
Rewterz Threat Alert – New Malware Abusing Google and Facebook Services

December 14, 2020

Severity

Medium

Analysis Summary

The Molerats cyberespionage group has been using fresh malware in recent spear-phishing campaigns that relies on Dropbox, Google Drive, and Facebook for command-and-control communication and for storing stolen data. In recent operations the threat actor used two new backdoors, SharpStage and DropBook, and a previously undocumented malware downloader named MoleNet. Designed for cyberespionage, the malware attempts to evade detection and takedown efforts by using Dropbox and Facebook services both to exfiltrate data and to receive instructions from the operators. The attack starts with an email luring political figures or government officials in the Middle East (Palestinian Territories, UAE, Egypt, Turkey) into downloading malicious documents.
The document shows only a summary of the content and instructs the recipient to download password-protected archives stored in Dropbox or Google Drive for the full information.

[Figure: Molerats_attack_DropBook-Sharpstage.jpg]

The attackers control the backdoor through commands published in a Facebook post. They use the same method to deliver the token needed to connect to the Dropbox account, with Simplenote serving as a backup source in case the malware cannot retrieve the token from Facebook. With commands coming from multiple sources on legitimate services, taking down the malware's communication with the attacker becomes a more difficult task.

Impact

  • Data Theft
  • Remote Command Execution
  • Data Exfiltration

Indicators of Compromise

Domain Name

  • ruthgreenrtg[.]live

MD5

  • f93faca357f9a8041a377ca913888565
  • 533b1aea016aacf4afacfe9a8510b168

SHA-256

  • b61fa79c6e8bfcb96f6e2ed4057f5a835a299e9e13e4c6893c3c3309e31cad44
  • 42fa99e574b8ac5eddf084a37ef891ee4d16742ace9037cda3cdf037678e7512

SHA-1

  • fd193ca4c3aefe29a95d6077b438ea3b5568b5ec
  • d6b246959385362894ab96c724ea80add019869b

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download files attached to untrusted emails, even if they are stored on Dropbox or Google Drive.
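As an added example (not part of the Rewterz advisory), the following Python matches the indicators listed above against constructed sample log lines: it refangs the defanged domain, treats subdomains of it as hits, and recognises MD5, SHA-1 and SHA-256 values by length so one scan covers all three hash lists.

```python
import re

# Indicators quoted from the advisory above (domain kept defanged as published).
IOC_DOMAINS = {"ruthgreenrtg[.]live"}
IOC_HASHES = {
    "f93faca357f9a8041a377ca913888565",
    "533b1aea016aacf4afacfe9a8510b168",
    "b61fa79c6e8bfcb96f6e2ed4057f5a835a299e9e13e4c6893c3c3309e31cad44",
    "42fa99e574b8ac5eddf084a37ef891ee4d16742ace9037cda3cdf037678e7512",
    "fd193ca4c3aefe29a95d6077b438ea3b5568b5ec",
    "d6b246959385362894ab96c724ea80add019869b",
}

def refang(domain):
    """Turn a defanged indicator such as 'a[.]b' back into 'a.b', lower-cased."""
    return domain.replace("[.]", ".").replace("(.)", ".").lower()

DOMAINS = {refang(d) for d in IOC_DOMAINS}
# Longest form first so a SHA-256 is not split into a 32-char prefix.
HASH_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)

def domain_matches(host):
    """True if host equals an IoC domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOMAINS)

def scan_line(line):
    """Return [(kind, value)] for every IoC found in one log line."""
    hits = [("hash", h.lower()) for h in HASH_RE.findall(line) if h.lower() in IOC_HASHES]
    hits += [("domain", h.lower()) for h in HOST_RE.findall(line) if domain_matches(h)]
    return hits

def scan_logs(lines):
    """Return [(line_number, kind, value)] across all log lines (1-based numbering)."""
    return [(n, k, v) for n, line in enumerate(lines, 1) for k, v in scan_line(line)]

# Constructed sample records (not from the advisory) in DNS, proxy and EDR-like formats.
SAMPLE_LOGS = [
    "2020-12-14T09:12:01Z dns client=10.0.0.23 qname=cdn.RuthGreenRTG.live type=A",
    "2020-12-14T09:12:05Z proxy client=10.0.0.23 host=www.dropbox.com path=/s/abc123 status=200",
    "2020-12-14T09:13:40Z edr file_write path=C:\\Users\\u\\AppData\\x.exe "
    "sha256=B61FA79C6E8BFCB96F6E2ED4057F5A835A299E9E13E4C6893C3C3309E31CAD44",
    "2020-12-14T09:14:02Z edr process_start image=notepad.exe md5=0123456789abcdef0123456789abcdef",
]

if __name__ == "__main__":
    for n, kind, value in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {kind} match {value}")
```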