{"id":14988,"date":"2014-08-01T20:00:59","date_gmt":"2014-08-01T20:00:59","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=2309"},"modified":"2019-11-15T07:14:44","modified_gmt":"2019-11-15T12:14:44","slug":"crouching-yeti-got-caught-anyway","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/crouching-yeti-got-caught-anyway\/14988\/","title":{"rendered":"Crouching Yeti: got caught anyway"},"content":{"rendered":"<p>Security researchers have uncovered yet another long-standing APT campaign aimed at exfiltrating important data from organizations in strategic industrial sectors. Once again, businesses in these areas are threatened by a host of malware and are at risk of losing sensitive data. This campaign has received not one name but two: <a href=\"https:\/\/securelist.com\/blog\/research\/65240\/energetic-bear-more-like-a-crouching-yeti\/\" target=\"_blank\" rel=\"noopener\">Energetic Bear and\/or Crouching Yeti.<\/a><\/p>\n<p>Years ago, the once-famous game developer and publisher Sierra released a great series of fantasy adventure and role-playing games titled \u201cQuest for Glory\u201d. The main character belonged to one of three classes, \u201cfighter\u201d, \u201cwizard\u201d or \u201cthief\u201d, each with its own set of skills. If a skill such as stealth was lacking completely, every attempt to switch your character to \u201cstealthy\u201d mode came back with the message: \u201cYou are as stealthy as an average Goon\u201d.<\/p>\n<p>Yes, in these games Goons were green-skinned, bulky and rather dumb creatures, not unlike Warhammer orcs.<\/p>\n<p style=\"text-align: center;\">Goons. A screenshot from Quest for Glory IV: Shadows of Darkness PC game.<\/p>\n<p>So, when I saw the \u201cCrouching Yeti\u201d title, that \u201cas an average Goon\u201d message was the first thing that came to mind. 
Unfortunately, this is not about a funny message in a PC game: it is the title Kaspersky Lab has given to a new APT campaign.<\/p>\n<p>Apparently, it\u2019s still all about stealth \u2013 or, rather, stealing. It is a trend now: launch a large cyber-campaign to fish out (or, rather, phish out) information from organizations in a multitude of strategic industries. That is exactly what \u201cEnergetic Bear\/Crouching Yeti\u201d does. Its targets are the industrial and machinery sectors, manufacturing, pharmaceutical and construction companies, educational institutions and, of course, organizations related to information technology. Most of the victims work in the industrial and machinery-building sectors, so the Bear\/Yeti apparently has a special interest there.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/08\/06020053\/bear_fishing-1.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-2311\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/08\/06020053\/bear_fishing-1.png\" alt=\"bear_fishing\" width=\"800\" height=\"450\"><\/a><\/p>\n<p style=\"text-align: center;\">Bear caught yet another fish. A screenshot from World of Warcraft PC game.<\/p>\n<p>As noted, there are not one but two names: Energetic Bear and Crouching Yeti. The first was given by our colleagues at CrowdStrike, who believe the campaign has a Russian origin and that its main target is the energy sector. Our experts, however, do not confirm this. 
The origin is still something of a mystery (hence the \u201cYeti\u201d: somewhat bear-like, but much more mysterious) and, as shown above, the attackers\u2019 interest is far from limited to the energy industry.<\/p>\n<p>The campaign has been active since at least 2010, and so far we have seen about 2,800 victims worldwide.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/08\/06020053\/Yeti-1-1024x621.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-2312\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/08\/06020053\/Yeti-1.png\" alt=\"Yeti\" width=\"1399\" height=\"848\"><\/a><\/p>\n<p style=\"text-align: center;\">A Giant Yeti. Bulky and frightening (A screenshot from World of Warcraft PC game).<\/p>\n<p>Victims are infected in one of three ways: spear-phishing emails carrying PDF documents with an embedded Flash exploit (CVE-2011-0611, quite an old one, as one may see), Trojanized software installers, or watering-hole attacks from compromised websites that serve a variety of re-used exploits.<\/p>\n<p>The attackers keep a handful of specific Trojans ready. All of them infect only Windows systems; they include Havex (the one detected most often), the Sysmain Trojans, the ClientX backdoor, the Karagany backdoor and related stealers, among others.<\/p>\n<p>What is more unsettling is that the dozens of known Yeti exploit sites and their known referrer sites were compromised legitimate websites running vulnerable content management systems or vulnerable web applications. None of the exploits used to compromise those servers were known to be zero-days. 
Nor were any of the client-side exploits, re-used from the open-source Metasploit framework, zero-days.<\/p>\n<p>In other words, there is little originality and little subtlety in the attackers\u2019 activities, although they are methodical and their approach is reported to be \u201cmanaged\u201d and \u201cminimal\u201d. They use a stable (unchanging) toolset and employ encryption appropriately: exfiltrated log files are encrypted with a symmetric key, and that key is in turn protected with the attackers\u2019 public key, so a captured file cannot be read without the attackers\u2019 private key.<\/p>\n<p>Unfortunately, they managed to stay \u201ccrouching\u201d, undetected, for almost four years.<\/p>\n<p>Good news: Kaspersky Lab solutions detect and <em>skull-bash<\/em> all of the malware the attackers behind Crouching Yeti use. This time they are just not subtle enough.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/08\/06020052\/beaten_yeti-1.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-2313\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/08\/06020052\/beaten_yeti-1.png\" alt=\"beaten_yeti\" width=\"800\" height=\"582\"><\/a><\/p>\n<p style=\"text-align: center;\">However giant, the Yeti is no match for this player\u2019s druid (a screenshot from World of Warcraft PC game).<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security researchers uncovered yet another long-standing APT campaign aimed at exfiltration of important data from the organizations associated with strategic industrial sectors. 
Once again, businesses involved in these areas are<\/p>\n","protected":false},"author":209,"featured_media":16040,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[2140],"class_list":{"0":"post-14988","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-crouching-yeti"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/crouching-yeti-got-caught-anyway\/14988\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/crouching-yeti-got-caught-anyway\/14988\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/crouching-yeti-got-caught-anyway\/14988\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/crouching-yeti\/","name":"Crouching Yeti"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/14988","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=14988"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/14988\/revisions"}],"predecessor-version":[{"id":30776,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/14988\/revisions\/30776"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/16040"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=14988"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=14988"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=14988"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
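
The post mentions that the attackers encrypt exfiltrated log files with a symmetric key that is itself protected by their public key. The Go program below is an added example illustrating that hybrid scheme and why it matters to a defender; it is not code from the post or from the Crouching Yeti toolset. The key sizes (RSA-2048, AES-256-GCM), the RSA-OAEP key wrapping, the blob layout, the function names and the sample log line are all assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ConstructedLog is a made-up stolen log line standing in for the kind of
// file the post says gets exfiltrated; it is not taken from any sample.
const ConstructedLog = "2014-07-30 10:12:03 keylog host=WS-12 user=operator text=<redacted>"

// ExfilBlob is an assumed container for one exfiltrated file. Nothing in it
// reveals the log contents to someone who captured it on the wire.
type ExfilBlob struct {
	WrappedKey []byte // RSA-OAEP(pub, aesKey): modulus-sized, 256 bytes for RSA-2048
	Nonce      []byte // 12-byte GCM nonce, fresh per file
	Ciphertext []byte // AES-256-GCM(aesKey, nonce, log), 16-byte tag appended
}

// SealLog is the implant side: a fresh random AES-256 key per file, the log
// encrypted with AES-GCM, and the key wrapped with the operators' public key.
// The private key never has to be present on the victim machine.
func SealLog(pub *rsa.PublicKey, logData []byte) (*ExfilBlob, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, logData, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &ExfilBlob{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenLog is the operator side: unwrap the AES key with the RSA private key,
// then decrypt and authenticate the log. With any other private key the
// OAEP padding check fails and nothing about the log is recovered.
func OpenLog(priv *rsa.PrivateKey, blob *ExfilBlob) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("wrong private key: cannot unwrap the per-file AES key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob.Nonce, blob.Ciphertext, nil)
}

// Demo runs the round trip: the operators' key pair seals and opens the
// constructed log, and a second key pair (a defender who only captured the
// blob) is shown to fail. It returns the recovered plaintext and whether the
// wrong-key attempt was rejected.
func Demo() (recovered []byte, wrongKeyRejected bool, err error) {
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, false, err
	}
	defender, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, false, err
	}
	blob, err := SealLog(&attacker.PublicKey, []byte(ConstructedLog))
	if err != nil {
		return nil, false, err
	}
	if _, e := OpenLog(defender, blob); e != nil {
		wrongKeyRejected = true
	}
	recovered, err = OpenLog(attacker, blob)
	if err != nil {
		return nil, false, err
	}
	return recovered, wrongKeyRejected && bytes.Equal(recovered, []byte(ConstructedLog)), nil
}

func main() {
	pt, rejected, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrong key rejected: %v\nrecovered log: %s\n", rejected, pt)
}
```

The practical consequence for incident responders is the one the post hints at: a defender holding captured blobs and even the public key embedded in the implant cannot recover the stolen logs, because the AES key is fresh per file and only the private key on the operators' side unwraps it. What the format still gives away is its shape (a modulus-sized wrapped key, then a nonce and ciphertext), which is enough to fingerprint the traffic and to tie different captures to the same public key.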