Privacy Ninja

Stealthy WIRTE Hackers Target Governments in the Middle East

A stealthy hacking group named WIRTE has been linked to a government-targeting campaign that has been conducting attacks since at least 2019 using malicious Excel 4.0 (XLM) macros.

The primary targeting scope includes high-profile public and private entities in the Middle East, but researchers also observed targets in other regions.

Kaspersky analyzed the campaign, toolset, and methods, and concluded with low confidence that WIRTE has pro-Palestinian motives and is suspected to be part of the 'Gaza Cybergang'.

However, compared to the other groups affiliated with it, WIRTE has better OpSec and stealthier techniques, and it has been able to avoid detection for long periods.


Tricky dropper execution flow

WIRTE’s phishing emails carry Excel documents that execute malicious macros to download and install malware payloads on recipients’ devices.

While the main focus of WIRTE’s attacks is government and diplomatic entities, Kaspersky has seen these attacks targeting a wide variety of industries throughout the Middle East and other regions.

“Our telemetry indicates that the threat actor has targeted a variety of verticals, including diplomatic and financial institutions, government, law firms, military organizations, and technology companies,” explained Kaspersky’s report.

“The affected entities are located in Armenia, Cyprus, Egypt, Jordan, Lebanon, Palestine, Syria, and Turkey.”

The malicious documents are tailored to raise the interest of the targeted victim, and use logos and themes that mimic brands, authorities, or the targeted organization.

Phishing documents sent to victims (Source: Kaspersky)

The Excel dropper first runs a series of formulas in a hidden column, which hides the “enable editing” request from the original file and unhides a secondary spreadsheet that contains the decoy.

The dropper then runs formulas from a third spreadsheet with hidden columns, which perform the following three anti-sandbox checks:

  1. Get the name of the environment
  2. Check if a mouse is present
  3. Check if the host computer can play sounds

If all the checks are passed, the macro writes a VBS script that writes an embedded PowerShell snippet and two registry keys for persistence.
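
The three checks above are the standard Excel 4.0 macro sandbox gate: GET.WORKSPACE(1) returns the environment name, GET.WORKSPACE(19) is TRUE when a mouse is present and GET.WORKSPACE(42) is TRUE when the machine can play sounds. The following Python is an added example, not code from the Kaspersky report or from this page, that scans an extracted XLM formula dump for that gate. It assumes the formulas have already been pulled out of the workbook with a tool such as olevba or XLMMacroDeobfuscator, and the sample dump is constructed for illustration, not taken from a WIRTE document.

```python
import re
from dataclasses import dataclass

# GET.WORKSPACE() argument numbers from the Excel 4.0 macro function
# reference that malware uses as sandbox/analysis checks. 1, 19 and 42
# are the three checks the report describes; 13, 14 and 31 (window size
# and single-step mode) belong to the same family and are worth flagging.
WORKSPACE_CHECKS = {
    1: "environment name (OS / Excel version string)",
    13: "usable workspace width",
    14: "usable workspace height",
    19: "mouse present",
    31: "macro running in single-step (debug) mode",
    42: "computer can play sounds",
}

GET_WORKSPACE_RE = re.compile(r"GET\.WORKSPACE\(\s*(\d+)\s*\)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    sheet: str
    cell: str
    arg: int
    meaning: str


def scan_xlm_formulas(formulas):
    """formulas: iterable of (sheet, cell, formula_text) as produced by an
    XLM extractor. Returns every GET.WORKSPACE() environment check found,
    in the order the cells were given."""
    findings = []
    for sheet, cell, formula in formulas:
        for m in GET_WORKSPACE_RE.finditer(formula):
            arg = int(m.group(1))
            if arg in WORKSPACE_CHECKS:
                findings.append(Finding(sheet, cell, arg, WORKSPACE_CHECKS[arg]))
    return findings


def verdict(findings):
    """A macro that gates on environment name, mouse and sound together is
    doing sandbox evasion; legitimate XLM automation has no reason to."""
    args = {f.arg for f in findings}
    if {1, 19, 42} <= args:
        return "sandbox-evasion (environment/mouse/sound gate)"
    if args:
        return "suspicious environment probing"
    return "no GET.WORKSPACE checks"


# Constructed sample dump in the shape an XLM extractor prints after
# decoding a macro sheet (hypothetical cells, not a real WIRTE document).
SAMPLE = [
    ("Macro1", "A1", '=IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),GOTO(A2),CLOSE(FALSE))'),
    ("Macro1", "A2", "=IF(GET.WORKSPACE(19),GOTO(A3),CLOSE(FALSE))"),
    ("Macro1", "A3", "=IF(GET.WORKSPACE(42),GOTO(A4),CLOSE(FALSE))"),
    ("Macro1", "A4", r'=FOPEN("C:\ProgramData\stage.vbs",3)'),
    ("Sheet1", "B2", "=SUM(B3:B9)"),
]

if __name__ == "__main__":
    hits = scan_xlm_formulas(SAMPLE)
    for h in hits:
        print(f"{h.sheet}!{h.cell}: GET.WORKSPACE({h.arg}) -> {h.meaning}")
    print("verdict:", verdict(hits))
```

The regex is deliberately loose about whitespace and case because XLM extractors differ in how they print formulas; the numeric argument is the only thing that matters for the check, and the sheet/cell pair tells the analyst where to look in the hidden macro sheet.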


Adding the two registry keys (Source: Kaspersky)

The VBS script then writes the embedded PowerShell snippet to %ProgramData%. This snippet is the ‘LitePower’ stager, which downloads payloads and receives commands from the C2.
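
The execution chain described so far, Excel launching a VBS script that in turn launches PowerShell from %ProgramData%, is visible in process-creation telemetry regardless of how the macro itself is obfuscated. The following Python is an added example, not from the Kaspersky report or this page, that walks a set of process-creation events (the fields Sysmon Event ID 1 or EDR logs provide) and flags PowerShell whose ancestry runs through a script host back to an Office application. The events, paths and file names are constructed for illustration; the real WIRTE file names are not given on this page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable name, e.g. "excel.exe"
    cmdline: str


@dataclass(frozen=True)
class Alert:
    pid: int
    chain: tuple    # image names from the flagged process up to its root
    reasons: tuple


OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def _ancestry(by_pid, pid, max_depth=10):
    """Return [process, parent, grandparent, ...] stopping at an unknown
    parent or at max_depth (guards against PID reuse loops)."""
    chain, cur = [], by_pid.get(pid)
    while cur is not None and len(chain) < max_depth:
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def detect_office_script_chain(events):
    """Flag PowerShell processes whose ancestry is Office -> script host ->
    PowerShell, and enrich the alert with command-line indicators."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if e.image.lower() not in POWERSHELL:
            continue
        names = [c.image.lower() for c in _ancestry(by_pid, e.pid)]
        host_idx = next((i for i, n in enumerate(names) if n in SCRIPT_HOSTS), None)
        office_idx = next((i for i, n in enumerate(names) if n in OFFICE_APPS), None)
        # Require the order the dropper produces: the script host sits between
        # PowerShell and the Office application that wrote it.
        if host_idx is None or office_idx is None or not (0 < host_idx < office_idx):
            continue
        reasons = ["Office -> script host -> PowerShell process chain"]
        cl = e.cmdline.lower()
        if "\\programdata\\" in cl:
            reasons.append("PowerShell script sourced from %ProgramData%")
        if "-w hidden" in cl or "-windowstyle hidden" in cl:
            reasons.append("hidden window")
        if "-ep bypass" in cl or "-executionpolicy bypass" in cl:
            reasons.append("execution policy bypass")
        alerts.append(Alert(e.pid, tuple(names), tuple(reasons)))
    return alerts


# Constructed events (hypothetical PIDs, paths and file names).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "excel.exe", r'EXCEL.EXE "C:\Users\user\Downloads\invitation.xls"'),
    ProcEvent(300, 200, "wscript.exe", r"wscript.exe C:\ProgramData\update.vbs"),
    ProcEvent(400, 300, "powershell.exe", r"powershell.exe -w hidden -ep bypass -f C:\ProgramData\stage.ps1"),
    # Benign: scheduled maintenance script under services.exe.
    ProcEvent(500, 1, "services.exe", "services.exe"),
    ProcEvent(600, 500, "powershell.exe", r"powershell.exe -File C:\Scripts\backup.ps1"),
    # Benign: logon script host without an Office parent.
    ProcEvent(700, 100, "wscript.exe", r"wscript.exe \\dc01\netlogon\logon.vbs"),
    ProcEvent(800, 700, "powershell.exe", "powershell.exe -Command Get-Date"),
]

if __name__ == "__main__":
    for a in detect_office_script_chain(SAMPLE_EVENTS):
        print(a.pid, " <- ".join(a.chain), "|", "; ".join(a.reasons))
```

Only the chain ordering is required for an alert; the %ProgramData% path and the hidden-window and execution-policy flags are added as reasons so that a triage analyst can see at a glance how closely the event matches the dropper flow above rather than a one-off administrative script.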

The commands observed by Kaspersky during the various monitored/analyzed intrusions are the following: 

  • List local disk drives
  • Get list of installed AV software
  • Check if current user is admin
  • Get OS architecture
  • Check for the existence of backdoor services
  • Check for registry keys added for COM hijacking
  • List all installed hotfixes
  • Get screenshot and save to %AppData% until the next POST request

Obscured command and control

The actors have placed their C2 domains behind Cloudflare to hide the actual IP addresses, but Kaspersky was able to identify some of them and found that they are hosted in Ukraine and Estonia.

Many of these domains date back to at least December 2019, indicative of WIRTE’s ability to evade detection, analysis, and reporting for extended periods.

Mapped WIRTE C2 infrastructure (Source: Kaspersky)

The most recent intrusions use HTTPS over TCP/443 for C2 communication, but they also use TCP ports 2096 and 2087, as mentioned in a 2019 report by Lab52.

Another similarity with the older campaign is the sleep function in the script, which still ranges between 60 and 100 seconds.
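
The two details above, a fixed sleep window of 60 to 100 seconds and HTTPS on TCP 2087 and 2096 (both are among the non-standard ports Cloudflare proxies for HTTPS, which is why the Cloudflare fronting does not hide them), are exactly what a beaconing hunt keys on. The following Python is an added example, not from the Kaspersky report or this page, that groups outbound connection records by source, destination and port and flags flows whose inter-connection gaps all fall inside that sleep window. The connection records use constructed timestamps and TEST-NET addresses; the real C2 hosts are not listed on this page.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

SLEEP_MIN, SLEEP_MAX = 60, 100   # seconds, the sleep range in the report
NONSTANDARD_C2_PORTS = {2087, 2096}
MIN_BEACONS = 4                  # fewer connections than this is not a pattern


@dataclass(frozen=True)
class Beacon:
    src: str
    dst: str
    dport: int
    count: int
    median_gap: float
    nonstandard_port: bool   # 2087/2096 is a much stronger signal than plain 443


def beacon_candidates(conns):
    """conns: iterable of (ts_seconds, src, dst, dport). Returns flows with at
    least MIN_BEACONS connections whose gaps all lie in [SLEEP_MIN, SLEEP_MAX].
    Timestamps need not be sorted."""
    flows = defaultdict(list)
    for ts, src, dst, dport in conns:
        flows[(src, dst, dport)].append(ts)
    found = []
    for (src, dst, dport), stamps in flows.items():
        if len(stamps) < MIN_BEACONS:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if all(SLEEP_MIN <= g <= SLEEP_MAX for g in gaps):
            found.append(Beacon(src, dst, dport, len(stamps), median(gaps),
                                dport in NONSTANDARD_C2_PORTS))
    # Strongest signal first: non-standard port, then more observations.
    found.sort(key=lambda b: (b.nonstandard_port, b.count), reverse=True)
    return found


# Constructed connection log (epoch-relative seconds, TEST-NET-3 addresses).
SAMPLE_CONNS = [
    # Beacon-like flow to a Cloudflare-style HTTPS port: gaps 70, 80, 90, 90.
    (0, "10.0.0.5", "203.0.113.10", 2096),
    (70, "10.0.0.5", "203.0.113.10", 2096),
    (150, "10.0.0.5", "203.0.113.10", 2096),
    (240, "10.0.0.5", "203.0.113.10", 2096),
    (330, "10.0.0.5", "203.0.113.10", 2096),
    # Ordinary browsing: bursts, then long idle gaps.
    (0, "10.0.0.7", "203.0.113.20", 443),
    (5, "10.0.0.7", "203.0.113.20", 443),
    (600, "10.0.0.7", "203.0.113.20", 443),
    (605, "10.0.0.7", "203.0.113.20", 443),
    (1200, "10.0.0.7", "203.0.113.20", 443),
    # Regular 65 s cadence on 443: in-window but weaker evidence on its own.
    (0, "10.0.0.9", "203.0.113.30", 443),
    (65, "10.0.0.9", "203.0.113.30", 443),
    (130, "10.0.0.9", "203.0.113.30", 443),
    (195, "10.0.0.9", "203.0.113.30", 443),
    # Too few observations to call.
    (0, "10.0.0.11", "203.0.113.40", 2087),
    (80, "10.0.0.11", "203.0.113.40", 2087),
]

if __name__ == "__main__":
    for b in beacon_candidates(SAMPLE_CONNS):
        print(f"{b.src} -> {b.dst}:{b.dport} x{b.count} "
              f"median gap {b.median_gap}s nonstandard={b.nonstandard_port}")
```

A 60 to 100 second cadence on port 443 alone will match plenty of legitimate polling clients, which is why the result carries the port flag separately: the 443 flow deserves a look at the destination's reputation and TLS fingerprint, while the 2096 flow should go straight to triage.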

Sleep function in the script (Source: Kaspersky)

WIRTE has now been seen tentatively expanding its targeting scope to financial institutions and large private organizations, which could be the result of experimentation or a gradual change in focus.

Kaspersky warns that even though the TTPs used by these actors are simple and rather ordinary, they are still very effective against the group’s targets.
