Rewterz Threat Update
January 26, 2022
Severity
High
Analysis Summary
Molerats APT – also known as Moonlight, Extreme Jackal, and Gaza Hackers Team – has been active since 2012. The group made headlines that year with a cyberattack against the Israeli government; its targeting later expanded to Palestine, the U.S., and the UK. Molerats is a politically motivated nation-state actor conducting cyber espionage with three new malware variants:
- SharpStage Backdoor
- DropBook backdoor
- MoleNet Downloader
Molerats uses Dropbox, Google Drive, and other legitimate services to host and deliver spyware for cyber espionage in the Middle East.
Their lures are Arabic-language documents about the Palestinian conflict with Israel; each carries a macro that executes a PowerShell command to fetch the malware.
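The macro-to-PowerShell hand-off described above is visible in endpoint telemetry as an Office process spawning a script interpreter. The following detection logic is an added example written for this page, not Rewterz's or the group's code: it classifies constructed Sysmon-style process-creation records (the field names, the parent/child process lists, and the command-line fragments it looks for are this example's own assumptions) and rates an Office-spawned interpreter higher when the command line carries download or encoding markers.

```python
import json

# Office hosts that carry macros, and the script interpreters a macro typically
# hands off to. These lists are this example's assumptions, not from the advisory.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe",
                   "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line fragments typical of a fetch-and-run stage; tuple order is report order.
SUSPICIOUS_ARGS = ("downloadstring", "downloadfile", "invoke-webrequest",
                   "frombase64string", "-encodedcommand", "-enc", "hidden")


def image_name(path):
    """Lower-cased file name of a Windows image path such as C:\\...\\WINWORD.EXE."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event):
    """Return an alert dict for an Office -> script-interpreter spawn, else None."""
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in SCRIPT_CHILDREN:
        return None
    cmd = event.get("CommandLine", "").lower()
    indicators = [frag for frag in SUSPICIOUS_ARGS if frag in cmd]
    return {
        "host": event.get("Computer"),
        "user": event.get("User"),
        "parent": parent,
        "child": child,
        "indicators": indicators,
        # Any Office -> interpreter spawn is worth a look; download/encoding
        # markers on the command line raise it to high.
        "severity": "high" if indicators else "medium",
    }


def detect(events):
    """Run classify() over an iterable of events and keep the alerts."""
    return [a for a in (classify(e) for e in events) if a]


# Constructed Sysmon-style process-creation records (Event ID 1 fields); not real telemetry.
SAMPLE_EVENTS = [
    {"Computer": "ws01", "User": "CORP\\analyst",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden "
                    "-EncodedCommand <BASE64_PLACEHOLDER>"},
    {"Computer": "ws02", "User": "CORP\\jdoe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c set"},
    {"Computer": "ws03", "User": "CORP\\admin",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
    {"Computer": "ws01", "User": "CORP\\analyst",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "Image": "C:\\Windows\\splwow64.exe",
     "CommandLine": "C:\\Windows\\splwow64.exe 12288"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Only the first two records are reported: the Word-spawned hidden, encoded PowerShell as high, the Outlook-spawned cmd.exe as medium. PowerShell launched from Explorer and Word launching the print spooler helper are left alone, which is the baseline behaviour this rule relies on to keep noise down.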
Impact
- Data Exfiltration
- Cyber Espionage
- Political and Economic Loss
Indicators of Compromise
Filename
- Challenge35[.]exe
- Sysinternals[.]exe
MD5
- 535b08cfd5bb887fda074d3ff3e5f34f
- c4f9f49b9a467d66dcf8f6a5ce0f3c6a
- 10db60d3ed8408d5b0be71dca7c4eb69
SHA-256
- 430c12393a1714e3f5087e1338a3e3846ab62b18d816cc4916749a935f8dab44
- 2a9857f5b247488166e25d42f819459e685b3556e4f9ba0a052ba6b3c6c2fa4f
- b2260d530f51b2289e2c64579eb53c4c9ce0c9ee3c850e57e90296968fd9625e
SHA-1
- ad09a95386db11d2f90c4d5bb423a9af276619b7
- 2de729828bbcde6c0e1fd2d20150ede12a075070
- 2df93325837e7fdfe10d1ddd13d64599e741d582
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Search for IOCs in your environment.
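"Search for IOCs in your environment" in practice means sweeping file systems for the published names and hashes. The script below is an added example, not Rewterz's tooling: it embeds the indicators listed above exactly as published (refanging the `[.]` in the filenames), hashes every file under a root once for MD5, SHA-1 and SHA-256, and reports each match with the reason. The `demo()` function builds a throwaway directory with a constructed decoy file and adds that decoy's own SHA-256 to the published set so the sweep has something to find offline; the decoy content and paths are made up here.

```python
import hashlib
import os
import tempfile

# Indicators exactly as published in the advisory above (filenames are defanged).
IOC_FILENAMES = {"Challenge35[.]exe", "Sysinternals[.]exe"}
IOC_MD5 = {
    "535b08cfd5bb887fda074d3ff3e5f34f",
    "c4f9f49b9a467d66dcf8f6a5ce0f3c6a",
    "10db60d3ed8408d5b0be71dca7c4eb69",
}
IOC_SHA1 = {
    "ad09a95386db11d2f90c4d5bb423a9af276619b7",
    "2de729828bbcde6c0e1fd2d20150ede12a075070",
    "2df93325837e7fdfe10d1ddd13d64599e741d582",
}
IOC_SHA256 = {
    "430c12393a1714e3f5087e1338a3e3846ab62b18d816cc4916749a935f8dab44",
    "2a9857f5b247488166e25d42f819459e685b3556e4f9ba0a052ba6b3c6c2fa4f",
    "b2260d530f51b2289e2c64579eb53c4c9ce0c9ee3c850e57e90296968fd9625e",
}


def refang(name):
    """Turn a defanged indicator such as 'Challenge35[.]exe' back into the real name."""
    return name.replace("[.]", ".")


def hash_file(path, chunk_size=1 << 20):
    """Return (md5, sha1, sha256) hex digests, reading the file once in chunks."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


def sweep(root, filenames=IOC_FILENAMES, md5s=IOC_MD5, sha1s=IOC_SHA1, sha256s=IOC_SHA256):
    """Walk `root` and report every file whose name or any hash matches an indicator."""
    names = {refang(n).lower() for n in filenames}
    md5s = {h.lower() for h in md5s}
    sha1s = {h.lower() for h in sha1s}
    sha256s = {h.lower() for h in sha256s}
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                md5, sha1, sha256 = hash_file(path)
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the sweep
            reasons = []
            if fn.lower() in names:
                reasons.append("filename")
            if md5 in md5s:
                reasons.append("md5")
            if sha1 in sha1s:
                reasons.append("sha1")
            if sha256 in sha256s:
                reasons.append("sha256")
            if reasons:
                findings.append({"path": path, "reasons": reasons, "sha256": sha256})
    return findings


def demo():
    """Constructed demonstration: one decoy that matches by name and by a SHA-256 we
    add to the published set. The decoy's content is made up; it is not the real sample."""
    with tempfile.TemporaryDirectory() as root:
        decoy = os.path.join(root, "Downloads", refang("Challenge35[.]exe"))
        os.makedirs(os.path.dirname(decoy))
        with open(decoy, "wb") as fh:
            fh.write(b"constructed decoy content, not the real sample")
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("harmless file that must not be reported")
        decoy_sha256 = hash_file(decoy)[2]
        return sweep(root, sha256s=IOC_SHA256 | {decoy_sha256})


if __name__ == "__main__":
    for finding in demo():
        print(finding["path"], finding["reasons"], finding["sha256"])
```

Run `sweep("C:\\Users")` (or whatever root you care about) with the published sets to use it for real; the filename match is reported separately from the hash matches because a renamed sample still hits on its hashes, while a name hit alone is only a lead until the hash is checked.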