An advanced persistent threat (APT) hacking gang with apparent Palestinian goals has launched a new campaign using the previously undocumented NimbleMamba implant. According to research by enterprise security firm Proofpoint, the breaches used a complex attack chain to target Middle Eastern governments, foreign policy think tanks, and a state-affiliated airline. The covert operation was attributed to a threat actor known as Molerats (TA402).
The APT group, which constantly updates its malware implants and delivery methods, was most recently linked to an espionage attack targeting human rights activists and journalists in Palestine and Turkey. A subsequent attack, revealed in June 2021, resulted in the deployment of a backdoor known as LastConn. The operators have since aggressively retooled their arsenal, countering the dip in activity that followed. NimbleMamba, intended to replace LastConn, is the product of that retooling. It is likely an improved version of another backdoor known as SharpStage, which the same group employed in December 2020 as part of its activities.
“NimbleMamba uses guardrails to ensure that all infected victims are within TA402’s target region,” the researchers said, adding the malware “uses the Dropbox API for both command-and-control as well as exfiltration,” suggesting its use in “highly targeted intelligence collection campaigns.”
The attacks also deploy BrittleBush, a trojan that contacts a remote server to obtain Base64-encoded commands to execute on infected PCs. The attacks are believed to have coincided with the previously described hostile activity aimed at Palestine and Turkey, and the infection sequence matches the threat actor’s established method of compromising its targets. The initial spear-phishing emails contain geofenced URLs that lead to malware payloads only if the recipient is in one of the targeted locations; targets outside the attack radius are instead redirected to a benign news site such as Emarat Al Youm.
However, in December 2021 and January 2022, more recent iterations of the campaign used Dropbox URLs and attacker-controlled WordPress sites to distribute malicious RAR files containing NimbleMamba and BrittleBush. The development is the latest example of adversaries abusing legitimate cloud services like Dropbox to launch attacks, and of how quickly sophisticated actors can respond to public disclosure of their intrusion methods by building new tooling that bypasses security and detection layers.