Researchers at Trend Micro have been monitoring the activities of a threat group focusing its efforts on stealing sensitive information from Israeli organizations.
Based on the malware samples analyzed by the security firm, the campaign, dubbed Operation Arid Viper, has been ongoing since mid-2013. Experts believe the attackers have “strong Arab ties” and they are located in Gaza, Palestine.
The list of targets includes a government office, a military organization, an academic institution, and transport service/infrastructure providers based in Israel. Several unidentified Israeli individuals and an academic institution in Kuwait have also been targeted, Trend Micro said.
The attacks start with a spear-phishing email carrying a piece of malware. The malware is also accompanied by a short pornographic video, which is most likely designed to take victims’ focus away from the malicious actions taking place on the infected system, researchers noted.
Once it infects a device, the malware starts searching for Word documents, Excel spreadsheets, PowerPoint presentations, and text files. The list of potentially interesting files is sent back to the command and control (C&C) server, which tells the malware if the documents are interesting or not based on a hard-coded blacklist. This step is most likely designed to prevent the malware from harvesting useless documents, such as “readme.txt” files. Documents that present an interest are compressed and uploaded to the C&C server.
While analyzing the C&C servers, which are located in Germany, researchers uncovered a different, far less sophisticated campaign whose objective appears to be the theft of potentially incriminating or compromising image files that are likely leveraged for blackmail.
This second operation, dubbed Advtravel, appears to be the work of actors with far less technical knowledge whose main targets are individuals from Egypt. The attackers seem to be located in Egypt, according to Trend Micro.
While Advtravel and Arid Viper have completely different targets and they use different pieces of malware, they do have several things in common. First of all, the actors behind the two campaigns share C&C servers. Secondly, the domains used in the attacks have been registered by the same individuals. Finally, the Advtravel group appears to be located in Egypt, but it does have ties to the Gaza Strip.
Trend Micro has tracked down the individuals whose email addresses have been used to register the attack domains. Social media profiles linked to the email addresses show that the individuals have strong anti-Israel beliefs and some of them might have been involved in cyberattacks launched by a hacktivist group called the Gaza Hacker Team against Israeli websites.
One of the online monikers identified by researchers, ViruS_HimA, is the one used by an Egyptian hacker who in 2012 claimed to have breached the systems of Yahoo and Adobe.
“On one hand, we have a sophisticated targeted attack, and on the other a less skilled attack that has all the hallmarks of beginner hackers. So why would these groups be working together?” said Trend Micro. “Our working theory (and subject of continuing investigation) is that there may be an overarching organization or underground community that helps support Arab hackers fight back against perceived enemies of Islam. They may do this by helping set up infrastructures, suggest targets and so on.”
The complete report, Operation Arid Viper: Bypassing the Iron Dome, is available online.