Malware RSS Feed

KeyPass ransomware

Malware Alerts - Mon, 08/13/2018 - 08:21

In the last few days, our anti-ransomware module has been detecting a new variant of malware – KeyPass ransomware. Others in the security community have also noticed that this ransomware began to actively spread in August:

Notification from MalwareHunterTeam

Distribution model

According to our information, the malware is propagated by means of fake installers that download the ransomware module.


The Trojan sample is written in C++ and compiled in MS Visual Studio. It was developed using the libraries MFC, Boost and Crypto++. The PE header contains a recent compilation date.

PE header with compilation date

When started on the victim’s computer, the Trojan copies its executable to %LocalAppData% and launches it. It then deletes itself from the original location.

Following that, it spawns several copies of its own process, passing the encryption key and victim ID as command line arguments.

Command line arguments

KeyPass enumerates local drives and network shares accessible from the infected machine and searches for all files, regardless of their extension. It skips files located in a number of directories, the paths to which are hardcoded into the sample.

The list of excluded paths

Every encrypted file gets an additional extension: “.KEYPASS” and ransom notes named “”!!!KEYPASS_DECRYPTION_INFO!!!.txt”” are saved in each processed directory.

The ransom note

Encryption scheme

The developers of this Trojan implemented a very simplistic scheme. The malware uses the symmetric algorithm AES-256 in CFB mode with zero IV and the same 32-byte key for all files. The Trojan encrypts a maximum of 0x500000 bytes (~5 MB) of data at the beginning of each file.

Part of the procedure that implements data encryption

Soon after launch, KeyPass connects to its command and control (C&C) server and receives the encryption key and the infection ID for the current victim. The data is transferred over plain HTTP in the form of JSON.

If the C&C is inaccessible (e.g. if the infected machine is not connected to the internet or the server is down), the Trojan uses a hardcoded key and ID, which means that in the case of offline encryption the decryption of the victim’s files will be trivial.


From our point of view, the most interesting feature of the KeyPass Trojan is the ability to take ‘manual control’. The Trojan contains a form that is hidden by default, but which can be shown after pressing a special button on the keyboard. This capability might be an indication that the criminals behind the Trojan intend to use it in manual attacks.

GUI of the trojan

This form allows the attacker to customize the encryption process by changing such parameters as:

  • encryption key
  • name of ransom note
  • text of ransom note
  • victim ID
  • extension of the encrypted files
  • list of paths to be excluded from the encryption

Paths excluded from encryption by default

Pseudocode of the procedure that shows the GUI by a keypress

Geography IOC

901d893f665c6f9741aa940e5f275952 – Trojan-Ransom.Win32.Encoder.n

IT threat evolution Q2 2018

Malware Alerts - Mon, 08/06/2018 - 06:00

Targeted attacks and malware campaigns Operation Parliament

In April, we reported the workings of Operation Parliament, a cyber-espionage campaign aimed at high-profile legislative, executive and judicial organizations around the world – with its main focus in the MENA (Middle East and North Africa) region, especially Palestine. The attacks, which started early in 2017, target parliaments, senates, top state offices and officials, political science scholars, military and intelligence agencies, ministries, media outlets, research centers, election commissions, Olympic organizations, large trading companies and others.

The attackers have taken great care to stay under the radar, imitating another attack group in the region. The targeting of victims is unlike that of previous campaigns in the Middle East, by Gaza Cybergang or Desert Falcons, and points to an elaborate information-gathering exercise that was carried out prior to the attacks (physical and/or digital). The attackers have been particularly careful to verify victim devices before proceeding with the infection, safeguarding their C2 (Command-and-Control) servers. The attacks seem to have slowed down since the start of 2018, probably after the attackers achieved their objectives.

The malware basically provides a remote CMD/PowerShell terminal for the attackers, enabling them to execute any scripts or commands and receive the result via HTTP requests.

This campaign is a further symptom of escalating tensions in the Middle East.

Energetic Bear

Crouching Yeti (aka Energetic Bear) is an APT group that has been active since at least 2010, mainly targeting energy and industrial companies. The group targets organizations around the world, but with a particular focus on Europe, the US and Turkey – the latter being a new addition to the group’s interests during 2016-17. The group’s main tactics include sending phishing e-mails with malicious documents and infecting servers for different purposes, including hosting tools and logs and watering-hole attacks. Crouching Yeti’s activities against US targets have been publicly discussed by US-CERT and the UK National Cyber Security Centre (NCSC).

In April, Kaspersky Lab ICS CERT provided information on identified servers infected and used by Crouching Yeti and presented the findings of an analysis of several web servers compromised by the group during 2016 and early 2017.

Our findings are as follows.

  1. With rare exceptions, the group’s members get by with publicly available tools. The use of publicly available utilities by the group to conduct its attacks renders the task of attack attribution without any additional group ‘markers’ very difficult.
  2. Potentially, any vulnerable server on the internet is of interest to the attackers when they want to establish a foothold in order to develop further attacks against target facilities.
  3. In most cases that we have observed, the group performed tasks related to searching for vulnerabilities, gaining persistence on various hosts, and stealing authentication data.
  4. The diversity of victims may indicate the diversity of the attackers’ interests.
  5. It can be assumed with some degree of certainty that the group operates in the interests of or takes orders from customers that are external to it, performing initial data collection, the theft of authentication data and gaining persistence on resources that are suitable for the attack’s further development.

You can read the full report here.


The use of mobile platforms for cyber-espionage has been growing in recent years – not surprising, given the widespread use of mobile devices by businesses and consumers alike. ZooPark is one such operation. The attackers have been focusing on targets in the Middle East since at least June 2015, using several generations of malware to target Android devices, which we have labelled versions one to four.

Each version marks a progression – from very basic first and second versions, to the commercial spyware fork in the third version and then to the complex spyware that is the fourth version. The last step is especially interesting, showing a big leap from straightforward code functionality to highly sophisticated malware.

This suggests that the latest version may have been bought from a vendor of specialist surveillance tools. This wouldn’t be surprising, since the market for these espionage tools is growing, becoming popular among governments, with several known cases in the Middle East. At this point, we cannot confirm attribution to any known threat actor. If you would like to learn more about our intelligence reports, or request more information on a specific report, contact us at

We have seen two main distribution vectors for ZooPark – Telegram channels and watering-holes. The second of these has been the preferred method: we found several news websites that have been hacked by the attackers to redirect visitors to a downloading site that serves malicious APKs. Some of the themes observed in the campaign include ‘Kurdistan referendum’, ‘TelegramGroups’ and ‘Alnaharegypt news’, among others.

The target profile has evolved in the last few years of the campaign, focusing on victims in Egypt, Jordan, Morocco, Lebanon and Iran.

Some of the samples we have analyzed provide clues about the intended targets. For example, one sample mimics a voting application for the independence referendum in Kurdistan. Other possible high-profile targets include the United Nations Relief and Works Agency (UNRWA) for Palestine refugees in the Near East in Amman, Jordan.

The king is dead, long live the king!

On April 18, someone uploaded an interesting exploit to VirusTotal. This was detected by several security vendors, including Kaspersky Lab – using our generic heuristic logic for some older Microsoft Word documents.

This turned out to be a new zero-day vulnerability for Internet Explorer (CVE-2018-8174) –patched by Microsoft on May 8, 2018. Following processing of the sample in our sandbox system, we noticed that it successfully exploited a fully patched version of Microsoft Word. This led us to carry out a deeper analysis of the vulnerability.

The infection chain consists of the following steps. The victim receives a malicious Microsoft Word document. After opening it, the second stage of the exploit is downloaded – an HTML page containing VBScript code. This triggers a UAF (Use After Free) vulnerability and executes shellcode.

Despite the initial attack vector being a Word document, the vulnerability is actually in VBScript. This is the first time we have seen a URL Moniker used to load an IE exploit in Word, but we believe that this technique will be heavily abused by attackers in the future, since it allows them to force victims to load IE, ignoring the default browser settings. It’s likely that exploit kit authors will start abusing it in both drive-by attacks (through the browser) and spear-phishing campaigns (through a document).

To protect against this technique, we would recommend applying the latest security updates and using a security solution with behavior detection capabilities.


In May, researchers from Cisco Talos published the results of their investigation into VPNFilter, malware used to infect different brands of routers – mainly in Ukraine, although affecting routers in 54 countries in total. Initially, they believed that the malware had infected around 500,000 routers – Linksys, MikroTik, Netgear and TP-Link networking equipment in the small office/home office (SOHO) sector, and QNAP network-attached storage (NAS) devices. However, it later became clear that the list of infected routers was much longer – 75 in total, including ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE.

The malware is capable of bricking the infected device, executing shell commands for further manipulation, creating a TOR configuration for anonymous access to the device or configuring the router’s proxy port and proxy URL to manipulate browsing sessions.

Further research by Cisco Talos showed that the malware is able to infect more than just targeted devices. It is also spread into networks supported by the device, thereby extending the scope of the attack. Researchers also identified a new stage-three module capable of injecting malicious code into web traffic.

The C2 mechanism has several stages. First, the malware tries to visit a number of gallery pages hosted on ‘photobucket[.]com’ and fetches the image from the page. If this fails, the malware tries to fetch an image from the hard-coded domain ‘toknowall[.]com’ (this C2 domain is currently sink-holed by the FBI). If this fails also, the malware goes into passive backdoor mode, in which it processes network traffic on the infected device, waiting for the attacker’s commands. Researchers in the Global Research and Analysis Team (GReAT) at Kaspersky Lab analyzed the EXIF processing mechanism.

One of the interesting questions is who is behind this malware. Cisco Talos indicated that a state-sponsored or state affiliated threat actor is responsible. In its affidavit for sink-holing the C2, the FBI suggests that Sofacy (aka APT28, Pawn Storm, Sednit, STRONTIUM, and Tsar Team) is the culprit. There is some code overlap with the BlackEnergy malware used in previous attacks in Ukraine (the FBI’s affidavit makes it clear that they see BlackEnergy (aka Sandworm) as a sub-group of Sofacy).


In March 2018, we detected an ongoing campaign targeting a national data center in Central Asia. The choice of target of the campaign, which has been active since autumn 2017, is especially significant – it means that the attackers were able to gain access to a wide range of government resources in one fell swoop. We think they did this by inserting malicious scripts into the country’s official websites in order to conduct watering-hole attacks.

We attribute this campaign to the Chinese-speaking threat actor LuckyMouse (aka EmissaryPanda and APT27) because of the tools and tactics used in the campaign, because the C2 domain, update.iaacstudio[.]com, was previously used by this group and because they have previously targeted government organizations, including those in Central Asia.

The initial infection vector used in the attack against the data centre is unclear. Even where we observed LuckyMouse using weaponized documents with CVE-2017-118822 (Microsoft Office Equation Editor, widely used by Chinese-speaking actors since December 2017), we couldn’t prove that they were related to this particular attack. It’s possible that the attackers used a watering hole to infect data center employees.

The attackers used the HyperBro Trojan as their last-stage, in-memory remote administration tool (RAT) and their anti-detection launcher and decompressor makes extensive use of the Metasploit ‘shikata_ga_nai’ encoder as well as LZNT1 compression.

The main C2 used in this campaign is bbs.sonypsps[.]com, which resolved to an IP address that belongs to a Ukrainian ISP network, held by a MikroTik router using version 6.34.4 (March 2016) of the firmware with SMBv1 on board. We suspect that this router was hacked as part of the campaign in order to process the malware’s HTTP requests.

The initial module drops three files that are typical for Chinese-speaking threat actors – a legitimate Symantec pcAnywhere file (‘intgstat.exe’) for DLL side-loading, a DLL launcher (‘pcalocalresloader.dll’) and the last-stage decompressor (‘thumb.db’). As a result of all these steps, the last-stage Trojan is injected into the process memory of ‘svchost.exe’.

The launcher module, obfuscated with the notorious Metasploit ‘shikata_ga_nai’ encoder, is the same for all the droppers. The resulting de-obfuscated code performs typical side-loading: it patches the pcAnywhere image in memory at its entry-point. The patched code jumps back to the second ‘shikata_ga_nai’ iteration of the decryptor, but this time as part of the white-listed application.

The Metasploit encoder obfuscates the last part of the launcher’s code, which in turn resolves the necessary API and maps ‘thumb.db’ into the memory of the same process (i.e. pcAnywhere). The first instructions in the mapped ‘thumb.db’ are for a new iteration of ‘shikata_ga_nai’. The decrypted code resolves the necessary API functions, decompresses the embedded PE file with ‘RtlCompressBuffer()’ using LZNT1 and maps it into memory.

Olympic Destroyer

In our first report on Olympic Destroyer, the cyberattack on the PyeongChang Winter Olympics, we highlighted a specific spear-phishing attack as the initial infection vector. The threat actor sent weaponized documents, disguised as Olympic-related content, to relevant persons and organizations.

We have continued to track this APT group’s activities and recently noticed that they have started a new campaign with a different geographical distribution and using new themes. Our telemetry, and the characteristics of the spear-phishing documents we have analysed, indicate that the attackers behind Olympic Destroyer are now targeting financial and biotechnology-related organizations based in Europe – specifically, Russia, the Netherlands, Germany, Switzerland and Ukraine.

The group continues to use a non-executable infection vector and highly obfuscated scripts to evade detection.

The earlier Olympic Destroyer attacks – designed to destroy and paralyse infrastructure of the Winter Olympic Games and related supply chains, partners and venues – were preceded by a reconnaissance operation. It’s possible that the new activities are part of another reconnaissance stage that will be followed by a wave of destructive attacks with new motives. This is why it is important for all bio-chemical threat prevention and research companies and organizations in Europe to strengthen their security and run unscheduled security audits.

The variety of financial and non-financial targets could indicate that the same malware is being used by several groups with different interests. This could also be a result of cyberattack outsourcing, which is not uncommon among nation state threat actors. However, it’s also possible that the financial targets might be another false flag operation by a threat actor that has already shown that they excel at this during their last campaign.

It would be possible to draw certain conclusions about who is behind this campaign, based on the motives and selection of targets. However, it would be easy to make a mistake with only the fragments of the picture that are visible to researchers. The appearance of Olympic Destroyer at the start of this year, with its sophisticated deception efforts, changed the attribution game forever. In our view, it is no longer possible to draw conclusions based on a few attribution vectors discovered during a regular investigation. The response to threats such as Olympic Destroyer should be based on co-operation between the private sector and governments across national borders. Unfortunately, the current geo-political situation in the world only boosts the global segmentation of the internet and introduces many obstacles for researchers and investigators. This will encourage APT attackers to continue marching into the protected networks of foreign governments and commercial companies.

Malware stories Leaking ads

When we download popular apps with good ratings from official app stores, we assume they are safe. This is partially true, because usually these apps have been developed with security in mind and have been reviewed by the app store’s security team. Recently, we looked at 13 million APKs and discovered that around a quarter of them transmit unencrypted data over the internet. This was unexpected, because most apps were using HTTPS to communicate with their servers. But among the HTTPS requests, there were unencrypted requests to third-party servers. Some of these apps were very popular – in some cases they could boast hundreds of millions of downloads. On further inspection, it became clear that the apps were exposing customer data because of third-party SDKs – with advertising SDKs usually to blame. They collect data so that they can show relevant ads, but often fail to protect that data when sending it to their servers.

In most cases the apps were exposing IMEI, IMSI, Android ID, device information (e.g. manufacturer, model, screen resolution, system version and app name). Some apps were also exposing personal information, mostly the customer’s name, age, gender, phone number, e-mail address and even their income.

Information transmitted over HTTP is sent in plain text, allowing almost anyone to read it. Moreover, there are likely to be several ‘transit points’ en route from the app to the third-party server – devices that receive and store information for a certain period of time. Any network equipment, including your home router, could be vulnerable. If hacked, it will give the attackers access to your data. Some of the device information gathered (specifically IMEI and IMSI numbers) is enough to monitor your further actions. The more complete the information, the more of an open book you are to outsiders — from advertisers to fake friends offering malicious files for download. However, data leakage is only part of the problem. It’s also possible for unencrypted information to be substituted. For example, in response to an HTTP request from an app, the server might return a video ad, which cybercriminals can intercept and replace with a malicious version. Or they might simply change the link inside an ad so that it downloads malware.

You can find the research here, including our advice to developers and consumers.

SynAck targeted ransomware uses the Doppelganging technique

In April 2018, we saw a version of the SynAck ransomware Trojan that employs the Process Doppelganging technique. This technique, first presented in December 2017 at the BlackHat conference, has been used by several threat actors to try and bypass modern security solutions. It involves using NTFS transactions to launch a malicious process from the transacted file so that it looks like a legitimate process.

Malware developers often use custom packers to try and protect their code. In most cases, they can be effortlessly packed to reveal the original Trojan executable so that it can then be analyzed. However, the authors of SynAck obfuscated their code prior to compilation, further complicating the analysis process.

SynAck checks the directory where its executable is started from. If an attempt is made to launch it from an ‘incorrect’ directory, the Trojan simply exits. This is designed to counter automatic sandbox analysis.

The Trojan also checks to see if is being launched on a PC with the keyboard set to a Cyrillic script. If it is, it sleeps for 300 seconds and then exits, to prevent encryption of files belonging to victims from countries where Cyrillic is used.

Like other ransomware, SynAck uses a combination of symmetric and asymmetric encryption algorithms. You can find the details here.

The attacks are highly targeted, with a limited number of attacks observed against targets in the US, Kuwait, Germany and Iran. The ransom demands can be as high as $3,000.

Roaming Mantis

In May we published our analysis of a mobile banking Trojan, Roaming Mantis. We called it this because of its propagation via smartphones roaming between different Wi-Fi networks, although the malware is also known as ‘Moqhao’ and ‘XLoader’. This malicious Android app is spread using DNS hijacking through compromised routers. The victims are redirected to malicious IP addresses used to install malicious apps – called ‘facebook.apk’ and ‘chrome.apk’. The attackers count on the fact that victims are unlikely to be suspicious as long as the browser displays the legitimate URL.

The malware is designed to steal user information, including credentials for two-factor authentication, and give the attackers full control over compromised Android devices. The malware seems to be financially motivated and the low OPSEC suggests that this is the work of cybercriminals.

Our telemetry indicates that the malware was detected more than 6,000 times between February 9 and April 9, although the reports came from just 150 unique victims – some of whom saw the same malware appear again and again on their network. Our research revealed that there were thousands of daily connections to the attackers’ C2 infrastructure.

The malware contains Android application IDs for popular mobile banking and game applications in South Korea. It seems the malicious app was initially targeted at victims in South Korea and this is where the malware was most prevalent. We also saw infections in China, India and Bangladesh.

It’s unclear how the attackers were able to hijack the router settings. If you are concerned about DNS settings on your router, you should check the user manual to verify that your DNS settings haven’t been tampered with, or contact your ISP for support. We would also strongly recommend that you change the default login and password for the admin web interface of the router, don’t install firmware from third-party sources and update the router firmware regularly to prevent similar attacks.

Some clues left behind by the attackers – for example, comments in the HTML source, malware strings and a hardcoded legitimate website – point to Simplified Chinese. So we believe the cybercriminals are familiar with both Simplified Chinese and Korean.

Following our report, we continued to track this campaign. Less than a month later, Roaming Mantis had rapidly expanded its activities to include countries in Europe, the Middle East and beyond, supporting 27 languages in total.

The attackers also extended their activities beyond Android devices. On iOS, Roaming Mantis uses a phishing site to steal the victim’s credentials. When the victim connects to the landing page from an iOS device, they are redirected to fake ‘’ webpage where the attackers steal user ID, password, card number, card expiry date and CVV.

On PCs, Roaming Mantis runs the CoinHive mining script to generate crypto-currency for the attackers – drastically increasing the victim’s CPU usage.

The evasion techniques used by Roaming Mantis have also become more sophisticated. They include a new method of retrieving the C2 by using the e-mail POP protocol, server-side dynamic auto-generation of APK file/filenames and the inclusion of an additional command to potentially assist in identifying research environments.

The rapid growth of the campaign implies that those behind it have a strong financial motivation and are probably well-funded.

If it’s smart, it’s potentially vulnerable

Our many years of experience in researching cyberthreats suggests that if a device is connected to the internet, eventually someone will try to hack it. This includes children’s CCTV cameras, baby monitors, household appliances and even children’s toys.

This also applies to routers – the gateway into a home network. In May, we described four vulnerabilities and hardcoded accounts in the firmware of the D-Link DIR-620 router – this runs on various D-Link routers supplied to customers by one of the biggest ISPs in Russia.

The latest versions of the firmware have hardcoded default credentials that can be exploited by an unauthenticated attacker to gain privileged access to the firmware and to extract sensitive data – for example, configuration files with plain-text passwords. The vulnerable web interface allows an unauthenticated attacker to run arbitrary JavaScript code in the user environment and run arbitrary commands in the router’s operating system. The issues were originally identified in firmware version 1.0.37, although some of the discovered vulnerabilities were also identified in other version of the firmware.

You can read the details on the vulnerabilities here.

In May, we also investigated smart devices for animals – specifically, trackers to monitor the location of pets. These gadgets are able to access the pet owner’s home network and phone, and their pet’s location. We wanted to find out how secure they are. Our researchers looked at several popular trackers for potential vulnerabilities.

Four of the trackers we looked at use Bluetooth LE technology to communicate with the owner’s smartphone. But only one does so correctly. The others can receive and execute commands from anyone. They can also be disabled, or hidden from the owner – all that’s needed is proximity to the tracker. Only one of the tested Android apps verifies the certificate of its server, without relying solely on the system. As a result, they are vulnerable to Man-in-the-Middle (MitM) attacks—intruders can intercept transmitted data by ‘persuading’ victims to install their certificate.

GPS trackers have been used successfully in many areas, but using them to track the location of pets is a step beyond their traditional scope of application. For this, they need to be upgraded with new ‘user communication interfaces’ and ‘trained’ to work with cloud services, etc. If security is not properly addressed, user data becomes accessible to intruders, potentially endangering both users and pets.

Some of our researchers recently looked at human wearable devices – specifically, smart watches and fitness trackers. We were interested in a scenario where a spying app installed on a smartphone could send data from the built-in motion sensors (accelerometer and gyroscope) to a remote server and use the data to piece together the wearer’s actions – walking, sitting, typing, etc. We started with an Android-based smartphone, created a simple app to process and transmit the data and then looked at what we could get from this data.

Not only was it possible to work out if the wearer is sitting or walking, but also figure out if they are out for a stroll or changing subway trains, because the accelerometer patterns differ slightly – this is how fitness trackers distinguish between walking and cycling. It is also easy to see when someone is typing. However, finding out what they are typing would be hard and would require repeated text entry. Our researchers were able to determine the moments when a computer password entered with 96 per cent accuracy and a PIN code entered at an ATM with 87 per cent accuracy. However, it would be much harder to obtain other information – for example, a credit card number or CVC code – because of the lack of predictability about when the victim would type such information.

In reality, the difficulty involved in obtaining such information means that an attacker would have to have a strong motive for targeting someone specific. Of course, there are situations where this might be worthwhile for attackers.

An MitM extension for Chrome

Many browser extensions make our lives easier, hiding obtrusive advertising, translating text, helping us to choose the goods we want in online stores, etc. Unfortunately, there are also less desirable extensions that are used to bombard us with advertising or collect information about our activities. Then there are extensions whose main aim is to steal money. In the course of our work, we analyse a large number of extensions from different sources. Recently, a particular browser extension caught our eye because it communicated with a suspicious domain.

This extension, named ‘Desbloquear Conteúdo’ (which means ‘Unblock Content’ in Portuguese) targeted customers of Brazilian online banking services – all the attempted installations that we traced occurred in Brazil.

The aim of this malicious extension is to harvest logins and passwords and then steal money from the victims’ bank accounts. Such extensions are quite rare, but they need to be taken seriously because of the potential damage they can cause. You should only install verified extensions with large numbers of installations and reviews in the Chrome Web Store or other official service. Even so, in spite of the protection measures implemented by the owners of such services, malicious extensions can still end up being published there. So it’s a good idea to use an internet security product that gives you a warning if an extension acts suspiciously.

By the time we published our report on this malicious extension, it had already been removed from the Chrome Web Store.

The World Cup of fraud

Fraudsters are always on the lookout for opportunities to make money off the back of major sporting events. The FIFA World Cup is no different. Long before anyone kicked a football in Russia, cybercriminals had started to create phishing websites and send messages exploiting World Cup themes.

This included notifications of fake lottery wins, informing recipients that they had won cash in a lottery supposedly held by FIFA or official partners and sponsors.

They typically contain attached documents congratulating the ‘winner’ and asking for personal details such as name, address, e-mail address, telephone number, etc. Sometimes such messages also contain malicious programs, such as banking Trojans.

Sometimes recipients are invited to take part in a ticket giveaway, or they are offered the chance to win a trip to a match. Such messages are sent in the name of FIFA, usually from addresses on recently registered domains. The purpose of such schemes is mainly to update e-mail databases used to distribute more spam.

One of the most popular ways to steal banking and other credentials is to create counterfeit imitations of official partner websites. Partner organizations often arrange ticket giveaways for clients, and attackers exploit this to lure their victims onto fake promotion sites. Such pages look very convincing: they are well-designed, with a working interface, and are hard to distinguish from the real thing. Some fraudsters buy SSL certificates to add further credibility to their fake sites. Cybercriminals are particularly keen to target clients of Visa, the tournament’s commercial sponsor, offering prize giveaways in Visa’s name. To take part, people need to follow a link that points to a phishing site where they are asked to enter their bank card details, including the CVV/CVC code.

Cybercriminals also try to extract data by mimicking official FIFA notifications. The victim is informed that the security system has been updated and all personal data must be re-entered to avoid being locked out. The link in the message takes the victim to a fake account and all the data they enter is harvested by the scammers.

In the run up to the tournament, we also registered a lot of spam advertising soccer-related merchandise, though sometimes the scammers try to sell other things too – for example, pharmaceutical products.

You can find our report on the ways cybercriminals have exploited the World Cup in order to make money here. We’ve provided some tips on how to avoid phishing scams – advice that holds good for any phishing scams, not just for those related to the World Cup.

In the run up to the tournament, we also analyzed wireless access points in 11 cities hosting FIFA World Cup matches – nearly 32,000 Wi-Fi hotspots in total. While checking encryption and authentication algorithms, we counted the number of WPA2 and open networks, as well as their share among all the access points.

More than a fifth of Wi-Fi hotspots use unreliable networks. This means that criminals simply need to be located near an access point to intercept the traffic and get their hands on people’s data. Around three quarters of all access points use WPA/WPA2 encryption, considered to be one of the most secure. The level of protection mostly depends on the settings, such as the strength of the password set by the hotspot owner. A complicated encryption key can take years to successfully hack. However, even reliable networks, like WPA2, cannot be automatically considered totally secure. They are still susceptible to brute-force, dictionary and key reinstallation attacks, for which there are a large number of tutorials and open source tools available online. Any attempt to intercept traffic from WPA Wi-Fi in public access points can also be made by penetrating the gap between the access point and the device at the beginning of the session.

You can read our report here, together with our recommendations on the safe use of Wi-Fi hotspots, advice that holds good wherever you may be – not just at the World Cup.

IT threat evolution Q2 2018. Statistics

Malware Alerts - Mon, 08/06/2018 - 06:00

Q2 figures

According to KSN:

  • Kaspersky Lab solutions blocked 962,947,023 attacks launched from online resources located in 187 countries across the globe.
  • 351,913,075 unique URLs were recognized as malicious by Web Anti-Virus components.
  • Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 215,762 users.
  • Ransomware attacks were registered on the computers of 158,921 unique users.
  • Our File Anti-Virus logged 192,053,604 unique malicious and potentially unwanted objects.
  • Kaspersky Lab products for mobile devices detected:
    • 1,744,244 malicious installation packages
    • 61,045 installation packages for mobile banking Trojans
    • 14,119 installation packages for mobile ransomware Trojans.
Mobile threats General statistics

In Q2 2018, Kaspersky Lab detected 1,744,244 malicious installation packages, which is 421,666 packages more than in the previous quarter.

Number of detected malicious installation packages, Q2 2017 – Q2 2018

Distribution of detected mobile apps by type

Distribution of newly detected mobile apps by type, Q2 2018

Among all the threats detected in Q2 2018, the lion’s share belonged to potentially unwanted RiskTool apps (55.3%); compared to the previous quarter, their share rose by 6 p.p. Members of the RiskTool.AndroidOS.SMSreg family contributed most to this indicator.

Second place was taken by Trojan-Dropper threats (13%), whose share fell by 7 p.p. Most detected files of this type came from the families Trojan-Dropper.AndroidOS.Piom and Trojan-Dropper.AndroidOS.Hqwar.

The share of advertising apps continued to decreased by 8%, accounting for 9% (against 11%) of all detected threats.

A remarkable development during the reporting period was that SMS Trojans doubled their share up to 8.5% in Q2 from 4.5% in Q1.

TOP 20 mobile malware

Note that this malware rating does not include potentially dangerous or unwanted programs such as RiskTool or Adware.

  Verdict %* 1 DangerousObject.Multi.Generic 70.04 2 Trojan.AndroidOS.Boogr.gsh 12.17 3 Trojan-Dropper.AndroidOS.Lezok.p 4.41 4 Trojan.AndroidOS.Agent.rx 4.11 5 Trojan.AndroidOS.Piom.toe 3.44 6 Trojan.AndroidOS.Triada.dl 3.15 7 Trojan.AndroidOS.Piom.tmi 2.71 8 Trojan.AndroidOS.Piom.sme 2.69 9 Trojan-Dropper.AndroidOS.Hqwar.i 2.54 10 2.42 11 Trojan-Dropper.AndroidOS.Agent.ii 2.25 12 1.80 13 Trojan.AndroidOS.Agent.pac 1.73 14 Trojan.AndroidOS.Dvmap.a 1.64 15 Trojan-Dropper.AndroidOS.Lezok.b 1.55 16 Trojan-Dropper.AndroidOS.Tiny.d 1.37 17 Trojan.AndroidOS.Agent.rt 1.29 18 1.26 19 Trojan.AndroidOS.Piom.rfw 1.20 20 Trojan-Dropper.AndroidOS.Lezok.t 1.19

* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab’s mobile antivirus that were attacked.

As before, first place in our TOP 20 went to DangerousObject.Multi.Generic (70.04%), the verdict we use for malware detected using cloud technologies. In second place was Trojan.AndroidOS.Boogr.gsh (12.17%). This verdict is given to files recognized as malicious by our system based on machine learning. Third was Dropper.AndroidOS.Lezok.p (4.41%), followed by a close 0.3 p.p. margin by Trojan.AndroidOS.Agent.rx (4.11%), which was in the third position in Q1.

Geography of mobile threats

Map of attempted infections using mobile malware, Q2 2018

TOP 10 countries by share of users attacked by mobile malware:

  Country* %** 1 Bangladesh 31.17 2 China 31.07 3 Iran 30.87 4 Nepal 30.74 5 Nigeria 25.66 6 India 25.04 7 Indonesia 24.05 8 Ivory Coast 23.67 9 Pakistan 23.49 10 Tanzania 22.38

* Excluded from the rating are countries with relatively few users of Kaspersky Lab’s mobile antivirus (under 10,000).
** Unique users attacked in the country as a percentage of all users of Kaspersky Lab’s mobile antivirus in the country.

In Q2 2018, Bangladesh (31.17%) topped the list by share of mobile users attacked. China (31.07%) came second with a narrow margin. Third and fourth places were claimed respectively by Iran (30.87%) and Nepal (30.74%).

Russia (8.34%) this quarter was down in 38th spot, behind Taiwan (8.48%) and Singapore (8.46%).

Mobile banking Trojans

In the reporting period, we detected 61,045 installation packages for mobile banking Trojans, which is 3.2 times more than in Q1 2018. The largest contribution was made by Trojan-Banker.AndroidOS.Hqwar.jck – this verdict was given to nearly half of detected new banking Trojans. Second came Trojan-Banker.AndroidOS.Agent.dq, accounting for about 5,000 installation packages.

Number of installation packages for mobile banking Trojans detected by Kaspersky Lab, Q2 2017 – Q2 2018

TOP 10 mobile bankers

  Verdict %* 1 Trojan-Banker.AndroidOS.Agent.dq 17.74 2 Trojan-Banker.AndroidOS.Svpeng.aj 13.22 3 Trojan-Banker.AndroidOS.Svpeng.q 8.56 4 Trojan-Banker.AndroidOS.Asacub.e 5.70 5 Trojan-Banker.AndroidOS.Agent.di 5.06 6 4.65 7 Trojan-Banker.AndroidOS.Faketoken.z 3.66 8 3.03 9 Trojan-Banker.AndroidOS.Hqwar.t 2.83 10 2.77

* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab’s mobile antivirus that were attacked by banking threats.

The most popular mobile banking Trojan in Q2 was Trojan-Banker.AndroidOS.Agent.dq (17.74%), closely followed by Trojan-Banker.AndroidOS.Svpeng.aj (13.22%). These two Trojans use phishing windows to steal information about user’s banking cards and online banking credentials. Besides, they steal money through abuse of SMS services, including mobile banking. The popular banking malware Trojan-Banker.AndroidOS.Svpeng.q (8.56%) took third place in the rating, moving one notch down from its second place in Q2.

Geography of mobile banking threats, Q2 2018

TOP 10 countries by share of users attacked by mobile banking Trojans

  Country* %** 1 USA 0.79 2 Russia 0.70 3 Poland 0.28 4 China 0.28 5 Tajikistan 0.27 6 Uzbekistan 0.23 7 Ukraine 0.18 8 Singapore 0.16 9 Moldova 0.14 10 Kazakhstan 0.13

* Excluded from the rating are countries with relatively few users of Kaspersky Lab’s mobile antivirus (under 10,000).
** Unique users attacked by mobile banking Trojans in the country as a percentage of all users of Kaspersky Lab’s mobile antivirus in this country.

Overall, the rating did not see much change from Q1: Russia (0.70%) and USA (0.79%) swapped places, both remaining in TOP 3.

Poland (0.28%) rose from ninth to third place thanks to activation propagation of two Trojans: and Trojan-Banker.AndroidOS.Marcher.w. The latter was first detected in November 2017 and uses a toolset typical of banking malware: SMS interception, phishing windows and Device Administrator privileges to ensure its persistence in the system.

Mobile ransomware Trojans

In Q2 2018, we detected 14,119 installation packages for mobile ransomware Trojans, which is larger by half than in Q1.

Number of installation packages for mobile ransomware Trojans detected by Kaspersky Lab, Q2 2017 – Q2 2018

  Verdict %* 1 Trojan-Ransom.AndroidOS.Zebt.a 26.71 2 19.15 3 Trojan-Ransom.AndroidOS.Fusob.h 15.48 4 5.99 5 Trojan-Ransom.AndroidOS.Egat.d 4.83 6 Trojan-Ransom.AndroidOS.Svpeng.snt 4.73 7 Trojan-Ransom.AndroidOS.Svpeng.ab 4.29 8 3.32 9 2.61 10 Trojan-Ransom.AndroidOS.Small.cj 1.80

* Unique users attacked by this malware as a percentage of all users of Kaspersky Lab’s mobile antivirus attacked by ransomware Trojans.

The most popular mobile ransomware is Q2 was Trojan-Ransom.AndroidOS.Zebt.a (26.71%), encountered by more than a quarter of all users who got attacked by this type of malware. Second came (19.15%), nudging ahead of once-popular Trojan-Ransom.AndroidOS.Fusob.h (15.48%).

Geography of mobile ransomware Trojans, Q2 2018

TOP 10 countries by share of users attacked by mobile ransomware Trojans

  Country* %** 1 USA 0.49 2 Italy 0.28 3 Kazakhstan 0.26 4 Belgium 0.22 5 Poland 0.20 6 Romania 0.18 7 China 0.17 8 Ireland 0.15 9 Mexico 0.11 10 Austria 0.09

* Excluded from the rating are countries where the number of users of Kaspersky Lab’s mobile antivirus is relatively small (fewer than 10,000)
** Unique users in the country attacked by mobile ransomware Trojans as a percentage of all users of Kaspersky Lab’s mobile antivirus in the country.

First place in the TOP 10 went to the United States (0.49%); the most active family in this country was Trojan-Ransom.AndroidOS.Svpeng:

  Verdict %* 1 53.53% 2 16.37% 3 Trojan-Ransom.AndroidOS.Svpeng.snt 11.49% 4 Trojan-Ransom.AndroidOS.Svpeng.ab 10.84% 5 Trojan-Ransom.AndroidOS.Fusob.h 5.62% 6 Trojan-Ransom.AndroidOS.Svpeng.z 4.57% 7 Trojan-Ransom.AndroidOS.Svpeng.san 4.29% 8 2.45% 9 Trojan-Ransom.AndroidOS.Svpeng.h 0.43% 10 Trojan-Ransom.AndroidOS.Zebt.a 0.37%

* Unique users in USA attacked by this malware as a percentage of all users of Kaspersky Lab’s mobile antivirus in this country who were attacked by ransomware Trojans.

Italy (0.28%) came second among countries whose residents were attacked by mobile ransomware. In this country, most attacks were the work of Trojan-Ransom.AndroidOS.Zebt.a. Third place was claimed by Kazakhstan (0.63%), where was the most popular mobile ransomware.

Attacks on IoT devices

Judging by the data from our honeypots, brute forcing Telnet passwords is the most popular method of IoT malware self-propagation. However, recently there has been an increase in the number of attacks against other services, such as control ports. These ports are assigned services for remote control over routers – this feature is in demand e.g. with internet service providers. We have observed attempts to launch attacks on IoT devices via port 8291, which is used by Mikrotik RouterOS control service, and via port 7547 (TR-069), which was used, among other purposes, for managing devices in the Deutsche Telekom network.

In both cases the nature of attacks was much more sophisticated than plain brute force; in particular, they involved exploits. We are inclined to think that the number of such attacks will only grow in the future on the back of the following two factors:

  • Brute forcing a Telnet password is a low-efficiency strategy, as there is a strong competition between threat actors. Each few seconds, there are brute force attempts; once successful, the threat actor blocks such the access to Telnet for all other attackers.
  • After each restart of the device, the attackers have to re-infect it, thus losing part of the botnet and having to reclaim it in a competitive environment.

On the other hand, the first attacker to exploit a vulnerability will gain access to a large number of device, having spent minimum time.

Distribution of attacked services’ popularity by number of unique attacking devices, Q2 2018

Telnet attacks

The scheme of attack is as follows: the attackers find a victim device, check if Telnet port is open on it, and launch the password brute forcing routine. As many manufacturers of IoT devices neglect security (for instance, they reserve service passwords on devices and do not leave a possibility for the user to change them routinely), such attacks become successful and may affect entire lines of devices. The infected devices start scanning new segments of networks and infect new, similar devices or workstations in them.

Geography of IoT devices infected in Telnet attacks, Q2 2018

TOP 10 countries by shares of IoT devices infected via Telnet   Country %* 1 Brazil 23.38 2 China 17.22 3 Japan 8.64 4 Russia 7.22 5 USA 4.55 6 Mexico 3.78 7 Greece 3.51 8 South Korea 3.32 9 Turkey 2.61 10 India 1.71

* Infected devices in each specific country as a percentage of all IoT devices that attack via Telnet.

In Q2, Brazil (23.38%) took the lead in the number of infected devices and, consequently, in the number of Telnet attacks. Next came China (17.22%) by a small margin, and third came Japan (8.64%).

In these attacks, the threat actors most often downloaded Backdoor.Linux.Mirai.c (15.97%) to the infected devices.

TOP 10 malware downloaded to infected IoT devices in successful Telnet attacks   Verdict %* 1 Backdoor.Linux.Mirai.c 15.97 2 Trojan-Downloader.Linux.Hajime.a 5.89 3 Trojan-Downloader.Linux.NyaDrop.b 3.34 4 Backdoor.Linux.Mirai.b 2.72 5 1.94 6 Trojan-Downloader.Shell.Agent.p 0.38 7 0.27 8 Backdoor.Linux.Mirai.n 0.27 9 0.24 10 0.20

*Proportion of downloads of each specific malware program to IoT devices in successful Telnet attacks as a percentage of all malware downloads in such attacks

SSH attacks

Such attacks are launched similarly to Telnet attacks, the only difference being that they require to bots to have an SSH client installed on them to brute force credentials. The SSH protocol is cryptographically protected, so brute forcing passwords require large computational resources. Therefore, self-propagation from IoT devices is inefficient, and full-fledged servers are used to launch attacks. The success of an SSH attack hinges on the device owner or manufacturers’ faults; in other words, these are again weak passwords or preset passwords assigned by the manufacturer to an entire line of devices.

China took the lead in terms of infected devices attacking via SSH. Also, China was second in terms of infected devices attacking via Telnet.

Geography of IoT devices infected in SSH attacks, Q2 2018

TOP 10 countries by shares of IoT devices attacked via SSH   Country %* 1 China 15.77% 2 Vietnam 11.38% 3 USA 9.78% 4 France 5.45% 5 Russia 4.53% 6 Brazil 4.22% 7 Germany 4.01% 8 South Korea 3.39% 9 India 2.86% 10 Romania 2.23%

*The proportion of infected devices in each country as a percentage of all infected IoT devices attacking via SSH

Online threats in the financial sector Q2 events New banking Trojan DanaBot

The Trojan DanaBot was detected in May. It has a modular structure and is capable of loading extra modules with which to intercept traffic, steal passwords and crypto wallets – generally, a standard feature set for this type of a threat. The Trojan spread via spam messages containing a malicious office document, which subsequently loaded the Trojans’ main body. DanaBot initially targeted Australian users and financial organizations, however in early April we noticed that it had become active against the financial organizations in Poland.

The peculiar BackSwap technique

The banking Trojan BackSwap turned out much more interesting. A majority of similar threats including Zeus, Cridex and Dyreza intercept the user’s traffic either to inject malicious scripts into the banking pages visited by the victim or to redirect it to phishing sites. By contrast, BackSwap uses an innovative technique for injecting malicious scripts: using WinAPI, it emulates keystrokes to open the developer console in the browser, and then it uses this console to inject malicious scripts into web pages. In a later version of BackSwap, malicious scripts are injected via the address bar, using JavaScript protocol URLs.

Carbanak gang leader detained

On March 26, Europol announced the arrest of a leader of the cybercrime gang behind Carbanak and Cobalt Goblin. This came as a result of a joint operation between Spain’s national police, Europol and FBI, as well as Romanian, Moldovan, Belorussian and Taiwanese authorities and private infosecurity companies. It was expected that the leader’s arrest would reduce the group’s activity, however recent data show that no appreciable decline has taken place. In May and June, we detected several waves of targeted phishing against banks and processing companies in Eastern Europe. The email writers from Carbanak masquerades as support lines of reputable anti-malware vendors, European Central Bank and other organizations. Such emails contained attached weaponized documents exploiting vulnerabilities CVE-2017-11882 and CVE-2017-8570.

Ransomware Trojan uses Doppelgänging technique

Kaspersky Lab experts detected a case of the ransomware Trojan SynAck using the Process Doppelgänging technique. Malware writers use this complex technique to make it stealthier and complicate its detection by security solutions. This was the first case when it was used in a ransomware Trojan.

Another remarkable event was the Purga (aka Globe) cryptoware propagation campaign, during which this cryptoware, alongside with other malware including a banking Trojan, was loaded to computers infected with the Trojan Dimnie.

General statistics on financial threats

These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data.

In Q2 2018, Kaspersky Lab solutions blocked attempts to launch one or more malicious programs designed to steal money from bank accounts on the computers of 215,762 users.

Number of unique users attacked by financial malware, Q2 2018

Geography of attacks

Geography of banking malware attacks, Q2 2018

TOP 10 countries by percentage of attacked users Country* % of users attacked** 1 Germany 2.7% 2 Cameroon 1.8% 3 Bulgaria 1.7% 4 Greece 1.6% 5 United Arab Emirates 1.4% 6 China 1.3% 7 Indonesia 1.3% 8 Libya 1.3% 9 Togo 1.3% 10 Lebanon 1.2%

These statistics are based on Anti-Virus detection verdicts received from users of Kaspersky Lab products who consented to provide statistical data.

*Excluded are countries with relatively few Kaspersky Lab’ product users (under 10,000).
** Unique Kaspersky Lab users whose computers were targeted by banking Trojans or ATM/PoS malware as a percentage of all unique users of Kaspersky Lab products in the country.

TOP 10 banking malware families Name Verdicts* % of attacked users** 1 Nymaim Trojan.Win32. Nymaim 27.0%   2 Zbot Trojan.Win32. Zbot 26.1%   3 SpyEye Backdoor.Win32. SpyEye 15.5%   4 Emotet Backdoor.Win32. Emotet 5.3%   5 Caphaw Backdoor.Win32. Caphaw 4.7%   6 Neurevt Trojan.Win32. Neurevt 4.7%   7 NeutrinoPOS Trojan-Banker.Win32.NeutrinoPOS 3.3%   8 Gozi Trojan.Win32. Gozi 2.0%   9 Shiz Backdoor.Win32. Shiz 1.5%   10 ZAccess Backdoor.Win32. ZAccess 1.3%  

* Detection verdicts of Kaspersky Lab products. The information was provided by Kaspersky Lab product users who consented to provide statistical data.
** Unique users attacked by this malware as a percentage of all users attacked by financial malware.

In Q2 2018, the general makeup of TOP 10 stayed the same, however there were some changes in the ranking. Trojan.Win32.Zbot (26.1%) and Trojan.Win32.Nymaim (27%) remain in the lead after swapping positions. The banking Trojan Emotet ramped up its activity and, accordingly, its share of attacked users from 2.4% to 5.3%. Conversely, Caphaw dramatically downsized its activity to only 4.7% from 15.2% in Q1, taking fifth position in the rating.

Cryptoware programs Number of new modifications

In Q2, we detected 7,620 new cryptoware modifications. This is higher than in Q1, but still well below last year’s numbers.

Number of new cryptoware modifications, Q2 2017 – Q2 2018

Number of users attacked by Trojan cryptors

In Q2 2018, Kaspersky Lab products blocked cryptoware attacks on the computers of 158,921 unique users. Our statistics show that cybercriminals’ activity declined both against Q1 and on a month-on-month basis during Q2.

Number of unique users attacked by cryptors, Q2 2018

Geography of attacks

TOP 10 countries attacked by Trojan cryptors Country* % of users attacked by cryptors** 1 Ethiopia 2.49 2 Uzbekistan 1.24 3 Vietnam 1.21 4 Pakistan 1.14 5 Indonesia 1.09 6 China 1.04 7 Venezuela 0.72 8 Azerbaijan 0.71 9 Bangladesh 0.70 10 Mongolia 0.64

* Excluded are countries with relatively few Kaspersky Lab users (under 50,000).
** Unique users whose computers were attacked by Trojan cryptors as a percentage of all unique users of Kaspersky Lab products in the country.

The list of TOP 10 countries in Q2 is practically identical to that in Q1. However, some place trading occurred in TOP 10: Ethiopia (2.49%) pushed Uzbekistan (1.24%) down from first to second place, while Pakistan (1.14%) rose to fourth place. Vietnam (1.21%) remained in third position, and Indonesia (1.09%) remained fifth.

TOP 10 most widespread cryptor families Name Verdicts* % of attacked users** 1 WannaCry Trojan-Ransom.Win32.Wanna 53.92   2 GandCrab Trojan-Ransom.Win32.GandCrypt 4.92   3 PolyRansom/VirLock Virus.Win32.PolyRansom 3.81   4 Shade Trojan-Ransom.Win32.Shade 2.40   5 Crysis Trojan-Ransom.Win32.Crusis 2.13   6 Cerber Trojan-Ransom.Win32.Zerber 2.09   7 (generic verdict) Trojan-Ransom.Win32.Gen 2.02   8 Locky Trojan-Ransom.Win32.Locky 1.49   9 Purgen/GlobeImposter Trojan-Ransom.Win32.Purgen 1.36   10 Cryakl Trojan-Ransom.Win32.Cryakl 1.04  

* Statistics are based on detection verdicts of Kaspersky Lab products. The information was provided by Kaspersky Lab product users who consented to provide statistical data.
** Unique Kaspersky Lab users attacked by a particular family of Trojan cryptors as a percentage of all users attacked by Trojan cryptors.

WannaCry further extends lead over other cryptor families, its share rising to 53.92% from 38.33% in Q1. Meanwhile, the cybercriminals behind GandCrab (4.92%, emerged only in Q1 2018) put so much effort into its distribution that it rose all the way up to second place in this TOP 10, displacing the polymorphic worm PolyRansom (3.81%). The remaining positions, just like in Q1, are occupied by the long-familiar cryptors Shade, Crysis, Purgen, Cryakl etc.


As we already reported in Ransomware and malicious cryptominers in 2016-2018, ransomware is shrinking progressively, and cryptocurrency miners is starting to take its place. Therefore, this year we decided to begin to publish quarterly reports on the situation around type of threats. Simultaneously, we began to use a broader range of verdicts as a basis for collecting statistics on miners, so the Q2 statistics may not be consistent with the data from our earlier publications. It includes both stealth miners which we detect as Trojans, and those which are issued the verdict ‘Riskware not-a-virus’.

Number of new modifications

In Q2 2018, Kaspersky Lab solutions detected 13,948 new modifications of miners.

Number of new miner modifications, Q2 2018

Number of users attacked by cryptominers

In Q2, we detected attacks involving mining programs on the computers of 2,243,581 Kaspersky Lab users around the world.

Number of unique users attacked by cryptominers, Q2 2018

In April and May, the number of attacked users stayed roughly equal, and in June there was a modest decrease in cryptominers’ activity.

Geography of attacks

Geography of cryptominer attacks, Q2 2018

TOP 10 countries by percentage of attacked users Country* % of attacked users** 1 Ethiopia 17.84 2 Afghanistan 16.21 3 Uzbekistan 14.18 4 Kazakhstan 11.40 5 Belarus 10.47 6 Indonesia 10.33 7 Mozambique 9.92 8 Vietnam 9.13 9 Mongolia 9.01 10 Ukraine 8.58

*Excluded are countries with relatively few Kaspersky Lab’ product users (under 50,000).
** Unique Kaspersky Lab users whose computers were targeted by miners as a percentage of all unique users of Kaspersky Lab products in the country.

Vulnerable apps used by cybercriminals

In Q2 2018, we again observed some major changes in the distribution of platforms most often targeted by exploits. The share of Microsoft Office exploits (67%) doubled compared to Q1 (and quadrupled compared with the average for 2017). Such a sharp growth was driven primarily by massive spam messages distributing documents containing an exploit to the vulnerability CVE-2017-11882. This stack overflow-type vulnerability in the old, deprecated Equation Editor component existed in all versions of Microsoft Office released over the last 18 years. The exploit still works stably in all possible combinations of the Microsoft Office package and Microsoft Windows. On the other hand, it allows the use of various obfuscations for bypassing the protection. These two factors made this vulnerability the most popular tool in cybercriminals’ hands in Q2. The shares of other Microsoft Office vulnerabilities did no undergo much change since Q1.

Q2 KSN statistics also showed a growing number of Adobe Flash exploits exploited via Microsoft Office. Despite Adobe and Microsoft’s efforts to obstruct exploitation of Flash Player, a new 0-day exploit CVE-2018-5002 was discovered in Q2. It propagated in an XLSX file and used a little-known technique allowing the exploit to be downloaded from a remote source rather than carried in the document body. Shockwave Flash (SWF) files, like many other file formats, are rendered in Microsoft Office documents in the OLE (Object Linking and Embedding) format. In the case of a SWF file, the OLE object contains the actual file and a list of various properties, one of which points to the path to the SWF file. The OLE object in the discovered exploit did not contain an SWF file in it, but only carried a list of properties including a web link to the SWF file, which forced Microsoft Office to download the missing file from the provided link.

Distribution of exploits used in cybercriminals’ attacks by types of attacked applications, Q2 2018

In late March 2018, a PDF document was detected at VirusTotal that contained two 0-day vulnerabilities: CVE-2018-4990 and CVE-2018-8120. The former allowed for execution of shellcode from JavaScript via exploitation of a software error in JPEG2000 format image processor in Acrobat Reader. The latter existed in the win32k function SetImeInfoEx and was used for further privilege escalation up to SYSTEM level and enabled the PDF viewer to escape the sandbox. Ana analysis of the document and our statistics show that at the moment of uploading to VirusTotal, this exploit was at the development stage and was not used for in-the-wild attacks.

In late April, Kaspersky Lab experts using an in-house sandbox have found the 0-day vulnerability CVE-2018-8174 in Internet Explorer and reported it to Microsoft. An exploit to this vulnerability used a technique associated with CVE-2017-0199 (launching an HTA script from a remote source via a specially crafted OLE object) to exploit a vulnerable Internet Explorer component with the help of Microsoft Office. We are observing that exploit pack creators have already taken this vulnerability on board and actively distribute exploits to it both via web sites and emails containing malicious documents.

Also in Q2, we observed a growing number of network attacks. There is a growing share of attempts to exploit the vulnerabilities patched with the security update MS17-010; these make up a majority a of the detected network attacks.

Attacks via web resources

The statistics in this chapter are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected.

Top 10 countries where online resources are seeded with malware

The following statistics are based on the physical location of the online resources used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks. In order to determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In the second quarter of 2018, Kaspersky Lab solutions blocked 962,947,023 attacks launched from web resources located in 187 countries around the world. 351,913,075 unique URLs were recognized as malicious by web antivirus components.

Distribution of web attack sources by country, Q2 2018

In Q2, the TOP 4 of web attack source countries remain unchanged. The US (45.87%) was home to most sources of web attacks. The Netherlands (25.74%) came second by a large margin, Germany (5.33%) was third. There was a change in the fifth position: Russia (1.98%) has displaced the UK, although its share has decreased by 0.55 p.p.

Countries where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky Lab users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious programs that fall under the Malware class; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

Country* % of attacked users** 1 Belarus 33.49 2 Albania 30.27 3 Algeria 30.08 4 Armenia 29.98 5 Ukraine 29.68 6 Moldova 29.49 7 Venezuela 29.12 8 Greece 29.11 9 Kyrgyzstan 27.25 10 Kazakhstan 26.97 11 Russia 26.93 12 Uzbekistan 26.30 13 Azerbaijan 26.12 14 Serbia 25.23 15 Qatar 24.51 16 Latvia 24.40 17 Vietnam 24.03 18 Georgia 23.87 19 Philippines 23.85 20 Romania 23.55

These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky Lab products who consented to provide statistical data.
Excluded are countries with relatively few Kaspersky Lab users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky Lab products in the country.

Geography of malicious web attacks in Q2 2018 (percentage of attacked users)

On average, 19.59% of Internet user computers worldwide experienced at least one Malware-class web attack.

Local threats

Local infection statistics for user computers are an important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.).

Data in this section is based on analyzing statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.

In Q2 2018, our File Anti-Virus detected 192,053,604 malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky Lab product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.

The rating includes only Malware-class attacks. It does not include File Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

Country* % of attacked users** 1 Uzbekistan 51.01 2 Afghanistan 49.57 3 Tajikistan 46.21 4 Yemen 45.52 5 Ethiopia 43.64 6 Turkmenistan 43.52 7 Vietnam 42.56 8 Kyrgyzstan 41.34 9 Rwanda 40.88 10 Mongolia 40.71 11 Algeria 40.25 12 Laos 40.18 13 Syria 39.82 14 Cameroon 38.83 15 Mozambique 38.24 16 Bangladesh 37.57 17 Sudan 37.31 18 Nepal 37.02 19 Zambia 36.60 20 Djibouti 36.35

These statistics are based on detection verdicts returned by OAS and ODS Anti-Virus modules received from users of Kaspersky Lab products who consented to provide statistical data. The data include detections of malicious programs located on user computers or removable media connected to computers, such as flash drives, camera and phone memory cards, or external hard drives.
Excluded are countries with relatively few Kaspersky Lab users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky Lab products in the country.

Geography of malicious web attacks in Q2 201 (ranked by percentage of users attacked)

On average, 19.58% of computers globally faced at least one Malware-class local threat in Q2.

How do file partner programs work?

Malware Alerts - Thu, 08/02/2018 - 06:00

It’s easy to notice if you’ve fallen victim to an advertising partner program: the system has new apps that you didn’t install, ad pages spontaneously open in the browser, ads appear on sites where they never used to, and so on. If you notice these symptoms on your computer, and in the list of installed utilities there is, for example, setupsk, Browser Enhancer, Zaxar game browser, “PC optimizers” (such as Smart Application Controller or One System Care), or unknown browsers, 99% of the time it’s pay-per-install network. Every month, Kaspersky Lab security solutions prevent more than 500,000 attempts to install software that is distributed through advertising partner programs. Most such attempts (65%) happen in Russia.

Geography of attempts to install advertising partner programs apps, June 2018

The partner program acts as an intermediary between software vendors who wish to distribute their apps and owners of file hosting sites. When the user clicks the Download or similar button on such sites, the partner program provides a special installer that downloads the required file, but also determines which set of additional software should be installed on the PC.

File partner programs benefit everyone except the user. The site owner receives money for installing “partner” apps, and the partner program organizer collects a fee from the advertisers, who in turn get what they wanted, since their software is installed.

Propagation methods

To illustrate the process, we chose a scheme used by several partner programs. Let’s look at a real page offering to download a plugin for the S.T.A.L.K.E.R. game.

On attempting to download it, the user is redirected to a landing page selected by the administrator of the file-sharing site when loading the file onto the partner program server. Such pages often mimic the interface of popular cloud services:

Example of a fake page to which the user is redirected

This is what the landing page chooser looks like in the File-7 partner program settings

On clicking the download button, the user receives a file with one of the following formats:

  • ZIP-archive
  • Torrent file
  • ISO image
  • HTML document

Moreover, archives are often multi-layered and, in many cases, password-protected. Such protective measures and choice of format are not accidental — partner programs engage a wide range of tricks to prevent browser from blocking the download of their installers.

Notification about installer download blocks in a partner program’s news feed

The victim is often guided through the loader installation with hints on the download pages as to how to find the program, which password to use for the archive, and how to run the installer. Some versions contain readme attachments with a description of the actions required for the installation. Regardless of the type of file that the user wanted to download, the end product is an executable. Interestingly, every time one and the same file is downloaded, its hash sum changes, and the name always contains a set of some characters.

Example of how loader files are named

Communicating with the server

At the preparatory stage, the partner program installer exchanges data with the C&C server. Every message transmitted uses encryption, usually rather primitive: first it is encoded in Base64, then the result is inverted, and again encoded in Base64.

  1. At stage one, the loader transmits information about the downloaded installer, plus data for identifying the victim to the server. The message includes confidential information: user name, PC domain name, MAC address, machine SID, hard drive serial number, lists of running processes and installed programs. Naturally, the data is collected and transmitted without the consent of the device owner.
  2. The server responds with a message containing the following information fields:
  • adverts list — with the installation conditions for certain partner software
  • content — contains the name of the file that the user originally intended to download and a link to it
  • icon — contains a link to an icon that is later downloaded and used when starting the graphical interface of the loader.

  1. The installer checks that the conditions listed for each “advert” are fulfilled. If all conditions are met, the id of the advert is added to the adverts_done list. In the example above, for instance, the registry is checked for paths indicating that one of the selected antiviruses is installed on the computer. If this is the case, the partner software with id 1116 is not added to the adverts_done list and will not subsequently be installed on the user’s computer. The purpose of such a check is to prevent the installation of a program that would trigger antivirus software. Next, the generated list is sent to the server:
  2. The server selects several id’s (usually 3-5) from the resulting adverts_done list and returns them to the campaigns list. For each id, this list has a checkboxes field containing the text to be displayed in the installation consent window, the url field containing a link to the installer of the given advert, and the parameter field containing a key for installing the unwanted software in silent mode.

After that, a window opens that simulates the download process in Internet Explorer. The loader does not explicitly notify the user that additional programs will be installed on the computer along with the downloaded file. Their installation can be declined only by clicking a barely discernible slider in the bottom part of the window.

File loader window

During the file download process, software that the user does not deselect is installed inconspicuously. At the final stage of operation, the loader reports to the server about the successful installation of each individual product:

Installed software analysis

By analyzing the loader process, we managed to get some links to various programs that can be installed secretly. Although most of the software relates to different advertising families (that’s how Pbot finds its way onto user devices, for example), that is not the only thing distributed via file partner programs. In particular, around 5% of the files were legitimate browser installers. About 20% of the files are detected as malicious (Trojan, Trojan-Downloader, etc.).


Owners of file-sharing sites that cooperate with similar partner programs often do not even check what kind of content visitors get from the resource. As a result, anything at all can be installed on the user’s computer besides legitimate software. Therefore, in the absence of security solutions, such resources need to be used with extreme caution.

Kaspersky Lab products detect the loaders of file partner programs with the following verdicts:




Attacks on industrial enterprises using RMS and TeamViewer

Malware Alerts - Wed, 08/01/2018 - 06:00

Main facts

Kaspersky Lab ICS CERT has identified a new wave of phishing emails with malicious attachments targeting primarily companies and organizations that are, in one way or another, associated with industrial production.

The phishing emails are disguised as legitimate commercial offers and are sent mainly to industrial companies located in Russia. The content of each email reflects the activity of the organization under attack and the type of work performed by the employee to whom the email is sent.

According to the data that we have collected, this series of attacks started in November 2017 and is currently in progress. Notably, the first similar attacks were recorded as far back as 2015.

The malware used in these attacks installs legitimate remote administration software – TeamViewer or Remote Manipulator System/Remote Utilities (RMS). This enables the attackers to gain remote control of infected systems. The threat actor uses various techniques to mask the infection and the activity of malware installed in the system.

According to the data available, the attackers’ main goal is to steal money from victim organizations’ accounts. When attackers connect to a victim’s computer, they search for and analyze purchase documents, as well as the financial and accounting software used. After that, the attackers look for various ways in which they can commit financial fraud, such as spoofing the bank details used to make payments.

In cases where the cybercriminals need additional data or capabilities after infecting a system, such as privilege escalation and obtaining local administrator privileges, the theft of user authentication data for financial software and services, or Windows accounts for lateral movement, the attackers download an additional pack of malware to the system, which is specifically tailored to the attack on each individual victim. The malware pack can include spyware, additional remote administration utilities that extend the attackers’ control on infected systems, malware for exploiting operating system and application software vulnerabilities, as well as the Mimikatz utility, which provides the attackers with Windows account data.

Apparently, among other methods, the attackers obtain the information they need to perpetrate their criminal activity by analyzing the correspondence of employees at the enterprises attacked. They may also use the information found in these emails to prepare new attacks – against companies that partner with the current victim.

Clearly, on top of the financial losses, these attacks result in leaks of the victim organizations’ sensitive data.

Phishing emails

In most cases, the phishing emails have finance-related content; the names of attachments also point to their connection with finance. Specifically, some of the emails purport to be invitations to tender from large industrial companies (see below).

Malicious attachments may be packed into archives. Some of the emails have no attachments – in these cases, message text is designed to lure users into following links leading to external resources and downloading malicious objects from those resources.

Below is a sample phishing email used in attacks on some organizations:

Screenshot of a phishing email

The above email was sent on behalf of a well-known industrial organization. The domain name of the server from which the message was sent was similar to the domain name of that organization’s official website. The email had an archive attached to it. The archive was protected with a password that could be found in the message body.

It is worth noting that the attackers addressed an employee of the company under attack by his or her full name (this part of the email was masked in the screenshot above for confidentiality reasons). This indicates that the attack was carefully prepared and an individual email that included details relevant to the specific organization was created for each victim.

As part of the attacks, the threat actor uses various techniques to mask the infection. In this case, Seldon 1.7 – legitimate software designed to search for tenders – is installed in infected systems in addition to malware components and a remote administration application.

To keep users from wondering why they didn’t get information on the procurement tender referred to in the phishing email, the malicious program distributes a damaged copy of Seldon 1.7 software.

Window of legitimate software Seldon 1.7

In other cases, the user is shown a partially damaged image.

Image opened by malware

There is also a known case of malware being masked as a PDF document containing a bank transfer receipt. Curiously, the receipt contains valid data. Specifically, it mentions existing companies and their valid financial details; even a car’s VIN matches its model.

Screenshot of a bank transfer receipt displayed by malware

The malware used in these attacks installs legitimate remote administration software – TeamViewer or Remote Manipulator System/Remote Utilities (RMS).

Attacks using RMS

There are several known ways in which the malware can be installed in a system. Malicious files can be run either by an executable file attached to an email or by a specially crafted script for the Windows command interpreter.

For example, the archive mentioned above contains an executable file, which has the same name and is a password-protected self-extracting archive. The archive extracts the files and runs a script that installs and launches the actual malware in the system.

Contents of the malware installation file

It can be seen from the commands in the screenshot above that after copying the files the script deletes its own file and launches legitimate software in the system – Seldon v.1.7 and RMS, – enabling the attackers to control the infected system without the user’s knowledge.

Depending on the malware version, files are installed in %AppData%\LocalDataNT folder %AppData%\NTLocalData folder or in %AppData%\NTLocalAppData folder.

When it launches, legitimate RMS software loads dynamic libraries (DLL) required for the program’s operation, including the system file winspool.drv, which is located in the system folder and is used to send documents to the printer. RMS loads the library insecurely, using its relative path (the vendor has been notified of this vulnerability). This enables the attackers to conduct a DLL hijacking attack: they place a malicious library in the same directory with the RMS executable file, as a result of which a malware component loads and gains control instead of the corresponding system library.

The malicious library completes malware installation. Specifically, it creates a registry value responsible for automatically running RMS at system startup. Notably, in most cases of this campaign the registry value is placed in the RunOnce key, instead of the Run key, enabling the malware to run automatically only the next time the system starts up. After that, the malware needs to create the registry value again.

It is most likely that the attackers chose this approach to mask the presence of malware in the system as well as possible. The malicious library also implements techniques for resisting analysis and detection. One such technique involves dynamically importing Windows API functions using their hashes. This way, the attackers do not have to store the names of these functions in the malicious library’s body, which helps them to conceal the program’s real functionality from most analysis tools.

Part of a malicious code fragment implementing the dynamic import of functions

The malicious dynamic library, winspool.drv, decrypts configuration files prepared by the attackers, which contain RMS software settings, the password for remotely controlling the machine and the settings needed to notify the attackers that the system has been successfully infected.

One of the configuration files contains an email address to which information about the infected system is sent, including computer name, user name, the RMS machine’s Internet ID, etc. The Internet ID sent as part of this information is generated on a legitimate server of the RMS vendor after the computer connects to it. The identifier is subsequently used to connect to the remotely controlled system located behind NAT (a similar mechanism is also used in popular instant messaging solutions).

A list of email addresses found in the configuration files discovered is provided in the indicators of compromise section.

A modified version of RC4 is used to encrypt configuration files. Configuration files from the archive mentioned above are shown below.

Decrypted contents of InternetId.rcfg file

Decrypted contents of notification.rcfg file

Decrypted contents of Options.rcfg file

Decrypted contents of Password.rcfg file

After this, the attackers can use the system’s Internet ID and password to control it without the user’s knowledge via a legitimate RMS server, using the standard RMS client.

Attacks using TeamViewer

Attacks using legitimate TeamViewer software are very similar to those using RMS software, which are described above. A distinguishing feature is that information from infected systems is sent to malware command-and-control servers, rather than the attackers’ email address.

As in the case of RMS, malicious code is injected into the TeamViewer process by substituting a malicious library for system DLL. In the case of TeamViewer, msimg32.dll is used.

This is not a unique tactic. Legitimate TeamViewer software has been used in APT and cybercriminal attacks before. The best-known group to have used this toolset is TeamSpy Crew. We believe that the attacks described in this document are not associated with TeamSpy and are the result of known malware being re-used by another cybercriminal group. Curiously, the algorithm used to encrypt the configuration file and the password for decrypting it, which were identified in the process of analyzing these attacks, are the same as those published last April in a description of similar attacks.

It is common knowledge that legitimate TeamViewer software does not hide its startup or operation from the user and, specifically, notifies the user of incoming connections. At the same time, the attackers need to gain remote control of the infected system without the user’s knowledge. To achieve this, they hook several Windows API functions.

The functions are hooked using a well-known method called splicing. As a result, when legitimate software calls one of the Windows API functions, control is passed to the malicious DLL and the legitimate software gets a spoofed response instead of one from the operating system.

Windows API function hooked by the malware

Hooking Windows API functions enables attackers to hide TeamViewer windows, protect malware files from being detected, and control TeamViewer startup parameters.

After launching, the malicious library checks whether an internet connection is available by executing the command “ping” and then decrypts the malicious program’s configuration file tvr.cfg. The file contains various parameters, such as the password used for remotely controlling the system, URL of the attackers’ command-and-control server, parameters of the service under whose name TeamViewer will be installed, the User-Agent field of the HTTP header used in requests sent to the command-and-control server, VPN parameters for TeamViewer, etc.

Screenshot of decrypted contents of the malware configuration file

Unlike RMS, Team Viewer uses a built-in VPN to remotely control a computer located behind NAT.

As in the case of RMS, the relevant value is added to the RunOnce registry key to ensure that the malware runs automatically at system startup.

The malware collects data on the infected machine and sends it to the command-and-control server along with the system’s identifier needed for remote administration. The data sent includes:

  • Operating system version
  • User name
  • Computer name
  • Information on the privilege level of the user on whose behalf the malware is running
  • Whether or not a microphone and a webcam are present in the system
  • Whether or not antivirus software or other security solutions are installed, as well as the UAC level

Information about security software installed in the system is obtained using the following WQL query:

root\SecurityCenter:SELECT * FROM AntiVirusProduct

The information collected is sent to the attackers’ server using the following POST request:

POST request used to send encrypted data to the command-and-control server

Another distinguishing feature of attacks that involve the TeamViewer is the ability to send commands to an infected system and have them executed by the malware. Commands are sent from the command-and-control server using the chat built into the TeamViewer application. The chat window is also hidden by the malicious library and the log files are deleted.

A command sent to an infected system is executed in the Windows command interpreter using the following instruction:

cmd.exe /c start /b

The parameter “/b” indicates that the command sent by the attackers for execution will be run without creating a new window.

The malware also has a mechanism for self-destructing if the appropriate command is received from the attackers’ server.

The use of additional malware

In cases where attackers need additional data (authorization data, etс.), they download spyware to victim computers in order to collect logins and passwords for mailboxes, websites, SSH/FTP/Telnet clients, as well as logging keystrokes and making screenshots.

Additional software hosted on the attackers’ servers and downloaded to victims’ computers was found to include malware from the following families:

In all probability, these Trojans were downloaded to compromised systems and used to collect information and steal data. In addition to remote administration, the capabilities of malware from these families include:

  • Logging keystrokes
  • Making screenshots
  • Collecting system information and information on installed programs and running processes
  • Downloading additional malicious files
  • Using the computer as a proxy server
  • Stealing passwords from popular programs and browsers
  • Stealing cryptocurrency wallets
  • Stealing Skype correspondence
  • Conducting DDoS attacks
  • Intercepting and spoofing user traffic
  • Sending any user files to the command-and-control server

In other cases observed, after an initial analysis of an infected system, the attackers downloaded an additional malware module to the victim’s computer – a self-extracting archive containing various malicious and legitimate programs, which were apparently individually selected for each specific system.

For example, if the malware had previously been executed on behalf of a user who did not have local administrator privileges, to evade the Windows User Account Control (UAC), the attackers used the DLL hijacking technique mentioned above, but this time on a Windows system file, %systemdir%\migwiz\migwiz.exe, and a library, cryptbase.dll. The local administrator privileges obtained are used to run RemoteUtilities, a remote administration utility, on the infected system. The attackers use a modified RemoteUtilities executable file to mask the presence of the software on the system. The utility offers extensive functionality for managing the system remotely:

  • Remotely controlling the system (RDP)
  • Transferring files to and from the infected system
  • Controlling power on the infected system
  • Remotely managing the processes of running application
  • Remote shell (command line)
  • Managing hardware
  • Capturing screenshots and screen videos
  • Recording sound and video from recording devices connected to the infected system
  • Remote management of the system registry

In some cases, the Mimikatz utility was installed in addition to cryptbase.dll and RemoteUtilities. We believe that the attackers use Mimikatz in cases when the first system infected is not one that has software for working with financial data installed on it. In these cases, the Mimikatz utility is used to steal authentication data from the organization’s employees and gain remote access to other machines on the enterprise’s network. The use of this technique by the attackers poses a serious danger: if they succeed in obtaining the account credentials for the domain administrator’s account, this will give them control of all systems on the enterprise’s network.

Attack targets

According to KSN data, from October 2017 to June 2018, about 800 computers of employees working at industrial companies were attacked using the malware described in this paper.

Number of computers attacked by month. October 2017 – June 2018

According to our estimate, at least 400 industrial companies in Russia have been targeted by this attack, including companies in the following industries:

  • Manufacturing
  • Oil and gas
  • Metallurgy
  • Engineering
  • Energy
  • Construction
  • Mining
  • Logistics

Based on this, it can be concluded that the attackers do not concentrate on companies in any specific industry or sector. At the same time, their activity clearly demonstrates their determination to compromise specifically systems belonging to industrial companies. This choice on the part of the cybercriminals could be explained by the fact that the threat awareness and cybersecurity culture in industrial companies is inferior to that in companies from other sectors of the economy (such as banks or IT companies). At the same time, as we have noted before, it is more common for industrial companies than for companies in other sectors to conduct operations involving large amounts of money on their accounts. This makes them an even more attractive target for cybercriminals.


This research demonstrates once again that even when they use simple techniques and known malware, threat actors can successfully attack many industrial companies by expertly using social engineering and masking malicious code in target systems. Criminals actively use social engineering to keep users from suspecting that their computers are infected. They also use legitimate remote administration software to evade detection by antivirus solutions.

This series of attacks targets primarily Russian organizations, but the same tactics and tools can be used in attacks against industrial companies in any country of the world.

We believe that the threat actor behind this attack is highly likely to be a criminal group whose members have a good command of Russian. This is indicated by the high level at which texts in Russian are prepared for phishing emails used in the attack, as well as the attackers’ ability to make changes to organizations’ financial data in Russian. More data about the research on the infrastructure and language used by the attackers is available in the private version of the report on the Treat Intelligence portal.

Remote administration capabilities give criminals full control of compromised systems, so possible attack scenarios are not limited to the theft of money. In the process of attacking their targets, the attackers steal sensitive data belonging to target organizations, their partners and customers, carry out surreptitious video surveillance of the victim companies’ employees, and record audio and video using devices connected to infected machines.

The various malware components used in this attack are detected by Kaspersky Lab products with the following verdicts:

  • Trojan.BAT.Starter
  • Trojan.Win32.Dllhijack
  • Trojan.Win32.Waldek
  • Backdoor.Win32.RA-based
  • Backdoor.Win32.Agent

 Indicators of compromise (PDF)

Unique Passwords

SANS Tip of the Day - Mon, 07/30/2018 - 01:00
Make sure each of your accounts has a separate, unique password. Can't remember all of your passwords/passphrases? Consider using a password manager to securely store all of them for you.

Never Respond to Emails Asking for Personal Information

SANS Tip of the Day - Fri, 07/27/2018 - 01:00
Companies you do business with should never ask for your account information, credit card numbers or password in an email. If you have any questions about an email you receive that supposedly came from your financial institution or service provider, find their number on their website and call them.

A mining multitool

Malware Alerts - Thu, 07/26/2018 - 06:00

Recently, an interesting miner implementation appeared on Kaspersky Lab’s radar. The malware, which we dubbed PowerGhost, is capable of stealthily establishing itself in a system and spreading across large corporate networks infecting both workstations and servers. This type of hidden consolidation is typical of miners: the more machines that get infected and the longer they remain that way, the greater the attacker’s profits. Therefore, it’s not uncommon to see clean software being infected with a miner; the popularity of the legitimate software serves to promote the malware’s proliferation. The creators of PowerGhost, however, went further and started using fileless techniques to establish the illegal miner within the victim system. It appears the growing popularity and rates of cryptocurrencies have convinced the bad guys of the need to invest in new mining techniques – as our data demonstrates, miners are gradually replacing ransomware Trojans.

Technical description and propagation method

PowerGhost is an obfuscated PowerShell script that contains the core code and the following add-on modules: the actual miner, mimikatz, the libraries msvcp120.dll and msvcr120.dll required for the miner’s operation, a module for reflective PE injection and a shellcode for the EternalBlue exploit.

Fragment of the obfuscated script

The add-on modules encoded in base64

The malicious program uses lots of fileless techniques to remain inconspicuous to the user and undetected by antivirus technologies. The victim machine is infected remotely using exploits or remote administration tools (Windows Management Instrumentation). During infection, a one-line PowerShell script is run that downloads the miner’s body and immediately launches it without writing it to the hard drive.

What the script does after that can be broken down into several stages:

  • Automatic self-update. PowerGhost checks if a new version is available on the C&C. If there is, it downloads the new version and launches it instead of itself.
  • Propagation.With the help of mimikatz, the miner obtains the user account credentials from the current machine, uses them to log on and attempts to propagate across the local network by launching a copy of itself via WMI. By “a copy of itself” here and below we mean the one-line script that downloads the miner’s body from the C&C.
    PowerGhost also tries to spread across the local network using the now-notorious EternalBlue exploit (MS17-010, CVE-2017-0144).
  • Escalation of privileges. As the miner spreads via mimikatz and WMI, it may end up on a new machine with user rights. It will then attempt to escalate its privileges in the system with the 32- or 64-bit exploits for MS16-032, MS15-051 and CVE-2018-8120.
  • Establishing a foothold in the system. PowerGhost saves all the modules as properties of a WMI class. The miner’s body is saved in the form of a one-line PowerShell script in a WMI subscription that activates every 90 minutes.
  • Payload.Lastly, the script launches the miner by loading a PE file via reflective PE injection.

In one PowerGhost version, we detected a tool for conducting DDoS attacks. The malware writers obviously decided to make some extra money by offering DDoS services.

PowerShell function with the tell-tale name RunDDOS

It’s worth pointing out that this is the only one of the miner’s functions that copies files to the hard drive. This is quite possibly a test tool that will later be replaced with a fileless implementation. Also supporting the assertion that this function was added to this version as an afterthought is the peculiar way the DDoS module is launched: the script downloads two PE modules, logos.png and cohernece.txt. The former is saved to the hard drive as java-log-9527.log and is an executable file for conducting DDoS attacks. The file cohernece.txt is protected with the software protection tool Themida, complete with a check for execution in a virtual environment. If the check does not detect a sandbox, then cohernece.txt launches the file java-log-9527.log for execution. In this curious way, the ready DDoS module was supplemented with a function to check for execution in a virtual environment.

Fragment of disassembled code of the file cohernece.txt

Statistics and geography

Corporate users bore the brunt of the attack: it’s easier for PowerGhost to spread within a company’s local area network.

Geography of infections by the miner

PowerGhost is encountered most often in India, Brazil, Columbia and Turkey.

Kaspersky Lab’s products detect the miner and/or its components with the following verdicts:

  • PDM:Trojan.Win32.Generic
  • PDM:Exploit.Win32.Generic
  • HEUR:Trojan.Win32.Generic
  • not-a-virus:HEUR:RiskTool.Win32.BitMiner.gen

E-wallets at and


Indicators of compromise C&C hostnames:
  • update.7h4uk[.]com
  • info.7h4uk[.]com


A study of car sharing apps

Malware Alerts - Wed, 07/25/2018 - 06:00

The growing popularity of car sharing services has led some experts to predict an end to private car ownership in big cities. The statistics appear to back up this claim: for example, in 2017 Moscow saw the car sharing fleet, the number of active users and the number of trips they made almost double. This is great news, but information security specialists have started raising some pertinent questions: how are the users of these services protected and what potential risks do they face in the event of unauthorized access to their accounts?

Why is car sharing of interest to criminals?

The simple answer would be because they want to drive a nice car at somebody else’s expense. However, doing so more than once is likely to be problematic – once the account’s owner finds out they have been charged for a car they never rented, they’ll most likely contact the service’s support line, the service provider will check the trip details, and may eventually end up reporting the matter to the police. It means anyone trying it a second time will be tracked and caught red-handed. This is obvious and makes this particular scenario the least likely reason for hijacking somebody’s account.

The selling of hijacked accounts appears to be a more viable reason. There is bound to be demand from those who don’t have a driving license or those who were refused registration by the car sharing service’s security team. Indeed, offers of this nature already exist on the market.

Criminals offer hijacked accounts from a wide range of car sharing services…

…and explain why you are better off using somebody else’s account

In addition, someone who knows the details of a user’s car sharing account can track all their trips and steal things that are left behind in the car. And, of course, a car that is fraudulently rented in somebody else’s name can always be driven to some remote place and cannibalized for spare parts.

Application security

So, we know there is potential interest among criminal elements; now let’s see if the developers of car sharing apps have reacted to it. Have they thought about user security and protected their software from unauthorized access? We tested 13 mobile apps and (spoiler alert!) the results were not very encouraging.

We started by checking the apps’ ability to prevent launches on Android devices with root privileges, and assessed how well the apps’ code is obfuscated. This was done for two reasons:

  • the vast majority of Android applications can be decompiled, their code modified (e.g. so that user credentials are sent to a C&C), then re-assembled, signed with a new certificate and uploaded again to an app store;
  • an attacker on a rooted device can infiltrate the process of the necessary application and gain access to authentication data.

Another important security element is the ability to choose a username and password when using a service. Many services use a person’s phone number as their username. This is quite easy for cybercriminals to obtain as users often forget to hide it on social media, while car sharing users can be identified on social media by their hashtags and photos.

An example of how a social media post can give you away

We then looked at how the apps work with certificates and if cybercriminals have any chance of launching successful MITM attacks. We also checked how easy it is to overlay an application’s interface with a fake authorization window.

Reverse engineering and superuser privileges

Of all the applications we analyzed, only one was capable of countering reverse engineering. It was protected with the help of DexGuard, a solution whose developers also promise that protected software will not launch on a device where the owner has gained root privileges or that has been modified (patched).

File names in the installation package indicate the use of DexGuard

However, while that application is well protected against reverse engineering, there’s nothing to stop it from launching on an Android device with superuser privileges. When tested that way, the app launches successfully and goes through the server authorization process. An attacker could obtain the data located in protected storage. However, in this particular app the data was encrypted quite reliably.

Example of user’s encrypted credentials

Password strength

Half the applications we tested do not allow the user to create their own credentials; instead they force the user to use their phone number and a PIN code sent in a text message. On the one hand, this means the user can’t set a weak password like ‘1234’; on the other hand, it presents an opportunity for an attacker to obtain the password (by intercepting it using the SS7 vulnerability, or by getting the phone’s SIM card reissued). We decided to use our own accounts to see how easy it is to find out the ‘password’.

If an attacker finds a person’s phone number on social media and tries to use it to log in to the app, the owner will receive an SMS with a validation code:

As we can see, the validation code is just four digits long, which means it only takes 10,000 attempts to guess it – not such a large number. Ideally, such codes should be at least six digits long and contain upper and lower case characters as well as numbers.

Another car sharing service sends stronger passwords to users; however, there is a drawback to that as well. Its codes are created following a single template: they always have numbers in first and last place and four lower-case Latin characters in the middle:

That means there are 45 million possible combinations to search through; if the positioning of the numbers were not restricted, the number of combinations would rise to two billion. Of course, 45,000,000 is also large amount, but the app doesn’t have a timeout for entering the next combination, so there are no obstacles to prevent brute forcing.

Now, let’s return to the PIN codes of the first application. The app gives users a minute to enter the PIN; if that isn’t enough time, users have to request a new code. It turned out that the combination lifetime is a little over two minutes. We wrote a small brute force utility, reproduced part of the app/server communication protocol and started the brute force. We have to admit that we were unable to brute force the code, and there are two possible reasons for that. Firstly, our internet line may have been inadequate, or secondly, the car sharing operator set an appropriate two-minute timeout for the PIN code, so it couldn’t be brute forced within two minutes even with an excellent internet connection. We decided not to continue, confirming only that the service remained responsive and an attack could be continued after several attempts at sending 10,000 requests at a time.

While doing so, we deliberately started the brute force in a single thread from a single IP address, thereby giving the service a chance to detect and block the attack, contact the potential victim and, as a last resort, deactivate the account. But none of these things happened. We decided to leave it at that and moved on to testing the next application.

We tried all the above procedures on the second app, with the sole exception that we didn’t register a successful brute force of the password. We decided that if the server allows 1,000 combinations to be checked, it would probably also allow 45 million combinations to be checked, so it is just a matter of time.

The server continues to respond after 1,000 attempts to brute force the password

This is a long process with a predictable result. This application also stores the username and password locally in an encrypted format, but if the attacker knows their format, brute forcing will only take a couple of minutes – most of this time will be spent on generating the password/MD5 hash pair (the password is hashed with MD5 and written in a file on the device).

MITM attack

It’s worth noting that the applications use HTTPS to communicate data to and from their control centers, so it may take quite a while to figure out the communication protocol. To make our ‘attack’ faster, we resorted to an MITM attack, aided by another global security flaw: none of the tested applications checks the server’s certificate. We were able to obtain the dump of the entire session.

Screenshot of a successful MITM attack. HTTPS traffic dump was obtained

Protection from overlaying

Of course, it’s much faster and more effective (from the attacker’s point of view) if an Android device can be infected, i.e., the authorization SMS can be intercepted, so the attacker can instantly log in on another device. If there’s a complex password, then the attacker can hijack the app’s launch by showing a fake window with entry fields for login details that covers the genuine app’s interface. None of the applications we analyzed could counter this sort of activity. If the operating system version is old enough, privileges can be escalated and, in some cases, the required data can be extracted.


The situation is very similar to what we found surrounding Connected Car applications. It appears that app developers don’t fully understand the current threats to mobile platforms – that goes for both the design stage and when creating the infrastructure. A good first step would be to expand the functionality for notifying users of suspicious activities – only one service currently sends notifications to users about attempts to log in to their account from a different device. The majority of the applications we analyzed are poorly designed from a security standpoint and need to be improved. Moreover, many of the programs are not just very similar to each other but are actually based on the same code.

Russian car sharing operators could learn a thing or two from their colleagues in other countries. For example, a major player in the market of short-term car rental only allows clients to access a car with a special card – this may make the service less convenient, but dramatically improves security.

Advice for users
  • Don’t make your phone number publicly available (the same goes for your email address)
  • Use a separate bank card for online payments, including car sharing (a virtual card also works) and don’t put more money on it than you need.
  • If your car sharing service sends you an SMS with a PIN code for your account, contact the security service and disconnect your bank card from that account.
  • Do not use rooted devices.
  • Use a security solution that will protect you from cybercriminals who steal SMSs. This will make life harder not only for free riders but also for those interested in intercepting SMSs from your bank.
Recommendations to car sharing services
  • Use commercially available packers and obfuscators to complicate reverse engineering. Pay special attention to integrity control, so the app can’t be modified.
  • Use mechanisms to detect operations on rooted devices.
  • Allow the user to create their own credentials; ensure all passwords are strong.
  • Notify users about successful logons from other devices.
  • Switch to PUSH notifications: it’s still rare for malware to monitor the Notification bar in Android.
  • Protect your application interface from being overlaid by another app.
  • Add a server certificate check.

DDoS attacks in Q2 2018

Malware Alerts - Tue, 07/24/2018 - 05:00

News overview

Q2 2018 news includes: non-standard use of old vulnerabilities, new botnets, the cutthroat world of cryptocurrencies, a high-profile DDoS attack (or not) with a political subtext, the slashdot effect, some half-baked attempts at activism, and a handful arrests. But first things first.

Knowing what we know about the devastating consequences of DDoS attacks, we are not inclined to celebrate when our predictions come true. Alas, our forecast in the previous quarter’s report was confirmed: cybercriminals continue to seek out new non-standard amplification methods. Even before the panic over the recent wave of Memcached-based attacks had subsided, experts discovered an amplification method using another vulnerability—in the Universal Plug and Play protocol, known since 2001. It allows garbage traffic to be sent from several ports instead of just one, switching them randomly, which hinders the blocking process. Experts reported two attacks (April 11 and 26) in which this method was likely used; in the first instance, the DNS attack was amplified through UPnP, and in the second the same was applied to an NTP attack. In addition, the Kaspersky DDoS Protection team observed an attack that exploited a vulnerability in the CHARGEN protocol. A slightly weaker attack using the same protocol to amplify the flood (among other methods) targeted the provider ProtonMail, the reason for which was an unflattering comment made by the company’s executive director.

New botnets are causing more headaches for cybersecurity specialists. A noteworthy case is the creation of a botnet formed from 50,000 surveillance cameras in Japan. And a serious danger is posed by a new strain of the Hide-n-Seek malware, which was the first of all known bots to withstand, under certain circumstances, a reboot of the device on which it had set up shop. True, this botnet has not yet been used to carry out DDoS attacks, but experts do not rule out such functionality being added at a later stage, since the options for monetizing the botnet are not that many.

One of the most popular monetization methods remains attacking cryptocurrency sites and exchanges. What’s more, DDoS attacks are used not only to prevent competitors from increasing their investors, but as a way of making a big scoop. The incident with the cryptocurrency Verge is a case in point: in late May, a hacker attacked Verge mining pools, and made off with XVG 35 million ($1.7 million). In the space of two months, the currency was hacked twice, although the preceding attack was not a DDoS.

Not only that, June 5 saw cybercriminals bring down the Bitfinex cryptocurrency exchange, with the system crash followed by a wave of garbage traffic, pointing to a multistage attack that was likely intended to undermine credibility in the site. It was probably competitive rivalry that caused the renowned online poker site, Americas Cardroom, to suffer a DDoS attack that forced first the interruption and then cancellation of a tournament. That said, it was rumored that the attack could have been a political protest against the in-game availability of Donald Trump and Kim Jong Un avatars.

As always, the most media hype in the past quarter was generated by politically motivated DDoS attacks. In mid-April, British and US law enforcement bodies warned that a significant number of devices had been seized by Russian (supposedly Kremlin-sponsored) hackers in the US, the EU, and Australia with a view to carrying out future attacks. Then just a few days later, in late April, it was a Russian target that got hit: the site of the largest Russian political party, United Russia, was down for two whole days, yet there was precious little public speculation about the masterminds behind the DDoS campaign.

An attack on the Danish railway company DSB, which struggled to serve passengers for several days as a result, was also alleged to be politically motivated. Some see it as a continuation of the attack on Swedish infrastructure last fall.

At the end of the quarter, attention was focused on the Mexican elections and an attack on an opposition party website hosting materials about the illegal activities of a rival. According to the victim, the attack began during a pre-election debate when the party’s candidate showed viewers a poster with the website address. However, it was immediately rumored that DDoS was not the culprit, but the Slashdot effect, which Reddit users also call “the hug of death.” This phenomenon has been around since the dawn of the Internet, when bandwidth was a major issue. But it’s still encountered to this day when a small resource suffers a major influx of legitimate web traffic on the back of media hype.

The Slashdot effect was also observed by the Kaspersky DDoS Protection team in early summer. After a press conference by the Russian president, a major news outlet covering the event experienced a powerful wave of tens of thousands of HTTP GET requests all sent simultaneously. The size of the supposed botnet suggested a new round of attacks involving IoT devices, but further analysis by KDP experts showed that all suspicious queries in the User Agent HTTP header contained the substring “XiaoMi MiuiBrowser”. In fact, owners of Xiaomi phones with the browser app installed received a push notification about the outcome of the conference, and it seems that many took an interest and followed the link, causing a glut of requests.

Meanwhile, law enforcement agencies have been making every effort to prevent organized attacks: in late April, Europol managed to shut down, the world’s largest DDoS-for-hire service. When it was finally blocked, the portal had more than 136,000 users and had served as the source of more than 4 million DDoS attacks in recent years. After the fall of Webstresser, conflicting trends were reported: some companies observed a significant decline in DDoS activity in Europe (although they warned that the drop was going to be relatively short-lived); others, however, pointed to a rise in the number of attacks across all regions, which may have been the result of attackers seeking to compensate by creating new botnets and expanding old ones.

On top of that, several DDoS attack masterminds were caught and convicted. German hacker ZZboot was sentenced for attacking major German and British firms with ransom demands. However, he avoided jail time, receiving 22 months of probation. At the other end of the Eurasian continent, in Taipei, a hacker named Chung was arrested for allegedly attacking the Taiwan Bureau of Investigation, the Presidential Administration, Chungwa Telecom, and the Central Bank. In the other direction, across the pond, a self-proclaimed hacktivist was arrested in the US for obstructing the work of police in Ohio.

Another, less significant, but more curious arrest took place in the US: an amateur hacker from Arizona was arrested, fined, and jailed after an online acquaintance posted a tweet with his name. Despite his rudimentary skills, the cybercriminal, calling himself the “Bitcoin Baron,” had terrorized US towns for several years, crashing the websites of official institutions and demanding ransoms; in one incident, his actions seriously hindered emergency response services. He too tried to position himself as a cyberactivist, but his bad behavior ruined any reputation he might have had, especially his alleged (only by himself, it should be said) attempt to bring down the site of a children’s hospital by flooding it with child pornography.

Quarter trends

In H1 2018, the average and maximum attack power fell significantly compared to H2 2017. This can be explained by the seasonal slowdown that is usually observed at the start of the year. However, a comparison of H1 indicators for 2017 and 2018 shows a measurable rise in attack power since last year.

Change in DDoS attack power, 2017-2018

One way to increase the attack power is third-party amplification. As mentioned in the news overview, hackers continue to look for ways to amplify DDoS attacks through new (or well-forgotten old) vulnerabilities in widely popular software, not without success, unfortunately. This time, the KDP team detected and repelled an attack with a capacity in the tens of Gbit/s that exploited a vulnerability in the CHARGEN protocol—an old and very simple protocol described in RFC 864 way back in 1983.

CHARGEN was intended for testing and measurement purposes, and can listen on both the TCP and UDP sockets. In UDP mode, the CHARGEN server responds to any request with a packet with a string length from 0 to 512 random ASCII characters. Attackers use this mechanism to send requests to the vulnerable CHARGEN server, where the outgoing address is substituted by the address of the victim. US-CERT estimates the amplification factor at 358.8x, but this figure is somewhat arbitrary, since the responses are generated randomly.

Despite the protocol’s age and limited scope, many open CHARGEN servers can be found on the Internet. They are mainly printers and copying devices in which the network service is enabled by default in the software.

The use of CHARGEN in UDP attacks, as reported by KDP and other providers (Radware, Nexusguard), may indicate that attacks using more convenient protocols (for example, DNS or NTP) are becoming less effective, since there exist well-developed methods to combat this kind of UDP flooding. But the simplicity of such attacks makes cybercriminals unwilling to abandon them; instead they hope that modern security systems will not be able to resist antiquated methods. And although the search for non-standard holes will doubtless continue, CHARGEN-type amplification attacks are unlikely to take the world by storm, since vulnerable servers lack a source of replenishment (how often are old copiers connected to the Internet?).

If cybercriminals are going retro in terms of methods, when it comes to targets they are breaking new ground. DDoS attacks against home users are simple, but not profitable, whereas attacks on corporations are profitable, but complex. Now DDoS planners have found a way to get the best of both worlds—in the shape of the online games industry and streamers. Let’s take as an example the growing popularity of e-sports tournaments, in which the victors walk away with tens—sometimes hundreds—of thousands of dollars. The largest events are usually held at special venues with specially setup screens and stands for spectators, but the qualifying rounds to get there often involve playing from home. In this case, a well-planned DDoS attack against a team can easily knock it out of the tournament at an early stage. The tournament server might also be targeted, and the threat of disruption could persuade the competition organizers to pay the ransom. According to Kaspersky Lab client data, DDoS attacks on e-sports players and sites with the goal of denying access are becoming increasingly common.

Similarly, cybercriminals are trying to monetize the market of video game streaming channels. Streaming pros show live playthroughs of popular games, and viewers donate small sums to support them. Naturally, the larger the audience, the more money the streamer gets for each broadcast; top players can earn hundreds or thousands of dollars, which basically makes it their job. Competition in this segment is fierce and made worse by DDoS attacks with the capacity to interfere with livestreams, causing subscribers to look for alternatives.

Like e-sports players, home streamers have virtually no means of protection against DDoS attacks. They are essentially reliant on their Internet provider. The only solution at present could be to set up specialized platforms offering greater protection.


Kaspersky Lab has extensive experience of combating cyber threats, including DDoS attacks of all types and complexity. Company experts monitor the actions of botnets using the Kaspersky DDoS Intelligence system.

The DDoS Intelligence system is part of the Kaspersky DDoS Protection solution, and intercepts and analyzes commands sent to bots from C&C servers. What’s more, the system is proactive, not reactive—there’s no need to wait for a user device to get infected or a command to be executed.

This report contains DDoS Intelligence statistics for Q2 2018.

In the context of this report, it is assumed that an incident is a separate (single) DDoS-attack if the interval between botnet activity periods does not exceed 24 hours. For example, if the same web resource was attacked by the same botnet with an interval of 24 hours or more, then this incident is considered as two attacks. Bot requests originating from different botnets but directed at one resource also count as separate attacks.

The geographical locations of DDoS-attack victims and C&C servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.

DDoS Intelligence statistics are limited to botnets detected and analyzed by Kaspersky Lab. Note that botnets are just one of the tools for performing DDoS attacks, and that the data presented in this report do not cover every single DDoS attack that occurred during the period under review.

Quarter results
  • The stormiest period for DDoS attacks was the start of the quarter, particularly mid-April. By contrast, late May and early June were fairly quiet.
  • Top spot in terms of number of attacks was retained by China (59.03%), with Hong Kong (17.13%) in second. It also entered the Top 3 by number of unique targets with 12.88%, behind only China (52.36%) and the US (17.75%).
  • The attacks were quite evenly distributed across the days of the week. The most and least popular were Tuesday and Thursday, respectively, but the difference is slight.
  • The share of SYN attacks rose sharply to 80.2%; second place went to UDP attacks with 10.6%.
  • The share of attacks from Linux botnets increased significantly to 94.47% of all single-family attacks.
Geography of attacks

The latest quarter threw up a number of surprises. The leader by number of attacks is still China, with its share practically unchanged (59.03% against 59.42% in Q1). However, for the first time since monitoring began, Hong Kong broke into the Top 3, rising from fourth to second: its share increased almost fivefold, from 3.67% to 17.13%, squeezing out the US (12.46%) and South Korea (3.21%), whose shares declined by roughly 5 p.p. each.

Another surprise package in the territorial ranking was Malaysia, which shot up to fifth place, now accounting for 1.30% of all DDoS attacks. It was joined in the Top 10 by Australia (1.17%) and Vietnam (0.50%), while the big-hitters Japan, Germany, and Russia all dropped out. Britain (0.50%) and Canada (0.69%) moved into eighth and seventh, respectively.

The Top 10 in Q2 also had a greater share of the total number of attacks than in Q1: 96.44% compared with 95.44%.

Distribution of DDoS attacks by country, Q1 and Q2 2018

The territorial distribution of unique targets roughly corresponds to the distribution of the number of attacks: China has the largest share (52.36%), a rise of 5 p.p. against the previous quarter. Second place belongs to the US (17.5%) and third to Hong Kong (12.88%), up from fourth, replacing South Korea (4.76%) (note that in Hong Kong the most popular targets are now Microsoft Azure servers). Britain fell from fourth to eighth, now accounting for 0.8% of unique targets.

The Top 10 said goodbye to Japan and Germany, but welcomed Malaysia (2.27%) in fourth place and Australia (1.93%) just behind in fifth. This quarter’s Top 10 accounted for slightly more of the total number of unique attacks, reaching 95.09% against 94.17% in Q1.

Distribution of unique DDoS-attack targets by country, Q1 and Q2 2018

Dynamics of the number of DDoS attacks

Peak activity in Q2 2018 was observed in mid-April: a significant increase in the number of attacks was registered in the middle third of this month, with two large spikes occurring just days apart: April 11 (1163) and April 15 (1555). The quarter’s deepest troughs came in the second half and at the end: the calmest days were May 24 (13) and June 17 (16).

Dynamics of the number of DDoS attacks, Q2 2018

In Q2 2018, Sunday went from being the quietest day for cybercriminals to the second most active: it accounted for 14.99% of attacks, up from 10.77% in the previous quarter. But gold in terms of number of attacks went to Tuesday, which braved 17.49% of them. Thursday, meanwhile, went in the opposite direction: only 12.75% of attacks were logged on this day. Overall, as can be seen from the graph, in the period April-June the attack distribution over the days of the week was more even than at the beginning of the year.

Distribution of DDoS attacks by day of the week, Q1 and Q2 2018

Duration and types of DDoS attacks

The longest attack in Q2 lasted 258 hours (almost 11 days), slightly short of the previous quarter’s record of 297 hours (12.4 days). This time, the focus of persevering hackers was an IP address belonging to China Telecom.

Overall, the share of long-duration attacks fell by 0.02 p.p. to 0.12%. Whereas the share of attacks lasting from 100 to 139 hours remained the same, the share of attacks from 10 to 50 hours almost doubled (from 8.28% to 16.27%); meanwhile, the share of attacks lasting from five to nine hours increased nearly by half (from 10.73% to 14.01%). The share of short-duration attacks (up to four hours) fell sharply from 80.73% in January to 69.49% in March.

Distribution of DDoS attacks by duration (hours), Q1 and Q2 2018

All other types of attacks decreased in share; UDP attacks are in second place (10.6%), while TCP, HTTP, and ICMP constitute a relatively small proportion.

Distribution of DDoS attacks by type, Q2 2018

Correlation between Windows- and Linux-based botnet attacks, Q2 2018

Geographical distribution of botnets

The Top 10 regions by number of botnet C&C servers underwent some significant changes. Top spot went to the US with almost half of all C&C centers (44.75% against 29.32% in Q1). South Korea (11.05%) sank from first to second, losing nearly 20 p.p. China also dropped significantly (from 8.0% to 5.52%). Its place was taken by Italy, whose share climbed from 6.83% in the previous quarter to 8.84%. The Top 10 saw the departure of Hong Kong, but was joined—for the first time since our records began—by Vietnam, whose 3.31% was good enough for seventh place.

Distribution of botnet C&C servers by country, Q2 2018


In Q2 2018, cybercriminals continued the above-outlined trend of searching for exotic holes in UDP transport protocols. It surely won’t be long before we hear about other sophisticated methods of attack amplification.

Another technical discovery of note is the potential for creating botnets using the UPnP protocol; although evidence for them exists, they are still extremely rare in the wild, fortunately.

Windows botnet activity decreased: in particular, Yoyo activity experienced a multifold drop, and Nitol, Drive, and Skill also declined. Meanwhile, Xor for Linux significantly increased its number of attacks, while another infamous Linux botnet, Darkai, scaled back slightly. As a result, the most popular type of attack was SYN flooding.

The total attack duration changed little since the previous quarter, but the share of medium-duration attacks increased, while the share of shorter ones decreased. The intensity of attacks also continues to grow. The most lucrative targets for cybercriminals seem to be cryptocurrencies, but we can soon expect to see high-profile attacks against e-sports tournaments as well as relatively small ransoms targeting individual streamers and players. Accordingly, there will be market demand for affordable individual anti-DDoS protection.

Calisto Trojan for macOS

Malware Alerts - Fri, 07/20/2018 - 06:00

An interesting aspect of studying a particular piece of malware is tracing its evolution and observing how the creators gradually add new monetization or entrenchment techniques. Also of interest are developmental prototypes that have had limited distribution or not even occurred in the wild. We recently came across one such sample: a macOS backdoor that we named Calisto.

The malware was uploaded to VirusTotal way back in 2016, most likely the same year it was created. But for two whole years, until May 2018, Calisto remained off the radar of antivirus solutions, with the first detections on VT appearing only recently.

Malware for macOS is not that common, and this sample was found to contain some suspiciously familiar features. So we decided to unpick Calisto to see what it is and why its development was stopped (or was it?).


We have no reliable information about how the backdoor was distributed. The Calisto installation file is an unsigned DMG image under the guise of Intego’s security solution for Mac. Interestingly, Calisto’s authors chose the ninth version of the program as a cover which is still relevant.

For illustrative purposes, let’s compare the malware file with the version of Mac Internet Security X9 downloaded from the official site.

Backdoor Intego Mac Internet Security 2018 Unsigned Signed by Intego

It looks fairly convincing. The user is unlikely to notice the difference, especially if he has not used the app before.


As soon as it starts, the application presents us with a sham license agreement. The text differs slightly from the Intego’s one — perhaps the cybercriminals took it from an earlier version of the product.

Next, the “antivirus” asks for the user’s login and password, which is completely normal when installing a program able to make changes to the system on macOS.

But after receiving the credentials, the program hangs slightly before reporting that an error has occurred and advising the user to download a new installation package from the official site of the antivirus developer.

The technique is simple, but effective. The official version of the program will likely be installed with no problems, and the error will soon be forgotten. Meanwhile, in the background, Calisto will be calmly getting on with its mission.

Analysis of the Trojan With SIP enabled

Calisto’s activity on a computer with SIP (System Integrity Protection) enabled is rather limited. Announced by Apple back in 2015 alongside the release of OSX El Capitan, SIP is designed to protect critical system files from being modified — even by a user with root permissions. Calisto was developed in 2016 or earlier, and it seems that its creators simply didn’t take into account the then-new technology. However, many users still disable SIP for various reasons; we categorically advise against doing so.

Calisto’s activity can be investigated using its child processes log and decompiled code:

Log of commands executed by the Trojan during its operation

Hardcoded commands inside the Calisto sample

We can see that the Trojan uses a hidden directory named .calisto to store:

  • Keychain storage data
  • Data extracted from the user login/password window
  • Information about the network connection
  • Data from Google Chrome: history, bookmarks, cookies

Recall that Keychain stores passwords/tokens saved by the user, including ones saved in Safari. The encryption key for the storage is the user’s password.

Next, if SIP is enabled, an error occurs when the Trojan attempts to modify system files. This violates the operational logic of the Trojan, causing it to stop.

Error message

With SIP disabled/not available

Observing Calisto with SIP disabled is far more interesting. To begin with, Calisto executes the steps from the previous chapter, but as the Trojan is not interrupted by SIP, it then:

  • Copies itself to /System/Library/ folder
  • Sets itself to launch automatically on startup
  • Unmounts and uninstalls its DMG image
  • Adds itself to Accessibility
  • Harvests additional information about the system
  • Enables remote access to the system
  • Forwards the harvested data to a C&C server

Let’s take a closer look at the malware’s implementation mechanisms.

Adding itself to startup is a classic technique for macOS, and is done by creating a .plist file in the /Library/LaunchAgents/ folder with a link to the malware:

The DMG image is unmounted and uninstalled via the following command:

To extend its capabilities, Calisto adds itself to Accessibility by directly modifying the TCC.db file, which is bad practice and an indicator of malicious activity for the antivirus. On the other hand, this method does not require user interaction.

An important feature of Calisto is getting remote access to the user system. To provide this, it:

  • Enables remote login
  • Enables screen sharing
  • Configures remote login permissions for the user
  • Allows remote login to all
  • Enables a hidden “root” account in macOS and sets the password specified in the Trojan code

The commands used for this are:

Note that although the user “root” exists in macOS, it is disabled by default. Interestingly, after a reboot, Calisto again requests user data, but this time waits for the input of the actual root password, which it previously changed itself (root: aGNOStIC7890!!!). This is one indication of the Trojan’s rawness.

At the end, Calisto attempts to transfer all data from the .calisto folder to the cybercriminals’ server. But at the time of our research, the server was no longer responding to requests and seemed to be disabled:

Attempt to contact the C&C server

Extra functions

Static analysis of Calisto revealed unfinished and unused additional functionality:

  • Loading/unloading of kernel extensions for handling USB devices
  • Data theft from user directories
  • Self-destruction together with the OS

Loading/unloading of kernel extensions

Working with user directories

Self-destruction together with the entire system

Connections with Backdoor.OSX.Proton

Conceptually, the Calisto backdoor resembles a member of the Backdoor.OSX.Proton family:

  • The distribution method is similar: it masquerades as a well-known antivirus (a Backdoor.OSX.Proton was previously distributed under the guise of a Symantec antivirus product)
  • The Trojan sample contains the line “com.proton.calisto.plist”
  • Like Backdoor.OSX.Proton, this Trojan is able to steal a great amount of personal data from the user system, including the contents of Keychain

Recall that all known members of the Proton malware family were distributed and discovered in 2017. The Calisto Trojan we detected was created no later than 2016. Assuming that this Trojan was written by the same authors, it could well be one of the very first versions of Backdoor.OSX.Proton or even a prototype. The latter hypothesis is supported by the large number of unused and not fully implemented functions. However, they were missing from later versions of Proton.

To protect against Calisto, Proton, and their analogues:

  • Always update to the current version of the OS
  • Never disable SIP
  • Run only signed software downloaded from trusted sources, such as the App Store
  • Use antivirus software


DMG image: d7ac1b8113c94567be4a26d214964119
Mach-O executable: 2f38b201f6b368d587323a1bec516e5d

Online generators… of dashed expectations

Malware Alerts - Thu, 07/19/2018 - 06:00

Quite recently, we (and hence our security solutions) started to designate an entire class of sites — gift card generators — as fraudulent, despite their not stealing any money or personal data from visitors. Why? Let’s try to unpick these sites and see how they work.

How it works

Ads for all kinds of generators can be seen in spam emails and the banners of dubious advertiser networks. The quality of such sites can range from professional to shoddy, but the essence is always the same: the visitor is offered a freely generated gift card code for iTunes, Google Play, Amazon, Steam, and the like. A single site can offer cards of any value for almost every service out there.

As usual with phishing sites, there is no word about why the creators are so charitable, yet plenty of reviews from grateful customers who report that the “generated” code did the trick (if not the first, then the tenth or the hundredth).

A professionally designed generator site…

It should be noted that the code generation algorithms of major firms like Apple or Google are well shielded against attack. And according to cybersecurity experts, the only high-profile case of this kind — when the iTunes code generation algorithm was allegedly compromised by Chinese hackers back in 2009 — actually was more akin to a money laundering scheme. Gift cards supplied by smaller stores are less well protected, but also of little interest to scammers.

… and a simpler variant

To get a code, the user first selects a gift card on the site, whereupon the system begins the “code generation” (or “hacking”) process. To make everything more believable, as in hacker movies, there are plenty of on-screen messages about server connections and other seemingly important operations.

The user does not get to see the generated code in its entirety until confirmation is given that they are human, not a robot. This requires clicking a link and completing a task.

To get the code, users must prove that they are not a robot

Depending on their country of residence, the user might be asked to take a survey, play a lottery, provide details (phone number, postal address), subscribe to a paid SMS service, install adware (which redirects all user searches, harvests information about online activity, and resists deletion), or do something else. The nature of the task is determined by the partner network owning the site that the user is redirected to. The network, in turn, is selected based on the country of residence: each domain zone has partner networks catering to the laws and languages of various countries.

Download a paid ringtone, play a lottery, share personal data — basically, do something risky to prove you’re not a robot

The upshot is unpleasant, but predictable: the victim is either led around various partner sites until they tire of filling out forms and playing lotteries, or they are rewarded with a random set of symbols that has nothing to do with a real code and only mimics the format.

Note that owners of code generator sites try to avoid outright fraud or phishing. They are more than happy with the funds they get from “selling user actions” on partner sites: revenue can range from a few cents for a click on a link to tens of dollars for a filled-out form or a subscription to a paid service. Scrupulous advertisers (they do exist!) of the partner network assume that they are getting data from users genuinely interested in their particular product or service. But the unscrupulous ones don’t really care, as far as they can use this data for spam or similar purposes. This deception of users (and sometimes advertisers too) is the reason why we started to classify generator sites as fraudulent. But the topic of honest and dishonest partners is a discussion for another day.


There are legitimate sites and services that give users discounts and gift cards as part of a loyalty program (for example, in exchange for points earned or purchases made in partner stores). TokenFire and Swagbucks are examples of legitimate apps. Their gift card codes are purchased from the vendor openly and honestly, and issued to clients who have done enough to cover the company’s expenses and deliver a profit. In other words, to receive a gift, the user has to spend a sizable amount of money and/or time. By contrast, generator sites look far more appealing, since they require very little. But as our research shows, that is because they give even less in return — nothing in fact, besides dashed expectations.

The return of Fantomas, or how we deciphered Cryakl

Malware Alerts - Tue, 07/17/2018 - 06:00

In early February this year, Belgian police seized the C&C servers of the infamous Cryakl cryptor. Soon afterwards, they handed over the private keys to our experts, who used them to update the free RakhniDecryptor tool for recovering files encrypted by the malware. The ransomware, which for years had raged across Russia (and elsewhere through partners), was finally stopped.

For Kaspersky Lab, this victory was the culmination of more than three years of monitoring Cryakl and studying its various modifications — a major effort that eventually defeated the cybercriminals. This story clearly illustrates how cooperation can, in the end, get the better of any crooked scheme.

This spring marked the fourth anniversary of the malware’s first attacks. Against the backdrop of a general decline in ransomware activity (see our report), we decided to return to the topic of Cryakl and tell in detail about how one of the most eye-catching members of this endangered species evolved.

Propagation methods

We first encountered Cryakl (without knowing what it was exactly) in the spring of 2014. The malware had just begun to spread actively, mainly through spam mailings. Initially, attachments with the malware were found in emails allegedly from the Supreme Arbitration Court of the Russian Federation in connection with various offenses. But it wasn’t long before messages started arriving from other organizations too, in particular homeowner associations.

A typical malicious email contained an attachment of one of the following types:

  • Office document with a malicious macro
  • JS script loading a Trojan
  • PDF document with a link to an executable

It was around this time that the malware acquired its nickname: after encrypting files on the user’s hard drive, one of the Cryakl variants ( changed the desktop wallpaper to a picture of Fantomas, the villain from the 1964 French film of the same name.

Later, in 2016, we discovered an interesting modification of the ransomware with a rather cunning mode of distribution. Today, an attack using specialized third-party software would raise few eyebrows, but it was not par for the course in 2016, when Fantomas was distributed as a script for a popular Russian accounting program and a business process management tool. The approach was indeed sneaky: employees were sent a message with a request to “update the bank classifier,” whereupon they opened the attached executable file.

Neither was the attack vector surprising, since Cryakl mainly targeted users in Russia and most of the ransom demands were written in Russian. However, further research showed that the cybercriminals who distributed Fantomas did not limit themselves to the Russian market.

In 2016, we observed the growing complexity and variety of ransomware cryptors, including the emergence of ready-made solutions such as Ransomware-as-a-Service (RaaS) for those lacking skills, resources, or time to create their own. Such services were circulated through an expanding and increasingly influential underground ecosystem.

This was the business model chosen by Cryakl’s creators: “partners” were invited to purchase the build of the malware to attack users in other regions, allowing its authors to monetize the product for a second time.


In expanding its infrastructure, Cryakl also widened its attack geography. From the first infection until today, more than 50,000 people in Russia—plus thousands more in Japan, Italy, and Germany — suffered at the evil hands of Fantomas.

Geographic distribution of users attacked by Cryakl

Data on Cryakl activity over the years shows that the first signs of life appeared in 2014.

Number of unique users on whose computers Cryakl was detected, 2014-2018

At around the time when the RaaS distribution model was deployed, Fantomas was on the rampage, increasing its attacks more than sixfold.

Distinguishing features

Despite the number and variety of modifications, the use of “partners,” and its long history, the malware cannot be said to have undergone any significant changes — the differences between the various versions was slight. This makes it possible to identify the main features of Fantomas.

Cryakl is written in Delphi, but very amateurishly. This immediately jumped out when we took a look at one of the first versions. The file operations were extremely ineffective, and the encryption algorithm was elementary and not secure. We even thought we were dealing with a test build (especially since the internal version was designated The overall impression was that Cryakl’s authors were not the most experienced virus writers. Recall that it all started with mailings about military conscription.

The first detected version of the malware did not change the names of the encrypted files, but placed a text structure at the end of each file with the MD5 of the header, the MD5 of the file itself, its original size, offsets, and the sizes of a few encrypted snippets. It ended with the tag {CRYPTENDBLACKDC}, required to distinguish encrypted files from unencrypted ones.

Through continued observations over the following months, we regularly discovered ever newer versions of Cryakl:, 2.x.0.0, 3.x.0.0, …, Different versions increasingly modified the encryption algorithm as well as the file naming scheme (extensions started to appear of the type: id-{….08.2014 16@02@275587800} The text structure at the end of the file changed multiple times, and new encryption and decryption data as well as various service information were added to it.

After that, we found the Cryakl version CL (not to be confused with, which had notable changes from previous modifications: besides encrypting parts of the file with a “homebrew” symmetric algorithm, for unknown reasons the Trojan now encrypted other parts with the RSA algorithm. Another marked change was the sending of key data used in the encryption to the attackers’ C&C servers. The structure at the end of the encrypted file was framed with new tags ({ENCRYPTSTART}, {ENCRYPTENDED}), required to determine the encrypted files.

Image from one of the Cryakl CL modifications

In version CL, the Trojan stopped sending keys via the Internet. Instead, data required for decryption was now encrypted with RSA and placed in the structure at the end of the file.

Nothing changed fundamentally in the subsequent versions CL – CL, only the size of the RSA keys increased. This enhanced the overall level of encryption, but did not change the situation radically.

Image from one of the Cryakl CL modifications

Starting with version CL, the Trojan (again for unknown reasons) stopped encrypting file regions with RSA. The algorithm was used only to encrypt keys, while file contents were processed by the slightly modified “homebrew” symmetric algorithm.

Image from one of the Cryakl CL modifications

In all versions of the malware, the cybercriminals left various email addresses for communication purposes. These addresses are contained in the names of encrypted files (for example,….randomname-FFIMEFJCNGATTMVPFKEXCVPICLUDXG.JGZ.lfl) and in the image set by the Trojan as the desktop wallpaper. Victims received reply emails containing a ransom sum in Bitcoin and a cryptocurrency wallet address to make the payment.

On receiving the funds, the cybercriminals sent the victim a decryptor tool and a key file.

The terms of payment varied: for example, the above-mentioned set a deadline of 48 hours. Moreover, the cybercriminals did not immediately say how much they wanted in return for their “help,” specifying the cost of the decryptor only in their reply emails. It’s not ruled out that the sum depended on the number and quality of encrypted files. For example, in one case of infection, the cybercriminals demanded $1000. Before doing so, according to victims, they connected to the infected computer and deleted all backup copies on it.

Fantomas is slain

The problem with Cryakl was that its newest versions employed asymmetric RSA encryption. The malware body contained public keys used to encrypt user data. Without knowledge of the corresponding private keys, we could not develop a decryption tool. The keys seized and handed over by the Belgian police enabled us to decipher several versions of the ransomware.

Fragment of the private RSA keys

The keys made it possible to reengineer the RakhniDecryptor tool to decrypt files encrypted with the following versions of Cryakl:

Trojan version Cybercriminals’ email CL CL cryptolocker@aol.com_graf1
byaki_buki@aol.com_mod2 CL CL CL

Mobile Apps

SANS Tip of the Day - Tue, 07/17/2018 - 01:00
Only install mobile apps from trusted places, and always double-check the privacy settings to ensure you are not giving away too much information.


SANS Tip of the Day - Mon, 07/09/2018 - 01:00
When traveling, it is very easy to forget where you are when discussing business with colleagues. That airport, taxi, restaurant or hotel lobby may have individuals nearby eavesdropping on your conversation. When discussing confidential information, agree to hold off on the conversation until you can be assured of privacy. Also, be careful not to share sensitive information with strangers you meet.

Shopping Online

SANS Tip of the Day - Thu, 07/05/2018 - 01:00
When shopping online, always use your credit cards instead of a debit card. If any fraud happens, it is far easier to recover your money from a credit card transaction. Gift cards and one-time-use credit card numbers are even more secure.


SANS Tip of the Day - Wed, 07/04/2018 - 01:00
Every plugin or add-on you install in your browser can expose you to more danger. Only install the plugins you need and make sure they are always current. If you no longer need a plugin, disable or remove it from your browser via your browser's plugin preferences.


SANS Tip of the Day - Tue, 07/03/2018 - 01:00
Turn off Bluetooth if you are not using it on your computer or device. Not only does this make it more secure, but it also saves battery life.

Two-Step Verification

SANS Tip of the Day - Fri, 06/29/2018 - 01:00
Two-step verification is one of the best steps you can take to secure any account. Two-step verification is when you require both a password and code sent to or generated by your mobile device. Examples of services that support two-step verification include Gmail, Dropbox and Twitter.

CEO Fraud

SANS Tip of the Day - Mon, 06/25/2018 - 01:00
CEO Fraud is a type of targeted attack. It commonly involves a cyber criminally pretending to be your boss, then tricking or fooling you into sending the criminal highly sensitive information or initiating a wire transfer. Be highly suspicious of any emails demanding immediate action and/or asking you to bypass any security procedures.