A threat actor called Molerats has been accused of running an active espionage operation. The group uses legitimate cloud services such as Google Drive and Dropbox to stage malware payloads, handle command-and-control, and exfiltrate data, and targets data centers across the Middle East.
The cyber offensive is believed to have been underway since at least July 2021, according to cloud-based information security company Zscaler, continuing previous efforts by the hacking group to conduct reconnaissance on the target hosts and plunder sensitive information.
Molerats, also tracked as TA402, Gaza Hackers Team, and Extreme Jackal, is an advanced persistent threat (APT) group that’s largely focused on entities operating in the Middle East. Attack activity associated with the actor has leveraged geopolitical and military themes to entice users to open Microsoft Office attachments and click on malicious links.
The latest campaign observed by Zscaler is similar in that it uses decoy themes relating to the ongoing conflict between Israel and Palestine to deliver a .NET backdoor on infected systems, which then abuses the Dropbox API to establish communication with an adversary-controlled server and send data.
The implant, which uses specific command codes to commandeer the compromised machine, supports capabilities to take snapshots, list and upload files in relevant directories, and run arbitrary commands. Investigating the attack infrastructure, the researchers said they found at least five Dropbox accounts used for this purpose.
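The defender-side counterpart to the Dropbox-as-C2 technique described above, as an added example that is not from Zscaler's report: a small hunt over web-proxy logs that flags Dropbox API traffic from processes other than the Dropbox client or a browser, and bulk uploads to the content endpoint. The log format, the process allow-list and the byte threshold are assumptions constructed for this illustration.

```python
# Added example (not from the Zscaler report): hunt proxy logs for Dropbox API
# traffic originating from unexpected processes. Log format, process names and
# threshold are constructed assumptions, not values from the campaign.
import re
from collections import defaultdict

DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
# Clients expected to talk to the Dropbox API legitimately (assumption).
EXPECTED_PROCESSES = {"dropbox.exe", "chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed sample lines: timestamp, client IP, process, method, host, path, bytes sent.
SAMPLE_LOGS = """\
2021-07-14T09:02:11Z 10.1.4.22 dropbox.exe POST api.dropboxapi.com /2/files/list_folder 412
2021-07-14T09:05:37Z 10.1.4.22 chrome.exe GET content.dropboxapi.com /2/files/download 0
2021-07-14T09:07:02Z 10.1.4.31 svchost.exe POST api.dropboxapi.com /2/files/list_folder 388
2021-07-14T09:07:05Z 10.1.4.31 svchost.exe POST content.dropboxapi.com /2/files/upload 184320
2021-07-14T09:07:09Z 10.1.4.31 svchost.exe POST content.dropboxapi.com /2/files/upload 92160
2021-07-14T09:10:44Z 10.1.4.40 outlook.exe GET outlook.office365.com /owa/ 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<proc>\S+) (?P<method>\S+) "
    r"(?P<host>\S+) (?P<path>\S+) (?P<sent>\d+)$"
)

def parse_log(text):
    """Parse the constructed proxy log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["sent"] = int(d["sent"])
            events.append(d)
    return events

def hunt_dropbox_c2(events, upload_threshold=100_000):
    """Return {(ip, process): finding} for non-allow-listed processes hitting
    Dropbox API hosts; a finding also counts bytes sent to the upload endpoint."""
    findings = defaultdict(lambda: {"api_calls": 0, "bytes_uploaded": 0, "flags": set()})
    for e in events:
        if e["host"] not in DROPBOX_API_HOSTS or e["proc"].lower() in EXPECTED_PROCESSES:
            continue
        f = findings[(e["ip"], e["proc"])]
        f["api_calls"] += 1
        f["flags"].add("unexpected-process")
        if e["host"] == "content.dropboxapi.com" and e["path"].endswith("/upload"):
            f["bytes_uploaded"] += e["sent"]
    for f in findings.values():
        if f["bytes_uploaded"] >= upload_threshold:
            f["flags"].add("bulk-upload")  # possible staged exfiltration
    return dict(findings)
```

In the constructed sample only the svchost.exe host is flagged, with three API calls and 276,480 bytes uploaded; real deployments would need the allow-list tuned to the organisation's sanctioned clients.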
"The threat actor chose the targets for this campaign, and these included members of the banking sector in Palestine and people connected to Palestinian political parties, as well as journalists and human rights activists in Turkey," Zscaler ThreatLabz researchers Sahil Antil and Sudeep Singh said.