Crouching Yeti, Hidden Dragon: New Threat Steals Data

Credit: Gbreezy/Shutterstock

Moscow-based Kaspersky Lab has added to what's known about a previously detected malware campaign that has been stealing sensitive data from major manufacturing, industrial, pharmaceutical, construction and IT companies in the United States, Spain, Germany, Poland, France, Japan, Italy, Turkey, Ireland and China.

Dubbed Crouching Yeti by Kaspersky, the campaign has been going on since at least 2010. It's not clear who is behind Crouching Yeti, or what its operators intend to do with the information gleaned from the campaign.


Aspects of Crouching Yeti were originally identified earlier this year by American security companies CrowdStrike, which named it Energetic Bear, and Symantec, which called it Dragonfly. Both noted that Western energy companies seemed to be the primary targets. Finnish security firm F-Secure called the campaign Havex, after malware the campaign used to attack industrial control systems (and about which the Department of Homeland Security issued an alert).

"Victims are not limited to the energy sector, but to many other ones," wrote Kaspersky's Global Research and Analysis Team (GReAT) in a blog posting today (July 31). "The Bear tag reflects CrowdStrike's belief that this campaign has a Russian origin. We couldn't confirm this point, so we decided to give it a new name. Yetis have something in common with Bears, but have a mysterious origin :)."

"There simply is no one piece or set of data that would lead to the conclusion that the threat actor is Bear, Kitten, Panda, Salmon, or otherwise," Kaspersky wrote in its official report.

Crouching Yeti uses several different types of Trojans that infect Windows machines by three different methods: spearphishing, or sending specially crafted emails with malicious PDF attachments to employees of targeted companies; fake software installers; and watering-hole attacks, in which Crouching Yeti's operators inject browser exploit kits (rapid-fire malware installers) into websites their targets are likely to visit.

The operators also use a sneaky trick to hide the Crouching Yeti campaign. Most malware that sends and receives data over the Internet "talks" to its operators via command-and-control servers hosted and maintained by the criminals or spies who distribute the malware. From these servers, the operators can receive stolen information and send the malware new commands.

Crouching Yeti doesn't host its own command-and-control servers, however. Much as a mockingbird lays eggs in other birds' nests, the campaign hacks into legitimate websites and installs its command-and-control operations on those servers. Half those servers were in the United States; others were in Russia, Britain and Germany.

Other than that, the campaign isn't particularly sophisticated, Kaspersky found. None of the exploits used in the attacks are zero-days, meaning they're all known flaws that the targeted organizations or Web tools simply haven't gotten around to patching.

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games.

  • DalaiLame
    You don't need Snowden to tell you who is the recalcitrant offender.
    Reply
  • Alec Mowat
    Not sure how much we can trust a Moscow based software security company any more.
    Reply