Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyber Insurance

Hamas Cyberspies Return With New Malware After Exposure of Operations

A cyberespionage group linked in the past to the Palestinian terrorist organization Hamas took a break after its operations were exposed last summer and returned with new tools and techniques.

A cyberespionage group linked in the past to the Palestinian terrorist organization Hamas took a break after its operations were exposed last summer and returned with new tools and techniques.

According to enterprise security firm Proofpoint, the threat actor known as Molerats apparently took a short break after the company released information on its activities in June 2021. During that break, it updated its malware and delivery mechanisms.

Molerats has been active since at least 2011 and it focuses on the Middle East. It’s also tracked as Gaza Hackers Team, Gaza Cybergang, DustySky, Extreme Jackal, Moonlight and TA402 — some researchers believe there are multiple groups operating under the same umbrella.

It’s worth noting that Molerats’ operations are often exposed by cybersecurity firms and researchers, but that does not appear to have discouraged the threat actor. In 2019, Kaspersky even managed to disrupt a significant part of the infrastructure used by the cyberspies and, in the same year, Israel claimed to have bombed a building housing Hamas cyber operatives in response to a cyberattack.

In a blog post published on Tuesday, Proofpoint said the hackers have apparently replaced an implant named LastConn with a new one that the cybersecurity firm has dubbed NimbleMamba. The malware was used in late 2021 in attacks aimed at Middle Eastern entities, including governments, foreign policy think tanks, and a state-affiliated airline.

Proofpoint researchers found that while NimbleMamba and LastConn have some similarities, there is little overlap between the two when it comes to code.

“NimbleMamba has the traditional capabilities of an intelligence-gathering trojan and is likely designed to be the initial access. Functionalities include capturing screenshots and obtaining process information from the computer. Additionally, it can detect user interaction, such as looking for mouse movement,” Proofpoint explained.

The malware has been delivered both via malicious websites and Dropbox — the file sharing service has also been abused for command and control (C&C) and file exfiltration. Researchers also found that NimbleMamba uses “guardrails” to ensure that it only infects devices in specified countries in the Middle East and Africa.

Advertisement. Scroll to continue reading.

“The malware also contains multiple capabilities designed to complicate both automated and manual analysis,” researchers said. “Based on this, Proofpoint assesses NimbleMamba is actively being developed, is well-maintained, and designed for use in highly targeted intelligence collection campaigns.”

Recently, Zscaler also published a report on new espionage operations conducted by Molerats, targeting the banking sector in Palestine, individuals related to Palestinian political parties, as well as human rights activists and journalists in Turkey. Proofpoint believes the attacks it has analyzed occurred concurrently to the activity detailed by Zscaler.

Related: APT Group Using Voice Changing Software in Spear-Phishing Campaign

Related: New Backdoors Used by Hamas-Linked Hackers Abuse Facebook, Dropbox

Related: Hamas-Linked Hackers Add Insurance and Retail to Target List

Related: New Backdoor Attacks Leverage Political Turmoil in Middle East

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cyberwarfare

Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Cyber Insurance

Cyberinsurance and protection firm Boxx Insurance raises $14.4 million in a Series B funding round led by Zurich Insurance.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Cyberwarfare

Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.