"These attacks are likely performed by the same attacker, as the malware in question communicate with the same command-and-control structures, and in many cases are signed using the same digital certificate," said Snorre Fagerland, principal security researcher at Norway-based security firm Norman, in a report detailing the attacks. "These attacks have been ongoing for at least a year; seemingly first focused on Palestinians, then Israelis. The attacker is unknown at this point, but the purpose is assumed to be espionage/surveillance."
Norman has tied the underlying malicious infrastructure to a series of targeted attacks launched last month against Israeli police force computers, which led officials to temporarily take police computers offline and to ban the use of removable media, according to news reports.
[ Are fears of Iranian cyber attackers overblown? Read Frankenstory: Attack Of The Iranian Cyber Warriors. ]
Last month, Trend Micro studied samples of the malware and said at least one related attack apparently targeted the Israeli customs agency. "The attack began with a spammed message purporting to come from the head of the Israel Defense Forces Benny Gatz," read a blog post from Ivan Macalintal, a threat research manager at Trend Micro. Like the supposed sender, the phishing email's subject line --"IDF strikes militants in Gaza Strip following rocket barrage"-- was meant to entice targets into opening the attachment, which contained a disguised and compressed version of the Xtreme remote access Trojan (RAT).
The latest version of the Xtreme RAT is compatible with Windows 8 and can capture audio and steal passwords from Chrome, Firefox, Opera and Safari browsers. "XtremeRat is a commercially available backdoor Trojan which has been used in many attacks, targeted and otherwise, over the years," said Fagerland. "It gained some notoriety in connection with attacks against Syrian activists; along with other off-the-shelf Trojans such as BlackShades and DarkComet." It has also been used in a number of operations involving surveillance or remote-access exploits.
According to Norman, versions of the attack that it recovered included a malicious executable file -- disguised with the .SCR file extension and named to relate to various high-profile news stories in Israel -- that contained a self-extracting archive (in .SFX format), which itself contained multiple files. Those files included a harmless "barrage.doc" file along with a file named "Word.exe," which was in reality the XtremeRAT backdoor software.
All the emails used in the attacks were signed using the same faked digital certificate, which appeared to be from Microsoft. Interestingly, Norman found that attacks using that same faked certificate date back to at least May 2012 and have been controlled by botnet command-and-control (C&C) servers located in the United States. Upon further investigation, Norman discovered that since at least October 2011, other malware -- mostly versions of Xtreme RAT -- have been communicating with the same C&C infrastructure, as well as entire other botnets, which again are largely based at U.S. hosting services. "It is logical to assume that all these have been part of a medium/large surveillance operation," said Fagerland.
To date, many espionage malware operations focused on the Middle East have been traced to the United States government -- including Stuxnet, Flame, and Duqu -- and in the case of Stuxnet, also Israel. But not all malware that's targeting the Middle East has been launched by the United States. Notably, many security experts believe that the Mahdi malware was developed by Iran, for the purpose of spying on Iranians.
At first, the newly discovered Xtreme RAT attack campaign seemed to be a straight-up operation targeting Israel. But Norman then discovered an earlier series of attacks, launched using the same C&C infrastructure, which didn't target Israel but Palestine. Notably, the bait emails used in the attacks were written in Arabic and referred to issues that would be of greatest interest to Palestinians. The earlier series of attacks, which appear to have begun in the spring of 2012, relied in part on IP addresses owned by a service provider based in Ramallah, in the West Bank.
Norman's Fagerland said that the IP address ranges -- which change every few days -- that were used in the attacks may not reveal the botnet's controllers, as they likely launched their attacks from "hacked boxes." Furthermore, because the botnet targeted both Palestine and Israel, it's difficult to identify exactly who's behind the attacks.
Regardless, he said, the bigger picture is that the attacks demonstrate just how easy -- and relatively affordable -- it can be to launch an advanced persistent threat (APT) attack with commercially available tools. "Using largely off-the-shelf malware, the cost of mounting such an operation is considerably lower than for those who do their own malware development," Fagerland said.
Building a more robust network vulnerability management program can help you identify security holes before an attacker does, as well as develop more secure systems and applications in the future. In the A Guide To Network Vulnerability Management report, we examine the products and practices that will get you there. (Free registration required.)