Threat Alert:

Molerats

ORANGE_THREAT_ALERT_CR_ICONS-54

Threat Overview

BLOCKED_EXECUTABLE_CR_ICONS-32
Threat Type
MALWARE
IMPACTEDGEO_GLOBE2_CR_ICONS-31
TARGET INDUSTRIES
High-ranking political figures & government officials
REDUCE_FALSE_POSITIVES_CR_ICONS-18
Attack Goal
Espionage
PLATFORM3_CR_ICONS-03
Impacted GEO
Palestinian Territories, UAE, Egypt and Turkey

What's Happening?

The Cybereason Nocturnus Team has identified an active espionage campaign attributed to the threat actor known as Molerats that employs three previously unidentified malware variants that abuse Facebook, Dropbox, Google Docs and Simplenote for command & control and the exfiltration of data from targets across the Middle East.

The newly discovered backdoors have been observed being used in conjunction with the Spark backdoor previously attributed to Molerats. The attackers also used the new espionage tools to download additional payloads including the infamous open-source Quasar RAT that was used previously by Molerats.

Read The Full Research

KEY OBSERVATIONS & TTPS

  • New Espionage Tools Developed by Molerats: Cybereason identified two new backdoors dubbed SharpStage and DropBook, as well as the MoleNet downloader, all of which can allow the attackers the ability to execute arbitrary code and collect sensitive data for exfiltration from infected computers.
  • Abuse of Facebook, Google Docs, Dropbox, and Simplenote Platforms: The newly discovered DropBook backdoor uses fake Facebook accounts or Simplenote for command and control (C2), and both SharpStage and DropBook abuse a Dropbox client to exfiltrate stolen data and for storing their espionage tools.
  • Political Phishing Themes: Emails used to lure the victims included themes like Israeli-Saudi relations, Hamas elections, news about Palestinian politicians, and other regional events including a secretive meeting between the His Royal Highness Mohammed bin Salman, Crown Prince of Saudi Arabia, the U.S. Secretary of State and the Israeli Prime Minister.
  • Connections to Previous Middle Eastern Campaigns: The newly discovered backdoors have been observed being used in conjunction with the Spark backdoor previously attributed to Molerats. The attackers also used these new espionage tools to download additional payloads including the infamous open-source Quasar RAT that was used previously by Molerats.

Remediation Steps

EDR2_CR_ICONS-11
Threat Hunting

Periodically proactively hunt for potential attacks on sensitive assets.

TECH_DEEPDIVE_KNOWLEDGE_CR_ICONS-27
Training

Consider social engineering awareness and training, which are key in preventing phishing attacks.

LOGIN_PASSWORDS_CR_ICONS-52
Monitor External Traffic

Monitor for suspicious external network traffic including traffic to legitimate platforms that could be abused for C2 and exfiltration.

PARTNER_SANDBOX_CR_ICONS-28
Antivirus

Ensure antivirus is deployed and up to date on all endpoints.

antivirus-01
Prevented & Detected by the Cybereason Defense Platform

Prevented & Detected by the Cybereason Defense Platform

Suffered a Breach?

Talk to a Specialist