Molerats

Molerats is an Arabic-speaking, politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States.[1][2][3][4]

ID: G0021
Associated Groups: Operation Molerats, Gaza Cybergang
Version: 2.1
Created: 31 May 2017
Last Modified: 11 April 2024

Associated Group Descriptions

Name: Operation Molerats
Description: [5][4]

Name: Gaza Cybergang
Description: [1][3][4]

Techniques Used

Domain ID Name Use
Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Molerats used the public tool BrowserPasswordDump10 to dump passwords saved in browsers on victims.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Molerats decompresses ZIP files once on the victim machine.[3]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Molerats saved malicious files within the AppData and Startup folders to maintain persistence.[3]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Molerats used PowerShell implants on target machines.[3]

.005 Command and Scripting Interpreter: Visual Basic

Molerats used various implants, including those built with VBScript, on target machines.[3][6]

.007 Command and Scripting Interpreter: JavaScript

Molerats used various implants, including those built with JS, on target machines.[3]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Molerats has delivered compressed executables within ZIP files to victims.[3]

Enterprise T1204 .001 User Execution: Malicious Link

Molerats has sent malicious links via email to trick users into opening a RAR archive and running an executable.[3][6]

.002 User Execution: Malicious File

Molerats has sent malicious files via email that tricked users into clicking Enable Content to run an embedded macro and to download malicious archives.[3][6][4]

Enterprise T1218 .007 System Binary Proxy Execution: Msiexec

Molerats has used msiexec.exe to execute an MSI payload.[6]

Enterprise T1105 Ingress Tool Transfer

Molerats used executables to download malicious files from different sources.[3][6]

Enterprise T1057 Process Discovery

Molerats actors obtained a list of active processes on the victim and sent them to C2 servers.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Molerats has sent phishing emails with malicious Microsoft Word and PDF attachments.[3][6][4]

.002 Phishing: Spearphishing Link

Molerats has sent phishing emails with malicious links included.[3]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Molerats has created scheduled tasks to persistently run VBScripts.[6]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Molerats has used forged Microsoft code-signing certificates on malware.[5]

Software

ID Name References Techniques
S0547 DropBook [4] Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, System Location Discovery: System Language Discovery, System Information Discovery, Web Service, Ingress Tool Transfer, Exfiltration Over Web Service
S0062 DustySky [1][2][3] Windows Management Instrumentation, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Fallback Channels, Peripheral Device Discovery, Screen Capture, Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, Data Staged: Local Data Staging, File and Directory Discovery, Lateral Tool Transfer, Obfuscated Files or Information, Indicator Removal: File Deletion, System Information Discovery, Software Discovery, Software Discovery: Security Software Discovery, Input Capture: Keylogging, Process Discovery, Exfiltration Over C2 Channel, Replication Through Removable Media
S0553 MoleNet [4] Windows Management Instrumentation, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, System Information Discovery, Software Discovery: Security Software Discovery, Ingress Tool Transfer
S0012 PoisonIvy [1][2][5] Rootkit, Data from Local System, Modify Registry, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Active Setup, Command and Scripting Interpreter: Windows Command Shell, Application Window Discovery, Execution Guardrails: Mutual Exclusion, Data Staged: Local Data Staging, Obfuscated Files or Information, Ingress Tool Transfer, Input Capture: Keylogging, Process Injection: Dynamic-link Library Injection
S0546 SharpStage [4] Windows Management Instrumentation, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Screen Capture, System Location Discovery: System Language Discovery, System Information Discovery, Web Service, Ingress Tool Transfer, Scheduled Task/Job: Scheduled Task
S0543 Spark [6][4] Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, Data Encoding: Standard Encoding, Obfuscated Files or Information: Software Packing, System Location Discovery: System Language Discovery, System Information Discovery, System Owner/User Discovery, Virtualization/Sandbox Evasion: User Activity Based Checks, Exfiltration Over C2 Channel

References