fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Molerats Hackers Deploy New Malware in Highly Evasive Campaign

Molerats Hackers Deploy New Malware in Highly Evasive Campaign

The Palestinian-aligned APT group tracked as TA402 (aka Molerats) was spotted using a new implant named ‘NimbleMamba’ in a cyber-espionage campaign that leverages geofencing and URL redirects to legitimate websites.

The campaign was discovered by Proofpoint, whose analysts observed three variations of the infection chain, all targeting governments in Middle Eastern countries, foreign policy think tanks, and a state-owned airline.

As for the timeline of the recent attacks, the actors first used NimbleMamba in November 2021 and continued the operation until late January 2022.

Also Read: New Licensing Requirements For Cyber-Security Service Providers in 2022

Infection chain

In most attacks, TA402 uses spear-phishing emails that contain links to malware-dropping sites. The victims need to be within the targeted scope, or they are redirected to legitimate news sites.

If the target’s IP address matches the defined targeted region, a copy of NimbleMamba is dropped on their system inside a RAR file.

Proofpoint observed three different attach chains with slight variations concerning the theme of the phishing lure, the redirection URL, and the malware-hosting sites.

New TA402 infection chain
New TA402 infection chain
Source: Proofpoint

NimbleMamba

Proofpoint believes that TA402 developed NimbleMamba to replace LastConn, a backdoor and malware downloader exposed in a June 2021 report by the same firm.

In turn, LastConn is thought to have replaced SharpStage, exposed by Cybereason, in December 2020.

TA402 have demonstrated their capacity to quickly develop new custom tools when their existing set is uncovered and typically go through a period of distinct hiatus when they refresh.

Also Read: A Closer Look: The Personal Information Protection Law in China

NimbleMamba inevitably carries some code similarities with LastConn, but these are limited to the programming language, C2 encoding scheme, and the use of Dropbox API for communications.

The new tool features much more sophisticated anti-analysis systems and contains multiple guardrails to ensure that it only executes on targeted machines.

For example, the host needs to have the Arabic language pack installed, and the malware needs to be able to connect to four IP geolocation API services; otherwise, it won’t run.

If the prerequisites are met, NimbleMamba retrieves its configuration from a JustPaste.it page, which contains the obfuscated API auth key for C2 communication.

Pastes were added by someone using Israel's prime minister name
Pastes were added by someone using Israel’s prime minister name
Source: Proofpoint

“NimbleMamba has the traditional capabilities of an intelligence-gathering trojan and is likely designed to be the initial access,” explains Proofpoint’s report.

“Functionalities include capturing screenshots and obtaining process information from the computer. Additionally, it can detect user interaction, such as looking for mouse movement.”

The RAR files fetched from Dropbox don’t always contain only NimbleMamba, as the analysts also retrieved the BrittleBush trojan, which is most likely used as a backup tool.

Outlook

Now that the refreshed toolset of TA402 has been exposed again, the actors are expected to go dormant for a while to develop new tools.

Already, the domains used for delivering NimbleMamba and C2 communications have been taken offline.

The critical thing to remember is that the particular actor maintains the same target focus, serves the same pro-Palestinian objectives, and uses mainly phishing emails to initiate the infection chain.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us