Pro-Palestinian group APT uses Novel Downloader in new campaign


A Middle Eastern advanced persistent threat (APT) group launched a new round of targeted cyberespionage attacks from July to October 2023, using a new initial access downloader dubbed IronWind, according to Proofpoint.

The security provider identified the actor as TA402 (aka Molerats, Gaza Cybergang, Frankenstein, WIRTE), who it says supports Palestinian intelligence collection goals.

Although active since 2020, the group’s latest campaign showed signs of new tactics – including the use of IronWind as part of a “labyrinthine” infection chain.

“TA402 used three variations of this infection chain: Dropbox links, XLL file attachments, and RAR file attachments, with each variation systematically leading to the download of a DLL containing the multifunctional malware,” Proofpoint explained.

“In these campaigns, TA402 also shifted its use of cloud services like the Dropbox API, which Proofpoint researchers observed in operation from 2021 and 2022, to the use of actor-controlled infrastructure for C2 communication (command and control).”

Read more about threats in the Middle East: Growing concern over the role of hacktivism in the Israel-Hamas conflict

The phishing emails themselves were sent from a compromised Foreign Office account to target various government entities in the Middle East using a spoofed Gulf Cooperation Council lure.

In July, the group used a Dropbox link in the phishing email to download a malicious Microsoft PowerPoint Add-in (PPAM) file. This file in turn contained a macro that deleted three files, one of which loaded IronWind.

In August, TA402 switched to sending an attached XLL file to load IronWind. Then, in October, it changed tactics again, sending a RAR file attachment containing a renamed version of tabcal.exe to load IronWind instead of using a malicious PPAM file delivered via Dropbox or an attached XLL file.

This latest phishing campaign used the war in Gaza as a lure for the first time.

“Currently, TA402 appears to be using conflict solely for decoy purposes” Proofpoint said. “Additionally, TA402 continues to engage in phishing, indicating that the conflict has not significantly disrupted the group’s operations.”

Leave a comment