Attacks/Breaches
11/12/2012
12:06 PM
50%
50%

Espionage Malware Network Targets Israel, Palestine

Botnet operators have been infecting multiple targets for more than a year using phishing attacks and Xtreme RAT, reports security firm.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
Security researchers have discovered a botnet-driven malware espionage campaign focused on Middle Eastern targets in Israel and Palestine. The most recently known related exploit was launched on Oct. 31, 2012.

"These attacks are likely performed by the same attacker, as the malware in question communicate with the same command-and-control structures, and in many cases are signed using the same digital certificate," said Snorre Fagerland, principal security researcher at Norway-based security firm Norman, in a report detailing the attacks. "These attacks have been ongoing for at least a year; seemingly first focused on Palestinians, then Israelis. The attacker is unknown at this point, but the purpose is assumed to be espionage/surveillance."

Norman has tied the underlying malicious infrastructure to a series of targeted attacks launched last month against Israeli police force computers, which led officials to temporarily take police computers offline and to ban the use of removable media, according to news reports.

[ Are fears of Iranian cyber attackers overblown? Read Frankenstory: Attack Of The Iranian Cyber Warriors. ]

Last month, Trend Micro studied samples of the malware and said at least one related attack apparently targeted the Israeli customs agency. "The attack began with a spammed message purporting to come from the head of the Israel Defense Forces Benny Gatz," read a blog post from Ivan Macalintal, a threat research manager at Trend Micro. Like the supposed sender, the phishing email's subject line --"IDF strikes militants in Gaza Strip following rocket barrage"-- was meant to entice targets into opening the attachment, which contained a disguised and compressed version of the Xtreme remote access Trojan (RAT).

The latest version of the Xtreme RAT is compatible with Windows 8 and can capture audio and steal passwords from Chrome, Firefox, Opera and Safari browsers. "XtremeRat is a commercially available backdoor Trojan which has been used in many attacks, targeted and otherwise, over the years," said Fagerland. "It gained some notoriety in connection with attacks against Syrian activists; along with other off-the-shelf Trojans such as BlackShades and DarkComet." It has also been used in a number of operations involving surveillance or remote-access exploits.

According to Norman, versions of the attack that it recovered included a malicious executable file -- disguised with the .SCR file extension and named to relate to various high-profile news stories in Israel -- that contained a self-extracting archive (in .SFX format), which itself contained multiple files. Those files included a harmless "barrage.doc" file along with a file named "Word.exe," which was in reality the XtremeRAT backdoor software.

All the emails used in the attacks were signed using the same faked digital certificate, which appeared to be from Microsoft. Interestingly, Norman found that attacks using that same faked certificate date back to at least May 2012 and have been controlled by botnet command-and-control (C&C) servers located in the United States. Upon further investigation, Norman discovered that since at least October 2011, other malware -- mostly versions of Xtreme RAT -- have been communicating with the same C&C infrastructure, as well as entire other botnets, which again are largely based at U.S. hosting services. "It is logical to assume that all these have been part of a medium/large surveillance operation," said Fagerland.

To date, many espionage malware operations focused on the Middle East have been traced to the United States government -- including Stuxnet, Flame, and Duqu -- and in the case of Stuxnet, also Israel. But not all malware that's targeting the Middle East has been launched by the United States. Notably, many security experts believe that the Mahdi malware was developed by Iran, for the purpose of spying on Iranians.

At first, the newly discovered Xtreme RAT attack campaign seemed to be a straight-up operation targeting Israel. But Norman then discovered an earlier series of attacks, launched using the same C&C infrastructure, which didn't target Israel but Palestine. Notably, the bait emails used in the attacks were written in Arabic and referred to issues that would be of greatest interest to Palestinians. The earlier series of attacks, which appear to have begun in the spring of 2012, relied in part on IP addresses owned by a service provider based in Ramallah, in the West Bank.

Norman's Fagerland said that the IP address ranges -- which change every few days -- that were used in the attacks may not reveal the botnet's controllers, as they likely launched their attacks from "hacked boxes." Furthermore, because the botnet targeted both Palestine and Israel, it's difficult to identify exactly who's behind the attacks.

Regardless, he said, the bigger picture is that the attacks demonstrate just how easy -- and relatively affordable -- it can be to launch an advanced persistent threat (APT) attack with commercially available tools. "Using largely off-the-shelf malware, the cost of mounting such an operation is considerably lower than for those who do their own malware development," Fagerland said.

Building a more robust network vulnerability management program can help you identify security holes before an attacker does, as well as develop more secure systems and applications in the future. In the A Guide To Network Vulnerability Management report, we examine the products and practices that will get you there. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
11/17/2012 | 7:50:12 PM
re: Espionage Malware Network Targets Israel, Palestine
I have read a bit about Extreme Rat and its success in the enamelware department. Who ever is behind the attacks is going to be a third party that is obviously not suspected. Or is it a clever trick by attacking both side as to cause of confusion? The attackers also have must have specific knowledge of the targets that they are attacking, if they are enticing the targets with their own local headlines. It does not surprise me what you can buy with money, anything is obtainable especially such a successful malware tool for attackers. From what else I have read it goes pretty cheap ranging from $100-$300, sounds pretty affordable for the roi!

Paul Sprague
InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1449
Published: 2014-12-25
The Maxthon Cloud Browser application before 4.1.6.2000 for Android allows remote attackers to spoof the address bar via crafted JavaScript code that uses the history API.

CVE-2014-2217
Published: 2014-12-25
Absolute path traversal vulnerability in the RadAsyncUpload control in the RadControls in Telerik UI for ASP.NET AJAX before Q3 2012 SP2 allows remote attackers to write to arbitrary files, and consequently execute arbitrary code, via a full pathname in the UploadID metadata value.

CVE-2014-3971
Published: 2014-12-25
The CmdAuthenticate::_authenticateX509 function in db/commands/authentication_commands.cpp in mongod in MongoDB 2.6.x before 2.6.2 allows remote attackers to cause a denial of service (daemon crash) by attempting authentication with an invalid X.509 client certificate.

CVE-2014-7193
Published: 2014-12-25
The Crumb plugin before 3.0.0 for Node.js does not properly restrict token access in situations where a hapi route handler has CORS enabled, which allows remote attackers to obtain sensitive information, and potentially obtain the ability to spoof requests to non-CORS routes, via a crafted web site ...

CVE-2014-7300
Published: 2014-12-25
GNOME Shell 3.14.x before 3.14.1, when the Screen Lock feature is used, does not limit the aggregate memory consumption of all active PrtSc requests, which allows physically proximate attackers to execute arbitrary commands on an unattended workstation by making many PrtSc requests and leveraging a ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.