posairish.blogg.se

Download grabit bit










Kaspersky Lab has just publicized the discovery of a new cyber-espionage campaign. Unlike previous threats, it’s targeting smaller entities – namely SMBs. Grabit is a rather fresh campaign: the data gathered so far indicates it launched some time in late February 2015. As almost half of the total number of infections (44.87%) occurred in Thailand (with India as a distant second – 24.36% and US as an even more distant third – 10.26%), it could have been a local operation. Still, the first samples arrived to Kaspersky Lab’s experts from the company’s partners in USA.

#Grabit – an #SMB-targeting spy campaign.

Grabit gets distributed via a Microsoft Office Word (.doc) email attachment containing a malicious macro AutoOpen. The following is a quote from Securelist’s thorough (as usual) analysis of the malware:

“This macro simply opens a socket over TCP and sends an HTTP request to a remote server that was hacked by the group to serve as a malware hub, before downloading the malware. In some cases the malicious macro was password protected, but our threat actor might have forgotten that a .doc file is actually an archive and when that archive is opened in a convenient editor of your choice, the macro strings are shown in clear-text.”

The attackers control their victims using HawkEye keylogger, a commercial spying tool from HawkEyeProducts, and a configuration module containing a number of Remote Administration Tools (RATs).

According to Kaspersky Lab’s researchers, the malware actually does little to hide its presence, although it has a very serious protection from analysis: “a weak knight in a heavy armor”, Securelist says. “Its binaries are not deleted in most cases, and its communication is in clear-text, where the victim can sniff the communication and grab the FTP/SMTP server’s credentials.” The malware is in plain view, modifying commonplace registry entries, such as the startup configurations, and not covering its tracks.











