WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019

APT reports

29 Nov 2021

minute read

Overview
Gaining an initial foothold
Exploitation, installation and persistence

Ferocious dropper
LitePower stager

Command and control
Victimology
Threat actor assessment
Conclusion and outlook
Indicators of compromise

Malicious documents and droppers
Class IDs in registry
File path
PDB paths
Domains and IPs

Authors

Maher Yamout

Overview

This February, during our hunting efforts for threat actors using VBS/VBA implants, we came across MS Excel droppers that use hidden spreadsheets and VBA macros to drop their first stage implant. The implant itself is a VBS script with functionality to collect system information and execute arbitrary code sent by the attackers on the infected machine.

Although these intrusion sets may appear similar to the new MuddyWater first stage VBS implant used for reconnaissance and profiling activities, which we described recently in a private report, they have slightly different TTPs and wider targeting. To date, most of the known victims are located in the Middle East, but there are also targets in other regions. Various industries are affected by this campaign. The main focus is on government and diplomatic entities, though we also noticed an unusual targeting of law firms and financial institutions.

We attribute this campaign with high confidence to an actor named WIRTE, which is a lesser-known threat actor first publicly referenced by our colleagues at Lab52 in 2019. We further suspect, with low confidence, that the WIRTE group has relations with the Gaza Cybergang threat actor.

More information about WIRTE is available to customers of Kaspersky Intelligence Reporting. Contact: [email protected]”

Gaining an initial foothold

In the instances we have observed, the threat actor sent spear-phishing emails, luring the victims to open a malicious Microsoft Excel/Word document. The Excel droppers observed in all instances were using Excel 4.0 macros – a technique that uses formulas in hidden spreadsheets or cells that execute macro 4.0 commands – to drop malware that in our particular case was named Ferocious dropper. The Word droppers were using standard VBA macros to download the payload. The actor tailored the decoy contents to the targeted victims, using logos and themes relevant to the targeted company or using trending topics from their region and, in one instance, even mimicking the Palestinian authority.

However, in some cases we saw a fake ‘Kaspersky Update Agent’ executable acting as a dropper for the VBS implant. We were unable to confirm if this PE file was also distributed through email or downloaded by the threat actor after some initial penetration, but our analysis shows it has the same execution flow as the Excel 4.0 macros.