Reemerged MoleRats Cyber Campaign Hackers Evolve to Spread Poison Ivy Trojan Malware
MoleRats and Poison Ivy might sound like a combination for dealing with garden pests, but it is actually the recipe served up by hackers targeting several government organizations in a wave of data-theft cyber-attacks.
In this campaign the Poison Ivy remote access Trojan (RAT) was the main tool used to steal data from compromised systems. The target set was broad and included US and UK government organizations. Security researchers traced the campaign to the Gaza Hackers Team, which is now referred to as MoleRats in a recent FireEye research report.
Many of the attacks carried out in June and July 2013 against Israeli government targets used a Poison Ivy payload that connected to command and control servers operated by the MoleRats attackers. Some of the Poison Ivy samples used by the group were configured with key files instead of passwords, an unusual choice for an attack that makes the traffic harder to decode and the campaign harder to track.
Poison Ivy supports loading a .pik key file that holds the key used to encrypt communications between the control server and the compromised system. Without a key file, it derives the key from an ASCII password, which is simply 'admin' by default, a weakness that makes many Poison Ivy deployments easy to decode.
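To show why a key file changes the picture for defenders, here is an added example (not code from the page, from FireEye, or from Poison Ivy itself) that checks a captured Poison Ivy C2 handshake against candidate passwords and against a .pik key. It assumes the protocol details described in public analyses of the RAT: the 32-byte Camellia-256 key is the ASCII password padded with NUL bytes, or the raw contents of the .pik file; the implant opens a session with a 256-byte challenge and the controller replies with that challenge encrypted under the key with Camellia in ECB mode. The captured challenge, responses and .pik contents below are constructed, and the function and constant names are my own. The block uses the third-party `cryptography` package for Camellia.

```python
"""
Poison Ivy (PIVY) handshake key check.  Added example, not from the page or
from any PIVY tool.  Assumed protocol details: NUL-padded ASCII password or
raw .pik file -> 32-byte Camellia-256 key; implant sends a 256-byte
challenge, controller returns it Camellia-ECB encrypted under the key.
"""
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

DEFAULT_PASSWORD = "admin"   # PIVY default password
KEY_LEN = 32                 # Camellia-256 key size
CHALLENGE_LEN = 256          # assumed handshake challenge size


def key_from_password(password: str) -> bytes:
    """Derive the 32-byte key from an ASCII password (assumed PIVY rule:
    NUL-pad, truncate anything beyond 32 bytes)."""
    raw = password.encode("ascii")
    return raw[:KEY_LEN].ljust(KEY_LEN, b"\x00")


def key_from_pik(pik: bytes) -> bytes:
    """Treat a .pik file as the raw 32-byte key (assumption)."""
    if len(pik) != KEY_LEN:
        raise ValueError("unexpected .pik length: %d bytes" % len(pik))
    return pik


def camellia_ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """Camellia in ECB mode; data length must be a multiple of 16."""
    enc = Cipher(algorithms.Camellia(key), modes.ECB()).encryptor()
    return enc.update(data) + enc.finalize()


def controller_response(key: bytes, challenge: bytes) -> bytes:
    """What the controller sends back for a given challenge (assumed)."""
    return camellia_ecb_encrypt(key, challenge[:CHALLENGE_LEN])


def key_matches(key: bytes, challenge: bytes, response: bytes) -> bool:
    """True if the captured response is the challenge encrypted under key."""
    expected = camellia_ecb_encrypt(key, challenge[:CHALLENGE_LEN])
    return expected == response[:CHALLENGE_LEN]


def recover_password(challenge: bytes, response: bytes, candidates):
    """Wordlist attack on a password-keyed session; None if no candidate fits."""
    for pw in candidates:
        if key_matches(key_from_password(pw), challenge, response):
            return pw
    return None


# --- constructed sample captures (not real traffic) ---------------------
SAMPLE_CHALLENGE = bytes(range(CHALLENGE_LEN))       # constructed challenge
SAMPLE_PIK = bytes.fromhex(                          # constructed .pik contents
    "5f2a9c1e7b3d40e6a81c3f9d2e6b7a50c4d1e8f30a2b9c7d6e5f4a3b2c1d0e9f")

# Session 1: controller left on the default password.
PASSWORD_SESSION_RESPONSE = controller_response(
    key_from_password(DEFAULT_PASSWORD), SAMPLE_CHALLENGE)

# Session 2: controller configured with a .pik key file.
PIK_SESSION_RESPONSE = controller_response(
    key_from_pik(SAMPLE_PIK), SAMPLE_CHALLENGE)

WORDLIST = ["password", "123456", "admin", "poison", "ivy"]

if __name__ == "__main__":
    print("session 1 password:",
          recover_password(SAMPLE_CHALLENGE, PASSWORD_SESSION_RESPONSE, WORDLIST))
    print("session 2 password:",
          recover_password(SAMPLE_CHALLENGE, PIK_SESSION_RESPONSE, WORDLIST))
    print("session 2 matches .pik:",
          key_matches(key_from_pik(SAMPLE_PIK), SAMPLE_CHALLENGE, PIK_SESSION_RESPONSE))
```

The wordlist recovers the default-password session immediately, while the .pik-keyed session yields nothing without the key file itself: a 256-bit random key cannot be guessed, which is exactly why a key file makes the traffic harder to decode than a short password.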
Researchers have suggested that the use of Poison Ivy by the MoleRats hackers is an unexpected change for them, and the reason for the shift remains a mystery. Some have suggested the move could be more political than technical: Poison Ivy is a tool traditionally favored by Chinese hacking groups, so the change may be an intentional attempt by MoleRats to deflect attribution toward China-based malware threat activity.
Even though MoleRats have only changed direction slightly, the aggressive way they are using Poison Ivy against entities around the world suggests they will continue to evolve and become more organized in their attack methods. Their current campaign is one of many targeting businesses with advanced cyber threats. MoleRats is the latest addition to a long list of focused cyber-attack groups whose previous attacks have, over many years, collectively cost over 508,000 US citizens their jobs.
This is one case where the 'Poison' becomes the MoleRats' candy as they look for new and creative ways to orchestrate sophisticated attacks around the world.