EyePyramid – Police arrests two for hacking into emails of politicians, lawyers, entrepreneurs, and masons

Pierluigi Paganini January 12, 2017

Two Italian siblings have been arrested by Italian Police and they were charged with a long-running cyber espionage campaign.

This is a very intriguing story, two Italian siblings Giulio and Francesca Maria Occhionero gave been arrested by Italian Police and they were charged with a long-running cyber espionage campaign that targeted Italian politicians, lawyers, entrepreneurs, and masons. The president of the European Central Bank, Mario Draghi, two former Italian prime ministers, Matteo Renzi and Mario Monti, and also the Cardinal Gianfranco Ravasi were victims of the cyber spies.

The suspects used a malware known as EyePyramid, a name that conjures to mind the Masonic symbolism.

Giulio Occhionero is a member of the Grand Orients Masonic lodge, and among the victim of his espionage activity, there are other members of the Italian lodge, including the grand master of Italy.

In all, it appears that more than 18,000 email accounts may have been compromised. Draghi’s ECB account is not thought to have been compromised, and there is no evidence that any ECB account has been compromised.

“There were tens of thousands of email accounts hacked, and among them were accounts belonging to bankers, businessmen and even several cardinals in the Vatican,” Roberto Di Legami, head of the specialized police cyber unit that conducted the investigation, told Reuters.”

The attacker behind the EyePyramid launched spear-phishing campaigns aimed to compromise email accounts of the targeted people, particularly those belonging to attorneys and associates in several law firms.

“Once opened, the malicious attachment, which is actually the aforementioned malware, bootstraps and concludes its loading routine by planting a copy of itself with a pseudo-random name and an .exe extension” wrote TrendMicro.

Which is the motivation?

Difficult to say considering to say that it is still not clear which information was stolen and who accessed it. Data exfiltrated by the EyePyramid malware was sent to servers in the US. The police already seized two servers that acted as Command and Control for the botnet managed by Occhionero. We have to wait forensic investigation of the machine in order to gather more information.

The court order refers that data was organized in more than 120 categories, two in particular have captured the attention of the media:

  • A category named ‘BROS’ containing emails relating to a Masonic lodge.
  • A category named ‘POBU’ containing emails relating to politicians.

The stolen information was carefully filed in more than 120 categories, including a folder named ‘BROS’ containing emails relating to a Masonic lodge, and another regarding politicians was named ‘POBU’ for Politicians Business.

According to Kaspersky Lab 80% of detections are in Italy, no surprise there. Found in a few other countries too. The researchers have identified 44 EyePyramid samples, most of them compiled in 2014 and 2015.

If you are interested in the EyePyramid malware analysis, let me suggest you the following ones:

Some security experts also speculate a link to international espionage campaign conducted by intelligence agencies, including the NSA and Project Sauron APT. At the time I was writing this is just a speculation because data publicly available doesn’t confirm it.

I personally believe that several people are involved in the EyePyramid cyber espionage campaign, I also speculate that people that worked on the code have deliberately left evidence that are linked to the suspects involved in the espionage campaign.

Let’s read Federico Maggi’s analysis:

  1. cooked (or, better, modified an existing) malware that, among the traditional C2 communication techniques, it leverages MailBee.NET.dll APIs (a .NET library used for building mail software) to send the exfiltrated data out to dropzones. In particular, one of the MailBee license keys used by the malware writer is (? = uknownw) MN600-D8102?501003102110C5114F1?18-0E8CI (other keys are reported below)
    1. comprmised (we don’t know how) some email accounts (at least 15, from what we know). In particular, accounts belonging to various attorneys and associates,
    2. the attacker (or the malware, it’s not really clear) connects via Tor (for what is worth, the only known exit node is 37.49.226[.]236)
  2. using an email mail server (among the known ones, Aruba’s MX 62.149.158[.]90) the attacker sends spear-phisihing email messages to the victims using the compromised accounts s the sender, containing a malicious attachment (unverified information: someone believes the attachment is a PDF)
  3. wait for the victims to open the attachment, which drops the malware executable
    1. the malware sends exfiltrated data to various dropzones (i.e., email addresses in use by the attacker)

Basically, this means that the person that avoided for years defensive measures of the victim is the same that used in its malware a library (MailBee.NET.dll APIs) having his personal license number. Again Occhionero has used Hosts/domains (some are C&C) that are linked to its person.

“The malware may initially appear to be a naïve piece of code written in .NET (>= 4.5.x), but an in-depth look reveals otherwise. After standard obfuscation, which can be reversed with off-the-shelf tools, the sensitive parts of the decompiled source code are obfuscated, which made detection and analysis trickier. For instance, information about the command & control server’s URL and the MailBee’s license key (allegedly purchased under the attacker’s name), were heavily obfuscated.” reads the analysis published by TrendMicro. “Based on our analysis, we can conclude that the de-obfuscation routine includes a decryption step, based on the 3DES cipher, along with MD5 followed by SHA256 of the input data.”

Very strange, what do you think about?

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – EyePyramid, malware)



you might also like

leave a comment