Molerats is a politically motivated Palestinian cyber threat group operating primarily in the Middle East. Molerats has targeted victims in Europe, the Middle East, and the United States. Its targets include Middle Eastern governments, airlines, and foreign policy think tanks. The group is also known as Operation Molerats and the Gaza Cybergang. In addition, researchers from Zscaler have documented Molerats targeting politically significant Palestinians and journalists in Turkey.
Email and spearphishing are the group's most frequently used methods for launching attacks. Proofpoint has gathered a considerable amount of data on several types of email attacks and malicious links used by Molerats. In one early campaign, Molerats masqueraded as a Quora website. This particular attack used geofencing to restrict delivery of the malicious payload by country. A geofence is a virtual perimeter drawn around a real-world geographic area; geofencing means triggering different behaviour depending on whether a device, or in this case a visitor's IP address, falls inside or outside that perimeter.
If the potential victim's IP address fell within the geofenced target region, they were manipulated into downloading a malicious .RAR archive carrying the malware. If the potential victim was outside the geofence, they were redirected to a legitimate website instead, which also hides the payload from anyone investigating from outside the targeted region. Other email attacks did not use geofencing.
One frequently delivered payload used by Molerats is NimbleMamba, an intelligence-gathering trojan. It takes screenshots and steals process information from the host computer. In addition, NimbleMamba can detect mouse movement and other user interactions, a common check for distinguishing a real user's machine from an analysis sandbox. NimbleMamba also uses the Dropbox API both for command and control (C2) and for exfiltration.
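Because NimbleMamba talks to a legitimate, widely allowed cloud service, blocking the destination is rarely an option; the detectable signal is which process is doing the talking and how much it sends. The following is an added example (not code from the page, Proofpoint or any vendor) that runs this check over a few constructed EDR network events. The Dropbox API hostnames are real, but the event format, field names, sample hosts and the process allowlist are assumptions a real deployment would tune.

```python
"""Flag Dropbox API traffic from processes that are not the expected Dropbox client.

Added illustration. The log layout (one JSON object per line with host, process,
dest and bytes_out fields) and the sample events are constructed for this example.
"""
import json

# Real Dropbox API hostnames. A client library, or a trojan using the API,
# will resolve one of these regardless of what the user normally browses.
DROPBOX_API_HOSTS = {
    "api.dropboxapi.com",
    "content.dropboxapi.com",
    "notify.dropboxapi.com",
}

# Assumption: only the official desktop client is expected to use the API.
EXPECTED_DROPBOX_PROCESSES = {"dropbox.exe"}

# Constructed sample events: two benign lines, two hosts worth a closer look.
SAMPLE_EVENTS = """\
{"host":"ws-017","process":"dropbox.exe","dest":"api.dropboxapi.com","bytes_out":5120}
{"host":"ws-017","process":"chrome.exe","dest":"www.example.com","bytes_out":880}
{"host":"ws-042","process":"svchost.exe","dest":"content.dropboxapi.com","bytes_out":2097152}
{"host":"ws-042","process":"svchost.exe","dest":"api.dropboxapi.com","bytes_out":700}
{"host":"ws-088","process":"winword.exe","dest":"content.dropboxapi.com","bytes_out":91500}
"""


def is_dropbox_api(dest):
    """True if the destination is one of the Dropbox API endpoints."""
    return dest.lower() in DROPBOX_API_HOSTS


def find_suspicious_dropbox_use(events_text, allowlist=EXPECTED_DROPBOX_PROCESSES):
    """Return {(host, process): total_bytes_out} for Dropbox API traffic that
    originates from a process outside the allowlist.

    Aggregating by (host, process) lets an analyst rank findings by upload
    volume: a large bytes_out total toward content.dropboxapi.com from an
    unexpected process is the exfiltration pattern described for NimbleMamba.
    """
    totals = {}
    for line in events_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if not is_dropbox_api(event["dest"]):
            continue
        process = event["process"].lower()
        if process in allowlist:
            continue
        key = (event["host"], process)
        totals[key] = totals.get(key, 0) + int(event.get("bytes_out", 0))
    return totals


def rank_findings(totals):
    """Order findings by bytes sent, largest first, for triage."""
    return sorted(totals.items(), key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for (host, process), sent in rank_findings(find_suspicious_dropbox_use(SAMPLE_EVENTS)):
        print(f"{host}: {process} sent {sent} bytes to the Dropbox API")
```

The allowlist approach deliberately ignores the Dropbox client itself, so an environment where Dropbox is sanctioned still produces a short list; an environment where it is not sanctioned can pass an empty allowlist and treat every hit as a policy violation.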
The Molerats threat group has been known to use software tools that include:
- DropBook, a Python-based backdoor that is compiled with PyInstaller.
- DustySky, malware written in .NET that Molerats has used since mid-2015.
- MoleNet, a downloader tool with extensive backdoor capabilities that has been used since approximately 2019.
- PoisonIvy, a remote access tool (RAT) popular with many groups.
- SharpStage, another .NET malware family with backdoor capability.
- Spark, a Windows backdoor that has been in use since approximately 2017.
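DropBook being compiled with PyInstaller is a useful triage detail: PyInstaller appends its archive to the executable along with a small "cookie" that starts with a fixed magic value, so an analyst can recognise a PyInstaller-packaged binary before any deeper analysis. The following is an added example (not code from the page or from the DropBook authors) that locates and parses that cookie. The magic bytes and the cookie layout are PyInstaller's real format (PyInstaller 2.1 and later); the sample binaries are constructed stand-ins, not malware.

```python
"""Triage helper: does a binary carry a PyInstaller archive?

Added example. The PyInstaller cookie magic and layout are real; the sample
files built below are constructed stand-ins for demonstration.
"""
import struct

# PyInstaller CArchive cookie magic (b"MEI\014\013\012\013\016").
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"

# Cookie layout (network byte order): magic, archive length, TOC offset,
# TOC length, Python version, Python shared-library name padded to 64 bytes.
COOKIE_FMT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)  # 88 bytes


def find_pyinstaller_cookie(data):
    """Return a dict describing the cookie if the magic is present, else None.

    The cookie is searched for rather than read from a fixed offset because
    data appended after the archive (such as an Authenticode signature) can
    shift it away from the very end of the file.
    """
    idx = data.rfind(PYINSTALLER_MAGIC)
    if idx == -1:
        return None
    chunk = data[idx: idx + COOKIE_SIZE]
    if len(chunk) < COOKIE_SIZE:
        # Magic present but truncated: still worth flagging.
        return {"offset": idx, "parsed": False}
    magic, length, toc_pos, toc_len, pyvers, pylib = struct.unpack(COOKIE_FMT, chunk)
    return {
        "offset": idx,
        "parsed": True,
        "archive_len": length,
        "toc_pos": toc_pos,
        "toc_len": toc_len,
        "python_version": pyvers,
        "pylib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def python_version_string(pyvers):
    """PyInstaller stores the version as 310/311 (newer) or 37/38 (older)."""
    if pyvers >= 100:
        return f"{pyvers // 100}.{pyvers % 100}"
    return f"{pyvers // 10}.{pyvers % 10}"


def build_fake_sample(with_cookie):
    """Constructed stand-in: a PE-looking prefix, optionally followed by a
    PyInstaller-style appended archive ending in a valid cookie."""
    body = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 256
    if not with_cookie:
        return body
    cookie = struct.pack(
        COOKIE_FMT, PYINSTALLER_MAGIC, 4096, 3900, 196, 311,
        b"python311.dll".ljust(64, b"\x00"),
    )
    return body + b"\x00" * 1024 + cookie


def triage(samples):
    """Map sample name -> embedded Python version string, or None if not PyInstaller."""
    results = {}
    for name, data in samples.items():
        info = find_pyinstaller_cookie(data)
        if info and info["parsed"]:
            results[name] = python_version_string(info["python_version"])
        else:
            results[name] = None
    return results


if __name__ == "__main__":
    samples = {"packed.exe": build_fake_sample(True), "plain.exe": build_fake_sample(False)}
    for name, version in triage(samples).items():
        print(f"{name}: {'PyInstaller, Python ' + version if version else 'no PyInstaller cookie'}")
```

Knowing the packaged Python version tells the analyst which bytecode decompiler to reach for next, and the TOC offset and length give the starting point for listing the embedded scripts and modules.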