Palestinian APT group Molerats leverage URL redirects to legitimate sites

MoleRATs hackers deploy new malware in a highly evasive espionage campaign

Molerats hacker group uses the info-stealer implant to gather information from highly targeted devices

Palestinian-aligned hacker group spotted using the new malware implant in the campaign that uses geofencing and URL redirects to legitimate websites. The group mainly targets Middle Eastern governments, journalists, bankers.^[1] These hackers are known for tightly targeted intelligence collection campaigns and recently made headlines for new malware implants as part of the newest campaigns.^[2]

The new implant named NimbleMamba is included in the campaign discovered by the Proofpoint research team.^[3] Three variations got discovered revealing the infection chain. The targets included foreign policy think tanks and state-owned airlines. The NimbleMamba was first used in November 2021, and such operations continued until the end of January 2022.

Most of the attacks rely on spear-phishing emails with links to malware delivering pages. Victims either are in the targeted scope or get rerouted to the legitimate news site. The IP address needs to match the defined targeted region. If it does- the NimbleMamba gets dropped on the system with the help of a RAR file.

NimbleMamba implant put in place of another backdoor

It is speculated that this implant is a replacement for the LastConn backdoor and malware downloader. This particular malware please was linked with the same TA402 group and released back in June 2021.^[4] these threat actors have already shown their advanced abilities since this backdoor was replacing another malware piece only six months after the exposure by researchers.

This particular implant carries some similar features to the LastConn. However, new features show advanced changes to the programming and encoding schemes. The NimbleMamba has a more sophisticated anti-analysis feature and has other functions ensuring that the execution only possible on the machines that are targeted.

Such features of the system include Arabic language pack installation, IP detection, and connection to four geolocation API services. It these requirements are met the malware can get configurations from JustPaste.it page that has all C2 communications and commands.

Intelligence gathering trojan targeting politics

The information-stealing malware can obtain data regarding the processes ruing on the computer, take screenshots, obtain files. The threat can detect user interaction and look for mouse movements. The threat seems to be a well-maintained threat that complicated automated and manual analysis. It does virtual machine checks to avoid detection.

The timeline starts with November 2021, when hackers masqueraded as the Quora website and started these targeted campaigns. Then in December, another campaign was found where specific lures were used to phish people. During these attacks, medical information and geopolitical content managed to trick people into getting the malware from Dropbox URLs.

Later, hackers added the controlled WordPress URL to deliver the NimbleMamba malware to each target from a certain country. Particular attacks linked to the Molerats hacker group got reported then.^[5] Since there is a tendency for these TA402 hackers to change tactics and develop new tools after exposure, it is believed that developers might create a new malware piece. However, it is important to note that criminal group maintains the same target focus and serve the same pro-Palestinian objectives. Phishing emails and infection chain tactics most likely will remain in use.