Not all RAT-wielding attackers come from China, say FireEye researchers. For over a year they have been following the activities of a group of hackers that uses the Poison Ivy and Xtreme RATs and targets financial institutions, government organizations and surveillance targets in the US, UK, Europe and the Middle East.
Dubbed Molerats, the group has been running these attacks since late 2011.
“Previous Molerats campaigns have used several garden-variety, freely available backdoors such as CyberGate and Bifrost, but, most recently, we have observed them making use of the PIVY and Xtreme RATs,” the researchers shared.
“Previous campaigns made use of at least one of three observed forged Microsoft certificates, allowing security researchers to accurately tie together separate attacks even if the attacks used different backdoors. There also appears to be a habitual use of lures or decoy documents – in either English or Arabic-language – with content focusing on active conflicts in the Middle East. The lures come packaged with malicious files that drop the Molerats’ flavor of the week, which happen to all be Xtreme RAT binaries in these most recent campaigns.”
In the campaigns spotted over the past month or so, the targets have been numerous and disparate: government departments in Israel, Turkey, Slovenia, Macedonia, New Zealand, Latvia, the US and the UK; the BBC; a number of European government organizations; a large US financial institution; and Palestinian and Israeli surveillance targets.
The C&C infrastructure is the same one used in previous campaigns, and the attackers' modus operandi is similar: victims receive spear-phishing emails carrying a link to (rather than an attachment containing) a binary that opens a decoy Word document while installing a RAT in the background.
The Word document is usually politically themed. In the latest campaigns it typically concerns Egyptian Major General Hossam Sweilem, former Egyptian military chief Abdel Fattah el-Sisi, the Palestinian question, and other Middle Eastern conflicts.
The RAT binary often carries an innocuous-looking name such as Chrome.exe, Download.exe or AVG.exe.
What's curious is that all of these decoy documents have Chinese characters in the title, yet the entire body of the document is written in Arabic. The researchers posit that this is a "poor attempt to frame China-based threat actors for these attacks." Some of the RAT binaries are signed and some are not; given the forged Microsoft certificates seen in earlier campaigns, the mere presence of a signature says nothing about legitimacy until the signer and certificate chain are actually checked.
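The two tells described above, a RAT running under a borrowed product name from a location where that product is never installed and then spawning Word to show the decoy, and a decoy whose title is Chinese while its body is Arabic, both lend themselves to simple detection heuristics. The script below is an added example written for this article, not FireEye's code or tooling; the process-creation events, document title and body are constructed samples, and the expected install directories and user-writable paths are assumptions about a typical Windows layout.

```python
"""Heuristics for the Molerats tradecraft described in the article:
(1) a binary named after a well-known product (Chrome.exe, AVG.exe) that runs from a
    user-writable directory instead of the product's install path and then opens Word;
(2) a decoy document whose title is dominated by CJK characters while the body is Arabic.
All sample data below is constructed for illustration, not real telemetry."""
import ntpath
import unicodedata

# Assumed directory fragments where the genuine binaries live on a typical Windows host.
EXPECTED_LOCATIONS = {
    "chrome.exe": (r"\google\chrome\application",),
    "avg.exe": (r"\program files\avg", r"\program files (x86)\avg"),
}
# Assumed locations a spear-phished download commonly executes from.
USER_WRITABLE = (r"\appdata\local\temp", r"\downloads", r"\appdata\roaming", r"\users\public")
OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe")


def is_masquerading_binary(image_path):
    """True if the file name borrows a known product name but the image is not in
    any directory where that product is expected to be installed."""
    path = image_path.lower()
    expected = EXPECTED_LOCATIONS.get(ntpath.basename(path))
    return expected is not None and not any(frag in path for frag in expected)


def runs_from_user_writable(image_path):
    path = image_path.lower()
    return any(frag in path for frag in USER_WRITABLE)


def flag_process_events(events):
    """Score process-creation events (dicts with 'parent', 'image', 'signed').
    Returns {image_path: [reasons]} for every image that was flagged."""
    flagged = {}
    for ev in events:
        reasons = []
        if is_masquerading_binary(ev["image"]):
            reasons.append("name mimics an installed product but path does not match")
        if runs_from_user_writable(ev["image"]):
            reasons.append("executes from a user-writable directory")
        if reasons and not ev.get("signed", False):
            reasons.append("unsigned")
        if reasons:
            flagged.setdefault(ev["image"], []).extend(reasons)
    # A flagged binary that then launches an Office application is the
    # dropper-plus-decoy-document pattern described in the article.
    for ev in events:
        child = ntpath.basename(ev["image"]).lower()
        if ev["parent"] in flagged and child in OFFICE_APPS:
            flagged[ev["parent"]].append("spawned %s (decoy document pattern)" % child)
    return flagged


def dominant_script(text):
    """Return the most frequent script ('CJK', 'ARABIC', 'LATIN', 'OTHER') among
    the alphabetic characters of text, or None if it has none."""
    counts = {}
    for ch in text:
        if not ch.isalpha():
            continue
        uname = unicodedata.name(ch, "")
        if uname.startswith("CJK"):
            script = "CJK"
        elif uname.startswith("ARABIC"):
            script = "ARABIC"
        elif uname.startswith("LATIN"):
            script = "LATIN"
        else:
            script = "OTHER"
        counts[script] = counts.get(script, 0) + 1
    return max(counts, key=counts.get) if counts else None


def title_body_mismatch(title, body):
    """The specific oddity the researchers noticed: CJK title over an Arabic body."""
    return dominant_script(title) == "CJK" and dominant_script(body) == "ARABIC"


# Constructed sample telemetry: a download masquerading as Chrome runs from %TEMP%,
# opens Word for the decoy, while the real Chrome runs from its install directory.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "image": r"C:\Users\bob\AppData\Local\Temp\Chrome.exe", "signed": False},
    {"parent": r"C:\Users\bob\AppData\Local\Temp\Chrome.exe",
     "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE", "signed": True},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "signed": True},
]
SAMPLE_TITLE = "报告"                       # constructed CJK title
SAMPLE_BODY = "تقرير عن الوضع في المنطقة"   # constructed Arabic body

if __name__ == "__main__":
    for image, reasons in flag_process_events(SAMPLE_EVENTS).items():
        print(image, "->", "; ".join(reasons))
    print("title/body script mismatch:", title_body_mismatch(SAMPLE_TITLE, SAMPLE_BODY))
```

The path heuristics are deliberately loose (substring matches on lowercased paths) so they survive per-user Chrome installs under AppData; tighten them to your own software inventory before using them for alerting, and treat "unsigned" only as a supporting signal, since the earlier campaigns show that a signature can be forged.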
"Molerats campaigns seem to be limited to only using freely available malware; however, their growing list of targets and increasingly evolving techniques in subsequent campaigns are certainly noteworthy," the researchers noted. They also pointed out that the attackers are likely aware of the security researchers' interest in and investigation of their attacks, as they are trying not to use any "obvious, repeating patterns that could be used to more easily track endpoints infected with their malware."
The Molerats attacks have previously been linked to members of the "Gaza Hackers Team."