MoleRats APT Returns with Espionage Play Using Facebook, Dropbox


Level 83
Thread author
Top poster
Content Creator
Malware Hunter
Aug 17, 2014
The MoleRats advanced persistent threat (APT) has developed two new backdoors, both of which allow the attackers to execute arbitrary code and exfiltrate sensitive data, researchers said. They were discovered as part of a recent campaign that uses Dropbox, Facebook, Google Docs and Simplenote for command-and-control (C2) communications.

MoleRats is part of the Gaza Cybergang, an Arabic speaking, politically motivated collective of interrelated threat groups actively targeting the Middle East and North Africa, with a particular focus on the Palestinian Territories, according to previous research from Kaspersky. There are at least three groups within the gang, with similar aims and targets – cyberespionage related to Middle Eastern political interests – but very different tools, techniques and levels of sophistication, researchers said. One of those is MoleRats, which falls on the less-complex end of the scale, and which has been around since 2012.

The most recent campaign, uncovered by researchers at Cybereason, targets high-ranking political figures and government officials in Egypt, the Palestinian Territories, Turkey and the UAE, they noted. Emailed phishing documents are the attack vector, with lures that include various themes related to current Middle Eastern events, including Israeli-Saudi relations, Hamas elections, news about Palestinian politicians, and a reported clandestine meeting between the Crown Prince of Saudi Arabia, the U.S. Secretary of State Mike Pompeo and Israeli Prime Minister Benjamin Netanyahu.

“Analysis of the phishing themes and decoy documents used in the social engineering stage of the attacks show that they revolve mainly around Israel’s relations with neighboring Arab countries as well as internal Palestinian current affairs and political controversies,” Cybereason researchers noted.

In analyzing the offensive, they uncovered the SharpStage and DropBook backdoors (as well as a new version of a downloader dubbed MoleNet), which are interesting in that they use legitimate cloud services for C2 and other activities.
For instance, the DropBook backdoor uses fake Facebook accounts or Simplenote for C2, and both SharpStage and DropBook abuse a Dropbox client to exfiltrate stolen data and for storing their espionage tools, according to the analysis, issued Wednesday. Cybereason found that both have been observed being used in conjunction with the known MoleRats backdoor Spark; and both have been seen downloading additional payloads, including the open-source Quasar RAT. [...]


Level 11
Aug 21, 2018
"The phishing emails arrive with a non-boobytrapped PDF attachment that will evade scanners, according to Cybereason. When a victim clicks it open, they receive a message that they will need to download the content from a password-protected archive. Helpfully, the message provides the password and gives targets the option of downloading from either Dropbox or Google Drive. This initiates the malware installation."

Where i'm working at, if you get an email with an attachment like PDF from trusted source or non-trusted sources we save the PDF and use online-pdf viewer to see it. We do not click anything email attachment directly. Save, upload it to online viewer. This is paranoid i know, but actually it saved our asses one time.