{ "name": "Hamas-affiliated Threat Actor WIRTE Continues its Middle East Operations and Moves to Disruptive Activity", "slug": "hamas-affiliated-threat-actor-wirte-continues-its-middle-east-operations-and-moves-to-disruptive-activity", "description": "Check Point Research has been tracking ongoing activity of the WIRTE threat actor, associated with Hamas, despite the ongoing conflict in the region. The group continues to target entities in the Palestinian Authority, Jordan, Iraq, Egypt, and Saudi Arabia for espionage. WIRTE has expanded its operations to include disruptive attacks, with clear links found between their custom malware and the SameCoin wiper targeting Israeli entities. The group's tools have evolved, but key operational aspects remain consistent. WIRTE's activities persist throughout the war, complicating geographical attribution. The group employs various tactics, including custom loaders, phishing, and wipers, targeting both Israeli and other Middle Eastern entities.", "published": "2024-11-12T19:31:21+00:00", "created_at": "2024-11-12T19:31:21+00:00", "modified_at": "2024-11-13T08:04:10+00:00", "created_at_opencti": "2024-11-12T19:31:21+00:00", "author": "", "confidence": null, "report_types": [], "labels": [], "tags": [ "2024-11-12", "apt", "cyber espionage", "espionage", "hamas", "havoc demon", "ironwind", "middle east", "phishing", "samecoin", "wiper" ], "related_entities": { "observables": [ { "id": "", "name": "80.77.25.49" }, { "id": "", "name": "80.77.25.216" }, { "id": "", "name": "5.42.221.151" }, { "id": "", "name": "45.59.118.145" }, { "id": "", "name": "45.134.9.202" }, { "id": "", "name": "195.123.210.42" }, { "id": "", "name": "213.252.244.234" }, { "id": "", "name": "193.168.141.29" }, { "id": "", "name": "193.168.141.61" }, { "id": "", "name": "188.92.78.148" }, { "id": "", "name": "185.247.224.28" }, { "id": "", "name": "140.99.164.86" }, { "id": "", "name": "185.165.169.117" }, { "id": "", "name": "140.99.164.56" }, { "id": "", "name": "185.165.169.76" }, { "id": "", "name": "https://theshortner.com/fxT1j" }, { "id": "", "name": "https://suppertools.com/s/?uid=181b9056-7420-4cde-8523-5c609aface73" }, { "id": "", "name": "https://healthscratches.com/s/?uid=06d32218-178c-49d77-b3cf-59df77c93469." }, { "id": "", "name": "trendingcharts.finance-analyst.com" }, { "id": "", "name": "api.finances-news.com" }, { "id": "", "name": "support-api.financecovers.com" }, { "id": "", "name": "wellhealthtech.com" }, { "id": "", "name": "suppertools.com" }, { "id": "", "name": "theshortner.com" }, { "id": "", "name": "saudiday.org" }, { "id": "", "name": "saudi.org" }, { "id": "", "name": "saudiarabianow.org" }, { "id": "", "name": "requestinspector.com" }, { "id": "", "name": "printspoolerupdates.com" }, { "id": "", "name": "microsoftwindowshelp.com" }, { "id": "", "name": "microsoftteams365.com" }, { "id": "", "name": "master-dental.com" }, { "id": "", "name": "microsoftliveforums.com" }, { "id": "", "name": "king-pharmacy.com" }, { "id": "", "name": "jordanrefugees.com" }, { "id": "", "name": "jordansons.com" }, { "id": "", "name": "inclusiveeconomy.us" }, { "id": "", "name": "inclusive-economy.com" }, { "id": "", "name": "healthscratches.com" }, { "id": "", "name": "finances-news.com" }, { "id": "", "name": "healthcarb.com" }, { "id": "", "name": "healthoptionstoday.com" }, { "id": "", "name": "financeinfoguide.com" }, { "id": "", "name": "finance-analyst.com" }, { "id": "", "name": "ellemedic.com" }, { "id": "", "name": "egypttourism-online.com" }, { "id": "", "name": "egyptskytours.com" }, { "id": "", "name": "egyptican.com" }, { "id": "", "name": "economystocking.com" }, { "id": "", "name": "economymentor.com" }, { "id": "", "name": "easybackupcloud.com" }, { "id": "", "name": "dentalaccord.com" }, { "id": "", "name": "bankjordan.com" }, { "id": "", "name": "f2de8a5daed043ef3ab1f52156a4f7ff8f9a382f7f58ace6abb463f5cbab060c" }, { "id": "", "name": "fca0b3e57b3f9a14d18c435e564fe6db3620ba446e1b863737a9b36cbcc7251a" }, { "id": "", "name": "eddd40d457088d8384784ce80eaf0aefb1485776e0916e60781befbd739d4608" }, { "id": "", "name": "e6d2f43622e3ecdce80939eec9fffb47e6eb7fc0b9aa036e9e4e07d7360f2b89" }, { "id": "", "name": "d3a53be1f64325c566bb71222b3747da81439dea8fc9a458fb459355cfa9e7f2" }, { "id": "", "name": "c51952f2caf55b455e7c7eb8048422bb477e3a616cb68f6fa524e15892b9f328" }, { "id": "", "name": "c22f0544e29c803d2cacbca3a57617496e3691389e9b65da84c374c90e699433" }, { "id": "", "name": "c068b9e7130f6fb5763beb9564e92a89644755f223b2f65dc762ed5c77c5b8e3" }, { "id": "", "name": "b7c5af2d7e1eb7651b1fe3a224121d3461f3473d081990c02ef8ab4ace13f785" }, { "id": "", "name": "b447ba4370d9becef9ad084e7cdf8e1395bafde1d15e82e23ca1b9808fef13a7" }, { "id": "", "name": "9fe7b2f4c17dd0c7a00aaa6a779c30e2cb3faa4b14766e02f616d00e6f6e9007" }, { "id": "", "name": "9fc4c7cdcaa3c3c03ba65f138386e875d02f7fcaf10de720dfde20167e393f38" }, { "id": "", "name": "8ce87eefded0713c9258f8f2086dcc51028fb404ceb526f832df4c93108c8146" }, { "id": "", "name": "8818c7c2cbd60521b8eb59ff9a720840535651343b30c1b279515d42d8036a8a" }, { "id": "", "name": "86791aa96bac086330bf927ea5c2725ff73aaedfadc2571f4f393aa4d3a6b690" }, { "id": "", "name": "7e0d0f77fe1dcb1e7a0a0a2fc0c25a68eee551c7045935449ae64dcbd1310958" }, { "id": "", "name": "7c0a8d3dec1675fd8ba0a73fb5b8eee3bef0214aa78a7aab73b8ba9814651f9f" }, { "id": "", "name": "795b997c248b2f344f813cd0c15d3d435e6218c91d0f0f54a464d739feead4c5" }, { "id": "", "name": "76a543a49e46ad9163b2a06f6cea7a5e8eb5183cd3213e64446a8c66310fac3a" }, { "id": "", "name": "75c2fb3ae08502a57c8c96ea788ef946a8bb35fb4a16e76deefae4c94fd03fd7" }, { "id": "", "name": "5fa809c0e5dff03bd202b86cd334e80c7ed5dbad9aed7b12a3799ea0800e5f31" }, { "id": "", "name": "5b7e8e685f6ee6b4810ed94b4420e08a10a977516b47fea356173cfaec2c41a0" }, { "id": "", "name": "41112f36fc17f57f0e476c9ffa9e1ecbff796dc31a7ff0372d0d8708a5e9c50b" }, { "id": "", "name": "3fc92e8a440ca16172f7d93bd9de3c6f9391e26d3a1cb964e966ee1ee31770df" }, { "id": "", "name": "3d2409c7834287178f61116c9b653e3520172a10ebef58f58f99d27a34b839bd" }, { "id": "", "name": "3b4ee3d5c1a7202b053159becac4d0b622641e2e4a7b27f339c03a90f287d381" }, { "id": "", "name": "2d55c68aa7781db7f2324427508947f057a6baca78073fee9a5ad254147c8232" }, { "id": "", "name": "2abff990d33d99a0732ddbb3a39831c2c292f36955381d45cd8d40a816d9b47a" }, { "id": "", "name": "2700142c0b78fdbf3df30125a72443e2317d5079a01ff26022a66d0b7bd4c5b1" }, { "id": "", "name": "0a4397f7d5da024b10c778910d6db84a6ba0fc3375fe6fe9b470f7e269ddc716" }, { "id": "", "name": "02902a5e07a80aa56c24c6a8d4cca9fcfb32f32bb074f9c449cad5b3b18a070c" }, { "id": "", "name": "e2ba2d3d2c1f0b5143d1cd291f6a09abe1c53e570800d8ae43622426c1c4343c" }, { "id": "", "name": "ac227dd5c97a36f54e4fa02df4e4c0339b513e4f8049616e2a815a108e34552f" }, { "id": "", "name": "9b2a16cbe5af12b486d31b68ef397d6bc48b2736e6b388ad8895b588f1831f47" }, { "id": "", "name": "5d773e734290b93649a41ccda63772560b4fa25ba715b17df7b9f18883679160" }, { "id": "", "name": "6ab5a0b7080e783bba9b3ec53889e82ca4f2d304e67bd139aa267c22c281a368" }, { "id": "", "name": "26cb6055be1ee503f87d040c84c0a7cacb245b4182445e3eee47ed6e073eca47" } ], "malware": [ { "id": "a0323d4c-bf95-4165-a007-fef967b87250", "name": "Havoc Demon", "slug": "havoc-demon" }, { "id": "legacy:malware:3434ff8f2dbfbcaa", "name": "SameCoin", "slug": "samecoin" }, { "id": "legacy:malware:b79c57444b896193", "name": "IronWind", "slug": "ironwind" } ], "intrusion_sets": [ { "id": "2ffdad6b-10ad-4a9c-b602-a58e99d299c7", "name": "WIRTE", "slug": "wirte" } ], "attack_patterns": [ { "id": "ecaaa4cc-d487-4002-bcb2-f769acfcc38f", "name": "T1490" }, { "id": "e73b317e-ea92-49b4-a45d-051f7279aced", "name": "T1213" }, { "id": "f1bb7823-4f4b-4565-b472-bf0cfca467b1", "name": "T1486" }, { "id": "6e4e21cc-92cf-4564-920e-d509bd22fd40", "name": "T1574" }, { "id": "926a888c-190c-4efb-ab6b-f9d7e6a0fc54", "name": "T1547" }, { "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e", "name": "T1071" }, { "id": "af9ed2e3-4663-4723-beab-c606ddc312e0", "name": "T1543" }, { "id": "c3af9fd7-d307-4df4-9220-cc627938fb85", "name": "T1055" }, { "id": "7d7ac733-6442-416f-8669-c302dd0843b9", "name": "T1036" }, { "id": "306ee8dc-1d64-4916-96be-18060d690ad7", "name": "T1499" }, { "id": "50514c04-b3a2-4abf-a855-e3a434200c87", "name": "T1204" }, { "id": "0156fcda-e385-4662-b388-086c3e16feec", "name": "T1140" }, { "id": "81ee4813-4f68-4984-bec1-980d7c5b56eb", "name": "T1132" }, { "id": "0c836307-129e-4ff7-a532-180c633cacba", "name": "T1027" }, { "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d", "name": "T1566" }, { "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62", "name": "T1190" }, { "id": "9f11a241-9abc-4c57-95dd-33955ab08826", "name": "T1078" }, { "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221", "name": "T1059" } ], "others": [ { "id": "", "name": "Iraq" }, { "id": "", "name": "Egypt" }, { "id": "", "name": "Saudi Arabia" }, { "id": "", "name": "Jordan" }, { "id": "", "name": "Israel" }, { "id": "", "name": "Healthcare" }, { "id": "", "name": "Government" } ] }, "external_refs": [ "https://research.checkpoint.com/2024/hamas-affiliated-threat-actor-expands-to-disruptive-activity/", "https://otx.alienvault.com/pulse/6733bb19e6996c2a488cb29e" ] }