On January 10, 2017, a court order was declassified by the Italian police, in regards to a chain of cyberattacks directed at top Italian government members and institutions.
The attacks leveraged a malware named “EyePyramid” to target a dozen politicians, bankers, prominent freemasons and law enforcement personalities in Italy. These included Fabrizio Saccomanni, the former deputy governor of the Bank of Italy, Piero Fassino, the former mayor of Turin, several members of a Masonic lodge, Matteo Renzi, former prime minister of Italy and Mario Draghi, another former prime minister of Italy and now president of the European Central Bank.
The malware was spread using spear-phishing emails and the level of sophistication is low. However, the malware is flexible enough to grant access to all the resources in the victim’s computer.
During the investigation, involved LEAs found more than 100 active victims in the server used to host the malware, as well as indications that during the last few years the attackers had targeted around 16,000 victims. All identified victims are in Italy, most of them being Law Firms, Consultancy services, Universities and even Vatican Cardinals.
Evidence found on the C&C servers suggests that the campaign was active since at least March 2014 and lasted until August 2016. However, it is suspected that the malware was developed and probably used years before, possibly as far back to 2008.
Two suspects were arrested on January 10th, 2017 and identified as 45-year-old nuclear engineer Giulio Occhionero and his 47-year-old sister Francesca Maria Occhionero.
Although the Italian Police Report doesn’t include malware hashes, it identified a number of C&C servers and e-mails addresses used by the malware for exfiltration of stolen data.
Excerpt from the Italian court order on #EyePyramid
Some of the e-mail addresses used for exfiltration and C&C domains outlined by the police report follow:
|E-mail Addresses used for exfiltration|
Based on these indicators we’ve quickly written a YARA rule and ran it through our systems, in order to see if it matches any samples.
Here’s how our initial “blind”-written YARA rule looked like:
To build the YARA rule above we’ve used every bit of existing information, such as custom e-mail addresses used for exfiltration, C&C servers, licenses for the custom mailing library used by the attackers and specific IP addresses used in the attacks.
Once the YARA rule was ready, we’ve ran it on our malware collections. Two of the initial hits were:
|File size||1396224 bytes|
|Type||Win32 PE file|
|Compilation Timestamp||Fri Nov 19 12:25:00 2010|
|File size||1307648 bytes|
|Type||Win32 PE file|
|Compilation timestamp||Fri Sep 17 11:48:59 2010|
These two samples allowed us to write a more specific and more effective YARA rule which identified 42 other samples in our summary collections.
At the end of this blogpost we include a full list of all related samples identified.
Although very thorough, the Police Report does not include any technical details about how the malware was spread other than the use of spear phishing messages with malicious attachments using spoofed email addresses.
Nevertheless, once we were able to identify the samples shown above we used our telemetry to find additional ones used by the attackers for spreading the malware in spear-phishing emails. For example:
From: Di Marco Gianmaria
Subject: ricezione e attivazione
Attachment: contatto.zip//Primarie.accdb (…) .exe
From: Michelangelo Giorgianni
Subject: R: Re: CONVOCAZIONE]
Time: 2014/01/28 17:28:56]
Attachment: Note.zip//sistemi.pdf (…) .exe
Other attachment filenames observed in attacks include:
- Segnalazioni.doc (…) 7z.exe
- Final Eight 2012 Suggerimenti Uso Auricolari.exe
- Fwd Re olio di colza aggiornamento prezzo.exe
- Eventi.bmp (…) .exe
- Quotidiano.mdb (…) _7z.exe
- Notifica operazioni in sospeso.exe
As can be seen the spreading relied on spearphishing e-mails with attachments, which relied on social engineering to get the victim to open and execute the attachment. The attachments were ZIP and 7zip archives, which contained the EyePyramid malware.
Also the attackers relied on executable files masking the extension of the file with multiple spaces. This technique is significant in terms of the low sophistication level of this attack.
High profile victims
Potential high-profile Italian victims (found as recipients of spear-phishing emails according to the police report) include very relevant Italian politicians such as Matteo Renzi or Mario Draghi.
It should be noted however there is no proof than any of them got successfully infected by EyePyramid – only that they were targeted.
Of the more than 100 active victims found in the server, there’s a heavy interest in Italian law firms and lawyers. Further standout victims, organizations, and verticals include:
|Professional firms, Consultants||Universities||Vaticano|
Based on the KSN data for the EyePyramid malware, we observed 92 cases in which the malware was blocked, of which the vast majority (80%) of them were in Italy. Other countries where EyePyramid has been detected includes France, Indonesia, Monaco, Mexico, China, Taiwan, Germany and Poland.
Assuming their compilation timestamp are legit – and they do appear correct, most of the samples used in the attacks have been compiled in 2014 and 2015.
Although the “EyePyramid” malware used by the two suspects is neither sophisticated nor very hard to detect, their operation successfully compromised a large number of victims, including high-profile individuals, resulting in the theft of tens of gigabytes of data.
In general, the operation had very poor OPSEC (operational security); the suspects used IP addresses associated with their company in the attacks, discussed the victims using regular phone calls and through WhatsApp and, when caught, attempted to delete all the evidence.
This indicates they weren’t experts in the field but merely amateurs, who nevertheless succeeded in stealing considerably large amounts of data from their victims.
As seen from other known cyberespionage operations, it’s not necessary for the attackers to use high profile malware, rootkits, or zero-days to run long-standing cyberespionage operations.
Perhaps the most surprising element of this story is that Giulio Occhionero and Francesca Maria Occhionero ran this cyber espionage operation for many years before getting caught.
Kaspersky Lab products successfully detect and remove EyePyramid samples with these verdicts:
A full report #EyePyramid, including technical details of the malware, is available to customers of Kaspersky APT Intelligence Services. Contact: intelreports (at) kaspersky [dot] com.
To learn how to write YARA rules like a GReAT Ninja, consider taking a master class at Security Analyst Summit. – https://sas.kaspersky.com/#trainings
References and Third-Party Articles
Indicators of Compromise
Related hashes identified by @GaborSzappanos:
Malicious attachments filenames (weak indicators):
contatto.zip//Primarie.accdb (…) .exe
Note.zip//sistemi.pdf (…) .exe
Segnalazioni.doc (…) 7z.exe
Final Eight 2012 Suggerimenti Uso Auricolari.exe
Fwd Re olio di colza aggiornamento prezzo.exe
Eventi.bmp (…) .exe
Quotidiano.mdb (…) _7z.exe