Kaspersky Securelist

Syndikovat obsah Securelist
Aktualizace: 27 min 5 sek zpět

DDoS attacks in Q4 2019

13 Únor, 2020 - 11:15

News overview

In the past quarter, DDoS organizers continued to harness non-standard protocols for amplification attacks. In the wake of WS-Discovery, which we covered in the previous report, cybercriminals turned to Apple Remote Management Service (ARMS), part of the Apple Remote Desktop (ARD) application for remote administration. The first attacks using ARMS were registered back in June 2019, and by early October the protocol was being used by DDoS-as-a-service providers; such attacks have since become widespread. According to the BinaryEdge portal, at the beginning of the quarter, nearly 40,000 systems running macOS with ARMS were available online.

Q4 was also marked by the growing number of peer-to-peer (P2P) botnets. Unlike the classic sort, these are independent of C&C servers, and thus more difficult to neutralize. In Q4 2019, researchers at 360 Netlab told about two new such botnets. The first, nicknamed Roboto, attacks Linux servers through a known vulnerability in the Webmin remote administration application. Experts note that the botnet has yet to carry out a DDoS attack, although it does have the functionality. The second P2P network, Mozi, is aimed at IoT devices and distributed using the DHT protocol, which is applied in distributed networks, such as BitTorrent, to quickly set up a P2P network. Mozi’s authors seemingly borrowed part of the code from the Gafgyt malware, which was designed to create a “classic” botnet.

Gafgyt’s developers also updated their creation. Researchers from Palo Alto Networks detected a new version of the malware that attacks Huawei HG532, Realtek RTL81XX, and Zyxel P660HN-T1A routers. The new version of the bot has even learned to wipe competitors from infected devices.

While some cybercriminals are updating their arsenal, others are using already proven tools and methods. For instance, in October and November 2019, researchers observed a wave of TCP reflection attacks. This method involves sending requests to legitimate services under the guise of the victim, who is then flooded with responses, so the IP addresses of the attackers do not light up. Over the past two years, such attacks have been on the rise. In October, the betting website Eurobet fell victim to cybercriminals, followed by several other sports betting organizations. Later that same month, a flurry of TCP reflection attacks hit financial and telecommunications companies in Turkey. Also named among the targets were Amazon and SoftLayer (a subsidiary of IBM).

Q4 saw attacks on Internet service providers in South Africa continue. In late October, cybercriminals overwhelmed Echo Service Provider — which serves the local providers Afrihost, Axxess, and Webafrica — with junk traffic. Clients of these organizations experienced downtime when connecting to foreign segments of the Internet. The attack reoccurred approximately one month later, and this time the list of victims included the providers RSAWEB and Cool Ideas.

Among the DDoS attacks launched against commercial organizations, worth highlighting is the campaign in October against financial institutions in South Africa, Singapore, and Scandinavia. The attackers sent emails to the victims, threatening to disable their systems and demanding a ransom; and to prove their intent, they carried out a short demonstration DDoS attack. For added effect, they posed as the infamous APT group Fancy Bear, inviting victims to look online for information about their past exploits. When the media reported the attacks, the ransomers renamed themselves Cozy Bear.

Curiously, the media failed to mention a single large-scale DDoS attack timed to coincide with the runup to the festive period. But political incidents did get coverage. For instance, on November 11 and 12, a month before the UK general election, attackers tried to disable the campaign site of the Labour Party.

In December, media outlets in Kyrgyzstan that had reported an investigation into the expenses of the wife of a former official suffered from DDoS attacks. A total of seven organizations were temporarily taken down by the hired hands of the disgruntled party. Another news portal later joined the list of victims, but perhaps for a different reason.

The Minecraft server of the Vatican (that’s right) was bombarded with junk traffic immediately after launch, in what could be described as an ideological attack. The purpose of the server was to create a “less toxic environment” for players, but the project attracted not only peace-loving players. The Vatican is now beefing up its protection. Ubisoft too was engaged in DDoS fire-fighting. The developer adopted a complex of measures to protect the servers of its video game Rainbow Six Siege, which had been on the receiving end of regular attacks. As a result, according to the company, the number of incidents decreased by 93%.

Law enforcement agencies were conspicuous in the struggle against DDoSers. For instance, in early November, Chinese authorities announced the arrest of a group which controlled a botnet of more than 200,000 infected sites. The operation took place in 20 cities; 41 people were detained. In the second half of the same month, the US sentenced Sergey Usatyuk to 13 months’ imprisonment for running DDoS-for-hire services together with an unknown accomplice in Canada. The cybercriminals had been active from 2015 to 2017. In the first 13 months of the operation, the service was used by 386,000 clients and 3.8 million DDoS attacks were carried out.

Quarter and year trends

As we predicted, Q4 saw an increase in the number of attacks relative to the previous reporting period. Although the rise in the total number of incidents was modest, smart attacks grew by a quarter, which is a fair amount. What’s more, not only the number of attacks increased, but their average duration. This was expected, since Q4 is a period of retail warfare, and we observe an increase in attacks from October to December every year.

If we compare the Q4 indicators with those for the same period last year, we see a near doubling in 2019. The end of 2018 was really very calm; we only noticed renewed growth in the attack market after a significant drop, which we wrote about in last year’s report. Back then, we correctly predicted a further rise in the number of attacks. This is clearly seen when comparing full data for 2018 and 2019.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Comparison of the number and duration of DDoS attacks in Q3 and Q4 2019, as well as Q4 2018; the Q4 figures were taken as the 100% reference value (download)

Overall, in 2019 we observed clear growth in all indicators compared to 2018. The total number of smart attacks saw particularly significant growth, as did their average duration. Last year, we forecast a rise in DDoS attacks, but did not expect such a leap.

The maximum duration of attacks also climbed, but not as significantly. In calculating the indicators, we excluded from the statistics an abnormally long attack carried out in Q3 2019, because it was an outlier case that would have unfairly distorted the annual figures.\

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Comparison of the number and duration of DDoS attacks in 2018 and 2019; the 2019 figures are taken as the 100% reference value (download)

Although Q4 saw an increase in the number and duration of DDoS attacks relative to the previous reporting period, we link this to the specifics of the quarter, not to a market trend. Seems like the DDoS market have re-stabilized — we see no prerequisites for either a fall or further growth. There have been no high-profile arrests or closures of specialized websites for quite some time, and the cryptocurrency market is not showing explosive growth. Nor have any serious vulnerabilities that would facilitate attacks been found recently. Looking at the trends of past years, we expect a slight decline in Q1 2020, yet will hazard a prediction that in absolute terms it will still be higher than the same period for 2019. Last year was an interesting one in the world of DDoS attacks. Let’s hope that 2020 decides to be boring.

Statistics Methodology

Kaspersky Lab has a long history of combating cyber threats, including DDoS attacks of all types and complexity. Company experts monitor botnets using the Kaspersky DDoS Intelligence system.

A part of Kaspersky DDoS Protection, the DDoS Intelligence system intercepts and analyzes commands received by bots from C&C servers. The system is proactive, not reactive, meaning that it does not wait for a user device to get infected or a command to be executed.

This report contains DDoS Intelligence statistics for Q4 2019.

In the context of this report, the incident is counted as a single DDoS-attack only if the interval between botnet activity periods does not exceed 24 hours. For example, if the same web resource was attacked by the same botnet with an interval of 24 hours or more, then this is considered as two attacks. Bot requests originating from different botnets but directed at one resource also count as separate attacks.

The geographical locations of DDoS-attack victims and C&C servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.

DDoS Intelligence statistics are limited to botnets detected and analyzed by Kaspersky Lab. Note that botnets are just one of the tools used for DDoS attacks, and that this section does not cover every single DDoS attack that occurred during the review period.

Quarter summary
  • China again took first place in terms of number of attacks, although its share slightly decreased (58.46% against 62.97% in Q3).
  • Two newcomers entered the Top 10: Japan (straight in at number three with 4.86%) and Vietnam (0.68%), while South Africa and the Netherlands dropped out.
  • The Top 3 countries by number of targets traditionally coincides with leaders by number of attacks: China (53.07%), the US (22.01%), and Japan (6.14%).
  • The past quarter was characterized by a low number of attacks: the most active days saw just over 250 attacks, and the quietest only eight.
  • DDoS botnet activity was distributed fairly evenly throughout the quarter itself and on individual days of the week, with the safest and most dangerous days differing by just 2.5 p.p.
  • The three longest attacks lasted more than 20 days (494, 492, and 486 hours), which is almost twice as long as last quarter’s leader.
  • Among the attack types, SYN flooding (6%) still leads. The share of TCP-based attacks continued to grow and overtook UDP flooding, while ICMP flooding showed a significant increase.
  • The ratio of Windows and Linux botnets remained virtually unchanged, with the latter still responsible for the overwhelming majority (97.4%) of attacks.
  • The number of C&C servers in absolute terms more than halved. In the US, the absolute number changed slightly less, leading to a sharp increase in the country’s share in the overall picture (58.33% up from 47.55%), while the Netherlands this quarter fell from second position to the foot of the table.
Attack geography

In the past quarter, China held on to the lead in terms of number of attacks, although its share continued to decline (this time by 4.5 p.p. down to 58.46%). The US position did not change either, remaining in second place, with 17.49% of all attacks (almost the same as last quarter’s 17.37%). Third position enjoyed no such stability: Hong Kong, the previous occupier, fell two places to fifth (3.73% against 5.44%), making way for Romania (fourth place with 4.56%, up almost 3.5 p.p.) and Japan, which not only entered the Top 10 for the first time in a year, but shot straight into third place (4.86% against last quarter’s 0.2% and 18th place).

Another newcomer to the ranking is Vietnam. Having narrowly failed to reach the Top 10 in Q3 (11th place), at the end of the year the country experienced a rise of 0.13 p.p. in its share of attacks, enough to cross the threshold. South Africa flew out of the Top 10 almost as swiftly as it had flown in, swapping fourth place for 15th. Slightly less sharp, but also significant, was the drop in the share of attacks on targets in the Netherlands, relegating the country to 14th position.

There were no major changes in the rest of the Top 10, only some shuffling of places. Romania rose from sixth place to fourth with 4.56%; South Korea from eighth to seventh (0.94%), and Canada tenth to eighth (0.83%). The UK (1.01%) and Singapore (0.72%), meanwhile, fell slightly — from fifth to sixth and seventh to ninth, respectively.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Distribution of DDoS attacks by country, Q3 and Q4 2019 (download)

The geography of unique targets is traditionally similar to the distribution of the attacks themselves. The Top 3 in both cases is identical. The share of targets in China also fell against Q3, down to 53.07%; the US still accounts for around a fifth of targets (22.01%), while Japan’s share increased 20-fold to 6.14%.

The Top 5 was again rounded out by Romania and Hong Kong, but in reverse order: this time fourth place went to the latter (4.14%), and fifth to the former (1.95%). The UK (1.53%) retains sixth place in both categories. It is followed by Canada (0.93%) and Vietnam (0.84%). Propping up the Top 10 are Australia (0.82%), up from 14th place over the quarter, and Singapore (0.78%). As such, this quarter’s newcomers — Japan, Australia, and Vietnam — squeezed out the leaders by number of unique targets — South Africa, the Netherlands, and France, which occupied 14th, 12th, and 11th places this quarter, respectively.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Distribution of unique DDoS-attack targets by country, Q3 and Q4 2019 (download)

Dynamics of the number of DDoS attacks

Q4 was even calmer than the preceding quarter. Even on the stormiest days (November 24 and December 11), the number of attacks barely exceeded 250 (recall that last year’s likewise relatively calm Q4 experienced a maximum of 457 attacks per day — almost twice as many). The total number of days that saw more than 200 attacks was also small — besides those already mentioned, October 6 and 7 and November 25 were also quite turbulent. Meanwhile, the quietest day, October 13, set a new record with only eight attacks recorded (the previous record-holder being May 25, 2018, with 13 attacks).

Curiously, this year there were no typical Q4 peaks on Black Friday and over Christmas: both periods were reasonably calm, and the attacks throughout the quarter were distributed fairly evenly.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Dynamics of the number of DDoS attacks in Q4 2019 (download)

The attack distribution by day of the week also flattened out considerably: the difference between the calmest and most dangerous day was only about 2.5 p.p. (having approached 7.7 p.p. in the previous reporting period). Attack organizers this quarter were particularly busy on Tuesdays (15.46%), and preferred to put their feet up on Thursdays (12.98%). The former first- and second-placed Monday (down 3.5 p.p.) and Sunday (up nearly 2.5 p.p.) showed the biggest change against the preceding quarter.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Distribution of DDoS attacks by day of the week, Q3 and Q4 2019 (download)

Duration and types of DDoS attacks

While the number of attacks fell, their duration rose significantly compared to the previous quarter. As such, the three longest attacks in the three-month period were ongoing for more than 20 days (494, 492, and 486 hours), while in the quarter before not a single one lasted 12 days. Nevertheless, the record for duration remains an attack carried out in Q2 2019 (506 hours, more than 21 days).

The average attack duration stayed approximately unchanged, while the share of the longest attacks (more than 140 hours) fell by a third to just 0.08%. Meanwhile, the share of the shortest attacks (up to 4 hours) also dropped in relative terms, decreasing by 2.5 p.p. to 81.86%.

But the proportion of attacks lasting 100–139 hours grew slightly (0.14%), as did attacks lasting 10–19 and 5–9 hours (5.33% and 10.19%, respectively). The two middle groups — attacks lasting 20–49 and 50–99 hours — fell insignificantly to 2.05% and 0.36%, respectively.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Distribution of DDoS attacks by duration (hours), Q3 and Q4 2019 (download)

The share of SYN flooding this quarter amounted to 84.6%, while UDP attacks surrendered second place to TCP, but only by a whisker (5.8% of all attacks against the latter’s 5.9%). The popularity of TCP attacks thus continues to grow (recall that last quarter they moved past HTTP flooding). The bottom two places did not change, although the shares of both types in the total number of attacks increased slightly: HTTP gained 0.5 p.p. (2.2%), while ICMP added 1.1 p.p. (1.6%).

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Distribution of DDoS attacks by type, Q4 2019 (download)

Linux botnets did not partake in the growth trend: this quarter their share marginally decreased to 97.4% (against 97.75% in the previous quarter). Accordingly, the share of Windows botnets grew by the same amount (0.35 p.p.) to 2.6%.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Ratio of Windows/Linux botnet attacks, Q3 and Q4 2019 (download)

Botnet distribution geography

In Q4 last year, the vast majority of botnets (58.33%) were registered in the US (up from 47.55% in the previous quarter). At the same time, the absolute number of C&C servers in the country almost halved.

The UK (14.29%) moved to runner-up spot, and China retained third (9.52%, roughly 3 p.p. higher than the quarter before). Fourth and fifth places this quarter went to Russia (3.57%) and Iran (2.38%), which climbed from 11th place. The combined share of other countries in the distribution of botnets is below 2%.

The most significant drop in the number of C&C servers was observed in the Netherlands, down from 45 to just one. In Germany and Vietnam, both in last quarter’s Top 10, no active botnets were registered this quarter.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Distribution of botnet C&C servers by country, Q4 2019 (download)

Conclusion

Q4 2019 saw stability in some areas and sharp changes in others. For instance, in the geographical distribution, Japan broke straight into the Top 3, while two of the previous quarter’s newcomers, contrary to the norm, secured a footing in the Top 10. At the same time, the geographical distribution of unique targets traditionally mirrors the distribution of the total number of attacks.

Another notable difference between Q3 and Q4 last year was the number and chronology of attacks. Thus, at the end of the year, the distribution by month, as well as by day of the week, was far more uniform. To the surprise of experts, the traditional peaks on Black Friday and over the Christmas and New Year season did not materialize. The duration of the longest attack almost doubled, coming dangerously close to the record set in Q2 2019.

Tellingly, in the last quarter of the year, the number of both attacks and C&C servers fell sharply, while the number of extra-long attacks (over 400 hours) was the highest ever recorded in the history of our observations. This is perhaps evidence of an upward trend in the number of complex and meticulously planned attacks, albeit at the expense of the total number of attacks.

KBOT: sometimes they come back

10 Únor, 2020 - 15:00

Although by force of habit many still refer to any malware as a virus, this once extremely common class of threats is gradually becoming a thing of the past. However, there are some interesting exceptions to this trend: we recently discovered malware that spread through injecting malicious code into Windows executable files; in other words, a virus. It is the first “living” virus in recent years that we have spotted in the wild.

We named it KBOT, and Kaspersky solutions detect the malware and its components as Virus.Win32.Kpot.a, Virus.Win64.Kpot.a, Virus.Win32.Kpot.b, Virus.Win64.Kpot.b, and Trojan-PSW.Win32.Coins.nav.

What does KBOT do

KBOT penetrates users’ computers via the Internet or a local network, or from infected external media. After the infected file is launched, the malware gains a foothold in the system, writing itself to Startup and the Task Scheduler, and then deploys web injects to try to steal the victim’s bank and personal data. For the same purpose, KBOT can download additional stealer modules that harvest and send to the C&C server almost full information about the user: passwords/logins, cryptowallet data, lists of files and installed applications, and so on. The malware stores all its files and collected data in a virtual file system encrypted using the RC6 algorithm, making it hard to detect.

Number of Virus.Win32.Kpot detections, March — December 2019

Infection methods

KBOT infects all EXE files on connected logical drives (HDD partitions, external media, network drives) and in shared network folders by adding polymorphic malicious code to the file body. To do so, the malware listens to the connection events of local and network logical drives using the IID_IwbemObjectSink interface and a query of type SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA ‘Win32_LogicalDisk, and overrides the Indicate function of the IWbemObjectSink interface, where for each drive it performs recursive scanning of directories and infects EXE files.

The malware retrieves paths to shared network resources using the API functions NetServerEnum and NetShareEnum, before scanning directories and infecting executable EXE files:

Like many other viruses, KBOT patches the entry point code, where the switch to the polymorphic code added to the start of the code section is implemented. As a result, the original code of the entry point and the start of the code section are not saved. Consequently, the original functionality of the infected file is not retained.

Virus code at the entry point

The jmp command makes the switch to the polymorphic code:

The virus also adds encrypted data to the end of one of the following sections: .rsrc, .data, .rdata. Data located after the selected section is shifted. At the same time, the parameters of the relocation table directory, resources directory, imports directory, parameters of sections, and other PE file parameters are modified accordingly. The encrypted data contains the body of the main malware module (DLL library), as well as code for decrypting, loading into memory, and running this library. The data is encrypted using the XOR method, plus the library is additionally encrypted with the RC4 algorithm and compressed using Aplib.

Example of an infected file

At the end of the polymorphic code is a classic piece of code for obtaining the kernel32.dll base:

Next, the API address of the VirtualProtect function is retrieved and used to set permissions to write and execute encrypted virus data located at the end of the above-mentioned .rsrc, .data, and .rdata sections. The data is decrypted, and the switch to the relevant code is made:

The code decrypts the DLL library with basic bot functionality (encrypted using RC4 and compressed using Aplib), maps the library headers and sections into memory, resolves the imports from the import directory, does manual relocations using information from the relocation table directory, and executes the code at the library entry point.

KBOT functions Injects

To conceal malicious activity in the system and its ability to operate in the context of system applications, KBOT attempts to inject code into running system processes.

Using the API functions OpenProcess/OpenProcessToken and GetTokenInformation, it retrieves the SID of the process into whose address space the main malware module is loaded. If the SID of the process matches WinLocalSystemSid, KBOT uses the CreateProcess API with the CREATE_SUSPENDED flag to create the new process svchost.exe, and then performs a classic inject: using the API functions NtCreateSection/NtMapViewOfSection, it allocates memory in the address space of the svchost.exe process, where it copies the header and sections of the main module, after which it resolves the imports from the import directory and does manual relocations using information from the relocation table directory. Next, KBOT calls the CreateRemoteThread/RtlCreateUserThread API with the address of the entry point. If the SID of the process does not match WinLocalSystemSid, the malware sets SeDebugPrivilege debug privileges and tries to perform a similar inject in the running processes services.exe and svchost.exe, whose SIDs match WinLocalSystemSid, as well as in the explorer.exe process.

KBOT also injects the DLLs specified in the injects.ini file (located in the virtual file storage) into the processes listed in the same INI file. Configuration files, including injects.ini, are encrypted in one of the last sections of the main module of the bot, from where they are read, decrypted, and moved to the virtual file storage. The sample first searches for the current version of the required file in its storage (it might be that the current version was previously retrieved from the C&C); in case of failure, it reads the file data from the original version, which is located in the body of the bot itself in encrypted form. A special bot module — JF (joined files) — handles the processing of such files. At the start of the encrypted data of every such file, there is a structure with a data description containing a JF signature.

Description of the data processing procedure of the configuration file

The structure with the description of the encrypted file data corresponds to each encrypted file attached:

Example of injects.ini:

The above-mentioned JUPITER.32 and JUPITER.64 are DLLs that perform web injects that help the malware steal users’ personal data entered in browsers: passwords, credit card/wallet numbers, etc.; such injects are carried out through spoofing web page content as a result of injecting malicious code into the HTTP traffic. For this, it is necessary to modify the code of the browser and system functions responsible for the transmission and processing of traffic. To do so, after performing an inject in the system and browser processes, the web-injects library patches the code of functions in popular browsers (Chrome, Firefox, Opera, Yandex.Browser) and the code of system functions for transmitting traffic:

The list of injects from the configuration file is stored by the malware in a global array of inject descriptors — a functionality analogous in many ways to the Rovnix bootkit.

Below we give an example of the configuration file kbot.ini, where Hosts is the C&C list and ServerPub is the public key for data encryption:

DLL hijacking

So as to operate in the address space of a legitimate system application when the system boots, the malware performs a DLL hijacking attack by infecting the system libraries specified in the import directory of the system executable file and placing them next to the system file, which is then written to Startup.

In the system folder C:\Windows\\System32, the malware searches for executable EXE files suitable for attack, excluding from consideration the following files:

  1. Containing the strings level=”requireAdministrator” and >true in the manifest. That is, executable files that need administrator rights to run. Calling such applications invokes a UAC dialog box.
  2. Containing in the import table library names starting with API-MS-WIN- and EXT-MS-WIN-. That is, files that contain virtual library names in imports and use the API Set redirection table in ApiSetSchema.dll. For such files, DLL hijacking is impossible to implement, because virtual names are translated into system library names with full paths.
  3. The names of which are contained in the stop list:

Having found an executable file that meets all the criteria, KBOT creates a folder with an arbitrary name in the system directory, and copies the detected EXE file to it, as well as the system DLLs located in the import directory of the executable file. To perform these operations with administrator privileges, the malware generates a shellcode (based on this code) using EIFOMoniker Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}”.

The above shellcode functionality

This shellcode, along with the necessary parameters, is injected into the explorer.exe process using the CreateRemoteThread API function.

After copying, the virus creates an arbitrarily named file in the same folder, which is an encrypted file storage; VFAT is used as the file system. Located in the storage is the current version of the main bot module, configuration files received from the C&C, system information, and other service data.

As a result, the directory containing the system application, DLLs from the import directory, and the KBOT service data storage looks as follows (the file name of the malware’s encrypted virtual storage is highlighted red):

Next, KBOT infects the copied system libraries. The code of the DLLEntryPoint entry point is overwritten with the following code:

As when infecting the executable file, the virus adds polymorphic code to the code section and encrypted code at the end of one of the .rsrc, .data, or .rdata sections. Unlike the code added to the EXE file, this code does not contain the encrypted main module of the bot, rather it reads and decrypts it from the file storage. Functions imported by the system EXE file from the created folder have their start overwritten with the code for performing the switch to the polymorphic code:

The further operating algorithm of the malicious code is analogous to that of the malicious code in the infected EXE files, except that the main bot module is read from the encrypted storage. The original data of the infected DLLs is not saved.
Encrypted code at the end of the last section of the DLL:

In this way, after the system EXE file is started, the imported DLLs located next to it are loaded into the address space of the process. After calling the imported functions, the malicious code is executed.

Startup

To run at system startup, the malware uses the following methods:

  1. It writes itself to Software\\Microsoft\\Windows\\CurrentVersion\\Run.
    To prevent a UAC window from appearing, it sets the value of the __compat_layer environment variable to RunAsInvoker. Using the CreateDesktop API, it creates a new desktop. Within the framework of this desktop, it uses the CreateProcess API to launch the regedit.exe process. It injects into this process the shellcode, which uses API functions for working with the registry to write the full path of the system EXE to the specified registry key.
  2. Using WMI tools, a task is created to run the system EXE file in Task Scheduler, next to which are the infected malicious DLLs (see DLL hijacking above).

KBOT performs a preliminary check of the current tasks in Task Scheduler, reads the contents of DLLs imported from the tasks by the EXE files, and searches for the infection signature data:

If there are no tasks with infected files, it creates a new task on behalf of the local system account (S-1-5-18) without a user name:

Task parameters:

Example of XML with the created task:

Remote management

To remotely manage the victim’s computer, KBOT establishes reverse connections with the servers listed in the BC.ini file.

To create several simultaneous sessions using the RDP protocol, the malware configures the Remote Desktop Server settings:

  1. It finds processes that have the termserv.dll library loaded in their memory.
  2. It patches the memory section of the found process where termserv.dll is loaded. Different patching code is applied for different system versions.
  3. During the patching process, it searches the memory of the module for specific sets of bytes, and replaces them with those specified.

Next, KBOT duly edits the values of the registry keys responsible for TermService settings (not all editable values are listed):

  • HKLM\SYSTEM\ControlSet\Control\TerminalServer\LicensingCore\ EnableConcurrentSessions
  • HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\EnableConcurrentSessions
  • HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\ AllowMultipleTSSessions
  • HKLM\SOFTWARE\Policies\Microsoft\WindowsNT\TerminalServices\MaxInstanceCount

It then restarts TermService and creates a user in the system for remote connections with the SID WinBuiltinRemoteDesktopUsersSid.

C&C communication

The malware, according to a timer and in a separate thread, starts a process for receiving and processing commands from the server. The list of commands is sent in the form of a buffer. To receive commands, the wininet.dll APIs for network connections are used. The domains for receiving commands are located in the hosts.ini file, which the malware periodically updates. All configuration files with C&C data and connection parameters are stored in encrypted form in one of the last sections of the main bot module; newer versions are stored in an encrypted VFAT storage, as previously mentioned. Files received from C&C are placed in an encrypted storage.

Example of hosts.ini configuration file

Bot IDs and detailed information about the infected system (computer name, domain, system language and version, list of local users, list of installed security software, etc.) are sent to C&C in advance. Traffic is encrypted using the AES algorithm:

The malware can receive the following commands from the C&C server:

  • DeleteFile — delete the specified file from the file storage.
  • UpdateFile — update the specified file in the file storage.
  • UpdateInjects — update injects.ini.
  • UpdateHosts — update hosts.ini.
  • UpdateCore — update the main bot module and the configuration file kbot.ini.
  • Uninstall — uninstall the malware.
  • UpdateWormConfig — update worm.ini containing information about the location of EXE files to be infected.

    Example of worm.ini

  • UpdateBackconnectConfig — update the configuration file with the list of servers for reverse connections.

    Example of bc.ini

  • Load — load the file into the storage; it loads spyware programs for collecting user data, as well as DLLs for web injects (saved under the names JUPITER.32 and JUPITER.64), their configuration files, etc.

    Example of part of the configuration file for a web inject

Obfuscation

To complicate the analysis of its malicious activity, KBOT uses a set of obfuscation tools. When it loads, the main bot module checks whether the imported functions are patched for breakpoints; if so, it reloads the imported DLLs into memory, zeroes the names of the imported functions, and uses string obfuscation. The encrypted strings are stored in a special array of structures; to access them, the decryption function is called with the number of the string structure in the array. The strings are encrypted using the RC4 algorithm, and the decryption key is stored in the structure.

Example of an array of structures with a description of the strings

Access to the string:

Decryption function:

Obfuscation of the DLL that performs the web injects

The malware suspends threads of the well-known vendor’s security solution (like the Carberp Trojan), and in the context of its process finds threads whose code was run from DLLs located at the path mask *\\Trusteer\\Rapport\\*.dll

Next, the malware scans the contents of the DLL for signatures of interest to it. If any are present, it suspends execution of the thread, patches the context so that it performs the Sleep function, and resumes the thread:

KBOT then scans the code of the imported functions for patches. If the code is patched (for example, a 0xcc breakpoint has been added), it reloads the imported libraries into memory and resolves imports.

Conclusion

The KBOT virus poses a serious threat, because it is able to spread quickly in the system and on the local network by infecting executable files with no possibility of recovery. It significantly slows down the system through injects into system processes, enables its handlers to control the compromised system through remote desktop sessions, steals personal data, and performs web injects for the purpose of stealing users’ bank data.

IOC

Executable files:
Infected EXEs:
x86 — 2e3a7d4cf86025f5873ebddf3dcacf72
x64 — 46b3c12b44f587ae25d6f38d2a8c4e0f
Infected DLLs:
x86 – 5f00df73bb6e84c49b9bf33ff1d552c3
x64 – 1c15c98bc57c48140558d0e8d71b4ecd
Stealer:
c37058752b2c055ff3a3b3eac50f1350

C&C
213.252.245.229
my-backup-club-911[.]xyz
213.252.245.146/au.exe
sync-time[.]info/au.exe
sync-time[.]icu/au.exe
sync-time[.]club/au.exe

Happy New Fear! Gift-wrapped spam and phishing

7 Únor, 2020 - 11:01

Pre-holiday spam Easy money

In the run-up to Christmas and New Year, scam е-mails mentioning easy pickings, lottery winnings, and other cash surprises are especially popular. All the more so given how simple it is to adapt existing schemes simply by mentioning the holiday in the subject line.

For example, one scam е-mail with the subject line “Xsmas gift” or “Xmas offer” talks about a “special donation” and provides a contact е-mail address for more information. Recipients who respond are lured into parting with a sum of money through social engineering.

Scammers offering “Xmas gifts” are very persistent

Another Christmas-related scheme aims to steal cryptocurrency. Scammers offer the chance to earn some bitcoins before the holiday period using “secret” software that can be downloaded via a link:

After downloading and running the program (the malware Hoax.Win32.Agent.gen.), the user is prompted to enter their cryptowallet credentials and wait until the request is executed.

Next, the user is informed that the cryptocurrency will be credited to their account immediately after they pay a transfer fee. The result is predictable — the user earns no bitcoins, and the “fee” goes to the scammers.

Extortion

Standard extortion schemes are also adapted for the festive period. For instance, the authors of this е-mail threaten to spoil the victim’s Christmas by smearing them as a pedophile. To prevent this, the recipient needs to transfer the equivalent of $5,000 in bitcoin to the extorters:

Malicious mailings and the corporate sector

Corporate е-mail addresses are also on the cybercriminal radar. To extract confidential information from recipients, or install malware, scammers mask malicious е-mails as business correspondence. In the pre-holiday period, when sales are on the rise, retail finds itself in a special risk zone. E-mails with malicious attachments (DOC or XLS) are sent under the guise of messages related to orders for goods.

For example, hidden in the attachment to this е-mail is Trojan-Downloader.MSOffice.SLoad.sb, which in turn downloads other malware to the victim’s computer:

Malicious attachments can also be disguised as invoices and payment notices. The archive attached to this е-mail actually contains the Trojan-PSW.MSIL.Agensla.hdt stealer, which harvests logins and passwords, and then sends them to the cybercriminals:

 

Statistics

The share of spam as a percentage of world email traffic gradually increased throughout the entire Q4 2019 and in December amounted to 57.26%. Thus it almost reached the maximum value for the second half of the year — 57.78% (which we recorded in August).

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

The share of spam in global email traffic, Q3 and Q4 2019 (download)

A similar picture was observed in Russia. However, in the fall the growth was less pronounced:
From September to November the amount of spam traffic grew by a total of 0.86 percentage points (compared to a growth rate of 1.14 percentage points for the entire world) to reach 51.15% of total email volume. However, during the last month of the year, the share of spam jumped dramatically by 3.36 p.p. (compared to only 1.44% for the entire world) and exceeded even the summer indicators (54.51% in December as opposed to 53.5 % in July and 53.76% in August). Most likely, such a sharp rise can be attributed to the traditional uptick in holiday season activity by spammers.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

The share of spam in Russian email traffic, Q3 and Q4 2019 (download)

In the Asia-Pacific region as a whole, we also observed an increase in the amount of spam in email traffic from September (50.19%) to December (52.62%). As you can see from the diagram, the increase is quite gradual. At the same time, the volume of junk messages reached a peak in January, when their share made 55.48%. This is most likely due to the lunar new year, which is celebrated in most of the countries of the region and which this year fell on January 25.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

The share of spam in email traffic in the Asia-Pacific Region, July 2019 – January 2020 (download)

Christmas/New Year phishing Fake websites

Phishers lured users onto fake pages with the promise of favorable T&Cs, discounts, gifts. For example, they tried to gain access to Amazon Prime accounts by offering Christmas promotions supposedly on behalf of the service; to take part, users were asked to enter their account credentials.

Besides fake versions of real websites, non-existent stores popped up online offering huge discounts. Their catalogs typically contain a very limited range of premium-class products, and the websites themselves look more like landing pages. A characteristic attribute of such sites is a countdown timer showing how much time is left before the “promotion” ends.

In addition to expensive goods, scammers offer libido-boosting drugs — also at great discounts. The product range in such “medical stores” is not very wide:

The information about the domain shows that it was registered recently, which is another indicator of fakeness.

 

Nor did scammers overlook gamers. For instance, we discovered phishing pages mimicking the Warface multiplayer website. In honor of New Year, one of the fakes promised gamers 30-days’ free use of some powerful weapons, while another presented a golden rifle for joining Santa’s helpers. To receive either “prize,” players had to enter their username and password on a fake login page, thereby giving the scammers access to their account. Accounts with a high in-game rank and unique, paid-for weapons can fetch a good price.

Cash gifts

Fake websites promising easy money were also given a festive makeover: they offered New Year payouts to the poor, sponsorship gifts, giveaways, etc. As usual in such cases, visitors are invited to complete a simple task, for example, take a survey and enter some personal data. After a five-digit sum seemingly ready for transfer is displayed on screen, the victim is asked to pay a service fee — which, of course, goes straight to the scammers.

To add credibility and urgency, the attackers place eye-catching information to nudge the victim into acting: notifications about the limited nature of the offer, number of visitors who are currently filling in the form, or a “bonuses” countdown:

Crypto fans did not escape phishers’ attention either. It was shortly before Christmas that we came across a scheme offering a festive giveaway of bitcoins and ether supposedly from the Binance crypto exchange. Naturally, to receive a “gift” it was necessary to confirm participation by transferring 5 BTC or 50 ETH to the “organizers.”

To promote the “event,” the scammers posted an article about it on the Medium platform with dozens of enthusiastic comments from “winning” users.

Statistics

In Q4 2019, the share of attacks that sought to steal financial data and accounts at online banks and stores out of the total number of phishing attacks amounted to 52.61%. This exceeds both the indicator for the previous quarter (43.19%) and the indicator for the whole year (51.4%). We observed a similar situation in 2018 and 2017, with the only difference being that the jump was more noticeable last year — from 44.67% on average for the entire year and 34.67% in Q3 to 51.18% in Q4.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

The share of phishing attacks on online stores and financial services during Q3 and Q4 of 2017, 2018, and 2019 (download)

It is curious that by the end of 2019, fraudsters had partially lost interest in electronic payment services. For the first time in three years, in Q4 the share of phishing attacks on such resources decreased by 1.21 percentage points compared to the previous reporting period and amounted to 14%.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

The share of phishing attacks on online stores and financial services during Q3 and Q4 of 2017, 2018, and 2019 (download)

At the same time, the popularity of non-financial categories of websites also fell, and in the ranking of the most popular attack targets for the last quarter, payment services rose from fourth to third place, displacing social networks and blogs, which were attacked only in 5.89% of cases. The leading targets by number of phishing attacks in Q4 were bank resources (29.73%), ahead of global Internet portals (22.81%), which had led the ranking during the previous quarter (23.81%).

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

The distribution of organizations whose users were attacked by phishers by category during Q4 2019 (download)

We analyzed the number of attacks on major commercial platforms during the period of November 11 to December 31. The number of attacks during this period jumped as expected shortly before Black Friday, which occurred on November 29, and remained at a high level until the Christmas and New Year holidays. In particular, the number of phishing schemes that were perpetrated under the Ebay brand since mid-November has remained at 1% (of the total number of attacks that used the brand for the specified period), and as of November 27, this figure was 3.15%, and as of December 2, it grew by almost one-and-a-half percentage points to 4.63%.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

The distribution of phishing attacks using the Ebay brand by day, November 11, 2019 — December 31, 2019 (download)

We observed a similar situation with phishing attacks that utilized the Alibaba brand:
The peak of activity occurred on November 27 and lasted until December 4. In both cases there was a short break in fraudulent activity in the middle of December: On December 15 it fell practically to zero, but it again began to rise with the approach of Christmas and New Year.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

The distribution of phishing attacks using the Alibaba brand by day, November 11, 2019 — December 31, 2019 (download)

Tips and recommendations

So as not to fall for scams and tricks, it is important to take easy money offers with a massive pinch of festive salt.

If you are a consumer:

  • Remember that the only free cheese is in a mousetrap. If you are suddenly offered a reward for taking part in a survey, or a huge discount on luxury goods, be very wary.
  • Do not follow links in е-mails or messages in social networks if you have even the slightest doubt.
  • Be very careful when making purchases on unfamiliar websites. If an online store has few products, it might not be real. If the URL of a well-known website seems strange, that too is cause for concern.
  • Do not install software from unknown sources advertised in е-mails.
  • Use a reliable security solution.

If you are a company employee:

  • Read incoming е-mails from strangers with a critical eye. To spot malicious content in business correspondence, we recommend that you first check the sender address and autosignature. If they do not match, it should raise a red flag. It is also worth comparing the information in the е-mail with that on the website of the company in whose name the message was sent — the contact details might be completely different.

Shlayer Trojan attacks one in ten macOS users

23 Leden, 2020 - 11:00

For close to two years now, the Shlayer Trojan has been the most common threat on the macOS platform: in 2019, one in ten of our Mac security solutions encountered this malware at least once, and it accounts for almost 30% of all detections for this OS. The first specimens of this family fell into our hands back in February 2018, and we have since collected almost 32,000 different malicious samples of the Trojan and identified 143 C&C server domains.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

TOP 10 threats for macOS by share of users attacked, as detected by Kaspersky security solutions for macOS, January– November 2019 (download)

The operation algorithm has changed little since Shlayer was first discovered, nor has its activity decreased much: the number of detections remains at the same level as in the first months after the malware was uncovered.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Shlayer malware detections by Kaspersky security solutions for macOS, February 2018 – November 2019 (download)

Technical details

Despite its prevalence, from a technical viewpoint Shlayer is a rather ordinary piece of malware. Of all its modifications, only the recent Trojan-Downloader.OSX.Shlayer.e stands apart. Unlike its Bash-based cousins, this variant of the malware is written in Python, and its operation algorithm is also somewhat different. Let’s demonstrate this using a DMG file with MD5 4d86ae25913374cfcb80a8d798b9016e.

First stage of infection

After mounting this DMG image, the user is prompted to run an “installation” file. However, the seemingly standard installer turns out to be a Python script, which is already atypical of macOS installation software.

Shlayer user guide

The directory with executable files inside the application package contains two Python scripts: gjpWvvuUD847DzQPyBI (main) and goQWAJdbnuv6 (auxiliary). The latter implements data encryption functions by means of a byte shift on the key key:

  • The encryptText/decryptText pair of functions encrypt and decrypt strings;
  • encryptList encrypts the contents of the list passed in the arguments; decryptList performs the inverse operation;
  • The getKey() function generates an encryption key based on the time in the operating system.

Main script of the Trojan

Auxiliary script of the Trojan

Next, the main script generates a unique user and system ID, and also collects information about the version of macOS in use. Based on this data, the GET query parameters are generated to download the ZIP file:

The ZIP archive downloaded to the /tmp/%(sessionID) directory is unpacked to the /tmp/tmp directory using the unzip function:

The ZIP archive was found to contain an application package with the executable file 84cd5bba3870:

After unpacking the archive, the main python script uses the chmod tool to assign the file 84cd5bba3870 permission to run in the system:

For added effect, the sample copies the icon of the original mounted DMG image to the directory with the newly downloaded application package using the moveIcon and findVolumePath functions:

After that, the Trojan runs the downloaded and unpacked application package using the built-in open tool, and deletes the downloaded archive and its unpacked contents:

Second stage of infection

Shlayer itself performs only the initial stage of the attack — it penetrates the system, loads the main payload, and runs it. The negative consequences for the user can be seen by investigating the AdWare.OSX.Cimpli family, which was being actively downloaded by the Trojan at the time of writing.

At first glance, the Cimpli installer looks harmless enough, simply offering to install a partner application (for example, Any Search):

But in actual fact, Cimpli performs several actions unseen by the user. First, it installs a malicious extension in Safari, hiding the OS security notification behind a malware fake window. By clicking on the buttons in the notification, the user in effect agrees to install the extension.

Left: what the user sees; right: what’s really going on

One of these extensions is called ManagementMark, which we detect as not-a-virus:HEUR:AdWare.Script.SearchExt.gen. It monitors user searches and redirects them to the address hxxp://lkysearchex41343-a.akamaihd[.]net/as?q=c by injecting the script script.js in the browser pages:

The sample also loads the mitmdump tool, which is packed using PyInstaller. To allow mitmdump to view HTTPS traffic, a special trusted certificate is added to the system. This is likewise done by superimposing a fake window over the installation confirmation box. After that, all user traffic is redirected to the SOCKS5 proxy launched using mitmdump.

Arguments for running the packed mitmdump run arguments

From the screenshot, it can be seen that all traffic passing through mitmdump (SearchSkilledData) is processed by the script SearchSkilledData.py (-s option):

This script redirects all user search queries to hxxp://lkysearchds3822-a.akamaihd[.]net. Kaspersky solutions detect this script as not-a-virus:AdWare.Python.CimpliAds.a.

Cimpli adware thus becomes firmly anchored in the system; in the event that traffic does not pass through the proxy server, the JS code of the extension injected in the page handles the redirection of queries. The attacker gains access to the user’s search queries and can modify the search engine results to display advertising. As a result, the user is inundated with unsolicited ads.

Note that Cimpli is not the only family of adware apps that Shlayer can download. The list also includes AdWare.OSX.Bnodlero, AdWare.OSX.Geonei, and AdWare.OSX.Pirrit, which made up almost all the remaining positions in the Top 10 threats for macOS in 2019.

Family ties

The behavioral similarities between the Python version of Shlayer and earlier modifications of the family written in Bash are not hard to spot: harvesting IDs and system versions, downloading an archive to a temporary directory, executing the downloaded file, deleting traces of downloading — we’ve seen this course of actions before. Moreover, both modifications use curl with the combination of options -f0L, which is basically the calling card of the entire family:

Top: an old modification of the Trojan; bottom: the latest version

Finding legitimate use for curl with options –f0L is not an easy task

Distribution

Distribution is a vital part of any malware’s life cycle, and the creators of Shlayer have taken this issue to heart. Looking for the latest episode of your favorite TV show? Want to watch a live broadcast of a soccer match? Then take extra care, since the chances of a run-in with Shlayer are high.

Examples of Shlayer landing pages

We noticed at once several file partner programs in which Shlayer was offered as a monetization tool. Having analyzed various offers, we identified a general trend: Shlayer stands out from the field for the relatively high installation fee (though only installations performed by U.S.-based users count). The prospect of a juicy profit likely contributed to the popularity of the offer (we counted more than 1000 partner sites distributing Shlayer).

Description of the offer on a partner program website

In most cases, it was advertising landing pages that brought users to the next stage of the distribution chain — nicely crafted fake pages prompting to install the malware under the veil of a Flash Player update. This is primarily how the Trojan-Downloader.OSX.Shlayer.a modification was distributed.

Fake Flash Player download page

The version of Trojan-Downloader.OSX.Shlayer.e discussed above was propagated in a slightly different way. Similar to the previous scheme, users ended up on a page seemingly offering an Adobe Flash update. But they were redirected there from large online services boasting a multimillion-dollar audience. Time and again, we have uncovered links pointing to malware downloads in the descriptions of YouTube videos:

Another example is links to Shlayer distribution pages contained in the footnotes to Wikipedia articles:

These links were not added by the cybercriminals themselves: we found that all those malicious domains had recently expired, and, judging by the WHOIS data, they now belong to a single individual. On the websites, the newly minted owner posted a malicious script that redirects users to Shlayer download landing pages. There are already over 700 such domains in total.

Our statistics show that the majority of Shlayer attacks are against users in the U.S. (31%), followed by Germany (14%), France (10%), and the UK (10%). This is wholly consistent with the terms and conditions of partner programs that deliver the malware, and with the fact that almost all sites with fake Flash Player download pages had English-language content.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Geographic distribution of users attacked by the Shlayer Trojan, February 2018 – October 2019 (download)

Conclusion

Having studied the Shlayer family, we can conclude that the macOS platform is a good source of revenue for cybercriminals. The Trojan links even reside on legitimate resources — attackers are adept in the art of social engineering, and it is hard to predict how sophisticated the next deception technique will be.

Kaspersky solutions detect Shlayer and its artifacts and download pages with the following verdicts:

  • HEUR:Trojan-Downloader.OSX.Shlayer.*
  • not-a-virus:HEUR:AdWare.OSX.Cimpli.*
  • not-a-virus:AdWare.Script.SearchExt.*
  • not-a-virus:AdWare.Python.CimpliAds.*
  • not-a-virus:HEUR:AdWare.Script.MacGenerator.gen

IOCS:

  • 4d86ae25913374cfcb80a8d798b9016e
  • fa124ed3905a9075517f497531779f92
  • 594aa050742406db04a8e07b5d247cdd

Malicious links:

  • hxxp://80.82.77.84/.dmg
  • hxxp://sci-hub[.]tv
  • hxxp://kodak-world[.]com

C&C Urls:

  • hxxp://api.typicalarchive[.]com
  • hxxp://api.entrycache[.]com
  • hxxp://api.macsmoments[.]com