Arid Viper, Aligned with Hamas, Behind Android Spyware Campaign Targeting Arabic-speaking Users
Plus, Iranian Nation-State Hacking Group "Agonizing Serpens" Targets Israeli Higher Education and Tech Sectors with Destructive Cyber Attacks
Cyber espionage group Arid Viper linked to Hamas deploys counterfeit dating app to harvest data from infected devices
Arid Viper, also known as APT-C-23, Desert Falcon, or TAG-63, has been identified as the perpetrator of an Android spyware campaign targeting Arabic-speaking users. Cisco Talos, a cybersecurity firm, revealed that this espionage group employs a counterfeit dating app to surreptitiously collect sensitive information from infected devices and execute additional malicious code. Although the group has been active since at least 2017, there is no apparent connection between this campaign and the Israel-Hamas conflict.
The campaign, believed to have started no earlier than April 2022, features a mobile malware strain that shares source code similarities with a legitimate dating app named Skipped, suggesting a potential link between the malicious operators and the app's developers or an attempt to deceive users.
Arid Viper's tactics include using seemingly benign chat applications to deliver malware, akin to the 'honey trap' strategy employed in the past, where fake profiles on social media platforms were used to trick potential targets into installing malicious software.
Cisco Talos also uncovered a network of companies creating dating-themed applications similar to Skipped, available for download from official app stores for Android and iOS. Notably, these simulated dating apps raise the possibility that Arid Viper operators may utilize them in future malicious campaigns.
The attack chain involves sending targets a link to a tutorial video for the purported dating application, hosted on video-sharing services like YouTube. Within the video description is a URL that, when clicked, leads to a domain controlled by the attackers, serving the APK malware.
Once installed, the malware hides on the victim's device by disabling system and security notifications, with specific handling for Samsung devices and for any installed package whose name contains the word "security", to avoid detection. It also requests intrusive permissions to record audio and video, read contacts, access call logs, intercept SMS messages, alter Wi-Fi settings, terminate background apps, take pictures, and create system alerts.
Additionally, the malware can retrieve system information, receive updated command-and-control (C2) domains from the current C2 server, and download additional malware disguised as legitimate apps, including Facebook Messenger, Instagram, and WhatsApp.
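The permission set described above is itself a useful triage signal: a dating app that asks for microphone, camera, contacts, call log, SMS, Wi-Fi control, process-killing and overlay permissions all at once looks very different from a legitimate one. The script below is an added example (not code from Cisco Talos or from this newsletter) that parses an AndroidManifest.xml and scores its requested permissions against that capability profile. The mapping from the capabilities named in the article to Android permission constants is my assumption, and both manifests are constructed for the demo.

```python
"""Score an Android manifest's requested permissions against the spyware
capability profile described in the Arid Viper write-up.

Added example, not the article's or Cisco Talos' code. The mapping from
described capabilities to permission constants is an assumption; the two
sample manifests are constructed for this demo.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Capability named in the report -> permission(s) that would grant it
# (assumed mapping; any one permission in the set counts as a match).
SPYWARE_PROFILE = {
    "record audio": {"android.permission.RECORD_AUDIO"},
    "record video / take pictures": {"android.permission.CAMERA"},
    "read contacts": {"android.permission.READ_CONTACTS"},
    "access call logs": {"android.permission.READ_CALL_LOG"},
    "intercept SMS": {"android.permission.RECEIVE_SMS",
                      "android.permission.READ_SMS"},
    "alter Wi-Fi settings": {"android.permission.CHANGE_WIFI_STATE"},
    "terminate background apps": {"android.permission.KILL_BACKGROUND_PROCESSES"},
    "create system alerts": {"android.permission.SYSTEM_ALERT_WINDOW"},
}


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of android:name values from <uses-permission> tags."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")
            if el.get(NAME_ATTR)}


def matched_capabilities(perms: set) -> list:
    """Capabilities from the profile that the permission set would enable."""
    return sorted(cap for cap, needed in SPYWARE_PROFILE.items()
                  if perms & needed)


def triage(manifest_xml: str, threshold: int = 5) -> dict:
    """Score a manifest; 'suspicious' when it matches >= threshold capabilities.

    The threshold leaves room for a genuine social app that legitimately
    wants the camera and contacts, while flagging the full surveillance set.
    """
    root = ET.fromstring(manifest_xml)
    caps = matched_capabilities(requested_permissions(manifest_xml))
    return {
        "package": root.get("package"),
        "capabilities": caps,
        "score": len(caps),
        "suspicious": len(caps) >= threshold,
    }


def _manifest(package: str, perms: list) -> str:
    """Build a minimal constructed manifest for the demo."""
    uses = "\n".join(f'  <uses-permission android:name="{p}"/>' for p in perms)
    return (f'<manifest xmlns:android="{ANDROID_NS}" package="{package}">\n'
            f"{uses}\n  <application/>\n</manifest>")


# Constructed sample: a "dating app" requesting the whole surveillance set.
SUSPECT_MANIFEST = _manifest("com.example.datingapp", [
    "android.permission.INTERNET",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECEIVE_SMS",
    "android.permission.CHANGE_WIFI_STATE",
    "android.permission.KILL_BACKGROUND_PROCESSES",
    "android.permission.SYSTEM_ALERT_WINDOW",
])

# Constructed sample: an ordinary app that only wants network and camera.
BENIGN_MANIFEST = _manifest("com.example.photoshare", [
    "android.permission.INTERNET",
    "android.permission.CAMERA",
])

if __name__ == "__main__":
    for m in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(triage(m))
```

In practice the manifest comes from an APK's decoded resources (for example via apktool or androguard); the scoring logic above is independent of how the XML is obtained.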
This revelation coincides with Recorded Future's findings, suggesting possible connections between Arid Viper and Hamas through infrastructure overlaps related to an Android application called Al Qassam. This app has been disseminated in a Telegram Channel claiming affiliation with the Izz ad-Din al-Qassam Brigades, the military wing of Hamas. These observations hint at potential shared infrastructure resources between Arid Viper (TAG-63) and the broader Hamas organization.
Agonizing Serpens deploys novel wiper malware to steal sensitive data and render infected systems unusable, raising concerns about upgraded capabilities
A series of destructive cyber attacks that commenced in January 2023 and persisted until October have specifically targeted Israeli higher education and technology sectors. The attacks have been attributed to an Iranian nation-state hacking group known as "Agonizing Serpens," which also goes by the aliases Agrius, BlackShadow, and Pink Sandstorm (formerly Americium). According to a report from Palo Alto Networks Unit 42, these attacks are marked by attempts to steal sensitive data, including personally identifiable information (PII) and intellectual property, followed by deploying various wiper malware to cover the attackers' tracks and render the compromised endpoints inoperable.
The novel wiper malware used in these attacks includes MultiLayer, PartialWasher, and BFG Agonizer, alongside a bespoke tool called Sqlextractor, which is employed to extract information from database servers. Agonizing Serpens has been active since at least December 2020 and has a history of launching wiper attacks against Israeli entities. In May, Check Point reported on the group's use of the ransomware strain "Moneybird" in attacks targeting Israel.
The modus operandi in these recent attacks involves exploiting vulnerable internet-facing web servers as initial access points to deploy web shells, perform reconnaissance on victim networks, and acquire administrative user credentials. The attackers then move laterally within the network, exfiltrate data using a combination of public and custom tools, such as Sqlextractor, WinSCP, and PuTTY, and finally deliver the wiper malware.
MultiLayer: This .NET malware enumerates files for deletion or corruption with random data, making data recovery extremely challenging and rendering the system unusable by wiping the boot sector.
PartialWasher: A C++-based malware that scans drives to wipe specified folders and their subfolders.
BFG Agonizer: This malware leverages the open-source project CRYLINE-v5.0 and plays a significant role in the attacks.
Agonizing Serpens is linked to Agrius through code overlaps with other malware families like Apostle, IPsec Helper, and Fantasy, which the group has previously used. The researchers at Unit 42 have noted an apparent enhancement of the group's capabilities, including efforts to bypass endpoint detection and response (EDR) and other security measures. To achieve this, Agonizing Serpens has been rotating between various known proof-of-concept (PoC) and pentesting tools, as well as custom tools, signaling an ongoing and concerning evolution in their tactics and resources.
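The intrusion chain described in the section above (web shell on an internet-facing server, then data transfer with WinSCP or PuTTY, then the wiper) gives a defender two observable stages to correlate before the destructive step. The script below is an added example, not Unit 42's code or the newsletter's, that runs a simple two-stage correlation over process-creation events. The event schema, the sample events and the web-server and transfer-tool process names are my assumptions about what a defender would watch for, not indicators published in the report.

```python
"""Correlate process-creation events for the web shell -> exfiltration
tooling sequence described in the Agonizing Serpens section.

Added example, not Unit 42's code. Event schema, sample events and the
process-name lists are assumptions constructed for this demo.
"""
from datetime import datetime, timedelta

# Assumed process names: common Windows/Java web server worker processes,
# interactive shells, and the transfer tools named in the article (WinSCP,
# PuTTY) plus PuTTY's command-line siblings.
WEB_SERVER_PROCS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe", "java.exe"}
SHELL_PROCS = {"cmd.exe", "powershell.exe"}
TRANSFER_TOOLS = {"winscp.exe", "putty.exe", "pscp.exe", "plink.exe"}


def is_webshell_spawn(ev: dict) -> bool:
    """A web server worker spawning a shell is the classic web shell tell."""
    return (ev["parent"].lower() in WEB_SERVER_PROCS
            and ev["image"].lower() in SHELL_PROCS)


def is_transfer_tool(ev: dict) -> bool:
    return ev["image"].lower() in TRANSFER_TOOLS


def correlate(events: list, window: timedelta = timedelta(hours=72)) -> list:
    """Return one finding per host that shows stage 1 (web shell spawn).

    Severity is 'high' when a transfer tool also runs on that host within
    `window` after the shell spawn, 'medium' for the shell spawn alone.
    Transfer tools without a preceding web shell spawn are not reported.
    """
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)

    findings = []
    for host, evs in by_host.items():
        shell_times = [e["ts"] for e in evs if is_webshell_spawn(e)]
        if not shell_times:
            continue
        finding = {"host": host, "severity": "medium",
                   "first_shell": shell_times[0],
                   "reason": "web server worker spawned a shell"}
        for e in evs:
            if is_transfer_tool(e) and any(
                    timedelta(0) <= e["ts"] - t <= window for t in shell_times):
                finding.update(severity="high", transfer_ts=e["ts"],
                               reason=f"{e['image']} ran after web shell spawn")
                break
        findings.append(finding)
    return findings


def sample_events() -> list:
    """Constructed events: one full chain, one shell-only host, one benign host."""
    t0 = datetime(2023, 6, 1, 9, 0)
    return [
        # WEB01: shell spawned by IIS worker, WinSCP two hours later.
        {"host": "WEB01", "ts": t0, "parent": "w3wp.exe",
         "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
        {"host": "WEB01", "ts": t0 + timedelta(hours=2), "parent": "cmd.exe",
         "image": "WinSCP.exe", "cmdline": "WinSCP.exe /console"},
        # WEB02: shell spawn only.
        {"host": "WEB02", "ts": t0 + timedelta(days=1), "parent": "httpd.exe",
         "image": "powershell.exe", "cmdline": "powershell -nop -c ipconfig"},
        # WS05: an admin launching PuTTY from Explorer; no web shell stage.
        {"host": "WS05", "ts": t0, "parent": "explorer.exe",
         "image": "putty.exe", "cmdline": "putty.exe"},
    ]


if __name__ == "__main__":
    for f in correlate(sample_events()):
        print(f)
```

The medium-severity finding is the one worth acting on: in the sequence the article describes, the transfer tools and the wiper come after the web shell, so the shell spawn is the earliest point at which the chain can be interrupted.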
AccelByte - Senior Site Reliability Engineer (SRE) - Fully Remote
Rocket Lab - Principal Neutron Safety & Reliability Engineer - Auckland, New Zealand · On-site
Coinbase - Summer 2024 - Product Design Intern - Fully Remote
Circle - Software Engineer, Intern 2024 - Boston, Massachusetts, United States · On-site
ByteDance - Software Engineer Intern (Data-Data Platform-Data Management Suite-US) - 2024 Summer (BS/MS) - San Jose, CA