Check out the results from our first round of ATT&CK Evaluations at attackevals.mitre.org!
GROUPS
  1. Home
  2. Groups
  3. Molerats

Molerats

Molerats is a politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States. [1] [2]

ID: G0021
Aliases: Molerats, Operation Molerats, Gaza Cybergang
Version: 1.0

Alias Descriptions

NameDescription
Molerats[1]
Operation Molerats[3]
Gaza Cybergang[1]

Techniques Used

DomainIDNameUse
EnterpriseT1116Code SigningMolerats has used forged Microsoft code-signing certificates on malware.[3]
EnterpriseT1003Credential DumpingMolerats used the public tool BrowserPasswordDump10 to dump passwords saved in browsers on victims.[1]
EnterpriseT1057Process DiscoveryMolerats actors obtained a list of active processes on the victim and sent them to C2 servers.[1]

Software

IDNameTechniques
S0062DustySkyFallback Channels, File and Directory Discovery, Input Capture, Obfuscated Files or Information, Process Discovery, Registry Run Keys / Startup Folder, Remote File Copy, Replication Through Removable Media, Security Software Discovery, Standard Application Layer Protocol, System Information Discovery, Windows Management Instrumentation
S0012PoisonIvyApplication Window Discovery, Command-Line Interface, Data from Local System, Data Staged, Input Capture, Modify Existing Service, Modify Registry, New Service, Obfuscated Files or Information, Process Injection, Registry Run Keys / Startup Folder, Remote File Copy, Rootkit, Standard Cryptographic Protocol, Uncommonly Used Port

References

  1. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  2. ClearSky Cybersecurity. (2016, June 9). Operation DustySky - Part 2. Retrieved August 3, 2016.
  1. Villeneuve, N., Haq, H., Moran, N. (2013, August 23). OPERATION MOLERATS: MIDDLE EAST CYBER ATTACKS USING POISON IVY. Retrieved April 1, 2016.