MoleRats APT Returns with Espionage Play Using Facebook, Dropbox

molerats apt backdoors

The threat group is increasing its espionage activity in light of the current political climate and recent events in the Middle East, with two new backdoors.

The MoleRats advanced persistent threat (APT) has developed two new backdoors, both of which allow the attackers to execute arbitrary code and exfiltrate sensitive data, researchers said. They were discovered as part of a recent campaign that uses Dropbox, Facebook, Google Docs and Simplenote for command-and-control (C2) communications.

MoleRats is part of the Gaza Cybergang, an Arabic speaking, politically motivated collective of interrelated threat groups actively targeting the Middle East and North Africa, with a particular focus on the Palestinian Territories, according to previous research from Kaspersky. There are at least three groups within the gang, with similar aims and targets – cyberespionage related to Middle Eastern political interests – but very different tools, techniques and levels of sophistication, researchers said. One of those is MoleRats, which falls on the less-complex end of the scale, and which has been around since 2012.

Threatpost Webinar Promo Bug Bounty

Click to register.

The most recent campaign, uncovered by researchers at Cybereason, targets high-ranking political figures and government officials in Egypt, the Palestinian Territories, Turkey and the UAE, they noted.  Emailed phishing documents are the attack vector, with lures that include various themes related to current Middle Eastern events, including Israeli-Saudi relations, Hamas elections, news about Palestinian politicians, and a reported clandestine meeting between the Crown Prince of Saudi Arabia, the U.S. Secretary of State Mike Pompeo and Israeli Prime Minister Benjamin Netanyahu.

“Analysis of the phishing themes and decoy documents used in the social engineering stage of the attacks show that they revolve mainly around Israel’s relations with neighboring Arab countries as well as internal Palestinian current affairs and political controversies,” Cybereason researchers noted.

In analyzing the offensive, they uncovered the SharpStage and DropBook backdoors (as well as a new version of a downloader dubbed MoleNet), which are interesting in that they use legitimate cloud services for C2 and other activities.

For instance, the DropBook backdoor uses fake Facebook accounts or Simplenote for C2, and both SharpStage and DropBook abuse a Dropbox client to exfiltrate stolen data and for storing their espionage tools, according to the analysis, issued Wednesday. Cybereason found that both have been observed being used in conjunction with the known MoleRats backdoor Spark; and both have been seen downloading additional payloads, including the open-source Quasar RAT.

Quasar RAT is billed as a legitimate remote administration tool for Windows, but it can be used for malicious purposes, like keylogging, eavesdropping, uploading data, downloading code and so on. It’s been used by various APTs in the past, including MoleRats and the Chinese-speaking APT 10.

Infection Routine & Malware Breakdown

The phishing emails arrive with a non-boobytrapped PDF attachment that will evade scanners, according to Cybereason. When a victim clicks it open, they receive a message that they will need to download the content from a password-protected archive. Helpfully, the message provides the password and gives targets the option of downloading from either Dropbox or Google Drive. This initiates the malware installation.

The SharpStage backdoor is a .NET malware that appears to be under continuous development. The latest version (a third iteration) performs screen captures and checks for the presence of the Arabic language on the infected machine, thus avoiding execution on non-relevant devices, researchers explained. It also has a Dropbox client API to communicate with Dropbox using a token, to download and exfiltrate data.

It also can execute arbitrary commands from the C2, and as mentioned, can download and execute additional payloads.

Victims receive a decoy document as part of the infection gambit. Cybereason said that the document contains information allegedly created by the media department of the Popular Front for the Liberation of Palestine (PLFP) describing preparations for the commemoration of the PLFP’s 53rd anniversary.

“It is it is unclear whether it is a stolen authentic document or perhaps a document forged by the attackers and made to appear as if it originated from the Front’s high-rank official,” according to the report.

DropBook meanwhile is a Python-based backdoor compiled with PyInstaller. Researchers said it can install programs and file names; execute shell commands received from Facebook/Simplenote; and download and execute additional payloads using Dropbox. Like SharpStage, it checks for the presence of an Arabic keyboard. DropBook also only executes if WinRAR is installed on the infected computer, researchers said, probably because it is needed for a later stage of the attack.

As for its use of social media, and the cloud, “DropBook fetches a Dropbox token from a Facebook post on a fake Facebook account,” according to the report. “The backdoor’s operators are able to edit the post in order to change the token used by the backdoor. In case DropBook fails getting the token from Facebook, it tries to get the token from Simplenote.”

After receiving the token, the backdoor collects the names of all files and folders in the “Program Files” directories and in the desktop, writes the list to a text file, and then uploads the file to Dropbox under the name of the current username logged on to the machine. DropBook then checks the fake Facebook account post, this time in order to receive commands.

“The attackers are able to edit the post in order to provide new instructions and commands to the backdoor,” according to Cybereason. “Aside from posting commands, the fake Facebook profile is empty, showing no connections or any personal information about its user, which further strengthens the assumption that it was created solely for serving as a command-and-control for the backdoor.”

Both SharpStage and DropBook exploit legitimate web services to store their weapons and to deliver them to their victims in a stealthy manner, abusing the trust given to these platforms. While the exploitation of social media for C2 communication is not new, it is not often observed in the wild, the team noted.

“While it’s no surprise to see threat actors take advantage of politically charged events to fuel their phishing campaigns, it is concerning to see an increase in social-media platforms being used for issuing C2 instructions and other legitimate cloud services being used for data exfiltration activities,” said Lior Div, Cybereason co-founder and CEO, in a statement.

The campaign shows that MoleRats could be ramping up its activity, according to the firm.

“The discovery of the new cyber-espionage tools along with the connection to previously identified tools used by the group suggest that MoleRats is increasing their espionage activity in the region in light of the current political climate and recent events in the Middle East,” the report concluded.

Get the latest from John (Austin) Merritt, Cyber Threat Intelligence Analyst at Digital Shadows; Limor Kessem, Executive Security Advisor, IBM Security; and Israel Barak, CISO at Cybereason, on new kinds of attacks. Topics will include the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.

Suggested articles