Security News > 2020 > December > MoleRats APT Returns with Espionage Play Using Facebook, Dropbox
The MoleRats advanced persistent threat has developed two new backdoors, both of which allow the attackers to execute arbitrary code and exfiltrate sensitive data, researchers said.
The DropBook backdoor uses fake Facebook accounts or Simplenote for C2, and both SharpStage and DropBook abuse a Dropbox client to exfiltrate stolen data and for storing their espionage tools, according to the analysis, issued Wednesday.
As for its use of social media, and the cloud, "DropBook fetches a Dropbox token from a Facebook post on a fake Facebook account," according to the report.
After receiving the token, the backdoor collects the names of all files and folders in the "Program Files" directories and in the desktop, writes the list to a text file, and then uploads the file to Dropbox under the name of the current username logged on to the machine.
"The discovery of the new cyber-espionage tools along with the connection to previously identified tools used by the group suggest that MoleRats is increasing their espionage activity in the region in light of the current political climate and recent events in the Middle East," the report concluded.
News URL
https://threatpost.com/molerats-apt-espionage-facebook-dropbox/162162/