The Mole Rats advanced persistent threat (APT) has developed 2 new backdoors, both of which allow the attackers to execute arbitrary code & exfiltrate sensitive data, researchers commented.
They were discovered as part of a recent campaign that uses Dropbox, Facebook, Google Docs & Simple note for command-&-control (C2) communications.
This threat group is increasing its espionage activity in the context of the current political climate, & recent events in the Middle East, with 2 new backdoors.
Gaza Cybergang
Mole Rats is part of the Gaza Cybergang, an Arabic speaking, politically motivated collective of interrelated threat groups actively targeting the Middle East & North Africa, with a particular focus on the Palestinian Territories, according to previous research from Kaspersky.
There are at least 3 groups within the gang, with similar aims & targets – cyber-espionage related to ME political interests – but very different tools, techniques & levels of sophistication, researchers commented.
Less-Complex
One of those is Mole Rats, which falls on the less-complex end of the scale, & which has existed since 2012.
The most recent campaign, discovered by researchers at Cybereason, targets high-ranking political figures & government officials in Egypt, the Palestinian Territories, Turkey & the UAE, they noted.
Phishing
Emailed phishing documents are the attack vector, with lures that include various themes related to current Middle Eastern events, including Israeli-Saudi relations, Hamas elections, news about Palestinian politicians, & a reported clandestine meeting between the Crown Prince of Saudi Arabia, the US Secretary of State Mike Pompeo & Israeli PM Benjamin Netanyahu.
“Analysis of the phishing themes & decoy documents used in the social engineering stage of the attacks show that they revolve mainly around Israel’s relations with neighbouring Arab countries as well as internal Palestinian current affairs & political controversies,” Cybereason researchers noted.
In analysing the offensive, they uncovered the Sharp Stage & Drop Book backdoors (as well as a new version of a downloader dubbed Mole Net), which are interesting in that they use legitimate cloud services for C2 & other activities.
Drop Book
For instance, the Drop Book backdoor uses fake Facebook accounts or Simple note for C2, & both Sharp Stage & Drop Book abuse a Dropbox client to exfiltrate stolen data & for storing their espionage tools, according to the analysis, issued Wednesday.
Cybereason found that both have been observed being used in conjunction with the known Mole Rats backdoor Spark; both have been seen downloading additional payloads, including the open-source Quasar RAT.
Quasar RAT is billed as a legitimate remote administration tool for Windows, but it can be used for malicious purposes, like keylogging, eavesdropping, uploading data, downloading code etc. It is been used by various APTs in the past, including Mole Rats & the Chinese-speaking APT 10.
Infection Routine & Malware Breakdown
The phishing emails arrive with a non-boobytrapped PDF attachment that will evade scanners, according to Cybereason.
When a victim clicks it open, they receive a message that they will need to download the content from a password-protected archive. Helpfully, the message provides the password & gives targets the option of downloading from either Dropbox or Google Drive. This initiates the malware installation.
Screen Captures
The Sharp Stage backdoor is a .NET malware that appears to be under continuous development.
The latest version (a 3d iteration) performs screen captures & checks for the presence of the Arabic language on the infected machine, thus avoiding execution on non-relevant devices, researchers explained. It also has a Dropbox client API to communicate with Dropbox using a token, to download & exfiltrate data.
It also can execute arbitrary commands from the C2 & can download & execute additional payloads.
Decoy Document
Victims receive a decoy document as part of the infection gambit. Cybereason observed that the document contains information allegedly created by the media department of the Popular Front for the Liberation of Palestine (PLFP) describing preparations for the commemoration of the PLFP’s 53rd anniversary.
“It is it is unclear whether it is a stolen authentic document or perhaps a document forged by the attackers & made to appear as if it originated from the Front’s high-rank official,” says the report.
Python
Drop Book meanwhile is a Python-based backdoor compiled with PyInstaller. Researchers explained it can install programs & file names; execute shell commands received from Facebook/Simple note; & download & execute additional payloads using Dropbox.
Like Sharp Stage, it checks for the presence of an Arabic keyboard. Drop Book also only executes if WinRAR is installed on the infected computer, researchers outlined, probably because it is needed for a later stage of the attack.
Social Media
As for its use of social media, & the cloud, “Drop Book fetches a Dropbox token from a Facebook post on a fake Facebook account,” according to the report.
“The backdoor’s operators are able to edit the post in order to change the token used by the backdoor. In case Drop Book fails getting the token from Facebook, it tries to get the token from Simple note.”
After receiving the token, the backdoor collects the names of all files & folders in the “Program Files” directories & in the desktop, writes the list to a text file, & then uploads the file to Dropbox under the name of the current username logged on to the machine.
Drop Book then checks the fake Facebook account post, this time in order to receive commands.
Backdoor
“The attackers are able to edit the post in order to provide new instructions & commands to the backdoor,” according to Cybereason.
“Aside from posting commands, the fake Facebook profile is empty, showing no connections or any personal information about its user, which further strengthens the assumption that it was created solely for serving as a command-and-control for the backdoor.”
Both Sharp Stage & Drop Book exploit legitimate web services to store their weapons & to deliver them to their victims in a stealthy manner, abusing the trust given to these platforms. While the exploitation of social media for C2 communication is not new, it is not often observed in the wild, the team noted.
Politically Charged Events
“While it’s no surprise to see threat-actors take advantage of politically charged events to fuel their phishing campaigns, it is concerning to see an increase in social-media platforms being used for issuing C2 instructions & other legitimate cloud services being used for data exfiltration activities,” commented Lior Div, Cybereason Co-founder & CEO, in a statement.
The campaign shows that Mole Rats could be ramping up its activity, according to the firm.
“The discovery of the new cyber-espionage tools along with the connection to previously identified tools used by the group suggest that Mole Rats is increasing their espionage activity in the region in light of the current political climate & recent events in the Middle East,” the report concluded.
