Proofpoint’s security experts have now discovered several attack campaigns targeting governments, think tanks and other organizations in the Middle East. The attacker is a group known as Molerats or TA402 (Threat Actor 402). TA402 is believed to be a Palestinian group. In the new campaigns it uses sophisticated techniques to ensure that the potential victims come only from a previously defined region, currently the Middle East. The group relies on e-mails as well as fake websites and Dropbox.
The new malware used in the attacks has been christened NimbleMamba by Proofpoint. After Molerats had been inactive for some time, the group may have used this pause to replace its previously used malware (LastConn). NimbleMamba now includes several techniques designed to obfuscate its activity and make the attacks difficult to detect and track. Based on the findings so far, it can be assumed that the attackers are trying to obtain confidential data from governments in the Middle East, secret information on international politics and flight data.
One of the additions to the malware is so-called geofencing. The malware checks the geographical location of the attacked system. If the computer is within the previously defined geographical area, the attack continues. If the computer is outside this region, the victim is instead redirected to an ordinary news page.
According to Proofpoint’s research, TA402 is a constant threat to organizations and governments in the Middle East and regularly improves not only its malware, but also the way this malware is distributed.
Among other things, in the recently observed campaigns TA402 used spear-phishing e-mails with links that often lead to malicious files. TA402 used several lures, including clickbait on medical topics and lures that allegedly contained confidential geopolitical information. At first, a Gmail account controlled by TA402 was used; later, Dropbox URLs were used to deliver the prepared RAR files containing NimbleMamba. Dropbox was used not only to download the malware, but also to control it.
Proofpoint shared the results of this analysis with Dropbox before publication, so the company has already taken action and was able to neutralize this aspect of Molerats’ activities.