EyePyramid Malware Unsophisticated But Effective: Researchers

The EyePyramid malware used to steal information from Italian politicians, bankers and business leaders is not very sophisticated, but, as many successful espionage operations have shown, it doesn’t need to be.

Italian siblings Giulio Occhionero, 45, and Francesca Maria Occhionero, 48, have been arrested for targeting many high-profile individuals and organizations in hacker attacks. Authorities said more than 18,000 email accounts had been compromised and 87 gigabytes worth of data had been stolen.

The list of targets includes the president of the European Central Bank, a former prime minister, cardinals in the Vatican, political parties, ministries, technology and energy companies, and members of a Masonic lodge.

The attacks had been carried out since at least 2010 and relied on a piece of malware dubbed EyePyramid. Researchers from Kaspersky Lab found samples of the malware compiled in 2014 and 2015 and used them to obtain additional information on attack methods and targets.

According to experts, the attackers used social engineering and spear-phishing emails to deliver the malware to victims. The malware was attached to the emails as ZIP or 7Zip archives.

The EyePyramid executable file stored in these archives often had a name that included multiple spaces in order to hide its extension. The use of this simple technique points to the campaign’s low level of sophistication, Kaspersky researchers said.
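The extension-hiding trick described above is easy to check for on the defensive side. The following is an added example (not code from the article, Kaspersky or Trend Micro) that lists the members of a ZIP archive and flags file names where a run of whitespace or a document-looking inner extension sits in front of an executable extension; the archive contents are constructed placeholders, not real samples.

```python
import io
import re
import zipfile

# Extensions that execute on double-click on Windows (illustrative, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}

# Three or more spaces/tabs right before the final extension is almost never
# legitimate; the padding pushes the real extension out of the visible column.
PADDED_EXT_RE = re.compile(r"[ \t]{3,}\.[A-Za-z0-9]{1,5}$")
# A document extension followed (with optional padding) by a second extension.
DOUBLE_EXT_RE = re.compile(
    r"\.(pdf|doc|docx|xls|xlsx|txt|jpg|png)[ \t]*\.[A-Za-z0-9]{1,5}$", re.I
)


def classify_name(name: str) -> list[str]:
    """Return the reasons a file name looks like extension hiding (empty if none)."""
    reasons = []
    base = name.rsplit("/", 1)[-1]  # ZIP member paths use forward slashes
    ext = ("." + base.rsplit(".", 1)[-1]).lower() if "." in base else ""
    if ext in EXECUTABLE_EXTS:
        if PADDED_EXT_RE.search(base):
            reasons.append("whitespace padding before executable extension")
        if DOUBLE_EXT_RE.search(base):
            reasons.append("document extension followed by executable extension")
    return reasons


def scan_archive(data: bytes) -> dict[str, list[str]]:
    """Scan ZIP bytes and map each suspicious member name to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample() -> bytes:
    """Constructed sample archive: one benign member and one padded-name lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 benign placeholder")
        zf.writestr("contratto.pdf" + " " * 60 + ".exe", b"MZ placeholder, not a real PE")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_archive(build_sample()).items():
        print(repr(member), "->", "; ".join(why))
```

The same check can be applied to attachment names at the mail gateway before the archive is even opened.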

Trend Micro has also analyzed the attacks and determined that the threat actor sent out the spear-phishing emails from compromised accounts, particularly ones belonging to attorneys and associates at various law firms.

According to the security firm, EyePyramid was written in .NET and it uses multiple layers of obfuscation to hide sensitive parts of the code, which made detection and analysis more difficult. Information about command and control (C&C) servers has also been “heavily obfuscated.”

“Based on our analysis, we can conclude that the de-obfuscation routine includes a decryption step, based on the 3DES cipher, along with MD5 followed by SHA256 of the input data,” said Federico Maggi, senior threat researcher at Trend Micro.

Trend Micro said the malware collects credentials, keystrokes and files. The data is then encrypted and exfiltrated to an email address controlled by the attacker using the MailBee.NET.dll APIs.

Kaspersky reported that its products had blocked more than 90 EyePyramid infection attempts. While 80 percent of these attempts were spotted in Italy, the malware was also detected in France, Indonesia, Monaco, Mexico, China, Taiwan, Germany and Poland.

Kaspersky says the malware is not sophisticated and not difficult to detect. The company also pointed out that the attackers had poor operational security (OPSEC) as they failed to hide their real IP addresses when launching attacks, and they used regular phone calls and WhatsApp to discuss their activities.

On the other hand, experts pointed out that despite the lack of sophistication, the attackers still managed to steal large amounts of data from victims without being identified for several years.

“As seen from other known cyberespionage operations, it’s not necessary for the attackers to use high profile malware, rootkits, or zero-days to run long-standing cyberespionage operations,” Kaspersky researchers said.

Related Reading: Cyberterrorist Attacks Unsophisticated but Effective, Says Former FBI Agent

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.