Palestinian hackers hit Israel with targeted malware campaigns

Attackers traced back to their Facebook pages

Security firm Trend Micro has uncovered evidence that Israel has been on the receiving end of at least two targeted malware campaigns in recent times, one sophisticated, the other anything but. Both suggest increased determination and growing interest on the part of the attackers, the firm said.

Dubbed 'Operation Arid Viper' and 'Advtravel', the campaigns' relative lack of sophistication didn't stop them achieving a degree of success against targets including a government office, the Israeli military, transport, Kuwaiti academics and a number of unnamed Israeli citizens and bloggers, Trend said.

Even the crude and sometimes careless Advtravel campaign had managed to infect around 500 victims, mostly personal laptops belonging to Egyptians in addition to Israelis.

Apart from the personal targeting, the ambitious nature of the command and control is probably the most striking characteristic of the attacks, which in the case of Arid Viper started operating in mid-2013. Advtravel dated from about a year later.

The mechanism of attack was standard booby-trapped attachments in phishing emails with the same basic malware being used over and over even as the infrastructure was updated. The motivation was simply to steal information, possibly in Advtravel's case including compromising images that could be used as part of blackmail campaigns, Trend Micro said.

The Advtravel attackers will read Trend Micro's analysis of their handiwork with some interest, starting with the number of schoolboy configuration errors that made disrupting the command and control easier than it should have been.

Perhaps the worst mistake of all was that Trend managed to trace several individuals who had registered Advtravel C&C servers - Trend even names some of these people and their geographical location.

The firm even speculates on the possible creator of the Advtravel malware, going as far as screenshots of him debugging the software on a virtual server. The researchers also traced the hapless hacker's Facebook page.

Either these hackers are incredibly inexperienced beginners or they just don't care who identifies them.

There seems little doubt, then, that the people behind these attacks are Palestinian, possibly connected to the Gaza Hacker Team responsible for a series of website defacements.

"While the two campaigns shared infrastructure, their tactics could not be further apart. Operation Arid Viper is a sophisticated campaign targeting key individuals in organizations in order to exfiltrate sensitive data. Its C&C servers were, in fact, closely locked down," said Trend Micro's researchers.

"Advtravel, on the other hand, looks very much like the work of less-skilled cybercriminals who appeared to be motivated neither by financial gain nor conducting espionage. Instead, they look like a classic group of beginner hackers just starting their careers."

In recent years, Israel's main cyber-foe has been Iran, so the uptick in Palestinian malware will be seen as a small but still noteworthy threat.


Stories by John E Dunn
