Security Experts:

Connect with us

Hi, what are you looking for?



Gaza Threat Group Targeting Israeli Organizations: Trend Micro

Researchers at Trend Micro have been monitoring the activities of a threat group focusing its efforts on stealing sensitive information from Israeli organizations.

Researchers at Trend Micro have been monitoring the activities of a threat group focusing its efforts on stealing sensitive information from Israeli organizations.

Based on the malware samples analyzed by the security firm, the campaign, dubbed Operation Arid Viper, has been ongoing since mid-2013. Experts believe the attackers have “strong Arab ties” and they are located in Gaza, Palestine.

The list of targets includes a government office, a military organization, an academic institution, and transport service/infrastructure providers based in Israel. Several unidentified Israeli individuals and an academic institution in Kuwait have also been targeted, Trend Micro said.

The attacks start with a spear-phishing email carrying a piece of malware. The malware is also accompanied by a short pornographic video, which is most likely designed to take victims’ focus away from the malicious actions taking place on the infected system, researchers noted.

Once it infects a device, the malware starts searching for Word documents, Excel spreadsheets, PowerPoint presentations, and text files. The list of potentially interesting files is sent back to the command and control (C&C) server, which tells the malware if the documents are interesting or not based on a hard-coded blacklist. This step is most likely designed to prevent the malware from harvesting useless documents, such as “readme.txt” files. Documents that present an interest are compressed and uploaded to the C&C server.

While analyzing the C&C servers, which are located in Germany, researchers uncovered a different, far less sophisticated campaign whose objective appears to be the theft of potentially incriminating or compromising image files that are likely leveraged for blackmail.

This second operation, dubbed Advtravel, appears to be the work of actors with far less technical knowledge whose main targets are individuals from Egypt. The attackers seem to be located in Egypt, according to Trend Micro.

While Advtravel and Arid Viper have completely different targets and they use different pieces of malware, they do have several things in common. First of all, the actors behind the two campaigns share C&C servers. Secondly, the domains used in the attacks have been registered by the same individuals. Finally, the Advtravel group appears to be located in Egypt, but it does have ties to the Gaza Strip.

Trend Micro has tracked down the individuals whose email addresses have been used to register the attack domains. Social media profiles linked to the email addresses show that the individuals have strong anti-Israel beliefs and some of them might have been involved in cyberattacks launched by a hacktivist group called the Gaza Hacker Team against Israeli websites.

One of the online monikers identified by researchers, ViruS_HimA, is the one used by an Egyptian hacker who in 2012 claimed to have breached the systems of Yahoo and Adobe.

“On one hand, we have a sophisticated targeted attack, and on the other a less skilled attack that has all the hallmarks of beginner hackers. So why would these groups be working together?” said Trend Micro. “Our working theory (and subject of continuing investigation) is that there may be an overarching organization or underground community that helps support Arab hackers fight back against perceived enemies of Islam. They may do this by helping set up infrastructures, suggest targets and so on.”

The complete report, Operation Arid Viper: Bypassing the Iron Dome, is available online.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


Albanian prosecutors on Wednesday asked for the house arrest of five public employees they blame for not protecting the country from a cyberattack by...


While cyber eyes are trained on Russia, we should remember that it is not the West’s only cyber adversary. China, Iran, and North Korea...