Amid tensions and a shifting power equilibrium in the Middle East, OWN-CERT analyzed a campaign targeting Arabic-speaking people.
Key Findings
- OWN-CERT found multiple malicious samples targeting Arabic-speaking people and dropping custom loaders.
- This activity is attributed with high confidence to the Wirte group, based on TTP similarities and infrastructure overlap.
- The custom loader uses an implementation of base64 and the Tiny Encryption Algorithm (TEA) to encrypt the valuable strings in the malware.
- The loader communicates with the command-and-control server, sending an XOR-encoded string containing information about the compromised system.
It seems that the wave of change that descended on the Middle East in 2024, and is still reshaping the region, is rooted in Hamas's October 7th operation “Tufan al-Aqsa”.
This operation dragged Iran and Hezbollah into an all-out conflict with Israel, as both supported Hamas in Gaza verbally and militarily; since then, 2024 has marked a pivotal period for the Middle East.
Iran and its Lebanese ally Hezbollah have been weakened by their repeated confrontations with Israel, to the point of withdrawing the support troops they had provided to their protégé Bashar al-Assad. This, among other causes, allowed Hayat Tahrir al-Sham (HTS), an Islamist group fighting the Syrian regime, to seize power in a few days at the beginning of December 2024.
After al-Assad was overthrown, Israel invaded the Syrian Quneitra (Golan) area while reaching a ceasefire deal with Hamas on 15 January 2025. Turkey, on the other hand, an alleged supporter of HTS, has been trying to solve its national Kurdish issues on Syrian territory.
OWN-CERT expected these extensive developments to trigger espionage and information collection campaigns in the region and started monitoring online activities. OWN-CERT detected a campaign distributing a PDF document leading to a Dropbox share that drops an archive containing a DLL and a PDF lure document in Arabic about a security working group strategic meeting. The campaign seems to target regional actors in charge of security and defense matters as well as diplomatic negotiations. Here is what it does.
Security working group strategic meeting
On 1 January 2025, a RAR archive was uploaded to VirusTotal and AnyRun. The archive is named "الاجتماع الاستراتيجي لمجموعة العمل الامني rar" in Arabic, which can be translated as "Security Working Group Strategic Meeting.rar". The archive was uploaded from Egypt.
This archive contains three files:
- الاجتماع الاستراتيجي لمجموعة العمل الامني.exe (an executable file with the same name as the archive).
- wtsapi32.dll (a DLL).
- Document (PDF file).

OWN-CERT was not able to retrieve the original infection vector; however, the URL from which the archive was distributed was hosted on the Dropbox service, potentially indicating that the original distribution vector was phishing.
The executable file "الاجتماع الاستراتيجي لمجموعة العمل الامني exe" is a renamed legitimate copy of "BDEUISRV.DLL", the library used to unlock BitLocker via a graphical interface. However, the library present in the archive, "wtsapi32.dll", is not the legitimate Windows DLL used for Remote Desktop Services and Terminal Services.
When the legitimate executable BDEUISRV.DLL is launched, it loads the malicious "wtsapi32.dll" library from the same folder. This technique, known as "DLL side-loading", can help bypass security measures such as antivirus software or a misconfigured EDR.
Once executed, the malicious DLL loads the last file present in the archive: "Document". This file is a PDF written in good Arabic, according to OWN-CERT's Arabic-speaking analysts, and appears to be a report of a meeting discussing security issues and international cooperation involving Palestinian security forces and various international delegations (UN, EU, DCAF, etc.).
This document tackles topics such as:
- The ongoing Israel-Palestine conflict.
- The need to support Palestinian security forces.
- Humanitarian challenges in Gaza and the West Bank.
- The role of international actors in providing financial and logistical support.
This PDF file is a decoy document used to give credibility to the campaign by making the victim think they opened a real PDF document, while malicious activities are taking place in the background.
The "wtsapi32.dll" is a dropper, retrieving the encoded final payload from a command-and-control server, decoding it, and injecting it into the memory of the victim's computer. Most of the used strings (such as C2 server, URI, …) are encoded in base64 and ciphered with the TEA (tiny encryption algorithm). The Tiny Encryption Algorithm is a lightweight, fast, and simple block cipher easy to implement but vulnerable to cryptographic attacks due to its simplicity. OWN-CERT was able to retrieve the key that was hardcoded in this malware, and its value was the name of the malicious DLL: "wtsapi32.dll".

In the malware, the TEA decryption routine is coupled with a simple base64 decode to recover the data.
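The string protection scheme just described, as an added example written for this article (it is not code from the OWN-CERT analysis nor from the malware): standard 32-round TEA keyed with the DLL name, wrapped in base64. The report does not state how the 12-byte name "wtsapi32.dll" becomes TEA's 16-byte key, nor the word order or plaintext padding; zero-padding the key, little-endian 32-bit words and zero-padding plaintexts to the 8-byte block size are assumptions made here so that the decoder runs end to end on a constructed sample.

```python
import base64
import struct

# Assumptions (not stated in the report): standard 32-round TEA, little-endian
# 32-bit words, the 12-byte DLL name zero-padded to the 128-bit key TEA needs,
# and plaintexts zero-padded to a multiple of the 8-byte block size.
KEY_MATERIAL = b"wtsapi32.dll"
DELTA = 0x9E3779B9          # TEA's golden-ratio round constant
MASK = 0xFFFFFFFF
ROUNDS = 32


def tea_key(material: bytes) -> tuple:
    """Expand key material to four 32-bit words (zero padding assumed)."""
    return struct.unpack("<4I", material.ljust(16, b"\x00")[:16])


def tea_encrypt_block(v0: int, v1: int, k: tuple) -> tuple:
    s = 0
    for _ in range(ROUNDS):
        s = (s + DELTA) & MASK
        v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
    return v0, v1


def tea_decrypt_block(v0: int, v1: int, k: tuple) -> tuple:
    # Decryption starts from the final round sum and walks the rounds backwards.
    s = (DELTA * ROUNDS) & MASK  # 0xC6EF3720 for 32 rounds
    for _ in range(ROUNDS):
        v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
        v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        s = (s - DELTA) & MASK
    return v0, v1


def encrypt_string(plain: str, key_material: bytes = KEY_MATERIAL) -> str:
    """Inverse of decrypt_string; used here only to build constructed test data."""
    k = tea_key(key_material)
    data = plain.encode("utf-8")
    data += b"\x00" * (-len(data) % 8)          # assumed zero padding to 8 bytes
    out = bytearray()
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack("<2I", data[i:i + 8])
        out += struct.pack("<2I", *tea_encrypt_block(v0, v1, k))
    return base64.b64encode(bytes(out)).decode("ascii")


def decrypt_string(encoded: str, key_material: bytes = KEY_MATERIAL) -> str:
    """base64-decode, TEA-decrypt each 8-byte block, strip the zero padding."""
    k = tea_key(key_material)
    raw = base64.b64decode(encoded)
    out = bytearray()
    for i in range(0, len(raw) - len(raw) % 8, 8):   # a trailing partial block is ignored
        v0, v1 = struct.unpack("<2I", raw[i:i + 8])
        out += struct.pack("<2I", *tea_decrypt_block(v0, v1, k))
    return bytes(out).rstrip(b"\x00").decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Constructed sample: the C2 hostname from the report, protected with the
    # assumed scheme and then recovered with the DLL-name key.
    blob = encrypt_string("status.techupinfo[.]com")
    print(blob)
    print(decrypt_string(blob))
```

When applying this to a real sample, confirm the assumptions by decrypting one string whose value is known (the C2 hostname is a good candidate): if it does not come out clean, try the other word order or a different key expansion before concluding that the cipher itself was modified.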
The dropper revolves around two main functions. The first one is the function communicating with the command-and-control server.

It first decodes the string corresponding to the command-and-control server (status.techupinfo[.]com), then extracts the status code from the response.
If the status code is 404, the process exits.
Otherwise, it tries to parse the received payload.

A delay is also implemented, if the command-and-control communication fails or after the payload's execution, to evade analysis mechanisms such as sandboxes.

The second main function queries the computer for information such as the username, computer name, processor, installed OS version and the computer's domain. This data is concatenated into a string and obfuscated using XOR and base64.

This concatenated string is used for command-and-control communications to the URL:
status.techupinfo[.]com/api/v1.0/account?token=<encoded_string>
This function is thus likely used by the intrusion set to identify infected machines. The final payload dropped in the campaign analyzed by OWN-CERT may also have been a post-exploitation framework such as Havoc. However, as the infrastructure was down when OWN-CERT analyzed this campaign, this hypothesis could not be confirmed.
This hypothesis is nevertheless supported by the OWN-CERT observations presented in the “Pivoting and attributing” section, which show that the identified modus operandi leverages Havoc for post-compromise activities.
Pivoting and attributing
OWN-CERT identified two other samples, which we assume with high confidence are related to the same campaign, since the only differences are the encoded values for the command-and-control server and the user agents used.
One of the other samples used the auth.techupinfo[.]com command-and-control server, while the other used a similar domain name cdn.techpointinfo[.]com.
No pivot could be made on the infrastructure's registration data: the domain names were registered with unique Proton Mail addresses that were not used to register other domain names:
- tannondmurphy[@]proton[.]me
- ainsleeblackwood[@]proton[.]me
A pivot on the URI path was possible, however, and surfaced the URL:
hxxps://support-api.financecovers[.]com/api/v1.0/account?token=ChYOAQlUAiApPyYnLiNDcx4wVV8pRU0yI3UYUEB
The domain financecovers[.]com was published in a Check Point report from November 2024 uncovering TTPs of the Wirte group, a Hamas-affiliated threat actor. This domain was also registered with a generic @proton[.]me email address.
The TTPs uncovered in that report are very similar to this campaign: a RAR file is downloaded from a PDF lure containing a malicious link. Inside the RAR archive, a legitimate executable side-loads a loader and opens a decoy PDF, often targeting Arabic-speaking people interested in the Palestinian situation. The final dropped payload is a Havoc 'Demon', an agent that communicates with the Havoc framework installed on a command-and-control server and handles post-exploitation of the compromised host.
Wirte also wipes
Wirte is also known for disruptive operations, such as using wiper malware that sometimes drops pro-Palestine wallpapers or videos. In February 2024, @NicoleFishi19 on X, a researcher at Intezer Labs, published an analysis of a campaign named “SameCoin” that impersonated the Israeli National Cyber Directorate (INCD) and distributed anti-war propaganda and an attack ad against Benyamin Netanyahu.
A fake email urged the victim to “patch” their system against recently discovered vulnerabilities. The malicious email contained multiple legitimate links to the real INCD website, while two other links redirected to a malicious website.
Depending on the link chosen by the victim, the file downloaded was either an archive (for Windows systems) or an APK (for Android devices).
The archive contained an executable that served both as a wiper and as a loader for embedded components: an image to change the wallpaper, a propaganda video and a .NET lateral movement tool.
The APK takes a more direct approach to data destruction, deleting data in chunks by overwriting them with zeroes.

The same TTPs were analyzed by blu3eye in October 2024, in a campaign impersonating ESET and targeting Israel.
The target was selected by sending a request to oref.org[.]il, a geofenced website, meaning the victim was likely located in Israel when hit by the malware. In this campaign, a loader executed a wiper, changed the wallpaper and played a propaganda video.
Victimology
Other versions of the renamed BDEUISRV.DLL with Arabic names were seen by OWN-CERT. One was entitled "1302 وزير الدفاع التركي غيرنا استراتيجيتنا في مكافحة التنظيمات الارهابية exe", which can be roughly translated as "Turkish Defense minister (we) changed our strategies related to the fight against terrorism.exe". Contrary to the other executables' names, this one seems grammatically incorrect. The form of the verb “change” (“غيرنا”) is first person plural, whereas the “minister of defense” is the subject of the sentence and should be followed by a third person singular verb. OWN-CERT suggests two hypotheses: either a colon (:) indicating a quote from the Turkish defense minister was left out, or the executable was named by non-Arabic-speaking developers working for the group. The latter could not be verified.
The other version is entitled " مذكرة حول اخر التطورات في مفاوضات وقف إطلاق النار وتبادل الأسرى.exe ", which translates to "Memorandum on the latest developments in the ceasefire and prisoner exchange negotiations".
These two titles suggest that the threat actor behind the campaign is targeting, on the one hand, Arab countries involved in negotiations with Turkey, which has gained a predominant position as a military power and as a negotiator, and, on the other hand, Arab countries taking part in negotiations with Israel on the Gaza file, as the “ceasefire” and the “prisoner exchange” could refer to the discussions held between Israel, Hamas, the US and Qatar.
The file "1302 وزير الدفاع التركي غيرنا استراتيجيتنا في مكافحة التنظيمات الارهابية exe" (“Turkish Defense minister “changed our strategies” related to the fight against terrorism.exe”) was uploaded on 2024-12-06 from Malaysia and " مذكرة حول اخر التطورات في مفاوضات وقف إطلاق النار وتبادل الأسرى.exe " (“Memorandum on the latest developments in the ceasefire and prisoner exchange negotiations”) was uploaded on 2025-01-16 from Jordan.
As for additional malware samples, they were uploaded from Malaysia and Canada.
The location “Malaysia” could be a VPN exit point; another hypothesis is that Arabic-speaking Malaysians received the lure document.
Recommendations
To protect your network from this kind of infection, OWN-CERT recommends using a solution such as an EDR that can detect DLL side-loading techniques.
Monitoring legitimate processes making unwanted HTTP/HTTPS connections helps identify the activity of such malware, as does monitoring requests made to /api/v1.0/account?token= if that path is not used by your organization.
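The two monitoring ideas above, together with the host-fingerprint token described in the analysis (system information concatenated, XOR-encoded and base64-encoded), as an added example written for this article and not OWN-CERT tooling. It flags records of processes that are not expected to speak HTTP and requests to the /api/v1.0/account?token= path, and shows how such a token is reversed once the XOR key is known. The log format, the process allowlist, the XOR key ("placeholder-key") and the field layout of the token are hypothetical placeholders; the report gives none of them, and the sample log lines are constructed.

```python
import base64
import re
from urllib.parse import urlparse

# Hypothetical placeholders: the report states XOR + base64 but gives neither the
# key nor the field order. Replace with the values recovered from the sample.
XOR_KEY = b"placeholder-key"
FIELD_SEP = "|"
BEACON_PATH = "/api/v1.0/account"
TOKEN_RE = re.compile(r"[?&]token=([A-Za-z0-9+/=]+)")
# Hypothetical allowlist of processes expected to make HTTP(S) requests.
EXPECTED_HTTP_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_token(fields, key: bytes = XOR_KEY) -> str:
    """Build a token the way the report describes: concatenate, XOR, base64."""
    joined = FIELD_SEP.join(fields).encode("utf-8")
    return base64.b64encode(xor_bytes(joined, key)).decode("ascii")


def decode_token(token: str, key: bytes = XOR_KEY) -> list:
    """Inverse of encode_token; tolerates a token whose '=' padding was stripped."""
    raw = base64.b64decode(token + "=" * (-len(token) % 4))
    return xor_bytes(raw, key).decode("utf-8", errors="replace").split(FIELD_SEP)


def analyse(log_lines, key: bytes = XOR_KEY) -> list:
    """Flag proxy/EDR records of the form 'timestamp,process,url'."""
    findings = []
    for line in log_lines:
        ts, proc, url = line.strip().split(",", 2)
        parsed = urlparse(url)
        token = TOKEN_RE.search(url)
        reasons = []
        if parsed.path == BEACON_PATH and token:
            reasons.append("beacon URI pattern")
        if proc.lower() not in EXPECTED_HTTP_CLIENTS:
            reasons.append("unexpected HTTP client")
        if reasons:
            finding = {"time": ts, "process": proc, "host": parsed.hostname, "reasons": reasons}
            if "beacon URI pattern" in reasons:
                # With the key known, the token yields the host fingerprint the loader sent.
                finding["decoded_token"] = decode_token(token.group(1), key)
            findings.append(finding)
    return findings


# Constructed sample log: one browser request, one beacon from a renamed
# executable (hypothetical process name), one internal API call on another path.
SAMPLE_LOG = [
    "2025-01-02T10:14:05Z,chrome.exe,https://www.example.com/news",
    "2025-01-02T10:14:09Z,renamed_bdeuisrv.exe,https://status.techupinfo.com/api/v1.0/account?token="
    + encode_token(["alice", "WS-07", "Intel64 Family 6", "10.0.19045", "CORP"]),
    "2025-01-02T10:15:00Z,msedge.exe,https://intranet.example.com/api/v1.0/status",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f)
```

The allowlist rule is deliberately strict; in production it is usually scoped to a set of binaries that should never reach the internet (system utilities, document viewers) rather than to everything outside a browser list, otherwise the rule drowns in noise.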
Detect executable files using a TEA implementation and base64:
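A way to approximate that detection in a triage script, added as an example for this article (it is not an OWN-CERT rule): look for the TEA round constant 0x9E3779B9 (and the values a compiler typically leaves next to it: the 32-round final sum 0xC6EF3720 and the negated delta 0x61C88647) together with the standard base64 alphabet in a file's bytes. The sample buffers are constructed; the constants are the public TEA definition. Note the caveat in the code: 0x9E3779B9 is the golden-ratio constant and also appears in XTEA and several hash functions, so a hit is a triage signal, not proof of TEA.

```python
import struct

TEA_DELTA = 0x9E3779B9
TEA_SUM_32_ROUNDS = (TEA_DELTA * 32) & 0xFFFFFFFF   # 0xC6EF3720, the decrypt start sum
TEA_DELTA_NEGATED = (-TEA_DELTA) & 0xFFFFFFFF       # 0x61C88647, used by "sum -= ..." variants
B64_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Byte patterns to search for. Caveat: the delta is the golden-ratio constant and
# also occurs in XTEA and in hash functions, so treat a hit as a triage signal.
INDICATORS = {
    "tea_delta_le": struct.pack("<I", TEA_DELTA),
    "tea_delta_be": struct.pack(">I", TEA_DELTA),
    "tea_sum32_le": struct.pack("<I", TEA_SUM_32_ROUNDS),
    "tea_delta_neg_le": struct.pack("<I", TEA_DELTA_NEGATED),
    "base64_alphabet": B64_ALPHABET,
}


def find_all(data: bytes, pattern: bytes) -> list:
    """Return every offset at which pattern occurs in data."""
    offsets, start = [], 0
    while True:
        i = data.find(pattern, start)
        if i < 0:
            return offsets
        offsets.append(i)
        start = i + 1


def scan_bytes(data: bytes) -> dict:
    """Map indicator name -> list of offsets, only for indicators that hit."""
    return {name: offs for name, pat in INDICATORS.items() if (offs := find_all(data, pat))}


def classify(hits: dict) -> str:
    has_tea = any(name.startswith("tea_") for name in hits)
    has_b64 = "base64_alphabet" in hits
    if has_tea and has_b64:
        return "tea+base64"      # both building blocks of the loader's string protection
    if has_tea:
        return "tea-only"
    if has_b64:
        return "base64-only"     # extremely common in benign software
    return "clean"


def scan_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


# Constructed sample buffers: a fake PE-like blob carrying the TEA constants and
# the base64 alphabet, and a benign one with neither.
SAMPLE_SUSPICIOUS = (b"MZ" + b"\x00" * 32 + struct.pack("<I", TEA_DELTA) + b"\x90" * 8
                     + struct.pack("<I", TEA_SUM_32_ROUNDS) + B64_ALPHABET + b"\x00" * 8)
SAMPLE_BENIGN = b"MZ" + b"\x00" * 64 + b"hello world"

if __name__ == "__main__":
    hits = scan_bytes(SAMPLE_SUSPICIOUS)
    print(classify(hits), hits)
    print(classify(scan_bytes(SAMPLE_BENIGN)))
```

Compiled TEA code does not always embed the delta as one literal (it may be split across instructions or unrolled), so a YARA rule built from these constants should be paired with behavioural signals such as the side-loading and beaconing patterns described above.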
Sources
- https://blu3eye.gitbook.io/malware-insight/eset-wiper
- https://x.com/NicoleFishi19/status/1756936902735806644
- https://research.checkpoint.com/2024/hamas-affiliated-threat-actor-expands-to-disruptive-activity/
OWN-CERT's multi-disciplinary team carries out a wide variety of activities, including threat detection, forensic analysis, investigation and analysis of cybercriminal ecosystems, identification and monitoring of adversary operating mode infrastructures, and geopolitical and legal analysis.
Our analysts are fluent in several languages, including Russian, Chinese, Arabic, Korean, Romanian, German, Spanish and Italian.
Would you like to find out more about OWN-CERT's services? Please contact us.