MoleRats Abuses Public Cloud Infrastructure

An espionage campaign has been linked to the threat actor known as Molerats in the Middle east that abuses legitimate cloud services like Google Drive and Dropbox to host malware payloads and C2C and the exfiltration of data from targets.

Molerats, also tracked as TA402, is an APT group that’s largely focused on entities operating in the Middle East. Attack activity associated with the actor has leveraged geopolitical and military themes to entice users to open Microsoft Office attachments and click on malicious links.

The latest campaign is no different in that it makes use of decoy themes related to ongoing conflicts between Israel and Palestine to deliver a .NET backdoor on infected systems that, in turn, abuses the Dropbox API to establish communications with an adversary-controlled server and transmit data.

The implant, which uses specific command codes to commandeer the compromised machine, supports capabilities to take snapshots, list and upload files in relevant directories, and run arbitrary commands. Investigating the attack infrastructure, the researchers said they found at least five Dropbox accounts used for this purpose.

The targets in this campaign were chosen specifically by the threat actor and they included critical members of banking sector in Palestine, people related to Palestinian political parties, as well as human rights activists and journalists in Turkey,

Indicators of Compromise

IP Details

• 45.63.49[.]202
• 23.94.218[.]221
• 185.244.39[.]165

Domains

• msupdata[.]com
• http://www.msupdate[.]com

More details published by ZScaler