Hamas-affiliated Threat Actor WIRTE Continues its Middle East Operations and Moves to Disruptive Activity

Nov. 13, 2024, 9:04 a.m.

Description

Check Point Research has been tracking ongoing activity of the WIRTE threat actor, associated with Hamas, despite the ongoing conflict in the region. The group continues to target entities in the Palestinian Authority, Jordan, Iraq, Egypt, and Saudi Arabia for espionage. WIRTE has expanded its operations to include disruptive attacks, with clear links found between their custom malware and the SameCoin wiper targeting Israeli entities. The group's tools have evolved, but key operational aspects remain consistent. WIRTE's activities persist throughout the war, complicating geographical attribution. The group employs various tactics, including custom loaders, phishing, and wipers, targeting both Israeli and other Middle Eastern entities.

External References

https://research.checkpoint.com/2024/hamas-affiliated-threat-actor-expands-to-disruptive-activity/
https://otx.alienvault.com/pulse/6733bb19e6996c2a488cb29e
Tags
apt
espionage
phishing
wiper
cyber-espionage
2024-11-12
middle east
ironwind
hamas
havoc demon
samecoin

Date

  • Created: Nov. 12, 2024, 8:31 p.m.
  • Published: Nov. 12, 2024, 8:31 p.m.
  • Modified: Nov. 13, 2024, 9:04 a.m.

Indicators

  • f2de8a5daed043ef3ab1f52156a4f7ff8f9a382f7f58ace6abb463f5cbab060c
  • fca0b3e57b3f9a14d18c435e564fe6db3620ba446e1b863737a9b36cbcc7251a
  • eddd40d457088d8384784ce80eaf0aefb1485776e0916e60781befbd739d4608
  • e6d2f43622e3ecdce80939eec9fffb47e6eb7fc0b9aa036e9e4e07d7360f2b89
  • d3a53be1f64325c566bb71222b3747da81439dea8fc9a458fb459355cfa9e7f2
  • c51952f2caf55b455e7c7eb8048422bb477e3a616cb68f6fa524e15892b9f328
  • c22f0544e29c803d2cacbca3a57617496e3691389e9b65da84c374c90e699433
  • c068b9e7130f6fb5763beb9564e92a89644755f223b2f65dc762ed5c77c5b8e3
  • b7c5af2d7e1eb7651b1fe3a224121d3461f3473d081990c02ef8ab4ace13f785
  • b447ba4370d9becef9ad084e7cdf8e1395bafde1d15e82e23ca1b9808fef13a7
  • 9fe7b2f4c17dd0c7a00aaa6a779c30e2cb3faa4b14766e02f616d00e6f6e9007
  • 9fc4c7cdcaa3c3c03ba65f138386e875d02f7fcaf10de720dfde20167e393f38
  • 8ce87eefded0713c9258f8f2086dcc51028fb404ceb526f832df4c93108c8146
  • 8818c7c2cbd60521b8eb59ff9a720840535651343b30c1b279515d42d8036a8a
  • 86791aa96bac086330bf927ea5c2725ff73aaedfadc2571f4f393aa4d3a6b690
  • 7e0d0f77fe1dcb1e7a0a0a2fc0c25a68eee551c7045935449ae64dcbd1310958
  • 7c0a8d3dec1675fd8ba0a73fb5b8eee3bef0214aa78a7aab73b8ba9814651f9f
  • 795b997c248b2f344f813cd0c15d3d435e6218c91d0f0f54a464d739feead4c5
  • 76a543a49e46ad9163b2a06f6cea7a5e8eb5183cd3213e64446a8c66310fac3a
  • 75c2fb3ae08502a57c8c96ea788ef946a8bb35fb4a16e76deefae4c94fd03fd7
  • 5fa809c0e5dff03bd202b86cd334e80c7ed5dbad9aed7b12a3799ea0800e5f31
  • 5b7e8e685f6ee6b4810ed94b4420e08a10a977516b47fea356173cfaec2c41a0
  • 41112f36fc17f57f0e476c9ffa9e1ecbff796dc31a7ff0372d0d8708a5e9c50b
  • 3fc92e8a440ca16172f7d93bd9de3c6f9391e26d3a1cb964e966ee1ee31770df
  • 3d2409c7834287178f61116c9b653e3520172a10ebef58f58f99d27a34b839bd
  • 3b4ee3d5c1a7202b053159becac4d0b622641e2e4a7b27f339c03a90f287d381
  • 2d55c68aa7781db7f2324427508947f057a6baca78073fee9a5ad254147c8232
  • 2abff990d33d99a0732ddbb3a39831c2c292f36955381d45cd8d40a816d9b47a
  • 2700142c0b78fdbf3df30125a72443e2317d5079a01ff26022a66d0b7bd4c5b1
  • 0a4397f7d5da024b10c778910d6db84a6ba0fc3375fe6fe9b470f7e269ddc716
  • 02902a5e07a80aa56c24c6a8d4cca9fcfb32f32bb074f9c449cad5b3b18a070c
  • e2ba2d3d2c1f0b5143d1cd291f6a09abe1c53e570800d8ae43622426c1c4343c
  • ac227dd5c97a36f54e4fa02df4e4c0339b513e4f8049616e2a815a108e34552f
  • 9b2a16cbe5af12b486d31b68ef397d6bc48b2736e6b388ad8895b588f1831f47
  • 5d773e734290b93649a41ccda63772560b4fa25ba715b17df7b9f18883679160
  • 6ab5a0b7080e783bba9b3ec53889e82ca4f2d304e67bd139aa267c22c281a368
  • 26cb6055be1ee503f87d040c84c0a7cacb245b4182445e3eee47ed6e073eca47
  • 80.77.25.49
  • 80.77.25.216
  • 5.42.221.151
  • 45.59.118.145
  • 45.134.9.202
  • 195.123.210.42
  • 213.252.244.234
  • 193.168.141.29
  • 193.168.141.61
  • 188.92.78.148
  • 185.247.224.28
  • 140.99.164.86
  • 185.165.169.117
  • 140.99.164.56
  • 185.165.169.76
  • https://theshortner.com/fxT1j
  • https://suppertools.com/s/?uid=181b9056-7420-4cde-8523-5c609aface73
  • https://healthscratches.com/s/?uid=06d32218-178c-49d77-b3cf-59df77c93469.
  • trendingcharts.finance-analyst.com
  • api.finances-news.com
  • support-api.financecovers.com
  • wellhealthtech.com
  • suppertools.com
  • theshortner.com
  • saudiday.org
  • saudi.org
  • saudiarabianow.org
  • requestinspector.com
  • printspoolerupdates.com
  • microsoftwindowshelp.com
  • microsoftteams365.com
  • master-dental.com
  • microsoftliveforums.com
  • king-pharmacy.com
  • jordanrefugees.com
  • jordansons.com
  • inclusiveeconomy.us
  • inclusive-economy.com
  • healthscratches.com
  • finances-news.com
  • healthcarb.com
  • healthoptionstoday.com
  • financeinfoguide.com
  • finance-analyst.com
  • ellemedic.com
  • egypttourism-online.com
  • egyptskytours.com
  • egyptican.com
  • economystocking.com
  • economymentor.com
  • easybackupcloud.com
  • dentalaccord.com
  • bankjordan.com
Download all indicators here!

Attack Patterns

  • Havoc Demon
  • SameCoin
  • IronWind
  • WIRTE
  • T1490
  • T1213
  • T1486
  • T1574
  • T1547
  • T1071
  • T1543
  • T1055
  • T1036
  • T1499
  • T1204
  • T1140
  • T1132
  • T1027
  • T1566
  • T1190
  • T1078
  • T1059

Additional Informations

  • Healthcare
  • Government
  • Iraq
  • Egypt
  • Saudi Arabia
  • Jordan
  • Israel