Politically Themed Lures Target Palestinians
Phishing Attacks With Micropsia Malware Use Decoy Documents
A new wave of Delphi malware called Micropsia, developed and operated by the Arid Viper advanced persistent threat group, is reported to be targeting Palestinian entities and activists using politically themed lures in an ongoing campaign.
Researchers at Cisco Talos observed the latest activity by the Arid Viper APT group, which has been active since 2017, and said the campaign involves multiple RATs and information-gathering capabilities.
"Talos believes with high confidence that this is the work of the Arid Viper threat actor. This is a group believed to be based out of Gaza which is known to target organizations all over the world. The actor uses the Micropsia implant in the most recent wave that started around October 2021," according to researchers at Cisco Talos.
Arid Viper Background
The researchers say that the group uses politically themed file names, decoy documents and content originally published on the Turkish state-run news agency Anadolu and on the Palestinian MA'AN development center to target activists and Palestinian institutions.
The tactics, techniques and procedures used in the samples analyzed by the researchers led them to believe this campaign is linked to a previous one that they reported on in 2017.
Facebook, now known as Meta, also exposed this actor in an April 2021 report that focused mainly on mobile targeting operations.
"However, that did not stop the group, as they've continued to target Windows-based systems. Although this group hasn't technologically evolved, it has the motivation and means to operate long-standing campaigns against the same targets. This level of motivation makes them particularly dangerous to organizations that may come into their crosshairs," the researchers say.
The Group's TTPs
Magni Reynir Sigurðsson, senior manager of detection technologies at Cyren, says cybercriminals know which techniques to use to increase their chances of delivering malware successfully, and the use of politically themed emails and decoy documents makes it more likely that the victim will click on the included malicious link.
"However, this is where the attack’s ingenuity ends, because Arid Viper continues to use the same TTPs they have since 2017 rather than advancing to more sophisticated and technologically advanced attack vectors. Not only does this demonstrate the arrogance of the group, which doesn’t feel affected by the public exposure of its campaigns, [but] the lack of change also points to a certain level of success with their current TTPs," Sigurðsson tells Information Security Media Group.
Arid Viper, also known as Desert Falcon or APT C-23, was first exposed in 2015. Its main motivation is espionage and information theft, and its campaigns have been attributed to malicious operators who favor the liberation of Palestine.
The researchers say that the group - which is known to target mobile and desktop platforms, including Apple iOS - is not a technically evolved actor.
"Their toolkit consists of Delphi packers and compilers around their staple malware, Micropsia. This implant has also been ported to other platforms with versions based on Python and an Android version," they say.
The researchers analyzed an example lure used in 2019 and found that while the file name refers to an annual report from 2018, the contents actually mention 2014 and 2015. They also shared a small chronology of malicious implants masquerading as documents of interest created with the same themes, which they associate with this ongoing campaign.
Politically Themed Lures
"The use of politically themed lures reduced during 2018 and 2019, but we observed a definite increase in their usage in 2020 and 2021. Talos also observed other themes being used by this group (to deliver Micropsia) during 2018 and 2019 and into 2020/21, but they were not considered as part of this campaign in analysis and are beyond the scope of this research," the researchers say.
The politically motivated content in the decoy documents and their use of the Arabic language point to the victims being Palestinian individuals and organizations, according to the researchers.
One of the recent decoy documents from September 2021 that was analyzed by Cisco Talos contains an article about the reunification of Palestinian families that was originally published by the Anadolu Agency on Sept. 3, 2021.
Another decoy document from the same month contains articles on social and economically sustainable development in Palestine written by the MA'AN development center, a Palestinian development and training institution, the researchers say.
They also found a decoy document from July 2021 that consisted of a patient's report containing affidavits from the State of Palestine's Ministry of Health.
"During March and February 2021, we observed the use of politically themed decoys. One of these decoys consisted of a list of questions from a Palestinian activist on the Presidential decree issued on Feb. 20, 2021, ordering the respect of freedom of expression ahead of legislative elections in May," the researchers say.
They say they could not find any email or social media posts that were linked with the Micropsia implants.
"However, we found the implants and compressed files containing the implants. This follows the same pattern that we described in our 2017 post about this actor. It is highly likely that the threat actor has continued to use the email vector to deliver their lures and implants," the researchers say.
The implant used in the campaign consists of Delphi-based versions of Micropsia, built as a Delphi form with four buttons and four timers that carry out the different malicious activities.
All the malicious functionalities are implemented through the timers configured in the implant, the researchers say. "One of these timers is responsible for extracting the decoy document and saving it to the %TEMP% folder and then displaying it via ShellExecute. Now, if the implant is started with the '-start' command-line switch, it will skip the process for dropping and displaying the decoy document and jump straight to its RAT functionalities."
Another timer establishes persistence: the implant reads its own current command line and uses it to create a shortcut to itself in the %TEMP% directory.
"The shortcut to run the implant contains the '-start' switch (used to skip displaying the decoy document). This shortcut is then moved over to the currently logged-in user's Startup folder to complete persistence across reboots and re-logins," the researchers say.
The remaining two timers focus on gathering preliminary system information and activating the RAT capabilities of the implant. The gathered data is base64-encoded and assigned to HTTP form query variables, which are then sent to a command-and-control server via an HTTP POST request, which researchers say is fairly standard in Micropsia implants.
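The persistence step described above leaves a recognizable artifact: a shortcut in the current user's Startup folder whose target sits in %TEMP% and whose arguments carry the '-start' switch. The following triage script is an added example written for this article, not code from Cisco Talos or from the Micropsia analysis; it runs over a constructed shortcut inventory (the kind of list an EDR query or a PowerShell export would produce) and flags entries matching that pattern. The paths, the Shortcut record layout and the sample entries are assumptions made for the example.

```python
"""Triage Startup-folder shortcuts for the %TEMP% + '-start' persistence pattern.

The inventory below is constructed for this example; it is not data from the
article or from any real host. Each record describes one .lnk file: where it
lives, what it launches, and the arguments it passes.
"""
import re
from dataclasses import dataclass


@dataclass
class Shortcut:
    lnk_path: str    # location of the .lnk file itself
    target: str      # executable the shortcut launches
    arguments: str   # command line passed to the target


# Per-user Startup folder under AppData\Roaming (assumed standard layout).
STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
# Common temp locations; %TEMP% is kept literal in case the export did not expand it.
TEMP_RE = re.compile(r"(\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%TEMP%)", re.I)
START_SWITCH_RE = re.compile(r"(^|\s)-start(\s|$)", re.I)


def suspicious_reasons(s: Shortcut) -> list:
    """Return the reasons a Startup shortcut looks like the described persistence step."""
    reasons = []
    if not STARTUP_RE.search(s.lnk_path):
        return reasons  # only shortcuts that auto-run at logon are of interest here
    if TEMP_RE.search(s.target):
        reasons.append("Startup shortcut targets an executable in a Temp directory")
    if START_SWITCH_RE.search(s.arguments):
        reasons.append("Startup shortcut passes the '-start' switch")
    return reasons


def triage(shortcuts) -> dict:
    """Map each flagged .lnk path to its list of reasons; clean entries are omitted."""
    flagged = {}
    for s in shortcuts:
        reasons = suspicious_reasons(s)
        if reasons:
            flagged[s.lnk_path] = reasons
    return flagged


# Constructed sample inventory (hypothetical user 'alice').
SAMPLE = [
    Shortcut(  # ordinary vendor autostart: lives in Program Files, no switches
        r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk",
        r"C:\Program Files\Microsoft OneDrive\OneDrive.exe", ""),
    Shortcut(  # matches both indicators from the article's description
        r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\report.lnk",
        r"C:\Users\alice\AppData\Local\Temp\report.exe", "-start"),
    Shortcut(  # same switch, but on the Desktop: not auto-run, so not flagged
        r"C:\Users\alice\Desktop\report.lnk",
        r"C:\Users\alice\AppData\Local\Temp\report.exe", "-start"),
    Shortcut(  # Temp target only: still worth a look, one reason
        r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
        r"C:\Users\alice\AppData\Local\Temp\update.exe", "/quiet"),
]


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

The two indicators are scored separately because a Temp-resident Startup target is suspicious on its own, while the '-start' switch only adds weight when combined with the Startup location; a real deployment would feed the script from an EDR shortcut export rather than the constructed list.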
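Because the system information is only base64-encoded before being placed in form variables of an HTTP POST, a proxy or IDS that captures request bodies can decode the fields and see what was collected. The inspector below is an added example for this article, not code from Cisco Talos or from any Micropsia sample; the form variable names (pc, user, os), the values and the detection threshold are assumptions, and the request bodies are constructed inline.

```python
"""Decode base64-encoded form variables in captured HTTP POST bodies.

Both request bodies below are constructed for this example; the field names
and values are assumptions, not observed Micropsia traffic.
"""
import base64
import binascii
from urllib.parse import parse_qs, urlencode


def decode_field(value: str):
    """Return the decoded text if value is strict base64 for printable text, else None."""
    try:
        raw = base64.b64decode(value, validate=True)  # reject non-alphabet chars and bad padding
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text


def inspect_post_body(body: str) -> dict:
    """Map each form variable whose value decodes cleanly to its decoded text."""
    decoded = {}
    # parse_qs percent-decodes values; a client that URL-encodes its form data
    # turns '+' into '%2B' and '=' into '%3D', so base64 survives the round trip.
    for key, values in parse_qs(body, keep_blank_values=True).items():
        for v in values:
            text = decode_field(v)
            if text is not None:
                decoded[key] = text
    return decoded


def looks_like_beacon(body: str, min_fields: int = 2) -> bool:
    """Heuristic: several form fields that all decode to readable text is unusual for a web form."""
    return len(inspect_post_body(body)) >= min_fields


def b64(text: str) -> str:
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


# Constructed check-in body: hostname, user and OS string, each base64-encoded
# and URL-encoded as a browser or HTTP library would send a form.
BEACON_BODY = urlencode({
    "pc": b64("DESKTOP-A1B2C3"),
    "user": b64("alice"),
    "os": b64("Windows 10 Pro 21H1"),
})

# Constructed ordinary form submission for comparison.
BENIGN_BODY = "q=search+term&page=2&token=abcd1234"


if __name__ == "__main__":
    for label, body in (("beacon", BEACON_BODY), ("benign", BENIGN_BODY)):
        print(label, looks_like_beacon(body), inspect_post_body(body))
```

The decoder is deliberately strict (validate=True, UTF-8, printable) so that random tokens rarely pass; note that short alphanumeric values of a length divisible by four can still be valid base64, which is why the heuristic counts decodable fields per request rather than alerting on a single one.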
"Implants such as Micropsia come in various forms such as Delphi, Python and Android. Such RATs proliferated and operated by a highly motivated threat actor who refuses to back down consist of a variety of functionalities and are constantly evolving. These RATs can be used to establish long-term access into victim environments and additionally deploy more malware purposed for espionage and stealing information and credentials," the researchers say.
Sigurðsson warns that fraudulent emails are reaching user inboxes, and this is where security awareness training becomes critical. Employees must be taught to recognize the telltale signs of a malicious attack, such as spelling errors and incorrect logos, he says. Users should also be cautious opening attachments from suspicious-looking emails. With this campaign, Sigurðsson says, most of the attachments are double-extended. For instance, document.pdf.exe looks to users like a harmless PDF file when it is really executable malware.
Sigurðsson says that current email security is overly focused on prevention, whereas organizations are far better off accepting that their employees will continue to be the target of attacks - and that some reach the inbox. He says organizations should implement a robust, layered security strategy in response. "This layered strategy should include real-time detection of zero-day and unique threats. By adding a real-time detection and automated remediation capability to identify and eliminate threats rapidly, we can minimize the impact of when a malicious email makes it through our defenses."
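A mail gateway or attachment scanner can catch the double-extension trick described here mechanically, including the variant where spaces are padded between the decoy extension and the real one so the executable suffix scrolls out of view. The checker below is an added example for this article, not code from Cyren, Cisco Talos or the campaign; the extension lists are assumptions, and the sample archive (the article notes the implants were found inside compressed files) is constructed in memory.

```python
"""Flag attachment names such as document.pdf.exe, on their own or inside a zip.

The extension lists are assumptions for this example; extend them to taste.
The sample archive is constructed in memory and contains no real malware.
"""
import io
import os
import zipfile

# Extensions a user would read as a harmless document or image.
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".jpg", ".png"}
# Extensions Windows will execute (or that launch something) when opened.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".lnk"}


def double_extension(name: str):
    """Return (decoy_ext, real_ext) when the name ends in an executable extension
    that is preceded by a document-looking one, e.g. ('.pdf', '.exe'); else None."""
    base, last = os.path.splitext(os.path.basename(name).lower())
    _, prev = os.path.splitext(base.rstrip())  # rstrip handles 'report.pdf      .exe' padding
    if last in EXEC_EXTS and prev in DOC_EXTS:
        return prev, last
    return None


def flag_attachments(names) -> dict:
    """Map each flagged filename to a short explanation."""
    return {n: f"{hit[1]} executable disguised as {hit[0]} document"
            for n in names if (hit := double_extension(n))}


def flag_archive_members(zip_bytes: bytes) -> list:
    """List members of a zip attachment that carry a double extension."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if double_extension(n)]


def build_sample_zip() -> bytes:
    """Constructed archive: one disguised member and one benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("annual_report_2018.pdf.exe", b"MZ placeholder, not a real program")
        zf.writestr("readme.txt", b"constructed benign member")
    return buf.getvalue()


# Constructed attachment names for the stand-alone run.
SAMPLE_NAMES = ["document.pdf.exe", "report.PDF      .scr", "invoice.pdf", "setup.exe", "notes.docx.js"]


if __name__ == "__main__":
    for n, why in flag_attachments(SAMPLE_NAMES).items():
        print(f"{n!r}: {why}")
    print("archive:", flag_archive_members(build_sample_zip()))
```

The check is case-insensitive and looks only at the last two suffixes, which keeps it cheap enough to run on every attachment; pairing it with a rule that blocks executable extensions inside archives outright covers the delivery path the article describes.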