Molerats has surfaced before, and FireEye said that it has now spotted attacks in the Middle East and the United States. It said that attacks using off-the-shelf Remote Access Tools (RATs) should not be reflexively attributed to Chinese threat actors.
"Previous research has linked these campaigns to Molerats," it said, "but with so much public attention focused on [advanced persistent threat] threat actors based in China, it's easy to lose track of targeted attacks carried out by other threat actor groups based elsewhere."
FireEye said that the tools and tactics have been used to target organisations including the BBC, an unnamed "major US financial institution" and government departments in Israel, Turkey, Slovenia, Macedonia, New Zealand, Latvia, the US and the UK.
These attacks happened over the last five weeks, it added, and used a mix of new and recognisable tactics.
"Previous Molerats campaigns have used several garden-variety, freely available backdoors such as Cybergate and Bifrost, but, most recently, we have observed them making use of the PIVY and Xtreme RATs. Previous campaigns made use of at least one of three observed forged Microsoft certificates, allowing security researchers to accurately tie together separate attacks even if the attacks used different backdoors," it added.
"There also appears to be a habitual use of lures or decoy documents - in either English or Arabic-language - with content focusing on active conflicts in the Middle East. The lures come packaged with malicious files that drop the Molerats' flavor of the week, which happen to all be Xtreme RAT binaries in these most recent campaigns."
The end of May saw a malicious download URL sent to a well-known European government organisation. The shortened link led to "http://lovegame[.]us/Photos[.]zip", and FireEye said that the victim clicked it and downloaded the file.
Decoy files in the package cover the installation of the Xtreme RAT binary into a temporary directory, and according to the security company that same URL has been clicked at least 225 times since then, from a variety of hardware and software.
Other similar malicious files have been distributed through shortened URLs, it added, and many are hidden within self-extracting RAR archives.
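As an added illustration, not taken from the FireEye report or this article, the following Python check inspects a ZIP lure of the kind described above and flags archives that pair decoy documents with an executable, as well as members whose document extension hides a Windows PE header. The archive contents, file names and extension lists are constructed assumptions for the example.

```python
import io
import zipfile

# Assumed extension lists for this illustration, not FireEye indicators.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
DECOY_EXTS = {".doc", ".docx", ".pdf", ".rtf", ".jpg", ".png", ".txt"}
MZ_MAGIC = b"MZ"  # first two bytes of a Windows PE executable


def _ext(name: str) -> str:
    """Final extension of an archive member, so 'Photos.jpg.exe' -> '.exe'."""
    base = name.rsplit("/", 1)[-1].lower()
    return base[base.rfind("."):] if "." in base else ""


def analyse_archive(data: bytes) -> dict:
    """Classify ZIP members as decoys, executables or disguised executables
    (document extension but PE header) and decide whether the archive
    matches the decoy-plus-RAT layout described in the article."""
    report = {"executables": [], "decoys": [], "disguised": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = _ext(info.filename)
            with zf.open(info) as member:
                head = member.read(2)
            if head == MZ_MAGIC and ext not in EXECUTABLE_EXTS:
                report["disguised"].append(info.filename)
            elif ext in EXECUTABLE_EXTS or head == MZ_MAGIC:
                report["executables"].append(info.filename)
            elif ext in DECOY_EXTS:
                report["decoys"].append(info.filename)
    report["suspicious"] = bool(report["disguised"]) or (
        bool(report["executables"]) and bool(report["decoys"]))
    return report


def build_sample(with_payload: bool = True) -> bytes:
    """Constructed in-memory ZIP mimicking the lure layout: decoy files plus,
    optionally, placeholder 'executables' that consist only of an MZ header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Photos/conflict_photo1.jpg", b"\xff\xd8\xff decoy image")
        zf.writestr("Photos/statement.docx", b"PK decoy document")
        if with_payload:
            zf.writestr("Photos/Photos.jpg.exe", b"MZ placeholder, not a binary")
            zf.writestr("Photos/readme.pdf", b"MZ placeholder, not a binary")
    return buf.getvalue()
```

A real triage pipeline would replace the two-byte header check with full file-type identification and would also unpack nested or self-extracting archives.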
The attacks seem rather limited in scope, and FireEye said that off-the-shelf tools are most often used. However, it added that the range of targets is widening, and that the impact of this is "noteworthy".