Researchers have uncovered the activities of a new cyberespionage group which has launched an advanced malware operation targeting Syrian dissidents. The hackers associated with the group are likely to be state-sponsored and have been linked with Iran. The campaign's infrastructure was found to be hosted entirely on the servers of Iranian ISPs (Internet Service Providers).
Citizen Lab researchers dubbed the APT (Advanced Persistent Threat) group Group5, as it was the fifth cyberespionage group uncovered targeting Syrian dissidents. The others identified so far include the Syrian Electronic Army, ISIS-linked hackers, hacker groups linked to the Assad regime and a Lebanon-linked group.
"The operators use a range of techniques to target Windows computers and Android phones with the apparent goal of penetrating the computers of well-connected individuals in the Syrian opposition," Citizen Lab said. "Our analysis indicates that Group5 is likely a new entrant in Syria, and we outline the circumstantial evidence pointing to an Iranian nexus. We do not conclusively attribute Group5 to a sponsor, although we suspect the interests of a state are present, in some form."
Malware and RATs
Citizen Lab said that it first spotted Group5 after Noura Al-Ameer, former vice-president of the opposition Syrian National Council (SNC), received a suspicious email, which was later found to be part of a spear-phishing campaign delivering malware.
"When Syrian opposition figure Noura Al-Ameer sensed something wrong and refrained from clicking, she frustrated a reasonably well put together deception. We suspect she may have been targeted in order to steal her digital identity for the purposes of mounting a larger campaign," Citizen Lab said.
Group5 primarily operated via one malicious website (assadcrimes.info), which was used to hoodwink victims into installing Android and Windows applications containing RATs (Remote Access Trojans). The attackers were found using the njRat and NanoCore malware to target Windows users, while Android users were targeted with the DroidJack RAT. "The RATs also enable the operator to remotely delete files, and spy on the computer user via the microphone or webcam," the firm added.
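For a defender, the practical takeaway from a report like this is the infrastructure indicator: a single delivery domain that can be swept for in proxy or DNS logs. The script below is an added example, not code from the article or from Citizen Lab. It takes the two hostnames the article names (assadcrimes.info and the defanged crypter[.]ir), refangs them into matchable form, and scans constructed sample proxy log lines for exact or subdomain matches, deliberately rejecting look-alike substrings such as notassadcrimes.info. The log format and the client addresses are assumptions made for the example.

```python
"""IOC sweep over proxy logs for the infrastructure named in the article (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators taken from the article, kept defanged as threat reports usually publish them.
DEFANGED_IOCS = ["assadcrimes[.]info", "hxxp://crypter[.]ir"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator or URL into a bare, lower-cased hostname."""
    s = indicator.strip().lower()
    s = re.sub(r"^hxxps?://", "", s)
    s = re.sub(r"^https?://", "", s)
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    host = s.split("/")[0]        # drop any path
    return host.split(":")[0]     # drop any port


def defang(host: str) -> str:
    """Re-defang a hostname so a report or ticket cannot be clicked by accident."""
    return host.replace(".", "[.]")


def host_matches(host: str, ioc_host: str) -> bool:
    """Exact or subdomain match only: www.assadcrimes.info hits, notassadcrimes.info does not."""
    host = host.lower().rstrip(".")
    return host == ioc_host or host.endswith("." + ioc_host)


@dataclass
class Hit:
    line_no: int
    client: str
    host: str
    ioc: str  # reported defanged


# Constructed sample proxy log lines (assumed format: timestamp client method url status).
SAMPLE_LOG = """\
2016-07-20T09:12:01Z 10.1.4.22 GET http://assadcrimes.info/download/update.apk 200
2016-07-20T09:12:05Z 10.1.4.22 GET http://www.assadcrimes.info/images/logo.png 200
2016-07-20T09:13:44Z 10.1.4.31 GET https://example.org/news 200
2016-07-20T09:14:10Z 10.1.4.31 GET http://notassadcrimes.info/ 404
2016-07-20T09:15:02Z 10.1.4.57 GET http://crypter.ir:8080/shop 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def sweep(log_text: str, defanged_iocs: list[str] = DEFANGED_IOCS) -> list[Hit]:
    """Return one Hit per log line whose requested host matches a known indicator."""
    ioc_hosts = [refang(i) for i in defanged_iocs]
    hits: list[Hit] = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, client, _method, url, _status = m.groups()
        host = refang(url)  # same normalisation as for the indicators
        for ioc in ioc_hosts:
            if host_matches(host, ioc):
                hits.append(Hit(n, client, host, defang(ioc)))
                break
    return hits


if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.client} -> {hit.host} (matches {hit.ioc})")
```

Matching on the hostname rather than the raw URL string is what keeps the sweep from firing on every domain that merely contains the indicator; the subdomain rule is what keeps it from missing a redirect through www. or a download host under the same apex.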
Group5 linked to Iran-based malware developer
Based on the analysis of Group5's activities and techniques, Citizen Lab noted that there were several similarities with another Iran-linked cyberespionage group called "Infy". "One interesting direction for further investigation came from analysis of the tool used to obfuscate the RATs, which yielded a number of interesting connections to known threat actors and tools. Notably, the PAC Crypt tool, and Mr. Tekide, the alias of an Iranian malware developer," the firm added.
According to Citizen Lab, Mr. Tekide is the pseudonym used by an Iranian malware developer who also runs a hacking forum site (http://crypter[.]ir), which doubles as an online shop offering various "hacking tools and services".
"We believe that the most compelling explanation of Group5's activities is that a group in Iran may be attempting to compromise the communications of the opposition. The circumstantial evidence pointing to an Iranian group is unsurprising, given Iran's active military engagement in Syria, and the sympathies of many in that country for the Assad regime. However, mindful of the limits of our investigation, we stop short of conclusive statements of attribution about the identity of the operators, or their possible sponsors," Citizen Lab concluded.