An Android Remote Access Trojan (RAT) recently revealed to be targeting Israeli servicemen is part of a larger campaign that might not be associated with Hamas, as initially believed, security researchers have determined.
The attacks, which appear to have started around July 2016 and already hit more than 100 Israeli soldiers, were initiated through social networks and leveraged sophisticated lures to trick victims into installing malware on their Android devices. Focused on exfiltrating data from the compromised phones, the campaign is ongoing, with the most recent attacks observed in February.
Last month, an Israeli military official revealed that the attackers used ‘honey traps’ in the form of fake Facebook profiles featuring alluring photos of attractive young women, and that dozens of predominantly lower-ranked soldiers were duped into downloading fake apps on their phones. The official claimed that Hamas, the Islamist movement that runs the Gaza Strip, was behind the attacks, but didn’t say how the army came to the conclusion.
Now, Kaspersky security researchers, who worked with the Israeli army on investigating the incidents, reveal that the sophisticated attacks were initiated by a “cunning threat actor” and that Israeli Defense Force (IDF) servicemen of different ranks, most of them serving around the Gaza strip, were targeted. Lookout, which also analyzed the attacks, notes that Hamas doesn’t have a “sophisticated mobile capability,” suggesting that another faction is behind the campaign.
The attacks abused social networks such as Facebook to lure targeted servicemen (only IDF soldiers were targeted) into sharing confidential information and installing malicious apps, researchers say. The actors used avatars of young women pretending to be from different countries, including Canada, Germany, Switzerland and more, and attempted to lure victims using sexual innuendo.
Victims were tricked into manually downloading and installing a malicious application, which was designed to function as a dropper. After compromise, the dropper would fetch a list of installed applications and pretend to serve an update for one of them, depending on the findings: either a WhatsApp or Viber update, if one was found on the device, or a generic System Update, if nothing was discovered.
According to Lookout, which calls this Trojan ViperRAT, the actors used Trojanized versions of apps such as SR Chat and YeeCall Pro, as well as a billiards game, an Israeli Love Songs player, and a Move To iOS app, to disguise the dropper. Kaspersky, on the other hand, discovered the malware hidden in apps such as a YouTube player (LoveSongs) or messaging software (WowoMessanger, YeeCall).
“Naming additional payload applications as system updates is a clever technique used by malware authors to trick victims into believing a threat isn’t present on their device. ViperRAT takes this one step further by using its dropper app to identify an appropriate second stage ‘update’ that may go unnoticed,” Lookout points out.
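The lure pattern described above (a second stage posing as a WhatsApp, Viber or "System Update" package) is something a device inventory can be screened for. The following triage heuristic is an added example, not code from Lookout, Kaspersky or the malware itself; the package inventory is constructed, and the genuine package names for WhatsApp (`com.whatsapp`) and Viber (`com.viber.voip`) are the only real identifiers used.

```python
"""Flag installed Android apps whose label impersonates WhatsApp, Viber or a
system update while their package name or install location does not fit.
Added example; the inventory below is constructed, not from the article."""
from dataclasses import dataclass

# Genuine applicationIds of the apps ViperRAT's dropper pretended to update.
LEGIT_PACKAGES = {"whatsapp": "com.whatsapp", "viber": "com.viber.voip"}
# A real OS update component lives on a system partition, not under /data/app.
SYSTEM_PATH_PREFIXES = ("/system/", "/product/", "/vendor/")


@dataclass
class InstalledApp:
    label: str      # user-visible name shown at install time / in launcher
    package: str    # applicationId reported by the package manager
    apk_path: str   # on-device path of the APK
    installer: str  # installing package; "" means sideloaded or unknown


def suspicious_reason(app: InstalledApp) -> str:
    """Return why the app looks like a ViperRAT-style lure, '' if it passes."""
    label = app.label.lower()
    for brand, genuine_pkg in LEGIT_PACKAGES.items():
        if brand in label and app.package != genuine_pkg:
            return f"label claims {brand} but package is {app.package}"
    if "system update" in label and not app.apk_path.startswith(SYSTEM_PATH_PREFIXES):
        src = app.installer or "sideload"
        return f"'System Update' in user space at {app.apk_path} (installer: {src})"
    return ""


def triage(inventory):
    """Map each flagged package name to the reason it was flagged."""
    return {a.package: r for a in inventory if (r := suspicious_reason(a))}


# Constructed inventory: two genuine apps, one real updater, two lures.
SAMPLE_INVENTORY = [
    InstalledApp("WhatsApp", "com.whatsapp", "/data/app/com.whatsapp-1/base.apk", "com.android.vending"),
    InstalledApp("Viber", "com.viber.voip", "/data/app/com.viber.voip-1/base.apk", "com.android.vending"),
    InstalledApp("System Update", "com.example.oemupdater", "/system/priv-app/Updater/Updater.apk", ""),
    InstalledApp("WhatsApp Update", "com.example.lure1", "/data/app/com.example.lure1-1/base.apk", ""),
    InstalledApp("System Update", "com.example.lure2", "/data/app/com.example.lure2-1/base.apk", ""),
]

if __name__ == "__main__":
    for pkg, reason in triage(SAMPLE_INVENTORY).items():
        print(f"{pkg}: {reason}")
```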
The most important part of the attack, however, is the second-stage payload, which includes the surveillanceware capabilities. The malware can collect data from the compromised devices either by executing manual commands from the operator or by performing scheduled tasks (using various Android APIs, the malware collects specific information every 30 seconds).
The exfiltrated data included: contact information, compressed recorded audio, images captured from the device camera, images stored on the device, geolocation information, SMS content, call logs, cell tower information, browser search history and bookmarks, and general information such as network and device metadata (IMEI, operator, device model, SIM information, hardware details, SDK, and the like).
“The actors behind ViperRAT seem to be particularly interested in image data. We were able to identify that 8,929 files had been exfiltrated from compromised devices and that the overwhelming majority of these, 97 percent, were highly likely encrypted images taken using the device camera. We also observed automatically generated files on the C2, indicating the actor behind this campaign also issues commands to search for and exfiltrate PDF and Office documents,” Lookout notes.
According to Kaspersky, because the RAT doesn’t yet have root permissions implemented, it can’t access the WhatsApp database along with its encryption key. The security researchers also note that the malware can update itself and that all of the malicious logic associated with the Trojan was implemented without any native code or third-party libraries. For example, call recording is implemented using Android’s API exclusively.
Although media reports have attributed these attacks to Hamas, Lookout believes that another actor is behind them, mainly because Hamas “is not widely known for having a sophisticated mobile capability.” Furthermore, the security firm notes that ViperRAT, which first surfaced in late 2015, features many default strings in Arabic, either because it was targeting Arabic speakers or because its developer is fluent in Arabic.
At the same time, Kaspersky suggests that the attacks observed so far are only the tip of the iceberg, and that the campaign is likely to continue. “The IDF, which led the research along with Kaspersky Lab researchers, has concluded that this is only the opening shot of this operation. Further, that it is by definition a targeted attack against the Israeli Defense Force, aiming to exfiltrate data on how ground forces are spread, which tactics and equipment the IDF is using and real-time intelligence gathering,” Kaspersky concludes.