An attack targeting small- and medium-sized businesses in several countries is succeeding despite using malware that makes little effort to hide itself.
Researchers at Kaspersky Lab, who named the campaign “Grabit,” found the attackers hit businesses in Thailand, India, the U.S., UAE, Germany, Israel, Canada, France, Austria, Sri Lanka, Chile and Belgium.
The compromised organizations span a wide range of sectors, including chemicals, nanotechnology, education, agriculture, media and construction.
Although the malware’s activity is easy to observe, the volume of exfiltrated files is impressive, the researchers said: about 10,000 files were stolen from SMB organizations, mainly in Thailand, India and the U.S.
Kaspersky found the attacker collects the information with a commercial keylogger called HawkEye (developed by HawkEye Products), alongside a configuration module bundling several remote administration tools (RATs) used to control the infected system.
Among the RATs identified is DarkComet, said Ido Naor, senior security researcher at Kaspersky’s Global Research and Analysis Team.
On one of the C&C servers the researchers found 2,887 passwords, 1,053 emails and 3,023 usernames from almost 5,000 different hosts. The credentials belonged to Outlook, Facebook, Skype, Google mail, Pinterest, Yahoo, LinkedIn and Twitter accounts, as well as bank accounts.
Grabit communicates with its command and control (C&C) server over random ports via an unencrypted channel (HTTP), which gives a clear view of the traffic. The stolen data itself is packed and encrypted before it is sent, Naor said.
Because that traffic is in plain text, however, intercepting it revealed the credentials for the FTP and SMTP servers that received the stolen data.
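The point above, that unencrypted exfiltration channels leak the drop-server logins to anyone who captures the traffic, is easy to demonstrate on a reassembled TCP stream. The script below is an added example and is not Kaspersky’s tooling or part of the original report; the FTP and SMTP session transcripts it parses are constructed for illustration (hostnames, usernames and passwords are made up), and it approximates direction-splitting by treating lines that start with a three-digit status code as server replies.

```python
"""Recover clear-text FTP and SMTP credentials from captured exfiltration traffic.

Added example, not Kaspersky's code.  Grabit pushed stolen data to FTP/SMTP
drop servers over unencrypted channels, so the drop-server logins are readable
in a packet capture.  The session transcripts below are constructed to look
like reassembled TCP streams (e.g. Wireshark's "Follow TCP stream" output).
"""
import base64
import binascii
import re
from dataclasses import dataclass

# --- constructed sample streams (not real captures) -----------------------
FTP_SESSION = (
    "220 drop.example.invalid FTP ready\r\n"
    "USER exfil\r\n"
    "331 Password required for exfil\r\n"
    "PASS S3cretDrop!\r\n"
    "230 Login successful\r\n"
    "STOR keylog-20150301.zip\r\n"
)

SMTP_SESSION = (
    "220 mail.example.invalid ESMTP\r\n"
    "EHLO victim-pc\r\n"
    "250-mail.example.invalid\r\n"
    "250 AUTH LOGIN PLAIN\r\n"
    "AUTH LOGIN\r\n"
    "334 VXNlcm5hbWU6\r\n"          # server challenge: "Username:"
    "ZHJvcA==\r\n"                  # client: base64("drop")
    "334 UGFzc3dvcmQ6\r\n"          # server challenge: "Password:"
    "aHVudGVyMg==\r\n"              # client: base64("hunter2")
    "235 Authentication successful\r\n"
    "MAIL FROM:<drop@example.invalid>\r\n"
)

# AUTH PLAIN sends authzid\0authcid\0password as one base64 blob.
SMTP_PLAIN_SESSION = "EHLO victim-pc\r\nAUTH PLAIN AGJvYgBodW50ZXIy\r\n235 OK\r\n"


@dataclass(frozen=True)
class Credential:
    protocol: str
    username: str
    password: str


_SERVER_REPLY = re.compile(r"^\d{3}[ -]")


def _client_lines(stream: str) -> list[str]:
    """Drop server replies (3-digit status codes).  A real capture would be
    split by packet direction instead; this is a simplification."""
    return [ln for ln in stream.splitlines() if ln and not _SERVER_REPLY.match(ln)]


def _b64(token: str):
    """Strict base64 decode; returns None for anything that is not valid base64."""
    try:
        return base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def extract_ftp(stream: str) -> list[Credential]:
    """FTP sends USER/PASS in the clear; pair each PASS with the preceding USER."""
    creds, user = [], None
    for ln in _client_lines(stream):
        verb, _, arg = ln.partition(" ")
        if verb.upper() == "USER":
            user = arg.strip()
        elif verb.upper() == "PASS" and user is not None:
            creds.append(Credential("ftp", user, arg.strip()))
            user = None
    return creds


def extract_smtp(stream: str) -> list[Credential]:
    """Handle AUTH LOGIN (two base64 client lines, username optionally inline)
    and AUTH PLAIN (one base64 blob with NUL separators)."""
    creds = []
    lines = _client_lines(stream)
    i = 0
    while i < len(lines):
        parts = lines[i].split()
        if len(parts) >= 2 and parts[0].upper() == "AUTH":
            mech = parts[1].upper()
            if mech == "LOGIN":
                if len(parts) >= 3:                          # username given inline
                    user = _b64(parts[2])
                    pw = _b64(lines[i + 1]) if i + 1 < len(lines) else None
                    i += 2
                else:
                    user = _b64(lines[i + 1]) if i + 1 < len(lines) else None
                    pw = _b64(lines[i + 2]) if i + 2 < len(lines) else None
                    i += 3
                if user is not None and pw is not None:
                    creds.append(Credential("smtp", user, pw))
                continue
            if mech == "PLAIN":
                blob = parts[2] if len(parts) >= 3 else (lines[i + 1] if i + 1 < len(lines) else "")
                decoded = _b64(blob)
                if decoded is not None and decoded.count("\0") == 2:
                    _authz, authc, pw = decoded.split("\0")
                    creds.append(Credential("smtp", authc, pw))
                i += 1 if len(parts) >= 3 else 2
                continue
        i += 1
    return creds


def extract_credentials(stream: str) -> list[Credential]:
    """Run both extractors over one stream; harmless if a protocol is absent."""
    return extract_ftp(stream) + extract_smtp(stream)


if __name__ == "__main__":
    for name, sess in (("ftp", FTP_SESSION), ("smtp", SMTP_SESSION), ("smtp-plain", SMTP_PLAIN_SESSION)):
        for c in extract_credentials(sess):
            print(f"{name}: {c.protocol} {c.username}:{c.password}")
```

The same idea applies to HTTP exfiltration: an unencrypted POST exposes its headers and body, so an analyst capturing Grabit’s C&C traffic sees the upload target even when the payload inside is packed and encrypted. Malformed or non-base64 AUTH responses are skipped rather than raising, so the extractor can be run over noisy captures without crashing.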
The campaign started in late February and ended in mid-March, the researchers said.
Every sample the researchers caught differed in size and activity from the others, the smallest being 0.52MB and the largest 1.57MB, suggesting the attacker experimented with features, packers and the insertion of “dead code” designed to make binary analysis more difficult.
Based on their findings, the researchers said those behind Grabit did not write all of the code themselves, and that the group includes more technically capable members than others, who focus on making the malware untraceable.
The attack arrives on the victim’s doorstep as an email attachment in the form of a Microsoft Word document carrying a malicious macro, which downloads the keylogger from a compromised server.