{"id":5808,"date":"2017-01-13T05:02:13","date_gmt":"2017-01-13T10:02:13","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=5808"},"modified":"2019-11-15T15:23:55","modified_gmt":"2019-11-15T11:23:55","slug":"eyepyramid-spyware","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/eyepyramid-spyware\/5808\/","title":{"rendered":"EyePyramid: happy-go-lucky malware"},"content":{"rendered":"<p>When we talk about malware on Kaspersky Daily \u2014 and we do that pretty often \u2014 we typically choose those malware species that, according to our data, have impacted a lot of people.\u00a0<a href=\"https:\/\/www.kaspersky.com\/blog\/cryptxxx-v3-ransomware\/13628\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">CryptXXX<\/a>,\u00a0<a href=\"https:\/\/www.kaspersky.com\/blog\/teslacrypt-master-key\/12160\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">TeslaCrypt<\/a>, and other nasties that have attacked millions all over the world are some examples. Malware that has been detected only a few times usually doesn\u2019t merit much attention. There is a lot of malware out there, as you know \u2014 we just can\u2019t devote a blog post to every single one.<\/p>\n<p>But there is an exception to every rule. Today we are going to talk about malware dubbed EyePyramid. No, we didn\u2019t name it; its creators did. And the reason we are going to talk about EyePyramid is that it kind of stands out from the crowd, and its story is a bit like a fairy tale. In it, a small man achieves big results (and fails in the end).<\/p>\n<h2>Italian family spying business<\/h2>\n<p>Let\u2019s start with the fact that EyePyramid was basically a family business. The malware itself was developed by a 45-year-old Italian, Giulio Occhionero, who has a degree in nuclear engineering. He and his sister, Francesca Maria Occhionero, 48, worked on spreading the malware. 
They worked together at a small investment firm called Westland Investments.<\/p>\n<p>According to a report Italian police recently\u00a0<a href=\"http:\/\/www.agi.it\/pictures\/pdf\/agi\/agi\/2017\/01\/10\/132733992-5cec4d88-49a1-4a00-8a01-dde65baa5a68.pdf\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">published<\/a>, EyePyramid was distributed via spear phishing and mostly targeted top Italian government members along with freemasons, law firms, consultancy services, universities, and even Vatican cardinals.<\/p>\n<p>What for? Once installed, the malware granted its creators access to all resources on the victims\u2019 computers. It was used for the sole purpose of gathering information, which, as\u00a0<em>SC Magazine<\/em>\u00a0<a href=\"https:\/\/www.scmagazine.com\/brother-sister-team-busted-for-high-level-email-hacks\/article\/631034\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">points out<\/a>, was in turn reportedly used to make more profitable investments. Malware as an analyst\u2019s tool. I personally don\u2019t quite get the link between investments and cardinals, but it seems that the criminals did.<\/p>\n<p>The high-profile positions of the victims and also the fact that Italian police were not disclosing details about EyePyramid, except for the addresses of the command-and-control (C&amp;C) servers and several of the e-mails that were used, drew the attention of our GReAT experts. So they decided to conduct an\u00a0<a href=\"https:\/\/securelist.com\/blog\/incidents\/77098\/the-eyepyramid-attacks\/\" target=\"_blank\" rel=\"noopener noreferrer\">investigation of their own<\/a>.<\/p>\n<h3>Rookie cybercrime<\/h3>\n<p>Using information from the police report, our analysts were able to find a whopping 44 different samples of EyePyramid, and that added a lot to our understanding of the story. Some media insist that EyePyramid is complex and sophisticated. It\u2019s not. In fact, it\u2019s rather simple. 
The cybercriminal duo employed crude methods such as using multiple spaces to mask the extension of the executable file that contained the malware. That trick looks simple, but it worked.<\/p>\n<p>It also turns out that the Occhioneros started the criminal part of their business a rather long time ago \u2014 the earliest samples we\u2019ve been able to find go back as far as 2010. Italian officials say that the duo might\u2019ve been active since 2008.<\/p>\n<p>Both being amateurs in the field of cybercrime, they failed to maintain good operational security. In fact, they mostly didn\u2019t care about security at all, discussing their victims using regular phone calls (which, as you know, can be easily\u00a0<a href=\"https:\/\/www.kaspersky.com\/blog\/gsm-hijacking\/11660\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">wiretapped<\/a>\u00a0by law enforcement agencies) and WhatsApp (which didn\u2019t use end-to-end encryption\u00a0<a href=\"https:\/\/www.kaspersky.com\/blog\/whatsapp-encryption\/11785\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">until this year<\/a>), as well as leaving traces of the IP addresses associated with their company.<\/p>\n<p>Nonetheless, they have, by Italian police estimates, operated for at least three years, and maybe even more than eight years, targeted 16,000 victims, and succeeded in getting access to victims\u2019 computers more than 100 times. That gave the duo a lot of information \u2014 tens of gigabytes of data that might have helped them improve their investments.<\/p>\n<h3>A tale ends<\/h3>\n<p>Still, this story is a perfect confirmation of the theory that investments in education (in this case, in learning operational security) usually pay better. On January 10 both Giulio and Francesca Maria Occhionero were arrested by the FBI, so the triumphant parade of the rookie malware is now over.<\/p>\n<p>Their long run might seem surprising, but maybe the secret lies in the simplicity of the malware. 
It looked too boring to be investigated thoroughly, and Kaspersky Security Network showed only 92 attempts at infection, which is a drop in the ocean compared with the number of infection attempts with popular ransomware. Nonetheless, the criminals are in prison, and all\u2019s right with the world.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>When we talk about malware on Kaspersky Daily \u2014 and we do that pretty often \u2014 we typically choose those malware species that, according to our data, have impacted a<\/p>\n","protected":false},"author":696,"featured_media":5809,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[1263,1264,36,683,682],"class_list":{"0":"post-5808","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"tag-eyepyramid","9":"tag-italy","10":"tag-malware-2","11":"tag-spying","12":"tag-spyware"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/eyepyramid-spyware\/5808\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/eyepyramid-spyware\/10676\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/eyepyramid-spyware\/8245\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/eyepyramid-spyware\/13958\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/eyepyramid-spyware\/2865\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/eyepyramid-spyware\/13838\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/eyepyramid-spyware\/6033\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/eyepyramid-spyware\/9501\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/eyepyramid-spyware\/13629\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/eyepyramid-spyware\/13958\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/eyepyramid-spy
ware\/13838\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/eyepyramid-spyware\/13838\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/malware-2\/","name":"malware"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5808","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/696"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=5808"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5808\/revisions"}],"predecessor-version":[{"id":14838,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5808\/revisions\/14838"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/5809"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=5808"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=5808"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=5808"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}