‘Operation Arid Viper’ targeted Israeli organisations with phishing attacks
Mon 16 Feb 2015

A new security report presents evidence of concerted cyber-attacks against high-level Israeli targets by pro-Gaza concerns over the past year. The report [PDF] by security researchers at Trend Micro details two linked campaigns with very different objectives and skill levels, indicating the possibility of ‘a supra-organization that provides means for Arab parties to commit acts of cyberviolence’.
The researchers linked a German-based network to the attacks, which have notable ties to Gaza and Palestine, and named a slew of individuals they believe to be associated with the campaigns, providing evidence of their connections to anti-Israeli groups.
The attack campaign which Trend Micro has dubbed ‘Operation Arid Viper’ is by far the more ambitious and adept of the two; though it uses very familiar phishing techniques and attack vectors to infect target machines and steal information from them, the writers of the report opine that the level of sophistication involved in the OAV attacks ‘goes over and beyond normal cybercrime’.
The Arid Viper attacks begin with a spear-phishing attempt – an email message from a non-existent sender to a specific recipient, overwhelmingly an influential address in the Israeli sphere. The email contains social engineering designed to trick the victim into running an attached executable file, which proceeds to add itself to the Windows registry so that the infection survives reboots. The enticement is offered via pornographic videos in .FLV or .MPG format, or alternatively by spoofing a genuine Windows Skype application.
After infection, the malware takes and saves screenshots of user activity, logs and stores keystrokes, and proceeds to trawl the victim machine for documents. Lists are sent to the originating actors, who decide whether or not the documents the infection lists are ‘interesting’; those judged interesting are sent back to the network’s command-and-control server via GET requests.
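The article describes documents leaving the victim machine inside GET requests. The following added example (not taken from the Trend Micro report or from this article) shows one way a defender could flag that pattern in web proxy logs by looking for repeated GETs that carry long, high-entropy query strings. The log format, addresses, host names, thresholds and payloads are all constructed assumptions.

```python
import base64, hashlib, math
from collections import Counter, defaultdict
from urllib.parse import urlsplit

MIN_QUERY_LEN = 200  # assumed threshold: characters in the query string
MIN_ENTROPY = 4.5    # assumed threshold: bits per character (encoded data is ~6)
MIN_HITS = 3         # suspicious GETs per (client, host) before alerting

def entropy(s):
    """Shannon entropy of a string in bits per character."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def find_get_exfil(lines):
    """Map (client, host) -> total query characters, for pairs that
    repeatedly send long, high-entropy query strings in GET requests."""
    hits = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or parts[1] != "GET":
            continue  # malformed line, or not a GET
        client, _, url = parts
        u = urlsplit(url)
        q = u.query
        if len(q) >= MIN_QUERY_LEN and entropy(q) >= MIN_ENTROPY:
            hits[(client, u.hostname)].append(len(q))
    return {k: sum(v) for k, v in hits.items() if len(v) >= MIN_HITS}

def _blob(i):
    """Constructed stand-in for an encoded file chunk (not real data)."""
    raw = b"".join(hashlib.sha256(bytes([i, j])).digest() for j in range(8))
    return base64.urlsafe_b64encode(raw).decode()

# Constructed proxy log: "<client> <method> <url>", reserved .example hosts.
SAMPLE_LOG = [
    "10.0.0.5 GET http://intranet.example/index.html",
    "10.0.0.5 GET http://search.example/?q=" + "a" * 300,  # long, low entropy
    "10.0.0.5 POST http://mail.example/send",
] + [f"10.0.0.7 GET http://upload.example/r.php?d={_blob(i)}" for i in range(4)
] + [f"10.0.0.9 GET http://cdn.example/t?x={_blob(9)}"]  # single hit only

if __name__ == "__main__":
    for (client, host), size in find_get_exfil(SAMPLE_LOG).items():
        print(f"ALERT {client} -> {host}: {size} query chars in repeated GETs")
```

Hex-encoded payloads have lower entropy per character than base64, so the entropy threshold needs tuning against the encodings and normal traffic seen on a given network.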
Interestingly, the researchers found that one of the control servers featured a very amateur misconfiguration, in that it listed directories. This allowed Trend Micro to examine and archive information that had been stolen, which included documents, screenshots and keystroke logs.
The second campaign, ‘Advtravel’, remains active and seems aimed at Arab victims in Egypt. The researchers note that it has a very different profile to OAV, since it targets the Egyptian-based Arab community and uses tools with far less effective install routines: “Advtravel […] looks very much like the work of less-skilled cybercriminals who appeared to be motivated neither by financial gain nor conducting espionage. Instead, they look like a classic group of beginner hackers just starting their careers.”
The first three C&C servers – which represent only part of the ‘supra-organisation’ which the two campaigns seem to share, according to the report – have IP addresses which correspond to Hetzner, Germany. The report notes one individual in Palestine who it contends was involved in the establishment of the C&C servers, presenting associations with pro-Gaza online activism groups. Several other individuals are named and listed with evidence, though Trend Micro admits that it cannot definitively prove association with Operation Arid Viper or Advtravel, due to the possibility of identity theft.
The report concludes:
“If our theory holds, we will see a host of cyber attacks with detrimental results stem from Arab countries in the near future. Internet users will be stuck in the middle of a battlefield they do not care much for.”