Cybercriminals from Molerats are using public cloud services to hide new snooping attacks
- January 22, 2022
Molerats, a threat actor, has been linked to an ongoing snooping operation that exploits genuine cloud services like Google Drive and Dropbox to host malware payloads as well as for command-and-control and data exfiltration from targets around the Middle East. According to cloud-based information security provider Zscaler, the cyberattack has been operational since at least July 2021, extending prior efforts by the hacker gang to perform intelligence gathering on the target servers and steal critical information.
Molerats, also known as TA402, Gaza Hackers Team, and Extreme Jackal, is an advanced persistent threat (APT) organization that primarily targets entities operating in the Middle East. The hacker’s attacks have used geopolitical and military motifs to lure people into opening Microsoft Office documents and clicking on dangerous websites.
The new attempt reported by Zscaler is similar in that it uses decoy themes linked to existing disputes between Israel and Palestine to install a.NET backdoor on compromised PCs, which then uses the Dropbox API to communicate with an adversary-controlled server and relay data.
The implant, which employs certain command codes to seize control of the infected system, can take screenshots, list and upload data in relevant directories, and run arbitrary instructions. The researchers discovered at least five Dropbox accounts used for this purpose while analyzing the attack architecture.
“The threat actor chose the targets for this campaign specifically, and they included critical members of the banking sector in Palestine, people associated with Palestinian political parties, as well as human rights activists and journalists in Turkey,” said Zscaler ThreatLabz researchers Sahil Antil and Sudeep Singh.