A cyber espionage campaign using new malware that relies on Facebook, Google Drive and Dropbox for command and control communication has been discovered by cybersecurity firm Cybereason.
Hacker group Molerats is behind the new campaign that uses two new backdoors, called SharpStage and DropBook, as well as a previously undocumented malware downloader named MoleNet to abuse popular cloud services.
The malware is designed to avoid detection by using Dropbox and Facebook services to steal data and receive instructions from its operators. Once the data is stolen from the targeted users, the two backdoors then use Dropbox to extract it.
The campaign targets politicians or government officials in the Middle East with an email tricking them into downloading malicious material. However, the document only shows a summary of its contents and recipients are then prompted to download password protected archives stored in Dropbox or Google Drive to see all the information. This is how Molerats is able to infect users with its SharpStage and DropBook backdoors who can then download additional malware.
Abuse of cloud platforms
According to a new report from Cybereason’s Nocturnus team, the Phyton-based DropBook backdoor only receives instructions on Facebook and the iOS note-taking app Simplenote. Hackers are then able to control the backdoor using commands posted in a Facebook post with Simplenote serving as a backup.
DropBook is able to check installed programs and file names on a system, run shell commands from Facebook or Simplenote, and grab additional payloads from Dropbox. Molerats’ other backdoor SharpStage relies on a traditional command and control server rather than relying on cloud services for instructions.
While Cybereason discovered three variations of SharpStage, they all share similar functionality, including the ability to take screenshots, execute arbitrary commands, and decompress data received from the command and control server. The two backdoors are used to target Arabic speaking users and their code can check compromised machines to see if the Arabic language is installed.
The cybersecurity company also discovered that Molerats uses another malware called MoleNet that can run WMI commands to profile an operating system, find debuggers, restart a machine from the command line, download details about the operating system, grab new payloads, and create persistence on a targeted system.
By using popular cloud platforms to communicate with its malware, the Molerats group has made its spy attempts much harder to detect. Interested users can view Cybereason in full Molerats report in the cloud for more information on the group’s recent campaigns, infrastructure and previous malware.
- We’ve also highlighted the best VPN services
Going through BipComputer