Experts from Cyphort Labs have discovered an extensive data theft campaign named Nighthunter that has been active since 2009 stealing victim’s credentials.

Security experts at Cyphort firm have recently uncovered a five-year-old attack campaign dubbed NightHunter arranged to steal user credentials for DropboxFacebook, and other web services. The malicious campaign is cross sector, every industry has been targeted without distinction, the experts haven’t noticed any targeted attack in the criminal operation.

“Campaign is amassing login credentials of users. At this point it does not seem likely that they are targeting specific organization or industries. We have seen threat activity across several verticals including energy, education, insurance and even charities. Targeted applications include Google, Yahoo, Facebook, Dropbox and Skype.” is explained in a blog post published by Cyphort.

Users’ credentials for principal web services including social networks, cloud storage and email service providers are precious commodities on the underground, security experts are aware of numerous cyber attacks which are conducted to gather this information.

The motivation of the bad actors behind NightHunter campaign are not clear and also the nature of the attackers (e.g. cyber criminals or hacktivists), anyway credentials for principal web services could be used by attackers for numerous illegal activities, to arrange a spam campaign or to control a Botnet hiding settings in a DropBox folder.

n1

The NightHunter campaign uses SMTP email for syphon data as explained in the blog post:

“NightHunter uses SMTP (email) for data exfiltration instead of more common CnC mechanisms that use web protocols. This could be to simply “hide (and steal data) in the plain sight” as organizations beef up web anomaly detection for dealing with advanced attacks.”

The bad actors used several different keyloggers ( e.g. Predator Pain, Limitless, and Spyrex) to steal the victims credentials and send out them via SMTP, a tactic that allows the attackers to remain hidden for a long time.

“The NightHunter data theft campaign is believed to have been active since at least 2009, targeting energy firms, educational institutions, hospitals and charities and other enterprises.”

The researchers at Cyphort started the investigation on NightHunter when received a sample through a phishing email. The malware sample is a .net binary that steals victims’ credentials and sends them to a remote email server.

The attackers used phishing messaged with subject lines such as “Purchase Order” and “Inquiry”, the malicious mails are targeting credentials for Skype, Amazon, LinkedIn, Google, Yahoo, Hotmail, Rediff, and banks.

The experts examined many other samples also delivered with a similar mechanism, the actual number of  infected machines is at least 1,800 compromised PCs discovered by Cyphort, but it is likely that the majority of infected machine used by the attackers are either private or are not publicly accessible for this reason it is impossible for the company looking into the upload account.

“This attack is ongoing and we continue to monitor it,” “The attackers are very aggressive in their data-collection methodology, as well as the intervals of data exfiltration. Given the systematic nature of the actors behind this campaign, we are speculating that they are still in a ‘reconnaissance stage’ targeting credentials of high-level executives, but at this point it is impossible to speculate on their endgame with any degree of certainty.” said Cyphort co-founder Fengmin Gong.

Gong believes that bad actors who arranged the NightHunter campaign could improve their efficiency by using big-data techniques to mine the stolen credentials, allowing them to use stolen data also for targeted attacks.

NightHunter is considered one the most singular  campaigns discovered by the experts at Cyphort due to the complex data collection models it exhibits, the case is the evidence of the efficiency of phishing campaign.

Pierluigi Paganini

(Editor-In-Chief, CDM)

rsa-logo