US security group FireEye said that the Molerats, an extension of the Gaza Hacker Team, use e-mail, document attachments and malicious website links to remotely install malware, which they can then use to steal data or compromise operations. The same hacker crew caused the Israel Police to shut down its network for a week in 2012 and has expanded the scope of its operations, targeting governments, banks and media companies in the US and several European countries with the same brand of RAT (remote access tool) it successfully used against Israeli targets.
FireEye said it noticed a sharp increase in Molerat activity worldwide in recent months.
One of the tricks used to get web surfers to download the malware is a “phishing” message, in which users get a link to an online document, or are sent a convincing-looking encrypted or encoded file. The malware is installed when users click on the link or open the file. In addition, said FireEye, the hackers used forged Microsoft security certificates, the security pages that show up when users reach a questionable web page. When users see these pages, they get the impression that the site is safe and are more likely to click through the permission prompts to view the page. Unknown to them, clicking through those prompts allows the hackers to download and install the malware.
FireEye said the hacker group was able to avoid attention because it uses tools that are generally associated with Chinese hackers. The Molerats have been using a tool called Poison Ivy (PIVY) against mostly Israeli and Palestinian targets since 2011. In a PIVY attack, hackers set up a server that serves the malware and receives the uploaded information, remotely installing code on a target machine and using a Windows GUI client to control the victim’s computer. In addition, they used xTreme RAT, the tool they deployed against the Israel Police and other institutions in Israel and the Palestinian Authority.
Even though PIVY is a favorite of Chinese hackers, FireEye determined that Middle Eastern hacker groups use it as well. “Previous research has linked these campaigns to Molerats,” FireEye said, “but with so much public attention focused on APT threat actors based in China, it’s easy to lose track of targeted attacks carried out by other threat actor groups based elsewhere.” One of the hallmarks of the attacks is “a habitual use of lures or decoy documents, in either English or Arabic language, with content focusing on active conflicts in the Middle East.”
According to FireEye, the hackers have targeted, among others, government departments in Israel, Turkey, Slovenia, Macedonia, New Zealand, Latvia, the US and the UK, the Office of the Quartet Representative (the EU-US group facilitating Middle East negotiations), the BBC, a US financial institution, and several EU government organizations.
In October 2012, Israel Police took all its computers offline for a week after it found a suspicious file circulating on its computers. According to Roni Bachar, head of Israeli security for Avnet, the purpose of that attack was most likely to collect data. “The attack was not sophisticated or complicated in any way” and neither was the virus, he said. “But it was very similar to other data mining attacks that we at Avnet have dealt with in recent years.”
The easiest and best way to avoid getting caught in these kinds of stings, according to Sergey Novikov, one of the top virus experts in Kaspersky Lab, is to install anti-virus software and not click on messages or links that seem suspicious.
Security-aware behavior should be taught to all, including professionals in the workplace and kids. Embarking on a major educational program to ensure that everyone is aware of the dangers in the cyber-world, and the dangers if they fail to protect themselves, could help reduce the effectiveness of RAT and other attacks significantly. “We should be teaching this to kids, even from the earliest grades,” Novikov said. “Just like people are taught that they need to wash their hands to prevent disease, they should also be taught how to maintain a cyber-defense as they engage with the Internet, for society’s sake and their own.”