Trend Micro researchers have unearthed two separate but closely linked malware campaigns attributed to Arab parties.
The first one, dubbed Operation Arid Viper, is aimed at Israeli targets, and the second one, named Advtravel, has targeted Egyptians.
The tactics used in the two campaigns couldn't be more different. Arid Viper attackers used spear phishing emails to deliver malware, were after key individuals in specific Israeli-based organizations (government, transport/infrastructure, military, and academia) and one in Kuwait, and were seemingly after a variety of documents that could be found on the victims' machines. Also, its C&C servers couldn't be penetrated by the researchers, which means that the attackers knew how to secure them well.
The Advtravel campaign looks to be much less sophisticated and not targeted. The victims were based in Egypt, as, according to Trend Micro, are the attackers, and the latter are most interested in gathering images stored on the victims' computers, perhaps in an attempt to find incriminating images that can be used for blackmail. Finally, the campaign's C&C server was left "unlocked" and allowed researchers a more extensive look into the attackers' objectives.
But the two campaigns do have several things in common. For one, their C&C servers are hosted on the same servers in Germany, and the domains used in both campaigns have seemingly been registered by the same individuals. Finally, the perpetrators of both campaigns can be tied back to activity from Gaza, Palestine.
“Whoever the real culprits are, it is clear that they are part of the Arab world, evidence of a budding generation of Arab hackers and malware creators intent on taking down their chosen adversaries. Some of the black hats – be they mercenaries or cybersoldiers – are actively targeting countries such as Israel due to political motivations. We have seen all of the ingredients of a cyberskirmish guerrilla war that goes unnoticed by mainstream IT security media,” the researchers commented in the paper they wrote about the two campaigns.
“Beyond these specific campaigns, what we found most interesting was that we had disparate groups of Arab aggressors who used the same infrastructure to launch and monitor attacks. This can possibly mean two things—the attacks were somehow linked, something that appears unlikely given their nature and motivation, or a supra-organization that provides means for Arab parties to commit acts of cyberviolence exists, which appears to be the more probable option.”
If the latter theory turns out to be true, we can expect more destructive cyber attacks coming from Arab countries in the near future.