2021-11-24

WIRTE Group

Level: Tactical | Source: SecureList | Industry: Financial, Government


Industry: Financial, Government, Law, Military and Technology | Level: Operational | Source: SecureList

The WIRTE group has been conducting campaigns that use malicious Excel 4.0 macros to target high-profile public and private entities, according to research recently shared by Kaspersky. While the attacks concentrate on entities in the Middle East, researchers report impact in other regions as well. WIRTE relies on living-off-the-land (LotL) techniques to evade detection, and Kaspersky attributes the group, with low confidence, to the Gaza Cybergang threat actor. The observed attack chain begins with a phishing campaign that distributes the malicious document. Once run, a VBS script writes an embedded PowerShell command and establishes persistence in the registry. LitePower, a PowerShell implant, serves as the downloader and second stage, communicating with the C2 to download or deploy additional malware.

  • Anvilogic Scenario: WIRTE's LotL campaign
  • Anvilogic Use Cases:
      • Wscript/Cscript Execution
      • Add DLL/EXE Registry Value
      • Registry key added with reg.exe
      • Create/Modify Schtasks
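The following is an added example, not code from the SecureList report or from Anvilogic, showing how the use cases above map onto the attack chain described in the summary. It replays a handful of constructed process-creation events (parent image, image, command line; none are real telemetry, and the paths, task names and encoded blob are illustrative placeholders) through small rules for script-host execution, reg.exe writes of EXE/DLL values, Run-key persistence and schtasks creation, then correlates the per-event tags into the scenario. The stage names and the three-stage threshold are assumptions made for this example, not Anvilogic's scenario logic.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Event:
    """One process-creation record (Sysmon EID 1 / 4688 style, simplified)."""
    parent_image: str
    image: str
    command_line: str


# Constructed sample events; not real telemetry. Event order mirrors the
# chain in the summary: macro -> VBS -> PowerShell, registry, scheduled task.
SAMPLE_EVENTS = [
    Event(r"C:\Program Files\Microsoft Office\EXCEL.EXE",
          r"C:\Windows\System32\wscript.exe",
          r'wscript.exe //B "C:\Users\victim\AppData\Local\Temp\update.vbs"'),
    Event(r"C:\Windows\System32\wscript.exe",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -w hidden -nop -enc QUJD"),  # QUJD: constructed blob
    Event(r"C:\Windows\System32\wscript.exe",
          r"C:\Windows\System32\reg.exe",
          r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run '
          r'/v Updater /t REG_SZ /d "C:\Users\victim\AppData\Roaming\svc.exe" /f'),
    Event(r"C:\Windows\System32\wscript.exe",
          r"C:\Windows\System32\schtasks.exe",
          r'schtasks.exe /create /sc minute /mo 30 /tn Updater '
          r'/tr "powershell -nop -w hidden -f C:\Users\victim\AppData\Roaming\l.ps1"'),
    Event(r"C:\Windows\explorer.exe",          # benign control event
          r"C:\Windows\System32\reg.exe",
          r"reg.exe query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"),
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
RUN_KEY = re.compile(r"\\currentversion\\run(once)?$", re.IGNORECASE)
TOKEN = re.compile(r'"[^"]*"|\S+')   # quoted strings stay one token


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tokens(command_line: str) -> List[str]:
    return [t.strip('"') for t in TOKEN.findall(command_line)]


def switch_value(toks: List[str], switch: str) -> Optional[str]:
    """Value following a case-insensitive switch such as /d or /tr, or None."""
    for i, t in enumerate(toks[:-1]):
        if t.lower() == switch:
            return toks[i + 1]
    return None


def classify(ev: Event) -> List[str]:
    """Return the use-case tags an event matches, in rule order."""
    tags: List[str] = []
    img, parent = basename(ev.image), basename(ev.parent_image)
    toks = tokens(ev.command_line)
    if img in SCRIPT_HOSTS:
        tags.append("Wscript/Cscript Execution")
        if parent in OFFICE_APPS:
            tags.append("Office app spawned script host")
    if img == "powershell.exe" and parent in SCRIPT_HOSTS:
        tags.append("Script host spawned PowerShell")
    if img == "reg.exe" and len(toks) > 2 and toks[1].lower() == "add":
        tags.append("Registry key added with reg.exe")
        data = switch_value(toks, "/d") or ""
        if data.lower().endswith((".exe", ".dll")):
            tags.append("Add DLL/EXE Registry Value")
        if RUN_KEY.search(toks[2]):
            tags.append("Run-key persistence")
    if img == "schtasks.exe" and any(t.lower() in ("/create", "/change") for t in toks):
        tags.append("Create/Modify Schtasks")
    return tags


def detect_chain(events: List[Event]) -> Dict[str, bool]:
    """Correlate per-event tags into the stages of the LotL scenario."""
    stages = {"macro_to_script_host": False, "script_host_to_powershell": False,
              "registry_persistence": False, "scheduled_task": False}
    for ev in events:
        tags = classify(ev)
        stages["macro_to_script_host"] |= "Office app spawned script host" in tags
        stages["script_host_to_powershell"] |= "Script host spawned PowerShell" in tags
        stages["registry_persistence"] |= "Run-key persistence" in tags
        stages["scheduled_task"] |= "Create/Modify Schtasks" in tags
    return stages


def scenario_fires(events: List[Event], minimum: int = 3) -> bool:
    """Assumed threshold: alert once at least `minimum` distinct stages are seen."""
    return sum(detect_chain(events).values()) >= minimum


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, basename(ev.image), classify(ev))
    print("scenario fires:", scenario_fires(SAMPLE_EVENTS))
```

Each rule alone is noisy on a real estate (reg.exe and schtasks.exe run legitimately all day); the value is in the correlation, where a script host spawned by an Office application that then writes a Run key or creates a task within the same session is rarely benign. The benign `reg.exe query` event produces no tags and, on its own, never fires the scenario.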
