{
	"id": "0a657440-2d01-4bd8-8661-dcf5c4c348c0",
	"created_at": "2026-04-06T00:15:56.151519Z",
	"updated_at": "2026-04-10T03:38:03.397671Z",
	"deleted_at": null,
	"sha1_hash": "d41dd6180e8d6709c0ce1454fad5ae53da3d6977",
	"title": "APT Attack In the Middle East: The Big Bang - Check Point Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 929678,
	"plain_text": "APT Attack In the Middle East: The Big Bang - Check Point Research\r\nBy deugenio\r\nPublished: 2018-07-08 · Archived: 2026-04-02 10:34:20 UTC\r\nOver the last few weeks, the Check Point Threat Intelligence Team discovered the comeback of an APT\r\nsurveillance attack against institutions across the Middle East, specifically the Palestinian Authority.\r\nThe attack begins with a phishing email sent to targets that includes an attachment of a self-extracting archive\r\ncontaining two files: a Word document and a malicious executable. Posing as a document from the Palestinian Political and\r\nNational Guidance Commission, the Word document serves as a decoy, distracting victims while the malware is\r\ninstalled in the background.\r\nThe malware has several modules, some of which are:\r\nTaking a screenshot of the infected machine and sending it to the C\u0026C server.\r\nSending a list of documents with file extensions including .doc, .odt, .xls, .ppt, .pdf and more.\r\nLogging details about the system.\r\nRebooting the system.\r\nSelf-destructing the executable.\r\nWhile it is not clear exactly what the attacker is looking for, what is clear is that once he finds it, a second stage of\r\nthe attack awaits, fetching additional modules and/or malware from the Command and Control server. This then is\r\na surveillance attack in progress and has been dubbed ‘Big Bang’ due to the attacker’s fondness for the ‘Big Bang\r\nTheory’ TV show, after which some of the malware’s modules are named.\r\nA previous campaign of this APT group was uncovered by Talos in June 2017, and since then very little of this\r\noperation was seen in the wild. The Big Bang campaign described below incorporates improved capabilities and\r\noffensive infrastructure, and seems to be even more targeted.\r\nWhat’s New in Ramallah?\r\nThe first instances of the current campaign began to appear in the middle of April this year. 
But, thanks to the\r\nattackers’ known affection for decoy documents that pose as news summaries, we were able to date the campaign\r\nback to March 2018.\r\nThis campaign, as well as those in its previous form, uses phishing methods to deliver its reconnaissance stage\r\nmalware. But unlike in 2017, this time the malicious attachment is an executable which is actually a self-extracting archive, containing a decoy document and the malware itself. It is almost superfluous to mention that in\r\norder to give the file a legitimate look, the developers pinned it to a Word icon and called it “التقرير الإعلامي الشهري”\r\n(Monthly Press Report).\r\nhttps://research.checkpoint.com/apt-attack-middle-east-big-bang/\r\nPage 1 of 8\n\nWhen this file is double clicked, it opens a Word document with the logo of the Palestinian Political and National\r\nGuidance Commission. This document pretends to be a press report and contains news headlines that were\r\nactually copied from various Palestinian news websites.\r\nWhile the victim is distracted with the legitimate looking Word document, an additional executable which is\r\narchived alongside the decoy document is installed in the background.\r\nFigure 1: Screenshot of Word Document.\r\nAlthough the archive was found in mid-April, the Word document shows that it was last edited on March 29th,\r\n2018. This date is also mentioned in the document’s body and used as its title, “29-3.doc”. 
The metadata in the\r\ndocument shows that it was also titled “سيادة العقيد/ عصام أبو عوكل”, which happens to be the name of the Guidance\r\nCommission Office’s Chief Executive:\r\nThe naming convention and content of the file may indicate an attacker’s familiarity with the nature of the victim.\r\nAnalysis\r\nWhile the analysis below discloses the capabilities of the spotted malware, we are pretty sure it is part of a multi-staged attack that targets very specific victims. The malware below is part of the reconnaissance stage and should\r\nlead to the main course, whose nature is still unknown.\r\nAs for the malware’s language, during the 2017 campaign the group used a fairly unsophisticated malware,\r\ndubbed “Micropsia”, written in C++ and wrapped in Delphi. In this year’s campaign, the attackers use an\r\nupgraded variant of this malware, still written in C++ but wrapped as a self-extracting executable.\r\nThe Executable\r\nThe executable contained in the archive is called “DriverInstallerU.exe” but its metadata shows that its original\r\nname is “Interenet Assistant.exe”.\r\nOnce it is executed, the malware ensures its persistence by setting a mutex (“InterenetAssistantN”), copying itself\r\nto the “ProgramData” directory, and adding itself to the scheduled tasks.\r\nOnce secured, the malware communicates, by default, with a primary hardcoded command and control website\r\nthat varies in different samples (spgbotup[.]club). The APT actors hardcoded an additional backup C\u0026C website\r\n(lindamullins[.]info) that is contacted in case the malware does not get a response from the first website. 
This is\r\nlikely to be a mechanism that the threat actors implemented in order to handle cases in which they would have to\r\ngo through infrastructure changes.\r\nFigure 3: Two hardcoded Command and Control websites.\r\nOnce the sample is able to reach the main C\u0026C, the first thing it does is fingerprint the system (user and PC\r\nnames, OS version and AntiVirus engines), and exfiltrate the gathered information.\r\nFigure 4: Initial Beacon.\r\nFollowing this, a POST request is sent to the C\u0026C every once in a while (/api/serv/requests/[base64_fingerprint]),\r\nand in turn, the C\u0026C sends back a configuration file that turns on specific functionalities of the malware.\r\nFigure 5: C\u0026C Commands\r\nWhat is interesting is that each key in this configuration file represents a different module in the executable, and\r\nwhen the key is marked as true the executable will run the relevant module’s content. In addition, the names of\r\nthose modules are taken from the popular sitcom, ‘The Big Bang Theory’, in addition to actors’ names from the\r\npopular Turkish TV series ‘Resurrection: Ertugrul’ (Celal Al, Sonmez and Gokhan).\r\nIn the configuration file we found thirteen keys for thirteen different modules. However, in our samples we could\r\nfind only five corresponding modules. This could mean that this campaign is evolving and that there will likely be\r\nmore samples in the future that will implement the missing parts.\r\nThe following table describes the role of each module (module name, followed by its purpose):\r\nPenny: Takes a screenshot of the infected machine and sends it to the server\r\nWolowitz_Helberg: Enumerates running processes, saves their names and their IDs in “sat.txt” and sends\r\nthe file to the server\r\nCelal_Al: Sends a list of documents with certain extensions. 
The extensions are: doc, docx, odt,\r\nxls, xlsx, ppt, pptx, accdb, accde, mdb, pdf, csv\r\nRunfile: Runs a file; receives a process name and a file type from the server\r\nNayyar_Sonmez: Downloads a file with a ‘.txt’ extension from a given URL, changes the extension to\r\n‘.exe’ and runs it\r\nKoothrappali: Logs details about the system and sends them to the server\r\nBialik_Gokhan: Reboots the system\r\nHofstadter: Terminates a process by name\r\nParsons_Sheldon: Deletes the payload from the startup folder and deletes the actual file\r\nReshad_Strik: Sends a list of the partitions found on the infected machine\r\nPinar8: No such module in our sample\r\nMehmet7: No such module in our sample\r\nBahar6: No such module in our sample\r\nIt is important to note that unlike RATs that try to keylog the infected system and harvest credentials, this sample\r\nshows the irregular behavior of looking for Microsoft Office documents on the victim’s machine, or enumerating\r\npartitions. In addition, the file has the capability of downloading and running another executable.\r\nAfter reviewing all the malware functionalities, we are confident in saying that the attackers look for victims who\r\nmatch well-defined characteristics and believe that further stages of the attack are delivered only to those who fit\r\nthe specific victim profile.\r\nThe Attacker’s English Level\r\nThe typo in the file’s name (Interenet Assistant) helped us find another executable with the same name that is\r\nalmost identical to the original one. In addition, using the communication pattern we were able to find another\r\nsample called “DriverInstallerU”. In this sample, however, the module names were changed from actors and\r\ncharacters’ names to car models, namely “BMW_x1”, “BMW_x2” and up to “BMW_x8”.\r\nBut typos are not the only English mistakes of this APT group. 
Grammatically incorrect phrases on the C2 websites also\r\nassisted in uncovering the operation’s infrastructure.\r\nUnlike what is generally expected from a C\u0026C, browsing the websites actually returns the following response:\r\nWebsites related to this campaign use readymade Bootstrap templates, but include unique and grammatically\r\nincorrect strings such as “Probably the most Music Site in the world!”, and “contact@namylufy[.]com” in some\r\nof the websites.\r\nThose strings helped us find other websites that use the same template, and while they could not be linked to\r\nspecific malware samples, it is possible that they will be used in the future.\r\nLooking Back\r\nWhile the APT has gone through significant upgrades over the past year, the conductors of these campaigns\r\nmaintained evident fingerprints, both in the delivery methods and malware development conventions. These\r\nunique traces assisted us in correlating the current wave to past attacks, and may also have some resemblance to\r\nattacks related to the Gaza Cybergang APT group.\r\nDuring our investigation we spotted three instances of the renewed operation, but unique artifacts in the command\r\nand control website revealed a wider infrastructure that may well manage more unknown samples.\r\nIn addition, the concept of using self-extracting archives and decoy documents is not groundbreaking or new, as\r\nwe have seen similar attacks being carried out in the past by the Gaza Cybergang APT group.\r\nThere were, however, many similarities between the samples we found and the ones which were found during the\r\n2017 campaign, such as the usage of actor and character names from renowned TV series, as well as\r\nfingerprinting the system and sending the information to the C\u0026C. 
According to Talos, those files were distributed\r\nto victims in the Palestinian law enforcement agencies during 2017.\r\nHowever, in 2017 the group used an executable wrapped in Delphi, whereas the sample we found uses a self-extracting archive. Both of the above open a document as well as another executable (written in C++) when they\r\nare double clicked.\r\nFinally, the C\u0026C communication has also been improved in the recent campaign, as backup domains did not\r\nappear in the old ones. In addition, the newer malware strain has stronger capabilities and a wider functionality\r\nthan the older one, which would only send information about the system version.\r\nConclusion\r\nWith the experience gained from the APT attack that began in March 2017, it seems this campaign has evolved\r\ninto an attack with new capabilities, and an even more specific target, over a year later.\r\nAlthough the group behind it seems to be focused on carefully selecting their victims, using a custom-made info-stealer for intelligence gathering operations, due to its very nature it is difficult to assert what the ultimate goal of\r\nthis campaign is. Indeed, the next stages of the attack may even still be in the works, not yet deployed or only\r\ndeployed to a select few victims.\r\nIn addition, although the clear fingerprints of the perpetrators leave no doubt we are witnessing the comeback of\r\nthe same APT, it is still not yet confirmed exactly who the threat group behind this campaign actually is. 
As no\r\nconcrete attribution has yet been made, due to the shared interests and malware features of both 2017 and 2018\r\ncampaigns, the Gaza Cybergang may be a good starting point for further research.\r\nIndicators of Compromise\r\nSource: https://research.checkpoint.com/apt-attack-middle-east-big-bang/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://research.checkpoint.com/apt-attack-middle-east-big-bang/"
	],
	"report_names": [
		"apt-attack-middle-east-big-bang"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9198aefa-3da6-4605-bb52-923df20a7fce",
			"created_at": "2023-01-06T13:46:38.766848Z",
			"updated_at": "2026-04-10T02:00:03.093153Z",
			"deleted_at": null,
			"main_name": "The Big Bang",
			"aliases": [],
			"source_name": "MISPGALAXY:The Big Bang",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0c502f6d-640d-4e69-bfb8-328ba6540d4f",
			"created_at": "2022-10-25T15:50:23.756782Z",
			"updated_at": "2026-04-10T02:00:05.324924Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Molerats",
				"Operation Molerats",
				"Gaza Cybergang"
			],
			"source_name": "MITRE:Molerats",
			"tools": [
				"MoleNet",
				"DustySky",
				"DropBook",
				"SharpStage",
				"PoisonIvy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1162e0d4-b69c-423d-a4da-f3080d1d2b0c",
			"created_at": "2023-01-06T13:46:38.508262Z",
			"updated_at": "2026-04-10T02:00:03.006018Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Gaza Cybergang",
				"Operation Molerats",
				"Extreme Jackal",
				"ALUMINUM SARATOGA",
				"G0021",
				"BLACKSTEM",
				"Gaza Hackers Team",
				"Gaza cybergang"
			],
			"source_name": "MISPGALAXY:Molerats",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f7d9b02d-d294-422b-adf7-4b3adfac9d9a",
			"created_at": "2022-10-25T16:07:23.392241Z",
			"updated_at": "2026-04-10T02:00:04.577887Z",
			"deleted_at": null,
			"main_name": "The Big Bang",
			"aliases": [],
			"source_name": "ETDA:The Big Bang",
			"tools": [
				"Micropsia"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "847f600c-cf90-44c0-8b39-fb0d5adfcef4",
			"created_at": "2022-10-25T16:07:23.875541Z",
			"updated_at": "2026-04-10T02:00:04.768142Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"ATK 89",
				"Aluminum Saratoga",
				"Extreme Jackal",
				"G0021",
				"Gaza Cybergang",
				"Gaza Hackers Team",
				"Molerats",
				"Operation DustySky",
				"Operation DustySky Part 2",
				"Operation Molerats",
				"Operation Moonlight",
				"Operation SneakyPastes",
				"Operation TopHat",
				"TA402",
				"TAG-CT5"
			],
			"source_name": "ETDA:Molerats",
			"tools": [
				"BadPatch",
				"Bladabindi",
				"BrittleBush",
				"Chymine",
				"CinaRAT",
				"Darkmoon",
				"Downeks",
				"DropBook",
				"DustySky",
				"ExtRat",
				"Gen:Trojan.Heur.PT",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"IronWind",
				"Jenxcus",
				"JhoneRAT",
				"Jorik",
				"KasperAgent",
				"Kognito",
				"LastConn",
				"Micropsia",
				"MoleNet",
				"Molerat Loader",
				"NeD Worm",
				"NimbleMamba",
				"Njw0rm",
				"Pierogi",
				"Poison Ivy",
				"Quasar RAT",
				"QuasarRAT",
				"SPIVY",
				"Scote",
				"SharpSploit",
				"SharpStage",
				"WSHRAT",
				"WelcomeChat",
				"Xtreme RAT",
				"XtremeRAT",
				"Yggdrasil",
				"dinihou",
				"dunihi",
				"njRAT",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434556,
	"ts_updated_at": 1775792283,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d41dd6180e8d6709c0ce1454fad5ae53da3d6977.pdf",
		"text": "https://archive.orkl.eu/d41dd6180e8d6709c0ce1454fad5ae53da3d6977.txt",
		"img": "https://archive.orkl.eu/d41dd6180e8d6709c0ce1454fad5ae53da3d6977.jpg"
	}
}