Freely subscribe to our NEWSLETTER

In the midst of Gaza Cybergang activity spanning from late 2022 until late 2023, it is observed that the group introduced a new backdoor to their malware arsenal used in targeting primarily Palestinian entities, tracked as Pierogi++. SentinelLabs assesses that Pierogi++ is based on an older malware strain named Pierogi, first observed in 2019. Consistent targeting of Palestinian entities in this time period using the group’s staple Micropsia family malware and Pierogi++ was also observed.

This targeting is typical for Gaza Cybergang. These activities are likely aligned with the tensions between the Hamas and Fatah factions, whose reconciliation attempts had been stagnating before and after the outbreak of the Israel–Hamas war.

Analysis of recent and historical malware used in Gaza Cybergang operations highlights new relations between activities that have taken place years apart – the Big Bang campaign (2018) and Operation Bearded Barbie (2022). Further, technical indicators they observed, originating from a recently reported activity, reinforce a suspected relation between Gaza Cybergang and the lesser-known threat group WIRTE. This group has historically been considered a distinct cluster and then associated with low confidence with the Gaza Cybergang. This demonstrates the intertwined nature of the Gaza Cybergang cluster making the accurate delineation between its constituent and even other suspected Middle Eastern groups challenging.

Throughout the analysis of Gaza Cybergang activities spanning from 2018 until the present date, the team observed consistent malware evolution over relatively long time periods. This ranges from minor changes in used obfuscation techniques to adopting new development paradigms and resurfacing old malware strains in the form of new ones (as Pierogi++ demonstrates). In addition, the observed overlaps in targeting and malware similarities across the Gaza Cybergang sub-groups after 2018 suggest that the group has likely been undergoing a consolidation process. This possibly includes the formation of an internal malware development and maintenance hub and/or streamlining supply from external vendors.

Key points:

• Overlaps in targeting, malware characteristics, and long-term malware evolutions post 2018 suggest that the Gaza Cybergang sub-groups have likely been consolidating, possibly involving the establishment of internal and/or external malware supply lines.
• Gaza Cybergang has upgraded its malware arsenal with a backdoor that SentinelLabs tracks as Pierogi++, first used in 2022 and seen throughout 2023.
• Recent Gaza Cybergang activities show consistent targeting of Palestinian entities, with no observed significant changes in dynamics since the start of the Israel-Hamas war.
• SentinelLabs’ analysis reinforces the suspected ties between Gaza Cybergang and WIRTE, historically considered a distinct cluster with loose relations to the Gaza Cybergang.

Conclusion

Gaza Cybergang operations over 2022 and 2023 reveal a sustained focus on targeting Palestinian entities. The discovery of the Pierogi++ backdoor shows that the group continues to evolve and supplement its staple malware arsenal, including transforming older implementations into new tooling.

The intertwined nature of its constituent sub-groups sharing TTPs, malware, and victims, indicates that Gaza Cybergang is a unified front against anti-Hamas interests. The persistent nature of the Gaza Cybergang threat underscores the necessity for sustained vigilance and cooperative measures to address the challenges posed by these threat actors.

SentinelLabs continues to monitor Gaza Cybergang activities to further improve the collective knowledge on the group’s dynamics and to supply indicators, which are relevant to security teams defending their organisations and individuals at risk of being targeted.