Sunday22 May 2022

Another Day, Another Cloud Storage Campaign from the Molerats APT TA402

Reading time is around minutes.

Dropbox, Google Docs and other cloud storage services are great tools for collaboration and to ensure that your files are kept, relatively, safe. These services can also be used by attackers with the right setup and files. The APT group know as Molerats is just such a group. They have been identified is several attacks that leveraged Dropbox and Google Docs as their C2 and payload sources. In December of 2021 the ThreatLabz team at zscaler noticed some unusual behavior that turned out to be just such an attack.

The investigation started when zscaler researchers noted many Microsoft Office files being submitted to services like Virus Total for investigation. These files turned out to be specifically crafted documents with political conflict themes relating to Palestine and Israel. The themes are what clued the zscaler researchers to the fact that Molerats was involved.

This campaign started in July of 21 with carefully chosen targets in the Palestinian banking sector, political parties, as well as human rights activist and journalist in Turkey. The attack, like many, use macros in Microsoft Office documents that are designed to engage the targeted user. The user clicks on the link which executes a PowerShell command to pull down a .NET based backdoor. This backdoor connects to two different dropbox accounts via the dropbox API. One is used for command and control, the other for data exfiltration. The .NET backdoor itself is obfuscated to look like WinRAR including the right icon and static resources directly from the legitimate version of WinRAR. The campaign’s goal is information collection. Once the target is compromised, the payload begins gathering information using various methods (including WMI calls and screenshots.

Molerats atack chain

This type of attack again focuses on proper endpoint security. Having the right type of anti-malware combined with link and document security can help reduce the risk of infection by an attack like this. The use of both MS Office documents and potentially PDFs shows that this type of security is still lacking in far too many organizations.

Last modified on Monday, 24 January 2022 09:39

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.