Researchers identify year-long cyberespionage operation targeting Israelis, Palestinians

Recent malware attack against the Israeli police is part of a larger campaign, Norman researchers say

The recent cyberattack that infected Israeli police computers with malware was likely part of a year-long cyberespionage operation with targets in Israel and the Palestinian territories, according to security researchers from antivirus vendor Norman.

At the end of October, the Israeli police shut down its computer network after a piece of malware was found on some of its systems. That malware was a remote access Trojan (RAT) program called Xtreme RAT, delivered in an archive attached to a spoofed email claiming to be from Benny Gantz, the chief of general staff of the Israel Defense Forces, according to a report from antivirus vendor Trend Micro.

The RAR archive contained a file called "IDF strikes militants in Gaza Strip following rocket barrage.doc" followed by a long series of hyphens and .scr, Snorre Fagerland, principal security researcher at Norwegian antivirus vendor Norman, said Monday in a report.

The .scr file, whose name was crafted to hide its real extension, dropped other files on the system's hard drive when executed: a legitimate Word document that was used as bait, an icon file and an .exe file that was actually the Xtreme RAT installer. The Norman researchers noticed that the .exe file was digitally signed with an untrusted, self-generated Microsoft certificate.
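The naming trick above (a document-looking name, a long run of filler characters, then an executable extension that scrolls out of view) is easy to catch mechanically when an archive's file listing is scanned before anyone double-clicks. The following is an added example, not code from the Norman or Trend Micro reports; the extension lists and the sample archive listing are constructed for illustration.

```python
import re

# Extensions an attacker may show as the visible "bait" part of a name (constructed list).
BAIT_EXTS = ("doc", "docx", "rtf", "pdf", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png")
# Extensions Windows runs as code when the file is double-clicked (constructed list).
EXEC_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta", "lnk", "msi"}

# A bait extension followed by something that is not a letter or digit (space, hyphen, end of stem).
BAIT_EXT_RE = re.compile(r"\.(" + "|".join(BAIT_EXTS) + r")(?![a-z0-9])")
# Filler characters used to push the real extension past the edge of a file dialog or mail client.
FILLER_RE = re.compile(r"[ \t\u00a0\-_.]+")


def analyze_filename(name):
    """Return a list of reasons the name looks deceptive; an empty list means nothing was found."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]  # archive entries may carry a path
    lower = base.lower()
    if "." not in lower:
        return []
    stem, real_ext = lower.rsplit(".", 1)
    real_ext = real_ext.strip()
    if real_ext not in EXEC_EXTS:
        return []  # what Windows will open is what the name says it is
    reasons = []
    match = BAIT_EXT_RE.search(stem)
    if match:
        reasons.append(
            f"bait extension .{match.group(1)} appears before the real extension .{real_ext}")
        filler = stem[match.end():]
        if filler and FILLER_RE.fullmatch(filler):
            reasons.append(f"{len(filler)} filler characters push .{real_ext} out of view")
    return reasons


def scan_listing(names):
    """Run analyze_filename over an archive listing; return (name, reasons) for flagged entries."""
    flagged = []
    for name in names:
        reasons = analyze_filename(name)
        if reasons:
            flagged.append((name, reasons))
    return flagged


# Constructed archive listing: the first entry mimics the pattern described in the article.
SAMPLE_LISTING = [
    "IDF strikes militants in Gaza Strip following rocket barrage.doc" + "-" * 60 + ".scr",
    "quarterly_report.pdf",
    "holiday_photo.jpg.scr",
    "tools/setup.exe",
    "invoice.pdf" + " " * 40 + ".exe",
]

if __name__ == "__main__":
    for name, reasons in scan_listing(SAMPLE_LISTING):
        print(name[:50] + ("..." if len(name) > 50 else ""))
        for reason in reasons:
            print("   -", reason)
```

The check deliberately keys on the extension Windows will actually use (the last one), so a plain `setup.exe` is not flagged while `photo.jpg.scr` is; the filler rule only adds weight when the gap between the two extensions consists entirely of padding characters.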

This certificate would not be validated by Windows, but the attackers probably hoped that it would trick people who manually inspected the file or would allow the malware to bypass the detection of some security products, Fagerland said.

This is not a new technique. However, what the attackers didn't realize is that the file's digital signature can be used to track down their previous attacks, since they didn't bother to change the certificate when generating new malicious files, Fagerland said.

Norman researchers searched the company's malware database for executable files signed with the same certificate and found other samples that had been used in similar email-based attacks since May. The contents of the bait documents used in those attacks suggested that the targets were from Israel.

A further analysis of the malware samples revealed that they were predominantly Xtreme RAT variants and connected back to a number of hostnames registered with free dynamic DNS providers. Many of those hostnames pointed to the same IP addresses.

Most of the IP addresses used recently are owned by U.S.-based hosting providers, which suggests that the attackers are hosting their command and control (C&C) servers in the U.S. However, that wasn't always the case.

Until the summer of this year, the hostnames pointed to IP addresses belonging to an ISP from the city of Ramallah in the West Bank, Fagerland said.

By searching for malware that historically connected to the same hosts, the Norman researchers managed to find even more Xtreme RAT samples, the oldest of which dated back to October 2011. Some of those samples were used in email attacks that, based on their bait documents, most likely targeted Palestinians, not Israelis, Fagerland said.
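The pivoting described in the last few paragraphs is a graph problem: samples that share a signing certificate, or whose C&C hostnames resolved to the same IP address at some point, are linked into one cluster, and following those links outward from one known sample recovers the rest of the campaign. The script below is an added illustration of that technique, not Norman's tooling; the sample identifiers, certificate thumbprints, hostnames and IP addresses are all constructed (the IPs are from documentation ranges) and only mirror the shape of the story: three samples signed with one self-generated certificate, a hostname that moved from one IP to another, and an older unsigned sample that only shares the earlier IP.

```python
from collections import defaultdict

# Constructed sample metadata: id, signer certificate thumbprint (None if unsigned), C&C hostnames.
SAMPLES = [
    {"id": "police-oct-2012", "signer": "SELF-SIGNED-THUMB-1", "c2": ["alpha.dyn.example"]},
    {"id": "bait-may-2012",   "signer": "SELF-SIGNED-THUMB-1", "c2": ["beta.dyn.example"]},
    {"id": "bait-jul-2012",   "signer": "SELF-SIGNED-THUMB-1", "c2": ["alpha.dyn.example"]},
    {"id": "old-oct-2011",    "signer": None,                  "c2": ["gamma.dyn.example"]},
    {"id": "unrelated",       "signer": "OTHER-THUMB",         "c2": ["delta.dyn.example"]},
]

# Constructed passive-DNS style history: every IP a hostname has pointed to, old and new.
RESOLUTIONS = {
    "alpha.dyn.example": ["203.0.113.10", "192.0.2.77"],  # moved from 192.0.2.77 to 203.0.113.10
    "beta.dyn.example":  ["203.0.113.10"],
    "gamma.dyn.example": ["192.0.2.77"],
    "delta.dyn.example": ["198.51.100.5"],
}


def shared_attributes(samples, resolutions):
    """Map each pivotable attribute (signer thumbprint, resolved C&C IP) to the samples carrying it."""
    index = defaultdict(set)
    for sample in samples:
        if sample["signer"]:
            index["signer:" + sample["signer"]].add(sample["id"])
        for host in sample["c2"]:
            for ip in resolutions.get(host, ()):
                index["ip:" + ip].add(sample["id"])
    return index


def cluster_samples(samples, resolutions):
    """Union-find over shared attributes. Returns (clusters, edges); each edge records the pivot
    attribute that linked two samples, so an analyst can see why a sample landed in a cluster."""
    parent = {s["id"]: s["id"] for s in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    edges = []
    for attr, ids in sorted(shared_attributes(samples, resolutions).items()):
        ids = sorted(ids)
        for other in ids[1:]:
            union(ids[0], other)
            edges.append((ids[0], other, attr))

    groups = defaultdict(list)
    for sample_id in parent:
        groups[find(sample_id)].append(sample_id)
    clusters = sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))
    return clusters, edges


if __name__ == "__main__":
    clusters, edges = cluster_samples(SAMPLES, RESOLUTIONS)
    for i, cluster in enumerate(clusters, 1):
        print(f"cluster {i}: {', '.join(cluster)}")
    for a, b, attr in edges:
        print(f"  {a} <-> {b} via {attr}")
```

Two points carry over to real data. First, a self-signed certificate is a strong pivot precisely because nobody else will have it, whereas a shared hosting IP is weak evidence on its own and should be weighted or time-bounded before it is allowed to merge clusters. Second, the `edges` list is what makes the result defensible: a cluster that cannot be explained link by link is not attribution, just a blob.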

The moving of C&C servers from the West Bank to the U.S. might have been triggered by the later switch in targets, Fagerland said. Seeing network traffic directed at an IP address in Palestine might raise suspicion for an Israeli individual or organization, but seeing connections with U.S. IP addresses would be common, he said.

The Norman researchers did not have access to the C&C servers or the opportunity to analyze a machine infected with one of the samples in order to determine what kind of data the attackers were after. However, the evidence gathered by analyzing the malicious files alone points to a year-long cyberespionage operation carried out by the same group of attackers, Fagerland said.

"We have the impression that a cybersurveillance operation is underway (and is probably still ongoing -- most recent sample created Oct. 31) which was first mainly focused on Palestinian targets, then shifted towards Israel," Fagerland said in the report. "The reason for the shift is unknown. Maybe it was planned all along; or caused by changes in the political climate; or maybe the first half of the operation found data that caused the target change."

It's difficult to say who is behind the attacks, Fagerland said. It might be a government organization, a political group or a group of independent hackers, he said.

The attacks are not sophisticated in nature and did not require a lot of resources to pull off. The attackers used free hostnames instead of buying domain names, used cheap hosting solutions for their C&C infrastructure and used Xtreme RAT instead of building their own malware. Xtreme RAT is one of the cheapest remote access Trojan programs available; a standard set-up costs around $40, Fagerland said.

The attackers forgot to scrub the metadata from their bait documents, which revealed the names or aliases of the people who created the files: Hitham, anar, Ayman, Tohan, ahmed, aert or HinT.

Some configuration strings found in the RAR archive that was used in the attack against the Israeli police suggest that the file's author was using the Arabic language on his computer when creating it, Jaime Blasco, head of the research lab at security firm AlienVault, said Monday via email.

"During this year we have been tracking several ongoing espionage campaigns that use XtremeRAT as the tool for accessing the victims," Blasco said. "At the beginning of the year the usage of XtremeRAT was spotted as part of a cyber espionage campaign against Syrian dissidents."

Lucian Constantin

IDG News Service