New waves of attacks that started on the 8th and the 27th of June 2016 have been highly active in the Middle East region and unveiled ongoing targeted attacks in multiple regions.
… #OpGhoul malware collects all data such as #passwords, keystrokes and screenshots…..
The attackers try to lure targets through spear phishing emails that include compressed executables.
The malware collects all data such as passwords, keystrokes and screenshots, then sends it to the attackers.
The group responsible are targeting industrial, manufacturing and engineering organizations in 30+ countries .
In total, over 130 organizations have been identified as victims of this campaign.
Noteworthy is that since the beginning of their activities, the attackers’ motivations are apparently financial, whether through the victims’ banking accounts or through selling their intellectual property to interested parties, most infiltrated victim organizations are considered SMBs (Small to Medium size businesses, 30-300 employees), the utilization of commercial off-the-shelf malware makes the attribution of the attacks more difficult.
In ancient Folklore, the Ghoul is an evil spirit associated with consuming human flesh and hunting kids, originally a Mesopotamian demon.
Today, the term is sometimes used to describe a greedy or materialistic individual.
Main infection vector: malicious emailsThe following picture represents emails that are being used to deliver malware to the victims, in what looks like a payment document.
The e-mails sent by attackers appear to be coming from a bank in the UAE, the Emirates NBD, and include a 7z file with malware. In other cases, victims received phishing links.
In the case of spear phishing emails with an attachment, the 7z does not contain payment instructions but a malware executable (EmiratesNBD_ADVICE.exe).
Executables with the following MD5s:
Malware MD5 hashes
Email file MD5 hashes
The spear phishing emails are mostly sent to senior members and executives of targeted organizations, most likely because the attackers hope to get access to core intelligence, controlling accounts and other interesting information from people who have the following positions or similar:
Chief Executive Officer
Chief Operations Officer
General Manager, Sales and Marketing
Deputy General Manager
Finance and Admin Manager
Business Development Manager
Head of Logistics
The malware is based on the Hawkeye commercial spyware, which provides a variety of tools for the attackers, in addition to malware anonymity from attribution.
It initiates by self-deploying and configuring persistence, while using anti-debugging and timeout techniques, then starts collecting interesting data from the victim’s device, including:
FileZilla ftp server credentials
Account data from local browsers
Account data from local messaging clients (Paltalk, Google talk, AIM…)
Account data from local email clients (Outlook, Windows Live mail…)
License information of some installed applications
Data is collected by the attackers using primarily:
Http GET posts
Sent to hxxp://220.127.116.11
mail.ozlercelikkapi[.]com (18.104.22.168), mail to info@ozlercelikkapi[.]com
mail.eminenture[.]com (22.214.171.124), mail to eminfo@eminenture[.]com
Both ozlercelikkapi[.]com and eminenture[.]com seem to belong to compromised organisations operating in manufacturing and technology services.Malware command center
The malware connects to 126.96.36.199 to deliver collected information from the victim’s PC. This information includes passwords, clipboard data, screenshots…
hxxp://188.8.131.52/~loftyco/okilo/login.phpThe IP address 184.108.40.206 seems to belong to a compromised device running multiple malware campaigns.ghoul_EN
Other attack information
Phishing pages have also been spotted through 220.127.116.11, and although they are taken down quickly, more than 150 user accounts were identified as victims of the phishing links sent by the attackers. Victims were connecting from the following devices and inserting their credentials, a reminder that phishing attacks do work on all platforms:
Mac OS X
The malware files are detected using the following heuristic signatures:
Operation Ghoul is one of the many attacks in the wild targeting industrial, manufacturing and engineering organizations, Kaspersky Lab recommends users to be extra cautious while checking and opening emails and attachments. In addition, privileged users need to be well trained and ready to deal with cyber threats; failure in this is, in most cases, the cause behind private or corporate data leakage, reputation and financial loss.
Indicators of Compromise
The following are common among the different malware infections; the presence of these is an indication of a possible infection.
Filenames and paths related to malware
List of malware related MD5 hashes
List of malware related domains
Observed phishing URLs
Other malware links
Malware links observed on 18.104.22.168 dating back to March and April 2016:
Source: securelist.com via diggaman.net