A Trojan targeting law-enforcement networks in Israel was discovered last Thursday, forcing the Israel Police to take its systems offline. The malware was distributed by spam messages crafted to look as if they came from the head of the Israel Defense Forces, Benny Gantz. The email, with the subject line “IDF strikes militants in Gaza Strip following rocket barrage”, carried a compressed RAR file as an attachment. Opening the attachment on a Windows computer installed the XTRAT-B Trojan (also known as Benny Gantz-59).
Analysis of malware samples indicated that the primary target of the infection was systems inside the Israeli Customs agency. The backdoor is an Xtreme Remote Access Trojan (RAT), which can be used to steal sensitive information and is controlled through commands received from a remote attacker. The same Xtreme RAT was used in earlier attacks against Syrian anti-government activists.
This variant was built to run on Windows 8 and has considerably improved audio and desktop-capture capabilities. It also has better techniques for stealing passwords stored in Chrome and Firefox.
Antivirus vendors have since added detection for the spam message and the malicious file, but the damage may already have been done. Attackers may have had access to police servers for about a week before the outbreak was detected and quarantine procedures were applied, which would make it too late to recover stolen files. The police only discovered the attack and took computers offline late Wednesday night; by then the malware had also spread to other government departments.
The police restored limited internet connectivity last Sunday, and it is not clear when full access will be restored. They have no leads yet on who created the malware or why. Some commentators have suggested that the Trojan may have come from Iran’s growing cyber-warfare centers, which have expanded rapidly since the Stuxnet worm hit Tehran’s nuclear program in 2010.