Kasperagent malware used in a new campaign leveraging Palestine-Themed decoy files
18.6.2017 securityaffairs
APT

Researchers uncovered a new cyber espionage campaign involving the Kasperagent spyware delivered with Palestine-Themed decoy files.
In March, experts at security firm Qihoo 360 have spotted a cyber espionage campaign conducted by a threat actor tracked as APT-C-23 and Two-Tailed Scorpion.

A few weeks later, in April, researchers at Palo Alto Networks and ClearSky also shared the results of their investigation on the group.

The APT-C-23 group leverages Windows malware dubbed Kasperagent and Micropsia, and Android malware called SecureUpdate and Vamp in cyber attacks aimed mainly at Palestine. Victims of the group were also located in Israel, Egypt and the United States.

Malware experts at threat intelligence firm ThreatConnect have recently discovered tens of sample of the Kasperagent malware that had been compiled in April and May.

These samples dropped various decoy files associated with the Palestinian Authority tha is the body that governs the Palestinian Territories in the Middle East.

The documents are designed to appear as legitimate and most of them are publicly available on news websites or social media.

To trick victims into opening the documents, attackers used subjects such as the assassination of Hamas military leader Mazen Fuqaha, and banning of the Palestinian political party Fatah from Gaza.

“The first document – dated April 10, 2017 – is marked “Very Secret” and addressed to Yahya Al-Sinwar, who Hamas elected as its leader in Gaza in February 2017. Like the photo displayed in the first decoy file we found, this document references the death of Mazen Fuqaha. The Arabic-language text and English translation of the document are available in ThreatConnect here.” reads the analysis published by ThreatConnect.

kasperagent malware campaign

Crooks used the Kasperagent malware as a reconnaissance tool and downloader, anyway recent samples detected by the experts include additional capabilities, such as password stealing from browsers, taking screenshots and logging keystroke.

“However, some of the recently identified files display “extended-capability” including the functionality to steal passwords, take screenshots, log keystrokes, and steal files. These “extended-capability” samples called out to an additional command and control domain, stikerscloud[.]com.” continues the report. “Additionally, early variants of KASPERAGENT used “Chrome” as the user agent, while more recent samples use “OPAERA” – a possible misspelling of the “Opera” – browser. The indicators associated with the blog article are available in the ThreatConnect Technical Blogs and Reports source here.”

The APT-C-23 group used the same malware in the campaigns analyzed by ThreatConnect and Palo Alto Networks and ClearSky, anyway the command and control (C&C) servers were different.

ThreatConnect observed that malware used in the recent campaign was hosted on the IP address 195.154.110[.]237 that stored four domains, two of which (upfile2box[.]com and 7aga[.]net) registered by a freelance web developer from Gaza.

The researchers believe that the threat actors and at least one of the target is located in the Palestinian Territories. It is likely, the cyber espionage campaign may have been aimed at Hamas, Israel or the Fatah party.

“Just like we can’t make a definitive determination as to who conducted this campaign, we do not know for sure who it was intended to target. What we do know is that several of the malicious files were submitted to a public malware analysis site from the Palestinian Territories. This tells us that it is possible either the threat actors or at least one of the targets is located in that area,” concluded ThreatConnect.