High-ranking Israeli officials are being catfished in a cyber-espionage campaign run by AridViper, also known as APT-C-23, a politically motivated advanced persistent threat group active in the Middle East. The campaign compromises the targets' PCs and phones to spy on their activities and steal sensitive information.
This latest campaign, dubbed "Operation Bearded Barbie", was uncovered by security firm Cybereason's Nocturnus Research Team, which published its findings on Thursday. According to the report, the group operates on behalf of Hamas, a Palestinian Islamic-fundamentalist movement and a terrorist organisation.
The investigation also revealed that the group has "effectively upgraded" its malware, adding two new Windows tools, the Barb(ie) Downloader and the BarbWire Backdoor, with a focus on stealth and operational security. The team also observed an upgraded version of the group's Android implant, known as VolatileVenom.
Digital turmoil in the Middle East
The group was previously known for relatively unsophisticated tools and techniques. Analysis of this campaign, however, shows that it has raised its game with a new toolset and now relies on social engineering as its primary attack vector.
The operators set up a network of fake Facebook accounts, actively maintained them and used them to interact with many Israeli citizens. The campaign relies mainly on catfishing: impersonating young women to engage with men and gain their trust, or vice versa.
Over time, the profiles were able to become friends with a wide spectrum of Israeli citizens, including some high-profile targets working for sensitive organisations including defence, law enforcement, emergency services and other government organisations.
Once a victim was looped in, the operators moved the conversation from Facebook to WhatsApp, which gave them the victim's phone number. They then urged the victim to switch to a supposedly more secure messaging app, which was in fact the VolatileVenom Android malware. They also sent victims a .rar archive that was said to contain an explicit video; opening the archive instead infected the victim's PC with malware.
The accounts had been operating for months and looked reasonably authentic to the average person. The operators put considerable effort into building the profiles, expanding their networks by joining popular Israeli groups, adding the victims' friends and writing posts in Hebrew.