Moonlight APT Uses H-Worm Backdoor to Spy on Middle Eastern Targets

October 26, 2016

An APT group operating out of the Middle East, and most likely out of Palestine, has been engaged in a cyber-espionage campaign that has taken aim at various Middle Eastern and African countries in the Mediterranean Basin.

Several cyber-security firms have tracked the group over the years. Vectra Networks calls it Moonlight, but other names include Gaza Hacker Team, Gaza Cybergang, DownExecute, XtremeRAT, Molerats, and DustSky.

Security firm ClearSky, which tracked several of the group’s campaigns, said in June 2016 that the group might have ties to Hamas, a Palestinian organization founded in 1987 that has blurred the lines between a resistance movement and a terrorist group.

For this particular campaign, identified by Vectra Networks, the group has used spear-phishing emails and social media lures to trick targets into installing the H-Worm malware, a backdoor trojan, which in some cases they used to further compromise targets with a Remote Access Trojan called njRat.

Besides Vectra researchers, the team at Palo Alto Networks also detected a spike in H-Worm infections, which it broke down on its blog, but has not yet attributed these incidents to a cyber-espionage group.