Rocket Kitten phishing with woollen goldfish & GHOLE

News by Max Cooter

Rocket Kitten hackers are spear-phishing in Germany and Israel using GHOLE and woollen goldfish attacks hosted on Microsoft products.

Users are being warned about two new spear-phishing attacks, both with their origins in the Rocket Kitten crew of hackers. According to a report by Trend Micro, the attacks, seemingly aimed at defence companies and academic institutions in Germany and Israel, have two variants: GHOLE and the poetically named Woollen Goldfish.

Bharat Mistry, a cyber-security specialist with Trend Micro, explained in a report the way the attacks worked. “They are both spear-phishing attacks.  GHOLE uses Excel to embed a macro:  to most people it looks pretty pukka. Woollen Goldfish operates by sending an email with a link to PowerPoint hosted on OneDrive, which means that the malware is hosted on a commercial product.”

According to Trend Micro, the first Woollen Goldfish attack identified used that OneDrive link as a lead to a file named, “Iran's Missiles Program.ppt.exe.” This file used the PowerPoint icon but was an executable file. Once executed, the victim found their computer infected with a variant of the CWoolger keylogger. Trend Micro said that the exploit was no longer live.

Mistry said that one of the notable aspects of the attacks was that there were no sophisticated skills needed, commenting: “Hackers no longer have to use hand-written scripts, but can use commercial, off-the-shelf tools.” He said that this made it more difficult to track the perpetrators. “It's harder to track because they wouldn't have had an online history. They won't have been associated with groups in the past. It's always difficult unless you see a pattern in the code.”

Mistry said that even though Woollen Goldfish was being hosted on a Microsoft product, the company could not be held responsible for the malware. “It's hard for Microsoft: they have to balance privacy with protection. If Microsoft was scanning things held on OneDrive, we'd have users complaining that they shouldn't be doing that,” he said.

He said the only way to fight spear-phishing attacks like these was better education for users. “The key is to try to look at the “to” and “from” when you get an email. If you're suspicious in any way, get it vetted. Be particularly careful about opening attachments; ask yourself “Am I expecting an attachment. Humans are very inquisitive and hackers exploit that,” he said.

A Microsoft spokesman said he couldn't comment on the details of this particular exploit but said “Microsoft takes threats like this very seriously and works closely with partners and law enforcement agencies to take action.”

The spokesman said that just last month, Microsoft had worked with Europol's Cybercrime Centre to seize computers belonging to a group of cyber-criminals.


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews