Security Experts:

Espionage Campaign Targeting Israel Expands to Other Countries

The Xtreme RAT malware, which has been at the center of several reports of cyber attacks on Israel has expanded, researchers have discovered. This news follows a recent report from Norman ASA, who reported that the attack campaign has been going on now for more than a year.

In October, Trend Micro reported on collected samples of malware linked to several system infections on computers used by the Israeli police. The malware was determined to include a backdoor using the Xtreme Remote Access Trojan (RAT) or Xtreme RAT. Roni Bachar, from Israeli security firm Avnet, told the Times of Israel the pattern of the attack and the type of virus used were very similar to other cases of attacks, which were found to have been sponsored by governments.

“At this point, I think we can be fairly certain that it was sponsored by a nation-state, most likely Iran,” he added. In Addition, security firm F-Secure reported around the same time that the same malware was being used to target Syrian protesters.

Earlier this week, Norman ASA explained that the older files uncovered by the company used bait documents and videos written in Arabic that were aimed primarily at a Palestinian audience, while the newer files were targeted more towards Israelis. The older files date back to October 2011, offering a solid link to recent events and demonstrating that the attackers have tossed a wide, yet demographically focused net, when it comes to their victims.

"The bait files seem to focus on a number of areas (military, political and religious) which hints at a broad targeting, not only a specific sector," Snorre Fagerland, principal security researcher at Norman told SecurityWeek.

"The malware is off-the-shelf, cheap stuff. No zero-days were seen, though there are a few tricks used; such as using special Unicode characters to reverse text direction, and thus hide the executable file extension," he said.

On Thursday, Trend Micro reported that they’ve discovered additional targets, and that not only has the attack lasted for more than a year – the potential victim list is much larger than previously thought.

“While the vast majority of the emails were sent to the Government of Israel...a significant amount were also sent to the U.S. Government,” wrote Nart Villeneuve, a Senior Threat Researcher at Trend.

Included in the U.S. target list were email accounts at “state.gov,” “senate.gov,” and “house.gov,” and “usaid.gov.”

The target list also included the governments of the UK, Turkey, Slovenia, Macedonia, New Zealand, and Latvia. In addition, the BBC (bbc.co.uk) and the Office of the Quartet Representative (quartetrep.org) were also targeted, he added.

“It is important to note that while we discovered that these targets were sent this email, we have no information about how many received or potentially opened the malicious attachment. Based on our investigation, the malware was signed with an invalid certificate. When executed, it opens a decoy document and installs Xtreme RAT on the targets’ systems,” Villeneuve wrote.

“This campaign it seems is far from over and whatever specific motivations the attackers may have, considering the various targets seen scattered in various states, is still a mystery.”

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.