Hamas-linked threat actors target high-profile Israeli individuals

Pierluigi Paganini April 08, 2022

Hamas-linked threat actors conducted an elaborate campaign aimed at high-profile Israeli individuals employed in sensitive sectors.

Researchers from Cybereason observed a sophisticated cyberespionage campaign conducted by APT-C-23 group campaigns targeting Israeli high-profile targets working for sensitive defense, law enforcement, and emergency services organizations.

The threat actors use sophisticated social engineering techniques to infect Windows and Android devices of the victims with previously undocumented backdoors.  

The new malware employed by the threat actors are tracked as Barb(ie) Downloader and BarbWire Backdoor. Experts pointed out that attackers used a dedicated infrastructure almost completely separated from the known APT-C-23 infrastructure which was observed in attacks focused on Arabic-speaking targets. 

The threat actors used fake Facebook profiles to trick victims into downloading trojanized direct message applications for Android and PC, which allowed them to take over the targets’ devices. 

“The social engineering tactic used in this campaign relies mostly on classic catfishing, using fake identities of attractive young women to engage with mostly male individuals to gain their trust.” reads the analysis published by Cybereason. “These fake accounts have operated for months, and seem relatively authentic to the unsuspecting user. The operators seem to have invested considerable effort in “tending” these profiles, expanding their social network by joining popular Israeli groups, writing posts in Hebrew, and adding friends of the potential victims as friends.”

Hamas cyber espionage

Once established contact with the victims and gained their trust, the threat actors o suggests migrating the conversation to WhatsApp to obtain the target’s mobile number.

The cyberspies asked the victims to install a secure messaging app for Android (dubbed “VolatileVenom”) or shared a link to a RAR archive file containing explicit sexual video and the BarbWire Backdoor payload.

Hamas cyber espionage 2

The VolatileVenom malware is powerful espionage tool that allows attackers to:

  • Steal SMS messages 
  • Read contact list information
  • Use the device camera to take photos
  • Steal files with the following extensions: pdf, doc, docs, ppt, pptx, xls, xlsx, txt, text
  • Steal images with the following extensions: jpg, jpeg, png
  • Record audio
  • Use Phishing to steal credentials to popular apps such as Facebook and Twitter
  • Discard system notifications
  • Get installed applications
  • Restart Wi-Fi
  • Record calls / WhatsApp calls
  • Extract call logs
  • Download files to the infected device 
  • Take screenshots
  • Read notifications of the following apps: WhatsApp, Facebook, Telegram, Instagram, Skype, IMO, Viber
  • Discards any notifications raised by the system

“Cybereason assesses with moderate-high confidence that APT-C-23, a politically-motivated APT group that operates on behalf of Hamas, is behind the campaign detailed in this report.” concludes the report. “This campaign shows a considerable step-up in APT-C-23 capabilities, with upgraded stealth, more sophisticated malware, and perfection of their social engineering techniques which involve offensive HUMINT capabilities using a very active and well-groomed network of fake Facebook accounts that have been proven quite effective for the group.”

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: 
https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform  

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Hamas)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment