Researchers today identified a series of ongoing targeted attacks primarily designed to steal sensitive corporate financial data from industrial and engineering organizations in the Middle East.
The group behind the campaign, nicknamed Operation Ghoul by researchers at Kaspersky Lab’s Global Research and Analysis Team, has carried out attacks against 130 organizations in 30 countries to date, according to a report published Wednesday.
While the attacks have been mostly focused on countries in the Middle East (70 percent of attacks hit companies in the United Arab Emirates), researchers have also observed attacks carried out in India, the United Kingdom, and Germany. Ghoul has hit Spain the hardest; 25 organizations in the country have been targeted by the campaign.
Researchers note that while the attack lacks sophistication (the campaign relied on a single command and control server), that shouldn’t make it any less dangerous.
“Unlike state-sponsored actors, which choose targets carefully, this group and similar groups might attack any company. Even though they use rather simple malicious tools, they are very effective in their attacks,” said Mohammad Amin Hasbini, a security expert at Kaspersky Lab. “Thus companies that are not prepared to spot the attacks will sadly suffer.”
The attacks are built around spear phishing emails carrying compressed .7z attachments that, if opened, trigger data-stealing malware. The malware executable begins collecting passwords, keystrokes, and screenshots and forwards them to the attackers. In some cases victims are instead tricked into following phishing links.
The malware, based on HawkEye, a commercial spying tool, also grabs FTP server credentials, account data from browsers, messaging clients, and email clients, along with clipboard data. From there the attackers exfiltrate the data using a combination of HTTP GET requests and email messages sent from already compromised organizations.
The emails, sent to executives and higher-ups at organizations, appear to come from a bank in the United Arab Emirates, Emirates NBD, and feature phony subject lines such as “Your payment copy advice from Emirates NBD Bank/subsidiary.”
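The delivery chain described above (a .7z attachment, a payment-advice subject line, a sender posing as Emirates NBD) is exactly what a mail-gateway triage rule can key on. The following Python is an added example written for this article, not Kaspersky’s or the researchers’ code. It parses raw RFC 822 messages with the standard library, flags a .7z attachment by filename or by its magic bytes (so a renamed archive is still caught), and flags a message that invokes the bank’s name while arriving from a domain outside a trusted list. The trusted-domain list, the sender addresses and the sample messages are all constructed assumptions.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Every .7z archive starts with these six signature bytes.
SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"

# Assumption for this example: domains a genuine Emirates NBD notice would come from.
TRUSTED_BANK_DOMAINS = {"emiratesnbd.com"}

# Subject pattern modelled on the lure quoted in the report.
LURE_SUBJECT = re.compile(r"\bpayment\b.*\badvice\b", re.IGNORECASE)
BANK_NAME = re.compile(r"emirates\s+nbd", re.IGNORECASE)


def triage(raw_message: bytes) -> list[str]:
    """Return a list of findings for one raw RFC 822 message (empty if nothing matched)."""
    msg = message_from_bytes(raw_message, policy=default)
    findings = []

    sender = msg["from"].addresses[0] if msg["from"] else None
    display_name = sender.display_name if sender else ""
    domain = sender.domain.lower() if sender else ""
    subject = str(msg["subject"] or "")

    # Lure 1: the mail claims to be from the bank but is sent from somewhere else.
    if (BANK_NAME.search(display_name) or BANK_NAME.search(subject)) \
            and domain not in TRUSTED_BANK_DOMAINS:
        findings.append(f"bank impersonation: claims Emirates NBD, sent from {domain or '<none>'}")

    # Lure 2: the payment-advice subject line used by the campaign.
    if LURE_SUBJECT.search(subject):
        findings.append("subject matches payment-advice lure")

    # Payload: a compressed .7z attachment, matched by name OR by magic bytes so that
    # an archive renamed to look like a document (e.g. "advice.pdf") is still caught.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_content()
        if isinstance(data, str):
            data = data.encode("utf-8", "replace")
        if name.endswith(".7z") or data[:6] == SEVEN_ZIP_MAGIC:
            findings.append(f"7z archive attachment: {name or '<unnamed>'}")
    return findings


def build_sample(from_header, subject, filename, payload):
    """Constructed sample message for the example (not a real captured email)."""
    m = EmailMessage()
    m["From"] = from_header
    m["To"] = "cfo@victim.example"
    m["Subject"] = subject
    m.set_content("Please find the payment advice attached.")
    m.add_attachment(payload, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


# Constructed samples: the lure as described, a renamed archive, and a clean message.
LURE = build_sample("Emirates NBD <advice@mail-notify.example>",
                    "Your payment copy advice from Emirates NBD Bank/subsidiary",
                    "payment_advice.7z", SEVEN_ZIP_MAGIC + b"\x00" * 32)
RENAMED = build_sample("Emirates NBD <advice@mail-notify.example>",
                       "Payment advice", "advice.pdf", SEVEN_ZIP_MAGIC + b"\x00" * 32)
CLEAN = build_sample("Alice <alice@supplier.example>", "Q3 drawings",
                     "drawings.pdf", b"%PDF-1.4\n" + b"\x00" * 32)

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("renamed", RENAMED), ("clean", CLEAN)):
        print(label, "->", triage(raw) or ["no findings"])
```

The check only identifies the 7z container; inspecting what is inside (the article says an executable) needs a 7z decoder at the gateway, and a gateway that blocks on the container alone will also catch the renamed variant, which extension-based filters miss.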
The most recent swell of attacks ran between June 8 and June 27, but researchers say artifacts associated with the malware files and attack sites suggest the origin of Ghoul can be traced back to March 2015.
The campaign is the latest in a long line of targeted attacks against the Middle Eastern industrial sector.
Energy organizations in the Middle East were targeted a few years ago by attackers peddling the njRAT espionage malware. Similar to Operation Ghoul, the attackers dropped the remote access Trojan on companies in order to glean data: steal credentials stored in browsers, steal files, view a user’s desktop and access their computer.
In 2013 attackers were spotted using the Citadel banking Trojan against petrochemical companies in the Middle East. In those attacks, hackers targeted webmail at the companies: once they had elbowed their way into employee or contractor email accounts, they could send messages from them to facilitate further phishing campaigns.