Story image

Operation Ghoul targets industrial sector with spear phishing malware

24 Aug 2016

Operation Ghoul is targeting the industrial and engineering sectors across the world, hitting more than 130 organisations in 30 countries, Kaspersky Labs reports.

The attacks use a combination of spear-phishing and malware. The spear-phishing is targeted towards senior and middle managers. The malware is disguised as an attached SWIFT document from a bank in the UAE.

The attackers look for sensitive business data, including keystrokes, clipboard data, FTP server credentials, browser account data, messaging account data, email client data and information about installed software. The malware is delivered by commercial spyware HawkEye, distributed on the dark web. The collected information is sent back to attackers, allowing them to mine the data and potentially sell it on the black market.

While most targets are in the industrial and engineering sectors, Kaspersky Labs has found that attacks have also been made against shipping, trading, education and manufacturing organisations.

The company suspects the attacks are the work of Operation Ghoul, which has conducted similar campaigns in the past. The current trojans run under the following names:

  • Trojan.MSIL.ShopBot.ww
  • Trojan.Win32.Fsysna.dfah
  • Trojan.Win32.Generic

“In ancient Folklore, the Ghoul is an evil spirit associated with consuming human flesh and hunting kids, originally a Mesopotamian demon. Today, the term is sometimes used to describe a greedy or materialistic individual. This is quite a precise description of the group behind Operation Ghoul. Their main motivation is financial gain resulting either from sales of stolen intellectual property and business intelligence, or from attacks on their victim’s banking accounts. Unlike state-sponsored actors, which choose targets carefully, this group and similar groups might attack any company. Even though they use rather simple malicious tools, they are very effective in their attacks. Thus companies that are not prepared to spot the attacks, will sadly suffer," explains Mohammad Amin Hasbini, security expert at Kaspersky Lab.

Kaspersky Labs stresses protection by:

  • Educating staff about how to identify phishing and spear-phishing emails
  • Using corporate-grade security solutions and anti-targeted attack solutions
  • Keeping threat intelligent data up to date to help staff implement attack prevention and discovery. Using indicators of compromise and YARA rules will help
Cloud application attacks in Q1 up by 65% - Proofpoint
Proofpoint found that the education sector was the most targeted of both brute-force and sophisticated phishing attempts.
Singapore firm to launch borderless open data sharing platform
Singapore-based Ocean Protocol, a decentralised data exchange that promotes data sharing, has revealed details of what could be the kickstart to a global and borderless data economy.
Huawei picks up accolades for software-defined camera ecosystem
"The company's software defined capabilities enable it to future-proof its camera ecosystem and greatly lower the total cost of ownership (TCO), as its single camera system is applicable to a variety of application use cases."
Barracuda expands MSP security offerings with RMM acquisition
Managed Workplace delivers an RMM platform with security tools and services, such as site security assessments, Office 365 account management, and integrated third-party antivirus.
Flashpoint: APAC companies must factor geopolitics in cyber strategies
The diverse geopolitical and economic interests of the states in the region play a significant role in driving and shaping cyber threat activity against entities operating in APAC.
Expert offers password tips to aid a stress-free sleep
For many cybersecurity professionals, the worries of the day often crawl into night-time routines - LogMeIn says better password practices can help.
SolarWinds extends database anomaly detection
As organisations continue their transition from purely on-premises operations into both private and public cloud infrastructures, adapting their IT monitoring and management capabilities can pose a significant challenge.
Adura launches new SOC and MSP in Singapore
The new SOC focuses on the needs of businesses to gain insight into their organization’s security posture and increase their ability to react promptly.