An “elaborate campaign” targeting high-profile Israeli citizens working in law enforcement and sensitive defense roles has been linked to a threat actor affiliated with Hamas’ cyber warfare division.
“The campaign operators use sophisticated social engineering techniques, ultimately aimed to deliver previously undocumented backdoors for Windows and Android devices,” cybersecurity company Cybereason said in a Wednesday report.
“The goal behind the attack was to extract sensitive information from the victims’ devices for espionage purposes.”
The monthslong intrusions, codenamed “Operation Bearded Barbie,” have been attributed to an Arabic-speaking and politically-motivated group called Arid Viper, which operates out of the Middle East and is also known by the monikers APT-C-23 and Desert Falcon.
Most recently, this threat actor has been held responsible for attacks on Palestinian activists and entities beginning around October 2021, carried out using politically-themed decoy documents and phishing emails.
The latest infiltrations are notable for their specific focus on plundering information from computers and mobile devices belonging to Israeli individuals by luring them into downloading trojanized messaging apps, granting the actors unfettered access.
The social engineering attacks used fake Facebook personas to attract the attention of targeted individuals and befriend them.
“After gaining the victim’s trust, the operator of the fake account suggests migrating the conversation from Facebook over to WhatsApp,” the researchers elaborated. “By doing so, the operator quickly obtains the target’s mobile number.”
Once the chat switches from Facebook to WhatsApp, the attackers recommend that victims install VolatileVenom, presented as a secure messaging application for Android. They also suggest that the victims open RAR archives purportedly containing explicit sexual material, which instead lead to the download of the Barb(ie) malware.
Other hallmarks of the campaign have included the group leveraging an upgraded arsenal of malware tools, including the BarbWire Backdoor, which is installed by the downloader module.
The malware is used to compromise the victim’s computer. It can establish persistence, steal stored information, take screenshots and record audio.
VolatileVenom, on the other hand, is Android spyware that is known to spoof legitimate messaging apps and masquerade as system updates, and which Arid Viper has put to use in different campaigns since at least 2017.
One example of such a rogue Android app is “Wink Chat,” which prompts victims to log in to the service. The application then stealthily runs in the background and collects a variety of data.
“The attackers use a completely new infrastructure that is distinct from the known infrastructure used to target Palestinians and other Arabic-speakers,” the researchers said.
“This campaign shows a considerable step-up in APT-C-23 capabilities, with upgraded stealth, more sophisticated malware, and perfection of their social engineering techniques which involve offensive HUMINT capabilities using a very active and well-groomed network of fake Facebook accounts that have been proven quite effective for the group.”