Operation Woolen-Goldfish: When Kittens Go Phishing
Today, we are publishing a research paper on an ongoing operation launched by a threat actor group known as Rocket Kitten.
Rocket Kitten Campaigns
We have been able to observe two different campaigns launched by the group, one after the other, which reveal an evolution in the skills of this group.
The first of these campaigns has already been exposed at 31C3 by Tillmann Werner and Gadi Evron. That campaign started with traditional spear-phishing e-mails that used basic social engineering techniques to entice the targeted users into opening a Microsoft Office file.
Once the file is opened, it asks the user to allow macros to see the content. If the user does so, he is shown a decoy file while his computer is silently infected with the GHOLE malware, which gives the attackers remote access to that machine and lets them bounce inside the corporate network of the target entity.
While this infection technique works with some unsuspecting users, it is very unsatisfying from the attacker’s point of view because it needs user interaction to infect the computer.
Operation Woolen Goldfish
This is probably the main reason why the attackers recently started a new campaign, which we are calling “Operation Woolen-Goldfish.”
This new campaign shows a significant improvement in the TTPs (tactics, techniques, and procedures) deployed by this threat actor group.
For starters, the spear phishing content itself has improved. We have seen this group usurp the identities of high-profile personalities from Israel and use exclusive content made by one of these profiles as a decoy file.
The infection scheme has also changed: the spear-phishing email contains a link to a file stored on a free online storage service. The stored file is an archive file containing an executable file pretending to be a PowerPoint document. Once clicked, this binary infects the target with a brand new malware, TSPY_WOOLERG.A, developed by one of the threat group members known as wool3n.h4t, who was already active in the first campaign.
Figure 1. A comparison between Operation Woolen Goldfish and the previous Rocket Kitten campaign
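For defenders, the delivery described above (an archive holding an executable that poses as a PowerPoint document) can be checked at a mail or web gateway by classifying archive members by content instead of by name. The following is an added example, not code from the paper; the page does not say how the binary imitates a document, so the naming tricks it looks for (double extension, right-to-left override) are assumptions, and the file names are constructed.

```python
import io
import zipfile

DOC_EXTS = {"ppt", "pptx", "pps", "ppsx", "doc", "docx", "xls", "xlsx", "pdf"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "cpl"}
RLO = "\u202e"  # right-to-left override, renders the tail of a name reversed

def is_pe(head: bytes) -> bool:
    """MZ header whose e_lfanew field (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    off = int.from_bytes(head[0x3C:0x40], "little")
    return head[off:off + 4] == b"PE\0\0"

def audit_archive(blob: bytes) -> dict:
    """Map each PE member of a ZIP to its masquerade indicators ([] = plain executable)."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4096)  # classify by content, never by name
            if not is_pe(head):
                continue
            parts = info.filename.rsplit("/", 1)[-1].lower().split(".")
            ext = parts[-1] if len(parts) > 1 else ""
            reasons = []
            if ext in DOC_EXTS:
                reasons.append("PE content under a document extension")
            if ext in EXEC_EXTS and any(p.strip() in DOC_EXTS for p in parts[1:-1]):
                reasons.append("document extension hidden before executable extension")
            if RLO in info.filename:
                reasons.append("right-to-left override in file name")
            findings[info.filename] = reasons
    return findings

def build_sample() -> bytes:
    """Constructed archive: stub PE headers (not runnable programs) plus a text file."""
    stub = b"MZ".ljust(0x3C, b"\0") + (0x40).to_bytes(4, "little") + b"PE\0\0"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("Briefing.ppt.exe", "deck.pptx", "setup.exe"):
            zf.writestr(name, stub)
        zf.writestr("notes.txt", b"agenda")
    return buf.getvalue()
```

A member with an empty indicator list is still an executable inside an archive; an executable that relies only on a document icon carries no naming trick, so policy should key on the PE finding itself.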
This campaign, like the previous one from the group, shows that the targeted entities hold a particular interest for the Islamic Republic of Iran. While the motives behind targeted attack campaigns may differ, the end results are one and the same: a shift in power control, either economically or politically.
Our full paper on Operation Woolen-Goldfish gives more details on these campaigns. You can download the paper from this link: Operation Woolen-Goldfish: When Kittens Go Phishing.