The cyberattack campaign, dubbed xHunt, used Trojans and other malware tools similar to those used in 2018 attacks in Kuwait, and has similarities to malware used by an Iran-linked group, according to researchers.

Previously unknown hacking tools targeted transportation and shipping organizations based in Kuwait between May and June this year, according to Unit 42, the global threat intelligence team at Palo Alto Networks. The campaign was likely related to activity that also targeted Kuwait between July and December 2018, which was recently reported by IBM X-Force IRIS, Unit 42 said in a report released Monday.

The researchers found that in the first known attack this year, the malicious actors deployed a backdoor tool called Hisoka version 0.8, along with other malware that appears to have been created by the same developer or developers. The other backdoor tools Unit 42 identified were called Sakabota, Netero and Killua. The attackers also deployed malware called Gon, which can scan for open ports on remote systems, upload and download files, take screenshots, run commands and open an RDP (Remote Desktop Protocol) session. In effect, every action on an infected system can be monitored and all of its files stolen without alerting the victim company. Another tool, called EYE, also has the ability “to carry out post-exploitation activities,” Unit 42 said.

The tools are named after characters in the anime series Hunter x Hunter, which prompted the researchers to dub the campaign “xHunt.”

In a second attack, in June, the same group infiltrated the network of another shipping and transportation company in Kuwait using an updated version of Hisoka, version 0.9. This time the attackers used an internal IT service desk account to copy the malware to other systems over SMB (Server Message Block), so the lateral movement relied on legitimate credentials rather than an exploit, Unit 42 said.
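The lateral movement described above leaves a recognisable trace: one account performing network (SMB) logons to many hosts in a short time. The following Python is an added detection example, not code from the article or from Unit 42, and the log layout, the account names and the host names are all constructed for illustration; real deployments would read Windows Security event 4624 from a SIEM rather than a pipe-separated string.

```python
"""Flag an account that performs network logons to an unusual number of hosts
within a short window, the pattern a service-desk account copying malware over
SMB would leave in Windows Security logs. Added example; the log format and
every host and account name below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security event 4624 (successful logon) summaries.
# Fields: timestamp | account | source host | destination host | logon type.
# Logon type 3 is a network logon, which is what an SMB file copy produces;
# type 2 is an interactive console logon and is ignored here.
SAMPLE_LOGS = """\
2019-06-05T09:00:12Z|svc-helpdesk|WS-HELPDESK01|SRV-FILE01|3
2019-06-05T09:01:40Z|svc-helpdesk|WS-HELPDESK01|SRV-FILE02|3
2019-06-05T09:02:05Z|svc-helpdesk|WS-HELPDESK01|SRV-APP03|3
2019-06-05T09:03:22Z|svc-helpdesk|WS-HELPDESK01|SRV-DB04|3
2019-06-05T09:04:10Z|svc-helpdesk|WS-HELPDESK01|WS-OPS07|3
2019-06-05T09:05:51Z|svc-helpdesk|WS-HELPDESK01|WS-OPS08|3
2019-06-05T09:06:00Z|jsmith|WS-OPS07|SRV-FILE01|3
2019-06-05T10:30:00Z|jsmith|WS-OPS07|SRV-FILE02|3
2019-06-05T09:10:00Z|svc-backup|SRV-BACKUP01|SRV-FILE01|3
2019-06-05T09:12:00Z|admin|WS-ADMIN01|SRV-FILE01|2
"""


def parse_event(line):
    """Parse one pipe-separated logon record; return None for malformed lines."""
    parts = line.strip().split("|")
    if len(parts) != 5:
        return None
    try:
        return {
            "time": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"),
            "account": parts[1],
            "source": parts[2],
            "dest": parts[3],
            "logon_type": int(parts[4]),
        }
    except ValueError:
        return None


def find_lateral_movement(lines, window=timedelta(minutes=30), min_hosts=5,
                          known_fan_out=()):
    """Return {account: sorted destination hosts} for every account that made
    network logons to at least `min_hosts` distinct hosts inside `window`.

    Accounts in `known_fan_out` (backup or monitoring services that legitimately
    touch many hosts) are skipped; that list is the analyst's baseline and must
    be maintained, or the detection fills with noise."""
    by_account = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["logon_type"] != 3:
            continue
        if ev["account"] in known_fan_out:
            continue
        by_account[ev["account"]].append((ev["time"], ev["dest"]))

    findings = {}
    for account, events in by_account.items():
        events.sort()  # chronological; records arrive out of order across hosts
        best = set()
        # Sliding window: from each event, collect the distinct hosts reached
        # before `window` elapses and keep the largest such set.
        for i, (start, _) in enumerate(events):
            hosts = {host for t, host in events[i:] if t - start <= window}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            findings[account] = sorted(best)
    return findings


if __name__ == "__main__":
    for account, hosts in find_lateral_movement(SAMPLE_LOGS.splitlines()).items():
        print(f"{account}: network logons to {len(hosts)} hosts in 30 min: {hosts}")
```

On the constructed sample, only svc-helpdesk trips the rule: six distinct hosts inside six minutes, all from one workstation. The ordinary user and the backup service stay below the threshold, and the interactive console logon is ignored because it is not logon type 3. The threshold and window are assumptions to tune against each environment's baseline; a service desk account that genuinely pushes software to many machines will need either a higher threshold or an entry in `known_fan_out`, and the source-host field is worth a second rule of its own, since a legitimate deployment tool usually originates from one known server.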
The attackers were able to send and receive commands after attempting to log in using legitimate credentials. The researchers noted that the malware mirrors a version of Sakabota that has been active since mid-2018 and is believed to be the work of the same group of attackers. This is further evidenced by code from Sakabota also being present in the Gon backdoor, suggesting a common author or sponsor.

As to who is behind the campaign, the researchers noted that the malware named Hisoka, Sakabota and Gon has something in common: it shares domains and infrastructure with a hacking operation known as OilRig, which is believed to have links to the Iranian government. The Unit 42 researchers were cautious about drawing firm conclusions, however.

“While there are similarities in the targeting of Kuwait organizations, domain naming structure and the underlying toolset used, it remains unclear at this time if the two campaigns (July to December 2018 and May to June 2019) were conducted by the same set of operators,” the researchers concluded. “Due to these overlaps and the focused targeting of organizations within the transportation and shipping industry in the Middle East, we are tracking this activity very closely and will continue analysis in order to determine a more solid connection to known threat groups.”