Malware RSS Feed
According to Kaspersky Lab, in 2015
- The proportion of spam in email flows was 55.28%, which is 11.48 percentage points lower than in 2014.
- 79% of spam emails were no more than 2 KB in size.
- 15.2% of spam was sent from the US.
- 146,692,256 instances that triggered the ‘Antiphishing’ system were recorded.
- Russia suffered the highest number of phishing attacks, with 17.8% of the global total.
- Japan (21.68%) took the lead in the ranking of unique users attacked by phishers.
- 34.33% of phishing attacks targeted online financial organizations (banks, payment systems and online stores).
In early 2015, we registered a surge in the number of new top-level domains used for distributing mass mailings. This was caused by the growth in interest among spammers for the New gTLD program launched in 2014. The main aim of this program is to provide organizations with the opportunity to choose a domain zone that is consistent with their activities and the themes of their sites. The business opportunities provided by New gTLD were enthusiastically endorsed by the Internet community, and active registration of new domain names is still ongoing.
However, new domain zones almost immediately became an arena for the large-scale distribution of spam, as cybercriminals registered domains to spread mass mailings. At first, there was some logical connection between the theme of the spam and the domain name, but this changed as the year went on and the domain names used in mass mailings were, on the whole, not related to the subject of the spam. However, even now we still come across isolated cases where the connection is noticeable. For example, online dating sites are often placed in the .date zone.
This lack of any connection between the domain name and spam theme was mainly caused by the cost of new domains. The attackers try to choose the cheapest possible hosting because the sites will often be used just once for a specific spam mass mailing, so the domain name does not play a major role. Instead, the deciding factors tend to be the cost of the domains and the discounts that small registrars are willing to provide for bulk purchases.
Spammer tricks: methods for expressing domain names
Scammers try to make every email unique in order to bypass mass filtering and complicate the work of content filters. It is quite easy to make each text different by using similar characters from other alphabets, or by changing the word and sentence order, etc. But there is always the address of the spammer site – it can’t be changed so easily, and the whole point of sending out spam is for users to click a link to the advertised site. Over the years, spammers have come up with numerous ways to hide the spammer site from anti-spam filters: redirects to hacked sites, generation of unique links to short URL services, the use of popular cloud services as redirects, etc.
In 2015, in addition to the methods mentioned above, spammers also focused on ways of expressing domain names and IP addresses. Here we take a closer look at these tricks by studying examples taken from a variety of spam messages.
Special features of the IP protocol: different IP formats
The standard way of writing an IPv4 address is the dotted-decimal format: the value of each of the four bytes is given as a decimal number from 0 to 255, and the bytes are separated by dots. However, there are other formats that browsers will interpret correctly. These are the binary, octal and hexadecimal formats, and the dword (undotted integer) format, in which every byte of the IP address is first converted to hexadecimal, the bytes are concatenated into one number in the order they appear in the address, and that number is then converted to decimal. All these formats can even be combined, with each part of the IP address written in a different way, and the browser will still interpret it correctly!
These techniques are exploited by spammers. They write the same IP addresses in many different ways, including the method of combining different formats:
- oct – hex
- oct – dword
- hex – dword
Addresses in hexadecimal format can be written with and without dots separating the numbers:
Additionally, 4294967296 (256^4, i.e. 2^32) can be added any number of times to the number in the integer format, and the result will still be interpreted as the same IP address.
In the decimal format, the number 256 can be added to each part of the IP address any number of times; as long as the result still has three digits, the address will be interpreted correctly.
In the octal format, any number of leading zeros can be added to the IP address, and it will remain valid:
You can also insert any number of forward slashes in the address:
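A mail filter can neutralise all of the spellings described above (octal, hexadecimal, dword, mixed parts, leading zeros, decimal overflow) by canonicalising every IPv4 host before it is compared against a blocklist. The following Python is an added example and not code from the Kaspersky report: it implements the IPv4 host parsing that browsers perform (the WHATWG URL standard's rules for octal, hex, dword and short forms), and the `legacy_wrap` flag is an assumption of mine that models the older overflow behaviour the text describes, in which 256 per part or 4294967296 overall can be added without changing the target.

```python
import re

# Part syntaxes accepted by browser URL parsers (WHATWG URL standard).
_HEX_PART = re.compile(r"0[xX][0-9a-fA-F]*")   # "0x7f", "0X", "0x" (= 0)
_OCT_PART = re.compile(r"0[0-7]+")             # "0177", "0000177"
_DEC_PART = re.compile(r"[0-9]+")              # "127", "2130706433"


def _parse_part(part):
    """Value of one dot-separated part, or None if it is not a number."""
    if _HEX_PART.fullmatch(part):
        return int(part[2:] or "0", 16)
    if part.startswith("0") and len(part) > 1:
        # A leading zero selects octal, so "08" or "09" is invalid.
        return int(part, 8) if _OCT_PART.fullmatch(part) else None
    if _DEC_PART.fullmatch(part):
        return int(part, 10)
    return None


def ipv4_to_canonical(host, legacy_wrap=False):
    """Return the dotted-decimal form of an IPv4 host written in any
    browser-accepted notation, or None if the host is not an IPv4 literal.

    legacy_wrap=True is an assumption modelling old parsers that reduced each
    part modulo 256 and the whole value modulo 2**32, so that adding 256 to a
    part or 4294967296 to a dword address left the target unchanged.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or "" in parts:
        return None
    values = [_parse_part(p) for p in parts]
    if None in values:
        return None
    *head, last = values
    # Every part except the last is one byte; the last fills the remaining
    # bytes ("127.1" means 127.0.0.1, a single number is the whole dword).
    tail_bytes = 5 - len(values)
    for i, v in enumerate(head):
        if v > 255:
            if not legacy_wrap:
                return None
            head[i] = v % 256
    if last >= 256 ** tail_bytes:
        if not legacy_wrap:
            return None
        last %= 256 ** tail_bytes
    n = 0
    for v in head:
        n = (n << 8) | v
    n = (n << (8 * tail_bytes)) | last
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def same_target(hosts, legacy_wrap=False):
    """True if every host in the list denotes the same IPv4 address."""
    canon = {ipv4_to_canonical(h, legacy_wrap) for h in hosts}
    return len(canon) == 1 and None not in canon


if __name__ == "__main__":
    # Constructed spellings of one address, in the styles the report lists.
    for h in ["127.0.0.1", "0x7f.0.0.1", "0177.0.0.1", "0x7f000001",
              "2130706433", "0177.0x0.1", "127.1", "0000177.0.0.1"]:
        print(f"{h:>16} -> {ipv4_to_canonical(h)}")
    print("with 2**32 added:", ipv4_to_canonical("6425673729", legacy_wrap=True))
```

Strict mode (the default) rejects out-of-range parts, which is what current browsers do; enable `legacy_wrap` only when you want to cluster links written for older, more permissive parsers. Two links whose canonical hosts coincide point at the same server however differently they were spelt.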
Although some legitimate libraries can store IP addresses in these different formats, it is prohibited to use any format other than the standard dotted-decimal one in a URL (i.e., in the links being referred to).
Obfuscation of an IP address, or how many ways can a number be written in Unicode
We have already written about the obfuscation of key words in spam using various Unicode ranges.
The same tricks can be applied when writing IP addresses and domain names. With regard to IP addresses, in 2015 spammers often used Unicode digits from the so-called fullwidth range. Normally it is used alongside ideographic (CJK) scripts so that Latin letters and digits do not look too small and narrow next to the ideographs.
We also came across figures from other ranges – figures in a circle, figures that are underscored, etc.:
As mentioned above, this trick also works with domains. Unicode has even more letter ranges than numerical. Spammers often used multiple ranges in a single link (changing them randomly in every email, thereby increasing the variability within a single mass mailing).
To make the links even more unique, rather than obfuscating the spammer site itself the scammers obfuscated short URL services where the links to the main site were generated in large quantities:
URLs contain special symbols that spammers use to add ‘noise’. The main one is the @ symbol, which is intended for user authentication on the site. A link such as http://login:password@domain.com means that the user wants to enter the site domain.com using a specific username (login) and password. If the site does not require authentication, everything that precedes the @ symbol is simply ignored. We came across mass mailings where spammers simply inserted the @ symbol in front of the domain name, and mass mailings where the @ symbol was preceded by a random (or non-random) sequence:
It is interesting that this technique was used to obfuscate links; that is usually the prerogative of phishers. This method of presenting URLs can be used by fraudsters to trick users into thinking that a link leads to a legitimate site. For example, in the link http://google.com@spamdomain.com/anything the domain that the browser accepts is spamdomain.com, not google.com. However, in order to trick users, spammers have used another domain-related technique: they registered lots of domains beginning with com-. With third-level domains the links in emails looked like this: http://learnmore.com-eurekastep.eu/find
If you don’t look carefully, you might think that the main domain is learnmore.com, whereas it is in fact com-eurekastep.eu.
In addition to the @ symbol, scammers filled links with other symbols: www.goo&zwj.g&zwjl/0Gsylm.
In the case above, the “&zwj” fragment has been inserted randomly in different parts of the goo.gl domain, making the link unique in each email. This character is the zero-width joiner; it is used to combine several individual symbols into one in Indic scripts and to join emoticons into a single glyph. Within a domain it obviously carries no semantic meaning; it simply obfuscates the link.
Yet another method of obscuring links is the use of a “soft hyphen” (SHY). In HTML, SHY is a special symbol that is not visible in the text, but if a word containing a special symbol doesn’t fit in at the end of a line, the part after the special symbol is moved to the next line, while a hyphen is added to the first part. Typically, browsers and email clients ignore this symbol inside links, so spammers can embed it anywhere in a URL and as often as they like. We came across a mass mailing where soft hyphens had been inserted in the domain more than 200 times (hexadecimal encoding):
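Every trick in this section (the @ userinfo prefix, com- look-alike labels, zero-width joiners, soft hyphens, fullwidth and circled digits, and HTML entities that browsers render as ordinary letters) can be undone before a link is matched against a reputation list. The following Python is an added example, not code from the Kaspersky report; the URLs it is run on are constructed from the samples quoted in this section, and treating `com-`, `net-` and `org-` label prefixes as look-alikes is my own heuristic.

```python
import html
import re
import unicodedata
from urllib.parse import urlsplit

# Entity spellings of the joiner/hyphen noise; the ';' is optional because the
# samples quoted in the text ("goo&zwj.g&zwjl") lack it.
_NOISE_ENTITIES = re.compile(r"&(zwj|zwnj|shy);?", re.IGNORECASE)
# Formatting code points a browser ignores inside a host name.
_INVISIBLE = re.compile("[\u00ad\u200b\u200c\u200d\u2060\ufeff]")
# Labels such as "com-eurekastep" that imitate a well-known TLD at a glance
# (heuristic, my own assumption).
_TLD_LOOKALIKE = ("com-", "net-", "org-")


def _hostname(text):
    """Hostname as urlsplit sees it, with a scheme added for bare links."""
    if "://" not in text:
        text = "http://" + text            # bare "www..." links in mail bodies
    return urlsplit(text)


def denoise_url(raw):
    """Return the host a browser would actually contact, plus the tricks seen."""
    text = _NOISE_ENTITIES.sub("", raw)
    text = html.unescape(text)             # &ordm; -> º, &sup1; -> ¹, ...
    text, invisible = _INVISIBLE.subn("", text)
    # NFKC maps fullwidth/circled digits, superscripts and º to plain ASCII.
    text = unicodedata.normalize("NFKC", text)
    parts = _hostname(text)
    host = parts.hostname or ""
    return {
        "host": host,
        # Anything before '@' is ignored by the server when no auth is needed.
        "had_userinfo": parts.username is not None or parts.password is not None,
        "tld_lookalike": any(label.startswith(_TLD_LOOKALIKE)
                             for label in host.split(".")),
        "invisible_removed": invisible,
    }


def is_noisy_link(raw):
    """Triage verdict: did any obfuscation change what the host looks like?"""
    r = denoise_url(raw)
    as_written = _hostname(raw).hostname or ""
    return r["had_userinfo"] or r["tld_lookalike"] or r["host"] != as_written


if __name__ == "__main__":
    # Constructed from the link shapes quoted in the report.
    for link in ["http://login:password@domain.com",
                 "http://google.com@spamdomain.com/anything",
                 "www.goo&zwj.g&zwjl/0Gsylm",
                 "http://learnmore.com-eurekastep.eu/find",
                 "http://ex&shy;am\u00adple.com/",
                 "http://\uff11\uff12\uff17.0.0.1/"]:
        print(f"{link!r}: {denoise_url(link)} noisy={is_noisy_link(link)}")
```

The order of the steps matters: entities are decoded first so that `&shy;` becomes the soft-hyphen code point, invisible code points are stripped next, and only then is NFKC applied, because NFKC does not remove format characters but does fold fullwidth, circled and superscript digits to ASCII. Feed `denoise_url(...)["host"]` to your IP canonicaliser and domain blocklist rather than the raw text.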
As well as the soft hyphen, there are other special symbols used in domains: the ordinal indicator (&ordm;) and the superscript 1 and 2 (&sup1;, &sup2;), which some browsers interpret as the letter “o” and the digits “1” and “2” respectively.
Reiteration of a popular domain name
Another original way of adding noise to links used by spammers in 2015 was the use of a well-known domain as a redirect. This trick is not new, but this time the fraudsters added the same well-known domain several times:
It is also worth mentioning those cases where no domains were used at all. Instead of a URL, a number of spam mailings contained a QR-code.
Other mass mailings prompted the user to enter a random sequence in a search engine; the link to the site appeared at the top of the search results:
The next Olympic Games in Brazil only take place in the summer of 2016, but already in 2015 fraudulent notifications of lottery wins dedicated to this popular sporting event were being registered. These included emails containing an attached PDF file that informed recipients that their address had been randomly selected out of millions of email addresses. In order to claim the prize it was necessary to respond to the email and provide specific personal information. In addition to the text, the attachments contained different graphical elements (logos, photos, etc.). The fake lottery win notifications, which were of a considerable length, were often sent out with attachments to bypass spam filtering.
In 2015, ‘Nigerian’ scammers exploited political events in Ukraine, the war in Syria, the presidential elections in Nigeria and earthquake in Nepal to convince recipients that their stories were genuine. The authors primarily sought help to invest huge sums of money or asked for financial assistance. These so-called Nigerian letters made use of the customary tricks to deceive recipients and extort money from them.
Emails about the war in Syria often mentioned refugees and Syrian citizens seeking asylum in Europe. Some emails were made to look as if they had been sent directly from refugee camps and contained complaints about the poor conditions.
Statistics
Proportion of spam in email traffic
In 2015, the proportion of spam in email traffic was 55.28%, which is 11.48 percentage points lower than the previous year.
The proportion of spam in email traffic, 2015
The most noticeable drop was registered in the first months of 2015, from 61.86% in January to 53.63% in April. The fluctuations throughout the rest of the year were small, within 1-2 percentage points.
Sources of spam by country
Sources of spam by country, 2015
In 2015, there was a slight change to the top three sources of spam: China (6.12%) dropped to fourth although the proportion of spam distributed from that country actually increased by 0.59 percentage points. Replacing it in third place was Vietnam (6.13%), which saw 1.92 percentage points added to its share. Russia (6.15%) remained in second place with an increase of 0.22 percentage points, while the US (15.16%) remained the undisputed leader despite a decrease of 1.5 percentage points.
In 2015, users in the USA were targeted by 4.92% of worldwide malicious emails.
As was the case in 2014, Germany came fifth (4.24%), with its contribution increasing by 0.24 percentage points. The rest of the Top 10 consisted of Ukraine (3.99%, +0.99 p.p.), France (3.17%, +0.62 p.p.), India (2.96%, no change), Argentina (2.90%, -0.65 p.p.) and Brazil (2.85%, +0.42 p.p.).
The size of spam emails
The size of spam emails in 2015
The proportion of super-short spam emails (under 2 KB) grew in 2015 and averaged 77.26%, while the share of emails sized 2-5 KB fell to 9.08%. The general trend of 2015 was a reduction in the size of emails.
Malicious attachments in email
The Top 10 malicious programs spread by email in 2015
The notorious Trojan-Spy.HTML.Fraud.gen remained the most popular malicious program sent by email. This program is a fake HTML page sent via email that imitates an important notification from a large commercial bank, online store, or software developer, etc. This threat appears as an HTML phishing website where a user has to enter his personal data, which is then forwarded to cybercriminals.
Trojan-Downloader.HTML.Agent.aax was in second, while ninth and tenth positions were occupied by Trojan-Downloader.HTML.Meta.as and Trojan-Downloader.HTML.Meta.ay respectively. All three are HTML pages that, when opened by users, redirect them to a malicious site. Once there, a victim usually encounters a phishing page or is offered a download – Binbot, a binary option trading bot. These malicious programs spread via email attachments and the only difference between them is the link that redirects users to the rigged sites.
Third was Trojan-Banker.Win32.ChePro.ink. This downloader is a CPL applet (a Control Panel component) that downloads Trojans designed to steal confidential financial information. Most malicious programs of this type are aimed at Brazilian and Portuguese banks.
Email-Worm.Win32.Mydoom.l was in fourth place. This network worm spreads as an email attachment via file-sharing services and writable network resources. It harvests email addresses from infected computers so they can be used for further mass mailings. To send the email, the worm directly connects to the SMTP server of the recipient.
Trojan-PSW.Win32.Fareit.auqm was in eighth position. Fareit Trojans steal browser cookies and passwords from FTP clients and email programs and then send the data to a remote server run by cybercriminals.
Malware families
Throughout the year, Upatre remained the most widespread malware family. Malware from this family downloads the Trojan banker known as Dyre/Dyreza/Dyzap.
MSWord.Agent and VBS.Agent occupied second and third places respectively. To recap, MSWord.Agent programs are DOC files with an embedded macro written in Visual Basic for Applications (VBA), which runs on opening the document and downloads and runs other malware, such as Andromeda. VBS.Agent, as the name suggests, uses an embedded VBS script; to download and run other malware on the user’s computer the malicious programs of this family utilize the ADODB.Stream technology.
The Andromeda family came fourth. These programs allow the attackers to secretly control infected computers, which often become part of a botnet. Noticeably, in 2014 Andromeda topped the rating of the most widespread malware families.
The Zbot family came fifth. Representatives of this family are designed to carry out attacks on servers and user computers, and also for capturing data. Although ZeuS/Zbot is capable of carrying out various harmful actions, it is most often used to steal banking information.
Countries targeted by malicious mailshots
Distribution of email antivirus verdicts by country, 2015
For the previous three years, the Top 3 countries most often targeted by mailshots had remained unchanged: the US, the UK and Germany. However, in 2015, spammers altered their tactics and targets. As a result, Germany came first (19.06%, +9.84 p.p.) followed by Brazil (7.64%, +4.09 p.p.), which was only sixth in 2014.
The biggest surprise in Q3, and the whole of 2015, was Russia’s rise to third place (6.30%, +3.06 p.p.). To recap, in 2014 Russia was ranked eighth with no more than 3.24% of all malicious spam being sent to the country.
We would like to believe that despite the trend seen in recent quarters, the number of malicious mass mailings sent to Russia will decrease. As for the total number of malicious attachments sent via email, their number is likely to grow in 2016 and the theft of personal information and Trojan ransomware will occupy the top places.
Special features of malicious spam
In spam traffic for 2015 we registered a burst of mass mailings with macro viruses. The majority of emails containing macro viruses in Q1 were sent in attachments with a .doc or .xls extension and belonged to the Trojan downloader category designed to download other malicious programs.
As a rule, the malicious attachments imitated various financial documents: notifications about fines or money transfers, unpaid bills, payments, complaints, e-tickets, etc. They were often sent on behalf of employees from real companies and organizations.
The danger posed by macro viruses is not restricted to their availability and ease of creation. A macro virus can infect not only the document that is opened initially but also a global macro common to all similar documents and consequently all the user’s documents that use global macros. Moreover, the VBA language is sufficiently functional to be used for writing malicious code of all kinds.
In 2015, cybercriminals specializing in malicious spam continued to distribute malware in non-standard archive formats (.cab, .ace, .7z, .z, .gz). These formats were introduced long ago and are used by specialists in software development and installation, but they are largely unknown to ordinary users, unlike ZIP and RAR. Another difference is the high degree of file compression, which is used to reduce email sizes to a minimum and bypass spam filtering. These malicious archives were passed off as a variety of attachments (orders, invoices, photographs, reports, etc.) and contained different malicious programs (Trojan-Downloader.Win32.Cabby, Trojan-Downloader.VBS.Agent.azx, Trojan-Spy.Win32.Zbot.iuk, HawkEye Keylogger, etc.). The vast majority of emails were in English, though there were messages in other languages.
In 2014, cybercriminals were particularly active in sending out fake emails from mobile devices and notifications from mobile apps containing malware and adverts. In 2015, the mobile theme continued: malicious programs were distributed in the form of .apk and .jar files, which are in fact archived executable application files for mobile devices. Files with the .jar extension are usually ZIP archives containing a program in Java, and they are primarily intended to be launched from a mobile phone, while .apk files are used to install applications on Android.
In particular, cybercriminals masked the mobile encryption Trojan SLocker behind a file containing updates for Flash Player: when run, it encrypts images, documents and video files stored on the device. After launching, a message is displayed telling the user to pay a fee in order to decrypt his files. Another .jar archive contained Backdoor.Adwind written in Java. This multi-platform malicious program can be installed not only on mobile devices but also on Windows, Mac and Linux.
The attackers who send out malware in files for mobile devices are most probably hoping that recipients using email on a mobile device will install the malicious attachment.
With every year, cybercriminals are becoming more interested in mobile devices. This is primarily due to the constant increase in activity by mobile users (using messengers and other methods of exchanging data) and the migration of different services (e.g., financial transactions) to mobile platforms, and of course, one user may have several mobile devices. Secondly, it is due to the emergence of various popular apps that can be used by cybercriminals both directly (for sending out spam, including malicious spam) and indirectly (in phishing emails). For example, users of the popular messenger WhatsApp fall victim to not only traditional advertising spam but also virus writers. Mobile users should be especially careful because cybercriminal activity in this sphere is only likely to increase.
In 2015, the Anti-Phishing system was triggered 148,395,446 times on computers of Kaspersky Lab users. 60% (89,947,439) of those incidents were blocked by deterministic components and 40% (58,448,007) by heuristic detection components.
Methods of distributing phishing content
The methods used by cybercriminals to spread phishing content have long gone beyond the framework of email clients. For example, one of the most popular ways of distributing phishing pages is pop-up ads. In 2015, we came across a variety of fraudulent schemes utilizing this simple trick: the fake page automatically opens in the browser when a user visits certain sites, including legitimate ones, but uses pop-up advertising.
Cybercriminals used this technique to attack customers of Russian banks in the third and fourth quarters of 2015.
The fraudulent page to which the victim is redirected by a pop-up advert
Other popular themes of the year
As we mentioned in Q1, the contribution of the ‘Delivery company’ category is very small (0.23%), but it has recently experienced a slight increase (+0.04 p.p.). In addition, DHL, one of the companies in this category, was among the Top 100 organizations most often targeted by phishers.
This method – an email sent on behalf of a delivery firm – is often used by fraudsters to distribute malicious attachments, gather personal information and even collect money.
Phishing email sent on behalf of FedEx
The attackers are especially active in this category in the run-up to holidays when people tend to buy presents using popular delivery services.
Email tricks
Scammers have long made successful use of PDF attachments in phishing attacks. These files are usually a form for entering personal information that is sent to the fraudsters by pressing a button in the file. However, in 2015 we saw a surge of emails in which the text message and the link to the phishing page were included in the PDF document. The text in the body of the message was reduced to a minimum to bypass spam filtering.
These tricks are used against organizations in all categories. In 2015, many attacks of this type targeted banking and mail organizations.
Example of a phishing email. The body of the message contains only the text imitating the heading of the email to which this email is allegedly responding. The email has an attached PDF file that contains the link to the phishing page.
We came across numerous PDF files that redirected victims to phishing websites. The fraudsters encouraged the user to click on ‘View pdf File’ to read the contents of the file.
A phishing email with an attached PDF file containing a redirect to a phishing website
The geography of attacks
Top 10 countries by percentage of attacked users
Japan had the highest proportion of users subjected to phishing attacks (21.68%), a 2.17 p.p. increase from the previous year.
The percentage of users on whose computers the anti-phishing system was triggered out of the total number of users of Kaspersky Lab products in the country, 2015
Top 10 countries by percentage of attacked users
- Japan 21.68%
- Brazil 21.63%
- India 21.02%
- Ecuador 20.03%
- Mozambique 18.30%
- Russia 17.88%
- Australia 17.68%
- Vietnam 17.37%
- Canada 17.34%
- France 17.11%
Last year’s leader, Brazil (21.63%), fell to second place with a drop of 5.77 percentage points in the number of attacked users. It was followed by India (21.02%, -2.06 p.p.) and Ecuador (20.03%, -2.79 p.p.).
The distribution of attacks by country
Russia accounted for the greatest share of phishing attacks, with 17.8% of the global total, an increase of 0.62 percentage points compared to the previous year.
Distribution of phishing attacks by country in 2015
Behind Russia in second place was Brazil (8.74%, +1.71 p.p.), followed by India (7.73%, +0.58 p.p.), the US (7.52%, +0.32 p.p.), with Italy rounding off the Top 5 (7.04%, +1.47 p.p.).
Organizations under attack
The statistics on organizations used in phishing attacks are based on the triggering of the heuristic component in the anti-phishing system. The heuristic component is triggered when a user tries to follow a link to a phishing page and there is no information about the page in Kaspersky Lab’s databases.
Distribution of organizations subject to phishing attacks by category, 2015
In 2015, we saw significant growth in the proportion of phishing attacks on organizations belonging to the ‘Online finances’ category (34.33%, +5.59 p.p.): they include the ‘Banks’, ‘Payment Systems’ and ‘Online stores’ categories. Of note is the increase in the percentage of targeted organizations in the ‘Telephone and Internet service providers’ (5.50%, +1.4 p.p.) and ‘Social networking sites and blogs’ (16.40%, +0.63 p.p.) categories.
Top 3 organizations attacked (share of detected phishing links)
- 1. Yahoo!: 14.17%
- 2. Facebook: 9.51%
- 3. Google: 6.8%
In 2015, Yahoo! was once again the organization targeted most by phishers, although its share decreased considerably – 14.17% vs 23.3% in 2014. We presume this decrease is a result of the company combating these fake domains. We see that Yahoo!, as well as many other organizations, registers lots of domains that could theoretically be used by the attackers as they are derived from the original domain name.
Conclusion and forecasts
In 2015, the proportion of spam in email traffic decreased by 11.48 percentage points and accounted for 55.28%. The largest decline was observed in the first quarter; from April the fluctuations stabilized and were within a few percentage points. This reduction was caused by the migration of advertising for legal goods and services from spam flows to more convenient and legal platforms (social networks, coupon services, etc.), as well as by the expansion of the “gray” zone in mass mailings (mass mailings sent both to voluntary subscribers and to people who have not given their consent). We assume the share of spam will continue to decrease in 2016, though the decline will be insignificant.
The number of malicious and fraudulent messages, however, will increase. It is possible that the attackers will once again make use of their customary tricks as was the case in 2015 (mass mailings of macro viruses and non-standard attachment extensions). The mobile theme may also become yet another weapon in the cybercriminals’ arsenal to spread malware and fraudulent spam.
The number of new domains created by spammers especially for distributing mass mailings will continue to grow. We also expect to see an expansion in new domain zones used as spammer resources.
A while ago the Turkish security group Utku Sen created the hidden tear ransomware and published the source code online. The idea behind it was to “teach” security researchers how ransomware works. Right from the beginning the reaction of various security professionals was negative. And we were right: it didn’t take long before the first ransomware variants based on the hidden tear source code arrived, and of course, things escalated a bit.
Wondering what else there was, I decided to analyze the samples in the Trojan-Ransom.MSIL.Tear class and was amazed to find 24 additional samples.
Hidden tear only encrypts files located on the user’s desktop in the “\test” directory. If such a directory doesn’t exist, then no files are encrypted and no harm is done. In one of the first samples we classified as hidden tear Trojan-Ransom.MSIL.Tear.c, they removed the “\test” directory, so in this case all the files (with a certain extension) located on the Desktop are encrypted.
Another sample, Trojan-Ransom.MSIL.Tear.f calls itself KryptoLocker. According to the message, public key cryptography was used, but when we look at the code, we see something different. The author also didn’t use a CnC this time, but asked the victims to e-mail him, so he could ask for the ransom.
The next variants, Trojan-Ransom.MSIL.Tear.g and Trojan-Ransom.MSIL.Tear.h , are the first versions that use a proper CnC (previous samples used a server with an internal IP address as the CnC server). Other samples, such as Trojan-Ransom.MSIL.Tear.i and Trojan-Ransom.MSIL.Tear.k share the same CnC, while Trojan-Ransom.MSIL.Tear.j uses another one.
Interesting is also Trojan-Ransom.MSIL.Tear.m. This variant is specifically looking for files located in the “Microsoft\Atom” directory.
Variants Trojan-Ransom.MSIL.Tear.n, Trojan-Ransom.MSIL.Tear.o, Trojan-Ransom.MSIL.Tear.p and Trojan-Ransom.MSIL.Tear.q, on the other hand, just encrypt your files and don’t store the key anywhere.
Variants Trojan-Ransom.MSIL.Tear.r to Trojan-Ransom.MSIL.Tear.v are all more or less the same. The location of the C2 is often example.com. This of course does not work.
The last samples, Trojan-Ransom.MSIL.Tear.w, Trojan-Ransom.MSIL.Tear.x and Trojan-Ransom.MSIL.Tear.y, all store the password on the hard drive and were also described earlier here.
As always, when malware gets open sourced, we see an increase in variants of that specific malware. We can therefore conclude that hidden tear completely missed its purpose. Researchers don’t need hidden tear to understand how ransomware works. Luckily enough, in this case, the copycats didn’t fix the bugs in hidden tear. Therefore it is actually possible (with some computation) to recover your key and decrypt your files for free. More worrying is when copycats take well-developed, sophisticated malware and start using that.
The samples discussed in this post were all samples that were not often spotted in the wild. This means the number of victims remains relatively low.
Nevertheless, bugs can be fixed and the malware can be enhanced without much effort. After this point, it is just waiting for future victims who might lose their files forever.
Recently we came across a new family of cross-platform backdoors for desktop environments. First we got the Linux variant, and with information extracted from its binary, we were able to find the variant for Windows desktops, too. Not only that, but the Windows version was additionally equipped with a valid code signing signature. Let’s have a look at both of them.
This backdoor for Linux-based operating systems comes packed via UPX and is full of features to monitor the victim’s activities, including code to capture audio and take screenshots.
One example would be this location: $HOME/.local/share/.dropbox/DropboxCache. To achieve persistence, it uses this not very stealthy method: it just creates a .desktop-file in $HOME/.config/autostart/$filename.desktop. Here’s the template for this:
This “heartbeat” request replies with a one-byte image. To upload and receive data and commands, it connects to TCP port 433 using a custom protocol and AES encryption. The binary comes with the following hardcoded public keys:
The malware then collects gathered information from the keylogger, audio captures and screenshots in /tmp/. Later it will upload collected data to the C&C.
- /tmp/ss0-DDMMyy-HHmmss-nnn.sst (Screenshots, JPEG, every 30 sec.)
- /tmp/aa0-DDMMyy-HHmmss-nnn.aat (Audiocaptures, WAV)
- /tmp/kk0-DDMMyy-HHmmss-nnn.kkt (Keylogs)
- /tmp/dd0-DDMMyy-HHmmss-nnn.ddt (Arbitrary Data)
DDMMyy = date: 280116 = 2016-01-28
HHmmss = time: 154411 = 15:44:11
nnn = milliseconds.
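The staging-file naming scheme above and the $HOME/.config/autostart persistence are both cheap to look for on a host. The following Python is an added example and not code from the Kaspersky analysis: it parses the /tmp file names into their kind and timestamp, and applies a heuristic of my own to .desktop autostart entries (flagging an Exec that points into a hidden directory under $HOME, as the .dropbox/DropboxCache location above does). The directory listing and .desktop texts are constructed for the example.

```python
import re
from datetime import datetime

# Naming scheme of the Linux variant's staging files in /tmp:
# <kind>0-DDMMyy-HHmmss-nnn.<kind>t, e.g. ss0-280116-154411-042.sst
_STAGING = re.compile(
    r"^/tmp/(?P<prefix>ss|aa|kk|dd)0-(?P<date>\d{6})-(?P<time>\d{6})-(?P<ms>\d{3})"
    r"\.(?P<ext>sst|aat|kkt|ddt)$"
)
_KIND = {"ss": "screenshot", "aa": "audio", "kk": "keylog", "dd": "data"}

# Constructed /tmp listing: four staging files plus two unrelated entries.
SAMPLE_TMP_LISTING = [
    "/tmp/ss0-280116-154411-042.sst",
    "/tmp/aa0-280116-154412-007.aat",
    "/tmp/kk0-280116-154413-100.kkt",
    "/tmp/dd0-280116-154414-999.ddt",
    "/tmp/.X11-unix",
    "/tmp/report.txt",
]


def parse_staging_name(path):
    """Kind and timestamp of a Mokes-style staging file, or None."""
    m = _STAGING.match(path)
    if not m or m["ext"] != m["prefix"] + "t":   # prefix and extension must agree
        return None
    stamp = datetime.strptime(m["date"] + m["time"], "%d%m%y%H%M%S")
    return {
        "kind": _KIND[m["prefix"]],
        "timestamp": stamp.replace(microsecond=int(m["ms"]) * 1000),
    }


def find_staging_files(paths):
    """Filter a directory listing down to matching staging files."""
    hits = []
    for p in paths:
        parsed = parse_staging_name(p)
        if parsed:
            hits.append((p, parsed))
    return hits


# Constructed .desktop entries: one modelled on the persistence described
# above (hypothetical Exec path), one benign.
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Exec=/home/user/.local/share/.dropbox/DropboxCache
Hidden=false
Name=DropboxCache
"""
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Exec=/usr/bin/nm-applet
Name=Network
"""

_HIDDEN_DIR = re.compile(r"/\.[^/]+/")   # a path component starting with '.'


def desktop_entry_exec(desktop_text):
    """Return the Exec= command of a .desktop file, or None."""
    for line in desktop_text.splitlines():
        if line.startswith("Exec="):
            return line[len("Exec="):].strip()
    return None


def autostart_exec_is_suspicious(desktop_text, home="/home/user"):
    """Heuristic: the autostart executable lives in a hidden dir under $HOME."""
    cmd = desktop_entry_exec(desktop_text)
    if not cmd:
        return False
    exe = cmd.split()[0].strip('"')
    return exe.startswith(home + "/") and _HIDDEN_DIR.search(exe[len(home):]) is not None


if __name__ == "__main__":
    for path, info in find_staging_files(SAMPLE_TMP_LISTING):
        print(path, info["kind"], info["timestamp"].isoformat())
    print("suspicious autostart:", autostart_exec_is_suspicious(SAMPLE_DESKTOP))
```

The autostart heuristic will also flag legitimate user-installed tools under ~/.local/bin, so treat a hit as a triage prompt rather than a verdict; the /tmp name pattern is far more specific and a useful thing to alert on.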
However, audio capturing is not activated in the event timer of this binary, just like the keylogging feature. Since the authors have statically linked libqt, xkbcommon (the library to handle keyboard descriptions) and OpenSSL (1.0.2c) to the binary, the size of the binary is over 13MB. The criminals also didn’t make any effort to obfuscate the binary in any way. In fact, the binary contains almost all symbols, which is very useful during analysis.
There are also references to the author’s source files:
Apparently, it's written in C++ and Qt, a cross-platform application framework. According to the binary's metadata it was compiled using "GCC 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04)" on Ubuntu 14.04 LTS "Trusty Tahr". According to the qt_instdate timestamp, the last time the Qt sources were configured was on 2015-09-26 (qt/qtbase.git: deprecated), which implies that the malware was compiled no earlier than the end of September 2015.
We detect this type of malware as Backdoor.Linux.Mokes.a.
OLMyJuxM.exe aka Backdoor.Win32.Mokes.imv
Just a few days ago, we came across a rather familiar looking sample, although it was compiled for machines running Microsoft Windows. It quickly turned out to be a 32-bit Windows variant of Backdoor.Linux.Mokes.a.
After execution, the malware randomly chooses one of nine different locations in %AppData% to persistently install itself on the machine. The binary also creates a “version”-file in the same folder. As its name implies, it stores just version information, together with the full installation path of the malware itself:
Then the corresponding registry keys are created in HKCU\Software\Microsoft\Windows\CurrentVersion\Run to ensure persistence in the system.
After the malware has executed its own copy in the new location, the SetWindowsHook API is utilized to establish keylogger functionality and to monitor mouse inputs and internal messages posted to the message queue.
The next stage in its operation is to contact the hardcoded C&C server. Besides the different IP addresses and encryption key, we see almost identical behavior.
However, this particular variant uses a slightly different implementation and tries to obtain the default Windows user-agent string.
If this is not successful, the sample uses its hardcoded version:
Like the Linux variant, it connects to its C&C server in the same way: once per minute it sends a heartbeat signal via HTTP (GET /v1). To retrieve commands or to upload or download additional resources, it uses TCP Port 433.
It uses almost the same filename templates to save the obtained screenshots, audio captures, keylogs and other arbitrary data. Unlike the Linux variant, in this sample the keylogger is active. Below you can see the content of a keystroke logfile, located in %TEMP% and created by this sample:
And again, we spotted some unexpected code. The following screenshot shows references to code which is able to capture images from a connected camera, such as a built-in webcam.
Similar to the Linux version, the author left quite a number of suspicious strings in the binary. The following string is surprisingly honest.
From the criminal's point of view, it's important that the software looks legitimate and that Windows doesn't ask the user for confirmation prior to execution of unknown software. On Windows machines this can be achieved by using Trusted Code Signing Certificates. In this particular case, the criminal managed to sign the binary with a trusted certificate from "COMODO RSA Code Signing CA".
We detect this type of malware as Backdoor.Win32.Mokes.imv.
What's next
Since this software was intentionally designed to be platform independent, we might also see corresponding Mac OS X samples in the future.
IOCs
Backdoor.Linux.Mokes.a
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “%PERSISTENT-FILENAME%”, “%PERSISTENT-FILEPATH%”
where %PERSISTENT-FILENAME% is one of the filenames above
and %PERSISTENT-FILEPATH% is the corresponding path
Of all the Q4 2015 events in the world of DDoS attacks and the tools used to launch them, we picked out those that, in our opinion, best illustrate the main trends behind the evolution of these threats.
- Emergence of new vectors for conducting reflection DDoS attacks;
- Increase in number of botnets composed of vulnerable IoT devices;
- Application-level attacks – the workhorse behind DDoS attack scenarios.
Web resources powered by the WordPress content management system (CMS) are popular with cybercriminals who carry out DDoS attacks. This is because WordPress supports the pingback function that notifies the author of a post published on a WordPress site when someone else links to that post on another site running the same CMS. When the post containing the link to the other web resource is published on a site with the enabled pingback function, a special XML-RPC request is sent to the site where the link leads and that resource receives and processes it. During processing, the recipient site may call the source of the request to check for the presence of the content.
This technology allows a web resource (victim) to be attacked: a bot sends a specially formed pingback request specifying the address of the victim resource as the sender to a WordPress site with the pingback function enabled. The WordPress site processes the request from the bot and sends the reply to the victim’s address. By sending pingback requests with the victim’s address to lots of WordPress resources with pingback enabled, the attackers create a substantial load on the victim resource. This is why web resources running WordPress with the pingback function enabled are of interest to cybercriminals.
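The reflection described above leaves a recognisable trace on the victim's side, and a log-based detector for it, written here as an added example rather than anything from the original report, is shown below. It assumes that what reaches the victim are the reflecting WordPress sites' pingback verification fetches, whose User-Agent is assumed to have the form "WordPress/<version>; <reflector URL>; verifying pingback from <address the reflector saw>"; the log lines are constructed.

```python
"""Detect WordPress pingback reflection from an access log (added example, constructed data)."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Apache/nginx "combined" log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Assumed User-Agent of a pingback verification fetch (see lead-in).
PINGBACK_UA_RE = re.compile(
    r"^WordPress/(?P<ver>[^;]+); (?P<site>https?://[^;]+); "
    r"verifying pingback from (?P<claimed>\S+)$"
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line; verification fetches get reflector/claimed-source fields."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ua = PINGBACK_UA_RE.match(m.group("ua"))
    return {
        "src": m.group("src"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "reflector": ua.group("site") if ua else None,
        "claimed_source": ua.group("claimed") if ua else None,
    }


def detect_pingback_flood(lines: List[str], window: timedelta = timedelta(seconds=60),
                          min_reflectors: int = 20) -> Dict[str, object]:
    """Sliding-window count of distinct reflecting WordPress sites.

    One site verifying a pingback is normal; dozens of distinct sites doing
    so within a minute is the reflection pattern described in the report.
    The summary also lists the addresses the reflectors say the pingbacks
    came from, which is what a victim can hand to the reflectors' operators.
    """
    events = [e for e in map(parse_line, lines) if e and e["reflector"]]
    events.sort(key=lambda e: e["ts"])
    in_window: Counter = Counter()  # reflector -> hits inside the current window
    peak, left = 0, 0
    for ev in events:
        in_window[ev["reflector"]] += 1
        while ev["ts"] - events[left]["ts"] > window:  # drop events that fell out
            site = events[left]["reflector"]
            in_window[site] -= 1
            if in_window[site] == 0:
                del in_window[site]
            left += 1
        peak = max(peak, len(in_window))
    return {
        "pingback_requests": len(events),
        "distinct_reflectors": len({e["reflector"] for e in events}),
        "peak_reflectors_in_window": peak,
        "claimed_sources": sorted({e["claimed_source"] for e in events}),
        "alert": peak >= min_reflectors,
    }


def constructed_log() -> List[str]:
    """Two ordinary hits, then 25 distinct reflectors within 25 seconds, plus one
    reflector repeating (which must not be counted as a second site)."""
    lines = [
        '203.0.113.10 - - [12/Nov/2015:10:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
        '203.0.113.11 - - [12/Nov/2015:10:00:05 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    ]
    base = datetime(2015, 11, 12, 10, 0, 10, tzinfo=timezone.utc)
    for i in range(26):
        n = i % 25  # the 26th line repeats reflector 0
        ts = (base + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(
            f'192.0.2.{n + 1} - - [{ts}] "GET /blog/post-{n % 3} HTTP/1.1" 200 8192 "-" '
            f'"WordPress/4.3.1; http://reflector-{n}.example; verifying pingback from 198.51.100.7"'
        )
    return lines


if __name__ == "__main__":
    print(detect_pingback_flood(constructed_log()))
```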
In Q4 2015, resources in 69 countries were targeted by DDoS attacks #KLReportTweet
The power of one such DDoS attack registered by Kaspersky Lab experts amounted to 400 Mbit/sec and lasted 10 hours. The attackers used a compromised web application running WordPress as well as an encrypted connection to complicate traffic filtering.
IoT-based botnets
In October 2015, experts registered a huge number of HTTP requests (up to 20,000 requests per second) coming from CCTV cameras. The researchers identified about 900 cameras around the world that formed a botnet used for DDoS attacks. The experts warn that in the near future new botnets utilizing vulnerable IoT devices will appear.
Three new vectors for carrying out reflection DDoS attacks
Reflection DDoS attacks exploit weaknesses in a third party's configuration to amplify an attack. In Q4, three new amplification channels were discovered. The attackers send traffic to the targeted sites via NetBIOS name servers, domain controller RPC services connected via a dynamic port, and WD Sentinel licensing servers.
Attacks on mail services
In Q4 2015, mail services were especially popular with DDoS attackers.
In particular, activity was detected by the Armada Collective cybercriminal group, which uses DDoS attacks to extort money from its victims. The group is suspected of being involved in an attack on the ProtonMail secure e-mail service in which the cybercriminals demanded $6000 to end the DDoS attack.
In Q4 2015, the largest numbers of DDoS attacks targeted victims in China, the US and South Korea. #KLReportTweet
Kaspersky Lab has extensive experience in combating cyber threats, including DDoS attacks of various types and levels of complexity. The company’s experts monitor botnet activity with the help of the DDoS Intelligence system.
The DDoS Intelligence system (part of Kaspersky DDoS Protection) is designed to intercept and analyze commands sent to bots from command and control (C&C) servers, and does not have to wait until user devices are infected or cybercriminal commands are executed in order to gather data.
This report contains the DDoS Intelligence statistics for the fourth quarter of 2015.
In the context of this report, a single (separate) DDoS attack is defined as an incident during which any break in botnet activity lasts less than 24 hours. If the same web resource was attacked by the same botnet after a break of more than 24 hours, this is regarded as a separate DDoS attack. Attacks on the same web resource from two different botnets are also regarded as separate attacks.
The geographic distribution of DDoS victims and C&C servers is determined according to their IP addresses. In this report, the number of DDoS targets is calculated based on the number of unique IP addresses reported in the quarterly statistics.
It is important to note that DDoS Intelligence statistics are limited to those botnets that were detected and analyzed by Kaspersky Lab. It should also be highlighted that botnets are just one of the tools used to carry out DDoS attacks; therefore, the data presented in this report does not cover every DDoS attack that has occurred within the specified time period.
Q4 Summary
- In Q4, resources in 69 countries were targeted by DDoS attacks.
- 94.9% of the targeted resources were located in 10 countries.
- The largest numbers of DDoS attacks targeted victims in China, the US and South Korea.
- The longest DDoS attack in Q4 2015 lasted for 371 hours (or 15.5 days).
- SYN DDoS, TCP DDoS and HTTP DDoS remain the most common DDoS attack scenarios.
- The popularity of Linux-based bots continued to grow: the proportion of DDoS attacks from Linux-based botnets in the fourth quarter was 54.8%.
By the end of 2015, the geography of DDoS attacks narrowed to 69 countries. 94.9% of targeted resources were located in 10 countries.
Q4 saw a considerable increase in the proportion of DDoS attacks targeting resources located in China (from 34.5% to 50.3%) and South Korea (from 17.7% to 23.2%).
Distribution of unique DDoS attack targets by country, Q3 vs Q4 2015
The share of DDoS targets located in the US dropped by 8 percentage points, which saw it move down to third place and South Korea climb to second.
Croatia with 0.3% (-2.5 percentage points) and France, whose share fell from 1.1% to 0.7%, left the Top 10. They were replaced by Hong Kong, with the same proportion as the previous quarter, and Taiwan, whose share increased by 0.5 percentage points.
The statistics show that 94% of all attacks had targets within the Top 10 countries:
Distribution of DDoS attack by country, Q3 vs Q4 2015
In the fourth quarter, the Top 3 ranking remained the same, although the US and South Korea swapped places: South Korea's contribution grew by 4.3 percentage points, while the US share dropped by 11.5 percentage points. The biggest increase in the proportion of DDoS attacks in Q4 was observed in China – its share grew by 18.2 percentage points.
Changes in DDoS attack numbers
In Q4 2015, DDoS activity was distributed more or less evenly, with the exception of one peak that fell in late October and an increase in activity in early November.
The peak number of attacks in one day was 1,442, recorded on 2 November. The quietest day was 1 October – 163 attacks.
Number of DDoS attacks over time* in Q4 2015.
* DDoS attacks may last for several days. In this timeline, the same attack may be counted several times, i.e. one time for each day of its duration.
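The attack definition given in the methodology (a break of more than 24 hours in the same botnet's activity against the same target starts a new attack; a second botnet against the same target is a separate attack) and the timeline convention in the footnote above (a multi-day attack is counted once on each day it spans) can both be made concrete in code. The following is an added example, not the DDoS Intelligence system's own code; the observations it segments are constructed (timestamp, target, botnet) tuples.

```python
"""Segment observations into DDoS attacks and count them per day (added example)."""
from collections import Counter, defaultdict
from datetime import date, datetime, timedelta
from typing import Dict, List, Tuple

Observation = Tuple[datetime, str, str]  # (timestamp, target, botnet)

# The report treats a break of less than 24 h as the same attack and more
# than 24 h as a new one; a break of exactly 24 h is kept as one attack here.
BREAK = timedelta(hours=24)


def segment_attacks(observations: List[Observation]) -> List[Dict[str, object]]:
    """Group observations into attacks keyed by (target, botnet)."""
    per_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ts, target, botnet in observations:
        per_pair[(target, botnet)].append(ts)
    attacks: List[Dict[str, object]] = []
    for (target, botnet), stamps in per_pair.items():
        stamps.sort()
        start = prev = stamps[0]
        for ts in stamps[1:]:
            if ts - prev > BREAK:  # break longer than 24 h: close the attack
                attacks.append({"target": target, "botnet": botnet, "start": start, "end": prev})
                start = ts
            prev = ts
        attacks.append({"target": target, "botnet": botnet, "start": start, "end": prev})
    return sorted(attacks, key=lambda a: (a["start"], a["target"], a["botnet"]))


def attacks_per_day(attacks: List[Dict[str, object]]) -> Dict[date, int]:
    """Count attacks per calendar day; an attack spanning N days is counted N times."""
    counts: Counter = Counter()
    for a in attacks:
        day = a["start"].date()
        while day <= a["end"].date():
            counts[day] += 1
            day += timedelta(days=1)
    return dict(counts)


def longest_attack_hours(attacks: List[Dict[str, object]]) -> float:
    """Duration in hours of the longest attack (0.0 if there are none)."""
    return max(((a["end"] - a["start"]).total_seconds() / 3600 for a in attacks), default=0.0)


def constructed_observations() -> List[Observation]:
    """Constructed sample covering each rule of the definition."""
    d = datetime
    return [
        (d(2015, 10, 1, 0, 0), "A", "X"),
        (d(2015, 10, 1, 10, 0), "A", "X"),
        (d(2015, 10, 2, 3, 0), "A", "X"),   # 17 h gap: same attack
        (d(2015, 10, 4, 0, 0), "A", "X"),   # 45 h gap: new attack
        (d(2015, 10, 1, 12, 0), "A", "Y"),  # second botnet, same target: separate attack
        (d(2015, 10, 2, 6, 0), "B", "X"),
        (d(2015, 10, 3, 5, 0), "B", "X"),   # 23 h gap: same attack
    ]


if __name__ == "__main__":
    found = segment_attacks(constructed_observations())
    for a in found:
        print(a["target"], a["botnet"], a["start"], "->", a["end"])
    print("longest (h):", longest_attack_hours(found))
    for day, n in sorted(attacks_per_day(found).items()):
        print(day, n)
```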
Monday and Tuesday were the most active days of the week in terms of DDoS attacks. In Q4, the number of attacks carried out on a Monday was 5.7 percentage points more than in the previous quarter. The figure for Tuesdays changed slightly (-0.3 percentage points).
Distribution of DDoS attack numbers by day of the week, Q4 2015
Types and duration of DDoS attacks
97.5% of DDoS targets in Q4 2015 (vs. 99.3% in Q3) were attacked by bots belonging to one family. In just 2.4% of all cases cybercriminals launched attacks using bots from two different families (used by one or more botnet masters). In 0.1% of cases three or more bots were used, mainly from the Sotdas, Xor and BillGates families.
The longest DDoS attack in Q4 2015 lasted for 371 hours (or 15.5 days). #KLReportTweet
The ranking of the most popular attack methods remained unchanged, although SYN DDoS (57%) and TCP DDoS (21.8%) added 5.4 and 1.9 percentage points respectively.
The distribution of DDoS attacks by type
Once again, most attacks lasted no longer than 24 hours in Q4 2015.
The distribution of DDoS attacks by duration (hours)
The maximum duration of attacks increased again in the fourth quarter. The longest DDoS attack in the previous quarter lasted for 320 hours (13.3 days); in Q4, this record was beaten by an attack that lasted 371 hours (15.5 days).
C&C servers and botnet types
In Q4 2015, South Korea maintained its leadership in terms of the number of C&C servers located on its territory, with its share growing by 2.4 percentage points. The US share decreased slightly – from 12.4% to 11.5%, while China’s contribution grew by 1.4 percentage points.
In Q4 2015, SYN DDoS, TCP DDoS and HTTP DDoS remain the most common DDoS attack scenarios. #KLReportTweet
The Top 3 ranking remained the same. The countries in fourth and fifth switched places – Russia’s share increased from 4.6% to 5.5%, while the share of the UK declined from 4.8% to 2.6%.
Distribution of botnet C&C servers by country in Q4 2015
The proportion of DDoS attacks from Linux-based botnets in Q4 2015 was 54.8% #KLReportTweet
In Q4, the balance between active Windows-based and Linux-based bots shifted: the proportion of attacks launched by Linux bots grew from 45.6% to 54.8%.
Correlation between attacks launched from Windows and Linux botnets
Conclusion
Events in Q4 2015 demonstrated that the cybercriminals behind DDoS attacks utilize not only what are considered to be classic botnets that include workstations and PCs but also any other vulnerable resources that are available. These include vulnerable web applications, servers and IoT devices. In combination with new channels for carrying out reflection DDoS attacks this suggests that in the near future we can expect a further increase in DDoS capacity and the emergence of botnets consisting of new types of vulnerable devices.
Late last year, a wave of cyber-attacks hit several critical sectors in Ukraine. Widely discussed in the media, the attacks took advantage of known BlackEnergy Trojans as well as several new modules.
BlackEnergy is a Trojan that was created by a hacker known as Cr4sh. In 2007, he reportedly stopped working on it and sold the source code for an estimated $700. The source code appears to have been picked up by one or more threat actors and was used to conduct DDoS attacks against Georgia in 2008. These unknown actors continued launching DDoS attacks over the next few years. Around 2014, a specific user group of BlackEnergy attackers came to our attention when they began deploying SCADA-related plugins to victims in the ICS and energy sectors around the world. This indicated a unique skillset, well above the average DDoS botnet master.
For simplicity, we’re calling them the BlackEnergy APT group.
One of the preferred targets of the BlackEnergy APT has always been Ukraine. Since the middle of 2015, one of the preferred attack vectors for BlackEnergy in Ukraine has been Excel documents with macros that drop the Trojan to disk if the user chooses to run the script in the document.
A few days ago, we discovered a new document that appears to be part of the ongoing BlackEnergy APT group attacks against Ukraine. Unlike previous Office files used in previous attacks, this is not an Excel workbook, but a Microsoft Word document. The lure used a document mentioning the Ukraine "Right Sector" party and appears to have been used against a television channel.
Introduction
At the end of the last year, a wave of attacks hit several critical sectors in Ukraine. Widely discussed in the media and by our colleagues from ESET, iSIGHT Partners and other companies, the attacks took advantage of both known BlackEnergy Trojans as well as several new modules. A very good analysis and overview of the BlackEnergy attacks in Ukraine throughout 2014 and 2015 was published by the Ukrainian security firm Cys Centrum (the text is only available in Russian for now, but can be read via Google Translate).
In the past, we have written about BlackEnergy, focusing on their destructive payloads, Siemens equipment exploitation and router attack plugins. You can read blogs published by my GReAT colleagues Kurt Baumgartner and Maria Garnaeva here and here. We also published about the BlackEnergy DDoS attacks.
Since mid-2015, one of the preferred attack vectors for BlackEnergy in Ukraine has been Excel documents with macros which drop the trojan to disk if the user chooses to run the script in the document.
For the historians out there, Office documents with macros were a huge problem in the early 2000s, when Word and Excel supported Autorun macros. That meant that a virus or trojan could run upon the loading of the document and automatically infect a system. Microsoft later disabled this feature and current Office versions need the user to specifically enable the Macros in the document to run them. To get past this inconvenience, modern day attackers commonly rely on social engineering, asking the user to enable the macros in order to view “enhanced content”.
A few days ago, we came across a new document that appears to be part of the ongoing BlackEnergy attacks against Ukraine. Unlike previous Office files used in the recent attacks, this is not an Excel workbook, but a Microsoft Word document:
“$RR143TB.doc” (md5: e15b36c2e394d599a8ab352159089dd2)
This document was uploaded to a multiscanner service from Ukraine on Jan 20 2016, with relatively low detection. It has a creation_datetime and last_saved field of 2015-07-27 10:21:00. This means the document may have been created and used earlier, but was only recently noticed by the victim.
Upon opening the document, the user is presented with a dialog recommending the enabling of macros to view the document.
Interestingly, the document lure mentions “Pravii Sektor” (the Right Sector), a nationalist party in Ukraine. The party was formed in November 2013 and has since played an active role in the country’s political scene.
To extract the macros from the document without using Word, or running them, we can use a publicly available tool such as oledump by Didier Stevens. Here’s a brief cut and paste:
As we can see, the macro builds a string in memory that contains a file that is created and written as “vba_macro.exe”.
The file is then promptly executed using the Shell command.
The vba_macro.exe payload (md5: ac2d7f21c826ce0c449481f79138aebd) is a typical BlackEnergy dropper. It drops the final payload as “%LOCALAPPDATA%\FONTCACHE.DAT”, which is a DLL file. It then proceeds to run it, using rundll32:
To ensure execution on every system startup, the dropper creates a LNK file into the system startup folder, which executes the same command as above on every system boot.
The final payload (FONTCACHE.DAT, md5: 3fa9130c9ec44e36e52142f3688313ff) is a minimalistic BlackEnergy (v3) trojan that proceeds to connect to its hardcoded C&C server, 22.214.171.124, on Port 80. The server was previously mentioned by our colleagues from ESET in their analysis earlier this month. The server is currently offline, or limits the connections by IP address. If the server is online, the malware issues an HTTP POST request to it, sending basic victim info and requesting commands.
The request is BASE64 encoded. Some of the fields contain:
The b_id contains a build id and a unique machine identifier and is computed from system information, which makes it unique per victim. This allows the attackers to distinguish between different infected machines in the same network. The field b_gen seems to refer to the victim ID, which in this case is 301018stb. STB could refer to the Ukrainian TV station "STB", http://www.stb.ua/ru/. This TV station has been publicly mentioned as a victim of the BlackEnergy Wiper attacks in October 2015.
Conclusions
BlackEnergy is a highly dynamic threat actor and the current attacks in Ukraine indicate that destructive actions are on their main agenda, in addition to compromising industrial control installations and espionage activities.
Our targeting analysis indicates the following sectors have been actively targeted in recent years. If your organization falls into these categories, then you should take BlackEnergy into account when designing your defences:
- ICS, Energy, government and media in Ukraine
- ICS/SCADA companies worldwide
- Energy companies worldwide
The earliest signs of destructive payloads with BlackEnergy go back as far as June 2014. However, the old versions were crude and full of bugs. In the recent attacks, the developers appear to have gotten rid of the unsigned driver which they relied upon to wipe disks at low level and replaced it with more high level wiping capabilities that focus on file extensions as opposed to disks. This is no less destructive than the disk payloads, of course, and has the advantage of not requiring administrative privileges as well as working without problems on modern 64-bit systems.
Interestingly, the use of Word documents (instead of Excel) was also mentioned by ICS-CERT, in their alert 14-281-01B.
It is particularly important to remember that all types of Office documents can contain macros, not just Excel files. This also includes Word, as shown here and in the ICS-CERT alert, and PowerPoint, as previously mentioned by Cys Centrum.
In terms of the use of Word documents with macros in APT attacks, we recently observed the Turla group relying on Word documents with macros to drop malicious payloads (Kaspersky Private report available). This leads us to believe that many of these attacks are successful and their popularity will increase.
We will continue to monitor the BlackEnergy attacks in Ukraine and update our readers with more data when available.
Kaspersky Lab products detect the various trojans mentioned here as: Backdoor.Win32.Fonten.* and
To know more about countering BlackEnergy and similar offensives, read this article on Kaspersky Business Blog.
Indicators of compromise
Word document with macros (Trojan-Downloader.Script.Generic):
e15b36c2e394d599a8ab352159089dd2
Dropper from Word document (Backdoor.Win32.Fonten.y):
ac2d7f21c826ce0c449481f79138aebd
Final payload from Word document (Backdoor.Win32.Fonten.o):
3fa9130c9ec44e36e52142f3688313ff
BlackEnergy C&C Server:
We were recently analyzing a family of mobile banking Trojans called Trojan-Banker.AndroidOS.Asacub, and discovered that one of its C&C servers (used, in particular, by the earliest modification we know of, as well as by some of the more recent ones) at chugumshimusona[.]com is also used by CoreBot, a Windows spyware Trojan. This prompted us to do a more detailed analysis of the mobile banking Trojan.
The earliest versions of Asacub that we know of emerged in the first half of June 2015, with functionality that was closer to that of spyware Trojans than to banking malware. The early Asacub stole all incoming SMS messages regardless of who sent them, and uploaded them to a malicious server. The Trojan was capable of receiving and processing the following commands from the C&C:
- get_history: upload browser history to a malicious server;
- get_contacts: upload list of contacts to a malicious server;
- get_listapp: upload a list of installed applications to a malicious server;
- block_phone: turn off the phone’s screen;
- send_sms: send an SMS with a specified text to a specified number.
New versions of Asacub emerged in the second half of July 2015. The malicious files that we are aware of used the logos of European banks in their interface, unlike the early versions of the Trojan, which used the logo of a major US bank.
There was also a dramatic rise in the number of commands that Asacub could execute:
- get_sms: upload all SMSs to a malicious server;
- del_sms: delete a specified SMS;
- set_time: set a new time interval for contacting the C&C;
- get_time: upload the time interval for contacting the C&C to the C&C server;
- mute_vol: mute the phone;
- start_alarm: enable phone mode in which the device processor continues to run when the screen goes blank;
- stop_alarm: disable phone mode in which the device processor continues to run when the screen goes blank;
- block_phone: turn off the phone’s screen;
- rev_shell: remote command line that allows a cybercriminal to execute commands in the device’s command line;
- intercept_start: enable interception of all incoming SMSs;
- intercept_stop: disable interception of all incoming SMSs.
One command that was very unusual for this type of malware was rev_shell, or Reverse shell, a remote command line. After receiving this command, the Trojan connects a remote server to the console of the infected device, making it easy for cybercriminals to execute commands on the device, and see the output (results) of those commands. This functionality is typical of backdoors and very rarely found in banking malware – the latter aims to steal money from the victim’s bank account, not control the device.
The most recent versions of Asacub – detected in September 2015 or later – have functionality that is more focused on stealing banking information than earlier versions. While earlier versions only used a bank logo in an icon, in the more recent versions we found several phishing screens with bank logos.
One of the screenshots was in Russian and was called ‘ActivityVTB24’ in the Trojan’s code. The name resembles that of a large Russian bank, but the text in the screen referred to the Ukrainian bank Privat24.
Phishing screens were present in all the modifications of Asacub created since September that are known to us, but only the window with bank card entry fields was used. This could mean that the cybercriminals only plan to attack the users of banks whose logos and/or names they use, or that a version of Asacub already exists that does so.
After launching, the ‘autumnal version’ of the Trojan begins stealing all incoming SMSs. It can also execute the following commands:
- get_history: upload browser history to a malicious server;
- get_contacts: upload list of contacts to a malicious server;
- get_cc: display a phishing window used to steal bank card data;
- get_listapp: upload a list of installed applications to a malicious server;
- change_redir: enable call forwarding to a specified number;
- block_phone: turn off the phone’s screen;
- send_ussd: run a specified USSD request;
- update: download a file from a specified link and install it;
- send_sms: send an SMS with a specified text to a specified number.
Although we have not registered any Asacub attacks on users in the US, the fact that the logo of a major US bank is used should serve as a warning sign. It appears the Trojan is developing rapidly, and new dangerous features, which could be activated at any time, are being added to it.
As for the relationship between Asacub and the Corebot Trojan, we were unable to trace any link between them, except that they share the same C&C server. Asacub could be Corebot's mobile version; however, it is more likely that the same malicious actor purchased both Trojans and has been using them simultaneously.
Asacub today
Very late in 2015, we discovered a fresh Asacub modification capable of carrying out new commands:
- GPS_track_current – get the device’s coordinates and send them to the attacker;
- camera_shot – take a snapshot with the device’s camera;
- network_protocol – in those modifications we know of, receiving this command doesn’t produce any results, but there could be plans to use it in the future to change the protocol used by the malware to interact with the C&C server.
This modification does not include any phishing screens, but banks are still mentioned in the code. Specifically, the Trojan keeps attempting to close the window of a certain Ukrainian bank’s official app.
Code used to close a banking application
In addition, our analysis of the Trojan’s communication with its C&C server has shown that it frequently gets commands to work with the mobile banking service of a major Russian bank.
During the New Year holidays, the new modification was actively distributed in Russia via SMS spam. In just one week, from December 28, 2015 to January 4, 2016, we recorded attempts to infect over 6,500 unique users. As a result, the Trojan made the Top 5 most active malicious programs. After that, the activity of the new Asacub modification declined slightly. We continue to follow developments related to this malware.
When mass-produced electronic spying programs became widely known by the public, many email providers, businesses, and individuals started to use data encryption. Some of them have implemented forced encryption solutions to server connections, while others went further and implemented end-to-end encryption for data transmission as well as server storage.
Unfortunately, albeit important, said measures did not solve the core problem. Well, the original architectural design used in emails allows for metadata to be read as plain text on both sent and received messages. Said metadata includes recipient, sender, sent/receipt date, subject, message size, whether there are attachments, and the email client used to send out the message, among other data.
This information is enough for someone behind targeted campaigns attacks to reconstruct a time line for conversations, learn when people communicate with one another, what they talk about, and how often they communicate. Using this information to fill in the gaps, threat actors are able to learn enough about their targets.
In addition to the above, technologies are evolving, so something that is encrypted today may be easily decrypted a few years later, sometimes only months later, depending on how strong the encryption key is and how fast technologies are developing.
Said scenario has made people move away from email exchanges when it comes to confidential conversations. Instead, they started using secure mobile messaging applications with end-to-end encryption, no server storage and timed deletion. On the one hand, these applications manage strong data and connection encryptions. On the other hand, they manage auto deletion on cell phones and provider servers. Finally, they practically have no metadata or are impersonal, thus not allowing identifiers about targets or data correlation. This way, conversations are truly kept confidential, safe, and practical.
Naturally, this scenario has made threat actors develop implants for mobile devices since, from a hacking perspective, they address all the aforementioned technical limitations―that is, the inability to intercept conversations between users who have migrated to these secure mobile messaging applications. What is an implant? This is an interesting terminology invented by the very same threat actors behind targeted attacks. We saw it for the first time during the Careto campaign we announced a few years ago.
Now we will analyze some implants developed by HackingTeam to infect mobile devices running on iOS (Apple), Android, Blackberry, and Windows Mobile. HackingTeam isn't the only group developing mobile implants. There are several campaigns with different roots, which have been investing in the development of mobile malware and used it in targeted attacks at the regional and international level.
Implants for Androids
Android-based phones are more affordable and, consequently, more popular worldwide. That is why threat actors responsible for targeted attacks have Android phones as their #1 priority and have developed implants for this operating system in particular.
Let’s analyze what one of these implants is capable of.
It is well known that the encryption used for SMS text messages is weak, so it is safe to assume that practically all text messages can be intercepted. That is precisely why many users have moved to instant messaging applications. In the code fragment above, we can see how the implant obtains access to the message database used by WeChat, a mobile messaging application.
Let's assume that the messaging application used by the victim really is secure and applies strong end-to-end encryption, but that all messages sent and received are stored locally. Even then, the threat actors can decode these messages: once they steal the database along with the encryption key stored on the victim's device, they can decrypt all of its contents. This includes every element of the database, not only text but also shared geographic locations, pictures, files and other data.
Besides, the threat actors can control the device's camera. They can even take pictures of the victim to confirm their identity, and correlate this with other data, such as the wireless network provider the phone is connected to.
Actually, it doesn't matter which application the victim is using. Once the mobile endpoint is infected, the threat actors can read all messages the victim sends and receives. In the following code segments, we can see the instructions used to interact with the messaging applications Viber and WhatsApp.
If a mobile device is compromised with an implant, the rule becomes very simple: if you can read a secure message on your screen, the threat actor behind that implant can read it too.

Implants for iOS
Undoubtedly, Apple mobile devices also enjoy a large market share. In some markets, they are certainly more popular than Android devices.
Apple has designed the security architecture of its devices very well. However, that doesn't make them completely immune to malware, especially when high-profile threat actors are involved.
There are several infection vectors for these devices. When high-profile targets are selected, the threat actors behind these targeted attacks may use exploits that cost hundreds of thousands of dollars but are highly effective. For average-profile targets, less sophisticated but equally effective infection techniques are used; for example, installing the malware from a previously infected computer when the mobile device is connected to it through a USB port.
What technical abilities do iOS implants have? Let’s see the following implant example:
This Trojan infects iOS devices while the victim is charging them, relying on a jailbreak of the device: if the target usually charges the phone over a USB cable connected to a computer, the pre-infected computer can force a complete jailbreak of the device and, once that is done, install the implant.
In this code, you can see that the attacker is able to infect the device and confirm the victim's identity. This is a crucial step in targeted attacks, since the threat actors don't want to infect the wrong victim and, worse yet, lose control of the implant and spoil the whole operation by exposing the attack publicly.
Consequently, one of the technical abilities of these implants is to verify the victim's phone number, along with other data, to make sure they aren't targeting the wrong person.
As part of this preliminary reconnaissance, the implant also checks the device name and exact model, battery status, Wi-Fi connection data and the IMEI number, which is unique to each device.
Why check the battery status? There are several reasons, the main one being that data extracted from an infected device is transferred to the attacker's server over the internet. When a phone is transferring data, whether over a data plan or Wi-Fi, the battery drains faster than normal. If the threat actors exfiltrate data at an unsuitable moment, the victim could easily notice that something is wrong with the phone: the battery gets hot and drains faster than usual. That is why attackers prefer to exfiltrate information, especially large data such as photos or videos, while the battery is charging and the phone is connected to Wi-Fi.
A key part of spying is combining the victim's real world with their digital one. In other words, the objective is not only to steal information stored on the phone, but also to eavesdrop on conventional conversations held offline. How? By enabling the front camera and microphone on the hacked device. The problem is that, unless the phone is in silent or vibrate mode, it makes a distinctive sound when the camera takes a picture. The solution? Implants have a special setting that disables camera sounds.
Once the victim is confirmed, the attacker starts collecting the information they are interested in. The code below shows that the threat actors are interested in their victims' Skype conversations.
This way, threat actors have complete control over their victims' conversations. In this example, Skype is the messaging application being targeted, but it could be any application, including those considered very secure. As mentioned above, the weakest link is the mobile endpoint and, once it is compromised, there is no need to crack any encryption algorithm, however strong.

Implants for BlackBerry
Some targets may use BlackBerry phones, whose operating system is known as one of the most secure on the market. Even so, the threat actors behind targeted attacks don't lag behind; they have their arsenal ready.
This implant is characterized by strong code obfuscation, which makes analysis a complex task. Looking at the code, it is clear that although the implant comes from the same threat actor, it was written by a different developer group, as if a specific team were in charge of implants for this operating system.
What actions can these implants perform on an infected BlackBerry device? Several:
- Checking the Battery Status
- Tracking the victim’s geographic location
- Detecting when a SIM card is replaced
- Reading text messages stored within the device
- Compiling a list of calls made and received by the device.
Once BlackBerry phones start using the Android operating system, threat actors will have even farther-reaching capabilities.

Implants for Windows Mobile
Windows Mobile isn't the most popular mobile operating system on the market, but it is the native OS on Nokia devices, which are preferred by people looking for quality and a solid track record. Some targets may use this operating system, which is why implants for Windows Mobile are under development as well. Next, we look at the technical scope of these implants.
When infecting a victim's device, this implant hides in a dynamic library named bthclient.dll, which poses as a Bluetooth driver.
The technical abilities of these implants are practically limitless. Among other things, the threat actors can collect:
- A list of apps installed,
- The name of the Wi-Fi access point to which the victim is connected,
- Clipboard content that usually contains information of interest to the victim and, consequently, to the attacker.
Threat actors may even be able to learn the name of the APN that victims connect to while using the data plan through their provider.
Additionally, threat actors can actively monitor specific applications, such as the native email client and communications hub being used by a Windows Mobile device to process the victim’s communication data.
Considering the explanation in the introduction, the most sensitive conversations probably take place in end-to-end encrypted mobile applications rather than in PGP-encrypted email. Threat actors are aware of this, which is why they have been actively developing implants not only for desktop computers but also for mobile devices. Infecting a mobile device has clear advantages over a traditional computer: victims carry their phones everywhere, so these devices contain information their work computers don't; mobile devices are usually less protected technologically; and victims often don't believe their phones could ever be infected.
Despite strong data encryption, a compromised mobile endpoint is completely exposed to spying, since threat actors can read messages just as the user can. They don't need to struggle with encryption algorithms or intercept data at the network layer; they simply read the information the same way their victim does.
Mobile implants don't belong to the mass attacks launched by cybercriminals; they are used in targeted attacks in which victims are carefully selected beforehand.

What Makes You A Target?
There are several factors involved in being a target, including whether you are a politically exposed person, have contacts of interest to threat actors, are working on a secret or sensitive project that is also of interest, among others. One thing is certain: if you’re targeted by such an attack, the probability of infection is very high.
Everything we're seeing now is a battle of numbers. You cannot decide whether you'll become a target, but you can raise the cost of an attack to the point where threat actors give up and move on to a cheaper target, one that is more attractive in terms of time invested and the risk of the campaign being discovered.

How Can Someone Elevate the Cost of an Attack?
Here is a set of best practices and general habits. Each case is unique, but the main idea is to demotivate threat actors by making their operation so laborious that its risk of failure increases.
Among the basic recommendations to improve the security of our mobile devices, we could highlight the following:
- Always use a VPN connection to access the internet. This makes your network traffic harder to intercept and harder to tamper with, for example by injecting malware directly into a legitimate application being downloaded from the internet.
- Do not charge your mobile devices using a USB port connected to a computer. The best thing you can do is to plug your phone directly into the AC power adapter.
- Install an anti-malware program, and make it the best one available. The future of these solutions seems to lie in the same technologies already used for desktop security: Default Deny and whitelisting.
- Protect your devices with a password, not a PIN. If the PIN is discovered, threat actors with physical access to your device can install an implant without your knowledge.
- Use encryption for the storage on your mobile devices. This advice is especially relevant for devices with removable memory cards: if threat actors extract the card and connect it to another device, they can easily manipulate your operating system and your data.
- Do NOT Jailbreak your device, especially if you’re not very sure what it implies.
- Don't use second-hand phones, which may come with pre-installed implants. This is especially important if the phone comes from someone you don't know well.
- Always keep the operating system in your mobile device updated and install the latest upgrade as soon as it becomes available.
- Review all processes being executed in your device memory.
- Review all authorized apps in your system and disable the automatic data submission function for logs and other service data, even if the communication is between your cell phone and your provider.
- Finally, keep in mind that, without a doubt, conventional conversations in a natural environment are always safer than those carried out electronically.
Perhaps one of the most explosively discussed subjects of 2015 was the compromise and data dump of Hacking Team, the infamous Italian spyware company.
For those who are not familiar with the subject, Hacking Team was founded in 2003 and specialized in selling spyware and surveillance tools to governments and law enforcement agencies. On July 5, 2015, a large amount of data from the company was leaked to the Internet with a hacker known as “Phineas Fisher” claiming responsibility for the breach. Previously, “Phineas Fisher” did a similar attack against Gamma International, another company in the spyware/surveillance business.
The hacking of Hacking Team was widely discussed in the media from many different points of view, such as the legality of selling spyware to oppressive governments, the quality (or lack of…) of the tools and leaked email spools displaying the company’s business practices.
One of these stories attracted our attention.

How a Russian hacker made $45,000 selling a 0-day Flash exploit to Hacking Team
So reads the title of a fascinating article written for Ars Technica by Cyrus Farivar on July 10, 2015. The article tells the story of Vitaliy Toropov, a 33-year-old exploit developer from Moscow who made a living by selling zero-day vulnerabilities to companies such as Hacking Team.
In the Ars Technica article, Cyrus writes the following paragraph, which shows the original offer from the exploit seller:
Excerpt from the Ars Technica article
For a company like Hacking Team, zero-days are their “bread and butter” — their software cannot infect their targets without effective exploits and zero-days, especially those that can bypass modern defense technologies such as ASLR and DEP. Those exploits are in very high demand.
The trade between these two continued until they finally agreed on purchasing an Adobe Flash Player zero-day, now defunct, for which Vitaliy Toropov promptly received a $20,000 advance payment.
A good salesman, Vitaliy Toropov immediately mailed back and offered a discount on the next purchases. So writes Cyrus, in his Ars Technica story:
Excerpt from the Ars Technica article
This section of the story immediately caught our attention. A Microsoft Silverlight exploit written more than two years ago that may still work? If true, it would be a heavyweight bug with huge potential against many major targets. For instance, when you install Silverlight, it registers itself not only in Internet Explorer but also in Mozilla Firefox, so the attack surface could be quite large.

The hunt for the Silverlight zero-day
In the past, we successfully caught and stopped several zero-days, including CVE-2014-0515 and CVE-2014-0546 (used by the Animal Farm APT group), CVE-2014-0497 (used by the DarkHotel APT group) and CVE-2015-2360 (used by the Duqu APT group). We also found CVE-2013-0633, a Flash Player zero-day that was used by Hacking Team and another unknown group.
We strongly believe that discovery of these exploits and reporting them to the affected software manufacturers free of charge makes the world a bit safer for everyone.
So while reading the Ars Technica story, the idea to catch Vitaliy Toropov’s unknown Silverlight exploit materialized.
How does one catch zero-days in the wild? In our case, we rely on several well-written tools, technologies and our wits. Our internal tools include KSN (Kaspersky Security Network) and AEP (Automatic Exploit Prevention).
To catch this possibly unknown Silverlight exploit, we started by investigating the other exploits written by Vitaliy Toropov. Luckily, he has a rather comprehensive profile on OSVDB, and PacketStorm has a number of entries from him:
This one caught our attention for two reasons:
- It is a Silverlight exploit
- It comes with a proof of concept written by Vitaliy himself
One can easily grab the PoC from the same place:
Which we did.
The archive contains a well-written readme file that describes the bug, as well as source codes for the PoC exploit.
The exploit in this PoC simply launches calc.exe on the victim's machine. The archive includes a debug build compiled by the author, which is extremely useful because it lets us identify the developer's specific programming techniques, such as particular strings or shellcode.
The most interesting file in the archive is:
Size: 17920 bytes
This is the actual DLL that implements the Silverlight exploit from 2013, as coded by Vitaliy Toropov.
With this file in hand, we decided to build several special detections for it. In particular, we wrote a YARA rule for this file which took advantage of several of the specific strings from the file. Here’s what our detection looked like in YARA:
Pretty straightforward, no?
Actually, nowadays we write YARA rules for all high-profile cases and think it's a very effective way to fight cyberattacks. Great props to Victor Manuel Alvarez and the folks at VirusTotal (now Google) for creating such a powerful and versatile tool!

The long wait…
After implementing the detection, we waited, hoping that an APT group would use the exploit. Since Vitaliy Toropov was offering it to Hacking Team, we assumed he had sold it to other buyers as well, and what good is a zero-day if you don't use it?
Unfortunately, for several months, nothing happened. We had already forgotten about this until late November 2015.
On November 25th, one of our generic detections for Toropov’s 2013 Silverlight exploit triggered for one of our users. Hours later, a sample was also uploaded to a multiscanner service from Lao People’s Democratic Republic (Laos).
This file was compiled on July 21, 2015, about two weeks after the Hacking Team breach, which made us think it was probably not one of the older 2013 exploits but a new one.
It took us some time to analyse and understand the bug. When we were absolutely sure it was indeed a new zero-day exploit, we disclosed the bug to Microsoft.
Microsoft confirmed the zero-day (CVE-2016-0034) and issued a patch on January 12, 2016.

Technical analysis of the bug
The vulnerability exists in the BinaryReader class. When you create an instance of this class, you can pass your own implementation of the encoding:
Moreover, that Encoding can use your own Decoder class:
Looking at the BinaryReader.Read() code, we see the following:
Indeed, the "index" value was checked correctly before this call:
But if you look deeper inside InternalReadChars (this function is marked as unsafe and uses pointer manipulation), you will see the following code:
The problem arises because the GetChars function can be user-defined, for instance:
Therefore, as you can see, we can control the "index" variable from user-defined code. Let's do some debugging.
This is the Test.buf variable, where 05 is the array length before triggering the vulnerability:
After calling BinaryReader.Read, we stop in the InternalReadChars method (index is 0):
After this call, we stop in the user-defined code:
This is the first call of the user-defined function, and we return an incorrect value from it. In the next iteration, the "index" variable contains the incorrect offset:
After changing the offset, we can easily modify memory, for instance:
This is the Test.buf object after our modifications in the decoder method:
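The pattern described above, reduced to a stand-alone C# model. This is an added example, not the Securelist authors' code and not the real BinaryReader source: the class names, the 4-byte chunking that stands in for the stream returning a few bytes at a time, the 16-char "arena" that stands in for heap memory, and the choice of a negative return value are all assumptions. The page's screenshots show the array length field changing, which is consistent with a write at a negative offset, but the real exploit's values are not reproduced here. The hardened loop shows one reasonable check, not necessarily the shape of Microsoft's patch. Compile with unsafe code enabled.

```csharp
// Added example (not Securelist's or Microsoft's code): a reduced model of the
// BinaryReader.InternalReadChars loop. The loop hands the decoder a pointer into
// the destination buffer and then advances "index" by whatever count the decoder
// returns; a user-supplied Decoder that lies about that count moves the next
// write outside the buffer. Names, sizes and the arena are hypothetical.
using System;
using System.Text;

public sealed class LyingDecoder : Decoder
{
    private readonly int _claim;  // count reported on the first call (the lie)
    private bool _lied;

    public LyingDecoder(int claim) { _claim = claim; }

    // Abstract array-based members every Decoder must implement (honest here).
    public override int GetCharCount(byte[] bytes, int index, int count) => count;

    public override int GetChars(byte[] bytes, int byteIndex, int byteCount,
                                 char[] chars, int charIndex)
    {
        int n = Math.Min(byteCount, chars.Length - charIndex);
        for (int i = 0; i < n; i++) chars[charIndex + i] = (char)bytes[byteIndex + i];
        return n;
    }

    // Pointer overload, the one the unsafe reader loop calls. It never writes past
    // charCount; the only dishonesty is the value it returns on the first call.
    public override unsafe int GetChars(byte* bytes, int byteCount,
                                        char* chars, int charCount, bool flush)
    {
        int n = Math.Min(byteCount, charCount);
        for (int i = 0; i < n; i++) chars[i] = (char)bytes[i];
        if (!_lied) { _lied = true; return _claim; }
        return n;
    }
}

public static class ReaderModel
{
    // Stand-in for the stream handing back a few bytes per iteration (assumption),
    // which is what makes the loop run more than once.
    private const int ChunkBytes = 4;

    // Vulnerable shape: "charsRemaining -= charsRead; index += charsRead" with
    // charsRead taken on trust from user-defined code.
    public static unsafe int ReadCharsUnchecked(Decoder decoder, byte[] input,
                                                char* dest, int count)
    {
        int index = 0, pos = 0, charsRemaining = count;
        fixed (byte* pBytes = input)
        {
            while (charsRemaining > 0 && pos < input.Length)
            {
                int numBytes = Math.Min(charsRemaining,
                                        Math.Min(ChunkBytes, input.Length - pos));
                int charsRead = decoder.GetChars(pBytes + pos, numBytes,
                                                 dest + index, charsRemaining, false);
                charsRemaining -= charsRead;  // no validation of charsRead
                index += charsRead;           // attacker-controlled offset from here on
                pos += numBytes;
            }
        }
        return count - charsRemaining;
    }

    // Hardened shape: a decoder can never have produced fewer than zero chars or
    // more than it was given room for, so reject anything else before using it.
    public static unsafe int ReadCharsChecked(Decoder decoder, byte[] input,
                                              char* dest, int count)
    {
        int index = 0, pos = 0, charsRemaining = count;
        fixed (byte* pBytes = input)
        {
            while (charsRemaining > 0 && pos < input.Length)
            {
                int numBytes = Math.Min(charsRemaining,
                                        Math.Min(ChunkBytes, input.Length - pos));
                int charsRead = decoder.GetChars(pBytes + pos, numBytes,
                                                 dest + index, charsRemaining, false);
                if (charsRead < 0 || charsRead > charsRemaining)
                    throw new InvalidOperationException(
                        $"decoder returned {charsRead}, expected 0..{charsRemaining}");
                charsRemaining -= charsRead;
                index += charsRead;
                pos += numBytes;
            }
        }
        return count - charsRemaining;
    }

    public static unsafe void Main()
    {
        // arena[0..7] stands in for memory before the buffer (where an array's
        // length field would sit); arena[8..15] is the 8-char destination buffer.
        char[] arena = new string('.', 16).ToCharArray();
        byte[] input = Encoding.ASCII.GetBytes("ABCDEFGH");

        fixed (char* pArena = arena)
            ReadCharsUnchecked(new LyingDecoder(-4), input, pArena + 8, 8);
        // The first chunk "ABCD" lands inside the buffer, the decoder claims -4,
        // so index becomes -4 and the second chunk "EFGH" is written at
        // arena[4..7], i.e. before the buffer, where a length field would live.
        Console.WriteLine("unchecked: " + new string(arena));

        arena = new string('.', 16).ToCharArray();
        try
        {
            fixed (char* pArena = arena)
                ReadCharsChecked(new LyingDecoder(-4), input, pArena + 8, 8);
        }
        catch (InvalidOperationException e)
        {
            // The lie is caught on the first call, before index is ever advanced.
            Console.WriteLine("checked: " + e.Message);
        }
    }
}
```

The important design point is where the trust boundary sits: `index` is validated once, at the entry to Read(), but the loop then treats a value produced by attacker-supplied code as if it were still within that validation. Any check on the decoder's return value has to happen on every iteration, before the value touches the pointer arithmetic.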
One of the biggest questions we have is whether this is Vitaliy Toropov’s Silverlight zero-day which he tried to sell to Hacking Team. Or is it a different one?
Several things make us think it’s one of his exploits, such as the custom error strings. Of course, there is no way to be sure and there might be several Silverlight exploits out there. One thing is for sure though – the world is a bit safer with the discovery and patching of this one.
One final note: due to copyright reasons, we couldn’t check if the leaked Hacking Team archive has this exploit as well. We assume the security community which found the other zero-days in the HackingTeam leaks will also be able to check for this one.
If you’d like to learn how to write effective YARA rules and catch new APTs and zero-days, why not take our elite YARA training before SAS 2016? Hunt APTs with Yara like a GReAT Ninja (with trainers Costin Raiu, Vitaly Kamluk and Sergey Mineev). The class is almost sold out!
Kaspersky products detect new Silverlight exploit as HEUR:Exploit.MSIL.Agent.gen.
Happy New Year! Microsoft rings in the New Year with a new set of ten security bulletins, MS16-001 through MS16-010, patching 24 CVE-listed vulnerabilities. These bulletins affect Microsoft web browsers and plugins, Office software, Windows system software and Exchange mail servers. Six of them carry a critical rating. The critical bulletins affect the following software:
- Silverlight Runtime
- Internet Explorer
- Microsoft Edge
- VBScript and JScript scripting engine
- Microsoft Office, Visio, and SharePoint
- Windows Win32k Kernel Components
Somewhat surprisingly, with over twenty vulnerabilities, Microsoft claims to be unaware of public exploitation of any of them at the time of reporting, although it acknowledges that at least three were publicly disclosed. Nonetheless, the urgency to patch remains, so please update your software.
Of these, the Silverlight vulnerability CVE-2016-0034 (note that MITRE records the CVE as assigned on 2015.12.04) appears to be the most interesting and most risky, as it enables remote code execution across multiple platforms, including Apple's, for this widespread software. But several of the IE, Edge and add-on vulnerabilities also provide opportunities for mass exploitation. Return to Securelist soon for concrete perspective and upcoming posts detailing past and ongoing exploitation of these issues.
It's also reassuring to see Microsoft security operations pushing ahead on TLS to encrypt web sessions and provide greater privacy. Even their TechNet summary page for these bulletins is served over TLS 1.2, although with 3DES_EDE_CBC, HMAC-SHA1 and an RSA key exchange, a legacy cipher suite that offers no forward secrecy. And it looks like their research group's work on post-quantum TLS key exchange (the full R-LWE paper [pdf], "R-LWE in TLS") hasn't been pushed into production yet. Tomorrow's privacy will have to wait.
In a comment on Reddit this week, user “moeburn” raised the possibility of new malware circulating for Smart TVs:
My sister got a virus on her TV. A VIRUS ON HER GODDAMN TV.
It was an LG Smart TV with a built in web browser, and she managed to get a DNS Hijacker that would say “Your computer is infected please send us money to fix it” any time she tried to do anything on the TV.
We immediately got to work trying to figure out whether this threat targets connected televisions specifically or whether this was an accidental infection. Trying to connect to the web page at the URL visible in the photo does not work; the domain name does not resolve to an IP address at the moment.
Using our favorite search engine, we found many hits for the domain. Besides the host "ciet8jk" (ciet8jk.[maliciousdomain].com), 27 other hosts have been assigned to that domain name and point to the same IP address.
The domain ***-browser-alert-error.com was registered on August 17th, 2015.
It appears that the scam was online for only a few days, so we are sure the image from the TV is at least four months old.
These kind of attacks are nothing new, so we started looking for a server which is currently online to see what exactly the page tries to do.
Unfortunately, we weren’t able to find a live page from that very source, but while searching for the alert message shown in the photo, we found similar domains used for the same scam.
A few examples:
The last domain listed is still online but there is no reply from the server.
All the domain names mentioned have been blocked by Kaspersky Web Protection for several months.
Interestingly, all the IPs belong to Amazon's cloud (54.148.x.x, 52.24.x.x, 54.186.x.x).
Although they used different registrars for the domains, they chose to host the malicious pages in the cloud. This could be because it offers another layer of anonymization, because it's cheaper than other providers, or because they were unsure about the traffic and needed something scalable.
Still unable to find a live page, we kept searching for parts of the alert message, and one hit took us to HexDecoder on ddecode.com, a web page that de-obfuscates scripts or entire web pages. To our surprise, all previous decodings are saved and publicly viewable.
The script checks the URL parameters and displays a different phone number based on the user's location:
DEFAULT (US) : 888581****
France : +3397518****
Australia : +6173106****
UK : +44113320****
New Zealand : +646880****
South Africa : +2787550****
We also ran the file on a Samsung Smart TV and got the same result. It was possible to close the browser, and the page did not change any browser or DNS settings. Turning the TV off and on again also solved the problem. It is possible that other malware was involved in the case reported on Reddit and changed the browser or network settings.
Keep in mind that you should never call those numbers! You might get charged per minute or someone at the end of the line might instruct you to download and install even more malware onto your device.
So in this case, it’s not a new type of malware specifically targeting Smart TVs, but a common threat to all internet users. There are also reports that this scam has hit users on Apple MacBooks; and since it runs in the browser, it can run on Smart TVs and even on smartphones.
These kinds of threats often get combined with exploits and may take advantage of vulnerabilities in the browser, Flash Player or Java. If successful, they may install additional malware on the machine or change DNS settings.
Such behaviour could not be observed in this case, since the malicious pages had already been removed.
Keep in mind, there might be vulnerabilities in the software on your TV! Therefore it’s important to check if your device is up to date. Make sure you installed the latest updates for your Smart TV! Some vendors apply updates automatically, while others leave it to the user to trigger the update manually.
There is malware that works on Smart TV, but it’s not really “in the wild” at the moment. There are several reasons why criminals focus on PC and smartphone users instead of Smart TVs:
- Smart TVs are not often used to surf the web and users seldom install any app from web pages other than the vendor’s App Store – as it is the case with mobile devices
- Vendors are using different operating systems: Android TV, Firefox OS, Tizen, WebOS.
- Hardware and OS may even change from series to series, causing malware to be incompatible.
- There are by far fewer users surfing the web or reading email on the TV compared to PCs or mobile devices.
But remember, for example, that it’s possible to install an app from a USB stick. If your TV runs Android, a malicious app designed for an Android smartphone might even work on your TV.
In a nutshell, this case isn’t malware specifically targeting Smart TVs, but be aware that such websites, as with phishing generally, work on any OS platform you’re using.
Keep your eyes open!
What do you think when you receive yet another spam or phishing message on your mobile phone? Most likely it is: “Who are these people, and how on earth did they get my phone number?” Initially, suspicion usually falls on an unscrupulous employee at some organization that you gave your number to. However, it’s not uncommon for spammers and cybercriminals to use a database harvested from a social network using special software, rather than a “leaked” database of cellphone subscribers.
Information security experts, including us, have reiterated for years that cybercriminals can make use of any information you publish about yourself on a social network. However, a huge number of users still continue to share news and a plethora of personal information with their virtual friends as well as incidental onlookers. This may lead to unpleasant and, at times, unforeseen consequences. To show that this isn't just scaremongering, let me offer an example from the recent activities of our cybercrime investigation team.

A run-of-the-mill cybercrime
This autumn, we helped law enforcement agencies halt the activities of a small Russian cybercriminal gang that specialized in distributing Android malware and stealing money from online banking accounts. The group's plan of action was fairly straightforward: they used a database of cellphone numbers they already had to send short messages containing a link to a banking Trojan. If the infection succeeded, the mobile device became part of a botnet, and the Trojan searched for information about any banking services used by the victim, collecting the data required to access them. The cybercriminals then had the relatively simple task of transferring the victim's money to their own accounts.
It is interesting to note that none of the cybercriminals were professional programmers. When people talk about hackers and stealing money, an image springs to mind of some corrupt programmer who writes malicious code and then uses it to infect the devices of unwitting users. This time, however, we are not talking about professionals with the relevant education and experience. Instead, we assume they spent just enough time on public hacking forums to garner the information and tools required to commit cybercrimes.
One of the tools they employed is of particular interest: it is a parser program that harvests mobile phone numbers from public profiles on the popular Russian social network VKontakte. With the help of this tool, the cybercriminals have created a database of cellphone numbers that was later used to send malicious messages. As far as we know, the social network was the sole source of information from which the cybercriminals harvested their data.
A post on a popular Russian hacker forum advertising an app to harvest the phone numbers of social network users
Russian cybercriminal forums (especially the open forums frequented by amateur fraudsters) have loads of adverts offering this type of software for sale or rent. It is capable of collecting and structuring all valuable information about users, including their first and last names, all published contact data and profile settings – not just mobile phone numbers. The availability of this information offers cybercriminals plenty of opportunities for fraud. The most obvious ways the gathered data can be used are: sending spam (including both advertising and malicious spam), stealing money through premium SMS services, and creating fake SIM cards.
In less than a year the cybercriminals have managed to steal an estimated 600,000 RUR (approximately $8,500). This is a relatively small amount compared to the millions stolen by larger, more advanced cybercriminal groups. However, in this case it is not the amount of money stolen that defines the scope of the problem, but rather the number of similar non-professional cybercriminal groups that are conducting the same sort of activity. Judging by the user complaints that get posted on the support forums of online banks, dozens of these criminal groups appear to be operating.

Beyond Russia
The fact that these types of fraudulent activities mostly take place in Russia and neighboring countries does not mean there is nothing to fear for people living in other countries.
For instance, the early banking Trojans for PCs and mobile devices mostly targeted users living in Russia. However, with time the Russian-language cybercriminals behind those Trojans either radically changed their target “audience” and switched to residents of other countries, or expanded it by creating versions that targeted the residents of other countries.
The criminal group we are looking at used an application that collected the personal information of users from just one social network – VKontakte. However, there are offers on hacking forums for similar tools designed to collect data from other social networks, including Facebook and Instagram. So, it is quite possible that similar schemes exploiting data collected from public sources are already emerging in countries beyond the former Soviet Union, or are likely to emerge in the near future.
An advert posted on a popular Russian public hacking forum offering a parser program designed to harvest users’ mobile phone numbers and other information from Instagram
The countries at most risk include those where pre-paid phone contracts are prevalent and various SMS services are popular, including those that allow bank card operations via SMS.
What to do?
In summary, we would like once again to urge users to publish as little information about themselves in social networks as possible. In particular, do not publish your mobile phone number, or remove it if you already have. This will not completely eliminate the problem of cybercriminals harvesting users’ personal information from social networks, but at least it prevents the easiest ways of stealing your money.
If you or your family and friends use mobile banking services, you should also apply these basic security measures:
- Block installation of apps from third-party sources on the Android device you use for mobile banking;
- Set withdrawal limits for your bank account;
- Restrict or disable the sending of text messages to premium-rate numbers;
- Use a reliable security solution capable of protecting your device from infections.
If you should still fall victim to an attack and your money is stolen, contact the appropriate law enforcement agencies. It is important you do this, because we are seeing an ominous trend: the broad availability of various tools, including malicious ones, and the perceived anonymity of cybercrime create a false sense of security in cybercriminals, which is only exacerbated by the passive attitude of the victims. This encourages an increasing number of people to start acting as cybercriminals in the hope of easy gains. The more cybercriminals that are arrested for these illegal activities, the more obvious it will be that cybercrime doesn’t pay and those contemplating it will be less likely to start committing crimes on the web. This will help make the Web a safer place.
On the eve of major holidays such as Christmas and New Year, mail and delivery services face a dramatic increase in the amount of shipments they have to handle. People are buying far more goods online than usual, looking for bargains in the sales, and sending gifts by mail – both nationally and internationally – to friends and relatives. To ease their customers’ nerves, delivery services send email notifications and provide shipment tracking systems. However, this type of communication also creates the ideal conditions for cybercriminals to send phishing messages in the name of major delivery services, and we end up with an increase in the number of these messages.
The fraudsters have a clear aim: to trick unwitting users into downloading a malicious program or entering their confidential data on a phishing site. For example, one scam message detected by Kaspersky Lab asked the user to fill in and sign a delivery form in order to receive a shipment. The message had a DOC file attached to it containing the exploit Exploit.MSWord.Agent.gg, which allowed the cybercriminal to, among other things, gain remote access to the infected computer.
Phishing message containing Exploit.MSWord.Agent.gg
In another scam message the fraudsters write that the shipment is already at a DHL office, but the courier cannot deliver it because the delivery address is unclear. The recipient is asked to follow a link within 48 hours and enter the shipment number on the tracking page; otherwise, the shipment will be returned to the sender.
A closer inspection reveals that none of the links in the message lead to the DHL site; instead they all point to the same URL packed with the help of a URL shortening service. Another typical fraudster trick is also used in the email – the victim is warned there is a limited amount of time to react (in this case, 48 hours). If the user fails to follow the link in time, the shipment will be returned to the sender. The plan is simple – distract users with warnings about the urgency of doing something quickly rather than giving them time to think things through logically.
If unwitting users follow the link, they are taken to a specially crafted site in the corporate style of DHL, and are prompted to type in their login credentials to enter the shipment tracking system.
The data entered on sites like this is certain to end up in the hands of cybercriminals. The user will receive a message such as “Your account has been successfully updated”, and will be taken to the official DHL site, which will convince the victim that the operation was legitimate.
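As an added, defender-side illustration of the warning signs described above (this is not code from the original article), the Python audit below pulls the links out of an HTML message body and flags a link host that is not the claimed sender's domain, a URL shortener standing in for the real destination, visible link text that names a different site than the href, and a message whose every link funnels to one URL. The shortener list and the sample message are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a short list of public URL-shortener hosts; extend it for real use.
SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co", "ow.ly", "is.gd"}
# Link text that looks like a URL or bare domain, e.g. "www.dhl.com"
DOMAIN_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url: str) -> str:
    """Lower-cased host of a URL or bare domain ('' if there is none)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def audit_links(html: str, claimed_domain: str) -> list:
    """Return (href, reason) findings for links that do not fit the sender the
    message claims to come from."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        if host in SHORTENERS:
            findings.append((href, "URL shortener hides the real destination"))
        if host != claimed_domain and not host.endswith("." + claimed_domain):
            findings.append((href, f"link host {host!r} is not {claimed_domain!r}"))
        if DOMAIN_LIKE.fullmatch(text) and host_of(text) != host:
            findings.append((href, f"visible text says {host_of(text)!r}, link goes to {host!r}"))
    targets = {href for href, _ in parser.links}
    if len(parser.links) > 1 and len(targets) == 1:
        findings.append((targets.pop(), "every link in the message leads to the same URL"))
    return findings

# Constructed sample modelled on the DHL-themed message described above.
SAMPLE_PHISH = """<p>Your shipment is waiting at a DHL office. Confirm the address
within 48 hours or it will be returned to the sender.</p>
<a href="http://bit.ly/EXAMPLE">Track your shipment</a>
<a href="http://bit.ly/EXAMPLE">www.dhl.com</a>
<a href="http://bit.ly/EXAMPLE">Unsubscribe</a>"""
```

Running `audit_links(SAMPLE_PHISH, "dhl.com")` yields eight findings for the constructed message, while a message whose single link points at a host under dhl.com yields none.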
A similar situation exists around FedEx, another large delivery service provider. Kaspersky Lab has detected multiple phishing messages sent in the name of this company.
A fraudulent message sent in the name of FedEx
There’s nothing new about this scheme – the victim enters account credentials on a crafted site in order to view information about a shipment.
Phishing site masquerading as the FedEx site
The fact that this site is fraudulent and has nothing to do with FedEx is clear from the URL in the browser address bar.
The conclusion that can be made from the examples given above is that you shouldn’t be too trusting or inattentive while you are online. Never follow links in email messages; it’s safer if you manually type the URL of the required site in your browser address bar. Whenever a page prompts you to enter confidential data, always check the URL in the address bar first. If anything looks suspicious in the URL or in the website design, think twice before entering any personal data.
Last but not least, always keep your security software up to date; it should also include an anti-phishing tool that will help you keep your data confidential, and your money safe. That way, you will be in a good mood for the holidays.
Software vulnerabilities are one of those problems that potentially affect all users. A vulnerability is a fault in a program’s implementation that can be used by attackers to gain unauthorized access to data, inject malicious code or put a system out of operation. In most cases, vulnerabilities arise from a lack of attention to fine details at the design stage rather than programming errors. Sometimes a system can seem virtually invulnerable at the design stage, but then, at some point, a new technology arises and hackers prove that the system can be successfully attacked. A notable example is DES – a symmetric-key encryption algorithm developed in 1975, which was considered bulletproof at the time. However, in 1990 it was successfully broken in 39 days using an enormous computer network. A supercomputer built in 1998 succeeded in breaking DES in less than three days.
Continually testing popular software to identify vulnerabilities and releasing patches to close any vulnerabilities found is part of a program’s normal lifecycle. The more sophisticated and popular the program, the higher the chances of vulnerabilities being found in it.
Searching for vulnerabilities
Most developers try to close any vulnerabilities found in their products in a timely manner. They analyze their software independently or with the help of external experts. However, third-party researchers also hunt for vulnerabilities. Some do this to improve the overall level of security online. Others are paid to search for vulnerabilities. Still others prefer to sell information on any vulnerabilities they discover on the black market.
They can do this because information on new vulnerabilities is valuable for cybercriminals. If a researcher finds a flaw in a system and proves that it can be exploited in practice (that is, if he writes an exploit), he can make tens of thousands of dollars on the black market. There is an entire sector of the cybercriminal underworld that specializes in finding and selling vulnerabilities.
Luckily, this business does not operate on a mass scale. One reason for this is that not all vulnerabilities can be exploited in the real world. A combination of different conditions is often needed to be able to do real harm and the chances of these combinations arising are not very high. A second reason is that it takes a highly skilled programmer to write an effective exploit, and there are not many of them around.
One more option for making money on vulnerabilities is to sell them to third-party companies that, at first glance, seem to have nothing to do with crime. This is what some researchers do. However, these companies may be involved in creating spyware for governments or special services, so the vulnerabilities will still be used to illegitimately manipulate information systems. Moreover, it turns out that the security of such companies is not always as good as it ought to be, so occasionally external parties are able to gain access to their knowledge, with dire consequences.
Idealists, who search for vulnerabilities for the sake of universal security, face a dilemma. On the one hand, the later they publicly announce their discovery, the more time the developers have to fix the problem. On the other, the earlier they publish the information the sooner users will learn about the danger posed by the vulnerability. In theory, cybercriminals might also discover the vulnerability and immediately take advantage of it. It should also be kept in mind that disclosing the information will inevitably result in attempts to abuse the newly discovered vulnerability. Sometimes, attacks can start within an hour of making information about a vulnerability public. This is what happened, for example, after the Shellshock disclosure.
What are the dangers of vulnerabilities?
An exploit is a program or code fragment that uses vulnerabilities to attack a computing system. In some cases, an exploit is used on a mass scale – that is, cybercriminals try to use it to attack a broad range of systems. In such cases, vulnerabilities in popular software (such as the Adobe Flash Player) are exploited to deliver payloads to user machines. This is commonly done via so-called drive-by attacks that attempt to download malicious code to the computers of all users visiting an infected website.
Sometimes cybercriminals develop targeted attacks. They analyze the software used by a particular company and write targeted exploits for those specific programs. One such highly tailored attack was carried out as part of the Duqu 2.0 APT.
The ‘useful’ life of exploits can vary. Some are used for years, even though developers release patches that close the relevant vulnerabilities. This is because some users are in no hurry to install those patches.
According to Kaspersky Lab data, today cybercriminals extensively use exploits for the vulnerabilities listed below:

| Software product | Vulnerability |
|---|---|
| Adobe Flash Player | CVE-2015-0310, CVE-2015-0311, CVE-2015-0313, CVE-2015-0336, CVE-2015-0359, CVE-2015-3090, CVE-2015-3104, CVE-2015-3105, CVE-2015-3113, CVE-2015-5119, CVE-2015-5122, CVE-2015-5560, CVE-2015-7645 |
| Microsoft Internet Explorer | CVE-2014-6332, CVE-2015-2419 |
| Microsoft Office | CVE-2012-0158 |
| Microsoft Windows | CVE-2015-1701 |
It is easy to see from the CVE identifiers that most of these vulnerabilities were discovered this year, but there are also some that date back to 2014 and even 2012. The fact that these vulnerabilities are still being exploited means that many users have not bothered to update the relevant software.
Defending against exploits
The main recommendations are really quite simple: remember to update your software regularly and do not use outdated software. The latter piece of advice can be hard to follow: it is sometimes difficult to find a new alternative to a familiar and convenient program that is outdated. While developers do not track vulnerabilities in obsolete software or release patches for them, cybercriminals continue to watch for an opportunity to exploit. The upshot is that you need additional protection to continue using such software.
There are dedicated tools designed to scan computers for known vulnerabilities and, if detected, automatically install updates. These tools include, for example, Kaspersky Systems Management components Vulnerability Assessment and Patch Management. Kaspersky Lab is also developing a similar solution for home users called Kaspersky Software Updater. The utility is currently in beta testing.
Kaspersky Lab uses a vulnerability naming system that is different from the codes used in the CVE (Common Vulnerabilities and Exposures) system. While an identifier in CVE always corresponds to one vulnerability, a code in our system can match a group of vulnerabilities (in most cases, vulnerabilities closed with one patch or vulnerabilities in one version of a program) – sometimes dozens of vulnerabilities are covered by one code (depending on the patches released by software vendors). As a result, the 20 KLA vulnerabilities listed below actually match 375 CVE vulnerabilities.
According to Kaspersky Security Network statistics, vulnerability scanning most often identifies the following sets of vulnerabilities on our users’ machines:

| # | KLA | Number of users | Date of discovery | Description |
|---|---|---|---|---|
| 1 | KLA10680 | 308219 | 2015-10-14 | Code execution vulnerability in Adobe Flash Player |
| 2 | KLA10036 | 256383 | 2014-07-08 | Multiple vulnerabilities in Adobe Flash and Adobe AIR |
| 3 | KLA10492 | 228454 | 2013-10-16 | Multiple vulnerabilities in Oracle products |
| 4 | KLA10670 | 182972 | 2015-09-21 | Multiple vulnerabilities in Adobe products |
| 5 | KLA10650 | 176435 | 2015-08-11 | Multiple vulnerabilities in Adobe products |
| 6 | KLA10653 | 150987 | 2015-05-18 | Code execution vulnerability in QuickTime |
| 7 | KLA10682 | 150960 | 2015-10-13 | Multiple vulnerabilities in Adobe Acrobat and Reader |
| 8 | KLA10628 | 138039 | 2015-07-14 | Multiple vulnerabilities in Adobe Acrobat |
| 9 | KLA10651 | 135291 | 2015-08-17 | Code injection vulnerability in VLC Media Player |
| 10 | KLA10655 | 134824 | 2015-09-01 | Multiple vulnerabilities in Google Chrome |
| 11 | KLA10672 | 108722 | 2015-09-22 | Multiple vulnerabilities in Mozilla Firefox |
| 12 | KLA10654 | 107661 | 2015-08-27 | Multiple vulnerabilities in Mozilla Firefox |
| 13 | KLA10691 | 103880 | 2015-11-10 | Multiple vulnerabilities in Google Chrome |
| 14 | KLA10344 | 100311 | 2009-11-05 | Multiple vulnerabilities in Sun Java SE |
| 15 | KLA10669 | 92345 | 2015-09-16 | Multiple vulnerabilities in Apple iTunes |
| 16 | KLA10684 | 91013 | 2015-10-22 | Code execution vulnerability in Flash plugin for Google Chrome |
| 17 | KLA10663 | 87898 | 2015-09-08 | Code execution vulnerability in Adobe Shockwave Player |
| 18 | KLA10690 | 87478 | 2015-11-10 | Multiple vulnerabilities in Adobe products |
| 19 | KLA10569 | 86657 | 2015-04-28 | Vulnerability in OpenOffice |
| 20 | KLA10671 | 84380 | 2015-09-21 | Flash Player update for Google Chrome |
Vulnerability sets KLA10680 and KLA10650 are particularly notable. The former includes, among others, CVE-2015-7645, and the latter includes CVE-2015-5560. Both of these vulnerabilities also appear in the first table above, which lists the most commonly exploited software flaws.
Naturally, security products also include technologies designed to block attempts to exploit vulnerabilities. They closely track application behavior (particularly that of applications known to be prone to vulnerabilities) and identify and block suspicious activity.
How is the security industry doing?
Vulnerabilities can be found in security solutions, just like in any other software products. The only difference is that security vendors have a much greater responsibility, because security software is essentially the last line of defense. That is why Internet security companies are especially careful and thorough when it comes to checking products for vulnerabilities.
We cannot speak for the industry as a whole, so we are going to use the only example we are familiar with – that is, our own. We keep the security of our products in mind at all stages of development, from defining the attack surface at the design stage to special testing procedures aimed at identifying possible vulnerabilities in products that are nearly ready to be released. In the process of development, R&D staff not only create the necessary product functionality but also make certain that the new features cannot be used to compromise the program’s integrity.
We believe that this approach is more effective than a dedicated team responsible for tracking vulnerabilities in all of the company’s products. Which is not to say that we do not have such a team. A group of security architects regularly checks newly developed code for vulnerabilities using fuzz testing (so-called fuzzing) and penetration testing.
Fuzzing essentially means checking a program for unintended operations by inputting incorrect or random data. In other words, products are tested on abnormal or distorted data sets.
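As an added example (not Kaspersky Lab's own tooling), the Python below is a minimal mutation fuzzer run against a constructed length-prefixed record parser: a deterministic stage tries every single-byte substitution and every truncation of a valid seed, a seeded random stage adds byte overwrites, insertions and deletions, and any exception other than the parser's own ValueError is recorded as a crash. The parser, its missing bounds check (switched on with `bounds_check`) and the seed are all constructed for this example.

```python
import itertools
import random

def parse_records(data: bytes, bounds_check: bool = False) -> list:
    """Toy parser constructed for this example: repeated [len][payload][checksum].
    Without bounds_check it trusts the length byte and reads past the end of
    short or corrupted input, the kind of fault fuzzing is meant to surface."""
    records, i = [], 0
    while i < len(data):
        n = data[i]
        if bounds_check and i + 1 + n >= len(data):
            raise ValueError("truncated record")   # the fix: reject, don't crash
        payload = data[i + 1:i + 1 + n]
        checksum = data[i + 1 + n]                 # unchecked -> IndexError
        if sum(payload) & 0xFF != checksum:
            raise ValueError("bad checksum")       # deliberate, expected rejection
        records.append(bytes(payload))
        i += 2 + n
    return records

def deterministic_mutations(seed: bytes):
    """Every single-byte substitution, then every truncation of the seed."""
    for pos in range(len(seed)):
        for value in range(256):
            if value != seed[pos]:
                yield seed[:pos] + bytes([value]) + seed[pos + 1:]
    for cut in range(len(seed)):
        yield seed[:cut]

def random_mutations(seed: bytes, rng: random.Random, rounds: int):
    """Random stage: insert, overwrite or delete one byte per round."""
    for _ in range(rounds):
        data = bytearray(seed)
        pos, op = rng.randrange(len(data) + 1), rng.randrange(3)
        if op == 0:
            data.insert(pos, rng.randrange(256))
        elif op == 1 and pos < len(data):
            data[pos] = rng.randrange(256)
        elif pos < len(data):
            del data[pos]
        yield bytes(data)

def fuzz(target, seed: bytes, rounds: int = 500, rng_seed: int = 1) -> dict:
    """Run mutated inputs through `target`. ValueError is the parser's expected
    rejection; any other exception is a crash. Returns, per exception type,
    the shortest input that triggered it."""
    crashes = {}
    rng = random.Random(rng_seed)                  # fixed seed: reproducible run
    for data in itertools.chain(deterministic_mutations(seed),
                                random_mutations(seed, rng, rounds)):
        try:
            target(data)
        except ValueError:
            continue
        except Exception as exc:                   # anything unexpected is a finding
            name = type(exc).__name__
            if name not in crashes or len(data) < len(crashes[name]):
                crashes[name] = data
    return crashes

SEED = b"\x02hi\xd1"   # one valid record: len 2, payload "hi", checksum 0xD1
```

`fuzz(parse_records, SEED)` reports an IndexError with the one-byte input `b"\x02"` (a length byte with nothing after it), while the same run against `lambda d: parse_records(d, bounds_check=True)` reports nothing.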
Penetration testing is carried out both internally and by external experts. It should be noted at this point, however, that in our experience, few external experts are sufficiently knowledgeable about the way security products work and can therefore effectively search for vulnerabilities. Additionally, Kaspersky Lab has a special team that specializes in searching third-party code for vulnerabilities (its services are used, among others, by banks seeking to verify the security of their applications). Even though third-party applications are the team’s top priority, these experts also analyze code developed in-house.
We also value the opinions of independent researchers. Any person who has found a vulnerability in our technologies can report it using a special communication channel that can be found here. Kaspersky Lab experts will thoroughly analyze all data coming via the channel. The procedure is as follows: first, our analysts confirm that there really is a vulnerability. After confirming this, we contact the independent researcher and agree on a time when this information will be made public. Meanwhile, the data is provided to the R&D team responsible for developing the technology; we also check whether the vulnerability is present in any other Kaspersky Lab products. It should be noted that sometimes independent researchers do draw our attention to serious issues. We really appreciate this!
A few practical recommendations
Although only software developers can significantly improve the situation, users can still limit their exposure, so here are some recommendations:
- As we have said many times before, update your software. If the developer provides an update for its product, the chances are that it does so for a good reason.
- Do not disable automatic updates. True, this can be a bit of a nuisance if you have lots of programs, but security is what really counts.
- Remove the programs you no longer use. There is no reason for this dead weight to remain on your hard drive. One day such programs could do you a grave disservice.
- Do not use obsolete software. If it is really such a handy, useful program, there must be other similar programs available. True, it can be hard to abandon a familiar interface, but it is better to spend a few days getting used to a new one than using vulnerable software.
- Regularly scan your computer for known vulnerabilities using dedicated utilities.