14.1 C
London
Saturday, September 23, 2017
Home Tags Matteo Renzi

Tag: Matteo Renzi

EyePyramid operation targeted politicians and business leaders A hacking operation featuring the EyePyramid trojan successfully compromised the systems of numerous high-profile Italian targets, including two former prime ministers, say Italian police. High-profile targets were targeted by a spear-phishing campaign that served a remote-access trojan codenamed "EyePyramid" as a malicious attachment. Targets of the spying included bankers, businessmen and even several cardinals.

The president of the European Central Bank, Mario Draghi, and two former Italian prime ministers, Matteo Renzi and Mario Monti, were among targets of the campaign, according to a copy of an Italian arrest warrant obtained by Politico. The malware was used to successfully exfiltrate over 87 gigabytes worth of data – including usernames, passwords, browsing data, and other files – from compromised systems. Federico Maggi, a senior threat researcher at Trend Micro, has published a blog post here and in a technical summary (on GitHub) here. Brother and sister Giulio Occhionero, 45, and Maria Occhionero, 48, were arrested in Rome on Tuesday and detained over hacking and espionage charges related to the EyePyramid campaign, Reuters reports.
Investigators appear to be proceeding on the basis that the hacking operation was used to harvest insider intelligence as part of a criminally tainted investment strategy rather than politically motivated cyber-espionage. The "stolen data was stored in servers in Prior Lake, Minnesota, and Salt Lake City, Utah," according to a court document seen by Reuters. The FBI has seized the servers and will ship them to Italy, the head of Italy's cyber crime unit told the news agency. Hackers behind the spear-phishing campaign used the compromised email accounts of attorneys and associates in several law firms as a platform to launch the second stage of the attacks, targeting businessmen and politicians, according to Trend Micro's Maggi. ® Bootnote Grazie molto to Milan-based reader Alex for the heads-up on this interesting case, which is unsurprisingly getting a lot of coverage in the Italian press. Sponsored: Want to know more about Privileged Access Management? Visit The Register's hub

The “EyePyramid” attacks

On January 10, 2017, a court order was declassified by the Italian police, in regards to a chain of cyberattacks directed at top Italian government members and institutions. The attacks leveraged a malware named “EyePyramid” to target a dozen politicians, bankers, prominent freemasons and law enforcement personalities in Italy.

These included Fabrizio Saccomanni, the former deputy governor of the Bank of Italy, Piero Fassino, the former mayor of Turin, several members of a Masonic lodge, Matteo Renzi, former prime minister of Italy and Mario Draghi, another former prime minister of Italy and now president of the European Central Bank. The malware was spread using spear-phishing emails and the level of sophistication is low. However, the malware is flexible enough to grant access to all the resources in the victim’s computer. During the investigation, involved LEAs found more than 100 active victims in the server used to host the malware, as well as indications that during the last few years the attackers had targeted around 16,000 victims.

All identified victims are in Italy, most of them being Law Firms, Consultancy services, Universities and even Vatican Cardinals. Evidence found on the C&C servers suggests that the campaign was active since at least March 2014 and lasted until August 2016. However, it is suspected that the malware was developed and probably used years before, possibly as far back to 2008. Two suspects were arrested on January 10th, 2017 and identified as 45-year-old nuclear engineer Giulio Occhionero and his 47-year-old sister Francesca Maria Occhionero. Investigation Although the Italian Police Report doesn’t include malware hashes, it identified a number of C&C servers and e-mails addresses used by the malware for exfiltration of stolen data. Excerpt from the Italian court order on #EyePyramid(http://www.agi.it/pictures/pdf/agi/agi/2017/01/10/132733992-5cec4d88-49a1-4a00-8a01-dde65baa5a68.pdf) Some of the e-mail addresses used for exfiltration and C&C domains outlined by the police report follow: E-mail Addresses used for exfiltration gpool@hostpenta[.]com hanger@hostpenta[.]com hostpenta@hostpenta[.]com purge626@gmail[.]com tip848@gmail[.]com dude626@gmail[.]com octo424@gmail[.]com tim11235@gmail[.]com plars575@gmail[.]com Command-and-Control Servers eyepyramid[.]com hostpenta[.]com ayexisfitness[.]com enasrl[.]com eurecoove[.]com marashen[.]com millertaylor[.]com occhionero[.]com occhionero[.]info wallserv[.]com westlands[.]com Based on these indicators we’ve quickly written a YARA rule and ran it through our systems, in order to see if it matches any samples. Here’s how our initial “blind”-written YARA rule looked like: rule crime_ZZ_EyePyramid { meta: copyright = ” Kaspersky Lab”author = ” Kaspersky Lab”maltype = “crimeware”filetype = “Win32 EXE”date = “2016-01-11”version = “1.0” strings: $a0=”eyepyramid.com” ascii wide nocase fullword$a1=”hostpenta.com” ascii wide nocase fullword$a2=”ayexisfitness.com” ascii wide nocase fullword$a3=”enasrl.com” ascii wide nocase fullword$a4=”eurecoove.com” ascii wide nocase fullword$a5=”marashen.com” ascii wide nocase fullword$a6=”millertaylor.com” ascii wide nocase fullword$a7=”occhionero.com” ascii wide nocase fullword$a8=”occhionero.info” ascii wide nocase fullword$a9=”wallserv.com” ascii wide nocase fullword$a10=”westlands.com” ascii wide nocase fullword$a11=”217.115.113.181″ ascii wide nocase fullword$a12=”216.176.180.188″ ascii wide nocase fullword$a13=”65.98.88.29″ ascii wide nocase fullword$a14=”199.15.251.75″ ascii wide nocase fullword$a15=”216.176.180.181″ ascii wide nocase fullword$a16=”MN600-849590C695DFD9BF69481597241E-668C” ascii wide nocase fullword$a17=”MN600-841597241E8D9BF6949590C695DF-774D” ascii wide nocase fullword$a18=”MN600-3E3A3C593AD5BAF50F55A4ED60F0-385D” ascii wide nocase fullword$a19=”MN600-AD58AF50F55A60E043E3A3C593ED-874A” ascii wide nocase fullword$a20=”gpool@hostpenta.com” ascii wide nocase fullword$a21=”hanger@hostpenta.com” ascii wide nocase fullword$a22=”hostpenta@hostpenta.com” ascii wide nocase fullword$a23=”ulpi715@gmx.com” ascii wide nocase fullword$b0=”purge626@gmail.com” ascii wide fullword$b1=”tip848@gmail.com” ascii wide fullword$b2=”dude626@gmail.com” ascii wide fullword$b3=”octo424@gmail.com” ascii wide fullword$b4=”antoniaf@poste.it” ascii wide fullword$b5=”mmarcucci@virgilio.it” ascii wide fullword$b6=”i.julia@blu.it” ascii wide fullword$b7=”g.simeoni@inwind.it” ascii wide fullword$b8=”g.latagliata@live.com” ascii wide fullword$b9=”rita.p@blu.it” ascii wide fullword$b10=”b.gaetani@live.com” ascii wide fullword$b11=”gpierpaolo@tin.it” ascii wide fullword$b12=”e.barbara@poste.it” ascii wide fullword$b13=”stoccod@libero.it” ascii wide fullword$b14=”g.capezzone@virgilio.it” ascii wide fullword$b15=”baldarim@blu.it” ascii wide fullword$b16=”elsajuliette@blu.it” ascii wide fullword$b17=”dipriamoj@alice.it” ascii wide fullword$b18=”izabelle.d@blu.it” ascii wide fullword$b19=”lu_1974@hotmail.com” ascii wide fullword$b20=”tim11235@gmail.com” ascii wide fullword$b21=”plars575@gmail.com” ascii wide fullword$b22=”guess515@fastmail.fm” ascii wide fullword condition: ((uint16(0) == 0x5A4D)) and (filesize < 10MB) and((any of ($a*)) or (any of ($b*)) )} To build the YARA rule above we’ve used every bit of existing information, such as custom e-mail addresses used for exfiltration, C&C servers, licenses for the custom mailing library used by the attackers and specific IP addresses used in the attacks. Once the YARA rule was ready, we’ve ran it on our malware collections.

Two of the initial hits were: MD5 778d103face6ad7186596fb0ba2399f2 File size 1396224 bytes Type Win32 PE file Compilation Timestamp Fri Nov 19 12:25:00 2010 MD5 47bea4236184c21e89bd1c1af3e52c86 File size 1307648 bytes Type Win32 PE file Compilation timestamp Fri Sep 17 11:48:59 2010 These two samples allowed us to write a more specific and more effective YARA rule which identified 42 other samples in our summary collections. At the end of this blogpost we include a full list of all related samples identified. Although very thorough, the Police Report does not include any technical details about how the malware was spread other than the use of spear phishing messages with malicious attachments using spoofed email addresses. Nevertheless, once we were able to identify the samples shown above we used our telemetry to find additional ones used by the attackers for spreading the malware in spear-phishing emails.

For example: From: Di Marco GianmariaSubject: ricezione e attivazioneTime:2014/01/29 13:57:42Attachment: contatto.zip//Primarie.accdb (…) .exe From: Michelangelo GiorgianniSubject: R: Re: CONVOCAZIONE]Time: 2014/01/28 17:28:56]Attachment: Note.zip//sistemi.pdf (…) .exe Other attachment filenames observed in attacks include: Nuoveassunzioni.7z Assunzione.7z Segnalazioni.doc (…) 7z.exe Regione.7z Energy.7z Risparmio.7z Pagati.7z Final Eight 2012 Suggerimenti Uso Auricolari.exe Fwd Re olio di colza aggiornamento prezzo.exe Approfondimento.7z Allegato.zip Eventi.bmp (…) .exe Quotidiano.mdb (…) _7z.exe Notifica operazioni in sospeso.exe As can be seen the spreading relied on spearphishing e-mails with attachments, which relied on social engineering to get the victim to open and execute the attachment.

The attachments were ZIP and 7zip archives, which contained the EyePyramid malware. Also the attackers relied on executable files masking the extension of the file with multiple spaces.

This technique is significant in terms of the low sophistication level of this attack. High profile victims Potential high-profile Italian victims (found as recipients of spear-phishing emails according to the police report) include very relevant Italian politicians such as Matteo Renzi or Mario Draghi. It should be noted however there is no proof than any of them got successfully infected by EyePyramid – only that they were targeted. Of the more than 100 active victims found in the server, there’s a heavy interest in Italian law firms and lawyers.

Further standout victims, organizations, and verticals include: Professional firms, Consultants Universities Vaticano Construction firms Healthcare Based on the KSN data for the EyePyramid malware, we observed 92 cases in which the malware was blocked, of which the vast majority (80%) of them were in Italy. Other countries where EyePyramid has been detected includes France, Indonesia, Monaco, Mexico, China, Taiwan, Germany and Poland. Assuming their compilation timestamp are legit – and they do appear correct, most of the samples used in the attacks have been compiled in 2014 and 2015. Conclusions Although the “EyePyramid” malware used by the two suspects is neither sophisticated nor very hard to detect, their operation successfully compromised a large number of victims, including high-profile individuals, resulting in the theft of tens of gigabytes of data. In general, the operation had very poor OPSEC (operational security); the suspects used IP addresses associated with their company in the attacks, discussed the victims using regular phone calls and through WhatsApp and, when caught, attempted to delete all the evidence. This indicates they weren’t experts in the field but merely amateurs, who nevertheless succeeded in stealing considerably large amounts of data from their victims. As seen from other known cyberespionage operations, it’s not necessary for the attackers to use high profile malware, rootkits, or zero-days to run long-standing cyberespionage operations. Perhaps the most surprising element of this story is that Giulio Occhionero and Francesca Maria Occhionero ran this cyber espionage operation for many years before getting caught. Kaspersky Lab products successfully detect and remove EyePyramid samples with these verdicts: HEUR:Trojan.Win32.Generic Trojan.Win32.AntiAV.choz Trojan.Win32.AntiAV.ciok Trojan.Win32.AntiAV.cisb Trojan.Win32.AntiAV.ciyk not-a-virus:HEUR:PSWTool.Win32.Generic not-a-virus:PSWTool.Win32.NetPass.aku A full report #EyePyramid, including technical details of the malware, is available to customers of Kaspersky APT Intelligence Services.

Contact: intelreports (at) kaspersky [dot] com
. To learn how to write YARA rules like a GReAT Ninja, consider taking a master class at Security Analyst Summit. – https://sas.kaspersky.com/#trainings References and Third-Party Articles Indicators of Compromise Hashes: 09ff13b020de3629b0547e0312a6c135102bccd95e5d8a56c4f7e8b902f5fb7112f3635ab1de63fbcb5e1c492424c6051391d37c6b809f48be7f09aa0dab76571498b8d6e946b5d6b529abea1359238114db577a9b0bfc62f3a25a9a51765bc517af7e00936dcc8af376ad899501ad8b192d5866cbfafae36d5ba321c817bc14325f5d379c4d091743ca8581f15d329536bd8feed1b17c59f3c653e6427661a4380b0f1921fed82e1b68b4e442b04f053c30f0114c600510fdb2573cc48d5c063fed695e2a6e63d971c16fd9e825fec547bea4236184c21e89bd1c1af3e52c8647dd1e017aae694abd2b7bc0b12cf1da47f1f9b1339147fe2d13772b4cb8103053b41dc0b8fd9663047f71bc91a317df5bc1b8c07c0f83d438a3e891dc3899545eb17f400f38c1b65990a8d60c298d956de1e478301d59ac14b8e9636b53815d75621de46a12234af0bec15620be6763778d103face6ad7186596fb0ba2399f2859f60cd5d0f0fbd91bde3c3914cbb188afb6488655cbea2737d2423843ea0779173aefe64b7704510c873e2ce7305e092c32eb72f5713ca1f2a8dc918f1f770932bd2ad79cbca4341d853a4b5ea1da594eff87eca2f054aa5fbc1877a6cf91998825a1ce35f46d004c0839e87cc27789b8571b5281f3751750d3099049098e09c57839b3f8462bd6c2d36db80cd5ecc9d3ce3246975ae6d545ee9e8ba12d1649d4b46d3c389e0144238c821670f8537a41c5374a14a2c7cbe093ff6b075e8acb39a673a5d2ceaa1fb5571769097ca77b533b082ed1458c482c3663ee12dc3a4bcfd544df7d8e9a2efe9d2ed32e74cadc0243741bfece772f02d1657dc057229c38e9edc0e4b18ff1fc5b61b771f7946ce76b690dc98844c721e6337cd5e7f4bcf391937d79ed6650893b1d5fbed0604d8432ddec880800bfa060af1f8c2e405eb604e7e27727a410fc226196c13afe9fafd293065daf126a9ad9562fc0b00b2 Related hashes identified by @GaborSzappanos: 014f69777d2e0c87f2954ad252d5281002965c8a593989ff7051ec24736da6bd04b3c63907c20d9be255e167de89a39804e949f64e962e757f5bb8566c07800b06e47736256c54d9dd3c3c533c73923e09ff13b020de3629b0547e0312a6c1350a80fd5abf270ddd8080f935058546840b3c1ff3b3b445f46594227ca2babdcd0c33c00a5f0f5bde8c426c3ce376eb110ded0389cbddeeb673836794269ffb3b0e19913ce9799a05ba97ac172ec5f0bc11062b36893c4ba278708ec3da07b1dd12b4d543ae1b98df15c8712d888c54f01334a7df1e59380206841d05d840077814cb305de2476365ef02d2226532dd341748c33cb5ac6f26d55cd1a58b68df8a18e24ef2791030693a4588bfcae1dec0192d5866cbfafae36d5ba321c817bc141b4d423350cd1159057dd7dbef4793281deb28ae7b64fb44358e69e5afd1f6002222a947ebccc8da16badeacca05df4b23beed8aaac883a5902039e6fd84ee5f2485e7ae3e0705898b7787ed0961878d2642990a46c434e7787a599f04742a32268698314c854bc483d05ffe459dc5402866ced99b46b39838f56fbe704d387b2896ae0489451d32f57c68b919b3fa7228ba7d1a4c5d64a65f2f2bf5f6ced12328e65b9577abaabf3f8c94d9fda50fc52a809644e6d07dc9fc111804a62b808930215197622f5c747fc869992768d9c6325f5d379c4d091743ca8581f15d329533890f9268023cd70c762ad2054078c73673c155eb6a0bd8a94bea265ebb8b76369cd42dfabea188fa57f802a83b55d9380b0f1921fed82e1b68b4e442b04f053a0af8bba61734b043edc0f6c61cd1893c30f0114c600510fdb2573cc48d5c063db711afc09c0a403a8ccff6a8a958df3e4365b079239b0a2451f48f337613323ebbae038d7bf19baa1bcfbc438bb5e73fed695e2a6e63d971c16fd9e825fec53ffcd0eedd79a9cc79c2c4a0f7e04b214025834a88dcfba3ed1774068c64c546417593eaf61d45e88adbad259d5585d0422fe9c78c71fb30d376e28ad1c4188444d91f49f261da6b1f183ea131d12a7f45dde4082c0407b9904c5f284080337f47bea4236184c21e89bd1c1af3e52c864a494c20bcfb77afd06908eb5a9718cb53b41dc0b8fd9663047f71bc91a317df5523aa1d4ee5f19522299be6f1111b895627cb8752c4c0774f822ccf8f1363eb56499e0b590857f73bb54f500008c656568895c8340a88316fdc0d77a7f2a91d5847072fd4db9e83d02d8b40a1d678505accd89d6483dec54acc7b1484dfbace5b5f3f65b372f9e24dbc50b21fe31f815bc1b8c07c0f83d438a3e891dc389954622fb530276a639892398410de03d05163d9e7cca593360411b5d05a555d52f36648a255610c5f60f580098bbc1d387c690cdf20faf470f828fe468a635da34e6c25a0974a907d368372ac460d8261d66c5693df933924e8a633ccfd7ef2635d6ff7876db06d9102786ae0e425aeaf3770882709d86e2a7396779f4111cd02e370f094e347d4088573c9af34430a3cd672ffb3418d3cde6fdef16b5b5db01127734cfa84d68506fe6e74eb1b038d9c707633748203b705109ededadfbe08dcfa778d103face6ad7186596fb0ba2399f277c2a369d0850c7a75487e8eee54b69e78b7d1caa4185f02b1c5ef493bf795297971c90d7533f2c69e33f2461434096a7aad90ce44e355f95b820fb59c9f5d567bf348005958658ba3fcf5ccb3e2ae227cddc3b26bb8f98e9b14d9c988f36f8f81624dc108e2d3dc712f3e6dd138736a820ca39f331f068cca71e7a7c281e4ac84c14a1327ae7c0e5a07a67a57451cc4860f607dbd0d6a2dc69cbc4f3b0eeeaf889c86aaf22876516964eafa475a2acd88c31f3b589d64a275608f471163989c89368652dc98b13f644ec2e356c7707c89696dbead484bf948c1dd86364672eb898150dea4d7275f996e7341463db21f8b27bcfa38205754c8e5fdf6a509d60e8f419bca20b767b03f128a19b82611ab915cc3c9c8cb8e200dbe04e425e7018b92c32eb72f5713ca1f2a8dc918f1f770932bd2ad79cbca4341d853a4b5ea1da598825a1ce35f46d004c0839e87cc277898b1157b9f3f3ec183bf322615f1ce419b19729531bf15afc38dd73bcc0596f89c99ecf33301e4cafdd848a7d3d77ef99cf08b15724e0eaf69a63e47690cdee2a16d8cf9a7a52e5c2ad6519766ae6b92a35312a5c0b06ee89ddadaea9ca6bad2a4c551ec6d3b5ab08a252231439e099fa615a4f5e93a63682a8f25b331f62882a6c29f9680fe5ae10a9250e5431754d4ab71ca072d4b526e258c21bd84ec0632ac6fa4005e587ac4b3456a14bd741ff0afab0fcbf8bc6595f9f2c0051b975a4eb1ddec2f71727dcf747e1d385272e24db2a756f557d273d81a61edc9fbfc9dafb2e1663647addc92bf253f389ac98027b39a673a5d2ceaa1fb5571769097ca77b533b082ed1458c482c3663ee12dc3a4b6e86ac7d3bbedf18b98437df49c1b60b70ddb9f6e4e2c85e80cf2079b10e762b89a8d3442d96161cef07552116407c3bb2a0aee38980aeb39cac06677936c96bc333001d3f458ff8fde9d989b53e16dbd7a2b795419c0b842fd041eaac36d7fbf850dcb074e0cf2e30fbee6bfaa4cd9c0d4e5ba26ef3c08dc1a29ac7496f015c38832f484645b516b57f6813c42d554c4abb3210f26d4a15a0d4fd41b47ee0ec547a30fa39f22e2093b51ed254bb1c2c69c370fcb7b645aaac086b2a3b18286c7ef4c7b12b5ad8198dafc58c4bea2a3c97ef1f13bf3d74c78f50fa7abe7766bca010bcdfe3c4965df0c6bc12b40db76ca243796e79c87c55f67a61bc3ee8ddcca9a7c6b231fadfae3466da890b434c5cf391937d79ed6650893b1d5fbed0604cf3b3c796114f6908a35542d4fd02b0ed034810ddab55c17dcddd2c2990b3ef3d1273537add3f2282391726489c65e38d20487e2d2f674bfd849cb8730225dded8432ddec880800bfa060af1f8c2e405d864ad5030d354c1e40a873a335b2611dac10dcede69eb9b4ccce8e6798f332cdb95221ebed1793bf5b5527ecb52eb0cdc64307ef67177449b31c6bb829edbf2dd734c07b94c8685bb809f83876c7193e0e862dbf001eb4a169d3340c200b501e727b444a6a9fa9d40a34a9508b1079fe7539ed9616b61c12028a663c298f6bee78ed9fac4f3e9b443abd02bfa9f3db2e85ff9e3a27899b0d1de8b958af5ad90eb604e7e27727a410fc226196c13afe9eba8aa2572cf0d6ccdf99c34cc26b6f3ec21252421f26072e9fe75586eb6b58aee9435593494f17f3efc3a795c45482eeeca6409dcf0e46d0182d53d230c701deff2d3f9f56e9aabcf970c4c09fe7ef8f0b61a531a72f0cc02d06d2ebfb935abf1a037e2edc5ddf4db4e1e7fcd33d5fbf3802442727c0b614482455d6ad9edc2f41be516fa8da87a269845c9ea688749f7d4742d2e746962440bf517b261f126f96335bf0512c6e65ea374a844ab7cebf9b4459f18ca9d2974cf5a58495c5879fa4266c305aa75a133ebae2a4dcc9b75fafd293065daf126a9ad9562fc0b00b2 Backdoor Filenames: pnbwz.exepxcfx.exeqislg.exerqklt.exerunwt.exeruzvs.exervhct.exevidhdw.exewinlng.exewxrun.exexddrv.exexdwdrv.exe Malicious attachments filenames (weak indicators): contatto.zip//Primarie.accdb (…) .exeNote.zip//sistemi.pdf (…) .exeNuoveassunzioni.7zAssunzione.7zSegnalazioni.doc (…) 7z.exeRegione.7zEnergy.7zRisparmio.7zPagati.7zFinal Eight 2012 Suggerimenti Uso Auricolari.exeFwd Re olio di colza aggiornamento prezzo.exeApprofondimento.7zAllegato.zipEventi.bmp (…) .exeQuotidiano.mdb (…) _7z.exe