Espionage malware used in attacks against Israel, as well as Syrian activists, in the last 18 months has been linked to a new attack against Israel’s Civil Administration, the country’s governing body in the West Bank.
Researchers at Seculert reported today that samples of XtremeRAT, a data-stealing remote access Trojan, were found on as many as 15 machines, including some belonging to the Civil Administration of Judea and Samaria, which is responsible for entry and work permits from West Bank to Israel. Aviv Raff, Seculert CTO, said spear phishing emails from a Gmail account purporting to be the Israeli Shin-Bet, Israel’s Security Agency, were used against the Civil Administration.
The lure was a publicly available Hebrew-language Shin-Bet report on recent terror attacks and an attachment linked to the late prime minister Ariel Sharon, discovered Jan. 15, four days after his death.
“Closer examination of the spear phishing emails revealed that the attackers are not native Hebrew speakers and most likely copied and altered incomplete text to create the subject of the email.” Raff said on the company’s blog. “Evidence shows that the word ‘poisoned’ was then added with incorrect grammar to the end of this phrase as seen below.”
XtremeRAT arrived as a PDF in these attacks; in November 2012, the malware was in a Microsoft Word document in an attack against a politician.
The malware connects to a command and control server in the United States, according to Raff, using HTTP over port 1863 to send stolen data to the attackers. The attackers had remote access to receive data and send more malware to infected machines.
“This isn’t the first and it most definitely won’t be the last time we see Xtreme RAT used by cybercriminals, hacktivists or nation-states. In terms of this particular targeted attack, the nature of the compromised organizations could have implications outside cyberspace,” Raff said.
XtremeRAT is a Trojan commonly used by Middle East attackers, including the Syrian Electronic Army. The SEA has claimed responsibility for a number of high-profile attacks against American media outlets, including the New York Times.
In December, researchers at Citizen Lab at the University of Toronto and the Electronic Frontier Foundation looked at malware campaigns targeting Syrian activists. Groups backing Syrian president Bashar al-Assad, of which the SEA is one, were found to be using not only XtremeRAT but also njRAT to target individuals in the Syrian resistance. The malware not only steals data but can be armed with a keylogger used to steal credentials. The lure in each case was different; one XtremeRAT campaign contained a .zip archive of a video of a man being executed.
Seculert said Palestinian hacktivists were behind the latest XtremeRAT attack on Israel. Guy Inbar, a spokesman for the Civil Administration told Reuters: “We are not commenting on it, we don’t respond to such reports.”
These are not the first targeted attacks against Israeli defense agencies. A joint research effort by Kaspersky and Seculert in 2012 uncovered the Madi malware campaign, used against high value targets with extensive spying features. The malware could be programmed to monitor computer screens, record audio and steal screenshots, keystrokes, documents and e-mail correspondence.