Industry: Financial, Government, Law, Military and Technology | Level: Operational | Source: SecureList
The WIRTE group has been conducting campaigns that use malicious Excel 4.0 macros against high-profile public and private entities, according to research recently published by Kaspersky. While the attacks concentrate on entities in the Middle East, researchers also report victims in other regions. WIRTE relies on living-off-the-land (LotL) techniques to evade detection, and Kaspersky attributes the group, with low confidence, to the Gaza Cybergang threat actor. In an observed attack chain, a phishing campaign delivers the malicious document. Once the macro runs, a VBS script writes an embedded PowerShell script to disk and establishes persistence through the registry. LitePower, a PowerShell implant, then acts as the downloader and second stage, communicating with the C2 to retrieve or deploy additional malware.
- Anvilogic Scenario: WIRTE's LotL campaign
- Anvilogic Use Cases:
- Wscript/Cscript Execution
- Add DLL/EXE Registry Value
- Registry key added with reg.exe
- Create/Modify Schtasks
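The following is an added illustration of how the use cases above can be correlated into the LotL scenario; it is example code written for this page, not Kaspersky's or Anvilogic's detection logic. It runs four simple rules (script host launched from an Office process, `reg.exe` adding a Run-key value, `schtasks /create`, encoded PowerShell) over simplified process-creation records and raises one alert per host when a script-host launch is followed within a short window by a persistence or second-stage indicator. The event field names, the regular expressions and the sample events are assumptions constructed for this example; the sample command lines are not indicators from the campaign.

```python
"""Correlate a WIRTE-style LotL chain across process-creation events.

Constructed example for illustration. Records are simplified dicts modelled
on Sysmon Event ID 1; field names and sample values are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# "reg add ..." or "C:\Windows\System32\reg.exe ADD ..."
REG_ADD_RE = re.compile(r'^\s*"?(?:[^"\s]*\\)?reg(?:\.exe)?"?\s+add\b', re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\currentversion\\run(?:once)?\b", re.IGNORECASE)
EXE_OR_DLL_RE = re.compile(r"\.(?:exe|dll)\b|powershell", re.IGNORECASE)
SCHTASKS_RE = re.compile(r"\s/(?:create|change)\b", re.IGNORECASE)
# -e / -enc / -encodedcommand followed by a base64-looking blob
ENC_PS_RE = re.compile(
    r"(?:^|\s)-e(?:n|nc|ncoded|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.IGNORECASE)

# Indicators that, after a script-host launch, complete the scenario.
FOLLOW_ON = {"registry_key_added_with_reg", "add_dll_exe_registry_value",
             "create_modify_schtasks", "encoded_powershell"}

# Constructed sample events (assumed values, not campaign indicators).
SAMPLE_EVENTS = [
    {"ts": "2021-11-29T09:00:01", "host": "WS01", "parent": "EXCEL.EXE",
     "image": "wscript.exe",
     "cmd": r"wscript.exe //B C:\Users\user\AppData\Local\Temp\update.vbs"},
    {"ts": "2021-11-29T09:00:03", "host": "WS01", "parent": "wscript.exe",
     "image": "reg.exe",
     "cmd": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run'
            r' /v Updater /t REG_SZ /d "wscript.exe //B C:\Users\Public\update.vbs" /f'},
    {"ts": "2021-11-29T09:00:04", "host": "WS01", "parent": "wscript.exe",
     "image": "schtasks.exe",
     "cmd": r'schtasks /create /sc minute /mo 15 /tn Updater /tr "wscript.exe //B C:\Users\Public\update.vbs"'},
    {"ts": "2021-11-29T09:00:06", "host": "WS01", "parent": "wscript.exe",
     "image": "powershell.exe",
     "cmd": "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    # Benign: an admin changing a policy key with reg.exe, no script host involved.
    {"ts": "2021-11-29T09:05:00", "host": "WS02", "parent": "cmd.exe",
     "image": "reg.exe",
     "cmd": r"reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /v AUOptions /t REG_DWORD /d 4 /f"},
    # Benign: cscript run from a shell, not from an Office application.
    {"ts": "2021-11-29T09:06:00", "host": "WS03", "parent": "cmd.exe",
     "image": "cscript.exe", "cmd": r"cscript.exe //nologo C:\Scripts\inventory.vbs"},
]


def classify(ev):
    """Return the set of use-case names a single process-creation event matches."""
    image, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmd"]
    hits = set()
    if image in SCRIPT_HOSTS and parent in OFFICE_PARENTS:
        hits.add("wscript_cscript_execution")
    if image == "reg.exe" and REG_ADD_RE.search(cmd):
        hits.add("registry_key_added_with_reg")
        # Run-key value whose data names an executable/DLL or PowerShell.
        if RUN_KEY_RE.search(cmd) and EXE_OR_DLL_RE.search(cmd):
            hits.add("add_dll_exe_registry_value")
    if image == "schtasks.exe" and SCHTASKS_RE.search(cmd):
        hits.add("create_modify_schtasks")
    if image in {"powershell.exe", "pwsh.exe"} and ENC_PS_RE.search(cmd):
        hits.add("encoded_powershell")
    return hits


def correlate(events, window=timedelta(minutes=10)):
    """Alert per host when a script-host launch is followed within `window`
    by at least one FOLLOW_ON indicator; a lone reg.exe or schtasks is not enough."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        hits = classify(ev)
        if hits:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), hits))
    alerts = []
    for host, seq in by_host.items():
        for i, (t0, h0) in enumerate(seq):
            if "wscript_cscript_execution" not in h0:
                continue
            chain, last = set(h0), t0
            for t, h in seq[i + 1:]:
                if t - t0 > window:
                    break
                chain |= h
                last = t
            if chain & FOLLOW_ON:
                alerts.append({"host": host, "first": t0.isoformat(),
                               "last": last.isoformat(), "rules": sorted(chain)})
                break  # one alert per host per chain start
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The window and the requirement that the chain start with an Office-spawned script host are the tuning knobs: widening the window catches slower staging at the cost of more benign admin activity being pulled into an alert, and dropping the parent-process condition turns the scenario back into the individual use cases listed above.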