Espionage campaign relying on the Zeus Trojan targets the Israeli Public Sector

Pierluigi Paganini October 14, 2015

Check Point discovered a series of malware-based attacks on Israeli public sector organizations that were infected by the Zeus Trojan via RTF files.

Security experts at Check Point have detected a series of attacks on high-profile organizations. The victims were targeted by a malicious spam campaign that relies on bogus RTF files, and the campaign hit several individuals working for a number of Israeli public sector organizations.

Check Point confirmed that the hackers compromised over 200 PCs belonging to 15 distinct Israeli firms and institutions; the list of victims also includes government agencies, security industry firms, municipal agencies, research institutions and even hospitals.

“Two months ago, a malicious Rich Text Format (RTF) document came to the attention of Check Point Threat Intelligence & Research via a worried high-profile client in the public sector. The file had been sent to many employees, several of whom opened the file; as a result, their machines became infected. Check Point took actions to prevent this document from further infecting the customer’s network, and also analyzed the file to better understand the attack. The result was a discovery of a larger-scale campaign that has been targeting Israeli public and private organizations for some time.” states a blog post published by Check Point.

The threat actors relied on RTF documents carrying the Zeus Trojan, but this was no ordinary phishing or macro attack. The peculiarity of the attack is that the document was auto-generated by the Microsoft Word Intruder (MWI) exploit kit.

“the document utilized three different remote code execution vulnerabilities in MS-Word. The specific vulnerabilities being exploited were enough to determine that this malicious document was not crafted by hand, but rather auto-generated by a well-known exploit kit called Microsoft Word Intruder (MWI).” continues the post.

The analysis of the network traffic generated by the Zeus Trojan revealed that it contacted the C&C server by using an HTTP GET request. The C&C server belonged to a legitimate local residential letting agency abroad, whose site had been compromised by the threat actors. By analyzing the log file on the control server, the experts discovered that most of the victims are Israeli entities.
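The same server-side log that let the researchers enumerate victims is also where a site owner could have spotted the abuse. As an added example (not from the Check Point report or this article), the Python script below reads Apache-style access-log lines and flags clients that fetch one path at a near-constant interval, which is how a Zeus-style HTTP GET beacon looks from the web server; the log lines, IP addresses and the C&C path are constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed Apache-style access log lines: IPs, paths and agents are placeholders.
# 10.0.0.5 polls one path every ~5 minutes; 10.0.0.9 browses like a person.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2015:09:00:00 +0000] "GET /cnc-path-placeholder HTTP/1.1" 200 31 "-" "Mozilla/4.0"
10.0.0.5 - - [12/Oct/2015:09:05:00 +0000] "GET /cnc-path-placeholder HTTP/1.1" 200 31 "-" "Mozilla/4.0"
10.0.0.5 - - [12/Oct/2015:09:10:01 +0000] "GET /cnc-path-placeholder HTTP/1.1" 200 31 "-" "Mozilla/4.0"
10.0.0.5 - - [12/Oct/2015:09:15:00 +0000] "GET /cnc-path-placeholder HTTP/1.1" 200 31 "-" "Mozilla/4.0"
10.0.0.9 - - [12/Oct/2015:09:01:12 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Oct/2015:09:01:13 +0000] "GET /style.css HTTP/1.1" 200 800 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Oct/2015:09:47:40 +0000] "GET /contact.html HTTP/1.1" 200 2300 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse(log_text):
    """Yield (ip, method, path, timestamp) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
            yield m.group('ip'), m.group('method'), m.group('path'), ts

def find_beacons(log_text, min_hits=3, max_jitter=0.2):
    """Return {(ip, path): interval_seconds} for clients whose GETs to a single
    path recur at a near-constant interval (std dev / mean <= max_jitter)."""
    hits = defaultdict(list)
    for ip, method, path, ts in parse(log_text):
        if method == 'GET':
            hits[(ip, path)].append(ts)
    beacons = {}
    for key, stamps in hits.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = round(avg)
    return beacons

if __name__ == '__main__':
    for (ip, path), interval in find_beacons(SAMPLE_LOG).items():
        print(f'{ip} polls {path} every ~{interval}s')  # 10.0.0.5 ... every ~300s
```

On a real server the interval threshold and minimum hit count should be tuned per site, since monitoring probes and RSS readers also poll on a schedule.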

Zeus Trojan campaign hit Israeli Public Sector

The choice of the targets led the experts at Check Point to think that the hackers are politically motivated.

“Such campaigns are usually orchestrated by adversaries, which are themselves nation-states or political organizations. On the other hand, campaigns launched by such adversaries tend to make use of dedicated tools that are specifically tailored for the occasion. It is unusual for such a campaign to rely on ‘off-the-shelf’ materials such as MWI and vanilla Zeus,” states Check Point.

Pierluigi Paganini

(Security Affairs – Zeus trojan, spam campaign)
