As malware becomes more targeted at key organizations, we’re seeing more sensitive groups singled out for attacks. Recently, the Israel Defense Forces suffered a wave of attacks after Hamas used malware to infiltrate its systems. How did the infection get in, and what does Hamas’s malware do?
How the Infection Spread
The infection was spread using a catfishing campaign. Members of Hamas made attractive female profiles on social media and used them to talk to Israeli soldiers. They’d claim to be immigrants to the region, which allowed them to use basic Hebrew without raising suspicion. They’d also only maintain communication via text to maintain their cover.
Once the catfishers had someone’s full attention, they’d encourage the target to download an app. This app, they claimed, was similar to Snapchat, except that photos only persisted for a short time. This made it easier to share private photos without any worry about them leaking.
The apps were called Catch&See, ZatuApp, and GrixyApp, and were malware carriers for Hamas. As soon as a soldier downloaded one of these apps, the app would put up a fake error message saying the target’s phone wasn’t compatible with the app.
The app would then pretend to uninstall itself, but in reality, the app simply hid its icon from the list of apps. This app then worked to open a backdoor for Hamas through which they could gain access to their target’s phone.
What Did the Malware Do?
Once the target downloaded and ran one of the above apps, it executed a Mobile Remote Access Trojan (MRAT). This essentially means the hacker can peek into what the user is doing and even grab files for themselves.
The app asked for permission to use the camera, calendar, phone location, SMS messages, contacts, and the browser’s history. The malware would then scan the phone for installed apps, the device’s details, and any info about the internal storage.
Fortunately, these attacks were discovered and shut down relatively quickly, but not before dozens of soldiers were infected.
What We Can Learn From this Attack
Obviously, this attack wasn’t aimed at unsuspecting civilians. It was a targeted campaign that isolated a specific group of individuals for the Hamas hackers to work on. However, we can still learn proper cybersecurity from this attack.
The main lesson we can take from this is the app’s distribution method. Instead of risking going through the app stores and their security, the Hamas hackers set up websites that looked convincingly real. This teaches us that downloading an unknown app from outside the app store can be highly dangerous.
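The behaviour described above (a sideloaded app that hides its launcher icon and asks for the camera, calendar, location, SMS, contacts and browser history) is exactly the kind of pattern a device-management team can screen for. The following is an added example, not code from the original article or from any vendor tool: a small triage heuristic run over a constructed app inventory. It assumes the inventory has already been exported from a device (for instance by an MDM agent) into simple records; the package names, installer names and permission lists in the sample are made up for illustration.

```python
"""Triage heuristic for the spyware pattern described in the article.

Added example code (not from the original article). Assumes an app
inventory exported from a device; the inventory below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Android permission names matching the data the article says the malware
# asked for: camera, calendar, location, SMS, contacts, browser history.
SURVEILLANCE_PERMS: Set[str] = {
    "android.permission.CAMERA",
    "android.permission.READ_CALENDAR",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS",
}

# Installer package IDs considered trustworthy (Google Play here).
TRUSTED_INSTALLERS: Set[str] = {"com.android.vending"}


@dataclass
class AppRecord:
    package: str
    installer: Optional[str]          # None means sideloaded (APK from a website)
    has_launcher_icon: bool           # False: hidden from the app drawer
    permissions: Set[str] = field(default_factory=set)


def risk_indicators(app: AppRecord) -> List[str]:
    """Return the list of indicators this app exhibits (empty if none)."""
    reasons: List[str] = []
    if app.installer not in TRUSTED_INSTALLERS:
        reasons.append("installed outside the app store")
    if not app.has_launcher_icon:
        reasons.append("no launcher icon")
    overlap = app.permissions & SURVEILLANCE_PERMS
    if len(overlap) >= 3:
        reasons.append(f"{len(overlap)} surveillance-style permissions")
    return reasons


def triage(inventory: List[AppRecord], min_indicators: int = 2) -> Dict[str, List[str]]:
    """Flag apps showing at least `min_indicators` of the indicators above.

    A single indicator (e.g. a sideloaded developer tool) is common and not
    flagged on its own; the combination is what resembles the article's MRAT.
    """
    flagged: Dict[str, List[str]] = {}
    for app in inventory:
        reasons = risk_indicators(app)
        if len(reasons) >= min_indicators:
            flagged[app.package] = reasons
    return flagged


# Constructed sample inventory (hypothetical package names).
SAMPLE_INVENTORY = [
    AppRecord("com.example.messenger", "com.android.vending", True,
              {"android.permission.CAMERA", "android.permission.READ_CONTACTS"}),
    AppRecord("com.example.devtool", None, True, set()),
    AppRecord("com.example.photoshare", None, False, {
        "android.permission.CAMERA",
        "android.permission.READ_CALENDAR",
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.READ_SMS",
        "android.permission.READ_CONTACTS",
        "com.android.browser.permission.READ_HISTORY_BOOKMARKS",
    }),
]

if __name__ == "__main__":
    for pkg, why in triage(SAMPLE_INVENTORY).items():
        print(pkg, "->", "; ".join(why))
```

Only the constructed sideloaded, icon-less app with the full permission set is flagged; the Play-installed messenger and the sideloaded developer tool each show at most one indicator and pass. The threshold is deliberately a parameter so a fleet with many legitimate sideloaded apps can tune it.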
Also, this attack shows how catfishing works. Malicious agents set up a fake profile and use this to trick people into doing their bidding. It’s always a good idea to double- and triple-check the validity of the person before you do anything they suggest.
The recent attack on Israeli soldiers tells us a lot about cybersecurity practices. Trusting someone you’ve never heard from or seen in the flesh is risky, and downloading apps that aren’t on the official app store has its dangers.
Have you or anyone you know suffered a catfishing attack? Let us know below.