WIRTE

Threat Actor updated a month ago (2024-11-29T13:51:36.918Z)
WIRTE is a threat actor whose activity overlaps with several vendor-tracked clusters, including TA402, Molerats and Frankenstein. From mid-2023, Proofpoint researchers tracked TA402 (a cluster Proofpoint also associates with WIRTE) targeting Middle Eastern governments with a multi-stage infection chain and a new initial access downloader named IronWind. The group delivered documents that drop Visual Basic Script (VBS), usually via spear phishing, with Arabic-language lure content frequently themed around Palestinian affairs. WIRTE's target selection and the nature of its lure content reinforce the overlap with these clusters, as does its continued reliance on user agent filtering, payloads assembled from HTML tags, redirection of unwanted visitors to legitimate news sites, and a consistent infrastructure style.

The activities and tooling of the longstanding WIRTE Advanced Persistent Threat (APT) group have been documented over the past year. Earlier campaigns used VBS and PowerShell scripts, and the attacks discussed in the source reporting retain the same signature techniques. Newer versions of the malware introduce a custom encryption function not observed outside WIRTE tooling, indicating incremental rather than wholesale changes to the group's methods.

Based on historical ties and the messaging attached to its disruptive attacks, WIRTE is assessed to likely have connections to Hamas. This is supported by WIRTE's consistent targeting of the Palestinian Authority (PA) and by historical links to Hamas-associated groups such as Molerats and the Gaza Cybergang. These connections are assessed with low confidence, however, and more evidence is needed to confirm them. Check Point Research has linked WIRTE to deployment of the SameCoin wiper, marking the group's move from espionage into disruptive operations.
Description last updated: 2024-11-15T15:54:54.386Z
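The user agent filtering and news-site redirection mentioned above leave a recognisable pattern in web proxy logs: the same staging host answers a browser User-Agent with a redirect to an unrelated news domain while serving a 200 to a non-browser agent (an Office or script client). The following is an added example, not code from the original profile or from any vendor report; the tab-separated log format, the sample lines and the browser-marker list are constructed for illustration, and the heuristic itself is an assumption about how such gating would appear in a log, not a published WIRTE indicator.

```python
"""Flag hosts that appear to gate content on User-Agent (added example).

Constructed proxy log format (tab-separated):
    timestamp  client_ip  dest_host  http_status  user_agent  redirect_location
A '-' in redirect_location means no Location header was returned.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample log lines; hosts and IPs are placeholders, not real indicators.
SAMPLE_LOG = """\
2024-11-01T09:12:03Z\t10.0.0.5\tupdate-srv.example\t302\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0\thttps://news.example/latest
2024-11-01T09:12:05Z\t10.0.0.5\tupdate-srv.example\t200\tMicrosoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0)\t-
2024-11-01T09:13:10Z\t10.0.0.7\tlogin.example\t302\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/121.0\thttps://login.example/sso
2024-11-01T09:14:22Z\t10.0.0.7\tcdn.example\t200\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0\t-
2024-11-01T09:15:01Z\t10.0.0.9\tcdn.example\t200\tcurl/8.4.0\t-
"""

# Assumed substrings that identify a real browser's User-Agent string.
BROWSER_MARKERS = ("Mozilla/", "Chrome/", "Safari/", "Firefox/", "Edg/")


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 6:
        return None
    ts, client, host, status, ua, location = parts
    try:
        status = int(status)
    except ValueError:
        return None
    return {
        "ts": ts,
        "client": client,
        "host": host,
        "status": status,
        "ua": ua,
        "location": None if location == "-" else location,
    }


def ua_class(ua):
    """Classify a User-Agent as 'browser' or 'non_browser' (heuristic)."""
    return "browser" if any(marker in ua for marker in BROWSER_MARKERS) else "non_browser"


def find_gated_hosts(lines):
    """Return {host: [external redirect targets]} for hosts that redirect
    browsers off-host (3xx) while answering non-browser agents with 200."""
    browser_redirects = defaultdict(set)  # host -> off-host redirect targets
    non_browser_ok = set()                # hosts that served 200 to scripts/Office
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the scan
        cls = ua_class(rec["ua"])
        if cls == "browser" and 300 <= rec["status"] < 400 and rec["location"]:
            target = urlparse(rec["location"]).hostname
            # Same-host redirects (e.g. to an SSO page) are normal; ignore them.
            if target and target != rec["host"]:
                browser_redirects[rec["host"]].add(target)
        elif cls == "non_browser" and rec["status"] == 200:
            non_browser_ok.add(rec["host"])
    return {h: sorted(t) for h, t in browser_redirects.items() if h in non_browser_ok}


if __name__ == "__main__":
    for host, targets in find_gated_hosts(SAMPLE_LOG.splitlines()).items():
        print(f"possible UA-gated staging host: {host} -> browsers sent to {targets}")
```

On the constructed sample only update-srv.example is flagged: login.example redirects browsers to itself, and cdn.example serves 200 to everyone. Treat a hit as a triage lead rather than a verdict, since content negotiation on User-Agent is also used by legitimate CDNs and mobile redirectors, and an attacker controls the User-Agent strings the sensor sees.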
Possible Aliases / Cluster overlaps
Vendors differ in how they cluster and name activity, so the following overlapping names and profiles may also be relevant.

Alias: TA402 (votes: 2)
Description: TA402 is a possible alias for WIRTE. TA402, also known as Molerats, Gaza Cybergang, Frankenstein, and WIRTE, is a threat actor that has been tracked by cybersecurity researchers for over a decade. This group, associated with pro-Palestinian interests, is known for its innovative and persistent cyber espionage activities, frequently ret
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Phishing
Malware
Hamas
Associated Malware
Malware: SameCoin (association type: unspecified; votes: 2)
Description: The SameCoin malware is associated with WIRTE. SameCoin is a multi-platform wiper malware, with versions for Android and Windows, identified in two significant waves of cyberattacks targeting Israeli entities in February and October 2024. The malware was often disguised as an Israeli National Cyber Directorate (INCD) security update, tricking us
Associated Threat Actors
Threat actor: Gaza Cybergang (association type: is related to; votes: 2)
Description: The Gaza Cybergang threat actor is associated with WIRTE. Gaza Cybergang, a threat actor group affiliated with Hamas, has been active since at least 2012, targeting entities in the Middle East and North Africa. The group's activities primarily involve intelligence collection and espionage campaigns against Palestinian and Israeli victims. Researchers have
Source Document References
Information about the WIRTE threat actor was read from the documents corpus below (display limited to 20 results).