Two Italians referred to as the “Occhionero brothers” have been arrested and accused of using malware, codenamed "EyePyramid", and a carefully-prepared spear-phishing scheme to spy on high-profile politicians and businessmen.

We have analyzed nearly 250 EyePyramid malware samples. On the one hand, it is certain that the original source code has gone through only very mild modifications (e.g., not all variants are able to exfiltrate Skype conversations, C&C and dropzones, compiler version, and protection mechanisms). On the other hand, the computer(s) used to build the various versions over the years seem to be in line with the evolution of Microsoft developer tools (based on the progression of the compiler version) and software-protection tools (as seen on the recent substitution of Skater + Dotfuscator with the more powerful ConfuserEx). This indicates that the final actors producing the malware executable files were "tech savvy."

Apart from this, the origins of EyePyramid’s malware and its attribution remain a mystery. While the license key registered to Giulio Occhionero’s name can be considered as strong evidence, it is unclear why a malware author would bother using (simple yet not so trivial) mechanisms to cover their traces (e.g., obfuscation, packing, encryption, disabling security tools), and then mistakenly embed the license key under his name in all of the main variants. Moreover, an analysis of the domain-to-IP historical data of the domain names listed in the court order reveals domains named “occhionero.com” and “occhionero.info,” which is again another oddity.

Photos