First Arabic Cyber Espionage Operation Uncovered — ‘Desert Falcons,’ Has Already Stolen Over 1M Files

Michael Mimoso, writing on today’s (February 17, 2015) Threatpost.com website, writes that “a Middle Eastern cyber espionage gang is capitalizing on subpar security practices in the region — to backdoor a mix of business, political, and military targets. Dubbed, Desert Falcons, the gang is thought to be the first Arabic Advanced Persistent Threat (APT) operation,” according to [cyber] security researchers at the Moscow-based Kaspersky Labs — “who traced the group’s activities back to 2013; and, discovered how it uses a mix of Windows, and Android malware to raid infected computers of sensitive files.”

“This is just an alert [to] bad cyber security situation in the region,” Kaspersky Lab researchers wrote in a paper released today at the company’s Security Analyst Summit in Cancun, Mexico. “Banks, media, governments, and military entities in different countries all fell to Desert Falcons attacks.”

Mr. Mimoso notes that “Desert Falcons has claimed victims primarily in Egypt, Jordan, Palestine, and Israel — hitting upwards of 3,000 victims in governments, media, financial institutions, and physical security companies — including personal information on security officers; and, their assignments.” “The victims are carefully chosen,” Kaspersky Labs said, “with social engineering scams built specifically for intended victims. The social engineering spans phishing attacks, phony websites, and fake social networking accounts, each with socio-political themes relevant to specific victims.”

“Malware writers are using multiple technical and social engineering methods, to deliver their [malicious] files; and, encourage victims to run them, creating an effective infection vector, even when targeting what should be well protected entities like governments, banks, and top media,” Kaspersky researchers wrote.

“So far,” Mr. Mimoso writes, “researchers have uncovered three distinct [cyber espionage] campaigns attributed to Desert Falcons.” “The first ran for more than a year, starting in March 2013, against high profile government and military targets in Palestine, Jordan, Egypt, and Gulf countries,” Kaspersky Labs researchers wrote. “The second campaign targeted victims in Israel, starting a year ago; and, a third run against activists, political figures, and media outlets in Egypt, starting in November 2013, and again in December 2014.”

“Victims are tricked into opening malicious attachments, or following links to malware downloads. The attacks are well hidden,” Kaspersky researchers said, “even inside a .rar file that includes an appealing shortcut that executes an attack without user action. The attackers also have other clever means of infection at their disposal, such as the use of right-to-left extension override trick, where the order of the characters in a file name is reversed, allowing them to hide a malicious file extension in the middle of a file name, and adding a harmless extension at the end of the file name,” Threatpost noted.
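For defenders triaging attachments or archive contents, the right-to-left override trick described above can be detected by comparing the extension the operating system acts on with the one a user sees. The following is an added example, not code from Kaspersky, Threatpost, or this post; the function names and sample file names are constructed for illustration, and the display logic is a simplified approximation of bidirectional rendering.

```python
import os
import unicodedata

# Unicode bidirectional controls that change how a name is drawn on screen.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069\u200e\u200f")
RLO, PDF = "\u202e", "\u202c"  # right-to-left override, pop directional formatting


def displayed_name(name):
    """Approximate the on-screen form: text after RLO is drawn reversed
    until PDF or end of name. (Simplified; not the full Unicode bidi algorithm.)"""
    out, i = [], 0
    while i < len(name):
        if name[i] == RLO:
            end = name.find(PDF, i + 1)
            end = len(name) if end == -1 else end
            run = [c for c in name[i + 1:end] if c not in BIDI_CONTROLS]
            out.extend(reversed(run))
            i = end + 1
        else:
            if name[i] not in BIDI_CONTROLS:
                out.append(name[i])
            i += 1
    return "".join(out)


def inspect_filename(name):
    """Compare the extension the OS acts on with the one the user sees."""
    real_ext = os.path.splitext(name)[1].lower()
    shown = displayed_name(name)
    shown_ext = os.path.splitext(shown)[1].lower()
    return {
        "controls": [unicodedata.name(c) for c in name if c in BIDI_CONTROLS],
        "real_extension": real_ext,
        "displayed_as": shown,
        "displayed_extension": shown_ext,
        "mismatch": real_ext != shown_ext,
    }


# Constructed sample names (not taken from the campaign).
SAMPLES = ["holiday.jpg", "report\u202efdp.scr", "\u062a\u0642\u0631\u064a\u0631\u200f.pdf"]

def flag_mismatches(names):
    """Return only names whose visible extension differs from the real one."""
    return [n for n in names if inspect_filename(n)["mismatch"]]

if __name__ == "__main__":
    for n in flag_mismatches(SAMPLES):
        print(ascii(n), inspect_filename(n))
```

The check flags only an extension mismatch, so a legitimate Arabic file name carrying a right-to-left mark (the third sample) is not reported.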

“Users’ trust in social networks is also exploited to a generous degree,” Kaspersky researchers said. “This group is one of the first to use FaceBook chats in targeted attacks, connecting with targets via common FaceBook pages, until gaining their trust — and, sending them Trojan files via chat hidden as a photo for example. FaceBook is also the medium for wider, more generic attacks against activists and political figures, with certain posts redirecting users to phony political pages, laced with a download for one of the gang’s backdoors,” Threatpost said.

“Desert Falcons used two homemade back-doors to spy on computers, the first of which looks like it was retired last June. The malware, in all cases, is used to install back-doors on computers that perform a variety of espionage activities, including keylogging, audio recording, stealing screenshots, file upload and download, and password stealing,” Kaspersky wrote.

“At the start of 2015,” Mr. Mimoso notes, “Kaspersky researchers discovered the latest version of the Trojan called, DHS2015, also known as – iRAT. The malware has evolved from its first generation, which was compiled in 2013, adding encryption to command-and-control-communication file storage, as well as a number of features that keep it from being detected by security mechanisms. This version also includes evidence of attacks carried out on Android devices; researchers said they discovered mobile call and SMS logs on command-and-control servers found at fpupdate[.]info.”

“From the evidence collected, Kaspersky Lab researchers estimate there are upwards of 30 members in the Desert Falcons gang, all of whom are Arabic speakers. The clues come from a number of their identities that were uncovered, language properties set to Arabic, Arabic names for C and C administrators, in the content of phishing emails, and Arabic interface in the DHS control panel.”

“The identities of some of the cyber criminals were found when inspecting the contents of one of the C and Cs, which had public read permissions open for a short period of time,” Kaspersky researchers wrote, adding they “were also able to track and identify some of the attackers’ FaceBook and Twitter accounts, private blogs, and websites.” “Surprisingly, the attackers have published on Twitter, some information about their development of the spyware and the command servers.”

And, now that Kaspersky has published what they allege is the nuts and bolts of NSA’s cyber espionage operations for all to see — one would expect these kinds of gangs will derive substantial benefit from Kaspersky’s analysis; and, this problem is going to get much worse — not better, anytime soon. V/R, RCP
