APT-C-23, a Hamas-linked hacking group, catfished high-ranking Israeli officials working in defense, law enforcement, and government agencies, ultimately leading to the deployment of new malware.
Analysts at Cybereason, who dubbed the new campaign ‘Operation Bearded Barbie,’ say it involves high-level social engineering tricks such as creating fake social media profiles and a long-term engagement with the targets before delivering spyware.
The hacking group is also known for deploying new custom backdoors for Windows and Android devices geared towards espionage.
How does the Hacking Group carry out the attacks?
The hacking group has created numerous fake Facebook profiles, using fabricated identities and stolen or AI-generated images of attractive women. They then approach the victims through these profiles.
These fake profiles look authentic and are curated by the operators, who post in Hebrew and like Israeli groups and popular pages. They succeed in building a network of friends who in reality are the people they target: employees of Israel’s police, defense forces, emergency services, or the government.
Once trust is established via interactions on Facebook, the adversaries suggest migrating to WhatsApp for better privacy.
The threat actors pull another trick just as the conversation takes an erotic turn: they suggest moving to a more discreet Android messaging app, which is actually the VolatileVenom malware.
Additionally, the victims are sent a link to a RAR file that purportedly contains a sexual video, but which in reality is a downloader for the BarbWire backdoor.
The hacking group is able to completely compromise the victim’s system using the malware, allowing them to establish persistence, harvest stored information, record audio, capture screenshots, and download additional payloads, all of which are transmitted back to a remote server.
The Android spyware, VolatileVenom, is able to spoof legitimate messaging apps and masquerade as system updates, and has been used in different campaigns by Arid Viper since at least 2017.
The researchers said, “This campaign shows a considerable step-up in APT-C-23 capabilities, with upgraded stealth, more sophisticated malware, and perfection of their social engineering techniques which involve offensive HUMINT capabilities using a very active and well-groomed network of fake Facebook accounts that have been proven quite effective for the group.”