Kaspersky Lab announces the release of a comprehensive in-depth analysis of the malware and command and control (C&C) server infrastructure related to the cyber-espionage campaign known to the company’s Global Research and Analysis Team (GReAT) as Crouching Yeti.
The campaign’s origins go back as far as the end of 2010, and today it is most definitely still alive, targeting new victims on a daily basis.
Not that energetic. Energetic Bear/Crouching Yeti is involved in several advanced persistent threat (APT) campaigns. According to Kaspersky Lab’s research, its victims appear to be in a wider range of enterprises than was previously thought. The largest number of identified victims fall into the following sectors:
- Information Technology
The total number of known victims is over 2800 worldwide, out of which Kaspersky Lab researchers were able to identify 101 organizations. This list of victims seems to indicate Crouching Yeti’s interest in strategic targets, but it also shows the group’s interest in many other not-so-obvious institutions. Kaspersky Lab’s experts believe these might be collateral victims, but it might also be reasonable to redefine Crouching Yeti not only as a highly targeted campaign in a very specific area of interest, but also as a broad surveillance campaign with interests in different sectors.
The attacked organizations are located mostly in the United States, Spain, Japan, Germany, France, Italy, Turkey, Ireland, Poland and China. Given the nature of the known victims, the main impact for them is disclosure of very sensitive information such as trade secrets and know-how.
Malicious tools with multiple additional modules. Crouching Yeti is hardly a sophisticated campaign. For example, the attackers used no zero-day exploits, only exploits that are widely available on the Internet. But that didn’t prevent the campaign from staying under the radar for several years.
Kaspersky Lab researchers have found evidence of five types of malicious tools used by the attackers to extract valuable information from compromised systems:
- Havex trojan
- Sysmain trojan
- The ClientX backdoor
- Karagany backdoor and related stealers
- Lateral movement and second stage tools
The most widely used tool is the Havex Trojan. In total Kaspersky Lab researchers discovered 27 different versions of this malicious program and several additional modules, including tools aimed at gathering data from industrial control systems.
For command and control, Havex and the other malicious tools used by Crouching Yeti connect to a large network of hacked websites. These sites host victim information and serve commands to infected systems along with additional malware modules.
The list of downloadable modules includes tools for stealing passwords and Outlook contacts, capturing screenshots, and searching for and stealing certain types of files: text documents, spreadsheets, databases, PDF files, virtual drives, password-protected files, PGP security keys, etc.
Industrial espionage. At present, the Havex Trojan is known to have two very special modules aimed at gathering data from specific industrial IT environments and transmitting it to the attacker. The first one is the OPC scanner module. This module is designed to collect extremely detailed data about the OPC servers running in the local network. Such servers are usually used where multiple industrial automation systems are operating.
The OPC scanner module is accompanied by a network scanning tool. This module is designed to scan the local network, look for all computers listening on ports related to OPC/SCADA software, and try to connect to such hosts in order to identify which potential OPC/SCADA system is running, and transmit all gathered data to the command & control servers.
Mysterious origin. The Kaspersky Lab researchers observed several metadata features that could point toward the national origin of the criminals behind this campaign. In particular, they performed file timestamp analysis of 154 files and concluded that most of the samples were compiled between 06:00 and 16:00 UTC, which could match basically any country in Europe, including Eastern Europe.
The experts also analyzed the actor’s language. The strings present in the analyzed malware are in English (written by non-natives). Unlike several previous researchers of this particular campaign, Kaspersky Lab specialists could not conclude definitively that this actor is of Russian origin. Almost 200 malicious binaries and the related operational content present a complete lack of Cyrillic content (or transliteration), the opposite of Kaspersky Lab’s documented findings from researching Red October, Miniduke, Cosmicduke, Snake and TeamSpy. Also, language clues pointing at French and Swedish speakers were found.
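The compile-timestamp analysis described above can be reproduced by reading the COFF TimeDateStamp from each PE header and bucketing it by UTC hour. The following is an added example (not Kaspersky Lab’s tooling): it parses the timestamp from PE images, builds an hour-of-day histogram, and finds the shortest hour span covering 90 % of the samples. The corpus is constructed from minimal stub headers, so the resulting window illustrates the method rather than the campaign’s real 06:00–16:00 finding.

```python
import struct
from collections import Counter
from datetime import datetime, timezone

def pe_compile_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return timestamp

def build_pe_stub(timestamp: int) -> bytes:
    """Constructed minimal PE header (not a real sample) carrying the given timestamp."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)            # e_lfanew -> signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x102)
    return bytes(header) + b"PE\0\0" + coff

def compile_hour_histogram(samples) -> Counter:
    """Count samples per UTC hour of compilation."""
    hist = Counter()
    for blob in samples:
        ts = pe_compile_timestamp(blob)
        hist[datetime.fromtimestamp(ts, tz=timezone.utc).hour] += 1
    return hist

def working_window(hist: Counter, coverage: float = 0.9):
    """Shortest [start, end] UTC hour span covering at least `coverage` of the samples."""
    total = sum(hist.values())
    best = None
    for start in range(24):
        for end in range(start, 24):
            n = sum(hist[h] for h in range(start, end + 1))
            if n >= coverage * total and (best is None or end - start < best[1] - best[0]):
                best = (start, end)
    return best

# Constructed corpus: 13 stub headers whose compile hours cluster in a working day,
# with one off-hours outlier (03:00 UTC) that the 90 % window is meant to ignore.
_HOURS = [7, 8, 9, 9, 10, 10, 11, 12, 13, 14, 15, 15, 3]
SAMPLES = [
    build_pe_stub(int(datetime(2013, 5, 7, h, 30, tzinfo=timezone.utc).timestamp()))
    for h in _HOURS
]

if __name__ == "__main__":
    hist = compile_hour_histogram(SAMPLES)
    print(sorted(hist.items()), working_window(hist))   # ... (7, 15)
```

Timestamps can be forged by the compiler or patched after the fact, so a tight window is supporting evidence for attribution, not proof on its own.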
Nicolas Brulez, Principal Security Researcher at Kaspersky Lab, said: “The Energetic Bear was the initial name given to this campaign by Crowd Strike according to their nomenclature. The Bear goes for attribution, and Crowd Strike believes this campaign has a Russian origin. Kaspersky Lab is still investigating all existing leads; however, at the moment there are no strong points in either direction. Also our analysis demonstrates that the attackers’ global focus is much broader than just power producers. Based on this data, we decided to give a new name to the phenomenon: a Yeti reminds one of a bear, but it has a mysterious origin.”
Kaspersky Lab’s experts are continuing their research into this campaign while working with law enforcement agencies and industry partners. The full text of the research is available at Securelist.com.
Detection. Kaspersky Lab products detect and eliminate all variants of the malware used in this campaign, including but not limited to: Trojan.Win32.Sysmain.xxx, Trojan.Win32.Havex.xxx, Trojan.Win32.ddex.xxx, Backdoor.MSIL.ClientX.xxx, Trojan.Win32.Karagany.xxx, Trojan-Spy.Win32.HavexOPC.xxx, Trojan-Spy.Win32.HavexNk2.xxx, Trojan-Dropper.Win32.HavexDrop.xxx, Trojan-Spy.Win32.HavexNetscan.xxx, Trojan-Spy.Win32.HavexSysinfo.xxx