Kaspersky researcher Ido Noar says attackers have hit hundreds of small and medium businesses, stealing credentials and documents in a noisy smash-and-grab campaign.
Noar says criminals have stolen some 10,000 documents from nanotechnology, education, and media outfits in an attack that foists a newly-discovered strain of malware called "Grabit".
"Our documentation points to a campaign that started somewhere in late February 2015 and ended in mid-March," Noar says in a notice.
"As the development phase supposedly ended, malware started spreading from India, the United States and Israel to other countries around the globe.
"Grabit threat actors did not use any sophisticated evasions or manoeuvres in their dynamic activity."
Attackers did not commit much effort to conceal their command and control servers, nor hide from the local system. Noar discovered the locations of the servers by simply opening the malicious Grabit phishing document file in an editor.
"During our research, dynamic analysis showed that the malicious software’s 'call home' functionality communicates over obvious channels and does not go the extra mile to hide its activity. In addition, the files themselves were not programmed to make any kind of registry manoeuvres that would hide them from Windows Explorer," he says.
The criminals could choose their favourite remote access trojan including DarkComet and the less complex HawkEye keylogger.
Grabit should serve as a wake up call to admins in charge of protecting small businesses that coordinated attack campaigns are not confined to large enterprises and high-profile organisations. ®