Molerats

Molerats is an Arabic-speaking, politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States.^[1]^[2]^[3]^[4]

ID: G0021

ⓘ

Associated Groups: Operation Molerats, Gaza Cybergang

Version: 2.0

Created: 31 May 2017

Last Modified: 27 April 2021

Associated Group Descriptions

Name	Description
Operation Molerats	^[5]^[4]
Gaza Cybergang	^[1]^[3]^[4]

Techniques Used

Domain	ID		Name	Use
Enterprise	T1547	.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	Molerats saved malicious files within the AppData and Startup folders to maintain persistence.^[3]
Enterprise	T1059	.001	Command and Scripting Interpreter: PowerShell	Molerats used PowerShell implants on target machines.^[3]
		.005	Command and Scripting Interpreter: Visual Basic	Molerats used various implants, including those built with VBScript, on target machines.^[3]^[6]
		.007	Command and Scripting Interpreter: JavaScript	Molerats used various implants, including those built with JS, on target machines.^[3]
Enterprise	T1555	.003	Credentials from Password Stores: Credentials from Web Browsers	Molerats used the public tool BrowserPasswordDump10 to dump passwords saved in browsers on victims.^[1]
Enterprise	T1140		Deobfuscate/Decode Files or Information	Molerats decompresses ZIP files once on the victim machine.^[3]
Enterprise	T1105		Ingress Tool Transfer	Molerats used executables to download malicious files from different sources.^[3]^[6]
Enterprise	T1027		Obfuscated Files or Information	Molerats has delivered compressed executables within ZIP files to victims.^[3]
Enterprise	T1566	.001	Phishing: Spearphishing Attachment	Molerats has sent phishing emails with malicious Microsoft Word and PDF attachments.^[3]^[6]^[4]
		.002	Phishing: Spearphishing Link	Molerats has sent phishing emails with malicious links included.^[3]
Enterprise	T1057		Process Discovery	Molerats actors obtained a list of active processes on the victim and sent them to C2 servers.^[1]
Enterprise	T1053	.005	Scheduled Task/Job: Scheduled Task	Molerats has created scheduled tasks to persistently run VBScripts.^[6]
Enterprise	T1218	.007	Signed Binary Proxy Execution: Msiexec	Molerats has used msiexec.exe to execute an MSI payload.^[6]
Enterprise	T1553	.002	Subvert Trust Controls: Code Signing	Molerats has used forged Microsoft code-signing certificates on malware.^[5]
Enterprise	T1204	.001	User Execution: Malicious Link	Molerats has sent malicious links via email trick users into opening a RAR archive and running an executable.^[3]^[6]
		.002	User Execution: Malicious File	Molerats has sent malicious files via email that tricked users into clicking Enable Content to run an embedded macro and to download malicious archives.^[3]^[6]^[4]

Software

ID	Name	References	Techniques
S0547	DropBook	^[4]	Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: Python, Deobfuscate/Decode Files or Information, Exfiltration Over Web Service, File and Directory Discovery, Ingress Tool Transfer, System Information Discovery, System Location Discovery: System Language Discovery, Web Service
S0062	DustySky	^[1]^[2]^[3]	Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Data Staged: Local Data Staging, Exfiltration Over C2 Channel, Fallback Channels, File and Directory Discovery, Indicator Removal on Host: File Deletion, Input Capture: Keylogging, Lateral Tool Transfer, Obfuscated Files or Information, Peripheral Device Discovery, Process Discovery, Replication Through Removable Media, Screen Capture, Software Discovery: Security Software Discovery, Software Discovery, System Information Discovery, Windows Management Instrumentation
S0553	MoleNet	^[4]	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Ingress Tool Transfer, Software Discovery: Security Software Discovery, System Information Discovery, Windows Management Instrumentation
S0012	PoisonIvy	^[1]^[2]^[5]	Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Active Setup, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data from Local System, Data Staged: Local Data Staging, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, Process Injection: Dynamic-link Library Injection, Rootkit
S0546	SharpStage	^[4]	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Deobfuscate/Decode Files or Information, Ingress Tool Transfer, Scheduled Task/Job: Scheduled Task, Screen Capture, System Information Discovery, System Location Discovery: System Language Discovery, Web Service, Windows Management Instrumentation
S0543	Spark	^[6] ^[4]	Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Deobfuscate/Decode Files or Information, Exfiltration Over C2 Channel, Obfuscated Files or Information: Software Packing, System Information Discovery, System Location Discovery: System Language Discovery, System Owner/User Discovery, Virtualization/Sandbox Evasion: User Activity Based Checks

References

ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
ClearSky Cybersecurity. (2016, June 9). Operation DustySky - Part 2. Retrieved August 3, 2016.
GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.

Molerats

Associated Group Descriptions

Enterprise Layer

Techniques Used

Software

References