
AridViper is catfishing high-ranking Israeli officials


High-ranking Israeli officials are being catfished in a cyber espionage campaign run by AridViper, also known as APT-C-23, a politically motivated advanced persistent threat group active in the Middle East. The campaign compromises the targets' PCs and phones to spy on their activities and steal sensitive information.

This latest campaign, dubbed "Operation Bearded Barbie", was discovered by security firm Cybereason's Nocturnus Research Team, which published its findings on Thursday. According to the report, the group operates on behalf of Hamas, a Palestinian Islamic-fundamentalist movement and a terrorist organisation.

The research team's investigation also revealed that the group has "effectively upgraded" its malware, adding new tools called Barb(ie) Downloader and BarbWire Backdoor and focusing on enhanced stealth and operational security. The team also noticed an upgraded version of an Android implant known as VolatileVenom.

Digital turmoil in the Middle East

The group was previously known for reusing already-detected tools and for relatively unsophisticated tools and techniques. However, analysis of this campaign revealed that the group has ramped up its game with a new toolset and is using social engineering as its primary attack vector.

The group set up a network of fake Facebook accounts that were actively maintained and used to interact with many Israeli citizens. The campaign relies mainly on catfishing, in which the operators impersonate young women to engage with male targets and gain their trust, or vice versa.

Over time, the profiles were able to befriend a wide spectrum of Israeli citizens, including some high-profile targets working for sensitive organisations in defence, law enforcement, emergency services and other government bodies.

The initial attack chain. | Source: Cybereason.

Once the victims were looped in, the operators moved the conversation from Facebook to WhatsApp, thereby obtaining the victims' phone numbers. The operators then urged the victims to switch to a supposedly more secure messaging app, which was in fact the VolatileVenom malware. They also asked victims to open a .rar file that purportedly contained an explicit video; opening the RAR file instead infected the victim's machine with malware.

The accounts have been operating for months and appear relatively authentic to the average person. The operators have put considerable effort into building these profiles, expanding their networks by joining popular Israeli groups, adding the victims' friends and writing posts in Hebrew.

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: [email protected].