## BLOG # Operation Electric Powder – Who is targeting Israel Electric Company? Posted on March 14, 2017 by ClearSky Research Team **Attackers have been trying to breach IEC (Israel Electric Company) in a year-long campaign.** From April 2016 until at least February 2017, attackers have been spreading malware via fake Facebook pro�les and pages, breached websites, self-hosted and cloud based websites. Various artifacts indicate that the main target of this campaign is IEC – Israel Electric Company. These include domains, �le names, Java package names, and Facebook activity. We dubbed this campaign “Operation Electric **Powder“.** [Israel Electric Company (https://en.wikipedia.org/wiki/Israel_Electric_Corporation) (also known as Israel Electric Corporation) “is the largest](https://en.wikipedia.org/wiki/Israel_Electric_Corporation) supplier of electrical power in Israel. The IEC builds, maintains, and operates power generation stations, sub-stations, as well as transmission and distribution networks. The company is the sole integrated electric utility in the State of Israel. It installed generating capacity represents about 75% of the total electricity production capacity in the country.” It is notable that the operational level and the technological sophistication of the attackers are not high. Also, they are having hard time preparing decoy documents and websites in Hebrew and English. Therefore, in most cases a vigilant target should be able to notice the attack and avoid infection. We do not have indication that the attacks succeeded in infecting IEC related computers or stealing information. Currently we do not know who is behind Operation Electric Powder or what its objectives are. See further discussion in the Attribution section. ### Impersonating Israeli news site The attackers registered and used in multiple attacks the domain ynetnewes[.]com (note the extra e). This domain impersonates ynetnews.com, the English version of ynet.co.il – one of Israel’s most popular news sites. Certain pages within the domain would load the legitimate Ynet website: (http://www.clearskysec.com/wp-content/uploads/2017/03/ynet-redirect.png) Others, which are opened as decoy during malware infection, had copied content from a di�erent news site: ----- (http://www.clearskysec.com/wp-content/uploads/2017/03/ynetnewes-1.jpg) The URL ynetnewes[.]com/video/New�lm.html contained an article about Brad Pitt and Marion Cotillard copied from another site (http://www.nrg.co.il/online/47/ART2/830/912.html). At the bottom was a link saying “Here For Watch It !”: (http://www.clearskysec.com/wp-content/uploads/2017/03/ynetnewes.jpg) The link pointed to goo[.]gl/zxhJxu (Google’s URL shortening service). According to the statistics page (https://goo.gl/#analytics/goo.gl/zxhJxu/all_time), it had been created on September 25, 2016 and have been clicked only 11 times. When clicked, it would redirect to iecr[.]co/info/index_info.php . We do not know what was the content in the �nal URL. We estimate that it served malware. The domain iecr[.]co was used as a command and control server for other malware in this campaign. Another URL, http://ynetnewes[.]com/resources/assets/downloads/svchost.exe hosted a malware �le called program_stream_�lm_for_watch.exe. (d020b08f5a6aef1f1072133d11f919f8 (https://www.virustotal.com/en/�le/6909674a3af0960675ca6184d890e0b294da4c66b9e512b35112474f58a4c900/analysis/)) ### Fake Facebook pro�le – Linda Santos One of the above mentioned malicious URLs was spread via comments by a fake Facebook pro�le – Linda Santos (no longer available (https://www.facebook.com/pro�le.php?id=100012012675632)): (http://www.clearskysec.com/wp-content/uploads/2017/03/Linda-santos.png) In September 2016, the fake pro�le commented to posts by Israel Electric Company: ----- (http://www.clearskysec.com/wp-content/uploads/2017/03/iec-comment.png) (http://www.clearskysec.com/wp-content/uploads/2017/03/Picture1.png) The pro�le had dozens of friends, almost all were IEC employees: ----- (http://www.clearskysec.com/wp-content/uploads/2017/03/IEC2.jpg) (http://www.clearskysec.com/wp-content/uploads/2017/03/iec-friends.jpg) The fake pro�le was following only three pages, one of which was the IEC o�cial page: (http://www.clearskysec.com/wp-content/uploads/2017/03/follwing.png) ### Pokemon Go Facebook page In July 2016, when mobile game “Pokemon Go” was at the peak of its popularity, the attackers created a Facebook page impersonating the o�cial Pokemon Go page: ----- (http://www.clearskysec.com/wp-content/uploads/2017/03/Pokémon-Go.jpg) [The page (https://www.facebook.com/Pokemon-Go-1683341815318370/), which is no longer available, had about one hundred followers –](https://www.facebook.com/Pokemon-Go-1683341815318370/) most were Arab Israelis and some were Jewish Israelis. Only one post was published, with text in English and Hebrew. Grammatical mistakes indicate the attackers are not native to both languages: (http://www.clearskysec.com/wp-content/uploads/2017/03/unnamed.png) The post linked to a malicious website hosted in yolasite.com (which is a legitimate website building and hosting platform): **pokemonisrael.yolasite[.]com** (http://www.clearskysec.com/wp content/uploads/2017/03/pokemonisrael.yolasite.com_.jpg) The button – “ומחשב טלפון להורדה” (literal translation – “To download phone and computer”) linked to a zip �le in another website: ----- Pokemon-PC.zip (40303cd6abe7004659ca3447767e4eb7 (https://www.virustotal.com/en/�le/e5f3adf2e7d34a23f37e4ed754fd57f23d40f0bf67b12c6b9f854195362a75ab/analysis/)) contained Pokemon-PC.exe (e45119a72677ed15ee0f04ef936a9803 (https://www.virustotal.com/en/�le/0ab1b7ee�daeb0d554a6378e09728fed6cf8cb22b8e797e1570ec01843ab83b/analysis/)), which at run time drops monitar.exe (d3e0b129bad263e6c0dcb1a9da55978b (https://www.virustotal.com/en/�le/3a36bee1411da9ce3fd5a287ce43e8943e4b1fc5abe62926a0a3a9db9a4f2ee9/analysis/)): ### Android phone malware The attackers also distributed a malicious app for Android devices – pokemon.apk (3137448e0cb7ad83c433a27b6dbfb090 (https://www.virustotal.com/en/�le/329c764c75e3cc257f25c5ae7b44fa9b0dcd8cada12f23e44a789d26c90e04df/analysis/)). This malware also had characteristics that impersonate IEC, such as the package name: (http://www.clearskysec.com/wp-content/uploads/2017/03/iec-apk.jpg) The application is a dropper that extracts and installs a spyware. The dropper does not ask for any permission during installation: (http://www.clearskysec.com/wp-content/uploads/2017/03/mobile1.png) However, when the spyware is installed, it asks for multiple sensitive permissions: (http://www.clearskysec.com/wp-content/uploads/2017/03/mobile2.png) The victim ends up with two applications installed on their device. The Dropper, pretending to be a Pokemon Go app, adds an icon to the phone dashboard. However, it does not have any functionality, and when clicked, this error message is displayed: **Error 505** Sorry, this version is not compatible with your android version. ----- (http://www.clearskysec.com/wp-content/uploads/2017/03/mobile3.png) The dropper does not really check what android version is installed: (http://www.clearskysec.com/wp-content/uploads/2017/03/mobile4.png) The message is intended to make the victim believe that the Pokemon game does not work because of compatibility issues. The victim is likely to uninstall the application at this point. However, because a second application was installed, the phone would stay infected unless it is uninstalled as well. ### Websites for Malware distribution Malware was also hosted in legitimate breached Israeli websites, such as this educational website: http://www.bagrut3.org[.]il/upload/edu_shlishit/passwordlist.exe (defc340825cf56f18b5ba688e6695e68 (https://www.virustotal.com/en/�le/15b5fb226689fdddc04c3e6ddeb84e3aae4ce009cc4c95f6fa68045033ca905f/analysis/)) and a small law �rm’s website: http://sheinin[.]co.il/MyPhoto.zip (650fcd25a917b37485c48616f6e17712 (https://www.virustotal.com/en/�le/9631d1574b11217ecdaa496696f25027a0fae7d83f4c3c1d71c2bf0dcbf9ea1e/analysis/1480916388/)) _In journey-in-israel[.]com, the attackers inserted an exploit code for CVE-2014-6332 – a Windows code execution vulnerability. The exploit was_ [copied from an online source, likely from here, (https://gist.github.com/worawit/84ab41358b8465966224)as the code included the same](https://gist.github.com/worawit/84ab41358b8465966224) comments. The website also hosted this malware: afd5288d9aeb0c3ef7b37becb7ed4d5c (https://www.virustotal.com/en/�le/09c4bd14f67ad09dd3a6cc7aea3dad824732b0837a82bae03db7b3b98cfe2cbd/analysis/). In other cases, the attackers registered and built malicious websites: users-management[.]com and sourcefarge[.]net (similar to legitimate software website sourceforge.net). The latter was redirecting to journey-in-israel[.]com and iec-co-il[.]com in May and July 2016, according to PassiveTotal (https://passivetotal.org/search/sourcefarge.net): (http://www.clearskysec.com/wp-content/uploads/2017/03/sourcefarge.jpg) Sample 24befa319fd96dea587f82eb945f5d2a (https://www.virustotal.com/en/�le/641275b120a014ef8534ead47d2f68ea96f62ab04c779dc57608109998afd9b6/analysis/), potentially only a test �le, is a self-extracting archive (SFX) that contains two �les: a legitimate Putty installation and link.html: ----- (http://www.clearskysec.com/wp-content/uploads/2017/03/Screenshot_1.jpg) Sample f6d5b8d58079c5a008f7629bdd77ba7f (https://www.virustotal.com/en/�le/79081e664393cad10c1f93835fd29fa36071e216b6e43bdc8f9650ef3eeae671/analysis/), also a selfextracting archive, contained a decoy PDF document and a backdoor: (http://www.clearskysec.com/wp-content/uploads/2017/03/iecma�l.jpg) The PDF, named IEC.pdf, is a warranty document taken from Ma�l’s public website. It is displayed to the victim while the malware (6aeb71d05a2f9b7c52ec06d65d838e82 (https://www.virustotal.com/en/�le/214bc5cde615305d5c0187581cbb3fcc8bbaab0f7cbfce424ea891f0b2cba79a/analysis/)) is infecting its computer: (http://www.clearskysec.com/wp-content/uploads/2017/03/iec-pdf.jpg) ### Windows Malware The attackers developed three malware types for Windows based computers: **Dropper – self-extracting archives that extract and run the backdoor, sometimes while opening a decoy PDF document or website.** (For example: 6fa869f17b703a1282b8f386d0d87bd4) **Trojan backdoor / downloader – malware that collects information about the system and can download and execute other �les.** (909125d1de7ac584c15f81a34262846f) Some samples had two hardcoded command and control servers: iecrs[.]co and iecr[.]co (note once again the use of IEC in the domain name). **Keylogger / screen grabber – records keystrokes and takes screenshots. The malware �le is compiled Python code.** (d3e0b129bad263e6c0dcb1a9da55978b (https://www.virustotal.com/en/�le/3a36bee1411da9ce3fd5a287ce43e8943e4b1fc5abe62926a0a3a9db9a4f2ee9/analysis/)) An analysis of the malware and other parts of the campaign was published by Mcafee (https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/26000/PD26760/en_US/McAfee_Labs_Threat_Adviso in on November 11, 2016. The latest known sample in this campaign (7ceac3389a5c97a3008aae9a270c706a (https://www.virustotal.com/en/�le/21023f43749e1efa394eeaa486a5cd332d64cabc9bb28a1640a252fd43062384/analysis/)) has compilation timestamp of February 12, 2017. It is dropped when “pdf �le products israel electric.exe” (c13c566b079258bf0782d9fb64612529 (https://www.virustotal.com/en/�le/4961761f7768a802f2023523b73ed60bd178487177f72b58f9284632ae5e3bd2/analysis/)) is executed. ----- covers other parts of the campaign, Mcafee attribute it to Gaza Cybergang (AKA Gaza Hacker Team AKA Molerats). However, the report does not present strong evidence to support this conclusion. While initially we thought the same, currently we cannot relate Operation Electric Powder to any known group. Moreover, besides Mohamad potentially being the name of the malware developer (based on PDB string found in multiple samples: C:\Users\Mohammed.MU\Desktop\AM\programming\C\tsDownloader\Release\tsDownloader.pdb ), we do not have evidence that the attackers are Arabs. ### Indicators of compromise Indicators �le: Operation-Electric-Powder-indicators.csv (http://www.clearskysec.com/wp-content/uploads/2017/03/Operation-Electric[Powder-indicators.csv) (also available on PassiveTotal (https://www.passivetotal.org/projects/e37b0fb0-e207-35a7-c0d6-ae7df39c0708)).](https://www.passivetotal.org/projects/e37b0fb0-e207-35a7-c0d6-ae7df39c0708) Notably, all but one of the IP addresses in use by the attackers belong to German IT services provider “Accelerated IT Services GmbH” (AS31400): 84.200.32.211 84.200.2.76 84.200.17.123 84.200.68.97 82.211.30.212 82.211.30.186 82.211.30.192 [Florian Roth (https://www.bsk-consulting.de/author/venom23/)shared a Yara rule to detect the downloader: Operation-Electric-Powder-](https://www.bsk-consulting.de/author/venom23/) yara.txt (http://www.clearskysec.com/wp-content/uploads/2017/03/Operation-Electric-Powder-yara.txt) The graph below depicts the campaign infrastructure (click the image to see the full graph): (http://www.clearskysec.com/wp-content/uploads/2017/03/Electric-powder maltego.jpg) Live samples can be downloaded from the following link: https://ln.sync[.]com/dl/30e722bf0#f72zgiwk-zxcp3e9t-fa9jyakr-zpbf5hgg (Please email info@clearskysec.com to get the password.) #### Acknowledgments [This research was facilitated by PassiveTotal (https://www.passivetotal.org/)for threat infrastructure analysis, and by MalNet](https://www.passivetotal.org/) (https://shadowdragon.io/) for malware research. [ Posted in: Campaigns (http://www.clearskysec.com/category/campaigns/)](http://www.clearskysec.com/category/campaigns/) Search  #### Categories [Campaigns (http://www.clearskysec.com/category/campaigns/)](http://www.clearskysec.com/category/campaigns/) [Cyber-Crime (http://www.clearskysec.com/category/cyber-crime/)](http://www.clearskysec.com/category/cyber-crime/) [General (http://www.clearskysec.com/category/general/)](http://www.clearskysec.com/category/general/) [Incidents (http://www.clearskysec.com/category/incidents/)](http://www.clearskysec.com/category/incidents/) ----- [Uncategorized (http://www.clearskysec.com/category/uncategorized/)](http://www.clearskysec.com/category/uncategorized/) #### Archive [February 2018 (http://www.clearskysec.com/2018/02/)](http://www.clearskysec.com/2018/02/) [January 2018 (http://www.clearskysec.com/2018/01/)](http://www.clearskysec.com/2018/01/) [December 2017 (http://www.clearskysec.com/2017/12/)](http://www.clearskysec.com/2017/12/) [November 2017 (http://www.clearskysec.com/2017/11/)](http://www.clearskysec.com/2017/11/) [October 2017 (http://www.clearskysec.com/2017/10/)](http://www.clearskysec.com/2017/10/) [August 2017 (http://www.clearskysec.com/2017/08/)](http://www.clearskysec.com/2017/08/) [July 2017 (http://www.clearskysec.com/2017/07/)](http://www.clearskysec.com/2017/07/) [May 2017 (http://www.clearskysec.com/2017/05/)](http://www.clearskysec.com/2017/05/) [April 2017 (http://www.clearskysec.com/2017/04/)](http://www.clearskysec.com/2017/04/) [March 2017 (http://www.clearskysec.com/2017/03/)](http://www.clearskysec.com/2017/03/) [January 2017 (http://www.clearskysec.com/2017/01/)](http://www.clearskysec.com/2017/01/) [November 2016 (http://www.clearskysec.com/2016/11/)](http://www.clearskysec.com/2016/11/) [October 2016 (http://www.clearskysec.com/2016/10/)](http://www.clearskysec.com/2016/10/) [June 2016 (http://www.clearskysec.com/2016/06/)](http://www.clearskysec.com/2016/06/) [January 2016 (http://www.clearskysec.com/2016/01/)](http://www.clearskysec.com/2016/01/) [November 2015 (http://www.clearskysec.com/2015/11/)](http://www.clearskysec.com/2015/11/) [September 2015 (http://www.clearskysec.com/2015/09/)](http://www.clearskysec.com/2015/09/) [June 2015 (http://www.clearskysec.com/2015/06/)](http://www.clearskysec.com/2015/06/) [May 2015 (http://www.clearskysec.com/2015/05/)](http://www.clearskysec.com/2015/05/) [September 2014 (http://www.clearskysec.com/2014/09/)](http://www.clearskysec.com/2014/09/) ######  (http://www.clearskysec.com/feed/)  (https://www.linkedin.com/company/clearsky-cyber-security)  (https://twitter.com/ClearskySec) [(http://www.clearskysec.com/)](http://www.clearskysec.com/) [(http://www.clearskysec.com/jp/)](http://www.clearskysec.com/jp/) #### Cyber Solutions [Threat Intelligence (http://www.clearskysec.com/solutions/cyber-defense-intelligence/)](http://www.clearskysec.com/solutions/cyber-defense-intelligence/) [Cyber strategy (http://www.clearskysec.com/solutions/cyber-strategy/)](http://www.clearskysec.com/solutions/cyber-strategy/) -----