MoleRats attackers using Poison Ivy as they attempt to infiltrate global governments
A group of hackers that had previously targeted the US and UK governments has been spotted chucking malware at Israeli and various Middle Eastern targets, security researchers have revealed.
The MoleRats attackers have started using the prevalent Poison Ivy remote access Trojan (RAT), having previously been keen on the XtremeRAT, and hit Israeli targets in June and July.
FireEye picked up on the campaign after discovering an email that promised details on a story about Hamas shooting down an Israeli F-16 but carried an attachment with exploits hidden inside. In one attempt the hackers dropped a decoy document in Arabic containing a transcript of an interview with Salam Fayyad, the former Prime Minister of the Palestinian National Authority.
It appears Egyptians are amongst the MoleRats targets too. One malicious email seen by FireEye used protests in Egypt to lure targets into clicking on the nasty attachment. Another decoy document contained a biography of General Abdel Fattah el-Sisi, the commander-in-chief of the Egyptian Armed Forces.
The MoleRats’ widespread campaign has been ongoing since attacks against Israeli and Palestinian targets revealed last year.
“The attackers … have also targeted government entities in the UK and in the U.S. In addition to using XtremeRAT, which is popular among Middle Eastern attackers, we have found that Molerats have adopted the use of Poison Ivy RAT, which is traditionally favored by Chinese attackers,” the researchers wrote.
“We do not know if this is an intentional attempt by MoleRats to deflect attribution to China-based threat actors, or if they have simply added another, effective, publicly-available RAT to their arsenal. However, this development should raise a warning flag for those who attribute all Poison Ivy attacks to threat actors based in China. The ubiquity of off-the-shelf RATs makes determining positive attribution an increasing challenge.
“As events on the ground in the Middle East – and in Egypt in particular – receive international attention, we expect the MoleRat operators to continue leveraging these headlines to catalyse their operations.”