The Palestinian APT group tracked as TA402 (also known as Molerats) was discovered using a new implant called ‘NimbleMamba’ in a cyber-espionage campaign that leverages geofencing and URL redirects to legitimate websites.

TA402 is a persistent threat targeting organizations and governments in the Middle East, regularly updating not only its malware implants but also its delivery methods. In June 2021, TA402 appeared to halt its activities for a short period and used that time to update its implants and delivery mechanisms, introducing malware named NimbleMamba and BrittleBush. TA402 also regularly uses geofencing techniques and varies its attack chains, which complicates detection efforts for defenders.

This new threat uses guardrails to ensure all infected victims are within TA402’s target region, the researchers said, adding that the malware “uses the Dropbox API for both command and control and exfiltration,” which suggests its use in collection campaigns.

It should be noted that a Trojan called BrittleBush is also delivered; it establishes communications with a remote server to retrieve Base64-encoded commands and executes them on infected machines. Furthermore, the attacks are said to have occurred in conjunction with malicious activity targeting Palestine and Turkey.
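Because NimbleMamba uses the Dropbox API for both command and control and exfiltration, one practical detection is to flag Dropbox API traffic from processes that have no business talking to it. The following is an added example, not code from the original article or from the researchers; the log format and the sample lines are constructed, the hostnames are Dropbox's public API endpoints, and the allow-list of expected processes is an assumption to tune per environment.

```python
import re

# Dropbox's public API hostnames (real endpoints); everything else below is constructed.
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com", "notify.dropboxapi.com"}
# Assumption: only the official client is expected to use the Dropbox API on these hosts.
ALLOWED_PROCESSES = {"dropbox.exe"}

# Constructed log format: one HTTP(S) request per line as seen by an endpoint agent/proxy.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) method=(?P<method>\S+) path=(?P<path>\S+)$"
)

# Constructed sample lines: a legitimate sync, an Office process uploading, a LOLBin polling.
SAMPLE_LOG = """\
2022-02-08T09:14:02Z host=api.dropboxapi.com proc=dropbox.exe method=POST path=/2/files/list_folder
2022-02-08T09:15:31Z host=content.dropboxapi.com proc=winword.exe method=POST path=/2/files/upload
2022-02-08T09:15:40Z host=api.dropboxapi.com proc=rundll32.exe method=POST path=/2/files/list_folder
2022-02-08T09:16:05Z host=www.example.com proc=chrome.exe method=GET path=/
"""


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def suspicious_dropbox_api_use(log_text, allowed=ALLOWED_PROCESSES):
    """Return (proc, host, path, reason) for Dropbox API calls from unexpected processes.

    Uploads are labelled as possible exfiltration; any other call as possible C2 polling.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["host"] not in DROPBOX_API_HOSTS:
            continue
        if rec["proc"].lower() in allowed:
            continue
        reason = "possible exfiltration" if "/upload" in rec["path"] else "possible C2"
        hits.append((rec["proc"], rec["host"], rec["path"], reason))
    return hits


if __name__ == "__main__":
    for hit in suspicious_dropbox_api_use(SAMPLE_LOG):
        print("ALERT unexpected Dropbox API use:", hit)
```

Correlating each hit with the parent process and the geographic location of the host helps separate a real infection from an unusual but benign integration, since the campaign only delivers payloads to recipients in its target regions.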

The infection sequence mirrors the technique the threat actor has used before to compromise its targets. Spear-phishing emails, which act as the starting point, contain geofenced links that lead to malware payloads only if the recipient is located in one of the targeted regions; everyone else is redirected to a legitimate website.

TA402 continues to be an effective threat actor that demonstrates its persistence with highly focused campaigns in the Middle East, and these show no sign of stopping, so appropriate security measures must be taken.
