Sustained 'Red Deer' Phishing Attacks Impersonate Israel Post, Drop RATs

Israeli engineering and telecommunications companies have been targeted with a sustained phishing message campaign that is convincingly impersonating Israel's postal service.

Research by Perception Point found the phishing email typically appears to be a missed delivery note containing an HTML link. When clicked, it downloads and opens an .html file attachment on the user's browser. This html file then opens an ISO image file that contains an obfuscated Visual Basic script, which ultimately downloads a modified version of the AsyncRAT malware.

Named Operation Red Deer, due to the fact that the logo for the Israel Postal Company (aka "Israel Post") is a red deer — this technique was initially spotted being used in a campaign in April 2022, but last month a similar campaign was spotted wherein the malware version and SSL certificate that was used were the same.

Sustained Phishing Campaign

Several other campaigns in the activity cluster were also detected, including one last June and another last October, where Igal Lytzki, incident response analyst at Perception Point, says the volume of phishing emails was significantly higher than on other days.

Perception Point called the campaign "a sustained and clandestine operation” which targeted numerous organizations from diverse industries, but all based in Israel.

Lytzki says that "hundreds of emails related to this particular campaign" were detected and quarantined before being delivered, and that they've been directed at employees in varying positions and at different levels of seniority, not solely executive and leadership positions.

He also added that the level of care to make the lures look genuine is notable, including the addition of elements such as the logo, correlation of colors, and additional information about the post office's opening hours. "This is a surprising tactic that reveals the depth of sophistication and investment put into this attack," he notes.

Who Is to Blame?

The attacks were attributed to the Aggah threat group, due to the choice of malware, order-related phishing messages, and use of Losh Crypter obfuscated PowerShell scripts. Lytzki says there is no clear evidence of any state-sponsorship or national identity for Aggah, but there is a striking similarity between Aggah's tactics, techniques, and procedures (TTPs) and another threat group known as Gorgon Group, a state-sponsored group under the Pakistani government .

He adds, "Aggah has targeted a variety of countries for espionage, information gathering, and financial gain. I believe that the evidence suggests that this hacking group is for hire, contracting with other governments to launch malicious campaigns on their behalf."

Also, in the past, Aggah has conducted attacks which were primarily focused on organizations within Middle Eastern countries. The Gorgon Group, meanwhile, does not just focus on financial fraud and cybercrime, but also conducts attacks against government organizations and has been linked to attacks against Russia, Spain, the United Kingdom, and the United States.