Attacks/Breaches
11/12/2012
12:06 PM
Connect Directly
RSS
E-Mail
50%
50%

Espionage Malware Network Targets Israel, Palestine

Botnet operators have been infecting multiple targets for more than a year using phishing attacks and Xtreme RAT, reports security firm.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
Security researchers have discovered a botnet-driven malware espionage campaign focused on Middle Eastern targets in Israel and Palestine. The most recently known related exploit was launched on Oct. 31, 2012.

"These attacks are likely performed by the same attacker, as the malware in question communicate with the same command-and-control structures, and in many cases are signed using the same digital certificate," said Snorre Fagerland, principal security researcher at Norway-based security firm Norman, in a report detailing the attacks. "These attacks have been ongoing for at least a year; seemingly first focused on Palestinians, then Israelis. The attacker is unknown at this point, but the purpose is assumed to be espionage/surveillance."

Norman has tied the underlying malicious infrastructure to a series of targeted attacks launched last month against Israeli police force computers, which led officials to temporarily take police computers offline and to ban the use of removable media, according to news reports.

[ Are fears of Iranian cyber attackers overblown? Read Frankenstory: Attack Of The Iranian Cyber Warriors. ]

Last month, Trend Micro studied samples of the malware and said at least one related attack apparently targeted the Israeli customs agency. "The attack began with a spammed message purporting to come from the head of the Israel Defense Forces Benny Gatz," read a blog post from Ivan Macalintal, a threat research manager at Trend Micro. Like the supposed sender, the phishing email's subject line --"IDF strikes militants in Gaza Strip following rocket barrage"-- was meant to entice targets into opening the attachment, which contained a disguised and compressed version of the Xtreme remote access Trojan (RAT).

The latest version of the Xtreme RAT is compatible with Windows 8 and can capture audio and steal passwords from Chrome, Firefox, Opera and Safari browsers. "XtremeRat is a commercially available backdoor Trojan which has been used in many attacks, targeted and otherwise, over the years," said Fagerland. "It gained some notoriety in connection with attacks against Syrian activists; along with other off-the-shelf Trojans such as BlackShades and DarkComet." It has also been used in a number of operations involving surveillance or remote-access exploits.

According to Norman, versions of the attack that it recovered included a malicious executable file -- disguised with the .SCR file extension and named to relate to various high-profile news stories in Israel -- that contained a self-extracting archive (in .SFX format), which itself contained multiple files. Those files included a harmless "barrage.doc" file along with a file named "Word.exe," which was in reality the XtremeRAT backdoor software.

All the emails used in the attacks were signed using the same faked digital certificate, which appeared to be from Microsoft. Interestingly, Norman found that attacks using that same faked certificate date back to at least May 2012 and have been controlled by botnet command-and-control (C&C) servers located in the United States. Upon further investigation, Norman discovered that since at least October 2011, other malware -- mostly versions of Xtreme RAT -- have been communicating with the same C&C infrastructure, as well as entire other botnets, which again are largely based at U.S. hosting services. "It is logical to assume that all these have been part of a medium/large surveillance operation," said Fagerland.

To date, many espionage malware operations focused on the Middle East have been traced to the United States government -- including Stuxnet, Flame, and Duqu -- and in the case of Stuxnet, also Israel. But not all malware that's targeting the Middle East has been launched by the United States. Notably, many security experts believe that the Mahdi malware was developed by Iran, for the purpose of spying on Iranians.

At first, the newly discovered Xtreme RAT attack campaign seemed to be a straight-up operation targeting Israel. But Norman then discovered an earlier series of attacks, launched using the same C&C infrastructure, which didn't target Israel but Palestine. Notably, the bait emails used in the attacks were written in Arabic and referred to issues that would be of greatest interest to Palestinians. The earlier series of attacks, which appear to have begun in the spring of 2012, relied in part on IP addresses owned by a service provider based in Ramallah, in the West Bank.

Norman's Fagerland said that the IP address ranges -- which change every few days -- that were used in the attacks may not reveal the botnet's controllers, as they likely launched their attacks from "hacked boxes." Furthermore, because the botnet targeted both Palestine and Israel, it's difficult to identify exactly who's behind the attacks.

Regardless, he said, the bigger picture is that the attacks demonstrate just how easy -- and relatively affordable -- it can be to launch an advanced persistent threat (APT) attack with commercially available tools. "Using largely off-the-shelf malware, the cost of mounting such an operation is considerably lower than for those who do their own malware development," Fagerland said.

Building a more robust network vulnerability management program can help you identify security holes before an attacker does, as well as develop more secure systems and applications in the future. In the A Guide To Network Vulnerability Management report, we examine the products and practices that will get you there. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
11/17/2012 | 7:50:12 PM
re: Espionage Malware Network Targets Israel, Palestine
I have read a bit about Extreme Rat and its success in the enamelware department. Who ever is behind the attacks is going to be a third party that is obviously not suspected. Or is it a clever trick by attacking both side as to cause of confusion? The attackers also have must have specific knowledge of the targets that they are attacking, if they are enticing the targets with their own local headlines. It does not surprise me what you can buy with money, anything is obtainable especially such a successful malware tool for attackers. From what else I have read it goes pretty cheap ranging from $100-$300, sounds pretty affordable for the roi!

Paul Sprague
InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3861
Published: 2014-09-02
Cross-site scripting (XSS) vulnerability in CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted reference element within a nonXMLBody element.

CVE-2014-3862
Published: 2014-09-02
CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to discover potentially sensitive URLs via a crafted reference element that triggers creation of an IMG element with an arbitrary URL in its SRC attribute, leading to information disclosure in a Referer log.

CVE-2014-5076
Published: 2014-09-02
The La Banque Postale application before 3.2.6 for Android does not prevent the launching of an activity by a component of another application, which allows attackers to obtain sensitive cached banking information via crafted intents, as demonstrated by the drozer framework.

CVE-2014-5452
Published: 2014-09-02
CDA.xsl in HL7 C-CDA 1.1 and earlier does not anticipate the possibility of invalid C-CDA documents with crafted XML attributes, which allows remote attackers to conduct XSS attacks via a document containing a table that is improperly handled during unrestricted xsl:copy operations.

CVE-2014-6041
Published: 2014-09-02
The Android Browser application 4.2.1 on Android allows remote attackers to bypass the Same Origin Policy via a crafted attribute containing a \u0000 character, as demonstrated by an onclick="window.open('\u0000javascript: sequence.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.