Ugg Boots 4 Sale: A Tale of Palestinian-Aligned Espionage | Proofpoint US

TA402, a Palestinian-aligned APT, has deployed NimbleMamba, a new implant intended to replace LastConn, in targeted Middle East campaigns. The operation blends geofenced links, actor-controlled domains, and Dropbox-based C2/exfiltration with redirects to legitimate sites to evade detection. #NimbleMamba #TA402 #Molerats #LastConn #BrittleBush #uggboots4sale

Key Points

  • TA402 (Molerats) has introduced NimbleMamba, likely a replacement for LastConn, and is actively updating implants and delivery methods.
  • The attack chain uses geofencing and URL redirects to legitimate sites to bypass detection.
  • Campaigns in late 2021 targeted Middle Eastern governments, think tanks, and a state-affiliated airline with three variations of the chain.
  • NimbleMamba is delivered via RAR files containing NimbleMamba and often BrittleBush; it is written in C# and obfuscated with SmartAssembly.
  • The malware uses guardrails (region checks and Arabic language pack) and Dropbox API for C2/exfiltration, complicating analysis.
  • NimbleMamba’s configuration is retrieved from JustPasteIt, with a time-synchronized timestamp used to build download URLs.
  • BrittleBush is a secondary Trojan delivered with NimbleMamba, communicating via easyuploadservice.com and using base64-encoded JSON commands.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – “In the recently observed campaigns, TA402 used spear phishing emails containing links that often lead to malicious files.”
  • [T1036] Masquerading – “masqueraded as the Quora website while using an actor-controlled Gmail account with an actor-controlled domain.”
  • [T1105] Ingress Tool Transfer – “the malicious URL … would be redirected to the RAR file download containing the latest TA402 implant, NimbleMamba.”
  • [T1027] Obfuscated/Compressed Files and Information – “NimbleMamba is written in C# and delivered as an obfuscated .NET executable using third-party obfuscators.”
  • [T1113] Screen Capture – “Functionalities include capturing screenshots …”
  • [T1056.001] Input Capture – “obtaining process information from the computer. Additionally, it can detect user interaction, such as looking for mouse movement.”
  • [T1567.002] Exfiltration to Cloud Storage – “NimbleMamba uses the Dropbox API for both command and control as well as exfiltration.”

Indicators of Compromise

  • [Domain] uggboots4sale.com – Actor-owned domain used for NimbleMamba delivery.
  • [Domain] easyuploadservice.com – C2 domain used by BrittleBush.
  • [Domain] emaratalyoumcom.wordpress.com – WordPress redirect domain impersonating a news site, used in one of the attack-chain variations.
  • [SHA256] 430c12393a1714e3f5087e1338a3e3846ab62b18d816cc4916749a935f8dab44 – NimbleMamba Sample 1 (Dec 2021 / Jan 2022).
  • [SHA256] c61fcd8bed15414529959e8b5484b2c559ac597143c1775b1cec7d493a40369d – NimbleMamba Sample 2 (Nov 2021).
  • [SHA256] 925aff03ab009c8e7935cfa389fc7a34482184cc310a8d8f88a25d9a89711e86 – Additional NimbleMamba Sample found (Oct 2021).
  • [SHA256] 2e4671c517040cbd66a1be0f04fb8f2af7064fef2b5ee5e33d1f9d347e4c419f – BrittleBush Sample.

Read more: https://www.proofpoint.com/us/blog/threat-insight/ugg-boots-4-sale-tale-palestinian-aligned-espionage