Rocket Kitten, the APT group that delivered spear-phishing emails carrying the Ghole malware to Israeli and European institutions late last year, has lately been spotted mounting a new operation.
Dubbed Woolen-Goldfish (Woolen after “wool3n.h4t,” the handle of a group member, and Goldfish as a nod to the location from which the campaign was seemingly launched), this latest spear-phishing campaign initially delivered the Ghole malware, but the attackers later switched to a variant of the CWoolger keylogger.
“It is interesting to note that the Ghole malware is in fact a modified CORE IMPACT product. CORE IMPACT is a sophisticated penetration-testing tool from CORE, a legitimate company,” Trend Micro researchers pointed out.
In the Ghole malware campaign, the malware was delivered via a specially crafted MS Excel file that dropped a .DLL file on the target system and executed it using a macro embedded in the file.
“The use of macros to infect computers is deemed amateur. This shows that there is a gap between the maturity of the malware, which is good enough for its purpose, and the way it is delivered, which raises questions about the attackers’ professional capacity,” the researchers noted.
That gap has been closed in the Woolen-Goldfish campaign. The spear-phishing emails impersonated well-known Israeli engineers and figures in the defense field, and the decoy file was no longer attached to the email but offered for download from a OneDrive cloud storage account.
“The OneDrive link leads to an archive file containing a file named, ‘Iran’s Missiles Program.ppt.exe.’ This file, which has been taken offline, used the PowerPoint icon but was really an executable file,” the researchers shared. “The attackers probably decided to store their malicious binaries online rather than send them as an attachment to bypass email detection. Once executed, the file drops a nonmalicious PowerPoint file used as a decoy file, while silently infecting the system with a variant of the CWoolger keylogger.”
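The “.ppt.exe” lure above is the kind of masquerade a download or mail gateway can flag before a user ever sees the PowerPoint icon. The following triage check is an added example, not code from the article or from Trend Micro: it compares a file’s name against its leading bytes, and the sample names and byte strings (apart from the filename quoted above) are constructed for illustration.

```python
from typing import Dict, List, Tuple

# Document-like extensions an attacker may use as the visible "inner" extension,
# and executable extensions Windows will actually run.
DOC_EXTS = {"ppt", "pptx", "doc", "docx", "xls", "xlsx", "pdf"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}

# Well-known leading bytes (magic) for the formats these names claim.
MAGIC = {
    "pe": b"MZ",                 # Windows executable (PE/MZ header)
    "ole": b"\xd0\xcf\x11\xe0",  # legacy binary Office (.ppt/.doc/.xls)
    "zip": b"PK\x03\x04",        # OOXML containers (.pptx/.docx/.xlsx)
    "pdf": b"%PDF",
}
EXPECTED = {"ppt": "ole", "doc": "ole", "xls": "ole",
            "pptx": "zip", "docx": "zip", "xlsx": "zip", "pdf": "pdf"}


def classify_attachment(name: str, head: bytes) -> List[str]:
    """Return findings for a downloaded file given its name and first bytes.

    An empty list means the name and content are consistent."""
    findings = []
    parts = name.lower().rsplit(".", 2)  # "x.ppt.exe" -> ["x", "ppt", "exe"]
    final = parts[-1] if len(parts) > 1 else ""
    # 1. Document-looking name that really ends in an executable extension.
    if len(parts) == 3 and parts[1] in DOC_EXTS and final in EXEC_EXTS:
        findings.append("double_extension")
    # 2. Name claims a document type but the bytes are a Windows executable.
    if final in EXPECTED and head.startswith(MAGIC["pe"]):
        findings.append("pe_disguised_as_document")
    # 3. Name claims a document type and the bytes match neither that type nor PE.
    elif final in EXPECTED and not head.startswith(MAGIC[EXPECTED[final]]):
        findings.append("magic_mismatch")
    return findings


def scan(samples: List[Tuple[str, bytes]]) -> Dict[str, List[str]]:
    """Run the check over (name, leading bytes) pairs, e.g. from a download log."""
    return {name: classify_attachment(name, head) for name, head in samples}


if __name__ == "__main__":
    # Constructed samples: the first name is the lure quoted in the article.
    for name, result in scan([
        ("Iran's Missiles Program.ppt.exe", b"MZ\x90\x00\x03\x00"),
        ("agenda.pptx", b"PK\x03\x04\x14\x00"),
        ("notes.ppt", b"MZ\x90\x00\x03\x00"),
    ]).items():
        print(f"{name}: {result or 'ok'}")
```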
They believe that the decoy file was stolen by the same actors from the compromised computer of the aforementioned engineer.
Operation Woolen-Goldfish is alive and active, and it has managed to infiltrate several companies and organizations in Israel and Europe. The attackers are clearly improving their tactics, techniques and procedures.
“In this case, we were able to confirm that Wool3n.H4t was not only responsible for most of the infecting Office files used, but was also capable of developing malware. The discovery of the CWoolger keylogger compiled on 7 February 2015 may be the strongest indication that this targeted attack group, of which Wool3n.H4t seems to be a part, is very active and may be developing its own malware. With Wool3n.H4t as both the malware developer and infrastructure controller, it can be loosely deduced that the group comprises very few people,” the researchers concluded.
“Seeing the evolution of this targeted attack group, we believe its members, especially Wool3n.H4t, are traditional or old-fashioned cybercriminals. This assumption is based on the way the campaign spreads and evolves, including the nicknames and passwords used by Wool3n.H4t, which indicate that he rather comes from an underground hacking group. This campaign, like the first one the group launched, shows that the targeted entities do have a particular interest for the Islamic Republic of Iran. While motives behind targeted attack campaigns may differ, the end results are one and the same—a shift in power control, either economically or politically.”
For more details and indicators of compromise, check out the whitepaper.