Virus Type: Malware / Advanced Persistent Threat (APT)
Crouching Yeti is a threat involved in several advanced persistent threat (APT) campaigns that have been active going back to at least the end of 2010.
The Primary targeted sectors for this threat include:
After detailed research, it was determined that the largest number of victims we identified fall into the industrial/machinery building sector, which is a good indication that this is a sector of special interest.
The Crouching Yeti threat relayed on three methods to infect the victims, Spear-phishing e-mails using PDF documents embedded with an Adobe Flash exploit (CVE-2011-0611)
Crouching Yeti is hardly a sophisticated campaign. For example, the attackers used no zero-day exploits, only exploits that are widely available on the Internet. But that didn’t prevent the campaign from staying under the radar for several years.
The total number of known victims is over 2800 worldwide, out of which Kaspersky Lab researchers were able to identify 101 organizations. This list of victims seems to indicate Crouching Yeti’s interest in strategic targets, but it also shows an interest of the group in many other not-so-obvious institutions.
Kaspersky Lab’s experts believe they might be collateral victims, but it might also be reasonable to redefine Crouching Yeti not only as a highly targeted campaign in a very specific area of interest, but also as a broad surveillance campaign with interests in different sectors.
The best way to determine if you’ve been a victim of Crouching Yeti if to identify if there has been an intrusion. Threat identification can be done with a strong antivirus product such as Kaspersky Lab Anti-Virus.
Kaspersky Lab products will detect the malware involved in the Crouching Yeti campaign with the following threat definitions: