Uncovering the Inner Workings of EyePyramid

Two Italians referred to as the “Occhionero brothers” have been arrested and accused of using malware and a carefully-prepared spear-phishing scheme to spy on high-profile politicians and businessmen. This case has been called “EyePyramid”, which we first discussed last week. (Conspiracy theories aside, the name came from a domain name and directory path that was found during the research.)

The court order was published by AGI, an Italian news agency, around noon on January 11. It (surprisingly) contains multiple technical details which we used to bootstrap our initial analysis. This post builds on the details of the case to provide a more complete and in-depth view of the activities of this campaign.

Scope of this analysis

We have analyzed nearly 250 distinct samples, with new batches of EyePyramid-related samples seen and identified daily. Right after our initial analysis, about a dozen suspicious samples were uploaded to VirusTotal and tagged as “#eyepyramid”. We believe that these samples are “false flags,” because they do not resemble any of the samples that we were able to definitively relate to the EyePyramid case. Although we cannot say with 100% certainty that there is no relationship between these “false flags” and the original EyePyramid samples, we purposely did not focus on them.

Targeted Email Accounts

Evidence from some of the samples suggests that the attackers targeted email accounts from various domains. Both account credentials and messages from these accounts were stolen, with email accounts from the following domains being targeted:

The domains being targeted

@alice.it
@aol.com
@att.net
@badoo.com
@bellsouth.net
@bluewin.ch
@btinternet.com
@comcast.net
@cox.net
@cyh.com.tr
@earthlink.net
@eim.ae
@email.com
@email.it
@emirates.net.ae
@excite.it
@facebook.com
@facebookmail.com
@fastweb.it
@fastwebmail.it
@fastwebnet.it
@free.fr
@gmail.com
@gmail.it
@gmx.de
@gmx.net
@googlegroups.com
@googlemail.com
@groupama.it
@groups.facebook.com
@gvt.net.br
@hanmail.net
@hinet.net
@hotmail.co.uk
@hotmail.com
@hotmail.fr
@hotmail.it
@infinito.it
@interbusiness.it
@interfree.it
@inwind.it
@iol.it
@jazztel.es
@jumpy.it
@katamail.com
@laposte.net
@legalmail.it
@libero.it
@live.com
@live.it
@lycos.com
@lycos.it
@mac.com
@mail.bakeca.it
@mail.com
@mail.ru
@mail.vodafone.it
@mail.wind.it
@mclink.it
@me.com
@msn.com
@mtnl.net.in
@nate.com
@netscape.net
@netzero.com
@orange.fr
@otenet.gr
@poczta.onet.pl
@poste.it
@proxad.net
@rediffmail.com
@rocketmail.com
@runbox.com
@saudi.net.sa
@sbcglobal.net
@skynet.be
@supereva.it
@sympatico.ca
@t-online.de
@tele2.it
@verizon.net
@virgilio.it
@vodafone.com
@vodafone.it
@vsnl.net.in
@wanadoo.fr
@web.de
@yahoo.ca
@yahoo.co.in
@yahoo.co.jp
@yahoo.co.uk
@yahoo.com
@yahoo.com.ar
@yahoo.com.br
@yahoo.com.mx
@yahoo.de
@yahoo.es
@yahoo.fr
@yahoo.it
@yahoogroups.com
@ymail.com

Attack scheme

The attack scheme features a remarkable pre-attack phase designed to create a foundation of trust for an effective spear-phishing campaign against high-profile targets. The attacker starts with a list of email accounts, obtained either from an out-of-band compromise or from an earlier campaign using the same malware. These accounts belong to organizations or persons that are presumably trusted by the final, high-profile victim(s).

Using these email accounts as senders, together with attachment names crafted to camouflage the real extension of the malware sample (*.exe), the attacker managed to infect the computers used (directly or indirectly) by the high-profile victims.

When the malware is executed on a machine, it auto-updates itself, steals information related to email accounts matching the list above, and sends the harvested data to dropzone email addresses and/or C&C servers over HTTP/HTTPS. The stolen accounts are then added to the attacker’s list of compromised accounts, from which the malware can be spread to further victims.

Figure. EyePyramid attack scheme
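
The post says only that attachment names were crafted to hide the .exe extension. The following is an added example, not code from the original post or from the operators’ tooling, of the check a mail gateway would run against such attachments; the specific tricks it looks for (double extension, right-to-left override, whitespace padding, and a PE image behind a document extension) are assumed common cases, not what the court order describes, and the attachments it scans are constructed in the script.

```python
"""Flag mail attachments whose name hides an executable.

Added example; not code from the original post and not the operators'
tooling. The tricks checked here (double extension, right-to-left override,
whitespace padding, content that contradicts the extension) are assumed
common cases rather than what the court order describes.
"""
import re
from typing import List

# Extensions Windows will execute directly; assumed list, extend to taste.
EXEC_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "msi", "lnk"}
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE: makes "photo\u202egnp.exe" render as "photoexe.png"


def claimed_extension(name: str) -> str:
    """Extension the user is meant to see: the text after the last dot."""
    base = name.strip()
    return base.rsplit(".", 1)[1].strip().lower() if "." in base else ""


def name_findings(name: str) -> List[str]:
    """Reasons the file name alone looks like a disguised executable."""
    findings = []
    ext = claimed_extension(name)
    parts = name.lower().split(".")
    if ext in EXEC_EXTS:
        findings.append("executable extension")
        if len(parts) > 2:  # invoice.pdf.exe: a decoy document extension in front
            findings.append("double extension")
    if RLO in name:
        findings.append("right-to-left override in name")
    if re.search(r"\s{5,}", name):  # "report.pdf          .exe" pushes the real extension out of view
        findings.append("whitespace padding")
    return findings


def content_findings(name: str, data: bytes) -> List[str]:
    """A PE image ("MZ" header) behind a non-executable extension."""
    if data[:2] == b"MZ" and claimed_extension(name) not in EXEC_EXTS:
        return ["PE image with non-executable extension"]
    return []


def is_suspicious(name: str, data: bytes) -> bool:
    return bool(name_findings(name) or content_findings(name, data))


# Constructed attachments for a stand-alone run; the bytes are not real samples.
SAMPLES = {
    "fattura.pdf.exe": b"MZ\x90\x00\x03\x00",
    "report.pdf": b"MZ\x90\x00\x03\x00",
    "photo\u202egnp.exe": b"MZ\x90\x00",
    "agenda.pdf": b"%PDF-1.4\n",
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(repr(fname), name_findings(fname) + content_findings(fname, blob))
```

The content check is the one that survives renaming: whatever the name claims, a blob that starts with the MZ header is a Windows executable, so it is worth running even when the name checks are clean.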

Timeline and prevalence

Using the compile time stamp, we obtained the following timeline, which is in line with other analyses that followed our initial report. EyePyramid’s known samples peaked in 2014, with more than three times the number of samples of any other year.

Figure 1. Distribution of EyePyramid sample compilation date, by year
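
The timeline above comes from the compile timestamp stored in each sample’s PE header. As an added example, not code from the original post, the script below reads that field (the COFF TimeDateStamp) and buckets samples by year; it parses only the DOS and COFF headers and builds a minimal PE-shaped buffer in memory so it runs offline (on real files, pass the file contents to year_histogram()). Two caveats a practitioner should keep in mind: the stamp is attacker-controllable, and in newer Roslyn builds with /deterministic it is a content hash rather than a date, so the result is evidence rather than proof.

```python
"""Bucket PE samples by compile year from the COFF TimeDateStamp.

Added example, not code from the original post. Parses only the DOS and
COFF headers; fake_pe() builds a constructed buffer so the script runs
offline without any real sample.
"""
import struct
from collections import Counter
from datetime import datetime, timezone
from typing import Iterable, Optional


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since 1970-01-01 UTC)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header follows the 4-byte signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def compile_year(data: bytes) -> Optional[int]:
    """Year of the stamp, or None for the 0 / 0xFFFFFFFF placeholders."""
    ts = pe_timestamp(data)
    if ts in (0, 0xFFFFFFFF):
        return None
    return datetime.fromtimestamp(ts, tz=timezone.utc).year


def year_histogram(samples: Iterable[bytes]) -> Counter:
    """Count samples per compile year, skipping unusable stamps."""
    hist = Counter()
    for data in samples:
        year = compile_year(data)
        if year is not None:
            hist[year] += 1
    return hist


def fake_pe(timestamp: int) -> bytes:
    """Constructed stand-in for a sample: DOS header + PE signature + COFF header only."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 3, timestamp, 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # Constructed corpus: two 2014 builds, one 2015 build, one zeroed stamp.
    corpus = [fake_pe(1402790400), fake_pe(1402790400), fake_pe(1420070400), fake_pe(0)]
    for year, count in sorted(year_histogram(corpus).items()):
        print(year, count)
```

For .NET samples of this era the stamp written by csc was the real build time, which is what makes the per-year view meaningful; cross-check it against the compiler version string found in the binary whenever the two disagree.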

While EyePyramid was based in Italy, not all of its victims were located in that country, as seen from the graph below:

Top 10 countries    % of victims
Italy               14.77
United States        9.79
Japan                9.61
United Kingdom       5.87
Taiwan               4.45
Germany              4.27
France               3.20
India                2.14
Brazil               1.78
Austria              1.60
Others              42.52

Figure 2 and Table 1. Distribution of EyePyramid victims

EyePyramid Malware Evolution

After analysis, we were able to group the EyePyramid samples based on various features, including:

  • year of executable file creation (compile time stamp)
  • original/internal file name
  • obfuscator and packer used; there were two combinations of obfuscators used:
    • Skater .NET + Dotfuscator, two popular obfuscators (most of the samples are post-processed in this way)
    • ConfuserEx, a recent and powerful obfuscator (only the most recent ones)
  • presence of relevant strings, either in the original binary, or after de-obfuscation, de-compilation and string-decryption:
    • gmail.it – this string appears next to “gmail.com” and “googlemail.com”, which are known domains for Google email accounts. It is possible this was a mistake by the author, who wanted to target Italian Gmail users. Alternatively, the attacker could be targeting the customers of the Gmail.it free email service. (Note that Gmail.it is not connected with the Google-owned service and shares nothing with it except the name.) Without the ability to ask the threat actors, no strong conclusions should be drawn from this finding.
    • Paths indicating a link to the case. We found the string “\Work\EyePyramid\” in one sample dated December 13, 2014; the original file name is mfkr.exe. This is one of the strings that contributed to this case’s name. The presence of such a string is a strong indication that the malware is related to EyePyramid. However, not all samples tied to EyePyramid include this string.
    • Use of Desaware’s SpyWorks component, which can be used to implement key-capturing functionalities, or to create system-level hooks.

Figure 3. Code for key capturing features

  • paths or library names indicating code reuse of specific components, namely:
    • :\Projects\VS2005\ChromePass\Release\ChromePass.pdb
    • :\Projects\VS2005\MyLastSearch\release\MyLastSearch.pdb
    • :\Projects\VS2005\NK2View\Release\NK2View.pdb
    • :\Projects\VS2005\ProduKey\Release\ProduKey.pdb
    • :\Projects\VS2005\RecentFilesView\Release\RecentFilesView.pdb
    • :\Projects\VS2005\USBDeview\Release\USBDeview.pdb
    • :\Projects\VS2005\WirelessKeyView\Release\WirelessKeyView.pdb
    • :\Projects\VS2005\mspass\Release\mspass.pdb
    • :\Projects\VS2005\netpass\Release\netpass.pdb
    • :\projects\VS2005\iepv\Release\iepv.pdb
    • :\projects\vs2005\shortcutsman\release\shman.pdb

These strings indicate that the malware incorporated third-party components with specific features: all of them are the build paths of NirSoft utilities. For example, “iepv\Release\iepv.pdb” is IE PassView, a small utility (and library) that reveals passwords stored by Internet Explorer. ChromePass, mspass (Mail PassView), netpass (Network Password Recovery) and WirelessKeyView recover credentials stored by Chrome, mail clients, Windows network logons and Wi-Fi profiles, while ProduKey, RecentFilesView, USBDeview and NK2View collect product keys, recently opened files, USB device history and Outlook auto-complete addresses. The presence of these components shows that harvesting stored credentials and system information, not only browser data, is among the malware’s purposes.

The recurrent path prefix “:\projects\vs2005” also tells us something about the malware author’s modus operandi: it is the build path of the bundled NirSoft tools, not of the author’s own machine, so the author embedded these utilities as-is rather than reimplementing their functionality. We found all of these strings in both a 2014 and a 2015 variant, which share the file name vmgr.exe. This suggests that the same author is behind both samples. However, they were not compiled with the same toolchain: the 2014 variant was built with .NET 4.5.5416.41981, whereas the 2015 variant was built with .NET 4.5.5604.16127.

Based on the above features, we generated a summary of the malware samples, which can be found in the appendix below. We can conclude that over time, the threat actors behind this crime modified and updated the malware’s capabilities (e.g., not all variants are able to exfiltrate Skype conversations), C&C and dropzones, compiler version, and protection mechanisms.

Figure 4. Appendix with complete table (2010 – 2016)

Link back to 2011 Bisignani spy case

In 2012, a high-profile Italian businessman and former journalist named Luigi Bisignani was prosecuted as part of the “P4” case (short for Propaganda 4, a name alluding to the P2 masonic lodge): an alleged secret network that was supposedly influencing political decisions.

The malware used in those attacks used several Gmail addresses as dropzones. Investigators at CNAIPIC (an Italian cybercrime body) found that these same addresses were used by recent EyePyramid variants as well. Independently, we found that older (2012) variants of EyePyramid were doing the same thing.

Another interesting link that we found is the use of the mail.hostpenta.com mail server, which resembles the one used by the recent versions of EyePyramid. Curiously, only the 2010 version, and not the 2012 version, used mail.hostpenta.com. Both the 2010 and 2012 versions share the infamous MN600-D8102F401003102110C5114F1F18-0E8C MailBee license key, which was either purchased by Giulio Occhionero or purchased using his name.

Main Features of EyePyramid Malware

EyePyramid’s most important features are listed below. This list is not meant to be exhaustive, but it covers the most relevant ones.

Persistence

When first executed, the malware drops a copy of itself onto the hard drive (usually in the root folder C:\) under a name chosen from a hard-coded list, made up of:

Figure 5. Possible “random” file names

To maintain persistence, the malware uses the classic mechanism of adding or modifying entries under the CurrentVersion\Run and CurrentVersion\RunOnce registry keys.

Figure 6. Autostart registry entries

Setting the value of such an entry to the path of the malware executable ensures that it is launched at every user logon. (A RunOnce entry is deleted by Windows after it has run, so it only provides lasting persistence if the malware re-creates it.)
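
A first triage of the Run/RunOnce keys for the pattern described above (a copy of the malware sitting directly in a drive root and launched at logon) can be done with the script below. It is an added example, not code from the original post: the registry enumeration needs Windows (winreg) and returns nothing elsewhere, the classification is a pure function so it can be exercised on the constructed entries embedded in the script, and since the drop-file names from Figure 5 are not reproduced here the check keys on location rather than on name.

```python
"""Triage Run/RunOnce entries for an executable dropped directly in a drive root.

Added example, not code from the original post. read_autoruns() only works on
Windows; root_drop_entries() is pure and runs on the constructed SAMPLE_ENTRIES.
"""
import re
from typing import Iterable, List, Tuple

Entry = Tuple[str, str, str]  # (registry key, value name, command line)

RUN_KEYS = [
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"),
]

# First token of a command line: a quoted path or a run of non-blank characters.
_FIRST_TOKEN = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')
# An executable sitting directly in a drive root, e.g. C:\abc.exe, with no subdirectory.
_ROOT_EXE = re.compile(r"^[A-Za-z]:\\[^\\]+\.(?:exe|scr|com)$", re.IGNORECASE)


def command_target(command: str) -> str:
    """Path of the program a Run-key command line launches ('' if unparsable)."""
    m = _FIRST_TOKEN.match(command)
    if not m:
        return ""
    return (m.group(1) or m.group(2)).strip()


def root_drop_entries(entries: Iterable[Entry]) -> List[Entry]:
    """Entries whose target is an executable in a drive root, as (key, name, target)."""
    hits = []
    for key, name, command in entries:
        target = command_target(command)
        if _ROOT_EXE.match(target):
            hits.append((key, name, target))
    return hits


def read_autoruns() -> List[Entry]:
    """Enumerate the four autostart keys on Windows; empty list elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    found: List[Entry] = []
    for hive, path in RUN_KEYS:
        try:
            key = winreg.OpenKey(hives[hive], path)
        except OSError:
            continue  # key absent or not readable
        with key:
            index = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values under this key
                found.append((hive + "\\" + path, name, str(value)))
                index += 1
    return found


# Constructed entries standing in for a registry dump; the names are made up.
SAMPLE_ENTRIES: List[Entry] = [
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "svc", r"C:\svc.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce", "upd", r'"C:\upd.exe" -s'),
]

if __name__ == "__main__":
    entries = read_autoruns() or SAMPLE_ENTRIES
    for key, name, target in root_drop_entries(entries):
        print(f"{key}\\{name} -> {target}")
```

On a live host, pair a hit with the drop list from Figure 5 and with the file’s hash; an executable in a drive root is unusual enough to review but not, on its own, proof of infection.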

Code reuse: not all variants use the same combinations of libraries

An interesting characteristic of the EyePyramid malware is the use of publicly known third-party components or open-source libraries, which provide clues to the technical skills of the author.

The following libraries were found:

  • MouseKeyboardActivityMonitor, a library for globally monitoring keystrokes and mouse activity. The malware used this component to steal keystrokes.
  • IE PassView (the iepv component listed above), as well as other password-recovery components (e.g., ChromePass for Google Chrome), which EyePyramid uses to steal browser-stored credentials.
  • Desaware’s SpyWorks, a component used to capture keystrokes and to install system hooks that can programmatically “detour” a program’s execution flow at runtime. The presence of Desaware components was determined by finding the following string in the code:
    • d:\srcnet\Desaware.SpyWorksDotNet\Release820\Desaware.shcomponent20.pdb
  • MailBee, a component used to handle emails. This was the component that was used to attribute the attack to Giulio Occhionero. The embedded license key had been purchased under his name.
  • SevenZip, a common library for creating 7z archives, which the malware uses to compress the stolen files before encrypting them and sending them to the drop zones.

File harvesting

As we noted in our initial analysis, EyePyramid’s main feature is to harvest and steal files. Files with the following extensions are targeted:

Figure 7. File extensions targeted for theft

Among the other harvested data, EyePyramid looks for *.pst files, which are used by various applications including the Microsoft Exchange Client, Windows Messaging, and Microsoft Outlook to store copies of messages, calendar events and other similar information.

Figure 8. Code targeting PST files

Skype data

EyePyramid also harvests Skype data, including conversation history; as noted above, not all variants include this capability.

Figure 9. Code targeting Skype

Disabling of security software

EyePyramid targets various security tools: it tries to disable real-time protection and to prevent AV-related processes from being launched, as can be seen from the following list:

Figures 10-12. Code targeting security software

Obfuscation and protection

The malware binary is protected by one of two tool combinations: Skater .NET + Dotfuscator, or ConfuserEx. As a result, the final executable is only mildly protected against naïve debugging and in-VM dynamic analysis; the protection is far from advanced.

In addition, custom string encryption/obfuscation is used so that strings are not directly readable in the decompiled source. In particular, most of the samples using Skater + Dotfuscator encrypt the strings with 3DES after serializing them to byte arrays. We reverse-engineered the encryption routine and recovered the encrypted strings.

Anecdotes and Other Curious Findings

Cross-site Scripting Testing on HTML Emails?

Although used for debugging only, we found that the malware author was playing around with email-based cross-site scripting, as can be seen from the following code snippet (from 21b6f2584485b8bbfffdefd45c1c72dc2133290fd8cefb235eb39cf015550316):

Figure 13. Code testing Cross-site Scripting

Provenance of email accounts 

During our analysis, we received emails from various analysts asking for clarification. One reader noted that the email address used by the EyePyramid operators to send spear-phishing messages was also used to register accounts on various dating sites, based on information from Leaked Source (a database of breaches from various sites).

Searching on Leaked Source for the domains appearing in the court order (the ones allegedly involved in the data-exfiltration activities) revealed a similar situation. Email addresses on these domains had been used to register on various sites, including dating and social media sites, and appeared in several data breaches. As a result, these credentials, unless changed by the legitimate owners, are to be considered essentially public.

Icons

Although not a detection criterion, the samples that we processed had 81 distinct icon types, some of which are shown below:

Figure 14. Icons used by EyePyramid samples

Analysis Methodology

Figure 15. Analysis process

We followed a fairly common practice for our analysis. As mentioned in our first blog post, it all started from the court order that appeared on the AGI site. From that, we extracted some patterns, which we used to perform what is commonly referred to as “retro-hunting”: we wrote a YARA rule, plus some custom post-processing scripts, to statically match an initial set of patterns against previously collected samples. This led us to a set of samples, among which was “d3ad32bcb255e56cd2a768b3cbf6bafda88233288fc6650d0dfa3810be75f74c”. Other analysts found that this sample was related to EyePyramid as well.

We then manually deobfuscated and decompiled the binary code, obtaining a non-compiling source code tree, which allowed us to find more details about the malware’s behavior. Some of these behaviors were also confirmed after running the initial samples in a sandboxed environment (among which we used our Deep Discovery Analyzer).

The newly extracted details allowed us to refine our retro-hunting process, revealing more samples, some of which are currently being manually analyzed. Among the various patterns that we used (e.g., included library names, domain names, email addresses), we note that the executable’s original file name gives good recall. This is unusual, and possibly says something about the attacker’s skills: a careful attacker would at least take care to randomize such names consistently in the PE header. With some automation, we run this iterative process every day and cross-check our findings against the reports sent by our customers.
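
The static pattern matching behind the retro-hunting step, and the string indicators listed in the malware-evolution and code-reuse sections above, can be exercised with the script below. It is an added example, not the post’s own YARA rule or post-processing scripts. The indicator strings are the ones quoted in the post (the NirSoft build-path prefix, the Desaware SpyWorks PDB path, the \Work\EyePyramid\ path and the MailBee license key); the sample buffer is constructed so the scan runs offline. The one detail worth knowing is encoding: PDB paths sit in the CodeView debug record as ASCII, while .NET user strings live in the #US metadata heap as UTF-16LE, so an ASCII-only search misses half of the indicators. The OriginalFilename match that the post found most useful requires a VERSIONINFO parser and is out of scope here.

```python
"""Static indicator scan of the kind used for retro-hunting.

Added example, not the post's YARA rule or scripts. Indicator strings are
quoted from the post; constructed_sample() is not a real binary.
"""
from typing import Dict, List, Tuple

INDICATORS = {
    "eyepyramid_work_path": "\\Work\\EyePyramid\\",
    "nirsoft_build_path": ":\\Projects\\VS2005\\",
    "desaware_spyworks_pdb": "d:\\srcnet\\Desaware.SpyWorksDotNet\\Release820\\Desaware.shcomponent20.pdb",
    "mailbee_license_key": "MN600-D8102F401003102110C5114F1F18-0E8C",
}
ENCODINGS = ("ascii", "utf-16-le")  # CodeView paths are ASCII, .NET #US strings are UTF-16LE


def find_indicators(data: bytes) -> Dict[str, List[Tuple[str, int]]]:
    """Map indicator name -> [(encoding, offset), ...] for every occurrence."""
    # bytes.lower() touches only ASCII letters, so UTF-16LE text (letter, 0x00)
    # is lowercased in place as well; the path casing varies between samples.
    hay = data.lower()
    hits: Dict[str, List[Tuple[str, int]]] = {}
    for name, text in INDICATORS.items():
        for enc in ENCODINGS:
            needle = text.lower().encode(enc)
            start = 0
            while True:
                pos = hay.find(needle, start)
                if pos < 0:
                    break
                hits.setdefault(name, []).append((enc, pos))
                start = pos + 1
    return hits


def verdict(hits: Dict[str, List[Tuple[str, int]]]) -> str:
    """Triage label: the work path or the license key ties a sample to the case;
    the NirSoft prefix or the Desaware path alone only says "bundles known tools"."""
    strong = {"eyepyramid_work_path", "mailbee_license_key"}
    if strong & set(hits):
        return "eyepyramid-related"
    if hits:
        return "review"
    return "no match"


def constructed_sample() -> bytes:
    """Not a real binary: an ASCII CodeView-style path, a UTF-16LE user string
    and the UTF-16LE license key, separated by zero filler."""
    filler = b"\x00" * 16
    return (filler
            + b"c:\\projects\\vs2005\\iepv\\release\\iepv.pdb\x00" + filler
            + "\\Work\\EyePyramid\\".encode("utf-16-le") + filler
            + INDICATORS["mailbee_license_key"].encode("utf-16-le") + filler)


if __name__ == "__main__":
    found = find_indicators(constructed_sample())
    for name, where in found.items():
        print(name, where)
    print(verdict(found))
```

Run it over a directory of candidates and the offsets tell you which encoding each hit came from, which in turn tells you whether the string sits in the debug record (the bundled tool) or in the .NET string heap (the author’s own code).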

Conclusions

From a purely technical viewpoint, the origins of EyePyramid’s malware and its attribution remain unclear. While the license key registered to Giulio Occhionero’s name can be considered as strong evidence, it is unclear why a malware author would bother using (simple yet not so trivial) mechanisms to cover their traces (e.g., obfuscation, packing, encryption, disabling security tools), and then mistakenly embed the license key under his name in all of the main variants. Moreover, an analysis of the domain-to-IP historical data of the domain names listed in the court order reveals domains named “occhionero.com” and “occhionero.info,” which is again another oddity.

From a technical viewpoint, it is certain that the original source code has gone through mild modifications. On the other hand, the computer(s) used to build the various versions over the years seem to be in line with the evolution of Microsoft developer tools (based on the progression of the compiler version) and software-protection tools (as seen on the recent substitution of Skater + Dotfuscator with the more powerful ConfuserEx).

Here is the appendix containing further details about the samples we analyzed.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Story added 18 January 2017; the full text is available at the content source linked above.