You can now check the results of our ongoing research into EyePyramid; this blog post dives into EyePyramid’s behavior and other interesting details from our technical analysis.
Two Italian citizens were arrested last Tuesday by Italian authorities (in cooperation with the FBI) for exfiltrating sensitive data from high-profile Italian targets. Private and public Italian citizens, including those holding key positions in the state, were the subject of a spear-phishing campaign that reportedly served a malware, codenamed EyePyramid, as a malicious attachment. This malware was used to successfully exfiltrate over 87 gigabytes worth of data including usernames, passwords, browsing data, and filesystem content.
Infection chain
Based on the available information and our initial analysis from the samples, it appears that the attacker behind the spear-phishing campaign managed to compromise email accounts, particularly those belonging to attorneys and associates in several law firms. We see this as a lure used by the hacker to bait a target into opening a malicious email attachment. Once opened, the malicious attachment, which is actually the aforementioned malware, bootstraps and concludes its loading routine by planting a copy of itself with a pseudo-random name and an .exe extension. Among some of the known names we found (which could change in other versions and builds of the malware):
Figure 1. File names used
Initial sample analysis
The malware may initially appear to be a naïve piece of code written in .NET (>= 4.5.x), but an in-depth look reveals otherwise. After standard obfuscation, which can be reversed with off-the-shelf tools, the sensitive parts of the decompiled source code are obfuscated, which made detection and analysis trickier. For instance, information about the command & control server’s URL and the MailBee’s license key (allegedly purchased under the attacker’s name), were heavily obfuscated, as the following excerpt of code shows:
Figure 2. Obfuscated code sample
Based on our analysis, we can conclude that the de-obfuscation routine includes a decryption step, based on the 3DES cipher, along with MD5 followed by SHA256 of the input data.
The malware sends the exfiltrated data (after encrypting it) to the command & control servers over standard web transports:
Figure 3. Code for exfiltrating traffic
Note that part of the endpoint’s URL is not obfuscated:
Figure 4. Exposed part of URL (Click thumbnail above for full code)
The malware also used the MailBee.NET.dll APIs—a paid library used for building mail software—to send the exfiltrated data out to dropzones (i.e., email addresses) in use by the attacker.
It is interesting to note that the purchase of the paid library has led the authorities to the identity of the person behind the campaign.
We are currently analyzing this malware and the campaign that used this is under further monitoring. We’ll update this entry once further verified information and details have been uncovered.
