WIRTE is a threat group that has been active since at least August 2018. Security researchers report that WIRTE has continued to target organizations in the Middle East and Europe, including diplomatic, government, military, financial and technology organizations as well as law firms.
WIRTE has been observed sending spear-phishing emails that carry malware-laden Microsoft Excel or Word documents. The Excel droppers rely on Excel 4.0 (XLM) macros rather than VBA: formulas placed in hidden spreadsheets or hidden cells execute macro 4.0 commands that drop the first-stage component. The Word droppers use VBA macros for the same purpose.
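The combination described above (an Excel 4.0 macro sheet that is hidden, with formulas that spawn a process) can be triaged without opening the document in Excel, because an .xlsx/.xlsm file is a ZIP of XML parts: macro sheets live under `xl/macrosheets/`, sheet visibility is the `state` attribute in `xl/workbook.xml`, and an embedded VBA project is `xl/vbaProject.bin`. The following is an added example, not code from the original page or from any WIRTE sample analysis; the workbook it inspects is constructed in memory for demonstration, and the `SUSPICIOUS_XLM` token list is an assumption covering the XLM functions most often used to launch a payload.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# Excel 4.0 (XLM) macro functions that launch processes or load native code
# (assumed watch-list for this example; extend as needed).
SUSPICIOUS_XLM = ("EXEC(", "CALL(", "REGISTER(", "RUN(", "FORMULA.FILL(")


def inspect_workbook(data: bytes) -> dict:
    """Triage an OOXML workbook (.xlsx/.xlsm) held in memory.

    Returns hidden/veryHidden sheet names, Excel 4.0 macro sheet parts,
    whether a VBA project is embedded, and XLM formulas matching
    SUSPICIOUS_XLM. No formula is ever evaluated.
    """
    findings = {"hidden_sheets": [], "macrosheets": [], "vba": False, "suspicious_formulas": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        findings["vba"] = "xl/vbaProject.bin" in names
        findings["macrosheets"] = sorted(
            n for n in names if n.startswith("xl/macrosheets/") and n.endswith(".xml")
        )
        if "xl/workbook.xml" in names:
            wb = ET.fromstring(zf.read("xl/workbook.xml"))
            for sheet in wb.iter(f"{{{NS_MAIN}}}sheet"):
                state = sheet.get("state", "visible")  # visible | hidden | veryHidden
                if state != "visible":
                    findings["hidden_sheets"].append((sheet.get("name"), state))
        for part in findings["macrosheets"]:
            ms = ET.fromstring(zf.read(part))
            for f in ms.iter(f"{{{NS_MAIN}}}f"):  # <f> holds a cell formula
                formula = (f.text or "").strip()
                if any(tok in formula.upper() for tok in SUSPICIOUS_XLM):
                    findings["suspicious_formulas"].append((part, formula))
    return findings


def is_xlm_dropper_candidate(findings: dict) -> bool:
    """True when XLM macro sheets exist and are hidden or carry process-spawning formulas."""
    return bool(findings["macrosheets"]) and bool(
        findings["hidden_sheets"] or findings["suspicious_formulas"]
    )


def build_sample_workbook() -> bytes:
    """Constructed sample (not a real WIRTE document): a visible 'Invoice' sheet plus
    a veryHidden Excel 4.0 macro sheet whose first cell calls EXEC()."""
    workbook_xml = f'''<?xml version="1.0" encoding="UTF-8"?>
<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_REL}">
  <sheets>
    <sheet name="Invoice" sheetId="1" r:id="rId1"/>
    <sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>
  </sheets>
</workbook>'''
    macrosheet_xml = f'''<?xml version="1.0" encoding="UTF-8"?>
<macrosheet xmlns="{NS_MAIN}">
  <sheetData>
    <row r="1"><c r="A1"><f>EXEC("cmd.exe /c whoami")</f></c></row>
    <row r="2"><c r="A2"><f>HALT()</f></c></row>
  </sheetData>
</macrosheet>'''
    worksheet_xml = f'<worksheet xmlns="{NS_MAIN}"><sheetData/></worksheet>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook_xml)
        zf.writestr("xl/worksheets/sheet1.xml", worksheet_xml)
        zf.writestr("xl/macrosheets/sheet1.xml", macrosheet_xml)
    return buf.getvalue()


if __name__ == "__main__":
    result = inspect_workbook(build_sample_workbook())
    print(result)
    print("XLM dropper candidate:", is_xlm_dropper_candidate(result))
```

The check is deliberately static: it never evaluates a formula, so obfuscated XLM (formulas assembled at run time from `CHAR()` calls, for instance) will show up only as hidden macro sheets, not as matched tokens. Treat any hidden macro sheet as worth a closer look with a dedicated XLM emulator, and remember that a legacy .xls (BIFF) file stores the same macro sheets in a different container that this ZIP-based parser does not handle.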
A dropper is a specialized program designed to write files to the endpoint so that it can install malicious programs. Droppers facilitate the delivery and installation of malware and are often used by threat actors to evade the signature-based detection that antivirus programs rely on to block malicious code. The logic is simple: if the dropper is flagged as malicious, it takes far less effort to rewrite the dropper than to rewrite the more sophisticated payload it delivers.
Security researchers have documented WIRTE's use of a dropper they named Ferocious. The Excel droppers run their Excel 4.0 macros to drop and install Ferocious on the target's endpoint, while the Word document droppers use Visual Basic for Applications (VBA) macros to deliver the same component. Ferocious, in turn, launches a PowerShell script named LitePower, which serves as the implant.
The Ferocious dropper achieves persistence with a living-off-the-land technique called COM hijacking. Living-off-the-land attacks use inherently non-malicious tools and mechanisms already present in the targeted environment. COM hijacking abuses the order in which Windows resolves COM class registrations: per-user entries under HKCU\Software\Classes\CLSID are consulted before the machine-wide entries under HKLM\Software\Classes\CLSID, so malware that can write only to the current user's hive can register a malicious user-specific server for a CLSID that a legitimate process loads. That server replaces the benign system-wide object for that user, and no administrator rights are required.
An analysis of the tactics, techniques, and procedures (TTPs) of WIRTE in one campaign has suggested to security researchers that the WIRTE group might have connections to another politically motivated collective called the Gaza Cybergang. The affected entities are spread across Armenia, Cyprus, Egypt, Jordan, Lebanon, Palestine, Syria, and Turkey.
WIRTE has not yet gained broad visibility among security analysts, but it does have a MITRE ATT&CK group profile, which cites these two sources: (1) S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019. (2) Yamout, M. (2021, November 29). WIRTE's campaign in the Middle East 'living off the land' since at least 2019.