
SharpStage Backdoor

Posted: December 14, 2020

The SharpStage Backdoor is one of the newest additions to the arsenal of the Advanced Persistent Threat (APT) actor tracked as MoleRats. The group's most recent campaign involves two new malware families, named SharpStage and DropBook. SharpStage is a .NET backdoor Trojan that appears to be used against high-profile political figures in the United Arab Emirates, Egypt, Palestine and Turkey. It is delivered through phishing emails whose attachment poses as an important document about recent events in the Middle East.

So far, cybersecurity experts have identified three separate variants of the SharpStage Backdoor – clearly a sign that the criminals are continuously updating and developing their threatening toolkit. The latest version of the backdoor relied on Dropbox to serve as a control server, as well as a storage space to exfiltrate data to. Once the SharpStage Backdoor infects a system successfully, it enables the attackers to make use of the following features:

  • Grab screenshots of the desktop or specific windows, and upload them to a private Dropbox account.
  • Download and execute additional payloads from attacker-specified URLs.
  • Execute remote commands.
  • Transfer files from the infected system to the attacker-controlled Dropbox account.

APT actors often take measures to keep their malware from running on systems outside the intended target set, and the SharpStage Backdoor is no exception. The check it performs is very simple: it enumerates the keyboard layouts installed on the infected system and continues only if an Arabic layout is present. A consequence worth knowing for analysts is that a sandbox or analysis VM without an Arabic keyboard layout will see the sample do nothing of interest.
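The layout check described above, written as an added example so the gating logic can be seen and tested. This is not SharpStage's own code (the page does not show how the .NET sample implements the check); it uses the Win32 `GetKeyboardLayoutList` API via ctypes, and the sample HKL values at the bottom are constructed for illustration.

```python
import ctypes
import sys

# Primary language identifier for Arabic (LANG_ARABIC in winnt.h). Every Arabic
# locale (0x0401 Saudi Arabia, 0x0C01 Egypt, 0x3001 Lebanon, ...) shares it.
LANG_ARABIC = 0x01


def primary_lang_id(hkl: int) -> int:
    """Extract the primary language ID from a keyboard layout handle (HKL).

    The low word of an HKL is a LANGID; its low 10 bits are the primary
    language and the high 6 bits the sublanguage (the PRIMARYLANGID macro).
    """
    return hkl & 0x03FF


def has_arabic_layout(hkls) -> bool:
    """True if any installed layout is an Arabic-language layout."""
    return any(primary_lang_id(h) == LANG_ARABIC for h in hkls)


def installed_layouts() -> list:
    """Query the installed keyboard layouts via user32.GetKeyboardLayoutList.

    Windows only; raises OSError elsewhere so the caller can fall back.
    """
    if sys.platform != "win32":
        raise OSError("GetKeyboardLayoutList is a Windows API")
    user32 = ctypes.windll.user32
    count = user32.GetKeyboardLayoutList(0, None)   # first call: size only
    buf = (ctypes.c_void_p * count)()
    user32.GetKeyboardLayoutList(count, buf)        # second call: fill buffer
    return [int(h or 0) for h in buf]


# Constructed sample HKLs (not taken from a real infection): US English only,
# US English plus Arabic (Egypt), and US English plus Persian, which uses the
# Arabic script but is a different primary language (0x29) and so is ignored.
SAMPLE_ENGLISH_ONLY = [0x04090409]
SAMPLE_WITH_ARABIC = [0x04090409, 0x0C010401]
SAMPLE_WITH_PERSIAN = [0x04090409, 0x04290429]

if __name__ == "__main__":
    try:
        layouts = installed_layouts()
    except OSError:
        layouts = SAMPLE_WITH_ARABIC
    print([hex(h) for h in layouts], "->", has_arabic_layout(layouts))
```

Because the decision depends only on installed layouts, an analysis VM can be made to pass the check simply by adding an Arabic keyboard layout before detonating the sample.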

Cybercriminals have lately been abusing legitimate services on a regular basis, and the MoleRats APT follows the same trend. In this campaign they rely on Dropbox and Google Drive to host payloads, and Dropbox also doubles as a makeshift control server and exfiltration store. An up-to-date anti-virus product helps against the known samples, but because the delivery vector is a phishing email and the command channel is ordinary HTTPS to a popular cloud service, filtering of executable attachments, user awareness of document lures, and monitoring for cloud-storage traffic from processes that have no business generating it are the more dependable controls.
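One way to hunt for the Dropbox/Google Drive command channel described above, as an added example that is not part of the original page. It runs over a constructed proxy/EDR network log (CSV), flags processes that reach the cloud-storage APIs without being on a per-service allowlist, and ranks the results by bytes sent, since screenshot and file uploads to Dropbox show up as outbound volume. The hostnames, the allowlisted client process names and the log format are assumptions to tune for your own environment.

```python
import csv
import io
from collections import defaultdict

# Public endpoints of the two services the campaign abuses. Assumed for this
# example; extend with whatever your proxy actually observes.
CLOUD_SERVICE_HOSTS = {
    "api.dropboxapi.com": "dropbox",
    "content.dropboxapi.com": "dropbox",
    "drive.google.com": "google-drive",
}

# Processes expected to talk to each service. Browsers are included because
# users legitimately reach both services from them; tune to your estate.
EXPECTED_CLIENTS = {
    "dropbox": {"dropbox.exe", "chrome.exe", "firefox.exe", "msedge.exe"},
    "google-drive": {"googledrivefs.exe", "chrome.exe", "firefox.exe", "msedge.exe"},
}

# Constructed log, not real telemetry. "Report-Dec2020.exe" stands in for an
# implant dropped by a document-themed lure.
SAMPLE_LOG = """\
timestamp,src_ip,process,dest_host,dest_port,bytes_out
2020-12-10T09:14:02Z,10.0.0.21,Dropbox.exe,api.dropboxapi.com,443,512
2020-12-10T09:20:41Z,10.0.0.21,Report-Dec2020.exe,api.dropboxapi.com,443,2048
2020-12-10T09:20:43Z,10.0.0.21,Report-Dec2020.exe,content.dropboxapi.com,443,734211
2020-12-10T09:31:07Z,10.0.0.35,chrome.exe,drive.google.com,443,9000
2020-12-10T09:33:55Z,10.0.0.35,Report-Dec2020.exe,drive.google.com,443,310
2020-12-10T09:40:12Z,10.0.0.42,outlook.exe,outlook.office365.com,443,100
"""


def find_unexpected_cloud_clients(log_text: str) -> list:
    """Return one finding per (source host, process, destination) where a
    non-allowlisted process contacted a cloud-storage endpoint.

    Each finding carries the connection count and total bytes_out, sorted
    with the largest uploads first.
    """
    agg = defaultdict(lambda: {"connections": 0, "bytes_out": 0})
    for row in csv.DictReader(io.StringIO(log_text)):
        host = row["dest_host"].lower()
        service = CLOUD_SERVICE_HOSTS.get(host)
        if service is None:
            continue                       # not a monitored service
        proc = row["process"].lower()
        if proc in EXPECTED_CLIENTS[service]:
            continue                       # legitimate client
        key = (row["src_ip"], proc, host, service)
        agg[key]["connections"] += 1
        agg[key]["bytes_out"] += int(row["bytes_out"])

    findings = [
        {"src_ip": src, "process": proc, "dest_host": host,
         "service": service, **stats}
        for (src, proc, host, service), stats in agg.items()
    ]
    findings.sort(key=lambda f: f["bytes_out"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in find_unexpected_cloud_clients(SAMPLE_LOG):
        print(f"{f['src_ip']} {f['process']} -> {f['dest_host']} "
              f"({f['service']}): {f['connections']} conn, {f['bytes_out']} bytes out")
```

The allowlist is the weak point of this rule: an implant injected into a browser process would pass it, so treat a hit as a lead for process-ancestry and file-write review rather than as proof on its own.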
