Source: https://cobaltstrike.net/2022/04/07/aridviper-hackers-attacked-israeli-officials/
The threat group AridViper (also known as APT-C-23, Desert Falcon and Two-tailed Scorpion) has run a cyber espionage campaign against high-ranking Israeli officials.
According to researchers at Cybereason Nocturnus, the current espionage campaign, which they call Operation Bearded Barbie, targets “carefully selected” Israeli individuals in order to compromise their computers and mobile devices, monitor their activity and steal sensitive data. The researchers assess that AridViper is reportedly linked to the Palestinian Islamist movement Hamas and operates in the interests of the Palestinian authorities.
The first stage of the AridViper campaign relies on social engineering. After reconnaissance, the group creates fake Facebook accounts, establishes contact with a potential victim and tries to persuade the target to download trojanized messaging applications. In some cases the fake profiles pose as young women.
The attackers then move the conversation from Facebook to WhatsApp and, once in the messenger, offer a more “private” messaging app. A second attack vector is a lure in the form of a sexually explicit video, delivered inside a malicious .RAR archive.
The group has also upgraded its toolset, adding two new tools, Barb(ie) Downloader and BarbWire Backdoor, as well as a new variant of the VolatileVenom implant.
Barb(ie) Downloader is delivered via the video lure and is used to install the BarbWire backdoor. Before installing the backdoor, the malware performs several anti-analysis checks, including detection of virtual machines (VMs) and sandboxes. Barb(ie) also collects basic information about the operating system and sends it to the command-and-control (C2) server.
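The kind of VM and sandbox checks an anti-analysis stage runs before unpacking a second stage, as an added example that is not Barb(ie) Downloader's own code (the article says only that it looks for VMs and sandboxes; the specific indicators, thresholds and the two host profiles below are assumptions constructed for illustration):

```python
"""Illustrative VM/sandbox artifact checks of the kind an anti-analysis stage
runs before dropping a backdoor. Added example, not Barb(ie) Downloader's own
logic: the indicators and thresholds are assumed. Host profiles are constructed
in-memory so the script runs offline; a real sample (or a sandbox operator
testing their hardening) would fill the same fields from the OS."""

# MAC OUI prefixes assigned to hypervisor vendors; virtual NICs default to these.
VM_MAC_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5d": "Hyper-V",
    "52:54:00": "QEMU/KVM",
}

# Guest-tools and analysis processes that evasive loaders commonly look for.
ANALYSIS_PROCESSES = {
    "vboxservice.exe", "vboxtray.exe", "vmtoolsd.exe", "vmwaretray.exe",
    "wireshark.exe", "procmon.exe", "x64dbg.exe", "ollydbg.exe", "ida64.exe",
}


def vm_vendor_from_mac(mac):
    """Return the hypervisor vendor for a MAC address, or None for a non-VM OUI."""
    return VM_MAC_OUIS.get(mac.lower()[:8])


def sandbox_indicators(profile):
    """Collect (indicator, detail) pairs that suggest an analysis environment."""
    hits = []
    for mac in profile.get("macs", []):
        vendor = vm_vendor_from_mac(mac)
        if vendor:
            hits.append(("mac_oui", f"{mac} -> {vendor}"))
    if profile.get("cpu_count", 0) < 2:
        hits.append(("low_cpu", f"{profile.get('cpu_count')} core(s)"))
    if profile.get("ram_gb", 0) < 4:
        hits.append(("low_ram", f"{profile.get('ram_gb')} GB"))
    if profile.get("uptime_minutes", 10**6) < 10:
        hits.append(("fresh_boot", f"{profile.get('uptime_minutes')} min"))
    for proc in profile.get("processes", []):
        if proc.lower() in ANALYSIS_PROCESSES:
            hits.append(("analysis_process", proc))
    return hits


def looks_like_sandbox(profile, threshold=2):
    """Treat the host as an analysis box once several independent indicators agree."""
    return len(sandbox_indicators(profile)) >= threshold


# Constructed profiles: a default VirtualBox sandbox and an ordinary corporate laptop.
SANDBOX_PROFILE = {
    "macs": ["08:00:27:3A:9C:1E"], "cpu_count": 1, "ram_gb": 2,
    "uptime_minutes": 3, "processes": ["explorer.exe", "VBoxService.exe", "procmon.exe"],
}
WORKSTATION_PROFILE = {
    "macs": ["3C:22:FB:0D:44:A1"], "cpu_count": 8, "ram_gb": 16,
    "uptime_minutes": 4321, "processes": ["explorer.exe", "outlook.exe"],
}

if __name__ == "__main__":
    for label, profile in (("sandbox", SANDBOX_PROFILE), ("workstation", WORKSTATION_PROFILE)):
        print(label, looks_like_sandbox(profile), sandbox_indicators(profile))
```

The same list reads as a hardening checklist for whoever operates the detonation sandbox: randomize the virtual NIC's OUI, give the guest several vCPUs and realistic RAM, let it accumulate uptime, and rename or hide guest-tools processes, otherwise the downloader simply exits and the backdoor is never observed.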
The BarbWire backdoor is described as a “very effective” piece of malware with a high level of obfuscation achieved through string encryption, API hashing and process protection. BarbWire performs a range of surveillance functions, including keylogging, screen capture, and audio eavesdropping and recording. The malware can also persist on an infected device, schedule tasks, encrypt content, download additional payloads and exfiltrate data. The backdoor specifically searches for Microsoft Office documents, PDF files, archives, images and videos on the compromised system and on any connected external drives.
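What API hashing does to an analyst and how it is undone, as an added example that is not BarbWire's own code: the article states only that BarbWire hashes its API names, not which algorithm it uses, so the classic ROR-13 scheme from shellcode loaders is assumed here, and the export list and "constants pulled from a sample" are constructed for illustration.

```python
"""Resolving hashed Windows API imports. Added example, not BarbWire's own code:
the ROR-13 scheme (each ASCII byte added after a 32-bit rotate-right by 13) is
assumed; a real workflow dumps the export tables of kernel32.dll and friends and
swaps in the sample's own rotate constant and any per-module salt."""

MASK32 = 0xFFFFFFFF


def ror32(value, count):
    """32-bit rotate right."""
    value &= MASK32
    return ((value >> count) | (value << (32 - count))) & MASK32


def api_hash(name, rotate=13):
    """ROR-13 hash over the ASCII bytes of an export name (assumed scheme)."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, rotate) + b) & MASK32
    return h


def build_hash_table(export_names, rotate=13):
    """Precompute hash -> name so constants found in a sample can be resolved."""
    return {api_hash(n, rotate): n for n in export_names}


def resolve_hashes(hash_values, table):
    """Map each constant to an export name; unknown hashes resolve to None."""
    return {h: table.get(h) for h in hash_values}


# Constructed stand-in for an export list dumped from kernel32.dll.
KERNEL32_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateFileW", "WriteFile", "CreateProcessA", "WinExec", "Sleep",
]

# Constructed "constants pulled from a sample": three computed with the assumed
# scheme, one deliberately unknown to show an unresolved lookup. Under ROR-13,
# LoadLibraryA hashes to 0xEC0E4E8E.
SAMPLE_CONSTANTS = [
    api_hash("LoadLibraryA"),
    api_hash("VirtualAlloc"),
    api_hash("CreateProcessA"),
    0xDEADBEEF,
]


def demo():
    """Resolve the constructed sample constants against the export table."""
    return resolve_hashes(SAMPLE_CONSTANTS, build_hash_table(KERNEL32_EXPORTS))


if __name__ == "__main__":
    for h, name in demo().items():
        print(f"0x{h:08X} -> {name or '<unresolved>'}")
```

The payoff for the attacker is that the binary's import table and string section stop naming the Windows functions it calls, so static triage sees rotate-and-add loops and 32-bit constants instead of `CreateProcessA`. Once the rotate constant is recovered from the loop, precomputing the table over every export of the common DLLs makes the constants readable again; an unresolved constant usually means a different rotate value, a per-module salt, or a DLL not yet added to the table.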
Cybereason also found new variants of VolatileVenom, Android malware that is installed alongside the “private” messaging application and is designed to monitor the device and steal data. VolatileVenom can use the microphone and audio functions of the Android device, record WhatsApp calls, read notifications from WhatsApp, Facebook, Telegram, Instagram, Skype, IMO and Viber, read contact lists, and steal information including SMS messages, files and application credentials.
In addition, the malware can extract call logs, take photos with the camera, interfere with Wi-Fi connections and upload files to the device.