cyber attack

Recent mobile attacks by Molerats

1. Overview

In December 2020, the mobile security team captured a new type of malicious RAT Molerats on the Android platform. Analysis shows that the RAT first appeared in 2017 and has been used continuously to this day.

There are currently 3 versions. After traceability and correlation, it was discovered that the RAT belongs to the unique mobile weapon of the Molerats APT Group and is named the GazaHT family. Chinese named Moonlight Rat Group.

The Moon Rat Group comes from a certain region in the Middle East, and its targets are mainly Israelis and Palestinians. The Group launched a malware attack against Israeli government targets in October 2012, which caused the Israeli police department to disconnect the network access rights of all computers in the department for insurance purposes, which attracted media attention.

In 2013, a foreign security vendor disclosed and named it Molerats. Since then, the Group has continued to carry out multiple attacks, and has been disclosed and named by many domestic and foreign security vendors, so it has multiple aliases (alias: Gaza Hackers Team , Gaza cybergang, Gaza Cybergang, Operation Molerats, Extreme Jackal, Moonlight, ALUMINUM SARATOGA).

2, load delivery

Through the analysis of the mobile terminal attack samples, it can be found that the attack load of the Moon Mouse Group on the mobile terminal adopts a delivery method disguised as Google App Store related applications and chat applications. After tracking and analysis, the security team discovered that the attack payload of the chat application disguised as the Moonmouse Group was mainly stored on the phishing website (ephoneservices.club), although the title of the phishing URL stated “high quality, safe and usable on Google Play”, But once the button is clicked, the malicious attack payload will be downloaded directly. The attack payload of this website belongs to the second-generation RAT. In addition, the website became invalid shortly after being disclosed by the security vendor ESET in July 2020.

clip_image001

3. Attack sample analysis
Moonlight Mouse Group has its own unique mobile terminal GazaHT attack sample family, which has developed to the current third generation according to functional iterations.

The latest third generation has increased the use of auxiliary functions to steal information from currently popular social applications . The GazaHT family has complete functions and can obtain call records, SMS messages, photos, address books, geographic location information, call recordings, etc. Attackers can expand richer monitoring functions according to their own capabilities, and can conveniently remotely control the victim’s mobile phone by issuing commands.

Commands Features
S1 Whether to enable information collection
S2 reserved text
S3 reserved text
S4 SMS theft
S5 Photo upload
S6 recording
S7 Call Recording
S8 Steal the content information of social applications chat

Remote control command and corresponding function relation table:

clip_image002

4, the attack group traceability analysis

The security team analyzed and determined that the attack was attributed to the Molerats. The main basis is as follows:

1. 1. The sample is aimed at Arabic users, and it can be speculated that the attack is mainly aimed at Middle Eastern countries.

2. 2. One of the C&Cs is pal4u.net, and pal4u.net is a common asset of the organization. In addition, its latest C&C adopts the Palestinian Nepras For Media & IT domain name systembackups.info domain name, which also indirectly confirms the organization’s regional identity.

3. 3. The latest sample signature with “Palestine” and “gaza” also indirectly confirms the regional identity of the organization.

5, summary

Moonlight Mouse has been active in the Middle East since 2012. It mainly uses phishing themes and analysis of decoy files to carry out attacks. Phishing can be said to be a cliché, but it is still an attacker’s tried and tested method, and it is clearly one of the most effective tactics.
Responding to these attacks requires not only the protection of various security products of security vendors and the support of security services in place, but also the continuous construction of the company’s own internal security regulations and the awareness of security of internal employees. Regarding how ordinary users can avoid attacks on the mobile terminal, the security team provides the following protection suggestions:
1. Download the application in a regular application store. Domestic users can download it in the app store that comes with the phone, and foreign users can download it in Google Play. Don’t install apps from untrusted sources, don’t just click on unknown URLs or scan QR codes with unknown security.
2. The mobile device should perform security updates in a trusted network environment in time, and do not use untrusted network environments lightly.
3. Be especially cautious with applications that request permission to install apps, activate device managers, etc. Generally speaking, ordinary apps will not request these permissions, especially device managers. Normal application opportunities do not have this requirement.
4. Ensure that mobile phone security software is installed to protect personal property in real time;

IOCs

systembackups.info
emobileservices.club
pal4u.net

2c5cd58126290a04b4dffe87d5240ba0
989da9cf729db914c03cfadb25418e0a
5770a9c2504ff5f424aa2d563c98a12e
c61aa3ab6d335ef45dd4345b7f3ce276
2b6f2c53e206544a707241c9e157f9dd
8698967ce83b4ac06a509a9fbfef5281
9006bfc208a6ed36f7a75816e2b31ca8
2905f2f60d57fbf13d25828ef635ca1cce81e757
c755d37d6692c650692f4c637ae83ef6bb9577fc
29a7cd3c1c7f98896b55f066995aa0de772365ca
ce2f1fac0ba05925408ef2f6efb10d66c6578d82
89ab73d4aaf41cbcdbd0c8c7d6d85d21d93ed199
c60d7134b05b34af08023155eab3b38cede4bccd
70042dc45f2d5c121dad94141774db87e1ca2d75
aac634ae8f9b7ae06c8e5d2c451b7603e4489bd27a28db2d5475db23536f9f9e
8b913f142078c8901240ed96f9d80d499b79bb27fb6387adb1b53bb5fbe973f0
3c0458b4c61250f206e3134c39ea348d0ce08fb32b1ef6fca1d3765979a80c2d
ff63a3fcbc2f4567c4c6885651de6db9f523e44358bd0b6e2fad42df0ab3e96d
4f877f0f6aa1af674fc80e80d043b5cf2ee4545b198be5bd8f20d1807954f6e5
fc0b880ddd9bda92dfb776d32a1958635be8933fa138dd35044cb5e76f470860
fe5af8c8f6efe9cf04107e7c557a62a513db5b703f3b517eaef0b45148d4af47