The EyePyramid malware used to steal information from Italian politicians, bankers and business leaders is not very sophisticated, but, as many successful espionage operations have shown, it doesn’t need to be.
Italian siblings Giulio Occhionero, 45, and Francesca Maria Occhionero, 48, have been arrested for targeting many high-profile individuals and organizations in hacker attacks. Authorities said more than 18,000 email accounts had been compromised and 87 gigabytes worth of data had been stolen.
The list of targets includes the president of the European Central Bank, a former prime minister, cardinals in the Vatican, political parties, ministries, technology and energy companies, and members of a Masonic lodge.
The attacks had been carried out since at least 2010 and relied on a piece of malware dubbed EyePyramid. Researchers from Kaspersky Lab found samples of the malware compiled in 2014 and 2015 and used them to obtain additional information on attack methods and targets.
According to experts, the attackers used social engineering and spear-phishing emails to deliver the malware to victims. The malware was attached to the emails as ZIP or 7Zip archives.
The EyePyramid executable file stored in these archives often had a name that included multiple spaces in order to hide its extension. The use of this simple technique points to the campaign’s low level of sophistication, Kaspersky researchers said.
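A mail-gateway style check for the padded-filename trick described above, added here as an example; it is not code from the article, Kaspersky or Trend Micro, and the extension list and sample archive listing are constructed for illustration.

```python
import re

# Extensions Windows runs directly when double-clicked (constructed list, not exhaustive).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "jar"}

# Two or more spaces/tabs immediately before the final extension, e.g. "a.pdf      .exe".
PADDED_EXT_RE = re.compile(r"[ \t]{2,}\.([A-Za-z0-9]{1,5})$")
# A decoy extension, optional whitespace, then the real extension, e.g. "a.pdf .exe".
DOUBLE_EXT_RE = re.compile(r"\.([A-Za-z0-9]{1,5})[ \t]*\.([A-Za-z0-9]{1,5})$")


def classify_attachment_name(name: str) -> list[str]:
    """Return the reasons an attachment filename looks like extension hiding.

    An empty list means the name showed none of the checked patterns.
    """
    reasons = []
    stripped = name.rstrip()  # trailing whitespace after the real extension is irrelevant
    final_ext = stripped.rsplit(".", 1)[-1].lower() if "." in stripped else ""

    if PADDED_EXT_RE.search(stripped):
        reasons.append("whitespace padding pushes the real extension out of view")

    m = DOUBLE_EXT_RE.search(stripped)
    if m:
        decoy, real = m.group(1).lower(), m.group(2).lower()
        if real in EXECUTABLE_EXTENSIONS and decoy not in EXECUTABLE_EXTENSIONS:
            reasons.append(f"decoy '.{decoy}' masks executable '.{real}'")

    if final_ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"directly executable attachment '.{final_ext}'")
    return reasons


def scan_attachments(names):
    """Map each filename in an archive listing to its findings, dropping clean names."""
    return {n: r for n in names if (r := classify_attachment_name(n))}


# Constructed archive listing; the first entry mimics the space-padded name from the article.
SAMPLE_LISTING = [
    "Relazione 2015.pdf                                        .exe",
    "foto.jpg .scr",
    "contratto.docx",
    "setup.exe",
]

if __name__ == "__main__":
    for name, findings in scan_attachments(SAMPLE_LISTING).items():
        print(repr(name), "->", "; ".join(findings))
```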
Trend Micro has also analyzed the attacks and determined that the threat actor sent out the spear-phishing emails from compromised accounts, particularly ones belonging to attorneys and associates at various law firms.
According to the security firm, EyePyramid was written in .NET and it uses multiple layers of obfuscation to hide sensitive parts of the code, which made detection and analysis more difficult. Information about command and control (C&C) servers has also been “heavily obfuscated.”
“Based on our analysis, we can conclude that the de-obfuscation routine includes a decryption step, based on the 3DES cipher, along with MD5 followed by SHA256 of the input data,” said Federico Maggi, senior threat researcher at Trend Micro.
Trend Micro said the malware collects credentials, keystrokes and files. The data is then encrypted and exfiltrated to an email address controlled by the attacker using the MailBee.NET.dll APIs.
Kaspersky reported that its products had blocked more than 90 EyePyramid infection attempts. While 80 percent of these attempts were spotted in Italy, the malware was also detected in France, Indonesia, Monaco, Mexico, China, Taiwan, Germany and Poland.
Kaspersky says the malware is not sophisticated and not difficult to detect. The company also pointed out that the attackers had poor operational security (OPSEC) as they failed to hide their real IP addresses when launching attacks, and they used regular phone calls and WhatsApp to discuss their activities.
On the other hand, experts pointed out that despite the lack of sophistication, the attackers still managed to steal large amounts of data from victims without being identified for several years.
“As seen from other known cyberespionage operations, it’s not necessary for the attackers to use high profile malware, rootkits, or zero-days to run long-standing cyberespionage operations,” Kaspersky researchers said.