A threat group that has targeted public and private organizations in Israel and Europe since possibly 2011 has shifted tactics slightly in its latest campaign, which could be state-sponsored, according to research from Trend Micro.
The group is known as Rocket Kitten and it has been observed attacking civilian and academic organizations in Israel, German-speaking government organizations, European government organizations and European private companies, according to a research paper.
The ultimate goal of the latest Rocket Kitten campaign – referred to as "Operation Woolen-GoldFish" – seems to be intellectual property theft, Cedric Pernet, threat researcher at Trend Micro, told SCMagazine.com in a Thursday email correspondence.
“The malware they use can help with that,” Pernet said. “However, we have had no information on data exfiltration in this campaign.” He explained that researchers had “seen very few samples of their malware, aimed at few entities, which makes it very difficult to estimate the number of targets.”
The malware being used is a keylogger known as CWoolger, which exfiltrates data collected on the infected machine via FTP, Pernet said. CWoolger was observed being delivered via highly targeted spear phishing emails, one of which used the identity of a recognized Israeli engineer.
The phishing emails include a OneDrive link – OneDrive is Microsoft's free online cloud storage system – that, when clicked, ultimately results in CWoolger silently infecting the target system, the research paper indicated.
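A keylogger that ships its take over plain FTP leaves a distinctive network footprint: an internal workstation opening FTP control sessions to a server outside the organization, followed by data-channel connections on variable ports carrying far more bytes outbound than inbound. The following detection logic is an added example written for this article; it is not code from Trend Micro's report and the log lines are constructed here in the column layout of a Zeek conn.log (an assumed format, chosen because it is common in security operations). The internal address ranges are also an assumption and would be replaced with the organization's own.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log (not from the report). Tab-separated columns, Zeek conn.log style:
# ts  uid  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto  service  orig_bytes  resp_bytes
SAMPLE_CONN_LOG = """\
1426200001.120\tCAb1\t10.20.30.41\t51022\t10.20.30.5\t443\ttcp\tssl\t1200\t3400
1426200002.551\tCAb2\t10.20.30.41\t51023\t203.0.113.77\t21\ttcp\tftp\t245\t180
1426200003.002\tCAb3\t10.20.30.41\t51024\t203.0.113.77\t20\ttcp\t-\t1843200\t0
1426200004.789\tCAb4\t10.20.30.42\t51025\t198.51.100.9\t80\ttcp\thttp\t900\t15000
1426200005.100\tCAb5\t10.20.30.43\t51026\t10.20.30.8\t21\ttcp\tftp\t300\t200
1426200006.300\tCAb6\t10.20.30.41\t51027\t203.0.113.77\t21\ttcp\tftp\t260\t190
"""

# Assumed internal ranges. Listed explicitly rather than using ipaddress.is_private, because
# Python treats documentation ranges such as 203.0.113.0/24 as "private" and that would hide
# the external server in this sample.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

FTP_CONTROL_PORT = 21


def is_internal(addr, nets=INTERNAL_NETS):
    """True if the address falls inside one of the organization's internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def parse_conn_log(text):
    """Parse tab-separated conn records; '-' byte counts are treated as zero."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        if len(f) < 10:
            continue
        records.append({
            "ts": float(f[0]), "uid": f[1],
            "orig_h": f[2], "orig_p": int(f[3]),
            "resp_h": f[4], "resp_p": int(f[5]),
            "proto": f[6], "service": f[7],
            "orig_bytes": 0 if f[8] == "-" else int(f[8]),
            "resp_bytes": 0 if f[9] == "-" else int(f[9]),
        })
    return records


def find_external_ftp(text, nets=INTERNAL_NETS):
    """Flag internal hosts that open FTP control sessions to non-internal servers.

    For each flagged (client, server) pair, total the bytes the client sent to that server
    over every connection, not just port 21: FTP data transfers run on separate, variable
    ports, so the control session alone understates the volume exfiltrated.
    """
    records = parse_conn_log(text)
    control_sessions = defaultdict(int)
    for r in records:
        if (r["proto"] == "tcp" and r["resp_p"] == FTP_CONTROL_PORT
                and is_internal(r["orig_h"], nets) and not is_internal(r["resp_h"], nets)):
            control_sessions[(r["orig_h"], r["resp_h"])] += 1

    findings = []
    for (src, dst), sessions in sorted(control_sessions.items()):
        bytes_out = sum(r["orig_bytes"] for r in records
                        if r["orig_h"] == src and r["resp_h"] == dst)
        findings.append({"orig_h": src, "resp_h": dst,
                         "ftp_sessions": sessions, "bytes_out": bytes_out})
    return findings


if __name__ == "__main__":
    for f in find_external_ftp(SAMPLE_CONN_LOG):
        print(f"{f['orig_h']} -> {f['resp_h']}: {f['ftp_sessions']} FTP session(s), "
              f"{f['bytes_out']} bytes sent")
```

In the constructed sample, the workstation talking to the internal FTP server on 10.20.30.8 is ignored, while 10.20.30.41 is reported with both of its control sessions and the 1.8 MB data-channel transfer to the external host rolled into one finding. In practice, a simple port check misses FTP on non-standard ports; pairing it with the `service` field from protocol detection, as Zeek populates it, closes part of that gap.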
Trend Micro believes the campaign could be state-sponsored.
“The targets of the Rocket Kitten group seem to be interesting to a state rather than to individuals or even companies,” Pernet said. “Attribution in APT attacks depends a lot on the context and the data, and we have no 100 [percent] evidence that this is state-sponsored. It is just a strong suspicion.”
Trend Micro researchers were able to home in on one possible suspect – identified as "Wool3n.H4t" – who is capable of developing malware and may have been working with accomplices named "aikido1" and "Hoffman," the research paper indicated.
“We have found some Wool3n.H4t references connecting this nickname to Iran, yet it is only suspicion and we have no solid proof,” Pernet said.
In its previous campaign, Rocket Kitten used spear phishing emails containing an attachment – typically an Excel file containing a malicious macro – to deliver malware identified as GHOLE, according to the research paper.
GHOLE malware has a variety of functions that include creating and removing directories, executing a command shell, terminating processes, and shutting down a computer, as well as downloading, deleting and moving files, Pernet said.
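Because the earlier GHOLE campaign relied on Excel attachments carrying a malicious macro, the check a mail gateway or triage script most wants is whether an Office attachment contains a VBA project at all, decided from the file's content rather than its extension. The following is an added example for this article, not code from Trend Micro or from the researchers it cites: it builds constructed Office Open XML containers in memory (they are not real workbooks and contain no macro code) and classifies them by looking for the `vbaProject.bin` part and its declared content type. Legacy binary `.xls` files are OLE2 compound documents; this example only recognizes the format and reports that a deeper OLE parse is needed to confirm a macro.

```python
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office (.xls/.doc) header
ZIP_MAGIC = b"PK\x03\x04"                          # Office Open XML (.xlsx/.xlsm/.docm) is a zip
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def build_ooxml(has_macro: bool) -> bytes:
    """Build a minimal, constructed OOXML container for testing (not a real workbook).

    A macro-enabled workbook carries an xl/vbaProject.bin part and declares its content
    type in [Content_Types].xml; this mirrors just those two markers.
    """
    overrides = ['<Override PartName="/xl/workbook.xml" ContentType="application/'
                 'vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>']
    if has_macro:
        overrides.append(f'<Override PartName="/xl/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
    content_types = ('<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
                     'package/2006/content-types">' + "".join(overrides) + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("xl/workbook.xml", "<workbook/>")
        if has_macro:
            # The VBA project part is itself an OLE2 stream; a header-only stand-in is enough here.
            z.writestr("xl/vbaProject.bin", OLE2_MAGIC + b"\x00" * 24)
    return buf.getvalue()


def classify_office_attachment(data: bytes) -> dict:
    """Decide from content whether an attachment is an Office file that carries a VBA project.

    macro_found is True/False for OOXML, None for OLE2 (needs a full OLE parse, e.g. oletools).
    """
    if data.startswith(OLE2_MAGIC):
        return {"format": "ole2", "macro_capable": True, "macro_found": None,
                "reason": "legacy binary Office format; confirm VBA storage with an OLE parser"}
    if data.startswith(ZIP_MAGIC):
        try:
            z = zipfile.ZipFile(io.BytesIO(data))
            names = z.namelist()
        except zipfile.BadZipFile:
            return {"format": "unknown", "macro_capable": False, "macro_found": False,
                    "reason": "zip header but unreadable archive"}
        if "[Content_Types].xml" not in names:
            return {"format": "zip", "macro_capable": False, "macro_found": False,
                    "reason": "zip archive without an OOXML content-types part"}
        vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        declared = VBA_CONTENT_TYPE in z.read("[Content_Types].xml").decode("utf-8", "replace")
        found = bool(vba_parts) or declared
        return {"format": "ooxml", "macro_capable": True, "macro_found": found,
                "reason": ("VBA project part present: " + ", ".join(vba_parts)) if vba_parts
                          else ("VBA content type declared without part" if declared
                                else "no VBA project part")}
    return {"format": "unknown", "macro_capable": False, "macro_found": False,
            "reason": "not an Office container"}


if __name__ == "__main__":
    for label, blob in (("macro-enabled", build_ooxml(True)),
                        ("plain", build_ooxml(False)),
                        ("legacy .xls", OLE2_MAGIC + b"\x00" * 512)):
        print(label, classify_office_attachment(blob))
```

The check deliberately ignores the filename: a spear-phishing attachment can carry any extension, and the presence of a VBA part is what an Office application acts on. A result of `macro_found: None` for OLE2 files is a prompt to hand the sample to a proper OLE parser, not a clean bill of health.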
Trend Micro gave credit to Tillman Werner and Gadi Evron for their December 2014 analysis of the Rocket Kitten campaign involving GHOLE.