Palestinian hacking group evolving with new malware, researchers say
A Palestinian-aligned hacking group has targeted Middle Eastern governments, foreign policy think tanks and a state-affiliated airline with a new malware implant as part of “highly targeted intelligence collection campaigns,” according to research published Tuesday.
The findings, from researchers with cybersecurity firm Proofpoint, unpack the latest activities of an established and well-documented Arabic-speaking hacking group known as MoleRATs and its deployment of a new intelligence-gathering trojan they call “NimbleMamba.”
NimbleMamba is an intelligence-gathering trojan that, according to the researchers, is likely designed to establish initial access to a target system.
The group has gone after targets worldwide over the years, but Tuesday’s research examines campaigns against an unnamed Middle East government, foreign policy think tanks and a state-affiliated airline starting in August 2021 and continuing into January 2022.
The operators behind MoleRATs — also known as TA402 — are “evolving their techniques and creating these very nicely done, specific and well-targeted campaigns,” Sherrod DeGrippo, Proofpoint’s vice president for threat research and detection, told CyberScoop.
In June 2021 Proofpoint researchers analyzed MoleRATs malware known as LastConn, which was designed to gain access and conduct information gathering activities. After that publication, “TA402 appeared to halt its activities for a short period of time, almost certainly to retool,” the researchers say in the new report.
After the retooling, the group began to use NimbleMamba and another piece of malware Proofpoint calls BrittleBush, which is likely an updated version of malware first reported by cybersecurity firm Cybereason in 2020 known as SharpStage.
Custom lures and more
The latest operations delivered malware to targets in one of several ways. In November 2021 the hackers masqueraded as the Quora website. If the target system’s IP address resolved to one of roughly two dozen geofenced country codes, the user was redirected to a domain that served the NimbleMamba malware. If not, the user was redirected to a legitimate news site.
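The geofencing step matters to defenders because an analyst or sandbox fetching the lure from outside the targeted countries only ever sees the benign redirect. The following is an added example, not code from Proofpoint or from the campaign: it simulates a geofenced redirect server and a defender-side check that fetches the same URL from several vantage points and flags divergent responses. The GeoIP table, country codes and URLs are constructed placeholders, not indicators from the report.

```python
"""Simulated geofenced lure delivery and a differential check for it.

Added example; all networks, country codes and URLs below are hypothetical.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, Optional

# Constructed stand-in for a GeoIP lookup (documentation ranges, made-up codes).
GEOIP = {
    ip_network("203.0.113.0/24"): "AA",
    ip_network("198.51.100.0/24"): "BB",
    ip_network("192.0.2.0/24"): "ZZ",
}

# Hypothetical allow-list standing in for the campaign's ~two dozen country codes.
GEOFENCE = {"AA", "BB"}

PAYLOAD_URL = "https://payload.example/stage"  # placeholder malware host
DECOY_URL = "https://news.example/"            # placeholder legitimate news site


def country_for(ip: str) -> Optional[str]:
    """Map a client IP to a country code using the constructed GEOIP table."""
    addr = ip_address(ip)
    for net, code in GEOIP.items():
        if addr in net:
            return code
    return None  # unknown origin: treated as outside the geofence


def lure_redirect(client_ip: str) -> str:
    """Location header a geofenced lure server would send to this client."""
    return PAYLOAD_URL if country_for(client_ip) in GEOFENCE else DECOY_URL


def probe_from_vantage_points(ips: Iterable[str]) -> Dict[str, str]:
    """Defender-side check: request the lure from several egress IPs.

    Here the request is simulated by calling lure_redirect() directly; in
    practice each entry would be the Location header observed from that
    vantage point.
    """
    return {ip: lure_redirect(ip) for ip in ips}


def is_geofenced(results: Dict[str, str]) -> bool:
    """True when different vantage points received different redirects."""
    return len(set(results.values())) > 1


if __name__ == "__main__":
    # A sandbox egressing from the out-of-scope range sees only the decoy.
    print(lure_redirect("192.0.2.10"))
    # Comparing an in-scope and an out-of-scope vantage point exposes the gate.
    seen = probe_from_vantage_points(["203.0.113.7", "192.0.2.10"])
    print(seen, "geofenced:", is_geofenced(seen))
```

The practical takeaway is that a single detonation from one egress point cannot distinguish a dead link from a geofenced one; detonating from an in-region egress, or at least from two regions and diffing the responses, is what reveals the payload path.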
Another campaign, in December 2021, used target-specific lures such as medical information or confidential geopolitical material, and served malware from Dropbox URLs. The hackers also used the popular file-sharing service for command and control, according to Proofpoint; Dropbox took “the needed actions for neutralizing the activity” once notified by Proofpoint.
A third campaign, taking place between December 2021 and January 2022, again used custom lures for each target but delivered the malware through a hacker-controlled WordPress URL. Like the November 2021 campaign, the hacker-controlled URL only served the malware to targets within certain countries.
NimbleMamba contains “multiple capabilities designed to complicate both automated and manual analysis,” the researchers wrote, which led them to conclude that the malware is “actively being developed, is well-maintained, and designed for use in highly targeted intelligence collection campaigns.”
DeGrippo noted that the campaigns in question showed MoleRATs creating custom attacks for specific targets, rather than generic lures for multiple targets at once. That suggests the group doesn’t have the resources to do it at scale, so they’re “going in and handcrafting these specifically for each of these targets, which means those targets are probably very valuable for them.”
Tuesday’s Proofpoint analysis comes a week after researchers with Cisco’s Talos threat intelligence division published research on Arid Viper, a separate hacking group allegedly working in service of Palestinian espionage and information gathering. That research painted a picture of a group that, while not “a technically evolved actor,” was sufficiently talented and motivated that it was “particularly dangerous to organizations that may come into [its] crosshairs.”
The Talos researchers concluded that the Arid Viper activity was an example of a group that’s “becoming more dangerous” over time as it evolves and refines its tools against its adversaries.
While not commenting on the specifics of Talos’ research, DeGrippo agreed that the various Palestinian-aligned groups were a growing threat. “That region is growing in its capabilities, talent, and their evolution is accelerating,” DeGrippo said.