The cyber threat group Rocket Kitten has launched a spear-phishing campaign, known as Operation Woolen-Goldfish, which is thought to be targeting defence, IT, government and academic organisations.
In March 2015 Trend Micro released a research paper documenting an ongoing operation by the group. Trend Micro's researchers observed two successive campaigns launched by Rocket Kitten, and the differences between them show how the group's tradecraft has evolved.

Rocket Kitten has successfully infiltrated several companies in Israel and Europe, and continues to target civilian and academic organisations in Israel, German-speaking government organisations and a European company. According to Trend Micro's researchers, the group's interests lie in the defence, IT, government and academic sectors.

Operation Woolen-Goldfish marks a step up in Rocket Kitten's tradecraft: it combines social engineering with the abuse of Microsoft OneDrive cloud storage to host its payloads. One PowerPoint file used as a lure in these spear-phishing attempts indicates that the computer of a well-known engineer in Israel had already been breached with the WOOLERG keylogger. The name Woolen-Goldfish refers to the malware developer and one of the threat actors behind the operation (Woolen), and to the location of its original launch (Goldfish).

In addition to Operation Woolen-Goldfish, the same group had earlier run a campaign known as GHOLE. The GHOLE campaign relies on macros embedded in Microsoft Office files to infect victims, a technique widely regarded in the security industry as amateurish. It delivers the GHOLE malware, a modified version of the agent from Core Impact, a sophisticated commercial penetration-testing product from Core Security. The malware is believed to have been active since 2011 and has command-and-control (C&C) servers hosted in Germany.

Rocket Kitten relies on the common technique of spear-phishing e-mail for initial compromise. In the GHOLE campaign these e-mails carried a document whose macros download the malware; in Operation Woolen-Goldfish the victim instead receives a link to a file hosted on the free OneDrive cloud storage service, which ultimately leads to a keylogger being downloaded onto the victim's system.
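The macro-laden Office lure described above is the kind of attachment a mail gateway can flag before it ever reaches a user. The following is an added example (not code from the Trend Micro report or from this article) of such a pre-filter for Office Open XML documents: it opens the .docx/.docm/.xlsx/.pptx container as the zip archive it is, looks for a VBA project part and for the macro-enabled content types Office declares in [Content_Types].xml, and treats a VBA project hidden behind a macro-free extension such as .docx as a disguise. It never executes the document. The sample documents, the `lure.*` file names and the verdict labels are constructed for the demonstration; legacy binary .doc/.xls lures are OLE2 files and need a different parser (for example oletools), and because VBA source inside vbaProject.bin is stored compressed, finding download URLs in the macro text would require decompressing it, which this check deliberately does not attempt.

```python
"""Pre-filter: does an Office Open XML document carry VBA macros?

Added example, not from the Trend Micro report or the article. Inspects only
the OOXML zip container, so it runs offline and never opens the document
in Office. Sample documents below are constructed in memory.
"""
import io
import zipfile

# Content types Office writes to [Content_Types].xml for macro-bearing parts.
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-office.vbaProject",
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
)
# Extensions whose format has no legitimate place for a VBA project.
MACRO_FREE_EXTENSIONS = (".docx", ".xlsx", ".pptx")
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"


def inspect_ooxml(filename, data):
    """Return findings: is it OOXML, does it embed VBA, does the extension lie."""
    findings = {"ooxml": False, "has_macro": False,
                "extension_mismatch": False, "reasons": []}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return findings          # a zip, but not an OOXML package
            findings["ooxml"] = True

            # 1. A vbaProject.bin part anywhere in the package means macros.
            vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
            if vba_parts:
                findings["has_macro"] = True
                findings["reasons"].append("VBA part present: " + ", ".join(vba_parts))

            # 2. Declared content types catch a renamed VBA part.
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            declared = [ct for ct in MACRO_CONTENT_TYPES if ct in ctypes]
            if declared:
                findings["has_macro"] = True
                findings["reasons"].append("macro content type declared: " + ", ".join(declared))
    except zipfile.BadZipFile:
        return findings                  # not a zip at all: out of scope here

    # 3. VBA inside .docx/.xlsx/.pptx is inconsistent with the extension;
    #    treat it as an attempt to slip past extension-only filters.
    if findings["has_macro"] and filename.lower().endswith(MACRO_FREE_EXTENSIONS):
        findings["extension_mismatch"] = True
        findings["reasons"].append("VBA project inside a macro-free extension")
    return findings


def verdict(filename, data):
    """Gateway decision (labels are this example's own): skip / pass / quarantine / block."""
    f = inspect_ooxml(filename, data)
    if not f["ooxml"]:
        return "skip"
    if f["extension_mismatch"]:
        return "block"
    if f["has_macro"]:
        return "quarantine"
    return "pass"


def build_sample(main_content_type, with_vba):
    """Constructed minimal OOXML package (not a real Office file) for the demo."""
    overrides = '<Override PartName="/word/document.xml" ContentType="%s"/>' % main_content_type
    if with_vba:
        overrides += ('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="%s">%s</Types>' % (CT_NS, overrides))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # Placeholder bytes standing in for a compressed VBA project stream.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


DOCX_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
DOCM_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"

SAMPLES = {                                   # constructed test documents
    "clean": build_sample(DOCX_MAIN, with_vba=False),
    "macro": build_sample(DOCM_MAIN, with_vba=True),
    "disguised": build_sample(DOCX_MAIN, with_vba=True),   # VBA under a .docx name
}

if __name__ == "__main__":
    for name, ext in (("clean", ".docx"), ("macro", ".docm"), ("disguised", ".docx")):
        print(name, ext, verdict("lure" + ext, SAMPLES[name]))
```

The two independent signals (a VBA part and a macro-enabled content type) matter because an attacker controls the zip entry names: renaming vbaProject.bin defeats the first check but not the second, and the extension-mismatch rule covers the opposite trick of shipping a .docm's contents under a .docx name. A real deployment would add the OLE2 path for legacy .doc/.xls attachments and decompress the VBA source to look for auto-exec procedures and download URLs.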

A keylogger captures keystrokes, harvesting credentials and other typed data from the compromised system, and sends what it collects back to the attackers' command-and-control servers.

“Cyber-attackers are getting increasingly confident and are targeting larger enterprises and organisations. What’s worse is that the identities of attackers are easily concealed, slowing down any process that could bring perpetrators to justice. Rocket Kitten – or any other cybercriminal organisation – is free of the restriction of time and location, which means we could become a target at any time and we need to be prepared,” says Gregory Anderson, country manager at Trend Micro South Africa.