The “Molerats” cyber crime gang has returned to attack governments across Europe, as well as the BBC and other high-profile targets.
The gang has been active on-and-off for a number of years and is also known as the “Gaza Hackers Team”, according to security services company FireEye. The gang uses a variety of remote access Trojans (RATs – hence the name Molerats) mass emailed to its targets. When a victim is persuaded to open the attachment, the RAT is activated and the attackers gain control over the PC.
The gang was last seen in summer 2013, when it was using the “Poison Ivy” Trojan. The group does not just target Europe, but also the Middle East, including both Israel and the Palestinian state.
However, FireEye believes that in April and May the gang re-activated its attacks, “targeting at least one major US financial institution and multiple, European government organisations”.
Targets for the Molerats group include government departments in Israel, Turkey, Slovenia, Macedonia, New Zealand, Latvia, the US and the UK, the BBC, the Office of the Quartet Representative and at least one major US financial institution.
“Previous Molerats campaigns have used several garden-variety, freely available backdoors, such as CyberGate and Bifrost. But most recently, we have observed them making use of the Poison Ivy and Xtreme RATs,” claimed FireEye in an advisory.
It continued: “Previous campaigns made use of at least one of three observed forged Microsoft certificates, allowing security researchers to accurately tie together separate attacks even if the attacks used different backdoors.
“There also appears to be a habitual use of lures or decoy documents – in either English or Arabic language – with content focusing on active conflicts in the Middle East. The lures come packaged with malicious files that drop the Molerats’ flavour of the week, which happen to all be Xtreme RAT binaries in these most recent campaigns.”
Although phishing is a well-established means of attack, people still fall for it with surprising regularity, claims FireEye.
Spear phishing is a targeted attack that involves an email with an attachment purporting to be a picture or other innocuous or essential document that the user is persuaded to click on. While the image or document might be displayed, the malware is activated in the background.