MoleRats APT Makes a Comeback, Uses Facebook and Dropbox for Espionage
First discovered in 2012, MoleRats is part of the Gaza Cybergang, an Arabic-speaking, politically motivated collective of interrelated threat groups actively targeting the Middle East and North Africa, with a focus on the Palestinian Territories. It's believed that there are at least three groups within the gang, all with similar aims and targets but with very different tools, techniques, and levels of sophistication. MoleRats is one of the less sophisticated of the three, but it is still dangerous nonetheless.
The most recent campaign, first uncovered by researchers at Cybereason, has been targeting high-ranking officials in Egypt, the Palestinian Territories, and the UAE. The threat group launches its attacks through phishing emails carrying malicious documents, a technique that has become increasingly popular in recent times. The lures are themed on current Middle Eastern events, mostly recent political developments ranging from Israeli-Saudi relations to a reported clandestine meeting between the Crown Prince of Saudi Arabia, U.S. Secretary of State Mike Pompeo, and Israeli Prime Minister Benjamin Netanyahu.
In their analysis, researchers at Cybereason uncovered the SharpStage and DropBook backdoors, as well as a new version of the MoleNet downloader. Both backdoors use legitimate cloud services for command-and-control (C2) communication. DropBook uses fake Facebook accounts for C2 (the attacks also use Simplenote, a note-taking application with Markdown support, for C2), and both SharpStage and DropBook abuse a Dropbox client to exfiltrate stolen data and to store their espionage tools.
The phishing emails deliver a simple PDF attachment that directs the user to download additional content from a password-protected archive, with the password supplied inside the innocuous-looking PDF. The user is then offered the choice of downloading the archive from Dropbox or from Google Drive. Once the archive is downloaded and opened, the malware installs itself.
The SharpStage backdoor is a .NET malware that appears to be under continuous development. The latest version, version 3, performs screen captures and checks for the presence of the Arabic language on the infected machine, thus avoiding execution on non-relevant devices. It also includes a Dropbox API client that authenticates with a token to download files and exfiltrate data. It can also execute arbitrary commands from the C2 and download and execute additional payloads.
DropBook, meanwhile, is a Python-based backdoor compiled with PyInstaller. Researchers claim it can install programs and file names, execute shell commands received from Facebook and Simplenote, and download and execute additional payloads using Dropbox. Like SharpStage, it checks for the presence of an Arabic keyboard. DropBook also only executes if WinRAR is installed on the infected computer.
Both SharpStage and DropBook exploit legitimate web services to store their tools and deliver them to victims stealthily, abusing the trust given to these platforms. While the use of social media for C2 communication is not new, it is part of a growing trend of attackers taking advantage of the popularity of multiple social media and cloud services, whose traffic blends in with ordinary user activity.
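Because the C2 and exfiltration traffic described above goes to services that legitimate software also contacts, a defender's best starting point is the pairing of process and destination rather than the destination alone. The following added example (not code from the article or from Cybereason) illustrates that idea: it parses a small, constructed endpoint log of outbound connections, ignores connections to Dropbox, Facebook, and Simplenote made by processes expected to talk to them (an assumed allowlist of browsers and the official Dropbox client), and reports any other process that repeatedly reaches those services, along with the mean interval between its connections, since a fixed cadence is typical of a beacon. The log format, host and process names are all invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Cloud services the campaign is reported to abuse for C2 and exfiltration.
CLOUD_C2_DOMAINS = ("dropbox.com", "dropboxapi.com", "facebook.com", "simplenote.com")

# Processes that are expected to contact these services on a workstation (assumption;
# a real deployment would derive this allowlist from its own baseline).
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "dropbox.exe"}

# Constructed log format: ISO timestamp, host, process image name, destination host:port.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+)$"
)

# Constructed sample log: a browser legitimately using Dropbox, an unknown helper.exe
# beaconing to the Dropbox API every five minutes and touching Facebook once, and a
# notes application reaching Simplenote once. One malformed line exercises error handling.
SAMPLE_LOG = """\
2020-12-09T10:00:01Z host=WS-07 proc=chrome.exe dst=www.dropbox.com:443
2020-12-09T10:01:12Z host=WS-07 proc=helper.exe dst=api.dropboxapi.com:443
2020-12-09T10:06:13Z host=WS-07 proc=helper.exe dst=api.dropboxapi.com:443
2020-12-09T10:11:14Z host=WS-07 proc=helper.exe dst=api.dropboxapi.com:443
2020-12-09T10:02:40Z host=WS-07 proc=helper.exe dst=graph.facebook.com:443
2020-12-09T10:03:05Z host=WS-12 proc=outlook.exe dst=outlook.office365.com:443
2020-12-09T10:04:00Z host=WS-12 proc=notes.exe dst=app.simplenote.com:443
this line is malformed and must be skipped
"""


def parse_line(line):
    """Return a dict with ts/host/proc/dst/port, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def is_cloud_c2_domain(dst):
    """True if dst is one of the abused services or a subdomain of one."""
    return any(dst == d or dst.endswith("." + d) for d in CLOUD_C2_DOMAINS)


def find_suspicious(lines, min_hits=2):
    """Group cloud-service connections by (host, process, domain) for processes that are
    not on the allowlist, and return those seen at least min_hits times."""
    stamps_by_key = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or not is_cloud_c2_domain(ev["dst"]):
            continue
        if ev["proc"].lower() in EXPECTED_PROCESSES:
            continue
        stamps_by_key[(ev["host"], ev["proc"], ev["dst"])].append(ev["ts"])

    findings = []
    for (host, proc, dst), stamps in sorted(stamps_by_key.items()):
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        findings.append({
            "host": host,
            "process": proc,
            "domain": dst,
            "connections": len(stamps),
            # Mean seconds between connections; a near-constant gap suggests beaconing.
            "interval_s": sum(gaps) / len(gaps) if gaps else None,
            "first": stamps[0].isoformat(),
            "last": stamps[-1].isoformat(),
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"{f['host']} {f['process']} -> {f['domain']}: "
              f"{f['connections']} connections, mean interval {f['interval_s']}s")
```

With the default threshold of two connections, only helper.exe reaching api.dropboxapi.com at a steady 301-second cadence is reported; lowering `min_hits` to 1 also surfaces the single Facebook and Simplenote contacts, which is useful for hunting but noisier in production. The same grouping can be fed from proxy or DNS logs as long as the process name is available, which is the field that separates a backdoor from a user's browser here.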
Sources: