Researchers Uncover New Cyber-Espionage Campaign Targeting Middle Eastern Politicians

A new cyber-espionage campaign using popular social media and cloud platforms to target high ranking political figures has been revealed following an investigation by Cybereason.

The campaign has been observed to operate primarily across the Middle East, and the researchers believe it is aimed at high ranking political figures and government officials in the region. Cybereason has attributed the campaign to the politically-motivated APT group Molerats, which has been active in the Middle East since 2012. The threat actors have previously used the Spark and Pierogi backdoors to execute targeted attacks against Palestinian officials.

The new campaign utilizes three previously unidentified malware variants: two backdoors named SharpStage and Dropbox and a downloader called MoleNet. These are designed to help leverage Facebook, Dropbox, Google Docs and Simplenote for command and control to exfiltrate sensitive data from victims’ computers.

Cybereason added that these new malware variants were used in conjunction with the Spark backdoor previously attributed to Molerats, as well as payloads including the open-source Quasar RAT known to have been employed by the group.

Email phishing is another aspect of the espionage operation, with themes focusing on sensitive political issues in the Middle East including Israel-Saudi relations, Hamas elections and even a secretive meeting between the US Secretary of State, the Israeli Prime Minister and the Crown Prince of Saudi Arabia.

Lior Div, co-founder and CEO at Cybereason, commented: “While it’s no surprise to see threat actors take advantage of politically charged events to fuel their phishing campaigns, it is concerning to see an increase in social media platforms being used for issuing command and control instructions and other legitimate cloud services being used for data exfiltration activities.

“This puts the onus even more on the defenders to be hyper-vigilant with regard to potentially malicious network traffic connecting to legitimate services, and it underscores the need to adopt an operation-centric approach to expose these more subtle indicators of behavior.”

What’s Hot on Infosecurity Magazine?