Researchers identify year-long cyberespionage operation targeting Israelis, Palestinians

The recent malware attack against the Israeli police is part of a larger campaign, Norman researchers say

The recent cyberattack that infected Israeli police computers with malware was likely part of a year-long cyberespionage operation with targets in Israel and the Palestinian territories, according to security researchers from antivirus vendor Norman.

At the end of October, the Israeli police shut down its computer network after a piece of malware was found on some of its systems. That malware was a remote access Trojan (RAT) program called Xtreme RAT, delivered in an archive attached to a spoofed email claiming to be from Benny Gantz, the chief of general staff of the Israel Defense Forces, according to a report from antivirus vendor Trend Micro.

The RAR archive contained a file called "IDF strikes militants in Gaza Strip following rocket barrage.doc" followed by a long series of hyphens and then .scr, Snorre Fagerland, principal security researcher at Norwegian antivirus vendor Norman, said Monday in a report.

The .scr file (a Windows screen saver, which is an ordinary executable), whose padded name was crafted to hide its real extension, dropped other files on the system's hard drive when executed: a legitimate Word document used as bait, an icon file and an .exe file that was actually the Xtreme RAT installer. The Norman researchers noticed that the .exe file was digitally signed with an untrusted, self-generated certificate issued in Microsoft's name.
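The extension-hiding trick above is mechanical enough to check for automatically. The following Python is an added example, not code from the Norman or Trend Micro reports: it flags a decoy document extension followed by a long run of filler characters before the real executable extension, plain double extensions such as .pdf.exe, and (going beyond the case on this page) the right-to-left-override character trick, which hides an extension the same way. The extension lists are a practical assumption of mine, not a complete inventory.

```python
import re

# Extensions Windows runs as programs when double-clicked (assumed practical
# list, not exhaustive). .scr is a screen saver, i.e. an ordinary executable.
EXECUTABLE_EXTS = {"scr", "exe", "pif", "com", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "hta", "msi", "lnk"}
# Extensions a lure typically pretends to have.
DOCUMENT_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "ppt", "pptx", "rtf",
                 "txt", "jpg", "jpeg", "png", "gif"}
FILLER = "-_ .\u00a0"   # characters used to push the real extension out of view
MIN_PADDING = 8         # shorter runs are usually just unusual naming
RTLO = "\u202e"         # Unicode RIGHT-TO-LEFT OVERRIDE (not in the article's case)


def analyze_filename(name):
    """Compare what a filename really ends in with what a viewer is led to see.

    Returns a dict with the real extension, the decoy extension (if any), the
    length of filler padding between them, and a list of findings.
    """
    findings = []
    real_ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    # Everything before the real extension; strip the filler run and look for
    # a decoy extension immediately before it.
    stem = name[: -(len(real_ext) + 1)] if real_ext else name
    stripped = stem.rstrip(FILLER)
    padding = len(stem) - len(stripped)
    decoy_ext = stripped.rsplit(".", 1)[1].lower() if "." in stripped else ""

    if real_ext in EXECUTABLE_EXTS:
        if padding >= MIN_PADDING:
            findings.append("padding")           # "report.doc----------.scr"
        if decoy_ext in DOCUMENT_EXTS:
            findings.append("double_extension")  # "invoice.pdf.exe"
    if RTLO in name:
        findings.append("rtlo")                  # displayed name is reversed
    return {"name": name, "real_ext": real_ext, "decoy_ext": decoy_ext,
            "padding": padding, "findings": findings,
            "suspicious": bool(findings)}


def flag_archive_members(member_names):
    """Run the check over an archive listing and return only the hits."""
    return [r for r in (analyze_filename(n) for n in member_names) if r["suspicious"]]


if __name__ == "__main__":
    # Constructed listing modelled on the lure described in the article.
    listing = [
        "IDF strikes militants in Gaza Strip following rocket barrage.doc" + "-" * 40 + ".scr",
        "quarterly-report.docx",
        "invoice.pdf.exe",
        "photo\u202egpj.scr",
    ]
    for hit in flag_archive_members(listing):
        print(hit["findings"], repr(hit["name"][:60]))
```

The padding threshold is the knob to tune: the lure here used dozens of hyphens, and a run of eight or more filler characters is rare in legitimate names. Run the check on archive member names at the mail gateway, since the archive listing is visible before anything is extracted.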

Windows would not validate this certificate, but the attackers probably hoped it would fool people who inspected the file manually or let the malware slip past some security products, Fagerland said.

This is not a new technique. What the attackers apparently did not realize is that the signature can be used to track down their earlier attacks, because they did not bother to change the certificate when signing new malicious files, Fagerland said.

Norman researchers searched the company's malware database for executable files signed with the same certificate and found other samples that had been used in similar email-based attacks since May. The contents of the bait documents used in those attacks suggested that the targets were from Israel.

A further analysis of the malware samples revealed that they were predominantly Xtreme RAT variants and connected back to a number of hostnames registered with free dynamic DNS providers. Many of those hostnames pointed to the same IP addresses.

Most of the IP addresses used recently are owned by U.S.-based hosting providers, which suggests that the attackers are hosting their command and control (C&C) servers in the U.S. However, that wasn't always the case.

Until the summer of this year, the hostnames pointed to IP addresses belonging to an ISP from the city of Ramallah in the West Bank, Fagerland said.

By searching for malware that historically connected to the same hosts, the Norman researchers managed to find even more Xtreme RAT samples, the oldest of which dated back to October 2011. Some of those samples were used in email attacks that, based on their bait documents, most likely targeted Palestinians, not Israelis, Fagerland said.

The move of the C&C servers from the West Bank to the U.S. may have been prompted by the switch in targets, Fagerland said. Network traffic to an IP address in Palestine could raise suspicion at an Israeli individual or organization, whereas connections to U.S. IP addresses are routine, he said.
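The pivoting described in the preceding paragraphs (same signing certificate, then the C&C hostnames those samples used and the IP addresses the hostnames resolved to, then further samples that used the same hosts, down to the oldest sample and where the infrastructure sat over time) is a walk over a graph of indicators. The Python below is an added example of that walk over constructed data, not the Norman researchers' tooling; the sample IDs, certificate thumbprints, hostnames, IP addresses, dates and ownership labels are placeholders, not indicators from the report. The max_hosts_per_ip guard is an assumption of mine: an IP address fronting many dynamic-DNS hostnames belongs to the provider, and pivoting through it would merge unrelated campaigns.

```python
from collections import defaultdict, deque
from datetime import date

# Constructed sample records. IDs, signer thumbprints, C&C hostnames and
# dates are placeholders, not indicators from the Norman report.
SAMPLES = [
    {"id": "s1", "signer": "CERT-A", "c2": "news-update.ddns.example", "first_seen": date(2012, 10, 29)},
    {"id": "s2", "signer": "CERT-A", "c2": "mail-sync.ddns.example",   "first_seen": date(2012, 5, 14)},
    {"id": "s3", "signer": None,     "c2": "mail-sync.ddns.example",   "first_seen": date(2012, 2, 3)},
    {"id": "s4", "signer": None,     "c2": "doc-server.ddns.example",  "first_seen": date(2011, 10, 20)},
    {"id": "s5", "signer": "CERT-Z", "c2": "unrelated.ddns.example",   "first_seen": date(2012, 6, 1)},
]

# Constructed passive-DNS observations: hostname -> [(ip, first seen, last seen)].
PDNS = {
    "news-update.ddns.example": [("203.0.113.10", date(2012, 8, 1), date(2012, 10, 31))],
    "mail-sync.ddns.example":   [("198.51.100.7", date(2012, 1, 1), date(2012, 7, 15)),
                                 ("203.0.113.10", date(2012, 8, 1), date(2012, 10, 31))],
    "doc-server.ddns.example":  [("198.51.100.7", date(2011, 10, 1), date(2012, 3, 1))],
    "unrelated.ddns.example":   [("192.0.2.50",   date(2012, 6, 1), date(2012, 10, 1))],
}

# Constructed stand-in for WHOIS/BGP ownership data.
IP_OWNER = {
    "198.51.100.7": "ISP, Ramallah",
    "203.0.113.10": "hosting provider, US",
    "192.0.2.50":   "other",
}


def build_graph(samples, pdns, max_hosts_per_ip=5):
    """Undirected graph over (kind, value) nodes: sample-cert, sample-host, host-ip."""
    adj = defaultdict(set)

    def link(a, b):
        adj[a].add(b)
        adj[b].add(a)

    for s in samples:
        if s["signer"]:
            link(("sample", s["id"]), ("cert", s["signer"]))
        link(("sample", s["id"]), ("host", s["c2"]))

    hosts_per_ip = defaultdict(set)
    for host, observations in pdns.items():
        for ip, _first, _last in observations:
            hosts_per_ip[ip].add(host)
    for ip, hosts in hosts_per_ip.items():
        # Assumption: an IP fronting many hostnames is shared provider
        # infrastructure; pivoting through it would merge unrelated actors.
        if len(hosts) > max_hosts_per_ip:
            continue
        for host in hosts:
            link(("host", host), ("ip", ip))
    return adj


def reachable(adj, start):
    """Breadth-first walk; returns every node connected to start."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def cluster(samples, pdns, seed_id, max_hosts_per_ip=5):
    """Pivot from one sample to everything it shares a cert, hostname or IP with.

    Returns (members sorted oldest-first, infrastructure timeline), where the
    timeline lists (first seen, last seen, ip, owner) for the cluster's hosts.
    """
    nodes = reachable(build_graph(samples, pdns, max_hosts_per_ip), ("sample", seed_id))
    ids = {value for kind, value in nodes if kind == "sample"}
    hosts = {value for kind, value in nodes if kind == "host"}
    members = sorted((s for s in samples if s["id"] in ids), key=lambda s: s["first_seen"])
    timeline = sorted({(first, last, ip, IP_OWNER.get(ip, "unknown"))
                       for h in hosts for ip, first, last in pdns.get(h, [])})
    return members, timeline


if __name__ == "__main__":
    members, timeline = cluster(SAMPLES, PDNS, "s1")
    print("cluster:", [m["id"] for m in members], "oldest:", members[0]["first_seen"])
    for first, last, ip, owner in timeline:
        print(f"{first} .. {last}  {ip:15} {owner}")
```

Starting from the newest sample, the walk reaches the unsigned older samples only through the shared hostname and the IP address it once resolved to; lowering max_hosts_per_ip to 1 cuts the IP edges and the oldest sample drops out of the cluster, which is the kind of sensitivity check worth running before attributing a set of samples to one operation.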

The Norman researchers did not have access to the C&C servers or the opportunity to analyze a machine infected with one of the samples, so they could not determine what kind of data the attackers were after. However, the evidence gathered by analyzing the malicious files alone points to a year-long cyberespionage operation carried out by the same group of attackers, Fagerland said.

"We have the impression that a cybersurveillance operation is underway (and is probably still ongoing -- most recent sample created Oct. 31) which was first mainly focused on Palestinian targets, then shifted towards Israel," Fagerland said in the report. "The reason for the shift is unknown. Maybe it was planned all along; or caused by changes in the political climate; or maybe the first half of the operation found data that caused the target change."

It's difficult to say who is behind the attacks, Fagerland said. It might be a government organization, a political group or a group of independent hackers, he said.

The attacks are not sophisticated and did not require many resources to pull off. The attackers used free hostnames instead of buying domain names, used cheap hosting for their C&C infrastructure and used Xtreme RAT instead of building their own malware. Xtreme RAT is one of the cheapest remote access Trojan programs available; a standard set-up costs around $40, Fagerland said.

The attackers forgot to scrub the metadata from their bait documents, which revealed the names or aliases of the people who created the files: Hitham, anar, Ayman, Tohan, ahmed, aert and HinT.

Some configuration strings found in the RAR archive that was used in the attack against the Israeli police suggest that the file's author was using the Arabic language on his computer when creating it, Jaime Blasco, head of the research lab at security firm AlienVault, said Monday via email.

"During this year we have been tracking several ongoing espionage campaigns that use XtremeRAT as the tool for accessing the victims," Blasco said. "At the beginning of the year the usage of XtremeRAT was spotted as part of a cyber espionage campaign against Syrian dissidents."

Stories by Lucian Constantin