In early July 2018, the Palestinian Authority, the governing body of the Gaza Strip and West Bank, was the target of an advanced persistent threat (APT) attack dubbed "Big Bang." Like most APTs, this attack started with a spear phishing email. While no cybercriminals have come forward claiming this attack, researchers at Check Point suspect the Gaza Cybergang because of its politically motivated nature.
An APT is an attack where an intruder tries to stay in the network for as long as possible. Most hackers behind APTs enter a network through spear phishing emails. They target big businesses, governments, defense departments, and other high-value organizations. Most attacks of this nature attempt to steal victims' data over a long period of time.
Spear phishing is an email scam targeting specific individuals or organizations. These emails contain clever language that grabs the attention of their targets and tricks them into opening the attached malicious files. Spear phishing differs from traditional phishing in that it is more targeted, using details about the target to shape the language or design of the email.
An email was sent to unsuspecting victims at the Palestinian Authority from senders posing as the Palestinian Political and National Guidance Commission. The email included an attachment of a self-extracting archive containing a Word document and a malicious executable.
The Word document had excerpts from Palestinian news articles. While unsuspecting victims read these articles, Big Bang's malware started to run in the background. This malware is an upgraded variant of Micropsia, the signature weapon of the Gaza Cybergang. It's capable of taking screenshots, stealing documents, rebooting systems, and more. It also includes a self-destruct module, which makes it all the harder to detect and all the more dangerous.
The malicious executable works in two stages. First, it collects personal data about the victim; if the victim matches a particular profile, the second stage is carried out, in which additional malware modules are fetched from the attacker's command-and-control server to keep the victim under constant surveillance.
Don't want to make the news for the wrong reasons? Download ManageEngine Exchange Reporter Plus, a comprehensive Exchange mailbox monitoring and reporting tool, to ward off mail-bound threats.
This APT originated through a spear phishing email. ManageEngine Exchange Reporter Plus identifies suspicious emails like these based on keywords in their subject and body. It also helps you find out whether any of your users have received malicious emails by searching on attachment name, type, and size.
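Added example, not code from the original post or from ManageEngine's product: a Python triage function that applies the checks described above to email metadata, flagging lure keywords in the subject and body, executable attachments, and a self-extracting archive (fingerprinted as a PE executable carrying an embedded RAR or ZIP signature, the attachment shape used in the campaign). The keyword list, sender name, and attachment bytes are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List

# Constructed sample data and thresholds; nothing here is from the real campaign.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
LURE_KEYWORDS = {"commission", "guidance", "urgent"}   # assumed watch-list
RAR_MAGIC = b"Rar!\x1a\x07"
ZIP_MAGIC = b"PK\x03\x04"


@dataclass
class Attachment:
    name: str
    data: bytes  # the leading bytes of the file are enough to fingerprint it


def is_sfx_archive(data: bytes) -> bool:
    """A self-extracting archive is a PE executable ('MZ' header) that carries
    an archive payload (RAR or ZIP signature) somewhere inside the file."""
    return data.startswith(b"MZ") and (RAR_MAGIC in data or ZIP_MAGIC in data)


def triage(sender_name: str, subject: str, body: str,
           attachments: List[Attachment]) -> List[str]:
    """Return the reasons an email looks like an SFX-based spear phish.
    An empty list means none of the checks fired."""
    reasons = []
    text = f"{sender_name} {subject} {body}".lower()
    hits = sorted(k for k in LURE_KEYWORDS if k in text)
    if hits:
        reasons.append(f"lure keywords: {', '.join(hits)}")
    for att in attachments:
        ext = att.name[att.name.rfind("."):].lower() if "." in att.name else ""
        if ext in EXECUTABLE_EXTS:
            reasons.append(f"executable attachment: {att.name}")
        if is_sfx_archive(att.data):
            reasons.append(f"self-extracting archive: {att.name}")
        # A "document" whose bytes start with a PE header is an executable in disguise.
        if ext in {".doc", ".docx"} and att.data.startswith(b"MZ"):
            reasons.append(f"executable disguised as document: {att.name}")
    return reasons


if __name__ == "__main__":
    sfx = b"MZ" + b"\x00" * 40 + RAR_MAGIC + b"<constructed payload>"
    print(triage("National Guidance Commission", "Guidance Commission update",
                 "Please see the attached news excerpts.",
                 [Attachment("news_update.exe", sfx)]))
```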
© 2019 Zoho Corporation Pvt. Ltd. All rights reserved.