Keypoints
- Infection vector: spearphishing email impersonating the Israeli National Cyber Directorate containing links to malicious RAR/APK files hosted on Gofile.
- Loader (cff976d1…) runs in staging and infection modes, checking for Hebrew keyboard layouts and >=2 CPUs before requesting elevation via runas and copying itself to C:\Users\Public\Microsoft System Agent.exe.
- Loader drops components: a .NET “Tasks Spreader” (Windows Defender Agent.exe) for AD propagation, a wiper (Microsoft System Manager.exe), and propaganda media; it sets wallpaper and plays the video.
- Wiper (e6d2f436…) enumerates writable files across drives A:–Z:, excludes Windows and program directories, spawns 20 threads, and overwrites the first 1111 bytes of each target file with rand() output, repeating the sweep in a perpetual loop.
- Tasks Spreader (b447ba43…) uses System.DirectoryServices LDAP queries to enumerate domain computers, copies the Loader to each remote host's C$\Users\Public share, and creates scheduled tasks (Schedule.Service COM) named MicrosoftEdgeUpdateTaskMachinesCores to execute the Loader.
- Android APK (556b5101…) requests full file access and calls a native library (libexampleone.so, 2480…) whose deleteInCHunks() overwrites files with zeros then removes them, scanning /storage/emulated/0 and excluding Android/obb and Android/data.
- Technical artifacts: dynamic resolution of ShellExecuteEx/CreateProcessA, tampered compilation timestamps, multiple architecture native libs, and YARA rules provided for detection.
MITRE Techniques
- [T1566.002] Phishing: Spearphishing Link – Email impersonated the Israeli National Cyber Directorate and urged users to follow Gofile links to download “security patches”; the lure carried links rather than attachments, so the link sub-technique applies (‘The INCD has detected an imminent, major cyber attack sponsored by Iran, exploiting previously-unknown vulnerabilities in the personal computers and mobile phones of our citizens’).
- [T1204.002] User Execution: Malicious File – Victims who downloaded and executed the linked Android or Windows applications were infected with a wiper (‘Victims who download and execute linked files are infected with a wiper’).
- [T1082] System Information Discovery – Loader checks environment characteristics such as keyboard layouts and CPU count as preconditions for proceeding (‘Looking into the following registry keys … if one of the configured keyboard layouts corresponds to Hebrew … Ensuring that the current machine has at least 2 CPUs’).
- [T1548] Abuse Elevation Control Mechanism – Loader requests elevated privileges by copying itself to C:\Users\Public and invoking the copy with the runas verb via ShellExecuteEx, which raises a UAC consent prompt rather than bypassing it (‘copies itself as C:\Users\Public\Microsoft System Agent.exe and invokes its new copy using the runas keyword’).
- [T1106] Native API – Loader dynamically resolves API functions by parsing DLL imports/exports to call ShellExecuteEx and CreateProcessA; the resolution technique itself also maps to T1027.007 Dynamic API Resolution (‘dynamically resolves the ShellExecuteEx function by manually parsing the imports of Shell32.dll’ and ‘manually resolving CreateProcessA by manually parsing the exports of Kernel32.dll’).
- [T1021.002] SMB/Windows Admin Shares – Tasks Spreader copies the Loader to remote machines over administrative C$ shares (C$\Users\Public\Microsoft System Agent.exe) to stage execution on other hosts (‘copies the local Loader to all those remote computers … from C:\Users\Public\Microsoft System Agent.exe to C$\Users\Public\Microsoft System Agent.exe’).
- [T1053.005] Scheduled Task/Job – Tasks Spreader remotely creates scheduled tasks via the Schedule.Service COM object to execute the Loader and persist/trigger execution (‘The created task is named MicrosoftEdgeUpdateTaskMachinesCores … set to execute the copied Loader … and its description mimics the one from Microsoft Edge update tasks’).
- [T1485] Data Destruction – Windows and Android components overwrite and delete user files: Windows wiper writes 1111 random bytes to files in multiple threads and loops indefinitely; Android native library overwrites with zeros then removes files (‘Each file is opened and overwritten with 1111 random bytes’ and ‘Each file is overwritten with zeroes and then removed from the filesystem’).
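As an added hunting example (not code from the original article or from HarfangLab): a Python routine that parses Windows Security Event ID 4698 (scheduled task created) records and flags the Tasks Spreader pattern described under T1053.005 and T1021.002, i.e. a task named MicrosoftEdgeUpdateTaskMachinesCores whose action runs a binary dropped under C:\Users\Public. The event records are constructed for the example; the benign Edge update task name and the rule that no legitimate Edge update task executes from C:\Users\Public are this example's assumptions.

```python
"""Hunt Security Event ID 4698 records for the SameCoin Tasks Spreader pattern.

Added example; the events below are constructed, not taken from a victim host
or from HarfangLab's report. The benign baseline and the 'nothing legitimate
runs from C:\\Users\\Public' heuristic are assumptions of this example.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape


def _task_xml(command, description):
    # Minimal task definition in the schema Windows uses for TaskContent.
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f'<RegistrationInfo><Description>{escape(description)}</Description></RegistrationInfo>'
        '<Actions Context="Author"><Exec>'
        f'<Command>{escape(command)}</Command></Exec></Actions></Task>'
    )


def _event_4698(task_name, command, description):
    # A 4698 record embeds the task definition as escaped text in TaskContent.
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><EventID>4698</EventID></System><EventData>'
        f'<Data Name="TaskName">{escape(task_name)}</Data>'
        f'<Data Name="TaskContent">{escape(_task_xml(command, description))}</Data>'
        '</EventData></Event>'
    )


# Constructed sample log: one genuine-looking Edge task, one SameCoin task, one odd task.
SAMPLE_EVENTS = [
    _event_4698(r"\MicrosoftEdgeUpdateTaskMachineCore",
                r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe",
                "Keeps your Microsoft software up to date."),
    _event_4698(r"\MicrosoftEdgeUpdateTaskMachinesCores",
                r"C:\Users\Public\Microsoft System Agent.exe",
                "Keeps your Microsoft software up to date."),
    _event_4698(r"\Backup", r"C:\Users\Public\backup.exe", "nightly"),
]

KNOWN_BAD_TASK_NAMES = {"microsoftedgeupdatetaskmachinescores"}  # from the report
EDGE_PREFIX = "microsoftedgeupdatetask"                           # assumption: genuine prefix
EDGE_DIR = "c:\\program files (x86)\\microsoft\\edgeupdate\\"      # assumption: genuine install dir
PUBLIC_DIR = "c:\\users\\public\\"                                 # Loader/Spreader drop location


def parse_4698(event_xml):
    """Return {'name', 'commands'} for a 4698 record, or None for other event IDs."""
    root = ET.fromstring(event_xml)
    if root.findtext(".//{*}EventID") != "4698":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.iterfind(".//{*}Data")}
    task = ET.fromstring(data["TaskContent"])  # inner task XML, un-escaped by the parser
    commands = [c.text or "" for c in task.iterfind(".//{*}Command")]
    return {"name": data["TaskName"].lstrip("\\"), "commands": commands}


def classify(task):
    """Apply the three hunt rules and return the reasons that fired."""
    name = task["name"].lower()
    findings = []
    if name in KNOWN_BAD_TASK_NAMES:
        findings.append("known SameCoin task name")
    for cmd in task["commands"]:
        c = cmd.strip('"').lower()
        if c.startswith(PUBLIC_DIR):
            findings.append(f"action runs from C:\\Users\\Public: {cmd}")
        if name.startswith(EDGE_PREFIX) and not c.startswith(EDGE_DIR):
            findings.append(f"Edge-update lookalike name with foreign command: {cmd}")
    return findings


def hunt(events):
    """Return [(task_name, [reasons])] for every suspicious task-creation event."""
    hits = []
    for ev in events:
        task = parse_4698(ev)
        if task is None:
            continue
        reasons = classify(task)
        if reasons:
            hits.append((task["name"], reasons))
    return hits


if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_EVENTS):
        print(name, "->", "; ".join(reasons))
```

The name match alone is brittle (the operator can rename the task), so the two path rules carry the weight: the Spreader has to execute whatever the Loader dropped under C:\Users\Public, and a genuine Edge update task never does.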
Indicators of Compromise
- [SHA-256 hashes] malware samples – cff976d15ba6c14c501150c63b69e6c06971c07f8fa048a9974ecf68ab88a5b6 (Loader) and e6d2f43622e3ecdce80939eec9fffb47e6eb7fc0b9aa036e9e4e07d7360f2b89 (Wiper); the seven further sample hashes, including those of the Tasks Spreader (b447ba43…), the APK (556b5101…) and libexampleone.so (2480…), are published in HarfangLab's accompanying GitHub repository.
- [APK filename] Android package – INCD-SecurityUpdate-FEB24.apk (SHA256 556b5101e0e8aee…d9) distributed via Gofile links; requests full file access and contains libexampleone.so.
- [File paths] dropped artifacts on Windows – C:\Users\Public\Microsoft System Agent.exe (Loader), C:\Users\Public\Microsoft System Manager.exe (Wiper), C:\Users\Public\Windows Defender Agent.exe (Tasks Spreader).
- [URLs / Hosting] public file hosting used for distribution – hxxps://gofile[.]io/d/WeFbpd (INCD-SecurityUpdate-FEB24.rar), and other store*.gofile[.]io download URLs (multiple entries).
HarfangLab’s technical procedure summary:
The campaign used a phishing email with links to Gofile-hosted archives/APKs. The Windows loader (compilation timestamp Oct 7, 2023, which the report treats as tampered) runs a two-stage routine: a staging phase that checks for Hebrew keyboard layouts and at least two CPUs, and an infection phase that, if not elevated, copies itself to C:\Users\Public\Microsoft System Agent.exe and invokes that copy with runas; it resolves ShellExecuteEx/CreateProcessA by parsing DLL imports/exports. In infection mode the loader drops multiple components (a .NET Tasks Spreader, a C wiper, wallpaper JPG, and a video), launches them, sets the wallpaper, increases system volume, and plays the video.
The Windows wiper enumerates writable files across drives A:–Z:, excluding Program Files/ProgramData/Windows directories and files dropped by the Loader, then uses 20 threads to overwrite the first 1111 bytes of each target file with rand() output and repeats the sweep in a perpetual loop. Because each pass rewrites the same 1111-byte range, only the head of each file is destroyed; content beyond offset 1111 stays on disk and may be recoverable. The .NET Tasks Spreader leverages System.DirectoryServices LDAP queries to enumerate domain computers, copies the Loader to remote machines via administrative SMB/C$ paths, and remotely creates scheduled tasks using the Schedule.Service COM API (task name MicrosoftEdgeUpdateTaskMachinesCores) to execute the Loader immediately and on user logon.
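The recovery caveat deserves a concrete check. The following Python, added here as an illustration and not taken from HarfangLab's report, simulates the wiper's head-only overwrite on constructed inputs (a text note and a ZIP container, the format DOCX/XLSX use) and then triages the result: the first 1111 bytes score as random, while the bytes after offset 1111, and any ZIP members whose local header lies past that offset, remain readable. Python's random module stands in for the malware's rand(), and the treatment of files shorter than 1111 bytes is an assumption of the simulation.

```python
"""Triage files hit by a SameCoin-style wiper that overwrites only the first 1111 bytes.

Added example, not code from HarfangLab's report. simulate_wipe() is a stand-in
for the malware's single pass (Python PRNG instead of libc rand()); the text and
ZIP inputs are constructed here. Files shorter than 1111 bytes are assumed to end
up as 1111 bytes of junk, which is an assumption of this simulation.
"""
import io
import math
import random
import zipfile

WIPE_LEN = 1111  # bytes the Windows wiper overwrites at the start of each file


def simulate_wipe(blob: bytes, rng: random.Random) -> bytes:
    """Replace the first WIPE_LEN bytes with PRNG output, leave the rest untouched."""
    return rng.randbytes(WIPE_LEN) + blob[WIPE_LEN:]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~7.8 for 1111 random bytes, ~4.5 for English text, 0 for constant."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def recover_zip_members(blob: bytes):
    """The ZIP central directory sits at the end of the file, so it survives a
    head-only wipe. Members whose local header lies past offset 1111 still read
    and pass their CRC; members whose header was overwritten are lost."""
    recoverable, lost = [], []
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return recoverable, lost  # not a ZIP at all (or its tail is gone too)
    for info in zf.infolist():
        try:
            zf.read(info.filename)  # fails on a destroyed local header
            recoverable.append(info.filename)
        except zipfile.BadZipFile:
            lost.append(info.filename)
    return recoverable, lost


def triage(blob: bytes) -> dict:
    """Summarise what a head-only wipe left behind in one file image."""
    head, tail = blob[:WIPE_LEN], blob[WIPE_LEN:]
    zip_ok, zip_lost = recover_zip_members(blob)
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in tail)
    return {
        "head_looks_random": shannon_entropy(head) > 7.0,  # threshold is this example's choice
        "tail_bytes": len(tail),
        "tail_is_text": bool(tail) and printable / len(tail) > 0.95,
        "zip_recoverable": zip_ok,
        "zip_lost": zip_lost,
    }


def build_samples():
    """Constructed inputs: a plain-text note and a stored ZIP with one member
    whose local header sits at offset 0 and one whose header sits past 1111."""
    text = ("Quarterly report line\n" * 150).encode()  # 3300 bytes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("first.txt", b"A" * 2000)   # header at offset 0: wiped
        zf.writestr("second.txt", b"B" * 500)   # header at offset 2039: survives
    return text, buf.getvalue()


if __name__ == "__main__":
    rng = random.Random(7)  # fixed seed so the demo is reproducible
    for label, blob in zip(("text", "zip"), build_samples()):
        print(label, triage(simulate_wipe(blob, rng)))
```

Run triage() over the affected files themselves rather than the simulation; a high-entropy head followed by a structured tail is the signature of this wiper, and for container formats with a trailing index (ZIP-based Office documents, many archives) the index tells you exactly which members were lost with the header region.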
The Android APK requests broad file permissions and delegates deletion to a native library (libexampleone.so) whose deleteInCHunks() enumerates /storage/emulated/0 (excluding Android/obb and Android/data), divides the file list into chunks handled by threads, overwrites files with zeros, deletes them, and attempts to remove the storage directory. Detection artifacts include multiple SHA-256 hashes, dropped file paths, Gofile download URLs, and supplied YARA rules matching the loader, wiper, Tasks Spreader, and native Android library.
Read more: https://harfanglab.io/en/insidethelab/samecoin-malware-hamas/