When it comes to corporate espionage, we are all inclined to think of it as a threat facing government bodies and big corporations. The last thing we expect is for the average startup or any other small or medium-sized business to warrant such a level of attention from would-be cyber criminals.
Well, the rude awakening from Kaspersky Lab is that SMEs too are increasingly on the menu for perpetrators of corporate espionage and cyber crime. A report by Kaspersky Lab describes a new cyber-spying campaign using spyware named Grabit. This spyware is said to have stolen about 10,000 files from SMEs, primarily in the United States, India, and Thailand.
According to Kaspersky, Grabit targets SMEs in the agriculture, media, chemicals, education, nanotechnology and construction industries. It disguises itself as a Microsoft Word document sent as an attachment in emails.
“We see a lot of spying campaigns focused on enterprises, government organizations and other high-profile entities, with SMBs rarely seen in the lists of targets. But Grabit shows that it’s not just a ‘big-fish-game’,” said Ido Noar, a senior security researcher with the Global Research and Analysis Team at Kaspersky Lab.
“In the cyber world, every single organization whether it possesses money, information or political influence, could be of potential interest to one or other malicious actor.”
Grabit spyware works by sending an employee a seemingly harmless email with a Microsoft Office Word (.doc) file attachment. Once the recipient downloads the file, spying programs are sent to the host device from a remote server used as a malware hub by the hackers. The hackers are then able to ‘control’ their victims by means of a commercial spying tool, the HawkEye keylogger, and a configuration module that uses Remote Administration Tools (RATs).
According to Kaspersky, in one command-and-control server, a keylogger managed to steal 3,023 usernames, 2,887 passwords, and 1,053 emails from 4,928 different users. The stolen information could potentially give hackers credentials for users’ bank accounts, Gmail, Skype, Microsoft Outlook and social media accounts, among others.
Grabit spyware is being used by an “erratic” group of cyber criminals, some of whom are more cautious about being traced than others.
In a statement, Kaspersky said, “The Grabit threat actor does not go the extra mile to hide its activity: some malicious samples used the same hosting server and even the same credentials, undermining its own security. On the other hand, the attackers use strong mitigation techniques to keep their code hidden from analysts’ eyes… Expert analysis suggests that whoever programmed the malware did not write all the code from scratch.”