Today, Trend Micro publishes a research report on an ongoing malware campaign that targets Israeli victims and leverages network infrastructure in Germany. The campaign has strong attribution ties to Arab parties located in the Gaza Strip and elsewhere. We have uncovered two separate, but heavily interconnected campaigns:

- Operation Arid Viper: This is a highly targeted attack on high-value Israeli targets that links back to attackers located in Gaza, Palestine. The campaign's modus operandi involves using spear-phishing emails with an attachment containing malware disguised as a pornographic video. The attached malware carries out data exfiltration routines for a large cache of documents gathered from their victims' machines in a sort of "smash-and-grab" attack. The first related malware sample was seen in the middle of 2013.
- Operation Advtravel: This is a much less targeted attack with hundreds of victims in Egypt, whose infected systems appear to be personal laptops. This leads us to believe that the campaign is not as sophisticated as that of Operation Arid Viper. The attackers involved with Operation Advtravel can be traced back to Egypt.

However, what is perhaps even more interesting than either of the attacks on their own is that these two separate campaigns were so closely linked together:
- Both are hosted on the same servers in Germany
- The domains for both campaigns have been registered by the same individuals
- Both campaigns can be tied back to activity from Gaza, Palestine.
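The three links above are the classic infrastructure pivots a defender uses to tie otherwise separate campaigns to one actor: shared hosting servers and shared registrant identities. The following is an added example (not Trend Micro's code and not from the report) that implements that pivot generically: domain records are joined into a graph wherever two domains share a hosting IP or a registrant, and connected components of that graph are candidate "same operator" clusters. All domains, IPs and registrant addresses below are constructed placeholders, not indicators from the campaigns.

```python
"""Cluster domains into campaigns by shared infrastructure attributes.

Added illustration of infrastructure pivoting: domains that share a hosting
server or a registrant identity are linked, and connected components of that
link graph are candidate "same actor" clusters (e.g. two campaigns that turn
out to sit on one operator's servers).
"""
from collections import defaultdict

# Constructed sample records (placeholder values, not real indicators):
# (domain, hosting_ip, registrant_email)
SAMPLE_RECORDS = [
    ("campaign-a-1.example", "203.0.113.10", "reg-one@example.net"),
    ("campaign-a-2.example", "203.0.113.10", "reg-one@example.net"),
    ("campaign-b-1.example", "203.0.113.11", "reg-one@example.net"),
    ("campaign-b-2.example", "203.0.113.11", "reg-two@example.net"),
    ("unrelated.example", "198.51.100.5", "reg-three@example.net"),
]


def build_links(records):
    """Return adjacency: domain -> set of domains sharing an IP or registrant."""
    by_ip = defaultdict(set)
    by_registrant = defaultdict(set)
    for domain, ip, registrant in records:
        by_ip[ip].add(domain)
        by_registrant[registrant].add(domain)

    adj = {domain: set() for domain, _, _ in records}
    # Every domain in a shared-IP or shared-registrant group links to the
    # other members of that group.
    for group in list(by_ip.values()) + list(by_registrant.values()):
        for d in group:
            adj[d] |= group - {d}
    return adj


def cluster_domains(records):
    """Connected components over the shared-infrastructure graph.

    Returns a sorted list of sorted domain lists, so output is deterministic.
    """
    adj = build_links(records)
    seen = set()
    clusters = []
    for start in adj:
        if start in seen:
            continue
        stack = [start]
        component = set()
        while stack:  # iterative depth-first search
            d = stack.pop()
            if d in seen:
                continue
            seen.add(d)
            component.add(d)
            stack.extend(adj[d] - seen)
        clusters.append(sorted(component))
    return sorted(clusters)


def shared_attributes(records, domain_a, domain_b):
    """List which attributes ("hosting_ip", "registrant") two domains share."""
    rec = {d: (ip, r) for d, ip, r in records}
    ip_a, reg_a = rec[domain_a]
    ip_b, reg_b = rec[domain_b]
    shared = []
    if ip_a == ip_b:
        shared.append("hosting_ip")
    if reg_a == reg_b:
        shared.append("registrant")
    return shared


if __name__ == "__main__":
    for cluster in cluster_domains(SAMPLE_RECORDS):
        print(cluster)
```

In the constructed data the two "campaign-b" domains sit on a different server from the "campaign-a" domains, but `campaign-b-1.example` shares a registrant with them, which is enough to pull all four into one cluster while `unrelated.example` stays alone. In practice the same join is run over passive-DNS and WHOIS history rather than a static list, and each shared attribute is weighted by how common it is (a shared bulk hosting provider is weak evidence; a shared private registrant email is strong).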