The pro-Hamas cyber threat group known as Gaza Cyber Gang is using an updated backdoor, named Pierogi++, to target Palestinian entities, according to cybersecurity company SentinelOne. Pierogi++ is written in C++, unlike its predecessors, which were written in Delphi and Pascal.
- SentinelOne reports that the Gaza Cyber Gang’s activities show constant targeting of Palestinian entities, with no significant changes observed since the beginning of the Israel-Hamas war.
- The Gaza Cyber Gang, believed to be active since 2012, often uses spear-phishing as its initial method of access and has hit targets throughout the Middle East, particularly in Israel and Palestine.
- The malware used by the group includes families such as BarbWire, DropBook, LastConn, Molerat Loader, Micropsia, NimbleMamba, SharpStage, Spark, Pierogi, PoisonIvy, and XtremeRAT.
- Recent attacks by the group have involved updated versions of its Micropsia and Arid Gopher implants, as well as a new initial access downloader named IronWind.
- The Gaza Cyber Gang began using Pierogi++ in late 2022. The malware is delivered through decoy documents written in English or Arabic on topics of interest to Palestinians.
- Both Pierogi and Pierogi++ can take screenshots, download attacker-provided files, and execute commands. The updated version, however, no longer includes Ukrainian strings in the code.
SentinelOne’s investigation has further revealed tactical connections between two separate campaigns, known as Big Bang and Operation Bearded Barbie, and strengthened ties between the Gaza Cyber Gang and WIRTE, a previously identified threat actor.
Despite the group’s continued focus on Palestine, the discovery of Pierogi++ indicates that the Gaza Cyber Gang is continually refining its malware to ensure successful compromise of targets and to maintain long-term access to their networks.