Threat Actor Linked to Iran Targets Organizations in Israel, Europe

A threat actor dubbed “Rocket Kitten” has breached the systems of several organizations in Israel and Europe. Evidence uncovered by researchers suggests that the group might have ties to Iran.

Rocket Kitten’s activities were brought to light last year at the 31st Chaos Communication Congress (31C3), where researchers Tillmann Werner and Gadi Evron detailed the advanced persistent threat (APT) actor’s activities.

According to Trend Micro, Rocket Kitten has conducted two campaigns. One of them, the one described by Werner and Evron, involved spear-phishing emails designed to distribute a piece of malware called GHOLE. The threat, which is a modified version of a legitimate penetration testing tool from Core Security, gives attackers remote access to the infected machine and the target’s corporate network.

A second campaign, which Trend Micro has been following closely, is far more sophisticated. The operation, dubbed “Woolen-GoldFish,” is most likely a state-sponsored campaign, the security firm said.

The threat group seems to be particularly interested in the defense industry, government entities, the IT sector, and academic organizations. Based on the contents of the files attached to the spear-phishing emails, researchers believe the attackers have targeted civilian and academic organizations in Israel, German-speaking government organizations, and public and private organizations in Europe.

In the first campaign, Rocket Kitten distributed the GHOLE malware with the aid of macros placed inside Microsoft Office documents. However, this technique might not have been very effective because the victim needed to enable macros in order for the malware to get dropped.

At the end of 2014, the group started changing tactics and launched what researchers have called Operation Woolen-GoldFish.

A spear-phishing email sent to an Israeli organization in February contained a PDF document which included a link to a file hosted on Microsoft’s OneDrive cloud service. The file, whose name referenced Iran’s missile program, was an executable that used a PowerPoint icon to avoid raising suspicion.

When the file was executed, it opened a legitimate PowerPoint presentation. At the same time, a keylogger called CWoolger (TSPY_WOOLERG.A) was silently dropped. Once it infects a machine, CWoolger starts logging keystrokes in a .DAT file. Experts have pointed out that the malware is not as sophisticated as other modern keyloggers.

Trend Micro has found several clues that suggest a link between Rocket Kitten and Iran. Metadata from the malicious files shows that several individuals have contributed to the development of the malware, but the main author seems to be using the online moniker “Wool3n.h4t.”

According to researchers, Wool3n.h4t is the name used to register a blog hosted by a free service in Iran. The blog, which is currently inactive, hosted posts published by a user named “Masoud_pk,” which could be part of Wool3n.h4t’s real identity. If Wool3n.h4t is named Masoud, he could be Iranian since this is one of the top 50 most common names in the country.

Experts also uncovered a connection to Iran while analyzing the command and control (C&C) servers used by the GHOLE malware. The IP addresses the malware communicates with are hosted by a German company. The IP address ranges appear to belong to an individual named Mehdi Mahdavi who, according to registration data, is based in Iran.

This Mehdi Mahdavi also seems to be linked to a now-defunct e-business solutions provider named Joinebiz. The joinebiz.com domain is currently for sale, but when the website was active it claimed that the company had offices in several locations around the world, including Iran.

“This campaign, like the first one the group launched, shows that the targeted entities do have a particular interest for the Islamic Republic of Iran. While motives behind targeted attack campaigns may differ, the end results are one and the same—shift in power control, either economically or politically,” Trend Micro researchers said.

The security firm says Operation Woolen-GoldFish is still active.

“From a technical point of view, the threat actors involved in this campaign are less mature in terms of technical capacity and tactic sophistication compared with other targeted attack groups we are monitoring, yet they are improving and gaining traction,” researchers noted.

The complete research paper, Operation Woolen-GoldFish: When Kittens Go Phishing, is available online.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.