Pulse Detail — Threat Intelligence

PULSE NAME

Gaza cybergang

WHITE AlienVault 2015-09-28 Modified: 2015-09-28

104

IOCs

HIGH VOLUME

Gaza cybergang is a politically motivated Arabic cybercriminal group operating in the MENA (Middle East North Africa) region, mainly Egypt, United Arab Emirates and Yemen. The group has been operating since 2012 and became particularly active in Q2 2015. One interesting new fact about Gaza cybergang activities is that they are actively sending malware files to IT (Information Technology) and IR (Incident Response) staff; this is also obvious from the file names they are sending to victims, which reflect the IT functions or IR tools used in cyber attack investigations. IT people are known for having more access and permissions inside their organizations than other employees, mainly because they need to manage and operate the infrastructure. This is why getting access to their devices could be worth a lot more than for a normal user.

Indicators of Compromise (104)

All domain hostname FileHash-MD5

TYPE	INDICATOR	DESCRIPTION	CREATED
domain	downloadskype.cf	—	2015-09-28
domain	cbbnews.tk	—	2015-09-28
domain	store-legal.biz	—	2015-09-28
domain	chromeupdt.tk	—	2015-09-28
hostname	depka.sytes.net	—	2015-09-28
hostname	live.isasecret.com	—	2015-09-28
hostname	bandao.publicvm.com	—	2015-09-28
hostname	redirectlnk.redirectme.net	—	2015-09-28
hostname	updatee.serveblog.net	—	2015-09-28
hostname	ns2.negociosdesucesso.info	—	2015-09-28
hostname	gov.uae.kim	—	2015-09-28
hostname	ksm5sksm5sksm5s.zzux.com	—	2015-09-28
hostname	downloadmyhost.zapto.org	—	2015-09-28
hostname	googlecombq6xx.ddns.net	—	2015-09-28
hostname	wallanews.sytes.net	—	2015-09-28
hostname	safar.selfip.com	—	2015-09-28
hostname	webfile.myq-see.com	—	2015-09-28
hostname	offeline.webhop.net	—	2015-09-28
hostname	rgoyfuadvkebxhjm.ddns.net	—	2015-09-28
hostname	su.noip.us	—	2015-09-28
hostname	goodday.zapto.org	—	2015-09-28
hostname	deapka.sytes.net	—	2015-09-28
hostname	nazer.zapto.org	—	2015-09-28
hostname	up.uae.kim	—	2015-09-28
hostname	kaliob.selfip.org	—	2015-09-28
hostname	mp4.servemp3.com	—	2015-09-28
hostname	safari.linkpc.net	—	2015-09-28
hostname	backop.mooo.com	—	2015-09-28
hostname	rotter2.sytes.net	—	2015-09-28
hostname	lilian.redirectme.net	—	2015-09-28
hostname	backjadwer.bounceme.net	—	2015-09-28
hostname	bypasstesting.servehalflife.com	—	2015-09-28
hostname	downloadlog.linkpc.net	—	2015-09-28
hostname	cyber18.no-ip.net	—	2015-09-28
hostname	test.cable-modem.org	—	2015-09-28
hostname	noredirecto.redirectme.net	—	2015-09-28
hostname	google.com.r3irv2ykn0qnd7vr7sqv7kg2qho3ab5tngl5avxi5iimz1jxw9pa9.uae.kim	—	2015-09-28
hostname	wallanews.publicvm.com	—	2015-09-28
hostname	tango.zapto.org	—	2015-09-28
hostname	internetdownloadr.publicvm.com	—	2015-09-28
hostname	update.ciscofreak.com	—	2015-09-28
hostname	updato.ns01.info	—	2015-09-28
hostname	test.ns01.info	—	2015-09-28
hostname	ynet.ignorelist.com	—	2015-09-28
hostname	tvnew.otzo.com	—	2015-09-28
hostname	use.mooo.com	—	2015-09-28
hostname	safara.sytes.net	—	2015-09-28
hostname	removalmalware.servecounterstrike.com	—	2015-09-28
hostname	uptime.uae.kim	—	2015-09-28
hostname	fatihah.zapto.org	—	2015-09-28
hostname	help2014.linkpc.net	—	2015-09-28
hostname	dnsfor.dnsfor.me	—	2015-09-28
hostname	gaonsmom.redirectme.net	—	2015-09-28
hostname	thenewupdate.chickenkiller.com	—	2015-09-28
hostname	cnaci8gyolttkgmguzog.ignorelist.com	—	2015-09-28
hostname	mailchat.zapto.org	—	2015-09-28
hostname	ynet.sytes.net	—	2015-09-28
hostname	ajaxo.zapto.org	—	2015-09-28
hostname	kaswer12.strangled.net	—	2015-09-28
hostname	natco1.no-ip.net	—	2015-09-28
hostname	justded.justdied.com	—	2015-09-28
hostname	thenewupdatee.redirectme.net	—	2015-09-28
hostname	kolabdown.sytes.net	—	2015-09-28
hostname	cccam.serveblog.net	—	2015-09-28
hostname	wcf6f0nqvjtup4un.mooo.com	—	2015-09-28
hostname	duntat.zapto.org	—	2015-09-28
hostname	lastmoon.mooo.com	—	2015-09-28
hostname	spreng.vizvaz.com	—	2015-09-28
hostname	updatee.hopto.org	—	2015-09-28
hostname	nrehcnthrtfmyi.strangled.net	—	2015-09-28
hostname	httpo.sytes.net	—	2015-09-28
hostname	natco3.no-ip.net	—	2015-09-28
hostname	download.likescandy.com	—	2015-09-28
hostname	haartezenglish.strangled.net	—	2015-09-28
hostname	natco5.no-ip.net	—	2015-09-28
hostname	testcom.strangled.net	—	2015-09-28
hostname	orango.redirectme.net	—	2015-09-28
hostname	haartezenglish.redirectme.net	—	2015-09-28
hostname	rotter2.publicvm.com	—	2015-09-28
hostname	gq4bp1baxfiblzqk.mrbasic.com	—	2015-09-28
hostname	fastbingcom.sytes.net	—	2015-09-28
FileHash-MD5	4d0cbb45b47eb95a9d00aba9b0f7daad	—	2015-09-28
FileHash-MD5	62b1e795a10bcd4412483a176df6bc77	—	2015-09-28
FileHash-MD5	57ab5f60198d311226cdc246598729ea	—	2015-09-28
FileHash-MD5	39758da17265a07f2370cd04057ea749	—	2015-09-28
FileHash-MD5	1d18df7ac9184fea0afe26981e57c6a7	—	2015-09-28
FileHash-MD5	948d32f3f12b8c7e47a6102ab968f705	—	2015-09-28
FileHash-MD5	b4c8ff21441e99f8199b3a8d7e0a61b9	—	2015-09-28
FileHash-MD5	9ea2f8acddcd5ac32cfb45d5708b1e1e	—	2015-09-28
FileHash-MD5	9dccb01facfbbb69429ef0faf4bc1bda	—	2015-09-28
FileHash-MD5	4e8cbe3f2cf11d35827194fd016dbd7b	—	2015-09-28
FileHash-MD5	18259503e5dfdf9f5c3fc98cdfac6b78	—	2015-09-28
FileHash-MD5	058368ede8f3b487768e1beb0070a4b8	—	2015-09-28
FileHash-MD5	f54c8a235c5cce30884f07b4a8351ebf	—	2015-09-28
FileHash-MD5	8921bf7c4ff825cb89099ddaa22c8cfd	—	2015-09-28
FileHash-MD5	868781bcb4a4dcb1ed493cd353c9e9ab	—	2015-09-28
FileHash-MD5	826ab586b412d174b6abb78faa1f3737	—	2015-09-28
FileHash-MD5	3bb319214d83dfb8dc1f3c944fb06e3b	—	2015-09-28
FileHash-MD5	302565aec2cd47bb6b62fa398144e0ad	—	2015-09-28
FileHash-MD5	3c73f34e9119de7789f2c2b9d0ed0440	—	2015-09-28
FileHash-MD5	0b074367862e1b0ae461900c8f8b81b6	—	2015-09-28
FileHash-MD5	5e255a512dd38ffc86a2a4f95c62c13f	—	2015-09-28
FileHash-MD5	89f2213a9a839af098e664aaa671111b	—	2015-09-28
FileHash-MD5	f6e8e1b239b66632fd77ac5edef7598d	—	2015-09-28

References (1)

↗ https://securelist.com/blog/research/72283/gaza-cybergang-wheres-your-ir-team/