Threat Group Uses Voice Changing Software in Espionage Attempt
Updated: Apr 8
Today we are releasing a report detailing the activities of a Middle Eastern cyber espionage group that performs surveillance on their political opponents.
To execute this operation, the group employs well-known social engineering methods. One is to send spear phishing emails with topics of interest to the targets - for example an invitation to a meeting. Another is to set up websites that impersonate news organisations and convince targets to download “articles”.
The third method is to ensnare their victims through conversations. As the conversations continue, the “women” offer up a “video” - laden with malware to infect the target’s system.
In a more modern twist, however, we found evidence of the group using voice changing software to enhance their operation. Below we analyse their toolset, which also includes tools to perform reconnaissance of targets and bulk-deliver malware to them.
Earlier in 2020 we reviewed a server previously identified as serving malware in targeted attacks. Those behind the attacks had misconfigured the server, which made their attack toolset publicly available.
The attack toolset included:
Malware used for espionage against political opponents;
Tools to identify vulnerable routers;
A voice changing application;
Custom tooling to use compromised email accounts to send phishing emails; and
Phishing code for webmail logins
The wider set of activity involved in the campaign we analyse below was previously described by Chinese Anti-Virus companies 360 Antivirus and Rising. Following on from other recent reporting, we refer to the attackers as APT-C-23.
Whilst there are a number of overlapping groups and members in the region, APT-C-23 are part of a larger group known as “Molerats” and are mostly located in Palestine. They have been reported on by the cyber-security industry as far back as 2012. Generally Molerats target political parties in Palestine and the Israeli government - but they also occasionally target Western Governments. They are perhaps best known for their alleged office being targeted by the IDF in 2019.
Others have already reported in detail on the malware that communicates with the server, so we will be brief. There are a number of different families of malware but most start with a self-extracting RAR archive. The archives execute MSHTA/VBScript downloaders used to install the commodity H-Worm backdoor. The filenames and decoy documents are mostly themed around Palestinian politics. We have included a sample of them in the Appendix.
The file اجتماع لجنة الانتخابات – إقليم الشمال .exe (Election Commission Meeting - Northern Territory .exe) at http://192.119.111[.]4/xx/dv
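The chain described above (a self-extracting archive that launches an MSHTA or VBScript downloader) leaves a recognisable parent/child pattern in process-creation logs. The following is an added detection sketch, not code from the report or the attackers' toolset; it assumes Sysmon-style fields (Image, ParentImage, CommandLine), and every event, path and hostname in it is constructed.

```python
import re
from pathlib import PureWindowsPath

# Script hosts matching the report's "MSHTA/VBScript downloaders".
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# Assumption: user-writable locations a mailed or downloaded archive runs from.
USER_PATH = re.compile(r"\\(users|programdata|windows\\temp)\\", re.I)
# A script host handed a URL or an inline script rather than a local file.
REMOTE_OR_INLINE = re.compile(r"https?://|vbscript:|javascript:", re.I)

def reasons_for(ev):
    """Return why one process-creation event resembles the chain (empty if not)."""
    if PureWindowsPath(ev["Image"]).name.lower() not in SCRIPT_HOSTS:
        return []
    reasons = []
    if USER_PATH.search(ev["ParentImage"]):
        reasons.append("parent executable runs from a user-writable path")
    if REMOTE_OR_INLINE.search(ev["CommandLine"]):
        reasons.append("script host was handed a URL or inline script")
    return reasons

# Constructed sample events; none of these values come from the report.
EVENTS = [
    {"ParentImage": r"C:\Users\user1\Downloads\meeting-invite.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://downloads.example.invalid/a.hta"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Scripts\logon.vbs"'},
    {"ParentImage": r"C:\Users\user1\Downloads\setup.exe",
     "Image": r"C:\Program Files\App\app.exe",
     "CommandLine": "app.exe"},
    {"ParentImage": r"C:\Users\user2\Desktop\report.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\user2\AppData\Local\Temp\u.vbs"'},
]

def flagged(events):
    """Return (index, reasons) for every event with at least one reason."""
    return [(i, r) for i, ev in enumerate(events) if (r := reasons_for(ev))]

if __name__ == "__main__":
    for index, why in flagged(EVENTS):
        print(index, EVENTS[index]["ParentImage"], "->", "; ".join(why))
```

Events that collect both reasons are the strongest match; a single reason on its own will also fire on some legitimate installers and needs triage.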
APT-C-23 are a medium-sophistication group of attackers. They generally rely upon social engineering to convince targets to install their malware.
They have previously been known to impersonate women and target victims on social media to lure them into installing malware.
An article from February 2020 describes how they convinced soldiers in the Israel Defence Forces to install malware. That included using pre-recorded messages in Hebrew saying “Yes” and “No” - presumably as their Hebrew skills were limited.
“Over the last few months militants, who run the Gaza Strip, have attempted to woo soldiers on social media platforms including Telegram, WhatsApp, Facebook and Instagram.
Using fake personas of attractive Israeli women, the militants behind the profiles claimed they were immigrants with hearing difficulties to explain why they could not speak on the phone, and why they were not fluent in Hebrew.
They also used Israeli slang in their communiques, doctored photos to prevent a reverse image search online and sent generic voice messages of women’s voices saying “yes” and “no” to further bolster credibility.
As soon as the apps were downloaded it gave Hamas complete control over the phone: including transferring files to the Hamas server, allowing access to the phone’s data, SMS messages, contacts, microphone and camera to remotely take pictures, Lt Col Conricus said.”
As well as not speaking Hebrew, it’s likely the attackers faced another problem impersonating women. A number of the people thought to be behind these attacks have previously been identified. All are men.
That may help to explain what we found in the folder “/up/uploads” on the public server:
Figure 3: The public directory on the server 192.119.111[.]4
The file “88.zip” contains photos from the Instagram account of a female model (we have blurred the photos).
The file “00.zip” contains the installation for MorphVox Pro, a voice changing application, including a serial key and voices pack:
Figure 4: Voice Changing application MorphVox Pro
The Serial Key is assigned to an “Ahmed [redacted]”.
Given the context of both previous APT-C-23 attacks and the other contents of the folder, we think the most likely explanation for MorphVox being part of their toolset is that it was used to produce audio messages in a female voice to encourage targets to install their malware.
Other analysts have reported on manipulated images being used to enable misinformation in the wider Israeli-Palestinian Conflict. And there have been previous reports of fraudsters using DeepFake audio impersonations. But this is the first time we’re aware of evidence, albeit indirect, of attackers using voice changing software to enable espionage.
Spearphish Delivery Tool
The server also provides information on how the attackers deliver their malware. The file recon.exe is used to bulk-send malicious phishing emails to targets.
The application provides advice on how to send the emails, such as the maximum number of messages that can be sent from each mail provider.
The source code for recon.exe shows that tracking images are also included in sent emails.
Another folder, called “zz”, included another interesting mix of tools:
The file PingIPs.exe is part of an attack toolset that we’ve seen previously. It was uploaded to VirusTotal from an IP address in Palestine. It includes a custom GUI and password list for SIPVicious - a tool to hack Voice over IP systems.
The folder “support” contained a credential phishing page for Microsoft accounts. It sends stolen credentials to https://www.hotmiali[.]com/master/login/login
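The domain in that URL differs from hotmail.com only by a swapped letter pair and one added letter, which is something proxy or DNS logs can be screened for. The following is an added example, not part of the original report: it measures optimal-string-alignment edit distance between an observed host and a brand list; the brand list and the distance threshold are assumptions to tune.

```python
from urllib.parse import urlsplit

# Assumption: webmail brands worth watching; extend for your own estate.
BRANDS = ["hotmail.com", "outlook.com", "live.com", "gmail.com", "yahoo.com"]

def osa_distance(a, b):
    """Edit distance where an adjacent transposition counts as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            # Transposition: current and previous characters are swapped.
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]

def host_of(indicator):
    """Refang '[.]' and 'hxxp', then return the lower-case host without 'www.'."""
    text = indicator.replace("[.]", ".").replace("hxxp", "http")
    if "://" not in text:
        text = "//" + text  # let urlsplit treat a bare host as a netloc
    host = (urlsplit(text).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def lookalike_of(indicator, max_distance=2):
    """Return (brand, distance) for the closest brand within range, else None."""
    host = host_of(indicator)
    best = min(((b, osa_distance(host, b)) for b in BRANDS), key=lambda x: x[1])
    # Distance 0 is the genuine brand domain, so it is not reported.
    return best if 0 < best[1] <= max_distance else None

# First entry is the URL quoted in the report; the others are constructed.
SAMPLES = [
    "https://www.hotmiali[.]com/master/login/login",
    "hotmail.com",
    "example.org",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", lookalike_of(sample))
```

Short, unrelated domains can also fall within two edits of a brand, so treat a hit as a lead for review rather than a verdict.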
Detection and Response
The malware described in this report is generally well detected by anti-virus, and we have provided indicators of compromise in the Appendix.
US-CERT provides advice on how to avoid falling victim to social engineering attacks. You should always be particularly suspicious of anyone you haven’t met asking you to download files, and avoid installing mobile applications that are not from the official Google or Apple stores.
About Cado Security
Cado Security specialises in providing tooling and techniques that allow organisations to threat hunt and investigate cloud and container systems.
Indicators of Compromise
Palestinian Status Assessment 2019.exe
(Served from https://drive.google[.]com/uc?export=download&id=1cZc93fSqdHXvUPJnSVfEsHiIE6gSoZx7 )