Full Report
Community Feature - @ChicagoCyberA

Curated Intelligence APT hunter Joshua Miller recently published new intelligence with Proofpoint on TA402 (aka Molerats), a likely Palestinian-aligned advanced persistent threat actor.

Ugg Boots 4 Sale: A Tale of Palestinian-Aligned Espionage | Proofpoint US

The group is actively engaged in campaigns leveraging a new implant, dubbed NimbleMamba, which is likely a replacement for its LastConn implant used previously. These campaigns have a complex attack chain that leverages geofencing and URL redirects to legitimate sites in order to bypass detection efforts.

TA402 activities:

* In June 2021, TA402 appeared to halt its activities for a short period of time, almost certainly to retool.
* In a November 2021 campaign, TA402 masqueraded as the Quora website while using an actor-controlled Gmail account with an actor-controlled domain.
* In December 2021, TA402 used multiple phishing pretences, including clickbait medical lures and ones allegedly sharing confidential geopolitical information.
* In their latest campaigns (January 2022), TA402 continued to use lure content customized for each of their targets but slightly adjusted their attack chain by inserting an additional actor-controlled WordPress URL.

Curated Intel Community Features are sourced using our Member Content channel on Discord. If you have recently produced a noteworthy piece of writing, a project, a podcast, an infographic or other CTI content, let us know!
Analysis Summary
# Threat Actor: TA402 (Molerats)
## Attribution & Identity
* **Identification:** TA402, also known as Molerats, is described as a likely Palestinian-aligned Advanced Persistent Threat (APT) actor.
* **Aliases/Associated Groups:** Molerats.
## Activity Summary
TA402 is actively engaged in espionage campaigns. This activity includes:
* Appearing to halt activities briefly in June 2021, likely for retooling.
* A November 2021 campaign that masqueraded as the Quora website, utilizing an actor-controlled Gmail account with an actor-controlled domain.
* A December 2021 campaign using multiple phishing lures, including clickbait medical lures and lures allegedly sharing confidential geopolitical information.
* Latest campaigns (January 2022) continued using customized lure content for targets, slightly adjusting the attack chain by inserting an additional actor-controlled WordPress URL.
## Tactics, Techniques & Procedures
The actor leverages a complex attack chain incorporating several distinct methods:
* Use of a new implant dubbed **NimbleMamba**, which is likely a replacement for the older **LastConn** implant.
* Techniques involving **geofencing** and **URL redirects** to legitimate sites aimed at bypassing detection efforts.
* Phishing via masquerading as legitimate websites (e.g., Quora).
* Use of actor-controlled domains and Gmail accounts for delivery.
## Targeting
* **Sectors:** Not explicitly detailed, but the nature of the activity (espionage, geopolitical lures) suggests potential targeting of government, political entities, or organizations dealing with sensitive information relevant to the region.
* **Geography:** Not explicitly detailed, but the actor alignment suggests interests within or related to the Middle East/Palestine conflict space.
* **Victims:** Specific victim organizations are not named in this summary, but the targeting is described as customized to individual targets.
## Tools & Infrastructure
* **Malware Families Used:** NimbleMamba (new implant), LastConn (previous implant).
* **Infrastructure:** Actor-controlled Gmail accounts, actor-controlled domains, and actor-controlled WordPress URLs used within the attack chain.
## Implications
TA402 is an adaptive group continuously updating its infrastructure and attack methodologies (e.g., replacing LastConn with NimbleMamba and adjusting the delivery chain via WordPress redirection) to maintain stealth and evade security controls. Their use of geofencing suggests targeted, high-value operations.
## Mitigations
* Implement robust email and web filtering to detect and block access to newly registered or suspicious actor-controlled domains/URLs.
* Monitor for unusual access patterns associated with URL redirects, especially those pointing to known legitimate services followed by malicious payload delivery.
* Ensure endpoint detection and response (EDR) capabilities are in place to catch the execution of new and evolving implants like NimbleMamba.
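As an added illustration of the redirect monitoring suggested above (example code written for this summary, not code from Curated Intelligence or Proofpoint), the Python below correlates proxy log events per client: a 3xx from a non-allowlisted host that lands on a legitimate service is flagged on its own (the path a geofenced-out visitor would see), and it is escalated when the same client then fetches a payload-like file from a non-allowlisted host shortly afterwards. The log format, the placeholder hosts, the allowlist and the time windows are all constructed assumptions to be tuned to your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log lines (placeholder .invalid hosts, not real indicators).
# Format: <ISO timestamp> <client ip> <url> <http status>
SAMPLE_LOG = """\
2022-01-10T09:00:01Z 10.0.0.5 http://blog-lure.invalid/wp-content/uploads/2022/01/note.php 302
2022-01-10T09:00:02Z 10.0.0.5 https://www.quora.com/ 200
2022-01-10T09:00:41Z 10.0.0.5 http://files-lure.invalid/download/brief.zip 200
2022-01-10T09:06:00Z 10.0.0.7 http://blog-lure.invalid/wp-content/uploads/2022/01/note.php 302
2022-01-10T09:06:01Z 10.0.0.7 https://www.quora.com/ 200
"""
# Assumed allowlist of legitimate landing services; tune to your environment.
LEGIT_HOSTS = {"www.quora.com", "www.google.com", "www.microsoft.com"}
PAYLOAD_EXT = (".zip", ".rar", ".exe", ".iso", ".7z")
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")

def parse(log):
    # Group events per client and order them by time.
    by_client = defaultdict(list)
    for ts, client, url, status in (m.groups() for m in map(LINE_RE.match, log.splitlines()) if m):
        by_client[client].append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                  "url": url, "host": url.split("/")[2].lower(), "status": int(status)})
    for evs in by_client.values():
        evs.sort(key=lambda e: e["ts"])
    return by_client

def detect(log, hop_window=timedelta(seconds=5), payload_window=timedelta(minutes=10)):
    """Flag a 3xx from a non-allowlisted host that lands on a legitimate service within
    hop_window ('decoy_redirect'); escalate to 'redirect_then_payload' when the same client
    fetches a payload-like file from a non-allowlisted host within payload_window."""
    alerts = []
    for client, evs in parse(log).items():
        for i, e in enumerate(evs[:-1]):
            nxt = evs[i + 1]
            if not (300 <= e["status"] < 400) or e["host"] in LEGIT_HOSTS:
                continue
            if nxt["host"] not in LEGIT_HOSTS or nxt["ts"] - e["ts"] > hop_window:
                continue
            kind, payload = "decoy_redirect", None
            for later in evs[i + 2:]:
                if later["ts"] - e["ts"] > payload_window:
                    break
                if later["host"] not in LEGIT_HOSTS and later["url"].lower().endswith(PAYLOAD_EXT):
                    kind, payload = "redirect_then_payload", later["url"]
                    break
            alerts.append({"client": client, "kind": kind, "redirector": e["host"],
                           "landing": nxt["host"], "payload": payload})
    return alerts
```

A decoy-only hit is low confidence by itself, but repeated hits on the same redirector host from several clients are worth pivoting on, since the geofenced path hides the payload from most observers.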