{
	"id": "9ed198c7-1c97-49c6-8e26-8d1f58d5a7ec",
	"created_at": "2026-04-06T00:08:40.689221Z",
	"updated_at": "2026-04-10T03:20:29.066857Z",
	"deleted_at": null,
	"sha1_hash": "d29dbe0167d521e38f5a94279908a7e9449951ed",
	"title": "EyePyramid: An Archaeological Journey",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3296190,
	"plain_text": "EyePyramid: An Archaeological Journey\r\nBy Paul Rascagneres\r\nPublished: 2017-01-30 · Archived: 2026-04-05 18:20:25 UTC\r\nMonday, January 30, 2017 14:40\r\nThis post authored by Mariano Graziano and Paul Rascagneres\r\nSummary\r\nThe last few days a malware sample named EyePyramid has received considerable attention,\r\nespecially in Italy. The Italian police have arrested two suspects and also published a preliminary\r\nreport of the investigation. This malware is notable due to the targeting of Italian celebrities and\r\npoliticians.\r\nWe conducted our analysis on one of the first public samples attributed to EyePyramid. Sources in the security\r\ncommunity have described this malware campaign as unsophisticated, and the malware samples involved as\r\nuninteresting. However Talos was intrigued to determine just how EyePyramid managed to stay hidden under-the-radar for years.\r\nPreliminary Analysis\r\nThe sample is written in .Net and it is heavily obfuscated. Although at first sight we can also extract some\r\ninteresting strings which are useful for possible ClamAV or Yara signatures. The author paid attention to hide the\r\ncore functionalities by using either known .Net obfuscators or cryptography to hide crucial information such as\r\nURLs, email addresses and credentials.\r\nGenerally speaking, reversing .Net applications is not a difficult task because it is possible to decompile the\r\nbinary. There are many tools do it such as ILSpy, dotPeek, etc. We first tried decompiling the sample with ILSpy\r\nbut the obfuscation was heavy and all over the place. As a result the ILSpy output was not very useful and we had\r\nproblems identifying the entry point of the application. The sample cannot be debugged, and it does not run inside\r\nvirtual machines due to several and sometimes trivial (but effective) anti-debugging and anti-vm checks.\r\nDissection\r\nTo effectively analyze EyePyramid we needed to defeat the obfuscation. 
We first tried to use de4dot for the deobfuscation, and it detected two different known obfuscators, namely 'Dotfuscator' and 'Skater .NET'. From this point on, we refer to a 'cleaner' version of the sample. Keep in mind, however, that the malware is still obfuscated and the decompiler still fails for some routines.\r\nThe sample starts with some initialization code for the license keys and the certificates. Then, there is some code to achieve persistence using the CurrentVersion\\Run and CurrentVersion\\RunOnce registry keys. Moreover, there are checks to ensure the malware has Administrator privileges, and for the system uptime via a Windows Management Instrumentation (WMI) query to LastBootUpTime.\r\nhttp://blog.talosintel.com/2017/01/Eye-Pyramid.html\r\nPage 1 of 11\r\nRegarding the persistence, we can observe the operation in which the registry key is set below:\r\nThe next step is to check and 'fix' the security descriptors of many folders via 'cacls.exe'. Specifically, this code is interested in the Windows Firewall and a long list of possible antivirus software (among them also 'ClamAV for Windows'). To find these programs the malware looks in typical locations such as ProgramFiles, ProgramFiles (x86), etc. You can see from the picture below 'cacls.exe' and part of the security products list:\r\nIn the next picture we can see how the malware creates an exception rule for itself, adding several new entries to the firewall policy ruleset:\r\nThe program also spawns threads and executes commands and executables (e.g., via ProcessStart or InteractionShell functions). For instance, it writes a registry file named 'default.reg' and imports it into the registry by directly invoking the regedit command. 
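Since the agent pushes its settings into the registry through regedit, an analyst who recovers such a file wants to read it without importing it. The following Go program is an added example, not code from the Talos post or from the malware: a parser for the Windows Registry Editor 5.00 syntax that regedit imports, which lists autostart entries under Run/RunOnce, an EnableLUA value of 0 (UAC disabled) and entries of the Explorer DisallowRun blocklist, the settings the post attributes to this agent. The sample .reg text is constructed for the example (the post does not show the real 'default.reg'); its value names and paths are hypothetical, and the parser expects the file already decoded to UTF-8, since regedit exports are UTF-16LE with a BOM.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Finding is one registry value worth a second look in a recovered .reg file.
type Finding struct {
	Key, Name, Value, Reason string
}

// constructedReg is a made-up sample in Windows Registry Editor 5.00 syntax.
// Value names and paths are hypothetical, not the agent's real default.reg.
const constructedReg = `Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Users\\Public\\ghk.exe -w"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorAdmin"=dword:00000005

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="avastui.exe"
`

// unquote strips the surrounding quotes and undoes the .reg escapes \" and \\.
func unquote(s string) string {
	s = strings.TrimSuffix(strings.TrimPrefix(s, `"`), `"`)
	s = strings.ReplaceAll(s, `\"`, `"`)
	return strings.ReplaceAll(s, `\\`, `\`)
}

// parseValue decodes the right-hand side of a .reg assignment into printable form.
// Quoted strings are unescaped, dword values become decimal, anything else
// (hex:, hex(2): ...) is returned untouched.
func parseValue(raw string) string {
	switch {
	case strings.HasPrefix(raw, `"`):
		return unquote(raw)
	case strings.HasPrefix(raw, "dword:"):
		n, err := strconv.ParseUint(strings.TrimPrefix(raw, "dword:"), 16, 32)
		if err != nil {
			return raw
		}
		return strconv.FormatUint(n, 10)
	default:
		return raw
	}
}

// AuditReg walks a .reg export and flags autostart entries, a disabled UAC
// and DisallowRun blocklist entries.
func AuditReg(reg string) []Finding {
	var out []Finding
	key := ""
	sc := bufio.NewScanner(strings.NewReader(reg))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "Windows Registry Editor") {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			key = line[1 : len(line)-1] // a [HKEY_...\path] header opens a new key
			continue
		}
		// Value lines look like "Name"=<data>, or @=<data> for the default value.
		eq := strings.Index(line, "=")
		if eq < 0 {
			continue
		}
		name, val := line[:eq], parseValue(line[eq+1:])
		if name == "@" {
			name = "(Default)"
		} else {
			name = unquote(name)
		}
		lower := strings.ToLower(key)
		switch {
		case strings.HasSuffix(lower, `\currentversion\run`), strings.HasSuffix(lower, `\currentversion\runonce`):
			out = append(out, Finding{key, name, val, "autostart entry"})
		case strings.HasSuffix(lower, `\policies\system`) && strings.EqualFold(name, "EnableLUA") && val == "0":
			out = append(out, Finding{key, name, val, "UAC disabled"})
		case strings.HasSuffix(lower, `\policies\explorer\disallowrun`):
			out = append(out, Finding{key, name, val, "program blocked via DisallowRun"})
		}
	}
	return out
}

func main() {
	for _, f := range AuditReg(constructedReg) {
		fmt.Printf("%-32s %s\\%s = %s\n", f.Reason, f.Key, f.Name, f.Value)
	}
}
```

The same walk extends naturally to other keys worth flagging on a host touched by this agent, for instance the firewall policy rules and the Image File Execution Options keys; the three cases above are the ones the post documents.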
Regarding executables, 'ghk.exe' and 'stkr.exe' are executed, as well as other resources downloaded from the web.\r\nAnother interesting spawned thread is the one that checks User Account Control (UAC) via the registry value 'EnableLUA' and disables it through the control panel. UAC is an additional layer of security introduced by Microsoft in Windows Vista to notify users about changes to the computer. For this and other changes to take effect the system needs a reboot, and that is the goal of the function containing the 'shutdown' command. See below:\r\nIt is also worth mentioning the programs added to 'DisallowRun', where we noticed a particular interest in Avast antivirus. This key contains a list of applications that cannot run on the system.\r\nWhen programs are executed by the agent, they are often launched with a command line parameter ('-w').\r\nGenerally speaking, this sample really pays attention to disabling all possible security software and security checks. Additionally, it creates rules to make its execution smoother whenever possible.\r\nEncryption\r\nAs we already said, the sample is still obfuscated and it makes massive use of cryptography. As reported by other sources, the strings are encrypted with 3DES. Here we report how the key is generated and the overall structure of the encryption phase. The key is an array of 16 booleans, all initially set to false. The key is initialized in the steps listed in the table below. The result of every step is a boolean value (true/false).\r\n(*) These checks are more complex. 
Please refer to the decompiled version of the binary for a more exhaustive description.\r\nAs a consequence, the key depends on the environment in which the sample is run. This sample was configured to run in three different environments. In order to allow this, the decryption function is called with three string arguments, which correspond to the same string encrypted with three different keys (one for each possible environment). The function first tries to decrypt the first string with the 16-element environment key with checks 14 and 15 forced to false. If this decryption does not return a valid string, it tries to decrypt the second string with the same key, and finally, if this does not work either, it tries to decrypt the last string with the whole 16-element key, including the last two checks.\r\nThe encryption is performed according to the pseudocode below:\r\narray = init_key()\r\nsarray = serializekey(array)\r\nkey = md5(sarray)\r\niv = sha256(sarray)\r\n3des(data, key, iv)\r\nwhere init_key() is the result of checks 0 to 13 or 0 to 15. Given the low entropy of the possible keys (at most 2^14 or 2^16 candidates), we could brute force the encryption keys for the three different running environments. In all cases the decryption produced the same exact set of strings:\r\nThroughout the code, the checks are also used as anti-VM measures in combination with others.\r\nAmong the others, it is worth mentioning a check on the 'Totalsize' of the drive. If this is less than 46.5 GB and the operating system is Windows XP, this is not a valid environment. This is a clever way to detect sandbox environments, because they generally use a small hard drive and an old version of the Windows operating system.\r\nNetwork Behavior\r\nBy running the sample on a VM and sniffing the network traffic we noticed some requests to known websites. 
At first sight, these requests look like a way to check whether the connection is available, but in this case the goal is different, as you can see below:\r\nThe code randomly picks one domain and contacts it. Then it checks the response headers for the 'Date' field. This field is used to compute the difference from the current date and to check that the delta is less than 60 minutes.\r\nAnother interesting point is related to the way in which the domains are rotated. This is not a real domain generation algorithm (DGA), because the domains are not generated on the fly. This is simply how the agent gets the required information. It works in the following way:\r\nswitch((DateAndTime.Now.Month - 1) % 3):\r\n0: geturl[0]\r\n1: geturl[1]\r\n2: geturl[2]\r\nwhere geturl looks like:\r\ngeturl:\r\nreturn new string{\r\nway_0(),\r\nway_1(),\r\nway_2()}\r\nIn this image you can observe the behavior described above. Interestingly, the same approach is used for URLs and other critical information such as email addresses, passwords, etc. Throughout the code there are three different implementations, each fetching a different kind of information. We stress the point that the domains are not generated on the fly but are chosen from a list of candidates.\r\nExfiltration\r\nThe exfiltration is done mainly via email and partially via WebDAV and HTTP. Regarding emails, they are sent via the SMTP protocol and the data is exfiltrated as an attachment. The message is then uploaded to the IMAP server in a specific folder (\"inbox\" in the third picture). The protocol choice depends on a flag passed as a parameter to the function dealing with the email messages. These attachments can be either encrypted or in the clear. The encryption is once again based on 3DES. 
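The attachment encryption reuses the 3DES construction from the Encryption section above. The following Go program is an added example, not code from the Talos post or from the malware: it implements the key derivation from the post's pseudocode (md5 of the serialized checks as the 3DES key, sha256 as the IV) and the brute force over the 2^14 or 2^16 candidate keys. It assumes one byte per check for serializekey(), two-key 3DES in CBC mode with PKCS#7 padding, an IV taken from the first 8 bytes of the SHA-256 digest, and a printable-ASCII test as the 'valid string' check; the plaintext and environment key are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/md5"
	"crypto/sha256"
	"fmt"
)

// envChecks mirrors the agent's key: 16 booleans, one per environment check.
type envChecks [16]bool

// serialize turns the flags into bytes; one byte per flag is an assumption,
// the post does not show the real serializekey().
func serialize(c envChecks) []byte {
	out := make([]byte, len(c))
	for i, b := range c {
		if b {
			out[i] = 1
		}
	}
	return out
}

// deriveKeyIV follows the pseudocode: key = md5(sarray), iv = sha256(sarray).
// MD5 yields a 16-byte two-key 3DES key (K1,K2), which Go wants as K1|K2|K1; a
// DES IV is 8 bytes, so the SHA-256 digest is truncated (an assumption here).
func deriveKeyIV(c envChecks) (key, iv []byte) {
	s := serialize(c)
	k := md5.Sum(s)
	h := sha256.Sum256(s)
	return append(append([]byte{}, k[:]...), k[:8]...), h[:8]
}

// encrypt3DES (CBC, PKCS#7) exists only to build a constructed ciphertext.
func encrypt3DES(plain []byte, c envChecks) []byte {
	key, iv := deriveKeyIV(c)
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		panic(err)
	}
	pad := des.BlockSize - len(plain)%des.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out
}

// decrypt3DES reports ok only if the PKCS#7 padding is intact and every byte
// is printable ASCII, standing in for the agent's "valid string" test (not
// shown in the post; this check is an assumption).
func decrypt3DES(ct []byte, c envChecks) (string, bool) {
	if len(ct) == 0 || len(ct)%des.BlockSize != 0 {
		return "", false
	}
	key, iv := deriveKeyIV(c)
	block, _ := des.NewTripleDESCipher(key) // key is always 24 bytes here
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ct)
	pad := int(out[len(out)-1])
	if pad < 1 || pad > des.BlockSize {
		return "", false
	}
	for i, b := range out {
		tail := i >= len(out)-pad
		if (tail && int(b) != pad) || (!tail && (b < 0x20 || b > 0x7e)) {
			return "", false
		}
	}
	return string(out[:len(out)-pad]), true
}

// checksFromMask maps an integer to the 16 flags: bit i is the result of check i.
func checksFromMask(mask int) envChecks {
	var c envChecks
	for i := range c {
		c[i] = (mask>>uint(i))&1 == 1
	}
	return c
}

// bruteForce enumerates every key over the first bits checks (14 for the two
// short-key environments, 16 for the full key): at most 65536 candidates.
func bruteForce(ct []byte, bits int) (envChecks, string, bool) {
	for mask := 0; mask < 1<<uint(bits); mask++ {
		if msg, ok := decrypt3DES(ct, checksFromMask(mask)); ok {
			return checksFromMask(mask), msg, true
		}
	}
	return envChecks{}, "", false
}

func main() {
	// Constructed sample: a string encrypted under an arbitrary environment key.
	ct := encrypt3DES([]byte("smtp.example.invalid"), checksFromMask(0x2a5b))
	if _, msg, ok := bruteForce(ct, 16); ok {
		fmt.Printf("recovered %q after at most 65536 candidates\n", msg)
	}
}
```

With bits=14 the search mirrors the first two environments (checks 14 and 15 forced to false); with bits=16 it covers the third. On real samples the cost is dominated by the validity test rather than by 3DES, so tighten that test (for example, require the decrypted string to parse as a URL or an email address) before trusting a hit, since a loose check can accept garbage from a wrong key.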
For instance, this is part of the code related to the SMTP protocol; the second image contains IMAP servers, while the third picture contains IMAP code:\r\nWebDAV support is present in the code and it is used for uploading data and fetching files. We also decrypted the WebDAV credentials used during this operation. The code invokes different WebDAV methods. In the picture below we can observe the code for 'SEARCH':\r\nThe sample interacts with Command and Control servers and can download additional files. This C\u0026C communication is authenticated with a username and password. After authentication, the agent downloads the resource and writes it to disk in encrypted form. Next, the file is read and decrypted, with the decryption key being used as the temporary filename. Finally, the file is deleted.\r\nIt is also interesting how the sample retrieves the IP address of 'libero.it', a well-known Italian web portal:\r\nAs you can see from the snippets of code above, the IP address is extracted directly from the cookie. This IP is added to a list of possible IP addresses to use, and it is also used to generate an index later to pick a value from an array. The purpose of obtaining this IP is not completely clear from analyzing the code. Unfortunately some of the functions involved do not have any references, so it appears as if they are never invoked.\r\nOther Supports\r\nAdditionally, the code also has support for Active Directory and LDAP. The code concerning Active Directory lists the administrative members of the domains and checks if the current user is in this list. 
Another method adds the current user to the domain administrators.\r\nRegarding LDAP, the code is not referenced by any function and is probably used in more recent versions of this agent; logically, however, it is similar to the Active Directory one.\r\nDuring our analysis we isolated another sample which was not publicly related to this campaign. This sample and possibly one other are on 'malwr.com'. Unfortunately, at the time of publication malwr.com is down for maintenance and Google did not cache either of the two analyses. See: https://www.google.com/search?q=%22uaccheckbox%22\r\nConclusion\r\nAlthough it is true the authors made some trivial mistakes, throughout this post we have observed efforts to conceal the vital information of this operation, and an agent able to subvert the entire security of the operating system. Additionally, although this sample is not stealthy in all the operations it performs, it has been undetected for years and is reported to have exfiltrated vast amounts of data. 
In this post, Talos dissected some interesting parts of this agent and provided detailed information on how it bypasses dynamic analysis environments and disarms the security of the operating system.\r\nThe authors would like to thank the research community for sharing the hashes, and 'hackbunny' for the support and information sharing.\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.\r\nCWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nThe Network Security protection of IPS and NGFW have up-to-date signatures to detect malicious network activity by threat actors.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella prevents DNS resolution of the domains associated with malicious activity.\r\nReferences\r\nhttp://www.tribupress.it/_/wp-content/uploads/2017/01/ORDINANZA-DI-CUSTODIA-CAUTELARE-OCCHIONERO.pdf\r\nhttps://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/\r\nSource: http://blog.talosintel.com/2017/01/Eye-Pyramid.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://blog.talosintel.com/2017/01/Eye-Pyramid.html"
	],
	"report_names": [
		"Eye-Pyramid.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434120,
	"ts_updated_at": 1775791229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d29dbe0167d521e38f5a94279908a7e9449951ed.pdf",
		"text": "https://archive.orkl.eu/d29dbe0167d521e38f5a94279908a7e9449951ed.txt",
		"img": "https://archive.orkl.eu/d29dbe0167d521e38f5a94279908a7e9449951ed.jpg"
	}
}