Cybereason researchers have identified an ongoing espionage campaign that uses three previously unidentified malware variants.
Cybereason has discovered a new espionage campaign in which attackers use three different malware variants and abuse Facebook, Google Docs, Dropbox, and Simplenote as command-and-control (C&C) infrastructure to target victims.
The malware variants were previously unidentified, Cybereason claims. The campaign involves the exfiltration of confidential data. According to the researchers, the Gaza Cybergang, aka MoleRats, is responsible for this new campaign.
It is an Arabic-speaking APT group that surfaced in early 2012 and mainly targets victims in the Middle East. The group is now abusing cloud-based platforms and Facebook to deploy malware.
MoleRats is a politically motivated group that has previously launched targeted campaigns in Palestine, Israel, Europe, and the USA. In February 2020, the same group was found targeting top Palestinian authority figures.
According to Cybereason’s report [PDF], the recent campaign has been active since September, and researchers believe it lasted until November. This time, the hackers’ main targets were high-profile Arabic-speaking government officials and individuals in the UAE, Palestine, and Egypt, along with non-Arabic-speaking targets in Turkey.
The hackers attempted to steal sensitive documents from the targeted computers. The group used two newly identified backdoors, DropBook and SharpStage, and a downloader, MoleNet.
To carry out their attacks, the hackers use phishing documents on a variety of themes related to current Middle Eastern events. For instance, some of their lures referenced a meeting between Saudi Arabia’s Crown Prince, His Royal Highness Mohammed bin Salman, Israeli Prime Minister Benjamin Netanyahu, and U.S. Secretary of State Mike Pompeo.
The newly identified tools allow attackers to execute arbitrary commands and code and to exfiltrate sensitive data from infected computers. The DropBook backdoor uses Simplenote or fake Facebook accounts as its C&C server, and, along with SharpStage, it abuses a Dropbox client to retrieve stolen data or store espionage tools.
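A defender-side triage check for the behaviour described above, added here as an example and not taken from Cybereason's report: it scans constructed Sysmon-style network-connection events and flags any process outside an assumed allowlist of browsers and the Dropbox client that connects to the cloud services the campaign abused. The domain list, the process allowlist, the log format and the file paths are all assumptions for illustration.

```python
"""Flag unexpected processes talking to cloud services abused as C2 / exfil channels."""
import re
from collections import defaultdict

# Services the article names as abused for C&C and exfiltration (assumed domains).
ABUSED_DOMAINS = ("facebook.com", "simplenote.com", "dropbox.com",
                  "dropboxapi.com", "docs.google.com")
# Processes a typical workstation is expected to let reach those services (assumption).
EXPECTED_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe", "dropbox.exe"}

# Constructed Sysmon-style network events; the AppData binary is a hypothetical implant.
LOG_LINES = """\
2020-11-03T09:12:01 Image=C:\\Program Files\\Google\\Chrome\\chrome.exe DestinationHostname=www.facebook.com
2020-11-03T09:12:07 Image=C:\\Users\\u\\AppData\\Roaming\\svc\\update.exe DestinationHostname=app.simplenote.com
2020-11-03T09:13:07 Image=C:\\Users\\u\\AppData\\Roaming\\svc\\update.exe DestinationHostname=app.simplenote.com
2020-11-03T09:14:07 Image=C:\\Users\\u\\AppData\\Roaming\\svc\\update.exe DestinationHostname=api.dropboxapi.com
2020-11-03T09:15:00 Image=C:\\Program Files\\Dropbox\\Client\\dropbox.exe DestinationHostname=api.dropboxapi.com
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) Image=(?P<image>.+?) DestinationHostname=(?P<host>\S+)$")


def parse_line(line):
    """Return (timestamp, image path, lowercased host) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("image"), m.group("host").lower()


def is_abused_domain(host):
    """True when host is one of the abused services or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in ABUSED_DOMAINS)


def find_suspicious(lines):
    """Map each unexpected process image to the sorted list of abused hosts it contacted."""
    hits = defaultdict(set)
    for line in lines.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, image, host = parsed
        exe = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if is_abused_domain(host) and exe not in EXPECTED_PROCESSES:
            hits[image].add(host)
    return {image: sorted(hosts) for image, hosts in hits.items()}


if __name__ == "__main__":
    for image, hosts in find_suspicious(LOG_LINES).items():
        print(f"REVIEW: {image} -> {', '.join(hosts)}")
```

Browser traffic to these services is normal, so the signal is the process identity and path, not the destination alone; a real deployment would also weigh beacon-like timing such as the one-minute cadence in the constructed lines.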
“Analysis of the phishing themes and decoy documents used in the social engineering stage of the attacks shows that they revolve mainly around Israel’s relations with neighboring Arab countries as well as internal Palestinian current affairs and political controversies,” Cybereason researchers wrote.