Trend Micro: Arid Viper Could be the Start of Something Big

Written by

Security researchers have uncovered two interconnected Middle East attack campaigns of very different skill levels aimed at stealing sensitive information from Israeli and Egyptian targets.

Trend Micro revealed the results of its threat intelligence in its latest report: Operation Arid Viper, Bypassing the Iron Dome.

It details two attack campaigns launched by a “budding generation of Arab hackers and malware creators.”

The first, Operation Arid Viper, is by far the more sophisticated.

This highly targeted campaign fires spear phishing emails with an attachment disguised as a pornographic video, designed to distract the victim away from the fact that “something strange is happening ,” said Trend Micro.

Each newly infected system is given a unique identifier for its communications with the C&C server and proceeds to exfiltrate large volumes of sensitive data.

The report continues:

“Based on IP addresses associated with malware infections tied to the campaign’s core infrastructure, we were able to determine its targets—a government office, transport service/infrastructure providers, a military organization, and an academic institution in Israel. It also targeted an academic institution in Kuwait along with several other unidentified Israeli individuals.”

Trend Micro found the C&C servers hosted in Germany, but on investigating them further, discovered that they were also being used to host another attack campaign, dubbed ‘Operation Advtravel’.

The people responsible for this campaign are thought to be less skilled than the Arid Viper group. There are several reasons for this, including the fact that they left the Advtravel C&C server directory publicly accessible – which helped in Trend Micro’s research.

The data-stealing Advtravel malware exhibited similar behaviors to Arid Viper but was different. It infected more than 500 systems – mainly laptops – with the majority of victims being Arabs from Egypt, the report claimed.

It continued:

“The attackers appear to be keenly interested in images stored on victims’ systems. This could be a sign that they are looking for incriminating or compromising images for blackmail purposes. As such, the attackers may be less-skilled hackers who are not after financial gain nor hacking for espionage purposes.”

So intriguingly, despite the shared C&C servers and the fact that domains for both had been registered by the same people, some living in Gaza, the targets for attack were very different.

This could indicate the existence of a “supra-organization” which provides the infrastructure for “Arab parties” to launch cyber-attacks, Trend Micro concluded.

“If our theory holds, we will see a host of cyber-attacks with detrimental results stem from Arab countries in the near future. Internet users will be stuck in the middle of a battlefield they do not care much for,” it added.

What’s hot on Infosecurity Magazine?