Recently, 360 Threat Intelligence Center captured a bait document designed specifically for Arabic users. It is an Office Word document with embedded malicious macros that drop and execute a backdoor packed with Enigma Virtual Box. The backdoor has a built-in keyword list containing names of people or opera movies, which it uses to communicate with the C2, and it receives control commands that give the attacker further control of the victim's computer. After investigation, we suspect this attack was carried out by Molerats.
After we shared the relevant information through social channels, we found that within just a few days the C2 domain had been resolved to a server no longer controlled by the attacker, in order to prevent further attacks.
Activity Records of Molerats
The activity of Molerats (alias: Gaza Hackers Team, Gaza cybergang, Operation Molerats, Extreme Jackal, Moonlight) can be traced back to early 2012. In January 2012, attackers who identified themselves as the "Gaza Hackers Team" struck the website of the Israel Fire and Rescue services. In October of the same year, a suspicious file was found circulating on Israeli police department computers, and the department decided to take all its computers offline temporarily. The follow-up analysis report from Trend Micro pointed out that the malware used in the attack was Xtreme RAT, which can be used to steal information and receive commands from a remote attacker. They also discovered that Xtreme RAT variants had been used to target many other national government agencies, such as those in the United States, United Kingdom, Turkey and New Zealand.
FireEye reviewed the attack on the Israeli police department in a report released in 2013, attributed the event to the Gaza Hackers Team and named the group Molerats. The report also revealed other malware used by the group, such as Poison Ivy. In another report released in 2014, FireEye said “Molerats are not only aware of security researchers’ efforts in trying to track them but are also attempting to avoid using any obvious, repeating patterns that could be used to more easily track endpoints infected with their malware”.
Molerats became particularly active in Q2 2015. Kaspersky collected many related IoCs and pointed out that staff in IT (Information Technology) and IR (Incident Response) departments were the group's preferred targets.
ClearSky first discovered the group's Operation DustSky activities in January 2016. The targeted attacks were suspended for more than half a month after the first report was released. After that, the malware was rewritten in C++ and the targets were changed in an effort to evade detection. ClearSky also indicated that Molerats were not as cautious as before and left more clues, which led it to conclude with fair certainty that Hamas may have a hand behind this attack group.
In June 2017, 360 Threat Intelligence Center discovered new malware used by Molerats. The malicious payload, delivered through a CVE-2017-0199 exploit, was generated entirely with the popular attack framework Cobalt Strike. Kaspersky published an update on Molerats in late October and mentioned possibly related Android mobile malware in the report.
The captured bait document is an Office Word document written in Arabic with malicious VBA macros embedded. If macros are enabled, the malicious code is executed automatically when the victim opens the document.
The contents after translation are as follows.
Since the macro is encrypted, we extract the relevant macro code as follows:
The macro code drops and executes the wmsetup.vbs script in the %userprofile% directory.
The VBS script Base64-decodes the embedded data and saves the decoded data to %temp%/ihelp.exe.
Finally, it sets a scheduled task to start ihelp.exe:
Packer: Enigma Virtual Box
The backdoor is packed by Enigma Virtual Box:
The corresponding C2 is encrypted and stored in the configuration blob. When executed, the backdoor decrypts the blob to obtain the C2 address (smartweb9.com).
The domain name has been resolved to IP address 18.104.22.168, which could be a sinkhole, but the attacker's server (22.214.171.124) was still online, so we were able to connect directly to the attacker’s server and perform follow-up investigations. According to the network traffic and the related decompiled code, the backdoor uses the SFML library (a library for game development: https://github.com/SFML) for network communication.
The backdoor constructs a formatted request through a built-in keyword table, with contents related to some names or opera movies. This approach looks similar to the one mentioned by Talos previously.
The request data is split into sub-blocks, and some of the data is Base64-encoded before being appended to the related keyword.
Once all sub-blocks are ready, the entire block is encrypted and Base64-encoded again, and finally sent to the C2 via an HTTP POST request.
The data returned by the C2 is then received and decrypted. The decrypted data contains the keyword Demi, which is supposed to tell the client to upload the collected information.
The sample collects information such as the user name, the computer name and a UUID-like string, then encrypts and encodes it in the same way and sends it back to the C2.
The data returned from C2 may contain some configuration information. After processing the received data, the backdoor starts to acquire the attacker's instructions periodically in order to perform functions such as remote shell and file operations.
- Remote Shell
- File Operation
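The host and network artifacts named in this analysis (wmsetup.vbs under %userprofile%, ihelp.exe under %temp%, a scheduled task that starts it, and lookups of smartweb9.com) can be correlated per host in endpoint and DNS telemetry. The following is an added example, not code from the original report; the event field names, host names, task name and sample events are constructed for illustration.

```python
import re
from collections import defaultdict

# Stage name -> (event field to inspect, pattern). The indicators come from the
# report; the event schema (host / image / cmdline / query) is an assumption.
RULES = {
    "dropper_script": ("cmdline", re.compile(r"\\users\\[^\\]+\\wmsetup\.vbs", re.I)),
    "persistence": ("cmdline", re.compile(r"schtasks(\.exe)?\b.*\bihelp\.exe", re.I)),
    "payload_exec": ("image", re.compile(r"\\temp\\ihelp\.exe$", re.I)),
    # Anchored so that look-alike names such as notsmartweb9.com do not match.
    "c2_lookup": ("query", re.compile(r"(^|\.)smartweb9\.com\.?$", re.I)),
}


def classify(event):
    """Return the names of every stage whose pattern matches this event."""
    return [name for name, (field, rx) in RULES.items()
            if rx.search(event.get(field, ""))]


def correlate(events, min_stages=2):
    """Collect stage hits per host; keep hosts with >= min_stages distinct stages."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["host"]].update(classify(ev))
    return {h: sorted(s) for h, s in seen.items() if len(s) >= min_stages}


# Constructed sample events (user, task name and schedule are made up).
SAMPLE_EVENTS = [
    {"host": "ws-014", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\amal\wmsetup.vbs"'},
    {"host": "ws-014", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Updater" /sc onlogon '
                r'/tr "C:\Users\amal\AppData\Local\Temp\ihelp.exe"'},
    {"host": "ws-014", "image": r"C:\Users\amal\AppData\Local\Temp\ihelp.exe",
     "cmdline": "ihelp.exe"},
    {"host": "ws-014", "query": "smartweb9.com"},
    # Benign look-alikes: same file name outside %temp%, similar domain name.
    {"host": "ws-022", "image": r"C:\Program Files\App\ihelp.exe", "cmdline": "ihelp.exe"},
    {"host": "ws-022", "query": "notsmartweb9.com"},
    # A lone DNS hit: reported only when min_stages is lowered to 1.
    {"host": "ws-031", "query": "www.smartweb9.com."},
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(stages))
```

Requiring two or more distinct stages per host keeps a single file-name or domain match from raising an alert on its own.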
Since 360 Threat Intelligence Center shared related information on social media immediately after discovering the sample, the C2 had been taken over by a security company or related agency before February 10.
By querying VirusTotal, we find that the IP address (126.96.36.199) being used to take over the C2 domain is associated with a large number of malicious domains.
The 360 threat analysis platform shows that both belong to the same domain name service provider.
Therefore, we have reason to believe that after 360 Threat Intelligence Center shared the information, the domain name service provider was notified by some relevant organizations to take over the C2 to avoid more attacks.
After analyzing those samples, we suspect that the attack was carried out by the Molerats APT group. Some of the associations are as follows.
- Similarity in the bait document
The bait document is highly similar to some of the bait documents used by Gaza Cybergang (Molerats), which were disclosed by Kaspersky in 2017. Both are related to the Gaza region and Hamas.
- Similarity in the payload
Similar to those discovered by Kaspersky, the payloads are packed by Enigma Virtual Box and pretend to come from Microsoft.
The URL that is commented out in the macro is the same as the one mentioned in Kaspersky’s report.
Macro code from samples provided in Kaspersky’s report.
Based on the above information and some other internal related data, 360 Threat Intelligence Center suspects Molerats APT group is the one that launched this attack.
The Molerats APT group has been in existence for a few years, and has carried out a large number of attacks by using a variety of public and privately owned malware. Attackers are actively improving their toolkit in an effort to minimize their exposure to security products and services.
This group is good at social engineering, sending various types of decoy documents to its targets. The decoy documents usually execute subsequent code through malicious macros. Compared with an Office 0day, using macros needs more user interaction and could reduce the success rate, but this approach is still used by many attack groups because the cost is much lower. It is recommended that users avoid opening documents from untrusted sources, and that Office macros be disabled by default.
Products of 360 ESG can protect users from this new malware, including 360 Threat Intelligence Platform, SkyEye APT Detection and 360 NGSOC.