Modus operandi: use fake Facebook identities of attractive women to lure the predominantly male targets.
Details of a new, elaborate cyber espionage campaign targeting prominent Israeli defense, law enforcement, and emergency services employees have been disclosed in a report by a cybersecurity investigations team.
According to the findings, Molerats, a politically motivated group operating on behalf of the terrorist organization Hamas, used sophisticated social engineering techniques in their attempts to extract sensitive information from the victims’ smart devices for espionage purposes.
Fake Facebook profiles were used to trick the targeted individuals into downloading trojanized Android and PC direct messaging applications, which then let the attackers gain access to the victims’ devices.
Furthermore, these fake Facebook profiles were regularly maintained and constantly interacting with Israeli citizens. The social engineering tactic used in this campaign relied primarily on classic catfishing, which involves the use of fake identities (usually attractive members of the opposite sex) to engage with individuals (mostly males) to gain their trust.
Key findings
The cyber espionage campaign used malware dubbed Barb(ie) Downloader and BarbWire Backdoor which are equipped with enhanced stealth and a focus on operational security. Dubbed Operation Bearded Barbie by the Cybereason team that discovered it, the campaign had the following characteristics:
- It used social engineering as the primary infection vector: Fake Facebook profiles were used to ‘catfish’ specific individuals.
- Revamped tools and a new playbook were deployed: Previouslyusedtools and techniques which had served Molerats for years and were known to be relatively unsophisticated tools had been revamped.
- Improved malware arsenal were deployed: Two previously undocumented malware in play, named after “barbs”—Barb(ie) Downloader and BarbWire Backdoor—now use an enhanced stealth mechanism to remain undetected.
Cybereason assesses with moderate-high confidence that the group behind the new campaign is APT-C-23, an Arabic-speaking, politically motivated group believed to be operating on behalf of Hamas.