Severity

High

Analysis Summary

In the year 2018, the threat actor WIRTE APT Subgroup was discovered for the first time. Spear-phishing emails are used to encourage victims to open a malicious Microsoft Excel/Word document. All of the Excel droppers found were using a technique that leverages formulae in hidden spreadsheets or cells to execute macro 4.0 commands named as Excel 4.0 macros. It is used to drop malware called Ferocious droppers. The payload was downloaded using conventional VBA macros by the Word droppers. The actor customized the counterfeit contents to the targeted victims, including logos and themes that were relevant to the targeted company or current events in their location. However, in some circumstances a bogus ‘Kaspersky Update Agent’ executable worked as a dropper for the VBS implant. The threat actor appears to have targeted a range of sectors, including diplomatic and financial institutions, government, law firms, military groups, and technological enterprises. Armenia, Cyprus, Egypt, Jordan, Lebanon, Palestine, Syria, and Turkey are among the countries affected. WIRTE is a suspected part of the Gaza Cybergang that is an Arabic politically motivated cyber criminal group. WIRTE APT Subgroup changed their toolkit and how they operate in order to be inconspicuous for longer. They use simple but successful tactics to compromise its victims and outperformed its suspected peers in terms of OpSec by using interpreted language malwares like VBS and PowerShell scripts.

Impact

• Information Theft and Espionage

Indicators of Compromise

Domain Name

• imagine-world[.]com

MD5

• aaec8a2ce3279519c8bad94745bccb00

SHA-256

• 1f9d4bb8afa4031027df117e35e6c588893471e6ac8d10a9bc9c3899a48a9ef8

SHA-1

• 2f7f1e8aef266b856a43a9e5c37a103c833f48b8

Remediation

• Block the threat indicators at their respective controls.
• Search for IOCs in your environment.