New Group of Cyber-Espionage Targets Syrian Rebels

Researchers of Citizen Lab revealed a new cyber-espionage group (Group5) operating by using infrastructure based in Iran and targeting Syrian rebels since late 2015. Researchers called this APT Group5 as they have discovered cyber-espionage crew five times targeting Syrian rebels after the Syrian Electronic Army, a Lebanon-linked group, ISIS-linked hackers and the Assad regime itself.

The researchers call this operation as Group5 and it was first discovered when Noura Al-Ameer, opposition politician of Syria, received e-mails from the "Assad Crimes", which is a fictitious group. Group5 combines "just enough" technical sophistication to evade antivirus and well-developed frauds, similar to several operations reported before.

The researchers managed to gain access to one website namely assadcrimes[.]info, through which the group mainly operated. The victims were lured to download malicious Windows and Android applications containing RATs (Remote Access Trojans) by this website. Group5 used the NanoCore and njRat malware to target Windows users and the DroidJack RAT to target Android devices.

Going down the rabbit hole, researchers of Citizen Lab found the Group5 infrastructure, wholly hosted on the servers of Iranian ISPs. Group5 used spear-phishing emails to spread files laced with malware and connects to malicious websites where targets were exposed to drive-by downloads which infected their computer with malware or tried to trick users in installing the malware themselves.

The hackers seem to have made some mistakes in Al-Ameer's case. But Scott-Railton said that those who target dispersed opposition activists of Syria, are sophisticated just as required to be. Several groups operating in the area, including the pro-Assad Syrian Electronic Army, have used very simple tools and continuous fraud to repeatedly compromise savvier targets.

Citizen Lab claims that Group5 could be related to Infy, an APT activating from Iran's borders on the basis of deployment of TTPs (Tactics, Techniques and Procedures) by the group.

Security researchers also said that they have found Persian language texts in malware's code, besides utilizing infrastructure hosted in Iran and references to Mr. Tekide, a malware developer of Iran.

Citizen Lab says: "we cannot conclude with certainty that Group5 is Iran-based, although the confluence of information outlined above provides a circumstantial case".

» SPAMfighter News - 8/9/2016