A new report from security solutions provider Check Point provides further insight into the activities of the Iran-linked threat group known as Rocket Kitten.
Rocket Kitten has been around since at least early 2014 and its activities have been analyzed by several security firms, including FireEye (Operation Saffron Rose), iSIGHT Partners (Newscaster), ClearSky (Thamar Reservoir) and Trend Micro (Woolen GoldFish).
The fact that its campaigns have been closely monitored by security firms doesn’t seem to have discouraged the advanced persistent threat (APT) group, which simply made some changes to its tools and phishing domains and continued its activities.
Check Point started analyzing Rocket Kitten after the group targeted one of its customers. While investigating a phishing server used by the threat actor, experts noticed that the XAMPP web server hosted on it was not configured properly, allowing anyone to gain root access without needing a password.
An analysis of the attacker’s database revealed a total of more than 1,800 victims who had fallen for the phishing scams and handed over their information. Each of these victims was associated with a particular Rocket Kitten operator.
For example, one operator harvested the details of 522 users as part of a campaign targeting human rights activists, CEOs and ministry officials in Saudi Arabia. Another operator harvested the details of 233 victims in the defense sector, including in NATO countries, the United Arab Emirates, Afghanistan, Thailand, and Turkey. Embassies in countries neighboring Iran were also targeted by the same operator.
The busiest operator is responsible for nearly 700 victims, a list that mainly consists of scholars, persons of influence, education organizations, and media outlets in Saudi Arabia. The database accessed by Check Point shows that the group also focused on Iranians living abroad, Venezuelan entities, and Israeli nuclear scientists, former military officials, and national security and foreign policy researchers.
Logs from the phishing server showed that the largest number of visitors came from Saudi Arabia (18%), the United States (17%), Iran (16%), the Netherlands (8%) and Israel (5%). Experts determined that 26 percent of those who accessed the phishing pages entered their credentials, a relatively high success rate attributed to persistence and well-targeted phishing emails.
In addition to the phishing server, researchers managed to hack into one of Rocket Kitten’s command and control (C&C) servers by using administrator credentials hard-coded by the attackers into the malware. This allowed Check Point to find information revealing the real identity of the espionage group’s main developer, known as “Wool3n.H4T.”
“In this case, as in other previously reported cases, it can be assumed that an official body recruited local hackers and diverted them from defacing web sites to targeted espionage at the service of their country. As is often the case with such inexperienced personnel, their limited training reflects in lack of operational security awareness, leaving a myriad of traces to the origin of the attack and their true identities,” Check Point said in its report.
The complete report, titled “Rocket Kitten: A Campaign with 9 Lives,” is available for download in PDF format.