Experts Observe that Energetic Bear is Much More Widespread than Originally Expected

Motherboard.vice.com reported on 31st July, 2014 stating that a malware campaign namely Energetic Bear was initially seemed to have originated from Russia targeting only power grids, is much more dangerous and widespread than what cyber security experts first imagined.

Kaspersky Lab recently reported that the malware has infected thousands of high-profile targets at several industries around the world and it was not likely a Russian invention. Actually, we really don't know its origin and the campaign has been named 'Crouching Yeti' to reflect its mysterious origins.

The report reveals that Crouching Yeti has been operating since at least 2010 and has infected approximately 2,800 targets in 38 countries in diverse industries like pharmaceuticals and education.

The finding is concerning and confounding. It is concerning because the victims of the campaigns are all leaders in their field although the report doesn't disclose their names and the main objective is to glean sensitive trade secrets and information and it is confounding because the experts tracking the malware are unable to find its origin and reason.

Crouching Yeti uses many different kinds of trojans which contaminate Windows machines using three dissimilar methods such as fake software installers; and water-holing attacks, sending specially designed electronic mails carrying tainted attachments to workers of targeted companies or spear-phishing in which operators of Crouching Yeti infuse browser exploit kits and rapid-fire malicious software installers into sites which they are likely to visit.

The operators also use a cunning trick to conceal the campaign of Crouching Yeti. Mostly malware sends and receives information over the World Wide Web communicates to its operators through C2 (command-and-control) servers hosted and preserved by the spies or cybercriminals who spread the malware. The operators can obtain stolen data and send malware to new commands from these servers.

Researchers of Kaspersky said that identifiying the malware, victims and tools in the attack is one thing but it is difficult to prove the identity of the attackers.

Threatpost.com reported on 31st July, 2014 quoting the report as "The available data is more non-specific than usual as compared to our other APT research. Simply, there is not a single piece or a set of data which would prove that the threat actor is Kitten, Panda, Bear, Salmon or others".

» SPAMfighter News - 8/12/2014