Researchers have identified two malware operations – one, an intelligence-gathering campaign targeting Israeli organizations since mid-2013, and a second which appears to be the work of “less-skilled hackers” targeting victims in Egypt.
Operators behind the campaigns, which have separate aims and make use of different malware, relied on the same command-and-control infrastructure in Germany to carry out their malicious exploits, according to a Trend Micro report (PDF) released Monday.
Analysts dubbed the mission to exfiltrate sensitive data from five Israeli organizations in the government, military, transportation and academic sectors “Operation Arid Viper.” While monitoring the attackers’ control hub, they also stumbled upon a campaign run by Egyptian hackers, dubbed “Operation Advtravel,” who sought to obtain photos from their targets’ computers (mostly Arabs in Egypt) that could be used for blackmail. The Advtravel actors shared command-and-control servers with the Arid Viper attackers, as well as email addresses used to register domains, Trend Micro found.
On the Advtravel server, researchers observed more than 500 infected systems, the report said, all of which appeared to be personal laptops.
“The attackers appear to be keenly interested in images stored on victims’ systems,” the report said. “This could be a sign that they are looking for incriminating or compromising images for blackmail purposes. As such, the attackers may be less-skilled hackers who are not after financial gain nor hacking for espionage purposes.”
In contrast, Operation Arid Viper used spear phishing emails to steal data from Israeli targets. Their malware was “unusual,” Trend Micro noted, in that it carried a “pornographic component” as a means of slowing incident response efforts while the attackers worked to exfiltrate data. Researchers observed that Arid Viper attackers opted to send malicious .RAR attachments to victims, which ultimately dropped two additional files on victims’ systems.
“One file is a short pornographic video in .FLV or .MPG format, depending on the samples seen. The other file is a Windows binary file sporting the icon on the well-known Internet communication program, Skype,” the report revealed.
“It targeted professionals who might be receiving very inappropriate content at work and so would hesitate to report the incident,” the report explained. “These victims’ failure to act on the threat could have allowed the main malware to remain undiscovered.”
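The attachment pattern described above, a media decoy packaged with a Windows binary whose icon suggests a harmless program, is something a mail gateway can flag by sniffing the content of each archive entry rather than trusting its name or icon. The following is an added example written for this article; it is not code from the Trend Micro report. It uses a ZIP container (Python's standard library has no RAR reader; a real deployment would swap in a RAR-capable library), sniffs PE and FLV/MPEG magic bytes, and flags both the decoy-plus-executable pairing and any entry whose extension disagrees with its content. The sample archives are constructed inline and are not campaign artifacts.

```python
import io
import os
import zipfile

# Magic-number prefixes used to sniff entry content regardless of file name.
PE_MAGIC = b"MZ"
MEDIA_MAGICS = {
    b"FLV": "flv",                # Flash video container
    b"\x00\x00\x01\xba": "mpg",   # MPEG program stream
    b"\x00\x00\x01\xb3": "mpg",   # MPEG video sequence header
}
MEDIA_EXTS = {".flv", ".mpg", ".mpeg", ".avi", ".mp4"}


def sniff(head: bytes) -> str:
    """Classify an entry by its leading bytes: 'pe', a media type, or 'other'."""
    if head.startswith(PE_MAGIC):
        return "pe"
    for magic, kind in MEDIA_MAGICS.items():
        if head.startswith(magic):
            return kind
    return "other"


def inspect_archive(blob: bytes) -> dict:
    """Sniff every entry of an attachment archive and return a verdict.

    suspicious     - any entry carries a Windows executable header
    decoy_pattern  - an executable travels alongside a video decoy
    mismatches     - entries whose extension claims media but content is PE
    """
    entries = {}
    mismatches = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                kind = sniff(fh.read(16))
            entries[info.filename] = kind
            ext = os.path.splitext(info.filename)[1].lower()
            if kind == "pe" and ext in MEDIA_EXTS:
                mismatches.append(info.filename)
    has_pe = any(k == "pe" for k in entries.values())
    has_media = any(k in ("flv", "mpg") for k in entries.values())
    return {
        "entries": entries,
        "suspicious": has_pe,
        "decoy_pattern": has_pe and has_media,
        "mismatches": mismatches,
    }


def build_decoy_sample() -> bytes:
    """Constructed archive mimicking the described pattern (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("clip.flv", b"FLV\x01" + b"\x00" * 60)      # video decoy
        zf.writestr("Skype.exe", b"MZ" + b"\x90" * 60)         # PE header stub
        zf.writestr("trailer.mpg", b"MZ" + b"\x90" * 60)       # PE disguised as video
    return buf.getvalue()


def build_benign_sample() -> bytes:
    """Constructed archive with no executable content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", b"quarterly figures attached\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("decoy", build_decoy_sample()), ("benign", build_benign_sample())):
        print(label, inspect_archive(blob))
```

Magic-byte sniffing catches a renamed executable that an extension filter would pass, but it does not inspect icon resources; the Skype icon the report mentions is a social-engineering detail aimed at the recipient, and a gateway should decide on content, not on what the file looks like in Explorer.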
In a Tuesday interview with SCMagazine.com, Tom Kellermann, chief cybersecurity officer at Trend Micro, discussed the attackers’ social engineering tactics.
“People are very much embarrassed to bring in IT if there is porn on their computer and these attackers were leveraging that [fact] to have more time to burrow [their malware] in the systems,” Kellermann said. “I think it’s social engineering as it relates to inappropriate content.”
He later added that this “counter incident response movement is becoming more pervasive,” among attack groups – whether through the destructive payload delivered in the Sony Pictures incident or via malware tactics using pornography, such as in this case, to hamper threat mitigation efforts.