After lying low for two months, an advanced persistent threat group based in the Middle East has resumed operations and is launching cyber-attacks on government bodies in the region. Its targets are influential government institutions connected to the current geopolitical situation.
Why the group went quiet for two months is not known; researchers attribute the pause either to the holy month of Ramadan or to the violence that has gripped the region since May. Either way, the group is back on the radar and running a new set of attacks.
TA402: The Politically Motivated Threat Actor in Cyber-Security
Proofpoint, a California-based cyber-security company, tracks the Middle Eastern APT as TA402. TA402, also known as the GazaHackerTeam or Molerats, is presumed to be a state-sponsored group whose objectives align with the interests of the Palestinian Territories.
TA402 uses its cyber capabilities in support of Palestinian government and military objectives. It has operated as a threat actor for over a decade, repeatedly breaching organizations in Israel and Palestine across a range of verticals: financial institutions, technology companies, media houses, government offices, telecom operators, military bases and military training academies.
Execution of the TA402 Attacks:
The latest wave of TA402 attacks uses spear-phishing emails with Arabic-language lures. The emails carry PDF attachments, and each PDF contains a geofenced malicious URL. When the visitor's source IP address was inside the targeted Middle Eastern countries, the link served a password-protected archive; everyone else was redirected to a benign Arabic-language news site such as Al Jazeera (www.aljazeera.net) or Al Akhbar (www.al-akhbar.com). In practice this means that a sandbox or analyst fetching the URL from outside the region sees nothing but the benign redirect.
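To make the geofencing concrete, the following is an added illustration of the decision a geofenced landing URL makes; it is not code from Proofpoint's report or from the actor. The network prefixes, the payload path and the `handle_request`/`probe` names are assumptions chosen for the example, and the prefixes are RFC 5737/RFC 3849 documentation ranges rather than real regional allocations.

```python
import ipaddress
from typing import Dict, Iterable, Tuple

# Constructed stand-ins for "in-region" source ranges. These are documentation
# prefixes (RFC 5737 / RFC 3849), not real allocations and not anything
# attributed to TA402.
IN_REGION_NETWORKS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# Hypothetical destinations: an assumed archive path (not a real IOC) and the
# benign decoy site named in the report.
PAYLOAD_PATH = "/download/report.rar"
DECOY_SITE = "https://www.aljazeera.net/"


def client_in_region(client_ip: str, networks: Iterable = IN_REGION_NETWORKS) -> bool:
    """Return True when the connecting address falls inside a fenced prefix.

    Unparseable addresses are treated as out-of-region, so a malformed or
    missing client IP gets the decoy rather than the payload.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    # IPv4 addresses never match IPv6 networks and vice versa; ipaddress
    # handles that version check inside the `in` test.
    return any(addr in net for net in networks)


def handle_request(client_ip: str) -> Tuple[int, str]:
    """Emulate the geofenced landing URL.

    In-region visitors get 200 and the archive path; everyone else gets a
    302 to the benign news site.
    """
    if client_in_region(client_ip):
        return 200, PAYLOAD_PATH
    return 302, DECOY_SITE


def probe(client_ips: Iterable[str]) -> Dict[str, Tuple[int, str]]:
    """Replay the same URL from several source addresses and record what each sees.

    This is the check an analyst wants before closing a ticket: if the only
    egress tried is out-of-region, the verdict will be "benign news site".
    """
    return {ip: handle_request(ip) for ip in client_ips}


if __name__ == "__main__":
    # Constructed probe set: one in-region IPv4, one out-of-region IPv4, one in-region IPv6.
    for ip, result in probe(["198.51.100.7", "192.0.2.10", "2001:db8:1::5"]).items():
        print(f"{ip:>16} -> {result}")
```

The point of `probe` is the asymmetry: the same URL yields an archive for one source address and a redirect to a news site for another, so a single fetch from a non-regional sandbox is not evidence that the link is harmless.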
The final stage of the attack delivers TA402's custom implant, LastConn. The archive retrieved through the infection chain is extracted, and a decoy document then serves as the vehicle for executing LastConn. The implant relies heavily on the Dropbox API: it downloads and executes files hosted on Dropbox, runs commands on the host, and takes screenshots, with the results exfiltrated back to Dropbox. Because its command-and-control traffic goes to a legitimate cloud service over HTTPS, it blends into ordinary Dropbox usage on the network.
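Dropbox-backed command and control does not look like a suspicious domain, so the useful detection is "which process is talking to the Dropbox API, and is it the Dropbox client?". The block below is an added example of that logic run over constructed Sysmon-style events; it is not part of Proofpoint's report, and it does not reproduce any real LastConn indicators. The Dropbox API hostnames are real; the allowed install directories, the sample records, and the function names are assumptions for the example.

```python
from collections import Counter
from typing import Dict, Iterable, List

# Dropbox API endpoints (real hostnames). Any Dropbox-backed C2 channel, such
# as the one the report describes for LastConn, has to reach these.
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}

# Assumed baseline: official client binaries, and only from the expected
# install directories. Matching on basename alone would let malware that
# names itself dropbox.exe slip through, which is why the path is checked too.
EXPECTED_BASENAMES = {"dropbox.exe", "dropboxupdate.exe"}
EXPECTED_DIR_PREFIXES = (
    "c:\\program files (x86)\\dropbox\\",
    "c:\\program files\\dropbox\\",
)

# Constructed Sysmon-style records for illustration (Event ID 3 = network
# connection, Event ID 1 = process creation). Not real telemetry.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 3, "Image": r"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe",
     "User": r"CORP\alice", "DestinationHostname": "api.dropboxapi.com", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Roaming\Updater\dropbox.exe",
     "User": r"CORP\alice", "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe"},
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Roaming\Updater\dropbox.exe",
     "User": r"CORP\alice", "DestinationHostname": "content.dropboxapi.com", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Roaming\Updater\dropbox.exe",
     "User": r"CORP\alice", "DestinationHostname": "api.dropboxapi.com", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "User": r"NT AUTHORITY\SYSTEM", "DestinationHostname": "ctldl.windowsupdate.com", "DestinationPort": 80},
]


def is_expected_dropbox_client(image: str) -> bool:
    """True only for an official client basename inside an expected install directory."""
    path = image.lower()
    basename = path.rsplit("\\", 1)[-1]
    return basename in EXPECTED_BASENAMES and path.startswith(EXPECTED_DIR_PREFIXES)


def parent_index(events: Iterable[Dict]) -> Dict[str, str]:
    """Map image path -> parent image from process-creation events (last one wins)."""
    return {e["Image"].lower(): e.get("ParentImage", "")
            for e in events if e.get("EventID") == 1}


def find_dropbox_api_abuse(events: List[Dict]) -> List[Dict]:
    """Return one alert per network event where a non-client process reaches the Dropbox API.

    Each alert carries the parent image when a matching process-creation
    event exists, because "spawned by an archive tool or an Office app" is
    the context that turns a cloud-API connection into a lead.
    """
    parents = parent_index(events)
    alerts = []
    for e in events:
        if e.get("EventID") != 3:
            continue
        if e.get("DestinationHostname", "").lower() not in DROPBOX_API_HOSTS:
            continue
        if is_expected_dropbox_client(e["Image"]):
            continue
        alerts.append({
            "Image": e["Image"],
            "User": e["User"],
            "Destination": e["DestinationHostname"],
            "ParentImage": parents.get(e["Image"].lower(), ""),
        })
    return alerts


def summarize_by_image(alerts: Iterable[Dict]) -> Counter:
    """Count alerts per offending image; a process beaconing repeatedly stands out."""
    return Counter(a["Image"] for a in alerts)


if __name__ == "__main__":
    hits = find_dropbox_api_abuse(SAMPLE_EVENTS)
    for alert in hits:
        print(alert)
    print(summarize_by_image(hits))
```

On the constructed sample, the genuine client's connection is ignored, the look-alike `dropbox.exe` under the user's roaming profile produces two alerts, and the parent lookup ties it back to an archive tool. In a real deployment the allowlist should also be backed by code-signing checks, since an attacker controls the file name and can choose the directory.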
LastConn is not TA402's first backdoor; it is an updated version of SharpStage, a backdoor the GazaHackerTeam used against Middle Eastern targets and which Cybereason researchers publicly documented in December 2020.
Future of TA402:
The continued growth of the TA402 toolkit shows how capable the group is. Its attacks are becoming more sophisticated and deliberate, with new malware implants built to evade detection.
“TA402 is a highly effective and capable threat actor that remains a serious threat, especially to entities operating in and working with government or other geopolitical entities in the Middle East,” the researchers concluded. “It is likely TA402 continues its targeting largely focused on the Middle East region.”