Kaspersky Lab: New cyber-spy attacking SMBs under guise of Microsoft Word

Threat shows SMBs are as vulnerable as large companies, Kaspersky says

Kaspersky Lab reported today that Grabit, a new cyber-spying campaign, has stolen approximately 10,000 files from SMBs, primarily in the U.S., India and Thailand, by posing as a Microsoft Word document.

According to Kaspersky, Grabit is targeting the agriculture, chemicals, construction, education, media and nanotechnology sectors amongst others.

Ido Noar, senior security researcher with the Global Research and Analysis Team at Kaspersky Lab, said that Grabit proves cybercriminals are not just after large organizations.

"We see a lot of spying campaigns focused on enterprises, government organizations and other high-profile entities, with SMBs rarely seen in the lists of targets, but Grabit shows that it's not just a 'big fish' game," Noar said in a statement. "In the cyber world, every single organization, whether it possesses money, information or political influence, could be of potential interest to one or other malicious actor."

Grabit works by sending an employee an email carrying what appears to be a Microsoft Office Word .doc file, Kaspersky said. Once the employee downloads and opens the file, a remote server that the cybercriminals have compromised and repurposed as a malware hub delivers a spying program to the device, according to Kaspersky. The security company said the attackers then "control" their victims through a commercial spying tool, the HawkEye keylogger, together with a configuration module for various Remote Administration Tools (RATs).

Kaspersky said that from a single command-and-control server, one keylogger was able to steal 3,023 usernames, 2,887 passwords and 1,053 emails from 4,928 different hosts. The stolen credentials covered bank accounts, Microsoft Outlook, Google Mail, Skype, social media accounts and more, Kaspersky added.

An "erratic" group of cybercriminals, some of whom are more concerned with staying untraceable than others, may be behind the campaign, Kaspersky suggested.

"The Grabit threat actor does not go the extra mile to hide its activity: some malicious samples used the same hosting server, and even the same credentials, undermining its own security," Kaspersky said. "On the other hand, the attackers use strong mitigation techniques to keep their code hidden from analysts' eyes. ... Expert analysis suggests that whoever programmed the malware did not write all the code from scratch."

Adapted from an article in Channelnomics
