GROUPS
  1. Home
  2. Groups
  3. Molerats

Molerats

Molerats is a politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States. [1] [2]

ID: G0021
Associated Groups: Operation Molerats, Gaza Cybergang
Version: 1.0

Associated Group Descriptions

Name Description
Operation Molerats [3]
Gaza Cybergang [1]

Techniques Used

Domain ID Name Use
Enterprise T1116 Code Signing Molerats has used forged Microsoft code-signing certificates on malware.[3]
Enterprise T1003 Credential Dumping Molerats used the public tool BrowserPasswordDump10 to dump passwords saved in browsers on victims.[1]
Enterprise T1057 Process Discovery Molerats actors obtained a list of active processes on the victim and sent them to C2 servers.[1]

Software

ID Name References Techniques
S0062 DustySky [1] [2] Fallback Channels, File and Directory Discovery, Input Capture, Obfuscated Files or Information, Process Discovery, Registry Run Keys / Startup Folder, Remote File Copy, Replication Through Removable Media, Security Software Discovery, Standard Application Layer Protocol, System Information Discovery, Windows Management Instrumentation
S0012 PoisonIvy [1] [2] [3] Application Window Discovery, Command-Line Interface, Data from Local System, Data Staged, Input Capture, Modify Existing Service, Modify Registry, New Service, Obfuscated Files or Information, Process Injection, Registry Run Keys / Startup Folder, Remote File Copy, Rootkit, Standard Cryptographic Protocol, Uncommonly Used Port

References

  1. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  2. ClearSky Cybersecurity. (2016, June 9). Operation DustySky - Part 2. Retrieved August 3, 2016.
  1. Villeneuve, N., Haq, H., Moran, N. (2013, August 23). OPERATION MOLERATS: MIDDLE EAST CYBER ATTACKS USING POISON IVY. Retrieved April 1, 2016.