Hamas-Linked APT Group Targets Israeli Officials
Attackers Use Catfishing to Lure Victims Into Downloading Malware
In a new campaign, threat actors are using fake Facebook profiles to trick high-ranking Israeli officials into downloading previously undocumented Trojanized Android and PC direct message applications that grant them access to the victims' devices.
A politically motivated hacking group, dubbed APT-C-23, was found catfishing high-profile targets working for sensitive defense, law enforcement and emergency services organizations using sexual content, say researchers in the Nocturnus Team of cybersecurity firm Cybereason. The group's ultimate goal is to extract sensitive information from the victims' devices for espionage, say the researchers, who "analyze attack methodologies, reverse-engineer malware and expose unknown system vulnerabilities."
The campaign features the use of a social engineering tactic known as catfishing, in which the group uses sexual content to lure victims, mostly Israeli men, into downloading malware.
The researchers say that they assess with "moderate-high confidence" that APT-C-23, which operates on behalf of militant organization Hamas, is behind the campaign. While its operations against Arabic-speaking targets - mostly Palestinians - are still taking place, this newly identified campaign specifically targets Israelis and shows unique characteristics that distinguish it from other campaigns, the researchers say.
Operation Bearded Barbie
Cybereason's investigation shows that APT-C-23 has upgraded its malware arsenal with new tools, dubbed Barb(ie) Downloader and BarbWire Backdoor, which are equipped with enhanced stealth and focus on operational security.
The latest campaign also has a dedicated infrastructure that is almost completely separate from the known APT-C-23 infrastructure, which the researchers say is more focused on Arabic-speaking targets.
"The fake Facebook profiles were maintained regularly and constantly interacting with Israeli citizens. The social engineering tactic used in this campaign relies primarily on classic catfishing, using fake identities of attractive young women to engage with mostly male individuals to gain their trust," the researchers say.
They found that these fake accounts have operated for months and seem relatively authentic to the unsuspecting user. The group also seems to have invested considerable effort in tending to these profiles, expanding their social network by joining popular Israeli groups, writing posts in Hebrew and adding potential victims as friends, the report says.
The group makes these profiles more authentic by using different accounts to like various Facebook groups and pages that are well known to Israelis. The threat actors use Israeli news pages, Israeli politicians' accounts and corporate pages to get more likes, the researchers say.
Alan Calder, CEO of GRC International Group, calls the campaign "a very devious ploy on the part of Hamas." He says, "Surely one would have thought the Israelis would be wise to this by now. It just goes to show how effective social engineering is as a low-cost offensive and attack strategy."
Once these attackers gain the victims' trust, they ask that the conversations migrate to messaging platform WhatsApp, which helps them obtain the targets' mobile phone number, the researchers say.
The content of the chat includes sexual themes, with the operators suggesting that victims use a "secure means of communication," aka a designated Android app, for this purpose. In the next step, the attacker entices the victims to open a .rar file containing a video that supposedly contains explicit sexual content - this supposed video file, unsurprisingly, is malware.
The downloader component used by APT-C-23, dubbed Barb(ie), installs the BarbWire backdoor. The researchers analyzed a downloader sample named "Windows Notifications.exe".
"When first executed, Barb(ie) decrypts strings using a custom base64 algorithm that is also used in the BarbWire backdoor. Those decrypted strings are different Virtual Machine vendor names, WMI queries, command and control (C2), file and folder names which are used in different phases of the execution," the researchers say. "One way the malware uses those strings is in performing multiple checks, such as anti-vm and anti-analysis checks, in order to determine that 'the coast is clear.' If the check fails, a custom pop-up message is displayed to the user and the malware terminates itself."
Once the malware concludes that the victim machine is clean and it doesn't detect any sandboxing or other analysis being performed on the targeted device, the malware continues its execution and collects information about the machine, including username, computer name, date and time, running processes and OS version.
Next, the malware attempts to create a connection to the embedded C2 server: fausto-barb[.]website.
"When creating the connection, the malware sends information about the victim machine that is composed of the data collected. In addition, it sends other information to the C2, like the OS version, downloader name and compilation month as well as information on any installed antivirus software running," the researchers say.
The researchers say the BarbWire backdoor is a capable piece of malware and that a lot of effort was put into hiding its capabilities using a custom base64 algorithm.
The ultimate goal is to fully compromise the victim machine, gaining access to the victims' most sensitive data. The backdoor's main capabilities include persistence, OS reconnaissance, data encryption, keylogging, screen capturing, audio recording, downloading additional malware, local/external drives and directory enumeration, as well as stealing specific file types and exfiltrating data, the researchers say.
The BarbWire backdoor can also steal a wide range of file types, depending on the instructions it receives from the attackers. It specifically looks for certain file extensions - such as PDF files, Office documents, archives, videos and images.
Apart from the local drives, the backdoor looks for external media, such as a CD-ROM drive.
"Searching for such an old media format, together with the file extensions of interests, could suggest a focus on targets that tend to use more 'physical' formats to transfer and secure data, such as military, law enforcement and healthcare," the researchers say.
The backdoor stages the data it collects from the host in special folders it creates under %programdata%Settings. Every stolen type of data has its own resource "code name" in the C2.
Once the data is staged, it is archived in a .rar file and exfiltrated to the C2. The backdoor also has keylogging and screen capturing data-stealing capabilities.
"Both are being stored in an interesting way, applying unrelated extensions to the files containing the stolen data. This is perhaps another stealth mechanism, or just a way for the attacker to distinguish between the different stolen data types," the researchers say.
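The trick described above, storing stolen data under unrelated extensions, leaves a detectable trace: a file whose leading bytes do not match what its extension claims. The following hunting script is an added example, not Cybereason's tooling or the malware's code; the magic-byte table, the staging folder name "Settings" and the sample files are assumptions constructed for illustration.

```python
"""Flag staged files whose extension hides their real content type.
Added example, not Cybereason's tooling: BarbWire stages keylog and
screenshot data under unrelated extensions and archives loot as .rar.
Signatures and the staging folder name are assumptions for illustration."""
import tempfile
from pathlib import Path

# Magic bytes for formats the report mentions: RAR (exfil container),
# PNG/JPEG (screenshots) and PDF (stolen documents).
SIGNATURES = {
    b"Rar!\x1a\x07": "rar",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"%PDF-": "pdf",
}
# Extensions that legitimately carry each format.
EXPECTED_EXT = {"rar": {".rar"}, "png": {".png"}, "jpg": {".jpg", ".jpeg"}, "pdf": {".pdf"}}


def detect_format(path: Path):
    """Return the format implied by the file's leading bytes, or None."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for magic, name in SIGNATURES.items():
        if head.startswith(magic):
            return name
    return None


def find_masqueraded_files(staging_dir: Path):
    """Return [(relative_path, real_format)] where the extension lies about content."""
    hits = []
    for path in sorted(staging_dir.rglob("*")):
        fmt = detect_format(path) if path.is_file() else None
        if fmt and path.suffix.lower() not in EXPECTED_EXT[fmt]:
            hits.append((str(path.relative_to(staging_dir)), fmt))
    return hits


def demo():
    """Constructed staging folder: two masqueraded files and one honest PDF."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Settings"  # assumed staging folder name
        root.mkdir()
        (root / "cache.tmp").write_bytes(b"Rar!\x1a\x07\x00" + b"\x00" * 16)  # RAR as .tmp
        (root / "icon.ini").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)  # PNG as .ini
        (root / "brief.pdf").write_bytes(b"%PDF-1.4\n%constructed\n")        # honest
        return find_masqueraded_files(root)
```

Pointing `find_masqueraded_files` at a real staging directory turns it into a quick triage pass; extend `SIGNATURES` for other formats the archive or screenshot tooling in your environment produces.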
APT-C-23 also uses VolatileVenom, which is an Android malware. The attackers ask victims to download and install the app, claiming that it is secure and discreet.
Based on their investigation, the researchers say the group has been using VolatileVenom since at least April 2020 and disguises it by using icons and names of chat applications.
VolatileVenom has a wide range of espionage capabilities that enable attackers to extract data from their victims, including:
- Stealing SMSes;
- Reading contact list information;
- Using the device camera to take photos;
- Stealing files with the extensions pdf, doc, docs, ppt, pptx, xls, xlsx, txt, text;
- Stealing images with the extensions jpg, jpeg, png;
- Recording audio;
- Using phishing to steal credentials to popular apps, such as Facebook and Twitter;
- Discarding system notifications;
- Getting installed applications;
- Restarting Wi-Fi;
- Recording phone calls and WhatsApp calls;
- Extracting call logs;
- Downloading files to the infected device;
- Taking screenshots;
- Reading notifications from WhatsApp, Facebook, Telegram, Instagram, Skype, IMO and Viber;
- Discarding any notifications raised by the system.