A security firm has identified a group of Arabic-speaking hackers who are conducting two separate malware operations against targets in Israel and Egypt.
According to a report published by the Trend Micro Threat Research Team, the group is using the same command and control (C&C) servers hosted in Germany to conduct “Operation Arid Viper” and “Operation Advtravel.”
In the first operation, the hackers use spear-phishing emails to trick Israeli victims into downloading an attachment. Once run, the malicious executable installs itself in the Windows registry, where it persists across a system reboot, and drops two additional files: a short pornographic video in .FLV or .MPG format, and a Windows binary that spoofs the popular web communications program Skype.
Researchers at Trend Micro believe these files are meant to embarrass their targets and thereby prevent them from reporting the incidents to their IT teams.
“People are very much embarrassed to bring in IT if there is porn on their computer, and these attackers were leveraging that [fact] to have more time to burrow [their malware] in the systems,” said Tom Kellermann, chief cybersecurity officer at Trend Micro. “I think it is social engineering as it relates to inappropriate content.”
After infection, the malware logs the victims’ activity and takes screenshots of it; the captured data is sent back to the attackers’ command-and-control server via HTTP GET requests.
Operation Advtravel, by contrast, seems to be the work of “a classic group of beginner hackers just starting their careers,” reports Trend Micro.
The attackers behind this malware campaign have infected 500 systems belonging to Arabs living in Egypt and have focused mainly on stealing images from users’ computers, for example by taking screenshots of victims’ Facebook profiles.
“This could be a sign that they are looking for incriminating or compromising images for blackmail purposes,” Trend Micro notes. “As such, the attackers may be less-skilled hackers who are not after financial gain nor hacking for espionage purposes.”
The exact identities of the hackers are unknown. But as Trend Micro observes, “Whoever the real culprits are, it is clear that they are part of the Arab world, evidence of a budding generation of Arab hackers and malware creators intent on taking down their chosen adversaries.”