Posted on April 7, 2022 at 8:36 PM
The notorious APT-C-23 hacking group has been discovered targeting high-ranking Israeli officials, including those in defense, emergency services, and law. The Hamas-backed hacking syndicate was found catfishing Israeli officials, leading to the deployment of new malware.
The campaign relies on elaborate social engineering, including long-term engagement with the target from a fake social media profile. Once the operators have gained the target’s trust, they move on to delivering spyware.
Cybereason analysts, who first discovered the campaign and named it “Operation Bearded Barbie”, stated that the threat group is also deploying new backdoors for Android devices and Windows systems for cyber espionage.
The Group’s Actions Are Politically Driven
APT-C-23 is also known as Two-tailed Scorpion, Desert Falcon, and AridViper. It’s a politically driven advanced persistent threat (APT) group that is active mostly in the Middle East.
The group has been discovered in the past carrying out spear-phishing attacks against Palestinian educational institutions, the military, as well as law enforcement agencies. The APT group has also attacked the Israeli Security Agency (ISA) in the past.
Earlier this year, researchers at Cisco Talos discovered the Desert Falcon attacks against activists linked with the Israeli-Palestine conflict. And yesterday, the research team at Cybereason’s Nocturnus Research published another finding on the threat group and their latest activities.
The recent activity was dubbed “Operation Bearded Barbie”, as it targets selected Israelis by compromising their systems and stealing sensitive data.
According to the researchers, both MoleRATs and APT-C-23 are sub-groups of the Hamas cyberwarfare division, which operates on the instructions of the Palestinian government.
Cybereason also noted that the group relies on social engineering before planting malware on the victim’s computer. According to the researchers, the APT group carries out reconnaissance on a victim and creates fake Facebook accounts. It then tries to deceive the target by enticing them to download a file which, unknown to the target, contains a Trojan. In most cases, the hackers create a catfish profile that appears to be a young woman.
The chats usually begin on Facebook and move to WhatsApp. From there, the catfish suggests that both parties switch to a more private messaging service. In another attack method, the group uses a sexually explicit video attached to a malicious .RAR archive.
The APT Now Uses More Advanced Weaponry
The researchers also stated that the APT group has upgraded its attack toolset with two new tools – the BarbWire Backdoor and the Barbie Downloader. It has also added a new implant variant called VolatileVenom.
The BarbWire Backdoor is described as a “very capable” malware strain that can achieve high levels of obfuscation via process protection, API hashing, as well as strong encryption.
It carries out various surveillance functions such as recording, audio eavesdropping, screen capture, and keylogging.
Additionally, the malware is sophisticated enough to maintain persistence on an infected device. Other functions it performs, according to the researchers, include exfiltrating data, downloading additional malware payloads, scheduling tasks, and encrypting content.
The Barbie Downloader, on the other hand, is used to install the BarbWire backdoor and can be delivered via the lure video. The downloader performs several anti-analysis checks, including scanning for the presence of sandboxes. Once the checks are complete, it proceeds with the backdoor installation.
Their Activities Make The APT Group More Sophisticated
The downloader also collects basic information about the operating system (OS) and sends it to the threat actor’s command-and-control (C2) server.
The backdoor generally looks for videos, images, PDF files, and Microsoft Office Documents on the compromised system and any connected device.
The new VolatileVenom variant was also spotted by Cybereason. It is an Android malware that is planted during the installation of the “discreet” messaging app. The malware was designed for surveillance and data theft.
VolatileVenom is capable of compromising the microphone and audio functions of an Android device. It can also record texts and calls made over WhatsApp, and read notifications from Instagram, Telegram, WhatsApp, Facebook, and other social media platforms.
VolatileVenom can also read contact lists and steal information, including app credentials, files, and SMS messages. Additionally, the malware can use the device’s camera to take photos, download files to the device, and tamper with Wi-Fi connections. This makes it highly sophisticated, as it can do almost anything on a compromised device, the researchers noted.