Several weeks ago, the release of court documents revealed a long-standing cyber espionage campaign aimed at Italian politicians and businesspeople, law firms, state institutions and law enforcement agencies, and many others.
Allegedly run by two Italian siblings, Giulio Occhionero and Francesca Maria Occhionero, the campaign was aimed at discovering sensitive information that could be used by the two to improve their fortunes.
The EyePyramid malware
The spyware they used to execute the information theft was dubbed EyePyramid, and it’s a formidable grabber and stealer of screenshots, keystrokes, documents, databases, and of the contents of emails, messages, and calendars.
But the most interesting thing about the whole story is that EyePyramid was developed and used for at least six years, allegedly by Giulio Occhionero, yet it was flagged only a handful of times during that period.
This low profile must be at least in part due to the sparing use of the malware and the extremely targeted nature of the campaigns.
The malware also hides itself well, not least from the 70+ antivirus products and security suites whose processes it blocks and disables as it establishes a foothold on a target machine.
But, while it is still undetermined who the author of the malware is, it’s highly likely that we haven’t seen the last of it.
“We are looking at a body of malware that is (in part) easily disassembled via various .NET binary disassembly tools. Knowing that, there is no reason to assume that some or all of the code won’t make its way into other in-the-wild malware (if it hasn’t already),” Jim Walter, senior member of Cylance’s SPEAR team, told Help Net Security.
EyePyramid enables easier access for other attackers
To make a bad situation even worse, victims of this particular malware can be victimized by other attackers more easily, as the malware lowers the security posture of affected Windows machines.
First, as noted above, EyePyramid stops many security solutions from functioning.
Second, it lowers the system’s security settings by disabling User Account Control (UAC) for local logons and the UAC remote restrictions, so that any local or remote user belonging to the machine’s local Administrators group gets full administrator access.
Third, the malware disables the Windows Firewall, automatic Windows updates, the Windows Security Center service and the Windows Action Center.
EyePyramid also tries to create a local administrator account and add it to the Domain Admins group in Active Directory, so that it can make system changes with administrative privileges, connect to remote systems, and so on.
Finally, it also tampers with Microsoft Office’s protections by setting the security level of the applications in the suite to the lowest setting, which lets macros run automatically, lets executables and scripts attached to emails be shown to the user, and so on.
“All of these modifications open a huge gap in the user’s security posture, leaving them vulnerable to future malware attacks,” Cylance researchers have warned.
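To turn the list above into something a responder can actually run, here is an audit script, added to this article and not part of the original piece or of Cylance’s research, that checks each of the settings described (UAC and its remote restrictions, the firewall profiles, automatic updates and the services behind updating, Security Center and the firewall, the Action Center icon policy, Office macro and Outlook attachment settings, and local and domain administrator group membership) and reports the ones it finds in the weakened state. The registry paths and the meaning of each value are the Microsoft-documented ones; the list of Office versions to check and the decision to print group membership for review rather than flag it automatically are assumptions of the example.

```powershell
# Added example, not code from the Help Net Security article or from Cylance:
# audit the Windows and Office settings that the article says EyePyramid
# weakens, and report any that are in the weakened state. Registry paths and
# value meanings are the Microsoft-documented ones; the Office version list is
# an assumption. Run from an elevated prompt as the user whose Office settings
# you want to inspect (the Office and Action Center values live under HKCU).

$findings = New-Object 'System.Collections.Generic.List[string]'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: treat as "not set"
}

# 1. UAC for local logons (EnableLUA = 0 turns UAC off) and UAC remote
#    restrictions (LocalAccountTokenFilterPolicy = 1 gives remote local admins
#    a full, unfiltered token over the network).
$sysPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ((Get-RegValue $sysPolicy 'EnableLUA') -eq 0) {
    $findings.Add('UAC disabled (EnableLUA = 0)')
}
if ((Get-RegValue $sysPolicy 'LocalAccountTokenFilterPolicy') -eq 1) {
    $findings.Add('UAC remote restrictions disabled (LocalAccountTokenFilterPolicy = 1)')
}

# 2. Windows Firewall, per profile (EnableFirewall = 0 means off).
$fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
foreach ($fwProfile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
    if ((Get-RegValue "$fwBase\$fwProfile" 'EnableFirewall') -eq 0) {
        $findings.Add("Windows Firewall disabled for $fwProfile")
    }
}

# 3. Automatic updates (NoAutoUpdate policy = 1 or AUOptions = 1 switch them
#    off), plus the services behind updating, Security Center and the firewall.
$auPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$auUser   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
if ((Get-RegValue $auPolicy 'NoAutoUpdate') -eq 1 -or (Get-RegValue $auUser 'AUOptions') -eq 1) {
    $findings.Add('Automatic Windows updates turned off')
}
foreach ($svcName in 'wuauserv', 'wscsvc', 'MpsSvc') {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svcName'"
    if ($svc -and $svc.StartMode -eq 'Disabled') {
        $findings.Add("Service $svcName ($($svc.DisplayName)) is disabled")
    }
}
# Action Center icon removed via the "Remove the Action Center icon" policy.
if ((Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'HideSCAHealth') -eq 1) {
    $findings.Add('Action Center icon hidden (HideSCAHealth = 1)')
}

# 4. Office macro and attachment protections. VBAWarnings = 1 is "Enable all
#    macros" (the lowest level); in Outlook, ShowLevel1Attach = 1 and a
#    non-empty Level1Remove expose attachment types Outlook normally blocks.
$officeVersions = '12.0', '14.0', '15.0', '16.0'   # assumption: Office 2007 to 2016/365
foreach ($v in $officeVersions) {
    foreach ($app in 'Word', 'Excel', 'PowerPoint', 'Outlook', 'Access') {
        if ((Get-RegValue "HKCU:\Software\Microsoft\Office\$v\$app\Security" 'VBAWarnings') -eq 1) {
            $findings.Add("$app $v macro security set to 'Enable all macros' (VBAWarnings = 1)")
        }
    }
    $olSec = "HKCU:\Software\Microsoft\Office\$v\Outlook\Security"
    if ((Get-RegValue $olSec 'ShowLevel1Attach') -eq 1) {
        $findings.Add("Outlook $v shows Level 1 (normally blocked) attachments")
    }
    $unblocked = Get-RegValue $olSec 'Level1Remove'
    if ($unblocked) { $findings.Add("Outlook $v unblocks attachment types: $unblocked") }
}

# 5. Privileged group membership. The script cannot know which accounts are
#    legitimate, so it prints them for review; an unexplained local admin that
#    also shows up in Domain Admins is the pattern described in the article.
$noise = '^(Alias name|Group name|Comment|Members|-+|The command|The request)'
$localAdmins  = net localgroup Administrators 2>$null | Where-Object { $_ -and $_ -notmatch $noise }
$domainAdmins = net group 'Domain Admins' /domain 2>$null | Where-Object { $_ -and $_ -notmatch $noise }
"Local Administrators members: $($localAdmins -join ', ')"
if ($domainAdmins) { "Domain Admins members: $($domainAdmins -join ', ')" }

if ($findings.Count -eq 0) { 'No weakened settings found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

The HKCU checks only see the hive of the account running the script, so on a shared machine run it as the account the victim used (or load that user’s NTUSER.DAT under HKU and adjust the paths). The `net group /domain` query only succeeds on a domain-joined host and is silently skipped otherwise. Treat a hit on any of the first four sections as an indicator worth correlating with process and registry timelines, since legitimate administrators rarely change all of these at once.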