ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Report
Search
Home > List all groups > WIRTE Group

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: WIRTE Group

NamesWIRTE Group (LAB52)
White Dev 21 (PWC)
Country[Middle East]
MotivationInformation theft and espionage
First seen2018
Description(LAB52) The DFIR (Digital Forensics and Incident Response) team of S2 Grupo first identified this actor in August 2018 and since then the follow-up has been carried out during the last few months.

This group attacks the Middle East and does not use very sophisticated mechanisms, at least in the campaign started in August 2018 which was monitored. It is considered unsophisticated by the fact that the scripts are unobtrusive, communications go unencrypted by HTTP, they use Powershell (increasingly monitored), and so on. Despite this apparently unsophisticated modus operandi compared to other actors, they manage to infect their victims and carry out their objectives. In addition, as will be seen during the report, the detection rate of some of the scripts in December 2018 by the main antivirus manufacturers is low, an aspect that must be highlighted. We must be aware that once these scripts are executed, it is when the behavior analysis of many solutions will detect them, but this fact has not been studied by LAB52.

This actor in all the artifacts analyzed shows his victims a decoy document in Arabic with different themes.
ObservedSectors: Defense, Government and diplomats.
Countries: Middle East.
Tools usedEmpireProject, H-Worm, Living off the Land and several VBScript, PowerShell and VBA scripts.
Information<https://lab52.io/blog/wirte-group-attacking-the-middle-east/>
<https://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html>
<https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044/>
MITRE ATT&CK<https://attack.mitre.org/groups/G0090/>

Last change to this card: 10 March 2024

Download this actor card in PDF or JSON format

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents
Telephone +66 (0)2-123-1227
E-mail [email protected]