Molerats

Molerats is a politically motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States.[1][2][3]

ID: G0021
Associated Groups: Operation Molerats, Gaza Cybergang
Version: 1.1
Created: 31 May 2017
Last Modified: 01 July 2020

Associated Group Descriptions

Name Description
Operation Molerats [4]
Gaza Cybergang [1][3]

Techniques Used

Domain / ID / Name / Use

Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  Molerats saved malicious files within the AppData and Startup folders to maintain persistence.[3]

Enterprise T1059 Command and Scripting Interpreter
  Molerats used various implants, including those built on .NET, on target machines.[3]

Enterprise T1059.005 Command and Scripting Interpreter: Visual Basic
  Molerats used various implants, including those built with VBScript, on target machines.[3]

Enterprise T1059.007 Command and Scripting Interpreter: JavaScript/JScript
  Molerats used various implants, including those built with JS, on target machines.[3]

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell
  Molerats used PowerShell implants on target machines.[3]

Enterprise T1555.003 Credentials from Password Stores: Credentials from Web Browsers
  Molerats used the public tool BrowserPasswordDump10 to dump passwords saved in browsers on victims.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information
  Molerats decompresses ZIP files once on the victim machine.[3]

Enterprise T1105 Ingress Tool Transfer
  Molerats used executables to download malicious files from different sources.[3]

Enterprise T1027 Obfuscated Files or Information
  Molerats has delivered compressed executables within ZIP files to victims.[3]

Enterprise T1566.001 Phishing: Spearphishing Attachment
  Molerats has sent phishing emails with malicious attachments.[3]

Enterprise T1566.002 Phishing: Spearphishing Link
  Molerats has sent phishing emails with malicious links included.[3]

Enterprise T1057 Process Discovery
  Molerats actors obtained a list of active processes on the victim and sent them to C2 servers.[1]

Enterprise T1553.002 Subvert Trust Controls: Code Signing
  Molerats has used forged Microsoft code-signing certificates on malware.[4]

Enterprise T1204.001 User Execution: Malicious Link
  Molerats has sent malicious links via email.[3]

Enterprise T1204.002 User Execution: Malicious File
  Molerats has sent malicious files via email.[3]
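
The technique rows above describe a single chain: a ZIP-delivered script or executable is opened by the user, runs from a user-writable location, and persists through the Startup folder or a Run key. As an added example (not part of the ATT&CK page, the cited reports, or any Molerats tooling), the Python script below turns those rows into hunting rules and runs them over a few constructed Sysmon-shaped events. The field names (EventID, Image, ParentImage, CommandLine, TargetFilename, TargetObject) follow Sysmon's naming; the paths, SID, process names and the mapping of wscript/cscript to T1059.005 versus T1059.007 by script extension are assumptions made for the example, not indicators from the reports.

```python
import re
from typing import Dict, List, Tuple

# Constructed, Sysmon-shaped sample telemetry (EventID 1 = process create,
# 11 = file create, 13 = registry value set). Not real Molerats data.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -w hidden -ep bypass -File C:\Users\u\AppData\Local\Temp\report\update.ps1"},
    {"EventID": "1",
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
     "CommandLine": r"wscript.exe //B C:\Users\u\AppData\Local\Temp\Rar$DIa0.123\invoice.vbs"},
    {"EventID": "11",
     "Image": r"C:\Users\u\AppData\Roaming\svchost.exe",
     "TargetFilename": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk"},
    {"EventID": "13",
     "Image": r"C:\Users\u\AppData\Roaming\svchost.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\u\AppData\Roaming\svchost.exe"},
    # Benign controls: an admin script outside user-writable staging paths,
    # and an ordinary document write. Neither should produce a finding.
    {"EventID": "1",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"EventID": "11",
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\u\Documents\notes.txt"},
]

INTERPRETERS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Parents that indicate the user opened something from mail, an archive or Explorer (T1204.002).
USER_OPEN_PARENTS = {"explorer.exe", "outlook.exe", "winrar.exe", "7zfm.exe", "7zg.exe"}
# Directories where a ZIP-delivered payload typically lands before execution (assumed list).
STAGING_DIR = re.compile(r"\\appdata\\|\\temp\\|\\downloads\\", re.IGNORECASE)
STARTUP_FOLDER = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\\", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse)\b", re.IGNORECASE)

Finding = Tuple[str, int, str]  # (ATT&CK ID, index of the triggering event, reason)


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def interpreter_technique(image: str, cmdline: str) -> str:
    """Map interpreter plus script extension to the T1059 sub-technique."""
    if image in ("powershell.exe", "pwsh.exe"):
        return "T1059.001"
    m = SCRIPT_EXT.search(cmdline)
    if m and m.group(1).lower() in ("vbs", "vbe"):
        return "T1059.005"
    if m:
        return "T1059.007"
    return "T1059"


def hunt(events: List[Dict[str, str]]) -> List[Finding]:
    """Run the page's technique rows as hunting rules over Sysmon-shaped events."""
    findings: List[Finding] = []
    for i, ev in enumerate(events):
        eid = ev["EventID"]
        if eid == "1":
            image = basename(ev["Image"])
            parent = basename(ev.get("ParentImage", ""))
            cmdline = ev.get("CommandLine", "")
            # Script interpreter executing content from a staging directory.
            if image in INTERPRETERS and STAGING_DIR.search(cmdline):
                findings.append((interpreter_technique(image, cmdline), i,
                                 f"{image} running a script from a user-writable staging directory"))
                # Same event also evidences user execution of a delivered file.
                if parent in USER_OPEN_PARENTS:
                    findings.append(("T1204.002", i, f"interpreter launched via {parent}"))
        elif eid == "11" and STARTUP_FOLDER.search(ev.get("TargetFilename", "")):
            findings.append(("T1547.001", i, "file written to a Startup folder"))
        elif eid == "13" and RUN_KEY.search(ev.get("TargetObject", "")):
            findings.append(("T1547.001", i, "Run key value set"))
    return findings


if __name__ == "__main__":
    for tech, idx, why in hunt(SAMPLE_EVENTS):
        print(f"{tech:<10} event#{idx}  {why}")
```

The staging-directory and parent-process lists are the tuning knobs: widening STAGING_DIR catches more payload drops but also catches legitimate installers, so in practice the interpreter rule is better used to enrich the T1547.001 persistence hits than as a stand-alone alert.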

Software

ID / Name / References / Techniques

S0062 DustySky [1][2][3]
  Techniques: Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Data Staged: Local Data Staging, Exfiltration Over C2 Channel, Fallback Channels, File and Directory Discovery, Indicator Removal on Host: File Deletion, Input Capture: Keylogging, Lateral Tool Transfer, Obfuscated Files or Information, Peripheral Device Discovery, Process Discovery, Replication Through Removable Media, Screen Capture, Software Discovery: Security Software Discovery, Software Discovery, System Information Discovery, System Shutdown/Reboot, Windows Management Instrumentation

S0012 PoisonIvy [1][2][4]
  Techniques: Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data from Local System, Data Staged: Local Data Staging, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, Process Injection: Dynamic-link Library Injection, Rootkit

References