Cybersecurity firm Cado Security has spotted a subdivision of a known Middle Eastern hacking group using voice-changing software to trick political targets into installing infected apps.
The Molerats group, also known as Gaza Hackers Team, Gaza Cybergang, DustySky, Extreme Jackal, and Moonlight, has been tracked since at least 2012. It mainly targets entities in the Middle East; attacks on targets in Europe and the United States are less common.
Cado Security researchers say that a subdivision of Molerats, known as APT-C-23, was behind the attacks that used voice-changing technology.
In the past, APT-C-23 has relied on social engineering to persuade victims to install its malware.
In recent spear-phishing attacks on political opponents, the researchers believe, APT-C-23 has adopted a new tactic: using voice-changing software to pose as women.
“APT-C-23 has been observed impersonating women to engage victims in conversations. As the conversations continue, the group sends video laden with malware to infect the target’s system,” Cado Security said.
The researchers based their conclusion on two observations: the group members identified so far are all men, and a voice-changing application was found on the attackers' server. Having analyzed a publicly exposed server belonging to the hacking group, Cado Security researchers found an archive containing photos taken from the Instagram account of a female model, together with an installation package for the voice-changing application MorphVox Pro.
“Given the context of both previous APT-C-23 attacks and the other contents of the folder, we think the most likely explanation for MorphVox being part of their toolset is that it was used to produce audio messages in a female voice to encourage targets to install their malware,” Cado Security researchers said.
The same attacker-controlled server also held various other tools: an application for bulk-sending phishing emails, another for attacking Voice-over-IP (VoIP) systems, an app with example commands for finding vulnerable routers, and a Microsoft credential phishing page.