1. Home
  2. Groups
  3. Molerats

Molerats

Molerats is an Arabic-speaking, politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States.[1][2][3][4]

ID: G0021
Associated Groups: Operation Molerats, Gaza Cybergang
Version: 2.0
Created: 31 May 2017
Last Modified: 27 April 2021
Version Permalink

Associated Group Descriptions

Name Description
Operation Molerats

[5][4]
Gaza Cybergang

[1][3][4]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Molerats saved malicious files within the AppData and Startup folders to maintain persistence.[3]
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Molerats used PowerShell implants on target machines.[3]
.005 Command and Scripting Interpreter: Visual Basic

Molerats used various implants, including those built with VBScript, on target machines.[3][6]
.007 Command and Scripting Interpreter: JavaScript

Molerats used various implants, including those built with JS, on target machines.[3]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Molerats used the public tool BrowserPasswordDump10 to dump passwords saved in browsers on victims.[1]
Enterprise T1140 Deobfuscate/Decode Files or Information

Molerats decompresses ZIP files once on the victim machine.[3]
Enterprise T1105 Ingress Tool Transfer

Molerats used executables to download malicious files from different sources.[3][6]

Enterprise T1027 Obfuscated Files or Information

Molerats has delivered compressed executables within ZIP files to victims.[3]
Enterprise T1566 .001 Phishing: Spearphishing Attachment

Molerats has sent phishing emails with malicious Microsoft Word and PDF attachments.[3][6][4]
.002 Phishing: Spearphishing Link

Molerats has sent phishing emails with malicious links included.[3]
Enterprise T1057 Process Discovery

Molerats actors obtained a list of active processes on the victim and sent them to C2 servers.[1]
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Molerats has created scheduled tasks to persistently run VBScripts.[6]
Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Molerats has used forged Microsoft code-signing certificates on malware.[5]
Enterprise T1218 .007 System Binary Proxy Execution: Msiexec

Molerats has used msiexec.exe to execute an MSI payload.[6]

Enterprise T1204 .001 User Execution: Malicious Link

Molerats has sent malicious links via email trick users into opening a RAR archive and running an executable.[3][6]

.002 User Execution: Malicious File

Molerats has sent malicious files via email that tricked users into clicking Enable Content to run an embedded macro and to download malicious archives.[3][6][4]

Software

ID Name References Techniques
S0547 DropBook [4] Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Deobfuscate/Decode Files or Information, Exfiltration Over Web Service, File and Directory Discovery, Ingress Tool Transfer, System Information Discovery, System Location Discovery: System Language Discovery, Web Service
S0062 DustySky [1][2][3] Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Data Staged: Local Data Staging, Exfiltration Over C2 Channel, Fallback Channels, File and Directory Discovery, Indicator Removal: File Deletion, Input Capture: Keylogging, Lateral Tool Transfer, Obfuscated Files or Information, Peripheral Device Discovery, Process Discovery, Replication Through Removable Media, Screen Capture, Software Discovery, Software Discovery: Security Software Discovery, System Information Discovery, Windows Management Instrumentation
S0553 MoleNet [4] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Ingress Tool Transfer, Software Discovery: Security Software Discovery, System Information Discovery, Windows Management Instrumentation
S0012 PoisonIvy [1][2][5] Application Window Discovery, Boot or Logon Autostart Execution: Active Setup, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data from Local System, Data Staged: Local Data Staging, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, Process Injection: Dynamic-link Library Injection, Rootkit
S0546 SharpStage [4] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Deobfuscate/Decode Files or Information, Ingress Tool Transfer, Scheduled Task/Job: Scheduled Task, Screen Capture, System Information Discovery, System Location Discovery: System Language Discovery, Web Service, Windows Management Instrumentation
S0543 Spark [6] [4] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Deobfuscate/Decode Files or Information, Exfiltration Over C2 Channel, Obfuscated Files or Information: Software Packing, System Information Discovery, System Location Discovery: System Language Discovery, System Owner/User Discovery, Virtualization/Sandbox Evasion: User Activity Based Checks

References

  1. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  2. ClearSky Cybersecurity. (2016, June 9). Operation DustySky - Part 2. Retrieved August 3, 2016.
  3. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
  1. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
  2. Villeneuve, N., Haq, H., Moran, N. (2013, August 23). OPERATION MOLERATS: MIDDLE EAST CYBER ATTACKS USING POISON IVY. Retrieved April 1, 2016.
  3. Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020.