Operation Bearded Barbie: APT-C-23 Campaign Targeting Israeli Officials

Cybereason Nocturnus details a new espionage campaign by APT-C-23 targeting Israeli officials, featuring upgraded malware (the Barb(ie) Downloader, the BarbWire Backdoor, and the VolatileVenom Android implant) and elaborate social engineering to gain initial access. The operation uses infrastructure separate from the group's earlier campaigns against Arabic-speaking targets and emphasizes stealth, long-term data exfiltration, and compromise of both Windows and Android devices. #APT-C-23 #BarbDownloader #BarbWireBackdoor #VolatileVenom #Molerats #Hamas #IsraeliOfficials #Facebook #WhatsApp

Keypoints

  • New espionage campaign targets Israeli individuals, including high-profile defense, law enforcement, and emergency services personnel.
  • Attribution to APT-C-23, a Hamas-affiliated, Arabic-speaking group, which runs a distinct infrastructure for its Israeli targets.
  • Social engineering via fake Facebook profiles (catfishing) to lure victims into installing trojanized Android and PC messaging apps.
  • Upgraded malware suite: Barb(ie) Downloader, BarbWire Backdoor, and VolatileVenom Android implant, with enhanced stealth and persistence.
  • Infection flow moves victims from Facebook to WhatsApp and then to a download link for a .rar archive that carries a decoy video alongside the malware, ending with the BarbWire Backdoor running on the host.
  • BarbWire Backdoor provides extensive espionage capabilities: persistence, OS reconnaissance, keylogging, screen capture, audio recording, file collection, and exfiltration of the collected data to the C2.

MITRE Techniques

  • [T1566.003] Phishing: Spearphishing via Service – Social-engineered Facebook profiles (and follow-up WhatsApp contact) trick Israeli targets into downloading trojanized direct message applications for Android and PC. ‘fake Facebook profiles to trick specific individuals into downloading trojanized direct message applications for Android and PC, which granted them access to the victims’ devices.’
  • [T1105] Ingress Tool Transfer – Barb(ie) Downloader downloads the BarbWire backdoor payload from a URL. ‘A link to a site “hxxps://media-storage[.]site/09vy09JC053w15ik21Sw04” downloads a .rar file that contains a private video and the BarbWire Backdoor payload.’
  • [T1053.005] Scheduled Task – Barb(ie) Downloader creates two scheduled tasks for persistence. ‘…sets persistence via two scheduled tasks: “01” and “02”.’
  • [T1082] System Information Discovery – Barb(ie) collects machine information (username, computer name, date/time, OS version). ‘collect information about the machine, including username, computer name, date and time, running processes and OS version.’
  • [T1083] File and Directory Discovery – Enumeration of local and external drives. ‘Local drives found on the host, it also looks for external media such as a CD-Rom drive.’
  • [T1027] Obfuscated Files and Information – A custom base64 variant hides strings that are decoded only at run time. ‘uses a custom-built base64 algorithm.’
  • [T1056.001] Keylogging – BarbWire backdoor includes keylogging capability. ‘Keylogging’
  • [T1113] Screen Capture – BarbWire backdoor includes screen capture capability. ‘Screen capturing’
  • [T1123] Audio Capture – BarbWire backdoor includes audio recording capability. ‘Audio recording’
  • [T1041] Exfiltration Over C2 Channel – Data exfiltrated to C2 via HTTP POST. ‘Data that is sent in the POST request includes…’
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 uses HTTPS and Firebase Cloud Messaging for command and control. ‘VolatileVenom uses HTTPS and Firebase Cloud Messaging (FCM) for C2 communication.’
  • [T1497.001] Virtualization/Sandbox Evasion: System Checks – Anti-VM and anti-analysis checks run before the payload proceeds. ‘anti-vm and anti-analysis checks, in order to determine that “the coast is clear.”’

Indicators of Compromise

  • [Hash] ff1c877db4d0b6a37f4ba5d7b4bd4b3b980eddef – Early variant (SHA-1; the 40-hex-character digests here are SHA-1, not MD5) of BarbWire/Barb(ie) Downloader
  • [Hash] ad9d280a97ee3a52314c84a6ec82ef25a005467d – Analyzed campaign variant (SHA-1); includes the sekop parameter
  • [Hash] 4dcdb7095da34b3cef73ad721d27002c5f65f47b – New variant (SHA-1); includes sekop=092021
  • [Domain] fausto-barb[.]website – C2 domain used by Barb(ie) Downloader
  • [URL] hxxps://media-storage[.]site/09vy09JC053w15ik21Sw04 – Payload delivery URL (serves the .rar archive)
  • [URL] hxxps://sites.google[.]com/view/linda-lester/lockhart – Dead-drop resolver for VolatileVenom: the URL is stored encrypted in the implant's native library (.so) and the page title, once decrypted, yields the C2 domain
  • [Domain] frances-thomas[.]com – Final VolatileVenom C2 domain derived from the decrypted page title
  • [File] Windows Notifications.exe – Downloader sample filename used in the infection chain
  • [File] adbloker.dat – Data store file created by Barb(ie) Downloader for exfiltration staging
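The following is an added example (not code from Cybereason or from the report) showing how a practitioner would operationalize the indicators listed above: the digests are classified by hex length (which is how the three 40-character hashes are recognized as SHA-1), the defanged network indicators are refanged for matching, and the file, hash, network, and scheduled-task indicators (tasks “01” and “02” from the Barb(ie) Downloader persistence entry above) are checked against telemetry. The event records are constructed for illustration and the `scan_events` schema is an assumption, not any vendor's log format.

```python
"""Match the Operation Bearded Barbie IOCs against constructed telemetry.

Added example; IOC values are copied from the list above, everything
else (event schema, sample events) is constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Hashes from the IOC list. All three are 40 hex chars, i.e. SHA-1.
HASH_IOCS = {
    "ff1c877db4d0b6a37f4ba5d7b4bd4b3b980eddef": "BarbWire/Barb(ie) early variant",
    "ad9d280a97ee3a52314c84a6ec82ef25a005467d": "Barb(ie) analyzed-campaign variant",
    "4dcdb7095da34b3cef73ad721d27002c5f65f47b": "Barb(ie) new variant (sekop=092021)",
}
# Network indicators, kept defanged as they appear in the report.
NETWORK_IOCS = {
    "fausto-barb[.]website": "Barb(ie) Downloader C2",
    "media-storage[.]site": "BarbWire delivery host",
    "frances-thomas[.]com": "VolatileVenom C2 (from decrypted Google Sites title)",
}
FILE_IOCS = {"windows notifications.exe", "adbloker.dat"}
# Scheduled task names the report attributes to Barb(ie) Downloader.
TASK_IOCS = {"01", "02"}

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def hash_algorithm(digest: str) -> str:
    """Infer the hash algorithm from the hex length; raise on malformed input."""
    d = digest.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", d) or len(d) not in HASH_LENGTHS:
        raise ValueError(f"not a recognised hex digest: {digest!r}")
    return HASH_LENGTHS[len(d)]


def refang(indicator: str) -> str:
    """Turn 'hxxps://evil[.]site' back into a real URL or domain for matching."""
    out = re.sub(r"^hxxp", "http", indicator, flags=re.IGNORECASE)
    return out.replace("[.]", ".").replace("(.)", ".")


def defang(indicator: str) -> str:
    """Inverse of refang, for safe display in reports."""
    out = re.sub(r"^http", "hxxp", indicator, flags=re.IGNORECASE)
    return out.replace(".", "[.]")


def host_of(url_or_host: str) -> str:
    """Extract the lower-cased hostname from a (possibly defanged) URL or domain."""
    s = refang(url_or_host)
    if "://" in s:
        return (urlparse(s).hostname or "").lower()
    return s.lower()


# Constructed sample telemetry (not real logs); each dict is one event.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\victim\Downloads\Windows Notifications.exe",
     "sha1": "ad9d280a97ee3a52314c84a6ec82ef25a005467d"},
    {"type": "dns", "query": "fausto-barb.website"},
    {"type": "http", "url": "https://media-storage.site/09vy09JC053w15ik21Sw04"},
    {"type": "task_created", "task_name": r"\01"},
    {"type": "task_created", "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "sha1": "0000000000000000000000000000000000000000"},
    {"type": "file_create", "path": r"C:\Users\victim\AppData\Local\Temp\adbloker.dat"},
]


def scan_events(events):
    """Return (event index, reason) for every event that matches an IOC."""
    hosts = {host_of(k): v for k, v in NETWORK_IOCS.items()}
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "process":
            name = ev["image"].rsplit("\\", 1)[-1].lower()
            digest = ev["sha1"].lower()
            # Only compare against HASH_IOCS when the digest is actually SHA-1.
            if hash_algorithm(digest) == "sha1" and digest in HASH_IOCS:
                hits.append((i, f"hash: {HASH_IOCS[digest]}"))
            elif name in FILE_IOCS:
                hits.append((i, f"filename: {name}"))
        elif ev["type"] in ("dns", "http"):
            host = host_of(ev.get("query") or ev.get("url"))
            if host in hosts:
                hits.append((i, f"network: {hosts[host]}"))
        elif ev["type"] == "task_created":
            # Task names are logged with a leading backslash (e.g. "\01").
            name = ev["task_name"].lstrip("\\")
            if name in TASK_IOCS:
                hits.append((i, f"scheduled task: {name}"))
        elif ev["type"] == "file_create":
            name = ev["path"].rsplit("\\", 1)[-1].lower()
            if name in FILE_IOCS:
                hits.append((i, f"filename: {name}"))
    return hits


if __name__ == "__main__":
    for idx, reason in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

The hash-length check matters in practice: feeding these SHA-1 values into a hunt that expects MD5 (as the original labeling suggested) would match nothing. The two-digit task names are a weak indicator on their own, so they are matched exactly here rather than as a pattern; pair them with the process hash or filename before alerting.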

Read more: https://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials#iocs