Kaspersky discovers a long-lasting campaign targeting government and diplomatic entities in the Middle East
Researchers at Kaspersky have released information regarding a long lasting campaign by a lesser known threat actor actively targeting organizations in the Middle East. Dubbed WIRTE, the APT group primarily targets governmental and diplomatic entities across Egypt, Jordan, Lebanon, Palestine, Syria, and Turkey with potential infections across Gulf countries. Researchers also found victims within law firms, military and technology companies.
WIRTE’s motive is cyber espionage as they’re seen using tools to collect sensitive information from their victims. They are not technically sophisticated and rely on basic toolset and stealthy techniques such as using “Living off the Land (LotL)” binaries. This type of attack effectively allows WIRTE to use legitimate assets to achieve their motives. In some instances, the group used spear-phishing emails to lure victims into opening malicious Microsoft Excel/Word documents. The group expertly tricks victims into downloading files by using logos and trending topics from the Middle East region. Researchers are currently monitoring the campaign which has been active since at least 2019 and have reported their findings on Kaspersky’s Threat Intelligence Portal.
“We are seeing new and evolving threat actors across the Middle East as the environment dynamics change. Nevertheless, their objectives remain the same – collecting sensitive information. This re-emphasizes the curial need for governments and business entities to protect their crown jewels and sensitive data from any emerging targeted threat.” Said Maher Yamout, Senior Security Researcher at Kaspersky. “The group’s most common tactic is to initially install an interpreted language VBS (Visual Basic Script) and PowerShell-based malware. After successfully gaining initial foothold, the group starts exploring the network and deploying more complex malware in order to stealthily stay under the radar and collect sensitive information.” He added.
Kaspersky continues to track WIRTE as it continues to evolve and sharpen its toolset, the group is expected to make its way through cyberspace and continue to compromise its victims with possibly expanding to other neighboring countries. To stay safe from advanced threat campaigns like WIRTE, Kaspersky experts recommend:
Disable interpreters for scripting languages wherever possible
Log PowerShell scripts executed on user machines.
Detect unusual user-agents in network traffic
Carry out a cybersecurity audit of your networks and remediate any weaknesses discovered in the perimeter or inside the network.
Install anti-APT and EDR solutions, enabling threat discovery and detection, investigation and timely remediation of incidents capabilities.
Provide your staff with basic cybersecurity hygiene training for phishing or other social engineering techniques