Zscaler to Expand Zero Trust Exchange Platform's AI Cloud with Data Fabric Purpose-built for Security

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Subscribe
Security Research

New espionage attack by Molerats APT targeting users in the Middle East

SAHIL ANTIL, SUDEEP SINGH
January 20, 2022 - 13 min read

Introduction

In December 2021, the ThreatLabz research team identified several macro-based MS office files uploaded from Middle Eastern countries such as Jordan to OSINT sources such as VT. These files contained decoy themes related to geo-political conflicts between Israel and Palestine. Such themes have been used in previous attack campaigns waged by the Molerats APT.

During our investigation we discovered that the campaign has been active since July 2021. The attackers only switched the distribution method in December 2021 with minor changes in the .NET backdoor. In this blog, we will share complete technical analysis of the attack chain, the C2 infrastructure, threat attribution, and data exfiltration.

The targets in this campaign were chosen specifically by the threat actor and they included critical members of banking sector in Palestine, people related to Palestinian political parties, as well as human rights activists and journalists in Turkey.

ThreatLabz observed several similarities in the C2 communication and .NET payload between this campaign and the previous campaigns attributed to the Molerats APT group.

Additionally, we discovered multiple samples that we suspect are related to Spark backdoor. We have not added the analysis of these samples in this blog, but they were all configured with the same C2 server, which we have included in the IOCs section.
 

Threat attribution

We have attributed the attack to Molerats APT group based on following observations:

1. Use of open-source as well as commercial packers for the backdoor (ConfuserEx, Themida)
2. Targeting middle-east region
3. Using Dropbox API for entire C2 communication
4. Using RAR files for backdoor delivery as well as in later stages
5. Using other legit cloud hosting services like Google Drive to host the payloads
6. Overlap of domain SSL Certificate thumbprint observed on current attack infrastructure with domains used by Molerats APT group in the past
7. Overlap of Passive DNS resolution of domain observed on current attack infrastructure with the IP used by Molerats APT group in the past
 

Attack flow

Figure 1 below illustrates the new attack chain.

Attack Flow

Figure 1: Attack chain
 

Decoy content

MD5: 46e03f21a95afa321b88e44e7e399ec3

Decoy 1
Note: Please refer Appendix section for additional decoy contents
 

Technical analysis

For the purpose of technical analysis we will use the document with MD5: 46e03f21a95afa321b88e44e7e399ec3

[+] Stage-1: Macro code

The macro code is not complex or obfuscated. It simply executes a command using cmd.exe which in turn performs the following operations:

  1. Executes a PowerShell command to download and drop the Stage-2 payload from the URL “http://45.63.49[.]202/document.html” to the path “C:\ProgramData\document.htm”.
  2. Renames document.htm to servicehost.exe
  3. Executes servicehost.exe

Figure 2 below shows the relevant macro code

Macro Code
Figure 2: Macro code

[+] Stage-2: servicehost.exe

# Static analysis

Based on static analysis, we can see that the binary is .NET-based  and is obfuscated using the ConfuserEx packer. It masquerades itself as a WinRAR application by using the icon and other resources (which also contains static strings) from the legit WinRAR application.

Static Analysis
Figure 3: Shows the binary icon and other static information

# Dynamic analysis

The main function of the binary is the standard ConfuserEx function which is responsible for loading the runtime module "koi'' that is stored in encrypted form using a byte array. Once the module is loaded, the main function resolves the module's entry point function using the metadata token and invokes it by providing required parameters.

Runtime Module Loading
Figure 4: Code snippet loading the runtime module and invoking it’s entry point function

The runtime module ("koi") on analysis is found to be a backdoor. Before calling the main function of the module, the code from within the constructor is called which creates a new thread that regularly monitors the presence of a debugger.

Debugger Monitor
Figure 5: Code snippet of debugger monitoring function

Once the debugger monitor thread is created we get the code execution flow to the main function of the module which ultimately leads to the backdoor execution. Within the main function the backdoor performs following operations:

1. Collects the machine manufacture and machine model information using WMI which is used for execution environment checks and is later exfiltrated to C2 server.
2. Checks if it should execute in the current execution environment.
3. Creates a mutex with the name of executing binary.
4. Checks if the mutex is created successfully.
5. Determines if it is executed for the first time using the registry key value "HKCU/Software/{name_of_executing_binary}/{name_of_executing_binary}". 
6. If the registry key doesn't exist, the code flow goes via a mouse check function which executes the code further only if it detects a change in either of the mouse cursor coordinates. In the end, the mouse check function also creates the same registry key.

Main Function
Figure 6: Main function of backdoor

[+] Network communication

From the main function the final code flow reaches the function which starts the network communication. Since the backdoor uses Dropbox API for entire C2 communication and data exfiltration, it first extracts the primary Dropbox account token which is stored in encoded form within the binary. Figure 7 below describes the format and shows the encoded string that contains the Dropbox account token.

Encoded String
Figure 7: Encoded string

Executing further the backdoor collects the following information from victim machine:

1. Machine IP address: By making a network request to “https://api.ipify.org”
2. UserName: From the environment variable
3. HostName: Using the API call Dns.GetHostName()

The collected information is then processed and stored inside a variable named “UserInfo” by performing following operations:

1. Concatenation (IP+UserName+HostName)
2. Base64 string encode
3. Substitution (Substitute “=” with “1”)
4. String reverse

Next the backdoor sends following network requests in the specified sequence using the Dropbox API and correspondingly performs any required operations:

1. Create Folder:
 
Create a folder inside the root directory where the folder name is the value of UserInfo variable

Note: The created folder acts as a unique identifier for a machine considering the fact that the machine IP remains static.

2. Create File:

Create a file inside the newly created folder where the file name is the Machine IP and the data it stores is the information collected in Step-1 of the main function.

3. List Content:

List the content of victim specific folder and delete files where the file name length is 15

4. List Content:

List the content of root directory (which is attacker controlled) and extract the following information:

a) File name of any hosted RAR archive

b) File name of any hosted exe (Which is found to be the legitimate RAR command-line utility and is used to extract the downloaded RAR archive in case the machine doesn't already have any RAR archive supporting application)

c) File name of any hosted pdf or doc file (Used as decoy document)

d) File name of any non specific file type (Based on our analysis it contains the secondary Dropbox account token that is used for file exfiltration from victim machine)
   
Note: The above extracted information is stored locally and is used wherever required.

Finally, if the backdoor executed for the first time, it downloads and opens the hosted pdf or doc file and then calls two other functions where the first function creates a thread that continuously communicates with the Dropbox account to fetch and execute the C2 commands while the second function creates a thread that downloads and executes the RAR archive using the information extracted earlier.

[+] C2 Commands

The backdoor creates a file inside the victim specific folder on Dropbox which is used to fetch C2 commands. The file name is a random string of 15 characters.

The C2 commands have following format:

[command code]=[Command arguments separated using “^”]

The backdoor uses command codes instead of plaintext strings to determine the action to be performed.

Table below summarizes the supported command codes:
 

Command codeAction performed
1Run specified command
2Take snapshot and upload
3Send list of files from specified directories
4Upload files
5Download and execute the RAR archive


C2 infrastructure analysis

While monitoring the IPs used during the current attack we observed the domain "msupdata.com" started to resolve to the IP 45.63.49[.]202 from 27-12-2021. We found two Historical SSL Certificates associated with this domain. Pivoting on the SSL Certificate with thumbprint "ec5e468fbf2483cab74d13e5ff6791522fa1081b" we found domains like "sognostudio.com", "smartweb9.com" and others which were all attributed to Molerats APT group during past attacks.

Additionally, the subdomain “www.msupdata.com” also has a Passive DNS resolution to IP 185.244.39[.]165 which is also associated with Molerats APT group in the past. 

Note: We didn't observe any activity related to the domain "msupdata.com" or it’s subdomain “www.msupdata.com” until this blog release.
 

Pivot on the Dropbox accounts

Based on our analysis at least five Dropbox accounts are being used by the attacker. While investigating the Dropbox accounts we found that the attacker used following information during account registration.

Note: Dropbox has confirmed the takedown of these accounts associated with the Molerats APT group.

Account 1:

Name: Adham gherbawi
Country: NL (Netherlands)
Email: adham.gharbawi@gmail[.]com

Account 2:

Name: alwatan voice
Country: NL (Netherlands)
Email: alwatanvoiceoffice@gmail[.]com

Account 3:

Name: adham gharbawi
Country: NL (Netherlands)
Email: adham.ghar.bawi@gmail[.]com

Account 4:

Name: pal leae
Country: PS (Palestine)
Email: palinfoarabic@gmail[.]com

Account 5:

Name: pla inod
Country: PS (Palestine)
Email: palinfo.arabic@gmail[.]com

Also, while analyzing the exfiltrated data from Dropbox accounts we found a screenshot of the attacker machine which was likely uploaded while the attacker was testing the malware. We correlated a number of artifacts and patterns with the file names visible from the snapshot to those used during the real attack. Moreover, from the snapshot the attacker seems to be using a simple GUI application to sync with the Dropbox account and display the victims list. In the victims list, the user name "mijda" is also present which matches with the name of document creator “mij daf” for all the documents we found during this attack.

Attacker Machine Snapshot
Figure 8: Screenshot of attacker machine

Additionally, we discovered that the attacker machine was configured with the IP 185.244.39[.]105 which is located in the Netherlands and is associated with the VPS service provider "SKB Enterprise B.V.". Interestingly, this IP (185.244.39[.]105) is also located in the same subnet as the IP 185.244.39[.]165 which was used for C2 communication and domain hosting in the past by Molerats APT group.
 

Pivot on Google drive link

Since the attacker also used Google Drive to host the payload in one of the attack chains, we tried to identify the associated Gmail account. Based on our analysis the attacker used following information for Gmail account:

Account name: Faten Issa
Email: issafaten584@gmail[.]com
 

Old attack chain

As per our analysis the old attack chain was used from 13th July 2021(Start of campaign) to 13th Dec 2021.

Figure 9 below illustrates the old attack chain.

Attack Flow - Old
Figure 9: Attack chain

The major difference between the new attack chain and the old attack chain is seen in the backdoor delivery. Although we are not sure how these RAR/ZIP files were delivered but considering the past attacks they were likely delivered using Phishing PDFs. Additionally, we found a minor variation in the way the backdoor extracted the primary Dropbox account token. In the old attack chain the backdoor fetched the encoded string containing the primary Dropbox account token from attacker-hosted content on “justpaste.it”. Figure 10 below shows the attacker-hosted encoded string that contains the Dropbox account token and also describes the corresponding format.

Encoded String - Attacker Hosted
Figure 10: Attacker-hosted encoded string
 

Zscaler Sandbox Detection

[+] Detection of the macro-based Document

Document - Sandbox Report

[+] Detection of the macro-based PowerPoint file

PPT- Sandbox Report

[+] Detection of the payload

Exe - Sandbox Report

In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to Molerats APT group at various levels.

  • Win32.Trojan.MoleratsAPT
  • PDF.Trojan.MoleRatsAPT


MITRE ATT&CK TTP Mapping

ID

Tactic

Technique

T1566.001

 Spear phishing Attachment

 Uses doc based attachments with VBA macro

T1204.002

User Execution: Malicious File

User opens the document file and enables the VBA macro 

T1059.001

Command and Scripting interpreter: PowerShell

VBA macro launches PowerShell to download and execute the payload

T1140

Deobfuscate/Decode Files or Information

Strings and other data are obfuscated in the payload

T1082

System Information Discovery

Sends processor architecture and computer name

T1083

File and Directory Discovery

Upload file from the victim machine

T1005

Data from Local System

Upload file from victim machine

T1567.002

Exfiltration to Cloud Storage

Data is uploaded to Dropbox via api

T1113Screen captureThe C2 command code "2" corresponds to taking a screenshot and uploading to attacker-controlled Dropbox account

 

Indicators of compromise

[+] Hashes
 

MD5

File Name

Description

46e03f21a95afa321b88e44e7e399ec3

15-12.doc

Document

5c87b653db4cc731651526f9f0d52dbb

11-12.docx

Document

105885d14653932ff6b155d0ed64f926

report2.dotm

Template

601107fc8fef440defd922f00589e2e9

4-1.doc

Document

9939bf80b7bc586776e45e848ec41946

19-12.pptm

PPT

054e18a1aab1249f06a4f3e661e3f38a

أجندة صفقة وفاء الأحرار.pptm

PPT

e72d18b78362e068d0f3afa040df6a4c

wanted persons.ppt

PPT

ebc98d9c96065c8f1c0f4ce445bf507b

servicehost.exe

Exe (Confuser packed)

c7271b91d190a730864cd149414e8c43

su.exe

Exe (Themida packed)

00d7f155f1a9b29be2c872c6cad40026

servicehost.exe

Exe (Confuser packed)

2dc3ef988adca0ed20650c45735d4160

cairo hamas office.rar

RAR

a52f1574e4ee4483479e9356f96ee5e3

شروح حركة حماس لفتح مقر دائم لها في القاهرة .exe

Exe (Confuser packed)

b9ad53066ab218e40d61b299bd2175ba

details.rar

RAR

f054f1ccc2885b45a71a1bcd0dd711be

تفاصيل صادمة لعملية هروب الأسرى الستة من سجن جلبوع.exe

Exe (Themida packed)

b7373b976bbdc5356bb89e2cba1540cb

emergency.rar

RAR

a52f1574e4ee4483479e9356f96ee5e3

متابعة الحالة الصحية للرئيس الفلسطيني ابو مازن 16-09-2021.exe

Exe (Confuser packed)

8884b0d29a15c1b6244a6a9ae69afa16

excelservice.rar

RAR

270ee9d4d22ca039539c00565b20d2e7

idf.rar

RAR

8debf9b41ec41b9ff493d5668edbb922

Ministry of the Interior statement 26-9-2021.exe

Exe (Themida packed)

d56a4865836961b592bf4a7addf7a414

images.rar

RAR

a52f1574e4ee4483479e9356f96ee5e3

شاهد ما التقطه كاميرات المراقبة أحداث التحرش الجنسي لأشهر 100 اعلامي في العالم.exe

Exe (Confuser packed)

59368e712e0ac681060780e9caa672a6

meeting.rar

RAR

a52f1574e4ee4483479e9356f96ee5e3

محضر اجتماع نائبة الرئيس الأمريكي ووزير الخارجية الاسرائيلي .exe

Exe (Confuser packed)

99fed519715b3de0af954740a2f4d183

ministry of the interior 23-9-2021.rar

RAR

8debf9b41ec41b9ff493d5668edbb922

Ministry of the Interior statement 23-9-2021.exe

Exe (Themida packed)

bd14674edb9634daf221606f395b1e1d

moi.rar

RAR

a52f1574e4ee4483479e9356f96ee5e3

أيليت شاكيد ترد على طلب الرئيس عباس لقاءها.exe

Exe (Confuser packed)

04d17caf8be87e68c266c34c5bd99f48

namso.rar

RAR

c7271b91d190a730864cd149414e8c43

namso.exe

Exe (Themida packed)

217943eb23563fa3fff766c5ec538fa4

rafah passengers.rar

RAR

a52f1574e4ee4483479e9356f96ee5e3

كشف تنسيقات السفر عبر معبر رفح البري .exe

Exe (Confuser packed)

fef0ec9054b8eff678d3556ec38764a6

sa.rar

RAR

a52f1574e4ee4483479e9356f96ee5e3

وعودات عربية وأمريكية بالتحرك للإفراج عن معتقلي حماس في السعودية.exe

Exe (Confuser packed)

32cc7dd93598684010f985d1f1cea7fd

shahid.rar

RAR

a52f1574e4ee4483479e9356f96ee5e3

شاهد ما التقطه كاميرات المراقبة أحداث التحرش الجنسي لأشهر 100 اعلامي في العالم.exe

Exe (Confuser packed)

1dc3711272f8e9a6876a7bccbfd687a8

sudan details.rar

RAR

f054f1ccc2885b45a71a1bcd0dd711be

قيادي فلسطيني شارك في محاولة الانقلاب في السودان .exe

Exe (Themida packed)

da1d640dfcb2cd3e0ab317aa1e89b22a

tawjihiexam.rar

RAR

31d07f99c865ffe1ec14c4afa98208ad

Israel-Hamas Prisoner Exchange Progress.exe

Exe (Confuser packed)

b5e0eb9ca066f5d97752edd78e2d35e7

أجندة الاجتماع المتوقع.rar

RAR

a52f1574e4ee4483479e9356f96ee5e3

أجندة الاجتماع المزمع عقده الأسبوع القادم - ملفات شائكة تنتظر الاجتماع المتوقع.exe

Exe (Confuser packed)

b65d62fcb1e8f7f06017f5f9d65e30e3

مجريات الاجتماع .rar

RAR

a52f1574e4ee4483479e9356f96ee5e3

مجريات الاجتماع الثنائي وأهم النقاط التي تمس الأمن القومي المصري.exe

Exe (Confuser packed)

933ffc08bcf8152f4b2eeb173b4a1e26

israelian attacks.zip

ZIP

4ae0048f67e878fcedfaff339fab4fe3

Israelians Attacks during the years 2020 to 2021.exe

Exe (Confuser packed)

1478906992cb2a8ddd42541654e9f1ac

patient satisfaction survey.zip

ZIP

31d07f99c865ffe1ec14c4afa98208ad

Patient Satisfaction Survey Patient Satisfaction Survey.exe

Exe (Confuser packed)

33b4238e283b4f6100344f9d73fcc9ba

الجلسة الثانية.zip

ZIP

4ae0048f67e878fcedfaff339fab4fe3

تفاصيل الجلسة الثانية من مؤتمر مسارات السنوي العاشر.exe

Exe (Confuser packed)

1f8178f9d82ac6045b6c7429f363d1c5

رسائل طالبان لحماس.zip

ZIP

4ae0048f67e878fcedfaff339fab4fe3

رسائل طالبان لحماس فيما يخص الشأن التركي وحساسية الموقف بين كل منهم.exe

Exe (Confuser packed)

c7d19e496bcd81c4d16278a398864d60

مجلة اتجاهات سياسية.zip

ZIP

4ae0048f67e878fcedfaff339fab4fe3

مجلة اتجاهات سياسية العدد الخامس والعشرون.exe

Exe (Confuser packed)

1bae258e219c69bb48c46b5a5b7865f4

مقترح.zip

ZIP

4ae0048f67e878fcedfaff339fab4fe3

مقترح احياء ذكرى أبو علي مصطفى ـ مقترح احياء ذكرى أبو علي مصطفى.exe

Exe (Confuser packed)

547334e75ed7d4eea2953675b07986b4

مؤتمر المنظمة.zip

ZIP

4ae0048f67e878fcedfaff339fab4fe3

مؤتمر المنظمة في لبنان - مؤتمر المنظمة في لبنان.exe

Exe (Confuser packed)


[+] Download URLs
 

ComponentURL
Templatehttps://drive.google[.]com/uc?export=download&id=1xwb99Q7duf6q7a-7be44pCk3dU9KwXam
Exe

http://45.63.49[.]202/document.html

http://23.94.218[.]221/excelservice.html

http://45.63.49[.]202/doc.html

http://45.63.49[.]202/gabha.html


[+] Molerats associated IPs

45.63.49[.]202
23.94.218[.]221
185.244.39[.]165

[+] Molerats associated domains

msupdata[.]com
www.msupdate[.]com

# Spark backdoor

bundanesia[.]com

[+] File system artifacts

# Dropped binary

C:\ProgramData\servicehost.exe 
{current_working_directory}\su.exe
 

Appendix

MD5: 5c87b653db4cc731651526f9f0d52dbb

Decoy 2 - Document

MD5: 105885d14653932ff6b155d0ed64f926

Decoy 2 - Template

MD5: e72d18b78362e068d0f3afa040df6a4c

Decoy 3

form submtited
Thank you for reading

Was this post useful?

dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.