Security Experts:

Connect with us

Hi, what are you looking for?



Cyberspies Target Middle East With Windows, Android Malware

A cyberespionage group apparently not linked to any previously known threat actor has been using several Windows and Android malware families in attacks aimed at organizations in the Middle East.

A cyberespionage group apparently not linked to any previously known threat actor has been using several Windows and Android malware families in attacks aimed at organizations in the Middle East.

The first report on this group’s activities was published last month by Chinese security firm Qihoo 360, which tracks the actor as APT-C-23 and Two-Tailed Scorpion. Researchers at Palo Alto Networks and ClearSky have also conducted a joint investigation into the gang’ operations.

According to the security firms, the group uses Windows and Android malware to spy on victims. Qihoo 360 said it observed nearly 85 percent of infections in Palestine, followed by Israel, but Palo Alto also reported seeing victims in Egypt and the United States.

As for the types of organizations targeted, Qihoo reported that educational institutions appeared to be the main target, followed by military organizations, while Palo Alto mentioned media companies.

Palo Alto Networks and ClearSky have dubbed the Windows malware families used by these cyberspies KASPERAGENT and MICROPSIA. The Android threats are being tracked as SECUREUPDATE and VAMP.

The attackers delivered their malware using fake news websites and spear-phishing emails containing shortened links. Two of the links analyzed by researchers had been clicked hundreds of times.

KASPERAGENT, named so based on a “Kasper” string found in several of the analyzed samples, is used as a reconnaissance tool and downloader for other payloads. However, some of the samples include additional capabilities that allow the hackers to steal passwords from Chrome and Firefox, take screenshots, log keystrokes, execute arbitrary commands, exfiltrate files, and update the malware.

The second Windows malware family used by Two-Tailed Scorpion is MICROPSIA, which allows attackers to log keystrokes, capture screenshots, and steal Office documents.

Researchers initially found no connection between the two malware families, but they eventually uncovered a link: an email address used to register the command and control (C&C) domains.

Some of the domains registered with that email address were also found to host Android malware disguised as harmless applications. One of them is SECUREUPDATE, a backdoor that acts as a downloader for other malware.

The second Android malware is VAMP, which can record calls, harvest contact information, access messages, and steal documents from the infected device.

Both the Android and Windows malware attacks also involve phishing websites that attempt to trick users into handing over their credentials.

Palo Alto has discovered roughly 200 samples of the Windows malware and 17 Android malware samples. The security firm has been monitoring the threat since March 2016, but the KASPERAGENT malware had been used since at least July 2015.

“Through this campaign there is little doubt that the attackers have been able to gain a great deal of information from their targets,” explained Palo Alto Networks researchers. “The scale of the campaign in terms of sheer numbers of samples and the maintenance of several different malware families involved suggests a reasonably sized team and that the campaign is not being perpetrated by a lone wolf, but rather a small team attackers.”

Related: Hamas ‘Honey Trap’ Dupes Israeli Soldiers

Related: Middle East Governments Targeted With RanRan Ransomware

Related: Users in Middle East Targeted in “Moonlight” Espionage Campaign

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.