JCry ransomware utilized in #OpJerusalem campaign against Israeli sites

The attack was meant to compromise the visitors of thousands of Israeli websites with JCry ransomware, but the plot failed because of a flaw in the attackers' own code

The #OpJerusalem campaign originators attempted to deliver JCry ransomware to visitors of Israeli sites. Because of a bug in their code, the attack failed and produced a defacement page instead.

The annual #OpJerusalem cyber-attack directed at Israeli websites tried to spread JCry ransomware[1] through a popular accessibility widget embedded by many site developers. However, due to a bug in the injected script, the campaign failed to deliver the ransomware payload and instead displayed a message from the attackers that was originally meant to be shown only to non-Windows users.

Had the attackers coded the script correctly, Windows users would have been shown a notification claiming that their Adobe Flash Player was outdated; after clicking "Update," visitors would have downloaded and installed JCry ransomware, which encrypts personal data on the device and demands a ransom for its release.

The attack was stopped on Saturday, when control of the nagish.co.il site was regained merely a few hours after the attack began.

Thousands of users could have been infected if hackers had avoided the coding error

To perform the attack, the malicious actors modified the DNS configuration of a popular web accessibility tool from Nagich.com, so that every website embedding the widget loaded the malicious script instead of the original one once a visitor opened the page.

The malicious script was programmed to check whether the visitor was running Windows and, if so, to present a fake outdated Flash Player message that would download the flashplayer_install.exe[2] executable. Once the user granted the UAC prompt, the file would extract the JCry ransomware payload, which encrypts the user's data and blocks access to it until a ransom of $500 in Bitcoin is paid.

Visitors not running Windows were instead to be shown a message from the attackers:

Jerusalem is the capital of Palestine

However, because of the bug, this message was always loaded instead of the fake Flash Player update, even when the visitor was a Windows user.

Nevertheless, JCry ransomware itself works as intended and uses decent obfuscation techniques, according to researchers:[3]

This sample is another example of malware that shows the hackers put a lot of effort into bypassing the AV and other protections. Here, the malware is encapsulating a Rar archive, which is decompressed at runtime. The Rar archive contains two executables and one visual basic file. The VB file is only used to print an “Access Denied” message.

Palestine-Israeli conflict fuels the cybercrime against Israel

The conflict between Palestinians and Israelis in the Gaza Strip area has lasted for more than half a century and has been labeled the "most intractable conflict."[4] It is not limited to military confrontation, however, but also extends into cyberspace.

#OpJerusalem, or #OpIsrael, is a yearly cyber-attack focused on Israeli governmental and private websites that was started in 2013 by Anonymous, as explained by the CyberArk researchers who analyzed the campaign.[3] The campaign, which intends to "erase Israel from the internet," relies mainly on coordinated distributed denial-of-service (DDoS) attacks and site defacements, although data-leakage tools are also used.

The hackers who organize these attacks typically create Twitter and Facebook profiles to distribute tools and malware payloads. This year, the campaign started a month early and intended to infect visitors of Israeli sites with JCry ransomware.

Nevertheless, the #OpIsrael campaigns are in decline, with fewer attacks every year: 6,100 participants were registered on the campaign's Facebook page in 2014, a number that had dropped to 600 members by 2017.[5]

About the author
Olivia Morelli - Ransomware analyst

Olivia Morelli is News Editor at 2-Spyware.com. She covers topics such as computer protection, latest malware trends, software vulnerabilities, data breaches, and more.
