Multiple malware attacks against both Israeli and Palestinian systems, likely to be coming from the same source, have been seen over the last year. Researchers in Norway have uncovered evidence of a vast Middle Eastern espionage network that for the past year has deployed malicious software to spy on Israeli and Palestinian targets.
Israel has banned its police force from connecting to the Internet and from using memory sticks or disks in an effort to curb a cyberattack. The ban, enacted last week, is meant to prevent a malware program called Benny Gantz-55 named after Benny Gantz, Israel's Chief of General Staff from infecting the police's computer network
Trend Micro has obtained samples of malware implicated in a recent incident, The attack began with a spammed message purporting to come from the head of the Israel Defense Forces, Benny Gatz. The From field has the email address, bennygantz59(at)gmail.com and bore the subject IDF strikes militants in Gaza Strip following rocket barrage to make it more legitimate.'
The attackers were serving up the XtremeRat trojan, which was infamously used in surveillance campaigns against Syrian activists. XtremeRat trojan a Remote Access Trojan that can be used to steal information and receive commands from a remote attacker. According to Trend, the latest iterations of Xtreme Rat have Windows 8 compatibility, improved Chrome and Firefox password grabbing, and improved audio and desktop capture capabilities features.
Looking into the source of the attacks, Norman said "What is behind these IP addresses is hard to establish. It is possible they are hacked boxes and as such do not give much valid information. If that were the case, one might have expected a greater IP range and geographical distribution, but nothing is certain,".
"In the following investigation we first found several other trojans similarly signed, then many more trojans connecting to the same command & control structure as the first batch.".
"The Command & Control structure is centered around a few dynamic DNS (DynDNS) domains that at the time of writing point to hosting services in the US."
Officials have yet to determine whether the virus is a prank or was generated by Iran's cyberwarfare program, which had been rapidly expanded since Tehran's nuclear program was hit by the Stuxnet virus in 2010.