Malware RSS Feed

Threat Predictions for Industrial Security in 2018

Malware Alerts - Wed, 11/15/2017 - 05:00

The landscape in 2017

2017 was one of the most intense in terms of incidents affecting the information security of industrial systems. Security researchers discovered and reported hundreds of new vulnerabilities, warned of new threat vectors in ICS and technological processes, provided data on accidental infections of industrial systems and detected targeted attacks (for example, Shamoon 2.0/StoneDrill). And, for the first time since Stuxnet, discovered a malicious toolset some call a ‘cyber-weapon’ targeting physical systems: CrashOverride/Industroyer.

However, the most significant threat to industrial systems in 2017 was encryption ransomware attacks. According to a Kaspersky Lab ICS CERT report, in the first half of the year experts discovered encryption ransomware belonging to 33 different families. Numerous attacks were blocked, in 63 countries across the world. The WannaCry and ExPetr destructive ransomware attacks appear to have changed forever the attitude of industrial enterprises to the problem of protecting essential production systems.

What can we expect in 2018?
  1. A rise in general and accidental malware infections. With few exceptions, cybercriminal groups have not yet discovered simple and reliable schemes for monetizing attacks on industrial information systems. Accidental infections and incidents in industrial networks caused by ‘normal’ (general) malicious code aimed at a more traditional cybercriminal target such as the corporate networks, will continue in 2018. At the same time, we are likely to see such situations result in more severe consequences for industrial environments. The problem of regularly updating software in industrial systems in line with the corporate network remains unresolved, despite repeated warnings from the security community.
  2. Increased risk of targeted ransomware attacks. The WannaCry and ExPetr attacks taught both security experts and cybercriminals that operational technology (OT) systems are more vulnerable to attack than IT systems, and are often exposed to access through the Internet. Moreover, the damage caused by malware can exceed that in the corresponding corporate network, and ‘firefighting’ in the case of OT is much more difficult. Industrial companies have demonstrated how inefficient their organization and staff can be when it comes to cyberattacks on their OT infrastructure. All of these factors make industrial systems a desirable target for ransomware attacks.
  3. More incidents of industrial cyberespionage. The growing threat of organized ransomware attacks against industrial companies could trigger development of another, related area of cybercrime: the theft of industrial information systems data to be used afterwards for the preparation and implementation of targeted (including ransomware) attacks.
  4. New underground market activity focused on attack services and hacking tools. In recent years, we have seen growing demand on the black market for zero day exploits targeting ICS. This tells us that criminals are working on targeted attack campaigns. We expect to see this interest increase in 2018, stimulating the growth of the black markets and the appearance of new segments focused on ICS configuration data and ICS credentials stolen from industrial companies and, possibly, botnets with ‘industrial’ nodes offerings. Design and implementation of advanced cyberattacks targeting physical objects and systems requires an expert knowledge of ICS and relevant industries. Demand is expected to drive growth in areas such as ‘malware-as-a-service’, ‘attack-vector-design-as-a-service’, ‘attack-campaign-as-a-service’ and more.
  5. New types of malware and malicious tools. We will probably see new malware being used to target industrial networks and assets, with features including stealth and the ability to remain inactive in the IT network to avoid detection, only activating in less secure OT infrastructure. Another possibility is the appearance of ransomware targeting lower-level ICS devices and physical assets (pumps, power switches, etc.).
  6. Criminals will take advantage of ICS threat analyses published by security vendors. Researchers have done a good job finding and making public various attack vectors on industrial assets and infrastructures and analyzing the malicious toolsets found. However, this could also provide criminals with new opportunities. For example, the CrashOverride/Industroyer toolset disclosure could inspire hacktivists to run denial-of-service attacks on power and energy utilities; or criminals may targeted ransomware and may even invent monetizing schemes for blackouts. The PLC (programmable logic controller) worm concept could inspire criminals to create real world malicious worms; while others could try to implement malware using one of standard languages for programming PLCs. Criminals also could recreate the concept of infecting the PLC itself. Both these types of malware could remain undetected by existing security solutions.
  7. Changes in national regulation. In 2018, a number of different cybersecurity regulations for industrial systems will need to be implemented. For example, those with critical infrastructures and industrial assets facilities will be compelled to do more security assessments. This will definitely increase protection and awareness. Thanks to that, we will probably see some new vulnerabilities found and threats disclosed.
  8. Growing availability of, and investment in industrial cyber insurance. Industrial cyber-risk insurance is becoming an integral part of risk management for industrial enterprises. Previously, the risk of a cybersecurity incident was excluded from insurance contracts – just like the risk of a terrorist attack. But the situation is changing, with new initiatives introduced by both cybersecurity and insurance companies. In 2018, this will increase the number of audits/assessments and incident responses undertaken, raising cybersecurity awareness among the industrial facility’s leaders and operators.

Mobile Apps

SANS Tip of the Day - Wed, 11/15/2017 - 00:00
Only install mobile apps from trusted places, and always double-check the privacy settings to ensure you are not giving away too much information.

APT Trends report Q3 2017

Malware Alerts - Tue, 11/14/2017 - 04:41

Introduction

Beginning in the second quarter of 2017, Kaspersky’s Global Research and Analysis Team (GReAT) began publishing summaries of the quarter’s private threat intelligence reports in an effort to make the public aware of what research we have been conducting.  This report serves as the next installment, focusing on important reports produced during Q3 of 2017.

As stated last quarter, these reports will serve as a representative snapshot of what has been offered in greater detail in our private reports in order to highlight significant events and findings we feel most should be aware of. For brevity’s sake, we are choosing not to publish indicators associated with the reports highlighted. However, if you would like to learn more about our intelligence reports or request more information for a specific report, readers are encouraged to contact: intelreports@kaspersky.com.

Chinese-Speaking Actors

The third quarter demonstrated to us that Chinese-speaking actors have not “disappeared” and are still very much active, conducting espionage against a wide range of countries and industry verticals.  In total, 10 of the 24 reports produced centered around activity attributed to multiple actors in this region.

The most interesting of these reports focused on two specific supply chain attacks; Netsarang / ShadowPad and CCleaner.  In July 2017, we discovered a previously unknown malware framework (ShadowPad) embedded inside the installation packages hosted on the Netsarang distribution site.   Netsarang is a popular server management software used throughout the world.  The ShadowPad framework contained a remotely activated backdoor which could be triggered by the threat actor through a specific value in a DNS TXT record.  Others in the research community have loosely attributed this attack to the threat actor Microsoft refers to as BARIUM.  Following up on this supply chain attack, another was reported initially by Cisco Talos in September involving CCleaner, a popular cleaner / optimization tool for PCs.  The actors responsible signed the malicious installation packages with a legitimate Piriform code signing certificate and pushed the malware between August and September.

Q3 also showed China is very interested in policies and negotiations involving Russia with other countries.  We reported on two separate campaigns demonstrating this interest.  To date, we have observed three separate incidents where Russia and another country hold talks and are targeted shortly thereafter, IndigoZebra being the first.  IronHusky was a campaign we first discovered in July targeting Russian and Mongolian government, aviation companies, and research institutes.  Earlier in April, both conducted talks related to modernizing the Mongolian air defenses with Russia’s help.  Shortly after these talks, the two countries were targeted with a Poison Ivy variant from a Chinese-speaking threat actor.  In June, India and Russia signed a much awaited agreement to expand a nuclear power plant in India, as well as further define the defense cooperation between the two countries.  Very soon after, both countries energy sector were targeted with a new piece of malware we refer to as “H2ODecomposition”.  In some case this malware was masquerading as a popular Indian antivirus solution (QuickHeal).  The name of the malware was derived from an initial RC5 string used in the encryption process (2H2O=2H2+O2) which describes a chemical reaction used in hydrogen fuel cells.

Other reports published in the third quarter under chinese-speaking actors were mainly updates to TTPs by known adversaries such as Spring Dragon, Ocean Lotus, Blue Termite, and Bald Knight.  The Spring Dragon report summarized the evolution of their malware to date.  Ocean Lotus was observed conducting watering hole attacks on the ASEAN website (as done previously) but with a new toolkit.  A new testing version of Emdivi was discovered in use by Blue Termite as well as their testing of CVE-2017-0199 for use.  Finally, Bald Knight (AKA – Tick) was seen using their popular XXMM malware family to target Japan and South Korea.

Below is a summary of report titles produced for the Chinese region.  As stated above, if you would like to learn more about our threat intelligence products or request more information on a specific report, please direct inquiries to intelreports@kaspersky.com.

  1. Analysis and evolution of Spring Dragon tools
  2. EnergyMobster – Campaign targeting Russian-Indian energy project
  3. IronHusky – Intelligence of Russian-Mongolian military negotiations
  4. The Bald Knight Rises
  5. Massive watering holes campaign targeting Asia-Pacific
  6. Massive Watering Holes Campaign Targeting AsiaPacific – The Toolset
  7. NetSarang software backdoored in supply chain attack – early warning
  8. ShadowPad – popular server management software hit in supply chain attack
  9. New BlueTermite samples and potential new wave of attacks
  10. CCleaner backdoored – more supply chain attacks
Russian-Speaking Actors

The third quarter was a bit slower with respect to Russian speaking threat actors.  We produced four total reports, two of which focused on ATM malware, one on financial targeting in Ukraine and Russia, and finally a sort of wrap-up of Sofacy activity over the summer.

The ATM related reports centered around Russian speaking actors using two previously unknown pieces of malware designed specifically for certain models.  “Cutlet Maker” and “ATMProxy” both ultimately allowed the users to dispense cash at will from a chosen cartridge within the ATMs.  ATMProxy was interesting since it would sit dormant on an ATM until a card with a specific hard coded number was inserted, at which point it would dispense more cash than what was requested.

Another report discussed a new technique utilizing highly targeted watering holes to target financial entities in Ukraine and Russia with Buhtrap.  Buhtrap has been around since at least 2014, but this new wave of attacks was leveraging search engine optimization (SEO) to float malicious watering hole sites to the top of search results, thus providing more of a chance for valid targets to visit the malicious sites.

Finally, we produced a summary report on Sofacy’s summertime activity.  Nothing here was groundbreaking, but rather showed the group remained active with their payloads of choice; SPLM, GAMEFISH, and XTUNNEL.  Targeting also remained the same, focusing on European defense entities, Turkey, and former republics.

Below is a list of report titles for reference:

  1. ATMProxy – A new way to rob ATMs
  2. Cutlet maker – Newly identified ATM malware families sold on Darknet
  3. Summertime Sofacy – July 2017
  4. Buhtrap – New wave of attacks on financial targets
English-Speaking Actors

The last quarter also had us reporting on yet another member of the Lamberts family.  Red Lambert was discovered during our previous analysis of Grey Lambert and utilized hard coded SSL certificates in its command and control communications.  What was most interesting about the Red Lambert is that we discovered a possible operational security (OPSEC) failure on the actor’s part, leading us to a specific company who may have been responsible, in whole or in part, for the development of this Lambert malware.

  1. The Red Lambert
Korean-Speaking Actors

We were also able to produce two reports on Korean speaking actors, specifically involving Scarcruft and Bluenoroff.  Scarcruft was seen targeting high profile, political entities in South Korea using both destructive malware as well as malware designed more for espionage.  Bluenoroff, the financially motivated arm of Lazarus, targeted a Costa Rican casino using Manuscrypt.  Interestingly enough, this casino was compromised by Bluenoroff six months prior as well, indicating they potentially lost access and were attempting to get back in.

Report titles focusing on Korean-speaking actors:

  1. Scent of ScarCruft
  2. Bluenoroff hit Casino with Manuscrypt
Other Activity

Finally, we also wrote seven other reports on “uncategorized” actors in the third quarter.  Without going into detail on each of these reports, we will focus on two.  The first being a report on the Shadowbrokers’ June 2017 malware dump.  An anonymous “customer” who paid to get access to the dump of files posted the hashes of the files for the month, mainly due to their displeasure in what was provided for the money.  We were only able to verify one of nine file hashes, which ended up being an already known version of Triple Fantasy.

The other report we’d like to highlight (“Pisco Gone Sour”) is one involving an unknown actor targeting Chilean critical institutions with Veil , Meterpreter, and Powershell Empire.  We are constantly searching for new adversaries in our daily routine and this appears to be just that.  The use of publicly available tools makes it difficult to attribute this activity to a specific group, but our current assessment based on targeting is that the actor may be based somewhere in South America.

  1. Dark Cyrene – politically motivated campaign in the Middle East
  2. Pisco Gone Sour – Cyber Espionage Campaign Targeting Chile
  3. Crystal Finance Millennium website used to launch a new wave of attacks in Ukraine
  4. New Machete activity – August 2017
  5. ATMii
  6. Shadowbroker June 2017 Pack
  7. The Silence – new trojan attacking financial organizations
Final Thoughts

Normally we would end this report with some predictions for the next quarter, but as it will be the end of the year soon, we will be doing a separate predictions report for 2018.  Instead, we would like to point out one alarming trend we’ve observed over the last two quarters which is an increase in supply chain attacks.  Since Q2, there have been at least five incidents where actors have targeted the supply chain to accomplish their goals instead of going directly after the end target; MeDoc, Netsarang, CCleaner, Crystal Finance, and Elmedia.  While these incidents were not the result of just one group, it does show how the attention of many of the actors out there may be shifting in a direction that could be much more dangerous.  Successfully compromising the supply chain provides easy access to a much wider target base than available through traditional means such as spear phishing.  As an added benefit, these attacks can remain undetected for months, if not longer.  It remains to be seen if this trend will continue into 2018, but given the successes from the five mentioned above, we feel we haven’t seen the last of this type of attack in the near future.

Never Give Your Password Over the Phone

SANS Tip of the Day - Mon, 11/13/2017 - 00:00
Never give your password to someone over the phone. If someone calls you and asks for your password while saying they are from the Help Desk or Tech Support team, it is an attacker attempting to gain access to your account.

IT threat evolution Q3 2017. Statistics

Malware Alerts - Fri, 11/10/2017 - 05:45

Q3 figures

According to KSN data, Kaspersky Lab solutions detected and repelled 277,646,376 malicious attacks from online resources located in 185 countries all over the world.

72,012,219 unique URLs were recognized as malicious by web antivirus components.

Attempted infections by malware that aims to steal money via online access to bank accounts were registered on 204,388 user computers.

Crypto ransomware attacks were blocked on 186283 computers of unique users.

Kaspersky Lab’s file antivirus detected a total of 198,228,428 unique malicious and potentially unwanted objects.

Kaspersky Lab mobile security products detected:

  • 1,598,196 malicious installation packages;
  • 19,748 mobile banking Trojans (installation packages);
  • 108,073 mobile ransomware Trojans (installation packages).
Mobile threats Q3 events The spread of the Asacub banker

In the third quarter, we continued to monitor the activity of the mobile banking Trojan Trojan-Banker.AndroidOS.Asacub that actively spread via SMS spam. Q3 saw cybercriminals carry out a major campaign to distribute the Trojan, resulting in a tripling of the number of users attacked. Asacub activity peaked in July, after which there was a decline in the number of attacks: in September we registered almost three times fewer attacked users than in July.

Number of unique users attacked by Trojan-Banker.AndroidOS.Asacub in Q2 and Q3 2017

New capabilities of mobile banking Trojans

Q3 2017 saw two significant events in the world of mobile banking Trojans.

Firstly, the family of mobile banking Trojans Svpeng has acquired the new modification Trojan-Banker.AndroidOS.Svpeng.ae capable of granting all the necessary rights to itself and stealing data from other applications. To do this, it just needs to persuade the user to allow the Trojan to utilize special functions designed for people with disabilities. As a result, the Trojan can intercept text that a user is entering, steal text messages and even prevent itself from being removed.

Interestingly, in August we discovered yet another modification of Svpeng that uses special features. Only, this time the Trojan was not banking related – instead of stealing data, it encrypts all the files on a device and demands a ransom in bitcoins.

Trojan-Banker.AndroidOS.Svpeng.ag. window containing ransom demand

Secondly, the FakeToken family of mobile banking Trojans has expanded the list of apps it attacks. If previously representatives of this family mostly overlaid banking and some Google apps (e.g. Google Play Store) with a phishing window, it is now also overlaying apps used to book taxis, air tickets and hotels. The aim of the Trojan is to harvest data from bank cards.

The growth of WAP billing subscriptions

In the third quarter of 2017, we continued to monitor the increased activity of Trojans designed to steal users’ money via subscriptions. To recap, these are Trojans capable of visiting sites that allow users to pay for services by deducting money from their mobile phone accounts. These Trojans can usually click buttons on such sites using special JS files, and thus make payments without the user’s knowledge.

Our Top 20 most popular Trojan programs in Q3 2017 included three malware samples that attack WAP subscriptions. They are Trojan-Dropper.AndroidOS.Agent.hb and Trojan.AndroidOS.Loapi.b in fourth and fifth, and Trojan-Clicker.AndroidOS.Ubsod.b in seventh place.

Mobile threat statistics

In the third quarter of 2017, Kaspersky Lab detected 1,598,196 malicious installation packages, which is 1.2 times more than in the previous quarter.

Number of detected malicious installation packages (Q4 2016 – Q3 2017)

Distribution of mobile malware by type

Distribution of new mobile malware by type (Q2 and Q3 2017)

RiskTool (53.44%) demonstrated the highest growth in Q3 2017, with its share increasing by 12.93 percentage points (p.p.). The majority of all installation packages discovered belonged to the RiskTool.AndroidOS.Skymobi family.

Trojan-Dropper malware (10.97%) came second in terms of growth rate: its contribution increased by 6.29 p.p. Most of the installation packages are detected as Trojan-Dropper.AndroidOS.Agent.hb.

The share of Trojan-Ransom programs, which was first in terms of the growth rate in the first quarter of 2017, continued to fall and accounted for 6.69% in Q3, which is 8.4 p.p. less than the previous quarter. The percentage of Trojan-SMS malware also fell considerably to 2.62% – almost 4 p.p. less than in Q2.

In Q3, Trojan-Clicker malware broke into this rating after its contribution increased from 0.29% to 1.41% in the space of three months.

TOP 20 mobile malware programs

Please note that this rating of malicious programs does not include potentially dangerous or unwanted programs such as RiskTool or adware.

Verdict % of attacked users* 1 DangerousObject.Multi.Generic 67.14 2 Trojan.AndroidOS.Boogr.gsh 7.52 3 Trojan.AndroidOS.Hiddad.ax 4.56 4 Trojan-Dropper.AndroidOS.Agent.hb 2.96 5 Trojan.AndroidOS.Loapi.b 2.91 6 Trojan-Dropper.AndroidOS.Hqwar.i 2.59 7 Trojan-Clicker.AndroidOS.Ubsod.b 2.20 8 Backdoor.AndroidOS.Ztorg.c 2.09 9 Trojan.AndroidOS.Agent.gp 2.05 10 Trojan.AndroidOS.Sivu.c 1.98 11 Trojan.AndroidOS.Hiddapp.u 1.87 12 Backdoor.AndroidOS.Ztorg.a 1.68 13 Trojan.AndroidOS.Agent.ou 1.63 14 Trojan.AndroidOS.Triada.dl 1.57 15 Trojan-Ransom.AndroidOS.Zebt.a 1.57 16 Trojan-Dropper.AndroidOS.Hqwar.gen 1.53 17 Trojan.AndroidOS.Hiddad.an 1.48 18 Trojan.AndroidOS.Hiddad.ci 1.47 19 Trojan-Banker.AndroidOS.Asacub.ar 1.41 20 Trojan.AndroidOS.Agent.eb 1.29

* Percentage of unique users attacked by the malware in question, relative to all users of Kaspersky Lab’s mobile security product that were attacked.

First place was occupied by DangerousObject.Multi.Generic (67.14%), the verdict used for malicious programs detected using cloud technologies. This is basically how the very latest malware is detected.

As in the previous quarter, Trojan.AndroidOS.Boogr.gsh (7.52%) came second. This verdict is issued for files recognized as malicious by our system based on machine learning.

Trojan.AndroidOS.Hiddad.an (4.56%) was third. The main purpose of this Trojan is to open and click advertising links received from the C&C. The Trojan requests administrator rights to prevent its removal.

Trojan-Dropper.AndroidOS.Agent.hb (2.96%) climbed from sixth in Q2 to fourth this quarter. This Trojan decrypts and runs another Trojan – a representative of the Loaipi family. One of them –Trojan.AndroidOS.Loapi.b – came fifth in this quarter’s Top 20. This is a complex modular Trojan whose main malicious component needs to be downloaded from the cybercriminals’ server. We can assume that Trojan.AndroidOS.Loapi.b is designed to steal money via paid subscriptions.

Trojan-Dropper.AndroidOS.Hqwar.i (3.59%), the verdict used for Trojans protected by a certain packer/obfuscator, fell from fourth to sixth. In most cases, this name indicates representatives of the FakeToken and Svpeng mobile banking families.

In seventh was Trojan-Clicker.AndroidOS.Ubsod.b, a small basic Trojan that receives links from a C&C and opens them. We wrote about this family in more detail in our review of Trojans that steal money using WAP subscriptions.

Trojan Backdoor.AndroidOS.Ztorg.c came eighth. This is one of the most active advertising Trojans that uses superuser rights. In the third quarter of 2017, our Top 20 included eight Trojans that try to obtain or use root rights and which make use of advertising as their main means of monetization. Their goal is to deliver ads to the user more aggressively, applying (among other methods) hidden installation of new advertising programs. At the same time, superuser privileges help them ‘hide’ in the system folder, making it very difficult to remove them. It’s worth noting that the quantity of this type of malware in the Top 20 has been decreasing (in Q1 2017, there were 14 of these Trojans in the rating, while in Q2 the number was 11).

Trojan.AndroidOS.Agent.gp (2.05%), which steals money from users making calls to premium numbers, rose from fifteenth to ninth. Due to its use of administrator rights, it resists attempts to remove it from an infected device.

Occupying fifteenth this quarter was Trojan-Ransom.AndroidOS.Zebt.a, the first ransom Trojan in this Top 20 rating in 2017. This is a fairly simple Trojan whose main goal is to block the device with its window and demand a ransom. Zebt.a tends to attack users in Europe and Mexico.

Trojan.AndroidOS.Hiddad.an (1.48%) fell to sixteenth after occupying second and third in the previous two quarters. This piece of malware imitates various popular games or programs. Interestingly, once run, it downloads and installs the application it imitated. In this case, the Trojan requests administrator rights to withstand removal. The main purpose of Trojan.AndroidOS.Hiddad.an is the aggressive display of adverts. Its main ‘audience’ is in Russia.

The geography of mobile threats

The geography of attempted mobile malware infections in Q3 2017 (percentage of all users attacked)

Top 10 countries attacked by mobile malware (ranked by percentage of users attacked):

Country* % of attacked users** 1 Iran 35.12 2 Bangladesh 28.30 3 China 27.38 4 Côte d’Ivoire 26.22 5 Algeria 24.78 6 Nigeria 23.76 7 Indonesia 22.29 8 India 21.91 9 Nepal 20.78 10 Kenya 20.43

* We eliminated countries from this rating where the number of users of Kaspersky Lab’s mobile security product is relatively low (under 10,000). 
** Percentage of unique users attacked in each country relative to all users of Kaspersky Lab’s mobile security product in the country.

For the third quarter in a row Iran was the country with the highest percentage of users attacked by mobile malware – 35.12%. Bangladesh came second, with 28.3% of users there encountering a mobile threat at least once during Q3. China (27.38%) followed in third.

Russia (8.68%) came 35th this quarter (vs 26th place in Q2), France (4.9%) was 59th, the US (3.8%) 67th, Italy (5.3%) 56th, Germany (2.9%) 79th, and the UK (3.4%) 72nd.

The safest countries were Georgia (2.2%), Denmark (1.9%), and Japan (0.8%).

Mobile banking Trojans

Over the reporting period we detected 19,748 installation packages for mobile banking Trojans, which is 1.4 times less than in Q2 2017.

Number of installation packages for mobile banking Trojans detected by Kaspersky Lab solutions (Q4 2016 – Q3 2017)

Banker.AndroidOS.Asacub.ar became the most popular mobile banking Trojan in Q3, replacing the long-term leader Trojan-Banker.AndroidOS.Svpeng.q. These mobile banking Trojans use phishing windows to steal credit card data and logins and passwords for online banking accounts. In addition, they steal money via SMS services, including mobile banking.

Geography of mobile banking threats in Q3 2017 (percentage of all users attacked)

Top 10 countries attacked by mobile banker Trojans (ranked by percentage of users attacked):

Country* % of attacked users** 1 Russia 1.20 2 Uzbekistan 0.40 3 Kazakhstan 0.36 4 Tajikistan 0.35 5 Turkey 0.34 6 Moldova 0.31 7 Ukraine 0.29 8 Kyrgyzstan 0.27 9 Belarus 0.26 10 Latvia 0.23

* We eliminated countries from this rating where the number of users of Kaspersky Lab’s mobile security product is relatively low (under 10,000).
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all users of Kaspersky Lab’s mobile security product in the country.

In Q3 2017, the Top 10 countries attacked by mobile banker Trojans saw little change: Russia (1.2%) topped the ranking again. In second and third places were Uzbekistan (0.4%) and Kazakhstan (0.36%), which came fifth and tenth respectively in the previous quarter. In these countries the Faketoken.z, Tiny.b and Svpeng.y families were the most widespread threats.

Of particular interest is the fact that Australia, a long-term resident at the top end of this rating, didn’t make it into our Top 10 this quarter. This was due to a decrease in activity by the Trojan-Banker.AndroidOS.Acecard and Trojan-Banker.AndroidOS.Marcher mobile banking families.

Mobile ransomware

In Q3 2017, we detected 108,073 mobile Trojan-Ransomware installation packages, which is almost half as much as in the previous quarter.

Number of mobile Trojan-Ransomware installation packages detected by Kaspersky Lab (Q3 2016 – Q3 2017)

In our report for Q2, we wrote that in the first half of 2017, we had discovered more mobile ransomware installation packages than in any other period. The reason was the Trojan-Ransom.AndroidOS.Congur family. However, in the third quarter of this year we observed a decline in this family’s activity.

Trojan-Ransom.AndroidOS.Zebt.a became the most popular mobile Trojan-Ransomware in Q3, accounting for more than a third of users attacked by mobile ransomware. Second came Trojan-Ransom.AndroidOS.Svpeng.ab. Meanwhile, Trojan-Ransom.AndroidOS.Fusob.h, which topped the rating for several quarters in a row, was only third in Q3 2017.

Geography of mobile Trojan-Ransomware in Q3 2017 (percentage of all users attacked)

Top 10 countries attacked by mobile Trojan-Ransomware (ranked by percentage of users attacked):

1 US 1.03% 2 Mexico 0.91% 3 Belgium 0.85% 4 Kazakhstan 0.79% 5 Romania 0.70% 6 Italy 0.50% 7 China 0.49% 8 Poland 0.49% 9 Austria 0.45% 10 Spain 0.33%

* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000.
** Percentage of unique users in each country attacked by mobile Trojan-Ransomware, relative to all users of Kaspersky Lab’s mobile security product in the country.

The US (1.03%) again topped the rating of countries attacked most by mobile Trojan-Ransomware; the most widespread family in the country was Trojan-Ransom.AndroidOS.Svpeng. These Trojans appeared in 2014 as a modification of the Trojan-Banker.AndroidOS.Svpeng mobile banking family. They demand a ransom of about $500 from victims to unblock their devices.

In Mexico (0.91%), which came second in Q3 2017, most mobile ransomware attacks involved Trojan-Ransom.AndroidOS.Zebt.a. Belgium (0.85%) came third, with Zebt.a the main threat to users there too.

Vulnerable apps exploited by cybercriminals

Q3 2017 saw continued growth in the number of attacks launched against users involving malicious Microsoft Office documents. We noted the emergence of a large number of combined documents containing an exploit as well as a phishing message – in case the embedded exploit fails.

Although two new Microsoft Office vulnerabilities, CVE-2017-8570 and CVE-2017-8759, have emerged, cybercriminals have continued to exploit CVE-2017-0199, a logical vulnerability in processing HTA objects that was discovered in March 2017. Kaspersky Lab statistics show that attacks against 65% users in Q3 exploited CVE-2017-0199, and less than 1% exploited CVE-2017-8570 or CVE-2017-8759. The overall share of exploits for Microsoft Office was 27.8%.

There were no large network attacks (such as WannaCry or ExPetr) launched in Q3 using vulnerabilities patched by the MS17-010 update. However, according to KSN data, there was major growth throughout the quarter in the number of attempted exploitations of these vulnerabilities that were blocked by our Intrusion Detection System component. Unsurprisingly, the most popular exploits have been EternalBlue and its modifications, which use an SMB protocol vulnerability; however, KL statistics show that EternalRomance, EternalChampion and an exploit for the CVE-2017-7269 vulnerability in IIS web servers have also been actively used by cybercriminals. EternalBlue, however, accounts for millions of blocked attempted attacks per month, while the numbers for other exploits are much lower.

Distribution of exploits used in attacks by type of application attacked, Q3 2017

The distribution of exploits by the type of attacked application this quarter was practically the same as in Q2. First place is still occupied by exploits targeting browsers and browser components with a share of 35.0% (a decline of 4 p.p. compared to Q2.) The proportion of exploits targeting Android vulnerabilities (22.7%) was almost identical to that in Q2, placing this type of attacked application once again in third behind Office vulnerabilities.

Online threats (Web-based attacks)

These statistics are based on detection verdicts returned by the web antivirus module that protects users at the moment when malicious objects are downloaded from a malicious/infected web page. Malicious sites are specifically created by cybercriminals; infected web resources include those whose content is created by users (e.g. forums), as well as legitimate resources.

Online threats in the banking sector

These statistics are based on detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data. Beginning from the first quarter of 2017 these statistics include malicious programs for ATMs and POS terminals, but do not include mobile threats.

In Q3 2017, Kaspersky Lab solutions blocked attempts to launch one or more malicious programs capable of stealing money via online banking on 204,388 computers.

Number of users attacked by financial malware, Q3 2017

Geography of attacks

To evaluate and compare the risk of being infected by banking Trojans and ATM and POS-malware worldwide, we calculate the percentage of Kaspersky Lab product users in the country who encountered this type of threat during the reporting period, relative to all users of our products in that country.

Geography of banking malware attacks in Q3 2017 (percentage of all users attacked)

TOP 10 countries attacked by mobile banker Trojans (ranked by percentage of users attacked)

Country* % of users attacked** 1 Togo 2.30 2 China 1.91 3 Taiwan 1.65 4 Indonesia 1.58 5 South Korea 1.56 6 Germany 1.53 7 United Arab Emirates 1.52 8 Lebanon 1.48 9 Libya 1.43 10 Jordan 1.33

These statistics are based on detection verdicts returned by the antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
* We excluded those countries in which the number of Kaspersky Lab product users is relatively small (under 10,000).
** Unique users whose computers have been targeted by banking Trojan malware attacks as a percentage of all unique users of Kaspersky Lab products in the country.

TOP 10 banking malware families

The table below shows the Top 10 malware families used in Q3 2017 to attack online banking users (in terms of percentage of users attacked):

Name* % of attacked users** 1 Trojan-Spy.Win32.Zbot 27.9 2 Trojan.Win32.Nymaim 20.4 3 Trojan.Win32.Neurevt 10.0 4 Trickster 9.5 5 SpyEye 7.5 6 Caphaw 6.3 7 Trojan-Banker.Win32.Gozi 2.0 8 Shiz 1.8 9 ZAccess 1.6 10 NeutrinoPOS 1.6

* The detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by the malware in question as a percentage of all users attacked by financial malware.

The malware families Dridex and Tinba lost their places in this quarter’s Top 10. One of their former positions was occupied by the Trickster bot (accounting for 9.5% of attacked users), also known as TrickBot, a descendant of the now defunct Dyre banker. There was a small change in the leading three malicious families. First and second places are still occupied by Trojan-Spy.Win32.Zbot (27.9%) and Trojan.Win32.Nymaim (20.4%) respectively, while third place is now occupied by Trojan.Win32.Neurevt (10%) whose share grew by nearly 4 p.p.

Cryptoware programs Q3 highlights Crysis rises from the dead

In our Q2 report we wrote that the cybercriminals behind the Crysis ransomware cryptor halted distribution of the malware and published the secret keys needed to decrypt files. This took place in May 2017, and all propagation of the ransomware was stopped completely at that time.

However, nearly three months later, in mid-August, we discovered that this Trojan had come back from the dead and had set out on a new campaign of active propagation. The email addresses used by the blackmailers were different from those used in earlier samples of Crysis. A detailed analysis revealed that the new samples of the Trojan were completely identical to the old ones apart from just one thing – the public master keys were new. Everything else was the same, including the compilation timestamp in the PE header and, more interestingly, the labels that the Trojan leaves in the service area at the end of each encrypted file. Closer scrutiny of the samples suggests that the new distributors of the malware didn’t have the source code, so they just took its old body and used a HEX editor to change the key and the contact email.

The above suggests that this piece of ‘zombie’ malware is being spread by a different group of malicious actors rather than its original developer who disclosed all the private keys in May.

Surge in Cryrar attacks

The Cryrar cryptor (aka ACCDFISA) is a veteran among the ransomware Trojans that are currently being spread. It emerged way back in 2012 and has been active ever since. The cryptor is written in PureBasic and uses a legitimate executable RAR archiver file to place the victim’s files in password-encrypted RAR-sfx archives.

In the first week of September 2017 we recorded a dramatic rise in the number of attempted infections with Cryrar – a surge never seen before or since. The malicious actors used the following approach: they crack the password to RDP by brute force, get authentication on the victim’s system using the remote access protocol and manually launch the Trojan’s installation file. The latter, in turn, installs the cryptor’s body and the components it requires (including the renamed RAR.EXE file), and then automatically launches the cryptor.

According to KSN data, this wave of attacks primarily targeted Vietnam, China, the Philippines and Brazil.

Master key to original versions of Petya/Mischa/GoldenEye published

In July 2017, the authors of the Petya Trojan published their master key, which can be used to decrypt the Salsa keys required to decrypt MFT and unblock access to systems affected by Petya/Mischa or GoldenEye.

This happened shortly after the ExPetr epidemic which used part of the GoldenEye code. This suggests that the authors of Petya/Mischa/GoldenEye did so in an attempt to distance themselves from the ExPetr attack and the outcry that it caused.

Unfortunately, this master key won’t help those affected by ExPetr, as its creators didn’t include the option of restoring a Salsa key to decrypt MFT.

The number of new modifications

In Q3 2017, we identified five new ransomware families in this classification. It’s worth noting here that this number doesn’t include all the Trojans that weren’t assigned their own ‘personal’ verdict. Each quarter, dozens of these malicious programs emerge, though they either have so few distinctive characteristics or occur so rarely that they and the hundreds of others like them remain nameless, and are detected with generic verdicts.

Number of newly created cryptor modifications, Q3 2016 – Q3 2017

The number of new cryptor modifications continues to decline compared to previous quarters. This could be a temporary trend, or could indicate that cybercriminals are gradually losing their interest in cryptors as a means of making money, and are switching over to other types of malware.

The number of users attacked by ransomware

July was the month with the lowest ransomware activity. From July to September, the number of ransomware attacks rose, though it remained lower than May and June when two massive epidemics (WannaCry and ExPetr) struck.

Number of unique users attacked by Trojan-Ransom cryptor malware (Q3 2017)

The geography of attacks

Top 10 countries attacked by cryptors Country* % of users attacked by cryptors** 1 Myanmar 0.95% 2 Vietnam 0.92% 3 Indonesia 0.69% 4 Germany 0.62% 5 China 0.58% 6 Russia 0.51% 7 Philippines 0.50% 8 Venezuela 0.50% 9 Cambodia 0.50% 10 Austria 0.49%

* We excluded those countries where the number of Kaspersky Lab product users is relatively small (under 50,000)
** Unique users whose computers have been targeted by ransomware as a percentage of all unique users of Kaspersky Lab products in the country.

Most of the countries in this Top 10 are from Asia, including Myanmar (0.95%), a newcomer to the Top 10 that swept into first place in Q3. Vietnam (0.92%) came second, moving up two places from Q2, while China (0.58%) rose one place to fifth.

Brazil, Italy and Japan were the leaders in Q2, but in Q3 they failed to make it into the Top 10. Europe is represented by Germany (0.62%) and Austria (0.49%).

Russia, in tenth the previous quarter, ended Q3 in sixth place.

Top 10 most widespread cryptor families Name Verdict* % of attacked users** 1 WannaCry Trojan-Ransom.Win32.Wanna 16.78% 2 Crypton Trojan-Ransom.Win32.Cryptoff 14.41% 3 Purgen/GlobeImposter Trojan-Ransom.Win32.Purgen 6.90% 4 Locky Trojan-Ransom.Win32.Locky 6.78% 5 Cerber Trojan-Ransom.Win32.Zerber 4.30% 6 Cryrar/ACCDFISA Trojan-Ransom.Win32.Cryrar 3.99% 7 Shade Trojan-Ransom.Win32.Shade 2.69% 8 Spora Trojan-Ransom.Win32.Spora 1.87% 9 (generic verdict) Trojan-Ransom.Win32.Gen 1.77% 10 (generic verdict) Trojan-Ransom.Win32.CryFile 1.27%

* These statistics are based on detection verdicts received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by a specific Trojan-Ransom family as a percentage of all users of Kaspersky Lab products attacked by Trojan-Ransom malware.

Wannacry (16.78%) tops the rating for Q3, and the odds are that it’s set to remain there: the worm has been propagating uncontrollably, and there are still huge numbers of computers across the globe with the unpatched vulnerability that Wannacry exploits.

Crypton (14.41%) came second. This cryptor emerged in spring 2016 and has undergone many modifications since. It has also been given multiple names: CryptON, JuicyLemon, PizzaCrypts, Nemesis, x3m, Cry9, Cry128, Cry36.

The cryptor Purgen (6.90%) rounds off the top three after rising from ninth. The rest of the rating is populated by ‘old timers’ – the Trojans Locky, Cerber, Cryrar, Shade, and Spora.

The Jaff cryptor appeared in the spring of 2017, going straight into fourth place in the Q2 rating, and then stopped spreading just as suddenly.

Top 10 countries where online resources are seeded with malware

The following statistics are based on the physical location of the online resources used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks. In order to determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In the third quarter of 2017, Kaspersky Lab solutions blocked 277,646,376 attacks launched from web resources located in 185 countries around the world. 72,012,219 unique URLs were recognized as malicious by web antivirus components.

Distribution of web attack sources by country, Q3 2017

In Q3 2017, the US (3.86%) was home to most sources of web attacks. The Netherlands (25.22%) remained in second place, while Germany moved up from fifth to third. Finland and Singapore dropped out of the top five and were replaced by Ireland (1.36%) and Ukraine (1.36%).

Countries where users faced the greatest risk of online infection

In order to assess the risk of online infection faced by users in different countries, we calculated the percentage of Kaspersky Lab users in each country who encountered detection verdicts on their machines during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers work in different countries.

This rating only includes attacks by malicious programs that fall under the Malware class. The rating does not include web antivirus module detections of potentially dangerous or unwanted programs such as RiskTool or adware.

Country* % of users attacked** 1 Belarus 27.35 2 Algeria 24.23 3 Russia 23.91 4 Armenia 23.74 5 Moldova 23.61 6 Greece 21.48 7 Azerbaijan 21.14 8 Kyrgyzstan 20.83 9 Uzbekistan 20.24 10 Albania 20.10 11 Ukraine 19.82 12 Kazakhstan 19.55 13 France 18.94 14 Venezuela 18.68 15 Brazil 18.01 16 Portugal 17.93 17 Vietnam 17.81 18 Tajikistan 17.63 19 Georgia 17.50 20 India 17.43

These statistics are based on detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
* These calculations excluded countries where the number of Kaspersky Lab users is relatively small (under 10,000 users).
** Unique users whose computers have been targeted by Malware-class attacks as a percentage of all unique users of Kaspersky Lab products in the country.

On average, 16.61% of computers connected to the Internet globally were subjected to at least one Malware-class web attack during the quarter.

Geography of malicious web attacks in Q3 2017 (ranked by percentage of users attacked)

The countries with the safest online surfing environments included Iran (9.06%), Singapore (8.94%), Puerto Rico (6.67%), Niger (5.14%) and Cuba (4.44%).

Local threats

Local infection statistics for user computers are a very important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.).

Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.

In Q3 2017, Kaspersky Lab’s file antivirus detected 198,228,428 unique malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky Lab product users on whose computers the file antivirus was triggered during the quarter. These statistics reflect the level of personal computer infection in different countries.

The rating of malicious programs only includes Malware-class attacks. The rating does not include web antivirus module detections of potentially dangerous or unwanted programs such as RiskTool or adware.

Country* % of users attacked** 1 Yemen 56.89 2 Vietnam 54.32 3 Afghanistan 53.25 4 Uzbekistan 53.02 5 Laos 52.72 6 Tajikistan 49.72 7 Ethiopia 48.90 8 Syria 47.71 9 Myanmar 46.82 10 Cambodia 46.69 11 Iraq 45.79 12 Turkmenistan 45.47 13 Libya 45.00 14 Bangladesh 44.54 15 China 44.40 16 Sudan 44.27 17 Mongolia 44.18 18 Mozambique 43.84 19 Rwanda 43.22 20      Belarus 42.53

These statistics are based on detection verdicts returned by on-access and on-demand antivirus modules, received from users of Kaspersky Lab products who have consented to provide their statistical data. The data include detections of malicious programs located on users’ computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives.
* These calculations exclude countries where the number of Kaspersky Lab users is relatively small (under 10,000 users).
** The percentage of unique users in the country with computers that blocked Malware-class local threats as a percentage of all unique users of Kaspersky Lab products.

This Top 20 of countries has not changed much since Q2, with the exception of China (44.40%), Syria (47.71%) and Libya (45.00%) all making an appearance. The proportion of users attacked in Russia amounted to 29.09%.

On average, 23.39% of computers globally faced at least one Malware-class local threat during the third quarter.

Geography of local malware attacks in Q3 2017 (ranked by percentage of users attacked)

The safest countries in terms of local infection risks included Estonia (15.86%), Singapore (11.97%), New Zealand (9.24%), Czechia (7.89%), Ireland (6.86%) and Japan (5.79%).

All the statistics used in this report were obtained using Kaspersky Security Network (KSN), a distributed antivirus network that works with various anti-malware protection components. The data was collected from KSN users who agreed to provide it. Millions of Kaspersky Lab product users from 213 countries and territories worldwide participate in this global exchange of information about malicious activity.

IT threat evolution Q3 2017

Malware Alerts - Fri, 11/10/2017 - 05:09

Targeted attacks and malware campaigns [Re-]enter the dragon

In July, we reported on the recent activities of a targeted attack group called ‘Spring Dragon’ (also known as LotusBlossom), whose activities data back to 2012. Spring Dragon makes extensive use of spear-phishing and watering-hole attacks. The group’s targets include high-profile government agencies, political parties, educational institutions and telecommunication around the South China Sea – including Taiwan, Indonesia, Vietnam, the Philippines, Hong Kong, Malaysia and Thailand.

Most of the malicious tools implemented by Spring Dragon over the years are backdoors designed to steal data, execute additional malware components and run system commands on victim’s computers. These give the attackers the ability to undertake a variety of different malicious activities on their victims’ computers. The group maintains a large C2 infrastructure, comprising more than 200 unique IP addresses and C2 domains.

The large number of samples that we have collected have customized configuration data, different sets of C2 addresses with new hardcoded campaign IDs, as well as customized configuration data for creating a service for malware on a victim’s system – all of which makes detection more difficult.

We think it is likely that Spring Dragon, like many other targeted attack campaigns, is likely to re-surface in this region, so it is important for organisations to make effective use of good detection mechanisms such as YARA rules and IDS signatures.

You can read our report on Spring Dragon here.

Stepping-stones

One of the most striking aspects of the ExPetr attacks earlier this year was its primary attack vector: the attackers specifically targeted a company supplying accounting software to Ukrainian companies. Most of the victims of this wiper were located in Ukraine. However, it recently became clear that the attack has had a significant impact on some companies that operate worldwide. Among them are Maersk, the world’s largest container ship and supply vessel company. The company indicated in its earnings report that it expected losses of between $200 and $300 as a result of ‘significant business interruption’ caused by the ExPetr attack. Another was FedEx, which revealed that the operations of its TNT Express unit in Europe were ‘significantly affected’ by the attack, costing the company around $300 in lost earnings.

In recent months, we have seen further cases of attackers compromising software supply chain providers and using this as a stepping-stone into their chosen targets.

In July, we discovered suspicious DNS requests on the network of a customer working in the financial services industry: we found the requests on systems used to process transactions. The source of the DNS queries was a package for popular server management software developed by NetSarang. Customers of NetSarang, which has headquarters in South Korea and the United States, include companies working in financial services, energy, retail, technology and media. The attackers had modified one of the updates to include a backdoor.

NetSarang quickly removed the compromised update, but not before it had been activated at least once (we were able to confirm an activation on a computer in Hong Kong).

The attackers hide their malicious intent in several layers of encrypted code. The tiered architecture means that the business logic of the backdoor is not activated until a special packet has been received from the first tier C2 (Command and Control) server. Until then, it transfers basic information every eight hours: this includes computer, domain and user names. The payload is only activated through a crafted ‘dns.txt’ record for a specific domain. This allows the attackers to glean system information and send a decryption key to unlock the next stage of the attack, activating the backdoor itself.

This backdoor, called ShadowPad, is a modular platform that lets the attackers download and execute arbitrary code, create processes and maintain a virtual file system in the registry, all of which are encrypted and stored in locations unique to each victim.

You can read more about ShadowPad here.

Another supply-chain attack occurred in September, when attackers compromised an update to the Windows clean-up utility CCleaner, published by Avast. Researchers at Cisco Systems Talos Group discovered that attackers had modified the installer for CCleaner 5.3 to drop their malware on the computers of anyone who downloaded the utility. The malware, which was signed with a valid certificate, was active for a month and infected around 700,000 computers. The attackers used a two-stage infection process. The first delivered a profile of the victim to the attackers C2 servers, while the second was reserved for specific targets. You can find details of the analysis here.

It is sometimes tempting for companies to imagine that no one would want to target them – perhaps because they are not a large company, or because they do not believe that they have anything of significance to an attacker. However, even quite apart from their intellectual property, or personal information belonging to customers, they can be valuable as a stepping-stone into another organisation.

The bear facts

In August, we provided an update on an interesting APT that we call ‘WhiteBear’, related to the Turla group. Like Turla, WhiteBear uses compromised web sites and hijacked satellite connections for its C2 infrastructure. The project also overlaps with other Turla campaigns such as ‘Skipper Turla’ (or ‘WhiteAtlas’) and ‘Kopiluwak’ (both of which we detailed for subscribers to Kaspersky APT intelligence reports). In addition, we have found WhiteBear components on a subset of systems that were previously targeted by WhiteAtlas, with the same file-paths and identical filenames. Nevertheless, we have been unable to firmly tie the delivery of WhiteBear to any specific WhiteAtlas components, and we believe that WhiteBear is the product of a separate development effort and has a distinct focus.

For much of 2016, WhiteBear activity was narrowly focused on embassies and consulates around the world – all related to diplomatic and foreign affairs organisations. This shifted in mid-2017 to include defence-related organizations.

Although we’re not sure of the delivery vector for WhiteBear components, we strongly suspect that the group sends spear-phishing e-mails to its targets containing malicious PDF files.

The encryption implemented in the main module, the WhiteBear orchestrator, is particularly interesting. The attackers encrypt/decrypt, and pack/decompress the resource section with RSA+3DES+BZIP2. This implementation is unique and includes the format of the private key as stored in the resource section. 3DES is also present in Sofacy and Duqu 2.0 components, but they are missing in this Microsoft-centric RSA encryption technique. The private key format used in this schema and the RSA crypto combination with 3DES is (currently) unique to this group.

Most WhiteBear samples are signed with a valid code-signing certificate issued for ‘Solid Loop Ltd’, a once-registered British organization. This is probably a front organization or a defunct organization; and the attackers have assumed its identity to abuse the name and trust, in order to create deceptive digital certificates.

You can find full technical details of WhiteBear here.

(Un)documented Word feature abused by hackers

If a targeted attack is to be successful, the attackers must first gather intelligence on their prospective victims. In particular, they need details about the operating system and key applications, so that they can deliver the appropriate exploit.

During an investigation of a targeted attack, we found some spear-phishing e-mails with interesting Word documents attached to them. At first sight, they seemed unremarkable: they contained no macros, exploits or other active content.

However, on closer inspection, we found that they contained several links to PHP scripts located on third-party web resources. When we attempted to open these files in Microsoft Word, we found that the application addressed one of the links and, as a result, provided the attackers with information about software installed on the target computer. The documents were in OLE 2 (Object Linking and Embedding) format. OLE allows authors to embed objects and link to multiple objects or resources in a single Word document. For example, an author can created a field in a document that points to a graphic file, rather than simply embedding the graphic file.

We found a field in the document called ‘INCLUDEPICTURE’. The link to the image in this field should be in ASCII, but in this case, it was in Unicode. Microsoft documentation provides virtually no information about this field. However, the attackers manipulated the Unicode framework to trigger a GET request to malicious and obfuscated URLs contained in the underlying code of the Word document. These links then point to PHP scripts located on third-party web sites, enabling the attackers to gather information about the software installed on the computer.

This feature is not only present in Word for Windows, but also in Microsoft Office for iOS and in Microsoft Office for Android.

You can read further details about our investigation here.

Information security incidents and how to respond to them

Our growing dependence on technology, connectivity and data means that businesses present a bigger attack surface than ever. Targeted attackers have become more adept at exploiting their victims’ vulnerabilities to penetrate corporate defences while ‘flying under the radar’. Unfortunately, corporate information security services are often unprepared. Their employees underestimate the speed, secrecy and efficiency of modern cyber-attacks and businesses often fail to recognize how ineffective the old approaches to security are. Even where companies supplement traditional prevention tools such as anti-malware products, IDS/IPS and security scanners with detection solutions such as SIEM and anti-APT, they may not be used to their full potential.

You can’t manage what you can’t measure. One of the key factors in responding effectively to a targeted attack is to understand the nature of the incident.

In August, our incident response team used the example of a bank attack to present the key stages of a targeted attack (known as the kill chain) and the steps required for an effective incident response process. You can read the report here, but the following is a summary of the key elements.

The basic principles of a successful targeted attack include thorough preparation and a step-by-step strategy. The stages of the kill chain are:

  1. RECONNAISSANCE (learning about the target)
  2. WEOPANISATION (choosing the method of attack)
  3. DELIVERY (deciding on the attack vector)
  4. EXPLOITATION (exploiting a vulnerability to gain an initial foothold)
  5. INSTALLATION (installing the malware)
  6. COMMAND-AND-CONTROL (connecting to the attackers’ server for further instructions)
  7. ACTIONS ON OBJECTIVE (achieving the attackers’ goals)

The basic principles behind the work of information security staff are the same as the attackers – careful preparation and a step-by-step strategy. The objectives, of course, are fundamentally different: to prevent incidents and, if one occurs, to restore the initial state of the system as soon as possible.

There are two main stages involved in responding to a specific incident: investigation and system restoration. The investigation must determine

  • The initial attack vector
  • The malware, exploits and other tools use by the attackers
  • The target of the attack (affected networks, systems and data)
  • The extent of the damage (including reputational damage) to the organisation
  • The stage of the attack (whether or not it was completed and the attackers’ goals were achieved)
  • Timeframes (when the attack started and ended, when it was detected and the response time of the information security service)

Once the investigation has been completed, it is necessary to use the information learned to create a system recovery plan or, if one exists, to assess how it can be improved.

The overall strategy includes the following steps.

  1. PREPARATION (develop the tools, policies and processes needed to defend the organisation)
  2. IDENTIFICATION (decide if an incident has occurred by identifying pre-defined triggers)
  3. CONTAINMENT (limit the scope of the incident and maintain business continuity)
  4. ERADICATION (restore the system to its pre-incident state)
  5. RECOVERY (re-connect the affected systems to the wider network)
  6. LESSONS LEARNED (how well did the information security team deal with the incident and what changes need to be made to the strategy)

In the event of the information security team having to respond to multiple incidents simultaneously, it’s important to correctly set priorities and focus on the main threats. The key factors involved in determining the severity of an incident include:

  • The network segment where the compromised computer is located
  • The value of the data stored on that computer
  • The type and number of incidents that affect the same computer
  • The reliability of the IoCs (Indicators of Compromise) for this incident

The choice of computer, server or network segment to deal with first will depend on the specific nature of the organisation.

Malware stories The hidden advertising threat

As well as banking Trojans, ransomware and other threats that can clearly be defined as malware, people also face numerous borderline programs – including advertising bots and modules, and partnership programs – which are typically referred to as ‘potentially unwanted programs’. They are borderline because there is sometimes a fine line between classifying something as an outright Trojan or adware. One such program is Magala, a Trojan-Clicker.

Such programs imitate a user click on a particular web page, thus boosting advertisement click counts. Magala doesn’t actually affect the person whose computer it is installed on, other than consuming some of their computer’s resources. The victims are those who pay for the advertising – typically small business owners doing business with unscrupulous advertisers.

The first stage of the infection involves the Trojan checking which version of Internet Explorer is installed and locating it in the system. The Trojan doesn’t run if it’s version 8 or earlier. Otherwise, it initialises a virtual desktop, used to perform all subsequent activities. Then it runs a sequence of utility operations (typical for this type of malware): it sets up autorun, sends a report to a hardcoded URL, and installs the required adware. To interact with the content of an open page, Magala uses IHTMLDocument2, the standard Windows interface that makes it easy to use DOM tree. The Trojan uses it to load the MapsGalaxy Toolbar, installs this on the system and adds the site ‘hxxp://hp.myway.com’ to the system registry, associating it with MapsGalaxy so that it becomes the browser’s home page.

The Trojan then contacts the remote server and requests a list of search queries for the click counts that it needs to boost. The server returns this list in plain text. Magala uses the list to send the requested search queries and clicks on each of the first 10 links in the search results, with an interval of 10 seconds between each click.

The average cost per click in a campaign of this sort is $0.07. So a botnet consisting of 1,000 infected computers clicking 10 web site addresses from each search result, performing 500 search requests with no overlaps in the search results, could earn the cybercriminals up to $350 from each infected computer. However, this is just an estimate as the costs can vary greatly in each situation.

Statistics from March to early June 2017 indicate that most Magala infections occur in the United States and Germany.

This class of program typically doesn’t present as much of a threat to consumers as, for example, banking Trojans or ransomware. However, two things make it tricky to deal with. First, such programs straddle the borderline between legitimate and malicious software and it’s vital to determine whether a specific program is part of a secure and legal advertising campaign or if it’s illegitimate software making use of similar functions. Second, the sheer quantity of such programs means that we need to use a fundamentally different approach to analysis.

You can read more about Magala here.

It started with a link

Cybercriminals are constantly on the lookout for ways of luring unsuspecting victims into doing things that compromise their security and capture personal data. In August, David Jacoby from Kaspersky Lab and Frans Rosen from Detectify teamed up to expose one such campaign that used Facebook Messenger to infect people.

It started with a link to a YouTube video. The cybercriminals behind the scam used social engineering to trick their victims into clicking on it: the message contained the recipient’s first name, plus the word ‘Video’ – for example ‘David Video’ – and then a bit.ly link.

This link pointed to Google Drive, where the victim would see what looks like a playable movie, with a picture of them in the background and what seems to be a ‘Play’ button.

If the victim tried to play the video in the Chrome browser, they were redirected to what looked like a YouTube video and were prompted to install a Chrome extension –in fact, this was the malware. The malware waited for the victim to sign in to their Facebook account and stole their login credentials. It also captured information about their Facebook contacts and sent malicious links to their friends – so spreading the infection further.

Anyone using a different extension was nagged into updating their Adobe Flash Player instead – but the file they downloaded was adware, earning money for the cybercriminals through advertising.

This attack relied heavily on realistic social interactions, dynamic user content and legitimate domains as middle steps. The core infection point of the spreading mechanism was the installation of a Chrome Extension. It’s really important to be careful about allowing extensions to control your browser interactions and also to make sure that you know exactly what extensions you are running in your browser. In Chrome, you can type ‘chrome://extensions/’ into the address field of your browser to get a list of enabled extensions. On top of this, of course, be wary about clicking on links. If you’re in any doubt about whether it’s legitimate or not, contact the sender to check if it was really them who sent it.

Undermining your security

We have seen a substantial growth in crypto-currency miners this year. In 2013, our products blocked attempts to install miners on the computers of 205,000 people protected by Kaspersky Lab products. In 2014, this increased to 701,000. In the first eight months of 2017, this increased to 1.65 million.

Crypto-currency mining is not illegal. However, there are groups of people who trick unwitting people into installing mining software on their computers, or exploit software vulnerabilities to do so. The criminals obtain crypto-currency, while the computers of their victims slow down. We have recently detected several large botnets designed to profit from concealed crypto mining. We have also seen growing numbers of attempts to install miners on servers owned by organizations. When these attempts are successful, the business processes of the target organisations suffer because data processing speeds fall substantially.

The main method used to install miners is adware installers spread using social engineering. There are also more sophisticated propagation methods – one is using the EternalBlue exploit published in April 2017 by the Shadow Brokers group. In this case, the cybercriminals tend to target servers – these provide them with a more powerful asset.

We recently detected a network made up of an estimated 5,000 plus computers on which Minergate, a legal console miner, had been installed without the knowledge or consent of the victims. The victims had downloaded the installer from a file-hosting service, under the guise of a freeware program or keys to activate licensed products. This installer downloader the miner’s dropper file to their computer. This installed the Minergate software to the computer, ensuring that it is loaded each time the computer boots and re-installing it if it is deleted.

Often, crypto-miners come with extra services to maintain their presence in the system, launch automatically every time the computer boots and conceal their operation. Such services could, for example try to turn off security software, monitor system activities or ensure that the mining software is always present by restoring it if the files are deleted.

Concealed miners are very difficult to detect because of their specific nature and operating principles. Anyone can choose to install this kind of software and legally use it to mine a crypto-currency.

Monero (XMR) and Zcash are the two currencies most often used in concealed mining. They both ensure the anonymity of transactions – this is clearly very useful for cybercriminals. Even according to conservative estimates, a mining network can generate up to $30,000 per month for its owners.

The above image shows a wallet coded into the miner’s configuration data. At the time of writing, 2,289 XMR had been transferred from this wallet, which at the current exchange rate is equivalent to $208,299.

You can read more here.

Connected hospitals

Technology now reaches into more parts of society than ever before. As a result, organisations that previously didn’t need to think about cyber-security now face cyber-attacks. One example of this is the healthcare industry. Medical information that has traditionally existed in paper form is now to be found in databases, portals and medical equipment.

Data security in medicine is more serious than it seems at first glance. The obvious issue might be the theft and resale of medical data on the black market. However, the possibility of diagnostic data being modified by attackers is even more alarming. Regardless of the goals of the attackers (extortion or attacks targeted at specific patients), there’s a serious risk to patients: after receiving incorrect data, doctors may prescribe the wrong course of treatment. Even if the attempt to substitute data is detected in time, the normal operation of the medical facility may be disrupted, prompting the need to verify all of the information stored on compromised equipment. According to a report by the Centre for Disease Control and Prevention (CDC), the third leading cause of death in the United States comes from medical errors. Establishing a correct diagnosis depends not only on the knowledge and skill of a doctor, but on the correctness of data received from medical devices and stored on medical servers. This makes the resources for connected medicine a more attractive target for attackers. Unfortunately, in some cases, the security of the network infrastructure of healthcare facilities is neglected, and resources that process medical information are accessible from outside sources.

This term ‘connected medicine’ refers to a large number of workstations, servers, and dedicated medical equipment that are connected to the network of a medical institution (a simplified model is shown in the figure below).

Diagnostic devices can be connected to the LAN of an organization or to workstations- for example, through a USB connection. Medical equipment quite often processes data (for example, a patient’s photographs) in DICOM format, an industry standard for images and documents. In order to store them and provide access to them from outside, PACS (Picture Archiving and Communication Systems) are used, which can also be of interest to cybercriminals.

We have put together some recommendations for securing medical facilities. You can find the details here, but the following is a summary of the key points:

  1. Prevent public access to all nodes that process medical data
  2. Assign counter-intuitive names to resources
  3. Periodically update installed software and remove unwanted applications
  4. Don’t connect expensive equipment to the main LAN
  5. Ensure timely detection of malicious activity on the LAN

Using legitimate tools to hide malicious code

Malware Alerts - Wed, 11/08/2017 - 05:00

The authors of malware use various techniques to circumvent defensive mechanisms and conceal harmful activity. One of them is the practice of hiding malicious code in the context of a trusted process. Typically, malware that uses concealment techniques injects its code into a system process, e.g. explorer.exe. But some samples employ other interesting methods. We’re going to discuss one such type of malware.

Our eye was caught by various samples for .NET that use the trusted application InstallUtil.exe from the Microsoft .NET Framework (information from Microsoft’s website: “The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies. This tool works in conjunction with classes in the System.Configuration.Install namespace”).

The technique was described by information security researcher Casey Smith aka subTee (Proof of Concept). Briefly, the console utility InstallUtil.exe runs a malicious .NET assembly, bypassing the entry point of the assembly; all malicious activity is then hidden in the context of the trusted process.

The spreading of malicious samples follows a standard pattern: they basically reach the user in a password-protected archive, and the executable file icons in most cases are chosen specially so that the victim perceives the file as a normal document or photo. We also encountered executable files masquerading as a key generator for common software. To begin with, the malicious content of the generator got inside the %TEMP% folder, where it was run later in the described manner.

Users are misled by executable file icons

Analysis

All the malicious files we encountered were heavily obfuscated, which complicated their manual analysis. We took the sample 263dc85de7ec717e8940b1ccdd6ee119 and deobfuscated its strings, classes, methods, and fields. Here’s how the file looked before deobfuscation:

Sample before deobfuscation

InstallUtil.exe allows file execution to start not from the .NET assembly entry point: execution begins from a class inherited from System.Configuration.Install.Installer. To facilitate manual analysis, this class was renamed InstallUtilEntryClass in the sample under investigation. The code in static class constructors is known to execute first when the assembly is loaded into memory, a feature utilized by the authors of this piece of malware.

Let’s examine the behavior of the malicious file in the order of methods execution. First up is FirstMainClass, since its constructor is marked with the keyword “static” and assembly execution begins with it:

The static constructor of FirstMainClass that is triggered when the assembly is loaded

The constructor does the following:

  • CheckSandboxieEnvironment() determines whether the file is running in Sandboxie by attempting to load the SbieDll.dll library. If the library can be loaded, the malicious process terminates;
  • CheckVirtualBoxEnvironment() searches for the vboxmrxnp.dll library, which belongs to VitrualBox. If the library can be found, the malicious process likewise terminates;
  • AddResourceResolver() adds a method for handling the resource load event. This method unpacks the assembly, which is packed by the Deflate algorithm, from a specific resource and loads the assembly into memory;

The method responsible for loading the assembly from the resource

The assembly is unpacked from the resource and loaded into memory

  • The UnpackAllAssemblies() method of the AssemblyResourceLoader class iterates through all the assembly resources and, if the resource name contains the string “+||”, unpacks the assemblies from these resources. The assemblies unpacked by this method are required by the malicious file to operate, and are legitimate libraries: Interop.MSScript.Control, Interop.TaskScheduler, SevenZipSharp;
  • RemoveZoneIdentifier() deletes the NTFS alternate stream Zone.Identifier through the command line to prevent a warning at startup if the file was downloaded from the Internet. The authors made a slight mistake in the command line (“cmd.exe /c (echo. > file path:Zone.Identifier) 2 > Null”) by leaving a space between the characters 2 and >, which produces an error in the console:

The warning issued on deleting Zone.Identifier

  • The ElevatePrivilegesProxy() method is the wrapper for the ElevatePrivileges() method, which in turn uses the known UAC bypass technique described by Matt Nelson aka enigma0x3.

Control then passes to the traditional entry point—the Main() method, which is located in the Form5 class:

The traditional entry point is the Main() method

We see that a WMI object is retrieved after a 30-second pause. Next, the ScriptControlClassInstance object is customized, which the language (Visual Basic script) and the body of the script are transferred to:

The script that runs the executable file using InstallUtil.exe

The AddCode() method adds and executes a VB script that runs the current assembly using InstallUtil.exe. After that, the current process is closed by calling Environment.Exit(0).

At the next stage, the malicious object is run using the InstallUtil tool and once more executes the static constructor of the FirstMainClass class examined above; control passes to the static constructor of the InstallUtilEntryClass class, which, as mentioned, is inherited from System.Configuration.Install.Installer:

The static class constructor called by InstallUtil.exe

The functions of this class include:

  • Copying the malicious file to %APPDATA%\program\msexcel.EXE, setting the Hidden+System attributes for the “program” folder, running msexcel.EXE, and terminating the current process;
  • Adding the copied file to autorun (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run);
  • Creating a task called “filesqmaepq0d.tnk” that runs msexcel.EXE every minute to ensure survival on the victim’s computer;
  • Checking if the malicious process is already running. An event with the name “78759961M” is created, and if such an event already exists in the system, the new process terminates;
  • Creating the Form5 class and calling its destructor.

Let’s sum up the interim results: all the actions described above (entrenchment in the system, elevation of privileges, startup from a trusted application) are essentially laying the foundation for the main task. Let’s move on to analyzing the next stage of the preparatory actions, which will take us closer to the heart of the malicious activity.

The malicious assembly contains, inter alia, five classes inherited from System.Windows.Forms.Form. Inheritance from the Form class is not accidental: in its inheritance hierarchy it implements several interfaces, one of which is IDisposable, which allows to override the Dispose() method for its own purposes. Dispose() methods are called by the garbage collector in order to free up unmanaged resources used by the class when closing or unloading the assembly. Now let’s look at the source code of the Dispose() method of the Form5 class:

The overridden Dispose() method of the Form5 class

As we can see, various methods are executed at each iteration of the cycle, and the results are saved. Let’s take a closer look:

  • At the first iteration, the full path to the RegAsm.exe utility from .NET Framework is retrieved;
  • A chain of nested methods is called with a view to decoding strings from Base64 that are stored in another class and unpacking the resulting array using the SevenZipExtractor library. As a result, we get an array that is the remote administration tool NanoCore Client;
  • The PERun.dll library is loaded from the assembly that was previously unpacked from the resource into memory;
  • A class with the name “RunPE” and the Run method of this class are sought in this library;
  • At the final iteration, the parameters are transferred and the Run method is called.

Knowing that the legalProgramPath variable contains the full path to the legitimate utility RegAsm.exe, PEFileByteArray contains the executable file in the form of a byte array, while the class name is RunPE; it is not hard to figure out that the Run() method employs the technique of hiding malicious code in the address space of the trusted process RunPE. This technique is widely known and described here, for instance.

Deep inside the Run() method, a legitimate utility process is created in CREATE_SUSPENDED state (the sixth parameter is 4u):

Creating a legitimate program process in CREATE_SUSPENDED state

Eventually, the RegAsm.exe process is loaded in the address space and starts to execute the payload: the remote administration tool NanoCore Client. Only trusted processes remain in the list of running processes, and even an experienced user might not realize that the system is compromised:

Only legitimate utilities can be seen in the list of running processes

RegAsm.exe was chosen as the “carrier” because (a) it is a legitimate utility from Microsoft, (b) it is located in the same directory as InstallUtil.exe, and (c) a utility from .NET Framework calling another utility from the same framework is less suspicious than calling, say, notepad.exe. In fact, the use of RegAsm.exe is not critical: the “carrier” could be any program that does not arouse the suspicion of security software and users. It is also important that all actions involving a malicious module are executed in memory, which allows file scanners to be bypassed.

As we’ve mentioned, this sample contains NanoCore Client, which can be used to control the victim’s computer, take screenshots, record keystrokes, download files, and much more. It should be noted that the payload here can be anything: from “fashionable” encrypters and miners to advanced Trojans.

Conclusion

Malware writers employ various tricks to conceal malicious activity, and the above technique allowing the execution of malicious code in the context of two legitimate programs is an obvious example. Detecting this kind of concealment method requires a behavioral analysis of the program. Kaspersky Lab’s security solutions detect this behavior as PDM: Trojan.Win32.Generic and PDM: Exploit.Win32.Generic.

IOC (MD5)

263DC85DE7EC717E8940B1CCDD6EE119 payload: EF8AF3D457DBE875FF4E3982B34F1DE9
3E4825AA1C09E27C2E6A1309BE8D6382 payload: 82709B139634D74DED404A516B7952F0
7E3863F827C1696835A49B8FD7C02D96 payload: D1A9879FFCB14DF70A430E59BFF5EF0B
8CB8F81ECF1D4CE46E5E96C866939197 payload: D8652841C19D619D2E3B5D7F78827B6E
FDF4086A806826503D5D332077D47187 payload: BF4A3F4B31E68B3DE4FB1F046253F2D0

DDoS attacks in Q3 2017

Malware Alerts - Mon, 11/06/2017 - 05:00

News Overview

In the third quarter of 2017, the trends of the preceding quarters continued to develop further. The number of DDoS attacks in China, the United States, South Korea and Russia increased, which were reflected in the statistics we gathered for botnets. A sharp surge in the number (more than 450 daily) and power (up to 15.8 million packets per second) of attacks was registered in the ‘Australian sector’. The cost of protection increased accordingly: for example, in early September, six IB vendors entered into a $50 million contract with the Singapore government (the previous three-year contract cost the state half that amount).

The biggest success in combating DDoS attacks was the taking down of the huge (hundreds of thousands of devices in more than a hundred countries) WireX botnet. The botnet had been secretly working on Android devices and proliferating via legitimate Google Play applications. The joint actions of Google, Samsung and several large IT security vendors were required to take down the botnet. Given the deplorable state of security on the Internet of things and in micro-applications, such findings are now likely to occur on a fairly regular basis.

Cybercriminals are using their brains as well as their brawn. In mid-August, Imperva described Pulse Wave technology capable of increasing the power of a DDoS attack thanks to a vulnerability in hybrid and cloud technologies. The analysts at Imperva believe that most DDoS attacks will soon follow a similar pattern: short but powerful sudden “punctuated” attacks that last for several hours or several days.

The targets within the scope of the cybercriminals’ interest remain the same. In the political arena, the increase in the number of attacks has even triggered a process of qualitative change: some are voicing the belief that DDoS attacks are a legitimate form of democratic protest. However, the effectiveness of this method is still questionable: the two most notable political acts of the third quarter (an attack on the DreamHost hosting provider and on a libertarian site) achieved nothing apart from greater publicity for the attacked resources.

Cases of blackmail involving DDoS attacks – or rather, attempts that aren’t always very well executed –have become more frequent. While in the previous quarter companies preferred to pay off the attackers, mass mailings with threats are now often perceived as just another wave of spam.

As a means of applying pressure, DDoS attacks are still more beneficial in industries where downtime and communication failures lead to lost profits and reputation. The gaming industry is becoming even more attractive for cybercriminals: the profits here are estimated in the hundreds of billions of dollars, while security is still far from perfect, with hybrid gaming platforms vulnerable to attacks via the links between resources and applications.

In Q3, there were three high-profile incidents involving gaming platforms (not including the DDoS attack on Final Fantasy’s servers, which, according to Square Enix, began in June and lasted till the end of July).

Firstly, in mid-August, Blizzard Entertainment reported a flood of junk traffic that caused problems for players of Overwatch and World of Warcraft.

Secondly, at the beginning of September, the Americas Cardroom online poker site began to experience difficulties. The attack (not the first to target the resource) followed the notorious pattern “demonstrate force, demand a ransom”. The site’s management refused to pay, but was forced to cancel – or more precisely, to delay – a poker championship that was already under way.

At the end of the quarter, on 30 September, the site of the UK National Lottery was seriously affected: for 90 minutes players were unable to place their stakes online or via applications, which caused the service serious losses.

It appears that constant DDoS attacks on the entertainment industry is becoming the new normal: the largest companies will either have to seriously reconsider their approach to security or put customer loyalty at risk. Some of them have started eliminating possible vectors on their own. For example, Netflix (yet another entertainment platform that could lose customers due to a loss of communication) found a serious vulnerability in API and developed two tools to deal with the infected applications.

Probably the most curious attack of the quarter was also related to the entertainment and gaming industry: the cybercriminals hacked a US casino via a smart fish tank. It had nothing to do with DDoS attacks, but it’s interesting that criminals managed to break through to the mainframe and steal 100 GB of confidential data from the organization, although the fish tank was installed on its own VPN. It is highly likely that in the near future the entertainment and gaming sector will be on a par with the financial sector when it comes to the scope and ingenuity of large-scale attacks.

Quarter Trends

In term of trends, there was a fairly new vector of attacks related to the now notorious crypto- currencies. More and more attacks are targeting Initial Coin Offering (ICO) platforms – a type of crowdfunding. Since blockchain technology allows transactions to be conducted safely, ICOs are quickly gaining in popularity. But there are risks as well: with the rapid growth and the increasing turnover of crypto-currencies, such platforms are subjected to cyberattacks, including DDoS attacks. The broad availability of the platform guarantees reliable and secure transactions, while DDoS attacks are aimed at breaking the operability of the service and thus discrediting it or, even worse, creating a smokescreen for more sophisticated types of attacks.

Another detail of this quarter is the increase in the proportion of mixed, multi-component (SYN + TCP Connect + HTTP-flood + UDP flood) attacks. As forecasted earlier, they are gradually gaining in popularity. There is nothing fundamentally new in these attacks, but in the right hands they can be quite effective.

Statistics for botnet-assisted DDoS attacks Methodology

Kaspersky Lab has extensive experience of combating cyber threats, including DDoS attacks of various complexity types and ranges. The experts of the company have been tracking the actions of botnets by using the DDoS Intelligence system.

Being part of the Kaspersky DDoS Prevention solution, the DDoS Intelligence system is intended to intercept and analyze commands sent to bots from command-and-control servers and requires neither infecting any user devices nor the actual execution of cybercriminals’ commands.

This report contains DDoS Intelligence statistics for the third quarter of 2017.

In the context of this report, it is assumed that an incident is a separate (single) DDoS-attack if the interval between botnet activity periods does not exceed 24 hours. For example, if the same web resource was attacked by the same botnet with an interval of 24 hours or more, then this incident is considered as two attacks. Also, bot requests originating from different botnets but directed at one resource count as separate attacks.

The geographical locations of DDoS-attack victims and C&C servers that were used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.

It is important to note that DDoS Intelligence statistics are limited only to those botnets that have been detected and analyzed by Kaspersky Lab. It should also be noted that botnets are just one of the tools for performing DDoS attacks; thus, the data presented in this report do not cover every single DDoS attack occurred during the indicated period.

Q3 summary
  • Resources in 98 countries were attacked in Q3 2017 vs. 86 in Q2 2017.
  • As in Q2, around half of all attacks (51.56%) originated in China.
  • China, the US, and South Korea remained leaders in terms of both number of attacks and number of targets. According to the number of reported C&C servers, the same countries are make up the TOP 3, though South Korea calimed first place this time.
  • The longest DDoS attack was 215 hours, a decrease of 28% compared to Q2. At the same time, the share of attacks that lasted less than 50 hours remained practically unchanged (99.6% in Q3 vs. 99.7% in Q2).
  • As in the previous quarter, there was a considerable drop in the proportion of attacks over TCP (down to 11.2% from 28.2%) and ICPM (down to 7.1% from 9.42%). This caused a rise in the percentage of SYN floods and HTTP attacks.
  • The proportion of Linux botnets continued to grow. Such botnets were responsible for 69.62% of attacks in Q3 compared to 51.23% in Q2.
Geography of attacks

DDoS attacks were registered in 98 countries in Q3, where the largest number of the attacks were aimed at China (63.30% of all attacks), which is 5.3 p.p. higher than the previous quarter. South Korea’s share fell from 14.17% to 8.70%, moving it to third place. The US came second despite the percentage of attacks originating from this country falling from 14.03% to 12.98%.

The top 10 accounted for 93.56% of all attacks. Germany (1.24%) re-entered the top 10, replacing Italy out of the rating. Hong Kong (1.31%) dropped from 4th to 7th, having lost 1.07 p.p. Russia (1.58%) gained 0.35 p.p. and was once again in fourth place. The UK remained fifth while the Netherlands saw its share go up from 0.84% to 1.31%, moving it to sixth.

Distribution of DDoS attacks by country, Q2 2017 vs. Q3 2017

91.27% of all attacks were aimed at targets in the countries of the top 10 in Q3 2017.

Distribution of unique DDoS-attack targets by country, Q2 2017 vs. Q3 2017

China remained in first place: 51.56% of all targets were located in the territory of the country, an increase of 4.14 p.p. compared to Q2. At the same time, the US and South Korea remained second and third respectively, although the proportion of targets in the territories of both countries fell considerably: from 18.63% to 17.33% in the US, and from 16.35% to 11.11% in South Korea.

The share of targets located in the territory of Russia grew from 1.33% in Q2 to 2.24% in Q3, which saw Russia move up from seventh to fourth place. Australia and Italy left the top 10 and were replaced by France (1.43%) and Germany (1.65%).

Dynamics of the number of DDoS attacks

The number of attacks per day ranged from 296 (24 July) to 1508 (26 September) in Q3 2017. The peak numbers were registered on 27 July (1399) and 24 September (1497). A relative downturn was registered on 28 July (300), 31 May (240), and 25 September (297).

Dynamics of the number of DDoS attacks in Q3 2017*
*Since DDoS attacks may continuously last for several days, one attack may be counted several times in the timeline, i.e., once per day.

In Q3 2017, Monday remained the quietest day for DDoS attacks (10.39% vs 11.78% in the previous quarter), while Thursday became the busiest day (17.54%). Last quarter’s leader, Saturday, came second (15.59%) followed by Sunday (14.89%) and Tuesday (14.79%).

Distribution of DDoS attacks by day of the week, Q2 vs Q3 2017

Types and duration of DDoS attacks

As in the previous quarter, the number of SYN DDoS attacks continued to grow, rising from 53.26% to 60.43% in Q3 2017. At the same time, the percentage of TCP DDoS attacks plummeted from 18.18% to 11.19%, which did not affect second position in the rating for this type of attack. Both UDP and ICMP attacks became quite rare: their share dropped from 11.91% to 10.15% and from 9.38% to 7.08% respectively. Meanwhile, the popularity of HTTP attacks increased from 7.27% to 11.6%, which placed them in third.

Distribution of DDoS attacks by type, Q3 2017

The number of long-term attacks remained almost unchanged from the previous quarter: 0.02% of attacks lasted more than 150 hours (vs 0.01%). The longest attack lasted for 215 hours, 62 hours shorter than the record in Q2. At the same time, the share of attacks that lasted 4 hours or less dropped from 85.93% in Q2 to 76.09% in Q3. Thus, the percentage of attacks lasting from 5 to 49 and from 50 to 99 hours increased, accounting for 23.55% and 0.3% of all attacks respectively.

Distribution of DDoS attacks by duration (hours), Q2 vs Q3 2017

C&C servers and botnet types

The top 3 countries with the greatest number of detected C&C servers remained unchanged from Q2: South Korea, whose share grew from 49.11% to 50.16%, remained top. The US retained second place (16.94% vs 16.07% in Q2). China remained third although its share dropped from 7.74% to 5.86%. The top 3 countries accounted for 72.96% of C&C servers in total, which is only slightly more than in the previous quarter.

The top 10 included Italy (1.63%) and the UK (0.98%), which ousted Canada and Germany in Q3. Compared to Q2 2017, there was a significant increase in the shares of France (up to 2.93% from 1.79%) and Russia (up to 3.58% from 2.68%).

Distribution of botnet C&C servers by country in Q3 2017

In Q3, Linux-based botnets continued to win back positions from Windows: the share of detected Linux-based botnets comprised 69.62%, while the percentage of Windows-based botnets dropped to 30.38%.

Correlation between Windows- and Linux-based botnet attacks, Q3 2017

Conclusion

In the third quarter of 2017, we registered a considerable increase in the number of both DDoS attacks and their targets. Traditionally, China is the country with the largest number of attack sources and targets. It was followed by the United States and South Korea. The popularity of Windows OS as a basis for creating a botnet has fallen noticeably, while the share of Linux-based botnets increased proportionally.

Among this quarter’s trends were increased attacks on ICO platforms: in Q3, crypto-currency was widely discussed both on the Internet and in the mass media, and cybercriminals did not ignore its popularity. Yet another detail of this quarter is the growth in the proportion of multi-component attacks, consisting of various combinations of SYN, TCP Connect, HTTP flood and UDP flood techniques.

Two-Step Verification

SANS Tip of the Day - Mon, 11/06/2017 - 00:00
Two-step verification is one of the best steps you can take to secure any account. Two-step verification is when you require both a password and code sent to or generated by your mobile device. Examples of services that support two-step verification include Gmail, Dropbox and Twitter.

Spam and phishing in Q3 2017

Malware Alerts - Fri, 11/03/2017 - 06:00

Quarterly highlights Blockchain and spam

Cryptocurrencies have been a regular theme in the media for several years now. Financial analysts predict a great future for them, various governments are thinking about launching their own currencies, and graphics cards are swept off the shelves as soon as they go on sale. Of course, spammers could not resist the topics of cryptocurrency, mining and blockchain technology.

Last quarter we wrote that many Trojans were downloading ‘miners’ as a payload on victims’ computers, and in third quarter of 2017 this practice became even more widespread.

Fraud, cryptocurrencies and binary options

Financial fraud makes very active use of the cryptocurrency topic: users receive messages that vividly describe the use of special software for trading on the cryptocurrency market and how it can secure their financial future.

Examples of emails with offers “to secure your financial future”

After clicking on a link, users end up on a site where they are once again persuaded to join the ranks of the rich who only have one problem in life – how to spend their money. In reality, such sites are partners for shady brokerage houses, and purveyors of new, inexperienced customers. It is there that new users are redirected.

The plan is to get the victim to deposit a certain amount to their account, usually several hundred dollars, for the opportunity to start trading. We should note here that we’re no longer talking about cryptocurrencies – in most cases, trading involves binary options.

The problem is not even in the questionable legality of the actual trading, but that no one guarantees the honesty of the brokerage offices and, consequently, there are no guarantees that the invested funds will be returned. The fraudsters start by motivating people to invest more and more money, and then simply disappear, leaving the victim to read angry reviews on the Internet from other cheated depositors.

There are also more primitive types of fraud, where the email directly asks the recipient to transfer bitcoins to a specific wallet, with a promise to return the investment with interest five days later. But only the most naïve recipients are likely to fall for such an offer.

Naive users are invited to “invest” bitcoins for a short time at a high high rate of interest

Webcasts

Another example of the cryptocurrency theme being used in spam is that of webcasts. In most cases, scammers suggest taking a study course that will help the user understand more about cryptocurrencies and how to invest in them. Of course, the sums invested in “training” will result in huge profits in the near future, according to the organizers.

Natural disasters and the ‘White House administration’

In August and September, the world’s attention was focused on hurricanes Irma and Harvey, and the earthquake in Mexico. There were dozens of victims of these disasters, and the damage caused was estimated to be billions of dollars. These tragic events inevitably attracted the attention of so-called Nigerian scammers trying to cash in on people’s grief. They sent messages on behalf of family members whose relatives died during the hurricanes and asked for help obtaining an inheritance left by them. Natural disasters were also mentioned in emails promoting job offers and loans.

In the third quarter, ‘Nigerian’ letters also mentioned the name of Donald Trump, the current US president. The authors pretended to be representatives of state or banking organizations, and to make their message sound more important they claimed they were appointed by the US president or were acting on his behalf. The spammers spun the standard tales in their fraudulent letters, promising millions of dollars to users, with the scammers asking for personal information so that they could supposedly track the money transfer. The letters contained identical text but with different layouts and contact details.

Letters ‘from the US president’s office’

B2B fakes in malicious emails

There is still a tendency to create emails with malicious attachments for fake commercial offers. At times their quality is so good that you suspect they could be a man-in-the-middle attack.

The file in the attachment is detected as HEUR: Trojan.Java.Agent.gen. This malware is written to startup and tries to close programs such as Process Hacker, system explorer and security software processes. It then communicates with the remote server and waits for the command to install other malicious programs

The attachment is detected as HEUR: Exploit.MSOffice.Generic, exploiting the vulnerability CVE-2017-0199 in MS Word. As a result, other malicious programs are downloaded to the victim’s computer

Both archives contain the same malicious object, detected as Trojan.Win32.VBKrypt.xtgt. It collects information from the victim’s computer and transfers it to the remote server

Release of new iPhone

In September, Apple unveiled the new models of its smartphone – iPhone 8 and iPhone X. This event was widely covered in the media, and spammers, weren’t going to miss out.

Even before the official presentation, we began to record spam mailings with offers to test the updated phone for free and participate in a prize draw to win one. Some mailings even reported the recipient had won a device before it was publicly unveiled. In most cases, the links in these emails could end up downloading Reimage Repair ‘advertising software’. Immediately after the release of the smartphone, Chinese factories got in on the act, sending out emails advertising various accessories for the new model. Our traps also recorded a large volume of phishing associated with the purchase and delivery of the popular gadget.

Statistics Proportion of spam in email traffic

Percentage of spam in global email traffic, Q2 and Q3 2017

In the third quarter of 2017, the largest share of spam was recorded in September – 59.56%. The average share of spam in global email traffic was 58.02%, which was almost 1.05 p.p. more than the average for the previous quarter.

Sources of spam by country

Sources of spam by country, Q3 2017

According to the results for the third quarter of 2017, China (12.24%) became the biggest source of spam, after finishing third the previous quarter. Last quarter’s leader Vietnam (11.17%) was second after a decrease of 1.2 p.p. The US fell one place to third (9.62%), while India (8.49%) remained fourth in this rating. Iran rounded off the top 10, accounting for 2.07% of all spam.

Spam email size

Breakdown of spam emails by size, Q2 and Q3 2017

The share of very small emails (up to 2 KB) in spam increased by 9.46 p.p. to 46.87% in the third quarter. The proportion of emails between 5 and 10 KB in size also increased by 6.66 p.p. compared with the previous quarter and amounted to 12.6%.

The number of emails between 10 and 20 KB decreased, however, with their share falling by 7 p.p. There was also a decrease in emails sized 20 to 50 KB. Their share this quarter amounted to 19%, which was a fall of 8.16 p.p. compared to the previous reporting period.

Overall, the number of very small emails continues to grow.

Malicious attachments in email Top 10 malware families

TOP 10 malware families in Q3 2017

Backdoor.Java.QRat (3.11%) became the most widespread malicious program family in email traffic. Next came the Trojan-Downloader.VBS.Agent family (2.95%), followed by Trojan-Downloader.JS.SLoad (2.94%). The newcomers in this rating – Trojan.Win32.VBKrypt and Trojan-Downloader.VBS.SLoad (a VBS script that downloads and launches other malicious programs on the victim machine, usually cryptographers) occupy fifth and eighth places with 2.64% and 2.02% respectively. The Trojan.PDF.Badur family (1.79%) rounds off the top 10.

Countries targeted by malicious mailshots

Distribution of email antivirus verdicts by country, Q3 2017

Germany remained the country targeted most by malicious mailshots in the third quarter of 2017. Its share increased by 6.67 p.p. and amounted to 19.38%.

China came second, with 10.62% of mail antivirus verdicts recorded there – a drop of 1.47 p.p. compared to Q2. Russia, which came fifth the previous quarter, completed the top three (9.97%) after its share increased by 4.3 p.p. Fourth and fifth were occupied by Japan (5.44%) and Italy (3.90%) respectively.

Phishing

In the third quarter of 2017, the anti-phishing system prevented 59,569,508 attempted visits to phishing pages on the computers of Kaspersky Lab users. Overall, 9.49% of unique users of Kaspersky Lab products worldwide were attacked by phishers in Q3 2017.

Geography of attacks

The country with the largest percentage of users affected by phishing attacks was once again Brazil (19.95%, +1.86p.p.).

Geography of phishing attacks*, Q3 2017
* Number of users on whose computers the Anti-Phishing system was triggered as a percentage of the total number of Kaspersky Lab users in that country

Australia (16.51%) came second after its share increased by 3.81 p.p. In third place was New Zealand (15.61%, + 3.55pp). China (12.66%) fell from second place to fourth, with its share losing 0.19 p.p. Next came France (12.42%), Peru (11.73%), Argentina (11.43%), Canada (11.14%), Qatar (10.51%,) and Georgia (10.34%).

Brazil 19.95% Australia 16.51% New Zealand 15.61% China 12.66% France 12.42% Peru 11.73% Argentina 11.43% Canada 11.14% Qatar 10.51% Georgia 10.34%

TOP 10 countries by percentage of users attacked

Organizations under attack Rating the categories of organizations attacked by phishers

The rating of attacks by phishers on different categories of organizations is based on detections of Kaspersky Lab’s heuristic anti-phishing component. It is activated every time a user attempts to open a phishing page while information about it has not yet been included in Kaspersky Lab’s databases. It does not matter how the user attempts to open the page – by clicking a link in a phishing email or in a message on a social network or, for example, as a result of malware activity. After the security system is activated, a banner is displayed in the browser warning the user about a potential threat.

In the third quarter of 2017, almost half (47.54%) of the heuristic components of the anti-phishing system were recorded on pages with references to brands from financial categories such as Banks (24.1%, + 0.61 p.p.), Payment systems (13.94%, -4.46 p.p.) and Online stores (9.49%, -0.08 p.p.).

Distribution of organizations affected by phishing attacks by category, Q3 2017

Hot topics this quarter Airline tickets

Last quarter we described a scam involving a free giveaway of airline tickets supposedly by popular airlines, with information being spread via reposts from victims on a social network. In the third quarter, scammers continued to spread the ‘giveaway’ using WhatsApp instead. Judging by the decrease in the number of anti-phishing verdicts in the Airlines category, however, we can assume that this approach wasn’t as effective.

The downturn may also be due to the fact that scammers switched to ‘prize draws’ not only for air tickets but also other prizes, for example, sports shoes, cinema tickets, gift cards for Starbucks, etc.

Before you could claim your prize you had to share information about the prize draw with eight contacts on WhatsApp.

After clicking the button, users are redirected to WhatsApp.

The redirect function in the instant messenger and the message that has to be sent to contacts

This is what the message looks like in the app

The message needs to be sent a minimum of eight times

After sending the message to their contacts the victim, instead of winning a prize, is redirected to some dubious resource, for example, a page where malicious extensions are installed, a new survey, etc.

WhatsApp

WhatsApp users are also subjected to phishing attacks that hide behind the app brand.

More often than not the scammers try to steal money on the pretext of updating the application or paying for a subscription. At one time WhatsApp really did request a subscription payment, although now it’s free.

Scammers offer a choice of subscription – for one year, three years or five. However, victims will lose much more than the stated amount if they enter their bank card details on such a site.

Netflix

Netflix users are another popular target of phishers. The number of attacks on them increased in the third quarter. The criminals usually coax bank card details from users on the pretext of a failed payment or other problems linked to subscription renewal.

Green Card

On the eve of the Green Card lottery conducted by the US government in October-November of each year, we are seeing a surge in activity by scammers offering help to apply.

After completing the form on the fraudulent site, the user is asked to pay for their application. If the victim enters their bank card details, much more money than the amount indicated on the site can end up being withdrawn from their account.

Rap battle

Even niche events can be good cover for phishing activity. On 15 October, a rap battle was held between Russian artist Oxxxymiron and Dizaster, one of the best battle MCs in the US. This followed another battle that took place just a few months earlier between Oxxxymiron and Slava KPSS. Less than 12 hours later a video of the event had gained around 5 million views – and it wasn’t just thematic sites writing about the battle but also a lot of the mainstream Russian media.

Shortly before the publication of the official video, phishing web pages dedicated to the event began to appear online:

If a user tried to view the video, they were prompted to first sign in to the popular Russian social network VKontakte.

After entering the login and password, the victim was redirected to the official page of the Versus site on the social network, and their personal data went to the scammers.

TOP 3 attacked organizations

Fraudsters continue to focus most of their attention on the most popular brands, enhancing their chances of a successful phishing attack. More than half of all detections by Kaspersky Lab’s heuristic anti-phishing component are for phishing pages hiding behind the names of fewer than 15 companies. At the same time, the composition of the top three has remained unchanged for several quarters:

Organization % of detected phishing links Facebook 7.96 Microsoft Corporation 7.79 Yahoo! 4.79 Conclusion

In terms of the average share of spam in global email traffic (58.02%), the third quarter of 2017 was almost identical to the previous reporting period: once again growth was slightly more than one percentage point – 1.05 (and 1.07 p.p. in Q2 2017). As in previous quarters, spammers were quick to react to high-profile events and adapted their fraudulent emails to the news agenda. This quarter they were quickly to use the theme of natural disasters following hurricanes Irma and Harvey, and the earthquake in Mexico. The popular theme of cryptocurrency was also used: trusting victims were offered seminars and ‘help’ with trading that came with profits guaranteed.

Scammers continued to use all available communication channels to spread phishing content, including social networks and instant messengers: in the current quarter, the anti-phishing component prevented more than 59 million attempts to redirect to phishing pages, which is 13 million more than in Q2.

The most common malware family in the third quarter of 2017 was Backdoor.Java.QRat (3.11%), followed by Trojan-Downloader.VBS.Agent (2.95%), and Trojan-Downloader.JS.SLoad (2.94%).