As part of the last campaign spotted by Cybereason, MoleRATs has been attempting to infiltrate the systems of both organizations and individuals.
Experts distinguish between two separate campaigns happening simultaneously that
The first campaign dubbed the Spark Campaign employs social engineering to infect victims with the Spark backdoor. Most of the victims were from the Palestinian territories.
“This backdoor first emerged in January 2019 and has been continuously active since then. The campaign’s lure content revolves around recent geopolitical events,
According to the experts, the Spark backdoor was specifically designed my MoleRATs to gather system information on an infected machine.
Spark will also infect victims with Arabic keyboard and language settings.
The second campaign was tracked by the experts as the Pierogi Campaign, it employes social engineering attacks to trick victims into installing an undocumented backdoor dubbed Pierogi.
“This backdoor first emerged in December 2019, and was discovered by Cybereason. In this campaign, the attackers use different TTPs and decoy documents reminiscent of previous campaigns by MoleRATs involving the Micropsia and Kaperagent malware.” states the report.
The name ‘Pierogi’ comes after an Eastern European dish, it is a simple Delphi backdoor that was allegedly created by Ukranian-speaking hackers.
The experts did not attribute the attack to a specific state, even if the apparent political motivation suggests the involvement of a nation-state actor.
“It is important to remember there are many threat actors operating in the Middle East, and often there are overlaps in TTPs, tools, motivation, and
Additional details, including Indicators of Compromise and MITRE ATT&CK breakdown, are included in the report published by Cybereason.
(SecurityAffairs – MoleRATs, )