New Group of Cyber-Espionage Targets Syrian Rebels

Researchers at Citizen Lab have revealed a new cyber-espionage group (Group5) operating from infrastructure based in Iran and targeting Syrian rebels since late 2015. The researchers named this APT Group5 because it is the fifth cyber-espionage crew they have discovered targeting Syrian rebels, after the Syrian Electronic Army, a Lebanon-linked group, ISIS-linked hackers and the Assad regime itself.

The researchers call this operation Group5. It was first discovered when Noura Al-Ameer, a Syrian opposition politician, received e-mails from "Assad Crimes", a fictitious group. Group5 combines "just enough" technical sophistication to evade antivirus with well-developed deception, similar to several operations reported before.

The researchers managed to gain access to one website, assadcrimes[.]info, through which the group mainly operated. This website lured victims into downloading malicious Windows and Android applications containing RATs (Remote Access Trojans). Group5 used the NanoCore and njRat malware to target Windows users and the DroidJack RAT to target Android devices.

Going down the rabbit hole, Citizen Lab researchers found that the Group5 infrastructure was hosted wholly on the servers of Iranian ISPs. Group5 used spear-phishing e-mails to spread malware-laced files and links to malicious websites, where targets were exposed to drive-by downloads that infected their computers with malware, or were tricked into installing the malware themselves.

The hackers seem to have made some mistakes in Al-Ameer's case. But Scott-Railton said that those who target the dispersed opposition activists of Syria are only as sophisticated as they need to be. Several groups operating in the area, including the pro-Assad Syrian Electronic Army, have used very simple tools and persistent deception to repeatedly compromise savvier targets.

Citizen Lab claims that Group5 could be related to Infy, an APT operating from within Iran's borders, on the basis of the TTPs (Tactics, Techniques and Procedures) deployed by the group.

Security researchers also said that, besides the use of infrastructure hosted in Iran, they found Persian-language text in the malware's code and references to Mr. Tekide, an Iranian malware developer.

Citizen Lab says: "we cannot conclude with certainty that Group5 is Iran-based, although the confluence of information outlined above provides a circumstantial case".

» SPAMfighter News - 8/9/2016
