Stealthy WIRTE Attackers Target Governments in the Middle East

A stealthy hacking gang known as WIRTE has been linked to a government-targeting operation that has been conducting attacks since at least 2019 using malicious Excel 4.0 macros. The primary targets are high-profile public and private entities in the Middle East, but investigators have also observed victims in other regions.

Security investigators at Xiarch analyzed the operations, toolset, and methods, and concluded with low confidence that WIRTE has pro-Palestinian motives and is suspected to be part of the ‘Gaza Cybergang.’

However, compared with other affiliated hacking gangs, WIRTE has better OpSec and craftier tactics, and it has been able to evade detection for long periods.

Tricky dropper execution flow

WIRTE’s phishing emails carry Excel documents whose malicious macros download and install malware payloads on the recipient’s device. While the main focus of WIRTE’s attacks is on government and diplomatic entities, Xiarch has seen the same attacks hit a wide variety of industries throughout the Middle East and other regions.

“Our telemetry indicates that the threat actor has targeted a variety of verticals, including diplomatic and financial institutions, government, law firms, military organizations, and technology companies,” explained Xiarch’s report.

“The affected entities are located in Armenia, Cyprus, Egypt, Jordan, Lebanon, Palestine, Syria, and Turkey.” The malicious documents are tailored to catch the interest of the targeted victim and use logos and themes that mimic brands, authorities, or the targeted organization.


The Excel dropper first runs a series of formulas in a hidden column, which hide the “enable editing” request from the original file and unhide a secondary spreadsheet that contains the decoy. The dropper then runs formulas from a third spreadsheet with hidden columns, which perform the following three anti-sandbox checks:

  • Get the name of the environment
  • Check if a mouse is present
  • Check if the host computer can play sounds

If all the checks pass, the macro writes a VBS script that in turn writes an embedded PowerShell snippet and two registry keys for persistence.
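The three host checks above correspond to Excel 4.0 GET.WORKSPACE() selectors (1 = environment name, 19 = mouse present, 42 = can play sounds, per the Excel 4.0 macro function reference). The following Python triage rule is added here as an example; it is not code from the article or from the underlying report. It flags XLM formulas that combine those selectors with a file write and a process launch, the same order of events the dropper follows. It operates on formula strings as a tool such as olevba would extract them from a workbook; the sample formulas are constructed for illustration and are not taken from a WIRTE sample.

```python
import re

# GET.WORKSPACE() selectors that XLM droppers use to fingerprint the host
# (selector numbers from the Excel 4.0 macro function reference).
WORKSPACE_CHECKS = {
    1: "environment name",
    19: "mouse present",
    42: "can play sounds",
}
WORKSPACE_RE = re.compile(r"GET\.WORKSPACE\((\d+)\)", re.I)

# Other XLM functions that, combined with the checks above, mark a dropper
# rather than an ordinary spreadsheet macro. Value = (pattern, weight).
INDICATORS = {
    "reveals hidden sheet": (re.compile(r"\bWORKBOOK\.UNHIDE\(", re.I), 1),
    "closes silently on failed check": (re.compile(r"\bCLOSE\(FALSE\)", re.I), 1),
    "writes a file": (re.compile(r"\bFOPEN\(|\bFWRITELN?\(", re.I), 2),
    "spawns a process": (re.compile(r"\bEXEC\(", re.I), 3),
}


def triage(formulas):
    """Score a list of XLM formula strings and return a verdict dict."""
    checks = set()
    hits = {}
    for formula in formulas:
        for selector in WORKSPACE_RE.findall(formula):
            if int(selector) in WORKSPACE_CHECKS:
                checks.add(int(selector))
        for name, (pattern, weight) in INDICATORS.items():
            if pattern.search(formula):
                hits[name] = weight
    score = len(checks) + sum(hits.values())
    # A host fingerprint followed by dropping or running something is the
    # dropper signature; fingerprinting alone is only suspicious.
    if checks and ("writes a file" in hits or "spawns a process" in hits):
        verdict = "likely XLM dropper"
    elif score >= 2:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "workspace_checks": sorted(checks),
        "indicators": sorted(hits),
        "score": score,
        "verdict": verdict,
    }


# Constructed formulas that mimic the flow described above (hypothetical,
# not extracted from a real sample): unhide the decoy, run the three checks,
# write a VBS file and execute it.
DROPPER_FORMULAS = [
    '=WORKBOOK.UNHIDE("Decoy")',
    '=IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),,CLOSE(FALSE))',
    '=IF(GET.WORKSPACE(19),,CLOSE(FALSE))',
    '=IF(GET.WORKSPACE(42),,CLOSE(FALSE))',
    '=FOPEN("C:\\ProgramData\\update.vbs",3)',
    '=FWRITELN(H5,"Set sh=CreateObject(""WScript.Shell"")")',
    '=FCLOSE(H5)',
    '=EXEC("wscript.exe C:\\ProgramData\\update.vbs")',
    '=HALT()',
]
BENIGN_FORMULAS = ['=SUM(A1:A9)', '=IF(B2>0,"yes","no")', '=HALT()']

if __name__ == "__main__":
    print(triage(DROPPER_FORMULAS))
    print(triage(BENIGN_FORMULAS))
```

The rule deliberately keys on the combination rather than on any one function: GET.WORKSPACE() and WORKBOOK.UNHIDE() appear in legitimate legacy macros, but a sheet that checks for a mouse and a sound card and then calls FOPEN/FWRITELN and EXEC has no ordinary business purpose.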


The macro then continues by writing a PowerShell snippet with VB code to %ProgramData%. This snippet is the ‘LitePower’ stager, which downloads payloads and receives commands from the C2. The commands observed by Kaspersky across the monitored and analyzed intrusions are the following:

  • List local disk drives
  • Get the list of installed AV software
  • Check if the current user is an admin
  • Get OS architecture
  • Check for the existence of backdoor services
  • Check for registry keys added for COM hijacking
  • List all installed hotfixes
  • Get a screenshot and save it to %AppData% until the next POST request

Obscured command and control

The actors have placed their C2 domains behind Cloudflare to hide the real IP addresses, but Kaspersky was able to identify some of them and found that they are hosted in Ukraine and Estonia. Many of these domains date back to at least December 2019, which shows WIRTE’s ability to evade detection, analysis, and reporting for extended periods.


The most recent intrusions use HTTPS over TCP/443 for C2 communication, but they also use TCP ports 2096 and 2087, as mentioned in a 2019 report by Lab52. Another similarity with the older campaign is the sleep function in the script, which still ranges between 60 and 100 seconds.
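The two network traits just described, a 60 to 100 second sleep between check-ins and the alternate ports 2087 and 2096, can be turned into a hunt over outbound proxy logs. The script below is an added example, not code from the article or from the researchers. It assumes a hypothetical space-separated log format (timestamp, source IP, destination host, destination port, HTTP method) and the log lines are constructed for illustration; it groups requests per source/destination/port, flags flows whose check-in intervals all fall inside the sleep band, and separately flags the two alternate ports.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Alternate HTTPS ports seen in the earlier WIRTE campaign (Lab52, 2019).
SUSPECT_PORTS = {2087, 2096}

# Constructed sample log (not real telemetry): one host beaconing every
# 60-100 s to a CDN-fronted domain, normal browsing noise, and a single
# POST to port 2096.
SAMPLE_LOG = """\
2021-11-05T10:00:00Z 10.1.4.22 updates.example-cdn.net 443 POST
2021-11-05T10:01:12Z 10.1.4.22 updates.example-cdn.net 443 POST
2021-11-05T10:02:40Z 10.1.4.22 updates.example-cdn.net 443 POST
2021-11-05T10:03:45Z 10.1.4.22 updates.example-cdn.net 443 POST
2021-11-05T10:05:20Z 10.1.4.22 updates.example-cdn.net 443 POST
2021-11-05T10:00:05Z 10.1.4.22 www.microsoft.com 443 GET
2021-11-05T10:00:06Z 10.1.4.22 www.microsoft.com 443 GET
2021-11-05T10:30:00Z 10.1.4.22 www.microsoft.com 443 GET
2021-11-05T11:00:00Z 10.1.4.31 panel.example-host.com 2096 POST
"""


def parse_log(log_text):
    """Parse the hypothetical log format into (time, src, host, port, method)."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, host, port, method = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, src, host, int(port), method))
    return events


def find_beacons(log_text, low=60.0, high=100.0, min_hits=4, slack=0.1):
    """Return flows that look like LitePower check-ins.

    A flow is flagged when it has at least `min_hits` requests and every gap
    between consecutive requests lies within [low, high] (widened by `slack`
    to absorb logging jitter), or when it uses one of SUSPECT_PORTS.
    """
    flows = defaultdict(list)
    for when, src, host, port, _method in parse_log(log_text):
        flows[(src, host, port)].append(when)

    findings = []
    for (src, host, port), times in flows.items():
        reasons = []
        if port in SUSPECT_PORTS:
            reasons.append("alternate C2 port %d" % port)
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_hits and all(
            low * (1 - slack) <= g <= high * (1 + slack) for g in gaps
        ):
            reasons.append(
                "%d intervals all within %.0f-%.0fs (median %.0fs)"
                % (len(gaps), low, high, statistics.median(gaps))
            )
        if reasons:
            findings.append({"src": src, "dst": host, "port": port, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

Two caveats for real data: the interval test needs at least a handful of check-ins, so it will not catch a host that has only just been infected, and because the C2 sits behind Cloudflare the destination IP is useless as a pivot; the domain and the timing pattern are what remain.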


WIRTE has now been seen tentatively expanding its targeting scope to financial institutions and large private organizations, which could be the result of experimentation or a gradual change in focus. Xiarch warns that even though the TTPs used by these actors are simple and rather ordinary, they remain very effective against the group’s targets.
