The discovery of voice-changing software on the server of APT-C-23 could have implications for the group's future phishing attacks, Cado Security researchers report.
APT-C-23, a group connected to attacks in the Middle East, is known as part of a larger group called "Molerats" that is mostly located in Palestine, the report states. Molerats usually target political parties in Palestine and the Israeli government, specifically the Israeli Defense Force (IDF). On occasion, the attackers have also been known to target Western governments.
Cado Security calls APT-C-23 "a medium-sophistication" group and notes it typically relies on social engineering to manipulate victims into downloading malware. In the past, the group has been known to impersonate women to trick their targets into installing malicious applications.
"The reason they're doing this is espionage, and then what they're doing with this data, is mostly trying to track what people are up to and I think help them on the ground a bit," says Cado Security co-founder and CTO Chris Doman.
Researchers found a server belonging to APT-C-23 in early 2020. The server had previously been identified as serving malware in targeted attacks; however, a misconfiguration had since made the attackers' toolset publicly available. By the time they discovered it, the toolkit contained malware used for espionage, tools to identify vulnerable routers, custom tooling to leverage compromised email accounts to send phishing emails, and a phishing code for webmail logins.
"It's pretty common to find these servers spun up to serve malware to targets or to receive commands from that malware," he adds. "Interestingly in this case, they left the server open."
Molerats use a number of different malware families, researchers state, but most start with a self-extracting rar archive. The archives execute MSHTA/VBScript downloaders, which are used to install the H-Worm backdoor, they explain in a blog post.
The server's most interesting tool was a voice-changing application called Morph Vox Pro, which included a serial key and voices pack. Given APT-C-23's previous phishing campaigns, researchers speculate the group is using this tool to produce audio messages that could be used to convince targets to install malware.
In analyzing the server, researchers also learned more about how attackers deliver malware. For example, an application provided guidance on how to bulk-send phishing emails to targets. A separate file contained sample commands to find vulnerable routers with ZoomEye, an Internet scanning service. A "support" folder held a credential phishing page for Microsoft accounts.