#but the post completely cuts all that out and just takes the screenshot of israel being mentioned and nothing else ?
sonknuxadow · 1 month
i agree that theres zionist propaganda in the knuckles show and that it should be called out. but am i the only one who thinks that one big post about it going around (the one thats just a bunch of screenshots with no elaboration or anything and has like 15k notes) is not doing the best job at accurately conveying whats going on in the scene or what the problem is when it comes to the content of the show itself. at least not to people who dont know what happens already. like im not accusing the op of trying to confuse people on purpose or anything its just that like i said the post doesnt really present the scene accurately and is missing a lot of context and the post in question is probably the only thing a lot of people are seeing about this when its not a very good source of information
14 notes · View notes
themathomhouse · 5 months
I haven't seen this posted about here but it's going round Twitter and tiktok, and I'm so beyond angry I can't let it go.
The UK imprint of Simon and Schuster have announced a history of Gaza is forthcoming from writer and academic Dr Anne Irfan. She's a professor at UCL specialising in Palestinian refugees and their treatment under the UNRWA. She's done extensive work and volunteering in refugee camps, advocates for Palestinians in the UK directly to government, works with a number of projects including in asylum applications, and writes articles both in academic journals and in newspapers about Palestine. Whilst studying for her thesis, she was denied entry into Palestine by Israel.
Sounds like a highly qualified person to write a history of Gaza, right?
WRONG!
According to activists on social media - all of whom have comparable work backgrounds and experience I'm sure - it's completely unacceptable for her to write this book!!! Some of which is due to her being a white woman (we'll get to that), and some is due to her husband being a soldier in the IDF and clapping for genocide (we'll get to that too).
The vitriol and backlash has been awful, and I haven't seen many takedowns so under the cut I will dissect the issues here.
1) she's not Palestinian.
This one seems to be true, and I do think that it's important that we allow people from a region to tell their own stories. This isn't the worst criticism, however given the other problems people have I think it's being brought up disingenuously.
She is an expert though, and I am deeply concerned about this progression to an idea that we should only learn about or discuss our own cultures. Palestinian voices not being elevated is a systemic issue, not the fault of one woman who we can at least say possesses the requisite expertise to write a history book.
She's actually already written one book - Refuge and Resistance: Palestinians and the international refugee system.
Here's a list of recent news articles she's written.
2) she's white.
This one I can't verify. There are claims from people purporting to be former students of hers who say she's Jordanian and has family in Palestine. Certainly her surname is Arabic and she's listed as being fluent in Arabic on her academic profiles, so I'm not willing to assume from the single photograph I've seen that she's white.
We have also seen from the rise in antisemitism recently that whiteness is entirely conditional, and I think in this case it's being thrust upon her to justify saying she has no business writing a book. I think this is trying to get at systemic issues with publishing, but without any of the facts.
3) her husband is an IDF soldier.
Her partner (not husband as far as I can tell) tweeted out the book announcement. He's a fucking marketing data guy who works for Twitter. He's not in the IDF. He's just Israeli and so probably did national service, but that's an assumption as he lives in London.
I can't add his LinkedIn or other profiles as they've all been deleted, likely due to this shit. This will have to do.
4) he supports genocide.
No.
He had a take that I don't personally agree with - saying Israel shouldn't agree to a ceasefire until the hostages have been returned - but that is an extremely far cry from any kind of support for genocide. His Twitter has been deleted so I've only seen screenshots, possibly someone made this claim but failed to procure the correct evidence; but that seems extremely unlikely.
Even the original person who tweeted about this has tried to walk it back (not the husband part but some of the other stuff).
There were no receipts by the way, possibly due to a change of heart.
Babe you called it coloniser apologia and attacked her personally as well as her partner, you're kind of the one who made it personal. Feel bad all you want but this is just you being defensive.
What now?
If you are going to make claims about someone supporting genocide or any of this shit, be really fucking sure before you throw a Molotov cocktail into the dumpster fire of this discourse. The publisher, an unrelated book news website, her editor (who's made her account private after being @ed in the comments), and she and her partner (both deleted Twitter) have been inundated with tweets and videos on tiktok yelling about it - most of which has been at best unhelpful, but comes from a place of xenophobia and an entirely misapplied desire to crusade for justice - and I'm being generous calling it that.
Has this helped? Has it? Did posting her university email and calling for people to call her a fascist in her work inbox manifest some Palestinian writers? Has tweeting shit like this helped?
Getting rid of academia is definitely A Good Take and not the step authoritarians take.
I've personally written to the publisher to express my sadness at this whole thing, agreeing that Palestinian voices are extremely important to uplift but also saying that Dr Irfan is clearly more than qualified to write this book. I admire all of the work she has already done spending more than a decade working with Palestinian refugees, and I hope very much that everyone involved is doing okay.
I don't know what else to do. All I can do is once again say that people need to really, properly fact-check before you post. This woman is actually doing the activism. She's an historian, yes; but also does work directly in camps and with the preservation of archives. Her crime seems to me to be that her partner is Israeli, and if that's where we're at then I don't even want to know where we're going.
40 notes · View notes
dearfuturehusbandblog · 6 months
I Had A Moment
Dear Future Husband,
I've had a lot I've wanted to post here over the last few months but it's been too much, really, and a lot of the things I've wanted to say would come out sounding completely insensitive and that just wouldn't be appropriate for what everyone has been struggling with. I'm also slow at processing things properly, which I think I've made kind of clear in this blog in the past.
Regardless, I'll reiterate: I'm often too pragmatic, honestly to a fault.
Everything about the way I think and feel (or don't feel) is a direct symptom of the way I was raised, regardless of how in denial my parents are of the way they raised us.
I've been sleeping worse than normal for the last three months (it's literally 10:20am right now as I'm starting to write this and I still haven't slept since yesterday and I only slept about 3-4 hours yesterday, so you can probably see where this is going....) and I'm too tired to really explain myself thoroughly here right now, but I thought I should share this.
Since the war started in October I haven't felt much about it.
This is the whole insensitive thing I was talking about....
I'm a half a world away dealing with so many other things and b"H all the people I know in Israel are as safe as they can be during this insanity, so it's hard to relate to anything that's going on over there.
I've also never been much of an emotional person, so I've seen a lot of the footage and pictures and haven't had much of a reaction. Which is ridiculous, I know, and maybe one day when I'm not falling on my face I'll take time to go more in depth on what I mean, but today is not that day.
Anywho, when I was in Seminary in Israel a whole 15+ years ago, I started reciting the entire sefer tehillem during the week of Chanukah.
That lasted maybe four or five years, but I'm so slow at reading Hebrew that I would always procrastinate the days perakim and end up off schedule and it was too much pressure on myself to do something that nobody told me I had to do. So at some point I just stopped doing it.
But another "tradition" I started at the same time was doing a content "diet" and cutting out all non-kosher movies, tv, music, and books (except for bathroom reading) for the entire week of Chanukah. That is something I still do pretty much every year.
So during the rest of the year I listen to the radio or my non-Jewish music with the Bluetooth in my car, but during Chanukah it's only Jewish music.
Last Thursday night, the 8th night of Chanukah, I was listening to music in my car on the way to the supermarket to buy some things for Shabbos and the song L'man Achai by The Chevra came on.
I listened to it once, not having heard it in a long time, and sang along with it. The next song came on, but my mind was still on L'man Achai, so I put it on again, harmonizing with it. And then it sunk in as an earworm and I played it again.
And I had a moment.
It was on this third play that I actually listened to the words of the song. It's from two separate perakim of tehillem.
Leman achai v're'ai adabra na shalom bach Leman bes Hashem Elokeinu avaksha tov lach Hashem oz l'amo yiten, Hashem yivarech as amo ba'shalom
The first part is from Perek 122:
And the second is from Perek 29:
My translation skills aren't that good (hence the screenshots), so I was sitting in my car trying to suss out what exactly I was saying in the first part, but when I got to the second, I got completely choked up. Words just wouldn't come out right and tears did spring to my eyes. Although the tears didn't spill over, the knot in my throat took a while to dissipate and I stopped singing along with the song. All I could think about was how many people in Israel are wishing for peace and strength, and how many have picked themselves up after such a tragedy and are moving forward, not letting this keep them down at all.
And I thought about every galus we've been in. Every massacre of Jews for thousands of years because of feuds that run so deep in our history that even when they've been resolved by the people who started them, their children still carry that hatred in their hearts because they've been taught it's important, even when it's not their fight.
And the sarcastic and angry part of me was saying "Hashem gives us strength? He blesses us with peace? WHAT peace? WHAT strength???"
But the rest of me just felt the brokenness of it all.
I ended up playing the song several more times in a row, getting my voice back enough to yell out the lyrics, hoping if I could say them loud enough they'd permeate my soul and maybe I would feel something more than just that momentary strangle. That maybe just putting the words out into the world would be enough.
So after three months of playing the part of "it's so terrible, it's so sad" but not really feeling those emotions, something in my brain finally clicked. And I had that moment.
It's been a week and I've had the song on repeat in my head since then. It doesn't have the same impact on me as it did last Thursday in the car, but I keep thinking about it.
It's like the earworm of the century has burrowed into my brain and no matter what I do to distract myself the tune is always on the periphery of my thoughts.
Not that this whole situation hasn't been far from my mind every day anyway.... but now I have a small and constant reminder that I can have human feelings on occasion. It just sometimes takes three months for that moment.
-LivelyHeart
4 notes · View notes
philosopherking1887 · 5 years
The meaning of Aziraphale’s name
Angel names in Judeo-Christian angelology all mean something in Hebrew. Gabriel means “God is my might”; Michael means “who is like God?”; Uriel means “God is my light”; Raphael could mean either “God healed” or (as an imperative) “God, heal!” I’m not completely sure that Gaiman and Pratchett intended for the name Aziraphale to mean anything in particular in Hebrew, but because I’m obsessive, I wanted to figure something out. People who know more Hebrew than I do are welcome to make corrections or suggestions.
I think Neil Gaiman said in an interview at some point that the original spelling was Aziraphael, in keeping with the typical -el ending of angel names. If that’s the correct spelling, then the name might be a strange way of saying “God, my strength, healed” or “God, my strength, heal!” Or it might contain the name Raphael as a part, meaning “Raphael is my strength.” I don’t really buy the recent fanon proposal that Crowley was Raphael before his fall, because all the angel lore, including the Book of Tobit, has Raphael as an angel long after Lucifer’s rebellion would have taken place (in Paradise Lost, Raphael is the one who tells the story to Adam). But if we do go in for that bit of fanon, then we can imagine a scenario like the one at the beginning of this fic, in which our two heroes were in love in Heaven before the Fall and Aziraphael (who we assume ranked lower) had a different name to start with but took the name “Raphael is my strength.”
But there are other interesting translation possibilities if we take the current spelling to indicate that the name has 4 syllables rather than 5 (i.e., there’s no extra aleph between the pheh and the lamed). I’m not aware of a Hebrew root rap[h]al, so that means we’d need to break the name up into Azir - aphel or Azir(a) - phel. As noted in this wonderful post, in which someone wrote a letter from “Crawly” to Azirapil in Akkadian cuneiform (!!), the “Azir” part can be derived from a Hebrew root and mean “helper, one who helps.” That speculative translation continues:
The second element appears to be āpilu, literally “the one who answers,” but also used to mean “the one who dissents, the one who talks back.”  Thus, together, the name would mean “the one who helps the dissenter.”
Which is very cool, but I wasn’t sure whether there was any Hebrew equivalent, so I went looking for the meaning of a Hebrew root ‘ap[h]al. The first thing I found was this article called “The Sin and Danger of Presumption,” which I immediately knew was a Christian thing because Christians get way more worked up about presumption than Jews do. Anyway, here’s the relevant bit:
apal - presume. (So ASV, RSV; NASB, “to be heedless.”) - This root, to which we may compare Arabic gafala “to be heedless, neglectful, inadvertent,” is found in only one OT passage, Num 14:44 (Hiphil), of Israel’s rash and reckless attack on the Amalekites and Canaanites, following her lack of faith and great rebellion. There are some authorities who suggest that the Pual of apal in Hab 2:4 may be from the same root, “to presume, be proud.”
Whoa this is getting super long. The rest is under a cut.
So I tracked down the verses as translated by Jews, because I trust Jews more than Christians to not read anachronistic concepts into Hebrew words. In my tiny little JPS (Jewish Publication Society) Tanakh, vaya’pilu la’alot (Num. 14:44) is translated as “they defiantly marched,” with a footnote saying “meaning of Heb. uncertain.” OK, something to do with defiance... interesting. The first half of Hab. 2:4 is translated, “Lo, his spirit within him is puffed up, not upright,” and the Hebrew word translated as “puffed up” is ‘uplah (no, I’m not making that up).
Bible Hub is another Christian thing, but they’ve got a useful entry on the root aphal (that’s with an ayin at the beginning) with translations from a bunch of different concordances. It appears that the original literal meaning is “to swell,” and it acquired metaphorical meanings related to arrogance (having a swelled head or an inflated sense of one’s own importance), rashness, and/or defiance. So assuming the Azir- part means “helper,” Azir’aphel or Azir’aphal might mean “helper of the arrogant/defiant one,” which could refer to his relationship with Crowley; or it might mean “heedless helper,” which could describe the morally dubious action of giving Adam and Eve his flaming sword.
I don’t know how to deal with Hebrew characters in Tumblr, so I’m going to do something dumb and put in a screenshot of how his name might be spelled in Hebrew:
The other possible way to break it down would be with the second ‘a’ just as a link between Azir- and -phel or -phal rather than the vowel associated with a ‘silent’ consonant (it’s silent now, but it used to be some guttural sound that doesn’t exist in Hebrew anymore). In Biblical Hebrew there isn’t a two-letter root pal, but I did find this old and not at all sketchy-looking e-zine entry about the root palal, which can mean “to intercede,” “to interpose,” “to arbitrate/judge,” “to pray,” or (apparently) “to think.” According to the not-at-all-sketchy e-zine, the Biblical Hebrew root palal is derived from the older parent root pal, which means “to speak to authority.” Supposedly that has something to do with the fact that the letter peh is a picture of a mouth and lamed is a picture of a shepherd’s staff, but it is absolutely fucking insane to derive the meaning of a spoken word from the meanings of the letters in which it is written, so I’m taking that with a whole handful of salt.
Somewhat more reasonable is the assertion that the root means “to fall,” and thus the connection with prayer, intercession, or pleading one’s case to an authority has to do with the practice of prostrating oneself in supplication. The root meaning “to fall” is nap[h]al, but nun is one of those funky semi-consonant letters (like heh, vav, and yud) that has a tendency to disappear or turn into something else when the verb is conjugated, so it’s not insane to think that the pal part is what’s core to the meaning and the nun is just there because roots gotta have 3 letters. It’s also not totally insane to think that this is somehow related to the root palal, because I also vaguely remember that in roots where the second and third letters are the same, they have a tendency to get mushed together, as in the palal derivative that’ll be most familiar to Jews, t’fillah, the noun meaning “prayer.” (Well, it’s a little vague because it’s spelled with two l’s in English but there’s only one lamed in the Hebrew... but there’s also a little dot in the lamed, which indicates that it’s a geminate consonant, serving as both the coda of the second syllable and the onset of the third.)
OK, so, what would that mean for Aziraphale’s name? Obviously the most exciting possibility would be that it means “helper of the fallen,” because duh. “The fallen” or “the one who falls” would be nophel, but if the nun gets dropped in conjugation, it might also fall out when it’s getting mashed together with another word in a name, right? Alternatively, going with the “prayer/intercession” meaning of palal, Aziraphale might mean “helper [and] intercessor,” which would make sense with his role as the one who attempts to plead for human beings and the Earth with his superiors who are happy to see it destroyed to settle their scores with Hell. If either of those is the meaning, it would be spelled like this:
So, to sum up: depending on how we imagine Aziraphale to be spelled in Hebrew, it could mean:
“God, my strength, healed”, “God, my strength, heal!”, or (less likely) “Raphael is my strength”
“helper of the arrogant/defiant one” or “heedless helper”
“helper of the fallen” or “helper [and] intercessor”
376 notes · View notes
ayuochancosplay · 6 years
Sesshomaru cosplay
Hello guys! I’ll be making a series of blog posts of my Sesshomaru cosplay progress containing both the planning and the making process. I always wanted to do that so I hope it will help you guys out!
Planning process:
On this part we will be focusing on three main things:
planning your cosplay
buying materials
research 
Each of these parts comes before you actually start working on your cosplay: how do you choose the right wig? The right fabric color? With what materials are you going to make the props?
Finding references is fairly easy thanks to Google pictures, yet sometimes there are parts that get hidden behind layers or weird shots, so I suggest before starting a new cosplay to find as many references as you can: game models, official art, concept art, etc. But I had many times when the character didn’t have many references or there simply weren’t enough; in such situations I often try to go over the scenes the character appears in and take as many screenshots as I can. Sometimes you can find your character had a drawing on their back and you’d notice it only after looking over an action scene! Also, anime openings often show a very detailed drawing of your character, which really helped me with understanding Sesshomaru’s sword handles!
With every cosplay first comes the planning process, consisting of collecting references, counting your budget, sketches and material research. The easiest method for me for planning my cosplay is to break everything down to pieces; many costumes and armor pieces contain several layers and breaking them down really helps. For example, before I even make a shopping list I like to sketch down several cosplay pieces for them all to make sense in the project later. I don’t like being confused over certain parts and I try to make it as simple as possible. When you’re drawing your cosplay small details are a lot harder to miss and it is your opportunity to think through how a 2D element might work out in real life. Since Sesshomaru wears several layers consisting of a breast plate, a kimono and an undershirt, sketching each part individually really helped me see the whole picture and plan through how it might all look when I’m actually making the costume.
For example here’s my sketches for Sesshomaru:
But if sketching the cosplay is not your cup of tea yet you still want to keep your cosplan organized, I suggest you make a to-do list! Write down all the cosplay parts you have to make and possible materials you have to buy!
Even though I like to make countless lists of possible sketches and materials, sometimes when you’re out there buying fabrics you realise you forgot what you wanted to get, so a very useful app for that is an app called “Cosplanner” (which most of you have probably heard of). It’s really nice for keeping watch on your tasks, so I typed down the things I had to buy/make for Sesshomaru. Keeping a “to buy” list really prevents a huge mess and you can easily keep track of what you’re missing to progress on your cosplay. Also, because this app uses percents, you can always see how much you’ve progressed on your cosplay!
Here you can see my “to buy” list which really helped me arrange my tasks and goals.
After I arranged my buying lists, I started buying materials little by little, starting with buying a fabric for my kimono. I wanted to use a more natural fabric since the show itself takes place in Japan’s Sengoku period, where I assumed they mostly used natural fabrics; in addition to that, I knew that Israel is a hot country and wearing a three-layer costume would be super difficult, so I had to use a breathable fabric. So I bought five meters of white cotton together with iDye Poly fabric paint and a “so soft” acrylic paint with a matching color (I chose the shade crimson). I also tried not to buy everything in one go in order to save money and look up different options. (Do check that the fabric paint you choose will suit the type of fabric that you’re buying; my paint suits natural fabrics, it’s usually written on the package.) It is also important for me to pick a color that won’t bleed when I’m painting on fabric, therefore a so soft acrylic is perfect for me since you can apply it without using too much water, plus the color is meant for fabric, making it elastic and preventing possible cracks that a regular acrylic paint might cause. I intend to paint the patterns on Sesshomaru’s kimono by hand and I want it to be as clean as possible, especially when drawn on white fabric.
I know some people measure themselves out before buying their fabrics but I’m just picking it by eye; considering that I had to make both the top (which has long sleeves) and the pants, I assumed 5 meters would be enough. I had also bought 3 EVA foam blocks for my swords; I’m planning on cutting them in half in order to carve the swords out, we will see how this turns out. I also plan on buying EVA foam for the armor pieces. Even though I own Worbla, I thought EVA foam would be more suitable for Sesshomaru’s breast plate; while Worbla is an amazing material, I thought a thick EVA foam would look more aesthetically pleasing and be cheaper for me to afford. I intended to carve out the “spikes” on his outfit out of foam anyway, so I’d rather be consistent with my materials.
Making a cosplay always involves a lot of planning and thought, and sometimes the thing you planned to do in the beginning doesn’t work in the end and that’s okay! I like thinking every step through before I start working, even when I buy my materials, just to keep me calm and make sure I don’t forget anything.
An important part of every cosplay is research. I always look up other talented cosplayers to see how they did their work, since most of the time we’re cosplaying 2D characters and fabrics/materials sometimes get very confusing, but looking up people who already did this costume might actually help you learn new tactics and gather up brilliant ideas. One of the ways to do it is to look up some YouTube tutorials! With most of them made by cosplayers, it creates a great platform to learn and try new things. For example, I never made a piece of armor in my life, so I had to look up a couple of tutorials that would teach me how to use EVA foam and how to make swords (honestly how the heck do you do this)
Here’s a list of YouTube tutorials I found useful:
A tutorial explaining how to make 3 types of con friendly swords
EVA foam priming
EVA foam basics
foam spikes     
After I had something to start with, my only worry was ordering a suitable wig for the character. I always try to do this ahead of time in order for the wig to arrive early before the con (because when your wig arrives late it sucks). Usually I order my wigs from eBay since I don’t want something too expensive nor too fancy, but this time around Sesshomaru has very long and thick hair, so I wanted a wig I knew had a lot of fibers and was long enough for my liking. Therefore I decided to order my wig from Arda Wigs. With the help of my friends I went over countless wigs trying to understand what length or color I should go for, and in the end settled on a 152 cm silver wig! I didn’t take a completely white wig since I thought a silver one would look better in real life. I also chose a silky wig because of its soft fibers; even though my wig won’t be completely tangle free, it made me feel a tad safer. The wig I chose is a DELILAH SILKY (one of Arda’s classic long wigs) and it arrived super quickly! I really love it and I’m happy with my choice :3
*When you choose a wig for your cosplay, always consider how you need to style it. If you need to straighten a wig always make sure it’s heat resistant!
Now that I planned everything through and have enough materials to start, I shall begin working on my cosplay!
1 note · View note
annadianecass · 7 years
KASPERAGENT malware campaign resurfaces in the run up to May Palestinian Authority elections
ThreatConnect has identified a KASPERAGENT malware campaign leveraging decoy Palestinian Authority documents. The samples date from April – May 2017, coinciding with the run up to the May 2017 Palestinian Authority elections. Although we do not know who is behind the campaign, the decoy documents’ content focuses on timely political issues in Gaza and the IP address hosting the campaign’s command and control node hosts several other domains with Gaza registrants.
In this blog post we will detail our analysis of the malware and associated indicators, look closely at the decoy files, and leverage available information to make an educated guess on the possible intended target. Associated indicators and screenshots of the decoy documents are all available here in the ThreatConnect platform.
Background on KASPERAGENT
KASPERAGENT is Microsoft Windows malware used in efforts targeting users in the United States, Israel, Palestinian Territories, and Egypt since July 2015. The malware was discovered by Palo Alto Networks Unit 42 and ClearSky Cyber Security, and publicised in April 2017 in the Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA blog. It is called KASPERAGENT based on PDB strings identified in the malware such as “c:\Users\USA\Documents\Visual Studio 2008\Projects\New folder (2)\kasper\Release\kasper.pdb.”
The threat actors used shortened URLs in spear phishing messages and fake news websites to direct targets to download KASPERAGENT. Upon execution, KASPERAGENT drops the payload and a decoy document that displays Arabic names and ID numbers. The malware establishes persistence and sends HTTP requests to the command and control domain mailsinfo[.]net. Of note, the callbacks were to PHP scripts that included /dad5/ in the URLs. Most samples of the malware reportedly function as a basic reconnaissance tool and downloader. However, some of the recently identified files display “extended-capability” including the functionality to steal passwords, take screenshots, log keystrokes, and steal files. These “extended-capability” samples called out to an additional command and control domain, stikerscloud[.]com. Additionally, early variants of KASPERAGENT used “Chrome” as the user agent, while more recent samples use “OPAERA”, a possible misspelling of the “Opera” browser. The indicators associated with the blog article are available in the ThreatConnect Technical Blogs and Reports source here.
The samples we identified leverage the same user agent string “OPAERA”, included the kasper PDB string reported by Unit 42, and used similar POST and GET requests. The command and control domains were different, and these samples used unique decoy documents to target their victims.
Identifying another KASPERAGENT campaign
We didn’t start out looking for KASPERAGENT, but a file hit on one of our YARA rules for an executable designed to display a fake XLS icon – one way adversaries attempt to trick targets into thinking a malicious file is innocuous. The first malicious sample we identified (6843AE9EAC03F69DF301D024BFDEFC88) had the file name “testproj.exe” and was identified within an archive file (4FE7561F63A71CA73C26CB95B28EAEE8) with the name “التفاصيل الكاملة لأغتيال فقهاء.r24”. This translates to “The Complete Details of Fuqaha’s Assassination”, a reference to Hamas military leader Mazen Fuqaha who was assassinated on March 24, 2017.
We detonated the file in VxStream’s automated malware analysis capability and found testproj.exe dropped a benign Microsoft Word document that pulls a jpg file from treestower[.]com. Malwr.com observed this site in association with another sample that called out to mailsinfo[.]net – a host identified in the Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA blog. That was our first hint that we were looking at KASPERAGENT.
The jpg pulled from treestower[.]com displays a graphic picture of a dead man, which also appeared on a Palestinian news website discussing the death of Hamas military leader Mazen Fuqaha. A separate malicious executable – 2DE25306A58D8A5B6CBE8D5E2FC5F3C5 (vlc.exe) – runs when the photograph is displayed, using the YouTube icon and calling out to several URLs on windowsnewupdates[.]com. This host was registered in late March and appears to be unique to this campaign.
With our interest piqued, we pivoted on the import hash (also known as an imphash), which captures the import table of a given file. Import hashes shared across multiple files would likely identify files that are part of the same malware family. We found nine additional samples sharing the imphash values for the two executables, C66F88D2D76D79210D568D7AD7896B45 and DCF3AA484253068D8833C7C5B019B07.
Analysis of those files uncovered two more imphashes, 0B4E44256788783634A2B1DADF4F9784 and E44F0BD2ADFB9CBCABCAD314D27ACCFC, for a total of 20 malicious files. These additional samples behaved similarly to the initial files; testproj.exe dropped benign decoy files and started malicious executables. The malicious executables all called out to the same URLs on windowsnewupdates[.]com.
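What an import hash captures, as an added example (not code from the original article): a simplified imphash computed over constructed import tables, then used to group samples the way the pivot above does. The sample names and import lists are constructed placeholders, and ordinal-only imports are not handled.

```python
import hashlib
from collections import defaultdict

def imphash(imports):
    """Simplified imphash: MD5 over 'lib.func' pairs in import-table order.

    `imports` is a list of (dll_name, function_name) pairs as read from a PE
    import table. Ordinal-only imports are not handled (assumption of this sketch).
    """
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]      # the library extension is not hashed
        parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()

def cluster(samples):
    """Group sample names by imphash; only groups of two or more are pivots."""
    groups = defaultdict(list)
    for name, imports in samples.items():
        groups[imphash(imports)].append(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed import tables; names are placeholders, not files from the campaign.
DROPPER = [("KERNEL32.dll", "CreateFileW"), ("KERNEL32.dll", "WriteFile"),
           ("SHELL32.dll", "ShellExecuteW")]
BEACON = [("WININET.dll", "InternetOpenA"), ("WININET.dll", "HttpSendRequestA"),
          ("KERNEL32.dll", "Sleep")]
SAMPLES = {
    "sample_a": DROPPER,
    "sample_b": [(d.upper(), f) for d, f in DROPPER],  # same table, other name case
    "sample_c": BEACON,
    "sample_d": list(BEACON),                          # identical import table
    "sample_e": list(reversed(BEACON)),                # same imports, other order
}

if __name__ == "__main__":
    for group in cluster(SAMPLES):
        print(group)
```

Because the hash depends on import order, a rebuilt or relinked variant can fall out of the cluster, which is why an imphash match is a lead to confirm with behaviour and network traits rather than proof of family on its own.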
These malware samples leverage the user agent string “OPAERA,” the same one identified in the Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA blog. Although the command and control domain was different from those in the report, the POST and GET requests were similar and included /dad5/ in the URL string. In addition, the malware samples included the kasper PDB string reported by Unit 42, prompting us to conclude that we were likely looking at new variants of KASPERAGENT.
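The network traits described above (the “OPAERA” user agent, the bare “Chrome” user agent of early variants, /dad5/ PHP callbacks and the named command and control domains) can be checked against proxy logs; this is an added example, not code from the original article. The log layout, client IPs, .example hosts and PHP file name are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Indicators named in the article (defanged there, refanged here for matching).
C2_DOMAINS = {"mailsinfo.net", "stikerscloud.com", "windowsnewupdates.com"}
DAD5_PHP = re.compile(r"/dad5/[^/\s]+\.php$", re.IGNORECASE)
# Assumed proxy log layout: time client method url "user-agent"
LINE = re.compile(r'^(\S+) (\S+) (GET|POST) (\S+) "([^"]*)"$')

# Constructed sample log; .example hosts and the PHP file name are placeholders.
SAMPLE_LOG = """\
2017-04-12T08:01:11Z 10.0.0.21 POST http://windowsnewupdates.com/dad5/placeholder.php "OPAERA"
2017-04-12T08:01:15Z 10.0.0.21 GET http://intranet.example/index.html "Mozilla/5.0 (Windows NT 6.1) Chrome/58.0 Safari/537.36"
2017-04-12T08:02:40Z 10.0.0.34 GET http://unlisted-host.example/dad5/placeholder.php?id=1 "OPAERA"
2017-04-12T08:03:02Z 10.0.0.40 GET http://news.example/story "Opera/9.80 (Windows NT 6.1) Presto/2.12"
2017-04-12T08:04:19Z 10.0.0.55 POST http://cdn.mailsinfo.net/dad5/placeholder.php "Chrome"
"""

def reasons_for(url, user_agent):
    """Return the article-derived traits that one request matches."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    hits = []
    if any(host == d or host.endswith("." + d) for d in C2_DOMAINS):
        hits.append("c2-domain")
    if DAD5_PHP.search(parts.path):
        hits.append("dad5-php-path")
    if "OPAERA" in user_agent:
        hits.append("ua-opaera")        # the typo does not occur in real browser UAs
    elif user_agent.strip() == "Chrome":
        hits.append("ua-bare-chrome")   # real Chrome sends a long Mozilla/5.0 string
    return hits

def triage(log_text):
    """Map client IP -> sorted traits, keeping only clients with at least one hit."""
    flagged = {}
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue                    # skip lines that do not fit the layout
        _, client, _, url, ua = m.groups()
        hits = reasons_for(url, ua)
        if hits:
            flagged.setdefault(client, set()).update(hits)
    return {c: sorted(h) for c, h in flagged.items()}

if __name__ == "__main__":
    for client, traits in triage(SAMPLE_LOG).items():
        print(client, traits)
```

The third log line is the case the article describes: the command and control domain is not on any list, yet the user agent and URL path still flag the client.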
The Decoy Files
Several of the decoy files appeared to be official documents associated with the Palestinian Authority – the body that governs the Palestinian Territories in the Middle East. We do not know whether the files are legitimate Palestinian Authority documents, but they are designed to look official. Additionally, most of the decoy files are publicly available on news websites or social media.
The first document – dated April 10, 2017 – is marked “Very Secret” and addressed to Yahya Al-Sinwar, who Hamas elected as its leader in Gaza in February 2017. Like the photo displayed in the first decoy file we found, this document references the death of Mazen Fuqaha. The Arabic-language text and English translation of the document are available in ThreatConnect here.
The second legible file, dated April 23, has the same letterhead and also is addressed to Yahya al-Sinwar. This file discusses the supposed announcement banning the rival Fatah political party, which controls the West Bank, from Gaza. It mentions closing the Fatah headquarters and houses that were identified as meeting places as well as the arrest of some members of the party.
Looking at the Infrastructure
We don’t know for sure who is responsible for this campaign, but digging into the passive DNS results led us to some breadcrumbs. Starting with 195.154.110[.]237, the IP address which is hosting the command and control domain windowsnewupdates[.]com, we found that the host is on a dedicated server. Using our Farsight DNSDB integration, we identified other domains currently and previously hosted on the same IP.
Two of the four domains that have been hosted at this IP since 2016 — upfile2box[.]com and 7aga[.]net — were registered by a freelance web developer in Gaza, Palestine. This IP has been used to host a small number of domains, some of which were registered by the same actor, suggesting the IP is dedicated to a single individual or group’s use. While not conclusive, it is intriguing that the same IP was observed hosting a domain ostensibly registered in Gaza AND the command and control domain associated with a series of targeted attacks leveraging Palestinian Authority-themed decoy documents referencing Gaza.
Targeting Focus?
Just as we can’t make a definitive determination as to who conducted this campaign, we do not know for sure who it was intended to target. What we do know is that several of the malicious files were submitted to a public malware analysis site from the Palestinian Territories. This tells us that it is possible either the threat actors or at least one of the targets is located in that area. Additionally, as previously mentioned, the decoy document subject matter would likely be of interest to a few different potential targets in the Palestinian Territories. Potential targets include Hamas, which controls the Gaza Strip and counts Mazen Fuqaha and Yahya al-Sinwar as members; Israel, which is accused of involvement in the assassination of Mazen Fuqaha; and the Fatah party, of which the Prime Minister and President of the Palestinian Authority are members.
The campaign corresponds with a period of heightened tension in Gaza. Hamas, which has historically maintained control over the strip, elected Yahya al-Sinwar – a hardliner from its military wing – as its leader in February. A Humanitarian Bulletin published by the United Nations’ Office for the Coordination of Humanitarian Affairs indicates that in March 2017 (just before the first malware samples associated with this campaign were identified in early April) Hamas created “a parallel institution to run local ministries in Gaza,” further straining the relationship between Hamas and the Palestinian Authority, which governs the West Bank. After this announcement, the Palestinian Authority cut salaries for its employees in Gaza by 30 percent and informed Israel that it would no longer pay for electricity provided to Gaza, causing blackouts throughout the area and escalating tensions between the rival groups. Then, in early May (two days after the last malware sample was submitted), the Palestinian Authority held local elections in the West Bank, which were reportedly seen as a test for the Fatah party. Elections were not held in Gaza.
All of that is to say, the decoy documents leveraged in this campaign would likely be relevant and of interest to a variety of targets in Israel and Palestine, consistent with previously identified KASPERAGENT targeting patterns. Additionally, the use of what appear to be carefully crafted documents at the very least designed to look like official government correspondence suggests the malware may have been intended for a government employee or contractor who would be interested in the documents’ subject matter. More associated indicators, screenshots of many of the decoy documents, and descriptions of the activity are available via the March – May 2017 Kasperagent Malware Leveraging WindowsNewUpdates[.]com Campaign in ThreatConnect.
The post KASPERAGENT malware campaign resurfaces in the run up to May Palestinian Authority elections appeared first on IT SECURITY GURU.