Viry a Červi

• IT threat evolution in Q1 2023
• IT threat evolution in Q1 2023. Non-mobile statistics
• IT threat evolution in Q1 2023. Mobile statistics

Targeted attacks

BlueNoroff introduces new methods bypassing MotW

At the close of 2022, we reported the recent activities of BlueNoroff, a financially motivated threat actor known for stealing cryptocurrency. The threat actor typically exploits Word documents, using shortcut files for the initial intrusion. However, recently the group has adopted new methods to deliver its malware.

One of these, designed to evade the Mark-of-the-Web (MotW) flag, is the use of .ISO (optical disk image) and .VHD (virtual hard disk) file formats. MotW is a Windows security measure — the system displays a warning message when someone tries to open a file downloaded from the internet.

The threat actor also seems to be experimenting with new file types to deliver its malware. We observed a new Visual Basic script, a previously unseen Windows Batch file and a Windows executable.

Our analysis revealed more than 70 domains used by this group, meaning that they were very active until recently. They also created numerous fake domains that look like venture capital and bank domains: most of these imitate Japanese venture capital companies, indicating that the group has an extensive interest in Japanese financial entities.

Roaming Mantis implements new DNS changer

We continue to track the activities of Roaming Mantis (aka Shaoye), a well-established threat actor targeting countries in Asia. From 2019 to 2022, this threat actor mainly used ‘smishing’ to deliver a link to its landing page, with the aim of controlling infected Android devices and stealing device information, including user credentials.

However, in September 2022, we analyzed the new Wroba.o Android malware, used by Roaming Mantis, and discovered a DNS changer function that was implemented to target specific Wi-Fi routers used mainly in South Korea.

This can be used to manage all communications from devices using a compromised Wi-Fi router with the rogue DNS settings — for example, to redirect someone to malicious hosts and interfere with security product updates. People connect infected Android devices to free, public Wi-Fi in such places as cafes, bars, libraries, hotels, shopping malls, and airports. When connected to a targeted Wi-Fi model with vulnerable settings, the malware will compromise the router and affect other devices as well. As a result, it can spread widely in the targeted regions.

BadMagic: new APT related to the Russo-Ukrainian conflict

Since the start of the Russo-Ukrainian conflict, we have identified a significant number of geo-political cyber-attacks, as outlined in our overview of the cyber-attacks related to the conflict.

Last October, we identified an active infection of government, agriculture and transportation organizations located in Donetsk, Lugansk and Crimea. The initial vector of compromise is unclear, but the details of the next stage imply the use of spear-phishing or something similar. The targets navigated to a URL pointing to a ZIP archive hosted on a malicious web server. This archive contained two files: a decoy document (we discovered PDF, XLSX and DOCX versions) and a malicious LNK file with a double extension (e.g. PDF.LNK) which, when opened, results in infection.

In several cases, the contents of the decoy document were directly related to the name of the malicious LNK, to trick the user into activating it

The LNK file downloads and installs a PowerShell backdoor called “PowerMagic”, which in turn deploys a sophisticated modular framework called “CommonMagic”. We discovered CommonMagic plugins capable of stealing files from USB devices as well as taking screenshots and sending them to the threat actor.

During our initial analysis, we were unable to find anything to connect the samples we found and the data used in the campaign to any previously known threat actor. However, our continuing investigations revealed more information about this threat, including links to other APT campaigns. You can find the details here.

Other malware Prilex targets contactless credit card transactions

Prilex has evolved from ATM-focused malware into the most advance PoS threat we have seen so far. The threat actor goes beyond the old memory scrapers seen in PoS attacks, to highly advanced malware that includes a unique cryptographic scheme, real-time patching of target software, forcing protocol downgrades, manipulating cryptograms, performing so-called “GHOST transactions” and credit card fraud — even on chip-and-PIN cards.

While investigating an incident, we discovered new Prilex samples, and one of the new features included the ability to block contactless transactions. These transactions generate a unique identifier that’s valid for just one transaction, making them worthless to cybercriminals. By blocking the transaction, Prilex tries to force the customer to insert their card to make a chip-and-PIN transaction instead, allowing the cybercriminals to capture data from the card using their standard techniques.

With contactless card transactions increasing, this is a valuable technique that allows the Prilex threat actor to continue stealing card information.

The threat actor uses social engineering to infect a PoS terminal. They try to convince employees of a retail outlet that they urgently need to update the terminal’s software and to allow a “technical specialist” to visit the store, or at least provide remote access to the terminal. It’s important that retail organizations are alert to the signs of infection — including repeated failed contactless transactions — and educate staff about the methods used by cybercriminals to gain entry to their systems.

For retail companies (especially large networks with many branches), it’s important to develop internal regulations and explain to all employees exactly how technical support and/or maintenance crews should operate. This should at least prevent unauthorized access to POS-terminals. In addition, increasing employee’s awareness of the latest cyberthreats is always a good idea: that way they’ll be much less susceptible to new social engineering tricks.

Stealing cryptocurrency using a fake Tor browser

We recently discovered an ongoing cryptocurrency theft campaign affecting more than 15,000 users across 52 countries. The attackers used a technique that has been around for more than a decade and was originally used by banking Trojans to replace bank account numbers. However, in the recent campaign, the attackers used a Trojanized version of the Tor Browser to steal cryptocurrency.

The target downloads the Trojanized version of the Tor Browser from a third-party resource containing a password protected RAR archive — the password is used to prevent it being detected by security solutions. Once the file is dropped onto the target’s computer, it registers itself in the system’s auto-start and masquerades as an icon for a popular application, such as uTorrent.

The malware waits until there is a wallet address in the clipboard and then replaces a portion of the entered clipboard contents with the cybercriminal’s own wallet address.

Our analysis of existing samples suggests that the estimated loss for those targeted in the campaign is at least $400,000, but the actual amount stolen could be much greater, as our research focused only on Tor Browser abuse. Other campaigns may use different software and malware delivery methods, as well as other types of wallets.

We haven’t been able to identify a single web site that hosts the installer, so it is probably distributed either via torrent downloads or some other software downloader. The installers coming from the official Tor Project are digitally signed and didn’t contain any signs of such malware. So, to stay safe, you should download software only from reliable and trusted sources. Even where someone has downloaded the Trojanized version, a good anti-virus product should be able to detect it.

There is also a way to check if your system is compromised with malware of the same class. Put the following “Bitcoin address” into Notepad:
bc1heymalwarehowaboutyoureplacethisaddress

Now press Ctrl+C and Ctrl+V. If the address changes to something else — the system is probably compromised by clipboard-injector malware and is dangerous to use.

We would recommend that you scan your system with security software. If you want to have full confidence that no hidden backdoors remain, once a system has been compromised, you should not trust it until it has been rebuilt.

It seems that everyone’s chatting about ChatGPT

Since OpenAI opened up its large GPT-3 language model to the general public through ChatGPT, interest in the project has soared, as people rushed to explore its possibilities, including writing poetry, engaging in dialogue, providing information, creating content for web sites and more.

There has also been a good deal of discussion about the potential impact of ChatGPT on the threat landscape.

Given ChatGPT’s ability to mimic human interaction, it’s likely that automated spear-phishing attacks using ChatGPT are already taking place. ChatGPT allows attackers to generate persuasive, personalized e-mails on an industrial scale. Moreover, any responses from the target of the phishing message can easily be fed into the chatbot’s model, producing a compelling follow-up in seconds. That said, while ChatGPT may make it easier for cybercriminals to churn out phishing messages, it doesn’t change the nature of this form of attack.

Cybercriminals have also reported on underground hacker forums how they have used ChatGPT to create new Trojans. Since the chatbot is able to write code, if someone describes a desired function (for example, “save all passwords in file X and send via HTTP POST to server Y”), they can create a simple infostealer without having any programming skills. However, such Trojans are likely to be primitive and could contain bugs that make it less effective. For now, at least, chatbots can only compete with novice malware writers.

We also uncovered a malicious campaign that sought to exploit the growing popularity of ChatGPT. Fraudsters created social network groups that mimicked communities of enthusiasts. These groups also contained fake credentials for pre-created accounts that purported to provide access to ChatGPT. The groups contained a plausible link inviting people to download a fake version of ChatGPT for Windows.

The malicious link installs a Trojan that steals account credentials stored in Chrome, Edge, Firefox, Brave and other browsers.

Since security researchers frequently publish reports about threat actors, including TTPs (Tactics, Techniques and Procedures) and other indicators, we decided to try to find out what ChatGPT already knows about threat research and whether it can help common malicious tools and IoCs (Indicators of Compromise), such as malicious hashes and domains.

The responses for host-based artifacts looked promising, so we instructed ChatGPT to write some code to extract various metadata from a test Windows system and then to ask itself whether the metadata was an IoC:

Since certain code snippets were handier than others, we continued developing this proof of concept manually: we filtered the output for events where the ChatGPT response contained a “yes” statement regarding the presence of an IoC, added exception handlers and CSV reports, fixed small bugs and converted the snippets into individual cmdlets, which produced a simple IoC scanner, HuntWithChatGPT.psm1, capable of scanning a remote system via WinRM.

While the exact implementation of IoC scanning may not currently be a very cost-effective solution at $15 to £20 per host for the OpenAI API, it shows interesting interim results, and reveals opportunities for future research and testing.

The impact of AI on our lives will extend far beyond the current capabilities of ChatGPT and other current machine learning projects. Ivan Kwiatkowski, a researcher in our Global Research and Analysis Team, recently explored the likely scope of the changes we can expect in the long term. These perspectives not only include the productivity gains offered by AI, but the social, economic and political implications of the changes it is likely to usher in.

Tracking our digital footprints

We’ve become used to service providers, marketing agencies and analytical companies tracking our mouse clicks, social media posts and browser and streaming services history. Companies do this for a number of reasons. They want to understand our preferences better, and suggest products and services that we’re more likely to buy. They do it to find out which images or text we focus on most. They also sell on our online behavior and preferences to third parties.

The tracking is done using web beacons (aka tracker pixels and spy pixels). The most popular tracking technique is to insert a tiny image –1×1 or even 0x0 pixels in size — into an e-mail, application, or web page. The e-mail client or browser makes a request to download the image from the server by transmitting information about you, which the server records. This includes the time, device, operating system, browser, and the page from which the pixel was downloaded. This is how the operator of the beacon learns that you opened the e-mail or web page, and how. Often a small piece of JavaScript inside the web page, which can collect even more detailed information, is used instead of a pixel. These beacons, placed on every page or application screen, make it possible for companies to follow you wherever you go on the web.

In our recent report on web trackers, we listed the 20 most common beacons found on web sites and in e-mail. The data for web beacons is based on anonymous statistics from the Do Not Track (DNT) component of Kaspersky consumer products, which blocks the loading of web site trackers. Most of the companies have at least some connection to digital advertising and marketing, including tech giants such as Google, Microsoft, Amazon and Oracle.

The data for e-mail beacons is from anonymized anti-spam detection data from Kaspersky mail products. The companies in the list are either e-mail service providers (ESP) or customer relationship management (CRM) companies.

The information collected using trackers is of value not just to legitimate companies, but also to cybercriminals. If they are able to obtain such information — for example, as result of a data leak — they can use it to hack online accounts or send fake e-mails. In addition, attackers make use of web beacons too. You can find information on how to protect yourself from tracking here.

Malvertising through search engines

In recent months, we have observed an increase in the number of malicious campaigns that use Google Advertising as a means of distributing and delivering malware. At least two different stealers, Rhadamanthys and RedLine, abused the search engine promotion plan in order to deliver malicious payloads to victims’ computers.

They seem to be using the same technique of mimicking a web site associated with well-known software, such as Notepad++ and Blender 3D. The threat actors create copies of legitimate software web sites and use “typosquatting” (using incorrectly spelled brands or company names as URLs) or “combosquatting” (as above, but adding arbitrary words as URLs) to make the sites look legitimate. They then pay to promote the site in the search engine in order to push it to the top of search results — a technique known as “malvertising”.

The distribution of malware that we have seen suggests that threat actors are targeting victims, both individual and corporate, across the globe.

• IT threat evolution Q1 2023
• IT threat evolution Q1 2023. Non-mobile statistics
• IT threat evolution Q1 2023. Mobile statistics

These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q1 2023:

• 4,948,522 mobile malware, adware and riskware attacks were blocked.
• The most common threat to mobile devices was adware: 34.8% of all detected threats.
• 307,529 malicious installation packages were detected, of which:
  • 57,601 packages were related to mobile banking Trojans,
  • 1767 packages were mobile ransomware Trojans.

Quarterly highlights

Malware, adware and unwanted software attacks on mobile devices were down slightly year-on-year. Kaspersky mobile security systems thwarted a total of 4.9 million attacks in Q1 2023.

Number of attacks targeting users of Kaspersky mobile solutions, Q3 2021–Q1 2023 (download)

During the period in question, we detected several mobile photo editors on Google Play, which, besides their legitimate features, contained a dropper hidden inside a heavily obfuscated library. The dropper payload was designed to subscribe the user to paid services and intercept notifications.

We assigned our new find the verdict of Trojan.AndroidOS.Subscriber.aj and alerted Google Play, which then took down the malicious files. Kaspersky systems detect new files associated with this Trojan as Trojan.AndroidOS.Fleckpe.

Also in the first quarter, we came across what we designated as Trojan.AndroidOS.Bithief.f, a malicious modification of Skype that stole the victim’s cryptocurrency. The Trojan monitors the contents of the clipboard on the user’s computer and sends any crypto wallet addresses that it detects to the command-and-control server. The server responds with the hacker’s wallet address, so the malware substitutes that for the user’s address. And then inattentive users send their cryptocurrency to the wrong guys.

Mobile threat statistics

After a noticeable decrease in malicious installers in Q4 2022 due to reduced activity by Trojan-Dropper.AndroidOS.Ingopack, we observed a minor increase in new malware varieties.

Number of detected malicious installation packages, Q1 2022–Q1 2023 (download)

Distribution of detected mobile malware by type

Distribution of newly detected mobile malware by type, Q4 2022 and Q1 2023 (download)

Adware was back at the top of the rankings with 34.8%. The most widespread adware families in Q1 2023 were MobiDash (22.5%), HiddenAd (21.9%) and Adlo (12.4%).

Share of users attacked by a certain type of threat out of all attacked mobile users in Q4 2022 and Q1 2023 (download)

The share of users attacked by mobile Trojans increased in the first quarter, mostly due to the malware that we detect as Trojan.AndroidOS.Fakemoney.v and Trojan.AndroidOS.Adinstall.l. The former is a fake investment app that harvests victims’ payment details, and the latter, adware that comes pre-installed on certain devices, capable of downloading and running code (typically ads).

TOP 20 mobile malware programs

Note that the malware rankings below exclude riskware or PUAs, such as RiskTool or adware.

Verdict %* Q4 2022 %* Q1 2023 Difference in pp Change in ranking 1 DangerousObject.Multi.Generic 16.52 13.27 -3.24 2 Trojan-Spy.AndroidOS.Agent.acq 4.29 8.60 +4.31 +5 3 Trojan.AndroidOS.Boogr.gsh 6.92 8.39 +1.47 +1 4 Trojan.AndroidOS.Fakemoney.v 1.13 7.48 +6.35 +19 5 Trojan.AndroidOS.GriftHorse.l 8.29 6.13 -2.17 -3 6 Trojan.AndroidOS.Generic 7.68 5.95 -1.73 -3 7 Trojan-Dropper.AndroidOS.Hqwar.hd 3.06 4.54 +1.49 +2 8 Trojan-Downloader.AndroidOS.Agent.mh 0.00 3.68 +3.68 9 Trojan-Spy.AndroidOS.Agent.aas 6.18 3.64 -2.53 -3 10 DangerousObject.AndroidOS.GenericML 2.37 3.46 +1.10 11 Trojan.AndroidOS.Adinstall.l 0.28 3.36 +3.08 12 Trojan-Dropper.AndroidOS.Agent.sl 3.50 2.10 -1.40 -4 13 Trojan.AndroidOS.Fakemoney.u 0.67 1.64 +0.97 +25 14 Trojan-Banker.AndroidOS.Bian.h 1.43 1.52 +0.10 +3 15 Trojan-Dropper.AndroidOS.Hqwar.gen 1.25 1.47 +0.22 +6 16 Trojan-Downloader.AndroidOS.Agent.kx 1.53 1.43 -0.10 -3 17 Trojan-SMS.AndroidOS.Fakeapp.d 6.43 1.32 -5.11 -12 18 Trojan.AndroidOS.Piom.auar 0.00 1.06 +1.06 19 Trojan-Dropper.AndroidOS.Wroba.o 1.51 1.03 -0.47 -4 20 Trojan-Dropper.AndroidOS.Hqwar.gf 0.14 0.98 +0.84

* Unique users attacked by this malware as a percentage of all attacked users of Kaspersky mobile solutions.

DangerousObject.Multi.Generic (13.27%), the verdict we assign to miscellaneous unrelated malware that we detect with our cloud technology, topped the rankings as usual. This was followed by Trojan-Spy.AndroidOS.Agent.acq (8.60%), a malicious modification of WhatsApp that secretly monitors notifications the user receives.

Trojan.AndroidOS.Boogr.gsh (8.39%), a collective verdict for miscellaneous malware we detect with our machine learning technology, was in third place. This verdict is analogous to DangerousObject.AndroidOS.GenericML (3.46%), but unlike it, received through analysis of a similar file in the Kaspersky infrastructure.

Next were the previously mentioned fake investment app Trojan.AndroidOS.Fakemoney.v (7.48%) and the subscription Trojan described in many past reports — Trojan.AndroidOS.GriftHorse.l (6.13%).

Regional malware

This section describes mobile malware that mostly targets those who reside in certain countries.

Verdict Country* %** Trojan-Banker.AndroidOS.Banbra.aa Brazil 99.43 Trojan-Spy.AndroidOS.SmsThief.td Indonesia 99.08 Trojan-Banker.AndroidOS.Bray.n Japan 99.07 Trojan-Banker.AndroidOS.Banbra.ac Brazil 98.85 Trojan-Banker.AndroidOS.Agent.la Turkey 98.62 Trojan.AndroidOS.Hiddapp.da Iran 97.82 Trojan.AndroidOS.Hiddapp.bk Iran 96.95 Trojan.AndroidOS.GriftHorse.ai Kazakhstan 96.26 Trojan-Dropper.AndroidOS.Hqwar.hc Turkey 95.93 Trojan.AndroidOS.FakeGram.a Iran 95.73 Trojan-SMS.AndroidOS.Agent.adr Iran 95.07 Trojan.AndroidOS.Hiddapp.bn Iran 95.01 Trojan.AndroidOS.Piom.aiuj Iran 90.33 Trojan-Banker.AndroidOS.Cebruser.san Turkey 88.28 Trojan.AndroidOS.Hiddapp.cg Iran 88.25 Backdoor.AndroidOS.Basdoor.c Iran 86.44 Trojan-Dropper.AndroidOS.Wroba.o Japan 83.80

* Country where the malware was most active
* Unique users attacked by the malware in the indicated country as a percentage of all Kaspersky mobile security solution users attacked by the same malware

Members of the Banbra malware family continued to attack users in Brazil in Q1 2023. These are banking Trojans that abuse Accessibility features to interact with other applications installed on the device.

In Indonesia, users were exposed to spreading SmsThief.td SMS spies masquerading as public services, system apps or marketplaces.

Wroba banking Trojans, which we have covered several times, and the Bray mobile malware distributed under the guise of useful apps, such as call blockers, were busy in Japan.

Turkish users found themselves targeted by several banking Trojans, including the fairly primitive Agent.la and the well-known Cebruser. The Hqwar dropper operating in Turkey is also typically used to deliver various banking malware.

Users in Iran had to deal with hidden, hard-to-remove Hiddapp programs and the FakeGram family, third-party Telegram clients that automatically add users to channels they do not indent to join.

A variant of the GriftHorse subscription Trojan was mostly active in Kazakhstan. Focusing on users in a certain country is expected behavior for this Trojan family, as phishing messages used to lure the user into subscription to a fake service have to be localized.

Mobile banking Trojans

The number of banking Trojan installers began to increase again, exceeding 57,000 in Q1 2023.

Number of installation packages for mobile banking Trojans detected by Kaspersky, Q1 2022–Q1 2023 (download)

TOP 10 mobile bankers

Verdict %* Q4 2022 %* Q1 2023 Difference in pp Change in ranking 1 Trojan-Banker.AndroidOS.Bian.h 29.90 30.81 0.91 2 Trojan-Banker.AndroidOS.Faketoken.pac 6.31 10.15 3.84 3 Trojan-Banker.AndroidOS.Agent.eq 4.59 5.51 0.92 +1 4 Trojan-Banker.AndroidOS.Agent.ep 3.57 4.40 0.84 +2 5 Trojan-Banker.AndroidOS.Svpeng.q 5.71 4.05 -1.66 -2 6 Trojan-Banker.AndroidOS.Banbra.aa 1.80 3.72 1.92 +6 7 Trojan-Banker.AndroidOS.Agent.la 0.16 3.08 2.92 +85 8 Trojan-Banker.AndroidOS.Banbra.ac 0.57 2.46 1.89 +23 9 Trojan-Banker.AndroidOS.Asacub.ce 3.46 2.17 -1.29 -1 10 Trojan-Banker.AndroidOS.Agent.cf 1.63 1.91 0.28 +5

* Unique users attacked by this malware as a percentage of all Kaspersky mobile security solution users who encountered banking threats.

Q1 2023 saw a noticeable year-on-year increase in activity by the aforementioned mobile malware Agent.la (3,08%) и Banbra (2,46%), which landed outside the TOP 10 in Q4 2022.

Mobile ransomware Trojans

The number of mobile ransomware programs remained low after dropping in 2022, apparently because the niche had ceased to be as profitable for scammers as it once had been.

Number of installation packages for mobile ransomware Trojans detected by Kaspersky, Q1 2022 — Q1 2023 (download)

TOP 10 mobile ransomware verdicts

Verdict %* Q4 2022 %* Q1 2023 Difference in pp Change in ranking 1 Trojan-Ransom.AndroidOS.Pigetrl.a 54.61 62.22 7.60 2 Trojan-Ransom.AndroidOS.Small.as 5.42 3.65 -1.77 3 Trojan-Ransom.AndroidOS.Rkor.dl 0.00 2.23 2.23 4 Trojan-Ransom.AndroidOS.Congur.y 1.00 1.78 0.78 +19 5 Trojan-Ransom.AndroidOS.Agent.bw 2.19 1.60 -0.59 -1 6 Trojan-Ransom.AndroidOS.Fusob.h 2.04 1.55 -0.49 +1 7 Trojan-Ransom.AndroidOS.Rkor.pac 1.19 1.50 0.32 +9 8 Trojan-Ransom.AndroidOS.Rkor.di 0.62 1.46 0.84 +30 9 Trojan-Ransom.AndroidOS.Rkor.bi 1.62 1.46 -0.16 +2 10 Trojan-Ransom.AndroidOS.Small.o 2.14 1.32 -0.82 -4

* Unique users attacked by the malware as a percentage of all Kaspersky mobile security solution users attacked by ransomware Trojans.

The distribution of mobile ransomware apps across quarters changed only insignificantly. Pigetrl (62.22%) still accounted for the lion’s share of threats, followed by Small.as (3.65%) and various modifications of Rkor.

• IT threat evolution in Q1 2023
• IT threat evolution in Q1 2023. Non-mobile statistics
• IT threat evolution in Q1 2023. Mobile statistics

These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q1 2023:

• Kaspersky solutions blocked 865,071,227 attacks launched from online resources across the globe.
• Web Anti-Virus detected 246,912,694 unique URLs as malicious.
• Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 106,863 unique users.
• Ransomware attacks were defeated on the computers of 60,900 unique users.
• Our File Anti-Virus detected 43,827,839 unique malicious and potentially unwanted objects.

Financial threats Financial threat statistics

In Q1 2023, Kaspersky solutions blocked the launch of at least one piece of banking malware on the computers of 106,863 unique users.

Number of unique users attacked by financial malware, Q1 2023 (download)

Geography of financial malware attacks

To evaluate and compare the risk of being infected by banking Trojans or ATM/POS malware worldwide, for each country and territory, we calculated the share of Kaspersky users who faced this threat during the reporting period as a percentage of all users of our products in that country or territory.

TOP 10 countries/territories by share of attacked users

Country/territory* %** 1 Turkmenistan 4.7 2 Afghanistan 4.6 3 Paraguay 2.8 4 Tajikistan 2.8 5 Yemen 2.3 6 Sudan 2.3 7 China 2.0 8 Switzerland 2.0 9 Egypt 1.9 10 Venezuela 1.8

* Excluded are countries/territories with relatively few Kaspersky users (under 10,000).
** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country/territory.

TOP 10 banking malware families

Name Verdicts %* 1 Ramnit/Nimnul Trojan-Banker.Win32.Ramnit 28.9 2 Emotet Trojan-Banker.Win32.Emotet 19.5 3 Zbot/Zeus Trojan-Banker.Win32.Zbot 18.3 4 Trickster/Trickbot Trojan-Banker.Win32.Trickster 6.5 5 CliptoShuffler Trojan-Banker.Win32.CliptoShuffler 5.9 6 Danabot Trojan-Banker.Win32.Danabot 2.3 7 IcedID Trojan-Banker.Win32.IcedID 1.9 8 SpyEyes Trojan-Spy.Win32.SpyEye 1.6 9 Gozi Trojan-Banker.Win32.Gozi 1.1 10 Qbot/Qakbot Trojan-Banker.Win32.Qbot 1.1

* Unique users who encountered this malware family as a percentage of all users attacked by financial malware.

Ransomware programs Quarterly trends and highlights Attacks on Linux and VMWare ESXi servers

An increasing number of ransomware families are extending their attack surfaces by adding support for operating systems other than Windows, which they have targeted traditionally. In Q1 2023, we discovered builds from several ransomware families intended for running on Linux and VMWare ESXi servers, namely: ESXiArgs (new family), Nevada (a rebranding of Nokoyawa, which is written in Rust), Royal, IceFire.

Thus, the arsenals of most professional extortion groups today include ransomware builds designed for several platforms, thus maximizing the damage they can cause to their victims.

Progress in combating cybercrime

Europol and the U.S. Department of Justice announced that as a result of a joint operation with the FBI that started in July 2022, the FBI penetrated networks belonging to the Hive group and obtained decryption keys for more than 1,300 victims. The law enforcement agencies also obtained information about 250 Hive affiliates and seized several servers belonging to the group.

The Netherlands Police arrested three individuals suspected of stealing confidential data and extorting €100,000 to €700,000 from each victim company.

Europol announced it had arrested two suspected core members of DoppelPaymer during a joint operation with the FBI and the law enforcement agencies of Germany, Ukraine, and the Netherlands. The team also seized hardware, which the law enforcement agencies will inspect during further investigation.

Conti-based Trojan decrypted

Kaspersky analysts released a utility for decrypting files affected by a Trojan known to researchers as MeowCorp. The malware was compiled from Conti source code, which was published last year. An archive containing the secret keys, 258 in all, was posted on an online forum. We added these, along with data decryption code, to the latest version of RakhniDecryptor.

Most prolific groups

This section looks at ransomware groups that engage in so-called “double extortion”, that is stealing confidential data in addition to encrypting it. Most of these groups target large companies, and many maintain a DLS (data leak site), where they publish a list of organizations they have attacked. The diagram below reflects the most prolific extortion gangs, that is, the ones that added the largest numbers of victims to their DLSs.

Most prolific ransomware gangs. The diagram shows each group’s share of victims out of the total number of victims published on all the groups’ DLSs in Q1 2023 (download)

Number of new modifications

In Q1 2023, we detected nine new ransomware families and 3089 new modifications of the malware of this type.

Number of new ransomware modifications, Q1 2022 — Q1 2023 (download)

Number of users attacked by ransomware Trojans

In Q1 2023, Kaspersky products and technologies protected 60,900 users from ransomware attacks.

Number of unique users attacked by ransomware Trojans, Q1 2023 (download)

Geography of attacked users

TOP 10 countries/territories attacked by ransomware Trojans

Country/territory* %** 1 Yemen 1.50 2 Bangladesh 1.47 3 Taiwan 0.65 4 Mozambique 0.59 5 Pakistan 0.47 6 South Korea 0.42 7 Venezuela 0.32 8 Iraq 0.30 9 Nigeria 0.30 10 Libya 0.26

* Excluded are countries/territories with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country/territory.

TOP 10 most common families of ransomware Trojans Name Verdicts* Percentage of attacked users** 1 Magniber Trojan-Ransom.Win64.Magni / Trojan-Ransom.Win32.Magni 15.73 2 WannaCry Trojan-Ransom.Win32.Wanna 12.40 3 (generic verdict) Trojan-Ransom.Win32.Gen 12.27 4 (generic verdict) Trojan-Ransom.Win32.Encoder 8.77 5 (generic verdict) Trojan-Ransom.Win32.Agent 6.65 6 (generic verdict) Trojan-Ransom.Win32.Phny 6.52 7 Stop/Djvu Trojan-Ransom.Win32.Stop 5.90 8 PolyRansom/VirLock Trojan-Ransom.Win32.PolyRansom / Virus.Win32.PolyRansom 3.74 9 (generic verdict) Trojan-Ransom.Win32.Crypren 3.52 10 (generic verdict) Trojan-Ransom.Win32.CryFile 2.06

* Statistics are based on detection verdicts of Kaspersky products. The information was provided by Kaspersky product users who consented to providing statistical data.
** Unique Kaspersky users attacked by specific ransomware Trojan families as a percentage of all unique users attacked by ransomware Trojans.

Miners Number of new miner modifications

In Q1 2023, Kaspersky solutions detected 1733 new modifications of miners.

Number of new miner modifications, Q1 2023 (download)

Number of users attacked by miners

In Q1, we detected attacks using miners on the computers of 403,211 unique users of Kaspersky products worldwide.

Number of unique users attacked by miners, Q1 2023 (download)

Geography of miner attacks

TOP 10 countries/territories attacked by miners

Country/territory* %** 1 Tajikistan 2.87 2 Kazakhstan 2.52 3 Uzbekistan 2.30 4 Kyrgyzstan 2.18 5 Belarus 1.80 6 Venezuela 1.77 7 Ethiopia 1.73 8 Ukraine 1.73 9 Mozambique 1.63 10 Rwanda 1.50

* Excluded are countries/territories with relatively few users of Kaspersky products (under 50,000).
** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country/territory.

Vulnerable applications used in cyberattacks Quarterly highlights

Q1 2023 saw a number of Windows vulnerabilities remediated and published. Some of those were the following:

• CVE-2023-23397: probably the most high-profile vulnerability, which provoked much online debate and discussion. This Windows vulnerability allows starting automatic authentication on behalf of the user on a host running Outlook.
• CVE-2023-21674: a vulnerability in the ALPC subsystem that allows a malicious actor to escalate their privileges to system level.
• CVE-2023-21823: a Windows Graphics Component vulnerability that allows running commands in the system on behalf of the user. This can be reproduced both in Windows desktop versions of Microsoft Office and in mobile (iOS and Android) versions.
• CVE-2023-23376: a Common Log File System Driver vulnerability that allows escalating privileges to system level.
• СVE-2023-21768: a vulnerability in the Ancillary Function Driver for WinSock that allows obtaining system privileges.

A Microsoft fix for each of the vulnerabilities is out, and we strongly encourage you to install all the relevant patches.

The main network threats in Q1 2023 were brute-force attacks on MSSQL and RDP services. EternalBlue and EternalRomance remained popular exploits for operating system vulnerabilities. We detected notably large numbers of attacks and scans that targeted log4j-type vulnerabilities (CVE-2021-44228).

Vulnerability statistics

In Q1 2023, Kaspersky products detected more than 300,000 exploitation attempts, most of these using Microsoft Office exploits. Their share was 78.96%, down by just 1 p.p. from the previous quarter. The most-exploited vulnerabilities in that category were the following:

• CVE-2017-11882 and CVE-2018-0802: Equation Editor vulnerabilities that allow corrupting application memory during formula processing to then run arbitrary code in the system.
• CVE-2017-0199 that allows using MS Office to load malicious scripts.
• CVE-2017-8570 that allows loading malicious HTA scripts into the system.

The second most-exploited category were browser vulnerabilities (7.07%), their share growing by 1 p.p. We did not discover any new browser vulnerabilities exploited by malicious actors in the wild. Q2 2023 might bring something new.

Distribution of exploits used by cybercriminals by type of attacked application, Q1 2023 (download)

Android (4.04%) and Java (3.93%) were third and fourth, respectively. Android exploits lost 1 p.p. during the period, whereas the share of Java exploits remained unchanged. The fifth- and sixth-place scores — Adobe Flash (3.49%) and PDF (2.52%) — were very close to the previous quarter’s figures as well.

Attacks on macOS

The first quarter’s high-profile event was a supply-chain attack on the 3CX app, including the macOS version. Hackers were able to embed malicious code into the libffmpeg media processing library to download a payload from their servers.

Worth noting is the MacStealer spy program, also discovered in Q1 2023, which stole cookies from the victim’s browser, as well as account details and cryptowallet passwords.

TOP 20 threats for macOS

Verdict %* 1 AdWare.OSX.Pirrit.ac 11.87 2 AdWare.OSX.Amc.e 8.41 3 AdWare.OSX.Pirrit.j 7.98 4 AdWare.OSX.Agent.ai 7.58 5 Monitor.OSX.HistGrabber.b 6.64 6 AdWare.OSX.Bnodlero.ax 6.12 7 AdWare.OSX.Pirrit.ae 5.77 8 AdWare.OSX.Agent.gen 4.98 9 Hoax.OSX.MacBooster.a 4.76 10 Trojan-Downloader.OSX.Agent.h 4.66 11 AdWare.OSX.Pirrit.o 3.63 12 Backdoor.OSX.Twenbc.g 3.52 13 AdWare.OSX.Bnodlero.bg 3.32 14 AdWare.OSX.Pirrit.aa 3.20 15 Backdoor.OSX.Twenbc.h 3.14 16 AdWare.OSX.Pirrit.gen 3.14 17 Downloader.OSX.InstallCore.ak 2.37 18 Trojan-Downloader.OSX.Lador.a 2.03 19 RiskTool.OSX.Spigot.a 1.92 20 Trojan.OSX.Agent.gen 1.88

* Unique users who encountered this malware as a percentage of all users of Kaspersky security products for macOS who were attacked.

Adware remained the most widespread threat to macOS users. In addition to that, we frequently came across all kinds of system “cleaners” and “optimizers”, many of these containing highly annoying ads or classic scams, where users were offered to buy solutions to problems that did not exist.

Geography of threats for macOS

ТОР 10 countries/territories by share of attacked users

Country/territory* %** 1 Italy 1.43 2 Spain 1.39 3 France 1.37 4 Russian Federation 1.29 5 Mexico 1.20 6 Canada 1.18 7 United States 1.16 8 United Kingdom 0.98 9 Australia 0.87 10 Brazil 0.81

* Excluded from the rankings are countries/territories with relatively few users of Kaspersky security solutions for macOS (under 10,000).
** Unique attacked users as a percentage of all users of Kaspersky macOS security products in the country/territory.

Italy (1.43%) and Spain (1.39%) became the leaders by number of attacked users, as France (1.37%), Russia (1.29%) and Canada (1.18%) lost a few percentage points. Overall, the percentage of attacked users in the TOP 10 countries did not change much.

IoT attacks IoT threat statistics

In Q3 2023, a majority of the devices that attacked Kaspersky honeypots still used the Telnet protocol, but its popularity decreased somewhat from the previous quarter.

Telnet 69.2% SSH 30.8%

Distribution of attacked services by number of unique IP addresses of attacking devices, Q1 2023

In terms of session numbers, Telnet accounted for the absolute majority.

Telnet 97.8% SSH 2.2%

Distribution of cybercriminal working sessions with Kaspersky traps, Q1 2023

TOP 10 countries/territories as sources of SSH attacks

Country/territory %* (Q4 2022) %* (Q1 2023) Taiwan 1.60 12.13 United States 19.11 12.05 South Korea 3.32 7.64 Mainland China 8.45 6.80 Brazil 5.10 5.08 India 6.26 4.45 Germany 6.20 4.00 Vietnam 2.18 3.95 Singapore 6.63 3.63 Russian Federation 3.33 3.36 Other 37.81 36.91

* Unique IP addresses located in a country/territory as a percentage of all unique IP addresses where SSH attacks on Kaspersky honeypots originated.

The APAC countries/territories and the U.S. remained the main sources of SSH attacks in Q1 2023.

TOP 10 countries/territories as sources of SSH attacks

Country/territory %* (Q4 2022) %* (Q1 2023) Mainland China 46.90 39.92 India 6.61 12.06 Taiwan 6.37 7.51 Brazil 3.31 4.92 Russian Federation 4.53 4.82 United States 4.33 4.30 South Korea 7.39 2.59 Iran 1.05 1.50 Pakistan 1.40 1.41 Kenya 0.06 1.39 Other 18.04 19.58

* Unique IP addresses located in a country/territory as a percentage of all unique IP addresses where Telnet attacks on Kaspersky honeypots originated.

Mainland China (39.92%) remained the largest source of Telnet attacks, with India’s (12.06%) and Kenya’s (1.39%) contributions increasing significantly. The share of attacks that originated in South Korea (2.59%) decreased.

TOP 10 threats delivered to IoT devices via Telnet

Verdict %* 1 Trojan-Downloader.Linux.NyaDrop.b 41.39% 2 Backdoor.Linux.Mirai.b 18.82% 3 Backdoor.Linux.Mirai.cw 9.63% 4 Backdoor.Linux.Mirai.ba 6.18% 5 Backdoor.Linux.Gafgyt.a 2.64% 6 Backdoor.Linux.Mirai.fg 2.25% 7 Backdoor.Linux.Mirai.ew 1.89% 8 Trojan-Downloader.Shell.Agent.p 1.77% 9 Backdoor.Linux.Gafgyt.bj 1.24% 10 Trojan-Downloader.Linux.Mirai.d 1.23%

* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats.

Attacks via web resources

The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create these sites on purpose; they can infect hacked legitimate resources as well as web resources with user-created content, such as forums.

Countries/territories that serve as sources of web-based attacks: TOP 10

The following statistics show the distribution by country/territory of the sources of internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.

To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted.

In Q1 2023, Kaspersky solutions blocked 865,071,227 attacks launched from online resources across the globe. A total of 246,912,694 unique URLs were detected as malicious by Web Anti-Virus.

Distribution of web-attack sources across countries, Q1 2022 (download)

Countries/territories where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in various countries/territories, we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered at least once during the quarter in each country/territory. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in various countries.

Note that these rankings only include attacks by malicious objects that fall under the Malware class; they do not include Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.

Country/territory* %** 1 Turkey 16.88 2 Taiwan 16.01 3 Algeria 15.95 4 Palestine 15.30 5 Albania 14.95 6 Yemen 14.94 7 Serbia 14.54 8 Tunisia 14.13 9 South Korea 13.98 10 Libya 13.93 11 Sri Lanka 13.85 12 Greece 13.53 13 Syria 13.51 14 Nepal 13.10 15 Bangladesh 12.92 16 Georgia 12.85 17 Morocco 12.80 18 Moldova 12.73 19 Lithuania 12.61 20 Bahrein 12.39

* Excluded are countries/territories with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky products in the country/territory.

On average during the quarter, 9.73% of internet users’ computers worldwide were subjected to at least one Malware-class web attack.

Local threats

In this section, we analyze statistical data obtained from the OAS and ODS modules of Kaspersky products. It takes into account malicious programs that were found directly on users’ computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).

In Q1 2023, our File Anti-Virus detected 43,827,839 malicious and potentially unwanted objects.

Countries and territories where users faced the highest risk of local infection

For each country/territory, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries/territories.

These rankings only include attacks by malicious programs that fall under the Malware class; they do not include File Anti-Virus triggerings in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

Country/territory* %** 1 Yemen 45.38 2 Turkmenistan 44.68 3 Afghanistan 43.64 4 Tajikistan 42.57 5 Cuba 36.01 6 Burundi 35.20 7 Syria 35.17 8 Bangladesh 35.07 9 Myanmar 34.98 10 Uzbekistan 34.22 11 South Sudan 34.06 12 Rwanda 34.01 13 Algeria 33.94 14 Guinea 33.74 15 Cameroon 33.09 16 Sudan 33.06 17 Chad 33.06 18 Tanzania 32.50 19 Benin 32.42 20 Malawi 31.93

* Excluded are countries/territories with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country/territory.

On average worldwide, Malware-class local threats were registered on 15.22% of users’ computers at least once during Q3.

Nearly anything can look like money laundering if you squint hard enough

Three supporters of activists against a $90 million police training facility dubbed Cop City were arrested after the cops used PayPal data to bring money-laundering charges against the trio.…

Legal prof warns: 'This case is like a wrecking ball for internet law'

The US Ninth Circuit Court of Appeals last week ruled that Enigma Software Group can pursue its long standing complaint against rival security firm Malwarebytes for classifying its software as "potentially unwanted programs" or PUPs.…

BYODALAINGTI (as long as it's not got TikTok installed)

The US federal government's ban on TikTok has been extended to include devices used by its many contractors - even those that are privately owned. The bottom line: if some electronics are used for government work, it better not have any ByteDance bits on it. …

Pocket change, in other words

Microsoft is being fined $20 million by the US Federal Trade Commission for violating the Children's Online Privacy Protection Act (COPPA) by illegally gathering kids' personal information and retaining it without parental consent.…

Crooks steal Social Security numbers and post them on dark web, victims blame holes in Mercer's security

An American university founded in 1833 is facing a bunch of class action lawsuits after the personal data of nearly 100,000 people was stolen from its tech infrastructure.…

Chrome 0-day patched now, Edge patch coming soon.

AI is beefing up the cyber arsenals of both attackers and defenders

Sponsored Feature  Email is a popular target for cybercriminals, offering an easy way of launching an attack disguised as an innocent message. One moment of inattention on the part of the recipient and the door is open to malware, spam, phishing, perhaps even a dose of the dreaded ransomware. Entire organisations can suffer, not just individual victims.…

Corporate watchdog fouled its info-separation regime, let the wrong people read sensitive docs

The US Securities and Exchange Commission (SEC) has dismissed proceedings against 42 companies and individuals after admitting that its enforcement staff accessed documents that were supposed to be for judges' eyes only.…

Little Bobby Tables is back!

Microsoft blames Russian Clop ransomware crew for theft of staff info

British Airways, the BBC, and UK pharmacy chain Boots are among the companies whose data has been compromised after miscreants exploited a critical vulnerability in deployments of the MOVEit document-transfer app.…

Victims nursing huge losses haven't the foggiest how heist happened, yet

As much as $35 million worth of cryptocurrency may have been stolen in a large-scale attack on Atomic Wallet users, with one investigator claiming losses could potentially exceed $50 million.…

Operators stay ahead of defenders with new access methods and C2 infrastructure

The Qbot malware operation – which started more than a decade ago as banking trojan only to evolve into a backdoor and a delivery system for ransomware and other threats – continues to deftly adapt its techniques to stay ahead of security pros, according to a new report.…

Satacom downloader, also known as LegionLoader, is a renowned malware family that emerged in 2019. It is known to use the technique of querying DNS servers to obtain the base64-encoded URL in order to receive the next stage of another malware family currently distributed by Satacom. The Satacom malware is delivered via third-party websites. Some of these sites do not deliver Satacom themselves, but use legitimate advertising plugins that the attackers abuse to inject malicious ads into the webpages. The malicious links or ads on the sites redirect users to malicious sites such as fake file-sharing services.

In this report we cover a recent malware distribution campaign related to the Satacom downloader. The main purpose of the malware that is dropped by the Satacom downloader is to steal BTC from the victim’s account by performing web injections into targeted cryptocurrency websites. The malware attempts to do this by installing an extension for Chromium-based web browsers, which later communicates with its C2 server, whose address is stored in the BTC transaction data.

The malicious extension has various JS scripts to perform browser manipulations while the user is browsing the targeted websites, including enumeration and manipulation with cryptocurrency websites. It also has the ability to manipulate the appearance of some email services, such as Gmail, Hotmail and Yahoo, in order to hide its activity with the victim’s cryptocurrencies shown in the email notifications.

Satacom technical analysis

The initial infection begins with a ZIP archive file. It is downloaded from a website that appears to mimic a software portal that allows the user to download their desired (often cracked) software for free. The archive contains several legitimate DLLs and a malicious Setup.exe file that the user needs to execute manually to initiate the infection chain.

Various types of websites are used to spread the malware. Some of them are malicious websites with a hardcoded download link, while others have the “Download” button injected through a legitimate ad plugin. In this case, even legitimate websites may have a malicious “Download” link displayed on the webpage. At the time of writing, we saw the QUADS plugin being abused to deliver Satacom.

Websites with embedded QUADS ad plugin

The plugin is abused in the same way that other advertising networks are abused for malvertising purposes: the attackers promote ads that look like a “Download” button and redirect users to the attackers’ websites.

WP QUADS ad plugin within the website’s content

After the user clicks on the download button or link, there’s a chain of redirects that automatically takes them through various servers to reach a website masquerading as a file-sharing service to distribute the malware. In the screenshot below, we can see examples of websites that are the final destinations of the redirection chains.

Fake ‘file-sharing’ services

After the user downloads and extracts the ZIP archive, which is about 7MB in size, a few binaries, EXE and DLL files are revealed. The DLLs are legitimate libraries, but the ‘Setup.exe’ file is a malicious binary. It is about 450MB, but is inflated with null bytes to make it harder to analyze. The original size of the file without the added null bytes is about 5MB and it is an Inno Setup type file.

Null bytes added to the PE file

Inno Setup installers usually work as follows: at runtime the binary extracts a child installer to a temporary folder with the name ‘Setup.tmp’. Then it runs the child installer ‘Setup.tmp’ file that needs to communicate with the primary installer with arguments pointing to the location of the original ‘Setup.exe’ and its packages in order to retrieve the BIN data inside the ‘Setup.exe’ file for the next step of the installation.

In the case of the Satacom installer, the Setup.tmp file, once running, creates a new PE DLL file in the Temp directory. After the DLL is created, the child installer loads it into itself and runs a function from the DLL.

It then decrypts the payload of Satacom and creates a new sub-process of ‘explorer.exe’ in order to inject the malware into the ‘explorer.exe’ process.

Based on the behavior we observed, we can conclude that the malware performs a common process injection technique on the remote ‘explorer.exe’ process called process hollowing. This is a known technique used to evade detection by AV applications.

The malicious payload that’s injected into the ‘explorer.exe’ process uses the RC4 encryption implementation to decrypt its configuration data, communication strings and data for the other dropped binaries on the victim’s machine. The encrypted data is stored inside the malicious payload.

The malware uses different hardcoded keys to decrypt the data at each step. There are four different RC4 keys that the malware uses to perform its actions, first decrypting the HEX string data to use it for its initial communication purposes.

RC4 keys (left pane) and encrypted HEX strings (right pane)

In the screenshot above, the left pane shows the four RC4 hardcoded keys as HEX strings, and in the right pane we can see the HEX strings that are decrypted using the RC4 ‘config_strings’ key to get the strings for the first initialization of communication with the C2. If we decrypt the strings ourselves using the key, we get the result shown in the screenshot.

Once the HEX strings are decrypted, ‘explorer.exe’ initiates its first communication. To do so, it performs a DNS request to don-dns[.]com (a decrypted HEX string) through Google DNS (8.8.8.8, another decrypted string) and it queries for the TXT record.

DNS query for TXT record through Google to don-dns[.]com

Once the request is complete, the DNS TXT record is received as another base64-encoded RC4-encrypted string: “ft/gGGt4vm96E/jp”. Since we have all of the RC4 keys, we can try to decrypt the string with the ‘dns_RC4_key’ and get another URL as a result. This URL is where the payload is actually downloaded from.

Decrypted string of TXT record

The payload: malicious browser extension

The Satacom downloader downloads various binaries to the victim’s machine. In this campaign we observed a PowerShell script being downloaded that installs a malicious Chromium-based browser extension that targets Google Chrome, Brave and Opera.

The extension installation script is responsible for downloading the extension in a ZIP archive file from a third-party website server. The PowerShell script downloads the archived file to the computer’s Temp directory and then extracts it to a folder inside the Temp directory.

After that, the script searches for the possible locations of shortcuts for each of the targeted browsers in such places as Desktop, Quick Launch and Start Menu. It also configures the locations of the browsers’ installation files and the location of the extension on the computer.

Finally, the PS script recursively searches for any link (.LNK) file in the above locations and modifies the “Target” parameter for all existing browser shortcuts with the flag “–load-extension=[pathOfExtension]” so that the shortcut will load the browser with the malicious extension installed.

Chrome shortcut with the extension parameter

After performing this action, the script closes any browser processes that may be running on the machine, so that the next time the victim opens the browser, the extension will be loaded into the browser and run while the user is browsing the internet.

This extension installation technique allows the threat actors to add the addon to the victim’s browser without their knowledge and without uploading it to the official extension stores, such as the Chrome Store, which requires the addon to meet the store’s requirements.

Extension installation PowerShell script

Malicious extension analysis

After installation of the extension, we can analyze its functionality and features by checking specific files stored in the extension’s directory. If we take a look at the first lines of the ‘manifest.json’ file, we’ll see that the extension disguises itself by naming the addon “Google Drive,” so even when the user accesses the browser addons, the only thing they will see is an addon named “Google Drive”, which looks like just another standard Google extension installed inside the browser.

The manifest.json file settings

Another malicious extension file that always runs in the background when the user is browsing is ‘background.js’, which is responsible for initializing communication with the C2. If we take a closer look at the JavaScript code, we’ll find an interesting function call at the bottom of the script with a string variable that is the address of a bitcoin wallet.

Background.js script snippet

Looking at the script’s code, we can conclude that the extension is about to fetch another string from the hardcoded URL, into which the script inserts the bitcoin address. The JavaScript receives data in JSON format, which shows the wallet’s transaction activity, and then looks for a specific string within the latest transaction details.

JSON of the transaction details

There are two strings on the page that contain the C2 address. The “script” string is a HEX string that contains the C2 host of the malware, and the “addr” string is the Base58-encoded C2 address. The reason for using the last cryptocurrency transaction of a specific wallet to retrieve the C2 address is that the server address can be changed by the threat actors at any time. Moreover, this trick makes it harder to disable the malware’s communication with its C2 server, since disabling wallets is much more difficult than blocking or banning IPs or domains. If the C2 server is blocked or taken down, the threat actors can simply change the ‘script’ or ‘addr’ string to a different C2 server by performing a new transaction. And since the extension always checks these strings to retrieve the C2, it will always ask for the new one if it’s ever changed.

Decoded C2 address from the transaction details

The extension has several other scripts that are responsible for initializing the received commands and become functional after the C2 address is retrieved, because the scripts need to obtain some important information from the C2. For example, the C2 holds the BTC address that will be used when the BTC is transferred from the victim’s wallet to the threat actor’s wallet.

Threat actor’s BTC wallet address

To get hold of the victim’s cryptocurrency, the threat actors use web injects on the targeted websites. The web inject script is also provided by the C2 after the extension contacts it. In the following screenshot, we can see the ‘injections.js’ script from the extension, which fetches the web inject script from the C2 server.

The injections.js script

After the addon contacts the C2 server – extracted as mentioned above – the server responds with the web inject script that will be used on the targeted websites.

Webinject script from C2 server

If we take a closer look at the script, we can see that the threat actors are targeting various websites. In the version of the script shown above we can see that it targets Coinbase, Bybit, KuCoin, Huobi and Binance users.

Since the script within the C2 can be changed at any time, the threat actors can add or remove other web injection targets, as well as start targeting cryptocurrencies other than BTC, which makes this extension pretty dynamic and allows threat actors to control the malicious extension by changing the scripts.

If we look at the script, we can see that the extension performs various actions on the targeted websites. For example, it has the ability to retrieve the victims’ addresses, obtain account information, bypass 2FA, and much more. Moreover, it’s capable of transferring BTC currency from the victim’s wallet to the attackers’ wallet.

Functions from the web inject script

Looking at the full web inject script, we can conclude that the idea behind it is to steal BTC currencies from victims who have the malicious extension installed. The extension performs various actions on the account in order to remotely control it using the web inject scripts, and eventually the extension tries to withdraw the BTC currency to the threat actors’ wallet. To circumvent the 2FA settings for transactions, the web inject script uses 2FA bypass techniques.

Snippet of the BTC withdrawal function from the web inject script

Before stealing the cryptocurrency, the extension communicates with the C2 server to get the minimum BTC value. It then compares this value with the actual amount of money in the target wallet. If the wallet contains less cryptocurrency than the minimum amount received from the C2, it doesn’t withdraw any cryptocurrency from it.

Minimum amount threshold from C2

The script also performs several other checks before stealing the BTC currency. For example, it also checks the BTC to USD exchange rate.

When the amount of BTC in the target wallet meets the C2 checks, the script performs the withdrawal function to steal the BTC currency from the victim.

Performing balance check

In addition to stealing BTC, the malicious extension performs additional actions to hide its activity.

For example, the malicious extension contains scripts that target three different email services: Gmail, Hotmail and Yahoo. The idea behind the scripts is to hide the email confirmation of the transaction performed by the malicious extension.

Each script makes visual changes to the emails once the victim reaches the email service’s page. It searches for pre-defined email titles and content, and when it finds them, it simply hides them from the victim by injecting HTML code into the message body. As a result, the victim is unaware that a specific transaction transferring crypto currency to the threat actors’ wallet was made.

Extension JS targeting Gmail

In addition, the extension can manipulate email threads from the targeted websites, so if the victim opens a thread from, for example, Binance, it can change the content of the emails and display a fake email thread that looks exactly like the real one. It also contains a placeholder for desired strings that the extension can inject into the content of the message page.

Fake email thread template

The malicious extension has many other JavaScripts and it’s capable of performing additional actions. For example, it can extract information through the browser, such as the system information, cookies, browser history, screenshots of opened tabs, and even receive commands from the C2 server.

JavaScripts: requesting commands from the C2 (left pane) and taking screenshots (right pane)

The purpose of the extension is to steal BTC and manipulate targeted cryptocurrency websites and email services to make the malware as stealthy as possible, so the victim doesn’t notice any information about the fraudulent transactions. The extension can update its functionality due to the technique used to retrieve the C2 server via the last transaction of a specific BTC wallet, which can be modified at any time by making another transaction to this wallet. This allows the threat actors to change the domain URL to a different one in case it’s banned or blocked by antivirus vendors.

Victims

This campaign targets individual users around the world. According to our telemetry, in Q1 2023 users in the following countries were most frequently infected: Brazil, Algeria, Turkey, Vietnam, Indonesia, India, Egypt, Mexico.

Conclusions

Satacom is a downloader that is still running campaigns and being developed by the threat actor behind it. This threat actor continues to distribute malware families using various techniques, such as ad injection via ad plugins for WordPress websites.

The recently distributed malware, which is a side-loaded extension for Chromium-based browsers, performs actions in the browser to manipulate the content of the targeted cryptocurrency website. The main purpose of this malicious extension is to steal cryptocurrency from victims and transfer it to the threat actors’ wallet.

Moreover, since it is a browser extension, it can be installed in Chromium-based browsers on various platforms. Although the installation of the malicious extension and the infection chain described in this article are Windows-specific, if the threat actors want to target Linux and macOS users, they could easily do so, provided the victims use Chromium-based browsers.

Appendix I – Indicators of Compromise

Satacom files
0ac34b67e634e49b0f75cf2be388f244
1aa7ad7efb1b48a28c6ccf7b496c9cfd
199017082159b23decdf63b22e07a7a1

Satacom DNS
dns-beast[.]com
don-dns[.]com
die-dns[.]com

Satacom C2
hit-mee[.]com
noname-domain[.]com
don-die[.]com
old-big[.]com

Hosted PS scripts
tchk-1[.]com

Malicious extension ZIP
a7f17ed79777f28bf9c9cebaa01c8d70

Malicious extension CC
you-rabbit[.]com
web-lox[.]com

Hosted Satacom installer ZIP files
ht-specialize[.]xyz
ht-input[.]cfd
ht-queen[.]cfd
ht-dilemma[.]xyz
ht-input[.]cfd
io-strength[.]cfd
fbs-university[.]xyz
io-previous[.]xyz
io-band[.]cfd
io-strength[.]cfd
io-band[.]cfd
can-nothing[.]cfd
scope-chat[.]xyz
stroke-chat[.]click
icl-surprise[.]xyz
new-high[.]click
shrimp-clock[.]click
oo-knowledge[.]xyz
oo-station[.]xyz
oo-blue[.]click
oo-strategy[.]xyz
oo-clearly[.]click
economy-h[.]xyz
medical-h[.]click
hospital-h[.]xyz
church-h[.]click
close-h[.]xyz
thousand-h[.]click
risk-h[.]xyz
current-h[.]click
fire-h[.]xyz
future-h[.]click
moment-are[.]xyz
himself-are[.]click
air-are[.]xyz
teacher-are[.]click
force-are[.]xyz
enough-are[.]xyz
education-are[.]click
across-are[.]xyz
although-are[.]click
punishment-chat[.]click
rjjy-easily[.]xyz
guy-seventh[.]cfd

Redirectors to Satacom installer
back-may[.]com
post-make[.]com
filesend[.]live
soft-kind[.]com
ee-softs[.]com
big-loads[.]com
el-softs[.]com
softs-labs[.]com
soft-make[.]com
soft-end[.]com
soon-soft[.]com
tip-want[.]click
get-loads[.]com
new-loads[.]com
file-send[.]live
filetosend-upload[.]net
file-send[.]cc

Appendix II – MITRE ATT&CK Mapping

This table contains all the TTPs identified during analysis of the activity described in this report.

Tactic Technique Technique Name Initial Access User Execution: Malicious Link
User Execution: Malicious File T1204.001
T1204.002 Execution User Execution: Malicious File
Command and Scripting Interpreter: PowerShell T1204.002
T1059.001 Persistence Shortcut Modification
Browser Extensions T1547.009
T1176 Defense Evasion Process Injection T1055.012 Credential Access Credentials from Password Stores
Steal Web Session Cookie
Unsecured CredentialsMulti-Factor Authentication Interception T1555.003
T1539
T1552T1111 Discovery Account Discovery
Software Discovery
Security Software Discovery T1087
T1518
T1518.001 Collection Automated Collection
Screen Capture
Credentials from Password Stores
Browser Session Hijacking T1119
T1113
T1555
T1185 Command and Control Application Layer Protocol: Web Protocols
Application Layer Protocol: DNS
Dynamic Resolution T1071.001
T1071.004
T1568 Exfiltration Exfiltration Over C2 Channel T1041

Commanders in the field persuaded to give up, let their guard down, run around and desert their posts

Australia's Signals Directorate, the signals intelligence organization, has revealed it employed zero-click attacks on devices used by fighters for Islamic State of Iraq and the Levant (ISIL) – then unleashed the terrifying power of Rick Astley.…

Also, hackers publish RaidForum user data, Google's $180k Chrome bug bounty, and this week's vulnerabilities

infosec in brief  Japanese automaker Toyota is again apologizing for spilling customer records online due to a misconfigured cloud environment – the same explanation it gave when the same thing happened a couple of weeks ago. It's like a pattern.…

Living in the eye of the geopolitical storm is not easy, but is good for business

In late September 2021, staff at Taiwanese threat intelligence company TeamT5 noticed something very nasty: a fake news report accusing it of conducting phishing attacks against Japan's government and local tech companies.…

'World's first and only' orbiting infosec playpen due to blast off Sunday

Feature  Assuming the weather and engineering gods cooperate, a US government-funded satellite dubbed Moonlighter will launch at 1212 EDT (1612 UTC) on Sunday, hitching a ride on a SpaceX rocket before being releasing into Earth's orbit.…