Two Italians referred to as the “Occhionero brothers” have been arrested and accused of using malware and a carefully-prepared spear-phishing scheme to spy on high-profile politicians and businessmen. This case has been called “EyePyramid”, which we first discussed last week. (Conspiracy theories aside, the name came from a domain name and directory path that was found during the research.)
The court order was published by AGI, an Italian news agency, around noon on January 11. It (surprisingly) contains multiple technical details which we used to bootstrap our initial analysis. This post builds on the details of the case to provide a more complete and in-depth view of the activities of this campaign.
Scope of this analysis
We have analyzed nearly 250 distinct samples, with new batches of EyePyramid-related samples seen and identified daily. Right after our initial analysis, about a dozen suspicious samples were uploaded to VirusTotal and tagged as “#eyepyramid”. We believe that these samples are “false flags,” because they do not resemble any of the samples that we were able to definitively relate to the EyePyramid case. Although we are not able to say with 100% certainty that there are no relationships between these “false flags” and the original EyePyramid samples, we purposely did not focus on these uploaded samples.
Targeted Email Accounts
Evidence from some of the samples suggests that the attackers targeted email accounts from various domains. Both account credentials and messages from these accounts were stolen, with email accounts from the following domains being targeted:
Table: The domains being targeted
The attack scheme features a remarkable pre-attack phase designed to create a foundation of trust for an effective spear-phishing campaign against high-profile targets. The attacker starts with a list of email accounts—obtained either from an out-of-band compromise, or by another case using the same malware. These accounts belong to organizations or persons that are supposedly trusted by the final, high-profile victim(s).
Using these email accounts as senders, together with attachment names crafted to camouflage the original malware sample extension (*.exe), the attacker managed to infect the computers (directly or indirectly) used by the high-profile victims.
When the malware file is executed on a machine, it auto-updates itself, steals information related to email accounts matching the list above, and sends the harvested information to dropzone email addresses and/or C&C servers via HTTP/HTTPS. This also adds these email accounts to the attacker’s list of compromised accounts, which can then be used to spread the malware to other victims.
Timeline and prevalence
Using the compile time stamp, we obtained the following timeline, which is in line with other analyses that followed our initial report. EyePyramid’s known samples peaked in 2014, with more than three times the number of samples of any other year.
Figure 1. Distribution of EyePyramid sample compilation date, by year
While EyePyramid was based in Italy, not all of its victims were located in that country, as seen from the graph below:
Figure 2 and Table 1. Distribution of EyePyramid victims
EyePyramid Malware Evolution
After analysis, we were able to group the EyePyramid samples based on various features, including:
- year of executable file creation (compile time stamp)
- original/internal file name
- obfuscator and packer used; there were two combinations of obfuscators used:
  - Skater .NET + Dotfuscator, two popular obfuscators (most of the samples are post-processed in this way)
  - ConfuserEx, a recent and powerful obfuscator (only the most recent samples)
- presence of relevant strings, either in the original binary, or after de-obfuscation, de-compilation and string-decryption:
  - “gmail.it” – this string appears next to “gmail.com” and “googlemail.com”, which are known domains for Google email accounts. It’s possible this was a mistake by the author, who wanted to target Italian Gmail users. Alternately, the attacker could be targeting the customers of the Gmail.it free email service. (Note that Gmail.it is not connected with the Google-owned service and shares nothing with it except the name.) Without the ability to ask the threat actors, no strong conclusions should be derived from this finding.
  - Paths indicating a link to the case. We found the string “\Work\EyePyramid\” in one sample dated December 13, 2014; the original file name is mfkr.exe. This is one of the strings that contributed to this case’s name. The presence of such a string is a strong indication that the malware is related to EyePyramid. However, not all samples tied to EyePyramid include this string.
  - Use of Desaware’s SpyWorks component, which can be used to implement key-capturing functionalities, or to create system-level hooks.
Figure 3. Code for key capturing features
- paths or library names indicating code reuse of specific components, namely:
These strings indicate that the malware incorporated various software components with specific features. For example, “iepv\Release\iepv.pdb” is the IE Password Viewer, a small utility (and library) which can be used to reveal passwords stored by Internet Explorer. Other components listed have similar features. The presence of these components suggests that one of the malware’s purposes is to exfiltrate browser-related data.
The recurrent path string “:\projects\vs2005” also provides us clues about the malware author’s modus operandi. We found all of these strings in both a 2014 and 2015 variant, which both shared the file name vmgr.exe. This suggests that the author behind both samples is the same. However, these were not compiled with the same programming environment: the 2014 variant has been compiled with .NET 4.5.5416.41981, whereas the 2015 variant has .NET 4.5.5604.16127.
Based on the above features, we generated a summary of the malware samples, which can be found in the appendix below. We can conclude that over time, the threat actors behind this crime modified and updated the malware’s capabilities (e.g., not all variants are able to exfiltrate Skype conversations), C&C and dropzones, compiler version, and protection mechanisms.
Link back to 2011 Bisignani spy case
In 2012, a high-profile Italian businessman and ex-journalist named Luigi Bisignani was prosecuted as part of the “P4 secret society” (short for Propaganda 4). The P4 was the fourth of the masonic lodges in Italy, which was supposedly influencing political decisions.
The malware used in those attacks used several Gmail addresses as dropzones. Investigators at CNAIPIC (an Italian cybercrime body) found that these same addresses were used by recent EyePyramid variants as well. Independently, we found that older (2012) variants of EyePyramid were doing the same thing.
One more interesting link that we found is the use of the mail.hostpenta.com mailserver, which is similar to the one used by the recent versions of EyePyramid. Curiously, only the 2010 version—and not the 2012 version—used mail.hostpenta.com. Both the 2010 and 2012 versions share the infamous MN600-D8102F401003102110C5114F1F18-0E8C MailBee license key, which was either purchased by Giulio Occhionero, or purchased using his name.
Main Features of EyePyramid Malware
EyePyramid’s most important features are listed below. This list is not meant to be exhaustive, but it covers the most relevant ones.
When first executed, the malware drops a copy of itself onto the hard drive (usually in the root folder C:\) using a name selected from a random list, which is made up of:
Figure 5. Possible “random” file names
To maintain persistence, the malware uses a classic mechanism that involves modifying or adding entries to the CurrentVersion\Run and CurrentVersion\RunOnce registry keys.
Figure 6. Autostart registry entries
Setting the value of these entries to the path of the malware executable will ensure that it is executed upon every user logon.
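As an added example (not code from the original post), here is a Python check for the persistence mechanism described above: it parses a registry export of the Run and RunOnce keys and flags any entry whose program sits directly in a drive root, which is where the malware drops its copy. The export text is constructed for this example and the file names in it are hypothetical.

```python
import re

# Constructed .reg export (not taken from a real host): one Run entry launches a program
# dropped in the root of C:\, one RunOnce entry does the same, and one is a normal per-user app.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"vmgr"="C:\\vmgr.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"update"="\"C:\\mfkr.exe\" -u"
"""

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
AUTORUN_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")

def unescape(data: str) -> str:
    """Undo .reg string escaping (backslash-quote and doubled backslashes)."""
    return data.replace('\\"', '"').replace("\\\\", "\\")

def executable_path(command: str) -> str:
    """Program part of an autorun command, honouring quoted paths that carry arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ")[0]

def drive_root_autoruns(reg_text: str) -> list:
    """Return (key, value name, path) for Run/RunOnce values whose program sits in a drive root."""
    findings, key = [], None
    for line in reg_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or not key.lower().endswith(AUTORUN_SUFFIXES):
            continue
        path = executable_path(unescape(m.group("data")))
        # A single backslash after the drive letter means the file lives directly in the root.
        if re.fullmatch(r"[a-z]:\\[^\\]+\.exe", path, re.IGNORECASE):
            findings.append((key.rsplit("\\", 1)[1], m.group("name"), path))
    return findings
```

On a live host the same logic can be fed the output of `reg export` for the Run and RunOnce keys.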
Code reuse: not all variants use the same combinations of libraries
An interesting characteristic of the EyePyramid malware is the use of publicly known third-party components or open-source libraries, which provide clues to the technical skills of the author.
The following libraries were found:
- MouseKeyboardActivityMonitor, a library for globally monitoring keystrokes and mouse activity. The malware used this component to steal keystrokes.
- Internet Explorer Passwords Viewer, as well as other password-viewing components (e.g., for Google Chrome), which are used by the EyePyramid malware to steal browser-stored credentials.
- Desaware, a software company, produces SpyWorks, a component used to capture keystrokes and/or to create system hooks that can be used to programmatically “detour” a program’s execution flow at runtime. The presence of Desaware components was determined by finding the following string in code:
- MailBee, a component used to handle emails. This was the component that was used to attribute the attack to Giulio Occhionero. The embedded license key had been purchased under his name.
- SevenZip, a common library for creating 7z data, which was used by the malware to compress the stolen files before encrypting and sending them to dropzones.
As we noted in our initial analysis, EyePyramid’s main feature is to harvest and steal files. Files with the following extensions are targeted:
Figure 7. File extensions targeted for theft
Among the other harvested data, EyePyramid looks for *.pst files, which are used by various applications including the Microsoft Exchange Client, Windows Messaging, and Microsoft Outlook to store copies of messages, calendar events and other similar information.
Figure 8. Code targeting PST files
The following queries, found in the partially-decompiled source code of one of the EyePyramid malware samples (i.e., those variants commonly named vmgr.exe), show that it tries to read the Accounts, Contacts, Messages, and SMS tables of the Skype client’s database, which hold that application’s data.
Figure 9. Code targeting Skype
Disabling of security software
EyePyramid targets various security tools: it tries to disable real-time protection mechanisms and to prevent AV-related processes from being launched, as can be seen from the following list:
Figures 10-12. Code targeting security software
Obfuscation and protection
The malware binary is obfuscated by one of two tool combinations: Skater + Dotfuscator, or ConfuserEx. As a result, the final executable is protected from naïve debugging and in-VM dynamic analysis. However, the amount of protection provided is relatively mild and far from advanced.
In addition, custom string-encryption/obfuscation is used so that strings are not directly readable in the decompiled source code. In particular, most of the samples using Skater + Dotfuscator encrypt the strings with 3DES after serializing them to byte arrays. We reverse-engineered the encryption routine and recovered the encrypted strings.
Anecdotes and Other Curious Findings
Cross-site Scripting Testing on HTML Emails?
Although used for debugging only, we found that the malware author was playing around with email-based cross-site scripting, as can be seen from the following code snippet (from 21b6f2584485b8bbfffdefd45c1c72dc2133290fd8cefb235eb39cf015550316):
Figure 13. Code testing Cross-site Scripting
Provenance of email accounts
During our analysis, we received emails from various analysts asking for clarification. One reader noted that the email address used by the EyePyramid operators to send spear-phishing messages was also used to register accounts on various dating sites, based on information from Leaked Source (a database of breaches from various sites).
Searching on Leaked Source for the domains appearing on the court order—ones that were allegedly involved with the data-exfiltration activities—revealed a similar situation. Email addresses on these domains used to register on various sites, including dating and social media sites, were from various data breaches. As a result, these credentials, unless changed by the legitimate owners, are to be considered essentially publicly available.
Although not a detection criterion, the samples that we processed had 81 distinct icon types, some of which are shown below:
Figure 14. Icons used by EyePyramid samples
Figure 15. Analysis process
We followed a fairly common practice for our analysis. As mentioned in our first blog post, it all started from a court order that appeared on the AGI site. From that, we extracted some patterns, which we used to perform what is commonly referred to as “retro-hunting,” that is, we wrote a Yara rule, plus some custom post-processing scripts, to statically match an initial set of patterns. This allowed us to get to a set of samples, among which was “d3ad32bcb255e56cd2a768b3cbf6bafda88233288fc6650d0dfa3810be75f74c”. Other analysts found that this was related to EyePyramid as well.
We then manually deobfuscated and decompiled the binary code, obtaining a non-compiling source code tree, which allowed us to find more details about the malware’s behavior. Some of these behaviors were also confirmed after running the initial samples in a sandboxed environment (among which we used our Deep Discovery Analyzer).
The newly extracted details allowed us to refine our retro-hunting process, revealing more samples, some of which are currently being manually analyzed. Among the various patterns that we used (e.g., included library names, domain names, email addresses), we note that the executable’s original name ensures a good recall. This is unusual, and possibly tells something about the attacker’s skills: A smart attacker would, at least, take care to randomize such names consistently in the PE header. With some automation, we run this iterative process every day and cross-check our findings with the reports sent by our customers.
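As an added example (not the analysts’ own tooling and not code from the original post), the following Python script applies the sample-grouping features listed under “EyePyramid Malware Evolution” and the retro-hunting idea described here to a single binary: it reads the compile year from the COFF TimeDateStamp, extracts ASCII and UTF-16LE strings, and matches the indicator strings and original file names quoted in this analysis. The PE blob it runs on is constructed by make_fake_pe and is not an EyePyramid sample; the indicator category names are this example’s own.

```python
import re
import struct
from datetime import datetime, timezone

# Indicator strings quoted in the analysis above (category names are this example's own).
INDICATORS = {
    "eyepyramid_path": rb"\\Work\\EyePyramid\\",
    "iepv_pdb": rb"iepv\\Release\\iepv\.pdb",
    "vs2005_path": rb":\\projects\\vs2005",
    "mailbee_key": rb"MN600-D8102F401003102110C5114F1F18-0E8C",
    "gmail_it": rb"gmail\.it",
}
ORIGINAL_NAMES = (b"vmgr.exe", b"mfkr.exe")  # internal names seen in the samples

def compile_year(pe: bytes) -> int:
    """Return the year of the COFF TimeDateStamp, the basis of the timeline above."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    stamp = struct.unpack_from("<I", pe, e_lfanew + 8)[0]  # offset 4 into the COFF header
    return datetime.fromtimestamp(stamp, tz=timezone.utc).year

def strings(pe: bytes) -> list:
    """ASCII runs plus UTF-16LE runs (the version resource, where OriginalFilename lives)."""
    narrow = re.findall(rb"[\x20-\x7e]{4,}", pe)
    wide = [w[::2] for w in re.findall(rb"(?:[\x20-\x7e]\x00){4,}", pe)]
    return narrow + wide

def classify(pe: bytes) -> dict:
    """Group a binary the way the analysis does: compile year, indicator hits, original name."""
    found = strings(pe)
    blob = b"\n".join(found)
    hits = [k for k, pat in INDICATORS.items() if re.search(pat, blob, re.IGNORECASE)]
    names = [n.decode() for n in ORIGINAL_NAMES if any(s.lower().endswith(n) for s in found)]
    return {"year": compile_year(pe), "indicators": sorted(hits), "original_name": names}

def make_fake_pe(timestamp: int, payload: bytes) -> bytes:
    """Constructed input: a minimal MZ stub and COFF header followed by arbitrary payload bytes."""
    stub = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 0, 0)
    return stub + coff + payload

# Constructed sample: a 2014-12-13 timestamp, a PDB path, a UTF-16LE version string, a license key.
SAMPLE = make_fake_pe(
    1418428800,
    b"C:\\Work\\EyePyramid\\build\\mfkr.pdb\0"
    + "OriginalFilename\0mfkr.exe\0".encode("utf-16-le")
    + b"MN600-D8102F401003102110C5114F1F18-0E8C\0",
)
```

Running classify over a corpus and bucketing the results by year and indicator set reproduces the kind of grouping shown in the appendix.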
From a purely technical viewpoint, the origins of EyePyramid’s malware and its attribution remain unclear. While the license key registered to Giulio Occhionero’s name can be considered as strong evidence, it is unclear why a malware author would bother using (simple yet not so trivial) mechanisms to cover their traces (e.g., obfuscation, packing, encryption, disabling security tools), and then mistakenly embed the license key under his name in all of the main variants. Moreover, an analysis of the domain-to-IP historical data of the domain names listed in the court order reveals domains named “occhionero.com” and “occhionero.info,” which is again another oddity.
From a technical viewpoint, it is certain that the original source code has gone through mild modifications. On the other hand, the computer(s) used to build the various versions over the years seem to be in line with the evolution of Microsoft developer tools (based on the progression of the compiler version) and software-protection tools (as seen on the recent substitution of Skater + Dotfuscator with the more powerful ConfuserEx).
Here is the appendix containing further details about the samples we analyzed.
Updated on January 19, 2017, 10:15 PM (UTC-7):
The appendix related to this post was updated with SHA256 and other information.