Molerats

Molerats is a politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States. ^[1] ^[2]^[3]

ID: G0021

Associated Groups: Operation Molerats, Gaza Cybergang

Version: 1.1

Created: 31 May 2017

Last Modified: 01 July 2020

Version Permalink

Live Version

Associated Group Descriptions

Name	Description
Operation Molerats	^[4]
Gaza Cybergang	^[1]^[3]

Techniques Used

Domain	ID		Name	Use
Enterprise	T1547	.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	Molerats saved malicious files within the AppData and Startup folders to maintain persistence.^[3]
Enterprise	T1059		Command and Scripting Interpreter	Molerats used various implants, including those built on .NET, on target machines.^[3]
		.005	Visual Basic	Molerats used various implants, including those built with VBScript, on target machines.^[3]
		.007	JavaScript/JScript	Molerats used various implants, including those built with JS, on target machines.^[3]
		.001	PowerShell	Molerats used PowerShell implants on target machines.^[3]
Enterprise	T1555	.003	Credentials from Password Stores: Credentials from Web Browsers	Molerats used the public tool BrowserPasswordDump10 to dump passwords saved in browsers on victims.^[1]
Enterprise	T1140		Deobfuscate/Decode Files or Information	Molerats decompresses ZIP files once on the victim machine.^[3]
Enterprise	T1105		Ingress Tool Transfer	Molerats used executables to download malicious files from different sources.^[3]
Enterprise	T1027		Obfuscated Files or Information	Molerats has delivered compressed executables within ZIP files to victims.^[3]
Enterprise	T1566	.001	Phishing: Spearphishing Attachment	Molerats has sent phishing emails with malicious attachments.^[3]
		.002	Phishing: Spearphishing Link	Molerats has sent phishing emails with malicious links included.^[3]
Enterprise	T1057		Process Discovery	Molerats actors obtained a list of active processes on the victim and sent them to C2 servers.^[1]
Enterprise	T1553	.002	Subvert Trust Controls: Code Signing	Molerats has used forged Microsoft code-signing certificates on malware.^[4]
Enterprise	T1204	.001	User Execution: Malicious Link	Molerats has sent malicious links via email.^[3]
		.002	User Execution: Malicious File	Molerats has sent malicious files via email.^[3]

Software

ID	Name	References	Techniques
S0062	DustySky	^[1]^[2]^[3]	Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Data Staged: Local Data Staging, Exfiltration Over C2 Channel, Fallback Channels, File and Directory Discovery, Indicator Removal on Host: File Deletion, Input Capture: Keylogging, Lateral Tool Transfer, Obfuscated Files or Information, Peripheral Device Discovery, Process Discovery, Replication Through Removable Media, Screen Capture, Software Discovery: Security Software Discovery, Software Discovery, System Information Discovery, System Shutdown/Reboot, Windows Management Instrumentation
S0012	PoisonIvy	^[1]^[2]^[4]	Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data from Local System, Data Staged: Local Data Staging, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, Process Injection: Dynamic-link Library Injection, Rootkit

References

ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
ClearSky Cybersecurity. (2016, June 9). Operation DustySky - Part 2. Retrieved August 3, 2016.

Molerats

Associated Group Descriptions

Enterprise Layer

Techniques Used

Software

References