New malware abuses Facebook, Google and other cloud platforms
A cyberespionage campaign using a new malware that relies on Facebook, Google Drive and Dropbox for command and control communication has been discovered by the cybersecurity firm Cybereason.
The Molerats hacker group is behind the new campaign which uses two new backdoors, called SharpStage and DropBook, as well as a previously undocumented malware downloader named MoleNet to abuse popular cloud computing services.
The malware is designed to avoid detection by using Dropbox and Facebook services to steal data and receive instructions from its operators. Once data is stolen from targeted users, both backdoors then use Dropbox to extract it.
The campaign targets political figures or government officials in the Middle East with an email luring them to download malicious documents. However, the document only shows a summary of its content and recipients are then instructed to download password-protected archives stored in Dropbox or Google Drive to see all of the information. This is how Molerats is able to infect users with its SharpStage and DropBook backdoors that can then download additional malware.
Abusing cloud platforms
According to a new report from Cybereason’s Nocturnus Team, the Phyton-based DropBook backdoor only receives instructions on Facebook and from the iOS note-taking app Simplenote. The hackers are then able to control the backdoor using commands published in a post on Facebook with Simplenote serving as a backup.
DropBook is able to check a system’s installed programs and file names, execute shell commands from Facebook or Simplenote and fetch additional payloads from Dropbox. Molerats’ other backdoor SharpStage depends on a traditional command and control server as opposed to using cloud services for instructions.
While Cybereason discovered three SharpStage variants, they all share similar functionalities including the ability to take screenshots, execute arbitrary commands and decompress data received from the command and control server. Both backdoors are used to target Arabic-speaking users and their code can check compromised machines to see if the Arabic language is installed.
The cybersecurity firm also found that Molerats is using another malware called MoleNet which can run WMI commands to profile an operating system, check for debuggers, restart a machine from the command line, upload details about the OS, fetch new payloads and create persistence on a targeted system.
By using popular cloud platforms to communicate with its malware, the Molerats group has made its espionage attempts much harder to detect. Interested users can check out Cybereason’s full Molerats in the Cloud report for more information on the group’s recent campaigns, infrastructure and previous malware.