A week ago the Israel’s well known Mossad posted a recruitment ad challenging security experts to solve multiple puzzles if they wish to apply an “”operational cyber security expert”” position. For the top-secret Israeli intelligence agency, this was the first ad addressing hackers directly, but this direct approach is quite common among other agencies who have been publishing ads since the WWII era. These days you can even find want ads even on the NSA’s official twitter accounts.
Surprisingly, this is not the only Mossad related cyber-security news that popped up this week. Security researcher @benkow recently spotted the appearance of the Mossad’s emblem in very different and odd context – the command and control infrastructure of a POS malware called TreasureHunter which contained what he called a “”funny Jewish C&C“”.
Treasure Hunt C&C login page with the Mossad emblem
POS malware are typically implanted in point-of-sale devices by cybercriminals in order to collect and exfiltrate payment card data for their own use, or to be sold on the underground market. The so called “”Jewish”” TreasureHunter sample @benkow stumbled upon is version 0.1 of this specific POS malware, that has apparently been active for less than a week.
analysis of the malware itself, with the embedded string “”TreasureHunter version 0.1″”
It is unclear why the crooks behind this TreasureHunter campaign chose the Mossad emblem for their C&C servers. Did they take part in the recent recruitment challenge? It is plausible but the chances are slim since it was blocked for non-Israeli IP addresses and the operators of similar POS malware operations haven’t been linked to Israel or to Israeli citizens.
TreasureHunter sends a request to its C&C server
Was the Mossad emblem used as a feeble attempt to link the Israeli intelligence agency to illicit activities? The current geopolitical atmosphere has borne quite a number of entities interested in smearing the reputation of official Israeli institutions. However, it seems that there are much easier ways than posting the Mossad emblem in an inaccessible remote malware C&C server to accomplish that.
Is the Mossad entering the profitable POS malware scene? If so, using their emblem in a public webpage is as realistic as a James Bond movie 🙂
Perhaps these hackers heard the Mossad’s name in a recent action movie and just re-used a cool picture from Wikipedia?
Unfortunately, at least for the time being this remains a mystery – that will probably require a true Mossad agent to solve.
IOC
URL
hxxp://x0000m.net/
IP
5.56.133.100
SHA256
3f54aaa6d2cb5c7ff3f6d41790b40de47e8f870fe96aaecec4342ab84f700def
YARA Rule
rule TreasureHunt
{
meta:
author = “”Minerva Labs””
date = “”2016/06″”
maltype = “”Point of Sale (POS) Malware””
filetype = “”exe””
strings:
$a = “”treasureHunter.pdb””
$b = “”jucheck””
$c = “”cmdLineDecrypted””
condition:
all of them
}