The Return of The Molerats

Threat actor Molerats (TA402) is reported to have launched a new phishing campaign with the use of an implant called "NimbleMamba". This Advanced Persistent Threat (APT) hacking group is linked to multiple espionage attacks, recently targeting multiple Middle Eastern governments, foreign-policy think tanks, and a state-affiliated airline.

NimbleMamba is a Windows-targeted intelligence gathering tool, an upgraded version of the "LastConn" malware which was first reported in June 2021 as pointed out by Cyware. Both malware share multiple similarities, with LastConn believed to be an updated version of the December 2020 "SharpStage" malware according to a research paper written by Cybereason. This strain of malware indeed achieves the "Mamba Mentality" (if you know, you know ;)) as with each variant, comes more advanced techniques to bypass any defensive measures in place.

Phishing emails were allegedly sent from accounts posing as Quora, Ugg boots, and Dropbox. Gmail was the preferred method of delivery for phishing emails; however, there seems to have been a shift to Dropbox URLs to deliver malicious payloads in the form of `.rar` files. Researchers observed the Trojan was delivered together with a secondary payload called "BrittleBrush", which is yet another intelligence-gathering tool, that researchers believe is in place to act as a form of redundancy.

Image from ProofPoint

"NimbleMamba uses guardrails to ensure that all infected victims are within TA402's target region" the researchers said, adding the malware "uses the Dropbox API for both command-and-control (C2) as well as exfiltration" suggesting its use in "highly targeted intelligence collection campaigns".

NimbleMamba was first discovered in November 2021 and is still being actively deployed today. Jamf Threat Defense identified a phishing attempt this month from this very campaign. Using evidence from this attempt, they compared the Indicators of Compromise (IoCs) against ones released by Proofpoint, and found they matched. Despite being thoroughly dissected, Proofpoint also noted that NimbleMamba possesses capabilities such as sophisticated obfuscation to complicate both automated and manual analysis.

Real-time NimbleMamba samples from MalwareBazaar Database

This malware attack is the latest example of adversaries using cloud services, like Dropbox, to launch attacks. Proofpoint has shared their investigation and analysis with Dropbox prior to publication, and they took the necessary actions for neutralising this activity within their organisation. Still, Molerats continues to be an effective and sophisticated threat actor that demonstrates its persistence in creating something powerful and effective that bypasses existing security and detection layers. Although thoroughly researched by the public, the APT group is expected to continue modifying its malware implants and infection chains to defy defensive efforts.