Key Intelligence Signals:
Palestinian APT Arid Viper Targets into their Own Cyber Territory
Summary:
The Mantis is a Palestinian Cyber-Espionage threat actor known as Arid Viper, Desert Falcon, and APT-C-23 active since 2014. The threat actor has a history of targeting the Middle Eastern region and Israel. The threat actor is known for attacking via spear phishing and luring victims through fake social media profiles into installing or executing malware. In past campaigns, the threat actor has used its customized Micropsia and Arid Gopher backdoor.
Recently, it was observed that the threat actor ran a campaign that started the previous year in September. Attack type and the target are however still unknown. What we know so far is that the attackers utilized three different versions of a toolset to target three separate groups of computers. This indicates that the attackers segmented the attack in this manner as a precautionary measure. By utilizing different variants of the same toolset, the attackers were able to ensure that even if one toolset was discovered, they would still maintain a persistent presence on the targeted network.
On the 18th of December 2022, the first indicator was discovered. The attacker deployed an obfuscated 32-bit PowerShell command stager which fetched and executed another stage from a C&C server. Then it used Certutil and BITSAdmin to dump credentials before downloading the Micropsia backdoor. Between December 22nd and January 2nd, 2023, the Arid Gopher backdoor was used by Micropsia to infect three computers. Once infected, Arid Gopher executed a persistence tool called SetRegRunKey.exe and ran an unfamiliar file named localsecuritypolicy.exe. On December 28th, Micropsia spread to three more computers, using the windowspackages.exe tool. Later, on December 31st, Arid Gopher executed two unknown files named networkswitcherdatamodell.exe and networkuefidiagsbootserver.exe. The attackers then replaced their version of Arid Gopher with a new variant on January 2nd. Two days later, on January 4th, Micropsia was responsible for executing two unknown files – hostupbroker.exe and exfiltration of a RAR file.
Insights:
The threat actor targeting assets in their own country raises hints about countering the internal threat that may be in its initial stage, or the asset may be indulged with activities that are helping external threats which are again against the national interest of Palestine.
Micropsia is an implant that takes on different forms, such as Delphi, Python, and Android. Mantis using it and upgrading its functionality shows signs of not backing down and making it hard for adversaries to detect it. Also, it is visible from their previous campaign, most of the campaigns were undetected until the malicious job was finished.
The Russian hacktivist group Killnet has attempted to disable a recently established German government website devoted to the economic reconstruction of Ukraine. According to the German Ministry for Economic Cooperation, the attack started right after the website went up and continued for a week in the form of distributed denial-of-service (DDoS) attack. According to German authorities, similar action has been expected and the attack has been successfully repelled.
China’s Ministry of Science and Technology (MOST) and National Natural Science Foundation (NSFC) jointly launched “Artificial Intelligence for Science,” an initiative to promote the integration of artificial intelligence (AI) into key science and technology fields, including drug development and gene research. According to the plan, the institutions have committed to developing cutting-edge AI models and algorithms and are working to build a “national open innovation platform for the new generation of AI public computing power,” among other strategies for promoting AI’s use in scientific research. The initiative’s debut coincides with the country’s goal of becoming a “global leader” in the field by 2030, which has shifted the focus of Chinese policy toward technological advancement to AI. CYFIRMA analysts have previously reported on the danger of the use of AI in creating malware and based on China’s past behavior it is reasonable to assume some AI research will be aimed at the development of cyber weapons, especially given the fact that China is using the cyber realm as a vital part of her statecraft toolkit.
It has been revealed that NTC Vulkan, a Moscow-based IT consultancy, is a significant contractor to all three of the main Russian intelligence agencies, the GRU, the SVR, and the FSB. The creation of tools for cyberattacks is Vulkan’s area of expertise, which has been revealed in a leak of over 1,000 classified documents, including 5,299 pages of project plans, orders, and internal emails from Vulkan from 2016 to 2021.
The documents offer a special glimpse into the depths of Russian cyberwarfare plans despite being entirely in Russian and being of a highly technical nature. The militarized nation, in addition to classic military tools, also heavily utilizes hackers and software in combat. According to the so-called Vulkan papers, the business supports a wide variety of offensive cyber operations. Its services and goods cover disinformation, disruptive attacks meant to damage infrastructure but also acts of espionage. The business also trains its clients in the use of security and intelligence systems. According to Western media, a disgruntled insider who opposes Mr. Putin’s conflict with Ukraine is to blame for the leaks.
Vulkan developed at least three systems for Russian operators. First, Amesit, a mapping system to support and gather data for information warfare operations and cyberattacks against critical infrastructure. Second, Krystal-2B, a training system for practicing attacks on transportation and utility systems, and third, Scan – a platform for vulnerability detection and data collection. Some systems appear to have been deployed multiple times, including as part of Russia’s efforts to influence the result of the 2016 US presidential elections, though experts are unsure whether some of the systems are for practice or could enable an attack on vital infrastructure.
CYFIRMA Research team observed Virgin Mobile Mexico – Admin Access System advertised for sale by a Korean-based threat actor for USD 300.
Source: Telegram
