EyePyramid. This is the name of the malware that is shaking the Italian institutions as well as the private sector of this country. I recovered, from open sources and from a collection of malware, some samples probably belonging to the family in object. I elaborated as well a simple behavioral workflow after my first analysis available for download.
EyePyramid is not an advanced threat. It’s a malware built in vb.net and leans to a whole infrastructure built on Microsoft products. This is quite strange because these technical solutions are not usually observed in the “underground” and even less in state-sponsored threats. On the other hand, I think this makes us understand much of the technical limitations of the authors.
Technically speaking, the malware is spread via spear-phishing. For most not via malicious documents (pdf, docx, bla bla) or directly attaching the executable, but with a .vbs script (with filename spoofed via RTLO) that served as dropper for the first module of the infection.
This is an executable protected by ConfuserEx and it’s designed to perform reconnaissance actions. It decides whether to continue towards the full system infection or to abort the operation. After the first installation, it modified HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce for persistency and waits for system reboot.
After the first reboot, it copies itself under the system directory and downloads additional modules for C&C communication and data exfiltration.
Data exfiltration seems to be performed via SMTP and WebDAV protocols (on the basis of dimensions of the data to be exfiltrated).
Email used for exfiltration:
C&C related domains:
Finally, the malware is using a commercial component called MailBee.Net for data exfiltration.
The really weird thing is that malware authors have registered the license of that component to themselves !! Who would ever do such a thing?
Finally, it’s available a workflow made by me based on operations executed by samples I analyzed: