Molerats
Associated Group Descriptions |
|
Name | Description |
---|---|
Gaza Cybergang | (Citation: DustySky)(Citation: Kaspersky MoleRATs April 2019)(Citation: Cybereason Molerats Dec 2020) |
Operation Molerats | (Citation: FireEye Operation Molerats)(Citation: Cybereason Molerats Dec 2020) |
Techniques Used |
||||
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Molerats saved malicious files within the AppData and Startup folders to maintain persistence.(Citation: Kaspersky MoleRATs April 2019) |
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
Molerats used PowerShell implants on target machines.(Citation: Kaspersky MoleRATs April 2019) |
.005 | Command and Scripting Interpreter: Visual Basic |
Molerats used various implants, including those built with VBScript, on target machines.(Citation: Kaspersky MoleRATs April 2019)(Citation: Unit42 Molerat Mar 2020) |
||
.007 | Command and Scripting Interpreter: JavaScript |
Molerats used various implants, including those built with JS, on target machines.(Citation: Kaspersky MoleRATs April 2019) |
||
Enterprise | T1555 | .003 | Credentials from Password Stores: Credentials from Web Browsers |
Molerats used the public tool BrowserPasswordDump10 to dump passwords saved in browsers on victims.(Citation: DustySky) |
Enterprise | T1027 | .013 | Obfuscated Files or Information: Encrypted/Encoded File |
Molerats has delivered compressed executables within ZIP files to victims.(Citation: Kaspersky MoleRATs April 2019) |
Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
Molerats has sent phishing emails with malicious Microsoft Word and PDF attachments.(Citation: Kaspersky MoleRATs April 2019)(Citation: Unit42 Molerat Mar 2020)(Citation: Cybereason Molerats Dec 2020) |
.002 | Phishing: Spearphishing Link |
Molerats has sent phishing emails with malicious links included.(Citation: Kaspersky MoleRATs April 2019) |
||
Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
Molerats has created scheduled tasks to persistently run VBScripts.(Citation: Unit42 Molerat Mar 2020) |
Enterprise | T1553 | .002 | Subvert Trust Controls: Code Signing |
Molerats has used forged Microsoft code-signing certificates on malware.(Citation: FireEye Operation Molerats) |
Enterprise | T1218 | .007 | System Binary Proxy Execution: Msiexec |
Molerats has used msiexec.exe to execute an MSI payload.(Citation: Unit42 Molerat Mar 2020) |
Enterprise | T1204 | .001 | User Execution: Malicious Link |
Molerats has sent malicious links via email trick users into opening a RAR archive and running an executable.(Citation: Kaspersky MoleRATs April 2019)(Citation: Unit42 Molerat Mar 2020) |
.002 | User Execution: Malicious File |
Molerats has sent malicious files via email that tricked users into clicking Enable Content to run an embedded macro and to download malicious archives.(Citation: Kaspersky MoleRATs April 2019)(Citation: Unit42 Molerat Mar 2020)(Citation: Cybereason Molerats Dec 2020) |
References
- GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
- Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
- Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020.
- Villeneuve, N., Haq, H., Moran, N. (2013, August 23). OPERATION MOLERATS: MIDDLE EAST CYBER ATTACKS USING POISON IVY. Retrieved April 1, 2016.
- ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
- ClearSky Cybersecurity. (2016, June 9). Operation DustySky - Part 2. Retrieved August 3, 2016.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.