Grabbing has often had a negative connotation attached to it. This time, though, attackers just escalated it to an all new level of malice.
The EvilGrab campaign is immortalized by its capacity for targeting not just any generic company information but specific media types. These include videos, audio, screenshots, and other media files that can easily record sensitive conversations, meeting notes, strategies, and other information that any company or group wouldn’t want out.
The campaign uses any one of its three backdoor malware, each neatly wrapped in spear-phishing emails and malicious Microsoft® Excel® spreadsheet, PDF, or Microsoft® Word® document attachments. It loads a malicious component whenever explorer.exe is run, setting it apart from other attacks with malware that do not directly target Windows components.
It can grab sensitive media files with the help of technology that’s already in Windows. It can use the Sample Grabber filter to nab videos, or Wave APIs to get audio.
This campaign’s attackers remain stealthy by taking the presence of security products into consideration. Apart from setting up disguised folders and shortcuts as decoy documents, the malware encrypts its own components and checks for certain security processes that are tied to security products.
Users and organizations in Japan and China should be wary of this campaign as it mostly prevails in the said countries. In addition, an EvilGrab builder has already been released for attackers to easily input their C&C servers, the security products they want to avoid, and other routines.
Like it? Add this infographic to your site: 1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).