Molerats APT targets several nations in the Middle East

February 15, 2022
Molerats APT Middle East Cyberespionage Cyberattack Campaign Backdoor

Researchers have uncovered a new cyberespionage campaign by Molerats, an Arabic-speaking advanced persistent threat (APT) group. The campaign has targeted victims in the Middle East since at least July 2021.

The researchers provided a full technical assessment of the campaign: the attack chain, the backdoor, data exfiltration, the command-and-control infrastructure, and threat attribution.

In early December 2021, several macro-based Microsoft Office files uploaded from Middle Eastern countries surfaced on open-source intelligence (OSINT) sources.

The documents use decoy content themed on the geopolitical conflict between the long-time rivals Israel and Palestine, a lure Molerats has used in earlier cyberespionage campaigns.

Since December the actors have kept the same distribution strategy, with only minor changes to the .NET backdoor.
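The delivery vehicle here is a macro-enabled Office document, so the first check a defender wants is whether a document carries a VBA project at all, independent of its extension. The following is an added example, not code from the page or from the researchers; it looks for the `word/vbaProject.bin` part (or its content type) in OOXML files and for VBA storage names in legacy OLE files, and the sample documents it builds are constructed placeholders, not real malicious files.

```python
import io
import sys
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"            # legacy .doc/.xls container
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"  # OOXML part type of vbaProject.bin
# OLE directory entries store stream/storage names as UTF-16LE; these names hold the VBA project.
OLE_VBA_MARKERS = [s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros")]


def has_vba_macro(data: bytes) -> bool:
    """Heuristic: does this Office document carry a VBA project?

    The check ignores the file extension on purpose: a .docm renamed to .docx
    still contains word/vbaProject.bin, and the OLE check does not look at names at all.
    """
    if data.startswith(OLE_MAGIC):
        return any(marker in data for marker in OLE_VBA_MARKERS)
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
                if any(n.lower().endswith("vbaproject.bin") for n in names):
                    return True
                if "[Content_Types].xml" in names and VBA_CONTENT_TYPE in z.read("[Content_Types].xml"):
                    return True
        except zipfile.BadZipFile:
            return False
    return False


def build_ooxml_sample(with_macro: bool) -> bytes:
    """Constructed, minimal OOXML container for the demo (a real .docm has many more parts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        types = ['<?xml version="1.0" encoding="UTF-8"?>',
                 '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
                 '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>']
        if with_macro:
            types.append('<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>')
            z.writestr("word/vbaProject.bin", b"constructed placeholder, not a real VBA project")
        types.append("</Types>")
        z.writestr("[Content_Types].xml", "".join(types))
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:  # no files given: run against the constructed samples
        print("constructed .docm ->", has_vba_macro(build_ooxml_sample(True)))
        print("constructed .docx ->", has_vba_macro(build_ooxml_sample(False)))
    for p in paths:
        with open(p, "rb") as f:
            print(p, "->", "VBA macro present" if has_vba_macro(f.read()) else "no VBA macro found")
```

Run it over a mail-gateway quarantine or a download directory (`python macro_check.py *.doc*`); a hit is a reason to detonate or block the file, not proof of malice, since legitimate documents carry macros too. The OLE branch is a string heuristic; a full parser of the compound file directory is the robust version.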

The targets included members of the banking sector in Palestine, people associated with Palestinian political parties, human rights activists in Turkey, and journalists.

Researchers noted that the recent campaign reuses the group's earlier attack strategy. Their analysis found several overlaps between this campaign and Molerats activity from last year.

The researchers observed the same .NET backdoor and the use of the Dropbox API for the entire command-and-control channel, which lets the C2 traffic blend into legitimate HTTPS traffic to a popular cloud service.

The actors also protect the payload with packers, one commercial and one open-source: Themida and ConfuserEx, the latter a .NET obfuscator. Targets continue to be selected from the Middle East.

In the final stages of the intrusion the attackers deliver the backdoor inside RAR archives, and they abuse other legitimate cloud hosting services such as Google Drive to host their payloads.
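The three artefacts just described (a .NET backdoor, the Themida/ConfuserEx packers, and cloud-service C2 over the Dropbox and Google Drive APIs) are all visible in a static triage pass before any detonation. The following is an added example, not code from the page or from the researchers; the indicator strings it searches for are general facts about those packers and services, not IOCs from the report, and the PE blob it builds is a constructed, non-loadable stand-in for a real sample.

```python
import struct

# Illustrative indicators (not IOCs from the report): API hosts a backdoor must contact to use
# Dropbox / Google Drive, and artefacts the two named packers leave behind.
DROPBOX_API_HOSTS = [b"api.dropboxapi.com", b"content.dropboxapi.com"]
GDRIVE_HOSTS = [b"drive.google.com", b"www.googleapis.com/drive"]
CONFUSEREX_MARKER = b"ConfusedByAttribute"      # attribute ConfuserEx injects into protected assemblies
THEMIDA_SECTIONS = {b".themida", b".winlice"}   # section names Themida/WinLicense commonly emit


def pe_section_names(data: bytes) -> list:
    """Walk the PE headers and return the section names ([] if not a PE file)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size
    return [data[table + 40 * i: table + 40 * i + 8].rstrip(b"\0") for i in range(num_sections)]


def find_strings(data: bytes, needles: list) -> list:
    """.NET user strings are UTF-16LE in the #US heap, metadata names are UTF-8; search both."""
    return [n.decode() for n in needles if n in data or n.decode().encode("utf-16-le") in data]


def triage(data: bytes) -> dict:
    """Cheap static triage: packer evidence plus cloud-API hosts the binary could talk to."""
    sections = pe_section_names(data)
    return {
        "sections": [s.decode(errors="replace") for s in sections],
        "themida": any(s.lower() in THEMIDA_SECTIONS for s in sections),
        "confuserex": CONFUSEREX_MARKER in data,
        "dropbox_api": find_strings(data, DROPBOX_API_HOSTS),
        "gdrive": find_strings(data, GDRIVE_HOSTS),
    }


def build_fake_pe(section_names: list, payload: bytes) -> bytes:
    """Constructed PE-shaped blob (valid headers, not loadable) so the demo runs offline."""
    e_lfanew = 0x40
    mz = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = b"\0" * 0xE0  # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x102)
    secs = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return mz + b"PE\0\0" + coff + opt + secs + payload


# Constructed sample: ConfuserEx marker, a Dropbox API URL as a .NET user string, a Drive host.
SAMPLE = build_fake_pe(
    [b".text", b".rsrc"],
    b"\0ConfusedByAttribute\0"
    + "https://api.dropboxapi.com/2/files/upload".encode("utf-16-le")
    + b"drive.google.com",
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for key, value in triage(data).items():
        print(f"{key:12} {value}")
```

Two caveats a practitioner should keep in mind: a Themida-packed sample hides its inner .NET strings until it is unpacked in memory, so an empty `dropbox_api` list on a Themida hit means nothing, and a ConfuserEx marker on its own is weak evidence because plenty of legitimate .NET software is obfuscated with it. The useful signal is the combination: a packed .NET binary that embeds cloud-storage API hosts and arrives in a RAR archive from an Office macro.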

Overlaps in passive DNS resolutions and SSL certificates also let the researchers tie the infrastructure of this campaign to earlier Molerats activity.
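Attribution by passive DNS and certificate overlap is an infrastructure pivot: start from a known domain, walk to the IPs it resolved to and the certificates it presented, then to every other domain sharing those, and repeat. The following is an added example of that pivot, not code from the page or from the researchers; the domains, IPs and certificate fingerprints in it are constructed placeholders, and in practice the records come from a passive DNS feed and a certificate index.

```python
from collections import defaultdict, deque

# Constructed records for illustration only (RFC 5737 addresses, made-up fingerprints).
PDNS = [  # (domain, resolved IP)
    ("seed.example", "203.0.113.10"),
    ("second.example", "203.0.113.10"),
    ("third.example", "198.51.100.7"),
    ("unrelated.example", "192.0.2.55"),
]
CERTS = [  # (certificate SHA-256 fingerprint, domain presenting it)
    ("aa11", "second.example"),
    ("aa11", "third.example"),
    ("bb22", "unrelated.example"),
]


def build_graph(pdns, certs):
    """Bipartite graph: domain nodes on one side, ("ip", x) / ("cert", x) indicator nodes on the other."""
    g = defaultdict(set)
    for dom, ip in pdns:
        g[dom].add(("ip", ip))
        g[("ip", ip)].add(dom)
    for fp, dom in certs:
        g[dom].add(("cert", fp))
        g[("cert", fp)].add(dom)
    return g


def pivot(seed, graph, max_pivots=2, max_fanout=20):
    """BFS from a seed domain through shared IPs and certificates.

    Indicator nodes with more than max_fanout domains (shared hosting IPs, CDN or
    wildcard certificates) are skipped: pivoting through them links everything to everything.
    Returns {domain: indicator it was reached through}.
    """
    seen = {seed}
    queue = deque([(seed, 0)])
    linked = {}
    while queue:
        node, pivots = queue.popleft()
        for nb in graph[node]:
            if nb in seen:
                continue
            if isinstance(nb, tuple):                     # indicator node
                if len(graph[nb]) > max_fanout or pivots >= max_pivots:
                    continue
                seen.add(nb)
                queue.append((nb, pivots))
            else:                                         # domain node, reached via `node`
                seen.add(nb)
                linked[nb] = node
                queue.append((nb, pivots + 1))
    return linked


if __name__ == "__main__":
    for domain, via in pivot("seed.example", build_graph(PDNS, CERTS)).items():
        print(f"{domain:20} linked via {via[0]} {via[1]}")
```

The fan-out cut-off and the pivot limit are the two knobs that keep this honest: without them a single shared-hosting IP or a CDN certificate pulls thousands of unrelated domains into the cluster. Every linked domain still needs a timing check (did it resolve to that IP while the campaign was active?) before it goes on an IOC list.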

Molerats has thus resurfaced with a new espionage campaign built on a lightly customised version of its established backdoor distribution strategy.

Middle Eastern organisations should use the published IOCs to detect the attack early in the intrusion. Experts also urge targeted organisations to deploy multi-layered security controls for stronger prevention and detection.
