WIRTE Threat Actor Expanding from Cyberespionage to Cyberattacks and Phishing

Published on November 13, 2024
Written by:
Lore Apostol
Lore Apostol
Cybersecurity & Streaming Writer

The global cybersecurity firm Check Point Research has disclosed ongoing cyber activities traced back to a notorious threat actor known as WIRTE, whose recent endeavors hint at the group branching out into conducting more disruptive cyber attacks.

The group is given much attention due to its affiliations with the Hamas-related Gaza Cybergang. This Middle Eastern Advanced Persistent Threat (APT) gang has been active since 2018 and is principally involved in politically driven cyber espionage. Their primary focus is on intelligence gathering, which is presumably linked to the regional geopolitical skirmishes. 

The research by Check Point unveiled direct connections between the custom software used by WIRTE and SameCoin, a wiper malware that precipitated a two-tier attack on Israeli organizations in February and October 2024. 

Lure PDF were Infection Chain begins
Lure PDF where Infection Chain begins | Source: Checkpoint Research

WIRTE’s operational tools have witnessed considerable evolution, with certain operational traits such as domain naming conventions, communication undertaken via HTML tags, user agent-specific responses, and redirection to legitimate websites remaining consistent.

Check Point’s surveillance on WIRTE dates back to late 2023 during a campaign that targeted Middle Eastern entities, especially the Palestinian Authority, Jordan, Egypt, and Saudi Arabia. WIRTE’s campaign employs custom loaders like IronWind, previously disclosed in November 2023, associated with a TA402 operation.

In September 2024, Check Point identified a new infection chain starting with a PDF file that contained an embedded URL, mimicking a URL shortener service. This link redirected users to a RAR archive entitled 'RAR 1178 - Beirut - Developments of the War in Lebanon 2’. 

The archive consisted of three files designed to employ DLL-Sideloading. The next-stage payload, delivered by propsys.dll, is Havoc Demon, facilitating communication with the domain master-dental[.]com.

IronWind loader has been used as the infection vector in numerous cases since October 2023. The infection chain starts with a RAR archive containing three files: a legitimate executable, a lure PDF, and version.dll, functioning as the first stage of the infection process. 

After the malware executes, it initiates an HTTP request, which includes the victim’s Office version, OS version, computer name, username, and list of programs, to requestinspector.com, alerting the attackers about the new victim.

Malicious email delivering the wiper | Source: CPR

In October 2024, a malicious email campaign targeted several Israeli organizations, including hospitals and municipalities, from the legitimate email of Israeli ESET reseller. The email contained a newer version of the SameCoin Wiper. 

A unique encryption function, previously seen only in WIRTE malware, was introduced in the newer version. Apart from this, the email alerting on an alleged attack prompted recipients to click on a link that directed them to a ZIP file named ESETUnleashed_081024.zip, containing four legitimate DLLs and a malicious file, Setup.exe, which tried to connect to the Israel Home Front Command site oref.org.il. 

After the malware verified that the target was indeed Israeli, it dropped and decrypted the next files, among which there was a Hamas propaganda video showing graphic attacks from October 7.

Since the XOR function used in the above wiper component (MicrosoftEdge.exe) is unique and can only be found in a newer IronWind loader variant (propsys.dll), security experts believe the same actor developed both tools and possibly compiled them in the same environment.

WIRTE phishing page | Source: CPR

Some domains observed in the infrastructure had phishing pages mimicking the Docdroid file-uploading service that directed to phishing content or legitimate documents, possibly depending on the victim’s IP address.

In other news, card readers across Israel malfunctioned this weekend as a result of a suspected Distributed Denial-of-Service (DDoS) attack.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: