NimbleMamba - Molerats Hackers deploy New Malware
Reading Time: 2 minutes

Molerats hackers, a Palestine-aligned APT group tracked as TA402 are using new malware called NimbleMamba in a cyber-espionage campaign. It leverages geofencing and URL redirects to legitimate websites.

According to Proofpoint who discovered the campaign, there are three variations of the infection chain, that target governments in Middle Eastern countries, foreign policy think tanks, and a state-owned airline.

The group first used the NimbleMamba in November 2021 and continued the operation until late January 2022 with cyber attacks. 

The group carries out spear-phishing email campaigns that contain links to malware-dropping sites. To execute the malware the victims need to be within the targeted scope or are redirected to legitimate news sites.

A copy of NimbleMamba is dropped on their system inside a RAR file once the target’s IP address matches the defined targeted region. 

As mentioned earlier, the researchers have found three different chains with slight variations concerning the theme of the phishing lure, the redirection URL, and the malware-hosting sites.

About NimbleMamba
TA402 first used NimbleMamba to replace LastConn, a backdoor and malware downloader in June 2021, according to the Proofpoint report. Incidentally, LastConn replaced SharpStage, exposed by Cybereason, in December 2020.

The TA402 is capable of developing new tools which can be seen from the fact that they go through a period of distinct hiatus when they refresh after their existing set is uncovered. 

NimbleMamba has a few similarities with LastConn, though these are limited to the programming language, C2 encoding scheme, and the use of Dropbox API for communications.

It comprises more sophisticated anti-analysis systems and contains multiple guardrails to ensure that it only executes on targeted machines. This means the host needs to have an Arabic pack installed on their systems. The malware needs to connect to four IP geolocation API services, else it won’t run.

Once the initial criteria are met, NimbleMamba retrieves its configuration from a page. It contains the obfuscated API auth key for C2 communication.

Proofpoint in a report explained, “NimbleMamba has the traditional capabilities of an intelligence-gathering trojan and is likely designed to be the initial access. Functionalities include capturing screenshots and obtaining process information from the computer. Additionally, it can detect user interaction, such as looking for mouse movement.”

The researchers discovered NimbleMamba is not the only malware present in the RAR files fetched from DropBox, it also has the BrittleBush trojan, which is most likely used as a backup tool.

With their latest tool uncovered, TA402 is expected to go dormant for a while before bouncing back with renewed and powerful tools. 

The domains used to deliver NimbleMamba and C2 communications have been taken offline. One thing to keep in mind is the bad actors in this case have a specific target, serve the same pro-Palestinian objectives, and use mainly phishing emails to initiate the infection chain.

Related Articles:
New York Couple Arrested For Allegedly Conspiring to Launder Billions in Stolen Cryptocurrency
PrivateLoader – Pay Per Install Service offered by Malware Families to Expand their Targets
Vodafone Portugal Hit by Hackers, No Client Data Compromised