Gaza Cybercriminal Gang Targets Embassies with Malware Attacks

A ‘politically motivated’ Gaza cyber-gang from the Middle East is targeting incident response and IT teams related to political entities. Their motive is to compromise government establishments and force the breach of valuable data, according to researchers at security firm Kaspersky.

A Gaza cyber-gang operating in MENA or the Middle East North Africa region is targeting Egypt, Yemen, and the United Arab Emirates. The group is said to be active since 2012 and have increased their presence in 2015, Kaspersky reports.

The complete account of the finding by Kaspersky is available here.

Researchers at the security firm note that the Gaza cyber-gang are ‘actively sending malware files’ to IT and Incident Response staff in government organizations.

Some of the malware files targeting IT and IR employees are:

  • Help .exe
  • Vmplayer .exe
  • Hworks .exe
  • AVR .exe
  • Decoded .exe
  • AVP .exe
  • Crashreporter .exe
  • WindowsUpdate .exe
  • Kaspersky .exe
  • Kaspersky .exe
  • Help .exe
  • Hworks32 .exe

IT employees are generally known to have more permissions and access to files and networks within their organizations, more-so than most employees. The Gaza cyber-gang are believed to be targeting IT employees because their computers are deemed to be worth a lot more than normal employees’ devices.

Incident Response teams also have additional access to critical information such as ongoing data breach & cyber investigations. Additionally, they are bound to use machines with advanced permissions that equip them to look for suspicious activities on the organization’s network.

Quite simply, if an IT or an IR employee is tricked by a phishing campaign that leads to a compromised device, malicious operators of the cyber-gang from Gaza can potentially develop backdoors into systems.

Kaspersky discovered that the cyber-gang was taking a keen interest in embassies and other similar government entities with advanced social engineering techniques. The gang has even used domain names such as to infect targets where security measures aren’t the most reliable.

The primary infection modules used by the group are known to RATs, commonly known as remote access Trojans such as XtremeRat and PoisonIvy. Both Trojans are notorious for their means to install backdoors, tweaking PC registries, force downloading and uploading files from an infected computer and even remote shell code execution.