June 02, 2015
A blog post published by Kaspersky on May 28, 2015 says that “Grabit” was able to steal about 10,000 files from small and medium-sized organizations based mostly in Thailand, India and the US. The list of targeted sectors includes chemicals, nanotechnology, education, agriculture, media, construction and more.
Other countries affected are the UAE, Germany, Israel, Canada, France, Austria, Sri Lanka, Chile and Belgium.
On the one hand, the Grabit threat actor does not go the extra mile to hide its activity: some malicious samples used the same hosting server, and even the same credentials, undermining its own security. On the other hand, the attackers use strong mitigation techniques to keep their code hidden from analysts’ eyes. This leads Kaspersky Lab to believe that behind the sniffing operation is an erratic group, with some members more technical and focused on being untraceable than others. Expert analysis suggests that whoever programmed the malware did not write all the code from scratch.
To protect against Grabit, Kaspersky Lab recommends following these rules:
- Check the folder C:\Users\<username>\AppData\Roaming\Microsoft: if it contains executable files, you might be infected with the malware. This is a warning you should not ignore.
- The Windows system configuration should not contain a grabit1.exe entry in the startup list. Run “msconfig” and ensure the startup list is free of grabit1.exe records.
- Don’t open attachments and links from people you don’t know. If you can’t open one, don’t forward it to others; ask an IT administrator for support.
- Use an advanced, up-to-date anti-malware solution, and always check the AV task list for suspicious processes.
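A PowerShell triage script for the first two checks above (executables under Roaming\Microsoft and a grabit1.exe startup entry), added here as an example and not part of the Kaspersky post. It assumes that the startup list msconfig shows corresponds to the Run/RunOnce registry keys and Startup folders it scans, and that it is run from an elevated prompt so every profile is readable.

```powershell
# Added triage script (not from the Kaspersky post). Checks the host indicators
# the advice above names: executables under each user's AppData\Roaming\Microsoft
# folder, and a grabit1.exe autostart entry. Assumption: msconfig's startup list
# maps to the Run/RunOnce keys and Startup folders below. Run elevated.
$findings = @()

# 1. Executable files under C:\Users\<user>\AppData\Roaming\Microsoft for every profile.
#    Legitimate software rarely drops .exe files here, so review every hit.
foreach ($profile in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $dir = Join-Path $profile.FullName 'AppData\Roaming\Microsoft'
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem $dir -Recurse -File -Include *.exe,*.scr,*.com -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings += [pscustomobject]@{ Kind = 'RoamingExecutable'; Location = $_.FullName;
                                            Detail = "$($_.Length) bytes, modified $($_.LastWriteTime)" }
        }
}

# 2. grabit1.exe in the autostart registry keys. HKCU covers only the current user;
#    other users' autostarts are covered by the Startup folder check below.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        if ("$($p.Value)" -match 'grabit1\.exe') {
            $findings += [pscustomobject]@{ Kind = 'StartupRegistry'; Location = "$key\$($p.Name)"; Detail = $p.Value }
        }
    }
}

# 3. A file named grabit1* in the all-users and per-user Startup folders.
$startupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
$startupDirs += Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem $dir -File -ErrorAction SilentlyContinue | Where-Object { $_.Name -match '^grabit1' } |
        ForEach-Object { $findings += [pscustomobject]@{ Kind = 'StartupFolder'; Location = $_.FullName; Detail = $_.LastWriteTime } }
}

if ($findings.Count -eq 0) { Write-Host 'No Grabit indicators found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

A hit in the RoamingExecutable category is not proof of infection on its own; submit the file to your AV vendor or compare its hash against a known-good inventory before removing it.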
Kaspersky Lab products detect all known Grabit samples and protect their users against the threat.
To learn more about the Grabit operation, please read the blog post available at https://securelist.com/blog/research/70087/grabit-and-the-rats/