Prominent people from the Israeli government are targeted with social engineering attacks aimed at stealing sensitive data from their devices.
Researchers at Cybereason noted this as ‘Operation Bearded Barbie’, run by AridViper, an APT predominantly active in the Middle East. This campaign lures targets with fake social media accounts and installs spyware tools on their devices, for sniffing and exfiltrating important data.
Operation Bearded Barbie Targeting Israel Officials
AridViper, also Desert Falcon, APT-C-23, or Two-tailed Scorpion, is a politically-driven APT seen mostly rising from the Middle East. With spear-phishing as its major weapon, AridViper targeted Palestinian law enforcement, military, and educational establishments in past.
Now, it’s active once again with a new campaign called Operation Bearded Barbie, as noted by Cybereason’s Nocturnus researchers. As per them, the campaign is carefully crafted to target officials from Israel’s defense, law enforcement, and emergency service sectors.
Luring With Catfish Accounts
Based on social engineering, it starts with a fake Facebook social media account contacting the target, and enticing them to download Trojanized message apps. Appearing as young women, the catfish accounts will then convince the target to move onto WhatsApp, and then to a more ‘discrete’ messaging service.
And at last, they ask the target to open and install a malicious .RAR archive luring it as some sexual video! When did, this opens up Barb(ie) Downloader a tool used for installing the BarbWire Backdoor, which performs several checks and invites yet another malicious tool into the device.
Before proceeding, the BarbWire Backdoor scans for VMs, sandboxes, antivirus tools, etc, and even collects and sends basic details like OS information to hackers C2. This process remains mostly undetected, due to its high levels of obfuscation by using strong encryption, API hashing, and process protection.
This malware backdoor is capable of various surveillance functions like keylogging, screen capturing, audio eavesdropping & recording. Also, it’s capable of creating scheduled tasks, encrypting content, downloading additional malware payloads, and exfiltrating data.
Researchers also spotted another variant called VolatileVenom – an Android malware aimed at surveillance and theft from target’s Android devices. It’s capable of recording calls, using the microphone and audio functions, read messages and notifications of social apps like WhatsApp, Facebook, Telegram, Instagram, Skype, IMO, and Viber.
Also, it can extract call logs, check contact lists, steal SMS messages, and files, use the camera to take photos, alter WiFi connections, and download desired files to the device.