Hacking Group Dropping Malware Via Facebook, Cloud Services
Researchers: 'Molerats' Group Continues to Target Victims in Middle East
"Molerats," an Arabic-speaking advanced persistent threat group that has been targeting victims mainly in the Middle East for several years, is now abusing Facebook accounts, as well as other cloud-based platforms, to deploy previously undocumented malware as part of an ongoing espionage campaign, according to security firm Cybereason.
The hacking group, which is also known as the Gaza Cybergang, is a politically motivated organization that has been active since at least 2012. The group was previously tied to espionage campaigns in Israel and Palestine, but it also has targeted victims in the U.S. and Europe (see: Molerats Hackers Hit US, EU Governments).
In its recent campaign, which started in September and was active at least through November, the hackers targeted Arabic-speaking victims in the Palestinian territories, the United Arab Emirates and Egypt as well as non-Arabic speaking targets in Turkey, Cybereason notes in the report released Wednesday. The intended victims are usually high-ranking government officials, and the hackers are looking to steal documents.
"We noticed the beginning of the campaign in September 2020, with more attacks happening between October and November 2020, in correlation with the progress of the peace and normalization talks between Israel and Arab nations," a researcher with Cybereason's Nocturnus Team tells Information Security Media Group.
Although the victims of this campaign were initially infected using phishing emails that contained malicious documents, the researchers note that the hackers used Facebook accounts and cloud file-sharing platforms such as Dropbox and Google Drive as command-and-control infrastructure, so the malware's traffic blends in with legitimate use of those services. Cybereason has contacted the companies to report the abuse.
Other researchers, including those at Microsoft, have noted similar tactics used by nation-state hacking groups (see: Microsoft Shutters Azure Apps Used by China-Linked Hackers).
The Cybereason researchers note that the current Molerats campaign starts with the hackers sending phishing emails with political themes, typically about current events involving the Middle East region, to victims. These messages usually contain attached malicious documents, such as PDF files, that have links that lead to the Facebook pages or cloud services controlled by the group.
The Facebook pages and cloud services then act as command-and-control channels through which the hackers deliver malware to the intended victim. The Cybereason researchers found two new backdoors, dubbed SharpStage and DropBook, along with a malware downloader called MoleNet.
According to Cybereason, “all of [these] can allow the attackers the ability to execute arbitrary code and collect sensitive data for exfiltration from infected computers.”
While the newly discovered DropBook backdoor uses fake Facebook accounts for its command-and-control operations, the report notes that both SharpStage and DropBook use Dropbox to exfiltrate the data stolen from their targets and to store espionage tools.
Once a device is compromised, the SharpStage backdoor can capture screenshots, check whether Arabic is installed on the victim's device to confirm it is an intended target, and download and execute additional components. DropBook, on the other hand, is used for reconnaissance and to run shell commands, the report notes.
The attackers use MoleNet to collect system information from the compromised devices, communicate with the command-and-control servers and maintain persistence, according to the report.
Besides the new backdoor components, researchers note the hackers deployed an open-source remote access Trojan called Quasar, which was previously linked to a Molerats campaign in 2017.
Cybereason researchers note that once DropBook is running on a victim's device, it begins by fetching a token from a post on a fake Facebook account. The backdoor then polls certain Facebook posts in which commands and instructions are hidden.
These commands are then fetched by the malware from a "post-history" feature within the Facebook accounts, the report notes.
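Because the command channel described above is a legitimate, widely used service, blocking the domain is not an option for most organizations. The practical signal is not the destination but which process is talking to it and how regularly. The following detection sketch is an added example written for this article, not code from Cybereason or the report; it assumes a hypothetical pipe-delimited proxy export (timestamp|client_ip|process|host|path) and uses constructed sample log lines, including a made-up implant process name, purely for illustration.

```python
"""
Hunting for C2 that hides behind trusted services (Facebook, Dropbox,
Google Drive). Two checks over a constructed proxy log:
  1. a process that is neither a browser nor the service's own client
     talking to one of the watched services;
  2. near-periodic polling of a watched service by a non-browser process.
Log format (hypothetical): timestamp|client_ip|process|host|path
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Services the report says were abused for command-and-control and exfiltration.
WATCHED_SERVICES = ("facebook.com", "dropbox.com", "dropboxapi.com",
                    "drive.google.com", "googleapis.com")

# Processes for which traffic to these services is expected. A real deployment
# derives this from its own software inventory; these names are illustrative.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
APP_ALLOWLIST = {
    "dropbox.exe": ("dropbox.com", "dropboxapi.com"),
    "googledrivesync.exe": ("drive.google.com", "googleapis.com"),
}

# Constructed sample data. 10.0.0.5 is a normal user; 10.0.0.23 runs a
# made-up implant ("svchost_update.exe") polling Facebook every five minutes
# and pushing one file to Dropbox in between.
SAMPLE_LOG = """\
2020-11-03T09:00:00|10.0.0.5|chrome.exe|www.facebook.com|/
2020-11-03T09:00:00|10.0.0.5|dropbox.exe|www.dropbox.com|/sync
2020-11-03T09:00:00|10.0.0.23|svchost_update.exe|www.facebook.com|/posts
2020-11-03T09:03:00|10.0.0.5|dropbox.exe|www.dropbox.com|/sync
2020-11-03T09:05:00|10.0.0.23|svchost_update.exe|www.facebook.com|/posts
2020-11-03T09:06:30|10.0.0.23|svchost_update.exe|content.dropboxapi.com|/2/files/upload
2020-11-03T09:10:01|10.0.0.23|svchost_update.exe|www.facebook.com|/posts
2020-11-03T09:12:00|10.0.0.5|chrome.exe|www.dropbox.com|/home
2020-11-03T09:14:59|10.0.0.23|svchost_update.exe|www.facebook.com|/posts
2020-11-03T09:17:00|10.0.0.5|dropbox.exe|www.dropbox.com|/sync
2020-11-03T09:18:00|10.0.0.5|dropbox.exe|www.dropbox.com|/sync
2020-11-03T09:20:00|10.0.0.23|svchost_update.exe|www.facebook.com|/posts
"""


def parse_line(line):
    ts, ip, proc, host, path = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "ip": ip,
            "process": proc.lower(), "host": host.lower(), "path": path}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def watched_service(host):
    """Return the watched service a host belongs to, or None."""
    for svc in WATCHED_SERVICES:
        if host == svc or host.endswith("." + svc):
            return svc
    return None


def is_expected(proc, svc):
    return proc in BROWSERS or svc in APP_ALLOWLIST.get(proc, ())


def unexpected_clients(events):
    """Rule 1: (ip, process, service) tuples where the process has no
    business talking to that service."""
    findings = set()
    for e in events:
        svc = watched_service(e["host"])
        if svc and not is_expected(e["process"], svc):
            findings.add((e["ip"], e["process"], svc))
    return sorted(findings)


def beacons(events, min_hits=4, max_jitter=0.2):
    """Rule 2: near-periodic polling. The coefficient of variation of the
    inter-request gaps is compared with max_jitter; a low value means the
    timing is machine-driven. Browsers are skipped because user-driven
    refreshes are noisy and would only produce false negatives anyway."""
    series = defaultdict(list)
    for e in events:
        if watched_service(e["host"]) and e["process"] not in BROWSERS:
            series[(e["ip"], e["process"], e["host"])].append(e["ts"])
    out = []
    for key, stamps in series.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            out.append({"client": key, "hits": len(stamps), "period_s": round(avg)})
    return out


def analyze(log_text):
    events = parse_log(log_text)
    return {"unexpected": unexpected_clients(events), "beacons": beacons(events)}


if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_LOG).items():
        print(kind)
        for item in items:
            print("  ", item)
```

The caveat is the allowlist: the Dropbox desktop client legitimately talks to dropbox.com all day, so rule 1 has to know which processes are supposed to use each service, and rule 2 has to tolerate legitimate sync clients with irregular timing. In the sample, dropbox.exe on 10.0.0.5 is allowlisted and its four requests are irregular, so neither rule fires on it, while the implant is caught twice: once for being an unexpected client of both services, and once for its five-minute polling of the Facebook page.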
"Molerats created fake Facebook accounts specifically for this campaign and those accounts are being used by the group for command-and-control purposes, by sending instructions to the malware using a Facebook post," according to the Nocturnus Team researcher. "This is a clever way of hiding in plain sight, abusing the trust given to a legitimate platform such as Facebook and helping the group to remain under the radar."