# New espionage attack by Molerats APT targeting users in the Middle East **[zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east](https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east)** ## Introduction In December 2021, the ThreatLabz research team identified several macro-based MS office files uploaded from Middle Eastern countries such as Jordan to OSINT sources such as VT. These files contained decoy themes related to geo-political conflicts between Israel and Palestine. Such themes have been used in previous attack campaigns waged by the Molerats APT. During our investigation we discovered that the campaign has been active since July 2021. The attackers only switched the distribution method in December 2021 with minor changes in the .NET backdoor. In this blog, we will share complete technical analysis of the attack chain, the C2 infrastructure, threat attribution, and data exfiltration. The targets in this campaign were chosen specifically by the threat actor and they included critical members of banking sector in Palestine, people related to Palestinian political parties, as well as human rights activists and journalists in Turkey. ThreatLabz observed several similarities in the C2 communication and .NET payload between this campaign and the previous campaigns attributed to the Molerats APT group. Additionally, we discovered multiple samples that we suspect are related to Spark backdoor. We have not added the analysis of these samples in this blog, but they were all configured with the same C2 server, which we have included in the IOCs section. ----- ## Threat attribution We have attributed the attack to Molerats APT group based on following observations: **1. Use of open-source as well as commercial packers for the backdoor (ConfuserEx,** Themida) **2. Targeting middle-east region** **3. Using Dropbox API for entire C2 communication** **4. Using RAR files for backdoor delivery as well as in later stages** **5. Using other legit cloud hosting services like Google Drive to host the payloads** **6. Overlap of domain SSL Certificate thumbprint observed on current attack infrastructure** with domains used by Molerats APT group in the past **7. Overlap of Passive DNS resolution of domain observed on current attack infrastructure** with the IP used by Molerats APT group in the past ## Attack flow Figure 1 below illustrates the new attack chain. _Figure 1: Attack chain_ ## Decoy content **MD5: 46e03f21a95afa321b88e44e7e399ec3** ----- **Note: Please refer Appendix section for additional decoy contents** ## Technical analysis ----- For the purpose of technical analysis we will use the document with MD5: 46e03f21a95afa321b88e44e7e399ec3 **[+] Stage-1: Macro code** The macro code is not complex or obfuscated. It simply executes a command using cmd.exe which in turn performs the following operations: 1. Executes a PowerShell command to download and drop the Stage-2 payload from the URL “http://45.63.49[.]202/document.html” to the path “C:\ProgramData\document.htm”. 2. Renames document.htm to servicehost.exe 3. Executes servicehost.exe Figure 2 below shows the relevant macro code _Figure 2: Macro code_ **[+] Stage-2: servicehost.exe** **# Static analysis** Based on static analysis, we can see that the binary is .NET-based and is obfuscated using the ConfuserEx packer. It masquerades itself as a WinRAR application by using the icon and other resources (which also contains static strings) from the legit WinRAR application. ----- _Figure 3: Shows the binary icon and other static information_ **# Dynamic analysis** The main function of the binary is the standard ConfuserEx function which is responsible for loading the runtime module "koi'' that is stored in encrypted form using a byte array. Once the module is loaded, the main function resolves the module's entry point function using the metadata token and invokes it by providing required parameters. ----- _Figure 4: Code snippet loading the runtime module and invoking it’s entry point function_ The runtime module ("koi") on analysis is found to be a backdoor. Before calling the main function of the module, the code from within the constructor is called which creates a new thread that regularly monitors the presence of a debugger. _Figure 5: Code snippet of debugger monitoring function_ Once the debugger monitor thread is created we get the code execution flow to the main function of the module which ultimately leads to the backdoor execution. Within the main function the backdoor performs following operations: **1. Collects the machine manufacture and machine model information using WMI which is** used for execution environment checks and is later exfiltrated to C2 server. **2. Checks if it should execute in the current execution environment.** **3. Creates a mutex with the name of executing binary.** **4. Checks if the mutex is created successfully.** **5. Determines if it is executed for the first time using the registry key value** "HKCU/Software/{name_of_executing_binary}/{name_of_executing_binary}". **6. If the registry key doesn't exist, the code flow goes via a mouse check function which** executes the code further only if it detects a change in either of the mouse cursor coordinates In the end the mouse check function also creates the same registry key ----- _Figure 6: Main function of backdoor_ **[+] Network communication** From the main function the final code flow reaches the function which starts the network communication. Since the backdoor uses Dropbox API for entire C2 communication and data exfiltration, it first extracts the primary Dropbox account token which is stored in encoded form within the binary. Figure 7 below describes the format and shows the encoded string that contains the Dropbox account token. _Figure 7: Encoded string_ Executing further the backdoor collects the following information from victim machine: **1.** **Machine IP address: By making a network request to “https://api.ipify.org”** **2.** **UserName: From the environment variable** **3.** **HostName: Using the API call Dns.GetHostName()** The collected information is then processed and stored inside a variable named “UserInfo” by performing following operations: ----- **1. Concatenation (IP+UserName+HostName)** **2. Base64 string encode** **3. Substitution (Substitute “=” with “1”)** **4. String reverse** Next the backdoor sends following network requests in the specified sequence using the Dropbox API and correspondingly performs any required operations: **1. Create Folder:** Create a folder inside the root directory where the folder name is the value of UserInfo variable **Note: The created folder acts as a unique identifier for a machine considering the fact that** the machine IP remains static. **2. Create File:** Create a file inside the newly created folder where the file name is the Machine IP and the data it stores is the information collected in Step-1 of the main function. **3. List Content:** List the content of victim specific folder and delete files where the file name length is 15 **4. List Content:** List the content of root directory (which is attacker controlled) and extract the following information: **a) File name of any hosted RAR archive** **b) File name of any hosted exe (Which is found to be the legitimate RAR command-line** utility and is used to extract the downloaded RAR archive in case the machine doesn't already have any RAR archive supporting application) **c) File name of any hosted pdf or doc file (Used as decoy document)** **d) File name of any non specific file type (Based on our analysis it contains the secondary** Dropbox account token that is used for file exfiltration from victim machine) **Note: The above extracted information is stored locally and is used wherever required.** Finally, if the backdoor executed for the first time, it downloads and opens the hosted pdf or doc file and then calls two other functions where the first function creates a thread that continuously communicates with the Dropbox account to fetch and execute the C2 commands while the second function creates a thread that downloads and executes the RAR archive using the information extracted earlier. ----- **[+] C2 Commands** The backdoor creates a file inside the victim specific folder on Dropbox which is used to fetch C2 commands. The file name is a random string of 15 characters. **The C2 commands have following format:** [command code]=[Command arguments separated using “^”] The backdoor uses command codes instead of plaintext strings to determine the action to be performed. **Table below summarizes the supported command codes:** **Command code** **Action performed** 1 Run specified command 2 Take snapshot and upload 3 Send list of files from specified directories 4 Upload files 5 Download and execute the RAR archive ## C2 infrastructure analysis While monitoring the IPs used during the current attack we observed the domain **"msupdata.com" started to resolve to the IP 45.63.49[.]202 from 27-12-2021. We found** two Historical SSL Certificates associated with this domain. Pivoting on the SSL Certificate with thumbprint "ec5e468fbf2483cab74d13e5ff6791522fa1081b" we found domains like "sognostudio.com", "smartweb9.com" and others which were all attributed to Molerats APT group during past attacks. Additionally, the subdomain “www.msupdata.com” also has a Passive DNS resolution to IP 185.244.39[.]165 which is also associated with Molerats APT group in the past. **Note: We didn't observe any activity related to the domain "msupdata.com" or it’s** subdomain “www.msupdata.com” until this blog release. ## Pivot on the Dropbox accounts ----- Based on our analysis at least five Dropbox accounts are being used by the attacker. While investigating the Dropbox accounts we found that the attacker used following information during account registration. **Note: Dropbox has confirmed the takedown of these accounts associated with the Molerats** APT group. **Account 1:** **Name: Adham gherbawi** **Country: NL (Netherlands)** **Email:** [[email protected][.]com](https://www.zscaler.com/cdn-cgi/l/email-protection) **Account 2:** **Name: alwatan voice** **Country: NL (Netherlands)** **Email:** [[email protected][.]com](https://www.zscaler.com/cdn-cgi/l/email-protection) **Account 3:** **Name: adham gharbawi** **Country: NL (Netherlands)** **[Email:[email protected][.]com](https://www.zscaler.com/cdn-cgi/l/email-protection)** **Account 4:** **Name: pal leae** **Country: PS (Palestine)** **Email:** [[email protected][.]com](https://www.zscaler.com/cdn-cgi/l/email-protection) **Account 5:** **Name: pla inod** **Country: PS (Palestine)** **[Email:[email protected][.]com](https://www.zscaler.com/cdn-cgi/l/email-protection)** Also, while analyzing the exfiltrated data from Dropbox accounts we found a screenshot of the attacker machine which was likely uploaded while the attacker was testing the malware. We correlated a number of artifacts and patterns with the file names visible from the snapshot to those used during the real attack. Moreover, from the snapshot the attacker seems to be using a simple GUI application to sync with the Dropbox account and display the victims list. In the victims list, the user name "mijda" is also present which matches with the name of document creator “mij daf” for all the documents we found during this attack. ----- _Figure 8: Screenshot of attacker machine_ Additionally, we discovered that the attacker machine was configured with the IP **185.244.39[.]105 which is located in the Netherlands and is associated with the VPS** service provider "SKB Enterprise B.V.". Interestingly, this IP (185.244.39[.]105) is also located in the same subnet as the IP 185.244.39[.]165 which was used for C2 communication and domain hosting in the past by Molerats APT group. ## Pivot on Google drive link Since the attacker also used Google Drive to host the payload in one of the attack chains, we tried to identify the associated Gmail account. Based on our analysis the attacker used following information for Gmail account: **Account name: Faten Issa** **Email:** [[email protected][.]com](https://www.zscaler.com/cdn-cgi/l/email-protection) ## Old attack chain As per our analysis the old attack chain was used from 13th July 2021(Start of campaign) to 13th Dec 2021. Figure 9 below illustrates the old attack chain. ----- Figure 9: Attack chain The major difference between the new attack chain and the old attack chain is seen in the backdoor delivery. Although we are not sure how these RAR/ZIP files were delivered but considering the past attacks they were likely delivered using Phishing PDFs. Additionally, we found a minor variation in the way the backdoor extracted the primary Dropbox account token. In the old attack chain the backdoor fetched the encoded string containing the primary Dropbox account token from attacker-hosted content on “justpaste.it”. Figure 10 below shows the attacker-hosted encoded string that contains the Dropbox account token and also describes the corresponding format. _Figure 10: Attacker-hosted encoded string_ ## Zscaler Sandbox Detection **[+] Detection of the macro-based Document** ----- **[+] Detection of the macro-based PowerPoint file** **[+] Detection of the payload** ----- In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to Molerats APT group at various levels. Win32.Trojan.MoleratsAPT PDF.Trojan.MoleRatsAPT ## MITRE ATT&CK TTP Mapping **ID** **Tactic** **Technique** T1566.001 Spear phishing Attachment T1204.002 User Execution: Malicious File T1059.001 Command and Scripting interpreter: PowerShell T1140 Deobfuscate/Decode Files or Information T1082 System Information Discovery Uses doc based attachments with VBA macro User opens the document file and enables the VBA macro VBA macro launches PowerShell to download and execute the payload Strings and other data are obfuscated in the payload Sends processor architecture and computer name ----- T1083 File and Directory Discovery T1005 Data from Local System T1567.002 Exfiltration to Cloud Storage Upload file from the victim machine Upload file from victim machine Data is uploaded to Dropbox via api T1113 Screen capture The C2 command code "2" corresponds to taking a screenshot and uploading to attacker-controlled Dropbox account ## Indicators of compromise **[+] Hashes** **MD5** **File Name** **Description** 46e03f21a95afa321b88e44e7e399ec3 15-12.doc Document 5c87b653db4cc731651526f9f0d52dbb 11-12.docx Document 105885d14653932ff6b155d0ed64f926 report2.dotm Template 601107fc8fef440defd922f00589e2e9 4-1.doc Document 9939bf80b7bc586776e45e848ec41946 19-12.pptm PPT 054e18a1aab1249f06a4f3e661e3f38aأﺟﻨﺪة ﺻﻔﻘﺔ وﻓﺎء اﻷﺣﺮار.pptm PPT e72d18b78362e068d0f3afa040df6a4c wanted persons.ppt PPT ebc98d9c96065c8f1c0f4ce445bf507b servicehost.exe Exe (Confuser packed) ----- c7271b91d190a730864cd149414e8c43 su.exe Exe (Themida packed) 00d7f155f1a9b29be2c872c6cad40026 servicehost.exe Exe (Confuser packed) 2dc3ef988adca0ed20650c45735d4160 cairo hamas office.rar RAR a52f1574e4ee4483479e9356f96ee5e3ﺷﺮوح ﺣﺮﻛﺔ ﺣﻤﺎس ﻟﻔﺘﺢ ﻣﻘﺮ داﺋﻢ ﻟﻬﺎ ﻓﻲ اﻟﻘﺎﻫﺮة .exe Exe (Confuser packed) b9ad53066ab218e40d61b299bd2175ba details.rar RAR f054f1ccc2885b45a71a1bcd0dd711beﺗﻔﺎﺻﯿﻞ ﺻﺎدﻣﺔ ﻟﻌﻤﻠﯿﺔ ﻫﺮوب اﻷﺳﺮى اﻟﺴﺘﺔ ﻣﻦ ﺳﺠﻦ ﺟﻠﺒﻮع.exe Exe (Themida packed) b7373b976bbdc5356bb89e2cba1540cb emergency.rar RAR a52f1574e4ee4483479e9356f96ee5e3ﻣﺘﺎﺑﻌﺔ اﻟﺤﺎﻟﺔ اﻟﺼﺤﯿﺔ ﻟﻠﺮﺋﯿﺲ اﻟﻔﻠﺴﻄﯿﻨﻲ اﺑﻮ 2021-09-16 ﻣﺎزن.exe Exe (Confuser packed) 8884b0d29a15c1b6244a6a9ae69afa16 excelservice.rar RAR 270ee9d4d22ca039539c00565b20d2e7 idf.rar RAR 8debf9b41ec41b9ff493d5668edbb922 Ministry of the Interior statement 26-9-2021.exe Exe (Themida packed) d56a4865836961b592bf4a7addf7a414 images.rar RAR a52f1574e4ee4483479e9356f96ee5e3ﺷﺎﻫﺪ ﻣﺎ اﻟﺘﻘﻄﻪ ﻛﺎﻣﯿﺮات اﻟﻤﺮاﻗﺒﺔ أﺣﺪاث اﻋﻼﻣﻲ ﻓﻲ100 اﻟﺘﺤﺮش اﻟﺠﻨﺴﻲ ﻷﺷﻬﺮ اﻟﻌﺎﻟﻢ.exe Exe (Confuser packed) ----- 59368e712e0ac681060780e9caa672a6 meeting.rar RAR a52f1574e4ee4483479e9356f96ee5e3ﻣﺤﻀﺮ اﺟﺘﻤﺎع ﻧﺎﺋﺒﺔ اﻟﺮﺋﯿﺲ اﻷﻣﺮﯾﻜﻲ ووزﯾﺮ اﻟﺨﺎرﺟﯿﺔ اﻻﺳﺮاﺋﯿﻠﻲ .exe 99fed519715b3de0af954740a2f4d183 ministry of the interior 23-92021.rar 8debf9b41ec41b9ff493d5668edbb922 Ministry of the Interior statement 23-9-2021.exe Exe (Confuser packed) RAR Exe (Themida packed) bd14674edb9634daf221606f395b1e1d moi.rar RAR a52f1574e4ee4483479e9356f96ee5e3أﯾﻠﯿﺖ ﺷﺎﻛﯿﺪ ﺗﺮد ﻋﻠﻰ ﻃﻠﺐ اﻟﺮﺋﯿﺲ ﻋﺒﺎس ﻟﻘﺎءﻫﺎ.exe Exe (Confuser packed) 04d17caf8be87e68c266c34c5bd99f48 namso.rar RAR c7271b91d190a730864cd149414e8c43 namso.exe Exe (Themida packed) 217943eb23563fa3fff766c5ec538fa4 rafah passengers.rar RAR a52f1574e4ee4483479e9356f96ee5e3ﻛﺸﻒ ﺗﻨﺴﯿﻘﺎت اﻟﺴﻔﺮ ﻋﺒﺮ ﻣﻌﺒﺮ رﻓﺢ اﻟﺒﺮي .exe Exe (Confuser packed) fef0ec9054b8eff678d3556ec38764a6 sa.rar RAR a52f1574e4ee4483479e9356f96ee5e3وﻋﻮدات ﻋﺮﺑﯿﺔ وأﻣﺮﯾﻜﯿﺔ ﺑﺎﻟﺘﺤﺮك ﻟﻺﻓﺮاج ﻋﻦ ﻣﻌﺘﻘﻠﻲ ﺣﻤﺎس ﻓﻲ اﻟﺴﻌﻮدﯾﺔ.exe Exe (Confuser packed) 32cc7dd93598684010f985d1f1cea7fd shahid.rar RAR ----- a52f1574e4ee4483479e9356f96ee5e3ﺷﺎﻫﺪ ﻣﺎ اﻟﺘﻘﻄﻪ ﻛﺎﻣﯿﺮات اﻟﻤﺮاﻗﺒﺔ أﺣﺪاث اﻋﻼﻣﻲ ﻓﻲ100 اﻟﺘﺤﺮش اﻟﺠﻨﺴﻲ ﻷﺷﻬﺮ اﻟﻌﺎﻟﻢ.exe Exe (Confuser packed) 1dc3711272f8e9a6876a7bccbfd687a8 sudan details.rar RAR f054f1ccc2885b45a71a1bcd0dd711beﻗﯿﺎدي ﻓﻠﺴﻄﯿﻨﻲ ﺷﺎرك ﻓﻲ ﻣﺤﺎوﻟﺔ اﻻﻧﻘﻼب ﻓﻲ اﻟﺴﻮدان .exe Exe (Themida packed) da1d640dfcb2cd3e0ab317aa1e89b22a tawjihiexam.rar RAR 31d07f99c865ffe1ec14c4afa98208ad Israel-Hamas Prisoner Exchange Progress.exe Exe (Confuser packed) b5e0eb9ca066f5d97752edd78e2d35e7أﺟﻨﺪة اﻻﺟﺘﻤﺎع اﻟﻤﺘﻮﻗﻊ.rar RAR a52f1574e4ee4483479e9356f96ee5e3 - أﺟﻨﺪة اﻻﺟﺘﻤﺎع اﻟﻤﺰﻣﻊ ﻋﻘﺪه اﻷﺳﺒﻮع اﻟﻘﺎدم ﻣﻠﻔﺎت ﺷﺎﺋﻜﺔ ﺗﻨﺘﻈﺮ اﻻﺟﺘﻤﺎع اﻟﻤﺘﻮﻗﻊ.exe Exe (Confuser packed) b65d62fcb1e8f7f06017f5f9d65e30e3ﻣﺠﺮﯾﺎت اﻻﺟﺘﻤﺎع .rar RAR a52f1574e4ee4483479e9356f96ee5e3ﻣﺠﺮﯾﺎت اﻻﺟﺘﻤﺎع اﻟﺜﻨﺎﺋﻲ وأﻫﻢ اﻟﻨﻘﺎط اﻟﺘﻲ ﺗﻤﺲ اﻷﻣﻦ اﻟﻘﻮﻣﻲ اﻟﻤﺼﺮي.exe Exe (Confuser packed) 933ffc08bcf8152f4b2eeb173b4a1e26 israelian attacks.zip ZIP 4ae0048f67e878fcedfaff339fab4fe3 Israelians Attacks during the years 2020 to 2021.exe Exe (Confuser packed) 1478906992cb2a8ddd42541654e9f1ac patient satisfaction survey.zip ZIP 31d07f99c865ffe1ec14c4afa98208ad Patient Satisfaction Survey Patient Satisfaction Survey.exe Exe (Confuser packed) ----- 33b4238e283b4f6100344f9d73fcc9baاﻟﺠﻠﺴﺔ اﻟﺜﺎﻧﯿﺔ.zip ZIP 4ae0048f67e878fcedfaff339fab4fe3ﺗﻔﺎﺻﯿﻞ اﻟﺠﻠﺴﺔ اﻟﺜﺎﻧﯿﺔ ﻣﻦ ﻣﺆﺗﻤﺮ ﻣﺴﺎرات اﻟﺴﻨﻮي اﻟﻌﺎﺷﺮ.exe Exe (Confuser packed) 1f8178f9d82ac6045b6c7429f363d1c5رﺳﺎﺋﻞ ﻃﺎﻟﺒﺎن ﻟﺤﻤﺎس.zip ZIP 4ae0048f67e878fcedfaff339fab4fe3رﺳﺎﺋﻞ ﻃﺎﻟﺒﺎن ﻟﺤﻤﺎس ﻓﯿﻤﺎ ﯾﺨﺺ اﻟﺸﺄن اﻟﺘﺮﻛﻲ وﺣﺴﺎﺳﯿﺔ اﻟﻤﻮﻗﻒ ﺑﯿﻦ ﻛﻞ ﻣﻨﻬﻢ.exe Exe (Confuser packed) c7d19e496bcd81c4d16278a398864d60ﻣﺠﻠﺔ اﺗﺠﺎﻫﺎت ﺳﯿﺎﺳﯿﺔ.zip ZIP 4ae0048f67e878fcedfaff339fab4fe3ﻣﺠﻠﺔ اﺗﺠﺎﻫﺎت ﺳﯿﺎﺳﯿﺔ اﻟﻌﺪد اﻟﺨﺎﻣﺲ واﻟﻌﺸﺮون.exe Exe (Confuser packed) 1bae258e219c69bb48c46b5a5b7865f4ﻣﻘﺘﺮح.zip ZIP 4ae0048f67e878fcedfaff339fab4fe3ﻣﻘﺘﺮح اﺣﯿﺎء ذﻛﺮى أﺑﻮ ﻋﻠﻲ ﻣﺼﻄﻔﻰ ـ ﻣﻘﺘﺮح اﺣﯿﺎء ذﻛﺮى أﺑﻮ ﻋﻠﻲ ﻣﺼﻄﻔﻰ.exe Exe (Confuser packed) 547334e75ed7d4eea2953675b07986b4ﻣﺆﺗﻤﺮ اﻟﻤﻨﻈﻤﺔ.zip ZIP 4ae0048f67e878fcedfaff339fab4fe3 ﻣﺆﺗﻤﺮ اﻟﻤﻨﻈﻤﺔ ﻓﻲ- ﻣﺆﺗﻤﺮ اﻟﻤﻨﻈﻤﺔ ﻓﻲ ﻟﺒﻨﺎن ﻟﺒﻨﺎن.exe **[+] Download URLs** **Component** **URL** Exe (Confuser packed) Template https://drive.google[.]com/uc?export=download&id=1xwb99Q7duf6q7a7be44pCk3dU9KwXam ----- **Component** **URL** Exe http://45.63.49[.]202/document.html http://23.94.218[.]221/excelservice.html http://45.63.49[.]202/doc.html http://45.63.49[.]202/gabha.html **[+] Molerats associated IPs** 45.63.49[.]202 23.94.218[.]221 185.244.39[.]165 **[+] Molerats associated domains** msupdata[.]com www.msupdate[.]com **# Spark backdoor** bundanesia[.]com **[+] File system artifacts** **# Dropped binary** C:\ProgramData\servicehost.exe {current_working_directory}\su.exe ## Appendix **MD5: 5c87b653db4cc731651526f9f0d52dbb** ----- **MD5: 105885d14653932ff6b155d0ed64f926** ----- **MD5: e72d18b78362e068d0f3afa040df6a4c** -----