Molerats
Molerats is a politically motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States.[1][2][3]
Associated Group Descriptions
Name | Description
---|---
Operation Molerats |
Gaza Cybergang | [1][3]
Techniques Used
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Molerats saved malicious files within the AppData and Startup folders to maintain persistence.[3]
Enterprise | T1059 | Command and Scripting Interpreter | Molerats used various implants, including those built on .NET, on target machines.[3]
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Molerats used various implants, including those built with VBScript, on target machines.[3]
Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript/JScript | Molerats used various implants, including those built with JS, on target machines.[3]
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell |
Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Molerats used the public tool BrowserPasswordDump10 to dump passwords saved in browsers on victims.[1]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | Molerats decompresses ZIP files once on the victim machine.[3]
Enterprise | T1105 | Ingress Tool Transfer | Molerats used executables to download malicious files from different sources.[3]
Enterprise | T1027 | Obfuscated Files or Information | Molerats has delivered compressed executables within ZIP files to victims.[3]
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Molerats has sent phishing emails with malicious attachments.[3]
Enterprise | T1566.002 | Phishing: Spearphishing Link | Molerats has sent phishing emails with malicious links included.[3]
Enterprise | T1057 | Process Discovery | Molerats actors obtained a list of active processes on the victim and sent them to C2 servers.[1]
Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | Molerats has used forged Microsoft code-signing certificates on malware.[4]
Enterprise | T1204.001 | User Execution: Malicious Link |
Enterprise | T1204.002 | User Execution: Malicious File |
Software
References
- ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
- ClearSky Cybersecurity. (2016, June 9). Operation DustySky - Part 2. Retrieved August 3, 2016.