Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Преступная группа Molerats
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Преступная группа
Molerats
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Molerats

Molerats is an Arabic-speaking, politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States.(Citation: DustySky)(Citation: DustySky2)(Citation: Kaspersky MoleRATs April 2019)(Citation: Cybereason Molerats Dec 2020)
ID: G0021
Associated Groups: Operation Molerats, Gaza Cybergang
Version: 2.0
Created: 31 May 2017
Last Modified: 27 Apr 2021

Associated Group Descriptions
Name Description
Operation Molerats (Citation: FireEye Operation Molerats)(Citation: Cybereason Molerats Dec 2020)
Gaza Cybergang (Citation: DustySky)(Citation: Kaspersky MoleRATs April 2019)(Citation: Cybereason Molerats Dec 2020)

Techniques Used
Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Molerats saved malicious files within the AppData and Startup folders to maintain persistence.(Citation: Kaspersky MoleRATs April 2019)
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Molerats used PowerShell implants on target machines.(Citation: Kaspersky MoleRATs April 2019)
.005 Command and Scripting Interpreter: Visual Basic

Molerats used various implants, including those built with VBScript, on target machines.(Citation: Kaspersky MoleRATs April 2019)(Citation: Unit42 Molerat Mar 2020)

.007 Command and Scripting Interpreter: JavaScript

Molerats used various implants, including those built with JS, on target machines.(Citation: Kaspersky MoleRATs April 2019)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Molerats used the public tool BrowserPasswordDump10 to dump passwords saved in browsers on victims.(Citation: DustySky)
Enterprise T1566 .001 Phishing: Spearphishing Attachment

Molerats has sent phishing emails with malicious Microsoft Word and PDF attachments.(Citation: Kaspersky MoleRATs April 2019)(Citation: Unit42 Molerat Mar 2020)(Citation: Cybereason Molerats Dec 2020)
.002 Phishing: Spearphishing Link

Molerats has sent phishing emails with malicious links included.(Citation: Kaspersky MoleRATs April 2019)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Molerats has created scheduled tasks to persistently run VBScripts.(Citation: Unit42 Molerat Mar 2020)
Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Molerats has used forged Microsoft code-signing certificates on malware.(Citation: FireEye Operation Molerats)
Enterprise T1218 .007 System Binary Proxy Execution: Msiexec

Molerats has used msiexec.exe to execute an MSI payload.(Citation: Unit42 Molerat Mar 2020)

Enterprise T1204 .001 User Execution: Malicious Link

Molerats has sent malicious links via email trick users into opening a RAR archive and running an executable.(Citation: Kaspersky MoleRATs April 2019)(Citation: Unit42 Molerat Mar 2020)

.002 User Execution: Malicious File

Molerats has sent malicious files via email that tricked users into clicking Enable Content to run an embedded macro and to download malicious archives.(Citation: Kaspersky MoleRATs April 2019)(Citation: Unit42 Molerat Mar 2020)(Citation: Cybereason Molerats Dec 2020)

Software
ID Name References Techniques
S0543 Spark (Citation: Cybereason Molerats Dec 2020) (Citation: Unit42 Molerat Mar 2020) Software Packing, System Language Discovery, Windows Command Shell, Standard Encoding, System Information Discovery, User Activity Based Checks, System Owner/User Discovery, Deobfuscate/Decode Files or Information, Exfiltration Over C2 Channel, Web Protocols
S0546 SharpStage (Citation: BleepingComputer Molerats Dec 2020) (Citation: Cybereason Molerats Dec 2020) Windows Command Shell, Scheduled Task, Registry Run Keys / Startup Folder, Web Service, Screen Capture, PowerShell, Ingress Tool Transfer, System Information Discovery, Deobfuscate/Decode Files or Information, System Language Discovery, Windows Management Instrumentation
S0547 DropBook (Citation: BleepingComputer Molerats Dec 2020) (Citation: Cybereason Molerats Dec 2020) Python, Windows Command Shell, File and Directory Discovery, Web Service, Exfiltration Over Web Service, Ingress Tool Transfer, Deobfuscate/Decode Files or Information, System Language Discovery, System Information Discovery
S0062 DustySky (Citation: DustySky) (Citation: DustySky2) (Citation: Kaspersky MoleRATs April 2019) Web Protocols, Software Discovery, File Deletion, Replication Through Removable Media, Obfuscated Files or Information, System Shutdown/Reboot, Archive via Utility, Exfiltration Over C2 Channel, Keylogging, Peripheral Device Discovery, Windows Management Instrumentation, Local Data Staging, Registry Run Keys / Startup Folder, Screen Capture, Security Software Discovery, Lateral Tool Transfer, Fallback Channels, System Information Discovery, Process Discovery, File and Directory Discovery
S0553 MoleNet (Citation: Cybereason Molerats Dec 2020) System Information Discovery, Windows Command Shell, PowerShell, Registry Run Keys / Startup Folder, Windows Management Instrumentation, Ingress Tool Transfer, Security Software Discovery
S0012 PoisonIvy (Citation: Breut) (Citation: Darkmoon) (Citation: DustySky) (Citation: DustySky2) (Citation: FireEye Operation Molerats) (Citation: FireEye Poison Ivy) (Citation: Novetta-Axiom) (Citation: Poison Ivy) (Citation: Symantec Darkmoon Aug 2005) (Citation: Symantec Darkmoon Sept 2014) (Citation: Symantec Elderwood Sept 2012) Windows Service, Modify Registry, Uncommonly Used Port, Registry Run Keys / Startup Folder, Obfuscated Files or Information, Keylogging, Active Setup, Dynamic-link Library Injection, Local Data Staging, Windows Command Shell, Ingress Tool Transfer, Symmetric Cryptography, Data from Local System, Application Window Discovery, Rootkit

References

  1. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
  2. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
  3. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  4. Villeneuve, N., Haq, H., Moran, N. (2013, August 23). OPERATION MOLERATS: MIDDLE EAST CYBER ATTACKS USING POISON IVY. Retrieved April 1, 2016.
  5. Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020.
  6. ClearSky Cybersecurity. (2016, June 9). Operation DustySky - Part 2. Retrieved August 3, 2016.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.