- From July through October 2023, Proofpoint researchers observed TA402 engage in phishing campaigns that delivered a new initial access downloader dubbed IronWind. The downloader was followed by additional stages that consisted of downloaded shellcode.
- During the same period, TA402 adjusted its delivery methods, moving from using Dropbox links to using XLL and RAR file attachments, likely to evade detection efforts.
- This threat actor has consistently engaged in extremely targeted activity, pursuing fewer than five organizations with any single campaign. They have also maintained a strong focus on government entities based in the Middle East and North Africa.
- Proofpoint has tracked TA402 since 2020. Our researchers assess the threat actor is a Middle Eastern advanced persistent threat (APT) group that historically has operated in the interests of the Palestinian Territories and overlaps with public reporting on Molerats, Gaza Cybergang, Frankenstein, and WIRTE.
In mid-2023, Proofpoint researchers first identified TA402 (Molerats, Gaza Cybergang, Frankenstein, WIRTE) activity using a labyrinthine infection chain to target Middle Eastern governments with a new initial access downloader Proofpoint has dubbed IronWind. From July through October 2023, TA402 utilized three variations of this infection chain—Dropbox links, XLL file attachments, and RAR file attachments—with each variant consistently leading to the download of a DLL containing the multifunctional malware. In these campaigns, TA402 also pivoted away from its use of cloud services like Dropbox API, which Proofpoint researchers observed in activity from 2021 and 2022, to using actor-controlled infrastructure for C2 communication.
As of late October 2023, Proofpoint researchers had not observed any changes in targeting by TA402, an APT group that historically has operated in the interests of the Palestinian Territories, nor identified any indications of an altered mandate despite the current conflict in the region. It remains possible that this threat actor will redirect its resources as events continue to unfold.
Campaign details and IronWind
July 2023 Activity: In July 2023, Proofpoint researchers observed the first of TA402’s new infection chains, which is considerably more convoluted than the chain used in prior campaign activity from 2021 and 2022 (Figures 1 and 2).
Figure 1. TA402 infection chain used from November 2021 to January 2022.
Figure 2. TA402 infection chain used in July 2023 campaign.
TA402 engaged in a phishing campaign using a compromised Ministry of Foreign Affairs email account to target Middle Eastern government entities. The emails used an economic-themed social engineering lure ("برنامج التعاون الإقتصادي مع دول مجلس التعاون الخليجي 2023-2024" [Machine Translation: "Economic cooperation program with the countries of the Gulf Cooperation Council 2023-2024"]) to deliver a Dropbox link that downloaded a malicious Microsoft PowerPoint Add-in (PPAM) file. The PPAM file contained a macro that dropped three files: version.dll (IronWind), timeout.exe, and gatherNetworkInfo.vbs. Timeout.exe was used to sideload IronWind. Once sideloaded, IronWind sent an HTTP GET request to a known TA402 C2 domain, theconomics[.]net, which was hosted on 191.101.78[.]189 at the time of analysis in August 2023. Proofpoint researchers have observed TA402 leveraging Dropbox for malware delivery since at least December 2021.
After receiving the HTTP GET request, the C2 responded with shellcode that represented the third stage of the infection chain. During Proofpoint’s analysis, the shellcode used reflective .NET loaders to conduct WMI queries. The shellcode also served as a multipurpose loader, downloading the fourth stage—a .NET executable that used SharpSploit, a .NET post-exploitation library written in C#.
The .NET executable continued to use HTTPS POSTs and GETs to theconomics[.]net for C2 and received JSON responses. It passed authentication via a custom UserAgent string, "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:<tag>) Gecko/<auth> Firefox/3.15" and almost certainly would have downloaded additional shellcode payloads. Based on Proofpoint analysis, this UserAgent is unique enough to be used for detection purposes. Proofpoint researchers did not observe the fifth stage at the time of analysis but took note that the last stage payload contained unused code, suggesting TA402 may be making further updates and adjustments to the malware.
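The report notes that the stage-4 User-Agent is distinctive enough to detect on. As an added example (not Proofpoint's code), the following scans constructed proxy log lines for that User-Agent pattern and for the two C2 domains named in this post; the log line format, the `rv:`/`Gecko/` values and the sample lines are all constructed here.

```python
import re
from typing import List, Optional

# "rv:<tag>" and "Gecko/<auth>" vary per session, so they are matched as wildcards;
# "Firefox/3.15" is a fixed token that no real Firefox build produces.
IRONWIND_UA = re.compile(
    r"^Mozilla/5\.0 \(Windows NT 10\.0; Win64; x64; rv:[^)]+\) Gecko/\S+ Firefox/3\.15$"
)

# C2 domains from the report, with the defanging brackets removed for matching.
TA402_C2_DOMAINS = {"theconomics.net", "inclusive-economy.com"}

# Constructed log format: <ts> <client> <method> <host> <status> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (GET|POST) (\S+) (\d{3}) "([^"]*)"$')


def classify(line: str) -> Optional[dict]:
    """Return a finding for a suspicious line, or None for benign traffic."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, client, method, host, _status, ua = m.groups()
    reasons = []
    if IRONWIND_UA.match(ua):
        reasons.append("ironwind_user_agent")
    if host.lower() in TA402_C2_DOMAINS:
        reasons.append("ta402_c2_domain")
    if not reasons:
        return None
    return {"ts": ts, "client": client, "method": method, "host": host, "reasons": reasons}


def scan(lines: List[str]) -> List[dict]:
    """Run classify() over every line and keep only the findings."""
    return [f for f in (classify(l) for l in lines) if f]


# Constructed samples: a normal Firefox session, a beacon to a known C2 domain
# with the anomalous User-Agent, and the anomalous User-Agent to an unknown host.
SAMPLE_LOG = [
    '2023-08-02T09:14:03Z 10.1.2.3 GET www.example.org 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0"',
    '2023-08-02T09:14:09Z 10.1.2.3 POST theconomics.net 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:a1b2) Gecko/Zm9v Firefox/3.15"',
    '2023-08-02T09:15:41Z 10.1.2.7 GET cdn.example.net 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77) Gecko/x Firefox/3.15"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```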
August 2023 activity: In August 2023, TA402 shifted to sending an attached XLL file to load IronWind using “قائمة الأشخاص والكيانات (المصنفة إرهابية) من قبل هيئة مكافحة غسيل الأموال وتمويل الإرهاب” as a lure instead of using a malicious PPAM file delivered via Dropbox. The machine translation of the lure is as follows: “List of persons and entities (designated as terrorists) by the Anti-Money Laundering and Terrorist Financing Authority.” TA402 used the same compromised Ministry of Foreign Affairs email account observed in the July activity. As part of the initial infection process, TA402 sent a base64-encoded check-in to Request Inspector—a third-party service for creating endpoints for HTTP requests—to exfiltrate some system information.
October 2023 activity: In October 2023, TA402 shifted a portion of its infection chain yet again. This time the threat actor sent a RAR file attachment that contained a renamed version of tabcal.exe for sideloading IronWind and propsys.dll (IronWind), instead of using a malicious PPAM file delivered via Dropbox or an attached XLL file to load the malware. The delivered malware again used Request Inspector for the initial check-in and a new TA402 C2 domain, inclusive-economy[.]com.
TA402 also continued to leverage a compromised Ministry of Foreign Affairs email account to send phishing emails with the lure “تقريــر وتوصيــات الـدورة (110) بخصوص الحرب على غزة,” which translates to “Report and Recommendations of the 110th Session on the War on Gaza.” Currently, TA402 only appears to be using the conflict for lure purposes. Additionally, TA402 continues to phish, indicating the conflict has not significantly disrupted the group’s operations.
IronWind: PDB analysis
During malware analysis, Proofpoint researchers identified TA402 had failed to sanitize the group’s PDB paths during malware development for multiple stages. A YARA rule for hunting purposes is attached at the end of this blog.
Based on the following PDB paths, Proofpoint researchers assess with moderate confidence that the IronWind malware project name is \tornado\ and malware development is broken out by function, including IA (the IronWind dropper), stager (the stager DLL), and payloads.
- VT Stage 1: C:\Users\Win\Desktop\Reno\NewTor\27-07-2023\tornado\tornado\Payloads\BAR_33\I.A\out\IA.pdb
- July 2023 Stage 2: C:\Users\User\Desktop\tornado\Payloads\WKS_10\I.A\out\stagerx64.pdb
- August 2023 Stage 1: C:\Users\Win\Desktop\Reno\NewTor\27-07-2023\tornado\tornado\Payloads\BAR_38\I.A\out\IA.pdb
- August 2023 Stage 2: C:\Users\Win\Desktop\Reno\NewTor\NewIA-Tornado-WithStealer\Payloads\KIL_03\I.A\out\stagerx64.pdb
- Stage 4: K:\prj\WIP\C# - Payload\Client-Side\https\client-Divided\KALV\obj\Release\KALV.pdb
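Unsanitized PDB paths like the ones above can be pulled from a sample's CodeView debug record and matched during triage. The following is an added example (not Proofpoint's code) that locates "RSDS" records by raw byte search, extracts the PDB path, and checks it against the path fragments this post lists, also recovering the `Payloads\<TAG>` build identifier; the sample PE bytes and the zero GUID are constructed for the demonstration.

```python
import re
import struct
from typing import List, Optional

# Path prefixes taken from the PDB paths listed in this post.
TA402_PDB_FRAGMENTS = [
    "C:\\Users\\Win\\Desktop\\Reno\\NewTor",
    "C:\\Users\\User\\Desktop\\tornado\\",
    "K:\\prj\\WIP\\C# - Payload\\Client-Side",
]
# Build tag such as BAR_33 or WKS_10 from "...\Payloads\<TAG>\I.A\out\...".
BUILD_TAG_RE = re.compile(r"\\Payloads\\([A-Z]{3}_\d{2})\\", re.IGNORECASE)


def extract_pdb_paths(data: bytes) -> List[str]:
    """Return every PDB path found in CodeView RSDS records within `data`.
    RSDS layout: 4-byte signature, 16-byte GUID, 4-byte age, NUL-terminated path."""
    paths = []
    pos = data.find(b"RSDS")
    while pos != -1:
        start = pos + 4 + 16 + 4           # skip signature, GUID and age
        end = data.find(b"\x00", start)
        if end != -1:
            try:
                paths.append(data[start:end].decode("ascii"))
            except UnicodeDecodeError:
                pass                       # not a real path; keep scanning
        pos = data.find(b"RSDS", pos + 4)
    return paths


def triage(path: str) -> Optional[dict]:
    """Report the matching TA402 fragment (if any) and the build tag in the path."""
    for frag in TA402_PDB_FRAGMENTS:
        if path.startswith(frag):
            tag = BUILD_TAG_RE.search(path)
            return {"fragment": frag, "build_tag": tag.group(1) if tag else None}
    return None


def make_rsds(path: str, age: int = 1) -> bytes:
    """Build a constructed RSDS record (all-zero GUID) for the sample below."""
    return b"RSDS" + b"\x00" * 16 + struct.pack("<I", age) + path.encode() + b"\x00"


# Constructed sample image: padding, a TA402-style record, then a benign record.
SAMPLE_PE = (
    b"MZ" + b"\x90" * 64
    + make_rsds("C:\\Users\\Win\\Desktop\\Reno\\NewTor\\27-07-2023\\tornado\\tornado\\Payloads\\BAR_33\\I.A\\out\\IA.pdb")
    + b"\x00" * 16
    + make_rsds("C:\\build\\app\\Release\\app.pdb")
)

if __name__ == "__main__":
    for p in extract_pdb_paths(SAMPLE_PE):
        print(p, "->", triage(p))
```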
TA402 regularly employs geofencing techniques to make detection of its malicious activity more difficult. This aspect of the threat actor’s tactics, techniques, and procedures has remained consistent since at least 2020. Even with the more elaborate infection chains observed in 2023, TA402 continues to include URLs that will at times redirect to decoy documents hosted on legitimate document hosting platforms if the geofencing is not bypassed.
Proofpoint researchers attributed the campaigns to TA402 based on tactics, techniques, and victimology. The 2023 campaigns share similarly themed lures as historical TA402 activity and retain a focus on Arabic-speaking targets located in the Middle East. Over the years, TA402 has consistently targeted government entities based in the Middle East and North Africa, at times going after the same targets repeatedly. TA402’s use of compromised Ministry of Foreign Affairs email accounts, geofencing, and decoy documents additionally contributed to the attribution.
Proofpoint researchers also assess TA402 operates in support of Palestinian espionage objectives with a focus on intelligence collection. This is consistent with prior Proofpoint published reports on this threat actor. While Proofpoint recognizes that TA402 overlaps with a number of publicly reported threat actors, including Molerats, WIRTE, and Frankenstein, Proofpoint researchers cluster independently based on internal malware analysis and investigations.
Based on Proofpoint’s tracking of this threat actor since 2020, TA402 remains a persistent and innovative threat actor that routinely retools its attack methods and malware in support of its cyber espionage mandate. Its ongoing use of geofencing and decoy documents continues to serve its detection evasion efforts. While TA402 is an intelligence-collection-focused threat actor with a specific interest in Middle Eastern and North African government entities, the group could find itself under direction to adjust its targeting or social engineering lures in reaction to the ongoing Israel-Hamas conflict.
Indicators of Compromise (IOCs)
- 2049153 - ET MALWARE Win32/TA402 CnC User-Agent
- 2049154 - ET MALWARE Win32/TA402 CnC Response M1
- 2049155 - ET MALWARE Win32/TA402 CnC Response M2
- 2049158 - ET MALWARE Win32/TA402 Checkin
- 2049159 - ET MALWARE Win32/TA402 Checkin M2
- 2049160 - ET MALWARE TA402 CnC Domain in DNS Lookup
- 2049161 - ET MALWARE Observed TA402 Domain in TLS SNI
- 2049162 - ET MALWARE TA402 CnC Domain in DNS Lookup
- 2049163 - ET MALWARE Observed TA402 Domain in TLS SNI
- 2049164 - ET MALWARE Win32/TA402 CnC Activity (POST)
- 2049165 - ET MALWARE Win32/TA402 CnC Activity (GET)
rule TA402_PDB_Paths    // rule name is assumed here; the post gives only the rule body
{
    meta:
        author = "Proofpoint inc."
        description = "Finds TA402 related PDB paths"
        date = "2023-09-27"

    strings:
        $pdb1 = "C:\\Users\\Win\\Desktop\\Reno\\NewTor" ascii wide
        $pdb2 = "C:\\Users\\User\\Desktop\\tornado\\" ascii wide
        $pdb3 = "K:\\prj\\WIP\\C# - Payload\\Client-Side\\https\\client-Divided\\KALV\\obj\\Release\\KALV.pdb" ascii wide
        $pdb4 = "K:\\prj\\WIP\\C# - Payload\\Client-Side" ascii wide

    condition:
        any of them
}