Targeted attacks primarily focused on financial institutions and technology organizations within Saudi Arabia. Artifacts identified within the malware samples related to these attacks also suggest the targeting of the defense industry in Saudi Arabia, which appears to be related to an earlier wave of attacks carried out in the fall of 2015.
The campaign targets a wide range of verticals in Japan with the intent to steal confidential data. The group behind the operation is suspected to operate out of China and has been active since at least 2012. It uses several infection vectors, including spear-phishing, compromised websites and zero-day vulnerabilities.
The campaign infects systems with the FALLCHILL malware and routes its traffic through multiple proxies to obfuscate network activity. The goal of the attacks is to collect sensitive information about the compromised computer, including operating system details, the system name and other host information.
The attacks targeted victims in the United States and the Middle East in an attempt to steal sensitive information. The group behind the campaign used fake documents claiming to be from the NSA in spear-phishing emails to convince victims to open the malicious attachments.
The campaign uses the Volgmer malware to perform various tasks, including stealing information about the compromised host, terminating processes, and uploading and downloading files. The group has been using the malware since at least 2013 against a wide range of sectors.
The campaign targeted Triconex Safety Instrumented System (SIS) controllers at a critical infrastructure organization in the Middle East in an attempt to modify the safety devices. The operation was first discovered in November 2017 and is reported to be the first malware known to target safety systems in the ICS sector.
The campaign was aimed at computer systems used in the 2018 Winter Olympics in an attempt to disrupt the games by destroying data. The operation used PsExec and Windows Management Instrumentation (WMI) to move laterally and gain a deeper foothold in the environment.
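A detection check for the two lateral-movement primitives named above, PsExec service installation and WMI-spawned processes, as an added example that is not code from this page or from any report on the campaign. The event records are constructed to mimic Windows System event 7045 (service installed) and Security event 4688 (process creation) with a parent-process field; the allowlist is a hypothetical placeholder to tune per environment.

```python
"""Flag PsExec-style service installs and WMI-spawned processes in Windows
event records. Added example; sample events below are constructed, not real."""
import ntpath

# Constructed sample events (not real telemetry). Field names are simplified
# versions of the 7045 / 4688 event fields.
SAMPLE_EVENTS = [
    {"id": 7045, "host": "ws01", "service": "PSEXESVC",
     "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 4688, "host": "ws01", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"id": 4688, "host": "ws02", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
    {"id": 7045, "host": "ws02", "service": "PrinterSpooler",
     "image": r"C:\Windows\System32\spoolsv.exe"},
]

# Hypothetical allowlist of benign children of the WMI provider host.
WMI_HOST = "wmiprvse.exe"
WMI_CHILD_ALLOWLIST = {"wmiadap.exe"}


def _basename(path):
    # ntpath handles backslash paths on any host OS; lower-case for matching.
    return ntpath.basename(path or "").lower()


def is_psexec_service_install(ev):
    """System event 7045: PsExec installs a service named PSEXESVC whose binary
    is copied into ADMIN$ (%SystemRoot%). psexec -r renames both, so as a
    heuristic also flag any new service binary dropped straight into the
    Windows directory rather than a subfolder."""
    if ev.get("id") != 7045:
        return False
    name = (ev.get("service") or "").lower()
    image = (ev.get("image") or "").lower()
    if name == "psexesvc" or _basename(image) == "psexesvc.exe":
        return True
    return image.startswith("%systemroot%\\") and image.count("\\") == 1


def is_wmi_spawned_process(ev):
    """Security event 4688: remote WMI execution (Win32_Process.Create) makes
    the child appear under WmiPrvSE.exe. Anything not allowlisted is suspect."""
    if ev.get("id") != 4688:
        return False
    return (_basename(ev.get("parent")) == WMI_HOST
            and _basename(ev.get("image")) not in WMI_CHILD_ALLOWLIST)


def find_lateral_movement(events):
    """Return one alert dict per matching event, in input order."""
    hits = []
    for ev in events:
        if is_psexec_service_install(ev):
            hits.append({"host": ev["host"], "technique": "psexec_service",
                         "detail": ev.get("service")})
        elif is_wmi_spawned_process(ev):
            hits.append({"host": ev["host"], "technique": "wmi_exec",
                         "detail": ev.get("cmdline")})
    return hits


if __name__ == "__main__":
    for hit in find_lateral_movement(SAMPLE_EVENTS):
        print(f"{hit['host']}: {hit['technique']} ({hit['detail']})")
```

Run over real data, the 7045 check fires once per PsExec session on the target host, and the WMI check fires on the target for each remote command; correlating both with the source host's logon events (4624, logon type 3) is what turns these single hits into a lateral-movement chain.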
The campaign targets organizations involved with the 2018 Pyeongchang Olympics with malicious Microsoft Word documents. The operation used a range of implants to carry out the attacks, establish persistence and exfiltrate data. The implants have been labeled Gold Dragon, Brave Prince, Ghost419, and Running Rat.
Operation Dark Caracal
The campaign targets a wide range of sectors across the globe in an attempt to steal sensitive information. The operation uses trojanized Android apps as the primary attack vector.