A notorious Gaza Team cybergang upgrades its malicious toolset with exploits and possibly with Android spyware

Kaspersky Lab experts are registering important changes in the operations of the infamous Gaza Team Cybergang, which is actively targeting multiple commercial and government organizations in the Middle East and Africa (MENA) region. While the group has been active in the threat landscape for several years, it has upgraded its arsenal in 2017 with new malicious tools.
The Gaza Team Cyberganghas been attacking government embassies, diplomats and politiciansas well as oil and gas organizations and the media in the MENA region on a continuous basissince at least 2012, with new malware samples detected regularly. In 2015, Kaspersky Lab researchers reported on the gang’s activity after seeing a significant shift in its malicious operations. On this occasion, the attackers were spotted targeting IT and incident response personnel in an attempt to gain access to legitimate security assessment tools and significantly decrease visibility of their activity in the attacked networks. In 2017, Kaspersky Lab researchers have captured another surge of Gaza Cybergang activity.
The target profile and geography remain unchanged in these new attacks, but the scale of Gaza Team’s operations has expanded. The actor hasbeen spotted seeking out any typeof intelligence across the MENA region, which was not previously the case. What is more important: the attack tools havebecome more sophisticated – with the group developing topical, geopolitical spearphishing documents that are used to deliver malware to targets, and using exploits to a relatively recent vulnerability, CVE 2017-0199 in Microsoft Access, and potentially even Android spyware.
The intruders perform their malicious activities by sending emails containing various RATs (Remote Access Trojans) in fake office documents, or URLs to a malicious page. When these are executed, the victim is infected with malware that subsequently enables the attackers to collect files, keystrokes and screenshots from the victim’s devices. If the victim detects the initially downloaded malware, the downloader tries to install other files on the victim’s device in an attempt to bypass detection.
Further Kaspersky Lab investigation suggests the potential use of mobile malware by the hacking group: some of the file names found during the analysis of Gaza Team activity look to be Android Trojan-related. These upgrades in attack techniques have allowed Gaza Teamto bypass security solutions and manipulate the victim’s system for prolonged periods
“The continuing activity of Gaza Team, which we have observed for several years already shows that the situation in the MENA region is far from safe when it comes to cyber espionage threats. Due to significant improvementsin the group’s techniques, we expect the quantity and quality of Gaza Cybergang attacks to intensify in the near future. People and organizations which fall into their target scope should be more cautious when online,” said David Emm, security expert at Kaspersky Lab.
Kaspersky Lab products successfully detect and block attacks conducted using these techniques.
In order toprevent falling victim to such an attack, Kaspersky Lab researchers recommend implementing the following measures:
● Train staff to be able to distinguish spearphishing emails or a phishing link from legitimate emails and links;
● Use a proven corporate-grade endpoint security solutionIn combination with specialized protection against advanced threats, such as Kaspersky Anti Targeted Attack platform, which is capable of catching attacks by analyzing network anomalies;
● Provide security staff with access to the latest threat intelligence data, which will arm them with helpful tools for targeted attacks research and prevention, such as Indicators of compromise (IOC) and YARA.