In my last blog of May 12th, I discussed the need for SMBs to invest in cyber security. Recent news has yet again shown that, whatever the size of your business, you are not immune to cyber-attack: Kaspersky Lab has discovered a new business-oriented spying campaign targeting small and medium-sized businesses based mainly in Thailand, India and the U.S. Other countries affected are France, Austria, Canada, Germany, UAE, Sri Lanka, Belgium, Chile and Israel. The affected sectors include chemical, nanotechnology, education, agriculture, media, construction and more.
According to Kaspersky Lab researchers, the newly discovered Grabit malware spying campaign began in late February 2015 and has stolen about 10,000 files from SMBs. This kind of attack is unusual: most spying campaigns target enterprises, government organizations and high-profile entities, and rarely small and medium-sized businesses. Grabit shows that cyber-criminals will target an organization of any size, regardless of its revenue, information or political influence.
Grabit is distributed when an employee at an SMB receives a phishing email containing a malicious attachment disguised as a Microsoft Word (.doc) file. Once the user opens the attachment, the malware is delivered to the user's machine from a legitimate remote server that has been compromised and used to host it. The Grabit malware is based on the infamous commercial HawkEye keylogger kit used in cyber spying. The payload delivered to the victim's machine also includes several remote administration tools (RATs), which can potentially control the machine remotely and steal files.
Kaspersky suggests that SMBs use advanced, up-to-date antivirus solutions on their machines and keep all other software patched to stay protected. Kaspersky also gives a few ways to check for Grabit: make sure no grabit.exe entries are present in the Windows System Configuration (startup entries), and if executable files are present in C:\Users\<PC-NAME>\AppData\Roaming\Microsoft, this could be an indication that your machine is infected.
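The two checks above, written up as an added PowerShell triage script; this is not code from the original post or from Kaspersky, and it assumes a Windows host with PowerShell 5 or later, run as the user whose profile is being examined. It reads the startup locations that the System Configuration utility (msconfig) lists (the Run/RunOnce registry keys and the Startup folders) for an entry naming grabit.exe, then lists every executable under %APPDATA%\Microsoft with its size, Authenticode status and SHA-256 so the result can be compared against your own antivirus verdicts or threat intelligence. The post gives no file hash for Grabit, so the script makes no claim about what a "bad" hash looks like; the file name and folder are the only indicators it applies, and an unsigned executable in that folder is a lead to investigate, not proof of infection.

```powershell
# Added triage example (not from the original post or Kaspersky). Read-only:
# it reports findings and changes nothing on the host.
function Find-GrabitIndicators {
    [CmdletBinding()]
    param(
        # Indicator name taken from the post; assumed to be the only name checked.
        [string]$SuspectName = 'grabit.exe'
    )

    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Startup entries shown by msconfig: per-user and machine-wide Run/RunOnce keys.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those members.
            if ($p.Name -like 'PS*') { continue }
            if ("$($p.Value)" -match [regex]::Escape($SuspectName)) {
                $findings.Add([pscustomobject]@{
                    Check    = 'Run key'
                    Location = $key
                    Name     = $p.Name
                    Detail   = $p.Value
                })
            }
        }
    }

    # 1b. Startup folders (also part of what msconfig enumerates).
    $startupFolders = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    foreach ($folder in $startupFolders) {
        if (-not (Test-Path $folder)) { continue }
        Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -ieq $SuspectName } |
            ForEach-Object {
                $findings.Add([pscustomobject]@{
                    Check    = 'Startup folder'
                    Location = $folder
                    Name     = $_.Name
                    Detail   = $_.FullName
                })
            }
    }

    # 2. Executables under C:\Users\<PC-NAME>\AppData\Roaming\Microsoft (%APPDATA%\Microsoft).
    #    Legitimate software can drop files here too, so each hit is recorded with
    #    signature status and hash for follow-up rather than flagged as malicious outright.
    $roamingMs = Join-Path $env:APPDATA 'Microsoft'
    if (Test-Path $roamingMs) {
        Get-ChildItem -Path $roamingMs -Recurse -File -Filter '*.exe' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
                $hash = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
                $findings.Add([pscustomobject]@{
                    Check    = 'Roaming exe'
                    Location = $_.FullName
                    Name     = $_.Name
                    Detail   = "size=$($_.Length) signature=$($sig.Status) sha256=$hash"
                })
            }
    }

    return $findings
}

# Usage: print a table of findings; an empty result means neither check fired.
$results = Find-GrabitIndicators
if ($results.Count -eq 0) {
    Write-Host "No grabit.exe startup entries and no executables under $env:APPDATA\Microsoft."
} else {
    $results | Format-Table -AutoSize -Wrap
}
```

Run it in an elevated session if you also want the HKLM keys read reliably; the per-user keys and %APPDATA% need no elevation. Any hit in the first check, or an unsigned executable in the second, should be handed to your antivirus vendor or incident-response contact rather than deleted by hand, since the file is evidence of how the machine was reached.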