Arid Viper hackers strike Palestine with political lures and Trojans

The advanced persistent threat (APT) group, Arid Viper is back with a new campaign targeting Palestinian organizations and activists.

The cyberattack group, believed to be located in Gaza, an area of conflict and a hotbed of tension between Israel and Palestine, attacks organizations worldwide but now appears to be focused on entities related to the politics surrounding Palestine.

Arid Viper, also known as Desert Falcon, Two-tailed Scorpion, or APT C-23, has been active since at least 2015 and was responsible for spear-phishing attacks against Palestinian law enforcement, the military, educational establishments, and the Israel Security Agency (ISA).

Windows and Android malware have been used in previous campaigns, the latter spread through fake app stores. Delphi-based malware has featured heavily in earlier activity and remains the favorite weapon of Arid Viper.

According to researchers from Cisco Talos, the ongoing campaign uses a Delphi-based Micropsia implant to strike activists. Arid Viper's main focus is cyberespionage, and targets are selected by the operators based on the political motivation of the liberation of Palestine.

The initial attack vector is phishing emails whose content relates to the Palestinian political situation and is usually stolen from news agencies.

If a targeted victim opens one of these documents, the implant executes and brings a range of Remote Access Trojan (RAT) capabilities into play. The malware collects operating system and antivirus data, exfiltrates it to the operator's command-and-control (C2) server, steals content from the machine, takes screenshots, and conducts further surveillance activities.

A timer contained in the implant also establishes persistence on the target machine through the Startup folder.
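A triage check for the persistence mechanism just described, as an added example that is not from the article or from Cisco Talos: it lists recently added autorun files in the Windows Startup folders together with their SHA-256 hashes, so a responder can compare them against known-good entries. The folder paths, the 30-day window and the extension list are assumptions of this example, not values from the report.

```python
import hashlib
import os
import time
from pathlib import Path

# Default Windows Startup folders (per-user and all-users); assumed paths,
# used only when they exist on the host running the check.
STARTUP_DIRS = [
    Path(os.environ.get("APPDATA", "")) / "Microsoft/Windows/Start Menu/Programs/Startup",
    Path(os.environ.get("ProgramData", "")) / "Microsoft/Windows/Start Menu/Programs/StartUp",
]
# Extensions worth a second look; .lnk is included because a dropper often
# places a shortcut to the binary rather than the binary itself.
SUSPECT_EXT = {".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".lnk"}


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_startup_dir(directory, max_age_days=30, now=None):
    """Return suspect-extension files modified within max_age_days (now may be fixed)."""
    now = time.time() if now is None else now
    findings = []
    for entry in sorted(Path(directory).iterdir()):
        if not entry.is_file() or entry.suffix.lower() not in SUSPECT_EXT:
            continue
        age_days = (now - entry.stat().st_mtime) / 86400
        if age_days <= max_age_days:
            findings.append({"path": str(entry),
                             "age_days": round(age_days, 1),
                             "sha256": sha256_file(entry)})
    return findings


def audit_all(max_age_days=30):
    """Run the check across every Startup folder present on this host."""
    results = []
    for d in STARTUP_DIRS:
        if d.is_dir():
            results.extend(audit_startup_dir(d, max_age_days))
    return results


if __name__ == "__main__":
    for f in audit_all():
        print(f"{f['age_days']:>6} d  {f['sha256'][:16]}...  {f['path']}")
```

Legitimate entries (vendor updaters, the system's own desktop.ini) will appear too, so the output is a candidate list for comparison against a baseline, not a verdict.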

The most recent samples found by Talos lead researchers to believe that this campaign is linked to the previous campaign reported in 2017. The continued use of the same TTPs over the years indicates that the group does not feel affected by the public exposure of its campaigns and implants, and continues to operate business as usual.

The post Arid Viper hackers strike Palestine with political lures and Trojans first appeared on Cybersafe News.