The Molerats advanced persistent threat group, also known as TA402, has bypassed researchers’ detection in their recent attack, revealing that the group has reemerged with its new malware strain named NimbleMamba.
However, researchers believe that the NimbleMamba malware is more likely to be a recent version of the LastConn malware used by the Molerats group in their previous cyberespionage campaign.
According to recent reports, a new email phishing campaign eyed several governments in the Middle East and has targeted state-backed airlines and foreign-policy think tanks in the same region. The threat actors had spread phishing emails between the early weeks of November 2021 and the last weeks of January 2022.
These organisations were targeted by the cyberespionage group using the NimbleMamba malware, which is a new intelligence-collecting trojan that was distributed through phishing baits.
The phishing campaign leverages three types of emails, pretending to be from Dropbox, Quora, and Ugg bits, and utilised Gmail accounts to distribute attacks. However, the threat actors shifted to Dropbox URLs to spread the compromised [.]rar files that contain the malware.
While LastConn and NimbleMamba malware share identicality, such as being coded in C#, base64 encoding inside the C2 framework, there appears to be a minimal code overlap between the two strains.
The state-backed Molerats APT group has persistently targeted government entities and organisations in the Middle East after the researchers intercepted them. Moreover, the threat group has routinely updated their malware implants and distribution strategy after being hunted by security groups.
The cyberespionage campaign was active since July 2021, and actors leveraged several macro-based Microsoft office files to distribute a new variant of the [.]Net backdoor.
The Molerats is currently an active and efficient threat group that demonstrated their persistence with highly targeted espionage campaigns exclusively on the Middle Eastern nations. Experts believe that the Molerats APT will continue to upgrade its malware implants and TTPs to challenge security solutions worldwide.