# New Cyber Espionage Campaigns Targeting Palestinians - Part 2: The Discovery of the New, Mysterious Pierogi Backdoor

**[cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-](https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor?utm_content=116986912&utm_medium=social&utm_source=twitter&hss_channel=tw-835463838)**

**Research by: Cybereason Nocturnus Team**

## Background

Since December 2019, the Cybereason Nocturnus team has been investigating a campaign targeting
Palestinian individuals and entities in the Middle East, mostly within the Palestinian territories. This
campaign uses social engineering and decoy documents related to geopolitical affairs and relations
between the Palestinian government, and references Egypt, Hezbollah, and Iran.

_[Part one of this research investigates the Spark campaign, where attackers use social engineering to](https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-one)_
_infect victims, mainly from the Palestinian territories, with the Spark backdoor. For more information_
_[about part one, click here.](https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-one)_

During the attacks, victims are infected with a previously undocumented backdoor, dubbed Pierogi by
Cybereason. This backdoor allows attackers to spy on targeted victims. Cybereason suspects that the
backdoor may have been obtained in underground communities rather than home-grown, as the
evidence found in the code of the backdoor suggests it may have been developed by Ukranian-speaking
hackers.

The tactics, techniques, and procedures (TTPs), content, and theme of the decoy documents, as well as
the victimology observed in the campaign, resemble previous attacks that have targeted Palestinians. In
particular, these campaigns appear to be related to attacks carried out by a group called MoleRATs (aka,
[Gaza Cyber Gang, Moonlight), an Arabic-speaking, politically motivated group that has been operating in](https://attack.mitre.org/groups/G0021/)
the Middle East since 2012.

## Key Points

**Cyber Espionage with a New Malware: The Cybereason Nocturnus team has discovered recent,**
targeted attacks in the Middle East to deliver the Pierogi backdoor for politically-driven cyber
espionage.
**Targeting Palestinians: The campaigns seems to target Palestinian individuals and entities, likely**
related to the Palestinian government.
**Using Geopolitically-charged Lure Content: The attackers use specially crafted lure content to**
trick their targets into opening malicious files that infect the victim’s machine with the Pierogi
backdoor. The decoy content of the malicious files revolves around various political affairs in the
Middle East, specifically targeting the tension between Hamas and other entities in the region.
**Perpetrated by an Arabic-speaking APT, MoleRATs: The modus-operandi of the attackers as**
well as the social engineering decoy content seem aligned with previous attacks carried out by an
Arabic-speaking APT group called MoleRATs (aka Gaza Cybergang). This group has been
operating in the Middle East since 2012.

[For a synopsis of this research, check out the Molerats & Pierogis Threat Alert.](https://www.cybereason.com/threat-alert-molerats-pierogis)

## Table of Contents


-----

## Infection Vector via Social Engineering

[Similar to previous attacks, this campaign starts with social engineering. In one instance, it lures victims](https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks)
to open an email attachment. In others, it persuades victims to download a report about a recent political
affair pertaining to the Middle East and specifically to Palestinian matters. In most cases, the
downloaded file is either an executable that masquerades as a Microsoft Word document or a
weaponized Microsoft Word document.

_Malicious file named “Reports on major developments__347678363764”, uploaded to VirusTotal from_
_the Palestinian territories._

### Backdoor Dropper File Name SHA-256

 347678363764_ا�����ات ��أ ��ل �����.exe 4e77963ba7f70d6777a77c158‐
 fab61024f384877d78282d31ba7b‐
 Translation: Report on major bac06724b68 developments_347678363764.exe

 Ente‐ 094e318d14493a9f56d56b44b30fd396af8b296 laqa_hamas_32_1412_847403867_rar.exe 119ff5b82aca01db9af83fd48

 Translation: Hamas_32th_Anniver‐ sary__32_1412_847403867_rar.exe

 final_meet‐ 050a45680d5f344034be13d4fc3a7e389ce‐ ing_9659836_299283789235_rar.exe b096bd01c36c680d8e7a75d3dbae2

 Employee-entitlements-2020.doc b33f22b967a5be0e886d479d47d6c9d35c6639 d2ba2e14ffe42e7d2e5b11ad80

 Congratulations_Jan-7_78348966_pdf.exe 4be7b1c2d862348ee00bcd36d7a6543f1eb‐ b7d81f9c48f5dd05e19d6ccdfaeb5

## Decoy Content

As soon as the victim double-clicks on the dropper, they are presented with the decoy document. The
document lowers the victim’s suspicions by distracting them with a real document while the dropper
installs the backdoor. However, some of the documents also play an additional role in the attack. While

|Backdoor Dropper File Name|SHA-256|
|---|---|
|347678363764_تاčĂúĖÍا śšأ لťą đūđŎù.exe Translation: Report on major developments_347678363764.exe|4e77963ba7f70d6777a77c158‐ fab61024f384877d78282d31ba7b‐ bac06724b68|
|Ente‐ laqa_hamas_32_1412_847403867_rar.exe Translation: Hamas_32th_Anniver‐ sary__32_1412_847403867_rar.exe|094e318d14493a9f56d56b44b30fd396af8b296 119ff5b82aca01db9af83fd48|
|final_meet‐ ing_9659836_299283789235_rar.exe|050a45680d5f344034be13d4fc3a7e389ce‐ b096bd01c36c680d8e7a75d3dbae2|
|Employee-entitlements-2020.doc|b33f22b967a5be0e886d479d47d6c9d35c6639 d2ba2e14ffe42e7d2e5b11ad80|
|Congratulations_Jan-7_78348966_pdf.exe|4be7b1c2d862348ee00bcd36d7a6543f1eb‐ b7d81f9c48f5dd05e19d6ccdfaeb5|


-----

some are more neutral, quoting from newspapers and the media, others seem to report fake news to
spread misinformation that serves a political agenda. With regards to decoy content themes, this
[campaign resembles previous campaigns reported in blogs by Vectra, Unit 42, and Talos. The contents](https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks)
of the decoy documents seems to include:

Potentially fake documents that appear to be issued by the Palestinian government.
Meetings minutes of different Palestinian organizations.
News about Hamas and the Palestinian National Authority.
Potentially fake, leaked Hamas documents.
Criticism of and embarrassing content about Hamas.

|Decoy Document Name|Docu‐ ment Descrip‐ tion|SHA-256|
|---|---|---|
|APA adopt‐ ed resolu‐ tion Unlim‐ ited sup‐ port for Palestinian people.‐ docx|De‐ scribes a resolu‐ tion by the Asian Parlia‐ mentary Assem‐ bly (APA) held in Ana‐ talya, an‐ nouncing unlimited support for the Palestin‐ ian people.|7b4c736b92ce702fb584845380e237aa55ddb4ef693ea65a766c9d9890b3852c|


-----

|jalsa.rar|Contains the above men‐ tioned docu‐ ment, as well as photos of the assem‐ blies and political cartoons criticiz‐ ing Hamas|50a597aa557084e938e2a987ec5db99187428091e8141e616c‐ ced72e6a39de1b|
|---|---|---|
|Internet in govern‐ ment.pdf / Define the Internet in govern‐ ment institution‐ s.pdf|An‐ nounce‐ ment about a new reg‐ ulation regard‐ ing inter‐ net us‐ age in Palestin‐ ian gov‐ ernment institu‐ tions. The an‐ nounce‐ ment states that porn, gambling and en‐ tertain‐ ment sites will be blocked.|9e4464d8dc8a3984561a104a93a7b8d6eb3d622d5187ae1d3fa6f6dafa2231a8|


-----

|Congratu‐ lations_‐ Jan-7.pdf|Letter allegedly from the Bar‐ celona branch of the Federa‐ tion of Indepen‐ dent Palestin‐ ian Com‐ munities and Or‐ ganiza‐ tions and Events in the Di‐ aspora. The let‐ ter com‐ memo‐ rates the 73rd an‐ niversary of the Syrian Army, and ex‐ presses the Palestin‐ ian sup‐ port of Bashar Al-Asad. The let‐ ter ends with “Death to Israel” and “Hu‐ miliation and shame to the tyrant America”|65c8b9e9017ac84d90553a252c836c38b6a3902e5ab24d3a4b8a584e2d615fcc|
|---|---|---|


-----

|Daily_Re‐ port.docx|Daily summa‐ ry of news concern‐ ing dif‐ ferent Palestin‐ ian goven‐ ment re‐ lated issues.|d3771d58051cb0f4435232769ed11c0c0e6457505962ddb6ee‐ b46d900de55428|
|---|---|---|
|Directory of Govern‐ ment Ser‐ vices.pdf|A screen‐ shot from a website of the Palestin‐ ian gov‐ ernment, showing a direc‐ tory of the dif‐ ferent min‐ istries.|9e4464d8dc8a3984561a104a93a7b8d6eb3d622d5187ae1d3fa6f6dafa2231a8|
|Meeting Agenda.pdf|Corrupt‐ ed file|f6876fd68fdb9c964a573ad04e4e0d3cfd328304659156efc9866844a28c7427|
|imgonline- com-ua- dexifEEd‐ WuIb‐ NSv7G.jpg|poten‐ tially leaked Hamas docu‐ ment de‐ tailing Hamas 32nd an‐ niversary expens‐ es in dif‐ ferent regions in the Palestin‐ ian Territo‐ ries|932ecbc5112abd0ed30231896752ca471ecd0c600b85134631c1d5ffcf5469fb|


-----

|Asala.mp3|An .mp3 file of a song by the fa‐ mous Syrian singer Asala Nasri (song name: Fen Habibi, transla‐ tion: “where is my loved one?”)|4583b49086c7b88cf9d074597b1d65ff33730e1337aee2a87b8745e94539d964|
|---|---|---|


Select screenshots from the above decoy content:

_Excerpt of the decoy documents presented to the victims._


-----

_Potentially leaked Hamas document detailing expenses for Hamas 32th anniversary celebrations._

In addition to the documents, the content includes a number of political cartoons that criticize Hamas’
relations with Iran and Hamas’ standing as a resistance movement.

### “#Iran Movement” - depicting the co-founder “Hamas 32 years after its establishment”          of Hamas, Mahmoud Al-Zahar and Ali               Top: “The Speeches (calling for) Khamenei, the Supreme leader of Iran.     ‘Resistance’”            Bottom: “The reality”  

       SHA-256:
 SHA-256: 6ccd‐ 06e92ca2d9c6c17c45ed5b347d‐ fa8fcf5e2fc5baeea765e59a10e9f9a5d3d1b2a2f189f‐ f1d27cb96747ba3a4585f7c94f0861fc643e94 f1beee4fe9c4539

## Infection Vector: Analysis of the Malicious Word Document

|Col1|Col2|
|---|---|
|“#Iran Movement” - depicting the co-founder of Hamas, Mahmoud Al-Zahar and Ali Khamenei, the Supreme leader of Iran. SHA-256: 06e92ca2d9c6c17c45ed5b347d‐ f1d27cb96747ba3a4585f7c94f0861fc643e94|“Hamas 32 years after its establishment” Top: “The Speeches (calling for) ‘Resistance’” Bottom: “The reality” SHA-256: 6ccd‐ fa8fcf5e2fc5baeea765e59a10e9f9a5d3d1b2a2f189f‐ f1beee4fe9c4539|


-----

While the majority of infections in this campaign did not originate from Malicious Microsoft Word
documents, the Cybereason Nocturnus team found several weaponized Microsoft Word documents with
an embedded downloader macro that downloads and installs the backdoor used in this attack.

_Malicious Microsoft Word Document uploaded from the Palestinian territories._

### Docu‐ Phishing Content SHA-256 ment Name

 ا����ة Resume of a woman from Abu-Dis, Palestinian 4a6d1b686873158a1e‐
 Authority. b088a2756daf2882be‐
 ���ا��ا
 f4f5f‐
 doc.1���ل
 fc7af370859b6f87c08840f

 Transla‐ tion: CV Manal 1

 Employ‐ A statement of the Ministry of Finance on civil and b33f22b967a5be0e886d4 ee-enti‐ military employee benefits and salaries, discussing 79d47d6c9d35c6639d2ba tlements- the conterversial issue Palestinian Authority employ‐ 2e14ffe42e7d2e5b11ad80 2020.doc ees that have not been paid or paid in full their
 salaries.

When the victims open the document, they are encouraged to click on Enable Content, which causes the
embedded malicious macro code to run.

|Docu‐ ment Name|Phishing Content|SHA-256|
|---|---|---|
|ةđŬĖŕا ÷Ŭùاďŕا doc.1لñŞř Transla‐ tion: CV Manal 1|Resume of a woman from Abu-Dis, Palestinian Authority.|4a6d1b686873158a1e‐ b088a2756daf2882be‐ f4f5f‐ fc7af370859b6f87c08840f|
|Employ‐ ee-enti‐ tlements- 2020.doc|A statement of the Ministry of Finance on civil and military employee benefits and salaries, discussing the conterversial issue Palestinian Authority employ‐ ees that have not been paid or paid in full their salaries.|b33f22b967a5be0e886d4 79d47d6c9d35c6639d2ba 2e14ffe42e7d2e5b11ad80|


-----

_Contents of the weaponized Microsoft Word document._

The macro code embedded in the document is rather simple and is not obfuscated. In fact, it is almost
unusual in its unsophistication.

The macro code does the following:

1. Downloads a Base64 encoded payload from the following URL:

_hxxp://linda-callaghan[.]icu/Minkowski/brown._
2. Writes the decoded payload to C:\ProgramData\IntegratedOffice.txt.
3. Decodes the Base64 payload and writes the file to C:\ProgramData\IntegratedOffice.exe.
4. Runs the executable file and deletes the .txt file.


-----

_Malicious macro code found in the phishing document._

## Analysis of the Pierogi Backdoor

[Pierogi, the backdoor in this attack, appears to be a new backdoor written in Delphi. It enables the](https://en.wikipedia.org/wiki/Delphi_(software))
attackers to spy on victims using rather basic backdoor capabilities. While it is unknown at this point
whether the backdoor was coded by the same members of the group behind the attacks, there are
indications that suggest that the malware was authored by Ukranian-speaking malware developers. The
commands used to communicate with the C2 servers and other strings in the binary are written in
Ukrainian.

[This is why we chose to name the malware Pierogi, after the popular East European dish.](https://en.wikipedia.org/wiki/Pierogi)


-----

_Strings embedded in the backdoor binary that show Ukranian words._

The backdoor has the following capabilities:

Collects information about the infected machine.
Uploads files to the attackers’ server.
Downloads additional payloads.
Takes screenshots from the infected machine.
Executes arbitrary commands via the CMD shell.

In addition to spy features, the backdoor also implements a few checks to ensure it is running in a safe
environment. Specifically, it looks for antivirus and other security products.

1. The backdoor queries Windows for installed antivirus software using WMI: SELECT * FROM

_AntiVirusProduct_
2. It looks for specific antivirus and security products installed on the infected machine, such as

Kaspersky, eScan, F-secure and Bitdefender.


-----

_Strings of security products found in the backdoor code._

## Persistence Mechanism

The backdoor achieves persistence using a classic startup item autorun technique:

1. A shortcut is added to the the startup folder:

_C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup._
2. Once the user logs on to the infected machine, the shortcut points to the file binary location in the

_C:\ProgramData\ folder._

_The backdoor persistence shown via Sysinternals Autoruns tool._

The GUID generated by the malware is saved in a file called GUID.bin. This file is created in the same
folder as the binary of the backdoor (C:\ProgramData\GUID.bin).


-----

_Contents of the GUID.bin file generated by the backdoor._

## C2 Communication by the Pierogi Backdoor

The backdoor has rather basic C2 functionality implemented through a predefined set of URLs:

**1. Sending machine information and a heartbeat to the C2:**
URL: hxxp://nicoledotson[.]icu/debby/weatherford/Yortysnr

The information sent to the C2 includes:

**cname: computer name, username, and GUID**
**av: Name of detected antivirus**
**osversion: version of the operating system**
**aname: the location of the malware on the infected machine**

_Sending basic information about the infected machine_


-----

**2. Requesting commands from the C2 server:**

URL: hxxp://nicoledotson[.]icu/debby/weatherford/Ekspertyza

_Ekspertyza means expertise or examination in Ukranian. There are 3 basic commands coming from the_
server in the form of md5 hashes:

### MD5 hash Plain text command

 Dfff0a7fa1a55c8c1a4966c19f6da452 cmd

 51a7a76a7dd5d9e4651fe3d4c74d16d6 downloadfile

 62c92ba585f74ecdbef4c4498a438984 screenshot

_Receiving command from the server to upload a screenshot of the infected machine’s screen._

**3. Uploading data (mainly screenshots) to the C2:**

URL: hxxp://nicoledotson[.]icu/debby/weatherford/Zavantazhyty

_Zavantazhyty means to load or download in Ukranian. This command is used to upload collected data to_
the C2 server. For example, in some instances the backdoor uploads screenshots taken from an infected
machine, as can be seen in the example below.

|MD5 hash|Plain text command|
|---|---|
|Dfff0a7fa1a55c8c1a4966c19f6da452|cmd|
|51a7a76a7dd5d9e4651fe3d4c74d16d6|downloadfile|
|62c92ba585f74ecdbef4c4498a438984|screenshot|


-----

_The backdoor uploads a screenshot of the infected machine to the C2 server._

**4. Removing information:**

**URL: hxxp://nicoledotso[.]icu/debby/weatherford/Vydalyty**

_Vydalyty means to remove or delete in Ukrainian. The malware can delete various requests based_
**on the command below.**

_Excerpt from the code that handles deletion requests from the C2 server._

## Recent Infrastructure

The records of the domains and IPs involved in this campaign seem to show that the attackers created a
new infrastructure specifically for this campaign. The domains were registered in November 2019 and
operationalized shortly after, as shown below.


-----

_PassiveTotal UI: An activity timeline of the malicious domain Linda-callaghan[.]icu._

_An activity timeline of the malicious domain Nicoledotson[.]icu._

## Conclusion

In part two of this research, we examined the Pierogi campaign. Cybereason suspects this campaign
targets Palestinian individuals and entities in the Middle East, specifically directed at those in the
Palestinian government. The threat actors behind the campaign use social engineering to infect their
victims with the Pierogi backdoor for cyber espionage purposes.

The threat actor behind the attack invested considerable time and effort to lure their victims with
specially-crafted documents that target Palestinian individuals and entities in the Middle East. In our
analysis, we reviewed the TTPs and the decoy content, and pointed out the similarities between previous
attacks that have been attributed to MoleRATs, an Arabic-speaking, politically motivated group that has
operated in the Middle East since 2012.

The Pierogi backdoor discovered by Cybereason during this investigation seems to be undocumented
and gives the threat actors espionage capabilities over their victims. Based on the Ukranian language
embedded in the backdoor, Cybereason raises the possibility that the backdoor was obtained in
underground communities by the threat actors, rather than developed in-house by the group.

Learn how to protect against these types of attacks with the right roles for SIEM and EDR. Download our
white paper.

## Indicators of Compromise

[Click here to download the MoleRATs IOCs (PDF)](https://www.cybereason.com/hubfs/Pierogi%20IOCs.pdf)

## MITRE ATT&CK BREAKDOWN

|Initial Ac‐ cess|Exe‐ cution|Persis‐ tence|Privi‐ lege Escala‐ tion|Defense Evasion|Discov‐ ery|Col‐ lec‐ tion|C&C|Exfil‐ tration|
|---|---|---|---|---|---|---|---|---|


-----

|Spear phish‐ ing At‐ tach‐ ment|Com‐ mand- Line Inter‐ face|Sched‐ uled Task|Bypass User Account Control|Bypass User Ac‐ count Control|System Informa‐ tion Discov‐ ery|Screen Cap‐ ture|Web Ser‐ vice|Data En‐ crypted|
|---|---|---|---|---|---|---|---|---|
|Spear phish‐ ing Link|Sched‐ uled Task|Registry Run Keys / Startup Folder|Startup Items|Deobfus‐ cate/De‐ code Files or Information|User Discov‐ ery|Auto‐ mated Collec‐ tion|Data En‐ cod‐ ing||
||Script‐ ing|Shortcut Modifica‐ tion||Disabling Security Tools|Virtual‐ ization/ Sand‐ box Discov‐ ery||Re‐ mote File Copy||
||User Execu‐ tion|||File Deletion|||||
|||||Software Packing|||||
|||||Mas‐ querading|||||
|||||Evade Analysis Environ‐ ment|||||
|||||Security Software Discovery|||||


-----