The low-signal campaign has operated undetected for years

Researchers at Cyphort Labs have discovered a campaign that is actively targeting usernames and passwords, and has done so undetected since 2009.

The campaign, which researchers are calling Nighthunter, targets credentials seemingly without focus, and it’s believed that those behind the operation are using their access for data collection.

The campaign doesn’t target a specific organization or industry. In fact, Cyphort researchers have seen evidence that the campaign has successfully targeted several verticals, including energy, education, insurance, and even charities.

In each attack, the malware delivered targets Google, Yahoo, Facebook, Dropbox, and Skype credentials. The campaign starts with a phishing email. From there, those running the operation use malware that stays under the radar and attempts to avoid detection. In fact, data exfiltration is done via SMTP (skipping the need for a command-and-control mechanism), something that isn’t all that common considering the more advanced malware circulating online.

“This could be to simply ‘hide (and steal data) in plain sight’ as organizations beef up web anomaly detection for dealing with advanced attacks,” wrote Cyphort’s McEnroe Navaraj. “[The campaign] involves several different malware keyloggers, including Predator Pain, Limitless, and Spyrex. The unifying feature is that they all use SMTP (email) for data exfiltration. Email is to social networking as snail mail is to email; it is outdated and often overlooked, so it can be a more stealthy way of data theft.”

Navaraj’s blog post on the campaign speculates that the data collection being performed may be one part of a much larger attack, as the potential for analyzing and correlating the stolen data to mount highly targeted, damaging attacks is high.

Among the interesting tidbits in Cyphort’s research is that the criminals behind this operation seem to use passive phishing as a means to target new victims. Some of the phishing emails use generic subject lines, such as “Purchase Order” or “Payment Slip”, adding credence to the notion that those behind this campaign are not all that selective about whom they’re victimizing.

When it comes to storing the stolen credentials, the most popular storage medium is Gmail. Google’s services have been used to store more than 300,000 stolen credentials since 2009.

“Gmail seems to be the most popular email server used by the criminals to ‘park’ the victim data in recent times,” Navaraj explained. “The reason for the larger number of samples using Gmail is probably (or likely) due to the popularity of Gmail and because most security products somehow ‘whitelist’ Google/Gmail traffic/activity, making it easy to hide this email in the volume of emails sent out to Gmail.”

In addition to using email as a means to hide the exfiltration, some of the malware samples in this campaign targeted security processes and attempted to shut them down if detected. Among the tools targeted were Kaspersky’s antivirus, NOD32, Normal, BitDefender, Malwarebytes, Anubis, and Wireshark.
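As an added illustration of how a defender might surface the SMTP-only exfiltration described above (example code written for this page, not from Cyphort’s research or the article): it scans Sysmon-style network-connection records, constructed here as sample data, for SMTP sessions started by anything other than an allow-listed mail client, and raises the score when the process runs from a user-writable directory, which is where a keylogger dropped by a phishing attachment usually lives. The allow-list and path markers are assumptions a site would tune.

```python
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}
# Assumption: site-specific allow-list of processes expected to speak SMTP.
ALLOWED_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
# Directories a keylogger dropped by a phishing attachment typically runs from.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\")

# Constructed sample records in a Sysmon-style "network connection" shape; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws-17", "image": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
     "dst": "smtp.office365.com", "dport": 587},
    {"host": "ws-17", "image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "dst": "smtp.gmail.com", "dport": 587},
    {"host": "ws-42", "image": r"C:\Users\bob\AppData\Local\Temp\invoice.exe",
     "dst": "smtp.gmail.com", "dport": 465},
    {"host": "ws-42", "image": r"C:\Users\bob\AppData\Local\Temp\invoice.exe",
     "dst": "smtp.gmail.com", "dport": 465},
    {"host": "ws-09", "image": r"C:\Windows\System32\svchost.exe",
     "dst": "update.example.net", "dport": 443},
]


def basename_lower(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_suspicious_smtp(events, allowed=ALLOWED_MAIL_CLIENTS):
    """Group SMTP sessions by (host, image), skipping known mail clients.

    Returns {(host, image): {"sessions": n, "destinations": {...}, "score": s}};
    score is 1 for any non-client SMTP and 2 if the image also lives in a
    user-writable directory (the usual home of a phishing-delivered keylogger).
    """
    hits = defaultdict(lambda: {"sessions": 0, "destinations": set(), "score": 1})
    for ev in events:
        if ev["dport"] not in SMTP_PORTS or basename_lower(ev["image"]) in allowed:
            continue
        rec = hits[(ev["host"], ev["image"])]
        rec["sessions"] += 1
        rec["destinations"].add(f'{ev["dst"]}:{ev["dport"]}')
        if any(m in ev["image"].lower() for m in USER_WRITABLE_MARKERS):
            rec["score"] = 2
    return dict(hits)


if __name__ == "__main__":
    for (host, image), rec in sorted(find_suspicious_smtp(SAMPLE_EVENTS).items()):
        print(f"{host}: {image} -> {sorted(rec['destinations'])} "
              f"({rec['sessions']} sessions, score {rec['score']})")
```

Run against real Sysmon Event ID 3 or EDR connection telemetry, the same logic catches the “hide in whitelisted Gmail traffic” pattern because it keys on the originating process rather than the destination.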