Molerats in the cloud

Molerats (also known as Gaza Cybergang) is an Arabic-speaking, politically motivated APT group that has been active in the Middle East since 2012.

Cybereason’s Nocturnus team has been tracking this APT group since its discovery, and in recent months it has detected a new attack in which the group uses previously unidentified backdoors called SharpStage and DropBook and a downloader called MoleNet.

This new malware arsenal was designed specifically for stealthy espionage attacks against Arabic-speaking targets, especially in the Middle East, and was observed primarily in the Palestinian Territories, the United Arab Emirates (UAE), and Egypt. It has also been observed in attacks against non-Arabic-speaking targets in Turkey.

This latest attack uses social engineering techniques to deliver phishing documents built around various decoy themes related to the situation in the Middle East. Some of the themes used in this phishing campaign were:

· References to neighboring Arab countries’ relations with Israel : Specifically, the recent meeting, as reported in the media, between Saudi Crown Prince Mohammed bin Salman (MBS), former US Secretary of State Mike Pompeo, and Israeli Prime Minister Benjamin Netanyahu.

· References to Palestinian political issues : This attack uses a variety of themes related to Palestinian political events and public figures, including:
・ Hamas internal elections
・ Dr. Ahmad Majdalani (Secretary General of the Palestinian Popular Struggle Front (PPSF))
・ A document, believed to be fake, attributed to the Popular Front for the Liberation of Palestine (PFLP), describing in detail the media preparations for the PFLP 53rd Anniversary Ceremony.

The newly discovered backdoors were delivered together with the previously reported Spark backdoor, and there are other similarities to past attacks, which makes it likely that these backdoors were created by Molerats.

Both the SharpStage and DropBook backdoors operate stealthily: they use the legitimate cloud storage service Dropbox to exfiltrate information stolen from the target, and at the same time rely on legitimate web services to evade detection and takedown.

The Nocturnus team also discovered that DropBook, a new Python-based backdoor, is abusing Facebook, a social media platform.

The backdoor operator created a fake account and controlled the backdoor through it, hiding in plain sight. What sets DropBook apart from the other spy tools in the arsenal is that it relies on a fake Facebook account as its C2 channel to receive instructions from the operator.

Abusing social media to communicate with C2 is nothing new, but it is rarely observed.

In addition, Cybereason’s Nocturnus team discovered Molerats activity using the Spark backdoor against Turkish-speaking targets, based on observations of phishing documents written in Turkish.

Finally, the Nocturnus team identified another attack using a new variant of the Pierogi backdoor against targets similar to those infected with the Spark, SharpStage, and DropBook backdoors. This overlap raises the suspicion that there may be a link between the two subgroups of Gaza Cybergang (Molerats and APT-C-23 (Arid Viper)).

Cybereason has contacted Facebook, Dropbox, Google and Simplenote to report on account abuse.

▲ Infection chain of the latest attacks by Molerats

Key findings

· The threat actor is assessed to be Molerats (also known as Gaza Cybergang) : Molerats is a politically motivated, Arabic-speaking group that has been active in the Middle East since 2012.

· New spy tools developed by Molerats : Cybereason has identified two new backdoors, called SharpStage and DropBook, and a downloader, called MoleNet. These tools allow an attacker to execute arbitrary code, collect sensitive data from an infected computer, and exfiltrate it. The newly discovered backdoors were used in combination with the previously reported Spark backdoor (also created by Molerats).

· Targeting across the Middle East : Cybereason assesses that the operators of this attack are targeting high-ranking politicians and government officials in the Middle East (including the Palestinian Territories, UAE, Egypt, and Turkey).

· Political themes used for phishing : Themes used to lure victims included topics related to Israeli-Saudi relations, the Hamas elections, Palestinian politicians, and the Saudi Crown Prince. Other recent political events, such as the secret talks between Crown Prince Mohammed bin Salman (MBS), US Secretary of State Mike Pompeo, and Israeli Prime Minister Benjamin Netanyahu, were also used.

· Abuse of the Facebook, Google Docs, Dropbox, and Simplenote platforms : The newly discovered DropBook backdoor used fake Facebook accounts and Simplenote for command and control (C2) communication. Both SharpStage and DropBook also abused the Dropbox client to exfiltrate data stolen from the target to cloud storage and to host their spy tools.

· Relationship to the Pierogi backdoor : Analysis revealed a relationship between the newly discovered backdoors, Spark, and the previously reported Pierogi backdoor. Cybereason estimates with medium to high confidence that these backdoors were developed either by different teams working for similar interests or by the same threat actor.

· Use of Quasar RAT : The attackers used the new spy tools to download additional payloads from Dropbox. This included the infamous open-source Quasar RAT, previously used by Gaza Cybergang.

Discovering the new Molerats cyber weapons

While hunting for threats in the Middle East, Cybereason’s Nocturnus team encountered several unique, previously undocumented malware samples.

These two backdoors, SharpStage and DropBook, and the MoleNet downloader were delivered alongside the Spark backdoor attributed to Gaza Cybergang (aka Molerats), and share several similarities with it in TTPs and phishing themes.

Molerats is known for using political and Middle Eastern-themed phishing files to lure victims, and in this campaign it once again relied on this method, using recent political events (the peace agreement between Israel and its Arab neighbors, including the normalization process) as lures.

▲ Overview of attack infrastructure

One of the phishing documents identified in this attack was a PDF file entitled “MBS-Israel”, which mentions a recent meeting between Israeli Prime Minister Benjamin Netanyahu and Saudi Crown Prince Mohammed bin Salman.

▲ The detection rate of phishing PDF files is zero (according to VirusTotal)

▲ MBS-Israel.pdf Document contents

The content of this PDF instructs the target to download a password-protected archive, allegedly containing the minutes of various meetings, from Dropbox or Google Drive.

Embedded URL | Archive type | SHA-256 hash
https://www.dropbox[.]com/s/r81t6y7yr8w2ymc/ | archive | 58f926d9bd70c144f8697905bf81dfff046a12929639dfba3a6bd30a26367823
[.]com/uc?export=download&id=1NnMlUPwkxK4_wAJwrqxqBAfdKCPDxyehRAR | archive | (not preserved)

▲ Payload downloaded using the PDF

Among the delivered files are the two new backdoors, SharpStage and DropBook.

File name | Classification | SHA-256
Details Crown Prince held ‘secret meeting’ with Israeli PM.Nov.23.20.MoM.exe | SharpStage backdoor | 69af17199ede144d1c743146d4a7b7709b765e57375d4a4200ea742dabef75ef
Details of MBS meeting with the US Secretary of State. | Spark backdoor | 54eadcd0b93f0708c8621d2d8d1fb4016f617680b3b0496343a9b3fed429aaf9
Talking points for meeting.exe | DropBook backdoor | 2578cbf4980569b372e06cf414c3da9e29226df4612e2fc6c56793f77f8429d8

Interestingly, the fake Microsoft Word icon used by Gaza Cybergang appears consistently, with minor variations, across the different malware families.


At the time of this writing, VirusTotal showed a very low detection rate for the newly discovered SharpStage backdoor.

▲ SharpStage single sample detection rate

Cybereason’s Nocturnus team has also observed a variety of Middle East-themed URLs used on SharpStage’s C2 domains, including:

· http://artlifelondon[.]com/hamas_internal_elections.rar

· https://www.artlifelondon[.]com/Hamas.php

· https://forextradingtipsblog[.]com/SaudiRecognitionofIsrael.php

· https://forextradingtipsblog[.]com/AhmedMajdalani.php

SharpStage backdoor analysis

SharpStage backdoor is a .NET malware with backdoor functionality. Its name is derived from the main activity class called “Stage_One”.

Cybereason’s Nocturnus team was able to identify three variants of the SharpStage backdoor that are still under development. Two of these shared the hard-coded mutex “71C19A8DC5F144E5AA9B8E896AE0BFD7”.

▲ Mutex confirmed in SharpStage code

The compile timestamps of these samples range from October 4, 2020 to November 29, 2020. All three samples share similar features, with some variation across functions, and show an emphasis on code obfuscation, code modularization, dependency logging, and connectivity checks before further execution. In addition, each sample has its own persistence component.

The SharpStage backdoor has the following features: Note that some functions depend on the command received from C2.

· Screen capture : The SharpStage backdoor has the ability to capture the victim’s screen.

· Targeting Arabic-speaking users : SharpStage avoids running on irrelevant devices by checking for the presence of Arabic on infected machines. It also avoids most sandboxes.

· Dropbox client : SharpStage implements the Dropbox client API, which allows it to download and exfiltrate data by communicating with Dropbox using an access token.

· Command execution through PowerShell, the command line, or WMI : Upon receiving a command from C2, SharpStage can execute arbitrary commands.

· Download and run additional files : This malware can download and run additional payloads.

· Unzip RAR Archive : SharpStage can unzip archived data downloaded from C2 (including SharpStage payload and persistence module).

Cybereason detected the SharpStage infection chain shown in the figure below. In this variant, the persistence component is “shearS.exe”, which registers a scheduled task for the downloaded “shear” sample (the SharpStage payload). SharpStage’s persistence components typically carry the letter “S” appended to the main module’s name, whatever that name is.

▲ SharpStage attack tree (displayed on Cybereason Defense Platform)

SharpStage dropper (early version)

The first variant comes with a dropper that establishes persistence for the backdoor. This dropper writes the payload (the SharpStage backdoor) to both the temp and startup folders.

▲ Search the startup folder and temp folder in the system

Copying and running the malware is done by creating an instance of Windows Explorer.

▲ Create a Windows Explorer process

In addition, the dropper uses a registry autorun key to create persistence for the malware dropped in %temp%.

▲ Create persistence through the registry

Secondary persistence component (later version)

As shown in Cybereason’s process tree, a newer and more modular variant of SharpStage (named “shear”) is downloaded from C2 along with a small file called “shearS”. The latter establishes persistence for the first file and includes some machine profiling features. Machine profiling is performed using WMI queries, which collect data such as the system’s make and model.

▲ Collection of system information by persistence components

To create persistence, the component uses schtasks to register a new scheduled task for “shear”. The reference to “shear” shown below is derived simply by removing the trailing letter “S” from “shearS”.

▲ Execute the scheduled task method in the persistence component

SharpStage core features

The SharpStage payload downloaded from C2 has several backdoor features, including an implementation of the Dropbox client API and a check for the presence of Arabic. This check lets the malware run only on its intended targets and evade sandboxes, whose default language setting is usually “English”.

Before performing the language check, this backdoor automatically captures the screen and saves the image in the %temp% folder.

▲ Capture the victim’s screen

As mentioned above, this malware checks for the presence of an Arabic keyboard layout. If such a layout is found, the “startLoop” flag is set to “true”, execution proceeds to the main activity, and the backdoor connects to C2 for further instructions.

▲ Checking the Arabic keyboard and updating the corresponding flag

Examining the “GetUpload” method reveals the backdoor functionality of this malware. After connecting to C2, SharpStage will start parsing the command.

▲ Access C2 and start command-related variables

As shown in the figure below, the malware parses the commands received from C2 (to be executed through the command line, PowerShell, or WMI) and then initializes the relevant variables.

It also launches the Dropbox client to download additional files; the client is initialized with the “AcessTo” variable, a token previously obtained from C2.

▲ After parsing the command obtained from C2, start the Dropbox client.

The attacker’s Dropbox account is used to download additional files, although files can also be downloaded from a web address over a secure connection.

▲ Download additional files

The code below implements a switch-case sequence that executes a command through either the command line, PowerShell, or WMI, depending on the command received.

▲Command line parsing

The later variants of SharpStage also drop decoy documents at run time.

▲ Document drop and open are instructed in the code

This decoy document contains information allegedly produced by the media department of the Popular Front for the Liberation of Palestine (PFLP), describing the preparations for the PFLP’s 53rd Anniversary Ceremony.

▲ Sharp Stage decoy document

According to the metadata of this document, the author of this document is a person named “ABU-GHASSAN”. In the context of PFLP, this name may refer to Ahmad Sa’adat , the secretary-general of PFLP, known as ABU-GHASSAN.

Cybereason cannot determine the authenticity of this document; it remains unclear whether it is a genuine stolen document or a forgery created by the attackers to appear as if it originated from a senior PFLP official.

▲ Metadata for decoy documents

DropBook backdoor analysis

▲ DropBook attack tree (displayed on Cybereason Defense Platform)

One of the malware samples delivered by this series of phishing attacks is a Python-based backdoor compiled with PyInstaller, called “DropBook”.

Based on the similarities between TTP and code, Cybereason suspects that DropBook was created by the team that developed JhoneRAT. JhoneRAT is one of the Python-based malware observed in targeted attacks in the Middle East and has been reported to be associated with the Spark backdoor .

The DropBook backdoor has the following features:

· Reconnaissance : Collect installed programs and filenames

· Shell command : Execute the shell command received from Facebook / Simplenote

· Download and run additional files : Ability to download and run additional payloads using DropBox

· Target Arabic-speaking users : Avoid executions against unrelated potential victims by checking for the presence of Arabic on infected machines

▲ Global variables of decompiled python script

DropBook will only run if WinRAR is installed on the infected computer, probably because WinRAR will be required later in the attack.

In addition, the backdoor checks the keyboard language and only runs if Arabic is set. This is one of the techniques Molerats often uses.

To avoid network-based detection, DropBook communicates with its operators through legitimate websites and services such as Dropbox, Facebook, and Simplenote (a note-taking service).

This makes the backdoor’s web traffic look legitimate and less suspicious. DropBook uses Dropbox to download and upload files, and the Facebook / Simplenote posting features to receive C2 commands from the attackers.

The execution flow of DropBook is as follows.

1. Get Dropbox API Token : DropBook gets Dropbox tokens from Facebook posts with fake Facebook accounts. The operator of this backdoor can change the token used by this backdoor by editing this post. If it fails to get the token from Facebook, DropBook will try to get the token from Simplenote.

▲ Dropbox token on Facebook

2. Perform reconnaissance : After receiving the token, the backdoor collects the names of all files and folders in the “Program Files” directory and on the desktop, writes the list to C:\Users\%username%\info.txt, and uploads it to Dropbox under the name of the user currently logged on to the machine.

3. Get commands from Facebook : DropBook then checks the fake Facebook account’s posts to receive commands to run on the infected machine. By editing the post, the attacker can give the backdoor new commands, such as:

· Run arbitrary shell commands on all victims or specific victims

· Set the name of the payload that may be downloaded at a later stage

· Set the sleep time between queries in new commands

Cybereason observed the following commands posted to the Facebook account used for C2.

Command posted | Meaning
all::tasklist | Run "tasklist" on all infected machines
all::dir | Run "dir" on all infected machines
all::set::soundplyer.exe | Set the name of the next file to download to "soundplyer.exe"
all::re::30 | Set sleep time to 30 seconds
all::set::Kd.exe | Set the name of the next file to download to "Kd.exe"
all::schtasks | Run "schtasks" on all infected machines
all::set::.exe | Set the name of the next file to download to ".exe"
all:: %comspec% %userprofile%\.exe | Probably trying to run ".exe"
all:: %userprofile%\.exe | Probably trying to run "Firefox.exe"
all::schtasks /create /sc minute /mo 1 /tn "Firefox" /F /tr "\"%userprofile%\Firefox.exe\"" | Create a scheduled task for "Firefox.exe"
all::schtasks /create /sc minute /mo 1 /tn "soundplyer" /F /tr "\"%userprofile%\soundplyer.exe\"" | Create a scheduled task for "soundplyer.exe"
all::set::PView.exe | Set the name of the next file to download to "PView.exe"
all::dir %userprofile% | Run "dir" on %userprofile%
all::schtasks /create /sc minute /mo 1 /tn "PView" /F /tr "\"%userprofile%\PView.exe\"" | Create a scheduled task for "PView.exe"
all::set::DG3.exe | Set the name of the next file to download to "DG3.exe"

You can view all the commands posted by the backdoor operator by using Facebook’s “post edit history” feature.

▲ Shell commands used by attackers revealed by Facebook’s post editing history function
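As an added example (not DropBook’s code or Cybereason’s), the following Python parses the posted commands under the `<target>::<verb>[::<argument>]` grammar inferred from the table above, renders the same one-line interpretation, and pulls the scheduled-task binaries out of the schtasks posts so a responder knows which files to hunt for on disk. The post list is a constructed copy of the observed commands, and the grammar itself is an assumption drawn from them.

```python
"""Parser for the DropBook C2 command grammar as it appears in the Facebook
posts above. Added example, not DropBook's code: the grammar
<target>::<verb>[::<argument>] is inferred from the observed posts."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed list reproducing the posted commands from the table above
OBSERVED_POSTS = [
    "all::tasklist",
    "all :: dir",
    "all::set::soundplyer.exe",
    "all::re::30",
    "all::set::Kd.exe",
    "all::schtasks",
    r"all:: %comspec% %userprofile%\.exe",
    r'all::schtasks /create /sc minute /mo 1 /tn "Firefox" /F /tr "\"%userprofile%\Firefox.exe\""',
    "all::set::PView.exe",
    "all::dir %userprofile%",
    r'all::schtasks /create /sc minute /mo 1 /tn "PView" /F /tr "\"%userprofile%\PView.exe\""',
    "all::set::DG3.exe",
]


@dataclass
class C2Command:
    target: str        # "all" = every victim; anything else = a specific victim id
    kind: str          # "set_payload", "set_sleep" or "shell"
    argument: str
    persistence: Optional[Tuple[str, str]] = None  # (task name, binary) for schtasks /create


def extract_task(cmdline: str) -> Optional[Tuple[str, str]]:
    """Pull the task name and launched binary out of a schtasks /create command line."""
    name = re.search(r'/tn\s+"?([^"\s]+)"?', cmdline, re.IGNORECASE)
    tr = re.search(r'/tr\s+(.+)$', cmdline, re.IGNORECASE)
    if not (name and tr):
        return None
    # The operator wrapped the path as "\"...\"" so cmd.exe keeps the inner quotes;
    # drop the escaped quotes first, then the outer ones.
    binary = tr.group(1).strip().replace('\\"', '').strip('"')
    return name.group(1), binary


def parse_post(post: str) -> C2Command:
    """Split one post into target, verb and argument; tolerates the 'all :: dir' spacing."""
    target, _, rest = post.partition("::")
    target, rest = target.strip(), rest.strip()
    if rest.startswith("set::"):
        return C2Command(target, "set_payload", rest[len("set::"):].strip())
    if rest.startswith("re::"):
        return C2Command(target, "set_sleep", rest[len("re::"):].strip())
    cmd = C2Command(target, "shell", rest)
    lowered = rest.lower()
    if lowered.startswith("schtasks") and "/create" in lowered:
        cmd.persistence = extract_task(rest)
    return cmd


def describe(cmd: C2Command) -> str:
    """Render the same one-line interpretation used in the table above."""
    who = "all infected machines" if cmd.target == "all" else f"victim {cmd.target}"
    if cmd.kind == "set_payload":
        return f'Set the name of the next file to download to "{cmd.argument}"'
    if cmd.kind == "set_sleep":
        return f"Set sleep time to {cmd.argument} seconds"
    if cmd.persistence:
        task, binary = cmd.persistence
        return f'Create scheduled task "{task}" running {binary} on {who}'
    return f'Run "{cmd.argument}" on {who}'


def persistence_binaries(posts: List[str]) -> List[str]:
    """Binaries the operator scheduled via schtasks: the files a responder should hunt for."""
    found = []
    for post in posts:
        cmd = parse_post(post)
        if cmd.persistence:
            found.append(cmd.persistence[1])
    return found


if __name__ == "__main__":
    for post in OBSERVED_POSTS:
        print(f"{post!r:90} -> {describe(parse_post(post))}")
    print("hunt for:", persistence_binaries(OBSERVED_POSTS))
```

The `persistence_binaries` output is the shortest path from the post history to a host-based hunt: every path it returns should be checked on disk and in the scheduled task list of each suspected victim.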

4. Download additional payloads : DropBook can download and run an extended arsenal of payloads stored in Dropbox. This includes the MoleNet downloader, Quasar RAT, an updated version of DropBook, the SharpStage backdoor, and Process Explorer, Microsoft’s official tool for monitoring Windows processes, which attackers often use for reconnaissance and credential dumping.

Apart from the posted commands, the fake Facebook profile is empty and shows no connections or personal information about the user. This further supports the hypothesis that the profile was created solely for the backdoor’s command and control (C2) communication.

▲ Fake Facebook profile used for C2 communication of DropBook

Analysis of MoleNet Downloader

Perhaps the most interesting tool discovered in this attack is the MoleNet downloader. The tool itself was previously undocumented, but the Nocturnus team found evidence that it has been under active development since at least 2019, with its infrastructure operating since 2017, all while going unnoticed.

The MoleNet downloader is one of many tools in Molerats’ arsenal; in this attack it was found being delivered by the DropBook backdoor alongside both the SharpStage and Spark backdoors. The MoleNet downloader is written in .NET and is heavily obfuscated.

The MoleNet Downloader has the following features:

· Run WMI queries for OS profiling: These include the following queries:
- SELECT * FROM FirewallProduct
- SELECT * FROM AntivirusProduct
- SELECT * FROM Win32_PhysicalMedia
- SELECT * FROM Win32_ComputerSystem
- SELECT * FROM Win32_DiskDrive
- SELECT * FROM Win32_LogicalDiskToPartition

· Debugger checks: MoleNet performs several checks, such as calling APIs like IsDebuggerPresent and CheckRemoteDebuggerPresent, to determine whether it is being debugged.

· Rebooting the machine using the command line: MoleNet reboots the infected machine by running the shutdown command line utility.

▲ Reboot the victim’s machine using the command line

· Send a wide variety of OS information to C2: The following is an example of the parameters sent to C2: name={0}&subject={1}&OS={2}&category={3}&priority={4}&message={5}&FileLocation={6}&email={7}&MyVer={8}&XMLDoc={9}&PCTypeOne={10}

· Downloading additional payloads: MoleNet can download additional payloads from C2.

· Creating persistence: MoleNet establishes persistence on infected machines by running the following command through PowerShell: powershell reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v Firefox /t reg_sz /
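The persistence described above, together with the DropBook scheduled tasks, leaves a distinctive trace: an autorun value named after a well-known application that launches an executable sitting directly in the user’s profile folder. The following Python is an added example, not Cybereason’s code, that audits `reg query` output for that shape; the registry listing is constructed and the impersonated-name list is an assumption.

```python
r"""Audit HKCU Run values for the persistence shape MoleNet creates with
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Firefox ...:
a value named after a well-known application that launches an executable
placed directly in the user's profile folder. Added example, not Cybereason's
code; the registry listing below is constructed to mimic `reg query` output."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the layout `reg query HKCU\...\Run` prints. The Firefox,
# PView and soundplyer values are modelled on the names seen in this campaign;
# OneDrive and Discord are typical benign entries.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive      REG_SZ           "C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Firefox       REG_SZ           C:\Users\victim\Firefox.exe
    Discord       REG_SZ           C:\Users\victim\AppData\Local\Discord\Update.exe --processStart Discord.exe
    PView         REG_SZ           "C:\Users\victim\PView.exe"
    soundplyer    REG_EXPAND_SZ    %USERPROFILE%\soundplyer.exe
"""

ENTRY_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*\S)\s*$")
# Legitimate installers do not drop their main binary straight into the profile root
PROFILE_ROOT_EXE = re.compile(
    r"^(?:[a-z]:\\users\\[^\\]+|%userprofile%)\\[^\\]+\.exe$", re.IGNORECASE)
# Names the operators borrowed from real software (assumed list); the genuine
# products live under Program Files or AppData, not in the profile root.
IMPERSONATED = {"firefox", "chrome", "msedge", "onedrive", "discord"}


@dataclass
class RunEntry:
    name: str
    exe: str      # executable the value launches, without quotes or arguments
    command: str  # full value data


def launched_exe(command: str) -> str:
    """Extract the program path from value data, dropping quotes and trailing arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]


def parse_run_entries(text: str) -> List[RunEntry]:
    """Parse the value lines of `reg query` output; the key header line is skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(RunEntry(m.group(1), launched_exe(m.group(3)), m.group(3)))
    return entries


def audit_run_keys(text: str) -> List[Tuple[str, List[str]]]:
    """Return [(value name, reasons)] for entries matching the planted-persistence shape."""
    findings = []
    for entry in parse_run_entries(text):
        reasons = []
        if PROFILE_ROOT_EXE.match(entry.exe):
            reasons.append(f"launches an executable from the profile root: {entry.exe}")
        if entry.name.lower() in IMPERSONATED and not re.search(
                r"\\(program files|appdata)\\", entry.exe, re.IGNORECASE):
            reasons.append(f"value name '{entry.name}' impersonates software installed elsewhere")
        if reasons:
            findings.append((entry.name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit_run_keys(SAMPLE_REG_QUERY):
        print(name, "->", "; ".join(reasons))
```

Feed it the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` collected from suspected hosts; the same two heuristics apply unchanged to the HKLM Run key and to scheduled-task actions.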

The new version of MoleNet seems to use the following URL to communicate with the operator.

· hxxps://exchangeupdates[.]com/enterprise/Wenterprise.php

· hxxps://exchangeupdates[.]com/enterprise/Senterprise.php

Discovering older versions of MoleNet

By pivoting on the tool’s TTPs and strings, Cybereason was able to find an earlier sample communicating with the same domain, exchangeupdates[.]com, dating back to July 2020.

After investigating further indicators, we found even earlier samples, dating back to 2019. These samples communicated with a different domain, upgrade.newshelpyou[.]com.

This domain was mentioned in a 2017 Kaspersky report (covering various attacks by Gaza Cybergang). However, the report did not contain any information about the MoleNet downloader.

Spark backdoor activity in Turkey

Cybereason also observed recent Spark backdoor activity targeting Turkish-speaking individuals. It is unclear whether this Turkish-targeted attack is related to the attack described above, but both use the Spark backdoor attributed to Molerats. It is interesting that Spark is being aimed at Turkish speakers, since it is known for checking for Arabic settings on infected machines.

One of the Spark backdoor droppers observed in an attack targeting Turkey was named “YENİ İNŞAAT İÇİN GEREKLİ BELGELER.exe” (the file name translates to “documents needed for new construction”). When the malware is executed, a decoy file written in Turkish is opened to divert the victim’s attention from the malicious activity.

SHA-256: 5b0693731f100b960720d67bda6f3e6df1c25b7d5024d11cf61c13e7492f18cf
Decoy document SHA-256: dc9aa462547e1436c7254a78c907915d41f771a3a66d2f4656930724cbf3914d

▲ Turkish decoy document dropped with Spark backdoor

Attacks targeting Turkey appear to use a different C2 domain, brooksprofessional[.]com.

Connection to the Pierogi backdoor

During this investigation, we found an interesting link between the newly discovered malware described above and the Pierogi backdoor previously detected by Cybereason.

Some of the victims of the newly discovered backdoors were also targeted by a new variant of the Pierogi backdoor, whose attacks are attributed to APT-C-23, a neighboring subgroup of Gaza Cybergang associated with Molerats.

Analysis of Pierogi’s distribution method and phishing themes showed a strong similarity both to the attacks described in this report and to past attacks attributed to Molerats and APT-C-23.

For example, Pierogi backdoor droppers have been observed in multiple instances as executables with fake Microsoft Word icons. There are also similarities in the phishing techniques and in the decoy content sent to victims.

▲ According to VirusTotal, the detection rate of Pierogi backdoor droppers by antivirus is low.

File name: general secretariat for the council of ministers 1839-2021.exe
SHA-256: 2d03ff4e5d4d72afffd9bde9225fe03d6dc941982d6f3a0bbd14076a6c890247

▲ Pierogi dropper file uploaded from Palestinian Territory

SHA-256 of the dropped decoy PDF document:

▲ Contents of the decoy document dropped by Pierogi

Another example of a decoy document was dropped by the following file, which carries the Pierogi backdoor:

File name: applied structural-85763489756-5629857-docx.exe (typo in the original)
SHA-256: b61fa79c6e8bfcb96f6e2ed4057f5a835a299e9e13e4c6893c3c3309e31cad44

▲ Decoy document dropped by the Pierogi backdoor

The new Pierogi variant seems to retain most of the previously reported features, but Cybereason detected several changes and improvements to the code, including code obfuscation and base64-encoded C2 communication. In addition, the previously reported distinctive URI pattern has changed and no longer includes Ukrainian words.

URI patterns observed within the new Pierogi variant:

· hxxp://ruthgreenrtg[.]live/xqgjdxa/yhhzireha/ibcdgpuw

· hxxp://ruthgreenrtg[.]live/xqgjdxa/yhhzireha/zbkvngmnc

· hxxp://ruthgreenrtg[.]live/xqgjdxa/yhhzireha/hknbuahwg

· hxxp://ruthgreenrtg[.]live/xqgjdxa/yhhzireha/tcpuvvfi

Old URI pattern (Ukrainian command) | Purpose
debby/weatherford/Yortysnr | Machine information
debby/weatherford/Expertise | Request more commands from C2
debby/weatherford/Zavantazhyty | Upload data (mainly screenshots)
debby/weatherford/Vydalyty | Delete information
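The MoleNet beacon parameter set described in the downloader analysis and the old and new Pierogi URI patterns above are both well suited to web-proxy detection. The following Python is an added example, not Cybereason’s code, that scans proxy records for the C2 domains named in this report, the two Pierogi URI shapes, and POST bodies carrying MoleNet’s field names; the log records are constructed, and the parameter-overlap threshold is an assumption chosen to tolerate minor version changes.

```python
"""Proxy-log scanner for the MoleNet beacon parameter set and the old and new
Pierogi URI patterns. Added example, not Cybereason's code; the log records
below are constructed and the overlap threshold is an assumption."""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs

# Field names from the MoleNet beacon format
# name={0}&subject={1}&OS={2}&category={3}&priority={4}&message={5}
# &FileLocation={6}&email={7}&MyVer={8}&XMLDoc={9}&PCTypeOne={10}
MOLENET_PARAMS = frozenset({
    "name", "subject", "OS", "category", "priority", "message",
    "FileLocation", "email", "MyVer", "XMLDoc", "PCTypeOne",
})

# Old Pierogi URIs carried Ukrainian command words under debby/weatherford/;
# the new variant uses random-looking segments under a fixed prefix.
PIEROGI_OLD = re.compile(
    r"/debby/weatherford/(Yortysnr|Expertise|Zavantazhyty|Vydalyty)$", re.IGNORECASE)
PIEROGI_NEW = re.compile(r"^/xqgjdxa/yhhzireha/[a-z]{6,12}$")

# C2 domains named in the report, with the [.] defanging removed for comparison
KNOWN_C2 = {
    "artlifelondon.com": "SharpStage",
    "forextradingtipsblog.com": "SharpStage",
    "exchangeupdates.com": "MoleNet",
    "upgrade.newshelpyou.com": "MoleNet (older sample)",
    "brooksprofessional.com": "Spark (Turkey)",
    "ruthgreenrtg.live": "Pierogi",
}

# Constructed proxy records: one benign page, one MoleNet beacon, one old-style
# and one new-style Pierogi request, and a benign contact form that shares a
# few field names with MoleNet but stays under the threshold.
SAMPLE_LOG = [
    {"method": "GET", "host": "www.example.com", "path": "/index.html", "body": ""},
    {"method": "POST", "host": "exchangeupdates.com", "path": "/enterprise/Wenterprise.php",
     "body": "name=DESKTOP-1&subject=info&OS=Windows+10&category=1&priority=1&message=ok"
             "&FileLocation=C%3A%5CUsers%5Cvictim&email=none&MyVer=2&XMLDoc=&PCTypeOne=Desktop"},
    {"method": "GET", "host": "unknown-host.invalid", "path": "/debby/weatherford/Expertise", "body": ""},
    {"method": "GET", "host": "ruthgreenrtg.live", "path": "/xqgjdxa/yhhzireha/ibcdgpuw", "body": ""},
    {"method": "POST", "host": "shop.example.net", "path": "/contact", "body": "name=a&email=b&message=hi"},
]


def is_molenet_beacon(body: str, min_overlap: int = 8) -> bool:
    """True when a request body carries most of MoleNet's distinctive field names.
    A threshold instead of an exact match tolerates small version-to-version changes."""
    keys = set(parse_qs(body, keep_blank_values=True))
    return len(keys & MOLENET_PARAMS) >= min_overlap


def classify(record: Dict[str, str]) -> List[str]:
    """Return the reasons one proxy record should be flagged (empty list = clean)."""
    reasons = []
    host = record["host"].lower().removeprefix("www.")
    if host in KNOWN_C2:
        reasons.append(f"known {KNOWN_C2[host]} C2 domain")
    if PIEROGI_OLD.search(record["path"]):
        reasons.append("Pierogi old URI pattern (Ukrainian command word)")
    if PIEROGI_NEW.match(record["path"]):
        reasons.append("Pierogi new URI pattern")
    if record["method"] == "POST" and is_molenet_beacon(record.get("body", "")):
        reasons.append("MoleNet beacon parameter set")
    return reasons


def scan(records: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return [(index, reasons)] for every record that triggers at least one rule."""
    hits = []
    for i, record in enumerate(records):
        reasons = classify(record)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_LOG):
        r = SAMPLE_LOG[index]
        print(f"[{index}] {r['method']} {r['host']}{r['path']} -> {'; '.join(reasons)}")
```

The domain match and the URI-shape match are independent on purpose: the new Pierogi path prefix and the MoleNet field names keep working after the operators rotate to a domain that is not yet on the list, while the domain list still catches traffic to the known infrastructure whatever the path.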

For more information, see the complete list of Pierogi IOCs contained in the IOC documentation linked below.