Back to Newsroom

Cybereason Uncovers New Malware Arsenal Abusing Facebook and Dropbox in Middle East Espionage Campaign

Dec 9, 2020

Cybereason, the leader in future-ready attack protection, today announced that it has identified an active espionage campaign employing three previously unidentified malware variants. The newly discovered operation uses Facebook, Dropbox, Google Docs and Simplenote for command & control in order to directly target victims’ computers for exfiltration of sensitive data.

Cybereason attributes the espionage campaign to Molerats (aka The Gaza Cybergang), an Arabic-speaking, politically motivated APT group that has operated in the Middle East since 2012. Earlier this year, Cybereason researchers reported the discovery of the Spark and Pierogi backdoors that were assessed to be part of targeted attacks executed by Molerats against Palestinian officials.

This latest campaign leverages two previously unidentified backdoors dubbed SharpStage and DropBook, as well as a downloader dubbed MoleNet. The campaign leverages phishing documents that include various themes related to current Middle Eastern events, including a reportedly clandestine meeting between the His Royal Highness Mohammed bin Salman, Crown Prince of Saudi Arabia, the U.S. Secretary of State Mike Pompeo and Israeli Prime Minister Benjamin Netanyahu.

Cybereason researchers’ key findings include:

● New Espionage Tools Developed by Molerats: Cybereason identified two new backdoors dubbed SharpStage and DropBook, as well as the MoleNet downloader, all of which can allow the attackers the ability to execute arbitrary code and collect sensitive data for exfiltration from infected computers.

● Abuse of Facebook, Google Docs, Dropbox, and Simplenote Platforms: The newly discovered DropBook backdoor uses fake Facebook accounts or Simplenote for command and control (C2), and both SharpStage and DropBook abuse a Dropbox client to exfiltrate stolen data and for storing their espionage tools.

● Political Phishing Themes: Emails used to lure the victims included themes like Israeli-Saudi relations, Hamas elections, news about Palestinian politicians, and other regional events including a secretive meeting between His Royal Highness Mohammed bin Salman, Crown Prince of Saudi Arabia, the U.S. Secretary of State and the Israeli Prime Minister.

● Connections to Previous Middle Eastern Campaigns: The newly discovered backdoors have been observed being used in conjunction with the Spark backdoor previously attributed to Molerats. The attackers also used these new espionage tools to download additional payloads including the infamous open-source Quasar RAT that was used previously by Molerats.

● Targeting Across the Middle East: The operation was primarily observed targeting the Palestinian Territories, UAE, Egypt as well as Turkey. Given the nature of the phishing content, Cybereason assesses that the campaign operators seek to target high ranking political figures and government officials in the Middle East.

“While it’s no surprise to see threat actors take advantage of politically charged events to fuel their phishing campaigns, it is concerning to see an increase in social media platforms being used for issuing command and control instructions and other legitimate cloud services being used for data exfiltration activities,” said Lior Div, Cybereason co-founder and CEO. “This puts the onus even more on the defenders to be hypervigilant with regard to potentially malicious network traffic connecting to legitimate services, and it underscores the need to adopt an operation-centric approach to expose these more subtle indicators of behavior. Uncontextualized alerts won’t uncover a stealthy attack like this, that’s why Cybereason enables security teams to be operation-centric instead of alert-centric, so they can quickly make correlations across seemingly unrelated events on the network and beyond.”

The full report, titled Molerats in the Cloud: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign, is available for download here:
https://www.cybereason.com/blog/New-Malware-Arsenal-Abusing-Cloud-Platforms-in-Middle-East-Espionage-Campaign

About Cybereason
Cybereason is the champion for today’s cyber defenders providing future-ready attack protection that unifies security from the endpoint, to the enterprise, to everywhere the battle moves. The Cybereason Defense Platform combines the industry’s top-rated detection and response (EDR and XDR), next-gen anti-virus (NGAV), and proactive threat hunting to deliver context-rich analysis of every element of a Malop (malicious operation). The result: defenders can end cyber attacks from endpoints to everywhere. Cybereason is a privately held, international company headquartered in Boston with customers in more than 30 countries.

Media Contacts:

Bill Keeler
Senior Director, Global Public Relations
Cybereason
bill.keeler@cybereason.com
(929) 259-3261