Palestinian law enforcement agencies and other targets within Palestine were targeted in a spear phishing campaign delivering malware to remotely control infected systems, Talos researchers reveal.
The actor behind this campaign “has appeared to have used genuine documents stolen from Palestinian sources as well as a controversial music video as part of the attack,” Talos says. The attacker also referenced TV show characters and included German language words within the attack, researchers discovered.
Information on these attacks initially emerged in March from Chinese security firm Qihoo 360, and in early April, when researchers at Palo Alto Networks and ClearSky revealed four malware families being used in targeted campaigns in the Middle East: Windows-based Kasperagent and Micropsia, and Android-focused SecureUpdate and Vamp.
Last week, ThreatConnect shared some additional information on Kasperagent, sayung the threat was mainly used as a reconnaissance tool and downloader, but that newer samples can also steal passwords from browsers, take screenshots, log keystrokes, execute arbitrary commands, and exfiltrate files.
Focusing on Micropsia, Talos’ new report also reveals that Palestinian law enforcement agencies were the main target in the analyzed campaign. The attack featured spear phishing emails purportedly coming from an individual named “Yasser Saad,” but which included a mismatch: the email address suggested “Yasser Saaid” was the sender.
A .r10 file was attached, suggesting it is part of a split archive, but instead it was a disguised RAR, with a malicious “InternetPolicy_xxx_pdf.exe” file inside. When the file is run, a decoy InternetPolicy.pdf file containing 7 pages is displayed, while the Micropsia Remote Administration Tool (RAT) is executed in the background.
Drive-by download campaigns that drop variants of the malware but use different decoy documents were also observed, Talos says.
Written in Delphi, the RAT uses a legitimate binary developed by OptimumX to create a shortcut to ensure persistence. The malware’s configuration file contains the User-Agent, the command and control (C&C) URL and the json keys used for the network communication.
Micropsia can connect to the C&C infrastructure to download and run an executable received in string format and then modified to become a binary file with the Hex2Bin Delphi API. It also uses WMI queries to get information about the anti-virus program running on the machine. These details are sent to the attacker.
The malware registers with the C&C via HTTP, sending information such as the filename of the executed malware and the version; the version of the infected Operating System; and the hostname and username encoded in base64. The server would respond in json format with an ID and 3 other Boolean values.
Talos reports that over 500 systems are already registered with the C&C server (the ID is incremented at each new infection). However, the researchers also suggest that some of these hosts could be security researcher sandbox systems.
Moreover, several German words were found in the network communication: Betriebssystem (operating system), Anwendung (application), and Ausfahrt (exit). This doesn’t mean the actor is German, but that they might be trying to cover their tracks.
“In this [campaign] one of the most surprising elements is the overt naming convention: the author deliberately uses references to several US TV show and intentionally uses German words for malware communication. We have no indication if these inclusions are to confuse attribution, to mock analysts, or a lapse of trade craft. This is in contrast to the highly convincing decoy documents which appear to be copies of genuine documents relating to the current situation in Palestine which suggests a high degree of professionalism,” Talos concludes.