
Threat Group Cards: A Threat Actor Encyclopedia

APT group: Molerats, Extreme Jackal, Gaza Cybergang

Names: Molerats (FireEye)
Extreme Jackal (CrowdStrike)
Gaza Cybergang (Kaspersky)
Gaza Hackers Team (Kaspersky)
ATK 89 (Thales)
TAG-CT5 (?)
Country: [Gaza]
Sponsor: Hamas
Motivation: Information theft and espionage
First seen: 2012
Description: (Kaspersky) The Gaza cybergang is an Arabic-language, politically-motivated cybercriminal group, operating since 2012 and actively targeting the MENA (Middle East North Africa) region. The Gaza cybergang’s attacks have never slowed down and its typical targets include government entities/embassies, oil and gas, media/press, activists, politicians, and diplomats.

One of the interesting new facts, uncovered in mid-2017, is its discovery inside an oil and gas organization in the MENA region, infiltrating systems and pilfering data, apparently for more than a year.

An overlap has been found between Molerats and Operation Parliament, and there may also be an association with The Big Bang.
Observed:
Sectors: Aerospace, Defense, Embassies, Energy, Financial, Government, High-Tech, Media, Oil and gas, Telecommunications, and journalists and software developers.
Countries: Afghanistan, Algeria, Canada, China, Chile, Denmark, Egypt, Germany, India, Iran, Iraq, Israel, Jordan, Kuwait, Lebanon, Latvia, Libya, Macedonia, Morocco, New Zealand, Oman, Palestine, Qatar, Russia, Saudi Arabia, Serbia, Slovenia, Somalia, South Korea, Syria, Turkey, UAE, UK, USA, Yemen, and the BBC and the Office of the Quartet Representative.
Tools used: BadPatch, Downeks, DustySky, JhoneRAT, KasperAgent, Micropsia, Molerat Loader, njRAT, Pierogi, Poison Ivy, QuasarRAT, Scote, Spark, XtremeRAT.
Operations performed:
Jan 2012: Defacement of Israel fire service website
Hackers claiming to be from the Gaza Strip defaced the website of the Israel Fire and Rescue services, posting a message saying “Death to Israel,” a spokesman said on Friday.
<https://middle-east-online.com/en/cyber-war-gaza-hackers-deface-israel-fire-service-website>
Oct 2012: Operation “Molerats”
In October 2012, malware attacks against Israeli government targets grabbed media attention as officials temporarily cut off Internet access for its entire police force and banned the use of USB memory sticks. Security researchers subsequently linked these attacks to a broader, yearlong campaign that targeted not just Israelis but Palestinians as well — and as discovered later, even the U.S. and UK governments.
<https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html>
Jun 2013: We observed several attacks in June and July 2013 against targets in the Middle East and the U.S. that dropped a PIVY payload that connected to command-and-control (CnC) infrastructure used by the Molerats attackers.
<https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html>
Apr 2014: Between 29 April and 27 May, FireEye Labs identified several new Molerats attacks targeting at least one major U.S. financial institution and multiple European government organizations.
<https://www.fireeye.com/blog/threat-research/2014/06/molerats-here-for-spring.html>
Summer 2014: Attacks against Israeli & Palestinian interests
The decoy documents and filenames used in the attacks suggest the intended targets include organizations with political interests or influence in Israel and Palestine.
<https://pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html>
2014: Operation “Moonlight”
Vectra Threat Labs researchers have uncovered the activities of a group of individuals currently engaged in targeted attacks against entities in the Middle East. We identified over 200 samples of malware generated by the group over the last two years. These attacks are themed around Middle Eastern political issues and the motivation appears to relate to espionage, as opposed to opportunistic or criminal intentions.
<https://blog.vectra.ai/blog/moonlight-middle-east-targeted-attacks>
May 2015: One interesting new fact about Gaza Cybergang activities is that they are actively sending malware files to IT (Information Technology) and IR (Incident Response) staff; this is also obvious from the file names they are sending to victims, which reflect the IT functions or IR tools used in cyberattack investigations.
<https://securelist.com/gaza-cybergang-wheres-your-ir-team/72283/>
Sep 2015: Operation “DustySky”
These attacks are targeted, but not spear-phished, i.e., malicious email messages are sent to selected targets rather than random mass distribution, but are not tailored specifically to each and every target. Dozens of targets may receive the exact same message. The email message and the lure document are written in Hebrew, Arabic or English, depending on the target audience. Targeted sectors include governmental and diplomatic institutions, including embassies; companies from the aerospace and defense industries; financial institutions; journalists; software developers. The attackers have been targeting software developers in general, using a fake website pretending to be legitimate iOS management software, and linking to it in an online freelancing marketplace.
<https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf>
Dec 2015: Palo Alto Networks Traps Advanced Endpoint Protection recently prevented attacks that we believe are part of a campaign linked to DustySky.
<https://unit42.paloaltonetworks.com/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/>
Apr 2016: Operation “DustySky” Part 2
Attacks against all targets in the Middle East stopped at once, after we published our first report. However, the attacks against targets in the Middle East (except Israel) were renewed in less than 20 days. In the beginning of April 2016, we found evidence that the attacks against Israel have been renewed as well. Based on the type of targets, on Gaza being the source of the attacks, and on the type of information the attackers are after, we estimate with medium-high certainty that the Hamas terrorist organization is behind these attacks.
<https://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf>
<https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/26000/PD26760/en_US/McAfee_Labs_Threat_Advisory_GazaCybergang.pdf>
Nov 2016: PwC analysts have been tracking the same malware campaign, which has seen a noticeable spike since at least April 2016. The attackers have targeted Arabic news websites, political figures and other targets that possess influence in the Palestinian territories and other neighbouring Arab countries.
Our investigation began by analyzing around 20 executable files associated with the attacks. Several of these files opened decoy documents and audio files, which were exclusively in Arabic.
<https://pwc.blogs.com/cyber_security_updates/2016/11/molerats-theres-more-to-the-naked-eye.html>
Mid-2017: New targets, use of MS Access macros and CVE-2017-0199, and possible mobile espionage
One of the interesting new facts, uncovered in mid-2017, is its discovery inside an oil and gas organization in the MENA region, infiltrating systems and pilfering data, apparently for more than a year.
Another interesting finding is the use of the recently discovered CVE-2017-0199 vulnerability, and of Microsoft Access files into which the download scripts were embedded to reduce the likelihood of their detection. Traces of mobile malware that started to appear from late April 2017 are also being investigated.
<https://securelist.com/gaza-cybergang-updated-2017-activity/82765/>
Sep 2017: Operation “TopHat”
In recent months, Palo Alto Networks Unit 42 observed a wave of attacks leveraging popular third-party services Google+, Pastebin, and bit.ly.
The attacks we found within the TopHat campaign began in early September 2017. In a few instances, original filenames of the identified samples were written in Arabic.
<https://unit42.paloaltonetworks.com/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/>
Jan 2019: “Spark” Campaign
This campaign uses social engineering to infect victims, mainly from the Palestinian territories, with the Spark backdoor. This backdoor first emerged in January 2019 and has been continuously active since then. The campaign’s lure content revolves around recent geopolitical events, especially the Israeli-Palestinian conflict, the assassination of Qasem Soleimani, and the ongoing conflict between the Hamas and Fatah Palestinian movements.
<https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-one>
Feb 2019: New Attack in the Middle East
Recently, 360 Threat Intelligence Center captured a bait document designed specifically for Arabic users. It is an Office Word document with malicious macros embedded to drop and execute a backdoor packed by Enigma Virtual Box. The backdoor program has a built-in keyword list containing names of people or opera movies to communicate with C2, distributes control commands to further control the victim’s computer device. After investigation, we suspect this attack is carried out by Molerats.
<https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east-en/>
Apr 2019: Operation “SneakyPastes”
The campaign is multistage. It begins with phishing, using letters from one-time addresses and one-time domains. Sometimes the letters contain links to malware or infected attachments. If the victim executes the attached file (or follows the link), their device receives Stage One malware programmed to activate the infection chain.
<https://www.kaspersky.com/blog/gaza-cybergang/26363/>
Oct 2019: Between October 2019 and the beginning of December 2019, Unit 42 observed multiple instances of phishing attacks likely related to a threat group known as Molerats (AKA Gaza Hackers Team and Gaza Cybergang) targeting eight organizations in six different countries in the government, telecommunications, insurance and retail industries, of which the latter two were quite peculiar.
<https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/>
Dec 2019: “Pierogi” Campaign
This campaign uses social engineering attacks to infect victims with a new, undocumented backdoor dubbed Pierogi. This backdoor first emerged in December 2019, and was discovered by Cybereason. In this campaign, the attackers use different TTPs and decoy documents reminiscent of previous campaigns by MoleRATs involving the Micropsia and KasperAgent malware.
<https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-one>
Mar 2020: Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations
<https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/>
<https://www.bleepingcomputer.com/news/security/hackers-hide-malware-c2-communication-by-faking-news-site-traffic/>
MITRE ATT&CK: <https://attack.mitre.org/groups/G0021/>

Last change to this card: 17 May 2020


Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
