Kaspersky researchers suspect that the cyberattackers may be a subgroup of the politically motivated, Palestine-focused Gaza Cybergang.
A threat actor tracked as WIRTE has been assaulting Middle East governments since at least 2019 using “living-off-the-land” techniques and malicious Excel 4.0 macros.
On Monday, Kaspersky reported that it observed the group in February using Microsoft Excel droppers, which planted hidden spreadsheets and VBA macros to launch intrusions, fingerprint systems and execute code on infected machines.
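A defender-side triage check for the dropper traits described above (hidden sheets and Excel 4.0 macro sheets inside an OOXML workbook). This is an added example, not code from Kaspersky's report or from the campaign; the workbook.xml and [Content_Types].xml samples are constructed inline, and `triage_file` is a hypothetical helper for a real .xlsm on disk.

```python
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces and the content types that mark macro-bearing parts
NS_MAIN = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
NS_CT = "{http://schemas.openxmlformats.org/package/2006/content-types}"
MACROSHEET_CT = "application/vnd.ms-excel.macrosheet+xml"   # Excel 4.0 (XLM) sheet
VBA_CT = "application/vnd.ms-office.vbaProject"              # vbaProject.bin

def hidden_sheets(workbook_xml):
    """Return (name, state) for each sheet that Excel will not show in the tab bar."""
    root = ET.fromstring(workbook_xml)
    found = []
    for sheet in root.iter(NS_MAIN + "sheet"):
        state = sheet.get("state", "visible")
        if state in ("hidden", "veryHidden"):   # veryHidden can only be undone from VBA
            found.append((sheet.get("name"), state))
    return found

def macro_parts(content_types_xml):
    """Return XLM macrosheet part names and whether a VBA project is packaged."""
    root = ET.fromstring(content_types_xml)
    result = {"macrosheets": [], "vba": False}
    for override in root.iter(NS_CT + "Override"):
        ct = override.get("ContentType", "")
        if ct == MACROSHEET_CT:
            result["macrosheets"].append(override.get("PartName"))
        elif ct == VBA_CT:
            result["vba"] = True
    return result

def triage_file(path):
    """Hypothetical helper: run both checks against an .xlsm/.xlsx on disk."""
    with zipfile.ZipFile(path) as z:
        return (hidden_sheets(z.read("xl/workbook.xml")),
                macro_parts(z.read("[Content_Types].xml")))

# Constructed sample: one visible data sheet plus a veryHidden XLM macro sheet
SAMPLE_WORKBOOK = (
    '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
    '<sheets><sheet name="Invoice" sheetId="1"/>'
    '<sheet name="Macro1" sheetId="2" state="veryHidden"/></sheets></workbook>')
SAMPLE_CONTENT_TYPES = (
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Override PartName="/xl/macrosheets/sheet1.xml" '
    'ContentType="application/vnd.ms-excel.macrosheet+xml"/></Types>')
```

A workbook that is both macro-bearing and carries a veryHidden sheet is worth pulling for sandboxing; the checks are cheap enough to run on every attachment.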
Researchers said that the first-stage implants look similar to the first-stage VBS implant used for reconnaissance and profiling by the MuddyWater advanced persistent threat (APT) actor (aka Mercury, Static Kitten or Seedworm). Whatever its name, MuddyWater has historically targeted government victims in the Middle East to exfiltrate data.
In April 2019, Kaspersky Lab reported that it had observed MuddyWater exfiltrating data such as credentials from governmental and telco targets in the Middle East, using a relatively simple, expendable set of tools that revealed a moderately sophisticated threat actor at work – with the potential to get even more dangerous over time.
Slightly Different TTPs Than MuddyWater’s
But although the most recent intrusion sets look similar to a new MuddyWater