‘Ghoul’ malware targeting small and medium sized industrial businesses
Security researchers have identified a hacking group targeting small- and mid-sized industrial manufacturers in more than 30 countries, apparently to drain their bank accounts or steal their intellectual property.
Researchers from Kaspersky Labs dubbed the group “Ghoul,” in a blog post Wednesday.
“The attackers try to lure targets through spear-phishing emails that include compressed executables,” wrote researcher Mohamad Amin Hasbini, saying they had detected 130 infected company networks so far, but that the group’s use of “commercial off-the-shelf malware makes attribution of the attacks more difficult.”
The group’s malicious software is “based on” commercially available Hawkeye spyware, according to the post, which offers wide range of capabilities for the attackers, plus the anonymity of using commodity code which cannot be linked to them.
In the latest wave of attacks, heavily concentrated in the Middle East, the emails are forged, or “spoofed,” to appear to be coming from a bank in the UAE, with a payment advice attached. Earlier waves employed links to malicious sites. They are “mostly sent to senior members and executives of targeted organizations,” Hasbini writes.
[Read more: The fixes needed to fight phishing.]
If victims click on the attachment, the malware installs itself and begins collecting data such as keystrokes, clipboard contents and the details accounts from local browsers, messaging apps and email clients. The data is exfiltrated by http or email to an IP address which “seems to belong to a compromised device running multiple malware campaigns., providing another layer of anonymity for the hackers.
Ghoul hacking group – number of victim networks by country (Source: Kaspersky Labs)
Map showing the geographical distribution of targets of the “Ghoul” hackers’ group (Source: Kaspersky Labs)
The targets are spread across the globe, although most are in the Middle East or Europe, and they span industrial sectors from military shipbuilding to petrochemical and pharmaceutical, aerospace, solar energy and plastics.
Kaspersky says its researchers identified victims using both Windows and Mac OS X devices, as well as iPhones and Androids.
