Threat group targets employees at SMBs with Grabit malware

Sectors being targeted in the campaign include chemicals, nanotechnology, education, agriculture, media, and construction
Sectors being targeted in the campaign include chemicals, nanotechnology, education, agriculture, media, and construction

As part of an information stealing campaign, a threat group is using malware identified as Grabit to infect employees at small and medium-sized businesses (SMB) primarily in Thailand, India and the U.S., according to researchers with Kaspersky Lab.

Sectors being targeted in the campaign – which appears to have commenced sometime in late February – include chemicals, nanotechnology, education, agriculture, media, and construction, according to a Thursday post by Ido Naor, senior security researcher with the Global Research & Analysis Team at Kaspersky Lab.

Each of the dozens of samples of Grabit observed by researchers was different in size and activity, Naor told SCMagazine in a Friday email correspondence. The malware was observed being distributed via emails that have documents attached, he said, explaining the documents contain a malicious macro called AutoOpen.

The document tells users that the file is protected and that they must enable macros to continue reading – upon doing so, the malware is delivered to the victim's system from a remote server that was hacked by the group to serve as a malware hub, Naor said, adding that no exploits are leveraged.

“The attackers control their victims using HawkEye keylogger and a configuration module containing a number of Remote Administration Tools (RAT),” Naor said. “Stolen data is packed and sent over FTP, HTTP or SMTP. In most cases the data is sent over clear text, but some samples were compiled with encryption of data in transit as well.”

According to the post, a keylogger in one command-and-control (C&C) server was able to steal 2,887 passwords, 1,053 emails, and 3,023 usernames from 4,928 different hosts, internally and externally, such as Outlook, Facebook, Gmail, Yahoo, Twitter and LinkedIn, as well as bank accounts.

To protect against the threat, Kaspersky advised checking the ‘C:\Users\<PC-NAME>\AppData\Roaming\Microsoft' location to see if there are any executable files, which could indicate an infection. Additionally, Windows System Configurations should not contain grabit1.exe in the startup table.

You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS