Insights, news, education and announcements from PolySwarm

PolySwarm Threat Bulletin: Molerats NimbleMamba Espionage Campaign Targeting MENA Countries

Written by PolySwarm Tech Team | Feb 16, 2022 7:55:24 PM


Background

Proofpoint recently posted their findings on a Molerats espionage campaign leveraging a new implant dubbed NimbleMamba. In this campaign, Molerats employed a complex attack chain that uses a combination of geofencing and URL redirects to legitimate sites to evade detection. Targets of this campaign included Middle Eastern governments, foreign policy think tanks, and an airline.

Who are the Molerats?

Molerats, also known as TA402, Extreme Jackal, and Gaza Cyber Gang, is reportedly a Palestinian aligned threat actor group based in the Gaza region that primarily targets entities in the Middle East and North Africa (MENA). In the past, industry researchers have linked Molerats to the Hamas terrorist organization. The group has been active since at least 2012 and is known for espionage campaigns. Molerats TTPs include phishing, malicious macros, social engineering, voice changing software, BadPatch, Downeks, DropBook, DustySky, H-Worm, Molerat Loader, njRAT, Poison Ivy, QuasarRAT, XtremeRAT, LastConn, and others. Proofpoint calls Molerats a persistent threat to entities in the Middle East and notes the group frequently updates its TTPs. NimbleMamba was likely developed as a replacement for Molerats previously used tool, LastConn.

Details

Proofpoint first discovered this Molerats campaign in late 2021, observing a complex attack chain targeting multiple entities including an airline, foreign policy think tanks, and Middle Eastern governments. They note the campaign may have been active as early as August 2021. Proofpoint observed three variations of the espionage campaign using NimbleMamba:

  • In variation one, Molerats leveraged an actor-controlled Gmail account and domain for a phishing campaign and masqueraded as the Quora website. The emails contained a malicious URL, which leveraged geofencing to target specific regions. A user in the targeted region would be redirected to a RAR file containing the NimbleMamba implant. Users not in the targeted region were instead redirected to a benign news site. 
  • In variation two, Molerats used multiple phishing themes, including medical-related clickbait and lures promising disclosure of confidential geopolitical information. Molerats used a threat actor-controlled Gmail account, using Dropbox to host the NimbleMamba RAR, as well as for malware C2. Since they did not use an actor-controlled domain, they were unable to employ geofencing.
  • In variation three, Molerats continued to use customized lures and used an actor-controlled WordPress site masquerading as a news aggregator. Molerats were again able to use geofencing, with users in the targeted region being redirected to the NimbleMamba RAR and those outside the region being redirected to a benign news site.
The campaign’s target region includes Kuwait, Egypt, Israel, Saudi Arabia, Iran, UAE, Tunisia, Algeria, Syria, Qatar, Jordan, Oman, Palestine, Lebanon, Libya, South Sudan, Iraq, Yemen, Bahrain, and Morocco. It also targets all computers with an Arabic language pack installed. Each variation of the campaign resulted in users in the targeted region being redirected to a RAR containing NimbleMamba. In some cases, the RAR also contained an additional trojan, BrittleBrush.

NimbleMamba is written in C#, uses base64 encoding within the C2 framework, and uses the Dropbox API for C2 communication and data exfiltration. It is delivered as an obfuscated .NET executable, created using the SmartAssembly obfuscator. It is apparently written for espionage purposes and for gaining initial access to a target’s machine. Some of NimbleMamba's functions include screenshot capture, obtaining process information, and detecting user actions. It also performs a virtual machine check in an attempt to thwart analysis.

Its configuration is retrieved from a paste on JustPasteIt, using the current timestamp to generate a JustPasteIt URL. The generated paste contains an obfuscated Dropbox account API auth key and a password for the RAR file that is later dropped into a Dropbox folder. NimbleMamba then uses the victim’s IP address and computer name and a custom algorithm to create a string to use as the folder name on Dropbox. The malware communicates with Dropbox to retrieve the RAR, as well as a decoy file, which is usually a PDF or Office document. It then retrieves the RAR file password and extracts file contents.

IOCs

PolySwarm has multiple samples associated with this Molerats campaign.

Hashes

430c12393a1714e3f5087e1338a3e3846ab62b18d816cc4916749a935f8dab44 (NimbleMamba)

C61fcd8bed15414529959e8b5484b2c559ac597143c1775b1cec7d493a40369d (NimbleMamba)

925aff03ab009c8e7935cfa389fc7a34482184cc310a8d8f88a25d9a89711e86 (NimbleMamba)

2e4671c517040cbd66a1be0f04fb8f2af7064fef2b5ee5e33d1f9d347e4c419f (BrittleBrush)

 


Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports