Story image

Operation Ghoul targets industrial sector with spear phishing malware

24 Aug 16

Operation Ghoul is targeting the industrial and engineering sectors across the world, hitting more than 130 organisations in 30 countries, Kaspersky Labs reports.

The attacks use a combination of spear-phishing and malware. The spear-phishing is targeted towards senior and middle managers. The malware is disguised as an attached SWIFT document from a bank in the UAE.

The attackers look for sensitive business data, including keystrokes, clipboard data, FTP server credentials, browser account data, messaging account data, email client data and information about installed software.

The malware is delivered by commercial spyware HawkEye, distributed on the dark web. The collected information is sent back to attackers, allowing them to mine the data and potentially sell it on the black market.

While most targets are in the industrial and engineering sectors, Kaspersky Labs has found that attacks have also been made against shipping, trading, education and manufacturing organisations.

The company suspects the attacks are the work of Operation Ghoul, which has conducted similar campaigns in the past. The current trojans run under the following names:

  • Trojan.MSIL.ShopBot.ww
  • Trojan.Win32.Fsysna.dfah
  • Trojan.Win32.Generic

“In ancient Folklore, the Ghoul is an evil spirit associated with consuming human flesh and hunting kids, originally a Mesopotamian demon. Today, the term is sometimes used to describe a greedy or materialistic individual. This is quite a precise description of the group behind Operation Ghoul. Their main motivation is financial gain resulting either from sales of stolen intellectual property and business intelligence, or from attacks on their victim’s banking accounts. Unlike state-sponsored actors, which choose targets carefully, this group and similar groups might attack any company. Even though they use rather simple malicious tools, they are very effective in their attacks. Thus companies that are not prepared to spot the attacks, will sadly suffer," explains Mohammad Amin Hasbini, security expert at Kaspersky Lab.

Kaspersky Labs stresses protection by:

  • Educating staff about how to identify phishing and spear-phishing emails
  • Using corporate-grade security solutions and anti-targeted attack solutions
  • Keeping threat intelligent data up to date to help staff implement attack prevention and discovery. Using indicators of compromise and YARA rules will help
Disruption in the supply chain: Why IT resilience is a collective responsibility
"A truly resilient organisation will invest in building strong relationships while the sun shines so they can draw on goodwill when it rains."
Businesses too slow on attack detection – CrowdStrike
The 2018 CrowdStrike Services Cyber Intrusion Casebook reveals IR strategies, lessons learned, and trends derived from more than 200 cases.
What disaster recovery will look like in 2019
“With nearly half of all businesses experiencing an unrecoverable data event in the last three years, current backup solutions are no longer fit for purpose."
Proofpoint launches feature to identify most targeted users
“One of the largest security industry misconceptions is that most cyberattacks target top executives and management.”
McAfee named Leader in Magic Quadrant an eighth time
The company has been once again named as a Leader in the Gartner Magic Quadrant for Security Information and Event Management.
Symantec and Fortinet partner for integration
The partnership will deliver essential security controls across endpoint, network, and cloud environments.
Is Supermicro innocent? 3rd party test finds no malicious hardware
One of the larger scandals within IT circles took place this year with Bloomberg firing shots at Supermicro - now Supermicro is firing back.
25% of malicious emails still make it through to recipients
Popular email security programmes may fail to detect as much as 25% of all emails with malicious or dangerous attachments, a study from Mimecast says.