Threat Management, Threat Intelligence, Incident Response, Malware, TDR

Malware operations targeting orgs in Israel, Egypt traced to Gaza

Researchers have identified two malware operations – one, an intelligence gathering campaign targeting Israeli organizations since mid-2013 and a second which appears to be the work of “less-skilled hackers” targeting victims in Egypt.

Operators behind the campaigns, which have separate aims and make use of different malware, relied on the same command-and-control infrastructure in Germany to carry out their malicious exploits, according to a Trend Micro report (PDF) released Monday.

Analysts dubbed the mission to exfiltrate sensitive data from five Israeli organizations in the government, military, transportation and academic sector “Operation Arid Viper.” While monitoring the attackers' control hub, they also stumbled upon a campaign run by Egyptian hackers, dubbed “Operation Advtravel,” who sought to obtain photos from their targets' computers (mostly Arabs in Egypt) that could be used for blackmail. The Advtravel actors shared command-and-control servers with the Arid Viper attackers as well as email addresses used to register domains, Trend Micro found.

On the Adtravel server, researchers observed more than 500 infected systems, the report said, all which appeared to be personal laptops.

“The attackers appear to be keenly interested in images stored on victims' systems,” the report said. “This could be a sign that they are looking for incriminating or compromising images for blackmail purposes. As such, the attackers may be less-skilled hackers who are not after financial gain nor hacking for espionage purposes.”

In contrast, Operation Arid Viper used spear phishing emails to steal data from Israeli targets. Their malware was “unusual,” Trend Micro noted, in that it carried a “pornographic component,” as a means of slowing incident response efforts down while they worked to exfiltrate data. Researchers observed that Arid Viper attackers opted to send malicious .RAR attachments to victims, which ultimately dropped two additional files on victim's systems.

“One file is a short pornographic video in .FLV or .MPG format, depending on the samples seen. The other file is a Windows binary file sporting the icon on the well-known Internet communication program, Skype,” the report revealed.

“It targeted professionals who might be receiving very inappropriate content at work and so would hesitate to report the incident,” the report explained. “These victims' failure to act on the threat could have allowed the main malware to remain undiscovered.”

In a Tuesday interview with SCMagazine.com Tom Kellermann, chief cybersecurity officer at Trend Micro, discussed attackers' social engineering tactics.  

“People are very much embarrassed to bring in IT if there is porn on their computer and these attackers were leveraging that [fact] to have more time to burrow [their malware] in the systems,” Kellermann said. “I think its social engineering as it relates to inappropriate content.”

He later added that this “counter incident response movement is becoming more pervasive,” among attack groups – whether through the destructive payload delivered in the Sony Pictures incident or via malware tactics using pornography, such as in this case, to hamper threat mitigation efforts.

“I do find that interesting,” Kellermann said. “Crude, but interesting.”

Despite the location of individual hackers in the Arid Viper and Advtravel malware campaigns, Trend Micro said that the operations could be traced to the Gaza Strip in Palestine. Researchers were able to identify some of the believed attackers as having ties to the region after finding social networking accounts registered with emails linked to command-and-control server domains, and finding malicious tools on their systems that were popular in Arab countries.

Given the shared infrastructure attackers used to carry out their exploits, the security firm said that the most probable theory for explaining the Gaza connection was that a “supra-organization that provides means for Arab parties to commit acts of cyberviolence exists.”

“If our theory holds, we will see a host of cyber attacks with detrimental results stem from Arab countries in the near future,” the report continued. 

In an appendix, Trend Micro published the SHA-256 hashes linked with the malware operations alongside the firm's names for the detected malware.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.