Malware RSS Feed
While ransomware is a global threat, every now and then we see a variant that targets one specific region. For example, the Coinvault malware had many infections in the Netherlands, because the authors posted malicious software on Usenet and Dutch people are particular fond of downloading things over Usenet. Another example is the recent Shade campaign, which targets mostly Russia and CIS.
Today we can add a new one to the list: Wildfire.Infection vector
Wildfire spreads through well-crafted spam e-mails. A typical spam e-mail mentions that a transport company failed to deliver a package. In order to schedule a new delivery the receiver is asked to make a new appointment, for which a form has to be filled in, which has to be downloaded from the website of the transport company.
Three things stand out here. First, the attackers registered a Dutch domain name, something we do not see very often. Second, the e-mail is written in flawless Dutch. And thirdly, they actually put the address of the targeted company in the e-mail. This is something we do not see very often and makes it for the average user difficult to see that this is not a benign e-mail.
However, when we look at who registered the domain name, we immediately see that something is suspicious:
The registration date (registered a few days before the spam campaign started), as well as the administrative contact person seem to be very suspicious.The Word document
After the user downloaded and opened the Word document, the following screen is shown:
Apparently the document has some macros, containing pieces of English text, which clearly show the intent of the attackers (actually it is the lyrics of the famous Pink Floyd song Money), but also has several variables in the Polish language.
The macros download and execute the actual Wildfire ransomware which consists in the case we analyzed of the following three files:
The exe file is an obfuscated .net executable that depends on the other two files. This is exactly similar to the Zyklon ransomware that also consists of three files. Another similarity is that, according to some sources (http://www.bleepingcomputer.com/forums/t/611342/zyklon-locker-gnl-help-topic-locked-and-unlock-files-instructionshtml/, http://www.bleepingcomputer.com/forums/t/618641/wildfire-locker-help-topic-how-to-unlock-files-readme-6de99ef7c7-wflx/), Wildfire, GNLocker and Zyklon mainly target the Netherlands. In addition, the ransom notes of Wildfire and Zyklon look quite similar. Also note that Wildfire and Zyklon increase the amount you have to pay three-fold if you don’t pay within the specified amount of time.
Anyway, back to Wildfire. The binary is obfuscated, meaning that when there is no deobfuscator available reversing and analyzing it can take a lot of time. Therefore we decided to run it and see what happens. Just as we hoped, this made things a bit easier, because after a while Usiyykssl.exe launched Regasm.exe, and when we looked into the memory of Regasm.exe, we clearly saw that some malicious code had been injected into it.
Dumping it gave us the binary of the actual Wildfire malware. Unfortunately for us, this binary is also obfuscated, this time with Confuserex 0.6.0. Even though it is possible to deobfuscate binaries obfuscated with Confuserex, we decided to skip that for now. Why? Well it takes a bit of time, and because by working together with the police on this case, we had something much better in our hands: The botnetpanel code!Inside the botnetpanel code
When you are infected with Wildfire, the malware calls home to the C2 server where information such as the IP, username, rid and country are stored. The botnetpanel then checks whether the country is one of the blacklisted countries (Russia, Ukraine, Belarus, Latvia, Estonia and Moldova). It also checks whether the “rid” exists within a statically defined array (we therefore expect the rid to be an affiliate ID).
If the rid is not found, or you live in one of the blacklisted countries, the malware terminates and you won’t get infected.
Each time the malware calls home, a new key is generated and added to the existing list of keys. The same victim can thus have multiple keys. Finally the botnetpanel returns the bitcoin address to which the victim should pay, and the cryptographic key with which the files on the victim’s computer are encrypted. We don’t quite understand why a victim can have multiple keys, especially since the victim only has one bitcoin address.
Also interesting is the encryption scheme. It uses AES in CBC mode but the key and the IV are both derived from the same key. This doesn’t add much security and defeats the sole purpose of having an IV in the first place.
Even though Wildfire is a local threat, it still shows that ransomware is effective and evolving. In less than a month we observed more than 5700 infections and 236 users paid a total amount of almost 70.000 euro . This is also due to the fact that the spam e-mails are getting better and better.
We therefore advise users to:
- Be very suspicious when opening e-mails;
- Don’t enable Word macro’s;
- Always keep your software up-to-date;
- Turn on Windows file extensions;
- Create offline backups (or online backups with unlimited revisions);
- Turn on the behavioral analyzer of your AV.
A decryption tool for Wildfire can be downloaded from the nomoreransom.org website.
P.S. the attackers agree with us on some points:
The telecommunications industry keeps the world connected. Telecoms providers build, operate and manage the complex network infrastructures used for voice and data transmission – and they communicate and store vast amounts of sensitive data. This makes them a top target for cyber-attack.
According to PwC’s Global State of Information Security, 2016, IT security incidents in the telecoms sector increased 45% in 2015 compared to the year before. Telecoms providers need to arm themselves against this growing risk.
In this intelligence report, we cover the main IT security threats facing the telecommunications industry and illustrate these with recent examples.
Our insight draws on a range of sources. These include:
- The latest telecoms security research by Kaspersky Lab experts.
- Kaspersky Lab monitoring systems, such as the cloud antivirus platform, Kaspersky Security Network (KSN), our botnet tracking system and multiple other internal systems including those used to detect and track sophisticated targeted (advanced persistent threat, APT) attacks and the corresponding malware.
- Underground forums and communities.
- Centralized, specialized security monitoring systems (such as Shodan).
- Threat bulletins and attack reports.
- Newsfeed aggregation and analysis tools.
Threat intelligence is now a vital weapon in the fight against cyber-attack. We hope this report will help telecoms providers to better understand the cyber-risk landscape so that they can develop their security strategies accordingly.
We can provide more detailed sector and company-specific intelligence on these and other threats. For more information on our Threat Intelligence Reporting services please email email@example.com.Executive summary
Telecommunications providers are under fire from two sides: they face direct attacks from cybercriminals intent on breaching their organization and network operations, and indirect attacks from those in pursuit of their subscribers. The top threats currently targeting each of these frontlines feature many classic attack vectors, but with a new twist in terms of complexity or scale that place new demands on telecoms companies.
These threats include:
- Distributed Denial of Service (DDoS) attacks. DDoS attacks continue to increase in power and scale and, according to the 2016 Data Breach Investigations Report, the telecommunications sector is hit harder than any other. Kaspersky Lab’s research reveals that in Q2, 2016, the longest DDoS attack lasted for 291 hours (or 12.1 days) – significantly longer than the previous quarter’s maximum (8.2 days), with vulnerable IoT devices increasingly used in botnets. Direct DDoS attacks can reduce network capacity, degrade performance, increase traffic exchange costs, disrupt service availability and even bring down Internet access if ISPs are hit. They can be a cover for a deeper, more damaging secondary attack, or a route into a key enterprise subscriber or large-scale ransomeware attack.
- The exploitation of vulnerabilities in network and consumer devices. Our intelligence shows that vulnerabilities in network devices, consumer or business femtocells, USBs and routers, as well as root exploits for Android phones, all provide new channels for attacks – involving malware and technologies that individuals, organisations and even basic antivirus solutions cannot always easily remove.
- Compromising subscribers with social engineering, phishing or malware. These classic techniques remain popular and can easily be mastered by entry-level cybercriminals, although 2016 sees changes in how more sophisticated attackers conduct their campaigns. Growing numbers of cyber-attackers now combine data sets from different sources, including open sources, to build up detailed pictures of potential targets for blackmail and social engineering purposes.
- Insider threat is growing. Detailed profiles of targets are also used to recruit insiders to help perpetrate cybercrime. Some insiders help voluntarily, others are cooerced through blackmail. Insiders from cellular service providers are recruited mainly to provide access to data, while staff working for Internet service providers are chosen to support network mapping and man-in-the-middle attacks.
Other threats facing telecommunications companies include targeted attacks; poorly configured access controls, particularly where interfaces are publicly available to any Internet user; inadequate security for 2G/3G communications; and the risk of telecoms providers being drawn into unrelated attacks that exploit telecoms resources, and suffering collateral damage as a result.Typical threats targeting telecoms Overview
We can divide the main threats facing the telecommunications industry into two, interrelated, categories:
- Threats targeting telecommunication companies directly. These include DDoS attacks, targeted attacks (APT campaigns), network device vulnerabilities and human-related threats like insider access, social engineering and the risk of allowing third parties to access information.
- Threats targeting subscribers of telecoms services – particularly the customers of cellular service providers (CSPs) and Internet service providers (ISPs). These include malware for mobile devices, subscriber data harvesting, end-user device vulnerabilities, and more.
DDoS (distributed denial of service) attacks remain a serious threat to telecoms providers around the world as attackers discover ever more ways of boosting the power and scale of attacks. Kaspersky Lab’s DDoS intelligence report for Q2, 2016 notes that websites in 70 countries were targeted with attacks. By far the most affected country was China, with South Korea and the US also among the leaders. 70.2% of all detected attacks were launched from Linux botnets, with cybercriminals paying close attention to financial institutions working with cryptocurrency. Another trend observed in Q2 was the use of vulnerable IoT devices in botnets to launch DDoS attacks.
The telecommunications sector is particularly vulernable to DDoS attacks. According to the 2016 Data Breach Investigations Report, the telecommunications sector was hit around twice as hard as the second placed sector (financial exchanges), with a median DDoS packet count of 4.61 million packets per second (compared to 2.4 Mpps for exchanges.)
The impact of a DDoS attack should not be underestimated. Direct attacks can reduce network capacity, degrade performance, increase traffic exchange costs, disrupt service availability and even bring down Internet access if ISPs are affected. With a growing number of connected devices and systems supporting mission-critical applications in areas such as healthcare and transport, unexpected downtime could be life threatening.
Further, DDoS attacks can be a cover for a deeper, more damaging secondary attack, or a route into a key enterprise subscriber or large-scale ransomeware attack.
A good example of the first is the 2015 cyber-attack on the UK telecoms company, TalkTalk. The hack, alledgedly perpetrated by a couple of teenagers, resulted in the loss of around 1.2 million customers’ email addresses, names and phone numbers, as well as many thousands of customer dates of birth and financial information – all ideal for use in financially-motivated social engineering campaigns. The forensic investigation revealed that the hackers had used a smokescreen DDoS attack to conceal their main activities.
DDoS attacks are also evolving. 2015 saw attackers amplify the power of DDoS attacks by turning them into DrDoS (Distributed reflection Denial of Service) attacks through the use of standard network protocols like NTP, RIPv1, NetBIOS (Network Basic Input/Output System) and BGP (Border Gateway Patrol). Another approach that is becoming more commonplace is the compromise of end-user routers via network-scanning malware and firmware vulnerabilities. Today’s faster mobile data transfer speeds and the growing adoption of 4G are also making smartphone-based botnets more useful for implementing DDoS attacks.
The worrying thing is that even inexperienced attackers can organize quite an effective DDoS campaign using such techniques.Targeted attacks
The core infrastructure of a telecommunications company is a highly desirable target for cybercriminals, but gaining access is extremely difficult. Breaking into the core requires a deep knowledge of GSM architecture, rarely seen except among the most skilled and resourced cybercriminals. Such individuals can generally be found working for advanced, international APT groups and nation-state attackers, entities that have a powerful interest in obtaining access to the inner networks of telecommunication companies. This is because compromised network devices are harder to detect by security systems and they offer more ways to control internal operations than can be achieved through simple server/workstation infiltration.
Once inside the core infrastructure, attackers can easily intercept calls and data, and control, track and impersonate subscibers.
Other APTs with telecommunications on their radar
The Regin APT campaign, discovered in 2014, remains of the most sophisticated ever seen and has the ability to infiltrate GSM networks, while the Turla group, has developed the ability to hijack satellite-based Internet links as part of it’s Command & Control process, successfully obscuring its actual location.
Others, such as Dark Hotel and a new cyber-espionage threat actor likely to be of Chinese origin, exploit telecoms networks in their targeted campaigns. In these cases, the telecoms providers often suffer collateral damage even though they are not directly related to the attack. Further details on these can be found on Kaspersky Lab’s expert Securelist blog or through a subscription to the Kaspersky APT Threat Intelligence Reporting service.Unaddressed software vulnerabilities
Despite all the high profile hacks and embarrassing data leaks of the last 12 months, attackers are still breaching telecoms defenses and making off with vast quantities of valuable, personal data. In many cases, attackers are exploiting new or under-protected vulnerabilities. For example, in 2015, two members of the hacker group, Linker Squad gained access to Orange Spain through a company website vulnerable to a simple SQL injection, and stole 10 million items of customer and employee data.
SQL injection vulnerability on Orange Spain web siteThe impact of service misconfiguration
In many cases, the hardware used by by the telecommunications industry carries configuration interfaces that can be accessed openly via HTTP, SSH, FTP or telnet. This means that if the firewall is not configured correctly, the hardware in question becomes an easy target for unauthorized access.
The risk presented by publicly exposed GTP/GRX (GPRS Tunneling Protocol/GPRS Roaming Exchange) ports on devices provides a good example of this.
As CSPs encrypt the GPRS traffic between the devices and the Serving GPRS Support Node (SGSN), it is difficult to intercept and decrypt the transferred data. However, an attacker can bypass this restriction by searching on Shodan.io for devices with open GTP ports, connecting to them and then encapsulating GTP control packets into the created tunnel.
Table 1. Top 10 countries with GTP/GRX ports exposed to Internet access# Country Number of GTP/GRX 1 China 52.698 2 Turkey 8.591 3 United States of America 6.403 4 Canada 5.807 5 Belgium 5.129 6 Colombia 2.939 7 Poland 2.842 8 Morocco 1.585 9 Jamaica 862 10 United Arab Emirates 808
The Border Gateway Protocol (BGP) is the routing protocol used to make decisions on routing between autonomous systems. Acceptance and propagation of routing information coming from other peers can allow an attacker to implement man-in-the-middle (MITM) attacks or cause denial of service. Any route that is advertised by a neighboring BGP speaker is merged in the routing database and propagated to all the other BGP peers.
Table 2. Top five countries with BGP protocol exposed to Internet access# Country Number of devices
(end of 2015) 1 Republic of Korea 16.209 2 India 8.693 3 United States of America 8.111 4 Italy 2.909 5 Russian Federation 2.050
An example of such an attack took place in March 2015, when Internet traffic for 167 important British Telecom customers, including a UK defense contractor that helps to deliver the country’s nuclear warhead program, was illegally diverted to servers in Ukraine before being passed along to its final destinations.
To avoid probable attacks against BGP from unauthorized remote malefactors, we recommend that companies provide network filtering, allowing only a limited number of authorized peers to connect to BGP services. To protect against malicious re-routing and hijacking initiated through authorized autonomous systems we recommend that they monitor anomalies in BGP communications (this can be done through specialized software solutions or by subscribing to alerts from vendors providing this kind of monitoring.)Vulnerabilities in network devices
Routers and other network devices are also primary targets for attacks against telecommunications companies.
In September 2015, FireEye researchers revealed the router malware “SYNful knock”, a combination of leaked privilege (root) credentials and a way of replacing device firmware that targets Cisco 1841, 2811 and 3825 routers (see Cisco advisory here).
Put simply, SYNful knock is a modified device firmware image with backdoor access that can replace the original operating system if the attacker has managed to obtain privileged access to the device or can physically connect to it.
SYNful is not a pure software vulnerability, but a combination of leaked privileged credentials combined with a certain way of replacing device firmware. Still, it is a dangerous way of compromising an organization’s IT infrastructure.
SYNful knock backdoor sign-in credentials request
Worldwide distribution of devices with the SYNful knock backdoor
The latest information on the number of potentially compromised devices is available through the link https://synfulscan.shadowserver.org/stats/.
A second Cisco vulnerability, CVE-2015-6389 enables attackers to access some sensitive data, such as the password file, system logs, and Cisco PCA database information, and to modify data, run internal executables and potentially make the system unstable or inaccessible. Cisco Prime Collaboration Assurance Software releases prior to 11.0 are vulnerable. Follow this Cisco bulletin for remediation actions.
For further information on Cisco fixes for its devices see https://threatpost.com/cisco-warning-of-vulnerabilities-in-routers-data-center-platforms/115609.
Juniper, another network device manufacturer has been found to carry vulnerabilities in its operating system for its NetScreen VPN appliances, enabling third-party access to network traffic. The issue was reported by the vendor in the security advisory JSA10713 on December 18th, 2015, along with the release of the patch.
It appears that the additional code with hardcoded password was planted in the source code in late 2013. The backdoor allows any user to log in with administrator privileges using hard-coded password “<<< %s(un=’%s’) = %u”.This vulnerability has been identified as CVE-2015-7755 and is considered highly critical.
Top countries where ScreenOS devices are used are the Netherlands, the United States, China, Italy and Mexico.
Juniper ScreenOS-powered devices worldwide
Another Juniper backdoor, CVE-2015-7756, affects ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 and allows a third party to monitor traffic inside VPN connections due to security flaws in the Dual_EC PRNG algorithm for random number generation.
To protect the organization from misconfiguration and network device vulnerabilitiy, Kaspresky Lab recommendats that companies pay close attention to vulnerabilities in the network services of telecommunication equipment, establish effective vulnerability and configuration management processes, and regularly perform security assessments, including penetration testing for different types of attackers (a remote intruder, a subscriber, a contractor, etc.).Malicious insiders
Even if you consider your critical systems and devices protected and safe, it is difficult to fully control some attack vectors. People rank at the very top of this list. Their motivations are often hard to predict and anticipate, ranging from a desire for financial gain to disaffection, coercion and simple carelessness.
While insider-assisted attacks are uncommon, the impact of such attacks can be devastating as they provide a direct route to the most valuable information.
Examples of insider attacks in recent years include:
- A rogue telecoms employee leaking 70 million prison inmate calls, many breaching client-attorney privilege.
- An SMS center support engineer who had intercepted messages containing OTP (One-Time Passwords) for the two-step authentication required to login to customer accounts at a popular fintech company. The engineer was found to be freely offering his services on a popular DarkNet forum.
For attackers, infiltrating the networks of ISPs and CSPs requires a certain level of experience – and it is often cheaper and easier to stroll across the perimeter with the help of a hired or blackmailed insider. Cybercriminals generally recruit insiders through two approaches: enticing or coercing individual employees with relevant skills, or trawling around underground message boards looking for an appropriate employee or former employee.
Employees of cellular service providers are in demand for fast track access to subscriber and company data or SIM card duplication/illegal reissuing, while staff working for Internet service providers are needed for network mapping and man-in-the-middle attacks.
A particularly promising and successful attack vector for recruiting an insider for malicious intrusion is blackmail.
Data breaches, such as the 2015 Ashley Madison leak reveal information that attackers can compare with other publically available information to track down where people work and compromise them accordingly. Very often, these leaked databases contain corporate email addresses, including those of telecommunication companies.
Further information on the emerging attack vectors based on the harvesting of Open Source Intelligence (OSINT) can be obtained using Kaspersky Lab’s customer-specific Intelligence Reporting services.Threats targeting CSP/ISP subscribers Overview
Attacks targeting the customers of cloud and Internet service providers remain a key area of interest for cybercriminals. We’ve revealed a number of malware activities and attack techniques based on internal information and incidents that were caught in our scope. As a result of analyzing this data the following main threats were identified:
- Obtaining subscribers’ credentials. This is growing in appeal as consumers and businesses undertake ever more activity online and particularly on mobile. Further, security levels are often intentionally lowered on mobile devices in favor of usability, making mobile attacks even more attractive to criminals.
- Compromising subscribers’ devices. The number of mobile malware infections is on the rise, as is the sophistication and functionality of the malware. Experienced and skilled programmers are now focusing much of their attention on mobile – looking to exploit payment services as well as low-valued assets like compromised Instagram or Uber accounts, collecting every piece of data from the infected devices.
- Compromising small-scale telecoms cells used by consumers and businesses. Vulnerabilities in CSP-provided femtocells allow criminals to compromise the cells and even gain access to the entire cloud provider’s network.
- Successful Proof-Of-Concept attacks on USIM cards. Recent research shows that the cryptography of 3G/4G USIM cards is no longer unbreakable. Successful attacks allow SIM card cloning, call spoofing and the interception of SMS.
Social engineering and phishing remain popular activities and they continues to evolve and improve, targeting unaware or poorly aware subscribers and telecoms employees.
The attackers exploit trust and naiivity. In 2015, the TeamHans hacker group penetrated one of Canada’s biggest communications groups, Rogers, simply by repeatedly contacting IT support and impersonating mid-ranking employees, in order to build up enough personal information to gain access to the employee’s desktop. The attack provided hackers with access to contracts with corporate customers, sensitive corporate e-mails, corporate employee IDs, documents, and more.
Both social engineering and phishing approaches are worryingly successful. The Data Breach Investigations Report 2016 found that 30% of phishing emails were opened, and that 12% clicked on the malicious attachment – with the entire process taking, on average, just 1 minute and 40 seconds.
Social engineers and phishers also use multiple ways for increasing the likeness of authenticity in their attacks, enriching their data with leaked profiles, or successfully impersonating employees or contractors. Recently criminals have successfully stolen tens of thousands of euros from dozens of people across Germany after finding a way around systems that text a code to confirm transactions to online banking users. After infecting their victims with banking malware and obtaining their phone numbers, they called the CSP’s support and, impersonating a retail shop, asked for a new SIM card to be activated, thus gaining access to OTP (One Time Passwords) or “mTan’s” used for two-factor authentication in online banking.
Kaspersky Lab recommends that telecommunications providers implement notification services for financial organizations that alert them when a subscriber’s SIM card has been changed or when personal data is modified.
Some CSPs have also implemented a threat exchange service to inform financial industry members when a subscriber’s phone is likely to have been infected with malware.Vulnerable kit
USBs, modems and portable Wi-Fi routers remain high-risk assets for subscribers, and we continue to discover multiple vulnerabilities in their firmware and user interfaces. These include:
- Vulnerabilities in web interfaces designed to help consumers configure their devices. These can be modified to trick a user into visiting a specially crafted page.
- Vulnerabilities that result from insufficient authentication. These can allow for the modification of device settings (like DNS server addresses), and the interception, sending and receiving of SMS messages, or USSD requests, by exploiting different XSS and CSRF vulnerabilities.
- RCE (Remote Code Execution) vulnerabilities based on different variants of embedded Linux that can enable firmware modification and even a complete remote compromise.
Built-in “service” backdoor allowing no-authentication access to device settings
Examples of these kind of vulnerabilities were demonstrated in research by Timur Yunusov from the SCADAStrangeLove team. The author assessed a number of 3G/4G routers from ZTE, Huawei, Gemtek and Quanta. He has reported a number of serious vulnerabilities:
- Remote Code Execution from web scripts.
- Arbitrary device firmware modification due to insufficient consistency checks.
- Cross Site Request Forgert and Cross Site Scripting attacks.
All these vectors can be used by an external attacker for the following scenarios:
- Infecting a subscriber’s computer via PowerShell code or badUSB attack.
- Traffic modification and interception.
- Subscriber account access and device settings modification.
- Revealing subscriber location.
- Using device firmware modification for APT attack persistence.
Most of these issues exist due to web interface vulnerabilities (like insufficient input validation or CSRF) or modifications made by the vendor during the process of branding its devices for a specific telecommunications company.The risk of local cells
Femtocells, which are essentially a personal NodeB with an IP network connection, are growing in popularity as an easy way to improve signal coverage inside buildings. Small business customers often receive them from their CSPs. However, unlike core systems, they are not always submitted to suitably thorough security audits.
Femtocell connection map
Over the last year, our researchers have found a number of serious vulnerabilities in such devices that could allow an attacker to gain complete control over them. Compromising a femtocell can lead to call interception, service abuse and even illegal access to the CSP’s internal network.
At the moment, a successful attack on a femtocell requires a certain level of engineering experience, so risks remain low – but this is likely to change in the future.USIM card vulnerabilities
Research presented at BlackHat USA in 2015 revealed successful attacks on USIM card security. USIMs had previously been considered unbreakable thanks to the AES-based MILENAGE algorithm used for authentication. The reseachers conducted differential power analysis for the encryption key and secrets extraction that allowed them to clone the new generation of 3G/4G SIM cards from different manufacturers.
Right byte guess peak on differential power analysis graphConclusion
Telecommunications is a critical infrastructure and needs to be protected accordingly. The threat landscape shows that vulnerabilities exist on many levels: hardware, software and human, and that attacks can come from many directions. Telecoms providers need to start regarding security as a process – one that encompasses threat prediction, prevention, detection, response and investigation.
A comprehensive, multi-layered security solution is a key component of this, but it is not enough on its own. It needs to be complemented by collaboration, employee education and shared intelligence. Many telecommunications companies already have agreements in place to share network capability and capacity in the case of disruption, and now is the time to start reaping the benefit of shared intelligence.
Our Threat Intelligence Reporting services can provide customer-specific insight into the threats facing your organization. If you’ve ever wondered what your business looks like to an attacker, now’s the time to find out. Contact us at firstname.lastname@example.org
Crooks are always creating new ways to improve the malware they use to target bank accounts, and now Brazilian bad guys have made an important addition to their arsenal: the use of PowerShell. Brazil is the most infected country worldwide when it comes to banking Trojans, according to our Q1 2016 report, and the quality of the malware is evolving dramatically. We found Trojan-Proxy.PowerShell.Agent.a in the wild a few days ago, marking a new achievement by Brazil’s cybercriminals.
The malware is distributed using a malicious email campaign disguised as a receipt from a mobile operator with a malicious .PIF file. After the file is executed it changes the proxy configuration in Internet Explorer to a malicious proxy server that redirects connections to phishing pages for Brazilian banks. It’s the same technique used by malicious PACs that we described in 2013, but this time no PACs are used; the changes in the system are made using a PowerShell script. As Windows 7 and newer OS versions are now the most popular in Brazil, the malware will not face a problem running on victims’ computers.
The malware has no C&C communication. After execution it spawned the process “powershell.exe” with the command line “-ExecutionPolicy Bypass -File %TEMP%\599D.tmp\599E.ps1” aiming to bypass PowerShell execution policies. The .ps1 file in the temp folder uses random names. It’s a base64 encoded script capable of making changes in the system.
After some deobfuscation we can see the goal of the script: to change the Internet Settings key and enable a proxy server on it:
And this is the result in the browser of the victim – a small change in the proxy settings:
This change will not only affect IE but all other browsers installed in the system as well, as they tend to use the same proxy configuration set on IE. The proxy domains used in the attack are listed below. All of them use dynamic DNS services and their goal is to redirect all traffic to a server located in the Netherlands (18.104.22.168), where there are several phishing pages for Brazilian banks:
The malware also has other features of interest: it checks for the language of the OS and aborts if it’s not PTBR, a clever trick to avoid infecting Windows versions in languages other than Brazilian Portuguese.
To protect a network against malware that uses PowerShell, it is important to modify its execution, using administrative templates that only allow signed scripts. We are sure this is the first of many that Brazil’s bad guys will code.
Hash of the malware: cancelamento.pif -> MD5: 9419e7cd60487532313a43559b195cb0
Although the second quarter of 2016 has only just finished, it’s safe to say that this is already the year of ransomware Trojans. By the end of Q2 there was still a large number of emails with malicious attachments, most of which download ransomware in one way or other to a victim’s computer. However, in the period between 1 June and 21 June the proportion of these emails decreased dramatically.
The majority of malicious attachments were distributed in ZIP archives. The decline can therefore be clearly seen in the following graph showing spam with ZIP attachments that arrived in our traps:
Number of emails with malicious ZIP archives, Q2 2016
In addition to the decline, June saw another interesting feature: this sort of spam was not sent out on Saturdays or Sundays.
The same situation could be observed in KSN: the number of email antivirus detections dropped sharply on 1 June and grew on 22 June.
Number of email antivirus detections by day, Q2 2016
This decline was caused by a temporary lull in activity by the Necurs botnet, which is mostly used to distribute this type of malicious spam. After the botnet resumed its activity, the spam email template changed, and the malicious attachments became even more sophisticated.
For example, some emails (see the screenshot above) contained an attachment with a Trojan downloader. When run, it downloaded Trojan-Ransom.Win32.Locky.agn, which encrypts the data on a victim’s computer and demands a ransom, to be paid in bitcoin.Obfuscation
The second quarter saw spammers continue to mask links using various Unicode ranges designed for specific purposes. This tactic became especially popular in 2015, and is still widely used by spammers.
The link in this example looks like this:
If you transfer the domain from UTF-8 into the more familiar HTML, it becomes . The characters, which look quite ordinary, in fact belong to the Mathematical Alphanumeric Symbols UTF range used in highly specific mathematical formulas, and are not intended for use in plain text or hyperlinks. The dot in the domain is also unusual: it is the fullwidth full stop used in hieroglyphic languages. The rest of the hyperlink, as well as the rest of the text in these spam messages, is written using the Latin alphabet.Spam in APT attacks
In Q2, we came across a number of APT attacks in the corporate sector. Emails were made to look as if they came from representatives of the targeted company, and contained a request to immediately transfer money to a specific account. The text was fairly plausible and hinted at a personal acquaintance and previous communication. In some cases, the emails included the logo of the attacked company. All the messages conveyed a sense of urgency (“ASAP”, “urgent”, “must be completed today”) – scammers often use this trick in an attempt to catch people off guard, so that they act rather than think.
Below is an example:
How are you doing! Are you available at the office? I need you to process an overdue payment that needs to be paid today.
The emails were sent selectively – to individual employees, usually connected to the finance department. The knowledge shown by the scammers suggests the attack was carefully prepared.
The most suspicious aspect of the attack was the domain used in the ‘From’ field – myfirm.moby – that differed from the corporate one. Perhaps the attackers hope that some email clients only show the sender’s name by default, while concealing the address.
It is not that difficult to write any domain in the ‘From’ field, and in the future we can expect more well-prepared attacks.Sporting events in spam
Spam mailings exploiting real-life events have long become an integral part of junk email. Sporting events are not as popular among spammers as political events, although their use is increasing with every year. There is a continuous stream of emails mentioning various political figures, while sport-related spam messages usually only appear in the run-up to an event. However, we have noticed that mass mailings can now be launched long before an event starts. For instance, emails exploiting the Olympic Games in Brazil were discovered over a year ago, in the second quarter of 2015. The majority of them were fraudulent emails designed to trick recipients and steal their personal information and money.
The classic scenario involves false notifications about lottery wins related to 2016 Olympics. The messages claim that the lottery was held by the official organizers of the games and the recipient was selected at random from millions of addresses. In order to claim the cash, the recipient has to reply to the email and provide some personal information.
The text of the message was often contained in an attached file (.pdf, .doc, .jpg), while the body of the message only displayed a short text prompting the recipient to open the attachment.
There were also more traditional messages where the spammer text was included directly in the body of the message.
In addition to fraudulent messages, advertising spam was also sent out.
Unlike the Olympics, football tournaments have long been used by scammers to grab people’s attention to their spam. Q2 2016 saw the long-awaited UEFA European Championship, and in the run-up to the tournament spam traffic included fake notifications of lottery wins. The content was no different from that dedicated to the Olympic Games, and the emails also contained attachments explaining why the message was sent.
The football theme was also exploited by ‘Nigerian’ scammers. They sent out emails supposedly on behalf of the former FIFA president, and used the infamous corruption scandal associated with his name to make their messages look more realistic. They believed that a fabricated story about how Sepp Blatter had supposedly received money and secretly transferred it to an account in a European bank would not arouse suspicion. In return for keeping the money in their bank accounts, the recipients were promised a 40% cut of the total sum.
In order to convince recipients that the message was genuine, the authors even went to the trouble of using the correct name and domain in the ‘From’ field.US politicians in spam
The presidential election campaign is now in full swing in the United States and the nominees and their entourages are under close media scrutiny. Of course, spammers couldn’t resist using the names of high-profile politicians in their advertising and fraudulent emails. For example, numerous ‘Nigerian’ letters were sent in the name of current president Barack Obama and his wife Michelle. In their ‘official’ emails, the ‘President’ and the ‘First lady’ assured the recipient that a bank card or a check for a very large sum of money had already been issued in their name. The only thing the recipient had to do was complete some formalities, and the money would be delivered shortly afterwards. In order to get the instructions from the White House the recipient had to send some personal information, including their email address and the password for their email account, as well as detailed passport information to spoofed email addresses.
Another politician whose name regularly cropped up in spam was Donald Trump, one of the contenders for the US presidency. Spammers offered a unique Trump technique for earning money online: anyone who wanted to know how to get rich, had to click a link in the emails which were designed to look like news reports from CNN and Fox News.
The links led to fake news sites also in the style of major media outlets and news networks. The sites contained a story about a simple method for earning money – the publication of links, which is basically another kind of spam distribution. In order to participate in the program, a user had to register by providing their phone number and email address.Statistics Proportion of spam in email traffic
Percentage of spam in global email traffic, Q2 2016
The largest percentage of spam in the second quarter – 59.46% – was registered in May and was 3 p.p. more than in April. The average percentage of spam in global email traffic for Q2 amounted to 57.25%.Sources of spam by country
Sources of spam by country, Q2 2016
In Q2 2016, the biggest three sources of spam remained the same as in the previous quarter – the US (10.79%), Vietnam (10.10%) and India (10.01%). However, the figures for each country changed: the gap between them narrowed to within a single percentage point.
China (6.52%) moved up to fourth with an increase of 1.43 p. p. compared to Q1. Mexico (4.55%) came fifth, followed by Russia (4.07%) and France (3.60%). Brazil (3.28%), which was fourth in the previous quarter, lost 2.2 p.p. and dropped to eighth place. Germany (2.97%) and Turkey (2.30%) completed the TOP 10.Spam email size
Breakdown of spam emails by size, Q1 and Q2 2016
Traditionally, the most commonly distributed emails are very small – up to 2 KB (72.26%), although the proportion of these emails dropped by 9.6 p.p. compared to the previous quarter. Meanwhile, the share of emails sized 10-20 KB increased by 6.76 p.p. The other categories saw minimal changes.Malicious email attachments
Currently, the majority of malicious programs are detected proactively by automatic means, which makes it very difficult to gather statistics on specific malware modifications. So we have decided to turn to the more informative statistics of the TOP 10 malware families.TOP 10 malware families
The three most popular malware families remained unchanged from the previous quarter – Trojan-Downloader.JS.Agent (10.45%), Trojan-Downloader.VBS.Agent (2.16%) and Trojan-Downloader.MSWord.Agent (1.82%).
The Trojan.Win32.Bayrob family moved up to fourth place (1.68%), while the Backdoor.Win32.Androm family fell from fourth to ninth place with 0.6%.
TOP 10 malware families in Q2 2016
A newcomer to this ranking was the Trojan.Win32.Inject family (0.61%). The malicious programs from this family embed their code in the address space of other processes.
The Trojan-Spy.HTML.Fraud family (0.55%) rounded off the TOP 10 in Q2 2016.Countries targeted by malicious mailshots
Distribution of email antivirus verdicts by country, Q2 2016
Germany (14.69%) topped the ranking of countries targeted by malicious mailshots, although its share decreased 4.24 p.p. It was followed by China (13.61%) whose contribution grew 4.18 p.p. Japan (6.42%) came third after ending the previous quarter in seventh with a share of 4.29%.
Fourth place was occupied by Brazil (5.57%). Italy claimed fifth with a share of 4.9% and Russia remained in sixth (4.36%).
The US (4.06%) was the seventh most popular target of malicious mailshots. Austria (2.29%) rounded off this TOP 10.Phishing
In Q2 2016, the Anti-Phishing system was triggered 32,363,492 times on the computers of Kaspersky Lab users, which is 2.6 million less than the previous quarter. Overall, 8.7% of unique users of Kaspersky Lab products were attacked by phishers in Q2 of 2016.Geography of attacks
The country where the largest percentage of users is affected by phishing attacks was China (20.22%). In Q2 2016, the proportion of those attacked increased by 3.52 p.p.
Geography of phishing attacks*, Q2 2015
* Number of users on whose computers the Anti-Phishing system was triggered as a percentage of the total number of Kaspersky Lab users in the country
The percentage of attacked users in Brazil decreased by 2.87 p.p. and accounted for 18.63%, placing the country second in this ranking. Algeria (14.3%) came third following a 2.92 p.p. increase in its share compared to the previous quarter.
TOP 10 countries by percentage of users attacked:China 20.22% Brazil 18.63% Algeria 14.3% United Kingdom 12.95% Australia 12.77% Vietnam 11.46% Ecuador 11.14% Chile 11.08% Qatar 10.97% Maldives 10.94% Organizations under attack
The statistics on phishing targets are based on detections of Kaspersky Lab’s heuristic anti-phishing component. It is activated every time a user attempts to open a phishing page while information about it has not yet been included in Kaspersky Lab’s databases. It does not matter how the user attempts to open the page – by clicking a link in a phishing email or in a message on a social network or, for example, as a result of malware activity. After the security system is activated, a banner is displayed in the browser warning the user about a potential threat.
In Q2 of 2016, the share of the ‘Global Internet portals’ category (20.85%), which topped the rating in the first quarter, decreased considerably – by 7.84 p.p. The share of the ‘Financial organizations’ category grew 2.07 p.p. and accounted for 46.23%. This category covers ‘Banks’ (25.43%, +1.51 p.p.), ‘Payment systems’ (11.24%, -0.42 p.p.) and ‘Online stores’ (9.39%, +0.99 p.p.).
Distribution of organizations affected by phishing attacks by category, Q2 2016
The share of attacks on the ‘Social networking sites’ category increased by 2.65 p.p. and reached 12.4%. The ‘Online games’ category was also attacked more often (5.65%, + 1.96 p.p.). Meanwhile, the ‘Telephone and Internet service providers’ (4.33%) and the ‘IMS’ (1.28%) categories lost 1.17 p.p. and 2.15 p.p. respectively.Hot topics this quarter The Olympics in Brazil
For a number of years now Brazil has been among the countries with the highest proportion of users targeted by phishing. In 2015 and 2016 phishers have focused on the Rio Olympic Games in Brazil. Last quarter showed that as well as ordinary users, the potential victims of phishing included the organizers of the Olympic Games.
The Olympic theme remained popular in Q2, with phishers working overtime to send out fake notifications about big cash wins in a lottery that was supposedly organized by the Brazilian government and the Olympic Committee.‘Porn virus’ for Facebook users
Facebook users are often subjected to phishing attacks. During one attack in the second quarter, a provocative video was used as bait. To view it, the user was directed to a fake page imitating the popular YouTube video portal, and told to install a browser extension.
This extension requested rights to read all the data in the browser, potentially giving the cybercriminals access to passwords, logins, credit card details and other confidential user information. The extension also distributed more links on Facebook that directed to itself, but which were sent using the victim’s name.Phisher tricks Compromising domains with good reputation
To bypass security software filters, fraudsters try to place phishing pages on domains with good reputations. This significantly reduces the probability of them being blocked and means potential victims are more trusting. The phishers can strike it big if they can use a bank or a government agency domain for their purposes. In Q2, we came across a phishing attack targeting the visitors of a popular Brazilian e-commerce site: the fake page was located on the domain of a major Indian bank. This is not the first time fraudsters have compromised the domain of a large bank and placed their content on it.
Phishing pages targeting the users of the Brazilian store americanas.com
When trying to purchase goods on the fake pages of the store, the victim is asked to enter lots of personal information. When it’s time to pay, the victim is prompted to print out a receipt that now shows the logo of a Brazilian bank.
The domains of state structures are hacked much more frequently by phishers. In Q2 2016, we registered numerous cases where phishing pages were located on the domains belonging to the governments of various countries. Here are just a few of them:
Phishing pages located on the domains of government authorities
The probability of these links being placed on blacklists is negligible thanks to the reputation of the domain.TOP 3 organizations attacked
Fraudsters continue to focus most of their attention on the most popular brands, enhancing their chances of a successful phishing attack. More than half of all detections of Kaspersky Lab’s heuristic anti-phishing component fall on phishing pages hiding behind the names of fewer than 15 companies.
The TOP 3 organizations attacked most frequently by phishers accounted for 23% of all phishing links detected in Q2 2016.Organization % of detected phishing links 1 Microsoft 8.1 2 Facebook 8.03 3 Yahoo! 6.87
In Q2 2016, this TOP 3 ranking saw a few changes. Microsoft was the new leader with 8.1% (+0.61 p.p.), while Facebook (8.03%, +2.32 p.p.) came second. The share of attacks targeting Yahoo! (6.87%) fell 1.46 p.p., leaving last quarter’s leader in third.
Q2 leader Microsoft is included in the ‘Global Internet portals’ category because the user can access a variety of the company’s services from a single account. This is what attracts the fraudsters: in the event of a successful attack, they gain access to a number of services used by the victim.
Example of phishing on Live.com, a Microsoft serviceConclusion
In the second quarter of 2016, the proportion of spam in email traffic increased insignificantly – by 0.33 p.p. – compared to the previous quarter and accounted for 57.25%. The US remained the biggest source of spam. As in the previous quarter, the top three sources also included Vietnam and India.
Germany was once again the country targeted most by malicious mailshots, followed closely by China. Japan, which was seventh in the previous quarter’s ranking, completed the TOP 3 in Q2.
Trojan-Downloader.JS.Agent remained the most popular malware family distributed via email. Next came Trojan-Downloader.VBS.Agent and Trojan-Downloader.MSWord.Agent. A significant amount of malicious spam was used to spread ransomware Trojans such as Locky. For almost a month, however, cybercriminals did not distribute their malicious spam, but then the Necurs botnet began working again. We don’t expect to see any significant reduction in the volume of malicious spam in the near future, although there may be changes in email patterns, the complexity of the malware, as well as the social engineering methods used by attackers to encourage a user to launch a malicious attachment.
The focus of phishing attacks shifted slightly from the ‘Global Internet portals’ to the ‘Financial organizations’ category.
The theme of the Olympic Games was exploited by both phishers and spammers to make users visit fake pages with the aim of acquiring their confidential information or simply to get their money.
Events in the political arena, such as the presidential election in the US, also attracted spammers, while the sites of government agencies were compromised in phishing attacks.
As we can see, the overriding trend of the quarter is that of fraud and making quick money from victims using direct methods such as Trojan cryptors that force unprotected users to pay a ransom, or phishing attacks that target financial organizations, rather than long drawn-out scams. All of this once again highlights the need for both comprehensive protection on computers and increased vigilance by Internet users.
Kaspersky Lab has observed new waves of attacks that started on the 8th and the 27th of June 2016. These have been highly active in the Middle East region and unveiled ongoing targeted attacks in multiple regions. The attackers try to lure targets through spear phishing emails that include compressed executables. The malware collects all data such as passwords, keystrokes and screenshots, then sends it to the attackers.
#OpGhoul targeting industrial, manufacturing and engineering organizations in 30+ countriesTweet
We found that the group behind this campaign targeted mainly industrial, engineering and manufacturing organizations in more than 30 countries. In total, over 130 organizations have been identified as victims of this campaign. Using the Kaspersky Security Network (KSN) and artifacts from malware files and attack sites, we were able to trace the attacks back to March 2015. Noteworthy is that since the beginning of their activities, the attackers’ motivations are apparently financial, whether through the victims’ banking accounts or through selling their intellectual property to interested parties, most infiltrated victim organizations are considered SMBs (Small to Medium size businesses, 30-300 employees), the utilization of commercial off-the-shelf malware makes the attribution of the attacks more difficult.
In total, over 130 organizations have been identified as victims of Operation Ghoul #OpGhoulTweet
In ancient Folklore, the Ghoul is an evil spirit associated with consuming human flesh and hunting kids, originally a Mesopotamian demon. Today, the term is sometimes used to describe a greedy or materialistic individual.Main infection vector: malicious emails
The following picture represents emails that are being used to deliver malware to the victims, in what looks like a payment document. The e-mails sent by attackers appear to be coming from a bank in the UAE, the Emirates NBD, and include a 7z file with malware. In other cases, victims received phishing links. A quick analysis of the email headers reveals fake sources being utilised to deliver the emails to victims.
In the case of spear phishing emails with an attachment, the 7z does not contain payment instructions but a malware executable (EmiratesNBD_ADVICE.exe). We have observed executables with the following MD5s:
Malware MD5 hashes
Email file MD5 hashes
The spear phishing emails are mostly sent to senior members and executives of targeted organizations, most likely because the attackers hope to get access to core intelligence, controlling accounts and other interesting information from people who have the following positions or similar:
- Chief Executive Officer
- Chief Operations Officer
- General Manager
- General Manager, Sales and Marketing
- Deputy General Manager
- Finance and Admin Manager
- Business Development Manager
- Export manager
- Finance Manager
- Purchase manager
- Head of Logistics
- Sales Executive
The malware is based on the Hawkeye commercial spyware, which provides a variety of tools for the attackers, in addition to malware anonymity from attribution. It initiates by self-deploying and configuring persistence, while using anti-debugging and timeout techniques, then starts collecting interesting data from the victim’s device, including:
- Clipboard data
- FileZilla ftp server credentials
- Account data from local browsers
- Account data from local messaging clients (Paltalk, Google talk, AIM…)
- Account data from local email clients (Outlook, Windows Live mail…)
- License information of some installed applications
#OpGhoul malware collects all data such as #passwords, keystrokes and screenshotsTweet
Data is collected by the attackers using primarily:
Http GET posts
- Sent to hxxp://22.214.171.124
- mail.ozlercelikkapi[.]com (126.96.36.199), mail to info@ozlercelikkapi[.]com
- mail.eminenture[.]com (188.8.131.52), mail to eminfo@eminenture[.]com
Both ozlercelikkapi[.]com and eminenture[.]com seem to belong to compromised organisations operating in manufacturing and technology services.Malware command center
The malware connects to 184.108.40.206 to deliver collected information from the victim’s PC. This information includes passwords, clipboard data, screenshots…
The IP address 220.127.116.11 seems to belong to a compromised device running multiple malware campaigns.Victim information
Victim organizations are distributed in different countries worldwide with attackers focused on certain countries more than others:
Number of Victim Organisations by Country
Countries marked as “others” have less than three victim organizations each, they are: Switzerland, Gibraltar, USA, Sweden, China, France, Azerbaijan, Iraq, Turkey, Romania, Iran, Iraq and Italy.Victim industry information
Victim industry types were also indicators of targeted attacks as attackers were looking to infiltrate organizations that belong to the product life cycle of multiple goods, especially industrial equipment.
#Manufacturing #transportation #travel targets of #OpGhoulTweet
Number of Victim Organizations by Industry Type
Victim industry descriptionIndustrial Petrochemical, naval, military, aerospace, heavy machinery, solar energy, steel, pumps, plastics Engineering Construction, architecture, automation, chemical, transport, water Shipping International freight shipping Pharmaceutical Production/research of pharmaceutical and beauty products Manufacturing Furniture, decor, textiles Trading Industrial, electronics and food trading Education Training centers, universities, academic publishing Tourism Travel agencies Technology/IT Providers of IT technologies and consulting services Unknown Unidentified victims The last attack waves
Kaspersky Lab user statistics indicate the new waves of attacks that started in June 2016 are focused on certain countries more than others.
#opghoul highly active in #MiddleEastTweet
Hundreds of detections have been reported by Kaspersky Lab users; 70% of the attacked users were found in the United Arab Emirates alone, the other 30% were distributed in Russia, Malaysia, India, Jordan, Lebanon, Turkey, Algeria, Germany, Iran, Egypt, Japan, Switzerland, Bahrain and Tunisia.
Phishing pages have also been spotted through 18.104.22.168, and although they are taken down quickly, more than 150 user accounts were identified as victims of the phishing links sent by the attackers. Victims were connecting from the following devices and inserting their credentials, a reminder that phishing attacks do work on all platforms:
- Mac OS X
The malware files are detected using the following heuristic signatures:
Operation Ghoul is one of the many attacks in the wild targeting industrial, manufacturing and engineering organizations, Kaspersky Lab recommends users to be extra cautious while checking and opening emails and attachments. In addition, privileged users need to be well trained and ready to deal with cyber threats; failure in this is, in most cases, the cause behind private or corporate data leakage, reputation and financial loss.Indicators of Compromise
The following are common among the different malware infections; the presence of these is an indication of a possible infection.Filenames and paths related to malware
Malware links observed on 22.214.171.124 dating back to March and April 2016:
For more information on how you can protect your business from similar attacks, please visit this post from Kaspersky Business.
August 13, 2016 saw the beginning of a truly bizarre episode. A new identity going under the name ‘ShadowBrokers’ came onto the scene claiming to possess files belonging to the apex predator of the APT world, the Equation Group [PDF]. In their initial leak, the ShadowBrokers claimed the archive was related to the Equation group, however, they didn’t provide any technical details on the connections.
Along with some non-native rants against ‘Wealthy Elites’, the ShadowBrokers provided links to two PGP-encrypted archives. The first was provided for free as a presumptive show of good faith, the second remains encrypted at the time of writing. The passphrase is being ‘auctioned’, but having set the price at 1 million BTC (or 1/15th of the total amount of bitcoin in circulation), we consider this to be optimistic at best, if not ridiculous at face value.
The first archive contains close to 300MBs of firewall exploits, tools, and scripts under cryptonyms like BANANAUSURPER, BLATSTING, and BUZZDIRECTION. Most files are at least three years old, with change entries pointing to August 2013 the newest timestamp dating to October 2013.
As researchers continue to feast on the release, some have already begun to test the functional capabilities of the exploits with good results.
Having originally uncovered the Equation group in February 2015, we’ve taken a look at the newly released files to check for any connections with the known toolsets used by Equation, such as EQUATIONDRUG, DOUBLEFANTASY, GRAYFISH and FANNY.
While we cannot surmise the attacker’s identity or motivation nor where or how this pilfered trove came to be, we can state that several hundred tools from the leak share a strong connection with our previous findings from the Equation group.The Devil’s in the Crypto
The Equation group uses the RC5 and RC6 encryption algorithms quite extensively throughout their creations. RC5 and RC6 are two encryption algorithms designed by Ronald Rivest in 1994 and 1998. They are very similar to each other, with RC6 introducing an additional multiplication in the cypher to make it more resistant. Both cyphers use the same key setup mechanism and the same magical constants named P and Q.
The particular RC5/6 implementation from Equation group’s malware is interesting and deserves special attention because of its specifics. Inside the Equation group malware, the encryption library uses a subtract operation with the constant 0x61C88647. In most publicly available RC5/6 code, this constant is usually stored as 0x9E3779B9, which is basically -0x61C88647. Since an addition is faster on certain hardware than a subtraction, it makes sense to store the constant in its negative form and adding it instead of subtracting. In total, we’ve identified 20 different compiled versions of the RC5/6 code in the Equation group malware.
Encryption-related code in a DoubleFantasy (actxprxy32.dll) sample
In the screenshot above, one can observe the main loop of a RC6 key setup subroutine extracted from one of the Equation group samples. The ShadowBrokers’ free trove includes 347 different instances of RC5/RC6 implementations. As shown in the screenshot below, the implementation is functionally identical including the subtraction of the inverted constant 0x61C88647.
Specific RC6 implementation from “BUSURPER-2211-611.exe” (md5: 8f137a9100a9fcc8b512b3729878a373
Comparing the older, known Equation RC6 code and the code used in most of the binaries from the new leak we observe that they are functionally identical and share rare specific traits in their implementation.
In case you’re wondering, this specific RC6 implementation has only been seen before with Equation group malware. There are more than 300 files in the Shadowbrokers’ archive which implement this specific variation of RC6 in 24 different forms. The chances of all these being faked or engineered is highly unlikely.
This code similarity makes us believe with a high degree of confidence that the tools from the ShadowBrokers leak are related to the malware from the Equation group. While the ShadowBrokers claimed the data was related to the Equation group, they did not provide any technical evidence of these claims. The highly specific crypto implementation above confirms these allegations.
More details about the ShadowBrokers leak and similarities with Equation group are available to Kaspersky Intelligence Services reports’ subscribers. For more information, email email@example.com
This morning, we encountered a gratuitous act of violence against Android users. By simply viewing their favorite news sites over their morning coffee users can end up downloading last-browser-update.apk, a banking Trojan detected by Kaspersky Lab solutions as Trojan-Banker.AndroidOS.Svpeng.q. There you are, minding your own business, reading the news and BOOM! – no additional clicks or following links required. And be careful – it’s still out there!
Download of a malicious application while viewing a news site using AdSense
It turns out the malicious program is downloaded via the Google AdSense advertising network. Be warned, lots of sites use this network – not just news sites – to display targeted advertising to users. Site owners are happy to place advertising like this because they earn money every time a user clicks on it. But anyone can register their ad on this network – they just need to pay a fee. And it seems that didn’t deter the authors of the Svpeng Trojan from pushing their creation via AdSense. The Trojan is downloaded as soon as a page with the advert is visited.
A similar case was registered in mid-July by the Meduza news portal. As a result, they disabled advertising from AdSense on their pages. At that time the technique was used to distribute an earlier version of the Trojan.
Screenshot from the Meduza news site (https://new.vk.com/wall-76982440_659517)
The Svpeng family of banking Trojans has long been known to Kaspersky Lab and possesses a standard set of malicious functions. After being installed and launching, it disappears from the list of installed apps and requests the device’s admin rights (to make it harder for antivirus software or the user to remove it). Svpeng can steal information about the user’s bank cards via phishing windows, intercept, delete, and send text messages (this is necessary for attacks on remote banking systems that use SMS as a transport layer). Also, the malware can counteract mobile security solutions that are popular in Russia by completeing their processes.
In addition, Svpeng collects an impressive amount of information from the user’s phone – the call history, text and multimedia messages, browser bookmarks and contacts.
Be careful and use antivirus solutions!
Special thanks to our colleague Stanislav Zaytsev for the video.
Hacks in Taiwan Conference (HITCON) 2016 was held on 22 – 23 July 2016 in Taipei, Taiwan. The theme of HITCON Community this year is “Security or Nothing”, focusing on hacking techniques and information security.
About 1,500 participants attended to the event coming from the United States, India, Korea, China, Japan and Taiwan. The attendees enjoyed their opportunities to meet security experts, security researchers and malware analysts from each country to discuss information security, APT research and malware analysis. Among them, more than 20 percent were students who possess high skills and promising futures.
This conference agenda included various topics: a 0-day exploit of the Windows 10 built-in browser “Edge”, research regarding an attempt to break the key of an IoT intelligent electric network, and talks on ransomware.
The following are summaries of a few of the impressive presentations:
- BLE authentication design challenges on IoT Devices: Analyzing Gogoro Smart Scooter
Mr. GD (Team T5) introduced how to analyze Bluetooth Low Energy (BLE) and provided details of communication protocols between IoT devices and a smartphone that controls them. He explained a problem in authentication mechanism and application protocol of the Gogoro smart scooter. He demonstrated that other people were able to unlock the scooter and proposed a better authentication mechanism to solve the problem.
2. Bug Bounty: The story of a bug hunter
Mr. Orange Tsai (student) explained what a bug bounty program is, including how to get ready and cautions for participating in a bug bounty. He shared his point of view over finding bugs, as well as examples from his own experiences. Some remote code executions on Facebook, Uber, Apple and Yahoo! were introduced. In addition, he talked about eBay’s SQL Injection and several cross-site scripting cases on Facebook, Apple and Google by showing sample code for each.
If you are interested, you can see the HITCON 2016 presentations at http://hitcon.org/2016/CMT/#hitcon_agenda.
The last session of the 2nd day was a “Lightning talk show” which included technical short presentations that covered recent topics. For example, the first speaker talked about how to communicate with an APT operator and showed the attributions in a recent incident. Another speaker introduced how to crack and hack “Pokémon GO” and they demonstrated how to hook the GPS and control it. They published their code as an open source project on GitHub.
This conference did not consist only of briefings, but also some fun events: a hacker board game, a Raspberry Pi Wargame challenge and the Wall of Sheep. One funny thing that occurred was when some captured traffic indicated someone made a connection to a Japanese dating site via the HITCON public Wi-Fi. It was a window of opportunity for attendees to learn their own vulnerabilities.
The official language of this conference was Chinese, but there were no worries; The event staff wearing an “ask me anything” (何でも聞いて) -sticker with a cute-smile-emoji helped attendees with English and Japanese translations.
In conclusion, HITCON 2016 was really interesting and exciting. We really enjoyed this conference and plan to attend in years to come. The HITCON community has another event, HITCON Pacific (http://hitcon.org/2016/) from 28 November to 3 December 2016. Hopefully we will be in attendance for that one as well:)
All the statistics used in this report were obtained using Kaspersky Security Network (KSN), a distributed antivirus network that works with various anti-malware protection components. The data was collected from KSN users who agreed to provide it. Millions of Kaspersky Lab product users from 213 countries and territories worldwide participate in this global exchange of information about malicious activity.Q1 figures
- According to KSN data, Kaspersky Lab solutions detected and repelled 171,895,830 malicious attacks from online resources located in 191 countries all over the world.
- 54,539,948 unique URLs were recognized as malicious by web antivirus components.
- Kaspersky Lab’s web antivirus detected 16,119,489 unique malicious objects: scripts, exploits, executable files, etc.
- Attempted infections by malware that aims to steal money via online access to bank accounts were registered on 1,132,031 user computers.
- Crypto ransomware attacks were blocked on 311,590 computers of unique users.
- Kaspersky Lab’s file antivirus detected a total of 249,619,379 unique malicious and potentially unwanted objects.
- Kaspersky Lab mobile security products detected:
- 3,626,458 malicious installation packages;
- 27,403 mobile banker Trojans (installation packages);
- 83,048 mobile ransomware Trojans (installation packages).
In Q2 2016, Kaspersky Lab detected 3,626,458 malicious installation packages – 1.7 times more than in the previous quarter.
Number of detected malicious installation packages (Q3 2015 – Q2 2016)Distribution of mobile malware by type
As of this quarter, we will calculate the distribution of mobile malware by type based on the number of detected malicious installation packages rather than modifications, as was the case in earlier reports.
Distribution of new mobile malware by type (Q1 2016 and Q2 2016)
In Q2 2016, RiskTool software, or legal applications that are potentially dangerous to users, topped the ranking of detected malicious objects for mobile devices. Their share increased from 31.6% in Q1 to 45.1% this quarter.
Adware occupies second place. The share of these programs fell 1.4 p.p. compared to the previous quarter, and accounted for 14.2%.
The share of SMS Trojans fell from 18.5% to 10.8%, pushing this category of malicious programs down from second to third place in the ranking. Trojan-SMS.AndroidOS.Agent.qu and Trojan-SMS.AndroidOS.Agent.f accounted for most of the detected SMS Trojans, with both accounting for approximately 30% of all malicious files in this category.
The Trojan-Dropper share also fell – from 14.5% in Q1 to 9.2%. Trojan-Dropper.AndroidOS.Agent.v led the way: we detected more than 50,000 installation packages related to this Trojan.TOP 20 mobile malware programs
Please note that this ranking of malicious programs does not include potentially dangerous or unwanted programs such as RiskTool or adware.Name % of attacked users* 1 DangerousObject.Multi.Generic 80.87 2 Trojan.AndroidOS.Iop.c 11.38 3 Trojan.AndroidOS.Agent.gm 7.71 4 Trojan-Ransom.AndroidOS.Fusob.h 6.59 5 Backdoor.AndroidOS.Ztorg.a 5.79 6 Backdoor.AndroidOS.Ztorg.c 4.84 7 Trojan-Ransom.AndroidOS.Fusob.pac 4.41 8 Trojan.AndroidOS.Iop.t 4.37 9 Trojan-Dropper.AndroidOS.Gorpo.b 4.3 10 Trojan.AndroidOS.Ztorg.a 4.30 11 Trojan.AndroidOS.Ztorg.i 4.25 12 Trojan.AndroidOS.Iop.ag 4.00 13 Trojan-Dropper.AndroidOS.Triada.d 3.10 14 Trojan-Dropper.AndroidOS.Rootnik.f 3.07 15 Trojan.AndroidOS.Hiddad.v 3.03 16 Trojan-Dropper.AndroidOS.Rootnik.h 2.94 17 Trojan.AndroidOS.Iop.o 2.91 18 Trojan.AndroidOS.Rootnik.ab 2.91 19 Trojan.AndroidOS.Triada.e 2.85 20 Trojan-SMS.AndroidOS.Podec.a 2.83
* Percentage of unique users attacked by the malware in question, relative to all users of Kaspersky Lab’s mobile security product that were attacked.
First place is occupied by DangerousObject.Multi.Generic (80.87%), the classification used for malicious programs detected by cloud technologies. Cloud technologies work when the antivirus database contains neither the signatures nor heuristics to detect a malicious program, but the cloud of the antivirus company already contains information about the object. This is basically how the very latest malware is detected.
As in the previous quarter, 16 Trojans that use advertising as their main means of monetization (highlighted in blue in the table) made it into the TOP 20. Their goal is to deliver as many adverts as possible to the user, employing various methods, including the installation of new adware. These Trojans may use superuser privileges to conceal themselves in the system application folder, from which it will be very difficult to delete them.
Trojan.AndroidOS.Iop.c (11.38%) moved from third to second in the TOP 20 and became the single most popular malicious program of the quarter. Over the reporting period we detected this Trojan in 180 countries, but the majority of attacked users were in Russia, India and Algeria. Iop.c can exploit a variety of vulnerabilities in the system to gain superuser privileges. The main method of monetization is displaying advertising and installing (usually secretly) various programs on the user’s device, including other malicious programs.
In Q2 2016, @kaspersky repelled 172M malicious attacks via online resources located in 191 countries #KLreport #InfosecTweet
Representatives of the Trojan-Ransom.AndroidOS.Fusob ransomware family claimed fourth and seventh places. These Trojans demand a ransom of $100-200 from victims to unblock their devices. Attacks using this Trojan were registered in over 120 countries worldwide in Q2, with a substantial number of victims located in Germany and the US.
Trojan-SMS.AndroidOS.Podec.a (2.83%) has now spent over a year in the mobile malware TOP 20, although it is starting to lose ground. It used to be an ever-present in the TOP 5 mobile threats, but for the second quarter in a row it has only made it into the bottom half of the ranking. Its functionality has remained practically unchanged; its main means of monetization is to subscribe users to paid services.The geography of mobile threats
The geography of attempted mobile malware infections in Q2 2016 (percentage of all users attacked)
TOP 10 counties attacked by mobile malware (ranked by percentage of users attacked)Country* % of users attacked ** 1 China 36.31 2 Bangladesh 32.66 3 Nepal 30.61 4 Uzbekistan 22.43 5 Algeria 22.16 6 Nigeria 21.84 7 India 21.64 8 Indonesia 21.35 9 Pakistan 19.49 10 Iran 19.19
* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000.
** Percentage of unique users attacked in each country relative to all users of Kaspersky Lab’s mobile security product in the country.
China topped the ranking, with more than 36% of users there encountering a mobile threat at least once during the quarter. China also came first in this ranking in Q1 2016.
In all the countries of this ranking, except China, the most popular mobile malware was the same – advertising Trojans that appeared in the TOP 20 mobile malware, and AdWare. The most popular malicious program was Trojan.AndroidOS.Iop.c. In China, a significant proportion of attacks also involved advertising Trojans, but the majority of users there encountered the Backdoor.AndroidOS.GinMaster and Backdoor.AndroidOS.Fakengry families, while Trojan.AndroidOS.Iop.c only occupied sixteenth place.
Russia (10.4%) was 26th in this ranking, Germany (8.5%) 38th, Italy (6.2%) 49th, and France (5.9%) 52th. The US (5.0%) came 59th and the UK (4.6%) 64th.
The safest countries were Austria (3.6%), Sweden (2.9%) and Japan (1.7%).Mobile banking Trojans
As of this quarter, we will calculate the distribution of mobile malware by type based on the number of detected malicious installation packages rather than modifications, as was the case in earlier reports. Over the reporting period, we detected 27,403 mobile Trojans, which is 1.2 times less than in Q1.
Number of mobile banking Trojans detected by Kaspersky Lab solutions (Q3 2015 – Q2 2016)
The TOP 5 most popular mobile banking Trojans in Q2 consisted of representatives from just two families – Trojan-Banker.AndroidOS.Asacub and Trojan-Banker.AndroidOS.Svpeng.
Trojan-Banker.AndroidOS.Asacub.i was the most popular mobile banking Trojan of the quarter. It uses different methods to trick users and bypass system constraints. In Q1 we identified a modification of this mobile Trojan that overlaid the regular system window requesting device administrator privileges with its own window containing buttons. The Trojan thereby conceals the fact that it is gaining elevated privileges in the system from the user, and tricks the user into approving these privileges. In Q2, we detected a modification that requested the user’s permission to become the main SMS application.
Dialog window of Trojan-Banker.AndroidOS.Asacub.i asking for the user’s approval to become the main SMS application
This allows the Trojan to bypass the system constraints introduced in Android 4.4, and to hide incoming SMSs from the user (as a rule, it hides messages from banks and payment systems). In order to make users save this malicious program in the settings as the main SMS application, the Trojan authors had to, among other things, implement a messenger interface.
The Trojan-Banker.AndroidOS.Asacub.i interface used to create and send messages
Asacub is actively distributed via SMS spam.
Russia and Germany lead in terms of the number of users attacked by mobile banking Trojans:
Geography of mobile banking threats in Q2 2016 (percentage of all users attacked)
The number of attacked users depends on the overall number of users within each individual country. To assess the risk of a mobile banker Trojan infection in each country, and to compare it across countries, we created a country ranking according to the percentage of users attacked by mobile banker Trojans.
TOP 10 counties attacked by mobile banker Trojans (ranked by percentage of users attacked)Country* % of users attacked** 1 Russia 1.51 2 Australia 0.73 3 Uzbekistan 0.45 4 Korea 0.35 5 China 0.34 6 Ukraine 0.33 7 Denmark 0.28 8 Germany 0.24 9 Turkey 0.23 10 Kyrgyzstan 0.17
* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000.
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all users of Kaspersky Lab’s mobile security product in the country.
In Q2 2016, first place was occupied by Russia (1.51%) where the majority of affected users encountered the Trojan-Banker.AndroidOS.Asacub, Trojan-Banker.AndroidOS.Svpeng and Trojan-Banker.AndroidOS.Faketoken families of mobile banker Trojans.
China, last quarter’s leader, fell to fifth place this quarter.
In second place again was Australia where the Trojan-Banker.AndroidOS.Acecard family was replaced by the Trojan-Banker.AndroidOS.Marcher family as the most popular threat.
Banking Trojans were especially popular with attackers in Russia and Australia. The percentage of users attacked by this malware in the two countries relative to all attacked users accounted for 14%.Mobile Trojan-Ransomware
As of this quarter, we will calculate the distribution of mobile malware by type based on the number of detected malicious installation packages rather than modifications, as was the case in earlier reports.
In Q2 2016, we detected 83,048 mobile Trojan-Ransomware installation packages, which is about the same number as the previous quarter and seven times more than in Q4 2015.
Number of mobile Trojan-Ransomware installation packages detected by Kaspersky Lab
(Q3 2015 – Q2 2016)
The sharp rise in the number of mobile Trojan-Ransomware installation packages in 2016 was caused by the active proliferation of the Trojan-Ransom.AndroidOS.Fusob family of Trojans. In the first quarter of 2016, this family accounted for 96% of users attacked by mobile ransomware. In Q2 its share was 85%.
In Q2 2016, 54.5M unique malicious URLs were recognized by @kaspersky web antivirus components #KLreport #ITTweet
Trojan-Ransom.AndroidOS.Fusob.h became the most popular mobile Trojan-Ransomware in the second quarter – it accounted for nearly 60% of users attacked by mobile ransomware. Once run, the Trojan requests administrator privileges, collects information about the device, including the GPS coordinates and call history, and downloads the data to a malicious server. After that, it may get a command to block the device. In the second quarter we registered a growth in the number of installation packages related to Trojan-Ransom.AndroidOS.Congur.b: their share grew from 0.8% to 8.8%. This Trojan, targeting Chinese-speaking users, changes the system password (PIN), or installs it if no password was installed earlier, thus making it impossible to use the device. The notification containing the ransom demand is displayed on the screen of the blocked device.
Germany, the US and Russia had the highest number of users attacked by Trojan-Ransomware this quarter:
Geography of mobile Trojan-Ransomware in Q2 2016 (percentage of all users attacked)
To assess the risk of a mobile banker Trojan infection in each country, and to compare it across countries, we created a country ranking according to the percentage of users attacked by mobile Trojan-Ransomware.
TOP 10 counties attacked by mobile Trojan-Ransomware (ranked by percentage of users attacked)Country* % of users attacked** 1 Canada 2.01 2 Germany 1.89 3 US 1.66 4 Switzerland 1.63 5 Mexico 1.55 6 UK 1.51 7 Denmark 1.35 8 Italy 1.35 9 Kazakhstan 1,35 10 Netherlands 1.15
* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000.
** Percentage of unique users in each country attacked by mobile Trojan-Ransomware, relative to all users of Kaspersky Lab’s mobile security product in the country.
In all the countries of the TOP 10, except for Kazakhstan, the most popular Trojan-Ransom family was Fusob. In the US, the Trojan-Ransom.AndroidOS.Svpeng family was also popular. These Trojans demand a ransom of $100-500 from victims to unblock their devices.
In Kazakhstan and Uzbekistan, the main threat to users originated from representatives of the Small mobile Trojan-Ransom family. This is a fairly simple ransomware program that blocks operation of a device by overlaying all the windows on the device with its own window and demanding $10 to unblock it.Vulnerable applications exploited by cybercriminals
In Q2 2016, exploits for Adobe Flash Player remained popular. During the reporting period two new vulnerabilities were discovered in this software:
An exploit for CVE-2016-4117 was added to the Magnitude and Neutrino exploit kits. The CVE-2016-4171 vulnerability was used by the ScarCruft group to carry out targeted attacks. We wrote a more detailed account of this group’s activities in a blog published in mid-June.
In Q2 2016, @kaspersky web #antivirus detected 16,119,489 unique malicious objects #KLreport #netsecTweet
The main event this quarter was the demise of the long-term market leaders – the Angler and Nuclear exploit kits. Angler’s departure resulted in market players shifting to other kits to distribute malware. In particular, we registered a dramatic growth in the popularity of the Neutrino exploit kit.
This is how the overall picture for the use of exploits in the second quarter looks:
Distribution of exploits used in attacks by the type of application attacked, Q2 2016
The chart shows that despite the exit of the market leaders the breakdown of exploits was almost unchanged from the previous quarter: the proportion of exploits for Microsoft Office (14%) and Java (7%) fell by 1 p.p., while the share for Android grew 2 p.p. and reached 24%. This suggests that demand for exploit kits has been spread among the remaining players: RIG, Magnitude and Neutrino. The latter was the undisputed leader this quarter in terms of the number of attempts to download malware.Online threats (Web-based attacks)
The statistics in this section were derived from web antivirus components that protect users from attempts to download malicious objects from a malicious/infected website. Malicious websites are created deliberately by malicious users; infected sites include those with user-contributed content (such as forums), as well as compromised legitimate resources.
In the second quarter of 2016, Kaspersky Lab’s web antivirus detected 16,119,489 unique malicious objects: scripts, exploits, executable files, etc. 54,539,948 unique URLs were recognized as malicious by web antivirus components.Online threats in the banking sector
These statistics are based on the detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.Number of users attacked by malware targeting finances<
Due to the constant emergence of new representatives of banking Trojans and functional changes in existing banking Trojans, in the second quarter of 2016 we have significantly updated the list of verdicts classed as banking risks. This means the number of financial malware victims has changed significantly compared to the data published in previous quarters. As a comparison, we have recalculated the statistics for the previous quarter, taking into account all the malware from the updated list.
Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on 1,132,031 computers in Q2 2016. The quarter saw an increase in financial malware activity: the figure for Q2 is 15.6% higher than that for the previous quarter (979, 607).
Number of users attacked by malware targeting finances, Q2 2016Geography of attack
To evaluate and compare the risk of being infected by banking Trojans worldwide, we calculate the percentage of Kaspersky Lab product users who encountered this type of threat during the reporting period in the country, relative to all users of our products in the county.
Geography of banking malware attacks in Q2 2016 (percentage of attacked users)
TOP 10 countries by percentage of attacked usersCountry* % of attacked users** 1 Turkey 3.45 2 Russia 2.92 3 Brazil 2.63 4 Pakistan 2.60 5 Venezuela 1.66 6 Tunisia 1.62 7 Japan 1.61 8 Singapore 1.58 9 Libya 1.57 10 Argentina 1.48
These statistics are based on the detection verdicts returned by the antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
* We excluded those countries in which the number of Kaspersky Lab product users is relatively small (less than 10,000).
** Unique users whose computers have been targeted by banking Trojan attacks as a percentage of all unique users of Kaspersky Lab products in the country.
The highest percentage of Kaspersky Lab users attacked by banking Trojans was in Turkey. One of the reasons for the growth in financial threats there was a burst of activity by the Gozi banking Trojan whose developers have joined forces with the creators of the Nymaim Trojan.
In Russia, 2.92% of users encountered a banking Trojan at least once in Q2, placing it second in this ranking.
Brazil rounds off the top three. We expect a surge in financial threats in Latin America in the next quarter due to the Olympic Games in Brazil. This event is just too tempting for cybercriminals to ignore – they regularly use the theme of major sporting events in their attacks to lure potential victims.
The top five countries where users were least affected by banking Trojans were Canada (0.33%), the US (0.4%), the UK (0.4%), France (0.43%) and the Netherlands (0.5%).
The percentage of banking Trojan victims in Italy was 0.62%, in Spain it was 0.83%, while in Germany the figure was 1.03%.
The TOP 10 banking malware familie>
The table below shows the top 10 malware families most commonly used in Q2 2016 to attack online banking users (as a percentage of users attacked):Name* Percentage of users attacked** 1 Trojan-Spy.Win32.Zbot 15.72 2 Trojan-Banker.Win32.Gozi 3.28 3 Trojan.Win32.Qhost 2.35 4 Trojan-Banker.Win32.Shiotob 2.27 5 Trojan-Banker.Win32.BestaFera 2.12 6 Trojan.Win32.Nymaim 1.98 7 Trojan-Banker.Win32.ChePro 1.90 8 Trojan-Banker.Win32.Banbra 1.77 9 Trojan.Win32.Neurevt 0.67 10 Backdoor.Win32.Shiz 0.66
* The detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by the malware in question as a percentage of all users attacked by financial malware.
Trojan-Spy.Win32.Zbot in first place is a permanent fixture in the leading positions of this ranking, and it is no coincidence: the source codes of this Trojan became publicly available back in 2012. This has resulted in the emergence of new banking Trojans that have adopted fragments of the Zbot code.
The second quarter of 2016 saw a surge in malicious activity by Trojan.Win32.Nymaim. As a result, this Trojan made it into the top 10 for the first time, going straight in at sixth place. Nymaim was initially designed to block access to valuable data and then demand a ransom (ransomware) to unblock it, but the latest version now also includes banking Trojan functionality for stealing financial information. This can be explained by the fact that the creators of Nymaim and Gozi (which also appears in the Q2 TOP 10 financial risks) have joined forces. Nymaim’s source code now includes fragments of Gozi code that provide attackers with remote access to infected computers.
In Q2 2016, Attempted infections by financial #malware were registered on 1.1M user computers #KLreport #bankingTweet
A permanent resident in this ranking and one of the reasons financial threats are so prominent in Brazil is the Trojan-Banker.Win32.ChePro family. This banking malware lets cybercriminals take screenshots, register keystrokes, and read the contents of the clipboard, i.e., it possess functionality capable of attacking almost any online banking system. Criminals are trying to implement new techniques to avoid detection for as long as possible. Some of the Trojans from this family use geolocation or ask for the time zone and the Windows version from the system in order to infect users in a particular region.
Yet another newcomer to the top 10 most active financial threats in Q2 was the Trojan.Win32.Neurevt family. Representatives of this family were first discovered in 2013 and are used by cybercriminals not only to steal user payment data in online banking systems but also to send out spam (some versions, for example, sent spam messages on Skype) and implement DDoS attacks (with the addition of functionality capable of performing the Slowloris HTTP flooding scenario).Ransomware Trojans
The overall number of cryptor modifications in our virus collection to date is approximately 26,000. A total of 28 new cryptor families and 9,296 new modifications were detected in Q2.
The following graph shows the rise in the number of newly created cryptor modifications over the last two quarters.
Number of Trojan-Ransom cryptor modifications (Q1 2016 vs Q2 2016)
Some of the more high-profile or unusual Trojans detected in Q2 2016 are listed below:
This cryptor has been widely distributed via exploit kits since April 2016. Its earlier versions contained gaps in the file encryption algorithm which allowed Kaspersky Lab to release a utility to decrypt them. Unfortunately, the attackers have made adjustments to subsequent versions, making it impossible to decrypt the files affected by later CryptXXX modifications.
This malware combines cryptor functionality and a worm distribution method. Trojan ransomware does not usually include tools for self-propagation, and ZCryptor just happens to be an exception to this rule. Like a classic worm, while infecting, it creates copies of its body on removable media and generates the autorun.inf file to implement the automatic launch of its executable file once the media is connected to another system (if, of course, autorun is not disabled).
This cryptor puts the victim’s files in password-protected ZIP archives; and it creates passwords using the Diffie-Hellman algorithm on an elliptic curve. The design of the ransom note and the payment site is an exact copy of that used by the notorious Locky.
This is a combination of MBR blocker and file cryptor, probably inspired by similar functionality in the notorious Petya + Mischa Trojans. Satana, unlike Petya, does not encrypt MFT; in fact, its MBR module is obviously incomplete because the process of checking the password entered by the victim results in nothing more than a continuous cycle. Below is a fragment of the code demonstrating this.
Number of users attacked by Trojan-Ransom cryptor malware (Q2 2016)
In Q2 2016, 311,590 unique users were attacked by cryptors, which is 16% less than the previous quarter. Approximately 21% of those attacked were in the corporate sector.
It is important to keep in mind that the real number of incidents is several times higher: the statistics reflect only the results of signature-based and heuristic detections, while in most cases Kaspersky Lab products detect encryption Trojans based on behavior recognition models and issue the Generic verdict, which does not distinguish the type of malicious software.Top 10 countries attacked by cryptors Country* % of users attacked by cryptors** 1 Japan 2.40 2 Italy 1.50 3 Djibouti 1.46 4 Luxembourg 1.36 5 Bulgaria 1.34 6 Croatia 1.25 7 Maldives 1.22 8 Korea 1.21 9 Netherlands 1.15 10 Taiwan 1.04
* We excluded those countries where the number of Kaspersky Lab product users is relatively small (less than 10,000).
** Unique users whose computers have been targeted by ransomware as a percentage of all unique users of Kaspersky Lab products in the country.
In Q2, half of the top 10 were European countries – one less than the previous quarter.
Japan, which came ninth in Q1, topped the ranking of countries attacked by cryptors with 2.40%: the most widespread cryptor families in the country were Teslacrypt, Locky and Cryakl.
Newcomers to this ranking were Djibouti (1.46%), Korea (1.21%) and Taiwan (1.04%).Top 10 most widespread cryptor families Name Verdict* Percentage of users** 1 CTB-Locker Trojan-Ransom.Win32.Onion/Trojan-Ransom.NSIS.Onion 14.59 2 Teslacrypt Trojan-Ransom.Win32.Bitman 8.36 3 Locky Trojan-Ransom.Win32.Locky 3.34 4 Shade Trojan-Ransom.Win32.Shade 2.14 5 Cryrar/ ACCDFISA Trojan-Ransom.Win32.Cryrar 2.02 6 Cryptowall Trojan-Ransom.Win32.Cryptodef 1.98 7 Cryakl Trojan-Ransom.Win32.Cryakl 1.93 8 Cerber Trojan-Ransom.Win32. Zerber 1.53 9 Scatter Trojan-Ransom.BAT.Scatter/Trojan-Downloader.JS.Scatter/Trojan-Dropper.JS.Scatter/Trojan-Ransom.Win32.Scatter 1.39 10 Rakhni Trojan-Ransom.Win32.Rakhni/Trojan-Downloader.Win32.Rakhni 1.13
* These statistics are based on detection verdicts received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by a specific Trojan-Ransom family as a percentage of all users of Kaspersky Lab products attacked by Trojan-Ransom malware.
First place in Q2 was occupied by the CTB-Locker (Trojan-Ransom.Win32/NSIS.Onion) family. In second place was the TeslaCrypt family represented by one verdict: Trojan-Ransom.Win32.Bitman. The Trojan-Ransom.JS.Cryptoload verdict, which in the past downloaded malware and was associated with TeslaCrypt, is no longer characteristic of this family only. TeslaCrypt was earlier a major contributor to the statistics, but fortunately ceased to exist in May 2016 – the owners disabled their servers and posted a master key to decrypt files.
In Q2 2016, #crypto #ransomware attacks were blocked on 311,590 computers of unique users #KLreportTweet
Cerber and Cryrar are the only changes to this ranking compared to the previous quarter.
The Cerber cryptor spreads via spam and exploit kits. The cryptor’s site on the Tor network is translated into lots of languages. Cerber’s special features include the following:
- It explores the infected system meticulously: checks for the presence of an antivirus, if it is running under a virtual machine (Parallels, VmWare, QEMU, VirtualBox) or Wine, checks for utilities from various researchers and analysts (it does this by searching for certain processes and files on the disk drive), it even has a blacklist of system drive serial numbers.
- It checks the keyboard layout and the IP address of the infected system. If it detects that the machine is located in a CIS country, it stops infecting it.
- It attempts to bypass antivirus protection by terminating their processes, interrupting services, deleting files.
- In addition to notifying users about encryption in the form of TXT and HTML files, as is the case with other families, it also runs the VBS script which reproduces the following voice message: “Attention! Attention! Attention! Your documents, photos, databases and other important files have been encrypted!”
The Cryrar cryptor also known as the Anti Cyber Crime Department of Federal Internet Security Agency (ACCDFISA), Anti-Child Porn Spam Protection, etc. first appeared back in 2012. It has the distinctive feature of placing the victim’s files in password-protected self-extracting RAR archives. According to KSN statistics, it shows no signs of conceding its position to newer rivals.Top 10 countries where online resources are seeded with malware
The following statistics are based on the physical location of the online resources that were used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks.
In order to determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.
In Q2 2016, Kaspersky Lab solutions blocked 171,895,830 attacks launched from web resources located in 191 countries around the world. 54,539,948 unique URLs were recognized as malicious by web antivirus components.
81% of notifications about blocked web attacks were triggered by attacks coming from web resources located in 10 countries.
Distribution of web attack sources by country, Q2 2016
The US (35.44%) returned to the top of this ranking in the second quarter. Russia (10.28%) moved up one place to second. The previous quarter’s leader, the Netherlands, dropped to fourth place after its share fell by 17.7 percentage points. Germany completed the Top 3 with a share of 8.9%. Bulgaria left the Top 10, while Canada was a newcomer in ninth place with 0.96%.Countries where users faced the greatest risk of online infection
In order to assess the risk of online infection faced by users in different countries, we calculated the percentage of Kaspersky Lab users in each country who encountered detection verdicts on their machines during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers work in different countries.Country* % of unique users attacked** 1 Azerbaijan 32.10 2 Russia 30.80 3 China 29.35 4 Slovenia 27.54 5 Ukraine 27.46 6 Kazakhstan 27.03 7 Vietnam 26.02 8 Algeria 25.63 9 Armenia 25.09 10 Belarus 24.60 11 Brazil 24.05 12 France 22.45 13 Moldova 22.34 14 Kyrgyzstan 22.13 15 Bulgaria 22.06 16 Italy 21.68 17 Chile 21.56 18 Qatar 20.10 19 India 20.00 20 Portugal 19.84
These statistics are based on the detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
* These calculations excluded countries where the number of Kaspersky Lab users is relatively small (fewer than 10,000 users).
** Unique users whose computers have been targeted by web attacks as a percentage of all unique users of Kaspersky Lab products in the country.
In Q2, Azerbaijan moved up from fourth to first place and became the new leader of this ranking with 32.1%. Russia (30.8%) dropped from first to second, while Kazakhstan (27.03%) fell from second to sixth place.
Since the previous quarter, Spain, Lithuania, Croatia and Turkey have all left the TOP 20. The newcomers to this ranking were Bulgaria (22.06%), Chile (21.56%), Qatar (20.10%) and Portugal (19.84%).
The countries with the safest online surfing environments included Canada (15%), Romania (14.6%), Belgium (13.7%), Mexico (13.2%), the US (12.8%), Switzerland (12. 4%), New Zealand (12.1%), Czech Republic (12%), Argentina (9.9%), Japan (9.5%), the Netherlands (8.3), Sweden (8.2%) and Germany (8%).
On average, 19.4% of computers connected to the Internet globally were subjected to at least one web attack during the three months. This is a fall of 1.8 p.p. compared to Q1 2016.Local threats
Local infection statistics for user computers are a very important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.).
Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.
In Q2 2016, Kaspersky Lab’s file antivirus detected 249,619,379 unique malicious and potentially unwanted objects.Countries where users faced the highest risk of local infection
For each of the countries, we calculated the percentage of Kaspersky Lab product users on whose computers the file antivirus was triggered during the quarter. These statistics reflect the level of personal computer infection in different countries.
Top 20 countries with the highest levels of computer infectionCountry* % of unique users** 1 Somalia 65.80 2 Vietnam 63.33 3 Tajikistan 62.00 4 Russia 61.56 5 Kyrgyzstan 60.80 6 Bangladesh 60.19 7 Afghanistan 60.00 8 Armenia 59,74 9 Ukraine 59.67 10 Nepal 59.66 11 Ethiopia 59.63 12 Laos 58.43 13 Kazakhstan 57.72 14 Rwanda 57.33 15 Djibouti 56.07 16 Yemen 55.98 17 Venezuela 55.76 18 Algeria 55.58 19 Cambodia 55.56 20 Iraq 55.55
These statistics are based on the detection verdicts returned by on-access and on-demand antivirus modules, received from users of Kaspersky Lab products who have consented to provide their statistical data. The data include detections of malicious programs located on users’ computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives.
* These calculations exclude countries where the number of Kaspersky Lab users is relatively small (fewer than 10,000 users).
** The percentage of unique users in the country with computers that blocked local threats as a percentage of all unique users of Kaspersky Lab products.
Somalia remained the leader of this ranking in Q2 2016 with 65.8%. Yemen (55.98%) fell from second to sixteenth place, while Vietnam (63.33%) jumped from eighth to second. Tajikistan (62%) rounded off the TOP 3. Russia moved up one place from fifth to fourth, although the figure for that country declined by 2.62 percentage points to 61.56%.
In Q2 2016, 27,403 #mobile #banking Trojans were detected by @kaspersky mobile security products #KLreportTweet
Newcomers to this ranking are Djibouti in fifteenth place (56.07%), Venezuela in seventeenth (55.76%), and Cambodia in nineteenth (55.56%).
The safest countries in terms of local infection risks were Croatia (29%), Singapore (28.4%), Germany (28.1%), Norway (27.6%), the US (27.1%), Switzerland (26.3%), Japan (22.1%), Denmark (21.4%) and Sweden (21.3%).
An average of 43.3% of computers globally faced at least one local threat during Q2 2016, which is 1.2 p.p. less than in the previous quarter.
Earlier in the year, as part of an incident response investigation, we uncovered a new version of the Skimer ATM malware. The malware, which first surfaced in 2009, has been re-designed. So too have the tactics of the cybercriminals using it. The new ATM infector has been targeting ATMs around the world, including the UAE, France, the United States, Russia, Macau, China, the Philippines, Spain, Germany, Georgia, Poland, Brazil and the Czech Republic.
Rather than the well-established method of fitting a fake card-reader to the ATM, the attackers take control over the whole ATM. They start by installing the Skimer malware on the ATM – either through physical access or by compromising the bank’s internal network. The malware infects the ATM’s core – the part of the device responsible for interaction with the wider bank infrastructure, card processing and dispensing of cash. In contrast to a traditional card skimmer, there are no physical signs that the ATM is infected, leaving the attackers free to capture data from cards used at the ATM (including a customer’s bank account number and PIN) or steal cash directly.
The cybercriminal ‘wakes up’ the infected ATM by inserting a card that contains specific records on the magnetic stripe. After reading the card, Skimer is able execute a hard-coded command, or receive commands through a special menu activated by the card. The Skimer user interface appears on the display only after the card is ejected and only if the cybercriminal enters the correct session key within 60 seconds. The menu offers 21 different options, including dispensing money, collecting details of cards that have been inserted in the ATM, self-deletion and performing updates. The cybercriminal can save card details on the chip of their card, or print the details it has collected.
The attackers are careful to avoid attracting attention. Rather than take money directly from the ATM – which would be noticed immediately – they wait (sometimes for several months) before taking action. In most cases, they collect data from skimmed cards in order to create cloned cards later. They use the cloned cards in other, non-infected ATMs, casually withdrawing money from the accounts of the victims in a way that can’t be linked back to the compromised ATM.
Kaspersky Lab has several recommendations to help banks protect themselves. They should carry out regular anti-virus scans; employ whitelisting technologies; apply a good device management policy; make use of full disk encryption; password protect the BIOS of ATMs; enforce hard disk booting and isolate the ATM network from the rest of the bank infrastructure. The magnetic strip of the card used by the cybercriminals to activate the malware contains nine hard-coded numbers. Banks may be able to proactively look for these numbers within their processing systems: so we have shared this information, along with other Indicators of Compromise (IoCs).
In April, one of our experts provided an in-depth examination of ATM jackpotting and offered some insights into what should be done to secure these devices.New attacks, old exploit
In recent months we have been tracking a wave of cyber-espionage attacks conducted by different APT groups across the Asia-Pacific and Far East regions. They all share one common feature: they exploit the CVE-2015-2545 vulnerability. This flaw enables an attacker to execute arbitrary code using a specially crafted EPS image file. It uses PostScript and can evade the Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) protection methods built into Windows. The Platinum, APT16, EvilPost and SPIVY groups were already known to use this exploit. More recently, it has also been used by the Danti group.
Danti, first identified in February 2016 and still active, is highly focused on diplomatic bodies. The group predominantly targets Indian government organizations, but data from the Kaspersky Security Network (KSN) indicates that it has also infected targets in Kazakhstan, Kyrgyzstan, Uzbekistan, Myanmar, Nepal and the Philippines.
The exploit is delivered using spear-phishing e-mails spoofed to look as though they have been sent by high-ranking Indian government officials. When the victim clicks on the attached DOCX file, the Danti backdoor is installed, allowing the attackers to capture sensitive data.
The origin of the Danti group is unclear, but we suspect that it might be connected to the NetTraveler and DragonOK groups: it’s thought that Chinese-speaking hackers are behind these attacks.
Kaspersky Las has also seen another campaign that makes use of the CVE-2015-2545 vulnerability: we’ve called this SVCMONDR after the Trojan that is downloaded once the attackers get a foothold in the victim’s computer. This Trojan is different to the one used by the Danti group, but it shares some common features with Danti and with APT16 – the latter is a cyber-espionage group believed to be of Chinese origin.
One of the most striking aspects of these attacks is that they are successfully making use of a vulnerability that was patched by Microsoft in September 2015. In November, we predicted that APT campaigns would invest less effort in developing sophisticated tools and make greater use of off-the-shelf malware to achieve their goals. This is a case in point: using a known vulnerability, rather than developing a zero-day exploit. This underlines the need for companies to pay more attention to patch management to secure their IT infrastructure.New attack, new exploit
Of course, there will always be APT groups that seek to take advantage of zero-day exploits. In June, we reported on a cyber-espionage campaign – code-named ‘Operation Daybreak‘ and launched by a group named ScarCruft – that uses a previously unknown Adobe Flash Player exploit (CVE-2016-1010). This group is relatively new and has so far managed to stay under the radar. We think the group might have previously deployed another zero-day exploit (CVE-2016-0147) that was patched in April.
The group have targeted a range of organizations in Russia, Nepal, South Korea, China, India, Kuwait and Romania. These include an Asian law enforcement agency, one of the world’s largest trading companies, a mobile advertising and app monetization company in the United States, individuals linked to the International Association of Athletics Federations and a restaurant located in one of Dubai’s top shopping centres. The attacks started in March 2016: since some of them are very recent, we believe that the group is still active.
The exact method used to infect victims is unclear, but we think that the attackers use spear-phishing e-mails that point to a hacked website hosting the exploit. The site performs a couple of browser checks before redirecting victims to a server controlled by the hackers in Poland. The exploitation process consists of three Flash objects. The one that triggers the vulnerability in Adobe Flash Player is located in the second SWF file delivered to the victim. At the end of the exploitation chain, the server sends a legitimate PDF file, called ‘china.pdf’, to the victim: this seems to be written in Korean.
In Q2 2016, @kaspersky #mobile security products detected 3.6M malicious installation packages #KLreportTweet
The attackers use a number of interesting methods to evade detection, including exploiting a bug in the Windows Dynamic Data Exchange (DDE) component in order to bypass security solutions – a method not seen before. This flaw has been reported to Microsoft.
Flash Player exploits are becoming rare, because in most cases they need to be coupled with a sandbox bypass exploit – this makes them tricky to do. Moreover, although Adobe is planning to drop Flash support soon, it continues to implement new mitigations to make exploitation of Flash Player increasingly difficult. Nevertheless, resourceful groups such as ScarCruft will continue to try and find zero-day exploits to target high-profile victims.
While there’s no such thing as 100 per cent security, the key is to increase security defences to the point that it becomes so expensive for an attacker to breach them that they give up or choose an alternative target. The best defence against targeted attacks is a multi-layered approach that combines traditional anti-virus technologies with patch management, host-based intrusion prevention and a default-deny whitelisting strategy. According to a study by the Australian Signals Directorate, 85 per cent of targeted attacks analysed could have been stopped by employing four simple mitigation strategies: application whitelisting, updating applications, updating operating systems and restricting administrative privileges.
Kaspersky Lab products detect the Flash exploit as ‘HEUR:Exploit.SWF.Agent.gen’. The attack is also blocked proactively by our Automatic Exploit Prevention (AEP) component. The payloads are detected as ‘HEUR:Trojan.Win32.ScarCruft.gen’.XDedic: APT-as-a-Service
Kaspersky Lab recently investigated an active cybercriminal trading platform called xDedic, an online black market for hacked server credentials around the world – all available through the Remote Desktop Protocol (RDP). We initially thought that this market extended to 70,000 servers, but new data suggests that the XDedic market is much wider – including credentials for 176,000 servers. XDedic includes a search engine, enabling potential buyers to find almost anything – from government and corporate networks – for as little as $8 per server. This low price provides ‘customers’ with access to data on such servers and their use as a bridgehead for further targeted attacks.
The owners of the ‘xdedic[.]biz’ domain claim that they have no relation to those selling access to hacked servers – they are simply selling a secure trading platform for others. The XDedic forum has a separate sub-domain, ‘partner[.]xdedic[.]biz’, for the site’s ‘partners’ – that is, those selling hacked servers. The Xdedic owners have developed a tool that automatically collects information about the system, including websites available, software installed and more. They also provide others tools to its partners, including a patch for RDP servers to support multiple logins for the same user and proxy installers.
The existence of underground markets is not new. But we are seeing a greater level of specialisation. And while the model adopted by the XDedic owners isn’t something that can be replicated easily, we think it’s likely that other specialized markets are likely to appear in the future.
Data from KSN helped us identify several files that were downloaded from the XDedic partner portal: Kaspersky Lab products detect these files as malicious. We have also blacklisted the URLs of control servers used for gathering information about the infected systems. Our detailed report on XDedic contains more information on hosts and network-based IoCs.Lurking around the Russian Internet
Sometimes our researchers find malware that is particular about where it infects. On the closed message boards used by Russian cybercriminals, for example, you sometimes see the advice ‘Don’t work with RU’ – offered by experienced criminals to the younger generation: i.e. don’t infect Russian computers, don’t steal money from Russians and don’t use them to launder money. There are two good reasons for this. First, online banking is not as common as it is in the west. Second, victims outside Russia are unlikely to lodge a complaint with the Russian police – assuming, of course, that they even know that Russian cybercriminals are behind the malware that has infected them.
But there are exceptions to every rule. One of these is the Lurk banking Trojan that has been used to steal money from victims in Russia for several years. The cybercriminals behind Lurk are interested in telecommunications companies, mass media and news aggregators and financial institutions. The first provide them with the means to transfer traffic to the attackers’ servers. The news sites provide them with a way to infect a large number of victims in their ‘target audience’ – i.e. the financial sector. The Trojan’s targets appear to include Russia’s four largest banks.
The primary method used to spread the Lurk Trojan is drive-by download, using the Angler exploit pack: the attackers place a link on compromised websites that leads to a landing page containing the exploit. Exploits (including zero-days) are typically implemented in Angler before being used in other exploit packs, making it particularly dangerous. The attackers also distribute code through legitimate websites, where infected files are served to visitors from the .RU zone, but others receive clean files. The attackers use one infected computer in a corporate network as a bridgehead to spread across the organization. They use the legitimate PsExec utility to distribute the malware to other computers; and then use a mini-dropper to execute the Trojan’s main module on the additional computers.
In Q2 2016, @kaspersky #mobile security products detected 83,048 mobile #ransomware Trojans #KLreportTweet
There are a number of interesting features of the Lurk Trojan. One distinct feature, that we discussed soon after it first appeared, is that it is ‘file-less’ malware, i.e. it exists only in RAM and doesn’t write its code to the hard drive.
The Trojan is also set apart because it is highly targeted. The authors do their best to ensure that they infect victims that are of interest to them without catching the attention of analysts or researchers. The incidents known to us suggest Lurk is successful at what it was designed for: we regularly receive reports of thefts from online banking systems; and forensic investigations after the incidents reveal traces of Lurk on the affected computers.Malware stories Cybercriminals get ready for Rio
Fraudsters are always on the lookout for opportunities to make money off the back of major sporting events, so it’s no surprise that we’ve seen an increase in cybercriminal activity related to the forthcoming Olympic Games in Brazil.
We’ve seen an increase in spam e-mails. The spammers try to cash in on people’s desire to watch the games live, sending out messages informing the recipient that they have won a (fake) lottery (supposedly organized by the International Olympic Committee and the Brazilian government): all they need to do to claim their tickets is to reply to the e-mail and provide some personal details.
Some messages point to fake websites, like this one offering direct sale of tickets without the need to make an application to the official lottery:
These fake ticketing sites are very convincing. Some fraudsters go the extra mile by obtaining legitimate SSL certificates to provide a secure connection between the victim’s browser and the site – displaying ‘https’ in the browser address bar to lure victims into a false sense of security. The scammers inform their victims that they will receive their tickets two or three weeks before the event, so the victim doesn’t become suspicious until it’s too late and their card details have been used by the cybercriminals. Kaspersky Lab is constantly detecting and blocking new malicious domains, many of which include ‘rio’ or ‘rio2016’ in the title.
It’s too late to buy tickets through official channels, so the best way to see the games is to watch on TV or online. We advise everyone to beware of malicious streaming websites – probably the last-ditch attempt by cybercriminals to scam people out of their money.
Cybercriminals also take advantage of our desire to stay connected wherever we go – to share our pictures, to update our social network accounts, to find out the latest news or to locate the best places to eat, shop or stay. Unfortunately, mobile roaming charges can be very high, so often people look for the nearest Wi-Fi access point. This is dangerous, because data sent and received over an open Wi-Fi network can be intercepted. So passwords, PINs and other sensitive data can be stolen easily. On top of this, cybercriminals also install fake access points, configured to direct all traffic through a host that can be used to control it – even functioning as a ‘man-in-the-middle’ device that is able to intercept and read encrypted traffic.
To gauge the extent of the problem, we drove by three major Rio 2016 locations and passively monitored the available Wi-Fi networks that visitors are most likely to try and use during their stay – the Brazilian Olympic Committee building, the Olympic Park and the Maracana, Maracanazinho and Engenhao stadiums. We were able to find around 4,500 unique access points. Most are suitable for multimedia streaming. But around a quarter of them are configured with weak encryption protocols: this means that attackers can use them to sniff the data of unsuspecting visitors that connect to them.
To reduce your exposure, we would recommend any traveller (not just those who plan to visit Rio!) to use a VPN connection, so that data from your device travels to the Internet through an encrypted data channel. Be careful though. Some VPNs are vulnerable to DNS leak attacks – meaning that, although your immediate sensitive data is sent via the VPN, your DNS requests are sent in plain text to the DNS servers set by the access point hardware. This would allow an attacker to see what you’re browsing and, if they have access to the compromised Wi-Fi network, define malicious DNS servers – i.e. letting them redirect you from a legitimate site (your bank, for example) to a malicious site. If your VPN provider doesn’t support its own DNS servers, consider an alternative provider or a DNSCrypt service.
There’s one other thing that we need if we want to stay connected – electricity: we need to keep our mobile devices charged. Today you can find charging-points in shopping centres, airports and even taxis. Typically they provide connectors for leading phone models, as well as a USB connector that a visitor can use with their own cable. Some also provide a traditional power supply that can be used with a phone charger.
But remember that you don’t know what’s connected to the other end of the USB connector. If an attacker compromises the charging-point, they can execute commands that allow them to obtain information about your device, including the model, IMEI number, phone number and more: information they can use to run a device-specific attack that would then enable them to infect the device. You can find more information about the data that’s transmitted when you connect a device using USB and how an attacker could use it to compromise a mobile device.
This doesn’t mean that you shouldn’t charge your device when you’re away from home. But you should take steps to protect yourself. It’s always best to use your own charger, rather than using charging cables at a public charging-point or buying one from an unknown source. You should also use a power outlet, instead of a USB socket.
Cybercriminals also continue to exploit established ways to make money. This includes using ATM skimmers to steal credit card data. The most basic skimmers install a card reader and a camera to record the victim’s PIN. The best way to protect yourself from this is to cover the keypad as you enter your PIN. However, sometimes cybercriminals replace the whole ATM, including the keypad and screen, in which case the typed password is stored on the fake ATM system. So it’s also important to check the ATM before you insert your card. Check to see if the green light on the card reader is on: typically, they replace the card reader with a version where there is no light, or it’s switched off. Also check the machine to see if there is anything suspicious, such as missing or broken parts.
Card cloning is another problem facing visitors to Rio 2016. While chip-and-PIN makes life harder for cybercriminals, it’s possible for them to exploit flaws in the EMV transaction implementation. It’s difficult to protect yourself against this type of attack, because usually the point-of-sale is modified in order to save the data – to be collected later by the cybercriminals. Sometimes they don’t need physical access to extract the stolen data, as they collect it via Bluetooth. However, there are some steps you can take to reduce your exposure to this type of attack. Sign up for SMS notifications of card transactions from your bank, if they provide this service. Never give your card to the retailer: if they can’t bring the machine to you, go to the machine. If the device looks suspicious, use a different payment method. Before typing your PIN, make sure you’re on the card payment screen and ensure that your PIN isn’t going to be displayed on the screen.Ransomware: backup or pay up?
Towards the end of last year, we predicted that ransomware would gain ground on banking Trojans – for the attackers, ransomware is easily monetized and involves a low cost per victim. So it’s no surprise that ransomware attacks are increasing. Kaspersky Lab products blocked 2,315,931 ransomware attacks between April 2015 and April 2016 – that’s an increase of 17.7 per cent on the previous year. The number of cryptors (as distinct from blockers) increased from 131,111 in 2014-15 to 718,536 in 2015-16. Last year, 31.6 per cent of all ransomware attacks were cryptors. You can find further information, including an overview of the development of ransomware, in our KSN Report: PC ransomware in 2014-16.
Most ransomware attacks are directed at consumers – 6.8 per cent of attacks in 2014-15 and 13.13 percent in 2015-16 targeted the corporate sector.
However, the figures are different for cryptors: throughout the 24 months covered by the report, around 20 per cent of cryptor attacks targeted the corporate sector.
Hardly a month goes by without reports of ransomware attacks in the media – including recent reports of a hospital and online casino falling victim to ransomware attacks. Yet while public awareness of the problem is growing, it’s clear that consumers and organizations alike are not doing enough to combat the threat; and cybercriminals are capitalizing on this – this is clearly reflected in the number of attacks we’re seeing.
It’s important to reduce your exposure to ransomware (and we’ve outlined important steps you can take here and here). However, there’s no such thing as 100 per cent security, so it’s also important to mitigate the risk. In particular, it’s vital to ensure that you have a backup, to avoid facing a situation where the only choices are to pay the cybercriminals or lose your data. It’s never advisable to pay the ransom. Not only does this validate the cybercriminals’ business model, but there’s no guarantee that they will decrypt your data once you’ve paid them – as one organization discovered recently to its cost. If you do find yourself in a situation where your files are encrypted and you don’t have a backup, ask if your anti-malware vendor is able to help. Kaspersky Lab, for example, is able to help recover data encrypted by some ransomware.Mobile malware
Displaying adverts remains one of the main methods of monetization for detected mobile objects. Trojan.AndroidOS.Iop.c became the most popular mobile Trojan in Q2 2016, accounting for more than 10% of all detected mobile malware encountered by our users during the reporting period. It displays adverts and installs, usually secretly, various programs using superuser privileges. Such activity quickly renders the infected device virtually unusable due to the amount of adverts and new applications on it. Because this Trojan can gain superuser privileges, it is very difficult to delete the programs that it installs.
In our report IT threat evolution in Q1 2016 we wrote about the Trojan-Banker.AndroidOS.Asacub family of banking malware. Representatives of this family have an unusual technique for bypassing the security mechanisms used by operating systems – they overlay the regular system window requesting device administrator privileges with their own window containing buttons. The Trojan thereby conceals the fact that it is gaining elevated privileges in the system, and tricks the user into approving these privileges. In Q2 2016, Asacub introduced yet another method for deceiving users: the Trojan acquired SMS messenger functionality and started offering its services in place of the device’s standard SMS app.
Dialog window of Trojan-Banker.AndroidOS.Asacub.i asking for the rights to be the main SMS application
This allows the Trojan to bypass system constraints first introduced in Android 4.4 as well as delete or hide incoming SMSs from the user.
Back in October 2015, we wrote about representatives of the Trojan-PSW.AndroidOS.MyVk family that steal passwords from user accounts on the VK.com social network. This quarter, those responsible for distributing Trojans from this family introduced a new approach for bypassing Google Play security mechanisms that involved first publishing an app containing useful functionality with no malicious code. Then, at least once, they updated it with a new version of the application – still without any malicious code. It was more than a month after the initial publication that the attackers eventually added malicious code to an update. As a result, thousands of users downloaded Trojan-PSW.AndroidOS.MyVk.i.Data breaches
Personal information is a valuable commodity, so it’s no surprise that cybercriminals target online providers, looking for ways to bulk-steal data in a single attack. We’ve become accustomed to the steady stream of security breaches reported in the media. This quarter has been no exception, with reported attacks on beautifulpeople.com, the nulled.io hacker forum (underlining the fact that it’s not just legitimate systems that are targeted), kiddicare, Tumblr and others.
Some of these attacks resulted in the theft of huge amounts of data, highlighting the fact that many companies are failing to take adequate steps to defend themselves. It’s not simply a matter of defending the corporate perimeter. There’s no such thing as 100 per cent security, so it’s not possible to guarantee that systems can’t be breached. But any organization that holds personal data has a duty of care to secure it effectively. This includes hashing and salting customer passwords and encrypting other sensitive data.
Consumers can limit the damage of a security breach at an online provider by ensuring that they choose passwords that are unique and complex: an ideal password is at least 15 characters long and consists of a mixture of letters, numbers and symbols from the entire keyboard. As an alternative, people can use a password manager application to handle all this for them automatically. Unfortunately, all too often people use easy-to-guess passwords and re-use the same password for multiple online accounts – so that if the password for one is compromised, all the victim’s online IDs are vulnerable. This issue was highlighted publicly in May 2016 when a hacker known as ‘Peace’ attempted to sell 117 million LinkedIn e-mails and passwords that had been stolen some years earlier. More than one million of the stolen passwords were ‘123456’!
Many online providers offer two-factor authentication – i.e. requiring customers to enter a code generated by a hardware token, or one sent to a mobile device, in order to access a site, or at least in order to make changes to account settings. Two-factor authentication certainly enhances security – if people choose to take advantage of it.
Several companies are hoping to replace passwords altogether. Apple allows fingerprint authorization for iTunes purchases and payments using Apple Pay. Samsung has said it will introduce fingerprint, voice and iris recognition for Samsung Pay. Amazon has announced ‘selfie-pay’. MasterCard and HSBC have announced the introduction of facial and voice recognition to authorize transactions. The chief benefit, of course, is that it replaces something that customers have to remember (a password) with something they have – with no opportunity to short-circuit the process (as they do when they choose a weak password).
Biometrics are seen by many as the way forward. However, they are not a security panacea. Biometrics can be spoofed, as we’ve discussed before (here, here and here); and biometric data can be stolen. In the end, multi-factor authentication is essential – combining something you know, something you have and something you are.
Malefactors continue to expand the features of ransomware as they try to extract maximum benefit from the compromise of infected computers. We recently found an interesting example of such an “upgrade”: a new logic in the latest version of the Shade encryptor currently being spread widely within the territories of Russia and CIS. On the basis of this logic, the ransomware checks the computer for any involvement in accounting activities and, if the check is successful, installs remote control tools into the compromised system instead of encrypting the victim’s files.Accountant, my sweet accountant
For the initial check, the updated Trojan (verdict Trojan-Ransom.Win32.Shade.yb) searches the list of installed applications and looks for strings associated with bank software. After that the ransomware looks for “BUH”, “BUGAL”, “БУХ”, “БУГАЛ” (accounting) in the names of the computer and its user. If a match is found, the Trojan skips the standard file search and encryption procedure and instead downloads and executes a file from the URL stored in the Trojan’s configuration, and then exits.
Technically the new features look like this: there is a block of base64-encoded data in the body of the ransomware (which was not present in earlier versions of Shade):
We can see the following configuration block when decoding is completed:
Shade initiates the check of an infected system in accordance with this configuration block directly after it starts.
The executable that Shade.yb Trojan downloads to the user’s computer turned out to be a bot known as Teamspy. This bot uses the TeamViewer 6 legal remote control utility for communication with its command-and-control (C&C) server and modifies it on-the-fly for the purpose of discreet execution. Plugins (in our case installvpn.pg, rdw.pg, scankey.pg) propagate along with the bot; they are stored in encrypted form and will be decrypted by the ransomware in the RAM only. A decrypted plugin is basically a DLL with an export named InitPg which is called by the main module of the bot. There are two plugins which, when executed provide malefactors with opportunities for remote access to an infected machine through the remote Desktop Protocol (RDP):
- installvpn.pg: covertly installs the TeamViewer VPN driver; and
- rdw.pg: covertly installs the “RDP Wrapper Library” application and changes system settings in order to enable the RDP connection.
The bot does not connect automatically to the VPN, so it is quite possible that the malefactors keep this opportunity for some specific cases.System infection
The downloaded Teamspy executable file is basically an NSIS installer. It includes:
- NSIS-script script.bin (script that controls the unpacking process);
- Standard NSIS plugins – nsExec.dll, StdUtils.dll, System.dll;
- Legal utility NirCmd (file 6kzi6c94h2oeu4);
- Legal utility 7zip (file vuoup3teqcux6q);
- Image 2b6zfhf3ui7e03iv6.jpg; and
- Image 6nmxxselb250du8c.jpg with an embedded password-protected 7z archive.
When the installer is started, it executes script.bin. The script calculates the BLAKE2-512 hash of the 2b6zfhf3ui7e03iv6.jpg content by means of StdUtils.dll and uses the resulting string as a password to the 7z-archive hidden inside 6nmxxselb250du8c.jpg.
The following files from the password-protected 7z are extracted to the hidden folder “%APPDATA%\Div”:
- x64 subfolder containing install64.exe, teamviewervpn.cat, TeamViewerVPN.inf and teamviewervpn.sys files (legal components of TeamViewer);
- x86 subfolder containing install86.exe, teamviewervpn.cat, TeamViewerVPN.inf and teamviewervpn.sys files (legal components of TeamViewer);
- avicap32.dll (the bot body);
- cfmon.exe (legitimate executable file of TeamViewer);
- installvpn.pg, rdw.pg, scankey.pg (encrypted bot plugins);
- tv.cfg (encrypted bot config); and
- Legitimate components of TeamViewer: TeamViewer_Desktop.exe, TeamViewer_Resource_en.dll, tv_w32.dll, tv_w32.exe, tv_x64.dll, tv_x64.exe.
The installer starts up cfmon.exe upon unpacking. When this process begins, the malicious library avicap32.dll (which is the body of the bot) is automatically loaded and executed. This technique of overriding a legitimate DLL with a malicious one is well-known under the name ‘DLL hijack’. The body of the bot contains several layers of encryption and is obfuscated in order to complicate analysis.Modus operandi of the bot
During execution the malicious avicap32.dll modifies the functionality of the TeamViewer process that is running, by intercepting some system calls as well as TeamViewer’s internal procedures. Hiding the software window and its icon in the notification area is one result of such modifications. The user of the infected computer cannot see the software’s graphic interface (GUI) and may not be suspicious of its presence unless they check a list of running processes.
Fragment of the hook installation procedure pseudocode
In addition to hiding the TeamViewer interface, avicap32.dll decrypts and uses the data of the tv.cfg configuration file.
Decrypted content of tv.cfg
The szadminhost field value is an address of the C&C server that communicates with the bot. Communication is based on the HTTP protocol. For an example of intercepted traffic please see the following screenshot.
In the first request, the bot informs the C&C of its existence. The C&C responds with a command (in this case “lexec” means file downloading and execution, for information on other commands see below). In the third enquiry, the bot informs the server of the command execution results: “cmd=1” – success, “cmd=2” – error.
The server’s commands are processed in a separate thread started from the procedure installed for the interception of API-function SetWindowTextW.
General view of the execution graph of the function that processes and executes server commands
Fragment of the execution graph of the function that processes and executes server commands
List of strings including commands received by the bot
We would like to underline the most interesting commands received by the bot:
- startaudio / stopaudio: start/stop of audio recording;
- startvideo / stopvideo: start/stop of video recording of the screen;
- lexec: download and execute a file from a URL provided by the C&C server; and
- cmd: provide malefactors with the remote control console.
Other commands involve updating the configuration file and some of its fields, updating or deleting plugins, controlling PC power (shutdown, restart), restarting the bot’s own process, or self-deleting.Conclusion
The use of the bots offers malefactors a wide range of possibilities to enrich themselves, and even a single successful infection can bring in substantial cash flows. Essentially the Trojan encryptors pass the initiative to the user (and it’s up to the user to decide whether to pay for their files or not) and the owners take into consideration the average financial solvency of the victim in assigning the ransom sum. The option of remote access to an infected accounting system allows the malefactor to secretly keep an eye on the victim’s activities and collect detailed information on the victim’s solvency in order to use the most efficient way of getting cash.
Kaspersky Lab products detect the bot’s body as Trojan-Spy.Win32.Teamspy.gl; and this malware is also known as TVSPY, TVRAT, SpY-Agent.
Victims infected with Shade versions 1 and 2 have a chance to retrieve their data without paying cybercriminals. IT Security companies joined forces with law enforcement agencies to create a decryption tool, which is available on the NoMoreRansom webpage.MD5
More information about ProjectSauron is available to customers of Kaspersky Intelligence Reporting Service. Contact: firstname.lastname@example.orgIntroduction:
Over the last few years, the number of “APT-related” incidents described in the media has grown significantly. For many of these, though, the designation “APT”, indicating an “Advanced Persistent Threat”, is usually an exaggeration. With some notable exceptions, few of the threat actors usually described in the media are advanced. These exceptions, which in our opinion represent the pinnacle of cyberespionage tools: the truly “advanced” threat actors out there, are Equation, Regin, Duqu or Careto. Another such an exceptional espionage platform is “ProjectSauron”, also known as “Strider”.
What differentiates a truly advanced threat actor from a wannabe APT? Here are a few features that characterize the ‘top’ cyberespionage groups:
- The use of zero day exploits
- Unknown, never identified infection vectors
- Have compromised multiple government organizations in several countries
- Have successfully stolen information for many years before being discovered
- Have the ability to steal information from air gapped networks
- Support multiple covert exfiltration channels on various protocols
- Malware modules which can exist only in memory without touching the disk
- Unusual persistence techniques which sometime use undocumented OS features
“ProjectSauron” easily covers many of these points.From discovery to detection:
When talking about long-standing cyber-espionage campaigns, many people wonder why it took so long to catch them. Perhaps one of the explanations is having the right tools for the right job. Trying to catch government or military grade malware requires specialized technologies and products. One such product is Kaspersky’s AntiTargeted Attacks Platform, KATA (http://www.kaspersky.com/enterprise-security/anti-targeted-attack-platform). In September 2015, our anti-targeted attack technologies caught a previously unknown attack. The suspicious module was an executable library, loaded in the memory of a Windows domain controller (DC). The library was registered as a Windows password filter and had access to sensitive data in cleartext. Additional research revealed signs of massive activity from a new threat actor that we codenamed ‘ProjectSauron’, responsible for large-scale attacks against key governmental entities in several countries.
“SAURON” – internal name used in the LUA scripts
ProjectSauron comprises a top-of-the-top modular cyber-espionage platform in terms of technical sophistication, designed to enable long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods. Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes. For example, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim.
Some other key features of ProjectSauron:
- It is a modular platform designed to enable long-term cyber-espionage campaigns.
- All modules and network protocols use strong encryption algorithms, such as RC6, RC5, RC4, AES, Salsa20, etc.
- It uses a modified LUA scripting engine to implement the core platform and its plugins.
- There are upwards of 50 different plugin types.
- The actor behind ProjectSauron has a high interest in communication encryption software widely used by targeted governmental organizations. It steals encryption keys, configuration files, and IP addresses of the key infrastructure servers related to the encryption software.
- It is able to exfiltrate data from air-gapped networks by using specially-prepared USB storage drives where data is stored in an area invisible to the operation system.
- The platform makes extensive use of the DNS protocol for data exfiltration and real-time status reporting.
- The APT was operational as early as June 2011 and remained active until April 2016.
- The initial infection vector used to penetrate victim networks remains unknown.
- The attackers utilize legitimate software distribution channels for lateral movement within infected networks.
To help our readers better understand the ProjectSauron attack platform, we’ve prepared an FAQ which brings together some of the most important points about this attacker and its tools. A brief technical report is also available, including IOCs and Yara rules.
Our colleagues from Symantec have also released their analysis on ProjectSauron / Strider. You can read it here: http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targetsProjectSauron FAQ: 1. What is ProjectSauron?
ProjectSauron is the name for a top level modular cyber-espionage platform, designed to enable and manage long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods.
Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes. As such, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim.
Usually APT campaigns have a geographical nexus, aimed at extracting information within a specific region or from a given industry. That usually results in several infections in countries within that region, or in the targeted industry around the world. Interestingly, ProjectSauron seems to be dedicated to just a couple of countries, focused on collecting high value intelligence by compromising almost all key entities it could possibly reach within the target area.
The name, ProjectSauron reflects the fact that the code authors refer to ‘Sauron’ in the LUA scripts.2. Who are the victims?
Using our telemetry, we found more than 30 infected organizations in Russia, Iran, Rwanda and possibly in Italian-speaking countries as well. Many more organizations and geographies are likely to be affected.
The attacked organizations are key entities that provide core state functions:
- Scientific research centers
- Telecommunication providers
As usual, Kaspersky Lab actively collaborates with industry partners, CERTs and law enforcement agencies to notify victims and help to mitigate the threat. We also rely on public awareness to spread information about it. If you need more information about this actor, please contact email@example.com. For how long have the attackers been active?
Forensic analysis indicates that the APT has been operational since at least June 2011 and was still active in 2016. Although it appears to have largely ceased, there is a chance that it is still active on computer systems that are not covered by Kaspersky Lab solutions.5. Did the attackers use interesting or advanced techniques?
The attackers used multiple interesting and unusual techniques, including:
- Data exfiltration and real-time status reporting using DNS requests.
- Implant deployment using legitimate software update scripts.
- Data exfiltration from air-gapped networks through the use of specially prepared USB storage drives where the stolen data is stored in the area unused by standard tools of the operating system.
- Using a modified LUA scripting engine to implement the core platform and its plugins. The use of LUA components in malware is very rare – it was previously spotted in the Flame and Animal Farm attacks.
In September 2015, Kaspersky Lab’s Anti-Targeted Attack Platform discovered anomalous network traffic in a client organization’s network. Analysis of this incident led to the discovery of a strange executable program library loaded into the memory of the domain controller server. The library was registered as a Windows password filter and had access to sensitive data such as administrative passwords in cleartext. Additional research revealed signs of activity of a previously unknown threat actor.7. How does ProjectSauron operate?
ProjectSauron usually registers its persistence module on domain controllers as a Windows LSA (Local Security Authority) password filter. This feature is typically used by system administrators to enforce password policies and validate new passwords to match specific requirements, such as length and complexity. This way, the ProjectSauron passive backdoor module starts every time any network or local user (including an administrator) logs in or changes a password, and promptly harvests the password in plaintext.
In cases where domain controllers lack direct Internet access, the attackers install additional implants on other local servers which have both local network and Internet access and may pass through significant amount of network traffic, i.e. proxy-servers, web-servers, or software update servers. After that, these intermediary servers are used by ProjectSauron as internal proxy nodes for silent and inconspicuous data exfiltration, blending in with high volumes of legitimate traffic.
Once installed, the main ProjectSauron modules start working as ‘sleeper cells’, displaying no activity of their own and waiting for ‘wake-up’ commands in the incoming network traffic. This method of operation ensures ProjectSauron’s extended persistence on the servers of targeted organizations.8. What kind of implants does ProjectSauron use?
Most of ProjectSauron’s core implants are designed to work as backdoors, downloading new modules or running commands from the attacker purely in memory. The only way to capture these modules is by making a full memory dump of the infected systems.
Almost all of ProjectSauron’s core implants are unique, have different file names and sizes, and are individually built for each target. Each module’s timestamp, both in the file system and in its own headers, is tailored to the environment on which it is installed.
Secondary ProjectSauron modules are designed to perform specific functions like stealing documents, recording keystrokes, and stealing encryption keys from both infected computers and attached USB sticks.
ProjectSauron implements a modular architecture using its own virtual file system to store additional modules (plugins) and a modified LUA interpreter to execute internal scripts. There are upwards of 50 different plugin types.9. What is the initial infection vector?
To date, the initial infection vector used by ProjectSauron to penetrate victim networks remains unknown.10. How were the ProjectSauron implants deployed within the target network?
In several cases, ProjectSauron modules were deployed through the modification of scripts used by system administrators to centrally deploy legitimate software updates within the network.
In essence, the attackers injected a command to start the malware by modifying existing software deployment scripts. The injected malware is a tiny module that works as a simple downloader.
Once started under a network administrator account, this small downloader connects to a hard-coded internal or external IP address and downloads the bigger ProjectSauron payload from there.
In cases where the ProjectSauron persistence container is stored on disk in EXE file format, it disguises the files with legitimate software file names.11. What C&C infrastructure did the attackers use?
The ProjectSauron actor is extremely well prepared when it comes to operational security. Running an expensive cyberespionage campaign like ProjectSauron requires vast domain and server infrastructure uniquely assigned to each victim organization and never reused again. This makes traditional network-based indicators of compromise almost useless because they won’t be reused in any other organization.
We collected 28 domains linked to 11 IPs located in the United States and several European countries that might be connected to ProjectSauron campaigns. Even the diversity of ISPs selected for ProjectSauron operations makes it clear that the actor did everything possible to avoid creating patterns.12. Does ProjectSauron target isolated (air-gapped) networks?
Yes. We registered a few cases where ProjectSauron successfully penetrated air-gapped networks.
The ProjectSauron toolkit contains a special module designed to move data from air-gapped networks to Internet-connected systems. To achieve this, removable USB devices are used. Once networked systems are compromised, the attackers wait for a USB drive to be attached to the infected machine.
These USBs are specially formatted to reduce the size of the partition on the USB disk, reserving an amount of hidden data (several hundred megabytes) at the end of the disk for malicious purposes. This reserved space is used to create a new custom-encrypted partition that won’t be recognized by a common OS, such as Windows. The partition has its own semi-filesystem (or virtual file system, VFS) with two core directories: ‘In’ and ‘Out’.
This method also bypasses many DLP products, since software that disables the plugging of unknown USB devices based on DeviceID wouldn’t prevent an attack or data leakage, because a genuine recognized USB drive was used.13. Does ProjectSauron target critical infrastructure?
Some of the entities infected by ProjectSauron can be classified as critical infrastructure. However, we haven’t registered ProjectSauron infections inside industrial control system networks that have SCADA systems in place.
Also, we have not yet seen a ProjectSauron module targeting any specific industrial hardware or software.14. Did ProjectSauron use any special communication methods?
For network communication, the ProjectSauron toolkit has extensive abilities, leveraging the stack of the most commonly used protocols: ICMP, UDP, TCP, DNS, SMTP and HTTP.
One of the ProjectSauron plugins is the DNS data exfiltration tool. To avoid generic detection of DNS tunnels at network level, the attackers use it in low-bandwidth mode, which is why it is used solely to exfiltrate target system metadata.
Another interesting feature in ProjectSauron malware that leverages the DNS protocol is the real-time reporting of the operation progress to a remote server. Once an operational milestone is achieved, ProjectSauron issues a DNS-request to a special subdomain unique to each target.15. What is the most sophisticated feature of the ProjectSauron APT?
In general, the ProjectSauron platform is very advanced and reaches the level of complexity of Regin, Equation and similar threat actors we have reported on in the past. Some of the most interesting things in the ProjectSauron platform include:
- Multiple exfiltration mechanisms, including piggybacking on known protocols.
- Bypassing air-gaps using hidden data partitions on USB sticks.
- Hijacking Windows LSA to control network domain servers.
- Implementing an extended LUA engine to write custom malicious scripts to control the entire malware platform with a high-level language.
To date we have not found any 0-day exploits associated with ProjectSauron.
However, when penetrating isolated systems, the creation of the encrypted storage area in the USB does not in itself enable attackers to get control of the air-gapped machines. There has to be another component such as a 0day exploit placed on the main partition of the USB drive.
So far we have not found any 0-day exploit embedded in the body of the malware we analyzed, and we believe it was probably deployed in rare, hard-to-catch instances.17. Is this a Windows-only threat? What versions of Windows are targeted?
ProjectSauron works on all modern Microsoft Windows operating systems – both x64 and x86. We have witnessed infections running on Windows XP x86 as well as Windows 2012 R2 Server Edition x64.
To date, we haven’t found a non-Windows version of ProjectSauron.18. Were the attackers hunting for specific information?
ProjectSauron actively searches for information related to rather uncommon, custom network encryption software. This client-server software is widely adopted by many of the target organizations to secure communications, voice, email, and document exchange.
In a number of the cases we analyzed, ProjectSauron deployed malicious modules inside the custom network encryption’s software directory, disguised under similar filenames and accessing the data placed beside its own executable. Some of extracted LUA scripts show that the attackers have a high interest in the software components, keys, configuration files, and the location of servers that relay encrypted messages between the nodes.
Also, one of the embedded ProjectSauron configurations contains a special unique identifier for the targeted network encryption software’s server within its virtual network. The behavior of the component that searches for the server IP address is unusual. After getting the IP, the ProjectSauron component tries to communicate with the remote server using its own (ProjectSauron) protocol as if it was yet another C&C server. This suggests that some communication servers running the mentioned network encryption software could also be infected with ProjectSauron.19. What exactly is being stolen from the targeted machines?
The ProjectSauron modules we found are able to steal documents, record keystrokes and steal encryption keys from infected computers and attached USB sticks.
The fragment of configuration block below, extracted from ProjectSauron, shows the kind of information and file extensions the attackers were looking for:
Interestingly, while most of the words and extensions above are in the English language, several of them point to Italian, such as: ‘codice’, ‘strCodUtente’ and ‘segreto’.
Keywords / filenames targeted by ProjectSauron data theft modules:Italian keyword Translation Codice code CodUtente Usercode Segreto Secret
This suggests the attackers had prepared to attack Italian-speaking targets as well. However, we are not aware of any Italian victims of ProjectSauron at the moment.20. Have you observed any artifacts indicating who is behind the ProjectSauron APT?
Attribution is hard and reliable attribution is rarely possible in cyberspace. Even with confidence in various indicators and apparent attacker mistakes, there is a greater likelihood that these are smoke and mirrors created by an attacker with a greater vantage point and vast resources. When dealing with the most advanced threat actors, as is the case with ProjectSauron, attribution becomes an unsolvable problem.21. Is this a nation-state sponsored attack?
We think an operation of such complexity, aimed at stealing confidential and secret information, can only be executed with support from a nation-state.22. What would ProjectSauron have cost to set up and run?
Kaspersky Lab has no exact data on this, but estimates that the development and operation of ProjectSauron is likely to have required several specialist teams and a budget probably running into millions of dollars.23. How does the ProjectSauron platform compare to other top-level threat actors?
The actor behind ProjectSauron is very advanced, comparable only to the top-of-the-top in terms of sophistication: alongside Duqu, Flame, Equation, and Regin. Whether related or unrelated to these advanced actors, the ProjectSauron attackers have definitely learned from them.
As a reminder, here are some features of other APT attackers which we discovered that the ProjectSauron attackers had carefully learned from or emulated:
- Use of intranet C&Cs (where compromised target servers may act as independent C&Cs)
- Running only in memory (persistence on a few gateway hosts only)
- Use of different encryption methods per victim
- Use of named pipes for LAN communication
- Malware distribution through legitimate software deployment channels
- LUA-embedded code
- Secure file deletion (through data wiping)
- Attacking air-gapped systems via removable devices
Equation and Regin:
- Usage of RC5/RC6 encryption
- Virtual Filesystems (VFS)
- Attacking air-gapped systems via removable devices
- Hidden data storage on removable devices
These other actors also showed what made them vulnerable to potential exposure, and ProjectSauron did its best to address these issues:
- Vulnerable or persistent C&C locations
- ISP name, IP, domain, and tools reuse across different campaigns
- Crypto-algorithm reuse (as well as encryption keys)
- Forensic footprint on disk
- Timestamps in various components
- Large volumes of exfiltrated data, alarming unknown protocols or message formats
In addition, it appears that the attackers took special care with what we consider as indicators of compromise and implemented a unique pattern for each and every target they attacked, so that the same indicators would have little value for anyone else. This is a summary of the ProjectSauron strategy as we see it. The attackers clearly understand that we as researchers are always looking for patterns. Remove the patterns and the operation will be harder to discover. We are aware of more than 30 organizations attacked, but we are sure that this is just a tiny tip of the iceberg.24. Do Kaspersky Lab products detect all variants of this malware?
All Kaspersky Lab products detect ProjectSauron samples as HEUR:Trojan.Multi.Remsec.gen25. Are there Indicators of Compromise (IOCs) to help victims identify the intrusion?
ProjectSauron’s tactics are designed to avoid creating patterns. Implants and infrastructure are customized for each individual target and never re-used – so the standard security approach of publishing and checking for the same basic indicators of compromise (IOC) is of little use.
However, structural code similarities are inevitable, especially for non-compressed and non-encrypted code. This opens up the possibility of recognizing known code in some cases.
That’s why, alongside the formal IOCs, we have added relevant YARA rules. While the IOCs have been listed mainly to give examples of what they look like, the YARA rules are likely to be of greater use and could detect real traces of ProjectSauron.
For background: YARA is a tool for uncovering malicious files or patterns of suspicious activity on systems or networks that share similarities. YARA rules—basically search strings—help analysts to find, group, and categorize related malware samples and draw connections between them in order to build malware families and uncover groups of attacks that might otherwise go unnoticed.
We have prepared our YARA rules based on tiny similarities and oddities that stood out in the attackers’ techniques. These rules can be used to scan networks and systems for the same patterns of code. If some of these oddities appear during such a scan, there is a chance that the organizations has been hit by the same actor.
More information about ProjectSauron is available to customers of Kaspersky Intelligence Reporting Service. Contact: firstname.lastname@example.org