Attacks/Breaches
11/12/2012
12:06 PM
50%
50%

Espionage Malware Network Targets Israel, Palestine

Botnet operators have been infecting multiple targets for more than a year using phishing attacks and Xtreme RAT, reports security firm.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
Security researchers have discovered a botnet-driven malware espionage campaign focused on Middle Eastern targets in Israel and Palestine. The most recently known related exploit was launched on Oct. 31, 2012.

"These attacks are likely performed by the same attacker, as the malware in question communicate with the same command-and-control structures, and in many cases are signed using the same digital certificate," said Snorre Fagerland, principal security researcher at Norway-based security firm Norman, in a report detailing the attacks. "These attacks have been ongoing for at least a year; seemingly first focused on Palestinians, then Israelis. The attacker is unknown at this point, but the purpose is assumed to be espionage/surveillance."

Norman has tied the underlying malicious infrastructure to a series of targeted attacks launched last month against Israeli police force computers, which led officials to temporarily take police computers offline and to ban the use of removable media, according to news reports.

[ Are fears of Iranian cyber attackers overblown? Read Frankenstory: Attack Of The Iranian Cyber Warriors. ]

Last month, Trend Micro studied samples of the malware and said at least one related attack apparently targeted the Israeli customs agency. "The attack began with a spammed message purporting to come from the head of the Israel Defense Forces Benny Gatz," read a blog post from Ivan Macalintal, a threat research manager at Trend Micro. Like the supposed sender, the phishing email's subject line --"IDF strikes militants in Gaza Strip following rocket barrage"-- was meant to entice targets into opening the attachment, which contained a disguised and compressed version of the Xtreme remote access Trojan (RAT).

The latest version of the Xtreme RAT is compatible with Windows 8 and can capture audio and steal passwords from Chrome, Firefox, Opera and Safari browsers. "XtremeRat is a commercially available backdoor Trojan which has been used in many attacks, targeted and otherwise, over the years," said Fagerland. "It gained some notoriety in connection with attacks against Syrian activists; along with other off-the-shelf Trojans such as BlackShades and DarkComet." It has also been used in a number of operations involving surveillance or remote-access exploits.

According to Norman, versions of the attack that it recovered included a malicious executable file -- disguised with the .SCR file extension and named to relate to various high-profile news stories in Israel -- that contained a self-extracting archive (in .SFX format), which itself contained multiple files. Those files included a harmless "barrage.doc" file along with a file named "Word.exe," which was in reality the XtremeRAT backdoor software.

All the emails used in the attacks were signed using the same faked digital certificate, which appeared to be from Microsoft. Interestingly, Norman found that attacks using that same faked certificate date back to at least May 2012 and have been controlled by botnet command-and-control (C&C) servers located in the United States. Upon further investigation, Norman discovered that since at least October 2011, other malware -- mostly versions of Xtreme RAT -- have been communicating with the same C&C infrastructure, as well as entire other botnets, which again are largely based at U.S. hosting services. "It is logical to assume that all these have been part of a medium/large surveillance operation," said Fagerland.

To date, many espionage malware operations focused on the Middle East have been traced to the United States government -- including Stuxnet, Flame, and Duqu -- and in the case of Stuxnet, also Israel. But not all malware that's targeting the Middle East has been launched by the United States. Notably, many security experts believe that the Mahdi malware was developed by Iran, for the purpose of spying on Iranians.

At first, the newly discovered Xtreme RAT attack campaign seemed to be a straight-up operation targeting Israel. But Norman then discovered an earlier series of attacks, launched using the same C&C infrastructure, which didn't target Israel but Palestine. Notably, the bait emails used in the attacks were written in Arabic and referred to issues that would be of greatest interest to Palestinians. The earlier series of attacks, which appear to have begun in the spring of 2012, relied in part on IP addresses owned by a service provider based in Ramallah, in the West Bank.

Norman's Fagerland said that the IP address ranges -- which change every few days -- that were used in the attacks may not reveal the botnet's controllers, as they likely launched their attacks from "hacked boxes." Furthermore, because the botnet targeted both Palestine and Israel, it's difficult to identify exactly who's behind the attacks.

Regardless, he said, the bigger picture is that the attacks demonstrate just how easy -- and relatively affordable -- it can be to launch an advanced persistent threat (APT) attack with commercially available tools. "Using largely off-the-shelf malware, the cost of mounting such an operation is considerably lower than for those who do their own malware development," Fagerland said.

Building a more robust network vulnerability management program can help you identify security holes before an attacker does, as well as develop more secure systems and applications in the future. In the A Guide To Network Vulnerability Management report, we examine the products and practices that will get you there. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
11/17/2012 | 7:50:12 PM
re: Espionage Malware Network Targets Israel, Palestine
I have read a bit about Extreme Rat and its success in the enamelware department. Who ever is behind the attacks is going to be a third party that is obviously not suspected. Or is it a clever trick by attacking both side as to cause of confusion? The attackers also have must have specific knowledge of the targets that they are attacking, if they are enticing the targets with their own local headlines. It does not surprise me what you can buy with money, anything is obtainable especially such a successful malware tool for attackers. From what else I have read it goes pretty cheap ranging from $100-$300, sounds pretty affordable for the roi!

Paul Sprague
InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7402
Published: 2014-12-17
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7170
Published: 2014-12-17
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.