FireEye has discovered several new Molerats' attack campaigns originating from the Middle East with targets including UK and European government bodies and the BBC.
The security vendor claimed that new research has uncovered a much broader series of attacks dating back even further – to October 2011 – than those first discovered last year.
Those attacks were connected to members of the so-called “Gaza Hackers Team”, and used the Trojan Poison Ivy – commonly used by Chinese hackers – against Middle East and US targets.
However, threat intelligence analyst Timothy Dahms explained in a Monday blog post that the latest campaigns use another publically available Trojan: Xtreme RAT.
“Although a large number of attacks against our customers appear to originate from China, we are tracking lesser-known actors also targeting the same firms,” he wrote. “Molerats campaigns seem to be limited to only using freely available malware; however, their growing list of targets and increasingly evolving techniques in subsequent campaigns are certainly noteworthy.”
The full list of targets includes Palestine and Israeli “surveillance groups”, multiple European government organizations, the BBC, a major US financial institution and government departments in the UK, US, Israel, Latvia, New Zealand, Slovenia and Macedonia.
They also hit the Office of the Quartet Representative – a body comprising the United Nations, the European Union, the United States and Russia which is working to mediate Middle East peace negotiations.
Typically, users are tricked into clicking on a malicious link or attachment inside a spear phishing email.
One particular URL had been clicked 225 times “by a variety of platforms and browser types”, indicating the campaign in question was targeted at numerous victims.
In another example, the lure was apparently an “Arabic language decoy document” containing excerpts from Egyptian Major General Hossam Sweilem on the Muslim Brotherhood and military strategy.
“The title of the document appears to have several Chinese characters, yet the entire body of the document is written in Arabic,” explained Dahms. “As noted in our August 2013 blog post, this could possibly be a poor attempt to frame China-based threat actors for these attacks.”
In another campaign, the attackers have tried to sneak in under the radar by signing malware with a forged Kaspersky Lab certificate.
All but two of the Xtreme RAT samples given by Dahms communicate over different TCP ports, he said.
“The port 443 callback listed in the last sample is also not using actual SSL, but instead, the sample transmits communications in clear-text – a common tactic employed by adversaries to try and bypass firewall/proxy rules applying to communications over traditional web ports,” Dahms added.
“These tactics, among several others mentioned previously, seem to indicate that Molerats are not only aware of security researchers’ efforts in trying to track them but are also attempting to avoid using any obvious, repeating patterns that could be used to more easily track endpoints infected with their malware.”