Molerats APT renews phishing attack against Middle Eastern governments

An advanced persistent threat (APT) group has launched a new phishing campaign against political and government leaders in the Middle East, using a previously unreported malware variant crafted to conduct reconnaissance on host machines,  exfiltrate data, and avoid analysis, according to cybersecurity firm Proofpoint.

Proofpoint identifies the APT group as TA402, but it is also known as Molerats or The Gaza Cybergang. The malware used in the group’s latest phishing campaign has been named LastConn by Proofpoint, and is a variant of SharpStage, deployed by Molerats in a phishing attack last year. 

“TA402 leveraged multiple mechanisms to avoid automated threat analysis including geofencing based on IP addresses, only targeting computers with Arabic language packs installed, and password-protected archive files to distribute malware,” according to a Proofpoint blog.

Phishing campaign uses new malware variant

Phishing emails with the new malware variant, as well as other malware programmes, were sent throughout early 2021 before abruptly stopping in March for a two-month hiatus, according to Proofpoint. The emails then recommenced in early June.

“The temporary disruption to email threat operations in March 2021 is interesting and may be due to current tensions in the Middle East region including ongoing violence in the Gaza Strip between Israeli and Palestinian militants or the observation of Ramadan in April through early May 2021,” Proofpoint said.

Though one of the malware programmes used in the latest phishing campaigns is a new variant, the general methodology used by Molerats is similar to that used in prior attacks.

Proofpoint

The messages in phishing email sent to potential victims usually centre around geopolitical topics, including the recent Gaza conflict. Phrases in the recent phishing emails include, ‘A delegation from Hamas meets with the Syrian regime’ and ‘Hamas member list’, according to Proofpoint.

Phishing attacks generally use fake emails that appear to be from a legitimate source, in order to get victims to either hand over passwords and other personal data by prompting them to type login details into a website front, or by enticing them to click on links that download malware onto the potential victim computers.

Phishing attack targets Arabic speakers

In the June Molerats campaign, the emails contain malicious links or PDF attachments that contain malicious links. The emails and PDFs are usually in Arabic. The links apparently use some sort of geofencing mechanism, so only targets of value are sent to files loaded with malware, Proofpoint said.

Proofpoint

“Proofpoint researchers were unable to determine the exact mechanisms for initiating links to the hosted malware, but the PDF may only direct the victim to the files if the source IP address belongs to the targeted countries in the Middle East. If the source IP address does not align with the target group, the URL may redirect the recipient to a benign decoy website, typically an Arabic language news website,” according to the Proofpoint blog.

Potential victims with IP addresses for targeted areas are directed to password-protected RAR (archive format) files, which the victims have been led into believing contain geopolitical information of interest. Victims can open the files using passwords given to them in the phishing email.

Attack chain crafted to avoid detection

By directing only some possible victims to malware-loaded files, and by password-protecting those files, the APT group reduces chance of detection, Proofpoint noted.

Those victims who do open the malicious RAR files download one of a variety of malware programmes including LastConn, an updated version of SharpStage, a .NET malware that uses a Dropbox client API. The API communicates with Dropbox to download and exfiltrate data. Other malware used in this campaign that have similar capabilities include the previously reported programmes SharpStage, Loda, and MiraiEye RAT.

Earlier in the year, Proofpoint detected a Molerats campaign similar to the June attack, but using Google Apps Script URLs inside the spear-phishing email. The methodology followed similar steps, one difference being that after victims click on the Google Apps Script URL, they may need a legitimate Google account to be directed to infected RAR files.

Cybersecurity researchers believe Molerats has been active for 10 or more years, operating in the Middle East. The group’s targets have included the UAE, Egypt, Turkey, Israel and the Palestinian Territories. It has been detected targeting technology, telecommunications, financial institutions, academic institutions, military installations, media outlets, and government offices, Proofpoint noted. 

“Proofpoint assesses with moderate confidence based on lure topics, targeting, and historic campaigns the activity likely supports military or Palestinian state objectives,” according to the blog, which offers a detailed technical analysis of LastConn.

More generally, there has been an increase in phishing attacks during the last year in the Middle East, as the pandemic caused a massive shift to remote work. The wave of phishing attacks as well as ransomware and other security issues, were in the spotlight at the recent GISEC conference, the biggest cybersecurity conference in the Middle East.