Kaspersky Securelist

Syndikovat obsah Securelist
Aktualizace: 50 min 50 sek zpět

Lookalike domains and how to outfox them

24 Listopad, 2020 - 11:00

Our colleagues already delved into how cybercriminals attack companies through compromised email addresses of employees, and how to protect against such attacks using SPF, DKIM and DMARC technologies. But despite the obvious pluses of these solutions, there is a way to bypass them that we want to discuss.

But let’s start from a different angle: how relevant is email these days? After all, this year saw a sharp rise in the popularity of video-conferencing tools, preceded by several years of healthy growth in the use of instant messengers, in particular, WhatsApp and Telegram. Nevertheless, email is still the main means of online communication, at least in the business world. Indirect confirmation of this is the increase in the number and quality of Business Email Compromise (BEC) attacks. According to data from the US Internet Crime Complaint Center (IC3), the financial damage from such attacks has risen sevenfold in the past five years.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Financial damage from BEC attacks, 2015–2019 (download)

Data for 2020 has not yet been published, but given the COVID-19 pandemic and the mass shift of employees to remote working, it is safe to assume that the number of BEC attacks will only grow. Initial threat landscape studies also point to this.

Lookalike domains in BEC

A feature of BEC is the emphasis not on the technical side (cybercriminals’ options are rather limited when it comes to email), but on social engineering. Typically, attacks of this kind combine technical and social techniques to achieve greater efficiency. The three protection technologies mentioned above cope with most combinations well enough. But there is one exception: lookalike-domain attacks. The method is simple in essence: the cybercriminals register a domain that looks very similar to that of the target company or a partner firm. Messages sent from this domain sail through Sender Policy Framework (SPF) authentication, possess a DomainKeys Identified Mail (DKIM) cryptographic signature, and generally do not arouse the suspicions of security systems. The snag is that these emails are phishing. And if written believably enough — with a corporate template, stressing the urgency of the matter, etc. — they will likely fool the victim.

Here are some examples of fake domain names:

Original domain Fake domain netflix.com netffix.com kaspersky.com kapersky.com uralairlines.ru uralairilnes.ru

As you can see, the fake differs from the original by only one letter added (or removed) so that a closer look is required to spot it.

For an overview of the use of fake domains, we compiled statistics on lookalike spoofing for Q3 2020. Having analyzed the data, we concluded that this year’s pandemic has significantly changed the direction of cybercriminal activity. Whereas before, the focus of such attacks was the financial sector, now the service sector is in the firing line, including various e-commerce services: food delivery, online shopping, buying air tickets, etc. Domains related to this sector accounted for 34.7% of the total number of attacks in Q3.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Distribution of detected lookalike domains by category, Q3 2020 (download)

Also note the rise in the IT sector’s share in 2020: up from 17.9% in Q1 to 22.2% in Q3. This is to be expected, since the mass transition to remote working was bound to impact the overall situation.

A word about lookalikes

Unlike spam mailings, which tend to be large in both scale and duration, attacks involving lookalike domains, like any BEC attack, target a specific victim (or group of victims). Consequently, emails are few and well thought out, and the domains are extremely short lived. We see that half of all fake domains are used only once, and in 73% of cases the domain is only active for just one day. This renders traditional signature-based anti-spam solutions (detect an attack, create a rule) effectively useless, thus the need arises for proactive protection. There are two common and at the same time simple methods available to companies keen to guard at least in some measure against lookalike and other such attacks.

The first is for the company itself to register domains with typos, and set up redirects to its official domain. This reduces cybercriminals’ ability to register a plausible fake, but does not nullify it completely or prevent counterfeiting of domains belonging to partners, contractors and other organizations which the company deals with.

The second is to compile lists of plausible fake names for both the company’s domain and those of partners and contractors. Next, the list is loaded into the anti-spam solution, which preemptively blocks all messages arriving from the fakes. The main drawback of this method is the same as before: it is impossible to cover all possible fake domains, especially if the company works with many counterparties. Plus, there is the ever-present human factor — one typo in the list of tens or hundreds of domain names can lead to a security breach or the filtering out of emails from a legitimate domain instead of a fake one, causing additional headaches for business units.

When simple solutions no longer suited our clients, they came to us for something more complex. The result was a method that requires no user interaction. In a nutshell, it automatically compiles a global list of legitimate domains that could potentially be faked, on which basis it analyzes and blocks messages from lookalike domains. In essence, it is proactive.

How it works

Protection against lookalike-domain attacks is three-pronged: client-side processing; domain reputation check in Kaspersky Security Network; infrastructure-side processing. The general principle is shown schematically below:

In practice, it goes as follows. On receiving an email, the technology forwards the sender domain to Kaspersky Security Network (KSN), which matches it against the list of lookalike domains already known to us. If the sender domain is found, the message is instantly blocked (steps 1 to 3). If there is no information about it, the email is quarantined for a short fixed period (step 4). This gives time for the technology to check the domain according to the set algorithm, and, if it recognizes it as fake, to add it to the list of lookalike domains in KSN. After the email leaves quarantine, it is rescanned (step 9) and blocked, since by then the list of lookalike domains has been updated.

Let’s take a look at how sender verification works and how the list of lookalike domains gets updated. Information about quarantined messages is sent to the KSN database together with additional metadata, including the sender domain (step 5). At the first stage of analysis, the domain undergoes a “suspiciousness” check based on a wide range of criteria, such as Whois data, DNS records, certificates, and so on; the purpose of this stage is to quickly sift out domains that are clearly legitimate, but not yet known to our system. Henceforth, emails from these domains are no longer quarantined, because KSN now has information about them. At the second stage, the system compares the similarity of suspicious domains and addresses in our global list of legitimate domains (step 7), which includes the domains of our clients and their counterparties. This list is generated automatically based on an assessment of the frequency with which legitimate messages are sent from the domain and the uniformity of the mail flow over time. The extent to which the overall picture matches the behavior of employees in terms of business correspondence determines the reputation of the domain (step 6). If the resemblance of the scammer’s domain to a legitimate address is high, the sender domain too is added to the list of lookalike domains and all messages sent from it are blocked.

Our approach is more complex than simply registering lookalike domains to the company and enables real-time blocking of attacks that use such domains as soon as they appear. In addition, the human factor is eliminated, and the global list of legitimate domains stays current thanks to automatic updates.

IT threat evolution Q3 2020. Non-mobile statistics

20 Listopad, 2020 - 11:10

These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q3:

  • Kaspersky solutions blocked 1,416,295,227 attacks launched from online resources across the globe.
  • 456,573,467 unique URLs were recognized as malicious by Web Anti-Virus components.
  • Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 146,761 unique users.
  • Ransomware attacks were defeated on the computers of 121,579 unique users.
  • Our File Anti-Virus detected 87,941,334 unique malicious and potentially unwanted objects.
Financial threats Financial threat statistics

In Q3 2020, Kaspersky solutions blocked attempts to launch one or more types of malware designed to steal money from bank accounts on the computers of 146,761 users.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Number of unique users attacked by financial malware, Q3 2020 (download)

Attack geography

To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products who faced this threat during the reporting period as a percentage of all users of our products in that country.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Geography of financial malware attacks, Q3 2020 (download)

Top 10 countries by share of attacked users

Country* %** 1 Costa Rica 6.6 2 Turkmenistan 5.9 3 Tajikistan 4.7 4 Uzbekistan 4.6 5 Afghanistan 3.4 6 Syria 1.7 7 Iran 1.6 8 Yemen 1.6 9 Kazakhstan 1.5 10 Venezuela 1.5

* Excluded are countries with relatively few Kaspersky product users (under 10,000).
** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country.

First among the banker families, as in the previous quarter, is Zbot (19.7%), despite its share dropping 5.1 p.p. It is followed by Emotet (16.1%) — as we predicted, this malware renewed its activity, climbing by 9.5 p.p. as a result. Meanwhile, the share of another banker family, RTM, decreased by 11.2 p.p., falling from second position to fifth with a score of 7.4%.

Top 10 banking malware families

Name Verdicts %* 1 Zbot Trojan.Win32.Zbot 19.7 2 Emotet Backdoor.Win32.Emotet 16.1 3 CliptoShuffler Trojan-Banker.Win32.CliptoShuffler 12.2 4 Trickster Trojan.Win32.Trickster 8.8 5 RTM Trojan-Banker.Win32.RTM 7.4 6 Neurevt Trojan.Win32.Neurevt 5.4 7 Nimnul Virus.Win32.Nimnul 4.4 8 SpyEye Trojan-Spy.Win32.SpyEye 3.5 9 Danabot Trojan-Banker.Win32.Danabot 3.1 10 Gozi Trojan-Banker.Win32.Gozi 1.9

** Unique users who encountered this malware family as a percentage of all users attacked by financial malware.

Ransomware programs Quarterly trends and highlights

Q3 2020 saw many high-profile ransomware attacks on organizations in various fields: education, healthcare, governance, energy, finance, IT, telecommunications and many others. Such cybercriminal activity is understandable: a successful attack on a major organization can command a ransom in the millions of dollars, which is several orders of magnitude higher than the typical sum for mass ransomware.

Campaigns of this type can be viewed as advanced persistent threats (APTs), and Kaspersky researchers detected the involvement of the Lazarus group in the distribution of one of these ransomware programs.

Distributors of these Trojans also began to cooperate with the aim of carrying out more effective and destructive attacks. At the start of the quarter, word leaked out that Maze operators had joined forces with distributors of LockBit, and later RagnarLocker, to form a ransomware cartel. The cybercriminals used shared infrastructure to publish stolen confidential data. Also observed was the pooling of expertise in countering security solutions.

Of the more heartening events, Q3 will be remembered for the arrest of one of the operators of the GandCrab ransomware. Law enforcement agencies in Belarus, Romania and the UK teamed up to catch the distributor of the malware, which had reportedly infected more than 1,000 computers.

Number of new modifications

In Q3 2020, we detected four new ransomware families and 6,720 new modifications of this malware type.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Number of new ransomware modifications, Q3 2019 – Q3 2020 (download)

Number of users attacked by ransomware Trojans

In Q3 2020, Kaspersky products and technologies protected 121,579 users against ransomware attacks.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Number of unique users attacked by ransomware Trojans, Q3 2020 (download)

Attack geography

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Geography of attacks by ransomware Trojans, Q3 2020 (download)

Top 10 countries attacked by ransomware Trojans

Country* %** 1 Bangladesh 2.37 2 Mozambique 1.10 3 Ethiopia 1.02 4 Afghanistan 0.87 5 Uzbekistan 0.79 6 Egypt 0.71 7 China 0.65 8 Pakistan 0.52 9 Vietnam 0.50 10 Myanmar 0.46

* Excluded are countries with relatively few Kaspersky users (under 50,000).
** Unique users attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country.

Top 10 most common families of ransomware Trojans

Name Verdicts %* 1 WannaCry Trojan-Ransom.Win32.Wanna 18.77 2 (generic verdict) Trojan-Ransom.Win32.Gen 10.37 3 (generic verdict) Trojan-Ransom.Win32.Encoder 9.58 4 (generic verdict) Trojan-Ransom.Win32.Generic 8.55 5 (generic verdict) Trojan-Ransom.Win32.Phny 6.37 6 Stop Trojan-Ransom.Win32.Stop 5.89 7 (generic verdict) Trojan-Ransom.Win32.Crypren 4.12 8 PolyRansom/VirLock Virus.Win32.PolyRansom 3.14 9 Crysis/Dharma Trojan-Ransom.Win32.Crusis 2.44 10 (generic verdict) Trojan-Ransom.Win32.Crypmod 1.69

* Unique Kaspersky users attacked by this family of ransomware Trojans as a percentage of all users attacked by such malware.

Miners Number of new modifications

In Q3 2020, Kaspersky solutions detected 3,722 new modifications of miners.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Number of new miner modifications, Q3 2020 (download)

Number of users attacked by miners

In Q3, we detected attacks using miners on the computers of 440,041 unique users of Kaspersky products worldwide. If in the previous quarter the number of attacked users decreased, in this reporting period the situation was reversed: from July we saw a gradual rise in activity.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Number of unique users attacked by miners, Q3 2020 (download)

Attack geography

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Geography of miner attacks, Q3 2020 (download)

Top 10 countries attacked by miners

Country* %** 1 Afghanistan 5.53 2 Ethiopia 3.94 3 Tanzania 3.06 4 Rwanda 2.58 5 Uzbekistan 2.46 6 Sri Lanka 2.30 7 Kazakhstan 2.26 8 Vietnam 1.95 9 Mozambique 1.76 10 Pakistan 1.57

* Excluded are countries with relatively few users of Kaspersky products (under 50,000).
** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country.

Vulnerable applications used by cybercriminals during cyberattacks

According to our statistics, vulnerabilities in the Microsoft Office suite continue to lead: in Q3, their share amounted to 71% of all identified vulnerabilities. Users worldwide are in no rush to update the package, putting their computers at risk of infection. Although our products protect against the exploitation of vulnerabilities, we strongly recommend the timely installation of patches, especially security updates.

First place in this category of vulnerabilities goes to CVE-2017-8570, which can embed a malicious script in an OLE object placed inside an Office document. Almost on a par in terms of popularity is the vulnerability CVE-2017-11882, exploits for which use a stack overflow error in the Equation Editor component. CVE-2017-0199 and CVE-2018-0802 likewise remain popular.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Distribution of exploits used by cybercriminals, by type of attacked application, Q3 2020 (download)

The share of vulnerabilities in Internet browsers increased by 3 p.p. this quarter to 15%. One of the most-talked-about browser vulnerabilities was CVE-2020-1380 — a use-after-free error in the jscript9.dll library of the current version of the Internet Explorer 9+ scripting engine. This same vulnerability was spotted in the Operation PowerFall targeted attack.

Also in Q3, researchers discovered the critical vulnerability CVE-2020-6492 in the WebGL component of Google Chrome. Theoretically, it can be used to execute arbitrary code in the context of a program. The similar vulnerability CVE-2020-6542 was later found in the same component. Use-after-free vulnerabilities were detected in other components too: Task Scheduler (CVE-2020-6543), Media (CVE-2020-6544) and Audio (CVE-2020-6545).

In another browser, Mozilla Firefox, three critical vulnerabilities, CVE-2020-15675, CVE-2020-15674 and CVE-2020-15673, related to incorrect memory handling, were detected, also potentially leading to arbitrary code execution in the system.

In the reporting quarter, the vulnerability CVE-2020-1464, used to bypass scans on malicious files delivered to user systems, was discovered in Microsoft Windows. An error in the cryptographic code made it possible for an attacker to insert a malicious JAR archive inside a correctly signed MSI file, circumvent security mechanisms, and compromise the system. Also detected were vulnerabilities that could potentially be used to compromise a system with different levels of privileges:

Among network-based attacks, those involving EternalBlue exploits and other vulnerabilities from the Shadow Brokers suite remain popular. Also common are brute-force attacks on Remote Desktop Services and Microsoft SQL Server, and via the SMB protocol. In addition, the already mentioned critical vulnerability CVE-2020-1472, also known as Zerologon, is network-based. This error allows an intruder in the corporate network to impersonate any computer and change its password in Active Directory.

Attacks on macOS

Perhaps this quarter’s most interesting find was EvilQuest, also known as Virus.OSX.ThifQseut.a. It is a self-replicating piece of ransomware, that is, a full-fledged virus. The last such malware for macOS was detected 13 years ago, since which time this class of threats has been considered irrelevant for this platform.

Top 20 threats for macOS

Verdict %* 1 Monitor.OSX.HistGrabber.b 14.11 2 AdWare.OSX.Pirrit.j 9.21 3 AdWare.OSX.Bnodlero.at 9.06 4 Trojan-Downloader.OSX.Shlayer.a 8.98 5 AdWare.OSX.Bnodlero.ay 6.78 6 AdWare.OSX.Pirrit.ac 5.78 7 AdWare.OSX.Ketin.h 5.71 8 AdWare.OSX.Pirrit.o 5.47 9 AdWare.OSX.Cimpli.k 4.79 10 AdWare.OSX.Ketin.m 4.45 11 Hoax.OSX.Amc.d 4.38 12 Trojan-Downloader.OSX.Agent.j 3.98 13 Trojan-Downloader.OSX.Agent.h 3.58 14 AdWare.OSX.Pirrit.gen 3.52 15 AdWare.OSX.Spc.a 3.18 16 AdWare.OSX.Amc.c 2.97 17 AdWare.OSX.Pirrit.aa 2.94 18 AdWare.OSX.Pirrit.x 2.81 19 AdWare.OSX.Cimpli.l 2.78 20 AdWare.OSX.Bnodlero.x 2.64

* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked.

Among the adware modules and their Trojan downloaders in the macOS threat rating for Q3 2020 was Hoax.OSX.Amc.d. Known as Advanced Mac Cleaner, this is a typical representative of the class of programs that first intimidate the user with system errors or other issues on the computer, and then ask for money to fix them.

Threat geography

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Geography of threats for macOS, Q3 2020 (download)

Top 10 countries by share of attacked users

Country* %** 1 Spain 6.20% 2 France 6.13% 3 India 5.59% 4 Canada 5.31% 5 Brazil 5.23% 6 USA 5.19% 7 Mexico 4.98% 8 Great Britain 4.37% 9 China 4.25% 10 Italy 4.19%

* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 5000)
** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country.

Spain (6.29%) and France (6.13%) were the leaders by share of attacked users. They were followed by India (5.59%) in third place, up from fifth in the last quarter. As for detected macOS threats, the Shlayer Trojan consistently holds a leading position in countries in this Top 10 list.

IoT attacks IoT threat statistics

In Q3 2020, the share of devices whose IP addresses were used for Telnet attacks on Kaspersky traps increased by 4.5 p.p.

Telnet 85.34% SSH 14.66%

Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q3 2020

However, the distribution of sessions from these same IPs in Q3 did not change significantly: the share of operations using the SSH protocol rose by 2.8 p.p.

Telnet 68.69% SSH 31.31%

Distribution of cybercriminal working sessions with Kaspersky traps, Q3 2020

Nevertheless, Telnet still dominates both by number of attacks from unique IPs and in terms of further communication with the trap by the attacking party.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Geography of IP addresses of devices from which attempts were made to attack Kaspersky Telnet traps, Q3 2020 (download)

Top 10 countries by location of devices from which attacks were carried out on Kaspersky Telnet traps

Country %* India 19.99 China 15.46 Egypt 9.77 Brazil 7.66 Taiwan, Province of China 3.91 Russia 3.84 USA 3.14 Iran 3.09 Vietnam 2.83 Greece 2.52

* Devices from which attacks were carried out in the given country as a percentage of the total number of devices in that country.

In Q3, India (19.99%) was the location of the highest number of devices that attacked Telnet traps.  China (15.46%), having ranked first in the previous quarter, moved down a notch, despite its share increasing by 2.71 p.p. Egypt (9.77%) took third place, up by 1.45 p.p.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Geography of IP addresses of devices from which attempts were made to attack Kaspersky SSH traps, Q3 2020 (download)

Top 10 countries by location of devices from which attacks were made on Kaspersky SSH traps

Country %* China 28.56 USA 14.75 Germany 4.67 Brazil 4.44 France 4.03 India 3.48 Russia 3.19 Singapore 3.16 Vietnam 3.14 South Korea 2.29

* Devices from which attacks were carried out in the given country as a percentage of the total number of devices in that country.

In Q3, as before, China (28.56%) topped the leaderboard. Likewise, the US (14.75%) retained second place. Vietnam (3.14%), however, having taken bronze in the previous quarter, fell to ninth, ceding its Top 3 position to Germany (4.67%).

Threats loaded into traps

Verdict %* Backdoor.Linux.Mirai.b 38.59 Trojan-Downloader.Linux.NyaDrop.b 24.78 Backdoor.Linux.Mirai.ba 11.40 Backdoor.Linux.Gafgyt.a 9.71 Backdoor.Linux.Mirai.cw 2.51 Trojan-Downloader.Shell.Agent.p 1.25 Backdoor.Linux.Gafgyt.bj 1.24 Backdoor.Linux.Mirai.ad 0.93 Backdoor.Linux.Mirai.cn 0.81 Backdoor.Linux.Mirai.c 0.61

* Share of malware type in the total number of malicious programs downloaded to IoT devices following a successful attack.

Attacks via web resources

The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create such sites on purpose; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected.

Countries that are sources of web-based attacks: Top 10

The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.

To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q3 2020, Kaspersky solutions blocked 1,416,295,227 attacks launched from online resources located across the globe. 456,573,467 unique URLs were recognized as malicious by Web Anti-Virus.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Distribution of web attack sources by country, Q3 2020 (download)

Countries where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries, for each country we calculated the share of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious programs that fall under the Malware class; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

Country* % of attacked users** 1 Vietnam 8.69 2 Bangladesh 7.34 3 Latvia 7.32 4 Mongolia 6.83 5 France 6.71 6 Moldova 6.64 7 Algeria 6.22 8 Madagascar 6.15 9 Georgia 6.06 10 UAE 5.98 11 Nepal 5.98 12 Spain 5.92 13 Serbia 5.87 14 Montenegro 5.86 15 Estonia 5.84 16 Qatar 5.83 17 Tunisia 5.81 18 Belarus 5.78 19 Uzbekistan 5.68 20 Myanmar 5.55

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky products in the country.

These statistics are based on detection verdicts by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data.

On average, 4.58% of Internet user computers worldwide experienced at least one Malware-class attack.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Geography of web-based malware attacks, Q3 2020 (download)

Local threats

In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. It takes into account malicious programs that were found directly on users’ computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).

In Q3 2020, our File Anti-Virus detected 87,941,334 malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.

Note that this rating only includes attacks by malicious programs that fall under the Malware class; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

Country* % of attacked users** 1 Afghanistan 49.27 2 Turkmenistan 45.07 3 Myanmar 42.76 4 Tajikistan 41.16 5 Ethiopia 41.15 6 Bangladesh 39.90 7 Burkina Faso 37.63 8 Laos 37.26 9 South Sudan 36.67 10 Uzbekistan 36.58 11 Benin 36.54 12 China 35.56 13 Sudan 34.74 14 Rwanda 34.40 15 Guinea 33.87 16 Vietnam 33.79 17 Mauritania 33.67 18 Tanzania 33.65 19 Chad 33.58 20 Burundi 33.49

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Geography of local infection attempts, Q3 2020 (download)

Overall, 16.40% of user computers globally faced at least one Malware-class local threat during Q3.

The figure for Russia was 18.21%.

IT threat evolution Q3 2020 Mobile statistics

20 Listopad, 2020 - 11:05

The statistics presented here draw on detection verdicts returned by Kaspersky products and received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network, the third quarter saw:

  • 1,189 797 detected malicious installers, of which
    • 39,051 packages were related to mobile banking trojans;
    • 6063 packages proved to be mobile ransomware trojans.
  • A total of 16,440,264 attacks on mobile devices were blocked.
Quarterly highlights

In Q3 2020, Kaspersky mobile protective solutions blocked 16,440,264 attacks on mobile devices, an increase of 2.2 million on Q2 2020.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Number of attacks on mobile devices, Q1 2019 – Q3 2020 (download)

It is too early for conclusions now – we need to wait for the year’s results – but comparing Q3 2020 with Q3 2019 reveals a substantial difference: the number of attacks dropped by more that 2.7 million. One may conclude cybercriminals have not reached last year’s volume of attacks yet.

It is worth noting that in Q3 2020, the share of users attacked by malware increased, whereas the number of users who encountered adware and grayware decreased.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Proportions of users who encountered various threat classes in the total number of attacked users, Q3 2020 (download)

In Q3 2020, the share of users who encountered adware according to our data decreased by four percentage points. Notably, the complexity of these applications is no lower than that of malware. For instance, some samples of adware detected iin Q3 2020 use the KingRoot tool for obtaining superuser privileges on the device. This bodes no good for the user: not only does the device’s overall level of security is compromised – the ads are impossible to remove with the stock tools available on the device.

The third quarter reinforced the trend for the number of mobile users encountering stalkerware to drop.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Number of devices running Kaspersky Internet Security for Android on which stalkerware was detected in 2019 – 2020 (download)

The decrease is harder to explain this time around. It was probably caused by self-isolation in Q1 and Q2. Although big cities did not fully restore their levels of activity in Q3, people increasingly began to leave their homes and hence, to interest the users of stalker applications.

Mobile threat statistics

In Q3 2020, Kaspersky solutions detected 1,189,797 malicious installation packages, 56,097 more than in the previous quarter.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Number of detected malicious installers, Q2 2019 – Q3 2020 (download)

For the first time in a year, the number of detected mobile threats dropped when compared to the previous period. This was no ordinary year, though. A lot hinges on the level of activity of cybercriminals behind the threat family, so it is too early to call this a changing trend.

Distribution of detected mobile applications across types

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Distribution of newly detected mobile applications across types, Q2 and Q3 2020 (download)

The share of adware (44.82%) has declined for a second consecutive quarter, but the pace of the decline is not strong enough to declare this type of threat as losing its relevance.

The Ewind adware family (48% of all adware detected) was most common in Q3, followed by the FakeAdBlocker family with 32% and HiddenAd with 6%.

The only class of threats that displayed significant growth in Q3 2020 was grayware, i.e. RiskTool (33.54%), with its share rising by more than 13 percentage points. The greatest contributor to this was the Robtes family with 45% of the total detected grayware programs. It was followed by Skymoby and SMSreg, with 15% and 13%, respectively.

The share of trojan-clickers rose by one percentage point in Q3 2020 on account of the Simpo family with its 96% share of all clickers detected.

Twenty most common mobile malware programs

Note that the malware rankings below exclude riskware or grayware, such as RiskTool or adware.

Verdict %* 1 DangerousObject.Multi.Generic 36.22 2 Trojan.AndroidOS.Boogr.gsh 8.26 3 DangerousObject.AndroidOS.GenericML 6.05 4 Trojan-SMS.AndroidOS.Agent.ado 5.89 5 Trojan-Dropper.AndroidOS.Hqwar.cf 5.15 6 Trojan.AndroidOS.Hiddad.fi 4.65 7 Trojan.AndroidOS.Piom.agcb 4.28 8 Trojan-Downloader.AndroidOS.Necro.d 4.10 9 Trojan.AndroidOS.Agent.vz 3.90 10 Trojan-Downloader.AndroidOS.Helper.a 3.42 11 Trojan.AndroidOS.MobOk.v 2.83 12 Trojan-Downloader.AndroidOS.Agent.hy 2.52 13 Trojan-SMS.AndroidOS.Agent.adp 2.20 14 Trojan.AndroidOS.Hiddad.fw 1.81 15 Trojan-Downloader.AndroidOS.Agent.ic 1.75 16 Trojan.AndroidOS.Handda.san 1.72 17 Trojan-Dropper.AndroidOS.Hqwar.gen 1.55 18 Trojan.AndroidOS.LockScreen.ar 1.48 19 Trojan-Downloader.AndroidOS.Malota.a 1.28 20 Trojan-Dropper.AndroidOS.Agent.rb 1.14

* Unique users attacked by this malware as a percentage of all users of Kaspersky solutions who were attacked.

As usual, first place in the Q3 rankings went to DangerousObject.Multi.Generic (36.22%), the verdict we use for malware detected with cloud technology. The technology is triggered when antivirus databases do not yet contain data for detecting the malware at hand, but the anti-malware company’s cloud already contains information about the object. This is essentially how the latest malicious programs are detected.

Second and third places went to Trojan.AndroidOS.Boogr.gsh (8.26%) and DangerousObject.AndroidOS.GenericML (6,05%), respectively. These two verdicts are assigned to files recognized as malicious by our systems Powered by machine learning.

Fourth and thirteenth places went to the Agent family of SMS trojans. Around 95% of users attacked by these trojans were located in Russia, which is unusual, as we have always found the popularity of SMS trojans as a threat class to be very low, especially in Russia. The names of the detected files often allude to games and popular applications.

Fifth and seventeenth places were taken by members of the Trojan-Dropper.AndroidOS.Hqwar family. This was the most numerous family in its class in Q3 2020, with 40% of the total detected droppers. It was followed by Agent (32%) and Wapnor (22%).

Sixth and fourteenth positions in the rankings were occupied by the Trojan.AndroidOS.Hiddad malware, which displays ad banners.

Interestingly enough, our rankings of mobile threats for Q3 2020 include five different families of the Trojan-Downloader class. Two malware varieties, Trojan-Downloader.AndroidOS.Necro.d (4.10%) and Trojan-Downloader.AndroidOS.Helper.a (3.42%) belong to one infection chain, so it is little wonder their shares are so close. Both trojans are associated with spreading of aggressive adware. Two others, Trojan-Downloader.AndroidOS.Agent.hy (2.52%) and Trojan-Downloader.AndroidOS.Agent.ic (1.75%), were discovered back in 2019 and are members of one family. The final trojan, Trojan-Downloader.AndroidOS.Malota.a (1.28%), has been known since 2019 and appears unremarkable. All of the listed trojans serve the main purpose of downloading and running executable code.

Eleventh position belongs to Trojan.AndroidOS.MobOk.v (2.83%), a member of the MobOk family. This malware can auto-subscribe the target to paid services. It attempted to attack mobile users in Russia more frequently than residents of other countries.

Trojan.AndroidOS.LockScreen.ar (1.48%), in eighteenth place, is worth a separate mention. This primitive device-locking trojan was first seen in 2017. We have since repeatedly detected it with mobile users, 95% of these in Russia. The early versions of the trojan displayed an insulting political message in a mixture of Russian and poor English. Entering “0800” unlocked the device, and the trojan could then be removed with stock Android tools. LockScreen.ar carried no other malicious functions besides locking the device. However, it was accompanied by two Windows executables.

Both files are malicious, detected as Trojan-Ransom.Win32.Petr.a and Trojan-Ransom.Win32.Wanna.b, the most infamous among Windows ransomware trojans. Neither poses any threat to Android, and LockScreen.ar does not use them in any way. In other words, a mobile device infected with LockScreen.ar cannot infect a Windows workstation, so the presence of these two executables has no rational explanation.

In recent versions of LockScreen, the cybercriminals changed the lock screen design.

The unlock code changed, too, to 775. The trojan’s capabilities were unchanged, and the Windows executables were removed from the package.

Geography of mobile threats

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Map of infection attempts by mobile malware, Q3 2020 (download)

Ten countries with the largest shares of users attacked by mobile malware

Country* %** 1 Iran 30.29 2 Bangladesh 17.18 3 Algeria 16.28 4 Yemen 14.40 5 China 14.01 6 Nigeria 13.31 7 Saudi Arabia 11.91 8 Morocco 11.12 9 India 11.02 10 Kuwait 10.45

* Excluded from the rankings are countries with relatively few users of Kaspersky Security for Mobile (under 10,000).
** Share of unique users attacked in the country as a percentage of all users of Kaspersky Security for Mobile in the country.

The three countries where mobile threats were detected on Kaspersky users’ devices most frequently remained unchanged. Bangladesh and Algeria exchanged positions, with the former rising to second place with 17.18% and the latter dropping to third place with 16.28%. Iran retained its leadership even as it lost 12.33 percentage points: 30.29% of users in that country encountered mobile threats in Q3 2020.

The AdWare.AndroidOS.Notifyer adware was the most frequent one. Members of this family accounted for nearly ten of the most widespread threats in Iran.

Frequently encountered in Algeria was the Trojan-SMS.AndroidOS.Agent.adp trojan, which occupied third place in that country, as well as AdWare.AndroidOS.BrowserAd family malware (fourth place) and the Trojan-Spy.AndroidOS.SmsThief.oz spyware trojan (fifth place).

The most widespread adware in Bangladesh was the HiddenAd family which hides itself on the application list, and members of the AdWare.AndroidOS.Loead and AdWare.AndroidOS.BrowserAd families, which occupied fourth and fifth places, respectively, in that country.

Mobile web threats

The statistics presented here are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky products who consented to providing statistical data.

In Q3 2020, we continued to assess the risks posed by web pages employed by hackers for attacking Kaspersky Security for Mobile users.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Geography of the countries with the highest risk of infection via web resources, Q3 2020 (download)

Ten countries with the highest risk of infection

Country* % of attacked users** Ecuador 6.33 Morocco 4.51 Algeria 4.27 India 4.11 Saudi Arabia 3.78 Singapore 3.69 Kuwait 3.66 Malaysia 3.49 South Africa 3.31 UAE 3.12

* Excluded are countries with relatively few users of Kaspersky mobile products (under 10,000).
** Unique users targeted by all types of web attacks as a percentage of all unique users of Kaspersky mobile products in the country.

As in Q2 2020, residents of Ecuador (6.33%), Marocco (4.51%) and Algeria (4.27%) encountered various web-based threats most frequently during the reporting period.

Countries where mobile web threats originated

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Geography of countries where mobile attacks originated, Q3 2020 (download)

Ten countries where the largest numbers of mobile attacks originated

Country* %* Netherlands 37.77 Dominican Republic 26.33 USA 24.56 Germany 4.60 Singapore 3.32 Bulgaria 0.88 Ireland 0.52 Russia 0.50 Romania 0.49 Poland 0.21

* Share of sources in the country out of the total number of sources.

As in Q2 2020, the Netherlands was the biggest source of mobile attacks with 37.77%. It was followed by the Dominican Republic (26.3%), which pushed the United States (24.56%) to third place.

Mobile banking trojans

During the reporting period, we found 39,051 mobile banking trojan installers, only 100 fewer than in Q2 2020.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Number of mobile banking trojan installers detected by Kaspersky, Q2 2019 – Q3 2020 (download)

The biggest contributions to our statistics for Q3 2020 came from the creators of the Trojan-Banker.AndroidOS.Agent family trojans: 71.27% of all banker trojans detected. The Trojan-Banker.AndroidOS.Rotexy family (9.23%) came second, far behind the leader, and immediately followed by Trojan-Banker.AndroidOS.Wroba (4.91%).

Ten most commonly detected bankers

Verdict %* 1 Agent 71.27 2 Rotexy 9.23 3 Wroba 4.91 4 Gustuff 4.40 5 Faketoken 2.10 6 Anubis 1.79 7 Knobot 1.23 8 Cebruser 1.21 9 Asacub 0.82 10 Hqwar 0.67

* Unique users attacked by mobile bankers as a percentage of all Kaspersky Security for Mobile users who faced banking threats.

Speaking of specific samples of mobile bankers, Trojan-Banker.AndroidOS.Agent.eq (11.26%) rose to first place in Q3 2020. Last quarter’s leader, Trojan-Banker.AndroidOS.Svpeng.q (11.20%), came second, followed by Trojan-Banker.AndroidOS.Rotexy.e (10.68%).

Ten most common mobile bankers

Verdict %* 1 Trojan-Banker.AndroidOS.Agent.eq 11.26 2 Trojan-Banker.AndroidOS.Svpeng.q 11.20 3 Trojan-Banker.AndroidOS.Rotexy.e 10.68 4 Trojan-Banker.AndroidOS.Asacub.ce 6.82 5 Trojan-Banker.AndroidOS.Asacub.snt 6.60 6 Trojan-Banker.AndroidOS.Anubis.n 4.66 7 Trojan-Banker.AndroidOS.Hqwar.t 4.08 8 Trojan-Banker.AndroidOS.Agent.ep 3.67 9 Trojan-Banker.AndroidOS.Knobot.h 3.31 10 Trojan-Banker.AndroidOS.Asacub.a 3.04

* Unique users attacked by this malware as a percentage of all Kaspersky Security for Mobile users who encountered banking threats.

It is worth noting that the Agent.eq banker has a lot in common with the Asacub trojan whose varieties occupied three out of the ten positions in our rankings.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Geography of mobile banking threats, Q3 2020 (download)

Ten countries with the largest shares of users attacked by mobile banking trojans

Country* %** 1 Japan 1.89 2 Taiwan Province, China 0.48 3 Turkey 0.33 4 Italy 0.31 5 Spain 0.22 6 Korea 0.17 7 Tajikistan 0.16 8 Russia 0.12 9 Australia 0.10 10 China 0.09

* Excluded from the rankings are countries with relatively few users of Kaspersky Security for Mobile (under 10,000).
** Unique users attacked by mobile banking trojans as a percentage of all Kaspersky Security for Mobile users in the country.

The geographical distribution of financial mobile threats underwent a significant change in Q3 2020. The largest share (1.89%) of detections were registered in Japan, with the prevalent malware variety, which attacked 99% of users, being Trojan-Banker.AndroidOS.Agent.eq. Taiwan (0.48%) presented the exact same situation.

Turkey, which was third with 0.33%, had a slightly different picture. The most frequently encountered malware varieties in that countries were Trojan-Banker.AndroidOS.Cebruser.pac (56.29%), followed by Trojan-Banker.AndroidOS.Anubis.q (7.75%) and Trojan-Banker.AndroidOS.Agent.ep (6.06%).

Mobile ransomware trojans

In Q3 2020, we detected 6063 installation packages of mobile ransomware trojans, a fifty-percent increase on Q2 2020.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Number of mobile ransomware installers detected by Kaspersky, Q2 2019 – Q3 2020 (download)

It appears that it is too early to write off mobile ransomware trojans just yet. This class of threats is still popular with hackers who generated a sufficiently large number of installation packages in Q3 2020.

Judging by KSN statistics, the number of users who encountered mobile ransomware increased as well.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Number of users who encountered mobile ransomware, Q2 2019 – Q3 2020 (download)

Top 10 mobile ransomware varieties

Verdict %* 1 Trojan-Ransom.AndroidOS.Small.as 13.31 2 Trojan-Ransom.AndroidOS.Small.o 5.29 3 Trojan-Ransom.AndroidOS.Piom.ly 5.21 4 Trojan-Ransom.AndroidOS.Agent.bq 4.58 5 Trojan-Ransom.AndroidOS.Rkor.z 4.45 6 Trojan-Ransom.AndroidOS.Congur.y 3.80 7 Trojan-Ransom.AndroidOS.Small.ce 3.62 8 Trojan-Ransom.AndroidOS.Congur.am 2.84 9 Trojan-Ransom.AndroidOS.Soobek.a 2.79 10 Trojan-Ransom.AndroidOS.Rkor.x 2.72

* Unique users attacked by the malware as a percentage of all Kaspersky Mobile Antivirus users attacked by ransomware trojans.

Trojan-Ransom.AndroidOS.Small.as (13.31%) retained its leadership in Q3 2020. It was followed by Trojan-Ransom.AndroidOS.Small.o (5.29%), a member of the same family.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Geography of mobile ransomware trojans, Q3 2020 (download)

The ten countries with the largest shares of users attacked by mobile ransomware trojans

Country* %** 1 Kazakhstan 0.57 2 Kyrgyzstan 0.14 3 China 0.09 4 Saudi Arabia 0.08 5 Yemen 0.05 6 USA 0.05 7 UAE 0.03 8 Indonesia 0.03 9 Kuwait 0.03 10 Algeria 0.03

 * Excluded from the rankings are countries with relatively few users of Kaspersky Security for Mobile (under 10,000).
** Unique users attacked by ransomware trojans as a percentage of all Kaspersky Security for Mobile users in the country.

Kazakhstan (0.57%) Kyrgyzstan (0.14%) and China (0.10%) saw the largest shares of users attacked by mobile ransomware trojans.


This section uses statistics collected by Kaspersky Internet Security for Android.

Stalkerware was encountered less frequently in Q3 2020 than in Q3 2019. The same can be said of the entire year 2020, though. This must be another effect of the COVID-19 pandemic: users started spending much more time at home due to the restrictions, and following their family members and housemates did not require stalkerware. Those who took an interest in their coworkers’ lives had a much harder time gaining physical access to their targets’ devices amid self-isolation. Besides, the cybersecurity industry, not without our contribution, zeroed in on stalkerware, with protective solutions starting to warn users explicitly.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Number of devices running Kaspersky Internet Security for Android on which stalkerware was detected in 2019 – 2020 (download)

Developers of stalkerware have not gone anywhere. They create new designs quarter after quarter. In Q3 2020, we discovered seven hitherto-unknown stalkerware samples, which we singled out as separate families:

  • AndroidOS.CallRec.a
  • AndroidOS.Dromon.a
  • AndroidOS.Hovermon.a
  • AndroidOS.InterceptaSpy.a
  • AndroidOS.Manamon.a
  • AndroidOS.Spydev.a
  • AndroidOS.Tesmon.a

Ten most common stalkerware varieties

Verdict %* 1 Monitor.AndroidOS.Cerberus.a 13.38 2 Monitor.AndroidOS.Anlost.a 7.67 3 Monitor.AndroidOS.MobileTracker.c 6.85 4 Monitor.AndroidOS.Agent.af 5.59 5 Monitor.AndroidOS.Nidb.a 4.06 6 Monitor.AndroidOS.PhoneSpy.b 3.68 7 Monitor.AndroidOS.Reptilic.a 2.99 8 Monitor.AndroidOS.SecretCam.a 2.45 9 Monitor.AndroidOS.Traca.a 2.35 10 Monitor.AndroidOS.Alltracker.a 2.33

* Share of unique users whose mobile devices were found to contain stalkerware as a percentage of all Kaspersky Internet Security for Android users attacked by stalkerware

Cerberus (13.38%) has topped our stalkerware rankings for a second quarter in a row. The other nine contenders are well-known spyware programs that have been in the market for a long time.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Geography of stalkerware distribution, Q3 2020 (download)

Country* Number of users Russia 15.57% Brazil 12.04% India 9.90% USA 8.02% Germany 3.80% Mexico 3.17% Italy 2.50% Iran 2.36% Saudi Arabia 2.19% Great Britain 1.83%

A decrease in the number of users who encountered stalkerware in Q3 2020 is typical both globally and for the three leaders.

IT threat evolution Q3 2020

20 Listopad, 2020 - 11:00

Targeted attacks MATA: Lazarus’s multi-platform targeted malware framework

The more sophisticated threat actors are continually developing their TTPs (Tactics, Techniques and Procedures) and the toolsets they use to compromise the systems of their targets. However, malicious toolsets used to target multiple platforms are rare, because they required significant investment to develop and maintain them.  In July, we reported the use of an advanced, multi-purpose malware framework developed by the Lazarus group.

We discovered the first artefacts relating to this framework, dubbed ‘MATA’ (the authors named their infrastructure ‘MataNet’) in April 2018. Since then, Lazarus has further developed MATA; and there are now versions for Windows, Linux and macOS operating systems.

The MATA framework consists of several components, including a loader, an orchestrator (which manages and coordinates the processes once a device is infected) a C&C server and various plugins.

Lazarus has used MATA to infiltrate the networks of organizations around the world and steal data from customer databases; and, in at least one case, the group has used it to spread ransomware – you can read more about this in the next section. The victims have included software developers, Internet providers and e-commerce sites; and we detected traces of the group’s activities in Poland, Germany, Turkey, Korea, Japan, and India.

You can read more about MATA here.

Lazarus on the hunt for big game

Targeted ransomware has been on the increase in recent years. Typically, such attacks are carried out by criminal groups, who license ‘as-a-service’ ransomware from third-party malware developers and then distribute it by piggy-backing established botnets.

However, earlier this year we discovered a new ransomware family linked to the Lazarus APT group. The VHD ransomware operates much like other ransomware – it encrypts files on drives connected to the victim’s computer and deletes System Volume Information (used as part of the Windows restore point feature) to prevent recovery of data. The malware also suspends processes that could potentially lock important files, such as Microsoft Exchange or SQL Server. However, the delivery mechanism is more reminiscent of APT campaigns. The spreading utility contains a list of administrative credentials and IP addresses specific to the victim, which is uses to brute-force the SMB service on every discovered computer. Whenever it makes a successful connection, a network share is mounted and the VHD ransomware is copied and executed through WMI calls.

While investigating a second incident, we were able to uncover the full infection chain. The malware gained access to a victim’s system by exploiting a vulnerable VPN gateway and then obtained administrative rights on the compromised machines. It used these to install a backdoor and take control of the Active Directory server. Then all computers were infected with the VHD ransomware using a loader created specifically for this task.

Further analysis revealed the backdoor to be part of the MATA framework described above.


Garmin, the GPS and aviation specialist, was the victim of a cyber-attack in July that resulted in the encryption of some of its systems. The malware used in the attack was the WastedLocker and you can read our technical analysis of this ransomware here.

This ransomware, the use of which has increased this year, has several noteworthy features. It includes a command line interface that attackers can use to control the way it operates – specifying directories to target and setting a priority of which files to encrypt first; and controlling the encryption of files on specified network resources. WastedLocker also features a bypass for UAC (User Account Control) on Windows computers that allows the malware to silently elevate its privileges using a known bypass technique.

WastedLocker uses a combination of AES and RSA algorithms to encrypt files, which is a standard for ransomware families. Files are encrypted using a single public RSA key. This would be a weakness if this ransomware were to be distributed in mass attacks, since a decryptor from one victim would have to contain the only private RSA key that could be used to decrypt the files of all victims. However, since WastedLocker is used in attacks targeted at a specific organization, this decryption approach is worthless in real-world scenarios. Encrypted files are given the extension garminwasted_info, – and unusually, a new info file is created for each of the victim’s encrypted files.

CactusPete’s updated Bisonal backdoor

CactusPete is a Chinese-speaking APT threat actor that has been active since 2013. The group has typically targeted military, diplomatic and infrastructure victims in Japan, South Korea, Taiwan and the U.S. However, more recently the group has shifted its focus more towards other Asian and Eastern European organizations.

This group, which we would characterize as having medium level technical capabilities, seems to have acquired greater support and has access to more complex code such as ShadowPad, which CactusPete deployed earlier this year against government, defence, energy, mining and telecoms organizations.

Nevertheless, the group continues to use less sophisticated tools. We recently reported the group’s use of a new variant of the Bisonal backdoor to steal information, execute code on target computers and perform lateral movement within the network. Our research began with a single sample, but using the Kaspersky Threat Attribution Engine (KTAE) we discovered more than 300 almost identical samples. All of these appeared between March 2019 and April this year – so the group has developed more than 20 samples per month! Bisonal is not advanced, relying instead on social engineering in the form of spear-phishing e-mails.

Operation PowerFall

Earlier this year our technologies prevented an attack on a South Korean company. Our investigation uncovered two zero-day vulnerabilities: a remote code execution exploit for Internet Explorer and an elevation of privilege exploit for Windows. The exploits targeted the latest builds of Windows 10 and our tests demonstrated reliable exploitation of Internet Explorer 11 and Windows 10 build 18363 x64.

The exploits operated in tandem. The victim was first targeted with a malicious script that, because of the vulnerability, was able to run in Internet Explorer. Then a flaw in the system service further escalated the privileges of the malicious process. As a result, the attackers were able to move laterally across the target network.

We reported our discoveries to Microsoft, who confirmed the vulnerabilities. At the time of our report, the security team at Microsoft had already prepared a patch for the elevation of privilege vulnerability (CVE-2020-0986): although, before our discovery, Microsoft hadn’t considered exploitation of this vulnerability to be likely. The patch for this vulnerability was released on 9 June. The patch for the remote code vulnerability (CVE-2020-1380) was released on 11 August.

We named this malicious campaign Operation PowerFall. While we have been unable to find a clear link to known threat actors, we believe that DarkHotel might be behind it. You can read more about it here and here.

The latest activities of Transparent Tribe

Transparent Tribe, a prolific threat actor that has been active since at least 2013, specializes in cyber-espionage. The group’s main malware is a custom .NET Remote Access Trojan (RAT) called Crimson RAT, spread by means of spear-phishing e-mails containing malicious Microsoft Office documents.

During our investigation into the activities of Transparent Tribe, we found around 200 Crimson RAT samples. Kaspersky Security Network (KSN) telemetry indicates that there were more than a thousand victims in the year following June 2019.  The main targets were diplomatic and military organizations in India and Pakistan.

Crimson RAT includes a range of functions for harvesting data from infected computers. The latest additions include a server-side component used to manage infected client machines and a USB worm component developed for stealing files from removable drives, spreading across systems by infecting removable media and downloading and executing a thin-client version of Crimson RAT from a remote server.

We also discovered a new Android implant used by Transparent Tribe to spy on mobile devices. The threat actor used social engineering to distribute the malware, disguised as a fake porn video player and a fake version of the Aarogya Setu COVID-19 tracking app developed by the government of India.

The app is a modified version of the AhMyth Android RAT, open source malware, downloadable from GitHub and built by binding a malicious payload inside legitimate apps. The malware is designed to collect information from the victim’s device and send it to the attackers.

DeathStalker: mercenary cybercrime group

In August, we reported the activities of a cybercrime group that specializes in stealing trade secrets – mainly from fintech companies, law firms, and financial advisors, although we’ve also seen an attack on a diplomatic entity. The choice of targets suggests that this group, which we have named DeathStalker, is either looking for specific information to sell, or is a mercenary group offering an ‘attack on demand’ service. The group has been active since at least 2018; but it’s possible that the group’s activities could go back further, to 2012, and may be linked to the Janicab and Evilnum malware families.

We have seen Powersing-related activities in Argentina, China, Cyprus, Israel, Lebanon, Switzerland, Taiwan, Turkey, the UK and the UAE. We also located Evilnum victims in Cyprus, India, Lebanon, Russia, Jordan and the UAE.

The group’s use of a PowerShell implant called Powersing first brought DeathStalker to our attention. The operation starts with spear-phishing e-mails with attached archives containing a malicious LNK file. If the victim clicks on the archive, it starts a convoluted sequence resulting in the execution of arbitrary code on the computer

Powersing periodically takes screenshots on the victim’s computer and sends them to the C2 (Command and Control) server. It also executes additional PowerShell scripts that are downloaded from the C2 server. So Powersing is designed to provide the attackers with an initial point of presence on the infected computer from which to install additional malware.

DeathStalker camouflages communication between infected computers and the C2 server by using public services as dead drop resolvers: these services allow the attackers to store data at a fixed URL through public posts, comments, user profiles, content descriptions, etc.

DeathStalker offers a good example of what small groups or even skilled individuals can achieve, without the need for innovative tricks or sophisticated methods. DeathStalker should serve as a baseline of what organizations in the private sector should be able to defend against, since groups of this sort represent the type of cyber-threat companies today are most likely to face. We advise defenders to pay close attention to any process creation related to native Windows interpreters for scripting languages, such as powershell.exe and cscript.exe: wherever possible, these utilities should be made unavailable. Security awareness training and security product assessments should also include infection chains based on LNK files.

You can read more about DeathStalkers here.

Other malware The Tetrade: Brazilian banking malware goes global

Brazil has a well-established criminal underground and local malware developers have created many banking Trojans over the years. Typically, this malware is used to target customers of local banks. However, Brazilian cybercriminals are starting to expand their attacks and operations abroad, targeting other countries and banks. The Tetrade is our designation for four large banking Trojan families that have been created, developed and spread by Brazilian criminals, but which are now being used at a global level. The four malware families are Guildma, Javali, Melcoz and Grandoreiro.

We have seen attempts to do this before, with limited success using very basic Trojans. The situation is now different. Brazilian banking Trojans have evolved greatly, with hackers adopting techniques for bypassing detection, creating highly modular and obfuscated malware and using a very complex execution flow – making analysis more difficult. Notwithstanding the banking industry’s adoption of technologies aimed at protecting customers, including the deployment of plugins, tokens, e-tokens, two-factor authentication, CHIP and PIN credit, fraud continues to increase because Brazil still lacks proper cybercrime legislation.

Brazilian criminals are benefiting from the fact that many banks operating in Brazil also have operations elsewhere in Latin America and in Europe, making it easy to extend their attacks to customers of these financial institutions. They are also rapidly creating an ecosystem of affiliates, recruiting cybercriminals to work with in other countries, adopting MaaS (Malware-as-a-Service) and quickly adding new techniques to their malware as a way to keep it relevant and financially attractive to their partners.

The banking Trojan families are seeking to innovate by using DGA (Domain Generation Algorithm), encrypted payloads, process hollowing, DLL hijacking, a lot of LoLBins, fileless infections and other tricks to obstruct analysis and detection. We believe that these threats will evolve to target more banks in more countries.

We recommend that financial institutions monitor these threats closely, while improving their authentication processes, boosting anti-fraud technology and threat intelligence data to understand and mitigate such risks. Further information on these threats, along with IoCs, YARA rules and hashes, are available to customers of our Financial Threat Intelligence services.

The dangers of streaming

Home entertainment is changing as the adoption of streaming TV services increases. The global market for streaming services is estimated to reach $688.7 billion by 2024. For cybercriminals, the widespread adoption of streaming services offers new, potentially lucrative attack vector. For example, just hours after Disney + was launched last November, thousands of accounts were hacked and people’s passwords and email details were changed. The criminals sold the compromised accounts online for between $3 and $11.

Even established services, such as Netflix and Hulu, are prime targets for distributing malware, stealing passwords and launching spam and phishing attacks. The spike in the number of subscribers in the wake of the COVID-19 pandemic has provided cybercriminals with an even bigger pool of potential victims. In the first quarter of this year, Netflix added fifteen million subscribers—more than double what had been anticipated.

We took an in-depth look at the threat landscape as it relates to streaming services. Unsurprisingly, phishing is one of the approaches taken by cybercriminals, as they seek to trick people into disclosing login credentials or payment information.

The criminals also capitalize on the growing interest in streaming services to distribute malware and adware. Typically, backdoors and other Trojans are downloaded when people attempt to gain access through unofficial means – by purchasing discounted accounts, obtaining a ‘hack’ to keep their free trial going, or attempting to access a free subscription. The chart below shows the number of people that encountered various threats containing the names of popular streaming platforms while trying to access these platforms through unofficial means between January 2019 and 8 April 2020:

The chart below shows the mix of malicious programs disguised under the name of popular streaming platforms between January 2019 and 8 April 2020:

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

You can read the full report here, including our guidance on how to avoid phishing scams and malware related to streaming services.

Threats facing digital education

Online learning became the norm in the wake of the COVID-19 pandemic, as classrooms and lecture theatres were forced to close. Unfortunately, many educational institutions did not have proper cyber-security measures in place, putting online classrooms at increased risks of cyber-attacks. On 17 June, Microsoft Security Intelligence reported that the education industry accounted for 61 percent of the 7.7 million malware encounters by enterprises in the previous 30 days – more than any other sector. In addition to malware, educational institutions also faced an increased risk of data breaches and violations of student privacy.

We recently published an overview of the threats facing schools and universities, including phishing related to online learning platforms and video conferencing applications, threats camouflaged as applications related to online learning and DDoS (Distributed Denial of Service) attacks affecting education.

In the first half of 2020, 168,550 people encountered various threats disguised as popular online learning platforms – a massive increase compared to just 820 in the same period the previous year.

The platform used most frequently as a lure was Zoom, with 99.5 per cent of detections, no surprise given the popularity of this platform.

The overwhelming majority of threats distributed under the guise of legitimate video conferencing and online learning platforms were riskware and adware. Adware bombards users with unwanted adverts, while riskware consists of various files – including browser bars, download managers and remote administration tools – that may carry out various actions without consent.

In Q1 2020, the total number of DDoS attacks increased globally by 80 per cent when compared to the same period in 2019: and a large proportion of this increase can be attributed to attacks on distance e-learning services.

The number of DDoS attacks affecting educational resources that occurred between January and June this year increased by at least 350 per cent when compared to the same period in 2019.

It’s likely that online learning will continue to grow in the future and cybercriminals will seek to exploit this. So it’s vital that educational institutions review their cyber-security policy and adopt appropriate measures to secure their online learning environments and resources.

You can read our full report here.

Undeletable adware on smartphones

We’ve highlighted the issue of intrusive advertisements on smartphones a number of times in the past (you can find recent posts here and here).  While it can be straightforward to remove adware, there are situations where it’s much more difficult because the adware is installed in the system partition. In such cases, trying to remove it can cause the device to fail. In addition, ads can be embedded in undeletable system apps and libraries at the code level. According to our data, 14.8 per cent of all users attacked by malware or adware in the last year suffered an infection of the system partition.

We have observed two main strategies for introducing undeletable adware onto a device. First, the malware obtains root access and installs adware in the system partition. Second, the code for displaying ads (or its loader) gets into the firmware of the device even before reaches the consumer. Our data indicates that between one and 5 per cent people running our mobile security solutions have encountered this. In the main, these are owners of smartphones and tablets of certain brands in the lower price segment. For some popular vendors offering low-cost devices, this figure reaches 27 per cent.

Since the Android security model assumes that anti-virus is a normal app, it is unable to do anything adware or malware in system directories, making this a serious problem.

Our investigations show that the focus of some mobile device suppliers is on maximizing profits through all kinds of advertising tools, even if such tools cause inconvenience to device owners. If advertising networks are ready to pay for views, clicks, and installations regardless of their source, it makes sense for them to embed ad modules into devices to increase the profit from each device sold.

Advanced Threat predictions for 2021

19 Listopad, 2020 - 11:00

Trying to make predictions about the future is a tricky business. However, while we don’t have a crystal ball that can reveal the future, we can try to make educated guesses using the trends that we have observed over the last 12 months to identify areas that attackers are likely to seek to exploit in the near future.

Let’s start by reflecting on our predictions for 2020.

  • The next level of false flag attacks
    This year, we haven’t seen anything as dramatic as the forging of a malicious module to make it look like the work of another threat actor, as was the case with Olympic Destroyer. However, the use of false flags has undoubtedly become an established method used by APT groups to try to deflect attention away from their activities. Notable examples this year include the campaigns of MontysThree and DeathStalker. Interestingly, in the DeathStalker case, the actor incorporated certificate metadata from the infamous Sofacy in their infrastructure, trading covertness for the chance of having their operation falsely attributed.
  • From ransomware to targeted ransomware
    Last year, we highlighted the shift towards targeted ransomware and predicted that attackers would use more aggressive methods to extort money from their victims. This year, hardly a week has gone by without news of an attempt to extort money from large organizations, including recent attacks on a number of US hospitals. We’ve also seen the emergence of ‘brokers’ who offer to negotiate with the attackers, to try to reduce the cost of the ransom fee. Some attackers seem to apply greater pressure by stealing data before encrypting it and threatening to publish it; and in a recent incident, affecting a large psychotherapy practice, the attackers posted sensitive data of patients.
  • New online banking and payments attack vectors
    We haven’t seen any dramatic attacks on payment systems this year. Nevertheless, financial institutions continue to be targeted by specialist cybercrime groups such as FIN7, CobaltGroup, Silence and Magecart, as well as APT threat actors such as Lazarus.
  • More infrastructure attacks and attacks against non-PC targets
    APT threat actors have not confined their activities to Windows, as illustrated by the extension of Lazarus’s MATA framework, the development of Turla’s Penquin_x64 backdoor and the targeting of European supercomputing centers in May. We also saw the use of multiplatform, multi-architecture tools such as Termite and Earthworm in operation TunnelSnake. These tools are capable of creating tunnels, transferring data and spawning remote shells on the targeted machines, supporting x86, x64, MIPS(ES), SH-4, PowerPC, SPARC and M68k. On top of this, we also discovered the framework we dubbed MosaicRegressor, which includes a compromised UEFI firmware image designed to drop malware onto infected computers.
  • Increased attacks in regions that lie along the trade routes between Asia and Europe
    In 2020, we observed several APT threat actors target countries that had previously drawn less attention. We saw various malware used by Chinese-speaking actors used against government targets in Kuwait, Ethiopia, Algeria, Myanmar and the Middle East. We also observed StrongPity deploying a new, improved version of their main implant called StrongPity4. In 2020 we found victims infected with StrongPity4 outside Turkey, located in the Middle East.
  • Increasing sophistication of attack methods
    In addition to the UEFI malware mentioned above, we have also seen the use of legitimate cloud services (YouTube, Google Docs, Dropbox, Firebase) as part of the attack infrastructure (either geo-fencing attacks or hosting malware and used for C2 communications).
  • A further change of focus towards mobile attacks
    This is apparent from the reports we have published this year. From year to year we have seen more and more APT actors develop tools to target mobile devices. Threat actors this year included OceanLotus, the threat actor behind TwoSail Junk, as well as Transparent Tribe, OrigamiElephant and many others.
  • The abuse of personal information: from deep fakes to DNA leaks
    Leaked/stolen personal information is being used more than ever before in up-close and personal attacks. Threat actors are less afraid than ever to engage in active ongoing communications with their victims, as part of their spear-phishing operations, in their efforts to compromise target systems. We have seen this, for example, in Lazarus’s ThreatNeedle activities and in DeathStalker’s efforts to pressure victims into enabling macros. Criminals have used AI software to mimic the voice of a senior executive, tricking a manager into transferring more than £240,000 into a bank account controlled by fraudsters; and governments and law enforcement agencies have used facial recognition software for surveillance.

Turning our attention to the future, these are some of the developments that we think will take center stage in the year ahead, based on the trends we have observed this year.

APT threat actors will buy initial network access from cybercriminals

In the last year, we have observed many targeted ransomware attacks using generic malware, such as Trickbot, to gain a foothold in target networks. We have also observed connections between targeted ransomware attacks and well-established underground networks like Genesis that typically trade in stolen credentials. We believe APT actors will start using the same method to compromise their targets.  Organizations should pay increased attention to generic malware and perform basic incident response activities on each compromised computer to ensure generic malware has not been used deploy sophisticated threats.

More countries using legal indictments as part of their cyberstrategy

Some years ago we predicted that governments would resort to “naming and shaming”, to draw attention to the activities of hostile APT groups. We have seen several cases of this over the last 12 months. We think that US Cyber Command’s “persistent engagement” strategy will begin to bear fruit in the coming year and lead other states to follow suit, not least as “tit for tat” retaliation to US indictments. Persistent engagement involves publicly releasing reports about adversary tools and activities. US Cyber Command has argued that warfare in cyberspace is of a fundamentally different nature, and requires full-time engagement with adversaries to disrupt their operations. One of the ways they do so is by providing indicators that the threat intelligence community can use to bootstrap new investigations – in a sense, it is a way of orienting private research through intelligence declassification.

Tools “burned” in this way become harder to use for the attackers, and can undermine past campaigns that might otherwise have stayed under the radar. Faced with this new threat, adversaries planning attacks must factor in additional costs (the heightened possibility of losing tools or these tools being exposed) in their risk/gain calculus.

Exposing toolsets of APT groups is nothing new: successive leaks by Shadow Brokers provide a striking example. However, it is the first time it has been done in an official capacity through state agencies. While quantifying the effects of deterrence is impossible, especially without access to diplomatic channels where such matters are discussed, we believe that more countries will follow this strategy in 2021. First, states traditionally aligned with the US may start replicating the process, and then, later on, the targets of such disclosures could follow suit as a form of retaliation.

More Silicon Valley companies will take action against zero-day brokers

Until recently, zero-day brokers have traded exploits for well-known commercial products; and big companies such as Microsoft, Google, Facebook and others have seemingly paid little attention to the trade. However, in the last year or so, there have been high-profile cases where accounts were allegedly compromised using WhatsApp vulnerabilities – including Jeff Bezos and Jamal Khashoggi. In October 2019, WhatsApp filed a lawsuit accusing Israel-based NSO Group of having exploited a vulnerability in its software; and that the technology sold by NSO was used to target more than 1,400 of its customers in 20 different countries, including human rights activists, journalists and others. A US judge subsequently ruled that the lawsuit could proceed. The outcome of the case could have far-reaching consequences, not least of which could be to lead other firms to take legal action against companies that deal in zero-day exploits. We think that mounting public pressure, and the risk of reputation damage, may lead other companies to follow WhatsApp’s lead and take action against zero-day brokers, to demonstrate to their customers that they are seeking to protect them.

Increased targeting of network appliances

With the trend towards overall improvement of organizational security, we think that actors will focus more on exploiting vulnerabilities in network appliances such as VPN gateways. We’re already starting to see this happen – see here, here and here for further details. This goes hand-in-hand with the shift towards working from home, requiring more companies to rely on a VPN setup in their business. The increased focus on remote working, and reliance on VPNs, opens up another potential attack vector: the harvesting of user credentials through real-world social engineering approaches such as “vishing” to obtain access to corporate VPNs. In some cases, this might allow the attacker to even accomplish their espionage goals without deploying malware in the victim’s environment.

The emergence of 5G vulnerabilities

5G has attracted a lot of attention this year, with the US exerting a lot of pressure on friendly states to discourage them from buying Huawei products. In many countries, there were also numerous scare stories about possible health risks, etc. This focus on 5G security means that researchers, both public and private, are definitely looking at the products of Huawei and others, for signs of implementation problems, crypto flaws and even backdoors. Any such flaws will certainly receive massive media attention. As usage of 5G increases, and more devices become dependent on the connectivity it provides, attackers will have a greater incentive to look for vulnerabilities that they can exploit.

Demanding money “with menaces”

We have seen several changes and refinements in the tactics used by ransomware gangs over the years. Most notably, attacks have evolved from random, speculative attacks distributed to a large number of potential victims, to highly targeted attacks that demand a considerably greater payout from a single victim at a time. The victims are carefully selected, based on their ability to pay, their reliance on the data encrypted and the wider impact an attack will have. And no sector is considered off limits, notwithstanding the promises ransomware gangs made not to target hospitals. The delivery method is also customized to fit the targeted organization, as we have seen with attacks on medical centers and hospitals throughout the year.

We have also seen ransomware gangs seeking to obtain greater leverage by threatening to publish stolen data if a company fails to pay the ransom demanded by the attackers. This trend is likely to develop further as ransomware gangs seek to maximize their return on investment.

The ransomware problem has become so prevalent that the OFAC (Office of Foreign Assets Control) released instructions for victims and clarified that paying ransoms could constitute a breach of international sanctions. We interpret this announcement as the beginning of a wider crackdown on the cybercrime world by US authorities.

This year, the Maze and Sodinokibi gangs both pioneered an “affiliate” model involving collaboration between groups. Nevertheless, the ransomware eco-system remains very diverse. It’s possible that in the future we will see a concentration of major ransomware players who will start to focus their activities and obtain APT-like capabilities. However, for some time to come, smaller gangs will continue to adopt the established approach that relies on piggybacking botnets and sourcing third-party ransomware.

More disruptive attacks

More and more aspects of our lives are becoming dependent on technology and connectivity to the internet. As a result, we present a much wider attack surface than ever before. It’s likely, therefore, that we will see more disruptive attacks in the future. On the one hand, this disruption could be the result of a directed, orchestrated attack, designed to affect critical infrastructure. On the other hand, it could be collateral damage that occurs as a side-effect of a large-volume ransomware attack targeting organizations that we use in our day-to-day lives, such as educational institutions, supermarkets, postal services and public transportation.

Attackers will continue to exploit the COVID-19 pandemic

The world has been turned upside down by COVID-19, which has impacted nearly every aspect of our lives this year. Attackers of all kinds were quick to seize the opportunity to exploit the keen interest in this topic, including APT threat actors. As we have noted before, this did not mark a change in TTPs, but simply a persistent topic of interest that they could use as a social engineering lure. The pandemic will continue to affect our lives for some time to come; and threat actors will continue to exploit this to gain a foothold in target systems. During the last six months, there have been reports of APT groups targeting COVID-19 research centers. The UK National Cyber Security Centre (NCSC) stated that APT29 (aka the Dukes and Cozy Bear) targeted COVID-19 vaccine development. This will remain a target of strategic interest to them for as long as the pandemic lasts.

Spam and phishing in Q3 2020

12 Listopad, 2020 - 11:00

Quarterly highlights Worming their way in: cybercriminal tricks of the trade

These days, many companies distribute marketing newsletters via online platforms. In terms of capabilities, such platforms are quite diverse: they send out advertising and informational messages, harvest statistics (for example, about clicked links in emails), and the like. At the same time, such services attract both spammers, who use them to send their own mailings, and cybercriminals, who try to gain access to user accounts, usually through phishing. As a result, attackers also get their hands on user-created mailing lists, which allows them to disseminate mass advertising or phishing messages that filtering systems sometimes let through.

Accordingly, in Q3 we registered an increase in the number of messages sent using the Sendgrid platform. A significant portion of them were phishing attacks aimed at stealing login credentials for major resources. The emails were no different from traditional phishing, save for the legitimate headers and link to Sendgrid, which redirected the recipient to a phishing site. To the observant eye, the address bar and From field would reveal the messages to be fake.

Call me!

In our previous quarterly report, we talked about an increasingly common scam whereby fraudsters send emails purportedly from large companies with a request to urgently contact support at the given phone number. Users who contacted the operator were then asked for information, such as bank card details, which could then be used to empty their account. The most commonly used toll-free numbers have specific three-digit prefixes after the country code (for example: 800, 888, 844).

In Q3 2020, we observed new versions of such schemes warning not only about unauthorized account access, but about money transactions supposedly made by the user. The attackers’ calculation is that, on seeing a message about a financial transaction, the client will grab their phone and dial the support number highlighted in bold. Such emails do not contain links, and the message itself is an image, which makes it harder to detect.


Scammers like such schemes, because sending spam is much cheaper and easier than calling potential victims. To avoid swallowing the bait, either call the support service using the number on the organization’s official website (not the one in the email), or use an app that protects against telephone fraud by checking outgoing call numbers.

COVID-19 and spam topics Facebook grants

In Q3 2020, many users of social networks and messengers saw a screenshot with some interesting news: CNBC, it said (in broken English — always a red flag), had reported that Facebook was paying out compensation to victims of COVID-19. To get yours, all you had to do was follow the link and fill out a number of documents.

The link had nothing to do with Facebook and led to a fake page resembling the website of Mercy Corps, an organization dedicated to helping victims of natural disasters and armed conflict. To apply, you had to enter your Facebook username and password, then verify your identity by providing personal information, including SSN (social security number, issued to US citizens). This last detail suggests that the attack was aimed at US residents. Users that entered all the requested data gave the cybercriminals not only access to their social network account, but also personal information that could then be used for identity theft or bank card fraud.

It should be noted that the scheme was based on official news that Facebook was indeed ready to provide support to victims of COVID-19. But it only concerned grants for companies, not individuals.

Tourist phishing

The coronavirus pandemic — which has decimated the tourist trade — has also had an effect on scammers: this quarter saw fewer emails offering attractive summer breaks than usual. However, the pandemic did not stop scammers, only redirected their attention.

In Q3, Airbnb and Expedia Group users were the most frequent targets of phishing attacks. Fake pages hungry for user credentials were very faithful to the design of the official websites, distinguishable only by looking closely at the address bar, where most often the domain was unrelated to the target company or belonged to a free hosting service.

So as not to reveal their cards too soon, scammers use URL-shortening services and distribute messages in social networks and messengers where shortened links look organic. In their messages, scammers offer cheap tickets or bargain hotel deals. And it is impossible to know where such links lead before clicking them, which is what attackers play upon. Accounts stolen in this way can be used, for example, for money laundering.

Phishers also forged pages with rental offers: visitors could view photos of apartments and read detailed information about the alleged terms and conditions. Lower down the page were rave reviews from past clients intended to lull the victim into a false sense of security.

The “landlord” in each case agreed to rent out the apartment, but asked for an advance payment. And then disappeared as soon as the money was deposited, together with the fake page. In this instance, the cybercriminals also banked on the fact that the juicy offer (low price, big discount) would distract the victim from looking at the URL and checking the information on the site.

Attacks on the corporate sector Malicious mail

We already told about the distribution of malicious files disguised as notifications from delivery services. They continued this quarter as well: we uncovered a mailing targeting employees connected to sales in some capacity. The scammers persuaded recipients to open the attached documents supposedly to pay customs duties for the import of goods. Instead of documents, the attachment contained Backdoor.MSIL.Crysan.gen.

Malicious mailings with “reminders” about online meetups are worth a separate mention. For example, one of them asked the recipient to join a Zoom conference by clicking the attached link. Instead of a meeting, the user ended up on a WeTransfer phishing page. If the user fell for the trap and entered their WeTransfer credentials, the attackers gained access to the company’s files stored in this cloud.

Another mailing informed users that a Microsoft SharePoint document had been shared with them. After clicking the link, the victim was taken to a fake Microsoft login page that helped cybercriminals steal account usernames and passwords.

Far more dangerous were meeting notifications containing malicious files. For example, the at-first-glance harmless message below contained HEUR:Trojan-Downloader.Script.Generic.

And Trojan-Banker.Win32.ClipBanker, downloaded via the link in the email below, is used to steal financial (including cryptocurrency-related) information.

Mail scanner

To gain access to corporate accounts, cybercriminals distributed messages stating that a virus had been found in the recipient’s mailbox, and advising an urgent scan, otherwise the account would be disabled. The messages, disguised as notifications from infosec companies, were sent from a free mail address and employed neutral names like Email Security Team to avoid unnecessary specifics.

The cybercriminals reckoned on the combined threat of a computer virus and a deactivated work email account forcing the recipient to ignore some of the oddities of the message. For example, such emails could be from the company’s IT or security department, but not a third party. The page that opened on clicking the link did not resemble a corporate resource by either its address or layout. Plus, for added believability, the cybervillains placed on it the logos of all major infosec companies.

To start a “virus scan”, the user was asked to enter the username and password for their corporate mailbox. That said, the “scan” started even if arbitrary credentials were entered in the fields:

Statistics: spam Proportion of spam in mail traffic

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Proportion of spam in global mail traffic, Q2 2020 – Q3 2020 (download)

In Q3 2020, the largest share of spam was recorded in August (50.07%). The average share of spam in global mail traffic was 48.91%, down 1.27 p.p. against the previous reporting period.

Sources of spam by country

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Sources of spam by country, Q3 2020 (download)

The Top 5 countries by amount of outgoing spam remained the same as in the previous quarter. Only their shares changed. The biggest increase came from Russia, which ranked first, jumping by 5 p.p. to 23.52%. The shares of the remaining top-fivers did not fluctuate by more than one percentage point. Second-place Germany gained 11.01%, the US in third picked up 10.85%, France 6.69%, and China in fifth 6.33%.

The bottom half of the Top 10 changed more significantly. For instance, it said goodbye to Turkey, which this time took 11th place (1.73%). Sixth place was taken by the Netherlands (3.89%), seventh by Brazil (3.26%), eighth by Spain (2.52%), ninth by Japan (2.30%), and Poland (1.80%) rounds out the Top 10, up one position on last quarter.

Spam email size

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Spam email size, Q2 2020 – Q3 2020 (download)

The downward trend in the number of very small emails continued in Q3 2020; their share decreased significantly — by 13.21 p.p. to 38.09%. The share of emails sized 20–50 KB grew by 12.45 p.p. to 28.20% of the total number of registered spam emails. But the number of emails 10–20 KB in size fell to 8.31% (–2.78 p.p.). Also lower was the share of spam messages sized 100–200 KB; this time their share was 1.57%.

Malicious attachments: malware families

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Number of Mail Anti-Virus triggerings, Q2 2020 – Q3 2020 (download)

Throughout Q3 2020, our security solutions detected a total of 51,025,889 malicious email attachments, which is almost 8 million more than in the previous reporting period.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Top 10 malicious attachments in mail traffic, Q3 2020 (download)

The most widespread malware in Q3 mail traffic was assigned the verdict Trojan-PSW.MSIL.Agensla.gen (8.44%). In second place was Exploit.MSOffice.CVE-2017-11882.gen (5.67%), while Trojan.MSOffice.SAgent.gen (4.85%) came third.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Top 10 malware families in mail traffic, Q3 2020 (download)

This quarter’s most widespread malware family was Trojan-PSW.MSIL.Agensla (12.67%), having ranked second in the last reporting period. While last quarter’s leader Trojan.Win32.Agentb finished second (8.78%). Third place, as in the previous quarter, went to Exploit.MSOffice.CVE-2017-11882 (8.03%).

Countries targeted by malicious mailshots

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Distribution of Mail Anti-Virus triggerings by country, Q3 2020 (download)

Since the beginning of the year, Spain has led the way by number of Mail Anti-Virus triggerings. In Q3, users in this country accounted for 7.76% of attacks. In second place this time was Germany (7.05%), knocking Russia (5.87%) into third.

Statistics: phishing

In Q3 2020, the Anti-Phishing system prevented 103,060,725 attempts to redirect users to fake pages, which is almost 3.2 million fewer than in Q2. The share of unique attacked users amounted to 7.67% of the total number of users of Kaspersky products

Attack geography

This time, the country with the largest proportion of users attacked by phishers was Mongolia (15.54%).

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Geography of phishing attacks, Q3 2020 (download)

Israel (15.24%) lies close behind in second place, with France (12.57%) this time in third.

Top-level domains

The most popular top-level domain with phishers this quarter, as before, was COM (40.09% of the total number of top-level domains used in attacks). Silver went to XYZ (5.84%), and bronze to NET (3.00%). RU finished in fourth place (2.93%), and BUZZ in fifth (2.57%).

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Top-level domains most popular with phishers, Q3 2020 (download)

Organizations under attack

The rating of attacks by phishers on different categories of organizations is based on detections by the Kaspersky Anti-Phishing component. This component detects pages with phishing content that the user tried to access by following email or web links, regardless of how the user got to the page: by clicking a link in a phishing email or in a message on a social network, or after being redirected by a malicious program. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat.

As before, the Online Stores category absorbed the most phishing attacks, despite its share dropping slightly against Q2 2020 (by 0.20 p.p.) to 19.22%. Global Web Portals (14.48%) in second position and Banks (10.89%) in third were also non-movers.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Distribution of organizations subjected to phishing attacks by category, Q3 2020 (download)


The COVID-19 topic, which appeared in Q1 this year, is still in play for spammers and phishers. In our view, the so-called second wave could lead to a surge in mailings offering various coronavirus-related treatments. Moreover, against the backdrop of the worsening economic situation, we could see a rise in the number of scam mailings promising a big payout in exchange for a small upfront sum.

The average share of spam in global mail traffic (48.91%) this quarter decreased by 1.27 p.p. against the previous reporting period, while the number of attempted redirects totaled nearly 103 million.

First place in the list of spam-source countries in Q3 again went to Russia, with a share of 23.52%. Our security solutions blocked 51,025,889 malicious attachments; the most popular malware family in spam mailings was Trojan-PSW.MSIL.Agensla, with a 12.67% share of mail traffic.

Targeted ransomware: it’s not just about encrypting your data!

11 Listopad, 2020 - 11:00

When we talk about ransomware, we need to draw a line between what it used to be and what it currently is. Why? Because nowadays ransomware is not just about encrypting data – it’s primarily about data exfiltration. After that, it’s about data encryption and leaving convincing proof that the attacker was in the network, and finally, it’s extortion. And again, it’s not about the data loss itself but about publishing stolen data on the internet. Let’s call it “Ransomware 2.0”.

Why is it so important to state this? Because many organizations still believe that it’s all about malware, and if your anti-malware protection is good enough, you’ll be OK. As long as people think this way, the ransomware threat actors will continue to succeed again and again.

In most cases, the initial vector of attack is exploiting some already known vulnerabilities in commercial VPN software. Other cases involve abusing RDP-enabled machines exposed to the internet. Then there’s the exploitation of the vulnerable router firmware. As you can see, it’s not necessarily about malware but also bad practices, a lack of patching cycles, and general security procedures.

Sometimes ransomware threat actors may rely on traditional malware like botnet implants previously dropped by other cybercriminal groups. And finally, if we recall the Tesla story, the attempt to infect that factory was through someone working at the company. That means physical human access is also a vector. It is complex.

In all cases, the original entry point is to start network reconnaissance, then lateral movement, then data exfiltration. Once it is done, it finally comes to the “coup de grace” – the ransomware. By the time ransomware is deployed, the anti-malware product might be already deleted or disabled by the threat actor because they already had full control over the domain network and could operate as legitimate administrators. So it is about a full red team operation that relies on different hacking techniques, including those to disable anti-malware solutions mostly through legitimate tools and misc scripts. That way, the threat actor doesn’t bother if the ransomware itself will be detected or not.

Different ransomware groups use different TTPs and different encryption techniques. Today we want to talk about two of them: Ragnar Locker and Egregor – a veteran and a newbie. Both singular and distant at the same time.

Ragnar Locker

Early variants of this malware were discovered in 2019; however, Ragnar Locker gained notoriety in the first half of 2020 when it started to attack large organizations.

Ragnar Locker is highly targeted, to the extent that each individual sample is specifically tailored for the organization the actors are attacking. The group behind it loves to abuse RDP, while their preferred payment method is bitcoins.

This group owns three .onion domains available on Tor and one Surface Web domain registered on June 16, 2020.

If the victims refuse to pay, their stolen data is published in a so-called Wall of Shame section.

Screenshot of the Wall of Shame where stolen data is exposed

Curiously, this group is positioning itself as a bug bounty hunting group. They claim the payment is their bounty for discovering vulnerabilities that were exploited and to provide decryption for the files and OpSec training for the victim; and, finally, for not publishing the stolen data. Of course, if the victim refuses to pay, the data goes public. Besides that, if the victim chats with the Ragnar Locker threat actor and fails to pay, then the chat is exposed along with the stolen data.

In July 2020, Ragnar Locker made a public announcement that they had joined so-called “Maze Cartel” distraction concept. It means to say that the groups cooperated, exchanging information stolen from victims and publishing it on their websites.

Example of a victim allegedly provided by Maze and published on the Ragnar Locker Wall of Shame page

You can read more about Maze Ransomware here.

Based on the list of victims who refused to pay, the main target of Ragnar Locker are US based companies, while the type of industry varies.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Geography of Ragnar Locker victims (download)

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Ragnar Locker victims by industry (download)

Technical description

For our analysis we chose a recently encountered sample of the malware: 1195d0d18be9362fb8dd9e1738404c9d

When started, Ragnar Locker checks the system locale of the machine it is executing on. If determines that it is the locale of one of the countries listed in the screenshot below, it will cease operation and exit without doing anything else.

For countries not on the above list, it will proceed to stop services with names containing any of the substrings hardcoded in the malware sample and obfuscated by RC4:

Afterwards, Rangar Locker will terminate running processes according to another substring list contained inside the Trojan body:

Finally, when all the preparation is done, the Trojan will search for available drives and encrypt the victim’s files.

For file encryption RagnarLocker uses a custom stream cipher based on the Salsa20 cipher. Instead of the standard initialization ‘magic’ constants sigma = “expand 32-byte k” and tau = “expand 16-byte k” normally used in Salsa20, the Trojan generates new random values for each processed file. This is an unnecessary step which makes the cipher incompatible with the standard Salsa20, but doesn’t in fact enhance its security.

The key and nonce values are also uniquely generated for each file, and will be encrypted along with the constants described above by RSA using the public 2048-bit key hardcoded in the Trojan’s body.

The RNG is based on the MS CryptoAPI function CryptGenRandom, which is considered secure, and the SHA-256 hash algorithm. The RNG implementation looks a bit awkward, but we haven’t found any critical flaws in it.

The RNG procedure pseudocode used by a recent Ragnar Locker variant

After encrypting the content of each of the victim’s files, Ragnar Locker will append the encrypted key, nonce and initialization constants to the encrypted file, and finalize by adding the marker “!@#_®agna®_#@!”

Trailing bytes of a file encrypted by Ragnar Locker

The ransom notes dropped by the Trojan contain the name of the victim organization which clearly indicates that the criminals utilize a targeted approach, identify their victim and carefully prepare the attack.

The ransom note also attempts to further scare the victim into paying by emphasizing that the threat actors have stolen confidential data in addition to the file encryption performed by the Trojan.


Egregor ransomware is a new strain that was discovered in September 2020, and after the initial analysis we noticed code similarities between this new threat and Sekhmet ransomware, as well as the notorious Maze ransomware, which announced on November 1st, 2020 that they shut down.

Egregor keeps at least one .onion domain and two Surface Web domains. The first Surface Web domain was registered on September 6, 2020 and the second one on October 19, 2020. At the time of writing, both Surface Web domains were intermittent. That is probably why on the main page of the Onion domain, there is a big disclaimer with this notice:

The Egregor ransomware is typically distributed by the criminals following a network breach. The malware sample is a DLL file that needs to be launched with the correct password given as a command line argument. The DLL is usually dropped from the Internet. On occasions, the domains used to spread it exploit names or words used in the victim’s industry.

Egregor is probably the most aggressive Ransomware family in terms of negotiation with the victims. It gives only 72 hours to contact the threat actor. Otherwise, the victim’s data is processed for publishing.

The ransomware payment is negotiated and agreed upon via a special chat assigned to each victim. The payment is received in BTC.

Example of a chat negotiating to pay the ransom

Technical description


As mentioned above, the malware sample only works if a correct password is provided during launch. The packer of the malware will use this password to decrypt the payload binary. A missing or incorrect argument will result in an incorrect decryption of the payload, which will be unable to execute and will crash instead.

This technique is intended to hinder both automatic analysis in sandbox-type systems, and manual analysis by researchers: without the correct password it is impossible to unpack and analyze the payload binary.

After unpacking two layers of the malicious packer, we end up with an obfuscated binary which is still not suitable for static analysis. The obfuscation techniques used in Egregor strongly resemble those in Maze and Sekhmet: the code is ‘torn apart’ by control flow obfuscation using conditional and unconditional jumps, PUSH+JMP instead of RETN, and so on.

Control flow obfuscation example

When the payload starts executing, first of all, it will check the system and user language of the OS to avoid encrypting machines having one of the following languages installed:

Armenian (Armenia) Azerbaijani (Cyrillic, Azerbaijan) Azerbaijani (Latin, Azerbaijan) Belarusian (Belarus) Georgian (Georgia) Kazakh (Kazakhstan) Kyrgyz (Kyrgyzstan) Romanian (Moldova) Russian (Moldova) Russian (Russia) Tajik (Cyrillic, Tajikistan) Tatar (Russia) Turkmen (Turkmenistan) Ukrainian (Ukraine) Uzbek (Latin, Uzbekistan)

Then it will attempt to terminate the following processes:

This is intended to make writable potentially valuable files such as documents or databases that may have been in use at the moment of infection. In addition, some programs typically used by researchers, e.g., procmon or dumpcap, are also listed for termination to further hinder dynamic analysis.

Egregor uses a hybrid file encryption scheme based on the stream cipher ChaCha and the asymmetric cipher RSA.

The RSA-2048 master public key of the criminals is embedded in the trojan’s body.

When executing on a victim’s machine, Egregor generates a new unique pair of session RSA keys. The session private RSA key is exported and encrypted by ChaCha with a uniquely generated key + nonce, then the key and nonce are encrypted by the master public RSA key. The results are saved in a binary file (in our case it’s named C:\ProgramData\dtb.dat), as well as a base64-encoded string in the ransom notes.

For each data file Egregor processes, it generates a new 256-bit ChaCha key and 64-bit nonce, encrypts the file content by ChaCha, then encrypts them using the session public RSA key, and saves them along with some auxiliary information in the end of the encrypted file.

The last 16 bytes of each encrypted file are comprised of a dynamic marker: a random DWORD and this same DWORD xor’ed with the value 0xB16B00B5 which equals ‘BIGBOOBS’ in so-called leet speak, originally used by “hackers, crackers and script kiddies”, according to Wikipedia.

Part of the file encryption procedure pseudocode

The main page of the data leak website contains news about recently attacked companies along with some sarcastic remarks written by the ransomware group.

The archive section of the site lists the victims of the extortionists and the links to download the stolen data.

Based on the information of those victims who refused to pay, the geographic reach of Egregor is way more extensive than that of Ragnar Locker:

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Geography of Egregor victims (download)

The same is true for the number of attacked industries:

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Egregor victims by industry (download)


Unfortunately, Ransomware 2.0 is here to stay. When we talk about 2.0, we mean targeted ransomware with data exfiltration. The whole extortion process is primarily about the victims’ data not being published on the internet and only then about decryption. Why is it so important for the victims that their data is not published? Because possible lawsuits and fines due to violations of regulations like HIPAA, PIC or GDPR can result in immense financial losses, reputational damage and potential bankruptcy.

As long as companies see ransomware threat actors as typical malware threats, they will also fail. It is not about just endpoint protection; it is about red teaming, business analysts working with exfiltrated documents evaluating the ransom to pay. It is also about data theft, of course, and public shaming, leading to all sorts of problems in the end.

Our next chapter will cover something else – a perfect umbrella for different threat actors with different motivations operating under the aegis of Ransomware 2.0.

How to protect yourself

To keep your company protected against these types of ransomware attacks, Kaspersky experts recommend:

  1. Do not expose remote desktop services (such as RDP) to public networks unless absolutely necessary and always use strong passwords for them.
  2. Promptly install available patches for commercial VPN solutions providing access for remote employees and acting as gateways in your network.
  3. Always keep software updated on all the devices you use to prevent ransomware from exploiting vulnerabilities
  4. Focus your defense strategy in detecting lateral movements and data exfiltration to the Internet. Pay a special attention to the outgoing traffic to detect cybercriminals connections. Back up data regularly. Make sure you can quickly access it in an emergency when needed.
  5. Use solutions like Kaspersky Endpoint Detection and Response and Kaspersky Managed Detection and Response service which help to identify and stop the attack on early stages, before attackers reach their final goals.
  6. To protect the corporate environment, educate your employees. Dedicated training courses can help, such as the ones provided in the Kaspersky Automated Security Awareness Platform. A free lesson on how to protect from ransomware attacks is available here.
  7. Use reliable endpoint security solution, such as Kaspersky Endpoint Security for Business that is powered by exploit prevention, behavior detection and a remediation engine that is able to roll back malicious actions. KESB also has self-defense mechanisms which can prevent its removal by cybercriminals.

Ghimob: a Tétrade threat actor moves to infect mobile devices

9 Listopad, 2020 - 11:00

Guildma, a threat actor that is part of the Tétrade family of banking trojans, has been working on bringing in new techniques, creating new malware and targeting new victims. Recently, their new creation, the Ghimob banking trojan, has been a move toward infecting mobile devices, targeting financial apps from banks, fintechs, exchanges and cryptocurrencies in Brazil, Paraguay, Peru, Portugal, Germany, Angola and Mozambique.

Ghimob is a full-fledged spy in your pocket: once infection is completed, the hacker can access the infected device remotely, completing the fraudulent transaction with the victim’s smartphone, so as to avoid machine identification, security measures implemented by financial institutions and all their antifraud behavioral systems. Even if the user has a screen lock pattern in place, Ghimob is able to record it and later replay it to unlock the device. When the cybercriminal is ready to perform the transaction, they can insert a black screen as an overlay or open some website in full screen, so while the user looks at that screen, the criminal performs the transaction in the background by using the financial app running on the victim’s smartphone that the user has opened or logged in to.

From a technical standpoint, Ghimob is also interesting in that it uses C2s with fallback protected by Cloudflare, hides its real C2 with DGA and employs several other tricks, posing as a strong competitor in this field. But yet, no sign of MaaS (malware-as-a-service). Compared to BRATA or Basbanke, another mobile banking trojan family originating in Brazil, Ghimob is far more advanced and richer in features, and has strong persistence.

Multiplatform financial attack

While monitoring a Guildma Windows malware campaign, we were able to find malicious URLs used for distributing both ZIP files for Windows boxes and APK files, all from the same URL. If the user-agent that clicked the malicious link is an Android-based browser, the file downloaded will be the Ghimob APK installer.

The APKs thus distributed are posing as installers of popular apps; they are not on Google Play but rather hosted in several malicious domains registered by Guildma operators. Once installed on the phone, the app will abuse Accessibility Mode to gain persistence, disable manual uninstallation and allow the banking trojan to capture data, manipulate screen content and provide full remote control to the fraudster: a very typical mobile RAT.

Same link, different files: ZIP for Windows, APK for Android

Our telemetry shows that all victims of the Ghimob mobile banking trojan are located in Brazil at the moment, but like all other Tétrade threat actors, Ghimob has big plans to expand abroad.

Ghimob detections: Brazil for now, but ready to expand abroad

To lure the victim into installing the malicious file, the email is written as if from a creditor and provides a link where the recipient could view more information, while the app itself pretends to be Google Defender, Google Docs, WhatsApp Updater, etc.

A malicious message distributing the malware, written in Brazilian Portuguese

A persistent RAT in your pocket

As soon as the malware is launched, it tries to detect common emulators, checks for the presence of a debugger attached to the process and the manifest file, and also checks for a debuggable flag. If any of these are present, then the malware simply terminates itself. Newer versions of the malware have moved the emulator names to an encrypted configuration file. If those previous checks are passed, the user is then presented with the default Android accessibility window, as the malware heavily relies on accessibility to work.

“Google Docs” is asking you to provide Accessibility permissions

Once infection is completed, the malware proceeds to send an infection notification message to its notification server. This includes the phone model, whether it has a screen lock activated and a list of all installed apps that the malware has as a target including version numbers. Ghimob spies on 153 mobile apps, mainly from banks, fintechs, cryptocurrencies and exchanges. By analyzing the malware, it is possible to see all the apps monitored and targeted by the RAT. These are mainly institutions in Brazil (where it watches 112 apps), but since Ghimob, like other Tétrade threat actors, has been moving toward expanding its operations, it also watches the system for cryptocurrency apps from different countries (thirteen apps) and international payment systems (nine apps). Also targeted are banks in Germany (five apps), Portugal (three apps), Perú (two apps), Paraguay (two apps), Angola and Mozambique (one app per country).

The malware also blocks the user from uninstalling it, restarting or shutting down the device. This is what happens when the user tries to remove Ghimob manually: video

Fallback C2s for complete remote control

Once installation is completed, Ghimob tries to hide its presence by hiding the icon from the app drawer. The malware will decrypt a list of hardcoded C2 providers from its configuration file and contact each in order to receive the real C2 address, a technique we call “fallback channels“.

The C2 providers found are the same across all samples we analyzed, but the directory parameters of the request to obtain the real C2 vary among different samples, returning a different set of real C2 addresses. All of the communication is done via the HTTP/HTTPS protocol.

Control Panel used by Ghimob for listing infected victims

Instead of recording the user screen via the MediaProjection API, like BRATA does, Ghimob sends accessibility-related information from the current active window, as can be seen below from the output of the “301” command returned from the C2. All the commands used by the RAT are described in our private report for customers of our Financial Threat Intel Portal.

Client:[TARGETED APP] ID: xDROID_smg930a7.1.125_7206eee5b3775586310270_3.1 Data:Sep 24 2020 3:23:28 PM Ref:unknown SAMSUNG-SM-G930A 7.1.1 25 KeySec:trueKeyLock:falseDevSec:trueDevLock:false com.sysdroidxx.addons - v:3.1 Ativar Google Docs ======================================= Link Conexao:hxxp://www.realcc.com Senha de 8 digitos:12345678 Senha de 6 digitos:123456 ======================================= ============== LOG GERAL ============== ======================================= 22{< x >}[com.android.launcher3]--[TEXTO:null]--[ID:com.android.launcher3:id/apps_list_view]--[DESCRICAO:null]--[CLASSE:android.support.v7.widget.RecyclerView] 22{< x >}[com.android.launcher3]--[TEXTO:null]--[ID:com.android.launcher3:id/apps_list_view]--[DESCRICAO:null]--[CLASSE:android.support.v7.widget.RecyclerView] 22{< x >}[com.android.launcher3]--[TEXTO:null]--[ID:com.android.launcher3:id/apps_list_view]--[DESCRICAO:null]--[CLASSE:android.support.v7.widget.RecyclerView] 16{< x >}[targeted app]--[TEXTO:]--[ID:null]--[DESCRICAO:Senha de 8 digitos]--[CLASSE:android.widget.EditText] 0{< >}[targeted app]--[TEXTO:null]--[ID:null]--[DESCRICAO:null]--[CLASSE:android.widget.FrameLayout] 1{< >}[targeted app]--[TEXTO:null]--[ID:null]--[DESCRICAO:null]--[CLASSE:android.widget.LinearLayout] 2{< >}[targeted app]--[TEXTO:null]--[ID:android:id/content]--[DESCRICAO:null]--[CLASSE:android.widget.FrameLayout] 3{< >}[targeted app]--[TEXTO:null]--[ID:null]--[DESCRICAO:null]--[CLASSE:android.widget.FrameLayout] ======================================= ================ SALDOS =============== ======================================= [DESCRICAO: Rolando Lero Agencia: 111. Digito 6. Conta-corrente: 22222. Digito .7]-- [TEXTO:Account Rolando Lero] [DESCRICAO:Agencia: 111. Digito 6. Conta-corrente: 22222. Digito .7]--[TEXTO:111-6 22222-7] [DESCRICAO:Saldo disponivel R$ 7000,00]-- [DESCRICAO:7000,00]--[TEXTO:R$ 7000,00] [TEXTO:Saldo disponivel] [DESCRICAO:Agendado ate 04/Out R$ 6000,00 ]-- [DESCRICAO:6000,00 ]--[TEXTO:R$ 6000,00 ] [TEXTO:Agendado ate 04/Out]

This is likely due to low Internet speeds in Brazil: sending text information from time to time consumes less bandwidth than sending a screen recording in real time, thus increasing the chances of successful fraud for the cybercriminal. While BRATA uses an overlay with a fake WebView to steal credentials, Ghimob does not need to do that, as it reads the fields directly from the target app through accessibility features. The following words in Portuguese are monitored: saldo (balance), investimento (investment), empréstimo (lending), extrato (statement).


It took some time for Brazilian crooks to decide to try their hand at creating a mobile banking trojan with a worldwide reach. First, we saw Basbanke, then BRATA, but both were heavily focused on the Brazilian market. In fact, Ghimob is the first Brazilian mobile banking trojan ready to expand and target financial institutions and their customers living in other countries. Our telemetry findings have confirmed victims in Brazil, but as we saw, the trojan is well prepared to steal credentials from banks, fintechs, exchanges, crypto-exchanges and credit cards from financial institutions operating in many countries, so it will naturally be an international expansion.

We believe this campaign could be related to the Guildma threat actor, a well-known Brazilian banking trojan, for several reasons, but mainly because they share the same infrastructure. It is also important to note that the protocol used in the mobile version is very similar to that used for the Windows version.

We recommend that financial institutions watch these threats closely, while improving their authentication processes, boosting anti-fraud technology and threat intel data, and trying to understand and mitigate all of the risks that this new mobile RAT family poses. All the details, IoCs, MITRE ATT&CK Framework data, Yara rules and hashes relating to this threat are available to the users of our Financial Threat Intel services. Kaspersky products detect this family as Trojan-Banker.AndroidOS.Ghimob.

Indicators of Compromise

Reference hashes:

RansomEXX Trojan attacks Linux systems

6 Listopad, 2020 - 16:23

We recently discovered a new file-encrypting Trojan built as an ELF executable and intended to encrypt data on machines controlled by Linux-based operating systems.

After the initial analysis we noticed similarities in the code of the Trojan, the text of the ransom notes and the general approach to extortion, which suggested that we had in fact encountered a Linux build of the previously known ransomware family RansomEXX. This malware is notorious for attacking large organizations and was most active earlier this year.

RansomEXX is a highly targeted Trojan. Each sample of the malware contains a hardcoded name of the victim organization. Moreover, both the encrypted file extension and the email address for contacting the extortionists make use of the victim’s name.

Several companies have fallen victim to this malware in recent months, including the Texas Department of Transportation (TxDOT) and Konica Minolta.

Technical description

The sample we came across – aa1ddf0c8312349be614ff43e80a262f – is a 64-bit ELF executable. The Trojan implements its cryptographic scheme using functions from the open-source library mbedtls.

When launched, the Trojan generates a 256-bit key and uses it to encrypt all the files belonging to the victim that it can reach using the AES block cipher in ECB mode. The AES key is encrypted by a public RSA-4096 key embedded in the Trojan’s body and appended to each encrypted file.

Additionally, the malware launches a thread that regenerates and re-encrypts the AES key every 0.18 seconds. However, based on an analysis of the implementation, the keys actually only differ every second.

Apart from encrypting the files and leaving ransom notes, the sample has none of the additional functionality that other threat actors tend to use in their Trojans: no C&C communication, no termination of running processes, no anti-analysis tricks, etc.

Fragment of the file encryption procedure pseudocode; variable and function names are saved in the debug information and must match the original source code

Curiously, the ELF binary contains some debug information, including names of functions, global variables and source code files used by the malware developers.

Original names of source files embedded in the trojan’s body

Execution log of the trojan in Kaspersky Linux Sandbox

Similarities with Windows builds of RansomEXX

Despite the fact that previously discovered PE builds of RansomEXX use WinAPI (functions specific to Windows OS), the organization of the Trojan’s code and the method of using specific functions from the mbedtls library hint that both ELF and PE may be derived from the same source code.

In the screenshot below, we see a comparison of the procedures that encrypt the AES key. On the left is the ELF sample aa1ddf0c8312349be614ff43e80a262f; on the right is the PE sample fcd21c6fca3b9378961aa1865bee7ecb used in the TxDOT attack.

Despite being built by different compilers with different optimization options and for different platforms, the similarity is quite obvious.

We also observe resemblances in the procedure that encrypts the file content, and in the overall layout of the code.

What’s more, the text of the ransom note is also practically the same, with the name of the victim in the title and equivalent phrasing.

Parallels with a recent attack in Brazil

As reported by the media, one of the country’s government institutions has just been attacked by a targeted ransomware Trojan.

Based on the ransom note, which is almost identical to the one in the sample we described, and the news article mentioned above, there is a high probability that the target is the victim of another variant of RansomEXX.

Ransom note from the sample aa1ddf0c8312349be614ff43e80a262f

Ransom note from the Bleeping Computer post about the most recent attack in Brazil

Our products protect against this threat and detect it as Trojan-Ransom.Linux.Ransomexx

Kaspersky Threat Attribution Engine identifies Ransomexx malware family

Indicators of compromise

Recent Linux version: aa1ddf0c8312349be614ff43e80a262f
Earlier Windows version: fcd21c6fca3b9378961aa1865bee7ecb

Attacks on industrial enterprises using RMS and TeamViewer: new data

5 Listopad, 2020 - 11:00

 Download full report (PDF)

Executive Summary

In summer 2019, Kaspersky ICS CERT identified a new wave of phishing emails containing various malicious attachments. The emails target companies and organizations from different sectors of the economy that are associated with industrial production in one way or another.

We reported these attacks in 2018 in an article entitled “Attacks on industrial enterprises using RMS and TeamViewer“, but recent data shows that the attackers have modified their attack techniques and that the number of enterprises facing the threat of infection is growing.

Before publishing this report, we waited for the vendor of the RMS software to make changes to its services to ensure that the results of this research could not be used to exploit vulnerabilities.

This report in a nutshell:

  • From 2018 to at least the early fall of 2020, attackers sent phishing emails laced with malware.
  • The attacks make use of social engineering techniques and legitimate documents, such as memos and documents detailing equipment settings or other industrial process information, which have apparently been stolen from the company under attack or its business partners.
  • The attacks still use remote administration utilities. The graphical user interface of these utilities is hidden by the malware, enabling the attackers to control infected systems without their users’ knowledge.
  • In the new version of the malware, the attackers changed the notification channel used after infecting a new system: instead of malware command-and-control servers, they use the web interface of the RMS remote administration utility’s cloud infrastructure.
  • Stealing money from the organization under attack remains the main objective of the attackers.
  • During an ongoing attack, the cybercriminals use spyware and the Mimikatz utility to steal authentication credentials that are subsequently used to infect other systems on the enterprise network.

The full article is available on Kaspersky Threat Intelligence.

For more information please contact: ics-cert@kaspersky.com.

Technical Analysis

Since we described the technical details of this series of attacks in our previous report, Attacks on industrial enterprises using RMS and TeamViewer, in this document we only list the main stages of an attack and describe the changes to the attackers’ tactics and toolset that have been implemented since the publication of the previous report.


Phishing emails used in this attack are in most cases disguised as business correspondence between organizations. Specifically, the attackers send claim letters on behalf of a large industrial company.

Phishing email disguised as a claim letter

In the earlier attack series, the attackers used a sender email address with a domain name that was similar to the official website address of the organization on whose behalf their phishing emails were sent. Now they use public email services to send their phishing emails and they use a different technique to mislead message recipients and persuade them to open a malicious attachment: they pretend to be a real business partner or to represent a real subsidiary of the company under attack and ask the recipient to view the documents attached by the deadline specified in the email, explaining the request by the approaching end of a purchase tender, possible penalties or the need to review equipment configuration data as soon as possible.

It should also be emphasized that the phishing emails are individually crafted for each specific company that is attacked. This is demonstrated by the fact that the name of the company under attack is mentioned in the email text, as well as by the documents used by the attackers as attachments (descriptions of the documents are provided below). In some of the cases identified earlier, the attackers also addressed the recipient by his or her full name.

Phishing email sent on behalf of a contractor

Attachments used in phishing emails are password-protected archives, with the password provided in the message body. The attackers explain this method of sending information by referring to confidentiality considerations in the message body, but in reality password protection prevents files stored in the archive from being scanned with antivirus tools.

Malware Features

The archive attached to a phishing email contains several malicious obfuscated JS scripts that have an identical functionality but slightly different structure due to different code obfuscation techniques being used. The script names are usually disguised as document names.

If a user runs one of these scripts, two files are unpacked and opened: a malicious program detected as HEUR:Backdoor.Win32.Generic, and a legitimate PDF file. Some JS script variants found in phishing emails download these files from a remote server rather than extracting them from the script’s body.

In earlier attacks, to ensure that the user didn’t have questions regarding the absence of the documents mentioned in the message body and to distract the user while installing the malware, the attackers opened a damaged PDF document or image or launched a legitimate software installer.

Image opened by the malware in earlier attacks

In their later attacks, the threat actor began to use actual documents related to the attacked organization’s area of work. A document can look like one created by a business partner or even the attacked organization itself. Specifically, documents used in attacks include scan copies of memos, letters to subsidiaries and contractors, as well as procurement documentation forms that were apparently stolen earlier.

PDF document containing instructions for subsidiaries, used by the attackers

A fact of particular interest is that in some cases, the attackers used documents containing industrial equipment configuration data and other information related to the industrial process.

Specifically, screenshots from the DIGSI application have been used. The application is designed to configure relay systems manufactured by Siemens.

DIGSI software screenshot 1

DIGSI is used by electric power facilities, such as substations, to configure their relay protection systems.

DIGSI software screenshot 2

Screenshot of a relay system’s configuration matrix. List of setpoints

We also found screenshots with transformer oscillograms in documents used by the attackers:

Vector diagrams with oscillograms

It is worth noting that the last screenshot shows oscillograms for a system at the moment of an accident.

Phishing emails with such screenshots do not call for the settings shown in attached documents to be implemented. It is most likely that the attackers use documents with the above screenshots to distract the personnel while the malware is being installed. Since the data mentioned above can provide a relay protection expert with information on standard settings used at the facility, the fact that the attackers have such screenshots at their disposal is cause for concern.

The JS script then launches the malware, which installs a version of TeamViewer, a remote administration tool (RAT), modified by the attackers. As in earlier attacks, the attackers use a malicious DLL library to hide the graphical user interface in order to control the infected system without the user’s knowledge.

If additional information needs to be collected, the attackers download an additional set of malware selected specifically for each victim. This can be spyware designed to collect credentials for a variety of programs and services, including email clients, browsers, SSH/FTP/Telnet clients, as well as recording keypresses and making screenshots. In some cases, the Mimikatz utility is used to collect account credentials for Windows accounts entered on the compromised system. The use of Mimikatz poses a particular danger, because it can provide the attackers with access to a large number of systems on the enterprise’s network.

In most cases, the attackers disguise malware components as Windows components to hide traces of malicious activity on the system.


While analyzing the new series of attacks, we noticed two ways in which the infrastructure is organized differently from that used in earlier attacks.

First, the attackers use resources disguised as websites of existing Russian-speaking companies to store files downloaded by malicious JS scripts at the system infection stage.

The second and more important difference is that the attackers no longer use a malware command-and-control server in their communication with infected systems.

The main reason for having a malware command-and-control server in this type of attack was the need to get the infected machine’s ID in the TeamViewer system. The attackers already had any other information they needed (the password required to connect was provided in a special configuration file). In the new series of attacks, the attackers sent the infected machine’s TeamViewer ID using the legitimate infrastructure of the RMS remote administration system.

This was possible because the RMS remote administration infrastructure has a dedicated web service designed to notify the administrator that an RMS distribution package has been installed on a remote system. To send the notification, the RMS server generates an email message that contains the machine’s ID in the RMS system in the message body. For the message to be generated, it is sufficient for the RMS client to send an HTTP POST request to the dedicated web page, providing the following data: product name, ID of the language pack used in the system, user name, computer name, email address to which the notification should be delivered, and the machine’s ID in the RMS system assigned after installing the program.

Attack kill chain

The underlying mechanism of the web service contained a vulnerability: it did not use any kind of authorization procedure. The malicious DLL responsible for hiding the TeamViewer graphic interface included code for sending the request described above to the RMS server. However, it sent the machine’s ID in the TeamViewer system instead of its ID in the RMS system. The ID length in the TeamViewer system is different from the ID length in the RMS system; however, since there is no verification of the contents of fields sent to the server in the HTTP POST request, a notification message with information on a newly infected machine was successfully delivered to the attacker’s address.

Kaspersky ICS CERT has notified RMS developers that their infrastructure is being used for criminal purposes, providing them with all the technical details needed to close the vulnerability. To date, the vulnerability has not been closed by the developers, but a workaround, filtration based on an address whitelist, has been implemented.

In other words, the functionality still works, but notification emails are only sent to email addresses included in a special list of customers ‘verified’ by RMS developers.

For technical details about this vulnerability please contact: ics-cert@kaspersky.com


As mentioned above, the vast majority of attacked systems are industrial enterprises in Russia representing various sectors of the economy. We identified attacks on companies from the following industries:

  • Manufacturing
  • Oil and gas
  • Metal industry
  • Engineering
  • Energy
  • Construction
  • Mining
  • Logistics

Consequently, this is not a case of an attack narrowly targeting one specific industry; however, since most legitimate documents used in the attacks are from the energy sector, it can be assumed that the attackers have a particular interest in the sector.


We are convinced that a Russian-speaking group is behind these attacks.

The main arguments in favor of this theory were offered in our previous report, “Attacks on industrial enterprises using RMS and TeamViewer“.

Note also that the code used to send requests to the RMS server, which was identified in the process of analyzing the new version of the malicious DLL, contains a language ID for the Russian localization of the operating system.

According to available information, the main objective of the criminals is to steal money from victim organizations’ accounts. This means that the attackers must have a good understanding of the financial workflow, which differs in some of its aspects from country to country, and support the appropriate infrastructure for cash withdrawal.

The group does not use any sophisticated tactics or technologies, but it carefully prepares each attack and expertly uses social engineering techniques, as well as technologies that are already known from attacks staged by other criminal groups.

We believe that the group includes people responsible for the technical aspect of infecting victims’ systems, as well as people responsible for financial operations, i.e., for stealing money from the group’s victims.


The threat actor continues to attack industrial enterprises successfully using relatively simple techniques, but its methods are evolving. To persuade users of the legitimacy of phishing emails, criminals have begun to use documents that were apparently stolen during earlier attacks. It is worth noting that some of the documents used for this purpose contain information on industrial equipment settings and industrial process parameters. This is one more reason to believe that these attacks specifically target industrial enterprises.

The main technical change in the attacks is that the attackers have discarded the most vulnerable stage in data collection and transmission – that is, malware command-and-control servers, which can be disconnected by the hosting provider or blocked by information security systems. Instead, new system infection notifications are delivered via the legitimate web interface of the RMS remote administration utility’s cloud infrastructure. Resources disguised as legitimate websites of existing organizations are used to store malware samples.

The attackers have full control of an infected system from the moment it becomes infected. Stealing money from the organization’s accounts remains their main objective. When the attackers connect to a victim’s computer, they look for financial and accounting software (1C accounting software, bank-client, etc.). In addition, they find and analyze procurement-related accounting documents and peruse the email correspondence of the enterprise’s employees. After that, the attackers look for various ways in which they can commit financial fraud. We believe that the criminals are able to substitute the bank details used to pay invoices.

Clearly, the attackers’ remote access to infected systems also poses other threats, such as the organization’s sensitive data being leaked, systems being put out of operation, etc. As the latest events have shown, the attackers use documents that were probably stolen from organizations to carry out subsequent attacks, including attacks on victim companies’ partners.

If you have encountered an attack of this kind, you can report it to us through a form on our website.

  • Train employees at enterprises in using email securely and, specifically, in identifying phishing messages
  • Restrict the ability of programs to gain SeDebugPrivilege privileges (wherever possible)
  • Install antivirus software with support for centrally managing the security policy on all systems; keep the antivirus databases and program modules of security solutions up to date
  • Use accounts with domain administrator privileges only when necessary. After using such accounts, restart the system on which the authentication was performed
  • Implement a password policy with password strength and regular password change requirements
  • If it is suspected that some systems are infected: remove all third-party remote administration utilities, scan these systems with antivirus software and force a change of passwords for all accounts that have been used to log on to compromised systems
  • Monitor network connections for any traces of remote administration utilities installed without proper authorization. Make a special emphasis on the use of RMS and TeamViewer utilities
  • Use network activity filtration systems to block connections to servers and IP addresses listed in Appendix I – Indicators of Compromise
  • Never use obsolete versions of the TeamViewer utility (versions 6.0 and earlier). To discover any instances of obsolete versions of TeamViewer being used, the YARA rule provided in Appendix I – Indicators of Compromise can be used
  • It should be noted that, since the attack uses legitimate remote administration software, that software can remain on the victim’s computer and continue operating even when the malicious downloader has been removed. If remote administration software has been identified at the stage of scanning corporate systems, it should be determined in each case whether it was installed legitimately

For more information please contact: ics-cert@kaspersky.com

Appendix I – Indicators of Compromise

File Hashes (malicious documents, malware, emails etc.)

  • 386a1594a0add346b8fbbebcf1547e77
  • 203e341cf850d7a05e44fafc628aeaf1
  • 3b79aacdc33593e8c8f560e4ab1c02c6
  • ea1440202beb02cbb49b5bef1ec013c0
  • 1091941264757dc7e3da0a086f69e4bb
  • 72f206e3a281248a3d5ca0b2c5208f5f
  • da4dff233ffbac362fee3ae08c4efa53
  • d768a65335e6ca715ab5ceb487f6862f
  • 9219e22809a1dff78aac5fff7c80933c
  • 86e14db0bcf5654a01c1b000d75b0324

File Names

  • Акт.js
  • Запрос 17782-09-1.js
  • Перечень документов.js
  • спецификация на оборудование xls.js
  • tv.dll
  • tv.ini

Some malware modules installed on the system have randomly generated names that follow a specific format. The following regular expression can be used to search for such files:


These files are saved in the temporary file directory (%TEMP%); the first part of the file name consists of two or three Roman characters; the second is a two-digit number followed by the extension .exe

Domains and IPs

  • timkasprot.temp.swtest[.]ru (RemoteAdmin.Win32.RemoteManipulator.vpj)
  • 77.222.56[.]169 (RemoteAdmin.Win32.RemoteManipulator.vpj)
  • z-wavehome[.]ru (RemoteAdmin.Win32.RemoteManipulator.vpj)
  • dncars[.]ru (RemoteAdmin.Win32.RemoteManipulator.vpj)

Yara Rules

rule TeamViewer_ver6_and_lower { meta: description = "Rule to detect TeamViewer ver 6.0 and lower" hash = "4f926252e22afa85e5da7f83158db20f" hash = "8191265c6423773d0e60c88f6ecc0e38" version = "1.1" condition: uint16(0) == 0x5A4D and pe.version_info["CompanyName"] contains "TeamViewer" and (pe.version_info["ProductVersion"] contains "6.0" or pe.version_info["ProductVersion"] contains "5.1" or pe.version_info["ProductVersion"] contains "5.0" or pe.version_info["ProductVersion"] contains "4.1" or pe.version_info["ProductVersion"] contains "4.0" or pe.version_info["ProductVersion"] contains "3.6" or pe.version_info["ProductVersion"] contains "3.5" or pe.version_info["ProductVersion"] contains "3.4" or pe.version_info["ProductVersion"] contains "3.3" or pe.version_info["ProductVersion"] contains "3.2" or pe.version_info["ProductVersion"] contains "3.1" or pe.version_info["ProductVersion"] contains "3.0") }

The attackers use outdated versions of the TeamViewer client that contain a vulnerability enabling them to hide the utility’s graphic interface. This YARA rule can be used to determine whether there are outdated versions of the TeamViewer software installed on the system. Checking whether any such software found was installed legitimately is a first-priority task.

If instances of outdated versions of the TeamViewer client being used legitimately are identified, it is recommended that the software in question be updated to the latest version.

Registry keys

  • Key:
    rundll32.exe shell32.dll,ShellExec_RunDLL
  • Key:
    rundll32.exe shell32.dll,ShellExec_RunDLL “%temp%\TeamViewer.exe”

Threat actors’ email addresses

  • timkas@protonmail.com
  • smoollsrv@gmail.com
  • nataly@z-wavehome.ru
  • info@dncars.ru
Appendix II – MITRE ATT&CK Mapping Tactic Technique/Subtechnique Description Initial Access T1566.001 Phishing: Spearphishing Attachment

The attackers use phishing emails with archives containing malicious scripts Execution T1204.002 User Execution: Malicious File

Malicious software is executed when the user opens the file T1059.007 Command and Scripting Interpreter: JavaScript/Jscript

Used to execute malicious PE and open bait PDF files Persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

The malware creates a registry value to run automatically after system restart Defense Evasion T1027.002 Obfuscated Files or Information: Software Packing

To make analysis more difficult, files of the malware are packed and its code is obfuscated T1564.001 Hide Artifacts: Hidden Files and Directories

The attributes “hidden” and “system” are assigned to malware files T1574.001 Hijack Execution Flow: DLL Search Order Hijacking

To hide the GUI of the TeamViewer remote administration utility, a malicious program is loaded into the process instead of a system library T1036.005 Masquerading: Match Legitimate Name or Location

In most cases, attackers disguise malware components as Windows operating system components to hide the traces of malicious activity in the system Credential Access T1003.001 OS Credential Dumping: LSASS Memory

The attackers use the Mimikatz utility in cases where they need authentication credentials to infect other systems in an organization T1056.001 Input Capture: Keylogging

In some cases, malware (class: Spyware) designed to collect logins and passwords for various different programs and services, record keypresses and capture screenshots is downloaded to an infected system Discovery T1057 Process Discovery

The malware collects information on antivirus software running on the system T1018 Remote System Discovery

The attackers explore the organization’s other systems to which they can gain access over the network T1518 Software Discovery

The attackers take notes on which software associated with financial operations is installed on an infected system Lateral Movement T1021.001 Remote Services: Remote Desktop Protocol

RDP connections with account credentials obtained earlier using the Mimikatz utility are used for lateral movement
Collection T1005 Data from Local System

The attackers analyze documents found on infected systems; these documents can be used in subsequent attacks T1114.001 Email Collection: Local Email Collection

The attackers analyze the business correspondence of the organization under attack in order to use it for subsequent attacks on the victim’s business partners T1056.001, T1113 Input Capture: Keylogging and Screen Capture

In some cases, malware (class: Spyware) designed to collect logins and passwords for various different programs and services, record keypresses and capture screenshots is downloaded to an infected system Command And Control T1071.001 Application Layer Protocol: Web Protocols

To send the TeamViewer ID, an HTTP POST request is sent to the RMS server T1071.003 Application Layer Protocol: Mail Protocols

The RMS server sends an email to an address controlled by the attackers. The email contains the infected machine’s TeamViewer ID T1219 Remote Access Software

The attackers use the TeamViewer remote administration utility to connect to the infected system Exfiltration T1020 Automated Exfiltration

The attackers use malware to receive information collected on the infected system Impact T1565.001 Data Manipulation: Stored Data Manipulation

Substitution of bank details in payment forms

APT trends report Q3 2020

3 Listopad, 2020 - 11:00

For more than three years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.

This is our latest installment, focusing on activities that we observed during Q3 2020.

Readers who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact intelreports@kaspersky.com.

The most remarkable findings

We have already partly documented the activities of DeathStalker, a unique threat group that seems to focus mainly on law firms and companies operating in the financial sector. The group’s interest in gathering sensitive business information leads us to believe that DeathStalker is a group of mercenaries offering hacking-for-hire services, or acting as an information broker in financial circles. The activities of this threat actor first came to our attention through a PowerShell-based implant called Powersing. This quarter, we unraveled the threads of DeathStalker’s LNK-based Powersing intrusion workflow. While there is nothing groundbreaking in the whole toolset, we believe defenders can gain a lot of value by understanding the underpinnings of a modern, albeit low-tech, infection chain used by a successful threat actor. DeathStalker continues to develop and use this implant, using tactics that have mostly been identical since 2018, while making greater efforts to evade detection. In August, our public report of DeathStalker’s activities summarized the three scripting language-based toolchains used by the group – Powersing, Janicab and Evilnum.

Following our initial private report on Evilnum, we detected a new batch of implants in late June 2020, showing interesting changes in the (so far) quite static modus operandi of DeathStalker. For instance, the malware directly connects to a C2 server using an embedded IP address or domain name, as opposed to previous variants where it made use of at least two dead drop resolvers (DDRs) or web services, such as forums and code sharing platforms, to fetch the real C2 IP address or domain. Interestingly, for this campaign the attackers didn’t limit themselves merely to sending spear-phishing emails but actively engaged victims through multiple emails, persuading them to open the decoy, to increase the chance of compromise. Furthermore, aside from using Python-based implants throughout the intrusion cycle, in both new and old variants, this was the first time that we had seen the actor dropping PE binaries as intermediate stages to load Evilnum, while using advanced techniques to evade and bypass security products.

We also found another intricate, low-tech implant that we attribute to DeathStalker with medium confidence. The delivery workflow uses a Microsoft Word document and drops a previously unknown PowerShell implant that relies on DNS over HTTPS (DoH) as a C2 channel. We dubbed this implant PowerPepper.

During a recent investigation of a targeted campaign, we found a UEFI firmware image containing rogue components that drop previously unknown malware to disk. Our analysis showed that the revealed firmware modules were based on a known bootkit named Vector-EDK, and the dropped malware is a downloader for further components. By pivoting on unique traits of the malware, we uncovered a range of similar samples from our telemetry that have been used against diplomatic targets since 2017 and have different infection vectors. While the business logic of most is identical, we could see that some had additional features or differed in implementation. Due to this, we infer that the bulk of samples originate from a bigger framework that we have dubbed MosaicRegressor. Code artefacts in some of the framework’s components, and overlaps in C2 infrastructure used during the campaign, suggest that a Chinese-speaking actor is behind these attacks, possibly one that has connections to groups using the Winnti backdoor. The targets, diplomatic institutions and NGOs in Asia, Europe and Africa, all appear to be connected in some way to North Korea.


Since publishing our initial report on WellMess (see our APT trends report Q2 2020), the UK National Cyber Security Centre (NCSC) has released a joint technical advisory, along with Canadian and US governments, on the most recent activity involving WellMess. Specifically, all three governments attribute the use of this malware targeting COVID-19 vaccine research to The Dukes (aka APT29 and Cozy Bear). The advisory also details two other pieces of malware, SOREFANG and WellMail, that were used during this activity. Given the direct public statement on attribution, new details provided in the advisory, as well as new information discovered since our initial investigation, we published our report to serve as a supplement to our previous reporting on this threat actor. While the publication of the NCSC advisory has increased general public awareness on the malware used in these recent attacks, the attribution statements made by all three governments provided no clear evidence for other researchers to pivot on for confirmation. For this reason, we are currently unable to modify our original statement; and we still assess that the WellMess activity has been conducted by a previously unknown threat actor. We will continue to monitor for new activity and adjust this statement in the future if new evidence is uncovered.

Russian-speaking activity

In summer, we uncovered a previously unknown multimodule C++ toolset used in highly targeted industrial espionage attacks dating back to 2018. So far, we have seen no similarities with known malicious activity regarding code, infrastructure or TTPs. To date, we consider this toolset and the actor behind it to be new. The malware authors named the toolset MT3, and based on this abbreviation we have named the toolset MontysThree. The malware is configured to search for specific document types, including those stored on removable media. It contains natural language artefacts of correct Russian and a configuration that seek directories that exist only in Cyrilic version of Windows, while presenting some false flag artefacts suggesting a Chinese-speaking origin. The malware uses legitimate cloud services such as Google, Microsoft and Dropbox for C2 communications.

Chinese-speaking activity

Earlier this year, we discovered an active and previously unknown stealthy implant dubbed Moriya in the networks of regional inter-governmental organizations in Asia and Africa. This tool was used to control public facing servers in those organizations by establishing a covert channel with a C2 server and passing shell commands and their outputs to the C2. This capability is facilitated using a Windows kernel mode driver. Use of the tool is part of an ongoing campaign that we have named TunnelSnake. The rootkit was detected on the targeted machines in May, with activity dating back as early as November 2019, persisting in networks for several months following the initial infection. We found another tool showing significant code overlaps with this rootkit, suggesting that the developers have been active since at least 2018. Since neither rootkit nor other lateral movement tools that accompanied it during the campaign relied on hard-coded C2 servers, we could gain only partial visibility into the attacker’s infrastructure. That said, the bulk of detected tools, apart from Moriya, consisted of both proprietary and well-known pieces of malware that were previously used by Chinese-speaking threat actors, giving a clue to the attacker’s origin.

PlugX continues to be effectively and heavily used across Southeast and East Asia, and also Africa, with some minimal use in Europe. The PlugX codebase has been in use by multiple Chinese-speaking APT groups, including HoneyMyte, Cycldek and LuckyMouse. Government agencies, NGOs and IT service organizations seem to be consistent targets. While the new USB spreading capability is opportunistically pushing the malware throughout networks, compromised MSSPs/IT service organizations appear to be a potential vector of targeted delivery, with CobaltStrike installer packages pushed to multiple systems for initial PlugX installation. Based on our visibility, the majority of activity in the last quarter appears to be in Mongolia, Vietnam and Myanmar. The number of systems in these countries dealing with PlugX in 2020 is at the very least in the thousands.

We discovered an ongoing campaign, dating back to May, utilizing a new version of the Okrum backdoor, attributed to Ke3chang. This updated version of Okrum uses an Authenticode-signed Windows Defender binary using a unique side-loading technique. The attackers used steganography to conceal the main payload in the Defender executable while keeping its digital signature valid, reducing the chance of detection. We haven’t previously seen this method being used in the wild for malicious purposes. We have observed one affected victim, a telecoms company located in Europe.

On September 16, the US Department of Justice released three indictments associated with hackers allegedly connected with APT41 and other intrusion sets tracked as Barium, Winnti, Wicked Panda and Wicked Spider. In addition, two Malaysian nationals were also arrested on September 14, in Sitiawan (Malaysia), for “conspiring to profit from computer intrusions targeting the video game industry”, following cooperation between the US DoJ and the Malaysian government, including the Attorney General’s Chambers of Malaysia and the Royal Malaysia Police. The first indictment alleges that the defendants set up an elite “white hat” network security company, called Chengdu 404 Network Technology Co, Ltd. (aka Chengdu Si Lingsi Network Technology Co., Ltd.), and under its guise, engaged in computer intrusions targeting hundreds of companies around the world. According to the indictment, they “carried out their hacking using specialized malware, such as malware that cyber-security experts named ‘PlugX/Fast’, ‘Winnti/Pasteboy’, ‘Shadowpad’, ‘Barlaiy/Poison Plug’ and ‘Crosswalk/ProxIP'”. The indictments contain several indirect IoCs, which allowed us to connect these intrusions to Operation ShadowPad and Operation ShadowHammer, two massive supply-chain attacks discovered and investigated by Kaspersky in recent years.

Middle East

In June, we observed new activity by the MuddyWater APT group, involving use of a new set of tools that constitute a multistage framework for loading malware modules. Some components of the framework leverage code to communicate with C2s identical to code we observed in the MoriAgent malware earlier this year. For this reason, we decided to dub the new framework MementoMori. The purpose of the new framework is to facilitate execution of further in-memory PowerShell or DLL modules. We detected high-profile victims based in Turkey, Egypt and Azerbaijan.

Southeast Asia and Korean Peninsula

In May, we found new samples belonging to the Dtrack family. The first sample, named Valefor, is an updated version of the Dtrack RAT containing a new feature enabling the attacker to execute more types of payload. The second sample is a keylogger called Camio which is an updated version of its keylogger. This new version updates the logged information and its storage mechanism. We observed signs indicating that these malware programs were tailored for specific victims. At the time of our research our telemetry revealed victims located in Japan.

We have been tracking LODEINFO, fileless malware used in targeted attacks since last December. During this time, we observed several versions as the authors were developing the malware. In May, we detected version v0.3.6 targeting diplomatic organizations located in Japan. Shortly after that, we detected v0.3.8 as well. Our investigation revealed how the attackers operate during the lateral movement stage: after obtaining the desired data, the attackers wipe their traces. Our private report included a technical analysis of the LODEINFO malware and the attack sequence in the victim’s network, to disclose the actor’s tactics and methods.

While tracking Transparent Tribe activity, we discovered an interesting tool used by this APT threat actor: the server component used to manage CrimsonRAT bots. We found different versions of this software, allowing us to look at the malware from the perspective of the attackers. It shows that the main purpose of this tool is file stealing, given its functionalities for exploring the remote file system and collecting files using specific filters. Transparent Tribe (aka PROJECTM and MYTHIC LEOPARD) is a very prolific APT group that has increased its activities in recent months. We reported the launch of a new wide-ranging campaign that uses the CrimsonRAT tool where we were able to set up and analyze the server component and saw the use of the USBWorm component for the first time; we also found an Android implant used to target military personnel in India. This discovery also confirms much of the information already discovered during previous investigations; and it also confirms that CrimsonRAT is still under active development.

In April, we discovered a new malware strain that we named CRAT, based on the build path and internal file name. The malware was spread using a weaponized Hangul document as well as a Trojanized application and strategic web compromise. Since its discovery the full-featured backdoor has quickly evolved, diversifying into several components. A downloader delivers CRAT to profile victims, followed by next-stage orchestrator malware named SecondCrat: this orchestrator loads various plugins for espionage, including keylogging, screen capturing and clipboard stealing. During our investigation, we found several weak connections with ScarCruft and Lazarus: we discovered that several debugging messages inside the malware have similar patterns to ScarCruft malware, as well as some code patterns and the naming of the Lazarus C2 infrastructure.

In June, we observed a new set of malicious Android downloaders which, according to our telemetry, have been actively used in the wild since at least December 2019; and have been used in a campaign targeting victims almost exclusively in Pakistan. Its authors used the Kotlin programming language and Firebase messaging system for the downloader, which mimics Chat Lite, Kashmir News Service and other legitimate regional Android applications. A report by the National Telecom & Information Technology Security Board (NTISB) from January describes malware sharing the same C2s and spoofing the same legitimate apps. According to this publication, targets were Pakistani military bodies, and the attackers used WhatsApp messages, SMS, emails and social media as the initial infection vectors. Our own telemetry shows that this malware also spreads through Telegram messenger. The analysis of the initial set of downloaders allowed us to find an additional set of Trojans that we believe are strongly related, as they use the package name mentioned in the downloaders and focus on the same targets. These new samples have strong code similarity with artefacts previously attributed to Origami Elephant.

In mid-July, we observed a Southeast Asian government organization targeted by an unknown threat actor with a malicious ZIP package containing a multilayered malicious RAR executable package. In one of the incidents, the package was themed around COVID-19 containment. We believe that the same organization was probably the same target of a government web server watering-hole, compromised in early July and serving a highly similar malicious LNK. Much like other campaigns against particular countries that we have seen in the past, these adversaries are taking a long-term, multipronged approach to compromising target systems without utilizing zero-day exploits. Notably, another group (probably OceanLotus) used a similar Telegram delivery technique with its malware implants against the same government targets within a month or so of the COVID-19-themed malicious LNK, in addition to its use of Cobalt Strike.

In May 2020, Kaspersky technologies prevented an attack using a malicious script for Internet Explorer against a South Korean company. Closer analysis revealed that the attack used a previously unknown full chain that consisted of two zero-day exploits: a Remote Code Execution exploit for Internet Explorer and an Elevation of Privilege exploit for Windows. Unlike a previous full chain that we discovered, used in Operation WizardOpium (you can read more here and here), the new full chain targeted the latest builds of Windows 10, and our tests demonstrated reliable exploitation of Internet Explorer 11 and Windows 10 build 18363 x64. On June 8, we reported our discoveries to Microsoft, who confirmed the vulnerabilities. At the time of our report, the security team at Microsoft had already prepared a patch for vulnerability CVE-2020-0986 that was used in the zero-day Elevation of Privilege exploit; but before our discovery, the exploitability of this vulnerability had been considered less likely. The patch for CVE-2020-0986 was released on June 9. Microsoft assigned CVE-2020-1380 to a use-after-free vulnerability in JScript and the patch for this was released on August 11. We are calling this and related attacks Operation PowerFall. Currently, we are unable to establish a definitive link with any known threat actor, but due to similarities with previously discovered exploits we believe that DarkHotel may be behind this attack.

On July 22, we came across a suspicious archive file that was uploaded to VirusTotal from an Italian source. The file seemed to be a triage consisting of malicious scripts, access logs, malicious document files and several screenshots related to suspicious file detections from security solutions. After looking into these malicious document files, we identified that they are related to a Lazarus group campaign that we reported in June. This campaign, dubbed DeathNote, targeted the automobile industry and individuals in the academic field using lure documents containing aerospace and defense-related job descriptions. We are confident that these documents are related to a recently reported attack on an Israeli defense company. We have uncovered webshell scripts, C2 server scripts and malicious documents, identified several victims connected to the compromised C2 server, as well as uncovering the method used to access the C2 server.

We have observed an ongoing Sidewinder campaign that started in February, using five different malware types. The group made changes to its final payloads and continues to target government, diplomatic and military entities using current themes, such as COVID-19, in its spear-phishing efforts. While the infection mechanism remains the same as before, including the group’s exploit of choice (CVE-2017-1182) and use of the DotNetToJScript tool to deploy the final payloads, we found that the actor also used ZIP archives containing a Microsoft compiled HTML Help file to download the last-stage payload. In addition to the existing .NET-based implant, which we call SystemApp, the threat actor added JS Orchestrator, the Rover/Scout backdoor and modified versions of AsyncRAT, warzoneRAT to its arsenal.

Other interesting discoveries

Attribution is difficult at the best of times, and sometimes it’s not possible at all. While investigating an ongoing campaign, we discovered a new Android implant undergoing development, with no clear link to any previously known Android malware. The malware is able to monitor and steal call logs, SMS, audio, video and non-media files, as well as identifying information about the infected device. It also implements an interesting feature to collect information on network routes and topology obtained using the “traceroute” command as well as using local ARP caches. During this investigation we uncovered a cluster of similar Android infostealer implants, with one example being obfuscated. We also found older Android malware that more closely resembles a backdoor, with traces of it in the wild dating back to August 2019.

In April, Cisco Talos described the activities of an unknown actor targeting Azerbaijan’s government and energy sector using new malware called PoetRAT. In collaboration with Kaspersky ICS CERT, we identified supplementary samples of associated malware and documents with broader targeting of multiple universities, government and industrial organizations as well as entities in the energy sector in Azerbaijan. The campaign started in early November 2019; and the attackers switched off the infrastructure immediately following publication of the Cisco Talos report. We observed a small overlap in victimology with Turla, but since there is no technically sound proof of relation between them, and we haven’t been able to attribute this new set of activity to any other previously known actor, we named it Obsidian Gargoyle.

Final thoughts

The TTPs of some threat actors remain fairly consistent over time (such as using hot topics such (COVID-19) to entice users to download and execute malicious attachments sent in spear-phishing emails), while other groups reinvent themselves, developing new toolsets and widening their scope of activities, for example, to include new platforms. And while some threat actors develop very sophisticated tools, for example, MosiacRegressor UEFI implant, others have great success with basic TTPs. Our regular quarterly reviews are intended to highlight the key developments of APT groups.

Here are the main trends that we’ve seen in Q3 2020:

  • Geo-politics continues to drive the development of many APT campaigns, as seen in recent months in the activities of Transparent Tribe, Sidewinder, Origami Elephant and MosaicRegressor, and in the ‘naming and shaming’ of various threat actors by the NCSC and the US Department of Justice.
  • Organizations in the financial sector also continue to attract attention: the activities of the mercenary group DeathStalker is a recent example.
  • We continue to observe the use of mobile implants in APT attacks with recent examples including Transparent Tribe and Origami Elephant.
  • While APT threat actors remain active across the globe, recent hotspots of activity have been Southeast Asia, the Middle East and various regions affected by the activities of Chinese-speaking APT groups.
  • Unsurprisingly, we continue to see COVID-19-themed attacks – this quarter they included WellMess and Sidewinder.
  • Among the most interesting APT campaigns this quarter were DeathStalker and MosaicRegressor: the former underlining the fact that APT groups can achieve their aims without developing highly sophisticated tools; the latter representing the leading-edge in malware development.

As always, we would note that our reports are the product of our visibility into the threat landscape. However, it should be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.