
Houthi Influence Campaign

In early April, ClearSky’s team discovered a persistent Yemeni/Houthi influence campaign
operating in Israel and the Gulf states. We first exposed the campaign in 2019. It continues
to operate in a similar manner to what was uncovered in 2019. Between 2019 and 2022,
the campaign mainly focused on Gulf countries, particularly Saudi Arabia and the UAE,
and returned to focus on Israel from late 2024. We did not find any indication that the
campaign targeted Israel between 2019–2022.

The campaign operators have invested for years in building and maintaining an
infrastructure that includes fake websites, Facebook pages, and social media profiles. The
ongoing maintenance of such a campaign indicates its importance and the resources
allocated to sustain it. These resources include, among other things, dedicated personnel,
funding, and a certain level of proficiency in Hebrew.

The campaign we first exposed in 2019 involved the dissemination of false reports by several
social media profiles. These reports focused on gossip-related topics (for example, the
death of an Israeli actress and singer). They were published on pages of Israeli media
outlets and in several marginal Israeli social media groups, mainly on Facebook. The 2019
campaign was based on methodologies used in Iranian influence campaigns that we had
uncovered starting in 2018.


This report focuses on the campaign active in recent months, with an emphasis on the
personas created to disseminate content, the websites established as part of the
infrastructure, and the campaign’s messaging.
The report also addresses differences between the 2019 campaign and the content
published in the current one.

Read the current report:

Read our report from 2019:

CVE-2024-43451: A New Zero-Day Vulnerability Exploited in the wild

13 November 2024 at 18:56

A new zero-day vulnerability, CVE-2024-43451, was discovered by ClearSky Cyber Security in June 2024. This vulnerability affects Windows systems and is being actively exploited in attacks against Ukrainian entities.

The vulnerability activates URL files containing malicious code through seemingly innocuous actions:

  • A single right-click on the file (all Windows versions).
  • Deleting the file (Windows 10/11).
  • Dragging the file to another folder (Windows 10/11 and some Windows 7/8/8.1 configurations).

The malicious URL files were disguised as academic certificates and were initially observed being distributed from a compromised official Ukrainian government website.

Exploitation Process:

The attack begins with a phishing email sent from a compromised Ukrainian government server. The email prompts the recipient to renew their academic certificate. The email contains a malicious URL file. When the user interacts with the URL file by right-clicking, deleting, or moving it, the vulnerability is triggered. This action establishes a connection with the attacker’s server and downloads further malicious files, including SparkRAT malware.

SparkRAT is an open-source remote access trojan that allows the attacker to gain control of the victim’s system. The attackers also employed techniques to maintain persistence on the infected system, ensuring their access even after a reboot.

Attribution:

CERT-UA linked this campaign to the threat actor UAC-0194, suspected to be Russian. ClearSky also noted similarities with previous campaigns by other threat actors, suggesting the use of a common toolkit or technique.

Remediation:

Microsoft released a security patch for this vulnerability on November 12, 2024. Users are strongly advised to update their Windows systems to mitigate the risk posed by CVE-2024-43451.

Read the full report:

Iranian “Dream Job” Campaign 11.24

12 November 2024 at 10:23

ClearSky Cyber Security research identified a campaign named “Iranian Dream Job campaign”, in which the Iranian threat actor TA455 targeted the aerospace industry by offering fake jobs. 

The campaign distributed the SnailResin malware, which activates the SlugResin backdoor. ClearSky attributes both malware programs to a subgroup of Charming Kitten. 

However, some cyber research companies detected the malware files as belonging to the North Korean Kimsuky/Lazarus APT group. 

The similar “Dream Job” lure, attack techniques, and malware files suggest that either Charming Kitten was impersonating Lazarus to hide its activities, or that North Korea shared attack methods and tools with Iran. 

The Iranian “Dream Job” campaign has been active since at least September 2023. Mandiant had previously reported on suspected Iranian espionage activity targeting aerospace, aviation, and defense industries in Middle East countries, including Israel and the United Arab Emirates (UAE), as well as Turkey, India, and Albania. 

The LinkedIn profiles of the fake recruiters in our report seem to be newer versions of the profiles Mandiant previously reported. For example, ClearSky discovered a profile associated with a fake company called “Careers 2 Find,” which previously worked for “1st Employer,” a fake recruiting website highlighted by Mandiant. 

How the Campaign Works

TA455 uses fake recruiting websites and LinkedIn profiles to distribute a ZIP file containing malicious files. The ZIP file, which includes legitimate files, is downloaded from a domain impersonating a job recruiting website. Victims are given a detailed PDF guide on how to “safely” access the website in order to prevent them from making “mistakes” that might “prevent infection”. Once the ZIP file is downloaded, the victim clicks on a highlighted EXE file. The EXE loads the malicious DLL file “secur32[.]dll” via DLL side loading. The malware checks the victim’s IP address and downloads information from a GitHub account that contains the C&C server domain address.

For the full version of our report:

Doppelgänger NG | Russian Cyberwarfare campaign

22 February 2024 at 14:00

ClearSky Cyber Security and SentinelLabs have discovered a new wave of the Russian information warfare campaign named Doppelgänger NG. “Doppelgänger” (meaning spirit double, an exact but usually invisible replica) is a global information warfare campaign publishing false information on hundreds of fake websites and social media channels.
Our research revealed that “Doppelgänger NG” is again fully operational in 2024, using new infrastructure. Furthermore, we found a link between the “Doppelgänger NG” campaign and the Russian cyber espionage group APT28.

Key findings:

  • New infrastructure used by “Doppelgänger NG”.
  • We discovered a potential link between APT28 and the “Doppelgänger NG” campaign.
  • The “Doppelgänger NG” campaign has expanded its victims list, including new targets in the US, Germany, Israel, and France.
  • The “Doppelgänger NG” network contains more than 150 domains, including news feeds relevant to five countries (United States, Israel, France, Germany, Ukraine).

Doppelgänger report

Doppelgänger IoCs file

SentinelLabs report

“Homeland Justice” targets Albanian organizations with “No-justice” wiper

This blog post will elaborate on the “Homeland Justice” group’s background and provide an in-depth analysis of the tools used in the current attack, including reverse engineering of the NACL executable – dubbed “No-Justice Wiper”.

Read the Full report: No-Justice Wiper

Fata Morgana: Watering hole attack on shipping and logistics websites

ClearSky Cyber Security has detected a watering hole attack on at least eight Israeli websites. The attack is highly likely to be orchestrated by a nation-state actor from Iran, with a low confidence specific attribution to Tortoiseshell (also called TA456 or Imperial Kitten).

The infected sites collect preliminary user information through a script. We have discovered several details that suggest this script is used for malicious purposes.

Read the Full report: Fata Morgana Watering hole report

Lyceum suicide drone

ClearSky discovered a new malware associated with the Iranian SiameseKitten (Lyceum) group with medium-high confidence.
The file is downloaded from a domain registered on June 6th, and it communicates with a previously unknown command and control server whose IP address is adjacent to that of the domain.

This indicates that the attacker controls at least two IPs in the same range.
The downloaded file is a reverse shell that impersonates an Adobe update.
The reverse shell is dropped by a parent file signed with a fake Microsoft certificate, along with a lure PDF document and an executable designed to establish persistence.
There seems to be a shared use of fake Microsoft certificates by a variety of Iranian groups, as was previously observed with Phosphorus.
Additionally, the lure PDF document relates to drone attacks conducted in Iran, resembling a similar document previously employed by SiameseKitten.

Read the full report: https://www.clearskysec.com/wp-content/uploads/2022/06/Lyceum-suicide-drone-23.6.pdf

EvilNominatus Ransomware

As part of our monitoring of malicious files in current use, we detected a malicious BAT file that was uploaded to VirusTotal from Iran. This file executes a ransomware that we associated with the EvilNominatus ransomware, initially exposed at the end of 2021. It seems that the ransomware’s developer is a young Iranian, who bragged about its development on Twitter.

At this point, we have no details regarding any victims of this ransomware. We publish this research due to the malware’s unique method of operation, and the low number of AV engines capable of detecting it.

The original BAT file the research is based on was only detected by two AV engines on VirusTotal. Another BAT file that was discovered later, which shares characteristics with the first one, wasn’t detected by any AV engines. Other files that were either generated by the BAT files or communicated with them to carry out attacks were detected by multiple AV engines. Therefore, we assess that the tool’s general level of risk is low at this point.

Read the full report:

New Iranian Espionage Campaign By “Siamesekitten” – Lyceum

At the beginning of May 2021, we detected the first attack by Siamesekitten on an IT company in Israel. Siamesekitten (also named Lyceum/Hexane) is an Iranian APT group active in the Middle East and in Africa that is active in launching supply chain attacks. To this end, Siamesekitten established a large infrastructure that enabled them to impersonate the company and their HR personnel. We believe that this infrastructure was built to lure IT experts and penetrate their computers to gain access to the company’s clients.

This campaign is similar to the North Korean “Job seekers” campaign, employing what has become a widely used attack vector in recent years – impersonation. Many attack groups are executing this type of campaign, such as the North Korean Lazarus campaign we exposed in the summer of 2020 (Dream Job) and the Iranian OilRig campaign (APT34) that targeted Middle Eastern victims in the first quarter of 2021.

In July 2021, we detected a second wave of similar attacks against additional companies in Israel. In this wave, Siamesekitten upgraded their backdoor malware to a new version called “Shark”, which replaced the old version of their malware called “Milan”. Details of both versions are included in our report.

This report summarizes our findings regarding the latest Siamesekitten attacks and reviews the attack patterns and malware used in this campaign.

Read the full report:

Attributing CryptoCore Attacks Against Crypto Exchanges to LAZARUS (North Korea)

CryptoCore is an attack campaign against crypto-exchange companies that has been ongoing for three years and was discovered by ClearSky researchers. This cybercrime campaign is focused mainly on the theft of cryptocurrency wallets, and we estimate that the attackers have already made off with hundreds of millions of dollars. This campaign was also reported by additional companies and organizations, including JPCERT/CC[1], NTT Security[2] and F-SECURE[3]. The campaign is also known as CryptoMimic, Dangerous Password and Leery Turtle. In this report we attributed this campaign to a specific actor – North Korea’s LAZARUS APT Group, known also as Hidden Cobra.

Read the full report: Attributing CryptoCore Attacks Against Crypto Exchanges to LAZARUS (North Korea)

In this report, we based our attribution on two stages of research:

  1. First stage – connecting all research documents to the same campaign: a comparative study of all the research documents, aiming to prove that they all refer to the same campaign.
  2. Second stage – attribution to Lazarus: we adopted F-SECURE’s attribution to LAZARUS. We then reaffirmed this attribution by comparing the attack tools found in this campaign to other Lazarus campaigns and found strong similarities.

Our research shows a MEDIUM-HIGH likelihood that the Lazarus group, a North Korean, state-sponsored APT group, has been attacking crypto exchanges all over the world and in Israel for at least three years. This group has successfully hacked into numerous companies and organizations around the world for many years. Until recently this group was not known to attack Israeli targets.

We would like to thank NTT Security Japan for sharing malware samples with us, and for their feedback on this research.


[1] https://blogs.jpcert.or.jp/en/2019/07/spear-phishing-against-cryptocurrency-businesses.html

[2] https://vblocalhost.com/uploads/VB2020-Takai-etal.pdf

[3] https://labs.f-secure.com/assets/BlogFiles/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf
