Incident Response, Malware, TDR

NightHunter campaign dates back to 2009, targets credentials and other data

Attackers have been using all sorts of modified and customized keylogger malware to infect systems and steal data – including credentials – as part of a massive campaign that dates back to 2009, according to researchers with security company Cyphort.

Some of the targets in the campaign – known as NightHunter – include Google, Yahoo, Facebook, Dropbox and Skype, but threats has been observed targeting energy firms, the oil industry, educational institutions, hospitals, charities and other organizations.

The current stage of the at least five-year-old campaign involves reconnaissance on high-level executives within those aforementioned organizations, Fengmin Gong, co-founder and chief architect at Cyphort, told SCMagazine.com in a Thursday email correspondence.

“We speculate that [the attackers] intend to leverage this information fully for the next stage, which can have many different objectives,” Gong said, explaining the attackers are exfiltrating screenshots and keylogging information at 30 minute intervals, and credentials once per day.

So far Cyphort has observed more than 1,800 infected systems across the globe, including in the U.S., UK, Saudi Arabia, India and Malasia, but Gong said there is no specific pattern emerging with regard to the data theft.

“It is unclear of the endgame for this campaign,” Gong said. “However, many of the affected companies are in possession of critical customer data and critical infrastructure assets for some countries.”

Gong could not provide any information about the NightHunter attackers due to an ongoing criminal investigation, but he said they are spreading their unique variants of keylogger malware through phishing emails containing DOC, ZIP and RAR attachments.

The attackers have been using a wide array of keylogger malware, including Limitless logger lite, Predator Pain, and Spyrex, most of which come with various features that enable file downloading, clearing browser data, and other data stealing functions.

“There are a number of keyloggers and malware being used as part of this campaign, some of which are known, and some are unknown that Cyphort has discovered, which is why [NightHunter] has gone undiscovered and gained so much momentum,” Gong said.

Another notable element of the campaign is the use of email – such as Gmail – for data exfiltration, likely to avoid detection, Gong said, explaining that attackers typically utilize web protocols because it is a more simple method to send data externally.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.