A cyberespionage group apparently not linked to any previously known threat actor has been using several Windows and Android malware families in attacks aimed at organizations in the Middle East.
The first report on this group’s activities was published last month by Chinese security firm Qihoo 360, which tracks the actor as APT-C-23 and Two-Tailed Scorpion. Researchers at Palo Alto Networks and ClearSky have also conducted a joint investigation into the gang’ operations.
According to the security firms, the group uses Windows and Android malware to spy on victims. Qihoo 360 said it observed nearly 85 percent of infections in Palestine, followed by Israel, but Palo Alto also reported seeing victims in Egypt and the United States.
As for the types of organizations targeted, Qihoo reported that educational institutions appeared to be the main target, followed by military organizations, while Palo Alto mentioned media companies.
Palo Alto Networks and ClearSky have dubbed the Windows malware families used by these cyberspies KASPERAGENT and MICROPSIA. The Android threats are being tracked as SECUREUPDATE and VAMP.
The attackers delivered their malware using fake news websites and spear-phishing emails containing Bit.ly shortened links. Two of the Bit.ly links analyzed by researchers had been clicked hundreds of times.
KASPERAGENT, named so based on a “Kasper” string found in several of the analyzed samples, is used as a reconnaissance tool and downloader for other payloads. However, some of the samples include additional capabilities that allow the hackers to steal passwords from Chrome and Firefox, take screenshots, log keystrokes, execute arbitrary commands, exfiltrate files, and update the malware.
The second Windows malware family used by Two-Tailed Scorpion is MICROPSIA, which allows attackers to log keystrokes, capture screenshots, and steal Office documents.
Researchers initially found no connection between the two malware families, but they eventually uncovered a link: an email address used to register the command and control (C&C) domains.
Some of the domains registered with that email address were also found to host Android malware disguised as harmless applications. One of them is SECUREUPDATE, a backdoor that acts as a downloader for other malware.
The second Android malware is VAMP, which can record calls, harvest contact information, access messages, and steal documents from the infected device.
Both the Android and Windows malware attacks also involve phishing websites that attempt to trick users into handing over their credentials.
Palo Alto has discovered roughly 200 samples of the Windows malware and 17 Android malware samples. The security firm has been monitoring the threat since March 2016, but the KASPERAGENT malware had been used since at least July 2015.
“Through this campaign there is little doubt that the attackers have been able to gain a great deal of information from their targets,” explained Palo Alto Networks researchers. “The scale of the campaign in terms of sheer numbers of samples and the maintenance of several different malware families involved suggests a reasonably sized team and that the campaign is not being perpetrated by a lone wolf, but rather a small team attackers.”