Researchers have discovered a new espionage attack carried out by the Arabic-speaking Molerats APT group. The campaign has been targeting users in the Middle East since at least July 2021.

The campaign highlights

ThreatLabz's research team has discovered the new campaign and provided a complete technical analysis of the attack chain, threat attribution, data exfiltration, and the C2 infrastructure.
  • In December 2021, multiple macro-based MS Office files were uploaded from Middle Eastern countries to OSINT sources.
  • These files used decoy themes linked to geopolitical disputes between Palestine and Israel. Such themes were already used in previous Molerats attack campaigns.
  • In December, the attackers switched the distribution technique while making only a few changes to the DotNET backdoor.
  • The targets picked by the attackers included important members of the banking sector in Palestine, human rights activists and journalists in Turkey, and members of political parties in Palestine.

A strong suspicion

ThreatLabz identified multiple similarities (listed below) between this campaign and earlier campaigns associated with the Molerats APT group.
  • Overlap in the DotNET payload and in the use of the Dropbox API for all C2 communication.
  • Use of open-source as well as commercial packers (ConfuserEx and Themida) for the backdoor while targeting the Middle East.
  • Use of RAR files for backdoor propagation and in later stages.
  • Use of other legitimate cloud hosting services, such as Google Drive, to host the malicious payloads.
  • Overlapping SSL certificate and passive DNS resolution fingerprints were spotted in the recent attack infrastructure.

Conclusion

The Molerats APT group is active again with a new espionage campaign using a modified backdoor delivery mechanism. Organizations should therefore use the provided IOCs to identify the threat at an early stage and deploy a multilayered security platform for better detection and prevention.

Cyware Publisher