Community Feature - @ChicagoCyber
A Curated Intelligence APT hunter - Joshua Miller - recently published new intelligence with Proofpoint on TA402 (aka Molerats), a likely Palestinian-aligned advanced persistent threat actor.
The group is actively engaged in campaigns leveraging a new implant, dubbed NimbleMamba, which is likely a replacement for its LastConn implant used previously. These campaigns have a complex attack chain that leverages geofencing and URL redirects to legitimate sites in order to bypass detection efforts.
- In June 2021, TA402 appeared to halt its activities for a short period of time, almost certainly to retool
- In a November 2021 campaign, TA402 masqueraded as the Quora website while using an actor-controlled Gmail account with an actor-controlled domain
- In December 2021, TA402 used multiple phishing pretences, including clickbait medical lures and ones allegedly sharing confidential geopolitical information
- In their latest campaigns (January 2022), TA402 continued to use lure content customized for each of their targets but slightly adjusted their attack chain by inserting an additional actor-controlled WordPress URL
Curated Intel Community Features are sourced using our Member Content channel on Discord. If you have recently produced a noteworthy piece of writing, a project, a podcast, an infographic or other CTI content let us know!