A group of pro-Hamas attackers known as the Gaza Cybergang is using a new variation of the Pierogi++ backdoor malware to launch attacks on Palestinian and Israeli targets.
According to research from Sentinel Labs, the backdoor is written in C++ and has been used in campaigns between 2022 and 2023. The attackers have also been using the Micropsia malware in recent hacking campaigns across the Middle East.
"Recent Gaza Cybergang activities show consistent targeting of Palestinian entities, with no observed significant changes in dynamics since the start of the Israel-Hamas war," wrote Sentinel Labs senior threat researcher Aleksandar Milenkoski in the report.
Distributing the Malware
The hackers distributed the Pierogi++ malware using archive files and malicious Office documents that discussed Palestinian topics in both English and Arabic. The archives carried Windows artifacts such as scheduled tasks and utility applications, while the Office documents contained malicious macros designed to deploy the Pierogi++ backdoor.
Milenkoski tells Dark Reading that the Gaza Cybergang used phishing attacks and social media-based engagements to circulate the malicious files.
"Distributed through a malicious Office document, Pierogi++ is deployed by an Office macro upon the user opening the document," Milenkoski explains. "In cases where the backdoor is disseminated via an archive file, it typically camouflages itself as a politically themed document on Palestinian affairs, deceiving the user into executing it through a double-click action."
Many of the documents used political themes to lure victims into executing the Pierogi++ backdoor, with titles such as "The situation of Palestinian refugees in Syria" and "The Ministry of State for Wall and Settlement Affairs established by the Palestinian government."
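The two delivery paths described above, an archive containing an executable dressed up as a document and an Office file carrying a macro, are cheap to check for at the mail gateway or on a triage host. The following is an added example written for this page, not code from Sentinel Labs or from the malware itself: it walks a zip archive, flags members with a document-then-executable double extension, a Unicode right-to-left override in the name, or a PE (`MZ`) header behind a document extension, and flags OOXML documents that embed a `vbaProject.bin`. The archive it scans is constructed inline (a 64-byte buffer starting with `MZ`, a minimal fake `.docm`, a benign text file); the file names echo the lure titles only as an illustration and are not real samples. The extension lists and flag labels are the example's own choices.

```python
import io
import zipfile

# Extensions commonly used to disguise an executable as a document (assumed list).
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".hta"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".rtf"}
OOXML_EXTS = (".docm", ".docx", ".dotm", ".xlsm", ".pptm")
RLO = "\u202e"  # Unicode right-to-left override: makes "x\u202efdp.exe" render as "xexe.pdf"


def classify_member(name: str, head: bytes) -> list:
    """Return the red flags for one archive member given its name and first bytes."""
    flags = []
    base = name.lower().rsplit("/", 1)[-1]
    exts = ["." + p for p in base.split(".")[1:]]
    # "report.pdf.exe": last extension executable, an earlier one a document type
    if exts and exts[-1] in EXEC_EXTS and any(e in DOC_EXTS for e in exts[:-1]):
        flags.append("double-extension executable")
    if RLO in name:
        flags.append("RTL override in filename")
    # A DOS/PE header under a name that does not claim to be executable
    if head.startswith(b"MZ") and (not exts or exts[-1] not in EXEC_EXTS):
        flags.append("PE header in non-executable name")
    return flags


def office_has_macro(data: bytes) -> bool:
    """OOXML files are zip containers; a VBA project is stored as vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            return any(n.lower().endswith("vbaproject.bin") for n in doc.namelist())
    except zipfile.BadZipFile:
        return False


def scan_archive(data: bytes) -> dict:
    """Map each suspicious member name to its list of flags; clean members are omitted."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            content = archive.read(info)
            flags = classify_member(info.filename, content[:2])
            if info.filename.lower().endswith(OOXML_EXTS) and office_has_macro(content):
                flags.append("embedded VBA project")
            if flags:
                findings[info.filename] = flags
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample for the example, not a real lure archive."""
    fake_pe = b"MZ" + b"\x00" * 62  # DOS header magic only; nothing executable
    macro_doc = io.BytesIO()
    with zipfile.ZipFile(macro_doc, "w") as doc:  # minimal fake .docm with a VBA part
        doc.writestr("[Content_Types].xml", "<Types/>")
        doc.writestr("word/document.xml", "<w:document/>")
        doc.writestr("word/vbaProject.bin", b"\x00" * 16)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as archive:
        archive.writestr("Palestinian refugees in Syria.pdf.exe", fake_pe)
        archive.writestr("report" + RLO + "fdp.exe", fake_pe)
        archive.writestr("statement.pdf", fake_pe)
        archive.writestr("Ministry report.docm", macro_doc.getvalue())
        archive.writestr("readme.txt", b"benign text")
    return out.getvalue()


if __name__ == "__main__":
    for member, flags in scan_archive(build_sample_archive()).items():
        print(repr(member), "->", ", ".join(flags))
```

The header check matters more than the name checks: a user who double-clicks "statement.pdf" in an archive viewer that honours the shell's file associations may still launch it if the archive tool extracts and opens by content, and name-based rules are trivially bypassed by renaming.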
The Original Pierogi
This new malware strain is an updated version of the Pierogi backdoor, which researchers at Cybereason documented in 2020.
Those researchers described the backdoor as enabling "attackers to spy on targeted victims" using social engineering and spoofed documents, often based on political topics related to the Palestinian government, Egypt, Hezbollah, and Iran.
The main difference between the original Pierogi backdoor and the newer variant is the implementation language: the original was written in Delphi and Pascal, while Pierogi++ is written in C++.
Older variants of the backdoor also used Ukrainian strings for their commands: 'vydalyty' (delete), 'Zavantazhyty' (download) and 'Ekspertyza' (examination). Pierogi++ uses the English strings 'download' and 'screen'.
The use of Ukrainian in the previous versions of Pierogi may have suggested external involvement in the creation and distribution of the backdoor, but Sentinel Labs doesn't believe this is the case for Pierogi++.
Sentinel Labs observed that both variants have coding and functionality similarities despite some differences. These include identical spoofed documents, reconnaissance tactics, and malware strings. For instance, hackers can use both backdoors for screenshotting, downloading files, and executing commands.
Researchers said Pierogi++ is proof that Gaza Cybergang is shoring up the "maintenance and innovation" of its malware in a bid to "enhance its capabilities and evade detection based on known malware characteristics."
No New Activity Since October
While Gaza Cybergang has been targeting Palestinian and Israeli victims in predominantly "intelligence collection and espionage" campaigns since 2012, the group hasn't increased its baseline volume of activity since the start of the Gaza conflict in October. Milenkoski says the group has been consistently targeting "primarily Israeli and Palestinian entities and individuals" over the past few years.
The gang comprises several "adjacent sub-groups" who have been sharing techniques, processes, and malware for the past five years, Sentinel Labs noted.
"These include Gaza Cybergang Group 1 (Molerats), Gaza Cybergang Group 2 (Arid Viper, Desert Falcons, APT-C-23), and Gaza Cybergang Group 3 (the group behind Operation Parliament)," the researchers said.
Although Gaza Cybergang has been active in the Middle East for more than a decade, the exact physical location of its hackers is still unknown. However, based on previous intelligence, Milenkoski believes they are likely dispersed throughout the Arabic-speaking world in places like Egypt, Palestine, and Morocco.