A prolific Middle East team with links to Hamas is using malware and dedicated infrastructure to target high-ranking Israeli officials and steal sensitive data from Windows and Android devices.
The advanced persistent threat (APT) group – known by some as Arid Viper, Desert Falcon and FrozenCell, among other names – set up an elaborate cyberespionage campaign, spending months rolling out fake Facebook accounts to target specific potential Israeli victims, according to Cybereason’s Nocturnus threat intelligence team.
“These fake accounts have operated for months, and seem relatively authentic to the unsuspecting user,” the security shop’s Nocturnus team wrote in a report released today.
“The operators seem to have invested considerable effort in ‘tending’ these profiles, expanding their social network by joining popular Israeli groups, writing posts in Hebrew, and adding friends of the potential victims as friends” the researchers found.
“Over time, the operators of the fake profiles were able to become ‘friends’ with a broad spectrum of Israeli citizens, among them some high-profile targets that work for sensitive organizations including defense, law enforcement, emergency services and other government-related organizations,
Barbie comes with all your data
The campaign, which Nocturnus dubbed “Operation Bearded Barbie”, is a departure for APT-C-23 that has operated in the Middle East for years but typically focused on Arabic-speaking targets. The group has used the same relatively unsophisticated tools and techniques in other campaigns over the years.
However, in this new effort, the threat group is using a fresh set of tools – dubbed Barb(ie) Downloader and BarbWire Backdoor – in its malware that include enhanced techniques for evading detection and a focus on operational security. The group also is leveraging an upgraded VolatileVenom Android implant for this campaign. With this approach, once a user is convinced to download the malware, it’s game over.
“In addition, all three malware [samples] in use were also specifically designed to be used against Israeli targets, and were not observed being used against other targets. … This ‘tight grip’ on their targets attests to how important and sensitive this campaign was for the threat actors.”
Oldest tricks in the book
The group used classic catphishing techniques (fake identities of attractive women in the Facebook profiles) to engage men. After gaining the trust of the victim, the operative suggests they move the conversation to WhatsApp – and gets the target’s mobile number in the process – and then often using sexually-themed content to convince the victim to engage with an even more discrete means of communication, such as a designed Android messaging app that contains the VolatileVenom malware.
They also lure victims into opening a .rar file that includes a video containing sexually explicit content. Once they click on the video, malware is installed on their Windows systems in the background while the target is distracted by the video, the researchers wrote.
Through the .rar vile, the Barb(ie) downloaded is used to install the BarbWire backdoor. It also runs a check to ensure that there are no obstacles like sandboxing or other analysis tools to installing BarbWire. The malware collects information about the system – such as username, the operating system version and running processes – and sends that to the control-and-command server (C2).
The backdoor comes with a number of techniques for hiding itself, from string encryption to API hashing and process protection, with the aim of giving the threat group complete control of the machine and running such tasks as keylogging, screen capturing, audio recording and downloading more malware. It searchers for such file extensions as PDF files, Office documents, videos and image files, as well as external media like a CD-ROM drive.
“Searching for such an old media format, together with the file extensions of interests, could suggest a focus on targets that tend to use more ‘physical’ formats to transfer and secure data, such as military, law enforcement, and healthcare,” the researchers wrote.
Once exfiltrated, the data is put in a .rar file and set to the C2. The Nocturnus team has detected three variants of the BarbWire backdoor.
Regarding VolatileVenom, APT-C-23 has been using the Android malware since about 2020. This campaign uses a fake messaging app named “Wink Chat” as a lure, but when the user tries to sign up for the app, an error message appears saying the app will be uninstalled. Meanwhile, the malware continues running in the background, detecting and stealing data before sending it to the C2.
“This campaign shows a considerable step-up in APT-C-23 capabilities, with upgraded stealth, more sophisticated malware, and perfection of their social engineering techniques which involve offensive HUMINT [human intelligence] capabilities using a very active and well-groomed network of fake Facebook accounts that have been proven quite effective for the group,” the researchers wrote. ®