APT Group Using Voice Changing Software in Spear-Phishing Campaign
A sub-group of the ‘Molerats’ threat actor has been using voice-changing software to successfully trick targets into installing malware, according to a warning from Cado Security.
The Molerats hacking group, also tagged as Gaza Hackers Team, Gaza Cybergang, DustySky, Extreme Jackal, and Moonlight, has been active since at least 2012, mainly targeting entities in the Middle East, but also launching attacks against targets in Europe and the United States.
Cado Security says that APT-C-23, believed to be part of Molerats, typically uses social engineering to trick victims into installing malware, and was previously observed impersonating women in attacks that leveraged social media sites to target soldiers in the Israel Defence Forces.
In recent attacks targeting political opponents, APT-C-23 appears to have taken its spear-phishing to a new level, using voice-changing software to pose as women (the group’s members who have been identified so far are all men).
“APT-C-23 has been observed impersonating women to engage victims in conversations. As the conversations continue, the group sends video laden with malware to infect the target’s system,” Cado Security said.
While analyzing a publicly exposed server belonging to the hacking group, Cado Security researchers identified an archive containing photos from the Instagram account of a female model, along with the installer for the voice-changing application MorphVox Pro.
“Given the context of both previous APT-C-23 attacks and the other contents of the folder, we think the most likely explanation for MorphVox being part of their toolset is that it was used to produce audio messages in a female voice to encourage targets to install their malware,” the company said.
On the same server, the researchers identified various tools employed in the attacks, such as an application used to bulk-send phishing emails, another to hack Voice over IP systems, one with example commands to find vulnerable routers, and a folder containing a Microsoft credential phishing page.