TA402 Uses IronWind Malware in Targeted Attacks
Governmental organizations in the Middle East have become the target of novel phishing campaigns aimed at disseminating IronWind malware. This was revealed through an investigation conducted by Proofpoint.
Experts indicate that the attacks, recorded from July to October this year, are attributed to a hacker group from the Gaza Strip, TA402, also known as Molerats. This group is closely linked with Palestinian state-backed hackers and has long specialized in cyber espionage and attacks on governmental structures in the Middle East.
“TA402 remains a persistent and innovative threat actor that routinely retools its attack methods and malware in support of its cyber espionage mandate. Its ongoing use of geofencing and decoy documents continues to serve its detection evasion efforts,” noted Joshua Miller from Proofpoint.
To disseminate IronWind, the perpetrators employ several malware delivery methods – Dropbox links, XLL attachments, and RAR archives. This marks a departure from their previous tactics, which relied on the NimbleMamba backdoor.
Once IronWind infiltrates a system, it first connects to the attackers’ C2 server and then downloads additional tooling, such as SharpSploit, to gain complete control over the infected machine.
Moreover, in August and October, the attackers introduced new delivery methods for IronWind via counterfeit emails with malicious attachments. Experts note that the criminals continually refine their tools and tactics to circumvent protection systems.
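The three delivery vectors named above (XLL attachments, RAR archives, Dropbox links) are all visible at the mail gateway before any payload runs, so a first-line triage rule can be written against mail metadata alone. The following is an added example written for this article; it is not Proofpoint's detection logic nor anything from the campaign itself. The mail records, the domain names and the field names (`sender`, `recipient`, `attachments`, `urls`) are constructed assumptions about whatever export your gateway produces, and the score weights are illustrative.

```python
"""Mail-metadata triage for the IronWind delivery vectors described in the article.

Added example, not Proofpoint's or the campaign's code. All records below are
constructed; field names and score weights are assumptions for illustration.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Attachment types the report associates with IronWind delivery.
HIGH_RISK_EXTENSIONS = {".xll"}      # Excel add-ins execute native code on open
ARCHIVE_EXTENSIONS = {".rar"}        # archives used to wrap the lure
# File-sharing hosts the report names as a link-based delivery channel.
SHARE_HOSTS = {"dropbox.com", "www.dropbox.com", "dl.dropboxusercontent.com"}


@dataclass
class MailRecord:
    message_id: str
    sender: str
    recipient: str
    subject: str
    attachments: list = field(default_factory=list)
    urls: list = field(default_factory=list)


@dataclass
class Finding:
    message_id: str
    score: int
    reasons: list


def _ext(filename: str) -> str:
    """Lower-cased extension including the dot, or '' if there is none."""
    name = filename.lower()
    return name[name.rfind("."):] if "." in name else ""


def _host(url: str) -> str:
    """Hostname of a URL, lower-cased; '' if the URL cannot be parsed."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def score_mail(rec: MailRecord) -> Finding:
    """Apply the delivery-vector rules to one record and return score plus reasons."""
    score = 0
    reasons = []
    for name in rec.attachments:
        ext = _ext(name)
        if ext in HIGH_RISK_EXTENSIONS:
            score += 60
            reasons.append(f"XLL add-in attachment: {name}")
        elif ext in ARCHIVE_EXTENSIONS:
            score += 30
            reasons.append(f"RAR archive attachment: {name}")
    for url in rec.urls:
        host = _host(url)
        if host in SHARE_HOSTS or host.endswith(".dropbox.com"):
            score += 30
            reasons.append(f"file-sharing link: {host}")
    # Any hit coming from outside the recipient's own domain weighs more.
    if reasons and _domain(rec.sender) != _domain(rec.recipient):
        score += 10
        reasons.append("external sender")
    return Finding(rec.message_id, min(score, 100), reasons)


def triage(records, threshold: int = 30) -> list:
    """Return findings at or above the threshold, in input order."""
    return [f for f in map(score_mail, records) if f.score >= threshold]


# Constructed sample mailbox export; domains and ids are fictitious.
SAMPLE_MAIL = [
    MailRecord("m1", "press@example-news.test", "clerk@ministry.example.test",
               "Updated briefing", attachments=["briefing.xll"]),
    MailRecord("m2", "contact@partner.test", "clerk@ministry.example.test",
               "Documents", urls=["https://www.dropbox.com/s/abc123/docs.rar?dl=1"]),
    MailRecord("m3", "hr@ministry.example.test", "clerk@ministry.example.test",
               "Holiday schedule", attachments=["schedule.pdf"]),
    MailRecord("m4", "someone@other.test", "clerk@ministry.example.test",
               "Archive", attachments=["report.rar"]),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_MAIL):
        print(finding.message_id, finding.score, "; ".join(finding.reasons))
```

Run as-is, the script flags `m1` (XLL from an external sender), `m2` (Dropbox link) and `m4` (RAR archive) and leaves the internal PDF alone. The rule deliberately stops at the gateway: the geofencing and decoy documents the report mentions only show up once the lure is opened, and the C2 beacon followed by the SharpSploit download belongs to network and endpoint telemetry, not mail metadata.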
The instability in the Middle East has not impeded their activities. They persist in refining methods to bypass detection systems and target governmental organizations in the region, emphasized Miller.
The attacks are conducted with pinpoint precision, focusing on governmental bodies in the Middle East and North Africa. The hackers exhibit high professionalism and resources for conducting long-term intelligence operations.
Experts assess that the threat from TA402 and similar groups will persist into the near future. They urge regional government bodies to heighten vigilance and reinforce cybersecurity measures.
It is also concerning that the hacking tools and tactics perfected in attacks in the Middle East could subsequently be employed against targets in other regions. Therefore, preventing the spread of such cyber threats is crucial for global cybersecurity.