Threat Alert:

What's Happening?

The Cybereason Nocturnus Team has identified an active espionage campaign attributed to the threat actor known as Molerats that employs three previously unidentified malware variants that abuse Facebook, Dropbox, Google Docs and Simplenote for command & control and the exfiltration of data from targets across the Middle East.

The newly discovered backdoors have been observed being used in conjunction with the Spark backdoor previously attributed to Molerats. The attackers also used the new espionage tools to download additional payloads including the infamous open-source Quasar RAT that was used previously by Molerats.

Read The Full Research

KEY OBSERVATIONS & TTPS

• New Espionage Tools Developed by Molerats: Cybereason identified two new backdoors dubbed SharpStage and DropBook, as well as the MoleNet downloader, all of which can allow the attackers the ability to execute arbitrary code and collect sensitive data for exfiltration from infected computers.
• Abuse of Facebook, Google Docs, Dropbox, and Simplenote Platforms: The newly discovered DropBook backdoor uses fake Facebook accounts or Simplenote for command and control (C2), and both SharpStage and DropBook abuse a Dropbox client to exfiltrate stolen data and for storing their espionage tools.
• Political Phishing Themes: Emails used to lure the victims included themes like Israeli-Saudi relations, Hamas elections, news about Palestinian politicians, and other regional events including a secretive meeting between the His Royal Highness Mohammed bin Salman, Crown Prince of Saudi Arabia, the U.S. Secretary of State and the Israeli Prime Minister.
• Connections to Previous Middle Eastern Campaigns: The newly discovered backdoors have been observed being used in conjunction with the Spark backdoor previously attributed to Molerats. The attackers also used these new espionage tools to download additional payloads including the infamous open-source Quasar RAT that was used previously by Molerats.