Over the past few weeks, we discovered the comeback of an APT attack against the Middle East, and specifically against the Palestinian Authority.
The APT group behind this attack launched a campaign over a year ago, and very little of this operation was seen in the wild since. The renewed Big Bang campaign incorporates improved capabilities, wider functionalities, and a more offensive infrastructure. It also seems to have very specific targets in mind.
Shared interests and malware features with campaigns belonging to the Gaza Cybergang that emerged in both 2017 and 2018 show that the infamous threat group is most likely behind this attack.
Although the APT has gone through significant upgrades over the last year, the conductors maintained evident and peculiar fingerprints. Both the delivery methods and the malicious artifacts had unique traces which helped us link the current wave to past attacks.
Among the techniques attributed to the APT group, one could find fake news websites containing up-to-date articles, well-formulated e-mails with malicious attachments or embedded links, and mobile applications posing as legitimate services. All of these methods are meant to filter-in targeted victims that meet predefined characteristics and lead to a custom-made reconnaissance malware.
During our investigation, we were able to spot only three instances of the renewed operation, but distinctive characteristics in the command and control websites revealed a wider infrastructure that may serve unknown samples. While our analysis covered the capabilities of the malware, we are certain that this is a part of an ongoing multi-staged attack, the full infection chain of which has not been completed yet.
The campaign earned its name due to the authors’ affection for the successful TV series “The Big Bang Theory” as reflected in their function naming standard. The malware code is decorated with the character names of the popular series, but also actors of the Turkish series “Resurrection: Ertugrul”.
In our presentation we will cover the operation of this group, focusing on the recent improvements and tactics, as well as the techniques and procedures (TTPs) that identified this group both in previous attacks and in the current one.