Hamas Backed Molerats comes with new Implant

A cyberespionage group dubbed Molerats aka TA402 linked in the past to the Palestinian terrorist organization Hamas came after a brief break with enhanced tools and capabilities

Even after multiple suppression and takedowns , the group seems to not stop its activities instead striking again with the powerful tools . Now in a latest improvement the group has seen replacing implant named LastConn with NimbleMamba . Researchers see a slight overlap in codes that’s been used.

NimbleMamba has the traditional capabilities of an intelligence-gathering trojan and is likely designed to be the initial access. Functionalities include capturing screenshots and obtaining process information from the computer. Additionally, it can detect user interaction, such as looking for mouse movement. The malware has been delivered both via malicious websites and Dropbox the file sharing service has also been abused for command and control (C&C) and file exfiltration.

In specific cases, NimbleMamba uses guardrails to ensure that it only infects devices in specified countries in the Middle East and Africa.

NimbleMamba is actively being developed, is well-maintained, and designed for use in highly targeted intelligence collection campaigns. The malware also contains multiple capabilities designed to complicate both automated and manual analysis.

Indicators of Compromise

• 46e03f21a95afa321b88e44e7e399ec3
• 5c87b653db4cc731651526f9f0d52dbb
• 105885d14653932ff6b155d0ed64f926
• 601107fc8fef440defd922f00589e2e9
• 9939bf80b7bc586776e45e848ec41946
• 054e18a1aab1249f06a4f3e661e3f38a
• e72d18b78362e068d0f3afa040df6a4c
• ebc98d9c96065c8f1c0f4ce445bf507b
• c7271b91d190a730864cd149414e8c43
• 00d7f155f1a9b29be2c872c6cad40026
• 2dc3ef988adca0ed20650c45735d4160
• a52f1574e4ee4483479e9356f96ee5e3
• b9ad53066ab218e40d61b299bd2175ba
• f054f1ccc2885b45a71a1bcd0dd711be
• b7373b976bbdc5356bb89e2cba1540cb
• a52f1574e4ee4483479e9356f96ee5e3
• 8884b0d29a15c1b6244a6a9ae69afa16
• 270ee9d4d22ca039539c00565b20d2e7
• 8debf9b41ec41b9ff493d5668edbb922
• d56a4865836961b592bf4a7addf7a414
• a52f1574e4ee4483479e9356f96ee5e3
• 59368e712e0ac681060780e9caa672a6
• a52f1574e4ee4483479e9356f96ee5e3
• 99fed519715b3de0af954740a2f4d183
• 8debf9b41ec41b9ff493d5668edbb922
• bd14674edb9634daf221606f395b1e1d
• a52f1574e4ee4483479e9356f96ee5e3
• 04d17caf8be87e68c266c34c5bd99f48
• c7271b91d190a730864cd149414e8c43
• 217943eb23563fa3fff766c5ec538fa4
• a52f1574e4ee4483479e9356f96ee5e3
• fef0ec9054b8eff678d3556ec38764a6
• a52f1574e4ee4483479e9356f96ee5e3
• 32cc7dd93598684010f985d1f1cea7fd
• a52f1574e4ee4483479e9356f96ee5e3
• 1dc3711272f8e9a6876a7bccbfd687a8
• f054f1ccc2885b45a71a1bcd0dd711be
• da1d640dfcb2cd3e0ab317aa1e89b22a
• 31d07f99c865ffe1ec14c4afa98208ad
• b5e0eb9ca066f5d97752edd78e2d35e7
• a52f1574e4ee4483479e9356f96ee5e3
• b65d62fcb1e8f7f06017f5f9d65e30e3
• a52f1574e4ee4483479e9356f96ee5e3
• 933ffc08bcf8152f4b2eeb173b4a1e26
• 4ae0048f67e878fcedfaff339fab4fe3
• 1478906992cb2a8ddd42541654e9f1ac
• 31d07f99c865ffe1ec14c4afa98208ad
• 33b4238e283b4f6100344f9d73fcc9ba
• 4ae0048f67e878fcedfaff339fab4fe3
• 1f8178f9d82ac6045b6c7429f363d1c5
• 4ae0048f67e878fcedfaff339fab4fe3
• c7d19e496bcd81c4d16278a398864d60
• 4ae0048f67e878fcedfaff339fab4fe3
• 1bae258e219c69bb48c46b5a5b7865f4
• 4ae0048f67e878fcedfaff339fab4fe3
• 547334e75ed7d4eea2953675b07986b4
• 4ae0048f67e878fcedfaff339fab4fe3

Associated IPs

• 45.63.49[.]202
• 23.94.218[.]221
• 185.244.39[.]165

Associated domains

• msupdata[.]com
• http://www.msupdate[.]com