11 June 2015

The GRABIT Cyber Espionage System

SPAMfighter News
June 9, 2015

Campaign of Cyber-Espionage Nicknamed ‘Grabit’ Targets SMBs - Kaspersky

Security firm Kaspersky has discovered a new business-oriented cyber-spying campaign known as ‘Grabit’, which could steal around 10,000 files from small and medium-sized organisations based mostly in India, Thailand and the US. Other affected countries include Germany, UAE, Canada, Israel, Austria, France, Chile, Sri Lanka and Belgium.

The sectors targeted are nanotechnology, chemicals, agriculture, education, construction, media and many more.

We see many spying campaigns focused on government organisations, enterprises and other high-profile entities, while small and medium-sized businesses rarely appear on the lists of targets. Kaspersky observed that Grabit shows it is not just a “big fish” game - in the cyber world every single organisation, whether it has money, political influence or information, could be of potential interest to one malicious actor or another.

Firstpost.com published news on 29th May, 2015 quoting Ido Naor, Senior Security Researcher with the Global Research & Analysis Team of Kaspersky Lab, as saying: “a simple Grabit keylogger was found to be maintaining thousands of victim account credentials from hundreds of infected systems on 15th May 2015 and this threat should not be underestimated.”

The attack starts with a phishing email carrying a tainted Word document. Once the victim opens the attachment, the malware is delivered to the victim’s machine from a remote (and actually hijacked) legitimate server hosting it. The malware is based on the notorious commercial HawkEye keylogger kit, which is commonly employed for cyber-spying. The threat actors also deliver several remote administration Trojans (RATs) to the victim’s computer.

Illustrating the scale of the campaign, Kaspersky revealed that the keylogger reporting to a single C2 (command-and-control) server had stolen 2887 passwords, 3023 usernames and 1053 emails from various internal and external hosts, including Facebook, Outlook, Google mail, Skype, Yahoo, Pinterest, LinkedIn and Twitter, along with bank accounts and others.

However, researchers were most puzzled by the fact that the RAT has no functionality to conceal its activity, which points towards an erratic group of cyber crooks in which some members are more tech-savvy and focused than their counterparts.

Kaspersky Lab recommends that all businesses update their security software and train their employees in order to avoid any damage from the malware.
