A cyber group harvesting login credentials since 2009 is now under the microscope of one research firm.
The group behind the harvesting campaign, called NightHunter, used a stealthy method to exfiltrate the data it collected: login credentials for Google, Yahoo, Facebook, Skype, Dropbox, Amazon, Hotmail, LinkedIn and Rediff, as well as banking credentials, taken from a wide range of organizations in the energy, health, insurance and education sectors, and even from charities, said researchers at security firm Cyphort.
“NightHunter” has been active since 2009, but the researchers just discovered it.
The security firm has not been able to determine what the attackers are doing with the stolen information, but they said the bad guys could be using it to prepare for targeted attacks, including extortion, espionage or bank fraud.
The cybercriminals distribute malware via phishing emails that appear related to purchase orders, payments, jobs and inquiries. The malicious notifications usually go to the finance, sales and human resources departments of trading companies, broadcasters, insurance firms, auditors, retailers, educational institutions, charities, hospitals, import/export companies and organizations in the oil industry, Cyphort researchers said.
So far, victims have been located in the United States, Saudi Arabia, the United Kingdom, India and Malaysia.
The phishing emails contain an archive file that in most cases hides a keylogger. Once installed on a system, the keylogger lets the attackers steal data from Web browsers, FTP applications, games, instant messaging apps, password managers, email clients and even Bitcoin programs. Beyond keylogging, the malware includes features such as obfuscation, extension spoofing, screenshot capturing, website blocking, self-removal, fake error messages, file downloaders, application disabling and Web browser data removal.
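The delivery described above, an archive attachment hiding an executable whose name mimics a document (extension spoofing), is something a mail gateway can triage before the file reaches a finance or HR inbox. The following script is an added example written for this article, not code from Cyphort or from the NightHunter samples; the archive it inspects is constructed inline with fake contents (only a PE `MZ` magic, no real program), and the extension lists are the author's assumptions rather than anything the article specifies.

```python
import io
import os
import zipfile

# Extensions Windows will execute directly, and document extensions that an
# attacker typically puts in front of them (both lists are assumptions).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".rtf"}


def build_sample_archive() -> bytes:
    """Constructed sample archive resembling the phishing attachments described.

    The 'executable' member only carries the two-byte PE magic; nothing runs.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Purchase_Order_2231.pdf.exe", b"MZ" + b"\x00" * 64)
        zf.writestr("terms.txt", b"Payment due in 30 days.\n")
        zf.writestr("readme.pdf.scr", b"not a PE")  # spoofed name without MZ header
    return buf.getvalue()


def triage_member(name: str, head: bytes) -> list[str]:
    """Return a list of findings for one archive member given its name and first bytes."""
    findings = []
    base = os.path.basename(name).lower()
    root, ext = os.path.splitext(base)
    _, inner_ext = os.path.splitext(root)  # second-to-last extension, e.g. ".pdf" in "x.pdf.exe"
    if ext in EXECUTABLE_EXTS:
        findings.append("executable-extension")
        if inner_ext in DOCUMENT_EXTS:
            findings.append("extension-spoofing")
    if head.startswith(b"MZ"):
        findings.append("pe-header")
        if ext not in EXECUTABLE_EXTS and ext != ".dll":
            # Executable content hiding behind a non-executable name.
            findings.append("pe-with-nonexecutable-extension")
    return findings


def triage_archive(data: bytes) -> dict[str, list[str]]:
    """Inspect every file in a zip archive; only members with findings are returned."""
    results: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # enough for the PE magic check
            findings = triage_member(info.filename, head)
            if findings:
                results[info.filename] = findings
    return results


if __name__ == "__main__":
    for member, findings in triage_archive(build_sample_archive()).items():
        print(f"{member}: {', '.join(findings)}")
```

The name check and the content check are deliberately independent: a double extension with no PE header is still worth flagging (scripts and shortcuts carry no `MZ`), and a PE header behind a `.pdf` or `.txt` name is a stronger signal than the name alone. In production the same logic would also need to handle nested archives, password-protected zips (which should be quarantined rather than passed through) and other container formats.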
“The reason for larger number of samples using Gmail is probably (or likely) due to the popularity of Gmail and because most security products somehow ‘whitelist’ Google/Gmail traffic/activity making it easy to hide this email in the volume of emails sent out to Gmail,” said Cyphort researcher McEnroe Navaraj in a blog post.
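The point in the quote above is that destination-based allow-listing of Gmail traffic hides exfiltration that rides on it. A defender can instead key the detection on the process making the SMTP connection. The following is an added example for this article, not Cyphort code: the events are constructed in a Sysmon-like network-connection shape (not real telemetry), and the allowed mail-client names, ports and webmail SMTP hosts are assumptions the reader would replace with their own environment's baseline.

```python
from typing import Iterable

# Constructed sample events (host, process image, destination, port); none are real.
SAMPLE_EVENTS = [
    {"host": "ws-fin-07", "image": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
     "dst": "smtp.gmail.com", "port": 587},
    {"host": "ws-fin-07", "image": r"C:\Users\jdoe\AppData\Roaming\winupd.exe",
     "dst": "smtp.gmail.com", "port": 587},
    {"host": "ws-hr-02", "image": r"C:\Windows\System32\svchost.exe",
     "dst": "update.example.net", "port": 443},
    {"host": "ws-hr-02", "image": r"C:\Users\asmith\AppData\Local\Temp\po_2231.exe",
     "dst": "smtp.gmail.com", "port": 465},
    {"host": "ws-sales-11", "image": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe",
     "dst": "smtp.mail.yahoo.com", "port": 465},
]

# Baseline assumptions: which binaries are expected to speak SMTP, and which
# public webmail SMTP endpoints matter here (all values are illustrative).
MAIL_PORTS = {25, 465, 587}
ALLOWED_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
WEBMAIL_SMTP_HOSTS = {"smtp.gmail.com", "smtp.mail.yahoo.com", "smtp-mail.outlook.com"}
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\")


def process_name(image: str) -> str:
    """Lower-cased file name of the process image, independent of the directory."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return reasons an SMTP connection to a webmail provider looks suspicious."""
    if event["port"] not in MAIL_PORTS or event["dst"].lower() not in WEBMAIL_SMTP_HOSTS:
        return []
    reasons = []
    name = process_name(event["image"])
    if name not in ALLOWED_MAIL_CLIENTS:
        reasons.append("smtp-from-non-mail-client")
    if any(marker in event["image"].lower() for marker in USER_WRITABLE_MARKERS):
        # Legitimate mail clients live under Program Files, not in user-writable paths.
        reasons.append("process-in-user-writable-path")
    return reasons


def find_suspicious(events: Iterable[dict]) -> list[dict]:
    """Filter events down to those worth an analyst's attention, with reasons attached."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append({**event, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"{hit['host']}: {hit['image']} -> {hit['dst']}:{hit['port']} ({', '.join(hit['reasons'])})")
```

The destination stays in the rule only to scope it; the verdict comes from who is talking. A keylogger that submits stolen credentials through Gmail's SMTP servers still has to do so from its own process, and that process is rarely a sanctioned mail client installed under Program Files. Pairing this with the attachment triage at the gateway covers both ends of the campaign described in the article: the archive coming in and the credentials going out.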