SpyPress

Malware

⚠️ Overview

SpyPress is a modular information-stealing malware first documented by Talos Intelligence in April 2022, attributed to the cybercriminal group TA402 (also known as OilAlpha or APT39) operating out of Iran, and is categorized primarily as a stealer with capabilities for reconnaissance and data exfiltration.

🔧 Technical Capabilities

SpyPress propagates via spear-phishing emails carrying malicious Microsoft Office documents that exploit the CVE-2017-11882 vulnerability in Equation Editor to execute shellcode. Its attack vector relies on social engineering to trick users into enabling macros, after which it downloads a payload from remote C2 servers hosted on compromised WordPress sites. Persistence is achieved by modifying the Windows Registry Run key or creating scheduled tasks. Evasion techniques include obfuscated PowerShell scripts, process hollowing to inject into legitimate processes such as explorer.exe, and encrypted HTTPS communications that blend with normal traffic. The malware collects system information, browser credentials, and file listings, then exfiltrates the data via HTTP POST requests to attacker-controlled domains, often mimicking legitimate services such as Google Drive with a fake login page.

📜 History & Notable Incidents

SpyPress first appeared in targeted campaigns against Middle Eastern government entities and research organizations in early 2022, with a significant incident reported by Trend Micro in July 2022 involving a campaign against an unnamed national cybersecurity agency. No CVEs are directly attributed to SpyPress itself, but the malware leverages CVE-2017-11882 (Microsoft Office Equation Editor remote code execution) as its initial access vector. Law enforcement actions have not been publicly reported against the TA402 group for SpyPress operations specifically.

🔍 Detection Indicators

Known file hashes include SHA256 values from Talos reports (e.g., 7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8 for a sample dropper). Behavioral signatures include the creation of a mutex named Global\SpyPressMutex and registry modifications under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with a value named SpyPressUpdate. Network IOCs include domains such as microsoft-update[.]com and the User-Agent string Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 used for C2 communication.

☠️ Risk & Impact

SpyPress poses a high risk due to its ability to exfiltrate sensitive credentials, internal network maps, and intellectual property, particularly from government and energy sectors in the Middle East. Financial losses are not quantified in public reports, but the theft of authentication data can lead to lateral movement and further compromise within target networks, potentially resulting in data breaches costing millions in remediation and reputational damage.

🛡️ Mitigation

Mitigation includes applying the Microsoft security update for CVE-2017-11882, disabling macros in Office documents from untrusted sources, and deploying endpoint detection rules (e.g., YARA signatures for SpyPress payloads). Network defenders should monitor for outbound HTTPS connections to suspicious domains and block the User-Agent strings associated with SpyPress C2 traffic.
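An added example (written for this page, not taken from Talos, Trend Micro or any vendor detection rule) that turns the Detection Indicators and the monitoring advice above into a small triage script: it checks constructed registry and proxy log lines against the Run-key value name, the listed C2 domain and the C2 User-Agent. The pipe-delimited log format and the sample lines are assumptions; because the User-Agent is a stock Chrome 96 string, the script rates a User-Agent match alone as low severity and only the domain or the Run value as high.

```python
# IOCs as listed on the page (domain appears there defanged as microsoft-update[.]com).
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "SpyPressUpdate"
C2_DOMAIN = "microsoft-update.com"
C2_USER_AGENT = ("Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36")

def classify(line):
    """Return (severity, reason) for one pipe-delimited log line, or None.

    Assumed (constructed) formats, not from the page:
      REG|<registry key>|<value name>|<value data>
      HTTP|<client ip>|<destination host>|<user agent>
    The User-Agent is a stock Chrome 96 string, so alone it is only a weak
    signal; the Run value name and the C2 domain are specific enough to
    alert on directly.
    """
    fields = line.rstrip("\n").split("|")
    if fields[0] == "REG" and len(fields) == 4:
        _, key, name, data = fields
        if key.lower() == RUN_KEY.lower() and name == RUN_VALUE_NAME:
            return ("high", f"persistence: Run value {name} -> {data}")
    elif fields[0] == "HTTP" and len(fields) == 4:
        _, client, host, ua = fields
        host = host.lower()
        if host == C2_DOMAIN or host.endswith("." + C2_DOMAIN):
            return ("high", f"C2 domain {host} contacted by {client}")
        if ua == C2_USER_AGENT:
            return ("low", f"SpyPress-associated User-Agent from {client} to {host}")
    return None

def scan(lines):
    """Group alert reasons by severity."""
    alerts = {"high": [], "low": []}
    for line in lines:
        hit = classify(line)
        if hit:
            alerts[hit[0]].append(hit[1])
    return alerts

# Constructed sample telemetry (not real data).
SAMPLE_LOGS = [
    r"REG|HKCU\Software\Microsoft\Windows\CurrentVersion\Run|SpyPressUpdate|C:\Users\u\AppData\Roaming\svc.exe",
    r"REG|HKCU\Software\Microsoft\Windows\CurrentVersion\Run|OneDrive|C:\Program Files\OneDrive.exe",
    "HTTP|10.0.0.5|cdn.microsoft-update.com|" + C2_USER_AGENT,
    "HTTP|10.0.0.7|www.example.org|" + C2_USER_AGENT,
    "HTTP|10.0.0.9|www.example.org|curl/8.0",
]

if __name__ == "__main__":
    for severity, reasons in scan(SAMPLE_LOGS).items():
        for reason in reasons:
            print(f"[{severity}] {reason}")
```

A low-severity User-Agent hit is worth correlating with the destination and process rather than blocking outright, since the same string is sent by unmodified Chrome 96 installs.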
