Attacks against Israeli & Palestinian interests

27 April 2015

 View Tom Lancaster's profile on LinkedIn

This short report details the techniques being used in a series of attacks mostly against Israel-based organisations. The decoy documents and filenames used in the attacks suggest the intended targets include organisations with political interests or influence in Israel and Palestine. Although we are unable to link this campaign to any already documented in open source, it bears similarities to some described by others previously[1],[2].

The earliest samples in the campaign we have identified date back to the summer of 2014. The number of samples discovered and relatively small scale of infrastructure suggest the attackers have limited resources with which to conduct attacks.


Our investigation begins by taking a look at the following file: ecc240f1983007177bc5bbecba50eea27b80fd3d14fd261bef6cda10b8ffe1e9. According to the analysis published on[3], this file was originally named ‘Israel Homeland Defense Directory 2015 _Secured_.exe’ and, once executed, the following decoy document was presented:        


The initial file in this case is a self-extracting RAR file that contains three components, including a decoy document (in this case, the PDF shown above) and the malware.

Further inspection of the malware extracted showed it wasn’t a family our analysts recognised. This, coupled with the nature of the decoy document used, led us to take a more in depth look at the malware, and associated infrastructure.

We’d like to give special thanks to Eyal Sela of ClearSky Security for his collaborative efforts in this research.


The most common way this malware packaged is via a self-extracting RAR file; however the attackers also appear to have used a number of other solutions to drop their malware, including a Visual Basic based wrapper and an Auto-IT based wrapper.

In terms of how the malware is delivered, it’s most likely that it’s done via spearphishing. For example, there are also several occasions where the VirusTotal ‘ITW’ tab suggests that the original dropper was available to download on a 3rd party website. In the case of the sample discussed in the introduction we can see:

2 is a relatively low-profile file sharing/hosting website currently based in Sweden. The use of low-key file-sharing sites appears to be a feature of the campaign as far as we can tell, with a few other similar sites being used in the same way.

This, in conjunction with the nature of the related files we have discovered (all of them are directly executable files) means it is likely that the malware is primarily delivered via spear phishing attempts, rather than any other method.

DownExecute – Brief Analysis

In this analysis, we’ll go over the file with a SHA256 hash of ecc240f1983007177bc5bbecba50eea27b80fd3d14fd261bef6cda10b8ffe1e9.

We’ve chosen to refer to the malware as ‘DownExecute’ due to the .pdb string left in the malware (leaving debug paths in malware seems to be very fashionable at the moment…):


All variants of the DownExecute’ malware we’ve identified come packaged in the following fashion:


From the samples we have analysed so far, the decoy application included is never used by the binary, and is presumably included so that anyone taking a cursory look at the file will conclude it is in fact the real deal.  Whilst the cURL[4] binary included is used for internet connectivity but it’s currently unclear why the attackers chose to use this method of adding connectivity to their file.

Some of the binaries are also self-signed:


So what can this malware do? Not all that much – it’s just a downloader.

Before execution, the malware makes a couple of checks to avoid analysis, including checking for the presence of a debugger using IsDebuggerPresent as well as checking for the presence of VirtualBox by looking for the device name \\.\VBoxMiniRdrDN:


The malware also checks for the presence of several anti-virus solutions, as well for any processes including the word ‘security’:


The malware then proceeds to decrypt some basic configuration data, including the command & control domain, and information about the origin of the infection, tracked via ID:


Meanwhile, the malware begins calling home, whilst also keeping a log of its actions in a plaintext file that is created in the same folder as where the binary was executed from.


After successful compromise…

It appears as though the clue for the main functionality of this malware is in its name (it downloads, and then executes) files, as it offers little else for the attacker. The DownExecute malware is used as a way for the attackers to gain an initial foothold on the victim machine. The basic information reported back by the malware would also certainly allow the attacker a way to triage infections to ensure they had reached their intended victim rather than a researcher.

We don’t have great visibility into post-compromise activity at this stage; however there are a number of other malware samples which communicate with the same infrastructure as the DownExecute samples. It’s not unreasonable to infer that if these are more fully featured backdoors, that they are likely the 2nd stage malware families used in conjunction with DownExecute. Specifically, we’ve observed the well-documented Xtreme RAT and Poison Ivy malware families in use with the same domain names as DownExecute. The Poison Ivy passwords observed for the group were ‘admin2014’ and ‘admin!@#$%”.

Command & Control Infrastructure


The vast majority of infrastructure in terms of hostnames observed associated with these attacks have been dynamic DNS domains, primarily associated with This provider is popular with several Middle Eastern threat actors tracked by PwC’s intelligence team. In terms of the size of the infrastructure used in the campaign using the tools described, it’s also fairly small, as shown on our Maltego graph.

The attackers have made an unusual choice with respect to the hosting providers used for the malicious infrastructure. Most of the domains at the time of writing, and indeed historically, have pointed to IP address space owned by Host Sailor, geo-located in Belize. Many of the threat actors in the Middle East that we’re familiar with have extremely volatile IP hosting, owing to the fact that the infrastructure is likely to be hosted on their own networks. This remote hosting therefore somewhat bucks the trend of some of the other actors we see from the region.

Inferred Targeting

As we have mentioned in a number of our other reports[5], attackers often use C&C domains which contain phrases relevant to their targets so as to make them appear legitimate. With this in mind we performed some simple analysis on the domain names used in this campaign to identify legitimate organisations being impersonated. For a full list of C&Cs used, please see Appendix B.

Domain name

Legitimate Entity


Israeli news outlet

Israeli news outlet

Israeli news outlet

Israeli news outlet


Islamic 2nd month

Israeli news outlet

As shown, there appears to be a theme here, with a number of Israeli news organisations being used as C&C themes and hence probably being targeted. So do we believe this campaign is focused only at Israeli companies? Perhaps not entirely.


Whilst there are a number of documents clearly aimed at Israeli nationals , using political and military themes, one of the lures[6] included an Arabic language decoy document pictured below:


The document in question discusses an alleged leak of information relating to Abbas, leader of the Palestine Liberation Organization. Whilst this is a subject which is clearly of key interest to all parties in the region, the fact the attackers sent an Arabic language version of the story may indicate that the recipient was expected to be fluent in Arabic, and possibly therefore less likely to be Israeli, but rather someone from another adjacent region.


Whilst, in this case, we’re unable to attribute this set of activity to a specific group or entity in the Middle East, it does bear a significant resemblance to many attacks seen from the Middle East that have been previously documented. Specifically, the following aspects of this campaign remind us of existing write-ups on Middle Eastern campaigns:

  • Consistent use of  the dynamic DNS provider and associated domains:  it’s unclear why there is a preference for this, however in several ‘how-to’ videos on Arabic language underground forums the video creators recommend using as opposed to other dynamic DNS providers;
  • Use of publically available  malware: many groups operating in the Middle East use malware families (such as Poison Ivy/Xtreme RAT) which are publically available rather than developing their own binaries;
  • Variety of targeting: the targeting seems entirely restricted to Middle Eastern issues and, whilst there appears to be a heavy focus on Israel in the decoy documents we’ve observed, there is the possibility that Palestinians have been targeted as well. This is consistent with the complex relationships between the different nations and political groups in the region;
  • Password schema: In their August 2013 blog[7], FireEye noted that a group they refer to as MoleRats used Poison Ivy and Xtreme RAT, in conjunction with a password of “!@#GooD#@!” The keyboard walk used for the symbols “!@#” across the top of a keyboard is similar to the password observed in some of our Poison Ivy samples.

The fact that the attackers chose to develop their own dropper may be indicative that their biggest problem when conducting network intrusions is getting their foot in the door – particularly as it seems as though they still prefer the more fully featured Poison Ivy and Xtreme RAT backdoors as 2nd stage malware families.

When we pivoted and looked for the earliest examples of the DownExecute malware, the first samples we could find were compiled in June 2014. We have no reason to believe in this case that the threat actor has tampered with the compile time on any samples, as all other samples discovered were identified shortly after they were compiled. As such we believe the campaign using this downloader malware has been on-going for approximately 12 months.


Appendix A – Samples































Appendix B – C&C Infrastructure


Value Type










































IPv4 Address

IPv4 Address

IPv4 Address

IPv4 Address

IPv4 Address

IPv4 Address

IPv4 Address

IPv4 Address

IPv4 Address

IPv4 Address


Appendix C – Signatures



rule DownExecute_A



       author = "PwC Cyber Threat Operations :: @tlansec"

       date = "2015-04"

       reference = ""

       description = “Malware is often wrapped/protected, best to run on memory”



       $winver1 = "win 8.1"

       $winver2 = "win Server 2012 R2"

       $winver3 = "win Srv 2012"

       $winver4 = "win srv 2008 R2"

       $winver5 = "win srv 2008"

       $winver6 = "win vsta"

       $winver7 = "win srv 2003 R2"

       $winver8 = "win hm srv"

       $winver9 = "win Strg srv 2003"

       $winver10 = "win srv 2003"

       $winver11 = "win XP prof x64 edt"

       $winver12 = "win XP"

       $winver13 = "win 2000"


       $pdb1 = "D:\\Acms\\2\\docs\\Visual Studio 2013\\Projects\\DownloadExcute\\DownloadExcute\\Release\\DownExecute.pdb"

       $pdb2 = "d:\\acms\\2\\docs\\visual studio 2013\\projects\\downloadexcute\\downloadexcute\\downexecute\\json\\rapidjson\\writer.h"

       $pdb3 = ":\\acms\\2\\docs\\visual studio 2013\\projects\\downloadexcute\\downloadexcute\\downexecute\\json\\rapidjson\\internal/stack.h"

       $pdb4 = "\\downloadexcute\\downexecute\\"


       $magic1 = "<Win Get Version Info Name Error"

       $magic2 = "P@$sw0rd$nd"

       $magic3 = "$t@k0v2rF10w"

       $magic4 = "|*|123xXx(Mutex)xXx321|*|6-21-2014-03:06PM" wide


       $str1 = "Download Excute" ascii wide fullword

       $str2 = "EncryptorFunctionPointer %d"

       $str3 = "%s\\%s.lnk"

       $str4 = "Mac:%s-Cpu:%s-HD:%s"

       $str5 = "feed back responce of host"

       $str6 = "GET Token at host"

       $str7 = "dwn md5 err"



       all of ($winver*) or

       any of ($pdb*) or

       any of ($magic*) or

       2 of ($str*)



Network IDS

alert http any any -> any any (msg:"--[PwC CTD] -- Unclassified Middle Eastern Actor - DownExecute URI (/dw/gtk)";  flow:established,to_server; urilen:7; content:"/dw/gtk"; http_uri;  depth:7; content:"GET" ; http_method; content:!"User-Agent:"; http_header; content:!"Referer:"; http_header; reference:md5,4dd319a230ee3a0735a656231b4c9063; classtype:trojan-activity; metadata:tlp WHITE,author @ipsosCustodes; sid:99999901; rev:2015200401;)


alert http any any -> any any (msg:"--[PwC CTD] -- Unclassified Middle Eastern Actor - DownExecute URI (/dw/setup)";  flow:established,to_server; urilen:>8; content:"/dw/setup"; http_uri;  depth:9; content:"POST" ; http_method; reference:md5,4dd319a230ee3a0735a656231b4c9063; classtype:trojan-activity; metadata:tlp WHITE,author @ipsosCustodes; sid:99999902; rev:2015200401;)


alert http any any -> any any (msg:"--[PwC CTD] -- Unclassified Middle Eastern Actor - DownExecute Headers";  flow:established,to_server; urilen:>7; content:"Accept */*";  http_client_body; content:"Content-Type: multipart/form-data\; boundary=------------------------"; http_header; content: "ci_session="; http_cookie; depth:11; content: "POST"; http_method; content:!"Referer:"; http_header; content:!"User-Agent:"; http_header; reference:md5,4dd319a230ee3a0735a656231b4c9063; classtype:trojan-activity; metadata:tlp WHITE,author @ipsosCustodes; sid:99999903; rev:2015200401;)







[6] ca78b173218ad8be863c7e00fec61f2f




Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.


Post a comment

Comments are moderated and will not appear until the author has approved them.