Molerats

Molerats is a politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States. ^[1] ^[2]

ID: G0021

Associated Groups: Operation Molerats, Gaza Cybergang

Version: 1.0

Created: 31 May 2017

Last Modified: 25 March 2019

Associated Group Descriptions

Name	Description
Operation Molerats	^[3]
Gaza Cybergang	^[1]

Techniques Used

Domain	ID	Name	Use
Enterprise	T1116	Code Signing	Molerats has used forged Microsoft code-signing certificates on malware.^[3]
Enterprise	T1003	Credential Dumping	Molerats used the public tool BrowserPasswordDump10 to dump passwords saved in browsers on victims.^[1]
Enterprise	T1057	Process Discovery	Molerats actors obtained a list of active processes on the victim and sent them to C2 servers.^[1]

Software

ID	Name	References	Techniques
S0062	DustySky	^[1] ^[2]	Fallback Channels, File and Directory Discovery, Input Capture, Obfuscated Files or Information, Process Discovery, Registry Run Keys / Startup Folder, Remote File Copy, Replication Through Removable Media, Security Software Discovery, Standard Application Layer Protocol, System Information Discovery, Windows Management Instrumentation
S0012	PoisonIvy	^[1] ^[2] ^[3]	Application Window Discovery, Command-Line Interface, Data from Local System, Data Staged, Input Capture, Modify Existing Service, Modify Registry, New Service, Obfuscated Files or Information, Process Injection, Registry Run Keys / Startup Folder, Remote File Copy, Rootkit, Standard Cryptographic Protocol, Uncommonly Used Port

References

ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
ClearSky Cybersecurity. (2016, June 9). Operation DustySky - Part 2. Retrieved August 3, 2016.

Villeneuve, N., Haq, H., Moran, N. (2013, August 23). OPERATION MOLERATS: MIDDLE EAST CYBER ATTACKS USING POISON IVY. Retrieved April 1, 2016.

Molerats

Associated Group Descriptions

Enterprise Layer

Techniques Used

Software

References