New malware abuses Facebook, Google and other cloud platforms Malware Magnifying Glass
A cyberespionage campaign using a new malware that relies on Facebook, Google Drive and Dropbox for command and control communication has been discovered by the cybersecurity firm Cybereason.
The Molerats hacker group is behind the new campaign which uses two new backdoors, called SharpStage and DropBook, as well as a previously undocumented malware downloader named MoleNet to abuse popular cloud computing services.
The malware is designed to avoid detection by using Dropbox and Facebook services to steal data and receive instructions from its operators. Once data is stolen from targeted users, both backdoors then use Dropbox to extract it.
The campaign targets political figures or government officials in the Middle East with an email luring them to download malicious documents. However, the document only shows a summary of its content and recipients are then instructed to download password-protected archives stored in Dropbox or Google Drive to see all of the information. This is how Molerats is able to infect users with its SharpStage and DropBook backdoors that can then download additional malware.
Abusing cloud platforms
According to a new report from Cybereason’s Nocturnus Team, the Phyton-based DropBook backdoor only receives instructions on Facebook and from the iOS note-taking app Simplenote. The hackers are then able to control the backdoor using commands published in a post on Facebook with Simplenote serving as a backup.
DropBook is able to check a system’s installed programs and file names, execute shell commands from Facebook or Simplenote and fetch additional payloads from Dropbox. Molerats’ other backdoor SharpStage depends on a traditional command and control server as opposed to using cloud services for instructions.
While Cybereason discovered three SharpStage variants, they all share similar functionalities including the ability to take screenshots, execute arbitrary commands and decompress data received from the command and control server. Both backdoors are used to target Arabic-speaking users and their code can check compromised machines to see if the Arabic language is installed.
The cybersecurity firm also found that Molerats is using another malware called MoleNet which can run WMI commands to profile an operating system, check for debuggers, restart a machine from the command line, upload details about the OS, fetch new payloads and create persistence on a targeted system.
By using popular cloud platforms to communicate with its malware, the Molerats group has made its espionage attempts much harder to detect. Interested users can check out Cybereason’s full Molerats in the Cloud report for more information on the group’s recent campaigns, infrastructure and previous malware.
- We’ve also highlighted the best VPN services
Via BleepingComputer
A cyberespionage campaign using a new malware that relies on Facebook, Google Drive and Dropbox for command and control communication has been discovered by the cybersecurity firm Cybereason. The Molerats hacker group is behind the new campaign which uses two new backdoors, called SharpStage and DropBook, as well as a…
Recent Posts
- Amazfit’s new low-cost wearable packs in a big display and 26 days of battery life
- As Questions Swirl Around Tesla’s Superchargers, the Race Is On to Fill the Power Gap
- Asus won’t say if the ROG Ally’s SD card reader will ever be truly fixed
- Quordle today – hints and answers for Thursday, May 2 (game #829)
- NYT Strands today — hints, answers and spangram for Thursday, May 2 (game #60)
Archives
- May 2024
- April 2024
- March 2024
- February 2024
- January 2024
- December 2023
- November 2023
- October 2023
- September 2023
- August 2023
- July 2023
- June 2023
- May 2023
- April 2023
- March 2023
- February 2023
- January 2023
- December 2022
- November 2022
- October 2022
- September 2022
- August 2022
- July 2022
- June 2022
- May 2022
- April 2022
- March 2022
- February 2022
- January 2022
- December 2021
- November 2021
- October 2021
- September 2021
- August 2021
- July 2021
- June 2021
- May 2021
- April 2021
- March 2021
- February 2021
- January 2021
- December 2020
- November 2020
- October 2020
- September 2020
- August 2020
- July 2020
- June 2020
- May 2020
- April 2020
- March 2020
- February 2020
- January 2020
- December 2019
- November 2019
- December 2011