Arid Viper Update: Attacks Ongoing, Threat Actors on the Move
Last week, we released a research paper titled “Operation Arid Viper: Bypassing the Iron Dome” where we detailed two related campaigns. To recall, here are our key findings related to the two campaigns:
- Palestinian threat actors have staged a targeted attack, Operation Arid Viper, to exfiltrate data from high-profile targets in the Israeli government and have been doing so since mid-2013. The attacks are still on-going, coinciding with the political tension between Israel and Palestinians.
- Investigation of the Germany-hosted server used in Arid Viper revealed a group of Egyptian hackers (Advtravel) that have less technical knowhow and are attacking other Egyptians in less purposeful attacks.
- Both groups have strong Arab ties, and the same server and site registration details suggest the existence of a supra-organization, a forum or an influential sponsor could be providing various hacking groups with the means to pursue their ends.
Since the report was released, we have continued our investigation and have a number of updates:
- None of the C&C domains have moved to other hosting providers or had other major changes since the publishing of our report. Although we have not seen newly compiled samples being spread – we have seen 2 recent attempted infections with existing binaries from Arid Viper on the 15th and 19th of February against a target in Israel and Kuwait respectively. For reference, our paper went public on the 16th.
- Interestingly, a number of the people linked to the C&C servers in the paper have made changes to their public profiles since the paper went live. To date none of these individuals have contacted us to dispute the details we outlined in the paper:
- The Facebook account we mentioned in the paper for Fathy Mostafa is now no longer active.
- Quite a number of the accounts we related to Ebrahim Said El-Sharawy (aka Dev_Hima) have been modified or removed. Upon inspection today, his accounts on Blogspot, Facebook, Twitter, and Hacker.org are no longer active. His main webpage (http://devhima.webs.com) which had hosted two questionable tools we outlined in the report has been changed to remove all of that content and has been replaced with the words “Closed by DevHima”:
- Some of his other accounts such as his LinkedIn, SoundHound, and YouTube (which is hard to remove without deleting your personal Gmail account) are still live at the time of writing.
- After further investigation, we now believe that the email used to register the C&C pstcmedia[dot]com , firstname.lastname@example.org, actually belongs to the Web hosting provider that registered this domain on a client’s behalf – and is not an individual involved in the campaign itself. We have updated our paper to remove reference to Mr. Samraa with the exception that the email address was used to register this site.
Trend Micro will continue to research more on these campaigns over the coming months and post updates as we find them.