THREAT ALERTS: MOLERATS & PIEROGIS

WHAT'S HAPPENING?

The Cybereason Nocturnus team has discovered several recent, targeted attacks in the Middle East. These attacks deliver the Spark and Pierogi backdoors for politically-driven cyber espionage operations using spear phishing attacks.

KEY OBSERVATIONS & TTPS

» Targeting Palestinians: The campaigns appear to target Palestinian individuals and entities, likely related to the Palestinian government.

» Politically-motivated APT: Cybereason suspects that the objective of the threat actor is to obtain sensitive information from the victims and leverage it for political purposes.

» Lured Into Deploying a Backdoor: The attackers use specially crafted lure content for spear phishing to trick targets into opening malicious files that infect the victim's machine with a backdoor. The lure content in the malicious files relates to political affairs in the Middle East, with references to the Israeli-Palestinian conflict, tension between Hamas and Fatah, and other political entities.

» Perpetrated by an Arabic-Speaking APT Group: The modus operandi of the attackers, in conjunction with the social engineering tactics and decoy content, seems aligned with previous attacks carried out by the Arabic-speaking APT group MoleRATs (aka Gaza Cybergang). This group has been operating in the Middle East since 2012.

» Read the full-length research here.

CYBEREASON CUSTOMERS

We highly recommend every customer enable the following features:

» If you do not have Cybereason NGAV activated, consider doing so to protect against threats like these.

» For Cybereason MDR customers, the Cybereason team will monitor and triage potential infections, as well as assist in their mitigation.

THREAT TYPE: BACKDOOR
TARGET INDUSTRY: GOVERNMENT ENTITIES
ATTACK GOAL: CYBER ESPIONAGE
IMPACTED GEO: THE MIDDLE EAST

REMEDIATION STEPS

Consider social engineering awareness and training, which are key in preventing such attacks.

Disable macros and install an endpoint protection solution to help mitigate similar attacks.
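The "disable macros" step above can be enforced on a Windows endpoint with the Office Trust Center policy values. The script below is an added example, not part of the Cybereason alert and not Cybereason tooling; it assumes the lure documents are Office files with VBA macros, that the endpoint runs Office 2016/2019/365 (registry version "16.0"), and that setting the per-user policy hive is acceptable for a test machine (in production, push the same values with Group Policy or your MDM). It first audits the current (often weak) values, then writes the hardened ones and re-reads them.

```powershell
# Added example (not from the Cybereason alert): audit and enforce the Office macro
# policy that implements the "disable macros" remediation step.
# Assumptions: Office registry version 16.0; HKCU policy hive (Software\Policies) is
# used because the Trust Center UI cannot override values written there.

$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

# VBAWarnings meanings (Trust Center "Macro Settings"):
#   1 = Enable all macros            (weak: any lure document runs its macro)
#   2 = Disable with notification    (Office default: one click re-enables them)
#   3 = Disable except digitally signed
#   4 = Disable all without notification (hardened value used here)
$HardenedVbaWarnings = 4

function Get-MacroPolicy {
    param([string]$App)
    $path = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    $props = if (Test-Path $path) { Get-ItemProperty -Path $path } else { $null }
    [pscustomobject]@{
        App                 = $App
        VBAWarnings         = if ($props) { $props.VBAWarnings } else { $null }
        BlockFromInternet   = if ($props) { $props.blockcontentexecutionfrominternet } else { $null }
    }
}

function Test-MacroPolicyHardened {
    param([pscustomobject]$Policy)
    # Either 3 (signed only) or 4 (disabled) is acceptable; MOTW blocking must be on.
    ($Policy.VBAWarnings -in 3, 4) -and ($Policy.BlockFromInternet -eq 1)
}

function Set-MacroPolicyHardened {
    param([string]$App)
    $path = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }

    # Disable macros outright (see table above).
    New-ItemProperty -Path $path -Name 'VBAWarnings' -Value $HardenedVbaWarnings `
        -PropertyType DWord -Force | Out-Null

    # "Block macros from running in Office files from the Internet": refuses macros in
    # any file carrying the Mark-of-the-Web, which covers email attachments and downloads,
    # i.e. exactly how a spear phishing lure arrives.
    New-ItemProperty -Path $path -Name 'blockcontentexecutionfrominternet' -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

Write-Host "Before hardening:"
$Apps | ForEach-Object { Get-MacroPolicy $_ } | Format-Table -AutoSize

foreach ($App in $Apps) {
    $policy = Get-MacroPolicy $App
    if (-not (Test-MacroPolicyHardened $policy)) {
        Write-Host "Hardening $App macro policy"
        Set-MacroPolicyHardened $App
    }
}

Write-Host "After hardening:"
$Apps | ForEach-Object { Get-MacroPolicy $_ } |
    Select-Object App, VBAWarnings, BlockFromInternet,
        @{ Name = 'Hardened'; Expression = { Test-MacroPolicyHardened $_ } } |
    Format-Table -AutoSize
```

If a business unit genuinely depends on macros, set VBAWarnings to 3 instead of 4 and sign the approved macros; the Mark-of-the-Web block should stay at 1 regardless, since it is the setting that stops a freshly received lure document from executing code.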

PREVENTED & DETECTED BY THE CYBEREASON DEFENSE PLATFORM

EXPERIENCED A BREACH? EMAIL US AT INFO@CYBEREASON.COM

CYBEREASON.COM