Molerats APT

Overview

Molerats malware is also known as ALUMINUM SARATOGA, Extreme Jackal, G0021, Gaza Cybergang, Gaza Hackers Team, Moonlight, and Operation Molerats. It has mainly targeted government institutions in the Middle East, as well as government organizations worldwide that are involved in the geopolitics of the region.

Molerats is an Advanced Persistent Threat (APT) whose interests centre on Israel and Palestine, along with other parts of the Middle East. The threat actor's custom malware implant performs reconnaissance on the victim and exfiltrates data. It also uses several mechanisms to evade automated threat analysis: geofencing based on IP addresses, infecting only computers that have an Arabic language pack installed, and distributing the malware inside password-protected archive files.

Main Features

  • Uses open-source and commercial packers for the backdoor.
  • Targets the Middle East region.
  • Uses the Dropbox API for all C2 communication.
  • Uses RAR archives to deliver the backdoor and later stages.
  • Uses other legitimate cloud hosting services, such as Google Drive, to host payloads.

Analysis

In its recent email-based campaigns, this threat actor has been using the malware LastConn, an updated version or new variant of SharpStage. The malware specifically checks for an installed Arabic language pack so that it only runs on the intended targets. It is actively developed and maintained, and it relies on Dropbox for all of its C2 capabilities and infrastructure. It also has several characteristics that hinder both automated and manual malware analysis.
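Because the implant routes all of its C2 through the Dropbox API, one practical detection is to look for processes other than the Dropbox client or a browser talking to Dropbox API hosts. The following Python is an added illustration, not code from the original post or from any vendor report; the log format, the event lines and the process allowlist are constructed assumptions and would need to be adapted to real endpoint telemetry.

```python
from collections import defaultdict

# Constructed sample of simplified, Sysmon-style network events:
# "<timestamp> <hostname> <process image path> <destination host>".
# These lines are made up for the example; they are not real telemetry.
SAMPLE_EVENTS = """\
2021-06-01T09:01:02Z WS01 C:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe api.dropboxapi.com
2021-06-01T09:02:10Z WS01 C:\\Program Files\\Mozilla Firefox\\firefox.exe www.dropbox.com
2021-06-01T09:05:44Z WS02 C:\\Users\\a\\AppData\\Roaming\\svc\\update.exe api.dropboxapi.com
2021-06-01T09:05:45Z WS02 C:\\Users\\a\\AppData\\Roaming\\svc\\update.exe content.dropboxapi.com
2021-06-01T09:10:00Z WS03 C:\\Windows\\System32\\svchost.exe www.microsoft.com
"""

# Dropbox API endpoints the implant would have to reach for its C2 channel.
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com", "notify.dropboxapi.com"}

# Hypothetical allowlist of process images expected to use the Dropbox API.
ALLOWED_IMAGES = {"dropbox.exe", "firefox.exe", "chrome.exe", "msedge.exe"}


def parse_event(line):
    """Split one constructed event line into its fields.

    The image path may contain spaces, but the destination host never does,
    so the path is everything between the hostname and the last space.
    """
    ts, host, rest = line.split(" ", 2)
    image, dest = rest.rsplit(" ", 1)
    return {"ts": ts, "host": host, "image": image, "dest": dest}


def find_suspect_dropbox_c2(log_text):
    """Return {(hostname, image): [dropbox API hosts contacted]} for
    processes outside the allowlist that reach Dropbox API endpoints."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["dest"] not in DROPBOX_API_HOSTS:
            continue
        basename = ev["image"].rsplit("\\", 1)[-1].lower()
        if basename in ALLOWED_IMAGES:
            continue
        hits[(ev["host"], ev["image"])].append(ev["dest"])
    return dict(hits)


if __name__ == "__main__":
    for (host, image), dests in find_suspect_dropbox_c2(SAMPLE_EVENTS).items():
        print(f"{host}: {image} -> {', '.join(dests)}")
```

Only the unsigned binary under a user's AppData directory is reported; the Dropbox client and the browser are expected to contact these hosts and are filtered out.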

Conclusion

Molerats is a highly effective and capable threat actor, particularly against those working with governments and other geopolitical entities in the Middle East. It will evidently continue to develop and modify its customized malware implants to evade detection and automated analysis. To protect against this threat actor, it is advisable to treat password-protected archives with caution and to download and open them only when they come from trusted sources.