Rocket Kitten Attack Group Returns to Spy On Israeli/Euro Firms

Security researchers have uncovered a new targeted attack campaign against Israeli and European organizations launched by the state-sponsored threat group known as ‘Rocket Kitten’.

Operation Woolen-GoldFish is a different set-up from the group’s previous effort, detailed at the 31C3 conference.

That attack relied on a spear-phishing email loaded with a malicious Office attachment, but for the GHOLE malware download to begin, users had to allow macros to see the content, said Trend Micro in a new report.

This new campaign features an improved, more believable spear-phishing element with exclusive content designed to encourage the user to click through.

It also replaces the malicious attachment with a Microsoft OneDrive link leading to a malicious executable posing as a PowerPoint file, named ‘Iran’s Missiles Program.ppt.exe’. This tactic could have been devised to help the attack bypass email security, the report claimed.

The executable then drops a version of the CWoolger keylogger on the victim’s machine to hoover up details. The report authors claim this malware is “not as advanced as its contemporaries.”
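The double extension on that file name is the kind of thing a mail or proxy filter can check for. The following Python is added here as an illustration and is not part of Trend Micro’s report: it flags download file names whose final extension executes while an inner one looks like a document. The sample URLs and the `onedrive.example` host are constructed, not real indicators.

```python
import re
from urllib.parse import urlparse, unquote

# Extensions users expect to open as documents or images.
DOCUMENT_EXTS = {"ppt", "pptx", "doc", "docx", "xls", "xlsx", "pdf", "txt", "jpg", "png"}
# Extensions Windows will execute when double-clicked.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "msi"}


def filename_from_url(url: str) -> str:
    """Return the last path component of a URL, percent-decoded
    (e.g. 'Iran%27s%20Missiles%20Program.ppt.exe' -> "Iran's Missiles Program.ppt.exe")."""
    path = urlparse(url).path
    return unquote(path.rsplit("/", 1)[-1])


def classify_filename(name: str) -> dict:
    """Flag a name whose final extension executes while an earlier extension
    looks like a document, i.e. a '<document>.<ppt>.<exe>' masquerade."""
    # Lower-case and strip padding so 'report.PPT .exe' is still caught.
    parts = [p.strip() for p in name.lower().split(".")]
    if len(parts) < 2:
        return {"name": name, "executable": False, "masquerade": False}
    final, inner = parts[-1], parts[1:-1]
    is_exe = final in EXECUTABLE_EXTS
    masquerade = is_exe and any(p in DOCUMENT_EXTS for p in inner)
    return {"name": name, "executable": is_exe, "masquerade": masquerade}


def scan_urls(urls):
    """Return the classification of every URL whose file name is a masquerade."""
    results = (classify_filename(filename_from_url(u)) for u in urls)
    return [r for r in results if r["masquerade"]]


# Constructed sample of download URLs as a proxy log might record them.
SAMPLE_URLS = [
    "https://onedrive.example/download/Iran%27s%20Missiles%20Program.ppt.exe",
    "https://onedrive.example/download/Quarterly%20Report.pptx",
    "https://onedrive.example/download/invoice.pdf.scr",
    "https://onedrive.example/download/setup.exe",
]

if __name__ == "__main__":
    for hit in scan_urls(SAMPLE_URLS):
        print("masquerading executable:", hit["name"])
```

A plain `setup.exe` is reported as executable but not as a masquerade, so the rule targets the deception rather than every binary download.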

As for attribution, Trend Micro has made a connection between main author ‘Wool3n.H4t’ and Iran:

“There was not much information on Wool3n.H4t, which is not a common nickname, on the Internet. However, we found that this nickname owned an inactive blog hosted by a free service in Iran and was registered in several underground hacking forums. The blog only contained two posts signed by Masoud_pk, which could be part of the real identity of Wool3nh4t. Masoud is one of the top 50 commonly used first names in Iran.”

While Operation Woolen-GoldFish threat actors aren’t as technically sophisticated as many other attack groups, they are improving and even with this limited capacity have managed to compromise several Israeli and European organizations.

“The discovery of the CWoolger keylogger compiled on 7 February 2015 may be the strongest indication that this targeted attack group, which Wool3n.H4t seems to be a part of, is very active and may be developing its own malware,” Trend Micro continued.

“With Wool3n.H4t as both the malware developer and infrastructure controller, it can be loosely deducted that the group comprises very few people.”

The security giant also claimed that the group itself was likely comprised of “old-fashioned cyber-criminals” – an assumption made based on the use of nicknames and passwords and the evolution of the campaign.

“This campaign, like the first one the group launched, shows that the targeted entities do have a particular interest for the Islamic Republic of Iran,” it concluded.

“While motives behind targeted attack campaigns may differ, the end results are one and the same – shift in power control, either economically or politically.”
