DropBook Backdoor Description
The DropBook Backdoor is one of the two backdoor threats being leveraged against high-ranking political figures and government officials in Egypt, the Palestinian Territories, Turkey, and the UAE by the hackers of the MoleRats APT (Advanced Persistent Threat). Operational since at least 2012, MoleRats have shown a lasting interest in the Middle East and North Africa regions. The hackers usually deploy phishing emails whose attached documents discuss significant events in the targeted regions, a lure that tricks users into downloading a compromised file.
The DropBook Backdoor is a Python-based threat compiled with PyInstaller. Once fully deployed, it can execute arbitrary commands, fetch and install additional programs and threatening payloads, and run shell commands supplied by the hackers. To confirm that it has landed on a suitable target, the DropBook Backdoor checks for the presence of the Arabic language on the compromised computer. The backdoor also refuses to start if it detects that WinRAR is not installed on the target. Among the additional payloads dropped by the DropBook Backdoor, infosec researchers identified the Quasar RAT remote-access framework. Quasar is a threatening tool: it offers cybercriminals an easy way to establish keylogging, eavesdropping, and data-harvesting routines on the infected system.
The MoleRats hackers have quickly incorporated the rising trend among threat actors of using legitimate cloud services and social platforms as part of the Command-and-Control (C2, C&C) infrastructure of their malware. Indeed, DropBook uses fake Facebook accounts or Simplenote as its communication channel with the C2, while it abuses Dropbox both as storage for the stolen user data and as a hosting service for the additional espionage payloads.
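C2 traffic that rides on Facebook, Simplenote and Dropbox blends into normal browsing, so blocking the domains is rarely an option; what a defender can do is ask which process on the endpoint is talking to those services and how much it uploads. The script below is an added example, not code from the original article or from any research team. It parses a constructed proxy-log format (the `host=/proc=/dst=/bytes_out=` layout, the process names and the `EXPECTED_CLIENTS` allowlist are all assumptions for this example), matches destinations by registrable-domain suffix against the services the page names, flags connections from processes that are not expected to use them, and sums the bytes each flagged process sent so that a large push to Dropbox stands out.

```python
import re
from collections import defaultdict

# Constructed log format for this example (not any real product's format):
#   <timestamp> host=<machine> proc=<process image> dst=<destination FQDN> bytes_out=<n>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) bytes_out=(?P<out>\d+)$"
)

# Services the page names as DropBook's C2 and storage channels, keyed by
# registrable domain. dropboxapi.com is Dropbox's API domain; the role labels are ours.
WATCHED_SERVICES = {
    "facebook.com": "C2 channel",
    "simplenote.com": "C2 channel",
    "dropbox.com": "exfiltration / payload hosting",
    "dropboxapi.com": "exfiltration / payload hosting",
}

# Assumption: the processes an organisation expects to contact these services.
EXPECTED_CLIENTS = {"chrome.exe", "firefox.exe", "msedge.exe", "dropbox.exe"}


def watched_service(fqdn: str):
    """Map a destination FQDN to (domain, role) by suffix match, or None."""
    fqdn = fqdn.lower().rstrip(".")
    for domain, role in WATCHED_SERVICES.items():
        if fqdn == domain or fqdn.endswith("." + domain):
            return domain, role
    return None


def flag_cloud_c2(lines, expected_clients=EXPECTED_CLIENTS):
    """Return (alerts, upload_totals).

    alerts: one dict per log line in which an unexpected process contacts a watched
    service. upload_totals: bytes_out summed per (host, proc) over the flagged lines,
    so a single endpoint pushing large volumes to Dropbox is visible at a glance.
    """
    alerts = []
    upload_totals = defaultdict(int)
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than crash the pipeline
        hit = watched_service(m["dst"])
        proc = m["proc"].lower()
        if hit is None or proc in expected_clients:
            continue
        domain, role = hit
        alerts.append({
            "ts": m["ts"],
            "host": m["host"],
            "proc": proc,
            "dst": m["dst"],
            "service": domain,
            "role": role,
            "bytes_out": int(m["out"]),
        })
        upload_totals[(m["host"], proc)] += int(m["out"])
    return alerts, dict(upload_totals)


# Constructed sample log: WS01 and WS03 are benign, WS02 shows the pattern of interest.
SAMPLE_LOG = [
    "2024-05-01T09:12:03Z host=WS01 proc=chrome.exe dst=www.facebook.com bytes_out=512",
    "2024-05-01T09:13:10Z host=WS02 proc=svc_updater.exe dst=graph.facebook.com bytes_out=2048",
    "2024-05-01T09:13:41Z host=WS02 proc=svc_updater.exe dst=content.dropboxapi.com bytes_out=5000000",
    "2024-05-01T09:14:05Z host=WS03 proc=dropbox.exe dst=content.dropboxapi.com bytes_out=900000",
    "2024-05-01T09:15:22Z host=WS02 proc=svc_updater.exe dst=app.simplenote.com bytes_out=300",
    "this line is deliberately malformed and must be skipped",
]


if __name__ == "__main__":
    found, totals = flag_cloud_c2(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} {a['host']} {a['proc']} -> {a['dst']} [{a['role']}] {a['bytes_out']} B")
    for (host, proc), total in totals.items():
        print(f"upload total {host}/{proc}: {total} bytes")
```

The allowlist is the weak point of this logic: an implant that injects into a browser process would pass it, so the upload-volume aggregation is kept as a second, process-independent signal. In a real deployment the expected-client set should come from an inventory rather than a hard-coded list.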