Viruses and Worms

Check Point warns customers to patch VPN vulnerability under active exploitation

The Register - Anti-Virus - 3 June, 2024 - 14:02
Also, free pianos are the latest internet scam bait, Cooler Master gets pwned, and some critical vulnerabilities

Infosec in brief: Cybersecurity software vendor Check Point is warning customers to update their software immediately in light of a zero-day vulnerability under active exploitation.…

Category: Viruses and Worms

IT threat evolution in Q1 2024. Mobile statistics

Kaspersky Securelist - 3 June, 2024 - 12:00

IT threat evolution Q1 2024
IT threat evolution Q1 2024. Mobile statistics
IT threat evolution Q1 2024. Non-mobile statistics

Quarterly figures

According to Kaspersky Security Network, in Q1 2024:

  • 10.1 million attacks using malware, adware, or unwanted mobile software were blocked.
  • The most common threat to mobile devices was adware: 46% of all threats detected.
  • Over 389,000 malicious installation packages were detected, of which:
    • 11,729 packages were related to mobile banking Trojans,
    • 1,990 packages were mobile ransomware Trojans.

Quarterly highlights

The number of attacks using malware, adware, or unwanted software on mobile devices increased compared to the same period last year, but dropped slightly against Q4, to 10,100,510.

Number of attacks targeting users of Kaspersky mobile solutions, Q3 2022–Q1 2024

The rapid growth in the total number of attacks between Q2 and Q4 2023 is primarily attributed to the surge in adware and Trojan activity, which roughly doubled in absolute terms during this period. However, other types of malicious and unwanted apps also increased their activity, so the distribution of threats by type showed no dramatic swings.

In Q1, the number of WhatsApp modification attacks continued to grow. For example, we found Trojan-Spy.AndroidOS.Agent.ahu, a Trojan hidden inside a WhatsApp mod, that steals encrypted messenger databases along with their decryption keys. Another malicious WhatsApp mod is capable of downloading and installing arbitrary software. According to our statistics, this Trojan came pre-installed on some devices.

We also discovered a noteworthy banking Trojan targeting users in Korea. When installed, it displays a notification claiming the app is unavailable and will be removed:

SoumniBot notification stating the app is unavailable

In reality, the app hides its icon and continues to operate in the background, stealing text messages, contacts, photos, and even online banking digital certificates. To conceal the malicious code and hinder analysis, threat actors exploited numerous bugs and flaws in the Android OS code responsible for parsing the app package. This enabled them to create files that successfully install on the device, but cause many analysis tools, including official Google utilities, to go haywire.

Mobile threat statistics

The number of detected samples of Android malware and unwanted software fell in Q4 2023 and climbed again in Q1 2024, reaching 389,178 installation packages.

Number of detected malicious and unwanted installation packages, Q1 2023 – Q1 2024

The distribution of detected packages by type underwent no significant changes, but the number of Trojan droppers increased noticeably (by 8.76 p.p.). This sharp increase in their share is linked primarily to the activity of the Wroba family, commonly employed to deliver banking Trojans in countries in the Asia-Pacific region.

Distribution of detected mobile apps by type, Q4 2023* and Q1 2024

* Data for the previous quarter may differ slightly from previously published data due to some verdicts being retrospectively revised.

The most common threats remained adware (46.16%) and RiskTool-type unwanted apps (21.27%). The most prevalent adware families were BrowserAd (28.5% of all adware), Adlo (15.3%), and HiddenAd (12.65%).

Share* of users attacked by the given type of malicious or unwanted software out of all targeted users of Kaspersky mobile products

*The sum may exceed 100% if the same users encountered multiple attack types.

The HiddenAd (60.5%), Adlo (17.5%), and TimeWaste (7.5%) adware families attacked the most users. At the same time, the Triada adware Trojan, mentioned in our previous report and distributed in WhatsApp mods, accounts for an increasingly large share of attacks by Trojan-type malware (35.7%).

Top 20 mobile malware programs

Note that the malware rankings below exclude riskware or potentially unwanted software, such as RiskTool or adware.

| Verdict | %* in Q4 2023 | %* in Q1 2024 | Difference in p.p. | Change in ranking |
|---|---|---|---|---|
| Trojan.AndroidOS.Triada.fd | 2.79 | 10.38 | +7.59 | +11 |
| DangerousObject.Multi.Generic. | 8.76 | 9.82 | +1.07 | 0 |
| Trojan.AndroidOS.Fakemoney.v | 6.25 | 8.60 | +2.35 | +1 |
| Trojan.AndroidOS.Boogr.gsh | 5.28 | 6.62 | +1.34 | +2 |
| | 0.00 | 5.66 | +5.66 | |
| Trojan-Downloader.AndroidOS.Dwphon.a | 1.85 | 5.26 | +3.41 | +13 |
| | 0.00 | 4.26 | +4.26 | |
| DangerousObject.AndroidOS.GenericML. | 1.99 | 3.83 | +1.84 | +9 |
| | 1.03 | 3.52 | +2.48 | +18 |
| Trojan.AndroidOS.Sheetfit.d | 0.00 | 2.42 | +2.42 | |
| Trojan.AndroidOS.Triada.ex | 7.23 | 2.42 | -4.81 | -8 |
| | 3.51 | 2.12 | -1.39 | -1 |
| | 1.08 | 2.09 | +1.01 | +13 |
| Trojan.AndroidOS.Generic. | 2.22 | 2.08 | -0.14 | +2 |
| Trojan.AndroidOS.Piom.baiu | 0.80 | 1.95 | +1.15 | +16 |
| Trojan-Dropper.AndroidOS.Badpack.g | 2.57 | 1.87 | -0.70 | -3 |
| Backdoor.AndroidOS.Mirai.b | 5.32 | 1.76 | -3.56 | -12 |
| Trojan-Spy.AndroidOS.CanesSpy.a | 5.10 | 1.67 | -3.42 | -11 |
| | 3.58 | 1.66 | -1.92 | -9 |
| Trojan.AndroidOS.Triada.ey | 4.33 | 1.55 | -2.79 | -11 |

* Unique users who encountered this malware as a percentage of all attacked users of Kaspersky mobile solutions.

The generalized cloud verdict DangerousObject.Multi.Generic yielded the top spot in the ranking of the most common malicious apps to the WhatsApp modification Trojan.AndroidOS.Triada.fd. Next comes Fakemoney, a Trojan that scams users out of personal data by promising easy money in return. Interestingly, Dwphon also made it into the Top 20. Pre-installed on some devices, this Trojan collects the personal data of the device owner and can download arbitrary apps without the user’s knowledge.

Region-specific malware

This section describes malware whose activity is concentrated in specific countries.

| Verdict | Country* | %** |
|---|---|---|
| Trojan-Banker.AndroidOS.Agent.nw | Turkey | 99.79 |
| Trojan.AndroidOS.Piom.bcqp | Turkey | 99.28 |
| Trojan-Banker.AndroidOS.BrowBot.q | Turkey | 99.28 |
| Trojan-Spy.AndroidOS.SmsThief.wk | India | 99.02 |
| Trojan.AndroidOS.Piom.bbfv | Turkey | 98.97 |
| Trojan-Banker.AndroidOS.BrowBot.a | Turkey | 98.81 |
| Trojan.AndroidOS.Piom.azgy | Brazil | 98.69 |
| HackTool.AndroidOS.FakePay.c | Brazil | 98.39 |
| Trojan-Banker.AndroidOS.Coper.b | Turkey | 98.28 |
| Trojan-Banker.AndroidOS.BrowBot.n | Turkey | 97.87 |
| Trojan-SMS.AndroidOS.EvilInst.b | Thailand | 97.33 |
| Backdoor.AndroidOS.Tambir.c | Turkey | 97.19 |
| Trojan-Banker.AndroidOS.BRats.b | Brazil | 96.96 |
| | Iran | 96.88 |
| Trojan-Banker.AndroidOS.Rewardsteal.dn | India | 96.76 |
| Trojan-Banker.AndroidOS.Rewardsteal.c | India | 96.65 |
| Backdoor.AndroidOS.Tambir.a | Turkey | 96.58 |
| Trojan-Dropper.AndroidOS.Hqwar.hc | Turkey | 96.19 |
| Trojan-Banker.AndroidOS.UdangaSteal.b | Indonesia | 96.04 |
| Backdoor.AndroidOS.Tambir.b | Turkey | 95.55 |
| Trojan-Spy.AndroidOS.SmsThief.vb | Indonesia | 95.29 |

* The country where the malware was most active.
** Unique users who encountered this Trojan modification in the indicated country as a percentage of all Kaspersky mobile security solution users attacked by the same modification.

Turkey continues to be flooded with banking Trojan variants. In particular, users there are targeted by Trojan-Banker.AndroidOS.Agent.nw, which opens VNC access to the device. It’s based on the open-source library droidVNC-NG. Tambir also gives attackers VNC access. In addition, its functionality includes keylogging, stealing texts, contacts, and app lists, as well as sending texts. Besides VNC backdoors, we observed a concentration of BrowBot attacks in Turkey. The primary functionality of that Trojan is stealing texts. As for Piom, it represents a collective verdict created for various malware within the context of our automated systems. Specifically in Turkey, hiding behind this verdict are modifications of the now infamous Godfather banking Trojan.

Two text-stealing Trojans are active in Indonesia: SmsThief.vb and UdangaSteal.b. They are often sent to victims under the guise of wedding invitations.

The spread of FakePay applications is noticeable in Brazil. These applications visually simulate payment but do not actually execute it. Unlike most Trojans, users often intentionally download such apps in order to deceive sellers who accept payment by transfer. BRats is another banking Trojan that continues to be distributed predominantly in Brazil.

Users in Thailand encountered the EvilInst Trojan, which spreads under the guise of games but in fact just opens a website with cracked games and sends paid texts.

Mobile banking Trojans

The number of new unique installation packages for banking Trojans remains low.

Number of installation packages for mobile banking Trojans detected by Kaspersky, Q1 2023 — Q1 2024

Nevertheless, the total number of Trojan-Banker attacks continues to grow, with Trojan-Banker even moving up one spot in the distribution structure of malware and unwanted programs by the number of affected users.

Top 10 mobile bankers

| Verdict | %* in Q4 2023 | %* in Q1 2024 | Difference in p.p. | Change in ranking |
|---|---|---|---|---|
| Trojan-Banker.AndroidOS.Agent.eq | 27.73 | 13.39 | -14.34 | 0 |
| Trojan-Banker.AndroidOS.Coper.b | 3.72 | 12.58 | +8.86 | +3 |
| Trojan-Banker.AndroidOS.Bian.h | 16.06 | 10.21 | -5.85 | -1 |
| Trojan-Banker.AndroidOS.Mamont.k | 2.48 | 9.18 | +6.70 | +5 |
| Trojan-Banker.AndroidOS.UdangaSteal.b | 0.00 | 7.00 | +7.00 | |
| Trojan-Banker.AndroidOS.Mamont.o | 0.00 | 4.58 | +4.58 | |
| | 2.79 | 4.23 | +1.44 | 0 |
| Trojan-Banker.AndroidOS.Coper.a | 0.65 | 4.21 | +3.56 | +19 |
| Trojan-Banker.AndroidOS.Rewardsteal.c | 0.55 | 3.99 | +3.45 | +20 |
| Trojan-Banker.AndroidOS.BrowBot.q | 0.00 | 2.53 | +2.53 | |

* Unique users who encountered this malware as a percentage of all users of Kaspersky mobile security solutions who encountered banking threats.

Mobile ransomware Trojans

Following a surge in the number of ransomware installation packages in Q4 2023, linked to the emergence of a large number of ransomware from the Rasket family, the number returned to its usual level amid a decrease in Rasket activity. Rasket Trojans are built on Tasker automation scripts, which are designed to automate routine actions on a device but have sufficient functionality to write ransomware.

Number of installation packages for mobile ransomware Trojans detected by Kaspersky, Q1 2023 — Q1 2024

The same dynamic is reflected in the distribution of attacks for the most active samples: after a sharp rise (to 74% of all ransomware attacks), the share of the Rasket Trojan in Q1 almost halved.

| Verdict | Prev % | New % | % diff | Pos diff |
|---|---|---|---|---|
| Trojan-Ransom.AndroidOS.Rasket.a | 74.38 | 37.22 | -37.16 | 0 |
| Trojan-Ransom.AndroidOS.Pigetrl.a | 9.14 | 15.56 | +6.41 | 0 |
| | 5.29 | 11.59 | +6.30 | 0 |
| | 0.22 | 11.17 | +10.95 | +19 |
| | 0.51 | 10.96 | +10.45 | +2 |
| Trojan-Ransom.AndroidOS.Small.cj | 0.30 | 10.49 | +10.19 | +9 |
| Trojan-Ransom.AndroidOS.Congur.ap | 0.28 | 6.66 | +6.38 | +9 |
| Trojan-Ransom.AndroidOS.Rkor.ef | 2.00 | 6.40 | +4.40 | -4 |
| Trojan-Ransom.AndroidOS.Svpeng.ah | 0.12 | 6.03 | +5.91 | +34 |
| Trojan-Ransom.AndroidOS.Svpeng.snt | 0.07 | 5.72 | +5.64 | +47 |

IT threat evolution Q1 2024

Kaspersky Securelist - 3 June, 2024 - 12:00

Targeted attacks

Operation Triangulation: the final mystery

Last June, we published a series of reports on Operation Triangulation, a previously unknown iOS malware platform distributed via zero-click iMessage exploits that allowed an attacker to browse and modify device files, get passwords and credentials stored in the keychain, retrieve geo-location information and execute additional modules that extended their control over compromised devices.

In late December, in a presentation at the 37th Chaos Communication Congress (37C3), experts from our Global Research and Analysis Team (GReAT) described the attack chain in detail, including – for the first time – how the attackers exploited the CVE-2023-38606 hardware vulnerability.

Recent iPhone models include additional hardware-based security that prevents attackers from taking full control over the device even if they can read and write kernel memory – as was accomplished in the Operation Triangulation attack by exploiting the CVE-2023-32434 vulnerability. The attackers were able to bypass this hardware-based security protection using another hardware feature of Apple-designed SoCs (System on a Chip): they did this by writing the data, destination address and data hash to unknown hardware registers of the chip that are not used by the firmware.

We would guess that this unknown hardware feature was probably intended for debugging or testing purposes, or was included by mistake. Since it is not used by the firmware, we have no idea how the attackers learned to use it.

A lightweight method for detecting potential iOS malware

Over the past few years, our researchers have analyzed Pegasus malware infections on several iOS devices. The common methods for analyzing an iOS mobile infection are either to examine an encrypted full iOS backup or to analyze the network traffic of the affected device. However, both methods are time-consuming and require a high level of expertise. This led us to look for a faster and easier way to identify possible iPhone infections.

During our analysis, we discovered that infections left traces in an unexpected system log, shutdown.log. This is a text-based system log file available on every mobile iOS device. Each reboot event is logged in this file, along with multiple environment characteristics: these log files can have entries going back several years, providing a wealth of information. The shutdown.log file is stored in a sysdiagnose (sysdiag) archive – this can be thought of as a collection of system logs and databases that can be generated for debugging and troubleshooting purposes. The method for generating a sysdiag can vary across different iOS versions. Nevertheless, this archive is usually located in the OS general settings, specifically under ‘Privacy and Analytics’ (the exact location name may, again, vary between iOS versions). Creating the archive usually takes only a few minutes. The result is a .TAR.GZ file about 200-400MB in size, which can then be transferred to the analysis machine. Once the archive is unpacked, the shutdown.log file is located in the \system_logs.logarchive\Extra directory.

This sysdiag dump analysis is a minimally intrusive and resource-light method of identifying possible iPhone infections using system-based artifacts. It can be used to complement infection identification from a different vantage point.

You can read the full analysis here.
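
Added example (not part of the Kaspersky report or its tooling): Python that reads shutdown.log straight out of a sysdiagnose .tar.gz, splits it into reboot events and lists processes still running at shutdown whose paths fall outside an analyst-supplied set of expected prefixes. The line formats, the sample log and the prefixes are assumptions constructed for illustration; the page does not specify them.

```python
import io
import os
import re
import tarfile
from datetime import datetime, timezone

# Line shapes below are an assumption about shutdown.log, not taken from the page.
DELAY_RE = re.compile(r"^After ([\d.]+)s, these clients are still here")
CLIENT_RE = re.compile(r"^remaining client pid: (\d+) \((.+)\)")
REBOOT_RE = re.compile(r"^SIGTERM: \[(\d+)\]")
# Location inside the unpacked archive, as given in the text above.
LOG_SUFFIX = "system_logs.logarchive/Extra/shutdown.log"

# Constructed sample input (not a real device log).
SAMPLE_LOG = """\
After 1.00s, these clients are still here:
    remaining client pid: 101 (/usr/libexec/exampled)
SIGTERM: [1700000000]
After 1.00s, these clients are still here:
    remaining client pid: 202 (/usr/libexec/exampled)
    remaining client pid: 303 (/private/var/example/unknown_helper)
After 2.00s, these clients are still here:
    remaining client pid: 303 (/private/var/example/unknown_helper)
SIGTERM: [1700086400]
"""


def read_shutdown_log(archive):
    """Return shutdown.log text from a sysdiagnose .tar.gz (path or file object)."""
    if isinstance(archive, (str, os.PathLike)):
        tar = tarfile.open(name=archive, mode="r:gz")
    else:
        tar = tarfile.open(fileobj=archive, mode="r:gz")
    with tar:
        for member in tar:
            name = member.name.replace("\\", "/")
            # Read the single member in place instead of extracting the archive to disk.
            if member.isfile() and name.endswith(LOG_SUFFIX):
                return tar.extractfile(member).read().decode("utf-8", "replace")
    raise FileNotFoundError(LOG_SUFFIX)


def _event(epoch, rounds, max_delay, clients):
    when = None if epoch is None else datetime.fromtimestamp(epoch, tz=timezone.utc)
    return {"time": when, "delay_rounds": rounds, "max_delay_s": max_delay, "clients": clients}


def parse_reboots(text):
    """Split the log into reboot events; each event ends at a SIGTERM line."""
    events, rounds, max_delay, clients = [], 0, 0.0, {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := DELAY_RE.match(line):
            rounds += 1
            max_delay = max(max_delay, float(m.group(1)))
        elif m := CLIENT_RE.match(line):
            clients[m.group(2)] = int(m.group(1))  # path -> last pid seen
        elif m := REBOOT_RE.match(line):
            events.append(_event(int(m.group(1)), rounds, max_delay, clients))
            rounds, max_delay, clients = 0, 0.0, {}
    if rounds or clients:  # log cut off before the final SIGTERM line
        events.append(_event(None, rounds, max_delay, clients))
    return events


def clients_to_review(events, expected_prefixes):
    """List (time, path) for processes outside the analyst-supplied expected prefixes."""
    expected = tuple(expected_prefixes)
    hits = []
    for ev in events:
        for path in sorted(ev["clients"]):
            if not path.startswith(expected):
                hits.append((ev["time"], path))
    return hits


def build_sample_archive():
    """Constructed sysdiagnose-like .tar.gz held in memory (sample data only)."""
    data = SAMPLE_LOG.encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("sysdiagnose_sample/" + LOG_SUFFIX)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    reboots = parse_reboots(read_shutdown_log(build_sample_archive()))
    for ev in reboots:
        print(ev["time"], "delay rounds:", ev["delay_rounds"], "processes:", len(ev["clients"]))
    # The expected prefixes here are an assumption for the sample, not a vetted baseline.
    for when, path in clients_to_review(reboots, ["/usr/libexec/", "/System/"]):
        print("review:", when, path)
```
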

DinodasRAT Linux implant targeting entities worldwide

In early October 2023, after ESET published an article about a campaign dubbed Operation Jacana targeting Windows users, we discovered a new Linux version of DinodasRAT (aka XDealer). The code and networking IoCs (Indicators of Compromise) overlap with the Windows samples described by ESET that were used in attacks against government entities in Guyana. Sample artifacts suggest that this version (V10, according to the attackers’ versioning system) may have started operating in 2022, although the first known Linux variant (V7), which has still not been publicly described, dates back to 2021.

DinodasRAT is a multi-platform backdoor written in C++ that offers a range of capabilities. This RAT allows an attacker to surveil and harvest sensitive data from a target computer. The backdoor is fully functional, giving the operator complete control over an infected machine, enabling data exfiltration and espionage.

The DinodasRAT Linux implant primarily targets Red Hat-based distributions and Ubuntu Linux. In our telemetry data and continuous monitoring of this threat since October 2023, we have observed that the most affected countries and territories are mainland China, Taiwan, Turkey and Uzbekistan.

Other malware

New macOS backdoor stealing crypto wallets

Last December, we discovered some cracked apps circulating on pirate websites and infected with a Trojan proxy. Recently, we found a new macOS malware family that was piggybacking the cracked software in order to steal crypto wallets.

Cracked applications are one of the easiest ways for attackers to get malware onto people’s computers: to elevate their privileges, they only need to ask for the password, which usually arouses no suspicion during software installation.

However, some of the things the malware authors came up with, such as placing their Python script inside a domain TXT record on the DNS server, were ingenious. The script was later added to startup agents to download and execute the next-stage payload in an infinite loop, so the malware operators could deliver updates to the infected machine as needed.

The final payload was a backdoor that could run scripts with administrator privileges and replace Exodus and Bitcoin crypto wallet applications with infected versions that stole secret recovery phrases during the wallet unlock process.

Read our analysis here.

Coyote: a multi-stage banking Trojan

Developers of banking Trojans are constantly looking for new ways to distribute their implants. In a recent investigation, we came across new malware called Coyote that targets customers of more than 60 banking institutions, mainly from Brazil. What caught our attention was the sophisticated infection chain that makes use of several advanced technologies that set it apart from other banking Trojans.

Instead of using Delphi or an MSI installer for distribution, Coyote uses a relatively new tool for installing and updating Windows desktop applications called Squirrel. In this way, the malware authors hope to disguise the Trojan as an update packager.

When Squirrel is executed, it ends up running a NodeJS application compiled with Electron. This application executes obfuscated JavaScript code to copy all executables found in a local folder named temp to the user’s captures folder inside the Videos folder: it then runs a signed application from that directory.

An interesting element of the infection chain is the use of Nim, a relatively new programming language, to load the final stage. The loader’s objective is to unpack a .NET executable and execute it in memory using the CLR. This implies that the loader aims to load the executable and execute it within its process, reminiscent of how Donut works.

After all these steps, the Coyote Trojan is executed.

Coyote infection chain

The goal of the Coyote Trojan is consistent with typical banking Trojan behavior. It monitors all open applications on the infected system and waits for the user to access the specific banking application or website.

Network tunneling with … QEMU

Cyber attackers often use legitimate tools to evade detection systems and keep development costs to a minimum. Network scanning, capturing a process memory dump, exfiltrating data, running files remotely, and even encrypting drives can all be done with trusted software. To gain a foothold inside a compromised infrastructure and develop the attack, adversaries can use previously installed malware or connect to the network through the company’s RDP servers or corporate VPN (to do this, the attackers must have access to accounts with appropriate privileges).

Another way to connect to the internal network of an attacked organization is to use utilities to set up network tunnels or forward network ports between corporate systems and the adversary’s servers, allowing attackers to bypass NAT and firewalls to gain access to internal systems. There is no shortage of utilities that can be used to create a network tunnel between two systems. Some connect directly, while others use a proxy, which hides the IP address of the attacker’s server.

While investigating an incident at a large company, we noticed unusual malicious activity inside one of the systems. We analyzed the artifacts and found that the adversary had deployed and launched (a) the Angry IP Scanner network scanning utility, (b) the Mimikatz password, hash, and Kerberos ticket extractor and Active Directory attack tool, and (c) the QEMU hardware emulator. While the first two were self-explanatory, QEMU raised some questions; what use would threat actors have for a virtualizer?

We discovered that QEMU supports connections between virtual machines: the -netdev option creates network devices (backend) that can then connect to virtual machines. We had no way of reliably determining how the attackers ran QEMU on their own server, so we decided to set up a test bed consisting of three systems, as follows:

  • “InternalHost” was located inside the network, with no internet access and running an RDP server on port 3389. It simulated the isolated system without access to the internet.
  • “PivotHost” was located inside the network, but it had internet access. It simulated the system that had been breached by the attackers and used to reach InternalHost.
  • “AttackerServer” was hosted in the cloud and simulated the adversary’s server.

Our goal was to reach InternalHost from AttackerServer. The diagram below shows the general layout of the tunnel.

Network tunnel diagram

We were able to determine that this technique for gaining network access was indeed effective. You can read the details of our investigation here.

While the use of legitimate tools to perform various attack steps is nothing new to incident response professionals, attackers sometimes come up with ingenious uses for unlikely software, as was the case with QEMU. This underscores the need for multi-level protection that includes both reliable endpoint protection and specialized solutions to detect and protect against complex and targeted attacks, including human-operated ones.

IT threat evolution in Q1 2024. Non-mobile statistics

Kaspersky Securelist - 3 June, 2024 - 12:00

The statistics presented here are based on detection verdicts by Kaspersky products and services received from users who consented to providing statistical data.

Quarterly figures

In Q1 2024:

  • Kaspersky solutions blocked more than 658 million attacks from various online resources.
  • Web Anti-Virus responded to slightly fewer than 153 million unique links.
  • File Anti-Virus blocked nearly 32 million malicious and unwanted objects.
  • More than 83,000 users experienced ransomware attacks, with 20% of all victims published on ransomware gangs’ DLSs (data leak sites) hit by LockBit.
  • More than 394,000 users encountered miners.

Ransomware

Quarterly trends and highlights

BlackCat/ALPHV

In early March, the BlackCat group, alternatively known as “ALPHV”, which distributed the ransomware with the same name, announced its retirement, claiming that their operations had been disrupted by the FBI. In a message posted on a cybercrime forum, the group said, “the feds screwed us over”, just as the group’s DLS showed a banner that read, “the Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action”. However, the FBI refused to comment, while Europol and the UK’s NCA denied involvement in any recent disruption to BlackCat’s infrastructure.

The group also posted a message offering the source code for their ransomware for $5 million. Several days earlier, a BlackCat affiliate had accused the group of stealing more than $20 million in ransom received from a victim company. All of this makes it likely that the “coordinated action” story is BlackCat’s attempt at disappearing with the money. This is not the first time a RaaS group has shut down their operations after taking their affiliates’ money.


In February, as part of a joint effort named “Operation Cronos”, the law enforcement agencies of ten countries seized some of the infrastructure belonging to one of the most prolific ransomware gangs, LockBit. Police arrested two LockBit operators and issued warrants for other members of the gang.

Soon after, though, LockBit developers reactivated their servers and continued their attacks using an updated ransomware version, which apparently suggests any damage the group had suffered as a result of the crackdown was insignificant.

The most prolific groups

This section looks at the most prolific of ransomware gangs that not only encrypt their victims’ files but steal their confidential data and then publish it, engaging in so-called “double extortion”. The statistics are based on the number of new victims added to each of the groups’ DLSs.

LockBit was the first quarter’s busiest cyberextortion gang, publishing 20.34% of total new ransomware victims on its DLS. It was followed by Black Basta (7.02%) and Play (6.75%).

The number of the group’s victims according to its DLS as a percentage of all groups’ victims published on all the DLSs under review during the reporting period

Number of new ransomware Trojan modifications

In Q1 2024, we discovered nine new families and 7070 ransomware modifications.

Number of new ransomware modifications, Q1 2023 — Q1 2024

Number of users attacked by ransomware Trojans

In Q1, Kaspersky solutions protected 83,270 unique users from ransomware Trojan attacks.

Number of unique users attacked by ransomware Trojans, Q1 2024

Geography of attacked users

TOP 10 countries and territories attacked by ransomware Trojans:

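| # | Country/territory* | %** |
|---|---|---|
| 1 | South Korea | 0.75% |
| 2 | Bangladesh | 0.63% |
| 3 | Libya | 0.57% |
| 4 | Pakistan | 0.56% |
| 5 | Iran | 0.49% |
| 6 | China | 0.46% |
| 7 | Iraq | 0.40% |
| 8 | Venezuela | 0.37% |
| 9 | Tanzania | 0.36% |
| 10 | Tajikistan | 0.36% |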

* Excluded are countries and territories with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country/territory.

TOP 10 most common families of ransomware Trojans

| # | Name | Verdicts* | Percentage of attacked users** |
|---|---|---|---|
| 1 | (generic verdict) | Trojan-Ransom.Win32.Gen | 22.92% |
| 2 | WannaCry | Trojan-Ransom.Win32.Wanna | 11.68% |
| 3 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 8.63% |
| 4 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 6.66% |
| 5 | Stop/Djvu | Trojan-Ransom.Win32.Stop | 6.46% |
| 6 | PolyRansom/VirLock | Virus.Win32.PolyRansom / Trojan-Ransom.Win32.PolyRansom | 3.87% |
| 7 | (generic verdict) | Trojan-Ransom.MSIL.Agent | 3.66% |
| 8 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 3.01% |
| 9 | (generic verdict) | Trojan-Ransom.Win32.Phny | 3.00% |
| 10 | (generic verdict) | Trojan-Ransom.Win32.Agent | 2.40% |

* Statistics are based on detection verdicts by Kaspersky products. The information was provided by Kaspersky users who consented to providing statistical data.
** Unique Kaspersky users attacked by the ransomware Trojan family as a percentage of total users attacked by ransomware Trojans.

Miners

Number of new miner modifications

In Q1 2024, Kaspersky solutions detected 6,601 new miner modifications.

Number of new miner modifications, Q1 2024

Number of users attacked by miners

In Q1, Kaspersky solutions protected 394,120 unique users globally from miners.

Number of unique users attacked by miners, Q1 2024

Geography of attacked users

TOP 10 countries and territories attacked by miners:

| # | Country/territory* | %** |
|---|---|---|
| 1 | Tajikistan | 2.41 |
| 2 | Venezuela | 1.91 |
| 3 | Kazakhstan | 1.88 |
| 4 | Kyrgyzstan | 1.80 |
| 5 | Belarus | 1.69 |
| 6 | Uzbekistan | 1.55 |
| 7 | Ethiopia | 1.46 |
| 8 | Ukraine | 1.34 |
| 9 | Mozambique | 1.19 |
| 10 | Sri Lanka | 1.12 |

* Excluded are countries and territories with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky products in the country or territory.

Attacks on macOS

In the universe of macOS Trojans, the year 2024 kicked off with the detection of a new backdoor named SpectralBlur and tentatively attributed to the Bluenoroff group. The malware has the typical capabilities of a backdoor, such as downloading and removing files, uploading data to a command-and-control server and running shell commands in a pseudoterminal.

Next, we discovered a large set of cracked applications that contained a Python backdoor loader. Its key feature was the ability to replace Bitcoin and Exodus wallet apps with infected versions to steal passwords and wallet recovery phrases.

We also found infected versions of the VNote and Notepad-- text editors with a CobaltStrike agent loader inside. These spread via banner ads in Chinese search engines.

One of the last threats to be discovered in Q1 was a Rust backdoor disguised as a VisualStudio updater and spreading as documents describing job openings. Apparently designed to spy on its victims, the backdoor targeted software developers and existed in the form of several variants.

TOP 20 threats to macOS

| Verdict | %* |
|---|---|
| Trojan-Downloader.OSX.Agent.gen | 11.49 |
| AdWare.OSX.Amc.e | 5.84 |
| Trojan.OSX.Agent.gen | 5.35 |
| | 5.11 |
| AdWare.OSX.Agent.gen | 5.05 |
| | 4.99 |
| Monitor.OSX.HistGrabber.b | 4.99 |
| | 4.27 |
| AdWare.OSX.Agent.ap | 3.73 |
| AdWare.OSX.Pirrit.j | 3.19 |
| AdWare.OSX.Mhp.a | 2.95 |
| AdWare.OSX.Pirrit.gen | 2.29 |
| HackTool.OSX.DirtyCow.a | 2.23 |
| RiskTool.OSX.Spigot.a | 2.17 |
| | 2.05 |
| Hoax.OSX.MacBooster.a | 1.93 |
| Trojan-Downloader.OSX.Lador.a | 1.93 |
| Trojan-Downloader.OSX.Agent.h | 1.87 |
| | 1.87 |
| Backdoor.OSX.Agent.l | 1.81 |

* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked.

A Trojan that downloaded other dangerous applications has topped the list of active threats. More often than not, it delivers various kinds of adware to the infected device, but there are no technical limitations in terms of the type of downloads, so it may as well drop any other malware.

Geography of threats for macOS

TOP 10 countries and territories by share of attacked users

| Country/territory* | %** |
|---|---|
| Spain | 1.27 |
| Italy | 1.11 |
| Canada | 1.02 |
| France | 0.93 |
| Mexico | 0.88 |
| United States | 0.81 |
| Germany | 0.77 |
| United Kingdom | 0.75 |
| Hong Kong | 0.73 |
| Brazil | 0.66 |

* Excluded from the rankings are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000).
** Unique attacked users as a percentage of all users of Kaspersky macOS security products in the country or territory.

Mainland China, previously a leader by number of attacked macOS users, dropped out of the TOP 10 list this time around. Spain, Italy and Canada had the highest numbers of users who encountered threats specific to macOS.

IoT attacks

IoT threat statistics

The protocol distribution of devices that attacked Kaspersky honeypots in Q1 2024 is as follows.

| Protocol | Q4 2023 | Q1 2024 |
|---|---|---|
| Telnet | 91.88% | 93.31% |
| SSH | 8.12% | 6.69% |

Distribution of attacked services by number of unique IP addresses of attacking devices

As you can see, attackers began to use Telnet more frequently than SSH, as evidenced by the attack statistics for the two protocols.

| Protocol | Q4 2023 | Q1 2024 |
|---|---|---|
| Telnet | 92.17% | 96.48% |
| SSH | 7.83% | 3.52% |

Distribution of attackers’ sessions in Kaspersky honeypots

TOP 10 threats delivered to IoT devices:

| TOP 10 threats | %* Q4 2023 | %* Q1 2024 |
|---|---|---|
| Trojan-Downloader.Linux.NyaDrop.b | 19.40 | 37.26 |
| Backdoor.Linux.Mirai.b | 12.97 | 10.22 |
| Trojan.Linux.Agent.nx | 0.20 | 8.73 |
| | 2.69 | 6.08 |
| | 4.86 | 6.06 |
| Backdoor.Linux.Gafgyt.a | 1.19 | 3.53 |
| | 0.05 | 2.81 |
| | 0.05 | 1.97 |
| Backdoor.Linux.Mirai.fg | 2.52 | 1.57 |
| Trojan-Downloader.Shell.Agent.p | 0.99 | 1.54 |

* Share of each threat uploaded to an infected device as a result of a successful attack in the total number of uploaded threats.

Attacks on IoT honeypots

There were no drastic changes in the geographical distribution of SSH attacks. The shares of attacks originating in South Korea, Singapore and Germany increased the most.

| Country/territory | %* Q4 2023 | %* Q1 2024 |
|---|---|---|
| Mainland China | 21.33 | 20.58 |
| United States | 11.65 | 12.15 |
| South Korea | 7.03 | 9.59 |
| Singapore | 3.97 | 6.87 |
| Germany | 3.76 | 4.97 |
| India | 4.95 | 4.52 |
| Hong Kong | 2.27 | 3.25 |
| Russian Federation | 3.37 | 2.84 |
| Brazil | 3.86 | 2.36 |
| Japan | 1.77 | 2.36 |

* Unique IP addresses located in the country or territory as a percentage of all unique IP addresses where SSH attacks on Kaspersky honeypots originated.

Malicious actors who use the Telnet protocol stepped up attacks from mainland China noticeably.

| Country/territory | %* Q4 2023 | %* Q1 2024 |
| Mainland China | 32.96 | 41.51 |
| India | 17.91 | 17.47 |
| Japan | 3.62 | 4.89 |
| Brazil | 4.81 | 3.78 |
| Russian Federation | 3.84 | 3.12 |
| Thailand | 1.08 | 2.95 |
| Taiwan | 2.29 | 2.73 |
| South Korea | 3.81 | 2.53 |
| United States | 2.82 | 2.20 |
| Argentina | 1.81 | 1.36 |

* Unique IP addresses located in a country or territory as a percentage of all unique IP addresses where Telnet attacks on Kaspersky honeypots originated.

Attacks via web resources

The statistics in this section are based on data provided by Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create malicious pages on purpose. Web resources with user-generated content, such as forums, as well as hacked legitimate resources, can be infected.

Countries and territories that serve as sources of web-based attacks: the TOP 10

The following statistics show the geographical distribution of sources of internet attacks blocked by Kaspersky products on user computers: web pages with redirects to exploits, sites hosting exploits and other malware, botnet C&C centers, etc. Any unique host could be the source of one or more web-based attacks.

To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q1 2024, Kaspersky solutions blocked 658,181,425 attacks launched from online resources across the globe. A total of 152,841,402 unique URLs triggered a Web Anti-Virus detection.

Geographical distribution of sources of web attacks, Q1 2024

Countries and territories where users faced the greatest risk of online infection

To assess the risk of online malware infection faced by users in various countries and territories, for each country or territory we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.

These rankings only include attacks by malicious objects that belong in the Malware category. Our calculations do not include Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.

|  | Country/territory* | %** |
| 1 | Greece | 14.09 |
| 2 | Bulgaria | 13.01 |
| 3 | Madagascar | 12.54 |
| 4 | Albania | 12.04 |
| 5 | North Macedonia | 12.00 |
| 6 | Ecuador | 11.90 |
| 7 | Sri Lanka | 11.82 |
| 8 | Qatar | 11.77 |
| 9 | Nepal | 11.56 |
| 10 | Bangladesh | 11.36 |
| 11 | Peru | 11.24 |
| 12 | Kenya | 11.02 |
| 13 | Venezuela | 10.97 |
| 14 | South Africa | 10.94 |
| 15 | Algeria | 10.87 |
| 16 | Serbia | 10.84 |
| 17 | Tunisia | 10.77 |
| 18 | Lithuania | 10.66 |
| 19 | Moldova | 10.51 |
| 20 | Slovakia | 10.50 |

* Excluded are countries and territories with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware attacks as a percentage of all unique users of Kaspersky products in the country or territory.

On average during the quarter, 7.98% of the internet users’ computers worldwide were subjected to at least one Malware-category web attack.

Local threats

These statistics are based on detection verdicts returned by the OAS (on-access scan) and ODS (on-demand scan) Anti-Virus modules and received from users of Kaspersky products who consented to providing statistical data. The data includes detections of malicious programs located on user computers or removable media connected to the computers, such as flash drives, camera memory cards, phones or external hard drives.

In Q1 2024, our File Anti-Virus detected 31,817,072 malicious and potentially unwanted objects.

Countries and territories where users faced the highest risk of local infection

For each country and territory, we calculated the percentage of Kaspersky users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries and territories worldwide.

The rankings only include attacks by malicious objects that belong in the Malware category. Our calculations do not include File Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.

|  | Country/territory* | %** |
| 1 | Turkmenistan | 47.55 |
| 2 | Yemen | 43.57 |
| 3 | Afghanistan | 42.37 |
| 4 | Tajikistan | 39.09 |
| 5 | Cuba | 38.55 |
| 6 | Syria | 34.70 |
| 7 | Uzbekistan | 34.28 |
| 8 | Burundi | 32.79 |
| 9 | Bangladesh | 31.62 |
| 10 | Myanmar | 30.97 |
| 11 | Tanzania | 30.55 |
| 12 | Niger | 30.45 |
| 13 | Belarus | 29.84 |
| 14 | Algeria | 29.82 |
| 15 | South Sudan | 29.80 |
| 16 | Cameroon | 29.55 |
| 17 | Benin | 29.41 |
| 18 | Madagascar | 28.77 |
| 19 | Burkina Faso | 28.77 |
| 20 | Iraq | 28.38 |

* Excluded are countries and territories with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-category local threats were blocked, as a percentage of all unique users of Kaspersky products in the country or territory.

Overall, 15.04% of user computers globally faced at least one Malware local threat during Q3.

Derisking your CNI

The Register - Anti-Virus - 3 June, 2024 - 11:00
How to strengthen cyber risk management for cyber physical systems (CPS)

Webinar  Can organizations ever scale back on the relentless task of identifying, prioritizing, and remediating vulnerabilities and misconfigurations across their industrial and critical infrastructure environments?…

Researchers warn robot cars can be crashed with tinfoil and paint daubed on cardboard

The Register - Anti-Virus - 3 June, 2024 - 07:48
Use Baidu's platform to show how the fusion of Lidar, radar, and cameras can be fooled by stuff from your kids' craft box

A team of researchers from prominent universities – including SUNY Buffalo, Iowa State, UNC Charlotte, and Purdue – were able to turn an autonomous vehicle (AV) operated on the open sourced Apollo driving platform from Chinese web giant Baidu into a deadly weapon by tricking its multi-sensor fusion system, and suggest the attack could be applied to other self-driving cars.…

Twitch ditches Safety Advisory Council, relaunches with vetted 'ambassadors'

The Register - Anti-Virus - 1 June, 2024 - 01:13
Who needs experts when you have an army of hand-picked super users telling you what you want to hear?

Twitch has reportedly dismantled its Safety Advisory Council, and apparently plans to replace the panel with chosen "ambassadors."…

Snowflake denies miscreants melted its security to steal data from top customers

The Register - Anti-Virus - 31 May, 2024 - 23:44
Infosec house claims Ticketmaster, Santander hit via cloud storage

Updated  Infosec analysts at Hudson Rock believe Snowflake was compromised by miscreants who used that intrusion to steal data on hundreds of millions of people from Ticketmaster, Santander, and potentially other customers of the cloud storage and analytics provider. Snowflake denies its security was defeated.…

US senator claims UnitedHealth's CEO, board appointed 'unqualified' CISO

The Register - Anti-Virus - 31 May, 2024 - 23:29
Similar cases have resulted in serious sanctions, and they were on a far smaller scale

Serial tech and digital privacy critic Senator Ron Wyden (D-OR) laid into UnitedHealth Group's (UHG) CEO for appointing a CISO Wyden deemed "unqualified" – a decision he claims likely led to its ransomware catastrophe of late.…

Cyber cops plead for info on elusive Emotet mastermind

The Register - Anti-Virus - 31 May, 2024 - 21:21
Follows arrests and takedowns of recent days

After the big dog revelations from the past week, the cops behind Operation Endgame are now calling for help in tracking down the brains behind the Emotet operation.…

New Nork-ish cyberespionage outfit uncovered after three years

The Register - Anti-Virus - 31 May, 2024 - 17:25
Sector-agnostic group is after your data, wherever you are

Infosec researchers revealed today a previously unknown cybercrime group that's been on the prowl for three years and is behaving like some of the more dangerous cyber baddies under Kim Jong-Un's watch.…

Google to push ahead with Chrome's ad-blocker extension overhaul in earnest

The Register - Anti-Virus - 31 May, 2024 - 13:15
Starting Monday, users will gradually be warned the end is near

On Monday, some people using Beta, Dev, and Canary builds of Google Chrome will be presented with a warning when they access their browser's extension management page – located at chrome://extensions.…

FlyingYeti phishing crew grounded after abominable Ukraine attacks

The Register - Anti-Virus - 31 May, 2024 - 08:27
Kremlin-aligned gang used Cloudflare and GitHub resources, and they didn't like that one bit

Cloudflare's threat intel team claims to have thwarted a month-long phishing and espionage attack targeting Ukraine which it has attributed to Russia-aligned gang FlyingYeti.…

Mystery miscreant remotely bricked 600,000 SOHO routers with malicious firmware update

The Register - Anti-Virus - 31 May, 2024 - 02:15
Source and motive of 'Pumpkin Eclipse' assault unknown

Unknown miscreants broke into more than 600,000 routers belonging to a single ISP late last year and deployed malware on the devices before totally disabling them, according to security researchers.…

OpenAI is very smug after thwarting five ineffective AI covert influence ops

The Register - Anti-Virus - 31 May, 2024 - 01:29
That said, use of generative ML to sway public opinion may not always be weak sauce

OpenAI on Thursday said it has disrupted five covert influence operations that were attempting to use its AI services to manipulate public opinion and elections.…

US Treasury says NFTs 'highly susceptible' to fraud, but ignored by high-tier criminals

The Register - Anti-Virus - 30 May, 2024 - 23:47
Narco kingpins aren't coming for your apes, but internet con artists still are

The US Treasury Department has assessed the risk of non-fungible tokens (NFTs) being used for illicit finance, and has found them wanting for lack of proper roadblocks preventing illegal applications.…

Euro cops disrupt malware droppers, seize thousands of domains

The Register - Anti-Virus - 30 May, 2024 - 20:00
Operation Endgame just beginning: 'Stay tuned,' says Europol

An international law enforcement operation led by Europol has kicked off with the announcement of multiple arrests, searches, seizures and takedowns of malware droppers and their operators.…

Cybercriminals raid BBC pension database, steal records of over 25,000 people

The Register - Anti-Virus - 30 May, 2024 - 16:02
This just in: We lost your personal info, but here's 2 years' worth of Experian

The BBC has emailed more than 25,000 current and former employees on one of its pension schemes after an unauthorized party broke into a database and stole their personal data.…

IT worker sued over ‘vengeful’ cyber harassment of policeman who issued a jaywalking ticket

The Register - Anti-Virus - 30 May, 2024 - 15:00
His hospital employer also hit with lawsuit for not stepping in sooner

In an ongoing civil lawsuit, an IT worker is accused of launching a "destructive cyber campaign of hate and revenge" against a police officer and his family after being issued a ticket for jaywalking.…

IBM spin-off Kyndryl accused of discriminating on basis of age, race, disability

The Register - Anti-Virus - 30 May, 2024 - 13:14
Five current and former employees file formal charges with US employment watchdog

Exclusive  Kyndryl, the IT services firm spun out of IBM, has been accused by multiple employees within its CISO Defense security group of discrimination on the basis of age, race, and disability, in both internal complaints and formal charges filed with the US Equal Employment Opportunity Commission (EEOC).…
