Arid Viper APT targets Palestine with new wave of politically themed phishing attacks, malware

Cisco Talos identifies a new wave of the Delphi-based Micropsia implant operated by Arid Viper, targeting Palestinian entities and activists with politically themed decoys. The latest implants add multiple RAT and information-gathering capabilities, persistence mechanisms, and C2 communications, indicating a long-running campaign that relies on unchanged TTPs. #Micropsia #AridViper

Key points

  • New wave of Delphi-based Micropsia implants attributed to Arid Viper (Desert Falcon/APT C-23) targeting Palestinian individuals and organizations with politically themed decoys.
  • Implants include remote access Trojan (RAT) capabilities and information-gathering functionality.
  • Decoys and lures are thematically political, frequently in Arabic, with content tied to Palestinian topics and organizations.
  • Tactics and procedures mirror earlier campaigns from 2017, suggesting the actor’s continued use of established methods despite public exposure.
  • Deployment uses email vectors to deliver lures/implants, with persistence via startup folder and decoy document display.
  • Network communications rely on HTTP(S) POSTs to C2, with distinct URLs for different command types and a defined command set.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – Initial access via email delivering lures and implants. ‘It is highly likely that the threat actor has continued to use the email vector to deliver their lures and implants.’
  • [T1547.001] Boot or Logon Autostart Execution – Persistence by creating a startup shortcut to run the implant; ‘the shortcut to run the implant contains the “-start” switch … moved over to the currently logged-in user’s Startup folder to complete persistence across reboots and re-logins.’
  • [T1082] System Information Discovery – Information gathering about the host (pcid, computername, username, AV, OS). ‘Generate a pc ID for the infected endpoint. Save this value into a data file, such as: “%APPDATA%dsfjj45k.tmp”’
  • [T1113] Screen Capture – Exfiltration of screenshots. ‘Capture screenshots to the %TEMP% directory and exfiltrate.’
  • [T1059.003] Windows Command Shell – Command execution on the endpoint. ‘Execute the command specified and send output to C2.’
  • [T1105] Ingress Tool Transfer – Downloading files from a remote location to the endpoint. ‘Download file from a specified remote location into a local path specified by the C2.’
  • [T1071.001] Web Protocols – C2 communications over HTTP(S). ‘The data is then sent to the implant’s C2 server via an HTTP POST request.’
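A defensive check for the persistence mechanism quoted under T1547.001, added here as an example (not code from Talos or from the report): it parses the .lnk files in the per-user Startup folder following the MS-SHLLINK layout and flags any shortcut whose command-line arguments carry the “-start” switch. The Startup folder path is the standard per-user location, and make_lnk builds a constructed sample shortcut so the parser can be exercised offline.

```python
import os
import struct

# LinkFlags bits from MS-SHLLINK and the shell-link CLSID {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
STARTUP = r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"  # assumed per-user Startup folder

def lnk_arguments(data):
    """Return the COMMAND_LINE_ARGUMENTS string of a shell link, or None if absent or not a link."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        return None
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_IDLIST:    # LinkTargetIDList: uint16 size (excluding itself) + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:  # LinkInfo: uint32 size that includes the size field
        pos += struct.unpack_from("<I", data, pos)[0]
    width, enc = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    for flag in (HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON):  # fixed StringData order
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]  # character count, then the characters
            text = data[pos + 2:pos + 2 + count * width].decode(enc, "replace")
            pos += 2 + count * width
            if flag == HAS_ARGS:
                return text
    return None

def has_start_switch(args):
    """True when "-start" appears as a standalone switch in the argument string."""
    return args is not None and "-start" in args.lower().split()

def scan_startup(folder=STARTUP):
    """Return (path, arguments) for Startup shortcuts that launch their target with "-start"."""
    folder = os.path.expandvars(folder)
    hits = []
    for name in os.listdir(folder) if os.path.isdir(folder) else []:
        if name.lower().endswith(".lnk"):
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                args = lnk_arguments(fh.read())
            if has_start_switch(args):
                hits.append((path, args))
    return hits

def make_lnk(args):
    """Constructed sample (not an implant artefact): minimal Unicode link carrying only arguments."""
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", HAS_ARGS | IS_UNICODE) + bytes(52)
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")
```

Running scan_startup() on a Windows host lists matching shortcuts; on any other OS the parser can be pointed at a folder of copied .lnk files.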

Indicators of Compromise

  • [Hashes] – File hashes of the Micropsia implants. d4e56e3a9dec89cc32df78aa4ba8b079aa5e697ed99a1e21e9bd31e85d5d1370, 1d4e54529feef53850f97f39029a906d53f3d4b2aea8373e27c413324a55681c, and 2 more hashes
  • [Hostnames] – C2-related hostnames. deangelomcnay[.]news, juliansturgill[.]info, earlahenry[.]com, and 2 more hostnames
  • [URLs] – C2 and exfiltration URLs. http://deangelomcnay[.]news/qWIlIdKf2buIH0k/GbrHoIfRqtE69hH/ZCgbo9EVhYMA8PX, http://deangelomcnay[.]news/qWIlIdKf2buIH0k/GbrHoIfRqtE69hH/bu5EmpJE7DUfzZD, and 2 more URLs

Read more: http://blog.talosintelligence.com/2022/02/arid-viper-targets-palestine.html