A prolific Middle East team with links to Hamas is said to be using malware and infrastructure to target high-ranking Israeli officials and steal sensitive data from Windows and Android devices.
The advanced persistent threat (APT) group – known by some as APT-C-23, Arid Viper, Desert Falcon, and FrozenCell, among other names – set up an elaborate cyberespionage campaign, spending months rolling out fake Facebook accounts to target specific potential Israeli victims, according to Cybereason’s Nocturnus threat intelligence team.
“These fake accounts have operated for months, and seem relatively authentic to the unsuspecting user,” the security shop’s Nocturnus outfit wrote in a report released today.
“The operators seem to have invested considerable effort in ‘tending’ these profiles, expanding their social network by joining popular Israeli groups, writing posts in Hebrew, and adding friends of the potential victims as friends,” the researchers found.
“Over time, the operators of the fake profiles were able to become ‘friends’ with a broad spectrum of Israeli citizens, among them some high-profile targets that work for sensitive organizations including defense, law enforcement, emergency services and other government-related organizations.”
Barbie comes with all your data
The campaign, which Nocturnus dubbed Operation Bearded Barbie, is a departure for APT-C-23, which has operated in the Middle East for years and typically focused on Arabic-speaking targets. The group has used the same relatively unsophisticated tools and techniques in other campaigns over the years.
However, for this latest effort, the APT crew has seemingly upgraded: it’s now using a fresh set of tools – dubbed Barb(ie) Downloader and BarbWire Backdoor – that feature techniques for evading detection and a focus on operational security. The group is also deploying an improved VolatileVenom Android implant.
“In addition, all three malware [samples] in use were also specifically designed to be used against Israeli targets, and were not observed being used against other targets. … This ‘tight grip’ on their targets attests to how important and sensitive this campaign was for the threat actors,” Nocturnus stated.
Oldest tricks in the book
The APT team used classic cat-fishing techniques (fake identities of attractive women in the Facebook profiles) to engage men. After gaining the trust of the victim, the operative suggests they move the conversation to WhatsApp – obtaining the target’s cellphone number in the process – and then often uses sexually themed content to convince the victim to switch to an even more discreet means of communication, such as a purpose-built Android messaging app that contains the VolatileVenom malware.
They also lure victims into opening a .rar file on their PC that includes a video containing sexually explicit content. Once they click on the video, malware is installed on the Windows system in the background while the target is distracted by the video, the researchers wrote.
Through the .rar file, the Barb(ie) downloader is used to install the BarbWire backdoor. It first checks that no analysis tools are running and that it is not inside a sandbox-like environment before installing BarbWire. The malware collects information about the system – such as the username, the operating system version, and running processes – and sends that to a command-and-control (C2) server.
The backdoor comes with a number of techniques for hiding itself, from string encryption to API hashing and process protection, with the aim of giving the threat group complete control of the PC and running such tasks as keylogging, screen capturing, audio recording, and downloading more malware. It searches for files including PDFs, Office documents, videos, and image files as well as external media, including CD-ROMs.
“Searching for such an old media format, together with the file extensions of interests, could suggest a focus on targets that tend to use more ‘physical’ formats to transfer and secure data, such as military, law enforcement, and healthcare,” the researchers wrote.
Once located, this data is put in a .rar archive and exfiltrated to a remote command-and-control server. The Nocturnus team said it has detected three variants of the BarbWire backdoor.
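As an added example (not Cybereason’s or the group’s code), the following defender-side heuristic flags the BarbWire collection chain described above – enumeration of removable/optical media, bulk reads of document and media files, creation of a .rar archive, then an outbound connection from the same process – over a constructed batch of endpoint telemetry. The event shape, file-extension list and thresholds are assumptions, not values from the report.

```python
"""Heuristic for the BarbWire-style staging pattern (added example)."""
import os
from collections import defaultdict

# Extensions the report says the backdoor hunts for (Office, PDF, video, images); list is assumed.
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".mp4", ".avi", ".jpg", ".png"}
MEDIA_TYPES = {"removable", "cdrom"}   # the report notes CD-ROM/external media enumeration
MIN_DOC_READS = 20                      # assumed threshold for "bulk" document access

# Constructed telemetry: pid 4242 mimics the backdoor; pid 7777 is a benign user archiving a file.
EVENTS = [
    {"ts": 1, "pid": 4242, "type": "drive_enum", "drive_type": "cdrom"},
    {"ts": 2, "pid": 4242, "type": "drive_enum", "drive_type": "removable"},
    *[{"ts": 3 + i, "pid": 4242, "type": "file_read",
       "path": f"C:\\Users\\u\\Documents\\doc{i}.pdf"} for i in range(25)],
    {"ts": 40, "pid": 4242, "type": "file_create", "path": "C:\\Users\\u\\AppData\\Local\\Temp\\x.rar"},
    {"ts": 41, "pid": 4242, "type": "net_connect", "dst": "203.0.113.10:443"},
    {"ts": 50, "pid": 7777, "type": "file_read", "path": "C:\\Users\\u\\Desktop\\a.docx"},
    {"ts": 51, "pid": 7777, "type": "file_create", "path": "C:\\Users\\u\\Desktop\\a.rar"},
]


def score_processes(events):
    """Return {pid: [matched indicators]} for processes that match the staging chain."""
    state = defaultdict(lambda: {"media": False, "docs": 0, "rar_ts": None, "net_after_rar": False})
    for e in sorted(events, key=lambda e: e["ts"]):
        s = state[e["pid"]]
        if e["type"] == "drive_enum" and e["drive_type"] in MEDIA_TYPES:
            s["media"] = True
        elif e["type"] == "file_read" and os.path.splitext(e["path"])[1].lower() in DOC_EXTS:
            s["docs"] += 1
        elif e["type"] == "file_create" and e["path"].lower().endswith(".rar"):
            s["rar_ts"] = e["ts"]
        elif e["type"] == "net_connect" and s["rar_ts"] is not None and e["ts"] > s["rar_ts"]:
            s["net_after_rar"] = True   # archive created, then the same process talks out
    hits = {}
    for pid, s in state.items():
        inds = []
        if s["media"]:
            inds.append("enumerated removable/optical media")
        if s["docs"] >= MIN_DOC_READS:
            inds.append(f"read {s['docs']} document/media files")
        if s["rar_ts"] is not None:
            inds.append("created .rar archive")
        if s["net_after_rar"]:
            inds.append("outbound connection after archive creation")
        # Require the archive plus at least two corroborating behaviours to avoid flagging WinRAR users.
        if s["rar_ts"] is not None and len(inds) >= 3:
            hits[pid] = inds
    return hits
```

Tune the thresholds to your environment; a single indicator alone (a .rar on disk) is normal user activity, and only the combination is worth an alert.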
Regarding VolatileVenom, APT-C-23 has been using the Android malware since about 2020. This campaign uses a fake messaging app named “Wink Chat” as a lure; when the user tries to sign up to use the software, an error message appears saying the app will be uninstalled. Meanwhile, the malware continues running in the background, locating and gathering data before sending it to the C2.
“This campaign shows a considerable step-up in APT-C-23 capabilities, with upgraded stealth, more sophisticated malware, and perfection of their social engineering techniques which involve offensive HUMINT [human intelligence] capabilities using a very active and well-groomed network of fake Facebook accounts that have been proven quite effective for the group,” the researchers wrote. ®