Friday 6 October 14:30 - 15:00, Green room
Matias Porolli (ESET)
Arid Viper is a cyberespionage group, believed to be aligned with the interests of Hamas, that has been active since at least 2013. Most of the group’s publicly reported campaigns have targeted Palestinian and Israeli organizations, including law enforcement, military forces, government agencies, and student groups, as well as individuals, such as activists. The group has drawn attention over the years for its vast arsenal of malware for Android, iOS and Windows platforms.
In 2023 Arid Viper is still active, operating updated custom malware for its ongoing long-term espionage operations. We’ve observed two different campaigns in which the group deployed numerous backdoors and tools to spy on its victims. And not only did we observe custom tools written in various programming languages, but also several versions of the same tools, which goes to show Arid Viper’s continuous efforts and capabilities. The list includes the group’s known backdoors Micropsia (Delphi), PyMicropsia (Python), Arid Gopher (Go), and BarbWire (C++), and an undocumented backdoor we recently discovered.
We have named this new backdoor, which is written in Rust, Rusty Viper, and we describe it for the first time in this session, along with the group’s social engineering techniques for approaching its targets and the decoy documents it uses. We compare Rusty Viper with its predecessors and analyse possible changes that its developers might introduce.
Next, we take a step back to look at Arid Viper’s extensive toolset. Collectively, Arid Viper’s arsenal provides diverse spying capabilities such as recording audio with the microphone, detecting inserted flash drives and exfiltrating files from them, and stealing saved browser credentials, to name just a few. While these tools share similarities in their general structure and flow of execution, they also contain notable differences in implementation and coding styles. Even for the same backdoor, we have observed major implementation changes from one version to another; in some cases the backdoor appears to have been rewritten from scratch.
Finally, we compare historical Arid Viper attacks with the most recent campaigns we’ve observed, analysing similarities and differences between the tools and their versions, leading to a discussion of how a group allegedly operating from such a small region as Gaza has the capabilities to produce so many backdoors, each with several versions and using so many different languages. Our answers suggest what can be expected in future attacks.
Born and raised in Argentina, Matias is a malware researcher on the ESET Threat Intelligence team in Canada. He divides his time between tracking APT groups and reverse engineering their malware. Before moving to Canada, he worked for ESET in their Buenos Aires office. His interests include studying exploitation in the Windows environment, crackmes, CTFs and C programming.