Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Kaspersky Lab discovers a cyber-spy tracking SMBs in Thailand, India and the US

Zafirah Salim | May 29, 2015
Called Grabit, this cyber-spying campaign is able to steal about 10,000 files from SMBs based mostly in Thailand, India and the United States.

Kaspersky Lab announced yesterday the discovery of a new business-oriented cyber-spying campaign - called Grabit - that has the capability to steal about 10,000 files from small and medium-sized businesses (SMBs) that are based mostly in Thailand, India and the United States.

Other affected countries include the United Arab Emirates (UAE), Germany, Israel, Canada, France, Austria, Sri Lanka, Chile and Belgium.

It added that some of the targeted sectors include chemicals, nanotechnology, education, agriculture, media and construction.

"We see a lot of spying campaigns focused on enterprises, government organisations and other high-profile entities, with small and medium-sized businesses rarely seen in the list of targets. But Grabit shows that it's not just a "big fish" game. In the cyber world, every single organisation - whether it possesses money, information or political influence - could be of potential interest to one or other malicious actors," said Ido Noar, Kaspersky Lab's Senior Security Researcher from the Global Research and Analysis team.

Noar warned that since the Grabit is still active, it is critically important for businesses to check the security of their networks. He cited an incident that took place on May 15, whereby a simple Grabit keylogger was found to be maintaining thousands of victim account credentials from hundreds of infected systems.

How Grabit works

According to Kaspersky Lab, the infection starts when a user in an organisation receives an email with an attachment that appears to be a Microsoft Office Word (.doc) file. When the user clicks to download it, the spying programme is delivered to the machine from a remote server that has been hacked by the group to serve as a malware hub.

The attackers then control their victims using HawkEye keylogger, a commercial spying tool from HawkEyeProducts, and a configuration module containing a number of Remote Administration Tools (RATs).

To illustrate the scale of operation, Kaspersky Lab revealed that a keylogger in just one of the command-and-control servers was able to steal 2,887 passwords, 1,053 emails and 3,023 usernames from 4,928 different hosts, internally and externally, including Outlook, Facebook, Skype, Google mail, Pinterest, Yahoo, LinkedIn and Twitter, and bank accounts.

To protect against Grabit, Kaspersky Lab recommends businesses to follow these rules:

  • Check this location C:\Users\<PC-NAME>\AppData\Roaming\Microsoft. If it contains executable files, you might be infected with the malware.
  • The Windows System Configurations should not contain a grabit1.exe in the startup table. Run "msconfig" and ensure that it is clean from grabit1.exe records.
  • Do not open attachments and links from people you don't know. If you can't open it, don't forward it to others - call for the support of an IT administrator.
  • Use an advanced, up-to-date anti-malware solution, and always follow the AV task list for suspicious processes.


Sign up for Computerworld eNewsletters.