2015-09-28



Summary information:

Gaza cybergang is a politically motivated Arabic cybercriminal group operating in the MENA (Middle East North Africa) region, mainly Egypt, United Arab Emirates and Yemen. The group has been operating since 2012 and became particularly active in Q2 2015.

One interesting new fact about Gaza cybergang activities is that they are actively sending malware files to IT (Information Technology) and IR (Incident Response) staff; this is also obvious from the file names they are sending to victims, which reflect the IT functions or IR tools used in cyber attack investigations.

IT people are known for having more access and permissions inside their organizations than other employees, mainly because they need to manage and operate the infrastructure. This is why access to their devices is worth far more to an attacker than access to a normal user's device.

IR people are also known for having access to sensitive data related to ongoing cyber investigations in their organizations, in addition to special access and permissions enabling them to hunt for malicious or suspicious activities on the network…

The main infection modules used by this group are common, widely available RATs: XtremeRAT and PoisonIvy.

Some more interesting facts about Gaza cybergang:

Attackers take an interest in government entities, especially embassies, where security measures and IT operations might not be well established and reliable

Use of special file names, content and domain names (e.g. gov.uae.kim) has helped the group perform better social engineering to infect targets

Increasing interest in targeting IT and IR people, which is clear from most of the recent malware file names used

Other operation names:

DownExecute

MoleRATs

Political file names targeting Arabic countries

File name: بوادر خلاف جديد بين الامارات والسعودية.exe

Translation: Indications of disagreement between Saudi Arabia and UAE.exe



File name: “Wikileaks documents on Sheikh ******* *** *****.exe”



File name: صور فاضحـــــة جدا لبعض العسكريين والقضاة والمستشاريين المصريين.exe

Translation: Very scandalous pictures of some Egyptian military personnel, judges and advisers.exe

File name: Majed-Abaas.zip -> الرئيس الفلسطيني محمود عباس يشتم ماجد فرج.exe

Translation: President Mahmoud Abbas cursing Majed Faraj.exe

File name: “مكالمة مسربة بين القائد العام للقوات المسلحة المصرية صدقي صبحي.exe”

Translation: Leaked conversation with the Egyptian leader of military forces Sodqi Sobhi.exe

File name: tasreb.rar

IT and IR Malware File Names

VCSExpress.exe

Hex.exe

Microsoft Log.exe

IMP.exe

Win.exe

Corss.exe

WinRAR.exe

AVR.exe

ccleaner.exe

codeblocks.exe

HelpPane.exe

Hex_Workshop_Hex_Editor-o.exe

Help.exe

Decoded.exe

vmplayer.exe

Decrypted.exe

procexp.exe

crashreporter.exe

RE.exe

WindowsUpdate.exe

PE.exe

AVP.exe

PE-Explorr.exe

Kaspersky.exe

hworks32.exe

Kaspersky Password Manager.exe

Other malware file names

abc.exe

News.exe

Sky.exe

SkyC.exe

Skype.exe

Skypo.exe

وصية وصور الوالد أتمنى الدعاء له بالرحمة والمغفرة.exe

Secret_Report.exe

Military Police less military sexual offenses, drug offenses more.exe

Phishing

http://google.com.r3irv2ykn0qnd7vr7sqv7kg2qho3ab5tngl5avxi5iimz1jxw9pa9.uae.kim/new/index.php?Email=FL1-08-2015@gmail.com

http://google.com.r3irv2ykn0qnd7vr7sqv7kg2qho3ab5tngl5avxi5iimz1jxw9pa9.uae.kim/new/g.htm?Email=sharq-2014-12-31@gmail.com

http://google.com.r3irv2ykn0qnd7vr7sqv7kg2qho3ab5tngl5avxi5iimz1jxw9pa9.uae.kim/new/index.php?Email=2014-12-04@gmail.com

http://googlecombq6xx.ddns.net/new/index.php?Email=yemen-22-01-2015@hotmail.com
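The phishing hostnames above show the lookalike-domain technique mentioned in the summary: a trusted brand name is placed in front of the attacker's own registrable domain (google.com.<noise>.uae.kim) or fused into a single label (googlecombq6xx.ddns.net). The following added example, not part of the original report, flags both patterns; the brand list and the naive "last two labels" registrable-domain rule are assumptions (a production check would use the Public Suffix List).

```python
"""Flag hostnames that carry a protected brand outside its own registrable domain."""
from urllib.parse import urlparse

# Brands worth protecting; list constructed for this example.
BRANDS = ("google.com", "hotmail.com")


def registrable_domain(host: str) -> str:
    """Return the last two labels of `host`.

    Naive assumption for the example; real deployments should consult the
    Public Suffix List so that e.g. co.uk is handled correctly.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def brand_impersonation(host: str):
    """Return (brand, technique) when the subdomain part of `host` carries a
    brand that is not its registrable domain, otherwise None.

    Techniques detected:
      'brand-labels-in-subdomain': google.com.<noise>.uae.kim
      'brand-fused-label'        : googlecombq6xx.ddns.net
    """
    host = host.lower().strip(".")
    reg = registrable_domain(host)
    sub = host[: -len(reg)].strip(".")  # everything left of the registrable domain
    if not sub:
        return None
    sub_labels = sub.split(".")
    for brand in BRANDS:
        if brand == reg:
            continue  # legitimate host of the brand itself, e.g. mail.google.com
        b = brand.split(".")
        # The brand's labels appearing consecutively among the subdomain labels
        for i in range(len(sub_labels) - len(b) + 1):
            if sub_labels[i:i + len(b)] == b:
                return brand, "brand-labels-in-subdomain"
        # The brand with its dots removed embedded in one label
        fused = brand.replace(".", "")
        if any(fused in label for label in sub_labels):
            return brand, "brand-fused-label"
    return None


def check_url(url: str):
    """Convenience wrapper: extract the hostname from a URL and classify it."""
    return brand_impersonation(urlparse(url).hostname or "")
```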

IP addresses and domain names used in the attacks

Domains


IP addresses


Malware Hashes


Phishing Hashes

1d18df7ac9184fea0afe26981e57c6a7

57ab5f60198d311226cdc246598729ea

Additional references

http://cyber-peace.org/wp-content/uploads/2014/01/Cyberattack_against_Israeli_and_Palestinian_targets.pdf
https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html
https://github.com/kbandla/APTnotes/blob/master/2012/Cyberattack_against_Israeli_and_Palestinian_targets.pdf
http://pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html