Molerats APT Strikes Again with New NimbleMamba Malware

What’s the update?

• Researchers from Proofpoint spotted a new email phishing campaign that targeted multiple Middle Eastern governments, foreign-policy think tanks, and a state-affiliated airline.
• These entities were targeted using NimbleMamba, a new intelligence-gathering trojan, that was delivered via various phishing lures.
• In some of these attacks observed by the team, a secondary payload BrittleBush was also used.
• The campaign leveraged three types of emails,  pretending to be from Quora, Ugg boots, or  Dropbox, and were distributed between November 2021 and January 2022.
• One of these phishing emails also used a Gmail account to send the email but later shifted to Dropbox URLs to deliver the malicious .rar files containing NimbleMamba.

About NimbleMamba

• NimbleMamba is believed to share some similarities with Molerats’ previous executable LastConn that was first reported in June 2021.
• According to Cybereason, LastConn was likely an updated version of the SharpStage malware.
• While NimbleMamba and LastConn share similarities such as being written in C#, base64 encoding within the C2 framework, and use of Dropbox API for C2 communication, there appears to be little code overlap between the two.
• Although the malware is still being actively developed, ProofPoint notes that it contains multiple capabilities designed to complicate both automated and manual analysis.

MiddleEast remains a favorite target

• Since its inception, the state-sponsored Molerats APT group has been persistent in targeting organizations and governments in the Middle East by routinely updating its malware implants and delivery methods.
• One such attack campaign was discovered by the Zscaler research team in December 2021.
• The campaign was active since at least July 2021 and leveraged multiple macro-based MS office files to deliver a new variant of the DotNET backdoor.

Conclusion