Kaspersky Lab's Global Research and Analysis Team reveals the activity of the Desert Falcons group, a cyber-espionage actor targeting numerous organisations and high-profile individuals in Middle Eastern countries.
Kaspersky Lab experts consider this operator to be the first known Arab group of "digital mercenaries", who have developed and carry out full-scale digital espionage operations.
- The campaign has been active for at least two years. The Desert Falcons team began developing and building up its operation in 2011. However, the start of the group's core activity and of the infections through its malware is placed in 2013. The peak of their activity was recorded at the beginning of 2015.
- The overwhelming majority of targets are in Egypt, Palestine, Israel and Jordan.
- In addition to the Middle Eastern countries that were its original targets, the Desert Falcons group is also active outside this region. Overall, its members have managed to attack more than 3,000 victims in more than 50 countries worldwide, stealing more than 1 million files.
- The attackers use malicious tools that they developed themselves to launch attacks on Windows computers and Android devices.
- Kaspersky Lab experts have many reasons to believe that the mother tongue of the Desert Falcons group members is Arabic.
The list of targeted victims includes military and government agencies, and in particular officials tasked with combating money laundering. The campaign also targeted executives from the health and business sectors, leading mass media, research and educational institutions, energy and public-utility providers, activists and political leaders, personal security companies and other targets that hold important geopolitical information.
Overall, Kaspersky Lab experts were able to detect signs of attacks on more than 3,000 victims in more than 50 countries, and found that the group had stolen more than one million files. Although the attacker appears to be operating in countries such as Egypt, Palestine, Israel and Jordan, many victims were also found in Qatar, Saudi Arabia, the United Arab Emirates, Algeria, Lebanon, Norway, Turkey, Sweden, France, the United States, Russia and other countries.
Delivery, "Infection", Espionage
The main method used by the Desert Falcons group to deliver its malicious payload was spear-phishing via email, messages on social networks and chat messages. The phishing messages contained malicious files (or links to malicious files) impersonating legitimate documents or applications. The Desert Falcons team uses various techniques to lure its victims and make them execute the malicious files. One of the most characteristic techniques used by the group is the so-called "Right-to-Left Override".
This technique takes advantage of a special Unicode character that reverses the order of the characters that follow it in a file name, hiding a dangerous extension in the middle of the name and placing a fake, harmless-looking extension near the end of the file name. Using this technique, malicious (.exe, .scr) files look like a harmless PDF document or similar file, and even cautious users with good technical knowledge can be tricked into running them. For example, a file whose name ends in ".Fdp.scr" would be displayed as ending in ".Rcs.pdf".
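The following check, added here as an illustration and not part of the Kaspersky Lab text, shows how a defender can flag file names that carry Unicode bidi control characters and compare the extension a user would see with the one the operating system actually uses. The sample file names are constructed; the rendering model is a simplification of real bidi layout.

```python
"""Flag Right-to-Left Override (RLO) tricks in file names (added example)."""
import os
import unicodedata

RLO = "\u202e"
# Unicode bidi control characters that can be abused to disguise an extension.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}


def displayed_name(name: str) -> str:
    """Approximate how a name renders when it contains U+202E: everything
    after the first RLO is shown reversed (simplified; a full bidi renderer
    also honours pop/isolate controls)."""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    return head + tail[::-1]


def real_extension(name: str) -> str:
    """Extension the OS uses: text after the last dot of the raw name,
    with bidi controls stripped so they cannot hide the dot."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return os.path.splitext(clean)[1].lower()


def check_filename(name: str) -> dict:
    """Return a verdict for one file name (constructed, not a real sample)."""
    controls = sorted({unicodedata.name(ch, "?") for ch in name if ch in BIDI_CONTROLS})
    shown = displayed_name(name)
    shown_ext = os.path.splitext(shown)[1].lower()
    real = real_extension(name)
    return {
        "name": name,
        "bidi_controls": controls,
        "displayed_as": shown,
        "displayed_extension": shown_ext,
        "real_extension": real,
        # Suspicious when a bidi control makes the visible extension differ from the real one.
        "suspicious": bool(controls) and shown_ext != real,
    }


if __name__ == "__main__":
    for n in ("report" + RLO + "fdp.scr", "invoice.pdf"):  # constructed names
        v = check_filename(n)
        print(f"{v['displayed_as']!r}: real {v['real_extension']} suspicious={v['suspicious']}")
```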
After successfully infecting a victim, Desert Falcons members use one of two different backdoors, either their main Trojan or the DHS Backdoor, both of which appear to have been developed from scratch and are under constant development. Kaspersky Lab specialists were able to identify more than 100 malware samples used by this group in its attacks.
The malicious tools used have full backdoor functionality. They can take screenshots, log keystrokes, upload or download files, collect information about all Word and Excel files on a victim's hard disk or connected USB devices, steal passwords stored in the system registry (Internet Explorer and Live Messenger) and make audio recordings. Kaspersky Lab experts were also able to find traces of activity of a piece of malware that appears to be an Android backdoor, capable of stealing call logs and SMS logs.
Using these tools, members of the Desert Falcons team created and managed at least three different malicious campaigns targeting different victims in different countries.
A "flock" on a covert hunt
Kaspersky Lab researchers estimate that at least 30 individuals, in three groups spread across different countries, are running the Desert Falcons malware campaigns.
"The people behind this organization are extremely determined, active, with good technical knowledge and good information on political and cultural issues. Using only phishing emails, social engineering techniques, and tools and backdoors developed by themselves, the members of the Desert Falcons team have been able to 'pollute' hundreds of major victims in the Middle East through their computers or their handheld devices, as well as decode sensitive data. We expect this campaign to continue to develop more Trojans and to use even more sophisticated techniques. With sufficient funding, they could acquire or develop exploits, which could increase the effectiveness of their attacks," said Dmitry Bestuzhev, a security expert and member of Kaspersky Lab's Global Research and Analysis Team.
Kaspersky Lab's products successfully detect and block the malware used by the Desert Falcons team.
More information about the campaign is available at Securelist.com.