February 15, 2022

Threat Group, TA402/Molerats & NimbleMamba Malware

Industry: Aviation, Government and Think Tanks | Level: Tactical | Source: ProofPoint

ProofPoint shares research on the threat group TA402 (aka Molerats), which has persistently targeted “Middle Eastern governments, foreign policy think tanks, and a state-affiliated airline” since late 2021. The group operates in the interests of the Palestinian Territories. It frequently uses geofencing, directing only targets of interest to malicious websites while non-targets are redirected to benign sites. Since November 2021, the group has used URLs on three different sites, Quora, Dropbox and WordPress, in phishing emails to distribute a RAR file containing the NimbleMamba malware and/or the BrittleBush trojan. In the Dropbox attack chain, geofencing was not used; however, the Dropbox API was used for C2 communication.

  • Anvilogic Scenario: TA402/Molerats Threat Behavior
  • Anvilogic Use Cases:
    • DropBox API Traffic
    • Compressed File Execution
    • Output to File
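The following is an added detection example, not code from Proofpoint's research or from Anvilogic's own use cases. It shows how two of the behaviours summarised above, Dropbox API traffic from an unexpected process and execution of a file straight out of an archive, can be flagged from normalised endpoint telemetry and then correlated per host. The event schema, the baseline list of processes allowed to talk to the Dropbox API, and the archiver temp-folder patterns are assumptions to be tuned per environment; the sample events are constructed, not real telemetry.

```python
import re
from typing import Dict, Iterable, List

# Dropbox API hostnames used as a watchlist (real hostnames; extend as needed).
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}

# Processes expected to talk to the Dropbox API. ASSUMED baseline: replace it
# with what is actually observed in your environment.
DROPBOX_BASELINE_PROCESSES = {"dropbox.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Archiver GUIs that launch files directly from an archive, and the temp-folder
# naming archivers use for such launches (WinRAR "Rar$...", 7-Zip "7zO...").
# Both are ASSUMED patterns; verify against your own archiver versions.
ARCHIVER_PROCESSES = {"winrar.exe", "7zfm.exe", "7zg.exe"}
ARCHIVE_TEMP_RE = re.compile(r"\\Temp\\(Rar\$[^\\]+|7zO[^\\]+)\\", re.IGNORECASE)

# Constructed sample events in a normalised shape (hypothetical hosts/paths).
SAMPLE_EVENTS: List[Dict] = [
    {"type": "process", "host": "WS01", "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": r'"C:\Users\a\Downloads\report.rar"'},
    {"type": "process", "host": "WS01",
     "image": r"C:\Users\a\AppData\Local\Temp\Rar$EXa1234.5678\report.exe",
     "parent": r"C:\Program Files\WinRAR\WinRAR.exe", "cmdline": "report.exe"},
    {"type": "network", "host": "WS01",
     "process": r"C:\Users\a\AppData\Local\Temp\Rar$EXa1234.5678\report.exe",
     "dest_host": "api.dropboxapi.com", "dest_port": 443},
    {"type": "network", "host": "WS02",
     "process": r"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe",
     "dest_host": "api.dropboxapi.com", "dest_port": 443},
    {"type": "process", "host": "WS02", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_dropbox_api_traffic(events: Iterable[Dict]) -> List[Dict]:
    """Use case 'DropBox API Traffic': a Dropbox API connection from a process
    that is not in the expected baseline (the NimbleMamba C2 pattern)."""
    alerts = []
    for ev in events:
        if ev.get("type") != "network":
            continue
        if ev.get("dest_host", "").lower() not in DROPBOX_API_HOSTS:
            continue
        if _basename(ev.get("process", "")) in DROPBOX_BASELINE_PROCESSES:
            continue
        alerts.append({"rule": "dropbox_api_traffic", "host": ev["host"],
                       "process": ev["process"], "dest_host": ev["dest_host"]})
    return alerts


def detect_compressed_file_execution(events: Iterable[Dict]) -> List[Dict]:
    """Use case 'Compressed File Execution': a process launched by an archiver
    or running from an archiver's temporary extraction folder."""
    alerts = []
    for ev in events:
        if ev.get("type") != "process":
            continue
        parent = _basename(ev.get("parent", ""))
        image = ev.get("image", "")
        if parent in ARCHIVER_PROCESSES or ARCHIVE_TEMP_RE.search(image):
            alerts.append({"rule": "compressed_file_execution", "host": ev["host"],
                           "image": image, "parent": ev.get("parent", "")})
    return alerts


def correlate_hosts(events: List[Dict]) -> List[str]:
    """Scenario-style correlation: hosts showing both behaviours, which is a
    much stronger signal than either use case alone."""
    hosts_net = {a["host"] for a in detect_dropbox_api_traffic(events)}
    hosts_exec = {a["host"] for a in detect_compressed_file_execution(events)}
    return sorted(hosts_net & hosts_exec)


if __name__ == "__main__":
    for alert in detect_dropbox_api_traffic(SAMPLE_EVENTS) + detect_compressed_file_execution(SAMPLE_EVENTS):
        print(alert)
    print("hosts with both behaviours:", correlate_hosts(SAMPLE_EVENTS))
```

On the sample data the Dropbox desktop client on WS02 is suppressed by the baseline, while WS01 fires on both rules and is the only host returned by the correlation. The baseline is the tuning knob: in an environment where Dropbox is not sanctioned at all, the allow-list can be emptied so that any Dropbox API traffic becomes an alert.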