WIRTE

Threat Actor updated 3 days ago (2024-11-20T18:12:39.650Z)

Download STIX

Preview STIX

WIRTE is a threat actor that has been identified as part of several overlapping groups, including TA402, Molerats, and Frankenstein. In mid-2023, Proofpoint researchers first noticed WIRTE's activity within TA402, which targeted Middle Eastern governments using an intricate infection chain and a new initial access downloader named IronWind. The group utilized documents deploying Visual Basic Script (VBS), often delivered via spear phishing, with Arabic content frequently associated with Palestinian matters. WIRTE's target selection and the nature of its distributed content further reinforce this connection. The group has also shown a continued reliance on tactics such as user agent filtering, payload building with HTML tags, redirection to news sites, and maintaining a consistent infrastructure style. The longstanding WIRTE Advanced Persistent Threat (APT) group's activities and tools have been revealed over the past year. In earlier campaigns, the group employed various tools like VBS and PowerShell scripts, while retaining signature techniques in the attacks discussed in this report. A unique encryption function introduced in newer versions of the malware has only been seen in WIRTE malware, suggesting minor changes and advancements in their methods. Based on historical ties and disruptive attack messaging, it is assessed that WIRTE likely has connections to Hamas. This association is supported by WIRTE's consistent targeting of the Palestinian Authority (PA) and historical links to groups associated with Hamas, such as Molerats and the Gaza Cyber Gang. However, these connections are assessed with low confidence, indicating that more evidence is needed to confirm these relationships definitively. Check Point Research identifies WIRTE as primarily deploying a tool called SameCoin, further cementing its status as a disruptive operation.

Description last updated: 2024-11-15T15:54:54.386Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
TA402 is a possible alias for WIRTE. TA402, also known as Molerats, Gaza Cybergang, Frankenstein, and WIRTE, is a threat actor that has been tracked by cybersecurity researchers for over a decade. This group, associated with pro-Palestinian interests, is known for its innovative and persistent cyber espionage activities, frequently ret	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Apt

Phishing

Malware

Hamas

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Samecoin Malware is associated with WIRTE. SameCoin is a multi-platform wiper malware, with versions for Android and Windows, identified in two significant waves of cyberattacks targeting Israeli entities in February and October 2024. The malware was often disguised as an Israeli National Cyber Directorate (INCD) security update, tricking us	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Gaza Cybergang Threat Actor is associated with WIRTE. Gaza Cybergang, a threat actor group affiliated with Hamas, has been active since at least 2012, targeting entities in the Middle East and North Africa. The group's activities primarily involve intelligence collection and espionage campaigns against Palestinian and Israeli victims. Researchers have	is related to	2

Source Document References

Information about the WIRTE Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Checkpoint	2 days ago	18th November – Threat Intelligence Report
DARKReading	8 days ago	Hamas Hackers Spy on Mideast Gov'ts, Disrupt Israel
Checkpoint	8 days ago	Hamas-affiliated Threat Actor WIRTE Continues its Middle East Operations and Moves to Disruptive Activity - Check Point Research
CERT-EU	a year ago	TA402 Uses Complex IronWind Infection Chains to Target Middle East-Based Government Entities \| Proofpoint US
MITRE	2 years ago	Public report on attacks in Middle East we attribute to WIRTE APT