Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Espionage Malware Network Targets Israel, Palestine

Botnet operators have been infecting multiple targets for more than a year using phishing attacks and Xtreme RAT, reports security firm.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
Security researchers have discovered a botnet-driven malware espionage campaign focused on Middle Eastern targets in Israel and Palestine. The most recently known related exploit was launched on Oct. 31, 2012.

"These attacks are likely performed by the same attacker, as the malware in question communicate with the same command-and-control structures, and in many cases are signed using the same digital certificate," said Snorre Fagerland, principal security researcher at Norway-based security firm Norman, in a report detailing the attacks. "These attacks have been ongoing for at least a year; seemingly first focused on Palestinians, then Israelis. The attacker is unknown at this point, but the purpose is assumed to be espionage/surveillance."

Norman has tied the underlying malicious infrastructure to a series of targeted attacks launched last month against Israeli police force computers, which led officials to temporarily take police computers offline and to ban the use of removable media, according to news reports.

[ Are fears of Iranian cyber attackers overblown? Read Frankenstory: Attack Of The Iranian Cyber Warriors. ]

Last month, Trend Micro studied samples of the malware and said at least one related attack apparently targeted the Israeli customs agency. "The attack began with a spammed message purporting to come from the head of the Israel Defense Forces Benny Gatz," read a blog post from Ivan Macalintal, a threat research manager at Trend Micro. Like the supposed sender, the phishing email's subject line --"IDF strikes militants in Gaza Strip following rocket barrage"-- was meant to entice targets into opening the attachment, which contained a disguised and compressed version of the Xtreme remote access Trojan (RAT).

The latest version of the Xtreme RAT is compatible with Windows 8 and can capture audio and steal passwords from Chrome, Firefox, Opera and Safari browsers. "XtremeRat is a commercially available backdoor Trojan which has been used in many attacks, targeted and otherwise, over the years," said Fagerland. "It gained some notoriety in connection with attacks against Syrian activists; along with other off-the-shelf Trojans such as BlackShades and DarkComet." It has also been used in a number of operations involving surveillance or remote-access exploits.

According to Norman, versions of the attack that it recovered included a malicious executable file -- disguised with the .SCR file extension and named to relate to various high-profile news stories in Israel -- that contained a self-extracting archive (in .SFX format), which itself contained multiple files. Those files included a harmless "barrage.doc" file along with a file named "Word.exe," which was in reality the XtremeRAT backdoor software.

All the emails used in the attacks were signed using the same faked digital certificate, which appeared to be from Microsoft. Interestingly, Norman found that attacks using that same faked certificate date back to at least May 2012 and have been controlled by botnet command-and-control (C&C) servers located in the United States. Upon further investigation, Norman discovered that since at least October 2011, other malware -- mostly versions of Xtreme RAT -- have been communicating with the same C&C infrastructure, as well as entire other botnets, which again are largely based at U.S. hosting services. "It is logical to assume that all these have been part of a medium/large surveillance operation," said Fagerland.

To date, many espionage malware operations focused on the Middle East have been traced to the United States government -- including Stuxnet, Flame, and Duqu -- and in the case of Stuxnet, also Israel. But not all malware that's targeting the Middle East has been launched by the United States. Notably, many security experts believe that the Mahdi malware was developed by Iran, for the purpose of spying on Iranians.

At first, the newly discovered Xtreme RAT attack campaign seemed to be a straight-up operation targeting Israel. But Norman then discovered an earlier series of attacks, launched using the same C&C infrastructure, which didn't target Israel but Palestine. Notably, the bait emails used in the attacks were written in Arabic and referred to issues that would be of greatest interest to Palestinians. The earlier series of attacks, which appear to have begun in the spring of 2012, relied in part on IP addresses owned by a service provider based in Ramallah, in the West Bank.

Norman's Fagerland said that the IP address ranges -- which change every few days -- that were used in the attacks may not reveal the botnet's controllers, as they likely launched their attacks from "hacked boxes." Furthermore, because the botnet targeted both Palestine and Israel, it's difficult to identify exactly who's behind the attacks.

Regardless, he said, the bigger picture is that the attacks demonstrate just how easy -- and relatively affordable -- it can be to launch an advanced persistent threat (APT) attack with commercially available tools. "Using largely off-the-shelf malware, the cost of mounting such an operation is considerably lower than for those who do their own malware development," Fagerland said.

Building a more robust network vulnerability management program can help you identify security holes before an attacker does, as well as develop more secure systems and applications in the future. In the A Guide To Network Vulnerability Management report, we examine the products and practices that will get you there. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
11/17/2012 | 7:50:12 PM
re: Espionage Malware Network Targets Israel, Palestine
I have read a bit about Extreme Rat and its success in the enamelware department. Who ever is behind the attacks is going to be a third party that is obviously not suspected. Or is it a clever trick by attacking both side as to cause of confusion? The attackers also have must have specific knowledge of the targets that they are attacking, if they are enticing the targets with their own local headlines. It does not surprise me what you can buy with money, anything is obtainable especially such a successful malware tool for attackers. From what else I have read it goes pretty cheap ranging from $100-$300, sounds pretty affordable for the roi!

Paul Sprague
InformationWeek Contributor
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
IoT Vulnerability Disclosure Platform Launched
Dark Reading Staff 10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15270
PUBLISHED: 2020-10-22
Parse Server (npm package parse-server) broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens. The issue is not pa...
CVE-2018-21266
PUBLISHED: 2020-10-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
CVE-2018-21267
PUBLISHED: 2020-10-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
CVE-2020-27673
PUBLISHED: 2020-10-22
An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users can cause a denial of service (host OS hang) via a high rate of events to dom0, aka CID-e99502f76271.
CVE-2020-27674
PUBLISHED: 2020-10-22
An issue was discovered in Xen through 4.14.x allowing x86 PV guest OS users to gain guest OS privileges by modifying kernel memory contents, because invalidation of TLB entries is mishandled during use of an INVLPG-like attack technique.