Below is an essay discussing Operation Molerats, a broad campaign of attacks launched from the Middle East against various governments around the world, which uses an old, publicly available remote access tool called Poison Ivy.
The campaign is significant because more (not fewer) nation-state threat actors are using seemingly dated RATs such as Poison Ivy, and they are still succeeding in compromising large organisations today. In this particular case, the threat actor appears to favour targets in the Middle East, although U.S. organisations were hit as well.
Operation Molerats: Middle East Cyber Attacks Using Poison Ivy
Don't be too hasty to link every Poison Ivy-based cyber attack to China. The popular remote access tool (RAT), which we recently detailed on this blog, is being used in a broad campaign of attacks launched from the Middle East, too.
First, some background:
In October 2012, malware attacks against Israeli government targets grabbed media attention when Israeli officials temporarily cut off Internet access for the entire police force and banned the use of USB memory sticks. [1] Security researchers subsequently linked these attacks to a broader, yearlong campaign that targeted not just Israelis but Palestinians as well [2], and, as discovered later, even the U.S. and UK governments. [3] Further research revealed a connection between these attacks and members of the so-called "Gaza Hackers Team." We refer to this campaign as "Molerats."
Threat actors in specific geographic regions may prefer one RAT to another, but many RATs are publicly available and used by a variety of threat actors, including those involved in malware-based espionage.
In 2012, the Molerats attacks appeared to rely heavily on XtremeRAT, a freely available tool that is popular with attackers based in the Middle East. [5] But the group has also used Poison Ivy (PIVY), a RAT more commonly associated with threat actors in China [6], so much so that PIVY has, inaccurately, become synonymous with all APT attacks linked to China.
This blog post analyzes several recent Molerats attacks that deployed PIVY against targets in the Middle East and in the U.S. We also examine additional PIVY attacks that leverage Arabic-language content related to the ongoing crisis in Egypt and the wider Middle East to lure targets into opening malicious files. [7]
Enter Poison Ivy
We observed several attacks in June and July 2013 against targets in the Middle East and the U.S. that dropped a PIVY payload that connected to command-and-control (CnC) infrastructure used by the Molerats attackers.
The malware sample we analyzed was unusual for two reasons:
- It referenced an article that had been published the previous year.
- The compile time of the dropped binary was also dated to the previous year, seemingly consistent with the referenced article. But this malware was digitally signed, and, in contrast to the compile time, which is a header field the attacker can set to any value, the signing time recorded in its signature was much more recent: Monday, July 08, 2013 1:45:10 A.M.
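The mismatch described above can be checked mechanically. The PE compile time is the 32-bit `TimeDateStamp` field in the COFF file header, written by the linker and trivially editable afterwards, whereas the Authenticode signing time comes from the signature blob referenced by the security data directory. The following is an added example, not code from the original post or from the Molerats samples: it parses the relevant header fields from a synthetic PE header constructed in the script (the 2012 compile stamp is a made-up value, since the post gives only the year), then compares the claimed compile time with the signing time the post reports. The signing time's timezone is not stated in the post and is assumed to be UTC here; the 90-day tolerance is an arbitrary triage threshold, not a figure from the post.

```python
"""Compare a PE file's forgeable compile timestamp with its Authenticode signing time."""
import struct
from datetime import datetime, timedelta, timezone

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # index of the certificate-table data directory

# Signing time reported in the post; timezone is an assumption (UTC).
SIGNING_TIME = datetime(2013, 7, 8, 1, 45, 10, tzinfo=timezone.utc)
# Constructed 2012 compile stamp: the post says only "the previous year".
CLAIMED_COMPILE_TS = int(datetime(2012, 10, 1, tzinfo=timezone.utc).timestamp())


def build_minimal_pe(compile_ts, signed=False, pe32plus=False):
    """Construct a synthetic PE header (test input, not a real sample).

    Only the fields parse_pe_header() reads are meaningful: e_lfanew, the COFF
    TimeDateStamp, NumberOfRvaAndSizes and the security data directory entry.
    """
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)          # e_lfanew -> PE signature
    opt_size = 240 if pe32plus else 224
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1,
                       compile_ts, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)   # optional-header magic
    nrva_off, dd_off = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", opt, nrva_off, 16)                       # NumberOfRvaAndSizes
    if signed:
        # Security directory holds a file offset and size of the WIN_CERTIFICATE blob
        struct.pack_into("<II", opt, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         0x400, 0x200)                              # constructed values
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def parse_pe_header(data):
    """Return the compile time and whether a certificate table is present."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsec, ts, _, _, _opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:
        nrva_off, dd_off = 92, 96      # PE32
    elif magic == 0x20B:
        nrva_off, dd_off = 108, 112    # PE32+
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    nrva = struct.unpack_from("<I", data, opt + nrva_off)[0]
    sec_size = 0
    if nrva > IMAGE_DIRECTORY_ENTRY_SECURITY:
        _sec_off, sec_size = struct.unpack_from(
            "<II", data, opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return {
        "machine": machine,
        "compile_time": datetime.fromtimestamp(ts, tz=timezone.utc),
        "has_authenticode": sec_size != 0,
    }


def assess_timestamps(compile_time, signing_time, max_gap=timedelta(days=90)):
    """Classify the relationship between claimed compile time and signing time.

    A signing time earlier than the compile time is impossible for an honest
    build, so the compile stamp is forged. A signing time long after the compile
    stamp is only suspicious: legitimate vendors do sometimes sign old builds, so
    treat it as a triage signal, not proof.
    """
    gap = signing_time - compile_time
    if gap < timedelta(0):
        return "signed_before_compile", gap
    if gap > max_gap:
        return "stale_compile_stamp", gap
    return "consistent", gap


def demo():
    """Run the check against the constructed sample; returns (header, verdict, gap)."""
    sample = build_minimal_pe(CLAIMED_COMPILE_TS, signed=True)
    hdr = parse_pe_header(sample)
    verdict, gap = assess_timestamps(hdr["compile_time"], SIGNING_TIME)
    return hdr, verdict, gap


if __name__ == "__main__":
    header, verdict, gap = demo()
    print("compile time :", header["compile_time"])
    print("signed       :", header["has_authenticode"])
    print("signing time :", SIGNING_TIME)
    print("verdict      :", verdict, "(gap %d days)" % gap.days)
```

On a real file, replace the constructed header with the file's bytes and take the signing time from the signature's timestamp countersignature (for example via `signtool verify /v` or `osslsigncode verify`); an unsigned file has a zero-sized security directory and no signing time to compare, so the compile stamp alone should not be trusted either way.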