Kaspersky Securelist

Syndikovat obsah Securelist - Kaspersky Lab’s cyberthreat research and reports
Online headquarters of Kaspersky Lab security experts.
Aktualizace: 42 min 42 sek zpět

Modern OSs for embedded systems

20 Červen, 2018 - 12:00

At Kaspersky Lab we analyze the technologies available on cybersecurity market and this time we decided to look at what OS developers are offering for embedded systems (or, in other words, the internet of things). Our primary interest is how and to what degree these OSs can solve cybersecurity-related issues.

We’d like to point out that this review reflects the author’s subjective opinion, and for the purposes of this analysis we developed our own classification of OSs.

Moreover, throughout this research we have compared other operating systems with KasperskyOS to see what we can learn from them and how we can improve KasperskyOS. The results of this comparison will also be presented in this article.

We analyzed a total of several dozen operating systems, from the most widespread to some niche players. The vast majority of the operating systems we looked at primarily handle practical functional tasks. Information security features, if they are included in the design, are merely extensions to the existing functionality in the form of plugins, components implementing encryption algorithms or add-in architecture. These measures can help improve the overall information security posture of a solution, but cannot guarantee protection from all modern threat models. If cybersecurity issues are not addressed in the initial design, it inevitably leads to compromises later when protection mechanisms are added.

Operating systems can be classified according to numerous criteria. Our approach was to treat operating systems from an architecture standpoint, so we classified them into four large classes according to their kernel types.

  • monolithic systems,
  • operating systems with monolithic kernels,
  • microkernel-based operating systems,
  • hybrid systems.
Monolithic systems

This is the most widespread type of operating system architecture for embedded devices. Most of the operating systems we analyzed are monolithic environments designed to work in microcontrollers where all processes (both user and system) run in a single address space without restrictions.

From an information security standpoint, this architecture is only suitable for very simple tasks – as the functionality becomes more complex, the risk of vulnerabilities becomes too great. Whenever vulnerabilities occur in such systems, whether it’s in implementations of system services or in an auxiliary application, this leads to the entire solution being compromised.

Libraries containing sets of encryption algorithms are usually offered as extra security measures for such operating systems. However, these measures can hardly be described as sufficient, because they don’t envisage a comprehensive solution to many important issues, such as the generation and storage of keys and certificates, ensuring trusted downloads, secure updates, etc. Also, because these libraries are created specifically for the appropriate operating systems, they often don’t undergo verification and/or sufficient testing, so they themselves may contain vulnerabilities and therefore reduce (rather than improve) the overall security of the solutions they’re part of.

Other measures (such as stack protection, various types of additional checks etc.) may ensure protection against different types of failures and errors, but they are often useless at protecting against targeted attacks that exploit known vulnerabilities within the system.

Even if a microkernel architecture was formally applied in a solution like this, an acceptable level of protection is impossible to ensure unless user processes are isolated from system processes, since any user process could affect the operation of the microkernel. Examples of microkernel operating systems in which processes are not isolated properly include the popular RIOT OS, Zephyr, Unison RTOS, and even the commercial microcontroller kernel µ-velOSity provided by Green Hills, as well as Microsar OS, the basic operating system for automotive solutions provided by Vector.

Despite all the security shortcomings of monolithic systems, such compact operating systems are suitable for work in cheap microcontrollers. They can be used in simple and compact devices where the only task is to measure a single parameter, such as temperature, pressure, volume, etc. Devices like these must be simple, compact and cheap. In our view, monolithic systems are not the best option when faced with tasks that are more complex.

Monolithic kernel systems

Monolithic kernel systems are another type of operating system architecture. This is perhaps the most widespread and popular type of operating system architecture both for embedded systems and for general-purpose systems (i.e. servers, workstations and mobile devices.)

Unlike in purely monolithic solutions, user processes in monolithic kernel systems are isolated from the kernel and only have access to its functions via a limited number of system calls. This constitutes a serious advantage from the information security standpoint.

A large number of services run in the kernel context, such as protocol implementations, file systems, device drivers, etc. Examples of monolithic kernel operating systems include those based on the Linux kernel (and its derivatives), as well as Windows, FreeBSD, RTEMS, etc.

The operating system’s kernel services still leave a large attack surface, while the code base operating in the kernel context cannot be considered as trusted. Therefore, don’t expect the kernel services to be free from vulnerabilities (in fact, vulnerabilities are regularly detected).

The compromise of any kernel service inevitably leads to the entire system being compromised, no matter what tools are employed to protect it.

The second problem is especially relevant for embedded systems. It is the need to restart the device when kernel models are updated. Indeed, restarting is not always required, however any case when a restart is not required is the exception rather than the rule.

The main advantage of monolithic kernel architecture is its better performance as compared to microkernel operating systems. This is due to the smaller number of context switches.

Different Linux distributions

Operating systems based on the Linux kernel are very user-friendly: they are available in source code, offer excellent hardware support and have a large amount of application and system software. All this makes these operating systems extremely attractive for developers of embedded systems.

Note: Linux only serves as the kernel of an operating system. Full-fledged operating systems are Linux-based distributions.

It’s worth noting that Linux was developed as a kernel for a multi-user operating system and contains a set of built-in security mechanisms, but from a modern-day perspective it has a number of information security issues, both in terms of architecture and implementation.

Conventional wisdom suggests that a properly configured Linux-based solution is sufficiently secure. However, the actual configuration process is quite complicated and most security restrictions can be bypassed. Besides, there are also difficulties with Linux that are related to the implementation of secure boot mechanisms, updating operating system components, and a multitude of other problems.

A large number of Linux-based branches and distributions have been developed that aim to improve security. Extensions have also been developed to tackle information security issues, including AppArmour, GRSecurity, PAX, SELinux, etc. These extensions help improve the security posture, though they cannot guarantee sufficient security, because the code base of the Linux kernel is quite large, and there’s no way of making the kernel’s computing base trusted. This problem appears to be insurmountable. According to www.cvedetails.com, 453 vulnerabilities were detected in Linux kernels in 2017. That number includes 159 vulnerabilities that allow execution of arbitrary code in the kernel context. Exploitation of a vulnerability in the Linux kernel makes it possible to circumvent any protection mechanisms, even the most sophisticated and carefully configured.


Android 8.0 Oreo is the latest version of the Android operating system for mobile devices and, according to the developers, contains a multitude of new information security mechanisms. The key security features in this operating system are aimed at mitigating the consequences of exploiting vulnerabilities and reducing the attack surface, as well as the use of the principle of least privilege. There have also been changes to the API design and to the architecture. Some of the innovations are described below:

  • Smart protection of app authorization.
  • Advanced verification during updates of applications and the operating system to prevent common types of attacks, including rollback.
  • In-built support of HSM (hardware security module).
  • Application sandboxing with support for seccomp filters (secure computing restricts apps’ ability to make system calls) and the WebView component is isolated.
  • Support for a set of encryption profiles (different profiles use different sets of keys).
  • In-built support for two-factor authentication using physical keys.
  • Complicating paths to apps. An app can no longer be found at its static location. Instead, it is installed each time to a new location, and a special call to the system must be made to gain access to the app.
  • Discontinued support of outdated and vulnerable protocols and algorithms, such as SSL v3.0.

These are all necessary and useful measures that substantially complicate post exploitation of vulnerabilities and the ability to gain root privileges.

However, it shouldn’t be forgotten that the Linux kernel is inside Android with all the drawbacks inherent to it. An analysis of the monthly security bulletins shows that new vulnerabilities are being discovered in Android all the time, and a significant portion of them enable execution of arbitrary code.

Microkernel operating systems

One possible solution to the above problems is the use of microkernel architecture.

A microkernel provides only the elementary functions of process management and a minimum set of hardware abstractions. Most of the work is done with the help of dedicated user processes that don’t run in the kernel’s address space. This helps to substantially reduce the attack surface of the kernel services, while the kernel of the operating system can be rigorously verified (thanks to the small code base) using, among other things, formal verification methods. To learn more about verification and how it is different from validation, check out Ekaterina Rudina’s article devoted to this topic.

The most meaningful results from an information security standpoint have been shown for microkernel architectures, for example, the Separation Kernel approach and the use of MILS architecture.

Different types of microkernels and microkernel operating systems are widely available on the market. Some examples from this category are QNX, INTEGRITY RTOS, Genode, the L4 kernel and its derivatives.

We would like to dwell a little bit on the microkernel L4. It’s the result of an evolutionary process in the microkernel approach to the development of operating systems. Today, L4 is effectively the de facto standard in the development of microkernel operating systems.

L4 microkernel family

The L4 kernel was initially developed to demonstrate the feasibility of creating a microkernel that is suitable for use in real-life, general-purpose operating systems. This attempt can be considered rather successful: there now exists a whole family of research and commercial projects that make use of the L4 derivatives. The kernels of this family have been ported on a large number of hardware platforms. It should be noted that solutions based on L4 support operation in hard real-time mode.

Among the microkernel implementations currently supported the following can be highlighted:

  • seL4 – the first microkernel to be formally verified. It is still undergoing active development.
  • Codezero – a commercial version of the K4 kernel. The source code of the kernel is available under GPLv3 license, while the source of the additional modules and libraries is closed and distributed under commercial licenses.
  • OC – a version developed by TU Dresden and distributed under GPLv2 license; commercial support is available.

For the listed operating systems, there are different virtualization solutions available. There are also other virtualization solutions based on the L4 microkernel that are worth mentioning – they are OKL4, NOVA and the PikeOS operating system.

The microkernels of the L4 family are also used in the following operating systems:

  • Genode
  • TUD:OS – an operating system developed by TU Dresden on the basis of L4Re, which is an L4-based framework for constructing solutions.
  • CAamkES – a framework based on the L4 microkernel that was developed by Trustworthy Systems Research Group @Data61.
  • L4Linux – a porting of the Linux operating system based on the L4-family kernel. In this implementation of L4, Linux plays the role of a user mode service operating simultaneously with other L4 applications (including real-time components). Linux kernel versions up to 4.14 and hardware platforms x86 and ARM are supported.

From a security point of view, the seL4 kernel is the most important member of the L4 family.

The microkernel seL4 implements an object-capability model. Formal verification has been conducted for it, meaning the operating system’s properties can be guaranteed within specified concepts and assumptions; this improves the overall protection status of the solution. However, if the input assumptions are incorrect, problems can arise. For instance, a substantial drawback of the formal model during seL4 verification is that it rules out simultaneous execution of several processes (a single-processor system with blocked interruptions is envisaged).

The object-capability model provides detailed control over system behavior, but by no means all security properties can be described with its help. There are numerous other security models whose properties are impossible to express based on the object-capability model. For example, security properties may depend on system status, take time relationships into account, etc. To describe such properties, extra mechanisms need to be added to the solution, and in that case the advantages of seL4 are lost.

KasperskyOS makes use of many of the ideas used in seL4. However, it also allows for a description of any security properties by using Kaspersky Security System (KSS), part of the KasperskyOS architecture.

Hybrid operating systems

A hybrid kernel exhibits a combination of properties typical of monolithic and microkernel architectures; a hybrid kernel-based operating system architecture is essentially a modified microkernel that allows operating system modules to be executed in the kernel space to expedite operation.

Operating systems with hybrid kernels have emerged as a result of attempts to use the advantages of microkernel architecture while retaining as much of the well-tested monolithic kernel code as possible. In operating systems of this class, however, the problem of information security remains unsolved, because the attack surface remains large.

The ‘secure by design’ requirement

Many of the older operating systems were initially developed with no regard for information security. When security features are introduced, functional mechanisms cease to operate as they did before, and compatibility issues arise. For this reason, and a host of others, it’s impossible to completely revisit the architectures of these systems, and there can be no security guarantees – it’s only possible to talk of enhancing some security-related properties. There are many examples of such solutions, including QNX, Linux, and FreeBSD.

Only those operating systems that took information security requirements into consideration during development can ensure proper implementation of security mechanisms without impacting their functional capabilities. The use of a secure-by-design approach is a key requirement for the final solution to be certified to Common Criteria standard, starting with EAL4. Examples of secure-by-design operating systems are seL4, INTEGRITY RTOS, MUEN RTOS, KasperskyOS and several others.


From the very start, KasperskyOS was created to meet the most rigid information security requirements. It was based on advanced practices and approaches to creating secure systems, in line with the requirements of all essential security standards. In light of this, KasperskyOS can be considered a truly secure operating system from its inception.

KasperskyOS uses microkernel architecture in which the microkernel system tools divide the system into security domains, or ‘entities’ in KasperskyOS terms. All communications between security domains (inter-process communications, IPC) are performed using the microkernel – and controlled by it. No communications are allowed to bypass the microkernel.

All communications are typed: the interface of the entities is described in IDL (Interface Definition Language), and only this interface can be used for IPCs. This is where KasperskyOS differs significantly from most other operating systems.

The KasperskyOS microkernel operates in conjunction with Kaspersky Security System (KSS), which is a subsystem that calculates security verdicts. For each IPC, the KasperskyOS microkernel requests a verdict from KSS, which it uses as a basis for permitting or blocking that particular IPC. For verdict calculation, it is not only the fact and type of communication that is taken into account but also the system’s topology, the context in which the communication takes place, as well as the assigned policy described within the framework of a set of formal security models.

KSS supports a large number of formal security models, for example, Domain Type Enforcement, Object Capability, Role-Based Access, diverse temporal logic dialects, etc. New models can be added when required.

This provides the developer with a flexible tool to describe security policies with as high a level of detail as required. We are not aware of any other solution that provides this degree of detail.

Security policies are defined in a high-level language, which greatly simplifies the verification of the solution in accordance with stipulated requirements. This also makes it possible to run formal verification of the described properties[1].

If we consider systems with limited functional capabilities that perform a limited set of functions, theoretically it’s possible to provide the specified security properties and guarantee there are no vulnerabilities in the software code.

As a solution grows progressively more complex, the addition of different protocols, algorithms, functions, etc. makes it impossible to guarantee there are no vulnerabilities in it. Special measures must be taken to ensure these vulnerabilities cannot be exploited or that their exploitation does not lead to undesirable consequences. These protection measures should include isolation of processes, restricted access to resources, attack detection systems and countermeasures, etc. In that case, the security properties must be guaranteed by the system’s trusted components, i.e., by the OS kernel, security features, subsystems providing specific types of protection, such as cryptographic protection, etc.

At the same time, the relevant security policies need to be defined in an increasingly detailed way, and there comes a point when the capabilities of policy refinement reach a limit. For example, capability-based policies can allow or deny access to a certain resource, though there is no ability to define a situation in which such access would be contingent on something. In such cases, the required security properties are considered functional requirements, and are implemented in the solution’s code along with its other features. This leads to a progressive growth in the volume of the code base that needs to be controlled, and ensuring its verifiability becomes an increasingly challenging task. Consequently, the solution again becomes insecure.

With the help of KasperskyOS and KSS, it’s possible to provide as detailed a description of security properties as desired, and through decomposition of the solution it’s possible to select a limited set of individual modules containing the minimum required functions that require verification. These modules can be viewed as standalone and isolated – their verification then becomes easy.

The code base of KSS responsible for implementing the solution’s security policies can be generated, is formally verifiable[2] and, in this sense, it is trusted. This solves the problem of uncontrolled growth of the code base to which requirements of trust are imposed.

Since security properties are defined regardless of the functional logic, the developer can construct a security system for their solutions without taking into account the details of how specific components are implemented.

The described capabilities of KasperskyOS make it possible to follow a natural course of developing secure solutions that includes the following steps:

  1. Threat analysis and threat modeling.
  2. Development of a set of formal security policies to counter the threats described in step 1.
  3. Decomposition of the solution into security domains, and definition of IPC interfaces in line with the data obtained at step 2.
  4. Implementation of the solution in line with the data obtained at step 3, and configuration of security policies aligned with the results obtained at step 2.

The ability to follow the described process of development is an important methodological advantage over other operating systems. This ensures a key advantage of KasperskyOS: complex systems can be built to meet specific information security characteristics.

KasperskyOS supports virtualization with the help of the Kaspersky Secure Hypervisor (KSH) application. Its key feature is that it can work together with KSS to implement security policies related to the control of virtual machine access to the hypervisor’s internal resources. KSH is a lightweight solution. This makes it possible to verify its code base and means it can be viewed as being part of a trusted platform. The hypervisor can apply KSS verdicts to its internal processes even in situations where cross-domain interaction does not take place.

This capability does not exist in any other virtualization solutions; it is only possible to set rules to define how a specific virtual machine interacts with other isolated components of the system.


Now, in the internet-of-things era, cybersecurity issues surrounding connected devices are becoming increasingly critical. In our opinion, it is the security of the operating system that defines the overall level of cybersecurity of an entire embedded system. Unfortunately, issues of information security are still not given sufficient consideration during the development of operating systems. For nearly half of the operating systems we have considered, information security aspects are either not addressed whatsoever, or the functions associated with information security are implemented at a level that is unsatisfactory.

We hope that this review will, firstly, encourage the developers of operating systems for embedded systems to devote more attention to issues of cybersecurity, and, secondly, help developers choose an operating system for their projects. After all, it’s important for all of us that the internet of things doesn’t grow into an internet of threats.

[1] No formal verification of KSS has been performed as of yet; however, the approach employed allows for it.
[2] At this time, the requirement of formal verifiability is not met; however, there are vigorous efforts being made towards this end.

Olympic Destroyer is still alive

19 Červen, 2018 - 12:00

In March 2018 we published our research on Olympic Destroyer, an advanced threat actor that hit organizers, suppliers and partners of the Winter Olympic Games 2018 held in Pyeongchang, South Korea. Olympic Destroyer was a cyber-sabotage attack based on the spread of a destructive network worm. The sabotage stage was preceded by reconnaissance and infiltration into target networks to select the best launchpad for the self-replicating and self-modifying destructive malware.

We have previously emphasized that the story of Olympic Destroyer is different to that of other threat actors because the whole attack was a masterful operation in deception. Despite that, the attackers made serious mistakes, which helped us to spot and prove the forgery of rare attribution artefacts. The attackers behind Olympic Destroyer forged automatically generated signatures, known as Rich Header, to make it look like the malware was produced by Lazarus APT, an actor widely believed to be associated with North Korea. If this is new to the reader, we recommend a separate blog dedicated to the analysis of this forgery.

The deceptive behavior of Olympic Destroyer, and its excessive use of various false flags, which tricked many researchers in the infosecurity industry, got our attention. Based on malware similarity, the Olympic Destroyer malware was linked by other researchers to three Chinese speaking APT actors and the allegedly North Korean Lazarus APT; some code had hints of the EternalRomance exploit, while other code was similar to the Netya (Expetr/NotPetya) and BadRabbit targeted ransomware. Kaspersky Lab managed to find lateral movement tools and initial infection backdoors, and has followed the infrastructure used to control Olympic Destroyer in one of its South Korean victims.

Some of the TTPs and operational security used by Olympic Destroyer bear a certain resemblance to Sofacy APT group activity. When it comes to false flags, mimicking TTPs is much harder than tampering with technical artefacts. It implies a deep knowledge of how the actor being mimicked operates as well as operational adaptation to these new TTPs. However, it is important to remember that Olympic Destroyer can be considered a master in the use of false flags: for now we assess that connection with low to moderate confidence.
We decided to keep tracking the group and set our virtual ‘nets’ to catch Olympic Destroyer again if it showed up with a similar arsenal. To our surprise it has recently resurfaced with new activity.

In May-June 2018 we discovered new spear-phishing documents that closely resembled weaponized documents used by Olympic Destroyer in the past. This and other TTPs led us to believe that we were looking at the same actor again. However, this time the attacker has new targets. According to our telemetry and the characteristics of the analyzed spear-phishing documents, we believe the attackers behind Olympic Destroyer are now targeting financial organizations in Russia, and biological and chemical threat prevention laboratories in Europe and Ukraine. They continue to use a non-binary executable infection vector and obfuscated scripts to evade detection.

Simplified infection procedure

Infection Analysis

In reality the infection procedure is a bit more complex and relies on multiple different technologies, mixing VBA code, Powershell, MS HTA, with JScript inside and more Powershell. Let’s take a look at this more closely to let incident responders and security researchers recognize such an attack at any time in the future.

One of the recent documents that we discovered had the following properties:

MD5: 0e7b32d23fbd6d62a593c234bafa2311
SHA1: ff59cb2b4a198d1e6438e020bb11602bd7d2510d
File Type: Microsoft Office Word
Last saved date: 2018-05-14 15:32:17 (GMT)
Known file name: Spiez CONVERGENCE.doc

The embedded macro is heavily obfuscated. It has a randomly-generated variable and function name.

Obfuscated VBA macro

Its purpose is to execute a Powershell command. This VBA code was obfuscated with the same technique used in the original Olympic Destroyer spear-phishing campaign.

It starts a new obfuscated Powershell scriptlet via the command line. The obfuscator is using array-based rearranging to mutate original code, and protects all commands and strings such as the command and control (C2) server address.

There is one known obfuscation tool used to produce such an effect: Invoke-Obfuscation.

Obfuscated commandline Powershell scriptlet

This script disables Powershell script logging to avoid leaving traces:

It has an inline implementation of the RC4 routine in Powershell, which is used to decrypt additional payload downloaded from Microsoft OneDrive. The decryption relies on a hardcoded 32-byte ASCII hexadecimal alphabet key. This is a familiar technique used in other Olympic Destroyer spear-phishing documents in the past and in Powershell backdoors found in the infrastructure of Olympic Destroyer’s victims located in Pyeongchang.


The second stage payload downloaded is an HTA file that also executes a Powershell script.

Downloaded access.log.txt

This file has a similar structure to the Powershell script executed by the macro in spear-phishing attachments. After deobfuscating it, we can see that this script also disables Powershell logging and downloads the next stage payload from the same server address. It also uses RC4 with a pre-defined key:

The final payload is the Powershell Empire agent. Below we partially provide the http stager scriptlet for the downloaded Empire agent.

Powershell Empire is a post-exploitation free and open-source framework written in Python and Powershell that allows fileless control of the compromised hosts, has modular architecture and relies on encrypted communication. This framework is widely used by penetration-testing companies in legitimate security tests for lateral movement and information gathering.


We believe that the attackers used compromised legitimate web servers for hosting and controlling malware. Based on our analysis, the URI path of discovered C2 servers included the following paths:

  • /components/com_tags/views
  • /components/com_tags/views/admin
  • /components/com_tags/controllers
  • /components/com_finder/helpers
  • /components/com_finder/views/
  • /components/com_j2xml/
  • /components/com_contact/controllers/

These are known directory structures used by a popular open source content management system, Joomla:

Joomla components path on Github

Unfortunately we don’t know what exact vulnerability was exploited in the Joomla CMS. What is known is that one of the payload hosting servers used Joomla v1.7.3, which is an extremely old version of this software, released in November 2011.

A compromised server using Joomla

Victims and Targets

Based on several target profiles and limited victim reports, we believe that the recent operation by Olympic Destroyer targets Russia, Ukraine and several other European countries. According to our telemetry, several victims are entities from the financial sector in Russia. In addition, almost all the samples we found were uploaded to a multi-scanner service from European countries such as the Netherlands, Germany and France, as well as from Ukraine and Russia.

Location of targets in recent Olympic Destroyer attacks

Since our visibility is limited, we can only speculate about the potential targets based on the profiles suggested by the content of selected decoy documents, email subjects or even file names picked by the attackers.

One such decoy document grabbed our attention. It referred to ‘Spiez Convergence’, a bio-chemical threat research conference held in Switzerland, organized by SPIEZ LABORATORY, which not long ago was involved in the Salisbury attack investigation.

Decoy document using Spiez Convergence topic

Another decoy document observed in the attacks (‘Investigation_file.doc’) references the nerve agent used to poison Sergey Skripal and his daughter in Salisbury:

Some other spear-phishing documents include words in the Russian and German language in their names:

  • 9bc365a16c63f25dfddcbe11da042974 Korporativ.doc
  • da93e6651c5ba3e3e96f4ae2dd763d94 Korporativ_2018.doc
  • e2e102291d259f054625cc85318b7ef5 E-Mail-Adressliste_2018.doc

One of the documents included a lure image with perfect Russian language in it.

A message in Russian encouraging the user to enable macro (54b06b05b6b92a8f2ff02fdf47baad0e)

One of the most recent weaponized documents was uploaded to a malware scanning service from Ukraine in a file named ‘nakaz.zip’, containing ‘nakaz.doc’ (translated as ‘order.doc’ from Ukrainian).

Another lure message to encourage the user to enable macro

According to metadata, the document was edited on June 14th. The Cyrillic messages inside this and previous documents are in perfect Russian, suggesting that it was probably prepared with the help of a native speaker and not automated translation software.

Once the user enables macro, a decoy document is displayed, taken very recently from a Ukrainian state organization (the date inside indicates 11 June 2018). The text of the document is identical to the one on the official website of the Ukrainian Ministry of Health.

Decoy document inside nakaz.doc

Further analysis of other related files suggest that the target of this document is working in the biological and epizootic threat prevention field.


Although not comprehensive, the following findings can serve as a hint to those looking for a better connection between this campaign and previous Olympic Destroyer activity. More information on overlaps and reliable tracking of Olympic Destroyer attacks is available to subscribers of Kaspersky Intelligence Reporting Services (see below).

Similar obfuscated macro structure

The documents above show apparent structural similarity as if they were produced by the same tool and obfuscator. The highlighted function name in the new wave of attacks isn’t in fact new. While being uncommon, a function named “MultiPage1_Layout” was also found in the Olympic Destroyer spear phishing document (MD5: 5ba7ec869c7157efc1e52f5157705867).

Same MultiPage1_Layout function name used in older campaign


Despite initial expectations for it to stay low or even disappear, Olympic Destroyer has resurfaced with new attacks in Europe, Russia and Ukraine. In late 2017, a similar reconnaissance stage preceded a larger cyber-sabotage stage meant to destroy and paralyze infrastructure of the Winter Olympic Games as well as related supply chains, partners and even venues at the event location. It’s possible that in this case we have observed a reconnaissance stage that will be followed by a wave of destructive attacks with new motives. That is why it is important for all bio-chemical threat prevention and research companies and organizations in Europe to strengthen their security and run unscheduled security audits.

The variety of financial and non-financial targets could indicate that the same malware was used by several groups with different interests – i.e. a group primarily interested in financial gain through cybertheft and another group or groups looking for espionage targets. This could also be a result of cyberattack outsourcing, which is not uncommon among nation state actors. On the other hand, the financial targets might be another false flag operation by an actor who has already excelled at this during the Pyeongchang Olympics to redirect researchers’ attention.

Certain conclusions could be made based on motives and the selection of targets in this campaign. However, it is easy to make a mistake when trying to answer the question of who is behind this campaign with only the fragments of the picture that are visible to researchers. The appearance, at the start of this year, of Olympic Destroyer with its sophisticated deception efforts, changed the attribution game forever. We believe that it is no longer possible to draw conclusions based on few attribution vectors discovered during regular investigation. The resistance to and deterrence of threats such as Olympic Destroyer should be based on cooperation between the private sector and governments across national borders. Unfortunately, the current geopolitical situation in the world only boosts the global segmentation of the internet and introduces many obstacles for researchers and investigators. This will encourage APT attackers to continue marching into the protected networks of foreign governments and commercial companies.

The best thing we can do as researchers is to keep tracking threats like this. We will keep monitoring Olympic Destroyer and report on new discovered activities of this group.

More details about Olympic Destroyer and related activity are available to subscribers of Kaspersky Intelligence Reporting services. Contact: intelreports@kaspersky.com

Indicators Of Compromise File Hashes

9bc365a16c63f25dfddcbe11da042974 Korporativ .doc
da93e6651c5ba3e3e96f4ae2dd763d94 Korporativ_2018.doc
6ccd8133f250d4babefbd66b898739b9 corporativ_2018.doc
abe771f280cdea6e7eaf19a26b1a9488 Scan-2018-03-13.doc.bin
b60da65b8d3627a89481efb23d59713a Corporativ_2018.doc
bb5e8733a940fedfb1ef6b0e0ec3635c recommandation.doc
97ddc336d7d92b7db17d098ec2ee6092 recommandation.doc
1d0cf431e623b21aeae8f2b8414d2a73 Investigation_file.doc
0e7b32d23fbd6d62a593c234bafa2311 Spiez CONVERGENCE.doc
e2e102291d259f054625cc85318b7ef5 E-Mail-Adressliste_2018.doc
4247901eca6d87f5f3af7df8249ea825 nakaz.doc

Domains and IPs


LuckyMouse hits national data center to organize country-level waterholing campaign

13 Červen, 2018 - 12:00

What happened?

In March 2018 we detected an ongoing campaign targeting a national data center in the Central Asia that we believe has been active since autumn 2017. The choice of target made this campaign especially significant – it meant the attackers gained access to a wide range of government resources at one fell swoop. We believe this access was abused, for example, by inserting malicious scripts in the country’s official websites in order to conduct watering hole attacks.

The operators used the HyperBro Trojan as their last-stage in-memory remote administration tool (RAT). The timestamps for these modules are from December 2017 until January 2018. The anti-detection launcher and decompressor make extensive use of Metasploit’s shikata_ga_nai encoder as well as LZNT1 compression.

Kaspersky Lab products detect the different artifacts used in this campaign with the following verdicts: Trojan.Win32.Generic, Trojan-Downloader.Win32.Upatre and Backdoor.Win32.HyperBro. A full technical report, IoCs and YARA rules are available from our intelligence reporting service (contact us intelligence@kaspersky.com).

Who’s behind it?

Due to tools and tactics in use we attribute the campaign to LuckyMouse Chinese-speaking actor (also known as EmissaryPanda and APT27). Also the C2 domain update.iaacstudio[.]com was previously used in their campaigns. The tools found in this campaign, such as the HyperBro Trojan, are regularly used by a variety of Chinese-speaking actors. Regarding Metasploit’s shikata_ga_nai encoder – although it’s available for everyone and couldn’t be the basis for attribution, we know this encoder has been used by LuckyMouse previously.

Government entities, including the Central Asian ones also were a target for this actor before. Due to LuckyMouse’s ongoing waterholing of government websites and the corresponding dates, we suspect that one of the aims of this campaign is to access web pages via the data center and inject JavaScripts into them.

How did the malware spread?

The initial infection vector used in the attack against the data center is unclear. Even when we observed LuckyMouse using weaponized documents with CVE-2017-118822 (Microsoft Office Equation Editor, widely used by Chinese-speaking actors since December 2017), we can´t prove they were related to this particular attack. It’s possible the actor used a waterhole to infect data center employees.

The main C2 used in this campaign is bbs.sonypsps[.]com, which resolved to IP-address, that belongs to the Ukrainian ISP network, held by a Mikrotik router using firmware version 6.34.4 (from March 2016) with SMBv1 on board. We suspect this router was hacked as part of the campaign in order to process the malware’s HTTP requests. The Sonypsps[.]com domain was last updated using GoDaddy on 2017-05-05 until 2019-03-13.

FMikrotik router with two-year-old firmware and SMBv1 on board used in this campaign

In March 2017, Wikileaks published details about an exploit affecting Mikrotik called ChimayRed. According to the documentation, however, it doesn’t work for firmware versions higher than 6.30. This router uses version 6.34.

There were traces of HyperBro in the infected data center from mid-November 2017. Shortly after that different users in the country started being redirected to the malicious domain update.iaacstudio[.]com as a result of the waterholing of government websites. These events suggest that the data center infected with HyperBro and the waterholing campaign are connected.

What did the malware do in the data center?

Anti-detection stages. Different colors show the three dropped modules: legit app (blue), launcher (green), and decompressor with the Trojan embedded (red)

The initial module drops three files that are typical for Chinese-speaking actors: a legit Symantec pcAnywhere (IntgStat.exe) for DLL side loading, a .dll launcher (pcalocalresloader.dll) and the last-stage decompressor (thumb.db). As a result of all these steps, the last-stage Trojan is injected into svchost.exe’s process memory.

The launcher module, obfuscated with the notorious Metasploit’s shikata_ga_nai encoder, is the same for all the droppers. The resulting deobfuscated code performs typical side loading: it patches pcAnywhere’s image in memory at its entry point. The patched code jumps back to the decryptor’s second shikata_ga_nai iteration, but this time as part of the whitelisted application.

This Metasploit’s encoder obfuscates the last part of the launcher’s code, which in turn resolves the necessary API and maps thumb.db into the same process’s (pcAnywhere) memory. The first instructions in the mapped thumb.db are for a new shikata_ga_nai iteration. The decrypted code resolves the necessary API functions, decompresses the embedded PE file with RtlCompressBuffer() using LZNT1 and maps it into memory.

What does the resulting watering hole look like?

The websites were compromised to redirect visitors to instances of both ScanBox and BEeF. These redirects were implemented by adding two malicious scripts obfuscated by a tool similar to the Dean Edwards packer.

Resulting script on the compromised government websites

Users were redirected to https://google-updata[.]tk:443/hook.js, a BEeF instance, and https://windows-updata[.]tk:443/scanv1.8/i/?1, an empty ScanBox instance that answered a small piece of JavaScript code.


LuckyMouse appears to have been very active recently. The TTPs for this campaign are quite common for Chinese-speaking actors, where they typically provide new solid wrappers (launcher and decompressor protected with shikata_ga_nai in this case) around their RATs (HyperBro).

The most unusual and interesting point here is the target. A national data center is a valuable source of data that can also be abused to compromise official websites. Another interesting point is the Mikrotik router, which we believe was hacked specifically for the campaign. The reasons for this are not very clear: typically, Chinese-speaking actors don’t bother disguising their campaigns. Maybe these are the first steps in a new stealthier approach.

Some indicators of compromise




HyperBro in-memory Trojan

Domains and IPs

A MitM extension for Chrome

6 Červen, 2018 - 12:00

Browser extensions make our lives easier: they hide obtrusive advertising, translate text, help us choose in online stores, etc. There are also less desirable extensions, including those that bombard us with advertising or collect information about our activities. These pale into insignificance, however, when compared to extensions whose main aim is to steal money. To protect our customers, we automatically process large numbers of extensions from a variety of sources. This includes downloading and analyzing suspicious extensions from Chrome Web Store. One extension, in particular, recently caught our attention because it communicated with a suspicious domain.

The Google Chrome extension named Desbloquear Conteúdo (which means ‘Unblock Content’ in Portuguese) targeted users of Brazilian online banking services – all the attempted installations that we traced occurred in Brazil. The aim of this malicious extension is to harvest user logins and passwords and then steal money from their bank accounts. Kaspersky Lab products detect the extension as HEUR:Trojan-Banker.Script.Generic.

Geographic distribution of security product detections of the script fundo.js, one of the extension components

By the time of publication, the malicious extension had already been removed from Chrome Web Store.

The malicious extension in Chrome Web Store

Analysis of malicious extension

Malicious browser extensions often use different techniques (e.g. obfuscation) to prevent detection by security software. The developers of this specific extension, however, didn’t obfuscate its source code, opting instead for a different approach. This piece of malware uses the WebSocket protocol for data communication, making it possible to exchange messages with the C&C server in real time. This means the C&C starts acting as a proxy server to which the extension redirects traffic when the victim visits the site of a Brazilian bank. Essentially, this is a man-in-the-middle attack.

The Desbloquear Conteúdo extension consists of two JS scripts. Let’s take a closer look at them.


The first thing that catches the eye in the script’s code is the function websocket_init(). This is where a WebSocket connection is established. Data is then downloaded from the server (ws://exalpha2018[.]tk:2018) and saved to chrome.storage under the key ‘manualRemovalStorage’.

Download of data from C&C via a WebSocket connection

Data downloaded and saved by the extension

As a result of contacting hxxp://exalpha2018[.]tk/contact-server/?modulo=get, the extension receives the IP address to which user traffic will be redirected.

IP address received from C&C server

The IP to which all user traffic is then redirected

It’s worth mentioning here the Proxy Auto Configuration technology. Modern browsers use a special file written in JavaScript which has just one function: FindProxyForURL. With this function, the browser defines which proxy server to use to establish a connection to various domains.

The fundo.js script uses the Proxy Auto Configuration technology at the time of the function call implement_pac_script. This results in the function FindProxyForURL being replaced with a new one that redirects user traffic to the malicious server, but only when a user visits the web page of a Brazilian bank.

Changing browser settings to redirect user traffic


In this script, the following section of code is the most important:

Execution of the downloaded malicious code on web pages belonging to banks

Just like with fundo.js, data downloaded from the server is saved to manualRemovalStorage. The data includes the domains of several Brazilian banks and the code the browser should execute if a user visits one of the relevant sites.

pages.js downloads the following scripts from the domain ganalytics[.]ga and launches them on the banks’ sites:

  • ganalytics[.]ga/bbf.js,
  • ganalytics[.]ga/bbj.js,
  • ganalytics[.]ga/cef.js,
  • ganalytics[.]ga/itf.js,
  • ganalytics[.]ga/itf_new.js.

Web Antivirus detection statistics for attempts to contact ganalytics[.]ga

All the above scripts have similar functionalities and are designed to steal the user’s credentials. Let’s take a look at one of them.


One of this script’s functions is to add specific HTML code to the main page of the online banking system.

Addition of malicious code to the web page

A closer look at the code that’s returned after contacting the server reveals that it’s needed to collect the one-time passwords used for authentication on the bank’s site.

Interception of users’ one-time passwords

If a user is on the page where logins and passwords are entered, the script creates a clone of the ‘Enter’ button. A function is also created to click this button. The password is stored in the cookie files of this function for subsequent transfer to the C&C and the real button, which is overlaid and hidden from the victim, is then clicked.

Copy of the ‘Enter’ button is created and the login and password for an online banking service are intercepted

As a result, the password to the user’s account is sent to the online banking system as well as to the malicious server.

Sending of all intercepted data to the C&C

Additional analysis of the web resources used in the attack (courtesy of the KL Threat Intelligence Portal) yields some interesting information. In particular, the aforementioned ganalytics[.]ga is registered in the Gabon domain zone, which is why WHOIS services don’t provide much information about it:

WHOIS info for ganalytics[.]ga

However, the IP address where it’s hosted is also associated with several other interesting domains.

A fragment of DNS data from KSN

It’s clear that this IP address is (or was) associated with several other domains with tell-tale names containing the keywords advert, stat, analytic and registered in Brazil’s domain zone. It’s noteworthy that many of them were involved in distributing web miners last autumn, with the mining scripts being downloaded when legitimate Brazilian bank sites were visited.

Fragments of KSN data related to advstatistics.com[.]br

When malware is loaded while the user is visiting a legitimate site, it usually indicates that traffic is being modified locally on the user’s computer. Other things about this case, namely the fact that it targeted Brazilian users and that it used the same IP address that was used in previous attacks, suggest that this browser extension (or related versions of it) earlier had functionality to add cryptocurrency mining scripts to the banking sites users were visiting at the moment the extension was downloaded to their devices.


Browser extensions designed to steal logins and passwords are quite rare. However, they need to be taken seriously given the potential damage they could cause. We recommend that users only install verified extensions with large numbers of installations and reviews in Chrome Web Store or another official service. In spite of the protection measures implemented by the owners of such services, malicious extensions can still end up being published in them – we’ve covered one such case. Also, it wouldn’t hurt to have a security product installed on your device that issues a warning whenever an extension acts suspiciously.

FIFA public Wi-Fi guide: which host cities have the most secure networks?

4 Červen, 2018 - 13:11

We all know how easy it is for users to connect to open Wi-Fi networks in public places. Well, it is equally straightforward for criminals to position themselves near poorly protected access points – where they can intercept network traffic and compromise user data.

A lack of essential traffic encryption for Wi-Fi networks where official and global activities are taking place – such as at locations around the forthcoming FIFA World Cup 2018 – offers especially fertile ground for criminals.

With this in mind, can football fans feel digitally safe in host cities? How does the situation with Wi-Fi access differ from town to town? To answer these questions, we have analyzed existing reliable and unreliable access points in 11 FIFA World Cup host cities – Saransk, Samara, Nizhny Novgorod, Kazan, Volgograd, Moscow, Ekaterinburg, Sochi, Rostov, Kaliningrad, and Saint Petersburg.

The main feature of the research is telemetry, which aims to secure users’ Wi-Fi connections and turn on VPNs when needed. Statistics were generated from users who voluntarily agreed to having their data collected. For the research, we only evaluated the security of public Wi-Fi spots. Even with relatively few public Wi-Fi spots in small towns, we still obtained a sufficient base for analysis – almost 32,000 Wi-Fi hotspots. While checking encryption and authentication algorithms, we counted the number of WPA2 and open networks, as well as their share among all the access points.

Security of Wireless Networks in FIFA World Cup host cities

Using the methodology described above, we have evaluated the security of Wi-Fi access points in 11 FIFA World Cup 2018 host cities.

Encryption types used in public Wi-Fi hotspots in FIFA World Cup host cities

Over a fifth (22.4%) of Wi-Fi hotspots in FIFA World Cup 2018 host cities use unreliable networks. This means that criminals simply need to be located near an access point to grab the traffic and get their hands on user data.

Around three quarters of all access points use encryption based on the Wi-Fi Protected Access (WPA/WPA2) protocol family, which is considered to be one of the most secure. The level of protection mostly depends on the settings, such as the strength of the password set by the hotspot owner. The complicated encryption key can take years to successfully hack.

It should also be noted that even reliable networks, like WPA2, cannot be automatically considered as totally secure. They still give in to brute-force, dictionary, and key reinstallation attacks, of which there are a large number of tutorials and open source tools available online. Any attempt to intercept traffic from WPA Wi-Fi in public access points can also be made by penetrating the gap between the access point and the device at the beginning of the session.

Geography of Unsecured Wi-Fi Access Points

Encryption types used in public Wi-Fi hotspots in FIFA World Cup host cities

The safest city (in terms of public Wi-Fi) turned out to be Saransk, with 72% of access points secured by WPA/WPA2 protocol encryption.

The top-three cities with the highest proportion of unsecured connections are Saint Petersburg (48% of Wi-Fi access points are unsecured), Kaliningrad (47%) and Rostov (44%).

Again, the relativity of the results should be noted. Even a WPA2 connection in a cafe couldn’t be considered as secure, if the password is visible to everyone. Nevertheless, we believe that the methodology used represents the Wi-Fi hot-spot security situation in the host cities, with a fair degree of accuracy.

The results of this research show that the security of Wi-Fi connections in FIFA World Cup hosts cities varies. Therefore. We therefore recommend that users follow some key safety rules.

Recommendations for Users

If you are going to visit any of the FIFA World Cup 2018 host cities and use open Wi-Fi networks while you are there, remember to follow these simple rules to help protect your personal data:

  • Whenever possible, connect via a Virtual Private Network (VPN). With a VPN, encrypted traffic is transmitted over a protected tunnel, meaning that criminals won’t be able to read your data, even if they gain access to it. For example, the Kaspersky Secure Connection VPN solution can switch on automatically when a connection is not safe.
  • Do not trust networks that are not password-protected, or have easy-to-guess or easy-to-find passwords.
  • Even if a network requests a strong password, you should remain vigilant. Fraudsters can find out the network password at a coffee shop, for example, and then create a fake connection using the same password. This allows them to easily steal personal user data. You should only trust network names and passwords given to you by the employees of an establishment.
  • To maximize your protection, turn off your Wi-Fi connection whenever you are not using it. This will also save your battery life. We recommend you also disable automatic connections to existing Wi-Fi networks.
  • If you are not 100% sure that the wireless network you are using is secure, but you still need to connect to the Internet, try to limit yourself to basic user actions such as searching for information. You should refrain from entering your login details for social networks or mail services, and definitely do not perform any online banking operations or enter your bank card details anywhere. This will avoid situations where your sensitive data or passwords are intercepted and then used for malicious purposes later on.
  • To avoid becoming a cybercriminal target, you should enable the “Always use a secure connection” (HTTPS) option in your device settings. Enabling this option is recommended when visiting any websites you think may lack the necessary protection.

One example of a dedicated solution is the Secure Connection tool included in the latest versions of Kaspersky Internet Security and Kaspersky Total Security. This module protects users who are connected to Wi-Fi networks by providing them with a secure encrypted connection channel. Secure Connection can be launched manually or, depending on the settings, activated automatically when connecting to public Wi-Fi networks, when navigating to online banking and payment systems or online stores, and when communicating online (via mail services, social networks, etc.).


1 Červen, 2018 - 11:00

Children today are completely at home in the digital space. They use digital diaries and textbooks at school, communicate via instant messaging, play games on mobile devices (not to mention PCs and consoles), and create mini masterpieces on tablets and laptops. This total immersion in the digital universe is a concern for many parents, but if they want their child to spend time online safely and usefully, they must not only understand the basic concepts of digital security and have a grasp of the threats, but also be able to explain them to their kid.

The Parental Control module in Kaspersky Lab products and the standalone multiplatform solution Kaspersky Safe Kids protect children from undesirable content. They allow us to collect anonymous statistics about children’s online activities for which filtering is suggested, and every year we analyze this data to find out what their interests are and how they are adapting in the digital world.

How statistics are collected

Kaspersky Lab solutions scan the content of web pages that children try to access. If a particular site belongs to one of 14 unwanted categories, the module sends a notification to the Kaspersky Security Network (there is no transfer of personal user data and no violation of privacy). There are two important things to note here:

  • Parents decide for themselves what content should be blocked and configure the application accordingly. However, anonymous statistics are collected for all 14 categories.
  • Data is harvested only from computers running Windows and Mac OS; no mobile statistics are provided in this report.
Website categorization

In products with parental control functionality, web filtering is currently performed across the following categories:

Filtering search queries

Children’s search activity is the best indicator of their interests. Kaspersky Safe Kids can filter children’s queries in five different search engines (Bing, Google, Mail.ru, Yahoo!, Yandex) for six potentially dangerous topics: adult content, alcohol, narcotics (drugs), tobacco, racism, and profanity (bad language).

The search queries were distributed by language. Statistics for the English language are considered international due to its prevalence. All searches in the specific language, minus repeat queries, were taken as the 100% reference value. The popularity of each topic, defined as the percentage of queries related to it, is calculated both for each separate language and for the entire world.

Search queries sent to us during the period of November 2017 — May 2018 were broken down into several thematic categories:

  • Computer games
  • Music
  • Video
  • Anime
  • Shopping
  • Pornography and erotica
  • Online communication
  • Education
  • Sport
  • Translators
  • Other
Global picture Site categories

First of all, let’s look at which categories are most popular among children worldwide (by number of users who visited sites in the corresponding category as a percentage of all Parental Control and Safe Kids users in the world).

Distribution of Parental Control and Safe Kids notifications across 14 categories, May 2017 — May 2018

The most popular category of sites accessed by children from computers is “Internet communication media”, primarily social networks. That said, this category has been declining for a number of years due to the rise of mobile devices. Last year, for instance, its share was 61.32% worldwide, and two years ago it accounted for 67.17%.

The “Computer games” category has also been slipping year on year in the overall ranking of sites visited from computers. In 2015–2016 gaming sites accounted for 11.21%, in 2016-2017 the figure was 9.12%, and in the current reporting period their popularity fell to 4.99%.

After a sharp increase last year, the “Alcohol, tobacco, narcotics” category again slipped back. Whereas in 2015–2016 it accounted for 9.12% and in 2016–2017 14.13%, this year it was down to 6.32%.

The “Software, audio, video” category was in fifth place in the rating two years ago with a share of 3.44%. Last year it climbed to 6.23% and now ranks second with 22.40%.

Over the past two years, the share of visits to sites with adult content has been consistently under 2%. This category is even showing a downward trend: 1.49% in 2015–2016 and 1.16% in 2016–2017.

Search queries

The most popular online search topic for children worldwide is “Video” with a share of 17.25% (this includes queries related to video content, streaming services, search for video bloggers, serials, and films).

Distribution of users’ search queries by thematic categories, November 2017 — May 2018

In second place (13.59%) came the topic of text translation, especially popular in non-English-speaking countries. Many children whose mother tongue is Spanish, Italian, German, Russian, or French often search for “translator” or “google translate.”

Next, children look for things related to communication: social networks, instant messengers, email.

The fourth-placed category in the ranking of individual interests is computer games (9.09%). As for adult content, children search for the topic more often than they visit websites in this category.

Regional variations

As before, we selected six popular categories to be examined in detail. First, let’s look at the distribution of these categories across seven regions. We chose the following:

  • North America (USA, Canada)
  • Western Europe (Austria, Belgium, Britain, Ireland, Germany, Liechtenstein, Luxembourg, Monaco, France, Switzerland, Denmark, Sweden, Spain, Italy)
  • CIS (Russia, Belarus, Kazakhstan)
  • Latin America (Argentina, Brazil, Haiti, Guatemala, Honduras, Dominican Republic, Colombia, Mexico, Panama, Uruguay, Chile, Ecuador, Puerto Rico, Venezuela)
  • Asia (China, Singapore, Hong Kong, Macao, Taiwan, Japan, Korea)
  • The Arab world (Algeria, Bahrain, Djibouti, Egypt, Iraq, Jordan, Kuwait, Libya, Sudan, Tunisia, UAE, Yemen, Saudi Arabia)
  • Australia, New Zealand

Indicators for Top 6 categories of websites in different regions, May 2017 — May 2018

In the Arab world and Latin America, children prefer to access social networks and use instant messengers on a computer, while in North America and Western Europe this indicator is the lowest in the world.

Traditionally, the “Software, audio, video” category is most popular in Asia and least popular in the Arab world, respectively. Also unchanged is the level of interest of Australian, New Zealand, and North American children in the topic of “Alcohol, tobacco, narcotics”, while children in the Arab world show the least interest.

Asian children visit adult sites more often and are more likely to be interested in shopping.

Differences by country and language

To understand why some categories are rising in popularity, while others are declining, we took data from 16 countries across the six popular categories and examined it in detail. For our comparison, we took the share of users who visited sites of a certain category from the total number of Parental Control and Safe Kids users.

Online communication

We already noted that children are using computers less and less to communicate. Every year, social networks are increasingly migrating to mobile platforms (some like SnapChat and Instagram were initially designed for smartphones). It should be noted that not only social networks, messengers, and email fall into the Internet communication media category, but also forums, dating/friend-finding sites, and blogs.

Popularity of the “Internet communication media” category in different countries, May 2017 — May 2018

Saudi Arabia, Egypt, and the UAE are top in terms of number of children who prefer to use computers to visit social networking sites, and desktop versions of instant messengers. The most popular sites in this category in most countries are Facebook, Google Hangouts, Gmail, and Twitter.

Internet communication media. Distribution of thematic search queries by language, November 2017 — May 2018

Russian-speaking children are most likely to search for “online communication”. The most popular queries are “вк” and “вконтакте” (names for Vkontakte social network). That’s not surprising: as we said last year, VKontakte is the most popular social network among Russian-speaking children.

Next come English-language or international queries. The most popular is “Facebook,” followed by “Gmail” and “Instagram.” Portuguese-speaking children are interested in pictures in the social network Tumblr and “facebook login.”

Interestingly, children hardly ever search for dating/friend-finding apps, despite many video bloggers actively promoting them.

Software, audio, video

As we already mentioned, the “Software, audio, video” category is now almost four times as popular as in the previous report. Let’s analyze the content of this category and work out where the growth came from.

Popularity of the “Software, audio, video” website category in different countries, May 2017 — May 2018

A significant rise in the popularity of sites with video and audio content was observed among children in China. Compared with last year (18.45%), children consumed three times as much video and audio content on their computers (78.76%). The popular online music service Kuwo.cn was supplemented by the Chinese equivalents of YouTube — Iqiyi.com and youku.com (YouTube itself is blocked in China), as well as the online cinema Kankan.com.

German children, like most others in the world, prefer to spend time on YouTube, watch TV shows on Netflix, and video game streams on Twitch. In Russia, the most popular sites accessed from computers are also YouTube and Twitch.

What kind of video and audio do children search for? For convenience, we divided their search queries into three separate categories: video content, music, and anime.

Video. Distribution of thematic search queries by language, November 2017 — May 2018

As the international language, English is most commonly used for video content search. As might be expected, the most popular search query is “Youtube,” followed by “Netflix.”

Incidentally, the online cinema Netflix, which in early 2016 opened its virtual doors to users in 190 countries (having initially been available only in the US, Australia, New Zealand, and Canada), was the third most visited resource among children.

In Russian, children most often look for “ютуб” (YouTube), “мультики” (cartoons) and “гравити фолз” (Gravity Falls).

Anime. Distribution of thematic search queries by language, November 2017 — May 2018

Japanese and Chinese children are most interested in watching anime. Their search queries are well-informed and consist mainly of names of specific anime series. A small margin of error is admissible in these figures, since anime aficionados might search for content using the original names. Admittedly, without knowledge of Japanese or Chinese a full analysis of the search results is not really feasible.

Music. Distribution of thematic search queries by language, November 2017 — May 2018

The English-language queries give us an insight into which singers/groups children like and what music they listen to: the most common search was for information about the k-pop group Bangtan Boys. In addition to the long popular Justin Bieber and Taylor Swift, children searched for rap/hip-hop music, for example, rapper Lil Pump (especially his notorious hit track “Gucci Gang”), singers Nicki Minaj, Cardi B, and rap star Lil Peep, who died last year.

Among Portuguese-speaking children, singer Anitta, musical artist MC Kevinho, and rapper Ozuna are popular. In Germany, searches for Julien Bam, Mike Singer, and Lukas Rieger are most common. Judging by search queries, the favorites in Russia are Face, Allj, and Egor Kreed.

The most popular online music services were Spotify, iTunes, and Deezer.

Alcohol, tobacco, narcotics

Popularity of the “Alcohol, tobacco, narcotics” website category in different countries, May 2017 — May 2018

Compared to the year before, the number of visits to sites featuring the topic of alcohol, smoking, or drugs fell in Australia by 8.24 p.p. and in Britain by 19.03 p.p.

Overall, our analysis of search queries received from both PCs and mobile devices revealed little interest in this topic. Last year, we assumed that the surge in children’s interest in this category of websites was because e-cigarettes and vapes were trending. Now the trend is waning, and such sites are being visited less often.

Computer games

The Computer games category covers not only PC game websites, but all sites related to the gaming industry.

Popularity of the “Computer games” website category in different countries, May 2017 — May 2018

Our analysis of search queries showed children’s interest in game consoles, for example, Nintendo Switch, which was released in March 2017. Judging by the queries (for example, “nintendo switch,” “nintendo,” “legend of zelda,” “super mario odyssey”), the unit is very popular with children.

French-speaking children are the most likely to search for sites on gaming topics; for instance, the most popular query in this category is “jeux gratuits” (“free games”). Among the English-language queries, the most common are “roblox,” “fortnite,” and, of course, “minecraft.” Children are also extremely interested in “clash royale” (a game for Android and iOS released in March 2016).

Minecraft and Roblox remain very popular: PC sites connected with these games are the most visited. Overall, the number of game sites accessed from PCs almost halved against the previous year. Children prefer to watch game streaming on YouTube and Twitch (the “Software, audio, video” category), as shown by the increased number of visits to these sites and the rising popularity of YouTube’s dedicated gaming channel: gaming.youtube.com.

Games. Distribution of thematic search queries by language, November 2017 — May 2018

Electronic commerce

Popularity of the “Electronic commerce” website category in different countries, May 2017 — May 2018

Japanese children’s interest in online shopping fell almost threefold against last year, and in China almost fourfold. Nevertheless, children in Japan are still more likely than any others in the world to visit online stores. The most popular are amazon.co.jp, rakuten.ne.jp, and the Japanese clothes store Uniqlo. In Western and Arab countries, the picture remains unchanged: children most often visit Amazon, Ebay, H&M, and IKEA.

Shopping. Distribution of thematic search queries by language, November 2017 — May 2018

Children who speak German are the most likely to query search engines about shopping. Among the popular queries are “Ebay kleinanzeigen” (ads on Ebay) and “handyhüllen” (phone cases). The most popular queries in Portuguese were for the online stores Mercado Livre and Casas Bahia, while in English the top three were Amazon, Ebay, and Aliexpress.

Adult content

Popularity of the “Pornography, erotica” website category in different countries, May 2017 — May 2018

Pornographic content online continues to interest children, but to a far lesser extent than computer games, music, video, and social networks (where, it should be said, there is no shortage of pornography).

The topic is of greatest interest to children from Japan. This is also confirmed by the number of visits to porn sites (the most popular being dmm.co.jp, pornhub.com, and xvideos.com) from computers, and by the share of thematic search queries (mainly including names of famous Japanese porn stars).

The situation is ambiguous in Arab countries, where children visit adult sites from computers less often than other kids, yet search for porn more often. We would hazard a guess that they search for and watch pornography on mobile devices (unnoticed by parents, but not web filtering programs), not on computers. The most popular searches in the Arabic language are “whores,” “sex,” and “watch sex online.”

The Top 3 most popular porn sites among children have not changed for several years. They are PornHub, xHamster, and RedTube.

Porno. Distribution of thematic search queries by language, November 2017 — May 2018

Interestingly, the share of Russian-language porn-themed queries is one of the lowest. But don’t celebrate just yet. It might have something to do with the fact that in Russia the most popular social network among children and teenagers is VKontakte, where music, chat, and games often rub shoulders with pornographic content.

Other interests

In our study of children’s interests based on search queries, we selected a handful of separate topics that are not part of any web categorization, but illustrate fairly well what children do online.


Education. Distribution of thematic search queries by language, November 2017 — May 2018

Most study-related queries come from Chinese children. They search for information about the history of their country, works of art, and mathematical problems. Second place goes to Russian-speaking children. Their most popular queries are “гдз” (ready home assignments), “электронный дневник” (electronic diary), and “егэ/огэ” (unified/basic state exam).

English-language queries are fewer in number, but more diverse. They include mathematical games, dictionaries, space projects, and science in general. However, many established terms and concepts are written in English, so it’s possible to conclude that the above topics are of interest to children throughout the world.

Translators. Distribution of thematic search queries by language, November 2017 — May 2018

As we noted from the global statistics on search queries, “translators” accounted for 13.59% of all searches by children worldwide over the year. Above all, they were made by children from Spain, Germany, Russia, France, and Portugal. Most were searching for Google Translate. Moreover, children are interested in translating from their native language into English and vice versa, for example, “traductor ingles español,” “traduttore italiano inglese,” or “englisch deutsch.”


The final topic of interest to both us and the world’s children is sport.

Sport. Distribution of thematic search queries by language, November 2017 — May 2018

The most popular sport with children is soccer. French-speaking children search for Paris Saint-Germain F.C. and club’s star player Kylian Mbappé. Arabic-speaking children, meanwhile, are more interested in مانشستر يونايتد (Manchester United F.C.) and يلا شوت (yalla-shoot.com), a website with match results and sports broadcasts.

The 2018 Winter Olympics was the most common sports topic among children from Italy (olimpiadi invernali 2018).


Over the past year, children have been spending less time playing PC games and far more watching YouTube videos (often games, ironically), as well as TV shows and movies on Netflix. The younger generation is less inclined to visit social networks from computers, preferring mobile devices. Interest in tobacco, alcohol, and drugs is gradually declining, and computer games are more appealing to children than porn.

We can conclude that despite Parental Control being installed on devices (our Parental Control products are not invisible to the user), children do little to hide their interests and use the Internet not only for entertainment, but also for study. As for parents, information and knowledge about what their child is looking for can be used to build a dialogue and establish a trusting relationship.

Trojan watch

29 Květen, 2018 - 12:00

We continue to research how proliferation of IoT devices affects the daily lives of users and their information security. In our previous study, we touched upon ways of intercepting authentication data using single-board microcomputers. This time, we turned out attention to wearable devices: smartwatches and fitness trackers. Or more precisely, the accelerometers and gyroscopes inside them.

From the hoo-ha surrounding Strava, we already know that even impersonal data on user physical activity can make public what should be non-public information. But at the individual level, the risks are far worse: these smart devices are able to track the moments you’re entering a PIN code in an ATM, signing into a service, or unlocking a smartphone.

In our study, we examined how analyzing signals within wearable devices creates opportunities for potential intruders. The findings were less than encouraging: although looking at the signals from embedded sensors we investigated cannot (yet) emulate “traditional” keyloggers, this can be used to build a behavioral profile of users and detect the entry of critical data. Such profiling can happen discreetly using legitimate apps that run directly on the device itself. This broadens the capacity for cybercriminals to penetrate victims’ privacy and facilitates access to the corporate network of the company where they work.

So, first things first.

Behavioral profiling of users

When people hear the phrase ‘smart wearables’, they most probably think of miniature digital gadgets. However, it is important to understand that most smartwatches are cyberphysical systems, since they are equipped with sensors to measure acceleration (accelerometers) and rotation (gyroscopes). These are inexpensive miniature microcircuits that frequently contain magnetic field sensors (magnetometers) as well. What can be discovered about the user if the signals from these sensors are continuously logged? More than the owner of the gadget would like.

For the purpose of our study, we wrote a fairly simple app based on Google’s reference code and carried out some neat experiments with the Huawei Watch (first generation), Kingwear KW88, and PYiALCY X200 smartwatches based on the Android Wear 2.5 and Android 5.1 for Smartwatch operating systems. These watches were chosen for their availability and the simplicity of writing apps for them (we assume that exploiting the embedded gyroscope and accelerometer in iOS would follow a similar path).

Logging smartwatch signals during password entry

To determine the optimal sampling frequency of the sensors, we conducted a series of tests with different devices, starting with low-power models (in terms of processor) such as the Arduino 101 and Xiaomi Mi Band 2. However, the sensor sampling and data transfer rates were unsatisfactory — to obtain cross-correlation values that were more or less satisfactory required a sampling frequency of at least 50 Hz. We also rejected sampling rates greater than 100 Hz: 8 Kbytes of data per second might not be that much, but not for hours-long logs. As a result, our app sampled the embedded sensors with a frequency of 100 Hz and logged the instantaneous values of the accelerometer and gyroscope readings along three axes (x, y, z) in the phone’s memory.

Admittedly, getting a “digital snapshot” of a whole day isn’t that easy, because the Huawei watch’s battery life in this mode is no more than six hours.

But let’s take a look at the accelerometer readings for this period. The vertical axis shows the acceleration in m/s2, and the horizontal the number of samples (each corresponds to 10 milliseconds on average). For a complete picture, the accelerometer and gyroscope readings are presented in the graphs below.

Digital profile of a user recorded in one hour. Top — accelerometer signals, bottom — gyroscope signals

The graphs contains five areas in which different patterns are clearly visible. For those versed in kinematics, this graph tells a lot about the user.

The most obvious motion pattern is walking. We’ll start with that.

When the user is walking, the hand wearing the smartwatch oscillates like a pendulum. Pendulum swings are a periodic process. Therefore, if there are areas on the graph where the acceleration or orientation readings from the motion sensor vary according to the law of periodicity, it can be assumed that the user was walking at that moment. When analyzing the data, it is worth considering the accelerometer and gyroscope readings as a whole.

Let’s take a closer look at the areas with the greatest oscillations over short time intervals (the purple areas Pattern1, Pattern3, and Pattern5).

Accelerometer and gyroscope readings during walking

In our case, periodic oscillations of the hand were observed for a duration of 12 minutes (Pattern1, figure above). Without requesting geoinformation, it’s difficult to say exactly where the user was going, although a double numerical integration of the acceleration data shows with an accuracy up to the integration constants (initial velocity and coordinates) that the person was walking somewhere, and with varying characteristic velocity.

Result of the numerical integration of the accelerometer data, which gives an estimate of the user’s movement along the x and y axes in the space of one hour (z-axis displacement is zero, so the graph does not show it)

Note that plotting the Y-axis displacement relative to the X-axis displacement gives the person’s approximate path. The distances here are not overly precise, but they are in the order of thousands of meters, which is actually quite impressive, because the method is very primitive. To refine the distance traveled, anthropometric data can be used to estimate the length of each step (which is basically what fitness trackers do), but we shall not include this in our study.

Approximate path of the person under observation, determined on the basis of numerically integrating the accelerometer data along the X and Y axes

It is more difficult to analyze the less active areas. Clearly, the person was at rest during these periods. The orientation of the watch does not change, and there is acceleration, which suggests that the person is moving by car (or elevator).

Another 22-minute segment is shown below. This is clearly not walking — there are no observable periodic oscillations of the signal. However, we see a periodic change in the acceleration signal envelope along one axis. It might be a means of public transport that moves in a straight line, but with stops. What is it? Some sort of public transportation?

Accelerometer data when traveling on public transport

Here’s another time slice.

Pattern 3, accelerometer data

This seems to be a mixture of short periods of walking (for a few seconds), pauses, and abrupt hand movements. The person is presumably indoors.

Below we interpret all the areas on the graph.

Accelerometer and gyroscope readings with decoding of areas

These are three periods of walking (12, 3, and 5 minutes) interspersed with subway journeys (20 and 24 minutes). The short walking interval has some particular characteristics, since it involved changing from one subway line to another. These features are clearly visible, but our interest was in determining them using algorithms that can be executed on the wearable devices themselves. Therefore, instead of neural networks (which we know to be great at this kind of task), we used a simple cross-correlation calculation.

Taking two walking patterns (Walking1 and Walking2), we calculated their cross-correlation with each other and the cross-correlation with noise data using 10-second signal data arrays.

Experiment             max (cor) Ax max (cor) Ay max (cor) Az max (cor) Wx max (cor) Wy max (cor) Wz Walking1 and Walking2 0.73 0.70 0.64 0.62 0.41 0.83 Walking1 and Noise 0.33 0.30 0.32 0.30 0.33 0.33

Maxima of the functions for cross-correlation of walking patterns with each other and with an arbitrary noise pattern

It can be seen from the table that even this elementary approach for calculating cross-correlation functions allows us to identify the user’s movement patterns within his/her “digital snapshot” with an accuracy of up to 83% (given a very rough interpretation of the correlation). This indicator may not seem that high, but it should be stressed that we did not optimize the sample size and did not use more complex algorithms, for example, principle component analysis, which is assumed to work quite well in determining the characteristic parts of the signal log.

What does this provide to the potential attackers? Having identified the user’s movements in the subway, and knowing the characteristic directions of such movement, we can determine which subway line the user is traveling on. Sure, it would be much easier having data about the orientation of the X and Y axes in space, which could be obtained using a magnetometer. Unfortunately, however, the strong electromagnetic pickup from the electric motors, the low accuracy of determining a northerly direction, and the relatively few magnetometers in smartwatches forced us to abandon this idea.

Without data on the orientation of the X and Y axes in space (most likely, different for individual periods), the problem of decoding the motion trajectory becomes a geometric task of overlaying time slices of known length onto the terrain map. Again, placing ourselves in the attacker’s shoes, we would look for the magnetic field bursts indicate the acceleration/deceleration of an electric train (or tram or trolleybus), which can provide additional information allowing us to work out the number of interim points in the time slices of interest to us. But this too is outside the scope of our study.

Cyberphysical interception of critical data

But what does this all reveal about the user’s behavior? More than a bit, it turns out. It is possible to determine when the user arrives at work, signs into a company computer, unlocks his or her phone, etc. Comparing data on the subject’s movement with the coordinates, we can pinpoint the moments when they visited a bank and entered a PIN code at an ATM.

PIN codes

How easy is it to capture a PIN code from accelerometer and gyroscope signals from a smartwatch worn on the wrist? We asked four volunteers to enter personal PINs at a real ATM.

Accelerometer signals when entering a PIN code on an ATM keypad

Jumping slightly ahead, it’s not so simple to intercept an unencrypted PIN code from sensor readings by elementary means. However, this section of the “accelerometer log” gives away certain information — for example, the first half of the graph shows that the hand is in a horizontal position, while the oscillating values in the second half indicate keys being pressed on the ATM keypad. With neural networks, signals from the three axes of the accelerometer and gyroscope can be used to decipher the PIN code of a random person with a minimum accuracy of 80% (according to colleagues from Stevens Institute of Technology). The disadvantage of such an attack is that the computing power of smartwatches is not yet sufficient to implement a neural network; however, it is quite feasible to identify this pattern using a simple cross-correlation calculation and then transfer the data to a more powerful machine for decoding. Which is what we did, in fact.

Experiment             max (cor) Ax max (cor) Ay max (cor) Az max (cor) Wx max (cor) Wy max (cor) Wz One person and different tries 0.79 0.87 0.73 0.82 0.51 0.81

Maxima of the functions for cross-correlation of PIN entry data at an ATM

Roughly interpreting these results, it is possible to claim 87% accuracy in recovering the PIN entry pattern from the general flow of signal traffic. Not bad.

Passwords and unlock codes

Besides trips to the ATM, we were interested in two more scenarios in which a smartwatch can undermine user security: entering computer passwords and unlocking smartphones. We already knew the answer (for computers and phones) using a neural network, of course, but we still wanted to explore first-hand, so to speak, the risks of wearing a smartwatch.

Sure, capturing a password entered manually on a computer requires the person to wear a smartwatch on both wrists, which is an unlikely scenario. And although, theoretically, dictionaries could be used to recover semantically meaningful text from one-handed signals, it won’t help if the password is sufficiently strong. But, again, the main danger here is less about the actual recovery of the password from sensor signals than the ease of detecting when it is being entered. Let’s consider these scenarios in detail.

We asked four people to enter the same 13-character password on a computer 20 times. Similarly, we conducted an experiment in which two participants unlocked an LG Nexus 5X smartphone four times each with a 4-digit key. We also logged the movements of each participant when emulating “normal” behavior, especially in chat rooms. At the end of the experiment, we synchronized the time of the readings, cutting out superfluous signals.

In total, 480 discrete functions were obtained for all sensor axes. Each of them contains 250-350 readings, depending on the time taken to enter the password or arbitrary data (approximately three seconds).

Signal along the accelerometer and gyroscope axes for four attempts by one person to enter one password on a desktop computer

To the naked eye, the resulting graphs are almost identical; the extremes coincide, partly because the password and mode of entry were identical in all attempts. This means that the digital fingerprints produced by one and the same person are very similar to each other.

Signals along the accelerometer and gyroscope axes for attempts to enter the same password by different people on a desktop computer

When overlaying the signals received from different people, it can be seen that, although the passphrase is the same, it is entered differently, and even visually the extremes do not coincide!

Attempts to enter a smartphone unlock code by two different people

It is a similar story with mobile phones. Moreover, the accelerometer captures the moments when the screen is tapped with the thumb, from which the key length can be readily determined.

But the eye can be deceived. Statistics, on the other hand, are harder to hoodwink. We started with the simplest and most obvious method of calculating the cross-correlation functions for the password entry attempts by one person and for those by different people.

The table shows the maxima of the functions for cross-correlation of data for the corresponding axes of the accelerometer and gyroscope.

Experiment             max (cor) Ax max (cor) Ay max (cor) Az max (cor) Wx max (cor) Wy max (cor) Wz One person 0.92 0.63 0.71 0.55 0.76 0.96 Different persons 0.65 0.35 0.31 0.23 0.37 0.76

Maxima of the functions for cross-correlation of password input data entered by different people on a desktop computer

Broadly speaking, it follows that even a very simple cross-correlation calculation can identify a person with up to 96% accuracy! If we compare the maxima of the cross-correlation function for signals from different people in arbitrary text input mode, the correlation maximum does not exceed 44%.

Experiment             max (cor) Ax max (cor) Ay max (cor) Az max (cor) Wx max (cor) Wy max (cor) Wz One person and different activity 0.32 0.27 0.39 0.26 0.30 0.44

Maxima of the functions for cross-correlation of data for different activities (password entry vs. usual surfing)

Experiment             max (cor) Ax max (cor) Ay max (cor) Az max (cor) Wx max (cor) Wy max (cor) Wz One person 0.64 0.47 0.56 0.41 0.30 0.58 Different persons 0.33 0.40 0.40 0.32 0.38 0.34

Maxima of the functions for cross-correlation of data for an unlock code entered by one person and by different people

Note that the smallest cross-correlation function values were obtained for entering the smartphone unlock code (up to 64%), and the largest (up to 96%) for entering the computer password. This is to be expected, since the hand movements and corresponding acceleration (linear and angular) are minimal in the case of unlocking.

However, we note once more that the computing power available to a smartwatch is sufficient to calculate the correlation function, which means that a smart wearable gadget can perform this task by itself!


Speaking from the information security point of view, we can conclude that, without a doubt, portable cyberphysical systems expand the attack surface for potential intruders. That said, the main danger lies not in the direct interception of input data — that is quite difficult (the most successful results are achieved using neural networks) and thus far the accuracy leaves much to be desired. It lies instead in the profiling of users’ physical behavior based on signals from embedded sensors. Being “smart,” such devices are able to start and stop logging information from sensors not only through external commands, but on the occurrence of certain events or the fulfillment of certain conditions.

The recorded signals can be transmitted by the phone to the attacker’s server whenever the latter has access to the Internet. So an unassuming fitness app or a new watch face from the Google Play store can be used against you, right now in fact. The situation is compounded by the fact that, in addition to this app, simply sending your geotag once and requesting the email address linked to your Google Play account is enough to determine, based on your movements, who you are, where you’ve been, your smartphone usage, and when you entered a PIN at an ATM.

We found that extracting data from traffic likely to correspond to a password or other sensitive information (name, surname, email address) is a fairly straightforward task. Applying the full power of available recognition algorithms to these data on a PC or in cloud services, attackers, as shown earlier, can subsequently recover this sensitive information from accelerometer and gyroscope signal logs. Moreover, the accumulation of these signals over an extended period facilitates the tracking of user movements — and that’s without geoinformation services (such as GPS/GLONASS, or base station signals).

We established that the use of simple methods of analyzing signals from embedded sensors such as accelerometers and gyroscopes makes it possible (even with the computing power of a wearable device) to determine the moments when one and the same text is entered (for example, authentication data) to an accuracy of up to 96% for desktop computers and up to 64% for mobile devices. The latter accuracy could be improved by writing more complex algorithms for processing the signals received, but we intentionally applied the most basic mathematical toolbox. Considering that we viewed this experiment through the prism of the threat to corporate users, the results obtained for the desktop computer are a major cause for concern.

A probable scenario involving the use of wearable devices relates to downloading a legitimate app to a smartwatch — for example, a fitness tracker that periodically sends data packets of several dozen kilobytes in size to a server (for example, the uncompressed “signal signature” for the 13-character password was about 48 kilobytes).

Since the apps themselves are legitimate, we assume that, alongside our Android Wear/Android for Smartwatch test case, this scenario can be applied to Apple smartwatches, too.


There are several indications that an app downloaded onto a smartwatch might not be safe.

  1. If, for instance, the app sends a request for data about the user’s account (the GET_ACCOUNTS permission in Android), this is cause for concern, since cybercriminals need to match the “digital fingerprint” with its owner. However, the app can also allow the user to register by providing an email address — but in this case you are at least free to enter an address different to that of the Google Play account to which your bank card is linked.
  2. If the app additionally requests permission to send geolocation data, your suspicions should be aroused even further. The obvious advice in this situation is not to give additional permissions to fitness trackers that you download onto your smartwatch, and to specify a company email address at the time of registration.
  3. A short battery life can also be a serious cause for concern. If your gadget discharges in just a few hours, this is a sign that you may be under observation. Theoretically, a smartwatch can store logs of your activity with length up to dozens of hours and upload this data later.

In general, we recommend keeping a close eye on smartwatches sported by employees at your office, and perhaps regulating their use in the company’s security policies. We plan to continue our research into cyberphysical systems such as wearable smart gadgets, and the additional risks of using them.

2018 Fraud World Cup

28 Květen, 2018 - 12:00

There are only two weeks to go before the start of the massive soccer event — FIFA World Cup. This championship has already attracted the attention of millions worldwide, including a fair few cybercriminals. Long before kick-off, email accounts began bulging with soccer-related spam, and scammers started exploiting the topic in mailings and creating World Cup-themed phishing pages.

Our statistics show spikes in the number of phishing pages during match ticket sales. Every time tickets went on sale, fraudsters mailed out spam and activated clones of official FIFA pages and sites offering fake giveaways allegedly from partner companies. But as the event draws nearer, cyber scams are reaching fever pitch. We present our observations below.

Fake lottery win notifications

One of the main types of World Cup-related email fraud is spam informing recipients of cash winnings in lotteries supposedly held by official partners and sponsors (Visa, Coca-Cola, Microsoft, etc.), as well as FIFA itself.

Examples of fake lottery win notifications

Such messages contain attachments (usually PDF or DOCX documents) in which the “winner” is congratulated and told to forward detailed contact details (name, date of birth, address, email, telephone no.) in order to receive the prize. Sometimes recipients are asked to pay a part of the postage or bank transfer fees.

Such mailouts are aimed primarily at harvesting user data (including financial), plus picking up a small money transfer. Such messages can also contain malicious attachments, for example, Trojan-Banker programs.

Examples of fake notifications with attached documents

Another type of common spam fraud is an offer to take part in a ticket giveaway or win a trip to a match. Victims are required either to register on a fake promotion page and provide an email address, or, as in the case of lottery emails, to send the “organizers” their contact details. Such messages are sent in the name of FIFA, usually from addresses on recently registered domains. The purpose of such schemes is mainly to update email databases so as to distribute yet more spam.

Examples of messages with ticket and trip giveaways

Advertising spam

In the runup to the championship, we registered a lot of advertising spam with offers for soccer merchandise, transport/accommodation services, and travel packages from various tour operators. Merchandise was generally offered by small online retailers and included toys, souvenirs, and stationery marked with official logos, as well as soccer jerseys for all teams taking part. Some messages even resemble mailings from the official FIFA store.

Examples of messages offering merchandise

There were also spammings unrelated to soccer. For example, traditional spam offering medical products, but using the World Cup to attract attention. Interestingly, the message subject referred to the 2006 World Cup final. Perhaps the spammers used an old template and forgot to change the date.

Wrong year, same product

Ticket sales

Besides online stores selling merchandise, there are plenty of sites offering match tickets, both fake and real. But real doesn’t necessarily mean bona fide: they are often sold by ticket scalpers exploiting various loopholes in the FIFA rules.

Online scalpers selling tickets for an arm and a leg

However, official tickets can only be bought on the official FIFA website, and large fines are imposed for their illegal sale or resale. Those who use the services of speculators risk being turned away at the stadium: tickets are personalized, and if the bearer fails to show ID matching the information in the ticket, FIFA staff have the right to refuse entry.

Fake sites and messages from partners

One of the most popular ways to steal credentials for bank and other accounts is to create counterfeit imitations of official partner websites. Partner organizations quite often arrange ticket giveaways for clients, and this is what attackers exploit to lure users onto fake promotion sites. Such pages look very convincing: well-designed with a working interface, hard to tell from the real thing.

Phishing login page supposedly of a partner bank

Attempt to gain access to an account on a partner company site under the guise of a ticket giveaway

Scammers also try to extract data by mimicking official FIFA notifications. The victim is informed that the security system has been updated and all personal data must be re-entered to avoid lockout. The link in the message takes the victim far away from FIFA to a fake personal account. Naturally, all data entered flows straight to the scammers.

Example of a phishing email seemingly from FIFA

Cybercriminals are particularly keen to target clients of Visa, the tournament’s commercial sponsor, and offer prize giveaways in the name of this international payment heavyweight. To take part, users need to follow a link that unsurprisingly points to a phishing site (the domain was registered a couple of months ago and has nothing to do with the payment system), where they are asked to enter their bank card details, including the CVV/CVC code.

Example of a message and phishing page in the name of Visa

Fraud allsorts

Alongside social engineering, phishers deploy malicious programs in the pursuit of users’ personal data and cash. For example, a fake site offering online broadcasts can plant malware on the victim’s computer under the guise of a Flash Player update required to view the match.

In some cases, phishers have no interest at all in bank accounts and payment details. For instance, under the pretext of receiving a World Cup-themed update for the video game FIFA Soccer, users are prompted to enter their account credentials for the Origin platform on a fake login page. If there are games of interest under the victim’s profile, the cybercriminals change the login/password and link the account to a new email address for subsequent resale.

Fake Origin login page

In late May, a few weeks before the start of the championship, phishing emails offering cheap flights from the major airlines were all the rage. In addition to fake soccer ticket giveaways, there were draws seemingly on behalf of airlines offering free plane tickets.

Fake ticket giveaway in the name of a major airline

Tricks of the trade

To make their sites seem credible, cybercriminals register domain names combining the words “world,” “worldcup,” “FIFA,” “Russia,” etc. (for example: worldcup2018, russia2018, fifarussia). Normally, though not always, such domains look unnatural (for instance, fifa.ucozx.site) and have a non-standard domain extension. So in most cases, a close look at the link in the email or the URL after opening the site should be enough to avoid the bait.

DNS WHOIS data for phishing sites

Likewise with a view to lulling user vigilance, cybercriminals acquire the cheapest SSL certificates available: relevant authorities often fail to verify the existence of the entity acquiring the certificate, meaning that the scammers get the all-important HTTPS in front of their address. To spot a fake, it is enough to look at the domain’s WHOIS data. Scam websites tend to have been registered quite recently and for a short time, and their owners are usually private individuals. What’s more, detailed information about the owner is often hidden.

Besides active domain names, we logged a large number of “sleepers”: on them you might find a placeholder page, if that. Cybercriminals use them as a backup: if one domain is blocked, the site moves to the next.

Examples of backup domain names


The above describes only the most popular scams exploiting the World Cup theme. Nevertheless, it provides a fairly complete picture of how cybercriminals operate and what they want. In addition to the above, we expect shortly to see an explosion of phishing sites offering cheap airline tickets to World Cup host cities, as well as fake mailings supposedly from popular accommodation services with “special offers.”

To avoid being duped, follow these simple rules:

  • Buy tickets only on the official FIFA website or at official ticket offices.
  • For online purchases (not only during the tournament), get a separate bank card and set a spending limit.
  • Do not open links or attachments in emails from unknown senders, even if they seem legitimate.
  • Check the addresses of links in notifications from known services; at the slightest suspicion, do not click, but open the site manually in the browser.
  • To preserve your money and nerves, never buy products advertised in spam.
  • Use the latest security solutions to protect against cyberthreats, and keep the databases up-to-date.

VPNFilter EXIF to C2 mechanism analysed

24 Květen, 2018 - 20:00

On May 23 2018, our colleagues from Cisco Talos published their excellent analysis of VPNFilter, an IoT / router malware which exhibits some worrying characteristics.

Some of the things which stand out about VPNFilter are:

  • It has a redundant, multi-stage command and control mechanism which uses three different channels to receive information
  • It has a multi-stage architecture, in which some of the more complex functionality runs only in the memory of the infected devices
  • It contains a destructive payload which is capable of rendering the infected devices unbootable
  • It uses a broken (or incorrect) RC4 implementation which has been observed before with the BlackEnergy malware
  • Stage 2 command and control can be executed over TOR, meaning it will be hard to notice for someone checking the network traffic

We’ve decided to look a bit into the C&C mechanism for the persistent malware payload. As described in the Talos blog, this mechanism has several stages:

  • First, the malware tries to visit a number of gallery pages hosted on photobucket[.]com and fetches the first image from the page.
  • If this fails, the malware tries fetching an image file from a hardcoded domain, toknowall[.]com. This C2 domain is currently sinkholed by the FBI.
  • If that fails as well, the malware goes into a passive backdoor mode, in which it processes network traffic on the infected device waiting for the attacker’s commands.

For the first two scenarios in which the malware successfully receives an image file, a C2 extraction subroutine is called which converts the image EXIF coordinates into an IPv4 address. This is used as an easy way to avoid using DNS lookups to reach the C&C. Of course, in case this fails, the malware will indeed lookup the hardcoded domain (toknowall[.]com). It may be worth pointing that in the past, the BlackEnergy APT devs have shown a preference for using IP addresses for C&C instead of hardcoded domain names, which can be easily sinkholed.

To analyse the EXIF processing mechanism, we looked into the sample 5f358afee76f2a74b1a3443c6012b27b, mentioned in the Talos blog. The sample is an i386 ELF binary and is about 280KB in size.

Unfortunately for researchers, it appears that the photobucket.com galleries used by the malware have been deleted, so the malware cannot use the first C2 mechanism anymore. For instance:

With these galleries unavailable, the malware tries to reach the hardcoded domain toknowall[.]com.
While looking at the pDNS history for this domain, we noticed that it resolved to an IP addresses in France, at OVH, between Jan and Feb 2018:

Interestingly, when visiting this website’s C2 URL, we are presented with a JPG image, suggesting it is still an active C2:

Here’s how it looks when viewed as an image:

When we look into the EXIF data for the picture, for instance using IrfanView, it looks as following:

Filename – update.jpg

  • GPS information: –
  • GPSLatitude – 97 30 -175 (97.451389)
  • GPSLongitude – -118 140 -22 (-115.672778)

How to get the IP out of these? The subroutine which calculates the C2 IP from the Latitude and Longitude can be found at offset 0x08049160 in the sample.

As it turns out, VPNFilter implements an actual EXIF parser to get the required information.

First, it searches for a binary value 0xE1. This makes sense because the EXIF attribute information begins with a tag “0xFF 0xE1”. Then, it verifies that the tag is followed by a string “Exif”. This is the exact data that should appear in a correct header of the Exif tag:

Exif tag
FF E1 Exif tag
xx Length of field
45 78 69 66 00 ‘Exif’
00 Padding

The tag is followed by an additional header:

“Attribute information” header
49 49 (or 4D 4D) Byte order, ‘II’ for little endian (‘MM’ for big endian)
2A 00 Fixed value
xx xx Offset of the first IFD

The data following this header is supposed to be the actual “attribute information” that is organized in so-called IFDs (Image File Directory) that are data records of a specific format. Each IFD consists of the following data:

IFD record
xx xx IFD tag
xx xx Data type
xx xx xx xx Number of data records of the same data type
xx xx xx xx Offset of the actual data, from the beginning of the EXIF

The malware’s parser carefully traverses each record until it finds the one with a tag ’25 88′ (0x8825 little endian). This is the tag value for “GPS Info”. That IFD record is, in turn, a list of tagged IFD records that hold separate values for latitude, longitude, timestamp, speed, etc. In our case, the code is looking for the tags ‘2’ (latitude) and ‘4’ (longitude). The data for latitude and longitude are stored as three values in the “rational” format : two 32-bit values, the first is the enumerator and the second one is the denominator. Each of these three values corresponds to degrees, minutes and seconds, respectively.

Then, for each record of interest, the code extracts the enumerator part and produces a string of three integers (i.e. “97 30 4294967121” and “4294967178 140 4294967274″ that will be displayed by a typical EXIF parser as 1193143 deg 55′ 21.00″, 4296160226 deg 47′ 54.00”). Then, curiously enough, it uses sscanf() to convert these strings back to integers. This may indicate that the GPS Info parser was taken from a third-party source file and used as-is. The extracted integers are then used to produce an actual IP address. The pseudocode in C is as follows:

const char lat[] = "97 30 4294967121"; // from Exif data
const char lon[] = "4294967178 140 4294967274"; // from Exif data
int o1p1, o1p2, o2p1, o3p1, o3p2, o4p1;
uint8_t octets[4];

sscanf(lat, "%d %d %d", &o1p2, &o1p1, &o2p1);
sscanf(lon, "%d %d %d", &o3p2, &o3p1, &o4p1);
octets[0] = o1p1 + ( o1p2 + 0x5A );
octets[1] = o2p1 + ( o1p2 + 0x5A );
octets[2] = o3p1 + ( o3p2 + 0xB4 );
octets[3] = o4p1 + ( o3p2 + 0xB4 );

printf("%u.%u.%u.%u\n", octets[0], octets[1], octets[2], octets[3]);

The implementation of the EXIF parser appears to be pretty generic. The fact that it correctly handles the byte order (swapping the data, if required) and traverses all EXIF records skipping them correctly, and that the GPS data is converted to a string and then back to integers most likely indicates that the code was reused from an EXIF-parsing library or toolkit.

For the values provided here, the code will produce the IP address “” that is a known C&C of VPNFilter.

It should be noted that this IP is included in Cisco Talos’ IOCs list as a known C&C. Currently, it appears to be down.

What’s next?

Perhaps the most interesting question is who is behind VPNFilter. In their Affidavit for sinkholing the malware C2, FBI suggests it is related to Sofacy:

Interestingly, the same Affidavit contains the following phrase: “Sofacy Group, also known as apt28, sandworm, x-agent, pawn storm, fancy bear and sednit”. This would suggest that Sandworm, also known as BlackEnergy APT, is regarded as subgroup of Sofacy by the FBI. Most threat intel companies have held these groups separate before, although their activity is known to have overlapped in several cases.

Perhaps the most interesting technical detail, which Cisco Talos points in their blog linking VPNFilter to BlackEnergy, is the usage of a flawed RC4 algorithm.The RC4 key scheduling algorithm implementation from these is missing the typical “swap” at the end of the loop. While rare, this mistake or perhaps optimization from BlackEnergy, has been spotted by researchers and described publicly going as far back as 2010. For instance, Joe Stewart’s excellent analysis of Blackenergy2 explains this peculiarity.

So, is VPNFilter related to BlackEnergy? If we are to consider only the RC4 key scheduling implementation alone, we can say there is only a low confidence link. However, it should be noted that BlackEnergy is known to have deployed router malware going back as far as 2014, which we described in our blogpost: “BE2 custom plugins, router abuse, and target profiles“. We continue to look for other similarities which could support this theory.