Cybereason has announced that it has identified an active espionage campaign employing three previously unidentified malware variants. The newly discovered operation uses Facebook, Dropbox, Google Docs and Simplenote for command and control in order to directly target victims’ computers for exfiltration of sensitive data, said the company.
Cybereason attributes the espionage campaign to Molerats (aka The Gaza Cybergang), an Arabic-speaking, politically motivated APT group that has operated in the Middle East since 2012. Earlier this year, Cybereason researchers reported the discovery of the Spark and Pierogi backdoors that were assessed to be part of targeted attacks executed by Molerats against Palestinian officials.
This latest campaign leverages two previously unidentified backdoors dubbed SharpStage and DropBook, as well as a downloader dubbed MoleNet. The campaign leverages phishing documents that include various themes related to current Middle Eastern events, including a reportedly clandestine meeting between the His Royal Highness Mohammed bin Salman, Crown Prince of Saudi Arabia, the US Secretary of State Mike Pompeo and Israeli Prime Minister Benjamin Netanyahu.
“While it’s no surprise to see threat actors take advantage of politically charged events to fuel their phishing campaigns, it is concerning to see an increase in social media platforms being used for issuing command and control instructions and other legitimate cloud services being used for data exfiltration activities,” said Lior Div, Cybereason Co-Founder and CEO. “This puts the onus even more on the defenders to be hypervigilant with regard to potentially malicious network traffic connecting to legitimate services, and it underscores the need to adopt an operation-centric approach to expose these more subtle indicators of behaviour. Uncontextualised alerts won’t uncover a stealthy attack like this, that’s why Cybereason enables security teams to be operation-centric instead of alert-centric, so they can quickly make correlations across seemingly unrelated events on the network and beyond.”
Discussion about this post