A US-based cybersecurity firm has discovered that three new malware variants are targeting people in the UAE and other Middle East countries for an espionage campaign through Facebook, Dropbox, Google Docs and Simplenote.
The Boston-headquartered Cybereason said the vast majority of people targeted were Arabic speakers in the UAE and that this is the first time the Molerats group has used these tactics of targeting through social media platforms.
Molerats is a politically-motivated threat group operating since 2012, targeting victims primarily in the Middle East, Europe and the US.
The campaign leverages phishing documents that include various themes related to current Middle Eastern events, including Israeli-US relations, Hamas elections, news about Palestinian politicians and other regional news involving US Secretary of State Mike Pompeo, Israeli Prime Minister Benjamin Netanyahu and Gulf royals.
“The operation was primarily observed targeting the Palestinian Territories, UAE, Egypt as well as Turkey. Given the nature of the phishing content, we assess that the campaign operators seek to target high-ranking political figures and government officials in the Middle East,” the US cybersecurity firm said.
“While it’s no surprise to see threat actors take advantage of politically charged events to fuel their phishing campaigns, it is concerning to see an increase in social media platforms being used for issuing command and control instructions and other legitimate cloud services being used for data exfiltration activities,” said Lior Div, Cybereason co-founder and CEO.
“This puts the onus even more on the defenders to be hyper-vigilant with regard to potentially malicious network traffic connecting to legitimate services, and it underscores the need to adopt an operation-centric approach to expose these subtler indicators of behaviour,” he said.
“Uncontextualised alerts won’t uncover a stealthy attack like this; that’s why Cybereason enables security teams to be operation-centric instead of alert-centric, so they can quickly make correlations across seemingly unrelated events on the network and beyond,” Div concluded.