It seems that when it comes to cybercrime, ill-minded actors in the Middle East have a particular taste for espionage. Some prefer to target Android devices, as in the campaigns of the Two-Tailed Scorpion hacking group, which has ties to the terrorist organization Hamas. Others take the more well-trodden path of malware targeting PCs. This is the case with the operations involving the MICROPSIA and KASPERAGENT families.
KASPERAGENT doubles as a Trojan downloader and a tool meant to collect general system information: OS version, running services, username, network configuration, etc. It is written in C++.
Hundreds of Variants
The KASPERAGENT Trojan appears to be a very popular hacking tool in the Middle East. Cybersecurity researchers have detected over a hundred different samples of this threat. It seems that some of the cybercriminals using it did not modify the original tool much and used it only in campaigns that gather basic information about the host's system and configuration. However, other cyber crooks have added new features to the KASPERAGENT Trojan, enabling it to collect sensitive data like usernames and passwords, log keystrokes and execute various commands.
Most of the actors distributing the KASPERAGENT Trojan have opted for the tried and tested method of phishing emails. Others have tried to propagate this Trojan by hosting infected, fraudulent applications on a Web page they have set up.
Once KASPERAGENT infects a system, it wastes no time and immediately gains persistence by modifying the Windows Registry. Usually, the KASPERAGENT Trojan lies low until the attackers send a command. More often than not, the KASPERAGENT threat serves as a first-stage payload: the attackers tend to use it as a backdoor through which they can infect the system with additional, more threatening malware.
The cybercriminals who created the enhanced variants of the KASPERAGENT Trojan enabled them to:
- Take screenshots of the desktop.
- Serve as a keylogger.
- Collect login credentials from Mozilla Firefox and Google Chrome.
- Browse and detect potentially sensitive data on storage devices.
- Execute remote commands.
A downloadable sample of the KASPERAGENT Trojan was discovered on one of the domains known to be part of the server infrastructure of MICROPSIA, another notable piece of malware. It is likely that both of these hacking tools are being used by the same group operating in the Middle East. To stay safe from the KASPERAGENT Trojan and similar threats, make sure not only to obtain a reputable anti-malware tool but also to update it regularly.