New spear-phishing attacks seek out industrial and engineering targets

Researchers at Kaspersky Lab have uncovered a new wave of targeted attacks against the industrial and engineering sectors in 30 countries around the world.

Named 'Operation Ghoul' by Kaspersky's researchers, the attacks use spear-phishing emails and malware based on a commercial spyware kit to seek out valuable business-related data stored in their victims' networks.

The campaign appears to have been organized by a cybercriminal group which has been tracked by researchers since March 2015. The latest attacks appear to be the most recent operation conducted by this group.

The malware is delivered as an attachment and is based on the HawkEye commercial spyware that's being sold openly on the Darkweb and provides a variety of tools for the attackers. After installation it collects data from the victim's PC, including: keystrokes, clipboard data, FTP server credentials, and account data from browsers, email clients and messenger programs.

"In ancient folklore, the Ghoul is an evil spirit associated with consuming human flesh and hunting kids, originally a Mesopotamian demon, and today, the term is sometimes used to describe a greedy or materialistic individual," says Mohammad Amin Hasbini, security expert at Kaspersky Lab. "This is quite a precise description of the group behind Operation Ghoul. Their main motivation is financial gain resulting either from sales of stolen intellectual property and business intelligence, or from attacks on their victim’s banking accounts. Unlike state-sponsored actors, which choose targets carefully, this group and similar groups might attack any company. Even though they use rather simple malicious tools, they are very effective in their attacks. Thus companies that are not prepared to spot the attacks, will sadly suffer".

More information on the attack can be found on the Kaspersky Securelist blog.

Image Credit: Meryll / Shutterstock