Trend Micro reports that it has discovered two quite different, but connected, malware attacks from Arabic-speaking groups.
The first, Operation Arid Viper, is believed to have been running since mid-2013 and is attributed to operatives based in the Gaza Strip. It is a highly targeted campaign against five Israel-based organisations (in government, transport and infrastructure, the military and academia) and one organisation based in Kuwait. According to the security firm, it uses tailored attacks on key individuals to exfiltrate sensitive and confidential data.
The second operation, Advtravel, is entirely different in nature. It is run by Egyptian hackers who appear to be particularly interested in the images stored on their victims' personal laptops, presumably looking for incriminating or compromising material for blackmail. It was found while monitoring a command-and-control (C&C) infrastructure hosted in Germany.
This second group appears to be neither financially motivated nor espionage-related, and it has shown itself to be less sophisticated and less technically skilled, leaving the directory structure of its server completely open to the public.
In contrast, Operation Arid Viper used a spear-phishing email whose attachment was a .RAR archive containing an .SCR (screensaver executable) file. When executed, the .SCR drops two files: the first is a pornographic video used as social-engineering bait, while the second is the malware that connects to the C&C servers.
Once this second-stage malware is on the system, it sets itself to run automatically each time the system reboots, posing as internet communication software. Its C&C server, pstcmedia.com, was found to be registered to a personal email address in the name of Khalid Samraa. The other C&C servers were hosted on IP addresses belonging to Hetzner in Germany and were related to Operation Advtravel.
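Two of the observables named above, the .RAR attachment carrying an .SCR executable and the C&C domain pstcmedia.com, lend themselves to straightforward detection checks. The following is an added example written for this page; it is not code from Trend Micro or from the report. The proxy log lines and archive listings are constructed, the log format is an assumption, and every extension other than .scr in the executable list is an assumed addition rather than something the article states.

```python
"""Added example (not from the Trend Micro report or the article): IOC checks
for the two observables the article names for Operation Arid Viper, the
.RAR-wrapped .SCR lure and the C&C domain pstcmedia.com.

All log lines, archive member names and the 'ts src_ip method url status'
log layout below are constructed for illustration."""

from urllib.parse import urlsplit

# Domain named in the article. Subdomains are matched on label boundaries.
C2_DOMAINS = {"pstcmedia.com"}

# .scr is the extension the article names; the others are assumed additions
# a defender would normally include when hunting for executable lures.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}


def host_of(url):
    """Return the lowercase hostname of a URL with any port removed, or ''
    if the URL cannot be parsed. Bare hosts without a scheme are accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def matches_c2(host):
    """True if host equals a listed C&C domain or is one of its subdomains.
    The check is label-aware so 'notpstcmedia.com' does not match, and it
    only ever looks at the hostname, so a path containing the string does
    not match either."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def scan_proxy_log(lines):
    """Parse constructed proxy lines of the form
    'timestamp src_ip method url status' and return (ts, src_ip, host)
    tuples for every request to a listed C&C domain."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed or truncated line; skip rather than guess
        ts, src, _method, url = parts[0], parts[1], parts[2], parts[3]
        host = host_of(url)
        if matches_c2(host):
            hits.append((ts, src, host))
    return hits


def suspicious_members(members):
    """Given the member names of an archive, return (name, reason) for each
    executable member. A double extension such as 'clip.mp4.scr', where a
    decoy media extension precedes the real one, is reported separately."""
    flagged = []
    for name in members:
        base = name.lower().rsplit("/", 1)[-1]
        dots = base.split(".")
        ext = "." + dots[-1] if len(dots) > 1 else ""
        if ext in EXECUTABLE_EXTS:
            reason = "double extension" if len(dots) > 2 else "executable"
            flagged.append((name, reason))
    return flagged


def triage_attachment(filename, members):
    """Flag a .RAR attachment whose listing contains an executable, the lure
    shape described for Arid Viper. `members` is the archive listing, which
    a real mail gateway would obtain by opening the archive."""
    if not filename.lower().endswith(".rar"):
        return []
    return suspicious_members(members)


# Constructed sample data.
SAMPLE_PROXY_LOG = [
    "2015-02-16T09:12:03Z 10.0.0.24 GET http://pstcmedia.com/ 200",
    "2015-02-16T09:12:07Z 10.0.0.24 POST http://www.pstcmedia.com:8080/data 200",
    "2015-02-16T09:13:40Z 10.0.0.31 GET http://notpstcmedia.com/ 200",
    "2015-02-16T09:14:02Z 10.0.0.31 GET http://example.com/pstcmedia.com 200",
    "garbage line",
]
SAMPLE_ATTACHMENT = ("invoice.rar", ["clip.mp4.scr", "readme.txt"])

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("C&C contact:", hit)
    for member, why in triage_attachment(*SAMPLE_ATTACHMENT):
        print("suspicious attachment member:", member, "-", why)
```

Matching on the parsed hostname rather than on the raw line is the point of the example: a substring search for "pstcmedia.com" would both miss nothing here and fire on the fourth sample line, where the string only appears in a URL path.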
While they are very different operations, both share the same server, and the domains used in Advtravel are registered with the same email addresses as those of Operation Arid Viper. Trend Micro suggests that a supra-organisation, a forum or an influential sponsor could be providing various hacking groups with the means to pursue their own ends.
Assuming such a group exists, it is not known whether its aims are purely criminal (Arab-run but uninterested in what its users do) or overtly political, perhaps Arab nationalist, facilitating unrelated groups with a common cause. Trend Micro favours the latter explanation and warns that such a group could foster 'cyber-militia' groups in the Arab world fighting what they perceive to be enemies of Islam.
Both campaigns are detailed in a research paper Operation Arid Viper: Bypassing the Iron Dome.