2021-11-24

WIRTE Group

Level: 
Tactical
  |  Source: 
SecureList
Financial
Government
Share:

WIRTE Group

Industry: Financial, Government, Law, Military and Technology | Level: Operational | Source: SecureList

The WIRTE group has been conducting campaigns utilizing malicious Excel 4.0 macros, targeting high-profile public and private entities, Kaspersky research recently shared. While there is a specification of attacks with entities in the Middle East, researchers are reporting impacts from other regions as well. The WIRTE group utilizes living-off-the-land (LotL) techniques to evade detection and Kaspersky places low confidence attribution that the WIRTE group is associated with the Gaza Cybergang threat actor. An observed attack chain involves a phishing campaign to distribute the malicious document. Once ran a VBS script writes an embedded PowerShell command and creates persistence in the registry. LitePower, a PowerShell implant, acts as the downloader and secondary stage by communicating with the C2 to download or deploy additional malware.

  • Anvilogic Scenario: WIRTE's LotL campaign
  • Anvilogic Use Cases:
  • Wscript/Cscript Execution
  • Add DLL/EXE Registry Value
  • Registry key added with reg.exe
  • Create/Modify Schtasks

Chat with our team to receive a free maturity assessment

Get in Touch