
The Eye of the Storm: A Look at EyePyramid, the Malware Supposedly Used in High-Profile Hacks in Italy

  • Posted on: January 11, 2017 at 11:55 pm
  • Posted in: Malware, Targeted Attacks
  • Author: Federico Maggi (Senior Threat Researcher)

You can now check the results of our ongoing research into EyePyramid; this blog post dives into EyePyramid’s behavior and other interesting details from our technical analysis.

Two Italian citizens were arrested last Tuesday by Italian authorities (in cooperation with the FBI) for exfiltrating sensitive data from high-profile Italian targets. Private and public Italian citizens, including those holding key positions in the state, were the subject of a spear-phishing campaign that reportedly served a malware, codenamed EyePyramid, as a malicious attachment. This malware was used to successfully exfiltrate over 87 gigabytes worth of data including usernames, passwords, browsing data, and filesystem content.

Infection chain

Based on the available information and our initial analysis of the samples, it appears that the attacker behind the spear-phishing campaign managed to compromise email accounts, particularly those belonging to attorneys and associates in several law firms. We see this as a lure: mail from a trusted, compromised account baits the target into opening a malicious attachment. Once opened, the attachment, which is actually the aforementioned malware, bootstraps and concludes its loading routine by planting a copy of itself with a pseudo-random name and an .exe extension. Some of the known names we found (which could change in other versions and builds of the malware) are listed below:

Figure 1. File names used

Initial sample analysis

The malware may initially appear to be a naïve piece of code written in .NET (>= 4.5.x), but an in-depth look reveals otherwise. Beyond the standard obfuscation, which can be reversed with off-the-shelf tools, the sensitive parts of the decompiled source code are obfuscated a second time, which made detection and analysis trickier. For instance, information about the command & control server’s URL and the MailBee license key (allegedly purchased under the attacker’s name) were heavily obfuscated, as the following excerpt of code shows:

Figure 2. Obfuscated code sample

Based on our analysis, we can conclude that the de-obfuscation routine includes a 3DES decryption step, together with an MD5 hash followed by a SHA256 hash of the input data.
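When a scheme like this has been identified in decompiled code, the practical next step for an analyst is to port it to a stand-alone tool so every obfuscated string in the binary can be recovered in bulk rather than stepping through the sample. The following C# program is an added example written for this post; it is not code from the EyePyramid sample, from the MailBee library or from Trend Micro. The post only names the primitives, so the exact construction is an assumption: the 24-byte 3DES key is taken as the first 24 bytes of SHA256(MD5(passphrase)), CBC mode with PKCS7 padding and an 8-byte IV are assumed, and the passphrase, IV and strings in `Main` are constructed placeholders, not values from the sample.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the EyePyramid sample or from Trend Micro.
// Stand-alone port of the string de-obfuscation scheme the post describes, for
// bulk recovery of strings lifted from the decompiled binary. ASSUMED
// construction (the post only names the primitives): 3DES key = first 24 bytes
// of SHA256(MD5(passphrase)); CBC mode, PKCS7 padding, 8-byte IV.
public static class ObfuscatedStringRecovery
{
    // Key derivation: MD5 of the input, then SHA256 of that digest (assumed order).
    public static byte[] DeriveKey(string passphrase)
    {
        byte[] stage1, stage2;
        using (var md5 = MD5.Create())
            stage1 = md5.ComputeHash(Encoding.UTF8.GetBytes(passphrase));
        using (var sha256 = SHA256.Create())
            stage2 = sha256.ComputeHash(stage1);
        var key = new byte[24];            // three independent 8-byte subkeys
        Array.Copy(stage2, key, key.Length);
        return key;
    }

    static TripleDES Configure(string passphrase, byte[] iv)
    {
        var tdes = TripleDES.Create();
        tdes.Key = DeriveKey(passphrase);  // .NET rejects DES weak keys; vanishingly unlikely here
        tdes.IV = iv;
        tdes.Mode = CipherMode.CBC;
        tdes.Padding = PaddingMode.PKCS7;
        return tdes;
    }

    // Used here only to build the constructed sample blobs in Main.
    public static string Obfuscate(string plaintext, string passphrase, byte[] iv)
    {
        using (var tdes = Configure(passphrase, iv))
        using (var enc = tdes.CreateEncryptor())
        {
            byte[] input = Encoding.UTF8.GetBytes(plaintext);
            byte[] output = enc.TransformFinalBlock(input, 0, input.Length);
            return Convert.ToBase64String(output);
        }
    }

    // What an analyst calls for each Base64 blob found in the decompiled code
    // (Base64 storage of the ciphertext is an assumption of this example).
    public static string Recover(string base64Blob, string passphrase, byte[] iv)
    {
        byte[] input = Convert.FromBase64String(base64Blob);
        using (var tdes = Configure(passphrase, iv))
        using (var dec = tdes.CreateDecryptor())
        {
            byte[] output = dec.TransformFinalBlock(input, 0, input.Length);
            return Encoding.UTF8.GetString(output);
        }
    }

    public static void Main()
    {
        // Constructed placeholders: the real passphrase, IV and strings come from
        // the decompiled sample and are deliberately not reproduced here.
        const string passphrase = "constructed-passphrase";
        byte[] iv = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08 };
        string[] secrets = { "https://c2.example.invalid/upload", "MAILBEE-LICENSE-PLACEHOLDER" };

        foreach (string s in secrets)
        {
            string blob = Obfuscate(s, passphrase, iv);
            string recovered = Recover(blob, passphrase, iv);
            Console.WriteLine($"{blob}  ->  {recovered}");
            if (recovered != s) throw new Exception("round trip failed");
        }
    }
}
```

The value of a port like this is twofold: it confirms the analyst's reading of the routine (a wrong guess about the hash order, mode or key slicing produces garbage or a padding exception on the very first real blob), and once it works it turns the obfuscated URL and license key into plain indicators that can be fed to detection and to the kind of purchase-record attribution the post describes.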

The malware sends the exfiltrated data (after encrypting it) to the command & control servers over standard web transports:

Figure 3. Code for exfiltrating traffic

Note that part of the endpoint’s URL is not obfuscated:

Figure 4. Exposed part of URL

The malware also used the MailBee.NET.dll APIs—a paid library used for building mail software—to send the exfiltrated data out to dropzones (i.e., email addresses) in use by the attacker.
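The two exfiltration channels described above (encrypted uploads to the command & control server over ordinary web transports, and mail sent through the MailBee library to attacker-controlled dropzones) are both visible at the network edge without any knowledge of the malware itself. The following C# program is an added example, not part of the original post and not Trend Micro code: it runs two simple heuristics over constructed proxy and firewall log lines, flagging workstations that push an unusually large volume of POST bodies to one external host, and workstations other than the designated mail relay that open SMTP connections. The log field layouts, addresses, hostnames and thresholds are all invented for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example, not part of the original post and not Trend Micro code: a small
// detection pass over CONSTRUCTED proxy and firewall log lines for the two
// exfiltration channels the post describes. Log layouts and values are invented.
public static class ExfilHeuristics
{
    // Constructed proxy log: time  client  method  host  bytes-sent-by-client
    public static readonly string[] ProxyLog =
    {
        "2017-01-10T09:01:02 10.0.0.12 GET  cdn.example.invalid 512",
        "2017-01-10T09:02:10 10.0.0.12 POST upload.example.invalid 31457280",
        "2017-01-10T09:07:41 10.0.0.12 POST upload.example.invalid 29360128",
        "2017-01-10T09:09:03 10.0.0.40 POST intranet.example.invalid 4096",
    };

    // Constructed firewall log: time  source  destination  dport
    public static readonly string[] FirewallLog =
    {
        "2017-01-10T09:12:00 10.0.0.12 203.0.113.25 587",
        "2017-01-10T09:12:05 10.0.0.5  203.0.113.25 25",
        "2017-01-10T09:13:00 10.0.0.40 198.51.100.7 443",
    };

    // Hosts permitted to speak SMTP outbound (the site's mail relay, invented).
    public static readonly HashSet<string> MailRelays = new HashSet<string> { "10.0.0.5" };
    static readonly HashSet<int> MailPorts = new HashSet<int> { 25, 465, 587 };

    // Flag client/host pairs whose summed POST bodies exceed the threshold.
    public static List<(string client, string host, long bytes)> LargeUploads(
        IEnumerable<string> log, long thresholdBytes)
    {
        var totals = new Dictionary<(string, string), long>();
        foreach (string line in log)
        {
            string[] f = line.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
            if (f.Length < 5 || f[2] != "POST") continue;
            var key = (f[1], f[3]);
            totals.TryGetValue(key, out long soFar);
            totals[key] = soFar + long.Parse(f[4]);
        }
        return totals.Where(kv => kv.Value > thresholdBytes)
                     .Select(kv => (kv.Key.Item1, kv.Key.Item2, kv.Value))
                     .ToList();
    }

    // Flag SMTP connections from any host that is not the designated relay.
    public static List<string> RogueSmtp(IEnumerable<string> log)
    {
        var alerts = new List<string>();
        foreach (string line in log)
        {
            string[] f = line.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
            if (f.Length < 4 || !int.TryParse(f[3], out int port)) continue;
            if (MailPorts.Contains(port) && !MailRelays.Contains(f[1]))
                alerts.Add($"{f[0]} {f[1]} -> {f[2]}:{port} SMTP from non-relay host");
        }
        return alerts;
    }

    public static void Main()
    {
        foreach (var u in LargeUploads(ProxyLog, 20L * 1024 * 1024))
            Console.WriteLine($"upload volume: {u.client} -> {u.host} {u.bytes} bytes");
        foreach (string a in RogueSmtp(FirewallLog))
            Console.WriteLine(a);
    }
}
```

Both rules are deliberately blind to the payload: the uploads are encrypted and the mail body is whatever MailBee puts on the wire, so volume per destination and "who is allowed to talk SMTP at all" are the signals a defender actually has. The 20 MB threshold is a placeholder; in practice it is set from a baseline of normal upload sizes per client, and the relay allow-list comes from the site's own mail architecture.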

It is interesting to note that the purchase of the paid library has led the authorities to the identity of the person behind the campaign.

We are still analyzing this malware, and the campaign that used it remains under monitoring. We’ll update this entry once further verified information and details have been uncovered.

Tags: EyePyramid, Italy