Israel’s Cybereason in recent months has exposed a series of cyber-attacks that have emerged in the Middle East and which targeted senior Palestinian Authority (PA) officials.
The purpose of the attacks was to spy on mobile phones used by PA officials, use the phone’s camera without the knowledge of the device owner, listen in to what was happening around the phone, and steal files and information.
Cybereason released an investigative report from its Nocturnus Research Group focused on the MoleRATs threat group and two new campaigns it launched simultaneously against PA organizations and individuals.
Cybereason attributes the Spark and Pierogi campaigns to MoleRATs, also known as the Gaza Cybergang, an Arabic-speaking, politically motivated group that has operated in the Middle East since 2012.
In the past few years, the MoleRATs group has attacked Israel and other countries in the region.
“We suspect MoleRATs are carrying out these campaigns to obtain sensitive information from their victims to leverage for political purposes,” said one of Cybereason’s Nocturnus researchers.
The two campaigns, dubbed Spark and Pierogi, differ in their tooling, their server infrastructure, the nuances of their decoy content and their intended targets.
There are indications that the Pierogi backdoor was authored by Ukrainian-speaking malware developers.
The Spark campaign uses social engineering to infect victims with the Spark backdoor, which first emerged in January 2019. The threat actors exploit recent geopolitical events, in particular the Israeli-Palestinian conflict, the assassination of Iranian General Qassem Soleimani and the ongoing conflict between Hamas and Fatah, to lure victims into opening malicious files or documents.
The Pierogi campaign uses social engineering to infect victims with a new, previously undocumented backdoor dubbed Pierogi. This backdoor first emerged in December 2019 and was discovered by Cybereason.