The proprietary obfuscated string, methods and classes made it rather challenging to analyze. Looking at the chart, it is interesting to see the modus operandi as the threat actor consistently strives to achieve a variety of samples, different code sizes and supposedly more complicated obfuscation.Īlong with these different sizes, activities and obfuscation, a serious encryption algorithm was also implemented in each one of them. The smallest sample (0.52Mb) and the largest (1.57Mb) were both created on the same day, which could indicate experiments made by the group to test features, packers and “dead code” implementations. The following chart illustrates how the group or individual created the samples, the size of each sample, the time of the day when each was compiled and the time lapses between each compilation.
Files were compiled over the course of three days, between March 7th and 9th of 2015. As the development phase supposedly ended, malware started spreading from India, the United States and Israel to other countries around the globe.Īll of the dozens of samples we managed to collect were programmed in Windows machine 32bit processor, over the Microsoft. Our documentation points to a campaign that started somewhere in late February 2015 and ended in mid-March. The timestamp seems valid and close to the documented infection timeline. Every sample we found was different in size and activity from the others but the internal name and other identifiers were disturbingly similar. The malware calls itself Grabit and is distinctive because of its versatile behavior.
Grabit com software#
Not so long ago, Kaspersky clients in the United States approached Kaspersky researchers with a request to investigate a new type of malicious software that they were able to recover from their organizations’ servers.
0 kommentar(er)
