Molerats

Molerats is an Arabic-speaking, politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States.[1][2][3][4]

ID: G0021
Associated Groups: Operation Molerats, Gaza Cybergang
Version: 2.1
Created: 31 May 2017
Last Modified: 17 November 2024

Associated Group Descriptions

Name | Description
Operation Molerats | [5][4]
Gaza Cybergang | [1][3][4]


Techniques Used

Domain | ID | Name | Use

Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Molerats saved malicious files within the AppData and Startup folders to maintain persistence.[3]

Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell

Molerats used PowerShell implants on target machines.[3]

Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic

Molerats used various implants, including those built with VBScript, on target machines.[3][6]

Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript

Molerats used various implants, including those built with JS, on target machines.[3]

Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers

Molerats used the public tool BrowserPasswordDump10 to dump passwords saved in browsers on victims.[1]

Enterprise | T1140 | Deobfuscate/Decode Files or Information

Molerats decompresses ZIP files once on the victim machine.[3]

Enterprise | T1105 | Ingress Tool Transfer

Molerats used executables to download malicious files from different sources.[3][6]

Enterprise | T1027.015 | Obfuscated Files or Information: Compression

Molerats has delivered compressed executables within ZIP files to victims.[3]

Enterprise | T1566.001 | Phishing: Spearphishing Attachment

Molerats has sent phishing emails with malicious Microsoft Word and PDF attachments.[3][6][4]

Enterprise | T1566.002 | Phishing: Spearphishing Link

Molerats has sent phishing emails with malicious links included.[3]

Enterprise | T1057 | Process Discovery

Molerats actors obtained a list of active processes on the victim and sent them to C2 servers.[1]

Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task

Molerats has created scheduled tasks to persistently run VBScripts.[6]

Enterprise | T1553.002 | Subvert Trust Controls: Code Signing

Molerats has used forged Microsoft code-signing certificates on malware.[5]

Enterprise | T1218.007 | System Binary Proxy Execution: Msiexec

Molerats has used msiexec.exe to execute an MSI payload.[6]

Enterprise | T1204.001 | User Execution: Malicious Link

Molerats has sent malicious links via email to trick users into opening a RAR archive and running an executable.[3][6]

Enterprise | T1204.002 | User Execution: Malicious File

Molerats has sent malicious files via email that tricked users into clicking Enable Content to run an embedded macro and to download malicious archives.[3][6][4]

Software

ID | Name | References | Techniques

S0547 | DropBook | [4] | Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Deobfuscate/Decode Files or Information, Exfiltration Over Web Service, File and Directory Discovery, Ingress Tool Transfer, System Information Discovery, System Location Discovery: System Language Discovery, Web Service

S0062 | DustySky | [1][2][3] | Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Data Staged: Local Data Staging, Exfiltration Over C2 Channel, Fallback Channels, File and Directory Discovery, Indicator Removal: File Deletion, Input Capture: Keylogging, Lateral Tool Transfer, Obfuscated Files or Information, Peripheral Device Discovery, Process Discovery, Replication Through Removable Media, Screen Capture, Software Discovery, Software Discovery: Security Software Discovery, System Information Discovery, Windows Management Instrumentation

S0553 | MoleNet | [4] | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Ingress Tool Transfer, Software Discovery: Security Software Discovery, System Information Discovery, Windows Management Instrumentation

S0012 | PoisonIvy | [1][2][5] | Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Active Setup, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data from Local System, Data Staged: Local Data Staging, Encrypted Channel: Symmetric Cryptography, Execution Guardrails: Mutual Exclusion, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, Process Injection: Dynamic-link Library Injection, Rootkit

S0546 | SharpStage | [4] | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Deobfuscate/Decode Files or Information, Ingress Tool Transfer, Scheduled Task/Job: Scheduled Task, Screen Capture, System Information Discovery, System Location Discovery: System Language Discovery, Web Service, Windows Management Instrumentation

S0543 | Spark | [6][4] | Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Deobfuscate/Decode Files or Information, Exfiltration Over C2 Channel, Obfuscated Files or Information: Software Packing, System Information Discovery, System Location Discovery: System Language Discovery, System Owner/User Discovery, Virtualization/Sandbox Evasion: User Activity Based Checks

References
