Arid Viper Hacking Group Uses Enhanced Malware in Middle East Cyber Attacks
The threat actor known as Arid Viper has been observed using a new variant of its malware suite in attacks targeting Palestinian entities since September 2022.
Symantec, which tracks the group under the insect-themed moniker Mantis, said adversaries “go to great lengths to maintain a persistent presence in targeted networks.”
Also known by the names APT-C-23 and Desert Falcon, the hacking group has been linked to attacks aimed at Palestine and the Middle East since at least 2014.
Mantis has used its own arsenal of malware tools, such as ViperRat, FrozenCell (aka VolatileVenom), and Micropsia, to execute and conceal its campaigns on Windows, Android, and iOS platforms.
The threat actors are believed to be native Arabic speakers based in Palestine, Egypt, and Turkey, according to a report published by Kaspersky in February 2015. Previous public reports have also tied the group to Hamas’ cyber warfare division.
In April 2022, high-profile Israelis working in sensitive defense, law enforcement, and emergency services organizations were observed being targeted with a new Windows backdoor dubbed BarbWire.
Attack chains mounted by the group typically use spear-phishing emails and fake social media credentials to lure targets into installing malware on their devices.
The latest attacks detailed by Symantec involve the use of an updated version of its Micropsia implant and its custom Arid Gopher malware to penetrate a target before engaging in credential theft and exfiltration of stolen data.
Arid Gopher, an executable written in the Go programming language, is a variant of the Micropsia malware previously documented by Deep Instinct in March 2022. The shift to Go is not uncommon, as it allows malware to stay under the radar.
Micropsia, in addition to its ability to launch secondary payloads (such as Arid Gopher), is also designed to log keystrokes, take screenshots, and store Microsoft Office files in RAR archives for exfiltration using bespoke Python-based tools.
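The collection behaviour described above (Office documents gathered, then packed into a RAR archive before exfiltration) is the kind of pattern a defender can hunt for in endpoint file telemetry. The following Python script is an added example, not code from Symantec's or Deep Instinct's reporting and not a signature for Micropsia: it runs a simple staging heuristic over constructed, hypothetical JSON-lines file events, flagging any process that reads several Office files and then creates a RAR archive within a short window. The log format, field names, and sample paths are all assumptions made for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions of interest: the document types named as collection targets, and the archive format used for staging.
OFFICE_EXT = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}
ARCHIVE_EXT = {".rar"}

# Constructed sample telemetry (hypothetical JSON-lines file-event feed; not from any real sensor or incident).
# Process 4120 reads three Office files and then writes a RAR archive to Temp; 880 is ordinary WinRAR use on a photo.
SAMPLE_LOG = r"""
{"ts": "2023-01-05T09:12:01", "host": "WS-17", "pid": 4120, "image": "C:\\Users\\alice\\AppData\\Roaming\\updater.exe", "op": "read", "path": "C:\\Users\\alice\\Documents\\budget.xlsx"}
{"ts": "2023-01-05T09:12:02", "host": "WS-17", "pid": 4120, "image": "C:\\Users\\alice\\AppData\\Roaming\\updater.exe", "op": "read", "path": "C:\\Users\\alice\\Documents\\plan.docx"}
{"ts": "2023-01-05T09:12:03", "host": "WS-17", "pid": 4120, "image": "C:\\Users\\alice\\AppData\\Roaming\\updater.exe", "op": "read", "path": "C:\\Users\\alice\\Documents\\deck.pptx"}
{"ts": "2023-01-05T09:12:09", "host": "WS-17", "pid": 4120, "image": "C:\\Users\\alice\\AppData\\Roaming\\updater.exe", "op": "create", "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\a1.rar"}
{"ts": "2023-01-05T10:40:00", "host": "WS-17", "pid": 880, "image": "C:\\Program Files\\WinRAR\\WinRAR.exe", "op": "read", "path": "C:\\Users\\alice\\Pictures\\trip.jpg"}
{"ts": "2023-01-05T10:40:05", "host": "WS-17", "pid": 880, "image": "C:\\Program Files\\WinRAR\\WinRAR.exe", "op": "create", "path": "C:\\Users\\alice\\Pictures\\trip.rar"}
{"ts": "2023-01-05T11:00:00", "host": "WS-17", "pid": 2210, "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "op": "read", "path": "C:\\Users\\alice\\Documents\\memo.docx"}
"""


def parse_events(text):
    """Parse one JSON object per non-empty line into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ext(path):
    """Lower-cased file extension including the dot, or '' if there is none."""
    dot = path.rfind(".")
    return path[dot:].lower() if dot != -1 else ""


def find_staging(events, window_seconds=300, min_office_reads=3):
    """Return one hit per RAR archive created by a process that read at least
    `min_office_reads` Office files during the preceding `window_seconds`."""
    reads = defaultdict(list)  # (host, pid) -> [(timestamp, path), ...] of Office reads
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 strings sort chronologically
        key = (ev["host"], ev["pid"])
        ts = datetime.fromisoformat(ev["ts"])
        ext = _ext(ev["path"])
        if ev["op"] == "read" and ext in OFFICE_EXT:
            reads[key].append((ts, ev["path"]))
        elif ev["op"] == "create" and ext in ARCHIVE_EXT:
            recent = [p for t, p in reads[key] if ts - t <= timedelta(seconds=window_seconds)]
            if len(recent) >= min_office_reads:
                hits.append({
                    "host": ev["host"],
                    "pid": ev["pid"],
                    "image": ev["image"],
                    "archive": ev["path"],
                    "sources": recent,
                })
    return hits


def run_demo():
    """Run the heuristic over the constructed sample and print any hits."""
    hits = find_staging(parse_events(SAMPLE_LOG))
    for h in hits:
        print(f"[staging?] {h['host']} pid={h['pid']} {h['image']} -> {h['archive']} "
              f"after reading {len(h['sources'])} Office files")
    return hits


if __name__ == "__main__":
    run_demo()
```

On the sample feed only process 4120 is flagged; the interactive WinRAR use and the Word process reading a single document fall below the threshold. The window and minimum-read count are tuning knobs: a real deployment would also key on the creating image's location (an archiver running from a user's roaming profile is more suspicious than one from Program Files) and correlate the archive path with subsequent network activity.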
“Arid Gopher, like its predecessor Micropsia, is info-stealing malware, whose goal is to establish a foothold, gather sensitive system information, and send it back to a C2 (command-and-control) network,” Deep Instinct said at the time.
Evidence gathered by Symantec indicates that Mantis went on to deploy three different versions of Micropsia and Arid Gopher on three sets of workstations between December 18, 2022 and January 12, 2023, as a means of maintaining access.
Arid Gopher, for its part, has received regular updates and complete code rewrites, with the attackers “aggressively mutating logic between variants” as a detection evasion mechanism.
“Mantis appears to be a staunch adversary, willing to put in the time and effort to maximize its chances of success, as evidenced by its extensive malware rewrites and its decision to group attacks against single organizations into separate threads to reduce the likelihood of the entire operation being detected,” Symantec concluded.