Kaspersky Securelist

Syndikovat obsah Securelist
Aktualizace: 10 min 1 sek zpět

Ransomware world in 2021: who, how and why

12 Květen, 2021 - 12:00

As the world marks the second Anti-Ransomware Day, there’s no way to deny it: ransomware has become the buzzword in the security community. And not without good reason. The threat may have been around a long time, but it’s changed. Year after year, the attackers have grown bolder, methodologies have been refined and, of course, systems have been breached. Yet, much of the media attention ransomware gets is focused on chronicling which companies fall prey to it. In this report, we take a step back from the day-to-day ransomware news cycle and follow the ripples back into the heart of the ecosystem to understand how it is organized.

First, we will debunk three preconceived ideas that obstruct proper thinking on the ransomware threat. Next, we dive deep into the darknet to demonstrate how cybercriminals interact with each other and the types of services they provide. And finally, we conclude with a look at two high-profile ransomware brands: REvil and Babuk.

No matter how much work we put into writing this report, before you start reading, make sure your data is backed up safely!

Part I: Three preconceived ideas about ransomware Idea #1: Ransomware gangs are gangs

Along with the rise of big-game hunting in 2020, we saw the emergence of a number of high-profile groups in the ransomware world. Criminals discovered victims would be more likely to pay ransoms if they could establish some form of reputability beforehand. To ensure that their ability to restore encrypted files would never be questioned, they cultivated an online presence, wrote press releases and generally made sure their name would be known to all potential victims.

But by placing themselves under the spotlight, such groups hide the actual complexity of the ransomware ecosystem. From the outside, they may appear to be single entities; but they are in fact only the tip of the spear. In most attacks there are a significant number of actors involved, and a key takeaway is that they supply services to each other through dark web marketplaces.

Botmasters and account resellers are tasked with providing initial access inside the victim’s network. Other members of this ecosystem, which we’ll name the red team for the purpose of this discussion, use this initial access to obtain full control over the target network. During this process, they will gather information about the victim and steal internal documents.

These documents may be forwarded to an outsourced team of analysts who will try to figure out the actual financial health of the target, in order to set the highest ransom price that they are likely to pay. Analysts will also keep a lookout for any sensitive or incriminating information which may be used to support their blackmail tactics – the goal being to put maximum pressure on decision-makers.

When the red team is ready to launch the attack, it will purchase a ransomware product from dark web developers, usually in exchange for a cut of the ransom. An optional role here is the packer developer, who may add protection layers to the ransomware program and make it harder for security products to detect for the few hours it needs to encrypt the whole network.

Finally, negotiations with the victims may be handled by yet another team and when the ransom is paid out, a whole new set of skills is needed to launder the cryptocurrency obtained.

An interesting aspect of all this is that the various actors in the “ransomware value chain” do not need to personally know each other, and in fact they don’t. They interact with each other through internet handles, paying for services with cryptocurrency. It follows that arresting any of these entities (while useful for deterrence purposes) does little to slow down the ecosystem, as the identity of co-perpetrators cannot be obtained, and other suppliers will immediately fill the void that was created.

The ransomware world must be understood as an ecosystem, and treated as such: it is a problem that can only be addressed systematically, for instance by preventing the money from circulating inside of it – which involves not paying ransoms in the first place.

Idea #2: Targeted ransomware is targeted

The previous description of the ransomware ecosystem has noteworthy implications when it comes to the way victims are selected. Yes, criminal groups are getting bolder and ask for ever-increasing ransoms. But ransomware attacks have an opportunistic aspect to them. As far as we know, these groups do not peruse the Financial Times to decide who they are going after next.

Counter-intuitively, the people who obtain the initial access to the victim’s network are not the ones who deploy the ransomware later on; and it is helpful to think of access collection as an entirely separate business. For it to be viable, sellers need a steady stream of “product”. It might not make financial sense to spend weeks trying to breach a predetermined hard target like a Fortune 500 company because there’s no guarantee of success. Instead, access sellers go after the low-hanging fruit. There are two main sources for such access:

  • Botnet owners. Well-known malware families are involved in the biggest and most wide-reaching campaigns. Their main objective is to create networks of infected computers, though the infection is only dormant at this point. Botnet owners (botmasters) sell access to the victim machines in bulk as a resource that can be monetized in many ways, such as organizing DDoS attacks, distributing spam or, in the case of ransomware, by piggybacking on this initial infection to get a foothold in a potential target.
  • Access sellers. Hackers who are on the lookout for publicly disclosed vulnerabilities (1-days) in internet facing software, such as VPN appliances or email gateways. As soon as such a vulnerability is disclosed, they compromise as many affected servers as possible before the defenders have applied the corresponding updates.

An example of an offer to sell access to an organization’s RDP

In both cases, it is only after the fact that the attackers take a step back and figure out who they have breached, and if this infection is likely to lead to the payment of a ransom. Actors in the ransomware ecosystem don’t do targeting in that they almost never choose to go after specific entities. Understanding this fact underlines the importance for companies to update internet-facing services in a timely fashion, and to have the ability to detect dormant infections before they can be leveraged for wrongdoing.

Idea #3: Cybercriminals are criminals

Alright, technically, they are. But this is also an area where there is more than meets the eye, because of the diversity of the ransomware ecosystem. There is, of course, a documented porosity between the ransomware ecosystem and other cybercrime domains such as carding or point-of-sale (PoS) hacking. But it is worth pointing out that not all members of this ecosystem originate from the cybercrime underworld. In the past, high-profile ransomware attacks have been used as a destructive means. It is not unreasonable to think that some APT actors are still resorting to similar tactics to destabilize rival economies while maintaining strong plausible deniability.

On the same note, we released a report last year about Lazarus group trying its hand at big-game hunting. ClearSky identified similar activity that they attributed to the Fox Kitten APT. Observers have noted that the obvious profitability of ransomware attacks has attracted a few state-sponsored threat actors to this ecosystem as a way of circumventing international sanctions.

Our data indicates that such ransomware attacks represent only a tiny fraction of the total. While they do not represent a rift in what companies need to be able to defend against, their very existence creates an additional risk for victims. On October 1, 2020, the US Department of the Treasury’s OFAC released a memo clarifying that companies wiring money to attackers need to ensure that the recipients are not subject to international sanctions. This announcement appeared to be effective as it already impacted the ransomware market. It goes without saying that performing due diligence on ransomware operators is a challenge on its own.

Part II: The darknet shenanigans Through the market lanes

When it comes to the sale of digital goods or services related to cybercrime on the darknet, most information is aggregated on just a few large platforms, though there are multiple smaller thematic ones focusing on a single topic or product. We analyzed three main forums on which ransomware-related offers are aggregated. These forums are the main platforms where cybercriminals that work with ransomware actively communicate and trade. While the forums host hundreds of various advertisements and offers, for analysis we selected just a few dozen offers that had been verified by forum administrations and placed by groups with an established reputation. These ads included a variety of offers from the sale of source code to regularly updated recruitment advertisements, available in English and Russian.

Different types of offers

As we noted before, the ransomware ecosystem consists of players that take on different roles. Darknet forums partially reflect this state of affairs, albeit the offers on these markets are aimed primarily at selling or recruiting. Just as with any marketplace, when operators need something, they actively update their ad placements on forums and take them off as soon as that need is fulfilled. Ransomware developers and operators of affiliate ransomware programs (better known as Ransomware as a Service) offer the following:

  • Invitations to join partner networks, affiliate programs for ransomware operators
  • Ads for ransomware source code or ransomware builders

The first type of involvement presumes a lengthy partnership between the ransomware group operator and the affiliate. Usually, the ransomware operator takes a profit share ranging from 20% to 40%, while the remaining 60-80% stays with the affiliate.

Examples of offers listing payment conditions in partner programs

While many ransomware operators look for partners, some sell ransomware source code or do-it-yourself (DIY) ransomware packages. Such offers vary from US$300 to US$5000.

Sale of ransomware source code or the sale of leaked samples is the easiest way of making money off ransomware in terms of technical proficiency and effort invested by the seller. However, such offers also make the least money, as source code and samples quickly lose their value. There are two different types of offers – with and without support. If ransomware is purchased without support, once it is detected by cybersecurity solutions, the buyer would need to figure out on their own how to repackage it, or find a service that does sample repackaging – something that it still easily detected by security solutions.

Offers with support (admittedly, more widespread in the financial malware market), usually offer regular updates and make decisions about malware updates.

In this regard, darknet forum offers have not changed much compared to 2017.

Ransomware developers sometimes advertise builders and source code as a one-off purchase with no customer support

An offer of a subscription for ransomware and additional services looks very similar to any other ad for a legitimate product, with varying benefits and price range

Some of the big players aren’t seen on the darknet

Even though the number and the range of offers available on the darknet certainly is not small, the markets do not reflect the whole ransomware ecosystem. Some large ransomware groups either work independently or find partners directly (for instance, as far as we know, Ryuk was able to access some of its victims’ systems after a Trickbot infection, which suggests a potential partnership between two groups). Therefore, the forums generally host smaller players – either medium-sized RaaS operators, smaller actors that sell source code and newbies.

Ground rules for affiliates on the darknet

The ransomware market is a closed one, and the operators behind it are careful about who they choose to work with. This caution is reflected in the ads the operators place and criteria they impose when selecting partners.

The first general rule is that of geographical restrictions placed on the operators. When malware operators work with partners, they avoid using the malware in the jurisdiction where they are based. This rule is strictly adhered to and partners that don’t abide by it quickly lose access to the programs they have been working with.

Additionally, operators screen potential partners to reduce the chances of hiring an undercover official, for instance, by checking their knowledge of the country they claim to be from, as illustrated in the example below. They may also impose restrictions on certain nationalities based on their political views. These are just some of the ways operators try to ensure their security.

In this example the gang recommends vetting new affiliates by asking obscure questions about the history of former Soviet republics and expressions that typically only native Russian speakers could answer

Avaddon may consider English-speaking affiliates if they have an established reputation or can provide a deposit, according to this ad

The merchants

For a more detailed overview we chose two of the most noteworthy Big Game Hunting ransomware in 2021.

The first one is the REvil (aka Sodinokibi) gang. Since 2019, this ransomware has been advertised on underground forums and has a strong reputation as a RaaS operator. The gang’s name REvil often appears in news headlines in the infosecurity community. REvil operators have demanded the highest ransoms in 2021.

The other is the Babuk locker. Babuk is the first new RaaS threat discovered in 2021, demonstrating a high level of activity.


An example of an ad placed by the REvil affiliate program

REvil is one of the most prolific RaaS operations. The group’s first activity was observed in April 2019 after the shutdown of GandCrab, another now-defunct ransomware gang.

To distribute ransomware, REvil cooperates with affiliates hired on cybercriminal forums. The ransom demand is based on the annual revenue of the victim, and distributors earn between 60% and 75% of the ransom. Monero (XMR) cryptocurrency is used for payment. According to the interview with the REvil operator, the gang earned over $100 million from its operations in 2020.

The developers regularly update the REvil ransomware to avoid detection and improve the reliability of ongoing attacks. The group announces all major updates and availability of new partner program items in their various threads on cybercriminal forums. On April 18, 2021, the developer announced that the *nix implementation of the ransomware was undergoing closed testing.

REvil informs about the internal testing of the *nix implementation of the ransomware

Technical details

REvil uses the Salsa20 symmetric stream algorithm for encrypting the content of files and the keys for it with an elliptic curve asymmetric algorithm. The malware sample has an encrypted configuration block with many fields, which allow attackers to fine-tune the payload. The executable can terminate blacklisted processes prior to encryption, exfiltrate basic host information, encrypt non-whitelisted files and folders on local storage devices and network shares. A more detailed account of the technical capabilities of REvil is available in our private and public reports.

The ransomware is now distributed mainly through compromised RDP accesses, phishing, and software vulnerabilities. The affiliates are responsible for gaining initial access to corporate networks and deploying the locker – a standard practice for the RaaS model. It should be noted that the gang has very strict recruitment rules for new affiliates: REvil recruits only Russian-speaking highly skilled partners with experience in gaining access to networks.

Privilege elevation, reconnaissance and lateral movement follow a successful breach. The operators then evaluate, exfiltrate and encrypt sensitive files. The next stage is negotiations with the attacked company. If the victim decides not to pay their ransom, the REvil operators will start publishing the sensitive data of the attacked company on the .onion Happy Blog site. The tactic of publishing exfiltrated confidential data on leak sites has recently gone mainstream among Big Game Hunting players.

An example of a post on REvil’s blog that includes data stolen from the victim

It’s worth noting that ransomware operators have started using voice calls to business partners and journalists, as well as DDoS attacks, to force their victims to pay a ransom. In March 2021, according to the operator, the gang launched a service at no extra cost for affiliates that contacts the victim’s partners and the media to exert maximum pressure, plus DDoS (L3, L7) as a paid service.

REvil announces a new feature to arrange calls to the media and the target’s partners to exert additional pressure when demanding a ransom

According to our research, this malware affected almost 20 business sectors. The largest share of victims fell into the category Engineering & Manufacturing (30%), followed by Finance (14%), Professional & Consumer Services (9%), Legal (7%), and IT & Telecommunications (7%).

The victims of this campaign include companies such as Travelex, Brown-Forman Corp., the pharmaceutical group Pierre Fabre, and the celebrity law firm Grubman Shire Meiselas & Sacks. In March 2021, the gang breached Acer and demanded the highest recorded ransom of $50 million.

On April 18, 2021, a member of the REvil group announced that the gang was on the cusp of declaring its “most high-profile attack ever” in a post on forums where cybercriminals recruit new affiliates. On April 20, the group published a number of alleged blueprints for Apple devices on the Happy Blog site. According to the attackers, the data was stolen from Quanta’s network. Quanta Computer is a Taiwan-based manufacturer and one of Apple’s partners. Quanta’s initial ransom demand was $50 million.

In the past few quarters there has been a sharp spike in REvil’s targeted activity

The REvil gang is a prime example of a Big Game Hunting player. In 2021, we are seeing a trend towards bigger ransoms for sensitive company data. The use of new tactics to pressure the victim, the active development of non-Windows versions and the regular recruitment of new affiliates all suggest that the number and scale of attacks will only grow in 2021.


Another player in the Big Game Hunting scene in 2021 is the Babuk locker. At the beginning of 2021 we observed several incidents involving this ransomware.

At the end of April 2021, the threat actors behind Babuk announced the end of their activity, stating that they will make their source code publicly available in order to “do something like Open Source RaaS”. This means that we’ll probably see a new wave of ransomware activity as soon as various smaller threat actors adopt the leaked source code for their operations. We’ve seen this sort of situation happen before with other RaaS and MaaS projects – the Cerberus banking Trojan for Android is a good example from last year.

Babuk announcement about the end of operations

The group obviously customizes each sample for each victim because it includes a hardcoded name of the organization, personal ransomware note and extensions of the encrypted files. Babuk’s operators also use the RaaS model. Prior to infection, affiliates or the operators compromise the target network, so they can identify how to deploy the ransomware effectively and evaluate the sensitive data in order to set the highest realistic ransom price for the victim. The team behind Babuk defines their group as CyberPunks that “randomly test corporate networks security,” using RDP as an infection vector. The gang offers 80% of the ransom to their affiliates.

An example of an ad placed by the Babuk affiliate program

Babuk advertises on both Russian-speaking and English-speaking underground forums. At the beginning of January 2021, an announcement appeared on one forum about the new ransomware Babuk, with subsequent posts focusing on updates and affiliate recruitment.

Babuk’s announcement to the press explaining their strategy and victim selection

Babuk’s whitelist prevents any targeting in the following countries: China, Vietnam, Cyprus, Russia and other CIS countries. The operators also prohibit the compromise of hospitals, non-profit charities, and companies with an annual revenue of less than $30 million according to ZoomInfo. To join the affiliate program, a partner must pass an interview on Hyper-V and ESXi hypervisors.

Babuk made the headlines for being probably the first ransomware gang to publicly declare a negative stance towards the LGBT and Black Lives Matter (BLM) communities. It was due to this fact that the group excluded these communities from their whitelist. But in a post on the Babuk data leak site about the results of two months of work, the gang reported that they had added LGBT and BLM foundations and charity organizations to their whitelist.

Technical details

For encryption Babuk uses a symmetric algorithm combined with Elliptic curve Diffie–Hellman (ECDH). After successful encryption, the malware drops a hardcoded ransom note as “How To Restore Your Files.txt” into each processed directory. In addition to the text, the ransom note contains a list of links to screenshots of some exfiltrated data. This proves that the malware sample is crafted after the victim’s data is exfiltrated. As mentioned above, each sample is customized for the specific target.

In the ransom note, the gang also suggests that the victim starts the negotiation process using their personal chat portal. These steps aren’t exclusively tied to Babuk but are commonly present in Big Game Hunting campaigns. Remarkably, the text of the ransom note also contains a private link to the related post on the .onion data leak site, which is not accessible from the main page of the site. There are some screenshots, as well as a text description of the types of stolen files, and general threats addressed to the victim. If the victim decides not to negotiate with cybercriminals, the link to this post will be made public.

The group behind the Babuk locker primarily targets large industrial organizations in Europe, the US and Oceania. Targeted industries include, but are not limited to, transportation services, the healthcare sector, and various suppliers of industrial equipment. In fact, recent cases show that Babuk operators are expanding their targets. On April 26, the D.C. Police Department confirmed that its network had been breached, with the Babuk operator claiming responsibility and announcing the attack on their .onion leak site.

Babuk’s announcement of a successful attack on the D.C. Police Department

According to the post on this site, the gang was able to exfiltrate more than 250 GB of data from Washington’s Metropolitan Police Department network. At the time of writing, the police department had three days to start the negotiation process with the attackers; otherwise, the group would start leaking data to criminal gangs. Babuk also warned that it would continue to attack the US state sector.

Babuk operator’s screenshots of stolen files from the D.C. Police Department’s network published on the darknet leak site


On April 23, 2021, we released ransomware statistics that revealed a significant decline in the number of users who had encountered this threat. These numbers should not be misinterpreted: while it is true that random individuals are less likely to encounter ransomware than they used to, the risk for companies has never been higher.

Ever eager to maximize profits, the ransomware ecosystem has evolved and can now be considered a systemic threat for corporations all around the world.

There was a time where SMBs could mostly ignore the challenges posed by information security: they were small enough to stay under the radar of APT actors, but still big enough not to be affected by random and generic attacks. Those days are over, and all companies today are now in a position where they must be prepared to fend off criminal groups.

Thankfully, such attackers will usually go after the low-hanging fruit first, and setting up appropriate security practices will make a world of difference.

On May 12, which is Anti-Ransomware Day, Kaspersky encourages organizations to follow these best practices to help safeguard your organization against ransomware:

  • Always keep software up to date on all your devices to prevent attackers from infiltrating your network by exploiting vulnerabilities.
  • Focus your defense strategy on detecting lateral movements and data exfiltration to the internet. Pay special attention to the outgoing traffic to detect cybercriminal connections. Set up offline backups that intruders cannot tamper with. Make sure you can quickly access them in an emergency.
  • To protect the corporate environment, educate your employees. Dedicated training courses can help, such as the ones provided in the Kaspersky Automated Security Awareness Platform. A free lesson on how to protect against ransomware attacks is available here.
  • Carry out a cybersecurity audit of your networks and remediate any weaknesses discovered in the perimeter or inside the network.
  • Enable ransomware protection for all endpoints. There is the free Kaspersky Anti-Ransomware Tool for Business that shields computers and servers from ransomware and other types of malware, prevents exploits and is compatible with other installed security solutions.
  • Install anti-APT and EDR solutions, enabling capabilities for advanced threat discovery and detection, investigation and timely remediation of incidents. Provide your SOC team with access to the latest threat intelligence and regularly upskill them with professional training. Ask for help from your MDR provider if you lack internal threat hunting experts. They will take responsibility for continuously finding, detecting and responding to threats targeting your business. All of the above is available within the Kaspersky Expert Security framework.
  • If you become a victim, never pay the ransom. It won’t guarantee you get your data back but will encourage criminals to continue their activities. Instead, report the incident to your local law enforcement agency. Try to find a decryptor on the internet – quite a few are available at https://www.nomoreransom.org/en/index.html

DDoS attacks in Q1 2021

10 Květen, 2021 - 12:00

News overview

Q1 2021 saw the appearance of two new botnets. News broke in January of the FreakOut malware, which attacks Linux devices. Cybercriminals exploited several critical vulnerabilities in programs installed on victim devices, including the newly discovered CVE-2021-3007. Botnet operators use infected devices to carry out DDoS attacks or mine cryptocurrency.

Another active bot focused on Android devices with the ADB (Android Debug Bridge) debug interface. The botnet was dubbed Matryosh (from the Russian word matryoshka — nesting doll) due to the multi-step process for obtaining the C&C address. It is not the first bot to attack mobile devices through a debug interface. This loophole was previously exploited by ADB.Miner, Ares, IPStorm, Fbot, Trinity, and other malware.

Q1 was not without yet another iteration of Mirai. Cybercriminals infected network devices, exploiting relatively recently discovered vulnerabilities, plus several unknown bugs. According to the researchers who identified the attack, it might have affected several thousand devices.

In Q1 2021, cybercriminals also found a host of new tools for amplifying DDoS attacks. One of them was Plex Media Server for setting up a media server on Windows, macOS, or Linux computers, network-attached storages (NAS), digital media players, and the like. Around 37,000 devices with Plex Media Server installed, accessible online directly or receiving packets redirected from specific UDP ports, turned out to be vulnerable. Junk traffic generated by Plex Media Server is made up of Plex Media Service Discovery Protocol (PMSSDP) requests and amplifies the attack by a factor of approximately 4.68.

A major amplification vector was the RDP service for remote connection to Windows devices. RDP servers listening on UDP port 3389 were used to amplify DDoS attacks. At the time of publishing the information about the misuse of the remote access service, 33,000 vulnerable devices had been found. The amplification factor was significantly higher than in the case of Plex Media Server: 85.9. To prevent attacks via RDP, it is recommended to hide RDP servers behind a VPN or disable UDP port 3389.

That said, a VPN is no panacea if it too is vulnerable to amplification attacks. In Q1 2021, for instance, attackers went after Powerhouse VPN servers. The culprit turned out to be the Chameleon protocol, which guards against VPN blocking and listens on UDP port 20811. The server response to requests on this port was 40 times larger than the original request. The vendor released a patch when they learned about the problem.

Alas, not all users of vulnerable programs and devices install updates promptly. For instance, as of mid-March, there were around 4,300 web-based servers for DDoS amplification through the DTLS protocol — this method was covered in our previous report. Vulnerable devices were either misconfigured or missing the latest firmware version with the required settings. Cybercriminals have wasted no time in adding this amplification method (as well as most others discovered just this past quarter) to their arsenal of DDoS-for-hire platforms.

Non-standard protocols are of interest to cybercriminals not only as a means of amplification, but as a tool for carrying out DDoS attacks. In Q1, a new attack vector appeared in the form of DCCP (Datagram Congestion Control Protocol), a transport protocol for regulating the network load when transmitting data in real time, for example, video streaming. The built-in mechanisms to protect against channel congestion did not prevent attackers using this protocol to flood victims with multiple connection requests. What’s more, on the side of the junk packet recipients, there were no online-accessible DCCP applications. Most likely, the attackers were randomly looking for a way to bypass standard DDoS protection.

Another unusual DDoS vector was the subject of an FBI warning about the rise in attacks on emergency dispatch centers. TDoS (telephony denial-of-service) attacks aim to keep the victim’s phone number permanently busy, flooding it with junk calls. There are two main TDoS methods: via flash mobs on social networks or forums, and automated attacks using VoIP software. Neither is new, but TDoS against critical first-responder facilities poses a very serious threat. “The public can protect themselves in the event that 911 [the emergency number across North America] is unavailable by identifying in advance non-emergency phone numbers and alternate ways to request emergency services in their area,” the FBI advised.

On the whole, the quarter was rich in media-reported DDoS attacks. In particular, DDoS ransomware continued to attack organizations worldwide at the start of the year. In some cases, they demonstrated impressive capabilities. For example, a European gambling company was bombarded with junk traffic, peaking at 800 GB per second. Maltese Internet service provider Melita was also hit by ransomware: a showcase DDoS attack disrupted services. At the same time, ransomware operators, having already started to steal victims’ data before encryption, also turned their eyes on DDoS as an extortion tool. The first attack on the website of a victim unwilling to negotiate occurred late last year. In January, Avaddon’s operators jumped on the bandwagon, followed in March by the group behind the Sodinokibi (REvil) ransomware.

Ransomwarers were likely spurred on by the upward movement of cryptocurrency prices, which continued in Q1 2021. In early February, Tesla announced a massive investment in Bitcoin, which led to even more hype around digital money. Several cryptocurrency exchanges could not cope with the resulting influx of sign-ups and suffered downtime. There was no avoiding DDoS either: British exchange EXMO reported an attack on its systems. Company representatives admitted that not only the site was affected, but the entire network infrastructure.

As many users were still working (and playing) from home in Q1 2021, cybercriminals made sure to target the most in-demand resources. In addition to the aforementioned Melita, Austrian provider A1 Telekom (article in German), as well as Belgian telecommunications firm Scarlet, suffered DDoS attacks (albeit without the ransomware component). In both instances, customers faced communication disruptions, and in the case of A1 Telekom, users all across the country experienced problems.

Online entertainment was likewise targeted by cybercriminals throughout the quarter. For example, Blizzard reported a DDoS attack in early January. The barrage of junk traffic caused players, especially those trying to connect to World of Warcraft servers, to experience delays. There were also cases of players getting kicked off the server. Towards the end of the month, cybercriminals attacked League of Legends. Players attempting to enter tournaments in Clash mode experienced login issues and intermittent connection failures. In February, a DDoS attack temporarily disabled the television service of Icelandic provider Siminn. And in March, LittleBigPlanet servers were unavailable for several days. Players blamed a disgruntled fan for the attack.

By early 2021, many schools had switched to on-campus or hybrid mode, but that did not stop the DDoS attacks. Only now, instead of flooding online platforms with junk traffic, cybercriminals sought to deprive educational institutions of internet access. For instance, in February, US schools in Winthrop, Massachusetts, and Manchester Township, New Jersey, were hit by DDoSers. In the second case, the attack forced the institutions to temporarily return to remote schooling. In March, CSG Comenius Mariënburg, a school in Leeuwarden, Netherlands, also fell victim to a DDoS attack. The attack was organized by students themselves. Two of them were quickly identified, but school officials suspect that there were other accomplices.

The most significant event in Q1 was COVID-19 vaccination. As new segments of the population became eligible for vaccination programs, related websites suffered interruptions. At the end of January, for example, a vaccine registration website in the US state of Minnesota crashed under the load.The incident coincided with the opening of appointments to seniors, teachers and childcare workers.In February, a similar glitch occurred on a vaccine appointment portal in Massachusetts as retirees, people with chronic illnesses and staff of affordable senior housing tried to sign up for a shot. In both cases, it is not known for certain whether it was a DDoS attack or an influx of legitimate traffic; all the same, cybersecurity company Imperva recorded a spike in bot activity on healthcare resources.

Nor was Q1 without political DDoS attacks. In February, cybercriminals flooded the websites of Dutch politician Kati Piri and the Labor Party, of which she is a member, with junk traffic. The Turkish group Anka Nefeler Tim claimed responsibility. In late March, a DDoS hit the website of the Inter-Parliamentary Alliance on China (IPAC). Representatives of the organization note that this is not the first such attack in living memory. On top of that, several government agencies in Russia and Ukraine reported DDoS attacks in early 2021. The victims included the websites of the Russian Federal Penitentiary Service and the National Guard, the Kiev City State Administration, the Security Service of Ukraine, the National Security and Defense Council, as well as other Ukrainian security and defense institutions.

Since the start of 2021, a number of media outlets in Russia and abroad have been targeted by DDoS attacks. In January, attackers downed the websites of Kazakh newspaper Vlast and Brazilian nonprofit media organization Repórter Brasil. In the second case, the attacks continued for six days. The Ulpressa portal, based in the Russian city of Ulyanovsk, came under a much longer attack lasting several weeks. The website was attacked daily during peak hours. The KazanFirst news portal initially managed to repel the stream of junk traffic, but the attackers changed tactics and ultimately took the site offline. A similar scenario played out in the case of Mexican magazine Espejo: the administrators deflected the first attempts to down the site, but these were followed by a more powerful DDoS wave.

But it was not only legitimate organizations that suffered from DDoS in Q1 2021. In January, many resources on the anonymous Tor network, which is popular with cybercriminals, were disrupted. The Tor network may have been overloaded due to DDoS attacks against specific sites on the dark web. A February target was the major underground forum Dread, used, among other things, to discuss deals on the black market. The forum administration was forced to connect additional servers to defend against the attack.

But this quarter was not all doom and gloom: some DDoS organizers did get exposed. For example, a pair of high-ranked Apex Legends players who DDoSed anyone who beat them finally got banned. A slightly more severe punishment was dished out to a teenager who late last year tried to disrupt Miami-Dade County Public Schools’ online learning system. He escaped jail, but was sentenced to 30 hours’ community service and placed on probation.

Quarter trends

In Q1 2021, DDoS market growth against the previous reporting period outstripped our prediction of around 30%, nudging over the 40% mark. Unusually, and hence interestingly, 43% of attacks occurred in the normally relatively calm month of January.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Comparative number of DDoS attacks, Q1 2021, Q1 2020, and Q4 2020. Data for Q1 2020 is taken as 100% (download)

The unexpected surge in DDoS activity can be attributed to the price of cryptocurrencies in general, and Bitcoin in particular, which began to fall in January 2021. The practice of previous years shows that rapid cryptocurrency growth is followed by a similarly rapid decline. It seems that the nimblest botnet owners expected similar behavior this year, and reverted back to DDoS at the first hint of a price drop. However, the Bitcoin price sometimes has a mind of its own: it rose again in February, plateaued in March and remains high at the time of posting. Accordingly, the DDoS market sagged in February and March.

Note that these two months were entirely in line with our forecast: the DDoS market showed slight growth relative to Q4, but no more than 30%. Another curiosity is that this year’s February and March indicators are very similar (within a few percent) to those of January 2020, which was a typically calm January. The same picture (abnormal January followed by standard February and March) was seen in 2019.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Comparative number of DDoS attacks, 2019–2021. Data for 2019 is taken as 100% (download)

Q1 2019 was fairly stable, almost benchmark standard, so it can be used to demonstrate deviations. Last year saw an explosive increase in DDoS activity in February and March, which we attributed, and continue to attribute, to the coronavirus outbreak, the switch to remote working, and the emergence of many new DDoS-vulnerable targets. This year’s January outlier is equally stark when compared with the 2019 data.

Note the significant lag in the Q1 figures overall against the same period of last year. This gap can be explained by the above-mentioned abnormally high numbers in 2020. Over the past year, the situation has changed: organizations have strengthened and learned how to protect remote infrastructure, so Q1 this year was simply ordinary, with no distortions. The slump in the numbers was caused specifically by the abnormal previous year, not the decline in the current one.
At the same time, the share of smart attacks in Q1 increased relative to both the end of 2020 (from 44.29% to 44.60%) and its start. This also indirectly confirms the theory that capacities are being redirected away from DDoS, which comes at the expense of attacks that are easy to organize and defend, since they have become unprofitable for botnet operators.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Share of smart attacks, Q1 2021, Q1 2020, and Q4 2020 (download)

In our Q4 2020 report, we noted a downward trend in the duration of short attacks and an upward one in the duration of long attacks. This trend continued this quarter as well, which is clearly seen from the duration data compared to Q4 of the previous year. We cautiously assume that this trend will continue in the future.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

DDoS attack duration, Q1 2021, Q1 2020, and Q4 2020. Data for Q1 2020 is taken as 100% (download)

Statistics Methodology

Kaspersky has a long history of combating cyberthreats, including DDoS attacks of all types and complexity. Company experts monitor botnets using the Kaspersky DDoS Intelligence system.

The DDoS Intelligence system is part of the Kaspersky DDoS Protection solution, and intercepts and analyzes commands sent to bots from C&C servers. The system is proactive, not reactive, meaning that it does not wait for a user device to get infected or a command to be executed.

This report contains DDoS Intelligence statistics for Q1 2021.

In the context of this report, it is assumed that an incident is a separate (single) DDoS-attack if the interval between botnet activity periods does not exceed 24 hours. For example, if the same web resource was attacked by the same botnet with an interval of 24 hours or more, then this incident is considered as two attacks. Bot requests originating from different botnets but directed at one resource also count as separate attacks.

The geographical locations of DDoS-attack victims and C&C servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.

DDoS Intelligence statistics are limited to botnets detected and analyzed by Kaspersky. Note that botnets are just one of the tools used for DDoS attacks, and that this section does not cover every single DDoS attack that occurred during the review period.

Note that, starting Q4 2020, the number of botnets whose activity is included in the DDoS Intelligence statistics has increased. This may be reflected in the data presented in this report.

Quarter summary

In Q1 2021:

  • The US displaced China from top spot by both number of DDoS attacks and number of unique targets.
  • We saw a spike in DDoS activity in January, peaking at over 1,800 attacks per day: 1,833 on the 10th and 1,820 on the 11th. On several other days in January, the daily number of attacks exceeded 1,500.
  • The distribution of attacks by day of the week was fairly even: just 2.32 p.p. separated the most and the least active days.
  • The number of short (less than 4 hours) DDoS attacks increased significantly.
  • The most widespread this time was UDP flooding (41.87%), while SYN flooding dropped to third place (26.36%).
  • Linux botnets continued to account for almost all DDoS traffic (99.90%).
Attack geography

In Q1 2021, the perennial leaders by number of DDoS attacks swapped places: the US (37.82%) added 16.84 p.p. to top the leaderboard, nudging aside China (16.64%), which lost 42.31 p.p. against the previous reporting period. The Hong Kong Special Administrative Region (2.67%), which had long occupied third position, this time dropped to ninth, with Canada (4.94%) moving into the Top 3.

The UK (4.12%) also lost ground, falling from fourth to sixth place, despite its share increasing by 2.13 p.p., behind the Netherlands (4.48%) and France (4.43%). South Africa, which finished fifth last quarter, dropped out of the Top 10 altogether.
Germany (3.78%) moved up to seventh place, displacing Australia (2.31%), which rounds out the ranking this quarter. Eighth place was taken by Brazil (3.36%), having rarely climbed higher than eleventh before.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Distribution of DDoS attacks by country, Q4 2020 and Q1 2021 (download)

The Top 10 countries by number of DDoS targets traditionally corresponds closely to the ranking by number of attacks. The Q1 leader was the US (41.98%), whose share increased by 18.41 p.p. By contrast, China’s share fell by more than four times — from 44.49% to 10.77%, pushing it into second place. However, there are some minor differences in the two rankings. Hong Kong, for instance, dropped out of the Top 10 countries by number of targets, and the Netherlands moved up to third place (4.90%). The UK (4.62%) consolidated its position in fourth spot, while Canada (4.05%) dropped from sixth to seventh, just a fraction of a percentage point behind Germany (4.10%) and France (4.08%).

Brazil (3.31%), as in the ranking by number of DDoS attacks, moved up to eighth place, while Australia (2.83%) climbed tenth to ninth place, allowing Poland (2.50%) to sneak in at the foot of the table. Like Brazil, Poland is an infrequent guest in the Top 10.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Distribution of unique DDoS-attack targets by country, Q4 2020 and Q1 2021 (download)

DDoS attack dynamics

Q1 2021 got off to a dynamic start. DDoS activity peaked on January 10 and 11, when the number of attacks exceeded 1,800 per day. January posted several more days on which our systems recorded more than 1,500 attacks. As mentioned above, this surge in activity is most likely due to the brief drop in the Bitcoin price.
After a stormy start, there followed a relatively calm February, when for several days in a row — from the 13th to the 17th — the daily rate of DDoS attacks remained under 500. The quietest day was February 13, when we recorded just 346 attacks. Early March saw another peak, more modest than the January one: 1,311 attacks on the 3rd and 1,290 on the 4th. Note that, as before, this was preceded by a fall in the Bitcoin price.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Dynamics of the number of DDoS attacks, Q1 2021 (download)

In Q1 2021, DDoS attacks by day of the week were far more evenly spread than in the previous reporting period. The difference between the stormiest and the quietest days was 2.32 p.p. (versus 6.48 p.p. in Q4 2020). Saturday (15.44%) took the lion’s share of DDoS attacks, while Thursday (13.12%), last quarter’s leader, was this time the most inactive day. Overall, the share of days from Friday to Monday increased in the first three months of 2021, while midweek dipped slightly.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Distribution of DDoS attacks by day of the week, Q4 2020 and Q1 2021 (download)

Duration and types of DDoS attacks

The average DDoS attack duration in Q1 more than halved compared to Q4 2020. The proportion of very short attacks lasting less than four hours rose markedly (91.37% against 71.63% in the previous reporting period). In contrast, the share of longer attacks declined. Attacks lasting 5–9 hours lost 7.64 p.p., accounting for 4.14% of all attacks; only 2.07% of incidents lasted 10–19 hours, and 1.63% 20–49 hours. Attacks lasting 50–99 hours in Q1 made up less than 1% of the total. The shares of long (0.07%) and ultra-long (0.13%) attacks also fell slightly.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Distribution of DDoS attacks by duration, Q4 2020 and Q1 2021 (download)

The distribution of attacks by type continued to change. In Q1 2021, the seemingly unassailable leader, SYN flooding (26.36%), lost its grip on the ranking. This DDoS type shed 51.92 p.p. and finished third. Meanwhile, UDP (41.87%) and TCP flooding (29.23%) gained in popularity among attackers. GRE (1.43%) and HTTP flooding (1.10%), which round out the ranking, also posted modest growth.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Distribution of DDoS attacks by type, Q1 2021 (download)

In terms of botnet types, Linux-based bots were again responsible for the vast majority of attacks this quarter. Moreover, their share even rose slightly against the previous reporting period: from 99.80% to 99.90%.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Ratio of Windows/Linux botnet attacks, Q4 2020 and Q1 2021 (download)

Botnet distribution geography

The traditional leader in terms of C&C server hosting is the US (41.31%), and Q1 was no exception. Its share increased by 5.01 p.p. against Q4 2020. Silver and bronze again went to Germany (15.32%) and the Netherlands (14.91%), only this time they changed places: the share of the Netherlands fell, while Germany’s almost doubled.
Romania dropped from fourth to seventh place (2.46%), behind France (3.97%), the UK (3.01%), and Russia (2.60%). Canada held on to eighth position (1.92%), while Singapore and the Seychelles closed out the ranking, both posting 1.37% in Q1.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Distribution of botnet C&C servers by country, Q1 2021 (download)


The first quarter began with a surge in DDoS activity amid falling cryptocurrency prices, but on the whole it was relatively calm. At the same time, we observed several unexpected reshuffles. In particular, the US knocked China out of first place by both number of DDoS attacks and number of targets. SYN flooding, long the most common type of attack, gave way to UDP and TCP this time around.

As for Q2 forecasts, no significant shifts in the DDoS market are in sight at present. As is customary, much will depend on cryptocurrency prices, which are currently rising an all-time high. Besides, the experience of previous years shows that the second quarter is usually rather calmer than the first; so, barring any shocks, we can expect little change, perhaps a slight decline, in the DDoS market. That said, if the cryptocurrency market falls sharply, we forecast a rise in DDoS activity, driven largely by simple, short-lasting attacks.

Operation TunnelSnake

6 Květen, 2021 - 12:00

Windows rootkits, especially those operating in kernel space, are pieces of malware infamous for their near absolute power in the operating system. Usually deployed as drivers, such implants have high privileges in the system, allowing them to intercept and potentially tamper with core I/O operations conducted by the underlying OS, like reading or writing to files or processing incoming and outgoing network packets. The capability to blend into the fabric of the operating system itself, much like security products do, is the quality that earns rootkits their notoriety for stealth and evasion.

Having said that, the successful deployment and execution of a rootkit component in Windows has become a difficult task over the years. With Microsoft’s introduction of Driver Signature Enforcement, it has become harder (though not impossible) to load and run new code in kernel space. Even then, other mechanisms such as Kernel Patch Protection (also known as PatchGuard) make it hard to tamper with the system, with every change in a core system structure potentially invoking the infamous Blue Screen of Death.

Consequently, the number of Windows rootkits in the wild has decreased dramatically, with the bulk of those still active often being leveraged in high profile APT attacks. One such example came to our attention during an investigation last year, in which we uncovered a formerly unknown Windows rootkit and its underlying cluster of activity. We observed this rootkit and other tools by the threat actor behind it being used as part of a campaign we dubbed ‘TunnelSnake’, conducted against several prominent organizations in Asia and Africa.

In this blog post we will focus on the following key findings that came up in our investigation:

  • A newly discovered rootkit that we dub ‘Moriya’ is used by an unknown actor to deploy passive backdoors on public facing servers, facilitating the creation of a covert C&C communication channel through which they can be silently controlled;
  • The rootkit was found on networks of regional diplomatic organizations in Asia and Africa, detected on several instances dating back to October 2019 and May 2020, where the infection persisted in the targeted networks for several months after each deployment of the malware;
  • We observed an additional victim in South Asia, where the threat actor deployed a broad toolset for lateral movement along with the rootkit, including a tool that was formerly used by APT1. Based on the detection timestamps of that toolset, we assess that the attacker had a foothold in the network from as early as 2018;
  • A couple of other tools that have significant code overlaps with Moriya were found as well. These contain a user mode version of the malware and another driver-based utility used to defeat AV software.

We provided information about this operation in our threat intelligence portal in August 2020. More details and analysis are available to customers of our private APT reporting service. For more details contact: intelreports@kaspersky.com.

What is the Moriya rootkit and how does it work?

Our investigation into the TunnelSnake campaign started from a set of alerts from our product on a detection of a unique rootkit within the targeted networks. Based on string artefacts within the malware’s binaries, we named this rootkit Moriya. This tool is a passive backdoor which allows attackers to inspect all incoming traffic to the infected machine, filter out packets that are marked as designated for the malware and respond to them. This forms a covert channel over which attackers are able to issue shell commands and receive back their outputs.

The rootkit has two traits that make it particularly evasive. The packet inspection happens in kernel mode with the use of a Windows driver, allowing attackers to drop the packets of interest before they are processed by the network stack, thus ensuring they are not detected by security solutions. Secondly, the fact that the rootkit waits for incoming traffic rather than initiating a connection to a server itself, avoids the need to incorporate a C&C address in the malware’s binary or to maintain a steady C&C infrastructure. This hinders analysis and makes it difficult to trace the attacker’s footprints.

The figure below illustrates the structure of the rootkit’s components. They consist of a kernel mode driver and a user mode agent that deploys and controls it. In the following sections we will break down each of these components and describe how they operate to achieve the goal of tapping into the target’s network communication and blending in its traffic.

Fig. 1. The architecture of the Moriya rootkit

User mode agent analysis

The user mode component of the Moriya rootkit has two purposes. One is to deploy the kernel mode component of the malware on the machine and the other is to leverage the covert communication channel created by it to read shell commands sent from the C&C server to the compromised machine and to respond to them. Since Moriya is a passive backdoor intended to be deployed on a server accessible from the internet, it contains no hardcoded C&C address and relies solely on the driver to provide it with packets filtered from the machine’s overall incoming traffic.

The first order of business for the attacker when using Moriya is to gain persistence on the targeted computer. For this purpose, the user mode agent’s DLL contains an export function named Install, which is intended to create a service named ZzNetSvc with the description ‘Network Services Manager’ and start it. In turn, the path to the user mode agent’s image is set to the registry key HKLM\System\CurrentControlSet\Services\ZzNetSvc\Parameters\ServiceDll so that it will be invoked from its ServiceMain export each time the service is initiated.

Next, after the service is started, the agent will attempt to load the rootkit’s driver into the system. Its binary is bundled as two driver images within the DLL’s resource section, corresponding to 32- and 64-bit architectures, while in reality only one of them is written to disk. In the cases we analyzed, the agent DLLs were compiled for 64-bit systems, dropping a 64-bit driver to the drivers directory in the system path, under the name MoriyaStreamWatchmen.sys, hence the rootkit’s name.

Fig. 2. Code that writes the Moriya driver to disk

The agent uses a known technique whereby the VirtualBox driver (VBoxDrv.sys) is leveraged to bypass the Driver Signature Enforcement mechanism in Windows and load Moriya’s unsigned driver. DSE is an integrity mechanism mandating that drivers are properly signed with digital signatures in order for them to be loaded, which was introduced for all versions of Windows starting from Vista 64-bit. The technique used to bypass it was seen in use by other threat actors like Turla, Lamberts and Equation.

Moriya’s user mode agent bypasses this protection with the use of an open-source code[1] named DSEFIX v1.0. The user agent dumps an embedded VBoxDrv.sys image of version 1.6.2 to disk and loads it, which is then used by the aforementioned code to map Moriya’s unsigned driver to kernel memory space and execute it from its entry point. These actions are made possible through IOCTLs implemented in VBoxDrv.sys that allow writing to kernel address space and executing code from it. Throughout this process, the bypass code is used to locate and modify a flag in kernel space named g_CiOptions, which controls the mode of enforcement.

After the unsigned driver is loaded, the agent registers a special keyword that is used as a magic value, which will be sought in the first bytes of every incoming packet passed on the covert channel. This allows the rootkit to filter marked packets and block them for any application on the system other than the user mode agent. The registration of the value is done through a special IOCTL with the code 0x222004 sent to the driver, where a typical magic string is pass12.

Fig. 3. Registration of the packet magic value using a designated IOCTL

Except for its covert channel communication feature, Moriya is capable of establishing a reverse shell session using an overt channel. For this purpose, it waits for a special packet that consists of a message with the structure connect <c2_address> <c2_port>. The address and port are parsed and used by the agent to start a new connection to the given server, while creating a new cmd.exe process and redirecting its I/O to the connection’s socket. The handles for the newly created process and its main thread are destroyed to avoid detection.

In any other case, the agent attempts to read the incoming TCP payload from the driver, which will be retrieved as soon as a designated packet with a magic number and shell command is received. An attempt is made to read the data with a plain ReadFile API function as a blocking operation, i.e., reading is accomplished only once the buffer in kernel mode is populated with data from a Moriya-related packet.

Upon an incoming packet event, the agent creates a new cmd.exe process and redirects its I/O using named pipes. One pipe is used to read the retrieved shell command from the covert channel and the other is used to write the shell’s output (obtained from the stdout and stderr streams) back to it after execution. To write any data back, the agent uses the WriteFile API function with the driver’s handle.

All traffic passed on the channel is encoded with a simple encryption scheme. Every sent byte has its payload, following the magic string, XORed with the value 0x05 and then negated. Following the same logic, to decode the incoming traffic’s payload, every byte of it should be first negated and then XORed with 0x05.

Fig. 4. Code used for packet encoding

Kernel mode driver analysis

The Moriya rootkit’s driver component makes use of the Windows Filtering Platform (WFP) to facilitate the covert channel between the compromised host and the C&C server. WFP provides a kernel space API that allows driver code to intercept packets in transit and intervene in their processing by the Windows TCP/IP network stack. This makes it possible to write a driver that can filter out distinct packet streams, based on developer-chosen criteria, and designate them for consumption by a specific user mode application, as is the case in Moriya.

The driver fetches the distinct Moriya-related traffic using a filtering engine. This is the kernel mode mechanism used to inspect traffic according to rules that can be applied on various fields across several layers of a packet (namely data link, IP and transport), making it possible to handle matching packets with unique handlers. Such handlers are referred to as callout functions.

In the case of Moriya, the filtering engine is configured to intercept TCP packets, sent over IPv4 from a remote address. Each packet with these criteria will be inspected by a callout function that checks if its first six bytes correspond to the previously registered magic value, and if so, copies the packet contents into a special buffer that can be later read by the user mode agent. The matching packet will then be blocked in order to hide its presence from the system, while any other packet is permitted to be processed as intended by the network stack.

To allow the crafting of a response back to the server, the callout function saves a special value in a global variable that identifies the received TCP stream. This value is called a flowHandle, and is taken from the packet’s corresponding FWPS_INCOMING_METADATA_VALUES0 struct. When the user issues a response to the server via the driver, the latter would craft a new packet using the FwpsAllocateNetBufferAndNetBufferList0 function and insert the response data and target server based on the saved flowHandle to it, using the function FwpsStreamInjectAsync0.

Fig. 5. Code that creates a new packet, designates it for the flow of the corresponding incoming TCP packet and injects data written from user space into it

As formerly mentioned, the driver registers several functions that are exposed to the user mode agent in order to interact with it:

  • IRP_MJ_READ: used to allow the user mode agent to read the body of a Moriya TCP packet from a special buffer to which it is copied upon receipt. The function itself waits on an event that gets signaled once such a packet is obtained, thus turning the ReadFile function called by the user mode agent into a blocking operation that will wait until the packet is picked up by the driver.
  • IRP_MJ_WRITE: injects user-crafted data into a newly created TCP packet that is sent as a response to an incoming Moriya packet from the server.
  • IRP_MJ_DEVICE_CONTROL: used to register the keyword to check the beginning of every incoming TCP packet in order to identify Moriya-related traffic. The passed magic is anticipated to be six characters long.

Fig. 6. Code used for registering the packet magic value from the driver side

How were targeted servers initially infected?

Inspecting the systems targeted by the rootkit, we tried to understand how they got infected in the first place. As previously mentioned, Moriya was seen deployed mostly on public-facing servers within the victim organizations. In one case, we saw the attacker infect an organizational mail server with the China Chopper webshell, using it to map the victim’s

network and then deploy other tools in it. Moriya’s user mode agent was explicitly installed using a command line executed on the targeted server this way. This command and examples of others run on the victim machine via the webshell can be seen below.

"cmd" /c cd /d C:\inetpub\wwwroot\&ipconfig -all "cmd" /c cd /d C:\inetpub\wwwroot\&reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest "cmd" /c cd /d C:\inetpub\wwwroot\&$public\acmsetup.exe "cmd" /c cd /d C:\inetpub\wwwroot\&query user "cmd" /c cd /d C:\inetpub\wwwroot\&ipconfig/all "cmd" /c cd /d C:\inetpub\wwwroot\&ping google.com "cmd" /c cd /d C:\inetpub\wwwroot\&netstat -anp tcp "cmd" /c cd /d C:\inetpub\wwwroot\&tasklist /v "cmd" /c cd /d C:\inetpub\wwwroot\&whoami "cmd" /c cd /d C:\inetpub\wwwroot\&cd $windir\web\ "cmd" /c cd /d $windir\Web\&rundll32 MoriyaServiceX64.dll, Install "cmd" /c cd /d C:\inetpub\wwwroot\&ipconfig/all "cmd" /c cd /d C:\inetpub\wwwroot\&time /t ...

In general, we assess that the group’s modus-operandi involves infiltrating organizations

through vulnerable web servers in their networks. For example, an older variant of Moriya named IISSpy (described below) targets IIS web servers. Our telemetry shows that it was likely deployed by exploiting CVE-2017-7269 to let the attackers gain an initial foothold on a server prior to running the malware.

Post exploitation toolset

During our investigation we found a target in South Asia that enabled us to get a glimpse into some of the other tools that we assess were in use by the same attacker. The toolset includes programs used to scan hosts in the local network, find new targets, perform lateral movement to spread to them and exfiltrate files. While most of the tools seem custom made and tailored for the attackers’ activities, we could also observe some open-source malware frequently leveraged by Chinese-speaking actors. Following is an outline of these tools based on their purpose in the infection chain.

  • Network Discovery: custom built programs used to scan the internal network and detect vulnerable services.
    • HTTP scanner: command-line tool, found under the name ‘8.tmp’, which discovers web servers through banner grabbing. This is done by issuing a malformed HTTP packet to a given address, where no headers are included and the request is succeeded with multiple null bytes.

      Fig. 7. Malformed packet generated by HTTP scanner

      If the server responds, the output will be displayed in the console, as shown below.

      Fig. 8. Console output with a server response displayed upon discovery of a new server in the network

    • DCOM Scanner: another command-line utility that attempts to connect to a remote host on TCP port 135 (RPC), and use the DCOM IOxidResolver interface to resolve addresses assigned to all network interfaces available on the remote system.

      Fig. 9. Output of the DCOM scanner utility

  • Lateral Movement: tools used to spread to other hosts in the targeted networks.
    • BOUNCER: malware that was first described by Mandiant in their 2013[2] report on APT1. This tool is another passive backdoor that waits for incoming connections on a specific port and provides different features, as outlined below, that can be used to control a remote host and facilitate lateral movement from it.
      0x01: Proxy Init Connection 0x02: Proxy Send Packet 0x03: Proxy Close Connection 0x07: Execute Shellcode 0x0A: Kill Bot 0x0C: Reverse Shell CMD 0x0D: Delete File 0x0E: Execute local program 0x0F: Enumerate Servers In Domain and save output in gw.dat 0x10: Enumerate SQL Servers and save output in sql.dat 0x12: Reverse Shell CreateProcess 0x16: Upload File - Write Data 0x17: Download File - Finish 0x1E: Download File - Start 0x1F: Upload File - Start 0x2D: Enumerate Servers 0x2E: Enumerate SQL Server 0x2F: Enumerate Servers Verbose 0x30: Enumerate Users 0x32: Do nothing The BOUNCER sample that we observed contained a string that indicates which command-line arguments it anticipates:
      usage:%s IP port [proxip] [port] [key] However, the backdoor is configured to accept only the port number on which it will listen.

      We saw two versions of this backdoor, initiated by two different launchers. The first one is an executable file named nw.tmp that decrypts an embedded payload using the RC4 algorithm and injects it into a newly spawned svchost.exe process. The injected payload is similar to one described by Mandiant in 2013, which is yet another intermediate loader that decrypts and loads an embedded BOUNCER DLL. The last stage is started by invoking the DLL’s dump export with the arguments passed via the command line.

      The other version was stored with the name rasauto.dll in the system directory, impersonating the Windows Remote Access Auto Connection Manager library. Like the other version, it decrypts an embedded DLL using RC4, but this time uses no intermediate stage, instead directly calling the DLL’s dump export without arguments. The decrypted library is a slightly modified BOUNCER variant that always listens on the hardcoded port 1437.

      Fig. 10. Code from the second BOUNCER variant that uses the hardcoded port 1437 to listen for new packets

      Based on compilation timestamps of all BOUNCER-related executables, as shown below, we assess that the attacker reused old samples of the malware rather than compiled new versions of it:

      nw.tmp – stage 0 - launcher - 08-03-2017 03:56:24 nw.tmp – stage 1 - embedded loader - 26-08-2014 04:49:58 nw.tmp – stage 2 - embedded BOUNCER backdoor - 28-05-2012 13:44:37 rasauto.dll - stage 0 – loader 26-08-2013 09:37:08 rasauto.dll - stage 1 - embedded BOUNCER backdoor - 26-08-2013 09:36:27

    • Custom PSExec: the attacker deployed a tool to execute commands remotely on compromised machines. Like the original PSExec tool, this one consists of two components – a client named tmp and a service named pv.tmp. In order to use the tool, the attacker has to execute it via a command line with the parameters specified below.

      Usage: psexec <hostname >   psserve_path  exefilename  ServerName[option]\n

      The service component is a tiny program that uses the CreateProcessA API to start a program specified as an argument. The client component uses the Service Control Manager (SCM) API to create a service on the target machine. If the ServerName argument is not specified, the service will be named Server%c%c where %c is a random lower case character. The exefilename argument is then passed to the StartServiceA function in order to initiate the command execution.

      Fig. 11. Code used to create and start the service on targeted host

      It is worth noting that the program has some limitations. Compared with the original PSExec, it is not able to copy the service binary (i.e., pv.tmp, which has its path specified in the psserve_path argument) to a remote machine, but rather assumes it is already present on it. Besides, it cannot handle network credentials, limiting the ability to execute commands as other users, nor does it support pipes, which means it does not receive the output of the commands it issues.

  • Exfiltration: multi-platform utilities commonly used to establish connections with remote hosts and conduct file system operations on them, including file upload and download.
    • Earthworm and Termite: well-known command-line utilities developed to facilitate intrusion into intranet networks. These programs are multiplatform and can be deployed on various architectures. Earthworm is used to create tunnels between compromised hosts and transfer data.

      Fig. 12. Earthworm help message

      Termite provides additional features to download and upload files between the compromised hosts, as well as a way to spawn a remote shell to control the targeted machine.

      Fig. 13. Termite help message

    • TRAN: another tool that we detected under the filename tmp that was used to transfer data between compromised hosts. The binary we saw operated as a loader that embodies a tiny web server encrypted with the RC4 algorithm within it. This server is later injected into a newly created legitimate schtask.exe process and usually listens on port 49158. It is used for managing files uploaded by the attacker into an in-memory virtual file system maintained by the malware.By default the file system includes a tiny program named client.exe, which can be downloaded by any host using a standard HTTP GET request to the path /client.exe. This file is a command-line utility that can be used to control the virtual file system managed by the server, through one of several available commands outlined below.

      Fig. 14. Client.exe help message

IISSpy: tracing Moriya back to a user-mode rootkit

IISSpy is an older user-mode version of the Moriya rootkit that we were able to pinpoint in our telemetry. It is used to target IIS servers for establishing a backdoor in their underlying websites. It was detected on a machine in 2018, unrelated to any of the attacks in the current operation. This suggests the threat actor has been active since at least that year.

The malware, which comes as a DLL, achieves its goals by enumerating running IIS processes on the server (i.e., those that are executed from the image w3wp.exe), and injecting the malware’s DLL into them to alter their behavior. The executed code in the IIS processes will then set inline hooks for several functions, most notably CreateFileW.

The corresponding CreateFileW hook function checks if the filename argument contains the directory ‘\MORIYA\’ or ‘\moriya\’ in its path, and if so, infers that the attacker has sent a specially crafted HTTP request to the web server. In this request, the Moriya path in the URL is followed by an encoded command. After the command is decoded and processed, it is passed via a mailslot (\\.\mailslot\slot) to a separate thread, while signaling an event called Global\CommandEvent.

Fig. 15. Code of the CreateFileW hook function that looks for the ‘MORIYA’ \ ‘moriya’ directory in a request path

Should the currently handled file contain the Moriya path, the very same hook function will generate a special file on the web server to which command execution output will be written. This file’s path is created by finding the position of the ‘\MORIYA\’ or ‘\moriya\’ strings in the inspected filename argument, and replacing it with the string ‘\IISINFO.HTM’. This will then be appended to the command data passed on the mailslot, following a ‘ > ‘ character.

The other thread waiting on the command event mentioned above is in charge of processing attacker data fetched from the mailslot. Any such command will be read and parsed to find the ‘ > ‘ character and the file path that follows it, in this case the one corresponding to ‘IISINFO.HTML’. After executing the command via cmd.exe, the output will be written to the file in this path, allowing the attacker to read it by issuing a corresponding HTTP request where the URL path leads to this file on the server.

Other functions that are hooked in the IIS process are CreateProcessAsUserW and CreateProcessW. These are used to detect if the current process spawns a new server instance, which will in turn be injected with the malware’s DLL. Apart from this, IISSpy will also create a monitoring thread that will periodically look for newly created httpd.exe processes, corresponding to the Apache server. If detected, the malware will be injected to them as well.

Although it is evident from both the functionality and use of the Moriya keyword by the malware that IISSpy and the Moriya rootkit are related, further evidence in the code substantiates the connection:

  • The older variant is capable of creating a reverse shell transmitted through an overt channel in exactly the same way as the more recent version of the malware, i.e., it identifies a connect request followed by a C&C server address and port, connects to it and redirects the IO of a new exe process to the underlying socket.
  • Both variants use the same packet encoding and decoding algorithm, whereby each clear-text byte is XORed with 0x5 and negated, and vice-versa.

Fig. 16. Packet decoding loop that follows the same logic as that used in Moriya

  • In both cases the developers left a trail of unique debug messages, issued to the OutputDebugString API function. An example of such a string used in identical code in the two variants is shown below.

Fig. 17. Code used in both variants to spawn a new shell, while printing unique debug messages

  • Both implants are deployed by invoking an export function named Install that creates a service that allows persistent execution, with the malware’s logic residing in the ServiceMain Moreover, the Install functions are highly similar to one another.

Fig. 18. Comparison of Install export function CFGs between IISSpy and Moriya

The ProcessKiller rootkit vs. security products

Another interesting artefact found in our telemetry that could be tied to the developers of Moriya is a malware named ProcessKiller. As its name suggests, it is intended to eliminate execution of processes, with the use of a kernel mode driver. Ultimately, this tool is used to shut down and block initiation of AV processes from kernel space, thus allowing other attack tools to run without being detected.

This malware operates through the following stages:

  • An attacker calls the malware’s DLL from an export named Kill, passing it a list of process names it would like to shut down and block as a command-line argument.
  • The malware writes a driver that is embedded as a resource within it, impersonating a Kaspersky driver under the path %SYSTEM%\drivers\kavp.sys.
  • There is an attempt to load the driver using the Service Control Manager. However, since it is not signed and loading is prone to fail on Windows versions above Vista 64-bit, the malware uses the same DSEFix code to bypass Digital Signature Enforcement as witnessed in Moriya’s user mode agent.
  • The malware parses the process names passed as arguments and creates a vector of ‘blacklisted processes’ out of them.
  • For each process in the list, the malware detects its PID and issues it through an IOCTL with code 0x22200C to the driver which is in charge of shutting it down from kernel space. The shutdown is carried out by locating the process object with the function PsLookupProcessByProcessId and then terminating it with ZwTerminateProcess.
  • The list of processes is then passed via another IOCTL with the code 0x222004 to the driver, which inserts each member of it to a linked list in kernel space. When the driver is bootstrapped, it registers a callback for newly created processes through the PsSetCreateProcessNotifyRoutineEx function, which inspects the image name of the created process and compares it against those found in the linked list. If a match is found, the process creation status in the PPS_CREATE_NOTIFY_INFO structure will be set to STATUS_UNSUCCESSFUL, signaling the user space API function that process creation failed.
  • At this point any other malware can theoretically operate without being detected.
  • If the attacker wishes to disable blacklisting, it can be done by issuing an IOCTL with the code 0x222008, which would destroy the linked list of blacklisted processes.

Once again, the connection to Moriya is based on several observations:

  • Distinct debug error messages, as the one presented below.

Fig. 19. Unique debug message that appears in ProcessKiller and Moriya

  • Filename of the same structure, i.e., Moriya’s agent is internally named ‘MoriyaServiceX64.dll’, and ProcessKiller’s DLL is named ‘ProcessKillerX64.dll’
  • Usage of the exact same DSEFix code to load an unsigned driver.
What do we know about the threat actor?

Unfortunately, we are not able to attribute the attack to any particular known actor, but based on the TTPs used throughout the campaign, we suppose it is a Chinese-speaking one. We base this on the fact that the targeted entities were attacked in the past by Chinese-speaking actors, and are generally located in countries that are usually targeted by such an actor profile. Moreover, the tools leveraged by the attackers, such as China Chopper, BOUNCER, Termite and Earthworm, are an additional indicator supporting our hypothesis as they have previously been used in campaigns attributed to well-known Chinese-speaking groups.

Who were the targets?

Based on our telemetry the attacks were highly targeted and delivered to less than 10 victims around the world. The most prominent victims are two large regional diplomatic organizations in South-East Asia and Africa, while all the others were victims in South Asia.


The TunnelSnake campaign demonstrates the activity of a sophisticated actor that invests significant resources in designing an evasive toolset and infiltrating networks of high-profile organizations. By leveraging Windows drivers, covert communications channels and proprietary malware, the group behind it maintains a considerable level of stealth. That said, some of its TTPs, like the usage of a commodity webshell and open-source legacy code for loading unsigned drivers, may get detected and in fact were flagged by our product, giving us visibility into the group’s operation.

Still, with activity dating back to at least 2018, the threat actor behind this campaign has shown that it is able to evolve and tailor its toolset to target environments. This indicates the group conducting these attacks may well still be active and retooling for additional operations in the area of interest outlined in this publication, as well as other regions. With that in mind, we continue to track this attacker and look for signs of its reappearance in the wild. Any findings and updates will be made available to customers of our Threat Intelligence Portal.

For more information about operation TunnelSnake and the underlying threat actor, contact us at: intelreports@kaspersky.com.
To learn more on reverse engineering and malware analysis from Kaspersky GReAT experts, check out the website http://xtraining.kaspersky.com.

IOCs 48307C22A930A2215F7601C78240A5EE Moriya Agent A2C4EE84E3A95C8731CA795F53F900D5 Moriya 64-bit Driver 5F0F1B0A033587DBCD955EDB1CDC24A4 IISSpy C1159FE3193E8B5206006B4C9AFBFE62 ProcessKiller DA627AFEE096CDE0B680D39BD5081C41 ProcessKiller Driver – 32-bit 07CF58ABD6CE92D96CFC5ABC5F6CBC9A ProcessKiller Driver – 64-bit 9A8F39EBCC580AA56D6DDAF5804EAE61 pv.tmp (Custom PSExec Server) 39C361ABB74F9A338EA42A083E6C7DF8 pc.tmp (Custom PsExec Client) DE3FB65461EE8A68A3C7D490CDAC296D tran.tmp (Exfiltration tool) EAC0E57A22936D4C777AA121F799FEE6 client.exe (Utility embedded in tran.tmp) D745174F5B0EB41D9F764B22A5ECD357 rasauto.dll (Bouncer Loader) 595E43CDF0EDCAA31525D7AAD87B7BE4 8.tmp (HTTP )Scanner 9D75B50727A8E732DB0ADE7E270A7395 ep.tmp DCOM Scanner 3A4E1F3F7E1BAAB8B02F3A8EE20F98C9 nw.tmp Bouncer Loader 47F2D06713DAD556F535E523B777C682 Termite 45A5D9053BC90ED657FA90DE0B775E8F Earthworm

[1] Today a copy of the original code can be found here: http://www.m5home.com/bbs/thread-8043-1-1.html

[2] https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

Spam and phishing in Q1 2021

3 Květen, 2021 - 12:00

Quarterly highlights Banking phishing: new version of an old scheme

In Q1 2021, new banking scams appeared alongside ones that are more traditional. Clients of several Dutch banks faced a phishing attack using QR codes. The fraudsters invited the victim to scan a QR code in an email, ostensibly to unblock mobile banking. In actual fact, scanning the code resulted in a data leak, money theft or device infection, if it contained a link to a web page with malware.

To lure users to their sites, phishers exploited the COVID-19 topic. In particular, in a newsletter purporting to be from the MKB bank, recipients were asked to catch up on the latest news about the pandemic and measures taken by the bank. The link pointed to a fake Outlook authorization page.

This past year, cybercriminals have actively exploited the topic of government payouts, most often in relation to damage caused by the pandemic. In Q1 2021, scammers imitating bank emails began to focus on compensation. The links in their messages took the victim to a well-designed phishing pages with official emblems, business language and references to relevant laws. The attacks were mostly aimed at stealing any card details and personal data.

However, users of specific banks were also targeted. In this case, the focus was on copying the external attributes of the bank’s website to create a near-indistinguishable phishing version.

Vaccine with cyberthreat

COVID-19 vaccination was one of the hottest global topics, and hence highly attractive to scammers. Cybercriminals took advantage of people’s desire to get vaccinated as quickly as possible. For instance, some UK residents received an email that appeared to come from the country’s National Health Service. In it, the recipient was invited to be vaccinated, having first confirmed their participation in the program by clicking on the link.

In another mailing, the attackers focused on age — people over 65 were asked to contact a clinic to receive a vaccine.

In both cases, to make a vaccination appointment, a form had to be filled out with personal data; and in the first case, the phishers also wanted bank card details. If the victim followed all the instructions on the fake website, they handed their money and personal data to the attackers.

Another way to gain access to users’ personal data and purse strings was through fake vaccination surveys. Scammers sent out emails in the name of large pharmaceutical companies producing COVID-19 vaccines, or of certain individuals. The message invited the recipient to take part in a short survey.

Participants were promised a gift or cash reward for their help. After answering the questions, the victim was redirected to a page with the “gift.”

Having consented to receive the prize, the user was asked to fill out a detailed form with personal information. In some cases, the attackers also asked for payment of a token amount for delivery. However, if the victim went ahead and entered their bank card details, the amount charged was several times higher. Needless to say, no gift materialized.

The vaccination topic could hardly be ignored by spammers offering services on behalf of Chinese manufacturers. The emails mentioned lots of products related to diagnosis and treatment of the virus, but the emphasis was on the sale of vaccination syringes.

Such offers may look very favorable, but the likelihood of a successful deal is zero. Most if not all of the time, the “business partners” simply vanish into thin air after receiving the agreed prepayment.

Corporate segment: on-the-job fraud

Corporate usernames and passwords remain a coveted prize for scammers. To counter people’s increasingly wary attitude to emails from outside, attackers try to give their mailings a respectable look, disguising them as messages from business tools and services. By blending into the workflow, the scammers calculate that the user will be persuaded to follow the link and enter data on a fake page. For example, a “notification” from Microsoft Planner invited the user to review their tasks for the coming month. The link redirected them to a phishing page requesting their Microsoft account credentials.

In the Runet (Russian internet), we found an email seemingly from the support department of an analytics portal. The messages talked about recent updates and suggested checking the availability of the resource. The link also required entering corporate account credentials.

Old techniques, such as creating a unique fake page using JavaScript, were combined in Q1 with overtly business-themed phishing emails. If previously scammers used common, but not always business-oriented services as bait, the new batch of emails cited an urgent document awaiting approval or contract in need of review.

Every little bit helps

Since the end of last year, we have observed fraudulent emails and fake pages urging users to pay a small sum for certain services. The payment indicated in the fake email was often so tiny that the potential victim could ignore the risks. For example, in one of the emails below, the cybercriminals ask for just 1.99 rubles (US$0.027). The calculation was simple: users would be less averse to paying a small amount than a larger one, which means more potential victims willing to enter card details on the bogus site. To make the emails more convincing, they imitated commonly used services. For example, delivery services — messages from which are often faked — led the field. The potential victim was asked to pay for customs clearance or package delivery. However, the scammers did not fake the courier service emails very well: they were readily given away by the address in the From field or by the invalid tracking number indicated in the email.

Besides delivery, scammers found other reasons for mailing out “invoices.” In particular, fake notifications about payment for domain usage or even an expired WhatsApp subscription did the rounds. In the latter case, the very mention of a paid subscription should sound an alarm, since even the business version of WhatsApp is free.

Although the scammers asked for a token payment in the email, in reality, if successful, they siphoned off far more than that from the victims’ account, and swiped their bank card details. This danger is ever-present when entering data on dubious websites.

Intrigue: emails from strangers

In March, we identified a targeted mailing to the addresses of an educational institution. The email reported a hack of the database of the school’s partner company, which resulted in the intruders getting their hands on the personal data of students and employees. The company refused to pay the ransom, so now the school administration must prepare for the worst: the data might find its way onto darknet, and from there to even worse criminals, who could use it to enter the school building under the guise of an employee. To convince the school leaders of the reality of the looming threat, the email authors advised clicking the provided link and viewing a portion of the stolen database. The link led to a site in the .onion domain, which can only be opened using the Tor browser. Behind the link was a C&C server that was accessed by malware (various ransomware, including Trojan-Banker.Win32.Danabot). A link to this resource was also contained in ransom messages from the attackers, and in some cases malware was downloaded from it. If a curious employee visited this resource, they risked launching the ransomware in the school’s network or facing a demand to pay the ransom on behalf of the partner company.

Cybercriminals adopted an interesting tactic to attack Facebook users. The potential victim received an email saying that their account had violated the social network’s terms of use. To avoid the account being deleted, the scammers advised the recipient to follow the link and lodge an appeal. At the same time, the window for doing so was very short so as to hurry the victim into acting quickly without scrutinizing the message. The email would have been no different from any other aimed at stealing Facebook credentials, but for one nuance: the link in the message pointed to an actual Facebook page.

Resembling an official notice, the page stated that an erroneous decision to block an account could be disputed by following the link provided. In reality, it was a note in a Facebook user’s profile, which the sharp-eyed user could have discerned from the word “notes” in the address. Clicking the link in the note took the victim straight to a phishing site. The attackers’ calculation was simple: first lull the victim’s vigilance with a legitimate link, then get them to enter their credentials on a fake page.

Statistics: spam Proportion of spam in mail traffic

In Q1 2021, the share of spam in global mail traffic continued to decline and averaged 45.67%, down 2.11 p.p. against Q4 2020 (47.78%).

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Proportion of spam in global email traffic, Q4 2020 and Q1 2021 (download)

The highest percentage of junk mail was recorded in January (46.12%). This is 0.71 p.p. less than the lowest figure in 2020 (46.83%). The calmest month was March, in which spam accounted for only 45.10% of all emails.

In the Runet, the average share of spam was also lower than in Q4 48.56% versus 50.25%. As was generally the case worldwide, the most turbulent month of the reporting period was January (49.76%), and the quietest was March (47.17%). In contrast to the global picture, January’s share of spam in the Runet was 1.30 p.p. higher than December’s (49.76% versus 48.46%).

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Proportion of spam in Runet mail traffic, Q4 2020 and Q1 2021 (download)

Sources of spam by country

In 2020, Russia and Germany led the pack by volume of outgoing spam. In Q1 2021, they remained out in front: Russia accounted for 22.47% of spam, and Germany’s share was 14.89%. Third place went to the US (12.98%), and fourth to China (7.38%).

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Sources of spam by country, Q1 2021 (download)

The Netherlands (4.18%) ranked fifth, followed by France (3.69%) and Spain (3.39%). Poland (2.39%), Brazil (2.37%) and Japan (2.23%) round out the Top 10.

Malicious mail attachments

In Q1 2021, Kaspersky solutions detected 38,195,315 malicious mail attachments. This is almost 3 million fewer than in the last three months of 2020. That said, the number of attachments blocked by Mail Anti-Virus grew during the quarter.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Number of Mail Anti-Virus triggerings, Q4 2020 and Q1 2021 (download)

Malware families

The most common Trojans detected by our solutions in mail attachments came from the Agensla family (8.91%). These malicious programs specialize in stealing credentials from browsers, as well as from mail and FTP clients. In second place came exploits for the CVE-2017-11882 vulnerability in the Microsoft Equation Editor component, which were detected in 6.38% of cases. Third position this time was taken by Trojans from the Badun family (5.79%). Malicious programs disguised as e-documents are detected with this verdict. Malware from the Badun family most often spreads through archives.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Top 10 malware families in mail traffic, Q1 2021 (download)

Fourth place went to SAgent (4.98%) — documents containing a VBA script that runs PowerShell to covertly download other malware. The fifth- and sixth-placed families are Taskun (3.79%) — programs that create malicious tasks in Windows Task Scheduler, and ISO (3.69%) — malicious disk images distributed by email. In seventh place is the Noon spyware (2.41%), which steals passwords from browsers and reads keystrokes. In eighth is the Crypt family (2.16%), which consists of highly obfuscated or encrypted software. The Top 10 is rounded out by Androm backdoors (2.05%) and worms coded in Visual Basic (1.66%).

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Top 10 malicious attachments, Q1 2021 (download)

The Top 10 most common malicious attachments in Q4 corresponds exactly to the ranking of families. This suggests that each of the above-described families was widespread largely due to one member.

Countries targeted by malicious mailings

Our solutions registered the largest number of attempts to open malicious attachments in Spain (8.74%). This country was the top malicious mailing target throughout 2020, and held on to first place in this reporting quarter. Italy (7.59%) moved up to second place, and third place went to Germany (5.84%).

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Countries targeted by malicious mailings, Q1 2021 (download)

In fourth position in Q1 was the UAE (5.25%), with Russia (4.88%) closing out the Top 5.

Statistics: phishing

In Q1 2021, our Anti-Phishing system prevented 79,608,185 attempted redirects to fraudulent websites. 5.87% of Kaspersky users encountered phishing, and 695,167 new masks were added to the anti-phishing databases.

Geography of phishing attacks

This quarter, phishing attacks affected a relatively small proportion of our users, both overall and in specific countries. The leader was France, where 9.89% of all users of Kaspersky solutions tried to follow a fraudulent link at least once during the reporting period.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Distribution of phishing attacks by country, Q1 2021 (download)

Israel placed second and Hungary third, where 8.45% and 8.27% of users, respectively, encountered phishing pages. Meanwhile, Brazil (7.94%), which topped the rating in 2020, only managed ninth position in Q1.

Top-level domains

As usual, the largest share of phishing sites that users attempted to visit in the period January–March 2021 were located in the .com domain zone (32.80%). The second most popular domain among scammers this time around was .xyz (11.38%). Bronze goes to the .tk domain zone (3.24%), belonging to the Tokelau Islands, a dependent territory of New Zealand, in the Pacific Ocean. Tokelau domains are cheap to rent, and so popular with phishers.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Top-level domain zones most commonly used for phishing, Q1 2021 (download)

Also prevalent this quarter were phishing sites that were not assigned domain names (2.78%). Such resources were the fourth most popular. In fifth spot, just 0.01 p.p. behind, was the Russian domain .ru (2.77%).

Organizations under attack

The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an email message or on the web, as long as links to these pages are present in the Kaspersky database.

The Top 10 organizations used by phishers as bait remained practically unchanged in Q1 relative to 2020. Online stores (15.77%) still lead the way, followed by global internet portals (15.50%) and banks (10.04%). Fraudsters’ continued targeting of users of electronic trading platforms is explained by the pandemic-related restrictions that remained in force in many countries this quarter.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Distribution of organizations targeted by phishers, by category in Q1 2021 (download)


In Q1 2021, we largely saw a continuation of the 2020 trends. Cybercriminals are still actively using the COVID-19 theme to entice potential victims. And as coronavirus vaccination programs have been rolled out, spammers have adopted it as bait. Corporate account hunters continue to hone their techniques to make their emails as convincing as possible. Meanwhile, phishers who prey on personal accounts are still actively spoofing the websites of online stores, which have risen in popularity due to the pandemic.

Attackers will likely carry on exploiting the COVID-19 vaccination topic in Q2. Moreover, we can expect new fraudulent schemes to emerge. Scams related to compensation for damages caused to individuals and companies worldwide will not go away any time soon, too. Moreover, Q2 may see an associated rise in the number of fraudulent schemes offering payments from governments or other structures. And as the summer season approaches, an increase in the number of emails related to tourism is possible; however, due to the pandemic, it is likely to be small. On the other hand, cybercriminals will almost certainly continue to actively hunt corporate account credentials, exploiting the fact that many companies are still in remote working mode and communication among employees is predominantly online.

APT trends report Q1 2021

27 Duben, 2021 - 12:00

For four years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.

This is our latest installment, focusing on activities that we observed during Q1 2021.

Readers who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact intelreports@kaspersky.com.

The most remarkable findings

In December, SolarWinds, a well-known IT managed services provider, fell victim to a sophisticated supply-chain attack. The company’s Orion IT, a solution for monitoring and managing customers’ IT infrastructure, was compromised. This resulted in the deployment of a custom backdoor, named Sunburst, on the networks of more than 18,000 SolarWinds customers, including many large corporations and government bodies, in North America, Europe, the Middle East and Asia. In our initial report on Sunburst, we examined the method used by the malware to communicate with its C2 (command-and-control) server and the protocol used to upgrade victims for further exploitation. Further investigation of the Sunburst backdoor revealed several features that overlap with a previously identified backdoor known as Kazuar, a .NET backdoor first reported in 2017 and tentatively linked to the Turla APT group. The shared features between Sunburst and Kazuar include the victim UID generation algorithm, code similarities in the initial sleep algorithm and the extensive usage of the FNV1a hash to obfuscate string comparisons. There are several possibilities: Sunburst may have been developed by the same group as Kazuar; the developers of Sunburst may have adopted some ideas or code from Kazuar; both groups obtained their malware from the same source; some Kazuar developers moved to another team, taking knowledge and tools with them; or the developers of Sunburst introduced these links as a form of false flag. Hopefully, further analysis will make things clearer.

On March 2, Microsoft reported a new APT actor named HAFNIUM, exploiting four zero-days in Exchange Server in what they called “limited and targeted attacks”. At the time, Microsoft claimed that, in addition to HAFNIUM, several other actors were exploiting them as well. In parallel, Volexity also reported the same Exchange zero-days being in use in early 2021. According to Volexity’s telemetry, some of the exploits in use are shared across several actors, besides the one Microsoft designates as HAFNIUM. Kaspersky telemetry revealed a spike in exploitation attempts for these vulnerabilities following the public disclosure and patch from Microsoft. During the first week of March, we identified approximately 1,400 unique servers that had been targeted, in which one or more of these vulnerabilities were used to obtain initial access. Prior to the posts, on February 28, we identified related exploitation on less than a dozen Exchange systems; we also found more than a dozen Exchange artefacts indicating exploitation uploaded to multi-scanner services. According to our telemetry, most exploitation attempts were observed for servers in Europe and the United States. Some of the servers were targeted multiple times by what appear to be different threat actors (based on the command execution patterns), suggesting the exploits are now available to multiple groups.

We have also discovered a campaign active since mid-March targeting governmental entities in the Russian Federation, using the aforementioned Exchange zero-day exploits. This campaign made use of a previously unknown malware family we dubbed FourteenHi. Further investigation revealed traces of activity involving variants of this malware dating back a year. We also found some overlaps in these sets of activities with HAFNIUM in terms of infrastructure and TTPs as well as the use of ShadowPad malware during the same timeframe.


During routine monitoring of detections for FinFisher spyware tools, we discovered traces that point to recent FinFly Web deployments. In particular, we discovered two servers with web applications that we suspect, with high confidence, were generated using FinFly Web. FinFly Web is, in essence, a suite of tools and packages that implement a web-based exploitation server. It was first publicly documented in 2014, in the aftermath of the Gamma Group hacking incident. One of the suspected FinFly Web servers was active for more than a year between October 2019 and December 2020. This server was disabled a day after our discovery last December. Nevertheless, we were able to capture a copy of its landing page, which included JavaScript used to profile victims using what appears to be previously unknown code. In the second case, the server hosting FinFly Web was already offline at the moment of discovery, so we drew our conclusions using available historical data. As it turned out, it was active for a very short time around September 2020 on a host that appears to have been impersonating the popular Mail.ru service. Surprisingly, this server began answering queries again on January 12. So far, we haven’t seen any related payloads being dropped by these web pages.

Russian-speaking activity

Kazuar is a .NET backdoor usually associated with the Turla threat actor (aka Snake and Uroboros). Recently, Kazuar received renewed interest due to its similarities with the Sunburst backdoor. Although the capabilities of Kazuar have already been exposed in public research, many interesting facts about this backdoor were not made public. Our latest reports focus on the changes the threat actor made to the September and November versions of its backdoor.

On February 24, the National Security Defense Council of Ukraine (NSDC) publicly warned that a threat actor had exploited a national documents circulation system (SEI EB) to distribute malicious documents to Ukrainian public authorities. The alert contained a few related network IoCs, and specified that the documents used malicious macros in order to drop an implant onto targeted systems. Thanks to the shared IoCs, we were able to attribute this attack, with high confidence, to the Gamaredon threat actor. The malicious server IP mentioned by the NSDC has been known to Kaspersky since February as Gamaredon infrastructure.

On January 27, the French national cybersecurity agency (ANSSI) published a report describing an attack campaign that targeted publicly exposed and obsolete Centreon systems between 2017 and 2020, in order to deploy Fobushell (aka P.A.S.) webshells and Exaramel implants. ANSSI associated the campaign with the Sandworm intrusion-set, which we refer to as Hades. Although we specifically looked for additional compromised Centreon systems, Exaramel implant samples or associated infrastructure, we were unable to retrieve any useful artifacts from which we could initiate a comprehensive investigation. However, we did identify three Centreon servers where a Fobushell webshell had been deployed. One of those Fobushell samples was identical to another we previously identified on a Zebrocy C2 server.

Chinese-speaking activity

We discovered a set of malicious activities, which we named EdwardsPheasant, targeting mainly government organizations in Vietnam since June 2020. The attackers leverage previously unknown and obfuscated backdoors and loaders. The activities peaked in November 2020, but are still ongoing. The associated threat actor continues to leverage its tools and tactics (described in our private report) to compromise targets or maintain access in their networks. While we could identify similarities with the tools and tactics associated with Cycldek (aka Goblin Panda) and Lucky Mouse (aka Emissary Panda), we have been unable to attribute this set of activities to either of them conclusively.

We investigated a long-running espionage campaign, dubbed A41APT, targeting multiple industries, including the Japanese manufacturing industry and its overseas bases, which has been active since March 2019. The attackers used vulnerabilities in an SSL-VPN product to deploy a multi-layered loader we dubbed Ecipekac (aka DESLoader, SigLoader and HEAVYHAND). We attribute this activity to APT10 with high confidence. Most of the discovered payloads deployed by this loader are fileless and have not been seen before. We observed SodaMaster (aka DelfsCake, dfls and DARKTOWN), P8RAT (aka GreetCake and HEAVYPOT), and FYAnti (aka DILLJUICE Stage 2) which in turn loads QuasarRAT. In November and December 2020, two public blog posts were published about this campaign. One month later, we observed new activities from the actor with an updated version of some of their implants designed to evade security products and make analysis harder for researchers. You can read more in our public report.

Middle East

We recently came across previously unknown malicious artifacts that we attributed to the Lyceum/Hexane threat group, showing that the attackers behind it are still active and have been developing their toolset during the last year. Although Lyceum still prefers taking advantage of DNS tunneling, it appears to have replaced the previously documented .NET payload with a new C++ backdoor and a PowerShell script that serve the same purpose. Our telemetry revealed that the threat group’s latest endeavors are focused on going after entities within one country – Tunisia. The victims we observed were all high-profile Tunisian organizations, such as telecommunications or aviation companies. Based on the targeted industries, we assume that the attackers may have been interested in compromising these entities to track the movements and communications of individuals that are of interest to them. This could mean that the latest Lyceum cluster has an operational focus on targeting Tunisia, or that it is a subset of broader activity that is yet to be discovered.

On November 19, 2020, Shadow Chaser Group tweeted about a suspected MuddyWater APT malicious document potentially targeting a university in the United Arab Emirates. Based on our analysis since then, we suspect this intrusion is part of a campaign that started at least in early October 2020 and was last seen active in late December 2020. The threat actor relied on VBS-based malware to infect organizations from government, NGO and education sectors. Our telemetry, however, indicates that no further tools were deployed and we do not believe that data theft took place either. This indicates to us that the attackers are currently in the reconnaissance phase of their operation, and we expect subsequent waves of attacks to follow in the near future. In our private report, we provide an in-depth analysis of the malicious documents used by this threat actor and study their similarities to known MuddyWater tooling. The infrastructure setup and communications scheme are also similar to past incidents attributed to this group. The actor maintains a small set of first-stage C2 servers to connect back from the VBS implant for initial communications. Initial reconnaissance is performed by the actor and communication with the implant is handed off to a second-stage C2 for additional downloads. Finally, we present similarities with known TTPs of the MuddyWater group and attribute this campaign to them with medium confidence.

Domestic Kitten is a threat group mainly known for its mobile backdoors. The group’s operations were exposed in 2018, showing that it was conducting surveillance attacks against individuals in the Middle East. The threat group targeted Android users by sending them popular and well-known applications that were backdoored and contained malicious code. Many of the applications had religious or political themes and were intended for Farsi, Arabic and Kurdish speakers, possibly alluding to this attack’s main targets. We have discovered new evidence showing that Domestic Kitten has been using PE executables to target victims using Windows since at least 2013, with some evidence that it goes back to 2011. The Windows version, which, to the best of our knowledge, has not been described in the past, was delivered in several versions, with the more recent one used for at least three and a half years to target individuals in parallel to the group’s mobile campaigns. The implant functionality and infrastructure in that version have remained the same all along, and have been used in the group’s activity witnessed this year.

Ferocious Kitten is an APT group that has been active against Persian-speaking individuals since 2015 and appears to be based in Iran. Although it has been active over a large timespan, the group has mostly operated under the radar and, to the best of our knowledge, has not been covered by security researchers. It only recently attracted attention when a lure document was uploaded to VirusTotal and was brought to public knowledge by researchers on Twitter. Subsequently, one of its implants was analyzed by a Chinese intelligence firm. We have been able to expand some of the findings on the group and provide insights on additional variants. The malware dropped from the aforementioned document is dubbed MarkiRAT and is used to record keystrokes and clipboard content, provide file download and upload capabilities as well as the ability to execute arbitrary commands on the victim’s machine. We were able to trace the implant back to at least 2015, along with variants intended to hijack the execution of the Telegram and Chrome applications as a persistence method. Interestingly, some of the TTPs used by this threat actor are reminiscent of other groups operating in the domain of dissident surveillance. For example, it used the same C2 domains across its implants for years, which was witnessed in the activity of Domestic Kitten. In the same vein, the Telegram execution hijacking technique observed in this campaign by Ferocious Kitten was also observed being used by Rampant Kitten, as covered by Check Point. In our private report, we expand the details on these findings as well as provide analysis and mechanics of the MarkiRAT malware.

Karkadann is a threat actor that has been targeting government bodies and news outlets in the Middle East since at least October 2020. The threat actor leverages tailor-made malicious documents with embedded macros that trigger an infection chain, opening a URL in Internet Explorer. The minimal functionality present in the macros and the browser specification suggest that the threat actor might be exploiting a privilege-escalation vulnerability in Internet Explorer. Despite the small amount of evidence available for analysis in the Karkadann case, we were able to find several similarities to the Piwiks case, a watering-hole attack we discovered that targeted multiple prominent websites in the Middle East. Our private report presents the recent Karkadann campaigns and the similarities between this campaign and the Piwiks case. The report concludes with some infrastructure overlaps with unattributed clusters that we have seen since last year that are potentially linked to the same threat actor.

Southeast Asia and Korean Peninsula

We discovered that the Kimsuky group adopted a new method to deliver its malware in its latest campaign on a South Korean stock trading application. In this campaign, beginning in December 2020, the group compromised a website belonging to the vendor of stock trading software, replacing the hosted installation package with a malicious one. Kimsuky also delivered its malware by utilizing a malicious Hangul (HWP) document containing COVID-19-related bait that discusses a government relief fund. Both infection vectors ultimately deliver the Quasar RAT. Compared to Kimsuky’s last reported infection chain, composed of various scripts, the new scheme adds complications and introduces less popular file types, involving VBS scripts, XML and Extensible Stylesheet Language (XSL) files with embedded C# code in order to fetch and execute stagers and payloads. Based on the lure document and characteristics of the compromised installation package, we conclude that this attack is financially motivated, which, as we have previously reported, is one of Kimsuky’s main focus areas.

On January 25, the Google Threat Analysis Group (TAG) announced that a North Korean-related threat actor had targeted security researchers. According to Google TAG’s blog, this actor used highly sophisticated social engineering, approached security researchers through social media, and delivered a compromised Visual Studio project file or lured them to their blog and installed a Chrome exploit. On March 31, Google TAG released an update on this activity showing another wave of fake social media profiles and a company the actor set up mid-March. We can confirm that several infrastructures on the blog overlap with our previously published reporting about Lazarus group’s ThreatNeedle cluster. Moreover, the malware mentioned by Google matched ThreatNeedle – malware that we have been tracking since 2018. While investigating associated information, a fellow external researcher confirmed that he was also compromised by this attack, sharing information for us to investigate. We discovered additional C2 servers after decrypting configuration data from the compromised host. The servers were still in use during our investigation, and we were able to get additional data, analyzing logs and files present on the servers. We assess that the published infrastructure was used not only to target security researchers but also in other Lazarus attacks. We found a relatively large number of hosts communicating with the C2s at the time of our research. You can read our public report here.

Following up our previous investigation into Lazarus attacks on the defense industry using ThreatNeedle, we discovered another malware cluster named CookieTime used in a campaign mainly focused on the defense industry. We detected activity in September and November 2020, with samples dating back to April 2020. Compared to the already known malware clusters of the Lazarus group, CookieTime shows a different structure and functionality. This malware communicates with the C2 server using the HTTP protocol. In order to deliver the request type to the C2 server, it uses encoded cookie values and fetches command files from the C2 server. The C2 communication takes advantage of steganography techniques, delivered in files exchanged between infected clients and the C2 server. The contents are disguised as GIF image files, but contain encrypted commands from the C2 server and command execution results. We had a chance to look into the command and control script as a result of working closely with a local CERT to take down the threat actor’s infrastructure. The malware control servers are configured in a multi-stage fashion and only deliver the command file to valuable hosts.

While investigating the artifacts of a supply-chain attack on the Vietnam Government Certification Authority’s (VGCA) website, we discovered that the first Trojanized package dates to June 2020. Unravelling that thread, we identified a number of post-compromise tools in the form of plugins deployed using PhantomNet malware, which was delivered using Trojanized packages. Our analysis of these plugins revealed similarities with the previously analyzed CoughingDown malware. In our private report, we offer a detailed description for each post-compromise tool used in the attack, as well as other tools belonging to the actor’s arsenal. Finally, we also explore CoughingDown attribution in the light of recent discoveries.

On February 10, DBAPPSecurity published details about a zero-day exploit they discovered last December. Aside from the details of the exploit itself, researchers also mentioned it being used in the wild by BitterAPT. While no such subsequent information was given in the initial report to explain the attribution claims, our investigation into this activity confirms the exploit was in fact being used exclusively by this actor. We assigned the name TurtlePower to the campaign that makes use of this exploit, along with the other tools used to target governmental and telecom entities in Pakistan and China. We have also confidently linked the origin of this exploit to a broker we refer to as Moses. Moses has been responsible for the development of at least five exploits patched in the last two years. We have also been able to tie the usage of some of these exploits to at least two different actors thus far – BitterAPT and DarkHotel. At this time, it is unclear how these threat actors are obtaining exploits from Moses, whether it is through direct purchase or another third-party provider. During the TurtlePower campaign, BitterAPT used a wide array of tools on its victims to include a stage one payload named ArtraDownloader, a stage two payload named Splinter, a keylogger named SourLogger, an infostealer named SourFilling, as well as variations of Mimikatz to gather specific files and maintain its access. This particular campaign also appears to be narrowly focused on targets within Pakistan and China (based on the initial report referenced). While we can verify specific targeting within Pakistan using our own data, we have not been able to do the same regarding China. Use of CVE-2021-1732 peaked between June and July 2020, but the overall campaign is still ongoing.

In 2020, we observed new waves of attacks related to Dropping Elephant (aka Patchwork, Chinastrats), focusing on targets in China and Pakistan. We also noted a few targets outside of the group’s traditional area of operations, namely in the Middle East, and a growing interest in the African continent. The attacks followed the group’s well-established TTPs, which include the use of malicious documents crafted to exploit a remote code execution vulnerability in Microsoft Office, and the signature JakyllHyde (aka BadNews) Trojan in the later infection stages. Dropping Elephant introduced a new loader for JakyllHyde, a tool we named Crypta. It contains mechanisms to hinder detection and appears to be a core component of this APT actor’s recent toolset. Crypta and its variants have been observed in multiple scenarios loading a wide range of subsequent payloads, such as Bozok RAT, Quasar RAT and LokiBot. An additional Trojan discovered during our research was PubFantacy. To our knowledge, this tool has never been publicly described and has been used to target Windows servers since at least 2018.

We recently discovered a previously publicly unknown Android implant used in 2018-2019 by the SideWinder threat group, which we dubbed BroStealer. The main purpose of the BroStealer implant is to collect sensitive information from a victim’s device, such as photos, SMS messages, call recordings and files from various messaging applications. Although SideWinder has numerous campaigns against victims using the Windows platform, recent reports have shown that this threat group also goes after its targets via the mobile platform.

Other interesting discoveries

In February 2019, multiple antivirus companies received a collection of malware samples, most of them associated with various known APT groups. Some of the samples cannot be associated with any known activity. Some, in particular, attracted our attention due to their sophistication. The samples were compiled in 2014 and, accordingly, were likely deployed in 2014 and possibly as late as 2015. Although we have not found any shared code with any other known malware, the samples have intersections of coding patterns, style and techniques that have been seen in various Lambert families. We therefore named this malware Purple Lambert. Purple Lambert is composed of several modules, with its network module passively listening for a magic packet. It is capable of providing an attacker with basic information about the infected system and executing a received payload. Its functionality reminds us of Gray Lambert, another user-mode passive listener. Gray Lambert turned out to be a replacement of the kernel-mode passive-listener White Lambert implant in multiple incidents. In addition, Purple Lambert implements functionality similar to, but in different ways, both Gray Lambert and White Lambert. Our report, available to subscribers of our APT threat reports, includes discussion of both the passive-listener payload and the loader functionality included in the main module.

Final thoughts

While the TTPs of some threat actors remain consistent over time, relying heavily on social engineering as a means of gaining a foothold in a target organization or compromising an individual’s device, others refresh their toolsets and extend the scope of their activities. Our regular quarterly reviews are intended to highlight the key developments of APT groups.

Here are the main trends that we’ve seen in Q1 2021:

  • Perhaps the most predominant attack we researched in this quarter was the SolarWinds attack. SolarWinds showed once again how successful a supply-chain attack can be, especially where attackers go the extra mile to remain hidden and maintain persistence in a target network. The scope of this attack is still being investigated as more zero-day flaws are discovered in SolarWinds products.
  • Another critical wave of attacks was the exploitation of Microsoft Exchange zero-day vulnerabilities by multiple threat actors. We recently discovered another campaign using these exploits with different targeting, possibly related to the same cluster of activities already reported.
  • Lazarus group’s bold campaign targeting security researchers worldwide also utilized zero-day vulnerabilities in browsers to compromise their targets. Their campaigns used themes centered on the use of zero-days to lure relevant researchers, possibly in an attempt to steal vulnerability research.

As always, we would note that our reports are the product of our visibility into the threat landscape. However, it should be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.


Ransomware by the numbers: Reassessing the threat’s global impact

23 Duben, 2021 - 12:19

Kaspersky has been following the ransomware landscape for years. In the past, we’ve published yearly reports on the subject: PC ransomware in 2014-2016, Ransomware in 2016-2017, and Ransomware and malicious crypto miners in 2016-2018. In fact, in 2019, we chose ransomware as the story of the year, upon noticing the well-known threat was shifting its attention to municipalities. In the 2010s, with campaigns like WannaCry and NotPetya, ransomware became mainstream news. However, starting in 2018, we began noticing something else: the statistics for the overall number of ransomware detections were on a steep decline. What was happening? Was ransomware, in fact, a dying species of malware?

For anyone following the news in the infosecurity community, this seemed unlikely. In 2019 and 2020, stories of ransomware attacks made front-page headlines, from Maze attacking LG to the infamous APT group Lazarus adding ransomware to its arsenal. In the United States alone in 2020, ransomware hit more than 2,300 government entities, healthcare facilities and schools, according to the security company Emsisoft.

So, what’s the story?

Ransomware hasn’t disappeared; the threat has just undergone a fundamental shift. Widespread ransomware campaigns have been replaced with highly targeted, destructive attacks, often aimed at large organizations. In addition, attackers appear to be more focused on exfiltrating data as well as encrypting it, i.e., siphoning off confidential information and threatening to make it public if the victims refuse to pay. All of this is done with the aim of launching fewer attacks, each with a far larger payout, rather than collecting smaller amounts from a massive number of victims.

In this report, we’ll take a look at the numbers behind the ransomware threat from 2019 to 2020, what they mean — and what they foretell about ransomware’s future.

Key findings
  • In 2020, the number of unique users that encountered ransomware on their devices was 1,091,454, a decline from 1,537,465 in 2019.
  • In 2019, the share of users targeted with ransomware among the overall number of users that encountered malware was 3.31%; this declined slightly in 2020 to 2.67%.
  • The share of ransomware detections among the overall number of malware detections was 1.49% in 2019 and 1.08% in 2020.
  • In both 2019 and 2020, WannaCry was the most frequently encountered crypto-ransomware family on Windows systems.
  • In 2019, the number of unique users that encountered ransomware on their mobile devices was 72,258. This number declined to 33,502 in 2020.
  • However, the share of unique users that encountered ransomware on their mobile devices among the overall number of users that encountered malware held steady between 2019 and 2020 at 0.56%.
  • From 2019 to 2020, the number of unique users affected by targeted ransomware families increased by 767%.
  • By far, the industry that contained the greatest share of targeted ransomware attacks was engineering and manufacturing, at 25.63%.

This report has been prepared using depersonalized data processed by Kaspersky Security Network (KSN).

There are two main metrics used. The first, unique users, refers to the number of distinct users of Kaspersky products with the KSN feature enabled who encountered ransomware at least once in a given period. The second is detections, which is the number of ransomware attacks blocked by Kaspersky products over a given period.

The report also includes research into the threat landscape by Kaspersky experts.

Kaspersky products detect various types of ransomware. These include crypto-ransomware (malware that encrypts your files), screen lockers, browser lockers, and boot lockers. Unless otherwise stated, statistics refer to any type of ransomware.

Ransomware across all platforms

As Kaspersky has previously noted, the total number of ransomware detections has been steadily declining since 2017. This is a trend that has continued through 2019 and 2020.

In 2019, the total number of unique users that encountered ransomware across all platforms was 1,537,465. In 2020, that number fell to 1,091,454 — a decrease of 29%.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Side-by-side comparison of the number of unique KSN users that encountered ransomware on their devices, 2019 – 2020 (download)

In fact, for each month in 2020, the number of unique users that encountered ransomware across all devices was lower than the number observed during the same month in the previous year. In both years, the number of users that encountered ransomware was relatively stable — hovering between 100,000 and 170,000 in 2020 and between 150,000 and 190,000 in 2019 — with the exception of July 2019, when there was a noticeable spike. This was driven by an increase in two ransomware families. The first, Bluff, is a browser locker, meaning victims are confronted with a fake tab — one they are unable to exit out of — that threatens dire consequences if a certain amount of money is not paid. The other was Rakhni, a crypto-ransomware that first appeared in 2013 and was distributed primarily through spam with malicious attachments.

The share of unique users that encountered ransomware out of the total number that encountered any type of malware across their devices also declined, from 3.31% in 2019 to 2.67% in 2020. However, the share of ransomware detections out of the total number of malware detections held relatively steady, declining only slightly from 2019 to 2020, from 1.49% to 1.08%.

The most active crypto-ransomware families

Three years after it first made headlines everywhere, WannaCry is still the most active crypto-ransomware family. To date, WannaCry is the largest ransomware infection in history, with damage totaling at least $4 billion across 150 countries. In 2019, 21.85% of users that encountered crypto-ransomware encountered WannaCry.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Top five crypto-ransomware families, 2019 (download)

Among other active families were GandCrab, a ransomware family that was active in 2019 and followed the RaaS model, STOP/DJVU, and PolyRansom/VirLock. Shade, a widespread cryptor that first appeared in 2014, was still one of the most active ransomware families in 2019, but its activity has been on the decline for years. In fact, in 2020, Kaspersky released a decryptor for all strains of Shade — and it was no longer one of the five most active ransomware families detected by Kaspersky products.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Top five crypto-ransomware families, 2020 (download)

In 2020, WannaCry was still the most frequently encountered family, with 16% of users (80,207) that encountered crypto-ransomware encountering this malware. In addition, a new strain entered the top five most active families: Crysis/Dharma. Crysis is able to use multiple attack vectors, although recently it has primarily exploited unsecured RDP access. First discovered in 2016, the malware has continued to evolve and is now following ransomware-as-a-service model.

In general, 2019 and 2020 continued a trend first noticed in early 2018: the consolidation of ransomware groups. Only a few notable families continue to maintain a significant presence across the threat landscape, with the rest of attacks conducted by ransomware Trojans that do not belong to any specific family. Of course, new families do continue to appear, with STOP and GandCrab serving as excellent examples.

Geography of ransomware attacks

When analyzing the geography of attacked users, we take into consideration the distribution of Kaspersky’s customers. That’s why, when examining the geography of attacks, we use the percentage of users attacked with ransomware as a proportion of users attacked with any kind of malware in those regions where there are more than 10,000 unique users of Kaspersky products.

All percentages reflect the percent of unique users that encountered ransomware at least once on any device out of the total number of unique users that encountered any type of malware over the stated period.

Middle East

In 2019, the countries with the greatest share of users that encountered ransomware on any device in the Middle East were as follows:

Country %* Pakistan 19.03% Palestine 6.74% Yemen 6.55% Egypt 6.41% Iraq 6.28%

*Share of users attacked with ransomware out of all users encountering malware in the country

Pakistan had, by far, the greatest share of users encountering ransomware: 19.03%. The other countries in the top five all had a share of roughly 6% of users that encountered ransomware.

In 2020, the five countries with the greatest share of users encountering ransomware remained the same with a few small adjustments.

Country %* Pakistan 14.88% Yemen 7.49% Egypt 6.45% Palestine 5.48% Iraq 5.37%

*Share of users attacked with ransomware out of all users encountering malware in the country

Pakistan still had the greatest share of users, but the overall percentage declined to 14.88%. The percent of users encountering ransomware in Yemen actually increased to 7.49%, while the percentage of users in Palestine and Iraq lowered, and the share of affected Egyptians remained pretty much the same.

North and South America

In 2019, the countries in North and South America with the greatest percentage of users that encountered ransomware were the following:

Country %* United States 5.49% Paraguay 4.87% Venezuela 3.34% Canada 3.25% Guatemala 2.81%

*Share of users attacked with ransomware out of all users encountering malware in the country

The United States had the greatest share at 5.49% percent, followed by Paraguay at 4.87%. Rounding out the countries with the greatest share of users encountering ransomware were Venezuela, Canada, and Guatemala.

In 2020, the countries with the greatest share in North and South America were mostly the same — although with a smaller percentage of users encountering ransomware.

Country %* United States 2.97% Venezuela 2.49% Canada 2.46% Paraguay 2.44% Uruguay 2.37%

*Share of users attacked with ransomware out of all users encountering malware in the country

year, Venezuela had the second greatest share of users encountering ransomware, with Paraguay falling to fourth. In addition, Guatemala was replaced by Uruguay.


In 2019, the countries in Africa with the greatest percentage of users encountering ransomware were the following:

Country %* Mozambique 12.02% Ethiopia 8.57% Ghana 5.75% Angola 3.32% Libya 3.28%

*Share of users attacked with ransomware out of all users encountering malware in the country

Mozambique had the greatest share of users by far at 12.02%, followed by Ethiopia at 8.57%. The remaining countries with the greatest percentage of users that encountered ransomware were Ghana, Angola, and Libya.

In 2020, the landscape shifted a bit:

Country %* Cameroon 6.83% Mali 5.85% Mozambique 5.62% Ethiopia 5.39% Ghana 3.85%

*Share of users attacked with ransomware out of all users encountering malware in the country

The country with the greatest share of users encountering ransomware was Cameroon, followed by Mali. Mozambique, Ethiopia, and Ghana remained in the top five, but the share of users facing ransomware declined for all three.


In Asia in 2019, the five countries with the greatest percentage of users encountering ransomware were the following:

Country %* Afghanistan 26.44% Bangladesh 23.14% Turkmenistan 11.28% Uzbekistan 10.53% Tajikistan 8.08%

*Share of users attacked with ransomware out of all users encountering malware in the country

Afghanistan had the greatest share of users at 26.44%, followed by Bangladesh at 23.14%. The next three countries with the greatest share of users were concentrated in Central Asia: Turkmenistan, Uzbekistan, and Tajikistan.

In 2020, the landscape slightly changed:

Country %* Afghanistan 17.67% Bangladesh 11.31% Turkmenistan 9.52% Tajikistan 5.26% Kyrgyzstan 4.05%

*Share of users attacked with ransomware out of all users encountering malware in the country

Uzbekistan left the rating of countries with the greatest share of users encountering ransomware, giving way to Kyrgyzstan (4.05%), and the percentages of all the rest were significantly lower than in 2019. Afghanistan’s share of users declined to 17.67% and Bangladesh’s to 11.31%.


In Europe, the countries with the greatest percentage of users encountering ransomware were the following:

Country %* Azerbaijan 5.03% Turkey 3.03% Cyprus 2.82% France 2.74% Armenia 2.54% Bulgaria 2.54%

*Share of users attacked with ransomware out of all users encountering malware in the country

Azerbaijan had the greatest share at 5.03%, followed by Turkey and Cyprus. Rounding out the six countries with the greatest percentage of users encountering ransomware were France, Armenia, and Bulgaria, the last two having the same share of affected users.

In 2020, the landscape looked a bit different:

Country %* France 5.18% Montenegro 4.36% Monaco 4.22% Azerbaijan 4.21% Macedonia 4.06%

*Share of users attacked with ransomware out of all users encountering malware in the country

France had the greatest share of users encountering ransomware, followed by Montenegro and Monaco, which replaced Turkey and Cyprus. Azerbaijan had the fourth greatest share at 4.21%, and Macedonia took Armenia’s place as the country with the fifth greatest share.

Mobile ransomware

As is the case with ransomware across all devices, mobile ransomware continues to decline. In 2019, the total number of unique Kaspersky users that encountered ransomware was 72,258. In 2020, it was 33,502 — a decrease of 54%.

However, the share of mobile users that encountered ransomware out of the total number that encountered any type of malware remained steady at 0.56%. This coincided with a decline in the overall number of mobile ransomware detections — from 333,878 in 2019 to 290,372 in 2020.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Number of mobile ransomware detections from 2019 to 2020 (download)

Interestingly enough, while the number of mobile ransomware detections declined relatively steadily after July 2019 with just a few small spikes in July 2019 and February 2020, it again started to rise significantly in the second half of 2020, reaching 35,000 detections in September of last year. This was due to, oddly enough, the ransomware Encoder, which is actually designed for Windows workstations and is not dangerous for mobile devices. However, in September 2020, Encoder spread via Telegram, which has both a mobile and desktop application. The attackers were most likely targeting Windows users, and mobile users accidentally ended up with Encoder on their phones when the mobile version of Telegram synced downloads with the desktop client.

Most active mobile ransomware families


!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Distribution of the most active mobile ransomware families, 2019 (download)

In 2019, nearly 45% of users that encountered mobile ransomware encountered Svpeng, the family that started as SMS Trojans, then switched to stealing banking credentials and credit card data, and finally evolved into ransomware. Slightly less than 20% of users encountered Rkor and Small. Rkor is a classic locker for ransom. Distributed via porn, it uses accessibility services to gain the necessary control over a device and then locks it until a fee is paid. Small is very similar: it locks the screen and demands a fee to continue watching porn.

The fourth most common family is Congur, which is distributed via a modified application, such as WhatsApp. Another well-known active family is Fusob, which claims to be from some kind of authority and says that the intended victim is obligated to pay a fine.


!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Distribution of the most active mobile ransomware families, 2020 (download)

In 2020, Small was the most frequently encountered mobile ransomware family at 28.38% followed by Rkor and Congur. Svpeng was the fourth most common family, with 15.59% of users encountering it.

Geography of attacked users

In 2019, the countries with the greatest percentage of users that encountered ransomware on their mobile devices were the following:

Country %*  United States 33.19% Kazakhstan 13.24% Canada 2.71% Germany 2.27% Italy 2.19% United Kingdom 1.53% Iran 1.41% Poland 1.22% Mexico 1.09% Spain 1.00%

*Share of users attacked with ransomware out of all users encountering malware

The countries with the greatest number of users encountering mobile ransomware were relatively dispersed globally, with the United States having the highest percentage. Kazakhstan followed at 13.24%. The rest of the top ten had significantly smaller percentages of users encountering mobile ransomware, with Canada — the country with the third largest share — having only 2.71%.

In 2020, the countries with the greatest percentage of users that encountered mobile ransomware were the following:

Country %* Kazakhstan 23.80% United States 10.32% Germany 2.54% Egypt 1.46% Mexico 1.43% Italy 1.41% United Kingdom 1.14% Iran 1.07% Malaysia 1.02% Indonesia 1.01%

*Share of users attacked with ransomware out of all users encountering malware

In 2020, Kazakhstan had the greatest percentage of users encountering mobile ransomware at 23.80%, followed by the United States at 10.32%. Poland, Spain, and Canada were replaced by Malaysia, Indonesia, and Egypt. In general, the percentage of affected users declined — this is to be expected given that the overall number of users affected by mobile ransomware declined by more than 50%.

The rise of targeted ransomware

While the raw total of ransomware detections has been on the decline, those numbers only tell part of the story. When ransomware first made front-page headlines, it was because of campaigns like WannaCry, Petya, and CryptoLocker: massive campaigns interested in hitting as many users as possible and extorting relatively small amounts per user. In WannaCry, for example, the attackers only requested $300 and later raised this amount to $600.

However, these types of campaigns are becoming less profitable, for potentially several reasons.      Given the increasing amount of attention paid to ransomware, security software may have become better at blocking ransomware threats and people are repeatedly encouraged not to pay. In addition, in a lot of countries, people simply can’t afford that high of a ransom. As a result, attackers have shifted their focus to those who can pay — companies. In 2019, nearly one-third of victims targeted by ransomware were corporate users.

Of course, infecting companies requires a far more sophisticated, targeted approach, and there are specific ransomware families designed to do just that.

Targeted ransomware (also known as “big game hunting”) consists of families of ransomware used to extort money from a particular victim. These victims tend to be high profile, such as large corporations, government and municipal agencies, and healthcare organizations, and the ransom demanded is far larger than that demanded from separate users. Often, their attacks involve one or more of the following stages:

  • Network compromise
  • Reconnaissance & persistence
  • Lateral movement
  • Data exfiltration
  • Data encryption
  • Extortion

Initial infection often occurs via exploitation of server-side software (VPNs, Citrix, WebLogic, Tomcat, Exchange, etc), RDP brute-force attacks/credential stuffing, supply-chain attacks, or botnets.

Kaspersky classifies a particular ransomware group as “targeted” based on the victims chosen, and if sophisticated methods are used to conduct the attack, such as breaching the network or lateral movement. So far, Kaspersky has identified 28 of these targeted families, which includes the infamous Hades ransomware that targets companies worth at least $1 billion.

From 2019 to 2020, the number of unique users affected by targeted ransomware — ransomware that is designed to affect specific users — increased from 985 to 8,538, a 767% jump.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

The number of unique Kaspersky users affected by targeted ransomware, 2019 – 2020 (download)

A major spike occurred in July 2020, which was driven by the REvil ransomware family, which successfully exploited the foreign exchange company Travelex for $2.3 million. Grubman Shire Meiselas & Sacks, a New York-based law firm with a host of celebrity clients, also fell victim to REvil in May. Other highly targeted ransomware families also appeared in 2019 and 2020, the most notable of which was Maze. First appearing in 2019, Maze used various mechanisms for initial compromise. In certain cases, they used spear-phishing campaigns to install Cobalt Strike RAT, while other attacks involved exploiting a vulnerable internet-facing service (e.g., Citrix ADC/NetScaler or Pulse Secure VPN) or weak RDP credentials to breach the network. Maze primarily targeted businesses and large organizations. Some of their most notable attacks were against LG and the city of Pensacola, Florida.

Alongside this rise in targeted ransomware there has been an increased focus not just on data encryption but on data exfiltration: searching for highly confidential information and threatening to make it public if the ransom isn’t met as a means of coercing organizations to pay. Maze was one of the first ransomware groups to actually publish this stolen data if the ransom wasn’t paid. In addition, this information can later be sold online at auctions, which is what happened with databases from various agricultural companies that had fallen victim to REvil in the summer of 2020.

Eventually, Maze teamed up with another well-known, highly targeted ransomware family, RagnarLocker, which first appeared in 2020. Like Maze, RagnarLocker targets primarily large organizations and publishes the confidential information of those who refuse to pay on the “Wall of Shame.” This family is so targeted that each individual malware sample is specifically tailored to the organization it is attacking.

WastedLocker also appeared in 2020 and made global headlines when it knocked most popular services by Garmin, the well-known fitness and GPS technology company, offline for three days as it held the company’s data for a $10 million ransom. The malware used in the attack was specifically designed for Garmin.

Targeted ransomware is not confined to one specific industry. It has affected everything from healthcare organizations to sports and fitness companies.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Distribution of targeted ransomware attacks by industry, 2019–2020 (download)

Engineering and manufacturing was the most represented industry by far, with 25.63% of targeted ransomware attacks from 2019 to 2020 affecting this industry. This is not surprising given the highly sensitive nature of their data and the often high value of such companies. It is also incredibly disruptive to businesses in this sector if their systems go offline. 7.60% of targeted ransomware attacks affected professional and consumer services companies, and 7.09% targeted financial firms. Other popular targets are construction & real estate, commerce & retail, and IT & telecommunications.


The world is entering a new era of ransomware, and it’s likely that any kind of large-scale campaign — the kind that targets average, everyday users — will be few and far between. Of course, that’s not to say ransomware is only a threat if you’re a large company. Just in December of last year, there was a group looking to capitalize on the launch of Cyberpunk 2077 by distributing a fake, mobile version of the game that encrypts users’ files once downloaded.

That said, there has been an unmistakable shift in the landscape — one aimed at extorting confidential information and recovering large sums of money by targeting just one or maybe a dozen organizations. That means ransomware attackers will continue to deploy more advanced techniques for infiltrating networks and encrypting data. APT groups like Lazarus have already begun adding ransomware to their toolset. It wouldn’t be surprising if additional advanced threat actors followed suit.

The biggest takeaway from this is that companies — large and small — need to think about more than just backing up their data. They need to take a comprehensive approach to their security — one that includes regular patching, software updates, and cybersecurity awareness training. Some of these attacks against companies involve gaining an initial foothold in the system, laterally moving throughout the network until full control has been achieved, and then conducting reconnaissance for months before striking at a moment that causes optimal damage. In the attack against Travelex with the REvil ransomware, the cybercriminals had infiltrated the company’s network six months before they actually encrypted the data and demanded the ransom.

Ransomware attackers are sharpening their toolsets, and companies need to respond in kind. Fortunately, doing so is completely within their power.

Here are just a few suggestions from Kaspersky experts on the ways you can safeguard your organization against ransomware:

  1. Always keep software updated on all the devices you use to prevent ransomware from exploiting vulnerabilities.
  2. Focus your defense strategy on detecting lateral movements and data exfiltration to the internet. Pay special attention to the outgoing traffic to detect cybercriminals’ connections. Back up data regularly. Make sure you can quickly access it in an emergency when needed.
  3. Use solutions like Kaspersky Endpoint Detection and Responseand Kaspersky Managed Detection and Response, which help identify and stop an attack at an early stage, before attackers reach their final goals.
  4. To protect the corporate environment, educate your employees. Dedicated training courses can help, such as the ones provided in the Kaspersky Automated Security Awareness Platform. A free lesson on how to protect your business from ransomware attacks is available here.
  5. Use a reliable endpoint security solution, such as Kaspersky Endpoint Security for Business, which is powered by exploit prevention, behavior detection, and a remediation engine that is able to roll back malicious actions. KESB also has self-defense mechanisms that can prevent its removal by cybercriminals.

Targeted Malware Reverse Engineering Workshop follow-up. Part 2

21 Duben, 2021 - 12:00

If you have read our previous blogpost “Targeted Malware Reverse Engineering Workshop follow-up. Part 1“, you probably know about the webinar we conducted on April 8, 2021, with Kaspersky GReAT’s Ivan Kwiatkowski and Denis Legezo, to share best practices in reverse engineering and demonstrate real-time analysis of recent targeted malware samples. The experts also had a fireside chat with Igor Skochinsky of Hex-Rays and introduced the Targeted Malware Reverse Engineering online self-study course.

The webinar audience having been so active – it was a very pleasant surprise, thanks again! – not only were we unable to address all the incoming questions online, we didn’t even manage to pack the rest of them in one blogpost. So here comes the second part of the webinar follow-up.

Questions related to malware analysis
  1. How common are opaque predicates in legitimate software? Can these predicates be leveraged as detection signatures?
    Ivan: It is difficult to provide an answer encompassing all legitimate software. As a general rule, obfuscation or evasion techniques can provide a relevant weak signal  potentially indicating malicious behavior, but should not be used for detection.
    Denis: We mostly deal with malicious, not legit code, but I would not expect such tricks there. What for — protection? I would not expect opaque predicates even from third-party protectors.
  2. Do you often come across binary obfuscation methods like nanomites, control flow flattening or VM in malwares?
    Ivan: Such techniques are extremely rare, possibly because attackers know that the presence of such protections will raise suspicion.
    Denis: We met several flattening cases lately. I could also name a couple of cases of custom internal VM usage in malware. So, not often, but they do exist.
  3. When it comes to packed executables, are automated unpackers usually good enough (like using dynamic instrumentation to detect tail jump and so forth) or is it more about manual work?
    Ivan: It turns out that packed executables are not as widespread as you would think. They turn up so rarely that I always default to manual work.
    Denis: We mostly deal with targeted malware, and packing executables are not common in this world, I agree.
  4. Do we also see any “exotic” commercial packers like vmprotect?
    Ivan: We don’t, however, if this is of interest to you, I strongly recommend you to watch Vitaly Kamluk’s presentation on the subject.
    Denis: Not in this training, but again, I would not say such tools are too popular in the world of targeted malware. Mostly due to being detected by security products, I suppose.
  5. What are the most creative anti-reversing tricks from malware creators you have seen so far?
    Ivan: I would name the LuckyMouse APT which deploys stripped down malware samples containing none of its configuration anymore, once saved somewhere on the victim’s machine. Generally speaking, they’re very good at making sure that files obtained by defenders are incomplete.
    Denis: The best anti-reversing trick I have seen is a seasoned software design pro with brain-damaging multi-module development style and 30 years of experience on the other side of the court. The only thing you want to do after the encounter is to yell at him/her, your disassembler, your PC, and yourself. But when you are done at last — well, this is the reason why we do it.
Questions on the Targeted Malware Reverse Engineering course syllabus

You can find the full syllabus here.

  1. Is the training focused on static reverse engineering or do you use dynamic analysis (e.g. debug/emulation) as well? Is the virtual lab analysis limited to static one?
    Ivan: We occasionally use debugging, and debuggers are available in the VM. Most of the work, however, takes place in IDA Pro.
    Denis: Ah, our deep belief in static analysis has affected the training for sure. But we do debugging as well, it is true. For example, in the LuckyMouse track.
  2. Will the analysis exercises deal only with the “final” malicious payloads/files or with analyzing the entire infection chains (e.g. downloader -> dropper/injector -> shellcode)?
    Ivan: It is closer to the other way around. When we have no time to show everything, we focus on the most complex parts of the infection chain (the beginning), tackle all the problems, and leave the easy part (looking at the unobfuscated final stage) as an exercise for the audience.
  3. You have mentioned that a lot of course time will be spent discussing deobfuscation mechanisms. Will there also be a chapter/section dealing on bypassing anti-reversing mechanisms?
    Ivan: The course is organized around the specific real malware cases. There is no theory segment on obfuscation. However, we show many samples that use different techniques and demonstrate how to approach each one of them.
  4. Does the course cover the C2 protocol traffic analysis?
    Ivan: To some extent, yes. One of the tracks is entirely dedicated to analyzing a network utility, understanding and re-implementing its custom protocol.
    Denis: For example, in the Topinambour track, you deal with simple C2 communication protocol analysis from the reversing point of view: it means means by analyzing the code you come to understand what to expect from the traffic.
  5. Do you cover both IDA Python and IDC during the course?
    Ivan: We only cover IDA Python, but the participants are free to use IDC if they choose to.
  6. Will you teach any countermeasures against this kind of anti-reversing techniques?
    Ivan: It’s our intentional choice to focus on real-life cases; and it is a fact that the vast majority of samples I have worked on involved no such protections. One of the malware specimens shown in the course has Anti-VM detection, which doesn’t bother us as we are just reading the code.
  7. What malicious document formats will be analyzed in the training?
    Ivan: The malicious document studied in the course is the InPage exploit.
    Denis: The InPage file format is based upon Compound Document Format, and we will analyze how the Biodata campaign operators had embedded the shellcode into it.
  8. If you detect such antimalware techniques, will there be a link to your previous Yara training: how to write a good detection rule to find such complex anti obfuscation techniques?
    Ivan: As you will probably see, the course is quite packed as it is! We may make a comment here and there about what could be a good Yara rule, but only in passing. I am, however, certain that the training will help you write better Yara rules.
  9. Shall we also learn to write or automate these anti obfuscation tasks at scale?
    Ivan: Yes, a large part of the course focuses on defeating the various protections that prevent us from seeing the actual payload!
Topics not addressed in the Targeted Malware Reverse Engineering training
  1. The course seems to include various topics on RE. Anything that has been left out? Probably saved for a future update to the course.
    Ivan: There are many things we could not get into. Rust/Go malware, CPU architectures beyond x86 and x64, ARM arch and Mac OS, etc. But we believe we were able to provide a varied yet realistic sample of what we usually encounter.
    Denis: In the third-level reverse engineering course from Kaspersky, you may expect the use of a decryption framework to facilitate such typical reversing tasks.
  2. Does the course address any malware employing unique file formats, thus requiring one to create an IDA loader module? How often do you deal with malware that uses unique file formats? It is something I am looking to learn.
    Ivan: This is a use case not covered by the course, and in fact one that I have yet to encounter.
    Denis: One quite unique _document_ format with the shellcode in it is featured in the course, but it needs no loader module, as you understand. Pity, but your topic seems to be out of the scope of this training. We are planning to create additional reversing screencasts from time to time — let’s think about covering this, too.
Virtual lab
  1. Will it be possible to do the exercises in a personal lab at home to analyze the samples of the course?
    Ivan: Due to legal restrictions in some countries, participants are required to work in the dedicated virtual lab that we provide and the VM cannot be downloaded. The good news is that it contains all the necessary tools, including a full version of IDA Pro.
  2. Can the lab hours be extended if required?
    Ivan: Virtual machines will indeed be suspended after 100 hours of runtime. We can extend the hours on a case-by-case basis, but we expect this should be enough to complete all the tracks of the training.
  3. Do we need to RDP from a VM?
    Ivan: The virtual environment is accessed directly from the web browser.
  4. Are the VM’s stealthy for the malware, or can they be detected through redpill/no-pill techniques?
    Ivan: The VMs provided in the training make no attempt at concealing what they are. Most of the malware provided does not particularly try to prevent execution in virtualized environments, and in any case the training is focused on static analysis with IDA Pro.
  5. If we write IDA scripts, can we extract them to our home environment at the end?
    Ivan: Sadly, this will not be possible. But the scripts you write should remain relatively modest in size, and will probably not be generic enough to allow future use anyway.

You can check information on prerequisites here.

  • Do you have any good recommendations on how to prepare for the training? Any prerequisites for this course?
    Ivan: I would advise to check out the demo version of the training. It should give you an idea of whether you meet the prerequisites, and we also provide a number of third-party resources in the introduction in case you need a bit of preparation.
  • Is knowledge of cryptographic algorithms also required? Or shall we learn how to detect them in the binaries?
    Ivan: We touch on that subject lightly. In most cases, figuring out which cryptographic algorithm is used is straightforward. If not, some help will be provided during the solution segments.
  • Knowledge of which languages is required?
    Ivan: Python scripting is required at some point. Other than that, familiarity with compiled languages, such as C or C++, is recommended.
Support & feedback
  • How much support or guidance will be available if I get stuck on an exercise?
    Ivan: We will collect your requests through helpdesk. Also a monthly call with the trainers is scheduled to answer your questions about the course. Otherwise, we are generally available on Twitter: @JusticeRage and @legezo.
  • Does the Targeted Malware Reverse Engineering training provide for some kind of exam/cert at the end?
    Ivan: There is no exam as such, although each track contains challenging knowledge checks and quizzes to check your progress. Certification will be awarded to all participants who complete all the tracks of the course.
  • How much will this course cost?
    Ivan: $1,400 VAT included.
  • Future plans/Future courses
    • What is the difference between the Targeted Malware Reverse Engineering training and the upcoming third-level Advanced Malware Analysis training?
      Ivan: This is an intermediate-level course, while the upcoming one will be an advanced expert-level course.

Targeted Malware Reverse Engineering Workshop follow-up. Part 1

19 Duben, 2021 - 13:30

On April 8, 2021, we conducted a webinar with Ivan Kwiatkowski and Denis Legezo, Senior Security Researchers from our Global Research & Analysis Team (GReAT), who gave live workshops on practical disassembling, decrypting and deobfuscating authentic malware cases, moderated by GReAT’s own Dan Demeter.

Ivan demonstrated how to strip the obfuscation from the recently discovered Cycldek-related tool, while Denis presented an exercise on reversing the MontysThree’s malware  steganography algorithm. The experts also had a fireside chat with our guest Igor Skochinsky of Hex-Rays.

On top of that, Ivan and Denis introduced the new Targeted Malware Reverse Engineering online self-study course, into which they have squeezed 10 years of their cybersecurity experience. This intermediate-level training is designed for those seeking confidence and practical experience in malware analysis. It includes in-depth analysis of ten fresh real-life targeted malware cases, like MontysThree, LuckyMouse and Lazarus, hands-on learning with an array of reverse engineering tools, including IDA Pro, Hex-Rays decompiler, Hiew, 010 Editor, and 100 hours of virtual lab practice.

In case you missed the webinar – or if you attended but want to watch it again – you can find the video here: Targeted Malware Reverse Engineering Workshop (brighttalk.com).

With so many questions collected during the webinar – thank you all for your active participation! – we lacked the time to answer them all online, we promised we would come up with this blogpost.

Questions on the Cycldek-related tool analysis
  1. How do you decide whether the Cycldek-actors have adopted the DLL side-loading triad technique, or the actors normally using the DLL side-loading triad have adopted the design considerations from Cycldek?
    Ivan: It is precisely because we cannot really differentiate between the two that we have been very careful with the attribution of this specific campaign. The best we can say at the moment is that the threat actor behind it is related to Cycldek.
    Denis: Even in our training there is another track with .dll search order hijacking – LuckyMouse. I really would not recommend anyone to build attribution based on such a technique, because it’s super wide-spread among the Chinese-speaking actors.
  2. Does the script work automatically, or do you have to add information about the specific code you are working with?
    Ivan: The script shown in the webinar was written solely for the specific sample used in the demonstration. I prefer to write small programs addressing very specific issues at first, and only move on to developing generic frameworks when I have to, which is not the case for opaque predicates.
  3. Is the deobfuscation script for the shellcode publicly available?
    Ivan: It is derived from a publicly available script. However, my modifications were not made public; if they were, it would make the training a little too easy, wouldn’t it?
  4. Decryption/deobfuscation seems to be very labor-intensive. Have you guys experimented with symbolic execution in order to automate the process? Have you built a framework that you use against multiple families and (data&code) obfuscation or you build tools on ‘as needed’ basis?
    Ivan: I have always found it quicker to just write quick scripts to solve the problem instead of spending time on diving into symbolic execution. Same goes for generic frameworks, but who knows? Maybe one day I will need one.
    Denis: Decryption/deobfuscation is mostly case-based, I agree, but we also have disassembler plugins to facilitate such tasks. By the way, such a code base and the habits are the reasons that create the threshold to change the disassembler. We have internal framework for asm layer decryption, you will meet him in advanced course, but it’s up to researcher to use it or not.
  5. Any insight into the success rate of this campaign?
    Ivan: We were able to identify about a dozen organizations attacked during this campaign. If you want to know more about our findings, please have a look at our blogpost.
  6. Any hint on the code pattern that helped you connect with the Cycledek campaign?
    Ivan: You can find more about this in our blogpost. Even more details are available through our private reporting service. Generally speaking, we have a tool called KTAE that performs this task, and of course the memory of samples we have worked on in the past.
  7. About the jump instructions that lead to the same spot – how were they injected there? Manually using a binary editor?
    Ivan: The opaque predicates added in the Cycldek shellcode were almost certainly inserted using an automated tool.
  8. I am one of the people using the assembly view. After the noping stage usually I have to suffer the long scrolling. You mentioned there is a way to fix this?”
    Ivan: Check out this script I published on GitHub a couple of months ago.
  9. Can xmm* registers and Pxor be used as code patterns Yara signatures?
    Ivan: This is in fact one of the signatures I wrote for this piece of malware.
Questions on analysis of the MontysThree’s malware steganography algorithm
  1. Do you think there was a practical reason to use steganography as obfuscation, or the malware developer did it just for fun?
    Denis: In my experience, most steps the malefactors take are on purpose, not for fun. With steganography they are trying to fool the network security systems like IDS/IPS: bitmaps are not too suspicious for them. Let me also add that the campaign operators are human, too, so now and again there will be Easter eggs in their products — for example, take a look at the Topinambour track and the phrases used as decryption keys and beaconing.
  2. What image steganography algorithm have you seen hiding in the wild recently, other than LSB?
    Denis: As far as I know, it is LSB alright — Microcin, MontysThree. I would expect some tools to be creating such images for the operators. But take a look at the function we ended during the short workshop: depending on the decrypted steganography parameters, it could be not just LSB, but the “less significant half a byte” as well.
  3. Are there any recent malware samples incorporating network steganography in their C&C-channels, the way the DoublePulsar backdoor did using SMB back in 2017?
    Denis: I suppose you mean the broken SMB packages. Yes, the last trick of the kind I saw was the rare use of HTTP statuses as C2 commands. You might be surprised to learn how many of them there are in RFCs and how strange some of them are, like “I’m the kettle”.
Reverse Engineering: how to start a career, working routines, the future of the profession
  1. How does one get into malware reverse engineering? What are the good resources to study? How can one find interesting malware samples?
    Ivan: You can find a solid introduction at https://beginners.re/. Next, check out https://crackmes.one/ which contains many programs designed to be reverse-engineered, so one can finally move on to malware samples. Worry not about finding the “interesting” ones early on; just try to get good at it, document what you do, and you will find yourself in no time being able to access all the data you could wish for.
    Denis: Do you like meditating on the code and trying to understand it? Then I suppose you already have everything you need. I think you should not bother looking for interesting ones in the beginning (if I get your question right) – everything will do. In my experience, the the ones on which you would progress more are written by professional programmers, not malware writers, because they just cannot do away with their habit of structuring the data and code, making it multi-thread safe, etc.
  2. Now an experienced malware reverse engineer, where did you start from? Do you have any solid math/programming background from where you moved on to malware reverse engineering? Or what would be the typical path?
    Ivan: I have a software engineering background, and my math expertise is shaky at best. After having met so many people in this field, I can say confidently that there is no typical path beyond being passionate about the subject.
    Denis: Personally I have a math/programming background, but I couldn’t agree more: it’s more about passion than any scientific education.
  3. If you are reverse engineering malware, do you work as a team?
    Ivan: While several researchers can investigate a campaign together, I usually work on samples alone. The time it takes to wrap up a case may vary between a week and several months, depending on the complexity of the investigation!
    Denis: Reversing itself is not the task that is easy to distribute/parallel. In my experience, you would spend more time organizing the process than benefit from the work of several reversers. Typically, I do this part alone, but research is not limited to binary analysis: the quest, the sharing of previous experiences with the same malware/tools, and so forth — it is a team game.
  4. What do you think about AI? Would it help to automate the reverse engineering work?
    Ivan: I think at the moment it is still a lot more A than I. I keep hearing sales pitches about how it will revolutionize the infosec industry and I do not want to dismiss them outright. I am sure there are a number of tasks, such as malware classification, where AI could be helpful. Let’s see what the future brings!
    Denis: OK, do you use any AI-based code similarity, for example? I do, and you know — my impression so far is we still need meat-based engineers who understand how it works to use it right.
  5. How helpful is static analysis, considering the multiple advanced sandboxing solutions available today?
    Ivan: Sandboxing and static analysis will always serve complementary purposes. Static analysis is fast and does not require running the sample. It is great to quickly gather information about what a program might do or for triage. Dynamic analysis takes longer, yields more details, but gives malware an opportunity to detect the sandboxed environment. Then, at the very end, you do static analysis again, which involves reverse-engineering the program with a disassembler and takes the longest. All have their uses.
    Denis: Sometimes you need static analysis because of the multiple advanced anti-sandboxing tricks out there. You also reveal far more details through static analysis if you want to create better Yara rules or distinguish a specific part of custom code to attribute samples to specific developers. So it is up to you how deep the rabbit hole should be.
Tips on tools, IDA and other things
  1. Do you contribute to Lumina server? Does Kaspersky have any similar public servers to help us during our analysis?
    Ivan: My understanding is that Lumina is most helpful when used by a critical mass of users. As such, I do not think it would make sense to fragment the community across multiple servers. If you are willing to share metadata about the programs you are working on with third-parties, I would recommend to simply go with an Hex-Rays’ instance.
    Denis: No, I have never contributed to Lumina so far. I don’t think it is going to be too popular for threat intelligence, but let us wait and see — public Yara repositories are there, so maybe code snippets might also meet the community’s needs.
  2. What tools and techniques do you recommend for calculating the code similarity of samples? Is this possible with IDA Pro?
    Ivan: For this, we have developed a commercial solution called KTAE. That’s what we regularly use internally.
    Denis: Personally, I am using our KTAE. As far as I know, the creating of custom FLIRT signatures right in IDA could partially cover this need.
  3. Is there any specific reason why you are using IDA under wine? Does it have anything to do with the type of samples you are analyzing?
    Denis: I used to have Windows IDA licenses and Linux OS historically, so wine is my way of using disassembler. It does not affect your analysis anyway — choose any samples you want under any OS.
  4. What is your favorite IDA Pro plugin and why?
    Ivan: One of the internal plugins developed by Kaspersky. Other than that, I use x64dbgida regularly and have heard great things about Labeless.
    Denis: For sure our internal plugins. And it’s not because of the authorship, they just perfectly meet our needs.
  5. Do you have a plan to create/open an API so we can create our own processor modules for decompilers (like SLEIGH in Ghidra)? The goal being to analyze VM-based obfuscation.
    Igor: Unlikely to happen in the near future but that’s something we’re definitely keeping in our minds.

If you have any more questions about Ivan’s workshop on the Cycldek-related tool or about the Targeted Malware Reverse Engineering online course, please feel free to drop us a line in the comments box below or contact us on Twitter: @JusticeRage, @legezo and @IgorSkochinsky. We will answer the rest of the questions in our next blogpost – stay tuned!