EyePyramid: happy-go-lucky malware

A story of two amateurs who were able to spy on Italian officials for years without getting caught.

When we talk about malware on Kaspersky Daily — and we do that pretty often — we typically choose those malware species that, according to our data, have impacted a lot of people. CryptXXX, TeslaCrypt, and other nasties that have attacked millions all over the world are some examples. Malware that has been detected only a few times usually doesn’t merit much attention. There is a lot of malware out there, as you know — we just can’t devote a blog post to every single one.

But there is an exception to every rule. Today we are going to talk about malware dubbed EyePyramid. No, we didn’t name it; its creators did. And the reason we are going to talk about EyePyramid is that it kind of stands out from the crowd, and its story is a bit like a fairy tale. In it, a small man achieves big results (and fails in the end).

Italian family spying business

Let’s start with the fact that EyePyramid was basically a family business. The malware itself was developed by a 45-year-old Italian, Giulio Occhionero, who has a degree in nuclear engineering. He and his sister, Francesca Maria Occhionero, 48, worked on spreading the malware. They worked together at a small investment firm called Westland Investments.

According to a report Italian police recently published, EyePyramid was distributed via spear phishing and targeted mostly top Italian government members along with freemasons, law firms, consultancy services, universities, and even Vatican cardinals.

What for? Once installed, the malware granted its creators access to all resources on the victims’ computers. It was used for the sole purpose of gathering information, which, as SC Magazine points out, was in turn reportedly used to make more profitable investments. Malware as an analyst’s tool. I personally don’t quite get the link between investments and cardinals, but it seems that the criminals did.

The high-profile positions of the victims and also the fact that Italian police were not disclosing details about EyePyramid, except for the addresses of the command-and-control (C&C) servers and several of the e-mails that were used, drew attention of our GReAT experts. So they decided to make an investigation of their own.

Rookie cybercrime

Some media insist that EyePyramid is complex and sophisticated. It’s not. In fact, it’s rather simple malware

Using information from the police report, our analysts were able to find a whopping 44 different samples of EyePyramid, and that added a lot to our understanding of the story. Some media insist that EyePyramid is complex and sophisticated. It’s not. In fact, it’s rather simple. The cybercriminal duo employed blunt methods such as using multiple spaces to mask the extension of the executable file which contained the malware. That trick looks simple, but it worked.

It also turns out that that Occhioneros started the criminal part of their business a rather long time ago — the earliest samples we’ve been able to find go back to as far as 2010. Italian officials say that the duo might’ve been active since 2008.

Both being amateurs in the field of cybercrime, they failed to maintain good operational security. In fact, they mostly didn’t care about security at all, discussing their victims using regular phone calls (which, as you know, can be easily wiretapped by law enforcement agencies) and WhatsApp (which didn’t use end-to-end encryption until this year), as well as leaving traces of the IP addresses associated with their company.

Nonetheless, they have, by Italian police estimates, operated at least for three years, and maybe even more than eight years, targeted 16,000 victims, and succeeded in getting access to victims’ computer more than 100 times. That gave the duo a lot of information — tens of gigabytes of data that might have helped them improve their investments.

A tale ends

Still, this story is a perfect confirmation of the theory that investments in education (in this case, in learning operational security) usually pay better. On January 10 both Giulio and Francesca Maria Occhionero were arrested by FBI, so the triumphant parade of the rookie malware is now over.

Their long run might seem surprising, but maybe the secret lies in the simplicity of the malware. It looked too boring to be investigated thoroughly, and Kaspersky Security Network showed only 92 attempts at infection, which is a drop in the ocean compared with the number of infection attempts with popular ransomware. Nonetheless, criminals are in prison, all’s right with the world.