EyePyramid Spy Effort Targets Celebs, Politicians

A newly uncovered malware dubbed EyePyramid is targeting Italian celebrities and politicians and stealing their data—and it’s drawn law enforcement attention.

So far, the Italian police have published a preliminary report of the investigation. The Occhionero siblings have also been arrested and implicated as masterminds of a cyber-espionage operation that targeted a dozen politicians, bankers, prominent freemasons and law enforcement personalities in Italy. These included Fabrizio Saccomanni, the former deputy governor of the Bank of Italy; Piero Fassino, the former mayor of Turin; several members of a Masonic lodge; Matteo Renzi, former prime minister of Italy; and Mario Draghi, president of the European Central Bank.

The report shows that 18,327 unique usernames along with 1,793 passwords have been stolen, totaling roughly 87 GB of data. According to an IBM analysis, during the last few years the attackers had targeted around 16,000 victims, all in Italy, most of them law firms, consultancy services, universities and even Vatican cardinals.

The EyePyramid malware has keylogging capabilities and is able to exfiltrate stolen information to various command and control (C&C) servers. But it also affects the security posture of its targets: After the malware removes and modifies different security settings, users are left unprotected from a slew of potential attacks and vulnerabilities.

“This malware usually arrives as an attachment of a spear phishing email,” explained security firm Cylance, in a blog post. “The sender of this email typically uses compromised email accounts to make it appear that the email comes from a trusted source. The malware itself contains a list of targeted domains…To date, published analysis has uncovered over 100 domains associated with EyePyramid.”

Another hallmark of this malware is the persistence mechanism. Once the user opens and runs the malware attachment, it drops a copy of itself into the Temp folder and creates registry entries to allow it to run on every system startup.
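One way a defender could triage the persistence pattern described above is sketched here; it is an added example, not code from the article, Cylance or Talos. It parses `reg query` output for autorun values and flags any that launch from a Temp folder, covering quoted paths, unquoted paths with spaces and environment variables. The choice of the standard Run keys is an assumption (the article does not name the registry entries), and the sample output is constructed.

```python
import re

# Assumption: the standard per-user and machine-wide Run keys are the ones to
# review; the article does not say which registry entries EyePyramid creates.
TEMP_MARKERS = ("%temp%", "%tmp%", "\\appdata\\local\\temp\\", "\\windows\\temp\\")

# `reg query` prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")


def executable_of(command):
    """Return the program path from an autorun command line, without arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    # Unquoted: cut after the first executable-looking extension so paths with spaces survive.
    match = re.match(r"(.+?\.(?:exe|com|scr|bat|cmd|vbs|js|dll))(?:\s|$)", command, re.I)
    return match.group(1) if match else command.split(" ", 1)[0]


def autoruns_from_temp(reg_query_output):
    """Parse `reg query <Run key>` output; return (key, value name, path) for Temp launches."""
    findings, key = [], None
    for line in reg_query_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        match = VALUE_LINE.match(line)
        if not match or key is None:
            continue
        path = executable_of(match.group("data"))
        normalized = path.lower().replace("/", "\\")
        if any(marker in normalized for marker in TEMP_MARKERS):
            findings.append((key, match.group("name"), path))
    return findings


# Constructed sample output, not taken from an infected host.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Mail Helper    REG_SZ    C:\Users\alice\AppData\Local\Temp\mail helper.exe -s
    Updater    REG_EXPAND_SZ    %TEMP%\upd.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""

if __name__ == "__main__":
    for key, name, path in autoruns_from_temp(SAMPLE):
        print(f"{key} :: {name} -> {path}")
```

A hit is a lead for review rather than a verdict, since some legitimate installers also register short-lived autoruns from Temp.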

Once the malware has compromised the host system, it seeks to gain elevated privileges to perform administrative tasks—setting the malware up for lateral movement within the network environment.

The malware will also try to create a local admin user and add that user to the domain administrator group in Active Directory. This will allow the malware to perform system changes and other functions with administrative privileges. It will also allow the malware to connect to remote systems, possibly with a full administrator access token.

“You can just imagine the gigabytes of data that it was able to steal over the years,” Cylance said. “However, this is not the only damage it causes, because the aftermath of the attack leaves its targets susceptible to a slew of further potential attacks and vulnerabilities, even after this malware is removed. The numerous security settings disabled by the malware appear to be an effort to ensure ease of access in the future. However, those disabled settings make it easier for any attacker to gain access, not just the author of EyePyramid. All of these modifications open a huge gap in the user’s security posture, leaving them vulnerable to future malware attacks.”

Evidence found on the C&C servers suggests that the campaign was active from at least March 2014 until August 2016. However, it is suspected that the malware was developed and probably used years before, possibly as far back as 2008.

While the malware campaign has been characterized as unsophisticated, Talos took a look at how EyePyramid managed to stay hidden under the radar for years. It found evidence of domain generation algorithms, anti-VM and anti-debug techniques, and of the malware subverting the operating system by disabling all security policies.

“Although it is true the authors made some trivial mistakes, throughout this post we have observed efforts to cover the vital information of this operation and an agent able to subvert the entire operating system security,” said Talos researchers Mariano Graziano and Paul Rascagneres, in a technical analysis. “Additionally, this sample is not stealthy for all the operations it performs but it has been undetected for years and is reported to have exfiltrated vast amounts of data.”
