Skip to main content

Hamas Hackers: spying on opposants

A “highly active” group of hackers, which some analysts believe may be linked to Hamas, are spying on Palestinian government employees, security services, university students and Fatah party politicians by infecting smartphones with malware, according to research conducted by mobile security firm Lookout.

The espionage campaign is part of a broader effort by the hacker group, previously dubbed “Two-tailed Scorpion” by security researchers, to remotely collect information about Palestinians related in some way to the political process, including those individuals who may discuss, share or otherwise receive sensitive material on their mobile phones.

Fatah and Hamas represent the two largest political parties of the State of Palestine, a contested territory that spans two separate areas, the West Bank and Gaza Strip — bordering on Israel, Jordan and Egypt. The two political organizations continuously clash with one another to control the state. Between 2006 and 2007, their rivalry led to an armed conflict that resulted in the deaths of more than 600 Palestinians.

According to Lookout, Two-tailed Scorpion has been able to remotely collect thousands of hours of stolen audio from infected smartphones across the Gaza Strip.

“Unlike financially focused actors, … [Two-tailed Scorpion] is after sensitive personal data and to this end we’ve seen them focus primarily on silently recording calls to or from infected devices,” said Michael Flossman, a security researcher with Lookout. “Despite not using any exploits, we’ve seen just how effective they’ve been with infrastructure now hosting over one gigabyte of exfiltrated content that’s been collected purely from mobile devices.” GPS coordinates for phones infected by Two-tailed scorpion per LookOut

The attackers’ intrusions typically begin with a booby-trapped smartphone application — some of these programs are designed to look almost identical to Facebook Messenger or WhatsApp — being downloaded onto a smartphone or through the deployment of a successful phishing email. In each of these scenarios, the end goal is to install a backdoor implant onto the target’s device to siphon data. The mobile malware attributed to this activity is known as “FrozenCell.”

“We haven’t identified any vulnerabilities being exploited in order for FrozenCell to be installed,” Flossman told CyberScoop. “It’s most likely that social engineering is the primary attack vector here, where a crafted message luring victims to install trojanized apps would be delivered to targets via SMS, email, or social media. Given that the actors are potentially operating in the same area as their targets it’s possible that physical access may also be used to get it on target devices.”

An analysis by Lookout focused on the metadata of exfiltrated content confirms that victims of the hacker group are almost exclusively based in the Palestine region. Call data from infected devices connects back to the +972 area code, or 059 prefix, and remain active during the Palestinian timezone of GMT +3.

“When considered with how long running this campaign is FrozenCell appears to be quite targeted,” Flossman said.

Researchers say Two-tailed scorpion, which is also known as “APT-C-23,” has been active since at least early 2015. U.S. cybersecurity firms Palo Alto Networks and ThreatConnect identified elements of the group’s desktop-specific toolset in 2016.

“While actors in the Middle East have tended to be noisier than those operating out of other regions, which has made it easier to connect that they’re deploying desktop and mobile malware, they’re clearly not the only ones with different tools for different environments,” Flossman said.

Over the last year, FrozenCell has been spread through recognizable phishing email messages already associated with desktop malware, registration information for attacker domains and other indicators linked to Hamas.

It’s possible, however, that another, entirely different Gaza-based actor is responsible for the latest mobile-focused attacks, Flossman said.

Accurate attribution in cyberspace is a notoriously difficult thing to accomplish, according to cybersecurity threat intelligence experts.


Popular posts from this blog

NanoCore developper busted and senteced for 33 months

A hacker who was arrested and pleaded guilty last year—not because he hacked someone, but for creating and selling a remote access trojan that helped cyber criminals—has finally been sentenced to serve almost three years in prison.

Taylor Huddleston, 26, of Hot Springs, Arkansas, pleaded guilty in July 2017 to one charge of aiding and abetting computer intrusions by building and intentionally selling a remote access trojan (RAT), called NanoCore, to hackers for $25.

Huddleston was arrested in March, almost two months before the FBI raided his house in Hot Springs, Arkansas and left with his computers after 90 minutes, only to return eight weeks later with handcuffs.
This case is a rare example of the US Department of Justice (DOJ) charging someone not for actively using malware to hack victims' computers, but for developing and selling it to other cybercriminals.
Huddleston admitted to the court that he created his software knowing it would be used by other cybercrimina…

ICEMAN : Infecting Crystal Finance Millennium

Iceman gang member confirms that they are behind the introduction and spreading of malwares that have affected Crystal Finance Millennium, a Ukraine-based accounting software firm. Was this a political based attack? Read more to find out.
I’ve had a chance to speak to one of the gang member on XMMP and he confirmed that the Iceman group is behind this attack. They started by a simple web attack (SQLI which lead to web shell upload, no privilege escalation was needed) in order to gain access to the web servers of the company. He confirmed that the math was simple, the Ukrainian company had many clients in the financial and medical sector which facilitated the propagation of their malware. From the archived web page, it becomes apparent they provide accounting software, personalization of medical records, blood service and "full automation of the doctor's office" - contrary to what their company name suggests, it appears they are (mostly) focused on medical software.

KillaMuvz: Undercovered british hacker

The Briton Goncalo Esteves (24), also known as KillaMuvz, has pleaded guilty to charges related to creating and running malware services. The Briton Goncalo Esteves (24) has pleaded guilty to charges related to creating and running malware services.
Such kind of platforms allows crooks to improve the development of their malicious codes. The malware created with the Esteves’ malware services would not be detected by antivirus software.
Esteves that was used the moniker ‘KillaMuvz’ is the creator of Cryptex tool commonly used by vxers to encrypt their files in an effort to avoid the detection. The first version of Cryptex was released in October 2011 and was continuously improved.
According to the NCA, Esteves has pleaded guilty to two computer misuse charges and one count of money laundering, the sentence is planned for February 12. “A cyber criminal has admitted running a product-testing service for hackers following a joint investigation by the National Crime Agency (NCA) a…