MoleRats: there’s more to the naked eye

21 November 2016


  View Simon Borwick’s profile on LinkedIn 

There has been some recent news regarding the activities of a Middle Eastern threat group known as MoleRats (or Gaza Hackers Team)[1]. We are releasing this blog which contains indicators to help security professionals in detecting this activity.

Please contact us on [email protected] and we would be happy to send you a TLP-AMBER version of this report containing further information that you are welcome to distribute further in line with the US-CERT definition for TLP.

Recent Reports 

In the past few days, both Vectra Networks and PaloAlto have released reports relating to new activities carried out by the MoleRats group:

  • Vectra Networks describes a campaign they refer to as Moonlight and provides an overview of the decoy documents, malware (H-worm and njRAT) and infrastructure.[2]
  • Palo Alto describes a new version of H-worm and focuses on its modules and infrastructure.[3]

PwC analysts have been tracking the same malware campaign, which has seen a noticeable spike since at least April 2016. The attackers have targeted Arabic news websites, political figures and other targets that possess influence in the Palestinian territories and other neighbouring Arab countries.

Our investigation began by analysing around 20 executable files associated with the attacks. Several of these files opened decoy documents and audio files, which were exclusively in Arabic-language. The filenames are translated as follows (this is not a complete list): 

- Son of Hamas preacher arrested by counter-narcotics police;

- Voice recording of an Egyptian-UAE meeting;

- Leak relating to a UAE security meeting;

- President gets rid of Fatah leadership and replaces it with Abu Samhadanah; and

- General Lino responsible for moral projection of Zakaria Al-Agha

The most common way the malware was packaged in the MoleRats’ campaign was through a self-extracting RAR file; however the attackers also appear to have used several other solutions to drop their malware, including a Visual Basic-based wrapper and an Auto-IT based wrapper.

The identification of decoy documents and audio files infers that the malware may have been delivered through spear phishing; however our research has not been able to find any emails relating to the campaign.

Cyber security image 1

Figure 1 – An Arabic-language decoy document titled “Urgent / Armed groups in Ramallah issue statement threatening Palestinian security forces

Cyber security image 2

Figure 2 – graphing domains used in this particular campaign

Since the malware itself has already been extensively described by both Vectra Networks and Palo Alto, we will simply add on their indicators, which are listed below.

PwC Threat Intelligence subscribers can refer to CTO-SIB-20161026-01A published in October 2016 for further details and the wider context to this activity.


If you'd like to download and copy the information on this table please click here.

Cyber 3

Cyber 4

By Bart Parys


  View Simon Borwick’s profile on LinkedIn