Enrichment of Zscaler Research into Middle Eastern Espionage Attacks
Key Findings
Higher order infrastructure, utilizing IP addresses assigned to Palestinian providers, identified for the Molerats APT group
Additional ‘attacker’ hosts identified (23.237.73[.]126 and 45.128.73[.]179), used to target entities in Israel and Saudi Arabia.
Introduction
On 20 January 2022, Zscaler released a research blog detailing a Molerats espionage campaign against targets in the Middle East, which had commenced in July 2021.
Molerats, often referred to as the ‘Gaza Cybergang’, are an Arabic-speaking, politically-motivated threat group that has been operating since 2012. The group’s targets are primarily located in the Middle East, Europe, and the United States.
Zscaler’s analysts had identified a screenshot from an attacker machine (see Figure 1 below), which they believed had been inadvertently uploaded whilst the actors were testing malware. Within the screenshot an IP address, seemingly used to access the attacker machine, was identified – 185.244.39[.]105.
Figure 1: Screenshot of the Attacker Machine (Source – Zscaler)
In this blog we will explore activity surrounding 185.244.39[.]105 in further detail, using Team Cymru’s Pure Signal™ Recon platform.
Network Telemetry
185.244.39[.]105
When examining network telemetry data for 185.244.39[.]105 over the past few months, inbound connections to TCP/61003 were identified, with directionality inferred based on the ephemeral ports used by the peer IP addresses.
In total, connections were observed from ten distinct IP addresses (see Table 1 below) assigned to SPEED-CLICK-LIMITED, PS, with traffic most recently observed on 06 January 2022. Geolocation data placed a number of these IP addresses in the Gaza Strip.
As can be seen in Table 1, the relationship between the listed IPs and 185.244.39[.]105 is sequential, with no cross-over in use observed in the first and last seen timestamps.
This activity is indicative of one user/machine being utilized to access 185.244.39[.]105 over an extended time period, with the client IP address refreshing due to DCHP lease renewal; SPEED-CLICK-LIMITED is a home broadband provider (wireless and ADSL).
Given this pattern of IPs assigned to the same provider (SPEED-CLICK-LIMITED, PS) being utilized to connect to an IP associated with the Molerats APT group, we decided to examine network telemetry data, during the time periods specified, for each of the IPs listed in Table 1.
23.237.73[.]126
In each case, outbound sessions to remote UDP/46370 on 23.237.73[.]126 were observed (see Figure 2 below for an example of this activity). This IP address is assigned to FDCSERVERS, US – an American hosting/VPS provider.
Network telemetry data for 23.237.73[.]126 identified connections to remote TCP/443 on an IP address assigned to a provider in Saudi Arabia. This activity occurred between 21 – 22 December 2021. Passive DNS data for this IP address identified it as a mail server for the Secretariat General of a regional government organization in the Middle East.
When reviewing inbound network telemetry data for 23.237.73[.]126:46370, a further three IP addresses were observed in UDP sessions:
85.114.96[.]246
85.114.102[.]90
85.114.112[.]152
All three IP addresses were assigned to FUSION-SERVICES, PS, with geolocation data again placing them in the Gaza Strip.
As previously, a pivot was undertaken on these IP addresses in order to identify further Molerats APT infrastructure.
45.128.73[.]179
Two of the IP addresses assigned to FUSION-SERVICES, PS were observed in outbound sessions to remote UDP/47489 on 45.128.73[.]179. This IP address is assigned to DEDIPATH, US – an American hosting/VPS provider.
In addition, five of the IP addresses contained in Table 1, as well as a further IP address (45.130.98[.]149) assigned to SPEED-CLICK-LIMITED, were observed in UDP sessions to 45.128.73[.]179:47489.
Furthermore, inbound connections to TCP/61637 on 45.128.73[.]179 were observed from three of the IP addresses accessing 45.128.73[.]179:47489.
Network telemetry data for 45.128.73[.]179 identified connections to remote TCP/443 on an IP address assigned to an Israeli provider. This activity occurred on 15 January 2022. Passive DNS data for this IP address identified it as a web server for an Israeli government department.
Summary
Figure 3 (below) provides a summary of all the network telemetry data discussed so far in this blog, showing the links between the higher order infrastructure and ‘attacker’ hosts.
Commonalities
Open ports information for the three IP addresses identified at the bottom of Figure 6 as attacker infrastructure, showed that each host was running an Apache web server on TCP/80; version 2.4.18 (Ubuntu). Open source information indicated that in each case, this Apache version was first observed around June / July 2021. A variety of CVEs are reported for Apache version 2.4.18, dating back to 2016. It is possible that Molerats APT actors compromised these hosts for use in attack activity, although an alternative theory might be that the actors are using an outdated version of Apache in the setup of their C2 servers.
Given the apparent vulnerability of these servers, it should be noted that other malicious actors may have gained access during the period of activity examined in this blog.
Conclusion
From the starting point of an IP address (185.244.39[.]105) associated with the management of an ‘attacker machine’, it was possible to pivot and identify higher order infrastructure utilizing IP addresses assigned to a Palestine provider. From this point a further pivot led us to the identification of an additional ‘attacker’ host (23.237.73[.]126), based on observed connections to the mail server of a Middle Eastern government organization during December 2021.
Although it was possible to confirm successful connections were made to the mail server (based on observed TCP flags), it is unclear whether the Molerats APT actors were able to gain access to specific mailboxes (although this was the hypothesized intent).
Travelling back upstream from this new ‘attacker’ host, it was possible to identify further higher order infrastructure, which led to another ‘attacker’ host (45.128.73[.]179) being identified. In this case based on connections to an Israeli government web server during January 2022.
Based on these observations, it is apparent that the infrastructure first identified by Zscaler and expanded upon in this blog, is being utilized in current and ongoing operations attributable to the Molerats APT group.
Indicators of Compromise
23.237.73[.]126
45.128.73[.]179