A week ago Israel's well-known Mossad posted a recruitment ad challenging security experts to solve multiple puzzles if they wished to apply for an "operational cyber security expert" position. For the top-secret Israeli intelligence agency this was the first ad addressing hackers directly, but the direct approach is quite common among other agencies, which have been publishing such ads since the WWII era. These days you can even find want ads on the NSA's official Twitter accounts.
Surprisingly, this is not the only Mossad-related cyber-security news that popped up this week. Security researcher @benkow recently spotted the Mossad's emblem in a very different and odd context: the command-and-control infrastructure of a POS malware called TreasureHunter, which contained what he called a "funny Jewish C&C".
POS malware is typically implanted in point-of-sale devices by cybercriminals in order to collect and exfiltrate payment card data, either for their own use or for sale on the underground market. The so-called "Jewish" TreasureHunter sample @benkow stumbled upon is version 0.1 of this specific POS malware, which has apparently been active for less than a week.
It is unclear why the crooks behind this TreasureHunter campaign chose the Mossad emblem for their C&C servers. Did they take part in the recent recruitment challenge? It is plausible, but the chances are slim, since the challenge was blocked for non-Israeli IP addresses and the operators of similar POS malware operations haven't been linked to Israel or to Israeli citizens.
Was the Mossad emblem used as a feeble attempt to link the Israeli intelligence agency to illicit activities? The current geopolitical atmosphere has produced quite a number of entities interested in smearing the reputation of official Israeli institutions. However, there are much easier ways to accomplish that than posting the Mossad emblem on an inaccessible remote malware C&C server.
Is the Mossad entering the profitable POS malware scene? If so, using their emblem on a public webpage is about as realistic as a James Bond movie :)
Perhaps these hackers heard the Mossad's name in a recent action movie and just re-used a cool picture from Wikipedia?
Unfortunately, at least for the time being, this remains a mystery, one that will probably require a true Mossad agent to solve.
    rule TreasureHunter_POS   // rule name supplied here; the page did not preserve it
    {
        meta:
            author = "Minerva Labs"
            date = "2016/06"
            maltype = "Point of Sale (POS) Malware"
            filetype = "exe"
        strings:
            $a = "treasureHunter.pdb"
            $b = "jucheck"
            $c = "cmdLineDecrypted"
        condition:
            all of them
    }
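To make the rule's matching logic concrete, here is an added Python example (not Minerva Labs' code and not a YARA implementation) that reimplements the three string checks and the "all of them" condition over constructed byte buffers; it also shows why a single generic string such as "jucheck" on its own would not be a useful indicator. Production scanning should use yara itself.

```python
"""Toy evaluator for the YARA rule above (added example, not Minerva Labs' code).

It mirrors only the subset of YARA used by that rule: plain, case-sensitive
ASCII strings and an "all of them" / "any of them" / "<N> of them" condition.
"""
import re

# The three strings from the rule on the page.
STRINGS = {
    "$a": b"treasureHunter.pdb",
    "$b": b"jucheck",
    "$c": b"cmdLineDecrypted",
}


def matched_strings(data: bytes, strings=STRINGS) -> set:
    """Return the identifiers of every pattern found in data."""
    return {name for name, pat in strings.items() if pat in data}


def evaluate(condition: str, data: bytes, strings=STRINGS) -> bool:
    """Evaluate an 'all of them' / 'any of them' / '<N> of them' condition."""
    m = re.fullmatch(r"\s*(all|any|\d+)\s+of\s+them\s*", condition)
    if not m:
        raise ValueError(f"unsupported condition: {condition!r}")
    hits = len(matched_strings(data, strings))
    quant = m.group(1)
    if quant == "all":
        return hits == len(strings)
    if quant == "any":
        return hits >= 1
    return hits >= int(quant)


# Constructed buffers standing in for scanned files; the real sample is not reproduced here.
SAMPLE_MATCH = (b"MZ\x90\x00" + b"\x00" * 16 + b"cmdLineDecrypted\x00jucheck\x00"
                + b"C:\\build\\treasureHunter.pdb\x00")
# Only the generic string is present, so "all of them" must not fire on it.
SAMPLE_BENIGN = b"MZ\x90\x00" + b"\x00" * 16 + b"jucheck.exe\x00"

if __name__ == "__main__":
    for label, buf in (("constructed TreasureHunter-like", SAMPLE_MATCH),
                       ("constructed benign", SAMPLE_BENIGN)):
        print(label, sorted(matched_strings(buf)), evaluate("all of them", buf))
```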