Arid Viper hackers strike Palestine with political lures and Trojans

silversurfer

Level 84
Thread author
Verified
Helper
Top poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
7,552
"The Arid Viper cyberattack group is back with a new campaign targeting Palestinian organizations and activists."
On Wednesday, researchers from Cisco Talos said the ongoing campaign uses a Delphi-based Micropsia implant to strike activists.

"The most recent samples found by Talos lead us to believe this is a campaign linked to the previous campaign we reported on in 2017," the researchers say, adding that the main focus of Arid Viper is on cyberespionage -- and targets are selected by the operators based on the political motivation of the "liberation of Palestine."

The initial attack vector is phishing emails, with included content linked to the Palestinian political situation and usually stolen from news agencies. For example, one decoy document was related to Palestinian family reunification, published in 2021, whereas another contained a record of activist questions.

If an intended victim opens one of these documents, the implant triggers, extracting a range of Remote Access Trojan (RAT) capabilities. The malware will collect operating system and antivirus data, exfiltrate it to the operator's command-and-control (C2) server, steal content on the machine, take screenshots, and conduct further surveillance activities.

A timer contained in the implant will also establish persistence on the target machine through the Startup folder.

"The continued use of the same TTPs over the past four years indicates that the group doesn't feel affected by the public exposure of its campaigns and implants and continues to operate business as usual," Talos says. "This complete lack of deterrence makes them a dangerous group once they decide to target an organization or individual."