Operation Rebound: fake social media profiles with pictures of young girls used in the attack against Israel Defense Forces members
According to the Israeli military, social media profiles with selfies of young girls were used by Hamas in Operation Rebound. A Twitter post from the Israel Defense Forces claims that the Hamas hacker group launched such profiles on different social media platforms while trying to hack soldiers' phones.
Once mobile phones were compromised, the person was redirected to a download page where the victim was offered a mobile RAT disguised as a dating or chat application to install. The campaign was analyzed further, and its creators were identified as the Hamas militant group, also known as APT-C-23, which is responsible for many cyberattacks in the Middle East.
The IDF itself identified the Palestinian terror group as responsible for this catfishing campaign, according to its Twitter post:
What Hamas didn’t know was that Israeli intelligence caught onto their plot, tracked the malware & downed Hamas’ hacking system.
Attractive women baiting soldiers
Pictures of young women pretending to be new immigrants to Israel drew soldiers into interacting with fake social media profiles. The personas wrote with typos and used Hebrew slang. According to researchers, six different personas (Sarah Orlova, Maria Jacobova, Eden Ben Ezra, Noa Danon, Yael Azoulay, and Rebecca Aboxis) were created to engage soldiers in conversation on various platforms such as Facebook, WhatsApp, Telegram, and Instagram.
Stolen photos of young women were edited and altered so that the primary source could not easily be identified by reverse image search. The interaction was initiated via text and voice messages; the personas then offered to engage in more personal conversation, exchange photos, and talk more on a separate app.
The accounts instructed victims to download the application via a provided link. The program was supposedly similar to Snapchat but was not available for download on the official application store. Pages for these apps were set up like normal app promotional sites, with descriptions and specific images.
Some soldiers fell for the trick, but there is no indication that security was impacted. The operation was named Rebound, and the Israel Defense Forces and the Israel Security Agency took down the campaign and eliminated these possible risks from compromised devices.
Mobile RAT for data collection purposes
The mobile applications were apparently only a disguise for mobile remote access trojans (MRATs). When one of them was installed for more conversation and picture exchange, an error appeared, indicating that something was not right. An alert stating that the device is not supported and that the uninstall can start masked the MRAT installation at this point.
Once the malware is installed, it initiates communication with the remote command-and-control (C2) server over the MQTT protocol. The initial features of the mobile threat can be extended through C2 commands, allowing remote attackers to download malware, execute files and programs, take pictures, and steal contact lists and other data.
The primary function of the mobile trojan supposedly differs, but once installed it was set to collect various information:
- phone numbers;
- GPS information;
- storage data;
- SMS messages.
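Because the trojan described above talks to its C2 server over MQTT, one network-side check is to recognise MQTT CONNECT packets leaving handsets for brokers the organisation has not approved, whatever port they use. The sketch below is an added example, not code from the article or from the IDF; the subnet, broker allowlist, flow records and function names are hypothetical and the sample packet is constructed.

```python
import ipaddress

MOBILE_NET = ipaddress.ip_network("10.20.0.0/16")  # hypothetical handset subnet
APPROVED_BROKERS = {"10.1.1.5"}                    # hypothetical sanctioned broker
# Constructed MQTT 3.1.1 CONNECT: client id "dev01", keepalive 60 s.
SAMPLE_CONNECT = b"\x10\x11\x00\x04MQTT\x04\x02\x00\x3c\x00\x05dev01"
FLOWS = [  # constructed (src, dst, dst_port, first TCP payload) records
    ("10.20.3.7", "203.0.113.50", 1883, SAMPLE_CONNECT),
    ("10.20.4.4", "203.0.113.50", 8443, SAMPLE_CONNECT),   # non-standard port
    ("10.20.3.7", "10.1.1.5", 1883, SAMPLE_CONNECT),       # approved broker
    ("10.20.9.9", "198.51.100.8", 443, b"\x16\x03\x01\x00\x05hello"),  # not MQTT
]

def read_varint(buf, pos):  # MQTT variable byte integer -> (value, next_pos)
    value = 0
    for i, byte in enumerate(buf[pos:pos + 4]):
        value |= (byte & 0x7F) << (7 * i)
        if not byte & 0x80:
            return value, pos + i + 1
    raise ValueError("truncated or malformed length")

def read_string(buf, pos):  # 2-byte length-prefixed UTF-8 -> (text, next_pos)
    end = pos + 2 + int.from_bytes(buf[pos:pos + 2], "big")
    if pos + 2 > len(buf) or end > len(buf):
        raise ValueError("truncated string")
    return buf[pos + 2:end].decode("utf-8", "replace"), end

def parse_connect(payload):
    """Return CONNECT fields, or None if not an MQTT CONNECT (first byte 0x10)."""
    try:
        length, pos = read_varint(payload, 1)
        body = payload[pos:pos + length]
        proto, p = read_string(body, 0)
        if payload[:1] != b"\x10" or proto not in ("MQTT", "MQIsdp") or p + 4 > len(body):
            return None
        level, keepalive = body[p], int.from_bytes(body[p + 2:p + 4], "big")
        p += 4
        if level == 5:                  # MQTT 5 puts properties before the client id
            plen, p = read_varint(body, p)
            p += plen
        client_id, _ = read_string(body, p)
    except ValueError:
        return None
    return {"proto": proto, "level": level, "keepalive": keepalive, "client_id": client_id}

def triage(flows):  # alert on MQTT CONNECTs from handsets to unapproved brokers
    return [{"src": s, "dst": d, "port": port, **info} for s, d, port, pl in flows
            if (info := parse_connect(pl)) and ipaddress.ip_address(s) in MOBILE_NET
            and d not in APPROVED_BROKERS]
```

This only sees cleartext MQTT; a session wrapped in TLS has to be inspected at a point where the traffic is already decrypted.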