Researchers Expose New Malicious Tools and an Expanded List of Victims of the Crouching Yeti campaign, also known as Energetic Bear

Woburn, MA – July 31, 2014 – Kaspersky Lab today releases an in-depth analysis of the malware and command and control (C&C) server infrastructure related to the cyber-espionage campaign known to the Company’s Global Research and Analysis Team as Crouching Yeti. The targets of this actor include thousands of victims in several strategic sectors.

Crouching Yeti, also known as Energetic Bear, is an actor involved in several Advanced Persistent Threat (APT) campaigns that have been active since at least the end of 2010. According to Kaspersky Lab’s research, its victims appear to be in a wider range of enterprises than was previously thought. The largest numbers of identified victims fall into the following sectors:

  • Industrial/machinery
  • Manufacturing
  • Pharmaceutical
  • Construction
  • Education
  • Information Technology

The total number of known victims is over 2,800 worldwide, out of which Kaspersky Lab researchers were able to identify 101 organizations. The attacked organizations are located mostly in the United States, Spain, Japan, Germany, France, Italy, Turkey, Ireland, Poland and China. This list of victims seems to indicate Crouching Yeti’s interest in strategic targets, but it also shows the group’s interest in many other not-so-obvious institutions. Kaspersky Lab believes some of the targets might be collateral victims, or might give reason to reconsider how the Crouching Yeti actor should be defined: it may be not only a highly targeted campaign in a very specific area of interest, but also a broad surveillance campaign with interests in different sectors.

Though Crouching Yeti has been performing massive surveillance campaigns, there is no evidence of sophisticated exploits or malware being used. For example, the attackers used no zero-day exploits and relied only on exploits that are widely available on the Internet. Kaspersky Lab researchers found evidence of five types of malicious tools used by the attackers to extract valuable information from compromised systems, including:

  • Havex trojan
  • Sysmain trojan
  • The ClientX backdoor
  • Karagany backdoor and related stealers
  • Lateral movement and second stage tools

The most prevalent attack tool used is the Havex Trojan. In total, Kaspersky Lab researchers discovered 27 different versions of this malicious program and several additional modules, including tools aimed at gathering data from industrial control systems.

For command and control, Havex and the other malicious tools used by Crouching Yeti connect to a large network of hacked websites. These sites host victim information and serve commands to infected systems along with additional malware modules.

The list of downloadable modules includes tools for stealing passwords and Outlook contacts, capturing screenshots, and searching and stealing certain types of files, such as text documents, spreadsheets, databases, PDF files, virtual drives, password protected files, pgp security keys, etc.

Industrial espionage. At present, the Havex Trojan is known to have two unique modules aimed at gathering and transmitting data from specific industrial IT environments to the attacker. The first is the OPC scanner module, which is designed to collect detailed data about the OPC servers running in the local network. Such servers are usually used where multiple industrial automation systems are operating.

The OPC scanner module is accompanied by a network scanning tool. This second module is designed to scan the local network, look for all computers listening on ports related to OPC/SCADA software, try to connect to such hosts in order to identify which OPC/SCADA system is running, and transmit all gathered data to the command and control servers.
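The network-scanning behaviour described above leaves a characteristic trace from the defender's side: one internal host opening connections to many other internal hosts on OPC/SCADA-related ports. The following is an added detection example, not code from the press release or from Kaspersky Lab; the port numbers (135 for DCOM/OPC Classic, 4840 for OPC UA, 502 for Modbus/TCP), the log format and the threshold are assumptions of this example, and the log lines are constructed.

```python
from collections import defaultdict

# Ports associated with OPC/SCADA services. This mapping is an assumption
# of this example; the press release itself names no port numbers.
OPC_SCADA_PORTS = {135: "DCOM/OPC Classic", 4840: "OPC UA", 502: "Modbus/TCP"}

# Constructed connection-log sample (src dst dport), not real data.
# 10.0.1.15 sweeps six hosts on OPC/SCADA ports; the others are benign.
SAMPLE_LOG = """\
10.0.1.15 10.0.2.1 135
10.0.1.15 10.0.2.2 135
10.0.1.15 10.0.2.3 4840
10.0.1.15 10.0.2.4 502
10.0.1.15 10.0.2.5 135
10.0.1.15 10.0.2.6 4840
10.0.1.20 10.0.2.1 135
10.0.1.21 10.0.2.9 443
"""


def parse_log(text):
    """Yield (src, dst, dport) tuples from whitespace-separated log lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than failing the whole run
        yield parts[0], parts[1], int(parts[2])


def find_opc_sweeps(text, min_hosts=5):
    """Return {src: sorted distinct destination hosts} for every source that
    contacted at least min_hosts distinct hosts on OPC/SCADA-related ports.
    A single connection to one OPC server is normal; a fan-out is not."""
    targets = defaultdict(set)
    for src, dst, dport in parse_log(text):
        if dport in OPC_SCADA_PORTS:
            targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_hosts}


if __name__ == "__main__":
    for src, hosts in find_opc_sweeps(SAMPLE_LOG).items():
        print(f"{src} swept {len(hosts)} hosts on OPC/SCADA ports: {hosts}")
```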

Mysterious origin. Kaspersky Lab researchers observed several meta features that could point toward the national origin of the criminals behind this campaign. In particular, they performed file timestamp analysis of 154 files and concluded that most of the samples were compiled between 06:00 and 16:00 UTC, which could match basically any country in Europe as well as Eastern Europe.

Experts also analyzed the actor’s language. The strings present in the analyzed malware are in English (written by non-native speakers). Unlike several previous researchers of this particular campaign, Kaspersky Lab specialists couldn’t conclude definitively that this actor has a Russian origin. Almost 200 malicious binaries and the related operational content all present a complete lack of Cyrillic content (or transliteration), the opposite of Kaspersky Lab’s documented findings from researching Red October, Miniduke, Cosmicduke, Snake and TeamSpy. Also, language clues pointing at French and Swedish speakers were found.

Quote:
Nicolas Brulez, Principal Security Researcher
Kaspersky Lab
“The Energetic Bear was the initial name given to this campaign by Crowd Strike according to their nomenclature. The Bear goes for attribution, and Crowd Strike believes this campaign has a Russian origin. Kaspersky Lab is still investigating all existing leads; however, at the moment there are no strong points in either direction. Also our analysis demonstrates that the attackers’ global focus is much broader than just power producers. Based on this data, we decided to give a new name to the phenomenon: a Yeti reminds one of a bear, but it has a mysterious origin.”

Kaspersky Lab’s experts are continuing their research into this campaign while working with law enforcement agencies and industry partners. The full text of the research is available at Securelist.com.

Detection
Kaspersky Lab products detect and eliminate all variants of the malware used in this campaign, including but not limited to: Trojan.Win32.Sysmain.xxx, Trojan.Win32.Havex.xxx, Trojan.Win32.ddex.xxx, Backdoor.MSIL.ClientX.xxx, Trojan.Win32.Karagany.xxx, Trojan-Spy.Win32.HavexOPC.xxx, Trojan-Spy.Win32.HavexNk2.xxx, Trojan-Dropper.Win32.HavexDrop.xxx, Trojan-Spy.Win32.HavexNetscan.xxx, Trojan-Spy.Win32.HavexSysinfo.xxx

About Kaspersky Lab
Kaspersky Lab is the world’s largest privately held vendor of endpoint protection solutions. The company is ranked among the world’s top four vendors of security solutions for endpoint users*. Throughout its more than 16-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for large enterprises, SMBs and consumers. Kaspersky Lab, with its holding company registered in the United Kingdom, currently operates in almost 200 countries and territories across the globe, providing protection for over 300 million users worldwide. Learn more at www.kaspersky.com.

* The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2012. The rating was published in the IDC report "Worldwide Endpoint Security 2013–2017 Forecast and 2012 Vendor Shares" (IDC #242618, August 2013). The report ranked software vendors according to earnings from sales of endpoint security solutions in 2012.

For the latest in-depth information on security threat issues and trends, please visit:

Securelist | Information about Viruses, Hackers and Spam
Follow @Securelist on Twitter

Threatpost | The First Stop for Security News
Follow @Threatpost on Twitter

Media Contact
Sarah Bergeron
781.503.2615
sarah.bergeron@kaspersky.com

Kaspersky Lab Reports Crouching Yeti: An Ongoing Surveillance Campaign with Over 2,800 Highly Valuable Targets Worldwide