Breaking cybersecurity news, news analysis, commentary, and other content from around the world, with an initial focus on the Middle East & Africa and the Asia Pacific

Sustained 'Red Deer' Phishing Attacks Impersonate Israel Post, Drop RATs

The "missed package" phishing messages, likely the work of a hacking-for-hire group, bounds into inboxes, bearing ASyncRAT.

Israeli flag with an army of hackers
Source: 3D generator via Alamy Stock Photo

Israeli engineering and telecommunications companies have been targeted with a sustained phishing message campaign that is convincingly impersonating Israel's postal service.

Research by Perception Point found the phishing email typically appears to be a missed delivery note containing an HTML link. When clicked, it downloads and opens an .html file attachment on the user's browser. This html file then opens an ISO image file that contains an obfuscated Visual Basic script, which ultimately downloads a modified version of the AsyncRAT malware.

Named Operation Red Deer, due to the fact that the logo for the Israel Postal Company (aka "Israel Post") is a red deer — this technique was initially spotted being used in a campaign in April 2022, but last month a similar campaign was spotted wherein the malware version and SSL certificate that was used were the same.

Sustained Phishing Campaign

Several other campaigns in the activity cluster were also detected, including one last June and another last October, where Igal Lytzki, incident response analyst at Perception Point, says the volume of phishing emails was significantly higher than on other days.

Perception Point called the campaign "a sustained and clandestine operation” which targeted numerous organizations from diverse industries, but all based in Israel.

Lytzki says that "hundreds of emails related to this particular campaign" were detected and quarantined before being delivered, and that they've been directed at employees in varying positions and at different levels of seniority, not solely executive and leadership positions.

He also added that the level of care to make the lures look genuine is notable, including the addition of elements such as the logo, correlation of colors, and additional information about the post office's opening hours. "This is a surprising tactic that reveals the depth of sophistication and investment put into this attack," he notes.

Who Is to Blame?

The attacks were attributed to the Aggah threat group, due to the choice of malware, order-related phishing messages, and use of Losh Crypter obfuscated PowerShell scripts. Lytzki says there is no clear evidence of any state-sponsorship or national identity for Aggah, but there is a striking similarity between Aggah's tactics, techniques, and procedures (TTPs) and another threat group known as Gorgon Group, a state-sponsored group under the Pakistani government .

He adds, "Aggah has targeted a variety of countries for espionage, information gathering, and financial gain. I believe that the evidence suggests that this hacking group is for hire, contracting with other governments to launch malicious campaigns on their behalf."

Also, in the past, Aggah has conducted attacks which were primarily focused on organizations within Middle Eastern countries. The Gorgon Group, meanwhile, does not just focus on financial fraud and cybercrime, but also conducts attacks against government organizations and has been linked to attacks against Russia, Spain, the United Kingdom, and the United States.

About the Author

Dan Raywood, Senior Editor, Dark Reading

With more than 20 years experience of B2B journalism, including 12 years covering cybersecurity, Dan Raywood brings a wealth of experience and information security knowledge to the table. He has covered everything from the rise of APTs, nation-state hackers, and hacktivists, to data breaches and the increase in government regulation to better protect citizens and hold businesses to account. Dan is based in the U.K., and when not working, he spends his time stopping his cats from walking over his keyboard and worrying about the (Tottenham) Spurs’ next match.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights