EyePyramid Malware Unsophisticated But Effective: Researchers

The EyePyramid malware used to steal information from Italian politicians, bankers and business leaders is not very sophisticated, but, as many successful espionage operations have shown, it doesn’t need to be.

Italian siblings Giulio Occhionero, 45, and Francesca Maria Occhionero, 48, have been arrested for targeting many high-profile individuals and organizations in hacker attacks. Authorities said more than 18,000 email accounts had been compromised and 87 gigabytes worth of data had been stolen.

The list of targets includes the president of the European Central Bank, a former prime minister, cardinals in the Vatican, political parties, ministries, technology and energy companies, and members of a Masonic lodge.

The attacks had been carried out since at least 2010 and they relied on a piece of malware dubbed EyePyramid. Researchers from Kaspersky Lab have found some samples of the malware compiled in 2014 and 2015 and used them to obtain additional information on attack methods and targets.

According to experts, the attackers used social engineering and spear-phishing emails to deliver the malware to victims. The malware was attached to the emails as ZIP or 7Zip archives.

The EyePyramid executable file stored in these archives often had a name that included multiple spaces in order to hide its extension. The use of this simple technique points to the campaign’s low level of sophistication, Kaspersky researchers said.
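The padded-filename trick described above is easy to flag at the mail gateway. The following detector is an added example written for this page, not code from Kaspersky, Trend Micro or the article: it opens a ZIP attachment, and flags any member whose name ends in an executable extension or carries a decoy extension followed by a run of spaces before the real one. The extension list and the sample archive are constructed assumptions.

```python
import io
import re
import zipfile

# Extensions that should never arrive as an email attachment (assumed list
# for this example, not taken from the article).
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

# Decoy extension, then two or more spaces, then the real extension at the end,
# e.g. "contract.pdf<many spaces>.exe" as used to push ".exe" out of view.
PADDED_NAME = re.compile(r"\.[A-Za-z0-9]{1,5}\s{2,}(\.[A-Za-z0-9]+)$")


def suspicious_reasons(name: str) -> list[str]:
    """Return why an archive member name looks deceptive (empty list if it does not)."""
    reasons = []
    base = name.rsplit("/", 1)[-1]           # ignore any directory prefix
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if "." + ext in EXEC_EXTENSIONS:
        reasons.append(f"executable extension .{ext}")
    m = PADDED_NAME.search(base)
    if m:
        reasons.append(f"whitespace padding hides real extension {m.group(1)}")
    return reasons


def scan_zip_bytes(data: bytes) -> dict[str, list[str]]:
    """Map each flagged member of a ZIP archive to its list of reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = suspicious_reasons(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample attachment: one benign document and one padded-name executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("agenda.docx", b"harmless content")
        zf.writestr("invoice.pdf" + " " * 40 + ".exe", b"MZ placeholder")  # constructed lure name
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip_bytes(build_sample_zip()).items():
        print(repr(member), "->", "; ".join(why))
```

The same check applies to 7-Zip archives once their member names are listed; only the archive reader changes.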

Trend Micro has also analyzed the attacks and determined that the threat actor sent out the spear-phishing emails from compromised accounts, particularly ones belonging to attorneys and associates at various law firms.

According to the security firm, EyePyramid was written in .NET and it uses multiple layers of obfuscation to hide sensitive parts of the code, which made detection and analysis more difficult. Information about command and control (C&C) servers has also been “heavily obfuscated.”

“Based on our analysis, we can conclude that the de-obfuscation routine includes a decryption step, based on the 3DES cipher, along with MD5 followed by SHA256 of the input data,” said Federico Maggi, senior threat researcher at Trend Micro.

Trend Micro said the malware collects credentials, keystrokes and files. The data is then encrypted and exfiltrated to an email address controlled by the attacker using the MailBee.NET.dll APIs.

Kaspersky reported that its products had blocked more than 90 EyePyramid infection attempts. While 80 percent of these attempts were spotted in Italy, the malware was also detected in France, Indonesia, Monaco, Mexico, China, Taiwan, Germany and Poland.

Kaspersky says the malware is not sophisticated and not difficult to detect. The company also pointed out that the attackers had poor operational security (OPSEC) as they failed to hide their real IP addresses when launching attacks, and they used regular phone calls and WhatsApp to discuss their activities.

On the other hand, experts pointed out that despite the lack of sophistication, the attackers still managed to steal large amounts of data from victims without being identified for several years.

“As seen from other known cyberespionage operations, it’s not necessary for the attackers to use high profile malware, rootkits, or zero-days to run long-standing cyberespionage operations,” Kaspersky researchers said.

Related Reading: Cyberterrorist Attacks Unsophisticated but Effective, Says Former FBI Agent

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.