ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar
February 2017 by Lookout
ViperRAT is an active, advanced persistent threat (APT) that sophisticated threat actors are actively using to target and spy on the Israeli Defense Force.
The threat actors behind the ViperRAT surveillanceware collect a significant amount of sensitive information off the device, and seem most interested in exfiltrating images and audio content. The attackers are also hijacking the device camera to take pictures.
Using data collected from the Lookout global sensor network, the Lookout research team gained unique visibility into the ViperRAT malware, including 11 new, unreported applications. We also discovered and analyzed live, misconfigured malicious command and control servers (C2), from which we identified how the attacker gets new, infected apps to secretly install and the types of activities they are monitoring. In addition, we uncovered the IMEIs of the targeted individuals (IMEIs will not be shared publicly for the privacy and safety of the victims) as well as the types of exfiltrated content.
In aggregate, the type of information stolen could let an attacker know where a person is, with whom they are associated (including contacts’ profile photos), the messages they are sending, the websites they visit and their search history, screenshots that reveal data from other apps on the device, the conversations they have in the presence of the device, and a myriad of images, including anything at which the device’s camera is pointed.
Lookout has determined ViperRAT is a very sophisticated threat that adds to the mounting evidence that targeted mobile attacks against governments and businesses are a real problem.
Lookout researchers have been tracking this threat for the last month. Given that this is an active threat, we’ve been working behind the scenes with our customers to ensure both personal and enterprise customers are protected from this threat, and only decided to come forward with this information after the research team at Kaspersky released a report earlier today.
Additionally, we have determined that though original reports of this story attribute this surveillanceware tool to Hamas, this may not be the case, as we demonstrate below.
The structure of the surveillanceware indicates it is very sophisticated. Analysis indicates there are currently two distinct variants of ViperRAT. The first variant is a “first stage application” that performs basic profiling of a device and, under certain conditions, attempts to download and install a much more comprehensive surveillanceware component, which is the second variant.
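A defender-side triage check built from the two-stage profile this paragraph describes (basic device profiling, broad data collection of the kinds listed earlier, and runtime installation of a second component), added here as an example; it is not Lookout’s tooling and not code from the report. The permission-to-capability mapping, the scoring thresholds, and both manifests are this example’s own assumptions and constructed inputs.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Capability buckets built from the data types described in the report:
# location, contacts, messages, audio, camera, plus network access and the
# ability to install a second component at runtime. The mapping of
# permissions to buckets is this example's assumption, not Lookout's.
CAPABILITIES = {
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "messages": {"android.permission.READ_SMS",
                 "android.permission.RECEIVE_SMS"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
    "network": {"android.permission.INTERNET"},
    "install_stage_two": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}
SURVEILLANCE_BUCKETS = {"location", "contacts", "messages", "audio", "camera"}


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission> names declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")
            if el.get(NAME_ATTR)}


def capability_profile(permissions):
    """Map declared permissions onto the capability buckets above."""
    return {bucket for bucket, needed in CAPABILITIES.items()
            if permissions & needed}


def triage(manifest_xml):
    """Score a manifest on how closely it matches a two-stage surveillance
    profile. 'high' means it can collect several data types, talk to the
    network, and install further code; 'medium' means broad collection
    with network access but no install capability; otherwise 'low'."""
    caps = capability_profile(declared_permissions(manifest_xml))
    collection = caps & SURVEILLANCE_BUCKETS
    can_reach_out = "network" in caps
    can_install = "install_stage_two" in caps
    if can_reach_out and can_install and len(collection) >= 3:
        verdict = "high"
    elif can_reach_out and len(collection) >= 3:
        verdict = "medium"
    else:
        verdict = "low"
    return {"verdict": verdict, "collection": sorted(collection),
            "installs_code": can_install, "network": can_reach_out}


# Constructed manifests for demonstration; neither is a ViperRAT sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("constructed", SAMPLE_MANIFEST),
                            ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

The install signal is deliberately treated as one input among several rather than a verdict on its own: an app can also hand an APK to the system installer through an intent without declaring the install permission, so a “low” result clears nothing by itself, and this check is meant to prioritise which apps get dynamic analysis, not to replace it.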
The actors behind ViperRAT seem to be particularly interested in image data. We identified that 8,929 files had been exfiltrated from compromised devices and that the overwhelming majority of these, 97 percent, were highly likely encrypted images taken using the device camera. We also observed automatically generated files on the C2, indicating the actor behind this campaign also issues commands to search for and exfiltrate PDF and Office documents. This should be highly alarming to any government agency or enterprise.
ViperRAT samples can communicate with C2 servers through an exposed API as well as websockets. Below is a collection of API methods with a brief description of their purpose.
Media reporting on ViperRAT thus far attributes this surveillanceware tool to Hamas. Israeli media published the first reports about the social networking and social engineering aspects of this campaign. However, it’s unclear whether organizations that later reported on ViperRAT performed their own independent research or simply based their content on the original Israeli report. Hamas is not widely known for having a sophisticated mobile capability, which makes it unlikely they are directly responsible for ViperRAT.
ViperRAT has been operational for quite some time, with what appears to be a test application that surfaced in late 2015. Many of the default strings in this application are in Arabic, including the name. It is unclear whether this means early samples were targeting Arabic speakers or if the developers behind it are fluent in Arabic.
This leads us to believe this is another actor.
All Lookout customers are protected from this threat. However, the existence of threats like ViperRAT and Pegasus, the most sophisticated piece of mobile surveillanceware we’ve seen to date, is evidence that attackers are targeting mobile devices.
Mobile devices are at the frontier of cyber espionage and other criminal activity. Enterprise and government employees all use these devices in their day-to-day work, which means IT and security leaders within these organizations must prioritize mobile in their security strategies.