Once again the Middle East is the scene of a series of cyber attacks: over the last year several malware campaigns have hit Israeli and Palestinian systems and appear to share a common origin. A group of experts from the Norwegian antivirus and security firm Norman ASA has uncovered a cyber espionage campaign against both countries that used various malware families to spy on victims.
Cyber espionage has become one of the preferred forms of intelligence gathering in recent years; the use of technological means to steal sensitive information and industrial secrets is widespread.
Let's step back to last October, when a cyber attack hit Israeli institutions and law enforcement, forcing the government to cut Internet access for its police and to prohibit the use of memory sticks and other removable storage in order to contain the spread of the malicious agent.
As usual, the cyber espionage campaign was driven by a spam run of malicious emails claiming to be sent by Benny Gantz, Chief of General Staff of the Israel Defense Forces, with a subject line reporting the news of an IDF strike against opponents in the Gaza Strip. The message text previews the content of the attached .zip file, which claims to contain reports and photos of the attack. According to Trend Micro, the initial target of that attack was the Israeli Customs agency.
In fact the attachment hides a known malware, the XtremeRat trojan, which has been widely used in surveillance campaigns by several regimes, including the Syrian government. Xtreme RAT belongs to the Remote Access Trojan (RAT) category and is easy to obtain online at low cost (full version price: €100 EUR). The malware is continuously improved: the latest version is Windows 8 compatible and adds new capabilities for audio and video capture and for stealing passwords from common browsers.
Once again the malware was digitally signed to fool victims and security software into believing it came from a trusted source; in this case the code carried a certificate purporting to be from Microsoft. Installation of certain types of software may require that the code be digitally signed with a trusted certificate, and signing with a certificate stolen from a trusted vendor (or one forged to resemble it) reduces the chance that the malicious software is detected quickly. That is exactly what happened with Stuxnet, which was signed with certificates stolen from legitimate hardware vendors. Note that a forged certificate only helps against checks that look at the signer name rather than validating the chain to a trusted root; a verifier that validates the chain still flags it.
Fagerland of Norman revealed that the oldest malware they found signed with the same purported Microsoft certificate dated back to October 2011, and that, about eight months later, a new wave of malicious code signed with the same certificate hit Israeli targets.
Norman's experts analyzed the tool and tried to trace the source of the attack, but unfortunately the information retrieved does not give any reliable attribution; remember that the attacks could have been launched from any region of the globe through a compromised system:
“What is behind these IP addresses is hard to establish. It is possible they are hacked boxes and as such do not give much valid information. If that were the case, one might have expected a greater IP range and geographical distribution, but nothing is certain.”
“In the following investigation we first found several other trojans similarly signed, then many more trojans connecting to the same command & control structure as the first batch.”
“The Command & Control structure is centered around a few dynamic DNS (DynDNS) domains that at the time of writing point to hosting services in the US.”
Snorre Fagerland, a senior virus researcher at Norman, declared in an interview with the KrebsOnSecurity blog:
“These malwares are set up to use the same framework, talk to the same control servers, and have the same spoofed digital certificate. In my view, they are the same attackers.”
As always in these cases, a thousand fanciful hypotheses circulate on the network without foundation: some argue that this is an Iranian offensive, others that it may be a US operation or one conducted by a European government in search of information.
The KrebsOnSecurity blog published the results of research done by analyzing the metadata embedded in most of the email bait files. The files, typically Microsoft Word documents, were created and saved by a limited number of users named “Hitham,” “Tohan,” “Aert,” and “Ayman.” Searching hacker forums popular in the Middle East, it is possible to find several accounts using these nicknames on a forum called Gaza-Hacker.net. KrebsOnSecurity states:
“The profiles of both Hitham (pictured below) and Aert suggest they are young men from Algeria. Hitham’s signature suggests he is a member of a group calling itself the Gaza Hackers Team, which claimed responsibility for defacing Israeli government sites earlier this year with messages calling for ‘Death to Israel.’”
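The metadata pivot described above (reading the author and last-modified-by fields of the decoy documents and grouping samples by the names found) is simple to reproduce. The script below is an added example written for this article; it is not code from Norman, KrebsOnSecurity or the attackers. It handles the OOXML (.docx) case, where the fields live in docProps/core.xml inside the zip container, and it constructs its own sample documents in memory so it runs offline. The sample file names and the assumption that every decoy is OOXML are mine; legacy binary .doc files keep the same fields in the OLE SummaryInformation stream and need an OLE parser such as olefile instead.

```python
import io
import zipfile
from collections import defaultdict
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

# Namespaces used by the OOXML core-properties part (docProps/core.xml).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}


def build_sample_docx(creator, last_modified_by, include_core=True):
    """Build a constructed, minimal OOXML container carrying only the
    core-properties part (a real decoy would also carry the document body).
    include_core=False simulates a file whose metadata part was stripped."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
        "<dc:creator>%s</dc:creator>"
        "<cp:lastModifiedBy>%s</cp:lastModifiedBy>"
        "</cp:coreProperties>"
        % (NS["cp"], NS["dc"], escape(creator), escape(last_modified_by))
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        if include_core:
            z.writestr("docProps/core.xml", core)
    return buf.getvalue()


def extract_authors(docx_bytes):
    """Return (creator, lastModifiedBy) from docProps/core.xml.
    Missing part or missing fields yield None rather than an exception,
    because stripped or hand-crafted decoys are common."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/core.xml" not in z.namelist():
            return (None, None)
        root = ET.fromstring(z.read("docProps/core.xml"))
    creator = root.findtext("dc:creator", default=None, namespaces=NS)
    modified = root.findtext("cp:lastModifiedBy", default=None, namespaces=NS)
    return (creator or None, modified or None)


def cluster_by_author(samples):
    """samples: dict of file name -> file bytes.
    Returns dict of author name -> sorted list of files naming that author
    in either field, i.e. the pivot used to link decoys to a few operators."""
    clusters = defaultdict(set)
    for name, data in samples.items():
        for who in extract_authors(data):
            if who:
                clusters[who.strip()].add(name)
    return {who: sorted(files) for who, files in clusters.items()}


if __name__ == "__main__":
    # Constructed sample set; the nicknames are the ones reported in the article,
    # the file names are invented for the demo.
    samples = {
        "idf_report_1.docx": build_sample_docx("Hitham", "Hitham"),
        "idf_report_2.docx": build_sample_docx("Tohan", "Hitham"),
        "gaza_photos.docx": build_sample_docx("Ayman", "Aert"),
        "stripped.docx": build_sample_docx("x", "x", include_core=False),
    }
    for who, files in sorted(cluster_by_author(samples).items()):
        print("%-8s %s" % (who, ", ".join(files)))
```

Two things to keep in mind when using this for attribution: the fields are plain text set by the authoring application, so an operator can change or blank them at will, and a shared name across decoys shows a shared authoring environment, not necessarily a shared person. It is a lead to corroborate with the certificate and C2 overlap Norman describes, not proof on its own.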
Personally, I don't believe that the attacks are related to Chinese hackers: although the attack techniques appear similar, in this case the hackers used common malware that does not require particular expertise, unlike what happened with Operation Aurora and the Elderwood project.
I think the hypotheses proposed by KrebsOnSecurity are very likely.