Posted on December 15, 2020 at 4:15 PM
Cybersecurity firm Cybereason revealed that it discovered a cyber espionage campaign that uses new malware abusing Facebook, Dropbox, and Google Drive for command and control, payload delivery, and data theft.
According to the security firm's report, the Molerats hacking group is behind the attacks. The campaign uses two new backdoors, DropBook and SharpStage, together with a previously undocumented malware downloader called MoleNet.
The campaign started in September
The researchers said the group's campaign began in September and ran through November. The Arabic-speaking targets were located in Egypt, the United Arab Emirates, and the Palestinian territories; non-Arabic-speaking targets in Turkey were also hit.
“We noticed the beginning of the campaign in September 2020, with more attacks happening between October and November 2020,” the security firm stated.
Cybereason said it has notified the cloud providers about the abuse of their platforms.
Other security researchers, including those at Microsoft, have reported similar cyber espionage techniques in which non-state hacking groups abuse legitimate cloud platforms.
Cybereason's researchers found that the Molerats attack begins with politically themed phishing emails sent to the targets, referencing current events in the Middle East.
Malware is difficult to detect
The Molerats operators are hard to detect because their malware talks to popular cloud platforms rather than to attacker-owned infrastructure, so its traffic blends in with legitimate use of those services. Although Cybereason was able to identify the group's malware and several of its attack methods, the researchers said some details of the operation remain unknown.
The malware uses Facebook and Dropbox to receive instructions from its operators and to handle stolen data: after collecting files from the victim's machine, it exfiltrates them through Dropbox.
Top political figures targeted
According to the security firm, the campaign targets senior government officials and high-ranking political figures in the Middle East. The attackers typically email the targets and trick them into downloading malicious documents.
The document itself does not contain the promised content. Instead, the target is asked to download a password-protected archive hosted on Google Drive or Dropbox in order to read the full details.
Once the user downloads and opens the archive, Molerats infects the system with the DropBook or SharpStage backdoor, which can in turn download additional malware.
Abuse Of Cloud Services
The malware carries out its command and control communication through popular cloud services. The Python-based DropBook backdoor receives its instructions only from Facebook and from the note-taking app Simplenote.
The operators control the backdoor through commands posted on Facebook, with Simplenote serving as a backup channel.
Using DropBook, the threat actors can enumerate file names and installed programs on the system, execute shell commands received via Facebook or Simplenote, and use Dropbox to retrieve further payloads and exfiltrate collected data. SharpStage, the group's other backdoor, does not take its instructions from cloud services but from conventional command and control servers.
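The detection problem the article describes is that the backdoor's traffic goes to services most organizations already allow. The following is an added example, not code from the article or from the Cybereason report: a small heuristic that scans proxy or EDR network telemetry for the pattern above, a non-browser process on one host reaching Facebook, Simplenote and Dropbox endpoints. The service hostnames, the process allowlist and the log records are assumptions and constructed sample data, not indicators taken from the report.

```python
"""Added example (not from the original article or the Cybereason report):
flag unexpected processes talking to cloud services that a DropBook-style
backdoor would use, then escalate a process that reaches several of them.
Hostnames, process names and the sample log are assumptions / constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Hostnames a cloud-C2 backdoor of this kind would need to reach (assumed list).
CLOUD_C2_SERVICES = {
    "graph.facebook.com": "facebook",
    "www.facebook.com": "facebook",
    "api.dropboxapi.com": "dropbox",
    "content.dropboxapi.com": "dropbox",
    "app.simplenote.com": "simplenote",
}

# Processes for which traffic to these services is expected (assumed allowlist).
EXPECTED_CLIENTS = {"chrome.exe", "firefox.exe", "msedge.exe", "dropbox.exe"}


@dataclass
class NetEvent:
    host: str
    process: str
    dest: str


def parse_line(line: str) -> NetEvent:
    """Parse one constructed telemetry line: host<TAB>process<TAB>destination."""
    host, process, dest = line.rstrip("\n").split("\t")
    return NetEvent(host, process.lower(), dest.lower())


def suspicious_events(lines):
    """Return events where a non-allowlisted process reaches a listed service."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.dest in CLOUD_C2_SERVICES and ev.process not in EXPECTED_CLIENTS:
            hits.append(ev)
    return hits


def correlate_by_host(events):
    """Group suspicious events per (host, process). One process that reaches two
    or more distinct services (e.g. Facebook for tasking plus Dropbox for
    exfiltration) matches the multi-service pattern and is escalated."""
    seen = defaultdict(set)
    for ev in events:
        seen[(ev.host, ev.process)].add(CLOUD_C2_SERVICES[ev.dest])
    return {key: sorted(svcs) for key, svcs in seen.items() if len(svcs) >= 2}


def analyze(log_text: str):
    """Run both stages over raw telemetry text; returns (hits, escalated)."""
    hits = suspicious_events(log_text.splitlines())
    return hits, correlate_by_host(hits)


# Constructed sample telemetry (not real logs): WS-01 is benign browser and
# Dropbox client traffic; WS-07 shows a Python interpreter reaching all three
# services; WS-09 reaches only one service and stays a low-confidence hit.
SAMPLE_LOG = """\
WS-01\tchrome.exe\twww.facebook.com
WS-01\tDropbox.exe\tapi.dropboxapi.com
WS-07\tpythonw.exe\tgraph.facebook.com
WS-07\tpythonw.exe\tapp.simplenote.com
WS-07\tpythonw.exe\tcontent.dropboxapi.com
WS-09\tpowershell.exe\tapi.dropboxapi.com
"""

if __name__ == "__main__":
    hits, escalated = analyze(SAMPLE_LOG)
    for ev in hits:
        print(f"suspicious: {ev.host} {ev.process} -> {ev.dest}")
    for (host, proc), svcs in escalated.items():
        print(f"ESCALATE: {host} {proc} reached {', '.join(svcs)}")
```

The two-stage split matters in practice: a single process contacting Dropbox is common noise (scripts, sync tools), whereas one interpreter process on one host reaching a social network, a note-taking service and a file-sharing service is the combination the article describes and is rare in legitimate traffic.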
Cybereason said the three SharpStage variants it discovered all work in much the same way. According to the firm, all three can decompress data retrieved from the command and control server, execute arbitrary commands, and take screenshots.
The backdoors are also aimed at a specific audience, in this case Arabic-speaking users: before installing themselves, they check whether the Arabic language is present on the infected computer.
The other tool used by the Molerats actors is the MoleNet downloader. It can fetch new payloads, reboot the machine from the command line, check for debuggers, and run WMI commands to profile the operating system.