Previously unreported backdoors, discovered by cybersecurity company Cybereason, add to a wave of phishing attacks that has washed over the region in the wake of a massive move to remote work caused by COVID-19.

An apparent espionage campaign that uses three previously unreported malware variants and targets political and government leaders in the Middle East is adding to a wave of phishing attacks that has washed over the region in the wake of a massive move to remote work caused by COVID-19.

The malware was reported last week by Cybereason, which attributed the campaign to an advanced persistent threat (APT) known as Molerats, part of the hacker group called the Gaza Cybergang. Researchers say the group is politically motivated and has been operating since 2012. Cybereason says it observed the group primarily targeting the UAE, Egypt, Turkey and the Palestinian Territories. The phishing campaign uses emails with political themes to trick victims into downloading backdoor programmes, which then take command and control (C2) instructions from social media accounts.

Phishing attacks generally use fake emails that appear to come from a legitimate source in order to get victims to hand over passwords and other personal data by prompting them to type login details into a website front. Such attacks have increased since pandemic lockdowns forced office staffers — including government officials — to work from home, with cybercriminals taking advantage of an increase in traffic to e-commerce, social media and other sites.
Phishing attacks jumped by 600 percent in the Middle East after the pandemic hit the region, according to a June report by the Dubai Future Foundation, and more than 2.57 million phishing attacks were detected across the Middle East in the second quarter, according to security company Kaspersky. The initial wave of phishing attacks that occurred when COVID first hit frequently used news about the pandemic to lure victims.

Phishing emails carry political themes

The political themes of Molerats’ latest phishing campaign, though, suggest that the Arabic-speaking group is targeting political and government leaders in the wake of normalization deals between Israel and the Gulf nations Bahrain and the UAE, Cybereason says. Phishing emails used to attract victims carried themes such as Israeli-Saudi relations, Hamas elections, and news about regional events including the recent normalization deals and a reported but not officially confirmed meeting between Mohammed bin Salman, crown prince of Saudi Arabia, U.S. Secretary of State Mike Pompeo and Israeli Prime Minister Benjamin Netanyahu.

(Image: Cybereason) New Molerats phishing emails have PDF attachments instructing targets to download password-protected archives, which in reality are files that contain malware.

Cybereason reports that the phishing emails deliver two new backdoors, dubbed SharpStage and DropBook, as well as a downloader called MoleNet; the malware is designed to execute code and collect sensitive data for exfiltration from infected computers. The phishing emails carry PDF attachments; when victims open them, they are prompted to download content from a password-protected archive, Cybereason reports. Victims are told they can download the content from either Dropbox or Google Drive, and when they attempt to do so the malware installation is triggered.
“While it’s no surprise to see threat actors take advantage of politically charged events to fuel their phishing campaigns, it is concerning to see an increase in social media platforms being used for issuing command and control instructions and other legitimate cloud services being used for data exfiltration activities,” said Lior Div, Cybereason co-founder and CEO, in a press release announcing the report on the new campaign.

How the Molerats backdoors work

The SharpStage backdoor is .NET malware, a variant of a backdoor that Molerats continues to develop. It checks for the presence of Arabic on victim machines, avoiding execution, and possible detection, on machines that are not of interest, according to the Cybereason report. SharpStage implements a Dropbox client API and uses a token to communicate with Dropbox to download and exfiltrate data. SharpStage can execute arbitrary commands, take screen captures, and download and execute additional files.

DropBook, meanwhile, is a Python-based backdoor that can install programs, execute shell commands received from Facebook or Simplenote, and download additional payloads using Dropbox, Cybereason says. It also checks for the presence of Arabic. Cybereason researchers said, though, that DropBook only executes if WinRAR — a data compression, encryption and archiving tool for Windows — is installed on the victim’s computer, most likely because it is used to complete certain aspects of the attack.

“These two backdoors, and the MoleNet downloader share multiple campaign similarities in TTPs [tactics, techniques and procedures] and phishing themes, and were also delivered in conjunction with the Spark backdoor previously attributed to the Gaza Cybergang,” according to the researchers.
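As an added illustration for defenders (not code from Cybereason or from the article), the following Python hunt heuristic flags the pattern described above: a process that is not a browser or the vendor's own client reaching Dropbox (payloads and exfiltration), Facebook or Simplenote (C2), with Arabic locale and WinRAR presence recorded as supporting context. The telemetry format, hostnames and process names in the sample are constructed, and the list of expected processes is an assumption to tune per environment.

```python
"""Hunt heuristic for the Molerats cloud-service C2/exfil pattern.
Added example, not Cybereason's code; telemetry shape, hostnames and
process names below are constructed for the demo."""
from dataclasses import dataclass

# Services the report names, mapped to the role the backdoors give them.
SUSPECT_SERVICES = {"dropbox": "exfil/payload", "facebook": "c2", "simplenote": "c2"}
# Processes assumed to contact those services legitimately (tune per estate).
EXPECTED_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe", "dropbox.exe"}


@dataclass
class NetEvent:
    host: str               # destination hostname of the outbound connection
    process: str            # image name of the connecting process
    ui_locale: str          # OS display language, e.g. "ar-AE" (constructed field)
    winrar_installed: bool  # inventory fact; DropBook runs only when WinRAR is present


def classify(ev: NetEvent):
    """Return (role, reason) when the event fits the pattern, else None."""
    host = ev.host.lower()
    role = next((r for key, r in SUSPECT_SERVICES.items() if key in host), None)
    if role is None or ev.process.lower() in EXPECTED_PROCESSES:
        return None
    reasons = [f"{ev.process} -> {ev.host} ({role})"]
    # Context from the report: both backdoors check for Arabic, DropBook also for WinRAR.
    if ev.ui_locale.lower().startswith("ar"):
        reasons.append("arabic locale")
    if ev.winrar_installed:
        reasons.append("winrar present")
    return role, "; ".join(reasons)


def hunt(events):
    """Run classify over a telemetry batch and keep only the hits."""
    return [hit for hit in map(classify, events) if hit is not None]


# Constructed sample telemetry: three benign events and two that fit the pattern.
SAMPLE = [
    NetEvent("api.dropboxapi.com", "chrome.exe", "en-US", False),
    NetEvent("api.dropboxapi.com", "svchost.exe", "ar-AE", True),
    NetEvent("graph.facebook.com", "python.exe", "ar-EG", True),
    NetEvent("app.simplenote.com", "msedge.exe", "ar-SA", True),
    NetEvent("update.microsoft.com", "svchost.exe", "ar-AE", True),
]

if __name__ == "__main__":
    for role, reason in hunt(SAMPLE):
        print(f"[{role}] {reason}")
```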
Earlier this year, Cybereason discovered two backdoors from the same group, called Spark and Pierogi, that were used for targeted attacks, which led the team to follow the APT group’s operations and to discover the current campaign. The Gaza Cybergang itself is an umbrella term for an array of hacker groups and activities. Researchers at Israeli firm ClearSky have linked Molerats to the Palestinian political and militant group Hamas.