A new wave of cyberattacks is targeting Palestinian entities with politically themed lures and malware. According to Cisco Talos, the attacks belong to a longstanding espionage and information-theft campaign run by the Arid Viper hacking group, which uses a Delphi-based implant called Micropsia that dates back to at least June 2017.
Kaspersky first documented the group's activities in February 2015; the same threat actor is also tracked as Desert Falcon and APT-C-23. Later, in 2017, Qihoo 360 disclosed details of cross-platform backdoors the group had developed to strike Palestinian institutions. The Russian cybersecurity firm branded Arid Viper the "first exclusively Arabic APT group."
In April 2021, Meta (formerly Facebook) linked the group to the cyber arm of Hamas and removed it from its platform for distributing mobile malware against individuals associated with pro-Fatah groups, Palestinian government organizations, military and security personnel, and student groups within Palestine.
The group now uses tactics similar to those it used in 2017 and 2019, which suggests those earlier campaigns had some success, since the tooling has not needed to change. In the recent activity, the group used decoy files referencing Palestinian reunification and sustainable development in the territory; when opened, they lead to the installation of Micropsia on the compromised machine.
The operators used the backdoor to gain an unusual degree of control over infected devices, including the ability to harvest sensitive information and execute commands sent from a remote server, which lets them capture screenshots, log current user activity, and download additional payloads.
According to Talos researchers Asheer Malhotra and Vitor Ventura: "Arid Viper is a prime example of groups that aren't very advanced technologically, however, with specific motivations, are becoming more dangerous as they evolve over time and test their tools and procedures on their targets. These [remote access trojans] can be used to establish long-term access into victim environments and additionally deploy more malware purposed for espionage and stealing information and credentials."