WIRTE Group
The WIRTE group has been conducting campaigns that use malicious Excel 4.0 macros to target high-profile public and private entities, Kaspersky researchers recently shared. While the attacks focus on entities in the Middle East, researchers are reporting impacts in other regions as well. The WIRTE group uses living-off-the-land (LotL) techniques to evade detection, and Kaspersky assesses with low confidence that the WIRTE group is associated with the Gaza Cybergang threat actor. An observed attack chain involves a phishing campaign to distribute the malicious document. Once run, a VBS script writes an embedded PowerShell command and creates persistence in the registry. LitePower, a PowerShell implant, acts as the downloader and secondary stage, communicating with the C2 to download or deploy additional malware.