Proofpoint researchers have said that malware called LastConn, distributed by TA402, a threat actor also known as Molerats, has targeted government institutions in the Middle East and global government organizations associated with geopolitics in the region.
TA402 has been active since at least 2011 and is believed to operate out of the Middle East; its targets include, but are not limited to, organizations in Israel and Palestine. The group is known to target multiple industry verticals, including technology, telecommunications, financial institutions, academic institutions, military installations, media outlets and government offices. Its primary motivation is to collect sensitive information and documents from high-value targets for intelligence purposes.
Based on Proofpoint data, the phishing campaigns occurred on a weekly basis throughout early 2021 before abruptly stopping in March for a two-month hiatus, Proofpoint researchers Konstantin Klinger, Dennis Schwarz and Selena Larson wrote in a recent post. TA402, also known as Molerats and GazaHackerTeam, resumed email threat campaigns in early June with continued use of the malware Proofpoint dubbed LastConn.
The temporary disruption to email threat operations in March this year may be due to current tensions in the Middle East, including the violence in the Gaza Strip between Israeli forces and Hamas militants, or to the observance of Ramadan from April through early May. However, Proofpoint cannot confirm either hypothesis with high confidence.
The June campaigns leveraged a PDF attachment containing one or more geofenced URLs that led to password-protected archives holding the malware, Proofpoint said. The email and the PDF are typically both written in Arabic, and the lure is usually a geopolitical topic affecting the Middle East, especially the Gaza conflict. Proofpoint observed lure themes including “A delegation from Hamas meets with the Syrian regime” and “Hamas member list”.
The password for the RAR file is found in the text of the PDF. Extracting the archive reveals a custom TA402 implant; in recent campaigns the archive dropped LastConn, according to Proofpoint. Other malware observed on this delivery path includes SharpStage, Loda and MiraiEye RAT. A remote access trojan (RAT) gives the attacker full remote control of the infected machine, including access to local files, stored credentials and other sensitive data, and the same connection can be used to pull down further malware.
The payload is not served unconditionally. Proofpoint researchers were unable to determine the exact mechanism that gates the links to the hosted malware, but the PDF's URLs may only deliver the files when the requesting IP address belongs to one of the targeted countries in the Middle East, the researchers wrote. If the source IP address falls outside the target group, the URL may redirect the visitor to a benign decoy website, typically an Arabic-language news site.
Password-protecting the malicious archive and geofencing its delivery are two cheap anti-analysis techniques for bypassing automated analysis products: a sandbox or scanner that fetches the URL from an out-of-region address receives only the decoy, and one that does obtain the archive cannot open it without the password held in the PDF text.
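The delivery chain above, modelled as an added example that is not Proofpoint's code and not a reproduction of TA402's server: the script extracts the URL and password from lure text, mimics the geofence decision on the hosting side, and then classifies what a fetch returned so an analyst knows whether they got the archive or the decoy. The lure text, URL, password, the Arabic "كلمة المرور" label, the HTML decoy, the fake archive bytes and the use of the 203.0.113.0/24 documentation range as the "in-region" network are all constructed assumptions; only the RAR signatures are real.

```python
"""Model of the TA402 delivery chain described above: PDF text carrying
geofenced URLs plus the archive password, a server that hands the archive
only to in-region source addresses, and a triage check on what a fetch
actually returned. Every input here is constructed for the example."""
import ipaddress
import re

# Stand-in for the attacker's geofence; the real target ranges are not published,
# so the TEST-NET-3 documentation range plays the role of "in region".
TARGET_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Labels to search for; "كلمة المرور" is Arabic for "password" (assumed wording).
PASSWORD_RE = re.compile(r"(?:password|كلمة المرور)\s*[:：]\s*(\S+)", re.IGNORECASE)

RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"

# Constructed lure text in the style the article describes (Arabic, Gaza theme).
# The URL and password are hypothetical.
SAMPLE_PDF_TEXT = (
    "قائمة أعضاء حماس\n"
    "لتحميل الملف: https://example.com/docs/list.rar\n"
    "كلمة المرور: Hm2021!\n"
)
DECOY_HTML = b"<!DOCTYPE html><html><head><title>Decoy news page</title></head></html>"
FAKE_RAR = RAR5_MAGIC + b"\x00" * 16  # only the signature matters for this check


def extract_lure_artifacts(pdf_text):
    """Pull the download URLs and the archive password out of extracted PDF text."""
    m = PASSWORD_RE.search(pdf_text)
    return {"urls": URL_RE.findall(pdf_text), "password": m.group(1) if m else None}


def geofenced_response(client_ip, target_networks=TARGET_NETWORKS):
    """Attacker-side decision: real archive for in-region IPs, decoy for everyone else."""
    addr = ipaddress.ip_address(client_ip)
    return "archive" if any(addr in net for net in target_networks) else "decoy"


def simulate_fetch(url, client_ip):
    """Stand-in for the hosting server, so the example runs offline."""
    return FAKE_RAR if geofenced_response(client_ip) == "archive" else DECOY_HTML


def classify_download(blob):
    """Tell a RAR archive from an HTML decoy by its leading bytes."""
    if blob.startswith(RAR5_MAGIC) or blob.startswith(RAR4_MAGIC):
        return "rar"
    head = blob.lstrip()[:32].lower()
    if head.startswith(b"<!doctype html") or head.startswith(b"<html"):
        return "html"
    return "unknown"


def triage(pdf_text, egress_ip, fetch=simulate_fetch):
    """Fetch each lure URL from the given egress address and say what came back."""
    artifacts = extract_lure_artifacts(pdf_text)
    downloads = []
    for url in artifacts["urls"]:
        kind = classify_download(fetch(url, egress_ip))
        if kind == "rar":
            verdict = "archive retrieved; extract with the PDF password in an isolated VM"
        elif kind == "html":
            verdict = "decoy served; retry from an in-region egress before calling the link benign"
        else:
            verdict = "unrecognised content; inspect manually"
        downloads.append({"url": url, "content": kind, "verdict": verdict})
    return {"password": artifacts["password"], "downloads": downloads}


if __name__ == "__main__":
    print(triage(SAMPLE_PDF_TEXT, "198.51.100.7"))   # out of region: decoy
    print(triage(SAMPLE_PDF_TEXT, "203.0.113.5"))    # in region: archive
```

The practical lesson is in the two verdicts: an HTML page at the end of a lure URL is not evidence that the link is harmless, because that is exactly what an out-of-region sandbox is meant to see, and a retrieved archive is useless to a scanner unless the password is carried across from the PDF.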
Researchers assess with high confidence that LastConn is an updated version of the SharpStage malware first reported by Cybereason in December 2020.
LastConn is specifically targeted at computers with an Arabic language pack installed, to ensure it only runs on its intended targets; a machine without that language pack, which includes most default analysis sandboxes, will not see it execute. It uses Dropbox for all of its command and control (C2) capabilities and infrastructure. Proofpoint researchers assess that LastConn is actively developed and maintained, and it includes multiple capabilities intended to frustrate both automated and manual malware analysis.
FireEye had observed in August 2013 several attacks in June and July that year against targets in the Middle East and the U.S. that dropped a Poison Ivy (PIVY) payload connecting to command-and-control (CnC) infrastructure used by the Molerats attackers.
TA402 is a highly effective and capable threat actor that remains a serious threat, especially to entities operating in or working with government and other geopolitical organizations in the Middle East. Researchers anticipate TA402 will remain very active, based on its return to weekly threat activity this month, and that its targeting will stay largely focused on the Middle East region. Proofpoint assesses TA402 will continue to develop and modify customized malware implants and to add features that evade detection and automated analysis.
To defend against these campaigns, Proofpoint recommends that recipients treat password-protected archives with suspicion and open them only when they come from a trusted source. Proofpoint's Threat Research team has developed Emerging Threats (ET) rules to detect the post-infection network traffic.
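Because LastConn routes all of its C2 through Dropbox, the post-infection traffic the article mentions blends into legitimate cloud-storage use, and a bare hostname match on the Dropbox API is too noisy to act on. The hunt below is an added example, not Proofpoint's ET rules and not based on LastConn samples: it groups Dropbox API calls by source host and process, discards processes that belong on a managed desktop, and reports how many calls each remaining process made, whether it both downloaded and uploaded (tasking plus exfiltration), and the mean interval between calls as a beaconing hint. The log line format, the internal hostnames, the process baseline and the implant process name "members_list.exe" are constructed assumptions; the two Dropbox API hostnames are real.

```python
"""Hunt for a Dropbox-backed C2 channel, as LastConn uses, in web proxy logs.
Constructed for this example: the log format, the internal host and process
names, and the process baseline. The Dropbox API hostnames are real."""
import re
from collections import defaultdict
from datetime import datetime

# Real Dropbox API endpoints; a Dropbox-based implant cannot avoid them.
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
# Assumed baseline of processes allowed to talk to the Dropbox API on a managed desktop.
EXPECTED_PROCESSES = {"dropbox.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed line format: <timestamp> <src_host> <process> <dest_host> <method> <path>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<proc>\S+) (?P<dst>\S+) (?P<method>\S+) (?P<path>\S+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample log; "members_list.exe" is a hypothetical implant process name.
SAMPLE_LOG = """\
2021-06-08T09:00:01Z ws-fin-03 dropbox.exe api.dropboxapi.com POST /2/files/list_folder
2021-06-08T09:00:07Z ws-gov-17 members_list.exe content.dropboxapi.com POST /2/files/download
2021-06-08T09:00:37Z ws-gov-17 members_list.exe content.dropboxapi.com POST /2/files/upload
2021-06-08T09:01:07Z ws-gov-17 members_list.exe api.dropboxapi.com POST /2/files/list_folder
2021-06-08T09:01:12Z ws-hr-02 chrome.exe www.dropbox.com GET /home
2021-06-08T09:02:40Z ws-fin-03 powershell.exe api.dropboxapi.com POST /2/users/get_current_account
"""


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_dropbox_c2_candidates(text, expected=EXPECTED_PROCESSES):
    """Group Dropbox API calls by (host, process) and report those outside the baseline."""
    actors = defaultdict(lambda: {"hits": 0, "paths": set(), "times": []})
    for rec in parse_log(text):
        if rec["dst"] not in DROPBOX_API_HOSTS or rec["proc"].lower() in expected:
            continue
        slot = actors[(rec["src"], rec["proc"])]
        slot["hits"] += 1
        slot["paths"].add(rec["path"])
        slot["times"].append(datetime.strptime(rec["ts"], TS_FMT))

    findings = []
    for (host, proc), slot in sorted(actors.items()):
        paths = sorted(slot["paths"])
        # Downloads suggest tasking, uploads suggest exfiltration; both is the stronger signal.
        two_way = any(p.endswith("/download") for p in paths) and any(
            p.endswith("/upload") for p in paths
        )
        times = sorted(slot["times"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        findings.append({
            "host": host,
            "process": proc,
            "hits": slot["hits"],
            "two_way": two_way,
            "mean_gap_s": sum(gaps) / len(gaps) if gaps else None,
            "paths": paths,
        })
    return findings


if __name__ == "__main__":
    for finding in find_dropbox_c2_candidates(SAMPLE_LOG):
        print(finding)
```

Two caveats follow from the article itself. The process-to-destination pairing is the part that carries the signal, so this needs logs that record the originating process (endpoint telemetry or an authenticating proxy), not plain DNS. And since LastConn only runs on hosts with an Arabic language pack, a detonation sandbox that lacks one will never produce this traffic in the first place; configure the analysis VM to match the targeted environment before concluding that a sample is inert.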