Skip to content

G0021 Molerats

Molerats is an Arabic-speaking, politically-motivated threat group that has been operating since 2012. The group’s victims have primarily been in the Middle East, Europe, and the United States.1234

Item Value
ID G0021
Associated Names Operation Molerats, Gaza Cybergang
Version 2.0
Created 31 May 2017
Last Modified 27 April 2021
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
Operation Molerats 54
Gaza Cybergang 134

Techniques Used

Domain ID Name Use
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Molerats saved malicious files within the AppData and Startup folders to maintain persistence.3
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Molerats used PowerShell implants on target machines.3
enterprise T1059.005 Visual Basic Molerats used various implants, including those built with VBScript, on target machines.36
enterprise T1059.007 JavaScript Molerats used various implants, including those built with JS, on target machines.3
enterprise T1555 Credentials from Password Stores -
enterprise T1555.003 Credentials from Web Browsers Molerats used the public tool BrowserPasswordDump10 to dump passwords saved in browsers on victims.1
enterprise T1140 Deobfuscate/Decode Files or Information Molerats decompresses ZIP files once on the victim machine.3
enterprise T1105 Ingress Tool Transfer Molerats used executables to download malicious files from different sources.36
enterprise T1027 Obfuscated Files or Information Molerats has delivered compressed executables within ZIP files to victims.3
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment Molerats has sent phishing emails with malicious Microsoft Word and PDF attachments.364
enterprise T1566.002 Spearphishing Link Molerats has sent phishing emails with malicious links included.3
enterprise T1057 Process Discovery Molerats actors obtained a list of active processes on the victim and sent them to C2 servers.1
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Molerats has created scheduled tasks to persistently run VBScripts.6
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing Molerats has used forged Microsoft code-signing certificates on malware.5
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.007 Msiexec Molerats has used msiexec.exe to execute an MSI payload.6
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link Molerats has sent malicious links via email trick users into opening a RAR archive and running an executable.36
enterprise T1204.002 Malicious File Molerats has sent malicious files via email that tricked users into clicking Enable Content to run an embedded macro and to download malicious archives.364

Software

ID Name References Techniques
S0547 DropBook - Python:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Deobfuscate/Decode Files or Information Exfiltration Over Web Service File and Directory Discovery Ingress Tool Transfer System Information Discovery System Language Discovery:System Location Discovery Web Service
S0062 DustySky - Web Protocols:Application Layer Protocol Archive via Utility:Archive Collected Data Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Local Data Staging:Data Staged Exfiltration Over C2 Channel Fallback Channels File and Directory Discovery File Deletion:Indicator Removal on Host Keylogging:Input Capture Lateral Tool Transfer Obfuscated Files or Information Peripheral Device Discovery Process Discovery Replication Through Removable Media Screen Capture Software Discovery Security Software Discovery:Software Discovery System Information Discovery Windows Management Instrumentation
S0553 MoleNet - Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution PowerShell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Ingress Tool Transfer Security Software Discovery:Software Discovery System Information Discovery Windows Management Instrumentation
S0012 PoisonIvy - Application Window Discovery Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Active Setup:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Data from Local System Local Data Staging:Data Staged Symmetric Cryptography:Encrypted Channel Ingress Tool Transfer Keylogging:Input Capture Modify Registry Obfuscated Files or Information Dynamic-link Library Injection:Process Injection Rootkit
S0546 SharpStage - Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Deobfuscate/Decode Files or Information Ingress Tool Transfer Scheduled Task:Scheduled Task/Job Screen Capture System Information Discovery System Language Discovery:System Location Discovery Web Service Windows Management Instrumentation
S0543 Spark - Web Protocols:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter Standard Encoding:Data Encoding Deobfuscate/Decode Files or Information Exfiltration Over C2 Channel Software Packing:Obfuscated Files or Information System Information Discovery System Language Discovery:System Location Discovery System Owner/User Discovery User Activity Based Checks:Virtualization/Sandbox Evasion

References

Back to top