
Kaspersky Lab discovers Grabit: A Cyber-spy Tracking SMBs in Thailand, India and the US

28 May 2015

Kaspersky Lab has recently discovered a new business-oriented cyber-spying campaign called Grabit that was able to steal about 10,000 files from small/medium-sized organizations based mostly in Thailand, India and the US

Kaspersky Lab has recently discovered a new business-oriented cyber-spying campaign called Grabit that was able to steal about 10,000 files from small/medium-sized organizations based mostly in Thailand, India and the US. The list of target sectors includes chemicals, nanotechnology, education, agriculture, media, construction and more.

Other countries affected are the UAE, Germany, Israel, Canada, France, Austria, Sri Lanka, Chile and Belgium.

“We see a lot of spying campaigns focused on enterprises, government organizations and other high-profile entities, with small and medium-sized businesses rarely seen in the lists of targets. But Grabit shows that it’s not just a “big fish” game – in the cyber world every single organization, whether it possesses money, information or political influence, could be of potential interest to one or other malicious actor. Grabit is still active, and it’s critically important to check your network to ensure you’re safe. On May 15th a simple Grabit keylogger was found to be maintaining thousands of victim account credentials from hundreds of infected systems. This threat shouldn’t be underestimated,” – says Ido Naor, Senior Security Researcher, Global Research & Analysis Team.

Infection starts when a user in a business organization receives an email with an attachment that appears to be a Microsoft Office Word (.doc) file. The user clicks to download it and the spying program is delivered to the machine from a remote server that has been hacked by the group to serve as a malware hub. The attackers control their victims using HawkEye keylogger, a commercial spying tool from HawkEyeProducts, and a configuration module containing a number of Remote Administration Tools (RATs).

To illustrate the scale of the operation, Kaspersky Lab can reveal that a keylogger on just one of the command-and-control servers was able to steal 2,887 passwords, 1,053 email addresses and 3,023 usernames from 4,928 different hosts, internal and external. The stolen credentials covered services including Outlook, Facebook, Skype, Google mail, Pinterest, Yahoo, LinkedIn and Twitter, as well as bank accounts and others.

An Erratic Group of Cybercriminals

On the one hand, the Grabit threat actor does not go the extra mile to hide its activity: some malicious samples used the same hosting server, and even the same credentials, undermining its own operational security. On the other hand, the attackers use strong obfuscation and anti-analysis techniques to keep their code hidden from analysts’ eyes. This leads Kaspersky Lab to believe that behind the sniffing operation is an erratic group, with some members more technical and focused on being untraceable than others. Expert analysis suggests that whoever programmed the malware did not write all the code from scratch.

To protect against Grabit, Kaspersky Lab recommends following these rules:

  • Check the folder C:\Users\<username>\AppData\Roaming\Microsoft (that is, %APPDATA%\Microsoft). It normally holds application data in subfolders; if it contains executable files, you may be infected with the malware. This is a warning you should not ignore.
  • The Windows startup configuration should not contain a grabit1.exe entry. Run “msconfig” (on Windows 8 and later, the Startup tab of Task Manager) and make sure there are no grabit1.exe records.
  • Don’t open attachments or links from people you don’t know. If you cannot open an attachment, don’t forward it to others; ask your IT administrator for help.
  • Use an advanced, up-to-date anti-malware solution, and review any processes it flags as suspicious.
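The two host checks above can be automated. The following PowerShell script is an added example, not part of the Kaspersky advisory or of any Kaspersky tool: it lists executable files sitting directly under %APPDATA%\Microsoft and looks for grabit1.exe in the common autostart locations (Run/RunOnce registry keys and the Startup folders). The file name grabit1.exe comes from the advisory; the set of file extensions treated as executable and the list of registry keys searched are this script’s own assumptions.

```powershell
# Added example (not from the Kaspersky advisory). Automates the manual Grabit
# checks: loose executables in %APPDATA%\Microsoft and grabit1.exe autostart
# entries. Extension list and registry key list are this script's assumptions.
# Run from a PowerShell prompt on the host under review.

$findings = @()

# Check 1: executable files directly in %APPDATA%\Microsoft.
# Subfolders are normal there; loose executables are not.
$exeExtensions = @('.exe', '.dll', '.scr', '.bat', '.vbs')   # assumption
$roamingMs = Join-Path $env:APPDATA 'Microsoft'
if (Test-Path $roamingMs) {
    Get-ChildItem -Path $roamingMs -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in $exeExtensions } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Check  = 'Executable in AppData\Roaming\Microsoft'
                Where  = $_.FullName
                Detail = "size=$($_.Length) modified=$($_.LastWriteTime)"
            }
        }
}

# Check 2: grabit1.exe referenced from Run/RunOnce keys (user and machine).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
        if ("$($p.Value)" -match 'grabit1\.exe') {
            $findings += [pscustomobject]@{
                Check  = 'grabit1.exe autostart entry'
                Where  = "$key\$($p.Name)"
                Detail = $p.Value
            }
        }
    }
}

# Check 3: Startup folders for the current user and for all users.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ieq 'grabit1.exe' -or $_.Extension -in $exeExtensions } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Check  = 'Executable in Startup folder'
                Where  = $_.FullName
                Detail = "modified=$($_.LastWriteTime)"
            }
        }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Grabit indicators found in the checked locations.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit from this script is a reason to isolate the host and involve IT or your incident response contact, not proof on its own; a clean result only covers the locations the advisory names, so keep the anti-malware check in place as well.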

Kaspersky Lab products detect all known Grabit samples and protect its users against the threat.

To learn more about the “Grabit” operation, please read the blog post available at Securelist.com.


About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky continually transforms deep threat intelligence and security expertise into innovative security solutions and services that protect businesses, critical infrastructure, governments and consumers around the world. The company offers a comprehensive security portfolio, including leading endpoint protection, a range of specialized security solutions and services, and Cyber Immune solutions for defending against sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies, and we help 200,000 corporate clients worldwide protect what matters most to them. To learn more, visit www.kaspersky.com.cn.