Findings from a recent Kaspersky report, sent exclusively to The Tech Portal by Kaspersky Labs, have revealed a new malware named Grabit, which infected as many as 10,000 files at SMEs and startups based mostly in India, Thailand and the US, with India and Thailand housing the largest number of infected machines.
The report further states that the list of infected countries also includes the UAE, Germany, Israel, Canada, France, Austria, Sri Lanka, Chile and Belgium.
The infected enterprises belong to a variety of sectors including chemicals, nanotechnology, education, agriculture, media, construction and more. Kaspersky Lab documentation points out that the campaign started somewhere in late February 2015 and ended in mid-March.
Once the development phase supposedly ended, the malware started spreading from India, the United States and Israel to other countries around the globe.
The infection was first reported by Kaspersky clients in the United States when they approached Kaspersky researchers with a request to investigate a new type of malicious software that they were able to recover from their organizations’ servers. By looking at the stolen credentials, it became clear that employees sent the malware to one another, as stolen host names and internal applications are the same.
The researchers at Kaspersky further found the malware to be written for 32-bit Windows machines, on top of the Microsoft .NET Framework (Visual Basic/C#).
The infection reportedly starts when a user clicks an email attachment looking like a Microsoft Word (.doc) file containing a malicious macro called AutoOpen. This macro simply opens a socket over TCP and sends an HTTP request to a remote server that was hacked by the group to serve as a malware hub, before downloading the malware.
Interestingly, the modus operandi of the malware consistently strives to produce a variety of samples, with different code sizes and supposedly more complicated obfuscation, and also includes a serious encryption algorithm, making it rather challenging to analyze. The attackers control their victims using the HawkEye keylogger, a commercial spying tool from HawkEye Products, and a configuration module containing a number of Remote Administration Tools (RATs).
This convenient “choose your RAT” functionality plays a very important role in the malware’s infection routine and its survival on the victim’s machine.
To illustrate the scale of the operation, Kaspersky Lab revealed that a keylogger on just one of the command-and-control servers was able to steal 2887 passwords, 1053 emails and 3023 usernames from 4928 different hosts, internal and external, including Outlook, Facebook, Skype, Google mail, Pinterest, Yahoo, LinkedIn and Twitter accounts, as well as bank accounts and others.
However, what has baffled researchers the most is that the malware does not have any functionality to hide its activity, pointing towards an erratic group of cyber criminals in which some members are more technical and more focused on being untraceable than others. Moreover, Grabit seems more dangerous because it focused mostly on small or medium-sized organizations, while most cyber spying campaigns usually focus on enterprises, government organizations and other high-profile entities.
“Grabit shows that it’s not just a “big fish” game – in the cyber world every single organization, whether it possesses money, information or political influence, could be of potential interest to one or other malicious actor,”
says Ido Naor, Senior Security Researcher, Global Research & Analysis Team.
“Grabit is still active and it’s critically important to check your network to ensure you’re safe. On May 15th a simple Grabit key logger was found to be maintaining thousands of victim account credentials from hundreds of infected systems. This threat shouldn’t be underestimated.”
To protect against Grabit, Kaspersky Lab recommends following these rules:
- Check this location: C:\Users\<PC-NAME>\AppData\Roaming\Microsoft. If it contains executable files, you might be infected with the malware. This is a warning you should not ignore.
- The Windows System Configuration should not contain a grabit1.exe entry in the startup table. Run “msconfig” and ensure that it is free of grabit1.exe records.
- Don’t open attachments and links from people you don’t know. If you can’t open an attachment, don’t forward it to others – ask an IT administrator for support.
- Use an advanced, up to date anti-malware solution, and always follow the AV task list for suspicious processes.
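The first two checks above can be scripted so they run the same way on every host. The following PowerShell script is an added example, not part of the Kaspersky report or The Tech Portal article; it assumes PowerShell 5.1 or later, profiles under C:\Users, and an assumed set of executable extensions, and it reads all startup entries (Run keys and Startup folders, the items msconfig lists) rather than only the current user's.

```powershell
# Added example (not from the Kaspersky report): audit a Windows host for the
# two Grabit indicators the article lists. Run elevated to read every profile.

$IndicatorName = 'grabit1.exe'   # startup entry name quoted in the article
$ExecutableExt = '.exe', '.dll', '.scr', '.bat', '.cmd', '.vbs'  # assumed set
$findings = @()

# 1) Executables under <profile>\AppData\Roaming\Microsoft for every local profile.
#    The article names C:\Users\<PC-NAME>\AppData\Roaming\Microsoft; iterating
#    over all profiles covers hosts with several accounts.
foreach ($profile in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $target = Join-Path $profile.FullName 'AppData\Roaming\Microsoft'
    if (-not (Test-Path $target)) { continue }
    Get-ChildItem -Path $target -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $ExecutableExt -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Check  = 'Executable in Roaming\Microsoft'
                Detail = $_.FullName
                # SHA-256 lets an analyst submit the file to the AV vendor
                # instead of deleting a possibly legitimate binary blindly.
                Hash   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# 2) Startup entries: Win32_StartupCommand enumerates Run keys and Startup
#    folders for all users, which is what msconfig's Startup tab shows.
$pattern = [regex]::Escape($IndicatorName)
Get-CimInstance -ClassName Win32_StartupCommand -ErrorAction SilentlyContinue |
    Where-Object { $_.Command -match $pattern -or $_.Name -match $pattern } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Check  = "Startup entry references $IndicatorName"
            Detail = "$($_.Location) :: $($_.Name) -> $($_.Command)"
            Hash   = ''
        }
    }

if ($findings.Count -eq 0) {
    Write-Output 'No Grabit indicators found in Roaming\Microsoft or startup entries.'
} else {
    # Every hit needs a human look: the folder can hold legitimate files too.
    $findings | Format-Table -AutoSize
}
```

A hit from the first check is a lead, not a verdict; compare the hash against your AV vendor's detections before removing anything.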