19/02/2017

The ViperRAT APT group is targeting the Israeli Defense Force

A group of hackers, tracked as ViperRAT, is spying on the Israeli military by hacking into the soldiers’ personal Android mobile devices to track their activities and steal sensitive data. Experts from security firms Lookout and Kaspersky have discovered that at least 100 Israeli servicemen from the Israeli Defense Force (IDF) were targeted by cyber spies with a malware dubbed ViperRAT. “The Lookout research team was able to gain unique visibility into the ViperRAT malware, including 11 new, unreported applications. We also discovered and analyzed live, misconfigured malicious command and control servers (C2), from which we were able to identify how the attacker gets new, infected apps to secretly install and the types of activities they are monitoring.” reads the analysis published by Lookout. “In addition, we uncovered the IMEIs of the targeted individuals (IMEIs will not be shared publicly for the privacy and safety of the victims) as well as the types of exfiltrated content.”

According to the security experts, the IDF personnel had been targeted with social engineering attacks. The IDF soldiers were approached by the attackers via Facebook Messenger and other social networks. The cyber spies posed as attractive women from various countries, such as Canada, Germany, and Switzerland. “The threat actor uses social engineering to lure targets into installing a malicious application, while continuously attempting to acquire confidential information using social networks. We’ve seen a lot of the group’s activity on Facebook Messenger. Most of the avatars (virtual participants in the social engineering stage) lure the victims using sexual innuendo, e.g. asking the victim to send explicit photos, and in return sending fake photos of teenage girls.” reads the analysis shared by Kaspersky Lab.

The IDF soldiers were tricked into installing trojanized versions of two legitimate Android chat apps, SR Chat and YeeCall Pro. The experts also uncovered versions of a billiards game, an Israeli Love Songs player, and a Move To iOS app packaged with the ViperRAT spyware. The ViperRAT spyware is sophisticated: the malware researchers discovered two distinct variants of it. “The first variant is a “first stage application,” that performs basic profiling of a device, and under certain conditions attempts to download and install a much more comprehensive surveillanceware component, which is the second variant.” states Lookout. ViperRAT gathered information from the personal mobile devices of the IDF soldiers and then downloaded a second malicious application that masqueraded as an update for one of the apps already installed on the device, such as WhatsApp.

According to the experts, the ViperRAT threat actors were particularly interested in stealing image files from compromised devices. The researchers at Lookout determined that 8,929 files had been exfiltrated from hacked mobile devices; 97 percent of them were, in all likelihood, encrypted images taken with the device camera. The ViperRAT attack campaign started in July 2016 and is still ongoing, and according to the experts it is likely that other organizations were targeted by the same threat actor. The IDF investigated the attack with the support of both Kaspersky Lab and Lookout and theorized that the attackers were linked to the Hamas organization. Lookout researchers doubt that theory and put forward a second hypothesis that excludes Hamas because of the level of sophistication of the malware. “Hamas is not widely known for having a sophisticated mobile capability, which makes it unlikely they are directly responsible for ViperRAT.” states Lookout on the attribution.

http://securityaffairs.co/wordpress/56379/apt/viperrat-targets-idf.html

COMMENT "ΙΣΧΥΣ": The ...ViperRAT are Chinese. Their activity has in the past been traced, in other attacks, to large Chinese cities, either in China or in Taiwan. Our rough assessment... they are probably helping the Persians at the request of the Russians. And this is where it gets very interesting, given that the Jews and the Chinese have extremely good relations, to the point of raising eyebrows. Unfortunately, at such levels there is no certainty about anything. Anyone could be using this name, but our experts tell us that it is the same semi-state unit of China. Semi-state, because they also take on jobs for interested third parties other than the Chinese government, at the corresponding price of course, for anyone stupid enough to seek business with the Chinese.
 
Security researchers have determined that hackers have infiltrated the Android phones of over 100 Israeli military personnel to monitor their activities by exfiltrating data directly from the compromised devices. Those targeted were compromised by social engineering techniques, such as luring soldiers into conversation through communication platforms like Facebook Messenger with the hackers, who posed as attractive women from a variety of countries, including Canada, Germany, and Switzerland. The soldiers were then tricked into installing malicious, yet seemingly legitimate, Android chat apps, SR Chat and YeeCall Pro, for further communication, whereby the hackers then remotely updated the apps with a Trojan called ViperRAT capable of receiving commands from an external server and exfiltrating call logs, geolocations, photos, audio, contacts, messages, metadata, internet browsing, and emails. Notably, the photos exfiltrated from the phone cameras were encrypted using highly sophisticated cryptographic protocols.

The Cipher Take: Using targeted spear-phishing attacks to compromise the mobile devices of Israeli soldiers suggests the perpetrators are engaging in cyber espionage on behalf of a nation-state. While the Israeli military has insinuated Hamas is behind the breaches, security researchers argue the sophistication of the ViperRAT Trojan and the encryption used to exfiltrate images – likely so that if discovered, the Israeli military would not know what the hackers were interested in nor what assets had been compromised – strongly indicate a more capable state. Mobile phones in the hands of soldiers have long been an operational security hazard – at the least because they maintain telling social media accounts, at worst because they become unwitting insider threats to military operations. The easiest way to avoid a breach by ViperRAT is to never download applications from an untrusted, third-party source.

https://www.thecipherbrief.com/subscribe
