Molerats

Molerats is an Arabic-speaking, politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States.[1][2][3][4]

ID: G0021
Associated Groups: Operation Molerats, Gaza Cybergang
Version: 2.0
Created: 31 May 2017
Last Modified: 27 April 2021

Associated Group Descriptions

Name Description
Operation Molerats

[5][4]

Gaza Cybergang

[1][3][4]

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Molerats saved malicious files within the AppData and Startup folders to maintain persistence.[3]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Molerats used PowerShell implants on target machines.[3]

.005 Command and Scripting Interpreter: Visual Basic

Molerats used various implants, including those built with VBScript, on target machines.[3][6]

.007 Command and Scripting Interpreter: JavaScript

Molerats used various implants, including those built with JS, on target machines.[3]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Molerats used the public tool BrowserPasswordDump10 to dump passwords saved in browsers on victims.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Molerats decompresses ZIP files once on the victim machine.[3]

Enterprise T1105 Ingress Tool Transfer

Molerats used executables to download malicious files from different sources.[3][6]

Enterprise T1027 Obfuscated Files or Information

Molerats has delivered compressed executables within ZIP files to victims.[3]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Molerats has sent phishing emails with malicious Microsoft Word and PDF attachments.[3][6][4]

.002 Phishing: Spearphishing Link

Molerats has sent phishing emails with malicious links included.[3]

Enterprise T1057 Process Discovery

Molerats actors obtained a list of active processes on the victim and sent them to C2 servers.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Molerats has created scheduled tasks to persistently run VBScripts.[6]

Enterprise T1218 .007 Signed Binary Proxy Execution: Msiexec

Molerats has used msiexec.exe to execute an MSI payload.[6]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Molerats has used forged Microsoft code-signing certificates on malware.[5]

Enterprise T1204 .001 User Execution: Malicious Link

Molerats has sent malicious links via email trick users into opening a RAR archive and running an executable.[3][6]

.002 User Execution: Malicious File

Molerats has sent malicious files via email that tricked users into clicking Enable Content to run an embedded macro and to download malicious archives.[3][6][4]

Software

ID Name References Techniques
S0547 DropBook [4] Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: Python, Deobfuscate/Decode Files or Information, Exfiltration Over Web Service, File and Directory Discovery, Ingress Tool Transfer, System Information Discovery, Web Service
S0062 DustySky [1][2][3] Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Data Staged: Local Data Staging, Exfiltration Over C2 Channel, Fallback Channels, File and Directory Discovery, Indicator Removal on Host: File Deletion, Input Capture: Keylogging, Lateral Tool Transfer, Obfuscated Files or Information, Peripheral Device Discovery, Process Discovery, Replication Through Removable Media, Screen Capture, Software Discovery: Security Software Discovery, Software Discovery, System Information Discovery, Windows Management Instrumentation
S0553 MoleNet [4] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Ingress Tool Transfer, Software Discovery: Security Software Discovery, System Information Discovery, Windows Management Instrumentation
S0012 PoisonIvy [1][2][5] Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Active Setup, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data from Local System, Data Staged: Local Data Staging, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, Process Injection: Dynamic-link Library Injection, Rootkit
S0546 SharpStage [4] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Deobfuscate/Decode Files or Information, Ingress Tool Transfer, Scheduled Task/Job: Scheduled Task, Screen Capture, System Information Discovery, Web Service, Windows Management Instrumentation
S0543 Spark [6] [4] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Deobfuscate/Decode Files or Information, Exfiltration Over C2 Channel, Obfuscated Files or Information: Software Packing, System Information Discovery, System Owner/User Discovery, Virtualization/Sandbox Evasion: User Activity Based Checks

References