Rocket Kittens target defence and IT bods from Europe & Israel
Hacker cats scratch folk gazing hungrily at Iran
A seemingly state-sponsored hacking crew has compromised systems in several organisations in Israel and Europe, according to new research by Trend Micro.
The so-called Rocket Kitten group has targeted defence and IT industries, government entities and academic institutions.
Victims include civilian and academic organisations in Israel, German-speaking government organisations and a European company, among others.
Rocket Kitten has launched two campaigns so far: "Operation Woollen-GoldFish" and “GHOLE”.
The earlier GHOLE campaign featured embedded macros in Microsoft Office files that victims were tricked into opening, before becoming infected. All this required user interaction, as Trend explains.
"Once the file is opened, it asks the user to allow macros to see the content. If the user does so, he is shown a decoy file while his computer is silently being infected by the GHOLE malware, allowing the attackers to have a remote access to that machine and bounce inside the corporate network of the target entity," Trend said.
The same group recently launched a more sophisticated attack. Woollen-GoldFish combines social engineering techniques and abuse of Microsoft OneDrive cloud storage.
The spear phishing content itself has improved. We have seen this group usurp the identities of high-profile personalities from Israel and use exclusive content made by one of these profiles as a decoy file.
The infection scheme has also changed: the spear-phishing email contains a link to a file stored on a free online storage service. The stored file is an archive file containing an executable file pretending to be a PowerPoint document.
Once clicked, this binary infects the target with a brand new malware, TSPY_WOOLERG.A, developed by one of the threat group members known as wool3n.h4t, who was already active in the first campaign.
"This campaign, like the previous one from the group, shows that the targeted entities do have a particular interest for the Islamic Republic of Iran," Cedric Pernet, a threat researcher at Trend Micro, concludes.
A blog post featuring a graphic to illustrate the Woollen-GoldFish campaign can be found here.
A more detailed white paper by Trend Micro on Rocket Kitten can be found here (PDF). ®