Crouching Yeti, Hidden Dragon: New Threat Steals Data

Credit: Gbreezy/Shutterstock

Moscow-based Kaspersky Lab has added to what's known about a previously detected malware campaign that has been stealing sensitive data from major manufacturing, industrial, pharmaceutical, construction and IT companies in the United States, Spain, Germany, Poland, France, Japan, Italy, Turkey, Ireland and China.

Dubbed Crouching Yeti by Kaspersky, the campaign has been going on since at least 2010. It's not clear who is behind Crouching Yeti, or what its operators intend to do with the information gleaned from the campaign.

Aspects of Crouching Yeti were originally identified earlier this year by American security companies CrowdStrike, which named it Energetic Bear, and Symantec, which called it Dragonfly. Both noted that Western energy companies seemed to be the primary targets. Finnish security firm F-Secure called the campaign Havex, after malware the campaign used to attack industrial control systems (and about which the Department of Homeland Security issued an alert).

"Victims are not limited to the energy sector, but to many other ones," wrote Kaspersky's Global Research and Analysis Team (GReAT) in a blog posting today (July 31). "The Bear tag reflects CrowdStrike's belief that this campaign has a Russian origin. We couldn't confirm this point, so we decided to give it a new name. Yetis have something in common with Bears, but have a mysterious origin :)."

"There simply is no one piece or set of data that would lead to the conclusion that the threat actor is Bear, Kitten, Panda, Salmon, or otherwise," Kaspersky wrote in its official report.

Crouching Yeti uses several different types of Trojans that infect Windows machines by three different methods: spearphishing, in which specially crafted emails carrying malicious PDF attachments are sent to employees of targeted companies; fake software installers; and watering-hole attacks, in which Crouching Yeti's operators plant browser exploit kits (packages of exploits that probe a visitor's browser and plug-ins for known flaws and silently install malware) on websites their targets are likely to visit.

The operators also use a sneaky trick to hide the Crouching Yeti campaign's infrastructure. Most malware that sends and receives data over the Internet "talks" to its operators via command-and-control servers hosted and maintained by the criminals or spies who distribute the malware. Through these servers, the operators receive stolen information and send the malware new commands.

Crouching Yeti doesn't host its own command-and-control servers, however. Much as a cuckoo lays its eggs in other birds' nests, the campaign hacks into legitimate websites and runs its command-and-control operations from those compromised servers, so the infected machines' traffic goes to established, ordinary-looking sites rather than to infrastructure registered by the attackers. Half those servers were in the United States; others were in Russia, Britain and Germany.

Other than that, the campaign isn't particularly sophisticated, Kaspersky found. None of the exploits used in the attacks are zero-days: they all target known flaws for which patches already exist, which the targeted organizations (or the Web tools running on the compromised sites) simply hadn't gotten around to applying.

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr and on Google+.

  • DalaiLame
    You don't need Snowden to tell you who is the recalcitrant offender.
  • Alec Mowat
    Not sure how much we can trust a Moscow-based software security company any more.