
DropBook Backdoor

Posted: December 14, 2020

The MoleRats APT recently launched another campaign targeting government and political entities in Egypt, the United Arab Emirates and Palestine. The attackers now use a combination of two backdoors: the DropBook Backdoor, written in Python, and the SharpStage Backdoor, built on the .NET framework. The former is likely used as a first-stage payload, while the latter serves as a post-exploitation tool.

The DropBook Backdoor stands out with its ability to use the public Facebook and Simplenote services as a command-and-control server – the attackers feed the implant commands to execute via specially created Facebook and Simplenote tokens. Using Facebook is DropBook Backdoor's top priority, but it can fall back to Simplenote's token in case Facebook is unavailable.

The DropBook Backdoor implant focuses on collecting information about the victim's file system, as well as trying to collect specific files. The malware is able to list all files and folders found in the 'Program Files' directory, as well as on the Windows desktop. The stolen files are exfiltrated via Dropbox.

The DropBook Backdoor shares some similarities with the SharpStage Backdoor: it checks for the presence of an Arabic keyboard layout before proceeding with its attack. It also checks whether the victim has WinRAR installed, and the attack only proceeds if WinRAR is available. However, the DropBook Backdoor has not so far been observed actually using WinRAR, so the check may relate to the attackers' future plans.
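The behaviours described in the three paragraphs above (commands fetched from Facebook or Simplenote, enumeration of 'Program Files' and the desktop, exfiltration through Dropbox) give a defender something to correlate on: a single process that talks to a consumer note or social service and, in the same session, walks those directories or uploads to Dropbox. The script below is an added example, not code from the report or from the MoleRats tooling. It assumes endpoint telemetry has already been normalised into per-process network and file events, and the service hostnames it keys on (graph.facebook.com, app.simplenote.com, the dropboxapi.com hosts) are assumed endpoints of those public services, not indicators taken from the page; the sample events are constructed.

```python
"""Correlate DropBook-style behaviour in normalised endpoint telemetry.

Added example (not from the original page). Assumes each event is a dict:
  {"pid": int, "image": str, "kind": "net", "dest": hostname}  or
  {"pid": int, "image": str, "kind": "file", "path": Windows path}
"""
import fnmatch
from collections import defaultdict

# Assumed hostnames for the public services the report names; they are not
# indicators from the page, and a real deployment would use its own proxy/DNS view.
SERVICE_HOSTS = {
    "graph.facebook.com": "facebook",      # candidate C2 channel
    "app.simplenote.com": "simplenote",    # fallback C2 channel
    "api.dropboxapi.com": "dropbox",       # exfiltration channel
    "content.dropboxapi.com": "dropbox",
}
C2_SERVICES = {"facebook", "simplenote"}
EXFIL_SERVICES = {"dropbox"}

# Directories the report says the implant enumerates, as lower-case globs.
ENUMERATED_DIRS = [
    "c:\\program files\\*",
    "c:\\program files (x86)\\*",
    "c:\\users\\*\\desktop\\*",
]

# Constructed sample telemetry: a legitimate Dropbox client, a browser on
# Facebook, and one interpreter process that matches the described pattern.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": "Dropbox.exe", "kind": "net", "dest": "api.dropboxapi.com"},
    {"pid": 4120, "image": "Dropbox.exe", "kind": "file", "path": "C:\\Users\\alice\\Dropbox\\notes.txt"},
    {"pid": 9001, "image": "chrome.exe", "kind": "net", "dest": "graph.facebook.com"},
    {"pid": 7788, "image": "python.exe", "kind": "net", "dest": "graph.facebook.com"},
    {"pid": 7788, "image": "python.exe", "kind": "file", "path": "C:\\Program Files\\WinRAR\\WinRAR.exe"},
    {"pid": 7788, "image": "python.exe", "kind": "file", "path": "C:\\Users\\alice\\Desktop\\budget.xlsx"},
    {"pid": 7788, "image": "python.exe", "kind": "net", "dest": "content.dropboxapi.com"},
]


def enumerated_dir(path):
    """Return the matching ENUMERATED_DIRS glob for a path, or None."""
    low = path.lower()
    for pattern in ENUMERATED_DIRS:
        if fnmatch.fnmatch(low, pattern):
            return pattern
    return None


def profile_processes(events):
    """Group events by pid into the services contacted and directories touched."""
    per_pid = defaultdict(lambda: {"image": None, "services": set(), "dirs": set()})
    for ev in events:
        proc = per_pid[ev["pid"]]
        proc["image"] = ev["image"]
        if ev["kind"] == "net":
            svc = SERVICE_HOSTS.get(ev["dest"].lower())
            if svc:
                proc["services"].add(svc)
        elif ev["kind"] == "file":
            matched = enumerated_dir(ev["path"])
            if matched:
                proc["dirs"].add(matched)
    return per_pid


def flag_suspicious(events):
    """Flag processes that used a C2 service AND either exfiltrated via Dropbox
    or enumerated the directories the report describes. Returns a sorted list of
    (pid, image, services, dirs) tuples."""
    hits = []
    for pid, proc in profile_processes(events).items():
        used_c2 = bool(proc["services"] & C2_SERVICES)
        used_exfil = bool(proc["services"] & EXFIL_SERVICES)
        if used_c2 and (used_exfil or proc["dirs"]):
            hits.append((pid, proc["image"], sorted(proc["services"]), sorted(proc["dirs"])))
    return sorted(hits)


if __name__ == "__main__":
    for pid, image, services, dirs in flag_suspicious(SAMPLE_EVENTS):
        print(f"pid {pid} ({image}): services={services} enumerated={dirs}")
```

On the constructed sample only the python.exe process is flagged: the Dropbox client never touches a C2 service, and the browser on Facebook never enumerates the directories or uploads to Dropbox. The second condition is what keeps the rule from firing on ordinary social-media traffic; in production the hostname map and the interpreter images you expect to see would be tuned to your own environment.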

Even high-profile threat actors like the MoleRats APT cannot evade anti-virus products easily. Their newest threats like the DropBook Backdoor may employ some obfuscation tricks, but you can rest assured that a reputable anti-virus product can stop such malware attacks.
