
Digital safety starts here for both commercial and personal use...

Defend Your Business Against the Latest WNY Cyber Threats

We offer Safe, Secure and Affordable Solutions for your Business and Personal Networks and Devices.



WNYCyber is there to help you choose the best service providers in Western New York... We DO NOT provide the services ourselves, as we are Internet Programmers who have to deal daily with Cyber Threats... (Ugghhh)... So we know what it's like and what it takes to protect OUR and OUR CUSTOMERS' DATA... We built this Website to help steer you to those that can give you the best service at realistic and non-inflated prices. We do charge or collect any fees.

New Pierogi++ Malware by Gaza Cyber Gang Targeting Palestinian Entities

Cyber Threat Summary:
Researchers at SentinelOne have uncovered an updated version of a backdoor dubbed Pierogi which is being used by the Gaza Cyber Gang, a pro-Hamas threat actor, to target Palestinian entities. The new variant, referred to as Pierogi++, is written in the C++ programming language. Similar to its predecessor, Pierogi++ is designed to take screenshots, execute commands, and download other payloads. One notable difference between the two strains is that Pierogi++ samples use the strings ‘download’ and ‘screen’ when handling backdoor commands while Pierogi samples use the Ukrainian strings ‘vydalyty’, ‘Zavantazhyty’, and ‘Ekspertyza.’ The reason for this change in strings is unclear. Researchers suspect that there was external involvement in Pierogi’s initial development.

Analyst Comments:
Pierogi++ is being distributed using decoy documents written in Arabic or English, pertaining to matters of interest to Palestinians. This is not the first time that the Gaza Cybergang has targeted Palestinian entities, with activities spanning from late 2021 to late 2023. Just recently, the group was linked to attacks employing malware variants of Micropsia and Arid Gopher implants as well as a new initial access downloader dubbed IronWind. The latest deployment of Pierogi++ indicates that this group is continuously updating its toolkit, enabling it to launch successful attacks.

Suggested Correction(s):
SentinelOne has released Indicators of Compromise related to this activity which can be used for detection purposes:
https://www.sentinelone.com/labs/gaza-cybergang-unified-front-targeting-hamas-opposition/

Organizations should also be on the lookout for malicious links or attachments from unknown senders, as the Gaza Cyber Gang is known for using such lures to target potential victims.

Link(s):
https://thehackernews.com/2023/12/new-pierogi-malware-by-gaza-cyber-gang.html