“Uncovering the Inner Workings of EyePyramid”, from TrendMicro (…and a small gift for Italian readers)

I have already written something about EyePyramid, mainly reporting analyses conducted by researchers much more prepared than me. :-)

But now I need to talk about this topic again, because TrendMicro has published a fresh, extremely accurate analysis of EyePyramid (made by Federico Maggi, as was the previous report on GitHub).

So, I believe I should share it!


  • Targeted Email Accounts
  • Attack scheme
  • Timeline and prevalence
  • EyePyramid Malware Evolution
  • Link back to 2011 Bisignani spy case
  • Main Features of EyePyramid Malware
  • Anecdotes and Other Curious Findings
  • Analysis Methodology
  • Conclusions


When the malware files are executed on each machine it auto-updates itself, steals information related to email accounts matching the list above, and sends the harvested information to dropzone email addresses and/or C&C servers via HTTP/HTTPS. This also adds these email accounts to the attacker’s list of compromised accounts, which could be used to spread malware to other victims.

While EyePyramid was based in Italy, not all of its victims were located in that country.

In 2012, a high-profile Italian businessman and ex-journalist named Luigi Bisignani was prosecuted as part of the “P4 secret society,” (short for Propaganda 4). The P4 was the fourth of the masonic lodges in Italy, which was supposedly influencing political decisions.

The malware used in those attacks used several Gmail addresses as dropzones. Investigators at CNAIPIC (an Italian cybercrime body) found that these same addresses were used by recent EyePyramid variants as well. Independently, we found that older (2012) variants of EyePyramid were doing the same thing.

Analysis Methodology

From a purely technical viewpoint, the origins of EyePyramid’s malware and its attribution remain unclear.

From a technical viewpoint, it is certain that the original source code has gone through mild modifications. On the other hand, the computer(s) used to build the various versions over the years seem to be in line with the evolution of Microsoft developer tools (based on the progression of the compiler version) and software-protection tools (as seen on the recent substitution of Skater + Dotfuscator with the more powerful ConfuserEx).
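An added example, not taken from the TrendMicro report or from this post: one way to check the "progression of the compiler version" observation is to read the COFF timestamp and linker version from each sample's PE header and flag places where the toolchain goes backwards over time. The header bytes, file names and the use of the linker version as the toolchain signal are assumptions made for illustration; both fields can be forged by whoever builds the binary.

```python
import struct
from datetime import datetime, timezone

def pe_build_info(data):
    """Return the COFF timestamp and linker version from a PE image's headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
    if pe_off + 28 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the 4-byte signature: Machine, NumberOfSections, TimeDateStamp
    _machine, _nsect, stamp = struct.unpack_from("<HHI", data, pe_off + 4)
    # Optional header follows the 20-byte COFF header: Magic, Major/MinorLinkerVersion
    magic, major, minor = struct.unpack_from("<HBB", data, pe_off + 24)
    if magic not in (0x10B, 0x20B):                            # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    return {"built": datetime.fromtimestamp(stamp, tz=timezone.utc),
            "linker": (major, minor)}

def toolchain_regressions(samples):
    """Order samples by build time; return pairs where the linker version decreases."""
    info = sorted(((pe_build_info(raw), name) for name, raw in samples.items()),
                  key=lambda item: item[0]["built"])
    return [(prev_name, cur_name)
            for (prev, prev_name), (cur, cur_name) in zip(info, info[1:])
            if cur["linker"] < prev["linker"]]

def fake_pe(stamp, major, minor):
    """Constructed minimal header for the demo (assumption, not a real sample)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, stamp, 0, 0, 0xE0, 0x0102)
    return dos + b"PE\0\0" + coff + struct.pack("<HBB", 0x10B, major, minor)

SAMPLES = {  # constructed headers with made-up names and versions
    "a.exe": fake_pe(1293840000, 8, 0),    # stamped 2011-01-01
    "b.exe": fake_pe(1388534400, 11, 0),   # stamped 2014-01-01
    "c.exe": fake_pe(1451606400, 8, 0),    # stamped 2016-01-01, older linker
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, pe_build_info(raw))
    print("regressions:", toolchain_regressions(SAMPLES))
```

A regression does not prove anything by itself: it can mean a second build machine, a forged timestamp, or a protector that rewrote the header.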

Below is an appendix containing further details about the samples we analyzed:


The analysis


A little bonus

For Italian readers, I suggest this great video made by Matteo Flora: