‘Arid Viper’ threat actors retreat as attacks continue in Israel and Kuwait
Wed 25 Feb 2015
In an update to their continuing investigation into the Arid Viper middle-east malware campaign, researchers at Trend Micro report that the individuals their original findings tentatively linked to the campaign’s command-and-control servers appear to be in active retreat. They also state that the configuration and location of the C&C servers involved have not changed, and that attacks bearing the Arid Viper signature have continued despite the publicity the campaign has received.
Trend Micro has identified two Arid Viper attacks subsequent to the release of its report on 16th February, targeting Kuwait and Israel respectively.
Arid Viper was characterised by the recent Trend Micro report as the work of Palestinian threat actors using sophisticated cyber-attack techniques, combined with social engineering and phishing, to exfiltrate data from notable targets in the Israeli government. At the same time the security company reported on a far less adept hacking group dubbed ‘AdTravel’, which conducted cruder attacks against Arab targets in Egypt but appeared to use much of the same infrastructure as Arid Viper. That overlap suggested to the researchers the possibility of an Arab-based ‘supra-organization’ capable of offering cyber-infrastructure resources to diverse activists and hackers who, while aligned with Arab sympathies, might have very different goals.
The new update notes that several of the individuals named in the original report [PDF] seem to be going to ground. One of these is Fathy Mostafa, a programmer with skills in C#, the programming language used to create AdTravel. The 16th February Trend Micro report includes screenshots of AdTravel under development, which it associates with Mostafa.
Fathy Mostafa’s Facebook account, screenshotted in the original report, is no longer active. Various internet accounts and services associated with a suspected key player in the campaigns, Ebrahim Said El-Sharawy – also known as ‘Dev_Hima’ – have also been altered or removed, including accounts on Twitter, Facebook, Blogspot and Hacker.org. El-Sharawy’s personal website, which had formerly hosted possible attack tools, now shows only a front-page index reading ‘Closed by DevHima’.
However El-Sharawy’s robots.txt file – the small text file which tells search engine crawlers which paths they are asked not to fetch – does not actually disallow any of the site’s pages, so nothing has asked Google to stop crawling them and, at the time of writing, Google still lists the site’s contents. Blanking a page’s index does not remove copies already held by a search engine in any case, and the former state of the now blanked-out pages is easily revealed through Google’s cache. For instance, one cached page full of embedded, scantly viewed YouTube videos, mostly uploaded in September 2013, gives detailed instructions on downloading and using the DevPCTwitter malware, explained by Trend Micro as a program which ‘allows attackers to control a target system using a Twitter account’.
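A quick way to check what a robots.txt really withholds, rather than what it appears to, is to parse it the way a crawler does and ask about concrete paths. The following is an added example and not code from the article or from Trend Micro; the two robots.txt bodies and the sample paths are constructed for illustration and do not reproduce the real site’s file. It shows the common gotcha at issue here: an empty Disallow directive permits everything, so a file can look restrictive while blocking nothing.

```python
"""Report which paths a robots.txt actually asks a crawler to stay away from.

Added example, not from the article or Trend Micro. The robots.txt
contents and paths below are constructed for illustration.
"""
from urllib import robotparser

# Constructed: a robots.txt that looks like a restriction but blocks nothing.
# An empty Disallow value means "nothing is disallowed", i.e. allow everything.
PERMISSIVE = """\
User-agent: *
Disallow:
"""

# Constructed: the same file rewritten so crawlers are asked to keep out
# of two directories that might have held tooling or downloads.
RESTRICTIVE = """\
User-agent: *
Disallow: /tools/
Disallow: /downloads/
"""

# Constructed sample paths to test against each policy.
SAMPLE_PATHS = ["/", "/tools/howto.html", "/downloads/setup.zip", "/about.html"]


def disallowed_paths(robots_txt, paths, user_agent="Googlebot"):
    """Return the subset of `paths` that `robots_txt` asks `user_agent` not to crawl.

    robots.txt is advisory: a compliant crawler honours it, but a Disallow
    only stops future fetches. It does not purge copies a search engine
    already holds, so an earlier cached version of a page can outlive the
    page itself.
    """
    rp = robotparser.RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return [p for p in paths if not rp.can_fetch(user_agent, p)]


if __name__ == "__main__":
    for label, policy in (("permissive", PERMISSIVE), ("restrictive", RESTRICTIVE)):
        print(f"{label}: blocked = {disallowed_paths(policy, SAMPLE_PATHS)}")
```

With the permissive file every path is fetchable, which is the situation the article describes; only the restrictive rewrite causes the two tooling paths to be reported as blocked, and even then previously cached copies remain until the engine recrawls or a removal request is made.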
How to set DevPcTwitter Settings (16 views at the time of writing)
The site’s Google-cached page on DevSpy provided download links for the DevSpy software, characterised by Trend Micro as ‘simply a piece of spyware’, despite its avowed usefulness as a monitoring system for parents to keep track of their children’s online activities.
Trend Micro notes that none of the individuals named in its 16th February report has contacted the company in an effort to set the record straight. It has, however, amended the report in one respect: the email address used by one Khalid Samraa to register one of the Arid Viper C&C servers turns out to have been used simply to register a domain on a client’s behalf, and Trend Micro now states that Mr. Samraa appears to have no involvement in the Arid Viper or AdTravel campaigns.
The company’s investigation continues.