The Big Bang attack campaign: Gaza hackers suspected of targeting Middle Eastern victims

• Attack linked to Gaza hacker group
• Hackers name malware modules after The Big Bang Theory characters
• Attackers use a customized data-stealing malware called Micropsia

Organizations across the Middle East, specifically in Palestine, are being targeted by a cyberespionage advanced persistent threat (APT) group in a new campaign named after the popular comedy series “The Big Bang Theory”. According to security researchers at Check Point, who discovered the new campaign, traces of the campaign indicate some resemblance to attacks launched by the Gaza APT group.

The hacker group has been found previously targeting Middle Eastern victims, using the Micropsia malware, written in C++ and wrapped in Delphi.

However, the researchers refrain from definitively attributing the attack to the prolific cyberespionage group.

Why Big Bang Theory?

The campaign has been dubbed “The Big Bang” by the researchers, chosen to showcase the attackers’ fondness for The Big Bang Theory TV show. Researchers discovered that the hackers named their malware’s modules after popular characters of TV show like Leonard Hofstader, Penny and Sheldon.

According to Check Point’s researchers, the campaign began in March 2018.

The infection chain begins with phishing emails that contain malicious documents which pose as coming from the Palestinian Political and National Guidance Committee. These decoy documents are meant to be a distraction while the malware is quietly deployed onto the targeted system.

In comparison to the APT group’s 2017 campaign, the Big Bang campaign appears to be even more targeted, researchers said.

Micropsia malware + Big Bang Theory

The suspected Gaza group-linked hackers were found using an upgraded version of the Micropsia malware.

This malware is capable of taking screenshots of the infected system and sending it to the C2 server as well as stealing documents, PDFs, PPTs, Excel docs and more. It can also steal system logging details, reboot system and self-destruct.

Some of the malware’s modules have been named after the popular characters of the Big Bang Theory TV show:-

• Penny - Takes a screenshot of the infected machine and sending it to the C2 server
• Wolowitz_Helberg - Enumerates running processes, saving their names and their IDs
• Koothrappali - Logs details about the system and sends them to the server
• Hofstadter - Terminates a process by name
• Parsons_Sheldon - Deletes the payload from the startup folder and deletes the actual file

Unlike other remote access trojans (RAT) attempting to keylog and steal credentials, this malware “shows irregular behavior” by searching for Microsoft Office docs on the victim’s machine, researchers said.

“After reviewing all the malware functionalities, we are confident in saying that the attackers look for victims who answer well-defined characteristics and believe that further stages of the attack are delivered only to those who fit the specific victim profile,” Check Point researchers wrote in a blog.

Language issues

Check Point researchers found that the hackers made several typos when writing in English and other grammatical errors when using certain phrases in the C2.

“Websites related to this campaign use readymade bootstrap templates, but include unique and grammatically incorrect strings such as ‘Probably the most Music Site in the world!’, and ‘contact@namylufy[.]com’ in some of the websites,” Check Point researchers said. “Those strings helped us find other websites that use the same template, and while they could not be linked to specific malware samples, it is possible that they will be used in the future.”

Gaza Cybergang’s Evolution

The APT gang has undergone several changes over the past year. However, their digital fingerprints remain identifiable.

These unique digital characteristics allowed the researchers to establish a link between the Big Bang campaign and previous campaigns conducted by the Gaza hacker group.

“During our investigation we spotted three instances of the renewed operation, but unique artifacts in the command and control website revealed a wider infrastructure that may well manage more unknown samples,” the researchers noted. “The concept of using self-extracting archives and decoy documents is not groundbreaking or new, as we have seen similar attacks being carried in the past by the Gaza Cybergang APT group.”

The Big Bang campaign reveals that the hackers behind the cyberespionage campaign are focused on carefully selecting their victims, deploying a multi-stage attack and using a customized data-stealer.

Check Point researchers believe that the hackers may already developing the next stage of attacks.

“Although the clear fingerprints of the perpetrators leave no doubt we are witnessing the comeback of the same APT, it is still not yet confirmed exactly who the threat group behind this campaign actually is,” Check Point researchers concluded. “As no concrete attribution has yet been made, due to the shared interests and malware features of both 2017 and 2018 campaigns, the Gaza Cybergang may be a good starting point for further research.”