SharpStage Backdoor Description
The MoleRats Advanced Persistent Threat (APT) group has launched a new threatening campaign within their usual area of operations, the Middle East and North Africa. More specifically, the targets observed to be attacked in this operation are high-ranking political figures and government officials in Egypt, the Palestinian Territories, Turkey, and the UAE. MoleRats are also adhering to their pattern of exploiting significant regional events as lures for their phishing emails. What caught the attention of infosec researchers is the deployment of two new backdoor tools, one of which they named the SharpStage Backdoor.
The SharpStage Backdoor is a potent backdoor threat written in .NET that shows signs of still being under active development. So far, researchers have uncovered three distinct iterations of the threatening tool, with the latest one possessing the capabilities of executing arbitrary commands, harvesting sensitive data, taking screenshots, and exfiltrating all of the gathered information. To ensure that the malware initiates only on the appropriate targets, the MoleRats hackers implemented a measure that checks if the infected computer has the Arabic language installed and terminates its execution if the check returns a negative result.
The SharpStage Backdoor has been observed to download additional threatening payloads onto the compromised computer, including the Quasar RAT remote-access framework. Although Quasar RAT is a legitimate Windows tool when viewed in a vacuum, it cannot be denied that multiple cybercriminal gangs have already incorporated it as part of their operations. After all, Quasar RAT allows them to initiate keylogging, data harvesting, eavesdropping and other threatening processes easily.
The MoleRats APT has also adapted quickly to the growing trend among hackers that sees such threat actors using legitimate social media platforms and cloud services as part of their malware Command-and-Control (C2, C&C) structures or data-exfiltration routines. The SharpStage Backdoor, in particular, downloads and exfiltrates data by taking advantage of a Dropbox client API that can communicate with Dropbox through a token.
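Because the backdoor reaches Dropbox through the ordinary client API, its traffic is indistinguishable from legitimate Dropbox use at the network layer; what stands out is which process is talking to those hosts. The following detection is an added example written for this page, not code from the original write-up or from any of the researchers who analysed SharpStage. It runs over constructed, Sysmon-style network-connection records flattened to one line each, and flags any process other than the Dropbox desktop client that connects to the Dropbox API hosts. The field names, the sample paths and the allowlist of expected processes are assumptions for illustration.

```python
"""Added example (not part of the original write-up): flag Dropbox API
traffic that originates from a process other than the Dropbox client.

The records below are constructed to resemble Sysmon Event ID 3 (network
connection) events flattened to one "Key=Value" line each. The field
names and the process allowlist are assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Public Dropbox HTTP API endpoints (metadata and content uploads/downloads).
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}

# Assumed allowlist: only the Dropbox desktop client is expected to reach
# these hosts. A freshly dropped binary in a user profile doing so is worth a look.
EXPECTED_PROCESSES = {r"c:\program files (x86)\dropbox\client\dropbox.exe"}

# Constructed sample data: one benign Dropbox client connection, one Windows
# Update connection, and two unknown executables using the Dropbox API.
SAMPLE_EVENTS = [
    "Image=C:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe "
    "DestinationHostname=api.dropboxapi.com DestinationPort=443 User=CORP\\alice",
    "Image=C:\\Users\\alice\\AppData\\Roaming\\update.exe "
    "DestinationHostname=content.dropboxapi.com DestinationPort=443 User=CORP\\alice",
    "Image=C:\\Windows\\System32\\svchost.exe "
    "DestinationHostname=ctldl.windowsupdate.com DestinationPort=80 User=NT AUTHORITY\\SYSTEM",
    "Image=C:\\Users\\alice\\AppData\\Local\\Temp\\stage.exe "
    "DestinationHostname=api.dropboxapi.com DestinationPort=443 User=CORP\\alice",
]

# Matches "Key=Value" pairs where a value may contain spaces (e.g. "Program Files")
# and ends just before the next " Key=" or at the end of the line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


@dataclass
class Finding:
    image: str
    host: str
    user: str


def parse_event(line: str) -> dict:
    """Turn one flattened event line into a field dictionary."""
    return dict(FIELD_RE.findall(line))


def find_suspicious_dropbox_traffic(lines) -> list:
    """Return a Finding for every connection to a Dropbox API host that was
    made by a process not on the expected-process allowlist."""
    findings = []
    for line in lines:
        event = parse_event(line)
        host = event.get("DestinationHostname", "").lower()
        image = event.get("Image", "")
        if host in DROPBOX_API_HOSTS and image.lower() not in EXPECTED_PROCESSES:
            findings.append(Finding(image=image, host=host, user=event.get("User", "")))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_dropbox_traffic(SAMPLE_EVENTS):
        print(f"unexpected Dropbox API client: {f.image} -> {f.host} (user {f.user})")
```

Path comparison is case-folded because Windows paths are case-insensitive and different log sources normalise them differently. In a real deployment the allowlist would be tuned per environment, and a match should be enriched with the binary's signer and creation time before it is escalated, since an unsigned .NET executable that appeared minutes before its first Dropbox connection fits the behaviour described above far better than a long-installed sync tool.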