Researchers have identified a new wave of attacks against Palestinian activists and organisations that began in October 2021 and relied on politically themed phishing emails and decoy documents. Cisco Talos attributes the attacks to a long-running espionage and data-theft campaign by the Arid Viper hacking group that dates back to at least June 2017 and uses a Delphi-based implant called Micropsia.
The threat actor, also tracked as APT-C-23 and Desert Falcons, was first documented by Kaspersky in February 2015, and again in 2017, when Qihoo 360 published details of cross-platform backdoors the group had built to attack Palestinian institutions.
In April 2021, Meta (then Facebook) announced that it had removed the group from its platform for distributing mobile malware to individuals associated with pro-Fatah groups, Palestinian government organisations, military and security personnel, and student groups in Palestine, and cited the group's ties to Hamas' cyber arm.
The group's tooling has changed little: its latest activity relies on the same methods and decoy-document themes used in 2017 and 2019, which suggests those methods have been effective enough that the group saw no need to replace them. The more recent decoy files concern Palestinian reunification and sustainable development in the territories, and when opened they install Micropsia on the victim's device.
Finally, the researchers concluded: "Arid Viper is a perfect example of groups that aren't extremely technologically advanced, but with certain motives are evolving over time and testing their tools and methods on their targets. These can be exploited to get long-term access to victim environments and then deploy further malware aimed at espionage and stealing data and passwords."