Israel’s Cybereason uncovers Middle East malware attack via Facebook and Dropbox

The cybersecurity company discovered three variants that leverage social media and cloud platforms to control devices and steal data

James Spiro 09:39 09.12.20

Israel’s Cybereason has announced that it has identified an active effort to steal data with malware that abused cloud platforms such as Facebook, Dropbox, Google Docs, and Simplenote. The company attributed the espionage campaign to Molerats, also known as ‘The Gaza Cybergang,’ an Arab group operating in the Middle East since 2012.


According to Cybereason, “This latest campaign leverages two previously unidentified backdoors dubbed SharpStage and DropBook, as well as a downloader dubbed MoleNet. The campaign leverages phishing documents that include various themes related to current Middle Eastern events.” One such event that drew people in pertained to a meeting held between Saudi Arabia’s Crown Prince Mohammed bin Salman, U.S. Secretary of State Mike Pompeo, and Israeli Prime Minister Benjamin Netanyahu.

Lior Div, Cybereason co-founder and CEO. Photo: Cybereason


“While it’s no surprise to see threat actors take advantage of politically charged events to fuel their phishing campaigns, it is concerning to see an increase in social media platforms being used for issuing command and control instructions and other legitimate cloud services being used for data exfiltration activities,” Lior Div, Cybereason co-founder and CEO, said.

Cybereason’s research team has highlighted some key findings, which include:


  • There are three new variants - the backdoors SharpStage and DropBook, as well as a downloader called MoleNet, which can help attackers steal data from ‘infected’ computers.


  • They abuse social media and cloud platforms - the backdoors use fake Facebook accounts and abuse Dropbox users to steal their data and store their espionage tools.


  • They’re politically motivated - emails used to attract victims included themes like Israeli-Saudi relations, Hamas elections, news about Palestinian politicians, and other regional events.


  • There are connections to past campaigns - the new backdoors have been observed alongside ‘Spark’, a backdoor previously connected with Molerats.


  • They’re targeting the Middle East - the operation was seen to mainly target the Palestinian Territories, UAE, Egypt, and Turkey.


Given the results of their findings, Cybereason concluded that the campaign operators sought to target high ranking political figures and government officials in the Middle East.


Cybereason was co-founded in 2012 by Div and Yossi Naar, who serves as its CVO. The company provides future-ready attack protection and has raised a total of $388.6 million over five rounds. It is headquartered in Boston and has offices in Tel Aviv, London, and Tokyo.