Notorious threat actor TA402, also known by aliases such as Molerats, Gaza Cybergang, Frankenstein, and WIRTE, utilised an elaborate infection chain dubbed IronWind to conduct a four-month-long cyberespionage campaign from July to October 2023.
Cybersecurity researchers from Proofpoint analysed this latest campaign and demonstrated that TA402 has adopted a high level of innovation in its tactics, techniques, and procedures (TTPs).
For this campaign, TA402 utilised a convoluted infection chain named IronWind. The group employed three variants, including Dropbox links, XLL file attachments, and RAR file attachments. Each variant consistently led to the download of a Dynamic Link Library (DLL) containing a multifunctional malware strain.
Notably, TA402 shifted away from cloud services such as Dropbox API, which was previously observed in activities spanning 2021 and 2022, opting for actor-controlled infrastructure for command and control (C2) communication.
The campaign’s initiation in July featured a phishing strategy, where TA402 employed a compromised Ministry of Foreign Affairs email account to deliver a malicious Microsoft Powerpoint Add-in (PPAM) file via a deceptive Dropbox link. The PPAM file included a macro facilitating the installation of IronWind. Subsequent stages involved intricated HTTP requests to a TA402-controlled domain, showcasing the group’s technical prowess with reflective .NET loaders.
In August, researchers found out that the group altered its approach, sending an Excel XLL file as an attachment coupled with a terrorism-themed lure. The infection chain continued its complexity, incorporating base64-encoded checks for exfiltrating system information.
The October evolution witnessed another tactical shift, with TA402 utilising a RAR file attachment containing a renamed version of tabcal.exe to sideload IronWind. Strikingly, the group maintained using a compromised Ministry of Foreign Affairs email account, employing conflict-themed lures in phishing attempts.
IronWind’s malware development uncovered lapses in PDB path sanitisation, allowing researchers to discern the project name as ‘tornado.’
TA402 persistently employed geofencing techniques throughout the campaign, making detection significantly challenging. The group consistently incorporated URLs that were redirected to decoy documents on legitimate hosting platforms, enhancing the sophistication of its evasion tactics.
The APT group, recognised for its support of Palestinian espionage objectives, maintained a focus on intelligence collection against Arabic-speaking targets in the Middle East. The researchers found that it is highly likely the group will make some potential adjustments in response to the fluid dynamics of the Israel-Hamas conflict.