Molerats Abuse Cloud Platforms in Middle East Espionage Campaign
December 11, 2020
Cybereason
has identified an active espionage campaign employing three previously
unidentified malware variants. The newly discovered operation uses Facebook,
Dropbox, Google Docs and Simplenote for command & control in order to directly
target victims’ computers for exfiltration of sensitive data.
Cybereason attributes the espionage campaign to Molerats (aka The Gaza Cybergang),
an Arabic-speaking, politically motivated APT group that has operated in the
Middle East since 2012. Earlier this year, Cybereason researchers reported the
discovery of the Spark and Pierogi backdoors that were assessed to be part of
targeted attacks executed by Molerats against Palestinian officials.
This latest campaign leverages two previously unidentified backdoors dubbed
SharpStage and DropBook, as well as a downloader dubbed MoleNet. The campaign
leverages phishing documents that include various themes related to current
Middle Eastern events, including a reportedly clandestine meeting between
His Royal Highness Mohammed bin Salman, Crown Prince of Saudi Arabia, the U.S.
Secretary of State Mike Pompeo and Israeli Prime Minister Benjamin Netanyahu.
Cybereason researchers’ key findings include:
● New Espionage Tools Developed by Molerats: Cybereason identified two new
backdoors dubbed SharpStage and DropBook, as well as the MoleNet downloader, all
of which can allow the attackers the ability to execute arbitrary code and
collect sensitive data for exfiltration from infected computers.
● Abuse of Facebook, Google Docs, Dropbox, and Simplenote Platforms: The newly
discovered DropBook backdoor uses fake Facebook accounts or Simplenote for
command and control (C2), and both SharpStage and DropBook abuse a Dropbox
client to exfiltrate stolen data and for storing their espionage tools.
● Political Phishing Themes: Emails used to lure the victims included themes like
Israeli-Saudi relations, Hamas elections, news about Palestinian politicians,
and other regional events including a secretive meeting between His Royal
Highness Mohammed bin Salman, Crown Prince of Saudi Arabia, the U.S. Secretary
of State and the Israeli Prime Minister.
● Connections to Previous Middle Eastern Campaigns: The newly discovered
backdoors have been observed being used in conjunction with the Spark backdoor
previously attributed to Molerats. The attackers also used these new espionage
tools to download additional payloads including the infamous open-source Quasar
RAT that was used previously by Molerats.
● Targeting Across the Middle East: The operation was primarily observed
targeting the Palestinian Territories, UAE, Egypt as well as Turkey. Given the
nature of the phishing content, Cybereason assesses that the campaign operators
seek to target high ranking political figures and government officials in the
Middle East.
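The findings above describe backdoors that hide command and control and exfiltration inside traffic to Facebook, Simplenote, Dropbox and Google Docs. The following is an added example, not code from Cybereason or any artifact of the campaign, showing one defensive heuristic a SOC can run over proxy or EDR telemetry: flag connections to those services that originate from a process other than a browser or the service's official client, and flag bulk POST uploads even from an expected client. The log format, process allowlist, byte threshold and the sample log lines are all constructed assumptions.

```python
"""Heuristic triage of proxy/EDR telemetry for cloud-service C2 and exfiltration.

Added illustration, not Cybereason's code. Log line format (assumed):
    <timestamp> <process> <destination host> <method> <bytes_out>
"""
from dataclasses import dataclass

# Public domains of the services named in the report, mapped to a label.
# (dropboxapi.com is Dropbox's API domain; the mapping itself is an assumption.)
WATCHED_SERVICES = {
    "dropbox.com": "dropbox",
    "dropboxapi.com": "dropbox",
    "facebook.com": "facebook",
    "simplenote.com": "simplenote",
    "docs.google.com": "google_docs",
}

# Processes we expect to talk to those services (assumed allowlist).
ALLOWED_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe", "dropbox.exe"}

# Outbound bytes in a single POST that we treat as a bulk upload (assumed).
EXFIL_BYTES = 1_000_000


@dataclass
class Event:
    ts: str
    process: str
    host: str
    method: str
    bytes_out: int


def service_for(host: str):
    """Return the service label for a host, matching the domain or any subdomain."""
    for suffix, label in WATCHED_SERVICES.items():
        if host == suffix or host.endswith("." + suffix):
            return label
    return None


def parse_line(line: str) -> Event:
    ts, process, host, method, bytes_out = line.split()
    return Event(ts, process.lower(), host.lower(), method.upper(), int(bytes_out))


def triage(lines):
    """Return (timestamp, process, service, reason) tuples worth an analyst's look."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        service = service_for(ev.host)
        if service is None:
            continue  # not one of the services named in the report
        if ev.process not in ALLOWED_PROCESSES:
            # A non-browser, non-client binary reaching a consumer cloud service
            # is the pattern the DropBook/SharpStage description points at.
            alerts.append((ev.ts, ev.process, service, "unexpected_process"))
        elif ev.method == "POST" and ev.bytes_out >= EXFIL_BYTES:
            # Even the official client can be abused for exfiltration; surface
            # large uploads for review rather than silently trusting the binary.
            alerts.append((ev.ts, ev.process, service, "bulk_upload"))
    return alerts


# Constructed sample telemetry; none of these hosts or sizes come from the report.
SAMPLE_LOG = [
    "2020-12-01T10:00:00Z chrome.exe www.facebook.com GET 512",
    "2020-12-01T10:01:00Z chrome.exe app.simplenote.com GET 300",
    "2020-12-01T10:02:00Z updater.exe graph.facebook.com POST 800",
    "2020-12-01T10:03:00Z dropbox.exe content.dropboxapi.com POST 5000000",
    "2020-12-01T10:04:00Z outlook.exe outlook.office365.com POST 4000",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

Run as a script it prints two alerts: the unknown `updater.exe` process talking to Facebook, and a multi-megabyte upload through the Dropbox client. In production the allowlist would be derived from your own software inventory and the threshold from a baseline of normal upload sizes; the point of the heuristic is that the destination being a legitimate service is not, on its own, a reason to treat the traffic as benign.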
“While it’s no surprise to see threat actors take advantage of politically
charged events to fuel their phishing campaigns, it is concerning to see an
increase in social media platforms being used for issuing command and control
instructions and other legitimate cloud services being used for data
exfiltration activities,” said Lior Div, Cybereason co-founder and CEO. “This
puts the onus even more on the defenders to be hypervigilant with regard to
potentially malicious network traffic connecting to legitimate services, and it
underscores the need to adopt an operation-centric approach to expose these more
subtle indicators of behavior. Uncontextualized alerts won’t uncover a stealthy
attack like this, that’s why Cybereason enables security teams to be
operation-centric instead of alert-centric, so they can quickly make
correlations across seemingly unrelated events on the network and beyond.”