Wednesday, April 23, 2025
HomeMalwareWIRTE’s Hacker Group Uses Weaponized MS Excel Droppers To Attack High Profile...

WIRTE’s Hacker Group Uses Weaponized MS Excel Droppers To Attack High Profile Targets

Published on

SIEM as a Service

Follow Us on Google News

A state-sponsored hacking group, WIRTE has been active since at least 2019 that targets high-profile public and private entities in the Middle East using weaponized MS Excel 4.0 macros as droppers.

The cyber security researchers at Kaspersky have closely investigated the following things to know the motives of WIRTE:-

  • Campaign
  • Toolset
  • Methods

But, after analyzing the above things they have concluded that the motives of WIRTE are still not clear, but, it has been reported that with the Gaza Cybergang threat actors WIRTE group has some links.

- Advertisement - Google News

Tricky dropper

And not only that even they have also observed targets in other regions apart from the Middle East. While as compared to other hacking groups, WIRTE has superior skills like:-

  • Better OpSec
  • Better stealthy techniques
  • Better evasion
  • Better persistence

On recipients’ devices the hackers from WIRTE hacking group download and install malware payloads by executing the MS Excel macros that are sent via phishing emails.

Initially, in a hidden column, the Excel dropper runs a series of formulas to enable the editing request. Later, the third spreadsheet with hidden columns runs the dropper and checks the following anti-sandbox checks that we have mentioned below:-

  • Get the name of the environment
  • Check if a mouse is present
  • Check if the host computer can play sounds

Targets

The primary focus of the WIRTE:-

  • Government entities
  • Diplomatic entities
  • Financial institutions
  • Law firms
  • Military organizations
  • Technology companies

Actions

During the investigation process, the experts have observed several commands and actions that we have mentioned below:-

  • List local disk drives
  • Get the list of installed AV software
  • Check if the current user is an admin
  • Get OS architecture
  • Check for the existence of backdoor services
  • Check for registry keys added for COM hijacking
  • List all installed hotfixes
  • Get a screenshot and save it to %AppData% until the next POST request

Hidden command and control

To hide the actual IP addresses the hackers place their C2 domains behind Cloudflare. However, the security analysts at Kaspersky have managed to identify some that are hosted in the following countries:-

  • Ukraine
  • Estonia

But, the threat actors have used TCP ports 2096 and 2087 along with TCP/443 over HTTPS in C2 communication for their most recent intrusions.

Apart from this, the most serious thing about their actions is that WIRTE hacking group is expanding its targeting scope to several organizations including financial institutes and large private organizations.

That’s why as a recommendation the analysts have strongly recommended organizations to stay alert and develop their security practices to mitigate such situations.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Hackers Exploit Cloudflare Tunnel Infrastructure to Deploy Multiple Remote Access Trojans

The Sekoia TDR (Threat Detection & Research) team has reported on a sophisticated network...

Threat Actors Leverage npm and PyPI with Impersonated Dev Tools for Credential Theft

The Socket Threat Research Team has unearthed a trio of malicious packages, two hosted...

Hackers Exploit Legitimate Microsoft Utility to Deliver Malicious DLL Payload

Hackers are now exploiting a legitimate Microsoft utility, mavinject.exe, to inject malicious DLLs into...

Cybercriminals Exploit Network Edge Devices to Infiltrate SMBs

Small and midsized businesses (SMBs) continue to be prime targets for cybercriminals, with network...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Latest Lumma InfoStealer Variant Found Using Code Flow Obfuscation

Researchers have uncovered a sophisticated new variant of the notorious Lumma InfoStealer malware, employing...

North Korean IT Workers Use Real-Time Deepfakes to Infiltrate Organizations Through Remote Jobs

A division of Palo Alto Networks, have revealed a sophisticated scheme by North Korean...

Hackers Claim to Sell ‘Baldwin Killer’ Malware That Evades AV and EDR

A notorious threat actor has allegedly begun selling “Baldwin Killer,” a sophisticated malware toolkit...