New espionage attack by Molerats APT targeting users in the Middle East

Introduction

In December 2021, the ThreatLabz research team identified several macro-based MS office files uploaded from Middle Eastern countries such as Jordan to OSINT sources such as VT. These files contained decoy themes related to geo-political conflicts between Israel and Palestine. Such themes have been used in previous attack campaigns waged by the Molerats APT.

During our investigation we discovered that the campaign has been active since July 2021. The attackers only switched the distribution method in December 2021 with minor changes in the .NET backdoor. In this blog, we will share complete technical analysis of the attack chain, the C2 infrastructure, threat attribution, and data exfiltration.

The targets in this campaign were chosen specifically by the threat actor and they included critical members of banking sector in Palestine, people related to Palestinian political parties, as well as human rights activists and journalists in Turkey.

ThreatLabz observed several similarities in the C2 communication and .NET payload between this campaign and the previous campaigns attributed to the Molerats APT group.

Additionally, we discovered multiple samples that we suspect are related to Spark backdoor. We have not added the analysis of these samples in this blog, but they were all configured with the same C2 server, which we have included in the IOCs section.
 

Threat attribution

We have attributed the attack to Molerats APT group based on following observations:

1. Use of open-source as well as commercial packers for the backdoor (ConfuserEx, Themida)
2. Targeting middle-east region
3. Using Dropbox API for entire C2 communication
4. Using RAR files for backdoor delivery as well as in later stages
5. Using other legit cloud hosting services like Google Drive to host the payloads
6. Overlap of domain SSL Certificate thumbprint observed on current attack infrastructure with domains used by Molerats APT group in the past
7. Overlap of Passive DNS resolution of domain observed on current attack infrastructure with the IP used by Molerats APT group in the past
 

Attack flow

Figure 1 below illustrates the new attack chain.

Figure 1: Attack chain
 

Decoy content

MD5: 46e03f21a95afa321b88e44e7e399ec3

Note: Please refer Appendix section for additional decoy contents
 

Technical analysis

For the purpose of technical analysis we will use the document with MD5: 46e03f21a95afa321b88e44e7e399ec3

[+] Stage-1: Macro code

The macro code is not complex or obfuscated. It simply executes a command using cmd.exe which in turn performs the following operations:

1. Executes a PowerShell command to download and drop the Stage-2 payload from the URL “http://45.63.49[.]202/document.html” to the path “C:\ProgramData\document.htm”.
2. Renames document.htm to servicehost.exe
3. Executes servicehost.exe

Figure 2 below shows the relevant macro code

Figure 2: Macro code

[+] Stage-2: servicehost.exe

# Static analysis

Based on static analysis, we can see that the binary is .NET-based  and is obfuscated using the ConfuserEx packer. It masquerades itself as a WinRAR application by using the icon and other resources (which also contains static strings) from the legit WinRAR application.

Figure 3: Shows the binary icon and other static information

# Dynamic analysis

The main function of the binary is the standard ConfuserEx function which is responsible for loading the runtime module "koi'' that is stored in encrypted form using a byte array. Once the module is loaded, the main function resolves the module's entry point function using the metadata token and invokes it by providing required parameters.

Figure 4: Code snippet loading the runtime module and invoking it’s entry point function

The runtime module ("koi") on analysis is found to be a backdoor. Before calling the main function of the module, the code from within the constructor is called which creates a new thread that regularly monitors the presence of a debugger.

Figure 5: Code snippet of debugger monitoring function

Once the debugger monitor thread is created we get the code execution flow to the main function of the module which ultimately leads to the backdoor execution. Within the main function the backdoor performs following operations:

1. Collects the machine manufacture and machine model information using WMI which is used for execution environment checks and is later exfiltrated to C2 server.
2. Checks if it should execute in the current execution environment.
3. Creates a mutex with the name of executing binary.
4. Checks if the mutex is created successfully.
5. Determines if it is executed for the first time using the registry key value "HKCU/Software/{name_of_executing_binary}/{name_of_executing_binary}". 
6. If the registry key doesn't exist, the code flow goes via a mouse check function which executes the code further only if it detects a change in either of the mouse cursor coordinates. In the end, the mouse check function also creates the same registry key.

Figure 6: Main function of backdoor

[+] Network communication

From the main function the final code flow reaches the function which starts the network communication. Since the backdoor uses Dropbox API for entire C2 communication and data exfiltration, it first extracts the primary Dropbox account token which is stored in encoded form within the binary. Figure 7 below describes the format and shows the encoded string that contains the Dropbox account token.

Figure 7: Encoded string

Executing further the backdoor collects the following information from victim machine:

1. Machine IP address: By making a network request to “https://api.ipify.org”
2. UserName: From the environment variable
3. HostName: Using the API call Dns.GetHostName()

The collected information is then processed and stored inside a variable named “UserInfo” by performing following operations:

1. Concatenation (IP+UserName+HostName)
2. Base64 string encode
3. Substitution (Substitute “=” with “1”)
4. String reverse

Next the backdoor sends following network requests in the specified sequence using the Dropbox API and correspondingly performs any required operations:

1. Create Folder:
 
Create a folder inside the root directory where the folder name is the value of UserInfo variable

Note: The created folder acts as a unique identifier for a machine considering the fact that the machine IP remains static.

2. Create File:

Create a file inside the newly created folder where the file name is the Machine IP and the data it stores is the information collected in Step-1 of the main function.

3. List Content:

List the content of victim specific folder and delete files where the file name length is 15

4. List Content:

List the content of root directory (which is attacker controlled) and extract the following information:

a) File name of any hosted RAR archive

b) File name of any hosted exe (Which is found to be the legitimate RAR command-line utility and is used to extract the downloaded RAR archive in case the machine doesn't already have any RAR archive supporting application)

c) File name of any hosted pdf or doc file (Used as decoy document)

d) File name of any non specific file type (Based on our analysis it contains the secondary Dropbox account token that is used for file exfiltration from victim machine)
   
Note: The above extracted information is stored locally and is used wherever required.

Finally, if the backdoor executed for the first time, it downloads and opens the hosted pdf or doc file and then calls two other functions where the first function creates a thread that continuously communicates with the Dropbox account to fetch and execute the C2 commands while the second function creates a thread that downloads and executes the RAR archive using the information extracted earlier.

[+] C2 Commands

The backdoor creates a file inside the victim specific folder on Dropbox which is used to fetch C2 commands. The file name is a random string of 15 characters.

The C2 commands have following format:

[command code]=[Command arguments separated using “^”]

The backdoor uses command codes instead of plaintext strings to determine the action to be performed.

Table below summarizes the supported command codes:
 

Command code	Action performed
1	Run specified command
2	Take snapshot and upload
3	Send list of files from specified directories
4	Upload files
5	Download and execute the RAR archive

C2 infrastructure analysis

While monitoring the IPs used during the current attack we observed the domain "msupdata.com" started to resolve to the IP 45.63.49[.]202 from 27-12-2021. We found two Historical SSL Certificates associated with this domain. Pivoting on the SSL Certificate with thumbprint "ec5e468fbf2483cab74d13e5ff6791522fa1081b" we found domains like "sognostudio.com", "smartweb9.com" and others which were all attributed to Molerats APT group during past attacks.

Additionally, the subdomain “www.msupdata.com” also has a Passive DNS resolution to IP 185.244.39[.]165 which is also associated with Molerats APT group in the past. 

Note: We didn't observe any activity related to the domain "msupdata.com" or it’s subdomain “www.msupdata.com” until this blog release.
 

Pivot on the Dropbox accounts

Based on our analysis at least five Dropbox accounts are being used by the attacker. While investigating the Dropbox accounts we found that the attacker used following information during account registration.

Note: Dropbox has confirmed the takedown of these accounts associated with the Molerats APT group.

Account 1:

Name: Adham gherbawi
Country: NL (Netherlands)
Email: adham.gharbawi@gmail[.]com

Account 2:

Name: alwatan voice
Country: NL (Netherlands)
Email: alwatanvoiceoffice@gmail[.]com

Account 3:

Name: adham gharbawi
Country: NL (Netherlands)
Email: adham.ghar.bawi@gmail[.]com

Account 4:

Name: pal leae
Country: PS (Palestine)
Email: palinfoarabic@gmail[.]com

Account 5:

Name: pla inod
Country: PS (Palestine)
Email: palinfo.arabic@gmail[.]com

Also, while analyzing the exfiltrated data from Dropbox accounts we found a screenshot of the attacker machine which was likely uploaded while the attacker was testing the malware. We correlated a number of artifacts and patterns with the file names visible from the snapshot to those used during the real attack. Moreover, from the snapshot the attacker seems to be using a simple GUI application to sync with the Dropbox account and display the victims list. In the victims list, the user name "mijda" is also present which matches with the name of document creator “mij daf” for all the documents we found during this attack.

Figure 8: Screenshot of attacker machine

Additionally, we discovered that the attacker machine was configured with the IP 185.244.39[.]105 which is located in the Netherlands and is associated with the VPS service provider "SKB Enterprise B.V.". Interestingly, this IP (185.244.39[.]105) is also located in the same subnet as the IP 185.244.39[.]165 which was used for C2 communication and domain hosting in the past by Molerats APT group.
 

Pivot on Google drive link

Since the attacker also used Google Drive to host the payload in one of the attack chains, we tried to identify the associated Gmail account. Based on our analysis the attacker used following information for Gmail account:

Account name: Faten Issa
Email: issafaten584@gmail[.]com
 

Old attack chain

As per our analysis the old attack chain was used from 13th July 2021(Start of campaign) to 13th Dec 2021.

Figure 9 below illustrates the old attack chain.

Figure 9: Attack chain

The major difference between the new attack chain and the old attack chain is seen in the backdoor delivery. Although we are not sure how these RAR/ZIP files were delivered but considering the past attacks they were likely delivered using Phishing PDFs. Additionally, we found a minor variation in the way the backdoor extracted the primary Dropbox account token. In the old attack chain the backdoor fetched the encoded string containing the primary Dropbox account token from attacker-hosted content on “justpaste.it”. Figure 10 below shows the attacker-hosted encoded string that contains the Dropbox account token and also describes the corresponding format.


Figure 10: Attacker-hosted encoded string
 

Zscaler Sandbox Detection

[+] Detection of the macro-based Document

[+] Detection of the macro-based PowerPoint file

[+] Detection of the payload



In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to Molerats APT group at various levels.

• Win32.Trojan.MoleratsAPT
• PDF.Trojan.MoleRatsAPT

MITRE ATT&CK TTP Mapping

ID	Tactic	Technique
T1566.001	Spear phishing Attachment	Uses doc based attachments with VBA macro
T1204.002	User Execution: Malicious File	User opens the document file and enables the VBA macro
T1059.001	Command and Scripting interpreter: PowerShell	VBA macro launches PowerShell to download and execute the payload
T1140	Deobfuscate/Decode Files or Information	Strings and other data are obfuscated in the payload
T1082	System Information Discovery	Sends processor architecture and computer name
T1083	File and Directory Discovery	Upload file from the victim machine
T1005	Data from Local System	Upload file from victim machine
T1567.002	Exfiltration to Cloud Storage	Data is uploaded to Dropbox via api
T1113	Screen capture	The C2 command code "2" corresponds to taking a screenshot and uploading to attacker-controlled Dropbox account

 

Indicators of compromise

[+] Hashes
 

[+] Download URLs
 

Component	URL
Template	https://drive.google[.]com/uc?export=download&id=1xwb99Q7duf6q7a-7be44pCk3dU9KwXam
Exe	http://45.63.49[.]202/document.html http://23.94.218[.]221/excelservice.html http://45.63.49[.]202/doc.html http://45.63.49[.]202/gabha.html

[+] Molerats associated IPs

45.63.49[.]202
23.94.218[.]221
185.244.39[.]165

[+] Molerats associated domains

msupdata[.]com
www.msupdate[.]com

# Spark backdoor

bundanesia[.]com

[+] File system artifacts

# Dropped binary

C:\ProgramData\servicehost.exe 
{current_working_directory}\su.exe
 

Appendix

MD5: 5c87b653db4cc731651526f9f0d52dbb

MD5: 105885d14653932ff6b155d0ed64f926

MD5: e72d18b78362e068d0f3afa040df6a4c