{"id":5072,"date":"2015-10-01T03:40:42","date_gmt":"2015-10-01T07:40:42","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=5072"},"modified":"2017-09-24T18:36:58","modified_gmt":"2017-09-24T14:36:58","slug":"gaza-cybergang-wheres-your-ir-team","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/gaza-cybergang-wheres-your-ir-team\/5072\/","title":{"rendered":"Gaza cybergang, where&#8217;s your IR team?"},"content":{"rendered":"<p>Gaza cybergang is a politically motivated Arabic cybercriminal group operating in the MENA (Middle East North Africa) region, targeting mainly\u00a0<b>Egypt, United Arab Emirates and Yemen<\/b>. The group has been operating since 2012 and became particularly active in Q2 2015.<\/p>\n<p>One interesting new fact about Gaza cybergang activities is that they are actively sending malware files to\u00a0<b>IT (Information Technology)<\/b>\u00a0and\u00a0<b>IR (Incident Response)<\/b>\u00a0staff; this is also obvious from the file names they are sending to victims, which reflect the IT functions or IR tools used in cyber attack investigations.<\/p>\n<p>IT people are known for having more access and permissions inside their organizations than other employees, mainly because they need to manage and operate the infrastructure. 
This is why getting access to their devices could be worth a lot more than for a normal user.<\/p>\n<p>IR people are also known for having access to sensitive data related to ongoing cyber investigations in their organizations, in addition to special access and permissions enabling them to hunt for malicious or suspicious activities on the network.<\/p>\n<p>The main infection modules used by this group are pretty common RATs: XtremeRAT and PoisonIvy.<\/p>\n<p>Some more interesting facts about Gaza cybergang:<\/p>\n<ul>\n<li>Attackers take an interest in government entities, especially embassies, where security measures and IT operations might not be well established and reliable<\/li>\n<li>Use of special file names, content and domain names (e.g. gov.uae.kim), has helped the group perform better social engineering to infect targets<\/li>\n<li>Increasing interest in targeting IT and IR people, which is clear from most of the recent malware file names used<\/li>\n<\/ul>\n<p>Other operation names:<\/p>\n<ul>\n<li>DownExecute<\/li>\n<li>MoleRATs<\/li>\n<\/ul>\n<p><a href=\"https:\/\/kas.pr\/Aq1Y\" target=\"_blank\" rel=\"noopener\">Kaspersky Lab products<\/a> and services successfully detect and block attacks by the Gaza cybergang.<\/p>\n<h2 id=\"political-file-names-targeting-arabic-countries\">Political file names targeting Arabic countries<\/h2>\n<p><b>File name:<\/b>\u00a0\u0628\u0648\u0627\u062f\u0631 \u062e\u0644\u0627\u0641 \u062c\u062f\u064a\u062f \u0628\u064a\u0646 \u0627\u0644\u0627\u0645\u0627\u0631\u0627\u062a \u0648\u0627\u0644\u0633\u0639\u0648\u062f\u064a\u0629.exe<\/p>\n<p><b>Translation:<\/b>\u00a0Indications of disagreement between Saudi Arabia and UAE.exe<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-5073\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2015\/10\/05113059\/gaza_cybergang_1-1024x753.png\" alt=\"gaza_cybergang_1-1024x753\" width=\"1024\" 
height=\"753\"><\/p>\n<p><b>Filename:<\/b>\u00a0\u201cWikileaks documents on Sheikh ******* *** *****.exe\u201d<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-5074\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2015\/10\/05113057\/gaza_cybergang_2-1024x496.png\" alt=\"gaza_cybergang_2-1024x496\" width=\"1024\" height=\"496\"><\/p>\n<p><b>File name:<\/b>\u00a0\u0635\u0648\u0631 \u0641\u0627\u0636\u062d\u0640\u0640\u0640\u0640\u0640\u0629 \u062c\u062f\u0627 \u0644\u0628\u0639\u0636 \u0627\u0644\u0639\u0633\u0643\u0631\u064a\u064a\u0646 \u0648\u0627\u0644\u0642\u0636\u0627\u0629 \u0648\u0627\u0644\u0645\u0633\u062a\u0634\u0627\u0631\u064a\u064a\u0646 \u0627\u0644\u0645\u0635\u0631\u064a\u064a\u0646.<b>exe<\/b><\/p>\n<p><b>Translation:<\/b>\u00a0Scandalous pictures of Egyptian militants, judges and consultants<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-5075\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2015\/10\/05113055\/gaza_cybergang_3-1024x670.png\" alt=\"gaza_cybergang_3-1024x670\" width=\"1024\" height=\"670\"><\/p>\n<p><b>File name:<\/b>\u00a0Majed-Abaas.zip -&gt; \u0627\u0644\u0631\u0626\u064a\u0633 \u0627\u0644\u0641\u0644\u0633\u0637\u064a\u0646\u064a \u0645\u062d\u0645\u0648\u062f \u0639\u0628\u0627\u0633 \u064a\u0634\u062a\u0645 \u0645\u0627\u062c\u062f \u0641\u0631\u062c.<b>exe<\/b><\/p>\n<p><b>Translation:<\/b>\u00a0President Mahmoud Abbas cursing Majed Faraj.exe<\/p>\n<p><b>File name: \u201c<\/b>\u0645\u0643\u0627\u0644\u0645\u0629 \u0645\u0633\u0631\u0628\u0629 \u0628\u064a\u0646 \u0627\u0644\u0642\u0627\u0626\u062f \u0627\u0644\u0639\u0627\u0645 \u0644\u0644\u0642\u0648\u0627\u062a \u0627\u0644\u0645\u0633\u0644\u062d\u0629 \u0627\u0644\u0645\u0635\u0631\u064a\u0629 \u0635\u062f\u0642\u064a \u0635\u0628\u062d\u064a.<b>exe\u201d<\/b><\/p>\n<p><b>Translation:<\/b>\u00a0Leaked conversation with the Egyptian 
leader of military forces Sodqi Sobhi.exe<\/p>\n<p><b>File name:<\/b>\u00a0tasreb.rar<\/p>\n<h2 id=\"it-and-ir-malware-file-names\">IT and IR Malware File Names<\/h2>\n<table border=\"0\" width=\"80%\">\n<tbody>\n<tr>\n<td width=\"45%\">VCSExpress.exe<\/td>\n<td width=\"45%\">Hex.exe<\/td>\n<\/tr>\n<tr>\n<td>Microsoft Log.exe<\/td>\n<td>IMP.exe<\/td>\n<\/tr>\n<tr>\n<td>Win.exe<\/td>\n<td>Corss.exe<\/td>\n<\/tr>\n<tr>\n<td>WinRAR.exe<\/td>\n<td>AVR.exe<\/td>\n<\/tr>\n<tr>\n<td>ccleaner.exe<\/td>\n<td>codeblocks.exe<\/td>\n<\/tr>\n<tr>\n<td>HelpPane.exe<\/td>\n<td>Hex_Workshop_Hex_Editor-o.exe<\/td>\n<\/tr>\n<tr>\n<td>Help.exe<\/td>\n<td>Decoded.exe<\/td>\n<\/tr>\n<tr>\n<td>vmplayer.exe<\/td>\n<td>Decrypted.exe<\/td>\n<\/tr>\n<tr>\n<td>procexp.exe<\/td>\n<td>crashreporter.exe<\/td>\n<\/tr>\n<tr>\n<td>RE.exe<\/td>\n<td>WindowsUpdate.exe<\/td>\n<\/tr>\n<tr>\n<td>PE.exe<\/td>\n<td>AVP.exe<\/td>\n<\/tr>\n<tr>\n<td>PE-Explorr.exe<\/td>\n<td>Kaspersky.exe<\/td>\n<\/tr>\n<tr>\n<td>hworks32.exe<\/td>\n<td>Kaspersky Password Manager.exe<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-5076\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2015\/10\/05113053\/gaza_cybergang_41.jpg\" alt=\"gaza_cybergang_41\" width=\"874\" height=\"400\"><\/p>\n<h2 id=\"other-malware-file-names\">Other malware file names<\/h2>\n<p>abc.exe<br>\nNews.exe<br>\nSky.exe<br>\nSkyC.exe<br>\nSkype.exe<br>\nSkypo.exe<br>\n\u0648\u0635\u064a\u0629 \u0648\u0635\u0648\u0631 \u0627\u0644\u0648\u0627\u0644\u062f \u0623\u062a\u0645\u0646\u0649 \u0627\u0644\u062f\u0639\u0627\u0621 \u0644\u0647 \u0628\u0627\u0644\u0631\u062d\u0645\u0629 \u0648\u0627\u0644\u0645\u063a\u0641\u0631\u0629.exe<br>\nSecret_Report.exe<\/p>\n<p>Military Police less military sexual offenses, drug offenses more.exe<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" 
class=\"aligncenter size-full wp-image-5077\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2015\/10\/05113052\/gaza_cybergang_511.jpg\" alt=\"gaza_cybergang_511\" width=\"516\" height=\"150\"><\/p>\n<h2 id=\"phishing\">Phishing<\/h2>\n<p>http:\/\/google.com.*****\/new\/index.php?Email=FL1-08-2015@gmail.com<\/p>\n<p>http:\/\/google.com.*****\/new\/g.htm?Email=sharq-2014-12-31@gmail.com<\/p>\n<p>http:\/\/google.com.*****\/new\/index.php?Email=2014-12-04@gmail.com<\/p>\n<p>http:\/\/googlecom*****\/new\/index.php?Email=yemen-22-01-2015@hotmail.com<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-5078\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2015\/10\/05113051\/gaza_cybergang_6-1002x1024.png\" alt=\"gaza_cybergang_6-1002x1024\" width=\"1002\" height=\"1024\"><\/p>\n<h2 id=\"ip-addresses-and-domain-names-used-in-the-attacks\">IP addresses and domain names used in the attacks<\/h2>\n<p>More details about IP addresses and domain names used in the attacks can be found in the <a href=\"https:\/\/kas.pr\/foU3\" target=\"_blank\" rel=\"noopener\">Securelist report<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Gaza cybergang is a politically motivated Arabic cybercriminal group operating in the MENA (Middle East North Africa) region, targeting mainly\u00a0Egypt, United Arab Emirates and Yemen. 
The group has been operating<\/p>\n","protected":false},"author":540,"featured_media":5073,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,1486],"tags":[111,1064,1065,1183],"class_list":{"0":"post-5072","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-attacks","10":"tag-gaza","11":"tag-gaza-cybergang","12":"tag-leaks"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/gaza-cybergang-wheres-your-ir-team\/5072\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/gaza-cybergang-wheres-your-ir-team\/3534\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/attacks\/","name":"attacks"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5072","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/540"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=5072"}],"version-history":[{"count":1,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5072\/revisions"}],"predecessor-version":[{"id":9362,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5072\/revisions\/9362"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/5073"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=5072"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=5072"},{"taxonomy":"post_
tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=5072"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}