• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Law enforcement operations seized BlackSuit ransomware gang’s darknet sites

 | 

Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme

 | 

Operation CargoTalon targets Russia’s aerospace with EAGLET malware,

 | 

Unpatched flaw in EoL LG LNV5110R cameras lets hackers gain Admin access

 | 

Koske, a new AI-Generated Linux malware appears in the threat landscape

 | 

Mitel patches critical MiVoice MX-ONE Auth bypass flaw

 | 

Coyote malware is first-ever malware abusing Windows UI Automation

 | 

SonicWall fixed critical flaw in SMA 100 devices exploited in Overstep malware attacks

 | 

DSPM & AI Are Booming: $17.87B and $4.8T Markets by 2033

 | 

Stealth backdoor found in WordPress mu-Plugins folder

 | 

U.S. CISA adds CrushFTP, Google Chromium, and SysAid flaws to its Known Exploited Vulnerabilities catalog

 | 

U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog

 | 

Sophos fixed two critical Sophos Firewall vulnerabilities

 | 

French Authorities confirm XSS.is admin arrested in Ukraine

 | 

Microsoft linked attacks on SharePoint flaws to China-nexus actors

 | 

Cisco confirms active exploitation of ISE and ISE-PIC flaws

 | 

SharePoint under fire: new ToolShell attacks target enterprises

 | 

CrushFTP zero-day actively exploited at least since July 18

 | 

Hardcoded credentials found in HPE Aruba Instant On Wi-Fi devices

 | 

MuddyWater deploys new DCHSpy variants amid Iran-Israel conflict

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Malware
  • Cyber espionage attack against Israel is not an isolated event

Cyber espionage attack against Israel is not an isolated event

Pierluigi Paganini November 14, 2012

Once again Middle East area is the scene of a series of cyber attacks, several malware attacks have hit over the last year Israeli and Palestinian systems apparently having a common origin. A group of experts from Norwegian antivirus and security firm Norman ASA  have discovered a new cyber espionage campaign against the countries that used various malware to spy on victims.

Cyber espionage is one of privileged form of intelligence of the last years, the use of technological instruments to steal sensible information and industrial secrets is widespread.

Let’s step back returning to the previous October when a cyber attack hit Israeli institutions and law enforcement forcing the government to shut down Internet access for its police and prohibiting the use of memory sticks and mobile storage to avoid the diffusion of malicious agent.

As usual the cyber espionage campaign was driven by a spamming activity of malicious emails that claim to be sent Benny Gantz, Chief of General Staff of the Israel Defense Forces, and reporting in the subject the news of an IDF strike against opponents in Gaza Strip. The message text anticipates the content of the attached .zip file that claims to contain reports and photos of the attack. According Trend Micro firm the initial target of that attack was the Israeli Customs agency.

 

In fact the file attached to the email hides a known malware, the XtremeRat trojan, which was largely used in surveillance campaigns by many regime such as Syrian government.  Xtreme Rat is a malware that belong to the Remote Access Tool category really simple to retrieve on line at a low price (Full version Price: €100 EUR). The malware is continuosly improved, last version is Windows 8 compatible and has included new powerful capabilities to audio and video capture and for password stealing from common browsers.

Once again the malware was signed to fool victims into believing that its source code came from a trusted source, in this case the code has been signed with a Microsoft certified. Installation for certain types of software could needs that its code is digitally signed with a trusted certificate, by stealing the certificate of a trusted vendor reduces the possibility that the malicious software being detected as quickly. That is exactly what happend for Stuxnet virus.

Fagerland revealed that they have found that oldest malware signed with the same Microsoft certificate and dated October 2011, after eight months from this attacks a new wave of malicious code signed with same certificate hit Israeli targets.

The experts of Norman analyzing the tool have tried to discover the source of the attack but unfortunatelly the retrieved info doesn’t give any valuable information, let’s remind that the attacks could be started form any region of the globe from a compromised system.

“What is behind these IP addresses is hard to establish. It is possible they are hacked boxes and as such do not give much valid information. If that were the case, one might have expected a greater IP range and geographical distribution, but nothing is certain,”.

“In the following investigation we first found several other trojans similarly signed, then many more trojans connecting to the same command & control structure as the first batch.”.
“The Command & Control structure is centered around a few dynamic DNS (DynDNS) domains that at the time of writing point to hosting services in the US.”

Snorre Fagerland, a senior virus researcher at Norman, declared in an interview with KrebsOnSecurity blog :

“These malwares are set up to use the same framework, talk to same control servers, and have same spoofed digital certificate,“In my view, they are same attackers.”

As always in these cases one thousand fanciful hypotheses circulating on the network without foundation, some argue that this is an Iranian offensive, others that it may be an US operation or conducted by an European government in search of information.

KrebsOnSecurity blog proposed results of researches made analyzing the metadata included in most of the email bait files. The files, typically Microsof Word documents, have been created and saved by a limited number of users named “Hitham,” “Tohan,” Aert,” and “Ayman.” Searching on hacker forums popular in the Middle East it is possible to find several accounts using these nicknames at a forum called Gaza-Hacker.net. KrebsOnSecurity states:

“The profiles of both Hitham (pictured below) and Aert suggest they are young men from Algeria. Hitham’s signature suggests he is a member of a group calling itself the Gaza Hackers Team, which claimed responsibility for defacing Israeli government sites earlier this year with messages calling for “Death to Israel.”

 

Personally I don’t believe that the attacks are related to Chinese hackers, despite the attack techniques appear similar, in this case hackers have used common malware that doesn’t requested particular knowledge differently from what’s happened for Operation Aurora and the Elderwood project.

I think that the hypothesis proposed by KrebOnSecurity are very likely.

Pierluigi Paganini


facebook linkedin twitter

cyber espionage Israel malware Middle East Operation Aurora XtremeRat

you might also like

Pierluigi Paganini July 26, 2025
Law enforcement operations seized BlackSuit ransomware gang’s darknet sites
Read more
Pierluigi Paganini July 25, 2025
Koske, a new AI-Generated Linux malware appears in the threat landscape
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Law enforcement operations seized BlackSuit ransomware gang’s darknet sites

    Cyber Crime / July 26, 2025

    Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme

    Intelligence / July 26, 2025

    Operation CargoTalon targets Russia’s aerospace with EAGLET malware,

    Intelligence / July 25, 2025

    Unpatched flaw in EoL LG LNV5110R cameras lets hackers gain Admin access

    Security / July 25, 2025

    Koske, a new AI-Generated Linux malware appears in the threat landscape

    Malware / July 25, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT