First Arabic Cyberespionage Operation Uncovered

The Desert Falcons gang is the first Arabic APT group, according to researchers at Kaspersky Lab.

CANCUN, Mexico — A Middle Eastern cyberespionage gang is capitalizing on subpar security practices in the region to backdoor a mix of business, political and military targets.

Dubbed Desert Falcons, the gang is thought to be the first Arabic APT operation, according to researchers at Kaspersky Lab who traced the group’s activities back to 2013 and discovered how it uses a mix of Windows and Android malware to raid infected computers of sensitive files.

“This is just an alert [to] the bad cyber security situation in the region,” Kaspersky researchers wrote in a report released today at the company’s Security Analyst Summit. “Banks, media, governments and military entities in different countries all fell to the Desert Falcons attacks.”

Desert Falcons has claimed victims primarily in Egypt, Jordan, Palestine and Israel, hitting upwards of 3,000 victims in governments, media, and financial institutions in the region. Interestingly, physical security companies are also targeted with the attackers collecting information on security officers and their assignments.

The victims are carefully chosen, Kaspersky researchers said, with social engineering scams built specifically for intended victims. The social engineering spans phishing attacks, phony websites and fake social networking accounts, each with socio-political themes relevant to specific victims.

“Malware writers are using multiple technical and social engineering methods to deliver their files and encourage the victims to run them, creating an effective infection vector, even when targeting what should be well protected entities like governments, banks and top media,” Kaspersky researchers wrote.

So far, researchers have uncovered three distinct campaigns attributed to Desert Falcons. The first ran for more than a year starting in March 2013 against high profile government and military targets in Palestine, Jordan, Egypt and Gulf countries, Kaspersky researchers said. The second campaign targeted victims in Israel starting a year ago, with the third run against activists, political figures and media outlets in Egypt starting in November 2013 and again in December 2014.

Victims are tricked into opening malicious attachments or following links to malware downloads. The attacks are well hidden, researchers said, even inside a .rar file that includes an appealing shortcut that executes an attack without user action. The attackers also have other clever means of infection at their disposal, such as the use of a right-to-left extension override trick where the order of characters in a file name is reversed, allowing them to hide a malicious file extension in the middle of a file name, and adding a harmless extension at the end of the file name.

Users’ trust in social networks is also exploited to a generous degree, researchers said. This group is one of the first to use Facebook chats in targeted attacks, connecting with targets via common Facebook pages until gaining their trust and sending them Trojan files via chat hidden as a photo, for example. Facebook is also the medium for wider, more generic attacks against activists and political figures, with certain posts redirecting users to phony political pages laced with a download for one of the gang’s backdoors.

Desert Falcons uses two homemade backdoors to spy on computers, the first of which looks like it was retired last June. The malware in all cases is used to install backdoors on computers that perform a variety of espionage activities including keylogging, audio recording, stealing screenshots, file upload and download, and password stealing.

At the start of this year, Kaspersky researchers discovered the latest version of the Trojan called DHS2015, also known as iRAT. The malware had evolved from its first generation, which was compiled in 2013, adding encryption to command and control communication and file storage, as well as a number of features that keep it from being detected by security mechanisms.

This version also includes evidence of attacks carried out over Android devices; researchers said they discovered mobile call and SMS logs on a command and control servers found at fpupdate[.]info.

From evidence collected, Kaspersky researchers estimate there are upwards of 30 members in the Desert Falcons gang, all of whom are native Arabic speakers. The clues come from a number of their identities that were uncovered, language properties set to Arabic, Arabic names for C&C administrators, and in the content of phishing emails, and an Arabic interface in the DHS control panel.

“The identities of some of the cyber criminals were found when inspecting the contents of one of the C&Cs which had public read permissions open for a short period of time,” researchers wrote, adding that they were also able to track and identify some of the attackers’ Facebook and Twitter accounts, private blogs and websites. “Surprisingly the attackers have published on Twitter some information about their development of the spyware and the command servers.”

Suggested articles