APT group targeting organizations in Palestinian territories, researchers say
A state-backed group believed to be operating out of the Palestinian territories targeted local organizations in a campaign that began in September 2022 and lasted until at least February 2023.
Researchers from Symantec have been tracking a cyber-espionage group they call “Mantis” but is also referred to as “Arid Viper.” The group has been active since at least 2014 and has been known to target organizations in Israel and several other Middle Eastern countries.
Brigid O Gorman, a senior intelligence analyst with Symantec’s Threat Hunter Team, told Recorded Future News that the campaign did not target human rights organizations or government bodies but could not offer more information about who the victims were.
“This attack campaign had all the hallmarks of cyber-espionage activity. Mantis is known to have launched cyber-espionage campaigns in the past, and in this campaign we see them deploying a custom data exfiltration tool to exfiltrate data from victim networks, alongside the updated versions of their custom Arid Gopher and Micropsia backdoors, so all signs point towards this being espionage activity,” she said.
O Gorman said that while it might be unusual to see a Palestinian-based group go after Palestinian targets, it isn’t unprecedented and APT groups often target victims in their own countries.
“This targeting is not unprecedented for Mantis itself and Symantec previously uncovered attacks against individuals located in the Palestinian territories during 2017,” she said.
The group “is continuing to mount attacks, deploying a refreshed toolset and going to great lengths to maintain a persistent presence on targeted networks,” the researchers said in a report released Tuesday.
“The group is known for employing spear-phishing emails and fake social media profiles to lure targets into installing malware on their devices,” they wrote. “While other vendors have linked the group to Hamas, Symantec cannot make a definitive attribution to any Palestinian organization.”
The group has in the past targeted a wide range of organizations connected to governments, militaries and companies in the financial, media, education and energy sectors.
Symantec said in the latest attacks on Palestinian organizations, the group used updated versions of tools it has previously deployed that enabled “extensive credential theft and exfiltration of stolen data.”
One thing that stood out to O Gorman was a case where a compromised organization found the attackers deploying three different versions of the same tools on three different groups of computers. The tactics show the group “is pretty dedicated,” she said, noting that it was an example of the steps the group takes to maintain persistence on victim machines.
“They're effectively mounting three separate attacks against one organization,” she said. “Compartmentalizing the attack in this fashion was likely a precautionary measure. If one toolset was discovered, the attackers would still have a persistent presence on the target’s network,” the researchers wrote.
The first evidence of activity was on December 18, when the threat actors first started their attack. The next day, the hackers used a tool to steal credentials before downloading a backdoor and upgrading their access to the organization’s network.
Throughout December and January, the group installed other backdoors and tools to expand their access to data, and more.
The group deployed the Arid Gopher malware, which they appear to regularly update and rewrite in order to evade detection. One version of the malware was vastly different from previous versions, meaning the hackers are spending significant amounts of time to update their tools.
“Mantis appears to be a determined adversary, willing to put time and effort into maximizing its chances of success, as evidenced by extensive malware rewriting and its decision to compartmentalize attacks against single organizations into multiple separate strands to reduce the chances of the entire operation being detected,” the researchers said.
Mantis was previously spotlighted by security experts at Facebook, who in 2021 disrupted the activities of the group after it abused the platform to infect users with malware.
In a 40-page report detailing the group's activity, Facebook said it tracked Arid Viper abusing its platform as far back as August 2019. Facebook also said the group used advanced malware and was capable of attacking users across Windows, iOS, and Android environments.
Facebook added that the campaign targeted the Palestinian community, but also individuals living in Syria, Turkey, Iraq, Lebanon, and Libya. In total, Facebook said it identified 10 Android malware strains, two iOS malware hashes, eight desktop malware strains, and 179 domains used by Arid Viper in attacks that were carried out via Facebook accounts and other services.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.