A new campaign using the Kasperagent malware was deployed during recent Palestinian Authority elections, according to a report from ThreatConnect. The perpetrator and exact targets remain unclear. Tactics included malware-laced fake news websites and spearphishing messages with content on political tensions and an alleged Israeli assassination in Gaza, as well as the use of infrastructure with Gaza-based registrants.
“We don’t know for sure who is responsible for this campaign,” the researchers wrote, “but digging into the passive DNS results led us to some breadcrumbs” from the command and control infrastructure running the operation.
Discovered in 2016 by Palo Alto Networks, Kasperagent aims at Microsoft Windows systems and has been used on targets in the United States, Israel, Palestinian Territories and Egypt. This latest campaign represents a new variant of the malware that’s been used across the Middle East.
The new campaign coincides with and exploits rising political tension in Gaza and the West Bank during the run-up to elections there last month. Decoy documents that look like official government secrets suggest the targets could be government employees or contractors, according to ThreatConnect.
Attackers use shortened URLs in spearphishing messages and on fake news sites to direct victims to download the payload. Kasperagent provides a beachhead through which the attackers can spy on targets to varying degrees, including stealing passwords, taking screenshots, logging keystrokes and stealing files.
When Palo Alto Networks initially found Kasperagent in 2016, they also discovered Micropsia, another family of Microsoft Windows malware detected across the Middle East.
In April this year, ThreatConnect came across a malicious file titled “التفاصيل الكاملة لأغتيال فقهاء.r24”, which translates to “The Complete Details of Fuqaha’s Assassination.” Mazen Fuqaha, a commander of the military wing of the Islamist Hamas movement, was assassinated by unknown assailants on March 24, 2017. The file connects to a domain already identified by Palo Alto Networks as being used by Kasperagent.
Several weaponized files used in the campaign claim to be “very secret” documents from the Palestinian Authority addressing political issues like Fuqaha’s death and a supposed ban on Fatah, a more secular Palestinian political party that opposes Hamas.
Investigating the campaign’s infrastructure, ThreatConnect found two domains registered to a freelance web developer in Gaza, Palestine. However, there is nothing definitive to suggest attribution at this point.
“Just like we can’t make a definitive determination as to who conducted this campaign, we do not know for sure who it was intended to target,” the researchers explained. “What we do know is that several of the malicious files were submitted to a public malware analysis site from the Palestinian Territories. This tells us that it is possible either the threat actors or at least one of the targets is located in that area.”