Hamas-Linked WIRTE Expands Middle East Operations with Disruptive Activities

Check Point Research reports that the WIRTE threat actor, linked to Hamas, continues conducting espionage and has expanded into disruptive operations targeting Israeli and regional organizations. The group uses custom malware (with links to SameCoin), phishing lures tied to current events, and a tailored infrastructure that includes unique domain naming and user-agent filtering. #WIRTE #SameCoin

Keypoints

  • WIRTE is a Middle Eastern APT active since at least 2018, primarily focused on politically motivated cyber-espionage.
  • Recent campaigns show an expansion from intelligence collection to disruptive attacks against Israeli targets.
  • The group deploys custom malware families that have connections to SameCoin wiper activity.
  • Operators use distinctive domain naming schemes and filter traffic by specific user agents to control access.
  • Infection chains include tools such as IronWind for initial compromise and Havoc for post-exploitation tasks.
  • Phishing campaigns exploit topical regional events to trick victims into executing malicious payloads or disclosing credentials.
  • WIRTE’s operations have continued despite ongoing conflict in the region, supporting its attribution to Hamas.

MITRE Techniques

  • [T1071] Command and Control – Uses multiple command and control domains to maintain communication with compromised systems. (‘Utilizes multiple command and control domains to maintain communication with compromised systems.’)
  • [T1203] Execution – Exploits software vulnerabilities to run malicious code on victim machines. (‘Exploits vulnerabilities in software to execute malicious code.’)
  • [T1003] Credential Dumping – Harvests credentials from compromised hosts to escalate access and move laterally. (‘Collects credentials from compromised systems.’)
  • [T1486] Data Encrypted for Impact – Encrypts or otherwise sabotages data to disrupt availability of systems and information. (‘Encrypts data to disrupt access to systems and information.’)
  • [T1566] Phishing – Sends deceptive emails that lure users into running malware or revealing sensitive information. (‘Uses deceptive emails to trick users into executing malicious payloads.’)

Indicators of Compromise

  • [Domains] infrastructure used in campaigns – saudiday[.]org, jordansons[.]com, and 11 other items
  • [IP Addresses] hosts associated with command and control or payload delivery – 185.158.248[.]161, 193.168.141[.]29, and 8 other items
  • [File Hash] malicious payload identifier – b7c5af2d7e1eb7651b1fe3a224121d3461f3473d081990c02ef8ab4ace13f785

WIRTE, a Middle Eastern advanced persistent threat active since at least 2018, has continued its cyber-espionage campaigns while increasingly carrying out disruptive attacks in the Middle East. Check Point Research attributes the group’s persistence and shifting tactics to a strong affiliation with Hamas; despite regional conflict, WIRTE has maintained operations against targets in Israel and other countries. The actor’s campaigns blend intelligence collection with sabotage-like behaviors, broadening their operational goals beyond traditional spying.

The group employs custom malware in its toolset, and some of these binaries show ties to SameCoin, a wiper observed targeting Israeli networks. In several intrusion chains, WIRTE has used components such as IronWind to gain an initial foothold and Havoc for post-exploitation activity, indicating a modular approach where different tools fulfill specific stages of the attack. These tailored implants support both data theft and, in some cases, destructive actions aimed at denying access or damaging systems.

WIRTE operators rely on a carefully constructed infrastructure to support their campaigns. They register and operate numerous domains that mimic legitimate regional sites and adopt a recognizable naming convention across that infrastructure. Traffic management techniques include filtering by particular user-agent strings to limit access to their command-and-control endpoints, which helps conceal operations and reduce discovery. The attacker-controlled hosts and domains work together to deliver payloads, receive stolen data, and maintain persistence inside victim environments.

Phishing remains a primary vector for WIRTE intrusions. The group crafts emails that use topical events in the Middle East as bait, increasing the likelihood that recipients will open attachments or follow links that trigger malware execution. Once a system is compromised, WIRTE has been observed performing credential harvesting and other actions to escalate privileges and move laterally, consistent with the use of credential dumping to deepen access across networks.

The research lists multiple indicators of compromise tied to WIRTE’s campaigns, including a set of domains, several IP addresses associated with their infrastructure, and at least one known malicious file hash. These artifacts help defenders identify potential compromises and disrupt the actor’s operations. Check Point’s findings underscore both the adaptability of WIRTE’s tactics and the continued risk posed by politically motivated groups that combine espionage with disruptive capabilities.
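One way a defender can put the published indicators to work, as an added example (not code from Check Point or the original post): refang the defanged domains and IPs quoted above and sweep a constructed proxy log for matches on destination domain (including subdomains), destination IP, or the downloaded file's SHA-256. The log format and the sample lines are assumed; the "N other items" elided in the indicator list are not reproduced.

```python
import re

# Indicators exactly as quoted (defanged) in this summary.
DEFANGED_DOMAINS = ["saudiday[.]org", "jordansons[.]com"]
DEFANGED_IPS = ["185.158.248[.]161", "193.168.141[.]29"]
KNOWN_HASHES = {"b7c5af2d7e1eb7651b1fe3a224121d3461f3473d081990c02ef8ab4ace13f785"}

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into its matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}
IPS = {refang(i) for i in DEFANGED_IPS}

# Constructed proxy-log layout (an assumption, not the report's format):
# <timestamp> <client_ip> <dest_host> <dest_ip> "<user_agent>" <sha256 or ->
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)" (\S+)$')

def host_matches(host: str) -> bool:
    """True for an exact listed domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOMAINS)

def scan(lines):
    """Return (line_number, reason) for each log line touching a listed IoC."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the sweep
        _ts, _src, host, dst_ip, _ua, sha = m.groups()
        if host_matches(host):
            hits.append((n, f"domain {host.lower()}"))
        elif dst_ip in IPS:
            hits.append((n, f"ip {dst_ip}"))
        elif sha.lower() in KNOWN_HASHES:
            hits.append((n, f"hash {sha.lower()[:12]}..."))
    return hits

# Constructed sample log: one clean line, then one hit of each kind.
SAMPLE_LOG = [
    '2024-11-12T09:01:00Z 10.0.0.5 www.example.com 93.184.216.34 "Mozilla/5.0" -',
    '2024-11-12T09:02:10Z 10.0.0.5 saudiday.org 185.158.248.161 "Mozilla/5.0" -',
    '2024-11-12T09:03:20Z 10.0.0.7 cdn.jordansons.com 203.0.113.9 "Mozilla/5.0" -',
    '2024-11-12T09:04:30Z 10.0.0.8 files.example.net 193.168.141.29 "curl/8.4" -',
    '2024-11-12T09:05:40Z 10.0.0.9 dl.example.org 198.51.100.3 "Mozilla/5.0" '
    'b7c5af2d7e1eb7651b1fe3a224121d3461f3473d081990c02ef8ab4ace13f785',
]

if __name__ == "__main__":
    for lineno, reason in scan(SAMPLE_LOG):
        print(f"line {lineno}: {reason}")
```

Because the report notes that WIRTE's C2 only answers requests carrying particular user agents, the captured `_ua` field is worth keeping alongside each hit when triaging, even though no public UA string is available here to match on.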

Read more: https://research.checkpoint.com/2024/hamas-affiliated-threat-actor-expands-to-disruptive-activity/