Devastating malware that lets criminals hack into banking accounts, steal data, and spy on computer users is suspected of being linked to terrorist group Hamas' cyberwarfare division.
The so-called “Remote Administration Tool,” or RAT, is called Escanor and first surfaced on the Dark Web in January. It can infect computers through Microsoft Office documents, according to Resecurity, which protects Fortune 500 companies. Computers have reportedly been infected in the U.S., Canada, the United Arab Emirates, Saudi Arabia, Kuwait, Bahrain, Egypt, Mexico, Singapore, and Israel.
“The tool can be used to collect GPS coordinates of the victim, monitor keystrokes, activate hidden cameras, and browse files on the remote mobile devices to steal data,” Resecurity warned.
The domain name behind the dangerous tool, “escanor[.]live,” may be linked to Molerats and APT-C-23, two units of the Hamas cyberwarfare division. Security Affairs reported that APT-C-23 is “known in particular to target Israeli military assets,” and that Molerats, which has been linked to Hamas, has been active for over a decade.
“It’s also tracked as Gaza Hackers Team, Gaza Cybergang, DustySky, Extreme Jackal, Moonlight and TA402 — some researchers believe there are multiple groups operating under the same umbrella,” Security Week reported.
Escanor is a version of an Android- and PC-based remote administration tool that hackers use to infect Microsoft Office and Adobe PDF documents with malware, according to Security Affairs. But Escanor’s power has been souped up with elements taken from “cracked” versions of other Dark Web tools, according to Resecurity.
The mobile version of Escanor, dubbed ‘Escape-RAT,’ intercepts banking OTPs, the “one-time passwords” that banks generate for customers rather than letting them choose their own. That gives the cybercriminal full access to the user’s account, and the tool can also spread malware that lets the criminal activate cameras, track users, and carry out other potentially devastating acts.
“Fraudsters monitor the location of the victim, and leverage Esca RAT to steal credentials to online-banking platforms and perform unauthorized access to the compromised account from the same device and IP – in such case fraud prevention teams are not able to detect it and react in a timely manner,” malware analyst Ali Saifeldin said.
Escanor is a well-known force on the Dark Web, where criminals buy and sell an array of illegal goods and services. It also has over 28,000 subscribers on its Telegram channel. The actor behind the malware is believed to be the same person or persons behind other hacking tools sold on the Dark Web, including ones known as Venom RAT and Pandora HVNC, which may have been incorporated into Escanor.