A targeted, albeit relatively unsophisticated, cyberespionage campaign with servers based in Iran has targeted the Android mobile devices of users in Lebanon, Jordan, Egypt, Morocco, and Iran, according to a recent report from the Moscow-based Kaspersky Lab.
Following the publication of the report, an independent hacker dumped some of the data from the campaign on the internet; though other researchers have cast doubts on the authenticity of the data, the dump indicates that the operation only targeted 169 individuals.
The campaign, referred to as ZooPark by researchers, has been active since at least June 2015 and continued to operate as recently as May 12 of this year.
Researchers detected four versions of the operation, with each new version demonstrating an increasingly advanced set of capabilities. For example, the first version could only extract contact lists and “accounts registered to the victim’s device,” but by the fourth version the range of extractable data included SMS messages, browser data, GPS location, call log information, log-in credentials, two-factor authentication messages, information about installed third-party applications, audio recordings, and images.
The final version was so much more sophisticated that Kaspersky Lab researchers suggested it may not have been developed by the original operators, but purchased from a third-party vendor instead.
Kaspersky Lab researchers were not able to provide data about all of the targets, but they noted that the operation primarily targeted both Kurdistan Referendum supporters across the region and employees of the United Nations Relief and Work Agency for Palestinians in the Near East (UNRWA) in Jordan.
In an interview with Motherboard, the researchers stressed that individuals involved with international organizations were disproportionately affected by the operation.
Attack Vectors: Telegram and Watering Holes
The campaign targeted users through two distinct vectors: Telegram channels and “watering holes”. Watering holes are links to popular websites that have been infected with malware. When using Telegram, the actors behind the operation sent messages to channels containing a download link for a malware-infected copy of an application intended to poll users in the Iranian Kurdistan province.
Though the type of watering hole used in each iteration of the campaign varied, they all followed the same general process.
The operation hacked links of websites, often news sites popular in the Arab world, to redirect the target to download a fake application or image containing malware. In some cases, pages would automatically initiate a download; in other cases, users had to click on a specific application link or image to download.
The watering holes predominantly mimicked news sites, such as the Egyptian Al Nahar, al-Hayat, and potentially the Kuwaiti An-Nahar. The researchers could not confirm if a Kuwaiti An-Nahar webpage was breached, but they suspect it might have been because some targets downloaded a malware-infected replica of the newspaper’s mobile application. According to the report, the malware “mimics” various popular applications; however, these spyware-infected versions do not function in the same way as the authentic applications they mimic.
APT or LamePT: Exploring the Data
After the publication of the report, an independent hacker revealed to Motherboard that they were able to hack the operation using information from the report, insisting that ZooPark was not an APT (Advanced Persistent Threat) actor, but a “LamePT” because much of its code was unoriginal. Subsequently, the hacker dumped a chunk of the data from the campaign onto the internet in exchange for $1,000 in Bitcoin. As a result of this dump, researchers have learned more about the types of data obtained by the operation; however, the public availability of this data also stands to jeopardize the safety and privacy of campaign targets.
Although the hacker may have fabricated some of the leaked data, according to two researchers at the American computer security company McAfee, the data was found to contain over 100,000 audio files,almost 100,000 GPS locations, and an unspecified number of SMS messages.
The released audio files are primarily 8-minute recordings of “ambient conversations and daily activities,” as opposed to phone calls. Charles McFarland and Tim Hux, the two researchers, cast doubt on the authenticity of the SMS messages because some of the sample resembled random messages that are usually used in machine learning techniques for training SMS spam-filters. At the same time, some of the sample SMS messages were found to contain sensitive information, thereby potentially placing exposing targets to further risk.
If the entirety of the dump is authentic, the McAfee researchers concluded that the ZooPark campaign has “a significant footprint in Egypt.”
A Rise in Targeted Spyware Campaigns?
Most surprisingly, the dump suggests that ZooPark targeted just 169 unique victim numbers over a nearly three year period, suggesting that the campaign could have had precise targets or it could have experienced difficulty infecting targets’ devices with malware.
On the other hand, the Dark Caracal campaign, which operated over a six year period and targeted individuals both inside and outside of the Middle East and North Africa, infected at least 2,000 users with spyware. While it is hard to draw conclusions about the significance of this discrepancy without knowing the identity of either campaign’s targets or its operators, it is concerning that two spyware campaigns have been uncovered in the region within such a short time.
For advice on how to prevent your Android device from being infected with spyware, read the tips we released in the wake of the Dark Caracal report and EFF’s Surveillance Self-Defense Tutorial.