Palo Alto Networks Unit 42: Molerats targeted eight organizations in six different countries in the government, telecommunications, insurance and retail sectors with the Spark backdoor. The backdoor was spread through a spear-phishing campaign.
Molerats hackers targeted eight organizations in six different countries in the government, telecommunications, insurance and retail sectors with the Spark backdoor. The campaign was discovered by cyber security experts at Palo Alto Networks Unit 42. Between October 2019 and December 2019, the researchers observed multiple instances of phishing attacks likely related to the cyber espionage group, also known as Gaza Hackers Team and Gaza Cybergang. All of them involved spear-phishing emails delivering malicious documents that required the recipient to carry out some action. The social engineering techniques included lure images attempting to trick the user into enabling content so that a macro could run, and document contents threatening to release compromising pictures to the media in order to coerce the user into clicking a link that downloads the malware. In the majority of these attacks the payload was a backdoor called Spark, which allows the operators to open applications and run command-line commands on the compromised system.
According to the cyber security experts, Molerats has used Spark since at least 2017. The cyber espionage group has been in operation as far back as 2011, targeting government organizations around the world, and has largely been associated with attacks involving unauthorized access and sensitive data collection.
According to the cyber security experts, the Spark backdoor has been used by Molerats since at least 2017 and is associated with the Operation Parliament campaign, attributed to Gaza Cybergang. The malware delivered in one of the attacks appears to be related to JhoneRAT, which may suggest the threat group has added another custom payload to its toolset. The cyber espionage group has been in operation as far back as 2011, targeting government organizations around the world, and has largely been associated with attacks involving unauthorized access and sensitive data collection. The malicious hackers have been observed using a bevy of tactics and techniques, ranging from leveraging publicly available backdoor tools, such as PoisonIvy or XtremeRAT, to creating custom-developed ones such as KASPERAGENT and MICROPSIA. In the latest campaign, they relied primarily on social engineering and spear-phishing techniques for the initial infection vector, followed by multi-stage C2 servers for malware delivery.
The group (aka Gaza Hackers Team and Gaza Cybergang) used a variety of techniques to make detection and analysis difficult.
Unit 42 underlined that Molerats used a variety of techniques to make detection and analysis difficult, such as password-protecting the delivery documents, limiting execution of the Spark payload to systems with an Arabic keyboard and locale, and using the commercial packer Enigma to obfuscate the payloads. The Spark C2 channel also attempts to evade detection: the data in the HTTP POST requests and responses is encrypted using either 3DES or AES, with randomly generated keys that appear to be unique to each payload.