Security researchers have uncovered a new, large-scale cyber-espionage campaign by the CopyKittens hacking group, aimed primarily at people working in government organizations, defense, and academia in several countries.
The campaign is run by an Iran-linked threat group whose activity, attack methods and targets are described in a detailed joint report published by Trend Micro researchers and the Israeli security firm ClearSky.
Dubbed CopyKittens (aka Rocket Kittens) by researchers, the cyber-espionage group has been active since at least 2013 and has targeted organizations and individuals, including diplomats and researchers, in Israel, Saudi Arabia, Turkey, the United States, Jordan, and Germany.
Targeted organizations include government institutions such as the Ministry of Foreign Affairs, defense companies, large IT companies, academic institutions, subcontractors of the Ministry of Defense and municipal authorities, along with UN employees.
The latest report (PDF), titled "Operation Wilted Tulip," details the espionage campaign run by the CopyKittens hackers: the wide range of tools and tactics they have used, their command-and-control infrastructure, and the group's modus operandi.
How CopyKittens Hackers Infect Their Targets
Media outlets and organizations whose websites have been abused for watering-hole attacks include the Jerusalem Post, for which the German Federal Office for Information Security (BSI) also issued a warning, the Maariv news outlet, and the IDF Disabled Veterans Organization.
In addition to watering holes, the CopyKittens hackers have also used other malware delivery methods, including:
1. Emailed links to malicious websites controlled by the attackers.
2. Weaponized Office documents exploiting a recently disclosed vulnerability (CVE-2017-0199).
3. Exploiting web servers found with SQL-injection vulnerability scanners and tools such as Havij, sqlmap, and Acunetix.
4. Fake social media profiles used to build trust with targets and potentially spread malicious links.
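The SQL-injection scanning described in item 3 is noisy from a defender's point of view: unmodified scanners tend to announce themselves in the User-Agent header, and their probes carry recognizable SQL fragments in the request URI. The following is an added example, not code from the Trend Micro/ClearSky report, that runs such checks over a handful of constructed Apache combined-format access log lines. The User-Agent markers are assumed defaults for the tools named above (operators can change them, so they are a weak signal on their own), and the IP addresses and requests are made up for the example.

```python
import re
import urllib.parse
from collections import defaultdict

# Apache combined log format:
# ip - - [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption: substrings the tools named in the article place in their default
# User-Agent. A scanner run with a spoofed User-Agent will not trip this check.
SCANNER_UA_MARKERS = ("sqlmap", "havij", "acunetix")

# Generic SQL-injection markers, matched against the URL-decoded path and query.
SQLI_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"union\s+(all\s+)?select",
        r"'\s*or\s+'?\d+'?\s*=\s*'?\d+",
        r"\bsleep\s*\(",
        r"\bwaitfor\s+delay\b",
        r"information_schema",
        r"--\s*$",
    )
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Return the reasons a request looks like SQLi scanning (empty list if clean)."""
    reasons = []
    ua = entry["ua"].lower()
    for marker in SCANNER_UA_MARKERS:
        if marker in ua:
            reasons.append(f"scanner user-agent: {marker}")
    decoded = urllib.parse.unquote_plus(entry["path"])
    for pat in SQLI_PATTERNS:
        if pat.search(decoded):
            reasons.append(f"sqli pattern: {pat.pattern}")
    return reasons


def scan_log(lines):
    """Aggregate suspicious requests per source IP: {ip: {"hits": n, "reasons": set}}."""
    report = defaultdict(lambda: {"hits": 0, "reasons": set()})
    for line in lines:
        entry = parse_line(line)
        if not entry:
            continue  # skip malformed lines rather than failing the whole run
        reasons = classify(entry)
        if reasons:
            report[entry["ip"]]["hits"] += 1
            report[entry["ip"]]["reasons"].update(reasons)
    return dict(report)


# Constructed sample log lines (documentation-range IPs, invented requests).
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Jul/2017:12:00:01 +0000] "GET /news.php?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 512 "-" "sqlmap/1.1 (http://sqlmap.org)"',
    '203.0.113.10 - - [10/Jul/2017:12:00:02 +0000] "GET /news.php?id=1%27%20AND%20SLEEP(5)-- HTTP/1.1" 200 512 "-" "sqlmap/1.1 (http://sqlmap.org)"',
    '198.51.100.7 - - [10/Jul/2017:12:00:03 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/54.0"',
    '198.51.100.23 - - [10/Jul/2017:12:00:04 +0000] "POST /login HTTP/1.1" 302 0 "-" "Havij"',
    '192.0.2.5 - - [10/Jul/2017:12:00:05 +0000] "GET /search?q=cats HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, info in scan_log(SAMPLE_LOG).items():
        print(ip, info["hits"], sorted(info["reasons"]))
```

Pairing the two signals matters in practice: a scanner User-Agent alone is trivially spoofed, and a single SQL fragment in a URL can be a false positive, but a source that produces many of both in quick succession is worth blocking and investigating.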
“The group uses a combination of these methods to consistently pursue the same victim on multiple platforms until a first bridgehead has been established – before turning on the highest value targets on the network,” Trend Micro writes in a blog post.
To infect their targets, the CopyKittens hackers use their own custom malware tools alongside existing commercial and open-source tooling such as the Cobalt Strike red-team software, Mimikatz, Metasploit, the Empire post-exploitation agent, and the TDTESS backdoor.
Matryoshka, a remote access trojan developed by the group, uses DNS for command-and-control (C&C) communication and can steal passwords, capture screenshots, log keystrokes, collect and upload files, and provide the attackers with a Meterpreter shell.
“Matryoshka is delivered through spear phishing with a document attached to it. The document either contains a malicious macro that the victim is asked to enable, or an embedded executable that the victim is asked to open,” ClearSky says in a blog post.
The initial version of the malware was analyzed in 2015 and was seen in the wild from July 2016 until January 2017, although the group has also developed and used Matryoshka v.2.
Users are advised to enable two-factor authentication to protect their webmail accounts, which are a treasure trove of information for the CopyKittens hackers and an “extremely strong initial beachhead” for pivoting to other targets.