Hackers Use New NimbleMamba Implant in Recent Attacks
An advanced persistent threat (APT) group whose motives likely align with Palestine has launched a new campaign that takes advantage of a previously undocumented implant called NimbleMamba. The intrusions used an attack chain targeting Middle Eastern governments.
NimbleMamba uses safeguards to ensure that all infected victims are within the target region of the group, tracked as TA402, the researchers said, adding that the malware uses the Dropbox API for both command and control and exfiltration.
A trojan called BrittleBush is also delivered; it establishes communication with a remote server to retrieve Base64-encoded commands that are then executed on infected machines. The attacks are also said to have taken place alongside malicious activity targeting Palestine and Turkey.
Spear phishing emails, which act as a starting point, contain geofenced links that lead to malware payloads — but only if the recipient is in one of the target regions. If the targets are outside the attack radius, the links will redirect the user to a benign news site.
However, more recent variants of the campaign in December 2021 and January 2022 used Dropbox URLs and attacker-controlled WordPress sites to deliver malicious RAR files containing NimbleMamba and BrittleBush.
The development is the latest example of adversaries using cloud services such as Dropbox to launch their attacks.
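Because the article reports that NimbleMamba uses the Dropbox API for both command and control and exfiltration, one thing a defender can do is review outbound proxy logs for hosts that reach the public Dropbox API endpoints (api.dropboxapi.com and content.dropboxapi.com) with tooling other than the official client. The following is an added detection example, not code from the article or from any vendor report: the proxy log format, the sample lines, the upload threshold and the assumption that the official client announces itself with a User-Agent beginning "Dropbox-Desktop-Client" are all constructed for illustration.

```python
"""Flag hosts whose Dropbox API traffic looks like something other than the official
client: an unexpected User-Agent, split into low-volume polling (possible C2) and
high-volume uploads (possible exfiltration). Added example; log format is constructed."""
import re
from collections import defaultdict

# Public Dropbox API hostnames (real); the article reports the implant uses this API
# for command and control and for exfiltration.
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}

# Assumption for this example: the official desktop client identifies itself with a
# User-Agent that starts with this prefix. Any other agent talking to the API is reviewed.
KNOWN_CLIENT_UA_PREFIX = "Dropbox-Desktop-Client"

# Constructed proxy log format: ts src_ip method host path status bytes_out "user-agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) '
    r'(?P<status>\d{3}) (?P<bytes_out>\d+) "(?P<ua>[^"]*)"$'
)

# Constructed sample log: one legitimate client, one bulk uploader with a browser-like
# agent, one unrelated browsing host and one low-volume poller using a scripting library.
SAMPLE_LOG = """\
2022-01-14T09:12:01Z 10.0.0.21 POST content.dropboxapi.com /2/files/upload 200 7340032 "Dropbox-Desktop-Client/141.4.3845 (Windows)"
2022-01-14T09:13:44Z 10.0.0.37 POST api.dropboxapi.com /2/files/list_folder 200 512 "Mozilla/5.0 (compatible)"
2022-01-14T09:13:50Z 10.0.0.37 POST content.dropboxapi.com /2/files/upload 200 3145728 "Mozilla/5.0 (compatible)"
2022-01-14T09:14:02Z 10.0.0.37 POST content.dropboxapi.com /2/files/upload 200 4194304 "Mozilla/5.0 (compatible)"
2022-01-14T09:20:10Z 10.0.0.52 GET www.example.org /news 200 0 "Mozilla/5.0 (Windows NT 10.0)"
2022-01-14T09:21:30Z 10.0.0.60 POST api.dropboxapi.com /2/files/list_folder 200 300 "python-requests/2.27"
"""


def parse_log(text):
    """Parse proxy log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["bytes_out"] = int(d["bytes_out"])
            events.append(d)
    return events


def dropbox_api_summary(events):
    """Per source host: request count, bytes sent to the Dropbox API and User-Agents seen."""
    summary = defaultdict(lambda: {"bytes_out": 0, "user_agents": set(), "requests": 0})
    for e in events:
        if e["host"] in DROPBOX_API_HOSTS:
            s = summary[e["src"]]
            s["bytes_out"] += e["bytes_out"]
            s["user_agents"].add(e["ua"])
            s["requests"] += 1
    return summary


def flag_suspicious(summary, upload_threshold=1_000_000):
    """Return {src_ip: verdict} for hosts using a non-client User-Agent against the API.
    Hosts above the byte threshold are tagged as possible exfiltration, the rest as
    possible C2 polling. Threshold is a constructed value; tune it to the environment."""
    findings = {}
    for src, s in summary.items():
        unknown = {ua for ua in s["user_agents"] if not ua.startswith(KNOWN_CLIENT_UA_PREFIX)}
        if not unknown:
            continue
        verdict = "possible exfiltration" if s["bytes_out"] >= upload_threshold else "possible C2 polling"
        findings[src] = verdict
    return findings


if __name__ == "__main__":
    for src, verdict in sorted(flag_suspicious(dropbox_api_summary(parse_log(SAMPLE_LOG))).items()):
        print(f"{src}: {verdict}")
```

On the constructed sample, 10.0.0.21 is ignored because it presents the assumed client User-Agent, 10.0.0.37 is tagged as possible exfiltration for pushing roughly 7 MB through the upload endpoint with a browser-like agent, and 10.0.0.60 is tagged as possible C2 polling for a tiny list_folder request from a scripting library. A User-Agent string is an easily forged signal, so in practice this triage would be paired with endpoint telemetry showing which process opened the connection.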