Pierluigi Paganini January 13, 2017

Let’s try to analyze some facts about the Italian EyePyramid espionage campaign. Prof. Corrado Aaron Visaggio helped us in this difficult task.

The Italian EyePyramid espionage campaign raised to me two simple questions:

(i) Are the criminals geniuses or dummies?

(ii) How can an old, known, easy-to-detect malware infect so many machines belonging to different perimeters for so long time, but only in Italy?

This cyber-espionage appears as a naive mixture of sophisticated and amateur techniques. The choice of the spyware (amateur) is the first strange thing: EyePyramid is an old and known malware.

Kaspersky reported that its products had blocked more than 90 EyePyramid infection attempts. While 80 percent of these attempts were spotted in Italy, the malware was also detected in France, Indonesia, Monaco, Mexico, China, Taiwan, Germany and Poland.

Kaspersky says the malware is not sophisticated and not difficult to detect. The company also pointed out that the attackers had poor operational security (OPSEC) as they failed to hide their real IP addresses when launching attacks, and they used regular phone calls and WhatsApp to discuss their activities.

“In general, the operation had very poor OPSEC (operational security); the suspects used IP addresses associated with their company in the attacks, discussed the victims using regular phone calls and through WhatsApp and, when caught, attempted to delete all the evidence.”

“This indicates they weren’t experts in the field but merely amateurs, who nevertheless succeeded in stealing considerably large amounts of data from their victims. As seen from other known cyberespionage operations, it’s not necessary for the attackers to use high profile malware, rootkits, or zero-days to run long-standing cyberespionage operations.” reads the analysis published by Kaspersky on EyePyramid.

The final victims were infected by emails sent by compromised accounts belonging to several attorneys and associates in several law firms (sophisticated) but data was exfiltrated as attached to emails sent to a small set of e-mail addresses (amateur).

The malware was a customized (sophisticated) version of a very old malware (about 1995) (Amateur), with a weak obfuscation (amateur), but that makes use of reflection (sophisticated).

The malware has been updated during all the duration of the espionage (likely 4-6 years) in order to make it evasive to detection and to add more advanced spying functions, like intercepting the keying of specific words (sophisticated), but the stolen data resided on a couple of servers regularly and directly accessed by the supposed authors of the espionage (amateur).

It is interesting to note that the purchase of the paid library has led the authorities to the identity of the persons behind the campaign (amateur), since the cyber criminals used a licensed library -MailBee.Net- that they regularly paid, to send the exfiltrated data out to dropzones.

Are these criminals geniuses or dummies?

The second observation regards some concerns about “how” a similar software can stay resident for years in so many machines that should be placed within several different perimeters, that are supposed to be protected and monitored.

Concern number 1: is it really so easy to infect the machines of key people of a Nation’s Government (and further equally important Institutions and Organizations), with a very old and unsophisticated malware?

Concern number 2: The malware remains active for several years and the attackers were able to update it in order to evade the detection: did the attackers know how the operating environment of the victims changed over time and so did they adapt properly the malware?

Concern number 3: C&C centers usually make use of fluxing techniques (for IP or domains) for masquerading themselves. In this case, the dropzones where a small number of domains or e-mail addresses. So exfiltrated data was sent continuously to a fixed and small number of dropzones. How could this activity (easy to classify as an anomaly) pass unnoticed to a monitoring system for a so long time?

Concern number 4: if the malware was easy to detect, as claimed by Kasperksy, why it remained undetected on so many machines, in different perimeters, for a so long time?

References

• https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/
• http://blog.trendmicro.com/trendlabs-security-intelligence/eye-storm-look-eyepyramid-malware-supposedly-used-high-profile-hacks-italy/
• https://github.com/eyepyramid/eyepyramid
• https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Pyramid.aspx
• http://www.securityweek.com/eyepyramid-malware-unsophisticated-effective-researchers

https://it.linkedin.com/in/corrado-aaron-visaggio-629839/it

About the author Corrado Aaron Visaggio

Professor of CyberSecurity at the Department of Engineering, University of Sannio,

CINI CyberSecurity Lab

ECSO member-  European CyberSecurity Organization

ISWATLAB

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Eyepyramid, cyber espionage)