Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Molerats

Molerats is an Arabic-speaking, politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States.(Citation: DustySky)(Citation: DustySky2)(Citation: Kaspersky MoleRATs April 2019)(Citation: Cybereason Molerats Dec 2020)
ID: G0021
Associated Groups: Gaza Cybergang, Operation Molerats
Version: 2.1
Created: 31 May 2017
Last Modified: 11 Apr 2024

Associated Group Descriptions

Name Description
Gaza Cybergang (Citation: DustySky)(Citation: Kaspersky MoleRATs April 2019)(Citation: Cybereason Molerats Dec 2020)
Operation Molerats (Citation: FireEye Operation Molerats)(Citation: Cybereason Molerats Dec 2020)

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Molerats saved malicious files within the AppData and Startup folders to maintain persistence.(Citation: Kaspersky MoleRATs April 2019)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Molerats used PowerShell implants on target machines.(Citation: Kaspersky MoleRATs April 2019)

.005 Command and Scripting Interpreter: Visual Basic

Molerats used various implants, including those built with VBScript, on target machines.(Citation: Kaspersky MoleRATs April 2019)(Citation: Unit42 Molerat Mar 2020)

.007 Command and Scripting Interpreter: JavaScript

Molerats used various implants, including those built with JS, on target machines.(Citation: Kaspersky MoleRATs April 2019)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Molerats used the public tool BrowserPasswordDump10 to dump passwords saved in browsers on victims.(Citation: DustySky)

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Molerats has delivered compressed executables within ZIP files to victims.(Citation: Kaspersky MoleRATs April 2019)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Molerats has sent phishing emails with malicious Microsoft Word and PDF attachments.(Citation: Kaspersky MoleRATs April 2019)(Citation: Unit42 Molerat Mar 2020)(Citation: Cybereason Molerats Dec 2020)

.002 Phishing: Spearphishing Link

Molerats has sent phishing emails with malicious links included.(Citation: Kaspersky MoleRATs April 2019)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Molerats has created scheduled tasks to persistently run VBScripts.(Citation: Unit42 Molerat Mar 2020)

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Molerats has used forged Microsoft code-signing certificates on malware.(Citation: FireEye Operation Molerats)

Enterprise T1218 .007 System Binary Proxy Execution: Msiexec

Molerats has used msiexec.exe to execute an MSI payload.(Citation: Unit42 Molerat Mar 2020)

Enterprise T1204 .001 User Execution: Malicious Link

Molerats has sent malicious links via email trick users into opening a RAR archive and running an executable.(Citation: Kaspersky MoleRATs April 2019)(Citation: Unit42 Molerat Mar 2020)

.002 User Execution: Malicious File

Molerats has sent malicious files via email that tricked users into clicking Enable Content to run an embedded macro and to download malicious archives.(Citation: Kaspersky MoleRATs April 2019)(Citation: Unit42 Molerat Mar 2020)(Citation: Cybereason Molerats Dec 2020)

Software

ID Name References Techniques
S0543 Spark (Citation: Cybereason Molerats Dec 2020) (Citation: Unit42 Molerat Mar 2020) Software Packing, System Language Discovery, Windows Command Shell, Standard Encoding, System Information Discovery, User Activity Based Checks, System Owner/User Discovery, Deobfuscate/Decode Files or Information, Exfiltration Over C2 Channel, Web Protocols
S0546 SharpStage (Citation: BleepingComputer Molerats Dec 2020) (Citation: Cybereason Molerats Dec 2020) Windows Command Shell, Scheduled Task, Registry Run Keys / Startup Folder, Web Service, Screen Capture, PowerShell, Ingress Tool Transfer, System Information Discovery, Deobfuscate/Decode Files or Information, System Language Discovery, Windows Management Instrumentation
S0547 DropBook (Citation: BleepingComputer Molerats Dec 2020) (Citation: Cybereason Molerats Dec 2020) Python, Windows Command Shell, File and Directory Discovery, Web Service, Exfiltration Over Web Service, Ingress Tool Transfer, Deobfuscate/Decode Files or Information, System Language Discovery, System Information Discovery
S0062 DustySky (Citation: DustySky) (Citation: DustySky2) (Citation: Kaspersky MoleRATs April 2019) Web Protocols, Software Discovery, File Deletion, Replication Through Removable Media, Obfuscated Files or Information, System Shutdown/Reboot, Archive via Utility, Exfiltration Over C2 Channel, Keylogging, Peripheral Device Discovery, Windows Management Instrumentation, Local Data Staging, Registry Run Keys / Startup Folder, Screen Capture, Security Software Discovery, Lateral Tool Transfer, Fallback Channels, System Information Discovery, Process Discovery, File and Directory Discovery
S0553 MoleNet (Citation: Cybereason Molerats Dec 2020) System Information Discovery, Windows Command Shell, PowerShell, Registry Run Keys / Startup Folder, Windows Management Instrumentation, Ingress Tool Transfer, Security Software Discovery
S0012 PoisonIvy (Citation: Breut) (Citation: Darkmoon) (Citation: DustySky) (Citation: DustySky2) (Citation: FireEye Operation Molerats) (Citation: FireEye Poison Ivy) (Citation: Novetta-Axiom) (Citation: Poison Ivy) (Citation: Symantec Darkmoon Aug 2005) (Citation: Symantec Darkmoon Sept 2014) (Citation: Symantec Elderwood Sept 2012) Windows Service, Modify Registry, Uncommonly Used Port, Registry Run Keys / Startup Folder, Obfuscated Files or Information, Keylogging, Active Setup, Mutual Exclusion, Dynamic-link Library Injection, Local Data Staging, Windows Command Shell, Ingress Tool Transfer, Symmetric Cryptography, Data from Local System, Application Window Discovery, Rootkit

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.