MoleRATs Group Added Pierogi Backdoor to Their Toolkit

Delaware, USA – February 13, 2020 – The MoleRATs group is using new backdoors in cyberspying campaigns targeting organizations and individuals, mainly from the Palestinian territories. The Cybereason Nocturnus team tracked two separate campaigns happening simultaneously but differing in tools, server infrastructure, and nuances in decoy content and intended targets. MoleRATs is one of the Gaza Cybergang groups, an Arabic-speaking, politically motivated group that has operated in the Middle East since 2012.

“The Spark Campaign: This campaign uses social engineering to infect victims, mainly from the Palestinian territories, with the Spark backdoor. This backdoor first emerged in January 2019 and has been continuously active since then. The campaign’s lure content revolves around recent geopolitical events, especially the Israeli-Palestinian conflict, the assassination of Qasem Soleimani, and the ongoing conflict between Hamas and Fatah Palestinian movements,” researchers said.

“The Pierogi Campaign: This campaign uses social engineering attacks to infect victims with a new, undocumented RAT dubbed Pierogi. This RAT first emerged in December 2019, and was discovered by Cybereason. In this campaign, the attackers use different TTPs and decoy documents reminiscent of previous campaigns by MoleRATs involving the Micropsia and Kaperagent malware.”

The Pierogi backdoor is written in Delphi and is rather simple, but it is capable of collecting and exfiltrating system data, taking screenshots, downloading additional tools, and executing commands via CMD. The researchers suppose that the adversaries collect sensitive information from victims to leverage it for political purposes. To uncover such attacks at early stages, you can use your SIEM and the APT Framework rule pack, which connects the dots between low-level SIEM incidents and links them to high-confidence compromises: