Molerats, a Middle Eastern APT group, is active again after a two-month hiatus. Since last month, the APT group has been observed targeting government institutions in the Middle East and global government firms related to geopolitics in new campaigns.
What has happened?
Proofpoint has identified and linked a malicious activity to the politically motivated threat actor tracked as TA402, also known as GazaHackerTeam and Molerats.
- Based on its targeting and past campaigns, Molerats is suspected to have motives that align with military or Palestinian state goals and believed to be active for almost a decade.
- The recent attacks start with spear-phishing emails written in Arabic and include PDF attachments that come with a malicious geofenced URL.
- These malicious URLs are selectively directing victims to a password-protected archive if the source IP address is associated with the targeted countries in the Middle East.
Recipients who fall outside of the target set are directed to a genuine decoy website, typically Arabic language news websites such as Al Jazeera (aljazeera[.]net) and Al Akhbar (al-akhbar[.]com).
- The final step in the infection chain is the extraction of the archive to drop a custom implant named LastConn, which is an upgraded or newer variant of a backdoor called SharpStage disclosed last December.
- Along with displaying a decoy document when LastConn is executed for the first time, the malware relies mainly on Dropbox API to execute or download files hosted on the cloud service.
- Additionally, to run arbitrary commands and capture screenshots, the results are exfiltrated back to Dropbox. Molerats uses Dropbox for all C2 infrastructure and capabilities.
Molerats is a very effective and competent threat actor that has been a serious threat for a decade. The group is constantly targeting entities working with the government or other geopolitical entities in the Middle East. Furthermore, it is focused on developing or updating customized malware to sneak past defenses and avoid detection.