A Group of Hackers Is Targeting Government Officials in the Middle East Through Facebook, Google and Cloud Services

A newly discovered malware-based cyber-espionage campaign is leveraging platforms including Facebook, Google Drive, and Dropbox to control its implants and steal the data its victims handle on a daily basis.

As first reported by the cybersecurity firm Cybereason, the campaign is the work of the Molerats hacker group, which is now using two new backdoors, called SharpStage and DropBook, along with a previously undocumented malware downloader called MoleNet, all of which abuse cloud computing services.

To avoid detection, the malware first pulls its instructions from Facebook services, and both backdoors then use Dropbox to exfiltrate the stolen data.

The campaign is aimed in particular at political figures and government officials in the Middle East, many of whom have received an email asking them to download specific malicious documents.

A look at the documents shows that they instruct the officials to download password-protected archives hosted on Dropbox or Google Drive. Through these archives, Molerats planned to infect the targets with its SharpStage and DropBook backdoors, which in turn download additional malware.

Targeting Cloud Platforms

A further report from Cybereason's Nocturnus Team describes how the Python-based DropBook backdoor receives its instructions from Facebook and also operates with the help of the iOS note-taking app Simplenote. The operators issue commands by publishing them as Facebook posts, and Simplenote serves as a backup channel for storing the same information.

DropBook can also enumerate the programs installed on a system and the names of its files. It executes shell commands received from Facebook or Simplenote and fetches additional payloads from Dropbox.
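The abuse of Facebook, Simplenote and Dropbox as command and exfiltration channels described above is hard to spot by domain alone, because those domains are legitimate and common on any office network. What does stand out is a process that is neither a browser nor the vendor's own client talking to several of those services, and pushing data to one of them. The script below is an added detection example written for this article; it is not code from Cybereason or from the malware. It assumes a constructed per-process proxy log format (timestamp, host, process image, user agent, destination, bytes out) and an assumed domain list, and it groups suspicious events per host and process so that a "commands from one service, upload to another" pattern is rated higher than a single unusual connection.

```python
"""Flag non-browser processes using consumer cloud services as a covert channel.

Assumed (constructed) log format, one event per line:
  <timestamp> host=<name> proc=<image> ua="<user agent>" dst=<domain> bytes_out=<n>
"""
import re
from collections import defaultdict

# Assumed mapping of destination domains to the service they belong to.
CLOUD_C2_DOMAINS = {
    "facebook.com": "facebook",
    "graph.facebook.com": "facebook",
    "dropbox.com": "dropbox",
    "api.dropboxapi.com": "dropbox",
    "content.dropboxapi.com": "dropbox",
    "simplenote.com": "simplenote",
    "app.simplenote.com": "simplenote",
}
# Processes for which traffic to these services is expected.
BROWSER_PROCS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
OFFICIAL_CLIENTS = {"dropbox.exe", "simplenote.exe"}

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) '
    r'ua="(?P<ua>[^"]*)" dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$'
)


def service_for(domain):
    """Return the service name for a domain, matching on parent domains too."""
    d = domain.lower().rstrip(".")
    while d:
        if d in CLOUD_C2_DOMAINS:
            return CLOUD_C2_DOMAINS[d]
        if "." not in d:
            return None
        d = d.split(".", 1)[1]  # strip the leftmost label and retry
    return None


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["bytes"] = int(ev["bytes"])
    ev["service"] = service_for(ev["dst"])
    return ev


def is_suspicious(ev):
    """A known cloud service reached by something other than a browser/client."""
    if ev["service"] is None:
        return False
    proc = ev["proc"].lower()
    return proc not in BROWSER_PROCS and proc not in OFFICIAL_CLIENTS


def analyze(lines):
    """Group suspicious events per (host, process) and rate each group."""
    buckets = defaultdict(lambda: {"services": set(), "bytes_out": 0, "events": 0})
    for line in lines:
        ev = parse_line(line)
        if ev is None or not is_suspicious(ev):
            continue
        b = buckets[(ev["host"], ev["proc"])]
        b["services"].add(ev["service"])
        b["bytes_out"] += ev["bytes"]
        b["events"] += 1
    alerts = []
    for (host, proc), b in sorted(buckets.items()):
        # Two or more distinct services from one process matches the
        # "fetch commands here, upload there" pattern and is rated higher.
        severity = "high" if len(b["services"]) >= 2 else "medium"
        alerts.append({"host": host, "proc": proc, "services": sorted(b["services"]),
                       "bytes_out": b["bytes_out"], "events": b["events"],
                       "severity": severity})
    return alerts


# Constructed sample log: two benign lines, one unrelated line, and two
# processes that should be flagged (one of them hitting all three services).
SAMPLE_LOG = [
    '2020-12-10T09:00:01Z host=WS-01 proc=chrome.exe ua="Mozilla/5.0" dst=www.facebook.com bytes_out=1200',
    '2020-12-10T09:00:05Z host=WS-01 proc=Dropbox.exe ua="DropboxDesktopClient" dst=api.dropboxapi.com bytes_out=800',
    '2020-12-10T09:01:10Z host=WS-01 proc=python.exe ua="python-requests/2.25" dst=graph.facebook.com bytes_out=512',
    '2020-12-10T09:01:12Z host=WS-01 proc=python.exe ua="python-requests/2.25" dst=app.simplenote.com bytes_out=300',
    '2020-12-10T09:02:40Z host=WS-01 proc=python.exe ua="python-requests/2.25" dst=content.dropboxapi.com bytes_out=2048000',
    '2020-12-10T09:03:00Z host=WS-02 proc=update.exe ua="Mozilla/4.0" dst=www.dropbox.com bytes_out=100',
    '2020-12-10T09:03:30Z host=WS-02 proc=chrome.exe ua="Mozilla/5.0" dst=www.google.com bytes_out=64',
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['host']} {a['proc']} services={a['services']} "
              f"events={a['events']} bytes_out={a['bytes_out']}")
```

The grouping step is what makes this useful in practice: a single non-browser request to Dropbox is common (updaters, installers), whereas one process reading from Facebook and Simplenote and then sending a large volume to Dropbox is the shape of the channel this article describes, and the `bytes_out` total gives the analyst an immediate sense of how much may have left the host.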

Molerats' secondary backdoor, SharpStage, on the other hand relies largely on a traditional command-and-control server rather than on cloud services.

Although Cybereason has identified three SharpStage variants, they are very similar in functionality, including the ability to take screenshots, execute arbitrary commands, and decompress data received from the command-and-control server.

Both backdoors include a check for whether the targeted machine has the Arabic language installed, which lets them single out their Arabic-speaking targets.

As if that were not enough, the cybersecurity firm has also caught Molerats using another piece of malware, named MoleNet, which runs WMI commands to check the operating system, look for debuggers, restart the machine from the command line, upload details about the OS, fetch new payloads, and establish persistence.

All in all, by integrating cloud platforms into its communications, the Molerats group has made its espionage attempts even harder to detect.
