Gaza cybergang, where’s your IR team?
By Mohamad Amin Hasbini
Published: 2015-09-28 · Archived: 2026-04-05 15:17:39 UTC

Summary information:

Gaza cybergang is a politically motivated Arabic cybercriminal group operating in the MENA (Middle East North Africa) region, targeting mainly Egypt, the United Arab Emirates and Yemen. The group has been operating since 2012 and became particularly active in Q2 2015.

One interesting new fact about Gaza cybergang activities is that they are actively sending malware files to IT (Information Technology) and IR (Incident Response) staff; this is also obvious from the file names they are sending to victims, which reflect the IT functions or IR tools used in cyber attack investigations.

IT people are known for having more access and permissions inside their organizations than other employees, mainly because they need to manage and operate the infrastructure. This is why getting access to their devices could be worth a lot more than access to a normal user's device. IR people are also known for having access to sensitive data related to ongoing cyber investigations in their organizations, in addition to special access and permissions enabling them to hunt for malicious or suspicious activities on the network.

The main infection modules used by this group are pretty common RATs: XtremeRAT and PoisonIvy.

Some more interesting facts about Gaza cybergang:
- Attackers take an interest in government entities, especially embassies, where security measures and IT operations might not be well established and reliable
- Use of special file names, content and domain names (e.g. gov.uae.kim) has helped the group perform better social engineering to infect targets
- Increasing interest in targeting IT and IR people, which is clear from most of the recent malware file names used

Other operation names: DownExecute, MoleRATs

Kaspersky Lab products and services successfully detect and block attacks by the Gaza cybergang.
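The summary above describes two things a defender can turn into detection logic: lure file names that imitate IT and IR tools, and a set of command-and-control domains, IP addresses and hashes. The following Python script is an added example and is not part of the original Securelist report; it matches a subset of the indicators published further down this page (the full lists are longer) against constructed sample log lines. The log formats (a DNS query log, a firewall log and a mail-gateway log with attachment name and MD5) are assumptions made for the example; the point is that domain indicators should be matched as suffixes, because the group placed hosts under its own domain (gov.uae.kim, up.uae.kim, uptime.uae.kim), and lure names should be compared case-insensitively since Windows file names are.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Subset of the indicators published in the report (domains, IP addresses,
# MD5 hashes and lure file names). Every value below appears on the page;
# the page's full lists are longer.
C2_DOMAINS = {
    "uae.kim", "gov.uae.kim", "up.uae.kim", "uptime.uae.kim",
    "natco1.no-ip.net", "ajaxo.zapto.org", "wallanews.sytes.net",
    "update.ciscofreak.com", "chromeupdt.tk", "downloadskype.cf",
}
C2_IPS = {"192.52.166.115", "131.72.136.28", "109.200.23.207", "84.200.17.147"}
MALWARE_MD5 = {"302565aec2cd47bb6b62fa398144e0ad", "f94385be79ed56ef77c961aa6d9eafbf"}
# Lure names that imitate IT/IR tooling; compared case-insensitively because
# Windows file names are case-insensitive.
LURE_NAMES = {n.lower() for n in (
    "procexp.exe", "vmplayer.exe", "WinRAR.exe", "ccleaner.exe", "AVP.exe",
    "Kaspersky.exe", "PE-Explorr.exe", "Hex_Workshop_Hex_Editor-o.exe",
    "WindowsUpdate.exe", "Microsoft Log.exe",
)}


@dataclass
class Hit:
    line_no: int
    kind: str   # "domain", "ip", "hash" or "attachment"
    value: str
    line: str


def domain_matches(host: str) -> bool:
    """True for an exact listed domain or any host below it (e.g. *.uae.kim)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


# Assumed (constructed) log formats for the example: a DNS query log, a
# firewall log and a mail-gateway log that records attachment name and MD5.
DNS_RE = re.compile(r"\bquery:\s*(?P<host>[A-Za-z0-9.-]+)")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
ATTACH_RE = re.compile(r'attachment="(?P<name>[^"]+)"')


def scan(lines):
    """Return every indicator hit found in the given log lines, in order."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = DNS_RE.search(line)
        if m and domain_matches(m.group("host")):
            hits.append(Hit(n, "domain", m.group("host").lower(), line))
        for ip in IP_RE.findall(line):
            if ip in C2_IPS:
                hits.append(Hit(n, "ip", ip, line))
        for h in MD5_RE.findall(line):
            if h.lower() in MALWARE_MD5:
                hits.append(Hit(n, "hash", h.lower(), line))
        m = ATTACH_RE.search(line)
        if m and m.group("name").lower() in LURE_NAMES:
            hits.append(Hit(n, "attachment", m.group("name"), line))
    return hits


def summarize(hits):
    """Count hits per indicator type."""
    return dict(Counter(h.kind for h in hits))


# Constructed sample log lines (not real traffic); 10.0.0.x are internal hosts.
SAMPLE_LOGS = [
    "2015-09-01T08:12:03 dns client 10.0.0.21 query: gov.uae.kim A",
    "2015-09-01T08:12:04 dns client 10.0.0.21 query: any-sub.uae.kim A",
    "2015-09-01T08:12:05 dns client 10.0.0.22 query: www.example.org A",
    "2015-09-01T08:13:10 fw ALLOW 10.0.0.21 -> 192.52.166.115:443 tcp",
    "2015-09-01T08:13:11 fw ALLOW 10.0.0.22 -> 198.51.100.7:443 tcp",
    '2015-09-01T09:02:44 mail to=ir-team@example.org attachment="procexp.exe" '
    "md5=302565aec2cd47bb6b62fa398144e0ad",
    '2015-09-01T09:05:01 mail to=it-helpdesk@example.org attachment="notes.txt" '
    "md5=d41d8cd98f00b204e9800998ecf8427e",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOGS):
        print(f"line {h.line_no}: {h.kind} {h.value}")
    print(summarize(scan(SAMPLE_LOGS)))
```

On the constructed sample the script reports two domain hits (one exact, one via the uae.kim suffix), one firewall hit on a listed IP, and both a hash and a lure-name hit on the mail sent to the IR mailbox; the attachment-name check is what catches a renamed or recompiled sample that no longer matches a published hash.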
Political file names targeting Arabic countries

File name: بوادر خلاف جديد بين الامارات والسعودية.exe
Translation: Indications of disagreement between Saudi Arabia and UAE.exe
https://securelist.com/gaza-cybergang-wheres-your-ir-team/72283/ Page 1 of 8

File name: “Wikileaks documents on Sheikh ******* *** *****.exe”

File name: صور فاضحـــــة جدا لبعض العسكريين والقضاة والمستشاريين المصريين.exe
Translation: Scandalous pictures of Egyptian militants, judges and consultants

File name: Abaas-Majed.zip -> الرئيس الفلسطيني محمود عباس يشتم ماجد فرج.exe
Translation: President Mahmoud Abbas cursing Majed Faraj.exe

File name: “مكالمة مسربة بين القائد العام للقوات المسلحة المصرية صدقي صبحي.exe”
Translation: Leaked conversation with the Egyptian leader of military forces Sodqi Sobhi.exe

File name: tasreb.rar

IT and IR malware file names
VCSExpress.exe
Hex.exe
Microsoft Log.exe
IMP.exe
Win.exe
Corss.exe
WinRAR.exe
AVR.exe
ccleaner.exe
codeblocks.exe
HelpPane.exe
Hex_Workshop_Hex_Editor-o.exe
Help.exe
Decoded.exe
vmplayer.exe
Decrypted.exe
procexp.exe
crashreporter.exe
RE.exe
WindowsUpdate.exe
PE.exe
AVP.exe
PE-Explorr.exe
Kaspersky.exe
hworks32.exe
Kaspersky Password Manager.exe

Other malware file names
abc.exe
News.exe
Sky.exe
SkyC.exe
Skype.exe
Skypo.exe
وصية وصور الوالد أتمنى الدعاء له بالرحمة والمغفرة.exe
Translation: My father's will and pictures, please pray for mercy and forgiveness for him.exe
Secret_Report.exe
Military Police less military sexual offenses, drug offenses more.exe

Phishing
http://google.com.*****/new/index.php?Email=FL1-08-2015@gmail.com
http://google.com.*****/new/g.htm?Email=sharq-2014-12-31@gmail.com
http://google.com.*****/new/index.php?Email=2014-12-04@gmail.com
http://googlecom*****/new/index.php?Email=yemen-22-01-2015@hotmail.com

IP addresses and domain names used in the attacks
Domains
uae.kim
gov.uae.kim
up.uae.kim
uptime.uae.kim
google.com.r3irv2ykn0qnd7vr7sqv7kg2qho3ab5tngl5avxi5iimz1jxw9pa9.uae.kim
ajaxo.zapto.org
backjadwer.bounceme.net
backop.mooo.com
bandao.publicvm.com
bypasstesting.servehalflife.com
cbbnews.tk
cccam.serveblog.net
chromeupdt.tk
cnaci8gyolttkgmguzog.ignorelist.com
cyber18.no-ip.net
deapka.sytes.net
depka.sytes.net
dnsfor.dnsfor.me
download.likescandy.com
downloadlog.linkpc.net
downloadmyhost.zapto.org
downloadskype.cf
duntat.zapto.org
fastbingcom.sytes.net
fatihah.zapto.org
gaonsmom.redirectme.net
goodday.zapto.org
googlecombq6xx.ddns.net
gq4bp1baxfiblzqk.mrbasic.com
haartezenglish.redirectme.net
haartezenglish.strangled.net
help2014.linkpc.net
httpo.sytes.net
internetdownloadr.publicvm.com
justded.justdied.com
kaliob.selfip.org
kaswer12.strangled.net
kolabdown.sytes.net
ksm5sksm5sksm5s.zzux.com
lastmoon.mooo.com
lilian.redirectme.net
live.isasecret.com
mailchat.zapto.org
mp4.servemp3.com
natco1.no-ip.net
natco3.no-ip.net
natco5.no-ip.net
nazer.zapto.org
noredirecto.redirectme.net
nrehcnthrtfmyi.strangled.net
ns2.negociosdesucesso.info
offeline.webhop.net
orango.redirectme.net
redirectlnk.redirectme.net
removalmalware.servecounterstrike.com
rgoyfuadvkebxhjm.ddns.net
rotter2.publicvm.com
rotter2.sytes.net
safar.selfip.com
safara.sytes.net
safari.linkpc.net
spreng.vizvaz.com
store-legal.biz
su.noip.us
tango.zapto.org
test.cable-modem.org
test.ns01.info
testcom.strangled.net
thenewupdate.chickenkiller.com
thenewupdatee.redirectme.net
tvnew.otzo.com
update.ciscofreak.com
updatee.hopto.org
updatee.serveblog.net
updato.ns01.info
use.mooo.com
wallanews.publicvm.com
wallanews.sytes.net
Wcf6f0nqvjtUP4uN.mooo.com
webfile.myq-see.com
ynet.ignorelist.com
ynet.sytes.net

IP addresses
192.52.166.115
131.72.136.28
109.200.23.207
131.72.136.124
66.155.23.36
172.227.95.162
162.220.246.117
192.253.246.169
192.99.111.228
192.52.167.125
185.33.168.150
198.105.117.37
185.45.193.4
198.105.122.96
131.72.136.11
131.72.136.171
84.200.17.147

Malware hashes
302565aec2cd47bb6b62fa398144e0ad
f94385be79ed56ef77c961aa6d9eafbf
f6e8e1b239b66632fd77ac5edef7598d
a347d25ed2ee07cbfe4baaabc6ff768b
8921bf7c4ff825cb89099ddaa22c8cfd
674dec356cd9d8f24ef0f2ec73aaec88
3bb319214d83dfb8dc1f3c944fb06e3b
e20b5b300424fb1ea3c07a31f1279bde
826ab586b412d174b6abb78faa1f3737
42fca7968f6de3904225445312e4e985
5e255a512dd38ffc86a2a4f95c62c13f
3dcb43a83a53a965b40de316c1593bca
058368ede8f3b487768e1beb0070a4b8
e540076f48d7069bacb6d607f2d389d9
62b1e795a10bcd4412483a176df6bc77
699067ce203ab9893943905e5b76f106
39758da17265a07f2370cd04057ea749
11a00d29d583b66bedd8dfe728144850
f54c8a235c5cce30884f07b4a8351ebf
d5b63862b8328fb45c3dabdcdf070d0d
9ea2f8acddcd5ac32cfb45d5708b1e1e
bc42a09888de8b311f2e9ab0fc966c8c
948d32f3f12b8c7e47a6102ab968f705
c48cba5e50a58dcec3c57c5f7cc3332d
868781bcb4a4dcb1ed493cd353c9e9ab
658f47b30d545498e3895c5aa333ecb1
3c73f34e9119de7789f2c2b9d0ed0440
2b473f1f7c2b2b97f928c1fc497c0650
9dccb01facfbbb69429ef0faf4bc1bda
46cf06848e4d97fb3caa47c17cdd7a9e
4e8cbe3f2cf11d35827194fd016dbd7b
6eb17961e6b06f2472e4518589f66ab9
b4c8ff21441e99f8199b3a8d7e0a61b9
b0f49c2c29d3966125dd322a504799c6
4d0cbb45b47eb95a9d00aba9b0f7daad
ca78b173218ad8be863c7e00fec61f2f
18259503e5dfdf9f5c3fc98cdfac6b78
23108c347282ff101a2104bcf54204a8
0b074367862e1b0ae461900c8f8b81b6
76f9443edc9b71b2f2494cff6d4a26a8
89f2213a9a839af098e664aaa671111b

Phishing hashes
1d18df7ac9184fea0afe26981e57c6a7
57ab5f60198d311226cdc246598729ea

Additional references
http://cyber-peace.org/wp-content/uploads/2014/01/Cyberattack_against_Israeli_and_Palestinian_targets.pdf
https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html
https://github.com/kbandla/APTnotes/blob/master/2012/Cyberattack_against_Israeli_and_Palestinian_targets.pdf
http://pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html

Source: https://securelist.com/gaza-cybergang-wheres-your-ir-team/72283/