Malware RSS Feed
Over the past decade, APT have intensely targeted organizations and individuals across India. Its developing base of technology, its geographical location and bounds, its inclusive and riotous political energy, and its growing economic weight makes it a special place of interest for badly intentioned cyber attackers. The list of APT groups targeting Indian organizations is unfortunately quite long. A few interesting mentions include Gh0stNet, Shadownet, an Enfal actor, Red October, NetTraveler, the LuckyCat actor, the Turla APT, a Mirage actor, and the Naikon crew. There are many more. And, in unique cases, we have seen unusual new techniques, some for infiltrating mobile devices by the Chuli attackers, the Sabpub attackers' focus on Apple's OS X devices, various effective watering holes, and the generally noisy, targeted activity we would expect from most of these actors.
More recently in March, we saw a pickup in offensive activity on Indian organizations invested in environmental, economic and government policy. This crew has been targeting organizations for a few years now with an unusual offensive WMI technique that continues to be effective. The components have been called WMIGhost or Shadow. These attackers, like others currently active, are generally re-using current headline geopolitical event spearphishing themes to establish a foothold in target organizations. For example, in a March 2014 attack, this actor used an upcoming meeting between national energy labs and the Departments of Energy as their spearphishing lure, filename mis-spellings and all, "India US strategic dialouge press release.doc" (000150415302D7898F56D89C610DE4A9).
From there, the dropper and component chain is the same they have used in the past. Successful exploitation drops "dw20.exe" (803e8f531989abd5c11b424d8890b407) --> "gupdate.exe" (481f8320b016d7f57997c8d9f200fe18) and "~tmpinst.js" (6a279a35141e9a7c73a8b25f23470d80). The script instantiates WMI objects for communications complete with their Comment Crew-like encoded wordpress site instructions that redirect the backdoor to the appropriate command and control server for further instruction.
Along with other groups, WMIGhost attackers are actively hitting Indian targets. In another recent WMIGhost campaign this year, a spoofed unclassified military document was sent simultaneously to several Indian targets with the consistent WMIGhost toolchain, "united states air force unmanned aircraft systems flight plan 2009-2047.doc".
We observe more of these current attacks occurring throughout the country on government and military agencies, NGOs, subcontractors and technology developers, with an expanding scope of targets.
Of these groups to date, NetTraveler was the most prolific, and in many ways the most successful at exfiltrating large volumes of information. The NetTraveler crew spent a disproportionate amount of effort and attention on extracting data from Indian organizations overall. NetTraveler is stealing GB of data from victims all over the globe, including the many victims in India. An example of their past spearphish decoys deployed to India is displayed here. The content encompasses Indian political issues, current at the time of delivery:
Meanwhile, other actors are currently working to exfiltrate more data out of India. Multiple levels of Indian organizations are frightfully pounded with spearphish and webserver attacks with no end in sight.
In June, high-profile news events such as the FIFA World Cup and the situation in Ukraine were exploited by fraudsters to extract money and financial information from Internet users.
In the run-up to the Muslim holiday of Ramadan and Father's Day, English-language holiday-related spam offered a variety of themed products and services. The leading spam themes in June were adverts for various online dating services as well as offer for fuel cards and jewelry.The World Cup
In June, football fans around the world finally saw the World Cup get underway. Popular sporting events like the World Cup attract the attention not only of millions of spectators but also spammers and phishers. This year, the first fraudulent mailings exploiting the World Cup theme were first registered back in November, long before it began. In June, the attackers sent out phishing emails in Portuguese offering the chance to win tickets to the opening ceremony and other World Cup matches. To do this, the user was required to click a link (which was of course fraudulent) and enter his registration data and credit card information. The fake link was directly attached to a graphic file that was displayed when the user opened the message. The phishing pages were located on the free .tk domain – the national top-level domain for the Tokelau Islands (New Zealand). To convince the user that the email was legitimate, the spammers used the domains of the Visa payment system and FIFA in the sender address.
English-language spam in June was dominated by Father's Day, celebrated on the third Sunday of the month. The spammers sent out adverts for e-gadgets, replicas of designer goods and weapons from various ages trying to attract the recipient's attention with discounts, sales and low prices. In order to bypass spam filters, spammers inserted junk text at the end of the message – a quote from a literary work. They also used a popular short link service to mask the real address and redirect users to a spammer site. The name of the holiday was mentioned in the subject and text field of the email.
More secular holidays are exploited in spam than religious ones, but spammers never forget to provide users with appropriate promotional offers. The name of the Muslim holy Ramadan appears in spam traffic every year. This year was no exception: in June, we came across adverts for restaurants that contained references to Ramadan (as well as an invitation to come and watch broadcasts of World Cup matches). We also registered offers of IT services and services for sending out promotional text messages. Ramadan will continue until the end of July, and we expect the spammers will continue spreading messages exploiting this holiday.
The political events in Ukraine were again used by "Nigerian" scams for luring money from credulous users. This time, the author of the email presented himself as a personal assistant to a Ukrainian female politician who was among the first victims of the clashes in Kiev. As is usual with these types of letter, the deceased has left her assistant millions of dollars that have to be urgently transferred from Ukraine to the account of a foreign recipient. The assistant is promised a reward and a certain amount of money to cover any fees that may arise when transferring the money.
The same "Nigerian" scam is used from year to year, only the details change. However, we would like to remind you that all "Nigerian" offers to make you rich quick are merely scams to lure money from users.Online dating
A significant part of June's spam was adverts for dating services targeting different social and ethnic groups, including Muslims, Christians as well as elderly and married people.
In June, we registered emails and mass mailings spread on behalf of people who wanted to get acquainted, via the Internet, "for serious relationships or marriage". The offers involved not only traditional but also same-sex relations. Some "senders" had attached their photo and provided their email address or a link to their page on a dating service site (which was often a veiled advertisement of such services and the emails were most probably sent on behalf of non-existent members as bait). The senders described their appearance and interests and said they wanted to start correspondence. It was often stated that the recipient's address had been provided by a mutual friend or found on a social networking site or on another dating site, which was not necessarily true.
Spammers also sent out emails promising a partner that met absolutely any criteria (age, skin color, interests and so on) within three minutes of using their "Soulmate database". To use the service, the recipient had to send a text message to a short number. In addition to the money taken from the user's mobile account the spammers got access to his contact information, in particular to his phone number.
For those more interested in meeting people in person the spammers offered lessons in seducing women ("24 laws of attracting women"), and other tips for successful relationships.
One of the mailings contained an advert for a dating spam service. The spammers offered their assistance in creating and promoting (of course, with the help of mass mailings) a new dating site which would include users from many countries. The message included an email address and an ICQ number for communication.
There were a lot of jewelry-themed offers in June. Most of them were promotional and bonus offers from small jewelry stores, jewelry manufacturers and firms engaged in the production and cutting of diamonds. They offered the spam recipients the chance to participate in their business and provided the price list for their products.
Yet another popular theme in English-language spam was fuel cards for automatic payments at gas stations. This payment method is quite convenient for transportation companies with lots of vehicles routes that find it difficult to control the fueling process. Spam "middlemen" offer the recipients the chance to compare prices, choose the most favorable fueling company and sign a contract for a special fuel card. A specific feature of this sort of spam mass mailing was the fact that the links in the emails led to sites registered on recently created domains. And the sites are intended for calculating quotes only.
The percentage of spam in email traffic averaged 64.8%, which is 5 percentage points less than in May. The highest spam levels were seen during the second week of the month (65.8%), and the lowest levels were seen in the third week (63.5%).The geographical distribution of spam sources
Previously our statistical data on the sources of spam by country was based on the information received from spam traps in different countries. However, the spam from the traps differs from the spam received by common users. For example, spam targeting specialized companies does not reach the traps. That is why we have changed the data source and now with KSN (Kaspersky Security Network) we draw statistical reports on spam based on the messages that the users of our products receive worldwide. Since the information for the statistical report in June was received from a different source, comparing the results with the statistics for the previous month would be incorrect.
At the end of June 2014, the top three sources of spam around the world included the US (13.2%), Russia (7%) and China (5.6%).
Vietnam was in fourth place (5.3%) followed by Argentina (4.1%), Germany (3.7%), Spain (3.6%), Ukraine (3.2%) and Italy (2.9%).
The Top 10 was rounded off by India, which accounted for 2.8% of the world spam.Malicious attachments in email
The graph below shows the Top 10 malicious programs spread by email in June.
As is now traditional, the list of malware spread by email is topped by Trojan-Spy.HTML.Fraud.gen. This threat appears as an HTML phishing website and sends email disguised as an important notification from banks, online stores, and other services.
Second in June was Trojan-Downloader.MSWord.Agent.z. This malicious program appears in the form of the *.doc file with the embedded macros written in Visual Basic for Applications (VBA) which is executed on opening the document. The macro itself downloads and runs the malicious program.
In June, representatives of the Bublik family occupied third, fourth, fifth and seventh places. Their main functionality is the unauthorized download and installation of new versions of malware onto victim computers.
Backdoor.Win32.Androm.elwa took sixth place. This malicious program is the modification of Andromeda – Gamarue, a universal modular bot which is a basis for building a botnet with a variety of features. The functionality of the bot is expanded using a system of plugins that are loaded by the criminals in the necessary amount at any time.
The Email-Worm.Win32.Bagle.gt worm, which ranked eighth in June, sends itself to all of the email addresses it can find on the computer. Its main objective is to download and launch files from the Internet without the victims noticing. To spread infected messages, Worm.Win32.Bagle.gt uses its own SMTP library.
Trojan-Banker.Win32.ChePro.ilc. ended the month in ninth position. This downloader appears in the form of a CPL applet (a component of the control panel) and, as is typical for this type of malware, it downloads Trojans developed to steal bank information and passwords. These banking Trojans mainly target online customers of Brazilian and Portuguese banks.
Rounding off the Top 10 was Email-Worm.Win32.Mydoom.l, a network worm with backdoor functionality that is spread as an email attachment via file sharing services and writable network resources. It harvests email addresses from infected computers so they can be used for further mass mailings. The worm also connects directly to the recipient's SMTP server.
In June, Germany saw a big surge in the number of antivirus detections and topped the rating (+8.17 percentage points) having pushed the UK off top spot.
Russian reentered the Top 20 at 13th place with 2.03% of all antivirus detections.
The UAE (+0.96 percentage points) bypassed Australia, Hong Kong and Vietnam in terms of antivirus detections, while Switzerland dropped out of the Top 20.
The percentage of email antivirus detections in other countries did not change much in June.Special features of malicious spam
The vacation season is gaining momentum: many people are still thinking over their holiday plans while those who have already decided where to go often self-book flight tickets and hotel accommodation. Besides the traditional seasonal increase of holiday spam, we have seen a growth in the number of fraudulent messages sent on behalf of various booking services, including international ones. These fake notifications appear in the form of a booking confirmation and usually contain malicious attachments imitating bills for a hotel reservation. Generally, the email includes the order number, the date of arrival/departure and the cost of the order. One of the most popular malicious programs used in the holiday spam in June was Trojan-Spy.Win32.Ursnif. This Trojan steals confidential data and sends it to a remote server. It can listen for network traffic, download and run other malicious programs, as well as disable some system applications such as the firewall.
In order to send malicious attachments, the fraudsters use not only fake notifications from major booking services, banks or online hypermarkets but also shops with more narrow specialization. For example, last month we came across a malicious mailing spread on behalf of an online pet store. The recipient was asked to download and print out the invoice for purchased goods. Should he have any questions, the email read, he could contact the support service of the pet store by clicking the link on its official website. Instead of the promised PDF file with the information about the purchase, the archive contained Trojan-Banker.Win32.Shiotob.c. This malware steals system information, user names and passwords from FTP and various sites when the user logins on to them.
Email search sites (32.1%) again topped the rating of organizations most frequently targeted by phishers in June, with a slight drop of 0.2 percentage points from the previous month. Second came Social networks (27.7%), having increased their contribution by 3.7 percentage points from May. Financial and payment organizations (11.6%) and Online stores (10.6%) declined by 1.2 and 1.5 percentage points respectively. The percentage of attacks targeting Telephone and Internet service providers fell by 0.1 percentage points leaving this category in fifth place in the rating.
The ranking is based on Kaspersky Lab's anti-phishing component detections that are triggered every time a user attempts to click on a phishing link, regardless of whether the link is in a spam email or on a web page.
In June, the scammers sent out fake notices on behalf of the US corporation Electronic Arts that produces and sells video games. The phishers tried to access users' personal accounts in the online store Origin owned by the company. To deceive their victims, the attackers used an old trick of sending out an email saying the online store was going to enhance protection for their customer accounts and asked the recipients to confirm they were the owner of the account. In order to make the email look legitimate the fraudsters used the Origin logo, links to the official website of the company and the usual warning not to give the password from a personal account to anybody.
The proportion of spam in global email traffic in June dropped 5 percentage points and averaged 64.8%. This may be a seasonal decline as summer business activity decreases and many spam bots are disabled for the vacation season.
In June, high-profile political and sporting events were used by scammers to trick users. In the run-up to the FIFA World Cup, a huge event for football fans, phishers were trying to obtain banking information from users by asking them to participate in the competition to win tickets. "Nigerian" scammers again exploited the situation in Ukraine and asked for help to transfer non-existent millions.
In June, Email search sites (32.1%) again topped the rating of organizations most frequently targeted by phishers. Second came Social networks (27.7%), having increased their contribution by 3.7 percentage points from May. This can be explained by the traditional growth in the activity of schoolchildren and students during the holidays, which is of course used by the fraudsters. Financial and payment organizations (11.6%) rounded off the Top 3 organizations most frequently targeted by phishers.
As is now traditional, the list of malware spread by email is topped by Trojan-Spy.HTML.Fraud.gen imitating notifications from banks and online stores. The holiday season has brought an increase in the number of fake notifications from various booking services containing malicious attachments. Germany (16.4%) was the country with the highest proportion of email antivirus detections.
Recently Kaspersky Lab has contributed to an alliance of law enforcement and industry organizations, to undertake measures against the internet domains and servers that form the core of an advanced cybercriminal infrastructure that uses the Shylock Trojan to attack online banking systems around the globe.
Shylock is a banking Trojan that was first discovered in 2011. It utilizes man-in-the-browser attacks designed to pilfer banking login credentials from the PCs of clients of a predetermined list of target organizations. Most of these organizations are banks, located in different countries.
Kaspersky Lab products detect the Shylock malware as Backdoor.Win32.Caphaw and Trojan-Spy.Win32.Shylock.
We detected this malware generically from the end of August 2011, as Backdoor.Win32.Bifrose.fly. Specific detection of this separate family was added in February 2012. Since then we have observed a very few detections – approximately 24,000 attempts to infect PCs protected by Kaspersky Lab products worldwide.
These are very modest numbers, especially in comparison with other infamous banking malware such as ZeuS, SpyEye, Carberp which have generated (and, in the case of some of them, such as ZeuS , still generate) tens or hundreds of thousands of detections. Of course, these numbers don't tell us everything about how widespread or effective Shylock is, because Kaspersky Lab "sees" only a part of the total number of PC users - only those who use our products.
Low popularity doesn't make Shylock less dangerous though. The set of malicious techniques it utilizes is no less dangerous than that used by other similar malware. It is able to inject its body in multiple running processes, has tools to avoid detection by anti-malware software, uses several plugins which add additional malicious functions aimed at bypassing anti-malware software, collects passwords for ftp-servers, spreads itself via messengers and servers, provides remote access to the infected machine, video grabbing and of course web injection.
This last function is used to steal online banking credentials by injecting fake data entry fields into the web page loaded in the victim's browser.
During the entire period we've seen two relatively big peaks in detection rate for this malware.
The first one was in November 2012 and the second one was in December 2013.
The geography of the November 2012 peak was as follows:United Kingdom Italy Poland Russian Federation Mexico Thailand Iran Turkey India Spain
The table above shows the top 10 countries wheremost attacks using the Shylock malware were registered. A little more than a year later, in December 2013, the picture had changed dramatically.Brazil Russian federation Vietnam Italy Ukraine India United Kingdom Belarus Turkey Taiwan
As these tables show, the criminals behind this malware definitely stopped paying so much attention to the developed e-money markets of the UK, Italy and Poland in favor of the actively developing markets of Brazil, Russia and Vietnam. It's slso interesting that both peaks happened in the late autumn to early winter period, a traditional high retail season in many countries around the world.
According to Europol data, this malware has infected more than 30,000 PCs worldwide. This is a big enough scale to cause huge financial damage, so the disruption of the Shylock backbone infrastructure is very good news.
And even better news is that the recent operation, coordinated by the UK's National Crime Agency (NCA), brought together partners from the law enforcement and the private sector, including – besides Kaspersky Lab – Europol, the FBI, BAE Systems Applied Intelligence, Dell SecureWorks and the UK's GCHQ (Government Communications Headquarters), to jointly combat the threat. We at Kaspersky Lab were glad to add our modest contribution to this operation. Global action brings positive results – an example being the operation targeting the Shylock malware.