Security experts from Kaspersky have discovered a profit-driven campaign dubbed Operation Ghoul. Threat actors behind the Operation Ghoul targeted more than 130 organizations in 30 countries, including companies operating in the industrial and engineering sectors.
Hackers targeted mainly small and medium-sized businesses with 30 to 300 employees.
Attackers used emails to deliver malicious attachments or link to phishing websites, the crooks spoofed email address of a legitimate bank and mostly targeted executives and managers.
The bad actors used a strain of malware known as HawkEye, a commercial spyware that could be used to steal sensitive data from the infected system, including login credentials, FTP credentials, and emails.
This isn’t the first time that threat actors use the HawkEye malware to spy on the victims, making hard their attribution.
Which is the origin of the name Operation Ghoul?
“In ancient Folklore, the Ghoul is an evil spirit associated with consuming human flesh and hunting kids, originally a Mesopotamian demon, and today, the term is sometimes used to describe a greedy or materialistic individual,” wrote the Kaspersky researcher Mohammad Amin Hasbini.
“This is quite a precise description of the group behind Operation Ghoul. Their main motivation is financial gain resulting either from sales of stolen intellectual property and business intelligence, or from attacks on their victim’s banking accounts. Unlike state-sponsored actors, which choose targets carefully, this group and similar groups might attack any company. Even though they use rather simple malicious tools, they are very effective in their attacks. Thus companies that are not prepared to spot the attacks, will sadly suffer,”
Victims of the Operation Ghoul were mainly located in Spain, Pakistan, UAE, India, Egypt, UK, Germany, Saudi Arabia, Portugal, Qatar.
The latest wave of attacks was spotted by Kaspersky experts in June, the researchers observed the majority of victims in the Middle East, particularly the United Arab Emirates.
I suggest you give a look at the report that also includes the Indicators of Compromise that could help your organization to defeat the threat.
(Security Affairs – Operation Ghoul, Cybercrime)