In June 2021, Proofpoint identified the first activities of TA402. After this research was published, TA402 seemed to go on hiatus for a short time, most likely to update its attack method and delivery mechanisms.
However, in late 2021, Proofpoint researchers identified a complex attack chain targeting Middle Eastern governments, foreign policy think tanks and a state-affiliated airline.
After three months of observation, the researchers are now reporting their findings and describing three subtle variations of this attack chain.
They attribute these campaigns to TA402, an APT actor also known as Molerats and believed to operate in the interests of the Palestinian Territories. According to Proofpoint research, TA402 is a persistent threat to organizations and governments in the Middle East because of its ability to continually retool. The group marked its return by launching new campaigns using malware that Proofpoint analysts have dubbed NimbleMamba and BrittleBush.
Additionally, TA402 regularly uses geofencing techniques and URL redirects to legitimate sites to circumvent detection efforts.
According to Sherrod DeGrippo, Emerging Threats Director at Proofpoint:
“In late 2021, TA402 refined its delivery methods and malware in campaigns that systematically targeted entities in the Middle East. Observation of these campaigns revealed a complex attack chain that was difficult to detect and precise enough to ensure that the malware only ran on the targeted machines.”
Proofpoint continues to monitor TA402, which will likely continue to evolve its infection methods for future attacks.
For more information, please see the Proofpoint blog post (threat-insight/ugg-boots-4-sale-tale-palestinian-aligned-espionage).