AridViper APT observed targeting Israeli officials in a new campaign

April 12, 2022

Security experts have observed a new cyberespionage campaign carried out by APT-C-23, also known as the AridViper APT group, in which high-ranking Israeli officials are being targeted. The advanced persistent threat (APT) group is a politically motivated operator based in the Middle East and also goes by the names Desert Falcon and Two-tailed Scorpion.

AridViper has previously been recorded launching spear-phishing attacks against Palestinian authorities and military, educational institutions, and the Israel Security Agency (ISA). The group has also attacked many activists involved in the Israeli-Palestinian geopolitical conflict.


New findings recently linked to the AridViper APT show the group targeting prominent Israeli individuals to compromise their machines, spy on their movements, and steal confidential information.


The new campaign targeting Israeli officials has been dubbed ‘Operation Bearded Barbie,’ and it specifically targets the defence, law enforcement, and emergency service sectors. The operation relies on social engineering: the operators profile the victim, create fake Facebook profiles, make contact, and then entice the victim into downloading malware-infected messaging applications.

As the conversation between the operators and the victim progresses, the operators ask to move to WhatsApp, where they further lure the victim into installing the malware-infected app, delivered zipped in a RAR archive.

Aside from the new campaign, the group has also improved its attack toolset, which now includes the Barb(ie) Downloader and the BarbWire Backdoor, alongside a new implant variant called VolatileVenom.

The Barb(ie) Downloader is spread via the zipped archive the threat group sends to victims and is used to install the BarbWire backdoor on compromised devices. Once installed, the downloader runs anti-analysis checks, such as scanning for virtual machines or sandboxes, before launching the backdoor.

Experts describe the BarbWire backdoor as a very capable malware strain because of its high level of obfuscation. They also believe that the group's tight focus on its individual targets is crucial to the campaign's success.

The AridViper APT has shown a considerable improvement in its attack operations, including upgraded stealth, newly launched malware, and refined social engineering tactics. Users are advised to be cautious about who they communicate with online and to avoid downloading suspicious applications that may lead to compromise.
