WHAT'S HAPPENING?
The Cybereason Nocturnus team has discovered several recent, targeted attacks in the Middle East. These attacks deliver the Spark and Pierogi backdoors via spear phishing for politically driven cyber espionage operations.
KEY OBSERVATIONS & TTPs
» Targeting Palestinians: The campaigns seem to target Palestinian individuals and entities, likely related to the Palestinian government.
» Politically-motivated APT: Cybereason suspects that the objective of the threat
actor is to obtain sensitive information from the victims and leverage it for
political purposes.
» Lured Into Deploying a Backdoor: The attackers use specially crafted lure content in spear phishing emails to trick targets into opening malicious files that infect the victim's machine with a backdoor. The lure content in the malicious files relates to political affairs in the Middle East, with references to the Israeli-Palestinian conflict, tension between Hamas and Fatah, and other political entities.
» Perpetrated by an Arabic-Speaking APT Group: The modus operandi of the attackers, together with their social engineering tactics and decoy content, appears aligned with previous attacks carried out by the Arabic-speaking APT group MoleRATs (aka Gaza Cybergang). This group has been operating in the Middle East since 2012.
» Read the full-length research here.
CYBEREASON CUSTOMERS
We highly recommend that every customer enable the following features:
» If you do not have Cybereason NGAV activated, consider doing so to protect against threats like these.
» For Cybereason MDR customers, the Cybereason team will monitor and triage, as well as assist in the mitigation of potential infections.
OVERVIEW
THREAT TYPE: BACKDOOR
TARGET INDUSTRY: GOVERNMENT ENTITIES
ATTACK GOAL: CYBER ESPIONAGE
IMPACTED GEO: THE MIDDLE EAST
REMEDIATION STEPS
Consider social engineering awareness and training, which are key in preventing such attacks.
Disable macros and install an endpoint protection solution to help mitigate similar attacks.
MOLERATS & PIEROGI THREAT ALERTS