What do we know about EyePyramid?

A useful recap by Federico Maggi


The security researcher Federico Maggi has written a useful recap of all the technical information currently available about EyePyramid, the malware used in the cyber-espionage campaign that targeted several prominent Italian politicians.

What happened?

Sensitive information was exfiltrated from high-value targets on the Italian scene:

  • 18327 usernames
  • 1793 passwords
  • keystrokes stolen via a keylogger

Roughly, 87GB of data overall.

How does it work?

From what we know, the attacker (or the attackers):

  1. Cooked (or, better, modified an existing) malware that seems to hook the MailBee.NET.dll APIs (a .NET library used for building mail software) to intercept the data handled by mail applications. In particular, one of the MailBee license keys used by the malware writer is (? = unknown) MN600-D8102?501003102110C5114F1?18–0E8CI (other keys are reported below).
    1- Compromised (we don’t know how) some email accounts (at least 15, from what we know), in particular accounts belonging to various attorneys and associates.
    2- The attacker (or the malware, it’s not really clear) connects via Tor (for what it’s worth, the only known exit node is 37.49.226.236).
  2. Using a mail server (among the known ones, Aruba’s MX 62.149.158.90), the attacker sends spear-phishing email messages to the victims, with the compromised accounts as the sender, containing a malicious attachment (unverified information: someone believes the attachment is a PDF).
  3. Waits for the victims to open the attachment, which drops the malware executable.
    i- The malware sends the exfiltrated data to various dropzones (i.e., email addresses in use by the attacker).

Earlier versions of the malware have probably been used in 2008, 2010, 2011, and 2014 in various spear-phishing campaigns (against various targets, including Italian ones).
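The recap above leaves a defender with three usable indicators: the Tor exit node, the Aruba MX used for sending, the VirusTotal sample hash, plus a MailBee license key that is only partially known. The script below is an added example (mine, not part of Maggi's recap or of any published EyePyramid tooling) showing how to turn those page-provided values into a small detection pass: the partial key is compiled into a regex where each "?" becomes a one-character wildcard (and hyphen/en dash/em dash are treated as interchangeable, since copy-paste often swaps them), and the IPs and hash are matched against log lines with anchoring so that a superstring such as 162.149.158.90 does not produce a false hit. The strings output and log lines it runs on are constructed for the example and do not come from any real system.

```python
import re

# Indicators as reported in the recap above (values from the page).
INDICATORS = {
    "tor_exit_node": "37.49.226.236",
    "aruba_mx": "62.149.158.90",
    "sample_sha256": "d3ad32bcb255e56cd2a768b3cbf6bafda88233288fc6650d0dfa3810be75f74c",
}

# Partially known MailBee license key from the recap; '?' = unknown character.
PARTIAL_LICENSE_KEY = "MN600-D8102?501003102110C5114F1?18\u20130E8CI"

DASHES = "-\u2013\u2014"  # hyphen, en dash, em dash: copy/paste often swaps them


def license_key_pattern(partial: str) -> re.Pattern:
    """Compile a partially known key into a regex.

    Known characters match literally, '?' matches any single character,
    and any dash variant matches any other dash variant.
    """
    pieces = []
    for ch in partial:
        if ch == "?":
            pieces.append(".")
        elif ch in DASHES:
            pieces.append("[" + re.escape(DASHES) + "]")
        else:
            pieces.append(re.escape(ch))
    return re.compile("".join(pieces))


def find_license_keys(text: str) -> list[str]:
    """Return every string in `text` that fits the partially known key."""
    return license_key_pattern(PARTIAL_LICENSE_KEY).findall(text)


def _ip_pattern(ip: str) -> re.Pattern:
    # Anchor on non-digit/non-dot so 62.149.158.90 does not match 162.149.158.90
    return re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")


def match_iocs(lines) -> list[tuple[str, str]]:
    """Scan log lines for the campaign's indicators; returns (indicator, line) hits."""
    compiled = {}
    for name, value in INDICATORS.items():
        if name == "sample_sha256":
            # Hashes are often logged upper-case; compare case-insensitively.
            compiled[name] = re.compile(re.escape(value), re.IGNORECASE)
        else:
            compiled[name] = _ip_pattern(value)
    hits = []
    for line in lines:
        for name, pattern in compiled.items():
            if pattern.search(line):
                hits.append((name, line))
    return hits


# CONSTRUCTED sample data for the example, not taken from any real system.
# The two unknown key positions are filled with X/Y purely to exercise the wildcard,
# and the en dash is replaced by a plain hyphen to exercise the dash handling.
CONSTRUCTED_STRINGS_OUTPUT = "\n".join([
    "MailBee.NET.dll",
    "MN600-D8102X501003102110C5114F1Y18-0E8CI",  # fits the partial key
    "MN600-D8102X501003102110C5114F1Y18-0E8CZ",  # differs in a known position: must not match
])

CONSTRUCTED_LOG = [
    "t1 smtp inbound connect from 62.149.158.90",
    "t2 smtp inbound connect from 162.149.158.90",  # superstring: must not match
    "t3 proxy CONNECT 37.49.226.236:443 client=ws-17",
    "t4 edr file-create sha256=D3AD32BCB255E56CD2A768B3CBF6BAFDA88233288FC6650D0DFA3810BE75F74C",
    "t5 proxy GET 203.0.113.9:80 client=ws-17",
]

if __name__ == "__main__":
    print(find_license_keys(CONSTRUCTED_STRINGS_OUTPUT))
    for name, line in match_iocs(CONSTRUCTED_LOG):
        print(f"{name}: {line}")
```

The license-key matcher is the more durable of the two checks: IPs and hashes rotate between campaigns, whereas a licensed third-party component compiled into the malware tends to carry the same key across versions, so the same pattern can be run over `strings` output of any suspected .NET sample.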

Who are the victims?

The exfiltrated information refers to, was produced or exchanged by, or was otherwise held by private citizens and public officials in key positions of the Italian State. The known domains of the victims are:

  • enav.it
  • istruzione.it
  • gdf.it
  • bancaditalia.it
  • camera.it
  • senato.it
  • esteri.it
  • tesoro.it
  • finanze.it
  • interno.it
  • istut.it
  • matteorenzi.it
  • partitodemocratico.it
  • pdl.it
  • cisl.it
  • comune.roma.it
  • regione.campania.it
  • regione.lombardia.it
  • unibocconi.it

The potential malware samples

Available on VirusTotal:

https://www.virustotal.com/en/file/d3ad32bcb255e56cd2a768b3cbf6bafda88233288fc6650d0dfa3810be75f74c/analysis/

and HybridAnalysis:

https://www.virustotal.com/en/file/d3ad32bcb255e56cd2a768b3cbf6bafda88233288fc6650d0dfa3810be75f74c/analysis/

This has been found via “MSIL/Cribz.a”, a clue by @ReaQta together with @emgent who convinced me that it’s actually a relevant sample. I’m still skeptical, though. It’s definitely relevant and related based on what’s in it, but it’s not 2016’s EyePyramid.


The updated report

Is available at this link:

https://www.virustotal.com/en/file/d3ad32bcb255e56cd2a768b3cbf6bafda88233288fc6650d0dfa3810be75f74c/analysis/
