{
	"id": "89f58953-9fc4-43c1-b057-c58a57be9de8",
	"created_at": "2026-04-06T00:20:17.54431Z",
	"updated_at": "2026-04-10T03:36:19.112291Z",
	"deleted_at": null,
	"sha1_hash": "7eb56e0f6ccf41045a2ed683eda87d54968442bb",
	"title": "WIRTE Group attacking the Middle East",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1070873,
	"plain_text": "WIRTE Group attacking the Middle East\r\nPublished: 2019-04-02 · Archived: 2026-04-05 16:50:23 UTC\r\nThe Intelligence Development Group of S2 Grupo has carried out an investigation on an actor from whom LAB52\r\nhas not been able to find references or similarities in open sources and who has been identified as WIRTE.\r\nThe DFIR (Digital Forensics and Incident Response) team of S2 Grupo first identified this actor in August 2018\r\nand since then the follow-up has been carried out during the last few months.\r\nThis group attacks the Middle East and does not use very sophisticated mechanisms, at least in the campaign\r\nstarted in August 2018 which was monitored. It is considered unsophisticated by the fact that the scripts are\r\nunobtrusive, communications go unencrypted by HTTP, they use Powershell (increasingly monitored), and so on.\r\nDespite this apparently unsophisticated modus operandi compared to other actors, they manage to infect their\r\nvictims and carry out their objectives. In addition, as will be seen during the report, the detection rate of some of\r\nthe scripts in December 2018 by the main antivirus manufacturers is low, an aspect that must be highlighted. We\r\nmust be aware that once these scripts are executed, it is when the behavior analysis of many solutions will detect\r\nthem, but this fact has not been studied by LAB52.\r\nThis actor in all the artifacts analyzed shows his victims a decoy document in Arabic with different themes.\r\nDuring the report these documents will be analyzed and who could be the objectives depending on the topic dealt\r\nwith in the document.\r\nTechnical analysis\r\nAs indicated above, during the month of August 2018 S2 Grupo CERT we managed an incident aimed at the\r\ndiplomacy of different Middle Eastern countries.\r\nThe attackers used a malware made in Visual Basic Script (VBS) as a tool to control the victim. 
Starting from the study of this VBS by the S2 Grupo CERT, monitoring of this group was started, finding in other sources further artifacts from the same group but with different decoy documents and different strategies of execution, persistence, and so on. S2 Grupo does not have enough information to make any type of attribution or claim of authorship. These artifacts are considered related because they show similarities from a technical and temporal point of view and because of the decoy documents used, which are sometimes identical.\r\nOne aspect observed during the investigation is that, after running the VBS, the attackers went on to use the Empire post-exploitation framework (https://github.com/EmpireProject/Empire).\r\nA total of five scripts plus the one involved in the incident could be collected. Below we detail the main characteristics of each.\r\nScript 1: 617bbc71e5f0a645cbb8eeb6d4a1ece96ba0860c8ab5deda6a795e6ad244607a\r\nhttps://lab52.io/blog/wirte-group-attacking-the-middle-east/\r\nPage 1 of 12\n\nThis first file can be seen in Virus Total and has a low detection rate (4/58). The last analysis took place on 12/12/2018.\r\nIn this case the file was uploaded from Palestine to Virus Total:\r\nIn the image you can see that it was uploaded through the web, from PS (Palestine), and also that it was uploaded for the first time on 5 Aug. 2018.\r\nNetwork communication occurs over HTTP to the micorsoft[.]store domain on port TCP/2082. Since its creation this domain has resolved to the following IP addresses:\r\n104.31.78.17\r\n104.31.79.17\r\n185.86.79.243\r\nIt currently resolves to a Cloudflare address. Port 2082 is one of the ports allowed by Cloudflare for HTTP traffic. It should be noted that the first IP address, 185.86.79.243, is geolocated in Ukraine. 
This IP address has been assigned to different domains, among them the malicious one.\r\nApparently the attackers changed their IP address and hid behind Cloudflare at some point.\r\nIn this script all of this communication logic is in the RunPld() function. This function downloads the PowerShell code from the command and control server and executes it:\r\nAnother function common to these scripts is the writeDOC function. This function decodes the decoy document, writes it to disk and shows it to the victim. The document is encoded in base64 and embedded in the script itself in a variable.\r\nThe VBS script copies itself to APPDATA through the copyVBS() function:\r\nThe script itself does not establish persistence on its first execution, so either the attackers set it up later when they execute PowerShell, or they establish it by transporting this copied script. Once copied to APPDATA, the script will have the following name: Update.vbs.\r\nOn the other hand, if the script is running from APPDATA it does not show the document and only executes the RunPld() function, which is the PowerShell backdoor detailed previously. If it is not being executed from APPDATA, it shows the “decoy” DOC file, copies itself and executes the backdoor (the PowerShell script).\r\nWhen the victim executes the VBS file, a Word document is opened with the following content (on the left in Arabic and next to it the translation made by Google Translate):\r\nThe document shown is intended to simulate that it was sent from the Ministry of Foreign Affairs of Saudi Arabia. Presumably the addressee was the Ministry of Awqaf and Islamic Affairs of Kuwait, since (Kuwait – Jeddah) appears in the very signature of the document. 
It was also apparently addressed to the Kuwaiti Consulate of the Cooperation Council of the Arab States of the Gulf, a highly important body within the countries of the Persian Gulf.\r\nThe text mentions that, attached, the recipient will find a document from the Saudi Ministry of Foreign Affairs called “Hajj affairs”, which is of interest to all those Arab countries that have citizens with an interest in carrying out the pilgrimage to Mecca. In addition, it encourages recipients to forward the document to other government organizations in countries with interests linked to the “Hajj” that have been approved by the same Ministry of Culture of Saudi Arabia. Presumably the author intends to spread the infection among the “partner states” of Saudi Arabia; the “target” of the sender could be the members of the diplomatic corps of countries with an interest in the “Hajj”, and especially the diplomats who are part of the Cooperation Council of the Arab States of the Gulf, since the sender promotes forwarding the document to all interested parties.\r\nThere are five fundamental pillars within the religion of Islam. One of them is the “Hajj”, which implies that all Muslims must visit Mecca at least once in their lifetime. This monument is located in the Jeddah region within Saudi Arabia. The “Hajj” is significantly relevant to Muslims around the world. Consequently, this text is attractive and of interest to both Shi’ite and Sunni Muslims.\r\nThe date of issuance of the document is relevant, as it was issued in August, approximately two weeks before the great pilgrimage, just when thousands of people of Muslim faith would begin the pilgrimage to Jeddah in Saudi Arabia. 
Consequently, the chances of a possible victim opening the document increase significantly.\r\nScript 2: b4c20b56059a6c6762b4c99d04eb9177cb0a4707c58ef575817fb8b702f162aa\r\nThis file has a low detection rate in Virus Total, 2/56, and the last analysis took place on 1 Dec. 2018.\r\nIn this case the file was uploaded from Palestine to Virus Total:\r\nIn the image you can see that it was uploaded through the web, from PS (Palestine), and also that it was uploaded for the first time on 08/25/2018.\r\nThe network communication in this case also takes place over HTTP to the domain micorsoft[.]store on port tcp/2082.\r\nIn this case the script has exactly the same code as the hash “617bbc71e5f0a645cbb8eeb6d4a1ece96ba0860c8ab5deda6a795e6ad244607a”. The only thing that varies is the decoy document, which we can see below:\r\nThe information presented in the document is directly related to security issues and internal political affairs of Palestine. The main actors mentioned in the text are Hamas, Al Fatah and the Palestinian government. The information is an analytical summary of the current political situation in Palestine and even analyzes some current aspects in geostrategic terms. In addition, the document reports on the potential political strategies that the previously mentioned actors could undertake in the future. This type of information is highly relevant for diplomats with political interests in the geographical area of Gaza and Palestine. Consequently, it is plausible that the document’s target audience is diplomats, politicians and professionals from the defense sector.\r\nScript 3: b906f3c19c19e1b20b2d00bfb82b5453d5386d63b4db901ecade0f33dd38326a\r\nThis file has a low detection rate in Virus Total, 3/56, and the last analysis took place on 1 Dec. 
2018.\r\nIn this case the file was uploaded from Sweden to Virus Total:\r\nIn the image you can confirm that it was uploaded by the community, from SE (Sweden), and also that it was uploaded for the first time on 6 Nov. 2018.\r\nThe network communication in this case also takes place over HTTP to the micorsoft[.]store domain on port TCP/2082.\r\nIn this case the script has exactly the same code as the previous two; the decoy document is identical to that of “617bbc71e5f0a645cbb8eeb6d4a1ece96ba0860c8ab5deda6a795e6ad244607a”, varying only in where it was uploaded from and in the dates with respect to the first one.\r\nScript 4: 3d4a9466e9428ccb1cde05336f5366b29c7e5ae454ddaa4aa28c75c504c13d96\r\nThis file has a low detection rate in Virus Total, 8/56, and the last analysis took place on 12/12/2018. We can see that this document has a higher detection rate than the rest, although it is true that some were not re-analyzed on December 12th.\r\nIn this case the file was uploaded from Palestine to Virus Total:\r\nIn the image you can see that it was uploaded through the web, from PS (Palestine), and also that it was uploaded for the first time on 08/25/2018. The upload date matches that of the hash “b4c20b56059a6c6762b4c99d04eb9177cb0a4707c58ef575817fb8b702f162aa”.\r\nThe network communication in this case takes place over HTTP to the domain office365-update[.]co on port TCP/2082. 
This hash changes the domain, and the structure of the script is different from the others, although it maintains functions and similarities with the rest.\r\nThe IP addresses to which the domain has resolved are:\r\n104.24.108.64\r\n104.24.109.64\r\nIn this case the domain has always resolved to Cloudflare, and it has not been observed resolving to another IP address as in the previous case.\r\nThe main body of the script is simple and we are going to review its flow:\r\nWe are going to see what logic each of the functions has.\r\nThe first function that we find is writeTXT():\r\nWhat this function does is save, in a file named sys.txt and in a path set by the script, the content of the fileContent variable, which is part of a PowerShell script. It should be noted that the write-to-file function used is wirteFile(); as can be seen, its name contains a typographical error that has been observed in several of the scripts that implement this functionality.\r\nThe function writeSCT():\r\nThe function creates an SCT (scriptlet) file on disk that executes, through the JScript language, a PowerShell script whose code is in the TXT file written by the writeTXT() function.\r\nRegsvr32.exe is used to trigger the execution:\r\nThe writeDOC() function performs the same logic as in the hash “617bbc71e5f0a645cbb8eeb6d4a1ece96ba0860c8ab5deda6a795e6ad244607a”, which has already been explained.\r\nIn this case the decoy document shown to the victim is the same as that presented in “b4c20b56059a6c6762b4c99d04eb9177cb0a4707c58ef575817fb8b702f162aa”.\r\nScript 5: 4f5d633604b8a3cceb7d582bab640d47e8a5898458c5c2f0e28adcdf01aabf33\r\nThis file has a higher detection rate than the previous ones: you can see that 20/58 antivirus engines identify it as 
harmful.\r\nIn the image you can see that it was uploaded through the API, from the US, and also that it was uploaded for the first time on 2 Sept. 2018. The upload date is after the artifacts uploaded from Palestine, but close in time.\r\nIn this case you can see a reference to this script in a tweet (https://twitter.com/ItsReallyNick/status/1036687952544448512) by Nick Carr (@ItsReallyNick), where he details all the technical aspects of the script:\r\nBy viewing the tweet thread we can see that they indicate that in this case it runs a VBScript #Houdini RAT and that the command and control server is hxxp://149.28.14[.]103:535/is-ready.\r\nWhen looking for which domains have resolved to this IP address, it is observed that the only one categorized as malware is related to spdns.de, and searching for this domain name we come to the analysis https://gist.github.com/JohnLaTwC/ccdcbeb85649ef9feaae045482d694b9 (from @JohnLaTwC), which shows how this domain is configured with port 535 and with HTTP requests from the Houdini RAT. 
The domain was resolving to IP addresses until August 30, 2018.\r\nThe fact that in this case the actor uses a Houdini RAT differs from the rest of the VBS files found, which based their execution on a PowerShell script that received commands from a remote server and executed them; even so, there are several aspects that lead us to think that it is the same actor:\r\n• There are matching function names: writeTXT, writeDOC, wirteFile (this is a very important indicator, since it is the same typographical error).\r\n• writeDOC has the same logic and, besides, the decoy document is also in Arabic.\r\nIn this case the decoy document is different from the previous ones, so everything suggests that the objective is different:\r\nThe document refers to information related to the Security Forces in the territory of northern Gaza involved in defending the border. The information refers to an accreditation and decoration by Palestinian governmental authorities for members of their law enforcement and security forces. The target of this malicious document could be soldiers, police, professionals linked to the Ministry of Defense and members of the diplomatic corps in Gaza. The current government within the Gaza Strip is Hamas, a party that has a military arm considered by different countries as a terrorist group.\r\nIndicators of compromise\r\nSource: https://lab52.io/blog/wirte-group-attacking-the-middle-east/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE",
		"MISPGALAXY"
	],
	"references": [
		"https://lab52.io/blog/wirte-group-attacking-the-middle-east/"
	],
	"report_names": [
		"wirte-group-attacking-the-middle-east"
	],
	"threat_actors": [
		{
			"id": "b14cd6df-3108-4839-8a2d-52eb2f8ce9c8",
			"created_at": "2022-10-25T15:50:23.798666Z",
			"updated_at": "2026-04-10T02:00:05.255838Z",
			"deleted_at": null,
			"main_name": "WIRTE",
			"aliases": [
				"WIRTE"
			],
			"source_name": "MITRE:WIRTE",
			"tools": [
				"LitePower",
				"Ferocious"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7800d05d-e713-4a4f-9b4f-0b960fb82c9d",
			"created_at": "2023-11-14T02:00:07.079123Z",
			"updated_at": "2026-04-10T02:00:03.444083Z",
			"deleted_at": null,
			"main_name": "WIRTE",
			"aliases": [
				"Ashen Lepus"
			],
			"source_name": "MISPGALAXY:WIRTE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6bad0c51-0d2b-4f04-b355-f88c960db813",
			"created_at": "2025-08-07T02:03:24.546734Z",
			"updated_at": "2026-04-10T02:00:03.691101Z",
			"deleted_at": null,
			"main_name": "ALUMINUM THORN",
			"aliases": [
				"Frankenstein ",
				"WIRTE "
			],
			"source_name": "Secureworks:ALUMINUM THORN",
			"tools": [
				"FruityC2",
				"PowerShell Empire"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "aa5c2fa9-e018-484b-9f4a-0ef76ebbbf57",
			"created_at": "2022-10-25T16:07:24.41839Z",
			"updated_at": "2026-04-10T02:00:04.982315Z",
			"deleted_at": null,
			"main_name": "WIRTE Group",
			"aliases": [
				"G0090",
				"White Dev 21"
			],
			"source_name": "ETDA:WIRTE Group",
			"tools": [
				"EmPyre",
				"EmpireProject",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"Jenxcus",
				"Kognito",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Njw0rm",
				"PowerShell Empire",
				"SameCoin",
				"WSHRAT",
				"dinihou",
				"dunihi"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434817,
	"ts_updated_at": 1775792179,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7eb56e0f6ccf41045a2ed683eda87d54968442bb.pdf",
		"text": "https://archive.orkl.eu/7eb56e0f6ccf41045a2ed683eda87d54968442bb.txt",
		"img": "https://archive.orkl.eu/7eb56e0f6ccf41045a2ed683eda87d54968442bb.jpg"
	}
}