A Middle Eastern hacking group supposedly connected to Hamas uses malware to steal sensitive data from Windows and Android devices of high-ranking Israeli officials.
Sophisticated Catfish Campaign Targeting Israeli Officials
Cybereason’s Nocturnus research team has reported a new malware campaign in which Israeli government officials are targeted with catfishing lures. The Hamas-linked advanced persistent threat (APT) group APT-C-23 appears to be running a sophisticated catfishing campaign aimed specifically at high-ranking Israeli officials. The group is also known as Arid Viper, Desert Falcon, and FrozenCell.
Israeli Officials Keep Getting Catfished
It is worth noting that APT-C-23 has a history of successfully catfishing Israeli military and government officials. The group’s activity goes back at least to 2015, when Trend Micro revealed that “Arid Viper” had successfully targeted Israeli officials with ‘Porn Star Video’ malware.
Also in 2015, the independent security research firm Blue Coat Systems Inc. (Blue Coat) confirmed that “Desert Falcons” had carried out a four-month spying campaign after breaching Israeli military servers. In that campaign, the group also used suggestive photos of women serving in the IDF to lure officials.
In 2017, Israeli authorities acknowledged that Hamas hacked dozens of IDF soldiers’ phones using seductive female images. In their campaign, hackers posted seductive pictures of young Israeli women on social media to attract IDF soldiers and successfully obtained classified information in return.
In 2018, the Times of Israel reported that the smartphones of hundreds of IDF soldiers were compromised by Hamas. According to the newspaper, IDF blamed Palestinian hackers for spying on its soldiers with spyware-infected World Cup and dating apps and using photos of attractive women.
In January 2020, Hamas hackers managed to lure more Israeli soldiers into falling prey to their Honey Trap operation in which several hundred Israeli soldiers got their smartphones infected with malware.
Once again, the modus operandi of the hackers involved using a careful combination of spyware along with deceiving emails attached with tempting images of IDF women soldiers.
How does APT-C-23 Target its Victims?
To compromise targets’ Android and Windows devices, the group did not rely solely on social engineering over social media; it also deployed a range of malware. This includes the fake messaging app VolatileVenom, a backdoor called BarbWire, and the Barbie downloader, in addition to Android malware. Cybereason has therefore dubbed the campaign Operation Bearded Barbie.
The attackers lure victims into opening a .RAR file on their computer that purportedly contains a sexually explicit video. When the victim clicks on the video, malware is quickly installed on the Windows system while the target is busy watching the video.
The .RAR file delivers the Barbie downloader, which in turn installs the BarbWire backdoor. Before installing the backdoor, the downloader checks for analysis tools or a sandbox-like environment running on the device. The malware can collect sensitive data from the device, such as the username, running processes, and OS version, and transfers it to a C2 server.
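As an added defender-side illustration (not code from Cybereason’s report or from the malware itself), the following Python triage rule flags Windows process-creation events in which an archive tool launches a file whose name carries a media extension in front of an executable one, matching the “video inside a .RAR” lure described above. The event format, the list of archive tools, the WinRAR temp-folder heuristic and the sample events are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Parents that typically launch a file the user double-clicks inside an archive
# (assumed list; extend it to match the tools deployed in your environment).
ARCHIVE_TOOLS = {"winrar.exe", "7zfm.exe", "7zg.exe", "explorer.exe"}
MEDIA_EXT = {"mp4", "avi", "mkv", "mov", "wmv", "jpg", "jpeg", "png", "gif"}
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "msi"}

@dataclass
class ProcEvent:
    parent_image: str  # full path of the parent process
    image: str         # full path of the newly created process

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]

def is_media_masquerade(path: str) -> bool:
    """True for names such as 'clip.mp4.exe' or 'photo.jpg .scr': an
    executable extension preceded by a media-looking extension."""
    parts = basename(path).lower().split(".")
    if len(parts) < 3:
        return False
    last = parts[-1].strip()
    inner = {p.strip() for p in parts[1:-1]}
    return last in EXEC_EXT and bool(inner & MEDIA_EXT)

def from_archive_temp(path: str) -> bool:
    """WinRAR extracts a double-clicked member to a %TEMP%\\Rar$... folder
    before launching it; treat that location as an extra signal (heuristic)."""
    return re.search(r"\\temp\\rar\$", path, re.IGNORECASE) is not None

def triage(events):
    """Return (image, score) for events that look like the archive/video lure."""
    hits = []
    for ev in events:
        parent = basename(ev.parent_image).lower()
        if parent in ARCHIVE_TOOLS and is_media_masquerade(ev.image):
            score = 2 if from_archive_temp(ev.image) else 1
            hits.append((ev.image, score))
    return hits

# Constructed sample events; not real telemetry from the campaign.
SAMPLE = [
    ProcEvent(r"C:\Program Files\WinRAR\WinRAR.exe",
              r"C:\Users\u\AppData\Local\Temp\Rar$EXa0.123\video.mp4.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\VLC\vlc.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Users\u\Downloads\photo.jpg.scr"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Tools\setup.exe"),
]

if __name__ == "__main__":
    for image, score in triage(SAMPLE):
        print(f"score={score} {image}")
```

Windows hides known extensions by default, so the masquerade check is worth pairing with a hardening step that shows full file names to users.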
Who Are the Prime Targets?
This campaign is geared towards high-ranking Israeli officials mainly working in law enforcement, law, emergency, and other government institutions. The purpose behind this campaign seems to be espionage. It is worth noting that Molerats and APT-C-23 are the two primary sub-groups of the Hamas cyber warfare unit.
What is Catfishing?
In catfishing, attackers create a fake online identity, often built from all or part of an existing, genuine identity, typically to damage that person’s reputation. In this particular campaign, the purpose is instead to trap the victims.
In its blog post, Cybereason Nocturnus explained that these fake accounts have operated for months, and seem relatively authentic to the unsuspecting user.
The operators have tried their best to create a genuine-looking profile and even joined popular Israeli groups, wrote posts in Hebrew, and added friends of their potential victims to their friends’ list on social media.
“Over time, the operators of the fake profiles were able to become ‘friends’ with a broad spectrum of Israeli citizens, among them some high-profile targets that work for sensitive organizations including defense, law enforcement, emergency services, and other government-related organizations.”