Between 29th April and 27th May, FireEye Labs identified several new Molerats attacks targeting at least one major U.S. financial institution and multiple European government organisations. These attacks were conducted by a group of Middle Eastern hackers in a recent cyber espionage campaign. The group – known as Molerats – has previously been linked with attacks against several targets in the Middle East and the United States in August 2013 during a campaign of Poison Ivy (PIVY) attacks.
According to FireEye, not all large-scale, targeted attacks utilising this off-the-shelf Remote Access Tool (RAT) should be automatically linked to Chinese threat actors. This activity is part of a much broader series of related attacks dating back to as early as October 2011 and is still ongoing. Previous research has linked these campaigns to Molerats, but with so much public attention focused on APT threat actors based in China, it’s easy to lose track of targeted attacks carried out by other threat actor groups based elsewhere.
New Attacks, Same Old Tactics
With the reuse of command and control (CnC) infrastructure and a similar set of TTPs, Molerats activity has been tracked and expanded to a growing target list, which includes Palestinian and Israeli surveillance targets; government departments in Israel, Turkey, Slovenia, Macedonia, New Zealand, Latvia, the U.S., and the UK; the Office of the Quartet Representative; the British Broadcasting Corporation (BBC); a major U.S. financial institution, as well as multiple European government organizations.
Previous Molerats campaigns have used several garden-variety, freely available backdoors such as CyberGate and Bifrost, but, most recently, FireEye has observed them making use of the PIVY and Xtreme RATs. Previous campaigns made use of at least one of three observed forged Microsoft certificates, allowing security researchers to accurately tie together separate attacks even if the attacks used different backdoors. There also appears to be a habitual use of lures or decoy documents – in either English or Arabic – with content focusing on active conflicts in the Middle East. The lures come packaged with malicious files that drop the Molerats’ flavour of the week, all of which are Xtreme RAT binaries in these most recent campaigns.
On 27th May, FireEye observed at least one victim downloading a malicious .ZIP file as the result of clicking on a shortened Google URL likely contained inside of a targeted spearphishing email which was sent to a well-known European government organisation. When clicking on the link, the victims would download a decoy document containing three images (a political cartoon and two edited photos), all negatively depicting former military chief Abdel Fattah el-Sisi. As of 29th May, the URL has been clicked 225 times by a variety of platforms and browser types, so the campaign was likely not limited to just one victim.
On 29th April, FireEye observed two unique malicious attachments being sent to two different victims via spearphishing emails. The malicious file was sent to both the financial institution and Ministry of Foreign Affairs targets and enclosed an Arabic language decoy document titled “Sisi.doc”, which appears to contain several copy/pasted excerpts from (now retired) Egyptian Major General Hossam Sweilem discussing military strategy and the Muslim Brotherhood. The title of the document appears to contain several Chinese characters, yet the entire body of the document is written in Arabic. As noted in our August 2013 blog post, this could possibly be a poor attempt to frame China-based threat actors for these attacks.
Another example is a malicious file only sent to a European government organisation, which drops an English language decoy document also titled “Sisi.doc”. However, this one appears to be an exact copy of a 23rd April Financial Times’ news article about the uncertainties surrounding former military chief Abdel Fattah el-Sisi running for president in the upcoming Egyptian elections.
FireEye was also able to identify five additional samples related to the 29th April attacks which carried an array of Authenticode certificates that were either attempted forgeries or self-signed. All of the additionally identified samples were sent to one of the same European government organisations mentioned previously.
Indicators of Compromise
Another attribute regularly exhibited by Molerats malware samples is that they are often archived inside of self-extracting RAR files and encoded with EXECryptor V2.2, along with several other legitimate-looking archived files.
Although the samples are all Xtreme RAT, all but two communicate over different TCP ports. Some samples transmit communications in clear text – a common tactic employed by adversaries to try to bypass firewall/proxy rules applying to communications over traditional web ports. These tactics, among several others mentioned previously, seem to indicate that Molerats are not only aware of security researchers’ efforts to track them, but are also attempting to avoid using any obvious, repeating patterns that could be used to more easily track endpoints infected with their malware.
Although a large number of attacks against FireEye’s customers appear to originate from China, FireEye is also tracking lesser-known actors targeting the same firms. Molerats campaigns seem to be limited to using only freely available malware; however, their growing list of targets and increasingly evolving techniques in subsequent campaigns are certainly noteworthy.