Threats Feed

The OilRig cyberattack campaign, first analyzed in May 2016, continues to evolve, targeting government organizations and companies in Saudi Arabia, Qatar, Turkey, Israel, and the United States. Using spear-phishing emails with malicious Microsoft Excel documents, the attackers have updated their toolset, including Clayslide delivery documents and the Helminth backdoor. The malware communicates with remote servers via HTTP and DNS for command and control. Despite its lack of sophistication, the malware successfully operates under the radar in many establishments due to techniques like DNS command and control.

In early 2016, the NewsBeef APT (aka Charming Kitten/Newscaster) repurposed the open-source BeEF and Metasploit frameworks in widespread watering hole attacks. These operations targeted visitors to strategically compromised websites, including institutions in Iran, Russia, India, Ukraine, the EU, Turkey, Germany, Japan, China, Brazil, and more. Sectors impacted included education, military, diplomacy, manufacturing, and media. The attackers injected malicious JavaScript to hook browsers, track visitor behavior, and fingerprint systems using evercookies and browser enumeration. While full exploitation wasn’t always observed, selective delivery of backdoors or spoofed login prompts was reported. The group’s campaign reflects an evolution from low-tech social engineering to more technically advanced infrastructure attacks using open-source tools.

Clearsky's "Thamar Reservoir" report details a sustained Iranian cyber-attack campaign targeting over 550 individuals, primarily in the Middle East. The attacks, which began in 2014, used a variety of techniques, including spear-phishing emails with malware, phone calls, and compromised websites to create fake login pages. The attackers were persistent but lacked technical sophistication and made mistakes that aided the investigation. The report concludes that the campaign's targets and methods strongly suggest Iranian state sponsorship, and links it to other known Iranian cyber operations.

This Trend Micro report details the activities of Rocket Kitten, a cyber threat group targeting Israeli and European organisations. The report focuses on two campaigns: a malware campaign using the GHOLE malware, possibly dating back to 2011, and a suspected state-sponsored operation, 'Operation Woolen-GoldFish', involving spear-phishing attacks. Analysis shows possible links to an individual using the alias "Wool3n.H4t", possibly Iranian, and highlights the group's increasing sophistication despite using relatively simple techniques such as macros. The overall aim is to inform readers of Rocket Kitten's methods and suspected politically motivated objectives, suggesting Iranian involvement.