Molerats Group Wields Custom Cybertool to Steal Secrets in the Middle East

November 14, 2023 at 09:57AM

The pro-Palestinian cyber espionage group, TA402, has developed a new tool called IronWind to target government agencies in the Middle East and North Africa. Despite the conflict in the region, TA402 continues to operate and has shown sophistication in its tactics. The group uses geofencing to limit attacks and has recently shifted to economic-themed phishing attacks in Arabic. While TA402 primarily focuses on intelligence collection, their targeting may change due to the ongoing Israel-Hamas conflict.

The article discusses the activities of a pro-Palestinian cyber espionage group called TA402, also known as Molerats or Frankenstein. The group has recently upgraded its attack tooling with a sophisticated initial access downloader called IronWind, which it has used in three campaigns targeting government agencies in the Middle East and North Africa. Instead of relying on off-the-shelf tools, TA402 has developed custom code aimed at a limited subset of government organizations.

The significance of this development is that it shows smaller groups like Molerats can possess sophisticated tools and operational security, challenging the notion that only threat actors from major countries like Russia, China, Iran, and North Korea are capable of such activities. The fact that the malware and kill chain are highly geofenced to Arabic speakers is also noteworthy.

Despite the ongoing conflict in the region, TA402 has continued its espionage activities as usual, targeting the same customers and not changing its tactics. The group uses economic-themed phishing attacks in Arabic as a lure, with the email leading to a malicious PowerPoint add-in file, a shellcode loader, and ultimately a .NET backdoor. The group has also employed different lures and malicious files in their attack chain, focusing on Excel files in August and RAR archive files in October. Geofencing is used to redirect parts of the attack chain to benign documents on legitimate servers, avoiding detection.

According to CrowdStrike, a similar group it tracks as Extreme Jackal, which is linked to Hamas, has evolved from using commercial tools to developing its own custom malware. Although Proofpoint may not agree that the two groups are the same, both vendors share the view that TA402 remains a persistent and innovative threat actor that continuously adapts its attack methods and malware to support its cyber espionage objectives. The ongoing conflict between Israel and Hamas could potentially lead TA402 to adjust its targeting or social engineering tactics, according to Proofpoint’s analysis.
