Hamas Hackers Sling Stealthy Spyware Across Egypt, Palestine

Published : 23/11/2024   Category : security




The Arid Viper APT group is deploying AridSpy malware with Trojanized messaging applications and second-stage data exfiltration.



Hamas-linked advanced persistent threat (APT) group Arid Viper has been observed using the Android spyware AridSpy since at least 2022. Now, for the first time, researchers have provided a full analysis of the malware's previously mysterious later stages.
It turns out AridSpy is being distributed through Trojanized messaging apps, according to researchers with ESET, which recently released a new report on AridSpy campaigns.
New in these campaigns, AridSpy was turned into a multistage trojan, with additional payloads being downloaded from the command-and-control server by the initial, trojanized app, the report said.
The researchers analyzed five separate AridSpy efforts targeting Android users across Egypt and Palestine, according to the report. AridSpy often lurks in applications with legitimate functions, making it more difficult to detect; in this case, victims in Palestine were targeted with advertisements for a malicious app posing as the Palestinian Civil Registry, ESET said. In Egypt, the first-stage spyware was hidden in an app called LapizaChat as well as in scam job opportunity postings. The apps are available for download from third-party sites controlled by the threat actors, rather than Google Play.
Once second-stage data exfiltration begins, the analysis showed the threat group is able to collect a raft of data, including device location, contact list, call logs, text messages, photo thumbnails, clipboard data, notifications, and video recording thumbnails; the payload also gives the cybercriminals the ability to record audio, take pictures, and more.
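The article notes that the trojanized apps reach victims from attacker-controlled websites rather than Google Play, so a simple defensive check is to list which installer put each third-party package on a device. The script below is an added example written for this article; it is not ESET's tooling, not code from the report, and not AridSpy itself. It assumes the line format produced by `adb shell pm list packages -3 -i` (`package:<name> installer=<installer-or-null>`), the trusted-installer set is a policy assumption to adjust per fleet, and the sample lines and package names are constructed placeholders.

```python
"""Flag third-party Android packages that were not installed by a trusted store.

Added example for this article (not ESET's or the report's code). Assumes the
output format of `adb shell pm list packages -3 -i`, i.e. one line per package:
    package:<name> installer=<installer-or-null>
The sample output and package names below are constructed placeholders.
"""
import re
import sys
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Installer packages treated as trusted app stores. Assumption: a fleet policy
# would extend this with any enterprise MDM or OEM store it actually uses.
TRUSTED_INSTALLERS = {
    "com.android.vending",  # Google Play
}

# One line of `pm list packages -i` output (assumed format, see module docstring).
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)\s*$")


@dataclass(frozen=True)
class InstalledPackage:
    name: str
    installer: Optional[str]  # None when pm reports "null" (no recorded installer)


def parse_pm_output(text: str) -> List[InstalledPackage]:
    """Parse pm output into records; lines in an unexpected format are skipped."""
    packages = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            continue  # do not guess at malformed lines
        installer = match.group("installer")
        packages.append(
            InstalledPackage(match.group("pkg"), None if installer == "null" else installer)
        )
    return packages


def sideloaded(packages: Iterable[InstalledPackage],
               trusted: Iterable[str] = TRUSTED_INSTALLERS) -> List[InstalledPackage]:
    """Return packages whose installer is missing or is not a trusted store.

    A missing installer or a plain package-installer component means the APK was
    installed by hand or by another app, which is how the article's distribution
    channel (third-party websites) would show up on a device.
    """
    trusted_set = set(trusted)
    return [p for p in packages if p.installer is None or p.installer not in trusted_set]


# Constructed sample output; package names are placeholders, not real AridSpy identifiers.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome installer=com.android.vending
package:com.example.chatapp installer=null
package:com.example.registryapp installer=com.android.packageinstaller
"""


def report(text: str) -> List[str]:
    """Human-readable findings for the given pm output."""
    return [f"{p.name}: installer={p.installer or 'none'}" for p in sideloaded(parse_pm_output(text))]


if __name__ == "__main__":
    # Pipe real output in, e.g. `adb shell pm list packages -3 -i | python flag_sideload.py`,
    # or run without input to see the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PM_OUTPUT
    for line in report(data):
        print(line)
```

Flagged packages are candidates for review, not confirmed malware: an installer of `null` or a package-installer component only tells you the app did not come through the store, which is exactly the channel this article describes and a sensible trigger for pulling the APK for analysis.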
Previous analysis revealed AridSpy was used in 2022 to target the FIFA World Cup held in Qatar, among other campaigns across the Middle East, the report said.
Dedicated sites are still running at least three AridSpy espionage campaigns, ESET warns.
At the time of this publication, three out of the five discovered campaigns are still active; the campaigns used dedicated websites to distribute malicious apps impersonating NortirChat, LapizaChat, and ReblyChat, ... job postings..., and Palestinian Civil Registry apps, the report said.
Arid Viper is likely maintaining and improving the AridSpy code as time goes on, as well.
Naturally, the second-stage payload carries the latest updates and malicious code changes, which can be pushed to other ongoing campaigns, the researchers noted. This information suggests that AridSpy is maintained and might receive updates or functionality changes.
