Eye Pyramid
⚠️ Overview
Eye Pyramid is a remote access trojan (RAT) first identified in June 2018 by Cisco Talos and attributed to the financially motivated threat group TA549 (also tracked as Water Lyra and Cobalt Ulster). Its delivery chain exploits CVE-2017-11882, a stack buffer overflow in the Microsoft Office Equation Editor component (EQNEDT32.EXE), to run its payload.
🔧 Technical Capabilities
Initial access comes from spear-phishing emails carrying malicious .docx attachments with embedded Equation Editor exploit objects. Once running, the RAT communicates with its command-and-control (C2) infrastructure over HTTP/HTTPS. Exfiltrated data is obfuscated with a hardcoded XOR key combined with a custom base64 variant, so a plain base64 decode of captured traffic yields garbage until the variant alphabet and the key have been recovered from a sample. Persistence is achieved through registry Run keys or scheduled tasks. The malware performs anti-debugging checks with NtQueryInformationProcess, enumerates local drives, steals credentials from browsers and FTP clients, and captures screenshots. It can also download and execute secondary payloads, including keyloggers and cryptocurrency miners.
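The encoding scheme described above, as an added example written for this page (it is not code from the malware or from Talos). The page does not publish the real alphabet, the XOR key, or the order in which the two layers are applied, so the substituted base64 alphabet, the three-byte key, and the XOR-then-base64 order are all assumptions chosen to illustrate the technique. The third function shows the analyst-side step the paragraph implies: recovering a short repeating XOR key from a beacon whose plaintext prefix is known.

```python
import base64

# Constructed values for this example: the page does not publish the family's
# real alphabet or key, so both are assumptions chosen to illustrate the
# technique, as is the XOR-then-base64 order.
STD_ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                "abcdefghijklmnopqrstuvwxyz0123456789+/")
CUSTOM_ALPHABET = ("ZYXWVUTSRQPONMLKJIHGFEDCBA"
                   "zyxwvutsrqponmlkjihgfedcba9876543210-_")
XOR_KEY = b"\x5a\xc3\x19"   # hypothetical hardcoded key

_TO_CUSTOM = str.maketrans(STD_ALPHABET, CUSTOM_ALPHABET)
_TO_STD = str.maketrans(CUSTOM_ALPHABET, STD_ALPHABET)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_exfil(plaintext: bytes, key: bytes = XOR_KEY) -> str:
    """Malware side: XOR first, then base64 with the substituted alphabet."""
    std_b64 = base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")
    return std_b64.translate(_TO_CUSTOM)


def decode_exfil(blob: str, key: bytes = XOR_KEY) -> bytes:
    """Analyst side: undo the alphabet substitution, base64-decode, un-XOR."""
    raw = base64.b64decode(blob.translate(_TO_STD))
    return xor_bytes(raw, key)


def recover_xor_key(blob: str, known_prefix: bytes) -> bytes:
    """Recover a short repeating key when the plaintext prefix is known
    (beacons often start with a fixed field name such as b"host=").
    Returns the shortest key length consistent across the whole known
    prefix; a true period longer than the prefix cannot be detected."""
    raw = base64.b64decode(blob.translate(_TO_STD))
    for klen in range(1, len(known_prefix) + 1):
        candidate = bytes(raw[i] ^ known_prefix[i] for i in range(klen))
        if xor_bytes(raw[:len(known_prefix)], candidate) == known_prefix:
            return candidate
    raise ValueError("no repeating key of length <= prefix length fits")


# Constructed sample beacon, not real traffic.
SAMPLE_BEACON = b"host=WS01;user=alice;drive=C:"

if __name__ == "__main__":
    wire = encode_exfil(SAMPLE_BEACON)
    print("on the wire :", wire)
    print("decoded     :", decode_exfil(wire))
    print("key from 'host=' prefix:", recover_xor_key(wire, b"host=").hex())
```

Because the alphabet is a pure substitution, `str.maketrans` is enough to map the wire format back to standard base64 once the alphabet is pulled from the binary; the XOR layer then falls to a known-plaintext check on the first few bytes, which is why fixed field names in beacons are the first thing to look for.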
📜 History & Notable Incidents
First campaigns were observed in July 2018 targeting financial institutions in the Middle East and North Africa, particularly banks in the UAE and Egypt. In March 2020, Proofpoint documented a major campaign delivering Eye Pyramid alongside Ursnif and TrickBot against US and European financial organizations. No law enforcement actions have been reported as of early 2025.
🔍 Detection Indicators
Behavioural signatures include Office processes spawning cmd.exe or powershell.exe as child processes. Because Equation Editor runs as a separate out-of-process COM server, the shell launched by a CVE-2017-11882 exploit has EQNEDT32.EXE as its parent rather than WINWORD.EXE, so a rule keyed only on the Word process will miss it. Known C2 domains include cdn-xml[.]com and update-xml[.]com. Registry persistence has been observed as a value named PyramidService under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. File hashes for dropped binaries (e.g., SHA256: 0a1b2c3d4e5f...) are documented in Talos threat reports.
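The three indicator classes above turned into detection logic, as an added example for this page (not a Talos or Boteraser rule set). The events are constructed in Sysmon's shape (Event ID 1 process creation, 13 registry value set, 22 DNS query) and are not real telemetry; the C2 domains are the page's two refanged, and the Run-key value name is the page's PyramidService. The parent-process set includes EQNEDT32.EXE for the reason given above, and the DNS rule requires a label boundary so that a look-alike such as cdn-xml.com.example.org does not match.

```python
import re
from pathlib import PureWindowsPath

# Parents from the page's behavioural signature. EQNEDT32.EXE is included
# because Equation Editor is an out-of-process COM server: CVE-2017-11882
# shellcode spawns the shell from it, not from WINWORD.EXE.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe",
                  "outlook.exe", "eqnedt32.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe"}

# Refanged from the page's cdn-xml[.]com / update-xml[.]com.
C2_DOMAINS = {"cdn-xml.com", "update-xml.com"}

# Run / RunOnce value writes under any hive (HKCU or HKU\<SID>).
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$",
    re.IGNORECASE)
KNOWN_RUN_VALUES = {"pyramidservice"}      # value name reported on the page


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def office_spawning_shell(ev):
    """Event ID 1: Office (or Equation Editor) parent with a shell child."""
    if ev.get("EventID") != 1:
        return None
    parent, child = _basename(ev["ParentImage"]), _basename(ev["Image"])
    if parent in OFFICE_PARENTS and child in SHELL_CHILDREN:
        return f"office-child-shell: {parent} -> {child}"
    return None


def run_key_persistence(ev):
    """Event ID 13: value written under a Run key. A known IOC name fires
    outright; any other value pointing into a user-writable directory is
    flagged for triage; everything else is ignored."""
    if ev.get("EventID") != 13:
        return None
    m = RUN_KEY_RE.search(ev["TargetObject"])
    if not m:
        return None
    value_name = m.group(1)
    if value_name.lower() in KNOWN_RUN_VALUES:
        return f"run-key-ioc: {value_name}"
    data = ev.get("Details", "").lower()
    if "\\appdata\\" in data or "\\temp\\" in data:
        return f"run-key-user-writable: {value_name} -> {ev['Details']}"
    return None


def c2_domain_query(ev):
    """Event ID 22: query for a C2 domain or one of its subdomains.
    A bare endswith() would also hit cdn-xml.com.example.org, so the
    match is anchored on an exact name or a '.' label boundary."""
    if ev.get("EventID") != 22:
        return None
    q = ev["QueryName"].lower().rstrip(".")
    for d in C2_DOMAINS:
        if q == d or q.endswith("." + d):
            return f"c2-dns: {q}"
    return None


RULES = (office_spawning_shell, run_key_persistence, c2_domain_query)


def scan(events):
    """Run every rule over every event; return the alert strings in order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed Sysmon-style events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Program Files (x86)\Microsoft Equation\EQNEDT32.EXE",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},                       # benign
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\PyramidService",
     "Details": r"C:\Users\alice\AppData\Roaming\svc\host.exe"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\System32\SecurityHealthSystray.exe"},  # benign
    {"EventID": 22, "QueryName": "a1.cdn-xml.com"},
    {"EventID": 22, "QueryName": "cdn-xml.com.example.org"},         # look-alike, no match
    {"EventID": 22, "QueryName": "update-xml.com."},                 # trailing dot tolerated
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Run-key hits outside the known IOC list are deliberately a weaker signal: legitimate software also registers Run values, so the user-writable-path variant is meant for triage, not blocking.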
☠️ Risk & Impact
Affected sectors are primarily finance and telecommunications. Exfiltration of account credentials and confidential documents has led to financial theft averaging $1.2 million per incident according to the FBI IC3 reports cited for this family. The secondary cryptominer payloads also degrade host performance and raise operational costs.
🛡️ Mitigation
Mitigation starts with patching CVE-2017-11882: apply the Microsoft Office security update for it (the cited update is KB4011575). The November 2017 Office updates fixed the overflow, and the January 2018 updates removed the Equation Editor component altogether, so a fully patched Office has no EQNEDT32.EXE left to exploit. Enable the Attack Surface Reduction rule that blocks Office applications from creating child processes, and deploy the YARA rules published in the Cisco Talos repository. EDR products such as CrowdStrike Falcon with custom detection queries for the in-memory footprint of Equation Editor shellcode are also recommended.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.