Molerats

By GoldSparrow in Backdoors

The Molerats hacking group is an APT (Advanced Persistent Threat) that is believed to originate from Palestine. The Molerats group is also known under the alias Gaza Cybergang. It is likely that the Molerats group has been active since 2012. This hacking group appears to be exclusively politically motivated, as none of its campaigns seem to aim at personal gain of any kind. The Molerats group is highly experienced and tends to go after high-profile targets. Some of the more notable targets of the Molerats hacking group include:

  • The BBC (The British Broadcasting Corporation).
  • Various United States banks.
  • Government bodies located in Palestine, Israel, the United Kingdom, New Zealand, Turkey and Macedonia.
  • Government-linked organizations in a variety of European nations.

The Molerats hacking group appears to rely on RATs (Remote Access Trojans) to carry out its harmful campaigns. One of the favored RATs in the hacking arsenal of the Molerats group is called PoisonIvy. In its early years, the Molerats hacking group appeared to rely mainly on PoisonIvy for its operations. Later on, the hacking group expanded its arsenal by adding various public tools. This allowed the Molerats group to plant additional malware on compromised systems, steal sensitive information like login credentials, and collect data about the network infrastructure of the target.

The backdoor that MoleRATs use is called Spark or EnigmaSpark. It was recently used as part of a phishing campaign that appears to be the work of MoleRATs, who are part of the Gaza Cybergang. MoleRATs is the threat actor behind Operation SneakyPasters, which used GitHub and PasteBin to host and spread malware.

There are signs that the group has used the Spark backdoor since at least March 2017. In that time, the group has deployed various versions of the backdoor that connect to up to 15 command and control centers. There may be more command and control centers that have yet to be discovered.

Researchers across multiple agencies have tracked campaigns from MoleRATs and analyzed the tactics, malware, and overall infrastructure of the attacks. When scrutinized, it’s evident that the attacks all have something in common and are from the same group.

How the MoleRATs Hide

MoleRATs attempt to hide signs of infection with Enigma Protector. Enigma Protector is a legitimate software tool used to protect executable files so they can’t be copied, hacked, modified, or analyzed.

The attacks appear to be politically motivated. The targets of the campaign and the messages used in the social engineering aspect of the attack all relate to politics. The attack focuses on Arabic speakers with an interest in Palestine and the Palestinian peace plan.

The Spark backdoor uses an infection chain that starts with a malicious Microsoft Word document. This document is written in Arabic and emailed to potential victims. MoleRATs use several methods, including language checks, to ensure that the emails only reach intended targets. Using this tactic is another way that they avoid detection. The email urges readers to download and access the document, which then asks users to enable content.

Recently, the Molerats hacking group has been making sure that their campaigns are very concentrated on a particular demographic so that their threats do not compromise unintended targets. The group has developed several methods of checking whether the infected system matches the criteria it has set. In some of the more recent campaigns involving the Spark backdoor Trojan and the EnigmaSpark threat, the Molerats group made sure to deploy its malware only on systems that have Arabic set as the default language.

The Common Denominator Linking It All Together

An investigation by X-Force (IRIS) showed that the attackers used the same packing technique alongside other binaries in other attacks. The researchers noticed that the file produced by unpacking "runawy.exe" was the same as "blaster.exe." Blaster is a binary delivered by an executable file covered by Themida. Themida is another legitimate tool used to protect executable files against inspection and modification, similar to Enigma Protector.

Several files were discovered through a single common factor; they all used the unique string "S4.4P" and the same "tg1678A4" cryptographic certificate signer. The files in question are Blaster.exe, Runawy.exe, HelpPane.exe, Wordeditor.exe, and tasmanager.exe.
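The two artifacts named above, the "S4.4P" string and the "tg1678A4" signer name, are the kind of indicator a defender can sweep for on disk. The following scanner is an added example written for this page, not code from the article or from the researchers it cites; it treats a raw byte search for the signer name (in ASCII and UTF-16LE, the encodings Authenticode certificate tables commonly use) as a heuristic rather than a full signature parse.

```python
from pathlib import Path

# Indicators quoted in the article: the string shared by the samples and
# the certificate signer name they have in common.
ARTIFACT_STRING = b"S4.4P"
SIGNER_NAME = "tg1678A4"


def _encodings(text: str) -> list:
    # Signer names inside a PE certificate table are usually stored as
    # ASCII/UTF-8 or UTF-16LE, so check both encodings (heuristic).
    return [text.encode("ascii"), text.encode("utf-16-le")]


def scan_bytes(data: bytes) -> dict:
    """Report which of the article's artifacts appear in a file's raw bytes."""
    return {
        "is_pe": data[:2] == b"MZ",
        "has_s44p": ARTIFACT_STRING in data,
        "has_signer": any(enc in data for enc in _encodings(SIGNER_NAME)),
    }


def is_suspicious(data: bytes) -> bool:
    """Flag only PE files (MZ header) carrying at least one indicator."""
    hit = scan_bytes(data)
    return hit["is_pe"] and (hit["has_s44p"] or hit["has_signer"])


def scan_tree(root: str) -> list:
    """Walk a directory tree and list the files worth a closer look."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: skip, do not abort the sweep
        if is_suspicious(data):
            hits.append(str(path))
    return hits


if __name__ == "__main__":
    # Constructed sample: a fake PE header followed by the signer name in UTF-16LE.
    sample = b"MZ" + b"\x00" * 62 + SIGNER_NAME.encode("utf-16-le")
    print(scan_bytes(sample))
```

A hit on either indicator is a triage lead, not a verdict; confirm by unpacking the sample and inspecting its real signature chain.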

Blaster and Runawy used the same fake host header trick, but with different real destinations. While Runawy connects to "nysura.com," Blaster connects to "webtutorialz.com."
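A fake Host header is visible to anyone who can compare the HTTP Host value against the real destination (from DNS or TLS SNI). The script below is an added example for this page, not the article's or the researchers' code; the proxy log lines are constructed, the decoy Host values are invented placeholders, and only the two destinations quoted above come from the article.

```python
import csv
import io

# C2 destinations named in the article.
KNOWN_C2 = {"nysura.com", "webtutorialz.com"}

# Constructed proxy log: time, client, real destination (DNS/SNI), Host header.
SAMPLE_LOG = """\
ts,client,dst_domain,host_header
2020-02-01T10:00:01,10.0.0.5,nysura.com,cdn.example-decoy.com
2020-02-01T10:00:07,10.0.0.5,webtutorialz.com,www.example-decoy.com
2020-02-01T10:01:12,10.0.0.9,www.example.com,www.example.com
2020-02-01T10:02:45,10.0.0.9,static.example.net,example.net
"""


def normalize(host: str) -> str:
    """Drop the port and a leading "www." so trivially equivalent names match."""
    host = host.lower().split(":")[0]
    return host[4:] if host.startswith("www.") else host


def analyze(log_text: str) -> list:
    """Flag requests to known C2 or whose Host header disagrees with the destination."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        dst = normalize(row["dst_domain"])
        hdr = normalize(row["host_header"])
        known = dst in KNOWN_C2
        mismatch = dst != hdr
        if known or mismatch:
            findings.append({
                "client": row["client"],
                "dst": dst,
                "host_header": hdr,
                # A known C2 match outranks the weaker mismatch heuristic.
                "reason": "known_c2" if known else "host_mismatch",
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Host/destination mismatches also occur legitimately (CDN fronting, virtual hosting), so baseline the mismatch rule per environment and treat the known-C2 rule as the high-confidence alert.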

Researchers from several companies have connected the Spark backdoor to MoleRATs. MoleRATs are known for using malware they find on hacker forums as part of their attacks. The idea of ransomware as a service (RaaS) and malware as a service (MaaS) is one reason there have been so many attacks in recent months. Hackers can buy tools and deploy them without having to make them.

Many experienced APTs do not use public tools in their campaigns. Instead, they tend to develop their own hacking tools. However, this is not the case with the Molerats group. This hacking group does not shy away from utilizing public tools in its operations. This means that the Molerats group has a very wide variety of hacking tools at its disposal.
