Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

05:10 PM
Kelly Sheridan
Kelly Sheridan
Quick Hits
Connect Directly

Voice-Changing Software Found on APT Attackers' Server

Security researchers believe the presence of Morph Vox Pro could indicate APT-C-23 has new plans for their phishing campaigns.

The discovery of voice-changing software on the server of APT-C-23 could have implications for the group's future phishing attacks, Cado Security researchers report.

APT-C-23, a group connected to attacks in the Middle East, is known as part of a larger group called "Molerats" that is mostly located in Palestine, the report states. Molerats usually target political parties in Palestine and the Israeli government, specifically the Israeli Defense Force (IDF). On occasion, the attackers have also been known to target Western governments.

Cado Security calls APT-C-23 "a medium-sophistication" group and notes it typically relies on social engineering to manipulate victims into downloading malware. In the past, the group has been known to impersonate women to trick their targets into installing malicious applications.

"The reason they're doing this is espionage, and then what they're doing with this data, is mostly trying to track what people are up to and I think help them on the ground a bit," says Cado Security co-founder and CTO Chris Doman.

Researchers found a server belonging to APT-C-23 in early 2020. The server had previously been identified as serving malware in targeted attacks; however, a misconfiguration had since made the attackers' toolset publicly available. By the time they discovered it, the toolkit contained malware used for espionage, tools to identify vulnerable routers, custom tooling to leverage compromised email accounts to send phishing emails, and a phishing code for webmail logins.

"It's pretty common to find these servers spun up to serve malware to targets or to receive commands from that malware," he adds. "Interestingly in this case, they left the server open." 

Molerats use a number of different malware families, researchers state, but most start with a self-extracting rar archive. The archives execute MSHTA/VBScript downloaders, which are used to install the H-Worm backdoor, they explain in a blog post.

The server's most interesting tool was a voice-changing application called Morph Vox Pro, which included a serial key and voices pack. Given APT-C-23's previous phishing campaigns, researchers speculate the group is using this tool to produce audio messages that could be used to convince targets to install malware.

In analyzing the server, researchers also learned more about how attackers deliver malware. For example, an application provided guidance on how to bulk-send phishing emails to targets. A separate file contained sample commands to find vulnerable routers with ZoomEye, an Internet scanning service. A "support" folder held a credential phishing page for Microsoft accounts.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 is vulnerable to unauthorized access via user_edit_password.php, remote attackers can modify the password of any user.
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 is vulnerable to sensitive information disclosure via default_task_add.php, remote attackers can exploit the vulnerability to create a task.
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 is vulnerable to CSRF. Attackers can use the user_edit_password.php file to modify the user password.
PUBLISHED: 2021-06-20
The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin WordPress plugin before 7.1.18 did not sanitise or escape its result_id parameter when displaying an existing quiz result page, leading to a reflected Cross-Site Scripting issue. This c...
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.