A group of hackers, tracked as ViperRAT, is spying on the Israeli military by hacking into the soldiers’ personal Android mobile devices to track their activities and steal sensitive data.
Experts from security firms Lookout and Kaspersky have discovered that at least 100 Israeli servicemen from the Israeli Defense Force (IDF) were targeted by cyber spies with a malware dubbed ViperRAT.
“The Lookout research team was able to gain unique visibility into the ViperRAT malware, including 11 new, unreported applications. We also discovered and analyzed live, misconfigured malicious command and control servers (C2), from which we were able to identify how the attacker gets new, infected apps to secretly install and the types of activities they are monitoring.” reads the analysis published by Lookout.
“In addition, we uncovered the IMEIs of the targeted individuals (IMEIs will not be shared publicly for the privacy and safety of the victims) as well as the types of exfiltrated content.”
According to the security experts, the IDF personnel had been targeted with social engineering attacks. The IDF soldiers were devised by attackers via Facebook Messenger and other social networks. The cyber spies posed as attractive women from various countries like Canada, Germany, and Switzerland.
“The threat actor uses social engineering to lure targets into installing a malicious application, while continuously attempting to acquire confidential information using social networks. We’ve seen a lot of the group’s activity on Facebook Messenger. Most of the avatars (virtual participants in the social engineering stage) lure the victims using sexual innuendo, e.g. asking the victim to send explicit photos, and in return sending fake photos of teenage girls.” reads the analysis shared by Kaspersky Lab.
The IDF soldiers were tricked into installing a trojanized version of two legitimate Android chat apps, SR Chat and YeeCall Pro. The experts also uncovered versions of a billiards game, an Israeli Love Songs player, and a Move To iOS app packaged with the ViperRAT spyware.
“The first variant is a “first stage application,” that performs basic profiling of a device, and under certain conditions attempts to download and install a much more comprehensive surveillanceware component, which is the second variant.” states LookOut.
The ViperRAT was able to gather information from the personal mobile devices of the IDF soldiers and downloaded another malicious application that masqueraded as an update for one of the apps already installed on the device, such as WhatsApp.
The ViperRAT spyware is very sophisticated, the malware researchers discovered two distinct variants of spyware. The first variant is a “first stage application,” that performs basic profiling of a device, and under certain conditions attempts to download and install a much more comprehensive
According to the experts, ViperRAT threat actors were particularly interested in stealing image files from compromised devices. The researchers at Lookout determined that 8,929 files had been exfiltrated from hacked mobile devices. 97 percent of the images were highly likely encrypted taken using the device camera.
The ViperRAT attack campaign started in July 2016 and it is still ongoing, according to the experts it is likely that other organizations were targeted by the same threat actor.
The IDF investigated the attack with the support of both Kaspersky Labs and Lookout firm, they theorized that the attackers were linked to the Hamas organization. Lookout researchers have come to doubt that theory.
Lookout researchers have also a second hypothesis that excludes Hamas due to the level of sophistication of their malware.
“Hamas is not widely known for having a sophisticated mobile capability, which makes it unlikely they are directly responsible for ViperRAT.” states Lookout on the attribution.
(Security Affairs – ViperRAT, cyber espionage)