Crouching Yeti, Hidden Dragon: New Threat Steals Data

Credit: Gbreezy/Shutterstock

Moscow-based Kaspersky Lab has added to what's known about a previously detected malware campaign that has been stealing sensitive data from major manufacturing, industrial, pharmaceutical, construction and IT companies in the United States, Spain, Germany, Poland, France, Japan, Italy, Turkey, Ireland and China.

Dubbed Crouching Yeti by Kaspersky, the campaign has been going on since at least 2010. It's not clear who is behind Crouching Yeti, or what its operators intend to do with the information gleaned from the campaign.

Aspects of Crouching Yeti were originally identified earlier this year by American security companies CrowdStrike, which named it Energetic Bear, and Symantec, which called it Dragonfly. Both noted that Western energy companies seemed to be the primary targets. Finnish security firm F-Secure called the campaign Havex, after malware the campaign used to attack industrial control systems (and about which the Department of Homeland Security issued an alert).

"Victims are not limited to the energy sector, but to many other ones," wrote Kaspersky's Global Research and Analysis Team (GReAT) in a blog posting today (July 31). "The Bear tag reflects CrowdStrike's belief that this campaign has a Russian origin. We couldn't confirm this point, so we decided to give it a new name. Yetis have something in common with Bears, but have a mysterious origin :)."

"There simply is no one piece or set of data that would lead to the conclusion that the threat actor is Bear, Kitten, Panda, Salmon, or otherwise," Kaspersky wrote in its official report.

Crouching Yeti uses several different Trojans that infect Windows machines by three methods: spearphishing, in which specially crafted emails carrying malicious PDF attachments are sent to employees of targeted companies; fake (trojanized) software installers, in which legitimate installers are repackaged with the malware; and watering-hole attacks, in which Crouching Yeti's operators plant browser exploit kits (automated tools that probe a visitor's browser and plugins for known flaws and install malware on a match) on websites their targets are likely to visit.

The operators also use a trick to hide the Crouching Yeti campaign's infrastructure. Most malware that sends and receives data over the Internet "talks" to its operators through command-and-control servers hosted and maintained by the criminals or spies who distribute the malware. Through these servers, the operators receive stolen information and send the malware new commands.

Crouching Yeti doesn't host its own command-and-control servers, however. Much as a cuckoo lays its eggs in other birds' nests, the campaign hacks into legitimate websites and installs its command-and-control scripts on those servers. Half those servers were in the United States; others were in Russia, Britain and Germany. Because the domains involved are otherwise legitimate, reputation-based blocklists offer little help; the traffic has to be spotted by its behavior.
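As an added illustration (not part of the original article or of Kaspersky's report), the following Python script shows one way a defender can hunt for this kind of command-and-control traffic in web-proxy logs: it ignores domain reputation entirely and instead flags any client that contacts the same URL at nearly constant intervals. The log lines, host names, client addresses and URL path are constructed for the example; no specific Crouching Yeti indicator is assumed.

```python
"""Beacon detection over web-proxy log lines (added example).

A compromised-but-legitimate site will not appear on a reputation blocklist,
so this script looks for the one thing an implant cannot easily hide: it
checks in on a schedule.  Any (client, URL) pair seen at least `min_hits`
times with a near-constant gap between requests is reported.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (hypothetical hosts and paths, not real
# indicators).  Fields: timestamp, client IP, method, URL, request bytes.
# Client 10.1.2.30 POSTs to the same PHP page roughly every 30 minutes;
# the remaining lines are ordinary browsing.
SAMPLE_LOG = """\
2014-07-30T08:00:05 10.1.2.30 POST http://example-blog.test/blog/wp-content/upload.php 412
2014-07-30T08:00:09 10.1.2.30 GET http://news.example.test/index.html 0
2014-07-30T08:30:07 10.1.2.30 POST http://example-blog.test/blog/wp-content/upload.php 418
2014-07-30T08:31:00 10.1.2.31 GET http://news.example.test/index.html 0
2014-07-30T09:00:04 10.1.2.30 POST http://example-blog.test/blog/wp-content/upload.php 409
2014-07-30T09:02:10 10.1.2.30 GET http://news.example.test/sports.html 0
2014-07-30T09:30:06 10.1.2.30 POST http://example-blog.test/blog/wp-content/upload.php 415
2014-07-30T09:45:00 10.1.2.31 GET http://news.example.test/index.html 0
2014-07-30T10:00:05 10.1.2.30 POST http://example-blog.test/blog/wp-content/upload.php 420
"""


def parse_line(line):
    """Split one whitespace-delimited log line into typed fields."""
    ts, client, method, url, nbytes = line.split()
    return datetime.fromisoformat(ts), client, method, url, int(nbytes)


def find_beacons(log_text, min_hits=4, max_jitter=0.2):
    """Return (client, url, mean_interval_seconds) for periodic request series.

    A series qualifies when it has at least `min_hits` requests and the
    standard deviation of the gaps between them is no more than
    `max_jitter` times the mean gap (i.e. the timing is nearly regular).
    """
    series = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, _nbytes = parse_line(line)
        series[(client, url)].append(ts)

    beacons = []
    for (client, url), times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Coefficient of variation of the gaps: ~0 for a clockwork beacon,
        # large for a human clicking around a site.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((client, url, round(avg)))
    return sorted(beacons)


if __name__ == "__main__":
    for client, url, interval in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {url} every ~{interval}s")
```

Legitimate software (update checkers, mail clients) also beacons, so a hit is a triage signal rather than a verdict, and operators who add random jitter to their check-in interval will push the ratio past a tight threshold; raising max_jitter trades false positives for coverage.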

Other than that, the campaign isn't particularly sophisticated, Kaspersky found. None of the exploits used in the attacks are zero-days: all target known flaws for which patches already exist, in software that the targeted organizations or the compromised websites simply hadn't gotten around to updating.

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games.