The return of TA402 Molerats APT after a short pause

TA402 APT group (aka Molerats and GazaHackerTeam) is back after two-month of silence and is targeting governments in the Middle East.

The TA402 APT group (aka Molerats and Gaza Cybergang) is back after a two-month of apparent inactivity, it is targeting government institutions in the Middle East and global government entities with interest in the region.

MoleRATs is an Arabic-speaking, politically motivated group of hackers that has been active since 2012, in 2018 monitoring the operation of the group, Kaspersky identified different techniques utilized by very similar attackers in the MENA region. Kaspersky distinguished the following three attack groups operating under Gaza Cybergang umbrella:

• Gaza Cybergang Group1 (classical low-budget group), also known as MoleRATs;
• Gaza Cybergang Group2 (medium-level sophistication) with links to previously known Desert Falcons;
• Gaza Cybergang Group3 (highest sophistication) whose activities previously went by the name Operation Parliament.

Most of the victims of the threat actor were located in Israel and Palestine, they belong to multiple industries including governments, telecommunications, finance, military, universities, and technology.

In the last spear-phishing campaign conducted by the group, the threat actors used emails in Arabic language containing either malicious links or PDF attachments. The lure is usually based on a geopolitical topic related to the situation in the Middle East, especially the Gaza conflict. Some of the lure themes used by the attackers include “A delegation from Hamas meets with the Syrian regime” and “Hamas member list”. 

In the attacks that were uncovered in June, TA402 employed a PDF attachment with one or multiple geofenced URLs leading to password-protected archives that contained the malware. With this mechanism, the recipients that were not a potential target of the group were diverted to a benign decoy website, like Al Akhbar and Al Jazeera websites.

“The password protection of the malicious archive and the geofenced delivery method are two easy anti-detection mechanisms threat actors can use to bypass automatic analysis products,” the researchers said.

The malicious code used in the last attacks is a custom backdoor dubbed LastConn, which seems to be an evolution of the SharpStage backdoor that was detailed by Cybereason in December 2020.

“LastConn malware is specifically targeted at computers with an Arabic language pack installed to ensure it only infects specific targets. It uses Dropbox for all command and control (C2) capabilities and infrastructure. Proofpoint researchers assess LastConn is very actively developed and maintained malware. It features multiple capabilities that attempt to prevent both automated and manual malware analysis.” reads the analysis published by Proofpoint.

The backdoor allows the attackers to run arbitrary commands and capturing screenshots, then exfiltrate gathered data to Dropbox.

“TA402 is a highly effective and capable threat actor that remains a serious threat, especially to entities operating in and working with government or other geopolitical entities in the Middle East,” the researchers conclude. “It is likely TA402 continues its targeting largely focused on the Middle East region.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]