Viry a Červi

Cloud security is the best sort of altruism: you need to do it to protect yourself, but you help to protect everyone else at the same time.

Skills gap needs filling somehow

The EU needs more cybersecurity graduates to plug the political bloc's shortage of skilled infosec bods, according to a report from the ENISA online security agency.…

Roll up, roll up. Come and be the CMA-approved trustee to keep an eye on the Chocolate Factory's antics

The torrid tale of Google's Privacy Sandbox took another turn today with the UK's Competitions and Markets Authority (CMA) saying it has "secured improved commitments" from the ad giant over the cookie crushing tech.…

Redesigned SafeToNet feature highlights tech law mess

A company repeatedly endorsed by ministers backing the UK's Online Safety Bill was warned by its lawyers that its technology could breach the Investigatory Powers Act's ban on unlawful interception of communications, The Register can reveal.…

• IT threat evolution Q3 2021
• IT threat evolution in Q3 2021. PC statistics
• IT threat evolution in Q3 2021. Mobile statistics

These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q3 2021:

• 9,599,519 malware, adware and riskware attacks on mobile devices were prevented.
• The largest share of all detected mobile threats accrued to RiskTool apps — 65.84%.
• 676,190 malicious installation packages were detected, of which:
  • 12,097 packages were related to mobile banking Trojans;
  • 6,157 packages were mobile ransomware Trojans.

Quarterly highlights

The attackers became somewhat less active from the previous quarter — the number of mobile attacks dropped to 9.6 million. We have seen no new mass campaigns seeking to distribute any specific mobile malware family; nor were there any newsworthy events similar to what we had early into the COVID-19 pandemic.

Number of attacks targeting users of Kaspersky mobile solutions, Q3 2020 — Q3 2021 (download)

Yet Q3 brought us quite a few interesting finds at the same time. Thus, one of the modified WhatsApp builds, FMWhatsApp 16.80.0, contained the Trojan Triada along with an advertising SDK. The popularity of WhatsApp builds with extended functionality has secured this Trojan the fifth place in our malware ranking.

In Q3, new Trojan families emerged, distributed through Google Play. To those we already knew — Trojan.AndroidOS.Jocker and Trojan.AndroidOS.MobOk (signing the user up to paid subscriptions) and Trojan-Dropper.AndroidOS.Necro (downloading payload from the attack server) — two more were added. The first one includes scam apps of Trojan.AndroidOS.Fakeapp variety exploiting the theme of social payments to cajole money out of the user; the second one is the fast growing family Trojan-PSW.AndroidOS.Facestealer stealing Facebook account data.

Mobile banking Trojans were progressing, too. For example, a curious trick was employed by the family Trojan-Banker.AndroidOS.Fakecalls active in Korea: if the user tries to call the bank, the malware disconnects the real call and plays prerecorded operator’s responses stored in the Trojan’s body.

Mobile threat statistics

In Q3 2021, Kaspersky detected 676,190 malicious installation packages — 209,915 less than in the previous quarter and 445,128 less than in Q3 2020.

Number of detected malicious installation packages, Q3 2020 — Q3 2021 (download)

Distribution of detected mobile malware by type

Distribution of newly detected mobile malware by type, Q2 and Q3 2021 (download)

Two thirds of all threats detected in Q3 2021 came from RiskTool apps (65.84%), their share up by 27.37 p.p. The vast majority of detected apps of this type (91.02%) belonged to the family SMSreg.

Adware came in second with 21.51% — 12.58 p.p. down from the previous quarter. The malicious objects we most frequently encountered came from the families AdWare.AndroidOS.FakeAdBlocker (34.29% of all detected threats in the category), AdWare.AndroidOS.HiddenAd (30.66%) and AdWare.AndroidOS.MobiDash (8.81%).

Various Trojans are in third place (2.79%), their share down by 13.69 p.p. The worst offenders were from the families Boogr (48.88%), Piom (11.04%) and Hiddad (7.52%).

Top 20 mobile malware programs

Note that the malware rankings below exclude riskware and potentially unwanted software, such as RiskTool or adware.

Verdict %* 1 DangerousObject.Multi.Generic 33.02 2 Trojan-SMS.AndroidOS.Agent.ado 6.87 3 Trojan.AndroidOS.Whatreg.b 4.41 4 Trojan.AndroidOS.Triada.dq 3.85 5 Trojan.AndroidOS.Triada.ef 3.71 6 Trojan.AndroidOS.Hiddad.gx 3.70 7 DangerousObject.AndroidOS.GenericML 3.68 8 Trojan.AndroidOS.Agent.vz 3.63 9 Trojan-Downloader.AndroidOS.Necro.d 3.56 10 Trojan-Dropper.AndroidOS.Hqwar.bk 3.43 11 Trojan-SMS.AndroidOS.Fakeapp.b 3.35 12 Trojan.AndroidOS.MobOk.ad 3.13 13 Trojan.AndroidOS.Triada.el 2.76 14 Trojan-Downloader.AndroidOS.Agent.kx 2.21 15 Trojan-Dropper.AndroidOS.Hqwar.gen 1.74 16 Trojan-Downloader.AndroidOS.Gapac.e 1.71 17 Trojan-Dropper.AndroidOS.Agent.rp 1.66 18 Exploit.AndroidOS.Lotoor.be 1.66 19 Trojan.AndroidOS.Fakeapp.dn 1.64 20 Trojan-SMS.AndroidOS.Prizmes.a 1.53

* Unique users attacked by this malware as a percentage of all attacked users of Kaspersky mobile solutions.

The first ten threats from the Top 20 in Q3 are those already featured in our rankings earlier.

First place as usual went to DangerousObject.Multi.Generic (33.02%), the verdict we use for malware detected with cloud technology. This technology comes into play whenever the antivirus databases lack data for detecting a piece of malware, but the company’s cloud already contains information about the object. This is essentially how the latest malware types are detected.

The Trojan-SMS.AndroidOS.Agent.ado malware — sender of text messages to short premium-rate numbers — has climbed from third to second place (6.87%).

Third place was taken by Trojan.AndroidOS.Whatreg.b (4.41%) allowing attackers to use the victim’s phone number to register new WhatsApp accounts controlled by them alone.

The Triada family Trojans are fourth, fifth and thirteenth in our ranking. They download and execute other malware on the infected device. Triada’s victims often suffer from the abovementioned Trojan.AndroidOS.Whatreg.b, as well as Trojan-Downloader.AndroidOS.Necro.d (9th, 3.56%), Trojan-Downloader.AndroidOS.Gapac.e (16th, 1.71%) and Trojan-Dropper.AndroidOS.Agent.rp (17th, 1.66%), all of which likely belong to the same campaign.

Trojan.AndroidOS.Hiddad.gx (3.70%), a source of annoying ads, rose to sixth position.

Seventh place was taken by DangerousObject.AndroidOS.GenericML (3.68%). These verdicts are assigned to files recognized as malicious by our machine-learning systems.

The malware Trojan.AndroidOS.Agent.vz (3.63%) — similarly to Triada, a link in the infection chain of various Trojans — dropped into eighth.

Tenth and fifteenth places were taken by members of the family Trojan-Dropper.AndroidOS.Hqwar — a dropper used to unpack and execute various banking Trojans on the target device.

The newcomer Trojan-SMS.AndroidOS.Fakeapp.b came eleventh (3.35%). This mobile malware can text and call preset numbers, show ads, and conceal its icon. Most users attacked by the Trojan are from Russia.

Trojan.AndroidOS.MobOk.ad (3.13%) that signs users up to paid services dropped into twelfth.

The adware downloader Trojan-Downloader.AndroidOS.Agent.kx (2.21%) rose to fourteenth.

Exploit.AndroidOS.Lotoor.be (1.66%), an exploit used for elevating privileges on the device to superuser level, came eighteenth. Members of this family often come bundled with other widespread malware like Triada and Necro.

Trojan.AndroidOS.Fakeapp.dn (1.64%), another new arrival, takes the nineteenth place. This is a scam app exploiting the theme of social payments: it opens fake pages prompting users to provide their personal data and pay a fee to receive money.

The Top 20 is rounded out by Trojan-SMS.AndroidOS.Prizmes.a (1.53%), which is preinstalled on some Android devices under the guise of Sound Recorder. The Trojan texts preset numbers reporting the events taking place on the device (e.g., smartphone power on).

Geography of mobile threats

Map of infection attempts by mobile malware, Q3 2021 (download)

Top 10 countries by share of users attacked by mobile malware

Country* %** 1 Iran 20.14 2 Saudi Arabia 17.84 3 China 17.07 4 Algeria 16.73 5 India 15.33 6 Malaysia 13.63 7 Ecuador 11.52 8 Brazil 11.15 9 Bangladesh 10.81 10 Nigeria 10.81

* Excluded from the rankings are countries with relatively few users of Kaspersky mobile security solutions (under 10,000).
** Share of unique users attacked as a percentage of all users of Kaspersky mobile security solutions in the country.

In Q3 2021, the infected systems percentage ranking is led by the same countries as in Q2; the most popular threats in these countries are likewise the same. First place went to Iran (20.14%), its prevailing threat represented by annoying adware modules of the families AdWare.AndroidOS.Notifyer and AdWare.AndroidOS.Fyben.

In Saudi Arabia, which came second with 17.84%, AdWare.AndroidOS.HiddenAd and AdWare.AndroidOS.FakeAdBlocker adware were the most common issue.

China (17.07%) came third with Trojan.AndroidOS.Najin.a as its most widely spread Trojan.

Mobile banking Trojans

We detected 12,097 mobile banking Trojan installers during the reporting period — 12,507 less from Q2 and 22,813 less year on year.

The largest contributors to these figures were the families Trojan-Banker.AndroidOS.Agent (46.72% of all banking Trojans detected), Trojan-Banker.AndroidOS.Bian (16.18%) and Trojan-Banker.AndroidOS.Anubis (8.20%).

Number of installation packages for mobile banking Trojans detected by Kaspersky, Q3 2020 – Q3 2021 (download)

Ten most common mobile bankers

Verdict %* 1 Trojan-Banker.AndroidOS.Anubis.t 16.77 2 Trojan-Banker.AndroidOS.Svpeng.q 11.17 3 Trojan-Banker.AndroidOS.Bian.f 9.08 4 Trojan-Banker.AndroidOS.Agent.eq 6.83 5 Trojan-Banker.AndroidOS.Asacub.ce 6.22 6 Trojan-Banker.AndroidOS.Agent.ep 5.17 7 Trojan-Banker.AndroidOS.Hqwar.t 3.53 8 Trojan-Banker.AndroidOS.Agent.cf 3.05 9 Trojan-Banker.AndroidOS.Bian.h 2.83 10 Trojan-Banker.AndroidOS.Svpeng.t 2.81

* Unique users attacked by this malware as a percentage of all Kaspersky mobile security solution users who encountered banking threats.

In Q3 2021, first place in our top mobile bankers ranking was taken by the Anubis family’s Trojan-Banker.AndroidOS.Anubis.t (16.77%). In second (11.17%) and tenth (2.81%) are bankers of the Svpeng family. Bian family bankers are in third (9.08%) and ninth (2.83%).

Geography of mobile banking threats, Q3 2021 (download)

Top 10 countries by share of users attacked by mobile banking Trojans

Country* %** 1 Spain 1.02 2 Austria 0.44 3 Croatia 0.43 4 Germany 0.33 5 Japan 0.26 6 Turkey 0.22 7 Portugal 0.20 8 Norway 0.20 9 China 0.18 10 Switzerland 0.14

* Excluded from the rankings are countries with relatively few users of Kaspersky mobile security solutions (under 10,000).
** Unique users attacked by mobile banking Trojans as a percentage of all Kaspersky mobile security solution users in the country.

Spain has the largest share of unique users attacked by mobile financial threats in Q3 2021 (1.02%). The prevalent banker detected in this country is Trojan-Banker.AndroidOS.Bian.h (33.55% of all banking Trojans detected). Austria (0.44%) is second with another Bian family representative — Trojan-Banker.AndroidOS.Bian.f (96.02%) — leading by a mile. Croatia (0.43%) is third with Bian.f (97.59%) as its most widely spread banker.

Mobile ransomware Trojans

In Q3 2021, we detected 6,157 installation packages for mobile ransomware Trojans — an increase of 2,534 from the previous quarter and 635 more than in Q3 2020.

Number of mobile ransomware installers detected by Kaspersky, Q3 2020 — Q3 2021 (download)

Top 10 most common mobile ransomware

Verdict %* 1 Trojan-Ransom.AndroidOS.Pigetrl.a 51.00 2 Trojan-Ransom.AndroidOS.Rkor.ax 10.43 3 Trojan-Ransom.AndroidOS.Rkor.bb 8.58 4 Trojan-Ransom.AndroidOS.Rkor.az 5.31 5 Trojan-Ransom.AndroidOS.Rkor.bc 4.64 6 Trojan-Ransom.AndroidOS.Rkor.ay 4.49 7 Trojan-Ransom.AndroidOS.Small.as 3.92 8 Trojan-Ransom.AndroidOS.Rkor.ba 2.30 9 Trojan-Ransom.AndroidOS.Rkor.au 1.72 10 Trojan-Ransom.AndroidOS.Rkor.aw 1.41

* Unique users attacked by the malware as a percentage of all Kaspersky mobile security solution users attacked by ransomware Trojans.

Same as in Q2, this time the ransomware Trojans ranking is led by Trojan-Ransom.AndroidOS.Pigetrl.a — 51% of all attacked users. Most of its attacks (92%) were targeting users from Russia.

Geography of mobile ransomware Trojans, Q3 2021 (download)

Top 10 countries by share of users attacked by mobile ransomware Trojans

Country* %** 1 Kazakhstan 0.57 2 Sweden 0.22 3 Kyrgyzstan 0.21 4 Morocco 0.06 5 China 0.06 6 Saudi Arabia 0.05 7 Uzbekistan 0.04 8 Algeria 0.04 9 Pakistan 0.02 10 Egypt 0.02

* Excluded from the rating are countries with relatively few users of Kaspersky mobile security solutions (under 10,000).
** Unique users attacked by ransomware Trojans as a percentage of all Kaspersky mobile security solution users in the country.

Countries leading by number of users attacked by mobile ransomware Trojans are the same as in Q2: Kazakhstan (0.57%), Sweden (0.22%) and Kyrgyzstan (0.21%). In all three the Trojan-Ransom.AndroidOS.Rkor family Trojans were the most common threat.

• IT threat evolution Q3 2021
• IT threat evolution in Q3 2021. PC statistics
• IT threat evolution in Q3 2021. Mobile statistics

These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q3 2021:

• Kaspersky solutions blocked 1,098,968,315 attacks from online resources across the globe.
• Web Anti-Virus recognized 289,196,912 unique URLs as malicious.
• Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 104,257 unique users.
• Ransomware attacks were defeated on the computers of 108,323 unique users.
• Our File Anti-Virus detected 62,577,326 unique malicious and potentially unwanted objects.

Financial threats Financial threat statistics

In Q3 2021, Kaspersky solutions blocked the launch of at least one piece of banking malware on the computers of 104,257 unique users.

Number of unique users attacked by financial malware, Q3 2021 (download)

Geography of financial malware attacks

To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products who faced this threat during the reporting period as a percentage of all users of our products in that country.

Geography of financial malware attacks, Q3 2021 (download)

Top 10 countries by share of attacked users

Country* %** 1 Turkmenistan 5.4 2 Tajikistan 3.7 3 Afghanistan 3.5 4 Uzbekistan 3.0 5 Yemen 1.9 6 Kazakhstan 1.6 7 Paraguay 1.6 8 Sudan 1.6 9 Zimbabwe 1.4 10 Belarus 1.1

* Excluded are countries with relatively few Kaspersky product users (under 10,000).
** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country.

Top 10 banking malware families

Name Verdicts %* 1 Zbot Trojan.Win32.Zbot 17.7 2 SpyEye Trojan-Spy.Win32.SpyEye 17.5 3 CliptoShuffler Trojan-Banker.Win32.CliptoShuffler 9.6 4 Trickster Trojan.Win32.Trickster 4.5 5 RTM Trojan-Banker.Win32.RTM 3.6 6 Nimnul Virus.Win32.Nimnul 3.0 7 Gozi Trojan-Banker.Win32.Gozi 2.7 8 Danabot Trojan-Banker.Win32.Danabot 2.4 9 Tinba Trojan-Banker.Win32.Tinba 1.5 10 Cridex Backdoor.Win32.Cridex 1.3

* Unique users who encountered this malware family as a percentage of all users attacked by financial malware.

In Q3, the family ZeuS/Zbot (17.7%), as usual, became the most widespread family of bankers. Next came the SpyEye (17.5%) family, whose share doubled from 8.8% in the previous quarter. The Top 3 was rounded out by the CliptoShuffler family (9.6%) — one position and just 0.3 p.p. down. The families Trojan-Banker.Win32.Gozi (2.7%) and Trojan-Banker.Win32.Tinba (1.5%) have made it back into the Top 10 in Q3 — seventh and ninth places, respectively.

Ransomware programs Quarterly trends and highlights Attack on Kaseya and the REvil story

In early July, the group REvil/Sodinokibi attempted an attack on the remote administration software Kaseya VSA, compromising several managed services providers (MSP) who used this system. Thanks to this onslaught on the supply chain, the attackers were able to infect over one thousand of the compromised MSPs’ client businesses. REvil’s original $70 million ransom demand in exchange for decryption of all the users hit by the attack was soon moderated to 50 million.

Following this massive attack, law enforcement agencies stepped up their attention to REvil, so by mid-July the gang turned off their Trojan infrastructure, suspended new infections and dropped out of sight. Meanwhile, Kaseya got a universal decryptor for all those affected by the attack. According to Kaseya, it “did not pay a ransom — either directly or indirectly through a third party”. Later it emerged that the company got the decryptor and the key from the FBI.

But already in the first half of September, REvil was up and running again. According to the hacking forum XSS, the group’s former public representative known as UNKN “disappeared”, and the malware developers, failing to find him, waited awhile and restored the Trojan infrastructure from backups.

The arrival of BlackMatter: DarkSide restored?

As we already wrote in our Q2 report, the group DarkSide folded its operations after their “too high-profile” attack on Colonial Pipeline. And now there is a “new” arrival known as BlackMatter, which, as its members claim, represents the “best” of DarkSide, REvil and LockBit.

From our analysis of the BlackMatter Trojan’s executable we conclude that most likely it was built using DarkSide’s source codes.

Q3 closures

• Europol and the Ukrainian police have arrested two members of an unnamed ransomware gang. The only detail made known is that the ransom demands amounted to €5 to €70 million.
• Following its attack on Washington DC’s Metropolitan Police Department, the group Babuk folded (or just suspended) its operations and published an archive containing the Trojan’s source code, build tools and keys for some of the victims.
• At the end of August, Ragnarok (not to be confused with RagnarLocker) suddenly called it a day, deleted all their victims’ info from their portal and published the master key for decryption. The group gave no reasons for this course of action.

Exploitation of vulnerabilities and new attack methods

• The group HelloKitty used to distribute its ransomware by exploiting the vulnerability CVE-2019-7481 in SonicWall gateways.
• Magniber and Vice Society penetrated the target systems by exploiting the vulnerabilities from the PrintNightmare family (CVE-2021-1675, CVE-2021-34527, CVE-2021-36958).
• The group LockFile exploited ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) to penetrate the victim’s network; for lateral expansion they relied on the new PetitPotam attack that gained control of the domain controller.
• The group Conti also used ProxyShell exploits for its attacks.

Number of new ransomware modifications

In Q3 2021, we detected 11 new ransomware families and 2,486 new modifications of this malware type.

Number of new ransomware modifications, Q3 2020 — Q3 2021 (download)

Number of users attacked by ransomware Trojans

In Q3 2021, Kaspersky products and technologies protected 108,323 users from ransomware attacks.

Number of unique users attacked by ransomware Trojans, Q3 2021 (download)

Geography of ransomware attacks

Geography of attacks by ransomware Trojans, Q3 2021 (download)

Top 10 countries attacked by ransomware Trojans

Country* %** 1 Bangladesh 1.98 2 Uzbekistan 0.59 3 Bolivia 0.55 4 Pakistan 0.52 5 Myanmar 0.51 6 China 0.51 7 Mozambique 0.51 8 Nepal 0.48 9 Indonesia 0.47 10 Egypt 0.45

* Excluded are countries with relatively few Kaspersky users (under 50,000).
** Unique users attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country.

Top 10 most common families of ransomware Trojans Name Verdicts %* 1 Stop/Djvu Trojan-Ransom.Win32.Stop 27.67% 2 (generic verdict) Trojan-Ransom.Win32.Crypren 17.37% 3 WannaCry Trojan-Ransom.Win32.Wanna 11.84% 4 (generic verdict) Trojan-Ransom.Win32.Gen 7.78% 5 (generic verdict) Trojan-Ransom.Win32.Encoder 5.58% 6 (generic verdict) Trojan-Ransom.Win32.Phny 5.57% 7 PolyRansom/VirLock Virus.Win32.Polyransom / Trojan-Ransom.Win32.PolyRansom 2.65% 8 (generic verdict) Trojan-Ransom.Win32.Agent 2.04% 9 (generic verdict) Trojan-Ransom.MSIL.Encoder 1.07% 10 (generic verdict) Trojan-Ransom.Win32.Crypmod 1.04%

* Unique Kaspersky users attacked by this family of ransomware Trojans as a percentage of all users attacked by such malware.

Miners Number of new miner modifications

In Q3 2021, Kaspersky solutions detected 46,097 new modifications of miners.

Number of new miner modifications, Q3 2021 (download)

Number of users attacked by miners

In Q3, we detected attacks using miners on the computers of 322,131 unique users of Kaspersky products worldwide. And while during Q2 the number of attacked users gradually decreased, the trend was reversed in July and August 2021. With slightly over 140,000 unique users attacked by miners in July, the number of potential victims almost reached 150,000 in September.

Number of unique users attacked by miners, Q3 2021 (download)

Geography of miner attacks

Geography of miner attacks, Q3 2021 (download)

Top 10 countries attacked by miners

Country* %** 1 Ethiopia 2.41 2 Rwanda 2.26 3 Myanmar 2.22 4 Uzbekistan 1.61 5 Ecuador 1.47 6 Pakistan 1.43 7 Tanzania 1.40 8 Mozambique 1.34 9 Kazakhstan 1.34 10 Azerbaijan 1.27

* Excluded are countries with relatively few users of Kaspersky products (under 50,000).
** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country.

Vulnerable applications used by cybercriminals during cyberattacks Quarter highlights

Much clamor was caused in Q3 by a whole new family of vulnerabilities in Microsoft Windows printing subsystem, one already known to the media as PrintNightmare: CVE-2021-1640, CVE-2021-26878, CVE-2021-1675, CVE-2021-34527, CVE-2021-36936, CVE-2021-36947, CVE-2021-34483. All those vulnerabilities allow for local escalation of privileges or remote execution of commands with system rights and, as they require next to nothing for exploitation, they are often used by popular mass infection tools. To fix them, several Microsoft patches are required.

The vulnerability known as PetitPotam proved no less troublesome. It allows an unprivileged user to take control of a Windows domain computer — or even a domain controller — provided the Active Directory certificate service is present and active.

In the newest OS Windows 11, even before its official release, the vulnerability CVE-2021-36934 was detected and dubbed HiveNightmare/SeriousSam. It allows an unprivileged user to copy all the registry threads, including SAM, through the shadow copy mechanism, potentially exposing passwords and other critical data.

In Q3, attackers greatly favored exploits targeting the vulnerabilities ProxyToken, ProxyShell and ProxyOracle (CVE-2021-31207, CVE-2021-34473, CVE-2021-31207, CVE-2021-33766, CVE-2021-31195, CVE-2021-31196). If exploited in combination, these open full control of mail servers managed by Microsoft Exchange Server. We already covered similar vulnerabilities — for instance, they were used in a HAFNIUM attack, also targeting Microsoft Exchange Server.

As before, server attacks relying on brute-forcing of passwords to various network services, such as MS SQL, RDP, etc., stand out among Q3 2021 network threats. Attacks using the exploits EternalBlue, EternalRomance and similar are as popular as ever. Among the new ones is the grim vulnerability enabling remote code execution when processing the Object-Graph Navigation Language in the product Atlassian Confluence Server (CVE-2021-26084) often used in various corporate environments. Also, Pulse Connect Secure was found to contain the vulnerability CVE-2021-22937, which however requires the administrator password for it to be exploited.

Statistics

As before, exploits for Microsoft Office vulnerabilities are still leading the pack in Q3 2021 (60,68%). These are popular due to the large body of users, most of whom still use older versions of the software, thus making the attackers’ job much easier. The share of Microsoft Office exploits increased by almost 5 p.p. from the previous quarter. Among other things, it was due to the fact that the new vulnerability CVE-2021-40444 was discovered in the wild, instantly employed to compromise user machines. The attacker can exploit it by using the standard functionality that allows office documents to download templates, implemented with the help of special ActiveX components. There is no proper validation of the processed data during the operation, so any malicious code can be downloaded. As you are reading this, the relevant security update is already available.

The way individual Microsoft Office vulnerabilities are ranked by the number of detections does not change much with time: the first positions are still shared by CVE-2018-0802 and CVE-2017-8570, with another popular vulnerability CVE-2017-11882 not far behind. We already covered these many times — all the above-mentioned vulnerabilities execute commands on behalf of the user and infect the system.

Distribution of exploits used by cybercriminals, by type of attacked application, Q3 2021 (download)

The share of exploits for the popular browsers fell by 3 p.p. from the previous reporting period to 25.57% in Q3. In the three months covered by the report several vulnerabilities were discovered in Google Chrome browser and its script engine V8 — some of them in the wild. Among these, the following JavaScript engine vulnerabilities stand out: CVE-2021-30563 (type confusion error corrupting the heap memory), CVE-2021-30632 (out-of-bounds write in V8) and CVE-2021-30633 (use-after-free in Indexed DB). All these can potentially allow remote execution of code. But it should be remembered that for modern browsers a chain of several exploits is often required to leave the sandbox and secure broader privileges in the system. It should also be noted that with Google Chromium codebase (in particular the Blink component and V8) being used in many browsers, any newly detected Google Chrome vulnerability automatically makes other browsers built with its open codebase vulnerable.

The third place if held by Google Android vulnerabilities (5.36%) — 1 p.p. down from the previous period. They are followed by exploits for Adobe Flash (3.41%), their share gradually decreasing. The platform is no longer supported but is still favored by users, which is reflected in our statistics.

Our ranking is rounded out by vulnerabilities for Java (2.98%), its share also noticeably lower, and Adobe PDF (1.98%).

Attacks on macOS

We will remember Q3 2021 for the two interesting revelations. The first one is the use of malware code targeting macOS as part of the WildPressure campaign. The second is the detailed review of the previously unknown FinSpy implants for macOS.

Speaking of the most widespread threats detected by Kaspersky security solutions for macOS, most of our Top 20 ranking positions are occupied by various adware apps. Among the noteworthy ones is Monitor.OSX.HistGrabber.b (second place on the list) — this potentially unwanted software sends user browser history to its owners’ servers.

Top 20 threats for macOS

Verdict %* 1 AdWare.OSX.Pirrit.j 13.22 2 Monitor.OSX.HistGrabber.b 11.19 3 AdWare.OSX.Pirrit.ac 10.31 4 AdWare.OSX.Pirrit.o 9.32 5 AdWare.OSX.Bnodlero.at 7.43 6 Trojan-Downloader.OSX.Shlayer.a 7.22 7 AdWare.OSX.Pirrit.gen 6.41 8 AdWare.OSX.Cimpli.m 6.29 9 AdWare.OSX.Bnodlero.bg 6.13 10 AdWare.OSX.Pirrit.ae 5.96 11 AdWare.OSX.Agent.gen 5.65 12 AdWare.OSX.Pirrit.aa 5.39 13 Trojan-Downloader.OSX.Agent.h 4.49 14 AdWare.OSX.Bnodlero.ay 4.18 15 AdWare.OSX.Ketin.gen 3.56 16 AdWare.OSX.Ketin.h 3.46 17 Backdoor.OSX.Agent.z 3.45 18 Trojan-Downloader.OSX.Lador.a 3.06 19 AdWare.OSX.Bnodlero.t 2.80 20 AdWare.OSX.Bnodlero.ax 2.64

* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked.

Geography of threats for macOS

Geography of threats for macOS, Q3 2021 (download)

Top 10 countries by share of attacked users

Country* %** 1 France 3.05 2 Spain 2.85 3 India 2.70 4 Mexico 2.59 5 Canada 2.52 6 Italy 2.42 7 United States 2.37 8 Australia 2.23 9 Brazil 2.21 10 United Kingdom 2.12

* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000).
** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country.

In Q3 2021, France took the lead having the greatest percentage of attacks on users of Kaspersky security solutions (3.05%), with the potentially unwanted software Monitor.OSX.HistGrabber being the prevalent threat there. Spain and India came in second and third, with the Pirrit family adware as their prevalent threat.

IoT attacks IoT threat statistics

In Q3 2021, most of the devices that attacked Kaspersky honeypots did so using the Telnet protocol. Just less than a quarter of all devices attempted brute-forcing our traps via SSH.

Telnet 76.55% SSH 23.45%

Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q3 2021

The statistics for working sessions with Kaspersky honeypots show similar Telnet dominance.

Telnet 84.29% SSH 15.71%

Distribution of cybercriminal working sessions with Kaspersky traps, Q3 2021

Top 10 threats delivered to IoT devices via Telnet

Verdict %* 1 Backdoor.Linux.Mirai.b 39.48 2 Trojan-Downloader.Linux.NyaDrop.b 20.67 3 Backdoor.Linux.Agent.bc 10.00 4 Backdoor.Linux.Mirai.ba 8.65 5 Trojan-Downloader.Shell.Agent.p 3.50 6 Backdoor.Linux.Gafgyt.a 2.52 7 RiskTool.Linux.BitCoinMiner.b 1.69 8 Backdoor.Linux.Ssh.a 1.23 9 Backdoor.Linux.Mirai.ad 1.20 10 HackTool.Linux.Sshbru.s 1.12

* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats.

Detailed IoT threat statistics are published in our Q3 2021 DDoS report: https://securelist.com/ddos-attacks-in-q3-2021/104796/#attacks-on-iot-honeypots

Attacks via web resources

The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create such sites on purpose and web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected.

Countries that serve as sources of web-based attacks: Top 10

The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.

To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted.

In Q3 2021, Kaspersky solutions blocked 1,098,968,315 attacks launched from online resources located across the globe. Web Anti-Virus recognized 289,196,912 unique URLs as malicious.

Distribution of web-attack sources by country, Q3 2021 (download)

Countries where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious programs that fall under the Malware class; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

Country* % of attacked users** 1 Tunisia 27.15 2 Syria 17.19 3 Yemen 17.05 4 Nepal 15.27 5 Algeria 15.27 6 Macao 14.83 7 Belarus 14.50 8 Moldova 13.91 9 Madagascar 13.80 10 Serbia 13.48 11 Libya 13.13 12 Mauritania 13.06 13 Mongolia 13.06 14 India 12.89 15 Palestine 12.79 16 Sri Lanka 12.76 17 Ukraine 12.39 18 Estonia 11.61 19 Tajikistan 11.44 20 Qatar 11.14

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky products in the country.

These statistics are based on detection verdicts by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data.

On average during the quarter, 8.72% of computers of Internet users worldwide were subjected to at least one Malware-class web attack.

Geography of web-based malware attacks, Q3 2021 (download)

Local threats

In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. It takes into account malicious programs that were found directly on users’ computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).

In Q3 2021, our File Anti-Virus detected 62,577,326 malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.

Note that this rating only includes attacks by malicious programs that fall under the Malware class; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

Country* % of attacked users** 1 Turkmenistan 47.42 2 Yemen 44.27 3 Ethiopia 42.57 4 Tajikistan 42.51 5 Uzbekistan 40.41 6 South Sudan 40.15 7 Afghanistan 40.07 8 Cuba 38.20 9 Bangladesh 36.49 10 Myanmar 35.96 11 Venezuela 35.20 12 China 35.16 13 Syria 34.64 14 Madagascar 33.49 15 Rwanda 33.06 16 Sudan 33.01 17 Benin 32.68 18 Burundi 31.88 19 Laos 31.70 20 Cameroon 31.28

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country.

Geography of local infection attempts, Q3 2021 (download)

On average worldwide, Malware-class local threats were recorded on 15.14% of users’ computers at least once during the quarter. Russia scored 14.64% in this rating.

• IT threat evolution Q3 2021
• IT threat evolution in Q3 2021. PC statistics
• IT threat evolution in Q3 2021. Mobile statistics

Targeted attacks WildPressure targets macOS

Last March, we reported a WildPressure campaign targeting industrial-related entities in the Middle East. While tracking this threat actor in spring 2021, we discovered a newer version. It contains the C++ Milum Trojan, a corresponding VBScript variant and a set of modules that include an orchestrator and three plugins. This confirms our previous assumption that there were more last-stagers besides the C++ ones.

Another language used by WildPressure is Python. The PyInstaller module for Windows contains a script named “Guard”. Interestingly, this malware was developed for both Windows and macOS operating systems. The coding style, overall design and C2 communication protocol is quite recognizable across all three programming languages used by the authors.

WildPressure used both virtual private servers (VPS) and compromised servers in its infrastructure, most of which were WordPress websites.

We have very limited visibility for the samples described in our report, but our telemetry suggests that the targets in this campaign were also from the oil and gas industry.

You can view our report on the new version here, together with a video presentation of our findings.

LuminousMoth: sweeping attacks for the chosen few

We recently uncovered a large-scale and highly active attack against targets in Southeast Asia by a threat actor that we call LuminousMoth. The campaign dates back to October last year and was still ongoing at the time we published our public report in July. Most of the early sightings were in Myanmar, but it seems the threat actor is now much more active in the Philippines. Targets include high-profile organizations: namely, government entities located both within those countries and abroad.

Most APT threats carefully select their targets and tailor the infection vectors, implants and payloads to the victims’ identities or environment. It’s not often we observe a large-scale attack by APT threat actors – they usually avoid such attacks because they are too ‘noisy’ and risk drawing attention to the campaign. LuminousMoth is an exception. We observed a high number of infections; although we think the campaign was aimed at a few targets of interest.

The attackers obtain initial access to a system by sending a spear-phishing email to the victim containing a Dropbox download link. The link leads to a RAR archive that masquerades as a Word document. The archive contains two malicious DLL libraries as well as two legitimate executables that side-load the DLL files. We found multiple archives like this with file names of government entities linked to Myanmar.

We also observed a second infection vector that comes into play after the first one has successfully finished. The malware tries to spread to other hosts on the network by infecting USB drives.

In addition to the malicious DLLs, the attackers also deployed a signed, but fake version of the popular application Zoom on some infected systems, enabling them to exfiltrate data.

The threat actor also deploys an additional tool that accesses a victim’s Gmail session by stealing cookies from the Chrome browser.

Infrastructure ties as well as shared TTPs allude to a possible connection between LuminousMoth and the HoneyMyte threat group, which has been seen targeting the same region using similar tools in the past.

Targeted attacks exploiting CVE-2021-40444

On September 7, Microsoft reported a zero-day vulnerability (CVE-2021-40444) that could allow an attacker to execute code remotely on vulnerable computers. The vulnerability is in MSHTML, the Internet Explorer engine. Even though few people use IE nowadays, some programs use its engine to handle web content – in particular, Microsoft Office applications.

We have seen targeted attacks exploiting the vulnerability to target companies in research and development, the energy sector and other major industries, banking, the medical technology sector, as well as telecoms and IT.

To exploit the vulnerability, attackers embed a special object in a Microsoft Office document containing a URL for a malicious script. If the victim opens the document, Microsoft Office downloads the script and runs it using the MSHTML engine. Then the script can use ActiveX controls to perform malicious actions on the victim’s computer.

Tomiris backdoor linked to SolarWinds attack

The SolarWinds incident last December stood out because of the extreme carefulness of the attackers and the high-profile nature of their victims. The evidence suggests that the threat actor behind the attack, DarkHalo (aka Nobelium), had spent six months inside OrionIT’s networks to perfect their attack. The following timeline sums up the different steps of the campaign.

In June, more than six months after DarkHalo had gone dark, we observed the DNS hijacking of multiple government zones of a CIS member state that allowed the attacker to redirect traffic from government mail servers to computers under their control – probably achieved by obtaining credentials to the control panel of the victims’ registrar. When victims tried to access their corporate mail, they were redirected to a fake copy of the web interface.

After this, they were tricked into downloading previously unknown malware. The backdoor, dubbed Tomiris, bears a number of similarities to the second-stage malware, Sunshuttle (aka GoldMax), used by DarkHalo last year. However, there are also a number of overlaps between Tomiris and Kazuar, a backdoor that has been linked to the Turla APT threat actor. None of the similarities is enough to link Tomiris and Sunshuttle with sufficient confidence. However, taken together they suggest the possibility of common authorship or shared development practices.

You can read our analysis here.

GhostEmperor

Earlier this year, while investigating the rise of attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. We attribute the activity to a previously unknown threat actor that we have called GhostEmperor. This cluster stood out because it used a formerly unknown Windows kernel mode rootkit that we dubbed Demodex; and a sophisticated multi-stage malware framework aimed at providing remote control over the attacked servers.

The rootkit is used to hide the user mode malware’s artefacts from investigators and security solutions, while demonstrating an interesting loading scheme involving the kernel mode component of an open-source project named Cheat Engine to bypass the Windows Driver Signature Enforcement mechanism.

We identified multiple attack vectors that triggered an infection chain leading to the execution of the malware in memory. The majority of GhostEmperor infections were deployed on public-facing servers, as many of the malicious artefacts were installed by the httpd.exe Apache server process, the w3wp.exe IIS Windows server process, or the oc4j.jar Oracle server process. This means that the attackers probably abused vulnerabilities in the web applications running on those systems, allowing them to drop and execute their files.

Although infections often start with a BAT file, in some cases the known infection chain was preceded by an earlier stage: a malicious DLL that was side-loaded by wdichost.exe, a legitimate Microsoft command line utility (originally called MpCmdRun.exe). The side-loaded DLL then proceeds to decode and load an additional executable called license.rtf. Unfortunately, we did not manage to retrieve this executable, but we saw that the consecutive actions of loading it included the creation and execution of GhostEmperor scripts by wdichost.exe.

This toolset was in use from as early as July 2020, mainly targeting Southeast Asian entities, including government agencies and telecoms companies.

FinSpy: analysis of current capabilities

At the end of September, at the Kaspersky Security Analyst Summit, our researchers provided an overview of FinSpy, an infamous surveillance toolset that several NGOs have repeatedly reported being used against journalists, political dissidents and human rights activists. Our analysis included not only the Windows version of FinSpy, but also Linux and macOS versions, which share the same internal structure and features.

After 2018, we observed falling detection rates for FinSpy for Windows. However, it never actually went away – it was simply using various first-stage implants to hide its activities. We started detecting some suspicious backdoored installer packages (including TeamViewer, VLC Media Player and WinRAR); then in the middle of 2019 we found a host that served these installers along with FinSpy Mobile implants for Android.

The authors have gone to great lengths to make FinSpy inaccessible to security researchers – it seems they have put as much work into anti-analysis and obfuscation as they have into the Trojan itself. First, the samples are protected with multiple layers of evasion tactics.

Moreover, once the Trojan has been installed, it is heavily camouflaged using four complex, custom-made obfuscators.

Apart from Trojanized installers, we also observed infections involving use of a UEFI (Unified Extensible Firmware Interface) and MBR (Master Boot Record) bootkit. While the MBR infection has been known since at least 2014, details on the UEFI bootkit were publicly revealed for the first time in our private report on FinSpy.

The user of a smartphone or tablet can be infected through a link in a text message. In some cases (for example, if the victim’s iPhone has not been not jailbroken), the attacker may need physical access to the device.

Other malware REvil attack on MSPs and their customers worldwide

An attack perpetrated by the REvil Ransomware-as-a-Service gang (aka Sodinokibi) targeting Managed Service Providers (MSPs) and their clients was discovered on July 2.

The attackers identified and exploited a zero-day vulnerability in the Kaseya Virtual System/Server Administrator (VSA) platform. The VSA software, used by Kaseya customers to remotely monitor and manage software and network infrastructure, is supplied either as a cloud service or via on-premises VSA servers.

The exploit involved deploying a malicious dropper via a PowerShell script. The script disabled Microsoft Defender features and then used the certutil.exe utility to decode a malicious executable (agent.exe) that dropped an older version of Microsoft Defender, along with the REvil ransomware packed into a malicious library. That library was then loaded by the legitimate MsMpEng.exe by utilizing the DLL side-loading technique.

The attack is estimated to have resulted in the encryption of files belonging to around 60 Kaseya customers using the on-premises version of the platform. Many of them were MSPs who use VSA to manage the networks of other businesses. This MSP connection gave REvil access to those businesses, and Kaseya estimated that around 1,500 downstream businesses were affected.

Using our Threat Intelligence service, we observed more than 5,000 attack attempts in 22 countries by the time our analysis of the attack was published.

What a [Print]Nightmare

Early in July, Microsoft published an alert about vulnerabilities in the Windows Print Spooler service. The vulnerabilities, CVE-2021-1675 and CVE-2021-34527 (aka PrintNightmare), can be used by an attacker with a regular user account to take control of a vulnerable server or client machine that runs the Windows Print Spooler service. This service is enabled by default on all Windows clients and servers, including domain controllers, making both vulnerabilities potentially very dangerous.

Moreover, owing to a misunderstanding between teams of researchers, a proof-of-concept (PoC) exploit for PrintNightmare was published online. The researchers involved believed that Microsoft’s Patch Tuesday release in June had already solved the problem, so they shared their work with the expert community. However, while Microsoft had published a patch for CVE-2021-1675, the PrintNightmare vulnerability remained unpatched until July. The PoC was quickly removed, but not before it had been copied multiple times.

CVE-2021-1675 is a privilege elevation vulnerability, allowing an attacker with low access privileges to craft and use a malicious DLL file to run an exploit and gain higher privileges. However, that is only possible if the attacker already has direct access to the vulnerable computer in question.

CVE-2021-34527 is significantly more dangerous because it is a remote code execution (RCE) vulnerability, which means it allows remote injection of DLLs.

You can find a more detailed technical description of both vulnerabilities here.

Grandoreiro and Melcoz arrests

In July, the Spanish Ministry of the Interior announced the arrest of 16 people connected to the Grandoreiro and Melcoz (aka Mekotio) cybercrime groups. Both groups are originally from Brazil and form part of the Tetrade umbrella, operating for a few years now in Latin America and Western Europe.

The Grandoreiro banking Trojan malware family initially started its operations in Brazil and then expanded its operations to other Latin American countries and then to Western Europe. The group has regularly improved its techniques; and, based on our analysis of the group’s campaigns, it operates as a malware-as-a-service (MaaS) project. Our telemetry shows that, since January 2020, Grandoreiro has mainly attacked victims in Brazil, Mexico, Spain, Portugal and Turkey.

Melcoz had been active in Brazil since at least 2018, before expanding overseas. We observed the group attacking assets in Chile in 2018 and, more recently, in Mexico: it’s likely that there are victims in other countries too, as some of the targeted banks have international operations. As a rule, the malware uses AutoIt or VBS scripts, added into MSI files, which run malicious DLLs using the DLL-Hijack technique, aiming to bypass security solutions. The malware steals passwords from browsers and from the device’s memory, providing remote access to capture internet banking access. It also includes a Bitcoin wallet stealing module. Our telemetry confirms that, since January 2020, Melcoz has been actively targeting Brazil, Chile and Spain, among other countries.

Since both malware families are from Brazil, the individuals arrested in Spain are just operators. So, it’s likely that the creators of Grandoreiro and Melcoz will continue to develop new malware techniques and recruit new members in their countries of interest.

Gamers beware

Earlier this year, we discovered an ad in an underground forum for a piece of malware dubbed BloodyStealer by its creators. The malware is designed to steal passwords, cookies, bank card details, browser auto-fill data, device information, screenshots, desktop and client uTorrent files, Bethesda, Epic Games, GOG, Origin, Steam, Telegram, and VimeWorld client sessions and logs.

The BloodyStealer ad (Source: https://twitter.com/3xp0rtblog)

The authors of the malware, which has hit users in Europe, Latin America and the Asia-Pacific region, have adopted a MaaS distribution model, meaning that anyone can buy it for the modest price of around $10 per month (roughly $40 for a “lifetime license”).

On top of its theft functions, the malware includes tools to thwart analysis. It sends stolen information as a ZIP archive to the C2 (command-and-control) server, which is protected against DDoS (distributed denial of service) attacks. The cybercriminals use either the (quite basic) control panel or Telegram to obtain the data, including gamer accounts.

BloodyStealer is just one of many tools available on the dark web for stealing gamer accounts. Moreover, underground forums often feature ads offering to post a malicious link on a popular website or selling tools to generate phishing pages automatically. Using these tools, cybercriminals can collect, and then try to monetize, a huge amount of credentials. All kinds of offers related to gamer accounts can be found on the dark web.

So-called logs are among the most popular. These are databases containing reams of data for logging into accounts. In their ads, attackers can specify the types of data, the geography of users, the period over which the logs were collected and other details. For example, in the screenshot below, an underground forum member offers an archive with 65,600 records, of which 9,000 are linked to users from the US, and 5,000 to residents of India, Turkey and Canada. The entire archive costs $150 (that’s about 0.2 cents per record).

Cybercriminals can also use compromised gaming accounts to launder money, distribute phishing links and conduct other illegal business.

You can read more about gaming threats, including BloodyStealer, here and here.

Triada Trojan in WhatsApp mod

Not everyone is happy with the official WhatsApp app, turning instead to modified WhatsApp clients for features that the WhatsApp developers haven’t yet implemented in the official version. The creators of these mods often embed ads in them. However, their use of third-party ad modules can provide a mechanism for malicious code to be slipped into the app unnoticed.

This happened recently with FMWhatsApp, a popular WhatsApp mod. In version 16.80.0 the developers used a third-party ad module that includes the Triada Trojan (detected by Kaspersky’s mobile antivirus as Trojan.AndroidOS.Triada.ef). This Trojan performs an intermediary function. First, it collects data about the user’s device, and then, depending on the information, it downloads one of several other Trojans. You can find a description of the functions that these other Trojans perform in our analysis of the infected FMWhatsApp mod.

Qakbot banking Trojan

QakBot (aka QBot, QuackBot and Pinkslipbot) is a banking Trojan that was first discovered in 2007, and has been continually maintained and developed since then. It is now one of the leading banking Trojans around the globe. Its main purpose is to steal banking credentials (e.g., logins, passwords, etc.), but it has also acquired functionality allowing it to spy on financial operations, spread itself and install ransomware in order to maximize revenue from compromised organizations.

The Trojan also includes the ability to log keystrokes, backdoor functionality, and techniques to evade detection. The latter includes virtual environment detection, regular self-updates and cryptor/packer changes. QakBot also tries to protect itself from being analyzed and debugged by experts and automated tools. Another interesting piece of functionality is the ability to steal emails: these are later used by the attackers to send targeted emails to the victims, with the information obtained used to lure victims into opening those emails.

QakBot is known to infect its victims mainly via spam campaigns. In some cases, the emails are delivered with Microsoft Office documents or password-protected archives with documents attached. The documents contain macros and victims are prompted to open the attachments with claims that they contain important information (e.g., an invoice). In some cases, the emails contain links to web pages distributing malicious documents.

However, there is another infection vector that involves a malicious QakBot payload being transferred to the victim’s machine via other malware on the compromised machine. The initial infection vectors may vary depending on what the threat actors believe has the best chance of success for the targeted organization(s). It’s known that various threat actors perform reconnaissance of target organizations beforehand to decide which infection vector is most suitable.

We analyzed statistics on QakBot attacks collected from our Kaspersky Security Network (KSN), where anonymized data voluntarily provided by Kaspersky users is accumulated and processed. In the first seven months of 2021 our products detected 181,869 attempts to download or run QakBot. This number is lower than the detection number from January to July 2020, though the number of users affected grew by 65% – from 10,493 in the previous year to 17,316 this year.

Number of users affected by QakBot attacks from January to July in 2020 and 2021 (download)

You can read our full analysis here.

Fast forward into 2022 with Sophos’ Cybersecurity Summit 2021

Paid Post  Whatever sector you’re in, 2022 is likely to mean more and nastier cyber-threats.…

Latest episode - listen now! Solid cybersecurity advice in plain English.

Only affects Windows Server Core, so that's alright then

A sad-faced Microsoft engineer has had to reset the "Days since we last shot ourselves in the foot" counter at the company's HQ after a security update broke Microsoft Defender for Endpoint on Windows Server Core.…

The Vectra Masked CISO series gives security leaders a place to expose the biggest issues in security and advise peers on how to overcome them.

Advertorial  I’m always asked what keeps me awake at night. Being targeted by APT groups? New ransomware strains?…

Fake merchandise and crypto jacking are among the new ways cybercriminals will try to defraud people flocking online for Black Friday and Cyber Monday.

Mandatory vuln reporting, hefty fines for non-compliance

A new British IoT product security law is racing through the House of Commons, with the government boasting it will outlaw default admin passwords and more.…

Ad giant's first stab at providing the 'world's premier security advisory' starts with the obvious

Google's Cybersecurity Action Team has released its first "threat horizon" report on the scary things it's found on the internet.…

Cynos.7 trojan found its way into 9.3 million downloads

Updated  Cybersecurity researchers at anti-virus software company Dr Web have discovered a treasure trove of malware-laced Android games on Huawei's AppGallery.…

Other additions to Entity List are accused of helping Pakistan, North Korea make nukes, missiles

The US Dept of Commerce's Bureau of Industry and Security has added 27 companies to its list of entities prohibited from doing business with the USA on grounds they threaten national security – and one of the firms is associated with HPE’s Chinese joint venture H3C.…

Those numbers that show up on your phone to tell you who's calling? Treat them as SUGGESTIONS, never as PROOF.

A new trojan called Android.Cynos.7.origin, designed to collect Android users’ device data and phone numbers, was found in 190 games installed on over 9M Android devices.

Customers of several brands that resell GoDaddy Managed WordPress have also been caught up in the big breach, in which millions of emails, passwords and more were stolen.

Just weeks after a judge ruled that NSO Group did not have immunity in a suit brought by Facebook subsidiary WhatsApp, Apple is adding significant weight to the company's woes.