
Molerats

Posted: March 23, 2020

The Molerats is a group of hackers composed of multiple sub-groups, which express an overall interest in targets related to Middle Eastern politics. Their attacks often use e-mail attachments or links for delivering numerous threats, including both free and custom ones. Users should disconnect from the internet after suspecting any infection and use professional anti-malware products for removing the Molerats' Trojans immediately.

Digging a Hole in the Security of Your PC

With adaptation being a hallmark of the threat landscape, few threat actors active in reconnaissance-based campaigns exhibit that mindset as well as the Molerats. This group may owe its flexible tactics, in part, to sub-divisions operating partially independently, and the various attacks attributed to it can be linked by shared characteristics. Whether it's referred to as the Molerats, the Gaza Hackers Team, or the Gaza Cybergang, these hackers' attacks start with an e-mail and follow through with backdoor Trojans.

Campaigns run by members of the Molerats group include attacks against many of the 'expected' victims of cyber-spying: government entities and telecommunications companies. However, a minority of spear-phishing attacks also occur against less-often-seen targets, such as retailers. Virtually all incidents start with crafted e-mail messages in Arabic or English, using topics like copied news articles concerning Palestinian peace negotiations or Egyptian military strategies. In some cases, the Molerats use Web links to disguised downloads for delivering their Trojans, although, more often, they include attachments, such as documents with drive-by-download macros.

The Molerats group began, at first, using 'free' Trojans with code from GitHub and other non-premium sources. Modifications to these freeware resources and additional programming efforts, over time, gave the hackers access to a broader range of Black Hat tools, some of which are only used by them. Malware researchers are pointing out the following as examples of highly-active Trojans in this threat actor's kit:

  • The Poison Ivy backdoor is a 'public' backdoor Trojan in use by the Molerats in 2013.
  • DustySky is a .NET Framework Trojan that's specific to the Molerats.
  • The Spark family (and variants, like EnigmaSpark) also are limited in usage to this organization.
  • JhoneRAT is a Remote Access Trojan that may supplant, or supplement, the Spark backdoor Trojan in functionality.
  • BrowserPasswordDump10 is a free tool that the Molerats leverage as spyware for collecting the user's Web-browsing accounts' passwords.

Collapsing the Burrows of a Cyber-Pest

The Molerats are capable of using more-advanced methods of disguising their attacks, such as partially or wholly-forged digital certificates on their downloads. The use of a splash screen, forcing user interaction to bypass security software, is another tactic displaying the group's overall creativity and willingness to work around environmental impediments to their spying. Behaviorally, malware experts characterize them as well-organized – adhering to known work schedules – and, seemingly, funded, since the group is years old and consistently active.

The Molerats' dependency on e-mail infection vectors means that traditional defenses protect users in a targeted government, business or NGO network. Most word-processing programs offer automatic deactivation of macros, and users should avoid enabling them without confirming the safety of this 'advanced' content first. Trojan droppers and downloaders embedded in these documents are identified as threats by numerous cyber-security products, as are obfuscated Web links that direct Web surfers to known corrupted domains.
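Because macro-bearing document attachments are the group's most common delivery vehicle, a mail gateway or analyst can triage attachments before a user ever sees the "Enable Content" prompt. The script below is an added example, not code from the original article or from any of the tools it names. It inspects an attachment's container format: for OOXML files (.docx/.docm/.xlsx/.xlsm) it opens the zip and looks for a `vbaProject.bin` part, which is where Office stores VBA macros, and flags the case where a macro project sits inside a file whose extension claims to be macro-free. For legacy OLE2 (.doc/.xls) files it applies a crude heuristic (searching for the UTF-16LE stream names `Macros` and `_VBA_PROJECT`); a production pipeline would use a real OLE parser instead. The sample documents are constructed in memory so the example runs offline.

```python
import io
import zipfile
from dataclasses import dataclass, field
from typing import List

# Magic bytes identifying the two container formats Office documents use.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File Binary (.doc/.xls)
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML (.docx/.docm/.xlsx/...)

# Extensions that, by convention, must not carry a VBA project.
MACRO_FREE_EXTENSIONS = (".docx", ".xlsx", ".pptx")

# Heuristic markers for VBA storage in an OLE2 file: directory entry names are
# stored as UTF-16LE, so the stream names are encoded the same way.
OLE2_VBA_MARKERS = ("Macros".encode("utf-16-le"), "_VBA_PROJECT".encode("utf-16-le"))


@dataclass
class TriageResult:
    filename: str
    container: str                      # "ooxml", "ole2" or "other"
    has_vba_project: bool = False
    findings: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.has_vba_project or bool(self.findings)


def triage_attachment(filename: str, data: bytes) -> TriageResult:
    """Classify an attachment by container type and look for embedded VBA."""
    lower = filename.lower()

    if data.startswith(ZIP_MAGIC):
        result = TriageResult(filename, "ooxml")
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            result.findings.append("zip container could not be parsed")
            return result
        # Office keeps VBA macros in a part named vbaProject.bin (e.g. word/vbaProject.bin).
        vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if vba_parts:
            result.has_vba_project = True
            result.findings.append("embedded VBA project: " + ", ".join(vba_parts))
            if lower.endswith(MACRO_FREE_EXTENSIONS):
                result.findings.append("macro-free extension but VBA project present")
        return result

    if data.startswith(OLE2_MAGIC):
        result = TriageResult(filename, "ole2")
        # Crude heuristic only: a full check needs an OLE directory parser.
        if any(marker in data for marker in OLE2_VBA_MARKERS):
            result.has_vba_project = True
            result.findings.append("OLE2 stream names suggest a VBA project (heuristic)")
        return result

    return TriageResult(filename, "other")


def build_sample_ooxml(with_vba: bool) -> bytes:
    """Construct a minimal OOXML-style zip in memory (constructed test data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)   # placeholder bytes, not real VBA
    return buf.getvalue()


def build_sample_ole2(with_vba: bool) -> bytes:
    """Construct a stand-in OLE2 blob: the real header magic followed by padding (constructed)."""
    body = OLE2_MAGIC + b"\x00" * 504
    if with_vba:
        body += "_VBA_PROJECT".encode("utf-16-le")
    return body


if __name__ == "__main__":
    samples = [
        ("news_article.docm", build_sample_ooxml(with_vba=True)),
        ("report.docx", build_sample_ooxml(with_vba=False)),
        ("report.docx", build_sample_ooxml(with_vba=True)),   # extension lies about content
        ("old_memo.doc", build_sample_ole2(with_vba=True)),
    ]
    for name, blob in samples:
        r = triage_attachment(name, blob)
        verdict = "QUARANTINE" if r.suspicious else "pass"
        print(f"{name:20} {r.container:6} {verdict:10} {'; '.join(r.findings)}")
```

The container check is deliberately based on magic bytes rather than the file extension, since the extension is attacker-controlled; the extension is consulted only to spot a mismatch worth escalating.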

Traditional anti-malware products include threat heuristics that are relevant to many backdoor Trojans, including those in the Molerats' set of software. Removing Molerats Trojans with appropriate anti-malware tools should also encompass precautions such as changing passwords, to prevent further compromise of the network and other accounts.

Until either political tensions in the Middle East or their resources dry up, the Molerats and their spying will remain a relevant factor to the threat landscape. Workers can protect their machines from spear-phishing appropriately or run the risk of becoming part of these hackers' tunneling expeditions.
