{
	"id": "1a3221aa-8d44-49ae-9d9b-19e037e278d1",
	"created_at": "2026-04-06T00:12:22.62692Z",
	"updated_at": "2026-04-10T13:11:31.152039Z",
	"deleted_at": null,
	"sha1_hash": "1a9429ad87a4def98eb5faa7b6558f3e51ae8386",
	"title": "Breaking The Weakest Link Of The Strongest Chain",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 414857,
	"plain_text": "Breaking The Weakest Link Of The Strongest Chain\r\nBy IDF C4I\r\nPublished: 2017-02-16 · Archived: 2026-04-02 11:21:21 UTC\r\nAround July last year, more than 100 Israeli servicemen were hit by a cunning threat actor. The attack compromised their devices and exfiltrated data to the attackers’ command and control server. In addition, the compromised devices were pushed Trojan updates, which allowed the attackers to extend their capabilities. The operation remains active at the time of writing this post, with attacks reported as recently as February 2017.\r\nThe campaign, which experts believe is still in its early stages, targets Android OS devices. Once the device is compromised, a process of sophisticated intelligence gathering starts, exploiting the ability to access the phone’s video and audio capabilities, SMS functions and location.\r\nThe campaign relies heavily on social engineering techniques, leveraging social networks to lure targeted soldiers into both sharing confidential information and downloading the malicious applications.\r\nCharacterized by relatively unsophisticated technical merit and extensive use of social engineering, the threat actor targets only IDF soldiers.\r\nIDF C4I \u0026 the IDF Information Security Department unit, with Kaspersky Lab researchers, have obtained a list of the victims; among them are IDF servicemen of different ranks, most of them serving around the Gaza Strip.\r\nAttack Flow\r\nThe operation follows the same infection flow across the different victims:\r\nFigure 1: Campaign’s attack flow\r\nThe threat actor uses social engineering to lure targets into installing a malicious application, while continuously attempting to acquire confidential information using social networks. We’ve seen a lot of the group’s activity on Facebook Messenger.\r\nMost of the avatars (virtual participants in the social engineering stage) lure the victims using sexual innuendo, e.g. 
asking the victim to send explicit photos, and in return sending fake photos of teenage girls. The avatars pretend to be from different countries such as Canada, Germany, Switzerland and more.\r\nhttps://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/\r\nPage 1 of 6\n\nDropper\r\nAfter the victim downloads the APK file from the malicious URL, the attacker expects the victim to install the package manually. The dropper requires common user permissions, as shown in the following screenshot.\r\nFigure 2: Dropper permissions once installed on a victim mobile device\r\nKey features\r\nThe dropper relies on the configuration server, which it queries in order to download the best-fitting payload for the specified device.\r\nDownloader \u0026 Watchdog of the main payload\r\nPayload update mechanism\r\nCustomized payload – the dropper sends a list of installed apps, and receives a payload package based on it\r\nObfuscation – The dropper package is obfuscated using ProGuard, an open source code obfuscator and Java optimizer, observed in the LoveSongs dropper.\r\nNetwork Protocols\r\nThe network protocol between the dropper and the configuration server is based on HTTP POST requests. 
The following servers implement a RESTful API:\r\nLoveSongs – http://endpointup[.]com/update/upfolder/updatefun.php\r\nYeeCall, WowoMessanger – http://droidback[.]com/pockemon/squirtle/functions.php\r\nFigure 3: Communication with C\u0026C server over HTTP\r\nMost of the communication with the server is in clear text, except for specific commands which are encrypted using AES-128 with a hard-coded key.\r\nFigure 4: WowoMessanger REST-API POST packet capture\r\nFigure 5: Fake WowoMessanger app – logic flow\r\nAlong with an ID existence check, the dropper sends a list of the device’s installed apps – if it hasn’t done so already.\r\nThe flow between different variants of the dropper is similar, with minor changes. One variant pretends to be a YouTube player, while others are chat apps:\r\nLoveSongs has YouTube player functionality, whereas WowoMessanger does not have any legitimate functionality whatsoever; it erases its icon after the first run.\r\nPayload\r\nThe payload is installed after one of the droppers mentioned above has been downloaded and executed on the victim device. The only payload we have seen so far is “WhatsApp_Update”.\r\nThe payload is capable of two collection mechanisms:\r\nExecute “On demand” commands – manual commands that are triggered by the operator\r\nScheduled process – scheduled tasks that collect information periodically from various sources.\r\nMost of the collected data will be sent only when a Wi-Fi network is available.\r\nC\u0026C Commands\r\nThe payload uses the WebSocket protocol, which gives the attacker a real-time interface to send commands to the payload in a way that resembles a ‘reverse shell’. Some of the commands are not yet implemented (as shown in the table below). 
The commands give the operator basic yet dangerous RAT capabilities:\r\nCollect general information about the device, e.g. network operator, GPS location, IMEI, etc.\r\nOpen a browser and browse to a chosen URL\r\nRead \u0026 send SMS messages, and access contacts\r\nEavesdrop at a specific time and for a specific period\r\nTake pictures (using the camera) or screenshots\r\nRecord video and audio.\r\nCOLL_AUDIO_RECORDS COLL_CALL_RECORDS GET_LOCATION CHECK_AVAILABILITY\r\nOPEN_WEBPAGE GET_IMAGE GET_DEVICE_INFO COLL_CAPTURED_PHOT\r\nGET_TELEPHONY_INFO GET_CELLS_INFO TAKE_SCREENSHOT CALL_PHONE\r\nGET_SEC_GALL_CACHE GET_SMS SEND_SMS GET_CONTACTS\r\nGET_BOOKMARKS TAKE_BACK_PIC CHANGE_AUDIO_SOURCE RECORD_AUDIO\r\nGET_SEARCHES CLOSE_APP GET_HISTORY OPEN_APP\r\nGET_CALENDER_EVENTS RESTART GET_USER_DICTIONARY SHUTDOWN\r\nUNINSTALL_APP GET_ACCOUNTS INSTALL_APK GET_INSTALLED_APPS\r\nGET_WHATSAPP_KEY RECORD_FRONT_VIDEO GET_WHATSAPP_BACKUP GET_FILE\r\nGET_CALLS GET_ROOT_STATUS TAKE_FRONT_PIC RECORD_BACK_VIDEO\r\nINVALID_COMMAND REMOVE_FILE\r\n*Commands which were implemented are in bold.\r\nScheduled Process\r\nBesides the C\u0026C commands, the payload periodically collects data using various Android APIs. The default time interval is 30 seconds. The process collects the following data:\r\nGeneral data about the device (as mentioned in the C\u0026C commands)\r\nSMS messages, and the WhatsApp database along with its encryption key (requires root permissions, which is not yet fully implemented)\r\nBrowsing \u0026 search history along with bookmarks\r\nDocuments and archives ( \u003c 2MB ) found in storage (doc, docx, ppt, rar, etc.)\r\nPictures taken, and automatic captures while on an active call\r\nList of contacts and call logs\r\nRecords calls and eavesdrops\r\nUpdates itself\r\nThe attackers implemented all of the malicious logic without any native or third-party sources. 
The logic behind the automatic call-recording feature is implemented entirely using Android’s API.\r\nFigure 6: Call-Recording implementation in WhatsApp_update\r\nConclusions\r\nThe IDF, which led the research along with Kaspersky Lab researchers, has concluded that this is only the opening shot of this operation. Further, it is by definition a targeted attack against the Israeli Defense Force, aiming to exfiltrate data on how ground forces are spread and which tactics and equipment the IDF is using, and to gather real-time intelligence.\r\nKaspersky Lab GReAT researchers will disclose more behind-the-scenes details of the operation at the upcoming Security Analyst Summit.\r\nIOCs\r\nDomain names \u0026 APK hashes\r\nCertificates – SHA1 fingerprints\r\nSource: 
https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/"
	],
	"report_names": [
		"breaking-the-weakest-link-of-the-strongest-chain"
	],
	"threat_actors": [
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434342,
	"ts_updated_at": 1775826691,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1a9429ad87a4def98eb5faa7b6558f3e51ae8386.pdf",
		"text": "https://archive.orkl.eu/1a9429ad87a4def98eb5faa7b6558f3e51ae8386.txt",
		"img": "https://archive.orkl.eu/1a9429ad87a4def98eb5faa7b6558f3e51ae8386.jpg"
	}
}