New Backdoors Used by Hamas-Linked Hackers Abuse Facebook, Dropbox
The threat actor group referred to as Extreme Jackal, Gaza Hackers Team, Gaza Cybergang, and Moonlight has been active since 2012 and mainly focused on conducting cyberattacks against targets in the Middle East. The group has allegedly been using two malware families, Spark and Pierogi alongside two new backdoors named ShartStage and Dropbook. The threat actor group has also been increasingly expanding its target list to include insurance and retail industries whereas they previously targeted government and telecommunications organizations.
The malware families, SharpStage and DropBook, allow the attackers to run arbitrary code and collect data from infected machines. The backdoors have been used in a recent espionage campaign that is actively targeting Arabic speakers located in the Middle East. The intriguing trait of these new backdoors is the use of legitimate online services for malicious purposes. DropBook is used by the APT group for data exfiltration and to store espionage tools, however, DropBook provides legitimate services as well. The hackers also abuse Google Drive for payload storage, a tool used to file digital paperwork or store information.