
Molerats continue to attack US, EU and Middle East targets

For over a year, FireEye researchers have been tracking a group of hackers that targets government organisations, financial institutions and surveillance targets in Europe, the US and the Middle East.

Nicknamed Molerats, the group has been in business since late 2011.

Molerat attacks have wriggled their way through garden-variety backdoors, such as CyberGate and Bifrost, said the team of experts in a blog post. "Most recently, we have observed them making use of the PIVY and Xtreme RATs."

"Previous campaigns made use of at least one of three observed forged Microsoft certificates, allowing security researchers to accurately tie together separate attacks even if the attacks used different backdoors.

"There also appears to be a habitual use of lures or decoy documents – in either English or Arabic-language – with content focusing on active conflicts in the Middle East. The lures come packaged with malicious files that drop the Molerats' flavor of the week, which happen to all be Xtreme RAT binaries in these most recent campaigns."

Observed over the last month or so, recent attacks have targeted a range of institutions, including the BBC, several European government organisations and government departments in Latvia, Israel, Slovenia, Turkey, Macedonia, the US and the UK.

In this latest bout of attacks, the targets received spear-phishing emails with a link to a binary, often given a suspicion-reducing name such as Chrome.exe, AVG.exe or Download.exe, that opens a Word document as a decoy while a RAT is sneakily installed in the background.

The Word document frequently features political content. The Palestinian situation and other Middle Eastern conflicts, as well as a range of political figures, have appeared within the documents' pages.

The researchers found that all the recent decoy Word files contain Chinese characters in the title and, considering the rest of each document is written in Arabic, the team believe it "a poor attempt to frame China-based threat actors for these attacks."


Molerat attacks have been previously attributed to members of the "Gaza Hackers Team".