Trend Micro threat research today released a new report that details the activities of a group of hackers we call Rocket Kitten, who have been active in a cyberespionage campaign for several years now. We released a previous report on this group, but since then new activities have been uncovered with the help of another research organization, ClearSky, with whom we collaborated on the new report.
Targeted attacks are fairly standard today, and the intent of most is theft of information, which is then sold or used in an effort to make money. What makes the Rocket Kitten group interesting is that we don’t believe they are doing this for monetary gain, but for cyberespionage. Their targets also are not organizations like we’ve seen in previous attacks, but rather individuals in a select set of industries. Cyberespionage is an area that does not get a lot of publicity, as it can be difficult to identify the actual data being stolen and how it is used. But in our analysis of the malicious code used in these attacks, it seems pretty apparent that the endgame was to steal data from the victims. Looking at the correlated businesses the victims are in, espionage seems to be the reason for the attacks.
The other aspect that we saw was the use of a malicious pen testing tool (GHOLE), which they utilized in their attacks to identify ways to attack the victims. This is interesting in that it is a malicious version of the legitimate Core Impact Pro tool used by many organizations. What also makes this interesting is that one could tie it back to the Hacking Team breach, where many malicious tools and 0-days were found to be in use by that organization. Good tools that are abused for malicious purposes allow attackers to forgo their own innovation by simply repurposing legitimate tools that already have the capabilities they need.
The victim profiles also give us insight into the motivation of this group. They are mainly targeting Middle Eastern individuals who are scientists, researchers, journalists and Iranian expats living in other countries. The actors appear to be highly skilled at reconnaissance: they know exactly who they want to target, and we rarely see any collateral damage caused by this group. They are also very persistent in their efforts to infect their victims and will often shift the content of their spear-phishing emails to material they know will entice the victim to open them. They will also contact the victims by phone in order to establish rapport and trust. This level of interaction is not typically seen, and it tells us this actor group is very interested in stealing information from its victims, regardless of the amount of effort needed to complete the attack.
The report goes into more detail on the activities of this group of hackers and is an excellent case study of a cyberespionage campaign perpetrated by a determined and persistent team. The use of malware bought in the underground as well as custom-built code shows there are different ways threat actors can build out their toolset to infect victims. We will continue to investigate the Rocket Kitten team and publish our findings moving forward. Enjoy the read, and I welcome your feedback.
Please add your thoughts in the comments below or follow me on Twitter: @jonlclay.