Rewterz Threat Alert – WRITE APT Group – Active IOCs

Severity

High

Analysis Summary

In the year 2018, the threat actor WIRTE APT Subgroup was discovered for the first time. Spear-phishing emails are used to encourage victims to open a malicious Microsoft Excel/Word document. All of the Excel droppers found were using a technique that leverages formulae in hidden spreadsheets or cells to execute macro 4.0 commands named as Excel 4.0 macros. It is used to drop malware called Ferocious droppers. The payload was downloaded using conventional VBA macros by the Word droppers. The actor customized the counterfeit contents to the targeted victims, including logos and themes that were relevant to the targeted company or current events in their location. However, in some circumstances a bogus ‘Kaspersky Update Agent’ executable worked as a dropper for the VBS implant. The threat actor appears to have targeted a range of sectors, including diplomatic and financial institutions, government, law firms, military groups, and technological enterprises. Armenia, Cyprus, Egypt, Jordan, Lebanon, Palestine, Syria, and Turkey are among the countries affected. WIRTE is a suspected part of the Gaza Cybergang that is an Arabic politically motivated cyber criminal group. WIRTE APT Subgroup changed their toolkit and how they operate in order to be inconspicuous for longer. They use simple but successful tactics to compromise its victims and outperformed its suspected peers in terms of OpSec by using interpreted language malwares like VBS and PowerShell scripts.

Impact

• Information Theft and Espionage

Indicators of Compromise

MD5

• c5e75fcb0aa0bf152affecb33f9094df
• 8ba9ed3005407fc8a85b4db88c7e1c0a
• fecaee84b2fb27e9e68e6b9598609706

SHA-256

• 58ff981332189a0a2e0b1152f36a5eb58402501fcf218339deab69a187edf823
• 467b59feba8ebaa7ef81b19ca69c133c07953affebeaf32f2d284b12533391be
• 086e49e431272b1ea8e3c1d7a9e297a8c50891db833bf180f2a5e9035f1bee8b

SHA-1

• 484565cab3abf806df68f2d84f79f974ab79279a
• 2b3f98995576d9a68ccc80542f5390e290a4359e
• e177d85ee3092aa54c95e1804ee3d256b5865fcb

Remediation

• Block the threat indicators at their respective controls.
• Search for IOCs in your environment.