The hacking team behind the infamous MoleRats cyber campaign has resurfaced using an evolved version of the Poison Ivy Trojan, according to FireEye researchers.
The ongoing campaign was reported by FireEye's Nart Villeneuve, Ned Moran and Thoufique Haq in their MoleRats: Middle East Cyber Attacks Using Poison Ivy report. The campaign is reportedly an escalated version of the original attacks. The original MoleRats campaign began in 2012 and saw hackers target a number of government groups in Israel and Palestine with a wave of data-stealing cyber attacks.
The campaign has an expanded target set and is designed to attack numerous government entities, some in the UK, with evolved Poison Ivy malware as well as the XtremeRAT that was used originally.
"The target set was broader than previously believed and included targets in the US and UK governments. Further research revealed a connection between these attacks and members of the ‘Gaza Hackers Team'. We refer to this campaign as MoleRats," the report noted.
The FireEye researchers said the malware used in the attack has several atypical features that make it hard to track and defend against.
"We observed several attacks in June and July 2013 against Israeli government targets that dropped a Poison Ivy payload, which connected to command and control (C2) infrastructure used by the MoleRats attackers. We collected additional Poison Ivy samples that had the same password and/or linked to C2 infrastructure at a common IP address," read the report.
"We also found a Poison Ivy sample used by this group that leveraged ‘keys' instead of passwords. The Poison Ivy builder allows operators to load .pik files containing a key to secure communications between the victim computer and its control server. By default, Poison Ivy secures these communications with the ASCII text password of ‘admin'."
The use of Poison Ivy is a bizarre change in behaviour by the group, with the malware traditionally being favoured by Chinese hacking teams. The reason for the hackers' change in strategy remains unknown, though the FireEye researchers have suggested it could be more political than technical.
"We do not know if this is an intentional attempt by MoleRats to deflect attribution to China-based threat actors, or if they have simply added another effective, publicly available remote-access technology (RAT) to their arsenal. However, this development should raise a warning flag for those who attribute all Poison Ivy attacks to threat actors based in China. The ubiquity of off-the-shelf RATs makes determining positive attribution an increasing challenge," read the report.
The FireEye researchers said the purpose of campaign remains unknown, but warned the attacks will likely continue to evolve. "The ongoing attacks are also heavily leveraging content in Arabic, which relates to the current situation in Egypt and the wider Middle East in order to lure targets into opening malicious files. However, we do not have further information about the exact targets at this time," said the report.
"As events on the ground in the Middle East – and in Egypt in particular – receive international attention, we expect the MoleRat operators to continue leveraging these headlines to catalyse their operations."
The campaign is one of many advanced cyber threats targeting businesses. Before the discovery of MoleRats, McAfee and the Center for Strategic and International Studies (CSIS) estimated that espionage-focused cyber attacks have cost over 508,000 US citizens their jobs.
Cotton seedling freezes to death as Chang'e-4 shuts down for the Moon's 14-day lunar night
Fortnite easily out-earns PUBG, Assassin's Creed Odyssey and Red Dead Redemption 2 in 2018
Meteor showers as a service will be visible for about 100 kilometres in all directions
Saturn's rings only formed in the past 100 million years, suggests analysis of Cassini space probe data
New findings contradict conventional belief that Saturn's rings were formed along with the planet about 4.5 billion years ago