Kaspersky Lab has just publicized the discovery of a new cyber-espionage campaign. Unlike previous threats, it\u2019s targeting smaller entities \u2013 namely SMBs. That\u2019s where it gets interesting.<\/p>\n
Grabit and run<\/strong><\/p>\n Grabit is a rather fresh campaign: the data gathered so far indicates it launched some time in late February 2015. As almost half of the total number of infections (44.87%) occurred in Thailand (with India as a distant second \u2013 24.36% and US as an even more distant third \u2013 10.26%), it could have been a local operation. Still, the first samples arrived to Kaspersky Lab\u2019s experts from the company\u2019s partners in USA.<\/p>\n Grabit gets distributed via a Microsoft Office Word (.doc) email attachment containing a malicious macro AutoOpen.<\/p>\n #Grabit \u2013 an #SMB-targeting spy campaign. #Protectmybiz<\/p>Tweet<\/a><\/blockquote>\n The following is a quote from Securelist\u2019s thorough (as usual) analysis<\/a> of the malware:<\/p>\n \u201cThis macro simply opens a socket over TCP and sends an HTTP request to a remote server that was hacked by the group to serve as a malware hub, before downloading the malware. In some cases the malicious macro was password protected, but our threat actor might have forgotten that a .doc file is actually an archive and when that archive is opened in a convenient editor of your choice, the macro strings are shown in clear-text.<\/p>\n The malware is in plain view, modifying commonplace registry entries, such as the startup configurations, and not covering its tracks. Its binaries are not deleted in most cases, and its communication is in clear-text, where the victim can sniff the communication and grab the FTP\/SMTP server\u2019s credentials.\u201d<\/p>\n The attackers control their victims using HawkEye keylogger, a commercial spying tool from HawkEyeProducts, and a configuration module containing a number of Remote Administration Tools (RATs).<\/p>\n According to Kaspersky Lab\u2019s researchers, the malware actually does little to hide its presence, although it has a very serious protection from analysis: \u201ca weak knight in a heavy armor\u201d, Securelist says.<\/p>\n While it is strange on its own, most likely it indicates that only a part of the malware has been written from scratch, the rest could have been acquired somewhere else.<\/p>\n But regardless, the threat shouldn\u2019t be underestimated: a keylogger discovered in just one of the command-and-control servers was able to steal 2887 Passwords, 1053 Emails and 3023 Usernames from 4928 different hosts, internally and externally, including Outlook, Facebook, Skype, Google mail, Pinterest, Yahoo, LinkedIn and Twitter, as well as bank accounts and others.<\/p>\n Recommendations for businesses to protect themselves:<\/strong><\/p>\n Probably disabling macros by default isn\u2019t the worst idea either.<\/p>\n Picking smaller targets<\/strong><\/p>\n Cyber-espionage is actually regarded as a threat for high-profile entities \u2013 large corporations, enterprises, government organizations, etc. Cyber-espionage isn\u2019t your common malware attack that often only requires an attacker to know where to get a proper piece of code.<\/p>\n Spying and not getting intercepted and bashed off requires a lot of technical prowess, so it\u2019s not something that script-kiddies go for eagerly. The known spying campaigns are usually comprised of rather advanced tools, mostly custom-built, and the actors behind them are clearly motivated by getting something specific, even if the lists of their apparent points of interest are very large, as was the case with Crouching Yeti APT campaign.<\/p>\n\n