New and improved Arid Viper APT sinks teeth into victims once more

Operation Arid Viper - aka Desert Falcons - has returned with new malware after not being sighted in the wild for several months.

Arid Viper
Arid Viper

Just when you thought it was safe to go back in the desert, Operation Arid Viper is back. The APT, thought to be dormant since February, has re-emerged, according to researchers at Proofpoint.

The group was discovered separately by Trend Micro and Kaspersky Lab in February 2015.

Trend Micro released details of the APT and identified it as an Arabic-speaking group, operating in the Gaza strip, with links to a malware group called advtravel that operates out of Egypt and Germany.

According to Kaspersky Lab, which also studied the group and called them the Desert Falcons, the attackers were native Arabic-speakers and were possibly the first known Arab group to develop and run a full cyber-espionage operation. Kaspersky estimated the group numbered 30 individuals in three teams.

Now according to a new analysis by Proofpoint, the group went dormant for a few months but is now back with a new and improved malware payload.

According to Proofpoint, the infection chain is “fairly straightforward”, starting with a phishing email with video content as bait. To open the video – which claims to be either pornography or a fiery car crash – the victim has to open a RAR file which extracts an SCR file which then drops two files: a malicious EXE which is labelled with a legitimate-sounding name like “skype.exe” and a video file.

Proofpoint said it has recently intercepted and analysed Arid Viper payloads which contained links to the RAR file – as opposed to carrying it as an attachment. The RAR file now drops a malicious file labelled “chrome.exe” which installs itself while the victim watches the video.

The ensuing communication with the C&C server has been recorded and analysed by Proofpoint. “Although the data that is exfiltrated and the manner in which it is gathered remain largely the same as in previously documented versions, the final result that is transmitted to an attacker-controlled server has changed significantly,” the analysts wrote. This included updating the encryption method so the exfiltrated data is encrypted with AES-256 prior to base64 encoding.

However, cracking the encryption wasn't very difficult, the researchers said: “Numerous examples over the years have served to remind us that designing your own cryptography implementation is difficult and usually ill-advised. The authors of the updated Arid Viper backdoor seem to have overlooked this lesson for, although certain measures have been taken to protect the generated secret keys and IVs, their implementation is susceptible to a brute force attack, often capable of finding the correct key/IV combination in less than one second.”

The updates to the malware payload and the delivery mechanism means it's still a threat. “Despite its relatively low profile since February, the Arid Viper / Desert Falcons threat still has teeth and remains a risk for organisations in Israel and elsewhere,” Proofpoint's report concluded.

Trend Micro CTO Raimund Genes isn't very impressed by the return of Arid Viper. “Yes, the Arid Viper guys are back, regrouped and with a few new tricks up their sleeve, but not very sophisticated improvements,” he said.

“Unfortunately even if the malware is not that sophisticated, due to the social engineering pitch – who doesn't want to see a car crash? – there will be victims,” he said. “It will be more difficult this time to trace the initial infection vector, as they moved from binaries which are stored on mail servers and help to find forensic evidence to links – more difficult to spot, and helps them to randomise and adapt the malware better. But all of this is pretty common behaviour of modern attack groups.”