Pierluigi Paganini February 13, 2020

Security experts uncovered a new cyberespionage campaign conducted by one of the Gaza Cybergang groups (aka MoleRATs) targeting the Middle East.

Experts from the Cybereason Nocturnus team have uncovered a cyber espionage campaign allegedly carried out by one of the Gaza Cybergang groups (aka MoleRATs). 

MoleRATs is an Arabic-speaking, politically motivated group of hackers that has been active since 2012, in 2018 monitoring of the group, Kaspersky identified different techniques utilized by very similar attackers in the MENA region. Kaspersky distinguished the following three attack groups operating under Gaza Cybergang umbrella:

• Gaza Cybergang Group1 (classical low-budget group), also known as MoleRATs;
• Gaza Cybergang Group2 (medium-level sophistication) with links to previously known Desert Falcons;
• Gaza Cybergang Group3 (highest sophistication) whose activities previously went by the name Operation Parliament.

As part of the last campaign spotted by Cybereason, MoleRATs has been attempting to infiltrate the systems of both organizations and individuals.

Experts distinguish between two separate campaigns happening simultaneously that were using differed hacking tools, C2 infrastructure.

The first campaign dubbed the Spark Campaign employs social engineering to infect victims with the Spark backdoor. Most of the victims were from the Palestinian territories.

“This backdoor first emerged in January 2019 and has been continuously active since then. The campaign’s lure content revolves around recent geopolitical events, espeically the Israeli-Palestinian conflict, the assassination of Qasem Soleimani, and the ongoing conflict between Hamas and Fatah Palestinian movements.” states the report from Cybereason.

According to the experts, the Spark backdoor was specifically designed my MoleRATs to gather system information on an infected machine. 

Spark will also infect victims with Arabic keyboard and language settings.

The second campaign was tracked by the experts as the Pierogi Campaign, it employes social engineering attacks to trick victims into installing an undocumented backdoor dubbed Pierogi.

“This backdoor first emerged in December 2019, and was discovered by Cybereason. In this campaign, the attackers use different TTPs and decoy documents reminiscent of previous campaigns by MoleRATs involving the Micropsia and Kaperagent malware.” states the report.

The name ‘Pierogi’ comes after an Eastern European dish, it is a simple Delphi backdoor that was allegedly created by Ukranian-speaking hackers. 

The experts did not attribute the attack to a specific state, even if the apparent political motivation suggests the involvement of a nation-state actor. 

“It is important to remember there are many threat actors operating in the Middle East, and often there are overlaps in TTPs, tools, motivation, and victimology,” concludes the report. “There have been cases in the past where a threat actor attempted to mimic another to thwart attribution efforts, and as such, attribution should rarely be taken as is, but instead with a grain of salt.” 

Additional details, including Indicators of Compromise and MITRE ATT&CK breakdown, are included in the report published by Cybereason.

Pierluigi Paganini

(SecurityAffairs – MoleRATs, )

[adrotate banner=”5″]

[adrotate banner=”13″]