Molerats

Molerats is an Arabic-speaking, politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States.(Citation: DustySky)(Citation: DustySky2)(Citation: Kaspersky MoleRATs April 2019)(Citation: Cybereason Molerats Dec 2020)
ID: G0021
Associated Groups: Gaza Cybergang, Operation Molerats
Version: 2.1
Created: 31 May 2017
Last Modified: 17 Nov 2024

Associated Group Descriptions

Name Description
Gaza Cybergang (Citation: DustySky)(Citation: Kaspersky MoleRATs April 2019)(Citation: Cybereason Molerats Dec 2020)
Operation Molerats (Citation: FireEye Operation Molerats)(Citation: Cybereason Molerats Dec 2020)

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Molerats saved malicious files within the AppData and Startup folders to maintain persistence.(Citation: Kaspersky MoleRATs April 2019)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Molerats used PowerShell implants on target machines.(Citation: Kaspersky MoleRATs April 2019)

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

Molerats used various implants, including those built with VBScript, on target machines.(Citation: Kaspersky MoleRATs April 2019)(Citation: Unit42 Molerat Mar 2020)

Enterprise T1059 .007 Command and Scripting Interpreter: JavaScript

Molerats used various implants, including those built with JS, on target machines.(Citation: Kaspersky MoleRATs April 2019)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Molerats used the public tool BrowserPasswordDump10 to dump passwords saved in browsers on victims.(Citation: DustySky)

Enterprise T1027 .015 Obfuscated Files or Information: Compression

Molerats has delivered compressed executables within ZIP files to victims.(Citation: Kaspersky MoleRATs April 2019)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Molerats has sent phishing emails with malicious Microsoft Word and PDF attachments.(Citation: Kaspersky MoleRATs April 2019)(Citation: Unit42 Molerat Mar 2020)(Citation: Cybereason Molerats Dec 2020)

Enterprise T1566 .002 Phishing: Spearphishing Link

Molerats has sent phishing emails with malicious links included.(Citation: Kaspersky MoleRATs April 2019)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Molerats has created scheduled tasks to persistently run VBScripts.(Citation: Unit42 Molerat Mar 2020)

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Molerats has used forged Microsoft code-signing certificates on malware.(Citation: FireEye Operation Molerats)

Enterprise T1218 .007 System Binary Proxy Execution: Msiexec

Molerats has used msiexec.exe to execute an MSI payload.(Citation: Unit42 Molerat Mar 2020)

Enterprise T1204 .001 User Execution: Malicious Link

Molerats has sent malicious links via email to trick users into opening a RAR archive and running an executable.(Citation: Kaspersky MoleRATs April 2019)(Citation: Unit42 Molerat Mar 2020)

Enterprise T1204 .002 User Execution: Malicious File

Molerats has sent malicious files via email that tricked users into clicking Enable Content to run an embedded macro and to download malicious archives.(Citation: Kaspersky MoleRATs April 2019)(Citation: Unit42 Molerat Mar 2020)(Citation: Cybereason Molerats Dec 2020)

Software

ID Name References Techniques
S0543 Spark (Citation: Cybereason Molerats Dec 2020) (Citation: Unit42 Molerat Mar 2020) System Owner/User Discovery, Standard Encoding, System Information Discovery, Deobfuscate/Decode Files or Information, User Activity Based Checks, Exfiltration Over C2 Channel, System Language Discovery, Windows Command Shell, Software Packing, Web Protocols
S0546 SharpStage (Citation: BleepingComputer Molerats Dec 2020) (Citation: Cybereason Molerats Dec 2020) Scheduled Task, Windows Management Instrumentation, Screen Capture, System Information Discovery, Deobfuscate/Decode Files or Information, Web Service, PowerShell, Registry Run Keys / Startup Folder, System Language Discovery, Windows Command Shell, Ingress Tool Transfer
S0547 DropBook (Citation: BleepingComputer Molerats Dec 2020) (Citation: Cybereason Molerats Dec 2020) System Information Discovery, Deobfuscate/Decode Files or Information, Exfiltration Over Web Service, File and Directory Discovery, Web Service, System Language Discovery, Python, Windows Command Shell, Ingress Tool Transfer
S0062 DustySky (Citation: DustySky) (Citation: DustySky2) (Citation: Kaspersky MoleRATs April 2019) Archive via Utility, Windows Management Instrumentation, Screen Capture, Keylogging, Local Data Staging, Peripheral Device Discovery, System Information Discovery, Replication Through Removable Media, File and Directory Discovery, Process Discovery, Exfiltration Over C2 Channel, Registry Run Keys / Startup Folder, Obfuscated Files or Information, Lateral Tool Transfer, Security Software Discovery, File Deletion, Web Protocols, Software Discovery, Fallback Channels, System Shutdown/Reboot
S0553 MoleNet (Citation: Cybereason Molerats Dec 2020) Windows Management Instrumentation, System Information Discovery, PowerShell, Registry Run Keys / Startup Folder, Security Software Discovery, Windows Command Shell, Ingress Tool Transfer
S0012 PoisonIvy (Citation: Breut) (Citation: Darkmoon) (Citation: DustySky) (Citation: DustySky2) (Citation: FireEye Operation Molerats) (Citation: FireEye Poison Ivy) (Citation: Novetta-Axiom) (Citation: Poison Ivy) (Citation: Symantec Darkmoon Aug 2005) (Citation: Symantec Darkmoon Sept 2014) (Citation: Symantec Elderwood Sept 2012) Keylogging, Rootkit, Local Data Staging, Active Setup, Symmetric Cryptography, Windows Service, Data from Local System, Mutual Exclusion, Application Window Discovery, Modify Registry, Registry Run Keys / Startup Folder, Obfuscated Files or Information, Uncommonly Used Port, Windows Command Shell, Ingress Tool Transfer, Dynamic-link Library Injection