Endpoint

5/28/2015
04:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Small-to Mid-sized Organizations Targeted By 'Grabit' Cyberspies

Rare SMB-focused cyber espionage campaign hitting small firms worldwide.

Yet another reminder that even small companies aren't immune from cyber espionage hacks: researchers have discovered an aggressive attack campaign against SMBs around the globe that appears to be targeting the chemical, nanotechnology, education, agriculture, media, and construction sectors for intelligence purposes.

Kaspersky Lab researchers today gave details about the newly discovered Grabit malware and its attack campaign that has been underway since February of this year and remains active. The cyber espionage attack has stolen some 10,000 files from victims mostly in Thailand, India, and the US; but Kaspersky has seen victims in the United Arab Emirates, Germany, Israel, Canada, France, Austria, Sri Lanka, Chile, and Belgium.

The attackers appear to be after everything from credentials to system information. "Based on our research, we’ve seen that credentials is not the main focus and that Grabit collects internal information about the system – firewall, anti-virus installed, machine name, internal/external IPs, keylog, screenshots, machine time [and] language and more," says Ido Naor, senior security researcher for Kaspersky Lab's Global Research & Analysis Team.

Naor says he and his fellow researchers are still studying just what type of information Grabit's attackers are ultimately after. He doesn't believe the SMB targets are being used as stepping stones to bigger targets, either. "Although one victim had a very sensitive set of credentials stolen, we still haven’t seen any bridge between the SMBs and any organization that could be seen as the final targeted destination," he says.

He says it's unusual to see a cyberespionage campaign specifically targeting SMBs. "I actually haven’t seen an SMB's malware that targeted this amount of victims before. The group behind Grabit have [a] developed plan. Through our research we are doing what we can to intercept it," Naor says.

The researchers stopped short of speculating just who or what nation or region is behind the attack, but note that Thailand and India had the most infected machines overall.

Source: Kaspersky lab
Source: Kaspersky lab

The attack begins with a phishing email outfitted with a malicious Word document. Once the user opens the attachment, the malware is delivered to the user's machine via a remote (and actually compromised) legitimate server that hosts the malware, which is based on the infamous commercial HawkEye keylogger kit used for cyberspying. The attackers also deliver several remote administration tools, or RATs, to the victim.

"The decoy document is not leveraging any exploit or zero-day to bypass the victim's judgment. Instead, it waits for the attacker's call to enable the macro," he says. "This type of attack matches the victim’s profile: a manager/director, who usually opens many documents.”

Kaspersky Lab researchers found that a keylogger from one of the attacker's command-and-control servers had stolen 2,887 passwords, 1,052 email messages, and 3,024 usernames from some 4,928 different host machines at the victim SMBs. Among the booty: Outlook, Facebook, Skype, Gmail, Pinterest, Yahoo, LinkedIn, Twitter, and online banking accounts.

The attack group appears a bit scattershot, with a combination of weak security and sophisticated methods to avoid discovery, according to Kaspersky. In one case, the malware was phoning home out in the open and easily spotted. "In addition, the files themselves were not programmed to make any kind of registry maneuvers that would hide them from Windows Explorer. Taking that into an equation, it seems that the threat actors are sending a “weak knight in a heavy armor” to war. "It means that whoever programmed the malware did not write all the code from scratch," Kaspersky  senior security researcher Ido Naor wrote in a blog post today.

But they also use obfuscation, strong encryption, and ASLR to make it more difficult for researchers to discover and analyze the malware. "Along with these different sizes, activities, and obfuscation, a serious encryption algorithm was also implemented in each one of them. The proprietary obfuscated string, methods and classes made it rather challenging to analyze," Naor blogged. "ASLR [Address Space Layout Randomization] is also enabled, which might point to an open source RAT or even a commercial framework that packed the malicious software in a well written structure."

There are a few ways to check for Grabit infections, according to Kaspersky: the C:\Users\<PC-NAME>\AppData\Roaming\Microsoft area of a user's machine has executable files; or if the Windows System Configuration includes "grabit1.exe" in the startup table. "Run “msconfig” and ensure that it is clean from grabit1.exe records," Kaspersky Lab said in its blog post today.

 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
5/29/2015 | 10:28:18 AM
Re: sophisticated stuff
My first question to Kaspersky Lab was whether these orgs were just a means to an end, or stepping stones to a bigger-fish target. But they said that was not the case, which I think is really interesting. 
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
5/29/2015 | 10:16:04 AM
sophisticated stuff
This is fascinating, Kelly. My first thought was that it was awfully sophisticated stuff to go after SMBs, but on second thought, the SMBs it was going after weren't exactly flower shops, were they? They might have been smaller in size, but not necessarily in technological sophistication themselves.

Maybe we need to reassess how we think about SMBs.
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
Lessons from My Strange Journey into InfoSec
Lysa Myers, Security Researcher, ESET,  7/12/2018
What's Cooking With Caleb Sima
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14332
PUBLISHED: 2018-07-19
An issue was discovered in Clementine Music Player 1.3.1. Clementine.exe is vulnerable to a user mode write access violation due to a NULL pointer dereference in the Init call in the MoodbarPipeline::NewPadCallback function in moodbar/moodbarpipeline.cpp. The vulnerability is triggered when the user...
CVE-2018-1529
PUBLISHED: 2018-07-19
IBM Rational DOORS Next Generation 5.0 through 5.0.2, 6.0 through 6.0.5 and IBM Rational Requirements Composer 5.0 through 5.0.2 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potential...
CVE-2018-1535
PUBLISHED: 2018-07-19
IBM Rational Rhapsody Design Manager 5.0 through 5.0.2 and 6.0 through 6.0.5 and IBM Rational Software Architect Design Manager 5.0 through 5.0.2 and 6.0 through 6.0.1 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus alteri...
CVE-2018-1536
PUBLISHED: 2018-07-19
IBM Rational Rhapsody Design Manager 5.0 through 5.0.2 and 6.0 through 6.0.5 and IBM Rational Software Architect Design Manager 5.0 through 5.0.2 and 6.0 through 6.0.1 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus alteri...
CVE-2018-1585
PUBLISHED: 2018-07-19
IBM Rational Rhapsody Design Manager 5.0 through 5.0.2 and 6.0 through 6.0.5 and IBM Rational Software Architect Design Manager 5.0 through 5.0.2 and 6.0 through 6.0.1 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus alteri...