While ransomware is a global threat, every now and then we see a variant that targets one specific region. For example, the Coinvault malware had many infections in the Netherlands, because the authors posted malicious software on Usenet and Dutch people are particularly fond of downloading things over Usenet. Another example is the recent Shade campaign, which targets mostly Russia and the CIS.
Today we can add a new one to the list: Wildfire.

Infection vector
Wildfire spreads through well-crafted spam e-mails. A typical spam e-mail mentions that a transport company failed to deliver a package. In order to schedule a new delivery the receiver is asked to make a new appointment, for which a form has to be filled in, which has to be downloaded from the website of the transport company.
Three things stand out here. First, the attackers registered a Dutch domain name, something we do not see very often. Second, the e-mail is written in flawless Dutch. Third, they put the actual address of the targeted company in the e-mail. This too is something we rarely see, and it makes it difficult for the average user to recognize that the e-mail is not benign.
However, when we look at who registered the domain name, we immediately see that something is suspicious:
The registration date (a few days before the spam campaign started) and the administrative contact person both look very suspicious.

The Word document
After the user downloaded and opened the Word document, the following screen is shown:
Apparently the document contains macros. They are padded with pieces of English text which, fittingly, turn out to be the lyrics of the Pink Floyd song Money, and they also use several variable names in Polish.
The macros download and execute the actual Wildfire ransomware which consists in the case we analyzed of the following three files:
The exe file is an obfuscated .NET executable that depends on the other two files. This is exactly like the Zyklon ransomware, which also consists of three files. Another similarity is that, according to some sources (http://www.bleepingcomputer.com/forums/t/611342/zyklon-locker-gnl-help-topic-locked-and-unlock-files-instructionshtml/, http://www.bleepingcomputer.com/forums/t/618641/wildfire-locker-help-topic-how-to-unlock-files-readme-6de99ef7c7-wflx/), Wildfire, GNLocker and Zyklon all mainly target the Netherlands. In addition, the ransom notes of Wildfire and Zyklon look quite similar, and both increase the ransom three-fold if you do not pay within the specified time.
Anyway, back to Wildfire. The binary is obfuscated, meaning that when there is no deobfuscator available reversing and analyzing it can take a lot of time. Therefore we decided to run it and see what happens. Just as we hoped, this made things a bit easier, because after a while Usiyykssl.exe launched Regasm.exe, and when we looked into the memory of Regasm.exe, we clearly saw that some malicious code had been injected into it.
Dumping it gave us the binary of the actual Wildfire malware. Unfortunately for us, this binary is also obfuscated, this time with ConfuserEx 0.6.0. Even though it is possible to deobfuscate binaries protected with ConfuserEx, we decided to skip that for now. Why? It takes a fair amount of time, and because we were working together with the police on this case we had something much better in our hands: the botnetpanel code!

Inside the botnetpanel code
When you are infected with Wildfire, the malware calls home to the C2 server where information such as the IP, username, rid and country are stored. The botnetpanel then checks whether the country is one of the blacklisted countries (Russia, Ukraine, Belarus, Latvia, Estonia and Moldova). It also checks whether the “rid” exists within a statically defined array (we therefore expect the rid to be an affiliate ID).
If the rid is not found, or you live in one of the blacklisted countries, the malware terminates and you won’t get infected.
Each time the malware calls home, a new key is generated and added to the existing list of keys. The same victim can thus have multiple keys. Finally the botnetpanel returns the bitcoin address to which the victim should pay, and the cryptographic key with which the files on the victim’s computer are encrypted. We don’t quite understand why a victim can have multiple keys, especially since the victim only has one bitcoin address.
Also interesting is the encryption scheme. It uses AES in CBC mode, but the IV is derived from the key itself, so every file encrypted under a given key starts from the same IV. A fixed, key-dependent IV adds nothing: CBC becomes deterministic, and two files that begin with the same blocks (or are identical) produce identical ciphertext prefixes, which defeats the sole purpose of having an IV in the first place.
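To make the consequence concrete, here is an added illustration (not Wildfire's code) of CBC with an IV derived from the key next to CBC with a fresh random IV. CBC's chaining is what leaks, not the cipher, so the block function is a keyed SHA-256 stand-in for AES because the Python standard library has no AES; with real AES the ciphertext bytes differ but the equality pattern is the same. The IV derivation, the key and the two "victim files" are constructed for the example.

```python
"""Added illustration: CBC with a key-derived IV versus a random IV.

Not Wildfire's code. The block function is a keyed SHA-256 stand-in for
AES (stdlib has no AES); the prefix-equality behaviour depends only on CBC.
"""
import hashlib
import os

BLOCK = 16


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for one AES block encryption: a keyed PRF, not a real cipher."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - (len(data) % BLOCK)
    return data + bytes([n]) * n


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Textbook CBC: each plaintext block is XORed with the previous ciphertext block."""
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        mixed = bytes(p ^ c for p, c in zip(plaintext[i:i + BLOCK], prev))
        prev = block_encrypt(key, mixed)
        out.append(prev)
    return b"".join(out)


def iv_from_key(key: bytes) -> bytes:
    """The flaw described above: the IV is a fixed function of the key (assumed derivation)."""
    return hashlib.sha256(b"iv" + key).digest()[:BLOCK]


def encrypt_key_derived_iv(key: bytes, plaintext: bytes) -> bytes:
    return cbc_encrypt(key, iv_from_key(key), pkcs7_pad(plaintext))


def encrypt_random_iv(key: bytes, plaintext: bytes) -> bytes:
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(key, iv, pkcs7_pad(plaintext))  # IV is public; ship it with the data


def common_prefix_blocks(a: bytes, b: bytes) -> int:
    """Number of leading 16-byte blocks two ciphertexts share."""
    n = 0
    for i in range(0, min(len(a), len(b)), BLOCK):
        if a[i:i + BLOCK] != b[i:i + BLOCK]:
            break
        n += 1
    return n


# Constructed victim files: identical 32-byte header, different content after it.
HEADER = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n" + b"\x00" * 17
FILE_A = HEADER + b"1 0 obj << /Type /Catalog >>"
FILE_B = HEADER + b"2 0 obj << /Length 4242 >>"


def demo(key: bytes = b"\x42" * 16) -> dict:
    """How many leading blocks the two files share under each IV policy."""
    return {
        "key_derived_iv": common_prefix_blocks(
            encrypt_key_derived_iv(key, FILE_A), encrypt_key_derived_iv(key, FILE_B)),
        "random_iv": common_prefix_blocks(
            encrypt_random_iv(key, FILE_A), encrypt_random_iv(key, FILE_B)),
        "deterministic": encrypt_key_derived_iv(key, FILE_A) == encrypt_key_derived_iv(key, FILE_A),
    }


if __name__ == "__main__":
    print(demo())
```

With the key-derived IV the two files share their first two ciphertext blocks, so an observer learns that they have the same header (file type) without any key; with a random IV per file they share nothing and encrypting the same file twice gives different output.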
Even though Wildfire is a local threat, it still shows that ransomware is effective and evolving. In less than a month we observed more than 5,700 infections, and 236 users paid a total of almost 70,000 euro. This is also due to the fact that the spam e-mails are getting better and better.
We therefore advise users to:
- Be very suspicious when opening e-mails;
- Don’t enable Word macros;
- Always keep your software up-to-date;
- Turn on Windows file extensions;
- Create offline backups (or online backups with unlimited revisions);
- Turn on the behavioral analyzer of your AV.
A decryption tool for Wildfire can be downloaded from the nomoreransom.org website.
P.S. The attackers agree with us on some points:
The telecommunications industry keeps the world connected. Telecoms providers build, operate and manage the complex network infrastructures used for voice and data transmission – and they communicate and store vast amounts of sensitive data. This makes them a top target for cyber-attack.
According to PwC’s Global State of Information Security, 2016, IT security incidents in the telecoms sector increased 45% in 2015 compared to the year before. Telecoms providers need to arm themselves against this growing risk.
In this intelligence report, we cover the main IT security threats facing the telecommunications industry and illustrate these with recent examples.
Our insight draws on a range of sources. These include:
- The latest telecoms security research by Kaspersky Lab experts.
- Kaspersky Lab monitoring systems, such as the cloud antivirus platform, Kaspersky Security Network (KSN), our botnet tracking system and multiple other internal systems including those used to detect and track sophisticated targeted (advanced persistent threat, APT) attacks and the corresponding malware.
- Underground forums and communities.
- Centralized, specialized security monitoring systems (such as Shodan).
- Threat bulletins and attack reports.
- Newsfeed aggregation and analysis tools.
Threat intelligence is now a vital weapon in the fight against cyber-attack. We hope this report will help telecoms providers to better understand the cyber-risk landscape so that they can develop their security strategies accordingly.
We can provide more detailed sector and company-specific intelligence on these and other threats. For more information on our Threat Intelligence Reporting services please email email@example.com.

Executive summary
Telecommunications providers are under fire from two sides: they face direct attacks from cybercriminals intent on breaching their organization and network operations, and indirect attacks from those in pursuit of their subscribers. The top threats currently targeting each of these frontlines feature many classic attack vectors, but with a new twist in complexity or scale that places new demands on telecoms companies.
These threats include:
- Distributed Denial of Service (DDoS) attacks. DDoS attacks continue to increase in power and scale and, according to the 2016 Data Breach Investigations Report, the telecommunications sector is hit harder than any other. Kaspersky Lab’s research reveals that in Q2, 2016, the longest DDoS attack lasted for 291 hours (or 12.1 days) – significantly longer than the previous quarter’s maximum (8.2 days), with vulnerable IoT devices increasingly used in botnets. Direct DDoS attacks can reduce network capacity, degrade performance, increase traffic exchange costs, disrupt service availability and even bring down Internet access if ISPs are hit. They can be a cover for a deeper, more damaging secondary attack, or a route into a key enterprise subscriber or a large-scale ransomware attack.
- The exploitation of vulnerabilities in network and consumer devices. Our intelligence shows that vulnerabilities in network devices, consumer or business femtocells, USBs and routers, as well as root exploits for Android phones, all provide new channels for attacks – involving malware and technologies that individuals, organisations and even basic antivirus solutions cannot always easily remove.
- Compromising subscribers with social engineering, phishing or malware. These classic techniques remain popular and can easily be mastered by entry-level cybercriminals, although 2016 sees changes in how more sophisticated attackers conduct their campaigns. Growing numbers of cyber-attackers now combine data sets from different sources, including open sources, to build up detailed pictures of potential targets for blackmail and social engineering purposes.
- Insider threat is growing. Detailed profiles of targets are also used to recruit insiders to help perpetrate cybercrime. Some insiders help voluntarily, others are coerced through blackmail. Insiders from cellular service providers are recruited mainly to provide access to data, while staff working for Internet service providers are chosen to support network mapping and man-in-the-middle attacks.
Other threats facing telecommunications companies include targeted attacks; poorly configured access controls, particularly where interfaces are publicly available to any Internet user; inadequate security for 2G/3G communications; and the risk of telecoms providers being drawn into unrelated attacks that exploit telecoms resources, and suffering collateral damage as a result.

Typical threats targeting telecoms

Overview
We can divide the main threats facing the telecommunications industry into two, interrelated, categories:
- Threats targeting telecommunication companies directly. These include DDoS attacks, targeted attacks (APT campaigns), network device vulnerabilities and human-related threats like insider access, social engineering and the risk of allowing third parties to access information.
- Threats targeting subscribers of telecoms services – particularly the customers of cellular service providers (CSPs) and Internet service providers (ISPs). These include malware for mobile devices, subscriber data harvesting, end-user device vulnerabilities, and more.
DDoS (distributed denial of service) attacks remain a serious threat to telecoms providers around the world as attackers discover ever more ways of boosting the power and scale of attacks. Kaspersky Lab’s DDoS intelligence report for Q2, 2016 notes that websites in 70 countries were targeted with attacks. By far the most affected country was China, with South Korea and the US also among the leaders. 70.2% of all detected attacks were launched from Linux botnets, with cybercriminals paying close attention to financial institutions working with cryptocurrency. Another trend observed in Q2 was the use of vulnerable IoT devices in botnets to launch DDoS attacks.
The telecommunications sector is particularly vulnerable to DDoS attacks. According to the 2016 Data Breach Investigations Report, the telecommunications sector was hit around twice as hard as the second-placed sector (financial exchanges), with a median DDoS packet rate of 4.61 million packets per second (compared to 2.4 Mpps for exchanges).
The impact of a DDoS attack should not be underestimated. Direct attacks can reduce network capacity, degrade performance, increase traffic exchange costs, disrupt service availability and even bring down Internet access if ISPs are affected. With a growing number of connected devices and systems supporting mission-critical applications in areas such as healthcare and transport, unexpected downtime could be life threatening.
Further, DDoS attacks can be a cover for a deeper, more damaging secondary attack, or a route into a key enterprise subscriber or a large-scale ransomware attack.
A good example of the first is the 2015 cyber-attack on the UK telecoms company TalkTalk. The hack, allegedly perpetrated by a couple of teenagers, resulted in the loss of around 1.2 million customers’ email addresses, names and phone numbers, as well as many thousands of customer dates of birth and financial details – all ideal for use in financially motivated social engineering campaigns. The forensic investigation revealed that the hackers had used a smokescreen DDoS attack to conceal their main activities.
DDoS attacks are also evolving. 2015 saw attackers amplify the power of DDoS attacks by turning them into DrDoS (Distributed Reflection Denial of Service) attacks through the use of standard network protocols like NTP, RIPv1, NetBIOS (Network Basic Input/Output System) and BGP (Border Gateway Protocol). Another approach that is becoming more commonplace is the compromise of end-user routers via network-scanning malware and firmware vulnerabilities. Today’s faster mobile data transfer speeds and the growing adoption of 4G are also making smartphone-based botnets more useful for implementing DDoS attacks.
The worrying thing is that even inexperienced attackers can organize quite an effective DDoS campaign using such techniques.

Targeted attacks
The core infrastructure of a telecommunications company is a highly desirable target for cybercriminals, but gaining access is extremely difficult. Breaking into the core requires a deep knowledge of GSM architecture, rarely seen except among the most skilled and resourced cybercriminals. Such individuals can generally be found working for advanced, international APT groups and nation-state attackers, entities that have a powerful interest in obtaining access to the inner networks of telecommunication companies. This is because compromised network devices are harder to detect by security systems and they offer more ways to control internal operations than can be achieved through simple server/workstation infiltration.
Once inside the core infrastructure, attackers can easily intercept calls and data, and control, track and impersonate subscribers.
Other APTs with telecommunications on their radar
The Regin APT campaign, discovered in 2014, remains one of the most sophisticated ever seen and has the ability to infiltrate GSM networks, while the Turla group has developed the ability to hijack satellite-based Internet links as part of its command-and-control process, successfully obscuring its actual location.
Others, such as Dark Hotel and a new cyber-espionage threat actor likely to be of Chinese origin, exploit telecoms networks in their targeted campaigns. In these cases, the telecoms providers often suffer collateral damage even though they are not directly related to the attack. Further details on these can be found on Kaspersky Lab’s expert Securelist blog or through a subscription to the Kaspersky APT Threat Intelligence Reporting service.

Unaddressed software vulnerabilities
Despite all the high profile hacks and embarrassing data leaks of the last 12 months, attackers are still breaching telecoms defenses and making off with vast quantities of valuable, personal data. In many cases, attackers are exploiting new or under-protected vulnerabilities. For example, in 2015, two members of the hacker group, Linker Squad gained access to Orange Spain through a company website vulnerable to a simple SQL injection, and stole 10 million items of customer and employee data.
SQL injection vulnerability on Orange Spain web site

The impact of service misconfiguration
In many cases, the hardware used by the telecommunications industry carries configuration interfaces that can be accessed openly via HTTP, SSH, FTP or telnet. This means that if the firewall is not configured correctly, the hardware in question becomes an easy target for unauthorized access.
The risk presented by publicly exposed GTP/GRX (GPRS Tunneling Protocol/GPRS Roaming Exchange) ports on devices provides a good example of this.
As CSPs encrypt the GPRS traffic between the devices and the Serving GPRS Support Node (SGSN), it is difficult to intercept and decrypt the transferred data. However, an attacker can bypass this restriction by searching on Shodan.io for devices with open GTP ports, connecting to them and then encapsulating GTP control packets into the created tunnel.
Table 1. Top 10 countries with GTP/GRX ports exposed to Internet access

#   Country                   Exposed GTP/GRX ports
1   China                     52,698
2   Turkey                    8,591
3   United States of America  6,403
4   Canada                    5,807
5   Belgium                   5,129
6   Colombia                  2,939
7   Poland                    2,842
8   Morocco                   1,585
9   Jamaica                   862
10  United Arab Emirates      808
The Border Gateway Protocol (BGP) is the routing protocol used to make decisions on routing between autonomous systems. Acceptance and propagation of routing information coming from other peers can allow an attacker to implement man-in-the-middle (MITM) attacks or cause denial of service. Any route that is advertised by a neighboring BGP speaker is merged in the routing database and propagated to all the other BGP peers.
Table 2. Top five countries with BGP protocol exposed to Internet access (number of devices, end of 2015)

#  Country                   Devices
1  Republic of Korea         16,209
2  India                     8,693
3  United States of America  8,111
4  Italy                     2,909
5  Russian Federation        2,050
An example of such an attack took place in March 2015, when Internet traffic for 167 important British Telecom customers, including a UK defense contractor that helps to deliver the country’s nuclear warhead program, was illegally diverted to servers in Ukraine before being passed along to its final destinations.
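A hijack like the one described above is what peer filtering and route monitoring are meant to catch. The following is an added example, not code from the report or from any BGP vendor: it applies the two controls to a stream of BGP UPDATE records, accepting only configured neighbours and flagging announcements whose origin AS disagrees with the expected origin for a tracked prefix, including more-specific announcements, which win by longest-prefix match and are the usual way traffic is diverted. The peer addresses, prefixes, AS numbers and updates are constructed from documentation ranges.

```python
"""Added example (not from the report): BGP peer filtering plus origin/more-specific checks.

Peers, prefixes and AS numbers are constructed (RFC 5737 / RFC 5398 ranges).
"""
import ipaddress
from dataclasses import dataclass
from typing import List

# Control 1: authorised eBGP neighbours; anything else is dropped before parsing.
AUTHORISED_PEERS = {"192.0.2.1", "192.0.2.2"}

# Control 2: expected origin AS per prefix, as loaded from ROAs, IRR or your own records.
EXPECTED_ORIGIN = {
    ipaddress.ip_network("203.0.113.0/24"): 64500,
    ipaddress.ip_network("198.51.100.0/24"): 64501,
}


@dataclass
class Update:
    peer: str            # neighbour that sent the UPDATE
    prefix: str          # announced NLRI
    as_path: List[int]   # rightmost element is the origin AS


def filter_by_peer(updates: List[Update]) -> List[Update]:
    """Only accept routing information from configured peers."""
    return [u for u in updates if u.peer in AUTHORISED_PEERS]


def check_update(update: Update) -> List[str]:
    """Flag origin changes and more-specific announcements of prefixes we track."""
    prefix = ipaddress.ip_network(update.prefix, strict=False)
    origin = update.as_path[-1]
    findings = []
    for known, expected in EXPECTED_ORIGIN.items():
        if prefix.version != known.version:
            continue
        if prefix == known and origin != expected:
            findings.append(f"origin hijack: {prefix} announced by AS{origin}, expected AS{expected}")
        elif prefix != known and prefix.subnet_of(known) and origin != expected:
            # A more-specific route wins by longest match, so this diverts
            # traffic for part of the block even while the real route is present.
            findings.append(f"more-specific hijack: {prefix} inside {known} announced by AS{origin}")
    return findings


def audit(updates: List[Update]) -> List[str]:
    """Apply peer filtering, then check every surviving update."""
    alerts = []
    for u in filter_by_peer(updates):
        alerts.extend(check_update(u))
    return alerts


# Constructed UPDATE stream.
SAMPLE = [
    Update("192.0.2.1", "203.0.113.0/24", [64510, 64500]),   # legitimate
    Update("192.0.2.1", "203.0.113.0/24", [64510, 64666]),   # same prefix, wrong origin
    Update("192.0.2.2", "203.0.113.128/25", [64666]),        # more-specific from wrong origin
    Update("192.0.2.2", "198.51.100.0/25", [64520, 64501]),  # deaggregation by the real origin: fine
    Update("10.9.9.9", "198.51.100.0/24", [64666]),          # unauthorised peer, dropped
]

if __name__ == "__main__":
    for alert in audit(SAMPLE):
        print(alert)
```

Peer filtering alone does not help against a route injected through an authorised neighbour, which is why the origin and more-specific checks run on everything that passes the filter; in production the EXPECTED_ORIGIN table would come from RPKI validation rather than a hand-maintained dictionary.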
To avoid probable attacks against BGP from unauthorized remote malefactors, we recommend that companies provide network filtering, allowing only a limited number of authorized peers to connect to BGP services. To protect against malicious re-routing and hijacking initiated through authorized autonomous systems we recommend that they monitor anomalies in BGP communications (this can be done through specialized software solutions or by subscribing to alerts from vendors providing this kind of monitoring).

Vulnerabilities in network devices
Routers and other network devices are also primary targets for attacks against telecommunications companies.
In September 2015, FireEye researchers revealed the router malware “SYNful knock”, a combination of leaked privilege (root) credentials and a way of replacing device firmware that targets Cisco 1841, 2811 and 3825 routers (see Cisco advisory here).
Put simply, SYNful knock is a modified device firmware image with backdoor access that can replace the original operating system if the attacker has managed to obtain privileged access to the device or can physically connect to it.
SYNful knock is thus not a pure software vulnerability but the combination of leaked privileged credentials with a way of replacing the device firmware. It is nonetheless a dangerous way of compromising an organization’s IT infrastructure.
SYNful knock backdoor sign-in credentials request
Worldwide distribution of devices with the SYNful knock backdoor
The latest information on the number of potentially compromised devices is available through the link https://synfulscan.shadowserver.org/stats/.
A second Cisco vulnerability, CVE-2015-6389 enables attackers to access some sensitive data, such as the password file, system logs, and Cisco PCA database information, and to modify data, run internal executables and potentially make the system unstable or inaccessible. Cisco Prime Collaboration Assurance Software releases prior to 11.0 are vulnerable. Follow this Cisco bulletin for remediation actions.
For further information on Cisco fixes for its devices see https://threatpost.com/cisco-warning-of-vulnerabilities-in-routers-data-center-platforms/115609.
Juniper, another network device manufacturer has been found to carry vulnerabilities in its operating system for its NetScreen VPN appliances, enabling third-party access to network traffic. The issue was reported by the vendor in the security advisory JSA10713 on December 18th, 2015, along with the release of the patch.
It appears that the additional code with a hard-coded password was planted in the source code in late 2013. The backdoor allows any user to log in with administrator privileges using the hard-coded password “<<< %s(un=’%s’) = %u”. This vulnerability has been identified as CVE-2015-7755 and is considered highly critical.
Top countries where ScreenOS devices are used are the Netherlands, the United States, China, Italy and Mexico.
Juniper ScreenOS-powered devices worldwide
Another Juniper backdoor, CVE-2015-7756, affects ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 and allows a third party to monitor traffic inside VPN connections due to security flaws in the Dual_EC PRNG algorithm for random number generation.
To protect the organization from misconfiguration and network device vulnerabilities, Kaspersky Lab recommends that companies pay close attention to vulnerabilities in the network services of telecommunication equipment, establish effective vulnerability and configuration management processes, and regularly perform security assessments, including penetration testing from the perspective of different attackers (a remote intruder, a subscriber, a contractor, etc.).

Malicious insiders
Even if you consider your critical systems and devices protected and safe, it is difficult to fully control some attack vectors. People rank at the very top of this list. Their motivations are often hard to predict and anticipate, ranging from a desire for financial gain to disaffection, coercion and simple carelessness.
While insider-assisted attacks are uncommon, the impact of such attacks can be devastating as they provide a direct route to the most valuable information.
Examples of insider attacks in recent years include:
- A rogue telecoms employee leaking 70 million prison inmate calls, many breaching client-attorney privilege.
- An SMS center support engineer who had intercepted messages containing OTP (One-Time Passwords) for the two-step authentication required to login to customer accounts at a popular fintech company. The engineer was found to be freely offering his services on a popular DarkNet forum.
For attackers, infiltrating the networks of ISPs and CSPs requires a certain level of experience – and it is often cheaper and easier to stroll across the perimeter with the help of a hired or blackmailed insider. Cybercriminals generally recruit insiders through two approaches: enticing or coercing individual employees with relevant skills, or trawling around underground message boards looking for an appropriate employee or former employee.
Employees of cellular service providers are in demand for fast track access to subscriber and company data or SIM card duplication/illegal reissuing, while staff working for Internet service providers are needed for network mapping and man-in-the-middle attacks.
A particularly promising and successful attack vector for recruiting an insider for malicious intrusion is blackmail.
Data breaches, such as the 2015 Ashley Madison leak, reveal information that attackers can compare with other publicly available information to track down where people work and compromise them accordingly. Very often, these leaked databases contain corporate email addresses, including those of telecommunication companies.
Further information on the emerging attack vectors based on the harvesting of Open Source Intelligence (OSINT) can be obtained using Kaspersky Lab’s customer-specific Intelligence Reporting services.

Threats targeting CSP/ISP subscribers

Overview
Attacks targeting the customers of cellular and Internet service providers remain a key area of interest for cybercriminals. We have uncovered a number of malware activities and attack techniques from internal information and from incidents that came within our scope. Analysis of this data identified the following main threats:
- Obtaining subscribers’ credentials. This is growing in appeal as consumers and businesses undertake ever more activity online and particularly on mobile. Further, security levels are often intentionally lowered on mobile devices in favor of usability, making mobile attacks even more attractive to criminals.
- Compromising subscribers’ devices. The number of mobile malware infections is on the rise, as is the sophistication and functionality of the malware. Experienced and skilled programmers are now focusing much of their attention on mobile – looking to exploit payment services as well as low-valued assets like compromised Instagram or Uber accounts, collecting every piece of data from the infected devices.
- Compromising small-scale telecoms cells used by consumers and businesses. Vulnerabilities in CSP-provided femtocells allow criminals to compromise the cells and even gain access to the CSP’s internal network.
- Successful Proof-Of-Concept attacks on USIM cards. Recent research shows that the cryptography of 3G/4G USIM cards is no longer unbreakable. Successful attacks allow SIM card cloning, call spoofing and the interception of SMS.
Social engineering and phishing remain popular and continue to evolve and improve, targeting unaware or poorly aware subscribers and telecoms employees.
The attackers exploit trust and naivety. In 2015, the TeamHans hacker group penetrated one of Canada’s biggest communications groups, Rogers, simply by repeatedly contacting IT support and impersonating mid-ranking employees, in order to build up enough personal information to gain access to the employee’s desktop. The attack provided the hackers with access to contracts with corporate customers, sensitive corporate e-mails, corporate employee IDs, documents, and more.
Both social engineering and phishing approaches are worryingly successful. The Data Breach Investigations Report 2016 found that 30% of phishing emails were opened, and that 12% clicked on the malicious attachment – with the entire process taking, on average, just 1 minute and 40 seconds.
Social engineers and phishers also use multiple ways of making their attacks appear authentic, enriching their data with leaked profiles or impersonating employees or contractors. Recently criminals stole tens of thousands of euros from dozens of people across Germany after finding a way around the systems that text a code to online banking users to confirm transactions. After infecting their victims with banking malware and obtaining their phone numbers, they called the CSP’s support and, impersonating a retail shop, asked for a new SIM card to be activated, thus gaining access to the one-time passwords (mTANs) used for two-factor authentication in online banking.
Kaspersky Lab recommends that telecommunications providers implement notification services for financial organizations that alert them when a subscriber’s SIM card has been changed or when personal data is modified.
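What a bank does with such a notification is the other half of the control. The following is an added example, not code from the report or from any CSP or bank: given a feed of SIM-change notifications, SMS one-time passwords for a number whose SIM was replaced within a cooling-off window are held and the transaction is routed to a second channel instead, which is exactly the gap the German SIM-swap fraud above exploited. The feed format, the 24-hour window, the phone numbers and the transactions are constructed.

```python
"""Added example (not from the report): bank-side use of a CSP SIM-change feed.

Hold SMS OTPs for a cooling-off period after a SIM replacement. The feed,
the window and all numbers are constructed for the example.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

COOLING_OFF = timedelta(hours=24)   # assumed policy value

# Constructed CSP notifications: (MSISDN, time the SIM was reissued)
SIM_CHANGE_FEED: List[Tuple[str, datetime]] = [
    ("+4915112345678", datetime(2016, 3, 1, 9, 30)),
    ("+4915198765432", datetime(2016, 2, 20, 14, 0)),
]


def last_sim_change(msisdn: str, when: datetime, feed: List[Tuple[str, datetime]]) -> Optional[datetime]:
    """Most recent SIM change for this number at or before `when` (later events are ignored)."""
    times = [t for m, t in feed if m == msisdn and t <= when]
    return max(times) if times else None


def otp_channel(msisdn: str, when: datetime, feed, window: timedelta = COOLING_OFF) -> str:
    """'sms' normally; 'hold' when the SIM was swapped within the window.

    'hold' means: do not send the mTAN by SMS; confirm via app push, callback
    to a number on file, or in-branch, because the SMS may now reach the attacker.
    """
    changed = last_sim_change(msisdn, when, feed)
    if changed is not None and when - changed < window:
        return "hold"
    return "sms"


def route_transactions(txns: List[Dict], feed) -> Dict[str, str]:
    """Decide the OTP channel for each pending transaction."""
    return {t["id"]: otp_channel(t["msisdn"], t["time"], feed) for t in txns}


# Constructed pending transactions.
SAMPLE_TXNS = [
    {"id": "t1", "msisdn": "+4915112345678", "time": datetime(2016, 3, 1, 12, 0)},  # 2.5 h after swap
    {"id": "t2", "msisdn": "+4915112345678", "time": datetime(2016, 3, 3, 12, 0)},  # window elapsed
    {"id": "t3", "msisdn": "+4915198765432", "time": datetime(2016, 3, 1, 12, 0)},  # swap long ago
    {"id": "t4", "msisdn": "+4917700000000", "time": datetime(2016, 3, 1, 12, 0)},  # no swap on record
]

if __name__ == "__main__":
    for txn_id, channel in route_transactions(SAMPLE_TXNS, SIM_CHANGE_FEED).items():
        print(txn_id, channel)
```

The decision only needs the CSP to push the SIM-change event with a timestamp; the bank chooses the window and the fallback channel, and the same lookup can drive a step-up on login as well as on transactions.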
Some CSPs have also implemented a threat exchange service to inform financial industry members when a subscriber’s phone is likely to have been infected with malware.

Vulnerable kit
USBs, modems and portable Wi-Fi routers remain high-risk assets for subscribers, and we continue to discover multiple vulnerabilities in their firmware and user interfaces. These include:
- Vulnerabilities in web interfaces designed to help consumers configure their devices. These can be modified to trick a user into visiting a specially crafted page.
- Vulnerabilities that result from insufficient authentication. These can allow for the modification of device settings (like DNS server addresses), and the interception, sending and receiving of SMS messages, or USSD requests, by exploiting different XSS and CSRF vulnerabilities.
- RCE (Remote Code Execution) vulnerabilities based on different variants of embedded Linux that can enable firmware modification and even a complete remote compromise.
Built-in “service” backdoor allowing no-authentication access to device settings
Examples of this kind of vulnerability were demonstrated in research by Timur Yunusov from the SCADAStrangeLove team, who assessed a number of 3G/4G routers from ZTE, Huawei, Gemtek and Quanta and reported a number of serious vulnerabilities:
- Remote Code Execution from web scripts.
- Arbitrary device firmware modification due to insufficient consistency checks.
- Cross-Site Request Forgery and Cross-Site Scripting attacks.
All these vectors can be used by an external attacker for the following scenarios:
- Infecting a subscriber’s computer via PowerShell code or a BadUSB attack.
- Traffic modification and interception.
- Subscriber account access and device settings modification.
- Revealing subscriber location.
- Using device firmware modification for APT attack persistence.
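The CSRF and insufficient-authentication issues listed above come down to one pattern: a settings endpoint that applies whatever a browser sends it, and the browser attaching the router's session cookie to a form submitted from an attacker's page. Below is an added example, not code from any of the vendors named above, showing a DNS-server endpoint in that vulnerable shape next to a hardened version that requires a POST, a valid session, an Origin header matching the device, a per-session CSRF token and a well-formed IP address. Requests are modelled as plain dicts so it runs without a web framework; the device origin, session store and request contents are constructed.

```python
"""Added example (not vendor firmware): CSRF-vulnerable router endpoint beside a hardened one.

Requests are dicts; the device origin, sessions and requests are constructed.
"""
import hmac
import ipaddress
import secrets
from typing import Dict

DEVICE_ORIGIN = "http://192.168.1.1"        # the router UI's own origin (constructed)
SESSIONS: Dict[str, Dict[str, str]] = {}    # session id -> per-session CSRF token


def login(session_id: str) -> str:
    """Issue a session and a CSRF token bound to it; the UI embeds the token in its forms."""
    SESSIONS[session_id] = {"csrf": secrets.token_hex(16)}
    return SESSIONS[session_id]["csrf"]


def vulnerable_set_dns(request: Dict, settings: Dict) -> int:
    """Applies any request carrying a dns parameter.

    The browser attaches the router's session cookie automatically, so a form on
    an attacker's page that posts here changes the victim's DNS server.
    """
    if "dns" not in request["params"]:
        return 400
    settings["dns"] = request["params"]["dns"]
    return 200


def hardened_set_dns(request: Dict, settings: Dict) -> int:
    if request["method"] != "POST":
        return 405
    sess = SESSIONS.get(request["cookies"].get("session", ""))
    if sess is None:
        return 401
    # The form must have been served by the device itself, not by a third-party page.
    # (A Referer fallback for clients that omit Origin is left out for brevity.)
    if request["headers"].get("Origin") != DEVICE_ORIGIN:
        return 403
    # Per-session token that a cross-site page cannot read because of the same-origin policy.
    if not hmac.compare_digest(request["params"].get("csrf", ""), sess["csrf"]):
        return 403
    try:
        new_dns = str(ipaddress.ip_address(request["params"].get("dns", "")))
    except ValueError:
        return 400
    settings["dns"] = new_dns
    return 200


# Constructed requests. The forged one carries the cookie (the browser adds it) but a foreign Origin.
def forged_request() -> Dict:
    return {"method": "POST", "cookies": {"session": "s1"},
            "headers": {"Origin": "http://attacker.example"},
            "params": {"dns": "198.51.100.53"}}


def legitimate_request(csrf: str) -> Dict:
    return {"method": "POST", "cookies": {"session": "s1"},
            "headers": {"Origin": DEVICE_ORIGIN},
            "params": {"dns": "192.0.2.53", "csrf": csrf}}


if __name__ == "__main__":
    token = login("s1")
    before = {"dns": "192.0.2.10"}
    print("vulnerable, forged:", vulnerable_set_dns(forged_request(), dict(before)))
    print("hardened, forged:", hardened_set_dns(forged_request(), dict(before)))
    print("hardened, legitimate:", hardened_set_dns(legitimate_request(token), dict(before)))
```

The value check at the end is what stops the "DNS server" field from carrying shell metacharacters into a firmware script, the other recurring issue in branded CPE interfaces.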
Most of these issues exist due to web interface vulnerabilities (like insufficient input validation or CSRF) or modifications made by the vendor during the process of branding its devices for a specific telecommunications company.

The risk of local cells
Femtocells, which are essentially a personal NodeB with an IP network connection, are growing in popularity as an easy way to improve signal coverage inside buildings. Small business customers often receive them from their CSPs. However, unlike core systems, they are not always submitted to suitably thorough security audits.
Femtocell connection map
Over the last year, our researchers have found a number of serious vulnerabilities in such devices that could allow an attacker to gain complete control over them. Compromising a femtocell can lead to call interception, service abuse and even illegal access to the CSP’s internal network.
At the moment, a successful attack on a femtocell requires a certain level of engineering experience, so risks remain low – but this is likely to change in the future.

USIM card vulnerabilities
Research presented at BlackHat USA in 2015 revealed successful attacks on USIM card security. USIMs had previously been considered unbreakable thanks to the AES-based MILENAGE algorithm used for authentication. The researchers used differential power analysis to extract the encryption key and secrets, which allowed them to clone the new generation of 3G/4G SIM cards from different manufacturers.
Right byte guess peak on differential power analysis graph

Conclusion
Telecommunications is a critical infrastructure and needs to be protected accordingly. The threat landscape shows that vulnerabilities exist on many levels: hardware, software and human, and that attacks can come from many directions. Telecoms providers need to start regarding security as a process – one that encompasses threat prediction, prevention, detection, response and investigation.
A comprehensive, multi-layered security solution is a key component of this, but it is not enough on its own. It needs to be complemented by collaboration, employee education and shared intelligence. Many telecommunications companies already have agreements in place to share network capability and capacity in the case of disruption, and now is the time to start reaping the benefit of shared intelligence.
Our Threat Intelligence Reporting services can provide customer-specific insight into the threats facing your organization. If you’ve ever wondered what your business looks like to an attacker, now’s the time to find out. Contact us at firstname.lastname@example.org
Crooks are always creating new ways to improve the malware they use to target bank accounts, and now Brazilian bad guys have made an important addition to their arsenal: the use of PowerShell. Brazil is the most infected country worldwide when it comes to banking Trojans, according to our Q1 2016 report, and the quality of the malware is evolving dramatically. We found Trojan-Proxy.PowerShell.Agent.a in the wild a few days ago, marking a new achievement by Brazil’s cybercriminals.
The malware is distributed through a malicious email campaign disguised as a receipt from a mobile operator, carrying a malicious .PIF file. Once executed, it changes the proxy configuration in Internet Explorer to point at a malicious proxy server that redirects connections to phishing pages for Brazilian banks. It is the same technique as the malicious PACs we described in 2013, but this time no PAC file is used: the changes to the system are made with a PowerShell script. Since Windows 7 and later, which ship with PowerShell installed, are now the most common versions in Brazil, the malware will have no trouble running on victims' computers.
The malware has no C&C communication. After execution it spawned the process "powershell.exe" with the command line "-ExecutionPolicy Bypass -File %TEMP%\599D.tmp\599E.ps1", so that the script runs regardless of the locally configured execution policy. The .ps1 file in the temp folder carries a random name and is a base64 encoded script capable of making changes to the system.
After some deobfuscation we can see the goal of the script: to change the Internet Settings key and enable a proxy server on it:
And this is the result in the browser of the victim – a small change in the proxy settings:
This change affects not only IE but every other browser that follows the system (WinINET) proxy settings, which on Windows includes Chrome and Edge. The proxy domains used in the attack are listed below. All of them use dynamic DNS services, and their goal is to redirect all traffic to a server located in the Netherlands (220.127.116.11) hosting several phishing pages for Brazilian banks:
The malware also has other features of interest: it checks for the language of the OS and aborts if it’s not PTBR, a clever trick to avoid infecting Windows versions in languages other than Brazilian Portuguese.
To protect a network against malware that uses PowerShell, the execution policy should be restricted to signed scripts only, and it should be set through Group Policy (administrative templates) rather than locally. A caveat for practitioners: the execution policy is not a security boundary. As this sample shows, a locally configured policy is trivially overridden with -ExecutionPolicy Bypass on the command line; only a policy applied through Group Policy (the MachinePolicy scope) takes precedence over that switch. It should therefore be combined with controls that actually constrain what PowerShell can do and make it visible: application control such as AppLocker or Device Guard (which also drops PowerShell 5 into Constrained Language Mode), and script block logging so that the deobfuscated script ends up in the event log. We are sure this is the first of many that Brazil's bad guys will code.
Hash of the malware: cancelamento.pif -> MD5: 9419e7cd60487532313a43559b195cb0
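The behaviour described above (PowerShell launched with -ExecutionPolicy Bypass on a script in a Temp subfolder, followed by writes to the Internet Settings proxy values) is easy to turn into endpoint detection logic. The following Python is an added example, not code from the original post or from Kaspersky Lab: it triages a handful of constructed events shaped loosely like Sysmon process-creation and registry-value-set records. The event layout, the SID, the dynamic-DNS proxy name and the corporate proxy allowlist are all assumptions made for the example.

```python
import re

# Constructed events, loosely shaped like Sysmon process-creation (event 1)
# and registry-value-set (event 13) records. None of them come from the
# original post; the first command line mirrors the one the post quotes.
EVENTS = [
    {"type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\ana\AppData\Local\Temp\599D.tmp\599E.ps1"},
    {"type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1"},
    {"type": "registry",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "key": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable",
     "value": "1"},
    {"type": "registry",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "key": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer",
     "value": "bancoupdate.ddns.example:8080"},   # hypothetical dynamic-DNS host
    {"type": "registry",
     "image": r"C:\Windows\explorer.exe",
     "key": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer",
     "value": "proxy.corp.example:3128"},         # legitimate change via the settings UI
]

# Assumption: the organisation uses exactly one corporate proxy.
ALLOWED_PROXIES = {"proxy.corp.example:3128"}

# -ExecutionPolicy, -Exec, -Ex and the common -ep abbreviation, with a permissive value.
BYPASS_RE = re.compile(r"-(?:ep|ex[a-z]*)\s+(?:bypass|unrestricted)", re.I)
# A .ps1 launched from anywhere below a Temp directory (e.g. %TEMP%\599D.tmp\599E.ps1).
TEMP_SCRIPT_RE = re.compile(r"\\temp\\[^\s\"']*\.ps1\b", re.I)
# The WinINET proxy values the script in the post rewrites.
PROXY_VALUE_RE = re.compile(r"\\internet settings\\(proxyenable|proxyserver|autoconfigurl)$", re.I)


def process_findings(cmdline: str):
    """Reasons a PowerShell command line deserves a closer look."""
    reasons = []
    if BYPASS_RE.search(cmdline):
        reasons.append("execution policy overridden on the command line")
    if TEMP_SCRIPT_RE.search(cmdline):
        reasons.append("script executed from a Temp directory")
    return reasons


def registry_findings(key: str, value: str, allowed=ALLOWED_PROXIES):
    """Reasons a write to the per-user Internet Settings proxy values is suspicious."""
    m = PROXY_VALUE_RE.search(key)
    if not m:
        return []
    name = m.group(1).lower()
    if name == "proxyenable" and value.strip() == "1":
        return ["proxy switched on for the user"]
    if name == "proxyserver" and value not in allowed:
        return ["proxy server set to unexpected host %s" % value]
    if name == "autoconfigurl":
        return ["PAC file configured: %s" % value]
    return []


def triage(events):
    """Return [(event_index, reasons)] for every event that is worth an alert."""
    findings = []
    for n, ev in enumerate(events):
        if ev["type"] == "process":
            reasons = process_findings(ev["cmdline"])
        else:
            reasons = registry_findings(ev["key"], ev["value"])
            if reasons and ev["image"].lower().endswith("powershell.exe"):
                reasons.append("written by PowerShell rather than the settings UI")
        if reasons:
            findings.append((n, reasons))
    return findings


if __name__ == "__main__":
    for index, reasons in triage(EVENTS):
        print(index, EVENTS[index]["type"], "; ".join(reasons))
```

The registry part is deliberately keyed on who writes the value: a ProxyServer change by explorer.exe to the corporate proxy is normal, the same value written by powershell.exe to a dynamic-DNS host is the behaviour described above.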
Although the second quarter of 2016 has only just finished, it’s safe to say that this is already the year of ransomware Trojans. By the end of Q2 there was still a large number of emails with malicious attachments, most of which download ransomware in one way or other to a victim’s computer. However, in the period between 1 June and 21 June the proportion of these emails decreased dramatically.
The majority of malicious attachments were distributed in ZIP archives. The decline can therefore be clearly seen in the following graph showing spam with ZIP attachments that arrived in our traps:
Number of emails with malicious ZIP archives, Q2 2016
In addition to the decline, June saw another interesting feature: this sort of spam was not sent out on Saturdays or Sundays.
The same situation could be observed in KSN: the number of email antivirus detections dropped sharply on 1 June and grew on 22 June.
Number of email antivirus detections by day, Q2 2016
This decline was caused by a temporary lull in activity by the Necurs botnet, which is mostly used to distribute this type of malicious spam. After the botnet resumed its activity, the spam email template changed, and the malicious attachments became even more sophisticated.
For example, some emails (see the screenshot above) contained an attachment with a Trojan downloader. When run, it downloaded Trojan-Ransom.Win32.Locky.agn, which encrypts the data on a victim's computer and demands a ransom, to be paid in bitcoin.
Obfuscation
The second quarter saw spammers continue to mask links using various Unicode ranges designed for specific purposes. This tactic became especially popular in 2015, and is still widely used by spammers.
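The following Python is an added example, not code from the original report: it folds a link's host the way an IDNA-aware client does and flags hosts whose non-ASCII characters collapse to plain ASCII, which is the fingerprint of the Mathematical Alphanumeric Symbols and fullwidth full stop trick this section describes. The sample domain is constructed in the code; the report's own spam domain is not reproduced, and the treatment of the three CJK full stops as label separators follows UTS #46 rather than anything in the report.

```python
import unicodedata
from urllib.parse import urlsplit

# UTS #46 treats these full stops as label separators, i.e. as ".", when
# mapping a domain; NFKC alone only folds U+FF0E, so handle all three.
LABEL_SEPARATORS = str.maketrans({"\u3002": ".", "\uff0e": ".", "\uff61": "."})


def fold_domain(domain: str) -> str:
    """Fold a host name roughly the way an IDNA-aware client does before
    lookup: compatibility characters (mathematical alphanumerics, fullwidth
    forms and the like) collapse to ASCII, exotic full stops become '.',
    and the result is lower-cased."""
    return unicodedata.normalize("NFKC", domain.translate(LABEL_SEPARATORS)).lower()


def lookalike_report(domain: str):
    """Return (folded_domain, is_lookalike).  A host is a lookalike when it
    contains non-ASCII characters yet folds to pure ASCII.  Genuine IDNs
    such as bücher.de keep their non-ASCII letters and are not flagged."""
    folded = fold_domain(domain)
    has_non_ascii = not domain.isascii()
    return folded, has_non_ascii and folded.isascii()


def check_link(url: str):
    """Extract the host from a URL and run the lookalike check on it."""
    return lookalike_report(urlsplit(url).hostname or "")


def bold_math(text: str) -> str:
    """Rewrite ASCII lowercase letters as MATHEMATICAL BOLD SMALL letters
    (U+1D41A..U+1D433, a contiguous range) to construct a sample."""
    return "".join(
        chr(0x1D41A + ord(c) - ord("a")) if "a" <= c <= "z" else c for c in text
    )


# Constructed sample: "example" in mathematical bold joined to "com" with a
# FULLWIDTH FULL STOP (U+FF0E), the pattern the report describes.  This is
# not the actual spam domain, which the report does not reproduce.
SAMPLE = bold_math("example") + "\uff0e" + "com"

if __name__ == "__main__":
    for host in (SAMPLE, "example.com", "b\u00fccher.de"):
        print(repr(host), "->", lookalike_report(host))
    print(check_link("http://" + SAMPLE + "/login"))
```

This catches compatibility-character tricks only. A domain built from confusable letters of another script (a Cyrillic а in place of a Latin a) survives NFKC unchanged and needs a confusables table, not normalization.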
The link in this example looks like this:
If you convert the domain from its UTF-8 form into the more familiar ASCII, it becomes . The characters, which look quite ordinary, in fact belong to the Mathematical Alphanumeric Symbols Unicode block, intended for mathematical notation and not for plain text or hyperlinks. The dot in the domain is also unusual: it is the fullwidth full stop used in CJK (East Asian) text. The rest of the hyperlink, as well as the rest of the text in these spam messages, is written using the Latin alphabet. Browsers that apply the IDNA mapping fold such characters back to their ASCII equivalents, which is why the link still resolves, while the unusual code points defeat naive string matching on the domain.
Spam in APT attacks
In Q2, we came across a number of APT attacks in the corporate sector. Emails were made to look as if they came from representatives of the targeted company, and contained a request to immediately transfer money to a specific account. The text was fairly plausible and hinted at a personal acquaintance and previous communication. In some cases, the emails included the logo of the attacked company. All the messages conveyed a sense of urgency (“ASAP”, “urgent”, “must be completed today”) – scammers often use this trick in an attempt to catch people off guard, so that they act rather than think.
Below is an example:
How are you doing! Are you available at the office? I need you to process an overdue payment that needs to be paid today.
The emails were sent selectively – to individual employees, usually connected to the finance department. The knowledge shown by the scammers suggests the attack was carefully prepared.
The most suspicious aspect of the attack was the domain used in the ‘From’ field – myfirm.moby – that differed from the corporate one. Perhaps the attackers hope that some email clients only show the sender’s name by default, while concealing the address.
It is not that difficult to write any domain in the 'From' field: unless the receiving mail system checks SPF, DKIM and DMARC alignment for the spoofed domain, nothing stops the message. In the future we can expect more well-prepared attacks.
Sporting events in spam
Spam mailings exploiting real-life events have long become an integral part of junk email. Sporting events are not as popular among spammers as political events, although their use is increasing with every year. There is a continuous stream of emails mentioning various political figures, while sport-related spam messages usually only appear in the run-up to an event. However, we have noticed that mass mailings can now be launched long before an event starts. For instance, emails exploiting the Olympic Games in Brazil were discovered over a year ago, in the second quarter of 2015. The majority of them were fraudulent emails designed to trick recipients and steal their personal information and money.
The classic scenario involves false notifications about lottery wins related to the 2016 Olympics. The messages claim that the lottery was held by the official organizers of the games and that the recipient was selected at random from millions of addresses. In order to claim the cash, the recipient has to reply to the email and provide some personal information.
The text of the message was often contained in an attached file (.pdf, .doc, .jpg), while the body of the message only displayed a short text prompting the recipient to open the attachment.
There were also more traditional messages where the spammer text was included directly in the body of the message.
In addition to fraudulent messages, advertising spam was also sent out.
Unlike the Olympics, football tournaments have long been used by scammers to grab people’s attention to their spam. Q2 2016 saw the long-awaited UEFA European Championship, and in the run-up to the tournament spam traffic included fake notifications of lottery wins. The content was no different from that dedicated to the Olympic Games, and the emails also contained attachments explaining why the message was sent.
The football theme was also exploited by ‘Nigerian’ scammers. They sent out emails supposedly on behalf of the former FIFA president, and used the infamous corruption scandal associated with his name to make their messages look more realistic. They believed that a fabricated story about how Sepp Blatter had supposedly received money and secretly transferred it to an account in a European bank would not arouse suspicion. In return for keeping the money in their bank accounts, the recipients were promised a 40% cut of the total sum.
In order to convince recipients that the message was genuine, the authors even went to the trouble of using the correct name and domain in the 'From' field.
US politicians in spam
The presidential election campaign is now in full swing in the United States and the nominees and their entourages are under close media scrutiny. Of course, spammers couldn’t resist using the names of high-profile politicians in their advertising and fraudulent emails. For example, numerous ‘Nigerian’ letters were sent in the name of current president Barack Obama and his wife Michelle. In their ‘official’ emails, the ‘President’ and the ‘First lady’ assured the recipient that a bank card or a check for a very large sum of money had already been issued in their name. The only thing the recipient had to do was complete some formalities, and the money would be delivered shortly afterwards. In order to get the instructions from the White House the recipient had to send some personal information, including their email address and the password for their email account, as well as detailed passport information to spoofed email addresses.
Another politician whose name regularly cropped up in spam was Donald Trump, one of the contenders for the US presidency. Spammers offered a unique Trump technique for earning money online: anyone who wanted to know how to get rich, had to click a link in the emails which were designed to look like news reports from CNN and Fox News.
The links led to fake news sites also in the style of major media outlets and news networks. The sites contained a story about a simple method for earning money – the publication of links, which is basically another kind of spam distribution. In order to participate in the program, a user had to register by providing their phone number and email address.
Statistics
Proportion of spam in email traffic
Percentage of spam in global email traffic, Q2 2016
The largest percentage of spam in the second quarter – 59.46% – was registered in May and was 3 p.p. more than in April. The average percentage of spam in global email traffic for Q2 amounted to 57.25%.
Sources of spam by country
Sources of spam by country, Q2 2016
In Q2 2016, the biggest three sources of spam remained the same as in the previous quarter – the US (10.79%), Vietnam (10.10%) and India (10.01%). However, the figures for each country changed: the gap between them narrowed to within a single percentage point.
China (6.52%) moved up to fourth with an increase of 1.43 p.p. compared to Q1. Mexico (4.55%) came fifth, followed by Russia (4.07%) and France (3.60%). Brazil (3.28%), which was fourth in the previous quarter, lost 2.2 p.p. and dropped to eighth place. Germany (2.97%) and Turkey (2.30%) completed the TOP 10.
Spam email size
Breakdown of spam emails by size, Q1 and Q2 2016
Traditionally, the most commonly distributed emails are very small – up to 2 KB (72.26%), although the proportion of these emails dropped by 9.6 p.p. compared to the previous quarter. Meanwhile, the share of emails sized 10-20 KB increased by 6.76 p.p. The other categories saw minimal changes.
Malicious email attachments
Currently, the majority of malicious programs are detected proactively by automatic means, which makes it very difficult to gather statistics on specific malware modifications. So we have decided to turn to the more informative statistics of the TOP 10 malware families.
TOP 10 malware families
The three most popular malware families remained unchanged from the previous quarter – Trojan-Downloader.JS.Agent (10.45%), Trojan-Downloader.VBS.Agent (2.16%) and Trojan-Downloader.MSWord.Agent (1.82%).
The Trojan.Win32.Bayrob family moved up to fourth place (1.68%), while the Backdoor.Win32.Androm family fell from fourth to ninth place with 0.6%.
TOP 10 malware families in Q2 2016
A newcomer to this ranking was the Trojan.Win32.Inject family (0.61%). The malicious programs from this family embed their code in the address space of other processes.
The Trojan-Spy.HTML.Fraud family (0.55%) rounded off the TOP 10 in Q2 2016.
Countries targeted by malicious mailshots
Distribution of email antivirus verdicts by country, Q2 2016
Germany (14.69%) topped the ranking of countries targeted by malicious mailshots, although its share decreased 4.24 p.p. It was followed by China (13.61%) whose contribution grew 4.18 p.p. Japan (6.42%) came third after ending the previous quarter in seventh with a share of 4.29%.
Fourth place was occupied by Brazil (5.57%). Italy claimed fifth with a share of 4.9% and Russia remained in sixth (4.36%).
The US (4.06%) was the seventh most popular target of malicious mailshots. Austria (2.29%) rounded off this TOP 10.
Phishing
In Q2 2016, the Anti-Phishing system was triggered 32,363,492 times on the computers of Kaspersky Lab users, which is 2.6 million less than the previous quarter. Overall, 8.7% of unique users of Kaspersky Lab products were attacked by phishers in Q2 of 2016.
Geography of attacks
The country where the largest percentage of users is affected by phishing attacks was China (20.22%). In Q2 2016, the proportion of those attacked increased by 3.52 p.p.
Geography of phishing attacks*, Q2 2016
* Number of users on whose computers the Anti-Phishing system was triggered as a percentage of the total number of Kaspersky Lab users in the country
The percentage of attacked users in Brazil decreased by 2.87 p.p. and accounted for 18.63%, placing the country second in this ranking. Algeria (14.3%) came third following a 2.92 p.p. increase in its share compared to the previous quarter.
TOP 10 countries by percentage of users attacked:
1. China 20.22%
2. Brazil 18.63%
3. Algeria 14.3%
4. United Kingdom 12.95%
5. Australia 12.77%
6. Vietnam 11.46%
7. Ecuador 11.14%
8. Chile 11.08%
9. Qatar 10.97%
10. Maldives 10.94%
Organizations under attack
The statistics on phishing targets are based on detections of Kaspersky Lab’s heuristic anti-phishing component. It is activated every time a user attempts to open a phishing page while information about it has not yet been included in Kaspersky Lab’s databases. It does not matter how the user attempts to open the page – by clicking a link in a phishing email or in a message on a social network or, for example, as a result of malware activity. After the security system is activated, a banner is displayed in the browser warning the user about a potential threat.
In Q2 of 2016, the share of the ‘Global Internet portals’ category (20.85%), which topped the rating in the first quarter, decreased considerably – by 7.84 p.p. The share of the ‘Financial organizations’ category grew 2.07 p.p. and accounted for 46.23%. This category covers ‘Banks’ (25.43%, +1.51 p.p.), ‘Payment systems’ (11.24%, -0.42 p.p.) and ‘Online stores’ (9.39%, +0.99 p.p.).
Distribution of organizations affected by phishing attacks by category, Q2 2016
The share of attacks on the 'Social networking sites' category increased by 2.65 p.p. and reached 12.4%. The 'Online games' category was also attacked more often (5.65%, +1.96 p.p.). Meanwhile, the 'Telephone and Internet service providers' (4.33%) and the 'IMS' (1.28%) categories lost 1.17 p.p. and 2.15 p.p. respectively.
Hot topics this quarter
The Olympics in Brazil
For a number of years now Brazil has been among the countries with the highest proportion of users targeted by phishing. In 2015 and 2016 phishers have focused on the Rio Olympic Games in Brazil. Last quarter showed that as well as ordinary users, the potential victims of phishing included the organizers of the Olympic Games.
The Olympic theme remained popular in Q2, with phishers working overtime to send out fake notifications about big cash wins in a lottery that was supposedly organized by the Brazilian government and the Olympic Committee.
'Porn virus' for Facebook users
Facebook users are often subjected to phishing attacks. During one attack in the second quarter, a provocative video was used as bait. To view it, the user was directed to a fake page imitating the popular YouTube video portal, and told to install a browser extension.
This extension requested rights to read all the data in the browser, potentially giving the cybercriminals access to passwords, logins, credit card details and other confidential user information. The extension also distributed more links on Facebook that directed to itself, but which were sent using the victim's name.
Phisher tricks
Compromising domains with good reputation
To bypass security software filters, fraudsters try to place phishing pages on domains with good reputations. This significantly reduces the probability of them being blocked and means potential victims are more trusting. The phishers can strike it big if they can use a bank or a government agency domain for their purposes. In Q2, we came across a phishing attack targeting the visitors of a popular Brazilian e-commerce site: the fake page was located on the domain of a major Indian bank. This is not the first time fraudsters have compromised the domain of a large bank and placed their content on it.
Phishing pages targeting the users of the Brazilian store americanas.com
When trying to purchase goods on the fake pages of the store, the victim is asked to enter lots of personal information. When it’s time to pay, the victim is prompted to print out a receipt that now shows the logo of a Brazilian bank.
The domains of state structures are hacked much more frequently by phishers. In Q2 2016, we registered numerous cases where phishing pages were located on the domains belonging to the governments of various countries. Here are just a few of them:
Phishing pages located on the domains of government authorities
The probability of these links being placed on blacklists is negligible thanks to the reputation of the domain.
TOP 3 organizations attacked
Fraudsters continue to focus most of their attention on the most popular brands, enhancing their chances of a successful phishing attack. More than half of all detections of Kaspersky Lab’s heuristic anti-phishing component fall on phishing pages hiding behind the names of fewer than 15 companies.
The TOP 3 organizations attacked most frequently by phishers accounted for 23% of all phishing links detected in Q2 2016.
Organization – % of detected phishing links
1. Microsoft – 8.1%
2. Facebook – 8.03%
3. Yahoo! – 6.87%
In Q2 2016, this TOP 3 ranking saw a few changes. Microsoft was the new leader with 8.1% (+0.61 p.p.), while Facebook (8.03%, +2.32 p.p.) came second. The share of attacks targeting Yahoo! (6.87%) fell 1.46 p.p., leaving last quarter’s leader in third.
Q2 leader Microsoft is included in the ‘Global Internet portals’ category because the user can access a variety of the company’s services from a single account. This is what attracts the fraudsters: in the event of a successful attack, they gain access to a number of services used by the victim.
Example of phishing on Live.com, a Microsoft service
Conclusion
In the second quarter of 2016, the proportion of spam in email traffic increased insignificantly – by 0.33 p.p. – compared to the previous quarter and accounted for 57.25%. The US remained the biggest source of spam. As in the previous quarter, the top three sources also included Vietnam and India.
Germany was once again the country targeted most by malicious mailshots, followed closely by China. Japan, which was seventh in the previous quarter’s ranking, completed the TOP 3 in Q2.
Trojan-Downloader.JS.Agent remained the most popular malware family distributed via email. Next came Trojan-Downloader.VBS.Agent and Trojan-Downloader.MSWord.Agent. A significant amount of malicious spam was used to spread ransomware Trojans such as Locky. For almost a month, however, cybercriminals did not distribute their malicious spam, but then the Necurs botnet began working again. We don’t expect to see any significant reduction in the volume of malicious spam in the near future, although there may be changes in email patterns, the complexity of the malware, as well as the social engineering methods used by attackers to encourage a user to launch a malicious attachment.
The focus of phishing attacks shifted slightly from the ‘Global Internet portals’ to the ‘Financial organizations’ category.
The theme of the Olympic Games was exploited by both phishers and spammers to make users visit fake pages with the aim of acquiring their confidential information or simply to get their money.
Events in the political arena, such as the presidential election in the US, also attracted spammers, while the sites of government agencies were compromised in phishing attacks.
As we can see, the overriding trend of the quarter is that of fraud and making quick money from victims using direct methods such as Trojan cryptors that force unprotected users to pay a ransom, or phishing attacks that target financial organizations, rather than long drawn-out scams. All of this once again highlights the need for both comprehensive protection on computers and increased vigilance by Internet users.
Kaspersky Lab has observed new waves of attacks that started on the 8th and the 27th of June 2016. These have been highly active in the Middle East region and unveiled ongoing targeted attacks in multiple regions. The attackers try to lure targets through spear phishing emails that include compressed executables. The malware collects all data such as passwords, keystrokes and screenshots, then sends it to the attackers.
We found that the group behind this campaign targeted mainly industrial, engineering and manufacturing organizations in more than 30 countries. In total, over 130 organizations have been identified as victims of this campaign. Using the Kaspersky Security Network (KSN) and artifacts from malware files and attack sites, we were able to trace the attacks back to March 2015. Three things are noteworthy. First, since the beginning of their activities the attackers' motivation has apparently been financial, whether through the victims' bank accounts or through selling their intellectual property to interested parties. Second, most infiltrated organizations are SMBs (small to medium-sized businesses of 30-300 employees). Third, the use of commercial off-the-shelf malware makes attribution of the attacks more difficult.
In ancient folklore, the Ghoul is an evil spirit associated with consuming human flesh and hunting children, originally a Mesopotamian demon. Today, the term is sometimes used to describe a greedy or materialistic individual.
Main infection vector: malicious emails
The following picture shows the emails used to deliver the malware to victims, disguised as a payment document. The emails appear to come from a bank in the UAE, Emirates NBD, and include a 7z archive containing the malware. In other cases victims received phishing links. A quick analysis of the email headers reveals that the sender addresses were spoofed.
In the case of spear phishing emails with an attachment, the 7z does not contain payment instructions but a malware executable (EmiratesNBD_ADVICE.exe). We have observed executables with the following MD5s:
Malware MD5 hashes
Email file MD5 hashes
The spear phishing emails are mostly sent to senior members and executives of targeted organizations, most likely because the attackers hope to get access to core intelligence, controlling accounts and other interesting information from people who have the following positions or similar:
- Chief Executive Officer
- Chief Operations Officer
- General Manager
- General Manager, Sales and Marketing
- Deputy General Manager
- Finance and Admin Manager
- Business Development Manager
- Export manager
- Finance Manager
- Purchase manager
- Head of Logistics
- Sales Executive
The malware is based on the HawkEye commercial spyware, which gives the attackers a variety of tools and, because it is sold off the shelf, also makes attribution harder. It starts by deploying itself and configuring persistence, using anti-debugging and timeout techniques, then begins collecting interesting data from the victim's device, including:
- Clipboard data
- FTP credentials stored by the FileZilla client
- Account data from local browsers
- Account data from local messaging clients (Paltalk, Google talk, AIM…)
- Account data from local email clients (Outlook, Windows Live mail…)
- License information of some installed applications
Data is collected by the attackers primarily through:
- HTTP GET requests sent to hxxp://18.104.22.168
- E-mail via mail.ozlercelikkapi[.]com (22.214.171.124), sent to info@ozlercelikkapi[.]com
- E-mail via mail.eminenture[.]com (126.96.36.199), sent to eminfo@eminenture[.]com
Both ozlercelikkapi[.]com and eminenture[.]com seem to belong to compromised organisations operating in manufacturing and technology services.
Malware command center
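The two exfiltration channels above, direct e-mail through third-party mail servers and HTTP GET requests carrying the stolen data to a single address, both stand out in egress logs if the network has a baseline. The following Python is an added example, not part of the original post: it scans a few constructed proxy/firewall log lines for a workstation handing mail to anything other than the corporate relay, and for GET requests whose query string carries a long base64 blob. The log format, the relay allowlist, the host names and addresses are all assumptions for the example and not indicators from the post.

```python
import base64
import re
from urllib.parse import urlsplit

# Assumption: workstations may only hand mail to the corporate relay.
MAIL_RELAYS = {"smtp.corp.example"}
SMTP_PORTS = {25, 465, 587}

# Constructed stand-in for what stolen credentials look like once the
# spyware base64-encodes them into a GET parameter.
EXFIL_BLOB = base64.b64encode(
    b"login=ceo@corp.example; clip=IBAN NL91ABNA0417164300"
).decode()

# Constructed egress log: time src dst dport proto [url].  Hostnames and
# addresses are placeholders (RFC 5737 / .example), not the post's IOCs.
LOG = f"""\
10:01:02 10.0.5.17 smtp.corp.example 587 smtp
10:01:07 10.0.5.17 mail.supplier-one.example 587 smtp
10:01:09 10.0.5.17 203.0.113.10 80 http http://203.0.113.10/gate.php?data={EXFIL_BLOB}
10:02:30 10.0.5.22 203.0.113.20 80 http http://203.0.113.20/index.html?page=2
"""

# At least 40 base64 characters plus optional padding; shorter values are noise.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def looks_base64(value: str) -> bool:
    """Long, well-formed base64 that actually decodes; short or malformed
    parameters such as page=2 do not qualify."""
    if B64_RE.fullmatch(value) is None:
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except ValueError:          # binascii.Error is a ValueError
        return False


def suspicious_flow(line: str):
    """Return a reason string for a flagged flow, or None."""
    fields = line.split(maxsplit=5)
    if len(fields) < 5:
        return None
    _, src, dst, dport, proto = fields[:5]
    if int(dport) in SMTP_PORTS and dst not in MAIL_RELAYS:
        return f"{src} sends mail directly to {dst}, bypassing the relay"
    if proto == "http" and len(fields) == 6:
        # Split the query by hand: parse_qsl would turn '+' into spaces
        # and break the base64 check.
        for param in urlsplit(fields[5]).query.split("&"):
            name, _, value = param.partition("=")
            if looks_base64(value):
                return f"GET to {dst} carries a {len(value)}-byte base64 blob in '{name}'"
    return None


def scan(log: str):
    """[(line_number, reason)] for every flagged line of the log."""
    hits = []
    for n, line in enumerate(log.splitlines(), 1):
        if line.strip():
            reason = suspicious_flow(line)
            if reason:
                hits.append((n, reason))
    return hits


if __name__ == "__main__":
    for n, reason in scan(LOG):
        print(f"line {n}: {reason}")
```

The mail rule is the stronger of the two: a desktop opening port 587 to a server it has never mailed before is unusual on its own, whereas the base64 heuristic will need tuning against legitimate APIs before it is alert-worthy.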
The malware connects to 188.8.131.52 to deliver collected information from the victim’s PC. This information includes passwords, clipboard data, screenshots…
The IP address 184.108.40.206 seems to belong to a compromised device running multiple malware campaigns.
Victim information
Victim organizations are distributed in different countries worldwide with attackers focused on certain countries more than others:
Number of Victim Organisations by Country
Countries marked as "others" have fewer than three victim organizations each; they are: Switzerland, Gibraltar, USA, Sweden, China, France, Azerbaijan, Iraq, Turkey, Romania, Iran, Iraq and Italy.
Victim industry information
Victim industry types were also indicators of targeted attacks as attackers were looking to infiltrate organizations that belong to the product life cycle of multiple goods, especially industrial equipment.
Number of Victim Organizations by Industry Type
Victim industry descriptions:
Industrial: Petrochemical, naval, military, aerospace, heavy machinery, solar energy, steel, pumps, plastics
Engineering: Construction, architecture, automation, chemical, transport, water
Shipping: International freight shipping
Pharmaceutical: Production/research of pharmaceutical and beauty products
Manufacturing: Furniture, decor, textiles
Trading: Industrial, electronics and food trading
Education: Training centers, universities, academic publishing
Tourism: Travel agencies
Technology/IT: Providers of IT technologies and consulting services
Unknown: Unidentified victims
The last attack waves
Kaspersky Lab user statistics indicate the new waves of attacks that started in June 2016 are focused on certain countries more than others.
Hundreds of detections have been reported by Kaspersky Lab users; 70% of the attacked users were found in the United Arab Emirates alone, the other 30% were distributed in Russia, Malaysia, India, Jordan, Lebanon, Turkey, Algeria, Germany, Iran, Egypt, Japan, Switzerland, Bahrain and Tunisia.
Phishing pages have also been spotted through 220.127.116.11, and although they are taken down quickly, more than 150 user accounts were identified as victims of the phishing links sent by the attackers. Victims were connecting from the following devices and inserting their credentials, a reminder that phishing attacks do work on all platforms:
- Mac OS X
The malware files are detected using the following heuristic signatures:
Operation Ghoul is one of many attacks in the wild targeting industrial, manufacturing and engineering organizations. Kaspersky Lab recommends that users be extra cautious when checking and opening emails and attachments. In addition, privileged users need to be well trained and ready to deal with cyber threats; failure here is, in most cases, the root cause of private or corporate data leakage, reputational damage and financial loss.
Indicators of Compromise
The following are common among the different malware infections; the presence of any of them is an indication of a possible infection.
Filenames and paths related to malware
Malware links observed on 18.104.22.168 dating back to March and April 2016:
For more information on how you can protect your business from similar attacks, please visit this post from Kaspersky Business.
August 13, 2016 saw the beginning of a truly bizarre episode. A new identity going under the name ‘ShadowBrokers’ came onto the scene claiming to possess files belonging to the apex predator of the APT world, the Equation Group [PDF]. In their initial leak, the ShadowBrokers claimed the archive was related to the Equation group, however, they didn’t provide any technical details on the connections.
Along with some non-native rants against ‘Wealthy Elites’, the ShadowBrokers provided links to two PGP-encrypted archives. The first was provided for free as a presumptive show of good faith, the second remains encrypted at the time of writing. The passphrase is being ‘auctioned’, but having set the price at 1 million BTC (or 1/15th of the total amount of bitcoin in circulation), we consider this to be optimistic at best, if not ridiculous at face value.
The first archive contains close to 300MB of firewall exploits, tools, and scripts under cryptonyms like BANANAUSURPER, BLATSTING, and BUZZDIRECTION. Most files are at least three years old: the change entries point to August 2013, and the newest timestamp dates to October 2013.
As researchers continue to feast on the release, some have already begun to test the functional capabilities of the exploits with good results.
Having originally uncovered the Equation group in February 2015, we’ve taken a look at the newly released files to check for any connections with the known toolsets used by Equation, such as EQUATIONDRUG, DOUBLEFANTASY, GRAYFISH and FANNY.
While we cannot surmise the attacker's identity or motivation, nor where or how this pilfered trove came to be, we can state that several hundred tools from the leak share a strong connection with our previous findings from the Equation group.
The Devil's in the Crypto
The Equation group uses the RC5 and RC6 encryption algorithms quite extensively throughout their creations. RC5 was designed by Ronald Rivest in 1994; RC6, designed by Rivest, Robshaw, Sidney and Yin in 1998 as an AES candidate, is a close relative that works on four 32-bit registers instead of two and adds an integer multiplication (the quadratic function f(x) = x(2x+1)) to each round to make it harder to attack. Both ciphers use the same key setup mechanism and the same "magic" constants P and Q: for 32-bit words P = 0xB7E15163 and Q = 0x9E3779B9, derived from e and the golden ratio.
The particular RC5/6 implementation in the Equation group's malware deserves special attention. Inside the Equation group malware, the encryption library subtracts the constant 0x61C88647 during key setup. In most publicly available RC5/6 code the constant is instead written as 0x9E3779B9 and added: 0x61C88647 is simply the two's-complement negation of 0x9E3779B9 (the two sum to 2^32), so subtracting one is equivalent modulo 2^32 to adding the other. Which of the two forms ends up in a binary is a property of the source code and compiler rather than of the algorithm, which is exactly what makes it useful as a fingerprint. In total, we've identified 20 different compiled versions of the RC5/6 code in the Equation group malware.
Encryption-related code in a DoubleFantasy (actxprxy32.dll) sample
In the screenshot above, one can observe the main loop of a RC6 key setup subroutine extracted from one of the Equation group samples. The ShadowBrokers’ free trove includes 347 different instances of RC5/RC6 implementations. As shown in the screenshot below, the implementation is functionally identical including the subtraction of the inverted constant 0x61C88647.
Specific RC6 implementation from "BUSURPER-2211-611.exe" (md5: 8f137a9100a9fcc8b512b3729878a373)
Comparing the older, known Equation RC6 code and the code used in most of the binaries from the new leak we observe that they are functionally identical and share rare specific traits in their implementation.
In case you’re wondering, this specific RC6 implementation has only been seen before in Equation group malware. There are more than 300 files in the ShadowBrokers’ archive which implement this specific variation of RC6 in 24 different forms. It is highly unlikely that all of these were faked or engineered.
This code similarity makes us believe with a high degree of confidence that the tools from the ShadowBrokers leak are related to the malware from the Equation group. While the ShadowBrokers claimed the data was related to the Equation group, they did not provide any technical evidence of these claims. The highly specific crypto implementation above confirms these allegations.
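As an added illustration (not code from the samples or from the leak), here is the RC6-32/20 key schedule written both ways, the usual “add 0x9E3779B9” and the “subtract 0x61C88647” form described above, with a block encryption to show they are one and the same cipher, and a byte-pattern check an analyst can use to see which form a code section embeds. The blob it scans is constructed.

```python
import struct

MASK32 = 0xFFFFFFFF
P32 = 0xB7E15163        # Odd((e - 2) * 2^32), RC5/RC6 constant P for w = 32
Q32 = 0x9E3779B9        # Odd((phi - 1) * 2^32), constant Q as most public code stores it
NEG_Q32 = 0x61C88647    # (-Q32) mod 2^32: the immediate the Equation code subtracts
ROUNDS = 20
T = 2 * ROUNDS + 4      # 44 round-key words for RC6-32/20


def rotl32(x, n):
    """Rotate a 32-bit word left by n (mod 32) bits."""
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK32 if n else x


def rc6_key_schedule(key, use_subtract=False):
    """RC6-32/20 key expansion. With use_subtract=True the S table is filled as
    S[i] = S[i-1] - 0x61C88647 instead of S[i-1] + 0x9E3779B9; both are equal
    mod 2^32, so the expanded keys must be identical."""
    c = max(1, (len(key) + 3) // 4)
    L = [0] * c                                   # key bytes as little-endian words
    for i, b in enumerate(key):
        L[i // 4] |= b << (8 * (i % 4))
    S = [P32]
    for _ in range(1, T):
        step = (S[-1] - NEG_Q32) if use_subtract else (S[-1] + Q32)
        S.append(step & MASK32)
    A = B = i = j = 0
    for _ in range(3 * max(c, T)):                # mixing loop from the RC6 spec
        A = S[i] = rotl32((S[i] + A + B) & MASK32, 3)
        B = L[j] = rotl32((L[j] + A + B) & MASK32, A + B)
        i = (i + 1) % T
        j = (j + 1) % c
    return S


def rc6_encrypt_block(S, block):
    """Encrypt one 16-byte block with an expanded key S (w = 32, r = 20)."""
    A, B, C, D = struct.unpack("<4I", block)
    B = (B + S[0]) & MASK32
    D = (D + S[1]) & MASK32
    for r in range(1, ROUNDS + 1):
        t = rotl32((B * (2 * B + 1)) & MASK32, 5)   # the quadratic step RC6 adds over RC5
        u = rotl32((D * (2 * D + 1)) & MASK32, 5)
        A = (rotl32(A ^ t, u) + S[2 * r]) & MASK32
        C = (rotl32(C ^ u, t) + S[2 * r + 1]) & MASK32
        A, B, C, D = B, C, D, A
    A = (A + S[2 * ROUNDS + 2]) & MASK32
    C = (C + S[2 * ROUNDS + 3]) & MASK32
    return struct.pack("<4I", A, B, C, D)


def schedules_agree(key):
    """True if the add-Q and subtract-(-Q) forms expand the key identically."""
    return rc6_key_schedule(key, False) == rc6_key_schedule(key, True)


def subtract_form_matches_test_vector():
    """Encrypt the all-zero block under the all-zero 128-bit key using the
    subtract form and compare against test vector 1 from the RC6 paper."""
    expected = bytes.fromhex("8fc3a53656b1f778c129df4e9848a41e")
    S = rc6_key_schedule(bytes(16), use_subtract=True)
    return rc6_encrypt_block(S, bytes(16)) == expected


def classify_q_constant(blob):
    """Report which form of Q a binary blob embeds as a little-endian immediate.
    A triage hint only: a hit is not proof of RC5/RC6, and a compiler or an
    author may also build the constant at runtime."""
    has_add = struct.pack("<I", Q32) in blob
    has_sub = struct.pack("<I", NEG_Q32) in blob
    if has_add and has_sub:
        return "both forms"
    if has_sub:
        return "subtract form (0x61C88647)"
    if has_add:
        return "add form (0x9E3779B9)"
    return "no RC5/RC6 Q constant found"


# Constructed blob standing in for a code section: the immediate 0x61C88647
# written out little-endian (47 86 C8 61) among filler bytes.
SAMPLE_BLOB = b"\x90" * 8 + bytes.fromhex("47 86 c8 61") + b"\x90" * 8

if __name__ == "__main__":
    print("schedules agree:", schedules_agree(b"sixteen byte key"))
    print("test vector OK:", subtract_form_matches_test_vector())
    print("sample blob:", classify_q_constant(SAMPLE_BLOB))
```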
More details about the ShadowBrokers leak and similarities with Equation group are available to Kaspersky Intelligence Services reports’ subscribers. For more information, email email@example.com
This morning, we encountered a gratuitous act of violence against Android users. By simply viewing their favorite news sites over their morning coffee users can end up downloading last-browser-update.apk, a banking Trojan detected by Kaspersky Lab solutions as Trojan-Banker.AndroidOS.Svpeng.q. There you are, minding your own business, reading the news and BOOM! – no additional clicks or following links required. And be careful – it’s still out there!
Download of a malicious application while viewing a news site using AdSense
It turns out the malicious program is downloaded via the Google AdSense advertising network. Be warned, lots of sites use this network – not just news sites – to display targeted advertising to users. Site owners are happy to place advertising like this because they earn money every time a user clicks on it. But anyone can register their ad on this network – they just need to pay a fee. And it seems that didn’t deter the authors of the Svpeng Trojan from pushing their creation via AdSense. The Trojan is downloaded as soon as a page with the advert is visited.
A similar case was registered in mid-July by the Meduza news portal. As a result, they disabled advertising from AdSense on their pages. At that time the technique was used to distribute an earlier version of the Trojan.
Screenshot from the Meduza news site (https://new.vk.com/wall-76982440_659517)
The Svpeng family of banking Trojans has long been known to Kaspersky Lab and possesses a standard set of malicious functions. After being installed and launched, it disappears from the list of installed apps and requests the device’s admin rights (to make it harder for antivirus software or the user to remove it). Svpeng can steal information about the user’s bank cards via phishing windows, and intercept, delete and send text messages (this is necessary for attacks on remote banking systems that use SMS as a transport layer). Also, the malware can counteract mobile security solutions that are popular in Russia by terminating their processes.
In addition, Svpeng collects an impressive amount of information from the user’s phone – the call history, text and multimedia messages, browser bookmarks and contacts.
Be careful and use antivirus solutions!
Special thanks to our colleague Stanislav Zaytsev for the video.
Hacks in Taiwan Conference (HITCON) 2016 was held on 22 – 23 July 2016 in Taipei, Taiwan. The theme of HITCON Community this year is “Security or Nothing”, focusing on hacking techniques and information security.
About 1,500 participants attended the event, coming from the United States, India, Korea, China, Japan and Taiwan. The attendees enjoyed the opportunity to meet security experts, security researchers and malware analysts from each country to discuss information security, APT research and malware analysis. Among them, more than 20 percent were students who possess high skills and promising futures.
This conference agenda included various topics: a 0-day exploit of the Windows 10 built-in browser “Edge”, research regarding an attempt to break the key of an IoT intelligent electric network, and talks on ransomware.
The following are summaries of a few of the impressive presentations:
1. BLE authentication design challenges on IoT Devices: Analyzing Gogoro Smart Scooter
Mr. GD (Team T5) introduced how to analyze Bluetooth Low Energy (BLE) and provided details of communication protocols between IoT devices and a smartphone that controls them. He explained a problem in authentication mechanism and application protocol of the Gogoro smart scooter. He demonstrated that other people were able to unlock the scooter and proposed a better authentication mechanism to solve the problem.
2. Bug Bounty: The story of a bug hunter
Mr. Orange Tsai (student) explained what a bug bounty program is, including how to get ready and cautions for participating in a bug bounty. He shared his point of view over finding bugs, as well as examples from his own experiences. Some remote code executions on Facebook, Uber, Apple and Yahoo! were introduced. In addition, he talked about eBay’s SQL Injection and several cross-site scripting cases on Facebook, Apple and Google by showing sample code for each.
If you are interested, you can see the HITCON 2016 presentations at http://hitcon.org/2016/CMT/#hitcon_agenda.
The last session of the 2nd day was a “Lightning talk show” which included technical short presentations that covered recent topics. For example, the first speaker talked about how to communicate with an APT operator and showed the attributions in a recent incident. Another speaker introduced how to crack and hack “Pokémon GO” and they demonstrated how to hook the GPS and control it. They published their code as an open source project on GitHub.
This conference did not consist only of briefings, but also some fun events: a hacker board game, a Raspberry Pi Wargame challenge and the Wall of Sheep. One funny thing that occurred was when some captured traffic indicated someone made a connection to a Japanese dating site via the HITCON public Wi-Fi. It was a window of opportunity for attendees to learn their own vulnerabilities.
The official language of this conference was Chinese, but there were no worries: the event staff, wearing “ask me anything” (何でも聞いて) stickers with a cute smiley emoji, helped attendees with English and Japanese translation.
In conclusion, HITCON 2016 was really interesting and exciting. We really enjoyed this conference and plan to attend in years to come. The HITCON community has another event, HITCON Pacific (http://hitcon.org/2016/) from 28 November to 3 December 2016. Hopefully we will be in attendance for that one as well:)
All the statistics used in this report were obtained using Kaspersky Security Network (KSN), a distributed antivirus network that works with various anti-malware protection components. The data was collected from KSN users who agreed to provide it. Millions of Kaspersky Lab product users from 213 countries and territories worldwide participate in this global exchange of information about malicious activity.
Q1 figures
- According to KSN data, Kaspersky Lab solutions detected and repelled 171,895,830 malicious attacks from online resources located in 191 countries all over the world.
- 54,539,948 unique URLs were recognized as malicious by web antivirus components.
- Kaspersky Lab’s web antivirus detected 16,119,489 unique malicious objects: scripts, exploits, executable files, etc.
- Attempted infections by malware that aims to steal money via online access to bank accounts were registered on 1,132,031 user computers.
- Crypto ransomware attacks were blocked on 311,590 computers of unique users.
- Kaspersky Lab’s file antivirus detected a total of 249,619,379 unique malicious and potentially unwanted objects.
- Kaspersky Lab mobile security products detected:
  - 3,626,458 malicious installation packages;
  - 27,403 mobile banker Trojans (installation packages);
  - 83,048 mobile ransomware Trojans (installation packages).
In Q2 2016, Kaspersky Lab detected 3,626,458 malicious installation packages – 1.7 times more than in the previous quarter.
Number of detected malicious installation packages (Q3 2015 – Q2 2016)
Distribution of mobile malware by type
As of this quarter, we will calculate the distribution of mobile malware by type based on the number of detected malicious installation packages rather than modifications, as was the case in earlier reports.
Distribution of new mobile malware by type (Q1 2016 and Q2 2016)
In Q2 2016, RiskTool software, or legal applications that are potentially dangerous to users, topped the ranking of detected malicious objects for mobile devices. Their share increased from 31.6% in Q1 to 45.1% this quarter.
Adware occupies second place. The share of these programs fell 1.4 p.p. compared to the previous quarter, and accounted for 14.2%.
The share of SMS Trojans fell from 18.5% to 10.8%, pushing this category of malicious programs down from second to third place in the ranking. Trojan-SMS.AndroidOS.Agent.qu and Trojan-SMS.AndroidOS.Agent.f accounted for most of the detected SMS Trojans, with both accounting for approximately 30% of all malicious files in this category.
The Trojan-Dropper share also fell – from 14.5% in Q1 to 9.2%. Trojan-Dropper.AndroidOS.Agent.v led the way: we detected more than 50,000 installation packages related to this Trojan.
TOP 20 mobile malware programs
Please note that this ranking of malicious programs does not include potentially dangerous or unwanted programs such as RiskTool or adware.

| | Name | % of attacked users* |
|---|---|---|
| 1 | DangerousObject.Multi.Generic | 80.87 |
| 2 | Trojan.AndroidOS.Iop.c | 11.38 |
| 3 | Trojan.AndroidOS.Agent.gm | 7.71 |
| 4 | Trojan-Ransom.AndroidOS.Fusob.h | 6.59 |
| 5 | Backdoor.AndroidOS.Ztorg.a | 5.79 |
| 6 | Backdoor.AndroidOS.Ztorg.c | 4.84 |
| 7 | Trojan-Ransom.AndroidOS.Fusob.pac | 4.41 |
| 8 | Trojan.AndroidOS.Iop.t | 4.37 |
| 9 | Trojan-Dropper.AndroidOS.Gorpo.b | 4.30 |
| 10 | Trojan.AndroidOS.Ztorg.a | 4.30 |
| 11 | Trojan.AndroidOS.Ztorg.i | 4.25 |
| 12 | Trojan.AndroidOS.Iop.ag | 4.00 |
| 13 | Trojan-Dropper.AndroidOS.Triada.d | 3.10 |
| 14 | Trojan-Dropper.AndroidOS.Rootnik.f | 3.07 |
| 15 | Trojan.AndroidOS.Hiddad.v | 3.03 |
| 16 | Trojan-Dropper.AndroidOS.Rootnik.h | 2.94 |
| 17 | Trojan.AndroidOS.Iop.o | 2.91 |
| 18 | Trojan.AndroidOS.Rootnik.ab | 2.91 |
| 19 | Trojan.AndroidOS.Triada.e | 2.85 |
| 20 | Trojan-SMS.AndroidOS.Podec.a | 2.83 |
* Percentage of unique users attacked by the malware in question, relative to all users of Kaspersky Lab’s mobile security product that were attacked.
First place is occupied by DangerousObject.Multi.Generic (80.87%), the classification used for malicious programs detected by cloud technologies. Cloud technologies work when the antivirus database contains neither the signatures nor heuristics to detect a malicious program, but the cloud of the antivirus company already contains information about the object. This is basically how the very latest malware is detected.
As in the previous quarter, 16 Trojans that use advertising as their main means of monetization (highlighted in blue in the table) made it into the TOP 20. Their goal is to deliver as many adverts as possible to the user, employing various methods, including the installation of new adware. These Trojans may use superuser privileges to conceal themselves in the system application folder, from which it will be very difficult to delete them.
Trojan.AndroidOS.Iop.c (11.38%) moved from third to second in the TOP 20 and became the single most popular malicious program of the quarter. Over the reporting period we detected this Trojan in 180 countries, but the majority of attacked users were in Russia, India and Algeria. Iop.c can exploit a variety of vulnerabilities in the system to gain superuser privileges. The main method of monetization is displaying advertising and installing (usually secretly) various programs on the user’s device, including other malicious programs.
Representatives of the Trojan-Ransom.AndroidOS.Fusob ransomware family claimed fourth and seventh places. These Trojans demand a ransom of $100-200 from victims to unblock their devices. Attacks using this Trojan were registered in over 120 countries worldwide in Q2, with a substantial number of victims located in Germany and the US.
Trojan-SMS.AndroidOS.Podec.a (2.83%) has now spent over a year in the mobile malware TOP 20, although it is starting to lose ground. It used to be an ever-present in the TOP 5 mobile threats, but for the second quarter in a row it has only made it into the bottom half of the ranking. Its functionality has remained practically unchanged; its main means of monetization is to subscribe users to paid services.
The geography of mobile threats
The geography of attempted mobile malware infections in Q2 2016 (percentage of all users attacked)
TOP 10 countries attacked by mobile malware (ranked by percentage of users attacked)

| | Country* | % of users attacked** |
|---|---|---|
| 1 | China | 36.31 |
| 2 | Bangladesh | 32.66 |
| 3 | Nepal | 30.61 |
| 4 | Uzbekistan | 22.43 |
| 5 | Algeria | 22.16 |
| 6 | Nigeria | 21.84 |
| 7 | India | 21.64 |
| 8 | Indonesia | 21.35 |
| 9 | Pakistan | 19.49 |
| 10 | Iran | 19.19 |
* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000.
** Percentage of unique users attacked in each country relative to all users of Kaspersky Lab’s mobile security product in the country.
China topped the ranking, with more than 36% of users there encountering a mobile threat at least once during the quarter. China also came first in this ranking in Q1 2016.
In all the countries of this ranking, except China, the most popular mobile malware was the same – advertising Trojans that appeared in the TOP 20 mobile malware, and AdWare. The most popular malicious program was Trojan.AndroidOS.Iop.c. In China, a significant proportion of attacks also involved advertising Trojans, but the majority of users there encountered the Backdoor.AndroidOS.GinMaster and Backdoor.AndroidOS.Fakengry families, while Trojan.AndroidOS.Iop.c only occupied sixteenth place.
Russia (10.4%) was 26th in this ranking, Germany (8.5%) 38th, Italy (6.2%) 49th, and France (5.9%) 52nd. The US (5.0%) came 59th and the UK (4.6%) 64th.
The safest countries were Austria (3.6%), Sweden (2.9%) and Japan (1.7%).
Mobile banking Trojans
As of this quarter, we will calculate the distribution of mobile malware by type based on the number of detected malicious installation packages rather than modifications, as was the case in earlier reports. Over the reporting period, we detected 27,403 mobile banking Trojans, which is 1.2 times less than in Q1.
Number of mobile banking Trojans detected by Kaspersky Lab solutions (Q3 2015 – Q2 2016)
The TOP 5 most popular mobile banking Trojans in Q2 consisted of representatives from just two families – Trojan-Banker.AndroidOS.Asacub and Trojan-Banker.AndroidOS.Svpeng.
Trojan-Banker.AndroidOS.Asacub.i was the most popular mobile banking Trojan of the quarter. It uses different methods to trick users and bypass system constraints. In Q1 we identified a modification of this mobile Trojan that overlaid the regular system window requesting device administrator privileges with its own window containing buttons. The Trojan thereby conceals the fact that it is gaining elevated privileges in the system from the user, and tricks the user into approving these privileges. In Q2, we detected a modification that requested the user’s permission to become the main SMS application.
Dialog window of Trojan-Banker.AndroidOS.Asacub.i asking for the user’s approval to become the main SMS application
This allows the Trojan to bypass the system constraints introduced in Android 4.4, and to hide incoming SMSs from the user (as a rule, it hides messages from banks and payment systems). In order to make users save this malicious program in the settings as the main SMS application, the Trojan authors had to, among other things, implement a messenger interface.
The Trojan-Banker.AndroidOS.Asacub.i interface used to create and send messages
Asacub is actively distributed via SMS spam.
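An added triage check (not from the Asacub sample) that inspects a decoded AndroidManifest.xml for the set of components Android 4.4 requires before an app can be chosen as the default SMS app, and for a device-administrator receiver; an app that declares both while posing as something other than a messenger is worth a manual look. The manifest is constructed and the package name is a placeholder.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"   # the android: XML namespace

# What Android 4.4 requires before an app can be chosen as the default SMS app:
# (component tag, android:permission it must declare, intent action it must handle)
DEFAULT_SMS_ROLE = {
    "sms_deliver_receiver": ("receiver", "android.permission.BROADCAST_SMS",
                             "android.provider.Telephony.SMS_DELIVER"),
    "wap_push_receiver": ("receiver", "android.permission.BROADCAST_WAP_PUSH",
                          "android.provider.Telephony.WAP_PUSH_DELIVER"),
    "respond_via_message_service": ("service", "android.permission.SEND_RESPOND_VIA_MESSAGE",
                                    "android.intent.action.RESPOND_VIA_MESSAGE"),
    "sendto_activity": ("activity", None, "android.intent.action.SENDTO"),
}
# A device-administrator receiver, the second thing the post says Asacub asks for.
DEVICE_ADMIN = ("receiver", "android.permission.BIND_DEVICE_ADMIN",
                "android.app.action.DEVICE_ADMIN_ENABLED")


def declared_components(root):
    """Yield (tag, android:permission, {intent actions}) for each component."""
    app = root.find("application")
    for comp in (app if app is not None else []):
        if comp.tag in ("receiver", "service", "activity"):
            actions = {act.get(A + "name")
                       for filt in comp.findall("intent-filter")
                       for act in filt.findall("action")}
            yield comp.tag, comp.get(A + "permission"), actions


def has_marker(components, marker):
    """True if some component matches the (tag, permission, action) marker."""
    tag, perm, action = marker
    return any(c_tag == tag and (perm is None or c_perm == perm) and action in c_actions
               for c_tag, c_perm, c_actions in components)


def triage_manifest(xml_text):
    """Summarise the SMS-related footprint of a decoded manifest."""
    root = ET.fromstring(xml_text.strip())
    comps = list(declared_components(root))
    markers = {name: has_marker(comps, m) for name, m in DEFAULT_SMS_ROLE.items()}
    uses = {u.get(A + "name") for u in root.findall("uses-permission")}
    return {
        "package": root.get("package"),
        "default_sms_role_complete": all(markers.values()),
        "missing_role_markers": sorted(n for n, ok in markers.items() if not ok),
        "device_admin_receiver": has_marker(comps, DEVICE_ADMIN),
        "sms_permissions": sorted(p for p in uses if p and "SMS" in p),
    }


# Constructed manifest (not from any real sample) declaring the full default-SMS
# role plus a device-admin receiver, the combination worth a manual look.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.messenger">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Messages">
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <receiver android:name=".MmsReceiver" android:permission="android.permission.BROADCAST_WAP_PUSH">
      <intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter>
    </receiver>
    <service android:name=".RespondService"
             android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE">
      <intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter>
    </service>
    <activity android:name=".ComposeActivity">
      <intent-filter><action android:name="android.intent.action.SENDTO"/></intent-filter>
    </activity>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Run against an apktool-decoded manifest, the check is a prioritisation hint only: a genuine messenger will also satisfy the role, so the finding calls for reading the dex, not for a verdict on its own.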
Russia and Germany lead in terms of the number of users attacked by mobile banking Trojans:
Geography of mobile banking threats in Q2 2016 (percentage of all users attacked)
The number of attacked users depends on the overall number of users within each individual country. To assess the risk of a mobile banker Trojan infection in each country, and to compare it across countries, we created a country ranking according to the percentage of users attacked by mobile banker Trojans.
TOP 10 countries attacked by mobile banker Trojans (ranked by percentage of users attacked)

| | Country* | % of users attacked** |
|---|---|---|
| 1 | Russia | 1.51 |
| 2 | Australia | 0.73 |
| 3 | Uzbekistan | 0.45 |
| 4 | Korea | 0.35 |
| 5 | China | 0.34 |
| 6 | Ukraine | 0.33 |
| 7 | Denmark | 0.28 |
| 8 | Germany | 0.24 |
| 9 | Turkey | 0.23 |
| 10 | Kyrgyzstan | 0.17 |
* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000.
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all users of Kaspersky Lab’s mobile security product in the country.
In Q2 2016, first place was occupied by Russia (1.51%) where the majority of affected users encountered the Trojan-Banker.AndroidOS.Asacub, Trojan-Banker.AndroidOS.Svpeng and Trojan-Banker.AndroidOS.Faketoken families of mobile banker Trojans.
China, last quarter’s leader, fell to fifth place this quarter.
In second place again was Australia where the Trojan-Banker.AndroidOS.Acecard family was replaced by the Trojan-Banker.AndroidOS.Marcher family as the most popular threat.
Banking Trojans were especially popular with attackers in Russia and Australia. The percentage of users attacked by this malware in the two countries relative to all attacked users accounted for 14%.
Mobile Trojan-Ransomware
As of this quarter, we will calculate the distribution of mobile malware by type based on the number of detected malicious installation packages rather than modifications, as was the case in earlier reports.
In Q2 2016, we detected 83,048 mobile Trojan-Ransomware installation packages, which is about the same number as the previous quarter and seven times more than in Q4 2015.
Number of mobile Trojan-Ransomware installation packages detected by Kaspersky Lab
(Q3 2015 – Q2 2016)
The sharp rise in the number of mobile Trojan-Ransomware installation packages in 2016 was caused by the active proliferation of the Trojan-Ransom.AndroidOS.Fusob family of Trojans. In the first quarter of 2016, this family accounted for 96% of users attacked by mobile ransomware. In Q2 its share was 85%.
Trojan-Ransom.AndroidOS.Fusob.h became the most popular mobile Trojan-Ransomware in the second quarter – it accounted for nearly 60% of users attacked by mobile ransomware. Once run, the Trojan requests administrator privileges, collects information about the device, including the GPS coordinates and call history, and downloads the data to a malicious server. After that, it may get a command to block the device. In the second quarter we registered a growth in the number of installation packages related to Trojan-Ransom.AndroidOS.Congur.b: their share grew from 0.8% to 8.8%. This Trojan, targeting Chinese-speaking users, changes the system password (PIN), or installs it if no password was installed earlier, thus making it impossible to use the device. The notification containing the ransom demand is displayed on the screen of the blocked device.
Germany, the US and Russia had the highest number of users attacked by Trojan-Ransomware this quarter:
Geography of mobile Trojan-Ransomware in Q2 2016 (percentage of all users attacked)
To assess the risk of a mobile Trojan-Ransomware infection in each country, and to compare it across countries, we created a country ranking according to the percentage of users attacked by mobile Trojan-Ransomware.
TOP 10 countries attacked by mobile Trojan-Ransomware (ranked by percentage of users attacked)

| | Country* | % of users attacked** |
|---|---|---|
| 1 | Canada | 2.01 |
| 2 | Germany | 1.89 |
| 3 | US | 1.66 |
| 4 | Switzerland | 1.63 |
| 5 | Mexico | 1.55 |
| 6 | UK | 1.51 |
| 7 | Denmark | 1.35 |
| 8 | Italy | 1.35 |
| 9 | Kazakhstan | 1.35 |
| 10 | Netherlands | 1.15 |
* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000.
** Percentage of unique users in each country attacked by mobile Trojan-Ransomware, relative to all users of Kaspersky Lab’s mobile security product in the country.
In all the countries of the TOP 10, except for Kazakhstan, the most popular Trojan-Ransom family was Fusob. In the US, the Trojan-Ransom.AndroidOS.Svpeng family was also popular. These Trojans demand a ransom of $100-500 from victims to unblock their devices.
In Kazakhstan and Uzbekistan, the main threat to users originated from representatives of the Small mobile Trojan-Ransom family. This is a fairly simple ransomware program that blocks operation of a device by overlaying all the windows on the device with its own window and demanding $10 to unblock it.
Vulnerable applications exploited by cybercriminals
In Q2 2016, exploits for Adobe Flash Player remained popular. During the reporting period two new vulnerabilities were discovered in this software:
- CVE-2016-4117
- CVE-2016-4171
An exploit for CVE-2016-4117 was added to the Magnitude and Neutrino exploit kits. The CVE-2016-4171 vulnerability was used by the ScarCruft group to carry out targeted attacks. We wrote a more detailed account of this group’s activities in a blog published in mid-June.
The main event this quarter was the demise of the long-term market leaders – the Angler and Nuclear exploit kits. Angler’s departure resulted in market players shifting to other kits to distribute malware. In particular, we registered a dramatic growth in the popularity of the Neutrino exploit kit.
This is how the overall picture for the use of exploits in the second quarter looks:
Distribution of exploits used in attacks by the type of application attacked, Q2 2016
The chart shows that despite the exit of the market leaders the breakdown of exploits was almost unchanged from the previous quarter: the proportion of exploits for Microsoft Office (14%) and Java (7%) fell by 1 p.p., while the share for Android grew 2 p.p. and reached 24%. This suggests that demand for exploit kits has been spread among the remaining players: RIG, Magnitude and Neutrino. The latter was the undisputed leader this quarter in terms of the number of attempts to download malware.
Online threats (Web-based attacks)
The statistics in this section were derived from web antivirus components that protect users from attempts to download malicious objects from a malicious/infected website. Malicious websites are created deliberately by malicious users; infected sites include those with user-contributed content (such as forums), as well as compromised legitimate resources.
In the second quarter of 2016, Kaspersky Lab’s web antivirus detected 16,119,489 unique malicious objects: scripts, exploits, executable files, etc. 54,539,948 unique URLs were recognized as malicious by web antivirus components.
Online threats in the banking sector
These statistics are based on the detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.
Number of users attacked by malware targeting finances
Due to the constant emergence of new representatives of banking Trojans and functional changes in existing banking Trojans, in the second quarter of 2016 we have significantly updated the list of verdicts classed as banking risks. This means the number of financial malware victims has changed significantly compared to the data published in previous quarters. As a comparison, we have recalculated the statistics for the previous quarter, taking into account all the malware from the updated list.
Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on 1,132,031 computers in Q2 2016. The quarter saw an increase in financial malware activity: the figure for Q2 is 15.6% higher than that for the previous quarter (979,607).
Number of users attacked by malware targeting finances, Q2 2016
Geography of attacks
To evaluate and compare the risk of being infected by banking Trojans worldwide, we calculate the percentage of Kaspersky Lab product users who encountered this type of threat during the reporting period in the country, relative to all users of our products in the country.
Geography of banking malware attacks in Q2 2016 (percentage of attacked users)
TOP 10 countries by percentage of attacked users

| | Country* | % of attacked users** |
|---|---|---|
| 1 | Turkey | 3.45 |
| 2 | Russia | 2.92 |
| 3 | Brazil | 2.63 |
| 4 | Pakistan | 2.60 |
| 5 | Venezuela | 1.66 |
| 6 | Tunisia | 1.62 |
| 7 | Japan | 1.61 |
| 8 | Singapore | 1.58 |
| 9 | Libya | 1.57 |
| 10 | Argentina | 1.48 |
These statistics are based on the detection verdicts returned by the antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
* We excluded those countries in which the number of Kaspersky Lab product users is relatively small (less than 10,000).
** Unique users whose computers have been targeted by banking Trojan attacks as a percentage of all unique users of Kaspersky Lab products in the country.
The highest percentage of Kaspersky Lab users attacked by banking Trojans was in Turkey. One of the reasons for the growth in financial threats there was a burst of activity by the Gozi banking Trojan whose developers have joined forces with the creators of the Nymaim Trojan.
In Russia, 2.92% of users encountered a banking Trojan at least once in Q2, placing it second in this ranking.
Brazil rounds off the top three. We expect a surge in financial threats in Latin America in the next quarter due to the Olympic Games in Brazil. This event is just too tempting for cybercriminals to ignore – they regularly use the theme of major sporting events in their attacks to lure potential victims.
The top five countries where users were least affected by banking Trojans were Canada (0.33%), the US (0.4%), the UK (0.4%), France (0.43%) and the Netherlands (0.5%).
The percentage of banking Trojan victims in Italy was 0.62%, in Spain it was 0.83%, while in Germany the figure was 1.03%.
The TOP 10 banking malware families
The table below shows the top 10 malware families most commonly used in Q2 2016 to attack online banking users (as a percentage of users attacked):

| | Name* | Percentage of users attacked** |
|---|---|---|
| 1 | Trojan-Spy.Win32.Zbot | 15.72 |
| 2 | Trojan-Banker.Win32.Gozi | 3.28 |
| 3 | Trojan.Win32.Qhost | 2.35 |
| 4 | Trojan-Banker.Win32.Shiotob | 2.27 |
| 5 | Trojan-Banker.Win32.BestaFera | 2.12 |
| 6 | Trojan.Win32.Nymaim | 1.98 |
| 7 | Trojan-Banker.Win32.ChePro | 1.90 |
| 8 | Trojan-Banker.Win32.Banbra | 1.77 |
| 9 | Trojan.Win32.Neurevt | 0.67 |
| 10 | Backdoor.Win32.Shiz | 0.66 |
* The detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by the malware in question as a percentage of all users attacked by financial malware.
Trojan-Spy.Win32.Zbot in first place is a permanent fixture in the leading positions of this ranking, and it is no coincidence: the source codes of this Trojan became publicly available back in 2012. This has resulted in the emergence of new banking Trojans that have adopted fragments of the Zbot code.
The second quarter of 2016 saw a surge in malicious activity by Trojan.Win32.Nymaim. As a result, this Trojan made it into the top 10 for the first time, going straight in at sixth place. Nymaim was initially designed to block access to valuable data and then demand a ransom (ransomware) to unblock it, but the latest version now also includes banking Trojan functionality for stealing financial information. This can be explained by the fact that the creators of Nymaim and Gozi (which also appears in the Q2 TOP 10 financial risks) have joined forces. Nymaim’s source code now includes fragments of Gozi code that provide attackers with remote access to infected computers.
A permanent resident in this ranking and one of the reasons financial threats are so prominent in Brazil is the Trojan-Banker.Win32.ChePro family. This banking malware lets cybercriminals take screenshots, register keystrokes, and read the contents of the clipboard, i.e., it possesses functionality capable of attacking almost any online banking system. Criminals are trying to implement new techniques to avoid detection for as long as possible. Some of the Trojans from this family use geolocation or ask for the time zone and the Windows version from the system in order to infect users in a particular region.
Yet another newcomer to the top 10 most active financial threats in Q2 was the Trojan.Win32.Neurevt family. Representatives of this family were first discovered in 2013 and are used by cybercriminals not only to steal user payment data in online banking systems but also to send out spam (some versions, for example, sent spam messages on Skype) and implement DDoS attacks (with the addition of functionality capable of performing the Slowloris HTTP flooding scenario).
Ransomware Trojans
The overall number of cryptor modifications in our virus collection to date is approximately 26,000. A total of 28 new cryptor families and 9,296 new modifications were detected in Q2.
The following graph shows the rise in the number of newly created cryptor modifications over the last two quarters.
Number of Trojan-Ransom cryptor modifications (Q1 2016 vs Q2 2016)
Some of the more high-profile or unusual Trojans detected in Q2 2016 are listed below:
This cryptor has been widely distributed via exploit kits since April 2016. Its earlier versions contained gaps in the file encryption algorithm which allowed Kaspersky Lab to release a utility to decrypt them. Unfortunately, the attackers have made adjustments to subsequent versions, making it impossible to decrypt the files affected by later CryptXXX modifications.
This malware combines cryptor functionality and a worm distribution method. Trojan ransomware does not usually include tools for self-propagation, and ZCryptor just happens to be an exception to this rule. Like a classic worm, while infecting, it creates copies of its body on removable media and generates the autorun.inf file to implement the automatic launch of its executable file once the media is connected to another system (if, of course, autorun is not disabled).
This cryptor puts the victim’s files in password-protected ZIP archives; and it creates passwords using the Diffie-Hellman algorithm on an elliptic curve. The design of the ransom note and the payment site is an exact copy of that used by the notorious Locky.
This is a combination of MBR blocker and file cryptor, probably inspired by similar functionality in the notorious Petya + Mischa Trojans. Satana, unlike Petya, does not encrypt the MFT; in fact, its MBR module is clearly unfinished, because the routine that checks the password entered by the victim does nothing more than loop endlessly. Below is a fragment of the code demonstrating this.
Number of users attacked by Trojan-Ransom cryptor malware (Q2 2016)
In Q2 2016, 311,590 unique users were attacked by cryptors, which is 16% less than the previous quarter. Approximately 21% of those attacked were in the corporate sector.
It is important to keep in mind that the real number of incidents is several times higher: the statistics reflect only the results of signature-based and heuristic detections, while in most cases Kaspersky Lab products detect encryption Trojans based on behavior recognition models and issue the Generic verdict, which does not distinguish the type of malicious software.
Top 10 countries attacked by cryptors

| | Country* | % of users attacked by cryptors** |
|---|---|---|
| 1 | Japan | 2.40 |
| 2 | Italy | 1.50 |
| 3 | Djibouti | 1.46 |
| 4 | Luxembourg | 1.36 |
| 5 | Bulgaria | 1.34 |
| 6 | Croatia | 1.25 |
| 7 | Maldives | 1.22 |
| 8 | Korea | 1.21 |
| 9 | Netherlands | 1.15 |
| 10 | Taiwan | 1.04 |
* We excluded those countries where the number of Kaspersky Lab product users is relatively small (less than 10,000).
** Unique users whose computers have been targeted by ransomware as a percentage of all unique users of Kaspersky Lab products in the country.
In Q2, half of the top 10 were European countries – one less than the previous quarter.
Japan, which came ninth in Q1, topped the ranking of countries attacked by cryptors with 2.40%: the most widespread cryptor families in the country were Teslacrypt, Locky and Cryakl.
Newcomers to this ranking were Djibouti (1.46%), Korea (1.21%) and Taiwan (1.04%).

Top 10 most widespread cryptor families

      Name              Verdict*                                                                                                      Percentage of users**
  1   CTB-Locker        Trojan-Ransom.Win32.Onion/Trojan-Ransom.NSIS.Onion                                                            14.59
  2   Teslacrypt        Trojan-Ransom.Win32.Bitman                                                                                     8.36
  3   Locky             Trojan-Ransom.Win32.Locky                                                                                      3.34
  4   Shade             Trojan-Ransom.Win32.Shade                                                                                      2.14
  5   Cryrar/ACCDFISA   Trojan-Ransom.Win32.Cryrar                                                                                     2.02
  6   Cryptowall        Trojan-Ransom.Win32.Cryptodef                                                                                  1.98
  7   Cryakl            Trojan-Ransom.Win32.Cryakl                                                                                     1.93
  8   Cerber            Trojan-Ransom.Win32.Zerber                                                                                     1.53
  9   Scatter           Trojan-Ransom.BAT.Scatter/Trojan-Downloader.JS.Scatter/Trojan-Dropper.JS.Scatter/Trojan-Ransom.Win32.Scatter   1.39
 10   Rakhni            Trojan-Ransom.Win32.Rakhni/Trojan-Downloader.Win32.Rakhni                                                      1.13
* These statistics are based on detection verdicts received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by a specific Trojan-Ransom family as a percentage of all users of Kaspersky Lab products attacked by Trojan-Ransom malware.
First place in Q2 was occupied by the CTB-Locker (Trojan-Ransom.Win32/NSIS.Onion) family. In second place was the TeslaCrypt family represented by one verdict: Trojan-Ransom.Win32.Bitman. The Trojan-Ransom.JS.Cryptoload verdict, which in the past downloaded malware and was associated with TeslaCrypt, is no longer characteristic of this family only. TeslaCrypt was earlier a major contributor to the statistics, but fortunately ceased to exist in May 2016 – the owners disabled their servers and posted a master key to decrypt files.
Cerber and Cryrar are the only changes to this ranking compared to the previous quarter.
The Cerber cryptor spreads via spam and exploit kits. The cryptor’s site on the Tor network is translated into lots of languages. Cerber’s special features include the following:
- It explores the infected system meticulously: checks for the presence of an antivirus, if it is running under a virtual machine (Parallels, VmWare, QEMU, VirtualBox) or Wine, checks for utilities from various researchers and analysts (it does this by searching for certain processes and files on the disk drive), it even has a blacklist of system drive serial numbers.
- It checks the keyboard layout and the IP address of the infected system. If it detects that the machine is located in a CIS country, it stops infecting it.
- It attempts to bypass antivirus protection by terminating their processes, interrupting services, deleting files.
- In addition to notifying users about encryption in the form of TXT and HTML files, as is the case with other families, it also runs the VBS script which reproduces the following voice message: “Attention! Attention! Attention! Your documents, photos, databases and other important files have been encrypted!”
The Cryrar cryptor, also known as the Anti Cyber Crime Department of Federal Internet Security Agency (ACCDFISA), Anti-Child Porn Spam Protection, etc., first appeared back in 2012. It has the distinctive feature of placing the victim’s files in password-protected self-extracting RAR archives. According to KSN statistics, it shows no signs of conceding its position to newer rivals.

Top 10 countries where online resources are seeded with malware
The following statistics are based on the physical location of the online resources that were used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks.
In order to determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.
In Q2 2016, Kaspersky Lab solutions blocked 171,895,830 attacks launched from web resources located in 191 countries around the world. 54,539,948 unique URLs were recognized as malicious by web antivirus components.
81% of notifications about blocked web attacks were triggered by attacks coming from web resources located in 10 countries.
Distribution of web attack sources by country, Q2 2016
The US (35.44%) returned to the top of this ranking in the second quarter. Russia (10.28%) moved up one place to second. The previous quarter’s leader, the Netherlands, dropped to fourth place after its share fell by 17.7 percentage points. Germany completed the Top 3 with a share of 8.9%. Bulgaria left the Top 10, while Canada was a newcomer in ninth place with 0.96%.

Countries where users faced the greatest risk of online infection
In order to assess the risk of online infection faced by users in different countries, we calculated the percentage of Kaspersky Lab users in each country who encountered detection verdicts on their machines during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers work in different countries.

      Country*        % of unique users attacked**
  1   Azerbaijan      32.10
  2   Russia          30.80
  3   China           29.35
  4   Slovenia        27.54
  5   Ukraine         27.46
  6   Kazakhstan      27.03
  7   Vietnam         26.02
  8   Algeria         25.63
  9   Armenia         25.09
 10   Belarus         24.60
 11   Brazil          24.05
 12   France          22.45
 13   Moldova         22.34
 14   Kyrgyzstan      22.13
 15   Bulgaria        22.06
 16   Italy           21.68
 17   Chile           21.56
 18   Qatar           20.10
 19   India           20.00
 20   Portugal        19.84
These statistics are based on the detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
* These calculations excluded countries where the number of Kaspersky Lab users is relatively small (fewer than 10,000 users).
** Unique users whose computers have been targeted by web attacks as a percentage of all unique users of Kaspersky Lab products in the country.
In Q2, Azerbaijan moved up from fourth to first place and became the new leader of this ranking with 32.1%. Russia (30.8%) dropped from first to second, while Kazakhstan (27.03%) fell from second to sixth place.
Since the previous quarter, Spain, Lithuania, Croatia and Turkey have all left the TOP 20. The newcomers to this ranking were Bulgaria (22.06%), Chile (21.56%), Qatar (20.10%) and Portugal (19.84%).
The countries with the safest online surfing environments included Canada (15%), Romania (14.6%), Belgium (13.7%), Mexico (13.2%), the US (12.8%), Switzerland (12.4%), New Zealand (12.1%), Czech Republic (12%), Argentina (9.9%), Japan (9.5%), the Netherlands (8.3%), Sweden (8.2%) and Germany (8%).
On average, 19.4% of computers connected to the Internet globally were subjected to at least one web attack during the three months. This is a fall of 1.8 p.p. compared to Q1 2016.

Local threats
Local infection statistics for user computers are a very important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.).
Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.
In Q2 2016, Kaspersky Lab’s file antivirus detected 249,619,379 unique malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection
For each of the countries, we calculated the percentage of Kaspersky Lab product users on whose computers the file antivirus was triggered during the quarter. These statistics reflect the level of personal computer infection in different countries.
Top 20 countries with the highest levels of computer infection

      Country*        % of unique users**
  1   Somalia         65.80
  2   Vietnam         63.33
  3   Tajikistan      62.00
  4   Russia          61.56
  5   Kyrgyzstan      60.80
  6   Bangladesh      60.19
  7   Afghanistan     60.00
  8   Armenia         59.74
  9   Ukraine         59.67
 10   Nepal           59.66
 11   Ethiopia        59.63
 12   Laos            58.43
 13   Kazakhstan      57.72
 14   Rwanda          57.33
 15   Djibouti        56.07
 16   Yemen           55.98
 17   Venezuela       55.76
 18   Algeria         55.58
 19   Cambodia        55.56
 20   Iraq            55.55
These statistics are based on the detection verdicts returned by on-access and on-demand antivirus modules, received from users of Kaspersky Lab products who have consented to provide their statistical data. The data include detections of malicious programs located on users’ computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives.
* These calculations exclude countries where the number of Kaspersky Lab users is relatively small (fewer than 10,000 users).
** The percentage of unique users in the country with computers that blocked local threats as a percentage of all unique users of Kaspersky Lab products.
Somalia remained the leader of this ranking in Q2 2016 with 65.8%. Yemen (55.98%) fell from second to sixteenth place, while Vietnam (63.33%) jumped from eighth to second. Tajikistan (62%) rounded off the TOP 3. Russia moved up one place from fifth to fourth, although the figure for that country declined by 2.62 percentage points to 61.56%.
Newcomers to this ranking are Djibouti in fifteenth place (56.07%), Venezuela in seventeenth (55.76%), and Cambodia in nineteenth (55.56%).
The safest countries in terms of local infection risks were Croatia (29%), Singapore (28.4%), Germany (28.1%), Norway (27.6%), the US (27.1%), Switzerland (26.3%), Japan (22.1%), Denmark (21.4%) and Sweden (21.3%).
An average of 43.3% of computers globally faced at least one local threat during Q2 2016, which is 1.2 p.p. less than in the previous quarter.
Earlier in the year, as part of an incident response investigation, we uncovered a new version of the Skimer ATM malware. The malware, which first surfaced in 2009, has been re-designed. So too have the tactics of the cybercriminals using it. The new ATM infector has been targeting ATMs around the world, including the UAE, France, the United States, Russia, Macau, China, the Philippines, Spain, Germany, Georgia, Poland, Brazil and the Czech Republic.
Rather than the well-established method of fitting a fake card-reader to the ATM, the attackers take control over the whole ATM. They start by installing the Skimer malware on the ATM – either through physical access or by compromising the bank’s internal network. The malware infects the ATM’s core – the part of the device responsible for interaction with the wider bank infrastructure, card processing and dispensing of cash. In contrast to a traditional card skimmer, there are no physical signs that the ATM is infected, leaving the attackers free to capture data from cards used at the ATM (including a customer’s bank account number and PIN) or steal cash directly.
The cybercriminal ‘wakes up’ the infected ATM by inserting a card that contains specific records on the magnetic stripe. After reading the card, Skimer is able to execute a hard-coded command, or receive commands through a special menu activated by the card. The Skimer user interface appears on the display only after the card is ejected and only if the cybercriminal enters the correct session key within 60 seconds. The menu offers 21 different options, including dispensing money, collecting details of cards that have been inserted in the ATM, self-deletion and performing updates. The cybercriminal can save card details on the chip of their card, or print the details it has collected.
The attackers are careful to avoid attracting attention. Rather than take money directly from the ATM – which would be noticed immediately – they wait (sometimes for several months) before taking action. In most cases, they collect data from skimmed cards in order to create cloned cards later. They use the cloned cards in other, non-infected ATMs, casually withdrawing money from the accounts of the victims in a way that can’t be linked back to the compromised ATM.
Kaspersky Lab has several recommendations to help banks protect themselves. They should carry out regular anti-virus scans; employ whitelisting technologies; apply a good device management policy; make use of full disk encryption; password protect the BIOS of ATMs; enforce hard disk booting and isolate the ATM network from the rest of the bank infrastructure. The magnetic strip of the card used by the cybercriminals to activate the malware contains nine hard-coded numbers. Banks may be able to proactively look for these numbers within their processing systems: so we have shared this information, along with other Indicators of Compromise (IoCs).
In April, one of our experts provided an in-depth examination of ATM jackpotting and offered some insights into what should be done to secure these devices.

New attacks, old exploit
In recent months we have been tracking a wave of cyber-espionage attacks conducted by different APT groups across the Asia-Pacific and Far East regions. They all share one common feature: they exploit the CVE-2015-2545 vulnerability. This flaw enables an attacker to execute arbitrary code using a specially crafted EPS image file. It uses PostScript and can evade the Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) protection methods built into Windows. The Platinum, APT16, EvilPost and SPIVY groups were already known to use this exploit. More recently, it has also been used by the Danti group.
Danti, first identified in February 2016 and still active, is highly focused on diplomatic bodies. The group predominantly targets Indian government organizations, but data from the Kaspersky Security Network (KSN) indicates that it has also infected targets in Kazakhstan, Kyrgyzstan, Uzbekistan, Myanmar, Nepal and the Philippines.
The exploit is delivered using spear-phishing e-mails spoofed to look as though they have been sent by high-ranking Indian government officials. When the victim clicks on the attached DOCX file, the Danti backdoor is installed, allowing the attackers to capture sensitive data.
The origin of the Danti group is unclear, but we suspect that it might be connected to the NetTraveler and DragonOK groups: it’s thought that Chinese-speaking hackers are behind these attacks.
Kaspersky Lab has also seen another campaign that makes use of the CVE-2015-2545 vulnerability: we’ve called this SVCMONDR after the Trojan that is downloaded once the attackers get a foothold in the victim’s computer. This Trojan is different to the one used by the Danti group, but it shares some common features with Danti and with APT16 – the latter is a cyber-espionage group believed to be of Chinese origin.
One of the most striking aspects of these attacks is that they are successfully making use of a vulnerability that was patched by Microsoft in September 2015. In November, we predicted that APT campaigns would invest less effort in developing sophisticated tools and make greater use of off-the-shelf malware to achieve their goals. This is a case in point: using a known vulnerability, rather than developing a zero-day exploit. This underlines the need for companies to pay more attention to patch management to secure their IT infrastructure.

New attack, new exploit
Of course, there will always be APT groups that seek to take advantage of zero-day exploits. In June, we reported on a cyber-espionage campaign – code-named ‘Operation Daybreak’ and launched by a group named ScarCruft – that uses a previously unknown Adobe Flash Player exploit (CVE-2016-1010). This group is relatively new and has so far managed to stay under the radar. We think the group might have previously deployed another zero-day exploit (CVE-2016-0147) that was patched in April.
The group have targeted a range of organizations in Russia, Nepal, South Korea, China, India, Kuwait and Romania. These include an Asian law enforcement agency, one of the world’s largest trading companies, a mobile advertising and app monetization company in the United States, individuals linked to the International Association of Athletics Federations and a restaurant located in one of Dubai’s top shopping centres. The attacks started in March 2016: since some of them are very recent, we believe that the group is still active.
The exact method used to infect victims is unclear, but we think that the attackers use spear-phishing e-mails that point to a hacked website hosting the exploit. The site performs a couple of browser checks before redirecting victims to a server controlled by the hackers in Poland. The exploitation process consists of three Flash objects. The one that triggers the vulnerability in Adobe Flash Player is located in the second SWF file delivered to the victim. At the end of the exploitation chain, the server sends a legitimate PDF file, called ‘china.pdf’, to the victim: this seems to be written in Korean.
The attackers use a number of interesting methods to evade detection, including exploiting a bug in the Windows Dynamic Data Exchange (DDE) component in order to bypass security solutions – a method not seen before. This flaw has been reported to Microsoft.
Flash Player exploits are becoming rare, because in most cases they need to be coupled with a sandbox bypass exploit – this makes them tricky to do. Moreover, although Adobe is planning to drop Flash support soon, it continues to implement new mitigations to make exploitation of Flash Player increasingly difficult. Nevertheless, resourceful groups such as ScarCruft will continue to try and find zero-day exploits to target high-profile victims.
While there’s no such thing as 100 per cent security, the key is to increase security defences to the point that it becomes so expensive for an attacker to breach them that they give up or choose an alternative target. The best defence against targeted attacks is a multi-layered approach that combines traditional anti-virus technologies with patch management, host-based intrusion prevention and a default-deny whitelisting strategy. According to a study by the Australian Signals Directorate, 85 per cent of targeted attacks analysed could have been stopped by employing four simple mitigation strategies: application whitelisting, updating applications, updating operating systems and restricting administrative privileges.
Kaspersky Lab products detect the Flash exploit as ‘HEUR:Exploit.SWF.Agent.gen’. The attack is also blocked proactively by our Automatic Exploit Prevention (AEP) component. The payloads are detected as ‘HEUR:Trojan.Win32.ScarCruft.gen’.

XDedic: APT-as-a-Service
Kaspersky Lab recently investigated an active cybercriminal trading platform called xDedic, an online black market for hacked server credentials around the world – all available through the Remote Desktop Protocol (RDP). We initially thought that this market extended to 70,000 servers, but new data suggests that the XDedic market is much wider – including credentials for 176,000 servers. XDedic includes a search engine, enabling potential buyers to find almost anything – from government and corporate networks – for as little as $8 per server. This low price provides ‘customers’ with access to data on such servers and their use as a bridgehead for further targeted attacks.
The owners of the ‘xdedic[.]biz’ domain claim that they have no relation to those selling access to hacked servers – they are simply selling a secure trading platform for others. The XDedic forum has a separate sub-domain, ‘partner[.]xdedic[.]biz’, for the site’s ‘partners’ – that is, those selling hacked servers. The XDedic owners have developed a tool that automatically collects information about the system, including websites available, software installed and more. They also provide other tools to their partners, including a patch for RDP servers to support multiple logins for the same user and proxy installers.
The existence of underground markets is not new. But we are seeing a greater level of specialisation. And while the model adopted by the XDedic owners isn’t something that can be replicated easily, we think it’s likely that other specialized markets will appear in the future.
Data from KSN helped us identify several files that were downloaded from the XDedic partner portal: Kaspersky Lab products detect these files as malicious. We have also blacklisted the URLs of control servers used for gathering information about the infected systems. Our detailed report on XDedic contains more information on hosts and network-based IoCs.

Lurking around the Russian Internet
Sometimes our researchers find malware that is particular about where it infects. On the closed message boards used by Russian cybercriminals, for example, you sometimes see the advice ‘Don’t work with RU’ – offered by experienced criminals to the younger generation: i.e. don’t infect Russian computers, don’t steal money from Russians and don’t use them to launder money. There are two good reasons for this. First, online banking is not as common as it is in the west. Second, victims outside Russia are unlikely to lodge a complaint with the Russian police – assuming, of course, that they even know that Russian cybercriminals are behind the malware that has infected them.
But there are exceptions to every rule. One of these is the Lurk banking Trojan that has been used to steal money from victims in Russia for several years. The cybercriminals behind Lurk are interested in telecommunications companies, mass media and news aggregators and financial institutions. The first provide them with the means to transfer traffic to the attackers’ servers. The news sites provide them with a way to infect a large number of victims in their ‘target audience’ – i.e. the financial sector. The Trojan’s targets appear to include Russia’s four largest banks.
The primary method used to spread the Lurk Trojan is drive-by download, using the Angler exploit pack: the attackers place a link on compromised websites that leads to a landing page containing the exploit. Exploits (including zero-days) are typically implemented in Angler before being used in other exploit packs, making it particularly dangerous. The attackers also distribute code through legitimate websites, where infected files are served to visitors from the .RU zone, but others receive clean files. The attackers use one infected computer in a corporate network as a bridgehead to spread across the organization. They use the legitimate PsExec utility to distribute the malware to other computers; and then use a mini-dropper to execute the Trojan’s main module on the additional computers.
There are a number of interesting features of the Lurk Trojan. One distinct feature, that we discussed soon after it first appeared, is that it is ‘file-less’ malware, i.e. it exists only in RAM and doesn’t write its code to the hard drive.
The Trojan is also set apart because it is highly targeted. The authors do their best to ensure that they infect victims that are of interest to them without catching the attention of analysts or researchers. The incidents known to us suggest Lurk is successful at what it was designed for: we regularly receive reports of thefts from online banking systems; and forensic investigations after the incidents reveal traces of Lurk on the affected computers.

Malware stories

Cybercriminals get ready for Rio
Fraudsters are always on the lookout for opportunities to make money off the back of major sporting events, so it’s no surprise that we’ve seen an increase in cybercriminal activity related to the forthcoming Olympic Games in Brazil.
We’ve seen an increase in spam e-mails. The spammers try to cash in on people’s desire to watch the games live, sending out messages informing the recipient that they have won a (fake) lottery (supposedly organized by the International Olympic Committee and the Brazilian government): all they need to do to claim their tickets is to reply to the e-mail and provide some personal details.
Some messages point to fake websites, like this one offering direct sale of tickets without the need to make an application to the official lottery:
These fake ticketing sites are very convincing. Some fraudsters go the extra mile by obtaining legitimate SSL certificates to provide a secure connection between the victim’s browser and the site – displaying ‘https’ in the browser address bar to lure victims into a false sense of security. The scammers inform their victims that they will receive their tickets two or three weeks before the event, so the victim doesn’t become suspicious until it’s too late and their card details have been used by the cybercriminals. Kaspersky Lab is constantly detecting and blocking new malicious domains, many of which include ‘rio’ or ‘rio2016’ in the title.
It’s too late to buy tickets through official channels, so the best way to see the games is to watch on TV or online. We advise everyone to beware of malicious streaming websites – probably the last-ditch attempt by cybercriminals to scam people out of their money.
Cybercriminals also take advantage of our desire to stay connected wherever we go – to share our pictures, to update our social network accounts, to find out the latest news or to locate the best places to eat, shop or stay. Unfortunately, mobile roaming charges can be very high, so often people look for the nearest Wi-Fi access point. This is dangerous, because data sent and received over an open Wi-Fi network can be intercepted. So passwords, PINs and other sensitive data can be stolen easily. On top of this, cybercriminals also install fake access points, configured to direct all traffic through a host that can be used to control it – even functioning as a ‘man-in-the-middle’ device that is able to intercept and read encrypted traffic.
To gauge the extent of the problem, we drove by three major Rio 2016 locations and passively monitored the available Wi-Fi networks that visitors are most likely to try and use during their stay – the Brazilian Olympic Committee building, the Olympic Park and the Maracana, Maracanazinho and Engenhao stadiums. We were able to find around 4,500 unique access points. Most are suitable for multimedia streaming. But around a quarter of them are configured with weak encryption protocols: this means that attackers can use them to sniff the data of unsuspecting visitors that connect to them.
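The kind of count reported above (the share of access points using weak protocols) can be reproduced from a passive scan; this added example, which is not the researchers' tooling, parses the terse output of `nmcli -t -f SSID,SECURITY dev wifi` and classifies each network. The scan lines are constructed, and the rule that open, WEP and WPA1-only networks count as weak is an assumption stated in the code.

```python
"""Classify Wi-Fi scan results by encryption strength and count the weak ones."""
from __future__ import annotations

from collections import Counter

# Constructed sample of `nmcli -t -f SSID,SECURITY dev wifi` output (SSID:SECURITY).
# An empty SECURITY field is an open network; some nmcli versions print "--" instead.
SAMPLE_SCAN = """\
Stadium-Free:
Hotel_Guest:--
CafeOlympico:WPA2
LegacyRouter:WEP
OldCafe:WPA1
MixedMode:WPA1 WPA2
Enterprise:WPA2 802.1X
Home\\:Net:WPA3
"""

# Assumption: these classes are what "weak encryption protocols" means here.
WEAK_CLASSES = ("open", "WEP", "WPA1-only")


def classify(security: str) -> str:
    """Map a SECURITY field to a coarse strength class.

    A network that also offers WPA2 or WPA3 is treated as acceptable, since a
    client can negotiate the stronger suite; WPA1 alone (TKIP) is treated as weak.
    """
    tokens = security.replace("--", "").split()
    if not tokens:
        return "open"
    if "WPA3" in tokens or "WPA2" in tokens:
        return "WPA2/WPA3"
    if "WPA1" in tokens:
        return "WPA1-only"
    if "WEP" in tokens:
        return "WEP"
    return "unknown"


def parse_scan(text: str) -> list[tuple[str, str]]:
    """Parse nmcli terse lines into (ssid, security).

    nmcli escapes a colon inside a field as '\\:'; the SECURITY field never
    contains colons, so splitting on the last colon isolates it safely.
    """
    results: list[tuple[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ssid, _, security = line.rpartition(":")
        results.append((ssid.replace("\\:", ":"), security.strip()))
    return results


def summarize(text: str) -> dict:
    """Count networks per class and compute the share that is weak."""
    counts = Counter(classify(sec) for _, sec in parse_scan(text))
    total = sum(counts.values())
    weak = sum(counts[c] for c in WEAK_CLASSES)
    return {
        "total": total,
        "weak": weak,
        "weak_share": weak / total if total else 0.0,
        "by_class": dict(counts),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_SCAN)
    print(f"{summary['weak']}/{summary['total']} access points use weak protocols")
    for ssid, sec in parse_scan(SAMPLE_SCAN):
        print(f"{ssid:15s} {sec or '(open)':15s} -> {classify(sec)}")
```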
To reduce your exposure, we would recommend any traveller (not just those who plan to visit Rio!) to use a VPN connection, so that data from your device travels to the Internet through an encrypted data channel. Be careful though. Some VPNs are vulnerable to DNS leak attacks – meaning that, although your immediate sensitive data is sent via the VPN, your DNS requests are sent in plain text to the DNS servers set by the access point hardware. This would allow an attacker to see what you’re browsing and, if they have access to the compromised Wi-Fi network, define malicious DNS servers – i.e. letting them redirect you from a legitimate site (your bank, for example) to a malicious site. If your VPN provider doesn’t support its own DNS servers, consider an alternative provider or a DNSCrypt service.
There’s one other thing that we need if we want to stay connected – electricity: we need to keep our mobile devices charged. Today you can find charging-points in shopping centres, airports and even taxis. Typically they provide connectors for leading phone models, as well as a USB connector that a visitor can use with their own cable. Some also provide a traditional power supply that can be used with a phone charger.
But remember that you don’t know what’s connected to the other end of the USB connector. If an attacker compromises the charging-point, they can execute commands that allow them to obtain information about your device, including the model, IMEI number, phone number and more: information they can use to run a device-specific attack that would then enable them to infect the device. You can find more information about the data that’s transmitted when you connect a device using USB and how an attacker could use it to compromise a mobile device.
This doesn’t mean that you shouldn’t charge your device when you’re away from home. But you should take steps to protect yourself. It’s always best to use your own charger, rather than using charging cables at a public charging-point or buying one from an unknown source. You should also use a power outlet, instead of a USB socket.
Cybercriminals also continue to exploit established ways to make money. This includes using ATM skimmers to steal credit card data. The most basic skimmers install a card reader and a camera to record the victim’s PIN. The best way to protect yourself from this is to cover the keypad as you enter your PIN. However, sometimes cybercriminals replace the whole ATM, including the keypad and screen, in which case the typed password is stored on the fake ATM system. So it’s also important to check the ATM before you insert your card. Check to see if the green light on the card reader is on: typically, they replace the card reader with a version where there is no light, or it’s switched off. Also check the machine to see if there is anything suspicious, such as missing or broken parts.
Card cloning is another problem facing visitors to Rio 2016. While chip-and-PIN makes life harder for cybercriminals, it’s possible for them to exploit flaws in the EMV transaction implementation. It’s difficult to protect yourself against this type of attack, because usually the point-of-sale is modified in order to save the data – to be collected later by the cybercriminals. Sometimes they don’t need physical access to extract the stolen data, as they collect it via Bluetooth. However, there are some steps you can take to reduce your exposure to this type of attack. Sign up for SMS notifications of card transactions from your bank, if they provide this service. Never give your card to the retailer: if they can’t bring the machine to you, go to the machine. If the device looks suspicious, use a different payment method. Before typing your PIN, make sure you’re on the card payment screen and ensure that your PIN isn’t going to be displayed on the screen.

Ransomware: backup or pay up?
Towards the end of last year, we predicted that ransomware would gain ground on banking Trojans – for the attackers, ransomware is easily monetized and involves a low cost per victim. So it’s no surprise that ransomware attacks are increasing. Kaspersky Lab products blocked 2,315,931 ransomware attacks between April 2015 and April 2016 – that’s an increase of 17.7 per cent on the previous year. The number of cryptors (as distinct from blockers) increased from 131,111 in 2014-15 to 718,536 in 2015-16. Last year, 31.6 per cent of all ransomware attacks were cryptors. You can find further information, including an overview of the development of ransomware, in our KSN Report: PC ransomware in 2014-16.
Most ransomware attacks are directed at consumers – 6.8 per cent of attacks in 2014-15 and 13.13 percent in 2015-16 targeted the corporate sector.
However, the figures are different for cryptors: throughout the 24 months covered by the report, around 20 per cent of cryptor attacks targeted the corporate sector.
Hardly a month goes by without reports of ransomware attacks in the media – including recent reports of a hospital and online casino falling victim to ransomware attacks. Yet while public awareness of the problem is growing, it’s clear that consumers and organizations alike are not doing enough to combat the threat; and cybercriminals are capitalizing on this – this is clearly reflected in the number of attacks we’re seeing.
It’s important to reduce your exposure to ransomware (and we’ve outlined important steps you can take here and here). However, there’s no such thing as 100 per cent security, so it’s also important to mitigate the risk. In particular, it’s vital to ensure that you have a backup, to avoid facing a situation where the only choices are to pay the cybercriminals or lose your data. It’s never advisable to pay the ransom. Not only does this validate the cybercriminals’ business model, but there’s no guarantee that they will decrypt your data once you’ve paid them – as one organization discovered recently to its cost. If you do find yourself in a situation where your files are encrypted and you don’t have a backup, ask if your anti-malware vendor is able to help. Kaspersky Lab, for example, is able to help recover data encrypted by some ransomware.
Mobile malware
Displaying adverts remains one of the main methods of monetization for detected mobile objects. Trojan.AndroidOS.Iop.c became the most popular mobile Trojan in Q2 2016, accounting for more than 10% of all detected mobile malware encountered by our users during the reporting period. It displays adverts and installs, usually secretly, various programs using superuser privileges. Such activity quickly renders the infected device virtually unusable due to the amount of adverts and new applications on it. Because this Trojan can gain superuser privileges, it is very difficult to delete the programs that it installs.
In our report IT threat evolution in Q1 2016 we wrote about the Trojan-Banker.AndroidOS.Asacub family of banking malware. Representatives of this family have an unusual technique for bypassing the security mechanisms used by operating systems – they overlay the regular system window requesting device administrator privileges with their own window containing buttons. The Trojan thereby conceals the fact that it is gaining elevated privileges in the system, and tricks the user into approving these privileges. In Q2 2016, Asacub introduced yet another method for deceiving users: the Trojan acquired SMS messenger functionality and started offering its services in place of the device’s standard SMS app.
Dialog window of Trojan-Banker.AndroidOS.Asacub.i asking for the rights to be the main SMS application
This allows the Trojan to bypass system constraints first introduced in Android 4.4 as well as delete or hide incoming SMSs from the user.
Back in October 2015, we wrote about representatives of the Trojan-PSW.AndroidOS.MyVk family that steal passwords from user accounts on the VK.com social network. This quarter, those responsible for distributing Trojans from this family introduced a new approach for bypassing Google Play security mechanisms that involved first publishing an app containing useful functionality with no malicious code. Then, at least once, they updated it with a new version of the application – still without any malicious code. It was more than a month after the initial publication that the attackers eventually added malicious code to an update. As a result, thousands of users downloaded Trojan-PSW.AndroidOS.MyVk.i.
Data breaches
Personal information is a valuable commodity, so it’s no surprise that cybercriminals target online providers, looking for ways to bulk-steal data in a single attack. We’ve become accustomed to the steady stream of security breaches reported in the media. This quarter has been no exception, with reported attacks on beautifulpeople.com, the nulled.io hacker forum (underlining the fact that it’s not just legitimate systems that are targeted), kiddicare, Tumblr and others.
Some of these attacks resulted in the theft of huge amounts of data, highlighting the fact that many companies are failing to take adequate steps to defend themselves. It’s not simply a matter of defending the corporate perimeter. There’s no such thing as 100 per cent security, so it’s not possible to guarantee that systems can’t be breached. But any organization that holds personal data has a duty of care to secure it effectively. This includes hashing and salting customer passwords and encrypting other sensitive data.
Consumers can limit the damage of a security breach at an online provider by ensuring that they choose passwords that are unique and complex: an ideal password is at least 15 characters long and consists of a mixture of letters, numbers and symbols from the entire keyboard. As an alternative, people can use a password manager application to handle all this for them automatically. Unfortunately, all too often people use easy-to-guess passwords and re-use the same password for multiple online accounts – so that if the password for one is compromised, all the victim’s online IDs are vulnerable. This issue was highlighted publicly in May 2016 when a hacker known as ‘Peace’ attempted to sell 117 million LinkedIn e-mails and passwords that had been stolen some years earlier. More than one million of the stolen passwords were ‘123456’!
Many online providers offer two-factor authentication – i.e. requiring customers to enter a code generated by a hardware token, or one sent to a mobile device, in order to access a site, or at least in order to make changes to account settings. Two-factor authentication certainly enhances security – if people choose to take advantage of it.
Several companies are hoping to replace passwords altogether. Apple allows fingerprint authorization for iTunes purchases and payments using Apple Pay. Samsung has said it will introduce fingerprint, voice and iris recognition for Samsung Pay. Amazon has announced ‘selfie-pay’. MasterCard and HSBC have announced the introduction of facial and voice recognition to authorize transactions. The chief benefit, of course, is that it replaces something that customers have to remember (a password) with something they have – with no opportunity to short-circuit the process (as they do when they choose a weak password).
Biometrics are seen by many as the way forward. However, they are not a security panacea. Biometrics can be spoofed, as we’ve discussed before (here, here and here); and biometric data can be stolen. In the end, multi-factor authentication is essential – combining something you know, something you have and something you are.
Malefactors continue to expand the features of ransomware as they try to extract maximum benefit from the compromise of infected computers. We recently found an interesting example of such an “upgrade”: new logic in the latest version of the Shade encryptor, currently being spread widely within Russia and the CIS. Under this logic, the ransomware checks the computer for any involvement in accounting activities and, if the check is successful, installs remote control tools into the compromised system instead of encrypting the victim’s files.
Accountant, my sweet accountant
For the initial check, the updated Trojan (verdict Trojan-Ransom.Win32.Shade.yb) searches the list of installed applications and looks for strings associated with bank software. After that the ransomware looks for “BUH”, “BUGAL”, “БУХ”, “БУГАЛ” (accounting) in the names of the computer and its user. If a match is found, the Trojan skips the standard file search and encryption procedure and instead downloads and executes a file from the URL stored in the Trojan’s configuration, and then exits.
Technically the new features look like this: there is a block of base64-encoded data in the body of the ransomware (which was not present in earlier versions of Shade):
We can see the following configuration block when decoding is completed:
Shade initiates the check of an infected system in accordance with this configuration block directly after it starts.
The executable that the Shade.yb Trojan downloads to the user’s computer turned out to be a bot known as Teamspy. This bot uses the legitimate TeamViewer 6 remote control utility for communication with its command-and-control (C&C) server and modifies it on the fly so that it runs discreetly. Plugins (in our case installvpn.pg, rdw.pg, scankey.pg) propagate along with the bot; they are stored in encrypted form and are decrypted by the ransomware in RAM only. A decrypted plugin is basically a DLL with an export named InitPg, which is called by the main module of the bot. Two of the plugins, when executed, provide malefactors with remote access to an infected machine through the Remote Desktop Protocol (RDP):
- installvpn.pg: covertly installs the TeamViewer VPN driver; and
- rdw.pg: covertly installs the “RDP Wrapper Library” application and changes system settings in order to enable the RDP connection.
The bot does not connect automatically to the VPN, so it is quite possible that the malefactors reserve this capability for specific cases.
System infection
The downloaded Teamspy executable file is basically an NSIS installer. It includes:
- NSIS-script script.bin (script that controls the unpacking process);
- Standard NSIS plugins – nsExec.dll, StdUtils.dll, System.dll;
- Legitimate utility NirCmd (file 6kzi6c94h2oeu4);
- Legitimate utility 7zip (file vuoup3teqcux6q);
- Image 2b6zfhf3ui7e03iv6.jpg; and
- Image 6nmxxselb250du8c.jpg with an embedded password-protected 7z archive.
When the installer is started, it executes script.bin. The script calculates the BLAKE2-512 hash of the 2b6zfhf3ui7e03iv6.jpg content by means of StdUtils.dll and uses the resulting string as a password to the 7z-archive hidden inside 6nmxxselb250du8c.jpg.
The following files from the password-protected 7z are extracted to the hidden folder “%APPDATA%\Div”:
- x64 subfolder containing install64.exe, teamviewervpn.cat, TeamViewerVPN.inf and teamviewervpn.sys files (legitimate components of TeamViewer);
- x86 subfolder containing install86.exe, teamviewervpn.cat, TeamViewerVPN.inf and teamviewervpn.sys files (legitimate components of TeamViewer);
- avicap32.dll (the bot body);
- cfmon.exe (legitimate executable file of TeamViewer);
- installvpn.pg, rdw.pg, scankey.pg (encrypted bot plugins);
- tv.cfg (encrypted bot config); and
- Legitimate components of TeamViewer: TeamViewer_Desktop.exe, TeamViewer_Resource_en.dll, tv_w32.dll, tv_w32.exe, tv_x64.dll, tv_x64.exe.
The installer starts cfmon.exe upon unpacking. When this process begins, the malicious library avicap32.dll (the body of the bot) is automatically loaded and executed, because the loader looks for the DLL in the application’s own directory before the system directory. This technique of substituting a malicious DLL for a legitimate one is well known as ‘DLL hijacking’. The body of the bot contains several layers of encryption and is obfuscated in order to complicate analysis.
Modus operandi of the bot
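To hunt for the DLL hijack layout described above (an executable sitting next to a file that carries the name of a Windows system DLL, in a user-writable folder), here is an added Python example; it is not part of the original analysis. The `HIJACKABLE_DLLS` set is constructed: it contains avicap32.dll from this case plus a couple of other system DLL names, and should be extended from your own baseline. The sample tree it builds is a constructed stand-in with placeholder files, not real components.

```python
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Set

# System DLL names that Windows resolves from the application's own directory
# before System32 when an identically named file sits beside the executable.
# avicap32.dll is the one from the Teamspy case above; the others are added
# for this example from commonly abused names. Extend from your own baseline.
HIJACKABLE_DLLS: Set[str] = {"avicap32.dll", "version.dll", "dwmapi.dll"}


def find_sideload_candidates(root: str, dll_names: Set[str] = HIJACKABLE_DLLS) -> List[Dict[str, object]]:
    """Walk `root` and report directories that hold at least one .exe together
    with a file whose name matches a hijackable system DLL."""
    findings: List[Dict[str, object]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        by_lower = {name.lower(): name for name in filenames}
        executables = sorted(n for n in by_lower if n.endswith(".exe"))
        if not executables:
            continue  # a lone DLL copy has nothing to load it
        for dll in sorted(dll_names & set(by_lower)):
            findings.append({
                "directory": dirpath,
                "executables": executables,
                "dll": by_lower[dll],
            })
    return findings


def build_sample_tree(base: str) -> str:
    """Constructed stand-in for the %APPDATA%\\Div layout described above.
    The files are placeholders, not real components."""
    div = Path(base) / "AppData" / "Roaming" / "Div"
    div.mkdir(parents=True)
    for name in ("cfmon.exe", "avicap32.dll", "tv.cfg", "TeamViewer_Desktop.exe"):
        (div / name).write_bytes(b"placeholder")
    benign = Path(base) / "Program Files" / "SomeTool"
    benign.mkdir(parents=True)
    for name in ("sometool.exe", "helper.dll"):
        (benign / name).write_bytes(b"placeholder")
    return base


def demo() -> List[Dict[str, object]]:
    """Build the sample tree in a temporary directory, scan it, clean up."""
    tmp = tempfile.mkdtemp()
    try:
        return find_sideload_candidates(build_sample_tree(tmp))
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['directory']}: {hit['dll']} beside {', '.join(hit['executables'])}")
```

In practice you would point `find_sideload_candidates` at user-writable locations such as %APPDATA% and %TEMP%, where a signed vendor executable has no business living, and then confirm a hit by checking the DLL’s signature and hash against the vendor’s own copy.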
During execution the malicious avicap32.dll modifies the functionality of the TeamViewer process that is running, by intercepting some system calls as well as TeamViewer’s internal procedures. Hiding the software window and its icon in the notification area is one result of such modifications. The user of the infected computer cannot see the software’s graphic interface (GUI) and may not be suspicious of its presence unless they check a list of running processes.
Fragment of the hook installation procedure pseudocode
In addition to hiding the TeamViewer interface, avicap32.dll decrypts and uses the data of the tv.cfg configuration file.
Decrypted content of tv.cfg
The szadminhost field value is an address of the C&C server that communicates with the bot. Communication is based on the HTTP protocol. For an example of intercepted traffic please see the following screenshot.
In the first request, the bot informs the C&C of its existence. The C&C responds with a command (in this case “lexec”, which means file download and execution; for information on other commands see below). In the third request, the bot informs the server of the command execution result: “cmd=1” – success, “cmd=2” – error.
The server’s commands are processed in a separate thread started from the procedure installed for the interception of API-function SetWindowTextW.
General view of the execution graph of the function that processes and executes server commands
Fragment of the execution graph of the function that processes and executes server commands
List of strings including commands received by the bot
We would like to underline the most interesting commands received by the bot:
- startaudio / stopaudio: start/stop of audio recording;
- startvideo / stopvideo: start/stop of video recording of the screen;
- lexec: download and execute a file from a URL provided by the C&C server; and
- cmd: provide malefactors with the remote control console.
Other commands involve updating the configuration file and some of its fields, updating or deleting plugins, controlling PC power (shutdown, restart), restarting the bot’s own process, or self-deleting.
Conclusion
The use of the bot offers malefactors a wide range of possibilities to enrich themselves, and even a single successful infection can bring in substantial cash flows. Essentially, Trojan encryptors leave the initiative with the user (it is up to the user to decide whether or not to pay for their files), and the owners set the ransom sum according to the average financial solvency of the victim. The option of remote access to an infected accounting system allows the malefactor to secretly keep an eye on the victim’s activities and collect detailed information on the victim’s solvency, in order to choose the most efficient way of getting cash.
Kaspersky Lab products detect the bot’s body as Trojan-Spy.Win32.Teamspy.gl; and this malware is also known as TVSPY, TVRAT, SpY-Agent.
Victims infected with Shade versions 1 and 2 have a chance to retrieve their data without paying cybercriminals. IT Security companies joined forces with law enforcement agencies to create a decryption tool, which is available on the NoMoreRansom webpage.
MD5
More information about ProjectSauron is available to customers of Kaspersky Intelligence Reporting Service. Contact: firstname.lastname@example.org
Introduction:
Over the last few years, the number of “APT-related” incidents described in the media has grown significantly. For many of these, though, the designation “APT”, indicating an “Advanced Persistent Threat”, is an exaggeration. With some notable exceptions, few of the threat actors described in the media are advanced. These exceptions, which in our opinion represent the pinnacle of cyberespionage tools, the truly “advanced” threat actors out there, are Equation, Regin, Duqu and Careto. Another such exceptional espionage platform is “ProjectSauron”, also known as “Strider”.
What differentiates a truly advanced threat actor from a wannabe APT? Here are a few features that characterize the ‘top’ cyberespionage groups:
- The use of zero day exploits
- Unknown, never identified infection vectors
- Have compromised multiple government organizations in several countries
- Have successfully stolen information for many years before being discovered
- Have the ability to steal information from air gapped networks
- Support multiple covert exfiltration channels on various protocols
- Malware modules which can exist only in memory without touching the disk
- Unusual persistence techniques which sometime use undocumented OS features
“ProjectSauron” easily covers many of these points.
From discovery to detection:
When talking about long-standing cyber-espionage campaigns, many people wonder why it took so long to catch them. Perhaps part of the explanation is having the right tools for the job. Trying to catch government or military grade malware requires specialized technologies and products. One such product is Kaspersky’s Anti-Targeted Attack Platform, KATA (http://www.kaspersky.com/enterprise-security/anti-targeted-attack-platform). In September 2015, our anti-targeted attack technologies caught a previously unknown attack. The suspicious module was an executable library, loaded in the memory of a Windows domain controller (DC). The library was registered as a Windows password filter and had access to sensitive data in cleartext. Additional research revealed signs of massive activity from a new threat actor that we codenamed ‘ProjectSauron’, responsible for large-scale attacks against key governmental entities in several countries.
“SAURON” – internal name used in the LUA scripts
ProjectSauron comprises a top-of-the-top modular cyber-espionage platform in terms of technical sophistication, designed to enable long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods. Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes. For example, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim.
Some other key features of ProjectSauron:
- It is a modular platform designed to enable long-term cyber-espionage campaigns.
- All modules and network protocols use strong encryption algorithms, such as RC6, RC5, RC4, AES, Salsa20, etc.
- It uses a modified LUA scripting engine to implement the core platform and its plugins.
- There are upwards of 50 different plugin types.
- The actor behind ProjectSauron has a high interest in communication encryption software widely used by targeted governmental organizations. It steals encryption keys, configuration files, and IP addresses of the key infrastructure servers related to the encryption software.
- It is able to exfiltrate data from air-gapped networks by using specially-prepared USB storage drives where data is stored in an area invisible to the operating system.
- The platform makes extensive use of the DNS protocol for data exfiltration and real-time status reporting.
- The APT was operational as early as June 2011 and remained active until April 2016.
- The initial infection vector used to penetrate victim networks remains unknown.
- The attackers utilize legitimate software distribution channels for lateral movement within infected networks.
To help our readers better understand the ProjectSauron attack platform, we’ve prepared an FAQ which brings together some of the most important points about this attacker and its tools. A brief technical report is also available, including IOCs and Yara rules.
Our colleagues from Symantec have also released their analysis on ProjectSauron / Strider. You can read it here: http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets
ProjectSauron FAQ
1. What is ProjectSauron?
ProjectSauron is the name for a top level modular cyber-espionage platform, designed to enable and manage long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods.
Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes. As such, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim.
Usually APT campaigns have a geographical nexus, aimed at extracting information within a specific region or from a given industry. That usually results in several infections in countries within that region, or in the targeted industry around the world. Interestingly, ProjectSauron seems to be dedicated to just a couple of countries, focused on collecting high value intelligence by compromising almost all key entities it could possibly reach within the target area.
The name ProjectSauron reflects the fact that the code authors refer to ‘Sauron’ in the LUA scripts.
2. Who are the victims?
Using our telemetry, we found more than 30 infected organizations in Russia, Iran, Rwanda and possibly in Italian-speaking countries as well. Many more organizations and geographies are likely to be affected.
The attacked organizations are key entities that provide core state functions:
- Scientific research centers
- Telecommunication providers
As usual, Kaspersky Lab actively collaborates with industry partners, CERTs and law enforcement agencies to notify victims and help to mitigate the threat. We also rely on public awareness to spread information about it. If you need more information about this actor, please contact email@example.com.
For how long have the attackers been active?
Forensic analysis indicates that the APT has been operational since at least June 2011 and was still active in 2016. Although it appears to have largely ceased, there is a chance that it is still active on computer systems that are not covered by Kaspersky Lab solutions.
5. Did the attackers use interesting or advanced techniques?
The attackers used multiple interesting and unusual techniques, including:
- Data exfiltration and real-time status reporting using DNS requests.
- Implant deployment using legitimate software update scripts.
- Data exfiltration from air-gapped networks through the use of specially prepared USB storage drives where the stolen data is stored in the area unused by standard tools of the operating system.
- Using a modified LUA scripting engine to implement the core platform and its plugins. The use of LUA components in malware is very rare – it was previously spotted in the Flame and Animal Farm attacks.
In September 2015, Kaspersky Lab’s Anti-Targeted Attack Platform discovered anomalous network traffic in a client organization’s network. Analysis of this incident led to the discovery of a strange executable program library loaded into the memory of the domain controller server. The library was registered as a Windows password filter and had access to sensitive data such as administrative passwords in cleartext. Additional research revealed signs of activity of a previously unknown threat actor.
7. How does ProjectSauron operate?
ProjectSauron usually registers its persistence module on domain controllers as a Windows LSA (Local Security Authority) password filter. This feature is typically used by system administrators to enforce password policies and validate new passwords to match specific requirements, such as length and complexity. This way, the ProjectSauron passive backdoor module starts every time any network or local user (including an administrator) logs in or changes a password, and promptly harvests the password in plaintext.
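An added example (not from the original report) of auditing the LSA password-filter registration the paragraph describes, which is also the mechanism behind the discovery recounted earlier. Password filters are listed in the REG_MULTI_SZ value `Notification Packages` under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; the Python below parses `reg query` output for that value and flags entries that are not in a known-good baseline or that are not plain module names. The baseline set and the sample output (including the `examplefilter` placeholder entry) are constructed assumptions for this example.

```python
import re
from typing import Dict, List, Set

# Assumed known-good contents of the REG_MULTI_SZ value
#   HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
# "scecli" is the standard entry; "rassfm" shows up on older hosts with RRAS.
# Capture the real baseline from a known-good domain controller of your own.
KNOWN_GOOD: Set[str] = {"scecli", "rassfm"}

# Constructed sample of the output of
#   reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v "Notification Packages"
# "examplefilter" is a placeholder name for an extra, unexplained package.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Notification Packages    REG_MULTI_SZ    scecli\0examplefilter
"""


def parse_notification_packages(reg_output: str) -> List[str]:
    """Extract the package list from reg.exe output, where REG_MULTI_SZ
    entries are printed separated by the two characters backslash-zero."""
    for line in reg_output.splitlines():
        m = re.match(r"\s*Notification Packages\s+REG_MULTI_SZ\s+(.*?)\s*$", line)
        if m:
            return [entry for entry in m.group(1).split(r"\0") if entry]
    return []


def audit_packages(packages: List[str], known_good: Set[str] = KNOWN_GOOD) -> Dict[str, List[str]]:
    """Classify each entry. Legitimate entries are bare module names that LSASS
    resolves from System32; an entry carrying a path or an extension, or a name
    absent from the baseline, deserves a look: locate the DLL on disk, check its
    signature, and confirm it exports the documented password-filter functions
    (InitializeChangeNotify, PasswordFilter, PasswordChangeNotify)."""
    report: Dict[str, List[str]] = {"unexpected_form": [], "unknown": []}
    for pkg in packages:
        lowered = pkg.lower()
        if "\\" in lowered or "/" in lowered or lowered.endswith(".dll"):
            report["unexpected_form"].append(pkg)
        elif lowered not in known_good:
            report["unknown"].append(pkg)
    return report


def audit_reg_output(reg_output: str) -> Dict[str, List[str]]:
    return audit_packages(parse_notification_packages(reg_output))


if __name__ == "__main__":
    print(audit_reg_output(SAMPLE_REG_OUTPUT))
    # {'unexpected_form': [], 'unknown': ['examplefilter']}
```

Because a registered filter receives every new password in plaintext, this value belongs on the short list of settings to baseline on every domain controller and to alert on when it changes.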
In cases where domain controllers lack direct Internet access, the attackers install additional implants on other local servers which have both local network and Internet access and may pass a significant amount of network traffic, i.e. proxy servers, web servers, or software update servers. After that, these intermediary servers are used by ProjectSauron as internal proxy nodes for silent and inconspicuous data exfiltration, blending in with high volumes of legitimate traffic.
Once installed, the main ProjectSauron modules start working as ‘sleeper cells’, displaying no activity of their own and waiting for ‘wake-up’ commands in the incoming network traffic. This method of operation ensures ProjectSauron’s extended persistence on the servers of targeted organizations.
8. What kind of implants does ProjectSauron use?
Most of ProjectSauron’s core implants are designed to work as backdoors, downloading new modules or running commands from the attacker purely in memory. The only way to capture these modules is by making a full memory dump of the infected systems.
Almost all of ProjectSauron’s core implants are unique, have different file names and sizes, and are individually built for each target. Each module’s timestamp, both in the file system and in its own headers, is tailored to the environment on which it is installed.
Secondary ProjectSauron modules are designed to perform specific functions like stealing documents, recording keystrokes, and stealing encryption keys from both infected computers and attached USB sticks.
ProjectSauron implements a modular architecture using its own virtual file system to store additional modules (plugins) and a modified LUA interpreter to execute internal scripts. There are upwards of 50 different plugin types.
9. What is the initial infection vector?
To date, the initial infection vector used by ProjectSauron to penetrate victim networks remains unknown.
10. How were the ProjectSauron implants deployed within the target network?
In several cases, ProjectSauron modules were deployed through the modification of scripts used by system administrators to centrally deploy legitimate software updates within the network.
In essence, the attackers injected a command to start the malware by modifying existing software deployment scripts. The injected malware is a tiny module that works as a simple downloader.
Once started under a network administrator account, this small downloader connects to a hard-coded internal or external IP address and downloads the bigger ProjectSauron payload from there.
In cases where the ProjectSauron persistence container is stored on disk in EXE file format, it disguises the files with legitimate software file names.
11. What C&C infrastructure did the attackers use?
The ProjectSauron actor is extremely well prepared when it comes to operational security. Running an expensive cyberespionage campaign like ProjectSauron requires vast domain and server infrastructure uniquely assigned to each victim organization and never reused again. This makes traditional network-based indicators of compromise almost useless because they won’t be reused in any other organization.
We collected 28 domains linked to 11 IPs located in the United States and several European countries that might be connected to ProjectSauron campaigns. Even the diversity of ISPs selected for ProjectSauron operations makes it clear that the actor did everything possible to avoid creating patterns.
12. Does ProjectSauron target isolated (air-gapped) networks?
Yes. We registered a few cases where ProjectSauron successfully penetrated air-gapped networks.
The ProjectSauron toolkit contains a special module designed to move data from air-gapped networks to Internet-connected systems. To achieve this, removable USB devices are used. Once networked systems are compromised, the attackers wait for a USB drive to be attached to the infected machine.
These USBs are specially formatted to reduce the size of the partition on the USB disk, reserving an area of hidden space (several hundred megabytes) at the end of the disk for malicious purposes. This reserved space is used to create a new custom-encrypted partition that won’t be recognized by a common OS, such as Windows. The partition has its own semi-filesystem (or virtual file system, VFS) with two core directories: ‘In’ and ‘Out’.
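Spotting the hidden tail of such a drive is something a forensic examiner can do from a disk image alone, without knowing the custom partition’s format: the MBR partition table says where the last partition ends, and the device size says where the disk ends. The added Python below (not part of the original report) parses the four primary MBR entries and reports how many sectors lie beyond the last partition. The 100 MiB threshold and the `build_mbr` helper that constructs a test image are this example’s assumptions; drives partitioned with GPT need their GPT header parsed instead.

```python
import struct
from typing import List, Tuple

SECTOR_SIZE = 512
MBR_TABLE_OFFSET = 446
GPT_PROTECTIVE = 0xEE


def parse_mbr_partitions(mbr: bytes) -> List[Tuple[int, int, int]]:
    """Return (type, lba_start, sector_count) for each used entry of the four
    primary MBR slots. Each 16-byte entry: status, CHS start, type, CHS end,
    LBA start (LE uint32), sector count (LE uint32)."""
    if len(mbr) < SECTOR_SIZE or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR boot sector (bad signature)")
    parts = []
    for i in range(4):
        entry = mbr[MBR_TABLE_OFFSET + 16 * i: MBR_TABLE_OFFSET + 16 * (i + 1)]
        ptype = entry[4]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and count != 0:
            parts.append((ptype, lba_start, count))
    return parts


def trailing_unallocated_sectors(mbr: bytes, total_sectors: int) -> int:
    """Sectors after the end of the last primary partition. Logical partitions
    are not walked here; an extended container entry still counts by its span."""
    parts = parse_mbr_partitions(mbr)
    if any(p[0] == GPT_PROTECTIVE for p in parts):
        raise ValueError("protective MBR: parse the GPT header instead")
    last_end = max((start + count for _, start, count in parts), default=0)
    return max(total_sectors - last_end, 0)


def has_suspicious_tail(mbr: bytes, total_sectors: int, threshold_mib: int = 100) -> bool:
    """Drives normally end within a few MiB of the last partition (alignment
    slack); a reserved tail of hundreds of MiB, as described above, is worth
    carving out and inspecting."""
    tail_bytes = trailing_unallocated_sectors(mbr, total_sectors) * SECTOR_SIZE
    return tail_bytes >= threshold_mib * 1024 * 1024


def build_mbr(partitions: List[Tuple[int, int, int]]) -> bytes:
    """Constructed test MBR from (type, lba_start, sector_count) tuples."""
    mbr = bytearray(SECTOR_SIZE)
    for i, (ptype, start, count) in enumerate(partitions[:4]):
        off = MBR_TABLE_OFFSET + 16 * i
        mbr[off] = 0x80 if i == 0 else 0x00   # boot flag on the first entry
        mbr[off + 4] = ptype
        struct.pack_into("<II", mbr, off + 8, start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    total = 4_000_000                                            # ~1.9 GiB stick
    stick = build_mbr([(0x0C, 2048, total - 2048 - 1_000_000)])  # FAT32 + 488 MiB tail
    print(trailing_unallocated_sectors(stick, total), has_suspicious_tail(stick, total))
```

On a real image, `mbr` is the first 512 bytes of the file and `total_sectors` is the image size divided by the sector size; the same arithmetic, run against an inventory of issued USB drives, turns the page’s DLP caveat into a concrete check that device-ID whitelisting cannot provide.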
This method also bypasses many DLP products, since software that disables the plugging of unknown USB devices based on DeviceID wouldn’t prevent an attack or data leakage, because a genuine recognized USB drive was used.
13. Does ProjectSauron target critical infrastructure?
Some of the entities infected by ProjectSauron can be classified as critical infrastructure. However, we haven’t registered ProjectSauron infections inside industrial control system networks that have SCADA systems in place.
Also, we have not yet seen a ProjectSauron module targeting any specific industrial hardware or software.
14. Did ProjectSauron use any special communication methods?
For network communication, the ProjectSauron toolkit has extensive abilities, leveraging the stack of the most commonly used protocols: ICMP, UDP, TCP, DNS, SMTP and HTTP.
One of the ProjectSauron plugins is the DNS data exfiltration tool. To avoid generic detection of DNS tunnels at network level, the attackers use it in low-bandwidth mode, which is why it is used solely to exfiltrate target system metadata.
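As an added example (not from the original report) of spotting a low-bandwidth DNS tunnel like the one described above, and the DNS-based exfiltration listed among the actor’s techniques earlier, the following Python scores query names per zone by the number of distinct subdomains and their average character entropy. A tunnel that keeps its query rate low still has to vary the subdomain for every message it sends, which is what the distinct-subdomain count catches. The query names it analyzes are constructed, and the thresholds and the example.org/example.com zones are assumptions.

```python
import hashlib
import math
from collections import defaultdict
from typing import Dict, List, Tuple


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded or random-looking labels score high,
    ordinary host names ('www', 'mail') score low."""
    if not text:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query_name(qname: str, zone_labels: int = 2) -> Tuple[str, str]:
    """Split 'x.y.example.org' into (zone, subdomain). Assumes a two-label
    registrable zone; use a public-suffix list for names like example.co.uk."""
    labels = qname.rstrip(".").lower().split(".")
    zone = ".".join(labels[-zone_labels:])
    sub = ".".join(labels[:-zone_labels])
    return zone, sub


def analyze_queries(qnames: List[str], min_unique: int = 10,
                    min_entropy: float = 3.0) -> Dict[str, Dict[str, float]]:
    """Flag zones that receive many distinct, high-entropy subdomains.
    Counting distinct subdomains rather than query volume is what makes this
    work against a deliberately slow tunnel."""
    subs_by_zone: Dict[str, set] = defaultdict(set)
    for q in qnames:
        zone, sub = split_query_name(q)
        if sub:
            subs_by_zone[zone].add(sub)
    findings: Dict[str, Dict[str, float]] = {}
    for zone, subs in subs_by_zone.items():
        mean_entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if len(subs) >= min_unique and mean_entropy >= min_entropy:
            findings[zone] = {"unique_subdomains": len(subs),
                              "mean_entropy": round(mean_entropy, 2)}
    return findings


def build_sample_queries() -> List[str]:
    """Constructed query names: ordinary traffic to example.com mixed with
    twelve encoded-looking labels under example.org (derived from SHA-256 so
    the sample is deterministic; no real domains or data)."""
    benign = ["www.example.com", "mail.example.com", "cdn1.example.com"] * 5
    encoded = [hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:32] + ".example.org"
               for i in range(12)]
    return benign + encoded


if __name__ == "__main__":
    print(analyze_queries(build_sample_queries()))
```

Fed from a resolver’s query log over a day, the same scoring surfaces both the slow metadata tunnel and the one-off “milestone” queries to per-target subdomains, provided the zone is one the organization has never legitimately talked to.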
Another interesting feature in ProjectSauron malware that leverages the DNS protocol is the real-time reporting of the operation progress to a remote server. Once an operational milestone is achieved, ProjectSauron issues a DNS-request to a special subdomain unique to each target.
15. What is the most sophisticated feature of the ProjectSauron APT?
In general, the ProjectSauron platform is very advanced and reaches the level of complexity of Regin, Equation and similar threat actors we have reported on in the past. Some of the most interesting things in the ProjectSauron platform include:
- Multiple exfiltration mechanisms, including piggybacking on known protocols.
- Bypassing air-gaps using hidden data partitions on USB sticks.
- Hijacking Windows LSA to control network domain servers.
- Implementing an extended LUA engine to write custom malicious scripts to control the entire malware platform with a high-level language.
To date we have not found any 0-day exploits associated with ProjectSauron.
However, when penetrating isolated systems, the creation of the encrypted storage area in the USB does not in itself enable attackers to get control of the air-gapped machines. There has to be another component, such as a 0-day exploit, placed on the main partition of the USB drive.
So far we have not found any 0-day exploit embedded in the body of the malware we analyzed, and we believe it was probably deployed in rare, hard-to-catch instances.
17. Is this a Windows-only threat? What versions of Windows are targeted?
ProjectSauron works on all modern Microsoft Windows operating systems – both x64 and x86. We have witnessed infections running on Windows XP x86 as well as Windows 2012 R2 Server Edition x64.
To date, we haven’t found a non-Windows version of ProjectSauron.
18. Were the attackers hunting for specific information?
ProjectSauron actively searches for information related to rather uncommon, custom network encryption software. This client-server software is widely adopted by many of the target organizations to secure communications, voice, email, and document exchange.
In a number of the cases we analyzed, ProjectSauron deployed malicious modules inside the custom network encryption software’s directory, disguised under similar filenames and accessing the data placed beside its own executable. Some of the extracted LUA scripts show that the attackers have a high interest in the software components, keys, configuration files, and the location of servers that relay encrypted messages between the nodes.
Also, one of the embedded ProjectSauron configurations contains a special unique identifier for the targeted network encryption software’s server within its virtual network. The behavior of the component that searches for the server IP address is unusual. After getting the IP, the ProjectSauron component tries to communicate with the remote server using its own (ProjectSauron) protocol as if it was yet another C&C server. This suggests that some communication servers running the mentioned network encryption software could also be infected with ProjectSauron.
19. What exactly is being stolen from the targeted machines?
The ProjectSauron modules we found are able to steal documents, record keystrokes and steal encryption keys from infected computers and attached USB sticks.
The fragment of a configuration block below, extracted from ProjectSauron, shows the kind of information and file extensions the attackers were looking for:
Keywords / filenames targeted by ProjectSauron data theft modules
Interestingly, while most of the words and extensions above are in English, several of them point to Italian, such as ‘codice’, ‘strCodUtente’ and ‘segreto’:
Italian keyword   Translation
codice            code
CodUtente         user code
segreto           secret
This suggests the attackers had prepared to attack Italian-speaking targets as well. However, we are not aware of any Italian victims of ProjectSauron at the moment.
20. Have you observed any artifacts indicating who is behind the ProjectSauron APT?
Attribution is hard and reliable attribution is rarely possible in cyberspace. Even with confidence in various indicators and apparent attacker mistakes, there is a greater likelihood that these are smoke and mirrors created by an attacker with a greater vantage point and vast resources. When dealing with the most advanced threat actors, as is the case with ProjectSauron, attribution becomes an unsolvable problem.
21. Is this a nation-state sponsored attack?
We think an operation of such complexity, aimed at stealing confidential and secret information, can only be executed with support from a nation-state.
22. What would ProjectSauron have cost to set up and run?
Kaspersky Lab has no exact data on this, but estimates that the development and operation of ProjectSauron is likely to have required several specialist teams and a budget probably running into millions of dollars.
23. How does the ProjectSauron platform compare to other top-level threat actors?
The actor behind ProjectSauron is very advanced, comparable only to the top-of-the-top in terms of sophistication: alongside Duqu, Flame, Equation, and Regin. Whether related or unrelated to these advanced actors, the ProjectSauron attackers have definitely learned from them.
As a reminder, here are some features of other APT actors that we discovered the ProjectSauron attackers had carefully learned from or emulated:
Duqu:
- Use of intranet C&Cs (where compromised target servers may act as independent C&Cs)
- Running only in memory (persistence on a few gateway hosts only)
- Use of different encryption methods per victim
- Use of named pipes for LAN communication
- Malware distribution through legitimate software deployment channels
Flame:
- LUA-embedded code
- Secure file deletion (through data wiping)
- Attacking air-gapped systems via removable devices
Equation and Regin:
- Usage of RC5/RC6 encryption
- Virtual Filesystems (VFS)
- Attacking air-gapped systems via removable devices
- Hidden data storage on removable devices
These other actors also showed what made them vulnerable to potential exposure, and ProjectSauron did its best to address these issues:
- Vulnerable or persistent C&C locations
- ISP name, IP, domain, and tools reuse across different campaigns
- Crypto-algorithm reuse (as well as encryption keys)
- Forensic footprint on disk
- Timestamps in various components
- Large volumes of exfiltrated data, alarming unknown protocols or message formats
In addition, it appears that the attackers took special care with what we consider as indicators of compromise and implemented a unique pattern for each and every target they attacked, so that the same indicators would have little value for anyone else. This is a summary of the ProjectSauron strategy as we see it. The attackers clearly understand that we as researchers are always looking for patterns. Remove the patterns and the operation will be harder to discover. We are aware of more than 30 organizations attacked, but we are sure that this is just a tiny tip of the iceberg.
24. Do Kaspersky Lab products detect all variants of this malware?
All Kaspersky Lab products detect ProjectSauron samples as HEUR:Trojan.Multi.Remsec.gen.
25. Are there Indicators of Compromise (IOCs) to help victims identify the intrusion?
ProjectSauron’s tactics are designed to avoid creating patterns. Implants and infrastructure are customized for each individual target and never re-used – so the standard security approach of publishing and checking for the same basic indicators of compromise (IOC) is of little use.
However, structural code similarities are inevitable, especially for non-compressed and non-encrypted code. This opens up the possibility of recognizing known code in some cases.
That’s why, alongside the formal IOCs, we have added relevant YARA rules. While the IOCs have been listed mainly to give examples of what they look like, the YARA rules are likely to be of greater use and could detect real traces of ProjectSauron.
For background: YARA is a tool for identifying and classifying files by the patterns they contain. A YARA rule lists text strings, byte sequences or regular expressions together with a boolean condition over them (for example, “any two of these byte sequences in a file smaller than 2 MB”); matching such rules against files on disk, in memory or in network captures lets analysts find, group and categorize related malware samples, draw connections between them, build malware families and uncover groups of attacks that might otherwise go unnoticed.
We have prepared our YARA rules based on tiny similarities and oddities that stood out in the attackers’ techniques. These rules can be used to scan networks and systems for the same patterns of code. If some of these oddities appear during such a scan, there is a chance that the organization has been hit by the same actor.
More information about ProjectSauron is available to customers of the Kaspersky Intelligence Reporting Service.
This year’s Black Hat USA briefings were held at the spacious Mandalay Bay, bringing speakers from all over the world to deliver mostly technical cyber-security talks. A number of our researchers were there attending talks and participating in the parallel IOActive and BSides events on Smart Cities cyber-security and “Stealing Food From the Cat’s Mouth”. We even bought a round of drinks for a GReAT happy hour at our booth, thanks for coming by! And on Tuesday night, we announced a public HackerOne-coordinated bug bounty program, setting aside $50,000 for critical vulnerabilities. Black Hat whitepapers, slide decks and some source code are being posted to the conference site.
Talks and speakers that we enjoyed here:
- DEMYSTIFYING THE SECURE ENCLAVE PROCESSOR and BEHIND THE SCENES OF IOS SECURITY
Low-level details of Apple iPhone security were presented, both by offensive researchers hacking apart hardware and software and by one of the vendor’s lead security engineers, Ivan Krstic. They revealed cryptographic design and implementation details of the Secure Enclave Processor and its OS, the iCloud Keychain and JIT hardening, and pointed out some weaknesses and areas where security vulnerabilities are likely to be found in the code.
- CAPTAIN HOOK: PIRATING AVS TO BYPASS EXPLOIT MITIGATIONS
The speakers demonstrated that many AV vendors perform inline and kernel-to-user hooking for exploit mitigation, and that this is being done insecurely. They were able to use the mistakes made in the various hooking engines to run malicious code in memory. Their research identified six different types of vulnerabilities in the hooking engines and showed how to exploit them. Essentially, most of the vulnerabilities boiled down to improper permissions on the memory blocks the AV engines allocate for their hooks (such as leaving them both writable and executable), which hands an exploit exactly the kind of region that the mitigations were meant to deny it.
- ADVANCED CAN INJECTION TECHNIQUES FOR VEHICLE NETWORKS
As always, Charlie Miller and Chris Valasek delivered a fantastic talk on the next step in their research: targeting the CAN bus to manipulate vehicle behavior while driving at high speed. While their research was done hard-wired into the car, they stated that if another remote vulnerability were discovered, these attacks would be plausible remotely, without physical access. They showed how they were able to manipulate various vehicles to apply the emergency brake, turn off the power steering module, control the steering, etc., all while driving at high speed. To do so they essentially had to bypass the checks that normally prevent diagnostic mode from being invoked while the car is on or in motion. In normal Charlie and Chris fashion, the talk was full of funny videos of their exploits, one of which showed them crashing their Jeep into a ditch in a cornfield and subsequently having to be rescued by some locals.
Brazilian cybercriminals are clearly setting their sights on users of mobile banking, with a huge rise in incidents registered in the country over the last two years. In order to carry out these attacks they are using SMiShing (phishing via SMS) and registering new mobile phish domains created especially for this purpose.
In 2015, mobile banking usage in Brazil reached 11.2 billion transactions, an increase of 138% compared to the 4.7 billion transactions registered in 2014. Mobile banking is now the second most popular channel for accessing a bank account in the country – there are more than 33 million active accounts, according to the Brazilian Federation of Banks. Such numbers and the possibility of cheaply sending SMS messages are very attractive to cybercriminals, who are investing their time and effort to create new attacks.
Getting started doesn’t require that much money or preparation: first they need to register a domain (usually a .mobi domain), prepare a phishing page in mobile format, hire a bulk SMS service (as cheap as 2 cents per message sent, and generally paid for with a cloned credit card) and voilà! Getting the telephone numbers of the victims isn’t a problem either: huge databases of mobile numbers can easily be purchased on the Brazilian underground, or can be captured in attacks using WhatsApp as bait. The SMiShing messages inform recipients about a credit card or a bank account that has supposedly been blocked, and always include a link:
“Your data is outdated, your account may be blocked. Please update at <phish URL>” – an SMiShing message sent by phishers
Why target users of mobile banking? Because it is easier to compromise a bank account accessed from a mobile device than one accessed from a desktop. Some of the reasons are listed below:
- No protection: most smartphone users in Brazil still don’t use a dedicated AV on their phones. A survey performed by B2B International in 2015 showed only 56% of smartphone owners around the world do so.
- No security plugins: unlike desktop banking, most banks still don’t require a security plugin on mobile devices, even though most of them offer dedicated access through their own apps. Fake mobile banking apps impersonating Brazilian banks have also been found in the Play Store. When a criminal decides to phish a mobile banking user, the attack is more effective if it works in any mobile browser.
- Simple authentication: most Brazilian banks use very simple authentication on mobile devices, usually just asking for the account number and a six-digit password.
- Common SMS usage: it is very common for banks in Brazil to send notifications via SMS. When you buy something or withdraw money from your account, you receive an SMS confirming the operation. This approach has helped Brazilian banks to reduce fraud, because customers learn about any fraudulent use of their credit cards or bank accounts as soon as it starts. The flip side is that confusing a SMiShing message with a legitimate SMS from your bank is very easy.
The mobile versions of these phishing banking websites open correctly in the browser, facilitating the theft of user credentials. The phishers’ tactic is to force the user to access the website from a mobile device, not from a desktop. If the victim tries to access the phishing domain from a computer, the following message is displayed:
“Service unavailable for desktops, only for mobile devices”
The phishing domain only shows its full content when access is made via a mobile browser:
The cybercriminals create phishing pages for several banks, in an array of colors and styles:
Most of the domains used in these attacks are using the .mobi TLD:
We published a list of some of the domains we found here (if you’re an AV guy, block them!).
It’s important to highlight one other thing: if access is made from an IP outside of Brazil, some domains will display nothing. It’s a method used by Brazilian phishers to keep their attacks alive for as long as possible, because if you don’t see it, you won’t block the domain. Users of our products, including the Safe Browser for iOS, Windows Phone, Android and Fraud Prevention solutions are protected against mobile phishing and SMiShing attacks.
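Because of this cloaking, a single check from a desktop outside Brazil shows nothing, and the domain is easily written off as dead. The following added example (not code from the post or from any phishing kit) is a differential probe: it fetches the page from several vantage points and compares the responses. The fetch callable is injected, so the probe can be pointed at a real URL with a mobile User-Agent and a Brazilian exit node; phish_kit is a constructed stand-in that mimics the cloaking logic described above so that the example runs offline, and the Portuguese strings, User-Agent values and function names in it are my own.

```python
"""Differential probing of a cloaked phishing page.

Added example, not part of the original post. `phish_kit` models the
cloaking behaviour described in the text (blank page for non-Brazilian
clients, a "mobile only" notice for desktop browsers, the real form only
for mobile browsers in Brazil). `probe_cloaking` is the analyst-side
check and only needs a fetch(user_agent, country) -> (status, body)
callable, so it can be backed by a real HTTP client and proxies.
"""
import hashlib

# Constructed User-Agent strings (typical shapes, not copied from any capture).
MOBILE_UA = "Mozilla/5.0 (Linux; Android 6.0; SM-G920F) AppleWebKit/537.36 Mobile Safari/537.36"
DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/52.0 Safari/537.36"
MOBILE_TOKENS = ("Mobile", "Android", "iPhone", "Windows Phone")


def phish_kit(user_agent, client_country):
    """Constructed model of the kit's server-side cloaking (not the real kit's code)."""
    if client_country != "BR":
        return 200, ""  # foreign IP: empty body, so the page looks dead
    if not any(tok in user_agent for tok in MOBILE_TOKENS):
        return 200, "Servico indisponivel para desktops, apenas para dispositivos moveis"
    return 200, "<form action='login.php'>Agencia / Conta / Senha de 6 digitos</form>"


def probe_cloaking(fetch, vantage_points):
    """Fetch the page from every vantage point and compare the bodies.

    vantage_points: list of (label, user_agent, country).
    Returns (per-vantage records, verdict). The page is considered cloaked
    when the bodies differ across vantage points; the verdict also records
    where the credential form was actually visible and where nothing came back.
    """
    results = []
    for label, user_agent, country in vantage_points:
        status, body = fetch(user_agent, country)
        results.append({
            "vantage": label,
            "status": status,
            "length": len(body),
            "sha256": hashlib.sha256(body.encode("utf-8")).hexdigest()[:12],
            "has_form": "<form" in body.lower(),
        })
    distinct_bodies = {r["sha256"] for r in results}
    verdict = {
        "cloaked": len(distinct_bodies) > 1,
        "content_visible_from": [r["vantage"] for r in results if r["has_form"]],
        "blank_from": [r["vantage"] for r in results if r["length"] == 0],
    }
    return results, verdict


# The three vantage points an analyst should always try for Brazilian mobile phish.
VANTAGE_POINTS = [
    ("desktop, Brazil", DESKTOP_UA, "BR"),
    ("mobile, Brazil", MOBILE_UA, "BR"),
    ("mobile, outside Brazil", MOBILE_UA, "US"),
]

if __name__ == "__main__":
    records, verdict = probe_cloaking(phish_kit, VANTAGE_POINTS)
    for r in records:
        print(r)
    print(verdict)
```

The verdict is what matters for blocking decisions: a phishing page that is only visible as "mobile, Brazil" must still be blocked, and a sandbox that only fetches with a desktop User-Agent from a non-Brazilian address will rate it harmless every time.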
- DDoS attacks on cryptocurrency wallet services have had a decisive effect on some of these services. In the second quarter of 2016, two companies, CoinWallet and Coinkite, announced they were terminating their operations because of prolonged DDoS attacks. According to Coinkite’s official blog, the e-wallet service will be shut down, as will its API. The company admits that the decision was largely due to the constant attacks and to pressure from various governments that want to regulate cryptocurrency.
- A piece of malware was detected that possesses worm functionality and builds a botnet of Linux-based routers (including Wi-Fi access points). It spreads via Telnet. An analysis of the worm’s code has shown that it can be used in various types of DDoS attacks.
- Experts have registered a growing number of botnet C&C servers based on LizardStresser, a tool used to perform DDoS attacks. The LizardStresser source code belongs to the hacker group Lizard Squad and was made publicly available at the end of 2015, which is what led to the increase in the number of botnets using new versions of the tool.
- Researchers discovered a botnet consisting of 25 000 devices most of which are surveillance cameras. According to the experts, 46% of the infected devices are CCTV systems H.264 DVR. The other compromised devices were manufactured by ProvisionISR, Qsee, QuesTek, TechnoMate, LCT CCTV, Capture CCTV, Elvox, Novus, and MagTec CCTV.
- A new botnet named Jaku located mainly in Japan and South Korea was detected. Researchers have stated that the botnet operators are focused on major targets: engineering companies, international organizations, scientific institutions.
- A new modification of the Cerber ransomware was discovered that uses the infected device to carry out DDoS attacks. The cryptor sends UDP packets whose source address has been spoofed to the victim’s address; every host that receives such a packet sends its reply to the victim, producing a reflected UDP flood. In addition to its basic ransomware functionality, this Trojan therefore also integrates the functionality of a DDoS bot.
Kaspersky Lab has extensive experience in combating cyber threats, including DDoS attacks of various types and levels of complexity. The company’s experts monitor botnet activity with the help of the DDoS Intelligence system.
Resources in 70 countries were targeted by DDoS attacks in Q2 2016 #KLReportTweet
The DDoS Intelligence system (part of Kaspersky DDoS Protection) is designed to intercept and analyze commands sent to bots from command and control (C&C) servers, and does not have to wait until user devices are infected or cybercriminal commands are executed in order to gather data.
This report contains the DDoS Intelligence statistics for the second quarter of 2016.
In the context of this report, a single (separate) DDoS attack is defined as an incident during which any break in botnet activity lasts less than 24 hours. If the same web resource was attacked by the same botnet after a break of more than 24 hours, this is regarded as a separate DDoS attack. Attacks on the same web resource from two different botnets are also regarded as separate attacks.
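To make the counting rule concrete, here is an added example (not code from the report or from the DDoS Intelligence system) that applies it to a constructed list of intercepted C&C commands. The timestamps, target addresses and botnet names are made up; the 24-hour threshold, the separate-botnet rule and the one-count-per-day timeline rule used later in the report are the report’s own. A break of exactly 24 hours is treated as a new attack here, which the definition leaves open.

```python
"""Grouping intercepted C&C commands into DDoS attacks the way the report counts them.

Added example, not part of the original report. Rules implemented:
  * commands against the same target from the same botnet belong to one attack
    while the gaps between them are under 24 hours;
  * a gap of 24 hours or more starts a new attack;
  * a different botnet hitting the same target is always a separate attack;
  * for the per-day timeline, an attack is counted once for every calendar day it spans.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

GAP = timedelta(hours=24)
WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]

# Constructed sample: (timestamp, target IP, botnet family). Not real telemetry.
SAMPLE_COMMANDS = [
    ("2016-06-01 10:00", "203.0.113.10", "xor"),
    ("2016-06-01 18:00", "203.0.113.10", "xor"),    # 8 h gap: same attack
    ("2016-06-02 09:00", "203.0.113.10", "xor"),    # 15 h gap: same attack, now spans two days
    ("2016-06-04 09:00", "203.0.113.10", "xor"),    # 48 h gap: new attack
    ("2016-06-01 11:00", "203.0.113.10", "nitol"),  # other botnet, same target: separate attack
    ("2016-06-03 00:30", "198.51.100.7", "yoyo"),
    ("2016-06-03 23:30", "198.51.100.7", "yoyo"),   # 23 h gap: same attack
]


def parse(rows):
    """Turn (text timestamp, ip, botnet) rows into time-sorted tuples."""
    return sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M"), ip, bot) for ts, ip, bot in rows)


def group_attacks(rows):
    """Return the list of attacks as dicts with target, botnet, start and end."""
    streams = defaultdict(list)            # one command stream per (target, botnet)
    for ts, ip, bot in parse(rows):
        streams[(ip, bot)].append(ts)
    attacks = []
    for (ip, bot), times in streams.items():
        start = prev = times[0]
        for ts in times[1:]:
            if ts - prev >= GAP:           # break of 24 h or more closes the attack
                attacks.append({"target": ip, "botnet": bot, "start": start, "end": prev})
                start = ts
            prev = ts
        attacks.append({"target": ip, "botnet": bot, "start": start, "end": prev})
    return attacks


def duration_hours(attack):
    """Attack length from first to last observed command, in hours."""
    return (attack["end"] - attack["start"]).total_seconds() / 3600


def per_day_counts(attacks):
    """Timeline counting: one hit per attack for each calendar day it covers."""
    counts = Counter()
    for a in attacks:
        day = a["start"].date()
        while day <= a["end"].date():
            counts[day.isoformat()] += 1
            day += timedelta(days=1)
    return dict(counts)


def unique_targets(attacks):
    """Number of distinct target IPs, the basis of the per-country target figures."""
    return len({a["target"] for a in attacks})


def weekday_distribution(attacks):
    """Percentage of attacks by the weekday on which they started."""
    counts = Counter(WEEKDAYS[a["start"].weekday()] for a in attacks)
    return {day: round(100 * n / len(attacks), 1) for day, n in counts.items()}


if __name__ == "__main__":
    attacks = group_attacks(SAMPLE_COMMANDS)
    for a in attacks:
        print(a["target"], a["botnet"], a["start"], a["end"], f"{duration_hours(a):.1f} h")
    print("unique targets:", unique_targets(attacks))
    print("per day:", per_day_counts(attacks))
    print("by weekday:", weekday_distribution(attacks))
```

Note how the two counting views disagree: the sample holds four attacks, yet the per-day timeline sums to five, because the attack that ran from 1 June into 2 June is counted on both days. That is exactly the caveat the report attaches to its timeline chart.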
The geographic distribution of DDoS victims and C&C servers is determined according to their IP addresses. In this report, the number of DDoS targets is calculated based on the number of unique IP addresses reported in the quarterly statistics.
77.4% of targeted resources in Q2 2016 were located in China #KLReportTweet
It is important to note that DDoS Intelligence statistics are limited to those botnets detected and analyzed by Kaspersky Lab. It should also be noted that botnets are just one of the tools used to carry out DDoS attacks; therefore, the data presented in this report does not cover every DDoS attack that has occurred within the specified time period.
Q2 Summary
- Resources in 70 countries were targeted by DDoS attacks in Q2 2016.
- 77.4% of targeted resources were located in China.
- China, South Korea and the US remained leaders in terms of the number of DDoS attacks and number of targets.
- The longest DDoS attack in Q2 2016 lasted for 291 hours (or 12.1 days) – significantly longer than the previous quarter’s maximum (8.2 days).
- SYN DDoS, TCP DDoS and HTTP DDoS remain the most common DDoS attack scenarios. The proportion of attacks using the SYN DDoS method increased 1.4 times compared to the previous quarter.
- In Q2 2016, 70.2% of all detected attacks were launched from Linux botnets, which is almost double the figure for the first quarter.
In Q2 2016, the geography of DDoS attacks narrowed to 70 countries, with China accounting for 77.4% of attacks. In fact, 97.3% of the targeted resources were located in just 10 countries. The three most targeted countries remained unchanged – China, South Korea and the US.
Distribution of DDoS attacks by country, Q1 2016 vs. Q2 2016
This quarter’s statistics show that 94.3% of unique targets were located in the 10 most targeted countries.
Distribution of unique DDoS attack targets by country, Q1 2016 vs. Q2 2016
Here too China was the leader: 71.3% of all DDoS attacks targeted unique resources located in the country (vs. 49.7% in Q1).
In Q2 2016 China, South Korea and the US remained leaders in terms of the number of DDoS attacks #KLReportTweet
The growth in the proportion of attacks on Chinese resources resulted in a decline in the share of attacks on resources in the other TOP 10 countries: South Korea saw its share fall by 15.5 percentage points, while the contribution of the US fell by 0.7 p.p.
Russia left the TOP 5 after its share decreased by 1.3 p.p. Vietnam took Russia’s place after its share remained unchanged (1.1%). Germany and Canada both left the TOP 10 and were replaced by France and the Netherlands on 0.9% and 0.5% respectively.
Changes in DDoS attack numbers
DDoS activity was relatively uneven in Q2 2016, with a lull from late April till the end of May and two sharp peaks on 29 May and 2 June. The peak number of attacks in one day was 1,676, recorded on 6 June.
Number of DDoS attacks over time* in Q2 2016
*DDoS attacks may last for several days. In this timeline, the same attack can be counted several times, i.e. one time for each day of its duration.
The longest DDoS attack in Q2 2016 lasted for 291 hours (or 12.1 days) #KLReportTweet
An analysis of the data for the first half of 2016 shows that although the distribution of DDoS attack numbers by day of the week remains uneven, a steady upward trend is evident.
Number of DDoS attacks, Q1 2016 – Q2 2016
In Q2, Tuesday was the most active day of the week for DDoS attacks (15.2% of attacks), followed by Monday (15.0%). Thursday, which came second in Q1, fell one place (-1.4 p.p.). Sunday became the quietest day of the week in terms of DDoS attacks (13.0%).
Distribution of DDoS attack numbers by day of the week
Types and duration of DDoS attacks
The ranking of the most popular attack methods remained unchanged from the previous quarter. The SYN DDoS method has further strengthened its position as leader: its share increased from 54.9% to 76%. The proportion of the other types of attacks decreased slightly except for UDP DDoS whose contribution grew by 0.7 p.p. However, those little fluctuations did not affect the order of the Top 5.
Distribution of DDoS attacks by type
The growth in the popularity of SYN-DDoS is largely down to the fact that during the second quarter of 2016, 70.2% of all detected attacks came from Linux botnets. This was the first time in a number of quarters that there has been such an imbalance between the activity of Linux- and Windows-based DDoS bots; previously, the difference had not exceeded 10 percentage points. Linux bots are the more suitable tool for SYN flooding: with raw sockets a bot can generate large volumes of SYN packets, including packets with spoofed source addresses, something the Windows networking stack does not let an ordinary process do.
Correlation between attacks launched from Windows and Linux botnets
Attacks that last no more than four hours remained the most popular, although their share decreased from 67.8% in Q1 to 59.8% in Q2 of 2016. At the same time, the proportion of longer attacks increased considerably – attacks that lasted 20-49 hours accounted for 8.6% (vs. 3.9% in the first quarter) and those that lasted 50-99 hours accounted for 4% (vs. 0.8% in the previous quarter).
SYN DDoS, TCP DDoS and HTTP DDoS remain the most common DDoS attack scenarios in Q2 2016 #KLReportTweet
The longest DDoS attack in the second quarter of 2016 lasted for 291 hours, which significantly exceeded the Q1 maximum of 197 hours.
Distribution of DDoS attacks by duration (hours)
C&C servers and botnet types
In Q2, South Korea remained the clear leader in terms of the number of C&C servers located on its territory, with its share amounting to 69.6%, a 2 p.p. increase from the first quarter of 2016. The TOP 3 countries hosting the most C&C servers (84.8%) remained unchanged, while Brazil (2.3%), Italy (1%) and Israel (1%) all entered the TOP 10.
Distribution of botnet C&C servers by country in Q2 2016
As in previous quarters, 99.5% of DDoS targets in Q2 2016 were attacked by bots belonging to one family. Cybercriminals launched attacks using bots from two different families (used by one or more botnet masters) in just 0.5% of cases. The most popular families of the quarter were Xor, Yoyo and Nitol.
Conclusion
The second quarter of 2016 saw cybercriminals paying close attention to financial institutions working with cryptocurrency. Several of these organizations cited DDoS attacks as the reason for ceasing their activities. Intense competition leads to the use of unfair methods, one of which is the use of DDoS attacks. A strong interest on the part of the attackers is due to a particular feature of the businesses involved in processing cryptocurrency – not everyone is happy about the lack of regulation when it comes to cryptocurrency turnover.
In Q2 2016, 70.2% of all detected attacks were launched from Linux botnets #KLReportTweet
Another trend is the use of vulnerable IoT devices in botnets to launch DDoS attacks. In one of our earlier reports, we wrote about the emergence of a botnet consisting of CCTV cameras; the second quarter of 2016 saw a certain amount of interest in these devices among botnet organizers. It is possible that by the end of this year the world will have heard about some even more “exotic” botnets, including vulnerable IoT devices.
Operating system security is one of Microsoft’s priorities. The developers of the new generation of Windows have vigorously responded to the most significant and relevant threats that target the Windows platform by developing numerous security technologies that were previously available only in third-party solutions. The system has become better protected, making the life of cybercriminals more difficult.
Nevertheless, in some cases, the tools provided by the operating system are not sufficient – the developers have had to make compromises in a number of areas, which has negatively affected system security and makes it necessary to use third-party IT security tools.
Because it is so widespread, Windows has been, and remains, the target of choice for cybercriminals of all stripes. Each new version is researched thoroughly by thousands of blackhats in search of new moneymaking opportunities. Whitehats, for whom Windows is the main battleground in their fight against the bad guys, also explore it. Naturally, Kaspersky Lab always carries out a painstaking analysis of all changes introduced by Microsoft to the security system in order to provide its users with the best possible protection against cyberthreats.
This review consists of three parts devoted to the most prominent new Windows 10 features that affect security. These are the Microsoft Edge browser, virtualization-based security and an updated built-in anti-malware solution called Windows Defender. All of these features have brought new capabilities to the Windows security system, but, unfortunately, they also come with some weaknesses of their own. In this paper, we use examples to demonstrate how Windows 10 protection technologies work and how they can be complemented by third-party solutions to improve system security.
Microsoft Edge
The latest browser, Microsoft Edge, is intended to replace Internet Explorer. It is included in Windows 10 as the default browser. The company has worked hard to implement numerous new features, some of which are security-related.
Support for Content Security Policy (CSP) was introduced to combat cross-site scripting and other content-injection attacks, and support for HTTP Strict Transport Security (HSTS) to prevent downgrade and SSL-stripping attacks against sites that should only be reached over HTTPS. Both are declared by the web service in its response headers, so they only help on sites whose owners deploy them. CSP in particular is designed not only to lower the chances of a successful attack but also to notify the web service’s owner about an attempt to carry one out, via its reporting directive.
Microsoft has also come up with ways to protect Edge against exploits, which were the curse of Internet Explorer. Now, by using containers and separating content handling operations into different processes, exploiting vulnerabilities has been made much more difficult. Finally, integration with SmartScreen should prevent users from visiting sites with malicious content.
In addition to supporting new technologies, the security of Edge has been enhanced by retiring vulnerable old ones. The browser no longer supports VML (Vector Markup Language), Browser Helper Objects (BHOs) or ActiveX controls, which are used by a multitude of advertising apps and malicious browser add-ons.
When it comes to technologies, however, the real security level is only tested by real-world attacks. It is well known that Banker Trojans usually carry out MiTB (Man-in-The-Browser) attacks, injecting their code in the browser process and hooking networking functions, which enables malicious users to perform online banking operations in the name of someone using an infected computer.
Attacks of this type require a browser-specific, and often version-specific, approach, which is why banker Trojans are updated with such regularity. In November 2015, it was reported that the Dyreza Trojan had been given functionality that enabled it to attack Microsoft Edge. However, the activity of that particular botnet fell to zero soon afterwards: updates ceased to be released and the command-and-control servers were taken offline.
Another infamous banker Trojan, Kronos, caught up with Edge in 2016. We checked out its capabilities on a Windows 10 virtual machine. In the code of the new Kronos version we found a function that checks the name and checksum of a process, as well as the hashes of the functions hooked by the malware.
Function that identifies the browser based on the checksum of its process name
Kronos checks the process’s name, converts the string to lower case, calculates its checksum and squares it. The hash obtained in this way is checked against a table – if it is found there, the Trojan will attempt to hook the functions it needs in the browser’s process.
Browser process names known to the Trojan:
Process name          Checksum
iexplore.exe          0x64302d39
chrome.exe            0x05d66cc4
firefox.exe           0x39ace100
opera.exe             0x9420a4a1
microsoftedge.exe     0x9b6d5990
microsoftedgecp.exe   0x949b93d9
In order to perform malicious operations that will make money for its owners, Kronos hooks the functions that create and send HTTP requests in the Wininet library.
List of wininet.dll functions hooked:
API function           Hash
HttpOpenRequestA       Y7D4D7E3T2T2A4U3
HttpQueryInfoA         C8C0U1A2G4G5Y2B5
HttpSendRequestA       Y4U1P2F2G7T2A4U3
InternetCloseHandle    A7S3H3X3D5Y7T7F7
InternetConnectA       H0S6D5Q7E8P3P6U5
InternetCrackUrlA      E6F2A3S8Y4C7D5A5
InternetOpenA          B7P8P7T4E3U2H5A5
InternetQueryOptionA   C1Y0B7E2B0P2P3T7
InternetReadFile       D6X2S6E3Q3C5B5X2
InternetSetOptionA     X3Y6Q2T7Q5Q2A5X6
Kronos hooks these functions by splicing: it overwrites the first bytes of each target function with a JMP (unconditional jump) to its own handler. Because the malicious code is injected into the browser as position-independent shellcode rather than loaded as a library, the image-load mitigation policy enabled in the browser (which restricts which DLLs the process may load) never sees it and does not block it from executing.
InternetReadFile function hook in MicrosoftEdgeCP.exe
Handler for the hooked function
Successfully hooking these functions enables the Trojan to inject data into web pages. It also enables Kronos to get information about the user, the user’s credentials and bank account balance, to redirect the user to phishing sites, or to include additional entry fields to the bank’s legitimate page (enabling the malware to find out the user’s reply to the secret question, credit card number, date of birth or phone number).
Web injection on a bank’s page
Note that Kronos can only attack Edge on the 32-bit version of Windows 10. But this is not a fundamental constraint – there are now bankers that work with the 64-bit version of Edge, as well.
In the beginning of the year, a new modification of the infamous Gozi banker appeared. Among other things, it was designed to carry out an MiTB attack against Edge under a 64-bit version of Windows 10. The Trojan injects its code into the RuntimeBroker.exe process, launches the browser on behalf of that process and injects its code into the browser’s own processes.
Part of the function that checks process names for injection
As in the case of Kronos, the injected code hooks functions that create and send HTTP requests. However, instead of splicing, it substitutes IAT pointers as well as function addresses in the Export Table.
Part of the function that checks process names to set the right hooks for each browser
HttpSendRequestW hook set by Gozi banker in the MS Edge browser
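Both hooking techniques leave artifacts that can be checked from a memory dump or from bytes read out of the browser process. The following is an added example, not code from the article or from either Trojan: it scans the first bytes of exported functions for splice trampolines (JMP rel32, PUSH/RET, indirect JMP), as Kronos plants them, and checks IAT or export-table pointers against the module that should implement the function, as Gozi swaps them, flagging anything that resolves to memory not backed by a loaded module. The module addresses, export bytes and import table are a constructed 32-bit layout, and the helper names (module_for, decode_redirect, find_inline_hooks, find_pointer_hooks) are my own.

```python
"""Detecting inline (splicing) hooks and IAT/EAT pointer hooks in a process image.

Added example, not part of the original article. It works on a constructed
in-memory model of a 32-bit browser process (module ranges, the first bytes
of exported functions, and an import table) so that it runs anywhere; the
same checks apply to bytes taken from a memory dump or ReadProcessMemory.
"""
import struct

# Constructed module layout: (name, base, end). Anything outside these ranges is
# unbacked memory such as a heap or a VirtualAlloc'd shellcode region.
MODULES = [
    ("wininet.dll", 0x76C00000, 0x76D00000),
    ("kernel32.dll", 0x77000000, 0x77100000),
]


def module_for(addr, modules=MODULES):
    """Name of the module containing addr, or None for memory not backed by any module."""
    for name, base, end in modules:
        if base <= addr < end:
            return name
    return None


def decode_redirect(code, addr):
    """Classify the first instruction at addr if it is a common splice trampoline.

    Returns (kind, target):
      E9 rel32        jmp rel32               -> absolute target computed from addr
      68 imm32 C3     push imm32 ; ret        -> imm32
      FF 25 disp32    jmp dword ptr [disp32]  -> disp32 (the pointer slot, not resolved here)
    and (None, None) for anything else, e.g. an intact function prologue.
    """
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp_rel32", (addr + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return "push_ret", struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 6 and code[0] == 0xFF and code[1] == 0x25:
        return "jmp_indirect", struct.unpack_from("<I", code, 2)[0]
    return None, None


def find_inline_hooks(exports, modules=MODULES):
    """exports: {function name: (address, first bytes)}.

    A trampoline whose target lies inside a loaded module may be a legitimate
    hot-patch or forwarder; one that lands in unbacked memory is reported.
    """
    hits = []
    for name, (addr, code) in exports.items():
        kind, target = decode_redirect(code, addr)
        if kind and module_for(target, modules) is None:
            hits.append({"function": name, "kind": kind, "target": target})
    return hits


def find_pointer_hooks(table, expected_module, modules=MODULES):
    """table: {function name: pointer} from an IAT or export table.

    Every pointer must resolve into the module that implements the function;
    anything else (another module, or no module at all) is a swapped pointer.
    """
    return [
        {"function": name, "pointer": ptr, "resolved_to": module_for(ptr, modules)}
        for name, ptr in table.items()
        if module_for(ptr, modules) != expected_module
    ]


def jmp_rel32(src, dst):
    """Encode `jmp dst` placed at src; used only to build the constructed sample."""
    return b"\xE9" + struct.pack("<i", dst - (src + 5))


# Constructed sample mirroring the situation in the screenshots (not real dumps).
INTACT_PROLOGUE = b"\x8B\xFF\x55\x8B\xEC\x83"   # mov edi,edi ; push ebp ; mov ebp,esp ; sub ...
SAMPLE_EXPORTS = {
    "InternetReadFile": (0x76C12340, jmp_rel32(0x76C12340, 0x00A11000)),   # spliced to shellcode
    "HttpSendRequestA": (0x76C15670, INTACT_PROLOGUE),                      # untouched
    "InternetOpenA":    (0x76C18900, b"\x68\x00\x20\xA1\x00\xC3"),          # push 0x00A12000 ; ret
    "InternetConnectA": (0x76C19000, jmp_rel32(0x76C19000, 0x76C19100)),   # jump inside wininet: not reported
}
SAMPLE_IAT = {
    "HttpSendRequestW": 0x00A11800,   # swapped to attacker code on the heap
    "InternetReadFile": 0x76C12340,   # still points into wininet
}

if __name__ == "__main__":
    for hit in find_inline_hooks(SAMPLE_EXPORTS):
        print("inline hook:", hit)
    for hit in find_pointer_hooks(SAMPLE_IAT, "wininet.dll"):
        print("pointer hook:", hit)
```

On a live system the same logic is applied to the bytes at each export of wininet.dll inside the MicrosoftEdgeCP.exe process and to that process’s import table; for the Gozi case the export table of wininet.dll itself must be checked too, since the swapped pointer lives there rather than in the importing module.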
Note that Windows Defender successfully blocks the current versions of Kronos and Gozi. Nevertheless, new malware and adware will emerge that is capable of using Edge for its own purposes.
Virtualization-Based Security
In the corporate version of Windows 10, Microsoft has implemented a new approach to security that is based on Microsoft Hyper-V, a hardware-assisted virtualization technology. The new paradigm, called Virtualization Based Security (VBS), is based on a whitelisting mechanism that only allows applications that are on the trusted-application list to be executed, and on isolating the most important services and data from other components of the operating system.
VBS depends on the platform and CPU features, which means that the technology needs the following to operate:
- Windows 10 Enterprise.
- UEFI firmware v2.3.1+ with Secure Boot support.
- CPU supporting Intel VT-x/AMD-V virtualization features.
- 64-bit architecture.
- CPU with support for the Second Level Address Translation (SLAT) mechanism.
- Intel VT-d/AMD-Vi IOMMU (optional, but required for protection against DMA attacks).
- Ability to lock down the UEFI firmware’s configuration and to update the firmware securely.
- TPM (optional).
Microsoft uses the Hyper-V hypervisor as its virtualization platform. The less code a hypervisor contains, the fewer attack vectors exist against it, so the compactness of Hyper-V is very beneficial for security. The hypervisor is launched by the boot loader at an early stage of startup, under UEFI Secure Boot and before the Windows kernel, rather than being brought up later by a kernel-mode driver; the kernel therefore runs under the hypervisor’s control from the start.
Hyper-V initialization procedure
In VBS, with the hypervisor active, each virtual CPU is assigned a Virtual Trust Level (VTL) attribute. Two attributes are currently used: VTL 1 (“Secure World”) and VTL 0 (“Normal World”). VTL 1 is more privileged than VTL 0.
Secure Kernel Mode or SKM (Ring 0, VTL 1) includes a minimal kernel (SK), a Code Integrity (CI) module and an encryption module. Isolated User Mode or IUM (Ring 3, VTL 1) includes several isolated services called Trustlets that are isolated not only from the external world but also from each other. In “Normal World” (VTL 0) mode, the traditional kernel, kernel-mode drivers, processes and services work according to the former rules.
Diagram describing the two worlds
When the hypervisor is active, physical RAM pages and their attributes are only controlled by the secure isolated kernel (SK). It can manipulate page attributes, blocking or allowing reading, writing or executing code on specific pages. This makes it possible to prevent execution of untrusted code, malicious modification of trusted application code, as well as to make leaking protected data more difficult.
In this architecture, the only component that controls the execution of any code in the system is the secure, isolated Code Integrity (CI) module. The kernel in the “Normal World” cannot set the attributes of kernel-mode physical pages.
Credential Guard
Credential Guard is one of the main functional blocks of VBS. It isolates secrets in such a way as to ensure that only trusted code has access to them. This helps to withstand direct memory access (DMA) attacks, as well as pass-the-hash and pass-the-ticket attacks.
System Information. Credential Guard and HVCI
We have tested the technology, attempting to get secret data using direct memory access. We used Mimikatz and Inception hacker tools for this. Nothing worked. These hacker tools were powerless against Credential Guard.
DMA attack using the Inception tool
Device Guard
The Device Guard technology that is part of VBS is the successor of Microsoft AppLocker. It controls the launching and execution of all code: executable files and dynamic libraries, kernel-mode drivers and scripts (e.g., PowerShell). This is based on a code integrity policy created by the system administrator that defines which software is regarded as trusted.
The main difficulty in using Device Guard is in creating a proper policy, which can be difficult even for experienced system administrators. Ideally, the procedure is as follows:
- Enable the necessary Windows 10 VBS mechanisms on a test computer.
- Prepare a master image of Windows OS.
- Install all the necessary software.
- Create a code integrity policy based on certain rules and leave it in audit mode for some time. During this time, software can be added or changed.
- Watch the event log for CI events.
- Perform any necessary policy adjustments, such as signing any software that is not signed.
- Consolidate the original policy with the version created while the policy was in audit mode.
- Disable audit mode in the code integrity policy, replacing it with enforced mode.
- Distribute the prepared policy to end users.
A code integrity policy defines the conditions for executing code both in user mode (User Mode Code Integrity or UMCI) and in kernel mode (Kernel Mode Code Integrity or KMCI). Secure loading of the Windows kernel itself is provided by the Secure Boot technology. The integrity policy needs to be maintained and updated based on the software requirements in place at a specific organization.
In addition to the integrity policy, there are other restrictions on executing code. A physical memory page is given the “executable” attribute only after the signature on the code it holds has been validated. Additionally, a kernel-mode page cannot have the “writable” and “executable” attributes at the same time (the W^X restriction), which prevents most kernel-mode exploits and hooks from working. An attempt to modify the contents of a kernel-mode page that has the “readable” and “executable” attributes raises an exception; if it is not handled, Windows stops and displays a BSOD.
As a result, it is impossible to execute unsigned drivers, applications, dynamic libraries, UEFI modules and some script types when the hypervisor and all the security options, such as Secure Boot, TPM, IOMMU, and SLAT are active. Depending on settings, code that is signed but not trusted can also be blocked from being executed.
To protect the policy from unauthorized changes or substitution, Microsoft suggests that it should be signed using a certificate generated by the administrator. To remove a policy or change settings, another policy signed with the same certificate is required. If an attempt is made to remove a policy or ‘plant’ an unsigned policy, the operating system will not start.
Still, Device Guard is not perfect. Increased protection comes at a price – in the form of performance degradation. This is unavoidable due to the presence of a hypervisor. The convoluted process of creating, configuring and maintaining a code integrity policy can be considered a weakness of the technology. The options used by the policy are scattered across the operating system and cannot be managed through a single control panel. As a result, it is easy to make a mistake, leading to weaker protection.
Since Secure Boot plays a key role in this technology, the level of protection depends heavily on the quality of the UEFI code, which is developed by third parties over which Microsoft has no control. Finally, the absence of protection against user-mode exploits is disappointing.
Testing VBS
If malicious code makes its way onto a computer with VBS by taking advantage of a vulnerability, it will have to elevate its privileges to kernel mode to be able to attack the hypervisor, the “Secure World” or UEFI. We tried to do this using a signed and trusted kernel mode driver.
Kernel mode penetration testing results (a “+” means the protection held; the observed outcome is given in brackets):
- W+X PE section .INIT: + (by design)
- W^X PE section .INIT: + (as is)
- W+X PE section: + (no start)
- Allocate MEM, execute: + (BSOD)
- R PE section, write, execute: + (BSOD)
- Allocate NP/P MEM, hack PTE manually: + (BSOD)
- R+X section, remove WP in CR0: + (BSOD)
- Stack code execution: + (BSOD)
- Allocate MEM, hack MDL manually: + (BSOD)
None of the attack methods that we tried was successful. Attacks based on changing control registers (CR0-CR8) and model-specific registers (EFER and other MSRs) did not work either: they all ended in a Privileged Instruction exception (0xC0000096).
We also carried out some tests in user mode, trying to circumvent a code integrity policy in enforced mode. The objective was to execute an unsigned application or load an unsigned dynamic library into a trusted process. We were unable to do this directly, but we found a curious error in the Windows 10 preview release (10154).
The error was that, although Device Guard checked whether an application, driver or library carried a signature from a trusted signer, it did not verify that the signature actually covered the file it was attached to. This made it possible to extract a valid signature from any trusted application and append it to any untrusted one, after which the system treated the untrusted application as trusted. Using a signature lifted from another application, we were able to execute an untrusted application and to load an untrusted dynamic library.
We immediately reported the error to Microsoft and it was fixed within a few days. Windows 10 RTM (10240) does not include that error.
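As an added illustration of the bug class described above (not Kaspersky's test code, and not Device Guard's real verifier), the following Python models a signature check that validates the signature object but never binds it to the file it is attached to. The trust root, the blob format and the HMAC-based “signature” are assumptions chosen to keep the example self-contained; Authenticode really uses X.509/PKCS#7 over a PE-specific hash, but the missing comparison is the same:

```python
import hashlib
import hmac

# Constructed trust model for this example: an HMAC key stands in for a
# signer's private key and TRUSTED_SIGNERS for the certificate store. Real
# Authenticode uses X.509/PKCS#7 over a PE-specific hash; the flaw being
# modelled is the same, the plumbing is not.
SIGNER_KEYS = {"Contoso": b"contoso-private-key"}
TRUSTED_SIGNERS = {"Contoso"}
SIG_MARKER = b"\n--SIGNATURE--\n"


def file_digest(body: bytes) -> bytes:
    return hashlib.sha256(body).digest()


def sign(body: bytes, signer: str) -> bytes:
    """Append a signature blob: signer|digest|tag, where the tag authenticates
    the digest (Authenticode likewise signs a digest of the image)."""
    digest = file_digest(body)
    tag = hmac.new(SIGNER_KEYS[signer], digest, hashlib.sha256).digest()
    blob = f"{signer}|{digest.hex()}|{tag.hex()}".encode()
    return body + SIG_MARKER + blob


def split_signed(data: bytes):
    """Return (body, signer, digest, tag), or None if no usable blob is present."""
    body, marker, blob = data.rpartition(SIG_MARKER)
    if not marker:
        return None
    try:
        signer, digest_hex, tag_hex = blob.decode().split("|")
        return body, signer, bytes.fromhex(digest_hex), bytes.fromhex(tag_hex)
    except ValueError:
        return None


def weak_verify(data: bytes) -> bool:
    """The flawed check: a well-formed blob from a trusted signer whose tag
    authenticates the digest *stated in the blob*. It never asks whether that
    digest is the digest of the bytes it is attached to."""
    parts = split_signed(data)
    if parts is None:
        return False
    _, signer, digest, tag = parts
    if signer not in TRUSTED_SIGNERS:
        return False
    expected = hmac.new(SIGNER_KEYS[signer], digest, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def strict_verify(data: bytes) -> bool:
    """The correct check: the weak check plus binding the signed digest to the
    bytes actually being loaded."""
    if not weak_verify(data):
        return False
    body, _, digest, _ = split_signed(data)
    return hmac.compare_digest(file_digest(body), digest)


def transplant(signed_trusted: bytes, unsigned_target: bytes) -> bytes:
    """The bypass: lift the blob off a trusted binary and append it to an
    arbitrary one."""
    _, _, blob = signed_trusted.rpartition(SIG_MARKER)
    return unsigned_target + SIG_MARKER + blob


def demo():
    trusted = sign(b"MZ constructed legitimate image", "Contoso")       # constructed
    forged = transplant(trusted, b"MZ constructed unsigned payload")     # constructed
    return {
        "trusted_weak": weak_verify(trusted),
        "trusted_strict": strict_verify(trusted),
        "forged_weak": weak_verify(forged),
        "forged_strict": strict_verify(forged),
    }
```

`demo()` returns the four verdicts: both checks accept the genuinely signed file, but only `strict_verify` rejects the transplanted one, because it is the only check that recomputes the digest of what it is about to load.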
We also discovered a denial-of-service error that makes it possible to crash the hypervisor with a BSOD from user space using a single assembly instruction. A fix for this error was included in Windows 10 TH2 (10586).
The hypervisor’s BSOD
Overall, Microsoft has done a great job in developing new security mechanisms. However, as in previous versions, there are still opportunities for attacks via the firmware. Another problem is that the system administrator needs to be highly qualified to configure protection properly. In the event of faulty configuration or loss of the private certificate, all protection becomes useless. In addition, there is no protection against user-mode vulnerabilities. It is also important to keep in mind that VBS is only available to users of the corporate Windows 10 version.
We have notified Microsoft of all the vulnerabilities discovered during testing.
Built-in Anti-Malware Protection in Windows
Let’s have a look at the Windows component that protects the system against malware in real time. It is enabled by default and, for users who do not install third-party anti-malware solutions, it is the main Windows IT security tool.
The principal purpose of built-in protection is to prevent the installation and execution of malware. It scans files and active processes in real time, identifying those that are malicious by checking them against a regularly updated signature database. In most cases, this protection is sufficient.
However, if you are an active Internet user and often perform critically important operations on your computer – such as managing your bank accounts via online banking – you need multi-tier protection. Even the best anti-malware solution can miss new, as yet unknown malware. In this case, only additional layers of protection can save the day by preventing a Trojan from carrying out malicious activity in the system.
We did some research and found a few real-life examples demonstrating that built-in protection may not be sufficient.
Keystroke Interception
Some banker Trojans intercept data entered on the keyboard to steal the user’s online banking account. Examples of such malware include Qadars, Zbot and Cridex. Many anti-malware solutions, including Kaspersky Internet Security, have a component that detects and blocks attempts by programs to intercept the sequence of keypresses. In some cases, this can be enough to prevent criminals from making money at the victim’s expense, even if they have managed to infect the computer.
We tested the response of built-in protection to keystroke logging with the help of a test application that uses the GetAsyncKeyState WinAPI function (this method is similar to the one used in the latest MRG testing). We were able to intercept the user’s login and password for a PayPal account with Windows Defender enabled.
Logging the user credentials while entering a PayPal account
Unauthorized Web Camera Access
In the next test, we tried to gain unauthorized access to the web camera. This functionality has been used increasingly in Trojans and other hacker tools in recent years. The fact that the AdWind Trojan includes a surveillance module that uses the web camera is a telling example of how popular this functionality is among cybercriminals.
Monitoring victims using their own web cameras can provide a wealth of information about them, which can later be used to make money illegally – for example, by blackmailing a victim with intimate videos.
Some anti-malware solutions can control application access to the camera. In real life, there are practically no situations in which a legitimate application could need to use the camera without notifying the user, which is why providing such notifications is a convenient and widely accepted practice. The user can decide in each specific case whether the application really needs to use the camera or whether this is suspicious activity that should be blocked.
Our test application used a publicly available library called OpenCV (which is what the Rover Trojan does, to give one example). A simple Python script captured video from the web camera and displayed it in a separate window. This means that an application was able to intercept video from the web camera on a Windows 10 machine with protection enabled, without the user being notified of this in any way.
Capturing the screen with a script
Control of Drive-By Downloads
Another problem that is among the most serious issues faced by Windows users is the numerous exploits that can be used to infect the system via vulnerabilities in various applications. We tested the built-in protection with one of the latest exploits for the CVE-2016-1019 vulnerability in Adobe Flash Player.
The exploit’s file is an SWF object compressed using the ZLIB algorithm.
The flash exploit
In this form, the file is recognized by Windows Defender and quarantined.
Successful detection of a packed exploit
However, if the file is decompressed into the original SWF, the security system will miss it.
Moreover, the same compressed file that was detected on the hard drive is served by websites in drive-by attacks and executes successfully in the browser's context. If a vulnerable version of Adobe Flash Player is installed, an infection can occur, because Windows Defender has no component that controls drive-by downloads.
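To make the point concrete, here is an added Python example (not Kaspersky's test harness and not Defender's engine) that parses the SWF container, inflates a zlib-compressed CWS file back to FWS, and compares a signature written against the compressed bytes with one applied after normalisation. The sample body and the marker used as a signature are constructed for this example:

```python
import struct
import zlib

# Constructed: a byte pattern inside the *uncompressed* SWF body standing in
# for a real detection signature. It is an assumption for this example.
BODY_SIGNATURE = b"EXPLOIT-MARKER-CVE-2016-1019"

# Constructed SWF body: ASCII "tag soup" around the marker, with enough
# repetition that zlib really compresses it rather than storing it.
SAMPLE_BODY = b"<DefineSprite id=1>" * 16 + BODY_SIGNATURE + b"<DoABC>" * 32


def build_swf(body: bytes, compressed: bool, version: int = 20) -> bytes:
    """Assemble a minimal SWF. The 8-byte header is the signature ('FWS' raw,
    'CWS' zlib), a version byte and the little-endian *uncompressed* length."""
    signature = b"CWS" if compressed else b"FWS"
    header = signature + bytes([version]) + struct.pack("<I", len(body) + 8)
    return header + (zlib.compress(body, 9) if compressed else body)


def normalise_swf(data: bytes) -> bytes:
    """Return the FWS form of an SWF, inflating CWS. ZWS (LZMA, SWF 13+) is
    reported rather than handled so it is never silently passed through."""
    if len(data) < 8:
        raise ValueError("too short for an SWF header")
    signature, version = data[:3], data[3]
    declared_len = struct.unpack("<I", data[4:8])[0]
    body = data[8:]
    if signature == b"CWS":
        body = zlib.decompress(body)
    elif signature == b"ZWS":
        raise NotImplementedError("LZMA-compressed SWF: hand to a fuller parser")
    elif signature != b"FWS":
        raise ValueError("not an SWF")
    if len(body) + 8 != declared_len:
        raise ValueError("declared length does not match decompressed size")
    return b"FWS" + bytes([version]) + struct.pack("<I", declared_len) + body


def raw_match(data: bytes, pattern: bytes) -> bool:
    """A scanner that only looks at the bytes as they sit on disk."""
    return pattern in data


def normalised_match(data: bytes, pattern: bytes) -> bool:
    """A scanner that unpacks the container first, so one signature covers the
    file however it is wrapped. Unparseable input is reported as no match."""
    try:
        return pattern in normalise_swf(data)
    except (ValueError, NotImplementedError, zlib.error):
        return False


def demo():
    cws = build_swf(SAMPLE_BODY, compressed=True)
    fws = build_swf(SAMPLE_BODY, compressed=False)
    packed_pattern = cws[8:24]  # a signature written against the zlib stream
    return {
        "packed_sig_hits_cws": raw_match(cws, packed_pattern),
        "packed_sig_hits_fws": raw_match(fws, packed_pattern),
        "body_sig_hits_cws": normalised_match(cws, BODY_SIGNATURE),
        "body_sig_hits_fws": normalised_match(fws, BODY_SIGNATURE),
    }
```

`demo()` shows the failure mode: a signature taken from the compressed stream matches the CWS file and nothing else, while a signature on the inflated body, applied after normalisation, matches the same exploit in either wrapping.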
Successful download of a Flash exploit that was previously detected on the hard drive
Conclusion
Today, a multi-tier approach is required to provide reliable protection for user systems, combining standard detection methods (signature-based analysis, behavioral analysis, etc.) with additional modules designed to detect attack techniques commonly used by cybercriminals.
As our brief review has demonstrated, in some cases the IT security technologies built into Windows 10 are not sufficient for full-scale protection against malicious attacks. As in previous Windows versions, all possible attack vectors should be blocked using dedicated Internet Security class security solutions.
In our last blogpost, Facebook malware: tag me if you can, we revealed a phishing campaign led by Turkish-speaking threat actors who exploited social networks to spread a Trojan that compromises the victim’s machine and captures its entire browser traffic. The report did not address the issue of lateral movement because Kaspersky Lab researchers were still investigating it.
After two weeks of research, Kaspersky Lab researcher Ido Naor, and Dani Goland, the CEO & co-founder of Israel-based company Undot, managed to extract the proverbial needle from a haystack: a Facebook vulnerability that allowed an attacker to replace the comment identifier parameter attached to each web/mobile Facebook comment with an identifier that was reserved for embedded plugins usually located on third-party websites (where they allowed visitors to comment with their Facebook identity).
By tampering with the comment identifier, the attacker was able to create a post on the victim’s Facebook timeline, tag their entire ‘Friends’ list in a comment to the post (which will store the array of tagged users in Facebook servers), and then replace the comment identifier with a third-party Facebook comments plugin identifier (controlled by the attacker) and delete the tagging. Since the notifications were already stored and “shipped” to the tagged friends, the act of replacing the web comment identifier with a Facebook plugin comment identifier resulted in the redirection of the tagged user outside of the Facebook platform, to a malicious link which instantly downloaded a Windows JSE file. And where would be the best place to store such a file if not in the victim’s cloud storage – Google Docs / Dropbox? If those were not present, the malware had a fail-safe mechanism that sent a tinyurl link as a Facebook message to the victim’s entire Facebook friends list and, just in case the message wasn’t delivered, a malicious Google short link was posted on the victim’s timeline along with a convincing message that contained pictures of the victim’s friends.
Facebook has now fixed the issue and blocked the vulnerability that was a key feature in spreading the malware.
It is worth mentioning that the code responsible for the vulnerability is filled with strings and variable names in the Spanish language, suggesting that whoever wrote it is not necessarily part of the Turkish-speaking group.
Looking at the complexity of the code puts it in an even more questionable position regarding the author’s identity. In addition, the file is completely dynamic and adaptive to every action made by an analyst, preventing them from fully inspecting the code.
While we were researching the malicious program Lurk in early February 2016, we discovered an interesting oddity in how this banking Trojan spreads. From the data we had, it emerged that the users attacked by Lurk also installed the remote administration software Ammyy Admin on their computers. At first, we didn’t really give this much thought, but further research showed that the official Ammyy Admin website had most probably been compromised, and the Trojan had been downloaded to users’ computers along with the legitimate Ammyy Admin software.
It turned out that on the official site of Ammyy Admin (which is used for remote desktop access) there was an installer that did not have a digital signature and was an NSIS archive. When this archive was launched, two files were created in a temporary folder and launched for execution:
- aa_v3.exe – installer of the administration tool Ammyy Admin, signed with a digital signature;
- ammyysvc.exe – malicious spyware program Trojan-Spy.Win32.Lurk.
In other words, the Ammyy Admin installer available for download on the manufacturer’s official website is basically a dropper Trojan designed to stealthily install a malicious program in the system, while displaying a screen mimicking the installation of legitimate software. We found out that the dropper was being distributed on a regular basis (with short breaks) over several hours on weekdays.
Last November other researchers wrote about this same method of distributing malware, however that publication did not stop the distribution of the Trojan.
Official Ammyy Admin website. Note the ‘Download’ button
By the way, some browsers (e.g. Mozilla Firefox) were flagging the www.ammyy.com website as potentially dangerous at the time of writing this post, and warning about the presence of unwanted software.
Mozilla Firefox warning page displayed when an attempt is made to access www.ammyy.com
To ensure successful distribution of the malicious program, the cybercriminals modified the PHP script on the Ammyy Group web server in such a way that the malicious dropper was provided when a download request was made.
An external function was added to the PHP script on the web server
In early April, the cybercriminals uploaded a new, slightly modified dropper for distribution. At launch, it used the function GetComputerNameExA to check if the computer being infected was part of a corporate network; if so, it launched the Lurk malicious program along with the remote administration tool. This shows that the cybercriminals were specifically hunting for corporate workstations and servers.
We should note that attacks of this type (Watering Hole) are very effective, and doubly dangerous if they target the users of a remote administration software tool: administrators using such a tool might presume that a malware (or malicious activity) detection event reported by their security software is a false positive triggered by the presence of the remote administration tool itself, and allow the detected activity. Moreover, they could disable protection or add the malicious program to the tracking and checking exemption list, thus allowing it to infect the computer. Kaspersky Lab products detect this type of legitimate software (remote administration tools), but with a ‘not-a-virus’ verdict, displaying a yellow detection notification window. This is done in order to keep the user informed when remote access software is launched on a computer, because this type of software was used by Lurk operators without the victim’s knowledge or consent, and is still used by cybercriminals distributing other malware adapted to steal money.
As soon as we discovered that the Ammyy Group website had been breached and was distributing a malicious program, we reported it to the company’s representatives. After that, as Ammyy Group communicated, the site was checked, and the alien code was removed. In February, we notified the company of three such instances when malware was being distributed, and each time the problem was solved, although only temporarily.
Interestingly, on June 1 the content of the dropper changed. On that very day, it was reported that the creators of Lurk had been arrested, and the website began distributing a new malicious program, Trojan-PSW.Win32.Fareit, in place of Lurk; this new Trojan was also designed to steal personal information. This suggests the malicious actors behind the Ammyy Admin website breach are offering the chance to buy a place on their Trojan dropper in order to spread malware from ammyy.com.
We informed Ammyy Group of the new attack and the new malware being distributed from the website ammyy.com.
Kaspersky Lab’s products proactively protect users from the installation of the malicious dropper program (as well as from the piggybacked programs Trojan-Spy.Win32.Lurk and Trojan-PSW.Win32.Fareit), and block it from being downloaded from the website ammyy.com.
MD5
Industrial control systems (ICS) surround us: they are used in electric, water and wastewater, oil and natural gas, transportation, chemical, pharmaceutical, pulp and paper, food and beverage, and discrete manufacturing (e.g., automotive, aerospace, and durable goods). Smart cities, smart houses and cars, medical equipment – all of that is driven by ICS.
The expansion of the Internet makes ICS easier prey for attackers. The number of ICS components reachable over the Internet increases every year. Since many ICS solutions and protocols were originally designed for isolated environments, such exposure, combined with the lack of security controls, often gives a malicious user multiple ways to affect the infrastructure behind the ICS. Moreover, some components are vulnerable in themselves. The earliest published information about vulnerabilities in ICS components dates from 1997, when only two vulnerabilities were published. Since then the number has grown significantly: over the past five years it has risen from 19 vulnerabilities in 2010 to 189 in 2015.
Sophisticated attacks on ICS are no longer new. It is worth remembering the 2015 incident in Ivano-Frankivsk, Ukraine, where around half of the homes were left without electricity because of a cyber-attack against the Prykarpattyaoblenergo power company, only one of multiple victims of the BlackEnergy APT campaign.
Another notable incident, happened in 2015 and described in Verizon Data Breach Digest, is an attack on Kemuri Water Company’s ICS infrastructure, when intruders infiltrated a water utility’s control system and changed the levels of chemicals being used to treat tap water. The intrusion was performed through a vulnerable externally available system, that managed programmable logic controllers (PLCs) regulating valves and ducts that controlled the flow of water and chemicals used to treat it through the system.
Also in 2015 there were other ICS-related incidents, such as attacks on a steel mill in Germany and on the Frederic Chopin Airport in Warsaw.
In this research we provide an overview of the current situation with ICS security worldwide from the point of view of vulnerabilities, and vulnerable ICS components exposed to the Internet.
Analysis Approach
The research focuses on two areas: vulnerabilities, and ICS availability over the Internet. Vulnerability information was gathered from open sources, such as Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) advisories, NVD/CVE, SCADA Strangelove, Siemens ProductCERT and other information available online. Severity levels were assessed using the Common Vulnerability Scoring System (CVSS) versions 2 and 3. CVSS v2 was used to compare vulnerability statistics for 2014 and 2015, and also for any vulnerability that had no CVSS v3 score assigned.
In the second part of the research (ICS availability over the Internet) we used a passive approach based on information from the Shodan search engine. To identify ICS systems in Shodan results we used a fingerprint knowledge base of about 2000 records that identifies product vendors and versions from banners.
Main Findings
- The number of vulnerabilities in ICS components keeps growing. With increased attention to ICS security over the last several years, more and more information about vulnerabilities in these systems is becoming public. However, vulnerabilities themselves could be present in these products for years before they are revealed. In total, 189 vulnerabilities in ICS components were published in 2015, and most of them are critical (49%) or have medium severity (42%).
- Vulnerabilities are exploitable. For 26 of the vulnerabilities published in 2015, exploits are available. Besides, for many vulnerabilities (such as hard-coded credentials) no exploit code is needed at all to obtain unauthorized access to the vulnerable system. Moreover, our ICS security assessment projects show that owners often treat ICS as a “black box”, so default credentials in ICS components are frequently left unchanged and can be used to gain remote control over the system. The SCADAPASS project of the SCADA Strangelove team provides a representation of known default ICS credentials; currently information on 134 ICS components from 50 vendors is available.
- ICS vulnerabilities are widely diversified. New vulnerabilities were found in 2015 in ICS components from 55 different vendors and of many types (HMI, electrical devices, SCADA, industrial network devices, PLCs and multiple others). The largest number of vulnerabilities were found in Siemens, Schneider Electric and Hospira devices. Vulnerabilities in ICS components are of different kinds; the most widespread types are buffer overflows (9% of all detected vulnerabilities), use of hard-coded credentials (7%) and cross-site scripting (7%).
- Not all of the vulnerabilities found in 2015 are fixed. Patches and new firmware are available for 85% of the published vulnerabilities; the rest are not fixed or are only partially fixed for various reasons. Most of the unpatched vulnerabilities (14 out of 19) are high risk. These unpatched vulnerabilities pose a significant risk to the owners of the corresponding systems, especially those who, due to inappropriate network configuration management, have their vulnerable ICS systems exposed to the Internet. Examples include the 11,904 remotely accessible SMA Solar Sunny WebBox interfaces that are at risk of compromise through hard-coded passwords. Although for Sunny WebBox this number has fallen significantly since 2014 (when over 80 thousand accessible components were found), it is still high, and the unfixed hard-coded credentials issue (published in 2015) now puts these systems at a much higher risk than was previously thought.
- Numerous ICS components are available via the Internet. 220,668 ICS components were discovered by the Shodan search engine. They are located on 188,019 hosts in 170 countries. Most of the remotely available hosts with ICS components are located in the United States (30.5%) and Europe. Among European countries Germany has a leading position (13.9%) followed by Spain (5.9%). The available systems are of 133 different vendors. The most widespread ones are Tridium (11.1%), Sierra Wireless (8.1%), and Beck IPC (6.7%).
- Insecure protocols are widely used by remotely accessible ICS components. A number of protocols are open and insecure by design, such as HTTP, Niagara Fox, Telnet, EtherNet/IP, Modbus, BACnet, FTP, Omron FINS, Siemens S7 and many others. They are used on 172,338 different hosts, which corresponds to 91.6% of all the externally accessible ICS devices found. This gives an attacker additional ways to compromise the devices, for example by performing man-in-the-middle attacks.
- Multiple vulnerable ICS components are externally available. We found 13,033 vulnerabilities on 11,882 hosts (6.3% of all hosts with externally available components). The most widespread revealed vulnerabilities are Sunny WebBox Hard-Coded Credentials (CVE-2015-3964), and critical vulnerabilities CVE-2015-1015 and CVE-2015-0987 in Omron CJ2M PLC. Combining these results with statistics of usage of insecure protocols, we were able to estimate the total number of vulnerable ICS hosts as 172,982 (92%).
- Multiple industries are affected. We found that at least 17,042 ICS components on 13,698 different hosts in 104 countries likely belong to large companies, and the availability of these components from the Internet is likely associated with significant risks. Among the owners we were able to identify 1,433 large organizations, including ones belonging to the following industries: electricity, aerospace, transportation (including airports), oil and gas, metallurgy, chemicals, agriculture, automotive, utilities, drinks and food manufacturing, construction, liquid storage tanks, smart cities, and ICS vendors. There are also research and education entities, government institutions (including police), medical centers, financial organizations, resorts, hotels, museums, libraries, churches and many small businesses among the identified owners of remotely accessible ICS. The number of vulnerable externally accessible ICS hosts that likely belong to large organizations is 12,483 (91.1%), of which 453 hosts (3.3%), including hosts belonging to energy, transportation, gas, engineering, manufacturing, and drink and food manufacturing organizations, contain critical vulnerabilities.
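An added Python sketch (not the report's fingerprint knowledge base, which is not public) of how banner fingerprinting and the insecure-protocol tally fit together: a few regex fingerprints identify vendor, product and version from a service banner, a port table supplies the protocol and the report's insecure-by-design verdict, and a summary function produces the kind of counts presented above. The banners, the port-to-protocol mapping and the fingerprint patterns are constructed for this example and only approximate what Shodan returns:

```python
import re
from collections import Counter

# Default ports as Shodan usually sees these services (assumption), with the
# report's "open and insecure by design" verdict for each protocol.
PORT_PROTOCOLS = {
    21: ("FTP", True), 23: ("Telnet", True), 80: ("HTTP", True),
    102: ("Siemens S7", True), 502: ("Modbus", True),
    1911: ("Niagara Fox", True), 4911: ("Niagara Fox", True),
    9600: ("Omron FINS", True), 44818: ("EtherNet/IP", True),
    47808: ("BACnet", True), 22: ("SSH", False), 443: ("HTTPS", False),
}

# Constructed fingerprint knowledge base: (vendor, presence regex, product
# as a literal or a capturing regex, version regex). Patterns approximate the
# shape of real Shodan banners but were written for this example.
FINGERPRINTS = [
    ("Tridium", re.compile(r"^fox a \d+ -\d+ fox hello", re.M),
     "Niagara Framework",
     re.compile(r"^app\.version=s:([\d.]+)$", re.M)),
    ("Siemens", re.compile(r"Original Siemens Equipment"),
     re.compile(r"^Module type: (.+)$", re.M),
     re.compile(r"^Basic Firmware: v\.([\d.]+)$", re.M)),
    ("Schneider Electric", re.compile(r"Device Identification: Schneider Electric"),
     re.compile(r"Device Identification: Schneider Electric (.+?) v[\d.]+$", re.M),
     re.compile(r"Device Identification: Schneider Electric .+? v([\d.]+)$", re.M)),
]


def identify(port: int, banner: str) -> dict:
    """Classify one (port, banner) pair: protocol and insecure flag from the
    port table, vendor/product/version from the first matching fingerprint."""
    protocol, insecure = PORT_PROTOCOLS.get(port, ("unknown", False))
    result = {"port": port, "protocol": protocol, "insecure": insecure,
              "vendor": None, "product": None, "version": None}
    for vendor, needle, product, version in FINGERPRINTS:
        if not needle.search(banner):
            continue
        result["vendor"] = vendor
        if isinstance(product, str):
            result["product"] = product
        else:
            m = product.search(banner)
            result["product"] = m.group(1).strip() if m else None
        m = version.search(banner)
        result["version"] = m.group(1) if m else None
        break
    return result


def summarize(hosts) -> dict:
    """hosts: iterable of (ip, port, banner). Returns the kind of counts the
    report presents: identified ICS hosts, vendor split, insecure-protocol share."""
    ids = [identify(port, banner) for _, port, banner in hosts]
    ics = [r for r in ids if r["vendor"]]
    return {
        "hosts": len(ids),
        "ics_hosts": len(ics),
        "insecure_ics_hosts": sum(r["insecure"] for r in ics),
        "by_vendor": dict(Counter(r["vendor"] for r in ics)),
    }


# Constructed sample hosts on TEST-NET-1 addresses; banners approximate
# Shodan's rendering of Niagara Fox, S7 and Modbus device identification.
SAMPLE_HOSTS = [
    ("192.0.2.10", 1911, "fox a 1 -1 fox hello\n{\nfox.version=s:1.0\nid=i:1\n"
                         "hostName=s:station01\napp.name=s:Station\n"
                         "app.version=s:3.8.38\nstation.name=s:Plant_1\n};;\n"),
    ("192.0.2.11", 102, "Copyright: Original Siemens Equipment\nPLC name: S7_Turbine\n"
                        "Module type: CPU 315-2 PN/DP\nBasic Firmware: v.3.2.6\n"),
    ("192.0.2.12", 502, "Unit ID: 1\n-- Device Identification: Schneider Electric BMX P34 2020 v2.60\n"),
    ("192.0.2.13", 443, "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"),
]
```

Two caveats a practitioner would keep in mind: a port table is only a heuristic for the protocol (a real pipeline fingerprints the protocol from the banner too), and a vendor match says nothing about exposure until it is joined with the advisory data, which is the step that turned identified hosts into the vulnerable-host counts above.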
ICS vulnerabilities by year
ICS vulnerabilities in 2015 by risk level (CVSS v.2 and CVSS v.3)
TOP 20 countries by ICS availability
TOP 15 protocols used by externally available ICS components
TOP 5 vulnerabilities on ICS components
ICS availability by vendor
The above results are only lower-bound estimates; the real number of accessible ICS components associated with significant risks could be much higher.
Conclusion
Where protection is concerned, the isolation of critical environments can no longer be regarded as a sufficient security control for ICS. The business requirements of the 21st century often make it a necessity to integrate ICS with external systems and networks. In addition, the capabilities, motivations and number of threat actors focusing on ICS environments are increasing. From infected hard drives or USB sticks, to unauthorized connections from ICS networks to the Internet through personnel smartphones or modems, and from infected distribution kits obtained from vendors, to a hired insider: all of these methods are available to highly skilled intruders planning an attack on a physically and logically isolated ICS network.
Nowadays, ICS owners should be aware of modern vulnerabilities and threats, and actively improve the security of their ICS environments based on this knowledge. Here, active vendor support is crucial for the prompt identification and remediation of vulnerabilities in ICS products, as well as for sharing workarounds to protect systems before patches are released.
The specific nature of ICS, where cybersecurity is closely tied to physical safety, often fails to receive the treatment such conditions demand. Small and medium businesses, as well as individuals, rely completely on vendors for the security of the Internet of Things. Consumers do not go beyond the simple basic steps in device manuals, and so end up with devices that are ready to work and easily accessible, but also vulnerable. In the enterprise sector, by contrast, companies understand the high risks associated with an incorrectly configured ICS environment. Yet for that very reason system owners often treat ICS devices as “black boxes” and are reluctant to make changes to the environment, including cybersecurity enhancements.
The findings of this research are a further reminder that the “security through obscurity” principle cannot serve as a good basis for effective protection against modern attacks, and that industrial control system security should not be treated superficially in favor of safety, especially because security and safety in this area are inextricably connected.
Dropping Elephant (also known as “Chinastrats”) is a relatively new actor targeting a variety of high profile diplomatic and economic targets using a custom set of attack tools. Its victims are all involved with China’s foreign relations in some way, and are generally caught through spear-phishing or watering hole attacks.
Overall, the activities of this actor show that low investment and ready-made offensive toolsets can be very effective when combined with high quality social engineering. We have seen more such open source toolset dependency with meterpreter and BeEF, and expect to see this trend continue.
The Attack Method: Infection Vector
Dropping Elephant uses two main infection vectors that share a common, and fairly elaborately maintained, social engineering theme – foreign relations with China.
The first approach involves spear-phishing targets using a document with remote content. As soon as the user opens the document, a “ping” request is sent to the attackers’ server. At this point, the attackers know the user has opened the document and send another spear-phishing email, this time containing an MS Word document with an embedded executable. The Word document usually exploits CVE-2012-0158. Sometimes the attackers send an MS PowerPoint document instead, which exploits CVE-2014-6352.
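The report does not say how the "remote content" in the first-stage document is embedded. One common way for an Office document to phone home on open is an external relationship inside the OOXML package (an image, attached template or OLE object whose Target is a URL instead of a part in the ZIP). The following script is an added example, not code from the report or the actor: it builds a constructed minimal .docx with such a relationship and a clean one, and shows how a triage script can list every remote target before the document is ever opened. The mechanism, the sample file contents and the tracker URL are all assumptions for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
# Targets that make Office reach outside the package when the document is opened.
REMOTE_PREFIXES = ("http://", "https://", "file://", "\\\\")


def external_relationships(docx_bytes):
    """List (rels part, relationship type, target) for every external, remote relationship.

    Each part's relationships live in a *.rels XML file inside the ZIP package. A
    relationship with TargetMode="External" and a URL/UNC target is what lets a
    document fetch content (and thereby signal "opened") from an attacker server.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and target.lower().startswith(REMOTE_PREFIXES):
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, rel_type, target))
    return found


def build_sample_docx(remote_target=None):
    """Constructed minimal .docx (assumed layout); with remote_target set, the body image is external."""
    rels = [f'<Relationship Id="rId1" Type="{OFFICE_REL}/styles" Target="styles.xml"/>']
    if remote_target:
        rels.append(
            f'<Relationship Id="rId2" Type="{OFFICE_REL}/image" '
            f'Target="{remote_target}" TargetMode="External"/>'
        )
    parts = {
        "[Content_Types].xml": (
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
            "</Types>"
        ),
        "_rels/.rels": (
            f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{OFFICE_REL}/officeDocument" Target="word/document.xml"/>'
            "</Relationships>"
        ),
        "word/document.xml": (
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            "<w:body><w:p><w:r><w:t>Invitation</w:t></w:r></w:p></w:body></w:document>"
        ),
        "word/styles.xml": '<w:styles xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>',
        "word/_rels/document.xml.rels": f'<Relationships xmlns="{REL_NS}">{"".join(rels)}</Relationships>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    # tracker.example is a placeholder URL, not an indicator from the report
    print(external_relationships(build_sample_docx("http://tracker.example/ping.png")))
    print(external_relationships(build_sample_docx()))
```

Run against a real mail attachment (`external_relationships(open(path, "rb").read())`) the same function reports any URL or UNC target the document would contact, which is enough to quarantine it before a user opens it. Note that fields such as INCLUDEPICTURE inside document.xml can also pull remote content; this check only covers relationship files.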
Once the payload is executed, an UPX packed AutoIT executable is dropped. Upon execution, this downloads additional components from the attackers’ servers. Then the stealing of documents and data begins.
The second approach involves capturing victims through watering hole attacks. The actor created a website that downloads genuine news articles from other websites. If a website visitor wants to view the whole article they would need to download a PowerPoint document. This reveals the rest of the article, but also asks the visitor to download a malicious artifact.
The two main infection vectors are supported by other approaches. Sometimes the attackers email out links to their watering hole websites. They also maintain Google+, Facebook and Twitter accounts to build relevant SEO and reach a wider set of targets. Occasionally these links get retweeted, indiscriminately bringing more potential victims to their watering holes.
The Attack Tools
1. Malware Analysis
The backdoor is usually UPX packed but still quite large. The reason is that most of the file consists of meaningless overlay data, since the file is an automatically generated AutoIT executable with an AutoIT3 script embedded inside. Once started, it downloads additional malware from the C2 and uploads some basic system information, stealing, among other things, the user's Google Chrome credentials. The backdoor also pings the C2 server at regular intervals. Connections to the same external host at a fixed interval stand out in firewall logs, and an analyst who looks for them can find out that something suspicious is going on in the network.
Generally speaking, backdoors download additional malware in the form of encrypted or packed executables/libraries. In the case of Dropping Elephant, however, the backdoor downloads encoded blobs that are decoded into PowerShell command-line "scripts". These scripts are run and in turn download the additional malware.
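The regular C2 "ping" described above is the detection opportunity the report points at. The following script is an added example, not part of the report: it runs over a constructed firewall log (the addresses, timestamps and line format are invented for illustration), groups connections per source, destination and port, and flags flows whose gaps between connections are nearly constant. Regularity is measured as the coefficient of variation of the inter-connection intervals; the thresholds are assumptions to be tuned per network, and a backdoor that randomizes its sleep time will need a looser `max_cv`.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed firewall log (not from the report): 10.0.0.5 contacts the same external
# address every ~5 minutes, while 10.0.0.7 browses irregularly.
SAMPLE_LOG = """\
2016-05-03T09:00:00 ALLOW TCP 10.0.0.5:51234 -> 203.0.113.10:443
2016-05-03T09:00:10 ALLOW TCP 10.0.0.7:49152 -> 198.51.100.20:443
2016-05-03T09:00:12 ALLOW TCP 10.0.0.7:49153 -> 198.51.100.20:443
2016-05-03T09:03:40 ALLOW TCP 10.0.0.7:49160 -> 198.51.100.20:443
2016-05-03T09:05:01 ALLOW TCP 10.0.0.5:51240 -> 203.0.113.10:443
2016-05-03T09:10:00 ALLOW TCP 10.0.0.5:51251 -> 203.0.113.10:443
2016-05-03T09:14:59 ALLOW TCP 10.0.0.5:51263 -> 203.0.113.10:443
2016-05-03T09:20:00 ALLOW TCP 10.0.0.5:51270 -> 203.0.113.10:443
2016-05-03T09:21:05 ALLOW TCP 10.0.0.7:49201 -> 198.51.100.20:443
2016-05-03T09:21:07 ALLOW TCP 10.0.0.7:49202 -> 198.51.100.20:443
2016-05-03T09:25:02 ALLOW TCP 10.0.0.5:51288 -> 203.0.113.10:443
2016-05-03T09:30:00 ALLOW TCP 10.0.0.5:51301 -> 203.0.113.10:443
2016-05-03T09:45:30 ALLOW TCP 10.0.0.7:49310 -> 198.51.100.20:443
2016-05-03T09:46:00 ALLOW TCP 10.0.0.7:49311 -> 203.0.113.10:443
"""

# Assumed log format: "<iso timestamp> ALLOW <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ALLOW (?P<proto>\w+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Yield (timestamp, src, dst, dport) for each well-formed line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def find_beacons(text, min_hits=6, max_cv=0.1):
    """Flag (src, dst, dport) flows whose inter-connection intervals are nearly constant.

    Returns (src, dst, dport, hits, mean_gap_seconds, cv) per flagged flow. A low
    coefficient of variation (stdev / mean of the gaps) means a fixed timer, which is
    how a simple backdoor pings its C2. min_hits and max_cv are tuning assumptions.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, dport in parse_log(text):
        by_flow[(src, dst, dport)].append(ts)
    beacons = []
    for flow, stamps in by_flow.items():
        if len(stamps) < min_hits:
            continue  # too few connections to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # all connections in the same second: not a timer
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons.append((*flow, len(stamps), mean, round(cv, 4)))
    return beacons


if __name__ == "__main__":
    for src, dst, dport, hits, mean, cv in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}:{dport}  hits={hits}  every ~{mean:.0f}s  cv={cv}")
```

On the sample, only the 10.0.0.5 flow is reported (seven hits about 300 s apart); the browsing host has six hits to its destination but gaps ranging from 2 s to over 20 minutes, so its coefficient of variation is far above the cutoff.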
One of the more interesting malware samples downloaded is the file-stealer module. When this file-stealer is executed, it makes another callback to the C2 server, downloading and executing yet another malware sample. It repeatedly attempts to iterate through directories and to collect files with the following extensions: doc, docx, ppt, pptx, pps, ppsx, xls, xlsx, and pdf. These files are then uploaded to the C2 server.
Also interesting are the resilient communications used by this group. Much like the known actors Miniduke and CommentCrew, it hides base64-encoded and encrypted control server locations in comments on legitimate websites. Unlike those actors, however, the encrypted data provides the next hop, i.e. the true C2 for the backdoor, instead of initial commands.
2. C2 Analysis
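The following script is an added example of the "dead drop" mechanism just described; it is not code from the report or the actor. It scans HTML comments of a constructed web page for base64 blobs, decrypts them and keeps only candidates that decode to a URL, which is what an analyst emulating the backdoor's next-hop lookup would do. The report does not describe the encryption, so a single-byte XOR stands in for it here; the key, the page content and the C2 address are all invented placeholders.

```python
import base64
import re

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL_RE = re.compile(r"^https?://[\w.-]+(?:/[\w./?=&%-]*)?$")


def xor_bytes(data, key):
    """Repeating-key XOR (stand-in for the actor's undisclosed cipher)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def hide_c2(url, key):
    """Attacker side of the assumed scheme: encrypt, base64-encode, drop into a comment."""
    return base64.b64encode(xor_bytes(url.encode(), key)).decode()


def resolve_dead_drop(html, key):
    """Emulate the backdoor: extract blobs from comments, decrypt, keep those that are URLs."""
    hits = []
    for comment in COMMENT_RE.findall(html):
        for token in B64_RE.findall(comment):
            try:
                raw = base64.b64decode(token, validate=True)
            except ValueError:  # binascii.Error: bad length or padding, not base64 after all
                continue
            candidate = xor_bytes(raw, key).decode("ascii", "replace")
            if URL_RE.match(candidate):
                hits.append(candidate)
    return hits


KEY = b"\x5a"  # assumed key; the real scheme is not described in the report
PLANTED = hide_c2("http://203.0.113.45/upd/gate.php", KEY)  # placeholder next-hop address

# Constructed page: two ordinary comments (one of them base64-shaped) plus the planted blob.
SAMPLE_PAGE = f"""<html><head><title>Regional Trade Review</title></head>
<body>
<!-- cached by wp-super-cache 2016-06-01 -->
<!-- build 20160601abcdef0123456789 -->
<h1>Bilateral talks continue</h1><p>...</p>
<!-- {PLANTED} -->
</body></html>"""

if __name__ == "__main__":
    print(resolve_dead_drop(SAMPLE_PAGE, KEY))
```

The base64-shaped build string decodes without error but does not turn into a URL under the key, so the URL filter is what separates the real drop from noise; in a live investigation the key and cipher come from reversing the backdoor, and the same resolver can then be pointed at the legitimate sites the sample contacts to recover the current C2 without running the malware.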
In many cases it was very difficult to get a good overview of the campaign and to find out how successful it is. By combining KSN data with partner-provided C2 server data, we were able to obtain a much fuller picture of the incident.
We examined connections and attacker logins to this particular C2. As it turned out, the attackers often logged in via a VPN, but sometimes from IPs belonging to an ordinary ISP in India. We then looked at the times at which the attackers were active, shown in the image below.
We also wanted to get a better idea of where most visitors were located. The image below shows access counts and times, along with the IP of each visiting system.
Noteworthy are the many IPs located in China. This focus on China-related foreign relations was already apparent from the social engineering themes that were constant throughout the attacks. The concentration of visits from CN (People's Republic of China) could have a variety of reasons: diplomatic staff visiting these sites from their CN offices, CN academics and analysts researching what they believe to be CN-focused think tanks, or bots and scrapers that do not identify themselves as such. Regardless, because we were able to determine that multiple targets are diplomatic and governmental entities, these foreign relations efforts are likely to represent the main interest of the attackers.
Conclusion
Campaigns do not always need to be technically advanced to be successful. In this case, a small group reusing exploit code, some PowerShell-based malware and mostly social engineering has been able to steal sensitive documents and data from victims since at least November 2015.
Our analysis of the C2 server confirmed the high profile of most victims, mainly based in Asia and especially focused on Chinese interests. Some hints suggest the group has been successful enough to have recently expanded its operations, perhaps after proving its effectiveness and the value of the data stolen.
This is quite worrying, especially given that no 0-days or advanced techniques were used against such high-profile targets. Simply applying software patches would prevent attacks based on these old exploits, and training users to recognize the most basic social engineering attacks would address the rest.
However, it should be noted that in this case Microsoft's patch for CVE-2014-1761 only warns the user not to allow execution of the suspicious file.
Dropping Elephant artifacts are detected by Kaspersky Lab products as:
As usual, Kaspersky Lab actively collaborates with CERTs and LEAs to notify victims and help mitigate the threat. If you need more information about this actor, please contact email@example.com
More information on how Kaspersky Lab technologies protect against such cyberespionage attacks is available on the Kaspersky Business blog.
Indicators of Compromise
Backdoors