
Operation Woolen Goldfish hackers spear phishing European firms

Hackers are targeting a number of European businesses and organisations in a spear phishing campaign bearing the colourful codename Operation Woolen Goldfish.

Trend Micro researchers reported uncovering the campaign in a white paper, "Operation Woolen-Goldfish: When Kittens Go Phishing", warning that the attacks are likely a follow-up to the "Rocket Kitten" campaign discovered in December 2014.

"In February 2015, the Trend Micro Smart Protection Network received an alert from Europe that triggered several targeted attack indicators related to a specific malware family, prompting our threat defence experts to investigate further," read the report.

"The alert showed an infected Microsoft Excel file that soon proved to have been launched by Rocket Kitten."

Rocket Kitten was an attack campaign that targeted victims with basic spear phishing messages designed to entice them to open malicious Office files loaded with a rare "Ghole" malware.

Trend Micro said the follow-up Woolen Goldfish campaign is far more sophisticated.

"By the end of 2014 we saw significant changes in the attack behavior of the Rocket Kitten group in terms of spear-phishing campaigns and malware infection schemes," read the paper.

The firm highlighted a Woolen Goldfish attack targeting an Israeli engineer as proof of the group's evolution.

"The attackers used a OneDrive link in their campaign. OneDrive is a free online cloud storage system from Microsoft that comes with several gigabytes of data storage capacity," explained the report.

"The attackers probably decided to store their malicious binaries online rather than send them as an attachment to bypass email detection.

"Once executed, the file drops a non-malicious PowerPoint file used as a decoy file, while silently infecting the system with a variant of the CWoolger keylogger."

Trend Micro said the CWoolger keylogger malware appears to have been developed by a hacker operating under the "Wool3n.H4t" pseudonym. Wool3n.H4t is believed to have taken part in past Rocket Kitten attacks.

"Consistent with the other malware used by the threat actors involved in Operation Woolen Goldfish, the command and control reference is hard-coded as an IP address in the binary," read the paper.

"A domain name was not used. Moreover, it lands on the system with a name, which is very similar to some Ghole malware variants [used by Rocket Kitten]."
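The report's observation that the command-and-control reference is a hard-coded IP address rather than a domain name gives defenders a cheap triage check: an unpacked binary that carries a literal dotted-quad string is worth a closer look. The script below is an added example written for this post, not code from Trend Micro's paper or from any real sample. It scans raw bytes for IPv4 literals in both plain ASCII and UTF-16LE (the form in which Windows binaries store wide-character strings), validates each octet with the standard library, and reports whether the address is globally routable. The `SAMPLE_BINARY` blob is constructed for illustration and uses documentation and private address ranges only; the function names are the author's own.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed stand-in for the bytes of a suspicious executable. It is NOT a
# real CWoolger or Woolen Goldfish sample; it just mixes the kinds of content
# found in a keylogger's string table: import names, an ASCII URL with a
# literal IPv4 address (198.51.100.0/24 is the TEST-NET-2 documentation range),
# a UTF-16LE string containing a private address, a version string that looks
# like an address but is not, and a dotted quad with an out-of-range octet.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"kernel32.dll\x00GetAsyncKeyState\x00SetWindowsHookExA\x00"
    + b"http://198.51.100.23/upload.php\x00"
    + "log.txt 10.0.0.5".encode("utf-16-le") + b"\x00\x00"
    + b"\x00v2.4.1.7777\x00"
    + b"999.1.1.1\x00"
    + "C:\\Users\\Public\\sys.log".encode("utf-16-le")
)

# Dotted quad in plain ASCII, not preceded or followed by another digit, so
# "2.4.1.7777" does not yield a spurious "2.4.1.777".
_ASCII_IPV4 = re.compile(rb"(?<!\d)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)")

# Same shape in UTF-16LE: every character is followed by a zero byte.
_UTF16_IPV4 = re.compile(
    rb"(?<!\d\x00)"
    rb"(?:\d\x00){1,3}\.\x00(?:\d\x00){1,3}\.\x00(?:\d\x00){1,3}\.\x00(?:\d\x00){1,3}"
    rb"(?!\d\x00)"
)


def find_hardcoded_ipv4(data: bytes) -> List[Dict[str, object]]:
    """Return IPv4 literals embedded in `data`, sorted by byte offset.

    Each hit records the decoded address, the string encoding it was found in,
    its offset in the blob, and whether it is globally routable (a private,
    loopback or documentation address is far less interesting as a C2 lead).
    Dotted quads with an octet above 255 are rejected by ipaddress and dropped.
    """
    hits: List[Dict[str, object]] = []
    for encoding, pattern in (("ascii", _ASCII_IPV4), ("utf-16-le", _UTF16_IPV4)):
        for match in pattern.finditer(data):
            text = match.group(0).decode(encoding)
            try:
                addr = ipaddress.IPv4Address(text)
            except ValueError:
                continue  # e.g. 999.1.1.1: looks like an address, is not one
            hits.append(
                {
                    "address": str(addr),
                    "encoding": encoding,
                    "offset": match.start(),
                    "routable": addr.is_global,
                }
            )
    hits.sort(key=lambda h: h["offset"])  # type: ignore[arg-type]
    return hits


if __name__ == "__main__":
    for hit in find_hardcoded_ipv4(SAMPLE_BINARY):
        flag = "routable" if hit["routable"] else "non-routable"
        print(f"{hit['offset']:>6}  {hit['encoding']:<9}  {hit['address']:<15}  {flag}")
```

Run it against a dumped or unpacked file with `find_hardcoded_ipv4(open(path, "rb").read())`. This is a heuristic, not a verdict: legitimate software also embeds addresses (licence servers, NTP, test fixtures), packed samples hide their strings until unpacked, and version strings of four numeric fields will be reported when every field is 0-255. Treat a hit as a lead for correlating with outbound connection logs, not as proof of infection.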

The paper highlighted the malware as proof the Rocket Kitten hackers are developing new attack tools and could become an even bigger threat in the very near future.

Rocket Kitten is one of many targeted attack groups currently active. On 12 March, researchers at Kaspersky reported finding evidence the Equation group has been developing and mounting sophisticated attacks since at least 2003.
