Cybercrime

Spear Phishing Campaign Targets Palestinian Law Enforcement

Palestinian law enforcement agencies and other targets within Palestine were targeted in a spear phishing campaign delivering malware to remotely control infected systems, Talos researchers reveal.

The actor behind this campaign “has appeared to have used genuine documents stolen from Palestinian sources as well as a controversial music video as part of the attack,” Talos says. The attacker also referenced TV show characters and included German language words within the attack, researchers discovered.

Information on these attacks initially emerged in March from Chinese security firm Qihoo 360, and in early April, when researchers at Palo Alto Networks and ClearSky revealed four malware families being used in targeted campaigns in the Middle East: Windows-based Kasperagent and Micropsia, and Android-focused SecureUpdate and Vamp.

Last week, ThreatConnect shared some additional information on Kasperagent, saying the threat was mainly used as a reconnaissance tool and downloader, but that newer samples can also steal passwords from browsers, take screenshots, log keystrokes, execute arbitrary commands, and exfiltrate files.

Focusing on Micropsia, Talos’ new report also reveals that Palestinian law enforcement agencies were the main target in the analyzed campaign. The attack featured spear phishing emails purportedly coming from an individual named “Yasser Saad,” but which included a mismatch: the email address suggested “Yasser Saaid” was the sender.

A .r10 file was attached, suggesting it is part of a split archive, but instead it was a disguised RAR, with a malicious “InternetPolicy_xxx_pdf.exe” file inside. When the file is run, a decoy InternetPolicy.pdf file containing 7 pages is displayed, while the Micropsia Remote Administration Tool (RAT) is executed in the background.
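The attachment pattern described above (a lone ".r10" volume that is really a complete RAR archive, carrying a document-named executable) can be screened at a mail gateway. The following is an added example written for this article, not Talos' or anyone's production code; the finding tags, the `volumes_in_mail` parameter and the sample inputs are constructed for illustration.

```python
import re

# RAR 4.x and RAR 5.x file signatures, and the PE "MZ" header.
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")
PE_MAGIC = b"MZ"

# Names used by split (multi-volume) RAR sets: .r00 .. .r99 or .partNN.rar
SPLIT_VOLUME_RE = re.compile(r"\.(r\d{2}|part\d+\.rar)$", re.IGNORECASE)
# Document-looking names that actually end in .exe, e.g. Report_pdf.exe
DOC_EXE_RE = re.compile(r"[_.-](pdf|docx?|xlsx?)\.exe$", re.IGNORECASE)


def is_rar(data: bytes) -> bool:
    """True when the content starts with a RAR archive signature."""
    return data.startswith(RAR_MAGICS)


def triage_attachment(name: str, data: bytes, inner_names=(),
                      volumes_in_mail: int = 1) -> list:
    """Return finding tags for one attachment.

    inner_names:     file names listed inside the archive by the gateway's unpacker
    volumes_in_mail: how many attachments in the same mail use split-archive naming
    """
    findings = []
    # A single .rNN volume with no sibling volumes that is itself a complete
    # RAR archive: the split-archive extension is only a disguise.
    if SPLIT_VOLUME_RE.search(name) and is_rar(data) and volumes_in_mail == 1:
        findings.append("lone-split-volume-rar")
    # An executable whose name is built to read like a PDF or Office document.
    if any(DOC_EXE_RE.search(inner) for inner in inner_names):
        findings.append("document-named-executable")
    # A PE file delivered under a non-executable extension.
    if data.startswith(PE_MAGIC) and not name.lower().endswith((".exe", ".dll", ".scr")):
        findings.append("pe-with-misleading-extension")
    return findings


if __name__ == "__main__":
    # Constructed sample: the attachment shape described in the article.
    sample = b"Rar!\x1a\x07\x00" + b"\x00" * 8
    print(triage_attachment("InternetPolicy.r10", sample, ["InternetPolicy_xxx_pdf.exe"]))
```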

Drive-by download campaigns that drop variants of the malware but use different decoy documents were also observed, Talos says. 

Written in Delphi, the RAT uses a legitimate binary developed by OptimumX to create a shortcut to ensure persistence. The malware’s configuration file contains the User-Agent, the command and control (C&C) URL and the JSON keys used for the network communication.


Micropsia can connect to the C&C infrastructure to download and run an executable that is received as a string and then converted into a binary file with the Delphi Hex2Bin API. It also uses WMI queries to get information about the anti-virus program running on the machine. These details are sent to the attacker.

The malware registers with the C&C via HTTP, sending information such as the filename of the executed malware and its version; the version of the infected operating system; and the hostname and username encoded in base64. The server responds in JSON format with an ID and three other Boolean values.

Talos reports that over 500 systems are already registered with the C&C server (the ID is incremented at each new infection). However, the researchers also suggest that some of these hosts could be security researcher sandbox systems.

Moreover, several German words were found in the network communication: Betriebssystem (operating system), Anwendung (application), and Ausfahrt (exit). This doesn’t mean the actor is German, but that they might be trying to cover their tracks.
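The registration traffic described above has traits a proxy or IDS analyst can score: German key names in the JSON, base64-encoded identity fields, and a reply consisting of an ID plus three Booleans. The following is an added example written for this article, not code from Talos or from the malware; the exact field layout of the beacon (`SAMPLE_BEACON`, `SAMPLE_RESPONSE`) and the scoring thresholds are assumptions constructed for illustration.

```python
import base64
import json
import re

# German words the report says appear in the network communication.
GERMAN_TOKENS = ("Betriebssystem", "Anwendung", "Ausfahrt")
# Rough shape of a base64 string (at least 8 chars, optional padding).
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def decode_b64_fields(body: dict) -> dict:
    """Return {key: decoded text} for string values that decode as base64 UTF-8 text."""
    out = {}
    for key, value in body.items():
        if isinstance(value, str) and len(value) % 4 == 0 and B64_RE.match(value):
            try:
                out[key] = base64.b64decode(value, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                pass  # looked like base64 but was not text; ignore
    return out


def looks_like_registration_response(text: str) -> bool:
    """Reply shape described in the report: an ID plus exactly three Boolean values."""
    try:
        obj = json.loads(text)
    except ValueError:
        return False
    if not isinstance(obj, dict) or len(obj) != 4:
        return False
    return sum(isinstance(v, bool) for v in obj.values()) == 3


def score_request(request_body: str) -> dict:
    """Score one HTTP request body (JSON text); each matched trait adds one point."""
    try:
        body = json.loads(request_body)
    except ValueError:
        return {"score": 0, "reasons": [], "decoded": {}}
    reasons = []
    hits = [t for t in GERMAN_TOKENS if t in request_body]
    if hits:
        reasons.append("german-keys:" + ",".join(hits))
    decoded = decode_b64_fields(body)
    if decoded:
        reasons.append("base64-fields")
    return {"score": len(reasons), "reasons": reasons, "decoded": decoded}


# Constructed sample beacon and reply (field names are assumptions, not observed traffic).
SAMPLE_BEACON = json.dumps({"Anwendung": "InternetPolicy_xxx_pdf.exe 1.0",
                            "Betriebssystem": "Windows 7",
                            "Host": base64.b64encode(b"LAB-VM01").decode(),
                            "User": base64.b64encode(b"analyst").decode()})
SAMPLE_RESPONSE = '{"id": 512, "a": true, "b": false, "c": true}'
```

A score of 2 on a request whose reply also matches `looks_like_registration_response` is a strong hunting lead; a single German token alone is weak on its own.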

“In this [campaign] one of the most surprising elements is the overt naming convention: the author deliberately uses references to several US TV shows and intentionally uses German words for malware communication. We have no indication if these inclusions are to confuse attribution, to mock analysts, or a lapse of trade craft. This is in contrast to the highly convincing decoy documents which appear to be copies of genuine documents relating to the current situation in Palestine which suggests a high degree of professionalism,” Talos concludes.

Related: ‘Kasperagent’ Spyware Delivered via Palestine-Themed Documents

Related: Cyberspies Target Middle East With Windows, Android Malware

Related: Users in Middle East Targeted in “Moonlight” Espionage Campaign

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
