The Libyan Scorpions group is behind a cyber espionage campaign in Lybia

The Cyberkov Security Incident Response team spotted a cyber espionage campaign in Lybia conducted by a group named Libyan Scorpions.

Thinking of Libya we have in mind a non-stable political country where various forces fight for the control of strategic territories and oil productions. but only a few experts know about cyber malicious activities in the area.

Evidently, something is changing, for the first time experts at the Cyberkov Security Incident Response team (CSIRT) collected evidence of a cyber espionage campaign operating  in different areas in Libya especially in Tripoli and Benghazi.
On 6 August 2016, the Cyberkov Security Incident Response team (CSIRT) spotted numerous samples of Android malware targeting entities in Libya.
The experts noticed that the Android malware spreading very fast through the popular Telegram messaging application and targeting high-profile Libyan influential and political figures.
According to the CSIRT, the malware was first spotted after it has compromised a highly Libyan influential Telegram account via web Telegram using IP address from Spain.
Once the attackers compromised the mobile device of the above account they used is to target all his contacts. The experts at the Cyberkov Security Incident Response team  linked the cyber espionage campaign to a group named Libyan Scorpions.

“Libyan Scorpions is believed to be a political motivated group targeting a high-level influential and political figures in multiple cities within Libya. Libyan Scorpions first compromised a personal Telegram account for a Libyan influential person with unknown vector. The victim received a push notification from his Telegram app that someone from Spain is logged into his account” reads the report published by the CSIRT titled “Hunting Libyan Scorpions”

“The victim mistakenly deleted Telegram application from his phone thinking that this is going to stop the attacker(s). Second day, the attacker used the victim phone number to spear phish his contacts in Telegram by pretending that the real person is sending a voice message while the file is actually a malicious APK (Android Package) file.”

Threat actors abused it to spread an Android malware bound with legitimate Android application pretending it is an important voice message (misspelled it by “VoiceMassege.apk”) which indicates a non-english (maybe an Arabic) attacker.

The experts have found the legitimate application in the official App store, this means that the Libyan Scorpions group took an instance of the APK and trojanized it.

“This APK file targets only Android-based smartphones. Once the new victim click on the APK file, the application installs itself in the device without any problem and is fully functional. The icon of the application appears in the Apps menu named (URL Shortener).” continues the report.

With this technique, the threat actors spread the malware that used the same technique to infect via telegram other victims of the network of contacts.

Further investigations revealed that the malware has been active at least since September 2015.

The so-called Libyan Scorpions is a politically motivated group intent in gathering intelligence and spying on influentials and political figures within Libya. The group used different malware in his campaigns, the malicious code were designed to target Android and Windows machines.

The researchers made a reverse engineering of the malicious code and discovered a configuration files containing information of the Command and Control (C2) infrastructure. The sample of malware analyzed in the report presents many similarities with popular spyware like the AlienSpy RAT.

“Resolving the hostname gives: 41.208.110.46 which is a static Libyan IP address owned by Libya Telecom and Technology Backbone.” reads the analysis. “Cyberkov discovered that the malware has not been uploaded to VirusTotal before and the first sample of this malware has been uploaded by us. However, 8 out of 54 AntiVirus engines detect it which is a very low detection rate (15%). Most and major American top Gartner Antivirus companies did not detect it!!”

Libyan Scorpions doesn’t have highly technical skills anyway it was able to use a set of methods to hide and operate their malware, the cyber espionage operation leverage on good social engineering and phishing tactics.

“Libyan Scorpions threat actors used a set of methods to hide and operate their malwares. They appear not to have highly technical skills but a good social engineering and phishing tricks. The threat actors are not particularly sophisticated, but it is well-understood that such attacks don’t need to be sophisticated in order to be effective. ” reads the report published by the  Cyberkov Security Incident Response team. “Using malwares as weapon in an active warzone such as Libya, make the victims easy targets for assassination or kidnapping by tracking their physical locations and monitoring them day and night. “

I suggest you read the report that also includes Indicators of Compromise (IoCs)

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Libyan Scorpions, cyber espionage)