Cybercrime , Fraud Management & Cybercrime , Malware as-a-Service

Hacking Group Dropping Malware Via Facebook, Cloud Services

Researchers: 'Molerats' Group Continues to Target Victims in Middle East
Hacking Group Dropping Malware Via Facebook, Cloud Services
Example of fake Facebook page used to help deliver Molerats' malware to victims (Source: Cybereason)

"Molerats," an Arabic-speaking advanced persistent threat group that has been targeting victims mainly in the Middle East for several years, is now abusing Facebook accounts, as well as other cloud-based platforms, to deploy previously undocumented malware as part of an ongoing espionage campaign, according to security firm Cybereason.

See Also: OnDemand | Combatting Rogue URL Tricks: How You Can Quickly Identify and Investigate the Latest Phishing Attacks

The hacking group, which is also known as the Gaza Cybergang, is a politically motivated organization that has been active since at least 2012. The group was previously tied to espionage campaigns in Israel and Palestine, but it also has targeted victims in the U.S. and Europe (see: Molerats Hackers Hit US, EU Governments).

In its recent campaign, which started in September and was active at least through November, the hackers targeted Arabic-speaking victims in the Palestinian territories, the United Arab Emirates and Egypt as well as non-Arabic speaking targets in Turkey, Cybereason notes in the report released Wednesday. The intended victims are usually high-ranking government officials, and the hackers are looking to steal documents.

"We noticed the beginning of the campaign in September 2020, with more attacks happening between October and November 2020, in correlation of the progress of the peace and normalization talks between Israel and Arab nations," a researcher with Cybereason's Nocturnus Team tells Information Security Media Group.

Although the victims of this campaign were initially infected using phishing emails that contained malicious documents, the researchers note the hackers used Facebook accounts and cloud file-sharing platforms such as Dropbox and Google Drive to set up the malware command-and-control servers to help hide the malicious code in plain sight. Cybereason has contacted the companies to report the abuse.

Other researchers, including those at Microsoft, have noted similar tactics used by nation-state hacking groups (see: Microsoft Shutters Azure Apps Used by China-Linked Hackers).

New Malware

The Cybereason researchers note that the current Molerats campaign starts with the hackers sending phishing emails with political themes, typically about current events involving the Middle East region, to victims. These messages usually contain attached malicious documents, such as PDF files, that have links that lead to the Facebook pages or cloud services controlled by the group.

The Facebook pages and cloud services then act as command-and-control servers for the hackers, which then can deliver malware to the intended victim. The Cybereason researchers found two new backdoors, dubbed SharpStage and DropBook, along with a malware downloader called MoleNet.

Malicious PDF file used as part of phishing campaign (Source: Cybereason)

According to Cybereason, “all of [these] can allow the attackers the ability to execute arbitrary code and collect sensitive data for exfiltration from infected computers.”

While the newly discovered DropBook backdoor uses fake Facebook accounts for its command-and-control operations, the report notes that both SharpStage and DropBook utilize Dropbox to exfiltrate the data stolen from their targets, as well as for storing espionage tools, according to the report.

Once a device is compromised, the SharpStage backdoor can capture screenshots, check for Arabic language presence in the victims' device for precision targeting and download and execute additional components. DropBook, on the other hand, is used for reconnaissance and to deploy shell commands, the report notes.

The attackers use MoleNet to collect system information from the compromised devices, communicate with the command-and-control servers and maintain persistence, according to the report.

Besides the new backdoor components, researchers note the hackers deployed an open-source remote access Trojan called Quasar, which was previously linked to a Molerats campaign in 2017.

Abusing Facebook

Cybereason researchers note that once the DropBook malware is in the victims' devices, it begins its operation by fetching a token from a post on a fake Facebook account. The backdoor then checks back for certain Facebook posts that hide commands and instructions.

These commands are then fetched by the malware from a "post-history" feature within the Facebook accounts, the report notes.

"Molerats created fake Facebook accounts specifically for this campaign and those accounts are being used by the group for command-and-control purposes, by sending instructions to the malware using a Facebook post," according to the Nocturnus Team researcher. "This is a clever way of hiding in plain sight, abusing the trust given to a legitimate platform such as Facebook and helping the group to remain under the radar."

About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.