Recent mobile attacks by Molerats

1. Overview

In December 2020, the mobile security team captured a new type of malicious Android RAT associated with Molerats. Analysis shows that the RAT first appeared in 2017 and has been in continuous use ever since.

Three versions are currently known. After tracing and correlation, it was determined that the RAT is a mobile weapon unique to the Molerats APT group; it has been named the GazaHT family. In Chinese the group is known as the Moonlight Rat Group.

The Moonlight Rat Group comes from a region in the Middle East, and its targets are mainly Israelis and Palestinians. In October 2012 the group launched a malware attack against Israeli government targets, which led the Israeli police department to cut network access for all of the department's computers as a precaution and attracted media attention.

In 2013, a foreign security vendor disclosed the group and named it Molerats. Since then the group has carried out multiple further attacks and has been disclosed and named by many domestic and foreign security vendors, so it has multiple aliases (Gaza Hackers Team, Gaza cybergang, Gaza Cybergang, Operation Molerats, Extreme Jackal, Moonlight, ALUMINUM SARATOGA).

2. Payload delivery

Analysis of the mobile attack samples shows that the Moonlight Rat Group delivers its mobile payloads disguised as Google Play Store related applications and as chat applications. Through tracking and analysis, the security team found that the group's payloads disguised as chat applications were mainly hosted on a phishing website (, although the page title claimed "high quality, safe and usable on Google Play", clicking the button downloads the malicious payload directly. The payload on this website belongs to the second-generation RAT. The website went offline shortly after being disclosed by the security vendor ESET in July 2020.


3. Attack sample analysis

The Moonlight Rat Group has its own unique mobile attack sample family, GazaHT, which has now reached its third generation through functional iteration.

The latest, third generation adds the use of accessibility services to steal information from currently popular social applications. The GazaHT family is fully featured: it can obtain call logs, SMS messages, photos, contacts, geographic location, call recordings, and more. Attackers can extend the monitoring functions as their capabilities allow, and can conveniently control the victim's phone remotely by issuing commands.

Remote control command and corresponding function relation table:

Command   Function
S1        Whether to enable information collection
S2        Reserved
S3        Reserved
S4        SMS theft
S5        Photo upload
S6        Recording
S7        Call recording
S8        Steal chat content from social applications

4. Attack group attribution analysis

The security team analyzed the attack and attributed it to Molerats. The main basis is as follows:

1. The sample targets Arabic-speaking users, so the attack is presumably aimed mainly at Middle Eastern countries.

2. One of the C&Cs is , which is a known asset of the group. In addition, its latest C&C uses a domain name of the Palestinian company Nepras For Media & IT, which also indirectly confirms the group's regional identity.

3. The latest sample's signature contains "Palestine" and "gaza", which also indirectly confirms the group's regional identity.

5. Summary

The Moonlight Rat Group has been active in the Middle East since 2012. It mainly carries out attacks using phishing themes and decoy files. Phishing may be a cliché, but it remains a tried and tested method for attackers and is clearly one of the most effective tactics.
Responding to these attacks requires not only the protection of security vendors' products and properly deployed security services, but also continuous development of the company's own internal security rules and of employees' security awareness. For ordinary users wishing to avoid attacks on mobile devices, the security team offers the following protection suggestions:
1. Download applications from a regular app store. Domestic users can use the app store that comes with the phone, and overseas users can use Google Play. Do not install apps from untrusted sources, and do not casually click unknown URLs or scan QR codes of unknown provenance.
2. Perform security updates on the mobile device promptly and in a trusted network environment, and avoid using untrusted networks.
3. Be especially cautious with applications that request permission to install other apps, activate device administrator, and the like. Ordinary apps generally do not request these permissions, device administrator in particular; a normal application almost never needs it.
4. Make sure mobile security software is installed to protect personal assets in real time.