Security researchers have discovered a new, massive cyber espionage campaign that mainly targets people working in government, defence and academic organisations in various countries.
The campaign is being conducted by an Iran-linked threat group, whose activities, attack methods and targets have been released in a joint, detailed report published by researchers at Trend Micro and Israeli firm ClearSky.
Dubbed CopyKittens (aka Rocket Kittens) by researchers, the cyber espionage group has been active since at least 2013 and has targeted organisations and individuals, including diplomats and researchers, in Israel, Saudi Arabia, Turkey, the United States, Jordan and Germany.
The targeted organisations include government institutions like the Ministry of Foreign Affairs, defence companies, large information technology companies, academic institutions, subcontractors of the Ministry of Defense, and municipal authorities, along with employees of the United Nations.
The latest report [...] (CVE-2017-0199); exploitation of web servers using vulnerability scanners and SQL injection tools like Havij, sqlmap and Acunetix; and fake social media entities used to build trust with targets and potentially spread malicious links.
"The group uses a combination of these methods to persistently target the same victim over multiple platforms until they succeed in establishing an initial beachhead of infection – before pivoting to higher value targets on the network," Trend Micro writes in a blog post.
In order to infect its targets, CopyKittens makes use of its own custom malware tools in combination with existing, commercial tools, like the red team software Cobalt Strike, Metasploit, the post-exploitation agent Empire, the TDTESS backdoor, and the credential dumping tool Mimikatz.
Dubbed Matryoshka, the remote access trojan is the group's self-developed malware, which uses DNS for command and control (C&C) communication and has the ability to steal passwords, capture screenshots, log keystrokes, collect and upload files, and give the attackers Meterpreter shell access.
"Matryoshka is spread through spear phishing with a document attached to it. The document has either a malicious macro that the victim is asked to enable or an embedded executable the victim is asked to open," ClearSky says in a blog post.
The initial version of the malware was analysed in 2015 and seen in the wild from July 2016 until January 2017, though the group also developed and used Matryoshka version 2.
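The report describes Matryoshka as using DNS for its C&C channel. As an added defender-side example (not code from the report or from either vendor), the following Python heuristic scans a constructed DNS query log for domains that receive repeated lookups whose leading label is long and high-entropy, the pattern that data encoded into subdomains tends to produce; the log format, the domain names and the thresholds are all assumptions.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log: "timestamp client qtype qname" per line.
# These hosts, domains and queries are made up for the example.
SAMPLE_LOG = """\
2017-01-10T09:00:01 10.0.0.5 A www.example.com
2017-01-10T09:00:02 10.0.0.5 A mail.example.com
2017-01-10T09:00:03 10.0.0.7 TXT 6a7b3c9d1e2f4a5b6c7d8e9f0a1b2c3d.cdn-updates.test
2017-01-10T09:00:04 10.0.0.7 TXT 9f8e7d6c5b4a39281706f5e4d3c2b1a0.cdn-updates.test
2017-01-10T09:00:05 10.0.0.7 TXT 0a1b2c3d4e5f60718293a4b5c6d7e8f9.cdn-updates.test
2017-01-10T09:00:06 10.0.0.7 TXT ff00ee11dd22cc33bb44aa5599668877.cdn-updates.test
2017-01-10T09:00:07 10.0.0.5 A static.example.com
"""

def shannon_entropy(s):
    """Bits of entropy per character; hex/base32 payloads score well above hostnames."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname):
    """Naive registered-domain extraction (last two labels); use a public-suffix list in production."""
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-2:])

def find_dns_c2_candidates(log_text, min_queries=3, min_label_len=24, min_entropy=3.0):
    """Return {domain: stats} for domains with repeated long, high-entropy leading labels.
    Thresholds are assumptions chosen for this sample; tune them against your own baseline."""
    stats = defaultdict(lambda: {"queries": 0, "suspicious": 0, "txt": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        _, _, qtype, qname = fields
        dom = registered_domain(qname)
        sub = qname[: -len(dom) - 1] if len(qname) > len(dom) else ""
        first = sub.split(".")[0] if sub else ""  # leading label carries encoded data
        s = stats[dom]
        s["queries"] += 1
        s["txt"] += int(qtype == "TXT")  # TXT answers are a common channel for replies
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            s["suspicious"] += 1
    return {d: s for d, s in stats.items()
            if s["queries"] >= min_queries and s["suspicious"] >= min_queries}
```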
Users are recommended to enable two-factor authentication in order to protect their webmail accounts from being compromised; such an account is a treasure trove of information for hackers and an "extremely strong initial beachhead" for pivoting into other targets.