In recent years, a number of cyber criminal groups have emerged, using their combined skills and knowledge to inflict even more damage on their prospective targets than a single hacker would be able to. An organized collection of black hats could spell disaster for those in its crosshairs, especially when the group has state backing.
According to research from Trend Micro, the threat group known as Rocket Kitten recently launched a new attack campaign called Operation Woolen-Goldfish. Evidence shows the organization could be sponsored by a nation-state, making the group that much more dangerous.
Rocket Kitten: Not a new hacking group
While this is the first time many users have heard the name "Rocket Kitten," security researchers are fairly familiar with the organization, which first surfaced in 2011, according to SC Magazine. In the past, the group have unleashed its black hat strategies on civilian and academic firms based in Israel, as well as government organizations in Germany and other European private corporations.
In the campaigns involved in these attacks, Rocket Kitten leveraged a phishing approach – complete with specially designed email messages and a malicious attachment – to lure users into downloading malware. Now, the group is using a new malware strain, and is possibly receiving support from a state.
"The targets of the Rocket Kitten group seem to be interesting to a state rather than to individuals or even companies," noted Trend Micro threat researcher Cedric Pernet. "Attribution in APT attacks depends a lot on the context and the data, and we have no 100 [percent] evidence that this is state-sponsored. It is just a strong suspicion."
Previous campaign: GHOLE malware
Rocket Kitten's previous malware campaign was first discovered by Trend Micro in February 2015, after an alert highlighted a potentially infected Excel file. The file in question was found to contain the GHOLE malware sample, which has since become one of Rocket Kitten's calling cards.
During the campaign, GHOLE was dispersed in an attached file alongside a phishing message, enabling the strain to be downloaded onto the victim's device. Researchers discovered that the malware connected to a Command & Control server hosted in Germany.
"While this infection technique works with some unsuspecting users, it is very unsatisfying from the attacker's point of view because it needs user interaction to infect the computer," Pernet wrote in a post for TrendLabs, Trend Micro's security intelligence blog. "This is probably the main reason why the attackers recently started a new campaign, which we are calling 'Operation Woolen-Goldfish.'"
New campaign: Operation Woolen-Goldfish
Rocket Kitten's next campaign was considerably similar to its previous attacks utilizing the GHOLE malware. However, experts noted that the group showed significant improvement in its TTP, or Tactics, Techniques and Procedures.
While this attack again leveraged phishing emails to lure in victims, Pernet noted that the content of these messages improved from the first campaign. This time around, the group fraudulently used the identities of high-profile Israeli individuals within the emails, and established matching profiles to further convince users' of the messages' validity.
Rocket Kitten also utilized a new attack style in this most recent campaign. Although the malware used in these attacks initially appeared to be a variant of GHOLE, researchers soon discovered that it was a completely new sample, and dubbed it TSPY_WOOLERG.A. This strain came in the form a link for a free online storage service, which leads the user to an archived file that is presented like a PowerPoint document. However, once the file is opened, the user is infected with the TSPY_WOOLERG.A sample.
SC Magazine noted that this attack campaign included the use of a keylogger called CWoolger, delivered via phishing email that leverages the identity of a well-known Israeli engineer. Once downloaded onto a victim's system, the keylogger utilizes an FTP to send along the information collected on the victim's system.
While the phishing message content and malware being used have changed in these most recent attacks, Pernet noted that the group had the same goal for both campaigns.
"This campaign, like the previous one from the group, shows that the targeted entities do have a particular interest for the Islamic Republic of Iran," Pernet wrote. "While motives behind targeted attack campaigns may differ, the end results are one and the same: shift in power control either in the economically or politically."
Possible suspect: Wool3n.H4t
Although these events are still being investigated, researchers have been able to attribute both campaigns to an online persona known as Wool3n.H4t. The name appeared in a number of phishing email documents attributed to Rocket Kitten, recognizing Wool3n.H4t as the last modifier.
In addition, the Wool3n.H4t moniker was discovered in the CWoolger keylogger code, linking both attack campaigns with this individual.
To find out more about Operation Woolen-Goldfish, check out Trend Micro's research paper.