Anonymous members who wanted to participate in this year's annual #OpIsrael cyber-attacks were the targets of an intelligence gathering operation carried out by an unknown threat actor.

#OpIsrael is an annual campaign of the Anonymous hacker collective that takes place on April 7. The date was chosen in 2013, the first year when #OpIsrael took place.

Initially, the attackers wanted to attack Israel ahead of the local Holocaust Remembrance Day, which that year fell on April 8. Because Israel's National Holocaust Remembrance Day falls on a different day each year, between April 7 & May 7, attacks in subsequent years stuck to the April 7 date.

During this day each year, several Muslim-dominant Anonymous factions launch attacks against Israeli targets, such as defacements, DDoS attacks, or data leaks.

In most cases, these have been attacks against small targets, and rarely have hackers targeted government agencies. Most of the time, security experts called #OpIsrael a nuisance, rather than a threat, but the hatred between Israel and nearby Muslim countries ensured the campaign took place year after year, no matter how lame some of the attacks were.

Links spreading RATs found on Twitter

Just like each year, weeks before April 7, various Anonymous groups started promoting this year's #OpIsrael campaign on Twitter, Facebook, and YouTube.

Digging through the vast number of tweets, threat intelligence analysts from US cyber-security firm Digital Shadows found a Twitter account that was offering free DDoS tools for anyone willing to participate in the attacks.

The practice of creating special DDoS tools for a specific event isn't anything out of the ordinary, as Anonymous hackers did the same thing for the massive DDoS attacks against the Brazilian government during the Rio Olympics last summer.

Those tools weren't laced with malware, but the ones distributed in #OpIsrael are. For example, the tweet below urges users to download an Android app that would allow users to launch DDoS attacks from their phone against a target of the #OpIsrael campaign.

The link, obfuscated for obvious reasons, leads the user to a SendSpace page where they can download the malicious APK.

A VirusTotal scan of the app reveals its malicious payload, a Remote Access Trojan that was packed inside the app and which allows attackers to access the hacktivist's camera, SMS messages, microphone, browser, call logs, and physical location via GPS.

Similarly, the same Twitter account also tweeted download links to a similar tool for Windows users.

This link led to a legitimate site that appeared to have been compromised and used to host a similar malware-laced DDoS tool.

At the time of writing, the malware payload was removed from the website, so we couldn't get a copy of the tool. According to Digital Shadows experts, this Windows app contained a copy of Dark Comet, a powerful RAT that grants attackers full control over the victim's PC.

Who's behind the attacks?

Just like #OpIsrael is a campaign by Anonymous Muslim members, there is also #OpIslam, a similar operation carried out by Anonymous members of other religion groups.

It is safe to speculate that two parties are the main suspects behind the Twitter account spreading the RATs.

The first could be fellow Anonymous members participating in #OpIslam, and who want to sabotage the efforts of #OpIsrael attackers, and possibly reveal their real identities.

The second group could be Israeli intelligence services, who want to uncover the individuals who've been attacking Israeli businesses and individuals in the past years.

Past #OpIsrael campaigns

Last year, in 2016, the #OpIsrael campaign was fueled by pro-Palestine hacker groups, usually of Arab origin, such as Anonymous Arab, AnonGhost, AnonSec, and the Meca group.

In 2015, an Anonymous hacker named Mauritania Attacker, member of AnonGhost, donated the money the group stole in #OpIsrael attacks to multiple Palestinian charities.

In 2014, following the successful #OpIsrael DDoS attacks from 2013, several Israeli government departments opted to shut down their websites on their own terms instead of dealing with the DDoS attacks.

Attacks took place, but Israeli hackers fought back and exposed some of the attackers.