Crouching Yeti, Hidden Dragon: New Threat Steals Data
Moscow-based Kaspersky Lab has added to what's known about a previously detected malware campaign that has been stealing sensitive data from major manufacturing, industrial, pharmaceutical, construction and IT companies in the United States, Spain, Germany, Poland, France, Japan, Italy, Turkey, Ireland and China.
Dubbed Crouching Yeti by Kaspersky, the campaign has been going on since at least 2010. It's not clear who is behind Crouching Yeti, or what its operators intend to do with the information gleaned from the campaign.
Aspects of Crouching Yeti were originally identified earlier this year by American security companies CrowdStrike, which named it Energetic Bear, and Symantec, which called it Dragonfly. Both noted that Western energy companies seemed to be the primary targets. Finnish security firm F-Secure called the campaign Havex, after malware the campaign used to attack industrial control systems (and about which the Department of Homeland Security issued an alert).
"Victims are not limited to the energy sector, but to many other ones," wrote Kaspersky's Global Research and Analysis Team (GReAT) in a blog posting today (July 31). "The Bear tag reflects CrowdStrike's belief that this campaign has a Russian origin. We couldn't confirm this point, so we decided to give it a new name. Yetis have something in common with Bears, but have a mysterious origin :)."
"There simply is no one piece or set of data that would lead to the conclusion that the threat actor is Bear, Kitten, Panda, Salmon, or otherwise," Kaspersky wrote in its official report.
Crouching Yeti uses several different Trojans that reach Windows machines by three delivery methods: spearphishing, in which specially crafted emails carrying malicious PDF attachments are sent to employees of targeted companies; trojanized installers for legitimate software; and watering-hole attacks, in which Crouching Yeti's operators inject browser exploit kits (which try a series of browser and plugin exploits in quick succession to install malware) into websites their targets are likely to visit.
The operators also use a sneaky trick to hide the Crouching Yeti campaign. Most malware that sends and receives data over the Internet "talks" to its operators via command-and-control servers hosted and maintained by the criminals or spies who distribute the malware. From these servers, the operators can receive stolen information and send the malware new commands.
Crouching Yeti doesn't host its own command-and-control servers, however. Much as a cuckoo lays its eggs in other birds' nests, the campaign hacks into legitimate websites and installs its command-and-control operations on those servers, so the traffic appears to go to ordinary, reputable sites. Half of those servers were in the United States; others were in Russia, Britain and Germany.
Other than that, the campaign isn't particularly sophisticated, Kaspersky found. None of the exploits used in the attacks are zero-days: they all target known flaws for which fixes already existed, but which the targeted organizations, and the websites used as watering holes, simply hadn't gotten around to patching.
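Because the command-and-control traffic described above goes to compromised but otherwise legitimate websites, domain-reputation blocklists are of little help; a practical fallback is to look for the timing signature of a malware check-in, that is, a client hitting the same URL at near-constant intervals. The script below is an added example and is not code from the Tom's Guide article or from Kaspersky's report; the proxy log format, host names, IP addresses and log lines are all constructed for illustration and are not indicators from the campaign.

```python
"""Beacon-regularity check over web-proxy logs (added example, not from the
article or from Kaspersky's report). Groups requests by (client, host, path)
and flags series whose inter-request intervals are nearly constant, the
pattern a malware implant produces when it polls a command-and-control
server that is hidden on an otherwise legitimate website."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (hypothetical hosts and addresses). One request per
# line: ISO timestamp, client IP, destination host, request path.
# The first series polls /news/index.php every ~5 minutes (implant-like);
# the second is irregular, as ordinary browsing or a human reader would be.
SAMPLE_LOG = """\
2014-07-31T09:00:00 10.0.0.5 www.example-supplier.com /news/index.php
2014-07-31T09:00:02 10.0.0.5 www.example-supplier.com /css/main.css
2014-07-31T09:05:00 10.0.0.5 www.example-supplier.com /news/index.php
2014-07-31T09:10:01 10.0.0.5 www.example-supplier.com /news/index.php
2014-07-31T09:15:00 10.0.0.5 www.example-supplier.com /news/index.php
2014-07-31T09:20:00 10.0.0.5 www.example-supplier.com /news/index.php
2014-07-31T09:00:30 10.0.0.5 cdn.example-news.org /feed.xml
2014-07-31T09:01:10 10.0.0.5 cdn.example-news.org /feed.xml
2014-07-31T09:14:55 10.0.0.5 cdn.example-news.org /feed.xml
2014-07-31T11:42:00 10.0.0.5 cdn.example-news.org /feed.xml
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, client, host, path)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path = line.split()
        records.append((datetime.fromisoformat(ts), client, host, path))
    return records


def find_beacons(records, min_hits=4, max_cv=0.1):
    """Return {(client, host, path): (hits, mean_interval_s, cv)} for every
    series with at least min_hits requests whose coefficient of variation
    (stdev / mean of the gaps between requests) is at or below max_cv."""
    series = defaultdict(list)
    for ts, client, host, path in records:
        series[(client, host, path)].append(ts)

    flagged = {}
    for key, stamps in series.items():
        if len(stamps) < min_hits:
            continue  # too few samples to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps: no usable interval
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            flagged[key] = (len(stamps), avg, cv)
    return flagged


if __name__ == "__main__":
    for (client, host, path), (hits, avg, cv) in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {host}{path}: {hits} hits, every {avg:.0f}s, cv={cv:.3f}")
```

Only the five-minute poll of /news/index.php is reported; the irregular /feed.xml requests are not. Treat the output as a triage list rather than a verdict: legitimate software that polls on a timer (update checkers, RSS readers, monitoring agents) leaves the same signature, and an implant that randomizes its sleep interval will not be caught by a pure regularity test.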
Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games.