The recent cyberattack that infected Israeli police computers with malware was likely part of a year-long cyberespionage operation with targets in Israel and the Palestinian territories, according to security researchers from antivirus vendor Norman.
At the end of October, the Israeli police shut down its computer network after a piece of malware was found on some of its systems. At the time, that malware was a remote access Trojan (RAT) program called Xtreme RAT and was delivered in an archive attached to a spoofed email claiming to be from Benny Gantz, the chief of general staff of the Israel Defense Forces, according to a report from antivirus vendor Trend Micro.
The RAR archive contained a file called "IDF strikes militants in Gaza Strip following rocket barrage.doc" followed by a long series of hyphens and .scr, Snorre Fagerland, principal security researcher at Norwegian antivirus vendor Norman said Monday in a report.
The .scr file, whose name was crafted to hide its real extension, dropped other files on the system's hard drive when executed: a legitimate Word document that was used as bait, an icon file and an .exe file that was actually the Xtreme RAT installer. The Norman researchers noticed that the .exe file was digitally signed with an untrusted, self-generated Microsoft certificate.
This certificate would not be validated by Windows, but the attackers probably hoped that it would trick people who manually inspected the file or would allow the malware to bypass the detection of some security products, Fagerland said.
This is not a new technique. However, what the attackers didn't realise is that the file's digital signature can be used to track down their previous attacks, since they didn't bother to change the certificate when generating new malicious files, Fagerland said.
Norman researchers searched the company's malware database for executable files signed with the same certificate and found other samples that had been used in similar email-based attacks since May. The contents of the bait documents used in those attacks suggested that the targets were from Israel.
Predominantly Xtreme RAT variants
A further analysis of the malware samples revealed that they were predominantly Xtreme RAT variants and connected back to a number of hostnames registered with free dynamic DNS providers. Many of those hostnames pointed to the same IP addresses.
Most of the IP addresses used recently are owned by US-based hosting providers, which suggests that the attackers are hosting their command and control (C&C) servers in the US. However, that wasn't always the case.
Until the summer of this year, the hostnames pointed to IP addresses belonging to an ISP from the city of Ramallah in the West Bank, Fagerland said.
By searching for malware that historically connected to the same hosts, the Norman researchers managed to find even more Xtreme RAT samples, the oldest of which dated back to October 2011. Some of those samples were used in email attacks that, based on their bait documents, most likely targeted Palestinians, not Israelis, Fagerland said.
The moving of C&C servers from the West Bank to the US might have been triggered by the later switch in targets, Fagerland said. Seeing network traffic directed at an IP address in Palestine might raise suspicion for an Israeli individual or organization, but seeing connections with US IP addresses would be common, he said.
The Norman researchers did not have access to the C&C servers or the opportunity to analyze a machine infected with one of the samples in order to determine what kind of data the attackers were after. However, the evidence gathered by analyzing the malicious files alone point to a year-long cyberespionage operation carried out by the same group of attackers, Fagerland said.
No clue who is behind the attacks
"We have the impression that a cybersurveillance operation is underway (and is probably still ongoing - most recent sample created 31 October) which was first mainly focused on Palestinian targets, then shifted towards Israel," Fagerland said in the report. "The reason for the shift is unknown. Maybe it was planned all along; or caused by changes in the political climate; or maybe the first half of the operation found data that caused the target change."
It's difficult to say who is behind the attacks, Fagerland said. It might be a government organisation, a political group or a group of independent hackers, he said.
The attacks are not sophisticated in nature and did not require a lot of resources to pull off. The attackers used free hostnames instead of buying domain names, used cheap hosting solutions for their C&C infrastructure and used Xtreme RAT instead of building their own malware. Xtreme RAT is one the cheapest remote access Trojan programs available; a standard set-up costs around $40, Fagerland said.
The attackers forgot to scrub the metadata from their bait documents, which revealed the names or aliases of the people who created the files: Hitham, anar, Ayman, Tohan, ahmed, aert or HinT.
Some configuration strings found in the RAR archive that was used in the attack against the Israeli police suggest that the file's author was using the Arabic language on his computer when creating it, Jaime Blasco, head of the research lab at security firm AlienVault, said Monday via email.
"During this year we have been tracking several ongoing espionage campaigns that use XtremeRAT as the tool for accessing the victims," Blasco said. "At the beginning of the year the usage of XtremeRAT was spotted as part of a cyber espionage campaign against Syrian dissidents."