Companies from over thirty countries around the world have recently been targeted by a malicious campaign dubbed “Operation Ghoul”. According to Middle Eastern folklore (and to some of our favorite Supernatural episodes #wink), a ghoul is an evil spirit, a shapeshifting demon, a monstrous creature that can feed on human flesh.

In spoken Arabic, the term is also used to describe a person who is extremely greedy. As such, it comes as no surprise that we are faced with a group of cybercriminals whose sole motivation is financial gain.

Earlier this summer, security experts discovered traces of an advanced threat in over 130 companies worldwide. At the present time, the countries with the highest level of ghoul infestation are Spain, the United Kingdom, Germany, India, the UAE and Saudi Arabia.

The hackers involved in the affair use phishing emails (not this again!) to gather sensitive information (intellectual property, business information, bank details etc.) and profit by reselling this stolen data.

Operation Ghoul employs the malware-as-a-service strategy, spreading through malicious attachments. The phishing campaign is aimed in particular at small and medium businesses (in a word, vulnerable from a security point of view), active in sectors such as: petrochemicals, shipbuilding, aerospace, solar energy, heavy machinery, engineering, pharmaceuticals, and the list goes on. Given how broad the targeting is, there is no way to tell which organization will be hit next. That being said, any of us could be next in line. No panic there.

The danger of off-the-shelf malware

An attack driven by Operation Ghoul begins with an email whose sender address has been spoofed to look like it comes from a bank. This type of email is perfectly camouflaged as a payment notice, with what claims to be a SWIFT document attached. Suppose a recipient were to reply to this message.

In that case, the reply does not reach the bank whose address was spoofed: it is routed to a mailbox controlled by the attackers, which is how they keep the conversation going. Now, even worse, suppose the same recipient opens the attached payment notice, without realizing that he or she is in fact launching a malicious archive on the workstation.
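As an added illustration (this is not code from the original article, nor from any vendor report), here is a small Python triage script that checks an incoming message for the two lure traits just described: a Reply-To that diverts replies away from the spoofed sender's domain, and an attached archive that carries a Windows executable dressed up as a document. The sample messages, mailbox names and domains are constructed for the example and are hypothetical.

```python
import email
import email.policy
import email.utils
import io
import zipfile
from email.message import EmailMessage
from typing import List

# Extensions that execute directly on a Windows desktop when double-clicked.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".js", ".jse", ".vbs", ".bat", ".cmd")
ARCHIVE_TYPES = ("application/zip", "application/x-zip-compressed")


def address_domain(header) -> str:
    """Return the lower-cased domain of an address header, or "" if absent."""
    _, addr = email.utils.parseaddr(str(header or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw: bytes) -> List[str]:
    """Flag lure traits in a raw RFC 5322 message; an empty list means nothing found."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []

    # Trait 1: From: looks like a bank, but replies are silently redirected elsewhere.
    from_dom = address_domain(msg["From"])
    reply_dom = address_domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to-mismatch: From={from_dom} Reply-To={reply_dom}")

    # Trait 2: a "payment notice" that is really an archive wrapping an executable.
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        if ctype in ARCHIVE_TYPES or fname.endswith(".zip"):
            payload = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for name in zf.namelist():
                        if name.lower().endswith(EXECUTABLE_SUFFIXES):
                            findings.append(f"executable-in-archive: {fname} -> {name}")
                        # Check the magic bytes too: a renamed .pdf still starts with MZ.
                        # Only the first two bytes are read, so a huge member costs nothing.
                        with zf.open(name) as fh:
                            if fh.read(2) == b"MZ":
                                findings.append(f"pe-magic-in-archive: {fname} -> {name}")
            except zipfile.BadZipFile:
                findings.append(f"unreadable-archive: {fname}")
        elif fname.endswith(EXECUTABLE_SUFFIXES):
            findings.append(f"executable-attachment: {fname}")
    return findings


def build_sample_lure() -> bytes:
    """Constructed sample of the lure described in the article (hypothetical domains)."""
    msg = EmailMessage(policy=email.policy.default)
    msg["From"] = "Payments Desk <notifications@example-bank.test>"
    msg["Reply-To"] = "payments-desk@example-freemail.test"  # attacker-controlled mailbox
    msg["To"] = "cfo@victim-sme.test"
    msg["Subject"] = "SWIFT payment notice"
    msg.set_content("Please find attached the SWIFT copy of your payment.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # A PE stub named to look like a PDF; 'MZ' is the DOS/PE header magic.
        zf.writestr("SWIFT_payment_notice.pdf.exe", b"MZ" + b"\x00" * 64)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="SWIFT_payment_notice.zip")
    return msg.as_bytes()


def build_benign_notice() -> bytes:
    """Constructed legitimate-looking notice: no Reply-To trick, a real PDF attached."""
    msg = EmailMessage(policy=email.policy.default)
    msg["From"] = "Payments Desk <notifications@example-bank.test>"
    msg["To"] = "cfo@victim-sme.test"
    msg["Subject"] = "Monthly statement"
    msg.set_content("Your statement is attached.")
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application", subtype="pdf",
                       filename="statement.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("lure", build_sample_lure()), ("benign", build_benign_notice())):
        print(label, analyze(raw) or ["clean"])
```

Run as-is, the script reports the reply-to mismatch and both the suspicious file name and the PE magic for the lure, and nothing for the benign notice. The magic-byte check matters because a file called `notice.pdf` inside the archive is still an executable if it starts with `MZ`; a filter that only looks at extensions misses that case. A Reply-To mismatch on its own is not proof of fraud (mailing-list software does it legitimately), so treat it as one signal to combine with the attachment check rather than a verdict.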

And that’s how you become a victim of malware! And not just any malware. The hackers responsible for this operation are using spyware derived from HawkEye, a race of digital ghouls active since March 2015 and for sale on the Dark Web.

For those of you that are curious to know more about the “industrialization” of cyber-weapons in SaaS mode, we’ve already covered the trend in a previous article. But back to our main topic, HawkEye. Once installed on a workstation, it is able to feed on:

  • FTP credentials
  • Browser data
  • Instant messaging accounts
  • Email accounts
  • Keystrokes
  • Clipboard data

This data is then transmitted to the C&C servers run by the hackers behind Operation Ghoul. Since the campaign targets mainly senior managers and executives, the stolen information can seriously jeopardize a business. At this point in the story, even our heroes from Supernatural cannot prevent it from leaking onto the black market.

Eat or be eaten

First of all, it is essential to distinguish between the threat we call Operation Ghoul and state actors such as Project Sauron. Rather than limiting itself to one category of victim, the group behind Operation Ghoul seems to pick its targets indiscriminately among SMEs of all kinds. This is why we must be on our guard against the tricks of ghoul-hackers, who will constantly try to lure organizations in.

With that in mind, we invite you to read our article on social engineering, “The Human Target behind the Machine”, to better train your staff in the art of recognizing a phishing campaign.

As we all know by now, cybercriminals have no scruples and will keep trying to trick us until the day they find the chink in our IT security armor. So what if you do not manage to avoid the wrath of HawkEye? You must act, and you must act quickly, against cybersecurity ghouls. That is simply the supreme law governing the fight against digital monsters: fight or flee, eat or be eaten.

If you want to survive, it’s time to complement your infrastructure with an advanced security analytics solution. Because in real life, you cannot count on Dean Winchester making a pact with the devil to resurrect the dead.
