The Advanced Persistent Threat group Molerats, which has been linked to Hamas, has added three new tools to its arsenal: SharpStage, DropBook, and MoleNet. All three give the operators a way to run additional code on compromised machines, and Molerats typically targets organizations in the Middle East.
Interestingly, all of these tools rely on public cloud services, Dropbox and Google Drive, which helps them evade detection: both services carry a high volume of legitimate, encrypted traffic, so stolen data leaving over them does not stand out the way a large outbound stream to an unfamiliar server would. Using file-sharing services for malware is not a new idea, but it does appear to be on the rise as threat actors take advantage of the ability to hide traffic in plain sight. The practical consequence for defenders is that domain reputation and destination blocking offer little here; the signal that remains is which process is talking to the service, and how much it uploads.
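The detection angle that follows from this, written up as an added example (not code from the article or from any vendor report): the cloud-storage hostnames are legitimate and busy, so the logic below ignores the destination's reputation and instead asks whether the connecting process is one that should be talking to that service, and whether its upload volume is plausible. The log shape, the allow-list of "expected" client processes, the threshold and the sample events are all assumptions constructed for this illustration and would need tuning to a real environment.

```python
"""Flag cloud-storage API use that breaks a per-process baseline.

Added example, not from the original article. Endpoint network events
(host, process image, bytes sent) are assumed to come from an EDR or a
TLS-inspecting proxy; the field layout here is constructed for illustration.
"""
from dataclasses import dataclass

# Hostnames the two storage services are reached through, keyed by service.
CLOUD_STORAGE_HOSTS = {
    "dropbox": {"api.dropboxapi.com", "content.dropboxapi.com", "www.dropbox.com"},
    "gdrive": {"www.googleapis.com", "drive.google.com"},
}

# Assumed baseline for this environment: processes expected to reach each
# service (official sync client plus browsers). This list is illustrative.
EXPECTED_CLIENTS = {
    "dropbox": {"dropbox.exe", "chrome.exe", "msedge.exe", "firefox.exe"},
    "gdrive": {"googledrivefs.exe", "chrome.exe", "msedge.exe", "firefox.exe"},
}

# Assumed threshold: total upload per (process, service) above which even an
# expected client is reported, since sync clients rarely push this much at once.
UPLOAD_BYTES_THRESHOLD = 50 * 1024 * 1024  # 50 MiB


@dataclass
class NetEvent:
    host: str       # destination hostname (DNS, TLS SNI, or proxy log)
    process: str    # image name of the process that opened the connection
    bytes_out: int  # bytes the process sent on this connection


def service_for(host):
    """Map a hostname to a storage service name, or None if it is not one."""
    host = host.lower()
    for svc, hosts in CLOUD_STORAGE_HOSTS.items():
        if host in hosts:
            return svc
    return None


def find_suspicious(events):
    """Return findings for cloud-storage use that breaks the baseline.

    Two checks: (1) any connection from a process not expected to use that
    service; (2) aggregate upload volume per (process, service) over threshold.
    """
    findings = []
    upload_totals = {}
    for ev in events:
        svc = service_for(ev.host)
        if svc is None:
            continue  # not a cloud-storage endpoint; out of scope here
        proc = ev.process.lower()
        upload_totals[(proc, svc)] = upload_totals.get((proc, svc), 0) + ev.bytes_out
        if proc not in EXPECTED_CLIENTS[svc]:
            findings.append({"reason": "unexpected_process", "process": proc,
                             "service": svc, "bytes_out": ev.bytes_out})
    for (proc, svc), total in upload_totals.items():
        if total > UPLOAD_BYTES_THRESHOLD:
            findings.append({"reason": "high_upload_volume", "process": proc,
                             "service": svc, "bytes_out": total})
    return findings


# Constructed sample events (not real telemetry): a normal sync client, a
# browser session, an unknown binary posting to the Dropbox content API, a
# browser pushing far more to Google Drive than usual, and unrelated traffic.
SAMPLE_EVENTS = [
    NetEvent("api.dropboxapi.com", "Dropbox.exe", 2_048),
    NetEvent("www.googleapis.com", "chrome.exe", 12_000),
    NetEvent("content.dropboxapi.com", "updater.exe", 4_000_000),
    NetEvent("www.googleapis.com", "chrome.exe", 80 * 1024 * 1024),
    NetEvent("example.com", "updater.exe", 100),
]

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f"{f['reason']:20} {f['process']:14} {f['service']:8} {f['bytes_out']} bytes")
```

The two checks deliberately produce different signal quality: an unexpected process reaching a storage API is a strong lead on its own, while the volume check is a tuning knob that will need a per-environment baseline before it is quiet enough to alert on.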
What sets these tools apart, besides their use of cloud infrastructure, is how narrowly they are aimed at the Middle East: the payloads do not activate unless the compromised device has an Arabic keyboard layout installed, a gate that also leaves them inert in analysis sandboxes configured with other locales. Once active, however, the tools can execute operator commands, including installing additional software and exfiltrating data.
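To make the gating concrete, here is an added example (not code from the article or from the tools it describes) of how a keyboard-layout check on Windows works, and how an analyst can tell whether a detonation VM would pass it. Windows identifies each installed layout by an HKL handle whose low 16 bits are a LANGID, and the low 10 bits of the LANGID are the primary language identifier (LANG_ARABIC is 0x01, LANG_ENGLISH is 0x09). The sample handle values, the `gate_passes` function name and the layout lists are constructed for this illustration.

```python
"""Decode Windows keyboard layout handles and evaluate a locale gate.

Added example, not from the original article. The HKL/LANGID bit layout is
Windows documented behaviour; the handle values below are constructed samples.
"""
import sys

LANG_ARABIC = 0x01   # primary language id for Arabic
LANG_ENGLISH = 0x09  # primary language id for English


def primary_language(hkl):
    """Primary language id from an HKL (or bare LANGID).

    The LANGID sits in the low 16 bits of the handle; its low 10 bits are the
    primary language and the high 6 bits the sublanguage (region).
    """
    return hkl & 0x3FF


def has_language(layouts, primary_lang):
    """True if any installed layout uses the given primary language."""
    return any(primary_language(h) == primary_lang for h in layouts)


def gate_passes(layouts, required=LANG_ARABIC):
    """The kind of targeting gate the article describes: proceed only when a
    layout for the required language is present. Name is hypothetical."""
    return has_language(layouts, required)


def installed_layouts():
    """Enumerate installed keyboard layouts via user32 on Windows.

    Returns an empty list on other platforms so the module stays importable
    there; the decoding above then runs on constructed sample handles.
    """
    if sys.platform != "win32":
        return []
    import ctypes
    user32 = ctypes.WinDLL("user32", use_last_error=True)
    count = user32.GetKeyboardLayoutList(0, None)
    buf = (ctypes.c_void_p * count)()
    user32.GetKeyboardLayoutList(count, buf)
    # Only the low 32 bits of an HKL carry information; mask to keep them.
    return [h & 0xFFFFFFFF for h in buf if h]


# Constructed sample handles in HKL form (device id in the high word, LANGID
# in the low word). 0x04090409 is the US English layout, 0x04010401 the
# Arabic (101) layout under the Arabic (Saudi Arabia) locale.
SANDBOX_DEFAULT = [0x04090409]              # a stock English-only analysis VM
TARGET_LIKE = [0x04090409, 0x04010401]      # a host with Arabic input added

if __name__ == "__main__":
    live = installed_layouts()
    layouts = live if live else SANDBOX_DEFAULT
    print("layouts:", [hex(h) for h in layouts])
    print("Arabic layout present:", gate_passes(layouts))
```

The defensive takeaway is the mirror image of the gate: a sandbox meant to detonate samples aimed at this region should have an Arabic layout installed, otherwise the payload stage never runs and the analyst sees only the dormant loader.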