‘MoleRats’ APT Displays New Trojan in New Cyber-Espionage Campaign!

Researchers from Proofpoint have spotted a new Middle East-targeted phishing campaign that delivers a new malware dubbed NimbleMamba.

Known Palestinian threat actor MoleRats is likely behind the recent malicious email campaign targeting Middle East governments, foreign-policy think tanks & state-affiliated airlines with a new intelligence-gathering trojan dubbed NimbleMamba, researchers stated.

Spear-Phishing

Researchers from Proofpoint explained they have observed a spear-phishing campaign using multiple methods since Nov. that they believe is the work of TA402, more commonly known as MoleRats & linked to the Palestinian Territories, according to a report posted online Tues.

The campaign uses various phishing lures & includes tactics not only to avoid being detected but also to ensure that its malware payload only attacks specific targets, Proofpoint researchers wrote in the report. Some of the attacks observed by the team also delivered a secondary payload, a trojan dubbed BrittleBush, they continued.

Intelligence-Gathering

NimbleMamba, delivered as a .NET executable obfuscated with 3rd-party obfuscators, is an intelligence-gathering trojan that researchers believe replaces LastConn, the malware TA402 used previously.

“NimbleMamba has the traditional capabilities of an intelligence-gathering trojan & is likely designed to be the initial access,” researchers said. “Functionalities include capturing screenshots & obtaining process information from the computer. Additionally, it can detect user interaction, such as looking for mouse movement.”

Gaza Cybergang

MoleRats is part of the Gaza Cybergang, an Arabic speaking, politically motivated collective of related threat groups actively targeting the Middle East & North Africa. It is known for attacks using spyware & other malware aimed at gathering intelligence.

Researchers from Zscaler have already spotted MoleRats targeting prominent Palestinians, as well as activists & journalists in Turkey, with spyware in a previously identified attack in Jan. That campaign used malicious files doctored to look like real content related to the Israeli-Palestine conflict.

Espionage Campaign

Proofpoint outlined 3 sorts of emails using different tactics & URLs aimed at fooling victims into clicking on malicious links to download the payloads.

One, which they saw in Nov., shows MoleRats pretending to be the Quora website whilst using an actor-controlled Gmail account with an actor-controlled domain, they outlined.

The attack method revealed a signature of the campaign: the use of ‘geofencing’ to deliver the malicious payload only to certain countries rather than to everyone who clicks on the email’s malicious link. The email seems to advertise Ugg boots for sale.

Targeted Countries

“The malicious URL, such as https[:]//www[.]uggboots4sale[.]com/news15112021.php, in the phishing email was geofenced to the targeted countries,” researchers wrote.

“If the target’s IP address fits into the targeted region, the user would be redirected to the .RAR file download containing the latest TA402 implant, NimbleMamba. If outside the target area, the user would be redirected to a legitimate news site.”

Dropbox URL

The 2nd variation, called “Dropbox URL,” was observed in Dec. using “multiple phishing pretences, including clickbait medical lures & ones allegedly sharing confidential geopolitical information,” researchers wrote.

This variation also used a Gmail account controlled by TA402 to send the email but moved to Dropbox URLs to deliver the malicious .RAR files containing NimbleMamba. It also abandoned the use of geofencing, they went on to say.

In this version, researchers noticed that the threat actor was also using the cloud-based file-sharing service Dropbox for malware command & control (C2), which prompted them to notify Dropbox of the malicious activity so it could be shut down, they commented. MoleRats was seen using Dropbox for C2 in its previously identified attacks in Jan.

3rd E-Mail

The 3rd email, observed in Dec. & Jan., used socially engineered content tailored to tempt the intended targets. In this variation, however, MoleRats “slightly adjusted their attack chain by inserting an additional actor-controlled WordPress URL,” researchers said.

The WordPress site impersonates a news ‘aggregator’ of the legitimate news site used in the 1st campaign variation, & likely redirects to the download site of the malicious .RAR files containing NimbleMamba if someone in the targeted region clicks on the link, researchers revealed.

“If the source IP address does not align with the target region, the URL will redirect the recipient to a benign website, typically an Arabic-language news website,” they added.
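The geofenced redirect described for the Ugg-boots lure and for the WordPress ‘aggregator’ above leaves a recognisable trace in web-proxy logs: the same actor-controlled URL answers some clients with a redirect to an archive download and others with a redirect to a benign news site. The script below is an added example, not part of the Proofpoint report; it runs over constructed proxy log lines (client IP, requested URL, status, Location header) and flags URLs whose redirect target differs by client, with at least one target being an archive file. The .rar download host and client IPs are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from the report). Fields: client IP,
# requested URL, HTTP status, Location header ("-" when none). The lure URL is
# the one quoted in the report; the .rar host and the IPs are placeholders.
SAMPLE_LOG = """\
203.0.113.10 https://www.uggboots4sale.com/news15112021.php 302 https://files.example/update.rar
198.51.100.7 https://www.uggboots4sale.com/news15112021.php 302 https://news.example/article
203.0.113.22 https://www.uggboots4sale.com/news15112021.php 302 https://files.example/update.rar
192.0.2.5 https://www.uggboots4sale.com/news15112021.php 302 https://news.example/article
192.0.2.9 https://cdn.example/assets/logo.png 200 -
"""

# Archive extensions worth treating as a payload delivery, matched at end of path
ARCHIVE_RE = re.compile(r"\.(rar|zip|7z|iso)(\?|$)", re.IGNORECASE)


def parse_log(text):
    """Parse the four-field log format into a list of dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ip, url, status, location = parts
        records.append({"ip": ip, "url": url, "status": int(status), "location": location})
    return records


def find_split_redirects(records):
    """Return {url: finding} for URLs that redirect some clients to an archive
    and other clients somewhere else, i.e. the geofencing guardrail pattern."""
    by_url = defaultdict(list)
    for r in records:
        if 300 <= r["status"] < 400 and r["location"] != "-":
            by_url[r["url"]].append(r)
    findings = {}
    for url, hits in by_url.items():
        targets = {h["location"] for h in hits}
        archive = {t for t in targets if ARCHIVE_RE.search(t)}
        # Only a URL that serves BOTH an archive and a non-archive target is suspicious here
        if archive and len(targets) > 1:
            findings[url] = {
                "archive_targets": sorted(archive),
                "other_targets": sorted(targets - archive),
                "clients_served_archive": sorted(h["ip"] for h in hits if h["location"] in archive),
            }
    return findings
```

The `clients_served_archive` list is the set of hosts that were inside the actor's target region and should be triaged first for a NimbleMamba download.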

NimbleMamba

The most commonly delivered payload of the campaign, NimbleMamba, has some similarities with TA402’s previously used deliverable, LastConn, but also some noticeable differences, researchers observed.

Both executables are written in C#, have base64 encoding within the C2 framework & use the Dropbox API for C2 communication. However, there appears to be little code overlap between the 2, they stated.

Unique

NimbleMamba’s use of ‘guardrails’ to ensure that all victims are within TA402’s target region also is unique, as is its use of the Dropbox API for both C2 as well as exfiltration, researchers wrote.

“The malware also contains multiple capabilities designed to complicate both automated & manual analysis,” they concluded.

“Based on this, Proofpoint assesses NimbleMamba is actively being developed, is well-maintained, & designed for use in highly targeted intelligence collection campaigns.”
