The “EyePyramid” attacks A homebrew cyberespionage operation that took Italy by storm

On January 10, 2017, a court order was declassified by the Italian police, in regards to a chain of cyberattacks directed at top Italian government members and institutions.

The attacks leveraged a malware named “EyePyramid” to target a dozen politicians, bankers, prominent freemasons and law enforcement personalities in Italy. These included Fabrizio Saccomanni, the former deputy governor of the Bank of Italy, Piero Fassino, the former mayor of Turin, several members of a Masonic lodge, Matteo Renzi, former prime minister of Italy and Mario Draghi, president of the European Central Bank.

The malware was spread using spear-phishing emails and the level of sophistication is low. However, the malware is flexible enough to grant access to all the resources in the victim’s computer.

During the investigation, involved LEAs found more than 100 active victims in the server used to host the malware, as well as indications that during the last few years the attackers had targeted around 16,000 victims. All identified victims are in Italy, most of them being Law Firms, Consultancy services, Universities and even Vatican Cardinals.

Evidence found on the C&C servers suggests that the campaign was active since at least March 2014 and lasted until August 2016. However, it is suspected that the malware was developed and probably used years before, possibly as far back to 2008.

Two suspects were arrested on January 10th, 2017 and identified as 45-year-old nuclear engineer Giulio Occhionero and his 47-year-old sister Francesca Maria Occhionero.

Investigation

Although the Italian Police Report doesn’t include malware hashes, it identified a number of C&C servers and e-mails addresses used by the malware for exfiltration of stolen data.

Excerpt from the Italian court order on #EyePyramid

(http://www.agi.it/pictures/pdf/agi/agi/2017/01/10/132733992-5cec4d88-49a1-4a00-8a01-dde65baa5a68.pdf)

Some of the e-mail addresses used for exfiltration and C&C domains outlined by the police report follow:

E-mail Addresses used for exfiltration gpool@hostpenta[.]com hanger@hostpenta[.]com hostpenta@hostpenta[.]com purge626@gmail[.]com tip848@gmail[.]com dude626@gmail[.]com octo424@gmail[.]com tim11235@gmail[.]com plars575@gmail[.]com

Command-and-Control Servers eyepyramid[.]com hostpenta[.]com ayexisfitness[.]com enasrl[.]com eurecoove[.]com marashen[.]com millertaylor[.]com occhionero[.]com occhionero[.]info wallserv[.]com westlands[.]com

Based on these indicators we’ve quickly written a YARA rule and ran it through our systems, in order to see if it matches any samples.

Here’s how our initial “blind”-written YARA rule looked like:

rule crime_ZZ_EyePyramid { meta: copyright = ” Kaspersky Lab”

author = ” Kaspersky Lab”

maltype = “crimeware”

filetype = “Win32 EXE”

date = “2016-01-11”

version = “1.0” strings: $a0=”eyepyramid.com” ascii wide nocase fullword

$a1=”hostpenta.com” ascii wide nocase fullword

$a2=”ayexisfitness.com” ascii wide nocase fullword

$a3=”enasrl.com” ascii wide nocase fullword

$a4=”eurecoove.com” ascii wide nocase fullword

$a5=”marashen.com” ascii wide nocase fullword

$a6=”millertaylor.com” ascii wide nocase fullword

$a7=”occhionero.com” ascii wide nocase fullword

$a8=”occhionero.info” ascii wide nocase fullword

$a9=”wallserv.com” ascii wide nocase fullword

$a10=”westlands.com” ascii wide nocase fullword

$a11=”217.115.113.181″ ascii wide nocase fullword

$a12=”216.176.180.188″ ascii wide nocase fullword

$a13=”65.98.88.29″ ascii wide nocase fullword

$a14=”199.15.251.75″ ascii wide nocase fullword

$a15=”216.176.180.181″ ascii wide nocase fullword

$a16=”MN600-849590C695DFD9BF69481597241E-668C” ascii wide nocase fullword

$a17=”MN600-841597241E8D9BF6949590C695DF-774D” ascii wide nocase fullword

$a18=”MN600-3E3A3C593AD5BAF50F55A4ED60F0-385D” ascii wide nocase fullword

$a19=”MN600-AD58AF50F55A60E043E3A3C593ED-874A” ascii wide nocase fullword

$a20=”gpool@hostpenta.com” ascii wide nocase fullword

$a21=”hanger@hostpenta.com” ascii wide nocase fullword

$a22=”hostpenta@hostpenta.com” ascii wide nocase fullword

$a23=”ulpi715@gmx.com” ascii wide nocase fullword

$b0=”purge626@gmail.com” ascii wide fullword

$b1=”tip848@gmail.com” ascii wide fullword

$b2=”dude626@gmail.com” ascii wide fullword

$b3=”octo424@gmail.com” ascii wide fullword

$b4=”antoniaf@poste.it” ascii wide fullword

$b5=”mmarcucci@virgilio.it” ascii wide fullword

$b6=”i.julia@blu.it” ascii wide fullword

$b7=”g.simeoni@inwind.it” ascii wide fullword

$b8=”g.latagliata@live.com” ascii wide fullword

$b9=”rita.p@blu.it” ascii wide fullword

$b10=”b.gaetani@live.com” ascii wide fullword

$b11=”gpierpaolo@tin.it” ascii wide fullword

$b12=”e.barbara@poste.it” ascii wide fullword

$b13=”stoccod@libero.it” ascii wide fullword

$b14=”g.capezzone@virgilio.it” ascii wide fullword

$b15=”baldarim@blu.it” ascii wide fullword

$b16=”elsajuliette@blu.it” ascii wide fullword

$b17=”dipriamoj@alice.it” ascii wide fullword

$b18=”izabelle.d@blu.it” ascii wide fullword

$b19=”lu_1974@hotmail.com” ascii wide fullword

$b20=”tim11235@gmail.com” ascii wide fullword

$b21=”plars575@gmail.com” ascii wide fullword

$b22=”guess515@fastmail.fm” ascii wide fullword condition: ((uint16(0) == 0x5A4D)) and (filesize < 10MB) and

((any of ($a*)) or (any of ($b*)) )

}

To build the YARA rule above we’ve used every bit of existing information, such as custom e-mail addresses used for exfiltration, C&C servers, licenses for the custom mailing library used by the attackers and specific IP addresses used in the attacks.

Once the YARA rule was ready, we’ve ran it on our malware collections. Two of the initial hits were:

MD5 778d103face6ad7186596fb0ba2399f2 File size 1396224 bytes Type Win32 PE file Compilation Timestamp Fri Nov 19 12:25:00 2010

MD5 47bea4236184c21e89bd1c1af3e52c86 File size 1307648 bytes Type Win32 PE file Compilation timestamp Fri Sep 17 11:48:59 2010

These two samples allowed us to write a more specific and more effective YARA rule which identified 42 other samples in our summary collections.

At the end of this blogpost we include a full list of all related samples identified.

Although very thorough, the Police Report does not include any technical details about how the malware was spread other than the use of spear phishing messages with malicious attachments using spoofed email addresses.

Nevertheless, once we were able to identify the samples shown above we used our telemetry to find additional ones used by the attackers for spreading the malware in spear-phishing emails. For example:

From: Di Marco Gianmaria

Subject: ricezione e attivazione

Time:2014/01/29 13:57:42

Attachment: contatto.zip//Primarie.accdb (…) .exe

From: Michelangelo Giorgianni

Subject: R: Re: CONVOCAZIONE]

Time: 2014/01/28 17:28:56]

Attachment: Note.zip//sistemi.pdf (…) .exe

Other attachment filenames observed in attacks include:

Nuoveassunzioni.7z

Assunzione.7z

Segnalazioni.doc (…) 7z.exe

Regione.7z

Energy.7z

Risparmio.7z

Pagati.7z

Final Eight 2012 Suggerimenti Uso Auricolari.exe

Fwd Re olio di colza aggiornamento prezzo.exe

Approfondimento.7z

Allegato.zip

Eventi.bmp (…) .exe

Quotidiano.mdb (…) _7z.exe

Notifica operazioni in sospeso.exe

As can be seen the spreading relied on spearphishing e-mails with attachments, which relied on social engineering to get the victim to open and execute the attachment. The attachments were ZIP and 7zip archives, which contained the EyePyramid malware.

Also the attackers relied on executable files masking the extension of the file with multiple spaces. This technique is significant in terms of the low sophistication level of this attack.

High profile victims

Potential high-profile Italian victims (found as recipients of spear-phishing emails according to the police report) include very relevant Italian politicians such as Matteo Renzi or Mario Draghi.

It should be noted however there is no proof than any of them got successfully infected by EyePyramid – only that they were targeted.

Of the more than 100 active victims found in the server, there’s a heavy interest in Italian law firms and lawyers. Further standout victims, organizations, and verticals include:

Professional firms, Consultants Universities Vaticano Construction firms Healthcare

Based on the KSN data for the EyePyramid malware, we observed 92 cases in which the malware was blocked, of which the vast majority (80%) of them were in Italy. Other countries where EyePyramid has been detected includes France, Indonesia, Monaco, Mexico, China, Taiwan, Germany and Poland.

Assuming their compilation timestamp are legit – and they do appear correct, most of the samples used in the attacks have been compiled in 2014 and 2015.

Conclusions

Although the “EyePyramid” malware used by the two suspects is neither sophisticated nor very hard to detect, their operation successfully compromised a large number of victims, including high-profile individuals, resulting in the theft of tens of gigabytes of data.

In general, the operation had very poor OPSEC (operational security); the suspects used IP addresses associated with their company in the attacks, discussed the victims using regular phone calls and through WhatsApp and, when caught, attempted to delete all the evidence.

This indicates they weren’t experts in the field but merely amateurs, who nevertheless succeeded in stealing considerably large amounts of data from their victims.

As seen from other known cyberespionage operations, it’s not necessary for the attackers to use high profile malware, rootkits, or zero-days to run long-standing cyberespionage operations.

Perhaps the most surprising element of this story is that Giulio Occhionero and Francesca Maria Occhionero ran this cyber espionage operation for many years before getting caught.

Kaspersky Lab products successfully detect and remove EyePyramid samples with these verdicts:

HEUR:Trojan.Win32.Generic

Trojan.Win32.AntiAV.choz

Trojan.Win32.AntiAV.ciok

Trojan.Win32.AntiAV.cisb

Trojan.Win32.AntiAV.ciyk

not-a-virus:HEUR:PSWTool.Win32.Generic

not-a-virus:PSWTool.Win32.NetPass.aku

A full report #EyePyramid, including technical details of the malware, is available to customers of Kaspersky APT Intelligence Services. Contact: intelreports (at) kaspersky [dot] com.

To learn how to write YARA rules like a GReAT Ninja, consider taking a master class at Security Analyst Summit. – https://sas.kaspersky.com/#trainings

References and Third-Party Articles

Indicators of Compromise

Hashes:

09ff13b020de3629b0547e0312a6c135

102bccd95e5d8a56c4f7e8b902f5fb71

12f3635ab1de63fbcb5e1c492424c605

1391d37c6b809f48be7f09aa0dab7657

1498b8d6e946b5d6b529abea13592381

14db577a9b0bfc62f3a25a9a51765bc5

17af7e00936dcc8af376ad899501ad8b

192d5866cbfafae36d5ba321c817bc14

325f5d379c4d091743ca8581f15d3295

36bd8feed1b17c59f3c653e6427661a4

380b0f1921fed82e1b68b4e442b04f05

3c30f0114c600510fdb2573cc48d5c06

3fed695e2a6e63d971c16fd9e825fec5

47bea4236184c21e89bd1c1af3e52c86

47dd1e017aae694abd2b7bc0b12cf1da

47f1f9b1339147fe2d13772b4cb81030

53b41dc0b8fd9663047f71bc91a317df

5bc1b8c07c0f83d438a3e891dc389954

5eb17f400f38c1b65990a8d60c298d95

6de1e478301d59ac14b8e9636b53815d

75621de46a12234af0bec15620be6763

778d103face6ad7186596fb0ba2399f2

859f60cd5d0f0fbd91bde3c3914cbb18

8afb6488655cbea2737d2423843ea077

9173aefe64b7704510c873e2ce7305e0

92c32eb72f5713ca1f2a8dc918f1f770

932bd2ad79cbca4341d853a4b5ea1da5

94eff87eca2f054aa5fbc1877a6cf919

98825a1ce35f46d004c0839e87cc2778

9b8571b5281f3751750d3099049098e0

9c57839b3f8462bd6c2d36db80cd5ecc

9d3ce3246975ae6d545ee9e8ba12d164

9d4b46d3c389e0144238c821670f8537

a41c5374a14a2c7cbe093ff6b075e8ac

b39a673a5d2ceaa1fb5571769097ca77

b533b082ed1458c482c3663ee12dc3a4

bcfd544df7d8e9a2efe9d2ed32e74cad

c0243741bfece772f02d1657dc057229

c38e9edc0e4b18ff1fc5b61b771f7946

ce76b690dc98844c721e6337cd5e7f4b

cf391937d79ed6650893b1d5fbed0604

d8432ddec880800bfa060af1f8c2e405

eb604e7e27727a410fc226196c13afe9

fafd293065daf126a9ad9562fc0b00b2

Related hashes identified by @GaborSzappanos:

014f69777d2e0c87f2954ad252d52810

02965c8a593989ff7051ec24736da6bd

04b3c63907c20d9be255e167de89a398

04e949f64e962e757f5bb8566c07800b

06e47736256c54d9dd3c3c533c73923e

09ff13b020de3629b0547e0312a6c135

0a80fd5abf270ddd8080f93505854684

0b3c1ff3b3b445f46594227ca2babdcd

0c33c00a5f0f5bde8c426c3ce376eb11

0ded0389cbddeeb673836794269ffb3b

0e19913ce9799a05ba97ac172ec5f0bc

11062b36893c4ba278708ec3da07b1dd

12b4d543ae1b98df15c8712d888c54f0

1334a7df1e59380206841d05d8400778

14cb305de2476365ef02d2226532dd34

1748c33cb5ac6f26d55cd1a58b68df8a

18e24ef2791030693a4588bfcae1dec0

192d5866cbfafae36d5ba321c817bc14

1b4d423350cd1159057dd7dbef479328

1deb28ae7b64fb44358e69e5afd1f600

2222a947ebccc8da16badeacca05df4b

23beed8aaac883a5902039e6fd84ee5f

2485e7ae3e0705898b7787ed0961878d

2642990a46c434e7787a599f04742a32

268698314c854bc483d05ffe459dc540

2866ced99b46b39838f56fbe704d387b

2896ae0489451d32f57c68b919b3fa72

28ba7d1a4c5d64a65f2f2bf5f6ced123

28e65b9577abaabf3f8c94d9fda50fc5

2a809644e6d07dc9fc111804a62b8089

30215197622f5c747fc869992768d9c6

325f5d379c4d091743ca8581f15d3295

33890f9268023cd70c762ad2054078c7

3673c155eb6a0bd8a94bea265ebb8b76

369cd42dfabea188fa57f802a83b55d9

380b0f1921fed82e1b68b4e442b04f05

3a0af8bba61734b043edc0f6c61cd189

3c30f0114c600510fdb2573cc48d5c06

3db711afc09c0a403a8ccff6a8a958df

3e4365b079239b0a2451f48f33761332

3ebbae038d7bf19baa1bcfbc438bb5e7

3fed695e2a6e63d971c16fd9e825fec5

3ffcd0eedd79a9cc79c2c4a0f7e04b21

4025834a88dcfba3ed1774068c64c546

417593eaf61d45e88adbad259d5585d0

422fe9c78c71fb30d376e28ad1c41884

44d91f49f261da6b1f183ea131d12a7f

45dde4082c0407b9904c5f284080337f

47bea4236184c21e89bd1c1af3e52c86

4a494c20bcfb77afd06908eb5a9718cb

53b41dc0b8fd9663047f71bc91a317df

5523aa1d4ee5f19522299be6f1111b89

5627cb8752c4c0774f822ccf8f1363eb

56499e0b590857f73bb54f500008c656

568895c8340a88316fdc0d77a7f2a91d

5847072fd4db9e83d02d8b40a1d67850

5accd89d6483dec54acc7b1484dfbace

5b5f3f65b372f9e24dbc50b21fe31f81

5bc1b8c07c0f83d438a3e891dc389954

622fb530276a639892398410de03d051

63d9e7cca593360411b5d05a555d52f3

6648a255610c5f60f580098bbc1d387c

690cdf20faf470f828fe468a635da34e

6c25a0974a907d368372ac460d8261d6

6c5693df933924e8a633ccfd7ef2635d

6ff7876db06d9102786ae0e425aeaf37

70882709d86e2a7396779f4111cd02e3

70f094e347d4088573c9af34430a3cd6

72ffb3418d3cde6fdef16b5b5db01127

734cfa84d68506fe6e74eb1b038d9c70

7633748203b705109ededadfbe08dcfa

778d103face6ad7186596fb0ba2399f2

77c2a369d0850c7a75487e8eee54b69e

78b7d1caa4185f02b1c5ef493bf79529

7971c90d7533f2c69e33f2461434096a

7aad90ce44e355f95b820fb59c9f5d56

7bf348005958658ba3fcf5ccb3e2ae22

7cddc3b26bb8f98e9b14d9c988f36f8f

81624dc108e2d3dc712f3e6dd138736a

820ca39f331f068cca71e7a7c281e4ac

84c14a1327ae7c0e5a07a67a57451cc4

860f607dbd0d6a2dc69cbc4f3b0eeeaf

889c86aaf22876516964eafa475a2acd88c31f3b589d64a275608f471163989c

89368652dc98b13f644ec2e356c7707c

89696dbead484bf948c1dd86364672eb

898150dea4d7275f996e7341463db21f

8b27bcfa38205754c8e5fdf6a509d60e

8f419bca20b767b03f128a19b82611ab

915cc3c9c8cb8e200dbe04e425e7018b

92c32eb72f5713ca1f2a8dc918f1f770

932bd2ad79cbca4341d853a4b5ea1da5

98825a1ce35f46d004c0839e87cc2778

98b1157b9f3f3ec183bf322615f1ce41

9b19729531bf15afc38dd73bcc0596f8

9c99ecf33301e4cafdd848a7d3d77ef9

9cf08b15724e0eaf69a63e47690cdee2

a16d8cf9a7a52e5c2ad6519766ae6b92

a35312a5c0b06ee89ddadaea9ca6bad2

a4c551ec6d3b5ab08a252231439e099f

a615a4f5e93a63682a8f25b331f62882

a6c29f9680fe5ae10a9250e5431754d4

ab71ca072d4b526e258c21bd84ec0632

ac6fa4005e587ac4b3456a14bd741ff0

afab0fcbf8bc6595f9f2c0051b975a4e

b1ddec2f71727dcf747e1d385272e24d

b2a756f557d273d81a61edc9fbfc9daf

b2e1663647addc92bf253f389ac98027

b39a673a5d2ceaa1fb5571769097ca77

b533b082ed1458c482c3663ee12dc3a4

b6e86ac7d3bbedf18b98437df49c1b60

b70ddb9f6e4e2c85e80cf2079b10e762

b89a8d3442d96161cef07552116407c3

bb2a0aee38980aeb39cac06677936c96

bc333001d3f458ff8fde9d989b53e16d

bd7a2b795419c0b842fd041eaac36d7f

bf850dcb074e0cf2e30fbee6bfaa4cd9

c0d4e5ba26ef3c08dc1a29ac7496f015

c38832f484645b516b57f6813c42d554

c4abb3210f26d4a15a0d4fd41b47ee0e

c547a30fa39f22e2093b51ed254bb1c2

c69c370fcb7b645aaac086b2a3b18286

c7ef4c7b12b5ad8198dafc58c4bea2a3

c97ef1f13bf3d74c78f50fa7abe7766b

ca010bcdfe3c4965df0c6bc12b40db76

ca243796e79c87c55f67a61bc3ee8ddc

ca9a7c6b231fadfae3466da890b434c5

cf391937d79ed6650893b1d5fbed0604

cf3b3c796114f6908a35542d4fd02b0e

d034810ddab55c17dcddd2c2990b3ef3

d1273537add3f2282391726489c65e38

d20487e2d2f674bfd849cb8730225dde

d8432ddec880800bfa060af1f8c2e405

d864ad5030d354c1e40a873a335b2611

dac10dcede69eb9b4ccce8e6798f332c

db95221ebed1793bf5b5527ecb52eb0c

dc64307ef67177449b31c6bb829edbf2

dd734c07b94c8685bb809f83876c7193

e0e862dbf001eb4a169d3340c200b501

e727b444a6a9fa9d40a34a9508b1079f

e7539ed9616b61c12028a663c298f6be

e78ed9fac4f3e9b443abd02bfa9f3db2

e85ff9e3a27899b0d1de8b958af5ad90

eb604e7e27727a410fc226196c13afe9

eba8aa2572cf0d6ccdf99c34cc26b6f3

ec21252421f26072e9fe75586eb6b58a

ee9435593494f17f3efc3a795c45482e

eeca6409dcf0e46d0182d53d230c701d

eff2d3f9f56e9aabcf970c4c09fe7ef8

f0b61a531a72f0cc02d06d2ebfb935ab

f1a037e2edc5ddf4db4e1e7fcd33d5fb

f3802442727c0b614482455d6ad9edc2

f41be516fa8da87a269845c9ea688749

f7d4742d2e746962440bf517b261f126

f96335bf0512c6e65ea374a844ab7ceb

f9b4459f18ca9d2974cf5a58495c5879

fa4266c305aa75a133ebae2a4dcc9b75

fafd293065daf126a9ad9562fc0b00b2

Backdoor Filenames:

pnbwz.exe

pxcfx.exe

qislg.exe

rqklt.exe

runwt.exe

ruzvs.exe

rvhct.exe

vidhdw.exe

winlng.exe

wxrun.exe

xddrv.exe

xdwdrv.exe

Malicious attachments filenames (weak indicators):

contatto.zip//Primarie.accdb (…) .exe

Note.zip//sistemi.pdf (…) .exe

Nuoveassunzioni.7z

Assunzione.7z

Segnalazioni.doc (…) 7z.exe

Regione.7z

Energy.7z

Risparmio.7z

Pagati.7z

Final Eight 2012 Suggerimenti Uso Auricolari.exe

Fwd Re olio di colza aggiornamento prezzo.exe

Approfondimento.7z

Allegato.zip

Eventi.bmp (…) .exe

Quotidiano.mdb (…) _7z.exe