Molerats Cyber-Attack Activity Escalating

New attacks reported by FireEye show China isn't the only part of the world targeting the U.S. with cyber-espionage.


Security firm FireEye is reporting a new outbreak of activity from a hacking effort it has dubbed "Molerats." FireEye has tracked Molerats activity since October 2012 and saw a marked uptick between April 29 and May 27 of this year, with attacks targeting a U.S. financial institution as well as European government institutions.

The Molerats activity comes from the Middle East, but that doesn't necessarily mean that a specific nation-state is behind the attacks.

"We believe that the Molerats activity we are tracking may be related to a group known as the Gaza Hackers Team," Ned Moran, senior malware researcher at FireEye, told eWEEK. "We have nothing linking these actors back to a nation-state sponsor."

On May 27, FireEye noted in its report, a new malicious URL was sent to a European government organization. As of May 29, the malicious link had been clicked 225 times. The link leads to a Word document that installs a remote access tool (RAT) known as Xtreme RAT on the victim's system.

There was also a Molerats attack on April 29 that, according to FireEye, leveraged a fake digital security certificate from security firm Kaspersky Lab. The April 29 attack included an email with news excerpts on the recent reconciliation between Palestinian leaders. Moran noted that the use of a fake certificate is not a new tactic for the Molerats, as the group has used fake Microsoft certificates in the past.

While Molerats activity has picked up in the last month, the group is not using any unknown advanced malware to further its campaign. The Molerats campaign for the most part is only using malware that is freely available.

"We have not seen them use or exploit any zero-day vulnerabilities," Moran said.

Although the Molerats attackers aren't using zero-days, they are taking steps to make the attacks harder for security researchers to detect. The attackers vary the server ports they use to communicate, and even when they do use common ports, they employ evasive techniques. The FireEye report indicates that in one sample where the Molerats attackers use port 443, which is typically associated with encrypted SSL/HTTPS traffic, the attackers are actually not using SSL.

"Instead, the sample transmits communications in clear-text—a common tactic employed by adversaries to try and bypass firewall/proxy rules applying to communications over traditional web ports," FireEye states.
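A defender-side check for exactly this evasion, written here as an added example (it is not from FireEye's report or from eWEEK): it takes the first client payload bytes of each flow to TCP/443 and flags flows that do not begin with a TLS ClientHello record, since a port number alone says nothing about whether the traffic is encrypted. The flow records and sample payloads are constructed for illustration.

```python
import struct

# TLS record header: content type (1 byte), version (2 bytes), length (2 bytes).
# The first client record of a TLS session is a Handshake (0x16) carrying a
# ClientHello (handshake type 0x01). TLS 1.3 still uses 0x0301 at the record layer.
TLS_HANDSHAKE = 0x16
TLS_CLIENT_HELLO = 0x01
TLS_RECORD_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303}
MAX_RECORD_LEN = 16384 + 256  # 2^14 plus allowed expansion (RFC 5246 6.2.3)


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if the first client bytes parse as a TLS Handshake record holding a ClientHello.

    Caveat: legacy SSLv2-compatible hellos use a different header and are
    reported as non-TLS here; treat a hit on such traffic as a review prompt, not proof.
    """
    if len(payload) < 6:
        return False
    content_type, version, length = struct.unpack("!BHH", payload[:5])
    if content_type != TLS_HANDSHAKE or version not in TLS_RECORD_VERSIONS:
        return False
    if length == 0 or length > MAX_RECORD_LEN:
        return False
    return payload[5] == TLS_CLIENT_HELLO


def find_cleartext_on_443(flows):
    """Return ids of client->server flows to TCP/443 whose first bytes are not a TLS handshake."""
    return [
        f["id"] for f in flows
        if f["dport"] == 443 and not looks_like_tls_client_hello(f["payload"])
    ]


# Constructed sample flows (not real captures): a genuine ClientHello prefix on 443,
# a cleartext HTTP request sent to 443, and cleartext on a port the check ignores.
SAMPLE_FLOWS = [
    {"id": "flow-1", "dport": 443, "payload": b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"},
    {"id": "flow-2", "dport": 443, "payload": b"GET /index.php?id=1 HTTP/1.1\r\nHost: example.invalid\r\n\r\n"},
    {"id": "flow-3", "dport": 8080, "payload": b"hello"},
]

if __name__ == "__main__":
    for fid in find_cleartext_on_443(SAMPLE_FLOWS):
        print(f"{fid}: cleartext on TCP/443, review as possible C2")
```

In practice the payload fed to this check is the first client-to-server segment of each connection, which most packet-capture and flow tools can export per flow.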

FireEye is tracking the Molerats activity in several ways. Moran explained that FireEye is tracking the command and control infrastructure used in Molerats activity, as well as indicators extracted from the publicly available RATs the group uses.

"We are also tracking specific aspects of their malware," Moran added.

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.