Lotem Finkelsteen & Aseel Kayal, Check Point

After some two months-long investigation, we have recently uncovered a targeted espionage campaign of one of the most colorful APT groups currently active in the Middle East – APT C-23. The group has been targeting politically-oriented individuals in the Middle-East for almost two years now, using quality spear phishing and mobile applications to lure victims into opening malicious files.

Our investigation has begun with a single campaign, using a decoy document disguised as an official paper by the Palestinian Political and National Guidance Commission to spread a custom malware written in C++ but wrapped as a self-extracting executable. We then gradually exposed a sophisticated, versatile group capable of crafting malware in different code-languages for different platforms. The group has been running several campaigns simultaneously under the radar of the research community, which up until now haven’t succeeded in making connections between the different campaigns.

Upon infection, a unique RAT is installed in the victim machine – unlike most RATs that feature keylogging and credential theft, this RAT was designed to spy – it looks for specific Office documents, features a self-destruction capability and logs specific system info, most likely as a preparation for a second stage attack.

We would like to present the full extent of our instigation process, which includes mapping the group’s activity over the years while listing the tactics, techniques, and procedures (TTP) practiced by the group, and depicting a model of a campaign attributed to the group.

One procedure stands out among the group’s TTP’s– its great affection for TV series. The group links each campaign with an iconic TV series and weaves characters and actors of the series in almost every aspect of the campaign. The campaign we exposed on July 2018, for example, used The Big Bang Theory TV series as its source of inspiration, as characters and actor names decorated the malware code and distinguished the campaign from other parallel efforts.

After reviewing the group’s overall activity as well as analyzing several significant campaigns, we are thrilled to share our findings insights with the audience.