Though neither sophisticated nor carefully obfuscated, the EyePyramid campaign infected a wide range of victims.

Following the arrest by Italian police of a brother-sister team on charges of hacking into emails of prominent Italian officials, comes an analysis of the malware the suspects are said to have used in their scheme.

The siblings – Giulio Occhionero, 45, and Francesca Maria Occhionero, 47 – used a remote access trojan dubbed EyePyramid in a campaign that penetrated the email accounts of a number of prominent personalities in Italy, including former prime ministers, mayors, officials at the Bank of Italy and politicians in both chambers of the nation's parliament.

The pair spread their malware via spear-phishing emails and, according to an analysis by researchers at Securelist, a Kaspersky Lab blog, the level of sophistication was low, though it was efficient enough to grant the attackers access to the targeted accounts.

The researchers said the attack – which was carried out from at least March 2014 until August 2016 – affected around 16,000 victims, all in Italy. However, evidence detected on the C&C servers indicates that the malware might have been in use as far back as 2008, they reported.

The Securelist team credits the Italian police for their investigative work, but notes that technical details on how the malware was disseminated were sparse in the police report.

Their analysis found further details, including a range of emails and attachment filenames. The ploy depended on basic social engineering techniques, they said – namely, getting recipients to open and execute attachments, which arrived as ZIP and 7zip archives, in which the EyePyramid malware was embedded.

The Securelist researchers said that, though neither very sophisticated nor carefully obfuscated, the EyePyramid campaign infected a wide range of victims, which allowed the suspects to siphon out tens of gigabytes of data.

"In general, the operation had very poor OPSEC [operational security]; the suspects used IP addresses associated with their company in the attacks, discussed the victims using regular phone calls and through WhatsApp and, when caught, attempted to delete all the evidence," they said.

Their conclusion is that the suspects, although not expert in malware techniques, nevertheless achieved remarkable success in absconding with an enormous cache of data, and ran their operation for years before being detected.

The pair's targets were heavily skewed toward Italian lawyers and personnel in construction firms, universities, health care and the Vatican. As the perpetrators were well known in high-finance circles for their work running the London-based financial analysis firm Westlands Securities, the supposition is that they were stealing data for use in investment deals. Reports also mention Giulio Occhionero's association with Freemasons, so there is conjecture that he was trying to rise in prominence in the organization.

The siblings have been charged by Italian authorities with a number of felonies, including abusive intrusion in computer systems, abusive eavesdropping, and procurement of information regarding national security. As data was discovered on servers based in the U.S., the FBI was involved in the investigation as well.