Government

New TA402 Molerats Malware Targets Governments in the Middle East

Key Findings 

  • TA402 leverages political and military themes, including the ongoing conflict in the Gaza Strip, to entice users to open attachments and click on malicious links. 
  • TA402 activity is largely focused on entities operating in the Middle East, especially government or government-adjacent organizations. 
  • TA402’s custom malware called LastConn is used to gain access to and conduct information gathering activities. 
  • LastConn uses a number of unique features to deter automated threat analysis and make manual analysis difficult. 

Overview 

Proofpoint researchers identified a malware called LastConn distributed by TA402, a threat actor also known as Molerats. The malware targeted government institutions in the Middle East and global government organizations associated with geopolitics in the region.  

TA402 is a Middle Eastern advanced persistent threat (APT) group that often targets entities in Israel and Palestine, in addition to other regions in the Middle East. In campaigns identified throughout 2021, TA402 leveraged Middle Eastern geopolitical themes including ongoing conflict in the Gaza Strip. The custom malware implant identified by Proofpoint enables the threat actor to conduct reconnaissance on the target host and exfiltrate data. TA402 leveraged multiple mechanisms to avoid automated threat analysis including geofencing based on IP addresses, only targeting computers with Arabic language packs installed, and password-protected archive files to distribute malware. 

Campaign Details 

Following a busy 2020 for TA402, Proofpoint researchers identified new and highly targeted email threat campaigns impacting government organizations in the Middle East and entities with diplomatic relationships in the region.  

Based on Proofpoint visibility, the campaigns occurred on a weekly basis throughout early 2021 before abruptly stopping in March for a two-month hiatus. TA402, also known as Molerats and GazaHackerTeam, resumed email threat campaigns in early June 2021 with continued use of malware Proofpoint dubbed LastConn. Researchers assess with high confidence LastConn is an updated version of SharpStage malware first reported by Cybereason in December 2020

The temporary disruption to email threat operations in March 2021 is interesting and may be due to current tensions in the Middle East region including ongoing violence in the Gaza Strip between Israeli and Palestinian militants or the observation of Ramadan in April through early May 2021, one of the most important religious holidays for Muslims. However, Proofpoint cannot confirm either hypothesis with high confidence.  

TA402 Background & Attribution 

TA402 has been active since at least 2011 and is believed to be operating out of the Middle East. The group’s targeting includes but is not limited to targets in Israel and Palestine. [3,4] TA402 is known to target multiple industry verticals such as technology, telecommunications, financial institutions, academic institutions, military installations, media outlets, and government offices. The primary motivation of this group is to collect sensitive information and documents from high values targets to gather intelligence. Proofpoint assesses with moderate confidence based on lure topics, targeting, and historic campaigns the activity likely supports military or Palestinian state objectives. 

Attack Paths 

TA402 used spear-phishing emails containing either malicious links or attachments in the recently observed campaigns. 

In June campaigns, TA402 leveraged a PDF attachment with one or multiple geofenced URLs leading to password-protected archives that contained the malware.  

 Figure 1: TA402 attack chain leveraging PDF attachments 

The email and the PDF are typically both written in Arabic, and the lure is usually based on a geopolitical topic impacting the Middle East, especially the Gaza conflict. Proofpoint observed lure themes including “A delegation from Hamas meets with the Syrian regime” and “Hamas member list”. The password of the RAR file can be found inside the text of the PDF. Extracting the archive reveals a custom TA402 implant. In recent campaigns, the archive dropped LastConn malware. Other observed malware distributed by this attack path include SharpStage, Loda, and MiraiEye RAT. 

 

Figure 2: Example PDF from 02 June 2021 campaign. The filename is “hamas - syria.pdf” with the content purporting to be details regarding a delegation of Hamas militants meeting with Syrian regime representatives. (SHA256: 557c60ae9c613164fda3189720eaf78fe60b6bd8191f4d208ca3bbbdceffee36) 

The PDF link drops the following files. 

Downloaded RAR: 

  • Hamas-Syria.rar|0db46fea5a0be8624069f978f115e4270833df29ed776c712182327a758fd639 

Exe file inside RAR: 

  • إجتماع وفد من حماس مع النظام السوري.exe|f55e2050733576fa16452e2589a187f4bf202ca3b54b1497ba2c006e8d3bdd45 

  • Translation: “A delegation from Hamas meets with the Syrian regime” 

A payload is not immediately downloaded. Proofpoint researchers were unable to determine the exact mechanisms for initiating links to the hosted malware, but the PDF may only direct the victim to the files if the source IP address belongs to the targeted countries in the Middle East. If the source IP address does not align with the target group, the URL may redirect the recipient to a benign decoy website, typically an Arabic language news website.