Ideologically-motivated “hacktivist” actors can present a variety of threats to organizations from defacements, to denial of service attacks and sometimes even data compromise. Our analysts recently observed hacktivist actors themselves being targeted with malware.

We recently identified evidence indicative of a malware distribution campaign apparently intended to deploy remote access trojans (RAT) onto the machines of hacktivist actors engaged in supporting the 2017 iteration of OpIsrael. This yearly hacktivist campaign targets Israeli entities on April 7th. While monitoring for activity relating to OpIsrael, Digital Shadows (now ReliaQuest) identified a Twitter account sharing links to what were claimed to be two denial of service (DoS) tools – one for Windows and one for Android devices. The tweets encouraged users to download these tools in order to participate in OpIsrael and featured multiple hashtags used by this campaign, as well as Anonymous collective imagery.

OpIsrael Tool Tweet

Figure 1 – Tweet linking to purported “DDoS tools”. Details obfuscated for safety.

The Android app file (APK) for the purported Android tool was hosted on the file sharing site Sendspace, but the Windows tool was hosted on a page on what appeared to be a compromised website. This page featured further incitements to participate in OpIsrael and claimed to have been posted by Anonymous RedCult, an Anonymous affiliated group which on March 3, 2017 posted a video to YouTube declaring the intention to target Israeli Government sites in support of OpIsrael.

OpIsrael Tool Download

Figure 2 – Purported “DDoS” tool download page.

Hacktivists seeking to whip up support for an upcoming operation will often share tools to be used by prospective supporters. Digital Shadows (now ReliaQuest) observed similar posts while tracking OpIcarus, an operation targeting financial institutions throughout 2016.

However, in this case all was not as it seemed. When we downloaded and examined the files, we discovered that the purported Windows DoS tool was highly likely a version of the well-known Dark Comet RAT. Similarly, the claimed Android DoS tool was highly likely an Android RAT which, after being installed, elevated its permissions to obtain access to the infected device’s camera, SMS messages, microphone, browser, call logs and physical location via GPS. At the time of analysis, neither of these samples had previously been documented on malware analysis sites.

Assessment and outlook

These findings suggest that the actors responsible for these tweets have sought to use Anonymous collective imagery and hashtags to socially engineer supporters of OpIsrael to compromise their machines. While the nature and objectives of the actor(s) responsible for this campaign are not known, opposing pro-Israel campaigns such as OpIslam, often emerge to counter OpIsrael.

Therefore while it is possible that this distribution campaign was the work of an opportunistic criminal actor, we also assessed it to be plausible that it was part of an attempt by pro-Israeli actors to compromise the machines of OpIsrael participants. If this is the case, it would indicate the possibility that the actors responsible for this distribution campaign might use it to act against OpIsrael participants prior to April 7th. It remains to be seen whether evidence of such targeting will emerge.