Blog

Operation DustySky

By Clearsky

January 7, 2016

Threat actors

CaptureDustySky (called “NeD Worm” by its developer) is a multi-stage malware in use since May 2015. It is in use by the Molerats (aka Gaza cybergang), a politically motivated group whose main objective, we believe, is intelligence gathering.  Operating since 2012, the group’s activity has been reported by Norman [1], Kaspersky[2] [3], FireEye[4], and PwC[5].

This report revolves around a campaign that includes a new malware developed by a member of the group or on behalf of the group. Based on dozens of known attacks and the vast infrastructure in use – we estimate that a wave of targeted malicious email messages has been sent on a weekly basis.

These attacks are targeted, but not spear-phished. I.e., malicious email messages are sent to selected targets rather than random mass distribution, but are not tailored specifically to each and every target. Dozens of targets may receive the exact same message. The email message and the lure document are written in Hebrew, Arabic or English – depending on the target audience.

Targeted sectors include governmental and diplomatic institutions, including embassies; companies from the aerospace and defence Industries; financial institutions; journalists; software developers.

The attackers have been targeting software developers in general, using a fake website pretending to be a legitimate iOS management software, and linking to it in an online freelancing marketplace.

Most targets are from the Middle East: Israel, Egypt, Saudi Arabia, United Arab Emirates and Iraq. The United States and countries in Europe are targeted as well.

Read the full report: Operation DustySky
Indicators file: DusySky-indicators.xlsx  (DustySky indicators are tagged as such in PassiveTotal)

If you have been targeted with DustySky, or have questions about the report, please contact us at:
info[at]clearskysec.com

Also see “Operation DustySky Notes” by PassiveTotal for further discussion about the malicious infrastructure.

Acknowledgments

We would like to thank our colleagues for their ongoing information sharing and feedback, which have been crucial for this research: security researcher Infra; PassiveTotal analyst team; Tom Lancaster of PwC ;Team Cymru; Security researcher Sebastián García; Menachem Perlman of LightCyber; Other security researchers who wish to remain anonymous.

[1] https://github.com/kbandla/APTnotes/blob/master/2012/Cyberattack_against_Israeli_and_Palestinian_targets.pdf

[2] http://www.seculert.com/blog/2014/01/xtreme-rat-strikes-israeli-organizations-again.html

[3] https://securelist.com/blog/research/72283/gaza-cybergang-wheres-your-ir-team

[4] https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html

[5] http://pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html