One Article Review

Source: AlienVault Blog
Identifier: 1501589
Publication date: 2020-01-15 14:00:00 (viewed: 2020-01-17 11:04:57)
Title: Alien Labs 2019 Analysis of Threat Groups Molerats and APT-C-37
Text:

In 2019, several industry analyst reports confused the threat groups Molerats and APT-C-37 because of their similarities, which has led to confusion and inaccurate attribution. For example, both groups target the Middle East and North Africa region (with a special emphasis on the Palestinian territories), and both approach victims through phishing emails that carry decoy documents (mostly in Arabic) themed around the political situation in the area. To improve understanding of the differences and similarities between the two groups (as well as the links between them), we at Alien Labs™ are providing an analysis of their 2019 activity.

[Figure: Arabic spear-phishing example. A recent spear-phishing document from Molerats.]

APT-C-37 Overview

APT-C-37, also known as Pat-Bear or the Syrian Electronic Army (SEA), was first seen in October 2015 targeting members of a terrorist organization. Since 2015, however, APT-C-37 has broadened its objectives to include government agencies, armed forces leadership, media organizations, political activists, and diplomats. The group mostly targets victims in Western countries, with the intent of defacing their websites and social media accounts and leaving a public footprint after hacking a victim. In previous attacks, APT-C-37 targeted Windows and Android systems using popular commercial remote access trojans (RATs) such as DroidJack, SpyNote, njRAT, SSLove, and H-Worm.

Technical Analysis: APT-C-37 2019

June 2019: APT-C-37 released an Android app named after the instant messaging software "WhatsApp" as an espionage tool, reportedly to spy on Syrian opposition forces. The app was capable of installing the SSLove RAT to pull private information from the phone and exfiltrate it to a remote location.

Molerats Overview

Molerats has been present in the cybercriminal landscape since 2012. In an analysis released earlier this year by Kaspersky's GReAT (Global Research & Analysis Team) on the Gaza Hacker Team and its various subgroups, Kaspersky concluded that Molerats is Gaza Cybergang "Group1." The report also concluded that Molerats (i.e. Gaza Cybergang Group1) operates with a lower level of sophistication than the other groups within the Gaza Hacker Team. In addition, a 2016 article in SecurityWeek reported that one of Molerats' campaigns (October 2016) heavily used popular RATs such as njRAT and H-Worm (aka Houdini).

Technical Analysis: Molerats 2019

October 2019: Molerats' October operation was distributed as a phishing campaign in the Middle East. Emails included a Microsoft Word attachment titled "Daily report on the most important Palestinian developments for the day 9-9-2019.doc", with content that spoke to the political situation in Palestine. When a victim opened the attachment, the malware performed the following: displayed the Microsoft Word doc
Tags: Malware, Tool, Threat, Guideline
Stories: APT-C-23


The article does not appear to have been republished after its publication.


The article does not appear to be a republication of an earlier one.