Malware Alerts

Online headquarters of Kaspersky Lab security experts.

Machine learning versus spam

Fri, 01/20/2017 - 03:55

Machine learning methods are often presented by developers of security solutions as a silver bullet, or a magic catch-all technology that will protect users from a huge range of threats. But just how justified are these claims? Unless explanations are provided as to where and how exactly these technologies are used, these assertions appear to be little more than a marketing ploy.

For many years, machine learning technologies have been a working component of Kaspersky Lab’s security products, and our firm belief is that they must not be seen as a super technology capable of combating all threats. Yes, they are a highly effective protection tool, but just one tool among many. My colleague Alexey Malanov even made the point of writing an article on the Myths about machine learning in cybersecurity.

At Kaspersky Lab, machine learning can be found in a number of different areas, especially when dealing with the interesting task of spam detection. This particular task is in fact much more challenging than it appears to be at first glance. A spam filter’s job is not only to detect and filter out all messages with undesired content but, more importantly, it has to ensure all legitimate messages are delivered to the recipient. In other words, type I errors, or so-called false positives, need to be kept to a minimum.

Another aspect that should not be forgotten is that the spam detection system needs to respond quickly. It must work pretty much instantaneously; otherwise, it will hinder the normal exchange of email traffic.

A graphic representation can be provided in a project management triangle, only in our case the three corners represent speed, absence of false positives, and the quality of spam detection; no compromise is possible on any of these three. If we were to go to extremes, for example, spam could be filtered manually – this would provide 100% effectiveness, but minimal speed. In another extreme case, very rigid rules could be imposed, so no email messages whatsoever would pass – the recipient would receive no spam and no legitimate messages. Yet another approach would be to filter out only known spam; in that case, some spam messages would still reach the recipient. To find the right balance inside the triangle, we use machine learning technologies, part of which is an algorithm enabling the classifier to pass prompt and error-free verdicts for every email message.

How is this algorithm built? Obviously, it requires data as input. However, before data is fed into the classifier, it must be cleansed of any ‘noise’, which is yet another problem that needs to be solved. The greatest challenge in spam filtering is that different people may have different criteria for deciding which messages are valid and which are spam. One user may see sales promotion messages as outright spam, while another may consider them potentially useful. A message of this kind creates noise and thus complicates the process of building a quality machine learning algorithm. In the language of statistics, the dataset may contain so-called outlier values, i.e., values that are dramatically different from the rest of the data. To address this problem, we implemented automatic outlier filtration, based on the Isolation Forest algorithm customized for this purpose. Naturally, this removes only some of the noise data, but it has already made life much easier for our algorithms.

After this, we obtain data that is practically ‘clean’. The next task is to convert the data into a format that the classifier can understand, i.e., into a set of identifiers, or features. Three of the main types of features used in our classifier are:

  • Text features – fragments of text that often occur in spam messages. After preprocessing, these can be used as fairly stable features.
  • Expert features – features based on expert knowledge accumulated over many years in our databases. They may be related to domains, the frequency of headers, etc.
  • Raw features. Perhaps the most difficult to understand. We use parts of the message in their raw form to identify features that we have not yet factored in. The message text is either transformed using word embedding or reduced to the Bag-of-Words model (i.e., formed into a multiset of words which does not account for grammar and word order), and then passed to the classifier, which autonomously identifies features.

All these features and their combinations will help us in the final stage – the launch of the classifier.

What we eventually want to see is a system that produces a minimum of false positives, works fast and achieves its principal aim – filtering out spam. To do this, we build a set of classifiers, one tailored to each group of features. For example, the best results on expert features were demonstrated by gradient boosting – the sequential building of a composition of machine learning algorithms, in which each subsequent algorithm aims to compensate for the shortcomings of all previous ones. Unsurprisingly, boosting has demonstrated good results on a broad range of problems involving numerical and categorical features. Finally, the verdicts of all classifiers are integrated, and the system produces a final verdict.

Our technologies also take into account potential problems such as over-training, i.e., a situation when an algorithm works well with a training data sample, but is ineffective with a test sample. To preclude this sort of problem from occurring, the parameters of classification algorithms are selected automatically, with the help of a Random Search algorithm.
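A toy version of the pipeline described above, added here as an example and not Kaspersky Lab's code: Bag-of-Words text features, hand-weighted expert features standing in for gradient boosting, a Naive Bayes stand-in for the raw-feature classifier, and threshold calibration that treats false positives (type I errors) as a hard constraint. All messages, domains and weights are constructed.

```python
import math
import re
from collections import Counter

# Constructed sample mailbox (not real traffic): sender, number of Received:
# headers, body text, and the label used for training and calibration.
CORPUS = [
    {"sender": "promo@deals-now.example", "received": 9, "spam": True,
     "body": "WIN a FREE prize click now claim your cash reward http://deals-now.example"},
    {"sender": "offer@cheap-pills.example", "received": 8, "spam": True,
     "body": "cheap pills free shipping order now click here"},
    {"sender": "lotto@winner.example", "received": 7, "spam": True,
     "body": "you won the lottery claim your prize now send bank details"},
    {"sender": "sale@promo-mail.example", "received": 5, "spam": True,
     "body": "limited offer free trial click now"},
    {"sender": "alice@corp.example", "received": 2, "spam": False,
     "body": "meeting tomorrow at ten please review the attached report"},
    {"sender": "bob@corp.example", "received": 3, "spam": False,
     "body": "feel free to join the project call agenda attached"},
    {"sender": "carol@partner.example", "received": 4, "spam": False,
     "body": "invoice for march attached let me know if anything is missing"},
    {"sender": "dave@corp.example", "received": 2, "spam": False,
     "body": "thanks for the review will send the revised draft tomorrow"},
]

# Constructed reputation list standing in for accumulated expert knowledge.
BAD_DOMAINS = {"deals-now.example", "cheap-pills.example"}
EXPERT_WEIGHTS = {"bad_domain": 3.0, "many_hops": 1.0, "has_url": 0.5}
TOKEN_RE = re.compile(r"[a-z0-9']+")

def text_features(body):
    """Raw features: Bag-of-Words multiset; grammar and word order are dropped."""
    return Counter(TOKEN_RE.findall(body.lower()))

def expert_features(msg):
    """Expert features: numeric indicators about domains and header frequency."""
    domain = msg["sender"].rsplit("@", 1)[-1]
    return {
        "bad_domain": 1.0 if domain in BAD_DOMAINS else 0.0,
        "many_hops": 1.0 if msg["received"] > 6 else 0.0,
        "has_url": 1.0 if "http" in msg["body"].lower() else 0.0,
    }

class BowNaiveBayes:
    """Multinomial Naive Bayes with Laplace smoothing over the BoW features.
    A deliberately simple stand-in for the per-feature-group classifier."""

    def __init__(self):
        self.counts = {True: Counter(), False: Counter()}
        self.docs = {True: 0, False: 0}
        self.vocab = set()

    def fit(self, msgs):
        for m in msgs:
            self.counts[m["spam"]].update(text_features(m["body"]))
            self.docs[m["spam"]] += 1
        self.vocab = set(self.counts[True]) | set(self.counts[False])

    def log_odds(self, body):
        """log P(spam|body) - log P(ham|body); positive favours spam."""
        v = len(self.vocab)
        total = {c: sum(self.counts[c].values()) for c in (True, False)}
        score = math.log(self.docs[True] / self.docs[False])
        for tok, n in text_features(body).items():
            if tok not in self.vocab:
                continue  # never seen in training: no evidence either way
            p_spam = (self.counts[True][tok] + 1) / (total[True] + v)
            p_ham = (self.counts[False][tok] + 1) / (total[False] + v)
            score += n * math.log(p_spam / p_ham)
        return score

def expert_score(msg):
    """Linear verdict over expert features (the post uses gradient boosting)."""
    feats = expert_features(msg)
    return sum(EXPERT_WEIGHTS[k] * val for k, val in feats.items())

def combined_score(nb, msg):
    """Integrate the per-feature-group verdicts into one final score."""
    return nb.log_odds(msg["body"]) + expert_score(msg)

def calibrate(nb, msgs):
    """Pick the lowest threshold with zero false positives on msgs, treating
    type I errors as a hard constraint, and report the spam detection rate."""
    ham = [combined_score(nb, m) for m in msgs if not m["spam"]]
    spam = [combined_score(nb, m) for m in msgs if m["spam"]]
    threshold = max(ham)
    detected = sum(1 for s in spam if s > threshold)
    return threshold, detected / len(spam)

def build_filter(msgs):
    """Train the BoW classifier and calibrate the decision threshold on msgs."""
    nb = BowNaiveBayes()
    nb.fit(msgs)
    threshold, rate = calibrate(nb, msgs)
    return nb, threshold, rate

def is_spam(nb, threshold, msg):
    return combined_score(nb, msg) > threshold
```

On this tiny corpus the classes separate cleanly, so the zero-false-positive threshold still catches every spam message; on real mail the same calibration trades detection rate for the false-positive guarantee.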

This is a general overview of how we use machine learning to combat spam. To see how effective this method is, it is best to view the results of independent testing.

Deceive in order to detect

Thu, 01/19/2017 - 05:32

Interactivity is a security system feature that implies interaction with the attacker and their tools as well as an impact on the attack scenario depending on the attacker’s actions. For example, introducing junk search results to confuse the vulnerability scanners used by cybercriminals is interactive. As well as causing problems for the cybercriminals and their tools, these methods have long been used by researchers to obtain information about the fraudsters and their goals.

There is a fairly clear distinction between interactive and “offensive” protection methods. The former imply interaction with attackers in order to detect them inside the protected infrastructure, divert their attention and lead them down the wrong track. The latter may include all the above plus exploitation of vulnerabilities on the attackers’ own resources (so-called “hacking-back”). Hacking-back is not only against the law in many countries (unless the defending side is a state organization carrying out law enforcement activities) it may also endanger third parties, such as users’ computers compromised by cybercriminals.

The use of interactive protection methods that don’t break the law and that fit into an organization’s existing IT security processes makes it possible not only to discover whether there is an intruder inside the infrastructure but also to create a threat profile.

One such approach is Threat Deception – a set of methods, specialized solutions and processes that have long been used by researchers to analyze threats. In our opinion, this approach can also be used to protect valuable data inside the corporate network from targeted attacks.

Characteristics of targeted attacks

Despite the abundance of technology and specialized solutions to protect corporate networks, information security incidents continue to occur even in large organizations that invest lots of money to secure their information systems.

Part of the reason for these incidents is the fact that the architecture of automated security solutions, based on identifying patterns in general traffic flows or monitoring a huge number of endpoints, will sooner or later fail to recognize an unknown threat or a criminal stealing valuable data from the infrastructure. This may occur, for example, if the attacker has studied the specific features of a corporate security system in advance and identified a way of stealing valuable data that will go unnoticed by security solutions and will be lost among the legitimate operations of other users.

Another reason is that APT attacks differ from other types of attacks: in terms of target selection and pinpoint execution, they resemble surgical strikes rather than the blanket bombing of mass attacks.

The organizers of targeted attacks carefully study the targeted infrastructure, identifying gaps in configuration and vulnerabilities that can be exploited during an attack. With the right budget, an attacker can even deploy the products and solutions that are installed in the targeted corporate network on a testbed. Any vulnerabilities or flaws identified in the configuration may be unique to a specific victim.

This allows cybercriminals to go undetected on the network and steal valuable data for long periods of time.

To protect against an APT, it is necessary not only to combat the attacker’s tools (utilities to analyze security status, malicious code, etc.) but to use specific behavioral traits on the corporate network to promptly detect their presence and prevent any negative consequences that may arise from their actions. Despite the fact that the attacker usually has enough funds to thoroughly examine the victim’s corporate network, the defending side still has the main advantage – full physical access to its network resources. And it can use this to create its own rules on its own territory for hiding valuable data and detecting an intruder.

After all, “locks only keep an honest person honest,” but with a motivated cybercriminal a lock alone is not enough – a watchdog is required to notify the owner about a thief before he has time to steal something.

Interactive games with an attacker

In our opinion, in addition to the obligatory conventional methods and technologies to protect valuable corporate information, the defensive side needs to build interactive security systems in order to get new sources of information about the attacker who, for one reason or another, has been detected inside the protected corporate network.

Interactivity in a security system implies a reaction to the attacker’s actions. That reaction, for instance, may be the inclusion of the attacker’s resources on a blacklist (e.g. the IP addresses of the workstations from which the attack is carried out) or the isolation of compromised workstations from other network resources. An attacker who is looking for valuable data within a corporate network may be deliberately misled, or the tools used by the attacker, such as vulnerability scanners, could be tricked into leading them in the wrong direction.

Let’s assume that the defending side has figured out all the possible scenarios where the corporate network can be compromised and sets traps on the protected resource:

  • a special tool capable of deceiving automated vulnerability scanners and introducing all sorts of “junk” (information about non-existent services or vulnerabilities, etc.) in reports;
  • a web scenario containing a vulnerability that, when exploited, leads the attacker to the next trap (described below);
  • a pre-prepared section of the web resource that imitates the administration panel and contains fake documents.

How can these traps help?

Below is a simple scenario showing how a resource with no special security measures can be compromised:

  1. The attacker uses a vulnerability scanner to find a vulnerability on the server side of the protected infrastructure, for example, the ability to perform an SQL injection in a web application.
  2. The attacker successfully exploits this vulnerability on the server side and gains access to the closed zone of the web resource (the administration panel).
  3. The attacker uses the gained privileges to study the inventory of available resources, finds documents intended for internal use only and downloads them.

Let’s consider the same scenario in the context of a corporate network where the valuable data is protected using an interactive system:

  1. The attacker searches for vulnerabilities on the server side of the protected infrastructure using automated means (vulnerability scanner and directory scanner). Because the defending side has pre-deployed a special tool to deceive scanning tools, the attacker has to spend time analyzing the scan results, after which the attacker finds a vulnerability – the trap on the server side of the protected infrastructure.
  2. The attacker successfully exploits the detected vulnerability and gains access to the closed zone of the web resource (the administration panel). The attempt to exploit the vulnerability is recorded in the log file, and a notification is sent to the security service team.
  3. The attacker uses the gained privileges to study the inventory of available resources, finds the fake documents and downloads them.
  4. The downloaded documents contain scripts that call the servers controlled by the defending side. The parameters of the call (source of the request, time, etc.) are recorded in the log file. This information can then be used for attacker attribution (what type of information they are interested in, where the workstations used in the attack are located, the subnets, etc.) and to investigate the incident.
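Steps 2 and 4 of the interactive scenario both come down to logging and correlating hits on the traps. The following is an added example of that defender-side logic, not part of the post or of any Kaspersky Lab product: it parses constructed web-server access-log lines, flags requests to an assumed decoy admin path and to the beacon URL that the fake documents call back to, and builds a per-source attribution profile. Paths, addresses, user agents and log lines are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed trap layout: the fake admin panel paths and the beacon URL embedded
# in the fake documents. Any request to these is by definition suspicious.
DECOY_PATHS = ("/admin-old/", "/backup/")
BEACON_PATH = "/static/render.gif"

# Combined Log Format: src ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \d+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines; not from a real incident.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Jan/2017:09:15:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [19/Jan/2017:09:16:40 +0000] "GET /admin-old/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (scanner)"
198.51.100.23 - - [19/Jan/2017:09:17:05 +0000] "GET /admin-old/docs/q4-plan.docx HTTP/1.1" 200 40960 "-" "Mozilla/5.0 (scanner)"
198.51.100.23 - - [19/Jan/2017:09:21:11 +0000] "GET /static/render.gif?doc=q4-plan HTTP/1.1" 200 43 "-" "Microsoft Office Word"
203.0.113.7 - - [19/Jan/2017:09:22:00 +0000] "GET /about.html HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def classify(rec):
    """Return the trap event type for a request, or None for ordinary traffic."""
    path = rec["path"].split("?", 1)[0]
    if path == BEACON_PATH:
        return "document-opened"   # a fake document phoned home (step 4)
    if any(path.startswith(p) for p in DECOY_PATHS):
        return "decoy-access"      # the fake admin panel was touched (step 2)
    return None

def build_profile(log_text):
    """Aggregate trap hits per source address into an attribution profile:
    first sighting, the ordered list of events, and the user agents seen."""
    profiles = defaultdict(lambda: {"first_seen": None, "events": [], "user_agents": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind is None:
            continue
        p = profiles[rec["src"]]
        if p["first_seen"] is None or rec["ts"] < p["first_seen"]:
            p["first_seen"] = rec["ts"]
        p["events"].append((rec["ts"].isoformat(), kind, rec["path"]))
        p["user_agents"].add(rec["ua"])
    return dict(profiles)

def alerts(profiles):
    """One notification line per source that touched a trap. A document-opened
    event means the decoy file was downloaded and opened, so it ranks higher."""
    out = []
    for src, p in sorted(profiles.items()):
        kinds = {kind for _, kind, _ in p["events"]}
        severity = "high" if "document-opened" in kinds else "medium"
        out.append(f"{severity}: {src} first seen {p['first_seen'].isoformat()} "
                   f"events={len(p['events'])} ua={sorted(p['user_agents'])}")
    return out
```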

Detecting an attack by deceiving the attacker

Currently, in order to strengthen protection of corporate networks the so-called Threat Deception approach is used. The term ‘deception’ comes from the military sphere, where it refers to a combination of measures aimed at misleading the enemy about one’s presence, location, actions and intentions. In IT security, the objective of this interactive system of protection is to detect an intruder inside the corporate network, identifying their attributes and ultimately removing them from the protected infrastructure.

The threat deception approach involves the implementation of interactive protection systems based on the deployment of traps (honeypots) in the corporate network and exploiting specific features of the attacker’s behavior. In most cases, honeypots are set to divert the attacker’s attention from the truly valuable corporate resources (servers, workstations, databases, files, etc.). The use of traps also makes it possible to get information about any interaction between the attacker and the resource (the time interactions occur; types of data attracting the attacker’s attention, toolset used by the attacker, etc.).

However, it’s often the case that a poorly deployed trap inside a corporate network will not only be successfully detected and bypassed by the attackers but can serve as an entry point to genuine workstations and servers containing valuable information.

Incorrect implementation of a honeypot in the corporate network can be likened to building a small house next to a larger building containing valuable data. The smaller house is unlikely to divert the attention of the attacker; they will know where the valuable information is and where to look for the “key” to access it.

Simply installing and configuring honeypots is not enough to effectively combat cybercriminals; a more nuanced approach to developing scenarios to detect targeted attacks is required. At the very least, it is necessary to carry out an expert evaluation of the attacker’s potential actions, to set honeypots so that the attacker cannot determine which resources (workstations, files on workstations and servers, etc.) are traps and which are not, and to have a plan for dealing with the detected activity.

Correct implementation of traps and a rapid response to any events related to them make it possible to build an infrastructure where almost any attacker will lose their way (fail to find the protected information and reveal their presence).

Forewarned is forearmed

Getting information about a cybercriminal in the corporate network enables the defending side to take measures to protect their valuable data and eliminate the threat:

  • to send the attacker in the wrong direction (e.g., to a dedicated subnet), and thereby concealing valuable resources from their field of view, as well as obtaining additional information about the attacker and their tools, which can be used to investigate the incident further;
  • to identify compromised resources and take all necessary measures to eliminate the threat (e.g., to isolate infected workstations from the rest of the resources on the corporate network);
  • to reconstruct the chronology of actions and movements of the attacker inside the corporate network and to define the entry points so that they can be eliminated.

Conclusion

The attacker has an advantage over the defender, because they have the ability to thoroughly examine their victim before carrying out an attack. The victim doesn’t know where the attack will come from or what the attacker is interested in, and so has to protect against all possible attack scenarios, which requires a significant amount of time and resources.

Implementation of the Threat Deception approach gives the defending side an additional source of information on threats thanks to resource traps. The approach also minimizes the advantage enjoyed by the attacker due to both the early detection of their activity and the information obtained about their profile that enables timely measures to be taken to protect valuable data. It is not necessary to use prohibited “offensive security” methods, which could make the situation worse for the defending side if law enforcement agencies get involved in investigating the incident.

Interactive security measures that are based on deceiving the attacker will only gain in popularity as the number of incidents in the corporate and public sector increases. Soon, systems based on the Threat Deception approach will become not just a tool of the researchers but an integral part of a protected infrastructure and yet another source of information about incidents for security services.

If you’re interested in implementing the Threat Deception concept described in the post on your corporate network, please complete the form below:


Do web injections exist for Android?

Wed, 01/18/2017 - 02:57

Web injection attacks

There’s an entire class of attacks that targets browsers – so-called Man-in-the-Browser (MITB) attacks. These attacks can be implemented using various means, including malicious DLLs, rogue extensions, or more complicated malicious code injected into pages in the browser by spoofing proxy servers or other ways. The purpose of an MITB attack may vary from relatively innocuous ad spoofing on social networks or popular websites to stealing money from user accounts – the latter is what happened in the Lurk case.

A malicious app masquerades as a Kaspersky Lab product in an MITB attack

Web injection is used in most cases when an MITB-class attack targets online banking. This type of web injection attack involves malicious code being injected into an online banking service webpage to intercept the one-time SMS message, harvest information about the user, spoof banking details, etc. For example, our Brazilian colleagues have long reported about barcode spoofing attacks performed when users print out Boletos – popular banking documents issued by banks and all kind of businesses in Brazil.

Meanwhile, the prevalence of MITB attacks in Russia is decreasing – cybercriminals are opting for other methods and attack vectors to target banking clients. For the average cybercriminal, it is much easier to use readily available tools than develop and implement web injection tools.

Despite this, we’re often asked if there are any web injection attacks for Android devices. This is our attempt to investigate and give as full an answer as possible.

Web injection on Android

Despite the term ‘inject’ being used in connection with mobile banking Trojans (and sometimes used by cybercriminals to refer to their data-stealing technologies), Android malware is a whole different world. In order to achieve the same goals pursued by web injection tools on computers, the creators of mobile Trojans use two completely different technologies: overlaying other apps with a phishing window, and redirecting the user from a banking web page to a specially crafted phishing page.

Overlaying apps with phishing windows

This is the most popular technology with cybercriminals and is used in practically all banking Trojans. 2013 was when we first encountered a piece of malware overlaying other apps with its phishing window – that was Trojan-Banker.AndroidOS.Svpeng.

Today’s mobile banking Trojans most often overlay the Google Play Store app with their phishing window – this is done in order to steal the user’s bank card details.

The Marcher malware

Besides this, Trojans often overlay various social media and instant messaging apps and steal the passwords to them.

The Acecard malware

However, mobile banking Trojans typically target financial applications, mostly banking apps.

Three methods of MITB attacks for mobile OS can be singled out:

1. A special Trojan window, crafted beforehand by cybercriminals, is used to overlay another app’s window. This method was used, for example, by the Acecard family of mobile banking Trojans.

Acecard phishing windows

2. Apps are overlaid with a phishing web page located on a malicious server. This way, the cybercriminals can modify its contents any time they need to. This method is used by the Marcher family of banking Trojans.

Marcher phishing page

3. A template page is downloaded from a malicious server, to which the icon and the name of the attacked application are added. This is how one of the Trojan-Banker.AndroidOS.Faketoken modifications manages to attack over 2,000 financial apps.

FakeToken phishing page

It should be noted that starting from Android 6, for the above attack method to work, the FakeToken Trojan has to request the privilege of displaying its window on top of other app windows. It’s not alone though: as new versions of Android are gaining popularity, a growing number of mobile banking Trojans are beginning to request such privileges.

Redirecting the user from the bank’s page to a phishing page

We were only able to identify the use of this technology in the Trojan-Banker.AndroidOS.Marcher family. The earliest versions of the Trojan that redirected the user to a phishing page are dated late April 2016, and the latest are from the first half of November 2016.

Redirecting the user from a bank’s webpage to a phishing page works as follows. The Trojan registers to be notified of modifications to the browser’s bookmarks, which include changes to the currently open page. This way the Trojan knows which webpage is currently open, and if it happens to be one of the targeted pages, the Trojan opens the corresponding phishing page in the same browser and redirects the user there. We were able to find over a hundred web pages belonging to financial organizations that were targeted by the Marcher family of Trojans.

However, two points need to be raised:

  • All new modifications of the Marcher Trojan that we were able to detect no longer use this technology.
  • Those modifications that used this technology also used a method of overlaying other apps with their phishing window.

Why then was the method of redirecting the user to a phishing page used by only one family of mobile banking Trojans, and why is this technology no longer used in newer modifications of the family? There are several reasons:

  • In Android 6 and later versions, this technology no longer works, meaning the number of potential victims is decreasing every day. For example, around 30% of those using Kaspersky Lab’s mobile security solutions now use Android 6 or a later version;
  • The technology only worked on a limited number of mobile browsers;
  • The user can easily spot that they are being redirected to a phishing site and they may also notice that the URL of the webpage has changed.

Attacks launched using root privileges

With superuser privileges, Trojans can perform any attack, including real malicious injections into browsers. Although we were unable to find a single case of this happening, the following should be noted:

  • Some modules of Backdoor.AndroidOS.Triada can substitute websites in certain browsers, using superuser privileges. All the attacks we found were launched with the purpose of making some money from advertising only, and did not result in the theft of banking information.
  • The banking Trojan Trojan-Banker.AndroidOS.Tordow, using superuser privileges, can steal passwords saved in browsers, which may include passwords to financial websites.

Conclusions

We can state that, despite all the available technical capabilities, cybercriminals that target banks do not make use of malicious web injections in mobile browsers or injections in mobile apps. Sometimes they use these technologies to spoof adverts, but even then that requires highly sophisticated malicious software.

So why do cybercriminals ignore the available opportunities? Most probably it is because of the diversity of mobile browsers and apps. Malware writers would have to adapt their creations to a long list of programs, which is rather costly, while simpler and more versatile attacks involving phishing windows do not require so much effort to target a larger number of users.

Nonetheless, the Triada and Tordow examples suggest that similar attacks may well take place in the future as malware creators gain more expertise.

The “EyePyramid” attacks

Thu, 01/12/2017 - 09:54

On January 10, 2017, the Italian police declassified a court order regarding a chain of cyberattacks directed at top Italian government members and institutions.

The attacks leveraged a malware named “EyePyramid” to target a dozen politicians, bankers, prominent freemasons and law enforcement personalities in Italy. These included Fabrizio Saccomanni, the former deputy governor of the Bank of Italy, Piero Fassino, the former mayor of Turin, several members of a Masonic lodge, Matteo Renzi, former prime minister of Italy and Mario Draghi, another former prime minister of Italy and now president of the European Central Bank.

The malware was spread using spear-phishing emails and the level of sophistication is low. However, the malware is flexible enough to grant access to all the resources in the victim’s computer.

During the investigation, the LEAs involved found more than 100 active victims on the server used to host the malware, as well as indications that over the last few years the attackers had targeted around 16,000 victims. All identified victims are in Italy, most of them being law firms, consultancy services, universities and even Vatican cardinals.

Evidence found on the C&C servers suggests that the campaign was active since at least March 2014 and lasted until August 2016. However, it is suspected that the malware was developed and probably used years before, possibly as far back as 2008.

Two suspects were arrested on January 10th, 2017 and identified as 45-year-old nuclear engineer Giulio Occhionero and his 47-year-old sister Francesca Maria Occhionero.

Investigation

Although the Italian Police Report doesn’t include malware hashes, it identified a number of C&C servers and e-mail addresses used by the malware for exfiltration of stolen data.

Excerpt from the Italian court order on #EyePyramid
(http://www.agi.it/pictures/pdf/agi/agi/2017/01/10/132733992-5cec4d88-49a1-4a00-8a01-dde65baa5a68.pdf)

The police report outlines the e-mail addresses used for exfiltration and the C&C domains; these indicators appear as strings in the YARA rule below.


Based on these indicators we quickly wrote a YARA rule and ran it through our systems to see if it matched any samples.

Here’s what our initial “blind”-written YARA rule looked like:

rule crime_ZZ_EyePyramid {

    meta:
        copyright = "Kaspersky Lab"
        author = "Kaspersky Lab"
        maltype = "crimeware"
        filetype = "Win32 EXE"
        date = "2016-01-11"
        version = "1.0"

    strings:
        // C&C domains and IP addresses from the police report
        $a0 = "eyepyramid.com" ascii wide nocase fullword
        $a1 = "hostpenta.com" ascii wide nocase fullword
        $a2 = "ayexisfitness.com" ascii wide nocase fullword
        $a3 = "enasrl.com" ascii wide nocase fullword
        $a4 = "eurecoove.com" ascii wide nocase fullword
        $a5 = "marashen.com" ascii wide nocase fullword
        $a6 = "millertaylor.com" ascii wide nocase fullword
        $a7 = "occhionero.com" ascii wide nocase fullword
        $a8 = "occhionero.info" ascii wide nocase fullword
        $a9 = "wallserv.com" ascii wide nocase fullword
        $a10 = "westlands.com" ascii wide nocase fullword
        $a11 = "217.115.113.181" ascii wide nocase fullword
        $a12 = "216.176.180.188" ascii wide nocase fullword
        $a13 = "65.98.88.29" ascii wide nocase fullword
        $a14 = "199.15.251.75" ascii wide nocase fullword
        $a15 = "216.176.180.181" ascii wide nocase fullword
        // license keys of the custom mailing library used by the attackers
        $a16 = "MN600-849590C695DFD9BF69481597241E-668C" ascii wide nocase fullword
        $a17 = "MN600-841597241E8D9BF6949590C695DF-774D" ascii wide nocase fullword
        $a18 = "MN600-3E3A3C593AD5BAF50F55A4ED60F0-385D" ascii wide nocase fullword
        $a19 = "MN600-AD58AF50F55A60E043E3A3C593ED-874A" ascii wide nocase fullword
        // exfiltration mailboxes on attacker-controlled domains
        $a20 = "gpool@hostpenta.com" ascii wide nocase fullword
        $a21 = "hanger@hostpenta.com" ascii wide nocase fullword
        $a22 = "hostpenta@hostpenta.com" ascii wide nocase fullword
        $a23 = "ulpi715@gmx.com" ascii wide nocase fullword
        // exfiltration mailboxes on public providers (case-sensitive match)
        $b0 = "purge626@gmail.com" ascii wide fullword
        $b1 = "tip848@gmail.com" ascii wide fullword
        $b2 = "dude626@gmail.com" ascii wide fullword
        $b3 = "octo424@gmail.com" ascii wide fullword
        $b4 = "antoniaf@poste.it" ascii wide fullword
        $b5 = "mmarcucci@virgilio.it" ascii wide fullword
        $b6 = "i.julia@blu.it" ascii wide fullword
        $b7 = "g.simeoni@inwind.it" ascii wide fullword
        $b8 = "g.latagliata@live.com" ascii wide fullword
        $b9 = "rita.p@blu.it" ascii wide fullword
        $b10 = "b.gaetani@live.com" ascii wide fullword
        $b11 = "gpierpaolo@tin.it" ascii wide fullword
        $b12 = "e.barbara@poste.it" ascii wide fullword
        $b13 = "stoccod@libero.it" ascii wide fullword
        $b14 = "g.capezzone@virgilio.it" ascii wide fullword
        $b15 = "baldarim@blu.it" ascii wide fullword
        $b16 = "elsajuliette@blu.it" ascii wide fullword
        $b17 = "dipriamoj@alice.it" ascii wide fullword
        $b18 = "izabelle.d@blu.it" ascii wide fullword
        $b19 = "lu_1974@hotmail.com" ascii wide fullword
        $b20 = "tim11235@gmail.com" ascii wide fullword
        $b21 = "plars575@gmail.com" ascii wide fullword
        $b22 = "guess515@fastmail.fm" ascii wide fullword

    condition:
        // MZ header, sane size, and any one of the indicators
        (uint16(0) == 0x5A4D) and (filesize < 10MB) and
        ((any of ($a*)) or (any of ($b*)))
}

To build the YARA rule above we used every bit of existing information: the custom e-mail addresses used for exfiltration, the C&C servers, the licence keys of the custom mailing library used by the attackers, and the specific IP addresses used in the attacks.

Once the YARA rule was ready, we ran it on our malware collections. Two of the initial hits were:

MD5: 778d103face6ad7186596fb0ba2399f2
File size: 1396224 bytes
Type: Win32 PE file
Compilation timestamp: Fri Nov 19 12:25:00 2010

MD5: 47bea4236184c21e89bd1c1af3e52c86
File size: 1307648 bytes
Type: Win32 PE file
Compilation timestamp: Fri Sep 17 11:48:59 2010

These two samples allowed us to write a more specific and more effective YARA rule which identified 42 other samples in our summary collections.

At the end of this blogpost we include a full list of all related samples identified.

Although very thorough, the Police Report does not include any technical details about how the malware was spread other than the use of spear phishing messages with malicious attachments using spoofed email addresses.

Nevertheless, once we were able to identify the samples shown above we used our telemetry to find additional ones used by the attackers for spreading the malware in spear-phishing emails. For example:

From: Di Marco Gianmaria
Subject: ricezione e attivazione
Time: 2014/01/29 13:57:42
Attachment: contatto.zip//Primarie.accdb (…) .exe

From: Michelangelo Giorgianni
Subject: R: Re: CONVOCAZIONE
Time: 2014/01/28 17:28:56
Attachment: Note.zip//sistemi.pdf (…) .exe

Other attachment filenames observed in attacks include:

  • Nuoveassunzioni.7z
  • Assunzione.7z
  • Segnalazioni.doc (…) 7z.exe
  • Regione.7z
  • Energy.7z
  • Risparmio.7z
  • Pagati.7z
  • Final Eight 2012 Suggerimenti Uso Auricolari.exe
  • Fwd Re olio di colza aggiornamento prezzo.exe
  • Approfondimento.7z
  • Allegato.zip
  • Eventi.bmp (…) .exe
  • Quotidiano.mdb (…) _7z.exe
  • Notifica operazioni in sospeso.exe

As can be seen, the malware was spread through spear-phishing e-mails whose attachments relied on social engineering to get the victim to open and execute them. The attachments were ZIP and 7zip archives containing the EyePyramid malware.

The attackers also relied on executables whose real extension was hidden by padding the filename with a long run of spaces between a benign-looking “document” extension and the final .exe. This technique is indicative of the low sophistication level of the attack.
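The two disguises described above (an executable packed inside an archive, and a real extension pushed out of view by a run of spaces) can be triaged from the attachment name alone. The following is an added example, not code from the post or from Kaspersky Lab; the sample names are constructed to resemble the ones listed above, with PAD standing in for the whitespace run whose exact length the post elides as “(…)”.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Extension classes used by the checks (constructed lists, not from the post).
ARCHIVE_EXTS = {"zip", "7z", "rar"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DOC_EXTS = {"pdf", "doc", "docx", "xls", "accdb", "mdb", "bmp", "jpg", "txt"}

# A visible "document" name, then 2+ whitespace characters, then optional filler
# such as "7z" or "_7z", then the real extension: e.g. "Primarie.accdb        .exe"
PADDED_RE = re.compile(
    r"^(?P<visible>.+?\.(?P<fake>[A-Za-z0-9]+))\s{2,}(?P<filler>\w*)\.(?P<real>[A-Za-z0-9]+)$"
)

PAD = " " * 8  # stands in for the run of spaces the post writes as "(…)"

# Constructed sample names modelled on the attachments listed in the post.
SAMPLE_ATTACHMENTS = [
    "contatto.zip//Primarie.accdb" + PAD + ".exe",
    "Note.zip//sistemi.pdf" + PAD + ".exe",
    "Segnalazioni.doc" + PAD + "7z.exe",
    "Quotidiano.mdb" + PAD + "_7z.exe",
    "Eventi.bmp" + PAD + ".exe",
    "Fwd Re olio di colza aggiornamento prezzo.exe",
    "Regione.7z",        # archive only: nothing can be judged from the name
    "Relazione.pdf",     # constructed benign name
]


@dataclass
class Verdict:
    name: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def extension(name: str) -> str:
    """Lower-cased text after the last dot of the last path component, '' if none."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def inspect_attachment(path: str) -> Verdict:
    """Judge one attachment name.  As in the post, 'archive//member' denotes a
    file found inside an archive (e.g. 'Note.zip//sistemi.pdf        .exe')."""
    verdict = Verdict(path)
    layers = path.split("//")
    inner = layers[-1]
    real = extension(inner)

    # Check 1: an archive whose member is an executable.
    if len(layers) > 1 and extension(layers[0]) in ARCHIVE_EXTS and real in EXEC_EXTS:
        verdict.reasons.append("executable inside archive")

    # Check 2: whitespace padding that hides the executable extension.
    padded = PADDED_RE.match(inner)
    if padded and padded.group("real").lower() in EXEC_EXTS:
        fake = padded.group("fake").lower()
        shown = "document" if fake in DOC_EXTS else "non-executable"
        verdict.reasons.append(
            f"padded double extension: shows as .{fake} ({shown}), "
            f"runs as .{padded.group('real').lower()}"
        )
    # Check 3: a plain executable sent directly as the attachment.
    elif len(layers) == 1 and real in EXEC_EXTS:
        verdict.reasons.append("bare executable attachment")

    return verdict


def triage(names: List[str]) -> Dict[str, List[str]]:
    """Return {name: reasons} for every name that trips at least one check."""
    results: Dict[str, List[str]] = {}
    for name in names:
        verdict = inspect_attachment(name)
        if verdict.suspicious:
            results[name] = verdict.reasons
    return results


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name!r}: {'; '.join(reasons)}")
```

Names such as Regione.7z are deliberately not flagged: as the post notes, an archive name on its own is only a weak indicator, and the decision must come from the archive’s contents.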

High profile victims

Potential high-profile Italian victims (found as recipients of spear-phishing e-mails, according to the police report) include prominent Italian politicians such as Matteo Renzi and Mario Draghi.

It should be noted, however, that there is no proof that any of them was successfully infected by EyePyramid – only that they were targeted.

Of the more than 100 active victims found in the server, there’s a heavy interest in Italian law firms and lawyers. Further standout victims, organizations, and verticals include:

  • Professional firms, consultants
  • Universities
  • Vaticano
  • Construction firms
  • Healthcare

Based on the KSN data for the EyePyramid malware, we observed 92 cases in which the malware was blocked, the vast majority of them (80%) in Italy. Other countries where EyePyramid has been detected include France, Indonesia, Monaco, Mexico, China, Taiwan, Germany and Poland.

Assuming the compilation timestamps are legitimate (and they do appear correct), most of the samples used in the attacks were compiled in 2014 and 2015.

Conclusions

Although the “EyePyramid” malware used by the two suspects is neither sophisticated nor very hard to detect, their operation successfully compromised a large number of victims, including high-profile individuals, resulting in the theft of tens of gigabytes of data.

In general, the operation had very poor OPSEC (operational security); the suspects used IP addresses associated with their company in the attacks, discussed the victims using regular phone calls and through WhatsApp and, when caught, attempted to delete all the evidence.

This indicates they weren’t experts in the field but merely amateurs, who nevertheless succeeded in stealing considerably large amounts of data from their victims.

As seen from other known cyberespionage operations, it’s not necessary for the attackers to use high profile malware, rootkits, or zero-days to run long-standing cyberespionage operations.

Perhaps the most surprising element of this story is that Giulio Occhionero and Francesca Maria Occhionero ran this cyber espionage operation for many years before getting caught.

Kaspersky Lab products successfully detect and remove EyePyramid samples with these verdicts:

  • HEUR:Trojan.Win32.Generic
  • Trojan.Win32.AntiAV.choz
  • Trojan.Win32.AntiAV.ciok
  • Trojan.Win32.AntiAV.cisb
  • Trojan.Win32.AntiAV.ciyk
  • not-a-virus:HEUR:PSWTool.Win32.Generic
  • not-a-virus:PSWTool.Win32.NetPass.aku

A full report on #EyePyramid, including technical details of the malware, is available to customers of Kaspersky APT Intelligence Services. Contact: intelreports (at) kaspersky [dot] com.

To learn how to write YARA rules like a GReAT Ninja, consider taking a master class at Security Analyst Summit. – https://sas.kaspersky.com/#trainings

References and Third-Party Articles

Indicators of Compromise

Hashes:


Related hashes identified by @GaborSzappanos:


Backdoor Filenames:

pnbwz.exe
pxcfx.exe
qislg.exe
rqklt.exe
runwt.exe
ruzvs.exe
rvhct.exe
vidhdw.exe
winlng.exe
wxrun.exe
xddrv.exe
xdwdrv.exe


Holiday 2016 financial cyberthreats overview

Wed, 01/11/2017 - 03:57

Introduction

Last November we conducted a brief analysis of the threat landscape over the holiday period – from October to December in 2014 and 2015 – to find out if the number of financial cyberattacks during this time differs to that usually seen throughout the year. The retrospective analysis found that the percentage of phishing attacks during this period was higher than the average yearly rate. The dynamics of financial malware attacks also clearly showed that in 2014 and 2015, criminals staged their malicious campaigns to match dates around the Black Friday – Cyber Monday period, and also around Christmas and the New Year.

Based on this data we made the following prognosis: the same holiday period in 2016 will see a spike in cyberattacks. Now that the holidays are over, it is time to find out how accurate that prediction was.

Financial phishing

The numbers

As seen in the table below, unlike in previous years, the difference between the overall yearly results and the results in Q4 is not significant. However, the percentage of financial phishing attacks blocked by Kaspersky Lab products in Q4 2016 was higher than the total average for the year.

Year  Period     Financial phishing total  E-shop  E-banks  E-payments
2013  Full year  31.45%                    6.51%   22.20%   2.74%
2013  Q4         32.02%                    7.80%   18.76%   5.46%
2014  Full year  28.73%                    7.32%   16.27%   5.14%
2014  Q4         38.49%                    12.63%  17.94%   7.92%
2015  Full year  34.33%                    9.08%   17.45%   7.08%
2015  Q4         43.38%                    12.29%  18.90%   12.19%
2016  Full year  47.48%                    10.17%  25.76%   11.55%
2016  Q4         48.13%                    10.41%  26.35%   11.37%

Moreover, the Q4 2016 results are the highest we’ve seen so far. 48.13% of all phishing attacks registered by Kaspersky Lab products were focused on gleaning users’ financial data, which is 0.65% higher than the average share of financial phishing in 2016, and 4.75% more than in the same period in 2015. However, the holiday period is not the only reason for such a high percentage of financial attacks. Phishing scams are the easiest way for even low level professional criminals to earn money. The preparation and supporting stages for such scams don’t require a lot of specific tools or knowledge, yet they bring a good return. In other words, phishing attacks appear more attractive to criminals due to their ease and affordability, when compared to staging a financial malware attack. This has resulted in the growth in popularity of phishing.

Delivered on time

As evidenced in our original analysis of the threat landscape during the holiday period in 2014 and 2015, criminals were trying to tie their phishing campaigns to certain dates which resulted in a visible increase in the number of attacks during the Black Friday, Cyber Monday and also Christmas periods. The 2016 figures showed no difference but we’ve seen an increase in the number of attacks which utilized well-known brands from the online retail and financial industries.

As seen on the graph above, the spikes of detections of Amazon-themed phishing scams matched the dates of Black Friday and Cyber Monday 2016 almost perfectly. The same dynamics are repeated with some other topical brands including payment systems.

Interestingly, the dynamics during the Christmas period are different. As seen below, the number of attacks started decreasing several days prior to Christmas Eve, and then went up on 25th of December.

Such synchronous behavior could be explained by multiple factors, one of which is that cybercriminals are also celebrating Christmas and that the overall number of web users also decreases on 24th December. But on 25th December, the number of attacks goes back up.

Scams: from Black Friday to Christmas-themed

In our initial report, we examined some examples of so-called topical phishing scams dedicated to a specific topic – the Black Friday sales. While the report was published several weeks before the actual sales started, we already identified some examples of Black Friday-themed phishing scams. Closer to the start of the sales some new examples appeared.

Example of a Black Friday-themed phishing scam offering a smartphone with 65% discount.

Example of a Black Friday-themed phishing scam offering a TV for an attractive price.

The scams mostly promoted personal electronics, like smartphones and TVs, at extremely low prices, and tried to lure users into providing payment information to criminals. With Christmas approaching, the topics of scams changed accordingly. In December, our researchers started to detect Christmas and New Year-themed phishing schemes.

Example of a Christmas-themed phishing scam resembling the Alibaba.com e-shop.

The example in the screenshot above doesn’t look Christmas-themed at first glance. However, this fake Alibaba.com website was available on the christmascartoons.org URL and was supposed to attract victims with a tempting offer to get a loan with very low interest, along with the ability to search for goods and buy them from the same page using a credit card.

In another example targeting mobile users, criminals tried to exploit the popularity of the Clash of Clans mobile game.

The scam promises that the developers of the game are giving away some valuable in-game virtual items for free, as a New Year present to fans.

Users can choose from a range of items; however, in order to receive these gifts, they need to fill in a registration form which requests their Gmail account details.

Needless to say, in exchange for this information the victim receives nothing but a loss of control over their e-mail account and a confirmation e-mail.

The latter is only sent so that the criminals can be sure the credentials provided by the victim are legitimate.

In general, we can’t say that the holiday period in 2016 has seen an unusually high increase of phishing attacks, however, our major hypothesis, stated in previous reports – that criminals would exploit Black Friday and Christmas topics and dates – has been confirmed.

And of course, financial phishing wasn’t the only type of cyberthreat that behaved unusually in the last three months of 2016. The financial malware landscape also showed some interesting changes.

Financial malware attacks

In total, during Q4 2016 Kaspersky Lab registered attacks with financial malware against 319,692 users worldwide. That is 22.49% more than during the same period in 2015, when 261,000 users were attacked, and 2.7% more than in 2014. It is hard to say if such an increase has been provoked by criminal interest in the holiday season; however, data on the dynamics of attacks shows that just like phishing scammers, financial malware operators tried to connect their activity to particular dates.

Dynamics of attacks with financial malware during Q4 2016 (holiday period)

25th November 2016 (Black Friday) saw a modest, but visible spike in attacks, with another on 28th November (Cyber Monday). In all, November became the second hottest month of the period in terms of number of attacked users: with more than 120 000. The hottest was October, with more than 130 000 attacked users.

Dynamics of attacks with financial malware during Black Friday and Cyber Monday 2016

The activity of attackers during the Christmas period showed a different pattern. A major increase happened before (on December 22nd) and after (from 25 – 27th December). This may be explained by the fact that most e-commerce activities happen around these dates: people buy gifts and goods for Christmas and the New Year, travel for vacations and spend money on entertainment.

Dynamics of attacks with financial malware during the Christmas 2016 period

It is also important to note that the dynamics of attacks during the holidays are very similar to what we have already seen in 2015 and 2014. Criminals are eager to get users’ money and the holiday period is a key time for them.

To reach their goals they use one of 30 families of banking trojans of which five are the most widespread: Zbot, Nymaim, Shiotob, Gozi and Neurevt. These five are responsible for attacks against 92.35% of users in the period.

The share of users attacked with Top 5 banking trojans

Conclusion

It looks like the trends we spotted as part of our analysis of the threat landscape during the holiday period in 2014 and 2015 have repeated in 2016, but on a larger scale, with more users being attacked. It is too early to draw conclusions on how successful fraud campaigns during the 2016 holiday season were, because usually criminals who were able to steal credentials to payment cards don’t cash them in immediately. They wait for several months in order to make fraudulent transactions less suspicious to the anti-fraud systems of financial organizations, but it would be safe to say that there were multiple attempts to exploit the high sales season.

Although the holiday season is over, it is still imperative to keep in mind several simple rules to stay safe when carrying out financial operations online. Steps to follow can be found in our initial report about holiday threats.

How to hunt for rare malware

Mon, 01/09/2017 - 09:39

At SAS 2017, on April 1st and 2nd on St. Maarten, Global Director of GReAT Costin Raiu and Principal Security Researchers Vitaly Kamluk and Sergey Mineev will provide YARA training for incident response specialists and malware researchers who need an effective arsenal for finding malware. During the training, the experts will give participants access to some of Kaspersky Lab’s internal systems, which are otherwise closed to the public, to demonstrate how the company’s malware analysts catch rare samples. After two days, even as a newcomer, you’ll walk away with the ability to write rules and start using the tool for hunting malware. You can book your seat now; the class is limited to a maximum of 15 participants.

Each trainer has an impressive portfolio of cyber-espionage campaigns that they have investigated, including Stuxnet, Duqu, Flame, Gauss, Red October, MiniDuke, Turla, Careto/TheMask, Carbanak and Duqu2.

Why YARA training?

Protective measures that were effective yesterday don’t guarantee the same level of security tomorrow. Indicators of Compromise (IoCs) can help you search for footprints of known malware or for an active infection. But serious threat actors have started to tailor their tools to fit each victim, thus making IoCs much less effective. But good YARA detection rules still allow analysts to find malware, exploits and 0-days which couldn’t be found in any other way. The rules can be deployed in networks and on various multi scanner systems.

Giveaways

People who go through the training will be able to start writing relatively complex YARA rules for malware – from polymorphic keyloggers all the way up to highly complex malware – that can’t be detected easily with strings. The GReAT trainers will teach how to balance rules, in other words how to write detection rules while minimising the risk of false-positives. They also will share their experience of what exactly they are looking for when they write YARA rules as part of their everyday jobs.

What are the requirements for participation?

You don’t have to be an expert in order to go through this training. It’s enough to have basic knowledge of how to use a text editor and the UNIX grep tool, and a basic understanding of what computer viruses are and what binary formats look like. You’ll also need your laptop with YARA software v. 3.4.0 installed on the machine. Experience with malware analysis, reverse engineering and programming (especially in structured languages) will help you to learn more quickly, but this doesn’t mean that you can’t learn without it.

Catching a 0-day with YARA

One of the most remarkable cases in which Kaspersky Lab’s GReAT used YARA was the very famous Silverlight 0-day: the team started hunting for this after Hacking Team, the Italian company selling “legal surveillance tools” for governments and LEAs, was hacked. One of the stories in the media attracted our researchers’ attention — according to the article, a programmer offered to sell Hacking Team a Silverlight 0-day, an exploit for an obsolete Microsoft plug-in which at some point had been installed on a huge number of computers.

GReAT decided to create a YARA rule based on this programmer’s older, publicly available proof-of-concept exploits. Our researchers found that he had a very particular style when coding the exploits — he used very specific comments, shell code and function names. All of this unique information was used to write a YARA rule — the experts set it to carry out a clear task, basically saying “Go and hunt for any piece of malware that shows the characteristics described in the rule”. Eventually it caught a new sample, it was a 0-day, and the team reported it to Microsoft immediately.

If you’re a scholar…

Surprisingly enough, YARA can be used for any sort of classification, such as finding documents by metadata, email and so on. If you work with any kind of rare information and lack a competitive tool for searching for it, come to St. Maarten in April and join the training — you’ll benefit greatly.

You are welcome to listen to the podcast to learn about how YARA can be used in malware hunting, data analysis and incident response activities.

Book a seat at sas.kaspersky.com now to hunt APTs with YARA like a GReAT ninja!

Update from the chaos – 33c3 in Hamburg

Thu, 12/29/2016 - 08:48

Every year, the Chaos Communication Congress summons hackers from around the globe, this time again in Hamburg. The four days between Christmas and New Year are packed with talks, workshops and events all over the location at the CCH. Large hackerspaces host groups and projects from all areas such as lock-picking, art, music, software projects of all kinds and more. Tickets were strictly limited this year, so not all who wanted to come could. However, thanks to freely available live streams, free access to the video recordings and onsite resources such as the wiki and communication channels, everyone at any location could join and be part of this event.

It is simply not possible to summarize this event in a few sentences, or to point out highlights without missing some, not least because of the wide range of areas the talks and projects cover. There were technical talks about vulnerabilities in a banking app and in flight booking systems. An overview of the North Korean tablet “Woomlin” was given, following last year’s insight into the “Red Star OS” from North Korea. One of the main topics, of course, is privacy. Others focus on current trends such as IoT security, big data and blockchain. The full program can be found here.

Out of respect for the privacy of the attendees, taking photos is only allowed under strict rules. Therefore the following impressions do not contain any pictures with people.

One-stop-shop: Server steals data then offers it for sale

Thu, 12/29/2016 - 04:01

While intercepting traffic from a number of infected machines that showed signs of Remote Admin Tool malware known as HawkEye, we stumbled upon an interesting domain. It was registered to a command and control server (C2) which held stolen keylog data from HawkEye RAT victims, but was also being used as a one-stop-shop for purchasing hacking goods.

WhiteHats on the prowl?

Before diving into an analysis of the server, it is worth pointing out some interesting behavior spotted in several of the victims’ stolen accounts. A group of WhiteHat hackers who call themselves Group Demóstenes were found to be working around the clock, trawling the internet and looking to exfiltrate stolen data from C2 servers. When such a server was found, the group looked for a backdoor that would give them control over the filesystem. They would then monitor the incoming, stolen data. Either manually or automatically, they would collect the stolen credentials and send emails to the victims’ accounts. These emails contained an attachment with proof that the user’s machine has been compromised. In addition, they advise the user to change passwords immediately and offer to help.

Hi ***********

Our SERVERS detected information from a server on the US, we don’t even know goverment or another sourse …. we send a file with all your logins and passwords of all your accounts from hxxp://www.p******op[.]biz/*******
WE HAVE TESTING IN YOUR PAYPAL ACCOUNT. LOG IN TO YOUR ACCOUNT AND YOU WILL SEE TWO CANCELED BILLING (OUR JOB IS WHITE HAT NO HACK …. Steal)
Seme you verify this information. it’s better thing we hurt all change password on the other computer Because Called Computer

Name PC USER-PC
Local Time: 03.10.2016. 18:45:02
Installed Language: en-
Net Version: 2.0.50727.5485
Operating System Platform: Win32NT
Operating System Version: 6.1.7601.65536
Operating System: Microsoft Windows 7 Home Premium
Internal IP Address: 192.168.0.101
External IP Address:
Installed Anti virus: Avast Antivirus
Installed Firewall:

have a keylogger harm report All That You write, messages, passwords or more.

¿Why we do it?
We have a Cause Called Group Demóstenes looking for Ciber attacks and false info.
Please Donate by PayPal at h**cg**an@gmail[.]com 5 USD or more, Because this is only our ingress.

PLEASE WRITE ME AT THIS MAIL FOR KNOW IF YOU KNOW ABOUT THIS

The email above appears in two languages, English and Spanish. The name of the group appears to be of Portuguese origin, though it is not certain.

The shopfront: the command and control servers

Scanning for network services which are running on the C2, we discovered that it contains not only a back-end for storing stolen credentials but also a front-end for selling some of them, alongside many other “goods”.

Browsing the domain that communicated with the HawkEye RAT samples disclosed a login page. Given the fact that the server was newly operational, it allowed users to register an account and login to purchase the goods on offer.

After registering on the C2 web application, there was no sign of the stolen data transferred from compromised machines. A forum-like web page opens once the login succeeds.

The C2 was meant to securely store the stolen data; however, it contained a crucial vulnerability which allowed researchers to download the stolen data.

The C2 owners seem to have added six new shell scripts on 22 November, just a week before the research started – a further indication of how new the operation is.

Another item for sale is scam pages, and some are multilingual. The attackers also reveal the scope of their victims, noting those who are registered to Amazon, Apple, Netflix and even National Bank of Australia and Barclays. The listing of the year next to the banking information probably refers to how up-to-date the scam pages are in terms of the bank’s website updates.

The attackers have spared no details and have added additional information regarding how one should act when using their services, and who to contact in the Support tab.

To purchase goods in the private shop you must deposit money into your account on the website. The attackers accept Bitcoins, PerfectMoney and WebMoney.

Back to the stolen data

As we described, HawkEye is a robust keylogger that can hijack keystrokes from any application opened on the victim’s PC. It can also identify login events and record the destination, username and password. Its reach is, however, limited by two-factor authentication and single sign-on.

Stolen credentials on the server were found to be holding sensitive access passwords to government, healthcare, banking and payment web applications. Among them is the following web server which belongs to the Pakistani government.

As mentioned, hundreds of machines were found to be compromised by just one C2. The following is a partial list of what was downloaded from the malicious server.

Usually, careless threat actors forget to remove test files, which might contain sensitive data. In this case, we were able to obtain the attackers’ credentials from one very small file that was captured while searching for related strings.

Target geography

The research is still ongoing; the campaign is currently affecting users located in APAC, such as Japan, Thailand and India, as well as parts of Eastern Europe such as Russia and Ukraine.

Switcher: Android joins the ‘attack-the-router’ club

Wed, 12/28/2016 - 03:54

Recently, in our never-ending quest to protect the world from malware, we found a misbehaving Android trojan. Although malware targeting the Android OS stopped being a novelty quite some time ago, this trojan is quite unique. Instead of attacking a user, it attacks the Wi-Fi network the user is connected to, or, to be precise, the wireless router that serves the network. The trojan, dubbed Trojan.AndroidOS.Switcher, performs a brute-force password guessing attack on the router’s admin web interface. If the attack succeeds, the malware changes the addresses of the DNS servers in the router’s settings, thereby rerouting all DNS queries from devices in the attacked Wi-Fi network to the servers of the cybercriminals (such an attack is also known as DNS-hijacking). So, let us explain in detail how Switcher performs its brute-force attacks, gets into the routers and undertakes its DNS-hijack.

Clever little fakes

To date, we have seen two versions of the trojan:

  • acdb7bfebf04affd227c93c97df536cf; package name – com.baidu.com
  • 64490fbecefa3fcdacd41995887fe510; package name – com.snda.wifi

The first version (com.baidu.com), disguises itself as a mobile client for the Chinese search engine Baidu, simply opening a URL http://m.baidu.com inside the application. The second version is a well-made fake version of a popular Chinese app (http://www.coolapk.com/apk/com.snda.wifilocating) for sharing information about Wi-Fi networks (including the security password) between users of the app. Such information is used, for example, by business travelers to connect to a public Wi-Fi network for which they don’t know the password. It is a good place to hide malware targeting routers, because users of such apps usually connect with many Wi-Fi networks, thus spreading the infection.

The cybercriminals even created a website (though badly made) to advertise and distribute the aforementioned fake version of com.snda.wifilocating. The web server that hosts the site is also used by the malware authors as the command-and-control (C&C) server.

The infection process

The trojan performs the following actions:

  1. Gets the BSSID of the network and informs the C&C that the trojan is being activated in a network with this BSSID
  2. Tries to get the name of the ISP (Internet Service Provider) and uses that to determine which rogue DNS server will be used for DNS-hijacking. There are three possible DNS servers – 101.200.147.153, 112.33.13.11 and 120.76.249.59; with 101.200.147.153 being the default choice, while the others will be chosen only for specific ISPs
  3. Launches a brute-force attack with the following predefined dictionary of logins and passwords:
    • admin:00000000
    • admin:admin
    • admin:123456
    • admin:12345678
    • admin:123456789
    • admin:1234567890
    • admin:66668888
    • admin:1111111
    • admin:88888888
    • admin:666666
    • admin:87654321
    • admin:147258369
    • admin:987654321
    • admin:66666666
    • admin:112233
    • admin:888888
    • admin:000000
    • admin:5201314
    • admin:789456123
    • admin:123123
    • admin:789456123
    • admin:0123456789
    • admin:123456789a
    • admin:11223344
    • admin:123123123

    The trojan gets the default gateway address and then tries to access it in the embedded browser. With the help of JavaScript it tries to log in using different combinations of logins and passwords. Judging by the hardcoded names of input fields and the structure of the HTML documents that the trojan tries to access, the JavaScript code used will work only on the web interfaces of TP-LINK Wi-Fi routers.

  4. If the attempt to get access to the admin interface is successful, the trojan navigates to the WAN settings, replaces the primary DNS server with a rogue DNS controlled by the cybercriminals, and sets the secondary DNS to 8.8.8.8 (the Google DNS, to ensure ongoing stability if the rogue DNS goes down). The code that performs these actions is a complete mess, because it was designed to work on a wide range of routers and works in asynchronous mode. Nevertheless, I will show how it works, using a screenshot of the web interface and by placing the right parts of the code successively.
  5. If the manipulation of the DNS addresses was successful, the trojan reports its success to the C&C

So, why is it bad?

To appreciate the impact of such actions it is crucial to understand the basic principles of how DNS works. The DNS is used for resolving a human-readable name of the network resource (e.g. website) into an IP address that is used for actual communications in the computer network. For example, the name “google.com” will be resolved into IP address 87.245.200.153. In general, a normal DNS query is performed in the following way:

When using DNS-hijacking, the cybercriminals change the victim’s (which in our case is the router) TCP/IP settings to force it to make DNS queries to a DNS server controlled by them – a rogue DNS server. So, the scheme will change into this:

As you can see, instead of communicating with the real google.com, the victim will be fooled into communicating with a completely different network resource. This could be a fake google.com, saving all your search requests and sending them to the cybercriminals, or it could just be a random website with a bunch of pop-up ads or malware. Or anything else. The attackers gain almost full control over the network traffic that uses the name-resolving system (which includes, for example, all web traffic).

You may ask – why does it matter: routers don’t browse websites, so where’s the risk? Unfortunately, the most common configuration for Wi-Fi routers involves making the DNS settings of the devices connected to it the same as its own, thus forcing all devices in the network to use the same rogue DNS. So, after gaining access to a router’s DNS settings one can control almost all the traffic in the network served by this router.

The cybercriminals were not cautious enough and left their internal infection statistics in the open part of the C&C website.

According to them, they successfully infiltrated 1,280 Wi-Fi networks. If this is true, traffic of all the users of these networks is susceptible to redirection.

Conclusion

The Trojan.AndroidOS.Switcher does not attack users directly. Instead, it targets the entire network, exposing all its users to a wide range of attacks – from phishing to secondary infection. The main danger of such tampering with routers’ settings is that the new settings will survive even a reboot of the router, and it is very difficult to find out that the DNS has been hijacked. Even if the rogue DNS servers are disabled for some time, the secondary DNS which was set to 8.8.8.8 will be used, so users and/or IT will not be alerted.

We recommend that all users check their DNS settings and search for the following rogue DNS servers:

  • 101.200.147.153
  • 112.33.13.11
  • 120.76.249.59

If you have one of these servers in your DNS settings, contact your ISP support or alert the owner of the Wi-Fi network. Kaspersky Lab also strongly advises users to change the default login and password to the admin web interface of your router to prevent such attacks in the future.
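As an added example (not from the article or the malware), the following check implements the recommendation above: it takes resolver entries, either from resolv.conf-style text or from a list of addresses copied from a router’s WAN settings page, flags the three rogue servers, and also notes the rogue-primary-plus-8.8.8.8 pattern the trojan leaves behind. The sample configurations are constructed.

```python
"""Audit DNS resolver settings for the rogue servers used by
Trojan.AndroidOS.Switcher.  Added example, not the article's code;
the sample configurations below are constructed."""
import os
import re

# Rogue resolvers the article lists for Switcher.
ROGUE_DNS = {"101.200.147.153", "112.33.13.11", "120.76.249.59"}
# Switcher writes this as the secondary resolver so that an outage of the
# rogue server is masked rather than noticed.
SILENT_FALLBACK = "8.8.8.8"

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def nameservers_from_resolv_conf(text):
    """Return resolver addresses from resolv.conf-style text, in order.
    Commented-out lines do not match because they start with '#'."""
    return NAMESERVER_RE.findall(text)


def audit_servers(servers):
    """Audit an ordered list of resolver addresses (e.g. copied from a
    router's WAN settings page).  Returns the verdict, the rogue entries
    found, and whether the rogue-primary + 8.8.8.8 pattern described in
    the article is present."""
    rogue = [s for s in servers if s in ROGUE_DNS]
    silent_fallback = (
        len(servers) >= 2
        and servers[0] in ROGUE_DNS
        and SILENT_FALLBACK in servers[1:]
    )
    return {
        "verdict": "hijacked" if rogue else "clean",
        "rogue": rogue,
        "silent_fallback": silent_fallback,
    }


def audit_resolv_conf(text):
    """Convenience wrapper: audit resolv.conf-style text."""
    return audit_servers(nameservers_from_resolv_conf(text))


# Constructed samples: a hijacked configuration and a normal one.
SAMPLE_HIJACKED = """\
# generated by DHCP from the Wi-Fi router
search lan
nameserver 101.200.147.153
nameserver 8.8.8.8
"""
SAMPLE_CLEAN = """\
search lan
# nameserver 120.76.249.59   <- commented out, must be ignored
nameserver 192.168.0.1
"""

if __name__ == "__main__":
    # Check the live resolver configuration where one exists, then the
    # constructed samples so the script demonstrates both outcomes anywhere.
    path = "/etc/resolv.conf"
    if os.path.exists(path):
        with open(path) as fh:
            print(path, audit_resolv_conf(fh.read()))
    for name, text in (("hijacked", SAMPLE_HIJACKED), ("clean", SAMPLE_CLEAN)):
        print(name, audit_resolv_conf(text))
```

On a Windows or Android client the resolver list can be read from the OS or the router page and passed straight to `audit_servers`.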

Is Mirai Really as Black as It’s Being Painted?

Thu, 12/22/2016 - 05:53

The Mirai botnet, which is made up of IoT devices and which was involved in DDoS attacks whose scale broke all possible records, causing denial of service across an entire region, has been extensively covered by the mass media. Given that the botnet’s source code has been made publicly available and that the Internet of Things trend is on the rise, no decline in IoT botnet activity should be expected in the near future.

To put this in perspective, recall the year 2012, when the source code of the Zeus banker Trojan was made publicly available. A huge number of modifications of the Trojan appeared as a result of this, many of which are still active and rank among the most widespread financial malware. Similarly, the recent leak is likely to result in the emergence of Mirai modifications, created by cybercriminals and based on the source code that was made public.

The botnet remains active. We carried out an analysis of its activity to find out how Mirai operates, what objectives its owners are pursuing and, most importantly, what needs to be done to avoid becoming part of the botnet in the future.

How Mirai Works

Based on the botnet’s source code that was published on a user forum, Mirai consists of the following components:

  • a command-and-control center (C&C) that contains a MySQL database of all infected IoT devices (bots) and sends commands to intermediate command distribution servers;
  • a Scan Receiver component that collects the results of each bot’s operation and forwards them to the component that downloads the bot onto vulnerable devices (the Distributor);
  • a downloader component, which delivers the bot’s binary file to a vulnerable device (using the wget and tftp utilities – but if they are not present in the system, it uses its own proprietary downloader);
  • a bot, which, after being launched on an infected device, connects to the command-and-control center, scans an IP range (SYN scanning) for vulnerable IoT devices and sends the scan results to the Scan Receiver component in order for further malicious code to be subsequently downloaded to the device.

An important feature of the way the Mirai botnet scans devices is that the bot uses a login and password dictionary when trying to connect to a device. The author of the original Mirai included a relatively small list of logins and passwords for connecting to different devices. However, we have seen a significant expansion of the login and password list since then, achieved by including default logins and passwords for a variety of IoT devices, which means that multiple modifications of the bot now exist.

List of logins and passwords used by the original Mirai in its search for vulnerable IoT devices

However, this is by no means all the Mirai botnet can tell us about itself.

Analysis of the Botnet’s Activity

All you need to do to evaluate the Mirai botnet’s current activity is to deploy a server with an open telnet port somewhere on the Internet and analyze connection attempts made by different bots. For example, we detected the first attempts to connect to our telnet port, by several different hosts, within three minutes of putting our experimental server online.

Two facts indicate that these connections are made by bots of the original Mirai or its modifications (i.e., by infected devices):

  • the accounts used by the bots in their attempts to establish a connection are found on the original botnet’s brute force word list;
  • an analysis of connection sources has shown that infected hosts that perform scanning are in most cases IoT devices (cameras and routers of different manufacturers).

Connection attempts by infected Mirai workstations in search of IoT devices using default passwords

Here is a list of login and password pairs most often used by Mirai bots in connection attempts:

“Login:password” combinations:

  1. admin:admin
  2. root:xc3511
  3. root:vizxv
  4. root:juantech
  5. root:default
  6. admin:admin1234
  7. root:password
  8. root:root
  9. root:xmhdipc
  10. admin:smcadmin

If you ignore trivial combinations like “root:root” or “admin:admin”, you can get a good idea of which equipment the botnet is looking for. For example, the pairs “root:xc3511” and “root:vizxv” are default accounts for IP cameras made by rather large Chinese manufacturers.

Admin panel for managing an IP camera that is part of the botnet

As for the activity of the botnet itself, you can analyze the number of login attempts over 24 hours and see for yourself. On December 13, 2016 we recorded 5,553 attempts by Mirai bots to connect to our server, while 10 days before that, on December 3, 2016, we recorded 8,689 connection attempts. Does this mean that the botnet is losing power? Reduced activity related to searching for new potential bots might certainly be an indication that the rate at which Mirai is infecting new devices is falling, but it is too early to draw any conclusions.
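To put the analysis above into practice, here is an added example (not the article’s code) that classifies telnet-honeypot login attempts against the ten credential pairs listed for Mirai, sets aside the trivial root:root and admin:admin pairs as the article suggests, and counts likely-Mirai attempts per day and per source host. The log line format is hypothetical and the sample lines are constructed.

```python
"""Classify telnet login attempts against the credential pairs the
article lists for Mirai bots.  Added example, not the article's code;
the log lines and their format are constructed for this example."""
from collections import Counter, defaultdict
import re

# The ten "login:password" pairs most often seen from Mirai bots
# (from the article's list).
MIRAI_PAIRS = {
    ("admin", "admin"), ("root", "xc3511"), ("root", "vizxv"),
    ("root", "juantech"), ("root", "default"), ("admin", "admin1234"),
    ("root", "password"), ("root", "root"), ("root", "xmhdipc"),
    ("admin", "smcadmin"),
}
# Pairs the article calls trivial: too common to attribute on their own.
TRIVIAL_PAIRS = {("root", "root"), ("admin", "admin")}

# Hypothetical honeypot line format:
# "<ISO timestamp> <source IP> <user> <password>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\S+)\s+(?P<src>(?:\d{1,3}\.){3}\d{1,3})"
    r"\s+(?P<user>\S+)\s+(?P<pw>\S*)$"
)


def parse_line(line):
    """Return (timestamp, source, user, password), or None for a
    malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("src"), m.group("user"), m.group("pw")


def classify(user, password):
    """'mirai' for a distinctive dictionary pair, 'generic' for root:root /
    admin:admin (not attributable by itself), 'other' for everything else."""
    pair = (user, password)
    if pair in TRIVIAL_PAIRS:
        return "generic"
    if pair in MIRAI_PAIRS:
        return "mirai"
    return "other"


def summarize(lines):
    """Count likely-Mirai attempts per day, the source hosts behind them,
    and which dictionary pairs were tried; malformed lines are skipped."""
    per_day = Counter()
    sources = defaultdict(set)
    pairs = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, user, pw = parsed
        if classify(user, pw) != "mirai":
            continue
        day = ts[:10]
        per_day[day] += 1
        sources[day].add(src)
        pairs[f"{user}:{pw}"] += 1
    return {
        "per_day": dict(per_day),
        "sources": {day: sorted(s) for day, s in sources.items()},
        "pairs": dict(pairs),
    }


# Constructed sample log (documentation-range addresses, not real hosts).
SAMPLE_LOG = """\
2016-12-03T00:01:12 203.0.113.5 root xc3511
2016-12-03T00:01:13 203.0.113.5 root vizxv
2016-12-03T00:04:40 198.51.100.9 admin admin
2016-12-03T00:05:02 198.51.100.9 root juantech
2016-12-13T11:20:00 192.0.2.77 root xmhdipc
2016-12-13T11:20:01 192.0.2.77 root letmein
this line is not a login record
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```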

How to Avoid Becoming Part of the Mirai Botnet

We recommend the following measures to prevent your devices from being included in the Mirai botnet:

  • Change the default account parameters on each of your devices. Account passwords should be at least 8 characters long and include digits, upper-case letters and special characters.
  • On each device, install the latest updates provided by the manufacturer.
  • It is a good idea to block all potential entry points to the operating system on your devices (telnet/SSH/web panel, etc.) from being accessed over the Internet.

More details about the Mirai botnet are available to subscribers to Kaspersky Intelligence Services reports. For more information, email intelreports@kaspersky.com.

Notes from HITCON Pacific 2016

Tue, 12/20/2016 - 10:45

Hacks in Taiwan Conference (HITCON) Pacific 2016 was held in Taipei city, Taiwan from the 27th of November to the 3rd of December this year. The concept of this event is “The Fifth Domain: Cyber | Homeland Security”. HITCON Pacific 2016 is a more formal event than HITCON Community 2016, which we attended last summer.

More than 500 participants from around the world attended the event, which included technical trainings, a security conference and a capture the flag (CTF) competition. We met many highly skilled malware analysts, incident responders, security researchers and professionals at this event to discuss some of the most recent topics in the field of cybersecurity: ransomware, ATM hacking, IoT security, machine learning and targeted attacks. Based on our experience, this event is one of the brightest international security conferences in the Asia-Pacific region. One of the organizers, Mr. Sung-ting Tsai, opened the conference with the following words: “HITCON is not only running community and technical topics, in HITCON Pacific we are also concerned about the strategic and operational issues. HITCON Pacific is providing an international platform to connect and collaborate with enterprises, governments, vendors and security experts, especially in Asia Pacific region.”

The conference has been recognized by the local government. One of the most honorable keynote speakers of this event was the president of Taiwan, Tsai Ing-wen (蔡英文). To our knowledge, it was the first time ever that a president of a country or region has given the opening speech at an information security conference. Such special attention from the president reflects the Taiwanese government’s concern about improving cybersecurity in Taiwan and the whole Asia Pacific region. She said during her keynote speech: “The spirit of hacking culture is in stepping out of tradition and fighting against the present situation. Governmental organizations need such spirit to cultivate innovation”.

Two speakers from Global Research and Analysis Team (GReAT) of Kaspersky Lab also presented on the same stage: Vitaly Kamluk and Suguru Ishimaru (that’s me).

Vitaly talked about Yara techniques, with some of the most remarkable stories, including finding 0-day exploits in Microsoft Silverlight. Surprisingly for the organizers and the audience, Vitaly presented with zero slides during his 40-minute talk. All the content he showed was Yara tool output in a terminal session, which looked like a live demo but with nice ASCII art and dynamic transition effects. His presentation style was very innovative and was widely discussed after his speech.

I attended the HITCON Community conference earlier this year and liked the conference so much that I decided to come again as a speaker. Needless to say, it was challenging for me, because I had never presented on such a large stage outside of Japan before. Also, I had to present in English, which is not my native language and isn’t my strongest skill.

I talked about malware discovered in targeted attacks which focused on Taiwan and Japan. My talk was titled “Why corrupted samples in recent APTs?”. The talk covered some of the new techniques that were used to prevent automated malware analysis, resulting in the erroneous marking of the samples as corrupted. I showed a live demo of such samples, which would cause a system exception on any system except that of the victim.

We had a chance to attend many other great talks by security researchers. Some of the talks we liked included: Ryan Olson from Palo Alto Networks, who talked about “Target Identification through Decoy File Analysis”, Takahiro Haruyama from Symantec, who made a presentation about “Winnti Polymorphism”, Kyoung-Ju Kwak from Financial Security Institute, with his talk “Fly me to the BLACKMOON”, and Philippe Lin and Ricky Chou from Trendmicro, who talked about “Experience of Microsoft Malware Classification Challenge”. You can download the slides and agenda from the official website of HITCON Pacific 2016.

In conclusion, HITCON Pacific 2016 was a fantastic event and I definitely recommend it to all the people who would like to explore the cybersecurity arena in Asia Pacific. The organizers kindly offered free simultaneous translation from/to Chinese, which built a unique bridge between the rather closed Chinese-speaking security community and the rest of the world. For me personally, this time was a very meditative thing: my first challenge of presenting at an international conference in English, and the honor of meeting the president and delivering a talk on the same stage.

The banker that encrypted files

Mon, 12/19/2016 - 03:58

Many mobile bankers can block a device in order to extort money from its user. But we have discovered a modification of the mobile banking Trojan Trojan-Banker.AndroidOS.Faketoken that went even further – it can encrypt user data. In addition to that, this modification is attacking more than 2,000 financial apps around the world.

We have managed to detect several thousand Faketoken installation packages capable of encrypting data, the earliest of which dates back to July 2016. According to our information, the number of this banker’s victims exceeds 16,000 users in 27 countries, with most located in Russia, Ukraine, Germany and Thailand.

Trojan-Banker.AndroidOS.Faketoken is distributed under the guise of various programs and games, often imitating Adobe Flash Player.

Preparing the groundwork

The Trojan is capable of interacting with protection mechanisms in the operating system. For example, it requests rights to overlay other apps or the right to be a default SMS application. This allows Faketoken to steal user data even in the latest versions of Android.

Once the Trojan becomes active, it requests administrator rights. If the user denies the request, Faketoken repeatedly refreshes the window asking for these rights, which leaves the victim with little choice.

The Trojan imitating “Yandex.Navigator” to request administrator rights

Once it has received administrator rights, Faketoken starts requesting the necessary permissions: to access the user’s text messages, files and contacts, to send text messages and make calls. These requests will also be repeatedly displayed until the user agrees to provide access.

The Trojan then requests the right to display its windows on top of other applications. This is necessary to block the device and steal user data by displaying phishing pages.

The Trojan requesting the right to display its windows on top of other applications

The final request at the preparatory stage is for the right to be the default SMS application – this allows Faketoken to covertly steal text messages on the latest versions of Android. The Trojan integrates the options necessary for the user to work with SMS. However, on some Android devices and versions when the user attempts to send an SMS via Faketoken it returns an error. As a result, the user cannot send SMS messages until they manually change the SMS application. The Trojan doesn’t like that, and will start requesting the right again.

Manipulations with application shortcuts can also be added to the preparatory stage. After launching, Faketoken starts downloading an archive containing file icons of several applications (the version being analyzed here has eight) related to social networks, instant messengers and browsers. Then it tries to delete the previous shortcuts to these applications and create new ones.

On the test devices the Trojan failed to remove the previous shortcuts which eventually led to the appearance of duplicates

It is not clear why it does this because the shortcuts created by Faketoken lead to the original applications.

Data theft

Once the shortcuts are installed, the next stage of the Trojan’s work begins – the theft of user data. Faketoken downloads a database from the server containing phrases in 77 languages for different device localizations.

Screenshot of the database with phrases in different languages

Using these or other phrases from the database, depending on the operating system language, the Trojan will show the user various phishing messages.

Examples of phishing messages displayed by the Trojan

If the user clicks on the message, the Trojan opens a phishing page designed to steal passwords from Gmail accounts. In addition to that, the Trojan overlays the original Gmail application with this page for the same purpose – to steal the password.

Phishing page imitating the login page of the Gmail mail service

However, the Trojan doesn’t limit itself to Gmail. Like most modern mobile Trojans, Faketoken overlays the original Google Play app with its phishing window to steal the victim’s bank card details.

Phishing page used by the Trojan to steal credit card details

The Trojan can also get the list of applications for attack and an HTML template page to generate phishing pages for the attacked applications from the C&C server. In our case, Faketoken received a list of 2,249 financial applications from around the world.

Example of the Trojan’s phishing pages designed for different applications

It should be noted that the Trojan includes functionality that lets the HTML page it received from the C&C server call some of the Trojan’s methods. As a result, in addition to the phishing functionality, the pages described above can obtain certain information about the device, including the address of the Gmail account, and, even worse, reset the device to factory settings.

What’s more, Faketoken can perform the following actions upon command from the C&C server:

  • Change masks to intercept incoming text messages;
  • Send text messages to a specified number with a specified text;
  • Send text messages with a specified text to a specified list of recipients;
  • Send a specified text message to all contacts;
  • Upload all text messages from the device to the malicious server;
  • Upload all the contacts from the device to the malicious server;
  • Upload the list of installed applications to the malicious server;
  • Reset the device to factory settings;
  • Make a call to a specified number;
  • Download a file to the device following a specified link;
  • Remove specified applications;
  • Create a notification on the phone to open a specified page or run a specified application;
  • Start overlaying specified applications with a specified phishing window;
  • Open a specified link in its own window;
  • Run an application;
  • Block the device in order to extort money for unblocking it. This command may include an option indicating the need to encrypt files.

Ransomware banker

As mentioned above, the ransomware functionality in mobile banking Trojans is now commonplace, after being pioneered by Svpeng in early 2014. However, the new Faketoken version can not only extort money by blocking the screen but also by encrypting user files.

Screenshot of the Trojan code that renames and then encrypts files.

Once the relevant command is received, the Trojan compiles a list of files located on the device (external memory, memory card) corresponding to the given list of 89 extensions and encrypts them. The AES symmetric encryption algorithm is used, which leaves the user with a chance of decrypting files without paying a ransom. The Trojan receives the encryption key and the initialization vector from the C&C server. The encrypted files include both media files (pictures, music, videos) and documents. The Trojan changes the extension of the encrypted files to .cat.

In conclusion, we would like to note that file encryption is not that popular with the developers of mobile ransomware (at least currently), which may be because most files stored on a mobile device are copied to the cloud. In other words, demanding a ransom in return for decrypting them is pointless.

Kaspersky Security Bulletin 2016. Review of the year. Overall statistics for 2016

Wed, 12/14/2016 - 03:58

Introduction

If they were asked to sum up 2016 in a single word, many people around the world – particularly those in Europe and the US – might choose the word ‘unpredictable’. On the face of it, the same could apply to cyberthreats in 2016: the massive botnets of connected devices that paralysed much of the Internet in October; the relentless hacking of high profile websites and data dumps; the SWIFT-enabled bank heists that stole billions of dollars, and more. However, many of these incidents had in fact been predicted, sometimes years ago, by the IT security industry, and the best word for them is probably ‘inevitable’.

For cyberthreats, 2016 was the year when “sooner or later” became “now” #KLReport

Most of all, in 2016, ransomware continued its relentless march across the world – with more new malware families, more modifications, more attacks and more victims. However, there are rays of hope, including the new, collaborative No More Ransom initiative. Kaspersky Lab has designated the revolution in ransomware its Story of the Year for 2016 and you can read more about its evolution and impact here.

Elsewhere on the cybersecurity landscape, targeted cyberespionage attacks, financial theft, ‘hacktivism’ and vulnerable networks of connected devices all played their part in what has been a tense and turbulent year.

This Executive Summary provides an overview of the top threats and statistics for 2016. Full details are included in the accompanying Review & Statistics.

It also considers what these threats mean to organisations trying to spot a breach or cyberattack. How ready are businesses to proactively prevent and mitigate a cyberthreat? What can be done to help them?

Six things we learned this year that we didn’t know before

1. That the underground economy is more sophisticated and bigger than ever: xDedic – the shady marketplace

In May, we uncovered a large, active cybercriminal trading platform, called xDedic. xDedic listed and facilitated the buying and selling of hacked server credentials. Around 70,000 compromised servers were on offer – although later evidence suggests that there could have been as many as 176,000 – located in organisations around the world. In most cases, the legitimate owners had no idea that one of their servers, humming away in a back room or data center, had been hijacked and was being passed from criminal to criminal.

xDedic is not the first underground marketplace, but it is evidence of the growing complexity and sophistication of the black market economic ecosystem.

“xDedic is a hacker’s dream, simplifying access to victims, making it cheaper and faster, and opening up new possibilities for both cybercriminals and advanced threat actors.”

GReAT

2. That the biggest financial heist did not involve a stock exchange: the SWIFT-enabled transfers

One of the most serious attacks in 2016 was that using the inter-bank network, SWIFT (Society for Worldwide Interbank Financial Telecommunication). In February 2016, hackers used the SWIFT credentials of Bangladesh Central Bank employees to send fraudulent transaction requests to the Federal Reserve Bank of New York, asking it to transfer millions of dollars to various bank accounts in Asia. The hackers were able to get $81 million transferred to the Rizal Commercial Banking Corporation in the Philippines and an additional $20 million to Pan Asia Banking. The campaign was cut short when the bank spotted a typo in one of the transfer requests. You can read the story here. In the following months, further bank attacks using SWIFT credentials came to light.

Following the theft of $100 million many banks were forced to improve their authentication and SWIFT software update procedures #KLReport

3. That critical infrastructure is worryingly vulnerable: the BlackEnergy attacks

BlackEnergy deserves a place in this list even though, strictly speaking, it took place at the end of 2015. However, it was only in early 2016 that the full effect of the BlackEnergy cyber-attack on the Ukrainian energy sector became clear. The attack was unique in terms of the damage it caused. This included disabling the power distribution system in Western Ukraine, wiping software on targeted systems and unleashing a Distributed Denial of Service (DDoS) attack on the technical support services of affected companies. Kaspersky Lab has supported the investigation into BlackEnergy since 2010, including, among other things, an analysis of the tool used to penetrate the target systems. You can find our 2016 report here.

The BlackEnergy cyberattack on the Ukrainian energy sector revealed the vulnerability of critical infrastructures worldwide #KLReport

To help organizations working with industrial control systems (ICS) to identify possible points of weakness, Kaspersky Lab experts have conducted an investigation into ICS threats. Their findings are published in the Industrial Control Systems Threat Landscape report.

4. That a targeted attack can have no pattern: the ProjectSauron APT

In 2016 we discovered the ProjectSauron APT: a likely nation-state backed cyberespionage group that has been stealing confidential data from organisations in Russia, Iran and Rwanda – and probably other countries – since June 2011. Our analysis uncovered some remarkable features: for example, the group adopted innovative techniques from other major APTs, improving on their tactics in order to remain undiscovered. Most importantly of all: tools are customized for each given target, reducing their value as Indicators of Compromise (IoCs) for any other victim. An overview of the methods available to deal with such a complex threat can be found here.

ProjectSauron’s pattern-less spying platform has far-reaching implications for some basic principles of threat detection #KLReport

5. That the online release of vast volumes of data can be an influential tactic: ShadowBrokers and other data dumps

2016 saw a number of remarkable online data dumps. The most famous is probably that by a group calling itself the ShadowBrokers. On August 13, they appeared online claiming to possess files belonging to the ultimate APT predator, the Equation Group. Our research suggests there are similarities between the data dumped by ShadowBrokers and that used by the Equation Group. The initial data dump included a number of unreported zero-days, and there have been further dumps in recent months. The long-term impact of all this activity is unknown, but it has already revealed the huge and rather worrying influence such data dumps can potentially have on public opinion and debate.

In 2016 we also witnessed data breaches at beautifulpeople.com, Tumblr, the nulled.io hacker forum, Kiddicare, VK.com, Sage, the official forum of DotA 2, Yahoo, Brazzers, Weebly and Tesco Bank – for motives ranging from financial gain to personal reputation blackmail.

A LinkedIn hack made public in 2016 revealed over a million uses of the password ‘123456’. #KLReport

6. That a camera could be part of a global cyber-army: the insecure Internet of Things

Connected devices and systems, from homes and vehicles to hospitals and smart cities, exist to make our lives safer and easier. However, many were designed and manufactured without much thought for security – and sold to people who underestimated the need to protect them with more than default factory security settings.

The risk of connecting everything without proper safeguards – after 2016, need we say more? #KLReport

As the world now knows, all these millions of insecure connected devices represent a powerful temptation to cybercriminals. In October, attackers used a botnet of over half a million internet-connected home devices to launch a DDoS attack against Dyn – a company that provides DNS services to Twitter, Amazon, PayPal, Netflix and others. The world was shocked, but warnings about unstable IoT security have been around for a long time.

For example, in February, we showed how easy it was to find a hospital, gain access to its internal network and take control of an MRI device – locating personal data about patients and their treatment procedures and obtaining access to the MRI device file system. In April, we published the results of our research into, among other things, the vulnerability of city traffic sensors and smart ticket terminals.

Manufacturers need to work with the security industry to implement ‘security-by-design’ #KLReport

Other top threats

Inventive APTs

At least 33 countries were targeted by APTs reported on by Kaspersky Lab #KLReport

In February, we reported on Operation Blockbuster, a joint investigation by several major IT security companies into the activities of the Lazarus gang, a highly malicious entity responsible for data destruction.

The Lazarus group is believed to have been behind the attack on Sony Pictures Entertainment in 2014 #KLReport

Adwind is a cross-platform, multi-functional RAT (Remote Access Tool) distributed openly as a paid service, where the customer pays a fee in return for use of the malicious software. It holds the dubious distinction of being one of the biggest malware platforms currently in existence, with around 1,800 customers in the system by the end of 2015.

Adwind’s malware-for-rent had a customer base of 1,800 #KLReport

APTs everywhere continued to make the most of the fact that not everyone promptly installs new software updates – in May we reported that at least six different groups across the Asia-Pacific and Far East regions, including the newly discovered Danti and SVCMONDR groups, were exploiting the CVE-2015-2545 vulnerability. This flaw enables an attacker to execute arbitrary code using a specially-crafted EPS image file. A patch for the vulnerability was issued back in 2015.

Over six APT groups used the same vulnerability – patched back in 2015 #KLReport

New zero-days

Zero-days remained a top prize for many targeted attackers.

In June, we reported on a cyber-espionage campaign launched by a group named ScarCruft and code-named Operation Daybreak, which was using a previously unknown Adobe Flash Player exploit (CVE-2016-1010). Then in September we discovered a Windows zero-day, CVE-2016-3393, being used by a threat actor known as FruityArmor to mount targeted attacks.

In all, new Kaspersky Lab technologies designed to identify and block such vulnerabilities helped us to uncover four zero-days in 2016. The other two are an Adobe Flash vulnerability, CVE-2016-4171, and a Windows EoP (Escalation of Privilege) exploit, CVE-2016-0165.

The hunt for financial gain

Tricking people into either disclosing personal information or installing malware that then seizes the details for their online bank account remained a popular and successful option for cyber-thieves in 2016. Kaspersky Lab solutions blocked attempts to launch such malware on 2,871,965 devices. The share of attacks targeting Android devices increased more than four-fold.

A third of banking malware attacks now target Android devices #KLReport

Some APT groups were also more interested in financial gain than cyberespionage. For example, the group behind Metel infiltrated the corporate network of banks in order to automate the roll-back of ATM transactions: gang members could then use debit cards to repeatedly steal money from ATMs without ever affecting the balance on the card. At the end of 2016 this group remains active.

Metel launched targeted attacks on banks – then sent teams to ATMs at night to withdraw the cash #KLReport

In June, Kaspersky Lab supported the Russian police in their investigation into the Lurk gang. The collaboration resulted in the arrest of 50 suspects allegedly involved in creating networks of infected computers and the theft of more than 45 million dollars from local banks, other financial institutions and commercial organizations.

During the investigation, researchers spotted that users attacked by Lurk had the remote administration software Ammyy Admin installed on their computers. This led to the discovery that the official Ammyy Admin website had most probably been compromised, with the Trojan being downloaded to users’ computers along with the legitimate Ammyy Admin software.

The takedown of the Lurk gang was the largest ever arrest of hackers in Russia #KLReport

The ultimate vulnerability: people

2016 also revealed that targeted attack campaigns don’t always need to be technically advanced in order to be successful. Human beings – from hapless employees to malicious insiders – often remained the easiest access route for attackers and their tools.

In July, we reported on a group called Dropping Elephant (also known as ‘Chinastrats’ and ‘Patchwork’). Using high quality social engineering combined with old exploit code and some PowerShell-based malware, the group was able to successfully steal sensitive data from high-profile diplomatic and economic organisations linked to China’s foreign relations.

Dropping Elephant and Operation Ghoul confirmed the fearsome power of high quality social engineering #KLReport

Further, Operation Ghoul sent spear-phishing e-mails that appeared to come from a bank in the UAE to top and middle level managers of numerous companies. The messages claimed to offer payment advice from the bank and attached a look-alike SWIFT document containing malware.

“Cybercriminals are using insiders to gain access to telecommunications networks and subscriber data, recruiting disaffected employees through underground channels or blackmailing staff using compromising information gathered from open sources.”

Threat Intelligence Report for the Telecommunications Industry

Mobile advertising

The main mobile threats in 2016 were advertising Trojans able to obtain ‘root’ or superuser rights on an infected Android device – a level of access that allowed them to do pretty much whatever they wanted. This included hiding in the system folder, thereby making themselves almost impossible to delete, and silently installing and launching different apps that aggressively display advertising. They can even buy new apps from Google Play.

22 of the 30 most popular Trojans in 2016 are advertising Trojans – twice as many as in 2015 #KLReport

Many such Trojans were distributed through the Google Play Store: some of them were installed more than 100,000 times, and one – an infected Pokemon GO Guide app – was installed more than 500,000 times.

Malware distributed through Google Play was downloaded hundreds of thousands of times #KLReport

One Android Trojan was installed, and even updated, as a ‘clean’ (malware-free) app before hitting targets with an infected version. Others, including Svpeng, used the Google AdSense advertising network for distribution.

Further, some Trojans found new ways to bypass Android security features – in particular the screen overlays and the need to request permission before opening a new app – forcing the user to sign over the access rights the Trojan was looking for.

Mobile ransomware also evolved to make use of overlays, blocking rather than encrypting data since this is generally backed-up.

To read more on these stories, please download the full annual Review for 2016 here.

For an in-depth look at the Statistics for 2016, please register to download the Statistics report here.

The impact on business

The 2016 threat landscape indicates a growing need for security intelligence

The Kaspersky Security Bulletin 2016 highlights the rise of complex and damaging cybersecurity threats, many of which have a far-reaching impact on businesses. This impact is also reflected in our Corporate IT Security Risks Reports (1, 2) based on a 2016 survey of more than 4000 businesses worldwide.

Among other things, the survey asked companies about the most crucial metric of incident detection and response: time.

Incident detection time is critical

Previously unreleased findings from the research show that the typical time required to detect an IT Security event is several days – 28.7% of companies said it took them that long to detect a security breach on average.

Time required to detect an IT security event

Only 8.2% of businesses managed to detect security breaches almost instantly, and for 19.1% of businesses it took several weeks to detect a serious security event. When we asked how they eventually detected a long-standing breach, the replies were revealing.

Going beyond prevention

Average time frame required to detect a security event, across all security events within the last 12 months

In this chart we combine the average time to discover a security event with the responses we received on how businesses detected a breach. Apparently, businesses that struggle to detect a breach quickly, eventually spot them through one or more of the following: an external or internal security audit, or, sadly, notification from a third party.

It turns out that for these businesses a security audit of any kind is the best measure of ‘last resort’ to finally bring it to light. But should it be only a last resort?

This is where our report detects an obvious discrepancy between theory and practice. Although 65% of businesses admit that a security audit is an effective security measure, less than half of the companies surveyed (48%) have conducted such an audit in the last 12 months. Further, 52% of companies operate under the assumption that their IT security will inevitably be compromised at some point, although 48% are not ready to accept this. In short: many businesses find a structured detection and response strategy difficult to embrace.

The cost of delay

It is safe to assume that the longer it takes to detect a security breach, the higher the mitigation costs and the greater the potential damage. The results reveal the shocking truth that failure to discover an attack within a few days results in a doubling, or more, of the costs.

Cost of recovery vs. time needed to discover a security breach for enterprises

For enterprises, an attack undiscovered for a week or more costs 2.77 times that of a breach detected almost instantly. SMBs end up paying 3.8 times more to recover from an incident detected too late.

It is clear that better detection significantly reduces business costs. But the implementation of incident detection and response strategies is quite different from ensuring proper prevention. The latter provides a choice of well-established corporate solutions. The former requires security intelligence, a deep knowledge of the threat landscape, and security talent capable of applying that expertise to the unique specifics of a company. According to our special Corporate IT Security Risks report, businesses that struggle to attract security experts end up paying twice as much for their recovery after an incident.

Kaspersky Lab’s solution: turning intelligence into protection

In 2016 Kaspersky Lab significantly expanded its portfolio with products like Kaspersky Anti-Targeted Attack Platform and security services like Penetration Testing and Threat Data Feeds, all to help meet customer needs for better detection and response. Our plan is to offer security intelligence via any means necessary: with a technology to detect targeted threats, a service to analyze and respond to a security event, and intelligence that helps investigate an issue properly.

We appreciate that, for many businesses, going beyond prevention is a challenge. But even a single targeted attack that is detected early and mitigated rapidly is worth the investment – and increases the chances that the next assault on the corporate infrastructure is prevented outright.

Zcash, or the return of malicious miners

Mon, 12/12/2016 - 04:01

On 28 October, the cryptocurrency world saw the emergence of a new player, the Zcash (ZEC) cryptocurrency. Its developers have described it rather figuratively: “If Bitcoin is like HTTP for money, Zcash is HTTPS.” They continue by noting that “unlike Bitcoin, Zcash transactions can be shielded to hide the sender, the recipient and value of all transactions.”

The cryptocurrency market has been looking for this level of anonymity for a while now, so ZEC has attracted considerable interest from investors, miners and cybercriminals alike. Several major cryptocurrency exchanges were quick to offer support for the new currency.

Zcash got off to a flying start; within the first few hours, 1 ZEC reached $30,000. It should be pointed out, however, that there were only a few dozen coins in existence at that time, so the actual turnover was very low.

In the following days, ZEC’s value steadily declined against Bitcoin. At the time of writing, it had leveled out temporarily at 0.07 – 0.01 ZEC/BTC (around $70). Despite this dramatic drop from the initial values (which was anticipated), Zcash mining remains among the most profitable compared to other cryptocurrencies.

Ranking of cryptocurrency mining profitability, as reported by the CoinWarz website

This has led to the revival of a particular type of cybercriminal activity – the creation of botnets for mining. A few years ago, botnets were created for bitcoin mining, but the business all but died out after it became only marginally profitable.

In November, we recorded several incidents where Zcash mining software was installed on users’ computers without permission. Because these software programs are not malicious in themselves, most anti-malware programs do not react to them, or detect them as potentially unwanted programs (PUP). Kaspersky Lab products detect them as not-a-virus:RiskTool.Win64.BitCoinMiner.

Cybercriminals use rather conventional ways to distribute mining software – they are installed under the guise of other legitimate programs, such as pirated software distributed via torrents. So far, we have not seen any cases of mass-mailings or vulnerabilities in websites being exploited to distribute mining software; however, provided mining remains as profitable as it is now, this is only a matter of time. The software can also be installed on computers that were infected earlier and became part of a for-rent botnet.

The most popular mining software to date is nheqminer from the mining pool Micemash. It has two known variations: one earns payments in bitcoins, the other in Zcash. Both are detected by Kaspersky Lab products, with the respective verdicts not-a-virus:RiskTool.Win64.BitCoinMiner.bez and not-a-virus:RiskTool.Win64.BitCoinMiner.bfa.

All that cybercriminals need to do to start profiting from a mining program on infected computers is to launch it and provide details of their own bitcoin or Zcash wallets. After that, the “coin mining” profit created by the pool will be credited to the cybercriminals’ addresses, from where it can be withdrawn and exchanged for US dollars or other cryptocurrencies. This is what allows us to ‘snoop’ on some of the wallets used by cybercriminals. Here’s just one example:

Using a wallet’s address, we can find out how much money arrived and from which source (i.e. the mining pool) (https://explorer.zcha.in/accounts/t1eVeeBYfPPLgonvi1zk8e9SnrhZdoCBAeM)

We see that the address was created on 31 October, just a couple of days after Zcash launched, and payments are still being made to it at the current time. You may be wondering what happened to the promised anonymity. Actually, there are two types of wallets in Zcash: completely private purses (z-address) and public wallets like that shown above (t-address). At the current time, the completely private wallets are not very popular (they are not supported by exchanges), and are only used to store around 1% of all existing Zcash coins.

We found approximately 1,000 unique users who have some version of the Zcash miner installed on their computers under a different name, which suggests these computers were infected without their owners’ knowledge. An average computer can mine about 20 hashes per second; a thousand infected computers can mine about 20,000 hashes a second. At current prices, that equals about $6,200 a month, or $75,000 a year in net profits.

Here are just a few real-life examples of the names used by these programs and where they are installed on infected computers:

diskmngr.exe
mssys.exe
C:\system\taskmngr.exe
system.exe
nsdiag.exe
taskmngr.exe
svchost.exe
C:\Users\[username]\AppData\Roaming\MetaData\mdls\windlw\mDir_r\rhost.exe
qzwzfx.exe
C:\Users\[username]\AppData\Local\Temp\afolder\mscor.exe
C:\Program Files\Common Files\nheqminer64.exe
C:\Windows\Logs\Logsfiles64\conhost.exe
apupd.exe

As you can see, the names of many mining programs coincide with, or closely imitate, those of legitimate applications, but the installation location is different. For instance, the legitimate Windows Task Manager (taskmgr.exe) is located in the system folder C:\Windows\System32, not in C:\system.

To ensure that the mining program is launched each time the operating system starts, the necessary records are added either to Task Scheduler or to the registry auto-run keys. Here are some examples of these records:

Task Scheduler\Microsoft\Windows Defender\Mine
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Miner

A couple of detected websites distributing mining programs:

http://execsuccessnow[.]com/wp-includes/m/nheqminer.exe
https://a.pomf[.]cat/qzwzfx.exe

Additional DLLs are required for the mining program to work. These DLLs, shown below, are installed along with the mining program.

cpu_tromp_AVX.dll
cpu_tromp_SSE2.dll
cudart64_80.dll
cuda_tromp.dll
logsetuplib.dll
msvcp120.dll
msvcr120.dll

So, what are the threats facing a user who is unaware that their computer is being used for cryptocurrency mining?

Firstly, these operations are power hungry: the computer uses up a lot more electricity, which, in some countries, could mean the user ends up with a hefty electricity bill.

Secondly, a mining program typically devours up to 90% of the system’s RAM, which dramatically slows down both the operating system and other applications running on the computer. Not exactly what you want from your computer.

To prevent the installation of mining programs, Kaspersky Lab users should check their security products and make sure detection of unwanted software is enabled.

All other users are encouraged, at the very least, to check their folders and registry keys for suspicious files and records.
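The two checks the post recommends – a system-looking executable name outside the Windows system folders, and auto-run entries in the registry or Task Scheduler pointing at such files – can be run in one pass from PowerShell. The script below is an added example and is not code from the Securelist post or a Kaspersky Lab tool. The list of borrowed names (taken from the file names above, plus the genuine taskmgr.exe for comparison), the set of trusted directories and the folder patterns it flags are assumptions chosen for illustration; adjust them to the environment.

```powershell
# Added example (not from the Securelist post): audit auto-run registry values
# and scheduled tasks for executables that borrow a system binary's name but
# live outside the Windows system folders, or that run from user-writable
# locations such as AppData, Temp or a "Logs" folder.

# Names seen in the post, plus the genuine Task Manager name (taskmgr.exe).
# Assumption: extend this list with whatever names matter in your estate.
$suspectNames = @('taskmngr.exe', 'taskmgr.exe', 'svchost.exe', 'conhost.exe',
                  'system.exe', 'mssys.exe', 'diskmngr.exe', 'nheqminer64.exe')

# Directories where a binary with one of those names is legitimate.
$trustedDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExePath([string]$command) {
    # Reduce a command line ("C:\x\y.exe" /arg  or  C:\x\y.exe /arg) to the image path.
    if ($command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($command -split '\s+')[0]
}

function Test-SuspiciousPath([string]$path) {
    $name = [System.IO.Path]::GetFileName($path).ToLower()
    $dir  = [System.IO.Path]::GetDirectoryName($path)
    $inTrusted = $trustedDirs | Where-Object { $dir -and $dir.StartsWith($_, 'OrdinalIgnoreCase') }
    # A system-looking name outside System32/SysWOW64 is exactly the pattern described.
    if (($suspectNames -contains $name) -and -not $inTrusted) { return $true }
    # Anything launched from Temp, AppData or a Logs folder deserves a look too.
    return ($path -match '\\AppData\\|\\Temp\\|\\Logs\\')
}

# 1. Registry Run / RunOnce values (the post saw ...\CurrentVersion\Run\Miner)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own metadata properties
        $exe = Get-ExePath ([Environment]::ExpandEnvironmentVariables([string]$p.Value))
        if (Test-SuspiciousPath $exe) {
            "[REGISTRY] $key\$($p.Name) -> $exe"
        }
    }
}

# 2. Scheduled tasks (the post saw a task hidden under \Microsoft\Windows Defender\)
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if (-not $a.Execute) { continue }
        $exe = Get-ExePath ([Environment]::ExpandEnvironmentVariables($a.Execute))
        if (Test-SuspiciousPath $exe) {
            "[TASK] $($task.TaskPath)$($task.TaskName) -> $exe $($a.Arguments)"
        }
    }
}
```

Run it from an elevated PowerShell so that both the HKLM keys and every user's scheduled tasks are readable; each flagged line names the auto-run location and the image it launches, which is what to compare against the list of paths above. The script only reports; removing an entry is a decision for whoever owns the host, and a hit on the DLL names listed above in the same folder as the flagged executable is a further confirmation.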

Kaspersky Security Bulletin 2016. Story of the year

Thu, 12/08/2016 - 03:54


Introduction

In 2016, ransomware continued its rampage across the world, tightening its hold on data and devices, and on individuals and businesses.

The numbers speak for themselves:

  • 62 new ransomware families made their appearance.
  • There was an 11-fold increase in the number of ransomware modifications: from 2,900 new modifications in January/March, to 32,091 in July/September.
  • Attacks on business increased three-fold between January and the end of September: the difference between an attack every 2 minutes and one every 40 seconds.
  • For individuals the rate of increase went from every 20 seconds to every 10 seconds.
  • One in five small and medium-sized business who paid the ransom never got their data back.

2016 also saw ransomware grow in sophistication and diversity, for example: changing tack if it encountered financial software, written in scripting languages, exploiting new infection paths, becoming more targeted, and offering turn-key ransomware-as-a-service solutions to those with fewer skills, resources or time – all through a growing and increasingly efficient underground ecosystem.

At the same time, 2016 saw the world begin to unite to fight back:

The No More Ransom project was launched in July, bringing together the Dutch National Police, Europol, Intel Security and Kaspersky Lab. A further 13 organizations joined in October. Among other things, the collaboration has resulted in a number of free online decryption tools that have so far helped thousands of ransomware victims to recover their data.

This is just the tip of the iceberg – much remains to be done. Together we can achieve far more than any of us can on our own.

What is ransomware?

Ransomware comes in two forms. The most common form of ransomware is the cryptor. These programs encrypt data on the victim’s device and demand money in return for a promise to restore the data. Blockers, by contrast, don’t affect the data stored on the device. Instead, they prevent the victim from accessing the device. The ransom demand, displayed across the screen, typically masquerades as a notice from a law enforcement agency, reporting that the victim has accessed illegal web content and indicating that they must pay a spot-fine. You can find an overview of both forms of ransomware here.

Ransomware: the main trends & discoveries of 2016

“Most ransomware thrives on an unlikely relationship of trust between the victim and their attacker: that, once payment is received, the ransomed files will be returned. Cybercriminals have exhibited a surprising semblance of professionalism in fulfilling this promise.”

GReAT, Threat Predictions for 2017

Arrivals and departures

Arrivals – in 2016, the world said hello to Cerber, Locky and CryptXXX – as well as to 44,287 new ransomware modifications

Cerber and Locky arrived in the early Spring. Both are nasty, virulent strains of ransomware that are propagated widely, mainly through spam attachments and exploit kits. They rapidly established themselves as ‘major players’, targeting individuals and corporates. Not far behind them was CryptXXX. All three families continue to evolve and to hold the world to ransom alongside well-established incumbents such as CTB-Locker, CryptoWall and Shade.

Locky ransomware has so far been spread across 114 countries #KLReport

As of October 2016, the top ransomware families detected by Kaspersky Lab products look like this:

 #   Name                               Verdicts*                                                                                                      Percentage of users**
 1   CTB-Locker                         Trojan-Ransom.Win32.Onion / Trojan-Ransom.NSIS.Onion                                                           25.32
 2   Locky                              Trojan-Ransom.Win32.Locky / Trojan-Dropper.JS.Locky                                                             7.07
 3   TeslaCrypt (active till May 2016)  Trojan-Ransom.Win32.Bitman                                                                                      6.54
 4   Scatter                            Trojan-Ransom.Win32.Scatter / Trojan-Ransom.BAT.Scatter / Trojan-Downloader.JS.Scatter / Trojan-Dropper.JS.Scatter   2.85
 5   Cryakl                             Trojan-Ransom.Win32.Cryakl                                                                                      2.79
 6   CryptoWall                         Trojan-Ransom.Win32.Cryptodef                                                                                   2.36
 7   Shade                              Trojan-Ransom.Win32.Shade                                                                                       1.73
 8   (generic verdict)                  Trojan-Ransom.Win32.Snocry                                                                                      1.26
 9   Crysis                             Trojan-Ransom.Win32.Crusis                                                                                      1.15
10   Cryrar/ACCDFISA                    Trojan-Ransom.Win32.Cryrar                                                                                      0.90

* These statistics are based on the detection verdicts returned by Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Percentage of users targeted by a certain crypto-ransomware family relative to all users targeted with crypto-ransomware.

Departures – and goodbye to TeslaCrypt, Chimera and Wildfire – or so it seemed…

Probably the biggest surprise of 2016 was the shutdown of TeslaCrypt and the subsequent release of the master key, apparently by the malware actors themselves.

TeslaCrypt “committed suicide” – while the police shut down Encryptor RaaS and Wildfire #KLReport

Encryptor RaaS, one of the first Trojans to offer a Ransomware-as-a-Service model to other criminals, shut up shop after part of its botnet was taken down by the police.

Then, in July, approximately 3,500 keys for the Chimera ransomware were publicly released by someone claiming to be behind the Petya/Mischa ransomware. However, since Petya used some of the Chimera source code for its own ransomware, it could in fact be the same group, simply updating its product suite and causing mischief.

Similarly, Wildfire, whose servers were seized and a decryption key developed following a combined effort by Kaspersky Lab, Intel Security and the Dutch Police, now appears to have re-emerged as Hades.

Abuse of ‘educational’ ransomware

Well-intentioned researchers developed ‘educational’ ransomware to give system administrators a tool to simulate a ransomware attack and test their defenses. Criminals were quick to seize upon these tools for their own malicious purposes.

Ransomware developed for ‘education’ gave rise to Ded Cryptor and Fantom, among others #KLReport

The developer of the educational ransomware Hidden Tear & EDA2 helpfully posted the source code on GitHub. Inevitably, 2016 saw the appearance of numerous malicious Trojans based on this code. This included Ded Cryptor, which changed the wallpaper on a victim computer to a picture of an evil-looking Santa Claus, and demanded a massive two Bitcoins (around $1,300) as a ransom. Another such program was Fantom, which simulated a genuine-looking Windows update screen.

Unconventional approaches
  • Why bother with a file when you can have the disk?

    New approaches to ransomware attacks that were seen for the first time in 2016 included disk encryption, where attackers block access to, or encrypt, all the files at once. Petya is an example of this, scrambling the master index of a user’s hard drive and making a reboot impossible. Another Trojan, Dcryptor, also known as Mamba, went one step further, locking down the entire hard drive. This ransomware is particularly unpleasant, scrambling every disk sector including the operating system, apps, shared files and all personal data – using a copy of the open source DiskCryptor software.

    Attackers are now targeting back-ups and hard drives – and brute-forcing passwords #KLReport

  • The ‘manual’ infection technique

    Dcryptor’s infection is carried out manually, with the attackers brute-forcing passwords for remote access to a victim machine. Although not new, this approach has become significantly more prominent in 2016, often as a way to target servers and gain entry into a corporate system.

    If the attack succeeds, the Trojan installs and encrypts the files on the server and possibly even on all the network shares accessible from it. We discovered TeamXRat taking this approach to spread its ransomware on Brazilian servers.

  • Two-in-one infection

    In August we discovered a sample of Shade that had unexpected functionality: if an infected computer turned out to belong to financial services, it would instead download and install a piece of spyware, possibly with the longer term aim of stealing money.

    Shade downloaded spyware if it found financial software #KLReport

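The ‘manual’ infection route described above leaves a trace a defender can look for before any file is encrypted: on a Windows server that exposes remote access, password guessing shows up as a burst of failed logons (Security event ID 4625) from a single source address. The script below is an added example, not code from the Securelist post; the 24-hour window and the threshold of 20 failures per source are assumptions for illustration, and an administrator would tune them to the host’s normal logon volume.

```powershell
# Added example (not from the Securelist post): summarise failed logons
# (Security event 4625) per source address so that password guessing
# against RDP or SMB stands out. Window and threshold are assumptions.
$since     = (Get-Date).AddHours(-24)
$threshold = 20

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$failures = $events | ForEach-Object {
    # Each 4625 record carries its fields in EventData; pull them out of the XML view.
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Source    = $d['IpAddress']
        User      = $d['TargetUserName']
        LogonType = $d['LogonType']   # 10 = RemoteInteractive (RDP), 3 = network (e.g. SMB)
    }
}

# One line per source address that crossed the threshold, with the account
# names it tried, so an operator can tell spraying from a single locked-out user.
$failures |
    Group-Object Source |
    Where-Object Count -ge $threshold |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Source';   e = { $_.Name } },
                  Count,
                  @{ n = 'First';    e = { ($_.Group.Time | Sort-Object)[0] } },
                  @{ n = 'Types';    e = { ($_.Group.LogonType | Sort-Object -Unique) -join ',' } },
                  @{ n = 'Accounts'; e = { ($_.Group.User | Sort-Object -Unique) -join ',' } }
```

Reading the Security log requires an elevated session, and failed-logon auditing must be enabled for 4625 events to exist at all; a source that cycles through many account names with logon type 10 is the pattern to act on, typically by blocking the address at the perimeter and confirming none of the listed accounts subsequently logged on successfully.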
Ransomware in scripting languages

Another trend that attracted our attention in 2016 was the growing number of cryptors written in scripting languages. In the third quarter alone, we came across several new families written in Python, including HolyCrypt and CryPy, as well as Stampado written in AutoIt, the automation language.

A long line of amateurs and copycats

Many of the new ransomware Trojans detected in 2016 turned out to be of low quality: unsophisticated, with software flaws and sloppy errors in the ransom notes.

Poor quality ransomware increases likelihood of data being lost forever #KLReport

This was accompanied by a rise in copycat ransomware. Among other things, we spotted that:

  • Bart copies the ransom note & the style of Locky’s payment page.
  • An AutoIt-based copycat of Locky (dubbed AutoLocky) uses the same extension “.locky”.
  • Crusis (aka Crysis) copies the extension “.xtbl” originally used by Shade.
  • Xorist copies the whole naming scheme of the files encrypted by Crusis.

Probably the most prominent copycat we discovered this year was Polyglot (aka MarsJoke). It fully mimics the appearance and file processing approach of CTB-Locker.

These trends are all expected to increase in 2017.

“As the popularity continues to rise and a lesser grade of criminal decides to enter the space, we are likely to encounter more and more ‘ransomware’ that lacks the quality assurance or general coding capability to actually uphold this promise. We expect ‘skiddie’ ransomware to lock away files or system access or simply delete the files, trick the victim into paying the ransom, and provide nothing in return.”

GReAT, Threat Predictions for 2017

The thriving ransomware economy

The rise of RaaS

While Ransomware-as-a-Service is not a new trend, in 2016 this propagation model continued to develop, with ever more ransomware creators offering their malicious product ‘on demand’. This approach has proved immensely appealing to criminals who lack the skills, resources or inclination to develop their own.

Ransomware is increasingly for hire on the criminal underground #KLReport


Notable examples of ransomware that appeared in 2016 and used this model are Petya/Mischa and Shark, which was later rebranded as Atom.

This business model is increasingly sophisticated:

The Petya ransomware partner site

The partner often signs up to a traditional commission-based arrangement. For example, the “payment table” for Petya ransomware shows that if a partner makes 125 Bitcoins a week they will walk away with 106.25 Bitcoins after commission (a 15% cut for the operators).

Petya payment table

There is also an initial usage fee. Someone looking to use the Stampado ransomware, for example, needs to come up with just $39.

With other criminals offering their services in spam distribution, ransom notes, etc., it’s not difficult for an aspiring attacker to get started.

From commission-based networks to customer support and branding

The most ‘professional’ attackers offered their victims a help desk and technical support, guiding them through the process of buying Bitcoins to pay the ransom, and sometimes even being open to negotiation. Every step further encouraged the victim to pay.

Criminals offer customer support to ensure more victims pay #KLReport


Further, Kaspersky Lab experts studying ransomware in Brazil noticed that for many attacks, branding the ransomware was a matter of some importance. Those looking for media attention and customer fear would opt for a high profile, celebrity theme or gimmick – while those more concerned about staying under the radar would forgo the temptation of fame and leave their victims facing just an e-mail for contacting the bad guys and a Bitcoin address to pay into.

It’s still all about the Bitcoins

Throughout 2016, the most popular ransomware families still favored payment in Bitcoins. Most ransomware demands were not excessive, averaging at around $300, although some were charged – and paid – a great deal more.

Others, particularly regional and hand-crafted operations, often preferred a local payment option – although this also meant that they were no longer able to hide in plain sight and blend in with the rest of the ransomware noise.

Ransomware turned its weapons on business

In the first three months of 2016, 17% of ransomware attacks targeted corporates – this equates to an attack hitting a business somewhere in the world every two minutes [1]. By the end of Q3 this had increased to 23.9% – an attack every 40 seconds.

A business is attacked with ransomware every 40 seconds #KLReport


According to Kaspersky Lab research, in 2016, one in every five businesses worldwide suffered an IT security incident as a result of a ransomware attack.

  • 42% of small and medium-sized businesses were hit by ransomware in the last 12 months.
  • 32% of them paid the ransom.
  • One in five never got their files back, even after paying.
  • 67% of those affected by ransomware lost part or all of their corporate data – and one in four spent several weeks trying to restore access.

One in five SMBs never gets their data back, even after paying #KLReport


Social engineering and human error remain key factors in corporate vulnerability. One in five cases involving significant data loss came about through employee carelessness or lack of awareness.

“We are seeing more targeted ransomware, where criminal groups carefully hand-pick and spear-phish their targets because of the data they possess and/or their reliance on the availability of this valuable data.”

John Fokker, Digital team Coordinator with the Dutch National High Tech Crime unit

Some industry sectors are harder hit than others, but our research shows that all are at risk.

There is no such thing as a low-risk sector anymore #KLReport

Industry sector                        % attacked with ransomware
 1. Education                          23
 2. IT/Telecoms                        22
 3. Entertainment/Media                21
 4. Financial Services                 21
 5. Construction                       19
 6. Government/public sector/defence   18
 7. Manufacturing                      18
 8. Transport                          17
 9. Healthcare                         16
10. Retail/wholesale/leisure           16

Ransomware attacks that made the headlines

  • Hospitals became a prime target – with potentially devastating impact as operations were cancelled, patients diverted to other hospitals and more.

  • Hosted desktop and cloud provider VESK paid nearly $23,000 in ransom to recover access to one of its systems following an attack in September.

  • Leading media, including the New York Times, the BBC and AOL were hit by malware carrying ransomware in March 2016.

  • The University of Calgary in Canada, a major research center, acknowledged it had paid around $16,000 to recover emails that had been encrypted for a week.

  • A small police station in Massachusetts ended up paying a $500 ransom (via Bitcoin) in order to retrieve essential case-related data, after an officer opened a malicious email attachment.

  • Even motor racing was hit: a leading NASCAR racing team faced losing data worth millions to a TeslaCrypt attack in April.

Fighting Back

Through technology

The latest versions of Kaspersky Lab products for smaller companies have been enhanced with anti-cryptomalware functionality. In addition, a new, free anti-ransomware tool has been made available for all businesses to download and use, regardless of the security solution they use.

A new free, AV-independent anti-ransomware tool is available #KLReport


Kaspersky Lab’s Anti-Ransomware Tool for Business is a ‘light’ solution that can function in parallel with other antivirus software. The tool uses two components needed for the early detection of Trojans: the distributed Kaspersky Security Network and System Watcher, which monitors applications’ activity.

Kaspersky Security Network quickly checks the reputation of files and website URLs through the cloud, and System Watcher monitors the behavior of programs, and provides proactive protection from yet-unknown versions of Trojans. Most importantly, the tool can back up files opened by suspicious applications and roll back the changes if the actions taken by programs prove malicious.
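The backup-and-rollback idea in the paragraph above is simple enough to show in code. The following is an added example, not Kaspersky Lab code and not how System Watcher is implemented: an untrusted process's file writes are assumed to be routed through a guard that copies each file before the first modification, scores the writes with a constructed heuristic (high Shannon entropy of the new content plus a changed extension, repeated across several files) and, once the process is convicted, refuses further writes and restores everything it touched. The class names, thresholds and the `.locked` scenario are all assumptions for illustration.

```python
# Added example, not Kaspersky Lab code: a minimal backup-and-rollback guard
# of the kind described above. Assumed model: an untrusted process's file
# writes are routed through RollbackGuard.guarded_write(); the verdict uses
# a constructed heuristic (high Shannon entropy of the new content plus a
# changed extension, repeated across several files), not any vendor logic.
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, Optional


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or random data, well below for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class RollbackGuard:
    """Copies each file before an untrusted process first modifies it, scores the
    process's writes, and restores every touched file once it is convicted."""

    ENTROPY_THRESHOLD = 7.0   # assumed cut-off: rewritten bytes look encrypted
    SUSPICIOUS_WRITES = 3     # assumed: convict after this many such writes

    def __init__(self, backup_dir: Path) -> None:
        self.backup_dir = backup_dir
        self.backups: Dict[Path, Path] = {}   # original path -> backup copy
        self.renames: Dict[Path, Path] = {}   # renamed path -> original path
        self.suspicious = 0
        self.verdict: Optional[str] = None

    def _backup(self, path: Path) -> None:
        if path in self.backups or not path.exists():
            return
        copy = self.backup_dir / f"{len(self.backups)}_{path.name}"
        shutil.copy2(path, copy)
        self.backups[path] = copy

    def guarded_write(self, path: Path, data: bytes,
                      new_suffix: Optional[str] = None) -> bool:
        """Perform a write on behalf of the untrusted process. Returns False
        when the write is refused because the process has already been convicted."""
        if self.verdict == "malicious":
            return False
        self._backup(path)
        target = path.with_suffix(path.suffix + new_suffix) if new_suffix else path
        target.write_bytes(data)
        if target != path:                     # the process also renamed the file
            path.unlink()
            self.renames[target] = path
        if new_suffix and shannon_entropy(data) > self.ENTROPY_THRESHOLD:
            self.suspicious += 1
            if self.suspicious >= self.SUSPICIOUS_WRITES:
                self.verdict = "malicious"
                self.rollback()
        return True

    def rollback(self) -> int:
        """Delete the process's renamed outputs and restore every backed-up file."""
        for renamed in self.renames:
            if renamed.exists():
                renamed.unlink()
        self.renames.clear()
        for original, copy in self.backups.items():
            shutil.copy2(copy, original)
        return len(self.backups)


def simulate_attack(n_files: int = 5) -> dict:
    """Constructed scenario: a process overwrites documents with random bytes and
    appends '.locked'. Returns the guard's verdict and whether the originals survived."""
    root = Path(tempfile.mkdtemp())
    docs = root / "docs"
    docs.mkdir()
    originals = {}
    for i in range(n_files):
        p = docs / f"report{i}.txt"
        p.write_text(f"Quarterly figures {i}: revenue 1200, costs 800\n" * 20)
        originals[p] = p.read_bytes()
    guard = RollbackGuard(root / "backup")
    guard.backup_dir.mkdir()
    refused = sum(
        not guard.guarded_write(p, os.urandom(len(content)), ".locked")
        for p, content in originals.items()
    )
    intact = all(p.exists() and p.read_bytes() == c for p, c in originals.items())
    locked_left = len(list(docs.glob("*.locked")))
    shutil.rmtree(root)
    return {"verdict": guard.verdict, "refused": refused,
            "intact": intact, "locked_left": locked_left}


if __name__ == "__main__":
    print(simulate_attack())
```

The point of the example is the ordering: the copy is taken before the write, not after the verdict, so the first few files that were encrypted before the heuristic tripped are still recoverable. A real product does this in the kernel for every process it does not trust and uses far richer behaviour signals; here the heuristic only fires when content looks encrypted and the extension changed, which is exactly the pattern the copycat families listed earlier reuse.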

Through collaboration: The No More Ransom Initiative

On 25 July 2016, the Dutch National Police, Europol, Intel Security and Kaspersky Lab announced the launch of the No More Ransom project – a non-commercial initiative that unites public and private organizations and aims to inform people of the dangers of ransomware and help them to recover their data.

The online portal currently carries eight decryption tools, five of which were made by Kaspersky Lab. These can help to restore files encrypted by more than 20 types of cryptomalware. To date, more than 4,400 victims have got their data back – and more than $1.5 million in ransom demands has been saved.

No More Ransom has so far got 4,400 people their data back – and deprived criminals of $1.5 million in ransom #KLReport


In October, law enforcement agencies from a further 13 countries joined the project, including: Bosnia and Herzegovina, Bulgaria, Colombia, France, Hungary, Ireland, Italy, Latvia, Lithuania, Portugal, Spain, Switzerland and the United Kingdom.

Eurojust and the European Commission also support the project’s objectives, and more partners from the private sector and law enforcement are expected to be announced soon.

“Public/Private partnerships are the essence and the strength of the NMR initiative. They are essential to effectively and efficiently tackle the problem, providing us with much greater capability and reach than law enforcement could have alone.”

Steven Wilson, Head of Europol’s EC3

Standing up to ransomware – how to stay safe

  1. Back up data regularly.
  2. Use a reliable security solution, and remember to keep key features – such as System Watcher – switched on.
  3. Always keep software updated on all the devices you use.
  4. Treat email attachments, or messages from people you don’t know, with caution. If in doubt, don’t open it.
  5. If you’re a business, you should also educate your employees and IT teams; keep sensitive data separate; restrict access; and back up everything, always.
  6. If you are unlucky enough to fall victim to an encryptor, don’t panic. Use a clean system to check our No More Ransom site; you may well find a decryption tool that can help you get your files back.
  7. Last, but not least, remember that ransomware is a criminal offence. Report it to your local law enforcement agency.

“We urge people to report an attack. Every victim holds an essential piece of evidence that provides invaluable insight. In return, we can keep them informed and protect them from dodgy third-party ‘offers’ to unencrypt data. But we need to ensure that more law enforcement offices know how to deal with digital crime.”

Ton Maas, Digital team Coordinator with the Dutch National High Tech Crime unit

Why you shouldn’t pay – advice from the Dutch National High Tech Crime Unit

  1. You become a bigger target.
  2. You can’t trust criminals – you may never get your data back, even if you pay.
  3. Your next ransom will be higher.
  4. You encourage the criminals.

Can we ever win the fight against ransomware?

We believe we can – but only by working together. Ransomware is a lucrative criminal business. To make it stop, the world needs to unite to disrupt the criminals’ kill-chain and make it increasingly difficult for them to implement and profit from their attacks.

[1] Estimates based on: 17% of 372,602 unique users with ransomware attacks blocked by Kaspersky Lab products in Q1 2016, and 23.9% of 821,865 unique users with ransomware attacks blocked by Kaspersky Lab products in Q3 2016.