Small and medium enterprises in India need to be careful as they have become the target of a cyber-spying campaign called Grabit.
According to findings by Kaspersky Lab, a new business-oriented cyber-spying campaign called Grabit was able to steal about 10,000 files from small/medium-sized organisations based mostly in India, Thailand and the US.
The list of target sectors includes chemicals, nanotechnology, education, agriculture, media, construction and more. Companies based in India and Thailand had the largest percentage of infected machines. The stolen credentials make it clear that employees forwarded the malware to one another, since the stolen host names and internal application names are the same across victims.
Other countries affected are the UAE, Germany, Israel, Canada, France, Austria, Sri Lanka, Chile and Belgium.
Kaspersky Lab documentation points out that the campaign started somewhere in late February 2015 and ended in mid-March. As the development phase supposedly ended, malware started spreading from India, the US and Israel to other countries around the globe.
"We see a lot of spying campaigns focused on enterprises, government organisations and other high-profile entities, with small and medium-sized businesses rarely seen in the lists of targets. But Grabit shows that it's not just a 'big fish' game - in the cyber world every single organisation, whether it possesses money, information or political influence, could be of potential interest to one or other malicious actor," said Ido Naor, Senior Security Researcher, Global Research & Analysis Team.
Grabit is still active, and it's critically important to check your network to ensure you're safe, said Kaspersky.
On May 15th a simple Grabit keylogger was found to be maintaining thousands of victim account credentials from hundreds of infected systems. This threat shouldn't be underestimated, said the company.
Infection starts when a user in a business organisation receives an email with an attachment that appears to be a Microsoft Office Word (.doc) file. When the user opens it, the spying program is delivered to the machine from a remote server that the group has compromised to serve as a malware hub. The attackers control their victims using the HawkEye keylogger, a commercial spying tool from HawkEyeProducts, and a configuration module containing a number of Remote Administration Tools (RATs).
To illustrate the scale of the operation, Kaspersky Lab reveals that a keylogger on just one of the command-and-control servers was able to steal 2,887 passwords, 1,053 emails and 3,023 usernames from 4,928 different hosts, internal and external, covering Outlook, Facebook, Skype, Google mail, Pinterest, Yahoo, LinkedIn and Twitter, as well as bank accounts and other services.